@vellumai/assistant 0.8.0 → 0.8.2

package/src/workspace/migrations/080-restrict-vercel-api-token-metadata.ts

@@ -0,0 +1,182 @@
+/**
+ * Workspace migration `080-restrict-vercel-api-token-metadata`.
+ *
+ * Repairs legacy Vercel API token credential metadata that was stored
+ * with overly permissive policy (e.g. `bash` in allowedTools and
+ * injection templates targeting `api.vercel.com`). Rewrites the
+ * Vercel record to the hardened policy:
+ *
+ *   - `allowedTools: ["publish_page", "unpublish_page"]`
+ *   - `allowedDomains: []`
+ *   - `injectionTemplates` removed
+ *
+ * Behaviour:
+ *   - Missing metadata file -> no-op.
+ *   - Malformed JSON -> log and no-op.
+ *   - Unrecognized future schema version -> no-op.
+ *   - No `vercel`/`api_token` credential record -> no-op.
+ *   - Already matches target policy -> no-op (no rewrite, no updatedAt bump).
+ *   - Non-Vercel credential records are never modified.
+ *
+ * Idempotent: running twice produces no second write. The runner's
+ * checkpoint also prevents re-runs, but this in-file guard keeps the
+ * migration safe even if the checkpoint is wiped.
+ *
+ * This migration never touches secure secret values — only the
+ * metadata policy fields.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../../util/logger.js";
+import type { WorkspaceMigration } from "./types.js";
+
+const log = getLogger(
+  "workspace-migration-080-restrict-vercel-api-token-metadata",
+);
+
+const METADATA_RELATIVE_PATH = join("data", "credentials", "metadata.json");
+
+/** Known on-disk schema versions we can safely handle. */
+const KNOWN_VERSIONS = new Set([1, 2, 3, 4, 5]);
+
+/** The hardened target policy for the Vercel API token. */
+const TARGET_ALLOWED_TOOLS = ["publish_page", "unpublish_page"];
+const TARGET_ALLOWED_DOMAINS: string[] = [];
+
+export const restrictVercelApiTokenMetadataMigration: WorkspaceMigration = {
+  id: "080-restrict-vercel-api-token-metadata",
+  description:
+    "Restrict existing Vercel API token metadata to publish tools only",
+
+  run(workspaceDir: string): void {
+    const metadataPath = join(workspaceDir, METADATA_RELATIVE_PATH);
+    if (!existsSync(metadataPath)) {
+      return;
+    }
+
+    let raw: string;
+    try {
+      raw = readFileSync(metadataPath, "utf-8");
+    } catch (err) {
+      log.warn(
+        { err, path: metadataPath },
+        "Failed to read credentials metadata; skipping migration",
+      );
+      return;
+    }
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (err) {
+      log.warn(
+        { err, path: metadataPath },
+        "Failed to parse credentials metadata JSON; skipping migration",
+      );
+      return;
+    }
+
+    if (!isPlainObject(parsed)) {
+      log.warn(
+        { path: metadataPath },
+        "Credentials metadata is not an object; skipping migration",
+      );
+      return;
+    }
+
+    // Respect unrecognized future schema versions — do not touch the file.
+    const version = typeof parsed.version === "number" ? parsed.version : 1;
+    if (!KNOWN_VERSIONS.has(version)) {
+      log.info(
+        { version, path: metadataPath },
+        "Credentials metadata has unrecognized version; skipping migration",
+      );
+      return;
+    }
+
+    const credentials = Array.isArray(parsed.credentials)
+      ? parsed.credentials
+      : [];
+
+    // Find the Vercel API token record.
+    const vercelIdx = credentials.findIndex(
+      (c: unknown) =>
+        isPlainObject(c) && c.service === "vercel" && c.field === "api_token",
+    );
+
+    if (vercelIdx === -1) {
+      // No Vercel credential — nothing to repair.
+      return;
+    }
+
+    const vercelRecord = credentials[vercelIdx] as Record<string, unknown>;
+
+    // Check if already matches target policy.
+    if (alreadyMatchesTarget(vercelRecord)) {
+      return;
+    }
+
+    // Rewrite the Vercel record to the target policy.
+    vercelRecord.allowedTools = TARGET_ALLOWED_TOOLS;
+    vercelRecord.allowedDomains = TARGET_ALLOWED_DOMAINS;
+    delete vercelRecord.injectionTemplates;
+    vercelRecord.updatedAt = Date.now();
+
+    try {
+      writeFileSync(metadataPath, JSON.stringify(parsed, null, 2), "utf-8");
+      log.info(
+        { path: metadataPath },
+        "Repaired Vercel API token metadata to hardened policy",
+      );
+    } catch (err) {
+      log.warn(
+        { err, path: metadataPath },
+        "Failed to write repaired credentials metadata; leaving prior file in place",
+      );
+    }
+  },
+
+  down(_workspaceDir: string): void {
+    // Cannot recover the original vulnerable policy — and we would not
+    // want to even if we could. This is a security hardening migration.
+  },
+};
+
+/**
+ * Returns true when the Vercel record already matches the target
+ * hardened policy, meaning no rewrite is necessary.
+ */
+function alreadyMatchesTarget(record: Record<string, unknown>): boolean {
+  const tools = record.allowedTools;
+  const domains = record.allowedDomains;
+
+  if (!Array.isArray(tools) || tools.length !== TARGET_ALLOWED_TOOLS.length) {
+    return false;
+  }
+  const sortedTools = [...tools].sort();
+  const sortedTarget = [...TARGET_ALLOWED_TOOLS].sort();
+  for (let i = 0; i < sortedTools.length; i++) {
+    if (sortedTools[i] !== sortedTarget[i]) return false;
+  }
+
+  if (!Array.isArray(domains) || domains.length !== 0) {
+    return false;
+  }
+
+  // injectionTemplates must be absent or undefined.
+  if (
+    "injectionTemplates" in record &&
+    record.injectionTemplates !== undefined &&
+    record.injectionTemplates !== null
+  ) {
+    return false;
+  }
+
+  return true;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/src/workspace/migrations/081-backfill-bash-allowed-tools-for-injection-credentials.ts

@@ -0,0 +1,160 @@
+/**
+ * Workspace migration `081-backfill-bash-allowed-tools-for-injection-credentials`.
+ *
+ * After migration 080 stripped Vercel's injection templates and locked
+ * its `allowedTools` to `["publish_page", "unpublish_page"]`, the new
+ * shell.ts credential policy enforcement (`isToolAllowed("bash", meta.allowedTools)`)
+ * would reject every other service that legitimately uses proxied bash
+ * via injection templates — because their `allowedTools` was never populated.
+ *
+ * This migration backfills `"bash"` into `allowedTools` for any credential
+ * that:
+ *   1. Has a non-empty `injectionTemplates` array (i.e., it uses proxied bash).
+ *   2. Has empty or missing `allowedTools`.
+ *
+ * Credentials that already have populated `allowedTools` (like the
+ * now-hardened Vercel credential) are NOT touched.
+ *
+ * Behaviour:
+ *   - Missing metadata file -> no-op.
+ *   - Malformed JSON -> log and no-op.
+ *   - Unrecognized future schema version -> no-op.
+ *   - No qualifying credentials -> no-op (no rewrite).
+ *   - Already backfilled -> no-op (idempotent).
