@vellumai/assistant 0.6.2 → 0.6.3

package/src/runtime/routes/host-browser-routes.ts

@@ -0,0 +1,279 @@
+/**
+ * Route handler for host browser result submissions.
+ *
+ * Resolves pending host browser proxy requests by requestId when the desktop
+ * client returns CDP results via HTTP.
+ */
+import { z } from "zod";
+
+import {
+  markTargetInvalidated,
+  publishCdpEvent,
+} from "../../browser-session/events.js";
+import { requireBoundGuardian } from "../auth/require-bound-guardian.js";
+import type { AuthContext } from "../auth/types.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+import * as pendingInteractions from "../pending-interactions.js";
+
+/**
+ * Result of attempting to resolve a host browser result frame. Used by both
+ * the HTTP endpoint and the WS relay path so they share the same validation
+ * and resolution semantics.
+ *
+ * Success → the pending interaction was consumed and the conversation (or
+ * CLI shim callback) was notified.
+ *
+ * Error variants mirror the HTTP status codes the `/v1/host-browser-result`
+ * endpoint returns, so the caller can log/translate them consistently.
+ */
+export type HostBrowserResultResolution =
+  | { ok: true }
+  | {
+      ok: false;
+      code: "BAD_REQUEST" | "NOT_FOUND" | "CONFLICT";
+      status: 400 | 404 | 409;
+      message: string;
+    };
+
+/**
+ * Shared resolver used by both the HTTP route handler and the WS
+ * `host_browser_result` frame handler. Looks up the pending interaction
+ * by requestId, validates its kind, and forwards the response to the
+ * owning conversation (or CLI shim callback).
+ *
+ * This function does NOT perform auth — callers are expected to have
+ * already authenticated the caller (the HTTP route uses
+ * `requireBoundGuardian`, the WS path relies on the JWT check performed
+ * at WebSocket upgrade time).
+ */
+export function resolveHostBrowserResultByRequestId(frame: {
+  requestId?: unknown;
+  content?: unknown;
+  isError?: unknown;
+}): HostBrowserResultResolution {
+  const { requestId, content, isError } = frame;
+
+  if (!requestId || typeof requestId !== "string") {
+    return {
+      ok: false,
+      code: "BAD_REQUEST",
+      status: 400,
+      message: "requestId is required",
+    };
+  }
+
+  // Peek first (non-destructive) so we can validate the interaction kind
+  // without accidentally consuming a confirmation or secret interaction.
+  const peeked = pendingInteractions.get(requestId);
+  if (!peeked) {
+    return {
+      ok: false,
+      code: "NOT_FOUND",
+      status: 404,
+      message: "No pending interaction found for this requestId",
+    };
+  }
+
+  if (peeked.kind !== "host_browser") {
+    return {
+      ok: false,
+      code: "CONFLICT",
+      status: 409,
+      message: `Pending interaction is of kind "${peeked.kind}", expected "host_browser"`,
+    };
+  }
+
+  // Validation passed — consume the pending interaction.
+  const interaction = pendingInteractions.resolve(requestId)!;
+
+  const normalizedContent = typeof content === "string" ? content : "";
+  const normalizedIsError = typeof isError === "boolean" ? isError : false;
+
+  // CLI shim path: pending interactions registered by /v1/browser-cdp carry
+  // a directBrowserResolve callback and are not bound to a Conversation.
+  // Resolve them in place without touching the conversation object.
+  if (interaction.directBrowserResolve) {
+    interaction.directBrowserResolve({
+      content: normalizedContent,
+      isError: normalizedIsError,
+    });
+    return { ok: true };
+  }
+
+  // The host_browser kind always has a conversation attached at register time
+  // (HostBrowserProxy.request wires it through), so this guard exists so a
+  // future refactor of pending-interactions can change the type without
+  // silently breaking the host_browser path. Prefer an explicit error over an
+  // optional-chain no-op that would leave the proxy request unresolved.
+  if (!interaction.conversation) {
+    return {
+      ok: false,
+      code: "BAD_REQUEST",
+      status: 400,
+      message:
+        "host_browser pending interaction has no associated conversation",
+    };
+  }
+
+  interaction.conversation.resolveHostBrowser(requestId, {
+    content: normalizedContent,
+    isError: normalizedIsError,
+  });
+
+  return { ok: true };
+}
+
+/**
+ * Result of attempting to resolve a `host_browser_event` frame. The
+ * event surface never fails — every well-formed frame is published
