@vellumai/assistant 0.7.0 → 0.7.1

package/src/tools/host-terminal/host-shell.ts

@@ -20,6 +20,7 @@ import { isAbsolute } from "node:path";
 
 import { getConfig } from "../../config/loader.js";
 import { isCesShellLockdownEnabled } from "../../credential-execution/feature-gates.js";
+import { HostBashProxy } from "../../daemon/host-bash-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import { isUntrustedTrustClass } from "../../runtime/actor-trust-resolver.js";
@@ -191,7 +192,7 @@ class HostShellTool implements Tool {
 
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
-    if (context.hostBashProxy?.isAvailable()) {
+    if (HostBashProxy.instance.isAvailable()) {
       const rawSec =
         typeof input.timeout_seconds === "number"
           ? input.timeout_seconds
@@ -220,7 +221,7 @@ class HostShellTool implements Tool {
 
         const bgId = generateBackgroundToolId();
         const abortController = new AbortController();
-        const proxyPromise = context.hostBashProxy.request(
+        const proxyPromise = HostBashProxy.instance.request(
           {
             command,
             working_dir: rawWorkingDir as string | undefined,
@@ -266,7 +267,7 @@ class HostShellTool implements Tool {
         };
       }
 
-      return context.hostBashProxy.request(
+      return HostBashProxy.instance.request(
         {
           command,
           working_dir: rawWorkingDir as string | undefined,

package/src/tools/network/script-proxy/index.ts

@@ -1,10 +1 @@
-export {
-  createSession,
-  getActiveSession,
-  getOrStartSession,
-  getSessionEnv,
-  getSessionsForConversation,
-  startSession,
-  stopAllSessions,
-  stopSession,
-} from "./session-manager.js";
+export { getOrStartSession, getSessionEnv } from "./session-manager.js";

package/src/tools/permission-checker.ts

@@ -1,4 +1,5 @@
 import { getIsContainerized } from "../config/env-registry.js";
+import { mapApprovalProvenance } from "../permissions/approval-provenance.js";
 import {
   check,
   classifyRisk,
@@ -8,6 +9,7 @@ import {
 } from "../permissions/checker.js";
 import { getAutoApproveThreshold } from "../permissions/gateway-threshold-reader.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
+import type { ApprovalMode, ApprovalReason, RiskThreshold } from "../permissions/types.js";
 import { RiskLevel } from "../permissions/types.js";
 import { getLogger } from "../util/logger.js";
 import { buildPolicyContext } from "./policy-context.js";
@@ -23,6 +25,8 @@ export type PermissionDecision =
       decision: string;
       riskLevel: string;
       wasPrompted?: boolean;
+      /** ID of the trust rule that matched this invocation (if any). Always set when a rule matched, even for non-classifier tools where riskMeta is absent. */
+      matchedTrustRuleId?: string;
       /** Risk metadata from the classifier assessment cache (when available). */
       riskMeta?: {
         riskLevel: string;
@@ -31,12 +35,17 @@ export type PermissionDecision =
         riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
         isContainerized?: boolean;
       };
+      approvalMode?: ApprovalMode;
+      approvalReason?: ApprovalReason;
+      riskThreshold?: RiskThreshold;
     }
   | {
       allowed: false;
       decision: string;
       riskLevel: string;
       content: string;
+      /** ID of the trust rule that matched this invocation (if any). Always set when a rule matched, even for non-classifier tools where riskMeta is absent. */
+      matchedTrustRuleId?: string;
       /** Risk metadata from the classifier assessment cache (when available). */
       riskMeta?: {
         riskLevel: string;
@@ -45,6 +54,9 @@ export type PermissionDecision =
         riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
         isContainerized?: boolean;
       };
+      approvalMode?: ApprovalMode;
+      approvalReason?: ApprovalReason;
+      riskThreshold?: RiskThreshold;
     };
 
 export class PermissionChecker {
@@ -120,6 +132,19 @@ export class PermissionChecker {
         context.signal,
       );
 
