npm - @vellumai/assistant - Versions diffs - 0.3.14 → 0.3.16 - Mend

@vellumai/assistant 0.3.14 → 0.3.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/ARCHITECTURE.md +142 -0
package/Dockerfile +2 -2
package/README.md +5 -5
package/docs/architecture/http-token-refresh.md +252 -0
package/docs/architecture/memory.md +5 -4
package/docs/architecture/scheduling.md +4 -88
package/docs/runbook-trusted-contacts.md +283 -0
package/docs/trusted-contact-access.md +247 -0
package/package.json +1 -1
package/scripts/ipc/check-swift-decoder-drift.ts +2 -0
package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap +2 -6
package/src/__tests__/access-request-decision.test.ts +331 -0
package/src/__tests__/asset-materialize-tool.test.ts +7 -7
package/src/__tests__/asset-search-tool.test.ts +15 -15
package/src/__tests__/attachments-store.test.ts +13 -13
package/src/__tests__/call-controller.test.ts +150 -4
package/src/__tests__/call-conversation-messages.test.ts +2 -2
package/src/__tests__/call-pointer-messages.test.ts +28 -0
package/src/__tests__/call-start-guardian-guard.test.ts +93 -0
package/src/__tests__/channel-approval-routes.test.ts +108 -12
package/src/__tests__/channel-guardian.test.ts +16 -14
package/src/__tests__/checker.test.ts +24 -0
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +2 -2
package/src/__tests__/config-watcher.test.ts +358 -0
package/src/__tests__/conversation-pairing.test.ts +24 -24
package/src/__tests__/conversation-store.test.ts +36 -36
package/src/__tests__/date-context.test.ts +179 -1
package/src/__tests__/db-migration-rollback.test.ts +4 -7
package/src/__tests__/deterministic-verification-control-plane.test.ts +5 -5
package/src/__tests__/emit-signal-routing-intent.test.ts +179 -0
package/src/__tests__/gateway-only-guard.test.ts +188 -0
package/src/__tests__/guardian-action-conversation-turn.test.ts +451 -0
package/src/__tests__/guardian-action-copy-generator.test.ts +197 -0
package/src/__tests__/guardian-action-followup-executor.test.ts +379 -0
package/src/__tests__/guardian-action-followup-store.test.ts +376 -0
package/src/__tests__/guardian-action-late-reply.test.ts +294 -0
package/src/__tests__/guardian-action-no-hardcoded-copy.test.ts +71 -0
package/src/__tests__/guardian-action-sweep.test.ts +9 -9
package/src/__tests__/guardian-control-plane-policy.test.ts +1 -3
package/src/__tests__/guardian-outbound-http.test.ts +202 -10
package/src/__tests__/guardian-verification-intent-routing.test.ts +179 -0
package/src/__tests__/guardian-verify-setup-skill-regression.test.ts +141 -0
package/src/__tests__/handlers-telegram-config.test.ts +6 -6
package/src/__tests__/hooks-runner.test.ts +13 -4
package/src/__tests__/ingress-routes-http.test.ts +443 -0
package/src/__tests__/intent-routing.test.ts +14 -0
package/src/__tests__/ipc-snapshot.test.ts +2 -5
package/src/__tests__/media-reuse-story.e2e.test.ts +7 -7
package/src/__tests__/memory-regressions.test.ts +16 -12
package/src/__tests__/non-member-access-request.test.ts +282 -0
package/src/__tests__/notification-decision-strategy.test.ts +136 -0
package/src/__tests__/notification-routing-intent.test.ts +11 -2
package/src/__tests__/notification-thread-candidates.test.ts +166 -0
package/src/__tests__/recording-intent-fallback.test.ts +0 -1
package/src/__tests__/recording-intent-handler.test.ts +6 -3
package/src/__tests__/recording-intent.test.ts +3 -2
package/src/__tests__/recording-state-machine.test.ts +337 -26
package/src/__tests__/registry.test.ts +17 -8
package/src/__tests__/relay-server.test.ts +105 -0
package/src/__tests__/reminder.test.ts +13 -0
package/src/__tests__/runtime-attachment-metadata.test.ts +4 -4
package/src/__tests__/scheduler-recurrence.test.ts +50 -0
package/src/__tests__/server-history-render.test.ts +8 -8
package/src/__tests__/session-agent-loop.test.ts +1 -0
package/src/__tests__/session-runtime-assembly.test.ts +49 -0
package/src/__tests__/session-skill-tools.test.ts +1 -0
package/src/__tests__/skill-projection.benchmark.test.ts +11 -3
package/src/__tests__/slack-channel-config.test.ts +230 -0
package/src/__tests__/subagent-manager-notify.test.ts +4 -4
package/src/__tests__/swarm-session-integration.test.ts +2 -2
package/src/__tests__/system-prompt.test.ts +43 -0
package/src/__tests__/task-management-tools.test.ts +3 -3
package/src/__tests__/task-tools.test.ts +3 -3
package/src/__tests__/trust-store.test.ts +17 -1
