@vellumai/assistant 0.6.4 → 0.6.5

package/src/tools/permission-checker.ts

@@ -1,6 +1,7 @@
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import { getConfig } from "../config/loader.js";
 import { getHookManager } from "../hooks/manager.js";
+import { resolveThreshold } from "../permissions/approval-policy.js";
 import {
   check,
   classifyRisk,
@@ -29,7 +30,12 @@ import type { Tool, ToolContext, ToolLifecycleEvent } from "./types.js";
 const log = getLogger("permission-checker");
 
 export type PermissionDecision =
-  | { allowed: true; decision: string; riskLevel: string }
+  | {
+      allowed: true;
+      decision: string;
+      riskLevel: string;
+      wasPrompted?: boolean;
+    }
   | { allowed: false; decision: string; riskLevel: string; content: string };
 
 export class PermissionChecker {
@@ -95,7 +101,7 @@ export class PermissionChecker {
       }
     }
 
-    const risk = await classifyRisk(
+    const { level: risk, reason: riskReason } = await classifyRisk(
       name,
       input,
       context.workingDir,
@@ -163,6 +169,7 @@ export class PermissionChecker {
           conversationId: context.conversationId,
           requestId: context.requestId,
           riskLevel,
+          riskReason,
           decision: "deny",
           reason: result.reason,
           durationMs,
@@ -204,20 +211,36 @@ export class PermissionChecker {
         // Exception: inline-command skill loads (skill_load_dynamic:*) must
         // never be silently auto-approved — they execute embedded commands
         // and require explicit human review or a pinned trust rule.
-        // Exception: high-risk tools (e.g. destructive shell commands, writes
-        // to sensitive paths) are denied — unattended sessions must not
-        // auto-approve operations that could cause significant damage if
-        // triggered by prompt injection from untrusted content.
+        // Exception: tools above the configured background threshold are
+        // denied — unattended sessions must not auto-approve operations that
+        // could cause significant damage if triggered by prompt injection
+        // from untrusted content.
         const isDynamicSkillLoad =
           result.matchedRule?.pattern.startsWith("skill_load_dynamic:") ===
           true;
+        const bgThreshold = resolveThreshold(
+          cfg.permissions.autoApproveUpTo,
+          "background",
+        );
+        const thresholdOrdinal: Record<string, number> = {
+          none: -1,
+          low: 0,
+          medium: 1,
+        };
+        const riskOrdinal: Record<string, number> = {
+          [RiskLevel.Low]: 0,
+          [RiskLevel.Medium]: 1,
+          [RiskLevel.High]: 2,
+        };
+        const withinThreshold =
+          (riskOrdinal[riskLevel] ?? 2) <= (thresholdOrdinal[bgThreshold] ?? 0);
         if (
           context.isInteractive === false &&
           context.trustClass === "guardian" &&
           !context.requireFreshApproval &&
           !isDynamicSkillLoad &&
           !v2ForcePrompt &&
-          riskLevel !== RiskLevel.High
+          withinThreshold
         ) {
           log.info(
             { toolName: name, riskLevel },
@@ -247,6 +270,7 @@ export class PermissionChecker {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
+            riskReason,
             decision: "deny",
             reason: "Non-interactive session: no client to approve prompt",
             durationMs,
@@ -321,6 +345,7 @@ export class PermissionChecker {
           conversationId: context.conversationId,
           requestId: context.requestId,
           riskLevel,
+          riskReason,
           reason: result.reason,
           allowlistOptions: promptOptions.allowlistOptions,
           scopeOptions: promptOptions.scopeOptions,
@@ -386,6 +411,7 @@ export class PermissionChecker {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
+            riskReason,
             decision: "deny",
             reason: denialReason,
             durationMs,
@@ -434,6 +460,7 @@ export class PermissionChecker {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
+            riskReason,
             decision: "always_deny",
             reason: denialReason,
             durationMs,
@@ -448,19 +475,13 @@ export class PermissionChecker {
 
         if (
           promptOptions.persistentDecisionsAllowed &&
-          (decision === "always_allow" ||
-            decision === "always_allow_high_risk") &&
+          decision === "always_allow" &&
           response.selectedPattern
         ) {
           const ruleOptions: {
-            allowHighRisk?: boolean;
             executionTarget?: string;
           } = {};
 
