@vellumai/assistant 0.7.0 → 0.7.1

package/src/tools/secret-detection-handler.ts

@@ -1,269 +0,0 @@
-import { getConfig } from "../config/loader.js";
-import { PermissionPrompter } from "../permissions/prompter.js";
-import { RiskLevel } from "../permissions/types.js";
-import type { SecretPattern } from "../security/secret-scanner.js";
-import {
-  compileCustomPatterns,
-  redactSecrets,
-  scanText,
-} from "../security/secret-scanner.js";
-import type {
-  ExecutionTarget,
-  ToolContext,
-  ToolExecutionResult,
-  ToolLifecycleEvent,
-} from "./types.js";
-
-/**
- * Encapsulates post-execution secret detection, redaction, and action handling.
- * Extracted from ToolExecutor to isolate the secret-scanning concern.
- */
-export class SecretDetectionHandler {
-  private prompter: PermissionPrompter;
-
-  constructor(prompter: PermissionPrompter) {
-    this.prompter = prompter;
-  }
-
-  /**
-   * Scan a tool execution result for secrets and apply the configured action
-   * (redact, block, or prompt). Returns the (possibly modified) result, or
-   * a blocked result if secrets were blocked. Returns `null` when no secret
-   * handling was needed and the caller should continue normally.
-   */
-  async handle(
-    execResult: ToolExecutionResult,
-    name: string,
-    input: Record<string, unknown>,
-    context: ToolContext,
-    executionTarget: ExecutionTarget,
-    riskLevel: string,
-    decision: string,
-    startTime: number,
-    emitLifecycleEvent: (
-      context: ToolContext,
-      event: ToolLifecycleEvent,
-    ) => void,
-  ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
-    const sdConfig = getConfig().secretDetection;
-    if (!sdConfig.enabled || execResult.isError) {
-      return { result: execResult, earlyReturn: false };
-    }
-
-    const entropyConfig = {
-      enabled: true,
-      base64Threshold: sdConfig.entropyThreshold,
-    };
-    const compiledCustom = sdConfig.customPatterns?.length
-      ? compileCustomPatterns(sdConfig.customPatterns)
-      : undefined;
-
-    const allMatches = this.collectMatches(
-      execResult,
-      entropyConfig,
-      compiledCustom,
-    );
-
-    if (allMatches.length === 0) {
-      return { result: execResult, earlyReturn: false };
-    }
-
-    const matchSummary = allMatches.map((m) => ({
-      type: m.type,
-      redactedValue: m.redactedValue,
-    }));
-
-    emitLifecycleEvent(context, {
-      type: "secret_detected",
-      toolName: name,
-      executionTarget,
-      input,
-      workingDir: context.workingDir,
-      conversationId: context.conversationId,
-      requestId: context.requestId,
-      matches: matchSummary,
-      action: sdConfig.action,
-      detectedAtMs: Date.now(),
-    });
-
-    if (sdConfig.action === "redact") {
-      this.redactResult(execResult, entropyConfig, compiledCustom);
-      return { result: execResult, earlyReturn: false };
-    }
-
-    if (sdConfig.action === "block") {
-      return this.handleBlock(
-        allMatches,
-        name,
-        input,
-        context,
-        executionTarget,
-        riskLevel,
-        decision,
-        startTime,
-        emitLifecycleEvent,
-      );
-    }
-
-    if (sdConfig.action === "prompt") {
-      return this.handlePrompt(
-        allMatches,
-        execResult,
-        name,
-        input,
-        context,
-        executionTarget,
-        riskLevel,
-        decision,
-        startTime,
-        emitLifecycleEvent,
-      );
-    }
-
-    return { result: execResult, earlyReturn: false };
-  }
-
-  private collectMatches(
-    execResult: ToolExecutionResult,
-    entropyConfig: { enabled: boolean; base64Threshold: number },
-    compiledCustom: SecretPattern[] | undefined,
-  ) {
-    const contentMatches = scanText(
-      execResult.content,
-      entropyConfig,
-      compiledCustom,
-    );
-    const diffMatches = execResult.diff
-      ? scanText(execResult.diff.newContent, entropyConfig, compiledCustom)
-      : [];
-    const blockMatches = (execResult.contentBlocks ?? []).flatMap((block) => {
-      if (block.type === "text")
-        return scanText(block.text, entropyConfig, compiledCustom);
-      if (block.type === "file" && block.extracted_text)
-        return scanText(block.extracted_text, entropyConfig, compiledCustom);
-      return [];
-    });
-    return [...contentMatches, ...diffMatches, ...blockMatches];
-  }
-
-  private redactResult(
-    execResult: ToolExecutionResult,
-    entropyConfig: { enabled: boolean; base64Threshold: number },
-    compiledCustom: SecretPattern[] | undefined,
-  ): void {
-    execResult.content = redactSecrets(
-      execResult.content,
-      entropyConfig,
-      compiledCustom,
-    );
-    if (execResult.diff) {
-      execResult.diff = {
-        ...execResult.diff,
-        newContent: redactSecrets(
-          execResult.diff.newContent,
-          entropyConfig,
-          compiledCustom,
-        ),
-      };
-    }
-    if (execResult.contentBlocks) {
-      execResult.contentBlocks = execResult.contentBlocks.map((block) => {
-        if (block.type === "text") {
-          return {
-            ...block,
-            text: redactSecrets(block.text, entropyConfig, compiledCustom),
-          };
-        }
-        if (block.type === "file" && block.extracted_text) {
-          return {
-            ...block,
-            extracted_text: redactSecrets(
-              block.extracted_text,
-              entropyConfig,
-              compiledCustom,
-            ),
-          };
-        }
-        return block;
-      });
-    }
-  }
-
-  private handleBlock(
-    allMatches: Array<{ type: string; redactedValue: string }>,
-    name: string,
-    input: Record<string, unknown>,
-    context: ToolContext,
-    executionTarget: ExecutionTarget,
-    riskLevel: string,
-    decision: string,
-    startTime: number,
-    emitLifecycleEvent: (
-      context: ToolContext,
-      event: ToolLifecycleEvent,
-    ) => void,
-  ): { result: ToolExecutionResult; earlyReturn: boolean } {
-    const types = [...new Set(allMatches.map((m) => m.type))].join(", ");
-    const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). Configure secretDetection.action to "redact" or "prompt" to allow output.`;
-    const durationMs = Date.now() - startTime;
-    const blockedResult: ToolExecutionResult = {
-      content: blockedContent,
-      isError: true,
-    };
-
-    emitLifecycleEvent(context, {
-      type: "executed",
-      toolName: name,
-      executionTarget,
-      input,
-      workingDir: context.workingDir,
-      conversationId: context.conversationId,
-      requestId: context.requestId,
-      riskLevel,
-      decision,
-      durationMs,
-      result: blockedResult,
-    });
-
-    return { result: blockedResult, earlyReturn: true };
-  }
-
-  private async handlePrompt(
-    allMatches: Array<{ type: string; redactedValue: string }>,
-    _execResult: ToolExecutionResult,
-    name: string,
-    input: Record<string, unknown>,
-    context: ToolContext,
-    executionTarget: ExecutionTarget,
-    _riskLevel: string,
-    _decision: string,
-    startTime: number,
-    emitLifecycleEvent: (
-      context: ToolContext,
-      event: ToolLifecycleEvent,
-    ) => void,
-  ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
-    const types = [...new Set(allMatches.map((m) => m.type))].join(", ");
-    const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). Ask the user for confirmation conversationally before retrying.`;
-    const durationMs = Date.now() - startTime;
-
-    emitLifecycleEvent(context, {
-      type: "permission_denied",
-      toolName: name,
-      executionTarget,
-      input,
-      workingDir: context.workingDir,
-      conversationId: context.conversationId,
-      requestId: context.requestId,
-      riskLevel: RiskLevel.High,
-      decision: "deny",
-      reason: "Secret output blocked without deterministic prompt",
-      durationMs,
-    });
-
-    return {
-      result: { content: blockedContent, isError: true },
-      earlyReturn: true,
-    };
-  }
-}

package/src/tools/terminal/backends/native.ts

@@ -1,327 +0,0 @@
-import { execSync } from "node:child_process";
-import { createHash } from "node:crypto";
-import { existsSync, mkdirSync, writeFileSync } from "node:fs";
-import { join } from "node:path";
-
-import { ToolError } from "../../../util/errors.js";
-import { getLogger } from "../../../util/logger.js";
-import { isLinux, isMacOS } from "../../../util/platform.js";
-import type { SandboxBackend, SandboxResult, WrapOptions } from "./types.js";
-
-const log = getLogger("sandbox");
-
-const HASH_DISPLAY_LENGTH = 12;
-
-/**
- * macOS TCC-protected directories that trigger permission prompts when accessed.
- * Unconditionally denied in the SBPL sandbox profile to prevent the assistant
- * from triggering Photos, Contacts, Calendar, etc. dialogs during filesystem
- * traversal (e.g. `find ~ -name .git`).
- *
- * Paths are relative to $HOME. Includes both TCC-protected directories that
- * trigger prompts for all apps and directories like ~/Desktop and ~/Documents
- * that are TCC-protected under App Sandbox or Full Disk Access checks.
- */
-export const MACOS_TCC_PROTECTED_PATHS = [
-  "Desktop",
-  "Documents",
-  "Pictures/Photos Library.photoslibrary",
-  "Library/Photos",
-  "Library/Calendars",
-  "Library/Reminders",
-  "Library/Application Support/AddressBook",
-  "Library/Messages",
-  "Library/Mail",
-  "Library/Safari",
-  "Library/Cookies",
-  "Library/HomeKit",
-  "Library/IdentityServices",
-  "Library/Metadata/CoreSpotlight",
-  "Library/PersonalizationPortrait",
-  "Library/Suggestions",
-];
-
-/**
- * Build a macOS sandbox-exec SBPL profile.
- *
- * The profile restricts shell commands:
- * - Denies all by default
- * - Allows read access to most of the filesystem (needed for toolchains)
- * - Allows write access only to the working directory and temp dirs
- * - Blocks outbound network access (unless proxied)
- * - Blocks process debugging (ptrace)
- * - Optionally blocks read access to specific protected paths (CES lockdown)
- *
- * When `allowNetwork` is true the `(deny network*)` rule is replaced with
- * `(allow network*)` so the process can reach the local credential proxy.
- */
-function buildSandboxProfile(
-  allowNetwork: boolean,
-  denyReadPaths?: string[],
-): string {
-  const networkRule = allowNetwork
-    ? ";; Allow network access (proxied mode - needed to reach the credential proxy)\n(allow network*)"
-    : ";; Block network access\n(deny network*)";
-
-  // Block macOS TCC-protected directories to prevent permission prompts
-  // during filesystem traversal. Placed AFTER (allow file-read*) because
-  // SBPL uses last-match-wins semantics.
-  const home = process.env.HOME ?? "";
-  const tccDenyRules = home
-    ? "\n;; Block macOS TCC-protected directories to prevent permission prompts\n" +
-      MACOS_TCC_PROTECTED_PATHS.map(
-        (rel) =>
-          `(deny file-read* (subpath "${escapeSBPL(join(home, rel))}") (with no-log))`,
-      ).join("\n")
-    : "";
-
-  // Build deny-read rules for protected paths (CES shell lockdown).
-  // These are placed AFTER the allow file-read* rule because SBPL uses
-  // last-match-wins semantics - the more specific deny overrides the
-  // general allow.
-  const denyReadRules =
-    denyReadPaths && denyReadPaths.length > 0
-      ? "\n;; CES shell lockdown: block reads of protected credential/transport paths\n" +
-        denyReadPaths
-          .map(
-            (p) =>
-              `(deny file-read* (subpath "${escapeSBPL(p)}") (with no-log))`,
-          )
-          .join("\n")
-      : "";
-
-  return `
-(version 1)
-(deny default)
-
-;; Allow read access to the filesystem (tools, libraries, etc.)
-(allow file-read*)
-${tccDenyRules}
-
-;; Re-allow reads for the working directory even if it falls under a TCC-denied
-;; subtree (e.g. ~/Desktop/my-project). SBPL is last-match-wins, so this
-;; override must come after the TCC deny rules above but BEFORE the CES
-;; deny-read rules below — credential isolation always takes precedence.