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +491 -0
package/src/__tests__/trusted-contact-multichannel.test.ts +409 -0
package/src/__tests__/trusted-contact-verification.test.ts +360 -0
package/src/__tests__/update-bulletin-format.test.ts +119 -0
package/src/__tests__/update-bulletin-state.test.ts +129 -0
package/src/__tests__/update-bulletin.test.ts +260 -0
package/src/__tests__/update-template-contract.test.ts +29 -0
package/src/agent/loop.ts +2 -2
package/src/amazon/client.ts +2 -3
package/src/calls/call-controller.ts +115 -34
package/src/calls/call-conversation-messages.ts +2 -2
package/src/calls/call-domain.ts +10 -3
package/src/calls/call-pointer-messages.ts +17 -5
package/src/calls/guardian-action-sweep.ts +77 -36
package/src/calls/relay-server.ts +51 -12
package/src/calls/twilio-routes.ts +3 -1
package/src/calls/types.ts +1 -1
package/src/calls/voice-session-bridge.ts +4 -4
package/src/cli/core-commands.ts +3 -3
package/src/cli/map.ts +8 -5
package/src/config/bundled-skills/phone-calls/SKILL.md +16 -1
package/src/config/bundled-skills/tasks/SKILL.md +1 -1
package/src/config/bundled-skills/tasks/TOOLS.json +4 -4
package/src/config/bundled-skills/time-based-actions/SKILL.md +11 -1
package/src/config/computer-use-prompt.ts +1 -0
package/src/config/core-schema.ts +16 -0
package/src/config/env-registry.ts +1 -0
package/src/config/env.ts +16 -1
package/src/config/memory-schema.ts +5 -0
package/src/config/schema.ts +4 -0
package/src/config/system-prompt.ts +69 -2
package/src/config/templates/BOOTSTRAP.md +1 -1
package/src/config/templates/IDENTITY.md +8 -4
package/src/config/templates/SOUL.md +14 -0
package/src/config/templates/UPDATES.md +16 -0
package/src/config/templates/USER.md +5 -1
package/src/config/types.ts +1 -0
package/src/config/update-bulletin-format.ts +52 -0
package/src/config/update-bulletin-state.ts +49 -0
package/src/config/update-bulletin.ts +82 -0
package/src/config/vellum-skills/catalog.json +6 -0
package/src/config/vellum-skills/chatgpt-import/tools/chatgpt-import.ts +1 -1
package/src/config/vellum-skills/guardian-verify-setup/SKILL.md +44 -10
package/src/config/vellum-skills/telegram-setup/SKILL.md +4 -4
package/src/config/vellum-skills/trusted-contacts/SKILL.md +147 -0
package/src/config/vellum-skills/twilio-setup/SKILL.md +2 -2
package/src/context/window-manager.ts +43 -3
package/src/daemon/config-watcher.ts +1 -0
package/src/daemon/connection-policy.ts +21 -1
package/src/daemon/daemon-control.ts +164 -7
package/src/daemon/date-context.ts +174 -1
package/src/daemon/guardian-action-generators.ts +175 -0
package/src/daemon/guardian-verification-intent.ts +120 -0
package/src/daemon/handlers/apps.ts +1 -3
package/src/daemon/handlers/config-channels.ts +8 -8
package/src/daemon/handlers/config-heartbeat.ts +1 -1
package/src/daemon/handlers/config-inbox.ts +55 -159
package/src/daemon/handlers/config-ingress.ts +1 -1
package/src/daemon/handlers/config-integrations.ts +1 -1
package/src/daemon/handlers/config-platform.ts +1 -1
package/src/daemon/handlers/config-scheduling.ts +2 -2
package/src/daemon/handlers/config-slack-channel.ts +190 -0
package/src/daemon/handlers/config-telegram.ts +1 -1
package/src/daemon/handlers/config-twilio.ts +1 -1
package/src/daemon/handlers/config-voice.ts +100 -0
package/src/daemon/handlers/config.ts +3 -0
package/src/daemon/handlers/index.ts +1 -1
package/src/daemon/handlers/misc.ts +84 -6
package/src/daemon/handlers/navigate-settings.ts +27 -0
package/src/daemon/handlers/recording.ts +270 -144
package/src/daemon/handlers/sessions.ts +107 -24
package/src/daemon/handlers/subagents.ts +3 -3
package/src/daemon/handlers/work-items.ts +10 -7
package/src/daemon/ipc-contract/integrations.ts +9 -1
package/src/daemon/ipc-contract/messages.ts +4 -0
package/src/daemon/ipc-contract/sessions.ts +1 -1
package/src/daemon/ipc-contract/settings.ts +26 -0
package/src/daemon/ipc-contract/shared.ts +2 -0
package/src/daemon/ipc-contract/work-items.ts +1 -7
package/src/daemon/ipc-contract-inventory.json +5 -1
package/src/daemon/ipc-contract.ts +5 -1
package/src/daemon/lifecycle.ts +306 -266
package/src/daemon/recording-executor.ts +1 -1
package/src/daemon/recording-intent.ts +0 -41
package/src/daemon/response-tier.ts +2 -2
package/src/daemon/server.ts +6 -6
package/src/daemon/session-agent-loop-handlers.ts +34 -9
