@vellumai/assistant 0.7.2 → 0.8.0

package/src/daemon/disk-pressure-policy.ts

@@ -0,0 +1,163 @@
+import type { InterfaceId } from "../channels/types.js";
+import type { LLMCallSite } from "../config/schemas/llm.js";
+import type { DiskPressureStatus } from "./disk-pressure-guard.js";
+import type { ConversationType } from "./message-types/shared.js";
+import type { TrustContext } from "./trust-context.js";
+
+export type DiskPressureCleanupReason = "local-owner" | "guardian";
+
+export type DiskPressureBlockReason =
+  | "background"
+  | "trusted-contact"
+  | "non-guardian"
+  | "unknown-remote";
+
+export type DiskPressureTurnPolicyDecision =
+  | { action: "allow-normal" }
+  | { action: "allow-cleanup-mode"; reason: DiskPressureCleanupReason }
+  | { action: "block"; reason: DiskPressureBlockReason };
+
+export type DiskPressureTurnTrustClass =
+  | TrustContext["trustClass"]
+  | "non_guardian"
+  | "non-guardian"
+  | (string & {});
+
+export interface DiskPressureTurnTrustContext {
+  sourceChannel?: TrustContext["sourceChannel"] | (string & {});
+  trustClass?: DiskPressureTurnTrustClass;
+}
+
+export interface DiskPressureTurnMetadata {
+  conversationType?: ConversationType | (string & {}) | null;
+  conversationGroupId?: string | null;
+  conversationSource?: string | null;
+  callSite?: LLMCallSite | (string & {}) | null;
+  isInteractive?: boolean | null;
+  sourceChannel?: TrustContext["sourceChannel"] | (string & {}) | null;
+  sourceInterface?: InterfaceId | "vellum" | (string & {}) | null;
+  trustContext?: DiskPressureTurnTrustContext | null;
+  isDirectWake?: boolean | null;
+}
+
+const BACKGROUND_CONVERSATION_TYPES = new Set(["background", "scheduled"]);
+const BACKGROUND_GROUP_IDS = new Set(["system:background", "system:scheduled"]);
+const BACKGROUND_SOURCES = new Set([
+  "auto-analysis",
+  "background",
+  "compaction",
+  "direct",
+  "filing",
+  "heartbeat",
+  "memory",
+  "notification",
+  "proactive-artifact",
+  "reminder",
+  "schedule",
+  "task",
+  "update-bulletin",
+]);
+const LOCAL_OWNER_INTERFACES = new Set(["macos", "web", "vellum", "cli"]);
+
+export function classifyDiskPressureTurnPolicy(
+  status: DiskPressureStatus,
+  metadata: DiskPressureTurnMetadata,
+): DiskPressureTurnPolicyDecision {
+  if (!status.enabled || !status.locked || status.overrideActive) {
+    return { action: "allow-normal" };
+  }
+
+  if (!status.effectivelyLocked) {
+    return { action: "allow-normal" };
+  }
+
+  if (isBackgroundTurn(metadata)) {
+    return { action: "block", reason: "background" };
+  }
+
+  const trustClass = metadata.trustContext?.trustClass;
+  if (trustClass === "guardian") {
+    return { action: "allow-cleanup-mode", reason: "guardian" };
+  }
+
+  if (trustClass === "trusted_contact") {
+    return { action: "block", reason: "trusted-contact" };
+  }
+
+  if (isNonGuardianTrustClass(trustClass)) {
+    return { action: "block", reason: "non-guardian" };
+  }
+
+  if (trustClass === "unknown") {
+    return { action: "block", reason: "unknown-remote" };
+  }
+
+  if (trustClass !== undefined) {
+    return { action: "block", reason: "non-guardian" };
+  }
+
+  if (isLocalOwnerTurnWithoutTrust(metadata)) {
+    return { action: "allow-cleanup-mode", reason: "local-owner" };
+  }
+
+  return { action: "block", reason: "unknown-remote" };
+}
+
+function isBackgroundTurn(metadata: DiskPressureTurnMetadata): boolean {
+  if (isExplicitLocalOwnerCleanupTurn(metadata)) return false;
+  if (metadata.isDirectWake) return true;
+  if (metadata.callSite != null && metadata.callSite !== "mainAgent") {
+    return true;
+  }
+  if (
+    metadata.conversationType != null &&
+    BACKGROUND_CONVERSATION_TYPES.has(metadata.conversationType)
+  ) {
+    return true;
+  }
+  if (
+    metadata.conversationGroupId != null &&
+    BACKGROUND_GROUP_IDS.has(metadata.conversationGroupId)
+  ) {
+    return true;
+  }
+  return (
+    metadata.conversationSource != null &&
+    BACKGROUND_SOURCES.has(metadata.conversationSource)
+  );
+}
+
+function isNonGuardianTrustClass(
+  trustClass: DiskPressureTurnTrustClass | undefined,
+): boolean {
+  return trustClass === "non_guardian" || trustClass === "non-guardian";
+}
+
+function isLocalOwnerTurnWithoutTrust(
+  metadata: DiskPressureTurnMetadata,
+): boolean {
+  if (metadata.trustContext != null) return false;
+
+  const channel = metadata.sourceChannel;
+  const sourceInterface = metadata.sourceInterface;
+  if (channel !== "vellum" || sourceInterface == null) return false;
+  return LOCAL_OWNER_INTERFACES.has(sourceInterface);
+}
+
+function isExplicitLocalOwnerCleanupTurn(
+  metadata: DiskPressureTurnMetadata,
+): boolean {
+  if (metadata.isDirectWake !== true) return false;
+  const sourceInterface = metadata.sourceInterface;
+  if (
+    metadata.sourceChannel !== "vellum" ||
+    sourceInterface == null ||
+    !LOCAL_OWNER_INTERFACES.has(sourceInterface)
+  ) {
+    return false;
+  }
+  return (
+    metadata.trustContext == null ||
+    metadata.trustContext.trustClass === "guardian"
+  );
+}

package/src/daemon/handlers/shared.ts

@@ -63,6 +63,20 @@ export interface HistoryToolCall {
   approvalReason?: string;
   /** Snapshot of the auto-approve threshold at execution time. */
   riskThreshold?: string;
+  /**
+   * Display-only regex ladder for the rule editor (narrowest → broadest).
+   * Persisted on tool_use blocks by `annotatePersistedAssistantMessage` so
+   * historical chips render the same ladder as live tool_result events.
+   */
+  riskScopeOptions?: Array<{ pattern: string; label: string }>;
+  /** Minimatch save patterns for the rule editor (narrowest → broadest). */
+  riskAllowlistOptions?: Array<{
+    label: string;
+    description: string;
+    pattern: string;
+  }>;
+  /** Directory scope ladder for the rule editor. */
+  riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
 }
 
 export interface HistorySurface {
@@ -129,7 +143,6 @@ export interface ConversationCreateOptions {
   isInteractive?: boolean;
   /** Slack-only non-persisted notice injected into the active model turn. */
   slackRuntimeContextNotice?: string;
-  memoryScopeId?: string;
   /** Channel command intent metadata (e.g. Telegram /start). */
   commandIntent?: { type: string; payload?: string; languageCode?: string };
 
@@ -369,6 +382,18 @@ export function renderHistoryContent(content: unknown): RenderedHistoryContent {
         entry.approvalReason = block._approvalReason;
       if (typeof block._riskThreshold === "string")
         entry.riskThreshold = block._riskThreshold;
+      // Read back the 3 risk-option arrays persisted by
+      // `annotatePersistedAssistantMessage`. Validate the array shape only
+      // — element shapes are best-effort (we trust our own writer).
+      if (Array.isArray(block._riskScopeOptions))
+        entry.riskScopeOptions =
+          block._riskScopeOptions as HistoryToolCall["riskScopeOptions"];
+      if (Array.isArray(block._riskAllowlistOptions))
+        entry.riskAllowlistOptions =
+          block._riskAllowlistOptions as HistoryToolCall["riskAllowlistOptions"];
+      if (Array.isArray(block._riskDirectoryScopeOptions))
+        entry.riskDirectoryScopeOptions =
+          block._riskDirectoryScopeOptions as HistoryToolCall["riskDirectoryScopeOptions"];
       toolCalls.push(entry);
       if (id) pendingToolUses.set(id, entry);
       contentOrder.push(`tool:${toolCalls.length - 1}`);

package/src/daemon/handlers/skills.ts

@@ -430,7 +430,7 @@ async function listSkillsWithCatalog(): Promise<SlimSkillResponse[]> {
 
 // ─── Filtered skill listing ──────────────────────────────────────────────────
 
-export interface SkillListFilter {
+interface SkillListFilter {
   origin?: string;
   kind?: string;
   q?: string;
@@ -698,7 +698,6 @@ export async function getSkill(
 // depends on `catalog-cache.ts`, which would otherwise be reachable via this
 // handler module). Re-exported here so handlers can import it alongside
 // the other skill handler exports.
-export type { SkillFileEntry } from "../../skills/catalog-files.js";
 
 /**
  * Returns true if `filePath` is a symlink whose resolved real path escapes
@@ -1428,7 +1427,7 @@ export async function inspectSkill(
   }
 }
 
-export interface DraftResult {
+interface DraftResult {
   success: boolean;
   draft?: {
     skillId: string;
@@ -1583,7 +1582,7 @@ export async function draftSkill(params: {
   }
 }
 
-export interface CreateSkillParams {
+interface CreateSkillParams {
   skillId: string;
   name: string;
   description: string;

package/src/daemon/host-app-control-proxy.ts

@@ -11,13 +11,22 @@
  * (PNG-hash loop guard) and the result-payload → ToolExecutionResult
  * translation on top.
  *
- * **Singleton lock.** Only one conversation may hold an active app-control
- * session at a time. The lock is module-level (`activeAppControlConversationId`)
- * because a session targets the user's actual desktop application, which
- * is a host-wide resource. The lock is acquired on a successful
- * `app_control_start` and released when the owning proxy's `dispose()`
- * fires. A second conversation that calls `start` while the lock is held
- * receives an `isError: true` tool result naming the holding conversation.
+ * **Session lock.** Only one conversation may hold an active app-control
+ * session at a time, and that session is bound to a specific target app.
+ * The lock is module-level (`activeAppControlSession`) because the session
+ * targets the user's actual desktop application, which is a host-wide
+ * resource. It is acquired on a successful `app_control_start` (storing
+ * `(conversationId, app)`) and released when the owning proxy's
+ * `dispose()` fires.
+ *
+ * `app_control_start` is the only tool that can acquire the lock — the
+ * user's medium-risk approval at start time is the consent boundary. All
+ * other tools (observe / press / combo / sequence / type / click / drag)
+ * require the calling conversation to own an active session targeting the
+ * same `app`; otherwise the call is rejected before any host dispatch.
+ * This prevents prompt-injected tool calls from sending raw input to
+ * arbitrary apps without the user having approved control of that
+ * specific app.
  *
  * **No step cap.** Unlike {@link HostCuProxy} which enforces a per-session
  * step ceiling via `loadConfig().maxStepsPerSession`, app-control sessions
@@ -51,36 +60,111 @@ const REQUEST_TIMEOUT_MS = 60 * 1000;
 const STUCK_REPEAT_THRESHOLD = 4;
 
 // ---------------------------------------------------------------------------
-// Tool name constants
+// Module-level session lock
 // ---------------------------------------------------------------------------
-//
-// Kept here (rather than imported from PR 5's tool registrations) so the
-// proxy is independently testable. PR 5 must use these same string values.
-
-const TOOL_START = "app_control_start";
 
-// ---------------------------------------------------------------------------
-// Module-level singleton lock
-// ---------------------------------------------------------------------------
+/**
+ * Active app-control session: the conversation that owns the lock and the
+ * `app` it was approved against. Set on a successful `app_control_start`;
+ * cleared by the owning proxy's `dispose()`.
+ */
+export interface ActiveAppControlSession {
+  conversationId: string;
+  /**
+   * The exact `app` string the user approved at start time (bundle ID or
+   * process name — preserved as-is). Compared case-insensitively against
+   * the `app` of subsequent non-start tool calls.
+   */
+  app: string;
+}
 
