@vellumai/assistant 0.7.2 → 0.8.0

package/src/runtime/routes/host-file-routes.ts

@@ -7,8 +7,18 @@
 import { z } from "zod";
 
 import { HostFileProxy } from "../../daemon/host-file-proxy.js";
+import {
+  enforceSameActorOrThrow,
+  SAME_ACTOR_FORBIDDEN_DESCRIPTION,
+} from "../auth/same-actor.js";
+import { resolveActorPrincipalIdForLocalGuardian } from "../local-actor-identity.js";
 import * as pendingInteractions from "../pending-interactions.js";
-import { BadRequestError, ConflictError, ForbiddenError, NotFoundError } from "./errors.js";
+import {
+  BadRequestError,
+  ConflictError,
+  ForbiddenError,
+  NotFoundError,
+} from "./errors.js";
 import type { RouteDefinition, RouteHandlerArgs } from "./types.js";
 
 // ---------------------------------------------------------------------------
@@ -44,16 +54,33 @@ function handleHostFileResult({ body, headers }: RouteHandlerArgs) {
 
   // Validate submitting client matches the targeted client (if any).
   if (peeked.targetClientId != null) {
-    const rawClientId = (headers as Record<string, string | undefined>)?.["x-vellum-client-id"];
-    const submittingClientId = rawClientId?.trim() || undefined;
+    const headerMap = (headers as Record<string, string | undefined>) ?? {};
+    const submittingClientId =
+      headerMap["x-vellum-client-id"]?.trim() || undefined;
     if (!submittingClientId) {
-      throw new BadRequestError("x-vellum-client-id header is missing for a targeted host file request.");
+      throw new BadRequestError(
+        "x-vellum-client-id header is missing for a targeted host file request.",
+      );
     }
     if (submittingClientId !== peeked.targetClientId) {
       throw new ForbiddenError(
         `Client "${submittingClientId}" is not the target for this request (expected "${peeked.targetClientId}"). The targeted client must submit the result.`,
       );
     }
+
+    // Defense-in-depth: also require the submitting actor's principal id to
+    // match the actor that opened the target client's SSE stream. This blocks
+    // cross-user submissions even if a different user somehow obtains the
+    // target client id.
+    const submittingActorPrincipalId = resolveActorPrincipalIdForLocalGuardian(
+      headerMap["x-vellum-actor-principal-id"]?.trim() || undefined,
+    );
+    enforceSameActorOrThrow({
+      sourceActorPrincipalId: submittingActorPrincipalId,
+      targetActorPrincipalId: peeked.targetActorPrincipalId,
+      targetClientId: peeked.targetClientId,
+      op: "host_file",
+    });
   }
 
   HostFileProxy.instance.resolve(requestId, {
@@ -102,8 +129,7 @@ export const ROUTES: RouteDefinition[] = [
           "x-vellum-client-id header is missing for a targeted host file request.",
       },
       "403": {
-        description:
-          "Submitting client does not match the targeted client for this request.",
+        description: SAME_ACTOR_FORBIDDEN_DESCRIPTION,
       },
       "404": {
         description: "No pending interaction found for the given requestId.",

package/src/runtime/routes/host-transfer-routes.ts

@@ -8,8 +8,18 @@
 import { z } from "zod";
 
 import { HostTransferProxy } from "../../daemon/host-transfer-proxy.js";
+import {
+  enforceSameActorOrThrow,
+  SAME_ACTOR_FORBIDDEN_DESCRIPTION,
+} from "../auth/same-actor.js";
+import { resolveActorPrincipalIdForLocalGuardian } from "../local-actor-identity.js";
 import * as pendingInteractions from "../pending-interactions.js";
-import { BadRequestError, ConflictError, ForbiddenError, NotFoundError } from "./errors.js";
+import {
+  BadRequestError,
+  ConflictError,
+  ForbiddenError,
+  NotFoundError,
+} from "./errors.js";
 import type { RouteDefinition, RouteHandlerArgs } from "./types.js";
 