package/src/daemon/session-agent-loop.ts +15 -8
package/src/daemon/session-history.ts +3 -2
package/src/daemon/session-media-retry.ts +3 -0
package/src/daemon/session-messaging.ts +38 -4
package/src/daemon/session-notifiers.ts +2 -2
package/src/daemon/session-process.ts +256 -23
package/src/daemon/session-queue-manager.ts +2 -0
package/src/daemon/session-runtime-assembly.ts +39 -0
package/src/daemon/session-skill-tools.ts +13 -4
package/src/daemon/session-tool-setup.ts +6 -7
package/src/daemon/session.ts +19 -8
package/src/daemon/tls-certs.ts +55 -13
package/src/daemon/tool-side-effects.ts +13 -5
package/src/gallery/default-gallery.ts +32 -9
package/src/influencer/client.ts +2 -1
package/src/memory/channel-delivery-store.ts +37 -567
package/src/memory/channel-guardian-store.ts +66 -1317
package/src/memory/conflict-store.ts +4 -4
package/src/memory/conversation-attention-store.ts +4 -7
package/src/memory/conversation-crud.ts +668 -0
package/src/memory/conversation-queries.ts +361 -0
package/src/memory/conversation-store.ts +45 -983
package/src/memory/db-connection.ts +3 -0
package/src/memory/db-init.ts +25 -0
package/src/memory/delivery-channels.ts +175 -0
package/src/memory/delivery-crud.ts +211 -0
package/src/memory/delivery-status.ts +199 -0
package/src/memory/embedding-backend.ts +70 -4
package/src/memory/embedding-local.ts +12 -2
package/src/memory/entity-extractor.ts +3 -8
package/src/memory/fts-reconciler.ts +121 -0
package/src/memory/guardian-action-store.ts +366 -3
package/src/memory/guardian-approvals.ts +569 -0
package/src/memory/guardian-bindings.ts +130 -0
package/src/memory/guardian-rate-limits.ts +196 -0
package/src/memory/guardian-verification.ts +520 -0
package/src/memory/job-handlers/index-maintenance.ts +2 -1
package/src/memory/job-utils.ts +8 -5
package/src/memory/jobs-store.ts +66 -6
package/src/memory/jobs-worker.ts +23 -1
package/src/memory/migrations/030-guardian-action-followup.ts +21 -0
package/src/memory/migrations/030-guardian-verification-purpose.ts +17 -0
package/src/memory/migrations/031-conversations-thread-type-index.ts +5 -0
package/src/memory/migrations/100-core-tables.ts +1 -1
package/src/memory/migrations/101-watchers-and-logs.ts +4 -0
package/src/memory/migrations/108-tasks-and-work-items.ts +1 -1
package/src/memory/migrations/112-assistant-inbox.ts +1 -1
package/src/memory/migrations/113-late-migrations.ts +1 -1
package/src/memory/migrations/116-messages-fts.ts +13 -0
package/src/memory/migrations/119-schema-indexes-and-columns.ts +37 -0
package/src/memory/migrations/120-fk-cascade-rebuilds.ts +161 -0
package/src/memory/migrations/index.ts +8 -3
package/src/memory/migrations/validate-migration-state.ts +114 -15
package/src/memory/qdrant-circuit-breaker.ts +105 -0
package/src/memory/retriever.ts +46 -13
package/src/memory/schema-migration.ts +3 -0
package/src/memory/schema.ts +25 -7
package/src/memory/search/semantic.ts +8 -90
package/src/notifications/README.md +1 -1
package/src/notifications/broadcaster.ts +20 -2
package/src/notifications/conversation-pairing.ts +3 -3
package/src/notifications/decision-engine.ts +173 -8
package/src/notifications/deliveries-store.ts +27 -8
package/src/notifications/preferences-store.ts +7 -7
package/src/notifications/thread-candidates.ts +234 -0
package/src/notifications/types.ts +18 -0
package/src/permissions/defaults.ts +11 -1
package/src/permissions/prompter.ts +17 -0
package/src/permissions/trust-store.ts +2 -0
package/src/providers/failover.ts +19 -0
package/src/providers/registry.ts +46 -1
package/src/runtime/approval-message-composer.ts +1 -1
package/src/runtime/channel-guardian-service.ts +15 -3
package/src/runtime/channel-retry-sweep.ts +7 -2
package/src/runtime/guardian-action-conversation-turn.ts +85 -0
package/src/runtime/guardian-action-followup-executor.ts +301 -0
package/src/runtime/guardian-action-message-composer.ts +245 -0
package/src/runtime/guardian-outbound-actions.ts +35 -15
package/src/runtime/guardian-verification-templates.ts +15 -9
package/src/runtime/http-errors.ts +93 -0
package/src/runtime/http-server.ts +140 -51
package/src/runtime/http-types.ts +53 -0
package/src/runtime/ingress-service.ts +237 -0
package/src/runtime/middleware/error-handler.ts +4 -3
package/src/runtime/middleware/rate-limiter.ts +160 -0
package/src/runtime/middleware/request-logger.ts +71 -0
package/src/runtime/middleware/twilio-validation.ts +7 -6
package/src/runtime/pending-interactions.ts +12 -0
package/src/runtime/routes/access-request-decision.ts +215 -0
package/src/runtime/routes/app-routes.ts +25 -18
package/src/runtime/routes/approval-routes.ts +18 -47
package/src/runtime/routes/attachment-routes.ts +15 -41
package/src/runtime/routes/call-routes.ts +20 -20
package/src/runtime/routes/channel-delivery-routes.ts +6 -5
package/src/runtime/routes/contact-routes.ts +4 -9
package/src/runtime/routes/conversation-attention-routes.ts +5 -4
package/src/runtime/routes/conversation-routes.ts +26 -57
package/src/runtime/routes/debug-routes.ts +71 -0
package/src/runtime/routes/events-routes.ts +3 -2
package/src/runtime/routes/guardian-approval-interception.ts +221 -0
package/src/runtime/routes/identity-routes.ts +14 -10
package/src/runtime/routes/inbound-conversation.ts +3 -2
package/src/runtime/routes/inbound-message-handler.ts +527 -62
package/src/runtime/routes/ingress-routes.ts +174 -0
package/src/runtime/routes/integration-routes.ts +82 -20
package/src/runtime/routes/pairing-routes.ts +11 -10
package/src/runtime/routes/secret-routes.ts +10 -18
package/src/runtime/verification-rate-limiter.ts +83 -0
package/src/schedule/schedule-store.ts +13 -1
package/src/schedule/scheduler.ts +2 -2
package/src/security/secret-ingress.ts +5 -2
package/src/security/secret-scanner.ts +72 -6
package/src/subagent/manager.ts +6 -4
package/src/swarm/plan-validator.ts +4 -1
package/src/tasks/task-runner.ts +3 -1
package/src/tools/browser/api-map.ts +9 -6
package/src/tools/calls/call-start.ts +20 -0
package/src/tools/executor.ts +50 -568
package/src/tools/permission-checker.ts +272 -0
package/src/tools/registry.ts +14 -6
package/src/tools/reminder/reminder-store.ts +7 -7
package/src/tools/reminder/reminder.ts +6 -3
package/src/tools/secret-detection-handler.ts +301 -0
package/src/tools/subagent/message.ts +1 -1
package/src/tools/system/voice-config.ts +62 -0
package/src/tools/tasks/index.ts +3 -3
package/src/tools/tasks/work-item-list.ts +3 -3
package/src/tools/tasks/work-item-update.ts +4 -5
package/src/tools/tool-approval-handler.ts +192 -0
package/src/tools/tool-manifest.ts +2 -0
package/src/watcher/watcher-store.ts +9 -9
package/src/work-items/work-item-runner.ts +9 -6
/package/src/memory/migrations/{026-embeddings-nullable-vector-json.ts → 026a-embeddings-nullable-vector-json.ts} +0 -0
/package/src/memory/migrations/{027-guardian-bootstrap-token.ts → 027a-guardian-bootstrap-token.ts} +0 -0

package/src/daemon/lifecycle.ts CHANGED Viewed

@@ -42,17 +42,21 @@ import {
   getInterfacesDir,
   getRootDir,
   getSocketPath,
+  removeSocketFile,
 } from '../util/platform.js';
 import { listWorkItems, updateWorkItem } from '../work-items/work-item-store.js';
 import { WorkspaceHeartbeatService } from '../workspace/heartbeat-service.js';
 import { createApprovalConversationGenerator,createApprovalCopyGenerator } from './approval-generators.js';
-import { cleanupPidFile,writePid } from './daemon-control.js';
+import { hasNoAuthOverride, hasUngatedNoAuthOverride } from './connection-policy.js';
+import { cleanupPidFile, cleanupPidFileIfOwner, writePid } from './daemon-control.js';
+import { createGuardianActionCopyGenerator, createGuardianFollowUpConversationGenerator } from './guardian-action-generators.js';
 import { initPairingHandlers } from './handlers/pairing.js';
 import { installCliLaunchers } from './install-cli-launchers.js';
 import type { ServerMessage } from './ipc-protocol.js';
 import { initializeProvidersAndTools, registerMessagingProviders,registerWatcherProviders } from './providers-setup.js';
 import { seedInterfaceFiles } from './seed-files.js';
 import { DaemonServer } from './server.js';
+import { setGuardianActionCopyGenerator, setGuardianFollowUpConversationGenerator } from './session-process.js';
 import { initSlashPairingContext } from './session-slash.js';
 import { installShutdownHandlers } from './shutdown-handlers.js';
@@ -76,216 +80,255 @@ function loadDotEnv(): void {
 export async function runDaemon(): Promise<void> {
   loadDotEnv();
   validateEnv();
-  initSentry();
-  await initLogfire();
-  // Migration order matters: first move legacy flat files into the data dir
-  // structure, then relocate the data dir into the active workspace, and
-  // finally create any directories that don't yet exist.
