vellum 0.2.13 → 0.2.14

package/README.md

@@ -120,6 +120,38 @@ assistant/
 └── package.json
 ```
 
+## Channel Approval Flow
+
+When the assistant needs tool-use confirmation during a channel session (e.g., Telegram), the approval flow intercepts the run and surfaces an interactive prompt to the user. This is gated behind the `CHANNEL_APPROVALS_ENABLED=true` environment variable.
+
+### How it works
+
+1. **Detection** — When a channel inbound message triggers an agent loop, the runtime polls the run status. If the run transitions to `needs_confirmation`, the runtime sends an approval prompt to the gateway with inline keyboard metadata.
+2. **Interception** — Subsequent inbound messages on the same conversation are intercepted before normal processing. The handler checks for a pending approval and attempts to extract a decision from either callback data (button clicks) or plain text.
+3. **Decision** — The user's decision is mapped to the permission system (`allow` or `deny`) and applied to the pending run. For `approve_always`, a trust rule is persisted so future invocations of the same tool are auto-approved.
+4. **Reminder** — If the user sends a non-decision message while an approval is pending, a reminder prompt is re-sent with the approval buttons.
+
+### Key modules
+
+| File | Purpose |
+|------|---------|
+| `src/runtime/channel-approvals.ts` | Orchestration: `getChannelApprovalPrompt`, `buildApprovalUIMetadata`, `handleChannelDecision`, `buildReminderPrompt` |
+| `src/runtime/channel-approval-parser.ts` | Plain-text decision parser — matches phrases like `yes`, `approve`, `always`, `no`, `reject`, `deny`, `cancel` (case-insensitive) |
+| `src/runtime/channel-approval-types.ts` | Shared types: `ApprovalAction`, `ChannelApprovalPrompt`, `ApprovalUIMetadata`, `ApprovalDecisionResult` |
+| `src/runtime/routes/channel-routes.ts` | Integration point: `handleApprovalInterception` and `processChannelMessageWithApprovals` in the channel inbound handler |
+| `src/runtime/gateway-client.ts` | `deliverApprovalPrompt()` — sends the approval payload (text + UI metadata) to the gateway for rendering |
+| `src/memory/runs-store.ts` | `getPendingConfirmationsByConversation` — queries runs in `needs_confirmation` state |
+
+### Enabling
+
+Set the environment variable before starting the daemon:
+
+```bash
+CHANNEL_APPROVALS_ENABLED=true
+```
+
+When disabled (the default), channel messages follow the standard fire-and-forget processing path without approval interception.
+
 ## Database
 
 SQLite via Drizzle ORM, stored at `~/.vellum/workspace/data/db/assistant.db`. Key tables include conversations, messages, tool invocations, attachments, memory segments (with FTS5), memory items, entities, reminders, and recurrence schedules (cron + RRULE).

package/bun.lock

@@ -11,7 +11,7 @@
         "@huggingface/transformers": "^3.8.1",
         "@qdrant/js-client-rest": "^1.16.2",
         "@sentry/node": "^10.38.0",
-        "@vellumai/cli": "0.1.13",
+        "@vellumai/cli": "0.1.14",
         "@vellumai/vellum-gateway": "0.1.10",
         "agentmail": "^0.1.0",
         "archiver": "^7.0.1",
@@ -542,7 +542,7 @@
 
     "@typescript-eslint/visitor-keys": ["@typescript-eslint/visitor-keys@8.56.0", "", { "dependencies": { "@typescript-eslint/types": "8.56.0", "eslint-visitor-keys": "^5.0.0" } }, "sha512-q+SL+b+05Ud6LbEE35qe4A99P+htKTKVbyiNEe45eCbJFyh/HVK9QXwlrbz+Q4L8SOW4roxSVwXYj4DMBT7Ieg=="],
 
-    "@vellumai/cli": ["@vellumai/cli@0.1.13", "", { "dependencies": { "ink": "^6.7.0", "react": "^19.2.4", "react-devtools-core": "^6.1.2" }, "bin": { "vellum-cli": "src/index.ts" } }, "sha512-zoES1ddavpHZljC/uPkelJvIsen77aTtFwfLYAA4zdtCCf3zktS2+TaDVQxB1Eh+dbRi3Tgc+XCXbq7S86kFiQ=="],
+    "@vellumai/cli": ["@vellumai/cli@0.1.14", "", { "dependencies": { "ink": "^6.7.0", "react": "^19.2.4", "react-devtools-core": "^6.1.2" }, "bin": { "vellum-cli": "src/index.ts" } }, "sha512-SjPCBWhZIOsQaYdGswMlVpIqfFPvLEIwyBRQSMXcNayTxkMuj8nS6SyLiJau+8aD86EjrvAT1mp+Csd83wABvw=="],
 
     "@vellumai/vellum-gateway": ["@vellumai/vellum-gateway@0.1.10", "", { "dependencies": { "file-type": "^21.3.0", "pino": "^9.6.0", "pino-pretty": "^13.1.3", "zod": "^4.3.6" } }, "sha512-a41fGexW8RpWL4RTfZ3EM+XJMvz7t26D1axu2xAtZioXW3ZWMLGuogHnIJsgglzESl49E6VmmUsUGeD+dseV2w=="],
 

package/docs/skills.md

@@ -6,7 +6,7 @@ This document describes the security model for the Vellum Assistant skill system
 
 Skills extend the assistant's capabilities by providing instructions (via `SKILL.md`) and optional custom tools (via `TOOLS.json`). Skills can be **bundled** (shipped with the application), **managed** (user-installed via `scaffold_managed_skill`), **workspace** (project-local), or **extra** (additional directories configured by the user).
