@vellumai/assistant 0.6.1 → 0.6.3

package/src/tools/subagent/status.ts

@@ -34,6 +34,7 @@ export async function executeSubagentStatus(
         subagentId: state.config.id,
         label: state.config.label,
         status: state.status,
+        isFork: state.isFork,
         error: state.error,
         createdAt: state.createdAt,
         startedAt: state.startedAt,
@@ -57,6 +58,7 @@ export async function executeSubagentStatus(
     subagentId: s.config.id,
     label: s.config.label,
     status: s.status,
+    isFork: s.isFork,
     error: s.error,
   }));
 

package/src/tools/system/register.ts

@@ -1,23 +1,9 @@
 /**
  * Registers feature-flag-gated system tools with the daemon's tool registry.
  *
- * Called once at daemon startup via initializeTools(). Tools that are always
- * registered (e.g. request_system_permission) are handled via the tool
- * manifest's explicit tools list; this module handles conditional registration.
+ * No conditional tools are currently registered.
  */
 
-import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
-import { getConfig } from "../../config/loader.js";
-import { registerTool } from "../registry.js";
-import { setPermissionModeTool } from "./set-permission-mode.js";
-
 export function registerSystemTools(): void {
-  try {
-    const config = getConfig();
-    if (isAssistantFeatureFlagEnabled("permission-controls-v2", config)) {
-      registerTool(setPermissionModeTool);
-    }
-  } catch {
-    // Config not yet loaded (e.g. during test setup) — permission mode tool stays off.
-  }
+  // No-op.
 }

package/src/tools/terminal/safe-env.ts

@@ -32,6 +32,7 @@ export const SAFE_ENV_VARS = [
   "CES_BOOTSTRAP_SOCKET_DIR",
   "GATEWAY_INTERNAL_URL",
   "VELLUM_PLATFORM_URL",
+  "VELLUM_DOCS_BASE_URL",
   "CES_CREDENTIAL_URL",
   "CES_MANAGED_MODE",
   "IS_CONTAINERIZED",
@@ -42,6 +43,8 @@ export const SAFE_ENV_VARS = [
   "VELLUM_PROFILER_MAX_BYTES",
   "VELLUM_PROFILER_MAX_RUNS",
   "VELLUM_PROFILER_MIN_FREE_MB",
+  "VELLUM_MEMORY_LIMIT",
+  "VELLUM_CPU_LIMIT",
 ] as const;
 
 /**
@@ -71,5 +74,9 @@ export function buildSanitizedEnv(): Record<string, string> {
   // Expose the workspace directory so skills and child processes can read/write
   // workspace-scoped files (e.g. avatar traits, user data).
   env.VELLUM_WORKSPACE_DIR = getWorkspaceDir();
+  // Ensure UTF-8 locale so multi-byte characters (em dashes, curly quotes,
+  // arrows, etc.) survive piping through tools like pbcopy without corruption.
+  if (!env.LANG) env.LANG = "C.UTF-8";
+  if (!env.LC_ALL) env.LC_ALL = "C.UTF-8";
   return env;
 }

package/src/tools/terminal/sandbox-diagnostics.ts

@@ -1,8 +1,7 @@
 import { execSync } from "node:child_process";
 
-import { getConfig } from "../../config/loader.js";
-import type { SandboxConfig } from "../../config/schema.js";
 import { isLinux, isMacOS } from "../../util/platform.js";
+import type { SandboxConfig } from "./sandbox.js";
 
 export interface SandboxCheckResult {
   label: string;
@@ -69,8 +68,9 @@ function getActiveBackendReason(sandboxConfig: SandboxConfig): string {
  * and reports current configuration.
  */
 export function runSandboxDiagnostics(): SandboxDiagnostics {
-  const config = getConfig();
-  const sandboxConfig = config.sandbox;
+  // Sandbox is disabled — the assistant runs exclusively in Docker or
+  // platform-managed environments.
+  const sandboxConfig: SandboxConfig = { enabled: false };
 
   const checks: SandboxCheckResult[] = [];
 

package/src/tools/terminal/sandbox.ts

@@ -1,7 +1,10 @@
-import type { SandboxConfig } from "../../config/schema.js";
 import { NativeBackend } from "./backends/native.js";
 import type { SandboxResult, WrapOptions } from "./backends/types.js";
 