-  migrateToDataLayout();
-  migrateToWorkspaceLayout();
-  ensureDataDir();
-  log.info('Daemon startup: migrations complete');
-  seedInterfaceFiles();
+  if (hasUngatedNoAuthOverride()) {
+    log.warn('VELLUM_DAEMON_NOAUTH is set but VELLUM_UNSAFE_AUTH_BYPASS=1 is not — auth bypass is IGNORED and authentication remains enabled. Set VELLUM_UNSAFE_AUTH_BYPASS=1 to confirm the bypass.');
+  } else if (hasNoAuthOverride()) {
+    log.warn('VELLUM_DAEMON_NOAUTH is set — IPC authentication is DISABLED. This should only be used for development or SSH-forwarded sockets. Do not use in production.');
+  }
-  log.info('Daemon startup: installing templates and initializing DB');
-  installTemplates();
-  ensurePromptFiles();
+  // Track whether the IPC socket has been created so we can clean it up
+  // if init crashes after the socket is bound but before shutdown handlers
+  // are installed.
+  let socketCreated = false;
   try {
-    installCliLaunchers();
-  } catch (err) {
-    log.warn({ err }, 'CLI launcher installation failed — continuing startup');
-  }
-  initializeDb();
-  log.info('Daemon startup: DB initialized');
-  // Recover orphaned work items that were left in 'running' state when the
-  // daemon previously crashed or was killed mid-task.
-  const orphanedRunning = listWorkItems({ status: 'running' });
-  if (orphanedRunning.length > 0) {
-    for (const item of orphanedRunning) {
-      updateWorkItem(item.id, { status: 'failed', lastRunStatus: 'interrupted' });
-      log.info({ workItemId: item.id, title: item.title }, 'Recovered orphaned running work item → failed (interrupted)');
+    initSentry();
+    await initLogfire();
+    // Migration order matters: first move legacy flat files into the data dir
+    // structure, then relocate the data dir into the active workspace, and
+    // finally create any directories that don't yet exist.
+    migrateToDataLayout();
+    migrateToWorkspaceLayout();
+    ensureDataDir();
+    // Resolve and write the bearer token as early as possible so the CLI
+    // (which polls for this file during gateway startup) doesn't time out
+    // waiting for Qdrant or other slow init steps to finish.
+    const httpTokenPath = getHttpTokenPath();
+    let bearerToken = getRuntimeProxyBearerToken();
+    if (!bearerToken) {
+      try {
+        const existing = readFileSync(httpTokenPath, 'utf-8').trim();
+        if (existing) bearerToken = existing;
+      } catch {
+        // File doesn't exist or can't be read — will generate below
+      }
     }
-    log.info({ count: orphanedRunning.length }, 'Recovered orphaned running work items');
-  }
+    if (!bearerToken) {
+      bearerToken = randomBytes(32).toString('hex');
+    }
+    writeFileSync(httpTokenPath, bearerToken, { mode: 0o600 });
+    chmodSync(httpTokenPath, 0o600);
+    log.info('Daemon startup: bearer token written');
-  try {
-    const twilioProvider = new TwilioConversationRelayProvider();
-    await reconcileCallsOnStartup(twilioProvider, log);
-  } catch (err) {
-    log.warn({ err }, 'Call recovery failed — continuing startup');
-  }
+    log.info('Daemon startup: migrations complete');
-  log.info('Daemon startup: loading config');
-  const config = loadConfig();
+    seedInterfaceFiles();
-  if (config.logFile.dir) {
-    initLogger({ dir: config.logFile.dir, retentionDays: config.logFile.retentionDays });
-  }
+    log.info('Daemon startup: installing templates and initializing DB');
+    installTemplates();
+    ensurePromptFiles();
-  await initializeProvidersAndTools(config);
+    try {
+      installCliLaunchers();
+    } catch (err) {
+      log.warn({ err }, 'CLI launcher installation failed — continuing startup');
+    }
+    initializeDb();
+    log.info('Daemon startup: DB initialized');
+    // Recover orphaned work items that were left in 'running' state when the
+    // daemon previously crashed or was killed mid-task.