 /**
@@ -44,9 +54,31 @@ function handleTransferContentGet({
 
   const targetClientId = match.proxy.getTargetClientIdForTransfer(transferId);
   if (targetClientId != null) {
-    const submittingClientId = (headers as Record<string, string>)["x-vellum-client-id"]?.trim() || undefined;
-    if (!submittingClientId) throw new BadRequestError("x-vellum-client-id header required for targeted transfer");
-    if (submittingClientId !== targetClientId) throw new ForbiddenError(`Client "${submittingClientId}" is not the owner of this transfer`);
+    const headerMap = headers as Record<string, string | undefined>;
+    const submittingClientId =
+      headerMap["x-vellum-client-id"]?.trim() || undefined;
+    if (!submittingClientId)
+      throw new BadRequestError(
+        "x-vellum-client-id header required for targeted transfer",
+      );
+    if (submittingClientId !== targetClientId)
+      throw new ForbiddenError(
+        `Client "${submittingClientId}" is not the owner of this transfer`,
+      );
+
+    // Defense-in-depth: the submitting actor's principal must match the
+    // actor that opened the target client's SSE stream. Compare against
+    // the value persisted at registration time so a brief reconnect does
+    // not 403 a legitimate fetch.
+    enforceSameActorOrThrow({
+      sourceActorPrincipalId: resolveActorPrincipalIdForLocalGuardian(
+        headerMap["x-vellum-actor-principal-id"]?.trim() || undefined,
+      ),
+      targetActorPrincipalId:
+        match.proxy.getTargetActorPrincipalIdForTransfer(transferId),
+      targetClientId,
+      op: "host_transfer",
+    });
   }
 
   const content = match.proxy.getTransferContent(transferId);
@@ -105,9 +137,27 @@ async function handleTransferContentPut({
 
   const targetClientId = match.proxy.getTargetClientIdForTransfer(transferId);
   if (targetClientId != null) {
-    const submittingClientId = (headers as Record<string, string>)["x-vellum-client-id"]?.trim() || undefined;
-    if (!submittingClientId) throw new BadRequestError("x-vellum-client-id header required for targeted transfer");
-    if (submittingClientId !== targetClientId) throw new ForbiddenError(`Client "${submittingClientId}" is not the owner of this transfer`);
+    const headerMap = headers as Record<string, string | undefined>;
+    const submittingClientId =
+      headerMap["x-vellum-client-id"]?.trim() || undefined;
+    if (!submittingClientId)
+      throw new BadRequestError(
+        "x-vellum-client-id header required for targeted transfer",
+      );
+    if (submittingClientId !== targetClientId)
+      throw new ForbiddenError(
+        `Client "${submittingClientId}" is not the owner of this transfer`,
+      );
+
+    enforceSameActorOrThrow({
+      sourceActorPrincipalId: resolveActorPrincipalIdForLocalGuardian(
+        headerMap["x-vellum-actor-principal-id"]?.trim() || undefined,
+      ),
+      targetActorPrincipalId:
+        match.proxy.getTargetActorPrincipalIdForTransfer(transferId),
+      targetClientId,
+      op: "host_transfer",
+    });
   }
 
   const data = rawBody ? Buffer.from(rawBody) : Buffer.alloc(0);
@@ -158,10 +208,26 @@ function handleTransferResult({ body, headers }: RouteHandlerArgs) {
   }
 
   if (peeked.targetClientId != null) {
-    const rawClientId = (headers as Record<string, string | undefined>)?.["x-vellum-client-id"];
+    const headerMap = (headers as Record<string, string | undefined>) ?? {};
+    const rawClientId = headerMap["x-vellum-client-id"];
     const submittingClientId = rawClientId?.trim() || undefined;
-    if (!submittingClientId) throw new BadRequestError("x-vellum-client-id header is missing for a targeted host transfer request.");
-    if (submittingClientId !== peeked.targetClientId) throw new ForbiddenError(`Client "${submittingClientId}" is not the target for this request (expected "${peeked.targetClientId}").`);
+    if (!submittingClientId)
+      throw new BadRequestError(
+        "x-vellum-client-id header is missing for a targeted host transfer request.",
+      );
+    if (submittingClientId !== peeked.targetClientId)
+      throw new ForbiddenError(
+        `Client "${submittingClientId}" is not the target for this request (expected "${peeked.targetClientId}").`,
+      );
+
+    enforceSameActorOrThrow({
+      sourceActorPrincipalId: resolveActorPrincipalIdForLocalGuardian(
+        headerMap["x-vellum-actor-principal-id"]?.trim() || undefined,
+      ),
+      targetActorPrincipalId: peeked.targetActorPrincipalId,
+      targetClientId: peeked.targetClientId,
+      op: "host_transfer",
+    });
   }
 
   HostTransferProxy.instance.resolveTransferResult(requestId, {
@@ -195,8 +261,7 @@ export const ROUTES: RouteDefinition[] = [
           "x-vellum-client-id header is missing for a targeted transfer.",
       },
       "403": {
-        description:
-          "Submitting client does not match the targeted client for this transfer.",
+        description: SAME_ACTOR_FORBIDDEN_DESCRIPTION,
       },
     },
     handler: handleTransferContentGet,
@@ -217,8 +282,7 @@ export const ROUTES: RouteDefinition[] = [
           "x-vellum-client-id header is missing for a targeted transfer.",
       },
       "403": {
-        description:
-          "Submitting client does not match the targeted client for this transfer.",
+        description: SAME_ACTOR_FORBIDDEN_DESCRIPTION,
       },
     },
     handler: handleTransferContentPut,
@@ -247,8 +311,7 @@ export const ROUTES: RouteDefinition[] = [
           "x-vellum-client-id header is missing for a targeted host transfer request.",
       },
       "403": {
-        description:
-          "Submitting client does not match the targeted client for this transfer.",
+        description: SAME_ACTOR_FORBIDDEN_DESCRIPTION,
       },
     },
     handler: handleTransferResult,

package/src/runtime/routes/identity-routes.ts

@@ -2,24 +2,20 @@
  * Identity and health endpoint handlers.
  */
 
-import { spawnSync } from "node:child_process";
-import { existsSync, readFileSync, statfsSync } from "node:fs";
+import { existsSync, readFileSync } from "node:fs";
 import { availableParallelism, cpus, totalmem } from "node:os";
 
 import { z } from "zod";
 
-import {
-  getCpuLimit,
-  getIsPlatform,
-  getMinikubeStorageSize,
-} from "../../config/env-registry.js";
+import { getCpuLimit, getIsPlatform } from "../../config/env-registry.js";
 import { parseIdentityFields } from "../../daemon/handlers/identity.js";
 import { getProfilerRuntimeStatus } from "../../daemon/profiler-run-store.js";
 import { getMaxMigrationVersion } from "../../memory/migrations/registry.js";
 import {
-  getWorkspaceDir,
-  getWorkspacePromptPath,
-} from "../../util/platform.js";
+  getDiskUsageInfo,
+  parseK8sMemoryBytes,
+} from "../../util/disk-usage.js";
+import { getWorkspacePromptPath } from "../../util/platform.js";
 import { APP_VERSION } from "../../version.js";
 import { resolveHatchedAtReadOnly } from "../../workspace/hatched-date.js";
 import { WORKSPACE_MIGRATIONS } from "../../workspace/migrations/registry.js";
@@ -28,138 +24,11 @@ import { NotFoundError } from "./errors.js";
 import { getCachedIntro } from "./identity-intro-cache.js";
 import type { RouteDefinition } from "./types.js";
 
-interface DiskSpaceInfo {
-  path: string;
-  totalMb: number;
-  usedMb: number;
-  freeMb: number;
-}
-
-/**
- * Measure the on-disk usage of one or more directory paths using `du -sb`.
- * Returns the sum of all paths in bytes, or null on failure.
- */
-function getDirectorySizeBytes(paths: string[]): number | null {
-  try {
-    const existing = paths.filter((p) => existsSync(p));
-    if (existing.length === 0) return null;
-    const result = spawnSync("du", ["-sb", ...existing], {
-      encoding: "utf-8",
-      timeout: 30_000,
-    });
-    if (result.status !== 0) return null;
-    let total = 0;
-    for (const line of result.stdout.trim().split("\n")) {
-      const size = parseInt(line.split("\t")[0], 10);
-      if (!isNaN(size) && size > 0) total += size;
-    }
-    return total > 0 ? total : null;
-  } catch {
-    return null;
-  }
-}
-
-const DU_CACHE_TTL_MS = 60_000;
-let duCacheValue: number | null = null;
-let duCacheTime = 0;
-let duCachePaths: string | null = null;
-
-function getCachedDirectorySizeBytes(paths: string[]): number | null {
-  const key = paths.join("\0");
-  const now = Date.now();
-  if (duCachePaths === key && now - duCacheTime < DU_CACHE_TTL_MS) {
-    return duCacheValue;
-  }
-  duCacheValue = getDirectorySizeBytes(paths);
-  duCacheTime = now;
-  duCachePaths = key;
-  return duCacheValue;
-}
-
-function getDiskSpaceInfo(): DiskSpaceInfo | null {
-  try {
-    const wsDir = getWorkspaceDir();
-    const diskPath = existsSync(wsDir) ? wsDir : "/";
-    const stats = statfsSync(diskPath);
-    const fsTotalBytes = stats.bsize * stats.blocks;
-    const fsFreeBytes = stats.bsize * stats.bavail;
-    const bytesToMb = (b: number) =>
-      Math.round((b / (1024 * 1024)) * 100) / 100;
-
-    // Minikube mode: the platform passes the PVC storage size so we can
-    // report accurate capacity. On hostPath-backed PVCs statfsSync reports
-    // the host's entire filesystem rather than the PVC. Detect this by
-    // comparing filesystem size against PVC size — if the filesystem is
-    // larger, measure actual directory usage with `du` instead.
-    const storageSizeRaw = getMinikubeStorageSize();
-    if (storageSizeRaw) {
-      const pvcTotalBytes = parseK8sMemoryBytes(storageSizeRaw);
-      if (pvcTotalBytes !== null && fsTotalBytes > pvcTotalBytes * 1.1) {
-        const volumePaths = [diskPath];
-        if (diskPath !== "/data" && existsSync("/data")) {
-          volumePaths.push("/data");
-        }
-        const usedBytes = getCachedDirectorySizeBytes(volumePaths);
-        if (usedBytes !== null) {
-          return {
-            path: diskPath,
-            totalMb: bytesToMb(pvcTotalBytes),
-            usedMb: bytesToMb(usedBytes),
-            freeMb: bytesToMb(Math.max(0, pvcTotalBytes - usedBytes)),
-          };
-        }
-      }
-    }
-
-    return {
-      path: diskPath,
-      totalMb: bytesToMb(fsTotalBytes),
-      usedMb: bytesToMb(fsTotalBytes - fsFreeBytes),
-      freeMb: bytesToMb(fsFreeBytes),
-    };
-  } catch {
-    return null;
-  }
-}
-
 interface MemoryInfo {
   currentMb: number;
   maxMb: number;
 }
 
-/**
- * Parse a Kubernetes-style memory string (e.g. "3Gi", "512Mi", "1G") into bytes.
- * Returns null if the value is not a recognized format.
- */
-function parseK8sMemoryBytes(value: string): number | null {
-  const match = value
-    .trim()
-    .match(/^(\d+(?:\.\d+)?)\s*(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E|m)?$/);
-  if (!match) return null;
-  const num = parseFloat(match[1]);
-  const unit = match[2] ?? "";
-  const multipliers: Record<string, number> = {
-    "": 1,
-    m: 1e-3,
-    k: 1e3,
-    M: 1e6,
-    G: 1e9,
-    T: 1e12,
-    P: 1e15,
-    E: 1e18,
-    Ki: 1024,
-    Mi: 1024 ** 2,
-    Gi: 1024 ** 3,
-    Ti: 1024 ** 4,
-    Pi: 1024 ** 5,
-    Ei: 1024 ** 6,
-  };
-  const mult = multipliers[unit];
-  if (mult === undefined) return null;
-  const bytes = Math.round(num * mult);
-  return bytes > 0 ? bytes : null;
-}
-
 /**
  * Read the memory limit from the VELLUM_MEMORY_LIMIT env var (K8s resource format),
  * then fall back to cgroups, then to os.totalmem().
@@ -458,7 +327,7 @@ function getDetailedHealth() {
     status: "healthy",
     timestamp: new Date().toISOString(),
     version: APP_VERSION,
-    disk: getDiskSpaceInfo(),
+    disk: getDiskUsageInfo(),
     memory: getMemoryInfo(),
     cpu: getCpuInfo(),
     migrations: {

package/src/runtime/routes/inbound-message-handler.ts

@@ -15,6 +15,8 @@ import {
   createApprovalConversationGenerator,
   createApprovalCopyGenerator,
 } from "../../daemon/approval-generators.js";
+import { getDiskPressureStatus } from "../../daemon/disk-pressure-guard.js";
+import { classifyDiskPressureTurnPolicy } from "../../daemon/disk-pressure-policy.js";
 import { processMessage } from "../../daemon/process-message.js";
 import type { TrustContext } from "../../daemon/trust-context.js";
 import { HeartbeatService } from "../../heartbeat/heartbeat-service.js";
@@ -35,6 +37,7 @@ import {
   getPendingVerificationReply,
 } from "../../memory/delivery-channels.js";
 import {
+  clearPayload,
   findMessageBySourceId,
   linkMessage,
   recordInbound,
@@ -75,6 +78,8 @@ import { tryTranscribeAudioAttachments } from "./inbound-stages/transcribe-audio
 import type { RouteHandlerArgs } from "./types.js";
 
 const log = getLogger("runtime-http");
+const DISK_PRESSURE_REMOTE_BLOCK_REPLY =
+  "Storage is critically low, so remote messages are ignored until the guardian frees enough space. Please try again later.";
 
 // Delete-lookup retry configuration. Delete webhooks can race ahead of
 // the inbound handler's `linkMessage` call when the original message's
@@ -524,6 +529,78 @@ export async function handleChannelInbound({
     });
   }
 
+  // ── Actor role resolution ──
+  // Uses shared channel-agnostic resolution so all ingress paths classify
+  // guardian vs non-guardian actors the same way.
+  const trustCtx: TrustContext = resolveTrustContext({
+    assistantId: canonicalAssistantId,
+    sourceChannel,
+    conversationExternalId,
+    actorExternalId: rawSenderId,
+    actorUsername: body.actorUsername,
+    actorDisplayName: body.actorDisplayName,
+  });
+
+  const diskPressureDecision = classifyDiskPressureTurnPolicy(
+    getDiskPressureStatus(),
+    {
+      sourceChannel,
+      sourceInterface,
+      trustContext: {
+        sourceChannel: trustCtx.sourceChannel,
+        trustClass: trustCtx.trustClass,
+      },
+    },
+  );
+  if (diskPressureDecision.action === "block") {
+    if (!result.duplicate) {
+      clearPayload(result.eventId);
+      markProcessed(result.eventId);
+    }
+    log.info(
+      {
+        conversationId: result.conversationId,
+        eventId: result.eventId,
+        duplicate: result.duplicate,
+        reason: diskPressureDecision.reason,
+        trustClass: trustCtx.trustClass,
+      },
+      "Channel inbound blocked during disk pressure cleanup mode",
+    );
+
+    if (replyCallbackUrl && !result.duplicate) {
+      const replyPayload: Parameters<typeof deliverChannelReply>[1] = {
+        chatId: conversationExternalId,
+        text: DISK_PRESSURE_REMOTE_BLOCK_REPLY,
+        assistantId: canonicalAssistantId,
+      };
+      if (sourceChannel === "slack" && (canonicalSenderId ?? rawSenderId)) {
+        replyPayload.ephemeral = true;
+        replyPayload.user = (canonicalSenderId ?? rawSenderId)!;
+      }
+      try {
+        await deliverChannelReply(replyCallbackUrl, replyPayload);
+      } catch (err) {
+        log.warn(
+          {
+            err,
+            conversationId: result.conversationId,
+            eventId: result.eventId,
+          },
+          "Failed to deliver disk pressure block reply",
+        );
+      }
+    }
+
+    return {
+      accepted: true,
+      duplicate: result.duplicate,
+      eventId: result.eventId,
+      diskPressure: "blocked",
+      reason: diskPressureDecision.reason,
+    };
+  }
+
   // ── Slack reaction handling ──
   // Reactions arrive as regular `SlackInboundEvent`s with `callbackData`
   // prefixed `reaction:` (added) or `reaction_removed:` (removed).
@@ -735,18 +812,6 @@ export async function handleChannelInbound({
   // which handles request code matching, callback parsing, and NL classification
   // against canonical_guardian_requests.
 
