@vellumai/assistant 0.7.1 → 0.7.3

package/src/tools/host-filesystem/write.ts

@@ -1,6 +1,8 @@
+import { supportsHostProxy } from "../../channels/types.js";
 import { HostFileProxy } from "../../daemon/host-file-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
+import { assistantEventHub } from "../../runtime/assistant-event-hub.js";
 import { FileSystemOps } from "../shared/filesystem/file-ops-service.js";
 import { formatWriteSummary } from "../shared/filesystem/format-diff.js";
 import { hostPolicy } from "../shared/filesystem/path-policy.js";
@@ -28,6 +30,11 @@ class HostFileWriteTool implements Tool {
             type: "string",
             description: "The content to write to the file",
           },
+          target_client_id: {
+            type: "string",
+            description:
+              "ID of the specific client to execute this on. Required when multiple clients support host_file; omit when only one is connected. Obtain IDs from `assistant clients list --capability host_file`.",
+          },
         },
         required: ["path", "content"],
       },
@@ -54,6 +61,64 @@ class HostFileWriteTool implements Tool {
       };
     }
 
+    const targetClientId =
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
+        ? input.target_client_id
+        : undefined;
+
+    const transportInterface = context.transportInterface;
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      assistantEventHub.listClientsByCapability("host_file").length > 1
+    ) {
+      return {
+        content: `Error: multiple clients support host_file. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_file\` to see client IDs and labels.`,
+        isError: true,
+      };
+    }
+
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
     if (HostFileProxy.instance.isAvailable()) {
@@ -62,9 +127,12 @@ class HostFileWriteTool implements Tool {
           operation: "write",
           path: rawPath,
           content: fileContent,
+          targetClientId,
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/host-terminal/host-shell.ts

@@ -18,6 +18,7 @@ import { existsSync } from "node:fs";
 import { homedir } from "node:os";
 import { isAbsolute } from "node:path";
 
+import { supportsHostProxy } from "../../channels/types.js";
 import { getConfig } from "../../config/loader.js";
 import { isCesShellLockdownEnabled } from "../../credential-execution/feature-gates.js";
 import { HostBashProxy } from "../../daemon/host-bash-proxy.js";
@@ -25,6 +26,7 @@ import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import { isUntrustedTrustClass } from "../../runtime/actor-trust-resolver.js";
 import { wakeAgentForOpportunity } from "../../runtime/agent-wake.js";
+import { assistantEventHub } from "../../runtime/assistant-event-hub.js";
 import { redactSecrets } from "../../security/secret-scanner.js";
 import { getLogger } from "../../util/logger.js";
 import {
@@ -131,6 +133,11 @@ class HostShellTool implements Tool {
             description:
               "Run the command in the background on the host machine. The tool returns immediately with a background tool ID. When the process exits, its output is delivered to the conversation as a wake.",
           },
+          target_client_id: {
+            type: "string",
+            description:
+              "ID of the specific client to execute this command on. Required when multiple clients support host_bash; omit when only one client is connected. Obtain IDs from `assistant clients list --capability host_bash`.",
+          },
         },
         required: ["command", "activity"],
       },
@@ -172,6 +179,19 @@ class HostShellTool implements Tool {
       };
     }
     const background = input.background === true;
+    if (background && context.diskPressureCleanupModeActive === true) {
+      return {
+        content:
+          "Error: background host shell commands are not available during disk pressure cleanup mode.",
+        isError: true,
+      };
+    }
+
+    const targetClientId =
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
+        ? input.target_client_id
+        : undefined;
 
     const config = getConfig();
     const { shellDefaultTimeoutSec, shellMaxTimeoutSec } = config.timeouts;
@@ -190,6 +210,47 @@ class HostShellTool implements Tool {
       isCesShellLockdownEnabled(config) &&
       isUntrustedTrustClass(context.trustClass);
 
