@vellumai/assistant 0.7.2 → 0.7.3

package/src/config/seed-inference-profiles.ts

@@ -1,3 +1,6 @@
+import { PROVIDER_CATALOG } from "../providers/model-catalog.js";
+import { resolveModelIntent } from "../providers/model-intents.js";
+import type { ModelIntent } from "../providers/types.js";
 import { loadRawConfig, saveRawConfig } from "./loader.js";
 import {
   DEFAULT_CONTEXT_WINDOW_MAX_INPUT_TOKENS,
@@ -5,41 +8,82 @@ import {
 } from "./schemas/llm.js";
 
 /**
- * Declarative seed data for daemon-managed inference profiles.
- *
- * These profiles are overwritten on every startup so upstream model
- * updates propagate automatically. User-created profiles (keyed by
- * different names) are never touched.
+ * Template for a daemon-managed inference profile. The profile's model is
+ * resolved at seed time from `PROVIDER_MODEL_INTENTS` so the catalog stays the
+ * single source of truth for "which model does this intent map to?".
  */
-const MANAGED_PROFILE_SEED_DATA: Record<string, ProfileEntry> = {
+type ManagedProfileTemplate = Omit<ProfileEntry, "provider" | "model"> & {
+  intent: ModelIntent;
+};
+
+/**
+ * Anthropic-managed profiles. Always seeded so users can target Anthropic via
+ * their own key, even when the resolved default provider is something else.
+ */
+const ANTHROPIC_PROFILE_TEMPLATES: Record<string, ManagedProfileTemplate> = {
   balanced: {
+    intent: "balanced",
     source: "managed",
     label: "Balanced",
     description: "Good balance of quality, cost, and speed",
-    provider: "anthropic",
-    model: "claude-sonnet-4-6",
     maxTokens: 16000,
     effort: "high",
     thinking: { enabled: true, streamThinking: true },
     contextWindow: { maxInputTokens: DEFAULT_CONTEXT_WINDOW_MAX_INPUT_TOKENS },
   },
   "quality-optimized": {
+    intent: "quality-optimized",
     source: "managed",
     label: "Quality",
     description: "Best results with the most capable model",
-    provider: "anthropic",
-    model: "claude-opus-4-7",
     maxTokens: 32000,
     effort: "max",
     thinking: { enabled: true, streamThinking: true },
     contextWindow: { maxInputTokens: DEFAULT_CONTEXT_WINDOW_MAX_INPUT_TOKENS },
   },
   "cost-optimized": {
+    intent: "latency-optimized",
     source: "managed",
     label: "Speed",
     description: "Fastest responses at lower cost",
-    provider: "anthropic",
-    model: "claude-haiku-4-5-20251001",
+    maxTokens: 8192,
+    effort: "low",
+    thinking: { enabled: false, streamThinking: false },
+    contextWindow: { maxInputTokens: DEFAULT_CONTEXT_WINDOW_MAX_INPUT_TOKENS },
+  },
+};
+
+/**
+ * Custom-provider profile templates. Materialized at seed time when the
+ * resolved default provider is non-Anthropic, using `resolveModelIntent` to
+ * pick the model.
+ */
+const CUSTOM_PROFILE_TEMPLATES: Record<string, ManagedProfileTemplate> = {
+  "custom-balanced": {
+    intent: "balanced",
+    source: "user",
+    label: "Balanced (Custom Provider)",
+    description: "Good balance of quality, cost, and speed",
+    maxTokens: 16000,
+    effort: "high",
+    thinking: { enabled: true, streamThinking: true },
+    contextWindow: { maxInputTokens: DEFAULT_CONTEXT_WINDOW_MAX_INPUT_TOKENS },
+  },
+  "custom-quality-optimized": {
+    intent: "quality-optimized",
+    source: "user",
+    label: "Quality (Custom Provider)",
+    description: "Best results with the most capable model",
+    maxTokens: 32000,
+    effort: "max",
+    thinking: { enabled: true, streamThinking: true },
+    contextWindow: { maxInputTokens: DEFAULT_CONTEXT_WINDOW_MAX_INPUT_TOKENS },
+  },
+  "custom-cost-optimized": {
+    intent: "latency-optimized",
+    source: "user",
+    label: "Speed (Custom Provider)",
+    description: "Fastest responses at lower cost",
     maxTokens: 8192,
     effort: "low",
     thinking: { enabled: false, streamThinking: false },
@@ -48,26 +92,47 @@ const MANAGED_PROFILE_SEED_DATA: Record<string, ProfileEntry> = {
 };
 
 export const MANAGED_PROFILE_NAMES = new Set(
-  Object.keys(MANAGED_PROFILE_SEED_DATA),
+  Object.keys(ANTHROPIC_PROFILE_TEMPLATES),
 );
 
