@vellumai/assistant 0.7.2 → 0.7.3

package/src/tools/host-filesystem/transfer.test.ts

@@ -31,6 +31,15 @@ mock.module("../../daemon/host-transfer-proxy.js", () => ({
   },
 }));
 
+// Mirror read/write/edit test files: stub the event hub so the multi-client
+// guard at line ~100 of transfer.ts is exercised against an isolated stub
+// rather than the live process-wide singleton.
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
 const { hostFileTransferTool } = await import("./transfer.js");
 
 const testDirs: string[] = [];
@@ -50,8 +59,16 @@ function makeTempDir(): string {
   return dir;
 }
 
-function makeContext(workingDir: string): ToolContext {
-  return { workingDir, conversationId: "test-conv", trustClass: "guardian" };
+function makeContext(
+  workingDir: string,
+  transportInterface?: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
 }
 
 // ---------------------------------------------------------------------------
@@ -269,3 +286,111 @@ describe("host_file_transfer managed mode", () => {
     expect(toSandboxCalls.length).toBe(0);
   });
 });
+
+// ---------------------------------------------------------------------------
+// Cross-client guard tests
+// ---------------------------------------------------------------------------
+
+describe("host_file_transfer cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    // mockProxyAvailable defaults to false.
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: "out.txt",
+        direction: "to_sandbox",
+      },
+      makeContext(workingDir, "web"),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: "out.txt",
+        direction: "to_sandbox",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+    const destFile = join(workingDir, "should-not-exist.txt");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: destFile,
+        direction: "to_sandbox",
+        target_client_id: "abc-123",
+      },
+      // transportInterface intentionally omitted (legacy callers).
+      makeContext(workingDir),
+    );
+
+    // Without transport metadata, falling through to executeLocal would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(existsSync(destFile)).toBe(false);
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: Devin-flagged scope drift fix)", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+    const destFile = join(workingDir, "stale-target.txt");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: destFile,
+        direction: "to_sandbox",
+        target_client_id: "stale-mac",
+      },
+      makeContext(workingDir, "macos"),
+    );
+
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the local
+    // copy must succeed, NOT reject with "target client ... is no longer
+    // connected" or the older "target_client_id was specified but no host
+    // client is available" message.
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+});

package/src/tools/host-filesystem/transfer.ts

@@ -93,7 +93,8 @@ class HostFileTransferTool implements Tool {
     const overwrite = input.overwrite === true;
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -103,7 +104,51 @@ class HostFileTransferTool implements Tool {
       !supportsHostProxy(context.transportInterface) &&
       assistantEventHub.listClientsByCapability("host_file").length > 1
     ) {
-      return { content: `Error: multiple clients support host_file. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_file\` to see client IDs and labels.`, isError: true };
+      return {
+        content: `Error: multiple clients support host_file. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_file\` to see client IDs and labels.`,
+        isError: true,
+      };
+    }
+
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, a web/ios turn whose host_file client has
+    // disconnected since projection would fall through to executeLocal
+    // below and act on the daemon container's filesystem instead of
+    // the user's host machine.
+    if (
+      targetClientId == null &&
+      context.transportInterface != null &&
+      !supportsHostProxy(context.transportInterface) &&
+      !HostTransferProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to executeLocal
+    // would silently target the daemon container's filesystem instead of
+    // the intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostTransferProxy.instance.isAvailable() &&
+      (context.transportInterface == null ||
+        !supportsHostProxy(context.transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
     }
 
     // Validate that host-side paths are absolute.
@@ -136,7 +181,9 @@ class HostFileTransferTool implements Tool {
 
     let resolvedDestPath = destPath;
     if (direction === "to_sandbox") {
-      const pathCheck = sandboxPolicy(destPath, context.workingDir, { mustExist: false });
+      const pathCheck = sandboxPolicy(destPath, context.workingDir, {
+        mustExist: false,
+      });
       if (!pathCheck.ok) {
         return {
           content: `Invalid destination path: ${pathCheck.error}`,
@@ -158,6 +205,7 @@ class HostFileTransferTool implements Tool {
             targetClientId,
           },
           context.signal,
+          context.sourceActorPrincipalId,
         );
       }
       return HostTransferProxy.instance.requestToSandbox(
@@ -169,17 +217,14 @@ class HostFileTransferTool implements Tool {
           targetClientId,
         },
         context.signal,
+        context.sourceActorPrincipalId,
       );
     }
 