+    // Guard: non-host-proxy interfaces need an explicit target when multiple
+    // capable clients are connected to avoid ambiguous untargeted broadcasts.
+    const transportInterface = context.transportInterface;
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      assistantEventHub.listClientsByCapability("host_bash").length > 1
+    ) {
+      return {
+        content: `Error: multiple clients support host_bash. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_bash\` to see client IDs and labels.`,
+        isError: true,
+      };
+    }
+
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostBashProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_bash capability is connected. Connect a macOS client to use host_bash from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable (client
+    // disconnected between tool-definition and tool-execution). Without this
+    // guard both targetClientId != null guards above are bypassed, and the
+    // code falls through to local daemon execution — silently running commands
+    // inside the Docker container instead of on the intended host machine.
+    if (targetClientId != null && !HostBashProxy.instance.isAvailable()) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_bash\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
     if (HostBashProxy.instance.isAvailable()) {
@@ -227,9 +288,11 @@ class HostShellTool implements Tool {
             working_dir: rawWorkingDir as string | undefined,
             timeout_seconds: normalizedTimeout,
             env: proxyEnv,
+            targetClientId,
           },
           context.conversationId,
           abortController.signal,
+          context.sourceActorPrincipalId,
         );
 
         proxyPromise
@@ -258,7 +321,7 @@ class HostShellTool implements Tool {
           conversationId: context.conversationId,
           command,
           startedAt: Date.now(),
-          cancel: () => abortController.abort(),
+          cancel: (reason?: string) => abortController.abort(reason),
         });
 
         return {
@@ -273,9 +336,11 @@ class HostShellTool implements Tool {
           working_dir: rawWorkingDir as string | undefined,
           timeout_seconds: normalizedTimeout,
           env: proxyEnv,
+          targetClientId,
         },
         context.conversationId,
         context.signal,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/mcp/mcp-tool-factory.ts

@@ -2,6 +2,7 @@ import type { McpServerConfig } from "../../config/schemas/mcp.js";
 import type { McpServerManager } from "../../mcp/manager.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
+import { toProviderSafeToolName } from "../provider-tool-name.js";
 import { schemaDefinesProperty } from "../schema-transforms.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 
@@ -16,7 +17,7 @@ const riskMap: Record<string, RiskLevel> = {
  * and with core/skill tools.
  */
 function mcpToolName(serverId: string, toolName: string): string {
-  return `mcp__${serverId}__${toolName}`;
+  return toProviderSafeToolName(`mcp__${serverId}__${toolName}`);
 }
 
 export interface McpToolMetadata {

package/src/tools/memory/register.test.ts

@@ -11,9 +11,15 @@ import {
   test,
 } from "bun:test";
 
+import { _setOverridesForTesting } from "../../config/assistant-feature-flags.js";
 import { PKB_WORKSPACE_SCOPE } from "../../memory/pkb/types.js";
 import type { ToolContext } from "../types.js";
 
+// This test exercises v1 PKB re-index enqueue. The `memory-v2-enabled` flag
+// (registry default `true`) makes the enqueue path skipped — disable it so
+// the v1 PKB index path stays under test.
+_setOverridesForTesting({ "memory-v2-enabled": false });
+
 let tmpWorkspace: string;
 let previousWorkspaceEnv: string | undefined;
 
@@ -175,7 +181,7 @@ describe("recallTool.execute", () => {
         max_results: 4,
         depth: "deep",
       },
-      makeContext({ memoryScopeId: "scope-filter" }),
+      makeContext(),
     );
 
     expect(result).toEqual({
@@ -196,7 +202,7 @@ describe("recallTool.execute", () => {
 
     const result = await recallTool.execute(
       { query: "fallback search", sources: ["workspace"], depth: "fast" },
-      makeContext({ memoryScopeId: "scope-fallback" }),
+      makeContext(),
     );
 
     expect(result).toEqual({
@@ -205,7 +211,7 @@ describe("recallTool.execute", () => {
     });
   });
 
-  test("propagates tool context and defaults missing memory scope", async () => {
+  test("propagates tool context", async () => {
     const controller = new AbortController();
 
     await recallTool.execute(
@@ -221,7 +227,6 @@ describe("recallTool.execute", () => {
     expect(recallCalls[0]?.context).toEqual({
       workingDir: "/workspace/project",
       conversationId: "conv-context",
-      memoryScopeId: "default",
       config: getConfig(),
       signal: controller.signal,
     });
@@ -275,9 +280,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
   test("enqueues re-index jobs for both buffer and daily archive paths", async () => {
     const result = await rememberTool.execute(
       { content: "index me please" },
-      // Passes a non-default per-conversation scopeId to prove the PKB
-      // enqueue ignores it and pins to PKB_WORKSPACE_SCOPE instead.
-      makeContext({ memoryScopeId: "scope-enqueue" }),
+      makeContext(),
     );
     expect(result.isError).toBe(false);
 
@@ -308,7 +311,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
   test("does not enqueue when content is empty (write was skipped)", async () => {
     const result = await rememberTool.execute(
       { content: "   " },
-      makeContext({ memoryScopeId: "scope-empty" }),
+      makeContext(),
     );
     expect(result.isError).toBe(true);
     expect(enqueueCalls).toHaveLength(0);
@@ -319,7 +322,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
 
     const result = await rememberTool.execute(
       { content: "enqueue will throw" },
-      makeContext({ memoryScopeId: "scope-throw" }),
+      makeContext(),
     );
 
     // Remember call succeeded despite enqueue throwing for each write.

package/src/tools/memory/register.ts

@@ -34,7 +34,7 @@ class RememberTool implements Tool {
     const result = handleRemember(
       typedInput,
       context.conversationId,
-      context.memoryScopeId ?? "default",
+      "default",
       getConfig(),
     );
     return {
@@ -73,7 +73,6 @@ class RecallTool implements Tool {
     const result = await runAgenticRecall(input as unknown as RecallInput, {
       workingDir: context.workingDir,
       conversationId: context.conversationId,
-      memoryScopeId: context.memoryScopeId ?? "default",
       config,
       signal: context.signal,
     });

package/src/tools/provider-tool-name.ts

@@ -0,0 +1,28 @@
+import { createHash } from "node:crypto";
+
+const PROVIDER_TOOL_NAME_MAX_LENGTH = 64;
+const PROVIDER_TOOL_NAME_RE = /^[a-zA-Z0-9_-]{1,64}$/;
+const HASH_LENGTH = 12;
+
+export function isProviderSafeToolName(name: string): boolean {
+  return PROVIDER_TOOL_NAME_RE.test(name);
+}
+
+export function toProviderSafeToolName(rawName: string): string {
+  const trimmed = rawName.trim();
+  if (isProviderSafeToolName(rawName)) {
+    return rawName;
+  }
+
+  const hash = createHash("sha256")
+    .update(rawName)
+    .digest("hex")
+    .slice(0, HASH_LENGTH);
+  const suffix = `__${hash}`;
+  const maxBaseLength = PROVIDER_TOOL_NAME_MAX_LENGTH - suffix.length;
+  const sanitized =
+    trimmed.replace(/[^a-zA-Z0-9_-]+/g, "_").replace(/^_+|_+$/g, "") || "tool";
+  const base = sanitized.slice(0, maxBaseLength).replace(/_+$/g, "") || "tool";
+
+  return `${base}${suffix}`;
+}

package/src/tools/registry.ts

@@ -8,6 +8,7 @@ import { hostFileReadTool } from "./host-filesystem/read.js";
 import { hostFileTransferTool } from "./host-filesystem/transfer.js";
 import { hostFileWriteTool } from "./host-filesystem/write.js";
 import { hostShellTool } from "./host-terminal/host-shell.js";
+import { toProviderSafeToolName } from "./provider-tool-name.js";
 import { registerSystemTools } from "./system/register.js";
 import type { Tool } from "./types.js";
 import { allUiSurfaceTools } from "./ui-surface/definitions.js";
@@ -75,6 +76,24 @@ const skillRefCount = new Map<string, number>();
 // separate and covers the case of two extensions choosing the same tool name.
 const pluginRefCount = new Map<string, number>();
 
+function withProviderSafeToolName(tool: Tool): Tool {
+  const safeName = toProviderSafeToolName(tool.name);
+  if (safeName === tool.name) {
+    return tool;
+  }
+
+  return {
+    ...tool,
+    name: safeName,
+    getDefinition(): ToolDefinition {
+      return {
+        ...tool.getDefinition(),
+        name: safeName,
+      };
+    },
+  };
+}
+
 export function registerTool(tool: Tool): void {
   const existing = tools.get(tool.name);
   if (existing) {
@@ -176,15 +195,17 @@ export function registerPluginTools(
   pluginName: string,
   newTools: Tool[],
 ): Tool[] {
-  const stamped: Tool[] = newTools.map((tool) => ({
-    ...tool,
-    origin: "plugin" as const,
-    ownerPluginId: pluginName,
-    ownerSkillId: undefined,
-    ownerMcpServerId: undefined,
-    ownerSkillBundled: undefined,
-    ownerSkillVersionHash: undefined,
-  }));
+  const stamped: Tool[] = newTools.map((tool) =>
+    withProviderSafeToolName({
+      ...tool,
+      origin: "plugin" as const,
+      ownerPluginId: pluginName,
+      ownerSkillId: undefined,
+      ownerMcpServerId: undefined,
+      ownerSkillBundled: undefined,
+      ownerSkillVersionHash: undefined,
+    }),
+  );
 
