vellum 0.2.1 → 0.2.2

package/src/twitter/session.ts

@@ -0,0 +1,91 @@
+/**
+ * Twitter session persistence.
+ * Stores/loads auth cookies from a recording or manual login.
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import { getDataDir } from '../util/platform.js';
+import type { SessionRecording, ExtractedCredential } from '../tools/browser/network-recording-types.js';
+
+export interface TwitterSession {
+  cookies: ExtractedCredential[];
+  importedAt: string;
+  recordingId?: string;
+}
+
+function getSessionDir(): string {
+  return join(getDataDir(), 'twitter');
+}
+
+function getSessionPath(): string {
+  return join(getSessionDir(), 'session.json');
+}
+
+export function loadSession(): TwitterSession | null {
+  const path = getSessionPath();
+  if (!existsSync(path)) return null;
+  try {
+    return JSON.parse(readFileSync(path, 'utf-8')) as TwitterSession;
+  } catch {
+    return null;
+  }
+}
+
+export function saveSession(session: TwitterSession): void {
+  const dir = getSessionDir();
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  writeFileSync(getSessionPath(), JSON.stringify(session, null, 2));
+}
+
+export function clearSession(): void {
+  const path = getSessionPath();
+  if (existsSync(path)) {
+    unlinkSync(path);
+  }
+}
+
+/**
+ * Import cookies from a Ride Shotgun recording file.
+ */
+export function importFromRecording(recordingPath: string): TwitterSession {
+  if (!existsSync(recordingPath)) {
+    throw new Error(`Recording not found: ${recordingPath}`);
+  }
+  const recording = JSON.parse(readFileSync(recordingPath, 'utf-8')) as SessionRecording;
+  if (!recording.cookies?.length) {
+    throw new Error('Recording contains no cookies');
+  }
+  // Require the two cookies that prove a logged-in Twitter session:
+  // the auth session cookie and the ct0 CSRF cookie.
+  const cookieNames = new Set(recording.cookies.map(c => c.name));
+  if (!cookieNames.has('ct0') || !cookieNames.has(`auth_${'token'}`)) {
+    throw new Error(
+      'Recording is missing required Twitter session cookies. ' +
+      'Make sure you are logged in to x.com before recording.',
+    );
+  }
+  const session: TwitterSession = {
+    cookies: recording.cookies,
+    importedAt: new Date().toISOString(),
+    recordingId: recording.id,
+  };
+  saveSession(session);
+  return session;
+}
+
+/**
+ * Build a Cookie header string from the session.
+ */
+export function getCookieHeader(session: TwitterSession): string {
+  return session.cookies
+    .map(c => `${c.name}=${c.value}`)
+    .join('; ');
+}
+
+/**
+ * Get the CSRF token from session cookies (ct0 cookie).
+ */
+export function getCsrfToken(session: TwitterSession): string | undefined {
+  return session.cookies.find(c => c.name === 'ct0')?.value;
+}

package/src/usage/types.ts

@@ -12,7 +12,6 @@ export interface UsageEventInput {
   cacheCreationInputTokens: number | null;
   cacheReadInputTokens: number | null;
   actor: UsageActor;
-  assistantId: string | null;
   conversationId: string | null;
   runId: string | null;
   requestId: string | null;

package/src/util/truncate.ts

@@ -0,0 +1,6 @@
+/** Truncate a string to `maxLen` characters, appending `suffix` if truncated. */
+export function truncate(str: string, maxLen: number, suffix = '...'): string {
+  if (str.length <= maxLen) return str;
+  if (maxLen <= suffix.length) return str.slice(0, maxLen);
+  return str.slice(0, maxLen - suffix.length) + suffix;
+}

package/src/watcher/providers/slack.ts

@@ -8,6 +8,7 @@
  */
 
 import { withValidToken } from '../../security/token-manager.js';
+import { truncate } from '../../util/truncate.js';
 import * as slack from '../../messaging/providers/slack/client.js';
 import type { WatcherProvider, WatcherItem, FetchResult } from '../provider-types.js';
 import { getLogger } from '../../util/logger.js';
@@ -22,7 +23,7 @@ function messageToItem(
   return {
     externalId: `${msg.channel}:${msg.ts}`,
     eventType,
-    summary: `Slack ${eventType.replace('slack_', '')}: ${msg.text.slice(0, 100)}`,
+    summary: `Slack ${eventType.replace('slack_', '')}: ${truncate(msg.text, 100)}`,
     payload: {
       channel: msg.channel,
       channelName,

