@vellumai/assistant 0.10.0-dev.202606222007.e9d01e2 → 0.10.0-dev.202606222147.354e06a

package/ARCHITECTURE.md

@@ -105,21 +105,20 @@ All HTTP API requests use a single `Authorization: Bearer <jwt>` header for auth
 
 Scoped approval grants allow a guardian's approval decision on one channel (e.g., Telegram) to authorize a tool execution on a different channel (e.g., voice). Two scope modes exist: `request_id` (bound to a specific pending request) and `tool_signature` (bound to `toolName` + canonical `inputDigest`). Grants are one-time-use, exact-match, fail-closed, and TTL-bound. Full architecture details (lifecycle flow, security invariants, key files) live in [`docs/architecture/security.md`](docs/architecture/security.md#channel-agnostic-scoped-approval-grants).
 
-### Guardian Decision Primitive (Dual-Mode Approval)
+### Guardian Decision Primitive
 
-All guardian approval decisions — regardless of how they arrive — route through a single unified primitive in `src/approvals/guardian-decision-primitive.ts`. This centralizes decision logic that was previously duplicated across callback button handlers, the conversational approval engine, and the requester self-cancel path.
+All guardian approval decisions — regardless of how they arrive — route through a single canonical primitive in `src/approvals/guardian-decision-primitive.ts`, which centralizes decision logic for callback button handlers, the conversational approval engine, and channel reactions/text.
 
 **Core API:**
 
-| Function                                          | Purpose                                                                                                                                                                                                                                                               |
-| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `applyGuardianDecision(params)`                   | Apply a guardian decision atomically: downgrade `approve_always` for guardian-on-behalf requests, capture approval info, resolve the pending interaction, update the approval record, and mint a scoped grant on approve. Returns `{ applied, reason?, requestId? }`. |
-| `listGuardianDecisionPrompts({ conversationId })` | List pending prompts for a conversation, aggregating channel guardian approval requests and pending confirmation interactions into a uniform `GuardianDecisionPrompt` shape.                                                                                          |
+| Function                                 | Purpose                                                                                                                                                                                                                                                                                             |
+| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `applyCanonicalGuardianDecision(params)` | Apply a guardian decision against the canonical store: validate status/identity/expiry, CAS-resolve the request (first-writer-wins), dispatch to the kind-specific resolver, mint a scoped grant on approve, and withdraw the request's approval cards. Returns a structured applied/failed result. |
 
 **Security invariants enforced by the primitive:**
 
 - Decision application is identity-bound to the expected guardian identity.
-- Decisions are first-response-wins (CAS-like stale protection via `handleChannelDecision`).
+- Decisions are first-response-wins (CAS stale protection via `resolveCanonicalGuardianRequest`).
 - `approve_always` is downgraded to `approve_once` for guardian-on-behalf requests (guardians cannot permanently allowlist tools for requesters).
 - Scoped grant minting only fires on explicit approve for requests with tool metadata.
 
@@ -199,14 +198,14 @@ The canonical guardian request system provides a channel-agnostic, unified domai
 
 **Key source files:**
 
-| File                                                    | Purpose                                                                                                       |
-| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
-| `src/memory/canonical-guardian-store.ts`                | Canonical request and delivery persistence (CRUD, CAS resolve, list with filters)                             |
-| `src/approvals/guardian-decision-primitive.ts`          | Unified decision primitive: `applyCanonicalGuardianDecision` (canonical) and `applyGuardianDecision` (legacy) |
-| `src/approvals/guardian-request-resolvers.ts`           | Resolver registry: kind-specific side-effect dispatch after CAS resolution                                    |
-| `src/runtime/guardian-reply-router.ts`                  | Shared inbound router: callback -> code -> NL classification pipeline                                         |
-| `src/runtime/routes/guardian-action-routes.ts`          | HTTP endpoints for prompt listing and decision submission                                                     |
-| `src/runtime/routes/canonical-guardian-expiry-sweep.ts` | Canonical request expiry sweep                                                                                |
+| File                                                    | Purpose                                                                               |
+| ------------------------------------------------------- | ------------------------------------------------------------------------------------- |
+| `src/memory/canonical-guardian-store.ts`                | Canonical request and delivery persistence (CRUD, CAS resolve, list with filters)     |
+| `src/approvals/guardian-decision-primitive.ts`          | Canonical decision primitive: `applyCanonicalGuardianDecision` + scoped grant minting |
+| `src/approvals/guardian-request-resolvers.ts`           | Resolver registry: kind-specific side-effect dispatch after CAS resolution            |
+| `src/runtime/guardian-reply-router.ts`                  | Shared inbound router: callback -> code -> NL classification pipeline                 |
+| `src/runtime/routes/guardian-action-routes.ts`          | HTTP endpoints for prompt listing and decision submission                             |
+| `src/runtime/routes/canonical-guardian-expiry-sweep.ts` | Canonical request expiry sweep                                                        |
 
 ### Outbound Channel Verification (HTTP Endpoints)
 

package/eslint-rules/cli-no-daemon-internals.js

@@ -47,9 +47,15 @@ const ALLOWED_PREFIXES = {
     "./",
     // Config schema/loader at depth-1 and depth-2.
     "../../config/loader",
+    "../../../config/loader",
     "../../config/schema",
     "../../config/env",
     "../../util/platform",
+    // Memory retrospective — the retrospective CLI runs the fork-based
+    // retrospective in-process (no daemon, no IPC), so it imports the
+    // job handler directly. Depth-2 for commands/memory/ nesting.
+    "../../memory/memory-retrospective-job",
+    "../../../memory/memory-retrospective-job",
     "../logger",
     "../output",
     "../../logger",

package/openapi.yaml

@@ -13317,8 +13317,8 @@ paths:
           schema:
             type: string
           description:
-            "Filter by provider. One of: anthropic, openai, gemini, ollama, fireworks, openrouter, openai-compatible,
-            minimax, atlascloud"
+            "Filter by provider. One of: anthropic, openai, gemini, ollama, fireworks, together, openrouter,
+            openai-compatible, minimax, atlascloud"
       responses:
         "200":
           description: Successful response
@@ -29216,6 +29216,7 @@ components:
         - openai-compatible
         - minimax
         - atlascloud
+        - together
     ProfilePatchEntry:
       type: object
       properties:
@@ -29592,6 +29593,7 @@ components:
         - gemini
         - ollama
         - fireworks
+        - together
         - openrouter
         - openai-compatible
         - minimax

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.10.0-dev.202606222007.e9d01e2",
+  "version": "0.10.0-dev.202606222147.354e06a",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/access-request-seed-content-blocks.test.ts

@@ -22,6 +22,8 @@ describe("buildAccessRequestSeedContentBlocks", () => {
     expect(blocks).toHaveLength(2);
     expect((blocks[0] as Record<string, unknown>).type).toBe("ui_surface");
     expect((blocks[1] as Record<string, unknown>).type).toBe("text");
+    // The fallback block is flagged so surface-capable clients skip it.
+    expect((blocks[1] as Record<string, unknown>)._surfaceFallback).toBe(true);
   });
 
   test("card surface has correct surfaceType and surfaceId", () => {

package/src/__tests__/approval-interception-trust-gates.test.ts

@@ -0,0 +1,151 @@
+/**
+ * Trust-class gates in `handleApprovalInterception`.
+ *
+ * The interception dispatcher applies identity-based gates before any decision
+ * is resolved:
+ *  - An unverified sender (no established identity) auto-denies a pending
+ *    approval — a missing-identity actor must not be able to leave a sensitive
+ *    request actionable.
+ *  - An identity-known non-guardian must NOT auto-deny; it waits for the
+ *    guardian and receives a "pending" notice.
+ */
+
+import { beforeEach, describe, expect, mock, spyOn, test } from "bun:test";
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+const _conversationMocks = new Map<string, unknown>();
+mock.module("../daemon/conversation-registry.js", () => ({
+  findConversation: (id: string) => _conversationMocks.get(id),
+}));
+
+import type { Conversation } from "../daemon/conversation.js";
+import type { TrustContext } from "../daemon/trust-context.js";
+import { initializeDb } from "../memory/db-init.js";
+import * as approvalMessageComposer from "../runtime/approval-message-composer.js";
+import * as gatewayClient from "../runtime/gateway-client.js";
+import * as pendingInteractions from "../runtime/pending-interactions.js";
+import { handleApprovalInterception } from "../runtime/routes/guardian-approval-interception.js";
+
+await initializeDb();
+
+const ASSISTANT_ID = "self";
+const CONVERSATION_ID = "conv-1";
+const REQUESTER_CHAT = "requester-chat-1";
+const TOOL_NAME = "execute_shell";
+const TOOL_INPUT = { command: "rm -rf /tmp/test" };
+
+function registerPendingInteraction(
+  requestId: string,
+  conversationId: string,
+  toolName: string,
+  input: Record<string, unknown> = TOOL_INPUT,
+): ReturnType<typeof mock> {
+  const handleConfirmationResponse = mock(() => {});
+  const _mockSession = {
+    handleConfirmationResponse,
+    ensureActorScopedHistory: async () => {},
+  } as unknown as Conversation;
+  _conversationMocks.set(conversationId, _mockSession);
+
+  pendingInteractions.register(requestId, {
+    conversationId,
+    kind: "confirmation",
+    confirmationDetails: {
+      toolName,
+      input,
+      riskLevel: "high",
+      allowlistOptions: [
+        { label: "test", description: "test", pattern: "test" },
+      ],
+      scopeOptions: [{ label: "everywhere", scope: "everywhere" }],
+    },
+  });
+
+  return handleConfirmationResponse;
+}
+
+describe("approval interception trust-class gates", () => {
+  let deliverSpy: ReturnType<typeof spyOn>;
+  let composeSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    pendingInteractions.clear();
+    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue({
+      ok: true,
+    });
+    composeSpy = spyOn(
+      approvalMessageComposer,
+      "composeApprovalMessageGenerative",
+    ).mockResolvedValue("test message");
+  });
+
+  test("identity-known unknown sender does not auto-deny pending approval", async () => {
+    const sessionMock = registerPendingInteraction(
+      "req-unknown-no-auto-deny-1",
+      CONVERSATION_ID,
+      TOOL_NAME,
+      TOOL_INPUT,
+    );
+
+    const result = await handleApprovalInterception({
+      conversationId: CONVERSATION_ID,
+      content: "approve",
+      conversationExternalId: REQUESTER_CHAT,
+      sourceChannel: "telegram",
+      actorExternalId: "intruder-user-1",
+      replyCallbackUrl: "https://gateway.test/deliver",
+      trustCtx: {
+        sourceChannel: "telegram",
+        trustClass: "unknown",
+        requesterExternalUserId: "intruder-user-1",
+        guardianExternalUserId: "guardian-1",
+      } as TrustContext,
+      assistantId: ASSISTANT_ID,
+    });
+
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe("assistant_turn");
+    expect(sessionMock).not.toHaveBeenCalled();
+
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+
+  test("unverified sender (no identity) auto-denies pending approval", async () => {
+    const sessionMock = registerPendingInteraction(
+      "req-unknown-auto-deny-1",
+      CONVERSATION_ID,
+      TOOL_NAME,
+      TOOL_INPUT,
+    );
+
+    const result = await handleApprovalInterception({
+      conversationId: CONVERSATION_ID,
+      content: "approve",
+      conversationExternalId: REQUESTER_CHAT,
+      sourceChannel: "telegram",
+      actorExternalId: undefined,
+      replyCallbackUrl: "https://gateway.test/deliver",
+      trustCtx: {
+        sourceChannel: "telegram",
+        trustClass: "unknown",
+      } as TrustContext,
+      assistantId: ASSISTANT_ID,
+    });
+
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe("decision_applied");
+    expect(sessionMock).toHaveBeenCalled();
+    expect(sessionMock.mock.calls[0]?.[0]).toBe("req-unknown-auto-deny-1");
+    expect(sessionMock.mock.calls[0]?.[1]).toBe("deny");
+
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+});

package/src/__tests__/background-workers-disk-pressure.test.ts

@@ -116,6 +116,7 @@ mock.module("../memory/conversation-crud.js", () => ({
   findAnalysisConversationFor: mock(() => null),
   findMostRecentRetrospectiveFor: mock(() => null),
   forkConversation: mock(() => ({ id: "conv-fork" })),
+  forkConversationForRetrospective: mock(async () => ({ id: "conv-fork" })),
   getConversationOverrideProfile: () => undefined,
   resolveOverrideProfile: () => undefined,
   getConversationMemoryScopeId: () => "default",