@vellumai/vellum-gateway 0.8.5 → 0.8.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/vellum-gateway",
-  "version": "0.8.5",
+  "version": "0.8.6",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/guardian-init-lockfile.test.ts

@@ -526,14 +526,30 @@ describe("guardian/reset-bootstrap", () => {
     expect(body.error).toBe("Loopback-only endpoint");
   });
 
-  test("rejects in Docker mode (bootstrap secret set)", async () => {
+  test("rejects without valid bootstrap secret when secrets are configured", async () => {
     process.env.GUARDIAN_BOOTSTRAP_SECRET = "some-secret";
     const handler = createChannelVerificationSessionProxyHandler(makeConfig());
 
     const res = await handler.handleResetBootstrap("127.0.0.1");
     expect(res.status).toBe(403);
     const body = await res.json();
-    expect(body.error).toBe("Reset not available in containerized mode");
+    expect(body.error).toBe("Invalid bootstrap secret");
+  });
+
+  test("allows reset with valid bootstrap secret", async () => {
+    process.env.GUARDIAN_BOOTSTRAP_SECRET = "some-secret";
+    writeFileSync(lockPath(), new Date().toISOString(), { mode: 0o600 });
+    writeFileSync(consumedPath(), JSON.stringify([0]) + "\n", { mode: 0o600 });
+    const handler = createChannelVerificationSessionProxyHandler(makeConfig());
+
+    const req = new Request("http://localhost:7830/v1/guardian/reset-bootstrap", {
+      method: "POST",
+      headers: { "x-bootstrap-secret": "some-secret" },
+    });
+    const res = await handler.handleResetBootstrap("127.0.0.1", req);
+    expect(res.status).toBe(200);
+    expect(lockFileExists()).toBe(false);
+    expect(consumedSecrets()).toEqual([]);
   });
 
   test("resets in-flight flag so init can proceed", async () => {

package/src/__tests__/remote-feature-flag-sync.test.ts

@@ -62,6 +62,14 @@ const TEST_REGISTRY = {
       description: "Email channel integration",
       defaultEnabled: false,
     },
+    {
+      id: "platform-features-in-local-mode",
+      scope: "assistant",
+      key: "platform-features-in-local-mode",
+      label: "Platform Features in Local Mode",
+      description: "Gate platform API calls in local mode",
+      defaultEnabled: true,
+    },
   ],
 };
 

package/src/__tests__/route-schema-guard.test.ts

@@ -175,6 +175,8 @@ const EXCLUDED_FROM_SCHEMA = new Set([
   "/.well-known/agent-card.json",
   // Internal-only: reachable only via vembda's trusted gateway-query proxy
   "/v1/contacts/guardian/channel",
+  // BFF token auth — loopback-only, not part of the public gateway API
+  "/auth/token",
 ]);
 
 // ── Schema paths that don't map to a discrete route definition ──

package/src/auth/guardian-bootstrap.ts

@@ -24,6 +24,7 @@ import {
 } from "../db/schema.js";
 import { readCredential } from "../credential-reader.js";
 import { credentialKey } from "../credential-key.js";
+import { arePlatformFeaturesEnabled } from "../feature-flag-resolver.js";
 import { getLogger } from "../logger.js";
 
 import { CURRENT_POLICY_EPOCH } from "./policy.js";
@@ -544,6 +545,13 @@ function mintRefreshToken(
  * callers fall back to a generated principal ID in that case.
  */
 async function fetchPlatformOwnerDisplayName(): Promise<string | null> {
+  if (!arePlatformFeaturesEnabled()) {
+    log.debug(
+      "platform-features-in-local-mode is disabled — skipping platform owner display name fetch",
+    );
+    return null;
+  }
+
   const isPlatform =
     process.env.IS_PLATFORM?.trim().toLowerCase() === "true" ||
     process.env.IS_PLATFORM?.trim() === "1";

package/src/email/register-callback.ts

@@ -2,6 +2,7 @@ import type { ConfigFileCache } from "../config-file-cache.js";
 import type { CredentialCache } from "../credential-cache.js";
 import { credentialKey } from "../credential-key.js";
 import { fetchImpl } from "../fetch.js";
+import { arePlatformFeaturesEnabled } from "../feature-flag-resolver.js";
 import { getLogger } from "../logger.js";
 
