@vellumai/assistant 0.7.1 → 0.7.2

package/src/daemon/__tests__/conversation-tool-setup.test.ts

@@ -18,17 +18,46 @@
  * first and is authoritative for structural support, so host_bash and
  * host_file_* are filtered out for chrome-extension regardless of the
  * hasNoClient flag.
+ *
+ * Cross-client exception (Phase 1): host_bash is allowed for non-host-proxy
+ * interfaces (e.g. "web") when at least one host_bash-capable client is
+ * connected via the event hub. host_file_* and host_browser remain filtered
+ * regardless (Phase 2).
  */
 
-import { describe, expect, test } from "bun:test";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+// ── Module-level mocks ─────────────────────────────────────────────
+
+// Control how many host_bash-capable clients the hub reports.
+let mockHostBashClientCount = 0;
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: (cap: string) => {
+      if (cap === "host_bash") {
+        return Array.from({ length: mockHostBashClientCount }, (_, i) => ({
+          clientId: `mock-client-${i}`,
+          capabilities: ["host_bash"],
+        }));
+      }
+      return [];
+    },
+  },
+  broadcastMessage: () => {},
+}));
 
-import type { SkillProjectionCache } from "../conversation-skill-tools.js";
-import {
+// Dynamic imports after mock.module calls so the stubs take effect
+// before the modules under test are loaded.
+const {
   HOST_TOOL_NAMES,
   HOST_TOOL_TO_CAPABILITY,
   isToolActiveForContext,
-  type SkillProjectionContext,
-} from "../conversation-tool-setup.js";
+} = await import("../conversation-tool-setup.js");
+type SkillProjectionContext =
+  import("../conversation-tool-setup.js").SkillProjectionContext;
+type SkillProjectionCache =
+  import("../conversation-skill-tools.js").SkillProjectionCache;
 
 function makeCtx(
   overrides: Partial<SkillProjectionContext> = {},
@@ -42,6 +71,10 @@ function makeCtx(
   };
 }
 
+beforeEach(() => {
+  mockHostBashClientCount = 0;
+});
+
 describe("isToolActiveForContext — host tool capability gating", () => {
   // macOS transport: SSE-based interactive approval required.
   test("host_bash is active for macOS with a connected client", () => {
@@ -176,6 +209,94 @@ describe("isToolActiveForContext — host tool capability gating", () => {
   });
 });
 
+describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)", () => {
+  test("host_bash is active for web transport when a host_bash-capable client is connected", () => {
+    // Cross-client path: a web turn should see host_bash when a macOS client
+    // with host_bash capability is connected via the event hub.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash is NOT active for web transport when no capable client is connected", () => {
+    // No cross-client fallback: hub has no host_bash-capable subscribers.
+    mockHostBashClientCount = 0;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_file_read is NOT active for web transport even when a capable client is connected (Phase 2 gate)", () => {
+    // The cross-client exception is scoped to host_bash only.
+    // host_file_* remain filtered for non-host-proxy interfaces regardless
+    // of connected clients until Phase 2 lands.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_file_read",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_bash for macos transport is unaffected by the cross-client exception", () => {
+    // macos natively supports host_bash via host proxy — the supportsHostProxy
+    // check passes, so the cross-client branch is never reached.
+    mockHostBashClientCount = 0;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "macos" }),
+      ),
+    ).toBe(true);
+  });
+
+  test("host_bash for macos with no client is still denied (security invariant unaffected)", () => {
+    // Even with a capable client in the hub, the macos SSE path takes
+    // precedence — it passes the supportsHostProxy check, bypasses the
+    // cross-client branch, and reaches the hasNoClient gate.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: "macos" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_bash is NOT active for chrome-extension even when a capable client is connected", () => {
+    // Security boundary: chrome-extension only gets host_browser. The
+    // cross-client exception explicitly excludes chrome-extension transport
+    // regardless of how many host_bash-capable clients are in the hub.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: false, transportInterface: "chrome-extension" }),
+      ),
+    ).toBe(false);
+  });
+
+  test("host_bash is NOT active for web transport when hasNoClient is true (no approval UI)", () => {
+    // hasNoClient gate: no interactive approval UI available for this turn.
+    // Cross-client exception must not bypass this gate.
+    mockHostBashClientCount = 1;
+    expect(
+      isToolActiveForContext(
+        "host_bash",
+        makeCtx({ hasNoClient: true, transportInterface: "web" }),
+      ),
+    ).toBe(false);
+  });
+});
+
 describe("HOST_TOOL_NAMES derivation", () => {
   test("HOST_TOOL_NAMES is derived from HOST_TOOL_TO_CAPABILITY", () => {
     // Sanity check: every tool in the names set has a capability mapping.

