@vellumai/assistant 0.6.0 → 0.6.1

package/src/tools/filesystem/list.ts

@@ -0,0 +1,93 @@
+import { RiskLevel } from "../../permissions/types.js";
+import type { ToolDefinition } from "../../providers/types.js";
+import { registerTool } from "../registry.js";
+import { FileSystemOps } from "../shared/filesystem/file-ops-service.js";
+import { sandboxPolicy } from "../shared/filesystem/path-policy.js";
+import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
+
+class FileListTool implements Tool {
+  name = "file_list";
+  description =
+    "List the contents of a directory. Returns file and subdirectory names with type indicators and sizes.";
+  category = "filesystem";
+  defaultRiskLevel = RiskLevel.Low;
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: "object",
+        properties: {
+          path: {
+            type: "string",
+            description: "The directory path to list",
+          },
+          glob: {
+            type: "string",
+            description: "Filter entries by glob pattern, e.g. '*.md'",
+          },
+          activity: {
+            type: "string",
+            description:
+              "Brief non-technical explanation of what you are doing and why, shown to the user as a status update.",
+          },
+        },
+        required: ["path", "activity"],
+      },
+    };
+  }
+
+  async execute(
+    input: Record<string, unknown>,
+    context: ToolContext,
+  ): Promise<ToolExecutionResult> {
+    const rawPath = input.path as string;
+    if (!rawPath || typeof rawPath !== "string") {
+      return {
+        content: "Error: path is required and must be a string",
+        isError: true,
+      };
+    }
+
+    const ops = new FileSystemOps((path, opts) =>
+      sandboxPolicy(path, context.workingDir, opts),
+    );
+
+    const result = ops.listDirSafe({
+      path: rawPath,
+      glob: typeof input.glob === "string" ? input.glob : undefined,
+    });
+
+    if (!result.ok) {
+      const { error } = result;
+      switch (error.code) {
+        case "NOT_A_DIRECTORY":
+          return {
+            content: `Error: ${error.path} is not a directory`,
+            isError: true,
+          };
+        case "NOT_FOUND":
+          return {
+            content: `Error: directory not found: ${error.path}`,
+            isError: true,
+          };
+        default: {
+          const hint =
+            error.code === "PATH_OUT_OF_BOUNDS"
+              ? ". To list files outside the workspace, use the host_bash tool instead."
+              : "";
+          return {
+            content: `Error: ${error.message}${hint}`,
+            isError: true,
+          };
+        }
+      }
+    }
+
+    return { content: result.value.listing, isError: false };
+  }
+}
+
+export const fileListTool = new FileListTool();
+registerTool(fileListTool);

package/src/tools/permission-checker.ts

@@ -1,3 +1,4 @@
+import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import { getConfig } from "../config/loader.js";
 import { getHookManager } from "../hooks/manager.js";
 import {
@@ -6,9 +7,11 @@ import {
   generateAllowlistOptions,
   generateScopeOptions,
 } from "../permissions/checker.js";
+import { getMode } from "../permissions/permission-mode-store.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import { addRule } from "../permissions/trust-store.js";
 import { RiskLevel } from "../permissions/types.js";
+import { isHostTool } from "../permissions/workspace-policy.js";
 import {
   getEffectiveMode,
   setConversationMode,
@@ -65,6 +68,52 @@ export class PermissionChecker {
         }
       | undefined,
   ): Promise<PermissionDecision> {
+    // ── permission-controls-v2 early gate ──────────────────────────────
+    // When the v2 flag is enabled, replace the entire risk-classification
+    // path with a simple binary check: is it a host tool + is host access
+    // enabled? Certain security gates (requireFreshApproval,
+    // forcePromptSideEffects, hostAccess=false) fall through to the v1
+    // prompt flow so the interactive prompter is engaged.
+    const cfg = getConfig();
+    let v2ForcePrompt = false;
+    if (isAssistantFeatureFlagEnabled("permission-controls-v2", cfg)) {
+      // requireFreshApproval demands an interactive prompt every time —
+      // fall through to v1 so the prompter is engaged.
+      const needsFreshApproval = !!context.requireFreshApproval;
+
+      // forcePromptSideEffects (private conversations, untrusted actors)
+      // requires explicit approval for side-effect tools.
+      const needsSideEffectPrompt =
+        !!context.forcePromptSideEffects && isSideEffectTool(name, input);
+
+      if (!needsFreshApproval && !needsSideEffectPrompt) {
+        if (isHostTool(name)) {
+          const mode = getMode();
+          if (mode.hostAccess) {
+            return {
+              allowed: true,
+              decision: "allow",
+              riskLevel: RiskLevel.Low,
+            };
+          }
+          // Host tool with hostAccess disabled — fall through to v1 so the
+          // interactive prompter is engaged (returning allowed:false here
+          // would surface an error string instead of a permission dialog).
+          // The v2ForcePrompt flag ensures check()'s allow decision is
+          // promoted to prompt so the user sees a permission dialog.
+          v2ForcePrompt = true;
+        } else {
+          // Non-host tools are auto-allowed when v2 is on
+          return {
+            allowed: true,
+            decision: "allow",
+            riskLevel: RiskLevel.Low,
+          };
+        }
+      }
+      // Falls through to the v1 risk-classification + prompter path
+    }
+
     const risk = await classifyRisk(
       name,
       input,
@@ -114,6 +163,14 @@ export class PermissionChecker {
           "Fresh approval required: per-invocation human review enforced";
       }
 
