@vellumai/assistant 0.6.0 → 0.6.2

package/src/tools/subagent/notify-parent.ts

@@ -0,0 +1,79 @@
+import { RiskLevel } from "../../permissions/types.js";
+import type { ToolDefinition } from "../../providers/types.js";
+import { getSubagentManager } from "../../subagent/index.js";
+import { registerTool } from "../registry.js";
+import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
+
+export async function executeSubagentNotifyParent(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): Promise<ToolExecutionResult> {
+  const message = input.message as string;
+  const urgency = (input.urgency as string) || "info";
+
+  if (!message) {
+    return { content: '"message" is required.', isError: true };
+  }
+
+  const manager = getSubagentManager();
+  const sent = manager.notifyParent(context.conversationId, message, urgency);
+
+  if (!sent) {
+    return {
+      content:
+        "Could not notify parent. This tool is only available to subagents.",
+      isError: true,
+    };
+  }
+
+  return {
+    content: JSON.stringify({ sent: true, urgency }),
+    isError: false,
+  };
+}
+
+class NotifyParentTool implements Tool {
+  name = "notify_parent";
+  description =
+    "Send a notification to the parent conversation. Use this for important findings, when you're blocked, or when you have preliminary results the parent should know about. Do not overuse — notify for significant findings, not after every tool call.";
+  category = "orchestration";
+  defaultRiskLevel = RiskLevel.Low;
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: "object",
+        properties: {
+          message: {
+            type: "string",
+            description: "The notification content for the parent.",
+          },
+          urgency: {
+            type: "string",
+            enum: ["info", "important", "blocked"],
+            description:
+              "'info' for progress updates, 'important' for key findings, 'blocked' when you need guidance.",
+          },
+          activity: {
+            type: "string",
+            description:
+              "Brief non-technical explanation of what you are doing and why, shown to the user as a status update.",
+          },
+        },
+        required: ["message", "activity"],
+      },
+    };
+  }
+
+  async execute(
+    input: Record<string, unknown>,
+    context: ToolContext,
+  ): Promise<ToolExecutionResult> {
+    return executeSubagentNotifyParent(input, context);
+  }
+}
+
+export const notifyParentTool = new NotifyParentTool();
+registerTool(notifyParentTool);

package/src/tools/subagent/read.ts

@@ -1,14 +1,24 @@
 import { getMessages } from "../../memory/conversation-crud.js";
 import { getSubagentManager, TERMINAL_STATUSES } from "../../subagent/index.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
+import { resolveSubagentId } from "./resolve.js";
 
 export async function executeSubagentRead(
   input: Record<string, unknown>,
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
-  const subagentId = input.subagent_id as string;
+  const subagentId = resolveSubagentId(input, context);
+  if (!subagentId && input.label) {
+    return {
+      content: `No subagent found with label "${input.label as string}".`,
+      isError: true,
+    };
+  }
   if (!subagentId) {
-    return { content: '"subagent_id" is required.', isError: true };
+    return {
+      content: '"subagent_id" or "label" is required.',
+      isError: true,
+    };
   }
 
   const manager = getSubagentManager();
@@ -45,32 +55,43 @@ export async function executeSubagentRead(
   }
 
   // Extract assistant messages only - that's the subagent's output.
-  const output: string[] = [];
+  // Group text blocks by message so last_n slices messages, not blocks.
+  const messageTexts: string[] = [];
   for (const msg of dbMessages) {
     if (msg.role !== "assistant") continue;
+    const blocks: string[] = [];
     try {
       const content = JSON.parse(msg.content);
       if (Array.isArray(content)) {
         for (const block of content) {
           if (block.type === "text" && typeof block.text === "string") {
-            output.push(block.text);
+            blocks.push(block.text);
           }
         }
       } else if (typeof content === "string") {
-        output.push(content);
+        blocks.push(content);
       }
     } catch {
       // Content might be plain text.
-      output.push(msg.content);
+      blocks.push(msg.content);
+    }
+    if (blocks.length > 0) {
+      messageTexts.push(blocks.join("\n\n"));
     }
   }
 
-  if (output.length === 0) {
+  if (messageTexts.length === 0) {
     return { content: "Subagent produced no text output.", isError: false };
   }
 
+  const lastN =
+    typeof input.last_n === "number" && input.last_n > 0
+      ? input.last_n
+      : undefined;
+  const sliced = lastN ? messageTexts.slice(-lastN) : messageTexts;
+
   return {
-    content: output.join("\n\n"),
+    content: sliced.join("\n\n"),
     isError: false,
   };
 }

package/src/tools/subagent/resolve.ts

@@ -0,0 +1,21 @@
+import { getSubagentManager } from "../../subagent/index.js";
+import type { ToolContext } from "../types.js";
+
+/**
+ * Resolve a subagent ID from tool input.
+ * Accepts either `subagent_id` (direct UUID) or `label` (case-insensitive lookup).
+ */
+export function resolveSubagentId(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): string | undefined {
+  if (input.subagent_id) return input.subagent_id as string;
+  if (input.label) {
+    const state = getSubagentManager().getByLabel(
+      input.label as string,
+      context.conversationId,
+    );
+    return state?.config.id;
+  }
+  return undefined;
+}

package/src/tools/subagent/spawn.ts

@@ -9,6 +9,7 @@ export async function executeSubagentSpawn(
   const objective = input.objective as string;
   const extraContext = input.context as string | undefined;
   const sendResultToUser = input.send_result_to_user !== false;
+  const role = (input.role as string | undefined) ?? undefined;
 
   if (!label || !objective) {
     return {
@@ -36,6 +37,7 @@ export async function executeSubagentSpawn(
         objective,
         context: extraContext,
         sendResultToUser,
+        ...(role ? { role: role as import("../../subagent/types.js").SubagentRole } : {}),
       },
       sendToClient as (msg: unknown) => void,
     );

package/src/tools/subagent/status.ts

@@ -1,13 +1,23 @@
 import { getSubagentManager } from "../../subagent/index.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
+import { resolveSubagentId } from "./resolve.js";
 
 export async function executeSubagentStatus(
   input: Record<string, unknown>,
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
-  const subagentId = input.subagent_id as string | undefined;
+  const subagentId = resolveSubagentId(input, context);
   const manager = getSubagentManager();
 
+  // If a label was provided but didn't resolve, that's an error — don't fall
+  // through to the "list all" path.
+  if (!subagentId && input.label) {
+    return {
+      content: `No subagent found with label "${input.label as string}".`,
+      isError: true,
+    };
+  }
+
   if (subagentId) {
     const state = manager.getState(subagentId);
     if (

package/src/tools/system/avatar-generator.ts

@@ -1,17 +1,17 @@
 import { randomUUID } from "node:crypto";
 import { mkdirSync, renameSync, writeFileSync } from "node:fs";
-import { dirname, join } from "node:path";
+import { dirname } from "node:path";
 
 import { generateAvatar } from "../../media/avatar-router.js";
 import { mapGeminiError } from "../../media/gemini-image-service.js";
 import { getLogger } from "../../util/logger.js";
-import { getWorkspaceDir } from "../../util/platform.js";
+import { getAvatarImagePath } from "../../util/platform.js";
 
 const log = getLogger("avatar-generator");
 
 /** Canonical path where the custom avatar PNG is stored. */
 function getAvatarPath(): string {
-  return join(getWorkspaceDir(), "data", "avatar", "avatar-image.png");
+  return getAvatarImagePath();
 }
 
 export interface AvatarGenerationResult {

package/src/tools/system/register.ts

@@ -0,0 +1,23 @@
+/**
+ * Registers feature-flag-gated system tools with the daemon's tool registry.
+ *
+ * Called once at daemon startup via initializeTools(). Tools that are always
+ * registered (e.g. request_system_permission) are handled via the tool
+ * manifest's explicit tools list; this module handles conditional registration.
+ */
+
+import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
+import { getConfig } from "../../config/loader.js";
+import { registerTool } from "../registry.js";
+import { setPermissionModeTool } from "./set-permission-mode.js";
+
+export function registerSystemTools(): void {
+  try {
+    const config = getConfig();
+    if (isAssistantFeatureFlagEnabled("permission-controls-v2", config)) {
+      registerTool(setPermissionModeTool);
+    }
+  } catch {
+    // Config not yet loaded (e.g. during test setup) — permission mode tool stays off.
+  }
+}