-          if (decision === "always_allow_high_risk") {
-            ruleOptions.allowHighRisk = true;
-          }
-
           if (policyContext?.executionTarget != null) {
             ruleOptions.executionTarget = policyContext.executionTarget;
           }
@@ -502,7 +523,7 @@ export class PermissionChecker {
           );
         }
 
-        return { allowed: true, decision, riskLevel };
+        return { allowed: true, decision, riskLevel, wasPrompted: true };
       }
 
       // result.decision === 'allow'

package/src/tools/policy-context.ts

@@ -1,7 +1,24 @@
+import type { ExecutionContext } from "../permissions/approval-policy.js";
 import type { PolicyContext } from "../permissions/types.js";
 import { getTaskRunRules } from "../tasks/ephemeral-permissions.js";
 import type { Tool, ToolContext } from "./types.js";
 
+/**
+ * Derive the execution context from the tool context fields.
+ * - Guardian + non-interactive → "background" (scheduled jobs, reminders)
+ * - Non-interactive (non-guardian) → "headless"
+ * - Otherwise → "conversation"
+ */
+function deriveExecutionContext(context?: ToolContext): ExecutionContext {
+  if (context?.isInteractive === false && context.trustClass === "guardian") {
+    return "background";
+  }
+  if (context?.isInteractive === false) {
+    return "headless";
+  }
+  return "conversation";
+}
+
 /**
  * Build a PolicyContext from tool metadata and execution context.
  * When executing within a task run, ephemeral permission rules are
@@ -10,23 +27,23 @@ import type { Tool, ToolContext } from "./types.js";
 export function buildPolicyContext(
   tool: Tool,
   context?: ToolContext,
-): PolicyContext | undefined {
+): PolicyContext {
   const ephemeralRules = context?.taskRunId
     ? getTaskRunRules(context.taskRunId)
     : undefined;
 
+  const executionContext = deriveExecutionContext(context);
+
   if (tool.origin === "skill") {
     return {
       executionTarget: tool.executionTarget,
       ephemeralRules: ephemeralRules?.length ? ephemeralRules : undefined,
+      executionContext,
     };
   }
 
-  if (context?.taskRunId && ephemeralRules?.length) {
-    return {
-      ephemeralRules,
-    };
-  }
-
-  return undefined;
+  return {
+    ephemeralRules: ephemeralRules?.length ? ephemeralRules : undefined,
+    executionContext,
+  };
 }

package/src/tools/registry.ts

@@ -16,6 +16,48 @@ const log = getLogger("tool-registry");
 
 const tools = new Map<string, Tool>();
 
+// ── External tool registry ───────────────────────────────────────────
+// Skills register their tools here at initialization time so the tool
+// manifest can include them without importing from `../skills/`.
+//
+// Each registration is stored as a provider closure. Closures are
+// resolved at `getExternalTools()` time (which `initializeTools()`
+// calls), not at registration time — this lets a skill defer its
+// feature-flag check until after the daemon has run
+// `mergeDefaultWorkspaceConfig()`, so skills see the merged config
+// instead of forcing an early `loadConfig()` against unmerged defaults.
+const externalToolProviders: Array<() => Tool[]> = [];
+
+/**
+ * Register tools provided by an external skill. Called during skill
+ * initialization (e.g. meet-join bootstrap).
+ *
+ * Accepts either a concrete `Tool[]` (resolved eagerly at the caller)
+ * or a `() => Tool[]` closure (resolved lazily inside
+ * `getExternalTools()`). Skills that perform feature-flag or config
+ * reads to decide which tools to surface must pass a closure so the
+ * read happens after daemon-startup config merging.
+ *
+ * Lives in registry.ts (not tool-manifest.ts) to avoid a circular
+ * dependency: skills/load.ts → … → meet-join/register.ts → tool-manifest.ts
+ * → skills/load.ts. Keeping it here lets external skill bootstraps import
+ * from registry.ts, which is already a leaf in the dependency graph.
+ */
+export function registerExternalTools(
+  toolsOrProvider: Tool[] | (() => Tool[]),
+): void {
+  const provider =
+    typeof toolsOrProvider === "function"
+      ? toolsOrProvider
+      : () => toolsOrProvider;
+  externalToolProviders.push(provider);
+}
+
+/** Return all externally registered tools. */
+export function getExternalTools(): Tool[] {
+  return externalToolProviders.flatMap((provider) => provider());
+}
+
 // Snapshot of core tools captured after initializeTools() completes.
 // Used by __resetRegistryForTesting() to restore eager tools that cannot
 // be re-registered because ESM import caching prevents side effects
@@ -245,6 +287,15 @@ export async function initializeTools(): Promise<void> {
     registerTool(tool);
   }
 
+  // External skill tools — registered by skill bootstrap modules via
+  // `registerExternalTools()`. Called at init time (not spread into
+  // `explicitTools`) so registrations that happen between module-load
+  // and `initializeTools()` are picked up.
+  const extTools = getExternalTools();
+  for (const tool of extTools) {
+    registerTool(tool);
+  }
+
   // Host tools are registered explicitly so host access stays opt-in until
   // this point in startup, rather than as module side effects.
   const hostTools = [
@@ -272,13 +323,14 @@ export async function initializeTools(): Promise<void> {
   // arbitrary test tools that were registered before init.
   //
   // A pre-existing tool is included only if it is a known manifest tool
-  // (declared in eagerModuleToolNames, explicitTools, or hostTools).
-  // This handles ESM cache hits where eager-module tools are already in
-  // the registry before init ran.
+  // (declared in eagerModuleToolNames, explicitTools, hostTools, or any
+  // registered external skill tool).  This handles ESM cache hits where
+  // eager-module tools are already in the registry before init ran.
   if (!coreToolsSnapshot) {
     const manifestToolNames = new Set<string>([
       ...eagerModuleToolNames,
       ...explicitTools.map((t: Tool) => t.name),
+      ...extTools.map((t: Tool) => t.name),
       ...hostTools.map((t: Tool) => t.name),
       ...cesTools.map((t: Tool) => t.name),
       ...allComputerUseTools.map((t: Tool) => t.name),

package/src/tools/side-effects.ts

@@ -12,17 +12,6 @@ const SIDE_EFFECT_TOOLS: ReadonlySet<string> = new Set([
   "bash",
   "host_bash",
   "web_fetch",
-  "browser_navigate",
-  "browser_click",
-  "browser_type",
-  "browser_press_key",
-  "browser_scroll",
-  "browser_select_option",
-  "browser_hover",
-  "browser_close",
-  "browser_attach",
-  "browser_detach",
-  "browser_fill_credential",
   "document_create",
   "document_update",
   "schedule_create",

package/src/tools/skills/execute.ts

@@ -6,7 +6,7 @@ import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 export class SkillExecuteTool implements Tool {
   name = "skill_execute";
   description =
-    "Execute a tool provided by a loaded skill. Use this instead of calling skill tools directly. The skill's instructions (from skill_load) describe available tools and their parameters.";
+    "Execute a tool provided by a loaded skill. Use this instead of calling skill tools directly. The skill's instructions (from skill_load) describe available tools and their parameters. For browser automation, use the `assistant browser` CLI commands instead.";
   category = "skills";
   defaultRiskLevel = RiskLevel.Low;
 
