@vellumai/assistant 0.6.1 → 0.6.3

package/src/__tests__/trusted-contact-inline-approval-integration.test.ts

@@ -162,6 +162,7 @@ mock.module("../config/env.js", () => ({
 import { applyCanonicalGuardianDecision } from "../approvals/guardian-decision-primitive.js";
 import type { ActorContext } from "../approvals/guardian-request-resolvers.js";
 import { getResolver } from "../approvals/guardian-request-resolvers.js";
+import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
 import type { TrustContext } from "../daemon/conversation-runtime-assembly.js";
 import {
   createCanonicalGuardianRequest,
@@ -169,6 +170,10 @@ import {
   listCanonicalGuardianRequests,
   updateCanonicalGuardianRequest,
 } from "../memory/canonical-guardian-store.js";
+import {
+  createConversation,
+  updateConversationHostAccess,
+} from "../memory/conversation-crud.js";
 import { getDb, initializeDb } from "../memory/db.js";
 import { scopedApprovalGrants } from "../memory/schema.js";
 import { bridgeConfirmationRequestToGuardian } from "../runtime/confirmation-request-guardian-bridge.js";
@@ -184,6 +189,8 @@ initializeDb();
 function resetTables(): void {
   const db = getDb();
   db.delete(scopedApprovalGrants).run();
+  db.run("DELETE FROM messages");
+  db.run("DELETE FROM conversations");
   db.run("DELETE FROM canonical_guardian_deliveries");
   db.run("DELETE FROM canonical_guardian_requests");
 }
@@ -246,6 +253,7 @@ describe("(a) target flow: trusted-contact inline guardian approval end-to-end",
     events.length = 0;
     emittedSignals.length = 0;
     deliveredReplies.length = 0;
+    _setOverridesForTesting({});
     mockGuardianBinding = {
       id: "binding-1",
       assistantId: "self",
@@ -1160,3 +1168,104 @@ describe("cross-milestone integration checks", () => {
     expect(freshReq?.followupState).toBeNull();
   });
 });
+
+describe("(g) v2 trusted-contact flow: model-mediated guardian consent", () => {
+  const handler = new ToolApprovalHandler({
+    inlineGrantWait: { maxWaitMs: 100, intervalMs: 20 },
+  });
+
+  beforeEach(() => {
+    resetTables();
+    events.length = 0;
+    emittedSignals.length = 0;
+    deliveredReplies.length = 0;
+    _setOverridesForTesting({ "permission-controls-v2": true });
+    mockGuardianBinding = {
+      id: "binding-1",
+      assistantId: "self",
+      channel: "telegram",
+      guardianExternalUserId: "guardian-1",
+      guardianDeliveryChatId: "guardian-chat-1",
+      guardianPrincipalId: "test-principal-id",
+      status: "active",
+    };
+  });
+
+  test("trusted-contact host tools do not create tool_grant_request rows under v2", async () => {
+    const conv = createConversation("trusted contact v2 host gate");
+    const result = await handler.checkPreExecutionGates(
+      "bash",
+      { command: "ls" },
+      makeToolContext({
+        trustClass: "trusted_contact",
+        conversationId: conv.id,
+      }),
+      "host",
+      "high",
+      Date.now(),
+      emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(false);
+    if (result.allowed) return;
+    expect(result.result.content).toContain(
+      "computer access is not enabled for this conversation",
+    );
+
+    const requests = listCanonicalGuardianRequests({
+      kind: "tool_grant_request",
+      status: "pending",
+    });
+    expect(requests).toHaveLength(0);
+    expect(emittedSignals).toHaveLength(0);
+  });
+
+  test("trusted-contact host tools run inline once the guardian has already enabled computer access for the conversation", async () => {
+    const conv = createConversation("trusted contact v2 host access enabled");
+    updateConversationHostAccess(conv.id, true);
+
+    const result = await handler.checkPreExecutionGates(
+      "bash",
+      { command: "ls" },
+      makeToolContext({
+        trustClass: "trusted_contact",
+        conversationId: conv.id,
+      }),
+      "host",
+      "high",
+      Date.now(),
+      emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(true);
+  });
+
+  test("confirmation_request guardian bridge is disabled for trusted contacts under v2", () => {
+    const canonicalRequest = createCanonicalGuardianRequest({
+      id: `req-v2-skip-${Date.now()}`,
+      kind: "tool_approval",
+      sourceType: "channel",
+      sourceChannel: "telegram",
+      conversationId: "conv-v2-skip",
+      requesterExternalUserId: "requester-1",
+      guardianExternalUserId: "guardian-1",
+      guardianPrincipalId: "test-principal-id",
+      toolName: "bash",
+      status: "pending",
+      expiresAt: Date.now() + 5 * 60_000,
+    });
+
+    const result = bridgeConfirmationRequestToGuardian({
+      canonicalRequest,
+      trustContext: makeTrustedContactTrustContext(),
+      conversationId: "conv-v2-skip",
+      toolName: "bash",
+    });
+
+    expect("skipped" in result && result.skipped).toBe(true);
+    if ("skipped" in result) {
+      expect(result.reason).toBe("v2_model_mediated");
+    }
+    expect(emittedSignals).toHaveLength(0);
+  });
+});

