@vellumai/assistant 0.10.3 → 0.10.4-staging.1

package/src/a2a/__tests__/e2e-a2a-channel.test.ts

@@ -42,6 +42,7 @@ mock.module("../../util/logger.js", () => ({
 // the a2a.enabled flag. We use the real config system backed by initializeDb's
 // workspace directory.
 
+import { seedContactChannel } from "../../__tests__/helpers/seed-contact-channel.js";
 import {
   invalidateConfigCache,
   loadRawConfig,
@@ -80,6 +81,15 @@ const originalFetch = globalThis.fetch;
 // Helpers
 // ---------------------------------------------------------------------------
 
+/** Read a channel's local ACL columns directly to assert the gateway dual-write. */
+function aclColumns(
+  channelId: string,
+): { status: string; policy: string } | null {
+  return getSqlite()
+    .query("SELECT status, policy FROM contact_channels WHERE id = ?")
+    .get(channelId) as { status: string; policy: string } | null;
+}
+
 function resetTables(): void {
   const sqlite = getSqlite();
   sqlite.run("DELETE FROM a2a_tasks");
@@ -164,17 +174,16 @@ describe("e2e: trusted contact setup", () => {
         {
           type: "a2a",
           address: "assistant-b",
-          status: "active",
-          policy: "allow",
         },
       ],
     });
 
+    // upsertContact persists the a2a channel identity; the gateway owns the ACL
+    // status verdict.
     const contact = findContactByAddress("a2a", "assistant-b");
     expect(contact).not.toBeNull();
     expect(contact!.channels.some((ch) => ch.type === "a2a")).toBe(true);
     const a2aChannel = contact!.channels.find((ch) => ch.type === "a2a");
-    expect(a2aChannel!.status).toBe("active");
     expect(a2aChannel!.address).toBe("assistant-b");
   });
 });
@@ -355,21 +364,13 @@ describe("e2e: unknown sender blocked (ACL enforcement)", () => {
   });
 
   test("trusted contact exists with active a2a channel — ACL passes", async () => {
-    const { upsertContact } = await import("../../contacts/contact-store.js");
-
     // Pre-create a trusted contact for the sender
-    upsertContact({
+    seedContactChannel({
+      sourceChannel: "a2a",
+      externalUserId: "trusted-assistant",
       displayName: "Trusted Bot",
-      contactType: "assistant",
-      role: "contact",
-      channels: [
-        {
-          type: "a2a",
-          address: "trusted-assistant",
-          status: "active",
-          policy: "allow",
-        },
-      ],
+      status: "active",
+      policy: "allow",
     });
 
     // Verify the contact exists (the ACL check the runtime performs)
@@ -378,8 +379,9 @@ describe("e2e: unknown sender blocked (ACL enforcement)", () => {
 
     const a2aChannel = contact!.channels.find((ch) => ch.type === "a2a");
     expect(a2aChannel).toBeTruthy();
-    expect(a2aChannel!.status).toBe("active");
-    expect(a2aChannel!.policy).toBe("allow");
+    const acl = aclColumns(a2aChannel!.id);
+    expect(acl!.status).toBe("active");
+    expect(acl!.policy).toBe("allow");
 
     // A task from this sender would pass the ACL check
     const msg = makeRequestMessage();
@@ -391,28 +393,21 @@ describe("e2e: unknown sender blocked (ACL enforcement)", () => {
   });
 
   test("contact exists but channel is blocked — ACL would reject", async () => {
-    const { upsertContact } = await import("../../contacts/contact-store.js");
-
-    upsertContact({
+    seedContactChannel({
+      sourceChannel: "a2a",
+      externalUserId: "blocked-assistant",
       displayName: "Blocked Bot",
-      contactType: "assistant",
-      role: "contact",
-      channels: [
-        {
-          type: "a2a",
-          address: "blocked-assistant",
-          status: "blocked",
-          policy: "deny",
-        },
-      ],
+      status: "blocked",
+      policy: "deny",
     });
 
     const contact = findContactByAddress("a2a", "blocked-assistant");
     expect(contact).not.toBeNull();
 
     const a2aChannel = contact!.channels.find((ch) => ch.type === "a2a");
-    expect(a2aChannel!.status).toBe("blocked");
-    expect(a2aChannel!.policy).toBe("deny");
+    const acl = aclColumns(a2aChannel!.id);
+    expect(acl!.status).toBe("blocked");
+    expect(acl!.policy).toBe("deny");
   });
 });
 
