@vellumai/assistant 0.6.2 → 0.6.3

package/src/config/schemas/security.ts

@@ -79,12 +79,6 @@ export const PermissionsConfigSchema = z
       .describe(
         "Permission mode — 'strict' requires explicit approval for all operations, 'workspace' allows operations within the workspace",
       ),
-    askBeforeActing: z
-      .boolean({
-        error: "permissions.askBeforeActing must be a boolean",
-      })
-      .default(true)
-      .describe("Whether the assistant should check in before taking actions"),
     hostAccess: z
       .boolean({
         error: "permissions.hostAccess must be a boolean",

package/src/config/schemas/services.ts

@@ -61,6 +61,11 @@ export const LinearOAuthServiceSchema = BaseServiceSchema.extend({
 });
 export type LinearOAuthService = z.infer<typeof LinearOAuthServiceSchema>;
 
+export const GitHubOAuthServiceSchema = BaseServiceSchema.extend({
+  mode: ServiceModeSchema.default("your-own"),
+});
+export type GitHubOAuthService = z.infer<typeof GitHubOAuthServiceSchema>;
+
 export const ServicesSchema = z.object({
   inference: InferenceServiceSchema.default(InferenceServiceSchema.parse({})),
   "image-generation": ImageGenerationServiceSchema.default(
@@ -78,5 +83,8 @@ export const ServicesSchema = z.object({
   "linear-oauth": LinearOAuthServiceSchema.default(
     LinearOAuthServiceSchema.parse({}),
   ),
+  "github-oauth": GitHubOAuthServiceSchema.default(
+    GitHubOAuthServiceSchema.parse({}),
+  ),
 });
 export type Services = z.infer<typeof ServicesSchema>;

package/src/config/types.ts

@@ -27,7 +27,6 @@ export type {
   PermissionsConfig,
   QdrantConfig,
   RateLimitConfig,
-  SandboxConfig,
   SecretDetectionConfig,
   ServiceMode,
   Services,

package/src/context/post-turn-tool-result-truncation.ts

@@ -0,0 +1,176 @@
+import { createHash } from "node:crypto";
+import { mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import type {
+  ContentBlock,
+  Message,
+  ToolResultContent,
+  ToolUseContent,
+} from "../providers/types.js";
+
+/** Minimum content length (chars) before a tool result is eligible for truncation. ~2000 tokens at 4 chars/token. */
+export const THRESHOLD_CHARS = 8_000;
+
+/** Target size (chars) for the truncated stub. ~300 tokens at 4 chars/token. */
+export const TARGET_CHARS = 1_200;
+
+/** Subdirectory name under the conversation directory for saved full results. */
+export const TOOL_RESULT_DIR = ".tool-results";
+
+/** Marker used to detect already-truncated results (idempotency guard). */
+export const TRUNCATION_MARKER = "\u2014 full result:";
+
+/**
+ * Deterministic file path for a tool result's full content on disk.
+ * Uses the first 12 hex chars of the SHA-256 of the tool_use_id.
+ */
+export function getToolResultFilePath(
+  conversationDir: string,
+  toolUseId: string,
+): string {
+  const hash = createHash("sha256").update(toolUseId).digest("hex").slice(0, 12);
+  return join(conversationDir, TOOL_RESULT_DIR, `${hash}.txt`);
+}
+
+/**
+ * Build the truncated stub that replaces a large tool result in context.
+ * Preserves the first and last halves of TARGET_CHARS, with a middle marker
+ * indicating how many tokens were omitted and where to find the full result.
+ */
+export function buildTruncatedContent(
+  original: string,
+  filePath: string,
+): string {
+  const half = Math.floor(TARGET_CHARS / 2);
+  const prefix = original.slice(0, half);
+  const suffix = original.slice(-half);
+  const omittedChars = original.length - TARGET_CHARS;
+  const estimatedTokens = Math.round(omittedChars / 4);
+  return `${prefix}\n\n...(${estimatedTokens} tokens omitted ${TRUNCATION_MARKER} ${filePath})\n\n${suffix}`;
+}
+
+/**
+ * Walk all messages and truncate tool results that exceed `THRESHOLD_CHARS`.
+ *
+ * For each eligible result:
+ * - The full content is persisted to a deterministic file path on disk.
+ * - The in-context content is replaced with a prefix/suffix stub.
+ *
+ * Results are skipped if they are below threshold, are error results,
+ * or have already been truncated (contain `TRUNCATION_MARKER`).
+ *
+ * Returns a shallow-copied messages array (only modified messages are cloned)
+ * and the count of results that were truncated.
+ */
+export function postTurnTruncateToolResults(
+  messages: Message[],
+  options: { conversationDir: string },
+): { messages: Message[]; truncatedCount: number } {
+  let truncatedCount = 0;
+
+  const mapped = messages.map((msg) => {
+    let changed = false;
+    const nextContent: ContentBlock[] = msg.content.map((block) => {
+      if (block.type !== "tool_result") return block;
+      const tr = block as ToolResultContent;
+
+      // Skip short results.
+      if (tr.content.length <= THRESHOLD_CHARS) return block;
+
+      // Skip error results.
+      if (tr.is_error) return block;
+
+      // Skip already-truncated results (idempotency).
+      if (tr.content.includes(TRUNCATION_MARKER)) return block;
+
+      const filePath = getToolResultFilePath(
+        options.conversationDir,
+        tr.tool_use_id,
+      );
+
+      // Persist full content to disk.
+      mkdirSync(join(options.conversationDir, TOOL_RESULT_DIR), {
+        recursive: true,
+      });
+      writeFileSync(filePath, tr.content, "utf-8");
+
+      changed = true;
+      truncatedCount++;
+      return {
+        ...tr,
+        content: buildTruncatedContent(tr.content, filePath),
+      } as ContentBlock;
+    });
+
+    return changed ? { ...msg, content: nextContent } : msg;
+  });
+
+  return { messages: truncatedCount > 0 ? mapped : messages, truncatedCount };
+}
+
+/** Stub that replaces a re-read of a saved tool result to avoid context duplication. */
+export const REREAD_STUB =
+  "(Re-read of saved tool result — original context is preserved above)";
+
+/**
+ * Deduplicate re-reads of saved tool results.
+ *
+ * When `postTurnTruncateToolResults` truncates a large result, it saves the full
+ * content to a `.tool-results/` file. If the model later calls `file_read` on that
+ * saved file, the result is a second copy of content whose truncated prefix/suffix
+ * is already in context. This function detects those re-reads and replaces their
+ * tool_result content with a short stub to avoid duplication.
+ */
+export function derefToolResultReReads(messages: Message[]): {
+  messages: Message[];
+  dereferencedCount: number;
+} {
+  // Build a set of tool_use_ids that are file_read calls targeting .tool-results/ paths.
+  const reReadToolUseIds = new Set<string>();
+
+  for (const msg of messages) {
+    if (msg.role !== "assistant") continue;
+    for (const block of msg.content) {
+      if (block.type !== "tool_use") continue;
+      const tu = block as ToolUseContent;
+      if (tu.name !== "file_read") continue;
+      const filePath = tu.input.path ?? tu.input.file_path;
+      if (typeof filePath !== "string") continue;
+      if (filePath.includes(`/${TOOL_RESULT_DIR}/`)) {
+        reReadToolUseIds.add(tu.id);
+      }
+    }
+  }
+
+  if (reReadToolUseIds.size === 0) {
+    return { messages, dereferencedCount: 0 };
+  }
+
+  let dereferencedCount = 0;
+
+  const mapped = messages.map((msg) => {
+    if (msg.role !== "user") return msg;
+
+    let changed = false;
+    const nextContent: ContentBlock[] = msg.content.map((block) => {
+      if (block.type !== "tool_result") return block;
+      const tr = block as ToolResultContent;
+      if (!reReadToolUseIds.has(tr.tool_use_id)) return block;
+
+      // Skip error results — preserve diagnostics (e.g. file not found).
+      if (tr.is_error) return block;
+
+      changed = true;
+      dereferencedCount++;
+      return { ...tr, content: REREAD_STUB } as ContentBlock;
+    });
+
+    return changed ? { ...msg, content: nextContent } : msg;
+  });
+
+  return {
+    messages: dereferencedCount > 0 ? mapped : messages,
+    dereferencedCount,
+  };
+}

package/src/context/window-manager.ts

@@ -102,6 +102,14 @@ export class ContextWindowManager {
   private readonly _systemPrompt: string | (() => string);
   private readonly config: ContextWindowConfig;
   private readonly toolTokenBudget: number;
+  /**
+   * Number of leading messages that are non-persisted (injected inherited
+   * context from a parent conversation).  `countPersistedMessages` subtracts
+   * this so `compactedPersistedMessages` only reflects DB-backed messages.
+   * Set by `Conversation.injectInheritedContext` and consumed (decremented)
+   * after a successful compaction pass.
+   */
+  nonPersistedPrefixCount = 0;
   /**
    * Cached resolved system prompt. Lazily populated on first access via the
    * `systemPrompt` getter and cleared after each compaction pass so the next
@@ -305,8 +313,12 @@ export class ContextWindowManager {
       };
     }
 
