@vellumai/assistant 0.7.2 → 0.7.3

package/src/daemon/host-app-control-proxy.ts

@@ -11,13 +11,22 @@
  * (PNG-hash loop guard) and the result-payload → ToolExecutionResult
  * translation on top.
  *
- * **Singleton lock.** Only one conversation may hold an active app-control
- * session at a time. The lock is module-level (`activeAppControlConversationId`)
- * because a session targets the user's actual desktop application, which
- * is a host-wide resource. The lock is acquired on a successful
- * `app_control_start` and released when the owning proxy's `dispose()`
- * fires. A second conversation that calls `start` while the lock is held
- * receives an `isError: true` tool result naming the holding conversation.
+ * **Session lock.** Only one conversation may hold an active app-control
+ * session at a time, and that session is bound to a specific target app.
+ * The lock is module-level (`activeAppControlSession`) because the session
+ * targets the user's actual desktop application, which is a host-wide
+ * resource. It is acquired on a successful `app_control_start` (storing
+ * `(conversationId, app)`) and released when the owning proxy's
+ * `dispose()` fires.
+ *
+ * `app_control_start` is the only tool that can acquire the lock — the
+ * user's medium-risk approval at start time is the consent boundary. All
+ * other tools (observe / press / combo / sequence / type / click / drag)
+ * require the calling conversation to own an active session targeting the
+ * same `app`; otherwise the call is rejected before any host dispatch.
+ * This prevents prompt-injected tool calls from sending raw input to
+ * arbitrary apps without the user having approved control of that
+ * specific app.
  *
  * **No step cap.** Unlike {@link HostCuProxy} which enforces a per-session
  * step ceiling via `loadConfig().maxStepsPerSession`, app-control sessions
@@ -51,36 +60,111 @@ const REQUEST_TIMEOUT_MS = 60 * 1000;
 const STUCK_REPEAT_THRESHOLD = 4;
 
 // ---------------------------------------------------------------------------
-// Tool name constants
+// Module-level session lock
 // ---------------------------------------------------------------------------
-//
-// Kept here (rather than imported from PR 5's tool registrations) so the
-// proxy is independently testable. PR 5 must use these same string values.
-
-const TOOL_START = "app_control_start";
 
-// ---------------------------------------------------------------------------
-// Module-level singleton lock
-// ---------------------------------------------------------------------------
+/**
+ * Active app-control session: the conversation that owns the lock and the
+ * `app` it was approved against. Set on a successful `app_control_start`;
+ * cleared by the owning proxy's `dispose()`.
+ */
+export interface ActiveAppControlSession {
+  conversationId: string;
+  /**
+   * The exact `app` string the user approved at start time (bundle ID or
+   * process name — preserved as-is). Compared case-insensitively against
+   * the `app` of subsequent non-start tool calls.
+   */
+  app: string;
+}
 
 /**
- * Conversation id that currently owns the active app-control session, or
- * `undefined` if no session is active. Set on a successful
- * `app_control_start`; cleared by the owning proxy's `dispose()`.
+ * Currently active session, or `undefined` when no session is held.
  *
  * Exported for test inspection only. Production code paths must not read
  * or mutate this directly — use the proxy methods.
  */
-let activeAppControlConversationId: string | undefined;
+let activeAppControlSession: ActiveAppControlSession | undefined;
 
-/** Test-only helper: read current lock owner. */
-export function _getActiveAppControlConversationId(): string | undefined {
-  return activeAppControlConversationId;
+/** Test-only helper: read current session. */
+export function _getActiveAppControlSession():
+  | ActiveAppControlSession
+  | undefined {
+  return activeAppControlSession;
 }
 
