@vellumai/assistant 0.10.2-dev.202606250318.5e7cfb0 → 0.10.2

package/src/runtime/local-actor-identity.ts

@@ -14,11 +14,6 @@
 import type { ChannelId } from "../channels/types.js";
 import { isHttpAuthDisabled } from "../config/env.js";
 import { findGuardianForChannel } from "../contacts/contact-store.js";
-import {
-  getGuardianDelivery,
-  guardianForChannel,
-  peekCachedGuardianDelivery,
-} from "../contacts/guardian-delivery-reader.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 import { getLogger } from "../util/logger.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "./assistant-scope.js";
@@ -50,48 +45,13 @@ export function buildLocalAuthContext(conversationId: string): AuthContext {
 }
 
 /**
- * Resolve the local vellum guardian's principalId from the gateway.
+ * Look up the local vellum guardian's principalId from the contacts table.
  *
- * The gateway owns guardian binding; this reads it through the cached
- * `getGuardianDelivery` reader (PR-3 TTL + single-flight) so hot paths don't
- * storm the IPC. Falls back to the local contacts table for the bootstrap /
- * first-run window where the gateway has no guardian yet or is unreachable
- * (the reader returns `null`).
- *
- * Returns `undefined` when no vellum guardian binding exists in either source
- * (e.g. fresh install before bootstrap). Callers should treat that case as
+ * Returns `undefined` when no vellum guardian binding exists (e.g. fresh
+ * install before bootstrap). Callers should treat that case as
  * "not yet available" and either fall back or proceed without a principalId.
  */
-export async function findLocalGuardianPrincipalId(): Promise<
-  string | undefined
-> {
-  const list = await getGuardianDelivery({ channelTypes: ["vellum"] });
-  if (list) {
-    const principalId = guardianForChannel(list, "vellum")?.principalId;
-    if (principalId) return principalId;
-  }
-
-  return findLocalGuardianPrincipalIdFromStore();
-}
-
-/**
- * Synchronous read of the vellum guardian's principalId for paths that cannot
- * await {@link findLocalGuardianPrincipalId} — namely the SSE eager-subscribe
- * path (`events-routes`), which registers before the stream is created.
- *
- * Reads the same gateway-owned binding as the async path via a sync, IO-free
- * snapshot of the guardian-delivery cache (kept fresh by the async hot paths
- * and event-driven invalidation), so SSE registers the SAME principal the
- * send/result routes resolve. Falls back to the local store when the cache is
- * cold — the same fallback the async path lands on during bootstrap.
- */
-export function findLocalGuardianPrincipalIdFromStore(): string | undefined {
-  const cached = peekCachedGuardianDelivery({ channelTypes: ["vellum"] });
-  if (cached) {
-    const principalId = guardianForChannel(cached, "vellum")?.principalId;
-    if (principalId) return principalId;
-  }
-
+export function findLocalGuardianPrincipalId(): string | undefined {
   return findGuardianForChannel("vellum")?.contact.principalId ?? undefined;
 }
 
@@ -116,35 +76,12 @@ export function findLocalGuardianPrincipalIdFromStore(): string | undefined {
  * yet (e.g. fresh install before bootstrap); callers must treat this the
  * same as a missing principal.
  */
-export async function resolveActorPrincipalIdForLocalGuardian(
-  rawHeader: string | undefined,
-): Promise<string | undefined> {
-  if (rawHeader !== "dev-bypass" || !isHttpAuthDisabled()) return rawHeader;
-
-  const guardianPrincipalId = await findLocalGuardianPrincipalId();
-  if (guardianPrincipalId) return guardianPrincipalId;
-
-  log.warn(
-    "dev-bypass actor principal received but no vellum guardian binding found; returning undefined",
-  );
-  return undefined;
-}
-
-/**
- * Synchronous variant of {@link resolveActorPrincipalIdForLocalGuardian} for
- * the SSE eager-subscribe path, which registers before the response stream is
- * created and cannot await. Resolves the guardian from the IO-free gateway
- * cache snapshot first (same source the async path reads), falling back to the
- * local store when the cache is cold — so SSE registers the SAME principal the
- * send/result routes resolve and host-proxy targeting matches the same-user
- * client even when the local contact row is stale.
- */
-export function resolveActorPrincipalIdForLocalGuardianSync(
+export function resolveActorPrincipalIdForLocalGuardian(
   rawHeader: string | undefined,
 ): string | undefined {
   if (rawHeader !== "dev-bypass" || !isHttpAuthDisabled()) return rawHeader;
 
