@vellumai/credential-executor 0.6.5 → 0.7.0

package/node_modules/@vellumai/service-contracts/src/trust-rules.ts

@@ -0,0 +1,116 @@
+/**
+ * Trust rule types shared between the assistant daemon and the gateway.
+ *
+ * These are extracted from `assistant/src/permissions/types.ts` and
+ * `assistant/src/permissions/trust-store.ts` so that both packages can
+ * reference a single canonical definition.
+ *
+ * Tools are grouped into "families" based on how their permission candidates
+ * are constructed and matched:
+ *
+ * - **Scoped**: tools whose candidates include a filesystem path and obey
+ *   directory-boundary scope constraints (`file_read`, `file_write`,
+ *   `file_edit`, `host_file_read`, `host_file_write`, `host_file_edit`,
+ *   `host_file_transfer`, `bash`, `host_bash`).
+ * - **URL**: tools whose candidates include a URL (`web_fetch`,
+ *   `network_request`).
+ * - **Managed skill**: tools that manage first-party skill packages
+ *   (`scaffold_managed_skill`, `delete_managed_skill`).
+ * - **Skill load**: the `skill_load` tool, which uses a distinct candidate
+ *   namespace (`skill_load:selector` or `skill_load_dynamic:selector`).
+ * - **Generic**: everything else (computer-use tools, UI surface tools,
+ *   recall, skill_execute, etc.).
+ */
+
+// ---------------------------------------------------------------------------
+// Trust decision
+// ---------------------------------------------------------------------------
+
+/** The possible decisions a trust rule can make. */
+export type TrustDecision = "allow" | "deny" | "ask";
+
+// ---------------------------------------------------------------------------
+// Tool family constants
+// ---------------------------------------------------------------------------
+
+/**
+ * Tools whose permission candidates are scoped to a filesystem path and obey
+ * directory-boundary scope constraints.
+ */
+export const SCOPED_TOOLS = [
+  "file_read",
+  "file_write",
+  "file_edit",
+  "host_file_read",
+  "host_file_write",
+  "host_file_edit",
+  "host_file_transfer",
+  "bash",
+  "host_bash",
+] as const;
+
+/**
+ * Tools whose permission candidates include a URL.
+ */
+export const URL_TOOLS = ["web_fetch", "network_request"] as const;
+
+/**
+ * Tools that manage first-party skill packages (scaffold/delete).
+ */
+export const MANAGED_SKILL_TOOLS = [
+  "scaffold_managed_skill",
+  "delete_managed_skill",
+] as const;
+
+/**
+ * The skill_load tool name. Separated from the array constants because
+ * skill_load is a singleton, not a family with multiple members.
+ */
+export const SKILL_LOAD_TOOL = "skill_load" as const;
+
+/** Set for O(1) lookups when classifying tool names. */
+const SCOPED_TOOLS_SET: ReadonlySet<string> = new Set(SCOPED_TOOLS);
+const URL_TOOLS_SET: ReadonlySet<string> = new Set(URL_TOOLS);
+const MANAGED_SKILL_TOOLS_SET: ReadonlySet<string> = new Set(
+  MANAGED_SKILL_TOOLS,
+);
+
+// ---------------------------------------------------------------------------
+// Type guards
+// ---------------------------------------------------------------------------
+
+/** Returns true when the rule's tool belongs to the scoped-tool family. */
+export function isScopedRule(rule: { tool: string }): boolean {
+  return SCOPED_TOOLS_SET.has(rule.tool);
+}
+
+/** Returns true when the rule's tool belongs to the URL-tool family. */
+export function isUrlRule(rule: { tool: string }): boolean {
+  return URL_TOOLS_SET.has(rule.tool);
+}
+
+/** Returns true when the rule's tool belongs to the managed-skill-tool family. */
+export function isManagedSkillRule(rule: { tool: string }): boolean {
+  return MANAGED_SKILL_TOOLS_SET.has(rule.tool);
+}
+
+/** Returns true when the rule's tool is the skill_load tool. */
+export function isSkillLoadRule(rule: { tool: string }): boolean {
+  return rule.tool === SKILL_LOAD_TOOL;
+}
+
+// ---------------------------------------------------------------------------
+// Scope helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Return the effective scope for any trust rule. Only scoped rules carry a
+ * `scope` field; all other rule families return `"everywhere"`.
+ */
+export function ruleScope(rule: { tool: string; scope?: string }): string {
+  if (isScopedRule(rule)) {
+    return rule.scope ?? "everywhere";
+  }
+  return "everywhere";
+}
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/credential-executor",
-  "version": "0.6.5",
+  "version": "0.7.0",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -18,14 +18,14 @@
     "prepack": "node ../scripts/prepack-bundled-deps.mjs"
   },
   "dependencies": {
-    "@vellumai/ces-contracts": "file:../packages/ces-contracts",
+    "@vellumai/service-contracts": "file:../packages/service-contracts",
     "@vellumai/credential-storage": "file:../packages/credential-storage",
     "@vellumai/egress-proxy": "file:../packages/egress-proxy",
     "pino": "9.14.0",
     "pino-pretty": "13.1.3"
   },
   "bundledDependencies": [
-    "@vellumai/ces-contracts",
+    "@vellumai/service-contracts",
     "@vellumai/credential-storage",
     "@vellumai/egress-proxy"
   ],

package/src/__tests__/bulk-set-credentials.test.ts

@@ -7,7 +7,7 @@
 
 import { describe, expect, test } from "bun:test";
 
-import { CesRpcMethod } from "@vellumai/ces-contracts";
+import { CesRpcMethod } from "@vellumai/service-contracts/credential-rpc";
 import type { SecureKeyBackend } from "@vellumai/credential-storage";
 
 // ---------------------------------------------------------------------------

package/src/__tests__/command-executor.test.ts

@@ -45,7 +45,7 @@ import {
 } from "../toolstore/publish.js";
 import { getCesToolStoreDir, getCesDataRoot } from "../paths.js";
 import { computeDigest } from "../toolstore/integrity.js";
-import { hashProposal, type CommandGrantProposal } from "@vellumai/ces-contracts";
+import { hashProposal, type CommandGrantProposal } from "@vellumai/service-contracts/credential-rpc";
 
 // ---------------------------------------------------------------------------
 // Test helpers
@@ -244,7 +244,7 @@ function addCommandGrant(
  * Add a temporary command grant.
  *
  * Constructs the same CommandGrantProposal shape that the executor builds
- * and hashes it with `hashProposal` from `@vellumai/ces-contracts` so the
+ * and hashes it with `hashProposal` from `@vellumai/service-contracts` so the
  * hashes align.
  */
 function addTemporaryCommandGrant(

package/src/__tests__/http-executor.test.ts

@@ -24,7 +24,7 @@ import {
   localStaticHandle,
   localOAuthHandle,
   platformOAuthHandle,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 import {
   type OAuthConnectionRecord,
   type SecureKeyBackend,

package/src/__tests__/local-materializers.test.ts

@@ -19,7 +19,7 @@ import {
   localStaticHandle,
   localOAuthHandle,
   platformOAuthHandle,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 import {
   type OAuthConnectionRecord,
   type SecureKeyBackend,

package/src/__tests__/managed-integration.test.ts

@@ -34,7 +34,7 @@ import {
   type DeleteCredentialResponse,
   type ListCredentialsResponse,
   type RpcEnvelope,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 
 import { PersistentGrantStore } from "../grants/persistent-store.js";
 import { TemporaryGrantStore } from "../grants/temporary-store.js";

package/src/__tests__/managed-lazy-getters.test.ts

@@ -260,7 +260,7 @@ describe("managed lazy getters — missing platform config fields", () => {
     /**
      * Verifies that updating assistantIdRef.current after buildLazyGetters
      * makes previously-undefined options become defined — the core fix for
-     * warm-pool pods where PLATFORM_ASSISTANT_ID is empty at CES startup.
+     * warm-pool pods where the assistant ID is empty at CES startup.
      */
 
     // GIVEN an API key is available but assistant ID is empty (warm-pool startup)

package/src/__tests__/managed-materializers.test.ts

@@ -14,7 +14,7 @@
 
 import { describe, expect, test } from "bun:test";
 
-import { platformOAuthHandle } from "@vellumai/ces-contracts";
+import { platformOAuthHandle } from "@vellumai/service-contracts/credential-rpc";
 
 import {
   type ManagedSubject,

package/src/__tests__/managed-rejection.test.ts

@@ -9,7 +9,7 @@
 
 import { describe, expect, test } from "bun:test";
 
-import { HandleType, localStaticHandle, parseHandle } from "@vellumai/ces-contracts";
+import { HandleType, localStaticHandle, parseHandle } from "@vellumai/service-contracts/credential-rpc";
 
 import { MANAGED_LOCAL_STATIC_REJECTION_ERROR } from "../managed-errors.js";
 

package/src/__tests__/transport.test.ts

@@ -21,7 +21,7 @@ import {
   CES_PROTOCOL_VERSION,
   type HandshakeAck,
   type RpcEnvelope,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 
 import { getCesDataRoot, getBootstrapSocketPath, getHealthPort } from "../paths.js";
 import { CesRpcServer, type RpcHandlerRegistry } from "../server.js";

package/src/audit/store.ts

@@ -3,7 +3,7 @@
  *
  * Persists token-free audit record summaries to `audit.jsonl` inside
  * the CES-private data root. Each line is a self-contained JSON object
- * conforming to the `AuditRecordSummary` schema from `@vellumai/ces-contracts`.
+ * conforming to the `AuditRecordSummary` schema from `@vellumai/service-contracts`.
  *
  * Design principles:
  * - **Append-only**: Records are appended one per line. The file is never
@@ -27,7 +27,7 @@ import {
 } from "node:fs";
 import { dirname, join } from "node:path";
 
-import type { AuditRecordSummary } from "@vellumai/ces-contracts";
+import type { AuditRecordSummary } from "@vellumai/service-contracts/credential-rpc";
 
 import { getCesAuditDir } from "../paths.js";
 

package/src/commands/executor.ts

@@ -74,7 +74,7 @@ import {
   type WorkspaceOutput,
   type CopybackResult,
 } from "./workspace.js";
-import { hashProposal, type AuditRecordSummary, type CommandGrantProposal } from "@vellumai/ces-contracts";
+import { hashProposal, type AuditRecordSummary, type CommandGrantProposal } from "@vellumai/service-contracts/credential-rpc";
 
 import type { AuditStore } from "../audit/store.js";
 import type { PersistentGrantStore } from "../grants/persistent-store.js";
@@ -737,7 +737,7 @@ function checkGrant(
 
   // Check temporary grants — build the same proposal shape that the
   // approval bridge produces, then hash with the canonical algorithm
-  // from `@vellumai/ces-contracts` so the hashes align.
+  // from `@vellumai/service-contracts` so the hashes align.
   const tempProposal: CommandGrantProposal = {
     type: "command",
     credentialHandle: request.credentialHandle,

package/src/grants/rpc-handlers.ts

@@ -23,7 +23,7 @@ import type {
   ListAuditRecords,
   ListAuditRecordsResponse,
   PersistentGrantRecord,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 
 import type { PersistentGrantStore, PersistentGrant } from "./persistent-store.js";
 import type { TemporaryGrantStore } from "./temporary-store.js";

package/src/http/audit.ts

@@ -15,7 +15,7 @@
 
 import { randomUUID } from "node:crypto";
 
-import type { AuditRecordSummary } from "@vellumai/ces-contracts";
+import type { AuditRecordSummary } from "@vellumai/service-contracts/credential-rpc";
 import { derivePathTemplate } from "./path-template.js";
 
 // ---------------------------------------------------------------------------

package/src/http/executor.ts

@@ -26,8 +26,8 @@
 import type {
   MakeAuthenticatedRequest,
   MakeAuthenticatedRequestResponse,
-} from "@vellumai/ces-contracts";
-import { HandleType, parseHandle, hashProposal } from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
+import { HandleType, parseHandle, hashProposal } from "@vellumai/service-contracts/credential-rpc";
 import type { InjectionTemplate } from "@vellumai/credential-storage";
 
 import { evaluateHttpPolicy, type PolicyResult } from "./policy.js";

package/src/http/policy.ts

@@ -18,7 +18,7 @@
  *   credential.
  */
 
-import { hashProposal, type HttpGrantProposal } from "@vellumai/ces-contracts";
+import { hashProposal, type HttpGrantProposal } from "@vellumai/service-contracts/credential-rpc";
 
 import type { PersistentGrant, PersistentGrantStore } from "../grants/persistent-store.js";
 import type { TemporaryGrantStore } from "../grants/temporary-store.js";

package/src/main.ts

@@ -23,7 +23,7 @@ import { mkdirSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 
-import { CES_PROTOCOL_VERSION, CesRpcMethod } from "@vellumai/ces-contracts";
+import { CES_PROTOCOL_VERSION, CesRpcMethod } from "@vellumai/service-contracts/credential-rpc";
 import { StaticCredentialMetadataStore } from "@vellumai/credential-storage";
 
 import { AuditStore } from "./audit/store.js";

package/src/managed-errors.ts

@@ -1,9 +1,9 @@
 /**
  * Error message constants for managed-mode CES.
  *
- * Re-exported from @vellumai/ces-contracts so both the assistant and
+ * Re-exported from @vellumai/service-contracts so both the assistant and
  * credential-executor can share the constant via the approved shared-code
  * path without violating the hard process-boundary isolation.
  */
 
-export { MANAGED_LOCAL_STATIC_REJECTION_ERROR } from "@vellumai/ces-contracts";
+export { MANAGED_LOCAL_STATIC_REJECTION_ERROR } from "@vellumai/service-contracts/credential-rpc";

package/src/managed-lazy-getters.ts

@@ -23,10 +23,10 @@ export interface ApiKeyRef {
 }
 
 /**
- * Mutable reference to the platform assistant ID. For warm-pool pods the
- * PLATFORM_ASSISTANT_ID env var is empty at startup; the assistant forwards
- * the ID via the handshake or update_managed_credential RPC after
- * provisioning, and `.current` is updated so lazy getters pick it up.
+ * Mutable reference to the platform assistant ID. The assistant ID is not
+ * available at CES startup (warm-pool pods); the assistant forwards it via
+ * the handshake or update_managed_credential RPC after provisioning, and
+ * `.current` is updated so lazy getters pick it up.
  */
 export interface AssistantIdRef {
   current: string;

package/src/managed-main.ts

@@ -22,7 +22,7 @@ import { createServer as createNetServer, type Socket } from "node:net";
 import { dirname, join } from "node:path";
 import { Readable, Writable } from "node:stream";
 
-import { CES_PROTOCOL_VERSION, CesRpcMethod } from "@vellumai/ces-contracts";
+import { CES_PROTOCOL_VERSION, CesRpcMethod } from "@vellumai/service-contracts/credential-rpc";
 
 import { AuditStore } from "./audit/store.js";
 import { PersistentGrantStore } from "./grants/persistent-store.js";
@@ -56,7 +56,7 @@ import { validateSourceUrl } from "./toolstore/manifest.js";
 import { buildCesEgressHooks } from "./commands/egress-hooks.js";
 import { resolveManagedSubject } from "./subjects/managed.js";
 import { materializeManagedToken } from "./materializers/managed-platform.js";
-import { HandleType, parseHandle } from "@vellumai/ces-contracts";
+import { HandleType, parseHandle } from "@vellumai/service-contracts/credential-rpc";
 import { buildLazyGetters, type ApiKeyRef, type AssistantIdRef } from "./managed-lazy-getters.js";
 import { MANAGED_LOCAL_STATIC_REJECTION_ERROR } from "./managed-errors.js";
 import type { SecureKeyBackend } from "@vellumai/credential-storage";
@@ -586,7 +586,7 @@ async function main(): Promise<void> {
   // are available to handlers at call time (after the handshake completes).
   const sessionIdRef: SessionIdRef = { current: `ces-managed-${Date.now()}` };
   const apiKeyRef: ApiKeyRef = { current: "" };
-  const assistantIdRef: AssistantIdRef = { current: process.env["PLATFORM_ASSISTANT_ID"] ?? "" };
+  const assistantIdRef: AssistantIdRef = { current: "" };
   const handlers = buildHandlers(sessionIdRef, apiKeyRef, assistantIdRef, secureKeyBackend);
 
   const rpcLog = getLogger("rpc");

package/src/materializers/local.ts

@@ -32,7 +32,7 @@ import {
   RefreshDeduplicator,
   persistRefreshedTokens,
 } from "@vellumai/credential-storage";
-import { HandleType } from "@vellumai/ces-contracts";
+import { HandleType } from "@vellumai/service-contracts/credential-rpc";
 
 import type {
   ResolvedLocalSubject,

package/src/server.ts

@@ -2,7 +2,7 @@
  * CES RPC server.
  *
  * Implements the server-side of the CES wire protocol defined in
- * `@vellumai/ces-contracts`. The server reads newline-delimited JSON
+ * `@vellumai/service-contracts`. The server reads newline-delimited JSON
  * messages from a readable stream, dispatches them through the RPC
  * contract, and writes responses back to a writable stream.
  *
@@ -32,7 +32,7 @@ import {
   type RunAuthenticatedCommandResponse,
   type TransportMessage,
   TransportMessageSchema,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 
 import { resolve } from "node:path";
 

package/src/subjects/local.ts

@@ -7,7 +7,7 @@
  * operates independently — it never imports from the assistant daemon.
  *
  * Subject resolution is the first phase of credential materialisation:
- * 1. Parse the handle (via `@vellumai/ces-contracts`)
+ * 1. Parse the handle (via `@vellumai/service-contracts`)
  * 2. Look up the metadata/connection record in local storage
  * 3. Return a resolved subject that the materialiser can consume
  *
@@ -26,7 +26,7 @@ import {
   parseHandle,
   type LocalOAuthHandle,
   type LocalStaticHandle,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 
 // ---------------------------------------------------------------------------
 // Resolved subject types

package/src/subjects/managed.ts

@@ -24,7 +24,7 @@ import {
   HandleType,
   parseHandle,
   type PlatformOAuthHandle,
-} from "@vellumai/ces-contracts";
+} from "@vellumai/service-contracts/credential-rpc";
 
 // ---------------------------------------------------------------------------
 // Common subject interface