@@ -507,26 +502,19 @@ describe("e2e: full A2A round-trip", () => {
     setConfigEnabled(true);
 
     // Step 1: Create trusted contact for Assistant B (platform-mediated)
-    upsertContact({
+    seedContactChannel({
+      sourceChannel: "a2a",
+      externalUserId: "assistant-b",
       displayName: "Assistant B",
-      contactType: "assistant",
-      role: "contact",
-      channels: [
-        {
-          type: "a2a",
-          address: "assistant-b",
-          status: "active",
-          policy: "allow",
-        },
-      ],
+      status: "active",
+      policy: "allow",
     });
 
     // Step 2: Verify trusted contact was created
     const contact = findContactByAddress("a2a", "assistant-b");
     expect(contact).not.toBeNull();
-    expect(contact!.channels.find((ch) => ch.type === "a2a")!.status).toBe(
-      "active",
-    );
+    const a2aChannel = contact!.channels.find((ch) => ch.type === "a2a")!;
+    expect(aclColumns(a2aChannel.id)!.status).toBe("active");
 
     // Step 3: Simulate inbound A2A message from B (as if B sent us a request)
     const inboundMsg = makeRequestMessage({

package/src/agent/loop-exclusive-tool.test.ts

@@ -1,9 +1,9 @@
 /**
  * Verifies the agent loop's exclusive-tool dispatch: when a tool the loop is
- * told is exclusive (e.g. the advisor) appears in a multi-call turn, only that
- * tool runs and the siblings are deferred un-run with a benign result — so the
- * model incorporates the exclusive tool's output before acting on anything
- * else. Drives the REAL loop, mocking only the provider boundary.
+ * told is exclusive appears in a multi-call turn, only that tool runs and the
+ * siblings are deferred un-run with a benign result — so the model incorporates
+ * the exclusive tool's output before acting on anything else. Drives the REAL
+ * loop, mocking only the provider boundary.
  */
 import { describe, expect, test } from "bun:test";
 
@@ -55,7 +55,7 @@ describe("AgentLoop — exclusive tool deferral", () => {
   test("runs the exclusive tool alone and defers sibling calls un-run", async () => {
     const { provider } = createMockProvider([
       toolUseTurn([
-        { id: "call-advisor", name: "advisor" },
+        { id: "call-exclusive", name: "exclusive_tool" },
         { id: "call-edit", name: "write_file" },
       ]),
       endTurn("done"),
@@ -67,7 +67,11 @@ describe("AgentLoop — exclusive tool deferral", () => {
       systemPrompt: "sys",
       conversationId: "excl-1",
       tools: [
-        { name: "advisor", description: "", input_schema: { type: "object" } },
+        {
+          name: "exclusive_tool",
+          description: "",
+          input_schema: { type: "object" },
+        },
         {
           name: "write_file",
           description: "",
@@ -78,7 +82,7 @@ describe("AgentLoop — exclusive tool deferral", () => {
         executed.push(name);
         return { content: `ran ${name}`, isError: false };
       },
-      isExclusiveTool: (name) => name === "advisor",
+      isExclusiveTool: (name) => name === "exclusive_tool",
     });
 
     const { history } = await loop.run({
@@ -87,19 +91,19 @@ describe("AgentLoop — exclusive tool deferral", () => {
     });
 
     // Only the exclusive tool actually executed.
-    expect(executed).toEqual(["advisor"]);
+    expect(executed).toEqual(["exclusive_tool"]);
 
     const results = toolResults(history);
-    const advisorResult = results.find(
-      (b) => b.tool_use_id === "call-advisor",
+    const exclusiveResult = results.find(
+      (b) => b.tool_use_id === "call-exclusive",
     )!;
     const editResult = results.find((b) => b.tool_use_id === "call-edit")!;
 
-    // The advisor ran; the sibling came back un-run (not an error) so the model
-    // can re-issue it after reading the guidance.
-    expect(advisorResult.content).toBe("ran advisor");
+    // The exclusive tool ran; the sibling came back un-run (not an error) so the
+    // model can re-issue it after reading the guidance.
+    expect(exclusiveResult.content).toBe("ran exclusive_tool");
     expect(editResult.content).toContain("not run");
-    expect(editResult.content).toContain("advisor");
+    expect(editResult.content).toContain("exclusive_tool");
     expect(editResult.is_error).toBe(false);
   });
 
