@vellumai/assistant 0.6.2 → 0.6.3

package/src/runtime/routes/skills-routes.ts

@@ -19,6 +19,7 @@ import {
   draftSkill,
   enableSkill,
   getSkill,
+  getSkillFileContent,
   getSkillFiles,
   inspectSkill,
   installSkill,
@@ -151,6 +152,55 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
       },
     },
 
+    // The router uses strict anchored-regex matching, so this route is never
+    // ambiguous with skills/:id/files.
+    {
+      endpoint: "skills/:id/files/content",
+      method: "GET",
+      policyKey: "skills",
+      summary: "Get skill file content",
+      description:
+        "Return the content of a single file belonging to an installed or catalog skill.",
+      tags: ["skills"],
+      queryParams: [
+        {
+          name: "path",
+          schema: { type: "string" },
+          required: true,
+          description: "Relative path of the file within the skill directory",
+        },
+      ],
+      responseBody: z.object({
+        path: z.string(),
+        name: z.string(),
+        size: z.number().int(),
+        mimeType: z.string(),
+        isBinary: z.boolean(),
+        content: z.string().nullable(),
+      }),
+      handler: async ({ params, url }) => {
+        const path = url.searchParams.get("path");
+        if (!path) {
+          return httpError(
+            "BAD_REQUEST",
+            "path query parameter is required",
+            400,
+          );
+        }
+        const result = await getSkillFileContent(params.id, path, ctx());
+        if ("error" in result) {
+          if (result.status === 400) {
+            return httpError("BAD_REQUEST", result.error, 400);
+          }
+          if (result.status === 404) {
+            return httpError("NOT_FOUND", result.error, 404);
+          }
+          return httpError("INTERNAL_ERROR", result.error, 500);
+        }
+        return Response.json(result);
+      },
+    },
+
     {
       endpoint: "skills/:id/files",
       method: "GET",
@@ -158,8 +208,8 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
       summary: "Get skill files",
       description: "Return skill metadata and directory contents.",
       tags: ["skills"],
-      handler: ({ params }) => {
-        const result = getSkillFiles(params.id, ctx());
+      handler: async ({ params }) => {
+        const result = await getSkillFiles(params.id, ctx());
         if ("error" in result) {
           if (result.status === 404) {
             return httpError("NOT_FOUND", result.error, 404);

package/src/runtime/routes/subagents-routes.ts

@@ -7,7 +7,7 @@
  */
 import { z } from "zod";
 
-import { getMessages } from "../../memory/conversation-crud.js";
+import { getMessages, type MessageRow } from "../../memory/conversation-crud.js";
 import { getSubagentManager } from "../../subagent/index.js";
 import { getLogger } from "../../util/logger.js";
 import { httpError } from "../http-errors.js";
@@ -31,16 +31,25 @@ export interface SubagentDetailResult {
     content: string;
     toolName?: string;
     isError?: boolean;
+    messageId?: string;
   }>;
 }
 
+const FORK_DIRECTIVE_RE =
+  /^⎯⎯⎯ FORK TASK ⎯⎯⎯\n[\s\S]*?Complete this task directly and return only your findings:\n\n([\s\S]*?)\n⎯⎯⎯+$/;
+
+function stripForkDirectiveFraming(text: string): string {
+  const match = FORK_DIRECTIVE_RE.exec(text);
+  return match ? match[1] : text;
+}
+
 /**
  * Parse raw message rows into subagent detail events. Extracted as a pure
  * function so it can be unit-tested without a database.
  */
 export function parseSubagentMessages(
   subagentId: string,
-  messages: Array<{ role: string; content: string }>,
+  messages: MessageRow[],
 ): SubagentDetailResult {
   // Extract objective from the first user message
   let objective: string | undefined;
@@ -53,7 +62,7 @@ export function parseSubagentMessages(
           (b: Record<string, unknown>) => isRecord(b) && b.type === "text",
         );
         if (textBlock && typeof textBlock.text === "string") {
-          objective = textBlock.text;
+          objective = stripForkDirectiveFraming(textBlock.text);
         }
       }
     } catch {
@@ -62,12 +71,7 @@ export function parseSubagentMessages(
   }
 
