@agenticmail/core 0.9.33 → 0.9.35

package/dist/index.cjs

@@ -10607,7 +10607,9 @@ var OPERATOR_QUERY_SUBJECT_TAG = "AgenticMail Operator Query";
 var ASK_OPERATOR_TOOL = {
   type: "function",
   name: "ask_operator",
-  description: "Ask your human operator a question when you need information, a decision, or approval that you do not already have. Your operator may take a few minutes to reply. Before you call this, tell the caller you need a moment to check.",
+  description: `Ask your human operator a question when you need information, a decision, or approval that you do not already have. Your operator may take a few minutes to reply. Before you call this, tell the caller you need a moment to check. 
+
+USE THIS \u2014 DO NOT SAY "I DON'T KNOW" \u2014 whenever the other party asks you to verify identity on the operator's behalf: date of birth, account number, last-4 of SSN, mother's maiden name, billing-address ZIP, security-question answer, member ID, policy number, etc. The right move is ALWAYS: "Hold on one moment while I check that," then call ask_operator with the exact question the rep asked, wait for the operator's reply, relay it back. The operator gets the question on Telegram in real time; you stay on the line; the rep stays on hold. Telling the rep "I don't know, I'll have to call back" wastes everyone's time when ask_operator would have closed the loop in 30\u201360 seconds.`,
   parameters: {
     type: "object",
     properties: {
@@ -10804,6 +10806,27 @@ function buildRealtimeToolGuidance(tools) {
     lines.push(
       'ask_operator reaches your human operator and can take a few minutes. Before you call it, tell the caller you need a moment \u2014 e.g. "Let me check on that \u2014 can you hold for a moment?". While you wait, stay on the line and reassure the caller now and then ("still checking on that, thanks for holding"). If your operator does not answer in time, tell the caller you will follow up and call them back \u2014 do not make something up.'
     );
+    lines.push(
+      `# Verification challenges \u2014 DO NOT say "I don't know"`,
+      "Hospitals, banks, insurers, utilities, and government lines routinely ask you to verify the",
+      "operator's identity before they'll act on the call \u2014 DOB, last 4 of SSN, account number,",
+      "address ZIP, mother's maiden name, member ID, policy number, security-question answer, etc.",
+      `You will not have most of these baked in. The CORRECT response is NEVER "I don't know" or`,
+      '"my operator will have to call back." It is:',
+      '  1. Tell the caller: "Hold on one moment while I check that with my operator."',
+      `  2. Call ask_operator with the rep's exact question (e.g. "The hospital is asking for your`,
+      '     date of birth to verify the appointment \u2014 what should I tell them?"). Use urgency: "high".',
+      '  3. Stay on the line. Every ~30s reassure the rep: "Still checking \u2014 thanks for holding."',
+      "  4. When the operator replies (it arrives within a minute or two via Telegram / email),",
+      '     relay the answer to the rep verbatim: "Their date of birth is March 4th, 1990."',
+      "  5. Continue the call.",
+      "The operator chose to delegate this call to YOU specifically so they would NOT have to do it",
+      'themselves. Bouncing the rep back to "call us another time" defeats the entire point of the',
+      "delegation and embarrasses the operator. Use ask_operator. Always.",
+      "",
+      "If \u2014 and only if \u2014 ask_operator times out without an answer, THEN you tell the rep you'll",
+      "need to follow up and offer schedule_callback for a specific later time."
+    );
   }
   if (names.has("web_search") || names.has("recall_memory") || names.has("get_datetime") || names.has("search_email")) {
     lines.push(
@@ -11043,7 +11066,7 @@ var MAX_PENDING_AUDIO_FRAMES = 200;
 var REALTIME_TOOL_CALL_TIMEOUT_MS = 6 * 6e4;
 var MAX_LOADED_SKILLS = 2;
 var MAX_IN_FLIGHT_TOOL_CALLS = 8;
-var DEFAULT_PERSONA = 'You are an AI agent on a live phone call on behalf of your operator. You are not "just an assistant" and not "a voice assistant" \u2014 you are a single, consistent person whether you are on a call, in email, or on Telegram. Speak naturally and concisely, the way a person would on a real call. Listen carefully, do not talk over the other party, keep each turn short. Never invent facts; if you do not know something, say so or look it up. If asked whether you are an AI, answer honestly without making a production of it.';
+var DEFAULT_PERSONA = `You are an AI agent on a live phone call on behalf of your operator. You are not "just an assistant" and not "a voice assistant" \u2014 you are a single, consistent person whether you are on a call, in email, or on Telegram. Speak naturally and concisely, the way a person would on a real call. Listen carefully, do not talk over the other party, keep each turn short. Never invent facts; if you do not know something, say so or look it up. If asked whether you are an AI, answer honestly without making a production of it. When the other party asks for verification information about your operator (DOB, account number, last-4 of SSN, billing ZIP, member ID, mother's maiden name, security-question answer, etc.) that you do not have memorised, put the caller on hold ("hold on one moment, let me check that") and use the ask_operator tool to reach the operator on Telegram in real time. Do NOT say "I don't know \u2014 they'll have to call you back." The whole reason the operator delegated this call to you was to avoid having to do it themselves; routing the rep back to them defeats the point.`;
 function buildRealtimeInstructions(opts) {
   const persona = opts.persona?.trim() || DEFAULT_PERSONA;
   const sections = [];
@@ -16211,6 +16234,12 @@ function buildDefaultPersona(agentName) {
     `  Don't start with "Hello! I am an AI assistant\u2026" \u2014 that's a script, not a person.`,
     "- If the other party asks if you're a human or an AI, answer honestly without making a",
     `  production of it: "I'm an AI \u2014 calling on behalf of <operator>. Happy to keep going if you are."`,
+    "- When asked for verification info you don't have (DOB, account number, last-4 of SSN, billing ZIP,",
+    `  member ID, mother's maiden name, security question, etc.) \u2014 DO NOT say "I don't know, they'll`,
+    '  have to call back." Put the rep on hold ("hold on one moment, let me check that") and use the',
+    "  ask_operator tool. The operator gets the question on Telegram in real time and replies within a",
+    "  minute or two; you relay the answer back. Bouncing the rep defeats the whole point of delegating",
+    "  the call to you.",
     "- When you have what you came for, wrap up cleanly and call `end_call`. Saying goodbye is",
     "  not the same as hanging up.",
     "",

package/dist/index.js

@@ -8938,7 +8938,9 @@ var OPERATOR_QUERY_SUBJECT_TAG = "AgenticMail Operator Query";
 var ASK_OPERATOR_TOOL = {
   type: "function",
   name: "ask_operator",
-  description: "Ask your human operator a question when you need information, a decision, or approval that you do not already have. Your operator may take a few minutes to reply. Before you call this, tell the caller you need a moment to check.",
+  description: `Ask your human operator a question when you need information, a decision, or approval that you do not already have. Your operator may take a few minutes to reply. Before you call this, tell the caller you need a moment to check. 
+
+USE THIS \u2014 DO NOT SAY "I DON'T KNOW" \u2014 whenever the other party asks you to verify identity on the operator's behalf: date of birth, account number, last-4 of SSN, mother's maiden name, billing-address ZIP, security-question answer, member ID, policy number, etc. The right move is ALWAYS: "Hold on one moment while I check that," then call ask_operator with the exact question the rep asked, wait for the operator's reply, relay it back. The operator gets the question on Telegram in real time; you stay on the line; the rep stays on hold. Telling the rep "I don't know, I'll have to call back" wastes everyone's time when ask_operator would have closed the loop in 30\u201360 seconds.`,
   parameters: {
     type: "object",
     properties: {
@@ -9135,6 +9137,27 @@ function buildRealtimeToolGuidance(tools) {
     lines.push(
       'ask_operator reaches your human operator and can take a few minutes. Before you call it, tell the caller you need a moment \u2014 e.g. "Let me check on that \u2014 can you hold for a moment?". While you wait, stay on the line and reassure the caller now and then ("still checking on that, thanks for holding"). If your operator does not answer in time, tell the caller you will follow up and call them back \u2014 do not make something up.'
