vellum 0.2.7 → 0.2.9

package/bun.lock

@@ -11,8 +11,8 @@
         "@huggingface/transformers": "^3.8.1",
         "@qdrant/js-client-rest": "^1.16.2",
         "@sentry/node": "^10.38.0",
-        "@vellumai/cli": "0.1.8",
-        "@vellumai/vellum-gateway": "0.1.9",
+        "@vellumai/cli": "0.1.9",
+        "@vellumai/vellum-gateway": "0.1.10",
         "agentmail": "^0.1.0",
         "archiver": "^7.0.1",
         "commander": "^13.1.0",
@@ -542,9 +542,9 @@
 
     "@typescript-eslint/visitor-keys": ["@typescript-eslint/visitor-keys@8.56.0", "", { "dependencies": { "@typescript-eslint/types": "8.56.0", "eslint-visitor-keys": "^5.0.0" } }, "sha512-q+SL+b+05Ud6LbEE35qe4A99P+htKTKVbyiNEe45eCbJFyh/HVK9QXwlrbz+Q4L8SOW4roxSVwXYj4DMBT7Ieg=="],
 
-    "@vellumai/cli": ["@vellumai/cli@0.1.8", "", { "dependencies": { "ink": "^6.7.0", "react": "^19.2.4" }, "bin": { "vellum-cli": "src/index.ts" } }, "sha512-36P6W1rV1dK9Qg0N3oFjffz1CSarkGBgqc2ZGEI1de9RPSkVWBI0QmKCZrPeg1/qDzEh3InUIsV1qjNIe7z1pg=="],
+    "@vellumai/cli": ["@vellumai/cli@0.1.9", "", { "dependencies": { "ink": "^6.7.0", "react": "^19.2.4" }, "bin": { "vellum-cli": "src/index.ts" } }, "sha512-R5f9e6K2w+k5AwicpM4lNaWnXWaD9MvCRv6YCS+c7KuMUx8yD/jzRzSJTX1cIRNLcyty1bHrpInOQ2Wl5JeZDw=="],
 
-    "@vellumai/vellum-gateway": ["@vellumai/vellum-gateway@0.1.9", "", { "dependencies": { "file-type": "^21.3.0", "pino": "^9.6.0", "pino-pretty": "^13.1.3", "zod": "^4.3.6" } }, "sha512-LNE5ueTWvyi4jJxIb99qKyanOX2H9DftR2CliC4vfU6jjLQdvvD3vZccx/VS5uVhfQsIQK08HF1XF9MtCwoJHA=="],
+    "@vellumai/vellum-gateway": ["@vellumai/vellum-gateway@0.1.10", "", { "dependencies": { "file-type": "^21.3.0", "pino": "^9.6.0", "pino-pretty": "^13.1.3", "zod": "^4.3.6" } }, "sha512-a41fGexW8RpWL4RTfZ3EM+XJMvz7t26D1axu2xAtZioXW3ZWMLGuogHnIJsgglzESl49E6VmmUsUGeD+dseV2w=="],
 
     "abort-controller": ["abort-controller@3.0.0", "", { "dependencies": { "event-target-shim": "^5.0.0" } }, "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg=="],
 

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "vellum",
-  "version": "0.2.7",
+  "version": "0.2.9",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"
   },
   "scripts": {
     "dev": "bun run src/index.ts",
+    "daemon:restart:http": "RUNTIME_HTTP_PORT=7821 bun run src/index.ts daemon restart",
     "db:generate": "drizzle-kit generate",
     "db:push": "drizzle-kit push",
     "ipc:inventory": "bun run scripts/ipc/check-contract-inventory.ts",
@@ -28,8 +29,8 @@
     "@huggingface/transformers": "^3.8.1",
     "@qdrant/js-client-rest": "^1.16.2",
     "@sentry/node": "^10.38.0",
-    "@vellumai/cli": "0.1.8",
-    "@vellumai/vellum-gateway": "0.1.9",
+    "@vellumai/cli": "0.1.9",
+    "@vellumai/vellum-gateway": "0.1.10",
     "agentmail": "^0.1.0",
     "archiver": "^7.0.1",
     "commander": "^13.1.0",

package/src/__tests__/asset-materialize-tool.test.ts

@@ -249,8 +249,8 @@ describe('AssetMaterializeTool size limit', () => {
     const db = getDb();
     const fakeId = 'oversized-attachment';
     db.run(
-      `INSERT INTO attachments (id, assistant_id, original_filename, mime_type, size_bytes, kind, data_base64, created_at)
-       VALUES ('${fakeId}', 'ast-1', 'huge.bin', 'application/octet-stream', ${51 * 1024 * 1024}, 'document', 'AAAA', ${Date.now()})`,
+      `INSERT INTO attachments (id, original_filename, mime_type, size_bytes, kind, data_base64, created_at)
+       VALUES ('${fakeId}', 'huge.bin', 'application/octet-stream', ${51 * 1024 * 1024}, 'document', 'AAAA', ${Date.now()})`,
     );
 
