@vellumai/assistant 0.7.0 → 0.7.2

package/src/daemon/__tests__/conversation-surfaces-launch.test.ts

@@ -45,10 +45,9 @@ mock.module("../../runtime/assistant-event.js", () => ({
   // Pass-through so `focus` / `conversationId` can be asserted directly
   // on the captured event's `message` payload.
   buildAssistantEvent: (
-    assistantId: string,
     message: unknown,
     conversationId?: string,
-  ) => ({ assistantId, message, conversationId }),
+  ) => ({ message, conversationId }),
 }));
 
 // Stub DB helpers so the real `launchConversation` can run without a DB.
@@ -76,12 +75,55 @@ mock.module("../../memory/conversation-crud.js", () => ({
   },
 }));
 
+// Stub conversation-store so the real `launchConversation` can hydrate
+// a fake Conversation without touching the real map.
+let trustContextOnConversation: unknown | null = null;
+const fakeConversation = {
+  setTrustContext: (c: unknown) => {
+    trustContextOnConversation = c;
+  },
+};
+const getOrCreateConversationCalls: string[] = [];
+const realConvStore = await import("../conversation-store.js");
+mock.module("../conversation-store.js", () => ({
+  ...realConvStore,
+  getOrCreateConversation: async (id: string) => {
+    getOrCreateConversationCalls.push(id);
+    return fakeConversation as never;
+  },
+}));
+
+// Stub processMessageInBackground so the seed turn is controllable.
+const processMessageCalls: Array<{
+  conversationId: string;
+  content: string;
+}> = [];
+let resolveProcess = () => {};
+let rejectProcess: (err: Error) => void = () => {};
+let markProcessStarted = () => {};
+let processStartedPromise = new Promise<void>((resolve) => {
+  markProcessStarted = resolve;
+});
+const realProcessMessage = await import("../process-message.js");
+mock.module("../process-message.js", () => ({
+  ...realProcessMessage,
+  processMessageInBackground: (
+    conversationId: string,
+    content: string,
+  ) => {
+    processMessageCalls.push({ conversationId, content });
+    markProcessStarted();
+    return new Promise((resolve, reject) => {
+      resolveProcess = () => resolve({ messageId: "msg-1" });
+      rejectProcess = (err) => reject(err);
+    });
+  },
+}));
+
 // Dynamic imports after mock.module calls so the stubs take effect
 // before the modules under test are loaded.
 const { createSurfaceMutex, handleSurfaceAction } =
   await import("../conversation-surfaces.js");
-const { registerLaunchConversationDeps, resetLaunchConversationDeps } =
-  await import("../conversation-launch.js");
 type SurfaceConversationContext =
   import("../conversation-surfaces.js").SurfaceConversationContext;
 type TrustContext = import("../trust-context.js").TrustContext;
@@ -89,60 +131,17 @@ type ServerMessage = import("../message-protocol.js").ServerMessage;
 type SurfaceData = import("../message-protocol.js").SurfaceData;
 type SurfaceType = import("../message-protocol.js").SurfaceType;
 
-// ── launchConversation deps harness ────────────────────────────────
+// ── Harness reset helper ───────────────────────────────────────────
 
-interface DepsHarness {
-  getOrCreateCalls: Array<string>;
-  processCalls: Array<{ conversationId: string; content: string }>;
-  lastTrustContext(): unknown | null;
-  resolveProcess: () => void;
-  rejectProcess: (err: Error) => void;
-  /** Resolves once `persistAndProcessMessage` has actually been invoked. */
-  processStarted: Promise<void>;
-}
-
-function setupLaunchDeps(): DepsHarness {
-  const getOrCreateCalls: Array<string> = [];
-  const processCalls: Array<{ conversationId: string; content: string }> = [];
-  let trustContextOnConversation: unknown | null = null;
-  let resolveProcess = () => {};
-  let rejectProcess: (err: Error) => void = () => {};
-  let markProcessStarted = () => {};
-  const processStarted = new Promise<void>((resolve) => {
+function resetProcessHarness(): void {
+  processMessageCalls.length = 0;
+  getOrCreateConversationCalls.length = 0;
+  trustContextOnConversation = null;
+  resolveProcess = () => {};
+  rejectProcess = () => {};
+  processStartedPromise = new Promise<void>((resolve) => {
     markProcessStarted = resolve;
   });
-
-  const fakeConversation = {
-    setTrustContext: (c: unknown) => {
-      trustContextOnConversation = c;
-    },
-  };
-
-  registerLaunchConversationDeps({
-    getOrCreateConversation: async (id: string) => {
-      getOrCreateCalls.push(id);
-      return fakeConversation as never;
-    },
-    persistAndProcessMessage: (conversationId: string, content: string) => {
-      processCalls.push({ conversationId, content });
-      markProcessStarted();
-      return new Promise((resolve, reject) => {
-        resolveProcess = () => resolve({ messageId: "msg-1" });
-        rejectProcess = (err) => reject(err);
-      });
-    },
-    publishAssistantEvent: () => {},
-    getAssistantId: () => "assistant-test-id",
-  });
-
-  return {
-    getOrCreateCalls,
-    processCalls,
-    lastTrustContext: () => trustContextOnConversation,
-    resolveProcess: () => resolveProcess(),
-    rejectProcess: (err: Error) => rejectProcess(err),
-    processStarted,
-  };
 }
 