+ * to the runtime-side CDP event bus — so the resolution is either
+ * `ok: true` or a `BAD_REQUEST` when the frame is malformed. Kept as
+ * a discriminated union (rather than `void`) so the WS dispatcher
+ * can log rejected frames with a consistent shape.
+ */
+export type HostBrowserEventResolution =
+  | { ok: true }
+  | {
+      ok: false;
+      code: "BAD_REQUEST";
+      status: 400;
+      message: string;
+    };
+
+/**
+ * Shared resolver for `host_browser_event` envelopes. Publishes the
+ * event into the module-level browser-session event bus where
+ * runtime-side consumers can subscribe. Validation is intentionally
+ * minimal — the frame is opaque to the bus and the bus's listeners
+ * are the ones that care about params shape.
+ */
+export function resolveHostBrowserEvent(frame: {
+  method?: unknown;
+  params?: unknown;
+  cdpSessionId?: unknown;
+}): HostBrowserEventResolution {
+  const { method, params, cdpSessionId } = frame;
+
+  if (!method || typeof method !== "string") {
+    return {
+      ok: false,
+      code: "BAD_REQUEST",
+      status: 400,
+      message: "method is required",
+    };
+  }
+
+  publishCdpEvent({
+    method,
+    params,
+    cdpSessionId:
+      typeof cdpSessionId === "string" && cdpSessionId.length > 0
+        ? cdpSessionId
+        : undefined,
+  });
+
+  return { ok: true };
+}
+
+/**
+ * Result of attempting to resolve a `host_browser_session_invalidated`
+ * frame. Mirrors {@link HostBrowserEventResolution} — publishing into
+ * the invalidated-target registry never fails, so the resolution is
+ * either `ok: true` or a `BAD_REQUEST` on a malformed frame.
+ */
+export type HostBrowserSessionInvalidatedResolution =
+  | { ok: true }
+  | {
+      ok: false;
+      code: "BAD_REQUEST";
+      status: 400;
+      message: string;
+    };
+
+/**
+ * Shared resolver for `host_browser_session_invalidated` envelopes.
+ * Marks the target as invalidated in the runtime-side registry; the
+ * next `BrowserSessionManager.send()` against that target will
+ * evict the stale session and force the owning tool to reattach.
+ *
+ * A frame without a `targetId` is tolerated (some detach notifications
+ * carry only a `reason`) but logged at info because it is less
+ * actionable than a targeted invalidation — the caller can still
+ * subscribe to the event bus to observe the signal.
+ */
+export function resolveHostBrowserSessionInvalidated(frame: {
+  targetId?: unknown;
+  reason?: unknown;
+}): HostBrowserSessionInvalidatedResolution {
+  const { targetId, reason } = frame;
+
+  if (targetId !== undefined && typeof targetId !== "string") {
+    return {
+      ok: false,
+      code: "BAD_REQUEST",
+      status: 400,
+      message: "targetId must be a string when present",
+    };
+  }
+
+  if (typeof targetId === "string" && targetId.length > 0) {
+    markTargetInvalidated(
+      targetId,
+      typeof reason === "string" ? reason : undefined,
+    );
+  }
+
+  return { ok: true };
+}
+
+/**
+ * POST /v1/host-browser-result — resolve a pending host browser request by requestId.
+ * Requires AuthContext with guardian-bound actor.
+ */
+export async function handleHostBrowserResult(
+  req: Request,
+  authContext: AuthContext,
+): Promise<Response> {
+  const authError = requireBoundGuardian(authContext);
+  if (authError) return authError;
+
+  const body = (await req.json()) as {
+    requestId?: string;
+    content?: string;
+    isError?: boolean;
+  };
+
+  const resolution = resolveHostBrowserResultByRequestId(body);
+  if (!resolution.ok) {
+    return httpError(resolution.code, resolution.message, resolution.status);
+  }
+
+  return Response.json({ accepted: true });
+}
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function hostBrowserRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "host-browser-result",
+      method: "POST",
+      summary: "Submit host browser result",
+      description: "Resolve a pending host browser request by requestId.",
+      tags: ["host"],
+      requestBody: z.object({
+        requestId: z.string().describe("Pending browser request ID"),
+        content: z.string().optional(),
+        isError: z.boolean().optional(),
+      }),
+      responseBody: z.object({
+        accepted: z.boolean(),
+      }),
+      handler: async ({ req, authContext }) =>
+        handleHostBrowserResult(req, authContext),
+    },
+  ];
+}