@@ -133,7 +137,7 @@ describe("AgentLoop — exclusive tool deferral", () => {
         executed.push(name);
         return { content: `ran ${name}`, isError: false };
       },
-      isExclusiveTool: (name) => name === "advisor",
+      isExclusiveTool: (name) => name === "exclusive_tool",
     });
 
     const { history } = await loop.run({

package/src/agent/loop-native-web-search.test.ts

@@ -0,0 +1,200 @@
+/**
+ * Verifies the agent loop's provider-native web-search gate (used by the
+ * tool-less advisor consult): when `enableNativeWebSearch` is set, the loop
+ * appends a `web_search`-named SERVER tool to the outbound request and forces
+ * `tool_choice: auto` — but ONLY when the provider/model the call ACTUALLY
+ * routes to reports native-search support. A non-native target gets nothing,
+ * and the consult stays tool-less (no client `web_search` tool surfaced).
+ *
+ * The gate prefers the routing-aware `supportsNativeWebSearchFor(options)` (the
+ * routed (provider, model)'s capability) over the construction-time
+ * `supportsNativeWebSearch` snapshot. The advisor's `advisorProfile` can route
+ * `subagentSpawn` to a provider/model whose native-search support DIFFERS from
+ * the default, so the routed capability — not the default's — must drive the
+ * decision in both directions. Drives the REAL loop, mocking only the provider
+ * boundary.
+ */
+import { describe, expect, test } from "bun:test";
+
+import { createMockProvider } from "../__tests__/helpers/mock-provider.js";
+import type {
+  Provider,
+  ProviderResponse,
+  SendMessageOptions,
+} from "../providers/types.js";
+import { AgentLoop } from "./loop.js";
+
+const endTurn = (text: string): ProviderResponse => ({
+  content: [{ type: "text", text }],
+  model: "mock-model",
+  usage: { inputTokens: 1, outputTokens: 1 },
+  stopReason: "end_turn",
+});
+
+const baseRun = {
+  requestId: "req-web",
+  onEvent: () => {},
+  callSite: "subagentSpawn" as const,
+  trust: { sourceChannel: "vellum" as const, trustClass: "unknown" as const },
+};
+
+const userMessages = [
+  {
+    role: "user" as const,
+    content: [{ type: "text" as const, text: "advise" }],
+  },
+];
+
+/** Build a tool-less loop (mirrors the advisor consult) with the given flag. */
+function buildAdvisorLoop(
+  provider: Provider,
+  enableNativeWebSearch: boolean,
+): AgentLoop {
+  return new AgentLoop({
+    provider,
+    systemPrompt: "advisor system",
+    conversationId: "advisor-1",
+    // Tool-less for client tools — exactly the advisor role's empty allowlist.
+    config: { enableNativeWebSearch },
+  });
+}
+
+describe("AgentLoop — provider-native web search gate", () => {
+  test("attaches the native web_search server tool when the provider supports it", async () => {
+    const { provider, calls } = createMockProvider([endTurn("guidance")]);
+    (
+      provider as { supportsNativeWebSearch?: boolean }
+    ).supportsNativeWebSearch = true;
+
+    const loop = buildAdvisorLoop(provider, true);
+    await loop.run({ ...baseRun, messages: userMessages });
+
+    expect(calls).toHaveLength(1);
+    const sent = calls[0];
+    // The native web_search SERVER tool is the only tool surfaced.
+    expect(sent.tools?.map((t) => t.name)).toEqual(["web_search"]);
+    // tool_choice is forced to auto so the model may invoke the search.
+    expect(sent.options?.config?.tool_choice).toEqual({ type: "auto" });
+  });
+
+  test("attaches nothing on a non-native provider (consult stays tool-less)", async () => {
+    const { provider, calls } = createMockProvider([endTurn("guidance")]);
+    // supportsNativeWebSearch is absent (falsy) — a non-native provider.
+
+    const loop = buildAdvisorLoop(provider, true);
+    await loop.run({ ...baseRun, messages: userMessages });
+
+    expect(calls).toHaveLength(1);
+    const sent = calls[0];
+    // No web_search tool surfaced — no client tool the one-shot consult can't run.
+    expect(sent.tools).toBeUndefined();
+    // No tool_choice forced when nothing is attached.
+    expect(sent.options?.config?.tool_choice).toBeUndefined();
+  });
+
