@vellumai/assistant 0.7.1 → 0.7.3

package/src/tools/host-filesystem/read.test.ts

@@ -0,0 +1,129 @@
+import { mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileReadTool } = await import("./read.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-read-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_read cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt", target_client_id: "abc-123" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable and path is non-image", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/nonexistent/x.txt" },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — instead we got the
+    // local FileSystemOps NOT_FOUND error.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("File not found");
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/nonexistent/x.txt", target_client_id: "stale-mac" },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the call
+    // must fall through to local FileSystemOps (NOT_FOUND for a fake path),
+    // NOT reject with "target client ... is no longer connected".
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("File not found");
+    expect(result.content).not.toContain("is no longer connected");
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt", target_client_id: "abc-123" },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // When transport metadata is missing we cannot rule out a non-host-proxy
+    // turn, so falling through to local fs would silently target the daemon
+    // container. The guard fires for both undefined transport AND
+    // non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+});

package/src/tools/host-filesystem/read.ts

@@ -1,8 +1,10 @@
 import { extname } from "node:path";
 
+import { supportsHostProxy } from "../../channels/types.js";
 import { HostFileProxy } from "../../daemon/host-file-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
+import { assistantEventHub } from "../../runtime/assistant-event-hub.js";
 import { FileSystemOps } from "../shared/filesystem/file-ops-service.js";
 import {
   IMAGE_EXTENSIONS,
@@ -37,6 +39,11 @@ class HostFileReadTool implements Tool {
             type: "number",
             description: "Maximum number of lines to read",
           },
+          target_client_id: {
+            type: "string",
+            description:
+              "ID of the specific client to execute this on. Required when multiple clients support host_file; omit when only one is connected. Obtain IDs from `assistant clients list --capability host_file`.",
+          },
         },
         required: ["path"],
       },
@@ -55,6 +62,64 @@ class HostFileReadTool implements Tool {
       };
     }
 
+    const targetClientId =
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
+        ? input.target_client_id
+        : undefined;
+
+    const transportInterface = context.transportInterface;
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      assistantEventHub.listClientsByCapability("host_file").length > 1
+    ) {
+      return {
+        content: `Error: multiple clients support host_file. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_file\` to see client IDs and labels.`,
+        isError: true,
+      };
+    }
+
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode),
     // including image reads that need the host filesystem view.
@@ -65,9 +130,12 @@ class HostFileReadTool implements Tool {
           path: rawPath,
           offset: typeof input.offset === "number" ? input.offset : undefined,
           limit: typeof input.limit === "number" ? input.limit : undefined,
+          targetClientId,
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/host-filesystem/transfer.test.ts

@@ -31,6 +31,15 @@ mock.module("../../daemon/host-transfer-proxy.js", () => ({
   },
 }));
 
+// Mirror read/write/edit test files: stub the event hub so the multi-client
+// guard at line ~100 of transfer.ts is exercised against an isolated stub
+// rather than the live process-wide singleton.
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
 const { hostFileTransferTool } = await import("./transfer.js");
 
 const testDirs: string[] = [];
@@ -50,8 +59,16 @@ function makeTempDir(): string {
   return dir;
 }
 
-function makeContext(workingDir: string): ToolContext {
-  return { workingDir, conversationId: "test-conv", trustClass: "guardian" };
+function makeContext(
+  workingDir: string,
+  transportInterface?: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
 }
 
 // ---------------------------------------------------------------------------
@@ -269,3 +286,111 @@ describe("host_file_transfer managed mode", () => {
     expect(toSandboxCalls.length).toBe(0);
   });
 });
+
+// ---------------------------------------------------------------------------
+// Cross-client guard tests
+// ---------------------------------------------------------------------------
+
+describe("host_file_transfer cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    // mockProxyAvailable defaults to false.
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: "out.txt",
+        direction: "to_sandbox",
+      },
+      makeContext(workingDir, "web"),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: "out.txt",
+        direction: "to_sandbox",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+    const destFile = join(workingDir, "should-not-exist.txt");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: destFile,
+        direction: "to_sandbox",
+        target_client_id: "abc-123",
+      },
+      // transportInterface intentionally omitted (legacy callers).
+      makeContext(workingDir),
+    );
+
+    // Without transport metadata, falling through to executeLocal would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(existsSync(destFile)).toBe(false);
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: Devin-flagged scope drift fix)", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+    const destFile = join(workingDir, "stale-target.txt");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: destFile,
+        direction: "to_sandbox",
+        target_client_id: "stale-mac",
+      },
+      makeContext(workingDir, "macos"),
+    );
+
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the local
+    // copy must succeed, NOT reject with "target client ... is no longer
+    // connected" or the older "target_client_id was specified but no host
+    // client is available" message.
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+});

package/src/tools/host-filesystem/transfer.ts

@@ -2,16 +2,18 @@ import { constants } from "node:fs";
 import { copyFile, lstat, mkdir, realpath } from "node:fs/promises";
 import { dirname, isAbsolute } from "node:path";
 
