@vellumai/assistant 0.10.2-dev.202606250106.466483e → 0.10.2-dev.202606250318.5e7cfb0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.10.2-dev.202606250106.466483e",
+  "version": "0.10.2-dev.202606250318.5e7cfb0",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/assistant-attachments.test.ts

@@ -373,6 +373,48 @@ describe("extractVellumLinks", () => {
     expect(result.directiveRequests[1].path).toBe("/tmp/b.pdf");
   });
 
+  test("decodes URL-encoded spaces in workspace paths", () => {
+    const text =
+      "[file with spaces.txt](vellum://workspace/scratch/file%20with%20spaces.txt)";
+    const result = extractVellumLinks(text);
+
+    expect(result.directiveRequests).toHaveLength(1);
+    expect(result.directiveRequests[0].source).toBe("sandbox");
+    expect(result.directiveRequests[0].path).toBe(
+      "scratch/file with spaces.txt",
+    );
+  });
+
+  test("decodes URL-encoded spaces in host paths", () => {
+    const text =
+      "[my file.pdf](vellum://host/Users/me/my%20file.pdf)";
+    const result = extractVellumLinks(text);
+
+    expect(result.directiveRequests).toHaveLength(1);
+    expect(result.directiveRequests[0].source).toBe("host");
+    expect(result.directiveRequests[0].path).toBe("/Users/me/my file.pdf");
+  });
+
+  test("warns on malformed percent-encoding instead of throwing", () => {
+    const text =
+      "[100% complete.txt](vellum://workspace/scratch/100%25complete.txt)";
+    const result = extractVellumLinks(text);
+
+    // %25 decodes to %, so this should succeed
+    expect(result.directiveRequests).toHaveLength(1);
+    expect(result.directiveRequests[0].path).toBe("scratch/100%complete.txt");
+  });
+
+  test("warns on malformed percent-encoding and skips the link", () => {
+    const text =
+      "[bad file](vellum://workspace/scratch/100%complete.txt)";
+    const result = extractVellumLinks(text);
+
+    expect(result.directiveRequests).toHaveLength(0);
+    expect(result.parseWarnings).toHaveLength(1);
+    expect(result.parseWarnings[0]).toContain("malformed percent-encoding");
+  });
+
   test("warns on empty workspace path", () => {
     const text = "[file](vellum://workspace/)";
     const result = extractVellumLinks(text);

package/src/__tests__/config-loader-backfill.test.ts

@@ -1703,8 +1703,8 @@ describe("seedInferenceProfiles BYOK-mode managed profile labels", () => {
 // ---------------------------------------------------------------------------
 // Tests: OS Beta flag-gated managed profile. The template is defined but
 // intentionally NOT part of MANAGED_PROFILE_TEMPLATES, so seedInferenceProfiles
-// must never create it. A later PR reconciles it in/out based on the `os-beta`
-// feature flag.
+// must never create it. The flag-gated reconcile creates or removes it based on
+// the `os-beta` feature flag.
 // ---------------------------------------------------------------------------
 
 describe("OS Beta managed profile template", () => {
@@ -1751,20 +1751,21 @@ describe("OS Beta managed profile template", () => {
     expect(MANAGED_PROFILE_NAMES.has("os-beta")).toBe(true);
   });
 
-  test("materializeProfile honors the explicit OS Beta model", () => {
+  test("materializeProfile resolves OS Beta to the Balanced model with low effort", () => {
     const entry = materializeProfile(
       OS_BETA_PROFILE_TEMPLATE,
-      "fireworks",
-      "fireworks-managed",
+      "together",
+      "together-managed",
     );
 
-    expect(entry.model).toBe("accounts/fireworks/models/glm-5p2");
-    expect(entry.provider_connection).toBe("fireworks-managed");
-    expect(entry.provider).toBe("fireworks");
+    expect(entry.model).toBe("MiniMaxAI/MiniMax-M3");
+    expect(entry.provider_connection).toBe("together-managed");
+    expect(entry.provider).toBe("together");
     expect(entry.label).toBe("OS Beta");
     expect(entry.source).toBe("managed");
     expect(entry.maxTokens).toBe(32000);
-    expect(entry.effort).toBe("high");
+    expect(entry.effort).toBe("low");
     expect(entry.thinking?.enabled).toBe(true);
+    expect(entry.topP).toBe(0.95);
   });
 });

package/src/__tests__/http-user-message-parity.test.ts

@@ -127,6 +127,44 @@ mock.module("../runtime/local-actor-identity.js", () => ({
     )?.principalId as string | undefined,
 }));
 