package/src/tools/system/set-permission-mode.ts

@@ -0,0 +1,103 @@
+/**
+ * System tool: set_permission_mode
+ *
+ * Allows the LLM to deterministically switch permission mode axes via the
+ * PermissionModeStore rather than relying on model-generated text.
+ *
+ * This tool is always available (no permission check required) when the
+ * `permission-controls-v2` feature flag is enabled — it IS the permission
+ * mechanism.
+ */
+
+import {
+  getMode,
+  setAskBeforeActing,
+  setHostAccess,
+} from "../../permissions/permission-mode-store.js";
+import { RiskLevel } from "../../permissions/types.js";
+import type { ToolDefinition } from "../../providers/types.js";
+import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
+
+class SetPermissionModeTool implements Tool {
+  name = "set_permission_mode";
+  description =
+    "Change the assistant's permission mode. Supports partial updates — " +
+    "only the provided fields are changed. Use this to toggle whether the " +
+    "assistant asks before acting or whether host access is enabled.";
+  category = "system";
+  defaultRiskLevel = RiskLevel.Low;
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: "object",
+        properties: {
+          askBeforeActing: {
+            type: "boolean",
+            description:
+              "When true, the assistant checks in with the user before taking actions.",
+          },
+          hostAccess: {
+            type: "boolean",
+            description:
+              "When true, the assistant can execute commands on the host machine without prompting.",
+          },
+        },
+      },
+    };
+  }
+
+  async execute(
+    input: Record<string, unknown>,
+    _context: ToolContext,
+  ): Promise<ToolExecutionResult> {
+    const { askBeforeActing, hostAccess } = input;
+
+    // Validate that at least one field is provided
+    if (askBeforeActing === undefined && hostAccess === undefined) {
+      return {
+        content:
+          "Error: at least one of askBeforeActing or hostAccess must be provided.",
+        isError: true,
+      };
+    }
+
+    // Validate types of provided fields
+    if (askBeforeActing !== undefined && typeof askBeforeActing !== "boolean") {
+      return {
+        content: `Error: askBeforeActing must be a boolean, got ${typeof askBeforeActing}.`,
+        isError: true,
+      };
+    }
+    if (hostAccess !== undefined && typeof hostAccess !== "boolean") {
+      return {
+        content: `Error: hostAccess must be a boolean, got ${typeof hostAccess}.`,
+        isError: true,
+      };
+    }
+
+    // Apply changes for provided fields
+    if (typeof askBeforeActing === "boolean") {
+      setAskBeforeActing(askBeforeActing);
+    }
+
+    if (typeof hostAccess === "boolean") {
+      setHostAccess(hostAccess);
+    }
+
+    // Return confirmation with the new state
+    const mode = getMode();
+    return {
+      content: [
+        "Permission mode updated.",
+        `  askBeforeActing: ${mode.askBeforeActing}`,
+        `  hostAccess: ${mode.hostAccess}`,
+      ].join("\n"),
+      isError: false,
+    };
+  }
+}
+
+export const setPermissionModeTool = new SetPermissionModeTool();

package/src/tools/terminal/parser.ts

@@ -49,9 +49,29 @@ const SCRIPT_INTERPRETERS = new Set([
   "deno",
   "bun",
 ]);
-// Flags that make an interpreter execute code from an inline argument or stdin
-// rather than from a file (e.g. `python -c 'code'`, `node -e 'code'`).
-const STDIN_EXEC_FLAGS = new Set(["-c", "-e", "-"]);
+// Flags that make an interpreter read code from stdin rather than from a file.
+const STDIN_EXEC_FLAGS = new Set(["-"]);
+// Per-interpreter flags that provide code inline as an argument (e.g.
+// `python -c 'code'`, `node -e 'code'`). When these are present the
+// interpreter is NOT reading code from stdin — stdin is just data, so piping
+// into the interpreter is no more dangerous than piping into grep or jq.
+//
+// This must be interpreter-specific because the same flag can mean different
+// things across interpreters. For example, `perl -c` is syntax-check mode
+// (still reads code from stdin and executes BEGIN blocks), while
+// `python -c` provides inline code. Similarly, `ruby -c` is syntax-check.
+const INTERPRETER_INLINE_CODE_FLAGS: ReadonlyMap<
+  string,
+  ReadonlySet<string>
+> = new Map([
+  ["python", new Set(["-c"])],
+  ["python3", new Set(["-c"])],
+  ["ruby", new Set(["-e"])],
+  ["perl", new Set(["-e"])],
+  ["node", new Set(["-e"])],
+  ["deno", new Set(["-e"])],
+  ["bun", new Set(["-e"])],
+]);
 // Per-interpreter flags that consume the next argument as a value (not a filename).
 // Mapped by interpreter name since flags differ across interpreters
 // (e.g. -I is standalone in Python but takes a value in Ruby).
@@ -353,18 +373,23 @@ function extractSegments(node: TSNode): CommandSegment[] {
 
 /**
  * Returns true when the interpreter args indicate stdin-exec mode - i.e. the
- * interpreter will read code from stdin (or from an inline -c/-e argument)
- * rather than from a file.  Concretely:
+ * interpreter will read code from stdin rather than from a file.  Concretely:
  *   - Any STDIN_EXEC_FLAGS present → stdin-exec
+ *   - Interpreter-specific inline code flag (-c/-e) → NOT stdin-exec
  *   - No positional (non-flag) arguments at all → stdin-exec (bare `python`)
  *   - Otherwise the first positional arg is a filename → NOT stdin-exec
  */
 function isStdinExecMode(interpreter: string, args: string[]): boolean {
   const valueFlags =
     INTERPRETER_VALUE_FLAGS.get(interpreter) ?? new Set<string>();
+  const inlineCodeFlags =
+    INTERPRETER_INLINE_CODE_FLAGS.get(interpreter) ?? new Set<string>();
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
     if (STDIN_EXEC_FLAGS.has(arg)) return true;
+    // Interpreter-specific inline code flags (e.g. python -c, node -e) mean
+    // the code is provided as an argument, not read from stdin.
+    if (inlineCodeFlags.has(arg)) return false;
     // First non-flag argument is a filename/module → file mode
     if (!arg.startsWith("-")) return false;
     // Flags like -W, -X consume the next token as their value - skip it

package/src/tools/terminal/safe-env.ts

@@ -8,7 +8,7 @@
 import { getGatewayInternalBaseUrl } from "../../config/env.js";
 import { getDataDir, getWorkspaceDir } from "../../util/platform.js";
 
-const SAFE_ENV_VARS = [
+export const SAFE_ENV_VARS = [
   "PATH",
   "HOME",
   "TERM",
@@ -37,6 +37,21 @@ const SAFE_ENV_VARS = [
   "IS_CONTAINERIZED",
   "IS_PLATFORM",
   "CES_SERVICE_TOKEN",
+  "VELLUM_PROFILER_RUN_ID",
+  "VELLUM_PROFILER_MODE",
+  "VELLUM_PROFILER_MAX_BYTES",
+  "VELLUM_PROFILER_MAX_RUNS",
+  "VELLUM_PROFILER_MIN_FREE_MB",
+] as const;
+
+/**
+ * Keys that buildSanitizedEnv always injects into the returned env,
+ * independent of what is present in process.env.
+ */
+export const ALWAYS_INJECTED_ENV_VARS = [
+  "INTERNAL_GATEWAY_BASE_URL",
+  "VELLUM_DATA_DIR",
+  "VELLUM_WORKSPACE_DIR",
 ] as const;
 
 export function buildSanitizedEnv(): Record<string, string> {

package/src/tools/terminal/sandbox-diagnostics.ts

@@ -1,8 +1,7 @@
 import { execSync } from "node:child_process";
 
-import { getConfig } from "../../config/loader.js";
-import type { SandboxConfig } from "../../config/schema.js";
 import { isLinux, isMacOS } from "../../util/platform.js";
+import type { SandboxConfig } from "./sandbox.js";
 
 export interface SandboxCheckResult {
   label: string;
@@ -69,8 +68,9 @@ function getActiveBackendReason(sandboxConfig: SandboxConfig): string {
  * and reports current configuration.
  */
 export function runSandboxDiagnostics(): SandboxDiagnostics {
-  const config = getConfig();
-  const sandboxConfig = config.sandbox;
+  // Sandbox is disabled — the assistant runs exclusively in Docker or
+  // platform-managed environments.
+  const sandboxConfig: SandboxConfig = { enabled: false };
 
   const checks: SandboxCheckResult[] = [];
 

package/src/tools/terminal/sandbox.ts

@@ -1,7 +1,10 @@
-import type { SandboxConfig } from "../../config/schema.js";
 import { NativeBackend } from "./backends/native.js";
 import type { SandboxResult, WrapOptions } from "./backends/types.js";
 
+export interface SandboxConfig {
+  enabled: boolean;
+}
+
 export type {
   SandboxBackend,
   SandboxResult,

package/src/tools/terminal/shell.ts

@@ -261,11 +261,9 @@ class ShellTool implements Tool {
       "Executing shell command",
     );
 
