@vellumai/assistant 0.7.2 → 0.8.0

package/src/schedule/scheduler.ts

@@ -1,3 +1,8 @@
+import {
+  checkDiskPressureBackgroundGate,
+  diskPressureBackgroundSkipLogFields,
+  shouldLogDiskPressureBackgroundSkip,
+} from "../daemon/disk-pressure-background-gate.js";
 import { emitFeedEvent } from "../home/emit-feed-event.js";
 import { bootstrapConversation } from "../memory/conversation-bootstrap.js";
 import { getConversation } from "../memory/conversation-crud.js";
@@ -129,7 +134,7 @@ export function startScheduler(
   };
 }
 
-async function runScheduleOnce(
+export async function runScheduleOnce(
   processMessage: ScheduleMessageProcessor,
   notifyScheduleOneShot: ScheduleNotifyModeNotifier,
   watcherNotifier?: WatcherNotifier,
@@ -139,6 +144,20 @@ async function runScheduleOnce(
   const now = Date.now();
   let processed = 0;
 
+  const diskPressureGate = checkDiskPressureBackgroundGate("background-work");
+  if (diskPressureGate.action === "skip") {
+    if (shouldLogDiskPressureBackgroundSkip("scheduler")) {
+      log.warn(
+        {
+          source: "schedule",
+          ...diskPressureBackgroundSkipLogFields(diskPressureGate),
+        },
+        "Schedule tick skipped during disk pressure cleanup mode",
+      );
+    }
+    return 0;
+  }
+
   // ── Schedules (recurring cron/RRULE + one-shot) ─────────────────────
   const jobs = claimDueSchedules(now);
   for (const job of jobs) {

package/src/security/encrypted-store.ts

@@ -108,6 +108,8 @@ function getStoreKeyPath(): string {
   );
 }
 
+
+
 /**
  * Read the store.key file. Returns the raw 32-byte key buffer, or null
  * if the file is missing, wrong size, or unreadable.

package/src/security/secure-keys.ts

@@ -18,6 +18,8 @@
  */
 
 import { AsyncLocalStorage } from "node:async_hooks";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
 
 import type {
   SecureKeyBackend,
@@ -28,6 +30,7 @@ import { getIsContainerized } from "../config/env-registry.js";
 import type { CesClient } from "../credential-execution/client.js";
 import { getAnyProviderEnvVar } from "../providers/provider-env-vars.js";
 import { getLogger } from "../util/logger.js";
+import { getProtectedDir } from "../util/platform.js";
 import { createCesCredentialBackend } from "./ces-credential-client.js";
 import { CesRpcCredentialBackend } from "./ces-rpc-credential-backend.js";
 import type {
@@ -584,6 +587,58 @@ export function getActiveBackendName(): string {
   return _resolvedBackend?.name ?? "none";
 }
 
+// ---------------------------------------------------------------------------
+// Backend introspection
+// ---------------------------------------------------------------------------
+
+export type BackendInfo =
+  | {
+      backend: "encrypted-store";
+      storePath: string;
+      storeKeyPath: string;
+      storeExists: boolean;
+      storeKeyExists: boolean;
+    }
+  | { backend: "ces-rpc"; ready: boolean }
+  | { backend: "ces-http"; url: string }
+  | { backend: "none" };
+
+/**
+ * Resolve the active credential backend (triggering resolution if not yet
+ * done) and return introspection details specific to that backend.
+ *
+ * Useful for `credentials status` — shows which store this process is talking
+ * to, so path/socket mismatches between the CLI and daemon are immediately
+ * visible.
+ */
+export function getActiveBackendInfoAsync(): Promise<BackendInfo> {
+  return withCredentialTimeout(async () => {
+    const backend = await resolveBackendAsync();
+    if (backend.name === "encrypted-store") {
+      const protectedDir = getProtectedDir();
+      const storePath = join(protectedDir, "keys.enc");
+      const storeKeyPath = join(protectedDir, "store.key");
+      return {
+        backend: "encrypted-store" as const,
+        storePath,
+        storeKeyPath,
+        storeExists: existsSync(storePath),
+        storeKeyExists: existsSync(storeKeyPath),
+      };
+    }
+    if (backend.name === "ces-rpc") {
+      return { backend: "ces-rpc" as const, ready: backend.isAvailable() };
+    }
+    if (backend.name === "ces-http") {
+      return {
+        backend: "ces-http" as const,
+        url: process.env.CES_CREDENTIAL_URL ?? "",
+      };
+    }
+    return { backend: "none" as const };
+  }, { backend: "none" as const });
+}
+
 /** @internal Test-only: reset the cached backends so they're re-created. */
 export function _resetBackend(): void {
   _cesClient = undefined;

package/src/skills/include-graph.ts

@@ -61,14 +61,10 @@ type IncludeValidationResult =
   | IncludeValidationError
   | IncludeValidationCycleError;
 
-/**
- * Validate the include graph starting from the given root skill ID.
- * Uses three-state DFS (unseen/visiting/done) to detect both missing children
- * and cycles. Returns the first error encountered in DFS order.
- */
-export function validateIncludes(
+function validateIncludeGraph(
   rootId: string,
   catalogIndex: Map<string, SkillSummary>,
+  options: { failOnMissing: boolean },
 ): IncludeValidationResult {
   const visited: string[] = [];
   type State = "unseen" | "visiting" | "done";
@@ -97,13 +93,16 @@ export function validateIncludes(
     if (skill?.includes) {
       for (const childId of skill.includes) {
         if (!catalogIndex.has(childId)) {
-          return {
-            ok: false,
-            error: "missing",
-            missingChildId: childId,
-            parentId: id,
-            path: [...ancestry],
-          };
+          if (options.failOnMissing) {
+            return {
+              ok: false,
+              error: "missing",
+              missingChildId: childId,
+              parentId: id,
+              path: [...ancestry],
+            };
+          }
+          continue;
         }
         const childError = dfs(childId);
         if (childError) return childError;
@@ -120,6 +119,29 @@ export function validateIncludes(
   return { ok: true, visited };
 }
 
+/**
+ * Validate the include graph starting from the given root skill ID.
+ * Uses three-state DFS (unseen/visiting/done) to detect both missing children
+ * and cycles. Returns the first error encountered in DFS order.
+ */
+export function validateIncludes(
+  rootId: string,
+  catalogIndex: Map<string, SkillSummary>,
+): IncludeValidationResult {
+  return validateIncludeGraph(rootId, catalogIndex, { failOnMissing: true });
+}
+
+/**
+ * Validate only cycle safety for a graph that may intentionally have missing
+ * advisory includes. Missing child IDs are skipped during traversal.
+ */
+export function validateIncludeCycles(
+  rootId: string,
+  catalogIndex: Map<string, SkillSummary>,
+): IncludeValidationResult {
+  return validateIncludeGraph(rootId, catalogIndex, { failOnMissing: false });
+}
+
 /**
  * Recursively traverse the include graph starting from the given root skill ID.
  * Returns all visited skill IDs in DFS pre-order.

package/src/skills/remote-skill-policy.ts

@@ -1,12 +1,6 @@
 type RemoteSkillProvider = "clawhub" | "skillssh";
 
-export type SkillsShRisk =
-  | "safe"
-  | "low"
-  | "medium"
-  | "high"
-  | "critical"
-  | "unknown";
+type SkillsShRisk = "safe" | "low" | "medium" | "high" | "critical" | "unknown";
 export type SkillsShRiskThreshold = Exclude<SkillsShRisk, "unknown">;
 
 export interface RemoteSkillPolicy {
@@ -50,17 +44,17 @@ interface SkillsShRemoteSkillCandidate extends RemoteSkillCandidateBase {
   audit?: SkillsShAuditState | null;
 }
 
-export type RemoteSkillCandidate =
+type RemoteSkillCandidate =
   | ClawhubRemoteSkillCandidate
   | SkillsShRemoteSkillCandidate;
 
-export type RemoteSkillDenyReason =
+type RemoteSkillDenyReason =
   | "clawhub_suspicious"
   | "clawhub_malware_blocked"
   | "clawhub_moderation_missing"
   | "skillssh_risk_exceeds_threshold";
 
-export type RemoteSkillInstallDecision =
+type RemoteSkillInstallDecision =
   | { ok: true }
   | { ok: false; reason: RemoteSkillDenyReason };
 

package/src/subagent/index.ts

@@ -1,11 +1,5 @@
 export { mergeSkillIds } from "./manager.js";
-export type {
-  SubagentConfig,
-  SubagentRole,
-  SubagentRoleConfig,
-  SubagentState,
-  SubagentStatus,
-} from "./types.js";
+export type { SubagentRole } from "./types.js";
 export { SUBAGENT_ROLE_REGISTRY, TERMINAL_STATUSES } from "./types.js";
 
 import { SubagentManager } from "./manager.js";

package/src/subagent/manager.ts

@@ -11,10 +11,7 @@
 import { v4 as uuid } from "uuid";
 
 import { getConfig } from "../config/loader.js";
-import {
-  Conversation,
-  type ConversationMemoryPolicy,
-} from "../daemon/conversation.js";
+import { Conversation } from "../daemon/conversation.js";
 import { findConversation } from "../daemon/conversation-store.js";
 import type { ServerMessage } from "../daemon/message-protocol.js";
 import { bootstrapConversation } from "../memory/conversation-bootstrap.js";
@@ -231,16 +228,6 @@ export class SubagentManager {
     const maxTokens = appConfig.llm.default.maxTokens;
     const workingDir = getSandboxWorkingDir();
 
-    const memoryPolicy: ConversationMemoryPolicy = isFork
-      ? {
-          scopeId: "default",
-          includeDefaultFallback: false,
-        }
-      : {
-          scopeId: `subagent:${subagentId}`,
-          includeDefaultFallback: true,
-        };
-
     // ── Initialise state ────────────────────────────────────────────
     const now = Date.now();
     // For forks, default sendResultToUser to false (silent) unless explicitly true.
@@ -289,7 +276,6 @@ export class SubagentManager {
       maxTokens,
       wrappedSendToClient,
       workingDir,
-      memoryPolicy,
       undefined, // sharedCesClient
       undefined, // speedOverride
       "5m", // cacheTtl — subagents run tight tool-use loops, 5m is always hot

package/src/tasks/task-runner.ts

@@ -67,7 +67,6 @@ export async function runTask(
 
   updateTaskRun(run.id, {
     conversationId: conversation.id,
-    memoryScopeId: `task:${task.id}`,
   });
 
   try {

package/src/tasks/task-store.ts

@@ -27,7 +27,6 @@ export interface TaskRun {
   finishedAt: number | null;
   error: string | null;
   principalId: string | null;
-  memoryScopeId: string | null;
   createdAt: number;
 }
 
@@ -109,7 +108,6 @@ export function createTaskRun(taskId: string): TaskRun {
     finishedAt: null,
     error: null,
     principalId: null,
-    memoryScopeId: null,
     createdAt: now,
   };
   db.insert(taskRuns).values(run).run();
@@ -125,7 +123,6 @@ export function updateTaskRun(
       | "conversationId"
       | "error"
       | "principalId"
-      | "memoryScopeId"
       | "startedAt"
       | "finishedAt"
     >

package/src/tools/background-tool-registry.ts

@@ -19,7 +19,7 @@ export interface BackgroundTool {
   command: string;
   startedAt: number;
   /** Kills the process (bash) or aborts the proxy (host_bash). */
-  cancel: () => void;
+  cancel: (reason?: string) => void;
 }
 
 /** Maximum number of concurrent background tools allowed. */
@@ -61,16 +61,30 @@ export function listBackgroundTools(conversationId?: string): BackgroundTool[] {
  * Cancels a background tool by ID: calls `tool.cancel()`, removes the entry,
  * and returns `true`. Returns `false` if the ID is not found.
  */
-export function cancelBackgroundTool(id: string): boolean {
+export function cancelBackgroundTool(id: string, reason?: string): boolean {
   const tool = registry.get(id);
   if (!tool) {
     return false;
   }
-  tool.cancel();
+  tool.cancel(reason);
   registry.delete(id);
   return true;
 }
 
+export function cancelBackgroundTools(
+  shouldCancel: (tool: BackgroundTool) => boolean,
+  reason?: string,
+): BackgroundTool[] {
+  const cancelled: BackgroundTool[] = [];
+  for (const tool of Array.from(registry.values())) {
+    if (!shouldCancel(tool)) continue;
+    tool.cancel(reason);
+    registry.delete(tool.id);
+    cancelled.push(tool);
+  }
+  return cancelled;
+}
+
 /**
  * Generates a short prefixed ID for a background tool.
  * Format: `bg-<8 hex chars>` (e.g. `bg-a1b2c3d4`).

package/src/tools/document/document-tool.ts

@@ -1,5 +1,9 @@
 import { randomUUID } from "node:crypto";
 
+import {
+  saveDocument,
+  updateDocumentContent,
+} from "../../documents/document-store.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
 // ── Exported execute functions ──────────────────────────────────────
@@ -12,6 +16,20 @@ export function executeDocumentCreate(
   const initialContent = (input.initial_content as string | undefined) || "";
   const surfaceId = `doc-${randomUUID()}`;
 
+  // Persist the document so any client (web or macOS) can fetch it via
+  // GET /v1/documents/:id. The macOS client may later update the row
+  // via document_save; ON CONFLICT DO UPDATE handles that.
+  const wordCount = initialContent
+    .split(/\s+/)
+    .filter((w) => w.length > 0).length;
+  saveDocument({
+    surfaceId,
+    conversationId: context.conversationId,
+    title,
+    content: initialContent,
+    wordCount,
+  });
+
   // Send document_editor_show message to open the built-in RTE
   if (context.sendToClient) {
     context.sendToClient({
@@ -67,6 +85,8 @@ export function executeDocumentUpdate(
   const content = input.content as string;
   const mode = (input.mode as string | undefined) || "append";
 
+  updateDocumentContent(surfaceId, content, mode);
+
   // Send document_editor_update message to update the built-in RTE
   if (context.sendToClient) {
     context.sendToClient({

package/src/tools/executor.ts

@@ -27,6 +27,7 @@ import { applyEdit } from "./shared/filesystem/edit-engine.js";
 import { sandboxPolicy } from "./shared/filesystem/path-policy.js";
 import { MAX_FILE_SIZE_BYTES } from "./shared/filesystem/size-guard.js";
 import { ToolApprovalHandler } from "./tool-approval-handler.js";
+import { resolveToolNameAlias } from "./tool-name-aliases.js";
 import type {
   ToolContext,
   ToolExecutionResult,
@@ -76,7 +77,12 @@ export class ToolExecutor {
     };
 
     const middlewares = getMiddlewaresFor("toolExecute");
-    const pipelineArgs: ToolExecuteArgs = { name, input, context };
+    const executionName = resolveToolNameAlias(name, context.allowedToolNames);
+    const pipelineArgs: ToolExecuteArgs = {
+      name: executionName,
+      input,
+      context,
+    };
 
     // No pipeline-level timeout: `executeInternal` already wraps the real
     // tool invocation in `executeWithTimeout`, which is the sole enforcer
@@ -107,6 +113,11 @@ export class ToolExecutor {
           riskLevel: string;
           riskReason: string;
           riskScopeOptions: Array<{ pattern: string; label: string }>;
+          riskAllowlistOptions?: Array<{
+            label: string;
+            description: string;
+            pattern: string;
+          }>;
           riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
           isContainerized?: boolean;
         }
@@ -205,6 +216,7 @@ export class ToolExecutor {
             riskLevel: permRiskMeta?.riskLevel,
             riskReason: permRiskMeta?.riskReason,
             riskScopeOptions: permRiskMeta?.riskScopeOptions,
+            riskAllowlistOptions: permRiskMeta?.riskAllowlistOptions,
             riskDirectoryScopeOptions: permRiskMeta?.riskDirectoryScopeOptions,
             isContainerized: permRiskMeta?.isContainerized,
             matchedTrustRuleId: permMatchedTrustRuleId,
@@ -422,12 +434,16 @@ export class ToolExecutor {
           riskLevel: permRiskMeta.riskLevel,
           riskReason: permRiskMeta.riskReason,
           riskScopeOptions: permRiskMeta.riskScopeOptions,
+          riskAllowlistOptions: permRiskMeta.riskAllowlistOptions,
           riskDirectoryScopeOptions: permRiskMeta.riskDirectoryScopeOptions,
           isContainerized: permRiskMeta.isContainerized,
         };
       }
       if (permMatchedTrustRuleId) {
-        execResult = { ...execResult, matchedTrustRuleId: permMatchedTrustRuleId };
+        execResult = {
+          ...execResult,
+          matchedTrustRuleId: permMatchedTrustRuleId,
+        };
       }
       if (permApprovalMode) {
         execResult = { ...execResult, approvalMode: permApprovalMode };

package/src/tools/host-filesystem/edit.test.ts

@@ -0,0 +1,151 @@
+import { mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileEditTool } = await import("./edit.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-edit-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_edit cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/some/host/path.txt",
+        old_string: "foo",
+        new_string: "bar",
+      },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/some/host/path.txt",
+        old_string: "foo",
+        new_string: "bar",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/nonexistent/x.txt",
+        old_string: "foo",
+        new_string: "bar",
+      },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — instead we got the
+    // local FileSystemOps error path (file not found / IO error).
+    expect(result.isError).toBe(true);
+    expect(result.content.toLowerCase()).toMatch(/not found|enoent|editing/);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/nonexistent/x.txt",
+        old_string: "foo",
+        new_string: "bar",
+        target_client_id: "stale-mac",
+      },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the call
+    // must fall through to local FileSystemOps, NOT reject with "target
+    // client ... is no longer connected".
+    expect(result.isError).toBe(true);
+    expect(result.content).not.toContain("is no longer connected");
+    expect(result.content.toLowerCase()).toMatch(/not found|enoent|editing/);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileEditTool.execute(
+      {
+        path: "/some/host/path.txt",
+        old_string: "foo",
+        new_string: "bar",
+        target_client_id: "abc-123",
+      },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // Without transport metadata, falling through to local fs would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+});

package/src/tools/host-filesystem/edit.ts

@@ -92,7 +92,8 @@ class HostFileEditTool implements Tool {
     const replaceAll = input.replace_all === true;
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -109,6 +110,45 @@ class HostFileEditTool implements Tool {
       };
     }
 
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
     if (HostFileProxy.instance.isAvailable()) {
@@ -123,6 +163,8 @@ class HostFileEditTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }