@vellumai/assistant 0.8.0 → 0.8.1

package/src/workspace/migrations/080-restrict-vercel-api-token-metadata.ts

@@ -0,0 +1,182 @@
+/**
+ * Workspace migration `080-restrict-vercel-api-token-metadata`.
+ *
+ * Repairs legacy Vercel API token credential metadata that was stored
+ * with overly permissive policy (e.g. `bash` in allowedTools and
+ * injection templates targeting `api.vercel.com`). Rewrites the
+ * Vercel record to the hardened policy:
+ *
+ *   - `allowedTools: ["publish_page", "unpublish_page"]`
+ *   - `allowedDomains: []`
+ *   - `injectionTemplates` removed
+ *
+ * Behaviour:
+ *   - Missing metadata file -> no-op.
+ *   - Malformed JSON -> log and no-op.
+ *   - Unrecognized future schema version -> no-op.
+ *   - No `vercel`/`api_token` credential record -> no-op.
+ *   - Already matches target policy -> no-op (no rewrite, no updatedAt bump).
+ *   - Non-Vercel credential records are never modified.
+ *
+ * Idempotent: running twice produces no second write. The runner's
+ * checkpoint also prevents re-runs, but this in-file guard keeps the
+ * migration safe even if the checkpoint is wiped.
+ *
+ * This migration never touches secure secret values — only the
+ * metadata policy fields.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../../util/logger.js";
+import type { WorkspaceMigration } from "./types.js";
+
+const log = getLogger(
+  "workspace-migration-080-restrict-vercel-api-token-metadata",
+);
+
+const METADATA_RELATIVE_PATH = join("data", "credentials", "metadata.json");
+
+/** Known on-disk schema versions we can safely handle. */
+const KNOWN_VERSIONS = new Set([1, 2, 3, 4, 5]);
+
+/** The hardened target policy for the Vercel API token. */
+const TARGET_ALLOWED_TOOLS = ["publish_page", "unpublish_page"];
+const TARGET_ALLOWED_DOMAINS: string[] = [];
+
+export const restrictVercelApiTokenMetadataMigration: WorkspaceMigration = {
+  id: "080-restrict-vercel-api-token-metadata",
+  description:
+    "Restrict existing Vercel API token metadata to publish tools only",
+
+  run(workspaceDir: string): void {
+    const metadataPath = join(workspaceDir, METADATA_RELATIVE_PATH);
+    if (!existsSync(metadataPath)) {
+      return;
+    }
+
+    let raw: string;
+    try {
+      raw = readFileSync(metadataPath, "utf-8");
+    } catch (err) {
+      log.warn(
+        { err, path: metadataPath },
+        "Failed to read credentials metadata; skipping migration",
+      );
+      return;
+    }
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (err) {
+      log.warn(
+        { err, path: metadataPath },
+        "Failed to parse credentials metadata JSON; skipping migration",
+      );
+      return;
+    }
+
+    if (!isPlainObject(parsed)) {
+      log.warn(
+        { path: metadataPath },
+        "Credentials metadata is not an object; skipping migration",
+      );
+      return;
+    }
+
+    // Respect unrecognized future schema versions — do not touch the file.
+    const version = typeof parsed.version === "number" ? parsed.version : 1;
+    if (!KNOWN_VERSIONS.has(version)) {
+      log.info(
+        { version, path: metadataPath },
+        "Credentials metadata has unrecognized version; skipping migration",
+      );
+      return;
+    }
+
+    const credentials = Array.isArray(parsed.credentials)
+      ? parsed.credentials
+      : [];
+
+    // Find the Vercel API token record.
+    const vercelIdx = credentials.findIndex(
+      (c: unknown) =>
+        isPlainObject(c) && c.service === "vercel" && c.field === "api_token",
+    );
+
+    if (vercelIdx === -1) {
+      // No Vercel credential — nothing to repair.
+      return;
+    }
+
+    const vercelRecord = credentials[vercelIdx] as Record<string, unknown>;
+
+    // Check if already matches target policy.
+    if (alreadyMatchesTarget(vercelRecord)) {
+      return;
+    }
+
+    // Rewrite the Vercel record to the target policy.
+    vercelRecord.allowedTools = TARGET_ALLOWED_TOOLS;
+    vercelRecord.allowedDomains = TARGET_ALLOWED_DOMAINS;
+    delete vercelRecord.injectionTemplates;
+    vercelRecord.updatedAt = Date.now();
+
+    try {
+      writeFileSync(metadataPath, JSON.stringify(parsed, null, 2), "utf-8");
+      log.info(
+        { path: metadataPath },
+        "Repaired Vercel API token metadata to hardened policy",
+      );
+    } catch (err) {
+      log.warn(
+        { err, path: metadataPath },
+        "Failed to write repaired credentials metadata; leaving prior file in place",
+      );
+    }
+  },
+
+  down(_workspaceDir: string): void {
+    // Cannot recover the original vulnerable policy — and we would not
+    // want to even if we could. This is a security hardening migration.
+  },
+};
+
+/**
+ * Returns true when the Vercel record already matches the target
+ * hardened policy, meaning no rewrite is necessary.
+ */
+function alreadyMatchesTarget(record: Record<string, unknown>): boolean {
+  const tools = record.allowedTools;
+  const domains = record.allowedDomains;
+
+  if (!Array.isArray(tools) || tools.length !== TARGET_ALLOWED_TOOLS.length) {
+    return false;
+  }
+  const sortedTools = [...tools].sort();
+  const sortedTarget = [...TARGET_ALLOWED_TOOLS].sort();
+  for (let i = 0; i < sortedTools.length; i++) {
+    if (sortedTools[i] !== sortedTarget[i]) return false;
+  }
+
+  if (!Array.isArray(domains) || domains.length !== 0) {
+    return false;
+  }
+
+  // injectionTemplates must be absent or undefined.
+  if (
+    "injectionTemplates" in record &&
+    record.injectionTemplates !== undefined &&
+    record.injectionTemplates !== null
+  ) {
+    return false;
+  }
+
+  return true;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/src/workspace/migrations/081-backfill-bash-allowed-tools-for-injection-credentials.ts