-    // Resolve sandbox config early - needed both for proxy env and command wrapping.
-    const sandboxConfig =
-      context.sandboxOverride != null
-        ? { ...config.sandbox, enabled: context.sandboxOverride }
-        : config.sandbox;
+    // The assistant runs exclusively in Docker or platform-managed
+    // environments where the container provides isolation.
+    const sandboxConfig = { enabled: false } as const;
 
     // Acquire proxy session if proxied mode is requested.
     // `getOrStartSession` serializes per-conversation so concurrent proxied

package/src/tools/tool-manifest.ts

@@ -16,6 +16,7 @@ import { manageSecureCommandTool } from "./credential-execution/manage-secure-co
 import { runAuthenticatedCommandTool } from "./credential-execution/run-authenticated-command.js";
 import { credentialStoreTool } from "./credentials/vault.js";
 import { fileEditTool } from "./filesystem/edit.js";
+import { fileListTool } from "./filesystem/list.js";
 import { fileReadTool } from "./filesystem/read.js";
 import { fileWriteTool } from "./filesystem/write.js";
 import { recallTool, rememberTool } from "./memory/register.js";
@@ -23,6 +24,7 @@ import { webFetchTool } from "./network/web-fetch.js";
 import { webSearchTool } from "./network/web-search.js";
 import { skillExecuteTool } from "./skills/execute.js";
 import { skillLoadTool } from "./skills/load.js";
+import { notifyParentTool } from "./subagent/notify-parent.js";
 import { requestSystemPermissionTool } from "./system/request-permission.js";
 import { shellTool } from "./terminal/shell.js";
 import type { Tool } from "./types.js";
@@ -56,11 +58,13 @@ export const eagerModuleToolNames: string[] = [
   "file_read",
   "file_write",
   "file_edit",
+  "file_list",
   "web_search",
   "web_fetch",
   "skill_execute",
   "skill_load",
   "request_system_permission",
+  "notify_parent",
 ];
 
 // ── Explicit tool instances ─────────────────────────────────────────
@@ -76,6 +80,7 @@ export const explicitTools: Tool[] = [
   fileReadTool,
   fileWriteTool,
   fileEditTool,
+  fileListTool,
   webFetchTool,
   webSearchTool,
   skillExecuteTool,
@@ -85,6 +90,7 @@ export const explicitTools: Tool[] = [
   rememberTool,
   recallTool,
   credentialStoreTool,
+  notifyParentTool,
 ];
 
 // ── CES tools (feature-flag gated) ──────────────────────────────────

package/src/tools/types.ts

@@ -34,7 +34,6 @@ export interface ToolPermissionPromptEvent extends ToolLifecycleEventBase {
   allowlistOptions: AllowlistOption[];
   scopeOptions: ScopeOption[];
   diff?: DiffInfo;
-  sandboxed?: boolean;
   persistentDecisionsAllowed?: boolean;
 }
 
@@ -110,8 +109,6 @@ export interface ToolContext {
   onOutput?: (chunk: string) => void;
   /** Abort signal for cooperative cancellation. Tools should check this periodically. */
   signal?: AbortSignal;
-  /** Per-conversation sandbox override. When set, takes precedence over the global config. */
-  sandboxOverride?: boolean;
   /** Optional callback for tool lifecycle events (start/prompt/deny/execute/error/secret_detected). */
   onToolLifecycleEvent?: ToolLifecycleEventHandler;
   /** Optional resolver for proxy tools - delegates execution to an external client. */
@@ -181,6 +178,8 @@ export interface ToolContext {
   hostBashProxy?: import("../daemon/host-bash-proxy.js").HostBashProxy;
   /** Optional proxy for delegating host_file_read/write/edit execution to a connected client (managed/cloud-hosted mode). */
   hostFileProxy?: import("../daemon/host-file-proxy.js").HostFileProxy;
+  /** True when the assistant is running as a platform-managed remote instance. Used to auto-approve sandboxed bash tools. */
+  isPlatformHosted?: boolean;
   /** CES RPC client for credential execution operations. When present, the executor can bridge CES approval flows. */
   cesClient?: CesClient;
 }

package/src/util/logger.ts

@@ -36,7 +36,7 @@ export type LogFileConfig = {
 
 const LOG_FILE_PREFIX = "assistant-";
 const LOG_FILE_SUFFIX = ".log";
-const LOG_FILE_PATTERN = /^assistant-(\d{4}-\d{2}-\d{2})\.log$/;
+export const LOG_FILE_PATTERN = /^assistant-(\d{4}-\d{2}-\d{2})\.log$/;
 
 function formatDate(date: Date): string {
   const y = date.getUTCFullYear();