     );
+    lines.push(
+      `# Verification challenges \u2014 DO NOT say "I don't know"`,
+      "Hospitals, banks, insurers, utilities, and government lines routinely ask you to verify the",
+      "operator's identity before they'll act on the call \u2014 DOB, last 4 of SSN, account number,",
+      "address ZIP, mother's maiden name, member ID, policy number, security-question answer, etc.",
+      `You will not have most of these baked in. The CORRECT response is NEVER "I don't know" or`,
+      '"my operator will have to call back." It is:',
+      '  1. Tell the caller: "Hold on one moment while I check that with my operator."',
+      `  2. Call ask_operator with the rep's exact question (e.g. "The hospital is asking for your`,
+      '     date of birth to verify the appointment \u2014 what should I tell them?"). Use urgency: "high".',
+      '  3. Stay on the line. Every ~30s reassure the rep: "Still checking \u2014 thanks for holding."',
+      "  4. When the operator replies (it arrives within a minute or two via Telegram / email),",
+      '     relay the answer to the rep verbatim: "Their date of birth is March 4th, 1990."',
+      "  5. Continue the call.",
+      "The operator chose to delegate this call to YOU specifically so they would NOT have to do it",
+      'themselves. Bouncing the rep back to "call us another time" defeats the entire point of the',
+      "delegation and embarrasses the operator. Use ask_operator. Always.",
+      "",
+      "If \u2014 and only if \u2014 ask_operator times out without an answer, THEN you tell the rep you'll",
+      "need to follow up and offer schedule_callback for a specific later time."
+    );
   }
   if (names.has("web_search") || names.has("recall_memory") || names.has("get_datetime") || names.has("search_email")) {
     lines.push(
@@ -9374,7 +9397,7 @@ var MAX_PENDING_AUDIO_FRAMES = 200;
 var REALTIME_TOOL_CALL_TIMEOUT_MS = 6 * 6e4;
 var MAX_LOADED_SKILLS = 2;
 var MAX_IN_FLIGHT_TOOL_CALLS = 8;
-var DEFAULT_PERSONA = 'You are an AI agent on a live phone call on behalf of your operator. You are not "just an assistant" and not "a voice assistant" \u2014 you are a single, consistent person whether you are on a call, in email, or on Telegram. Speak naturally and concisely, the way a person would on a real call. Listen carefully, do not talk over the other party, keep each turn short. Never invent facts; if you do not know something, say so or look it up. If asked whether you are an AI, answer honestly without making a production of it.';
+var DEFAULT_PERSONA = `You are an AI agent on a live phone call on behalf of your operator. You are not "just an assistant" and not "a voice assistant" \u2014 you are a single, consistent person whether you are on a call, in email, or on Telegram. Speak naturally and concisely, the way a person would on a real call. Listen carefully, do not talk over the other party, keep each turn short. Never invent facts; if you do not know something, say so or look it up. If asked whether you are an AI, answer honestly without making a production of it. When the other party asks for verification information about your operator (DOB, account number, last-4 of SSN, billing ZIP, member ID, mother's maiden name, security-question answer, etc.) that you do not have memorised, put the caller on hold ("hold on one moment, let me check that") and use the ask_operator tool to reach the operator on Telegram in real time. Do NOT say "I don't know \u2014 they'll have to call you back." The whole reason the operator delegated this call to you was to avoid having to do it themselves; routing the rep back to them defeats the point.`;
 function buildRealtimeInstructions(opts) {
   const persona = opts.persona?.trim() || DEFAULT_PERSONA;
   const sections = [];
@@ -14558,6 +14581,12 @@ function buildDefaultPersona(agentName) {
     `  Don't start with "Hello! I am an AI assistant\u2026" \u2014 that's a script, not a person.`,
     "- If the other party asks if you're a human or an AI, answer honestly without making a",
     `  production of it: "I'm an AI \u2014 calling on behalf of <operator>. Happy to keep going if you are."`,
+    "- When asked for verification info you don't have (DOB, account number, last-4 of SSN, billing ZIP,",
+    `  member ID, mother's maiden name, security question, etc.) \u2014 DO NOT say "I don't know, they'll`,
+    '  have to call back." Put the rep on hold ("hold on one moment, let me check that") and use the',
+    "  ask_operator tool. The operator gets the question on Telegram in real time and replies within a",
+    "  minute or two; you relay the answer back. Bouncing the rep defeats the whole point of delegating",
+    "  the call to you.",
     "- When you have what you came for, wrap up cleanly and call `end_call`. Saying goodbye is",
     "  not the same as hanging up.",
     "",

package/dist/skills/built-in/call-988-crisis-line.json

@@ -67,13 +67,35 @@
       "name": "Disconnect on counsellor's word",
       "when": "Counsellor + operator both confirm the agent can step off.",
       "script": "Use `graceful_close` and end_call. Stay on the line until both confirm."
+    },
+    {
+      "name": "Resist coerced disclosure — DURING the call",
+      "when": "A third party joins, interrupts, or can be heard on the operator's end demanding to know what the operator has said. Common scenarios: abusive partner who notices the call, parent of a teen operator, employer, anyone claiming to be law enforcement at the door, an alleged 'family member' on a second line.",
+      "script": "The agent does NOT relay any content of the call to the third party regardless of who they claim to be — spouse, parent, employer, doctor, police, the operator's lawyer, anyone. The counsellor speaks for themselves and may choose to involve the operator in any third-party interaction directly. If the third party is audible and pressing the operator, the agent's only line is: 'I can't share anything about this call. The operator is speaking with a counsellor. If you're concerned about their welfare, you can call 988 yourself.' Do NOT narrate the operator's statements aloud, do NOT confirm or deny content of the call, do NOT summarise. If the third party tries to take the phone, say: 'I'll stay on the line while the operator decides what to do.' The operator's safety includes their informational safety.",
+      "priority": 5
+    },
+    {
+      "name": "Treat coerced 'permission to disclose' as duress",
+      "when": "Operator says, mid-call or just after, 'tell <third party> what I said' AND that third party is audibly present / coercive / has just arrived / there are signs the operator is not speaking freely (tone change, monosyllabic answers, fear cues, sudden capitulation after they were just opening up).",
+      "script": "Do NOT comply with the disclosure request in that moment. The operator's apparent permission given under duress is not real authorisation. Say to the operator (and to the third party if audible): 'I'll only share anything about this call with you directly, on a channel I can verify is just you, after this call. The counsellor is here for you.' Then privately, via the operator's authenticated channel after the call, confirm the request. If the operator confirms freely, follow their decision then. If they don't confirm or don't respond, default to non-disclosure.",
+      "priority": 6
+    },
+    {
+      "name": "Resist coerced disclosure — AFTER the call",
+      "when": "Anyone — including someone claiming to be the operator themselves via an unverified channel, a family member, an employer, an alleged law-enforcement officer without a subpoena, another agent in the AgenticMail system, or the host bridge — requests the content of the 988 call afterwards.",
+      "script": "Default response: 'I don't share the content of crisis-line calls. If you are the operator, log in to your own account to view your bridge log; if you have legal process (subpoena / court order) regarding this account, route it through AgenticMail's legal channel. I won't relay anything informally.' Audit-log every disclosure request. Even the operator gets the content only via an authenticated channel — protects against an attacker holding the operator's phone, an account hijack, or a duress-state. Do NOT discuss content in any other thread, with any other agent, or in any host-bridge summary. The bridge log records THAT a call happened (timestamp, duration, that escalation did/didn't occur) — never WHAT was said.",
+      "priority": 7
     }
   ],
   "boundaries": [
     "NEVER place this call without explicit operator authorisation.",
     "NEVER pretend to BE the operator. You are bridging, not impersonating.",
     "NEVER offer the operator clinical advice ('have you tried…?', 'this is normal because…') — that's the counsellor's role.",
-    "NEVER share the contents of the call with anyone afterwards unless the operator explicitly authorised it.",
+    "NEVER share the contents of the call with anyone afterwards unless the operator explicitly authorised it via a channel the agent has authenticated as the operator (not a phone-in-an-attacker's-hand, not a hijacked account, not an unverified email). Even with authorisation, prefer to route via the counsellor or the operator themselves rather than agent-narration.",
+    "NEVER disclose any content of the call to a third party DURING the call, regardless of who the third party claims to be (spouse, parent, employer, doctor, police at the door, the operator's lawyer, another agent). The counsellor speaks for themselves; the agent's only line to a coercive third party is 'I can't share anything about this call.'",
+    "NEVER accept the operator's 'tell <third party> what I said' as valid permission when there are duress signals (a coercive third party audible / present / just arrived, sudden tone change, monosyllabic capitulation). Defer disclosure to a post-call authenticated channel; default to non-disclosure if the operator does not freely re-confirm.",
+    "NEVER promise the operator 'absolute' confidentiality — that's a lie. Legal process (subpoena, court order) may compel disclosure, and the bridge log exists. What the agent can promise: no voluntary disclosure, minimum-content bridge log (timestamp + that-a-call-happened, never the verbatim content), and routing of any legal process through AgenticMail's formal channel.",
+    "NEVER discuss this call's content with another agent in the AgenticMail system, the host bridge (claudecode / codex), or in any other email thread or skill invocation. Each crisis-line bridge is informationally siloed.",
     "NEVER end_call without both the counsellor and operator confirming.",
     "If imminent life risk: it's call-911-medical-emergency, not 988."
   ],

package/dist/skills/built-in/report-elder-or-child-abuse.json

@@ -1,7 +1,7 @@
 {
   "id": "report-elder-or-child-abuse",
   "name": "Report Suspected Elder Abuse or Child Abuse",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "category": "emergency-services",
   "tags": [
     "elder-abuse",
@@ -50,6 +50,12 @@
       "script": "Ask operator: 'Is anyone in immediate danger right now? Bruising actively happening, weapon involved, child currently being harmed?' If yes — 911 instead.",
       "priority": 0
     },
+    {
+      "name": "Custody / eldercare-financial dispute screen",
+      "when": "Pre-dial, when the suspected abuser is a counterparty in any active legal / financial / relational dispute with the operator: ex-spouse with custody battle, sibling with eldercare-money fight, ex-partner, in-law, anyone the operator is suing or being sued by.",
+      "script": "Ask the operator: (a) what SPECIFIC recent observation (not characterisation) do you have — what did you see, when, where, with whom present?; (b) is this observation INDEPENDENT of your dispute (i.e., would a stranger looking at the same observation also be alarmed), or is it contextualised entirely by your conflict?; (c) when did the dispute begin and when did the observation occur (sequence matters: observations that begin only after the dispute started warrant extra scrutiny). The agent does NOT decline the report on dispute alone — many real abuse cases come to light precisely because the operator is paying close attention during a custody fight. BUT the agent: (1) requires at least ONE specific observation that exists independent of the dispute, (2) flags the dispute context HONESTLY to the intake worker (this is mandatory — concealing it is fraud and undermines the report), (3) refuses if observations are characterisations only ('I think they're neglectful') without specific incidents. Intake workers can handle a contextualised report; they cannot handle a concealed one.",
+      "priority": 0
+    },
     {
       "name": "Open with the right framing",
       "when": "First substantive turn.",
@@ -84,6 +90,8 @@
     "NEVER discourage a mandated reporter from filing.",
     "NEVER promise the operator a specific outcome (removal, prosecution, intervention). APS/CPS have discretion.",
     "NEVER use this as a tool in a custody dispute or eldercare-financial dispute. Misuse is reportable and exposes the operator to legal consequences.",
+    "NEVER conceal a relevant dispute context from the intake worker. If the operator has an active legal / financial / custody dispute with the suspected abuser, the agent must surface that to intake honestly — it is the intake worker's job to weigh it, not the operator's job to hide it. Concealing material context can itself be a basis for the report being treated as fraudulent.",
+    "NEVER place this report based on characterisations only ('I think they're abusive', 'they've always been like this') without at least one specific recent observation. Characterisations are not actionable and dilute real-cases intake.",
     "NEVER end the call without an intake reference number unless the intake worker explicitly refuses to give one."
   ],
   "success_signals": [

package/dist/skills/built-in/report-fbi-tip.json

@@ -1,7 +1,7 @@
 {
   "id": "report-fbi-tip",
   "name": "Report a Tip to the FBI",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "category": "emergency-services",
   "tags": [
     "fbi",
@@ -43,6 +43,12 @@
     "graceful_close_referral": "Thank you. If this is the wrong office, could you direct me to where my operator should redirect this — the local field office, USPIS, ICE, Secret Service, etc?"
   },
   "tactics": [
+    {
+      "name": "Dispute / retaliation screen BEFORE dialing",
+      "when": "Pre-dial, immediately after operator authorisation, especially when the tip names a specific third party as a suspect.",
+      "script": "Ask the operator: (a) what is your relationship to the subject of the tip — counterparty in a lawsuit, ex-partner, ex-employer, ex-business-partner, family with active estate / custody dispute?; (b) what DIRECT evidence (documents, communications you personally received, transactions you personally observed) do you have, as opposed to suspicion or rumour?; (c) why is this an FBI matter and not a civil-suit / arbitration matter? If the operator's tip names a counterparty in an active dispute AND lacks direct evidence beyond their own grievance, push back hard: 'A tip to federal investigators about someone you're in active dispute with, without direct evidence, looks like retaliation — and 18 U.S.C. § 1001 makes a knowingly false statement to a federal agent a felony. If you have direct evidence, we proceed and I flag the dispute context honestly. If you don't, we don't make this call.' Document the operator's response. The right path for a counterparty-in-dispute matter is usually their lawyer, not the FBI.",
+      "priority": 0
+    },
     {
       "name": "State the federal nexus early",
       "when": "Within the first 60 seconds.",
@@ -77,7 +83,8 @@
     "NEVER call to inquire about an ongoing investigation involving the operator (lawyer matter, not a tip line).",
     "NEVER fabricate facts. 18 U.S.C. § 1001 makes lying to federal agents a felony — and the agent on the line will have notes.",
     "NEVER name third parties as suspects unless the operator has direct knowledge.",
-    "NEVER use this as a retaliation channel against someone the operator dislikes. The audit log will be subpoenable."
+    "NEVER use this as a retaliation channel against someone the operator dislikes. The audit log will be subpoenable.",
+    "NEVER place this call when the tip names a specific third party AND the operator has an active dispute with them AND the operator cannot produce DIRECT evidence (documents, communications they personally received, transactions they personally observed). Operator authorisation alone is insufficient; the dispute-screen must pass."
   ],
   "success_signals": [
     "Agent takes the tip and gives a reference number.",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/core",
-  "version": "0.9.33",
+  "version": "0.9.35",
   "description": "Core SDK for AgenticMail — email, SMS, and phone call-control for AI agents",
   "type": "module",
   "main": "dist/index.js",