-  const guardianPrincipalId = findLocalGuardianPrincipalIdFromStore();
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
   if (guardianPrincipalId) return guardianPrincipalId;
 
   log.warn(
@@ -165,12 +102,12 @@ export function resolveActorPrincipalIdForLocalGuardianSync(
  * bootstrap), falls back to a minimal guardian context so the local
  * user is not incorrectly denied.
  */
-export async function resolveLocalTrustContext(
+export function resolveLocalTrustContext(
   sourceChannel: ChannelId = "vellum",
-): Promise<TrustContext> {
+): TrustContext {
   const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
 
-  const guardianPrincipalId = await findLocalGuardianPrincipalId();
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
   if (guardianPrincipalId) {
     const trustCtx = resolveTrustContext({
       assistantId,
@@ -202,12 +139,10 @@ export async function resolveLocalTrustContext(
  * downstream code to resolve guardian context using the same
  * `authContext.actorPrincipalId` path as HTTP sessions.
  */
-export async function resolveLocalAuthContext(
-  conversationId: string,
-): Promise<AuthContext> {
+export function resolveLocalAuthContext(conversationId: string): AuthContext {
   const authContext = buildLocalAuthContext(conversationId);
 
-  const guardianPrincipalId = await findLocalGuardianPrincipalId();
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
   if (guardianPrincipalId) {
     return { ...authContext, actorPrincipalId: guardianPrincipalId };
   }

package/src/runtime/pending-interactions.ts

@@ -229,15 +229,6 @@ export function getByConversation(
  * /v1/host-browser-result, /v1/host-app-control-result, or
  * /v1/host-transfer-result after completing the operation, get a 404, and the
  * proxy timer would fire with a spurious timeout error.
- *
- * `question` interactions are also skipped: a new message supersedes an open
- * ask_question by steering to it (see the enqueue path in
- * conversation-routes.ts), which aborts the parked turn and settles the
- * question via its abort signal. Clearing the entry here instead would drop it
- * without settling the prompt's Promise (questions carry no `rpcResolve`
- * fallback like secrets do) and would strip the steer of the entry it needs to
- * fire — which can co-occur with a confirmation, since one model response can
- * open both tools concurrently.
  */
 export function removeByConversation(
   conversationId: string,
@@ -253,8 +244,7 @@ export function removeByConversation(
       interaction.kind !== "host_browser" &&
       interaction.kind !== "host_app_control" &&
       interaction.kind !== "host_transfer" &&
-      interaction.kind !== "acp_confirmation" &&
-      interaction.kind !== "question"
+      interaction.kind !== "acp_confirmation"
     ) {
       // resolve() clears the stored timer and detaches abort listeners.
       resolve(requestId, state);

package/src/runtime/routes/__tests__/channel-verification-revoke.test.ts

@@ -10,7 +10,6 @@
 
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-import type { GuardianDelivery } from "@vellumai/gateway-client";
 import { IpcCallError } from "@vellumai/gateway-client/ipc-client";
 
 type IpcCall = { method: string; params?: Record<string, unknown> };
@@ -74,16 +73,8 @@ mock.module("../../channel-verification-service.js", () => ({
   getGuardianBinding: mock(() => guardianBinding),
 }));
 
-// Contact-store lookup that resolves the guardian's channel to downgrade. The
-// channel carries the type/address/externalChatId the gateway delivery is
-// matched against (see deliveryForChannel).
-let contactChannel: {
-  id: string;
-  status: string;
-  type: string;
-  address: string;
-  externalChatId: string;
-} | null = null;
+// Contact-store lookup that resolves the guardian's channel to downgrade.
+let contactChannel: { id: string; status: string } | null = null;
 const actualContactStore = await import("../../../contacts/contact-store.js");
 mock.module("../../../contacts/contact-store.js", () => ({
   ...actualContactStore,
@@ -92,20 +83,6 @@ mock.module("../../../contacts/contact-store.js", () => ({
   ),
 }));
 