-/** Test-only helper: clear lock between test cases. */
-export function _resetActiveAppControlConversationId(): void {
-  activeAppControlConversationId = undefined;
+/** Test-only helper: clear session between test cases. */
+export function _resetActiveAppControlSession(): void {
+  activeAppControlSession = undefined;
+}
+
+/**
+ * Test-only helper: prime the active session without a full `start` round-trip.
+ * Useful for tests that exercise non-start tool paths and don't need to
+ * verify the start flow itself.
+ */
+export function _setActiveAppControlSession(
+  session: ActiveAppControlSession,
+): void {
+  activeAppControlSession = session;
+}
+
+/**
+ * Validate a non-start tool call against the active session. Returns a
+ * `ToolExecutionResult` (with `isError: true`) when the call should be
+ * rejected; returns `null` when the call is authorized to dispatch.
+ *
+ * `app` matching is case-insensitive (macOS bundle IDs are
+ * case-insensitive in practice) but strict on form: `"Safari"` and
+ * `"com.apple.Safari"` do not match — the user approved a specific string
+ * and substituting a different form requires a new approval.
+ */
+function checkNonStartAuthorization(
+  input: HostAppControlInput,
+  conversationId: string,
+): ToolExecutionResult | null {
+  if (activeAppControlSession == null) {
+    return {
+      content:
+        "No app-control session is active. Call app_control_start to request " +
+        "user approval to control the target app, then retry.",
+      isError: true,
+    };
+  }
+  if (activeAppControlSession.conversationId !== conversationId) {
+    return {
+      content:
+        `Another conversation (${activeAppControlSession.conversationId}) currently ` +
+        `holds the app-control session. Wait for it to finish, or call ` +
+        `app_control_stop from that conversation first.`,
+      isError: true,
+    };
+  }
+  // `app` is required on every non-start variant of HostAppControlInput
+  // except `stop`, and `stop` short-circuits in conversation-surfaces and
+  // does not reach this method in production. A stop reaching here would
+  // be a defensive bug — surface it explicitly rather than dispatch.
+  const requestedApp = (input as { app?: string }).app;
+  if (requestedApp == null) {
+    return {
+      content:
+        "Tool input missing required 'app' field; cannot validate against " +
+        "the active app-control session.",
+      isError: true,
+    };
+  }
+  if (
+    requestedApp.toLowerCase() !== activeAppControlSession.app.toLowerCase()
+  ) {
+    return {
+      content:
+        `Active app-control session targets ${activeAppControlSession.app}; ` +
+        `cannot send actions to ${requestedApp}. Call app_control_stop and ` +
+        `app_control_start to switch apps.`,
+      isError: true,
+    };
+  }
+  return null;
 }
 
 // ---------------------------------------------------------------------------
@@ -91,7 +175,7 @@ export class HostAppControlProxy extends HostProxyBase<
   HostAppControlInput,
   HostAppControlResultPayload
 > {
-  /** Conversation that owns this proxy instance. Used by `dispose()` to release the singleton lock only when this proxy is the holder. */
+  /** Conversation that owns this proxy instance. Used by `dispose()` to release the session lock only when this proxy is the holder. */
   private readonly conversationId: string;
 
   /** sha256 hex of the most recent observation's `pngBase64`, or undefined. */
@@ -143,21 +227,29 @@ export class HostAppControlProxy extends HostProxyBase<
       return { content: "Aborted", isError: true };
     }
 
-    // Singleton-lock guard for `start`. Other tools assume a session
-    // already exists and are not gated here.
-    if (toolName === TOOL_START) {
+    // Authorization gate. `start` acquires the session lock (the user's
+    // medium-risk approval is the consent boundary); all other tools must
+    // belong to the active session and target the same `app`. Without this
+    // gate, prompt-injected calls would bypass the start-time approval and
+    // send raw input to arbitrary apps.
+    if (input.tool === "start") {
       if (
-        activeAppControlConversationId != null &&
-        activeAppControlConversationId !== conversationId
+        activeAppControlSession != null &&
+        activeAppControlSession.conversationId !== conversationId
       ) {
         return {
           content:
-            `Another conversation (${activeAppControlConversationId}) currently holds the ` +
+            `Another conversation (${activeAppControlSession.conversationId}) currently holds the ` +
             `app-control session. Wait for it to finish, or call app_control_stop ` +
             `from that conversation first.`,
           isError: true,
         };
       }
+    } else {
+      const sessionError = checkNonStartAuthorization(input, conversationId);
+      if (sessionError != null) {
+        return sessionError;
+      }
     }
 
     try {
@@ -167,7 +259,7 @@ export class HostAppControlProxy extends HostProxyBase<
         conversationId,
         signal,
       );
-      return this.handleSuccess(toolName, payload);
+      return this.handleSuccess(input, payload);
     } catch (err) {
       if (err instanceof HostProxyRequestError) {
         if (err.reason === "timeout") {
@@ -192,7 +284,7 @@ export class HostAppControlProxy extends HostProxyBase<
   // ---------------------------------------------------------------------------
 
   private handleSuccess(
-    toolName: string,
+    input: HostAppControlInput,
     payload: HostAppControlResultPayload,
   ): ToolExecutionResult {
     // Update PNG-hash loop tracking only for the "running" state — other
@@ -212,9 +304,13 @@ export class HostAppControlProxy extends HostProxyBase<
       }
     }
 