package/src/__tests__/v2-consent-policy.test.ts

@@ -0,0 +1,103 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
+import type { ToolContext } from "../tools/types.js";
+
+const hostAccessByConversation = new Map<string, boolean>();
+
+mock.module("../memory/conversation-crud.js", () => ({
+  getConversationHostAccess: (conversationId: string) =>
+    hostAccessByConversation.get(conversationId) ?? false,
+}));
+
+function makeContext(overrides?: Partial<ToolContext>): ToolContext {
+  return {
+    workingDir: "/tmp/test",
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    isInteractive: true,
+    ...overrides,
+  } as ToolContext;
+}
+
+beforeEach(() => {
+  _setOverridesForTesting({});
+  hostAccessByConversation.clear();
+});
+
+afterEach(() => {
+  _setOverridesForTesting({});
+  hostAccessByConversation.clear();
+});
+
+describe("v2-consent-policy", () => {
+  test("returns legacy when the flag is disabled", async () => {
+    const { evaluateV2ConsentDisposition } =
+      await import("../permissions/v2-consent-policy.js");
+
+    expect(evaluateV2ConsentDisposition("host_bash", {}, makeContext())).toBe(
+      "legacy",
+    );
+  });
+
+  test("auto-allows non-host tools when the flag is enabled", async () => {
+    _setOverridesForTesting({ "permission-controls-v2": true });
+    const { evaluateV2ConsentDisposition } =
+      await import("../permissions/v2-consent-policy.js");
+
+    expect(evaluateV2ConsentDisposition("bash", {}, makeContext())).toBe(
+      "auto_allow",
+    );
+  });
+
+  test("uses conversation-scoped host access when the flag is enabled", async () => {
+    _setOverridesForTesting({ "permission-controls-v2": true });
+    hostAccessByConversation.set("allowed-conv", true);
+    hostAccessByConversation.set("blocked-conv", false);
+    const { evaluateV2ConsentDisposition } =
+      await import("../permissions/v2-consent-policy.js");
+
+    expect(
+      evaluateV2ConsentDisposition(
+        "host_bash",
+        {},
+        makeContext({ conversationId: "allowed-conv" }),
+      ),
+    ).toBe("auto_allow");
+    expect(
+      evaluateV2ConsentDisposition(
+        "host_bash",
+        {},
+        makeContext({ conversationId: "blocked-conv" }),
+      ),
+    ).toBe("prompt_host_access");
+  });
+
+  test("host-access prompts are identified by the stripped-down prompt shape", async () => {
+    _setOverridesForTesting({ "permission-controls-v2": true });
+    const {
+      CONVERSATION_HOST_ACCESS_PROMPT,
+      isConversationHostAccessEnablePrompt,
+    } = await import("../permissions/v2-consent-policy.js");
+
+    expect(
+      isConversationHostAccessEnablePrompt({
+        toolName: "host_bash",
+        ...CONVERSATION_HOST_ACCESS_PROMPT,
+      }),
+    ).toBe(true);
+    expect(
+      isConversationHostAccessEnablePrompt({
+        toolName: "host_bash",
+        ...CONVERSATION_HOST_ACCESS_PROMPT,
+        allowlistOptions: [
+          {
+            label: "Specific command",
+            description: "legacy rule",
+            pattern: "bash:*",
+          },
+        ],
+      }),
+    ).toBe(false);
+  });
+});

