@vellumai/assistant 0.6.5 → 0.6.6

package/src/tools/permission-checker.ts

@@ -1,13 +1,15 @@
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
+import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
-import { getHookManager } from "../hooks/manager.js";
 import { resolveThreshold } from "../permissions/approval-policy.js";
 import {
   check,
   classifyRisk,
   generateAllowlistOptions,
   generateScopeOptions,
+  getCachedAssessment,
 } from "../permissions/checker.js";
+import { getAutoApproveThreshold } from "../permissions/gateway-threshold-reader.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import { addRule } from "../permissions/trust-store.js";
 import { RiskLevel } from "../permissions/types.js";
@@ -35,8 +37,27 @@ export type PermissionDecision =
       decision: string;
       riskLevel: string;
       wasPrompted?: boolean;
+      /** Risk metadata from the classifier assessment cache (when available). */
+      riskMeta?: {
+        riskLevel: string;
+        riskReason: string;
+        riskScopeOptions: Array<{ pattern: string; label: string }>;
+        isContainerized?: boolean;
+      };
     }
-  | { allowed: false; decision: string; riskLevel: string; content: string };
+  | {
+      allowed: false;
+      decision: string;
+      riskLevel: string;
+      content: string;
+      /** Risk metadata from the classifier assessment cache (when available). */
+      riskMeta?: {
+        riskLevel: string;
+        riskReason: string;
+        riskScopeOptions: Array<{ pattern: string; label: string }>;
+        isContainerized?: boolean;
+      };
+    };
 
 export class PermissionChecker {
   private prompter: PermissionPrompter;
@@ -58,10 +79,6 @@ export class PermissionChecker {
     context: ToolContext,
     executionTarget: ExecutionTarget,
     emitLifecycleEvent: (event: ToolLifecycleEvent) => void,
-    sanitizeToolInput: (
-      toolName: string,
-      input: Record<string, unknown>,
-    ) => Record<string, unknown>,
     startTime: number,
     computePreviewDiff: (
       toolName: string,
@@ -111,6 +128,19 @@ export class PermissionChecker {
     );
     const riskLevel: string = risk;
 
+    // Look up the cached assessment to extract risk metadata for the tool result.
+    // This is populated by classifyRisk() for classifier-backed tools (bash, file, web, skill).
+    // For tools without classifiers (e.g. MCP tools), the cache returns undefined.
+    const cachedAssessment = getCachedAssessment(name, input);
+    const riskMeta = cachedAssessment
+      ? {
+          riskLevel: cachedAssessment.riskLevel,
+          riskReason: cachedAssessment.reason,
+          riskScopeOptions: cachedAssessment.scopeOptions,
+          isContainerized: getIsContainerized(),
+        }
+      : undefined;
+
     // Wrap the rest of permission evaluation so that any exception
     // carries the classified risk level back to the caller. Without
     // this, the executor's catch block would fall back to the default
@@ -179,6 +209,7 @@ export class PermissionChecker {
           decision: "denied",
           riskLevel,
           content: result.reason,
+          riskMeta,
         };
       }
 
@@ -199,7 +230,12 @@ export class PermissionChecker {
           { toolName: name, riskLevel },
           "Auto-approving bash tool for platform-hosted guardian session",
         );
-        return { allowed: true, decision: "platform_auto_approve", riskLevel };
+        return {
+          allowed: true,
+          decision: "platform_auto_approve",
+          riskLevel,
+          riskMeta,
+        };
       }
 