 // ── Surface-context harness ────────────────────────────────────────
@@ -216,7 +215,6 @@ function registerCardSurface(
 // Helper: filter captured publish calls down to `open_conversation`
 // events. Typed so assertions can reach the inner `message` payload.
 function openConversationEvents(): Array<{
-  assistantId: string;
   conversationId?: string;
   message: {
     type: "open_conversation";
@@ -234,7 +232,6 @@ function openConversationEvents(): Array<{
     .map(
       (e) =>
         e as unknown as {
-          assistantId: string;
           conversationId?: string;
           message: {
             type: "open_conversation";
@@ -254,16 +251,12 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
     publishCalls.length = 0;
     updateTitleCalls.length = 0;
     nextKeyStoreResult = { conversationId: "conv-new" };
-    // Reset module-level `_deps` so a test that forgets to call
-    // `setupLaunchDeps()` cannot accidentally piggy-back on deps left
-    // registered by a previous test. Each test that exercises the launch
-    // helper must call `setupLaunchDeps()` explicitly.
-    resetLaunchConversationDeps();
+    resetProcessHarness();
   });
 
   test("launches new conversation with inherited trust context and no chat message", async () => {
     nextKeyStoreResult = { conversationId: "conv-launched-1" };
-    const harness = setupLaunchDeps();
+    
     const originTrustContext: TrustContext = {
       sourceChannel: "vellum",
       trustClass: "guardian",
@@ -295,14 +288,14 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
     expect(openEvents[0].message.title).toBe("New Thread");
 
     // 3. The spawned conversation inherited the origin's trust context.
-    expect(harness.lastTrustContext()).toEqual(originTrustContext);
+    expect(trustContextOnConversation).toEqual(originTrustContext);
 
     // 4. Seed turn was kicked off fire-and-forget — resolve it to clean
     //    up the pending promise the harness stubbed.
-    await harness.processStarted;
-    expect(harness.processCalls).toHaveLength(1);
-    expect(harness.processCalls[0].content).toBe("S");
-    harness.resolveProcess();
+    await processStartedPromise;
+    expect(processMessageCalls).toHaveLength(1);
+    expect(processMessageCalls[0].content).toBe("S");
+    resolveProcess();
 
     // 5. No chat message side effect on the origin conversation — neither
     //    the LLM pipeline nor the `[User action on app: ...]` text echo.
@@ -358,7 +351,7 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
 
   test("omits originTrustContext when origin conversation has none", async () => {
     nextKeyStoreResult = { conversationId: "conv-launched-3" };
-    const harness = setupLaunchDeps();
+    
     // No `trustContext` on the origin context — simulating the
     // no-inherited-guardian path.
     const ctx = makeContext();
@@ -376,20 +369,20 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
     });
 
     // Trust context was never applied to the spawned conversation.
-    expect(harness.lastTrustContext()).toBeNull();
+    expect(trustContextOnConversation).toBeNull();
 
     // Still exactly one open_conversation event with focus: false.
     const openEvents = openConversationEvents();
     expect(openEvents).toHaveLength(1);
     expect(openEvents[0].message.focus).toBe(false);
 