+    const orphanedRunning = listWorkItems({ status: 'running' });
+    if (orphanedRunning.length > 0) {
+      for (const item of orphanedRunning) {
+        updateWorkItem(item.id, { status: 'failed', lastRunStatus: 'interrupted' });
+        log.info({ workItemId: item.id, title: item.title }, 'Recovered orphaned running work item → failed (interrupted)');
+      }
+      log.info({ count: orphanedRunning.length }, 'Recovered orphaned running work items');
+    }
-  // Start the IPC socket BEFORE Qdrant so that clients can connect
-  // immediately. Qdrant startup can take 30+ seconds (binary download,
-  // /readyz polling) which previously blocked the socket from appearing.
-  log.info('Daemon startup: starting DaemonServer (IPC socket)');
-  const server = new DaemonServer();
-  await server.start();
-  log.info('Daemon startup: DaemonServer started');
+    try {
+      const twilioProvider = new TwilioConversationRelayProvider();
+      await reconcileCallsOnStartup(twilioProvider, log);
+    } catch (err) {
+      log.warn({ err }, 'Call recovery failed — continuing startup');
+    }
-  // Initialize Qdrant vector store — non-fatal so the daemon stays up without it
-  const qdrantUrl = getQdrantUrlEnv() || config.memory.qdrant.url;
-  log.info({ qdrantUrl }, 'Daemon startup: initializing Qdrant');
-  const qdrantManager = new QdrantManager({ url: qdrantUrl });
-  try {
-    await qdrantManager.start();
-    initQdrantClient({
-      url: qdrantUrl,
-      collection: config.memory.qdrant.collection,
-      vectorSize: config.memory.qdrant.vectorSize,
-      onDisk: config.memory.qdrant.onDisk,
-      quantization: config.memory.qdrant.quantization,
-    });
-    log.info('Qdrant vector store initialized');
-  } catch (err) {
-    log.warn({ err }, 'Qdrant failed to start — memory features will be unavailable');
-  }
+    log.info('Daemon startup: loading config');
+    const config = loadConfig();
-  log.info('Daemon startup: starting memory worker');
-  const memoryWorker = startMemoryJobsWorker();
-  registerWatcherProviders();
-  registerMessagingProviders();
-  // Register the IPC broadcast function for the notification signal pipeline's
-  // macOS adapter so it can deliver notification_intent messages to desktop clients.
-  registerBroadcastFn((msg) => server.broadcast(msg));
-  const scheduler = startScheduler(
-    async (conversationId, message) => {
-      await server.processMessage(conversationId, message);
-    },
-    (reminder) => {
-      void emitNotificationSignal({
-        sourceEventName: 'reminder.fired',
-        sourceChannel: 'scheduler',
-        sourceSessionId: reminder.id,
-        attentionHints: {
-          requiresAction: true,
-          urgency: 'high',
-          isAsyncBackground: false,
-          visibleInSourceNow: false,
-        },
-        contextPayload: {
-          reminderId: reminder.id,
-          label: reminder.label,
-          message: reminder.message,
-        },
-        routingIntent: reminder.routingIntent,
-        routingHints: reminder.routingHints,
-        dedupeKey: `reminder:${reminder.id}`,
-      });
-    },
-    (schedule) => {
-      void emitNotificationSignal({
-        sourceEventName: 'schedule.complete',
-        sourceChannel: 'scheduler',
-        sourceSessionId: schedule.id,
-        attentionHints: {
-          requiresAction: false,
-          urgency: 'medium',
-          isAsyncBackground: true,
-          visibleInSourceNow: false,
-        },
-        contextPayload: {
-          scheduleId: schedule.id,
-          name: schedule.name,
-        },
-      });
-    },
-    (notification) => {
-      void emitNotificationSignal({
-        sourceEventName: 'watcher.notification',
-        sourceChannel: 'watcher',
-        sourceSessionId: `watcher-${Date.now()}`,
-        attentionHints: {
-          requiresAction: false,
-          urgency: 'low',
-          isAsyncBackground: true,
-          visibleInSourceNow: false,
-        },
-        contextPayload: {
-          title: notification.title,
-          body: notification.body,
-        },
-      });
-    },
-    (params) => {
-      void emitNotificationSignal({
-        sourceEventName: 'watcher.escalation',
-        sourceChannel: 'watcher',
-        sourceSessionId: `watcher-escalation-${Date.now()}`,
-        attentionHints: {
-          requiresAction: true,
-          urgency: 'high',
-          isAsyncBackground: false,
-          visibleInSourceNow: false,
-        },
-        contextPayload: {
-          title: params.title,
-          body: params.body,
-        },
-      });
-    },
-  );
-  // Start the runtime HTTP server. Required for iOS pairing (gateway proxies
-  // to it) and optional REST API access. Defaults to port 7821.