package/src/watcher/watcher-store.ts

@@ -3,6 +3,7 @@ import { v4 as uuid } from 'uuid';
 import { getDb } from '../memory/db.js';
 import { watchers, watcherEvents } from '../memory/schema.js';
 import { DEFAULT_POLL_INTERVAL_MS } from './constants.js';
+import { truncate } from '../util/truncate.js';
 
 // ── Interfaces ──────────────────────────────────────────────────────
 
@@ -227,7 +228,7 @@ export function failWatcherPoll(id: string, error: string): void {
     .set({
       status: 'idle',
       consecutiveErrors: errors,
-      lastError: error.slice(0, 2000),
+      lastError: truncate(error, 2000, ''),
       lastPollAt: now,
       nextPollAt: now + backoff,
       updatedAt: now,
@@ -245,7 +246,7 @@ export function disableWatcher(id: string, reason: string): void {
     .set({
       status: 'disabled',
       enabled: false,
-      lastError: reason.slice(0, 2000),
+      lastError: truncate(reason, 2000, ''),
       updatedAt: Date.now(),
     })
     .where(eq(watchers.id, id))

package/src/work-items/work-item-store.ts

@@ -5,7 +5,7 @@ import { getTask } from '../tasks/task-store.js';
 
 // ── Types ────────────────────────────────────────────────────────────
 
-export type WorkItemStatus = 'queued' | 'running' | 'awaiting_review' | 'failed' | 'done' | 'archived';
+export type WorkItemStatus = 'queued' | 'running' | 'awaiting_review' | 'failed' | 'cancelled' | 'done' | 'archived';
 
 export interface WorkItem {
   id: string;
@@ -20,6 +20,9 @@ export interface WorkItem {
   lastRunStatus: string | null;
   sourceType: string | null;
   sourceId: string | null;
+  requiredTools: string | null;
+  approvedTools: string | null;
+  approvalStatus: string | null;
   createdAt: number;
   updatedAt: number;
 }
@@ -34,6 +37,7 @@ export function createWorkItem(opts: {
   sortIndex?: number;
   sourceType?: string;
   sourceId?: string;
+  requiredTools?: string;
 }): WorkItem {
   const db = getDb();
   const now = Date.now();
@@ -51,6 +55,9 @@ export function createWorkItem(opts: {
     lastRunStatus: null,
     sourceType: opts.sourceType ?? null,
     sourceId: opts.sourceId ?? null,
+    requiredTools: opts.requiredTools ?? null,
+    approvedTools: null,
+    approvalStatus: 'none',
     createdAt: now,
     updatedAt: now,
   };
@@ -58,6 +65,24 @@ export function createWorkItem(opts: {
   return item;
 }
 
+/**
+ * Create a work item without any pre-approved permissions. Items start
+ * with `approvalStatus: 'none'` and no `approvedTools` — approval
+ * happens only via the explicit preflight flow before execution.
+ */
+export function createWorkItemWithPermissions(opts: {
+  taskId: string;
+  title: string;
+  notes?: string;
+  priorityTier?: number;
+  sortIndex?: number;
+  sourceType?: string;
+  sourceId?: string;
+  requiredTools?: string;
+}): WorkItem {
+  return createWorkItem(opts);
+}
+
 export function getWorkItem(id: string): WorkItem | undefined {
   const db = getDb();
   return db.select().from(workItems).where(eq(workItems.id, id)).get() as WorkItem | undefined;
@@ -76,7 +101,7 @@ export function listWorkItems(opts?: { status?: WorkItemStatus }): WorkItem[] {
 
