@vellumai/assistant 0.6.1 → 0.6.3

package/src/__tests__/task-scheduler.test.ts

@@ -128,9 +128,17 @@ describe("scheduler run_task detection", () => {
     forceScheduleDue(schedule.id);
 
     // Track all processMessage calls
-    const directCalls: { conversationId: string; message: string }[] = [];
-    const processMessage = async (conversationId: string, message: string) => {
-      directCalls.push({ conversationId, message });
+    const directCalls: Array<{
+      conversationId: string;
+      message: string;
+      options?: { trustClass?: string; taskRunId?: string };
+    }> = [];
+    const processMessage = async (
+      conversationId: string,
+      message: string,
+      options?: { trustClass?: string; taskRunId?: string },
+    ) => {
+      directCalls.push({ conversationId, message, options });
     };
 
     const scheduler = startScheduler(
@@ -154,6 +162,8 @@ describe("scheduler run_task detection", () => {
     expect(runTaskCalls.length).toBe(1);
     // The scheduler should NOT pass the raw run_task: message to processMessage
     expect(rawCalls.length).toBe(0);
+    expect(runTaskCalls[0].options?.trustClass).toBe("guardian");
+    expect(typeof runTaskCalls[0].options?.taskRunId).toBe("string");
   });
 
   test("regular messages still go through processMessage normally", async () => {
@@ -167,9 +177,17 @@ describe("scheduler run_task detection", () => {
 
     forceScheduleDue(schedule.id);
 
-    const processedMessages: { conversationId: string; message: string }[] = [];
-    const processMessage = async (conversationId: string, message: string) => {
-      processedMessages.push({ conversationId, message });
+    const processedMessages: Array<{
+      conversationId: string;
+      message: string;
+      options?: { trustClass?: string; taskRunId?: string };
+    }> = [];
+    const processMessage = async (
+      conversationId: string,
+      message: string,
+      options?: { trustClass?: string; taskRunId?: string },
+    ) => {
+      processedMessages.push({ conversationId, message, options });
     };
 
     const scheduler = startScheduler(
@@ -185,6 +203,14 @@ describe("scheduler run_task detection", () => {
     expect(
       processedMessages.some((m) => m.message === "Do something normal"),
     ).toBe(true);
+    expect(
+      processedMessages.some(
+        (m) =>
+          m.message === "Do something normal" &&
+          m.options?.trustClass === "guardian" &&
+          m.options?.taskRunId === undefined,
+      ),
+    ).toBe(true);
   });
 
   test("handles task not found gracefully", async () => {

package/src/__tests__/telegram-config.test.ts

@@ -7,7 +7,7 @@ let oauthConnectionStore: Record<
   string,
   { id: string; status: string; accountInfo?: string | null }
 > = {};
-const syncCalls: Array<{ providerKey: string; accountInfo?: string }> = [];
+const syncCalls: Array<{ provider: string; accountInfo?: string }> = [];
 
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({ telegram: {}, ui: {} }),
@@ -49,32 +49,29 @@ mock.module("../security/secure-keys.js", () => ({
 }));
 
 mock.module("../oauth/oauth-store.js", () => ({
-  getConnectionByProvider: (providerKey: string) =>
-    oauthConnectionStore[providerKey] ?? undefined,
+  getConnectionByProvider: (provider: string) =>
+    oauthConnectionStore[provider] ?? undefined,
 }));
 
 mock.module("../oauth/manual-token-connection.js", () => ({
   ensureManualTokenConnection: async () => {},
   removeManualTokenConnection: () => {},
-  syncManualTokenConnection: async (
-    providerKey: string,
-    accountInfo?: string,
-  ) => {
-    syncCalls.push({ providerKey, accountInfo });
-    if (providerKey !== "telegram") return;
+  syncManualTokenConnection: async (provider: string, accountInfo?: string) => {
+    syncCalls.push({ provider, accountInfo });
+    if (provider !== "telegram") return;
     const hasBotToken =
       !!secureKeyStore[credentialKey("telegram", "bot_token")];
     const hasWebhookSecret =
       !!secureKeyStore[credentialKey("telegram", "webhook_secret")];
     if (hasBotToken && hasWebhookSecret) {
-      oauthConnectionStore[providerKey] = {
-        id: `conn-${providerKey}`,
+      oauthConnectionStore[provider] = {
+        id: `conn-${provider}`,
         status: "active",
         accountInfo: accountInfo ?? null,
       };
       return;
     }
-    delete oauthConnectionStore[providerKey];
+    delete oauthConnectionStore[provider];
   },
 }));
 