 
-Because skills can introduce arbitrary tool behavior, they are subject to stricter permission defaults than core tools. The permission system uses **principal-aware trust rules** and **version-bound approvals** to ensure that skill-originated actions are explicitly authorized by the user.
+Because skills can introduce arbitrary tool behavior, they are subject to stricter permission defaults than core tools.
 
 ## Permission Defaults for Skill Tools
 
@@ -37,7 +37,7 @@ The allowlist options presented during a permission prompt include both version-
 
 ## Version-Bound Approvals
 
-Trust rules can include a `principalVersion` field that binds the rule to a specific content hash of the skill's source files. This is the primary mechanism for ensuring that approving a skill does not grant blanket permission to future (potentially modified) versions of that skill.
+Trust rules for `skill_load` can use version-specific patterns (e.g., `skill_load:my-skill@v1:abc123...`) to pin approval to a specific content hash of the skill's source files.
 
 ### How version hashing works
 
@@ -50,7 +50,7 @@ The `computeSkillVersionHash(directoryPath)` function computes a deterministic S
 
 ### Version invalidation
 
-When a skill's source files change (any file added, removed, or modified), the hash changes. Trust rules with the old `principalVersion` no longer match, and the user is re-prompted. This protects against:
+When a skill's source files change (any file added, removed, or modified), the hash changes. Version-specific trust rules with the old hash no longer match, and the user is re-prompted. This protects against:
 
 - **Supply-chain attacks**: A malicious update to a managed or workspace skill cannot silently inherit previous approvals.
 - **Accidental drift**: Editing a skill's tool scripts invalidates stale approvals, ensuring the user reviews the new behavior.
@@ -155,4 +155,4 @@ Trust rules are stored in `~/.vellum/protected/trust.json`. You can inspect this
 
 ### "A skill tool keeps prompting even though I approved it."
 
-Check whether the rule in `trust.json` has a `principalVersion` field. If so, the rule is version-specific and will stop matching if the skill's code has changed since approval. Also check whether the rule has the correct `executionTarget` — a rule scoped to `sandbox` will not match a tool running on `host`.
+Check whether the rule has the correct `executionTarget` — a rule scoped to `sandbox` will not match a tool running on `host`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vellum",
-  "version": "0.2.13",
+  "version": "0.2.14",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"
@@ -29,7 +29,7 @@
     "@huggingface/transformers": "^3.8.1",
     "@qdrant/js-client-rest": "^1.16.2",
     "@sentry/node": "^10.38.0",
-    "@vellumai/cli": "0.1.13",
+    "@vellumai/cli": "0.1.14",
     "@vellumai/vellum-gateway": "0.1.10",
     "agentmail": "^0.1.0",
     "archiver": "^7.0.1",

package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap

@@ -318,7 +318,9 @@ exports[`IPC message snapshots ClientMessage types suggestion_request serializes
 
 exports[`IPC message snapshots ClientMessage types add_trust_rule serializes to expected JSON 1`] = `
 {
+  "allowHighRisk": true,
   "decision": "allow",
+  "executionTarget": "host",
   "pattern": "git *",
   "scope": "/projects/my-app",
   "toolName": "bash",
@@ -509,6 +511,40 @@ exports[`IPC message snapshots ClientMessage types app_preview_request serialize
 }
 `;
 
+exports[`IPC message snapshots ClientMessage types app_history_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "limit": 25,
+  "type": "app_history_request",
+}
+`;
+
+exports[`IPC message snapshots ClientMessage types app_diff_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "fromCommit": "abc123def456",
+  "toCommit": "789abc123def",
+  "type": "app_diff_request",
+}
+`;
+
+exports[`IPC message snapshots ClientMessage types app_file_at_version_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "commitHash": "abc123def456",
+  "path": "index.html",
+  "type": "app_file_at_version_request",
+}
+`;
+
+exports[`IPC message snapshots ClientMessage types app_restore_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "commitHash": "abc123def456",
+  "type": "app_restore_request",
+}
+`;
+
 exports[`IPC message snapshots ClientMessage types share_app_cloud serializes to expected JSON 1`] = `
 {
   "appId": "app-001",
@@ -551,6 +587,13 @@ exports[`IPC message snapshots ClientMessage types twitter_integration_config se
 }
 `;
 
+exports[`IPC message snapshots ClientMessage types telegram_config serializes to expected JSON 1`] = `
+{
+  "action": "get",
+  "type": "telegram_config",
+}
+`;
+
 exports[`IPC message snapshots ClientMessage types twitter_auth_start serializes to expected JSON 1`] = `
 {
   "type": "twitter_auth_start",
@@ -830,6 +873,19 @@ exports[`IPC message snapshots ClientMessage types identity_get serializes to ex
 }
 `;
 
+exports[`IPC message snapshots ClientMessage types tool_permission_simulate serializes to expected JSON 1`] = `
+{
+  "forcePromptSideEffects": false,
+  "input": {
+    "command": "rm -rf /tmp/test",
+  },
+  "isInteractive": true,
+  "toolName": "bash",
+  "type": "tool_permission_simulate",
+  "workingDir": "/projects/my-app",
+}
+`;
+
 exports[`IPC message snapshots ServerMessage types auth_result serializes to expected JSON 1`] = `
 {
   "success": true,
@@ -946,9 +1002,6 @@ exports[`IPC message snapshots ServerMessage types confirmation_request serializ
   "input": {
     "command": "rm -rf /tmp/test",
   },
-  "principalId": "my-skill",
-  "principalKind": "skill",
-  "principalVersion": "sha256:abcdef1234567890",
   "requestId": "req-002",
   "riskLevel": "high",
   "sandboxed": false,
@@ -1841,6 +1894,17 @@ exports[`IPC message snapshots ServerMessage types twitter_integration_config_re
 }
 `;
 
+exports[`IPC message snapshots ServerMessage types telegram_config_response serializes to expected JSON 1`] = `
+{
+  "botUsername": "my_test_bot",
+  "connected": true,
+  "hasBotToken": true,
+  "hasWebhookSecret": true,
+  "success": true,
+  "type": "telegram_config_response",
+}
+`;
+
 exports[`IPC message snapshots ServerMessage types twitter_auth_result serializes to expected JSON 1`] = `
 {
   "accountInfo": "@vellum_test",
@@ -1882,6 +1946,49 @@ exports[`IPC message snapshots ServerMessage types app_preview_response serializ
 }
 `;
 
+exports[`IPC message snapshots ServerMessage types app_history_response serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "type": "app_history_response",
+  "versions": [
+    {
+      "commitHash": "abc123def456",
+      "message": "Initial app commit",
+      "timestamp": 1700000000,
+    },
+    {
+      "commitHash": "789abc123def",
+      "message": "Update landing page",
+      "timestamp": 1700001000,
+    },
+  ],
+}
+`;
+
+exports[`IPC message snapshots ServerMessage types app_diff_response serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "diff": "diff --git a/index.html b/index.html",
+  "type": "app_diff_response",
+}
+`;
+
