@vellumai/assistant 0.6.1 → 0.6.3

package/src/runtime/routes/migration-routes.ts

@@ -21,6 +21,11 @@ import { invalidateConfigCache } from "../../config/loader.js";
 import { getDb, resetDb } from "../../memory/db-connection.js";
 import { validateMigrationState } from "../../memory/migrations/validate-migration-state.js";
 import { clearCache as clearTrustCache } from "../../permissions/trust-store.js";
+import {
+  bulkSetSecureKeysAsync,
+  getSecureKeyResultAsync,
+  listSecureKeysAsync,
+} from "../../security/secure-keys.js";
 import { getLogger } from "../../util/logger.js";
 import {
   getDbPath,
@@ -34,7 +39,10 @@ import {
   analyzeImport,
   DefaultPathResolver,
 } from "../migrations/vbundle-import-analyzer.js";
-import { commitImport } from "../migrations/vbundle-importer.js";
+import {
+  commitImport,
+  extractCredentialsFromBundle,
+} from "../migrations/vbundle-importer.js";
 import { validateVBundle } from "../migrations/vbundle-validator.js";
 
 const log = getLogger("migration-routes");
@@ -146,6 +154,27 @@ export async function handleMigrationExport(req: Request): Promise<Response> {
   let cleanup: (() => Promise<void>) | undefined;
 
   try {
+    // Read all stored credentials to include in the export bundle
+    const credentialList = await listSecureKeysAsync();
+    const credentials: Array<{ account: string; value: string }> = [];
+    if (credentialList.unreachable) {
+      log.warn(
+        "Credential store is unreachable — export will not include credentials",
+      );
+    } else {
+      for (const account of credentialList.accounts) {
+        const result = await getSecureKeyResultAsync(account);
+        if (result.unreachable) {
+          log.warn(
+            { account },
+            "Credential store unreachable when reading credential — skipping",
+          );
+        } else if (result.value != null) {
+          credentials.push({ account, value: result.value });
+        }
+      }
+    }
+
     const result = await streamExportVBundle({
       // hooksDir is intentionally omitted — hooks now live under workspace/hooks/
       // and are included in the workspace walk. Passing hooksDir separately would
@@ -153,6 +182,7 @@ export async function handleMigrationExport(req: Request): Promise<Response> {
       workspaceDir: getWorkspaceDir(),
       source: "runtime-export",
       description,
+      credentials,
       checkpoint: () => {
         const dbPath = getDbPath();
         try {
@@ -196,6 +226,7 @@ export async function handleMigrationExport(req: Request): Promise<Response> {
         "Content-Length": String(size),
         "X-Vbundle-Schema-Version": manifest.schema_version,
         "X-Vbundle-Manifest-Sha256": manifest.manifest_sha256,
+        "X-Vbundle-Credentials-Included": String(credentials.length),
       },
     });
   } catch (err) {
@@ -444,6 +475,57 @@ export async function handleMigrationImport(req: Request): Promise<Response> {
       );
     }
 
+    // Import credentials from the bundle into CES (non-blocking — failures
+    // are logged as warnings but do not fail the overall import).
+    let credentialsImported:
+      | {
+          total: number;
+          succeeded: number;
+          failed: number;
+          failedAccounts: string[];
+        }
+      | undefined;
+
+    if (validation.entries) {
+      const bundleCredentials = extractCredentialsFromBundle(
+        validation.entries,
+        validation.manifest!,
+      );
+      if (bundleCredentials.length > 0) {
+        try {
+          const credResults = await bulkSetSecureKeysAsync(bundleCredentials);
+          const failedResults = credResults.filter((r) => !r.ok);
+          if (failedResults.length > 0) {
+            log.warn(
+              { failed: failedResults.map((f) => f.account) },
+              "Some credentials failed to import",
+            );
+          }
+          log.info(
+            { total: bundleCredentials.length, failed: failedResults.length },
+            "Credential import complete",
+          );
+          const succeeded = bundleCredentials.length - failedResults.length;
+          credentialsImported = {
+            total: bundleCredentials.length,
+            succeeded,
+            failed: failedResults.length,
+            failedAccounts: failedResults.map((f) => f.account),
+          };
+          if (failedResults.length > 0) {
+            result.report.warnings.push(
+              `Imported ${succeeded} credential(s), ${failedResults.length} failed`,
+            );
+          }
+        } catch (err) {
+          log.warn({ err }, "Credential import failed entirely");
+          result.report.warnings.push(
+            `Credential import failed: ${err instanceof Error ? err.message : String(err)}`,
+          );
+        }
+      }
+    }
+
     // Invalidate in-process caches so imported settings.json and trust.json take effect
     invalidateConfigCache();
     clearTrustCache();
@@ -463,7 +545,10 @@ export async function handleMigrationImport(req: Request): Promise<Response> {
       // Don't fail the import if validation itself errors
     }
 
-    return Response.json(result.report);
+    return Response.json({
+      ...result.report,
+      ...(credentialsImported ? { credentialsImported } : {}),
+    });
   } catch (err) {
     log.error({ err }, "Unexpected error during import commit");
     return httpError(

package/src/runtime/routes/oauth-apps.ts

@@ -60,8 +60,8 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
       endpoint: "oauth/apps",
       method: "GET",
       handler: ({ url }) => {
-        const providerKey = url.searchParams.get("provider_key");
-        if (!providerKey) {
+        const provider = url.searchParams.get("provider_key");
+        if (!provider) {
           return httpError(
             "BAD_REQUEST",
             "provider_key query parameter is required",
@@ -70,20 +70,18 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
         }
 
         const allApps = listApps();
-        const filtered = allApps.filter(
-          (row) => row.providerKey === providerKey,
-        );
+        const filtered = allApps.filter((row) => row.provider === provider);
 
-        const providerRow = getProvider(providerKey);
-        const provider = providerRow
+        const providerRow = getProvider(provider);
+        const providerSummary = providerRow
           ? serializeProviderSummary(providerRow)
           : null;
 
         return Response.json({
-          provider,
+          provider: providerSummary,
           apps: filtered.map((row) => ({
             id: row.id,
-            provider_key: row.providerKey,
+            provider_key: row.provider,
             client_id: row.clientId,
             created_at: row.createdAt,
             updated_at: row.updatedAt,
@@ -138,7 +136,7 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           {
             app: {
               id: app.id,
-              provider_key: app.providerKey,
+              provider_key: app.provider,
               client_id: app.clientId,
               created_at: app.createdAt,
               updated_at: app.updatedAt,
@@ -165,9 +163,9 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
         }
 
         // Disconnect all connections for this app first to clean up tokens.
-        const connections = listConnections(app.providerKey, app.clientId);
+        const connections = listConnections(app.provider, app.clientId);
         for (const conn of connections) {
-          await disconnectOAuthProvider(app.providerKey, app.clientId, conn.id);
+          await disconnectOAuthProvider(app.provider, app.clientId, conn.id);
         }
 
         await deleteApp(params.id);
@@ -190,12 +188,12 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           );
         }
 
-        const connections = listConnections(app.providerKey, app.clientId);
+        const connections = listConnections(app.provider, app.clientId);
 
         return Response.json({
           connections: connections.map((row) => ({
             id: row.id,
-            provider_key: row.providerKey,
+            provider_key: row.provider,
             account_info: row.accountInfo,
             granted_scopes: parseGrantedScopes(row.grantedScopes),
             status: row.status,
@@ -223,7 +221,7 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
         }
 
         const result = await disconnectOAuthProvider(
-          conn.providerKey,
+          conn.provider,
           undefined,
           conn.id,
         );
@@ -282,7 +280,7 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
         const clientSecret = await getAppClientSecret(app);
 
         const result = await orchestrateOAuthConnect({
-          service: app.providerKey,
+          service: app.provider,
           clientId: app.clientId,
           clientSecret,
           requestedScopes: body.scopes,
@@ -292,7 +290,7 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
 
         if (result.success && result.deferred) {
           return Response.json({
-            auth_url: result.authUrl,
+            auth_url: result.authorizeUrl,
             state: result.state,
           });
         }

package/src/runtime/routes/oauth-providers.ts

@@ -44,6 +44,10 @@ export function oauthProvidersRouteDefinitions(): RouteDefinition[] {
     },
 