@@ -114,7 +111,7 @@ describe("Telegram config handler", () => {
     expect(result.botUsername).toBe("testbot");
     expect(result.connected).toBe(true);
     expect(syncCalls).toEqual([
-      { providerKey: "telegram", accountInfo: "@testbot" },
+      { provider: "telegram", accountInfo: "@testbot" },
     ]);
     expect(oauthConnectionStore["telegram"]?.accountInfo).toBe("@testbot");
   });

package/src/__tests__/terminal-sandbox.test.ts

@@ -2,7 +2,7 @@ import * as realChildProcess from "node:child_process";
 import * as realFs from "node:fs";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-import type { SandboxConfig } from "../config/schema.js";
+import type { SandboxConfig } from "../tools/terminal/sandbox.js";
 
 let platform = "linux";
 

package/src/__tests__/terminal-tools.test.ts

@@ -65,13 +65,13 @@ mock.module("../tools/network/script-proxy/index.js", () => ({
 
 // ── Imports (after mocks) ───────────────────────────────────────────────────
 
-import type { SandboxConfig } from "../config/schema.js";
 import { parse } from "../tools/terminal/parser.js";
 import {
   ALWAYS_INJECTED_ENV_VARS,
   buildSanitizedEnv,
   SAFE_ENV_VARS,
 } from "../tools/terminal/safe-env.js";
+import type { SandboxConfig } from "../tools/terminal/sandbox.js";
 import { wrapCommand } from "../tools/terminal/sandbox.js";
 import { ToolError } from "../util/errors.js";
 
@@ -445,6 +445,15 @@ describe("buildSanitizedEnv", () => {
     expect(env.LC_CTYPE).toBe("UTF-8");
   });
 
+  test("defaults LANG and LC_ALL to UTF-8 when unset", () => {
+    delete process.env.LANG;
+    delete process.env.LC_ALL;
+
+    const env = buildSanitizedEnv();
+    expect(env.LANG).toBe("C.UTF-8");
+    expect(env.LC_ALL).toBe("C.UTF-8");
+  });
+
   test("injects INTERNAL_GATEWAY_BASE_URL from gateway config", () => {
     process.env.GATEWAY_PORT = "9000";
     const env = buildSanitizedEnv();
@@ -455,10 +464,7 @@ describe("buildSanitizedEnv", () => {
   test("result is a plain object with no prototype-inherited secrets", () => {
     const env = buildSanitizedEnv();
     const keys = Object.keys(env);
-    const safeKeys: string[] = [
-      ...SAFE_ENV_VARS,
-      ...ALWAYS_INJECTED_ENV_VARS,
-    ];
+    const safeKeys: string[] = [...SAFE_ENV_VARS, ...ALWAYS_INJECTED_ENV_VARS];
     for (const key of keys) {
       expect(safeKeys).toContain(key);
     }

package/src/__tests__/test-preload.ts

@@ -25,11 +25,25 @@ process.env.VELLUM_WORKSPACE_DIR = testDir;
 process.env.VELLUM_PLATFORM_URL = "https://test-platform.vellum.ai";
 process.exitCode = 0;
 
+// Prevent tests from routing credential writes through the real CES
+// (Credential Execution Service). Without this, setSecureKeyAsync() in
+// containerized environments writes to the live credential store.
+const savedIsContainerized = process.env.IS_CONTAINERIZED;
+const savedCesCredentialUrl = process.env.CES_CREDENTIAL_URL;
+delete process.env.IS_CONTAINERIZED;
+delete process.env.CES_CREDENTIAL_URL;
+
 afterAll(() => {
   resetDb();
   process.exitCode = 0;
   delete process.env.VELLUM_WORKSPACE_DIR;
   delete process.env.VELLUM_PLATFORM_URL;
+  if (savedIsContainerized !== undefined) {
+    process.env.IS_CONTAINERIZED = savedIsContainerized;
+  }
+  if (savedCesCredentialUrl !== undefined) {
+    process.env.CES_CREDENTIAL_URL = savedCesCredentialUrl;
+  }
   try {
     rmSync(testDir, { recursive: true, force: true });
   } catch {

package/src/__tests__/tool-approval-handler.test.ts

@@ -43,6 +43,11 @@ import {
   mintGrantFromDecision,
   type MintGrantParams,
 } from "../approvals/approval-primitive.js";
+import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
+import {
+  createConversation,
+  updateConversationHostAccess,
+} from "../memory/conversation-crud.js";
 import { getDb, initializeDb } from "../memory/db.js";
 import { scopedApprovalGrants } from "../memory/schema.js";
 import { computeToolApprovalDigest } from "../security/tool-approval-digest.js";
@@ -54,6 +59,8 @@ initializeDb();
 function clearTables(): void {
   const db = getDb();
   db.delete(scopedApprovalGrants).run();
+  db.run("DELETE FROM messages");
+  db.run("DELETE FROM conversations");
 }
 
 // ---------------------------------------------------------------------------
@@ -96,6 +103,7 @@ describe("ToolApprovalHandler / pre-exec gate grant check", () => {
   beforeEach(() => {
     clearTables();
     events.length = 0;
+    _setOverridesForTesting({});
   });
 
   test("untrusted actor + matching tool_signature grant -> allow", async () => {
@@ -508,4 +516,69 @@ describe("ToolApprovalHandler / pre-exec gate grant check", () => {
       expect(lastError.isExpected).toBe(true);
     }
   });
+
+  test("v2 trusted contact bypasses tool grants for sandboxed side-effect tools", async () => {
+    _setOverridesForTesting({ "permission-controls-v2": true });
+
+    const result = await handler.checkPreExecutionGates(
+      "bash",
+      { command: "echo hello" },
+      makeContext({ trustClass: "trusted_contact" }),
+      "sandbox",
+      "high",
+      Date.now(),
+      emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(true);
+    expect(events.filter((e) => e.type === "permission_denied")).toHaveLength(
+      0,
+    );
+  });
+
+  test("v2 trusted contact host tools are denied until computer access is enabled for the conversation", async () => {
+    _setOverridesForTesting({ "permission-controls-v2": true });
+
+    const conv = createConversation("trusted contact host gate");
+    const result = await handler.checkPreExecutionGates(
+      "bash",
+      { command: "ls -la" },
+      makeContext({
+        trustClass: "trusted_contact",
+        conversationId: conv.id,
+      }),
+      "host",
+      "high",
+      Date.now(),
+      emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(false);
+    if (result.allowed) return;
+    expect(result.result.content).toContain(
+      "computer access is not enabled for this conversation",
+    );
+  });
+
+  test("v2 trusted contact host tools run once computer access is enabled for the conversation", async () => {
+    _setOverridesForTesting({ "permission-controls-v2": true });
+
+    const conv = createConversation("trusted contact host access enabled");
+    updateConversationHostAccess(conv.id, true);
+
+    const result = await handler.checkPreExecutionGates(
+      "bash",
+      { command: "ls -la" },
+      makeContext({
+        trustClass: "trusted_contact",
+        conversationId: conv.id,
+      }),
+      "host",
+      "high",
+      Date.now(),
+      emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(true);
+  });
 });

package/src/__tests__/tool-domain-event-publisher.test.ts

@@ -37,7 +37,6 @@ describe("createToolDomainEventPublisher", () => {
       reason: "needs approval",
       allowlistOptions: [],
       scopeOptions: [],
-      sandboxed: true,
     });
 
     await publish({

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -41,7 +41,6 @@ let checkerDecision: "allow" | "prompt" | "deny" = "allow";
 let checkerReason = "allowed";
 let checkerRisk = "low";
 let promptDecision: "allow" | "always_allow" | "deny" | "always_deny" = "allow";
-let sandboxed = false;
 let fakeToolResult: ToolExecutionResult = { content: "ok", isError: false };
 let toolThrow: Error | null = null;
 