+// Capture the sourceActorPrincipalId that handleSendMessage threads into
+// shouldAttachHostProxyForCapability / preactivateHostProxySkills, so tests
+// can assert the dev-bypass translation landed before the CU proxy gate.
+// The macOS "native_support" path short-circuits before reading the
+// principal, so only web/ios turns exercise the same-actor branch.
+const hostProxyAttachCalls: Array<{
+  capability: string;
+  sourceInterface: unknown;
+  sourceActorPrincipalId: string | undefined;
+}> = [];
+const preactivateCalls: Array<{
+  sourceInterface: unknown;
+  sourceActorPrincipalId: string | undefined;
+}> = [];
+mock.module("../daemon/host-proxy-preactivation.js", () => ({
+  shouldAttachHostProxyForCapability: (
+    capability: string,
+    sourceInterface: unknown,
+    sourceActorPrincipalId: string | undefined,
+  ) => {
+    hostProxyAttachCalls.push({
+      capability,
+      sourceInterface,
+      sourceActorPrincipalId,
+    });
+    // Return false so the route skips proxy instantiation; we only care
+    // that the translated principal reached the gate.
+    return false;
+  },
+  preactivateHostProxySkills: (
+    _conversation: unknown,
+    sourceInterface: unknown,
+    sourceActorPrincipalId: string | undefined,
+  ) => {
+    preactivateCalls.push({ sourceInterface, sourceActorPrincipalId });
+  },
+}));
+
 let mockGuardians: Array<Record<string, unknown>> | null = [
   {
     channelType: "vellum",
@@ -612,4 +650,89 @@ describe("HTTP POST /v1/messages trust context from the gateway binding", () =>
     expect(ctx.trustClass).toBe("guardian");
     expect(ctx.sourceChannel).toBe("telegram");
   });
+
+  // A web turn's "dev-bypass" principal must translate to the real guardian
+  // principal before the CU/app-control same-actor proxy-attachment gate,
+  // so it matches the macOS client's SSE-registered principal.
+  test("dev-bypass is translated to the guardian principal before the CU proxy attach gate (web turn)", async () => {
+    hostProxyAttachCalls.length = 0;
+    preactivateCalls.length = 0;
+    const conversation = makeConversation();
+    const res = await callHandler(
+      (args) =>
+        handleSendMessage(args, {
+          sendMessageDeps: {
+            getOrCreateConversation: async () => conversation,
+            assistantEventHub: { publish: async () => {} } as any,
+            resolveAttachments: () => [],
+          },
+        }),
+      new Request("http://localhost/v1/messages", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-vellum-actor-principal-id": "dev-bypass",
+          "x-vellum-principal-type": "actor",
+        },
+        body: JSON.stringify({
+          conversationKey: "cu-attach-key",
+          content: "hi",
+          sourceChannel: "vellum",
+          interface: "web",
+        }),
+      }),
+      undefined,
+      202,
+    );
+    expect(res.status).toBe(202);
+
+    // The CU attach gate receives the translated guardian principal, not
+    // the raw "dev-bypass" string.
+    const cuCall = hostProxyAttachCalls.find(
+      (c) => c.capability === "host_cu",
+    );
+    expect(cuCall).toBeDefined();
+    expect(cuCall?.sourceActorPrincipalId).toBe("test-user");
+    expect(cuCall?.sourceActorPrincipalId).not.toBe("dev-bypass");
+
+    // Preactivation receives the same translated principal.
+    const preactivateCall = preactivateCalls[0];
+    expect(preactivateCall?.sourceActorPrincipalId).toBe("test-user");
+  });
+
+  test("real (non-dev-bypass) principal passes through the CU proxy attach gate unchanged", async () => {
+    hostProxyAttachCalls.length = 0;
+    const conversation = makeConversation();
+    await callHandler(
+      (args) =>
+        handleSendMessage(args, {
+          sendMessageDeps: {
+            getOrCreateConversation: async () => conversation,
+            assistantEventHub: { publish: async () => {} } as any,
+            resolveAttachments: () => [],
+          },
+        }),
+      new Request("http://localhost/v1/messages", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-vellum-actor-principal-id": "real-jwt-principal",
+          "x-vellum-principal-type": "actor",
+        },
+        body: JSON.stringify({
+          conversationKey: "cu-attach-real-key",
+          content: "hi",
+          sourceChannel: "vellum",
+          interface: "web",
+        }),
+      }),
+      undefined,
+      202,
+    );
+
+    const cuCall = hostProxyAttachCalls.find(
+      (c) => c.capability === "host_cu",
+    );
+    expect(cuCall?.sourceActorPrincipalId).toBe("real-jwt-principal");
+  });
 });

package/src/__tests__/mcp-config-secret-boundary.test.ts

@@ -0,0 +1,390 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { makeMockLogger } from "./helpers/mock-logger.js";
+
+mock.module("../util/logger.js", () => ({
+  LOG_FILE_PATTERN: /^assistant-(\d{4}-\d{2}-\d{2})\.log$/,
+  getCliLogger: () => makeMockLogger(),
+  getLogger: () => makeMockLogger(),
+  initLogger: () => {},
+  pruneOldLogFiles: () => 0,
+  truncateForLog: (value: string, maxLen = 500) => value.slice(0, maxLen),
+}));
+
+let rawConfig: Record<string, unknown> = {};
+let savedRawConfig: Record<string, unknown> | null = null;
+
+function deepMerge(
+  target: Record<string, unknown>,
+  patch: Record<string, unknown>,
+): void {
+  for (const [key, value] of Object.entries(patch)) {
+    if (
+      value !== null &&
+      typeof value === "object" &&
+      !Array.isArray(value) &&
+      target[key] !== null &&
+      typeof target[key] === "object" &&
+      !Array.isArray(target[key])
+    ) {
+      deepMerge(
+        target[key] as Record<string, unknown>,
+        value as Record<string, unknown>,
+      );
+    } else {
+      target[key] = value;
+    }
+  }
+}
+
+function setNestedValue(
+  obj: Record<string, unknown>,
+  path: string,
+  value: unknown,
+): void {
+  const keys = path.split(".");
+  let current = obj;
+  for (const key of keys.slice(0, -1)) {
+    if (
+      current[key] === null ||
+      typeof current[key] !== "object" ||
+      Array.isArray(current[key])
+    ) {
+      current[key] = {};
+    }
+    current = current[key] as Record<string, unknown>;
+  }
+  current[keys[keys.length - 1]!] = value;
+}
+
+mock.module("../config/loader.js", () => ({
+  API_KEY_PROVIDERS: [],
+  applyNestedDefaults: (config: unknown) => config,
+  loadRawConfig: () => structuredClone(savedRawConfig ?? rawConfig),
+  saveRawConfig: (raw: Record<string, unknown>) => {
+    savedRawConfig = structuredClone(raw);
+  },
+  deepMergeOverwrite: deepMerge,
+  fillContextDefaultsForMissingKeys: () => {},
+  loadConfig: () => structuredClone(savedRawConfig ?? rawConfig),
+  getConfig: () => structuredClone(savedRawConfig ?? rawConfig),
+  getConfigReadOnly: () => structuredClone(savedRawConfig ?? rawConfig),
+  getDeploymentContextDefaults: () => ({}),
+  getNestedValue: (obj: Record<string, unknown>, path: string) =>
+    path.split(".").reduce<unknown>((current, key) => {
+      if (
+        current === null ||
+        typeof current !== "object" ||
+        Array.isArray(current)
+      ) {
+        return undefined;
+      }
+      return (current as Record<string, unknown>)[key];
+    }, obj),
+  invalidateConfigCache: () => {},
+  mergeDefaultWorkspaceConfig: () => ({
+    merged: false,
+    config: structuredClone(savedRawConfig ?? rawConfig),
+  }),
+  setNestedValue,
+  withSuppressedConfigDiskWrites: async (fn: () => unknown) => fn(),
+  withSuppressedConfigDiskWritesSync: (fn: () => unknown) => fn(),
+  _writeQuarantineNotice: () => {},
+}));
+
+mock.module("../daemon/config-watcher.js", () => ({
+  getConfigWatcher: () => ({
+    suppressConfigReload: false,
+    timers: { schedule: () => {} },
+    updateFingerprint: () => {},
+  }),
+}));
+
+mock.module("../providers/registry.js", () => ({
+  clearConnectionProviderCache: () => {},
+  getProvider: () => {
+    throw new Error("provider registry mock not implemented");
+  },
+  getProviderRoutingSource: () => null,
+  initializeProviders: async () => {},
+  isNativeWebSearchCapableProvider: () => false,
+  listProviders: () => [],
+  resolveProviderFromConnection: async () => null,
+}));
+
+mock.module("../memory/embedding-backend.js", () => ({
+  EmbeddingBackendUnavailableError: class EmbeddingBackendUnavailableError extends Error {},
+  SPARSE_EMBEDDING_VERSION: 4,
+  clearEmbeddingBackendCache: () => {},
+  embedWithBackend: async () => ({
+    provider: "local",
+    model: "test",
+    vectors: [],
+  }),
+  generateSparseEmbedding: () => ({ indices: [], values: [] }),
+  getMemoryBackendStatus: async () => ({
+    enabled: false,
+    provider: null,
+    model: null,
+  }),
+  resetLocalEmbeddingFailureState: () => {},
+  selectEmbeddingBackend: async () => null,
+  selectedBackendSupportsMultimodal: async () => false,
+}));
+
+mock.module("../security/secret-allowlist.js", () => ({
+  isAllowlisted: () => false,
+  loadAllowlist: () => {},
+  resetAllowlist: () => {},
+  validateAllowlistFile: () => null,
+}));
+
+const { ROUTES } =
+  await import("../runtime/routes/conversation-query-routes.js");
+const { BadRequestError } = await import("../runtime/routes/errors.js");
+
+function findRoute(operationId: string) {
+  const route = ROUTES.find((r) => r.operationId === operationId);
+  if (!route) throw new Error(`Route not found: ${operationId}`);
+  return route;
+}
+
+const configGetRoute = findRoute("config_get");
+const configPatchRoute = findRoute("config_patch");
+const configSetRoute = findRoute("config_set");
+
+describe("MCP config secret boundary", () => {
+  beforeEach(() => {
+    rawConfig = {};
+    savedRawConfig = null;
+  });
+
+  test("config_get omits legacy MCP transport headers from settings-read responses", () => {
+    rawConfig = {
+      mcp: {
+        servers: {
+          remote: {
+            transport: {
+              type: "streamable-http",
+              url: "https://mcp.example.com",
+              headers: {
+                Authorization: "Bearer mcp-secret",
+                "X-API-Key": "mcp-api-secret",
+              },
+            },
+          },
+        },
+      },
+    };
+
+    const result = configGetRoute.handler({}) as Record<string, unknown>;
+
+    expect(JSON.stringify(result)).not.toContain("mcp-secret");
+    expect(JSON.stringify(result)).not.toContain("mcp-api-secret");
+    const mcp = result.mcp as {
+      servers: { remote: { transport: Record<string, unknown> } };
+    };
+    expect(mcp.servers.remote.transport).toEqual({
+      type: "streamable-http",
+      url: "https://mcp.example.com",
+    });
+  });
+
+  test("config_get omits headers inside malformed MCP server trees", () => {
+    rawConfig = {
+      mcp: {
+        servers: [
+          {
+            transport: {
+              headers: { Authorization: "Bearer malformed-secret" },
+            },
+          },
+        ],
+      },
+    };
+
+    const result = configGetRoute.handler({}) as Record<string, unknown>;
+
+    expect(JSON.stringify(result)).not.toContain("malformed-secret");
+    expect(result).toEqual({
+      mcp: {
+        servers: [
+          {
+            transport: {},
+          },
+        ],
+      },
+    });
+  });
+
+  test("config_get preserves an MCP server named headers", () => {
+    rawConfig = {
+      mcp: {
+        servers: {
+          headers: {
+            transport: {
+              type: "streamable-http",
+              url: "https://mcp.example.com",
+            },
+          },
+        },
+      },
+    };
+
+    const result = configGetRoute.handler({}) as Record<string, unknown>;
+
+    expect(result).toEqual(rawConfig);
+  });
+
+  test("config_get preserves non-credential headers env vars", () => {
+    rawConfig = {
+      mcp: {
+        servers: {
+          local: {
+            transport: {
+              type: "stdio",
+              command: "npx",
+              env: {
+                headers: "not-a-transport-header",
+              },
+            },
+          },
+        },
+      },
+    };
+
+    const result = configGetRoute.handler({}) as Record<string, unknown>;
+
+    expect(result).toEqual(rawConfig);
+  });
+
+  test("config_patch rejects MCP transport headers so generic writes cannot reintroduce plaintext credentials", async () => {
+    await expect(
+      configPatchRoute.handler({
+        body: {
+          mcp: {
+            servers: {
+              remote: {
+                transport: {
+                  type: "streamable-http",
+                  url: "https://mcp.example.com",
+                  headers: { Authorization: "Bearer mcp-secret" },
+                },
+              },
+            },
+          },
+        },
+      }),
+    ).rejects.toThrow(BadRequestError);
+    expect(savedRawConfig).toBeNull();
+  });
+
+  test("config_patch allows an MCP server named headers when its value has no header credentials", async () => {
+    const result = await configPatchRoute.handler({
+      body: {
+        mcp: {
+          servers: {
+            headers: {
+              transport: {
+                type: "streamable-http",
+                url: "https://mcp.example.com",
+              },
+            },
+          },
+        },
+      },
+    });
+
+    expect(result).toEqual({
+      mcp: {
+        servers: {
+          headers: {
+            transport: {
+              type: "streamable-http",
+              url: "https://mcp.example.com",
+            },
+          },
+        },
+      },
+    });
+  });
+
+  test("config_patch allows non-credential headers env vars", async () => {
+    const result = await configPatchRoute.handler({
+      body: {
+        mcp: {
+          servers: {
+            local: {
+              transport: {
+                type: "stdio",
+                command: "npx",
+                env: {
+                  headers: "not-a-transport-header",
+                },
+              },
+            },
+          },
+        },
+      },
+    });
+
+    expect(result).toEqual({
+      mcp: {
+        servers: {
+          local: {
+            transport: {
+              type: "stdio",
+              command: "npx",
+              env: {
+                headers: "not-a-transport-header",
+              },
+            },
+          },
+        },
+      },
+    });
+  });
+
+  test("config_set rejects malformed MCP server trees containing headers", async () => {
+    await expect(
+      configSetRoute.handler({
+        body: {
+          path: "mcp.servers",
+          value: [
+            {
+              transport: {
+                headers: { Authorization: "Bearer malformed-secret" },
+              },
+            },
+          ],
+        },
+      }),
+    ).rejects.toThrow(BadRequestError);
+    expect(savedRawConfig).toBeNull();
+  });
+
+  test("config_set rejects direct MCP transport header paths", async () => {
+    rawConfig = {
+      mcp: {
+        servers: {
+          remote: {
+            transport: {
+              type: "streamable-http",
+              url: "https://mcp.example.com",
+            },
+          },
+        },
+      },
+    };
+
+    await expect(
+      configSetRoute.handler({
+        body: {
+          path: "mcp.servers.remote.transport.headers.Authorization",
+          value: "Bearer mcp-secret",
+        },
+      }),
+    ).rejects.toThrow(BadRequestError);
+    expect(savedRawConfig).toBeNull();
+  });
+});

package/src/config/__tests__/sync-gated-profiles.test.ts

@@ -109,10 +109,13 @@ describe("reconcileFlagGatedProfiles", () => {
 
     const raw = readConfig();
     const osBeta = raw.llm.profiles["os-beta"]!;
-    expect(osBeta.model).toBe("accounts/fireworks/models/glm-5p2");
-    expect(osBeta.provider_connection).toBe("fireworks-managed");
+    expect(osBeta.model).toBe("MiniMaxAI/MiniMax-M3");
+    expect(osBeta.provider_connection).toBe("together-managed");
+    expect(osBeta.provider).toBe("together");
     expect(osBeta.source).toBe("managed");
     expect(osBeta.label).toBe("OS Beta");
+    expect(osBeta.effort).toBe("low");
+    expect(osBeta.topP).toBe(0.95);
 
     const order = raw.llm.profileOrder;
     expect(order.indexOf("os-beta")).toBe(order.indexOf("balanced") + 1);
@@ -128,6 +131,7 @@ describe("reconcileFlagGatedProfiles", () => {
     expect(osBeta.status).toBe("disabled");
     expect(osBeta.label).toBe("OS Beta (Managed)");
     expect(osBeta.source).toBe("managed");
+    expect(osBeta.effort).toBe("low");
   });
 
   test("flag on is idempotent across repeated runs", () => {
@@ -150,6 +154,7 @@ describe("reconcileFlagGatedProfiles", () => {
     raw.llm.profiles["os-beta"]!.label = "My OS Beta";
     raw.llm.profiles["os-beta"]!.status = "disabled";
     raw.llm.profiles["os-beta"]!.advisorEnabled = true;
+    raw.llm.profiles["os-beta"]!.topP = 0.8;
     writeConfig(raw);
     invalidateConfigCache();
 
@@ -159,7 +164,10 @@ describe("reconcileFlagGatedProfiles", () => {
     expect(after.label).toBe("My OS Beta");
     expect(after.status).toBe("disabled");
     expect(after.advisorEnabled).toBe(true);
-    expect(after.model).toBe("accounts/fireworks/models/glm-5p2");
+    expect(after.topP).toBe(0.8);
+    expect(after.model).toBe("MiniMaxAI/MiniMax-M3");
+    expect(after.provider_connection).toBe("together-managed");
+    expect(after.effort).toBe("low");
   });
 
   test("flag off removes a managed os-beta and applies fallbacks", () => {

package/src/config/feature-flag-registry.json

@@ -415,7 +415,7 @@
       "scope": "assistant",
       "key": "os-beta",
       "label": "OS Beta",
-      "description": "Enable the OS Beta model profile (GLM 5.2 / Fireworks) in the assistant's model profile selection.",
+      "description": "Enable the OS Beta model profile (MiniMax M3 / Together) in the assistant's model profile selection.",
       "defaultEnabled": false
     }
   ]

package/src/config/seed-inference-profiles.ts

@@ -164,19 +164,20 @@ export const OS_BETA_FEATURE_FLAG_KEY = "os-beta";
  * Flag-gated managed profile. NOT in MANAGED_PROFILE_TEMPLATES, so the
  * unconditional boot seed never creates it. Reconciled in/out by
  * the flag-gated profile reconcile based on the `os-beta` feature flag.
- * Balanced-parity defaults; GLM 5.2 pinned explicitly via `model`.
+ * Balanced defaults, with lower reasoning effort while the profile is in beta.
  */
 export const OS_BETA_PROFILE_TEMPLATE: ManagedProfileTemplate = {
-  model: "accounts/fireworks/models/glm-5p2",
-  provider: "fireworks",
-  connectionName: "fireworks-managed",
+  intent: "balanced",
+  provider: "together",
+  connectionName: "together-managed",
   source: "managed",
   label: "OS Beta",
-  description: "Open-source frontier model (GLM 5.2), in beta",
+  description: "Good balance of quality, cost, and speed, in beta",
   maxTokens: 32000,
-  effort: "high",
+  effort: "low",
   thinking: { enabled: true, streamThinking: true },
   contextWindow: { maxInputTokens: DEFAULT_CONTEXT_WINDOW_MAX_INPUT_TOKENS },
+  topP: 0.95,
 };
 
 // Membership here marks a name as managed. The route layer applies managed

package/src/config/sync-gated-profiles.ts

@@ -23,12 +23,12 @@ const log = getLogger("sync-gated-profiles");
  * Reconcile flag-gated managed profiles against the current feature-flag state.
  *
  * `seedInferenceProfiles()` runs synchronously at boot before feature flags are
- * available, so the OS Beta profile (GLM 5.2 / fireworks-managed) is materialized
- * here once flags have loaded. When the `os-beta` flag is on, the managed profile
- * is created (ordered right after `balanced`); when it is off, a previously
- * managed entry is removed with `profileOrder` / `activeProfile` / `advisorProfile`
- * fallbacks. The reconcile is idempotent and never touches a user-owned profile of
- * the same name.
+ * available, so the OS Beta profile (MiniMax M3 / together-managed) is
+ * materialized here once flags have loaded. When the `os-beta` flag is on, the
+ * managed profile is created (ordered right after `balanced`); when it is off, a
+ * previously managed entry is removed with `profileOrder` / `activeProfile` /
+ * `advisorProfile` fallbacks. The reconcile is idempotent and never touches a
+ * user-owned profile of the same name.
  *
  * Returns whether the on-disk config changed.
  */
@@ -105,23 +105,22 @@ function enableProfile(
     OS_BETA_PROFILE_TEMPLATE.connectionName,
   ) as Record<string, unknown>;
 
-  // BYOK installs seed managed profiles disabled: the platform-auth
-  // `fireworks-managed` connection backing this profile isn't usable until the
-  // user enables it, so a fresh OS Beta entry starts disabled to avoid offering
-  // an unusable route. A user's own status override (preserved below) wins on
-  // later reconciles.
+  // BYOK installs seed managed profiles disabled: the managed inference
+  // connection backing this profile isn't usable until the user enables it, so a
+  // fresh OS Beta entry starts disabled to avoid offering an unusable route. A
+  // user's own status override (preserved below) wins on later reconciles.
   if (isByokMode && !previous) {
     next.status = "disabled";
   }
 
   if (previous) {
-    // The only fields a user may override on a managed profile. Carry `label`
-    // by key-presence so an explicit null (user cleared it) survives too.
+    // Preserve user-owned overrides across reconciles.
     if ("label" in previous) next.label = previous.label;
     if ("status" in previous) next.status = previous.status;
     if ("advisorEnabled" in previous) {
       next.advisorEnabled = previous.advisorEnabled;
     }
+    if ("topP" in previous) next.topP = previous.topP;
   }
 
   let changed = false;

package/src/daemon/assistant-attachments.ts

@@ -284,6 +284,19 @@ interface VellumLinkExtractResult {
  * markdown links from assistant text and return corresponding directive
  * requests. The text is NOT modified — the links remain as rendered markdown.
  */
+/**
+ * Decode a vellum:// path segment, returning null on malformed percent-encoding
+ * (e.g. a literal `%` not followed by two hex digits). This prevents a single
+ * bad link from throwing URIError and aborting the entire assistant message.
+ */
+function safeDecodePath(rawPath: string): string | null {
+  try {
+    return decodeURIComponent(rawPath);
+  } catch {
+    return null;
+  }
+}
+
 export function extractVellumLinks(text: string): VellumLinkExtractResult {
   const directiveRequests: DirectiveRequest[] = [];
   const parseWarnings: string[] = [];
@@ -294,9 +307,19 @@ export function extractVellumLinks(text: string): VellumLinkExtractResult {
     const authority = m[2]!;
     const rawPath = m[3]!;
 
+    const decodedPath = safeDecodePath(rawPath);
+    if (decodedPath === null) {
+      parseWarnings.push(
+        `Ignored vellum://${authority} link "${linkText}": malformed percent-encoding in path.`,
+      );
+      continue;
+    }
+
     if (authority === "workspace") {
       // Strip the leading "/" to get a workspace-relative path
-      const path = rawPath.startsWith("/") ? rawPath.slice(1) : rawPath;
+      const path = decodedPath.startsWith("/")
+        ? decodedPath.slice(1)
+        : decodedPath;
       if (!path) {
         parseWarnings.push(
           `Ignored vellum://workspace link "${linkText}": empty path.`,
@@ -310,8 +333,8 @@ export function extractVellumLinks(text: string): VellumLinkExtractResult {
         mimeType: undefined,
       });
     } else {
-      // host: rawPath is already absolute (starts with /)
-      if (!rawPath || rawPath === "/") {
+      // host: decodedPath is already absolute (starts with /)
+      if (!decodedPath || decodedPath === "/") {
         parseWarnings.push(
           `Ignored vellum://host link "${linkText}": empty path.`,
         );
@@ -319,7 +342,7 @@ export function extractVellumLinks(text: string): VellumLinkExtractResult {
       }
       directiveRequests.push({
         source: "host",
-        path: rawPath,
+        path: decodedPath,
         filename: linkText || undefined,
         mimeType: undefined,
       });

package/src/onboarding/checkin-event.test.ts

@@ -54,6 +54,8 @@ describe("buildCheckinDescription", () => {
     expect(html).toContain(
       "https://www.vellum.ai/assistant/conversations/uuid-123?prompt=What%20would%20you%20recommend",
     );
+    // Carries onboarding attribution for the calendar-event CTA.
+    expect(html).toContain("&utm_source=onboarding&utm_medium=calendar_event");
     // Only sanitization-safe tags; the CTA is a bold link, not a styled button.
     expect(html).toContain("<a href=");
     expect(html).toContain("<strong>");

package/src/onboarding/checkin-event.ts

@@ -66,7 +66,7 @@ export function buildCheckinTitle({
  * (`uuid`) pre-seeded with the first-week prompt.
  */
 export function buildCheckinDescription(uuid: string): string {
-  const href = `https://www.vellum.ai/assistant/conversations/${uuid}?prompt=${CTA_ENCODED_PROMPT}`;
+  const href = `https://www.vellum.ai/assistant/conversations/${uuid}?prompt=${CTA_ENCODED_PROMPT}&utm_source=onboarding&utm_medium=calendar_event`;
   return [
     "<p>👋 <strong>Hi, it was great to meet you properly.</strong></p>",
     "<p>You just set me up, and I've already started learning <strong>what you're working on</strong>. This 15 minutes is the natural place to put that to work. I'll walk you through one thing I'd like to do for you this week.</p>",

package/src/runtime/routes/conversation-query-routes.ts

@@ -486,6 +486,74 @@ function readPlainObject(value: unknown): Record<string, unknown> | undefined {
   return value as Record<string, unknown>;
 }
 
+function stripTransportHeadersRecursively(value: unknown): void {
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      stripTransportHeadersRecursively(item);
+    }
+    return;
+  }
+
+  const object = readPlainObject(value);
+  if (!object) return;
+  const transport = readPlainObject(object.transport);
+  if (transport) delete transport.headers;
+  for (const child of Object.values(object)) {
+    stripTransportHeadersRecursively(child);
+  }
+}
+
+function containsTransportHeadersRecursively(value: unknown): boolean {
+  if (Array.isArray(value)) {
+    return value.some((item) => containsTransportHeadersRecursively(item));
+  }
+
+  const object = readPlainObject(value);
+  if (!object) return false;
+  const transport = readPlainObject(object.transport);
+  if (transport && Object.hasOwn(transport, "headers")) return true;
+  return Object.values(object).some((child) =>
+    containsTransportHeadersRecursively(child),
+  );
+}
+
+function sanitizeMcpTransportHeadersForSettingsRead(config: unknown): void {
+  const root = readPlainObject(config);
+  if (!root) return;
+  const mcp = readPlainObject(root.mcp);
+  if (!mcp || !Object.hasOwn(mcp, "servers")) return;
+  if (Array.isArray(mcp.servers)) {
+    stripTransportHeadersRecursively(mcp.servers);
+    return;
+  }
+  const servers = readPlainObject(mcp.servers);
+  if (!servers) return;
+  for (const server of Object.values(servers)) {
+    stripTransportHeadersRecursively(server);
+  }
+}
+
+function patchContainsMcpTransportHeaders(patch: unknown): boolean {
+  const root = readPlainObject(patch);
+  const mcp = readPlainObject(root?.mcp);
+  if (!mcp || !Object.hasOwn(mcp, "servers")) return false;
+  if (Array.isArray(mcp.servers)) {
+    return containsTransportHeadersRecursively(mcp.servers);
+  }
+  const servers = readPlainObject(mcp.servers);
+  if (!servers) return false;
+  return Object.values(servers).some((server) =>
+    containsTransportHeadersRecursively(server),
+  );
+}
+
+function rejectMcpTransportHeaderWrite(patch: unknown): void {
+  if (!patchContainsMcpTransportHeaders(patch)) return;
+  throw new BadRequestError(
+    "MCP authentication headers must be managed through MCP server add/update APIs, not generic config writes.",
+  );
+}
+
 const WireProfileEntry = ProfileEntry.extend({
   supportsVision: z.boolean().optional(),
 })
@@ -688,6 +756,7 @@ const ConfigPatchRequestSchema = z
 function handleGetConfig() {
   try {
     const config = applyContextDefaultsToRawConfig(loadRawConfig());
+    sanitizeMcpTransportHeadersForSettingsRead(config);
     enrichProfilesWithVisionFlag(config);
     return config;
   } catch (err) {
@@ -840,6 +909,7 @@ async function handlePatchConfig({ body }: RouteHandlerArgs) {
     throw new BadRequestError("Body must be a non-empty JSON object");
   }
   rejectManagedProfileDeletion(body as Record<string, unknown>);
+  rejectMcpTransportHeaderWrite(body);
 
   const raw = loadRawConfig();
   const patch = body as Record<string, unknown>;
@@ -848,6 +918,7 @@ async function handlePatchConfig({ body }: RouteHandlerArgs) {
   await commitConfigWrite(raw, "patch");
 
   const merged = applyContextDefaultsToRawConfig(loadRawConfig());
+  sanitizeMcpTransportHeadersForSettingsRead(merged);
   enrichProfilesWithVisionFlag(merged);
   return merged;
 }
@@ -892,6 +963,7 @@ async function handleSetConfig({ body }: RouteHandlerArgs) {
   const patchShape: Record<string, unknown> = {};
   setNestedValue(patchShape, path, value);
   rejectManagedProfileDeletion(patchShape);
+  rejectMcpTransportHeaderWrite(patchShape);
 
   const raw = loadRawConfig();
   setNestedValue(raw, path, value);

package/src/runtime/routes/conversation-routes.ts

@@ -135,7 +135,10 @@ import type {
   RuntimeMessagePayload,
   SendMessageDeps,
 } from "../http-types.js";
-import { findLocalGuardianPrincipalId } from "../local-actor-identity.js";
+import {
+  findLocalGuardianPrincipalId,
+  resolveActorPrincipalIdForLocalGuardian,
+} from "../local-actor-identity.js";
 import { resolveLocalPrincipalTrustContext } from "../local-principal-trust.js";
 import * as pendingInteractions from "../pending-interactions.js";
 import {
@@ -1509,10 +1512,13 @@ export async function handleSendMessage(
   }
 
   const isInteractive = isInteractiveInterface(sourceInterface);
-  // Use the JWT-verified requester principal — not guardianPrincipalId,
-  // which is the workspace owner and would let a trusted contact's web
-  // turn match against the guardian's macOS client.
-  const sourceActorPrincipalId = actorPrincipalId ?? undefined;
+  // Translate the dev-bypass actor principal to the real guardian principal
+  // before the same-actor host-proxy gate so web/iOS turns match the macOS
+  // client's SSE-registered principal. No-op for real JWT principals in
+  // non-dev-bypass deployments.
+  const sourceActorPrincipalId = await resolveActorPrincipalIdForLocalGuardian(
+    actorPrincipalId ?? undefined,
+  );
   // Bash/File/Transfer singletons are globally available via isAvailable() —
   // no per-conversation gating needed. CU is per-conversation (owns step
   // count, AX tree history, loop detection).