@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/permissions/checker.test.ts

@@ -125,6 +125,16 @@ mock.module("../ipc/gateway-client.js", () => ({
 
 // ── Import the module under test AFTER mocks are set up ──────────────────────
 
+import {
+  mkdtempSync,
+  rmSync,
+  symlinkSync,
+  unlinkSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
 import {
   check,
   classifyRisk,
@@ -231,6 +241,47 @@ describe("Permission Checker (gateway IPC)", () => {
       expect(result2.reason).toBe("Cached test");
     });
 
+    test("file-tool cache misses when a symlink target is retargeted", async () => {
+      // File risk depends on filesystem state: the cache key folds in the
+      // symlink-resolved target, so the same raw input must NOT return a stale
+      // cached result after the symlink is pointed somewhere new.
+      const dir = mkdtempSync(join(tmpdir(), "risk-cache-symlink-"));
+      try {
+        const benign = join(dir, "benign.txt");
+        const other = join(dir, "other.txt");
+        writeFileSync(benign, "ok");
+        writeFileSync(other, "ok");
+        const link = join(dir, "link.txt");
+        symlinkSync(benign, link);
+
+        mockIpcClassifyRiskResult = {
+          risk: "low",
+          reason: "benign",
+          matchType: "registry",
+          scopeOptions: [],
+        };
+        const first = await classifyRisk("file_read", { path: link });
+        expect(first.level).toBe(RiskLevel.Low);
+
+        // Retarget the symlink to a different real file; raw input unchanged.
+        unlinkSync(link);
+        symlinkSync(other, link);
+
+        mockIpcClassifyRiskResult = {
+          risk: "high",
+          reason: "now sensitive",
+          matchType: "registry",
+          scopeOptions: [],
+        };
+        const second = await classifyRisk("file_read", { path: link });
+        // Cache must have missed and re-classified against the new target.
+        expect(second.level).toBe(RiskLevel.High);
+        expect(second.reason).toBe("now sensitive");
+      } finally {
+        rmSync(dir, { recursive: true, force: true });
+      }
+    });
+
     test("preserves commandCandidates from gateway response", async () => {
       mockIpcClassifyRiskResult = {
         risk: "low",

package/src/permissions/checker.ts

@@ -1,6 +1,6 @@
 import { createHash } from "node:crypto";
 import { homedir } from "node:os";
-import { dirname, join } from "node:path";
+import { dirname, join, resolve } from "node:path";
 
 import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
@@ -16,6 +16,7 @@ import {
   looksLikePathOnlyInput,
 } from "../tools/network/url-safety.js";
 import { getTool, getToolOwner } from "../tools/registry.js";
+import { resolveRealPath } from "../tools/shared/filesystem/path-policy.js";
 import type { Tool } from "../tools/types.js";
 import {
   getDeprecatedDir,
@@ -23,6 +24,8 @@ import {
   getWorkspaceDir,
   getWorkspaceHooksDir,
   getWorkspacePluginsDir,
+  getWorkspaceRoutesDir,
+  getWorkspaceToolsDir,
 } from "../util/platform.js";
 import {
   type ApprovalContext,
@@ -99,6 +102,7 @@ function riskCacheKey(
   input: Record<string, unknown>,
   workingDir?: string,
   manifestOverride?: ManifestOverride,
+  fsStateKey?: string,
 ): string {
   // Strip `reason` and `activity` before computing the cache key — they are
   // cosmetic status text that varies per invocation even for identical tool
@@ -111,10 +115,31 @@ function riskCacheKey(
     .update(workingDir ?? "")
     .update("\0")
     .update(manifestOverride ? JSON.stringify(manifestOverride) : "")
+    // For file tools, fold in the symlink-resolved target path(s). File risk
+    // depends on filesystem state (a symlink can be retargeted under a
+    // protected dir between calls), so the same raw input must miss the cache
+    // when its canonicalized target changes.
+    .update("\0")
+    .update(fsStateKey ?? "")
     .digest("hex");
   return `${toolName}\0${hash}`;
 }
 
+/**
+ * Compute the filesystem-state component of the risk cache key for file tools:
+ * the symlink-resolved target path(s). Returns `undefined` for non-file tools
+ * (whose risk does not depend on filesystem state).
+ */
+function fileToolFsStateKey(
+  toolName: string,
+  input: Record<string, unknown>,
+  workingDir?: string,
+): string | undefined {
+  if (!FILE_TOOL_NAMES.has(toolName)) return undefined;
+  const resolved = resolveFileToolPaths(toolName, input, workingDir);
+  return `${resolved.resolvedPath ?? ""}\0${resolved.resolvedTransferDestPath ?? ""}`;
+}
+
 /** Clear the risk classification cache. Called when trust rules change. Exported for test setup. */
 export function clearRiskCache(): void {
   riskCache.clear();
@@ -273,16 +298,153 @@ import type {
 
 function buildFileContext(): FileContext {
   const config = getConfig();
+  // Canonicalize the protected directories via realpath so that a symlinked
+  // component anywhere in their path still prefix-matches the canonicalized
+  // target path computed in buildClassifyRiskParams. Both sides must be
+  // symlink-resolved for the gateway's lexical prefix checks to be sound.
+  const protectedDir = resolveRealPath(getProtectedDir());
   return {
-    protectedDir: getProtectedDir(),
-    deprecatedDir: getDeprecatedDir(),
-    hooksDir: getWorkspaceHooksDir(),
-    pluginsDir: getWorkspacePluginsDir(),
-    actorTokenSigningKeyPath: join(
-      getProtectedDir(),
-      "actor-token-signing-key",
+    protectedDir,
+    deprecatedDir: resolveRealPath(getDeprecatedDir()),
+    hooksDir: resolveRealPath(getWorkspaceHooksDir()),
+    pluginsDir: resolveRealPath(getWorkspacePluginsDir()),
+    toolsDir: resolveRealPath(getWorkspaceToolsDir()),
+    routesDir: resolveRealPath(getWorkspaceRoutesDir()),
+    actorTokenSigningKeyPath: join(protectedDir, "actor-token-signing-key"),
+    skillSourceDirs: getSkillRoots(config.skills.load.extraDirs).map(
+      resolveRealPath,
     ),
-    skillSourceDirs: getSkillRoots(config.skills.load.extraDirs),
+  };
+}
+
+/**
+ * Canonicalize the security-sensitive path of a file tool invocation by
+ * resolving symlinks before it is sent to the gateway risk classifier.
+ *
+ * The gateway classifies file risk by lexically prefix-matching the target
+ * path against protected directories (skill source, hooks, plugins, the actor
+ * token signing key). Lexical resolution alone does not follow symlinks, so a
+ * symlink whose name looks benign but whose real target is a protected
+ * directory would be under-classified and could skip the High-risk approval
+ * prompt. Resolving symlinks here — on the daemon, which owns the workspace
+ * filesystem — closes that gap while keeping the gateway free of filesystem
+ * access (it cannot see the workspace in Docker mode).
+ *
+ * `resolveRealPath` falls back to the lexical path when the target lives on a
+ * filesystem this process cannot see (e.g. host_file paths proxied to a remote
+ * client), so this never regresses below today's lexical behavior.
+ */
+// The Docker sandbox mounts the workspace at /workspace, and the model emits
+// container-scoped paths (e.g. "/workspace/tools/evil.ts") even on local turns.
+// Mirror the gateway's resolveSandboxPath remap so the symlink-resolved path we
+// forward lines up with the gateway's lexical fallback and the protected dirs.
+const CONTAINER_WORKSPACE_PREFIX = "/workspace/";
+const CONTAINER_WORKSPACE_EXACT = "/workspace";
+
+function resolveSandboxBase(rawPath: string, workingDir: string): string {
+  let effectivePath = rawPath;
+  if (!rawPath.startsWith(workingDir + "/") && rawPath !== workingDir) {
+    if (rawPath.startsWith(CONTAINER_WORKSPACE_PREFIX)) {
+      effectivePath = rawPath.slice(CONTAINER_WORKSPACE_PREFIX.length);
+    } else if (rawPath === CONTAINER_WORKSPACE_EXACT) {
+      effectivePath = ".";
+    }
+  }
+  return resolve(workingDir, effectivePath);
+}
+
+function resolveClassificationPath(
+  filePath: string,
+  workingDir: string,
+  isHostTool: boolean,
+): string | undefined {
+  if (!filePath) return undefined;
+  // Mirror the gateway classifier's lexical base: host tools resolve the path
+  // as absolute/relative-to-cwd; sandbox tools apply the /workspace remap and
+  // resolve against workingDir. Then follow symlinks so a benign-looking name
+  // whose real target is a protected directory is still escalated.
+  const base = isHostTool
+    ? resolve(filePath)
+    : resolveSandboxBase(filePath, workingDir);
+  return resolveRealPath(base);
+}
+
+const FILE_TOOL_NAMES = new Set([
+  "file_read",
+  "file_write",
+  "file_edit",
+  "host_file_read",
+  "host_file_write",
+  "host_file_edit",
+  "host_file_transfer",
+]);
+
+interface FileToolResolution {
+  filePath: string;
+  effectiveWorkingDir: string;
+  isHostTool: boolean;
+  resolvedPath?: string;
+  transferSandboxDestPath?: string;
+  transferSandboxWorkingDir?: string;
+  resolvedTransferDestPath?: string;
+}
+
+/**
+ * Resolve the security-sensitive path(s) of a file tool invocation, including
+ * symlink canonicalization. Shared by the IPC param builder and the risk cache
+ * key so both observe the same filesystem state — file risk now depends on
+ * symlink targets, so the cache must key on the canonicalized path, not just
+ * the raw tool input.
+ */
+function resolveFileToolPaths(
+  toolName: string,
+  input: Record<string, unknown>,
+  workingDir?: string,
+): FileToolResolution {
+  const isHostTool = toolName.startsWith("host_");
+  let filePath: string;
+  // For host_file_transfer to_sandbox, the file is written into the workspace
+  // at dest_path — capture it (plus the sandbox working dir) so the gateway can
+  // escalate writes that land in a code-injection sink, since `path` carries
+  // the host-side source.
+  let transferSandboxDestPath: string | undefined;
+  let transferSandboxWorkingDir: string | undefined;
+  if (toolName === "host_file_transfer") {
+    // The security-sensitive host-side path is source_path when reading from
+    // the host (to_sandbox), dest_path when writing to the host (to_host).
+    const direction = getStringField(input, "direction");
+    if (direction === "to_sandbox") {
+      filePath = getStringField(input, "source_path");
+      transferSandboxDestPath = getStringField(input, "dest_path");
+      transferSandboxWorkingDir = workingDir ?? process.cwd();
+    } else {
+      filePath = getStringField(input, "dest_path");
+    }
+  } else {
+    filePath = getStringField(input, "path", "file_path");
+  }
+  const effectiveWorkingDir = isHostTool ? "/" : (workingDir ?? process.cwd());
+  return {
+    filePath,
+    effectiveWorkingDir,
+    isHostTool,
+    resolvedPath: resolveClassificationPath(
+      filePath,
+      effectiveWorkingDir,
+      isHostTool,
+    ),
+    transferSandboxDestPath,
+    transferSandboxWorkingDir,
+    // The to_sandbox destination is a workspace write — symlink-resolve it too
+    // so it can't mask a code-injection sink.
+    resolvedTransferDestPath:
+      transferSandboxDestPath != null
+        ? resolveClassificationPath(
+            transferSandboxDestPath,
+            transferSandboxWorkingDir ?? process.cwd(),
+            false,
+          )
+        : undefined,
   };
 }
 
@@ -347,25 +509,16 @@ function buildClassifyRiskParams(
       "host_file_transfer",
     ].includes(toolName)
   ) {
-    const isHostTool = toolName.startsWith("host_");
-    let filePath: string;
-    if (toolName === "host_file_transfer") {
-      // For host_file_transfer the security-sensitive path is the host-side
-      // path: source_path when reading from the host (to_sandbox), dest_path
-      // when writing to the host (to_host).
-      const direction = getStringField(input, "direction");
-      filePath =
-        direction === "to_sandbox"
-          ? getStringField(input, "source_path")
-          : getStringField(input, "dest_path");
-    } else {
-      filePath = getStringField(input, "path", "file_path");
-    }
+    const resolved = resolveFileToolPaths(toolName, input, workingDir);
     return {
       tool: toolName,
-      path: filePath,
-      workingDir: isHostTool ? "/" : (workingDir ?? process.cwd()),
+      path: resolved.filePath,
+      resolvedPath: resolved.resolvedPath,
+      workingDir: resolved.effectiveWorkingDir,
       fileContext: buildFileContext(),
+      transferSandboxDestPath: resolved.transferSandboxDestPath,
+      transferSandboxWorkingDir: resolved.transferSandboxWorkingDir,
+      resolvedTransferDestPath: resolved.resolvedTransferDestPath,
     };
   }
 
@@ -448,7 +601,13 @@ export async function classifyRisk(
   signal?.throwIfAborted();
 
   // Check cache first.
-  const cacheKey = riskCacheKey(toolName, input, workingDir, manifestOverride);
+  const cacheKey = riskCacheKey(
+    toolName,
+    input,
+    workingDir,
+    manifestOverride,
+    fileToolFsStateKey(toolName, input, workingDir),
+  );
   const cached = riskCache.get(cacheKey);
   if (cached !== undefined) {
     // LRU refresh

package/src/permissions/ipc-risk-types.ts

@@ -53,6 +53,8 @@ export interface FileContext {
   deprecatedDir: string;
   hooksDir: string;
   pluginsDir: string;
+  toolsDir: string;
+  routesDir: string;
   actorTokenSigningKeyPath: string;
   skillSourceDirs: string[];
 }
@@ -81,6 +83,13 @@ export interface ClassifyRiskParams {
   command?: string;
   url?: string;
   path?: string;
+  /**
+   * The file tool's target path with symlinks resolved (canonicalized by the
+   * daemon, which owns the workspace filesystem). The gateway uses this for its
+   * security escalation prefix checks so a symlink cannot mask a write into a
+   * protected directory. Falls back to lexical `path` resolution when absent.
+   */
+  resolvedPath?: string;
   skill?: string;
   mode?: string;
   script?: string;
@@ -95,4 +104,19 @@ export interface ClassifyRiskParams {
   registryDefaultRisk?: string;
   /** Number of credential references attached to this tool invocation. */
   credentialRefCount?: number;
+  /**
+   * For host_file_transfer with `direction: "to_sandbox"`: the workspace-side
+   * destination path and the sandbox working directory it resolves against, so
+   * the gateway can escalate transfers that install an executable file in a
+   * code-injection sink (tools/routes/hooks/plugins/skills).
+   */
+  transferSandboxDestPath?: string;
+  transferSandboxWorkingDir?: string;
+  /**
+   * The `to_sandbox` workspace destination with symlinks resolved
+   * (canonicalized by the daemon). Used for the code-injection-sink check so a
+   * symlinked destination cannot mask the real target. Falls back to lexical
+   * resolution of `transferSandboxDestPath` when absent.
+   */
+  resolvedTransferDestPath?: string;
 }

package/src/permissions/question-prompter.test.ts

@@ -48,6 +48,8 @@ interface MockInteraction {
     orderedIds: string[];
     optionsById: Record<string, string[]>;
   };
+  toolUseId?: string;
+  questionDetails?: { entries: Array<{ id: string; question: string }> };
 }
 const _piStore = new Map<string, MockInteraction>();
 mock.module("../runtime/pending-interactions.js", () => ({
@@ -205,6 +207,31 @@ describe("QuestionPrompter", () => {
     expect(_piStore.has(req.requestId)).toBe(false);
   });
 
+  test("persists the full question entries on the interaction for rehydration", async () => {
+    // GIVEN a batched prompt with a tool-use id
+    const { prompter, sent } = makePrompter();
+
+    const promise = prompter.prompt({
+      ...threeQuestionParams,
+      toolUseId: "tool-q",
+    });
+    const req = sent[0] as QuestionRequestEvent;
+
+    // THEN the registered interaction carries the full entries (not just the
+    // id maps in `metadata`) so a history-load render can rehydrate the card
+    const interaction = _piStore.get(req.requestId);
+    expect(interaction?.toolUseId).toBe("tool-q");
+    expect(interaction?.questionDetails?.entries).toHaveLength(3);
+    expect(interaction?.questionDetails?.entries).toEqual(req.questions);
+
+    resolveBatch(req.requestId, [
+      { questionId: "q1", kind: "option", optionId: "a" },
+      { questionId: "q2", kind: "option", optionId: "x" },
+      { questionId: "q3", kind: "skip" },
+    ]);
+    await promise;
+  });
+
   test("free-text resolution", async () => {
     const { prompter, sent } = makePrompter();
 

package/src/permissions/question-prompter.ts

@@ -269,6 +269,10 @@ export class QuestionPrompter {
         timer,
         toolUseId,
         metadata: { orderedIds, optionsById } satisfies QuestionBatchMetadata,
+        // Persist the full entries (not just the id maps in `metadata`) so a
+        // history-load render can stamp this outstanding prompt back onto its
+        // tool call and rehydrate the question card after a reconnect.
+        questionDetails: { entries },
       });
 
       // Populate both shapes on the wire: `questions[]` is the canonical

package/src/platform/client.test.ts

@@ -178,4 +178,123 @@ describe("VellumPlatformClient", () => {
       });
     });
   });
+
+  describe("getOwnerConsent()", () => {
+    test("maps snake_case body to camelCase on 200", async () => {
+      globalThis.fetch = mock(async (url: string | URL | Request) => {
+        expect(String(url)).toBe(
+          "https://platform.example.com/v1/assistants/asst-123/owner-consent/",
+        );
+        return new Response(
+          JSON.stringify({
+            share_analytics: true,
+            share_diagnostics: false,
+            share_diagnostics_accepted_version: "2026-06-18",
+          }),
+          { status: 200 },
+        );
+      }) as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      const consent = await client!.getOwnerConsent();
+      expect(consent).toEqual({
+        shareAnalytics: true,
+        shareDiagnostics: false,
+        shareDiagnosticsAcceptedVersion: "2026-06-18",
+      });
+    });
+
+    test("defaults shareDiagnosticsAcceptedVersion to '' when the platform omits it (back-compat)", async () => {
+      globalThis.fetch = mock(
+        async () =>
+          new Response(
+            JSON.stringify({ share_analytics: true, share_diagnostics: true }),
+            { status: 200 },
+          ),
+      ) as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      const consent = await client!.getOwnerConsent();
+      expect(consent).toEqual({
+        shareAnalytics: true,
+        shareDiagnostics: true,
+        shareDiagnosticsAcceptedVersion: "",
+      });
+    });
+
+    test("uses the authenticated Api-Key header", async () => {
+      globalThis.fetch = mock(
+        async (_url: string | URL | Request, init?: RequestInit) => {
+          const headers = new Headers(init?.headers);
+          expect(headers.get("Authorization")).toBe("Api-Key sk-test-key");
+          return new Response(
+            JSON.stringify({ share_analytics: true, share_diagnostics: true }),
+            { status: 200 },
+          );
+        },
+      ) as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      await client!.getOwnerConsent();
+    });
+
+    test("returns null on 404", async () => {
+      globalThis.fetch = mock(
+        async () => new Response("not found", { status: 404 }),
+      ) as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      expect(await client!.getOwnerConsent()).toBeNull();
+    });
+
+    test("returns null on 500", async () => {
+      globalThis.fetch = mock(
+        async () => new Response("error", { status: 500 }),
+      ) as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      expect(await client!.getOwnerConsent()).toBeNull();
+    });
+
+    test("returns null on network error", async () => {
+      globalThis.fetch = mock(async () => {
+        throw new Error("network down");
+      }) as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      expect(await client!.getOwnerConsent()).toBeNull();
+    });
+
+    test("returns null on malformed body (non-boolean fields)", async () => {
+      globalThis.fetch = mock(
+        async () =>
+          new Response(
+            JSON.stringify({ share_analytics: "yes", share_diagnostics: 1 }),
+            { status: 200 },
+          ),
+      ) as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      expect(await client!.getOwnerConsent()).toBeNull();
+    });
+
+    test("returns null without fetching when assistantId is empty", async () => {
+      mockAssistantId = "";
+      mockSecureKeys = {};
+
+      const fetchSpy = mock(
+        async () =>
+          new Response(
+            JSON.stringify({ share_analytics: true, share_diagnostics: true }),
+            { status: 200 },
+          ),
+      );
+      globalThis.fetch = fetchSpy as unknown as typeof globalThis.fetch;
+
+      const client = await VellumPlatformClient.create();
+      expect(client!.platformAssistantId).toBe("");
+      expect(await client!.getOwnerConsent()).toBeNull();
+      expect(fetchSpy).not.toHaveBeenCalled();
+    });
+  });
 });

package/src/platform/client.ts

@@ -16,6 +16,18 @@ const log = getLogger("platform-client");
 
 let _missingPrereqsWarned = false;
 
+export interface OwnerConsent {
+  shareAnalytics: boolean;
+  shareDiagnostics: boolean;
+  /**
+   * Version of the diagnostics-sharing consent the owner accepted
+   * ("YYYY-MM-DD", or "" if never accepted). Composes the per-turn
+   * trace-collection gate: traces are only collected once this is >= the
+   * disclosing version (see telemetry/trace-collection-policy.ts).
+   */
+  shareDiagnosticsAcceptedVersion: string;
+}
+
 export class VellumPlatformClient {
   private readonly platformBaseUrl: string;
   private readonly apiKey: string;
@@ -109,6 +121,60 @@ export class VellumPlatformClient {
     return fetch(url, { ...init, headers });
   }
 
+  /**
+   * Fetch the platform owner's telemetry consent for this assistant.
+   *
+   * Returns `null` whenever the consent is unknown — missing assistant id,
+   * any non-2xx response (e.g. 404 before the endpoint is deployed), a
+   * malformed body, or a network error. Callers treat `null` as default-off.
+   * Never throws.
+   */
+  async getOwnerConsent(): Promise<OwnerConsent | null> {
+    if (!this.assistantId) {
+      return null;
+    }
+
+    try {
+      const res = await this.fetch(
+        `/v1/assistants/${this.assistantId}/owner-consent/`,
+      );
+      if (!res.ok) {
+        log.debug(
+          { status: res.status },
+          "owner-consent fetch returned non-2xx — treating as unknown",
+        );
+        return null;
+      }
+
+      const body = (await res.json()) as {
+        share_analytics?: unknown;
+        share_diagnostics?: unknown;
+        share_diagnostics_accepted_version?: unknown;
+      };
+      if (
+        typeof body.share_analytics !== "boolean" ||
+        typeof body.share_diagnostics !== "boolean"
+      ) {
+        log.debug("owner-consent body malformed — treating as unknown");
+        return null;
+      }
+
+      return {
+        shareAnalytics: body.share_analytics,
+        shareDiagnostics: body.share_diagnostics,
+        // Back-compat: an older platform that doesn't return this field yields
+        // "" → fails the trace-collection version gate → fail-closed (no trace).
+        shareDiagnosticsAcceptedVersion:
+          typeof body.share_diagnostics_accepted_version === "string"
+            ? body.share_diagnostics_accepted_version
+            : "",
+      };
+    } catch (err) {
+      log.debug({ err }, "owner-consent fetch failed — treating as unknown");
+      return null;
+    }
+  }
+
   get baseUrl(): string {
     return this.platformBaseUrl;
   }