@@ -0,0 +1,160 @@
+/**
+ * Workspace migration `081-backfill-bash-allowed-tools-for-injection-credentials`.
+ *
+ * After migration 080 stripped Vercel's injection templates and locked
+ * its `allowedTools` to `["publish_page", "unpublish_page"]`, the new
+ * shell.ts credential policy enforcement (`isToolAllowed("bash", meta.allowedTools)`)
+ * would reject every other service that legitimately uses proxied bash
+ * via injection templates — because their `allowedTools` was never populated.
+ *
+ * This migration backfills `"bash"` into `allowedTools` for any credential
+ * that:
+ *   1. Has a non-empty `injectionTemplates` array (i.e., it uses proxied bash).
+ *   2. Has empty or missing `allowedTools`.
+ *
+ * Credentials that already have populated `allowedTools` (like the
+ * now-hardened Vercel credential) are NOT touched.
+ *
+ * Behaviour:
+ *   - Missing metadata file -> no-op.
+ *   - Malformed JSON -> log and no-op.
+ *   - Unrecognized future schema version -> no-op.
+ *   - No qualifying credentials -> no-op (no rewrite).
+ *   - Already backfilled -> no-op (idempotent).
+ *
+ * Idempotent: running twice produces no second write.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../../util/logger.js";
+import type { WorkspaceMigration } from "./types.js";
+
+const log = getLogger(
+  "workspace-migration-081-backfill-bash-allowed-tools-for-injection-credentials",
+);
+
+const METADATA_RELATIVE_PATH = join("data", "credentials", "metadata.json");
+
+/** Known on-disk schema versions we can safely handle. */
+const KNOWN_VERSIONS = new Set([1, 2, 3, 4, 5]);
+
+export const backfillBashAllowedToolsForInjectionCredentialsMigration: WorkspaceMigration =
+  {
+    id: "081-backfill-bash-allowed-tools-for-injection-credentials",
+    description:
+      "Backfill bash into allowedTools for credentials with injection templates",
+
+    run(workspaceDir: string): void {
+      const metadataPath = join(workspaceDir, METADATA_RELATIVE_PATH);
+      if (!existsSync(metadataPath)) {
+        return;
+      }
+
+      let raw: string;
+      try {
+        raw = readFileSync(metadataPath, "utf-8");
+      } catch (err) {
+        log.warn(
+          { err, path: metadataPath },
+          "Failed to read credentials metadata; skipping migration",
+        );
+        return;
+      }
+
+      let parsed: unknown;
+      try {
+        parsed = JSON.parse(raw);
+      } catch (err) {
+        log.warn(
+          { err, path: metadataPath },
+          "Failed to parse credentials metadata JSON; skipping migration",
+        );
+        return;
+      }
+
+      if (!isPlainObject(parsed)) {
+        log.warn(
+          { path: metadataPath },
+          "Credentials metadata is not an object; skipping migration",
+        );
+        return;
+      }
+
+      // Respect unrecognized future schema versions — do not touch the file.
+      const version = typeof parsed.version === "number" ? parsed.version : 1;
+      if (!KNOWN_VERSIONS.has(version)) {
+        log.info(
+          { version, path: metadataPath },
+          "Credentials metadata has unrecognized version; skipping migration",
+        );
+        return;
+      }
+
+      const credentials = Array.isArray(parsed.credentials)
+        ? parsed.credentials
+        : [];
+
+      let modified = false;
+
+      for (const cred of credentials) {
+        if (!isPlainObject(cred)) continue;
+
+        // Only target credentials with non-empty injectionTemplates.
+        if (!hasNonEmptyInjectionTemplates(cred)) continue;
+
+        // Only target credentials with empty or missing allowedTools.
+        if (hasPopulatedAllowedTools(cred)) continue;
+
+        // Backfill "bash" into allowedTools.
+        cred.allowedTools = ["bash"];
+        cred.updatedAt = Date.now();
+        modified = true;
+      }
+
+      if (!modified) {
+        return;
+      }
+
+      try {
+        writeFileSync(metadataPath, JSON.stringify(parsed, null, 2), "utf-8");
+        log.info(
+          { path: metadataPath },
+          "Backfilled bash into allowedTools for credentials with injection templates",
+        );
+      } catch (err) {
+        log.warn(
+          { err, path: metadataPath },
+          "Failed to write backfilled credentials metadata; leaving prior file in place",
+        );
+      }
+    },
+
+    down(_workspaceDir: string): void {
+      // This is a forward-only data repair. Rolling back would re-break
+      // proxied bash for affected services.
+    },
+  };
+
+/**
+ * Returns true when the credential has a non-empty `injectionTemplates` array.
+ */
+function hasNonEmptyInjectionTemplates(
+  record: Record<string, unknown>,
+): boolean {
+  const templates = record.injectionTemplates;
+  return Array.isArray(templates) && templates.length > 0;
+}
+
+/**
+ * Returns true when the credential has a populated (non-empty) `allowedTools` array.
+ */
+function hasPopulatedAllowedTools(record: Record<string, unknown>): boolean {
+  const tools = record.allowedTools;
+  return Array.isArray(tools) && tools.length > 0;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/src/workspace/migrations/082-backfill-managed-profile-labels.ts

