@vellumai/assistant 0.6.2 → 0.6.4

package/src/runtime/migrations/vbundle-builder.ts

@@ -28,6 +28,7 @@ import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import { createGzip, gzipSync } from "node:zlib";
 
+import { sanitizeConfigForTransfer } from "../../config/sanitize-for-transfer.js";
 import type {
   ManifestFileEntryType,
   ManifestType,
@@ -66,6 +67,20 @@ interface FileMetadata {
   size: number;
 }
 
+/** In-memory entry for data not backed by a file on disk (e.g. credentials). */
+interface InMemoryEntry {
+  archivePath: string;
+  data: Uint8Array;
+  size: number;
+}
+
+/** Union of disk-backed and in-memory tar stream entries. */
+type TarStreamEntry = FileMetadata | InMemoryEntry;
+
+function isInMemoryEntry(entry: TarStreamEntry): entry is InMemoryEntry {
+  return "data" in entry;
+}
+
 // ---------------------------------------------------------------------------
 // Hash helpers
 // ---------------------------------------------------------------------------
@@ -439,6 +454,8 @@ export interface BuildExportVBundleOptions {
    * Called before the workspace walk so the DB file is up to date.
    */
   checkpoint?: () => void;
+  /** Optional credential entries to include in the archive under credentials/ prefix. */
+  credentials?: Array<{ account: string; value: string }>;
 }
 
 /**
@@ -456,8 +473,15 @@ export interface BuildExportVBundleOptions {
 export function buildExportVBundle(
   options: BuildExportVBundleOptions,
 ): BuildVBundleResult {
-  const { source, description, checkpoint, trustPath, workspaceDir, hooksDir } =
-    options;
+  const {
+    source,
+    description,
+    checkpoint,
+    trustPath,
+    workspaceDir,
+    hooksDir,
+    credentials,
+  } = options;
 
   // Flush WAL to the main database file before reading so the export
   // captures all committed rows (SQLite WAL mode keeps recent writes
@@ -483,6 +507,14 @@ export function buildExportVBundle(
     );
   }
 
+  // Sanitize workspace/config.json to strip environment-specific fields
+  const configEntry = files.find((f) => f.path === "workspace/config.json");
+  if (configEntry) {
+    const configJson = new TextDecoder().decode(configEntry.data);
+    const sanitized = sanitizeConfigForTransfer(configJson);
+    configEntry.data = new TextEncoder().encode(sanitized);
+  }
+
   // Include hooks directory if it exists (lives at ~/.vellum/hooks/, outside workspace).
   if (hooksDir && existsSync(hooksDir) && lstatSync(hooksDir).isDirectory()) {
     files.push(...walkDirectory(hooksDir, "hooks"));
@@ -494,6 +526,14 @@ export function buildExportVBundle(
     files.push({ path: "trust/trust.json", data: trustData });
   }
 
+  // Include credential entries if provided
+  if (credentials?.length) {
+    for (const { account, value } of credentials) {
+      const data = new TextEncoder().encode(value);
+      files.push({ path: `credentials/${account}`, data });
+    }
+  }
+
   return buildVBundle({
     files,
     source: source ?? "runtime-export",
@@ -688,7 +728,7 @@ function tarPaddingBytes(dataSize: number): Uint8Array {
  */
 async function* generateTarStream(
   manifestJson: Uint8Array,
-  files: FileMetadata[],
+  files: TarStreamEntry[],
 ): AsyncGenerator<Uint8Array> {
   // Manifest entry
   yield createPaxAndHeaderBlocks("manifest.json", manifestJson.length);
@@ -697,43 +737,52 @@ async function* generateTarStream(
 
