@vellumai/assistant 0.10.1 → 0.10.2-dev.202606241651.2d2b40d

package/src/runtime/guardian-vellum-migration.ts

@@ -7,11 +7,22 @@
  * assistant-side since it reacts to incoming JWT principals.
  */
 
+import type { ChannelId } from "../channels/types.js";
 import {
   findGuardianForChannel,
   updateContactPrincipalAndChannel,
 } from "../contacts/contact-store.js";
+import {
+  getGuardianDelivery,
+  guardianForChannel,
+} from "../contacts/guardian-delivery-reader.js";
+import type { TrustContext } from "../daemon/trust-context.js";
 import { getLogger } from "../util/logger.js";
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "./assistant-scope.js";
+import {
+  resolveTrustContext,
+  withSourceChannel,
+} from "./trust-context-resolver.js";
 
 const log = getLogger("guardian-vellum-migration");
 
@@ -31,18 +42,37 @@ const log = getLogger("guardian-vellum-migration");
  * minted by this daemon's signing key.
  *
  * Returns true if healing occurred, false otherwise.
+ *
+ * The gateway binding supplies the authoritative principal; the local
+ * assistant-mirror row is repaired whenever it diverges from the JWT
+ * principal — even when the gateway binding already matches — because the
+ * /v1/messages trust path still resolves against the local mirror in this
+ * plan. A stale mirror must be repaired or valid guardians stay `unknown`.
  */
-export function healGuardianBindingDrift(incomingPrincipalId: string): boolean {
+export async function healGuardianBindingDrift(
+  incomingPrincipalId: string,
+): Promise<boolean> {
   if (!incomingPrincipalId.startsWith("vellum-principal-")) {
     return false;
   }
 
+  const guardians = await getGuardianDelivery({ channelTypes: ["vellum"] });
+  if (!guardians) return false;
+  const guardian = guardianForChannel(guardians, "vellum");
+  if (!guardian) return false;
+
+  const currentPrincipalId = guardian.principalId;
+  if (!currentPrincipalId?.startsWith("vellum-principal-")) return false;
+
+  // Resolve the assistant-mirror row whose principal drives local trust.
   const guardianResult = findGuardianForChannel("vellum");
   if (!guardianResult) return false;
 
-  const currentPrincipalId = guardianResult.contact.principalId;
-  if (!currentPrincipalId?.startsWith("vellum-principal-")) return false;
-  if (currentPrincipalId === incomingPrincipalId) return false;
+  const localPrincipalId = guardianResult.contact.principalId;
+  // Only repair auto-generated local principals — never overwrite a real one.
+  if (!localPrincipalId?.startsWith("vellum-principal-")) return false;
+  // No-op when the local mirror already matches the JWT principal.
+  if (localPrincipalId === incomingPrincipalId) return false;
 
   const updated = updateContactPrincipalAndChannel(
     guardianResult.contact.id,
@@ -53,7 +83,7 @@ export function healGuardianBindingDrift(incomingPrincipalId: string): boolean {
   if (!updated) {
     log.warn(
       {
-        oldPrincipalId: currentPrincipalId,
+        oldPrincipalId: localPrincipalId,
         newPrincipalId: incomingPrincipalId,
       },
       "Skipped guardian binding drift heal — address collision on contact_channels",
@@ -63,11 +93,40 @@ export function healGuardianBindingDrift(incomingPrincipalId: string): boolean {
 
   log.info(
     {
-      oldPrincipalId: currentPrincipalId,
+      oldPrincipalId: localPrincipalId,
       newPrincipalId: incomingPrincipalId,
     },
-    "Healed vellum guardian binding drift — updated principalId to match JWT actor",
+    "Healed vellum guardian binding drift — updated local mirror principalId to match JWT actor",
   );
 
   return true;
 }
+
+/**
+ * Re-resolve trust from the local mirror only for the narrow vellum-principal
+ * reset-drift case; null when it isn't drift (caller keeps the gateway verdict).
+ */
+export async function reResolveTrustOnResetDrift(
+  incomingPrincipalId: string,
+  sourceChannel: ChannelId,
+): Promise<TrustContext | null> {
+  const guardians = await getGuardianDelivery({ channelTypes: ["vellum"] });
+  const gatewayPrincipal = guardians
+    ? guardianForChannel(guardians, "vellum")?.principalId
+    : undefined;
+  const isResetDrift =
+    incomingPrincipalId.startsWith("vellum-principal-") &&
+    !!gatewayPrincipal?.startsWith("vellum-principal-") &&
+    gatewayPrincipal !== incomingPrincipalId;
+  if (!isResetDrift) return null;
+  await healGuardianBindingDrift(incomingPrincipalId);
+  return withSourceChannel(
+    sourceChannel,
+    resolveTrustContext({
+      assistantId: DAEMON_INTERNAL_ASSISTANT_ID,
+      sourceChannel: "vellum",
+      conversationExternalId: "local",
+      actorExternalId: incomingPrincipalId,
+    }),
+  );
+}

package/src/runtime/invite-redemption-service.ts

@@ -7,9 +7,14 @@
  * persisted, or returned in the outcome.
  */
 
+import {
+  getInboundTrustVerdict,
+  getPhoneCallerVerdict,
+} from "../calls/inbound-trust-reader.js";
 import type { ChannelId } from "../channels/types.js";
 import { findContactChannel, getContact } from "../contacts/contact-store.js";
 import { upsertContactChannel } from "../contacts/contacts-write.js";
+import type { ChannelStatus } from "../contacts/types.js";
 import { ipcCallPersistent } from "../ipc/gateway-client.js";
 import { getSqlite } from "../memory/db-connection.js";
 import {
@@ -23,9 +28,27 @@ import {
 import { canonicalizeInboundIdentity } from "../util/canonicalize-identity.js";
 import { getLogger } from "../util/logger.js";
 import { hashVoiceCode } from "../util/voice-code.js";
+import { verdictMemberFromVerdict } from "./trust-verdict-consumer.js";
 
 const log = getLogger("invite-redemption-service");
 
+/**
+ * Resolve the sender's existing member status for the already_member/blocked
+ * gate from the gateway trust verdict. Falls back to the local channel status
+ * when the verdict is absent or carries no resolvable member status (e.g. an
+ * externalChatId-only match or a resolutionFailed verdict), so a locally
+ * blocked contact can't bypass the gate.
+ */
+export async function resolveMemberGateStatus(
+  verdict: Awaited<ReturnType<typeof getInboundTrustVerdict>>,
+  localChannelStatus: ChannelStatus | null,
+): Promise<ChannelStatus | null> {
+  const memberStatus = verdict
+    ? verdictMemberFromVerdict(verdict)?.status
+    : null;
+  return memberStatus ?? localChannelStatus;
+}
+
 // ---------------------------------------------------------------------------
 // Gateway lifecycle bridge (shared by all redemption paths)
 // ---------------------------------------------------------------------------
@@ -218,18 +241,22 @@ export async function redeemInvite(params: {
   const targetMismatch =
     existingContact && existingContact.id !== invite.contactId;
 
-  if (
-    existingChannel &&
-    existingChannel.status === "active" &&
-    !targetMismatch
-  ) {
+  const gateStatus = await resolveMemberGateStatus(
+    await getInboundTrustVerdict({
+      channelType: sourceChannel as ChannelId,
+      actorExternalId: canonicalUserId,
+    }),
+    existingChannel?.status ?? null,
+  );
+
+  if (existingChannel && gateStatus === "active" && !targetMismatch) {
     return { ok: true, type: "already_member", memberId: existingChannel.id };
   }
 
   // Blocked members cannot bypass the guardian's explicit block via invite
   // links. Return the same generic failure as an invalid token to avoid
   // leaking membership status to the caller.
-  if (existingChannel && existingChannel.status === "blocked") {
+  if (existingChannel && gateStatus === "blocked") {
     return { ok: false, reason: "invalid_token" };
   }
 
@@ -465,11 +492,12 @@ export async function redeemVoiceInviteCode(params: {
   // should bind the sender's identity to the target contact, not the existing one.
   const targetMismatch = voiceContact && voiceContact.id !== invite.contactId;
 
-  if (
-    existingVoiceChannel &&
-    existingVoiceChannel.status === "active" &&
-    !targetMismatch
-  ) {
+  const gateStatus = await resolveMemberGateStatus(
+    await getPhoneCallerVerdict(canonicalCallerId),
+    existingVoiceChannel?.status ?? null,
+  );
+
+  if (existingVoiceChannel && gateStatus === "active" && !targetMismatch) {
     return {
       ok: true,
       type: "already_member",
@@ -478,7 +506,7 @@ export async function redeemVoiceInviteCode(params: {
   }
 
   // Blocked members cannot bypass the guardian's explicit block
-  if (existingVoiceChannel && existingVoiceChannel.status === "blocked") {
+  if (existingVoiceChannel && gateStatus === "blocked") {
     return { ok: false, reason: "invalid_or_expired" };
   }
 
@@ -639,18 +667,22 @@ export async function redeemInviteByCode(params: {
   const targetMismatch =
     existingContact && existingContact.id !== invite.contactId;
 
-  if (
-    existingChannel &&
-    existingChannel.status === "active" &&
-    !targetMismatch
-  ) {
+  const gateStatus = await resolveMemberGateStatus(
+    await getInboundTrustVerdict({
+      channelType: sourceChannel as ChannelId,
+      actorExternalId: canonicalUserId,
+    }),
+    existingChannel?.status ?? null,
+  );
+
+  if (existingChannel && gateStatus === "active" && !targetMismatch) {
     return { ok: true, type: "already_member", memberId: existingChannel.id };
   }
 
   // Blocked members cannot bypass the guardian's explicit block via invite
   // codes. Return the same generic failure as an invalid token to avoid
   // leaking membership status to the caller.
-  if (existingChannel && existingChannel.status === "blocked") {
+  if (existingChannel && gateStatus === "blocked") {
     return { ok: false, reason: "invalid_token" };
   }
 

package/src/runtime/local-actor-identity.ts

@@ -14,6 +14,11 @@
 import type { ChannelId } from "../channels/types.js";
 import { isHttpAuthDisabled } from "../config/env.js";
 import { findGuardianForChannel } from "../contacts/contact-store.js";
+import {
+  getGuardianDelivery,
+  guardianForChannel,
+  peekCachedGuardianDelivery,
+} from "../contacts/guardian-delivery-reader.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 import { getLogger } from "../util/logger.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "./assistant-scope.js";
@@ -45,13 +50,48 @@ export function buildLocalAuthContext(conversationId: string): AuthContext {
 }
 
 /**
- * Look up the local vellum guardian's principalId from the contacts table.
+ * Resolve the local vellum guardian's principalId from the gateway.
  *
- * Returns `undefined` when no vellum guardian binding exists (e.g. fresh
- * install before bootstrap). Callers should treat that case as
+ * The gateway owns guardian binding; this reads it through the cached
+ * `getGuardianDelivery` reader (PR-3 TTL + single-flight) so hot paths don't
+ * storm the IPC. Falls back to the local contacts table for the bootstrap /
+ * first-run window where the gateway has no guardian yet or is unreachable
+ * (the reader returns `null`).
+ *
+ * Returns `undefined` when no vellum guardian binding exists in either source
+ * (e.g. fresh install before bootstrap). Callers should treat that case as
  * "not yet available" and either fall back or proceed without a principalId.
  */
-export function findLocalGuardianPrincipalId(): string | undefined {
+export async function findLocalGuardianPrincipalId(): Promise<
+  string | undefined
+> {
+  const list = await getGuardianDelivery({ channelTypes: ["vellum"] });
+  if (list) {
+    const principalId = guardianForChannel(list, "vellum")?.principalId;
+    if (principalId) return principalId;
+  }
+
+  return findLocalGuardianPrincipalIdFromStore();
+}
+
+/**
+ * Synchronous read of the vellum guardian's principalId for paths that cannot
+ * await {@link findLocalGuardianPrincipalId} — namely the SSE eager-subscribe
+ * path (`events-routes`), which registers before the stream is created.
+ *
+ * Reads the same gateway-owned binding as the async path via a sync, IO-free
+ * snapshot of the guardian-delivery cache (kept fresh by the async hot paths
+ * and event-driven invalidation), so SSE registers the SAME principal the
+ * send/result routes resolve. Falls back to the local store when the cache is
+ * cold — the same fallback the async path lands on during bootstrap.
+ */
+export function findLocalGuardianPrincipalIdFromStore(): string | undefined {
+  const cached = peekCachedGuardianDelivery({ channelTypes: ["vellum"] });
+  if (cached) {
+    const principalId = guardianForChannel(cached, "vellum")?.principalId;
+    if (principalId) return principalId;
+  }
+
   return findGuardianForChannel("vellum")?.contact.principalId ?? undefined;
 }
 
@@ -76,12 +116,35 @@ export function findLocalGuardianPrincipalId(): string | undefined {
  * yet (e.g. fresh install before bootstrap); callers must treat this the
  * same as a missing principal.
  */
-export function resolveActorPrincipalIdForLocalGuardian(
+export async function resolveActorPrincipalIdForLocalGuardian(
+  rawHeader: string | undefined,
+): Promise<string | undefined> {
+  if (rawHeader !== "dev-bypass" || !isHttpAuthDisabled()) return rawHeader;
+
+  const guardianPrincipalId = await findLocalGuardianPrincipalId();
+  if (guardianPrincipalId) return guardianPrincipalId;
+
+  log.warn(
+    "dev-bypass actor principal received but no vellum guardian binding found; returning undefined",
+  );
+  return undefined;
+}
+
+/**
+ * Synchronous variant of {@link resolveActorPrincipalIdForLocalGuardian} for
+ * the SSE eager-subscribe path, which registers before the response stream is
+ * created and cannot await. Resolves the guardian from the IO-free gateway
+ * cache snapshot first (same source the async path reads), falling back to the
+ * local store when the cache is cold — so SSE registers the SAME principal the
+ * send/result routes resolve and host-proxy targeting matches the same-user
+ * client even when the local contact row is stale.
+ */
+export function resolveActorPrincipalIdForLocalGuardianSync(
   rawHeader: string | undefined,
 ): string | undefined {
   if (rawHeader !== "dev-bypass" || !isHttpAuthDisabled()) return rawHeader;
 
-  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  const guardianPrincipalId = findLocalGuardianPrincipalIdFromStore();
   if (guardianPrincipalId) return guardianPrincipalId;
 
   log.warn(
@@ -102,12 +165,12 @@ export function resolveActorPrincipalIdForLocalGuardian(
  * bootstrap), falls back to a minimal guardian context so the local
  * user is not incorrectly denied.
  */
-export function resolveLocalTrustContext(
+export async function resolveLocalTrustContext(
   sourceChannel: ChannelId = "vellum",
-): TrustContext {
+): Promise<TrustContext> {
   const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
 
-  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  const guardianPrincipalId = await findLocalGuardianPrincipalId();
   if (guardianPrincipalId) {
     const trustCtx = resolveTrustContext({
       assistantId,
@@ -139,10 +202,12 @@ export function resolveLocalTrustContext(
  * downstream code to resolve guardian context using the same
  * `authContext.actorPrincipalId` path as HTTP sessions.
  */
-export function resolveLocalAuthContext(conversationId: string): AuthContext {
+export async function resolveLocalAuthContext(
+  conversationId: string,
+): Promise<AuthContext> {
   const authContext = buildLocalAuthContext(conversationId);
 
-  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  const guardianPrincipalId = await findLocalGuardianPrincipalId();
   if (guardianPrincipalId) {
     return { ...authContext, actorPrincipalId: guardianPrincipalId };
   }

package/src/runtime/local-principal-trust.ts

@@ -0,0 +1,52 @@
+/**
+ * Derives a local principal's {@link TrustContext} from the gateway guardian
+ * binding. Fails closed to unknown on a missing or null read.
+ */
+
+import type { ChannelId } from "../channels/types.js";
+import { getGuardianDelivery } from "../contacts/guardian-delivery-reader.js";
+import type { TrustContext } from "../daemon/trust-context.js";
+import { canonicalizeInboundIdentity } from "../util/canonicalize-identity.js";
+
+export interface ResolveLocalPrincipalTrustInput {
+  actorPrincipalId: string;
+  sourceChannel: ChannelId;
+  conversationExternalId: string;
+}
+
+/** Guardian match → guardian ctx; miss or null read → unknown (fail closed). */
+export async function resolveLocalPrincipalTrustContext(
+  input: ResolveLocalPrincipalTrustInput,
+): Promise<TrustContext> {
+  const unknownContext: TrustContext = {
+    sourceChannel: input.sourceChannel,
+    trustClass: "unknown",
+    requesterExternalUserId: input.actorPrincipalId,
+    requesterChatId: input.conversationExternalId,
+  };
+
+  // Fail closed: a null read means the gateway is unreachable — never grant
+  // guardian on a miss.
+  const guardians = await getGuardianDelivery({ channelTypes: ["vellum"] });
+  if (!guardians) return unknownContext;
+
+  const guardian = guardians.find(
+    (g) => g.principalId === input.actorPrincipalId,
+  );
+  if (!guardian) return unknownContext;
+
+  return {
+    sourceChannel: input.sourceChannel,
+    trustClass: "guardian",
+    guardianChatId: guardian.externalChatId ?? input.conversationExternalId,
+    guardianExternalUserId:
+      canonicalizeInboundIdentity(input.sourceChannel, guardian.address) ??
+      undefined,
+    guardianPrincipalId: guardian.principalId ?? undefined,
+    // Mirror toTrustContext: with no username the requester identifier is the
+    // canonical sender id, which for a vellum principal is actorPrincipalId.
+    requesterIdentifier: input.actorPrincipalId,
+    requesterExternalUserId: input.actorPrincipalId,
+    requesterChatId: input.conversationExternalId,
+  };
+}

package/src/runtime/pending-interactions.ts

@@ -229,6 +229,15 @@ export function getByConversation(
  * /v1/host-browser-result, /v1/host-app-control-result, or
  * /v1/host-transfer-result after completing the operation, get a 404, and the
  * proxy timer would fire with a spurious timeout error.
+ *
+ * `question` interactions are also skipped: a new message supersedes an open
+ * ask_question by steering to it (see the enqueue path in
+ * conversation-routes.ts), which aborts the parked turn and settles the
+ * question via its abort signal. Clearing the entry here instead would drop it
+ * without settling the prompt's Promise (questions carry no `rpcResolve`
+ * fallback like secrets do) and would strip the steer of the entry it needs to
+ * fire — which can co-occur with a confirmation, since one model response can
+ * open both tools concurrently.
  */
 export function removeByConversation(
   conversationId: string,
@@ -244,7 +253,8 @@ export function removeByConversation(
       interaction.kind !== "host_browser" &&
       interaction.kind !== "host_app_control" &&
       interaction.kind !== "host_transfer" &&
-      interaction.kind !== "acp_confirmation"
+      interaction.kind !== "acp_confirmation" &&
+      interaction.kind !== "question"
     ) {
       // resolve() clears the stored timer and detaches abort listeners.
       resolve(requestId, state);

package/src/runtime/routes/__tests__/channel-verification-revoke.test.ts

@@ -10,6 +10,7 @@
 
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
+import type { GuardianDelivery } from "@vellumai/gateway-client";
 import { IpcCallError } from "@vellumai/gateway-client/ipc-client";
 
 type IpcCall = { method: string; params?: Record<string, unknown> };
@@ -73,8 +74,16 @@ mock.module("../../channel-verification-service.js", () => ({
   getGuardianBinding: mock(() => guardianBinding),
 }));
 
-// Contact-store lookup that resolves the guardian's channel to downgrade.
-let contactChannel: { id: string; status: string } | null = null;
+// Contact-store lookup that resolves the guardian's channel to downgrade. The
+// channel carries the type/address/externalChatId the gateway delivery is
+// matched against (see deliveryForChannel).
+let contactChannel: {
+  id: string;
+  status: string;
+  type: string;
+  address: string;
+  externalChatId: string;
+} | null = null;
 const actualContactStore = await import("../../../contacts/contact-store.js");
 mock.module("../../../contacts/contact-store.js", () => ({
   ...actualContactStore,
@@ -83,6 +92,20 @@ mock.module("../../../contacts/contact-store.js", () => ({
   ),
 }));
 
+// Gateway delivery (ACL source of truth). The revoke gate relays only when the
+// matching delivery is live (active/pending/unverified); already-revoked or a
+// missing delivery short-circuits the relay.
+let guardianDeliveries: GuardianDelivery[] | null = null;
+mock.module("../../../contacts/guardian-delivery-reader.js", () => ({
+  getGuardianDelivery: mock(async (input?: { channelTypes?: string[] }) => {
+    if (guardianDeliveries == null) return null;
+    if (!input?.channelTypes) return guardianDeliveries;
+    return guardianDeliveries.filter((g) =>
+      input.channelTypes!.includes(g.channelType),
+    );
+  }),
+}));
+
 // Guard: the contact-channel ACL write moves to the gateway relay and must
 // never run locally. The assistant-owned guardian-binding teardown
 // (revokeGuardianBinding) still runs locally — assert it is invoked.
@@ -122,7 +145,24 @@ describe("verification revoke relay", () => {
       guardianExternalUserId: "guardian-user",
       guardianDeliveryChatId: "chat-1",
     };
-    contactChannel = { id: "ch1", status: "active" };
+    contactChannel = {
+      id: "ch1",
+      status: "active",
+      type: "telegram",
+      address: "guardian-user",
+      externalChatId: "chat-1",
+    };
+    // Gateway delivery is live by default, so the revoke relay fires.
+    guardianDeliveries = [
+      {
+        channelType: "telegram",
+        contactId: "c1",
+        address: "guardian-user",
+        externalChatId: "chat-1",
+        status: "active",
+        verifiedAt: 1700000000,
+      },
+    ];
     ipcCallPersistentMock.mockClear();
     cancelOutboundMock.mockClear();
     revokePendingSessionsMock.mockClear();
@@ -263,8 +303,19 @@ describe("verification revoke relay", () => {
     expect(result.bound).toBe(false);
   });
 
-  test("skips the relay when the resolved channel is already revoked", async () => {
-    contactChannel = { id: "ch1", status: "revoked" };
+  test("skips the relay when the gateway delivery is already revoked", async () => {
+    // The gateway (source of truth) already shows the channel revoked, so the
+    // redundant relay is skipped even though session/binding teardown runs.
+    guardianDeliveries = [
+      {
+        channelType: "telegram",
+        contactId: "c1",
+        address: "guardian-user",
+        externalChatId: "chat-1",
+        status: "revoked",
+        verifiedAt: 1700000000,
+      },
+    ];
 
     await revokeHandler({ body: { channel: "telegram" } });
 

package/src/runtime/routes/__tests__/channel-verification-routes.test.ts

@@ -24,7 +24,7 @@ mock.module("../../../daemon/handlers/config-channels.js", () => ({
     verifyTrustedContactCalls.push([contactChannelId, assistantId]);
     return verifyTrustedContactImpl(contactChannelId, assistantId);
   },
-  createInboundChallenge: () => ({ success: true }),
+  createInboundChallenge: async () => ({ success: true }),
   getVerificationStatus: () => ({ success: true }),
   revokeVerificationForChannel: () => ({ success: true }),
 }));