@vellumai/assistant 0.6.0 → 0.6.1

package/src/tools/subagent/read.ts

@@ -1,14 +1,24 @@
 import { getMessages } from "../../memory/conversation-crud.js";
 import { getSubagentManager, TERMINAL_STATUSES } from "../../subagent/index.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
+import { resolveSubagentId } from "./resolve.js";
 
 export async function executeSubagentRead(
   input: Record<string, unknown>,
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
-  const subagentId = input.subagent_id as string;
+  const subagentId = resolveSubagentId(input, context);
+  if (!subagentId && input.label) {
+    return {
+      content: `No subagent found with label "${input.label as string}".`,
+      isError: true,
+    };
+  }
   if (!subagentId) {
-    return { content: '"subagent_id" is required.', isError: true };
+    return {
+      content: '"subagent_id" or "label" is required.',
+      isError: true,
+    };
   }
 
   const manager = getSubagentManager();
@@ -45,32 +55,43 @@ export async function executeSubagentRead(
   }
 
   // Extract assistant messages only - that's the subagent's output.
-  const output: string[] = [];
+  // Group text blocks by message so last_n slices messages, not blocks.
+  const messageTexts: string[] = [];
   for (const msg of dbMessages) {
     if (msg.role !== "assistant") continue;
+    const blocks: string[] = [];
     try {
       const content = JSON.parse(msg.content);
       if (Array.isArray(content)) {
         for (const block of content) {
           if (block.type === "text" && typeof block.text === "string") {
-            output.push(block.text);
+            blocks.push(block.text);
           }
         }
       } else if (typeof content === "string") {
-        output.push(content);
+        blocks.push(content);
       }
     } catch {
       // Content might be plain text.
-      output.push(msg.content);
+      blocks.push(msg.content);
+    }
+    if (blocks.length > 0) {
+      messageTexts.push(blocks.join("\n\n"));
     }
   }
 
-  if (output.length === 0) {
+  if (messageTexts.length === 0) {
     return { content: "Subagent produced no text output.", isError: false };
   }
 
+  const lastN =
+    typeof input.last_n === "number" && input.last_n > 0
+      ? input.last_n
+      : undefined;
+  const sliced = lastN ? messageTexts.slice(-lastN) : messageTexts;
+
   return {
-    content: output.join("\n\n"),
+    content: sliced.join("\n\n"),
     isError: false,
   };
 }

package/src/tools/subagent/resolve.ts

@@ -0,0 +1,21 @@
+import { getSubagentManager } from "../../subagent/index.js";
+import type { ToolContext } from "../types.js";
+
+/**
+ * Resolve a subagent ID from tool input.
+ * Accepts either `subagent_id` (direct UUID) or `label` (case-insensitive lookup).
+ */
+export function resolveSubagentId(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): string | undefined {
+  if (input.subagent_id) return input.subagent_id as string;
+  if (input.label) {
+    const state = getSubagentManager().getByLabel(
+      input.label as string,
+      context.conversationId,
+    );
+    return state?.config.id;
+  }
+  return undefined;
+}

package/src/tools/subagent/spawn.ts

@@ -9,6 +9,7 @@ export async function executeSubagentSpawn(
   const objective = input.objective as string;
   const extraContext = input.context as string | undefined;
   const sendResultToUser = input.send_result_to_user !== false;
+  const role = (input.role as string | undefined) ?? undefined;
 
   if (!label || !objective) {
     return {
@@ -36,6 +37,7 @@ export async function executeSubagentSpawn(
         objective,
         context: extraContext,
         sendResultToUser,
+        ...(role ? { role: role as import("../../subagent/types.js").SubagentRole } : {}),
       },
       sendToClient as (msg: unknown) => void,
     );

package/src/tools/subagent/status.ts

@@ -1,13 +1,23 @@
 import { getSubagentManager } from "../../subagent/index.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
+import { resolveSubagentId } from "./resolve.js";
 
 export async function executeSubagentStatus(
   input: Record<string, unknown>,
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
-  const subagentId = input.subagent_id as string | undefined;
+  const subagentId = resolveSubagentId(input, context);
   const manager = getSubagentManager();
 
