@vellumai/assistant 0.7.2 → 0.8.0

package/src/daemon/__tests__/conversation-tool-setup.test.ts

@@ -19,29 +19,28 @@
  * host_file_* are filtered out for chrome-extension regardless of the
  * hasNoClient flag.
  *
- * Cross-client exception (Phase 1): host_bash is allowed for non-host-proxy
- * interfaces (e.g. "web") when at least one host_bash-capable client is
- * connected via the event hub. host_file_* and host_browser remain filtered
- * regardless (Phase 2).
+ * Cross-client exception: tools whose capabilities are in
+ * CROSS_CLIENT_EXPOSED_CAPABILITIES (host_bash, host_file) are allowed for
+ * non-host-proxy interfaces (e.g. "web") when at least one capable client
+ * is connected via the event hub. host_browser is excluded (chrome-extension
+ * is its own executor; web turns have no CDP target model).
  */
 
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 // ── Module-level mocks ─────────────────────────────────────────────
 
-// Control how many host_bash-capable clients the hub reports.
-let mockHostBashClientCount = 0;
+// Control how many capable clients the hub reports per capability.
+const mockClientCountByCapability = new Map<string, number>();
 
 mock.module("../../runtime/assistant-event-hub.js", () => ({
   assistantEventHub: {
     listClientsByCapability: (cap: string) => {
-      if (cap === "host_bash") {
-        return Array.from({ length: mockHostBashClientCount }, (_, i) => ({
-          clientId: `mock-client-${i}`,
-          capabilities: ["host_bash"],
-        }));
-      }
-      return [];
+      const count = mockClientCountByCapability.get(cap) ?? 0;
+      return Array.from({ length: count }, (_, i) => ({
+        clientId: `mock-${cap}-client-${i}`,
+        capabilities: [cap],
+      }));
     },
   },
   broadcastMessage: () => {},
@@ -72,7 +71,7 @@ function makeCtx(
 }
 
 beforeEach(() => {
-  mockHostBashClientCount = 0;
+  mockClientCountByCapability.clear();
 });
 
 describe("isToolActiveForContext — host tool capability gating", () => {
@@ -213,7 +212,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   test("host_bash is active for web transport when a host_bash-capable client is connected", () => {
     // Cross-client path: a web turn should see host_bash when a macOS client
     // with host_bash capability is connected via the event hub.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -224,7 +223,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
 
   test("host_bash is NOT active for web transport when no capable client is connected", () => {
     // No cross-client fallback: hub has no host_bash-capable subscribers.
-    mockHostBashClientCount = 0;
+    mockClientCountByCapability.set("host_bash", 0);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -233,11 +232,11 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
     ).toBe(false);
   });
 
-  test("host_file_read is NOT active for web transport even when a capable client is connected (Phase 2 gate)", () => {
-    // The cross-client exception is scoped to host_bash only.
-    // host_file_* remain filtered for non-host-proxy interfaces regardless
-    // of connected clients until Phase 2 lands.
-    mockHostBashClientCount = 1;
+  test("host_file_read is NOT active for web transport when only a host_bash client is connected", () => {
+    // The cross-client exception is per-capability: a host_bash-capable
+    // client in the hub does not satisfy host_file's exposure check, since
+    // listClientsByCapability is queried with the tool's actual capability.
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_file_read",
@@ -249,7 +248,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   test("host_bash for macos transport is unaffected by the cross-client exception", () => {
     // macos natively supports host_bash via host proxy — the supportsHostProxy
     // check passes, so the cross-client branch is never reached.
-    mockHostBashClientCount = 0;
+    mockClientCountByCapability.set("host_bash", 0);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -262,7 +261,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
     // Even with a capable client in the hub, the macos SSE path takes
     // precedence — it passes the supportsHostProxy check, bypasses the
     // cross-client branch, and reaches the hasNoClient gate.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -275,7 +274,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
     // Security boundary: chrome-extension only gets host_browser. The
     // cross-client exception explicitly excludes chrome-extension transport
     // regardless of how many host_bash-capable clients are in the hub.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -287,7 +286,7 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   test("host_bash is NOT active for web transport when hasNoClient is true (no approval UI)", () => {
     // hasNoClient gate: no interactive approval UI available for this turn.
     // Cross-client exception must not bypass this gate.
-    mockHostBashClientCount = 1;
+    mockClientCountByCapability.set("host_bash", 1);
     expect(
       isToolActiveForContext(
         "host_bash",
@@ -297,6 +296,68 @@ describe("isToolActiveForContext — cross-client exception (Phase 1: host_bash)
   });
 });
 