 /**
- * Conversation id that currently owns the active app-control session, or
- * `undefined` if no session is active. Set on a successful
- * `app_control_start`; cleared by the owning proxy's `dispose()`.
+ * Currently active session, or `undefined` when no session is held.
  *
  * Exported for test inspection only. Production code paths must not read
  * or mutate this directly — use the proxy methods.
  */
-let activeAppControlConversationId: string | undefined;
+let activeAppControlSession: ActiveAppControlSession | undefined;
 
-/** Test-only helper: read current lock owner. */
-export function _getActiveAppControlConversationId(): string | undefined {
-  return activeAppControlConversationId;
+/** Test-only helper: read current session. */
+export function _getActiveAppControlSession():
+  | ActiveAppControlSession
+  | undefined {
+  return activeAppControlSession;
 }
 
-/** Test-only helper: clear lock between test cases. */
-export function _resetActiveAppControlConversationId(): void {
-  activeAppControlConversationId = undefined;
+/** Test-only helper: clear session between test cases. */
+export function _resetActiveAppControlSession(): void {
+  activeAppControlSession = undefined;
+}
+
+/**
+ * Test-only helper: prime the active session without a full `start` round-trip.
+ * Useful for tests that exercise non-start tool paths and don't need to
+ * verify the start flow itself.
+ */
+export function _setActiveAppControlSession(
+  session: ActiveAppControlSession,
+): void {
+  activeAppControlSession = session;
+}
+
+/**
+ * Validate a non-start tool call against the active session. Returns a
+ * `ToolExecutionResult` (with `isError: true`) when the call should be
+ * rejected; returns `null` when the call is authorized to dispatch.
+ *
+ * `app` matching is case-insensitive (macOS bundle IDs are
+ * case-insensitive in practice) but strict on form: `"Safari"` and
+ * `"com.apple.Safari"` do not match — the user approved a specific string
+ * and substituting a different form requires a new approval.
+ */
+function checkNonStartAuthorization(
+  input: HostAppControlInput,
+  conversationId: string,
+): ToolExecutionResult | null {
+  if (activeAppControlSession == null) {
+    return {
+      content:
+        "No app-control session is active. Call app_control_start to request " +
+        "user approval to control the target app, then retry.",
+      isError: true,
+    };
+  }
+  if (activeAppControlSession.conversationId !== conversationId) {
+    return {
+      content:
+        `Another conversation (${activeAppControlSession.conversationId}) currently ` +
+        `holds the app-control session. Wait for it to finish, or call ` +
+        `app_control_stop from that conversation first.`,
+      isError: true,
+    };
+  }
+  // `app` is required on every non-start variant of HostAppControlInput
+  // except `stop`, and `stop` short-circuits in conversation-surfaces and
+  // does not reach this method in production. A stop reaching here would
+  // be a defensive bug — surface it explicitly rather than dispatch.
+  const requestedApp = (input as { app?: string }).app;
+  if (requestedApp == null) {
+    return {
+      content:
+        "Tool input missing required 'app' field; cannot validate against " +
+        "the active app-control session.",
+      isError: true,
+    };
+  }
+  if (
+    requestedApp.toLowerCase() !== activeAppControlSession.app.toLowerCase()
+  ) {
+    return {
+      content:
+        `Active app-control session targets ${activeAppControlSession.app}; ` +
+        `cannot send actions to ${requestedApp}. Call app_control_stop and ` +
+        `app_control_start to switch apps.`,
+      isError: true,
+    };
+  }
+  return null;
 }
 
 // ---------------------------------------------------------------------------
@@ -91,7 +175,7 @@ export class HostAppControlProxy extends HostProxyBase<
   HostAppControlInput,
   HostAppControlResultPayload
 > {
-  /** Conversation that owns this proxy instance. Used by `dispose()` to release the singleton lock only when this proxy is the holder. */
+  /** Conversation that owns this proxy instance. Used by `dispose()` to release the session lock only when this proxy is the holder. */
   private readonly conversationId: string;
 
   /** sha256 hex of the most recent observation's `pngBase64`, or undefined. */
@@ -143,21 +227,29 @@ export class HostAppControlProxy extends HostProxyBase<
       return { content: "Aborted", isError: true };
     }
 