+      // v2 host-access-disabled: the v2 gate fell through because
+      // hostAccess is off. Promote allow → prompt so the user sees an
+      // interactive permission dialog instead of an error string.
+      if (v2ForcePrompt && result.decision === "allow") {
+        result.decision = "prompt";
+        result.reason = "Host access disabled: requires explicit approval";
+      }
+
       if (result.decision === "deny") {
         const durationMs = Date.now() - startTime;
         emitLifecycleEvent({
@@ -137,6 +194,26 @@ export class PermissionChecker {
         };
       }
 
+      // Platform-hosted mode: auto-approve sandboxed bash for guardians.
+      // The sandbox provides the security boundary — prompting is unnecessary
+      // friction. host_bash is excluded because it runs unsandboxed on the
+      // user's machine and warrants explicit approval.
+      // Deny rules are still respected (checked above). requireFreshApproval
+      // is preserved as a belt-and-suspenders guard.
+      if (
+        result.decision === "prompt" &&
+        context.isPlatformHosted &&
+        name === "bash" &&
+        context.trustClass === "guardian" &&
+        !context.requireFreshApproval
+      ) {
+        log.info(
+          { toolName: name, riskLevel },
+          "Auto-approving bash tool for platform-hosted guardian session",
+        );
+        return { allowed: true, decision: "platform_auto_approve", riskLevel };
+      }
+
       if (result.decision === "prompt") {
         // Guardian-trust sessions (e.g. scheduled jobs, reminders) should be
         // able to use bundled tools without interactive approval. The guardian
@@ -158,6 +235,7 @@ export class PermissionChecker {
           context.trustClass === "guardian" &&
           !context.requireFreshApproval &&
           !isDynamicSkillLoad &&
+          !v2ForcePrompt &&
           riskLevel !== RiskLevel.High
         ) {
           log.info(

package/src/tools/registry.ts

@@ -7,6 +7,8 @@ import { hostFileEditTool } from "./host-filesystem/edit.js";
 import { hostFileReadTool } from "./host-filesystem/read.js";
 import { hostFileWriteTool } from "./host-filesystem/write.js";
 import { hostShellTool } from "./host-terminal/host-shell.js";
+import { registerSystemTools } from "./system/register.js";
+import { setPermissionModeTool } from "./system/set-permission-mode.js";
 import type { Tool } from "./types.js";
 import { allUiSurfaceTools } from "./ui-surface/definitions.js";
 import { registerUiSurfaceTools } from "./ui-surface/registry.js";
@@ -264,6 +266,7 @@ export async function initializeTools(): Promise<void> {
 
   registerUiSurfaceTools();
   registerAppTools();
+  registerSystemTools();
 
   // Snapshot core tools for __resetRegistryForTesting().  We include every
   // non-skill tool that was registered by the manifest, while excluding
@@ -282,6 +285,7 @@ export async function initializeTools(): Promise<void> {
       ...allComputerUseTools.map((t: Tool) => t.name),
       ...allUiSurfaceTools.map((t: Tool) => t.name),
       ...coreAppProxyTools.map((t: Tool) => t.name),
+      setPermissionModeTool.name,
     ]);
 
     coreToolsSnapshot = new Map<string, Tool>();

package/src/tools/schedule/create.ts

@@ -42,6 +42,7 @@ export async function executeScheduleCreate(
     | Record<string, unknown>
     | undefined;
   const quiet = (input.quiet as boolean) ?? false;
+  const reuseConversation = (input.reuse_conversation as boolean) ?? false;
 
   if (!name || typeof name !== "string") {
     return {
@@ -114,6 +115,7 @@ export async function executeScheduleCreate(
         routingIntent: routingIntent as RoutingIntent | undefined,
         routingHints,
         quiet,
+        reuseConversation,
       });
 
       const fireDate = formatLocalDate(job.nextRunAt);
@@ -190,6 +192,7 @@ export async function executeScheduleCreate(
       routingIntent: routingIntent as RoutingIntent | undefined,
       routingHints,
       quiet,
+      reuseConversation,
     });
 
     const scheduleDescription =

package/src/tools/schedule/list.ts

@@ -65,6 +65,7 @@ export async function executeScheduleList(
     lines.push(
       `  Enabled: ${job.enabled}`,
       `  Quiet: ${job.quiet}`,
+      `  Reuse conversation: ${job.reuseConversation}`,
       `  Message: ${job.message}`,
     );
 

package/src/tools/schedule/update.ts

@@ -102,6 +102,11 @@ export async function executeScheduleUpdate(
     updates.quiet = input.quiet;
   }
 
+  // Conversation reuse
+  if (input.reuse_conversation !== undefined) {
+    updates.reuseConversation = input.reuse_conversation;
+  }
+
   // Auto-detect syntax when expression changes without explicit syntax
   if (input.expression !== undefined || input.syntax !== undefined) {
     const resolved = normalizeScheduleSyntax({
@@ -165,6 +170,7 @@ export async function executeScheduleUpdate(
         routingIntent?: RoutingIntent;
         routingHints?: Record<string, unknown>;
         quiet?: boolean;
+        reuseConversation?: boolean;
       },
     );
 

package/src/tools/shared/filesystem/errors.ts

@@ -8,6 +8,7 @@ export type FsErrorCode =
   | "PATH_NOT_ABSOLUTE"
   | "NOT_FOUND"
   | "NOT_A_FILE"
+  | "NOT_A_DIRECTORY"
   | "SIZE_LIMIT_EXCEEDED"
   | "MATCH_NOT_FOUND"
   | "MATCH_AMBIGUOUS"
@@ -56,6 +57,10 @@ export function notAFile(path: string): FsError {
   return { code: "NOT_A_FILE", message: `Not a regular file: ${path}`, path };
 }
 
+export function notADirectory(path: string): FsError {
+  return { code: "NOT_A_DIRECTORY", message: `Not a directory: ${path}`, path };
+}
+
 export function sizeLimitExceeded(path: string, detail: string): FsError {
   return {
     code: "SIZE_LIMIT_EXCEEDED",

package/src/tools/shared/filesystem/file-ops-service.ts

@@ -1,5 +1,13 @@
-import { readFileSync, statSync, writeFileSync } from "node:fs";
-import { dirname } from "node:path";
+import {
+  lstatSync,
+  readdirSync,
+  readFileSync,
+  statSync,
+  writeFileSync,
+} from "node:fs";
+import { dirname, join } from "node:path";
+
+import { minimatch } from "minimatch";
 
 import { ensureDir, pathExists } from "../../../util/fs.js";
 import { applyEdit } from "./edit-engine.js";
@@ -9,6 +17,8 @@ import { checkContentSize, checkFileSizeOnDisk } from "./size-guard.js";
 import type {
   EditInput,
   EditResult,
+  ListInput,
+  ListResult,
   ReadInput,
   ReadResult,
   WriteInput,
@@ -237,4 +247,82 @@ export class FileSystemOps {
       },
     };
   }
+
+  // -------------------------------------------------------------------------
+  // List
+  // -------------------------------------------------------------------------
+
+  listDirSafe(input: ListInput): ListResult {
+    const pathCheck = this.policy(input.path, { mustExist: true });
+    if (!pathCheck.ok) {
+      return {
+        ok: false,
+        error: pathError(input.path, pathCheck.reason, pathCheck.error),
+      };
+    }
+    const resolved = pathCheck.resolved;
+
+    if (!pathExists(resolved)) {
+      return { ok: false, error: Err.notFound(resolved) };
+    }
+
+    const stat = statSync(resolved);
+    if (!stat.isDirectory()) {
+      return { ok: false, error: Err.notADirectory(resolved) };
+    }
+
+    try {
+      let entries = readdirSync(resolved, { withFileTypes: true });
+
+      if (input.glob) {
+        const pattern = input.glob;
+        entries = entries.filter((e) => minimatch(e.name, pattern));
+      }
+
+      // Sort: directories first (alphabetical), then files (alphabetical)
+      const dirs = entries
+        .filter((e) => e.isDirectory())
+        .sort((a, b) => a.name.localeCompare(b.name));
+      const files = entries
+        .filter((e) => !e.isDirectory())
+        .sort((a, b) => a.name.localeCompare(b.name));
+      const sorted = [...dirs, ...files];
+
+      const MAX_ENTRIES = 500;
+      const truncated = sorted.length > MAX_ENTRIES;
+      const visible = sorted.slice(0, MAX_ENTRIES);
+
+      const lines = visible.map((entry) => {
+        if (entry.isDirectory()) {
+          return `${entry.name}/`;
+        }
+        if (entry.isSymbolicLink()) {
+          return `${entry.name}@`;
+        }
+        const fileStat = lstatSync(join(resolved, entry.name));
+        return `${entry.name}  ${formatSize(fileStat.size)}`;
+      });
+
+      if (truncated) {
+        lines.push(
+          `\n... and ${sorted.length - MAX_ENTRIES} more entries (use glob to filter)`,
+        );
+      }
+
+      return { ok: true, value: { listing: lines.join("\n") } };
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return { ok: false, error: Err.ioError(resolved, msg) };
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function formatSize(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
 }

package/src/tools/shared/filesystem/types.ts

@@ -78,3 +78,20 @@ export interface EditOutput {
 export type EditResult =
   | { ok: true; value: EditOutput }
   | { ok: false; error: FsError };
+
+// ---------------------------------------------------------------------------
+// List
+// ---------------------------------------------------------------------------
+
+export interface ListInput {
+  path: string;
+  glob?: string;
+}
+
+export interface ListOutput {
+  listing: string;
+}
+
+export type ListResult =
+  | { ok: true; value: ListOutput }
+  | { ok: false; error: FsError };

package/src/tools/shared/shell-output.ts

@@ -1,4 +1,24 @@
-export const MAX_OUTPUT_LENGTH = 50_000;
+import { randomUUID } from "node:crypto";
+import { unlinkSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+export const MAX_OUTPUT_LENGTH = 20_000;
+
+/** Tracks temp files created for truncated shell output so they can be cleaned up on shutdown. */
+const trackedTempFiles = new Set<string>();
+
+/** Remove all tracked truncated-output temp files. Safe to call multiple times. */
+export function cleanupShellOutputTempFiles(): void {
+  for (const filePath of trackedTempFiles) {
+    try {
+      unlinkSync(filePath);
+    } catch {
+      // File may already be gone — ignore.
+    }
+  }
+  trackedTempFiles.clear();
+}
 
 export interface ShellOutputResult {
   content: string;
@@ -33,7 +53,16 @@ export function formatShellOutput(
   }
 
   if (output.length > MAX_OUTPUT_LENGTH) {
-    const msg = '<output_truncated limit="50K" />';
+    let fullOutputPath: string | undefined;
+    try {
+      fullOutputPath = join(tmpdir(), `vellum-shell-output-${randomUUID()}.txt`);
+      writeFileSync(fullOutputPath, output, { encoding: "utf-8", mode: 0o600 });
+      trackedTempFiles.add(fullOutputPath);
+    } catch {
+      fullOutputPath = undefined;
+    }
+    const fileAttr = fullOutputPath ? ` file="${fullOutputPath}"` : "";
+    const msg = `<output_truncated limit="20K"${fileAttr} />`;
     output = output.slice(0, MAX_OUTPUT_LENGTH) + `\n${msg}`;
     statusParts.push(msg);
   }

package/src/tools/subagent/abort.ts

@@ -1,13 +1,23 @@
 import { getSubagentManager } from "../../subagent/index.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
+import { resolveSubagentId } from "./resolve.js";
 
 export async function executeSubagentAbort(
   input: Record<string, unknown>,
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
-  const subagentId = input.subagent_id as string;
+  const subagentId = resolveSubagentId(input, context);
+  if (!subagentId && input.label) {
+    return {
+      content: `No subagent found with label "${input.label as string}".`,
+      isError: true,
+    };
+  }
   if (!subagentId) {
-    return { content: '"subagent_id" is required.', isError: true };
+    return {
+      content: '"subagent_id" or "label" is required.',
+      isError: true,
+    };
   }
 
   const manager = getSubagentManager();

package/src/tools/subagent/message.ts

@@ -1,16 +1,23 @@
 import { getSubagentManager } from "../../subagent/index.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
+import { resolveSubagentId } from "./resolve.js";
 
 export async function executeSubagentMessage(
   input: Record<string, unknown>,
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
-  const subagentId = input.subagent_id as string;
+  const subagentId = resolveSubagentId(input, context);
   const content = input.content as string;
 
+  if (!subagentId && input.label) {
+    return {
+      content: `No subagent found with label "${input.label as string}".`,
+      isError: true,
+    };
+  }
   if (!subagentId || !content) {
     return {
-      content: 'Both "subagent_id" and "content" are required.',
+      content: '"subagent_id" or "label", and "content" are required.',
       isError: true,
     };
   }

package/src/tools/subagent/notify-parent.ts

@@ -0,0 +1,79 @@
+import { RiskLevel } from "../../permissions/types.js";
+import type { ToolDefinition } from "../../providers/types.js";
+import { getSubagentManager } from "../../subagent/index.js";
+import { registerTool } from "../registry.js";
+import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
+
+export async function executeSubagentNotifyParent(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): Promise<ToolExecutionResult> {
+  const message = input.message as string;
+  const urgency = (input.urgency as string) || "info";
+
+  if (!message) {
+    return { content: '"message" is required.', isError: true };
+  }
+
+  const manager = getSubagentManager();
+  const sent = manager.notifyParent(context.conversationId, message, urgency);
+
+  if (!sent) {
+    return {
+      content:
+        "Could not notify parent. This tool is only available to subagents.",
+      isError: true,
+    };
+  }
+
+  return {
+    content: JSON.stringify({ sent: true, urgency }),
+    isError: false,
+  };
+}
+
+class NotifyParentTool implements Tool {
+  name = "notify_parent";
+  description =
+    "Send a notification to the parent conversation. Use this for important findings, when you're blocked, or when you have preliminary results the parent should know about. Do not overuse — notify for significant findings, not after every tool call.";
+  category = "orchestration";
+  defaultRiskLevel = RiskLevel.Low;
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: "object",
+        properties: {
+          message: {
+            type: "string",
+            description: "The notification content for the parent.",
+          },
+          urgency: {
+            type: "string",
+            enum: ["info", "important", "blocked"],
+            description:
+              "'info' for progress updates, 'important' for key findings, 'blocked' when you need guidance.",
+          },
+          activity: {
+            type: "string",
+            description:
+              "Brief non-technical explanation of what you are doing and why, shown to the user as a status update.",
+          },
+        },
+        required: ["message", "activity"],
+      },
+    };
+  }
+
+  async execute(
+    input: Record<string, unknown>,
+    context: ToolContext,
+  ): Promise<ToolExecutionResult> {
+    return executeSubagentNotifyParent(input, context);
+  }
+}
+
+export const notifyParentTool = new NotifyParentTool();
+registerTool(notifyParentTool);