+      // Extract the matched rule ID for propagation. Returned as a top-level
+      // field on PermissionDecision so it reaches the executor even when
+      // riskMeta is absent (non-classifier tools like MCP don't populate it).
+      const matchedTrustRuleId = result.matchedRule?.id;
+
+      // Resolved threshold snapshot for provenance. getAutoApproveThreshold
+      // returns from cache (populated by check() above), so this is free.
+      const conversationThreshold = await getAutoApproveThreshold(
+        policyContext.conversationId,
+        policyContext.executionContext,
+      );
+      const riskThreshold = conversationThreshold as RiskThreshold;
+
       // Some callers force prompting for side-effect tools even when a
       // trust/allow rule would auto-allow. Deny decisions are preserved -
       // only allow → prompt promotion happens here.
@@ -155,16 +180,21 @@ export class PermissionChecker {
           requestId: context.requestId,
           riskLevel,
           riskReason,
+          matchedTrustRuleId,
           decision: "deny",
           reason: result.reason,
           durationMs,
         });
+        const provenance = mapApprovalProvenance("denied", { matchedTrustRuleId });
         return {
           allowed: false,
           decision: "denied",
           riskLevel,
           content: result.reason,
+          matchedTrustRuleId,
           riskMeta,
+          ...provenance,
+          riskThreshold,
         };
       }
 
@@ -189,7 +219,10 @@ export class PermissionChecker {
           allowed: true,
           decision: "platform_auto_approve",
           riskLevel,
+          matchedTrustRuleId,
           riskMeta,
+          ...mapApprovalProvenance("platform_auto_approve", {}),
+          riskThreshold,
         };
       }
 
@@ -245,7 +278,10 @@ export class PermissionChecker {
               allowed: true,
               decision: "guardian_auto_approve",
               riskLevel,
+              matchedTrustRuleId,
               riskMeta,
+              ...mapApprovalProvenance("guardian_auto_approve", {}),
+              riskThreshold: bgThreshold as RiskThreshold,
             };
           }
         }
@@ -268,6 +304,7 @@ export class PermissionChecker {
             requestId: context.requestId,
             riskLevel,
             riskReason,
+            matchedTrustRuleId,
             decision: "deny",
             reason: "Non-interactive session: no client to approve prompt",
             durationMs,
@@ -277,7 +314,13 @@ export class PermissionChecker {
             decision: "denied",
             riskLevel,
             content: `Permission denied: tool "${name}" requires user approval but no interactive client is connected. The tool was not executed. To allow this tool in non-interactive sessions, add a trust rule via permission settings.`,
+            matchedTrustRuleId,
             riskMeta,
+            // Do not pass matchedTrustRuleId here: an ask-rule match put us in
+            // the prompt path, but the *reason* for denial is no interactive
+            // client, not a deny rule. Always emit no_interactive_client.
+            ...mapApprovalProvenance("denied", {}),
+            riskThreshold,
           };
         }
 
@@ -352,6 +395,7 @@ export class PermissionChecker {
             requestId: context.requestId,
             riskLevel,
             riskReason,
+            matchedTrustRuleId,
             decision: "deny",
             reason: denialReason,
             durationMs,
@@ -361,7 +405,14 @@ export class PermissionChecker {
             decision,
             riskLevel,
             content: denialMessage,
+            matchedTrustRuleId,
             riskMeta,
+            ...mapApprovalProvenance(decision, {
+              wasTimeout: response.wasTimeout,
+              wasSystemCancel: response.wasSystemCancel,
+              wasAbort: response.wasAbort,
+            }),
+            riskThreshold,
           };
         }
 
@@ -370,12 +421,26 @@ export class PermissionChecker {
           decision,
           riskLevel,
           wasPrompted: true,
+          matchedTrustRuleId,
           riskMeta,
+          ...mapApprovalProvenance(decision, { wasPrompted: true }),
+          riskThreshold,
         };
       }
 