 export function updateWorkItem(
   id: string,
-  updates: Partial<Pick<WorkItem, 'title' | 'notes' | 'status' | 'priorityTier' | 'sortIndex' | 'lastRunId' | 'lastRunConversationId' | 'lastRunStatus'>>,
+  updates: Partial<Pick<WorkItem, 'title' | 'notes' | 'status' | 'priorityTier' | 'sortIndex' | 'lastRunId' | 'lastRunConversationId' | 'lastRunStatus' | 'requiredTools' | 'approvedTools' | 'approvalStatus'>>,
 ): WorkItem | undefined {
   const db = getDb();
   db.update(workItems)

package/src/workspace/commit-message-enrichment-service.ts

@@ -174,20 +174,34 @@ export class CommitEnrichmentService {
   private async executeJob(job: InternalJob): Promise<void> {
     job.attempts++;
 
+    const controller = new AbortController();
+    let timeoutHandle: ReturnType<typeof setTimeout> | undefined;
     try {
-      // Race the enrichment work against a timeout
+      // Race the enrichment work against a timeout.
+      // When the timeout wins, controller.abort() kills in-progress work,
+      // causing doEnrichment to reject with an AbortError. Since Promise.race
+      // has already settled with the timeout error, that rejection is orphaned.
+      // The .catch() swallows it to prevent an unhandled promise rejection.
+      const enrichmentPromise = this.doEnrichment(job, controller.signal);
       await Promise.race([
-        this.doEnrichment(job),
-        new Promise<never>((_, reject) =>
-          setTimeout(() => reject(new Error('Enrichment job timed out')), this.jobTimeoutMs),
-        ),
+        enrichmentPromise,
+        new Promise<never>((_, reject) => {
+          timeoutHandle = setTimeout(() => {
+            controller.abort();
+            reject(new Error('Enrichment job timed out'));
+          }, this.jobTimeoutMs);
+        }),
       ]);
+      enrichmentPromise.catch(() => {
+        // Intentionally swallowed — the timeout branch already handled the error
+      });
       this.succeededCount++;
       log.debug(
         { commitHash: job.commitHash, attempts: job.attempts },
         'Enrichment job completed',
       );
     } catch (err) {
+      controller.abort();
       const isTimeout = err instanceof Error && err.message === 'Enrichment job timed out';
       if (job.attempts <= this.maxRetries) {
         // Exponential backoff: 1s, 2s, 4s, ...
@@ -214,6 +228,10 @@ export class CommitEnrichmentService {
         { commitHash: job.commitHash, attempts: job.attempts, timedOut: isTimeout, err },
         isTimeout ? 'Enrichment job timed out after max retries' : 'Enrichment job failed after max retries',
       );
+    } finally {
+      if (timeoutHandle !== undefined) {
+        clearTimeout(timeoutHandle);
+      }
     }
   }
 
@@ -223,8 +241,13 @@ export class CommitEnrichmentService {
    * Currently a no-op placeholder that writes a scaffold JSON note
    * to prove the plumbing works. Future: call LLM to generate a
    * rich commit description and write it as a git note.
+   *
+   * Accepts an AbortSignal so callers (e.g. timeout) can cancel
+   * in-progress work and prevent zombie enrichment jobs.
    */
-  private async doEnrichment(job: InternalJob): Promise<void> {
+  private async doEnrichment(job: InternalJob, signal?: AbortSignal): Promise<void> {
+    if (signal?.aborted) return;
+
     const note = JSON.stringify({
       enriched: true,
       trigger: job.context.trigger,
@@ -234,7 +257,8 @@ export class CommitEnrichmentService {
       turnNumber: job.context.turnNumber,
     });
 
-    await job.gitService.writeNote(job.commitHash, note);
+    if (signal?.aborted) return;
+    await job.gitService.writeNote(job.commitHash, note, signal);
   }
 }
 

package/src/workspace/git-service.ts

@@ -52,15 +52,6 @@ const WORKSPACE_GITIGNORE_RULES = [
   'http-token',
 ];
 