       if (result.decision === "prompt") {
@@ -218,39 +254,50 @@ export class PermissionChecker {
         const isDynamicSkillLoad =
           result.matchedRule?.pattern.startsWith("skill_load_dynamic:") ===
           true;
-        const bgThreshold = resolveThreshold(
-          cfg.permissions.autoApproveUpTo,
-          "background",
-        );
-        const thresholdOrdinal: Record<string, number> = {
-          none: -1,
-          low: 0,
-          medium: 1,
-        };
-        const riskOrdinal: Record<string, number> = {
-          [RiskLevel.Low]: 0,
-          [RiskLevel.Medium]: 1,
-          [RiskLevel.High]: 2,
-        };
-        const withinThreshold =
-          (riskOrdinal[riskLevel] ?? 2) <= (thresholdOrdinal[bgThreshold] ?? 0);
         if (
           context.isInteractive === false &&
           context.trustClass === "guardian" &&
           !context.requireFreshApproval &&
           !isDynamicSkillLoad &&
-          !v2ForcePrompt &&
-          withinThreshold
+          !v2ForcePrompt
         ) {
-          log.info(
-            { toolName: name, riskLevel },
-            "Auto-approving for non-interactive guardian session",
+          // Use gateway threshold when v3 is enabled, falling back to config.
+          // getAutoApproveThreshold returns from cache (populated by check() above).
+          // Deferred inside the non-interactive branch so interactive prompts
+          // don't pay the gateway I/O cost.
+          const gatewayBgThreshold = await getAutoApproveThreshold(
+            context.conversationId,
+            "background",
           );
-          return {
-            allowed: true,
-            decision: "guardian_auto_approve",
-            riskLevel,
+          const bgThreshold =
+            gatewayBgThreshold ??
+            resolveThreshold(cfg.permissions.autoApproveUpTo, "background");
+          const thresholdOrdinal: Record<string, number> = {
+            none: -1,
+            low: 0,
+            medium: 1,
+            high: 2,
+          };
+          const riskOrdinal: Record<string, number> = {
+            [RiskLevel.Low]: 0,
+            [RiskLevel.Medium]: 1,
+            [RiskLevel.High]: 2,
           };
+          const withinThreshold =
+            (riskOrdinal[riskLevel] ?? 2) <=
+            (thresholdOrdinal[bgThreshold] ?? 0);
+          if (withinThreshold) {
+            log.info(
+              { toolName: name, riskLevel },
+              "Auto-approving for non-interactive guardian session",
+            );
+            return {
+              allowed: true,
+              decision: "guardian_auto_approve",
+              riskLevel,
+              riskMeta,
+            };
+          }
         }
 
         // Non-interactive sessions have no client to respond to prompts -
@@ -280,6 +327,7 @@ export class PermissionChecker {
             decision: "denied",
             riskLevel,
             content: `Permission denied: tool "${name}" requires user approval but no interactive client is connected. The tool was not executed. To allow this tool in non-interactive sessions, add a trust rule via permission settings.`,
+            riskMeta,
           };
         }
 
@@ -304,7 +352,12 @@ export class PermissionChecker {
             },
             "Temporary approval override active - auto-approving without prompt",
           );
-          return { allowed: true, decision: "temporary_override", riskLevel };
+          return {
+            allowed: true,
+            decision: "temporary_override",
+            riskLevel,
+            riskMeta,
+          };
         }
 
         const previewDiff = computePreviewDiff(name, input, context.workingDir);
@@ -353,13 +406,6 @@ export class PermissionChecker {
           persistentDecisionsAllowed: promptOptions.persistentDecisionsAllowed,
         });
 
-        await getHookManager().trigger("permission-request", {
-          toolName: name,
-          input: sanitizeToolInput(name, input),
-          riskLevel,
-          conversationId: context.conversationId,
-        });
-
         const response = await this.prompter.prompt(
           name,
           input,
@@ -374,6 +420,8 @@ export class PermissionChecker {
           promptOptions.temporaryOptionsAvailable,
           context.toolUseId,
           v2ForcePrompt,
+          riskReason,
+          getIsContainerized(),
         );
 
         const decision =
@@ -381,13 +429,6 @@ export class PermissionChecker {
             ? "deny"
             : response.decision;
 
-        await getHookManager().trigger("permission-resolve", {
-          toolName: name,
-          decision,
-          riskLevel,
-          conversationId: context.conversationId,
-        });
-
         if (decision === "deny") {
           const contextualDenial =
             typeof response.decisionContext === "string"
@@ -421,6 +462,7 @@ export class PermissionChecker {
             decision,
             riskLevel,
             content: denialMessage,
+            riskMeta,
           };
         }
 
