@vellumai/assistant 0.10.2-dev.202606250318.5e7cfb0 → 0.10.2

package/src/runtime/invite-redemption-service.ts

@@ -7,15 +7,11 @@
  * persisted, or returned in the outcome.
  */
 
-import {
-  getInboundTrustVerdict,
-  getPhoneCallerVerdict,
-} from "../calls/inbound-trust-reader.js";
 import type { ChannelId } from "../channels/types.js";
 import { findContactChannel, getContact } from "../contacts/contact-store.js";
-import { activateMemberChannel } from "../contacts/member-write-relay.js";
-import type { ChannelStatus } from "../contacts/types.js";
+import { upsertContactChannel } from "../contacts/contacts-write.js";
 import { ipcCallPersistent } from "../ipc/gateway-client.js";
+import { getSqlite } from "../memory/db-connection.js";
 import {
   findActiveVoiceInvites,
   findByInviteCodeHash,
@@ -27,27 +23,9 @@ import {
 import { canonicalizeInboundIdentity } from "../util/canonicalize-identity.js";
 import { getLogger } from "../util/logger.js";
 import { hashVoiceCode } from "../util/voice-code.js";
-import { verdictMemberFromVerdict } from "./trust-verdict-consumer.js";
 
 const log = getLogger("invite-redemption-service");
 
-/**
- * Resolve the sender's existing member status for the already_member/blocked
- * gate from the gateway trust verdict. Falls back to the local channel status
- * when the verdict is absent or carries no resolvable member status (e.g. an
- * externalChatId-only match or a resolutionFailed verdict), so a locally
- * blocked contact can't bypass the gate.
- */
-export async function resolveMemberGateStatus(
-  verdict: Awaited<ReturnType<typeof getInboundTrustVerdict>>,
-  localChannelStatus: ChannelStatus | null,
-): Promise<ChannelStatus | null> {
-  const memberStatus = verdict
-    ? verdictMemberFromVerdict(verdict)?.status
-    : null;
-  return memberStatus ?? localChannelStatus;
-}
-
 // ---------------------------------------------------------------------------
 // Gateway lifecycle bridge (shared by all redemption paths)
 // ---------------------------------------------------------------------------
@@ -240,22 +218,18 @@ export async function redeemInvite(params: {
   const targetMismatch =
     existingContact && existingContact.id !== invite.contactId;
 
-  const gateStatus = await resolveMemberGateStatus(
-    await getInboundTrustVerdict({
-      channelType: sourceChannel as ChannelId,
-      actorExternalId: canonicalUserId,
-    }),
-    existingChannel?.status ?? null,
-  );
-
-  if (existingChannel && gateStatus === "active" && !targetMismatch) {
+  if (
+    existingChannel &&
+    existingChannel.status === "active" &&
+    !targetMismatch
+  ) {
     return { ok: true, type: "already_member", memberId: existingChannel.id };
   }
 
   // Blocked members cannot bypass the guardian's explicit block via invite
   // links. Return the same generic failure as an invalid token to avoid
   // leaking membership status to the caller.
-  if (existingChannel && gateStatus === "blocked") {
+  if (existingChannel && existingChannel.status === "blocked") {
     return { ok: false, reason: "invalid_token" };
   }
 
@@ -273,10 +247,14 @@ export async function redeemInvite(params: {
     return { ok: false, reason: "invalid_token" };
   }
 
-  // Inactive member reactivation: when the user already has a member record in
-  // a non-active state (revoked/pending), reactivate it gateway-first then
-  // consume an invite use. The fresh-member path below mirrors this.
+  // Inactive member reactivation: when the user already has a member record
+  // in a non-active state (revoked/pending), reactivate it via upsertContactChannel
+  // and consume an invite use atomically. The fresh-member path below also
+  // uses upsertContactChannel to keep contacts in sync.
   if (existingChannel && !targetMismatch) {
+    // Sentinel error used to trigger a transaction rollback when the invite
+    // was concurrently revoked/expired between pre-validation and write time.
+    const STALE_INVITE = Symbol("stale_invite");
     const canonicalMemberId = existingChannel.address;
     const canonicalCallerId = externalUserId
       ? canonicalizeInboundIdentity(sourceChannel as ChannelId, externalUserId)
@@ -288,17 +266,42 @@ export async function redeemInvite(params: {
         ? existingContact.displayName
         : displayName;
 
-    // Consume the assistant invite use BEFORE activating the member, so a
-    // concurrent revoke/exhaustion (recordInviteUse returns false) leaves no
-    // active member behind.
+    let reactivated: ReturnType<typeof upsertContactChannel> | undefined;
     try {
-      if (
-        !recordInviteUse({ inviteId: invite.id, externalUserId, externalChatId })
-      ) {
-        // Invite revoked/expired between pre-validation and write.
+      getSqlite()
+        .transaction(() => {
+          reactivated = upsertContactChannel({
+            sourceChannel,
+            externalUserId,
+            externalChatId,
+            // Reactivation should not overwrite a guardian-managed nickname.
+            displayName: preservedDisplayName,
+            username,
+            role: "contact",
+            status: "active",
+            policy: "allow",
+            inviteId: invite.id,
+            verifiedAt: Date.now(),
+            verifiedVia: "invite",
+            contactId: invite.contactId,
+          });
+
+          const recorded = recordInviteUse({
+            inviteId: invite.id,
+            externalUserId,
+            externalChatId,
+          });
+
+          // If the invite was revoked/expired between pre-validation and this
+          // write, recordInviteUse returns false — throw to roll back the
+          // member reactivation so the DB stays consistent.
+          if (!recorded) throw STALE_INVITE;
+        })
+        .immediate();
+    } catch (err) {
+      if (err === STALE_INVITE) {
         return { ok: false, reason: "invalid_token" };
       }
-    } catch (err) {
       // Rare: the gateway claim already consumed the row but the assistant
       // mutation failed — a recoverable wasted gateway use; no cross-process
       // rollback is attempted.
@@ -309,30 +312,10 @@ export async function redeemInvite(params: {
       throw err;
     }
 
-    // Gateway-first: activate the member channel on the authoritative gateway
-    // before the assistant DB; the local mirror is best-effort.
-    const reactivated = await activateMemberChannel({
-      sourceChannel,
-      externalUserId,
-      externalChatId,
-      // Reactivation should not overwrite a guardian-managed nickname.
-      displayName: preservedDisplayName,
-      username,
-      policy: "allow",
-      inviteId: invite.id,
-      verifiedAt: Date.now(),
-      verifiedVia: "invite",
-      contactId: invite.contactId,
-    });
-
-    if (reactivated.status === "refused") {
-      return { ok: false, reason: "invalid_token" };
-    }
-
     return {
       ok: true,
       type: "redeemed",
-      memberId: reactivated.memberId,
+      memberId: reactivated!.channel.id,
       inviteId: invite.id,
     };
   }
@@ -349,17 +332,39 @@ export async function redeemInvite(params: {
     }
   }
 
-  // Consume the assistant invite use BEFORE activating the member, so a
-  // concurrent revoke/exhaustion (recordInviteUse returns false) leaves no
-  // active member behind.
+  const STALE_INVITE_FRESH = Symbol("stale_invite_fresh");
+  let freshResult: ReturnType<typeof upsertContactChannel> | undefined;
   try {
-    if (
-      !recordInviteUse({ inviteId: invite.id, externalUserId, externalChatId })
-    ) {
-      // Invite revoked/expired between pre-validation and write.
+    getSqlite()
+      .transaction(() => {
+        freshResult = upsertContactChannel({
+          sourceChannel,
+          externalUserId,
+          externalChatId,
+          displayName: freshDisplayName,
+          username,
+          role: "contact",
+          status: "active",
+          policy: "allow",
+          inviteId: invite.id,
+          verifiedAt: Date.now(),
+          verifiedVia: "invite",
+          contactId: invite.contactId,
+        });
+
+        const recorded = recordInviteUse({
+          inviteId: invite.id,
+          externalUserId,
+          externalChatId,
+        });
+
+        if (!recorded) throw STALE_INVITE_FRESH;
+      })
+      .immediate();
+  } catch (err) {
+    if (err === STALE_INVITE_FRESH) {
       return { ok: false, reason: "invalid_token" };
     }
-  } catch (err) {
     // Rare: gateway claim succeeded but the assistant mutation failed — a
     // recoverable wasted gateway use; no cross-process rollback attempted.
     log.error(
@@ -369,29 +374,10 @@ export async function redeemInvite(params: {
     throw err;
   }
 
