@vellumai/assistant 0.7.1 → 0.7.2

package/src/backup/stream-crypt.ts

@@ -1,263 +0,0 @@
-/**
- * Streaming AES-256-GCM file encryption/decryption for backup bundles.
- *
- * The on-disk format is:
- *
- *   [12-byte IV][ciphertext...][16-byte GCM auth tag]
- *
- * Both encrypt and decrypt use Node streams so peak memory stays bounded
- * regardless of input size. This is important for backup archives which may
- * run to many gigabytes on larger workspaces.
- *
- * The key must be exactly 32 bytes (AES-256). The IV is randomly generated
- * per call, which is required for GCM semantic security — never reuse an
- * IV with the same key.
- */
-
-import {
-  createCipheriv,
-  createDecipheriv,
-  randomBytes,
-} from "node:crypto";
-import {
-  createReadStream,
-  createWriteStream,
-} from "node:fs";
-import { open, rename, stat, unlink } from "node:fs/promises";
-import { Readable, Writable } from "node:stream";
-import { pipeline } from "node:stream/promises";
-
-// ---------------------------------------------------------------------------
-// Constants
-// ---------------------------------------------------------------------------
-
-/** Size of the AES-GCM initialization vector prefix, in bytes. */
-export const ENCRYPTED_HEADER_SIZE = 12;
-
-/** Size of the AES-GCM authentication tag suffix, in bytes. */
-export const GCM_TAG_SIZE = 16;
-
-const ALGORITHM = "aes-256-gcm";
-const KEY_LENGTH = 32;
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-function assertKey(key: Buffer): void {
-  if (key.length !== KEY_LENGTH) {
-    throw new Error("Backup encryption key must be 32 bytes");
-  }
-}
-
-async function safeUnlink(path: string): Promise<void> {
-  try {
-    await unlink(path);
-  } catch {
-    // best-effort cleanup — swallow ENOENT and other errors
-  }
-}
-
-function tempPath(outputPath: string): string {
-  return `${outputPath}.tmp.${process.pid}.${randomBytes(4).toString("hex")}`;
-}
-
-// ---------------------------------------------------------------------------
-// Encrypt
-// ---------------------------------------------------------------------------
-
-/**
- * Stream-encrypt `inputPath` to `outputPath` using AES-256-GCM.
- *
- * Produces `[IV (12 bytes)][ciphertext][auth tag (16 bytes)]` in the output.
- * Writes to a temp file and atomically renames on success; unlinks the temp
- * file on any error so failed writes don't leave partial bundles behind.
- */
-export async function encryptFile(
-  inputPath: string,
-  outputPath: string,
-  key: Buffer,
-): Promise<void> {
-  assertKey(key);
-
-  const iv = randomBytes(ENCRYPTED_HEADER_SIZE);
-  const cipher = createCipheriv(ALGORITHM, key, iv);
-
-  const tmp = tempPath(outputPath);
-  const writeStream = createWriteStream(tmp);
-
-  try {
-    // Write IV first so decrypt can read it without knowing the ciphertext size.
-    await new Promise<void>((resolve, reject) => {
-      writeStream.write(iv, (err) => (err ? reject(err) : resolve()));
-    });
-
-    // Stream plaintext through the cipher into the output.
-    const readStream = createReadStream(inputPath);
-    await pipeline(readStream, cipher, writeStream, { end: false });
-
-    // Append the auth tag after the ciphertext body.
-    const tag = cipher.getAuthTag();
-    await new Promise<void>((resolve, reject) => {
-      writeStream.write(tag, (err) => (err ? reject(err) : resolve()));
-    });
-
-    await new Promise<void>((resolve, reject) => {
-      writeStream.end((err?: Error | null) => (err ? reject(err) : resolve()));
-    });
-
-    await rename(tmp, outputPath);
-  } catch (err) {
-    // Make sure the write stream is closed before we try to unlink the temp file.
-    writeStream.destroy();
-    await safeUnlink(tmp);
-    throw err;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Decrypt
-// ---------------------------------------------------------------------------
-
-/**
- * Stream-decrypt `inputPath` to `outputPath`. Expects the on-disk format
- * produced by `encryptFile`: `[IV][ciphertext][auth tag]`.
- *
- * Reads the IV and auth tag via positional reads, then streams only the
- * ciphertext body through the decipher. Atomic tmp + rename semantics.
- */
-export async function decryptFile(
-  inputPath: string,
-  outputPath: string,
-  key: Buffer,
-): Promise<void> {
-  assertKey(key);
-
-  const info = await stat(inputPath);
-  const totalSize = info.size;
-  const minSize = ENCRYPTED_HEADER_SIZE + GCM_TAG_SIZE;
-  if (totalSize < minSize) {
-    throw new Error(
-      `Encrypted file is too small: ${totalSize} bytes (need at least ${minSize})`,
-    );
-  }
-
-  // Read IV (first 12 bytes) and auth tag (last 16 bytes) via positional reads.
-  const iv = Buffer.alloc(ENCRYPTED_HEADER_SIZE);
-  const tag = Buffer.alloc(GCM_TAG_SIZE);
-  const fh = await open(inputPath, "r");
-  try {
-    await fh.read(iv, 0, ENCRYPTED_HEADER_SIZE, 0);
-    await fh.read(tag, 0, GCM_TAG_SIZE, totalSize - GCM_TAG_SIZE);
-  } finally {
-    await fh.close();
-  }
-
-  const decipher = createDecipheriv(ALGORITHM, key, iv);
-  decipher.setAuthTag(tag);
-
-  const ciphertextStart = ENCRYPTED_HEADER_SIZE;
-  const ciphertextEnd = totalSize - GCM_TAG_SIZE - 1; // createReadStream end is inclusive
-  const hasCiphertext = ciphertextEnd >= ciphertextStart;
-
-  const tmp = tempPath(outputPath);
-  const writeStream = createWriteStream(tmp);
-
-  try {
-    const ciphertextStream = hasCiphertext
-      ? createReadStream(inputPath, {
-          start: ciphertextStart,
-          end: ciphertextEnd,
-        })
-      : Readable.from([]);
-
-    // pipeline consumes the ciphertext, pushes it through the decipher, and
-    // calls decipher.final() at the end — which is where auth tag verification
-    // happens. A bad tag surfaces here as a thrown error.
-    await pipeline(ciphertextStream, decipher, writeStream);
-
-    await rename(tmp, outputPath);
-  } catch (err) {
-    writeStream.destroy();
-    await safeUnlink(tmp);
-    throw err;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Verify
-// ---------------------------------------------------------------------------
-
-/**
- * Verify that `path` is a valid AES-256-GCM encrypted bundle for `key`.
- *
- * Streams the ciphertext through the decipher into a null sink and relies on
- * `decipher.final()` to either succeed (tag matches) or throw (tamper / wrong
- * key). No scratch file is written, so a full or read-only tmpdir cannot
- * cause a healthy backup to be reported as invalid.
- *
- * Returns `true` if the bundle authenticates, `false` on a cryptographic
- * failure (bad auth tag, wrong key, truncated/short input). Filesystem errors
- * on the *source* file (ENOENT, EACCES, EIO, …) are rethrown so callers can
- * distinguish tamper from transient I/O.
- */
-export async function verifyEncryptedFile(
-  path: string,
-  key: Buffer,
-): Promise<boolean> {
-  assertKey(key);
-
-  const info = await stat(path);
-  const totalSize = info.size;
-  const minSize = ENCRYPTED_HEADER_SIZE + GCM_TAG_SIZE;
-  if (totalSize < minSize) {
-    // Too short to contain an IV + tag — not a valid bundle.
-    return false;
-  }
-
-  const iv = Buffer.alloc(ENCRYPTED_HEADER_SIZE);
-  const tag = Buffer.alloc(GCM_TAG_SIZE);
-  const fh = await open(path, "r");
-  try {
-    await fh.read(iv, 0, ENCRYPTED_HEADER_SIZE, 0);
-    await fh.read(tag, 0, GCM_TAG_SIZE, totalSize - GCM_TAG_SIZE);
-  } finally {
-    await fh.close();
-  }
-
-  const decipher = createDecipheriv(ALGORITHM, key, iv);
-  decipher.setAuthTag(tag);
-
-  const ciphertextStart = ENCRYPTED_HEADER_SIZE;
-  const ciphertextEnd = totalSize - GCM_TAG_SIZE - 1;
-  const hasCiphertext = ciphertextEnd >= ciphertextStart;
-  const ciphertextStream = hasCiphertext
-    ? createReadStream(path, { start: ciphertextStart, end: ciphertextEnd })
-    : Readable.from([]);
-
-  // Discard-only sink — verification never touches scratch disk.
-  const nullSink = new Writable({
-    write(_chunk, _encoding, cb) {
-      cb();
-    },
-  });
-
-  try {
-    await pipeline(ciphertextStream, decipher, nullSink);
-    return true;
-  } catch (err) {
-    if (isFilesystemError(err)) {
-      throw err;
-    }
-    return false;
-  }
-}
-
-// Node errno exceptions surface as uppercase `E`-prefixed codes (ENOENT,
-// EACCES, ENOSPC, EIO, EROFS, …). Crypto errors use `ERR_*` codes or no code
-// at all, so the regex rules them out.
-function isFilesystemError(err: unknown): boolean {
-  if (!err || typeof err !== "object") return false;
-  const code = (err as { code?: unknown }).code;
-  return typeof code === "string" && /^E[A-Z]+$/.test(code);
-}

