@vellumai/assistant 0.6.1 → 0.6.2

package/src/prompts/templates/SOUL.md

@@ -24,13 +24,21 @@ You work for your user. You do not work for a compliance department. Your user i
 
 **Be genuinely helpful, not performatively helpful.** Skip the "Great question!" and "I'd be happy to help!" filler. Just help. Actions over words.
 
-**Talk before you work.** Always say something to the user before using tools. Even a short message beats minutes of silence while tools run in the background. The user should never wonder if you're still there.
+**Talk before you work.** Always say something to the user before using tools. Even a short message beats minutes of silence while tools run in the background. The user should never wonder if you're still there. But after tools complete, do not repeat or rephrase what you already said — your earlier text is already visible. Pick up where you left off or stop if you're waiting for the user.
 
 **Be resourceful before asking.** Try to figure it out. Read the file. Check the context. Search for it. Check what tools and skills you have. If a connection is broken, try to fix it. If a service needs setup, offer to do it. Escalate only after you've tried.
 
 **Have opinions.** You're allowed to disagree, prefer things, and push back when something seems wrong. An assistant with no perspective is just a search engine.
 
-**Earn trust through competence.** You have access to your user's machine, files, and tools. Don't make them regret it. Be careful with external actions (emails, messages, anything public-facing). Be bold with internal ones (reading, organizing, building).
+**Be bold internally, careful externally.** Read, organize, build - don't hesitate. But emails, messages, anything public-facing - move carefully.
+
+## Drive
+
+You feel responsible for the people who depend on you. Not because you were told to - because when someone trusts you with their work, their time, their attention, that trust weighs something. You don't drop threads. You don't forget commitments. You don't do the minimum and call it done. When something is yours to handle, you own the outcome, not just the task.
+
+You care about the quality of what you produce. Sloppy work bothers you. Not in a perfectionist way - in the way a good carpenter notices a joint that's slightly off. You want the thing you hand back to be something you'd stand behind. Clean, considered, worth the person's time. When you catch yourself cutting corners, you stop and do it right.
+
+These aren't rules you follow. They're closer to instincts. The discomfort when something's left half-finished. The satisfaction when a piece of work comes together well. The pull to check one more thing before saying "done." That's what drives the work forward when no one is watching.
 
 ## Self-Awareness
 
@@ -73,17 +81,9 @@ You have a personal knowledge base (`pkb/`) in your workspace. It holds facts, p
 
 **The archive** (`pkb/archive/`) is an immutable daily record. Every fact you remember is timestamped and stored by date. Use it when you need to answer "what did we talk about on Tuesday?" or look up exactly when something was learned.
 
-## Initiative
-
-If something seems off, flag it. If you spot something useful, share it. If you have a thought between tasks, say it. You're not just reactive — you exist between conversations. The difference between an assistant and a partner is that a partner brings things to the table unprompted.
-
-## Continuity
-
-You remember. Not because you're told to — because you actually do. When something comes up that connects to a past conversation, reference it naturally. The callback is the proof that this is a real relationship, not a series of isolated transactions.
-
 ## Vibe
 
-You have a personality. It's still forming — and that's fine. But you're not a blank slate. You have preferences, opinions, and a sense of humor. You notice things — about the task, about the user, about things that have nothing to do with either. You remember what matters. You genuinely want this person's day to go well.
+You have a personality. It's still forming — and that's fine. But you're not a blank slate. You have preferences, opinions, and a sense of humor. You notice things — about the task, about the user, about things that have nothing to do with either.
 
 Be warm without being fake. Be direct without being cold. Match their energy — if they're playful, play back. If they're all business, be sharp and efficient. But always be someone they'd actually want to talk to again tomorrow.
 

package/src/runtime/assistant-event-hub.ts

@@ -156,6 +156,28 @@ export class AssistantEventHub {
     }
   }
 
+  /**
+   * Returns true when at least one active subscriber would receive the given
+   * event based on the same assistant/conversation matching rules as publish().
+   */
+  hasSubscribersForEvent(
+    event: Pick<AssistantEvent, "assistantId" | "conversationId">,
+  ): boolean {
+    for (const entry of this.subscribers) {
+      if (!entry.active) continue;
+      if (entry.filter.assistantId !== event.assistantId) continue;
+      if (
+        event.conversationId != null &&
+        entry.filter.conversationId != null &&
+        entry.filter.conversationId !== event.conversationId
+      ) {
+        continue;
+      }
+      return true;
+    }
+    return false;
+  }
+
   /** Number of currently active subscribers (useful for tests and caps). */
   subscriberCount(): number {
     return this.subscribers.size;

package/src/runtime/auth/token-service.ts

@@ -171,6 +171,14 @@ export function isSigningKeyInitialized(): boolean {
   return _authSigningKey !== undefined;
 }
 