-  // Gateway-first: activate the member channel on the authoritative gateway
-  // before the assistant DB; the local mirror is best-effort.
-  const freshResult = await activateMemberChannel({
-    sourceChannel,
-    externalUserId,
-    externalChatId,
-    displayName: freshDisplayName,
-    username,
-    policy: "allow",
-    inviteId: invite.id,
-    verifiedAt: Date.now(),
-    verifiedVia: "invite",
-    contactId: invite.contactId,
-  });
-
-  if (freshResult.status === "refused") {
-    return { ok: false, reason: "invalid_token" };
-  }
-
   return {
     ok: true,
     type: "redeemed",
-    memberId: freshResult.memberId,
+    memberId: freshResult!.channel.id,
     inviteId: invite.id,
   };
 }
@@ -479,12 +465,11 @@ export async function redeemVoiceInviteCode(params: {
   // should bind the sender's identity to the target contact, not the existing one.
   const targetMismatch = voiceContact && voiceContact.id !== invite.contactId;
 
-  const gateStatus = await resolveMemberGateStatus(
-    await getPhoneCallerVerdict(canonicalCallerId),
-    existingVoiceChannel?.status ?? null,
-  );
-
-  if (existingVoiceChannel && gateStatus === "active" && !targetMismatch) {
+  if (
+    existingVoiceChannel &&
+    existingVoiceChannel.status === "active" &&
+    !targetMismatch
+  ) {
     return {
       ok: true,
       type: "already_member",
@@ -493,7 +478,7 @@ export async function redeemVoiceInviteCode(params: {
   }
 
   // Blocked members cannot bypass the guardian's explicit block
-  if (existingVoiceChannel && gateStatus === "blocked") {
+  if (existingVoiceChannel && existingVoiceChannel.status === "blocked") {
     return { ok: false, reason: "invalid_or_expired" };
   }
 
@@ -511,6 +496,10 @@ export async function redeemVoiceInviteCode(params: {
     return { ok: false, reason: "invalid_or_expired" };
   }
 
+  // Atomic redemption: upsert member + consume invite use in a transaction
+  const STALE_INVITE = Symbol("stale_invite");
+  let memberId: string | undefined;
+
   // When the invite targets a specific contact, preserve the target contact's
   // guardian-assigned display name if it has one.
   let preservedDisplayName = voiceContact?.displayName?.trim().length
@@ -523,20 +512,36 @@ export async function redeemVoiceInviteCode(params: {
     }
   }
 
-  // Consume the assistant invite use BEFORE activating the member, so a
-  // concurrent revoke/exhaustion (recordInviteUse returns false) leaves no
-  // active member behind.
   try {
-    if (
-      !recordInviteUse({
-        inviteId: invite.id,
-        externalUserId: callerExternalUserId,
+    getSqlite()
+      .transaction(() => {
+        const writeResult = upsertContactChannel({
+          sourceChannel: "phone",
+          externalUserId: callerExternalUserId,
+          externalChatId: callerExternalUserId,
+          displayName: preservedDisplayName,
+          role: "contact",
+          status: "active",
+          policy: "allow",
+          inviteId: invite.id,
+          verifiedAt: Date.now(),
+          verifiedVia: "invite",
+          contactId: invite.contactId,
+        });
+        memberId = writeResult!.channel.id;
+
+        const recorded = recordInviteUse({
+          inviteId: invite.id,
+          externalUserId: callerExternalUserId,
+        });
+
+        if (!recorded) throw STALE_INVITE;
       })
-    ) {
-      // Invite revoked/expired between pre-validation and write.
+      .immediate();
+  } catch (err) {
+    if (err === STALE_INVITE) {
       return { ok: false, reason: "invalid_or_expired" };
     }
-  } catch (err) {
     // Rare: gateway claim succeeded but the assistant mutation failed — a
     // recoverable wasted gateway use; no cross-process rollback attempted.
     log.error(
@@ -546,28 +551,10 @@ export async function redeemVoiceInviteCode(params: {
     throw err;
   }
 
-  // Gateway-first: activate the member channel on the authoritative gateway
-  // before the assistant DB; the local mirror is best-effort.
-  const writeResult = await activateMemberChannel({
-    sourceChannel: "phone",
-    externalUserId: callerExternalUserId,
-    externalChatId: callerExternalUserId,
-    displayName: preservedDisplayName,
-    policy: "allow",
-    inviteId: invite.id,
-    verifiedAt: Date.now(),
-    verifiedVia: "invite",
-    contactId: invite.contactId,
-  });
-
-  if (writeResult.status === "refused") {
-    return { ok: false, reason: "invalid_or_expired" };
-  }
-
   return {
     ok: true,
     type: "redeemed",
-    memberId: writeResult.memberId,
+    memberId: memberId!,
     inviteId: invite.id,
   };
 }
@@ -652,22 +639,18 @@ export async function redeemInviteByCode(params: {
   const targetMismatch =
     existingContact && existingContact.id !== invite.contactId;
 
-  const gateStatus = await resolveMemberGateStatus(
-    await getInboundTrustVerdict({
-      channelType: sourceChannel as ChannelId,
-      actorExternalId: canonicalUserId,
-    }),
-    existingChannel?.status ?? null,
-  );
-
-  if (existingChannel && gateStatus === "active" && !targetMismatch) {
+  if (
+    existingChannel &&
+    existingChannel.status === "active" &&
+    !targetMismatch
+  ) {
     return { ok: true, type: "already_member", memberId: existingChannel.id };
   }
 
   // Blocked members cannot bypass the guardian's explicit block via invite
   // codes. Return the same generic failure as an invalid token to avoid
   // leaking membership status to the caller.
-  if (existingChannel && gateStatus === "blocked") {
+  if (existingChannel && existingChannel.status === "blocked") {
     return { ok: false, reason: "invalid_token" };
   }
 
@@ -684,9 +667,10 @@ export async function redeemInviteByCode(params: {
     return { ok: false, reason: "invalid_token" };
   }
 
-  // Inactive member reactivation: reactivate gateway-first, then consume an
-  // invite use.
+  // Inactive member reactivation: reactivate via upsertContactChannel and consume
+  // an invite use atomically.
   if (existingChannel && !targetMismatch) {
+    const STALE_INVITE_REACTIVATE = Symbol("stale_invite_reactivate");
     const canonicalMemberId = existingChannel.address;
     const canonicalCallerId = externalUserId
       ? canonicalizeInboundIdentity(sourceChannel as ChannelId, externalUserId)
@@ -698,17 +682,38 @@ export async function redeemInviteByCode(params: {
         ? existingContact.displayName
         : displayName;
 
-    // Consume the assistant invite use BEFORE activating the member, so a
-    // concurrent revoke/exhaustion (recordInviteUse returns false) leaves no
-    // active member behind.
+    let reactivated: ReturnType<typeof upsertContactChannel> | undefined;
     try {
-      if (
-        !recordInviteUse({ inviteId: invite.id, externalUserId, externalChatId })
-      ) {
-        // Invite revoked/expired between pre-validation and write.
+      getSqlite()
+        .transaction(() => {
+          reactivated = upsertContactChannel({
+            sourceChannel,
+            externalUserId,
+            externalChatId,
+            displayName: preservedDisplayName,
+            username,
+            role: "contact",
+            status: "active",
+            policy: "allow",
+            inviteId: invite.id,
+            verifiedAt: Date.now(),
+            verifiedVia: "invite",
+            contactId: invite.contactId,
+          });
+
+          const recorded = recordInviteUse({
+            inviteId: invite.id,
+            externalUserId,
+            externalChatId,
+          });
+
+          if (!recorded) throw STALE_INVITE_REACTIVATE;
+        })
+        .immediate();
+    } catch (err) {
+      if (err === STALE_INVITE_REACTIVATE) {
         return { ok: false, reason: "invalid_token" };
       }
-    } catch (err) {
       // Rare: gateway claim succeeded but the assistant mutation failed — a
       // recoverable wasted gateway use; no cross-process rollback attempted.
       log.error(
@@ -718,29 +723,10 @@ export async function redeemInviteByCode(params: {
       throw err;
     }
 
-    // Gateway-first: activate the member channel on the authoritative gateway
-    // before the assistant DB; the local mirror is best-effort.
-    const reactivated = await activateMemberChannel({
-      sourceChannel,
-      externalUserId,
-      externalChatId,
-      displayName: preservedDisplayName,
-      username,
-      policy: "allow",
-      inviteId: invite.id,
-      verifiedAt: Date.now(),
-      verifiedVia: "invite",
-      contactId: invite.contactId,
-    });
-
-    if (reactivated.status === "refused") {
-      return { ok: false, reason: "invalid_token" };
-    }
-
     return {
       ok: true,
       type: "redeemed",
-      memberId: reactivated.memberId,
+      memberId: reactivated!.channel.id,
       inviteId: invite.id,
     };
   }
@@ -757,17 +743,39 @@ export async function redeemInviteByCode(params: {
     }
   }
 
-  // Consume the assistant invite use BEFORE activating the member, so a
-  // concurrent revoke/exhaustion (recordInviteUse returns false) leaves no
-  // active member behind.
+  const STALE_INVITE_FRESH = Symbol("stale_invite_fresh");
+  let freshResult: ReturnType<typeof upsertContactChannel> | undefined;
   try {
-    if (
-      !recordInviteUse({ inviteId: invite.id, externalUserId, externalChatId })
-    ) {
-      // Invite revoked/expired between pre-validation and write.
+    getSqlite()
+      .transaction(() => {
+        freshResult = upsertContactChannel({
+          sourceChannel,
+          externalUserId,
+          externalChatId,
+          displayName: freshDisplayName,
+          username,
+          role: "contact",
+          status: "active",
+          policy: "allow",
+          inviteId: invite.id,
+          verifiedAt: Date.now(),
+          verifiedVia: "invite",
+          contactId: invite.contactId,
+        });
+
+        const recorded = recordInviteUse({
+          inviteId: invite.id,
+          externalUserId,
+          externalChatId,
+        });
+
+        if (!recorded) throw STALE_INVITE_FRESH;
+      })
+      .immediate();
+  } catch (err) {
+    if (err === STALE_INVITE_FRESH) {
       return { ok: false, reason: "invalid_token" };
     }
-  } catch (err) {
     // Rare: gateway claim succeeded but the assistant mutation failed — a
     // recoverable wasted gateway use; no cross-process rollback attempted.
     log.error(
@@ -777,29 +785,10 @@ export async function redeemInviteByCode(params: {
     throw err;
   }
 
-  // Gateway-first: activate the member channel on the authoritative gateway
-  // before the assistant DB; the local mirror is best-effort.
-  const freshResult = await activateMemberChannel({
-    sourceChannel,
-    externalUserId,
-    externalChatId,
-    displayName: freshDisplayName,
-    username,
-    policy: "allow",
-    inviteId: invite.id,
-    verifiedAt: Date.now(),
-    verifiedVia: "invite",
-    contactId: invite.contactId,
-  });
-
-  if (freshResult.status === "refused") {
-    return { ok: false, reason: "invalid_token" };
-  }
-
   return {
     ok: true,
     type: "redeemed",
-    memberId: freshResult.memberId,
+    memberId: freshResult!.channel.id,
     inviteId: invite.id,
   };
 }