@vellumai/assistant 0.6.2 → 0.6.3

package/src/tools/host-filesystem/write.ts

@@ -8,7 +8,7 @@ import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 class HostFileWriteTool implements Tool {
   name = "host_file_write";
   description =
-    "Write content to a file on the host filesystem, creating it if it does not exist. Not for workspace files under .vellum (use file_write instead).";
+    "Write content to a file on your guardian's device, creating it if it does not exist. For files on your own machine, use file_write instead.";
   category = "host-filesystem";
   defaultRiskLevel = RiskLevel.Medium;
 

package/src/tools/host-terminal/host-shell.ts

@@ -207,30 +207,35 @@ class HostShellTool implements Tool {
         detached: true,
       });
 
-      const timer = setTimeout(() => {
-        timedOut = true;
+      // Kill the entire process tree. Tries the process group first
+      // (negative PID), then falls back to killing the direct child if the
+      // PID is unavailable or the group kill fails.
+      const killTree = () => {
+        if (child.pid != null) {
+          try {
+            process.kill(-child.pid, "SIGKILL");
+            return;
+          } catch {
+            // Process group may have already exited — fall through.
+          }
+        }
         try {
-          process.kill(-child.pid!, "SIGKILL");
+          child.kill("SIGKILL");
         } catch {
-          // Process group may have already exited.
+          // Child may have already exited.
         }
+      };
+
+      const timer = setTimeout(() => {
+        timedOut = true;
+        killTree();
       }, timeoutMs);
 
       // Cooperative cancellation via AbortSignal
-      const onAbort = () => {
-        try {
-          process.kill(-child.pid!, "SIGKILL");
-        } catch {
-          // Process group may have already exited.
-        }
-      };
+      const onAbort = () => killTree();
       if (context.signal) {
         if (context.signal.aborted) {
-          try {
-            process.kill(-child.pid!, "SIGKILL");
-          } catch {
-            // Process group may have already exited.
-          }
+          killTree();
         } else {
           context.signal.addEventListener("abort", onAbort, { once: true });
         }

package/src/tools/permission-checker.ts

@@ -7,11 +7,14 @@ import {
   generateAllowlistOptions,
   generateScopeOptions,
 } from "../permissions/checker.js";
-import { getMode } from "../permissions/permission-mode-store.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import { addRule } from "../permissions/trust-store.js";
 import { RiskLevel } from "../permissions/types.js";
-import { isHostTool } from "../permissions/workspace-policy.js";
+import {
+  CONVERSATION_HOST_ACCESS_PROMPT,
+  evaluateV2ConsentDisposition,
+  isConversationHostAccessDecision,
+} from "../permissions/v2-consent-policy.js";
 import {
   getEffectiveMode,
   setConversationMode,
@@ -67,50 +70,29 @@ export class PermissionChecker {
         }
       | undefined,
   ): Promise<PermissionDecision> {
-    // ── permission-controls-v2 early gate ──────────────────────────────
-    // When the v2 flag is enabled, replace the entire risk-classification
-    // path with a simple binary check: is it a host tool + is host access
-    // enabled? Certain security gates (requireFreshApproval,
-    // forcePromptSideEffects, hostAccess=false) fall through to the v1
-    // prompt flow so the interactive prompter is engaged.
-    const cfg = getConfig();
     let v2ForcePrompt = false;
-    if (isAssistantFeatureFlagEnabled("permission-controls-v2", cfg)) {
-      // requireFreshApproval demands an interactive prompt every time —
-      // fall through to v1 so the prompter is engaged.
-      const needsFreshApproval = !!context.requireFreshApproval;
-
-      // forcePromptSideEffects (private conversations, untrusted actors)
-      // requires explicit approval for side-effect tools.
-      const needsSideEffectPrompt =
-        !!context.forcePromptSideEffects && isSideEffectTool(name, input);
-
-      if (!needsFreshApproval && !needsSideEffectPrompt) {
-        if (isHostTool(name)) {
-          const mode = getMode();
-          if (mode.hostAccess) {
-            return {
-              allowed: true,
-              decision: "allow",
-              riskLevel: RiskLevel.Low,
-            };
-          }
-          // Host tool with hostAccess disabled — fall through to v1 so the
-          // interactive prompter is engaged (returning allowed:false here
-          // would surface an error string instead of a permission dialog).
-          // The v2ForcePrompt flag ensures check()'s allow decision is
-          // promoted to prompt so the user sees a permission dialog.
-          v2ForcePrompt = true;
-        } else {
-          // Non-host tools are auto-allowed when v2 is on
-          return {
-            allowed: true,
-            decision: "allow",
-            riskLevel: RiskLevel.Low,
-          };
-        }
+    const cfg = getConfig();
+    const v2Enabled = isAssistantFeatureFlagEnabled(
+      "permission-controls-v2",
+      cfg,
+    );
+    if (v2Enabled) {
+      const v2Disposition = evaluateV2ConsentDisposition(name, input, context);
+      if (v2Disposition === "auto_allow") {
+        return {
+          allowed: true,
+          decision: "allow",
+          riskLevel: RiskLevel.Low,
+        };
+      }
+      if (v2Disposition === "prompt_host_access") {
+        // Host tool with hostAccess disabled — fall through to v1 so the
+        // interactive prompter is engaged (returning allowed:false here
+        // would surface an error string instead of a permission dialog).
+        // The v2ForcePrompt flag ensures check()'s allow decision is
+        // promoted to prompt so the user sees a permission dialog.
+        v2ForcePrompt = true;
       }
-      // Falls through to the v1 risk-classification + prompter path
     }
 