   const accepted: Tool[] = [];
   for (const tool of stamped) {

package/src/tools/schedule/create.ts

@@ -44,6 +44,8 @@ export async function executeScheduleCreate(
     | undefined;
   const quiet = (input.quiet as boolean) ?? false;
   const reuseConversation = (input.reuse_conversation as boolean) ?? false;
+  const maxRetries = input.max_retries as number | undefined;
+  const retryBackoffMs = input.retry_backoff_ms as number | undefined;
 
   if (!name || typeof name !== "string") {
     return {
@@ -130,6 +132,8 @@ export async function executeScheduleCreate(
         routingHints,
         quiet,
         reuseConversation,
+        maxRetries,
+        retryBackoffMs,
       });
 
       const fireDate = formatLocalDate(job.nextRunAt);
@@ -208,6 +212,8 @@ export async function executeScheduleCreate(
       routingHints,
       quiet,
       reuseConversation,
+      maxRetries,
+      retryBackoffMs,
     });
 
     const scheduleDescription =

package/src/tools/schedule/list.ts

@@ -77,6 +77,8 @@ export async function executeScheduleList(
       `  Last run: ${job.lastRunAt ? formatLocalDate(job.lastRunAt) : "never"}`,
       `  Last status: ${job.lastStatus ?? "n/a"}`,
       `  Retry count: ${job.retryCount}`,
+      `  Max retries: ${job.maxRetries}`,
+      `  Retry backoff: ${job.retryBackoffMs}ms`,
       `  Created: ${formatLocalDate(job.createdAt)}`,
     );
 

package/src/tools/schedule/update.ts

@@ -108,6 +108,14 @@ export async function executeScheduleUpdate(
     updates.reuseConversation = input.reuse_conversation;
   }
 
+  // Retry policy
+  if (input.max_retries !== undefined) {
+    updates.maxRetries = input.max_retries;
+  }
+  if (input.retry_backoff_ms !== undefined) {
+    updates.retryBackoffMs = input.retry_backoff_ms;
+  }
+
   // Auto-detect syntax when expression changes without explicit syntax
   if (input.expression !== undefined || input.syntax !== undefined) {
     const resolved = normalizeScheduleSyntax({
@@ -173,6 +181,8 @@ export async function executeScheduleUpdate(
         routingHints?: Record<string, unknown>;
         quiet?: boolean;
         reuseConversation?: boolean;
+        maxRetries?: number;
+        retryBackoffMs?: number;
       },
     );
 

package/src/tools/shared/filesystem/file-ops-service.ts

@@ -52,6 +52,8 @@ function pathError(
       return Err.pathNotAbsolute(path);
     case "out_of_bounds":
       return { code: "PATH_OUT_OF_BOUNDS", message: detail, path };
+    case "denied":
+      return { code: "PATH_OUT_OF_BOUNDS", message: detail, path };
   }
 }
 

package/src/tools/shared/filesystem/path-policy.ts

@@ -11,7 +11,14 @@ import {
 /**
  * Result type shared by both sandbox and host path policies.
  */
-export type PathFailureReason = "not_absolute" | "out_of_bounds";
+export type PathFailureReason = "not_absolute" | "out_of_bounds" | "denied";
+
+/**
+ * Basenames that must never be read or written by the assistant, regardless
+ * of where they resolve. Defense-in-depth: even if a key file is accidentally
+ * placed inside the workspace boundary, the assistant cannot access it.
+ */
+const DENIED_BASENAMES = new Set([".backup.key", "backup.key"]);
 
 export type PathResult =
   | { ok: true; resolved: string }
@@ -106,6 +113,16 @@ export function sandboxPolicy(
     };
   }
 
+  // Check both the logical path and the symlink-resolved path so a symlink
+  // with a non-denied name pointing at a denied file is still caught.
+  if (DENIED_BASENAMES.has(basename(resolved)) || DENIED_BASENAMES.has(basename(realResolved))) {
+    return {
+      ok: false,
+      reason: "denied",
+      error: `Access to "${basename(resolved)}" is denied`,
+    };
+  }
+
   return { ok: true, resolved };
 }
 
@@ -125,5 +142,12 @@ export function hostPolicy(rawPath: string): PathResult {
       error: `path must be absolute for host file access: ${rawPath}`,
     };
   }
+  if (DENIED_BASENAMES.has(basename(rawPath))) {
+    return {
+      ok: false,
+      reason: "denied",
+      error: `Access to "${basename(rawPath)}" is denied`,
+    };
+  }
   return { ok: true, resolved: rawPath };
 }

package/src/tools/skills/load.ts

@@ -29,9 +29,6 @@ import { getWorkspaceDirDisplay } from "../../util/platform.js";
 import { registerTool } from "../registry.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 
-/** Canonical feature flag key for inline skill command expansion. */
-const INLINE_COMMANDS_FLAG_KEY = "inline-skill-commands";
-
 /** Skill sources eligible for inline command expansion in v1. */
 const INLINE_COMMAND_ELIGIBLE_SOURCES = new Set([
   "bundled",
@@ -300,20 +297,6 @@ export class SkillLoadTool implements Tool {
       skill.inlineCommandExpansions && skill.inlineCommandExpansions.length > 0;
 
     if (hasInlineCommands) {
-      const inlineFlagEnabled = isAssistantFeatureFlagEnabled(
-        INLINE_COMMANDS_FLAG_KEY,
-        config,
-      );
-
-      if (!inlineFlagEnabled) {
-        // Feature flag is off: fail closed instead of leaving live tokens in
-        // the prompt that the LLM might try to interpret.
-        return {
-          content: `Error: skill "${skill.id}" contains inline command expansions but the inline-skill-commands feature flag is disabled. Enable the flag to use this skill.`,
-          isError: true,
-        };
-      }
-
       if (skill.source === "extra") {
         // Third-party extra roots are out of scope for inline command
         // expansion in v1. Reject explicitly so the failure is clear.
@@ -391,21 +374,6 @@ export class SkillLoadTool implements Tool {
             childLoaded.skill.inlineCommandExpansions.length > 0;
 
           if (childHasInlineCommands) {
-            const childInlineFlagEnabled = isAssistantFeatureFlagEnabled(
-              INLINE_COMMANDS_FLAG_KEY,
-              config,
-            );
-
-            // Fail closed: if the flag is off, reject the entire skill_load
-            // just like we do for root skills. Leaving raw !`...` tokens in
-            // the prompt would violate the documented fail-closed contract.
-            if (!childInlineFlagEnabled) {
-              return {
-                content: `Error: included skill "${childId}" contains inline command expansions but the inline-skill-commands feature flag is disabled. Enable the flag to use skill "${skill.id}".`,
-                isError: true,
-              };
-            }
-
             if (childLoaded.skill.source === "extra") {
               return {
                 content: `Error: included skill "${childId}" contains inline command expansions but inline commands are not supported for third-party (extra) skill sources.`,

package/src/tools/terminal/shell.ts

@@ -111,6 +111,15 @@ class ShellTool implements Tool {
       return { content: "Error: command contains null bytes", isError: true };
     }
 
+    const background = input.background === true;
+    if (background && context.diskPressureCleanupModeActive === true) {
+      return {
+        content:
+          "Error: background shell commands are not available during disk pressure cleanup mode.",
+        isError: true,
+      };
+    }
+
     const config = getConfig();
     const shellLockdownActive =
       isCesShellLockdownEnabled(config) &&
@@ -276,7 +285,6 @@ class ShellTool implements Tool {
     // Background mode: spawn and return immediately. The process output is
     // delivered to the conversation as a wake when the process exits.
     // -----------------------------------------------------------------------
-    const background = input.background === true;
     if (background) {
       // Check the registry limit BEFORE spawning so we never leak an
       // untracked process when the registry is full.