@vellumai/assistant 0.7.2 → 0.8.0

package/src/tools/host-terminal/host-shell.ts

@@ -179,9 +179,17 @@ class HostShellTool implements Tool {
       };
     }
     const background = input.background === true;
+    if (background && context.diskPressureCleanupModeActive === true) {
+      return {
+        content:
+          "Error: background host shell commands are not available during disk pressure cleanup mode.",
+        isError: true,
+      };
+    }
 
     const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
@@ -236,10 +244,7 @@ class HostShellTool implements Tool {
     // guard both targetClientId != null guards above are bypassed, and the
     // code falls through to local daemon execution — silently running commands
     // inside the Docker container instead of on the intended host machine.
-    if (
-      targetClientId != null &&
-      !HostBashProxy.instance.isAvailable()
-    ) {
+    if (targetClientId != null && !HostBashProxy.instance.isAvailable()) {
       return {
         content: `Error: target client "${targetClientId}" is no longer connected. The specified client may have disconnected since the tool was called. Run \`assistant clients list --capability host_bash\` to see currently connected clients.`,
         isError: true,
@@ -287,6 +292,7 @@ class HostShellTool implements Tool {
           },
           context.conversationId,
           abortController.signal,
+          context.sourceActorPrincipalId,
         );
 
         proxyPromise
@@ -315,7 +321,7 @@ class HostShellTool implements Tool {
           conversationId: context.conversationId,
           command,
           startedAt: Date.now(),
-          cancel: () => abortController.abort(),
+          cancel: (reason?: string) => abortController.abort(reason),
         });
 
         return {
@@ -334,6 +340,7 @@ class HostShellTool implements Tool {
         },
         context.conversationId,
         context.signal,
+        context.sourceActorPrincipalId,
       );
     }
 

package/src/tools/mcp/mcp-tool-factory.ts

@@ -2,6 +2,7 @@ import type { McpServerConfig } from "../../config/schemas/mcp.js";
 import type { McpServerManager } from "../../mcp/manager.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
+import { toProviderSafeToolName } from "../provider-tool-name.js";
 import { schemaDefinesProperty } from "../schema-transforms.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 
@@ -16,7 +17,7 @@ const riskMap: Record<string, RiskLevel> = {
  * and with core/skill tools.
  */
 function mcpToolName(serverId: string, toolName: string): string {
-  return `mcp__${serverId}__${toolName}`;
+  return toProviderSafeToolName(`mcp__${serverId}__${toolName}`);
 }
 
 export interface McpToolMetadata {

package/src/tools/memory/register.test.ts

@@ -14,6 +14,14 @@ import {
 import { PKB_WORKSPACE_SCOPE } from "../../memory/pkb/types.js";
 import type { ToolContext } from "../types.js";
 
+// This test exercises v1 PKB re-index enqueue. `config.memory.v2.enabled`
+// (default `true`) makes the enqueue path skipped — force it off so the
+// v1 PKB index path stays under test.
+mock.module("../../config/loader.js", () => ({
+  getConfig: () => ({ memory: { v2: { enabled: false } } }),
+  loadConfig: () => ({ memory: { v2: { enabled: false } } }),
+}));
+
 let tmpWorkspace: string;
 let previousWorkspaceEnv: string | undefined;
 
@@ -175,7 +183,7 @@ describe("recallTool.execute", () => {
         max_results: 4,
         depth: "deep",
       },
-      makeContext({ memoryScopeId: "scope-filter" }),
+      makeContext(),
     );
 
     expect(result).toEqual({
@@ -196,7 +204,7 @@ describe("recallTool.execute", () => {
 
     const result = await recallTool.execute(
       { query: "fallback search", sources: ["workspace"], depth: "fast" },
-      makeContext({ memoryScopeId: "scope-fallback" }),
+      makeContext(),
     );
 
     expect(result).toEqual({
@@ -205,7 +213,7 @@ describe("recallTool.execute", () => {
     });
   });
 