     const risk = await classifyRisk(
@@ -301,25 +283,34 @@ export class PermissionChecker {
           return { allowed: true, decision: "temporary_override", riskLevel };
         }
 
-        const allowlistOptions = await generateAllowlistOptions(
-          name,
-          input,
-          context.signal,
-        );
-        const scopeOptions = generateScopeOptions(context.workingDir, name);
         const previewDiff = computePreviewDiff(name, input, context.workingDir);
-
-        const persistentDecisionsAllowed = !context.requireFreshApproval;
-
-        // Offer temporary approval options to guardians. Suppressed when
-        // requireFreshApproval is true - temporary overrides would be
-        // misleading since future invocations still require fresh approval.
-        const temporaryOptionsAvailable:
-          | Array<"allow_10m" | "allow_conversation">
-          | undefined =
-          context.trustClass === "guardian" && !context.requireFreshApproval
-            ? ["allow_10m", "allow_conversation"]
-            : undefined;
+        const promptOptions = v2ForcePrompt
+          ? CONVERSATION_HOST_ACCESS_PROMPT
+          : v2Enabled
+            ? {
+                allowlistOptions: [] as Awaited<
+                  ReturnType<typeof generateAllowlistOptions>
+                >,
+                scopeOptions: [] as ReturnType<typeof generateScopeOptions>,
+                persistentDecisionsAllowed: false,
+                temporaryOptionsAvailable: undefined,
+              }
+            : {
+                allowlistOptions: await generateAllowlistOptions(
+                  name,
+                  input,
+                  context.signal,
+                ),
+                scopeOptions: generateScopeOptions(context.workingDir, name),
+                persistentDecisionsAllowed: !context.requireFreshApproval,
+                temporaryOptionsAvailable:
+                  context.trustClass === "guardian" &&
+                  !context.requireFreshApproval
+                    ? (["allow_10m", "allow_conversation"] as Array<
+                        "allow_10m" | "allow_conversation"
+                      >)
+                    : undefined,
+              };
 
         emitLifecycleEvent({
           type: "permission_prompt",
@@ -331,10 +322,10 @@ export class PermissionChecker {
           requestId: context.requestId,
           riskLevel,
           reason: result.reason,
-          allowlistOptions,
-          scopeOptions,
+          allowlistOptions: promptOptions.allowlistOptions,
+          scopeOptions: promptOptions.scopeOptions,
           diff: previewDiff,
-          persistentDecisionsAllowed,
+          persistentDecisionsAllowed: promptOptions.persistentDecisionsAllowed,
         });
 