package/src/daemon/bootstrap-turn-cleanup.ts

@@ -0,0 +1,45 @@
+import { getMessages, type MessageRow } from "../memory/conversation-crud.js";
+import { cleanupBootstrapFiles } from "../prompts/bootstrap-cleanup.js";
+import { getLogger } from "../util/logger.js";
+
+export const BOOTSTRAP_CLEANUP_USER_TURN_THRESHOLD = 4;
+
+const log = getLogger("bootstrap-turn-cleanup");
+
+function isWakeUpGreetingMessage(content: string): boolean {
+  return content.toLowerCase().includes("wake up, my friend");
+}
+
+export function countBootstrapUserTurns(
+  messages: Pick<MessageRow, "role" | "content">[],
+): number {
+  return messages.filter(
+    (message) =>
+      message.role === "user" && !isWakeUpGreetingMessage(message.content),
+  ).length;
+}
+
+export function shouldCleanupBootstrapAfterTurn(
+  messages: Pick<MessageRow, "role" | "content">[],
+  threshold = BOOTSTRAP_CLEANUP_USER_TURN_THRESHOLD,
+): boolean {
+  return countBootstrapUserTurns(messages) >= threshold;
+}
+
+export function cleanupBootstrapAfterTurnThreshold(
+  conversationId: string,
+): boolean {
+  let messages: MessageRow[];
+  try {
+    messages = getMessages(conversationId);
+  } catch (err) {
+    log.warn({ err, conversationId }, "Failed to inspect bootstrap turn count");
+    return false;
+  }
+
+  if (!shouldCleanupBootstrapAfterTurn(messages)) return false;
+
+  return cleanupBootstrapFiles(
+    `first conversation reached ${BOOTSTRAP_CLEANUP_USER_TURN_THRESHOLD} user turns`,
+  );
+}

package/src/daemon/config-watcher.ts

@@ -21,7 +21,6 @@ import { handleBashSignal } from "../signals/bash.js";
 import { handleCancelSignal } from "../signals/cancel.js";
 import { handleConversationUndoSignal } from "../signals/conversation-undo.js";
 import { handleEmitEventSignal } from "../signals/emit-event.js";
-import { handleMcpReloadSignal } from "../signals/mcp-reload.js";
 import { handleUserMessageSignal } from "../signals/user-message.js";
 import { DebouncerMap } from "../util/debounce.js";
 import { getLogger } from "../util/logger.js";
@@ -33,6 +32,7 @@ import {
   getWorkspaceDir,
   getWorkspaceSkillsDir,
 } from "../util/platform.js";
+import { reloadMcpServers } from "./mcp-reload-service.js";
 
 const log = getLogger("config-watcher");
 
@@ -151,7 +151,9 @@ export class ConfigWatcher {
             const newConfig = getConfig();
             const newMcpFingerprint = JSON.stringify(newConfig.mcp ?? {});
             if (newMcpFingerprint !== prevMcpFingerprint) {
-              handleMcpReloadSignal();
+              reloadMcpServers().catch((err: unknown) => {
+                log.error({ err }, "MCP reload after config change failed");
+              });
             }
           }
         } catch (err) {
@@ -331,7 +333,6 @@ export class ConfigWatcher {
 
     const exactSignalHandlers: Record<string, () => void | Promise<void>> = {
       cancel: handleCancelSignal,
-      "mcp-reload": handleMcpReloadSignal,
       "conversation-undo": handleConversationUndoSignal,
       "emit-event": handleEmitEventSignal,
     };

package/src/daemon/conversation-agent-loop-handlers.ts

@@ -43,6 +43,7 @@ import type {
 } from "../plugins/types.js";
 import type { ContentBlock, ImageContent } from "../providers/types.js";
 import { isContextOverflowError } from "../providers/types.js";
+import { redactSecrets } from "../security/secret-scanner.js";
 import { ProviderError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
 import type { DirectiveRequest } from "./assistant-attachments.js";
@@ -804,10 +805,16 @@ export async function handleMessageComplete(
       ([toolUseId, result]) => ({
         type: "tool_result",
         tool_use_id: toolUseId,
-        content: result.content,
+        content: redactSecrets(result.content),
         is_error: result.isError,
         ...(result.contentBlocks
-          ? { contentBlocks: result.contentBlocks }
+          ? {
+              contentBlocks: result.contentBlocks.map((block) =>
+                block.type === "text"
+                  ? { ...block, text: redactSecrets(block.text) }
+                  : block,
+              ),
+            }
           : {}),
       }),
     );
@@ -929,6 +936,17 @@ export async function handleMessageComplete(
       );
     }
   }
+  // Redact known-pattern secrets from assistant text blocks before they are
+  // written to durable storage. Non-text blocks (images, UI surfaces) pass
+  // through unchanged. The live model history retains the original values.
+  const contentForPersistence = contentWithSurfaces.map((block) => {
+    if (block.type === "text") {
+      const tb = block as Extract<ContentBlock, { type: "text" }>;
+      return { ...tb, text: redactSecrets(tb.text) };
+    }
+    return block;
+  });
+
   // Route the assistant-message persistence through the `persistence`
   // pipeline. No `syncToDisk` here — the orchestrator separately invokes
   // `syncMessageToDisk` on `state.lastAssistantMessageId` after the loop
@@ -941,7 +959,7 @@ export async function handleMessageComplete(
       op: "add",
       conversationId: deps.ctx.conversationId,
       role: "assistant",
-      content: JSON.stringify(contentWithSurfaces),
+      content: JSON.stringify(contentForPersistence),
       metadata: assistantChannelMetadata,
     },
     buildHandlerTurnContext(deps),

package/src/daemon/conversation-agent-loop.ts

@@ -24,7 +24,6 @@ import type {
   TurnChannelContext,
   TurnInterfaceContext,
 } from "../channels/types.js";
-import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import {
   contextWindowConfigFromEffective,
   resolveEffectiveContextWindow,
@@ -115,6 +114,7 @@ import type {
 import type { Provider } from "../providers/types.js";
 import { resolveActorTrust } from "../runtime/actor-trust-resolver.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
+import { redactSecrets } from "../security/secret-scanner.js";
 import { getSubagentManager } from "../subagent/index.js";
 import type { UsageActor } from "../usage/actors.js";
 import { getLogger } from "../util/logger.js";
@@ -127,6 +127,7 @@ import {
   type AssistantAttachmentDraft,
   cleanAssistantContent,
 } from "./assistant-attachments.js";
+import { cleanupBootstrapAfterTurnThreshold } from "./bootstrap-turn-cleanup.js";
 import { resolveOverflowAction } from "./context-overflow-policy.js";
 import {
   createInitialReducerState,
@@ -2533,10 +2534,16 @@ export async function runAgentLoopImpl(
       ).map(([toolUseId, result]) => ({
         type: "tool_result",
         tool_use_id: toolUseId,
-        content: result.content,
+        content: redactSecrets(result.content),
         is_error: result.isError,
         ...(result.contentBlocks
-          ? { contentBlocks: result.contentBlocks }
+          ? {
+              contentBlocks: result.contentBlocks.map((block) =>
+                block.type === "text"
+                  ? { ...block, text: redactSecrets(block.text) }
+                  : block,
+              ),
+            }
           : {}),
       }));
       const toolResultMetadata = {
@@ -2619,34 +2626,29 @@ export async function runAgentLoopImpl(
 
     // Post-turn tool result truncation: save large results to disk and
     // replace in-context content with a prefix/suffix stub + file pointer.
-    if (isAssistantFeatureFlagEnabled("tool-result-truncation", config)) {
-      try {
-        const conv = getConversation(ctx.conversationId);
-        if (conv) {
-          const convDir = getResolvedConversationDirPath(
-            ctx.conversationId,
-            conv.createdAt,
+    try {
+      const conv = getConversation(ctx.conversationId);
+      if (conv) {
+        const convDir = getResolvedConversationDirPath(
+          ctx.conversationId,
+          conv.createdAt,
+        );
+        const { messages: derefMessages, dereferencedCount } =
+          derefToolResultReReads(restoredHistory);
+        const { messages: truncatedMessages, truncatedCount } =
+          postTurnTruncateToolResults(derefMessages, {
+            conversationDir: convDir,
+          });
+        if (truncatedCount > 0 || dereferencedCount > 0) {
+          rlog.info(
+            { truncatedCount, dereferencedCount },
+            "Post-turn tool result truncation applied",
           );
-          const { messages: derefMessages, dereferencedCount } =
-            derefToolResultReReads(restoredHistory);
-          const { messages: truncatedMessages, truncatedCount } =
-            postTurnTruncateToolResults(derefMessages, {
-              conversationDir: convDir,
-            });
-          if (truncatedCount > 0 || dereferencedCount > 0) {
-            rlog.info(
-              { truncatedCount, dereferencedCount },
-              "Post-turn tool result truncation applied",
-            );
-          }
-          restoredHistory = truncatedMessages;
         }
-      } catch (err) {
-        rlog.warn(
-          { err },
-          "Post-turn tool result truncation failed (non-fatal)",
-        );
+        restoredHistory = truncatedMessages;
       }
+    } catch (err) {
+      rlog.warn({ err }, "Post-turn tool result truncation failed (non-fatal)");
     }
 