     // GET /v1/oauth/providers/:providerKey — Get a single provider.
+    // The path parameter name `providerKey` is preserved for backward
+    // compatibility with the published OpenAPI spec (operationId
+    // `oauth_providers_by_providerKey_get`). The actual URL the client hits
+    // (`/v1/oauth/providers/google`) is unchanged either way.
     {
       endpoint: "oauth/providers/:providerKey",
       method: "GET",

package/src/runtime/routes/schedule-routes.ts

@@ -25,6 +25,10 @@ import type { RouteDefinition } from "../http-router.js";
 import type { SendMessageDeps } from "../http-types.js";
 
 const log = getLogger("schedule-routes");
+const SCHEDULE_GUARDIAN_TRUST_CONTEXT = {
+  sourceChannel: "vellum",
+  trustClass: "guardian",
+} as const;
 
 // ---------------------------------------------------------------------------
 // Handlers
@@ -202,17 +206,23 @@ async function handleRunScheduleNow(
             );
           }
           const conversation =
-            await sendMessageDeps.getOrCreateConversation(conversationId);
+            await sendMessageDeps.getOrCreateConversation(conversationId, {
+              trustContext: SCHEDULE_GUARDIAN_TRUST_CONTEXT,
+            });
           conversation.taskRunId = taskRunId;
-          await conversation.processMessage(
-            message,
-            [],
-            () => {}, // no event callback for HTTP mode
-            undefined,
-            undefined,
-            undefined,
-            { isInteractive: false },
-          );
+          try {
+            await conversation.processMessage(
+              message,
+              [],
+              () => {}, // no event callback for HTTP mode
+              undefined,
+              undefined,
+              undefined,
+              { isInteractive: false },
+            );
+          } finally {
+            conversation.taskRunId = undefined;
+          }
         },
       );
 
@@ -276,7 +286,10 @@ async function handleRunScheduleNow(
       throw new Error("sendMessageDeps not available for schedule execution");
     }
     const activeConversation =
-      await sendMessageDeps.getOrCreateConversation(conversationId);
+      await sendMessageDeps.getOrCreateConversation(conversationId, {
+        trustContext: SCHEDULE_GUARDIAN_TRUST_CONTEXT,
+      });
+    activeConversation.taskRunId = undefined;
     await activeConversation.processMessage(
       schedule.message,
       [],

package/src/runtime/routes/settings-routes.ts

@@ -12,16 +12,11 @@ import { join } from "node:path";
 
 import { z } from "zod";
 
-import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
 import {
   getPlatformBaseUrl,
   setIngressPublicBaseUrl,
 } from "../../config/env.js";
-import {
-  getConfig,
-  loadRawConfig,
-  saveRawConfig,
-} from "../../config/loader.js";
+import { loadRawConfig, saveRawConfig } from "../../config/loader.js";
 import { loadSkillCatalog } from "../../config/skills.js";
 import {
   computeGatewayTarget,
@@ -41,12 +36,6 @@ import {
   generateAllowlistOptions,
   generateScopeOptions,
 } from "../../permissions/checker.js";
-import {
-  getMode,
-  onModeChanged,
-  setAskBeforeActing,
-  setHostAccess,
-} from "../../permissions/permission-mode-store.js";
 import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import { parseToolManifestFile } from "../../skills/tool-manifest.js";
 import {
@@ -72,24 +61,6 @@ import { resolveWorkspacePath } from "./workspace-utils.js";
 
 const log = getLogger("settings-routes");
 