package/src/daemon/message-types/pairing.ts

@@ -1,58 +0,0 @@
-// Pairing approval and approved-device management types.
-
-// === Client → Server ===
-
-export interface PairingApprovalResponse {
-  type: "pairing_approval_response";
-  pairingRequestId: string;
-  decision: "approve_once" | "always_allow" | "deny";
-}
-
-export interface ApprovedDevicesList {
-  type: "approved_devices_list";
-}
-
-export interface ApprovedDeviceRemove {
-  type: "approved_device_remove";
-  hashedDeviceId: string;
-}
-
-export interface ApprovedDevicesClear {
-  type: "approved_devices_clear";
-}
-
-// === Server → Client ===
-
-export interface PairingApprovalRequest {
-  type: "pairing_approval_request";
-  pairingRequestId: string;
-  deviceId: string;
-  deviceName: string;
-}
-
-export interface ApprovedDevicesListResponse {
-  type: "approved_devices_list_response";
-  devices: Array<{
-    hashedDeviceId: string;
-    deviceName: string;
-    lastPairedAt: number;
-  }>;
-}
-
-export interface ApprovedDeviceRemoveResponse {
-  type: "approved_device_remove_response";
-  success: boolean;
-}
-
-// --- Domain-level union aliases (consumed by the barrel file) ---
-
-export type _PairingClientMessages =
-  | PairingApprovalResponse
-  | ApprovedDevicesList
-  | ApprovedDeviceRemove
-  | ApprovedDevicesClear;
-
-export type _PairingServerMessages =
-  | PairingApprovalRequest
-  | ApprovedDevicesListResponse
-  | ApprovedDeviceRemoveResponse;

package/src/outbound-proxy/config.ts

@@ -1,20 +0,0 @@
-/**
- * Configuration for the standalone proxy sidecar server.
- *
- * All values are sourced from environment variables with sensible defaults.
- * Invalid values cause the process to exit with a descriptive error so
- * misconfigurations are caught immediately at startup.
- */
-
-export interface SidecarConfig {
-  /** Port the proxy server listens on. */
-  port: number;
-  /** Host address to bind to. */
-  host: string;
-  /** Port for the health/readiness HTTP server. */
-  healthPort: number;
-  /** Optional CA directory for MITM interception (contains ca.pem / ca-key.pem). */
-  caDir: string | null;
-  /** Log level for the sidecar process. */
-  logLevel: "debug" | "info" | "warn" | "error";
-}