-  let runtimeHttp: RuntimeHttpServer | null = null;
-  const httpPort = getRuntimeHttpPort();
-  log.info({ httpPort }, 'Daemon startup: starting runtime HTTP server');
-  // Resolve the bearer token in priority order:
-  //   1. Explicit env var (e.g. cloud deploys)
-  //   2. Existing token file on disk (preserves QR-paired iOS devices across restarts)
-  //   3. Fresh random token (first-time startup)
-  const httpTokenPath = getHttpTokenPath();
-  let bearerToken = getRuntimeProxyBearerToken();
-  if (!bearerToken) {
+    if (config.logFile.dir) {
+      initLogger({ dir: config.logFile.dir, retentionDays: config.logFile.retentionDays });
+    }
+    await initializeProvidersAndTools(config);
+    // Start the IPC socket BEFORE Qdrant so that clients can connect
+    // immediately. Qdrant startup can take 30+ seconds (binary download,
+    // /readyz polling) which previously blocked the socket from appearing.
+    log.info('Daemon startup: starting DaemonServer (IPC socket)');
+    const server = new DaemonServer();
+    await server.start();
+    socketCreated = true;
+    log.info('Daemon startup: DaemonServer started');
+    // Initialize Qdrant vector store — non-fatal so the daemon stays up without it
+    const qdrantUrl = getQdrantUrlEnv() || config.memory.qdrant.url;
+    log.info({ qdrantUrl }, 'Daemon startup: initializing Qdrant');
+    const qdrantManager = new QdrantManager({ url: qdrantUrl });
     try {
-      const existing = readFileSync(httpTokenPath, 'utf-8').trim();
-      if (existing) bearerToken = existing;
-    } catch {
-      // File doesn't exist or can't be read — will generate below
+      await qdrantManager.start();
+      initQdrantClient({
+        url: qdrantUrl,
+        collection: config.memory.qdrant.collection,
+        vectorSize: config.memory.qdrant.vectorSize,
+        onDisk: config.memory.qdrant.onDisk,
+        quantization: config.memory.qdrant.quantization,
+      });
+      log.info('Qdrant vector store initialized');
+    } catch (err) {
+      log.warn({ err }, 'Qdrant failed to start — memory features will be unavailable');
     }
-  }
-  if (!bearerToken) {
-    bearerToken = randomBytes(32).toString('hex');
-  }
-  writeFileSync(httpTokenPath, bearerToken, { mode: 0o600 });
-  chmodSync(httpTokenPath, 0o600);
-  const hostname = getRuntimeHttpHost();
-  runtimeHttp = new RuntimeHttpServer({
-    port: httpPort,
-    hostname,
-    bearerToken,
-    processMessage: (conversationId, content, attachmentIds, options, sourceChannel, sourceInterface) =>
-      server.processMessage(conversationId, content, attachmentIds, options, sourceChannel, sourceInterface),
-    persistAndProcessMessage: (conversationId, content, attachmentIds, options, sourceChannel, sourceInterface) =>
-      server.persistAndProcessMessage(conversationId, content, attachmentIds, options, sourceChannel, sourceInterface),
-    interfacesDir: getInterfacesDir(),
-    approvalCopyGenerator: createApprovalCopyGenerator(),
-    approvalConversationGenerator: createApprovalConversationGenerator(),
-    sendMessageDeps: {
-      getOrCreateSession: (conversationId) =>
+    log.info('Daemon startup: starting memory worker');
+    const memoryWorker = startMemoryJobsWorker();
+    registerWatcherProviders();
+    registerMessagingProviders();
+    // Register the IPC broadcast function for the notification signal pipeline's
+    // macOS adapter so it can deliver notification_intent messages to desktop clients.