-// ---------------------------------------------------------------------------
-// Permission mode SSE broadcast
-// ---------------------------------------------------------------------------
-
-onModeChanged((mode) => {
-  assistantEventHub
-    .publish(
-      buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, {
-        type: "permission_mode_update",
-        askBeforeActing: mode.askBeforeActing,
-        hostAccess: mode.hostAccess,
-      }),
-    )
-    .catch((err) => {
-      log.warn({ err }, "Failed to publish permission_mode_update event");
-    });
-});
-
 // ---------------------------------------------------------------------------
 // Voice config
 // ---------------------------------------------------------------------------
@@ -240,7 +211,7 @@ async function handleOAuthConnectStart(body: {
   try {
     // For HTTP, we cannot send `open_url` mid-request. The auth URL is
     // returned to the client to open.
-    let authUrl: string | undefined;
+    let authorizeUrl: string | undefined;
 
     const result = await orchestrateOAuthConnect({
       service,
@@ -250,7 +221,7 @@ async function handleOAuthConnectStart(body: {
       callbackTransport: "loopback",
       isInteractive: true,
       openUrl: (url: string) => {
-        authUrl = url;
+        authorizeUrl = url;
       },
       onDeferredComplete: (deferredResult) => {
         // Prefer accountInfo from oauth-store when available.
@@ -309,7 +280,9 @@ async function handleOAuthConnectStart(body: {
       return Response.json({
         ok: true,
         deferred: true,
-        authUrl: result.authUrl,
+        // Wire key stays `authUrl` for backward compatibility with existing
+        // clients; the internal field on `result` is `authorizeUrl`.
+        authUrl: result.authorizeUrl,
       });
     }
 
@@ -326,7 +299,9 @@ async function handleOAuthConnectStart(body: {
       ok: true,
       grantedScopes: result.grantedScopes,
       accountInfo: responseAccountInfo,
-      ...(authUrl ? { authUrl } : {}),
+      // Wire key stays `authUrl` for backward compatibility with existing
+      // clients; the local variable was renamed to `authorizeUrl`.
+      ...(authorizeUrl ? { authUrl: authorizeUrl } : {}),
     });
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -921,68 +896,5 @@ export function settingsRouteDefinitions(): RouteDefinition[] {
         }
       },
     },
-
-    // Permission mode (GET always available; PUT gated on feature flag)
-    {
-      endpoint: "permission-mode",
-      method: "GET",
-      policyKey: "permission-mode:GET",
-      summary: "Get permission mode",
-      description:
-        "Return the current two-axis permission mode (askBeforeActing, hostAccess).",
-      tags: ["settings"],
-      responseBody: z.object({
-        askBeforeActing: z.boolean(),
-        hostAccess: z.boolean(),
-      }),
-      handler: () => {
-        const mode = getMode();
-        return Response.json({
-          askBeforeActing: mode.askBeforeActing,
-          hostAccess: mode.hostAccess,
-        });
-      },
-    },
-    {
-      endpoint: "permission-mode",
-      method: "PUT",
-      policyKey: "permission-mode",
-      summary: "Update permission mode",
-      description:
-        "Update the two-axis permission mode. Requires the permission-controls-v2 feature flag.",
-      tags: ["settings"],
-      requestBody: z.object({
-        askBeforeActing: z.boolean().optional(),
-        hostAccess: z.boolean().optional(),
-      }),
-      responseBody: z.object({
-        askBeforeActing: z.boolean(),
-        hostAccess: z.boolean(),
-      }),
-      handler: async ({ req }) => {
-        const config = getConfig();
-        if (!isAssistantFeatureFlagEnabled("permission-controls-v2", config)) {
-          return httpError("NOT_FOUND", "Not found", 404);
-        }
-
-        const body = (await req.json()) as {
-          askBeforeActing?: boolean;
-          hostAccess?: boolean;
-        };
-
-        if (typeof body.askBeforeActing === "boolean") {
-          setAskBeforeActing(body.askBeforeActing);
-        }
-        if (typeof body.hostAccess === "boolean") {
-          setHostAccess(body.hostAccess);
-        }
-
-        const mode = getMode();
-        return Response.json({
-          askBeforeActing: mode.askBeforeActing,
-          hostAccess: mode.hostAccess,
-        });
-      },
-    },
   ];
 }