     // Persist injections in history: runtime-injected context stays on
@@ -2940,6 +2942,8 @@ export async function runAgentLoopImpl(
     }
   } finally {
     if (turnStarted) {
+      cleanupBootstrapAfterTurnThreshold(ctx.conversationId);
+
       ctx.turnCount++;
       const config = getConfig();
       const maxWait = config.workspaceGit?.turnCommitMaxWaitMs ?? 4000;

package/src/daemon/conversation-lifecycle.ts

@@ -240,11 +240,18 @@ export async function loadFromDb(ctx: LoadFromDbContext): Promise<void> {
           }
 
           // Memory remains rehydrated on all rows (existing behavior).
+          // Strip any pre-existing wrapper before re-wrapping so historical
+          // rows persisted with the wrapper (v2 path before the
+          // injectedBlockText contract was unified with v1's unwrapped form)
+          // don't render double-wrapped after rehydrate.
           if (typeof meta.memoryInjectedBlock === "string") {
+            const inner = meta.memoryInjectedBlock
+              .replace(/^<memory>\n/, "")
+              .replace(/\n<\/memory>$/, "");
             content = [
               {
                 type: "text" as const,
-                text: `<memory>\n${meta.memoryInjectedBlock}\n</memory>`,
+                text: `<memory>\n${inner}\n</memory>`,
               },
               ...content,
             ];

package/src/daemon/conversation-process.ts

@@ -14,7 +14,6 @@ import {
 import {
   parseChannelId,
   parseInterfaceId,
-  supportsHostProxy,
   type TurnChannelContext,
   type TurnInterfaceContext,
 } from "../channels/types.js";
@@ -46,6 +45,7 @@ import {
   type SlashContext,
 } from "./conversation-slash.js";
 import { getModelInfo } from "./handlers/config-model.js";
+import { preactivateHostProxySkills } from "./host-proxy-preactivation.js";
 import type {
   ServerMessage,
   UsageStats,
@@ -425,14 +425,19 @@ async function drainSingleMessage(
     conversation.applyHostEnvFromTransport(next.transport);
   }
 
-  // Preactivate computer-use skill for interactive desktop turns.
+  // Re-preactivate host-proxy skills for interactive desktop turns. The
+  // dequeue path reset `preactivatedSkillIds` above, so without these
+  // re-adds the relevant skill tools wouldn't be projected to the LLM
+  // for queued messages 2+ even though the underlying proxies (HostCuProxy,
+  // HostAppControlProxy) are still attached. Mirrors the per-message
+  // instantiation block in `conversation-routes.ts` / `process-message.ts`.
   if (next.isInteractive !== false) {
     const interfaceCtx =
       queuedInterfaceCtx ?? conversation.getTurnInterfaceContext();
-    const sourceInterface = interfaceCtx?.userMessageInterface;
-    if (sourceInterface && supportsHostProxy(sourceInterface)) {
-      conversation.addPreactivatedSkillId("computer-use");
-    }
+    preactivateHostProxySkills(
+      conversation,
+      interfaceCtx?.userMessageInterface,
+    );
   }
 
   // Snapshot persona context at turn start so later tool turns can't pick up
@@ -862,15 +867,15 @@ async function drainBatch(
     conversation.applyHostEnvFromTransport(head.transport);
   }
 
-  // Preactivate computer-use skill for interactive desktop turns.
+  // Re-preactivate host-proxy skills for interactive desktop turns.
   // Mirrors the single-message path exactly — sourced from `head`.
   if (head.isInteractive !== false) {
     const interfaceCtx =
       queuedInterfaceCtx ?? conversation.getTurnInterfaceContext();
-    const sourceInterface = interfaceCtx?.userMessageInterface;
-    if (sourceInterface && supportsHostProxy(sourceInterface)) {
-      conversation.addPreactivatedSkillId("computer-use");
-    }
+    preactivateHostProxySkills(
+      conversation,
+      interfaceCtx?.userMessageInterface,
+    );
   }
 
   // Snapshot persona context at turn start so later tool turns can't pick up

package/src/daemon/conversation-runtime-assembly.ts

@@ -1317,7 +1317,7 @@ export function getSlackCompactionWatermarkForPrefix(
   );
 }
 
-export function assembleSlackChronologicalContext(
+function assembleSlackChronologicalContext(
   rows: SlackTranscriptInputRow[],
   capabilities: ChannelCapabilities,
   options: {
@@ -1618,7 +1618,7 @@ const RUNTIME_INJECTION_PREFIXES = [
   "<memory_context __injected>",
   "<memory_context>", // backward-compat: strip legacy blocks from pre-__injected history
   // NOTE: `<memory>` blocks (both the dynamic activation block from
-  // `prependMemoryV2Block` and the static `memory-v2-static` injector) are
+  // `injectTextBlock` and the static `memory-v2-static` injector) are
   // intentionally NOT stripped — memory injections persist in history so
   // the assistant retains intra-turn memory state. The activation pipeline
   // dedupes via `everInjected`, and compaction handles aggregate growth, so