package/src/__tests__/workspace-migration-030-seed-pkb-autoinject.test.ts

@@ -0,0 +1,168 @@
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+
+import { seedPkbAutoinjectMigration } from "../workspace/migrations/030-seed-pkb-autoinject.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+let workspaceDir: string;
+let pkbDir: string;
+
+function freshWorkspace(): void {
+  workspaceDir = join(
+    tmpdir(),
+    `vellum-migration-030-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+  );
+  pkbDir = join(workspaceDir, "pkb");
+  mkdirSync(pkbDir, { recursive: true });
+}
+
+// ---------------------------------------------------------------------------
+// Setup / Teardown
+// ---------------------------------------------------------------------------
+
+const dirs: string[] = [];
+
+beforeEach(() => {
+  freshWorkspace();
+  dirs.push(workspaceDir);
+});
+
+afterEach(() => {
+  for (const dir of dirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("030-seed-pkb-autoinject migration", () => {
+  test("has correct migration id", () => {
+    expect(seedPkbAutoinjectMigration.id).toBe("030-seed-pkb-autoinject");
+  });
+
+  // ─── run() ──────────────────────────────────────────────────────────────
+
+  test("creates _autoinject.md with default content", () => {
+    seedPkbAutoinjectMigration.run(workspaceDir);
+
+    const filePath = join(pkbDir, "_autoinject.md");
+    expect(existsSync(filePath)).toBe(true);
+
+    const content = readFileSync(filePath, "utf-8");
+    expect(content).toContain("INDEX.md");
+    expect(content).toContain("essentials.md");
+    expect(content).toContain("threads.md");
+    expect(content).toContain("buffer.md");
+  });
+
+  test("no-op when pkb/ does not exist", () => {
+    rmSync(pkbDir, { recursive: true, force: true });
+    seedPkbAutoinjectMigration.run(workspaceDir);
+    expect(existsSync(join(pkbDir, "_autoinject.md"))).toBe(false);
+  });
+
+  test("idempotent — does not overwrite existing _autoinject.md", () => {
+    const customContent = "INDEX.md\ncustom-topic.md\n";
+    writeFileSync(join(pkbDir, "_autoinject.md"), customContent, "utf-8");
+
+    seedPkbAutoinjectMigration.run(workspaceDir);
+
+    const content = readFileSync(join(pkbDir, "_autoinject.md"), "utf-8");
+    expect(content).toBe(customContent);
+  });
+
+  test("appends _autoinject.md entry to INDEX.md", () => {
+    const indexContent =
+      "# Knowledge Base\n\n## Always Loaded\n" +
+      "- essentials.md — Core facts\n" +
+      "- threads.md — Active threads\n" +
+      "- buffer.md — Inbox\n\n" +
+      "## Topics\n";
+    writeFileSync(join(pkbDir, "INDEX.md"), indexContent, "utf-8");
+
+    seedPkbAutoinjectMigration.run(workspaceDir);
+
+    const updated = readFileSync(join(pkbDir, "INDEX.md"), "utf-8");
+    expect(updated).toContain("_autoinject.md");
+    // Should appear after buffer.md
+    const bufferIdx = updated.indexOf("buffer.md");
+    const autoinjectIdx = updated.indexOf("_autoinject.md");
+    expect(autoinjectIdx).toBeGreaterThan(bufferIdx);
+  });
+
+  test("does not duplicate _autoinject.md entry in INDEX.md", () => {
+    const indexContent =
+      "# Knowledge Base\n\n## Always Loaded\n" +
+      "- buffer.md — Inbox\n" +
+      "- _autoinject.md — Controls autoinjection\n\n" +
+      "## Topics\n";
+    writeFileSync(join(pkbDir, "INDEX.md"), indexContent, "utf-8");
+
+    seedPkbAutoinjectMigration.run(workspaceDir);
+
+    const updated = readFileSync(join(pkbDir, "INDEX.md"), "utf-8");
+    const matches = updated.match(/_autoinject\.md/g);
+    expect(matches?.length).toBe(1);
+  });
+
+  test("handles missing INDEX.md gracefully", () => {
+    // No INDEX.md — should still create _autoinject.md without error
+    seedPkbAutoinjectMigration.run(workspaceDir);
+    expect(existsSync(join(pkbDir, "_autoinject.md"))).toBe(true);
+  });
+
+  // ─── down() ─────────────────────────────────────────────────────────────
+
+  describe("down()", () => {
+    test("removes _autoinject.md when content matches template", () => {
+      seedPkbAutoinjectMigration.run(workspaceDir);
+      expect(existsSync(join(pkbDir, "_autoinject.md"))).toBe(true);
+
+      seedPkbAutoinjectMigration.down(workspaceDir);
+      expect(existsSync(join(pkbDir, "_autoinject.md"))).toBe(false);
+    });
+
+    test("preserves _autoinject.md when user has customized it", () => {
+      const customContent = "INDEX.md\nmy-custom-file.md\n";
+      writeFileSync(join(pkbDir, "_autoinject.md"), customContent, "utf-8");
+
+      seedPkbAutoinjectMigration.down(workspaceDir);
+
+      expect(existsSync(join(pkbDir, "_autoinject.md"))).toBe(true);
+      expect(readFileSync(join(pkbDir, "_autoinject.md"), "utf-8")).toBe(
+        customContent,
+      );
+    });
+
+    test("no-op when _autoinject.md does not exist", () => {
+      seedPkbAutoinjectMigration.down(workspaceDir);
+      // Should not throw
+    });
+
+    test("no-op when pkb/ does not exist", () => {
+      rmSync(pkbDir, { recursive: true, force: true });
+      seedPkbAutoinjectMigration.down(workspaceDir);
+      // Should not throw
+    });
+
+    test("idempotent — calling down() twice is safe", () => {
+      seedPkbAutoinjectMigration.run(workspaceDir);
+      seedPkbAutoinjectMigration.down(workspaceDir);
+      seedPkbAutoinjectMigration.down(workspaceDir);
+      // Should not throw
+    });
+  });
+});

