QA Video Automation: Recording, Finalization & File-backed Attachments

[Jasonnnz]

Summary

Enables Velly to run QA/test workflows through computer-use sessions, record the screen, and return a playable + draggable video in chat. Adds QA intent detection, IPC contract extensions, daemon-side finalization handling with summary + attachment injection, macOS screen recording lifecycle, file-backed attachment storage with HTTP range-request streaming, chat video playback with drag-to-Finder support, and configurable retention cleanup.

Changes

• QA Intent Detection: detectQaIntent() pattern-matches QA/test commands and natural-language requests (narrowed to avoid false positives on common words like "check")
• IPC Contract Extensions: reportToSessionId, qaMode on CuSessionCreate and TaskRouted; conversationId on TaskSubmit; retentionDays, captureScope, includeAudio on TaskRouted; new CuSessionFinalized message with recording metadata
• Daemon Routing: Task routing and escalation handlers detect QA intent, set qaMode + reportToSessionId, pass retention/capture config
• Client QA Wiring: AppDelegate+Sessions.swift reads qaMode from task_routed, creates ScreenRecorder, passes QA params + retention + capture config to ComputerUseSession; sends conversationId in task_submit
• Daemon Finalization Handler: handleCuSessionFinalized creates file-backed attachment (always, for cleanup), injects summary + attachment into source chat (when reportToSessionId present). Uses recordingTracked flag to catch all edge cases.
• File-backed Attachment Schema: New storageKind, filePath, sha256, expiresAt columns; createFileBackedAttachment() for large files; backward-compatible
• Content Streaming Endpoint: GET /v1/attachments/:id/content with RFC 7233 range request support
• macOS Recording Lifecycle: ScreenRecorder using ScreenCaptureKit; integrated into Session.swift; configurable retention + capture scope + audio from daemon config
• Capture Scope Resolution: When captureScope is "window", resolves topmost non-self CGWindowID (excludes own PID + filters to layer 0); when "display", passes CGMainDisplayID(). Falls back gracefully.
• Chat Video UX: InlineVideoAttachmentView fetches from /content for file-backed attachments; .onDrag for drag-to-Finder
• Retention Cleanup: Configurable qaRecording.defaultRetentionDays; background cleanup task; orphan recordings tracked in DB
• Cancel Safety: Deferred abort with safety-net timer; timer properly disarmed via Task.isCancelled guard
• Metadata Lifecycle: Socket close handler owns socketToCuSession cleanup; targeted cleanup on session replacement
• Recording Fallback: recordingTracked flag ensures all untracked recordings get DB entries (missing conversation, empty summary, etc.)

Milestone PRs

• M1: IPC Contract Extensions + Swift Codegen #6907: M1: IPC Contract Extensions + Swift Codegen
• M2: Daemon Finalization Handler + CU Metadata Plumbing #6909: M2: Daemon Finalization Handler + CU Metadata Plumbing
• M3: File-backed Attachment Schema + Content Streaming Endpoint #6911: M3: File-backed Attachment Schema + Content Streaming Endpoint
• M4: macOS Recording Lifecycle + Chat Video UX #6916: M4: macOS Recording Lifecycle + Chat Video UX
• M5: Retention Cleanup + Tests + Documentation #6919: M5: Retention Cleanup + Tests + Documentation

Fix PRs

• Fix M1 review feedback: Swift init + codegen INT_PATTERNS #6910: Fix M1 review: Swift init + codegen INT_PATTERNS
• Fix M2 + M1-fix review feedback: metadata race + latencyMs type #6912: Fix M2 + M1-fix review: metadata race + latencyMs type
• Fix M3 feedback: legacy migration + RFC 7233 range clamping #6913: Fix M3 review: legacy migration + RFC 7233 range clamping
• Fix M4 feedback: finalize ordering + recorder defer cleanup #6920: Fix M4 review: finalize ordering + recorder defer cleanup
• Fix feedback: metadata leak on disconnect + storage_kind NOT NULL #6924: Fix: metadata leak on disconnect + storage_kind NOT NULL
• Fix M5 feedback: bound cleanup interval to prevent overflow #6925: Fix M5 review: bound cleanup interval to prevent overflow
• Fix cancel ordering: send abort after finalization for QA sessions #6926: Fix cancel ordering: send abort after finalization for QA sessions
• Fix metadata race: let socket close handler own socketToCuSession cleanup #6931: Fix metadata race: socket close handler owns socketToCuSession cleanup
• Fix cancel safety: deferred abort fallback for QA sessions #6932: Fix cancel safety: deferred abort fallback for QA sessions
• Fix session replacement: remove stale socket-to-session mapping #6933: Fix session replacement: remove stale socket-to-session mapping
• Fix cancel race: disarm safety-net timer before QA finalization #6934: Fix cancel race: disarm safety-net timer before QA finalization
• Wire QA intent detection in daemon routing + fix epoch units #6941: Wire QA intent detection + routing metadata + epoch fix
• Create file-backed attachment on QA finalize + video /content streaming #6943: File-backed attachment on finalize + video /content streaming
• Wire QA mode in macOS client: create recorder when daemon signals QA intent #6945: Wire QA mode in macOS client
• Fix direct QA reporting + configurable retention + orphan recording tracking #6951: Direct QA reporting + configurable retention + orphan recording tracking
• Fix ARCHITECTURE.md: clarify QA recording conditional paths #6952: Fix ARCHITECTURE.md QA recording data flow accuracy
• fix: recording fallback tracks all untracked recordings #6960: Fix recording fallback: track all untracked recordings
• feat: wire QA recording captureScope and includeAudio config #6967: Wire captureScope and includeAudio config to client
• fix: apply captureScope to resolve actual window/display for recording #6968: Apply captureScope to resolve actual window/display for recording
• fix: exclude own PID from window capture resolution #6975: Exclude own PID from window capture resolution
• fix: narrow QA intent detection + fix safety-net timer race #6978: Narrow QA intent regex + fix safety-net timer race