-  test("propagates tool context and defaults missing memory scope", async () => {
+  test("propagates tool context", async () => {
     const controller = new AbortController();
 
     await recallTool.execute(
@@ -221,7 +229,6 @@ describe("recallTool.execute", () => {
     expect(recallCalls[0]?.context).toEqual({
       workingDir: "/workspace/project",
       conversationId: "conv-context",
-      memoryScopeId: "default",
       config: getConfig(),
       signal: controller.signal,
     });
@@ -275,9 +282,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
   test("enqueues re-index jobs for both buffer and daily archive paths", async () => {
     const result = await rememberTool.execute(
       { content: "index me please" },
-      // Passes a non-default per-conversation scopeId to prove the PKB
-      // enqueue ignores it and pins to PKB_WORKSPACE_SCOPE instead.
-      makeContext({ memoryScopeId: "scope-enqueue" }),
+      makeContext(),
     );
     expect(result.isError).toBe(false);
 
@@ -308,7 +313,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
   test("does not enqueue when content is empty (write was skipped)", async () => {
     const result = await rememberTool.execute(
       { content: "   " },
-      makeContext({ memoryScopeId: "scope-empty" }),
+      makeContext(),
     );
     expect(result.isError).toBe(true);
     expect(enqueueCalls).toHaveLength(0);
@@ -319,7 +324,7 @@ describe("rememberTool.execute — PKB re-index enqueue", () => {
 
     const result = await rememberTool.execute(
       { content: "enqueue will throw" },
-      makeContext({ memoryScopeId: "scope-throw" }),
+      makeContext(),
     );
 
     // Remember call succeeded despite enqueue throwing for each write.

package/src/tools/memory/register.ts

@@ -34,7 +34,7 @@ class RememberTool implements Tool {
     const result = handleRemember(
       typedInput,
       context.conversationId,
-      context.memoryScopeId ?? "default",
+      "default",
       getConfig(),
     );
     return {
@@ -73,7 +73,6 @@ class RecallTool implements Tool {
     const result = await runAgenticRecall(input as unknown as RecallInput, {
       workingDir: context.workingDir,
       conversationId: context.conversationId,
-      memoryScopeId: context.memoryScopeId ?? "default",
       config,
       signal: context.signal,
     });

package/src/tools/permission-checker.ts

@@ -32,6 +32,11 @@ export type PermissionDecision =
         riskLevel: string;
         riskReason: string;
         riskScopeOptions: Array<{ pattern: string; label: string }>;
+        riskAllowlistOptions?: Array<{
+          label: string;
+          description: string;
+          pattern: string;
+        }>;
         riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
         isContainerized?: boolean;
       };
@@ -51,6 +56,11 @@ export type PermissionDecision =
         riskLevel: string;
         riskReason: string;
         riskScopeOptions: Array<{ pattern: string; label: string }>;
+        riskAllowlistOptions?: Array<{
+          label: string;
+          description: string;
+          pattern: string;
+        }>;
         riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
         isContainerized?: boolean;
       };
@@ -111,7 +121,12 @@ export class PermissionChecker {
       ? {
           riskLevel: cachedAssessment.riskLevel,
           riskReason: cachedAssessment.reason,
+          // Display ladder (regex patterns — internal only, not for save).
           riskScopeOptions: cachedAssessment.scopeOptions,
+          // Save ladder (Minimatch globs — what the gateway matches against).
+          // Populated for classifiers that produce allowlist options
+          // (bash, file, skill); undefined otherwise.
+          riskAllowlistOptions: cachedAssessment.allowlistOptions,
           riskDirectoryScopeOptions: cachedAssessment.directoryScopeOptions,
           isContainerized: getIsContainerized(),
         }

package/src/tools/provider-tool-name.ts

@@ -0,0 +1,28 @@
+import { createHash } from "node:crypto";
+
+const PROVIDER_TOOL_NAME_MAX_LENGTH = 64;
+const PROVIDER_TOOL_NAME_RE = /^[a-zA-Z0-9_-]{1,64}$/;
+const HASH_LENGTH = 12;
+
+export function isProviderSafeToolName(name: string): boolean {
+  return PROVIDER_TOOL_NAME_RE.test(name);
+}
+
+export function toProviderSafeToolName(rawName: string): string {
+  const trimmed = rawName.trim();
+  if (isProviderSafeToolName(rawName)) {
+    return rawName;
+  }
+
+  const hash = createHash("sha256")
+    .update(rawName)
+    .digest("hex")
+    .slice(0, HASH_LENGTH);
+  const suffix = `__${hash}`;
+  const maxBaseLength = PROVIDER_TOOL_NAME_MAX_LENGTH - suffix.length;
+  const sanitized =
+    trimmed.replace(/[^a-zA-Z0-9_-]+/g, "_").replace(/^_+|_+$/g, "") || "tool";
+  const base = sanitized.slice(0, maxBaseLength).replace(/_+$/g, "") || "tool";
+
+  return `${base}${suffix}`;
+}

package/src/tools/registry.ts

@@ -8,6 +8,7 @@ import { hostFileReadTool } from "./host-filesystem/read.js";
 import { hostFileTransferTool } from "./host-filesystem/transfer.js";
 import { hostFileWriteTool } from "./host-filesystem/write.js";
 import { hostShellTool } from "./host-terminal/host-shell.js";
+import { toProviderSafeToolName } from "./provider-tool-name.js";
 import { registerSystemTools } from "./system/register.js";
 import type { Tool } from "./types.js";
 import { allUiSurfaceTools } from "./ui-surface/definitions.js";
@@ -75,6 +76,24 @@ const skillRefCount = new Map<string, number>();
 // separate and covers the case of two extensions choosing the same tool name.
 const pluginRefCount = new Map<string, number>();
 
+function withProviderSafeToolName(tool: Tool): Tool {
+  const safeName = toProviderSafeToolName(tool.name);
+  if (safeName === tool.name) {
+    return tool;
+  }
+
+  return {
+    ...tool,
+    name: safeName,
+    getDefinition(): ToolDefinition {
+      return {
+        ...tool.getDefinition(),
+        name: safeName,
+      };
+    },
+  };
+}
+
 export function registerTool(tool: Tool): void {
   const existing = tools.get(tool.name);
   if (existing) {
@@ -176,15 +195,17 @@ export function registerPluginTools(
   pluginName: string,
   newTools: Tool[],
 ): Tool[] {
-  const stamped: Tool[] = newTools.map((tool) => ({
-    ...tool,
-    origin: "plugin" as const,
-    ownerPluginId: pluginName,
-    ownerSkillId: undefined,
-    ownerMcpServerId: undefined,
-    ownerSkillBundled: undefined,
-    ownerSkillVersionHash: undefined,
-  }));
+  const stamped: Tool[] = newTools.map((tool) =>
+    withProviderSafeToolName({
+      ...tool,
+      origin: "plugin" as const,
+      ownerPluginId: pluginName,
+      ownerSkillId: undefined,
+      ownerMcpServerId: undefined,
+      ownerSkillBundled: undefined,
+      ownerSkillVersionHash: undefined,
+    }),
+  );
 
   const accepted: Tool[] = [];
   for (const tool of stamped) {

package/src/tools/skills/load.ts

@@ -19,7 +19,7 @@ import {
 import {
   collectAllMissing,
   indexCatalogById,
-  validateIncludes,
+  validateIncludeCycles,
 } from "../../skills/include-graph.js";
 import { renderInlineCommands } from "../../skills/inline-command-render.js";
 import { parseToolManifestFile } from "../../skills/tool-manifest.js";
@@ -204,6 +204,7 @@ export class SkillLoadTool implements Tool {
 