+const SEEDED_PROFILE_NAMES = new Set([
+  ...Object.keys(ANTHROPIC_PROFILE_TEMPLATES),
+  ...Object.keys(CUSTOM_PROFILE_TEMPLATES),
+]);
+
+const KNOWN_PROVIDERS = new Set(PROVIDER_CATALOG.map((entry) => entry.id));
+
+export type SeedInferenceProfilesOptions = {
+  /**
+   * Managed profile names supplied by the platform/default overlay for this
+   * startup. Those entries are already on disk by the time seeding runs and
+   * should remain authoritative for this boot.
+   */
+  preserveProfileNames?: Iterable<string>;
+  preserveActiveProfile?: boolean;
+};
+
 /**
  * Seed managed inference profiles into the workspace config.
  *
- * Called on every daemon startup after workspace migrations and before
- * the first `loadConfig()`. Managed profiles are overwritten entirely
- * (replace, not merge) so upstream model/effort changes propagate.
- * User-created profiles are never touched; pre-existing profiles
- * without a `source` field get `source: "user"` backfilled.
+ * Called on every daemon startup after workspace migrations and default-config
+ * overlay merge, but before the first `loadConfig()`. The 3 Anthropic-managed
+ * profiles (`balanced`, `quality-optimized`, `cost-optimized`) are always
+ * written so users can target Anthropic via their own key. When the resolved
+ * default provider is non-Anthropic, the 3 `custom-*` profiles are also
+ * materialized using `resolveModelIntent` against that provider, and
+ * `custom-balanced` becomes the active profile for fresh hatches.
  *
- * No-op when `VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH` is set (same guard
- * as migration 052) because the platform-provided default-config overlay
- * is the authoritative source for profile seeds.
+ * Default-config overlays can provide their own profile fragments and active
+ * profile. Lifecycle passes those explicit fields in `options`, letting local
+ * hatches still receive managed defaults while platform-owned profile choices
+ * remain authoritative.
  */
-export function seedInferenceProfiles(): void {
-  if (process.env.VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH) return;
-
+export function seedInferenceProfiles(
+  options: SeedInferenceProfilesOptions = {},
+): void {
   const config = loadRawConfig();
+  const preservedProfileNames = new Set(options.preserveProfileNames ?? []);
 
   if (config.llm == null || typeof config.llm !== "object") {
     config.llm = {};
@@ -79,25 +144,135 @@ export function seedInferenceProfiles(): void {
   }
   const profiles = llm.profiles as Record<string, Record<string, unknown>>;
 