@@ -470,6 +512,7 @@ export class PermissionChecker {
             decision,
             riskLevel,
             content: denialMessage,
+            riskMeta,
           };
         }
 
@@ -523,11 +566,17 @@ export class PermissionChecker {
           );
         }
 
-        return { allowed: true, decision, riskLevel, wasPrompted: true };
+        return {
+          allowed: true,
+          decision,
+          riskLevel,
+          wasPrompted: true,
+          riskMeta,
+        };
       }
 
       // result.decision === 'allow'
-      return { allowed: true, decision: "allow", riskLevel };
+      return { allowed: true, decision: "allow", riskLevel, riskMeta };
     } catch (err) {
       if (err instanceof Error) {
         (err as Error & { riskLevel?: string }).riskLevel = riskLevel;

package/src/tools/policy-context.ts

@@ -34,16 +34,20 @@ export function buildPolicyContext(
 
   const executionContext = deriveExecutionContext(context);
 
+  const conversationId = context?.conversationId;
+
   if (tool.origin === "skill") {
     return {
       executionTarget: tool.executionTarget,
       ephemeralRules: ephemeralRules?.length ? ephemeralRules : undefined,
       executionContext,
+      conversationId,
     };
   }
 
   return {
     ephemeralRules: ephemeralRules?.length ? ephemeralRules : undefined,
     executionContext,
+    conversationId,
   };
 }

package/src/tools/registry.ts

@@ -68,6 +68,12 @@ let coreToolsSnapshot: Map<string, Tool> | null = null;
 // Tools are only removed from the global registry when this drops to 0.
 const skillRefCount = new Map<string, number>();
 
+// Plugin-tool refcount lives in its own namespace so plugin and skill IDs
+// cannot collide in the ref map even if a plugin's `manifest.name` happens to
+// match a skill id. Conflict detection on `tools` (keyed by tool name) is
+// separate and covers the case of two extensions choosing the same tool name.
+const pluginRefCount = new Map<string, number>();
+
 export function registerTool(tool: Tool): void {
   const existing = tools.get(tool.name);
   if (existing) {
@@ -108,10 +114,22 @@ export function registerSkillTools(newTools: Tool[]): Tool[] {
         );
         continue;
       }
-      // Existing is also a skill tool - only allow replacement from the same owner.
-      if (existing.ownerSkillId !== tool.ownerSkillId) {
+      // Existing is from a different origin (plugin/mcp) or a different
+      // skill — skill tools can only replace themselves (hot-reload).
+      if (
+        existing.origin !== "skill" ||
+        existing.ownerSkillId !== tool.ownerSkillId
+      ) {
+        const owner =
+          existing.origin === "skill"
+            ? `skill "${existing.ownerSkillId}"`
+            : existing.origin === "plugin"
+              ? `plugin "${existing.ownerPluginId}"`
+              : existing.origin === "mcp"
+                ? `MCP server "${existing.ownerMcpServerId}"`
+                : `${existing.origin ?? "unknown"}-origin tool`;
         throw new Error(
-          `Skill tool "${tool.name}" is already registered by skill "${existing.ownerSkillId}"`,
+          `Skill tool "${tool.name}" is already registered by ${owner}`,
         );
       }
     }
@@ -136,6 +154,111 @@ export function registerSkillTools(newTools: Tool[]): Tool[] {
   return accepted;
 }
 
+/**
+ * Register tools contributed by a plugin. Stamps `origin: "plugin"` and
+ * `ownerPluginId: pluginName` on every incoming tool so plugin ownership is
+ * tracked in a namespace disjoint from skill tools — if a plugin's
+ * `manifest.name` happens to match a skill id, the two do not share refcount
+ * state or conflict-detection paths.
+ *
+ * Conflict handling mirrors {@link registerSkillTools}: collisions with core
+ * tools log a warning and skip; collisions with tools owned by a different
+ * plugin, skill, or MCP server throw; re-registering the same plugin's own
+ * tool (hot reload) is allowed.
+ *
+ * The stamp is authoritative: any pre-existing `origin` / `ownerPluginId` /
+ * `ownerSkillId` / `ownerMcpServerId` fields on the incoming tools are
+ * overwritten so the bootstrap cannot be spoofed into claiming tools on
+ * behalf of an unrelated extension.
+ */
+export function registerPluginTools(
+  pluginName: string,
+  newTools: Tool[],
+): Tool[] {
+  const stamped: Tool[] = newTools.map((tool) => ({
+    ...tool,
+    origin: "plugin" as const,
+    ownerPluginId: pluginName,
+    ownerSkillId: undefined,
+    ownerMcpServerId: undefined,
+  }));
+
+  const accepted: Tool[] = [];
+  for (const tool of stamped) {
+    const existing = tools.get(tool.name);
+    if (existing) {
+      const existingIsCore = existing.origin === "core" || !existing.origin;
+      if (existingIsCore) {
+        log.warn(
+          { toolName: tool.name, pluginName },
+          `Plugin "${pluginName}" tried to register tool "${tool.name}" which conflicts with a core tool. Skipping.`,
+        );
+        continue;
+      }
+      if (existing.origin === "plugin") {
+        if (existing.ownerPluginId !== pluginName) {
+          throw new Error(
+            `Plugin tool "${tool.name}" is already registered by plugin "${existing.ownerPluginId}"`,
+          );
+        }
+        // Same plugin re-registering its own tool (hot reload) — allow.
+      } else {
+        // Conflict with a skill or MCP-owned tool.
+        throw new Error(
+          `Plugin "${pluginName}" tried to register tool "${tool.name}" which conflicts with a ${existing.origin}-origin tool`,
+        );
+      }
+    }
+    accepted.push(tool);
+  }
+
+  for (const tool of accepted) {
+    tools.set(tool.name, tool);
+    log.info(
+      { name: tool.name, ownerPluginId: tool.ownerPluginId },
+      "Plugin tool registered",
+    );
+  }
+
+  if (accepted.length > 0) {
+    pluginRefCount.set(pluginName, (pluginRefCount.get(pluginName) ?? 0) + 1);
+  }
+
+  return accepted;
+}
+
+/**
+ * Decrement the reference count for a plugin and remove its tools only when
+ * no more references remain. Safe to call when the plugin never contributed
+ * tools (no-op).
+ */
+export function unregisterPluginTools(pluginName: string): void {
+  const current = pluginRefCount.get(pluginName) ?? 0;
+  if (current > 1) {
+    pluginRefCount.set(pluginName, current - 1);
+    log.info(
+      { pluginName, remaining: current - 1 },
+      "Decremented plugin ref count, tools kept",
+    );
+    return;
+  }
+
+  pluginRefCount.delete(pluginName);
+  for (const [name, tool] of tools) {
+    if (tool.origin === "plugin" && tool.ownerPluginId === pluginName) {
+      tools.delete(name);
+      log.info({ name, pluginName }, "Plugin tool unregistered");
+    }
+  }
+}
+
+/**
+ * Return the current reference count for a plugin's tools. Exposed for testing.
+ */
+export function getPluginRefCount(pluginName: string): number {
+  return pluginRefCount.get(pluginName) ?? 0;
+}
+
 /**
  * Decrement the reference count for a skill and remove its tools only when
  * no more sessions reference them.
@@ -190,6 +313,17 @@ export function registerMcpTools(newTools: Tool[]): Tool[] {
         );
         continue;
       }
+      if (existing.origin === "plugin") {
+        log.warn(
+          {
+            toolName: tool.name,
+            serverId: tool.ownerMcpServerId,
+            pluginName: existing.ownerPluginId,
+          },
+          `MCP server "${tool.ownerMcpServerId}" tried to register tool "${tool.name}" which conflicts with plugin tool from "${existing.ownerPluginId}". Skipping.`,
+        );
+        continue;
+      }
       if (
         existing.origin === "mcp" &&
         existing.ownerMcpServerId !== tool.ownerMcpServerId
@@ -341,6 +475,7 @@ export async function initializeTools(): Promise<void> {
     coreToolsSnapshot = new Map<string, Tool>();
     for (const [name, tool] of tools) {
       if (tool.origin === "skill") continue;
+      if (tool.origin === "plugin") continue;
       // Exclude pre-existing tools not declared in the manifest
       if (preExisting.has(name) && !manifestToolNames.has(name)) continue;
       coreToolsSnapshot.set(name, tool);
@@ -363,6 +498,7 @@ export async function initializeTools(): Promise<void> {
 export function __resetRegistryForTesting(): void {
   tools.clear();
   skillRefCount.clear();
+  pluginRefCount.clear();
 
   if (coreToolsSnapshot) {
     for (const [name, tool] of coreToolsSnapshot) {
@@ -379,4 +515,5 @@ export function __resetRegistryForTesting(): void {
 export function __clearRegistryForTesting(): void {
   tools.clear();
   skillRefCount.clear();
+  pluginRefCount.clear();
 }

package/src/tools/schedule/create.ts

@@ -13,7 +13,7 @@ import {
 } from "../../schedule/schedule-store.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
-const VALID_MODES: ScheduleMode[] = ["notify", "execute"];
+const VALID_MODES: ScheduleMode[] = ["notify", "execute", "script"];
 const VALID_ROUTING_INTENTS: RoutingIntent[] = [
   "single_channel",
   "multi_channel",
@@ -33,7 +33,8 @@ export async function executeScheduleCreate(
   }
   const name = input.name as string;
   const timezone = (input.timezone as string) ?? null;
-  const message = input.message as string;
+  const message = (input.message as string) ?? "";
+  const script = (input.script as string) ?? null;
   const enabled = (input.enabled as boolean) ?? true;
   const fireAt = input.fire_at as string | undefined;
   const mode = (input.mode as ScheduleMode | undefined) ?? "execute";
@@ -50,12 +51,6 @@ export async function executeScheduleCreate(
       isError: true,
     };
   }
-  if (!message || typeof message !== "string") {
-    return {
-      content: "Error: message is required and must be a string",
-      isError: true,
-    };
-  }
 
   // Validate mode
   if (!VALID_MODES.includes(mode)) {
@@ -65,6 +60,24 @@ export async function executeScheduleCreate(
     };
   }
 
+  // Mode-specific field validation
+  if (mode === "script") {
+    if (!script || typeof script !== "string") {
+      return {
+        content:
+          "Error: script is required for script mode and must be a non-empty string",
+        isError: true,
+      };
+    }
+  } else {
+    if (!message || typeof message !== "string") {
+      return {
+        content: "Error: message is required and must be a string",
+        isError: true,
+      };
+    }
+  }
+
   // Validate routing_intent
   if (
     routingIntent !== undefined &&
@@ -107,6 +120,7 @@ export async function executeScheduleCreate(
         cronExpression: null,
         timezone,
         message,
+        script,
         enabled,
         syntax: "cron",
         expression: null,
@@ -185,6 +199,7 @@ export async function executeScheduleCreate(
       cronExpression: resolved.expression,
       timezone,
       message,
+      script,
       enabled,
       syntax: resolved.syntax,
       expression: resolved.expression,

package/src/tools/schedule/update.ts

@@ -16,7 +16,7 @@ import {
 } from "../../schedule/schedule-store.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
-const VALID_MODES: ScheduleMode[] = ["notify", "execute"];
+const VALID_MODES: ScheduleMode[] = ["notify", "execute", "script"];
 const VALID_ROUTING_INTENTS: RoutingIntent[] = [
   "single_channel",
   "multi_channel",
@@ -66,6 +66,7 @@ export async function executeScheduleUpdate(
   if (input.name !== undefined) updates.name = input.name;
   if (input.timezone !== undefined) updates.timezone = input.timezone;
   if (input.message !== undefined) updates.message = input.message;
+  if (input.script !== undefined) updates.script = input.script;
   if (input.enabled !== undefined) updates.enabled = input.enabled;
 
   // Mode validation and pass-through
@@ -163,6 +164,7 @@ export async function executeScheduleUpdate(
         cronExpression?: string;
         timezone?: string | null;
         message?: string;
+        script?: string | null;
         enabled?: boolean;
         syntax?: ScheduleSyntax;
         expression?: string;

package/src/tools/secret-detection-handler.ts

@@ -1,5 +1,4 @@
 import { getConfig } from "../config/loader.js";
-import { getHookManager } from "../hooks/manager.js";
 import { PermissionPrompter } from "../permissions/prompter.js";
 import { RiskLevel } from "../permissions/types.js";
 import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
@@ -46,10 +45,6 @@ export class SecretDetectionHandler {
       context: ToolContext,
       event: ToolLifecycleEvent,
     ) => void,
-    sanitizeToolInput: (
-      toolName: string,
-      input: Record<string, unknown>,
-    ) => Record<string, unknown>,
   ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
     const sdConfig = getConfig().secretDetection;
     if (!sdConfig.enabled || execResult.isError) {
@@ -108,7 +103,6 @@ export class SecretDetectionHandler {
         decision,
         startTime,
         emitLifecycleEvent,
-        sanitizeToolInput,
       );
     }
 
@@ -124,7 +118,6 @@ export class SecretDetectionHandler {
         decision,
         startTime,
         emitLifecycleEvent,
-        sanitizeToolInput,
       );
     }
 
@@ -210,10 +203,6 @@ export class SecretDetectionHandler {
       context: ToolContext,
       event: ToolLifecycleEvent,
     ) => void,
-    sanitizeToolInput: (
-      toolName: string,
-      input: Record<string, unknown>,
-    ) => Record<string, unknown>,
   ): { result: ToolExecutionResult; earlyReturn: boolean } {
     const types = [...new Set(allMatches.map((m) => m.type))].join(", ");
     const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). Configure secretDetection.action to "redact" or "prompt" to allow output.`;
@@ -237,15 +226,6 @@ export class SecretDetectionHandler {
       result: blockedResult,
     });
 
-    void getHookManager().trigger("post-tool-execute", {
-      toolName: name,
-      input: sanitizeToolInput(name, input),
-      riskLevel,
-      isError: true,
-      durationMs,
-      conversationId: context.conversationId,
-    });
-
     return { result: blockedResult, earlyReturn: true };
   }
 
@@ -263,10 +243,6 @@ export class SecretDetectionHandler {
       context: ToolContext,
       event: ToolLifecycleEvent,
     ) => void,
-    sanitizeToolInput: (
-      toolName: string,
-      input: Record<string, unknown>,
-    ) => Record<string, unknown>,
   ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
     const types = [...new Set(allMatches.map((m) => m.type))].join(", ");
 
@@ -288,15 +264,6 @@ export class SecretDetectionHandler {
         durationMs,
       });
 
-      void getHookManager().trigger("post-tool-execute", {
-        toolName: name,
-        input: sanitizeToolInput(name, input),
-        riskLevel,
-        isError: true,
-        durationMs,
-        conversationId: context.conversationId,
-      });
-
       return {
         result: { content: blockedContent, isError: true },
         earlyReturn: true,
@@ -322,15 +289,6 @@ export class SecretDetectionHandler {
         durationMs,
       });
 
-      void getHookManager().trigger("post-tool-execute", {
-        toolName: name,
-        input: sanitizeToolInput(name, input),
-        riskLevel,
-        isError: true,
-        durationMs,
-        conversationId: context.conversationId,
-      });
-
       return {
         result: { content: blockedContent, isError: true },
         earlyReturn: true,
@@ -389,15 +347,6 @@ export class SecretDetectionHandler {
         durationMs,
       });
 
-      void getHookManager().trigger("post-tool-execute", {
-        toolName: name,
-        input: sanitizeToolInput(name, input),
-        riskLevel,
-        isError: true,
-        durationMs,
-        conversationId: context.conversationId,
-      });
-
       return {
         result: { content: blockedContent, isError: true },
         earlyReturn: true,