@@ -20,7 +20,7 @@ export class SkillExecuteTool implements Tool {
           tool: {
             type: "string",
             description:
-              "The skill tool name to execute (e.g. 'browser_navigate', 'task_create')",
+              "The skill tool name to execute (e.g. 'task_create', 'deploy_run')",
           },
           input: {
             type: "object",

package/src/tools/skills/sandbox-runner.ts

@@ -152,6 +152,7 @@ function spawnRunner(
       workingDir: context.workingDir,
       conversationId: context.conversationId,
     });
+    env.__CONVERSATION_ID = context.conversationId;
 
     const child = spawn(wrapped.command, wrapped.args, {
       cwd: runDir,
@@ -219,7 +220,8 @@ function spawnRunner(
       if (code !== 0) {
         const truncatedStderr =
           stderr.length > MAX_OUTPUT_CHARS
-            ? safeStringSlice(stderr, 0, MAX_OUTPUT_CHARS) + "\n[stderr truncated]"
+            ? safeStringSlice(stderr, 0, MAX_OUTPUT_CHARS) +
+              "\n[stderr truncated]"
             : stderr;
         resolve({
           content: `Skill tool script "${executorPath}" exited with code ${code}:\n${truncatedStderr}`,
@@ -230,7 +232,8 @@ function spawnRunner(
 
       const truncatedStdout =
         stdout.length > MAX_OUTPUT_CHARS
-          ? safeStringSlice(stdout, 0, MAX_OUTPUT_CHARS) + "\n[stdout truncated]"
+          ? safeStringSlice(stdout, 0, MAX_OUTPUT_CHARS) +
+            "\n[stdout truncated]"
           : stdout;
       resolve({ content: truncatedStdout, isError: false });
     });

package/src/tools/terminal/backends/native.ts

@@ -12,6 +12,35 @@ const log = getLogger("sandbox");
 
 const HASH_DISPLAY_LENGTH = 12;
 
+/**
+ * macOS TCC-protected directories that trigger permission prompts when accessed.
+ * Unconditionally denied in the SBPL sandbox profile to prevent the assistant
+ * from triggering Photos, Contacts, Calendar, etc. dialogs during filesystem
+ * traversal (e.g. `find ~ -name .git`).
+ *
+ * Paths are relative to $HOME. Includes both TCC-protected directories that
+ * trigger prompts for all apps and directories like ~/Desktop and ~/Documents
+ * that are TCC-protected under App Sandbox or Full Disk Access checks.
+ */
+export const MACOS_TCC_PROTECTED_PATHS = [
+  "Desktop",
+  "Documents",
+  "Pictures/Photos Library.photoslibrary",
+  "Library/Photos",
+  "Library/Calendars",
+  "Library/Reminders",
+  "Library/Application Support/AddressBook",
+  "Library/Messages",
+  "Library/Mail",
+  "Library/Safari",
+  "Library/Cookies",
+  "Library/HomeKit",
+  "Library/IdentityServices",
+  "Library/Metadata/CoreSpotlight",
+  "Library/PersonalizationPortrait",
+  "Library/Suggestions",
+];
+
 /**
  * Build a macOS sandbox-exec SBPL profile.
  *
@@ -34,6 +63,18 @@ function buildSandboxProfile(
     ? ";; Allow network access (proxied mode - needed to reach the credential proxy)\n(allow network*)"
     : ";; Block network access\n(deny network*)";
 
+  // Block macOS TCC-protected directories to prevent permission prompts
+  // during filesystem traversal. Placed AFTER (allow file-read*) because
+  // SBPL uses last-match-wins semantics.
+  const home = process.env.HOME ?? "";
+  const tccDenyRules = home
+    ? "\n;; Block macOS TCC-protected directories to prevent permission prompts\n" +
+      MACOS_TCC_PROTECTED_PATHS.map(
+        (rel) =>
+          `(deny file-read* (subpath "${escapeSBPL(join(home, rel))}") (with no-log))`,
+      ).join("\n")
+    : "";
+
   // Build deny-read rules for protected paths (CES shell lockdown).
   // These are placed AFTER the allow file-read* rule because SBPL uses
   // last-match-wins semantics - the more specific deny overrides the
@@ -55,6 +96,13 @@ function buildSandboxProfile(
 