-    // Acquire the singleton lock on a successful `start`.
-    if (toolName === TOOL_START && payload.state === "running") {
-      activeAppControlConversationId = this.conversationId;
+    // Store the exact `app` form for validation against subsequent
+    // non-start tool calls.
+    if (input.tool === "start" && payload.state === "running") {
+      activeAppControlSession = {
+        conversationId: this.conversationId,
+        app: input.app,
+      };
     }
 
     return this.formatResult(payload, stuck);
@@ -281,13 +377,13 @@ export class HostAppControlProxy extends HostProxyBase<
   // ---------------------------------------------------------------------------
 
   /**
-   * Reject pending requests via the base, then release the singleton lock
+   * Reject pending requests via the base, then release the session lock
    * if this proxy is the holder. Idempotent: safe to call multiple times.
    */
   override dispose(): void {
     super.dispose();
-    if (activeAppControlConversationId === this.conversationId) {
-      activeAppControlConversationId = undefined;
+    if (activeAppControlSession?.conversationId === this.conversationId) {
+      activeAppControlSession = undefined;
     }
   }
 }

package/src/daemon/host-bash-proxy.ts

@@ -5,6 +5,11 @@ import {
   assistantEventHub,
   broadcastMessage,
 } from "../runtime/assistant-event-hub.js";
+import {
+  ambiguousSameUserError,
+  enforceSameActorOrErrorResult,
+  pickSameUserAutoResolve,
+} from "../runtime/auth/same-actor.js";
 import * as pendingInteractions from "../runtime/pending-interactions.js";
 import { formatShellOutput } from "../tools/shared/shell-output.js";
 import type { ToolExecutionResult } from "../tools/types.js";
@@ -13,7 +18,6 @@ import { getLogger } from "../util/logger.js";
 
 const log = getLogger("host-bash-proxy");
 
-
 export class HostBashProxy {
   private static _instance: HostBashProxy | null = null;
 
@@ -62,14 +66,14 @@ export class HostBashProxy {
     },
     conversationId: string,
     signal?: AbortSignal,
+    // Principal ID of the actor on whose behalf this request is initiated.
+    sourceActorPrincipalId?: string,
   ): Promise<ToolExecutionResult> {
     if (signal?.aborted) {
       const result = formatShellOutput("", "Aborted", null, false, 0);
       return Promise.resolve(result);
     }
 
-    const capableClients = assistantEventHub.listClientsByCapability("host_bash");
-
     let resolvedTargetClientId: string | undefined;
 
     if (input.targetClientId) {
@@ -81,14 +85,37 @@ export class HostBashProxy {
         });
       }
       resolvedTargetClientId = input.targetClientId;
-    } else if (capableClients.length === 1) {
-      // Auto-resolve when exactly one capable client is connected.
-      resolvedTargetClientId = capableClients[0].clientId;
+    } else {
+      // Auto-resolve to the unique same-user client. Reject (rather than
+      // broadcast) when multiple same-user clients are connected so that
+      // a single targeted-style request cannot fan out across every one
+      // of the user's machines. Zero same-user matches falls through to
+      // the existing untargeted code path.
+      const resolved = pickSameUserAutoResolve({
+        hub: assistantEventHub,
+        capability: "host_bash",
+        sourceActorPrincipalId,
+      });
+      if (resolved.kind === "ambiguous") {
+        return Promise.resolve(ambiguousSameUserError("host_bash"));
+      }
+      resolvedTargetClientId =
+        resolved.kind === "match" ? resolved.clientId : undefined;
+    }
+
+    // Targeted requests must be bound to the same authenticated user as the
+    // target client. Fail closed at request time — before pendingInteractions
+    // registration and before broadcast — so a same-daemon caller cannot
+    // execute on another user's connected client.
+    if (resolvedTargetClientId != null) {
+      const rejection = enforceSameActorOrErrorResult({
+        hub: assistantEventHub,
+        sourceActorPrincipalId,
+        targetClientId: resolvedTargetClientId,
+        op: "host_bash",
+      });
+      if (rejection) return Promise.resolve(rejection);
     }
-    // capableClients.length === 0 or > 1 without explicit target: resolvedTargetClientId
-    // stays undefined and falls through to untargeted broadcast — the existing timeout/error
-    // path handles the zero-client case, and multi-client ambiguity is enforced at the tool
-    // executor layer (not here) once target_client_id is exposed in the tool schema.
 