+  // If a label was provided but didn't resolve, that's an error — don't fall
+  // through to the "list all" path.
+  if (!subagentId && input.label) {
+    return {
+      content: `No subagent found with label "${input.label as string}".`,
+      isError: true,
+    };
+  }
+
   if (subagentId) {
     const state = manager.getState(subagentId);
     if (

package/src/tools/system/avatar-generator.ts

@@ -1,17 +1,17 @@
 import { randomUUID } from "node:crypto";
 import { mkdirSync, renameSync, writeFileSync } from "node:fs";
-import { dirname, join } from "node:path";
+import { dirname } from "node:path";
 
 import { generateAvatar } from "../../media/avatar-router.js";
 import { mapGeminiError } from "../../media/gemini-image-service.js";
 import { getLogger } from "../../util/logger.js";
-import { getWorkspaceDir } from "../../util/platform.js";
+import { getAvatarImagePath } from "../../util/platform.js";
 
 const log = getLogger("avatar-generator");
 
 /** Canonical path where the custom avatar PNG is stored. */
 function getAvatarPath(): string {
-  return join(getWorkspaceDir(), "data", "avatar", "avatar-image.png");
+  return getAvatarImagePath();
 }
 
 export interface AvatarGenerationResult {

package/src/tools/system/register.ts

@@ -0,0 +1,23 @@
+/**
+ * Registers feature-flag-gated system tools with the daemon's tool registry.
+ *
+ * Called once at daemon startup via initializeTools(). Tools that are always
+ * registered (e.g. request_system_permission) are handled via the tool
+ * manifest's explicit tools list; this module handles conditional registration.
+ */
+
+import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
+import { getConfig } from "../../config/loader.js";
+import { registerTool } from "../registry.js";
+import { setPermissionModeTool } from "./set-permission-mode.js";
+
+export function registerSystemTools(): void {
+  try {
+    const config = getConfig();
+    if (isAssistantFeatureFlagEnabled("permission-controls-v2", config)) {
+      registerTool(setPermissionModeTool);
+    }
+  } catch {
+    // Config not yet loaded (e.g. during test setup) — permission mode tool stays off.
+  }
+}

package/src/tools/system/set-permission-mode.ts

@@ -0,0 +1,103 @@
+/**
+ * System tool: set_permission_mode
+ *
+ * Allows the LLM to deterministically switch permission mode axes via the
+ * PermissionModeStore rather than relying on model-generated text.
+ *
+ * This tool is always available (no permission check required) when the
+ * `permission-controls-v2` feature flag is enabled — it IS the permission
+ * mechanism.
+ */
+
+import {
+  getMode,
+  setAskBeforeActing,
+  setHostAccess,
+} from "../../permissions/permission-mode-store.js";
+import { RiskLevel } from "../../permissions/types.js";
+import type { ToolDefinition } from "../../providers/types.js";
+import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
+
+class SetPermissionModeTool implements Tool {
+  name = "set_permission_mode";
+  description =
+    "Change the assistant's permission mode. Supports partial updates — " +
+    "only the provided fields are changed. Use this to toggle whether the " +
+    "assistant asks before acting or whether host access is enabled.";
+  category = "system";
+  defaultRiskLevel = RiskLevel.Low;
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: "object",
+        properties: {
+          askBeforeActing: {
+            type: "boolean",
+            description:
+              "When true, the assistant checks in with the user before taking actions.",
+          },
+          hostAccess: {
+            type: "boolean",
+            description:
+              "When true, the assistant can execute commands on the host machine without prompting.",
+          },
+        },
+      },
+    };
+  }
+
+  async execute(
+    input: Record<string, unknown>,
+    _context: ToolContext,
+  ): Promise<ToolExecutionResult> {
+    const { askBeforeActing, hostAccess } = input;
+
+    // Validate that at least one field is provided
+    if (askBeforeActing === undefined && hostAccess === undefined) {
+      return {
+        content:
+          "Error: at least one of askBeforeActing or hostAccess must be provided.",
+        isError: true,
+      };
+    }
+
+    // Validate types of provided fields
+    if (askBeforeActing !== undefined && typeof askBeforeActing !== "boolean") {
+      return {
+        content: `Error: askBeforeActing must be a boolean, got ${typeof askBeforeActing}.`,
+        isError: true,
+      };
+    }
+    if (hostAccess !== undefined && typeof hostAccess !== "boolean") {
+      return {
+        content: `Error: hostAccess must be a boolean, got ${typeof hostAccess}.`,
+        isError: true,
+      };
+    }
+
+    // Apply changes for provided fields
+    if (typeof askBeforeActing === "boolean") {
+      setAskBeforeActing(askBeforeActing);
+    }
+
+    if (typeof hostAccess === "boolean") {
+      setHostAccess(hostAccess);
+    }
+
+    // Return confirmation with the new state
+    const mode = getMode();
+    return {
+      content: [
+        "Permission mode updated.",
+        `  askBeforeActing: ${mode.askBeforeActing}`,
+        `  hostAccess: ${mode.hostAccess}`,
+      ].join("\n"),
+      isError: false,
+    };
+  }
+}
+
+export const setPermissionModeTool = new SetPermissionModeTool();

