@vellumai/assistant 0.7.2 → 0.7.3

package/src/security/secure-keys.ts

@@ -18,6 +18,8 @@
  */
 
 import { AsyncLocalStorage } from "node:async_hooks";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
 
 import type {
   SecureKeyBackend,
@@ -28,6 +30,7 @@ import { getIsContainerized } from "../config/env-registry.js";
 import type { CesClient } from "../credential-execution/client.js";
 import { getAnyProviderEnvVar } from "../providers/provider-env-vars.js";
 import { getLogger } from "../util/logger.js";
+import { getProtectedDir } from "../util/platform.js";
 import { createCesCredentialBackend } from "./ces-credential-client.js";
 import { CesRpcCredentialBackend } from "./ces-rpc-credential-backend.js";
 import type {
@@ -584,6 +587,58 @@ export function getActiveBackendName(): string {
   return _resolvedBackend?.name ?? "none";
 }
 
+// ---------------------------------------------------------------------------
+// Backend introspection
+// ---------------------------------------------------------------------------
+
+export type BackendInfo =
+  | {
+      backend: "encrypted-store";
+      storePath: string;
+      storeKeyPath: string;
+      storeExists: boolean;
+      storeKeyExists: boolean;
+    }
+  | { backend: "ces-rpc"; ready: boolean }
+  | { backend: "ces-http"; url: string }
+  | { backend: "none" };
+
+/**
+ * Resolve the active credential backend (triggering resolution if not yet
+ * done) and return introspection details specific to that backend.
+ *
+ * Useful for `credentials status` — shows which store this process is talking
+ * to, so path/socket mismatches between the CLI and daemon are immediately
+ * visible.
+ */
+export function getActiveBackendInfoAsync(): Promise<BackendInfo> {
+  return withCredentialTimeout(async () => {
+    const backend = await resolveBackendAsync();
+    if (backend.name === "encrypted-store") {
+      const protectedDir = getProtectedDir();
+      const storePath = join(protectedDir, "keys.enc");
+      const storeKeyPath = join(protectedDir, "store.key");
+      return {
+        backend: "encrypted-store" as const,
+        storePath,
+        storeKeyPath,
+        storeExists: existsSync(storePath),
+        storeKeyExists: existsSync(storeKeyPath),
+      };
+    }
+    if (backend.name === "ces-rpc") {
+      return { backend: "ces-rpc" as const, ready: backend.isAvailable() };
+    }
+    if (backend.name === "ces-http") {
+      return {
+        backend: "ces-http" as const,
+        url: process.env.CES_CREDENTIAL_URL ?? "",
+      };
+    }
+    return { backend: "none" as const };
+  }, { backend: "none" as const });
+}
+
 /** @internal Test-only: reset the cached backends so they're re-created. */
 export function _resetBackend(): void {
   _cesClient = undefined;

package/src/skills/remote-skill-policy.ts

@@ -1,12 +1,6 @@
 type RemoteSkillProvider = "clawhub" | "skillssh";
 
-export type SkillsShRisk =
-  | "safe"
-  | "low"
-  | "medium"
-  | "high"
-  | "critical"
-  | "unknown";
+type SkillsShRisk = "safe" | "low" | "medium" | "high" | "critical" | "unknown";
 export type SkillsShRiskThreshold = Exclude<SkillsShRisk, "unknown">;
 
 export interface RemoteSkillPolicy {
@@ -50,17 +44,17 @@ interface SkillsShRemoteSkillCandidate extends RemoteSkillCandidateBase {
   audit?: SkillsShAuditState | null;
 }
 
-export type RemoteSkillCandidate =
+type RemoteSkillCandidate =
   | ClawhubRemoteSkillCandidate
   | SkillsShRemoteSkillCandidate;
 
-export type RemoteSkillDenyReason =
+type RemoteSkillDenyReason =
   | "clawhub_suspicious"
   | "clawhub_malware_blocked"
   | "clawhub_moderation_missing"
   | "skillssh_risk_exceeds_threshold";
 
-export type RemoteSkillInstallDecision =
+type RemoteSkillInstallDecision =
   | { ok: true }
   | { ok: false; reason: RemoteSkillDenyReason };
 

package/src/subagent/index.ts

@@ -1,11 +1,5 @@
 export { mergeSkillIds } from "./manager.js";
-export type {
-  SubagentConfig,
-  SubagentRole,
-  SubagentRoleConfig,
-  SubagentState,
-  SubagentStatus,
-} from "./types.js";
+export type { SubagentRole } from "./types.js";
 export { SUBAGENT_ROLE_REGISTRY, TERMINAL_STATUSES } from "./types.js";
 
 import { SubagentManager } from "./manager.js";

package/src/subagent/manager.ts

@@ -11,10 +11,7 @@
 import { v4 as uuid } from "uuid";
 
 import { getConfig } from "../config/loader.js";
-import {
-  Conversation,
-  type ConversationMemoryPolicy,
-} from "../daemon/conversation.js";
+import { Conversation } from "../daemon/conversation.js";
 import { findConversation } from "../daemon/conversation-store.js";
 import type { ServerMessage } from "../daemon/message-protocol.js";
 import { bootstrapConversation } from "../memory/conversation-bootstrap.js";
@@ -231,16 +228,6 @@ export class SubagentManager {
     const maxTokens = appConfig.llm.default.maxTokens;
     const workingDir = getSandboxWorkingDir();
 