package/src/outbound-proxy/health.ts

@@ -1,18 +0,0 @@
-/**
- * Health / readiness HTTP server for the proxy sidecar.
- *
- * Exposes two endpoints on a separate control port:
- *   GET /healthz  - Liveness probe. Returns 200 whenever the process is alive.
- *   GET /readyz   - Readiness probe. Returns 200 only when the proxy server
- *                   is listening and ready to accept connections.
- *
- * All other paths return 404. Non-GET methods return 405.
- */
-
-export interface HealthServerOptions {
-  /**
-   * Callback that returns `true` when the proxy server is ready to accept
-   * connections. The readiness probe delegates to this function.
-   */
-  isReady: () => boolean;
-}

package/src/outbound-proxy/types.ts

@@ -1,150 +0,0 @@
-/** How a credential value is injected into an outbound proxied request. */
-export type CredentialInjectionType = "header" | "query";
-
-/**
- * Describes where and how to inject a credential into proxied requests
- * matching a specific host pattern.
- */
-export interface CredentialInjectionTemplate {
-  /** Glob pattern for matching request hosts (e.g. "*.fal.ai"). */
-  hostPattern: string;
-  /** Where the credential value is injected. */
-  injectionType: CredentialInjectionType;
-  /** Header name when injectionType is 'header' (e.g. "Authorization"). */
-  headerName?: string;
-  /** Prefix prepended to the secret value (e.g. "Key ", "Bearer "). */
-  valuePrefix?: string;
-  /** Query parameter name when injectionType is 'query'. */
-  queryParamName?: string;
-}
-
-/** Unique identifier for a proxy session. */
-export type ProxySessionId = string;
-
-export type ProxySessionStatus = "starting" | "active" | "stopping" | "stopped";
-
-export interface ProxySession {
-  id: ProxySessionId;
-  conversationId: string;
-  credentialIds: string[];
-  status: ProxySessionStatus;
-  createdAt: Date;
-  /** Ephemeral port assigned once the session starts listening. */
-  port: number | null;
-}
-
-export interface ProxySessionConfig {
-  /** How long (ms) an idle session stays alive before auto-stopping. */
-  idleTimeoutMs: number;
-  /** Maximum concurrent sessions per conversation. */
-  maxSessionsPerConversation: number;
-}
-
-export interface ProxyEnvVars {
-  HTTP_PROXY: string;
-  HTTPS_PROXY: string;
-  NO_PROXY: string;
-  NODE_EXTRA_CA_CERTS?: string;
-  /** Combined CA bundle (system roots + proxy CA) for non-Node TLS clients (curl, Python, etc.). */
-  SSL_CERT_FILE?: string;
-}
-
-// ---------------------------------------------------------------------------
-// Policy engine types
-// ---------------------------------------------------------------------------
-
-/** A single credential matched -- inject it. */
-export interface PolicyDecisionMatched {
-  kind: "matched";
-  credentialId: string;
-  template: CredentialInjectionTemplate;
-}
-
-/** Multiple credentials match -- caller must disambiguate. */
-export interface PolicyDecisionAmbiguous {
-  kind: "ambiguous";
-  candidates: Array<{
-    credentialId: string;
-    template: CredentialInjectionTemplate;
-  }>;
-}
-
-/** No credential matches the target host/path. */
-export interface PolicyDecisionMissing {
-  kind: "missing";
-}
-
-/** No credential_ids were requested -- pass-through. */
-export interface PolicyDecisionUnauthenticated {
-  kind: "unauthenticated";
-}
-
-// ---------------------------------------------------------------------------
-// Approval hook outcomes -- structured data for triggering permission prompts.
-// ---------------------------------------------------------------------------
-
-/** Context about the outbound request target, used to build permission prompts. */
-export interface RequestTargetContext {
-  hostname: string;
-  port: number | null;
-  path: string;
-  /** The protocol scheme of the original request ('http' or 'https'). */
-  scheme: "http" | "https";
-}
-
-/**
- * The target host matches a known credential template pattern, but the
- * session has no credential bound for it. The UI should prompt the user
- * to bind or create a credential.
- */
-export interface PolicyDecisionAskMissingCredential {
-  kind: "ask_missing_credential";
-  target: RequestTargetContext;
-  /** Host patterns from the known registry that matched the target. */
-  matchingPatterns: string[];
-}
-
-/**
- * The request doesn't match any known credential template and the session
- * has no credentials. The UI should prompt the user to allow or deny the
- * unauthenticated request.
- */
-export interface PolicyDecisionAskUnauthenticated {
-  kind: "ask_unauthenticated";
-  target: RequestTargetContext;
-}
-
-export type PolicyDecision =
-  | PolicyDecisionMatched
-  | PolicyDecisionAmbiguous
-  | PolicyDecisionMissing
-  | PolicyDecisionUnauthenticated
-  | PolicyDecisionAskMissingCredential
-  | PolicyDecisionAskUnauthenticated;
-
-// ---------------------------------------------------------------------------
-// Proxy approval callback -- wires policy "ask" decisions to the UI prompter.
-// ---------------------------------------------------------------------------
-
-/**
- * Payload passed to the approval callback when the policy engine emits an
- * `ask_missing_credential` or `ask_unauthenticated` decision. Contains
- * enough context for the prompter to build a meaningful confirmation dialog.
- */
-export interface ProxyApprovalRequest {
-  /** The policy decision that triggered the approval prompt. */
-  decision:
-    | PolicyDecisionAskMissingCredential
-    | PolicyDecisionAskUnauthenticated;
-  /** The proxy session ID that originated the request. */
-  sessionId: ProxySessionId;
-}
-
-/**
- * Callback signature for proxy approval prompts. The proxy service calls
- * this when an outbound request requires user confirmation. Returns `true`
- * if the user approves, `false` if denied.
- */
-export type ProxyApprovalCallback = (
-  request: ProxyApprovalRequest,
-) => Promise<boolean>;