-  for (const [name, seed] of Object.entries(MANAGED_PROFILE_SEED_DATA)) {
-    profiles[name] = { ...seed };
+  const requestedProvider =
+    readString(readObject(llm.default)?.provider) ?? "anthropic";
+  const isKnownProvider = KNOWN_PROVIDERS.has(requestedProvider);
+  const resolvedProvider: NonNullable<ProfileEntry["provider"]> =
+    isKnownProvider
+      ? (requestedProvider as NonNullable<ProfileEntry["provider"]>)
+      : "anthropic";
+  const isAnthropicDefault = resolvedProvider === "anthropic";
+
+  // Persist the resolved provider when the overlay supplied an unrecognized
+  // value, so the on-disk config doesn't keep emitting Zod warnings for
+  // `unknownprov` on every load.
+  if (!isKnownProvider) {
+    const defaultBlock = (readObject(llm.default) ?? {}) as Record<
+      string,
+      unknown
+    >;
+    defaultBlock.provider = resolvedProvider;
+    llm.default = defaultBlock;
+  }
+
+  for (const [name, template] of Object.entries(ANTHROPIC_PROFILE_TEMPLATES)) {
+    if (preservedProfileNames.has(name)) continue;
+    // Preserve a previously overlay-supplied profile whose provider matches
+    // the resolved default — that's the platform-managed case where the
+    // overlay file has already been consumed and archived. Only valid for
+    // non-Anthropic resolutions; when the default is Anthropic the daemon
+    // owns these names and re-seeds with Anthropic data so a stale openai
+    // `balanced` doesn't keep routing through the wrong provider after a
+    // re-hatch back to Anthropic.
+    const existing = readObject(profiles[name]);
+    const existingProvider = readString(existing?.provider);
+    if (
+      existing !== null &&
+      !isAnthropicDefault &&
+      existingProvider === resolvedProvider
+    ) {
+      continue;
+    }
+    profiles[name] = materializeProfile(template, "anthropic");
+  }
+
+  if (!isAnthropicDefault) {
+    for (const [name, template] of Object.entries(CUSTOM_PROFILE_TEMPLATES)) {
+      if (preservedProfileNames.has(name)) continue;
+      if (readObject(profiles[name]) !== null) continue;
+      profiles[name] = materializeProfile(template, resolvedProvider);
+    }
+  }
+
+  const requestedActiveProfile = readString(llm.activeProfile);
+  const requestedActiveEntry =
+    requestedActiveProfile !== undefined
+      ? readObject(profiles[requestedActiveProfile])
+      : null;
+  const requestedActiveExists = requestedActiveEntry !== null;
+  const shouldPreserveActiveProfile =
+    options.preserveActiveProfile === true && requestedActiveExists;
+
+  // Decide whether the existing active profile is still appropriate. A managed
+  // profile whose provider no longer matches the resolved default goes stale
+  // (e.g. re-hatching anthropic→openai leaves `balanced` pointing at anthropic;
+  // re-hatching openai→anthropic leaves `custom-balanced` pointing at openai).
+  // Either direction should land the user on the new default's `balanced`
+  // counterpart rather than routing the main agent to a stale provider.
+  // User-created profiles are left alone — those are the user's choice.
+  let keepActiveProfile = shouldPreserveActiveProfile;
+  if (!keepActiveProfile && requestedActiveExists) {
+    const isSeededName = SEEDED_PROFILE_NAMES.has(requestedActiveProfile!);
+    const activeProvider = readString(requestedActiveEntry?.provider);
+    const managedActiveProviderMismatch =
+      isSeededName && activeProvider !== resolvedProvider;
+    keepActiveProfile = !managedActiveProviderMismatch;
   }
 
-  // Reset to the default managed profile when the current value is missing.
-  if (
-    typeof llm.activeProfile !== "string" ||
-    !(llm.activeProfile in profiles)
-  ) {
-    llm.activeProfile = "balanced";
+  let activeProfileName: string;
+  if (keepActiveProfile) {
+    activeProfileName = requestedActiveProfile!;
+  } else {
+    activeProfileName = isAnthropicDefault ? "balanced" : "custom-balanced";
+    llm.activeProfile = activeProfileName;
+  }
+
+  // Sync `llm.default.model` to the active profile's model so the providers
+  // registry sees a coherent provider/model pair. Only writes when the on-disk
+  // default model is missing or unambiguously belongs to a *different*
+  // provider's catalog (e.g. `claude-opus-4-7` paired with `provider: openai`).
+  // A user-supplied model not listed in any provider's catalog is preserved —
+  // ollama and openrouter expose far more models than `PROVIDER_CATALOG` lists,
+  // and silently overwriting `codellama`/`phi3`/etc. on every restart would
+  // break those users' configs. Skipped when the overlay owns the active
+  // profile (platform mode).
+  if (!shouldPreserveActiveProfile) {
+    const activeEntry = readObject(profiles[activeProfileName]);
+    const activeModel = readString(activeEntry?.model);
+    if (activeModel !== undefined) {
+      const defaultBlock = (readObject(llm.default) ?? {}) as Record<
+        string,
+        unknown
+      >;
+      const currentModel = readString(defaultBlock.model);
+      const modelBelongsToOtherProvider =
+        currentModel !== undefined &&
+        PROVIDER_CATALOG.some(
+          (p) =>
+            p.id !== resolvedProvider &&
+            p.models.some((m) => m.id === currentModel),
+        );
+      const shouldOverwriteDefaultModel =
+        currentModel === undefined || modelBelongsToOtherProvider;
+      if (shouldOverwriteDefaultModel) {
+        defaultBlock.model = activeModel;
+        llm.default = defaultBlock;
+      }
+    }
   }
 
   const profileOrder = Array.isArray(llm.profileOrder)
     ? (llm.profileOrder as string[])
     : [];
   const orderSet = new Set(profileOrder);
-  for (const name of MANAGED_PROFILE_NAMES) {
+  const seededOrder = [
+    ...Object.keys(ANTHROPIC_PROFILE_TEMPLATES),
+    ...(isAnthropicDefault ? [] : Object.keys(CUSTOM_PROFILE_TEMPLATES)),
+  ];
+  for (const name of seededOrder) {
     if (!orderSet.has(name)) {
       profileOrder.push(name);
+      orderSet.add(name);
     }
   }
   llm.profileOrder = profileOrder;
@@ -115,3 +290,25 @@ export function seedInferenceProfiles(): void {
 