+  test("attaches nothing when the flag is off, even on a native provider", async () => {
+    const { provider, calls } = createMockProvider([endTurn("guidance")]);
+    (
+      provider as { supportsNativeWebSearch?: boolean }
+    ).supportsNativeWebSearch = true;
+
+    const loop = buildAdvisorLoop(provider, false);
+    await loop.run({ ...baseRun, messages: userMessages });
+
+    expect(calls).toHaveLength(1);
+    const sent = calls[0];
+    expect(sent.tools).toBeUndefined();
+    expect(sent.options?.config?.tool_choice).toBeUndefined();
+  });
+
+  test("does not duplicate web_search when a tool of that name is already present", async () => {
+    const { provider, calls } = createMockProvider([endTurn("guidance")]);
+    (
+      provider as { supportsNativeWebSearch?: boolean }
+    ).supportsNativeWebSearch = true;
+
+    // A loop that already exposes a `web_search` client tool (e.g. researcher
+    // role). The gate must not append a second `web_search` entry.
+    const loop = new AgentLoop({
+      provider,
+      systemPrompt: "sys",
+      conversationId: "advisor-dup",
+      config: { enableNativeWebSearch: true },
+      tools: [
+        {
+          name: "web_search",
+          description: "",
+          input_schema: { type: "object" },
+        },
+      ],
+    });
+    await loop.run({ ...baseRun, messages: userMessages });
+
+    const sent = calls[0];
+    expect(sent.tools?.filter((t) => t.name === "web_search")).toHaveLength(1);
+  });
+
+  // ── Routed capability drives the decision (not the static default) ────────
+
+  test("false positive: static flag is native but the ROUTED target is not — attaches nothing", async () => {
+    const { provider, calls } = createMockProvider([endTurn("guidance")]);
+    // The construction-time default supports native search…
+    (
+      provider as { supportsNativeWebSearch?: boolean }
+    ).supportsNativeWebSearch = true;
+    // …but the advisorProfile routes `subagentSpawn` to a provider/model that
+    // does NOT. The routing-aware probe wins, so no unexecutable client tool is
+    // surfaced to the otherwise tool-less advisor.
+    (
+      provider as {
+        supportsNativeWebSearchFor?: (o?: SendMessageOptions) => boolean;
+      }
+    ).supportsNativeWebSearchFor = () => false;
+
+    const loop = buildAdvisorLoop(provider, true);
+    await loop.run({ ...baseRun, messages: userMessages });
+
+    const sent = calls[0];
+    expect(sent.tools).toBeUndefined();
+    expect(sent.options?.config?.tool_choice).toBeUndefined();
+  });
+
+  test("false negative: static flag is non-native but the ROUTED target is — attaches the tool", async () => {
+    const { provider, calls } = createMockProvider([endTurn("guidance")]);
+    // The construction-time default lacks native search (flag absent/falsy)…
+    // …but the advisorProfile routes to a provider/model that has it.
+    (
+      provider as {
+        supportsNativeWebSearchFor?: (o?: SendMessageOptions) => boolean;
+      }
+    ).supportsNativeWebSearchFor = () => true;
+
+    const loop = buildAdvisorLoop(provider, true);
+    await loop.run({ ...baseRun, messages: userMessages });
+
+    const sent = calls[0];
+    expect(sent.tools?.map((t) => t.name)).toEqual(["web_search"]);
+    expect(sent.options?.config?.tool_choice).toEqual({ type: "auto" });
+  });
+
+  test("the routing probe receives the loop's callSite", async () => {
+    const { provider, calls } = createMockProvider([endTurn("guidance")]);
+    const probeOptions: (SendMessageOptions | undefined)[] = [];
+    (
+      provider as {
+        supportsNativeWebSearchFor?: (o?: SendMessageOptions) => boolean;
+      }
+    ).supportsNativeWebSearchFor = (o) => {
+      probeOptions.push(o);
+      return true;
+    };
+
+    const loop = buildAdvisorLoop(provider, true);
+    await loop.run({ ...baseRun, messages: userMessages });
+
+    expect(calls).toHaveLength(1);
+    // The probe is resolved against the same callSite the dispatch uses
+    // (`subagentSpawn` per `baseRun`), so the routed (provider, model) matches.
+    expect(probeOptions[0]?.config?.callSite).toBe("subagentSpawn");
+  });
+});