     const requestId = uuid();
 
@@ -108,15 +135,7 @@ export class HostBashProxy {
         const timeoutMessage = resolvedTargetClientId
           ? `Host bash proxy timed out waiting for response from client ${resolvedTargetClientId}`
           : "Host bash proxy timed out waiting for client response";
-        resolve(
-          formatShellOutput(
-            "",
-            timeoutMessage,
-            null,
-            true,
-            timeoutSec,
-          ),
-        );
+        resolve(formatShellOutput("", timeoutMessage, null, true, timeoutSec));
       }, proxyTimeoutSec * 1000);
 
       if (signal) {
@@ -152,6 +171,12 @@ export class HostBashProxy {
         timer,
         detachAbort,
         targetClientId: resolvedTargetClientId,
+        targetActorPrincipalId:
+          resolvedTargetClientId != null
+            ? assistantEventHub.getActorPrincipalIdForClient(
+                resolvedTargetClientId,
+              )
+            : undefined,
         metadata: { timeoutSec },
       });
 
@@ -166,8 +191,8 @@ export class HostBashProxy {
             timeout_seconds: input.timeout_seconds,
             targetClientId: resolvedTargetClientId,
             ...(input.env && Object.keys(input.env).length > 0
-                ? { env: input.env }
-                : {}),
+              ? { env: input.env }
+              : {}),
           },
           conversationId,
           { targetClientId: resolvedTargetClientId },

package/src/daemon/host-cu-proxy.ts

@@ -23,6 +23,7 @@ import {
   assistantEventHub,
   broadcastMessage,
 } from "../runtime/assistant-event-hub.js";
+import { enforceSameActorOrErrorResult } from "../runtime/auth/same-actor.js";
 import * as pendingInteractions from "../runtime/pending-interactions.js";
 import type { ToolExecutionResult } from "../tools/types.js";
 import { AssistantError, ErrorCode } from "../util/errors.js";
@@ -121,6 +122,16 @@ export class HostCuProxy {
   // Request / resolve lifecycle
   // ---------------------------------------------------------------------------
 
+  /**
+   * Send a CU request to the connected desktop client.
+   *
+   * When `targetClientId` is supplied, the proxy validates that the target
+   * exists and advertises the `host_cu` capability, mirroring HostFileProxy's
+   * resolver-side checks so that the proxy is safe to call as a standalone
+   * API. It additionally enforces that the caller (`sourceActorPrincipalId`)
+   * and the target client share the same actor principal — cross-user
+   * targeted dispatch is rejected.
+   */
   request(
     toolName: string,
     input: Record<string, unknown>,
@@ -129,6 +140,7 @@ export class HostCuProxy {
     reasoning?: string,
     signal?: AbortSignal,
     targetClientId?: string,
+    sourceActorPrincipalId?: string,
   ): Promise<ToolExecutionResult> {
     if (signal?.aborted) {
       return Promise.resolve({
@@ -144,6 +156,38 @@ export class HostCuProxy {
       });
     }
 
+    // Existence + capability validation for explicit targets. Mirrors
+    // HostFileProxy's resolver-side guard so that the proxy is safe even
+    // when called outside the conversation-surfaces dispatch (which has
+    // its own validation layer).
+    if (targetClientId != null) {
+      const client = assistantEventHub.getClientById(targetClientId);
+      if (!client) {
+        return Promise.resolve({
+          content: `No connected client with id '${targetClientId}' supports host_cu. Run \`assistant clients list --capability host_cu\` to see available clients.`,
+          isError: true,
+        });
+      }
+      if (!client.capabilities.includes("host_cu")) {
+        return Promise.resolve({
+          content: `Client '${targetClientId}' does not support host_cu. Run \`assistant clients list --capability host_cu\` to see available clients.`,
+          isError: true,
+        });
+      }
+
+      // Same-user enforcement: targeted CU dispatch must be owned by the
+      // same actor on both sides. This is the authoritative gate — the
+      // dispatch layer (conversation-surfaces.ts) skips its own check
+      // and relies on the proxy.
+      const rejection = enforceSameActorOrErrorResult({
+        hub: assistantEventHub,
+        sourceActorPrincipalId,
+        targetClientId,
+        op: "host_cu",
+      });
+      if (rejection) return Promise.resolve(rejection);
+    }
+
     const requestId = uuid();
 