   saveRawConfig(config);
 }
+
+function materializeProfile(
+  template: ManagedProfileTemplate,
+  provider: NonNullable<ProfileEntry["provider"]>,
+): ProfileEntry {
+  const { intent, ...rest } = template;
+  return {
+    ...rest,
+    provider,
+    model: resolveModelIntent(provider, intent),
+  };
+}
+
+function readObject(value: unknown): Record<string, unknown> | null {
+  return value !== null && typeof value === "object" && !Array.isArray(value)
+    ? (value as Record<string, unknown>)
+    : null;
+}
+
+function readString(value: unknown): string | undefined {
+  return typeof value === "string" && value.length > 0 ? value : undefined;
+}

package/src/contacts/contact-store.ts

@@ -704,31 +704,6 @@ export function mergeContacts(
   return getContactInternal(keepId)!;
 }
 
-/**
- * Delete a contact by ID. Guardians cannot be deleted as a safety guard.
- * Associated contactChannels and assistantContactMetadata rows are
- * cascade-deleted by the DB schema's onDelete constraints.
- */
-export function deleteContact(
-  contactId: string,
-): "ok" | "not_found" | "is_guardian" {
-  const db = getDb();
-
-  const contact = db
-    .select()
-    .from(contacts)
-    .where(eq(contacts.id, contactId))
-    .get();
-
-  if (!contact) return "not_found";
-  if (contact.role === "guardian") return "is_guardian";
-
-  db.delete(contacts).where(eq(contacts.id, contactId)).run();
-
-  emitContactChange();
-  return "ok";
-}
-
 /**
  * Find a contact by a specific channel address. Returns null if not found.
  */

package/src/daemon/__tests__/conversation-tool-setup.test.ts

@@ -19,29 +19,28 @@
  * host_file_* are filtered out for chrome-extension regardless of the
  * hasNoClient flag.
  *
- * Cross-client exception (Phase 1): host_bash is allowed for non-host-proxy
- * interfaces (e.g. "web") when at least one host_bash-capable client is
- * connected via the event hub. host_file_* and host_browser remain filtered
- * regardless (Phase 2).
+ * Cross-client exception: tools whose capabilities are in
+ * CROSS_CLIENT_EXPOSED_CAPABILITIES (host_bash, host_file) are allowed for
+ * non-host-proxy interfaces (e.g. "web") when at least one capable client
+ * is connected via the event hub. host_browser is excluded (chrome-extension
+ * is its own executor; web turns have no CDP target model).
  */
 
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 // ── Module-level mocks ─────────────────────────────────────────────
 
-// Control how many host_bash-capable clients the hub reports.
-let mockHostBashClientCount = 0;
+// Control how many capable clients the hub reports per capability.
+const mockClientCountByCapability = new Map<string, number>();
 
 mock.module("../../runtime/assistant-event-hub.js", () => ({
   assistantEventHub: {
     listClientsByCapability: (cap: string) => {
-      if (cap === "host_bash") {
-        return Array.from({ length: mockHostBashClientCount }, (_, i) => ({
-          clientId: `mock-client-${i}`,
-          capabilities: ["host_bash"],
-        }));
-      }
-      return [];
+      const count = mockClientCountByCapability.get(cap) ?? 0;
+      return Array.from({ length: count }, (_, i) => ({
+        clientId: `mock-${cap}-client-${i}`,
+        capabilities: [cap],
+      }));
     },
   },
   broadcastMessage: () => {},
@@ -72,7 +71,7 @@ function makeCtx(
 }
 
 beforeEach(() => {
-  mockHostBashClientCount = 0;
+  mockClientCountByCapability.clear();
 });
 
 describe("isToolActiveForContext — host tool capability gating", () => {
@@ -213,7 +212,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   test("host_bash is active for web transport when a host_bash-capable client is connected", () => {
     // Cross-client path: a web turn should see host_bash when a macOS client
     // with host_bash capability is connected via the event hub.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -224,7 +223,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
 
   test("host_bash is NOT active for web transport when no capable client is connected", () => {
     // No cross-client fallback: hub has no host_bash-capable subscribers.
-    mockHostBashClientCount = 0;
+    mockClientCountByCapability.set("host_bash", 0);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -233,11 +232,11 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
     ).toBe(false);
   });
 