-    // Singleton-lock guard for `start`. Other tools assume a session
-    // already exists and are not gated here.
-    if (toolName === TOOL_START) {
+    // Authorization gate. `start` acquires the session lock (the user's
+    // medium-risk approval is the consent boundary); all other tools must
+    // belong to the active session and target the same `app`. Without this
+    // gate, prompt-injected calls would bypass the start-time approval and
+    // send raw input to arbitrary apps.
+    if (input.tool === "start") {
       if (
-        activeAppControlConversationId != null &&
-        activeAppControlConversationId !== conversationId
+        activeAppControlSession != null &&
+        activeAppControlSession.conversationId !== conversationId
       ) {
         return {
           content:
-            `Another conversation (${activeAppControlConversationId}) currently holds the ` +
+            `Another conversation (${activeAppControlSession.conversationId}) currently holds the ` +
             `app-control session. Wait for it to finish, or call app_control_stop ` +
             `from that conversation first.`,
           isError: true,
         };
       }
+    } else {
+      const sessionError = checkNonStartAuthorization(input, conversationId);
+      if (sessionError != null) {
+        return sessionError;
+      }
     }
 
     try {
@@ -167,7 +259,7 @@ export class HostAppControlProxy extends HostProxyBase<
         conversationId,
         signal,
       );
-      return this.handleSuccess(toolName, payload);
+      return this.handleSuccess(input, payload);
     } catch (err) {
       if (err instanceof HostProxyRequestError) {
         if (err.reason === "timeout") {
@@ -192,7 +284,7 @@ export class HostAppControlProxy extends HostProxyBase<
   // ---------------------------------------------------------------------------
 
   private handleSuccess(
-    toolName: string,
+    input: HostAppControlInput,
     payload: HostAppControlResultPayload,
   ): ToolExecutionResult {
     // Update PNG-hash loop tracking only for the "running" state — other
@@ -212,9 +304,13 @@ export class HostAppControlProxy extends HostProxyBase<
       }
     }
 
-    // Acquire the singleton lock on a successful `start`.
-    if (toolName === TOOL_START && payload.state === "running") {
-      activeAppControlConversationId = this.conversationId;
+    // Store the exact `app` form for validation against subsequent
+    // non-start tool calls.
+    if (input.tool === "start" && payload.state === "running") {
+      activeAppControlSession = {
+        conversationId: this.conversationId,
+        app: input.app,
+      };
     }
 
     return this.formatResult(payload, stuck);
@@ -281,13 +377,13 @@ export class HostAppControlProxy extends HostProxyBase<
   // ---------------------------------------------------------------------------
 
   /**
-   * Reject pending requests via the base, then release the singleton lock
+   * Reject pending requests via the base, then release the session lock
    * if this proxy is the holder. Idempotent: safe to call multiple times.
    */
   override dispose(): void {
     super.dispose();
-    if (activeAppControlConversationId === this.conversationId) {
-      activeAppControlConversationId = undefined;
+    if (activeAppControlSession?.conversationId === this.conversationId) {
+      activeAppControlSession = undefined;
     }
   }
 }

package/src/daemon/host-bash-proxy.ts

@@ -5,6 +5,11 @@ import {
   assistantEventHub,
   broadcastMessage,
 } from "../runtime/assistant-event-hub.js";
+import {
+  ambiguousSameUserError,
+  enforceSameActorOrErrorResult,
+  pickSameUserAutoResolve,
+} from "../runtime/auth/same-actor.js";
 import * as pendingInteractions from "../runtime/pending-interactions.js";
 import { formatShellOutput } from "../tools/shared/shell-output.js";
 import type { ToolExecutionResult } from "../tools/types.js";
@@ -13,7 +18,6 @@ import { getLogger } from "../util/logger.js";
 
 const log = getLogger("host-bash-proxy");
 
-
 export class HostBashProxy {
   private static _instance: HostBashProxy | null = null;
 
@@ -62,14 +66,14 @@ export class HostBashProxy {
     },
     conversationId: string,
     signal?: AbortSignal,
+    // Principal ID of the actor on whose behalf this request is initiated.
+    sourceActorPrincipalId?: string,
   ): Promise<ToolExecutionResult> {
     if (signal?.aborted) {
       const result = formatShellOutput("", "Aborted", null, false, 0);
       return Promise.resolve(result);
     }
 