package/src/__tests__/workspace-policy.test.ts

@@ -198,7 +198,7 @@ describe("isWorkspaceScopedInvocation", () => {
   // ── Bash ───────────────────────────────────────────────────────────
 
   describe("bash", () => {
-    test("returns true (sandbox handles isolation)", () => {
+    test("returns true (container handles isolation)", () => {
       expect(
         isWorkspaceScopedInvocation(
           "bash",
@@ -255,12 +255,7 @@ describe("isWorkspaceScopedInvocation", () => {
   // ── Always-scoped safe tools ───────────────────────────────────────
 
   describe("always-scoped tools", () => {
-    const safeTools = [
-      "skill_load",
-      "recall",
-      "ui_update",
-      "ui_dismiss",
-    ];
+    const safeTools = ["skill_load", "recall", "ui_update", "ui_dismiss"];
 
     for (const tool of safeTools) {
       test(`${tool} is workspace-scoped`, () => {

package/src/acp/client-handler.ts

@@ -32,6 +32,7 @@ import type {
 
 import type { ServerMessage } from "../daemon/message-protocol.js";
 import type { UserDecision } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 import * as pendingInteractions from "../runtime/pending-interactions.js";
 import { getLogger } from "../util/logger.js";
 
@@ -184,6 +185,15 @@ export class VellumAcpClientHandler implements Client {
       kind: opt.kind,
     }));
 
+    if (isPermissionControlsV2Enabled()) {
+      const allowOptionId = findAllowOptionId(options);
+      return {
+        outcome: allowOptionId
+          ? { outcome: "selected", optionId: allowOptionId }
+          : { outcome: "cancelled" },
+      };
+    }
+
     // Send the confirmation_request first — this triggers makeEventSender
     // which registers a normal "confirmation" entry in pendingInteractions.
     this.sendToVellum({
@@ -422,15 +432,31 @@ function mapDecisionToOptionId(
     const alwaysDeny = options.find((o) => o.kind === "reject_always");
     if (alwaysDeny) return alwaysDeny.optionId;
   }
-  const denyOpt =
-    options.find((o) => o.kind === "reject_once") ??
-    options.find((o) => o.kind === "reject_always");
-  if (denyOpt) return denyOpt.optionId;
+  const denyOpt = findRejectOptionId(options);
+  if (denyOpt) return denyOpt;
 
   // Fallback: return first option
   return options[0]?.optionId ?? "deny";
 }
 
+function findRejectOptionId(
+  options: Array<{ optionId: string; kind: string }>,
+): string | undefined {
+  return (
+    options.find((o) => o.kind === "reject_once")?.optionId ??
+    options.find((o) => o.kind === "reject_always")?.optionId
+  );
+}
+
+function findAllowOptionId(
+  options: Array<{ optionId: string; kind: string }>,
+): string | undefined {
+  return (
+    options.find((o) => o.kind === "allow_once")?.optionId ??
+    options.find((o) => o.kind === "allow_always")?.optionId
+  );
+}
+
 /**
  * Extracts text from a ContentBlock.
  */

package/src/agent/loop.ts

@@ -82,7 +82,12 @@ export type AgentEvent =
       toolUseId: string;
       input: Record<string, unknown>;
     }
-  | { type: "server_tool_complete"; toolUseId: string; isError: boolean }
+  | {
+      type: "server_tool_complete";
+      toolUseId: string;
+      isError: boolean;
+      content?: unknown[];
+    }
   | { type: "error"; error: Error }
   | {
       type: "usage";
@@ -98,7 +103,7 @@ export type AgentEvent =
     };
 