-  test("host_file_read is NOT active for web transport even when a capable client is connected (Phase 2 gate)", () => {
-    // The cross-client exception is scoped to host_bash only.
-    // host_file_* remain filtered for non-host-proxy interfaces regardless
-    // of connected clients until Phase 2 lands.
-    mockHostBashClientCount = 1;
+  test("host_file_read is NOT active for web transport when only a host_bash client is connected", () => {
+    // The cross-client exception is per-capability: a host_bash-capable
+    // client in the hub does not satisfy host_file's exposure check, since
+    // listClientsByCapability is queried with the tool's actual capability.
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_file_read",
@@ -249,7 +248,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   test("host_bash for macos transport is unaffected by the cross-client exception", () => {
     // macos natively supports host_bash via host proxy — the supportsHostProxy
     // check passes, so the cross-client branch is never reached.
-    mockHostBashClientCount = 0;
+    mockClientCountByCapability.set("host_bash", 0);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -262,7 +261,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
     // Even with a capable client in the hub, the macos SSE path takes
     // precedence — it passes the supportsHostProxy check, bypasses the
     // cross-client branch, and reaches the hasNoClient gate.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -275,7 +274,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
     // Security boundary: chrome-extension only gets host_browser. The
     // cross-client exception explicitly excludes chrome-extension transport
     // regardless of how many host_bash-capable clients are in the hub.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -287,7 +286,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   test("host_bash is NOT active for web transport when hasNoClient is true (no approval UI)", () => {
     // hasNoClient gate: no interactive approval UI available for this turn.
     // Cross-client exception must not bypass this gate.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -297,6 +296,68 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   });
 });
 
+describe("isToolActiveForContext — cross-client exposure for host_file_*", () => {
+  const HOST_FILE_TOOLS = [
+    "host_file_read",
+    "host_file_write",
+    "host_file_edit",
+    "host_file_transfer",
+  ] as const;
+
+  for (const tool of HOST_FILE_TOOLS) {
+    test(`${tool} is exposed for web transport when a host_file client is connected`, () => {
+      mockClientCountByCapability.set("host_file", 1);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: false, transportInterface: "web" }),
+        ),
+      ).toBe(true);
+    });
+
+    test(`${tool} is NOT exposed for web when no host_file client is connected`, () => {
+      mockClientCountByCapability.set("host_file", 0);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: false, transportInterface: "web" }),
+        ),
+      ).toBe(false);
+    });
+
+    test(`${tool} is NOT exposed for chrome-extension (security boundary)`, () => {
+      mockClientCountByCapability.set("host_file", 1);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: true, transportInterface: "chrome-extension" }),
+        ),
+      ).toBe(false);
+    });
+
+    test(`${tool} is NOT exposed when hasNoClient is true (no approval UI)`, () => {
+      mockClientCountByCapability.set("host_file", 1);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: true, transportInterface: "web" }),
+        ),
+      ).toBe(false);
+    });
+  }
+
+  test("listClientsByCapability is queried with the actual capability, not host_bash (regression guard for D5 latent bug)", () => {
+    mockClientCountByCapability.set("host_bash", 0);
+    mockClientCountByCapability.set("host_file", 1);
+    expect(
+      isToolActiveForContext(
+        "host_file_transfer",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(true);
+  });
+});
+
 describe("HOST_TOOL_NAMES derivation", () => {
   test("HOST_TOOL_NAMES is derived from HOST_TOOL_TO_CAPABILITY", () => {
     // Sanity check: every tool in the names set has a capability mapping.

package/src/daemon/assistant-attachments.ts

@@ -125,7 +125,7 @@ export function classifyKind(mimeType: string): "image" | "video" | "document" {
 // Validation / cap enforcement
 // ---------------------------------------------------------------------------
 
-export interface ValidatedDrafts {
+interface ValidatedDrafts {
   accepted: AssistantAttachmentDraft[];
   warnings: string[];
 }
@@ -171,13 +171,13 @@ export interface DirectiveRequest {
   mimeType: string | undefined;
 }
 
-export interface DirectiveParseResult {
+interface DirectiveParseResult {
   cleanText: string;
   directiveRequests: DirectiveRequest[];
   parseWarnings: string[];
 }
 
-export interface DirectiveDisplayDrainResult {
+interface DirectiveDisplayDrainResult {
   emitText: string;
   bufferedRemainder: string;
 }
@@ -362,7 +362,7 @@ export function drainDirectiveDisplayBuffer(
 // Sandbox file resolution
 // ---------------------------------------------------------------------------
 
-export interface ResolveResult {
+interface ResolveResult {
   draft: AssistantAttachmentDraft | null;
   warning: string | null;
 }