package/src/runtime/routes/host-file-routes.ts

@@ -27,9 +27,10 @@ export async function handleHostFileResult(
     requestId?: string;
     content?: string;
     isError?: boolean;
+    imageData?: string;
   };
 
-  const { requestId, content, isError } = body;
+  const { requestId, content, isError, imageData } = body;
 
   if (!requestId || typeof requestId !== "string") {
     return httpError("BAD_REQUEST", "requestId is required", 400);
@@ -60,6 +61,7 @@ export async function handleHostFileResult(
   interaction.conversation!.resolveHostFile(requestId, {
     content: content ?? "",
     isError: isError ?? false,
+    imageData,
   });
 
   return Response.json({ accepted: true });
@@ -87,6 +89,12 @@ export function hostFileRouteDefinitions(): RouteDefinition[] {
           .boolean()
           .describe("Whether the result is an error")
           .optional(),
+        imageData: z
+          .string()
+          .describe(
+            "Optional base64-encoded image bytes for successful image reads",
+          )
+          .optional(),
       }),
       responseBody: z.object({
         accepted: z.boolean(),

package/src/runtime/routes/identity-routes.ts

@@ -3,12 +3,13 @@
  */
 
 import { existsSync, readFileSync, statfsSync, statSync } from "node:fs";
-import { cpus, totalmem } from "node:os";
+import { availableParallelism, cpus, totalmem } from "node:os";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import { z } from "zod";
 
+import { getCpuLimit, getIsPlatform } from "../../config/env-registry.js";
 import { parseIdentityFields } from "../../daemon/handlers/identity.js";
 import { getProfilerRuntimeStatus } from "../../daemon/profiler-run-store.js";
 import { getMaxMigrationVersion } from "../../memory/migrations/registry.js";
@@ -54,10 +55,60 @@ interface MemoryInfo {
   maxMb: number;
 }
 
-// Read the container memory limit from cgroups if available, falling back to host total.
-// cgroups v2: /sys/fs/cgroup/memory.max (returns "max" when unlimited)
-// cgroups v1: /sys/fs/cgroup/memory/memory.limit_in_bytes (large sentinel when unlimited)
+/**
+ * Parse a Kubernetes-style memory string (e.g. "3Gi", "512Mi", "1G") into bytes.
+ * Returns null if the value is not a recognized format.
+ */
+function parseK8sMemoryBytes(value: string): number | null {
+  const match = value
+    .trim()
+    .match(/^(\d+(?:\.\d+)?)\s*(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E|m)?$/);
+  if (!match) return null;
+  const num = parseFloat(match[1]);
+  const unit = match[2] ?? "";
+  const multipliers: Record<string, number> = {
+    "": 1,
+    m: 1e-3,
+    k: 1e3,
+    M: 1e6,
+    G: 1e9,
+    T: 1e12,
+    P: 1e15,
+    E: 1e18,
+    Ki: 1024,
+    Mi: 1024 ** 2,
+    Gi: 1024 ** 3,
+    Ti: 1024 ** 4,
+    Pi: 1024 ** 5,
+    Ei: 1024 ** 6,
+  };
+  const mult = multipliers[unit];
+  if (mult === undefined) return null;
+  const bytes = Math.round(num * mult);
+  return bytes > 0 ? bytes : null;
+}
+
+/**
+ * Read the memory limit from the VELLUM_MEMORY_LIMIT env var (K8s resource format),
+ * then fall back to cgroups, then to os.totalmem().
+ *
+ * In platform mode the container runs under gVisor where cgroup files may report
+ * the node's memory rather than the container limit. VELLUM_MEMORY_LIMIT is set
+ * by the StatefulSet template to the exact K8s memory limit (e.g. "3Gi").
+ */
 function getContainerMemoryLimitBytes(): number | null {
+  // 1. Prefer the explicit env var set by the platform StatefulSet template.
+  try {
+    const envLimit = process.env.VELLUM_MEMORY_LIMIT;
+    if (envLimit) {
+      const parsed = parseK8sMemoryBytes(envLimit);
+      if (parsed !== null) return parsed;
+    }
+  } catch {
+    /* env var parsing failed – fall through to cgroups */
+  }
+
+  // 2. Try cgroups v2.
   try {
     const v2 = readFileSync("/sys/fs/cgroup/memory.max", "utf-8").trim();
     if (v2 !== "max") {
@@ -67,6 +118,8 @@ function getContainerMemoryLimitBytes(): number | null {
   } catch {
     /* not available */
   }
+
+  // 3. Try cgroups v1.
   try {
     const v1 = readFileSync(
       "/sys/fs/cgroup/memory/memory.limit_in_bytes",
@@ -81,10 +134,56 @@ function getContainerMemoryLimitBytes(): number | null {
   return null;
 }
 
+/**
+ * Read the container's current memory usage from cgroup files.
+ *
+ * Tries cgroups v2 (`memory.current`) first, then cgroups v1
+ * (`memory/memory.usage_in_bytes`), mirroring the v2-then-v1 fallback used by
+ * `getContainerMemoryLimitBytes`. Returns null if neither file is available
+ * or readable.
+ *
+ * Unlike the limit lookup, no env-var override is needed: the gVisor issue
+ * that motivates VELLUM_MEMORY_LIMIT is specifically about the *limit* files
+ * exposing the host node's memory instead of the sandbox limit. The *usage*
+ * files (memory.current / memory.usage_in_bytes) reflect the sandbox's own
+ * accounting and are accurate under gVisor.
+ */
+function getContainerMemoryUsageBytes(): number | null {
+  // 1. Try cgroups v2.
+  try {
+    const v2 = readFileSync("/sys/fs/cgroup/memory.current", "utf-8").trim();
+    const bytes = parseInt(v2, 10);
+    if (!isNaN(bytes) && bytes > 0) return bytes;
+  } catch {
+    /* not available */
+  }
+
+  // 2. Try cgroups v1.
+  try {
+    const v1 = readFileSync(
+      "/sys/fs/cgroup/memory/memory.usage_in_bytes",
+      "utf-8",
+    ).trim();
+    const bytes = parseInt(v1, 10);
+    if (!isNaN(bytes) && bytes > 0) return bytes;
+  } catch {
+    /* not available */
+  }
+  return null;
+}
+
 function getMemoryInfo(): MemoryInfo {
   const bytesToMb = (b: number) => Math.round((b / (1024 * 1024)) * 100) / 100;
+  // In platform-managed mode the daemon shares its Node process with whatever
+  // the container is doing as a whole; `process.memoryUsage().rss` only sees
+  // this process's resident set, which understates the container footprint
+  // operators care about. Read the cgroup usage file directly so /v1/health
+  // matches what the StatefulSet's memory limit is enforced against.
+  const currentBytes =
+    (getIsPlatform() ? getContainerMemoryUsageBytes() : null) ??
+    process.memoryUsage().rss;
   return {
-    currentMb: bytesToMb(process.memoryUsage().rss),
+    currentMb: bytesToMb(currentBytes),
     maxMb: bytesToMb(getContainerMemoryLimitBytes() ?? totalmem()),
   };
 }
@@ -94,36 +193,180 @@ interface CpuInfo {
   maxCores: number;
 }
 