@@ -0,0 +1,154 @@
+/**
+ * Workspace migration `082-backfill-managed-profile-labels`.
+ *
+ * Backfills `label` on the three canonical managed inference profiles
+ * (`balanced`, `quality-optimized`, `cost-optimized`) when the on-disk
+ * profile is missing it.
+ *
+ * Why this is needed
+ * ------------------
+ * Migration 052 (`seed-default-inference-profiles`) seeds the three
+ * canonical Anthropic profiles with provider/model/maxTokens/effort/
+ * thinking but **no `label`** field. The runtime profile seeder
+ * (`seedInferenceProfiles`) materializes labels on its second pass —
+ * but only when the profile didn't already exist. In platform mode
+ * (`IS_PLATFORM=true`) it deliberately defers to the existing on-disk
+ * entry to avoid clobbering platform-supplied overlay fragments, so the
+ * label never gets written.
+ *
+ * Net result: a fresh Cloud-hosted assistant (Marina QA #5, 0.8.1) shows
+ * raw slugs in the profile picker — `balanced`, `quality-optimized`,
+ * `cost-optimized` — instead of the human labels `Balanced`, `Quality`,
+ * `Speed`. This migration heals existing installs by writing the bare
+ * template label when absent.
+ *
+ * Behavior
+ * --------
+ *   - Missing config.json -> no-op.
+ *   - Malformed JSON -> log and no-op.
+ *   - `llm.profiles` absent -> no-op.
+ *   - For each canonical name: backfill `label` only when the key is
+ *     absent on disk. An explicit `null` (user cleared the label) is
+ *     preserved. A user-set string is preserved.
+ *   - Non-canonical profile names are never touched.
+ *
+ * Idempotent: running twice produces no second write.
+ *
+ * Does NOT skip on `VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH`: the platform
+ * overlay supplies its own label when it cares, and the runtime seeder's
+ * `preservedProfileNames` skip path will defer to that overlay-supplied
+ * label on every boot. This migration only fills the gap when no source
+ * (overlay, migration 052, or seeder) ever wrote a label.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../../util/logger.js";
+import type { WorkspaceMigration } from "./types.js";
+
+const log = getLogger("workspace-migration-082-backfill-managed-profile-labels");
+
+/**
+ * Bare template labels for the canonical managed profile triplet. Kept in
+ * sync with `MANAGED_PROFILE_TEMPLATES` in
+ * `assistant/src/config/seed-inference-profiles.ts`. Duplicated here
+ * intentionally — migrations are forward-only and self-contained per the
+ * workspace migrations AGENTS contract; future renames in the seeder
+ * must NOT retroactively change the data this migration writes.
+ */
+const CANONICAL_MANAGED_PROFILE_LABELS: Record<string, string> = {
+  balanced: "Balanced",
+  "quality-optimized": "Quality",
+  "cost-optimized": "Speed",
+};
+
+export const backfillManagedProfileLabelsMigration: WorkspaceMigration = {
+  id: "082-backfill-managed-profile-labels",
+  description:
+    "Backfill label on canonical managed inference profiles when absent",
+
+  run(workspaceDir: string): void {
+    const configPath = join(workspaceDir, "config.json");
+    if (!existsSync(configPath)) {
+      return;
+    }
+
+    let raw: string;
+    try {
+      raw = readFileSync(configPath, "utf-8");
+    } catch (err) {
+      log.warn(
+        { err, path: configPath },
+        "Failed to read config.json; skipping migration",
+      );
+      return;
+    }
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (err) {
+      log.warn(
+        { err, path: configPath },
+        "Failed to parse config.json; skipping migration",
+      );
+      return;
+    }
+
+    if (!isPlainObject(parsed)) {
+      return;
+    }
+
+    const llm = readObject(parsed.llm);
+    if (!llm) return;
+
+    const profiles = readObject(llm.profiles);
+    if (!profiles) return;
+
+    let modified = false;
+
+    for (const [name, label] of Object.entries(
+      CANONICAL_MANAGED_PROFILE_LABELS,
+    )) {
+      const profile = readObject(profiles[name]);
+      if (!profile) continue;
+      // Only backfill when the key is absent. Explicit `null` (user cleared
+      // the label) and any user-set string both signal intent and survive.
+      if ("label" in profile) continue;
+      profile.label = label;
+      modified = true;
+    }
+
+    if (!modified) return;
+
+    try {
+      writeFileSync(configPath, JSON.stringify(parsed, null, 2) + "\n", "utf-8");
+      log.info(
+        { path: configPath },
+        "Backfilled missing labels on canonical managed inference profiles",
+      );
+    } catch (err) {
+      log.warn(
+        { err, path: configPath },
+        "Failed to write backfilled config.json; leaving prior file in place",
+      );
+    }
+  },
+
+  down(_workspaceDir: string): void {
+    // Forward-only data repair. Rolling back would re-break the picker
+    // for installs whose only label source was this migration.
+  },
+};
+
+function readObject(value: unknown): Record<string, unknown> | null {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  return value as Record<string, unknown>;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/src/workspace/migrations/registry.ts