package/src/agent/loop.ts

@@ -95,6 +95,74 @@ export interface AgentLoopConfig {
   minTurnIntervalMs?: number;
   /** Override the default prompt cache TTL sent to the provider (e.g. "5m" for short-lived subagents). */
   cacheTtl?: "5m" | "1h";
+  /**
+   * Give every LLM call provider-native (server-side) web search, gated on the
+   * native-search capability of the (provider, model) the call routes to —
+   * {@link Provider.supportsNativeWebSearchFor} when the provider exposes it,
+   * else the static {@link Provider.supportsNativeWebSearch} flag.
+   * When both are true, the loop appends a `web_search`-named tool to the
+   * outbound request — which Anthropic/OpenAI substitute for their server-side
+   * search tool, running the search inline and returning results without a
+   * client tool round-trip — and forces `tool_choice: auto` so the model may
+   * call it. Non-native providers get nothing.
+   *
+   * This is a SERVER tool the provider runs itself, distinct from the client
+   * tool list (`tools` / `resolveTools`): it is never executed by
+   * {@link AgentLoopConstructorOptions.toolExecutor} and does not require any
+   * client-tool allowlist entry. Used by the tool-less advisor consult to
+   * ground its guidance with live web access while staying one-shot for client
+   * tools. Defaults to false — existing behavior.
+   */
+  enableNativeWebSearch?: boolean;
+}
+
+/**
+ * The `web_search`-named tool the loop appends when
+ * {@link AgentLoopConfig.enableNativeWebSearch} is set on a native provider.
+ * Anthropic/OpenAI intercept a tool with this name and substitute their own
+ * server-side web search (run inline, no client execution), so the exact
+ * `input_schema` is informational — the provider supplies the real schema.
+ */
+const NATIVE_WEB_SEARCH_TOOL: ToolDefinition = {
+  name: "web_search",
+  description:
+    "Search the web for current information to ground your response.",
+  input_schema: {
+    type: "object",
+    properties: {
+      query: { type: "string", description: "The search query." },
+    },
+    required: ["query"],
+  },
+};
+
+/**
+ * Build the minimal `SendMessageOptions` a routing-aware provider needs to
+ * report the native web-search capability of the (provider, model) THIS turn
+ * routes to. Mirrors the call-site fields the loop plumbs onto the actual send
+ * (`callSite` + `overrideProfile`/`forceOverrideProfile` + per-conversation
+ * `selectionSeed`) so the capability probe and the dispatch resolve the same
+ * arm. Returns `undefined` when there is no `callSite` (the legacy
+ * default-provider path); `selectionSeed` is omitted for standalone loops with
+ * no conversation id, matching the dispatch path's own guard.
+ */
+function buildNativeWebSearchProbeOptions(
+  callSite: LLMCallSite | undefined,
+  overrideProfile: string | undefined,
+  forceOverrideProfile: boolean,
+  conversationId: string | undefined,
+): SendMessageOptions | undefined {
+  if (!callSite) return undefined;
+  return {
+    config: {
+      callSite,
+      ...(overrideProfile ? { overrideProfile } : {}),
+      ...(overrideProfile && forceOverrideProfile
+        ? { forceOverrideProfile: true }
+        : {}),
+      ...(conversationId ? { selectionSeed: conversationId } : {}),
+    },
+  };
 }
 
 export interface CheckpointInfo {
@@ -1240,10 +1308,44 @@ export class AgentLoop {
 
         // Resolve tools for this turn: use the dynamic resolver if provided,
         // otherwise fall back to the static tool list.
-        const currentTools = this.resolveTools
+        const resolvedTools = this.resolveTools
           ? this.resolveTools(history)
           : this.tools;
 