+describe("isToolActiveForContext — cross-client exposure for host_file_*", () => {
+  const HOST_FILE_TOOLS = [
+    "host_file_read",
+    "host_file_write",
+    "host_file_edit",
+    "host_file_transfer",
+  ] as const;
+
+  for (const tool of HOST_FILE_TOOLS) {
+    test(`${tool} is exposed for web transport when a host_file client is connected`, () => {
+      mockClientCountByCapability.set("host_file", 1);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: false, transportInterface: "web" }),
+        ),
+      ).toBe(true);
+    });
+
+    test(`${tool} is NOT exposed for web when no host_file client is connected`, () => {
+      mockClientCountByCapability.set("host_file", 0);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: false, transportInterface: "web" }),
+        ),
+      ).toBe(false);
+    });
+
+    test(`${tool} is NOT exposed for chrome-extension (security boundary)`, () => {
+      mockClientCountByCapability.set("host_file", 1);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: true, transportInterface: "chrome-extension" }),
+        ),
+      ).toBe(false);
+    });
+
+    test(`${tool} is NOT exposed when hasNoClient is true (no approval UI)`, () => {
+      mockClientCountByCapability.set("host_file", 1);
+      expect(
+        isToolActiveForContext(
+          tool,
+          makeCtx({ hasNoClient: true, transportInterface: "web" }),
+        ),
+      ).toBe(false);
+    });
+  }
+
+  test("listClientsByCapability is queried with the actual capability, not host_bash (regression guard for D5 latent bug)", () => {
+    mockClientCountByCapability.set("host_bash", 0);
+    mockClientCountByCapability.set("host_file", 1);
+    expect(
+      isToolActiveForContext(
+        "host_file_transfer",
+        makeCtx({ hasNoClient: false, transportInterface: "web" }),
+      ),
+    ).toBe(true);
+  });
+});
+
 describe("HOST_TOOL_NAMES derivation", () => {
   test("HOST_TOOL_NAMES is derived from HOST_TOOL_TO_CAPABILITY", () => {
     // Sanity check: every tool in the names set has a capability mapping.

package/src/daemon/assistant-attachments.ts

@@ -125,7 +125,7 @@ export function classifyKind(mimeType: string): "image" | "video" | "document" {
 // Validation / cap enforcement
 // ---------------------------------------------------------------------------
 
-export interface ValidatedDrafts {
+interface ValidatedDrafts {
   accepted: AssistantAttachmentDraft[];
   warnings: string[];
 }
@@ -171,13 +171,13 @@ export interface DirectiveRequest {
   mimeType: string | undefined;
 }
 
-export interface DirectiveParseResult {
+interface DirectiveParseResult {
   cleanText: string;
   directiveRequests: DirectiveRequest[];
   parseWarnings: string[];
 }
 
-export interface DirectiveDisplayDrainResult {
+interface DirectiveDisplayDrainResult {
   emitText: string;
   bufferedRemainder: string;
 }
@@ -362,7 +362,7 @@ export function drainDirectiveDisplayBuffer(
 // Sandbox file resolution
 // ---------------------------------------------------------------------------
 
-export interface ResolveResult {
+interface ResolveResult {
   draft: AssistantAttachmentDraft | null;
   warning: string | null;
 }

package/src/daemon/config-watcher.ts

@@ -8,7 +8,9 @@ import {
   type FSWatcher,
   mkdirSync,
   readdirSync,
+  unwatchFile,
   watch,
+  watchFile,
 } from "node:fs";
 import { join } from "node:path";
 
@@ -17,7 +19,6 @@ import type { MemoryCleanupConfig } from "../config/schemas/memory-lifecycle.js"
 import { resetCleanupScheduleThrottle } from "../memory/cleanup-schedule-state.js";
 import { clearEmbeddingBackendCache } from "../memory/embedding-backend.js";
 import { initializeProviders } from "../providers/registry.js";
-import { handleBashSignal } from "../signals/bash.js";
 import { handleCancelSignal } from "../signals/cancel.js";
 import { handleConversationUndoSignal } from "../signals/conversation-undo.js";
 import { handleEmitEventSignal } from "../signals/emit-event.js";
@@ -47,19 +48,44 @@ function attachWatcherErrorHandler(watcher: FSWatcher, dir: string): void {
   });
 }
 