+    const injectedInCompactable = Math.min(
+      Math.max(0, this.nonPersistedPrefixCount - summaryOffset),
+      compactableMessages.length,
+    );
     const compactedPersistedMessages =
-      countPersistedMessages(compactableMessages);
+      countPersistedMessages(compactableMessages) - injectedInCompactable;
     const rawProjectedMessages = [
       createContextSummaryMessage(existingSummary ?? "Projected summary"),
       ...messages.slice(keepPlan.keepFromIndex),
@@ -452,6 +464,12 @@ export class ContextWindowManager {
         toolTokenBudget: this.toolTokenBudget,
       },
     );
+    // Consume the injected prefix messages that were compacted away.
+    this.nonPersistedPrefixCount = Math.max(
+      0,
+      this.nonPersistedPrefixCount - injectedInCompactable,
+    );
+
     log.info(
       {
         previousEstimatedInputTokens,

package/src/credential-execution/approval-bridge.ts

@@ -21,6 +21,7 @@ import type {
 
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import type { UserDecision } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 import { getLogger } from "../util/logger.js";
 import type { CesClient } from "./client.js";
 
@@ -173,13 +174,7 @@ export async function bridgeCesApproval(
     signal?: AbortSignal;
   },
 ): Promise<CesApprovalBridgeResult> {
-  const {
-    proposal,
-    renderedProposal,
-    proposalHash,
-    sessionId,
-    conversationId,
-  } = approval;
+  const { proposal, renderedProposal, proposalHash, sessionId } = approval;
 
   // Non-interactive sessions have no client to respond — fail closed.
   if (options?.isInteractive === false) {
@@ -194,6 +189,24 @@ export async function bridgeCesApproval(
     return { outcome: "denied", userDecision: "deny" };
   }
 
+  if (isPermissionControlsV2Enabled()) {
+    log.info(
+      {
+        event: "ces_approval_bridge_v2_suppressed",
+        proposalHash,
+        sessionId,
+      },
+      "CES approval request auto-approved without deterministic prompt under v2",
+    );
+    const v2Decision = mapUserDecisionToCesDecision("allow");
+    return recordCesGrant({
+      approval,
+      cesClient,
+      decision: v2Decision,
+      reason: "permission_controls_v2_auto_allow",
+    });
+  }
+
   // Build the tool name and input for the confirmation prompt. The tool
   // name uses a `ces:` prefix so the client can distinguish CES approval
   // requests from regular tool confirmation prompts.
@@ -262,8 +275,29 @@ export async function bridgeCesApproval(
     `CES approval bridge: guardian decision is "${cesDecision.grantDecision}"`,
   );
 
-  if (cesDecision.grantDecision === "denied") {
-    return { outcome: "denied", userDecision: response.decision };
+  return recordCesGrant({
+    approval,
+    cesClient,
+    decision: cesDecision,
+    reason: response.decisionContext,
+  });
+}
+
+async function recordCesGrant({
+  approval,
+  cesClient,
+  decision,
+  reason,
+}: {
+  approval: ApprovalRequired;
+  cesClient: CesClient;
+  decision: CesApprovalDecision;
+  reason?: string;
+}): Promise<CesApprovalBridgeResult> {
+  const { proposal, proposalHash, sessionId, conversationId } = approval;
+
+  if (decision.grantDecision === "denied") {
+    return { outcome: "denied", userDecision: decision.userDecision };
   }
 
   // Commit the approved grant to CES via record_grant RPC.
@@ -274,12 +308,12 @@ export async function bridgeCesApproval(
         decision: {
           proposal,
           proposalHash,
-          decision: cesDecision.grantDecision,
+          decision: decision.grantDecision,
           decidedBy: "guardian",
           decidedAt: new Date().toISOString(),
-          reason: response.decisionContext,
-          ttl: cesDecision.ttl,
-          grantType: cesDecision.grantType,
+          reason,
+          ttl: decision.ttl,
+          grantType: decision.grantType,
         },
         sessionId,
         conversationId,
@@ -323,7 +357,7 @@ export async function bridgeCesApproval(
         proposalHash,
         sessionId,
         grantId,
-        userDecision: response.decision,
+        userDecision: decision.userDecision,
       },
       "CES approval bridge: grant recorded successfully",
     );
@@ -331,7 +365,7 @@ export async function bridgeCesApproval(
     return {
       outcome: "approved",
       grantId,
-      userDecision: response.decision,
+      userDecision: decision.userDecision,
     };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);

package/src/daemon/__tests__/conversation-tool-setup.test.ts

@@ -0,0 +1,186 @@
+/**
+ * Tests for `isToolActiveForContext` host-tool capability gating.
+ *
+ * Two scenarios are verified:
+ * - chrome-extension is its own executor and is exempt from the hasNoClient
+ *   gate (the extension's own popup UI gates commands; there is no SSE
+ *   interactive approval channel, and chrome-extension turns intentionally
+ *   run with `hasNoClient: true` because chrome-extension is not in
+ *   `INTERACTIVE_INTERFACES`).
+ * - macos still requires a connected SSE client for interactive approval, so
+ *   `hasNoClient: true` continues to deny all host tools on macos.
+ *
+ * The per-capability check (`supportsHostProxy(transport, capability)`) runs
+ * first and is authoritative for structural support, so host_bash and
+ * host_file_* are filtered out for chrome-extension regardless of the
+ * hasNoClient flag.
+ */
+
+import { describe, expect, test } from "bun:test";
+
+import type { SkillProjectionCache } from "../conversation-skill-tools.js";
+import {
+  HOST_TOOL_NAMES,
+  HOST_TOOL_TO_CAPABILITY,
+  isToolActiveForContext,
+  type SkillProjectionContext,
+} from "../conversation-tool-setup.js";
+
+function makeCtx(
+  overrides: Partial<SkillProjectionContext> = {},
+): SkillProjectionContext {
+  return {
+    skillProjectionState: new Map(),
+    skillProjectionCache: {} as SkillProjectionCache,
+    coreToolNames: new Set<string>(),
+    toolsDisabledDepth: 0,
+    ...overrides,
+  };
+}
+
+describe("isToolActiveForContext — host tool capability gating", () => {
+  // macOS transport: SSE-based interactive approval required.
+  test("host_bash is active for macOS with a connected client", () => {
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "macos" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash is NOT active for macOS when hasNoClient is true (security invariant)", () => {
+    // macOS uses an SSE-based interactive approval channel. Without a
+    // connected client the guardian auto-approve path could execute host
+    // commands unattended, so host tools must be denied.
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_file_read is NOT active for macOS when hasNoClient is true", () => {
+    expect(
+      isToolActiveForContext(
+        "host_file_read",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_browser is active for macOS with a connected client", () => {
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({ hasNoClient: false, transportInterface: "macos" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_browser is NOT active for macOS when hasNoClient is true", () => {
+    // macOS requires a client for any host tool — the SSE interactive
+    // approval channel must be available regardless of capability.
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  // chrome-extension transport: the extension is its own executor.
+  test("host_browser is active for chrome-extension even when hasNoClient is true", () => {
+    // chrome-extension turns run with `hasNoClient: true` by design because
+    // chrome-extension is not in `INTERACTIVE_INTERFACES` — it is not an
+    // SSE interactive channel. The extension gates host_browser commands
+    // via its own popup UI, so the hasNoClient gate must not filter
+    // host_browser out for chrome-extension transports.
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({
+          hasNoClient: true,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_browser is active for chrome-extension when hasNoClient is false", () => {
+    expect(
+      isToolActiveForContext(
+        "host_browser",
+        makeCtx({
+          hasNoClient: false,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash is NOT active for chrome-extension even when hasNoClient is true", () => {
+    // The per-capability check runs first and is authoritative: chrome-extension
+    // only supports `host_browser`, so `host_bash` must be filtered out.
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({
+          hasNoClient: true,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_file_read is NOT active for chrome-extension when hasNoClient is true", () => {
+    expect(
+      isToolActiveForContext(
+        "host_file_read",
+        makeCtx({
+          hasNoClient: true,
+          transportInterface: "chrome-extension",
+        }),
+      ),
+    ).toBe(false);
+  });
+
+  // Backwards-compat fallback: no transport plumbed through.
+  test("host_bash falls back to hasNoClient gate when transport is undefined (client connected)", () => {
+    // Without a transport interface we cannot run the per-capability check,
+    // so we fall back to the coarse-grained `hasNoClient` behavior.
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: undefined }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash falls back to hasNoClient gate when transport is undefined (no client)", () => {
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: undefined }),
+      ),
+    ).toBe(false);
+  });
+});
+
+describe("HOST_TOOL_NAMES derivation", () => {
+  test("HOST_TOOL_NAMES is derived from HOST_TOOL_TO_CAPABILITY", () => {
+    // Sanity check: every tool in the names set has a capability mapping.
+    // This is structurally enforced by the code (HOST_TOOL_NAMES is built
+    // from HOST_TOOL_TO_CAPABILITY.keys()), but we test it to make the
+    // invariant visible to readers and to catch any regression that
+    // splits the two collections back apart.
+    for (const name of HOST_TOOL_NAMES) {
+      expect(HOST_TOOL_TO_CAPABILITY.has(name)).toBe(true);
+    }
+    // Cardinality check: the two collections must have the same size so a
+    // future addition to HOST_TOOL_NAMES without a matching capability entry
+    // (or vice versa) would fail.
+    expect(HOST_TOOL_NAMES.size).toBe(HOST_TOOL_TO_CAPABILITY.size);
+  });
+});