+        // Provider-native web search: append a `web_search`-named tool that the
+        // provider substitutes for its server-side search (run inline, no client
+        // execution), gated STRICTLY on the capability of the provider/model
+        // this call ACTUALLY routes to so a non-native provider never sees an
+        // unexecutable client tool. The advisor consult's `advisorProfile` can
+        // route `subagentSpawn` to a provider/model whose native-search support
+        // differs from the construction-time default, so the gate resolves the
+        // routed target (callSite + overrideProfile) via
+        // `supportsNativeWebSearchFor` rather than the static
+        // `this.provider.supportsNativeWebSearch` snapshot; providers without
+        // the routing-aware probe fall back to the static flag. This is a SERVER
+        // tool — it bypasses the client allowlist and the tool executor — so the
+        // tool-less advisor consult can ground its guidance with live web access
+        // while staying one-shot for client tools. Skip when a `web_search` tool
+        // is already present so we never duplicate the name.
+        const supportsRoutedNativeWebSearch = this.provider
+          .supportsNativeWebSearchFor
+          ? this.provider.supportsNativeWebSearchFor(
+              buildNativeWebSearchProbeOptions(
+                callSite,
+                resolveEffectiveOverrideProfile(),
+                forceOverrideProfile,
+                this.conversationId,
+              ),
+            )
+          : this.provider.supportsNativeWebSearch === true;
+        const attachNativeWebSearch =
+          this.config.enableNativeWebSearch === true &&
+          supportsRoutedNativeWebSearch &&
+          !resolvedTools.some((t) => t.name === NATIVE_WEB_SEARCH_TOOL.name);
+        const currentTools = attachNativeWebSearch
+          ? [...resolvedTools, NATIVE_WEB_SEARCH_TOOL]
+          : resolvedTools;
+
         // Field precedence (highest wins):
         //   1. Per-run explicit (`runModel`)
         //   2. Call-site resolved values (filled by
@@ -1286,6 +1388,11 @@ export class AgentLoop {
 
         if (this.config.toolChoice) {
           providerConfig.tool_choice = this.config.toolChoice;
+        } else if (attachNativeWebSearch) {
+          // The native web-search tool is the only tool on this turn (the
+          // advisor consult is otherwise tool-less). Let the model decide
+          // whether to search rather than forcing it.
+          providerConfig.tool_choice = { type: "auto" };
         }
 
         if (this.config.cacheTtl) {

package/src/api/responses/conversation-message.ts

@@ -283,6 +283,13 @@ const SlackMessageLinkSchema = z.object({
   webUrl: z.string().optional(),
 });
 
+const SlackReactionSchema = z.object({
+  emoji: z.string(),
+  op: z.enum(["added", "removed"]),
+  actorDisplayName: z.string().optional(),
+  targetChannelTs: z.string(),
+});
+
 /** Slack provenance for a history row that originated from a Slack channel. */
 export const ConversationSlackMessageSchema = z.object({
   channelId: z.string(),
@@ -297,6 +304,8 @@ export const ConversationSlackMessageSchema = z.object({
     .optional(),
   messageLink: SlackMessageLinkSchema.optional(),
   threadLink: SlackMessageLinkSchema.optional(),
+  eventKind: z.enum(["message", "reaction"]).optional(),
+  reaction: SlackReactionSchema.optional(),
 });
 export type ConversationSlackMessage = z.infer<
   typeof ConversationSlackMessageSchema

package/src/approvals/guardian-request-resolvers.ts

@@ -13,7 +13,7 @@
 
 import { answerCall } from "../calls/call-domain.js";
 import { findContactChannel } from "../contacts/contact-store.js";
-import { upsertContactChannel } from "../contacts/contacts-write.js";
+import { activateMemberChannel } from "../contacts/member-write-relay.js";
 import { findConversation } from "../daemon/conversation-registry.js";
 import {
   type CanonicalGuardianRequest,
@@ -592,19 +592,31 @@ const accessRequestResolver: GuardianRequestResolver = {
     // a verification session. The caller is already on the line and the
     // relay server's in-call wait loop will detect the approved status.
     if (channel === "phone") {
+      let activation: Awaited<ReturnType<typeof activateMemberChannel>>;
       try {
-        upsertContactChannel({
+        // Gateway-first activation: the gateway owns the ACL verdict, the local
+        // mirror persists the caller's contact/channel identity.
+        activation = await activateMemberChannel({
           sourceChannel: "phone",
           externalUserId: requesterExternalUserId,
           externalChatId: requesterChatId,
-          status: "active",
-          policy: "allow",
         });
       } catch (err) {
         log.error(
           { err, requesterExternalUserId },
           "Access request resolver: failed to activate voice caller as trusted contact",
         );
+        return { ok: false, reason: "voice_activation_failed" };
+      }
+
+      // Fail-closed: a refused activation did not land on the gateway source of
+      // truth, so the caller is not actually trusted — do not report success.
+      if (activation.status === "refused") {
+        log.error(
+          { requesterExternalUserId },
+          "Access request resolver: gateway refused voice caller activation",
+        );
+        return { ok: false, reason: "voice_activation_refused" };
       }
 
       log.info(