 const log = getLogger("email-callback");
@@ -37,6 +38,13 @@ export async function registerEmailCallbackRoute(caches?: {
   credentials?: CredentialCache;
   configFile?: ConfigFileCache;
 }): Promise<string | undefined> {
+  if (!arePlatformFeaturesEnabled()) {
+    log.debug(
+      "platform-features-in-local-mode is disabled — skipping email callback registration",
+    );
+    return undefined;
+  }
+
   const [platformBaseUrlRaw, assistantApiKeyRaw, assistantIdRaw] =
     caches?.credentials
       ? await Promise.all([

package/src/feature-flag-registry.json

@@ -25,6 +25,14 @@
       "description": "Enable user-hosted onboarding flow",
       "defaultEnabled": false
     },
+    {
+      "id": "prechat-onboarding-condensed-flow",
+      "scope": "client",
+      "key": "prechat-onboarding-condensed-flow",
+      "label": "Condensed Pre-chat Onboarding",
+      "description": "Enable the condensed pre-chat onboarding flow for a standard LaunchDarkly percentage rollout.",
+      "defaultEnabled": false
+    },
     {
       "id": "local-docker-enabled",
       "scope": "client",
@@ -190,7 +198,7 @@
       "scope": "assistant",
       "key": "fast-mode",
       "label": "Fast Mode",
-      "description": "Enable Anthropic fast mode for Opus models (4.6, 4.7), delivering up to 2.5x higher output tokens per second at premium pricing",
+      "description": "Enable Anthropic fast mode for Opus models (4.6, 4.7, 4.8), delivering up to 2.5x higher output tokens per second at premium pricing",
       "defaultEnabled": false
     },
     {
@@ -281,14 +289,6 @@
       "description": "Expose the developer-only Compaction Playground tab in macOS Settings and enable the /playground/* HTTP endpoints for exercising compaction conditions. Dev-only; default off.",
       "defaultEnabled": false
     },
-    {
-      "id": "safe-storage-limits",
-      "scope": "assistant",
-      "key": "safe-storage-limits",
-      "label": "Safe Storage Limits",
-      "description": "Enable disk pressure protection flows that block background work and remote actors while storage is critically low.",
-      "defaultEnabled": false
-    },
     {
       "id": "account-deletion",
       "scope": "assistant",
@@ -313,14 +313,6 @@
       "description": "Show the 'Analyze' / 'Analyze conversation' option in conversation context menus and the conversation title actions dropdown.",
       "defaultEnabled": false
     },
-    {
-      "id": "pro-plan-adjust",
-      "scope": "client",
-      "key": "pro-plan-adjust",
-      "label": "Pro Plan Adjust",
-      "description": "Show the rich Plan card (current plan, features, Manage/Upgrade CTA) at the top of the macOS Settings \u2192 Billing tab.",
-      "defaultEnabled": false
-    },
     {
       "id": "external-plugins",
       "scope": "assistant",
@@ -440,6 +432,14 @@
       "label": "Memory Router Playground",
       "description": "Expose the developer-only Memory Router Playground tab in macOS Settings and the /assistant/memory-router-playground web page for dry-running v4 router config overrides against the live page index. Dev-only; default off.",
       "defaultEnabled": false
+    },
+    {
+      "id": "platform-features-in-local-mode",
+      "scope": "assistant",
+      "key": "platform-features-in-local-mode",
+      "label": "Platform Features in Local Mode",
+      "description": "When enabled, the assistant can call the Vellum platform API from local mode. When disabled, all platform API clients in the daemon, gateway, CES, and web UI no-op with a debug log instead of making outbound requests.",
+      "defaultEnabled": true
     }
   ]
 }