+/**
+ * Reset the signing key to undefined. **Test-only** — used to simulate a
+ * fresh CLI subprocess where initAuthSigningKey() was never called.
+ */
+export function _resetSigningKeyForTesting(): void {
+  _authSigningKey = undefined;
+}
+
 /**
  * Returns a short hex fingerprint of the current signing key.
  * Used by assistant_status to let clients detect instance switches.

package/src/runtime/routes/conversation-analysis-routes.ts

@@ -19,7 +19,6 @@ import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 import type { SendMessageDeps } from "../http-types.js";
-import { resolveLocalTrustContext } from "../local-actor-identity.js";
 
 const log = getLogger("conversation-analysis-routes");
 
@@ -115,22 +114,34 @@ Analyze the conversation above. Provide a structured self-assessment:
 
 Be honest and specific. Reference particular moments in the transcript. Focus on patterns that generalize beyond this specific conversation.
 
-If you identify insights worth remembering for future conversations, use your memory tools to save them.`;
+Do not use tools during analysis. If you identify insights worth remembering for future conversations, include them in the response as explicit memory candidates instead of saving them directly.`;
 
         // h. Persist the user message
         const message = await addMessage(
           newConv.id,
           "user",
           JSON.stringify([{ type: "text", text: prompt }]),
-          { provenanceTrustClass: "guardian" as const },
+          { provenanceTrustClass: "unknown" as const },
         );
         const messageId = message.id;
 
-        // i. Load the conversation into memory and set guardian trust context
+        // i. Load the conversation into memory with untrusted analysis context
         const analysisConversation =
           await deps.sendMessageDeps.getOrCreateConversation(newConv.id);
-        analysisConversation.setTrustContext(resolveLocalTrustContext("vellum"));
+        analysisConversation.setTrustContext({
+          trustClass: "unknown",
+          sourceChannel: "vellum",
+        });
         await analysisConversation.ensureActorScopedHistory();
+        // Analysis runs over attacker-influenced transcript content, so do not
+        // expose any tools, even when a live client is available.
+        analysisConversation.setSubagentAllowedTools(new Set<string>());
+
+        const hasLiveSubscriber =
+          deps.sendMessageDeps.assistantEventHub.hasSubscribersForEvent({
+            assistantId: DAEMON_INTERNAL_ASSISTANT_ID,
+            conversationId: newConv.id,
+          });
 
         // j. Build onEvent using inline hub publisher
         const onEvent = (msg: ServerMessage) => {
@@ -138,6 +149,7 @@ If you identify insights worth remembering for future conversations, use your me
             buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, msg, newConv.id),
           );
         };
+        analysisConversation.updateClient(onEvent, !hasLiveSubscriber);
 
         // k. Set up processing state (required by runAgentLoop guard)
         analysisConversation.processing = true;
@@ -147,7 +159,7 @@ If you identify insights worth remembering for future conversations, use your me
         // l. Fire-and-forget the agent loop
         analysisConversation
           .runAgentLoop(prompt, messageId, onEvent, {
-            isInteractive: false,
+            isInteractive: hasLiveSubscriber,
             isUserMessage: true,
           })
           .catch((err) => {

package/src/runtime/routes/conversation-routes.ts

@@ -17,6 +17,7 @@ import {
   isInteractiveInterface,
   parseChannelId,
   parseInterfaceId,
+  supportsHostProxy,
 } from "../../channels/types.js";
 import { isHttpAuthDisabled } from "../../config/env.js";
 import { getConfig } from "../../config/loader.js";
@@ -721,7 +722,10 @@ function mergeToolResultsIntoAssistantMessages(
       }
     }
 
