@vellumai/assistant 0.7.0 → 0.7.1

package/src/runtime/migrations/vbundle-streaming-validator.ts

@@ -9,7 +9,7 @@
  * This module lets a caller validate a bundle while streaming:
  * - `readAndValidateManifest` consumes the first tar entry (which must be
  *   `manifest.json`), validates the schema, and verifies the self-referencing
- *   `manifest_sha256` against the canonicalized JSON.
+ *   `checksum` against the canonicalized JSON.
  * - `createHashVerifier` returns a passthrough `Transform` that hashes bytes
  *   flowing through it and errors the pipeline if the final digest or byte
  *   count does not match the expected values from the manifest.
@@ -24,9 +24,12 @@ import { Transform, type TransformCallback } from "node:stream";
 
 import type { StreamedTarEntry } from "./vbundle-tar-stream.js";
 import {
-  computeManifestSha256,
+  computeLegacyManifestSha256,
+  computeManifestChecksum,
+  LegacyManifestSchema,
   ManifestSchema,
   type ManifestType,
+  translateLegacyManifest,
 } from "./vbundle-validator.js";
 
 // ---------------------------------------------------------------------------
@@ -35,7 +38,7 @@ import {
 
 export interface ManifestReadResult {
   manifest: ManifestType;
-  /** Fast lookup from archive path -> expected sha256 + size (from manifest.files). */
+  /** Fast lookup from archive path -> expected sha256 + size (from manifest.contents). */
   expected: Map<string, { sha256: string; size: number }>;
 }
 
@@ -75,7 +78,7 @@ const MANIFEST_MAX_BYTES = 1 * 1024 * 1024;
  *   2. Size cap (1 MiB).
  *   3. JSON parse.
  *   4. Zod schema validation.
- *   5. Self-referencing `manifest_sha256` verification against the
+ *   5. Self-referencing `checksum` verification against the
  *      canonicalized JSON (minus that field).
  *
  * On success, returns the parsed manifest plus a `Map` keyed by archive
@@ -131,39 +134,58 @@ export async function readAndValidateManifest(
     );
   }
 
+  // Try the v1 schema first; fall back to the legacy six-field shape so
+  // existing on-disk bundles (backup snapshots, cross-version migrations)
+  // keep streaming-validating after upgrade. AGENTS.md prohibits silent
+  // breaks of persisted state.
   const parseResult = ManifestSchema.safeParse(manifestRaw);
-  if (!parseResult.success) {
-    const issues = parseResult.error.issues
-      .map((i) => `${i.path.join(".") || "<root>"}: ${i.message}`)
-      .join("; ");
-    throw new StreamingValidationError(
-      "manifest_schema",
-      `manifest.json failed schema validation: ${issues}`,
-    );
-  }
-
-  const manifest = parseResult.data;
+  let manifest: ManifestType;
 
-  // Recompute the self-referencing checksum using the exact canonicalization
-  // that vbundle-validator.ts uses. Any drift here would silently reject
-  // valid bundles produced by buildVBundle.
-  const computed = computeManifestSha256(manifestRaw);
-  if (computed !== manifest.manifest_sha256) {
-    throw new StreamingValidationError(
-      "manifest_sha256",
-      `Manifest checksum mismatch: expected ${manifest.manifest_sha256}, computed ${computed}`,
-    );
+  if (parseResult.success) {
+    manifest = parseResult.data;
+    // Recompute the self-referencing checksum using the exact canonicalization
+    // that vbundle-validator.ts uses. Any drift here would silently reject
+    // valid bundles produced by buildVBundle.
+    const computed = computeManifestChecksum(manifestRaw);
+    if (computed !== manifest.checksum) {
+      throw new StreamingValidationError(
+        "manifest_sha256",
+        `Manifest checksum mismatch: expected ${manifest.checksum}, computed ${computed}`,
+      );
+    }
+  } else {
+    const legacyParse = LegacyManifestSchema.safeParse(manifestRaw);
+    if (!legacyParse.success) {
+      const issues = parseResult.error.issues
+        .map((i) => `${i.path.join(".") || "<root>"}: ${i.message}`)
+        .join("; ");
+      throw new StreamingValidationError(
+        "manifest_schema",
+        `manifest.json failed schema validation: ${issues}`,
+      );
+    }
+    const legacy = legacyParse.data;
+    // Verify the legacy checksum using the OLD canonicalization (strip the
+    // field entirely; do NOT replace with "").
+    const computedLegacy = computeLegacyManifestSha256(manifestRaw);
+    if (computedLegacy !== legacy.manifest_sha256) {
+      throw new StreamingValidationError(
+        "manifest_sha256",
+        `Manifest checksum mismatch: expected ${legacy.manifest_sha256}, computed ${computedLegacy}`,
+      );
+    }
+    manifest = translateLegacyManifest(legacy);
   }
 