package/src/feature-flag-resolver.ts

@@ -0,0 +1,36 @@
+import { loadFeatureFlagDefaults } from "./feature-flag-defaults.js";
+import {
+  hasRemoteFeatureFlagSnapshot,
+  readRemoteFeatureFlags,
+} from "./feature-flag-remote-store.js";
+import { readPersistedFeatureFlags } from "./feature-flag-store.js";
+
+/**
+ * Resolve the effective enabled/disabled state for a feature flag.
+ *
+ * Priority: persisted (user-toggled) > remote (platform-pushed) > registry default.
+ * Undeclared keys with no override return `false` (fail closed).
+ */
+export function isFeatureFlagEnabled(key: string): boolean {
+  const persisted = readPersistedFeatureFlags();
+  const persistedValue = persisted[key];
+  if (persistedValue !== undefined) return persistedValue;
+
+  if (hasRemoteFeatureFlagSnapshot()) {
+    const remote = readRemoteFeatureFlags();
+    return remote[key] ?? false;
+  }
+
+  const defaults = loadFeatureFlagDefaults();
+  return defaults[key]?.defaultEnabled ?? false;
+}
+
+function isPlatformMode(): boolean {
+  const v = process.env.IS_PLATFORM?.trim().toLowerCase();
+  return v === "true" || v === "1";
+}
+
+export function arePlatformFeaturesEnabled(): boolean {
+  if (isPlatformMode()) return true;
+  return isFeatureFlagEnabled("platform-features-in-local-mode");
+}

package/src/http/middleware/cors.ts

@@ -115,6 +115,10 @@ export function withExtensionCorsHeaders(
   }
 }
 
+// ---------------------------------------------------------------------------
+// WKWebView CORS
+// ---------------------------------------------------------------------------
+
 /**
  * Check whether the request `Origin` header matches a known webview origin.
  * Returns the validated origin string, or null if CORS headers should not be

package/src/http/routes/auth-token.ts

@@ -0,0 +1,60 @@
+import type { Server } from "bun";
+
+import { ensureVellumGuardianBinding } from "../../auth/guardian-bootstrap.js";
+import { CURRENT_POLICY_EPOCH } from "../../auth/policy.js";
+import { mintToken, verifyToken } from "../../auth/token-service.js";
+import { getLogger } from "../../logger.js";
+import { isLoopbackPeer } from "../../util/is-loopback-address.js";
+
+const log = getLogger("auth-token");
+
+const WEB_ORIGIN_RE = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/;
+
+const TOKEN_TTL_SECONDS = 30 * 24 * 60 * 60;
+
+export async function handleCreateToken(
+  req: Request,
+  server: Server<unknown> | undefined,
+): Promise<Response> {
+  if (!server || !isLoopbackPeer(server, req)) {
+    log.warn("Token create rejected: not a loopback peer");
+    return Response.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const origin = req.headers.get("origin");
+  if (!origin || !WEB_ORIGIN_RE.test(origin)) {
+    log.warn({ origin }, "Token create rejected: missing or invalid Origin");
+    return Response.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const authHeader = req.headers.get("authorization");
+  if (!authHeader || !authHeader.toLowerCase().startsWith("bearer ")) {
+    log.warn("Token create rejected: missing or malformed Authorization header");
+    return Response.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const bearerToken = authHeader.slice(7);
+  const verifyResult = verifyToken(bearerToken, "vellum-gateway");
+  if (!verifyResult.ok) {
+    log.warn({ reason: verifyResult.reason }, "Token create rejected: invalid guardian token");
+    return Response.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (verifyResult.claims.scope_profile !== "actor_client_v1") {
+    log.warn({ scope: verifyResult.claims.scope_profile }, "Token create rejected: insufficient scope");
+    return Response.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const guardianPrincipalId = await ensureVellumGuardianBinding();
+
+  const token = mintToken({
+    aud: "vellum-gateway",
+    sub: `actor:self:${guardianPrincipalId}`,
+    scope_profile: "actor_client_v1",
+    policy_epoch: CURRENT_POLICY_EPOCH,
+    ttlSeconds: TOKEN_TTL_SECONDS,
+  });
+
+  const expiresAt = Math.floor(Date.now() / 1000) + TOKEN_TTL_SECONDS;
+  log.info("Bearer token minted for web local mode");
+
+  return Response.json({ token, expiresAt });
+}

package/src/http/routes/channel-verification-session-proxy.test.ts

@@ -231,7 +231,7 @@ describe("channel-verification-session-proxy guardian init", () => {
     expect(body.ok).toBe(true);
   });
 
-  it("rejects handleResetBootstrap in containerized mode", async () => {
+  it("rejects handleResetBootstrap without valid bootstrap secret", async () => {
     process.env.GUARDIAN_BOOTSTRAP_SECRET = "secret-abc";
     const config = makeConfig();
     const handler = createChannelVerificationSessionProxyHandler(config);
@@ -240,6 +240,6 @@ describe("channel-verification-session-proxy guardian init", () => {
 
     expect(response.status).toBe(403);
     const body = await response.json();
-    expect(body.error).toBe("Reset not available in containerized mode");
+    expect(body.error).toBe("Invalid bootstrap secret");
   });
 });

package/src/http/routes/channel-verification-session-proxy.ts

@@ -458,15 +458,19 @@ export function createChannelVerificationSessionProxyHandler(
         );
       }
 
-      // Docker mode uses secret-based consumption tracking — resetting the
-      // lockfile alone wouldn't help because consumed secrets are tracked
-      // separately. Only bare-metal (no bootstrap secret) uses the simple
-      // lockfile as the sole guard.
-      if (parseBootstrapSecrets().length > 0) {
-        return Response.json(
-          { error: "Reset not available in containerized mode" },
-          { status: 403 },
-        );
+      // When bootstrap secrets are configured, require a valid one to
+      // authorize the reset. This allows bare-metal re-pair (the macOS app
+      // reads the secret from the lockfile) while preventing unauthorized
+      // resets on Docker deployments where secrets are ephemeral.
+      const expectedSecrets = parseBootstrapSecrets();
+      if (expectedSecrets.length > 0) {
+        const provided = req?.headers.get("x-bootstrap-secret");
+        if (!provided || !expectedSecrets.includes(provided)) {
+          return Response.json(
+            { error: "Invalid bootstrap secret" },
+            { status: 403 },
+          );
+        }
       }
 
       // Refuse while an init request is awaiting an upstream response —
@@ -482,6 +486,7 @@ export function createChannelVerificationSessionProxyHandler(
 
       const lockDir = getGatewaySecurityDir();
       const lockPath = join(lockDir, "guardian-init.lock");
+      const consumedPath = join(lockDir, "guardian-init-consumed.json");
 
       try {
         if (existsSync(lockPath)) {
@@ -490,8 +495,12 @@ export function createChannelVerificationSessionProxyHandler(
             "Guardian bootstrap lock file removed — re-init is now allowed",
           );
         }
+        if (existsSync(consumedPath)) {
+          unlinkSync(consumedPath);
+          log.info("Guardian consumed secrets file removed");
+        }
       } catch (err) {
-        log.error({ err }, "Failed to remove guardian-init.lock");
+        log.error({ err }, "Failed to remove guardian-init lock/consumed files");
         return Response.json(
           { error: "Failed to remove lock file" },
           { status: 500 },

package/src/http/routes/feature-flags.ts

@@ -35,7 +35,9 @@ export function createFeatureFlagsGetHandler() {
       const remote = readRemoteFeatureFlags();
       const hasRemoteSnapshot = hasRemoteFeatureFlagSnapshot();
 
-      // Build entries for ALL declared flags, merging persisted values
+      // Build entries for ALL declared flags, merging persisted values.
+      // When a remote snapshot exists, flags absent from it are treated
+      // as disabled (the platform omitted them intentionally).
       const entries: FeatureFlagEntry[] = [];
       for (const [key, def] of Object.entries(defaults)) {
         const persistedValue = persisted[key];

package/src/index.ts

@@ -151,6 +151,7 @@ import {
   handlePreflight,
   withCorsHeaders,
 } from "./http/middleware/cors.js";
+import { handleCreateToken } from "./http/routes/auth-token.js";
 import {
   createRouter,
   type RouteDefinition,
@@ -159,6 +160,7 @@ import {
 import { SleepWakeDetector } from "./sleep-wake-detector.js";
 import { callTelegramApi } from "./telegram/api.js";
 import { fetchImpl } from "./fetch.js";
+import { arePlatformFeaturesEnabled } from "./feature-flag-resolver.js";
 import { isNewCommand, handleNewCommand } from "./webhook-pipeline.js";
 import { reconcileTelegramWebhook } from "./telegram/webhook-manager.js";
 import { registerEmailCallbackRoute } from "./email/register-callback.js";
@@ -1414,6 +1416,14 @@ async function main() {
     },
   ];
 