+ *
+ * Idempotent: running twice produces no second write.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../../util/logger.js";
+import type { WorkspaceMigration } from "./types.js";
+
+const log = getLogger(
+  "workspace-migration-081-backfill-bash-allowed-tools-for-injection-credentials",
+);
+
+const METADATA_RELATIVE_PATH = join("data", "credentials", "metadata.json");
+
+/** Known on-disk schema versions we can safely handle. */
+const KNOWN_VERSIONS = new Set([1, 2, 3, 4, 5]);
+
+export const backfillBashAllowedToolsForInjectionCredentialsMigration: WorkspaceMigration =
+  {
+    id: "081-backfill-bash-allowed-tools-for-injection-credentials",
+    description:
+      "Backfill bash into allowedTools for credentials with injection templates",
+
+    run(workspaceDir: string): void {
+      const metadataPath = join(workspaceDir, METADATA_RELATIVE_PATH);
+      if (!existsSync(metadataPath)) {
+        return;
+      }
+
+      let raw: string;
+      try {
+        raw = readFileSync(metadataPath, "utf-8");
+      } catch (err) {
+        log.warn(
+          { err, path: metadataPath },
+          "Failed to read credentials metadata; skipping migration",
+        );
+        return;
+      }
+
+      let parsed: unknown;
+      try {
+        parsed = JSON.parse(raw);
+      } catch (err) {
+        log.warn(
+          { err, path: metadataPath },
+          "Failed to parse credentials metadata JSON; skipping migration",
+        );
+        return;
+      }
+
+      if (!isPlainObject(parsed)) {
+        log.warn(
+          { path: metadataPath },
+          "Credentials metadata is not an object; skipping migration",
+        );
+        return;
+      }
+
+      // Respect unrecognized future schema versions — do not touch the file.
+      const version = typeof parsed.version === "number" ? parsed.version : 1;
+      if (!KNOWN_VERSIONS.has(version)) {
+        log.info(
+          { version, path: metadataPath },
+          "Credentials metadata has unrecognized version; skipping migration",
+        );
+        return;
+      }
+
+      const credentials = Array.isArray(parsed.credentials)
+        ? parsed.credentials
+        : [];
+
+      let modified = false;
+
+      for (const cred of credentials) {
+        if (!isPlainObject(cred)) continue;
+
+        // Only target credentials with non-empty injectionTemplates.
+        if (!hasNonEmptyInjectionTemplates(cred)) continue;
+
+        // Only target credentials with empty or missing allowedTools.
+        if (hasPopulatedAllowedTools(cred)) continue;
+
+        // Backfill "bash" into allowedTools.
+        cred.allowedTools = ["bash"];
+        cred.updatedAt = Date.now();
+        modified = true;
+      }
+
+      if (!modified) {
+        return;
+      }
+
+      try {
+        writeFileSync(metadataPath, JSON.stringify(parsed, null, 2), "utf-8");
+        log.info(
+          { path: metadataPath },
+          "Backfilled bash into allowedTools for credentials with injection templates",
+        );
+      } catch (err) {
+        log.warn(
+          { err, path: metadataPath },
+          "Failed to write backfilled credentials metadata; leaving prior file in place",
+        );
+      }
+    },
+
+    down(_workspaceDir: string): void {
+      // This is a forward-only data repair. Rolling back would re-break
+      // proxied bash for affected services.
+    },
+  };
+
+/**
+ * Returns true when the credential has a non-empty `injectionTemplates` array.
+ */
+function hasNonEmptyInjectionTemplates(
+  record: Record<string, unknown>,
+): boolean {
+  const templates = record.injectionTemplates;
+  return Array.isArray(templates) && templates.length > 0;
+}
+
+/**
+ * Returns true when the credential has a populated (non-empty) `allowedTools` array.
+ */
+function hasPopulatedAllowedTools(record: Record<string, unknown>): boolean {
+  const tools = record.allowedTools;
+  return Array.isArray(tools) && tools.length > 0;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/src/workspace/migrations/082-backfill-managed-profile-labels.ts

@@ -0,0 +1,154 @@
+/**
+ * Workspace migration `082-backfill-managed-profile-labels`.
+ *
+ * Backfills `label` on the three canonical managed inference profiles
+ * (`balanced`, `quality-optimized`, `cost-optimized`) when the on-disk
+ * profile is missing it.
+ *
+ * Why this is needed
+ * ------------------
+ * Migration 052 (`seed-default-inference-profiles`) seeds the three
+ * canonical Anthropic profiles with provider/model/maxTokens/effort/
+ * thinking but **no `label`** field. The runtime profile seeder
+ * (`seedInferenceProfiles`) materializes labels on its second pass —
+ * but only when the profile didn't already exist. In platform mode
+ * (`IS_PLATFORM=true`) it deliberately defers to the existing on-disk
+ * entry to avoid clobbering platform-supplied overlay fragments, so the
+ * label never gets written.
+ *
+ * Net result: a fresh Cloud-hosted assistant (Marina QA #5, 0.8.1) shows
+ * raw slugs in the profile picker — `balanced`, `quality-optimized`,
+ * `cost-optimized` — instead of the human labels `Balanced`, `Quality`,
+ * `Speed`. This migration heals existing installs by writing the bare
+ * template label when absent.
+ *
+ * Behavior
+ * --------
+ *   - Missing config.json -> no-op.
+ *   - Malformed JSON -> log and no-op.
+ *   - `llm.profiles` absent -> no-op.
+ *   - For each canonical name: backfill `label` only when the key is
+ *     absent on disk. An explicit `null` (user cleared the label) is
+ *     preserved. A user-set string is preserved.
+ *   - Non-canonical profile names are never touched.
+ *
+ * Idempotent: running twice produces no second write.
+ *
+ * Does NOT skip on `VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH`: the platform
+ * overlay supplies its own label when it cares, and the runtime seeder's
+ * `preservedProfileNames` skip path will defer to that overlay-supplied
+ * label on every boot. This migration only fills the gap when no source
+ * (overlay, migration 052, or seeder) ever wrote a label.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../../util/logger.js";
+import type { WorkspaceMigration } from "./types.js";
+
+const log = getLogger("workspace-migration-082-backfill-managed-profile-labels");
+
+/**
+ * Bare template labels for the canonical managed profile triplet. Kept in
+ * sync with `MANAGED_PROFILE_TEMPLATES` in
+ * `assistant/src/config/seed-inference-profiles.ts`. Duplicated here
+ * intentionally — migrations are forward-only and self-contained per the
+ * workspace migrations AGENTS contract; future renames in the seeder
+ * must NOT retroactively change the data this migration writes.
+ */
+const CANONICAL_MANAGED_PROFILE_LABELS: Record<string, string> = {
+  balanced: "Balanced",
+  "quality-optimized": "Quality",
+  "cost-optimized": "Speed",
+};
+
+export const backfillManagedProfileLabelsMigration: WorkspaceMigration = {
+  id: "082-backfill-managed-profile-labels",
+  description:
+    "Backfill label on canonical managed inference profiles when absent",
+
+  run(workspaceDir: string): void {
+    const configPath = join(workspaceDir, "config.json");
+    if (!existsSync(configPath)) {
+      return;
+    }
+
+    let raw: string;
+    try {
+      raw = readFileSync(configPath, "utf-8");
+    } catch (err) {
+      log.warn(
+        { err, path: configPath },
+        "Failed to read config.json; skipping migration",
+      );
+      return;
+    }
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (err) {
+      log.warn(
+        { err, path: configPath },
+        "Failed to parse config.json; skipping migration",
+      );
+      return;
+    }
+
+    if (!isPlainObject(parsed)) {
+      return;
+    }
+
+    const llm = readObject(parsed.llm);
+    if (!llm) return;
+
+    const profiles = readObject(llm.profiles);
+    if (!profiles) return;
+
+    let modified = false;
+
+    for (const [name, label] of Object.entries(
+      CANONICAL_MANAGED_PROFILE_LABELS,
+    )) {
+      const profile = readObject(profiles[name]);
+      if (!profile) continue;
+      // Only backfill when the key is absent. Explicit `null` (user cleared
+      // the label) and any user-set string both signal intent and survive.
+      if ("label" in profile) continue;
+      profile.label = label;
+      modified = true;
+    }
+
+    if (!modified) return;
+
+    try {
+      writeFileSync(configPath, JSON.stringify(parsed, null, 2) + "\n", "utf-8");
+      log.info(
+        { path: configPath },
+        "Backfilled missing labels on canonical managed inference profiles",
+      );
+    } catch (err) {
+      log.warn(
+        { err, path: configPath },
+        "Failed to write backfilled config.json; leaving prior file in place",
+      );
+    }
+  },
+
+  down(_workspaceDir: string): void {
+    // Forward-only data repair. Rolling back would re-break the picker
+    // for installs whose only label source was this migration.
+  },
+};
+
+function readObject(value: unknown): Record<string, unknown> | null {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  return value as Record<string, unknown>;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/src/workspace/migrations/083-system-prompt-prefix-to-file.ts

@@ -0,0 +1,191 @@
+/**
+ * Workspace migration 083: Move config.systemPromptPrefix to a workspace file.
+ *
+ * The custom system prompt prefix used to live as a top-level config field
+ * (`config.json` → `systemPromptPrefix`).  Editable system-prompt sections
+ * now live under `<workspace>/prompts/system/<id>.md`.  This migration
+ * carries any existing config value over to `00-prefix.md` and strips the
+ * key from `config.json`.
+ *
+ * Behavior:
+ *   - config has non-empty string + 00-prefix.md body is empty → write the
+ *     prefix into the file body, preserving the bundled frontmatter
+ *   - config has non-empty string + 00-prefix.md body already has content →
+ *     leave the file alone (user authorship wins).  Just strip the config key
+ *   - config has null / missing field / whitespace-only string → no-op for
+ *     the file; strip the key
+ *
+ * On filesystem write failure we **throw**.  The runner marks the migration
+ * as `"failed"` so the operator can see it in checkpoints; we explicitly do
+ * not silently mark it complete.  Note the config key is only deleted on a
+ * successful path, so the user's prefix is preserved in `config.json` until
+ * the next attempt.
+ *
+ * Per workspace-migration AGENTS.md, all helpers are inlined.
+ */
+
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  renameSync,
+  writeFileSync,
+} from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../../util/logger.js";
+import type { WorkspaceMigration } from "./types.js";
+
+const log = getLogger("workspace-migration-083-system-prompt-prefix-to-file");
+
+/**
+ * Default frontmatter used when the bundled 00-prefix.md is somehow missing
+ * (e.g. running a development build where seeding hasn't happened yet).  In
+ * the normal startup order, `ensurePromptFiles()` runs before this migration,
+ * so the file already exists with the canonical bundled frontmatter.
+ */
+const FALLBACK_PREFIX_FRONTMATTER = [
+  "---",
+  'enabled: "!excludeCustomPrefix"',
+  "---",
+  "",
+].join("\n");
+
+/** Matches a `---`-delimited frontmatter block at the start of a file. */
+const FRONTMATTER_REGEX = /^---\r?\n[\s\S]*?\r?\n---(?:\r?\n|$)/;
+
+export const systemPromptPrefixToFileMigration: WorkspaceMigration = {
+  id: "083-system-prompt-prefix-to-file",
+  description:
+    "Move config.systemPromptPrefix to <workspace>/prompts/system/00-prefix.md",
+
+  run(workspaceDir: string): void {
+    const configPath = join(workspaceDir, "config.json");
+    if (!existsSync(configPath)) return;
+
+    let raw: string;
+    try {
+      raw = readFileSync(configPath, "utf-8");
+    } catch (err) {
+      log.warn({ err, configPath }, "Failed to read config.json, skipping");
+      return;
+    }
+
+    let config: Record<string, unknown>;
+    try {
+      const parsed: unknown = JSON.parse(raw);
+      if (
+        parsed === null ||
+        typeof parsed !== "object" ||
+        Array.isArray(parsed)
+      ) {
+        log.warn({ configPath }, "config.json is not a JSON object, skipping");
+        return;
+      }
+      config = parsed as Record<string, unknown>;
+    } catch (err) {
+      log.warn({ err, configPath }, "Failed to parse config.json, skipping");
+      return;
+    }
+
+    if (!Object.prototype.hasOwnProperty.call(config, "systemPromptPrefix")) {
+      // Already migrated (or never set). Nothing to do.
+      return;
+    }
+
+    const value = config.systemPromptPrefix;
+    const trimmed = typeof value === "string" ? value.trim() : "";
+
+    const sysDir = join(workspaceDir, "prompts", "system");
+    const prefixFile = join(sysDir, "00-prefix.md");
+
+    if (trimmed.length > 0) {
+      // Read the existing file (if any) so we can preserve frontmatter and
+      // avoid clobbering user-authored content.
+      let existingFrontmatter = FALLBACK_PREFIX_FRONTMATTER;
+      let existingBody = "";
+      if (existsSync(prefixFile)) {
+        const existingRaw = readFileSync(prefixFile, "utf-8");
+        const fmMatch = existingRaw.match(FRONTMATTER_REGEX);
+        if (fmMatch) {
+          existingFrontmatter = fmMatch[0];
+          existingBody = existingRaw.slice(fmMatch[0].length).trim();
+        } else {
+          existingBody = existingRaw.trim();
+        }
+      }
+
+      if (existingBody.length > 0) {
+        // User already authored content here.  Leave the file alone, but
+        // continue on to strip the now-superseded config key.
+        log.info(
+          { prefixFile },
+          "00-prefix.md already has user content; keeping it, dropping config key only",
+        );
+      } else {
+        mkdirSync(sysDir, { recursive: true });
+        writeFileSync(
+          prefixFile,
+          existingFrontmatter + trimmed + "\n",
+          "utf-8",
+        );
+        log.info({ prefixFile }, "Wrote system prompt prefix to file");
+      }
+    }
+
+    // Strip the field from config.json regardless of whether we wrote a body
+    // — the field is removed from the schema either way.
+    delete config.systemPromptPrefix;
+    writeJsonAtomic(configPath, config);
+  },
+
+  down(workspaceDir: string): void {
+    const configPath = join(workspaceDir, "config.json");
+    const prefixFile = join(workspaceDir, "prompts", "system", "00-prefix.md");
+
+    if (!existsSync(configPath) || !existsSync(prefixFile)) return;
+
+    let config: Record<string, unknown>;
+    try {
+      const parsed: unknown = JSON.parse(readFileSync(configPath, "utf-8"));
+      if (
+        parsed === null ||
+        typeof parsed !== "object" ||
+        Array.isArray(parsed)
+      )
+        return;
+      config = parsed as Record<string, unknown>;
+    } catch {
+      return;
+    }
+
+    let body = "";
+    try {
+      const raw = readFileSync(prefixFile, "utf-8");
+      const stripped = raw.replace(FRONTMATTER_REGEX, "").trim();
+      // Strip `_` comment lines too — same convention as runtime renderer.
+      body = stripped
+        .split("\n")
+        .filter((line) => !line.trimStart().startsWith("_"))
+        .join("\n")
+        .trim();
+    } catch {
+      return;
+    }
+
+    config.systemPromptPrefix = body.length > 0 ? body : null;
+    writeJsonAtomic(configPath, config);
+  },
+};
+
+/**
+ * Atomic JSON write: write to temp file alongside the target, then rename.
+ * Throws on failure so callers can propagate to the migration runner (which
+ * marks the migration `"failed"`).  Inlined per workspace-migration
+ * self-containment rule.
+ */
+function writeJsonAtomic(path: string, data: unknown): void {
+  const tmp = `${path}.tmp.${process.pid}.${Date.now()}`;
+  writeFileSync(tmp, JSON.stringify(data, null, 2) + "\n", "utf-8");
+  renameSync(tmp, path);
+}