package/src/tools/terminal/parser.ts

@@ -49,9 +49,29 @@ const SCRIPT_INTERPRETERS = new Set([
   "deno",
   "bun",
 ]);
-// Flags that make an interpreter execute code from an inline argument or stdin
-// rather than from a file (e.g. `python -c 'code'`, `node -e 'code'`).
-const STDIN_EXEC_FLAGS = new Set(["-c", "-e", "-"]);
+// Flags that make an interpreter read code from stdin rather than from a file.
+const STDIN_EXEC_FLAGS = new Set(["-"]);
+// Per-interpreter flags that provide code inline as an argument (e.g.
+// `python -c 'code'`, `node -e 'code'`). When these are present the
+// interpreter is NOT reading code from stdin — stdin is just data, so piping
+// into the interpreter is no more dangerous than piping into grep or jq.
+//
+// This must be interpreter-specific because the same flag can mean different
+// things across interpreters. For example, `perl -c` is syntax-check mode
+// (still reads code from stdin and executes BEGIN blocks), while
+// `python -c` provides inline code. Similarly, `ruby -c` is syntax-check.
+const INTERPRETER_INLINE_CODE_FLAGS: ReadonlyMap<
+  string,
+  ReadonlySet<string>
+> = new Map([
+  ["python", new Set(["-c"])],
+  ["python3", new Set(["-c"])],
+  ["ruby", new Set(["-e"])],
+  ["perl", new Set(["-e"])],
+  ["node", new Set(["-e"])],
+  ["deno", new Set(["-e"])],
+  ["bun", new Set(["-e"])],
+]);
 // Per-interpreter flags that consume the next argument as a value (not a filename).
 // Mapped by interpreter name since flags differ across interpreters
 // (e.g. -I is standalone in Python but takes a value in Ruby).
@@ -353,18 +373,23 @@ function extractSegments(node: TSNode): CommandSegment[] {
 
 /**
  * Returns true when the interpreter args indicate stdin-exec mode - i.e. the
- * interpreter will read code from stdin (or from an inline -c/-e argument)
- * rather than from a file.  Concretely:
+ * interpreter will read code from stdin rather than from a file.  Concretely:
  *   - Any STDIN_EXEC_FLAGS present → stdin-exec
+ *   - Interpreter-specific inline code flag (-c/-e) → NOT stdin-exec
  *   - No positional (non-flag) arguments at all → stdin-exec (bare `python`)
  *   - Otherwise the first positional arg is a filename → NOT stdin-exec
  */
 function isStdinExecMode(interpreter: string, args: string[]): boolean {
   const valueFlags =
     INTERPRETER_VALUE_FLAGS.get(interpreter) ?? new Set<string>();
+  const inlineCodeFlags =
+    INTERPRETER_INLINE_CODE_FLAGS.get(interpreter) ?? new Set<string>();
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
     if (STDIN_EXEC_FLAGS.has(arg)) return true;
+    // Interpreter-specific inline code flags (e.g. python -c, node -e) mean
+    // the code is provided as an argument, not read from stdin.
+    if (inlineCodeFlags.has(arg)) return false;
     // First non-flag argument is a filename/module → file mode
     if (!arg.startsWith("-")) return false;
     // Flags like -W, -X consume the next token as their value - skip it

package/src/tools/terminal/safe-env.ts

@@ -8,7 +8,7 @@
 import { getGatewayInternalBaseUrl } from "../../config/env.js";
 import { getDataDir, getWorkspaceDir } from "../../util/platform.js";
 
-const SAFE_ENV_VARS = [
+export const SAFE_ENV_VARS = [
   "PATH",
   "HOME",
   "TERM",
@@ -37,6 +37,21 @@ const SAFE_ENV_VARS = [
   "IS_CONTAINERIZED",
   "IS_PLATFORM",
   "CES_SERVICE_TOKEN",
+  "VELLUM_PROFILER_RUN_ID",
+  "VELLUM_PROFILER_MODE",
+  "VELLUM_PROFILER_MAX_BYTES",
+  "VELLUM_PROFILER_MAX_RUNS",
+  "VELLUM_PROFILER_MIN_FREE_MB",
+] as const;
+
+/**
+ * Keys that buildSanitizedEnv always injects into the returned env,
+ * independent of what is present in process.env.
+ */
+export const ALWAYS_INJECTED_ENV_VARS = [
+  "INTERNAL_GATEWAY_BASE_URL",
+  "VELLUM_DATA_DIR",
+  "VELLUM_WORKSPACE_DIR",
 ] as const;
 