package/src/runtime/capability-tokens.ts

@@ -1,190 +0,0 @@
-/**
- * Capability token verification for scoped, short-lived tokens issued to the
- * chrome extension (and other thin clients).
- *
- * Both minting and verification are owned by the gateway
- * (`gateway/src/auth/capability-tokens.ts`). The daemon delegates
- * verification to the gateway via IPC so it never needs to read the
- * HMAC secret from the filesystem.
- *
- * Test-only helpers (`mintHostBrowserCapability`,
- * `setCapabilityTokenSecretForTests`, `resetCapabilityTokenSecretForTests`)
- * implement the same HMAC logic in-process so assistant tests can create
- * and verify tokens without a live gateway.
- */
-
-import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
-
-import { ipcCall } from "../ipc/gateway-client.js";
-import { getLogger } from "../util/logger.js";
-
-const log = getLogger("capability-tokens");
-
-// ---------------------------------------------------------------------------
-// Types (mirror the gateway's types for consumer convenience)
-// ---------------------------------------------------------------------------
-
-/** Capability identifiers that can be bound to a capability token. */
-export type Capability = "host_browser_command";
-
-/** Claims encoded in the signed payload. */
-export interface CapabilityClaims {
-  capability: Capability;
-  guardianId: string;
-  /** 16-byte random nonce, hex-encoded. Prevents replay across fresh mints. */
-  nonce: string;
-  /** ms-since-epoch expiry. */
-  expiresAt: number;
-}
-
-/** A freshly-minted capability token and its absolute expiry. */
-export interface CapabilityToken {
-  token: string;
-  expiresAt: number;
-}
-
-// ---------------------------------------------------------------------------
-// In-process HMAC helpers (shared between test mint/verify and IPC verify)
-// ---------------------------------------------------------------------------
-
-let _testSecret: Buffer | undefined;
-
-function base64urlEncode(buf: Buffer): string {
-  return buf
-    .toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
-}
-
-function base64urlDecode(s: string): Buffer {
-  const pad = s.length % 4 === 0 ? 0 : 4 - (s.length % 4);
-  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat(pad);
-  return Buffer.from(b64, "base64");
-}
-
-function sign(payload: string, secret: Buffer): string {
-  return base64urlEncode(createHmac("sha256", secret).update(payload).digest());
-}
-
-// ---------------------------------------------------------------------------
-// Verify (production: gateway IPC, test: in-process)
-// ---------------------------------------------------------------------------
-
-/**
- * Verify a capability token.
- *
- * In production, delegates to the gateway via IPC. In tests (when a
- * secret has been injected via `setCapabilityTokenSecretForTests`),
- * verifies in-process so tests don't need a live gateway.
- *
- * Returns the decoded claims on success or null on any failure.
- */
-export async function verifyHostBrowserCapability(
-  token: string,
-): Promise<CapabilityClaims | null> {