+/**
+ * Parse a Kubernetes-style CPU string (e.g. "2000m", "1", "500m") into
+ * fractional cores. Returns null if the value is not a recognized format.
+ */
+function parseK8sCpuCores(value: string): number | null {
+  const trimmed = value.trim();
+  const milliMatch = trimmed.match(/^(\d+)m$/);
+  if (milliMatch) {
+    const millis = parseInt(milliMatch[1], 10);
+    return millis > 0 ? millis / 1000 : null;
+  }
+  if (/^\d+(\.\d+)?$/.test(trimmed)) {
+    const num = parseFloat(trimmed);
+    return !isNaN(num) && num > 0 ? num : null;
+  }
+  return null;
+}
+
+/**
+ * Read the container's CPU core limit.
+ *
+ * Resolution order:
+ * 1. VELLUM_CPU_LIMIT env var (K8s resource format, e.g. "2000m" or "2").
+ *    In platform mode the container runs under gVisor where cgroup files may
+ *    report the node's CPU count rather than the sandbox limit.
+ * 2. cgroups v2 cpu.max (quota / period → fractional cores).
+ * 3. cgroups v1 cpu.cfs_quota_us / cpu.cfs_period_us.
+ * 4. os.cpus().length as last resort.
+ */
+function getContainerCpuCores(): number {
+  // 1. Prefer the explicit env var set by the platform StatefulSet template.
+  try {
+    const envLimit = getCpuLimit();
+    if (envLimit) {
+      const parsed = parseK8sCpuCores(envLimit);
+      if (parsed !== null) return parsed;
+    }
+  } catch {
+    /* env var parsing failed – fall through */
+  }
+
+  // 2. Try cgroups v2: /sys/fs/cgroup/cpu.max contains "$MAX $PERIOD".
+  try {
+    const raw = readFileSync("/sys/fs/cgroup/cpu.max", "utf-8").trim();
+    if (!raw.startsWith("max")) {
+      const parts = raw.split(/\s+/);
+      const quota = parseInt(parts[0], 10);
+      const period = parseInt(parts[1], 10);
+      if (!isNaN(quota) && !isNaN(period) && period > 0 && quota > 0) {
+        const cores = quota / period;
+        // Sanity check: if the value looks like the node's full CPU count
+        // and we're on a platform pod, it's likely gVisor leaking the host value.
+        if (cores < cpus().length * 0.9 || !getIsPlatform()) {
+          return cores;
+        }
+      }
+    }
+  } catch {
+    /* not available */
+  }
+
+  // 3. Try cgroups v1.
+  try {
+    const quota = parseInt(
+      readFileSync("/sys/fs/cgroup/cpu/cpu.cfs_quota_us", "utf-8").trim(),
+      10,
+    );
+    const period = parseInt(
+      readFileSync("/sys/fs/cgroup/cpu/cpu.cfs_period_us", "utf-8").trim(),
+      10,
+    );
+    if (!isNaN(quota) && !isNaN(period) && period > 0 && quota > 0) {
+      const cores = quota / period;
+      if (cores < cpus().length * 0.9 || !getIsPlatform()) {
+        return cores;
+      }
+    }
+  } catch {
+    /* not available */
+  }
+
+  return cpus().length || availableParallelism();
+}
+
+/**
+ * Read the container's CPU usage from cgroup accounting files.
+ *
+ * Returns total CPU microseconds consumed by the container since boot.
+ * We use the delta between two samples to compute percentage.
+ */
+function getContainerCpuUsageUs(): number | null {
+  // cgroups v2: cpu.stat has a "usage_usec" line.
+  try {
+    const stat = readFileSync("/sys/fs/cgroup/cpu.stat", "utf-8");
+    for (const line of stat.split("\n")) {
+      if (line.startsWith("usage_usec")) {
+        const val = parseInt(line.split(/\s+/)[1], 10);
+        if (!isNaN(val) && val > 0) return val;
+      }
+    }
+  } catch {
+    /* not available */
+  }
+
+  // cgroups v1: cpuacct.usage is in nanoseconds.
+  try {
+    const ns = parseInt(
+      readFileSync("/sys/fs/cgroup/cpuacct/cpuacct.usage", "utf-8").trim(),
+      10,
+    );
+    if (!isNaN(ns) && ns > 0) return ns / 1000; // convert ns → µs
+  } catch {
+    /* not available */
+  }
+
+  return null;
+}
+
 // Track CPU usage over a rolling window so /v1/health reports near-real-time
 // utilization instead of a lifetime average (total CPU time / total uptime).
 const CPU_SAMPLE_INTERVAL_MS = 5_000;
-let _lastCpuUsage: NodeJS.CpuUsage = process.cpuUsage();
+let _lastProcessCpuUsage: NodeJS.CpuUsage = process.cpuUsage();
+let _lastCgroupCpuUs: number | null = getContainerCpuUsageUs();
 let _lastCpuTime: number = Date.now();
 let _cachedCpuPercent = 0;
 
 // Kick off the background sampler. unref() so it never prevents process exit.
 setInterval(() => {
   const now = Date.now();
-  const newUsage = process.cpuUsage();
   const elapsedMs = now - _lastCpuTime;
-  if (elapsedMs > 0) {
-    const deltaCpuUs =
-      newUsage.user -
-      _lastCpuUsage.user +
-      (newUsage.system - _lastCpuUsage.system);
-    const deltaCpuMs = deltaCpuUs / 1000;
-    const numCores = cpus().length;
+  if (elapsedMs <= 0) return;
+
+  const numCores = getContainerCpuCores();
+
+  // Always sample process-level CPU so the baseline stays fresh. This
+  // prevents a spike if the platform cgroup path later falls back to
+  // process.cpuUsage() after cgroup stats were previously available.
+  const newProcessUsage = process.cpuUsage();
+  const processDeltaUs =
+    newProcessUsage.user -
+    _lastProcessCpuUsage.user +
+    (newProcessUsage.system - _lastProcessCpuUsage.system);
+  _lastProcessCpuUsage = newProcessUsage;
+
+  if (getIsPlatform()) {
+    // In platform mode, prefer cgroup-level CPU usage so we see the full
+    // container footprint, not just this process.
+    const cgroupUs = getContainerCpuUsageUs();
+    if (cgroupUs !== null && _lastCgroupCpuUs !== null) {
+      const deltaCpuUs = cgroupUs - _lastCgroupCpuUs;
+      const deltaCpuMs = deltaCpuUs / 1000;
+      _cachedCpuPercent =
+        Math.round((deltaCpuMs / (elapsedMs * numCores)) * 10000) / 100;
+    } else {
+      // cgroup CPU stats unavailable (e.g. gVisor) – fall back to process-level.
+      const deltaCpuMs = processDeltaUs / 1000;
+      _cachedCpuPercent =
+        Math.round((deltaCpuMs / (elapsedMs * numCores)) * 10000) / 100;
+    }
+    _lastCgroupCpuUs = cgroupUs;
+  } else {
+    // Non-platform: use process.cpuUsage() (accurate for single-process mode).
+    const deltaCpuMs = processDeltaUs / 1000;
     _cachedCpuPercent =
       Math.round((deltaCpuMs / (elapsedMs * numCores)) * 10000) / 100;
   }
-  _lastCpuUsage = newUsage;
+
   _lastCpuTime = now;
 }, CPU_SAMPLE_INTERVAL_MS).unref();
 
 function getCpuInfo(): CpuInfo {
   return {
     currentPercent: _cachedCpuPercent,
-    maxCores: cpus().length,
+    maxCores: Math.ceil(getContainerCpuCores()),
   };
 }