+/**
+ * Poll interval for `fs.watchFile()`. Use the stat-polling watcher
+ * because Bun's per-file `fs.watch()` doesn't detect renames on Linux
+ * (seemingly works on macOS). See https://github.com/oven-sh/bun/issues/15010.
+ */
+const WATCH_FILE_POLL_MS = 2_000;
+
 export class ConfigWatcher {
   private watchers: FSWatcher[] = [];
-  private debounceTimers = new DebouncerMap({
-    defaultDelayMs: 200,
-    maxEntries: 1000,
-    protectedKeyPrefix: "__",
-  });
+  private watchedFiles: Set<string> = new Set();
+  private stopped = false;
+  private debounceTimers: DebouncerMap;
   private suppressReload = false;
   lastFingerprint = "";
+  private lastConfig: ReturnType<typeof getConfig> | null = null;
   private lastRefreshTime = 0;
 
   static readonly REFRESH_INTERVAL_MS = 30_000;
 
+  /**
+   * @param pollIntervalMs Per-file stat poll interval (passed to
+   *   `fs.watchFile`). Default `WATCH_FILE_POLL_MS` (2s); tests pass a
+   *   smaller value for fast turnaround.
+   * @param debounceMs Debounce window applied to any detected file
+   *   change before invoking its handler. Default 200ms; tests pass a
+   *   smaller value to avoid sleeping unnecessarily.
+   */
+  constructor(
+    private readonly pollIntervalMs: number = WATCH_FILE_POLL_MS,
+    debounceMs = 200,
+  ) {
+    this.debounceTimers = new DebouncerMap({
+      defaultDelayMs: debounceMs,
+      maxEntries: 1000,
+      protectedKeyPrefix: "__",
+    });
+  }
+
   /** Expose the debounce timers so handlers can schedule debounced work. */
   get timers(): DebouncerMap {
     return this.debounceTimers;
@@ -88,12 +114,15 @@ export class ConfigWatcher {
 
   /** Initialize the config fingerprint (call after first config load). */
   initFingerprint(config: ReturnType<typeof getConfig>): void {
+    this.lastConfig = config;
     this.lastFingerprint = this.configFingerprint(config);
   }
 
   /** Update the fingerprint to match the current config. */
   updateFingerprint(): void {
-    this.lastFingerprint = this.configFingerprint(getConfig());
+    const config = getConfig();
+    this.lastConfig = config;
+    this.lastFingerprint = this.configFingerprint(config);
     this.lastRefreshTime = Date.now();
   }
 
@@ -103,7 +132,7 @@ export class ConfigWatcher {
    * Returns true if config actually changed.
    */
   async refreshConfigFromSources(): Promise<boolean> {
-    const prevCleanup = safeGetCleanupConfig();
+    const prevCleanup = this.lastConfig?.memory?.cleanup;
     invalidateConfigCache();
     const config = getConfig();
     const fingerprint = this.configFingerprint(config);
@@ -120,6 +149,7 @@ export class ConfigWatcher {
     }
     const isFirstInit = this.lastFingerprint === "";
     await initializeProviders(config);
+    this.lastConfig = config;
     this.lastFingerprint = fingerprint;
     return !isFirstInit;
   }
@@ -136,19 +166,24 @@ export class ConfigWatcher {
     onAvatarChanged?: () => void,
     onConfigChanged?: () => void,
   ): void {
+    // Reset the stopped flag so a stop()→start() cycle on the same
+    // instance resumes hot-reload instead of silently bailing in every
+    // watchFile callback. This matters because getConfigWatcher() is a
+    // module-level singleton — a daemon restart path that reuses it
+    // would otherwise be permanently mute.
+    this.stopped = false;
     const workspaceDir = getWorkspaceDir();
 
     const workspaceHandlers: Record<string, () => void> = {
       "config.json": async () => {
         if (this.suppressReload) return;
         try {
-          const prevConfig = getConfig();
-          const prevMcpFingerprint = JSON.stringify(prevConfig.mcp ?? {});
+          const prevMcpFingerprint = JSON.stringify(this.lastConfig?.mcp ?? {});
           const changed = await this.refreshConfigFromSources();
           if (changed) {
             onConversationEvict();
             onConfigChanged?.();
-            const newConfig = getConfig();
+            const newConfig = this.lastConfig ?? getConfig();
             const newMcpFingerprint = JSON.stringify(newConfig.mcp ?? {});
             if (newMcpFingerprint !== prevMcpFingerprint) {
               reloadMcpServers().catch((err: unknown) => {
@@ -170,37 +205,11 @@ export class ConfigWatcher {
       },
     };
 