package/src/daemon/app-source-watcher.ts

@@ -24,6 +24,20 @@ const APP_REFRESH_DEBOUNCE_MS = 500;
 
 export type AppSourceChangeCallback = (appId: string) => void;
 
+/**
+ * Module-level callback so tool-side-effects can ensure the watcher starts
+ * after the apps directory is created (e.g. on first app_create).
+ */
+let ensureWatcherStarted: (() => void) | null = null;
+
+export function setEnsureAppSourceWatcher(fn: () => void): void {
+  ensureWatcherStarted = fn;
+}
+
+export function ensureAppSourceWatcher(): void {
+  ensureWatcherStarted?.();
+}
+
 /**
  * Resolve app ID from a relative path within the apps directory.
  * Returns null if the path is not an app source file (e.g. dist/, records/).
@@ -48,12 +62,29 @@ function resolveAppIdFromRelPath(relPath: string): string | null {
 
 export class AppSourceWatcher {
   private watcher: FSWatcher | null = null;
+  private onChange: AppSourceChangeCallback | null = null;
   private debouncer = new DebouncerMap({
     defaultDelayMs: APP_REFRESH_DEBOUNCE_MS,
     maxEntries: 50,
   });
 
   start(onChange: AppSourceChangeCallback): void {
+    this.onChange = onChange;
+    this.tryWatch();
+  }
+
+  /**
+   * Ensure the watcher is running. Call after app creation so the watcher
+   * starts if the apps directory was created after daemon startup.
+   */
+  ensureStarted(): void {
+    if (this.watcher || !this.onChange) return;
+    this.tryWatch();
+  }
+
+  private tryWatch(): void {
+    if (this.watcher) return;
+
     let appsDir: string;
     try {
       appsDir = getAppsDir();
@@ -67,6 +98,9 @@ export class AppSourceWatcher {
       return;
     }
 
+    const onChange = this.onChange;
+    if (!onChange) return;
+
     try {
       this.watcher = watch(appsDir, { recursive: true }, (_eventType, filename) => {
         if (!filename) return;
@@ -78,6 +112,7 @@ export class AppSourceWatcher {
           onChange(appId);
         });
       });
+      log.info("App source watcher started");
     } catch (err) {
       log.warn({ err }, "Failed to watch apps directory; source watching disabled");
     }

package/src/daemon/context-overflow-approval.ts

@@ -1,5 +1,6 @@
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import { isAllowDecision } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 
 /**
  * Reserved pseudo tool name used for context overflow compression approval
@@ -26,6 +27,10 @@ export async function requestCompressionApproval(
   prompter: PermissionPrompter,
   opts?: { signal?: AbortSignal },
 ): Promise<CompressionApprovalResult> {
+  if (isPermissionControlsV2Enabled()) {
+    return { approved: true };
+  }
+
   const result = await prompter.prompt(
     CONTEXT_OVERFLOW_TOOL_NAME,
     {

package/src/daemon/conversation-agent-loop-handlers.ts

@@ -932,10 +932,25 @@ export async function dispatchAgentEvent(
           "assistant_turn",
           deps.reqId,
         );
+
+        // Format web search results into a human-readable string for the client.
+        let resultText = "";
+        if (Array.isArray(event.content) && event.content.length > 0) {
+          resultText = (event.content as unknown[])
+            .filter(
+              (r): r is { type: string; title: string; url: string } =>
+                typeof r === "object" &&
+                r != null &&
+                (r as { type?: string }).type === "web_search_result",
+            )
+            .map((r) => `${r.title}\n${r.url}`)
+            .join("\n\n");
+        }
+
         deps.onEvent({
           type: "tool_result",
-          toolName: "",
-          result: "",
+          toolName: "web_search",
+          result: resultText,
           isError: event.isError,
           conversationId: deps.ctx.conversationId,
           toolUseId: event.toolUseId,