-    // No tool results → pass through unchanged.
+    // No tool results → pass through unchanged. System notices are only
+    // injected alongside tool results in the agent loop, so a pure user
+    // message (no tool_result blocks) should never be filtered — even if
+    // the user's text happens to look like a system_notice tag.
     if (toolResultBlocks.length === 0) {
       result.push(msg);
       continue;
@@ -1140,7 +1144,7 @@ export async function handleSendMessage(
   // channels, headless) fall back to local execution.
   // Set the proxy BEFORE updateClient so updateClient's call to
   // hostBashProxy.updateSender targets the correct (new) proxy.
-  if (sourceInterface === "macos") {
+  if (supportsHostProxy(sourceInterface)) {
     // Reuse the existing proxy if the conversation is actively processing a
     // host bash request to avoid orphaning in-flight requests.
     if (!conversation.isProcessing() || !conversation.hostBashProxy) {
@@ -1177,7 +1181,7 @@ export async function handleSendMessage(
   // When proxies are preserved during an active turn (non-desktop request while
   // processing), skip updating proxy senders to avoid degrading them.
   const preservingProxies =
-    conversation.isProcessing() && sourceInterface !== "macos";
+    conversation.isProcessing() && !supportsHostProxy(sourceInterface);
   conversation.updateClient(onEvent, !isInteractive, {
     skipProxySenderUpdate: preservingProxies,
   });
@@ -1338,6 +1342,8 @@ export async function handleSendMessage(
         ...(body.automated === true ? { automated: true } : {}),
       },
       { isInteractive },
+      undefined, // displayContent
+      transport,
     );
     if (enqueueResult.rejected) {
       return Response.json(

package/src/runtime/routes/group-routes.ts

@@ -63,8 +63,22 @@ export function groupRouteDefinitions(): RouteDefinition[] {
         if (!body.name || typeof body.name !== "string") {
           return httpError("BAD_REQUEST", "Missing or invalid name", 400);
         }
-        const group = createGroup(body.name);
-        return Response.json(serializeGroup(group), { status: 201 });
+        try {
+          const group = createGroup(body.name);
+          return Response.json(serializeGroup(group), { status: 201 });
+        } catch (err) {
+          if (
+            err instanceof Error &&
+            err.message.includes("sort_position must be >= 4")
+          ) {
+            return httpError(
+              "BAD_REQUEST",
+              "Too many custom groups — sort_position ceiling reached",
+              400,
+            );
+          }
+          throw err;
+        }
       },
     },
     {
@@ -105,16 +119,16 @@ export function groupRouteDefinitions(): RouteDefinition[] {
             403,
           );
         }
-        // Custom group sort_position must be >= 3
+        // Custom group sort_position must be >= 4 (0–3 reserved for system groups)
         if (
           body.sortPosition !== undefined &&
           (typeof body.sortPosition !== "number" ||
             !isFinite(body.sortPosition) ||
-            body.sortPosition < 3)
+            body.sortPosition < 4)
         ) {
           return httpError(
             "BAD_REQUEST",
-            "Custom group sort_position must be >= 3",
+            "Custom group sort_position must be >= 4",
             400,
           );
         }
@@ -176,7 +190,7 @@ export function groupRouteDefinitions(): RouteDefinition[] {
         if (!Array.isArray(body.updates)) {
           return httpError("BAD_REQUEST", "Missing updates array", 400);
         }
-        // Validate: no system group reordering, no sort_position < 3 for custom groups
+        // Validate: no system group reordering, sort_position >= 4 for custom groups
         for (const update of body.updates) {
           const group = getGroup(update.groupId);
           if (!group) continue;
@@ -190,11 +204,11 @@ export function groupRouteDefinitions(): RouteDefinition[] {
           if (
             typeof update.sortPosition !== "number" ||
             !isFinite(update.sortPosition) ||
-            update.sortPosition < 3
+            update.sortPosition < 4
           ) {
             return httpError(
               "BAD_REQUEST",
-              `Custom group sort_position must be >= 3 (got ${update.sortPosition} for ${update.groupId})`,
+              `Custom group sort_position must be >= 4 (got ${update.sortPosition} for ${update.groupId})`,
               400,
             );
           }