-    const memoryPolicy: ConversationMemoryPolicy = isFork
-      ? {
-          scopeId: "default",
-          includeDefaultFallback: false,
-        }
-      : {
-          scopeId: `subagent:${subagentId}`,
-          includeDefaultFallback: true,
-        };
-
     // ── Initialise state ────────────────────────────────────────────
     const now = Date.now();
     // For forks, default sendResultToUser to false (silent) unless explicitly true.
@@ -289,7 +276,6 @@ export class SubagentManager {
       maxTokens,
       wrappedSendToClient,
       workingDir,
-      memoryPolicy,
       undefined, // sharedCesClient
       undefined, // speedOverride
       "5m", // cacheTtl — subagents run tight tool-use loops, 5m is always hot

package/src/tasks/task-runner.ts

@@ -67,7 +67,6 @@ export async function runTask(
 
   updateTaskRun(run.id, {
     conversationId: conversation.id,
-    memoryScopeId: `task:${task.id}`,
   });
 
   try {

package/src/tasks/task-store.ts

@@ -27,7 +27,6 @@ export interface TaskRun {
   finishedAt: number | null;
   error: string | null;
   principalId: string | null;
-  memoryScopeId: string | null;
   createdAt: number;
 }
 
@@ -109,7 +108,6 @@ export function createTaskRun(taskId: string): TaskRun {
     finishedAt: null,
     error: null,
     principalId: null,
-    memoryScopeId: null,
     createdAt: now,
   };
   db.insert(taskRuns).values(run).run();
@@ -125,7 +123,6 @@ export function updateTaskRun(
       | "conversationId"
       | "error"
       | "principalId"
-      | "memoryScopeId"
       | "startedAt"
       | "finishedAt"
     >

package/src/tools/background-tool-registry.ts

@@ -19,7 +19,7 @@ export interface BackgroundTool {
   command: string;
   startedAt: number;
   /** Kills the process (bash) or aborts the proxy (host_bash). */
-  cancel: () => void;
+  cancel: (reason?: string) => void;
 }
 
 /** Maximum number of concurrent background tools allowed. */
@@ -61,16 +61,30 @@ export function listBackgroundTools(conversationId?: string): BackgroundTool[] {
  * Cancels a background tool by ID: calls `tool.cancel()`, removes the entry,
  * and returns `true`. Returns `false` if the ID is not found.
  */
-export function cancelBackgroundTool(id: string): boolean {
+export function cancelBackgroundTool(id: string, reason?: string): boolean {
   const tool = registry.get(id);
   if (!tool) {
     return false;
   }
-  tool.cancel();
+  tool.cancel(reason);
   registry.delete(id);
   return true;
 }
 
+export function cancelBackgroundTools(
+  shouldCancel: (tool: BackgroundTool) => boolean,
+  reason?: string,
+): BackgroundTool[] {
+  const cancelled: BackgroundTool[] = [];
+  for (const tool of Array.from(registry.values())) {
+    if (!shouldCancel(tool)) continue;
+    tool.cancel(reason);
+    registry.delete(tool.id);
+    cancelled.push(tool);
+  }
+  return cancelled;
+}
+
 /**
  * Generates a short prefixed ID for a background tool.
  * Format: `bg-<8 hex chars>` (e.g. `bg-a1b2c3d4`).

package/src/tools/host-filesystem/edit.test.ts

@@ -0,0 +1,151 @@
+import { mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileEditTool } = await import("./edit.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-edit-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_edit cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/some/host/path.txt",
+        old_string: "foo",
+        new_string: "bar",
+      },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/some/host/path.txt",
+        old_string: "foo",
+        new_string: "bar",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/nonexistent/x.txt",
+        old_string: "foo",
+        new_string: "bar",
+      },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — instead we got the
+    // local FileSystemOps error path (file not found / IO error).
+    expect(result.isError).toBe(true);
+    expect(result.content.toLowerCase()).toMatch(/not found|enoent|editing/);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/nonexistent/x.txt",
+        old_string: "foo",
+        new_string: "bar",
+        target_client_id: "stale-mac",
+      },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the call
+    // must fall through to local FileSystemOps, NOT reject with "target
+    // client ... is no longer connected".
+    expect(result.isError).toBe(true);
+    expect(result.content).not.toContain("is no longer connected");
+    expect(result.content.toLowerCase()).toMatch(/not found|enoent|editing/);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/some/host/path.txt",
+        old_string: "foo",
+        new_string: "bar",
+        target_client_id: "abc-123",
+      },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // Without transport metadata, falling through to local fs would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+});

package/src/tools/host-filesystem/edit.ts

@@ -92,7 +92,8 @@ class HostFileEditTool implements Tool {
     const replaceAll = input.replace_all === true;
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -109,6 +110,45 @@ class HostFileEditTool implements Tool {
       };
     }
 
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
     if (HostFileProxy.instance.isAvailable()) {
@@ -123,6 +163,8 @@ class HostFileEditTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/host-filesystem/read.test.ts

@@ -0,0 +1,129 @@
+import { mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileReadTool } = await import("./read.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-read-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_read cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt", target_client_id: "abc-123" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable and path is non-image", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/nonexistent/x.txt" },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — instead we got the
+    // local FileSystemOps NOT_FOUND error.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("File not found");
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/nonexistent/x.txt", target_client_id: "stale-mac" },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the call
+    // must fall through to local FileSystemOps (NOT_FOUND for a fake path),
+    // NOT reject with "target client ... is no longer connected".
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("File not found");
+    expect(result.content).not.toContain("is no longer connected");
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt", target_client_id: "abc-123" },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // When transport metadata is missing we cannot rule out a non-host-proxy
+    // turn, so falling through to local fs would silently target the daemon
+    // container. The guard fires for both undefined transport AND
+    // non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+});

package/src/tools/host-filesystem/read.ts

@@ -63,7 +63,8 @@ class HostFileReadTool implements Tool {
     }
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -80,6 +81,45 @@ class HostFileReadTool implements Tool {
       };
     }
 
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode),
     // including image reads that need the host filesystem view.
@@ -94,6 +134,8 @@ class HostFileReadTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }