@vellumai/assistant 0.7.2 → 0.8.0

package/src/tools/host-filesystem/read.test.ts

@@ -0,0 +1,129 @@
+import { mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileReadTool } = await import("./read.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-read-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_read cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt", target_client_id: "abc-123" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable and path is non-image", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/nonexistent/x.txt" },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — instead we got the
+    // local FileSystemOps NOT_FOUND error.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("File not found");
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/nonexistent/x.txt", target_client_id: "stale-mac" },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the call
+    // must fall through to local FileSystemOps (NOT_FOUND for a fake path),
+    // NOT reject with "target client ... is no longer connected".
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("File not found");
+    expect(result.content).not.toContain("is no longer connected");
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileReadTool.execute(
+      { path: "/some/host/path.txt", target_client_id: "abc-123" },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // When transport metadata is missing we cannot rule out a non-host-proxy
+    // turn, so falling through to local fs would silently target the daemon
+    // container. The guard fires for both undefined transport AND
+    // non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+});

package/src/tools/host-filesystem/read.ts

@@ -63,7 +63,8 @@ class HostFileReadTool implements Tool {
     }
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -80,6 +81,45 @@ class HostFileReadTool implements Tool {
       };
     }
 
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode),
     // including image reads that need the host filesystem view.
@@ -94,6 +134,8 @@ class HostFileReadTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/host-filesystem/transfer.test.ts

@@ -31,6 +31,15 @@ mock.module("../../daemon/host-transfer-proxy.js", () => ({
   },
 }));
 
+// Mirror read/write/edit test files: stub the event hub so the multi-client
+// guard at line ~100 of transfer.ts is exercised against an isolated stub
+// rather than the live process-wide singleton.
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
 const { hostFileTransferTool } = await import("./transfer.js");
 
 const testDirs: string[] = [];
@@ -50,8 +59,16 @@ function makeTempDir(): string {
   return dir;
 }
 
-function makeContext(workingDir: string): ToolContext {
-  return { workingDir, conversationId: "test-conv", trustClass: "guardian" };
+function makeContext(
+  workingDir: string,
+  transportInterface?: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
 }
 
 // ---------------------------------------------------------------------------
@@ -269,3 +286,111 @@ describe("host_file_transfer managed mode", () => {
     expect(toSandboxCalls.length).toBe(0);
   });
 });
+
+// ---------------------------------------------------------------------------
+// Cross-client guard tests
+// ---------------------------------------------------------------------------
+
+describe("host_file_transfer cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    // mockProxyAvailable defaults to false.
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: "out.txt",
+        direction: "to_sandbox",
+      },
+      makeContext(workingDir, "web"),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: "out.txt",
+        direction: "to_sandbox",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+    const destFile = join(workingDir, "should-not-exist.txt");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: destFile,
+        direction: "to_sandbox",
+        target_client_id: "abc-123",
+      },
+      // transportInterface intentionally omitted (legacy callers).
+      makeContext(workingDir),
+    );
+
+    // Without transport metadata, falling through to executeLocal would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(existsSync(destFile)).toBe(false);
+    expect(toSandboxCalls.length).toBe(0);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: Devin-flagged scope drift fix)", async () => {
+    const workingDir = makeTempDir();
+    const srcDir = makeTempDir();
+    const srcFile = join(srcDir, "source.txt");
+    writeFileSync(srcFile, "content");
+    const destFile = join(workingDir, "stale-target.txt");
+
+    const result = await hostFileTransferTool.execute(
+      {
+        source_path: srcFile,
+        dest_path: destFile,
+        direction: "to_sandbox",
+        target_client_id: "stale-mac",
+      },
+      makeContext(workingDir, "macos"),
+    );
+
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the local
+    // copy must succeed, NOT reject with "target client ... is no longer
+    // connected" or the older "target_client_id was specified but no host
+    // client is available" message.
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+});

package/src/tools/host-filesystem/transfer.ts

@@ -93,7 +93,8 @@ class HostFileTransferTool implements Tool {
     const overwrite = input.overwrite === true;
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -103,7 +104,51 @@ class HostFileTransferTool implements Tool {
       !supportsHostProxy(context.transportInterface) &&
       assistantEventHub.listClientsByCapability("host_file").length > 1
     ) {
-      return { content: `Error: multiple clients support host_file. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_file\` to see client IDs and labels.`, isError: true };
+      return {
+        content: `Error: multiple clients support host_file. Specify which client to use with \`target_client_id\`. Run \`assistant clients list --capability host_file\` to see client IDs and labels.`,
+        isError: true,
+      };
+    }
+
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, a web/ios turn whose host_file client has
+    // disconnected since projection would fall through to executeLocal
+    // below and act on the daemon container's filesystem instead of
+    // the user's host machine.
+    if (
+      targetClientId == null &&
+      context.transportInterface != null &&
+      !supportsHostProxy(context.transportInterface) &&
+      !HostTransferProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to executeLocal
+    // would silently target the daemon container's filesystem instead of
+    // the intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostTransferProxy.instance.isAvailable() &&
+      (context.transportInterface == null ||
+        !supportsHostProxy(context.transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
     }
 
     // Validate that host-side paths are absolute.
@@ -136,7 +181,9 @@ class HostFileTransferTool implements Tool {
 
     let resolvedDestPath = destPath;
     if (direction === "to_sandbox") {
-      const pathCheck = sandboxPolicy(destPath, context.workingDir, { mustExist: false });
+      const pathCheck = sandboxPolicy(destPath, context.workingDir, {
+        mustExist: false,
+      });
       if (!pathCheck.ok) {
         return {
           content: `Invalid destination path: ${pathCheck.error}`,
@@ -158,6 +205,7 @@ class HostFileTransferTool implements Tool {
             targetClientId,
           },
           context.signal,
+          context.sourceActorPrincipalId,
         );
       }
       return HostTransferProxy.instance.requestToSandbox(
@@ -169,17 +217,14 @@ class HostFileTransferTool implements Tool {
           targetClientId,
         },
         context.signal,
+        context.sourceActorPrincipalId,
       );
     }
 
-    if (targetClientId != null) {
-      return {
-        content: `Error: target_client_id '${targetClientId}' was specified but no host client is available. Ensure the client is connected.`,
-        isError: true,
-      };
-    }
-
-    // Local mode: direct filesystem copy.
+    // Local mode: direct filesystem copy. The non-host-proxy + stale
+    // target_client_id case is caught by the scoped guard at the top of
+    // execute(); on macos a stale target_client_id is silently ignored
+    // here, matching the read/write/edit pattern.
     return this.executeLocal(resolvedSourcePath, resolvedDestPath, overwrite);
   }
 