-  // ── Actor role resolution ──
-  // Uses shared channel-agnostic resolution so all ingress paths classify
-  // guardian vs non-guardian actors the same way.
-  const trustCtx: TrustContext = resolveTrustContext({
-    assistantId: canonicalAssistantId,
-    sourceChannel,
-    conversationExternalId,
-    actorExternalId: rawSenderId,
-    actorUsername: body.actorUsername,
-    actorDisplayName: body.actorDisplayName,
-  });
-
   // ── Canonical guardian reply router ──
   const guardianReplyResult = await handleGuardianReplyIntercept({
     isDuplicate: result.duplicate,

package/src/runtime/routes/index.ts

@@ -37,9 +37,11 @@ import { ROUTES as CONVERSATION_QUERY_ROUTES } from "./conversation-query-routes
 import { ROUTES as CONVERSATION_MESSAGE_ROUTES } from "./conversation-routes.js";
 import { ROUTES as CONVERSATION_STARTER_ROUTES } from "./conversation-starter-routes.js";
 import { ROUTES as CREDENTIAL_PROMPT_ROUTES } from "./credential-prompt-routes.js";
+import { ROUTES as DEBUG_BASH_ROUTES } from "./debug-bash-routes.js";
 import { ROUTES as DEBUG_ROUTES } from "./debug-routes.js";
 import { ROUTES as DEFER_ROUTES } from "./defer-routes.js";
 import { ROUTES as DIAGNOSTICS_ROUTES } from "./diagnostics-routes.js";
+import { ROUTES as DISK_PRESSURE_ROUTES } from "./disk-pressure-routes.js";
 import { ROUTES as DOCUMENT_ROUTES } from "./documents-routes.js";
 import { ROUTES as EVENTS_ROUTES } from "./events-routes.js";
 import { ROUTES as FILING_ROUTES } from "./filing-routes.js";
@@ -74,6 +76,7 @@ import { ROUTES as MIGRATION_ROLLBACK_ROUTES } from "./migration-rollback-routes
 import { ROUTES as MIGRATION_ROUTES } from "./migration-routes.js";
 import { ROUTES as NOTIFICATION_ROUTES } from "./notification-routes.js";
 import { ROUTES as OAUTH_APPS_ROUTES } from "./oauth-apps.js";
+import { ROUTES as OAUTH_CONNECT_ROUTES } from "./oauth-connect-routes.js";
 import { ROUTES as OAUTH_PROVIDERS_ROUTES } from "./oauth-providers.js";
 import { ROUTES as PLAYGROUND_ROUTES } from "./playground/index.js";
 import { ROUTES as PROFILER_ROUTES } from "./profiler-routes.js";
@@ -137,8 +140,10 @@ export const ROUTES: RouteDefinition[] = [
   ...DEFER_ROUTES,
   ...CONVERSATION_QUERY_ROUTES,
   ...CONVERSATION_STARTER_ROUTES,
+  ...DEBUG_BASH_ROUTES,
   ...DEBUG_ROUTES,
   ...DIAGNOSTICS_ROUTES,
+  ...DISK_PRESSURE_ROUTES,
   ...DOCUMENT_ROUTES,
   ...EVENTS_ROUTES,
   ...FILING_ROUTES,
@@ -159,6 +164,7 @@ export const ROUTES: RouteDefinition[] = [
   ...INTERFACE_ROUTES,
   ...INTERNAL_OAUTH_ROUTES,
   ...MCP_AUTH_ROUTES,
+  ...OAUTH_CONNECT_ROUTES,
   ...INTERNAL_TWILIO_ROUTES,
   ...LOG_EXPORT_ROUTES,
   ...LLM_CALL_SITES_ROUTES,