-    if (targetClientId != null) {
-      return {
-        content: `Error: target_client_id '${targetClientId}' was specified but no host client is available. Ensure the client is connected.`,
-        isError: true,
-      };
-    }
-
-    // Local mode: direct filesystem copy.
+    // Local mode: direct filesystem copy. The non-host-proxy + stale
+    // target_client_id case is caught by the scoped guard at the top of
+    // execute(); on macos a stale target_client_id is silently ignored
+    // here, matching the read/write/edit pattern.
     return this.executeLocal(resolvedSourcePath, resolvedDestPath, overwrite);
   }
 

package/src/tools/host-filesystem/write.test.ts

@@ -0,0 +1,134 @@
+import { existsSync, mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileWriteTool } = await import("./write.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-write-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_write cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileWriteTool.execute(
+      { path: "/some/host/path.txt", content: "hello" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileWriteTool.execute(
+      {
+        path: "/some/host/path.txt",
+        content: "hello",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "out.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello" },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — local write succeeded.
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "stale-target.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello", target_client_id: "stale-mac" },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the local
+    // write must succeed, NOT reject with "target client ... is no longer
+    // connected".
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "should-not-exist.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello", target_client_id: "abc-123" },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // Without transport metadata, falling through to local fs would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(existsSync(destFile)).toBe(false);
+  });
+});

package/src/tools/host-filesystem/write.ts

@@ -62,7 +62,8 @@ class HostFileWriteTool implements Tool {
     }
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -79,6 +80,45 @@ class HostFileWriteTool implements Tool {
       };
     }
 
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
     if (HostFileProxy.instance.isAvailable()) {
@@ -91,6 +131,8 @@ class HostFileWriteTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/host-terminal/host-shell.ts

@@ -179,9 +179,17 @@ class HostShellTool implements Tool {
       };
     }
     const background = input.background === true;
+    if (background && context.diskPressureCleanupModeActive === true) {
+      return {
+        content:
+          "Error: background host shell commands are not available during disk pressure cleanup mode.",
+        isError: true,
+      };
+    }
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -236,10 +244,7 @@ class HostShellTool implements Tool {
     // guard both targetClientId != null guards above are bypassed, and the
     // code falls through to local daemon execution — silently running commands
     // inside the Docker container instead of on the intended host machine.
-    if (
-      targetClientId != null &&
-      !HostBashProxy.instance.isAvailable()
-    ) {
+    if (targetClientId != null && !HostBashProxy.instance.isAvailable()) {
       return {
         content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_bash\` to see currently connected clients.`,
         isError: true,
@@ -287,6 +292,7 @@ class HostShellTool implements Tool {
           },
           context.conversationId,
           abortController.signal,
+          context.sourceActorPrincipalId,
         );
 
         proxyPromise
@@ -315,7 +321,7 @@ class HostShellTool implements Tool {
           conversationId: context.conversationId,
           command,
           startedAt: Date.now(),
-          cancel: () => abortController.abort(),
+          cancel: (reason?: string) => abortController.abort(reason),
         });
 
         return {
@@ -334,6 +340,7 @@ class HostShellTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/mcp/mcp-tool-factory.ts

@@ -2,6 +2,7 @@ import type { McpServerConfig } from "../../config/schemas/mcp.js";
 import type { McpServerManager } from "../../mcp/manager.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
+import { toProviderSafeToolName } from "../provider-tool-name.js";
 import { schemaDefinesProperty } from "../schema-transforms.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 
@@ -16,7 +17,7 @@ const riskMap: Record<string, RiskLevel> = {
  * and with core/skill tools.
  */
 function mcpToolName(serverId: string, toolName: string): string {
-  return `mcp__${serverId}__${toolName}`;
+  return toProviderSafeToolName(`mcp__${serverId}__${toolName}`);
 }
 
 export interface McpToolMetadata {

package/src/tools/memory/register.test.ts

@@ -11,9 +11,15 @@ import {
   test,
 } from "bun:test";
 
+import { _setOverridesForTesting } from "../../config/assistant-feature-flags.js";
 import { PKB_WORKSPACE_SCOPE } from "../../memory/pkb/types.js";
 import type { ToolContext } from "../types.js";
 