-(allow file-read* (subpath "__WORKING_DIR__"))
-${denyReadRules}
-
-;; Allow write access to the working directory and its children
-(allow file-write*
-  (literal "/dev/null")
-  (subpath "__WORKING_DIR__")
-  (subpath "/private/tmp")
-  (subpath "/tmp")
-  (subpath "/var/folders"))
-
-;; Allow process execution (needed to run commands)
-(allow process-exec*)
-(allow process-fork)
-
-;; Allow signal delivery between parent and child
-(allow signal (target others))
-
-;; Allow sysctl reads (needed by many tools)
-(allow sysctl-read)
-
-;; Allow mach lookups (IPC, needed for basic process operation)
-(allow mach-lookup)
-(allow mach-register)
-
-;; Allow IOKit (needed for some system calls)
-(allow iokit-open)
-
-${networkRule}
-
-;; Block process debugging
-(deny process-info-pidinfo (target others))
-`.trim();
-}
-
-/**
- * Escape a path for safe embedding inside an SBPL quoted string.
- * Backslash-escapes characters that are meaningful in SBPL syntax.
- * Newlines/carriage returns are rejected since they cannot appear in real paths.
- */
-function escapeSBPL(path: string): string {
-  if (/[\n\r]/.test(path)) {
-    throw new ToolError(
-      "Working directory path contains newline characters, which cannot be used in a sandbox profile.",
-      "bash",
-    );
-  }
-  return path.replace(/[\\";()]/g, (ch) => `\\${ch}`);
-}
-
-/**
- * Get the path to the sandbox profile file, creating it if needed.
- *
- * Each distinct working directory gets its own profile file (keyed by
- * a hash of the path) to avoid race conditions when concurrent commands
- * use different working directories.
- */
-function getProfilePath(
-  workingDir: string,
-  allowNetwork: boolean,
-  denyReadPaths?: string[],
-): string {
-  const dir = join(process.env.HOME ?? "/tmp", ".vellum");
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true });
-  }
-  // Include the network flag, deny-read paths, and HOME in the hash so
-  // profiles with different configurations don't collide.
-  let hashInput = allowNetwork ? `${workingDir}:proxied` : workingDir;
-  if (denyReadPaths && denyReadPaths.length > 0) {
-    hashInput += `:deny-read:${denyReadPaths.sort().join(",")}`;
-  }
-  hashInput += `:home:${process.env.HOME ?? ""}`;
-  const hash = createHash("sha256")
-    .update(hashInput)
-    .digest("hex")
-    .slice(0, HASH_DISPLAY_LENGTH);
-  const path = join(dir, `sandbox-profile-${hash}.sb`);
-
-  const profile = buildSandboxProfile(allowNetwork, denyReadPaths).replace(
-    /__WORKING_DIR__/g,
-    () => escapeSBPL(workingDir),
-  );
-  writeFileSync(path, profile + "\n");
-  return path;
-}
-
-/**
- * Cache positive bwrap results only. Negative results are not cached so that
- * installing bwrap after the daemon starts takes effect without a restart.
- */
-let bwrapAvailable = false;
-
-/**
- * Check whether bwrap is installed AND functional (can create namespaces).
- *
- * Just testing `bwrap --version` is not enough - the binary may exist but
- * namespace creation can be blocked by the kernel (e.g. inside containers
- * or when user namespaces are disabled). We run a minimal sandbox that
- * exercises all namespace types used by buildBwrapArgs() (mount, network,
- * PID) to verify end-to-end functionality.
- *
- * Only positive results are cached - if bwrap is unavailable, we re-check
- * on every call so that a mid-session install is picked up immediately.
- */
-function isBwrapAvailable(): boolean {
-  if (bwrapAvailable) return true;
-  try {
-    execSync("bwrap --ro-bind / / --unshare-net --unshare-pid true", {
-      stdio: "ignore",
-      timeout: 5000,
-    });
-    bwrapAvailable = true;
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Build bwrap arguments for Linux sandboxing.
- *
- * Strategy mirrors the macOS sandbox-exec profile:
- * - Read-only bind-mount of the root filesystem (toolchains, libs, etc.)
- * - Read-write bind-mount of the working directory
- * - Read-write tmpfs for /tmp
- * - /proc mounted for basic process operation
- * - /dev bind-mounted for device access (needed by many tools)
- * - Network access blocked (--unshare-net)
- * - PID namespace isolated (--unshare-pid)
- * - Optional tmpfs overlays on protected paths (CES lockdown)
- */
-function buildBwrapArgs(
-  workingDir: string,
-  command: string,
-  allowNetwork: boolean,
-  denyReadPaths?: string[],
-): string[] {
-  const args = [
-    // Filesystem: read-only root, writable working dir and temp
-    "--ro-bind",
-    "/",
-    "/",
-    "--bind",
-    workingDir,
-    workingDir,
-    "--bind",
-    "/tmp",
-    "/tmp",
-    "--dev",
-    "/dev",
-    "--proc",
-    "/proc",
-  ];
-
-  // CES shell lockdown: overlay protected paths with empty tmpfs mounts
-  // so the subprocess cannot read credential data, bootstrap sockets, or
-  // toolstore contents. The tmpfs mount hides the real directory contents.
-  if (denyReadPaths && denyReadPaths.length > 0) {
-    for (const p of denyReadPaths) {
-      args.push("--tmpfs", p);
-    }
-  }
-
-  // Only isolate the network namespace when network access is not needed.
-  // In proxied mode the process must be able to reach 127.0.0.1:<proxy-port>.
-  if (!allowNetwork) {
-    args.push("--unshare-net");
-  }
-
-  args.push(
-    "--unshare-pid",
-    // Run bash inside the sandbox
-    "bash",
-    "-c",
-    "--",
-    command,
-  );
-
-  return args;
-}
-
-/**
- * Native sandbox backend using OS-level sandboxing:
- * macOS sandbox-exec (SBPL profiles) and Linux bwrap (bubblewrap).
- */
-export class NativeBackend implements SandboxBackend {
-  wrap(
-    command: string,
-    workingDir: string,
-    options?: WrapOptions,
-  ): SandboxResult {
-    const allowNetwork = options?.networkMode === "proxied";
-    const denyReadPaths = options?.denyReadPaths;
-
-    if (isMacOS()) {
-      const profile = getProfilePath(workingDir, allowNetwork, denyReadPaths);
-      return {
-        command: "sandbox-exec",
-        args: ["-f", profile, "bash", "-c", "--", command],
-        sandboxed: true,
-      };
-    }
-
-    if (isLinux()) {
-      if (!isBwrapAvailable()) {
-        const msg =
-          "Sandbox is enabled but bwrap is not available or cannot create namespaces. Refusing to execute unsandboxed. Install bubblewrap (for example: apt install bubblewrap), or disable sandboxing.";
-        log.error(msg);
-        throw new ToolError(msg, "bash");
-      }
-      return {
-        command: "bwrap",
-        args: buildBwrapArgs(workingDir, command, allowNetwork, denyReadPaths),
-        sandboxed: true,
-      };
-    }
-
-    const msg = `Sandbox is enabled but not supported on this platform (${process.platform}). Refusing to execute unsandboxed. Disable sandboxing to run shell commands.`;
-    log.error(msg);
-    throw new ToolError(msg, "bash");
-  }
-}

package/src/tools/terminal/backends/types.ts

@@ -1,37 +0,0 @@
-export interface SandboxResult {
-  /** The command/args to use for spawning. */
-  command: string;
-  args: string[];
-  /** Whether sandboxing was applied. */
-  sandboxed: boolean;
-}
-
-/** Per-invocation options that override backend defaults. */
-export interface WrapOptions {
-  /**
-   * Network mode for this invocation.
-   * - 'off': network access is blocked (sandbox-exec deny network / bwrap --unshare-net). This is the default.
-   * - 'proxied': network access is allowed so the process can reach the local credential proxy.
-   */
-  networkMode?: "off" | "proxied";
-
-  /**
-   * Absolute paths that should be blocked from read access inside the sandbox.
-   * Used by CES shell lockdown to prevent untrusted shell commands from reading
-   * protected credential data, bootstrap sockets, and toolstore paths.
-   */
-  denyReadPaths?: string[];
-}
-
-/**
- * A sandbox backend knows how to wrap a shell command so it runs
- * inside an OS-level sandbox (macOS sandbox-exec, Linux bwrap, etc.).
- */
-export interface SandboxBackend {
-  /** Wrap a command for sandboxed execution in the given working directory. */
-  wrap(
-    command: string,
-    workingDir: string,
-    options?: WrapOptions,
-  ): SandboxResult;
-}