Known limitations (deferred to M3/M4)

• QA intent detection is regex-based — Works for direct commands but misses nuanced requests ("smoke test onboarding"). LLM-based semantic classification planned for M3.
• Capture config is daemon-config-only, not per-request — captureScope and includeAudio always come from daemon config. Per-request overrides planned for M3.
• Chat injection requires conversationId — If absent on task_submit, recording is tracked for cleanup but not injected into chat. Product decision deferred.
• Saved QA scripts (M3) and scheduled self-QA (M4) remain unimplemented.

Project issue

Closes #6899

Test plan

• Verify IPC contract snapshot test passes
• Verify file-backed attachment CRUD tests pass
• Verify attachment content route tests (range requests, 206/416 responses)
• Verify recording cleanup tests
• Verify cu_session_finalized handler tests (7 tests including edge cases)
• Manual: send "test the onboarding flow" and verify QA intent triggers recording
• Manual: send "check my email" and verify QA mode does NOT trigger
• Manual: verify recording appears as playable video in chat with drag support
• Manual: verify retention cleanup removes expired recordings
• Manual: set qaRecording.captureScope to "window" and verify target app window is captured (not Vellum)

Generated with Claude Code

[Jasonnnz]

Addressed review feedback in #6978:

• QA intent false positives: Removed 'check' from direct prefix regex and natural language patterns — 'check my email', 'check the weather' no longer trigger QA mode.
• Safety-net timer race: Added guard !Task.isCancelled to properly disarm the cancel safety-net when run() cancels it.
• Already fixed in prior PRs: Recording orphaning (fix: recording fallback tracks all untracked recordings #6960), attachment persistence (Create file-backed attachment on QA finalize + video /content streaming #6943), socketToCuSession cleanup (Fix metadata race: let socket close handler own socketToCuSession cleanup #6931, Fix session replacement: remove stale socket-to-session mapping #6933), expiresAt epoch mismatch (Wire QA intent detection in daemon routing + fix epoch units #6941).

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 38 additional findings in Devin Review.

[devin-ai-integration]

🟡 Overly broad /\bvellum\b/i catch-all pattern causes false-positive target-app locking

The third pattern in the Vellum APP_HINTS entry (/\bvellum\b/i) matches any task text containing the standalone word "vellum", regardless of context. Because the Vellum entry is the first in the APP_HINTS array, it takes priority over all other app entries.

Root Cause & Impact

The function's own docstring states "This is intentionally conservative: only high-confidence patterns should lock the CU session to an app." However, /\bvellum\b/i is a bare-word match that fires on any mention of "vellum" — including non-app-reference contexts like:

• "test Chrome's rendering of vellum.ai pages" → locks to Vellum instead of Chrome
• "QA the login flow at vellum.ai in Safari" → locks to Vellum instead of Safari
• "search for vellum paper types" → locks to Vellum (no app intended)

When the session is locked to the wrong app, the daemon-side isTargetAppMatch in assistant/src/daemon/computer-use-session.ts:685-706 blocks opening the intended app, and the client-side frontmost-app guard blocks actions when the correct app is in front. In strictVisualQa mode, this causes the session to fail immediately.

The other two patterns in the Vellum entry are properly contextualized (/\b(vellum|velly)\s+(desktop\s+)?app\b/ requires "app" after the name, and /\b(vellum|velly)\s+assistant\b/ requires "assistant"). Only the third pattern is problematic.

Suggested change

	patterns: [/\b(vellum|velly)\s+(desktop\s+)?app\b/, /\b(vellum|velly)\s+assistant\b/, /\bvellum\b/i],
	patterns: [/\b(vellum|velly)\s+(desktop\s+)?app\b/, /\b(vellum|velly)\s+assistant\b/, contextPattern('vellum')],

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 48 additional findings in Devin Review.

[devin-ai-integration]

🔴 cu_session_finalized allows arbitrary file-path attachment creation and file exfiltration

handleCuSessionFinalized persists file-backed attachments using the client-supplied msg.recording.localPath directly, without validating that the path is inside the recordings directory or otherwise trusted. The /v1/attachments/:id/content route later serves file-backed attachments by reading attachment.filePath from disk (assistant/src/runtime/routes/attachment-routes.ts:168-232).

Root Cause

The handler writes attacker-controlled paths into attachment metadata:

• Injection path: filePath: msg.recording.localPath when creating linked attachment (assistant/src/daemon/handlers/computer-use.ts:270-271)
• Fallback path: same unvalidated assignment in orphan-tracking path (assistant/src/daemon/handlers/computer-use.ts:353-354)

Because content serving trusts DB filePath, any authenticated client that can send cu_session_finalized can point an attachment at arbitrary readable files (for example, /etc/passwd or user secrets) and then fetch them via the new content endpoint.

Actual behavior: daemon accepts arbitrary localPath and later streams that file.

Expected behavior: daemon should only accept canonicalized paths within the managed recordings directory (or require a server-generated handle), rejecting out-of-root or non-recording paths.

Impact: local file disclosure / privilege boundary bypass through the attachment-content API.

Prompt for agents

In assistant/src/daemon/handlers/computer-use.ts, harden handleCuSessionFinalized so msg.recording.localPath cannot reference arbitrary files. In both createFileBackedAttachment call sites (around lines 266-274 and 349-356), canonicalize and validate the path before use: resolve realpath (or normalized absolute path), ensure it is inside the expected recordings root (from platform/data-dir config, e.g. <AppSupport>/vellum-assistant/recordings), reject symlink escapes and traversal, and verify the file exists and is a regular file. If validation fails, log a security warning and skip attachment creation. Also consider adding a helper function in this file for path validation to avoid duplication and keep behavior consistent between the primary and fallback attachment paths. Finally, add tests covering path traversal and out-of-root rejection in assistant/src/__tests__/cu-session-finalized.test.ts and/or attachment-content route tests.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[Jasonnnz]

This feature branch/PR has been quite the hill climb. Havent been able to get QA use case across due to CU not detecting. And trying to extract features out of this is proving to be extremely hard lol. Will cut my losses, extract the larger features out and do this smaller scale and just merge the branches sooner.

Still need to tweak the final QA usecase to see if we can get CU to properly handle it, but will work on bringing in screen recording capabilities first (as well as in chat viewing of recordings)

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 49 additional findings in Devin Review.

[devin-ai-integration]

🟡 APP_HINTS returns appName 'Vellum' but tests and macOS app expect 'Vellum Assistant'

The Vellum entry in APP_HINTS at assistant/src/daemon/target-app-hints.ts:46 sets appName: 'Vellum', but the corresponding tests at assistant/src/__tests__/target-app-hints.test.ts:9,14,19 all expect appName: 'Vellum Assistant'. The function resolveComputerUseTargetAppHint returns { appName: entry.appName, bundleId: entry.bundleId } directly from the table, so the tests will fail.

Root Cause and Impact

The APP_HINTS table entry for Vellum uses appName: 'Vellum' but the actual macOS application name is "Vellum Assistant" (bundle ID com.vellum.vellum-assistant). Three tests explicitly assert appName: 'Vellum Assistant'.

Beyond failing tests, appName propagates through the system:

• It's sent as targetAppName in CuSessionCreate and TaskRouted messages
• It's injected into the CU system prompt via buildComputerUseSystemPrompt (assistant/src/config/computer-use-prompt.ts:26)
• The Swift client's isExternalAppTarget at AppDelegate+Sessions.swift:79 checks both "vellum" and "vellum assistant" — returning 'Vellum' instead of 'Vellum Assistant' could cause incorrect external/internal classification
• The ActionExecutor.appAliases maps "vellum" → "Vellum", but the actual .app bundle may be named "Vellum Assistant.app", causing openApp to fail to find the app in filesystem search paths

Suggested change

	appName: 'Vellum',
	appName: 'Vellum Assistant',

---

Was this helpful? React with 👍 or 👎 to provide feedback.