+exports[`IPC message snapshots ServerMessage types app_file_at_version_response serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "content": "<html><body>Hello</body></html>",
+  "path": "index.html",
+  "type": "app_file_at_version_response",
+}
+`;
+
+exports[`IPC message snapshots ServerMessage types app_restore_response serializes to expected JSON 1`] = `
+{
+  "success": true,
+  "type": "app_restore_response",
+}
+`;
+
 exports[`IPC message snapshots ServerMessage types ui_surface_undo_result serializes to expected JSON 1`] = `
 {
   "remainingUndos": 3,
@@ -2314,3 +2421,106 @@ exports[`IPC message snapshots ServerMessage types identity_get_response seriali
   "type": "identity_get_response",
 }
 `;
+
+exports[`IPC message snapshots ServerMessage types tool_permission_simulate_response serializes to expected JSON 1`] = `
+{
+  "decision": "prompt",
+  "executionTarget": "host",
+  "promptPayload": {
+    "allowlistOptions": [
+      {
+        "description": "Allow rm commands",
+        "label": "Allow rm commands",
+        "pattern": "bash:rm *",
+      },
+    ],
+    "persistentDecisionsAllowed": true,
+    "scopeOptions": [
+      {
+        "label": "In /projects/my-app",
+        "scope": "/projects/my-app",
+      },
+    ],
+  },
+  "reason": "No matching trust rule; tool requires approval",
+  "riskLevel": "high",
+  "success": true,
+  "type": "tool_permission_simulate_response",
+}
+`;
+
+exports[`IPC message snapshots ClientMessage types app_history_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "type": "app_history_request",
+}
+`;
+
+exports[`IPC message snapshots ClientMessage types app_diff_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "fromCommit": "abc123",
+  "type": "app_diff_request",
+}
+`;
+
+exports[`IPC message snapshots ClientMessage types app_file_at_version_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "commitHash": "abc123",
+  "path": "index.html",
+  "type": "app_file_at_version_request",
+}
+`;
+
+exports[`IPC message snapshots ClientMessage types app_restore_request serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "commitHash": "abc123",
+  "type": "app_restore_request",
+}
+`;
+
+exports[`IPC message snapshots ServerMessage types app_history_response serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "type": "app_history_response",
+  "versions": [
+    {
+      "commitHash": "abc123",
+      "message": "Initial commit",
+      "timestamp": 1700000000,
+    },
+  ],
+}
+`;
+
+exports[`IPC message snapshots ServerMessage types app_diff_response serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "diff": 
+"--- a/index.html
++++ b/index.html
+@@ -1 +1 @@
+-old
++new"
+,
+  "type": "app_diff_response",
+}
+`;
+
+exports[`IPC message snapshots ServerMessage types app_file_at_version_response serializes to expected JSON 1`] = `
+{
+  "appId": "app-001",
+  "content": "<html></html>",
+  "path": "index.html",
+  "type": "app_file_at_version_response",
+}
+`;
+
+exports[`IPC message snapshots ServerMessage types app_restore_response serializes to expected JSON 1`] = `
+{
+  "success": true,
+  "type": "app_restore_response",
+}
+`;

package/src/__tests__/app-git-history.test.ts

@@ -0,0 +1,176 @@
+import { describe, test, expect, beforeEach, afterEach, mock } from 'bun:test';
+import { mkdirSync, rmSync, existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { _resetGitServiceRegistry } from '../workspace/git-service.js';
+import { _resetAppGitState } from '../memory/app-git-service.js';
+
+// Mock getDataDir to use a temp directory
+let testDataDir: string;
+
+mock.module('../util/platform.js', () => ({
+  getDataDir: () => testDataDir,
+  getProjectDir: () => testDataDir,
+}));
+
+// Re-import after mocking so modules use our temp dir
+const { createApp, updateApp, deleteApp: _deleteApp, writeAppFile: _writeAppFile, editAppFile: _editAppFile, getAppsDir } = await import('../memory/app-store.js');
+const { getAppHistory, getAppDiff, getAppFileAtVersion, restoreAppVersion, commitAppChange: _commitAppChange } = await import('../memory/app-git-service.js');
+
+describe('App Git History', () => {
+  beforeEach(() => {
+    testDataDir = join(tmpdir(), `vellum-app-git-history-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(join(testDataDir, 'apps'), { recursive: true });
+    _resetGitServiceRegistry();
+    _resetAppGitState();
+  });
+
+  afterEach(() => {
+    if (existsSync(testDataDir)) {
+      rmSync(testDataDir, { recursive: true, force: true });
+    }
+  });
+
+  /** Wait for fire-and-forget commits to complete. */
+  async function waitForCommits(): Promise<void> {
+    await new Promise(resolve => setTimeout(resolve, 500));
+  }
+