     return new Promise<ToolExecutionResult>((resolve, reject) => {
@@ -170,9 +214,7 @@ export class HostCuProxy {
                   type: "host_cu_cancel",
                   requestId,
                   conversationId,
-                  ...(targetClientId != null
-                    ? { targetClientId }
-                    : {}),
+                  ...(targetClientId != null ? { targetClientId } : {}),
                 },
                 conversationId,
                 { targetClientId },
@@ -193,6 +235,10 @@ export class HostCuProxy {
         conversationId,
         kind: "host_cu",
         targetClientId,
+        targetActorPrincipalId:
+          targetClientId != null
+            ? assistantEventHub.getActorPrincipalIdForClient(targetClientId)
+            : undefined,
         rpcResolve: resolve,
         rpcReject: reject,
         timer,

package/src/daemon/host-file-proxy.ts

@@ -4,6 +4,11 @@ import {
   assistantEventHub,
   broadcastMessage,
 } from "../runtime/assistant-event-hub.js";
+import {
+  ambiguousSameUserError,
+  enforceSameActorOrErrorResult,
+  pickSameUserAutoResolve,
+} from "../runtime/auth/same-actor.js";
 import * as pendingInteractions from "../runtime/pending-interactions.js";
 import { readImageBase64 } from "../tools/shared/filesystem/image-read.js";
 import type { ToolExecutionResult } from "../tools/types.js";
@@ -68,15 +73,18 @@ export class HostFileProxy {
     conversationId: string,
     signal?: AbortSignal,
     targetClientId?: string,
+    sourceActorPrincipalId?: string,
   ): Promise<ToolExecutionResult> {
     if (signal?.aborted) {
       return Promise.resolve({ content: "Aborted", isError: true });
     }
 
-    // Resolve targetClientId: explicit → validate; single capable client → auto-resolve.
-    // Callers may embed targetClientId in the input object (tool handlers) or pass it as
-    // the 4th parameter (legacy). Prefer the explicit param; fall back to input field.
-    let resolvedTargetClientId: string | undefined = targetClientId ?? input.targetClientId;
+    // Resolve targetClientId: explicit → validate; single same-user
+    // capable client → auto-resolve. Callers may embed targetClientId in
+    // the input object (tool handlers) or pass it as the 4th parameter
+    // (legacy). Prefer the explicit param; fall back to input field.
+    let resolvedTargetClientId: string | undefined =
+      targetClientId ?? input.targetClientId;
     if (resolvedTargetClientId != null) {
       const client = assistantEventHub.getClientById(resolvedTargetClientId);
       if (!client) {
@@ -92,10 +100,32 @@ export class HostFileProxy {
         });
       }
     } else {
-      const capable = assistantEventHub.listClientsByCapability("host_file");
-      if (capable.length === 1) {
-        resolvedTargetClientId = capable[0].clientId;
+      // Auto-resolve to the unique same-user client. Reject ambiguous
+      // (multi-machine) cases so a single targeted-style request cannot
+      // fan out across the user's machines.
+      const resolved = pickSameUserAutoResolve({
+        hub: assistantEventHub,
+        capability: "host_file",
+        sourceActorPrincipalId,
+      });
+      if (resolved.kind === "ambiguous") {
+        return Promise.resolve(ambiguousSameUserError("host_file"));
       }
+      resolvedTargetClientId =
+        resolved.kind === "match" ? resolved.clientId : undefined;
+    }
+
+    // Same-user check: targeted host_file requests must be bound to the same
+    // authenticated user identity that opened the target client's SSE stream.
+    // Prevents cross-user routing through actor token mis-targeting.
+    if (resolvedTargetClientId != null) {
+      const rejection = enforceSameActorOrErrorResult({
+        hub: assistantEventHub,
+        sourceActorPrincipalId,
+        targetClientId: resolvedTargetClientId,
+        op: "host_file",
+      });
+      if (rejection) return Promise.resolve(rejection);
     }
 
     const requestId = uuid();
@@ -150,6 +180,12 @@ export class HostFileProxy {
         conversationId,
         kind: "host_file",
         targetClientId: resolvedTargetClientId,
+        targetActorPrincipalId:
+          resolvedTargetClientId != null
+            ? assistantEventHub.getActorPrincipalIdForClient(
+                resolvedTargetClientId,
+              )
+            : undefined,
         rpcResolve: resolve,
         rpcReject: reject,
         timer,