-    const watchDir = (
-      dir: string,
-      handlers: Record<string, () => void>,
-      label: string,
-    ): void => {
-      try {
-        const watcher = watch(dir, (_eventType, filename) => {
-          if (!filename) return;
-          const file = String(filename);
-          if (!handlers[file]) return;
-          this.debounceTimers.schedule(`file:${file}`, () => {
-            log.info({ file }, "File changed, reloading");
-            handlers[file]();
-          });
-        });
-        attachWatcherErrorHandler(watcher, dir);
-        this.watchers.push(watcher);
-        log.info({ dir }, `Watching ${label}`);
-      } catch (err) {
-        log.warn(
-          { err, dir },
-          `Failed to watch ${label}. Hot-reload will be unavailable.`,
-        );
-      }
-    };
-
-    watchDir(
-      workspaceDir,
-      workspaceHandlers,
-      "workspace directory for config/prompt changes",
-    );
+    // Per-file watches; don't watch the workspace directory itself because
+    // it contains socket files.
+    for (const [filename, handler] of Object.entries(workspaceHandlers)) {
+      this.watchFile(join(workspaceDir, filename), handler, filename);
+    }
 
     if (onSoundsConfigChanged) {
       this.startSoundsWatcher(onSoundsConfigChanged);
@@ -215,13 +224,46 @@ export class ConfigWatcher {
   }
 
   stop(): void {
+    this.stopped = true;
     this.debounceTimers.cancelAll();
+    for (const filePath of this.watchedFiles) {
+      unwatchFile(filePath);
+    }
+    this.watchedFiles.clear();
     for (const watcher of this.watchers) {
       watcher.close();
     }
     this.watchers = [];
   }
 
+  private watchFile(
+    filePath: string,
+    handler: () => void,
+    label: string,
+  ): void {
+    // Match the defensive pattern used by every other startXWatcher in
+    // this file: log the failure and continue. Per AGENTS.md, the daemon
+    // must never block startup — a watchFile() throw on some platform
+    // edge case must not propagate up to DaemonServer.start().
+    try {
+      watchFile(filePath, { interval: this.pollIntervalMs }, (curr, prev) => {
+        if (this.stopped) return;
+        if (curr.ino === prev.ino && curr.mtimeMs === prev.mtimeMs) return;
+        this.debounceTimers.schedule(`file:${filePath}`, () => {
+          log.info({ file: filePath }, "File changed, reloading");
+          handler();
+        });
+      });
+      this.watchedFiles.add(filePath);
+      log.info({ file: filePath }, `Watching ${label}`);
+    } catch (err) {
+      log.warn(
+        { err, file: filePath },
+        `Failed to watch ${label}. Hot-reload will be unavailable until restart.`,
+      );
+    }
+  }
+
   private startSoundsWatcher(onSoundsConfigChanged: () => void): void {
     const soundsDir = getSoundsDir();
     try {
@@ -341,7 +383,6 @@ export class ConfigWatcher {
       string,
       (filename: string) => void | Promise<void>
     > = {
-      "bash.": handleBashSignal,
       "user-message.": handleUserMessageSignal,
     };
 
@@ -486,20 +527,6 @@ export class ConfigWatcher {
   }
 }
 
-/**
- * Snapshot the current cleanup config so we can compare it against the
- * post-reload value. Tolerant of config-load failures — if the config can't
- * be read (e.g. first-load), returns undefined so the comparison below
- * treats it as "no previous value".
- */
-function safeGetCleanupConfig(): MemoryCleanupConfig | undefined {
-  try {
-    return getConfig().memory?.cleanup;
-  } catch {
-    return undefined;
-  }
-}
-
 /**
  * Return true if any cleanup field the user can change via the UI differs
  * between the previous and next config snapshots. Used to decide whether to
@@ -530,6 +557,7 @@ export function cleanupSettingsChanged(
   return (
     prev.llmRequestLogRetentionMs !== next.llmRequestLogRetentionMs ||
     prev.conversationRetentionDays !== next.conversationRetentionDays ||
+    prev.traceEventRetentionDays !== next.traceEventRetentionDays ||
     prev.enabled !== next.enabled
   );
 }

