@vellumai/assistant 0.3.0 → 0.3.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"

package/src/__tests__/channel-approval-routes.test.ts

@@ -2281,8 +2281,8 @@ describe('expired guardian approval auto-denies via sweep', () => {
 
     const orchestrator = makeMockOrchestrator();
 
-    // Run the sweep
-    sweepExpiredGuardianApprovals(orchestrator, 'https://gateway.test/deliver', 'token');
+    // Run the sweep — pass the gateway base URL (not a full /deliver/<channel> URL)
+    sweepExpiredGuardianApprovals(orchestrator, 'https://gateway.test', 'token');
 
     // Wait for async notifications
     await new Promise((resolve) => setTimeout(resolve, 200));
@@ -2313,6 +2313,12 @@ describe('expired guardian approval auto-denies via sweep', () => {
     );
     expect(guardianNotify.length).toBeGreaterThanOrEqual(1);
 
+    // Verify the delivery URL is constructed per-channel (telegram in this case)
+    const allDeliverCalls = deliverSpy.mock.calls;
+    for (const call of allDeliverCalls) {
+      expect(call[0]).toBe('https://gateway.test/deliver/telegram');
+    }
+
     deliverSpy.mockRestore();
   });
 
@@ -2339,7 +2345,7 @@ describe('expired guardian approval auto-denies via sweep', () => {
 
     const orchestrator = makeMockOrchestrator();
 
-    sweepExpiredGuardianApprovals(orchestrator, 'https://gateway.test/deliver', 'token');
+    sweepExpiredGuardianApprovals(orchestrator, 'https://gateway.test', 'token');
 
     await new Promise((resolve) => setTimeout(resolve, 200));
 

package/src/daemon/handlers/config.ts

@@ -1358,7 +1358,7 @@ export function handleGuardianVerification(
       ctx.send(socket, {
         type: 'guardian_verification_response',
         success: true,
-        bound: !revoked,
+        bound: false,
       });
     } else {
       ctx.send(socket, {

package/src/memory/channel-guardian-store.ts

@@ -523,22 +523,34 @@ export interface VerificationRateLimit {
   channel: string;
   actorExternalUserId: string;
   actorChatId: string;
+  /** Individual attempt timestamps (epoch-ms) within the sliding window. */
+  attemptTimestamps: number[];
+  /** Derived count of attempts currently inside the window (convenience). */
   invalidAttempts: number;
-  windowStartedAt: number;
   lockedUntil: number | null;
   createdAt: number;
   updatedAt: number;
 }
 
+function parseTimestamps(json: string): number[] {
+  try {
+    const arr = JSON.parse(json);
+    return Array.isArray(arr) ? arr : [];
+  } catch {
+    return [];
+  }
+}
+
 function rowToRateLimit(row: typeof channelGuardianRateLimits.$inferSelect): VerificationRateLimit {
+  const timestamps = parseTimestamps(row.attemptTimestampsJson);
   return {
     id: row.id,
     assistantId: row.assistantId,
     channel: row.channel,
     actorExternalUserId: row.actorExternalUserId,
     actorChatId: row.actorChatId,
-    invalidAttempts: row.invalidAttempts,
-    windowStartedAt: row.windowStartedAt,
+    attemptTimestamps: timestamps,
+    invalidAttempts: timestamps.length,
     lockedUntil: row.lockedUntil,
     createdAt: row.createdAt,
     updatedAt: row.updatedAt,
@@ -572,9 +584,13 @@ export function getRateLimit(
 }
 
 /**
- * Record an invalid verification attempt. Creates the rate-limit row if
- * it does not yet exist, or increments the counter within the current
- * throttling window.
+ * Record an invalid verification attempt using a true sliding window.
+ *
+ * Each individual attempt timestamp is stored; on every new attempt we
+ * discard timestamps older than `windowMs`, append the current one, and
+ * check whether the count exceeds `maxAttempts`. This avoids the
+ * inactivity-timeout pitfall where attempts spaced just under the window
+ * accumulate indefinitely.
  */
 export function recordInvalidAttempt(
   assistantId: string,
@@ -587,20 +603,23 @@ export function recordInvalidAttempt(
 ): VerificationRateLimit {
   const db = getDb();
   const now = Date.now();
+  const cutoff = now - windowMs;
 
   const existing = getRateLimit(assistantId, channel, actorExternalUserId, actorChatId);
 
   if (existing) {
-    // If the throttling window has elapsed, reset the counter
-    const windowExpired = now - existing.windowStartedAt > windowMs;
-    const newAttempts = windowExpired ? 1 : existing.invalidAttempts + 1;
-    const newWindowStart = windowExpired ? now : existing.windowStartedAt;
-    const newLockedUntil = newAttempts >= maxAttempts ? now + lockoutMs : existing.lockedUntil;
+    // Keep only timestamps within the sliding window, then add the new one
+    const recentTimestamps = existing.attemptTimestamps.filter((ts) => ts > cutoff);
+    recentTimestamps.push(now);
+
+    const newLockedUntil =
+      recentTimestamps.length >= maxAttempts ? now + lockoutMs : existing.lockedUntil;
+
+    const timestampsJson = JSON.stringify(recentTimestamps);
 
     db.update(channelGuardianRateLimits)
       .set({
-        invalidAttempts: newAttempts,
-        windowStartedAt: newWindowStart,
+        attemptTimestampsJson: timestampsJson,
         lockedUntil: newLockedUntil,
         updatedAt: now,
       })
@@ -609,8 +628,8 @@ export function recordInvalidAttempt(
 
     return {
       ...existing,
-      invalidAttempts: newAttempts,
-      windowStartedAt: newWindowStart,
+      attemptTimestamps: recentTimestamps,
+      invalidAttempts: recentTimestamps.length,
       lockedUntil: newLockedUntil,
       updatedAt: now,
     };
@@ -618,6 +637,7 @@ export function recordInvalidAttempt(
 
   // First attempt — create the row
   const id = uuid();
+  const timestamps = [now];
   const lockedUntil = 1 >= maxAttempts ? now + lockoutMs : null;
   const row = {
     id,
@@ -625,8 +645,7 @@ export function recordInvalidAttempt(
     channel,
     actorExternalUserId,
     actorChatId,
-    invalidAttempts: 1,
-    windowStartedAt: now,
+    attemptTimestampsJson: JSON.stringify(timestamps),
     lockedUntil,
     createdAt: now,
     updatedAt: now,
@@ -652,9 +671,8 @@ export function resetRateLimit(
 
   db.update(channelGuardianRateLimits)
     .set({
-      invalidAttempts: 0,
+      attemptTimestampsJson: '[]',
       lockedUntil: null,
-      windowStartedAt: now,
       updatedAt: now,
     })
     .where(

package/src/memory/db.ts

@@ -1001,14 +1001,18 @@ export function initializeDb(): void {
       channel TEXT NOT NULL,
       actor_external_user_id TEXT NOT NULL,
       actor_chat_id TEXT NOT NULL,
-      invalid_attempts INTEGER NOT NULL DEFAULT 0,
-      window_started_at INTEGER NOT NULL,
+      attempt_timestamps_json TEXT NOT NULL DEFAULT '[]',
       locked_until INTEGER,
       created_at INTEGER NOT NULL,
       updated_at INTEGER NOT NULL
     )
   `);
 
+  // Migration: add attempt_timestamps_json column for true sliding-window rate limiting.
+  // The old invalid_attempts / window_started_at columns are left in place (SQLite
+  // doesn't support DROP COLUMN in older versions) but are no longer read by the app.
+  try { database.run(/*sql*/ `ALTER TABLE channel_guardian_rate_limits ADD COLUMN attempt_timestamps_json TEXT NOT NULL DEFAULT '[]'`); } catch { /* already exists */ }
+
   database.run(/*sql*/ `CREATE UNIQUE INDEX IF NOT EXISTS idx_channel_guardian_rate_limits_actor ON channel_guardian_rate_limits(assistant_id, channel, actor_external_user_id, actor_chat_id)`);
 
   migrateMemoryFtsBackfill(database);

package/src/memory/schema.ts

@@ -669,8 +669,7 @@ export const channelGuardianRateLimits = sqliteTable('channel_guardian_rate_limi
   channel: text('channel').notNull(),
   actorExternalUserId: text('actor_external_user_id').notNull(),
   actorChatId: text('actor_chat_id').notNull(),
-  invalidAttempts: integer('invalid_attempts').notNull().default(0),
-  windowStartedAt: integer('window_started_at').notNull(),
+  attemptTimestampsJson: text('attempt_timestamps_json').notNull().default('[]'),
   lockedUntil: integer('locked_until'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),

package/src/runtime/http-server.ts

@@ -41,6 +41,9 @@ import {
   handleChannelDeliveryAck,
   handleListDeadLetters,
   handleReplayDeadLetters,
+  isChannelApprovalsEnabled,
+  startGuardianExpirySweep,
+  stopGuardianExpirySweep,
 } from './routes/channel-routes.js';
 import * as channelDeliveryStore from '../memory/channel-delivery-store.js';
 import * as conversationStore from '../memory/conversation-store.js';
@@ -93,6 +96,15 @@ const log = getLogger('runtime-http');
 const DEFAULT_PORT = 7821;
 const DEFAULT_HOSTNAME = '127.0.0.1';
 
+/** Resolve the gateway base URL for internal delivery callbacks. */
+function getGatewayBaseUrl(): string {
+  if (process.env.GATEWAY_INTERNAL_BASE_URL) {
+    return process.env.GATEWAY_INTERNAL_BASE_URL.replace(/\/+$/, '');
+  }
+  const port = Number(process.env.GATEWAY_PORT) || 7830;
+  return `http://127.0.0.1:${port}`;
+}
+
 /** Global hard cap on request body size (50 MB). Bun rejects larger payloads before they reach handlers. */
 const MAX_REQUEST_BODY_BYTES = 50 * 1024 * 1024;
 
@@ -399,6 +411,12 @@ export class RuntimeHttpServer {
       }, 30_000);
     }
 
+    // Start proactive guardian approval expiry sweep when approvals are enabled
+    if (isChannelApprovalsEnabled() && this.runOrchestrator) {
+      startGuardianExpirySweep(this.runOrchestrator, getGatewayBaseUrl(), this.bearerToken);
+      log.info('Guardian approval expiry sweep started');
+    }
+
     // Startup guard: log gateway-only mode warnings
     log.info('Running in gateway-only ingress mode. Direct webhook routes disabled.');
     if (!isLoopbackHost(this.hostname)) {
@@ -409,6 +427,7 @@ export class RuntimeHttpServer {
   }
 
   async stop(): Promise<void> {
+    stopGuardianExpirySweep();
     if (this.retrySweepTimer) {
       clearInterval(this.retrySweepTimer);
       this.retrySweepTimer = null;

package/src/runtime/routes/channel-routes.ts

@@ -1333,10 +1333,14 @@ let expirySweepTimer: ReturnType<typeof setInterval> | null = null;
  * and notify both the requester and guardian. This runs proactively on a
  * timer so expired approvals are closed without waiting for follow-up
  * traffic from either party.
+ *
+ * Accepts a `gatewayBaseUrl` rather than a fixed delivery URL so that
+ * each approval's notification is routed to the correct channel-specific
+ * endpoint (e.g. `/deliver/telegram`, `/deliver/sms`).
  */
 export function sweepExpiredGuardianApprovals(
   orchestrator: RunOrchestrator,
-  replyCallbackUrl: string,
+  gatewayBaseUrl: string,
   bearerToken?: string,
 ): void {
   const expired = getExpiredPendingApprovals();
@@ -1351,8 +1355,11 @@ export function sweepExpiredGuardianApprovals(
     };
     handleChannelDecision(approval.conversationId, expiredDecision, orchestrator);
 
+    // Construct the per-channel delivery URL from the approval's channel
+    const deliverUrl = `${gatewayBaseUrl}/deliver/${approval.channel}`;
+
     // Notify the requester that the approval expired
-    deliverChannelReply(replyCallbackUrl, {
+    deliverChannelReply(deliverUrl, {
       chatId: approval.requesterChatId,
       text: `Your guardian approval request for "${approval.toolName}" has expired and the action has been denied. Please try again.`,
     }, bearerToken).catch((err) => {
@@ -1360,7 +1367,7 @@ export function sweepExpiredGuardianApprovals(
     });
 
     // Notify the guardian that the approval expired
-    deliverChannelReply(replyCallbackUrl, {
+    deliverChannelReply(deliverUrl, {
       chatId: approval.guardianChatId,
       text: `The approval request for "${approval.toolName}" from user ${approval.requesterExternalUserId} has expired and was automatically denied.`,
     }, bearerToken).catch((err) => {
@@ -1380,13 +1387,13 @@ export function sweepExpiredGuardianApprovals(
  */
 export function startGuardianExpirySweep(
   orchestrator: RunOrchestrator,
-  replyCallbackUrl: string,
+  gatewayBaseUrl: string,
   bearerToken?: string,
 ): void {
   if (expirySweepTimer) return;
   expirySweepTimer = setInterval(() => {
     try {
-      sweepExpiredGuardianApprovals(orchestrator, replyCallbackUrl, bearerToken);
+      sweepExpiredGuardianApprovals(orchestrator, gatewayBaseUrl, bearerToken);
     } catch (err) {
       log.error({ err }, 'Guardian expiry sweep failed');
     }