   // File entries
   for (const file of files) {
-    yield createPaxAndHeaderBlocks(file.archivePath, file.size);
-
-    // Stream exactly file.size bytes from disk. Capping the read at the
-    // declared size keeps the tar structure valid even if the file grows
-    // between passes (common for log files on active assistants). If the
-    // file shrinks below the declared size, zero-pad to maintain block
-    // alignment. The WAL checkpoint before export is the primary
-    // consistency mechanism for the database.
-    let bytesWritten = 0;
-    if (file.size > 0) {
-      try {
-        const stream = createReadStream(file.diskPath, {
-          start: 0,
-          end: file.size - 1,
-        });
-        for await (const chunk of stream) {
-          const data =
-            chunk instanceof Uint8Array ? chunk : new Uint8Array(chunk);
-          bytesWritten += data.length;
-          yield data;
+    const entrySize = isInMemoryEntry(file) ? file.size : file.size;
+    yield createPaxAndHeaderBlocks(file.archivePath, entrySize);
+
+    if (isInMemoryEntry(file)) {
+      // In-memory entry — yield data directly
+      if (file.size > 0) {
+        yield file.data;
+      }
+    } else {
+      // Disk-backed entry — stream from disk
+      // Stream exactly file.size bytes from disk. Capping the read at the
+      // declared size keeps the tar structure valid even if the file grows
+      // between passes (common for log files on active assistants). If the
+      // file shrinks below the declared size, zero-pad to maintain block
+      // alignment. The WAL checkpoint before export is the primary
+      // consistency mechanism for the database.
+      let bytesWritten = 0;
+      if (file.size > 0) {
+        try {
+          const stream = createReadStream(file.diskPath, {
+            start: 0,
+            end: file.size - 1,
+          });
+          for await (const chunk of stream) {
+            const data =
+              chunk instanceof Uint8Array ? chunk : new Uint8Array(chunk);
+            bytesWritten += data.length;
+            yield data;
+          }
+        } catch {
+          // File was deleted or rotated between passes — emit zeros for
+          // the full declared size so the tar structure stays valid
         }
-      } catch {
-        // File was deleted or rotated between passes — emit zeros for
-        // the full declared size so the tar structure stays valid
       }
-    }
 
-    // If the file shrank, pad with zeros in bounded chunks to reach
-    // the declared size without a large single allocation
-    let remaining = file.size - bytesWritten;
-    while (remaining > 0) {
-      const chunkSize = Math.min(remaining, 65536);
-      yield new Uint8Array(chunkSize);
-      remaining -= chunkSize;
+      // If the file shrank, pad with zeros in bounded chunks to reach
+      // the declared size without a large single allocation
+      let remaining = file.size - bytesWritten;
+      while (remaining > 0) {
+        const chunkSize = Math.min(remaining, 65536);
+        yield new Uint8Array(chunkSize);
+        remaining -= chunkSize;
+      }
     }
 
-    yield tarPaddingBytes(file.size);
+    yield tarPaddingBytes(entrySize);
   }
 
   // End-of-archive: two zero blocks
@@ -765,8 +814,15 @@ export interface StreamExportVBundleResult {
 export async function streamExportVBundle(
   options: BuildExportVBundleOptions,
 ): Promise<StreamExportVBundleResult> {
-  const { source, description, checkpoint, trustPath, workspaceDir, hooksDir } =
-    options;
+  const {
+    source,
+    description,
+    checkpoint,
+    trustPath,
+    workspaceDir,
+    hooksDir,
+    credentials,
+  } = options;
 
   // Flush WAL to the main database file before reading
   if (checkpoint) {
@@ -806,6 +862,42 @@ export async function streamExportVBundle(
     }
   }
 
+  // Sanitize workspace/config.json: read from disk, sanitize, and replace the
+  // disk-backed metadata entry with an in-memory entry so the streaming tar
+  // writes sanitized content instead of the raw file.
+  const configMetadataIdx = allFileMetadata.findIndex(
+    (f) => f.archivePath === "workspace/config.json",
+  );
+
+  const sanitizedConfigEntries: InMemoryEntry[] = [];
+  if (configMetadataIdx !== -1) {
+    const configMeta = allFileMetadata[configMetadataIdx];
+    const rawConfigData = readFileSync(configMeta.diskPath, "utf8");
+    const sanitized = sanitizeConfigForTransfer(rawConfigData);
+    const sanitizedData = new TextEncoder().encode(sanitized);
+
+    // Remove the disk-backed entry and replace with an in-memory entry
+    allFileMetadata.splice(configMetadataIdx, 1);
+    sanitizedConfigEntries.push({
+      archivePath: "workspace/config.json",
+      data: sanitizedData,
+      size: sanitizedData.length,
+    });
+  }
+
+  // Build in-memory entries for credentials (not disk-backed)
+  const inMemoryEntries: InMemoryEntry[] = [];
+  if (credentials?.length) {
+    for (const { account, value } of credentials) {
+      const data = new TextEncoder().encode(value);
+      inMemoryEntries.push({
+        archivePath: `credentials/${account}`,
+        data,
+        size: data.length,
+      });
+    }
+  }
+
   // ------------------------------------------------------------------
   // Pass 1: Compute SHA-256 checksums to build the manifest
   // ------------------------------------------------------------------
@@ -820,6 +912,16 @@ export async function streamExportVBundle(
     });
   }
 
+  // Add in-memory entries (sanitized config, credentials) to the manifest
+  for (const entry of [...sanitizedConfigEntries, ...inMemoryEntries]) {
+    const sha256 = sha256Hex(entry.data);
+    fileEntries.push({
+      path: entry.archivePath,
+      sha256,
+      size: entry.size,
+    });
+  }
+
   const manifestWithoutChecksum = {
     schema_version: "1.0",
     created_at: new Date().toISOString(),
@@ -842,7 +944,12 @@ export async function streamExportVBundle(
 
   const tempPath = join(tmpdir(), `vbundle-export-${randomUUID()}.tmp`);
 
-  const tarGenerator = generateTarStream(manifestData, allFileMetadata);
+  const allEntries: TarStreamEntry[] = [
+    ...allFileMetadata,
+    ...sanitizedConfigEntries,
+    ...inMemoryEntries,
+  ];
+  const tarGenerator = generateTarStream(manifestData, allEntries);
   const tarReadable = Readable.from(tarGenerator);
   const gzipStream = createGzip();
   const writeStream = createWriteStream(tempPath, { mode: 0o600 });

package/src/runtime/migrations/vbundle-import-analyzer.ts

@@ -17,9 +17,19 @@ import { createHash } from "node:crypto";
 import { existsSync, readFileSync, statSync } from "node:fs";
 import { join, resolve } from "node:path";
 
+import { resolveGuardianPersonaPath } from "../../prompts/persona-resolver.js";
+import { getLogger } from "../../util/logger.js";
 import type { ManifestType } from "./vbundle-validator.js";
 
-/** Only these prompt filenames are accepted during import. */
+const log = getLogger("vbundle-import-analyzer");
+
+/**
+ * Only these prompt filenames are accepted during import.
+ *
+ * `USER.md` is retained for backward compatibility with legacy bundles —
+ * on import, its content is translated to `users/<slug>.md` at the
+ * current guardian's location (see `DefaultPathResolver.resolve`).
+ */
 const ALLOWED_PROMPT_FILENAMES = new Set([
   "IDENTITY.md",
   "SOUL.md",
@@ -27,6 +37,9 @@ const ALLOWED_PROMPT_FILENAMES = new Set([
   "UPDATES.md",
 ]);
 
+/** Archive path for the legacy guardian user persona file. */
+const LEGACY_USER_MD_ARCHIVE_PATH = "prompts/USER.md";
+
 // ---------------------------------------------------------------------------
 // Public types
 // ---------------------------------------------------------------------------
@@ -87,12 +100,27 @@ export interface PathResolver {
 }
 
 export class DefaultPathResolver implements PathResolver {
+  /**
+   * @param workspaceDir  absolute path to the workspace directory.
+   * @param hooksDir      absolute path to the hooks directory.
+   * @param guardianPersonaPathResolver  function that returns the
+   *   current guardian's persona path (`users/<slug>.md`) or `null`
+   *   when no guardian exists. Defaults to the production
+   *   `resolveGuardianPersonaPath` helper; tests inject a stub so they
+   *   don't need to mock the contact store.
+   */
   constructor(
     private workspaceDir?: string,
     private hooksDir?: string,
+    private guardianPersonaPathResolver: () => string | null = resolveGuardianPersonaPath,
   ) {}
 
   resolve(archivePath: string): string | null {
+    // Skip credential entries — handled separately by the credential import step
+    if (archivePath.startsWith("credentials/")) {
+      return null;
+    }
+
     // New format: workspace/ prefix — maps directly into the workspace dir
     if (archivePath.startsWith("workspace/") && this.workspaceDir) {
       const relPath = archivePath.slice("workspace/".length);
@@ -134,6 +162,38 @@ export class DefaultPathResolver implements PathResolver {
       if (!ALLOWED_PROMPT_FILENAMES.has(filename)) {
         return null;
       }
+
+      // Legacy USER.md translation: rewrite the destination to the
+      // current guardian's per-user persona file `users/<slug>.md`.
+      // Guardian-less workspaces return null → importer skips with a
+      // warning (see vbundle-importer.ts). This lookup runs against
+      // whatever DB state is live at the time of resolve — typically
+      // the pre-import workspace, which is the common upgrade case.
+      if (archivePath === LEGACY_USER_MD_ARCHIVE_PATH) {
+        const guardianPath = this.guardianPersonaPathResolver();
+        if (!guardianPath) {
+          log.warn(
+            { path: archivePath },
+            "Legacy prompts/USER.md has no guardian target — will be skipped on import",
+          );
+          return null;
+        }
+        // Containment check: guardian path must live under the workspace.
+        const wsRoot = resolve(this.workspaceDir);
+        const guardianResolved = resolve(guardianPath);
+        if (
+          guardianResolved !== wsRoot &&
+          !guardianResolved.startsWith(wsRoot + "/")
+        ) {
+          log.warn(
+            { path: archivePath, guardianPath },
+            "Guardian persona path falls outside workspace — refusing to write",
+          );
+          return null;
+        }
+        return guardianResolved;
+      }
+
       const resolved = resolve(this.workspaceDir, filename);
       const wsRoot = resolve(this.workspaceDir);
       if (resolved !== wsRoot && !resolved.startsWith(wsRoot + "/")) {
@@ -190,7 +250,42 @@ export function analyzeImport(
   for (const fileEntry of manifest.files) {
     const diskPath = pathResolver.resolve(fileEntry.path);
 
+    // Credential entries are handled separately by the credential import
+    // step — skip them without flagging as unknown/conflict.
+    if (fileEntry.path.startsWith("credentials/")) {
+      files.push({
+        path: fileEntry.path,
+        action: "skip",
+        bundle_size: fileEntry.size,
+        bundle_sha256: fileEntry.sha256,
+        current_size: null,
+        current_sha256: null,
+      });
+      continue;
+    }
+
     if (!diskPath) {
+      // Legacy `prompts/USER.md` in a guardian-less workspace has no
+      // destination to translate to. The commit-time path skips this
+      // entry with a warning rather than failing, so preflight mirrors
+      // that: emit a non-blocking skip so `can_import` stays true and
+      // upgrade paths proceed. No conflict is registered.
+      if (fileEntry.path === LEGACY_USER_MD_ARCHIVE_PATH) {
+        log.warn(
+          { path: fileEntry.path },
+          "Legacy prompts/USER.md has no guardian target — will be skipped on import",
+        );
+        files.push({
+          path: fileEntry.path,
+          action: "skip",
+          bundle_size: fileEntry.size,
+          bundle_sha256: fileEntry.sha256,
+          current_size: null,
+          current_sha256: null,
+        });
+        continue;
+      }
+
       // Unknown archive path — would have nowhere to write
       conflicts.push({
         code: "UNKNOWN_ARCHIVE_PATH",

package/src/runtime/migrations/vbundle-importer.ts

@@ -24,10 +24,18 @@ import {
 } from "node:fs";
 import { dirname, join } from "node:path";
 
+import { sanitizeConfigForTransfer } from "../../config/sanitize-for-transfer.js";
+import { isGuardianPersonaCustomized } from "../../prompts/persona-resolver.js";
+import { getLogger } from "../../util/logger.js";
 import type { PathResolver } from "./vbundle-import-analyzer.js";
 import type { ManifestType, VBundleTarEntry } from "./vbundle-validator.js";
 import { validateVBundle } from "./vbundle-validator.js";
 
+const log = getLogger("vbundle-importer");
+
+/** Archive path for the legacy guardian user persona file. */
+const LEGACY_USER_MD_ARCHIVE_PATH = "prompts/USER.md";
+
 // ---------------------------------------------------------------------------
 // Public types
 // ---------------------------------------------------------------------------
@@ -227,6 +235,12 @@ export function commitImport(options: ImportCommitOptions): ImportCommitResult {
   let backupsCreated = 0;
 
   for (const fileEntry of manifest.files) {
+    // Credential entries are handled separately by extractCredentialsFromBundle()
+    // in migration-routes.ts — skip them silently without warnings or skip counts.
+    if (fileEntry.path.startsWith("credentials/")) {
+      continue;
+    }
+
     const diskPath = pathResolver.resolve(fileEntry.path);
 
     if (!diskPath) {
@@ -263,6 +277,33 @@ export function commitImport(options: ImportCommitOptions): ImportCommitResult {
       continue;
     }
 
+    // Legacy guardian persona (prompts/USER.md) is translated to the
+    // current guardian's users/<slug>.md by DefaultPathResolver. If
+    // that target already holds user-authored content, skip rather
+    // than clobber — the user has curated their persona since the
+    // bundle was exported.
+    if (
+      fileEntry.path === LEGACY_USER_MD_ARCHIVE_PATH &&
+      isGuardianPersonaCustomized(diskPath)
+    ) {
+      log.warn(
+        { archivePath: fileEntry.path, diskPath },
+        "Skipping legacy prompts/USER.md import: guardian persona is already customized",
+      );
+      warnings.push(
+        `Skipped "${fileEntry.path}": guardian persona at "${diskPath}" is already customized`,
+      );
+      importedFiles.push({
+        path: fileEntry.path,
+        disk_path: diskPath,
+        action: "skipped",
+        size: fileEntry.size,
+        sha256: fileEntry.sha256,
+        backup_path: null,
+      });
+      continue;
+    }
+
     // Determine action and create backup if needed
     let backupPath: string | null = null;
     let action: ImportFileAction;
@@ -315,9 +356,20 @@ export function commitImport(options: ImportCommitOptions): ImportCommitResult {
       }
     }
 
+    // Sanitize config files to strip environment-specific fields (defense-in-depth)
+    let dataToWrite: Uint8Array = archiveEntry.data;
+    if (
+      fileEntry.path === "workspace/config.json" ||
+      fileEntry.path === "config/settings.json"
+    ) {
+      const configJson = new TextDecoder().decode(archiveEntry.data);
+      const sanitized = sanitizeConfigForTransfer(configJson);
+      dataToWrite = new TextEncoder().encode(sanitized);
+    }
+
     // Write the file
     try {
-      writeFileSync(diskPath, archiveEntry.data);
+      writeFileSync(diskPath, dataToWrite);
     } catch (err) {
       return {
         ok: false,
@@ -335,14 +387,17 @@ export function commitImport(options: ImportCommitOptions): ImportCommitResult {
     }
 
     // Step 3: Post-write integrity check — verify the written file
+    // Use the SHA of the data we actually wrote (which may differ from the
+    // manifest SHA if the config was sanitized during import).
+    const expectedSha256 = sha256Hex(dataToWrite);
     try {
       const writtenData = new Uint8Array(readFileSync(diskPath));
       const writtenSha256 = sha256Hex(writtenData);
 
-      if (writtenSha256 !== fileEntry.sha256) {
+      if (writtenSha256 !== expectedSha256) {
         warnings.push(
           `Post-write integrity warning for "${fileEntry.path}": ` +
-            `expected SHA-256 ${fileEntry.sha256}, got ${writtenSha256}`,
+            `expected SHA-256 ${expectedSha256}, got ${writtenSha256}`,
         );
       }
     } catch {
@@ -355,8 +410,8 @@ export function commitImport(options: ImportCommitOptions): ImportCommitResult {
       path: fileEntry.path,
       disk_path: diskPath,
       action,
-      size: archiveEntry.size,
-      sha256: fileEntry.sha256,
+      size: dataToWrite.length,
+      sha256: expectedSha256,
       backup_path: backupPath,
     });
   }
@@ -380,6 +435,35 @@ export function commitImport(options: ImportCommitOptions): ImportCommitResult {
   return { ok: true, report };
 }
 