package/src/runtime/routes/skills-routes.ts

@@ -19,6 +19,7 @@ import {
   draftSkill,
   enableSkill,
   getSkill,
+  getSkillFileContent,
   getSkillFiles,
   inspectSkill,
   installSkill,
@@ -151,6 +152,55 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
       },
     },
 
+    // The router uses strict anchored-regex matching, so this route is never
+    // ambiguous with skills/:id/files.
+    {
+      endpoint: "skills/:id/files/content",
+      method: "GET",
+      policyKey: "skills",
+      summary: "Get skill file content",
+      description:
+        "Return the content of a single file belonging to an installed or catalog skill.",
+      tags: ["skills"],
+      queryParams: [
+        {
+          name: "path",
+          schema: { type: "string" },
+          required: true,
+          description: "Relative path of the file within the skill directory",
+        },
+      ],
+      responseBody: z.object({
+        path: z.string(),
+        name: z.string(),
+        size: z.number().int(),
+        mimeType: z.string(),
+        isBinary: z.boolean(),
+        content: z.string().nullable(),
+      }),
+      handler: async ({ params, url }) => {
+        const path = url.searchParams.get("path");
+        if (!path) {
+          return httpError(
+            "BAD_REQUEST",
+            "path query parameter is required",
+            400,
+          );
+        }
+        const result = await getSkillFileContent(params.id, path, ctx());
+        if ("error" in result) {
+          if (result.status === 400) {
+            return httpError("BAD_REQUEST", result.error, 400);
+          }
+          if (result.status === 404) {
+            return httpError("NOT_FOUND", result.error, 404);
+          }
+          return httpError("INTERNAL_ERROR", result.error, 500);
+        }
+        return Response.json(result);
+      },
+    },
+
     {
       endpoint: "skills/:id/files",
       method: "GET",
@@ -158,8 +208,8 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
       summary: "Get skill files",
       description: "Return skill metadata and directory contents.",
       tags: ["skills"],
-      handler: ({ params }) => {
-        const result = getSkillFiles(params.id, ctx());
+      handler: async ({ params }) => {
+        const result = await getSkillFiles(params.id, ctx());
         if ("error" in result) {
           if (result.status === 404) {
             return httpError("NOT_FOUND", result.error, 404);

package/src/runtime/routes/subagents-routes.ts

@@ -7,7 +7,7 @@
  */
 import { z } from "zod";
 
-import { getMessages } from "../../memory/conversation-crud.js";
+import { getMessages, type MessageRow } from "../../memory/conversation-crud.js";
 import { getSubagentManager } from "../../subagent/index.js";
 import { getLogger } from "../../util/logger.js";
 import { httpError } from "../http-errors.js";
@@ -31,16 +31,25 @@ export interface SubagentDetailResult {
     content: string;
     toolName?: string;
     isError?: boolean;
+    messageId?: string;
   }>;
 }
 