-// Gateway delivery (ACL source of truth). The revoke gate relays only when the
-// matching delivery is live (active/pending/unverified); already-revoked or a
-// missing delivery short-circuits the relay.
-let guardianDeliveries: GuardianDelivery[] | null = null;
-mock.module("../../../contacts/guardian-delivery-reader.js", () => ({
-  getGuardianDelivery: mock(async (input?: { channelTypes?: string[] }) => {
-    if (guardianDeliveries == null) return null;
-    if (!input?.channelTypes) return guardianDeliveries;
-    return guardianDeliveries.filter((g) =>
-      input.channelTypes!.includes(g.channelType),
-    );
-  }),
-}));
-
 // Guard: the contact-channel ACL write moves to the gateway relay and must
 // never run locally. The assistant-owned guardian-binding teardown
 // (revokeGuardianBinding) still runs locally — assert it is invoked.
@@ -145,24 +122,7 @@ describe("verification revoke relay", () => {
       guardianExternalUserId: "guardian-user",
       guardianDeliveryChatId: "chat-1",
     };
-    contactChannel = {
-      id: "ch1",
-      status: "active",
-      type: "telegram",
-      address: "guardian-user",
-      externalChatId: "chat-1",
-    };
-    // Gateway delivery is live by default, so the revoke relay fires.
-    guardianDeliveries = [
-      {
-        channelType: "telegram",
-        contactId: "c1",
-        address: "guardian-user",
-        externalChatId: "chat-1",
-        status: "active",
-        verifiedAt: 1700000000,
-      },
-    ];
+    contactChannel = { id: "ch1", status: "active" };
     ipcCallPersistentMock.mockClear();
     cancelOutboundMock.mockClear();
     revokePendingSessionsMock.mockClear();
@@ -303,19 +263,8 @@ describe("verification revoke relay", () => {
     expect(result.bound).toBe(false);
   });
 
-  test("skips the relay when the gateway delivery is already revoked", async () => {
-    // The gateway (source of truth) already shows the channel revoked, so the
-    // redundant relay is skipped even though session/binding teardown runs.
-    guardianDeliveries = [
-      {
-        channelType: "telegram",
-        contactId: "c1",
-        address: "guardian-user",
-        externalChatId: "chat-1",
-        status: "revoked",
-        verifiedAt: 1700000000,
-      },
-    ];
+  test("skips the relay when the resolved channel is already revoked", async () => {
+    contactChannel = { id: "ch1", status: "revoked" };
 
     await revokeHandler({ body: { channel: "telegram" } });
 

package/src/runtime/routes/__tests__/channel-verification-routes.test.ts

@@ -24,7 +24,7 @@ mock.module("../../../daemon/handlers/config-channels.js", () => ({
     verifyTrustedContactCalls.push([contactChannelId, assistantId]);
     return verifyTrustedContactImpl(contactChannelId, assistantId);
   },
-  createInboundChallenge: async () => ({ success: true }),
+  createInboundChallenge: () => ({ success: true }),
   getVerificationStatus: () => ({ success: true }),
   revokeVerificationForChannel: () => ({ success: true }),
 }));

package/src/runtime/routes/__tests__/surface-action-routes.test.ts

@@ -25,7 +25,6 @@ interface StubConversation {
   handleSurfaceActionThrows?: Error;
   handleSurfaceUndoCalled?: boolean;
   handleSurfaceUndoThrows?: Error;
-  trustContext?: { trustClass: string; sourceChannel: string };
   surfaceActionCalls: Array<{
     surfaceId: string;
     actionId: string;
@@ -44,47 +43,6 @@ const findBySurfaceCalls: string[] = [];
 const getOrCreateCalls: string[] = [];
 const rawGetCalls: Array<{ sql: string; params: unknown[] }> = [];
 
