@vellumai/assistant 0.7.0 → 0.7.1

package/src/permissions/approval-provenance.ts

@@ -0,0 +1,70 @@
+import type { ApprovalMode, ApprovalReason } from "./types.js";
+
+/**
+ * Map a raw permission decision string (from permission-checker.ts) and
+ * optional context discriminants to a stable (approvalMode, approvalReason)
+ * pair for persistence and client display.
+ *
+ * Decision strings:
+ *   "allow"                 — auto-allowed by policy (sandbox, trust rule, or threshold)
+ *   "deny"                  — user denied via interactive prompt
+ *   "denied"                — system denied (no interactive client, or trust rule deny)
+ *   "platform_auto_approve" — guardian bash in platform-hosted session
+ *   "guardian_auto_approve" — non-interactive guardian session within background threshold
+ */
+export function mapApprovalProvenance(
+  decision: string,
+  opts: {
+    hasSandboxAutoApprove?: boolean;
+    matchedTrustRuleId?: string;
+    wasPrompted?: boolean;
+    wasTimeout?: boolean;
+    wasSystemCancel?: boolean;
+    wasAbort?: boolean;
+  },
+): { approvalMode: ApprovalMode; approvalReason: ApprovalReason } {
+  if (decision === "platform_auto_approve") {
+    return { approvalMode: "auto", approvalReason: "platform_auto_approve" };
+  }
+
+  if (decision === "guardian_auto_approve") {
+    return { approvalMode: "auto", approvalReason: "within_threshold" };
+  }
+
+  if (decision === "allow") {
+    if (opts.wasPrompted) {
+      return { approvalMode: "prompted", approvalReason: "user_approved" };
+    }
+    if (opts.hasSandboxAutoApprove) {
+      return { approvalMode: "auto", approvalReason: "sandbox_auto_approve" };
+    }
+    if (opts.matchedTrustRuleId) {
+      return { approvalMode: "auto", approvalReason: "trust_rule_allowed" };
+    }
+    return { approvalMode: "auto", approvalReason: "within_threshold" };
+  }
+
+  // "deny" — interactive prompt denied, timed out, or system-cancelled
+  if (decision === "deny") {
+    if (opts.wasSystemCancel) {
+      return { approvalMode: "prompted", approvalReason: "system_cancelled" };
+    }
+    if (opts.wasAbort) {
+      return { approvalMode: "prompted", approvalReason: "system_cancelled" };
+    }
+    if (opts.wasTimeout) {
+      return { approvalMode: "prompted", approvalReason: "timed_out" };
+    }
+    return { approvalMode: "prompted", approvalReason: "user_denied" };
+  }
+
+  // "denied" — system denied without user interaction
+  if (decision === "denied") {
+    if (opts.matchedTrustRuleId) {
+      return { approvalMode: "blocked", approvalReason: "trust_rule_denied" };
+    }
+    return { approvalMode: "blocked", approvalReason: "no_interactive_client" };
+  }
+
+  return { approvalMode: "unknown", approvalReason: "unknown" };
+}

package/src/permissions/checker.ts

@@ -198,7 +198,7 @@ function canonicalizeWebFetchUrl(parsed: URL): URL {
   return parsed;
 }
 
-export function normalizeWebFetchUrl(rawUrl: string): URL | null {
+function normalizeWebFetchUrl(rawUrl: string): URL | null {
   const trimmed = rawUrl.trim();
   if (!trimmed) return null;
 
@@ -558,6 +558,9 @@ export async function check(
     decision: approvalDecision.decision,
     reason: enrichedReason,
     matchedRule: approvalDecision.matchedRule,
+    hasSandboxAutoApprove:
+      approvalDecision.reason ===
+        "Workspace filesystem operation (sandbox auto-approve)" || undefined,
   };
 }
 

package/src/permissions/gateway-threshold-reader.ts

@@ -141,7 +141,10 @@ export async function getAutoApproveThreshold(
       return value;
     }
     // Unexpected value from gateway — default to "none" (Strict).
-    log.warn({ field, value }, "Gateway returned unexpected threshold value, defaulting to none");
+    log.warn(
+      { field, value },
+      "Gateway returned unexpected threshold value, defaulting to none",
+    );
     return "none";
   } catch (err) {
     // Gateway unreachable — default to "none" (Strict) so no tools are

package/src/permissions/prompter.ts

@@ -16,6 +16,8 @@ interface PendingPrompt {
     selectedPattern?: string;
     selectedScope?: string;
     decisionContext?: string;
+    wasTimeout?: boolean;
+    wasSystemCancel?: boolean;
   }) => void;
   reject: (reason: Error) => void;
   timer: ReturnType<typeof setTimeout>;
@@ -71,8 +73,11 @@ export class PermissionPrompter {
     selectedPattern?: string;
     selectedScope?: string;
     decisionContext?: string;
+    wasTimeout?: boolean;
+    wasSystemCancel?: boolean;
+    wasAbort?: boolean;
   }> {
-    if (signal?.aborted) return { decision: "deny" };
+    if (signal?.aborted) return { decision: "deny", wasAbort: true };
 
     const requestId = uuid();
 
@@ -87,6 +92,7 @@ export class PermissionPrompter {
         this.onStateChanged?.(requestId, "timed_out", "timeout", toolUseId);
         resolve({
           decision: "deny",
+          wasTimeout: true,
           decisionContext: `The permission prompt for the "${toolName}" tool timed out. The user did not explicitly deny this request — they may have been away or busy. You may retry this tool call if it is still needed for the current task.`,
         });
       }, timeoutMs);
@@ -103,7 +109,7 @@ export class PermissionPrompter {
           if (this.pending.has(requestId)) {
             clearTimeout(timer);
             this.pending.delete(requestId);
-            resolve({ decision: "deny" });
+            resolve({ decision: "deny", wasAbort: true });
           }
         };
         signal.addEventListener("abort", onAbort, { once: true });
@@ -187,6 +193,7 @@ export class PermissionPrompter {
       this.pending.delete(requestId);
       pending.resolve({
         decision: "deny",
+        wasSystemCancel: true,
         decisionContext:
           "The user sent a new message instead of responding to this permission prompt. Stop what you are doing and respond to the user's new message. Do NOT retry this tool or request permission again until the user asks you to.",
       });

package/src/permissions/secret-prompter.ts

@@ -2,6 +2,8 @@ import { v4 as uuid } from "uuid";
 
 import { getConfig } from "../config/loader.js";
 import type { ServerMessage } from "../daemon/message-protocol.js";
+import { broadcastMessage } from "../runtime/assistant-event-hub.js";
+import * as pendingInteractions from "../runtime/pending-interactions.js";
 import { AssistantError, ErrorCode } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
 
@@ -33,38 +35,22 @@ export interface SecretPrompterChannelContext {
 
 export class SecretPrompter {
   private pending = new Map<string, PendingSecretPrompt>();
-  private sendToClient: (msg: ServerMessage) => void;
-  private broadcastToAllClients?: (msg: ServerMessage) => void;
   private channelContext?: SecretPrompterChannelContext;
 
-  constructor(
-    sendToClient: (msg: ServerMessage) => void,
-    broadcastToAllClients?: (msg: ServerMessage) => void,
-  ) {
-    this.sendToClient = sendToClient;
-    this.broadcastToAllClients = broadcastToAllClients;
-  }
-
-  updateSender(sendToClient: (msg: ServerMessage) => void): void {
-    this.sendToClient = sendToClient;
-  }
-
-  updateBroadcast(broadcastToAllClients?: (msg: ServerMessage) => void): void {
-    this.broadcastToAllClients = broadcastToAllClients;
-  }
-
   setChannelContext(ctx: SecretPrompterChannelContext | undefined): void {
     this.channelContext = ctx;
   }
 
   /**
-   * Send a secret_request to the client and wait for the response.
+   * Broadcast a secret_request to all connected clients and wait for a
+   * response.
    *
-   * When the conversation originates from a channel that cannot render secure
-   * prompts (e.g. Slack), the request is broadcast to all connected clients
-   * via the SSE hub so the desktop app can display it. If no broadcast path
-   * is available and the channel doesn't support dynamic UI, the method
-   * fails fast with an error result rather than hanging until timeout.
+   * The request is always published to the SSE hub via
+   * {@link broadcastMessage} so any connected client (desktop, web) can
+   * display the secure prompt dialog.
+   *
+   * Pending interaction registration is handled by {@link broadcastMessage}
+   * when the secret_request event is published to the hub.
    *
    * SECURITY: Logs only metadata (requestId, service, field) — never the
    * returned secret value. The timeout path also returns a null value
@@ -81,32 +67,23 @@ export class SecretPrompter {
     allowedTools?: string[],
     allowedDomains?: string[],
   ): Promise<SecretPromptResult> {
-    // Determine whether the originating channel can render secure prompts.
-    const channelSupportsPrompt =
-      this.channelContext?.supportsDynamicUi !== false;
-
-    // If the channel cannot render the prompt and there's no broadcast path
-    // to reach a desktop client, fail fast instead of hanging for 5 minutes.
-    if (!channelSupportsPrompt && !this.broadcastToAllClients) {
-      log.warn(
-        { service, field, channel: this.channelContext?.channel },
-        "Secret prompt requested from a channel that cannot render it and no broadcast path is available",
-      );
-      return { value: null, delivery: "store", error: "unsupported_channel" };
-    }
-
     const requestId = uuid();
+    const effectiveConversationId = conversationId ?? "unknown";
 
     return new Promise((resolve, reject) => {
       const timeoutMs = getConfig().timeouts.permissionTimeoutSec * 1000;
       const timer = setTimeout(() => {
         this.pending.delete(requestId);
+        pendingInteractions.resolve(requestId);
         log.warn({ requestId, service, field }, "Secret prompt timed out");
         resolve({ value: null, delivery: "store" });
       }, timeoutMs);
 
       this.pending.set(requestId, { resolve, reject, timer });
 
+      // pendingInteractions.register is now handled by broadcastMessage
+      // when the secret_request event is published to the hub.
+
       const config = getConfig();
       const msg: SecretRequestMessage = {
         type: "secret_request",
@@ -116,21 +93,14 @@ export class SecretPrompter {
         label,
         description,
         placeholder,
-        conversationId,
+        conversationId: effectiveConversationId,
         purpose,
         allowedTools,
         allowedDomains,
         allowOneTimeSend: config.secretDetection.allowOneTimeSend,
       };
 
-      // Use broadcastToAllClients when the originating channel cannot render
-      // secure prompts — this routes the request to the SSE hub where a
-      // connected desktop client can pick it up.
-      if (!channelSupportsPrompt && this.broadcastToAllClients) {
-        this.broadcastToAllClients(msg);
-      } else {
-        this.sendToClient(msg);
-      }
+      broadcastMessage(msg);
     });
   }
 
@@ -157,12 +127,15 @@ export class SecretPrompter {
     }
     clearTimeout(pending.timer);
     this.pending.delete(requestId);
+    // Clean up the global map (may already be removed by approval-routes).
+    pendingInteractions.resolve(requestId);
     pending.resolve({ value: value ?? null, delivery: delivery ?? "store" });
   }
 
   dispose(): void {
-    for (const [, pending] of this.pending) {
+    for (const [requestId, pending] of this.pending) {
       clearTimeout(pending.timer);
+      pendingInteractions.resolve(requestId);
       pending.reject(
         new AssistantError("Prompter disposed", ErrorCode.INTERNAL_ERROR),
       );

package/src/permissions/types.ts

@@ -4,6 +4,37 @@ export type {
 } from "@vellumai/skill-host-contracts";
 export { RiskLevel } from "@vellumai/skill-host-contracts";
 
+export type ApprovalMode = "prompted" | "auto" | "blocked" | "unknown";
+
+export type ApprovalReason =
+  | "user_approved"
+  | "user_denied"
+  | "timed_out"
+  | "within_threshold"
+  | "trust_rule_allowed"
+  | "trust_rule_denied"
+  | "sandbox_auto_approve"
+  | "platform_auto_approve"
+  | "no_interactive_client"
+  | "grant_scoped_consumed"
+  | "system_cancelled"
+  | "unknown";
+
+export type RiskThreshold = "none" | "low" | "medium" | "high";
+
+export const RISK_ORDINAL: Record<string, number> = {
+  low: 0,
+  medium: 1,
+  high: 2,
+};
+
+export const THRESHOLD_ORDINAL: Record<string, number> = {
+  none: -1,
+  low: 0,
+  medium: 1,
+  high: 2,
+};
+
 /** A persistent trust rule stored on disk and used for permission matching. */
 export interface TrustRule {
   id: string;
@@ -27,6 +58,8 @@ export interface PermissionCheckResult {
   decision: "allow" | "deny" | "prompt";
   reason: string;
   matchedRule?: TrustRule;
+  /** True when the decision was taken via the sandbox auto-approve path. */
+  hasSandboxAutoApprove?: boolean;
 }
 
 /** Contextual information passed alongside a permission check for policy decisions. */

package/src/permissions/workspace-policy.ts

@@ -68,11 +68,6 @@ const HOST_TOOLS = new Set([
   "computer_use_run_applescript",
 ]);
 
-/** Check whether a tool name is a host-level tool. */
-export function isHostTool(toolName: string): boolean {
-  return HOST_TOOLS.has(toolName);
-}
-
 /** Safe local-only tools that are always workspace-scoped. */
 const ALWAYS_SCOPED_TOOLS = new Set([
   "skill_load",

package/src/platform/sync-identity.ts

@@ -119,11 +119,3 @@ function clearRequestedIfLatest(requestSeq: number): void {
     lastRequestedName = lastSyncedName;
   }
 }
-
-/** Reset cached state (for testing). */
-export function _resetSyncState(): void {
-  lastSyncedName = null;
-  lastRequestedName = null;
-  seq = 0;
-  pending = Promise.resolve();
-}

package/src/plugins/defaults/injectors.ts

@@ -16,6 +16,7 @@
  * | `unified-turn-context`   | 20    | prepend-user-tail       |
  * | `pkb-context`            | 30    | after-memory-prefix     |
  * | `pkb-reminder`           | 35    | after-memory-prefix     |
+ * | `memory-v2-static`       | 38    | after-memory-prefix     |
  * | `now-md`                 | 40    | after-memory-prefix     |
  * | `subagent-status`        | 50    | append-user-tail        |
  * | `slack-messages`         | 60    | replace-run-messages    |
@@ -44,8 +45,10 @@
 
 import { resolve } from "node:path";
 
+import { getConfig } from "../../config/loader.js";
 import { getInContextPkbPaths } from "../../daemon/pkb-context-tracker.js";
 import { buildPkbReminder } from "../../daemon/pkb-reminder-builder.js";
+import { isMemoryV2ReadActive } from "../../memory/context-search/sources/memory-v2.js";
 import { searchPkbFiles } from "../../memory/pkb/pkb-search.js";
 import { getLogger } from "../../util/logger.js";
 import { registerPlugin } from "../registry.js";
@@ -84,6 +87,7 @@ export const DEFAULT_INJECTOR_ORDER = {
   unifiedTurnContext: 20,
   pkbContext: 30,
   pkbReminder: 35,
+  memoryV2Static: 38,
   nowMd: 40,
   subagentStatus: 50,
   slackMessages: 60,
@@ -94,6 +98,18 @@ function readInjectionInputs(ctx: TurnContext): TurnInjectionInputs {
   return ctx.injectionInputs ?? {};
 }
 
+/**
+ * v2 read-side cutover guard. The `pkb-context` injector silences itself
+ * under v2 because the `<knowledge_base>` block surfaces PKB content the v2
+ * activation block already covers. The `pkb-reminder` injector still fires
+ * (its body is generic recall/remember guidance) but skips the hybrid-search
+ * hints — those name PKB paths v2 is moving away from. NOW.md is workspace
+ * state independent of PKB and fires unchanged.
+ */
+function isPkbInjectionSilencedByV2(): boolean {
+  return isMemoryV2ReadActive(getConfig());
+}
+
 /**
  * `workspace-context` injector — order 10, prepend-user-tail.
  *
@@ -173,6 +189,7 @@ const pkbContextInjector: Injector = {
     const inputs = readInjectionInputs(ctx);
     const mode = inputs.mode ?? "full";
     if (mode !== "full") return null;
+    if (isPkbInjectionSilencedByV2()) return null;
     if (!inputs.pkbContext) return null;
     return {
       id: "pkb-context",
@@ -203,7 +220,9 @@ const pkbReminderInjector: Injector = {
     const mode = inputs.mode ?? "full";
     if (mode !== "full") return null;
     if (!inputs.pkbActive) return null;
-    const reminder = await buildPkbReminderWithHints(inputs);
+    const reminder = isPkbInjectionSilencedByV2()
+      ? buildPkbReminder([])
+      : await buildPkbReminderWithHints(inputs);
     return {
       id: "pkb-reminder",
       text: reminder,
@@ -296,6 +315,53 @@ async function buildPkbReminderWithHints(
   return buildPkbReminder(hints);
 }
 
+/**
+ * `memory-v2-static` injector — order 38, after-memory-prefix.
+ *
+ * Injects the v2 static memory block (essentials/threads/recent/buffer
+ * concatenated under markdown headings) wrapped in `<memory>...</memory>`
+ * onto the user message. The agent loop only forwards `memoryV2Static` on
+ * full-mode turns (first turn / post-compaction), mirroring the PKB
+ * auto-inject cadence — subsequent turns get `null` and the prior block
+ * stays cached on its original user message.
+ *
+ * Sits between `pkb-reminder` (35) and `now-md` (40) so the rendered order
+ * after the memory prefix is `[pkb-reminder, pkb-context, memory-v2-static,
+ * now-md, ...user text]` when every PKB injector also fires (transitional
+ * state). Once PKB is fully retired under v2 this is the only block
+ * adjacent to the memory prefix.
+ *
+ * Gating:
+ *  - `mode === "full"`.
+ *  - `memoryV2Static` is a non-null, non-empty string.
+ */
+const memoryV2StaticInjector: Injector = {
+  name: "memory-v2-static",
+  order: DEFAULT_INJECTOR_ORDER.memoryV2Static,
+  async produce(ctx: TurnContext): Promise<InjectionBlock | null> {
+    const inputs = readInjectionInputs(ctx);
+    const mode = inputs.mode ?? "full";
+    if (mode !== "full") return null;
+    const content = inputs.memoryV2Static;
+    if (!content) return null;
+    return {
+      id: "memory-v2-static",
+      text: buildMemoryV2StaticBlock(content),
+      placement: "after-memory-prefix",
+    };
+  },
+};
+
+/**
+ * Wrap the static memory content in `<memory>...</memory>`. Escapes any
+ * closing `</memory>` inside the content so authored memory files cannot
+ * accidentally break out of the wrapper.
+ */
+function buildMemoryV2StaticBlock(content: string): string {
+  const escaped = content.replace(/<\/memory\s*>/gi, "&lt;/memory&gt;");
+  return `<memory>\n${escaped}\n</memory>`;
+}
+
 /**
  * `now-md` injector — order 40, after-memory-prefix.
  *
@@ -362,7 +428,7 @@ const subagentStatusInjector: Injector = {
  * Swaps the conversation's `runMessages` array with a pre-rendered
  * chronological Slack transcript built from the persisted message rows.
  * Applied to every Slack conversation (channels and DMs alike). The
- * orchestrator builds the transcript via `loadSlackChronologicalMessages`
+ * orchestrator builds the transcript via `loadSlackChronologicalContext`
  * before the chain runs.
  *
  * Memory-block prepending is preserved across the replacement:
@@ -458,6 +524,7 @@ export const defaultInjectorsPlugin: Plugin = {
     unifiedTurnContextInjector,
     pkbContextInjector,
     pkbReminderInjector,
+    memoryV2StaticInjector,
     nowMdInjector,
     subagentStatusInjector,
     slackMessagesInjector,

package/src/plugins/defaults/overflow-reduce.ts

@@ -74,8 +74,9 @@ export const defaultOverflowReduceMiddleware: Middleware<
     attempts++;
     args.emitActivityState();
 
+    const basisMessages = messages;
     const step = await reduceContextOverflow(
-      messages,
+      basisMessages,
       {
         providerName: args.providerName,
         systemPrompt: args.systemPrompt,
@@ -101,7 +102,7 @@ export const defaultOverflowReduceMiddleware: Middleware<
     // Let the orchestrator apply compaction side effects (circuit-breaker
     // tracking, event emission, ctx mutation) before we re-inject.
     if (step.compactionResult) {
-      await args.onCompactionResult(step.compactionResult);
+      await args.onCompactionResult(step.compactionResult, basisMessages);
       if (stepCompacted) {
         reducerCompacted = true;
       }

package/src/plugins/types.ts

@@ -401,6 +401,7 @@ export interface OverflowReduceArgs {
    */
   readonly onCompactionResult: (
     result: ContextWindowResult,
+    compactedBasis?: Message[],
   ) => void | Promise<void>;
   /**
    * Invoked after each step to rebuild `runMessages` from the step's
@@ -815,6 +816,13 @@ export interface TurnInjectionInputs {
    * Falls back to `pkbRoot` when omitted.
    */
   readonly pkbWorkingDir?: string;
+  /**
+   * Pre-rendered v2 static memory content (essentials/threads/recent/buffer
+   * concatenated, header-wrapped) or null to skip. The agent loop only
+   * passes this on full-mode turns; the injector wraps it in `<memory>` for
+   * the user message.
+   */
+  readonly memoryV2Static?: string | null;
   /** NOW.md scratchpad content or null to skip. */
   readonly nowScratchpad?: string | null;
   /** Pre-built `<active_subagents>` block or null to skip. */