+  // ── Web token auth ──
+  routes.push({
+    path: "/auth/token",
+    method: "POST",
+    auth: "custom",
+    handler: (req) => handleCreateToken(req, server),
+  });
+
   // Runtime proxy catch-all — must be last so specific routes are checked first.
   routes.push({
     path: /^\//, // match everything
@@ -1685,6 +1695,7 @@ async function main() {
         );
         if (extensionOrigin)
           return withExtensionCorsHeaders(body, extensionOrigin);
+
         return withCorsHeaders(body, webviewOrigin!);
       }
       log.error({ err }, "Unhandled gateway error");
@@ -1743,6 +1754,13 @@ async function main() {
    *  Throttled to at most one outbound POST per 30 seconds. */
   let lastRecordActivityTs = 0;
   async function notifyRecordActivity(): Promise<void> {
+    if (!arePlatformFeaturesEnabled()) {
+      log.debug(
+        "platform-features-in-local-mode is disabled — skipping record-activity",
+      );
+      return;
+    }
+
     const now = Date.now();
     if (now - lastRecordActivityTs < 30_000) return;
     lastRecordActivityTs = now;

package/src/risk/command-registry/commands/assistant.ts

@@ -72,6 +72,9 @@ const ASSISTANT_SUPPORTED_COMMAND_PATHS = [
   "channel-verification-sessions resend",
   "channel-verification-sessions cancel",
   "channel-verification-sessions revoke",
+  "channels",
+  "channels list",
+  "channels get",
   "clients",
   "clients disconnect",
   "clients list",

package/src/schema.ts

@@ -1935,13 +1935,13 @@ export function buildSchema(): Record<string, unknown> {
         post: {
           summary: "Reset guardian bootstrap lock",
           description:
-            "Loopback-only, bare-metal-only endpoint that removes the guardian-init lock file so that /v1/guardian/init can be called again. Used by the desktop app to recover from a lost actor token.",
+            "Loopback-only endpoint that removes the guardian-init lock file so that /v1/guardian/init can be called again. When bootstrap secrets are configured, callers must provide a valid x-bootstrap-secret header. Used by the desktop app to recover from a lost actor token.",
           operationId: "guardianResetBootstrap",
           responses: {
             "200": { description: "Lock file removed (or already absent)" },
             "403": {
               description:
-                "Forbidden — non-loopback origin or containerized mode",
+                "Forbidden — non-loopback origin or invalid bootstrap secret",
             },
             "409": {
               description: "Guardian init is in progress — try again shortly",

package/src/telegram/webhook-manager.ts

@@ -2,6 +2,7 @@ import type { CredentialCache } from "../credential-cache.js";
 import type { ConfigFileCache } from "../config-file-cache.js";
 import { credentialKey } from "../credential-key.js";
 import { fetchImpl } from "../fetch.js";
+import { arePlatformFeaturesEnabled } from "../feature-flag-resolver.js";
 import { callTelegramApi } from "./api.js";
 import { getLogger } from "../logger.js";
 
@@ -31,6 +32,13 @@ interface PlatformCallbackRouteResponse {
 async function registerManagedTelegramCallbackRoute(
   caches?: WebhookManagerCaches,
 ): Promise<string | undefined> {
+  if (!arePlatformFeaturesEnabled()) {
+    log.debug(
+      "platform-features-in-local-mode is disabled — skipping managed Telegram callback registration",
+    );
+    return undefined;
+  }
+
   const [platformBaseUrlRaw, assistantApiKeyRaw, assistantIdRaw] =
     caches?.credentials
       ? await Promise.all([