   const expected = new Map<string, { sha256: string; size: number }>();
-  for (const file of manifest.files) {
+  for (const file of manifest.contents) {
     if (expected.has(file.path)) {
       throw new StreamingValidationError(
         "manifest_duplicate_path",
         `Manifest contains duplicate entry for path: ${file.path}`,
       );
     }
-    expected.set(file.path, { sha256: file.sha256, size: file.size });
+    expected.set(file.path, { sha256: file.sha256, size: file.size_bytes });
   }
 
   return { manifest, expected };

package/src/runtime/migrations/vbundle-validator.ts

@@ -5,7 +5,6 @@
  * - manifest.json: metadata with schema_version, checksums, and bundle info
  * - workspace/: the entire workspace directory tree (new format), OR
  *   data/db/assistant.db + config/settings.json (old format)
- * - trust/trust.json: trust rules (optional)
  *
  * Validation steps:
  * 1. Archive structure: valid gzip tar with required entries
@@ -14,32 +13,179 @@
  * 4. Per-file content integrity: SHA-256 of each file matches manifest checksums
  */
 
-import { createHash } from "node:crypto";
+import { createHash, randomUUID } from "node:crypto";
 import { gunzipSync } from "node:zlib";
 
 import { z } from "zod";
 
 // ---------------------------------------------------------------------------
-// Manifest schema
+// Manifest schema (v1)
 // ---------------------------------------------------------------------------
 
 const ManifestFileEntry = z.object({
+  path: z.string().min(1),
+  sha256: z.string().regex(/^[0-9a-f]{64}$/),
+  size_bytes: z.number().int().nonnegative(),
+});
+
+const AssistantInfo = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1),
+  runtime_version: z.string().min(1),
+});
+
+const Origin = z.object({
+  mode: z.enum(["managed", "self-hosted-remote", "self-hosted-local"]),
+  platform_version: z.string().optional(),
+  hostname: z.string().optional(),
+});
+
+const Compatibility = z.object({
+  min_runtime_version: z.string().min(1),
+  max_runtime_version: z.string().nullable(),
+});
+
+const ExportOptions = z.object({
+  include_logs: z.boolean(),
+  include_browser_state: z.boolean(),
+  include_memory_vectors: z.boolean(),
+});
+
+export const ManifestSchema = z
+  .object({
+    schema_version: z.literal(1),
+    bundle_id: z.string().uuid(),
+    created_at: z.string().datetime({ offset: true }),
+    assistant: AssistantInfo,
+    origin: Origin,
+    compatibility: Compatibility,
+    contents: z.array(ManifestFileEntry),
+    checksum: z.string().regex(/^[0-9a-f]{64}$/),
+    secrets_redacted: z.boolean(),
+    export_options: ExportOptions,
+  })
+  .refine((m) => m.origin.mode !== "managed" || m.secrets_redacted === true, {
+    message: "secrets_redacted must be true when origin.mode is 'managed'",
+    path: ["secrets_redacted"],
+  })
+  .refine(
+    (m) =>
+      m.contents.some(
+        (f) =>
+          f.path === "data/db/assistant.db" ||
+          f.path === "workspace/data/db/assistant.db",
+      ),
+    {
+      message:
+        "contents must include an entry for data/db/assistant.db (legacy format) or workspace/data/db/assistant.db (current format)",
+      path: ["contents"],
+    },
+  );
+
+export type ManifestFileEntryType = z.infer<typeof ManifestFileEntry>;
+export type ManifestType = z.infer<typeof ManifestSchema>;
+
+// ---------------------------------------------------------------------------
+// Legacy manifest schema (pre-v1, six-field shape)
+// ---------------------------------------------------------------------------
+//
+// Older runtime versions wrote a six-field manifest with `schema_version: "1.0"`,
+// `files`, `size` (per-entry), and a self-referencing `manifest_sha256` field.
+// Existing on-disk artifacts produced by those versions — backup snapshots,
+// cross-version migration bundles — must keep validating after upgrade,
+// per AGENTS.md "no silent breaks of persisted state".
+//
+// We accept legacy bundles via a fallback parse + translator so the rest of
+// the validation pipeline (per-file hash + size verification) only ever sees
+// the v1 shape.
+
+const LegacyManifestFileEntry = z.object({
   path: z.string(),
   sha256: z.string(),
   size: z.number().int().nonnegative(),
 });
 
-export const ManifestSchema = z.object({
+export const LegacyManifestSchema = z.object({
   schema_version: z.string(),
   created_at: z.string(),
   source: z.string().optional(),
   description: z.string().optional(),
-  files: z.array(ManifestFileEntry),
+  files: z.array(LegacyManifestFileEntry),
   manifest_sha256: z.string(),
 });
 
-export type ManifestFileEntryType = z.infer<typeof ManifestFileEntry>;
-export type ManifestType = z.infer<typeof ManifestSchema>;
+export type LegacyManifestType = z.infer<typeof LegacyManifestSchema>;
+
+/**
+ * Recompute the legacy `manifest_sha256` field — strips the field entirely
+ * (rather than emptying it) before canonicalizing, matching the pre-v1
+ * producer behavior. Required so legacy bundles whose checksum was computed
+ * the old way still verify after upgrade.
+ */
+export function computeLegacyManifestSha256(manifest: unknown): string {
+  const copy = { ...(manifest as Record<string, unknown>) };
+  delete copy.manifest_sha256;
+  return sha256Hex(canonicalizeJson(copy));
+}
+
+/**
+ * Coerce a legacy ISO-ish `created_at` into the v1 datetime regex shape.
+ * Pre-v1 producers always wrote `new Date().toISOString()`, which already
+ * has the `Z` suffix the v1 regex requires; this helper is defensive against
+ * any historical producer that omitted the offset/`Z`.
+ */
+function coerceLegacyCreatedAt(raw: string): string {
+  // If the string already parses as a Date, keep it as the canonical ISO form.
+  const parsed = new Date(raw);
+  if (!Number.isNaN(parsed.getTime())) {
+    // `toISOString()` always emits the `...Z` form the v1 regex accepts.
+    return parsed.toISOString();
+  }
+  return raw;
+}
+
+/**
+ * Translate a parsed legacy manifest into a v1 `ManifestType` so the rest of
+ * the validator pipeline can operate on a uniform shape.
+ *
+ * Legacy bundles never carried assistant identity, origin, compatibility, or
+ * export-option signals; we substitute conservative placeholders that satisfy
+ * the v1 schema's `.refine()` rules without misrepresenting the source bundle.
+ */
+export function translateLegacyManifest(
+  legacy: LegacyManifestType,
+): ManifestType {
+  return {
+    schema_version: 1,
+    bundle_id: randomUUID(),
+    created_at: coerceLegacyCreatedAt(legacy.created_at),
+    assistant: {
+      id: "self",
+      name: "Assistant",
+      runtime_version: "0.0.0-legacy",
+    },
+    // Legacy bundles came from the local self-hosted exporter; the
+    // conservative default is "self-hosted-local" so the v1 managed/secrets
+    // refine never trips on a translated legacy bundle.
+    origin: { mode: "self-hosted-local" },
+    compatibility: {
+      min_runtime_version: "0.0.0-legacy",
+      max_runtime_version: null,
+    },
+    contents: legacy.files.map((f) => ({
+      path: f.path,
+      sha256: f.sha256,
+      size_bytes: f.size,
+    })),
+    checksum: legacy.manifest_sha256,
+    secrets_redacted: false,
+    export_options: {
+      include_logs: false,
+      include_browser_state: false,
+      include_memory_vectors: false,
+    },
+  };
+}
 
 // ---------------------------------------------------------------------------
 // Validation result types
@@ -190,14 +336,16 @@ export function canonicalizeJson(obj: unknown): string {
 }
 
 /**
- * Recompute the `manifest_sha256` field for a manifest object. Strips the
- * `manifest_sha256` property, canonicalizes the remaining JSON, and returns
- * the SHA-256 hex digest. Centralized here so the streaming validator and
- * the in-memory validator agree on the exact canonicalization.
+ * Recompute the `checksum` field for a manifest object.
+ *
+ * The v1 schema spec says the checksum is computed over the canonicalized
+ * manifest with the `checksum` field set to the empty string (not absent),
+ * so we replace it before canonicalizing — both producers and validators
+ * must agree on this exact wire shape. Centralized here so the streaming
+ * validator and the in-memory validator agree on the exact canonicalization.
  */
-export function computeManifestSha256(manifest: unknown): string {
-  const copy = { ...(manifest as Record<string, unknown>) };
-  delete copy.manifest_sha256;
+export function computeManifestChecksum(manifest: unknown): string {
+  const copy = { ...(manifest as Record<string, unknown>), checksum: "" };
   return sha256Hex(canonicalizeJson(copy));
 }
 
@@ -218,7 +366,7 @@ const MAX_DECOMPRESSED_SIZE = 2 * 1024 * 1024 * 1024;
  * Performs four validation passes:
  * 1. Archive structure (gzip decompression, tar parsing, required entries)
  * 2. Manifest schema (Zod validation of manifest.json)
- * 3. Manifest checksum (SHA-256 of canonicalized JSON without manifest_sha256)
+ * 3. Manifest checksum (SHA-256 of canonicalized JSON with the `checksum` field set to empty string)
  * 4. Per-file content integrity (SHA-256 of each file vs manifest declaration)
  */
 export function validateVBundle(data: Uint8Array): VBundleValidationResult {
@@ -293,39 +441,64 @@ export function validateVBundle(data: Uint8Array): VBundleValidationResult {
     return { is_valid: false, errors };
   }
 
+  // Try the v1 schema first. If that fails, fall back to the legacy six-field
+  // shape so existing on-disk bundles (backup snapshots, cross-version
+  // migrations) keep validating after upgrade. AGENTS.md prohibits silent
+  // breaks of persisted state.
   const parseResult = ManifestSchema.safeParse(manifestRaw);
-  if (!parseResult.success) {
-    for (const issue of parseResult.error.issues) {
+  let manifest: ManifestType;
+
+  if (parseResult.success) {
+    manifest = parseResult.data;
+
+    // Step 5 (v1): Verify manifest checksum — SHA-256 of canonicalized JSON
+    // with the `checksum` field replaced by an empty string.
+    const computedChecksum = computeManifestChecksum(manifestRaw);
+    if (computedChecksum !== manifest.checksum) {
       errors.push({
-        code: "MANIFEST_SCHEMA_ERROR",
-        message: `Manifest validation error at ${issue.path.join(".")}: ${
-          issue.message
-        }`,
-        path: `manifest.json/${issue.path.join(".")}`,
+        code: "MANIFEST_CHECKSUM_MISMATCH",
+        message: `Manifest checksum mismatch: expected ${manifest.checksum}, computed ${computedChecksum}`,
+        path: "manifest.json",
       });
     }
-    return { is_valid: false, errors };
-  }
-
-  const manifest = parseResult.data;
+  } else {
+    const legacyParse = LegacyManifestSchema.safeParse(manifestRaw);
+    if (!legacyParse.success) {
+      // Truly malformed — surface the v1 error for the clearer error trail.
+      for (const issue of parseResult.error.issues) {
+        errors.push({
+          code: "MANIFEST_SCHEMA_ERROR",
+          message: `Manifest validation error at ${issue.path.join(".")}: ${
+            issue.message
+          }`,
+          path: `manifest.json/${issue.path.join(".")}`,
+        });
+      }
+      return { is_valid: false, errors };
+    }
 
-  // Step 5: Verify manifest checksum
-  // The manifest_sha256 field is the SHA-256 of the canonicalized JSON
-  // with the manifest_sha256 field itself excluded.
-  const computedManifestSha256 = computeManifestSha256(manifestRaw);
+    // Step 5 (legacy): Verify the legacy `manifest_sha256` using the OLD
+    // canonicalization (strip the field entirely; do NOT replace with "").
+    const legacy = legacyParse.data;
+    const computedLegacyChecksum = computeLegacyManifestSha256(manifestRaw);
+    if (computedLegacyChecksum !== legacy.manifest_sha256) {
+      errors.push({
+        code: "MANIFEST_CHECKSUM_MISMATCH",
+        message: `Manifest checksum mismatch: expected ${legacy.manifest_sha256}, computed ${computedLegacyChecksum}`,
+        path: "manifest.json",
+      });
+      return { is_valid: false, errors };
+    }
 
-  if (computedManifestSha256 !== manifest.manifest_sha256) {
-    errors.push({
-      code: "MANIFEST_CHECKSUM_MISMATCH",
-      message: `Manifest checksum mismatch: expected ${manifest.manifest_sha256}, computed ${computedManifestSha256}`,
-      path: "manifest.json",
-    });
+    // Translate to v1 so the rest of the pipeline (per-file hash + size
+    // verification, refine rules) sees a uniform shape.
+    manifest = translateLegacyManifest(legacy);
   }
 
   // Step 6: Verify per-file content integrity
-  const manifestFilePaths = new Set(manifest.files.map((f) => f.path));
+  const manifestFilePaths = new Set(manifest.contents.map((f) => f.path));
 
-  for (const fileEntry of manifest.files) {
+  for (const fileEntry of manifest.contents) {
     const archiveEntry = entryMap.get(fileEntry.path);
     if (!archiveEntry) {
       errors.push({
@@ -337,10 +510,10 @@ export function validateVBundle(data: Uint8Array): VBundleValidationResult {
     }
 
     // Verify size
-    if (archiveEntry.size !== fileEntry.size) {
+    if (archiveEntry.size !== fileEntry.size_bytes) {
       errors.push({
         code: "FILE_SIZE_MISMATCH",
-        message: `Size mismatch for ${fileEntry.path}: manifest declares ${fileEntry.size} bytes, archive has ${archiveEntry.size} bytes`,
+        message: `Size mismatch for ${fileEntry.path}: manifest declares ${fileEntry.size_bytes} bytes, archive has ${archiveEntry.size} bytes`,
         path: fileEntry.path,
       });
     }
@@ -364,7 +537,7 @@ export function validateVBundle(data: Uint8Array): VBundleValidationResult {
     if (!manifestFilePaths.has(required)) {
       errors.push({
         code: "REQUIRED_FILE_NOT_IN_MANIFEST",
-        message: `Required file ${required} exists in archive but has no checksum entry in manifest.files`,
+        message: `Required file ${required} exists in archive but has no checksum entry in manifest.contents`,
         path: required,
       });
     }

package/src/runtime/pending-interactions.ts

@@ -13,7 +13,6 @@
  * resolve the interaction.
  */
 
-import type { Conversation } from "../daemon/conversation.js";
 import type { UserDecision } from "../permissions/types.js";
 
 export interface ConfirmationDetails {
@@ -39,7 +38,6 @@ export interface ConfirmationDetails {
 }
 
 export interface PendingInteraction {
-  conversation: Conversation | null;
   conversationId: string;
   kind:
     | "confirmation"
@@ -112,10 +110,10 @@ export function getByConversation(
  * /v1/host-transfer-result after completing the operation, get a 404, and the
  * proxy timer would fire with a spurious timeout error.
  */
-export function removeByConversation(conversation: Conversation): void {
+export function removeByConversation(conversationId: string): void {
   for (const [requestId, interaction] of pending) {
     if (
-      interaction.conversation === conversation &&
+      interaction.conversationId === conversationId &&
       interaction.kind !== "host_bash" &&
       interaction.kind !== "host_file" &&
       interaction.kind !== "host_cu" &&
@@ -143,6 +141,17 @@ export function getByKind(
   return results;
 }
 
+/**
+ * Return all pending interactions across all conversations.
+ */
+export function getAll(): Array<{ requestId: string } & PendingInteraction> {
+  const results: Array<{ requestId: string } & PendingInteraction> = [];
+  for (const [requestId, interaction] of pending) {
+    results.push({ requestId, ...interaction });
+  }
+  return results;
+}
+
 /** Clear all pending interactions. Useful for testing. */
 export function clear(): void {
   pending.clear();

package/src/runtime/routes/__tests__/acp-routes.test.ts

@@ -41,7 +41,6 @@ mock.module("../../../acp/index.js", () => ({
   getAcpSessionManager: () => ({
     getStatus: () => fakeInMemorySessions,
   }),
-  broadcastToAllClients: null,
 }));
 
 import { getSqlite } from "../../../memory/db-connection.js";

package/src/runtime/routes/__tests__/backup-routes.test.ts

@@ -26,6 +26,7 @@ import type { BackupRunResult } from "../../../backup/backup-worker.js";
 import type { RestoreResult, VerifyResult } from "../../../backup/restore.js";
 import type { BackupConfig } from "../../../config/schema.js";
 import { BackupConfigSchema } from "../../../config/schema.js";
+import type { ManifestType } from "../../migrations/vbundle-validator.js";
 
 // ---------------------------------------------------------------------------
 // Module mocks — must appear before any imports of the module under test
@@ -144,13 +145,31 @@ interface VerifyCall {
 
 let lastRestoreArgs: RestoreCall | null = null;
 let lastVerifyArgs: VerifyCall | null = null;
-let mockRestoreResult: RestoreResult = {
-  manifest: {
-    schema_version: "1.0",
+
+function makeV1Manifest(): ManifestType {
+  return {
+    schema_version: 1,
+    bundle_id: "00000000-0000-4000-8000-000000000000",
     created_at: "2026-04-11T10:00:00.000Z",
-    files: [],
-    manifest_sha256: "0".repeat(64),
-  } as unknown as RestoreResult["manifest"],
+    assistant: { id: "self", name: "Test", runtime_version: "0.0.0-test" },
+    origin: { mode: "self-hosted-local" },
+    compatibility: {
+      min_runtime_version: "0.0.0-test",
+      max_runtime_version: null,
+    },
+    contents: [],
+    checksum: "0".repeat(64),
+    secrets_redacted: false,
+    export_options: {
+      include_logs: false,
+      include_browser_state: false,
+      include_memory_vectors: false,
+    },
+  };
+}
+
+let mockRestoreResult: RestoreResult = {
+  manifest: makeV1Manifest(),
   restoredFiles: 0,
 };
 let mockRestoreError: Error | null = null;
@@ -236,12 +255,7 @@ beforeEach(() => {
   lastVerifyArgs = null;
   mockRestoreError = null;
   mockRestoreResult = {
-    manifest: {
-      schema_version: "1.0",
-      created_at: "2026-04-11T10:00:00.000Z",
-      files: [],
-      manifest_sha256: "0".repeat(64),
-    } as unknown as RestoreResult["manifest"],
+    manifest: makeV1Manifest(),
     restoredFiles: 0,
   };
   mockVerifyResult = { valid: true };
@@ -465,7 +479,7 @@ describe("handleBackupCreate", () => {
     await handleBackupCreate();
     expect(mockReadBackupKeyCalls).toBe(0);
     const keyFileExists = await import("node:fs").then((m) =>
-      m.existsSync(join(ROOT, "workspace", "protected", "backup.key")),
+      m.existsSync(join(ROOT, "workspace", ".backup.key")),
     );
     expect(keyFileExists).toBe(false);
   });
@@ -768,12 +782,7 @@ describe("handleBackupVerify", () => {
     mockReadBackupKeyCalls = 0;
     mockVerifyResult = {
       valid: true,
-      manifest: {
-        schema_version: "1.0",
-        created_at: "2026-04-11T10:00:00.000Z",
-        files: [],
-        manifest_sha256: "0".repeat(64),
-      } as unknown as VerifyResult["manifest"],
+      manifest: makeV1Manifest(),
     };
 
     const result = (await handleBackupVerify({