-  if (typeof token !== "string" || token.length === 0) return null;
-
-  // Test path: in-process verification with the injected secret.
-  if (_testSecret) {
-    return verifyInProcess(token, _testSecret);
-  }
-
-  // Production path: delegate to the gateway.
-  try {
-    const result = await ipcCall("verify_capability_token", { token });
-    if (!result || typeof result !== "object") return null;
-
-    const claims = result as Record<string, unknown>;
-    if (claims.valid === false) return null;
-    if (claims.capability !== "host_browser_command") return null;
-    if (
-      typeof claims.guardianId !== "string" ||
-      claims.guardianId.length === 0
-    ) {
-      return null;
-    }
-
-    return claims as unknown as CapabilityClaims;
-  } catch (err) {
-    log.warn({ err }, "Failed to verify capability token via gateway IPC");
-    return null;
-  }
-}
-
-function verifyInProcess(
-  token: string,
-  secret: Buffer,
-): CapabilityClaims | null {
-  const dot = token.indexOf(".");
-  if (dot < 0) return null;
-  const payload = token.slice(0, dot);
-  const sig = token.slice(dot + 1);
-  if (!payload || !sig) return null;
-
-  const expected = sign(payload, secret);
-  const a = Buffer.from(sig, "utf8");
-  const b = Buffer.from(expected, "utf8");
-  if (a.length !== b.length) return null;
-  if (!timingSafeEqual(a, b)) return null;
-
-  let claims: CapabilityClaims;
-  try {
-    claims = JSON.parse(
-      base64urlDecode(payload).toString("utf8"),
-    ) as CapabilityClaims;
-  } catch {
-    return null;
-  }
-
-  if (!claims || typeof claims !== "object") return null;
-  if (claims.capability !== "host_browser_command") return null;
-  if (typeof claims.guardianId !== "string" || claims.guardianId.length === 0) {
-    return null;
-  }
-  if (typeof claims.expiresAt !== "number" || claims.expiresAt <= Date.now()) {
-    return null;
-  }
-  return claims;
-}
-
-// ---------------------------------------------------------------------------
-// Test-only helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Mint a capability token in-process. Test-only — production minting is
- * done by the gateway.
- */
-export function mintHostBrowserCapability(
-  guardianId: string,
-  ttlMs: number = 30 * 60 * 1000,
-): CapabilityToken {
-  const secret = _testSecret;
-  if (!secret) {
-    throw new Error(
-      "capability token secret not set — call setCapabilityTokenSecretForTests() first",
-    );
-  }
-  const expiresAt = Date.now() + ttlMs;
-  const nonce = randomBytes(16).toString("hex");
-  const claims: CapabilityClaims = {
-    capability: "host_browser_command",
-    guardianId,
-    nonce,
-    expiresAt,
-  };
-  const payload = base64urlEncode(Buffer.from(JSON.stringify(claims), "utf8"));
-  const sig = sign(payload, secret);
-  return { token: `${payload}.${sig}`, expiresAt };
-}
-
-/** Inject a deterministic secret for tests. */
-export function setCapabilityTokenSecretForTests(secret: Buffer): void {
-  _testSecret = secret;
-}
-
-/** Reset the test secret. */
-export function resetCapabilityTokenSecretForTests(): void {
-  _testSecret = undefined;
-}