package/src/daemon/conversation-agent-loop-handlers.ts

@@ -137,6 +137,8 @@ export interface EventHandlerState {
   readonly directiveWarnings: string[];
   readonly toolUseIdToName: Map<string, string>;
   currentTurnToolNames: string[];
+  /** Sticky for the whole run: this turn created/refreshed an app. */
+  appBuildToolUsedThisRun: boolean;
   /** Tracks whether the first text delta has been emitted this turn for activity state transitions. */
   firstTextDeltaEmitted: boolean;
   /** Tracks whether a thinking delta has been emitted this turn for activity state transitions. */
@@ -168,6 +170,16 @@ export interface EventHandlerState {
       approvalMode?: string;
       approvalReason?: string;
       riskThreshold?: string;
+      /** Display-only regex ladder for the rule editor (narrowest → broadest). */
+      riskScopeOptions?: Array<{ pattern: string; label: string }>;
+      /** Minimatch save patterns for the rule editor (narrowest → broadest). */
+      riskAllowlistOptions?: Array<{
+        label: string;
+        description: string;
+        pattern: string;
+      }>;
+      /** Directory scope ladder for the rule editor. */
+      riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
     }
   >;
   /** tool_use_ids emitted in the current turn (populated in handleToolUse, cleared after annotation). */
@@ -219,6 +231,7 @@ export function createEventHandlerState(): EventHandlerState {
     directiveWarnings: [],
     toolUseIdToName: new Map(),
     currentTurnToolNames: [],
+    appBuildToolUsedThisRun: false,
     firstTextDeltaEmitted: false,
     firstThinkingDeltaEmitted: false,
     lastCompletedToolName: undefined,
@@ -365,6 +378,9 @@ export function handleToolUse(
 ): void {
   state.toolUseIdToName.set(event.id, event.name);
   state.currentTurnToolNames.push(event.name);
+  if (event.name === "app_create" || event.name === "app_refresh") {
+    state.appBuildToolUsedThisRun = true;
+  }
   state.toolCallTimestamps.set(event.id, { startedAt: Date.now() });
   state.currentToolUseId = event.id;
   state.currentTurnToolUseIds.push(event.id);
@@ -548,6 +564,14 @@ export function handleToolResult(
       approvalMode: event.approvalMode,
       approvalReason: event.approvalReason,
       riskThreshold: event.riskThreshold,
+      // Capture the 3 risk-option arrays so the persisted tool_use block
+      // carries the same chip ladder as the live tool_result event. Without
+      // these, hydrated chips from chat history fall back to the synthesized
+      // `*` allowlist and an empty scope ladder (see the comment on
+      // `synthesizeFallbackOption` in web's RuleEditorModal).
+      riskScopeOptions: event.riskScopeOptions,
+      riskAllowlistOptions: event.riskAllowlistOptions,
+      riskDirectoryScopeOptions: event.riskDirectoryScopeOptions,
     });
   }
 
@@ -627,6 +651,7 @@ export function handleToolResult(
     matchedTrustRuleId: event.matchedTrustRuleId,
     isContainerized: event.isContainerized,
     riskScopeOptions: event.riskScopeOptions,
+    riskAllowlistOptions: event.riskAllowlistOptions,
     riskDirectoryScopeOptions: event.riskDirectoryScopeOptions,
     approvalMode: event.approvalMode,
     approvalReason: event.approvalReason,
@@ -688,6 +713,19 @@ function annotatePersistedAssistantMessage(
         if (risk.approvalMode) rec._approvalMode = risk.approvalMode;
         if (risk.approvalReason) rec._approvalReason = risk.approvalReason;
         if (risk.riskThreshold) rec._riskThreshold = risk.riskThreshold;
+        // Persist the 3 risk-option arrays so the rule editor's chip ladder
+        // survives chat-history reload. These mirror the same-named fields
+        // on the live `tool_result` event; clients should read them back via
+        // `shared.ts` and treat them identically to the live values.
+        if (risk.riskScopeOptions && risk.riskScopeOptions.length > 0)
+          rec._riskScopeOptions = risk.riskScopeOptions;
+        if (risk.riskAllowlistOptions && risk.riskAllowlistOptions.length > 0)
+          rec._riskAllowlistOptions = risk.riskAllowlistOptions;
+        if (
+          risk.riskDirectoryScopeOptions &&
+          risk.riskDirectoryScopeOptions.length > 0
+        )
+          rec._riskDirectoryScopeOptions = risk.riskDirectoryScopeOptions;
         modified = true;
       }
     }