@@ -151,7 +150,7 @@ mock.module("../tools/shared/filesystem/path-policy.js", () => ({
 }));
 
 mock.module("../tools/terminal/sandbox.js", () => ({
-  wrapCommand: () => ({ command: "", sandboxed }),
+  wrapCommand: () => ({ command: "", sandboxed: false }),
 }));
 
 import { PermissionPrompter } from "../permissions/prompter.js";
@@ -193,7 +192,6 @@ describe("ToolExecutor lifecycle events", () => {
     checkerReason = "allowed";
     checkerRisk = "low";
     promptDecision = "allow";
-    sandboxed = false;
     fakeToolResult = { content: "ok", isError: false };
     toolThrow = null;
   });
@@ -231,7 +229,6 @@ describe("ToolExecutor lifecycle events", () => {
     checkerReason = "medium risk: requires approval";
     checkerRisk = "medium";
     promptDecision = "deny";
-    sandboxed = true;
 
     const events: ToolLifecycleEvent[] = [];
     const executor = new ToolExecutor(makePrompter());
@@ -256,7 +253,6 @@ describe("ToolExecutor lifecycle events", () => {
     expect(promptEvent.executionTarget).toBe("sandbox");
     expect(promptEvent.riskLevel).toBe("medium");
     expect(promptEvent.reason).toBe("medium risk: requires approval");
-    expect(promptEvent.sandboxed).toBe(true);
     expect(promptEvent.allowlistOptions).toEqual([
       { label: "exact", description: "exact", pattern: "exact" },
     ]);
@@ -276,7 +272,6 @@ describe("ToolExecutor lifecycle events", () => {
     checkerDecision = "prompt";
     checkerReason = "guardrail prompt";
     checkerRisk = "high";
-    sandboxed = true;
 
     const events: ToolLifecycleEvent[] = [];
     const executor = new ToolExecutor(
@@ -580,7 +575,6 @@ describe("ToolExecutor lifecycle events", () => {
     checkerReason = "Matched trust rule";
     checkerRisk = "low";
     promptDecision = "allow";
-    sandboxed = true;
 
     const events: ToolLifecycleEvent[] = [];
     const executor = new ToolExecutor(makePrompter());
@@ -602,7 +596,6 @@ describe("ToolExecutor lifecycle events", () => {
     expect(promptEvent.reason).toBe(
       "Private conversation: side-effect tools require explicit approval",
     );
-    expect(promptEvent.sandboxed).toBe(true);
   });
 
   test("no permission_prompt event for read-only tool even with forcePromptSideEffects", async () => {

package/src/__tests__/tool-executor.test.ts

@@ -1949,7 +1949,6 @@ describe("ToolExecutor persistentDecisionsAllowed contract", () => {
         _allowlistOptions: AllowlistOption[],
         _scopeOptions: ScopeOption[],
         _diff: unknown,
-        _sandboxed: unknown,
         _conversationId: unknown,
         _executionTarget: unknown,
         persistentDecisionsAllowed: boolean | undefined,

package/src/__tests__/tool-side-effects-slack-dm.test.ts

@@ -30,8 +30,30 @@ mock.module("../media/app-icon-generator.js", () => ({
 mock.module("../memory/app-store.js", () => ({
   getApp: mock(() => null),
   getAppDirPath: mock(() => ""),
+  getAppsDir: mock(() => ""),
   isMultifileApp: mock(() => false),
   resolveAppIdFromPath: mock(() => null),
+  resolveAppIdByDirName: mock(() => null),
+  resolveAppDir: mock(() => ({ dirName: "", dirPath: "" })),
+  slugify: mock((s: string) => s),
+  validateDirName: mock(() => {}),
+  generateAppDirName: mock(() => ""),
+  listApps: mock(() => []),
+  createApp: mock(() => ({})),
+  updateApp: mock(() => {}),
+  deleteApp: mock(() => {}),
+  getAppPreview: mock(() => null),
+  createAppRecord: mock(() => ({})),
+  getAppRecord: mock(() => null),
+  queryAppRecords: mock(() => []),
+  updateAppRecord: mock(() => {}),
+  deleteAppRecord: mock(() => {}),
+  listAppFiles: mock(() => []),
+  appFileExists: mock(() => false),
+  readAppFile: mock(() => ""),
+  writeAppFile: mock(() => {}),
+  editAppFile: mock(() => ({})),
+  inlineDistAssets: mock((_, html: string) => html),
 }));
 mock.module("../services/published-app-updater.js", () => ({
   updatePublishedAppDeployment: mock(() => Promise.resolve()),

package/src/__tests__/top-level-renderer.test.ts

@@ -1,10 +1,11 @@
+import { homedir, userInfo } from "node:os";
 import { describe, expect, test } from "bun:test";
 
 import { renderWorkspaceTopLevelContext } from "../workspace/top-level-renderer.js";
 import type { TopLevelSnapshot } from "../workspace/top-level-scanner.js";
 
 describe("renderWorkspaceTopLevelContext", () => {
-  test("renders basic snapshot with directories and files", () => {
+  test("renders basic snapshot with directories, files, and host env", () => {
     const snapshot: TopLevelSnapshot = {
       rootPath: "/sandbox",
       directories: ["lib", "src", "tests"],
@@ -19,6 +20,8 @@ describe("renderWorkspaceTopLevelContext", () => {
         "Root: /sandbox",
         "Directories: lib, src, tests",
         "Files: README.md, package.json",
+        `Host home directory: ${homedir()}`,
+        `Host username: ${userInfo().username}`,
         "</workspace>",
       ].join("\n"),
     );
@@ -65,6 +68,8 @@ describe("renderWorkspaceTopLevelContext", () => {
         "Root: /empty",
         "Directories: ",
         "Files: ",
+        `Host home directory: ${homedir()}`,
+        `Host username: ${userInfo().username}`,
         "</workspace>",
       ].join("\n"),
     );
@@ -142,4 +147,71 @@ describe("renderWorkspaceTopLevelContext", () => {
     );
     expect(result).not.toContain("Current conversation folder");
   });
+
+  test("prefers client-reported host env over daemon os.homedir()", () => {
+    const snapshot: TopLevelSnapshot = {
+      rootPath: "/sandbox",
+      directories: ["src"],
+      files: ["package.json"],
+      truncated: false,
+    };
+
+    const result = renderWorkspaceTopLevelContext(snapshot, {
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+
+    expect(result).toContain("Host home directory: /Users/alice");
+    expect(result).toContain("Host username: alice");
+    // Fallback values must NOT appear when client values are provided.
+    expect(result).not.toContain(`Host home directory: ${homedir()}`);
+    expect(result).not.toContain(`Host username: ${userInfo().username}`);
+  });
+
+  test("falls back to daemon os info when host env options omitted", () => {
+    const snapshot: TopLevelSnapshot = {
+      rootPath: "/sandbox",
+      directories: ["src"],
+      files: ["package.json"],
+      truncated: false,
+    };
+
+    const result = renderWorkspaceTopLevelContext(snapshot, {});
+
+    expect(result).toContain(`Host home directory: ${homedir()}`);
+    expect(result).toContain(`Host username: ${userInfo().username}`);
+  });
+
+  test("falls back to daemon os info when host env options are undefined", () => {
+    const snapshot: TopLevelSnapshot = {
+      rootPath: "/sandbox",
+      directories: ["src"],
+      files: ["package.json"],
+      truncated: false,
+    };
+
+    const result = renderWorkspaceTopLevelContext(snapshot, {
+      hostHomeDir: undefined,
+      hostUsername: undefined,
+    });
+
+    expect(result).toContain(`Host home directory: ${homedir()}`);
+    expect(result).toContain(`Host username: ${userInfo().username}`);
+  });
+
+  test("uses client home dir but falls back to os username when only home is provided", () => {
+    const snapshot: TopLevelSnapshot = {
+      rootPath: "/sandbox",
+      directories: ["src"],
+      files: ["package.json"],
+      truncated: false,
+    };
+
+    const result = renderWorkspaceTopLevelContext(snapshot, {
+      hostHomeDir: "/Users/alice",
+    });
+
+    expect(result).toContain("Host home directory: /Users/alice");
+    expect(result).toContain(`Host username: ${userInfo().username}`);
+  });
 });