+const FORK_DIRECTIVE_RE =
+  /^⎯⎯⎯ FORK TASK ⎯⎯⎯\n[\s\S]*?Complete this task directly and return only your findings:\n\n([\s\S]*?)\n⎯⎯⎯+$/;
+
+function stripForkDirectiveFraming(text: string): string {
+  const match = FORK_DIRECTIVE_RE.exec(text);
+  return match ? match[1] : text;
+}
+
 /**
  * Parse raw message rows into subagent detail events. Extracted as a pure
  * function so it can be unit-tested without a database.
  */
 export function parseSubagentMessages(
   subagentId: string,
-  messages: Array<{ role: string; content: string }>,
+  messages: MessageRow[],
 ): SubagentDetailResult {
   // Extract objective from the first user message
   let objective: string | undefined;
@@ -53,7 +62,7 @@ export function parseSubagentMessages(
           (b: Record<string, unknown>) => isRecord(b) && b.type === "text",
         );
         if (textBlock && typeof textBlock.text === "string") {
-          objective = textBlock.text;
+          objective = stripForkDirectiveFraming(textBlock.text);
         }
       }
     } catch {
@@ -62,12 +71,7 @@ export function parseSubagentMessages(
   }
 
   // Extract events from both assistant and user messages.
-  const events: Array<{
-    type: string;
-    content: string;
-    toolName?: string;
-    isError?: boolean;
-  }> = [];
+  const events: SubagentDetailResult["events"] = [];
   const pendingTools = new Map<string, string>();
   for (const m of messages) {
     if (m.role !== "assistant" && m.role !== "user") continue;
@@ -86,7 +90,7 @@ export function parseSubagentMessages(
         block.type === "text" &&
         typeof block.text === "string"
       ) {
-        events.push({ type: "text", content: block.text });
+        events.push({ type: "text", content: block.text, messageId: m.id });
       } else if (block.type === "tool_use") {
         const name = typeof block.name === "string" ? block.name : "unknown";
         const input = isRecord(block.input)

package/src/runtime/routes/usage-routes.ts

@@ -3,7 +3,7 @@
  *
  * GET /v1/usage/totals?from=&to=              — aggregate totals for a time range
  * GET /v1/usage/daily?from=&to=               — per-day buckets for a time range
- * GET /v1/usage/breakdown?from=&to=&groupBy=  — grouped breakdown (actor, provider, model)
+ * GET /v1/usage/breakdown?from=&to=&groupBy=  — grouped breakdown (actor, provider, model, or conversation)
  */
 
 import { z } from "zod";
@@ -17,7 +17,7 @@ import {
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 
-const VALID_GROUP_BY = new Set(["actor", "provider", "model"]);
+const VALID_GROUP_BY = new Set(["actor", "provider", "model", "conversation"]);
 
 /**
  * Parse and validate the `from` and `to` epoch-millis query parameters.
@@ -137,7 +137,7 @@ export function usageRouteDefinitions(): RouteDefinition[] {
       method: "GET",
       summary: "Get usage breakdown",
       description:
-        "Return grouped usage breakdown (by actor, provider, or model).",
+        "Return grouped usage breakdown (by actor, provider, model, or conversation).",
       tags: ["usage"],
       queryParams: [
         {
@@ -153,7 +153,8 @@ export function usageRouteDefinitions(): RouteDefinition[] {
         {
           name: "groupBy",
           schema: { type: "string" },
-          description: "Group by: actor, provider, or model (required)",
+          description:
+            "Group by: actor, provider, model, or conversation (required)",
         },
       ],
       responseBody: z.object({
@@ -167,21 +168,21 @@ export function usageRouteDefinitions(): RouteDefinition[] {
         if (!groupBy) {
           return httpError(
             "BAD_REQUEST",
-            'Missing required query parameter: "groupBy" (one of: actor, provider, model)',
+            'Missing required query parameter: "groupBy" (one of: actor, provider, model, conversation)',
             400,
           );
         }
         if (!VALID_GROUP_BY.has(groupBy)) {
           return httpError(
             "BAD_REQUEST",
-            `Invalid "groupBy" value: "${groupBy}". Must be one of: actor, provider, model`,
+            `Invalid "groupBy" value: "${groupBy}". Must be one of: actor, provider, model, conversation`,
             400,
           );
         }
 
         const breakdown = getUsageGroupBreakdown(
           range,
-          groupBy as "actor" | "provider" | "model",
+          groupBy as "actor" | "provider" | "model" | "conversation",
         );
         return Response.json({ breakdown });
       },