   // Extract events from both assistant and user messages.
-  const events: Array<{
-    type: string;
-    content: string;
-    toolName?: string;
-    isError?: boolean;
-  }> = [];
+  const events: SubagentDetailResult["events"] = [];
   const pendingTools = new Map<string, string>();
   for (const m of messages) {
     if (m.role !== "assistant" && m.role !== "user") continue;
@@ -86,7 +90,7 @@ export function parseSubagentMessages(
         block.type === "text" &&
         typeof block.text === "string"
       ) {
-        events.push({ type: "text", content: block.text });
+        events.push({ type: "text", content: block.text, messageId: m.id });
       } else if (block.type === "tool_use") {
         const name = typeof block.name === "string" ? block.name : "unknown";
         const input = isRecord(block.input)

package/src/runtime/routes/usage-routes.ts

@@ -3,7 +3,7 @@
  *
  * GET /v1/usage/totals?from=&to=              — aggregate totals for a time range
  * GET /v1/usage/daily?from=&to=               — per-day buckets for a time range
- * GET /v1/usage/breakdown?from=&to=&groupBy=  — grouped breakdown (actor, provider, model)
+ * GET /v1/usage/breakdown?from=&to=&groupBy=  — grouped breakdown (actor, provider, model, or conversation)
  */
 
 import { z } from "zod";
@@ -17,7 +17,7 @@ import {
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 
-const VALID_GROUP_BY = new Set(["actor", "provider", "model"]);
+const VALID_GROUP_BY = new Set(["actor", "provider", "model", "conversation"]);
 
 /**
  * Parse and validate the `from` and `to` epoch-millis query parameters.
@@ -137,7 +137,7 @@ export function usageRouteDefinitions(): RouteDefinition[] {
       method: "GET",
       summary: "Get usage breakdown",
       description:
-        "Return grouped usage breakdown (by actor, provider, or model).",
+        "Return grouped usage breakdown (by actor, provider, model, or conversation).",
       tags: ["usage"],
       queryParams: [
         {
@@ -153,7 +153,8 @@ export function usageRouteDefinitions(): RouteDefinition[] {
         {
           name: "groupBy",
           schema: { type: "string" },
-          description: "Group by: actor, provider, or model (required)",
+          description:
+            "Group by: actor, provider, model, or conversation (required)",
         },
       ],
       responseBody: z.object({
@@ -167,21 +168,21 @@ export function usageRouteDefinitions(): RouteDefinition[] {
         if (!groupBy) {
           return httpError(
             "BAD_REQUEST",
-            'Missing required query parameter: "groupBy" (one of: actor, provider, model)',
+            'Missing required query parameter: "groupBy" (one of: actor, provider, model, conversation)',
             400,
           );
         }
         if (!VALID_GROUP_BY.has(groupBy)) {
           return httpError(
             "BAD_REQUEST",
-            `Invalid "groupBy" value: "${groupBy}". Must be one of: actor, provider, model`,
+            `Invalid "groupBy" value: "${groupBy}". Must be one of: actor, provider, model, conversation`,
             400,
           );
         }
 
         const breakdown = getUsageGroupBreakdown(
           range,
-          groupBy as "actor" | "provider" | "model",
+          groupBy as "actor" | "provider" | "model" | "conversation",
         );
         return Response.json({ breakdown });
       },

package/src/runtime/routes/workspace-routes.test.ts

@@ -190,6 +190,28 @@ describe("isTextMimeType", () => {
     // A binary plist has a specific MIME type — extension should not override it
     expect(isTextMimeType("application/x-plist", "Info.plist")).toBe(false);
   });
+
+  test("application/octet-stream with .jsonl filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "messages.jsonl")).toBe(
+      true,
+    );
+  });
+
+  test("application/octet-stream with .ndjson filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "events.ndjson")).toBe(
+      true,
+    );
+  });
+
+  test("application/octet-stream with .JSONL uppercase is text", () => {
+    expect(isTextMimeType("application/octet-stream", "DATA.JSONL")).toBe(true);
+  });
+
+  test("application/octet-stream with .NDJSON uppercase is text", () => {
+    expect(isTextMimeType("application/octet-stream", "DATA.NDJSON")).toBe(
+      true,
+    );
+  });
 });
 
 // ===========================================================================

package/src/runtime/routes/workspace-routes.ts

@@ -120,7 +120,14 @@ function handleWorkspaceFile(ctx: RouteContext): Response {
   }
 
   const mimeType = Bun.file(resolved).type;
-  const isText = isTextMimeType(mimeType, basename(resolved));
+  // Empty files with unknown MIME type default to text — there is no binary
+  // content to protect, and files created via the UI "New File" action are
+  // always 0 bytes. Without this override, extensionless files (e.g. "Test")
+  // would be classified as binary and rendered in a non-editable fallback view.
+  const isText =
+    stat.size === 0 && mimeType === "application/octet-stream"
+      ? true
+      : isTextMimeType(mimeType, basename(resolved));
   const isBinary = !isText;
 
   let content: string | undefined = undefined;

package/src/runtime/routes/workspace-utils.ts

@@ -159,6 +159,8 @@ const TEXT_FILE_EXTENSIONS = new Set([
   "patch",
   "log",
   "lock",
+  "jsonl",
+  "ndjson",
 ]);
 
 export function isTextMimeType(mimeType: string, fileName?: string): boolean {

package/src/schedule/scheduler.ts

@@ -23,6 +23,7 @@ const log = getLogger("scheduler");
 
 export interface ScheduleMessageOptions {
   trustClass?: "guardian" | "trusted_contact" | "unknown";
+  taskRunId?: string;
 }
 
 export type ScheduleMessageProcessor = (
@@ -196,11 +197,12 @@ async function runScheduleOnce(
             source: "schedule",
             scheduleJobId: job.id,
           },
-          processMessage as (
-            conversationId: string,
-            message: string,
-            taskRunId: string,
-          ) => Promise<void>,
+          async (conversationId, message, taskRunId) => {
+            await processMessage(conversationId, message, {
+              trustClass: "guardian",
+              taskRunId,
+            });
+          },
         );
 
         onScheduleConversationCreated?.({

package/src/security/ces-credential-client.ts

@@ -190,6 +190,26 @@ export class CesCredentialBackend implements CredentialBackend {
     }
   }
 
+  async bulkSet(
+    credentials: Array<{ account: string; value: string }>,
+  ): Promise<Array<{ account: string; ok: boolean }>> {
+    try {
+      const res = await cesRequest("POST", "/v1/credentials/bulk", {
+        credentials,
+      });
+      if (!res?.ok) {
+        return credentials.map((c) => ({ account: c.account, ok: false }));
+      }
+      const data = (await res.json()) as {
+        results: Array<{ account: string; ok: boolean }>;
+      };
+      return data.results;
+    } catch (err) {
+      log.warn({ err }, "CES credential bulk set threw unexpectedly");
+      return credentials.map((c) => ({ account: c.account, ok: false }));
+    }
+  }
+
   async list(): Promise<CredentialListResult> {
     try {
       const res = await cesRequest("GET", "/v1/credentials");

package/src/security/ces-rpc-credential-backend.ts

@@ -86,4 +86,21 @@ export class CesRpcCredentialBackend implements CredentialBackend {
       return { accounts: [], unreachable: true };
     }
   }
+
+  async bulkSet(
+    credentials: Array<{ account: string; value: string }>,
+  ): Promise<Array<{ account: string; ok: boolean }>> {
+    if (!this.isAvailable()) {
+      return credentials.map((c) => ({ account: c.account, ok: false }));
+    }
+    try {
+      const result = await this.client.call(CesRpcMethod.BulkSetCredentials, {
+        credentials,
+      });
+      return result.results;
+    } catch (err) {
+      log.warn({ err }, "CES RPC bulk credential set failed");
+      return credentials.map((c) => ({ account: c.account, ok: false }));
+    }
+  }
 }

package/src/security/credential-backend.ts

@@ -47,6 +47,11 @@ export interface CredentialBackend {
 
   /** List all account names. */
   list(): Promise<CredentialListResult>;
+
+  /** Bulk-set multiple credentials. Optional — backends without native bulk support omit this. */
+  bulkSet?(
+    credentials: Array<{ account: string; value: string }>,
+  ): Promise<Array<{ account: string; ok: boolean }>>;
 }
 
 // ---------------------------------------------------------------------------

package/src/security/oauth2.ts

@@ -33,13 +33,13 @@ export type TokenEndpointAuthMethod =
   | "client_secret_post";
 
 export interface OAuth2Config {
-  authUrl: string;
-  tokenUrl: string;
+  authorizeUrl: string;
+  tokenExchangeUrl: string;
   scopes: string[];
   clientId: string;
   /** Client secret for providers that require it (e.g. Slack). PKCE is always used regardless. */
   clientSecret?: string;
-  extraParams?: Record<string, string>;
+  authorizeParams?: Record<string, string>;
   /** URL to fetch user identity info after OAuth. If omitted, account info is not fetched. */
   userinfoUrl?: string;
   /**
@@ -49,6 +49,13 @@ export interface OAuth2Config {
    * Defaults to `client_secret_post`.
    */
   tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
+  /**
+   * Separator used to join scopes in the authorize URL and split the
+   * granted-scope string returned by the token endpoint. Defaults to
+   * `" "` (space) per the OAuth 2.0 spec, but providers like Linear
+   * use `","` (comma).
+   */
+  scopeSeparator: string;
 }
 
 export interface OAuth2TokenResult {
@@ -130,7 +137,7 @@ async function exchangeCodeForTokens(
     }
   }
 
-  const tokenResp = await fetch(config.tokenUrl, {
+  const tokenResp = await fetch(config.tokenExchangeUrl, {
     method: "POST",
     headers,
     body: new URLSearchParams(tokenBody),
@@ -187,9 +194,19 @@ async function exchangeCodeForTokens(
       (tokenData.token_type as string | undefined),
   };
 
+  // Defensive split: providers (e.g. GitHub, Slack) may return comma-separated
+  // scopes in token responses regardless of the scope_separator used to join
+  // outbound authorize URLs, so we tolerate both spaces and commas here. When
+  // a provider explicitly configures a non-default separator (e.g. Linear uses
+  // ","), we honor that to keep symmetric round-tripping of configured scopes.
+  const splitPattern =
+    config.scopeSeparator === " " ? /[ ,]/ : config.scopeSeparator;
   const grantedScopes =
     typeof tokens.scope === "string"
-      ? tokens.scope.split(/[ ,]/).filter(Boolean)
+      ? tokens.scope
+          .split(splitPattern)
+          .map((s) => s.trim())
+          .filter(Boolean)
       : [...config.scopes];
 
   return { tokens, grantedScopes, rawTokenResponse: tokenData };
@@ -228,18 +245,18 @@ async function runGatewayFlow(
   });
 
   const authParams = new URLSearchParams({
-    ...config.extraParams,
+    ...config.authorizeParams,
     client_id: config.clientId,
     redirect_uri: redirectUri,
     response_type: "code",
-    scope: config.scopes.join(" "),
+    scope: config.scopes.join(config.scopeSeparator),
     state,
     code_challenge: codeChallenge,
     code_challenge_method: "S256",
   });
 
-  const authUrl = `${config.authUrl}?${authParams}`;
-  callbacks.openUrl(authUrl);
+  const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
+  callbacks.openUrl(authorizeUrl);
 
   const code = await codePromise;
 
@@ -401,22 +418,22 @@ function startLoopbackServerAndWaitForCode(
       );
 
       const authParams = new URLSearchParams({
-        ...config.extraParams,
+        ...config.authorizeParams,
         client_id: config.clientId,
         redirect_uri: boundRedirectUri,
         response_type: "code",
-        scope: config.scopes.join(" "),
+        scope: config.scopes.join(config.scopeSeparator),
         state,
         code_challenge: codeChallenge,
         code_challenge_method: "S256",
       });
 
-      const authUrl = `${config.authUrl}?${authParams}`;
+      const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
       log.info(
-        { authUrlLength: authUrl.length, state },
+        { authorizeUrlLength: authorizeUrl.length, state },
         "oauth2 loopback: built auth URL, calling openUrl callback",
       );
-      callbacks.openUrl(authUrl);
+      callbacks.openUrl(authorizeUrl);
       log.info("oauth2 loopback: openUrl callback returned");
     });
 
@@ -439,7 +456,7 @@ function startLoopbackServerAndWaitForCode(
 // ---------------------------------------------------------------------------
 
 export interface OAuth2PreparedFlow {
-  authUrl: string;
+  authorizeUrl: string;
   state: string;
   /** Resolves when the user completes authorization and tokens are exchanged. */
   completion: Promise<OAuth2FlowResult>;
@@ -493,17 +510,17 @@ export async function prepareOAuth2Flow(
   });
 
   const authParams = new URLSearchParams({
-    ...config.extraParams,
+    ...config.authorizeParams,
     client_id: config.clientId,
     redirect_uri: redirectUri,
     response_type: "code",
-    scope: config.scopes.join(" "),
+    scope: config.scopes.join(config.scopeSeparator),
     state,
     code_challenge: codeChallenge,
     code_challenge_method: "S256",
   });
 
-  const authUrl = `${config.authUrl}?${authParams}`;
+  const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
 
   const completion = codePromise.then(async (code) => {
     return await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
@@ -511,7 +528,7 @@ export async function prepareOAuth2Flow(
 
   log.debug({ transport: "gateway", state }, "Prepared deferred OAuth2 flow");
 
-  return { authUrl, state, completion };
+  return { authorizeUrl, state, completion };
 }
 
 /**
@@ -533,17 +550,17 @@ async function prepareLoopbackFlow(
   );
 
   const authParams = new URLSearchParams({
-    ...config.extraParams,
+    ...config.authorizeParams,
     client_id: config.clientId,
     redirect_uri: redirectUri,
     response_type: "code",
-    scope: config.scopes.join(" "),
+    scope: config.scopes.join(config.scopeSeparator),
     state,
     code_challenge: codeChallenge,
     code_challenge_method: "S256",
   });
 
-  const authUrl = `${config.authUrl}?${authParams}`;
+  const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
 
   const completion = codePromise.then(async (code) => {
     return await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
@@ -554,7 +571,7 @@ async function prepareLoopbackFlow(
     "Prepared deferred OAuth2 flow (loopback)",
   );
 
-  return { authUrl, state, completion };
+  return { authorizeUrl, state, completion };
 }
 
 /**
@@ -763,7 +780,7 @@ export async function startOAuth2Flow(
  * Supports both PKCE (no secret) and client_secret flows.
  */
 export async function refreshOAuth2Token(
-  tokenUrl: string,
+  tokenExchangeUrl: string,
   clientId: string,
   refreshToken: string,
   clientSecret?: string,
@@ -792,7 +809,7 @@ export async function refreshOAuth2Token(
     }
   }
 
-  const resp = await fetch(tokenUrl, {
+  const resp = await fetch(tokenExchangeUrl, {
     method: "POST",
     headers,
     body: new URLSearchParams(body),