         await getHookManager().trigger("permission-request", {
@@ -348,27 +339,31 @@ export class PermissionChecker {
           name,
           input,
           riskLevel,
-          allowlistOptions,
-          scopeOptions,
+          promptOptions.allowlistOptions,
+          promptOptions.scopeOptions,
           previewDiff,
           context.conversationId,
           executionTarget,
-          persistentDecisionsAllowed,
+          promptOptions.persistentDecisionsAllowed,
           context.signal,
-          temporaryOptionsAvailable,
+          promptOptions.temporaryOptionsAvailable,
           context.toolUseId,
+          v2ForcePrompt,
         );
 
-        const decision = response.decision;
+        const decision =
+          v2ForcePrompt && !isConversationHostAccessDecision(response.decision)
+            ? "deny"
+            : response.decision;
 
         await getHookManager().trigger("permission-resolve", {
           toolName: name,
-          decision: response.decision,
+          decision,
           riskLevel,
           conversationId: context.conversationId,
         });
 
-        if (response.decision === "deny") {
+        if (decision === "deny") {
           const contextualDenial =
             typeof response.decisionContext === "string"
               ? response.decisionContext.trim()
@@ -403,15 +398,15 @@ export class PermissionChecker {
           };
         }
 
-        if (response.decision === "always_deny") {
+        if (decision === "always_deny") {
           // For non-scoped tools (empty scopeOptions), default to 'everywhere' since
           // the client has no scope picker and will send undefined.
           const effectiveDenyScope =
-            scopeOptions.length === 0
+            promptOptions.scopeOptions.length === 0
               ? (response.selectedScope ?? "everywhere")
               : response.selectedScope;
           const ruleSaved = !!(
-            persistentDecisionsAllowed &&
+            promptOptions.persistentDecisionsAllowed &&
             response.selectedPattern &&
             effectiveDenyScope
           );
@@ -452,9 +447,9 @@ export class PermissionChecker {
         }
 
         if (
-          persistentDecisionsAllowed &&
-          (response.decision === "always_allow" ||
-            response.decision === "always_allow_high_risk") &&
+          promptOptions.persistentDecisionsAllowed &&
+          (decision === "always_allow" ||
+            decision === "always_allow_high_risk") &&
           response.selectedPattern
         ) {
           const ruleOptions: {
@@ -462,7 +457,7 @@ export class PermissionChecker {
             executionTarget?: string;
           } = {};
 
-          if (response.decision === "always_allow_high_risk") {
+          if (decision === "always_allow_high_risk") {
             ruleOptions.allowHighRisk = true;
           }
 
@@ -474,7 +469,7 @@ export class PermissionChecker {
           // Only default to 'everywhere' for non-scoped tools (empty scopeOptions).
           // For scoped tools, require an explicit scope to prevent silent permission widening.
           const effectiveScope =
-            scopeOptions.length === 0
+            promptOptions.scopeOptions.length === 0
               ? (response.selectedScope ?? "everywhere")
               : response.selectedScope;
           if (effectiveScope) {
@@ -493,13 +488,13 @@ export class PermissionChecker {
         // time-limited or conversation-scoped override. Subsequent tool
         // invocations in this conversation will auto-approve without
         // prompting (checked above in the temporary override block).
-        if (response.decision === "allow_10m") {
+        if (decision === "allow_10m") {
           setTimedMode(context.conversationId);
           log.info(
             { toolName: name, conversationId: context.conversationId },
             "Activated timed (10m) temporary approval mode",
           );
-        } else if (response.decision === "allow_conversation") {
+        } else if (decision === "allow_conversation") {
           setConversationMode(context.conversationId);
           log.info(
             { toolName: name, conversationId: context.conversationId },