-    await harness.processStarted;
-    harness.resolveProcess();
+    await processStartedPromise;
+    resolveProcess();
   });
 
   test("handler returns before the seed turn resolves (fire-and-forget)", async () => {
     nextKeyStoreResult = { conversationId: "conv-nonblocking" };
-    const harness = setupLaunchDeps();
+    
     const ctx = makeContext();
     registerCardSurface(ctx, "surface-4");
 
@@ -413,14 +406,14 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
     // Seed turn is in-flight but not yet resolved. Prove the helper
     // actually invoked it (so we know fire-and-forget is wired), then
     // resolve it to clean up.
-    await harness.processStarted;
-    expect(harness.processCalls).toHaveLength(1);
-    harness.resolveProcess();
+    await processStartedPromise;
+    expect(processMessageCalls).toHaveLength(1);
+    resolveProcess();
   });
 
   test("seed turn rejection is swallowed by the helper's .catch()", async () => {
     nextKeyStoreResult = { conversationId: "conv-seed-fails" };
-    const harness = setupLaunchDeps();
+    
     const ctx = makeContext();
     registerCardSurface(ctx, "surface-5");
 
@@ -438,8 +431,8 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
     // Reject the pending seed turn — the helper's `.catch()` handler
     // must swallow it. If it didn't, Bun would surface the unhandled
     // rejection at test-end and this test would fail.
-    await harness.processStarted;
-    harness.rejectProcess(new Error("seed-turn-failed"));
+    await processStartedPromise;
+    rejectProcess(new Error("seed-turn-failed"));
     // Give the microtask queue a tick so the `.catch()` runs before
     // the test completes.
     await Promise.resolve();
@@ -456,7 +449,7 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
     // message and triggering a full LLM round-trip on every click. The plan
     // claimed to eliminate that round-trip; this test enforces it.
     nextKeyStoreResult = { conversationId: "conv-pending-set" };
-    const harness = setupLaunchDeps();
+    
     const ctx = makeContext();
     registerCardSurface(ctx, "surface-pending");
     // Simulate `ui_show` having stamped a pending entry for this surface
@@ -491,7 +484,7 @@ describe("handleSurfaceAction — launch_conversation dispatch", () => {
     // persistent card aren't blocked behind a stale "owes-an-answer" flag.
     expect(ctx.pendingSurfaceActions.has("surface-pending")).toBe(false);
 
-    await harness.processStarted;
-    harness.resolveProcess();
+    await processStartedPromise;
+    resolveProcess();
   });
 });

package/src/daemon/__tests__/conversation-tool-setup.test.ts

@@ -18,17 +18,46 @@
  * first and is authoritative for structural support, so host_bash and
  * host_file_* are filtered out for chrome-extension regardless of the
  * hasNoClient flag.
+ *
+ * Cross-client exception (Phase 1): host_bash is allowed for non-host-proxy
+ * interfaces (e.g. "web") when at least one host_bash-capable client is
+ * connected via the event hub. host_file_* and host_browser remain filtered
+ * regardless (Phase 2).
  */
 
-import { describe, expect, test } from "bun:test";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+// ── Module-level mocks ─────────────────────────────────────────────
+
+// Control how many host_bash-capable clients the hub reports.
+let mockHostBashClientCount = 0;
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: (cap: string) => {
+      if (cap === "host_bash") {
+        return Array.from({ length: mockHostBashClientCount }, (_, i) => ({
+          clientId: `mock-client-${i}`,
+          capabilities: ["host_bash"],
+        }));
+      }
+      return [];
+    },
+  },
+  broadcastMessage: () => {},
+}));
 
-import type { SkillProjectionCache } from "../conversation-skill-tools.js";
-import {
+// Dynamic imports after mock.module calls so the stubs take effect
+// before the modules under test are loaded.
+const {
   HOST_TOOL_NAMES,
   HOST_TOOL_TO_CAPABILITY,
   isToolActiveForContext,
-  type SkillProjectionContext,
-} from "../conversation-tool-setup.js";
+} = await import("../conversation-tool-setup.js");
+type SkillProjectionContext =
+  import("../conversation-tool-setup.js").SkillProjectionContext;
+type SkillProjectionCache =
+  import("../conversation-skill-tools.js").SkillProjectionCache;
 
 function makeCtx(
   overrides: Partial<SkillProjectionContext> = {},
@@ -42,6 +71,10 @@ function makeCtx(
   };
 }
 