package/src/tools/host-filesystem/write.test.ts

@@ -0,0 +1,134 @@
+import { existsSync, mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import type { ToolContext } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mocks — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+
+mock.module("../../daemon/host-file-proxy.js", () => ({
+  HostFileProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        request: () => Promise.resolve({ content: "ok", isError: false }),
+      };
+    },
+  },
+}));
+
+mock.module("../../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    listClientsByCapability: () => [],
+  },
+}));
+
+const { hostFileWriteTool } = await import("./write.js");
+
+const testDirs: string[] = [];
+
+afterEach(() => {
+  mockProxyAvailable = false;
+  for (const dir of testDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+function makeTempDir(): string {
+  const dir = realpathSync(mkdtempSync(join(tmpdir(), "host-write-test-")));
+  testDirs.push(dir);
+  return dir;
+}
+
+function makeContext(
+  workingDir: string,
+  transportInterface: ToolContext["transportInterface"],
+): ToolContext {
+  return {
+    workingDir,
+    conversationId: "test-conv",
+    trustClass: "guardian",
+    transportInterface,
+  };
+}
+
+describe("host_file_write cross-client guards", () => {
+  test("returns 'no client' error on web transport when proxy unavailable and no targetClientId", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileWriteTool.execute(
+      { path: "/some/host/path.txt", content: "hello" },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      "no client with host_file capability is connected",
+    );
+  });
+
+  test("returns 'specified client disconnected' error when targetClientId set but proxy unavailable on web", async () => {
+    const workingDir = makeTempDir();
+    const result = await hostFileWriteTool.execute(
+      {
+        path: "/some/host/path.txt",
+        content: "hello",
+        target_client_id: "abc-123",
+      },
+      makeContext(workingDir, "web"),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+  });
+
+  test("falls through to local fs on macos transport when proxy unavailable", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "out.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello" },
+      makeContext(workingDir, "macos"),
+    );
+    // Proves the guard did NOT fire on macOS — local write succeeded.
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+
+  test("does NOT reject on macos transport with a stale target_client_id when proxy unavailable (regression: P2 fix)", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "stale-target.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello", target_client_id: "stale-mac" },
+      makeContext(workingDir, "macos"),
+    );
+    // The disconnected-target guard is scoped to non-host-proxy transports
+    // (!supportsHostProxy). On macos, a stale target_client_id auto-filled
+    // from a prior cross-client turn must be silently ignored and the local
+    // write must succeed, NOT reject with "target client ... is no longer
+    // connected".
+    expect(result.isError).toBe(false);
+    expect(existsSync(destFile)).toBe(true);
+  });
+
+  test("rejects when target_client_id is set but transport metadata is missing (legacy/backwards-compat path)", async () => {
+    const workingDir = makeTempDir();
+    const destFile = join(workingDir, "should-not-exist.txt");
+    const result = await hostFileWriteTool.execute(
+      { path: destFile, content: "hello", target_client_id: "abc-123" },
+      // transportInterface intentionally undefined (legacy callers).
+      makeContext(workingDir, undefined),
+    );
+    // Without transport metadata, falling through to local fs would
+    // silently target the daemon container. The guard fires for undefined
+    // transport AND non-host-proxy transports — only macos turns skip it.
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'target client "abc-123" is no longer connected',
+    );
+    expect(existsSync(destFile)).toBe(false);
+  });
+});

package/src/tools/host-filesystem/write.ts

@@ -62,7 +62,8 @@ class HostFileWriteTool implements Tool {
     }
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -79,6 +80,45 @@ class HostFileWriteTool implements Tool {
       };
     }
 
+    // Guard: non-host-proxy interfaces with no capable clients connected.
+    // Without this guard, the request would fall through to local
+    // FileSystemOps below and read the daemon container's filesystem
+    // instead of the user's host machine.
+    if (
+      targetClientId == null &&
+      transportInterface != null &&
+      !supportsHostProxy(transportInterface) &&
+      !HostFileProxy.instance.isAvailable()
+    ) {
+      return {
+        content:
+          "Error: no client with host_file capability is connected. Connect a macOS client to use host_file from a non-desktop interface.",
+        isError: true,
+      };
+    }
+
+    // Guard: explicit targetClientId provided but proxy is unavailable.
+    // Fires on non-host-proxy transports (web, ios) AND on legacy callers
+    // without transport metadata, where falling through to local fs would
+    // silently target the daemon container's filesystem instead of the
+    // intended host client. Skips only when transport is explicitly
+    // host-proxy-capable (macos), where local-fs fallback IS the intended
+    // offline behavior — a stale target_client_id auto-filled from a prior
+    // cross-client turn is silently ignored on those turns.
+    // Note: this scoping deliberately differs from host_bash
+    // (host-shell.ts:239-247), which rejects unconditionally for any
+    // stale target_client_id regardless of transport.
+    if (
+      targetClientId != null &&
+      !HostFileProxy.instance.isAvailable() &&
+      (transportInterface == null || !supportsHostProxy(transportInterface))
+    ) {
+      return {
+        content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_file\` to see currently connected clients.`,
+        isError: true,
+      };
+    }
+
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
     if (HostFileProxy.instance.isAvailable()) {
@@ -91,6 +131,8 @@ class HostFileWriteTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        targetClientId,
+        context.sourceActorPrincipalId,
       );
     }