       // result.decision === 'allow'
-      return { allowed: true, decision: "allow", riskLevel, riskMeta };
+      return {
+        allowed: true,
+        decision: "allow",
+        riskLevel,
+        matchedTrustRuleId,
+        riskMeta,
+        ...mapApprovalProvenance("allow", {
+          hasSandboxAutoApprove: result.hasSandboxAutoApprove,
+          matchedTrustRuleId,
+        }),
+        riskThreshold,
+      };
     } catch (err) {
       if (err instanceof Error) {
         (err as Error & { riskLevel?: string }).riskLevel = riskLevel;

package/src/tools/skills/sandbox-runner.ts

@@ -6,7 +6,6 @@ import { join, resolve } from "node:path";
 import { computeSkillVersionHash } from "../../skills/version-hash.js";
 import { safeStringSlice } from "../../util/unicode.js";
 import { buildSanitizedEnv } from "../terminal/safe-env.js";
-import { wrapCommand } from "../terminal/sandbox.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
 const DEFAULT_TIMEOUT_MS = 30_000;
@@ -138,12 +137,8 @@ function spawnRunner(
     const stderrChunks: Buffer[] = [];
     let timedOut = false;
 
-    // The assistant runs exclusively in Docker or platform-managed
-    // environments where the container provides isolation.
-    const sandboxConfig = { enabled: false } as const;
-
     const bunRunCmd = "bun run __skill_runner.ts";
-    const wrapped = wrapCommand(bunRunCmd, runDir, sandboxConfig);
+    const wrapped = { command: "bash", args: ["-c", "--", bunRunCmd] };
 
     const env = buildSanitizedEnv();
     env.__SKILL_INPUT_JSON = JSON.stringify(input);

package/src/tools/skills/skill-tool-factory.ts

@@ -15,6 +15,31 @@ const riskMap: Record<SkillToolEntry["risk"], RiskLevel> = {
   high: RiskLevel.High,
 };
 
+/**
+ * Validate that all keys in `input` are declared in the tool's input_schema
+ * properties. Returns an error result listing unknown parameters, or undefined
+ * if validation passes.
+ */
+function validateNoUnknownParams(
+  toolName: string,
+  input: Record<string, unknown>,
+  schema: SkillToolEntry["input_schema"],
+): ToolExecutionResult | undefined {
+  const properties = schema?.properties;
+  if (!properties) return undefined;
+
+  const knownKeys = new Set(Object.keys(properties));
+  const unknownKeys = Object.keys(input).filter((k) => !knownKeys.has(k));
+  if (unknownKeys.length === 0) return undefined;
+
+  const listed = unknownKeys.map((k) => `"${k}"`).join(", ");
+  const supported = [...knownKeys].map((k) => `"${k}"`).join(", ");
+  return {
+    content: `Unknown parameter${unknownKeys.length > 1 ? "s" : ""} ${listed} for tool "${toolName}". Supported parameters: ${supported}. Remove unsupported parameters and retry.`,
+    isError: true,
+  };
+}
+
 /**
  * Create a runtime Tool object from a manifest entry.
  * Maps SkillToolEntry metadata to the Tool interface and routes execution
@@ -50,6 +75,13 @@ export function createSkillTool(
       input: Record<string, unknown>,
       context: ToolContext,
     ): Promise<ToolExecutionResult> {
+      const validationError = validateNoUnknownParams(
+        entry.name,
+        input,
+        entry.input_schema,
+      );
+      if (validationError) return validationError;
+
       return runSkillToolScript(skillDir, entry.executor, input, context, {
         target: entry.execution_target,
         expectedSkillVersionHash: versionHash,

package/src/tools/terminal/safe-env.ts

@@ -54,6 +54,7 @@ export const SAFE_ENV_VARS = [
   "VELLUM_PROFILER_MIN_FREE_MB",
   "VELLUM_MEMORY_LIMIT",
   "VELLUM_CPU_LIMIT",
+  "VELLUM_MINIKUBE_STORAGE_SIZE",
   "VELLUM_BACKUP_DIR",
   "VELLUM_BACKUP_KEY_PATH",
 ] as const;

package/src/tools/terminal/shell.ts

@@ -1,7 +1,5 @@
 import type { ChildProcess } from "node:child_process";
 import { spawn } from "node:child_process";
-import { homedir } from "node:os";
-import { dirname, join } from "node:path";
 
 import { getConfig } from "../../config/loader.js";
 import { isCesShellLockdownEnabled } from "../../credential-execution/feature-gates.js";
@@ -11,11 +9,7 @@ import { isUntrustedTrustClass } from "../../runtime/actor-trust-resolver.js";
 import { wakeAgentForOpportunity } from "../../runtime/agent-wake.js";
 import { redactSecrets } from "../../security/secret-scanner.js";
 import { getLogger } from "../../util/logger.js";
-import {
-  getDataDir,
-  getProtectedDir,
-  getWorkspaceDir,
-} from "../../util/platform.js";
+import { getDataDir } from "../../util/platform.js";
 import {
   generateBackgroundToolId,
   isBackgroundToolLimitReached,
@@ -37,7 +31,6 @@ import type {
   ToolExecutionResult,
 } from "../types.js";
 import { buildSanitizedEnv } from "./safe-env.js";
-import { wrapCommand } from "./sandbox.js";
 
 /** Build a credential ref resolution trace for diagnostic logging. */
 function buildCredentialRefTrace(
@@ -48,62 +41,6 @@ function buildCredentialRefTrace(
   return { rawRefs, resolvedIds, unresolvedRefs };
 }
 
-/**
- * Build the list of absolute paths that should be blocked from read access
- * inside the sandbox when CES shell lockdown is active.
- *
- * Blocked paths include:
- * - Gateway security directory (credential store secrets, CES data)
- * - ~/.vellum/workspace/data/db/ - database files that may contain credential metadata
- * - CES bootstrap socket directory (/run/ces-bootstrap/ or CES_BOOTSTRAP_SOCKET_DIR)
- * - CES managed-mode data root (CES_DATA_DIR, or /ces-data when CES_MANAGED_MODE is set)
- */
-function buildCesProtectedPaths(): string[] {
-  const protectedDirs = process.env.GATEWAY_SECURITY_DIR
-    ? [process.env.GATEWAY_SECURITY_DIR]
-    : Array.from(
-        new Set([join(homedir(), ".vellum", "protected"), getProtectedDir()]),
-      );
-  const paths = [...protectedDirs, join(getWorkspaceDir(), "data", "db")];
-
-  // CES bootstrap socket directory - block access to the Unix socket that
-  // accepts RPC commands from the assistant process.
-  const bootstrapSocketDir =
-    process.env["CES_BOOTSTRAP_SOCKET_DIR"] || "/run/ces-bootstrap";
-  paths.push(bootstrapSocketDir);
-
-  // IPC socket directories - block access to the shared emptyDir volumes
-  // used for gateway↔daemon IPC in containerized deployments.
-  const gatewayIpcSocketDir =
-    process.env["GATEWAY_IPC_SOCKET_DIR"] || "/run/gateway-ipc";
-  paths.push(gatewayIpcSocketDir);
-
-  const assistantIpcSocketDir =
-    process.env["ASSISTANT_IPC_SOCKET_DIR"] || "/run/assistant-ipc";
-  paths.push(assistantIpcSocketDir);
-
-  // If a full socket path override is set (without the dir env var), block
-  // its parent directory as well.
-  if (
-    !process.env["CES_BOOTSTRAP_SOCKET_DIR"] &&
-    process.env["CES_BOOTSTRAP_SOCKET"]
-  ) {
-    paths.push(dirname(process.env["CES_BOOTSTRAP_SOCKET"]));
-  }
-
-  // CES managed-mode private data root - in managed deployments the CES
-  // data lives outside the Vellum root, so it isn't covered by the
-  // gateway security directory entry above.
-  const cesDataDir = process.env["CES_DATA_DIR"];
-  if (cesDataDir) {
-    paths.push(cesDataDir);
-  } else if (process.env["CES_MANAGED_MODE"]) {
-    paths.push("/ces-data");
-  }
-
-  return paths;
-}
-
 const log = getLogger("shell-tool");
 
 class ShellTool implements Tool {
@@ -292,10 +229,6 @@ class ShellTool implements Tool {
       "Executing shell command",
     );
 
-    // The assistant runs exclusively in Docker or platform-managed
-    // environments where the container provides isolation.
-    const sandboxConfig = { enabled: false } as const;
-
     // Acquire proxy session if proxied mode is requested.
     // `getOrStartSession` serializes per-conversation so concurrent proxied
     // commands share a single session instead of each creating one.
@@ -337,16 +270,7 @@ class ShellTool implements Tool {
       env.VELLUM_UNTRUSTED_SHELL = "1";
     }
 
-    // CES shell lockdown: build deny-read paths for protected credential
-    // data, the protected dir, and data sub-dirs that contain secrets.
-    const denyReadPaths: string[] | undefined = shellLockdownActive
-      ? buildCesProtectedPaths()
-      : undefined;
-
-    const wrapped = wrapCommand(command, context.workingDir, sandboxConfig, {
-      networkMode,
-      denyReadPaths,
-    });
+    const wrapped = { command: "bash", args: ["-c", "--", command] };
 
     // -----------------------------------------------------------------------
     // Background mode: spawn and return immediately. The process output is

package/src/tools/types.ts

@@ -10,15 +10,10 @@ import type {
   ToolExecutionStartEvent,
   ToolPermissionDeniedEvent,
   ToolPermissionPromptEvent,
-  ToolSecretDetectedEvent,
 } from "@vellumai/skill-host-contracts";
 
 import type { InterfaceId } from "../channels/types.js";
 import type { CesClient } from "../credential-execution/client.js";
-import type { HostBashProxy } from "../daemon/host-bash-proxy.js";
-import type { HostBrowserProxy } from "../daemon/host-browser-proxy.js";
-import type { HostFileProxy } from "../daemon/host-file-proxy.js";
-import type { HostTransferProxy } from "../daemon/host-transfer-proxy.js";
 import type { SecretPromptResult } from "../permissions/secret-prompter.js";
 import type { ContentBlock } from "../providers/types.js";
 import type { TrustClass } from "../runtime/actor-trust-resolver.js";
@@ -59,7 +54,6 @@ export type {
   ToolExecutionStartEvent,
   ToolPermissionDeniedEvent,
   ToolPermissionPromptEvent,
-  ToolSecretDetectedEvent,
 } from "@vellumai/skill-host-contracts";
 export { RiskLevel } from "@vellumai/skill-host-contracts";
 
@@ -97,6 +91,14 @@ export interface ToolExecutionResult {
   riskLevel?: string;
   /** Human-readable reason for the risk classification. */
   riskReason?: string;
+  /** ID of the trust rule that matched this invocation (if any). */
+  matchedTrustRuleId?: string;
+  /** How the decision was reached: prompted, auto, blocked, or unknown (legacy). */
+  approvalMode?: string;
+  /** Why the decision was reached (stable enum for client display). */
+  approvalReason?: string;
+  /** Snapshot of the auto-approve threshold at the time of execution. */
+  riskThreshold?: string;
   /** Whether the daemon is running in a containerized (Docker) environment. */
   isContainerized?: boolean;
   /** Scope options ladder for the rule editor (narrowest to broadest). */
@@ -134,6 +136,8 @@ export interface ToolExecutedEvent {
   requestId?: string;
   executionTarget?: ExecutionTarget;
   riskLevel: string;
+  /** ID of the trust rule that matched this invocation (if any). */
+  matchedTrustRuleId?: string;
   decision: string;
   durationMs: number;
   result: ToolExecutionResult;
@@ -144,8 +148,7 @@ export type ToolLifecycleEvent =
   | ToolPermissionPromptEvent
   | ToolPermissionDeniedEvent
   | ToolExecutedEvent
-  | ToolExecutionErrorEvent
-  | ToolSecretDetectedEvent;
+  | ToolExecutionErrorEvent;
 