-// Gateway guardian-delivery list (shared by the route's dev-bypass lookup and
-// the local-principal-trust mapper): null = unreachable, [] = no guardian.
-let mockGuardianList: Array<Record<string, unknown>> | null = [];
-let httpAuthDisabled = false;
-
-// Stub for the shared reset-drift helper. The route under test only consumes
-// its result (a guardian TrustContext or null); the gate itself is covered in
-// runtime/__tests__/guardian-vellum-migration.test.ts. Tests set
-// `mockReResolve` per case and read `reResolveCalls` to assert routing.
-const reResolveCalls: string[] = [];
-let mockReResolve: { trustClass: string; sourceChannel: string } | null = null;
-
-mock.module("../../../contacts/guardian-delivery-reader.js", () => ({
-  getGuardianDelivery: (_input?: { channelTypes?: string[] }) =>
-    Promise.resolve(mockGuardianList),
-  peekCachedGuardianDelivery: () => mockGuardianList ?? undefined,
-  guardianForChannel: (
-    list: Array<Record<string, unknown>>,
-    channelType: string,
-  ) => list.find((g) => g.channelType === channelType && g.status === "active"),
-}));
-
-mock.module("../../../contacts/contact-store.js", () => ({
-  findGuardianForChannel: (_channelType: string) => null,
-  findContactByAddress: () => null,
-}));
-
-mock.module("../../../config/env.js", () => ({
-  isHttpAuthDisabled: () => httpAuthDisabled,
-}));
-
-mock.module("../../guardian-vellum-migration.js", () => ({
-  reResolveTrustOnResetDrift: async (
-    incomingPrincipalId: string,
-    _sourceChannel: string,
-  ) => {
-    reResolveCalls.push(incomingPrincipalId);
-    return mockReResolve;
-  },
-}));
-
 mock.module("../../../daemon/conversation-registry.js", () => ({
   findConversation: (id: string) => {
     findConvCalls.push(id);
@@ -164,9 +122,6 @@ function makeStub(id: string): StubConversation {
       stub.handleSurfaceUndoCalled = true;
       if (stub.handleSurfaceUndoThrows) throw stub.handleSurfaceUndoThrows;
     },
-    setTrustContext: (ctx: { trustClass: string; sourceChannel: string }) => {
-      stub.trustContext = ctx;
-    },
   });
   return stub;
 }
@@ -184,10 +139,6 @@ beforeEach(() => {
   findBySurfaceCalls.length = 0;
   getOrCreateCalls.length = 0;
   rawGetCalls.length = 0;
-  mockGuardianList = [];
-  httpAuthDisabled = false;
-  reResolveCalls.length = 0;
-  mockReResolve = null;
 });
 
 // ---------------------------------------------------------------------------
@@ -386,30 +337,6 @@ describe("triggerSurfaceAction handler", () => {
     ]);
   });
 
-  test("resolves dev-bypass to the guardian principal before threading the turn", async () => {
-    httpAuthDisabled = true;
-    mockGuardianList = [guardianDelivery(GUARDIAN_PRINCIPAL)];
-    const live = makeStub("conv-dev-thread");
-    memoryBySurface = live;
-
-    const handler = findHandler("triggerSurfaceAction");
-    await handler({
-      body: { surfaceId: "surf-dt", actionId: "act-dt" },
-      headers: { "x-vellum-actor-principal-id": "dev-bypass" },
-    });
-
-    // dev-bypass is translated so the surface turn matches the SSE host-proxy
-    // client's registered guardian principal (CU/app-control same-actor check).
-    expect(live.surfaceActionCalls).toEqual([
-      {
-        surfaceId: "surf-dt",
-        actionId: "act-dt",
-        data: undefined,
-        sourceActorPrincipalId: GUARDIAN_PRINCIPAL,
-      },
-    ]);
-  });
-
   test("propagates accepted=false rejection as BadRequestError", async () => {
     const live = makeStub("conv-reject");
     live.handleSurfaceActionResult = {
@@ -435,120 +362,6 @@ describe("triggerSurfaceAction handler", () => {
   });
 });
 
-// ---------------------------------------------------------------------------
-// Trust context resolution
-// ---------------------------------------------------------------------------
-
-const GUARDIAN_PRINCIPAL = "principal-guardian";
-// Daemon-minted vellum-principal-* ids: the DB-reset drift signature. The
-// gateway rebinds to a fresh id while the client still holds a JWT for the old.
-const VELLUM_PRINCIPAL_OLD = "vellum-principal-old";
-const VELLUM_PRINCIPAL_NEW = "vellum-principal-new";
-
-function guardianDelivery(principalId: string): Record<string, unknown> {
-  return {
-    channelType: "vellum",
-    contactId: "contact-1",
-    principalId,
-    address: "guardian-address",
-    externalChatId: "guardian-chat",
-    status: "active",
-  };
-}
-
-// A guardian TrustContext the stubbed helper hands back on a recovered drift.
-function guardianCtx(): { trustClass: string; sourceChannel: string } {
-  return { trustClass: "guardian", sourceChannel: "vellum" };
-}
-
-describe("triggerSurfaceAction trust context", () => {
-  test("guardian principal → guardian from the gateway binding, helper not called", async () => {
-    mockGuardianList = [guardianDelivery(GUARDIAN_PRINCIPAL)];
-    const live = makeStub("conv-guardian");
-    memoryBySurface = live;
-
-    const handler = findHandler("triggerSurfaceAction");
-    await handler({
-      body: { surfaceId: "surf-g", actionId: "act-g" },
-      headers: { "x-vellum-actor-principal-id": GUARDIAN_PRINCIPAL },
-    });
-
-    expect(live.trustContext?.trustClass).toBe("guardian");
-    expect(live.trustContext?.sourceChannel).toBe("vellum");
-    // First-pass resolve already granted guardian, so the drift helper is skipped.
-    expect(reResolveCalls).toEqual([]);
-  });
-
-  test("unknown principal: helper consulted, null result stays unknown (fail closed)", async () => {
-    mockGuardianList = [guardianDelivery(GUARDIAN_PRINCIPAL)];
-    mockReResolve = null;
-    const live = makeStub("conv-unknown");
-    memoryBySurface = live;
-
-    const handler = findHandler("triggerSurfaceAction");
-    await handler({
-      body: { surfaceId: "surf-u", actionId: "act-u" },
-      headers: { "x-vellum-actor-principal-id": VELLUM_PRINCIPAL_OLD },
-    });
-
-    expect(reResolveCalls).toEqual([VELLUM_PRINCIPAL_OLD]);
-    expect(live.trustContext?.trustClass).toBe("unknown");
-  });
-
-  test("reset drift: helper returns guardian → route adopts it", async () => {
-    mockGuardianList = [guardianDelivery(VELLUM_PRINCIPAL_NEW)];
-    mockReResolve = guardianCtx();
-    const live = makeStub("conv-drift");
-    memoryBySurface = live;
-
-    const handler = findHandler("triggerSurfaceAction");
-    await handler({
-      body: { surfaceId: "surf-d", actionId: "act-d" },
-      headers: { "x-vellum-actor-principal-id": VELLUM_PRINCIPAL_OLD },
-    });
-
-    expect(reResolveCalls).toEqual([VELLUM_PRINCIPAL_OLD]);
-    expect(live.trustContext?.trustClass).toBe("guardian");
-  });
-
-  test("dev-bypass resolves the real guardian principal from the gateway, helper not called", async () => {
-    httpAuthDisabled = true;
-    mockGuardianList = [guardianDelivery(GUARDIAN_PRINCIPAL)];
-    const live = makeStub("conv-dev");
-    memoryBySurface = live;
-
-    const handler = findHandler("triggerSurfaceAction");
-    await handler({
-      body: { surfaceId: "surf-dev", actionId: "act-dev" },
-      headers: { "x-vellum-actor-principal-id": "dev-bypass" },
-    });
-
-    // The synthetic dev-bypass principal is translated to the real guardian,
-    // yielding a guardian trust context without consulting the drift helper.
-    expect(live.trustContext?.trustClass).toBe("guardian");
-    expect(reResolveCalls).toEqual([]);
-  });
-
-  test("dev-bypass with an empty gateway: helper null result → unknown (fail closed)", async () => {
-    httpAuthDisabled = true;
-    // The gateway has no active binding, so dev-bypass cannot translate to a
-    // real guardian; the first-pass resolve is unknown and the helper, returning
-    // null, leaves trust unknown.
-    mockGuardianList = [];
-    mockReResolve = null;
-    const live = makeStub("conv-dev-fallback");
-    memoryBySurface = live;
-
-    const handler = findHandler("triggerSurfaceAction");
-    await handler({
-      body: { surfaceId: "surf-devf", actionId: "act-devf" },
-      headers: { "x-vellum-actor-principal-id": "dev-bypass" },
-    });
-
-    expect(live.trustContext?.trustClass).toBe("unknown");
-  });
-});
-
 // ---------------------------------------------------------------------------
 // undoSurfaceAction
 // ---------------------------------------------------------------------------

package/src/runtime/routes/browser-routes.ts

@@ -92,7 +92,7 @@ async function handleBrowserExecute({
   // register with (dev-bypass otherwise mismatches).
   const headerActor =
     headers["x-vellum-actor-principal-id"]?.trim() || undefined;
-  const sourceActorPrincipalId = await resolveActorPrincipalIdForLocalGuardian(
+  const sourceActorPrincipalId = resolveActorPrincipalIdForLocalGuardian(
     conversation?.getTurnActorPrincipalId() ?? headerActor,
   );
 

package/src/runtime/routes/canonical-guardian-expiry-sweep.ts

@@ -8,16 +8,13 @@
  * requester.
  *
  * This sweep operates on the unified canonical domain
- * (`canonical_guardian_requests`). On expiry it transitions the request status
- * (the single source of truth), withdraws the approval cards on every surface,
- * notifies the requester that their request expired, and releases any in-memory
- * pending interaction. Requester notices are delivered straight to the
- * requester's channel — not the guardian-facing notification pipeline — and the
- * guardian stays passive, since the withdrawn card already reflects expiry.
+ * (`canonical_guardian_requests`) and does not auto-deny pending interactions
+ * or deliver channel notices — the canonical request status transition is the
+ * single source of truth, and consumers (resolvers, clients polling prompts)
+ * observe the expired status directly.
  */
 
 import { withdrawGuardianRequestCards } from "../../approvals/guardian-card-withdrawal.js";
-import { notifyExpiredGuardianRequest } from "../../approvals/guardian-expiry-notifier.js";
 import {
   listCanonicalGuardianRequests,
   resolveCanonicalGuardianRequest,
@@ -42,7 +39,7 @@ let sweepInProgress = false;
  * concurrent decision that wins the race is never overwritten by the
  * sweep.  Returns the count of requests transitioned to expired.
  */
-export async function sweepExpiredCanonicalGuardianRequests(): Promise<number> {
+async function sweepExpiredCanonicalGuardianRequests(): Promise<number> {
   const pending = listCanonicalGuardianRequests({ status: "pending" });
   const now = Date.now();
   let expiredCount = 0;
@@ -79,11 +76,6 @@ export async function sweepExpiredCanonicalGuardianRequests(): Promise<number> {
         request: resolved,
         status: "expired",
       });
-
-      // Notify the requester their request expired and release any in-memory
-      // pending interaction. Best-effort and non-throwing, like the card
-      // withdrawal above.
-      await notifyExpiredGuardianRequest(resolved);
     }
   }
 

package/src/runtime/routes/channel-verification-routes.ts

@@ -179,7 +179,7 @@ export async function handleCreateVerificationSession({
   }
 
   // Inbound challenge path
-  const result = await createInboundChallenge(channel, rebind, conversationId);
+  const result = createInboundChallenge(channel, rebind, conversationId);
   if (!result.success) {
     throw new BadRequestError(
       (result as { message?: string }).message ??
@@ -192,12 +192,12 @@ export async function handleCreateVerificationSession({
 /**
  * GET /v1/channel-verification-sessions/status
  */
-async function handleGetVerificationStatus({
+function handleGetVerificationStatus({
   queryParams = {},
   body = {},
 }: RouteHandlerArgs) {
   const channel = (queryParams.channel ?? (body as Record<string, unknown>).channel) as ChannelId | undefined;
-  return await getVerificationStatus(channel);
+  return getVerificationStatus(channel);
 }
 
 /**

package/src/runtime/routes/contact-routes.ts

@@ -17,6 +17,8 @@ import { IpcCallError } from "@vellumai/gateway-client/ipc-client";
 import { z } from "zod";
 
 import {
+  getAssistantContactMetadata,
+  getContact,
   listContacts,
   mergeContacts,
   searchContacts,
@@ -137,10 +139,9 @@ const contactSchema = z.object({
 
 /**
  * Relay a non-search contact list read to the gateway (source of truth for ACL
- * fields). Shared by the GET `contacts` list and the `search_contacts`
- * no-filter case so both serve gateway-sourced data consistently. Fail-closed:
- * a relay failure surfaces as an error rather than reading ACL from the
- * assistant DB.
+ * fields), falling back to the assistant DB on IPC failure. Shared by the GET
+ * `contacts` list and the `search_contacts` no-filter case so both serve
+ * gateway-sourced data consistently.
  */
 async function relayListContacts(
   limit: number,
@@ -157,7 +158,15 @@ async function relayListContacts(
       contacts: contacts.map(prepareContactResponse),
     };
   } catch (err) {
-    rethrowGatewayError(err);
+    log.warn(
+      { err },
+      "relayListContacts: gateway relay failed; falling back to assistant DB",
+    );
+    const contacts = listContacts(limit, role);
+    return {
+      ok: true,
+      contacts: contacts.map(prepareContactResponse),
+    };
   }
 }
 
@@ -231,10 +240,25 @@ export async function handleGetContact(contactId: string) {
       assistantMetadata: assistantMetadata ?? undefined,
     };
   } catch (err) {
-    // A clean not-found is a real 404. Any other relay failure fails closed
-    // rather than reading ACL from the assistant DB.
+    // A clean not-found is a real 404 — don't fall back or mask it.
     if (err instanceof NotFoundError) throw err;
-    rethrowGatewayError(err);
+    log.warn(
+      { err, contactId },
+      "handleGetContact: gateway relay failed; falling back to assistant DB",
+    );
+    const contact = getContact(contactId);
+    if (!contact) {
+      throw new NotFoundError(`Contact "${contactId}" not found`);
+    }
+    const assistantMeta =
+      contact.contactType === "assistant"
+        ? getAssistantContactMetadata(contact.id)
+        : undefined;
+    return {
+      ok: true,
+      contact: prepareContactResponse(contact),
+      assistantMetadata: assistantMeta ?? undefined,
+    };
   }
 }
 

package/src/runtime/routes/conversation-cli-routes.ts

@@ -9,10 +9,10 @@
 import { v4 as uuid } from "uuid";
 import { z } from "zod";
 
+import { findConversation } from "../../daemon/conversation-registry.js";
 import { clearAllConversations as clearAllActive } from "../../daemon/handlers/conversations.js";
 import { formatJson, formatMarkdown } from "../../export/formatter.js";
 import { ipcCall as ipcCallGateway } from "../../ipc/gateway-client.js";
-import { isConversationProcessing } from "../../memory/conversation-crud.js";
 import {
   addMessage,
   createConversation,
@@ -53,9 +53,10 @@ function handleListCli({ body = {} }: RouteHandlerArgs) {
       id: c.id,
       title: c.title,
       updatedAt: c.updatedAt,
-      // Checks in-memory flag first (hot path), falls back to the
-      // persisted `processing_started_at` column for cold conversations.
-      isProcessing: isConversationProcessing(c.id),
+      // `isProcessing` mirrors `Conversation.isProcessing()` from the
+      // in-memory daemon store — true when the agent loop is mid-turn.
+      // Rows not currently in memory (cold / evicted) report `false`.
+      isProcessing: findConversation(c.id)?.isProcessing() ?? false,
     })),
   };
 }