+// This test exercises v1 PKB re-index enqueue. The `memory-v2-enabled` flag
+// (registry default `true`) makes the enqueue path skipped — disable it so
+// the v1 PKB index path stays under test.
+_setOverridesForTesting({ "memory-v2-enabled": false });
+
 let tmpWorkspace: string;
 let previousWorkspaceEnv: string | undefined;
 
@@ -175,7 +181,7 @@ describe("recallTool.execute", () => {
         max_results: 4,
         depth: "deep",
       },
-      makeContext({ memoryScopeId: "scope-filter" }),
+      makeContext(),
     );
 
     expect(result).toEqual({
@@ -196,7 +202,7 @@ describe("recallTool.execute", () => {
 
     const result = await recallTool.execute(
       { query: "fallback search", sources: ["workspace"], depth: "fast" },
-      makeContext({ memoryScopeId: "scope-fallback" }),
+      makeContext(),
     );
 
     expect(result).toEqual({
@@ -205,7 +211,7 @@ describe("recallTool.execute", () => {
     });
   });
 
-  test("propagates tool context and defaults missing memory scope", async () => {
+  test("propagates tool context", async () => {
     const controller = new AbortController();
 
     await recallTool.execute(
@@ -221,7 +227,6 @@ describe("recallTool.execute", () => {
     expect(recallCalls[0]?.context).toEqual({
       workingDir: "/workspace/project",
       conversationId: "conv-context",
-      memoryScopeId: "default",
       config: getConfig(),
       signal: controller.signal,
     });
@@ -275,9 +280,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
   test("enqueues re-index jobs for both buffer and daily archive paths", async () => {
     const result = await rememberTool.execute(
       { content: "index me please" },
-      // Passes a non-default per-conversation scopeId to prove the PKB
-      // enqueue ignores it and pins to PKB_WORKSPACE_SCOPE instead.
-      makeContext({ memoryScopeId: "scope-enqueue" }),
+      makeContext(),
     );
     expect(result.isError).toBe(false);
 
@@ -308,7 +311,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
   test("does not enqueue when content is empty (write was skipped)", async () => {
     const result = await rememberTool.execute(
       { content: "   " },
-      makeContext({ memoryScopeId: "scope-empty" }),
+      makeContext(),
     );
     expect(result.isError).toBe(true);
     expect(enqueueCalls).toHaveLength(0);
@@ -319,7 +322,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
 
     const result = await rememberTool.execute(
       { content: "enqueue will throw" },
-      makeContext({ memoryScopeId: "scope-throw" }),
+      makeContext(),
     );
 
     // Remember call succeeded despite enqueue throwing for each write.

package/src/tools/memory/register.ts

@@ -34,7 +34,7 @@ class RememberTool implements Tool {
     const result = handleRemember(
       typedInput,
       context.conversationId,
-      context.memoryScopeId ?? "default",
+      "default",
       getConfig(),
     );
     return {
@@ -73,7 +73,6 @@ class RecallTool implements Tool {
     const result = await runAgenticRecall(input as unknown as RecallInput, {
       workingDir: context.workingDir,
       conversationId: context.conversationId,
-      memoryScopeId: context.memoryScopeId ?? "default",
       config,
       signal: context.signal,
     });

package/src/tools/provider-tool-name.ts

@@ -0,0 +1,28 @@
+import { createHash } from "node:crypto";
+
+const PROVIDER_TOOL_NAME_MAX_LENGTH = 64;
+const PROVIDER_TOOL_NAME_RE = /^[a-zA-Z0-9_-]{1,64}$/;
+const HASH_LENGTH = 12;
+
+export function isProviderSafeToolName(name: string): boolean {
+  return PROVIDER_TOOL_NAME_RE.test(name);
+}
+
+export function toProviderSafeToolName(rawName: string): string {
+  const trimmed = rawName.trim();
+  if (isProviderSafeToolName(rawName)) {
+    return rawName;
+  }
+
+  const hash = createHash("sha256")
+    .update(rawName)
+    .digest("hex")
+    .slice(0, HASH_LENGTH);
+  const suffix = `__${hash}`;
+  const maxBaseLength = PROVIDER_TOOL_NAME_MAX_LENGTH - suffix.length;
+  const sanitized =
+    trimmed.replace(/[^a-zA-Z0-9_-]+/g, "_").replace(/^_+|_+$/g, "") || "tool";
+  const base = sanitized.slice(0, maxBaseLength).replace(/_+$/g, "") || "tool";
+
+  return `${base}${suffix}`;
+}