+  test('getAppHistory returns commits for a specific app', async () => {
+    const app = createApp({
+      name: 'History App',
+      schemaJson: '{}',
+      htmlDefinition: '<h1>v1</h1>',
+    });
+    await waitForCommits();
+
+    updateApp(app.id, { htmlDefinition: '<h1>v2</h1>' });
+    await waitForCommits();
+
+    const history = await getAppHistory(app.id);
+    expect(history.length).toBeGreaterThanOrEqual(2);
+    expect(history[0].message).toContain('Update app');
+    // The create commit may be absorbed into the "Initial commit" on a fresh repo
+    expect(history[history.length - 1].message).toMatch(/Create app|Initial commit/);
+    expect(history[0].commitHash).toMatch(/^[0-9a-f]+$/);
+    expect(history[0].timestamp).toBeGreaterThan(0);
+  });
+
+  test('getAppHistory does not return commits for other apps', async () => {
+    const app1 = createApp({
+      name: 'App One',
+      schemaJson: '{}',
+      htmlDefinition: '<p>one</p>',
+    });
+    await waitForCommits();
+
+    const app2 = createApp({
+      name: 'App Two',
+      schemaJson: '{}',
+      htmlDefinition: '<p>two</p>',
+    });
+    await waitForCommits();
+
+    const history1 = await getAppHistory(app1.id);
+    const history2 = await getAppHistory(app2.id);
+
+    // App1's history should only contain its own commits
+    expect(history1.every(v => v.message.includes('App One') || v.message.includes('Initial commit'))).toBe(true);
+    // App2's history should only contain its own commits
+    expect(history2.every(v => v.message.includes('App Two') || v.message.includes('Initial commit'))).toBe(true);
+  });
+
+  test('getAppHistory respects limit', async () => {
+    const app = createApp({
+      name: 'Limited App',
+      schemaJson: '{}',
+      htmlDefinition: '<p>v1</p>',
+    });
+    await waitForCommits();
+
+    updateApp(app.id, { htmlDefinition: '<p>v2</p>' });
+    await waitForCommits();
+
+    updateApp(app.id, { htmlDefinition: '<p>v3</p>' });
+    await waitForCommits();
+
+    const limited = await getAppHistory(app.id, 2);
+    expect(limited.length).toBe(2);
+  });
+
+  test('getAppDiff shows changes between versions', async () => {
+    const app = createApp({
+      name: 'Diff App',
+      schemaJson: '{}',
+      htmlDefinition: '<p>original</p>',
+    });
+    await waitForCommits();
+
+    const history1 = await getAppHistory(app.id);
+    const createHash = history1[0].commitHash;
+
+    updateApp(app.id, { htmlDefinition: '<p>modified</p>' });
+    await waitForCommits();
+
+    const history2 = await getAppHistory(app.id);
+    const updateHash = history2[0].commitHash;
+
+    const diff = await getAppDiff(app.id, createHash, updateHash);
+    expect(diff).toContain('original');
+    expect(diff).toContain('modified');
+  });
+
+  test('getAppFileAtVersion returns file content at a specific commit', async () => {
+    const app = createApp({
+      name: 'File Version App',
+      schemaJson: '{}',
+      htmlDefinition: '<p>version one</p>',
+    });
+    await waitForCommits();
+
+    const history1 = await getAppHistory(app.id);
+    const v1Hash = history1[0].commitHash;
+
+    updateApp(app.id, { htmlDefinition: '<p>version two</p>' });
+    await waitForCommits();
+
+    // Get the file at v1 — should show old content
+    const v1Content = await getAppFileAtVersion(app.id, 'index.html', v1Hash);
+    expect(v1Content).toContain('version one');
+    expect(v1Content).not.toContain('version two');
+
+    // Current file should show new content
+    const currentContent = readFileSync(join(getAppsDir(), app.id, 'index.html'), 'utf-8');
+    expect(currentContent).toContain('version two');
+  });
+
+  test('restoreAppVersion restores files and creates a new commit', async () => {
+    const app = createApp({
+      name: 'Restore App',
+      schemaJson: '{}',
+      htmlDefinition: '<p>original content</p>',
+    });
+    await waitForCommits();
+
+    const history1 = await getAppHistory(app.id);
+    const originalHash = history1[0].commitHash;
+
+    updateApp(app.id, { htmlDefinition: '<p>new content</p>' });
+    await waitForCommits();
+
+    // Verify current content is "new content"
+    let current = readFileSync(join(getAppsDir(), app.id, 'index.html'), 'utf-8');
+    expect(current).toContain('new content');
+
+    // Restore to original
+    await restoreAppVersion(app.id, originalHash);
+
+    // Verify content is restored
+    current = readFileSync(join(getAppsDir(), app.id, 'index.html'), 'utf-8');
+    expect(current).toContain('original content');
+
+    // Verify a restore commit was created
+    const history2 = await getAppHistory(app.id);
+    expect(history2[0].message).toContain('Restore app');
+  });
+});