package/src/tools/registry.ts

@@ -8,7 +8,6 @@ import { hostFileReadTool } from "./host-filesystem/read.js";
 import { hostFileWriteTool } from "./host-filesystem/write.js";
 import { hostShellTool } from "./host-terminal/host-shell.js";
 import { registerSystemTools } from "./system/register.js";
-import { setPermissionModeTool } from "./system/set-permission-mode.js";
 import type { Tool } from "./types.js";
 import { allUiSurfaceTools } from "./ui-surface/definitions.js";
 import { registerUiSurfaceTools } from "./ui-surface/registry.js";
@@ -285,7 +284,6 @@ export async function initializeTools(): Promise<void> {
       ...allComputerUseTools.map((t: Tool) => t.name),
       ...allUiSurfaceTools.map((t: Tool) => t.name),
       ...coreAppProxyTools.map((t: Tool) => t.name),
-      setPermissionModeTool.name,
     ]);
 
     coreToolsSnapshot = new Map<string, Tool>();

package/src/tools/secret-detection-handler.ts

@@ -2,6 +2,7 @@ import { getConfig } from "../config/loader.js";
 import { getHookManager } from "../hooks/manager.js";
 import { PermissionPrompter } from "../permissions/prompter.js";
 import { RiskLevel } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 import type { SecretPattern } from "../security/secret-scanner.js";
 import {
   compileCustomPatterns,
@@ -269,6 +270,39 @@ export class SecretDetectionHandler {
   ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
     const types = [...new Set(allMatches.map((m) => m.type))].join(", ");
 
+    if (isPermissionControlsV2Enabled()) {
+      const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). Secret-output approval cards are disabled under v2. Ask the user for confirmation conversationally before retrying.`;
+      const durationMs = Date.now() - startTime;
+
+      emitLifecycleEvent(context, {
+        type: "permission_denied",
+        toolName: name,
+        executionTarget,
+        input,
+        workingDir: context.workingDir,
+        conversationId: context.conversationId,
+        requestId: context.requestId,
+        riskLevel: RiskLevel.High,
+        decision: "deny",
+        reason: "Secret output blocked without deterministic prompt under v2",
+        durationMs,
+      });
+
+      void getHookManager().trigger("post-tool-execute", {
+        toolName: name,
+        input: sanitizeToolInput(name, input),
+        riskLevel,
+        isError: true,
+        durationMs,
+        conversationId: context.conversationId,
+      });
+
+      return {
+        result: { content: blockedContent, isError: true },
+        earlyReturn: true,
+      };
+    }
+
     // Non-interactive sessions: auto-block secret output instead of waiting for prompt
     if (context.isInteractive === false) {
       const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). No interactive client available to approve.`;

package/src/tools/shared/filesystem/image-read.ts

@@ -61,63 +61,37 @@ function detectMediaType(buf: Buffer): string | null {
   return null;
 }
 
-/**
- * Read an image file from disk, optionally optimize it, and return a
- * ToolExecutionResult with base64-encoded image content blocks.
- *
- * The caller is responsible for path resolution and sandbox enforcement -
- * `resolvedPath` must be an already-validated absolute path.
- */
-export function readImageFile(resolvedPath: string): ToolExecutionResult {
-  let stat;
-  try {
-    stat = statSync(resolvedPath);
-  } catch {
-    return {
-      content: `Error: file not found: ${resolvedPath}`,
-      isError: true,
-    };
-  }
-
-  if (!stat.isFile()) {
-    return { content: `Error: ${resolvedPath} is not a file`, isError: true };
-  }
-
-  if (stat.size > MAX_SOURCE_SIZE_BYTES) {
-    const sizeMB = (stat.size / (1024 * 1024)).toFixed(1);
+function buildImageToolResult(
+  buffer: Buffer,
+  sourceLabel: string,
+): ToolExecutionResult {
+  if (buffer.length > MAX_SOURCE_SIZE_BYTES) {
+    const sizeMB = (buffer.length / (1024 * 1024)).toFixed(1);
     return {
       content: `Error: image too large (${sizeMB} MB). Maximum source file size is 100 MB.`,
       isError: true,
     };
   }
 
-  let buffer: Buffer;
-  try {
-    buffer = readFileSync(resolvedPath) as Buffer;
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return { content: `Error reading file: ${msg}`, isError: true };
-  }
-
   // Detect actual format from magic bytes - never trust the file extension
   // alone, since sips converts to JPEG and files can be misnamed.
   const detectedType = detectMediaType(buffer);
   if (!detectedType) {
     return {
-      content: `Error: could not detect image format for ${resolvedPath}. The file may be corrupt.`,
+      content: `Error: could not detect image format for ${sourceLabel}. The file may be corrupt.`,
       isError: true,
     };
   }
 
   // Optimize before size-checking — oversized images may compress under the limit.
   const rawBase64 = buffer.toString("base64");
-  const { data: base64Data, mediaType: finalType } =
-    optimizeImageForTransport(rawBase64, detectedType);
+  const { data: base64Data, mediaType: finalType } = optimizeImageForTransport(
+    rawBase64,
+    detectedType,
+  );
   const optimized = base64Data !== rawBase64;
 
-  const optimizedBytes = optimized
-    ? Math.ceil((base64Data.length * 3) / 4)
-    : buffer.length;
+  const optimizedBytes = Buffer.from(base64Data, "base64").length;
   if (optimizedBytes > MAX_SIZE_BYTES) {
     const sizeMB = (optimizedBytes / (1024 * 1024)).toFixed(1);
     return {
@@ -136,14 +110,61 @@ export function readImageFile(resolvedPath: string): ToolExecutionResult {
   };
 
   const sizeSuffix = optimized
-    ? ` (optimized from ${(stat.size / 1024).toFixed(0)} KB to ${(
+    ? ` (optimized from ${(buffer.length / 1024).toFixed(0)} KB to ${(
         optimizedBytes / 1024
       ).toFixed(0)} KB)`
     : "";
 
   return {
-    content: `Image loaded: ${resolvedPath} (${optimizedBytes} bytes, ${finalType})${sizeSuffix}`,
+    content: `Image loaded: ${sourceLabel} (${optimizedBytes} bytes, ${finalType})${sizeSuffix}`,
     isError: false,
     contentBlocks: [imageBlock],
   };
 }
+
+export function readImageBase64(
+  base64Data: string,
+  sourceLabel: string,
+): ToolExecutionResult {
+  return buildImageToolResult(Buffer.from(base64Data, "base64"), sourceLabel);
+}
+
+/**
+ * Read an image file from disk, optionally optimize it, and return a
+ * ToolExecutionResult with base64-encoded image content blocks.
+ *
+ * The caller is responsible for path resolution and sandbox enforcement -
+ * `resolvedPath` must be an already-validated absolute path.
+ */
+export function readImageFile(resolvedPath: string): ToolExecutionResult {
+  let stat;
+  try {
+    stat = statSync(resolvedPath);
+  } catch {
+    return {
+      content: `Error: file not found: ${resolvedPath}`,
+      isError: true,
+    };
+  }
+
+  if (!stat.isFile()) {
+    return { content: `Error: ${resolvedPath} is not a file`, isError: true };
+  }
+
+  if (stat.size > MAX_SOURCE_SIZE_BYTES) {
+    const sizeMB = (stat.size / (1024 * 1024)).toFixed(1);
+    return {
+      content: `Error: image too large (${sizeMB} MB). Maximum source file size is 100 MB.`,
+      isError: true,
+    };
+  }
+
+  let buffer: Buffer;
+  try {
+    buffer = readFileSync(resolvedPath) as Buffer;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { content: `Error reading file: ${msg}`, isError: true };
+  }
+  return buildImageToolResult(buffer, resolvedPath);
+}

package/src/tools/subagent/spawn.ts

@@ -8,9 +8,15 @@ export async function executeSubagentSpawn(
   const label = input.label as string;
   const objective = input.objective as string;
   const extraContext = input.context as string | undefined;
-  const sendResultToUser = input.send_result_to_user !== false;
+  const fork = input.fork === true;
   const role = (input.role as string | undefined) ?? undefined;
 
+  // For fork mode, sendResultToUser defaults to false unless explicitly set to true.
+  // For regular mode, sendResultToUser defaults to true (existing behavior).
+  const sendResultToUser = fork
+    ? input.send_result_to_user === true
+    : input.send_result_to_user !== false;
+
   if (!label || !objective) {
     return {
       content: 'Both "label" and "objective" are required.',
@@ -29,6 +35,36 @@ export async function executeSubagentSpawn(
     };
   }
 
+  // ── Fork mode: resolve parent context ────────────────────────────
+  let forkFields: {
+    fork: true;
+    parentMessages: import("../../providers/types.js").Message[];
+    parentSystemPrompt: string;
+  } | undefined;
+
+  if (fork) {
+    const parentConversation = manager.resolveParentConversation?.(
+      context.conversationId,
+    );
+    if (!parentConversation) {
+      return {
+        content:
+          "Cannot fork: parent conversation could not be resolved. " +
+          "This may happen if the conversation was evicted or the resolveParentConversation callback is not wired.",
+        isError: true,
+      };
+    }
+
+    const parentMessages = [...parentConversation.messages];
+    const parentSystemPrompt = parentConversation.getCurrentSystemPrompt();
+
+    forkFields = {
+      fork: true,
+      parentMessages,
+      parentSystemPrompt,
+    };
+  }
+
   try {
     const subagentId = await manager.spawn(
       {
@@ -37,7 +73,12 @@ export async function executeSubagentSpawn(
         objective,
         context: extraContext,
         sendResultToUser,
-        ...(role ? { role: role as import("../../subagent/types.js").SubagentRole } : {}),
+        // For fork mode, role is ignored by the manager (forced to general),
+        // but we still omit it from the config to signal intent.
+        ...(!fork && role
+          ? { role: role as import("../../subagent/types.js").SubagentRole }
+          : {}),
+        ...forkFields,
       },
       sendToClient as (msg: unknown) => void,
     );
@@ -47,7 +88,10 @@ export async function executeSubagentSpawn(
         subagentId,
         label,
         status: "pending",
-        message: `Subagent "${label}" spawned. You will be notified automatically when it completes or fails - do NOT poll subagent_status. Continue the conversation normally.`,
+        ...(fork ? { isFork: true } : {}),
+        message: fork
+          ? `Forked subagent "${label}" spawned with full parent context. You will be notified automatically when it completes or fails - do NOT poll subagent_status. Continue the conversation normally.`
+          : `Subagent "${label}" spawned. You will be notified automatically when it completes or fails - do NOT poll subagent_status. Continue the conversation normally.`,
       }),
       isError: false,
     };

package/src/tools/subagent/status.ts

@@ -34,6 +34,7 @@ export async function executeSubagentStatus(
         subagentId: state.config.id,
         label: state.config.label,
         status: state.status,
+        isFork: state.isFork,
         error: state.error,
         createdAt: state.createdAt,
         startedAt: state.startedAt,
@@ -57,6 +58,7 @@ export async function executeSubagentStatus(
     subagentId: s.config.id,
     label: s.config.label,
     status: s.status,
+    isFork: s.isFork,
     error: s.error,
   }));
 

package/src/tools/system/register.ts

@@ -1,23 +1,9 @@
 /**
  * Registers feature-flag-gated system tools with the daemon's tool registry.
  *
- * Called once at daemon startup via initializeTools(). Tools that are always
- * registered (e.g. request_system_permission) are handled via the tool
- * manifest's explicit tools list; this module handles conditional registration.
+ * No conditional tools are currently registered.
  */
 
-import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
-import { getConfig } from "../../config/loader.js";
-import { registerTool } from "../registry.js";
-import { setPermissionModeTool } from "./set-permission-mode.js";
-
 export function registerSystemTools(): void {
-  try {
-    const config = getConfig();
-    if (isAssistantFeatureFlagEnabled("permission-controls-v2", config)) {
-      registerTool(setPermissionModeTool);
-    }
-  } catch {
-    // Config not yet loaded (e.g. during test setup) — permission mode tool stays off.
-  }
+  // No-op.
 }