-    const capableClients = assistantEventHub.listClientsByCapability("host_bash");
-
     let resolvedTargetClientId: string | undefined;
 
     if (input.targetClientId) {
@@ -81,14 +85,37 @@ export class HostBashProxy {
         });
       }
       resolvedTargetClientId = input.targetClientId;
-    } else if (capableClients.length === 1) {
-      // Auto-resolve when exactly one capable client is connected.
-      resolvedTargetClientId = capableClients[0].clientId;
+    } else {
+      // Auto-resolve to the unique same-user client. Reject (rather than
+      // broadcast) when multiple same-user clients are connected so that
+      // a single targeted-style request cannot fan out across every one
+      // of the user's machines. Zero same-user matches falls through to
+      // the existing untargeted code path.
+      const resolved = pickSameUserAutoResolve({
+        hub: assistantEventHub,
+        capability: "host_bash",
+        sourceActorPrincipalId,
+      });
+      if (resolved.kind === "ambiguous") {
+        return Promise.resolve(ambiguousSameUserError("host_bash"));
+      }
+      resolvedTargetClientId =
+        resolved.kind === "match" ? resolved.clientId : undefined;
+    }
+
+    // Targeted requests must be bound to the same authenticated user as the
+    // target client. Fail closed at request time — before pendingInteractions
+    // registration and before broadcast — so a same-daemon caller cannot
+    // execute on another user's connected client.
+    if (resolvedTargetClientId != null) {
+      const rejection = enforceSameActorOrErrorResult({
+        hub: assistantEventHub,
+        sourceActorPrincipalId,
+        targetClientId: resolvedTargetClientId,
+        op: "host_bash",
+      });
+      if (rejection) return Promise.resolve(rejection);
     }
-    // capableClients.length === 0 or > 1 without explicit target: resolvedTargetClientId
-    // stays undefined and falls through to untargeted broadcast — the existing timeout/error
-    // path handles the zero-client case, and multi-client ambiguity is enforced at the tool
-    // executor layer (not here) once target_client_id is exposed in the tool schema.
 
     const requestId = uuid();
 
@@ -108,15 +135,7 @@ export class HostBashProxy {
         const timeoutMessage = resolvedTargetClientId
           ? `Host bash proxy timed out waiting for response from client ${resolvedTargetClientId}`
           : "Host bash proxy timed out waiting for client response";
-        resolve(
-          formatShellOutput(
-            "",
-            timeoutMessage,
-            null,
-            true,
-            timeoutSec,
-          ),
-        );
+        resolve(formatShellOutput("", timeoutMessage, null, true, timeoutSec));
       }, proxyTimeoutSec * 1000);
 
       if (signal) {
@@ -147,11 +166,17 @@ export class HostBashProxy {
       pendingInteractions.register(requestId, {
         conversationId,
         kind: "host_bash",
-        rpcResolve: resolve,
+        rpcResolve: resolve as (v: unknown) => void,
         rpcReject: reject,
         timer,
         detachAbort,
         targetClientId: resolvedTargetClientId,
+        targetActorPrincipalId:
+          resolvedTargetClientId != null
+            ? assistantEventHub.getActorPrincipalIdForClient(
+                resolvedTargetClientId,
+              )
+            : undefined,
         metadata: { timeoutSec },
       });
 
@@ -166,8 +191,8 @@ export class HostBashProxy {
             timeout_seconds: input.timeout_seconds,
             targetClientId: resolvedTargetClientId,
             ...(input.env && Object.keys(input.env).length > 0
-                ? { env: input.env }
-                : {}),
+              ? { env: input.env }
+              : {}),
           },
           conversationId,
           { targetClientId: resolvedTargetClientId },

package/src/daemon/host-browser-proxy.ts

@@ -135,7 +135,7 @@ export class HostBrowserProxy {
       pendingInteractions.register(requestId, {
         conversationId,
         kind: "host_browser",
-        rpcResolve: resolve,
+        rpcResolve: resolve as (v: unknown) => void,
         rpcReject: reject,
         timer,
         detachAbort,