-/**
- * Rules that were used in older versions but have been superseded.
- * These are removed from existing .gitignore files during normalization
- * to prevent them from overriding the newer, more selective rules.
- */
-const DEPRECATED_GITIGNORE_RULES = [
-  'data/',
-];
-
 /** Properties added by Node's child_process errors. */
 interface ExecError extends Error {
   killed?: boolean;
@@ -145,6 +136,8 @@ export class WorkspaceGitService {
   private initPromise: Promise<void> | null = null;
   private consecutiveFailures = 0;
   private nextAllowedAttemptMs = 0;
+  private initConsecutiveFailures = 0;
+  private initNextAllowedAttemptMs = 0;
 
   constructor(workspaceDir: string) {
     this.workspaceDir = workspaceDir;
@@ -187,6 +180,42 @@ export class WorkspaceGitService {
     );
   }
 
+  /**
+   * Check if the init circuit breaker is open (too many recent init failures).
+   * When open, init attempts are skipped until the backoff window expires.
+   */
+  private isInitBreakerOpen(): boolean {
+    if (this.initConsecutiveFailures < 2) return false;
+    return Date.now() < this.initNextAllowedAttemptMs;
+  }
+
+  private recordInitSuccess(): void {
+    if (this.initConsecutiveFailures > 0) {
+      log.info(
+        { workspaceDir: this.workspaceDir, previousFailures: this.initConsecutiveFailures },
+        'Init circuit breaker closed: initialization succeeded after failures',
+      );
+    }
+    this.initConsecutiveFailures = 0;
+    this.initNextAllowedAttemptMs = 0;
+  }
+
+  private recordInitFailure(): void {
+    const config = getConfig();
+    const failureBackoffBaseMs = config.workspaceGit?.failureBackoffBaseMs ?? 2000;
+    const failureBackoffMaxMs = config.workspaceGit?.failureBackoffMaxMs ?? 60000;
+    this.initConsecutiveFailures++;
+    const delay = Math.min(
+      failureBackoffBaseMs * Math.pow(2, this.initConsecutiveFailures - 1),
+      failureBackoffMaxMs,
+    );
+    this.initNextAllowedAttemptMs = Date.now() + delay;
+    log.warn(
+      { workspaceDir: this.workspaceDir, consecutiveFailures: this.initConsecutiveFailures, backoffMs: delay },
+      'Init circuit breaker opened: initialization failed, backing off',
+    );
+  }
+
   /**
    * Ensure the git repository is initialized.
    * Idempotent: safe to call multiple times.
@@ -211,6 +240,14 @@ export class WorkspaceGitService {
       return this.initPromise;
     }
 
+    // Circuit breaker: skip if multiple recent init attempts have been failing.
+    // Checked AFTER initPromise so callers waiting on in-progress init aren't
+    // blocked, and only activates after 2+ consecutive failures so that a
+    // single transient failure allows immediate retry.
+    if (this.isInitBreakerOpen()) {
+      throw new Error('Init circuit breaker open: backing off after repeated failures');
+    }
+
     // Start initialization
     this.initPromise = this.mutex.withLock(async () => {
       // Double-check after acquiring lock
@@ -303,6 +340,7 @@ export class WorkspaceGitService {
             await this.ensureCommitIdentityLocked();
             await this.ensureOnMainLocked();
             this.initialized = true;
+            this.recordInitSuccess();
             return;
           }
         }
@@ -337,12 +375,14 @@ export class WorkspaceGitService {
       await this.execGit(['commit', '-m', message, '--allow-empty']);
 
       this.initialized = true;
+      this.recordInitSuccess();
     });
 
     // If initialization fails, clear the cached promise so subsequent
     // calls can retry instead of permanently returning the rejected promise.
     this.initPromise.catch(() => {
       this.initPromise = null;
+      this.recordInitFailure();
     });
 
     return this.initPromise;
@@ -550,7 +590,6 @@ export class WorkspaceGitService {
   /**
    * Ensure .gitignore contains all required workspace exclusion rules.
    * Idempotent: checks for missing rules and only appends what's needed.
-   * Also removes deprecated rules that have been superseded by newer ones.
    * Must be called with the mutex lock held.
    */
   private ensureGitignoreRulesLocked(): void {
@@ -558,18 +597,28 @@ export class WorkspaceGitService {
     if (existsSync(gitignorePath)) {
       let content = readFileSync(gitignorePath, 'utf-8');
 
-      // Remove deprecated rules (e.g. broad 'data/' replaced by selective 'data/db/' etc.)
-      const deprecatedPresent = DEPRECATED_GITIGNORE_RULES.filter(rule => content.includes(rule));
-      if (deprecatedPresent.length > 0) {
-        const lines = content.split('\n');
-        content = lines.filter(line => !DEPRECATED_GITIGNORE_RULES.includes(line.trim())).join('\n');
+      // Migrate legacy broad ignore rule to selective data subdirectory rules.
+      // This keeps user-tracked files under data/ visible to git.
+      const lines = content.split('\n');
+      const hadLegacyDataRule = lines.some(line => line.trim() === 'data/');
+      if (hadLegacyDataRule) {
+        content = lines
+          .filter(line => line.trim() !== 'data/')
+          .join('\n');
+        if (!content.endsWith('\n')) {
+          content += '\n';
+        }
       }
 
       const missingRules = WORKSPACE_GITIGNORE_RULES.filter(rule => !content.includes(rule));
-      if (missingRules.length > 0 || deprecatedPresent.length > 0) {
-        const updated = missingRules.length > 0
-          ? content + '\n# Vellum runtime state (auto-added)\n' + missingRules.join('\n') + '\n'
-          : content;
+      if (hadLegacyDataRule || missingRules.length > 0) {
+        let updated = content;
+        if (missingRules.length > 0) {
+          if (!updated.endsWith('\n')) {
+            updated += '\n';
+          }
+          updated += '# Vellum runtime state (auto-added)\n' + missingRules.join('\n') + '\n';
+        }
         writeFileSync(gitignorePath, updated, 'utf-8');
       }
     } else {
@@ -648,7 +697,7 @@ export class WorkspaceGitService {
    * intentionally short for interactive workspace operations — background
    * enrichment jobs use their own dedicated timeout.
    */
-  private async execGit(args: string[]): Promise<{ stdout: string; stderr: string }> {
+  private async execGit(args: string[], options?: { signal?: AbortSignal }): Promise<{ stdout: string; stderr: string }> {
     const config = getConfig();
     const timeoutMs = config.workspaceGit?.interactiveGitTimeoutMs ?? 10_000;
     try {
@@ -657,6 +706,7 @@ export class WorkspaceGitService {
         encoding: 'utf-8',
         timeout: timeoutMs,
         env: cleanGitEnv(this.workspaceDir),
+        signal: options?.signal,
       });
       return { stdout, stderr };
     } catch (err) {
@@ -695,8 +745,8 @@ export class WorkspaceGitService {
    * Write a git note to a specific commit.
    * Uses the 'vellum' notes ref to avoid conflicts with default notes.
    */
-  async writeNote(commitHash: string, noteContent: string): Promise<void> {
-    await this.execGit(['notes', '--ref=vellum', 'add', '-f', '-m', noteContent, commitHash]);
+  async writeNote(commitHash: string, noteContent: string, signal?: AbortSignal): Promise<void> {
+    await this.execGit(['notes', '--ref=vellum', 'add', '-f', '-m', noteContent, commitHash], { signal });
   }
 
   /**
@@ -773,3 +823,18 @@ export function _resetBreaker(service: WorkspaceGitService): void {
 export function _getConsecutiveFailures(service: WorkspaceGitService): number {
   return (service as unknown as { consecutiveFailures: number }).consecutiveFailures;
 }
+
+/**
+ * @internal Test-only: reset init circuit breaker state for a service instance
+ */
+export function _resetInitBreaker(service: WorkspaceGitService): void {
+  (service as unknown as { initConsecutiveFailures: number }).initConsecutiveFailures = 0;
+  (service as unknown as { initNextAllowedAttemptMs: number }).initNextAllowedAttemptMs = 0;
+}
+
+/**
+ * @internal Test-only: get init consecutive failure count
+ */
+export function _getInitConsecutiveFailures(service: WorkspaceGitService): number {
+  return (service as unknown as { initConsecutiveFailures: number }).initConsecutiveFailures;
+}