+// ---------------------------------------------------------------------------
+// Credential extraction
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract credential entries from a validated vbundle tar entries map.
+ *
+ * Credentials are stored under the `credentials/` prefix in the archive,
+ * where the remainder of the path is the account name and the entry data
+ * is the credential value.
+ */
+export function extractCredentialsFromBundle(
+  entries: Map<string, VBundleTarEntry>,
+  manifest: ManifestType,
+): Array<{ account: string; value: string }> {
+  const manifestPaths = new Set(manifest.files.map((f) => f.path));
+  const credentials: Array<{ account: string; value: string }> = [];
+  for (const [path, entry] of entries) {
+    if (path.startsWith("credentials/") && manifestPaths.has(path)) {
+      const account = path.slice("credentials/".length);
+      if (account) {
+        const value = new TextDecoder().decode(entry.data);
+        credentials.push({ account, value });
+      }
+    }
+  }
+  return credentials;
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------

package/src/runtime/pending-interactions.ts

@@ -1,13 +1,15 @@
 /**
  * In-memory tracker that maps requestId to conversation info for pending
- * confirmation, secret, host_bash, host_file, and host_cu interactions.
+ * confirmation, secret, host_bash, host_file, host_cu, and host_browser
+ * interactions.
  *
  * When the agent loop emits a confirmation_request, secret_request,
- * host_bash_request, host_file_request, or host_cu_request, the onEvent
- * callback registers the interaction here. Standalone HTTP endpoints
- * (/v1/confirm, /v1/secret, /v1/trust-rules, /v1/host-bash-result,
- * /v1/host-file-result, /v1/host-cu-result) look up the conversation from this
- * tracker to resolve the interaction.
+ * host_bash_request, host_file_request, host_cu_request, or
+ * host_browser_request, the onEvent callback registers the interaction here.
+ * Standalone HTTP endpoints (/v1/confirm, /v1/secret, /v1/trust-rules,
+ * /v1/host-bash-result, /v1/host-file-result, /v1/host-cu-result,
+ * /v1/host-browser-result) look up the conversation from this tracker to
+ * resolve the interaction.
  */
 
 import type { Conversation } from "../daemon/conversation.js";
@@ -45,6 +47,7 @@ export interface PendingInteraction {
     | "host_bash"
     | "host_file"
     | "host_cu"
+    | "host_browser"
     | "acp_confirmation";
   confirmationDetails?: ConfirmationDetails;
   /** For ACP permissions: resolves directly without a Conversation object. */
@@ -82,7 +85,7 @@ export function get(requestId: string): PendingInteraction | undefined {
 
 /**
  * Return all pending interactions for a given conversation.
- * Needed by channel approval migration (PR 3).
+ * Needed by channel approval migration.
  */
 export function getByConversation(
   conversationId: string,
@@ -100,12 +103,13 @@ export function getByConversation(
  * Remove pending confirmation and secret interactions for a given conversation.
  * Used when auto-denying all pending interactions (e.g. new user message).
  *
- * host_bash, host_file, and host_cu interactions are intentionally skipped
- * — they represent in-flight tool executions proxied to the client, not
- * confirmations to auto-deny. Removing them would orphan the request: the
- * client would POST to /v1/host-bash-result, /v1/host-file-result, or
- * /v1/host-cu-result after completing the operation, get a 404, and the
- * proxy timer would fire with a spurious timeout error.
+ * host_bash, host_file, host_cu, and host_browser interactions are
+ * intentionally skipped — they represent in-flight tool executions proxied to
+ * the client, not confirmations to auto-deny. Removing them would orphan the
+ * request: the client would POST to /v1/host-bash-result,
+ * /v1/host-file-result, /v1/host-cu-result, or /v1/host-browser-result after
+ * completing the operation, get a 404, and the proxy timer would fire with a
+ * spurious timeout error.
  */
 export function removeByConversation(conversation: Conversation): void {
   for (const [requestId, interaction] of pending) {
@@ -114,6 +118,7 @@ export function removeByConversation(conversation: Conversation): void {
       interaction.kind !== "host_bash" &&
       interaction.kind !== "host_file" &&
       interaction.kind !== "host_cu" &&
+      interaction.kind !== "host_browser" &&
       interaction.kind !== "acp_confirmation"
     ) {
       pending.delete(requestId);