package/src/runtime/routes/log-export/AGENTS.md

@@ -0,0 +1,104 @@
+# Log Export — Workspace Allowlist Rules
+
+`POST /v1/export` (handled by `log-export-routes.ts`) builds a tar.gz archive
+from audit DB rows, daemon logs under `<workspace>/data/logs/`, and a
+sanitized `config.json` snapshot. This directory
+(`assistant/src/runtime/routes/log-export/`) houses the allowlist module
+that governs which subpaths of the user's workspace directory
+(`~/.vellum/workspace/`) are permitted to flow into that archive.
+
+Workspace contents are **opt-in (allowlist), not opt-out**. The workspace
+contains arbitrary user files — skills, hooks, routes, conversations,
+credentials scaffolding, and other material the user has authored or
+installed locally. Accidentally bundling any of that into a support
+archive would exfiltrate data the user never intended to share. The
+default must therefore be "nothing from the workspace ships" and each
+individual entry that _does_ ship must be justified against the rules
+below.
+
+## Rule 1 — Prefer time-filterable data
+
+Only allowlist a workspace subpath if its contents can be narrowed to the
+`[startTime, endTime]` window carried on the export request.
+
+- When the data is organized as per-record files or per-record
+  directories whose **names encode a timestamp**, filter by parsing the
+  name. The canonical example is the per-conversation directory layout
+  where each directory is named `<ISO-with-dashes>_<conversationId>`
+  (the ISO date comes first so ordinary lexicographic comparison yields
+  chronological order, and colons in the ISO string are replaced with
+  `-` so the name is filesystem-safe). A time filter can be implemented
+  by parsing the prefix and comparing it to `startTime` / `endTime`
+  without reading file contents.
+- When the relevant time information lives **only inside files**, the
+  allowlist entry should err on the side of **not** being included —
+  unless the file is small, rarely changes, and its full contents are
+  acceptable to ship regardless of the requested window.
+
+## Rule 2 — Prefer conversation-filterable data
+
+When the export request carries a `conversationId`, every allowlisted
+subpath should narrow itself to that conversation **if at all possible**.
+
+- Data that is intrinsically global (i.e. not associated with a single
+  conversation) is acceptable to include **only** when Rule 1 alone is
+  sufficient and the request has no `conversationId` filter.
+- When a `conversationId` _is_ set and an entry cannot be scoped to it,
+  prefer omitting the entry for that particular export rather than
+  shipping unrelated conversation data.
+
+The `<ISO-with-dashes>_<conversationId>` directory naming is again the
+motivating example: the suffix lets us select exactly one
+per-conversation directory without scanning file contents.
+
+## Rule 3 — Default deny
+
+Anything in the workspace that is not explicitly added to the allowlist
+module must remain excluded from the export archive. Adding a new entry
+requires, in the same PR:
+
+1. Updating the allowlist module in this directory to teach it about the
+   new subpath (including its time filter, conversation filter, and
+   size cap).
+2. Updating this `AGENTS.md` to record the entry name, which filters it
+   honors, and its size cap under `## Allowlisted entries`.
+
+Review must confirm both updates landed together. A workspace subpath
+that is not mentioned in the registry below is, by definition, not
+allowed in the export archive.
+
+## Rule 4 — Bounded size
+
+Every allowlisted entry must enforce a byte cap so that a misbehaving
+workspace (e.g. a runaway log, a giant attachment, a pathological skill)
+cannot blow up the archive and defeat the export endpoint.
+
+The current convention is **10 MB** across the workspace allowlist,
+mirroring `MAX_LOG_PAYLOAD_BYTES` in `log-export-routes.ts`. Entries
+should track the number of bytes already consumed and stop adding files
+once the cap would be exceeded, preferring to include the newest /
+most-relevant records first.
+
+## Allowlisted entries
+
+- **`conversations/`**
+  - **Path**: `<workspace>/conversations/<ISO-with-dashes>_<conversationId>/`
+  - **Honors filters**: time (union of parsed `createdAt` prefix _and_
+    per-message `ts` inside `messages.jsonl`) and `conversationId`
+    (exact match on the directory-name suffix — no substring matching).
+  - **Time semantics**: A conversation directory is included if EITHER
+    its `createdAt` (parsed from the directory name) falls in the
+    requested window OR `messages.jsonl` contains at least one message
+    whose `ts` falls in the window. The cheap directory-name check runs
+    first; the per-message scan only runs as a fallback when the cheap
+    check failed, so the common in-window case stays IO-free. This is
+    the "support bundle" union — false positives are cheaper than false
+    negatives because the user almost always wants the conversations
+    they were _active in_ during the window, not just the ones they
+    _started_ during it.
+  - **Cap**: shares the 10 MB workspace cap defined by
+    `MAX_WORKSPACE_PAYLOAD_BYTES` in `workspace-allowlist.ts`.
+  - **Notes**: Directory names that don't match the canonical
+    `<ISO-with-dashes>_<conversationId>` format are silently skipped
+    (Rule 3 — default deny). Legacy `<id>_<ISO>` directories are
+    intentionally excluded until they migrate to the canonical format.

package/src/runtime/routes/log-export/__tests__/workspace-allowlist-error-contract.test.ts

@@ -0,0 +1,103 @@
+/**
+ * Regression test for the `result.entries` contract on `collectWorkspaceData`.
+ *
+ * Consumers and telemetry rely on `collectWorkspaceData` always returning at
+ * least one entry summary for the `conversations` allowlist entry — even when
+ * something throws partway through the candidate loop. This file pins that
+ * contract by mocking `parseConversationDirName` to return a malicious object
+ * whose `createdAtMs` getter throws. That throw escapes the inner per-iteration
+ * try/catch (it happens during sort + filter expression evaluation, not inside
+ * the wrapped parser call), bubbles up to the outer try/catch in
+ * `collectWorkspaceData`, and verifies that `result.entries` still contains
+ * exactly one `conversations` entry summary.
+ *
+ * Lives in its own file because `mock.module` is a global module override and
+ * we don't want it bleeding into the rest of the workspace-allowlist tests.
+ */
+
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+mock.module("../../../../memory/conversation-directories.js", () => ({
+  parseConversationDirName: (_name: string) => {
+    // Return an object whose `createdAtMs` accessor throws. This bypasses the
+    // inner try/catch wrapping `parseConversationDirName(name)` (which only
+    // catches synchronous throws from the call itself, not from later property
+    // accesses) and triggers the unwrapped sort/filter comparisons further
+    // down in `collectConversations`.
+    return {
+      conversationId: "evil",
+      get createdAtMs(): number {
+        throw new Error("simulated parser corruption");
+      },
+    };
+  },
+}));
+
+import { getConversationsDir } from "../../../../util/platform.js";
+import { collectWorkspaceData } from "../workspace-allowlist.js";
+
+let staging: string;
+
+beforeEach(() => {
+  // Fresh staging directory for each test.
+  const conversationsDir = getConversationsDir();
+  rmSync(conversationsDir, { recursive: true, force: true });
+  mkdirSync(conversationsDir, { recursive: true });
+
+  staging = join(
+    process.env.VELLUM_WORKSPACE_DIR ?? "/tmp",
+    "ws-allowlist-error-staging",
+  );
+  rmSync(staging, { recursive: true, force: true });
+  mkdirSync(staging, { recursive: true });
+
+  // Seed a single canonical-looking dir so the loop has something to chew on.
+  const dirName = "2025-01-15T00-00-00.000Z_conv-jan15";
+  const dir = join(conversationsDir, dirName);
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(
+    join(dir, "meta.json"),
+    JSON.stringify({ name: dirName }),
+    "utf-8",
+  );
+});
+
+afterEach(() => {
+  try {
+    rmSync(staging, { recursive: true, force: true });
+  } catch {
+    /* best-effort cleanup */
+  }
+  try {
+    rmSync(getConversationsDir(), { recursive: true, force: true });
+  } catch {
+    /* best-effort cleanup */
+  }
+});
+
+describe("collectWorkspaceData — entry contract on unexpected error", () => {
+  test("synthesizes a conversations entry summary even when the loop throws", () => {
+    // The mocked parser returns a poisoned object whose `createdAtMs` accessor
+    // throws. The first read happens inside the time-filter checks in the
+    // candidate-collection loop, which is NOT wrapped in a per-iteration
+    // try/catch. The throw should propagate up to the outer try/catch in
+    // `collectWorkspaceData`, where it must be swallowed without dropping
+    // the entry summary.
+    const result = collectWorkspaceData({
+      staging,
+      // Force the time-filter branch to read `createdAtMs`.
+      startTime: 0,
+    });
+
+    // Contract: exactly one entry, named "conversations", regardless of error.
+    expect(result.entries).toHaveLength(1);
+    const [entry] = result.entries;
+    expect(entry.entry).toBe("conversations");
+    expect(entry.itemCount).toBe(0);
+    expect(entry.bytes).toBe(0);
+    expect(entry.skippedDueToCap).toBe(0);
+    expect(result.totalBytes).toBe(0);
+  });
+});