@@ -69,6 +69,17 @@ import { releaseNotesLocalTimezoneMigration } from "./068-release-notes-local-ti
 import { seedOnboardingThreadsMigration } from "./069-seed-onboarding-threads.js";
 import { memoryV2SummarySchemaRebuildMigration } from "./070-memory-v2-summary-schema-rebuild.js";
 import { removeSafeStorageReleaseNoteMigration } from "./071-remove-safe-storage-release-note.js";
+import { seedReplySuggestionCallsiteMigration } from "./072-seed-reply-suggestion-callsite.js";
+import { repairRecallCallsiteEmptyProfileMigration } from "./073-repair-recall-callsite-empty-profile.js";
+import { dropDeprecatedSecretDetectionKeysMigration } from "./074-drop-deprecated-secret-detection-keys.js";
+import { memoryV2Bm25BDefaultReembedMigration } from "./075-memory-v2-bm25-b-default-reembed.js";
+import { dropServicesInferenceModeMigration } from "./076-drop-services-inference-mode.js";
+import { seedMemoryRouterCallsiteMigration } from "./077-seed-memory-router-callsite.js";
+import { releaseNotesTavilyWebSearchMigration } from "./078-release-notes-tavily-web-search.js";
+import { homeFeedNotificationOnlyMigration } from "./079-home-feed-notification-only.js";
+import { restrictVercelApiTokenMetadataMigration } from "./080-restrict-vercel-api-token-metadata.js";
+import { backfillBashAllowedToolsForInjectionCredentialsMigration } from "./081-backfill-bash-allowed-tools-for-injection-credentials.js";
+import { backfillManagedProfileLabelsMigration } from "./082-backfill-managed-profile-labels.js";
 import { migrateToWorkspaceVolumeMigration } from "./migrate-to-workspace-volume.js";
 import type { WorkspaceMigration } from "./types.js";
 
@@ -149,4 +160,15 @@ export const WORKSPACE_MIGRATIONS: WorkspaceMigration[] = [
   seedOnboardingThreadsMigration,
   memoryV2SummarySchemaRebuildMigration,
   removeSafeStorageReleaseNoteMigration,
+  seedReplySuggestionCallsiteMigration,
+  repairRecallCallsiteEmptyProfileMigration,
+  dropDeprecatedSecretDetectionKeysMigration,
+  memoryV2Bm25BDefaultReembedMigration,
+  dropServicesInferenceModeMigration,
+  seedMemoryRouterCallsiteMigration,
+  releaseNotesTavilyWebSearchMigration,
+  homeFeedNotificationOnlyMigration,
+  restrictVercelApiTokenMetadataMigration,
+  backfillBashAllowedToolsForInjectionCredentialsMigration,
+  backfillManagedProfileLabelsMigration,
 ];

package/src/workspace/migrations/runner.ts

@@ -3,7 +3,11 @@ import { dirname, join } from "node:path";
 
 import { ensureDir, readTextFileSync } from "../../util/fs.js";
 import { getLogger } from "../../util/logger.js";
-import type { WorkspaceMigration, WorkspaceMigrationStatus } from "./types.js";
+import type {
+  MigrationRunContext,
+  WorkspaceMigration,
+  WorkspaceMigrationStatus,
+} from "./types.js";
 
 const log = getLogger("workspace-migrations");
 
@@ -76,6 +80,13 @@ export async function runWorkspaceMigrations(
     seen.add(m.id);
   }
 
+  // Detect a brand-new workspace: no checkpoint file existed before this run.
+  // Captured before loadCheckpoints so seeding migrations can distinguish a
+  // first-ever boot from an upgrade where the user may have cleared seeded files.
+  const ctx: MigrationRunContext = {
+    isNewWorkspace: readTextFileSync(getCheckpointPath(workspaceDir)) == null,
+  };
+
   const checkpoints = loadCheckpoints(workspaceDir);
 
   for (const [id, entry] of Object.entries(checkpoints.applied)) {
@@ -104,7 +115,7 @@ export async function runWorkspaceMigrations(
     saveCheckpoints(workspaceDir, checkpoints);
 
     try {
-      await migration.run(workspaceDir);
+      await migration.run(workspaceDir, ctx);
     } catch (error) {
       log.error(
         { migrationId: migration.id, error },

package/src/workspace/migrations/types.ts

@@ -1,13 +1,23 @@
+/** Runtime context passed to each migration's `run()`.
+ *  Lets seeding migrations distinguish a brand-new workspace from a workspace
+ *  upgrading through this migration for the first time. */
+export interface MigrationRunContext {
+  /** True when no workspace-migration checkpoint file existed at the start of
+   *  this run — i.e., this is a freshly-created workspace, not an upgrade. */
+  isNewWorkspace: boolean;
+}
+
 export interface WorkspaceMigration {
   /** Unique identifier, e.g. "001-avatar-rename". Used as the checkpoint key.
    *  Must be unique across all registered migrations — the runner validates this at startup. */
   id: string;
   /** Human-readable description for logging. */
   description: string;
-  /** The migration function. Receives the workspace directory path.
-   *  Must be idempotent — safe to re-run if it was interrupted.
+  /** The migration function. Receives the workspace directory path and an
+   *  optional context object (always supplied by the runner; tests may omit
+   *  it). Must be idempotent — safe to re-run if it was interrupted.
    *  Both synchronous and asynchronous migrations are supported. */
-  run(workspaceDir: string): void | Promise<void>;
+  run(workspaceDir: string, ctx?: MigrationRunContext): void | Promise<void>;
   /** Reverse the migration. Receives the workspace directory path.
    *  Must be idempotent — safe to re-run if it was interrupted.
    *  Both synchronous and asynchronous rollbacks are supported. */

package/src/workspace/provider-commit-message-generator.ts

@@ -1,3 +1,4 @@
+import { resolveCallSiteConfig } from "../config/llm-resolver.js";
 import { getConfig } from "../config/loader.js";
 import { resolveConfiguredProvider } from "../providers/provider-send-message.js";
 import type { Message } from "../providers/types.js";
@@ -45,7 +46,7 @@ const KEYLESS_PROVIDERS = new Set(["ollama"]);
 const deterministicProvider = new DefaultCommitMessageProvider();
 
 function getProviderCandidates(config: ReturnType<typeof getConfig>): string[] {
-  return [config.llm.default.provider];
+  return [resolveCallSiteConfig("commitMessage", config.llm).provider];
 }
 
 function buildDeterministicResult(
@@ -146,7 +147,7 @@ class ProviderCommitMessageGenerator {
         return buildDeterministicResult(context, "missing_provider_api_key");
       }
       log.debug(
-        { provider: config.llm.default.provider },
+        { provider: resolveCallSiteConfig("commitMessage", config.llm).provider },
         "Provider not initialized; falling back to deterministic",
       );
       return buildDeterministicResult(context, "provider_not_initialized");