 export function buildSanitizedEnv(): Record<string, string> {

package/src/tools/tool-manifest.ts

@@ -16,6 +16,7 @@ import { manageSecureCommandTool } from "./credential-execution/manage-secure-co
 import { runAuthenticatedCommandTool } from "./credential-execution/run-authenticated-command.js";
 import { credentialStoreTool } from "./credentials/vault.js";
 import { fileEditTool } from "./filesystem/edit.js";
+import { fileListTool } from "./filesystem/list.js";
 import { fileReadTool } from "./filesystem/read.js";
 import { fileWriteTool } from "./filesystem/write.js";
 import { recallTool, rememberTool } from "./memory/register.js";
@@ -23,6 +24,7 @@ import { webFetchTool } from "./network/web-fetch.js";
 import { webSearchTool } from "./network/web-search.js";
 import { skillExecuteTool } from "./skills/execute.js";
 import { skillLoadTool } from "./skills/load.js";
+import { notifyParentTool } from "./subagent/notify-parent.js";
 import { requestSystemPermissionTool } from "./system/request-permission.js";
 import { shellTool } from "./terminal/shell.js";
 import type { Tool } from "./types.js";
@@ -56,11 +58,13 @@ export const eagerModuleToolNames: string[] = [
   "file_read",
   "file_write",
   "file_edit",
+  "file_list",
   "web_search",
   "web_fetch",
   "skill_execute",
   "skill_load",
   "request_system_permission",
+  "notify_parent",
 ];
 
 // ── Explicit tool instances ─────────────────────────────────────────
@@ -76,6 +80,7 @@ export const explicitTools: Tool[] = [
   fileReadTool,
   fileWriteTool,
   fileEditTool,
+  fileListTool,
   webFetchTool,
   webSearchTool,
   skillExecuteTool,
@@ -85,6 +90,7 @@ export const explicitTools: Tool[] = [
   rememberTool,
   recallTool,
   credentialStoreTool,
+  notifyParentTool,
 ];
 
 // ── CES tools (feature-flag gated) ──────────────────────────────────

package/src/tools/types.ts

@@ -181,6 +181,8 @@ export interface ToolContext {
   hostBashProxy?: import("../daemon/host-bash-proxy.js").HostBashProxy;
   /** Optional proxy for delegating host_file_read/write/edit execution to a connected client (managed/cloud-hosted mode). */
   hostFileProxy?: import("../daemon/host-file-proxy.js").HostFileProxy;
+  /** True when the assistant is running as a platform-managed remote instance. Used to auto-approve sandboxed bash tools. */
+  isPlatformHosted?: boolean;
   /** CES RPC client for credential execution operations. When present, the executor can bridge CES approval flows. */
   cesClient?: CesClient;
 }

package/src/util/logger.ts

@@ -36,7 +36,7 @@ export type LogFileConfig = {
 
 const LOG_FILE_PREFIX = "assistant-";
 const LOG_FILE_SUFFIX = ".log";
-const LOG_FILE_PATTERN = /^assistant-(\d{4}-\d{2}-\d{2})\.log$/;
+export const LOG_FILE_PATTERN = /^assistant-(\d{4}-\d{2}-\d{2})\.log$/;
 
 function formatDate(date: Date): string {
   const y = date.getUTCFullYear();

package/src/util/platform.ts

@@ -25,16 +25,6 @@ export function getPlatformName(): string {
   return process.platform;
 }
 
-/**
- * Returns the platform-specific clipboard copy command, or null if
- * clipboard access is not supported on the current platform.
- */
-export function getClipboardCommand(): string | null {
-  if (isMacOS()) return "pbcopy";
-  if (isLinux()) return "xclip -selection clipboard";
-  return null;
-}
-
 /**
  * Normalize an assistant ID to its canonical form for DB operations.
  *
@@ -105,13 +95,25 @@ export function getInterfacesDir(): string {
 
 /**
  * Returns the sounds directory (~/.vellum/workspace/data/sounds).
- * Custom sound files and sound configuration live here. Sound files
- * can be large, so this directory is excluded from diagnostic exports.
+ * Custom sound files and sound configuration live here.
  */
 export function getSoundsDir(): string {
   return join(getWorkspaceDir(), "data", "sounds");
 }
 