     const result = await assetMaterializeTool.execute(

package/src/__tests__/checker.test.ts

@@ -3854,3 +3854,107 @@ describe('computer-use tool permission defaults', () => {
     expect(risk).toBe(RiskLevel.Low);
   });
 });
+
+// ---------------------------------------------------------------------------
+// Scope-matching behavior: project-scoped vs everywhere rules
+// ---------------------------------------------------------------------------
+
+describe('scope matching behavior', () => {
+  beforeEach(() => {
+    clearCache();
+    testConfig.permissions = { mode: 'legacy' };
+    try { rmSync(join(checkerTestDir, 'protected', 'trust.json')); } catch { /* may not exist */ }
+  });
+
+  test('project-scoped rule matches tool invocations from within that directory', async () => {
+    const projectDir = '/home/user/my-project';
+    // Use the pattern format that file tools produce: "toolName:path/**"
+    addRule('file_write', 'file_write:/home/user/my-project/**', projectDir);
+
+    // Invocation from within the project directory should match
+    const result = await check('file_write', { path: '/home/user/my-project/src/index.ts' }, projectDir);
+    expect(result.decision).toBe('allow');
+    expect(result.matchedRule).toBeDefined();
+    expect(result.matchedRule!.scope).toBe(projectDir);
+  });
+
+  test('project-scoped rule matches tool invocations from subdirectory of project', async () => {
+    const projectDir = '/home/user/my-project';
+    addRule('file_write', 'file_write:/home/user/my-project/**', projectDir);
+
+    // Invocation from a subdirectory should also match (scope is a prefix match)
+    const result = await check('file_write', { path: '/home/user/my-project/src/index.ts' }, '/home/user/my-project/src');
+    expect(result.decision).toBe('allow');
+    expect(result.matchedRule).toBeDefined();
+    expect(result.matchedRule!.scope).toBe(projectDir);
+  });
+
+  test('project-scoped rule does NOT match invocations from sibling directory', async () => {
+    const projectDir = '/home/user/my-project';
+    // Use a broad pattern that matches any file, scoped to the project
+    addRule('file_write', 'file_write:*', projectDir);
+
+    // Invocation from a sibling directory should NOT match the project-scoped rule
+    const result = await check('file_write', { path: '/home/user/other-project/file.ts' }, '/home/user/other-project');
+    expect(result.decision).toBe('prompt');
+  });
+
+  test('project-scoped rule does NOT match invocations from parent directory', async () => {
+    const projectDir = '/home/user/my-project';
+    addRule('file_write', 'file_write:*', projectDir);
+
+    // Invocation from a parent directory should NOT match
+    const result = await check('file_write', { path: '/home/user/file.txt' }, '/home/user');
+    expect(result.decision).toBe('prompt');
+  });
+
+  test('project-scoped rule does NOT match directory with shared prefix', async () => {
+    // A rule for /home/user/project should NOT match /home/user/project-evil
+    // (directory-boundary enforcement in matchesScope)
+    const projectDir = '/home/user/project';
+    addRule('file_write', 'file_write:*', projectDir);
+
+    const result = await check('file_write', { path: '/home/user/project-evil/malicious.ts' }, '/home/user/project-evil');
+    expect(result.decision).toBe('prompt');
+  });
+
+  test('everywhere-scoped rule matches invocations from any directory', async () => {
+    addRule('file_write', 'file_write:*', 'everywhere');
+
+    // Should match from various directories
+    const r1 = await check('file_write', { path: 'file.ts' }, '/home/user/project-a');
+    expect(r1.decision).toBe('allow');
+    expect(r1.matchedRule).toBeDefined();
+    expect(r1.matchedRule!.scope).toBe('everywhere');
+
+    const r2 = await check('file_write', { path: 'output.txt' }, '/var/tmp');
+    expect(r2.decision).toBe('allow');
+    expect(r2.matchedRule!.scope).toBe('everywhere');
+
+    const r3 = await check('file_write', { path: 'file.json' }, '/opt/data');
+    expect(r3.decision).toBe('allow');
+    expect(r3.matchedRule!.scope).toBe('everywhere');
+  });
+
+  test('bash rule scoped to project matches commands within that project', async () => {
+    const projectDir = '/home/user/my-project';
+    addRule('bash', 'npm *', projectDir);
+
+    const result = await check('bash', { command: 'npm install' }, projectDir);
+    expect(result.decision).toBe('allow');
+    expect(result.matchedRule).toBeDefined();
+  });
+
+  test('bash rule scoped to project does NOT match commands from different project', async () => {
+    const projectDir = '/home/user/my-project';
+    addRule('bash', 'npm *', projectDir);
+
+    const result = await check('bash', { command: 'npm install' }, '/home/user/other-project');
+    // npm install is Low risk, so it falls through to auto-allow via the
+    // default sandbox bash rule, not via the project-scoped rule.
+    // The key assertion is that the project-scoped rule is NOT the matched rule.
+    if (result.matchedRule) {
+      expect(result.matchedRule.scope).not.toBe(projectDir);
+    }
+  });
+});

package/src/__tests__/config-schema.test.ts

@@ -646,7 +646,6 @@ describe('AssistantConfigSchema', () => {
     expect(result.calls).toEqual({
       enabled: true,
       provider: 'twilio',
-      webhookBaseUrl: '',
       maxDurationSeconds: 3600,
       userConsultTimeoutSeconds: 120,
       disclosure: {
@@ -659,11 +658,6 @@ describe('AssistantConfigSchema', () => {
     });
   });
 
-  test('calls.webhookBaseUrl defaults to empty string', () => {
-    const result = AssistantConfigSchema.parse({});
-    expect(result.calls.webhookBaseUrl).toBe('');
-  });
-
   test('accepts valid calls config overrides', () => {
     const result = AssistantConfigSchema.parse({
       calls: {

package/src/__tests__/forbidden-legacy-symbols.test.ts

@@ -0,0 +1,69 @@
+import { describe, test, expect } from 'bun:test';
+import { execSync } from 'node:child_process';
+import { resolve } from 'node:path';
+
+/**
+ * Guard test: fail if any legacy Twilio ingress symbols reappear in
+ * production source code, docs, configs, or scripts.
+ *
+ * Context: As part of the gateway-only ingress migration (#5948, #6000),
+ * all Twilio webhook configuration was consolidated into the gateway service.
+ * The assistant no longer manages its own Twilio webhook URLs — the gateway
+ * is the single ingress point for all telephony webhooks. Re-introducing
+ * these symbols in the assistant would bypass that architecture and create
+ * a split-brain ingress problem.
+ *
+ * Forbidden symbols:
+ *   - legacy uppercase Twilio webhook base env var
+ *   - twilioWebhookBaseUrl
+ *   - twilio_webhook_config
+ *   - calls.webhookBaseUrl
+ *
+ * Excluded directories:
+ *   - node_modules  — third-party code, not under our control
+ *   - __tests__     — test files (including this guard test) reference the
+ *                     symbols in grep patterns and assertions
+ *   - .private      — local-only developer notes and scratch files
+ */
+describe('forbidden legacy symbols', () => {
+  test('no production code references removed Twilio ingress symbols', () => {
+    const legacyEnvVar = ['TWILIO', 'WEBHOOK', 'BASE', 'URL'].join('_');
+    const forbiddenSymbols = [
+      legacyEnvVar,
+      'twilioWebhookBaseUrl',
+      'twilio_webhook_config',
+      'calls.webhookBaseUrl',
+    ];
+    const escapedPattern = forbiddenSymbols
+      .map((symbol) => symbol.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
+      .join('|');
+
+    const repoRoot = resolve(__dirname, '..', '..', '..');
+    let matches = '';
+    try {
+      matches = execSync(
+        `grep -rn -E "${escapedPattern}"` +
+        ' --include="*.ts" --include="*.tsx" --include="*.js" --include="*.mjs" --include="*.swift"' +
+        ' --include="*.json" --include="*.md" --include="*.yml" --include="*.yaml"' +
+        ' --include="*.sh"' +
+        ' --exclude-dir=node_modules --exclude-dir=__tests__ --exclude-dir=.private' +
+        ' .',
+        { cwd: repoRoot, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] },
+      );
+    } catch (err: unknown) {
+      // grep exits with code 1 when no matches are found — that is the expected (passing) case
+      const exitCode = (err as { status?: number }).status;
+      if (exitCode === 1) {
+        // No matches found — test passes
+        return;
+      }
+      // Any other error is unexpected
+      throw err;
+    }
+
+    // If we reach here, grep found matches (exit code 0) — fail the test
+    expect(matches.trim()).toBe(
+      '', // should be empty — if not, the matched lines appear in the failure message
+    );
+  });
+});