package/src/__tests__/transport-hints-queue.test.ts

@@ -0,0 +1,62 @@
+import { describe, expect, test } from "bun:test";
+
+import type {
+  HostProxyTransportMetadata,
+  NonHostProxyTransportMetadata,
+} from "../daemon/message-types/conversations.js";
+import { buildTransportHints } from "../daemon/transport-hints.js";
+
+// ---------------------------------------------------------------------------
+// buildTransportHints
+// ---------------------------------------------------------------------------
+
+describe("buildTransportHints", () => {
+  test("returns empty array for host-proxy transport without client hints", () => {
+    const transport: HostProxyTransportMetadata = {
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    };
+
+    const hints = buildTransportHints(transport);
+
+    expect(hints).toHaveLength(0);
+  });
+
+  test("returns empty array for non-host-proxy transport without client hints", () => {
+    const transport: NonHostProxyTransportMetadata = {
+      channelId: "vellum",
+      interfaceId: "ios",
+    };
+
+    const hints = buildTransportHints(transport);
+
+    expect(hints).toHaveLength(0);
+  });
+
+  test("forwards client-provided hints", () => {
+    const transport: HostProxyTransportMetadata = {
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/bob",
+      hostUsername: "bob",
+      hints: ["custom hint"],
+    };
+
+    const hints = buildTransportHints(transport);
+
+    expect(hints).toEqual(["custom hint"]);
+  });
+
+  test("returns empty array when no hints field present", () => {
+    const transport: HostProxyTransportMetadata = {
+      channelId: "vellum",
+      interfaceId: "macos",
+    };
+
+    const hints = buildTransportHints(transport);
+
+    expect(hints).toHaveLength(0);
+  });
+});

package/src/__tests__/trust-store.test.ts

@@ -909,8 +909,8 @@ describe("Trust Store", () => {
       expect(match!.id).toBe("default:allow-bash-rm-bootstrap");
       expect(match!.decision).toBe("allow");
       expect(match!.allowHighRisk).toBe(true);
-      // Outside workspace, the bootstrap rule doesn't match — with sandbox
-      // disabled (the default), there is no catch-all bash allow rule either.
+      // Outside workspace, the bootstrap rule doesn't match — without
+      // IS_CONTAINERIZED there is no catch-all bash allow rule either.
       const other = findHighestPriorityRule(
         "bash",
         ["rm BOOTSTRAP.md"],
@@ -930,8 +930,8 @@ describe("Trust Store", () => {
       expect(match!.id).toBe("default:allow-bash-rm-updates");
       expect(match!.decision).toBe("allow");
       expect(match!.allowHighRisk).toBe(true);
-      // Outside workspace, should NOT match the updates rule — with sandbox
-      // disabled (the default), there is no catch-all bash allow rule either.
+      // Outside workspace, should NOT match the updates rule — without
+      // IS_CONTAINERIZED there is no catch-all bash allow rule either.
       const other = findHighestPriorityRule(
         "bash",
         ["rm UPDATES.md"],