+import { supportsHostProxy } from "../../channels/types.js";
 import { HostTransferProxy } from "../../daemon/host-transfer-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
+import { assistantEventHub } from "../../runtime/assistant-event-hub.js";
 import { sandboxPolicy } from "../shared/filesystem/path-policy.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 
 class HostFileTransferTool implements Tool {
   name = "host_file_transfer";
   description =
-    "Copy a file between the assistant's workspace and the user's host machine. Set direction to 'to_host' to send a workspace file to the host, or 'to_sandbox' to pull a host file into the workspace.";
+    "Copy a file between the assistant's workspace and the user's host machine. Set direction to 'to_host' to send a workspace file to the host, or 'to_sandbox' to pull a host file into the workspace. When multiple clients support host_file, specify which one to use with target_client_id.";
   category = "host-filesystem";
   defaultRiskLevel = RiskLevel.Medium;
 
@@ -48,6 +50,11 @@ class HostFileTransferTool implements Tool {
             description:
               "Brief description of why the file is being transferred (for audit logging)",
           },
+          target_client_id: {
+            type: "string",
+            description:
+              "ID of the specific client to transfer files to/from. Required when multiple clients support host_file; omit when only one is connected. Obtain IDs from `assistant clients list --capability host_file`.",
+          },
         },
         required: ["source_path", "dest_path", "direction"],
       },
@@ -85,6 +92,65 @@ class HostFileTransferTool implements Tool {
 
     const overwrite = input.overwrite === true;
 
+    const targetClientId =
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
+        ? input.target_client_id
+        : undefined;
+
+    if (
+      targetClientId == null &&
+      context.transportInterface != null &&
+      !supportsHostProxy(context.transportInterface) &&
+      assistantEventHub.listClientsByCapability("host_file").length > 1
+    ) {
+      return {
+        content: `Error: multiple clients support host_file. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_file\` to see client IDs and labels.`,
+        isError: true,
+      };
+    }
+
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, a web/ios turn whose host_file client has
+    // disconnected since projection would fall through to executeLocal
+    // below and act on the daemon container's filesystem instead of
+    // the user's host machine.
+    if (
+      targetClientId == null &&
+      context.transportInterface != null &&
+      !supportsHostProxy(context.transportInterface) &&
+      !HostTransferProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to executeLocal
+    // would silently target the daemon container's filesystem instead of
+    // the intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostTransferProxy.instance.isAvailable() &&
+      (context.transportInterface == null ||
+        !supportsHostProxy(context.transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Validate that host-side paths are absolute.
     if (direction === "to_host" && !isAbsolute(destPath)) {
       return {
@@ -115,7 +181,9 @@ class HostFileTransferTool implements Tool {
 
     let resolvedDestPath = destPath;
     if (direction === "to_sandbox") {
-      const pathCheck = sandboxPolicy(destPath, context.workingDir, { mustExist: false });
+      const pathCheck = sandboxPolicy(destPath, context.workingDir, {
+        mustExist: false,
+      });
       if (!pathCheck.ok) {
         return {
           content: `Invalid destination path: ${pathCheck.error}`,
@@ -134,8 +202,10 @@ class HostFileTransferTool implements Tool {
             destPath,
             overwrite,
             conversationId: context.conversationId,
+            targetClientId,
           },
           context.signal,
+          context.sourceActorPrincipalId,
         );
       }
       return HostTransferProxy.instance.requestToSandbox(
@@ -144,12 +214,17 @@ class HostFileTransferTool implements Tool {
           destPath: resolvedDestPath,
           overwrite,
           conversationId: context.conversationId,
+          targetClientId,
         },
         context.signal,
+        context.sourceActorPrincipalId,
       );
     }
 
-    // Local mode: direct filesystem copy.
+    // Local mode: direct filesystem copy. The non-host-proxy + stale
+    // target_client_id case is caught by the scoped guard at the top of
+    // execute(); on macos a stale target_client_id is silently ignored
+    // here, matching the read/write/edit pattern.
     return this.executeLocal(resolvedSourcePath, resolvedDestPath, overwrite);
   }
 

package/src/tools/host-filesystem/write.test.ts

@@ -0,0 +1,134 @@
+import { existsSync, mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileWriteTool } = await import("./write.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-write-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_write cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileWriteTool.execute(
+      { path: "/some/host/path.txt", content: "hello" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileWriteTool.execute(
+      {
+        path: "/some/host/path.txt",
+        content: "hello",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "out.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello" },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — local write succeeded.
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "stale-target.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello", target_client_id: "stale-mac" },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the local
+    // write must succeed, NOT reject with "target client ... is no longer
+    // connected".
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "should-not-exist.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello", target_client_id: "abc-123" },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // Without transport metadata, falling through to local fs would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(existsSync(destFile)).toBe(false);
+  });
+});