+export interface SandboxConfig {
+  enabled: boolean;
+}
+
 export type {
   SandboxBackend,
   SandboxResult,

package/src/tools/terminal/shell.ts

@@ -261,11 +261,9 @@ class ShellTool implements Tool {
       "Executing shell command",
     );
 
-    // Resolve sandbox config early - needed both for proxy env and command wrapping.
-    const sandboxConfig =
-      context.sandboxOverride != null
-        ? { ...config.sandbox, enabled: context.sandboxOverride }
-        : config.sandbox;
+    // The assistant runs exclusively in Docker or platform-managed
+    // environments where the container provides isolation.
+    const sandboxConfig = { enabled: false } as const;
 
     // Acquire proxy session if proxied mode is requested.
     // `getOrStartSession` serializes per-conversation so concurrent proxied
@@ -329,30 +327,35 @@ class ShellTool implements Tool {
         detached: true,
       });
 
-      const timer = setTimeout(() => {
-        timedOut = true;
+      // Kill the entire process tree. Tries the process group first
+      // (negative PID), then falls back to killing the direct child if the
+      // PID is unavailable or the group kill fails.
+      const killTree = () => {
+        if (child.pid != null) {
+          try {
+            process.kill(-child.pid, "SIGKILL");
+            return;
+          } catch {
+            // Process group may have already exited — fall through.
+          }
+        }
         try {
-          process.kill(-child.pid!, "SIGKILL");
+          child.kill("SIGKILL");
         } catch {
-          // Process group may have already exited.
+          // Child may have already exited.
         }
+      };
+
+      const timer = setTimeout(() => {
+        timedOut = true;
+        killTree();
       }, timeoutMs);
 
       // Cooperative cancellation via AbortSignal
-      const onAbort = () => {
-        try {
-          process.kill(-child.pid!, "SIGKILL");
-        } catch {
-          // Process group may have already exited.
-        }
-      };
+      const onAbort = () => killTree();
       if (context.signal) {
         if (context.signal.aborted) {
-          try {
-            process.kill(-child.pid!, "SIGKILL");
-          } catch {
-            // Process group may have already exited.
-          }
+          killTree();
         } else {
           context.signal.addEventListener("abort", onAbort, { once: true });
         }

package/src/tools/tool-approval-handler.ts

@@ -4,6 +4,10 @@ import {
   getCanonicalGuardianRequest,
   updateCanonicalGuardianRequest,
 } from "../memory/canonical-guardian-store.js";
+import {
+  isConversationHostAccessEnabled,
+  isPermissionControlsV2Enabled,
+} from "../permissions/v2-consent-policy.js";
 import { isUntrustedTrustClass } from "../runtime/actor-trust-resolver.js";
 import { createOrReuseToolGrantRequest } from "../runtime/tool-grant-request-helper.js";
 import { redactSecrets } from "../security/secret-scanner.js";
@@ -178,6 +182,10 @@ function guardianApprovalDeniedMessage(
   return `Permission denied for "${toolName}": this action requires guardian approval and the current actor is not the guardian.`;
 }
 
+function trustedContactHostAccessDeniedMessage(toolName: string): string {
+  return `Permission denied for "${toolName}": computer access is not enabled for this conversation. Confirm the guardian's intent conversationally and ask them to enable computer access for this conversation before retrying.`;
+}
+
 export type PreExecutionGateResult =
   | { allowed: true; tool: Tool; grantConsumed?: boolean }
   | { allowed: false; result: ToolExecutionResult };
@@ -216,6 +224,8 @@ export class ToolApprovalHandler {
     startTime: number,
     emitLifecycleEvent: (event: ToolLifecycleEvent) => void,
   ): Promise<PreExecutionGateResult> {
+    const v2Enabled = isPermissionControlsV2Enabled();
+
     // Bail out immediately if the session was aborted before this tool started.
     if (context.signal?.aborted) {
       const durationMs = Date.now() - startTime;
@@ -286,9 +296,44 @@ export class ToolApprovalHandler {
       | Parameters<typeof consumeGrantForInvocation>[0]
       | null = null;
 
+    const guardianApprovalRequired = requiresGuardianApprovalForActor(
+      name,
+      input,
+      executionTarget,
+    );
+
+    if (
+      v2Enabled &&
+      context.trustClass === "trusted_contact" &&
+      guardianApprovalRequired &&
+      executionTarget === "host" &&
+      !isConversationHostAccessEnabled(context.conversationId)
+    ) {
+      const durationMs = Date.now() - startTime;
+      const reason = trustedContactHostAccessDeniedMessage(name);
+      emitLifecycleEvent({
+        type: "permission_denied",
+        toolName: name,
+        executionTarget,
+        input,
+        workingDir: context.workingDir,
+        conversationId: context.conversationId,
+        requestId: context.requestId,
+        riskLevel,
+        decision: "deny",
+        reason,
+        durationMs,
+      });
+      return {
+        allowed: false,
+        result: { content: reason, isError: true },
+      };
+    }
+
     if (
       isUntrustedTrustClass(context.trustClass) &&
-      requiresGuardianApprovalForActor(name, input, executionTarget)
+      guardianApprovalRequired &&
+      !(v2Enabled && context.trustClass === "trusted_contact")
     ) {
       const inputDigest = computeToolApprovalDigest(name, input);
       needsGrantConsumption = true;
@@ -513,7 +558,8 @@ export class ToolApprovalHandler {
           toolName: name,
           inputDigest,
           questionText: buildToolGrantQuestionText(name, input, context),
-          requesterIdentifier: context.requesterDisplayName || context.requesterIdentifier,
+          requesterIdentifier:
+            context.requesterDisplayName || context.requesterIdentifier,
         });
 
         // Only wait inline if the escalation succeeded (created or deduped).

package/src/tools/types.ts

@@ -34,7 +34,6 @@ export interface ToolPermissionPromptEvent extends ToolLifecycleEventBase {
   allowlistOptions: AllowlistOption[];
   scopeOptions: ScopeOption[];
   diff?: DiffInfo;
-  sandboxed?: boolean;
   persistentDecisionsAllowed?: boolean;
 }
 
@@ -110,8 +109,6 @@ export interface ToolContext {
   onOutput?: (chunk: string) => void;
   /** Abort signal for cooperative cancellation. Tools should check this periodically. */
   signal?: AbortSignal;
-  /** Per-conversation sandbox override. When set, takes precedence over the global config. */
-  sandboxOverride?: boolean;
   /** Optional callback for tool lifecycle events (start/prompt/deny/execute/error/secret_detected). */
   onToolLifecycleEvent?: ToolLifecycleEventHandler;
   /** Optional resolver for proxy tools - delegates execution to an external client. */
@@ -179,6 +176,8 @@ export interface ToolContext {
   toolUseId?: string;
   /** Optional proxy for delegating host_bash execution to a connected client (managed/cloud-hosted mode). */
   hostBashProxy?: import("../daemon/host-bash-proxy.js").HostBashProxy;
+  /** Optional proxy for delegating CDP commands to a connected client (managed/cloud-hosted mode). */
+  hostBrowserProxy?: import("../daemon/host-browser-proxy.js").HostBrowserProxy;
   /** Optional proxy for delegating host_file_read/write/edit execution to a connected client (managed/cloud-hosted mode). */
   hostFileProxy?: import("../daemon/host-file-proxy.js").HostFileProxy;
   /** True when the assistant is running as a platform-managed remote instance. Used to auto-approve sandboxed bash tools. */

package/src/util/platform.ts

@@ -136,30 +136,13 @@ export function isTCPEnabled(): boolean {
 
 /**
  * Returns the hostname/address for the TCP listener.
- * If iOS pairing is enabled (flag file): '0.0.0.0' (LAN-accessible).
- * Default: '127.0.0.1' (localhost only).
+ * Always binds to localhost only. iOS pairing uses the gateway
+ * relay.
  */
 export function getTCPHost(): string {
-  if (isIOSPairingEnabled()) return "0.0.0.0";
   return "127.0.0.1";
 }
 
-/**
- * Returns whether iOS pairing mode is enabled.
- * When enabled, the TCP listener binds to 0.0.0.0 (all interfaces)
- * instead of 127.0.0.1 (localhost only), making the daemon reachable
- * from iOS devices on the same local network.
- *
- * Checks for the presence of the flag file ~/.vellum/ios-pairing-enabled.
- * Default: false.
- *
- * This is separate from isTCPEnabled() — TCP can be enabled for localhost-only
- * access without exposing the daemon to the LAN.
- */
-export function isIOSPairingEnabled(): boolean {
-  return existsSync(join(vellumRoot(), "ios-pairing-enabled"));
-}
-
 /**
  * Returns the XDG-compliant path for the platform API token
  * (~/.config/vellum/platform-token). This is the canonical location
@@ -202,6 +185,18 @@ export function getPidPath(): string {
   return join(vellumRoot(), "vellum.pid");
 }
 
+/**
+ * Returns the path to the runtime HTTP port file (~/.vellum/runtime-port).
+ * The daemon writes its active HTTP port here on startup so thin helpers
+ * that need to reach the runtime (e.g. the chrome-extension native messaging
+ * helper) can locate a non-default `RUNTIME_HTTP_PORT` without a manifest
+ * change. Root-level path by design — the file is read by helpers that may
+ * not know the workspace override path.
+ */
+export function getRuntimePortFilePath(): string {
+  return join(vellumRoot(), "runtime-port");
+}
+
 export function getDbPath(): string {
   return join(getDataDir(), "db", "assistant.db");
 }

package/src/watcher/provider-types.ts

@@ -28,7 +28,7 @@ export interface WatcherProvider {
   id: string;
   /** Human-readable name. */
   displayName: string;
-  /** Credential service required (e.g. 'integration:google'). */
+  /** Credential service required (e.g. 'google'). */
   requiredCredentialService: string;
 
   /**

package/src/workspace/migrations/029-seed-pkb.ts

@@ -14,6 +14,7 @@ const INDEX_TEMPLATE = `_ Lines starting with _ are comments - they won't appear
 - threads.md — Active commitments, follow-ups, and projects in progress
 - buffer.md — Inbox of recently learned facts (filed periodically)
 
+
 ## Topics
 `;
 

package/src/workspace/migrations/030-seed-pkb-autoinject.ts

@@ -0,0 +1,73 @@
+import { existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import type { WorkspaceMigration } from "./types.js";
+
+const AUTOINJECT_TEMPLATE = `_ Lines starting with _ are comments - they won't appear in the injected context
+_ List one PKB filename per line. These files are loaded into every conversation.
+_ Remove a line to stop autoinjecting that file. Add new filenames to inject more.
+
+INDEX.md
+essentials.md
+threads.md
+buffer.md
+`;
+
+const INDEX_ENTRY = "- _autoinject.md — Controls which files are loaded into every conversation";
+
+export const seedPkbAutoinjectMigration: WorkspaceMigration = {
+  id: "030-seed-pkb-autoinject",
+  description: "Seed pkb/_autoinject.md for configurable PKB autoinjection",
+
+  run(workspaceDir: string): void {
+    const pkbDir = join(workspaceDir, "pkb");
+    if (!existsSync(pkbDir)) return;
+
+    // Seed _autoinject.md if it doesn't already exist
+    const autoinjectPath = join(pkbDir, "_autoinject.md");
+    if (!existsSync(autoinjectPath)) {
+      writeFileSync(autoinjectPath, AUTOINJECT_TEMPLATE, "utf-8");
+    }
+
+    // Append _autoinject.md entry to INDEX.md if not already present
+    const indexPath = join(pkbDir, "INDEX.md");
+    if (existsSync(indexPath)) {
+      try {
+        const indexContent = readFileSync(indexPath, "utf-8");
+        if (!indexContent.includes("_autoinject.md")) {
+          // Insert after the last "Always Loaded" entry (buffer.md line)
+          const bufferLine = "- buffer.md";
+          const bufferIdx = indexContent.indexOf(bufferLine);
+          if (bufferIdx !== -1) {
+            const endOfBufferLine = indexContent.indexOf("\n", bufferIdx);
+            const insertAt =
+              endOfBufferLine === -1 ? indexContent.length : endOfBufferLine;
+            const updated =
+              indexContent.slice(0, insertAt) +
+              "\n" +
+              INDEX_ENTRY +
+              indexContent.slice(insertAt);
+            writeFileSync(indexPath, updated, "utf-8");
+          }
+        }
+      } catch {
+        // INDEX.md unreadable — skip
+      }
+    }
+  },
+
+  down(workspaceDir: string): void {
+    const autoinjectPath = join(workspaceDir, "pkb", "_autoinject.md");
+    if (!existsSync(autoinjectPath)) return;
+
+    try {
+      const content = readFileSync(autoinjectPath, "utf-8");
+      // Only delete if content matches the template (preserve user edits)
+      if (content === AUTOINJECT_TEMPLATE) {
+        unlinkSync(autoinjectPath);
+      }
+    } catch {
+      // Unreadable — leave it alone
+    }
+  },
+};