     // Load catalog for include validation and child metadata output
     let catalogIndex: Map<string, SkillSummary> | undefined;
+    let missingIncludedSkillIds: string[] = [];
     if (skill.includes && skill.includes.length > 0) {
       let catalog = loadSkillCatalog();
       catalogIndex = indexCatalogById(catalog);
@@ -260,19 +261,13 @@ export class SkillLoadTool implements Tool {
         catalogIndex = indexCatalogById(catalog);
       }
 
-      // Validate (fail-closed - catches genuinely missing deps + cycles)
-      const validation = validateIncludes(skill.id, catalogIndex);
+      missingIncludedSkillIds = [...collectAllMissing(skill.id, catalogIndex)];
+
+      // Validate cycles fail closed. Missing includes are advisory: the parent
+      // skill should still load so the assistant can decide whether to search
+      // for and install the suggested dependency.
+      const validation = validateIncludeCycles(skill.id, catalogIndex);
       if (!validation.ok) {
-        if (validation.error === "missing") {
-          return {
-            content: `Error: skill "${skill.id}" includes "${
-              validation.missingChildId
-            }" which was not found (referenced by "${
-              validation.parentId
-            }" via path: ${validation.path.join(" → ")})`,
-            isError: true,
-          };
-        }
         if (validation.error === "cycle") {
           return {
             content: `Error: skill "${
@@ -283,10 +278,6 @@ export class SkillLoadTool implements Tool {
             isError: true,
           };
         }
-        return {
-          content: `Error: skill "${skill.id}" has an invalid include graph`,
-          isError: true,
-        };
       }
     }
 
@@ -444,13 +435,25 @@ export class SkillLoadTool implements Tool {
           }
         }
       }
-      immediateChildrenSection = `Included Skills (immediate):\n${childLines.join(
-        "\n",
-      )}`;
+      immediateChildrenSection =
+        childLines.length > 0
+          ? `Included Skills (immediate):\n${childLines.join("\n")}`
+          : "Included Skills (immediate): none";
     } else {
       immediateChildrenSection = "Included Skills (immediate): none";
     }
 
+    const missingIncludesSection =
+      missingIncludedSkillIds.length > 0
+        ? [
+            "Suggested Included Skills (not loaded):",
+            ...missingIncludedSkillIds.map(
+              (id) =>
+                `  - ${id}: not installed or unavailable. If this task needs it, search for and install this skill, then load it.`,
+            ),
+          ].join("\n")
+        : undefined;
+
     let versionHash: string | undefined;
     try {
       versionHash = computeSkillVersionHash(skill.directoryPath);
@@ -512,6 +515,7 @@ export class SkillLoadTool implements Tool {
           : []),
         ...includedBodies.flatMap((b) => [b, ""]),
         immediateChildrenSection,
+        ...(missingIncludesSection ? [missingIncludesSection] : []),
         "",
         `<loaded_skill id="${skill.id}"${versionAttr} />`,
         ...includeMarkers,

package/src/tools/terminal/shell.ts

@@ -111,6 +111,15 @@ class ShellTool implements Tool {
       return { content: "Error: command contains null bytes", isError: true };
     }
 
+    const background = input.background === true;
+    if (background && context.diskPressureCleanupModeActive === true) {
+      return {
+        content:
+          "Error: background shell commands are not available during disk pressure cleanup mode.",
+        isError: true,
+      };
+    }
+
     const config = getConfig();
     const shellLockdownActive =
       isCesShellLockdownEnabled(config) &&
@@ -276,7 +285,6 @@ class ShellTool implements Tool {
     // Background mode: spawn and return immediately. The process output is
     // delivered to the conversation as a wake when the process exits.
     // -----------------------------------------------------------------------
-    const background = input.background === true;
     if (background) {
       // Check the registry limit BEFORE spawning so we never leak an
       // untracked process when the registry is full.

package/src/tools/tool-approval-handler.ts

@@ -13,12 +13,13 @@ import { getLogger } from "../util/logger.js";
 import { getAllTools, getTool } from "./registry.js";
 import { isSideEffectTool } from "./side-effects.js";
 import { summarizeToolInput } from "./tool-input-summary.js";
-import type {
-  ExecutionTarget,
-  Tool,
-  ToolContext,
-  ToolExecutionResult,
-  ToolLifecycleEvent,
+import {
+  type ExecutionTarget,
+  isDiskPressureCleanupToolName,
+  type Tool,
+  type ToolContext,
+  type ToolExecutionResult,
+  type ToolLifecycleEvent,
 } from "./types.js";
 import { enforceVerificationControlPlanePolicy } from "./verification-control-plane-policy.js";
 
@@ -309,6 +310,30 @@ export class ToolApprovalHandler {
       };
     }
 
+    if (
+      context.diskPressureCleanupModeActive === true &&
+      !isDiskPressureCleanupToolName(name)
+    ) {
+      const msg = `Tool "${name}" is not available during disk pressure cleanup mode.`;
+      const durationMs = Date.now() - startTime;
+      emitLifecycleEvent({
+        type: "error",
+        toolName: name,
+        executionTarget,
+        input,
+        workingDir: context.workingDir,
+        conversationId: context.conversationId,
+        requestId: context.requestId,
+        riskLevel,
+        decision: "error",
+        durationMs,
+        errorMessage: msg,
+        isExpected: true,
+        errorCategory: "tool_failure",
+      });
+      return { allowed: false, result: { content: msg, isError: true } };
+    }
+
     // Gate tools not active for the current turn
     if (context.allowedToolNames && !context.allowedToolNames.has(name)) {
       const msg = `Tool "${name}" is not currently active. Load the skill that provides this tool first.`;

package/src/tools/tool-name-aliases.ts

@@ -0,0 +1,19 @@
+const TOOL_NAME_ALIASES = new Map<string, string>([
+  ["create_app", "app_create"],
+]);
+
+/**
+ * Resolve high-confidence compatibility aliases before active-tool gating.
+ * Keep this list narrow: aliases should only cover observed model drift where
+ * the canonical target is active for the turn.
+ */
+export function resolveToolNameAlias(
+  name: string,
+  allowedToolNames?: ReadonlySet<string>,
+): string {
+  if (allowedToolNames?.has(name)) return name;
+  const canonical = TOOL_NAME_ALIASES.get(name);
+  if (!canonical) return name;
+  if (allowedToolNames && !allowedToolNames.has(canonical)) return name;
+  return canonical;
+}

package/src/tools/types.ts

@@ -18,6 +18,20 @@ import type { SecretPromptResult } from "../permissions/secret-prompter.js";
 import type { ContentBlock } from "../providers/types.js";
 import type { TrustClass } from "../runtime/actor-trust-resolver.js";
 
+export const DISK_PRESSURE_CLEANUP_TOOL_NAMES: ReadonlySet<string> = new Set([
+  "bash",
+  "host_bash",
+  "file_read",
+  "file_list",
+  "host_file_read",
+  "background_tool_list",
+  "background_tool_cancel",
+]);
+
+export function isDiskPressureCleanupToolName(name: string): boolean {
+  return DISK_PRESSURE_CLEANUP_TOOL_NAMES.has(name);
+}
+
 // ---------------------------------------------------------------------------
 // Re-exports + concrete overlays for types that live in
 // @vellumai/skill-host-contracts.
@@ -101,8 +115,26 @@ export interface ToolExecutionResult {
   riskThreshold?: string;
   /** Whether the daemon is running in a containerized (Docker) environment. */
   isContainerized?: boolean;
-  /** Scope options ladder for the rule editor (narrowest to broadest). */
+  /**
+   * Display-only ladder of scope option labels for the rule editor
+   * (narrowest to broadest). The `pattern` field here is a regex-style
+   * descriptor used internally by the daemon and is NOT a valid trust
+   * rule pattern. Use `riskAllowlistOptions` for the pattern that gets
+   * saved as a trust rule.
+   */
   riskScopeOptions?: Array<{ pattern: string; label: string }>;
+  /**
+   * Allowlist options for the rule editor save path (narrowest to
+   * broadest). Each `pattern` is a Minimatch-glob compatible string
+   * (e.g. raw command for exact match, `action:<program>` for command
+   * wildcards) — what the gateway actually matches against. Mirrors
+   * the `allowlistOptions` field on `ConfirmationRequest` SSE events.
+   */
+  riskAllowlistOptions?: Array<{
+    label: string;
+    description: string;
+    pattern: string;
+  }>;
   /** Directory scope ladder for the rule editor (narrowest to broadest). */
   riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
   /**
@@ -177,6 +209,8 @@ export interface ToolContext {
   proxyToolResolver?: ProxyToolResolver;
   /** When set, only tools in this set may execute. Tools outside the set are blocked with an error. */
   allowedToolNames?: Set<string>;
+  /** True when this turn is restricted to storage cleanup-safe tools. */
+  diskPressureCleanupModeActive?: boolean;
   /** Prompt the user for a secret value via native SecureField UI. */
   requestSecret?: (params: {
     service: string;
@@ -192,8 +226,6 @@ export interface ToolContext {
   sendToClient?: (msg: { type: string; [key: string]: unknown }) => void;
   /** True when an interactive client is connected (not just a no-op callback). */
   isInteractive?: boolean;
-  /** Memory scope ID from the conversation's memory policy, so memory tools can target the correct scope. */
-  memoryScopeId?: string;
   /** When true, tools with side effects should always prompt for confirmation. */
   forcePromptSideEffects?: boolean;
   /**
@@ -268,6 +300,14 @@ export interface ToolContext {
    * `executeSubagentSpawn` in tools/subagent/spawn.ts.
    */
   overrideProfile?: string;
+  /**
+   * Canonical principal ID of the actor on whose behalf this tool invocation
+   * is running. Sourced from `conversation.trustContext.guardianPrincipalId`.
+   * Used by host proxies to bind cross-client targeted execution to the same
+   * authenticated user identity. May be undefined for legacy/internal flows
+   * with no resolved actor identity.
+   */
+  sourceActorPrincipalId?: string;
 }
 
 export interface Tool {

package/src/tts/provider-catalog.ts

@@ -13,8 +13,6 @@
 
 import type { TtsCallMode, TtsProviderId } from "./types.js";
 
-export type { TtsCallMode } from "./types.js";
-
 // ---------------------------------------------------------------------------
 // Catalog entry model
 // ---------------------------------------------------------------------------
@@ -22,7 +20,7 @@ export type { TtsCallMode } from "./types.js";
 /**
  * Metadata about a secret (API key / credential) required by a provider.
  */
-export interface TtsProviderSecretRequirement {
+interface TtsProviderSecretRequirement {
   /**
    * The key used to retrieve this secret from the secure credential store.
    *
@@ -49,7 +47,7 @@ export interface TtsProviderSecretRequirement {
  * These describe static, provider-wide traits — they do not change based
  * on runtime configuration or per-request parameters.
  */
-export interface TtsProviderCatalogCapabilities {
+interface TtsProviderCatalogCapabilities {
   /** Whether the provider supports chunk-level streaming synthesis. */
   readonly supportsStreaming: boolean;
 
@@ -64,7 +62,7 @@ export interface TtsProviderCatalogCapabilities {
  * metadata level — identity, display name, telephony call mode,
  * capabilities, and secret requirements.
  */
-export interface TtsProviderCatalogEntry {
+interface TtsProviderCatalogEntry {
   /** Unique provider identifier matching {@link TtsProviderId}. */
   readonly id: TtsProviderId;