 export type ToolLifecycleEventHandler = (
   event: ToolLifecycleEvent,
@@ -164,7 +167,7 @@ export interface ToolContext {
   onOutput?: (chunk: string) => void;
   /** Abort signal for cooperative cancellation. Tools should check this periodically. */
   signal?: AbortSignal;
-  /** Optional callback for tool lifecycle events (start/prompt/deny/execute/error/secret_detected). */
+  /** Optional callback for tool lifecycle events (start/prompt/deny/execute/error). */
   onToolLifecycleEvent?: ToolLifecycleEventHandler;
   /** Optional resolver for proxy tools - delegates execution to an external client. */
   proxyToolResolver?: ProxyToolResolver;
@@ -239,14 +242,6 @@ export interface ToolContext {
   channelPermissionChannelId?: string;
   /** The tool_use block ID from the LLM response, used to correlate confirmation prompts with specific tool invocations. */
   toolUseId?: string;
-  /** Optional proxy for delegating host_bash execution to a connected client (managed/cloud-hosted mode). */
-  hostBashProxy?: HostBashProxy;
-  /** Optional proxy for delegating CDP commands to a connected client (managed/cloud-hosted mode). */
-  hostBrowserProxy?: HostBrowserProxy;
-  /** Optional proxy for delegating host_file_read/write/edit execution to a connected client (managed/cloud-hosted mode). */
-  hostFileProxy?: HostFileProxy;
-  /** Optional proxy for delegating bidirectional file transfers between sandbox and host (managed/cloud-hosted mode). */
-  hostTransferProxy?: HostTransferProxy;
   /** True when the assistant is running as a platform-managed remote instance. Used to auto-approve sandboxed bash tools. */
   isPlatformHosted?: boolean;
   /** CES RPC client for credential execution operations. When present, the executor can bridge CES approval flows. */
@@ -259,28 +254,6 @@ export interface ToolContext {
    * to cdp-inspect or local Playwright.
    */
   transportInterface?: InterfaceId;
-  /**
-   * True when the host browser proxy's sender was overridden by a
-   * registry-routed extension connection (ChromeExtensionRegistry WebSocket).
-   * The CDP factory uses this to distinguish between an SSE-backed proxy
-   * (macOS, no extension) and an extension-backed proxy: only the latter
-   * should suppress desktop-auto cdp-inspect when temporarily unavailable,
-   * because the extension transport was explicitly expected and the
-   * disconnection is transient. An SSE-backed proxy that reports
-   * unavailable (e.g. non-interactive turn) should NOT suppress
-   * cdp-inspect — the proxy was never expected to service browser requests.
-   */
-  hostBrowserRegistryRouted?: boolean;
-  /**
-   * Connected clients that support the `host_browser` capability, populated
-   * from the ClientRegistry. Used by `browser status` to report accurate
-   * extension availability even when no proxy is bound to the current
-   * conversation (e.g. when called from the CLI without a conversation ID).
-   */
-  connectedBrowserClients?: Array<{
-    clientId: string;
-    interfaceId: string;
-  }>;
   /**
    * The per-turn inference-profile override the agent loop is currently
    * running under, propagated through tool context so subagent-spawn tools

package/src/tts/__tests__/provider-catalog.test.ts

@@ -172,9 +172,9 @@ describe("Deepgram catalog entry", () => {
     expect(entry.capabilities.supportedFormats).toContain("opus");
   });
 
-  test("requires a bare API key stored under 'deepgram'", () => {
+  test("requires an API key stored under 'credential/deepgram/api_key'", () => {
     const apiKeySecret = entry.secretRequirements.find(
-      (s) => s.credentialStoreKey === "deepgram",
+      (s) => s.credentialStoreKey === "credential/deepgram/api_key",
     );
     expect(apiKeySecret).toBeDefined();
     expect(apiKeySecret!.displayName).toContain("Deepgram");

package/src/tts/provider-catalog.ts

@@ -152,7 +152,7 @@ const CATALOG: readonly TtsProviderCatalogEntry[] = [
     },
     secretRequirements: [
       {
-        credentialStoreKey: "deepgram",
+        credentialStoreKey: "credential/deepgram/api_key",
         displayName: "Deepgram API Key",
         setCommand: "assistant keys set deepgram <key>",
       },

package/src/usage/actors.ts

@@ -9,4 +9,5 @@ export type UsageActor =
   | "ambient_analyzer"
   | "suggestion_generator"
   | "computer_use_agent"
-  | "memory_embedding";
+  | "memory_embedding"
+  | "llm_call_site";