+beforeEach(() => {
+  mockHostBashClientCount = 0;
+});
+
 describe("isToolActiveForContext — host tool capability gating", () => {
   // macOS transport: SSE-based interactive approval required.
   test("host_bash is active for macOS with a connected client", () => {
@@ -176,6 +209,94 @@ describe("isToolActiveForContext — host tool capability gating", () => {
   });
 });
 
+describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)", () => {
+  test("host_bash is active for web transport when a host_bash-capable client is connected", () => {
+    // Cross-client path: a web turn should see host_bash when a macOS client
+    // with host_bash capability is connected via the event hub.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash is NOT active for web transport when no capable client is connected", () => {
+    // No cross-client fallback: hub has no host_bash-capable subscribers.
+    mockHostBashClientCount = 0;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_file_read is NOT active for web transport even when a capable client is connected (Phase 2 gate)", () => {
+    // The cross-client exception is scoped to host_bash only.
+    // host_file_* remain filtered for non-host-proxy interfaces regardless
+    // of connected clients until Phase 2 lands.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_file_read",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_bash for macos transport is unaffected by the cross-client exception", () => {
+    // macos natively supports host_bash via host proxy — the supportsHostProxy
+    // check passes, so the cross-client branch is never reached.
+    mockHostBashClientCount = 0;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "macos" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash for macos with no client is still denied (security invariant unaffected)", () => {
+    // Even with a capable client in the hub, the macos SSE path takes
+    // precedence — it passes the supportsHostProxy check, bypasses the
+    // cross-client branch, and reaches the hasNoClient gate.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_bash is NOT active for chrome-extension even when a capable client is connected", () => {
+    // Security boundary: chrome-extension only gets host_browser. The
+    // cross-client exception explicitly excludes chrome-extension transport
+    // regardless of how many host_bash-capable clients are in the hub.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "chrome-extension" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_bash is NOT active for web transport when hasNoClient is true (no approval UI)", () => {
+    // hasNoClient gate: no interactive approval UI available for this turn.
+    // Cross-client exception must not bypass this gate.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: "web" }),
+      ),
+    ).toBe(false);
+  });
+});
+
 describe("HOST_TOOL_NAMES derivation", () => {
   test("HOST_TOOL_NAMES is derived from HOST_TOOL_TO_CAPABILITY", () => {
     // Sanity check: every tool in the names set has a capability mapping.

package/src/daemon/__tests__/daemon-skill-host.test.ts

@@ -110,13 +110,8 @@ mock.module("../../runtime/assistant-event-hub.js", () => ({
 }));
 
 mock.module("../../runtime/assistant-event.js", () => ({
-  buildAssistantEvent: (
-    assistantId: string,
-    message: unknown,
-    conversationId?: string,
-  ) => ({
+  buildAssistantEvent: (message: unknown, conversationId?: string) => ({
     id: "evt-1",
-    assistantId,
     conversationId,
     emittedAt: "2024-01-01T00:00:00.000Z",
     message,
@@ -195,7 +190,6 @@ describe("createDaemonSkillHost", () => {
 
   test("identity normalizes a null assistant name to undefined", () => {
     expect(host.identity.getAssistantName()).toBeUndefined();
-    expect(host.identity.internalAssistantId).toBe("self");
   });
 
   test("platform methods return the stubbed values", () => {
@@ -243,11 +237,10 @@ describe("createDaemonSkillHost", () => {
 
   test("events.publish, subscribe, and buildEvent plumb through the hub", async () => {
     const evt = host.events.buildEvent({ type: "ping" }, "c1");
-    expect(evt.assistantId).toBe("self");
     expect(evt.conversationId).toBe("c1");
     await host.events.publish(evt);
     expect(publishSpy).toHaveBeenCalled();
-    const sub = host.events.subscribe({ assistantId: "self" }, () => undefined);
+    const sub = host.events.subscribe({}, () => undefined);
     expect(sub.active).toBe(true);
     expect(subscribeSpy).toHaveBeenCalled();
   });

package/src/daemon/bootstrap-turn-cleanup.ts

@@ -0,0 +1,45 @@
+import { getMessages, type MessageRow } from "../memory/conversation-crud.js";
+import { cleanupBootstrapFiles } from "../prompts/bootstrap-cleanup.js";
+import { getLogger } from "../util/logger.js";
+
+export const BOOTSTRAP_CLEANUP_USER_TURN_THRESHOLD = 4;
+
+const log = getLogger("bootstrap-turn-cleanup");
+
+function isWakeUpGreetingMessage(content: string): boolean {
+  return content.toLowerCase().includes("wake up, my friend");
+}
+
+export function countBootstrapUserTurns(
+  messages: Pick<MessageRow, "role" | "content">[],
+): number {
+  return messages.filter(
+    (message) =>
+      message.role === "user" && !isWakeUpGreetingMessage(message.content),
+  ).length;
+}
+
+export function shouldCleanupBootstrapAfterTurn(
+  messages: Pick<MessageRow, "role" | "content">[],
+  threshold = BOOTSTRAP_CLEANUP_USER_TURN_THRESHOLD,
+): boolean {
+  return countBootstrapUserTurns(messages) >= threshold;
+}
+
+export function cleanupBootstrapAfterTurnThreshold(
+  conversationId: string,
+): boolean {
+  let messages: MessageRow[];
+  try {
+    messages = getMessages(conversationId);
+  } catch (err) {
+    log.warn({ err, conversationId }, "Failed to inspect bootstrap turn count");
+    return false;
+  }
+
+  if (!shouldCleanupBootstrapAfterTurn(messages)) return false;
+
+  return cleanupBootstrapFiles(
+    `first conversation reached ${BOOTSTRAP_CLEANUP_USER_TURN_THRESHOLD} user turns`,
+  );
+}

package/src/daemon/config-watcher.ts

@@ -21,7 +21,6 @@ import { handleBashSignal } from "../signals/bash.js";
 import { handleCancelSignal } from "../signals/cancel.js";
 import { handleConversationUndoSignal } from "../signals/conversation-undo.js";
 import { handleEmitEventSignal } from "../signals/emit-event.js";
-import { handleMcpReloadSignal } from "../signals/mcp-reload.js";
 import { handleUserMessageSignal } from "../signals/user-message.js";
 import { DebouncerMap } from "../util/debounce.js";
 import { getLogger } from "../util/logger.js";
@@ -33,6 +32,7 @@ import {
   getWorkspaceDir,
   getWorkspaceSkillsDir,
 } from "../util/platform.js";
+import { reloadMcpServers } from "./mcp-reload-service.js";
 
 const log = getLogger("config-watcher");
 
@@ -151,7 +151,9 @@ export class ConfigWatcher {
             const newConfig = getConfig();
             const newMcpFingerprint = JSON.stringify(newConfig.mcp ?? {});
             if (newMcpFingerprint !== prevMcpFingerprint) {
-              handleMcpReloadSignal();
+              reloadMcpServers().catch((err: unknown) => {
+                log.error({ err }, "MCP reload after config change failed");
+              });
             }
           }
         } catch (err) {
@@ -331,7 +333,6 @@ export class ConfigWatcher {
 
     const exactSignalHandlers: Record<string, () => void | Promise<void>> = {
       cancel: handleCancelSignal,
-      "mcp-reload": handleMcpReloadSignal,
       "conversation-undo": handleConversationUndoSignal,
       "emit-event": handleEmitEventSignal,
     };

package/src/daemon/connection-policy.ts

@@ -1,32 +1,7 @@
 /**
- * Connection policy helpers for daemon autostart and authentication behavior.
- *
- * Token authentication is always required.
- * To explicitly disable auth (e.g. development/testing scenarios),
- * set VELLUM_DAEMON_NOAUTH=1 on both the daemon and the client.
- * This is an intentional opt-in to an unsafe mode — never enable it
- * on connections accessible to untrusted users.
+ * Connection policy helpers for daemon autostart behavior.
  */
 
-/**
- * True when the user has explicitly opted into unauthenticated connections
- * via VELLUM_DAEMON_NOAUTH=1.
- *
- * Requires VELLUM_UNSAFE_AUTH_BYPASS=1 as a safety gate to prevent
- * accidental production use.
- */
-export function hasNoAuthOverride(
-  env: Record<string, string | undefined> = process.env,
-): boolean {
-  const value = env.VELLUM_DAEMON_NOAUTH?.trim();
-  if (value !== "1" && value !== "true") return false;
-
-  const safetyGate = env.VELLUM_UNSAFE_AUTH_BYPASS?.trim();
-  if (safetyGate !== "1") return false;
-
-  return true;
-}
-
 export function shouldAutoStartDaemon(
   env: Record<string, string | undefined> = process.env,
 ): boolean {