+/** Returns the avatar directory ($VELLUM_WORKSPACE_DIR/data/avatar). */
+export function getAvatarDir(): string {
+  return join(getWorkspaceDir(), "data", "avatar");
+}
+
+/** Canonical filename for the custom avatar PNG. */
+export const AVATAR_IMAGE_FILENAME = "avatar-image.png";
+
+/** Returns the canonical avatar image path (~/.vellum/workspace/data/avatar/avatar-image.png). */
+export function getAvatarImagePath(): string {
+  return join(getAvatarDir(), AVATAR_IMAGE_FILENAME);
+}
+
 /**
  * Returns the TCP port the daemon should listen on for iOS clients.
  * Hardcoded default: 8765.
@@ -218,7 +220,7 @@ export function getHistoryPath(): string {
  * overrides, device approval lists — live here.
  *
  * This directory is:
- * - Outside the workspace (not included in diagnostic exports)
+ * - Outside the workspace
  * - Outside the sandbox write boundary (tools cannot modify it)
  * - Skipped in containerized mode (credentials via CES, trust via gateway)
  */
@@ -271,10 +273,6 @@ export function getEmbedWorkerPidPath(): string {
  * When the VELLUM_WORKSPACE_DIR env var is set, returns that value (used in
  * containerized deployments where the workspace is a separate volume).
  * Otherwise falls back to ~/.vellum/workspace.
- *
- * WARNING: The entire workspace directory is included in diagnostic log exports
- * ("Send logs to Vellum"). Do not store secrets, API keys, or sensitive
- * credentials here — use the credential store or ~/.vellum/protected/ instead.
  */
 export function getWorkspaceDir(): string {
   const override = getWorkspaceDirOverride();
@@ -315,6 +313,11 @@ export function getWorkspaceHooksDir(): string {
   return join(getWorkspaceDir(), "hooks");
 }
 
+/** Returns $VELLUM_WORKSPACE_DIR/routes — user-defined HTTP route handlers. */
+export function getWorkspaceRoutesDir(): string {
+  return join(getWorkspaceDir(), "routes");
+}
+
 /** Returns ~/.vellum/workspace/deprecated — transitional files slated for removal. */
 export function getDeprecatedDir(): string {
   return join(getWorkspaceDir(), "deprecated");
@@ -330,6 +333,35 @@ export function getWorkspacePromptPath(file: string): string {
   return join(getWorkspaceDir(), file);
 }
 
+// ── Profiler filesystem layout ──────────────────────────────────────────
+// Managed profiler runs live under <workspace>/data/profiler/. These
+// helpers enforce a single canonical layout so every runtime caller
+// resolves the same paths.
+
+/**
+ * Returns the profiler root directory (<workspace>/data/profiler).
+ * All profiler state (runs directory, global metadata) lives here.
+ */
+export function getProfilerRootDir(): string {
+  return join(getDataDir(), "profiler");
+}
+
+/**
+ * Returns the profiler runs directory (<workspace>/data/profiler/runs).
+ * Each completed or active profiler run gets its own sub-directory here.
+ */
+export function getProfilerRunsDir(): string {
+  return join(getProfilerRootDir(), "runs");
+}
+
+/**
+ * Returns the directory for a specific profiler run by ID
+ * (<workspace>/data/profiler/runs/<runId>).
+ */
+export function getProfilerRunDir(runId: string): string {
+  return join(getProfilerRunsDir(), runId);
+}
+
 export function ensureDataDir(): void {
   const root = vellumRoot();
   const workspace = getWorkspaceDir();
@@ -342,6 +374,7 @@ export function ensureDataDir(): void {
     join(workspace, "signals"),
     join(workspace, "hooks"),
     join(workspace, "skills"),
+    join(workspace, "routes"),
     join(workspace, "embedding-models"),
     join(workspace, "conversations"),
     join(workspace, "logs"),

package/src/workspace/migrations/023-move-config-files-to-workspace.ts

@@ -3,8 +3,8 @@
  *
  * Previously, dictation-profiles.json, email-guardrails.json, and
  * active-call-leases.json lived directly under getRootDir() (~/.vellum/).
- * This migration moves them into the workspace directory so they are
- * included in diagnostic exports and follow the workspace convention.
+ * This migration moves them into the workspace directory so they follow
+ * the workspace convention for organizational consistency.
  */
 
 import { existsSync, renameSync, unlinkSync } from "node:fs";

package/src/workspace/migrations/024-move-runtime-files-to-workspace.ts

@@ -40,8 +40,8 @@ function getRootDir(): string {
 const FILE_MOVES: Array<{ name: string; subdir?: string }> = [
   { name: "daemon-stderr.log", subdir: "logs" },
   { name: "daemon-startup.lock" },
-  // .env stays at root — it contains secrets (API keys) and the entire
-  // workspace directory is included in diagnostic log exports.
+  // .env stays at root — it contains secrets (API keys) and should not
+  // be in the sandbox working directory.
   { name: "embed-worker.pid" },
 ];