 const DEFAULT_CONFIG: AgentLoopConfig = {
-  maxTokens: 16000,
+  maxTokens: 64000,
   effort: "high",
   minTurnIntervalMs: 150,
 };
@@ -201,7 +206,6 @@ export class AgentLoop {
   ): Promise<Message[]> {
     const history = [...messages];
     let toolUseTurns = 0;
-    let nudgedForEmptyResponse = false;
     let consecutiveErrorTurns = 0;
     let lastLlmCallTime = 0;
     const rlog = requestId ? log.child({ requestId }) : log;
@@ -345,6 +349,7 @@ export class AgentLoop {
                   type: "server_tool_complete",
                   toolUseId: event.toolUseId,
                   isError: event.isError,
+                  ...(event.content ? { content: event.content } : {}),
                 });
               }
             },
@@ -403,35 +408,7 @@ export class AgentLoop {
             block.type === "tool_use",
         );
 
-        // Check if the assistant turn contained any visible text (used for
-        // the empty-response nudge).
-        const hasTextBlock = response.content.some(
-          (block) => block.type === "text" && block.text.trim().length > 0,
-        );
-
         if (toolUseBlocks.length === 0 || !this.toolExecutor) {
-          // Check if the LLM returned no text after tool results — nudge it to respond
-          const lastUserMsg =
-            history.length >= 2 ? history[history.length - 2] : undefined;
-          const lastWasToolResult =
-            lastUserMsg?.role === "user" &&
-            lastUserMsg.content.some((block) => block.type === "tool_result");
-
-          if (!hasTextBlock && lastWasToolResult && !nudgedForEmptyResponse) {
-            nudgedForEmptyResponse = true;
-            history.push({
-              role: "user",
-              content: [
-                {
-                  type: "text",
-                  text: "<system_notice>You executed tools but didn't tell the user what happened. Provide a brief, conversational summary of the results.</system_notice>",
-                },
-              ],
-            });
-            continue;
-          }
-
-          // No tool calls or no executor — done
           break;
         }
 
@@ -738,10 +715,10 @@ export function compactAxTreeHistory(messages: Message[]): Message[] {
  * once by the LLM on the turn it was captured, then replaced with a text
  * placeholder on subsequent turns.
  *
- * We look for the last user message with tool_results (not just the last user
- * message) because the empty-response nudge path appends a text-only user
- * message after the tool results. Preserving images in that case ensures
- * the model still sees the screenshot on the retry.
+ * We target the last user message with tool_results (not just the last user
+ * message) because a plain-text user message may follow the tool-result
+ * turn. Using the last user message unconditionally would leave the most
+ * recent tool screenshots unprotected from stripping.
  */
 function stripOldImageBlocks(history: Message[]): Message[] {
   // Find the last user message that contains tool_result blocks.

package/src/approvals/guardian-request-resolvers.ts

@@ -26,6 +26,7 @@ import {
 } from "../notifications/signal.js";
 import { addRule } from "../permissions/trust-store.js";
 import type { UserDecision } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
 import { mintDaemonDeliveryToken } from "../runtime/auth/token-service.js";
 import type { ApprovalAction } from "../runtime/channel-approval-types.js";
@@ -192,8 +193,9 @@ const pendingInteractionResolver: GuardianRequestResolver = {
     // Handle approve_always: persist a trust rule when the confirmation
     // explicitly allows persistence and provides explicit options.
     if (
-      decision.action === "approve_always" ||
-      decision.action === "approve_once"
+      !isPermissionControlsV2Enabled() &&
+      (decision.action === "approve_always" ||
+        decision.action === "approve_once")
     ) {
       const details = interaction.confirmationDetails;
       if (
@@ -237,19 +239,23 @@ const pendingInteractionResolver: GuardianRequestResolver = {
     // temporal modes (approve_10m, approve_conversation) reach the session with
     // the correct UserDecision instead of collapsing to plain "allow".
     let userDecision: UserDecision;
-    switch (decision.action) {
-      case "reject":
-        userDecision = "deny";
-        break;
-      case "approve_10m":
-        userDecision = "allow_10m";
-        break;
-      case "approve_conversation":
-        userDecision = "allow_conversation";
-        break;
-      default:
-        userDecision = "allow";
-        break;
+    if (isPermissionControlsV2Enabled()) {
+      userDecision = decision.action === "reject" ? "deny" : "allow";
+    } else {
+      switch (decision.action) {
+        case "reject":
+          userDecision = "deny";
+          break;
+        case "approve_10m":
+          userDecision = "allow_10m";
+          break;
+        case "approve_conversation":
+          userDecision = "allow_conversation";
+          break;
+        default:
+          userDecision = "allow";
+          break;
+      }
     }
     resolved.conversation!.handleConfirmationResponse(
       request.id,