 ;; Allow read access to the filesystem (tools, libraries, etc.)
 (allow file-read*)
+${tccDenyRules}
+
+;; Re-allow reads for the working directory even if it falls under a TCC-denied
+;; subtree (e.g. ~/Desktop/my-project). SBPL is last-match-wins, so this
+;; override must come after the TCC deny rules above but BEFORE the CES
+;; deny-read rules below — credential isolation always takes precedence.
+(allow file-read* (subpath "__WORKING_DIR__"))
 ${denyReadRules}
 
 ;; Allow write access to the working directory and its children
@@ -120,12 +168,13 @@ function getProfilePath(
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true });
   }
-  // Include the network flag and deny-read paths in the hash so profiles
-  // with different configurations don't collide.
+  // Include the network flag, deny-read paths, and HOME in the hash so
+  // profiles with different configurations don't collide.
   let hashInput = allowNetwork ? `${workingDir}:proxied` : workingDir;
   if (denyReadPaths && denyReadPaths.length > 0) {
     hashInput += `:deny-read:${denyReadPaths.sort().join(",")}`;
   }
+  hashInput += `:home:${process.env.HOME ?? ""}`;
   const hash = createHash("sha256")
     .update(hashInput)
     .digest("hex")

package/src/tools/terminal/safe-env.ts

@@ -30,9 +30,11 @@ export const SAFE_ENV_VARS = [
   "VELLUM_DEV",
   "VELLUM_DEBUG",
   "VELLUM_ENVIRONMENT",
+  "BASE_DATA_DIR",
   "VELLUM_WORKSPACE_DIR",
   "CES_BOOTSTRAP_SOCKET_DIR",
   "GATEWAY_INTERNAL_URL",
+  "GATEWAY_SECURITY_DIR",
   "VELLUM_PLATFORM_URL",
   "VELLUM_ASSISTANT_PLATFORM_URL",
   "VELLUM_DOCS_BASE_URL",
@@ -82,8 +84,7 @@ export function buildSanitizedEnv(): Record<string, string> {
   // Ensure UTF-8 locale so multi-byte characters (em dashes, curly quotes,
   // arrows, etc.) survive piping through tools like pbcopy without corruption.
   // macOS (Darwin) does not provide C.UTF-8, so use en_US.UTF-8 there.
-  const utf8Locale =
-    process.platform === "darwin" ? "en_US.UTF-8" : "C.UTF-8";
+  const utf8Locale = process.platform === "darwin" ? "en_US.UTF-8" : "C.UTF-8";
   if (!env.LANG) env.LANG = utf8Locale;
   if (!env.LC_ALL) env.LC_ALL = utf8Locale;
   return env;

package/src/tools/terminal/shell.ts

@@ -306,6 +306,7 @@ class ShellTool implements Tool {
     }
 
     const env = buildSanitizedEnv();
+    env.__CONVERSATION_ID = context.conversationId;
     if (proxyEnv) {
       Object.assign(env, proxyEnv);
     }

package/src/tools/tool-manifest.ts

@@ -29,24 +29,6 @@ import { requestSystemPermissionTool } from "./system/request-permission.js";
 import { shellTool } from "./terminal/shell.js";
 import type { Tool } from "./types.js";
 
-// ── External tool registry ───────────────────────────────────────────
-// Skills register their tools here at initialization time so the tool
-// manifest can include them without importing from `../skills/`.
-const externalTools: Tool[] = [];
-
-/**
- * Register tools provided by an external skill. Called during skill
- * initialization.
- */
-export function registerExternalTools(tools: Tool[]): void {
-  externalTools.push(...tools);
-}
-
-/** Return all externally registered tools. */
-export function getExternalTools(): Tool[] {
-  return [...externalTools];
-}
-
 // ── Eager side-effect modules ───────────────────────────────────────
 // These static imports trigger top-level `registerTool()` side effects on
 // first evaluation. The named imports above serve double duty: they give us
@@ -109,9 +91,12 @@ export const explicitTools: Tool[] = [
   recallTool,
   credentialStoreTool,
   notifyParentTool,
-  // Meet tools are registered via registerExternalTools() during skill
-  // initialization — the assistant never imports directly from skills/.
-  ...getExternalTools(),
+  // NOTE: external skill tools (registered via registerExternalTools in
+  // registry.ts) are intentionally NOT included here. `explicitTools` is a
+  // module-level const whose value is fixed at first evaluation, so
+  // external tools registered after this file loads would be missed.
+  // `initializeTools()` in `registry.ts` calls `getExternalTools()`
+  // separately at runtime so late registrations are picked up.
 ];
 
 // ── CES tools (feature-flag gated) ──────────────────────────────────

package/src/tools/types.ts

@@ -31,6 +31,8 @@ export interface ToolExecutionStartEvent extends ToolLifecycleEventBase {
 export interface ToolPermissionPromptEvent extends ToolLifecycleEventBase {
   type: "permission_prompt";
   riskLevel: string;
+  /** Classifier-provided reason explaining why the risk level was assigned (bash/host_bash only). */
+  riskReason?: string;
   reason: string;
   allowlistOptions: AllowlistOption[];
   scopeOptions: ScopeOption[];
@@ -41,6 +43,8 @@ export interface ToolPermissionPromptEvent extends ToolLifecycleEventBase {
 export interface ToolPermissionDeniedEvent extends ToolLifecycleEventBase {
   type: "permission_denied";
   riskLevel: string;
+  /** Classifier-provided reason explaining why the risk level was assigned (bash/host_bash only). */
+  riskReason?: string;
   decision: "deny" | "always_deny";
   reason: string;
   durationMs: number;
@@ -163,6 +167,8 @@ export interface ToolContext {
   callSessionId?: string;
   /** True when the tool invocation was triggered by a user clicking a surface action button (not a regular message). */
   triggeredBySurfaceAction?: boolean;
+  /** True when the user explicitly approved this tool invocation via the interactive permission prompt (not auto-approved by trust rules or temporary overrides). */
+  approvedViaPrompt?: boolean;
   /**
    * True when the invocation is inside a scheduled task run whose
    * `required_tools` array pre-authorized this tool at task-creation time.
@@ -228,9 +234,12 @@ export interface ToolExecutionResult {
   sensitiveBindings?: SensitiveOutputBinding[];
   /**
    * When true, the agent loop should yield control back to the user after
-   * returning this result. Used by interactive surfaces (tables with action
-   * buttons, file uploads) to force-stop the loop so the LLM cannot bypass
-   * the "wait for user action" instruction.
+   * returning this result — tool results are pushed to history and the loop
+   * breaks without another LLM call. Two callers set this: interactive
+   * surfaces (tables with action buttons, file uploads) that force-stop the
+   * loop so the LLM cannot bypass the "wait for user action" instruction,
+   * and tools like `remember` that expose a `finish_turn` parameter letting
+   * the LLM voluntarily end its turn.
    */
   yieldToUser?: boolean;
   /**

package/src/tools/verification-control-plane-policy.ts

@@ -28,7 +28,7 @@ const VERIFICATION_PATH_REGEX = /\/v1\/channel-verification-sessions/;
 const COMMAND_TOOLS = new Set(["bash", "host_bash"]);
 
 /** Tools whose `input.url` (string) may contain verification endpoint paths. */
-const URL_TOOLS = new Set(["network_request", "web_fetch", "browser_navigate"]);
+const URL_TOOLS = new Set(["network_request", "web_fetch"]);
 
 /**
  * Normalize a string to defeat common URL obfuscation techniques before matching: