@vellumai/assistant 0.6.1 → 0.6.3

package/src/credential-execution/approval-bridge.ts

@@ -21,6 +21,7 @@ import type {
 
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import type { UserDecision } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 import { getLogger } from "../util/logger.js";
 import type { CesClient } from "./client.js";
 
@@ -173,13 +174,7 @@ export async function bridgeCesApproval(
     signal?: AbortSignal;
   },
 ): Promise<CesApprovalBridgeResult> {
-  const {
-    proposal,
-    renderedProposal,
-    proposalHash,
-    sessionId,
-    conversationId,
-  } = approval;
+  const { proposal, renderedProposal, proposalHash, sessionId } = approval;
 
   // Non-interactive sessions have no client to respond — fail closed.
   if (options?.isInteractive === false) {
@@ -194,6 +189,24 @@ export async function bridgeCesApproval(
     return { outcome: "denied", userDecision: "deny" };
   }
 
+  if (isPermissionControlsV2Enabled()) {
+    log.info(
+      {
+        event: "ces_approval_bridge_v2_suppressed",
+        proposalHash,
+        sessionId,
+      },
+      "CES approval request auto-approved without deterministic prompt under v2",
+    );
+    const v2Decision = mapUserDecisionToCesDecision("allow");
+    return recordCesGrant({
+      approval,
+      cesClient,
+      decision: v2Decision,
+      reason: "permission_controls_v2_auto_allow",
+    });
+  }
+
   // Build the tool name and input for the confirmation prompt. The tool
   // name uses a `ces:` prefix so the client can distinguish CES approval
   // requests from regular tool confirmation prompts.
@@ -220,7 +233,6 @@ export async function bridgeCesApproval(
     [], // No allowlist options — CES manages its own grant patterns
     [], // No scope options — CES manages scope internally
     undefined, // No file diff
-    undefined, // Not sandboxed
     options?.conversationId,
     "host", // CES operations target the host
     false, // Persistent decisions are managed by CES, not trust.json
@@ -263,8 +275,29 @@ export async function bridgeCesApproval(
     `CES approval bridge: guardian decision is "${cesDecision.grantDecision}"`,
   );
 
-  if (cesDecision.grantDecision === "denied") {
-    return { outcome: "denied", userDecision: response.decision };
+  return recordCesGrant({
+    approval,
+    cesClient,
+    decision: cesDecision,
+    reason: response.decisionContext,
+  });
+}
+
+async function recordCesGrant({
+  approval,
+  cesClient,
+  decision,
+  reason,
+}: {
+  approval: ApprovalRequired;
+  cesClient: CesClient;
+  decision: CesApprovalDecision;
+  reason?: string;
+}): Promise<CesApprovalBridgeResult> {
+  const { proposal, proposalHash, sessionId, conversationId } = approval;
+
+  if (decision.grantDecision === "denied") {
+    return { outcome: "denied", userDecision: decision.userDecision };
   }
 
   // Commit the approved grant to CES via record_grant RPC.
@@ -275,12 +308,12 @@ export async function bridgeCesApproval(
         decision: {
           proposal,
           proposalHash,
-          decision: cesDecision.grantDecision,
+          decision: decision.grantDecision,
           decidedBy: "guardian",
           decidedAt: new Date().toISOString(),
-          reason: response.decisionContext,
-          ttl: cesDecision.ttl,
-          grantType: cesDecision.grantType,
+          reason,
+          ttl: decision.ttl,
+          grantType: decision.grantType,
         },
         sessionId,
         conversationId,
@@ -324,7 +357,7 @@ export async function bridgeCesApproval(
         proposalHash,
         sessionId,
         grantId,
-        userDecision: response.decision,
+        userDecision: decision.userDecision,
       },
       "CES approval bridge: grant recorded successfully",
     );
@@ -332,7 +365,7 @@ export async function bridgeCesApproval(
     return {
       outcome: "approved",
       grantId,
-      userDecision: response.decision,
+      userDecision: decision.userDecision,
     };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);

package/src/credential-execution/managed-catalog.ts

@@ -130,16 +130,12 @@ export async function fetchManagedCatalog(): Promise<FetchManagedCatalogResult>
 
     return { ok: true, descriptors };
   } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    const safeMessage = message.replace(
-      /Api-Key\s+\S+/gi,
-      "Api-Key [REDACTED]",
-    );
-    log.warn(`Failed to fetch managed CES catalog: ${safeMessage}`);
+    const errorName = err instanceof Error ? err.constructor.name : "Unknown";
+    log.warn(`Failed to fetch managed CES catalog (${errorName})`);
     return {
       ok: false,
       descriptors: [],
-      error: `Failed to fetch managed CES catalog: ${safeMessage}`,
+      error: `Failed to fetch managed CES catalog (${errorName})`,
     };
   }
 }

package/src/daemon/__tests__/conversation-tool-setup.test.ts

@@ -0,0 +1,186 @@
+/**
+ * Tests for `isToolActiveForContext` host-tool capability gating.
+ *
+ * Two scenarios are verified:
+ * - chrome-extension is its own executor and is exempt from the hasNoClient
+ *   gate (the extension's own popup UI gates commands; there is no SSE
+ *   interactive approval channel, and chrome-extension turns intentionally
+ *   run with `hasNoClient: true` because chrome-extension is not in
+ *   `INTERACTIVE_INTERFACES`).
+ * - macos still requires a connected SSE client for interactive approval, so
+ *   `hasNoClient: true` continues to deny all host tools on macos.
+ *
+ * The per-capability check (`supportsHostProxy(transport, capability)`) runs
+ * first and is authoritative for structural support, so host_bash and
+ * host_file_* are filtered out for chrome-extension regardless of the
+ * hasNoClient flag.
+ */
+
+import { describe, expect, test } from "bun:test";
+
+import type { SkillProjectionCache } from "../conversation-skill-tools.js";
+import {
+  HOST_TOOL_NAMES,
+  HOST_TOOL_TO_CAPABILITY,
+  isToolActiveForContext,
+  type SkillProjectionContext,
+} from "../conversation-tool-setup.js";
+
+function makeCtx(
+  overrides: Partial<SkillProjectionContext> = {},
+): SkillProjectionContext {
+  return {
+    skillProjectionState: new Map(),
+    skillProjectionCache: {} as SkillProjectionCache,
+    coreToolNames: new Set<string>(),
+    toolsDisabledDepth: 0,
+    ...overrides,
+  };
+}
+
+describe("isToolActiveForContext — host tool capability gating", () => {
+  // macOS transport: SSE-based interactive approval required.
+  test("host_bash is active for macOS with a connected client", () => {
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "macos" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash is NOT active for macOS when hasNoClient is true (security invariant)", () => {
+    // macOS uses an SSE-based interactive approval channel. Without a
+    // connected client the guardian auto-approve path could execute host
+    // commands unattended, so host tools must be denied.
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_file_read is NOT active for macOS when hasNoClient is true", () => {
+    expect(
+      isToolActiveForContext(
+        "host_file_read",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_browser is active for macOS with a connected client", () => {
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({ hasNoClient: false, transportInterface: "macos" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_browser is NOT active for macOS when hasNoClient is true", () => {
+    // macOS requires a client for any host tool — the SSE interactive
+    // approval channel must be available regardless of capability.
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  // chrome-extension transport: the extension is its own executor.
+  test("host_browser is active for chrome-extension even when hasNoClient is true", () => {
+    // chrome-extension turns run with `hasNoClient: true` by design because
+    // chrome-extension is not in `INTERACTIVE_INTERFACES` — it is not an
+    // SSE interactive channel. The extension gates host_browser commands
+    // via its own popup UI, so the hasNoClient gate must not filter
+    // host_browser out for chrome-extension transports.
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({
+          hasNoClient: true,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_browser is active for chrome-extension when hasNoClient is false", () => {
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({
+          hasNoClient: false,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash is NOT active for chrome-extension even when hasNoClient is true", () => {
+    // The per-capability check runs first and is authoritative: chrome-extension
+    // only supports `host_browser`, so `host_bash` must be filtered out.
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({
+          hasNoClient: true,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_file_read is NOT active for chrome-extension when hasNoClient is true", () => {
+    expect(
+      isToolActiveForContext(
+        "host_file_read",
+        makeCtx({
+          hasNoClient: true,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(false);
+  });
+
+  // Backwards-compat fallback: no transport plumbed through.
+  test("host_bash falls back to hasNoClient gate when transport is undefined (client connected)", () => {
+    // Without a transport interface we cannot run the per-capability check,
+    // so we fall back to the coarse-grained `hasNoClient` behavior.
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: undefined }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash falls back to hasNoClient gate when transport is undefined (no client)", () => {
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: undefined }),
+      ),
+    ).toBe(false);
+  });
+});
+
+describe("HOST_TOOL_NAMES derivation", () => {
+  test("HOST_TOOL_NAMES is derived from HOST_TOOL_TO_CAPABILITY", () => {
+    // Sanity check: every tool in the names set has a capability mapping.
+    // This is structurally enforced by the code (HOST_TOOL_NAMES is built
+    // from HOST_TOOL_TO_CAPABILITY.keys()), but we test it to make the
+    // invariant visible to readers and to catch any regression that
+    // splits the two collections back apart.
+    for (const name of HOST_TOOL_NAMES) {
+      expect(HOST_TOOL_TO_CAPABILITY.has(name)).toBe(true);
+    }
+    // Cardinality check: the two collections must have the same size so a
+    // future addition to HOST_TOOL_NAMES without a matching capability entry
+    // (or vice versa) would fail.
+    expect(HOST_TOOL_NAMES.size).toBe(HOST_TOOL_TO_CAPABILITY.size);
+  });
+});

package/src/daemon/app-source-watcher.ts

@@ -24,6 +24,20 @@ const APP_REFRESH_DEBOUNCE_MS = 500;
 
 export type AppSourceChangeCallback = (appId: string) => void;
 
+/**
+ * Module-level callback so tool-side-effects can ensure the watcher starts
+ * after the apps directory is created (e.g. on first app_create).
+ */
+let ensureWatcherStarted: (() => void) | null = null;
+
+export function setEnsureAppSourceWatcher(fn: () => void): void {
+  ensureWatcherStarted = fn;
+}
+
+export function ensureAppSourceWatcher(): void {
+  ensureWatcherStarted?.();
+}
+
 /**
  * Resolve app ID from a relative path within the apps directory.
  * Returns null if the path is not an app source file (e.g. dist/, records/).
@@ -48,12 +62,29 @@ function resolveAppIdFromRelPath(relPath: string): string | null {
 
 export class AppSourceWatcher {
   private watcher: FSWatcher | null = null;
+  private onChange: AppSourceChangeCallback | null = null;
   private debouncer = new DebouncerMap({
     defaultDelayMs: APP_REFRESH_DEBOUNCE_MS,
     maxEntries: 50,
   });
 
   start(onChange: AppSourceChangeCallback): void {
+    this.onChange = onChange;
+    this.tryWatch();
+  }
+
+  /**
+   * Ensure the watcher is running. Call after app creation so the watcher
+   * starts if the apps directory was created after daemon startup.
+   */
+  ensureStarted(): void {
+    if (this.watcher || !this.onChange) return;
+    this.tryWatch();
+  }
+
+  private tryWatch(): void {
+    if (this.watcher) return;
+
     let appsDir: string;
     try {
       appsDir = getAppsDir();
@@ -67,6 +98,9 @@ export class AppSourceWatcher {
       return;
     }
 
+    const onChange = this.onChange;
+    if (!onChange) return;
+
     try {
       this.watcher = watch(appsDir, { recursive: true }, (_eventType, filename) => {
         if (!filename) return;
@@ -78,6 +112,7 @@ export class AppSourceWatcher {
           onChange(appId);
         });
       });
+      log.info("App source watcher started");
     } catch (err) {
       log.warn({ err }, "Failed to watch apps directory; source watching disabled");
     }

package/src/daemon/config-watcher.ts

@@ -118,6 +118,8 @@ export class ConfigWatcher {
     onIdentityChanged?: () => void,
     onSoundsConfigChanged?: () => void,
     onAvatarChanged?: () => void,
+    onConfigChanged?: () => void,
+    onFeatureFlagsChanged?: () => void,
   ): void {
     const workspaceDir = getWorkspaceDir();
 
@@ -130,6 +132,7 @@ export class ConfigWatcher {
           const changed = await this.refreshConfigFromSources();
           if (changed) {
             onConversationEvict();
+            onConfigChanged?.();
             const newConfig = getConfig();
             const newMcpFingerprint = JSON.stringify(newConfig.mcp ?? {});
             if (newMcpFingerprint !== prevMcpFingerprint) {
@@ -190,7 +193,7 @@ export class ConfigWatcher {
       this.startAvatarWatcher(onAvatarChanged);
     }
 
-    this.startFeatureFlagsWatcher();
+    this.startFeatureFlagsWatcher(onFeatureFlagsChanged);
     this.startSignalsWatcher();
     this.startSkillsWatchers(onConversationEvict);
   }
@@ -266,7 +269,7 @@ export class ConfigWatcher {
     }
   }
 
-  private startFeatureFlagsWatcher(): void {
+  private startFeatureFlagsWatcher(onFeatureFlagsChanged?: () => void): void {
     const protectedDir = process.env.GATEWAY_SECURITY_DIR
       ? process.env.GATEWAY_SECURITY_DIR
       : join(homedir(), ".vellum", "protected");
@@ -297,6 +300,7 @@ export class ConfigWatcher {
               "Feature flags file changed, invalidating cache",
             );
             clearFeatureFlagOverridesCache();
+            onFeatureFlagsChanged?.();
           },
           500,
         );

package/src/daemon/context-overflow-approval.ts

@@ -1,5 +1,6 @@
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import { isAllowDecision } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 
 /**
  * Reserved pseudo tool name used for context overflow compression approval
@@ -26,6 +27,10 @@ export async function requestCompressionApproval(
   prompter: PermissionPrompter,
   opts?: { signal?: AbortSignal },
 ): Promise<CompressionApprovalResult> {
+  if (isPermissionControlsV2Enabled()) {
+    return { approved: true };
+  }
+
   const result = await prompter.prompt(
     CONTEXT_OVERFLOW_TOOL_NAME,
     {
@@ -39,7 +44,6 @@ export async function requestCompressionApproval(
     undefined,
     undefined,
     undefined,
-    undefined,
     false,
     opts?.signal,
   );

package/src/daemon/conversation-agent-loop-handlers.ts

@@ -932,10 +932,25 @@ export async function dispatchAgentEvent(
           "assistant_turn",
           deps.reqId,
         );
+
+        // Format web search results into a human-readable string for the client.
+        let resultText = "";
+        if (Array.isArray(event.content) && event.content.length > 0) {
+          resultText = (event.content as unknown[])
+            .filter(
+              (r): r is { type: string; title: string; url: string } =>
+                typeof r === "object" &&
+                r != null &&
+                (r as { type?: string }).type === "web_search_result",
+            )
+            .map((r) => `${r.title}\n${r.url}`)
+            .join("\n\n");
+        }
+
         deps.onEvent({
           type: "tool_result",
-          toolName: "",
-          result: "",
+          toolName: "web_search",
+          result: resultText,
           isError: event.isError,
           conversationId: deps.ctx.conversationId,
           toolUseId: event.toolUseId,