package/src/workspace/migrations/registry.ts

@@ -26,6 +26,7 @@ import { backfillInstallMetaMigration } from "./026-backfill-install-meta.js";
 import { removeOrphanedOptimizedImagesCacheMigration } from "./027-remove-orphaned-optimized-images-cache.js";
 import { recoverConversationsFromDiskViewMigration } from "./028-recover-conversations-from-disk-view.js";
 import { seedPkbMigration } from "./029-seed-pkb.js";
+import { seedPkbAutoinjectMigration } from "./030-seed-pkb-autoinject.js";
 import { migrateToWorkspaceVolumeMigration } from "./migrate-to-workspace-volume.js";
 import type { WorkspaceMigration } from "./types.js";
 
@@ -63,4 +64,5 @@ export const WORKSPACE_MIGRATIONS: WorkspaceMigration[] = [
   removeOrphanedOptimizedImagesCacheMigration,
   recoverConversationsFromDiskViewMigration,
   seedPkbMigration,
+  seedPkbAutoinjectMigration,
 ];

package/src/workspace/top-level-renderer.ts

@@ -1,7 +1,21 @@
+import { homedir, userInfo } from "node:os";
+
 import type { TopLevelSnapshot } from "./top-level-scanner.js";
 
 export interface WorkspaceTopLevelRenderOptions {
   conversationAttachmentsPath?: string | null;
+  /**
+   * Host home directory on the client machine. When provided, takes
+   * precedence over the daemon's own `os.homedir()`. This matters for
+   * platform-managed (containerized) daemons where `os.homedir()` returns
+   * the container's home, not the user's actual Mac.
+   */
+  hostHomeDir?: string;
+  /**
+   * Host username on the client machine. When provided, takes precedence
+   * over the daemon's own `os.userInfo().username`. See `hostHomeDir`.
+   */
+  hostUsername?: string;
 }
 
 /**
@@ -19,11 +33,15 @@ export function renderWorkspaceTopLevelContext(
   lines.push(`Directories: ${snapshot.directories.join(", ")}`);
   lines.push(`Files: ${snapshot.files.join(", ")}`);
   if (options.conversationAttachmentsPath) {
-    lines.push(`Current conversation attachments: ${options.conversationAttachmentsPath}`);
+    lines.push(
+      `Current conversation attachments: ${options.conversationAttachmentsPath}`,
+    );
   }
   if (snapshot.truncated) {
     lines.push("(list truncated — more entries exist)");
   }
+  lines.push(`Host home directory: ${options.hostHomeDir ?? homedir()}`);
+  lines.push(`Host username: ${options.hostUsername ?? userInfo().username}`);
   lines.push("</workspace>");
   return lines.join("\n");
 }