+    registerBroadcastFn((msg) => server.broadcast(msg));
+    const scheduler = startScheduler(
+      async (conversationId, message) => {
+        await server.processMessage(conversationId, message);
+      },
+      (reminder) => {
+        void emitNotificationSignal({
+          sourceEventName: 'reminder.fired',
+          sourceChannel: 'scheduler',
+          sourceSessionId: reminder.id,
+          attentionHints: {
+            requiresAction: true,
+            urgency: 'high',
+            isAsyncBackground: false,
+            visibleInSourceNow: false,
+          },
+          contextPayload: {
+            reminderId: reminder.id,
+            label: reminder.label,
+            message: reminder.message,
+          },
+          routingIntent: reminder.routingIntent,
+          routingHints: reminder.routingHints,
+          dedupeKey: `reminder:${reminder.id}`,
+        });
+      },
+      (schedule) => {
+        void emitNotificationSignal({
+          sourceEventName: 'schedule.complete',
+          sourceChannel: 'scheduler',
+          sourceSessionId: schedule.id,
+          attentionHints: {
+            requiresAction: false,
+            urgency: 'medium',
+            isAsyncBackground: true,
+            visibleInSourceNow: false,
+          },
+          contextPayload: {
+            scheduleId: schedule.id,
+            name: schedule.name,
+          },
+        });
+      },
+      (notification) => {
+        void emitNotificationSignal({
+          sourceEventName: 'watcher.notification',
+          sourceChannel: 'watcher',
+          sourceSessionId: `watcher-${Date.now()}`,
+          attentionHints: {
+            requiresAction: false,
+            urgency: 'low',
+            isAsyncBackground: true,
+            visibleInSourceNow: false,
+          },
+          contextPayload: {
+            title: notification.title,
+            body: notification.body,
+          },
+        });
+      },
+      (params) => {
+        void emitNotificationSignal({
+          sourceEventName: 'watcher.escalation',
+          sourceChannel: 'watcher',
+          sourceSessionId: `watcher-escalation-${Date.now()}`,
+          attentionHints: {
+            requiresAction: true,
+            urgency: 'high',
+            isAsyncBackground: false,
+            visibleInSourceNow: false,
+          },
+          contextPayload: {
+            title: params.title,
+            body: params.body,
+          },
+        });
+      },
+    );
+    // Start the runtime HTTP server. Required for iOS pairing (gateway proxies
+    // to it) and optional REST API access. Defaults to port 7821.
+    let runtimeHttp: RuntimeHttpServer | null = null;
+    const httpPort = getRuntimeHttpPort();
+    log.info({ httpPort }, 'Daemon startup: starting runtime HTTP server');
+    const hostname = getRuntimeHttpHost();
+    runtimeHttp = new RuntimeHttpServer({
+      port: httpPort,
+      hostname,
+      bearerToken,
+      processMessage: (conversationId, content, attachmentIds, options, sourceChannel, sourceInterface) =>
+        server.processMessage(conversationId, content, attachmentIds, options, sourceChannel, sourceInterface),
+      persistAndProcessMessage: (conversationId, content, attachmentIds, options, sourceChannel, sourceInterface) =>
+        server.persistAndProcessMessage(conversationId, content, attachmentIds, options, sourceChannel, sourceInterface),
+      interfacesDir: getInterfacesDir(),
+      approvalCopyGenerator: createApprovalCopyGenerator(),
+      approvalConversationGenerator: createApprovalConversationGenerator(),
+      guardianActionCopyGenerator: (() => {
+        const gen = createGuardianActionCopyGenerator();
+        setGuardianActionCopyGenerator(gen);
+        return gen;
+      })(),
+      guardianFollowUpConversationGenerator: (() => {
+        const gen = createGuardianFollowUpConversationGenerator();
+        setGuardianFollowUpConversationGenerator(gen);
+        return gen;
+      })(),
+      sendMessageDeps: {
+        getOrCreateSession: (conversationId) =>
+          server.getSessionForMessages(conversationId),
+        assistantEventHub,
+        resolveAttachments: (attachmentIds) =>
+          attachmentsStore.getAttachmentsByIds(attachmentIds).map((a) => ({
+            id: a.id,
+            filename: a.originalFilename,
+            mimeType: a.mimeType,
+            data: a.dataBase64,
+          })),
+      },
+    });
+    // Inject voice bridge deps BEFORE attempting to start the HTTP server.
+    // The bridge must be available even when the HTTP server fails to bind.
+    setVoiceBridgeDeps({
+      getOrCreateSession: (conversationId, _transport) =>
         server.getSessionForMessages(conversationId),
-      assistantEventHub,
       resolveAttachments: (attachmentIds) =>
         attachmentsStore.getAttachmentsByIds(attachmentIds).map((a) => ({
           id: a.id,
@@ -293,80 +336,77 @@ export async function runDaemon(): Promise<void> {
           mimeType: a.mimeType,
           data: a.dataBase64,
         })),
-    },
-  });
-  // Inject voice bridge deps BEFORE attempting to start the HTTP server.
-  // The bridge must be available even when the HTTP server fails to bind.
-  setVoiceBridgeDeps({
-    getOrCreateSession: (conversationId, _transport) =>
-      server.getSessionForMessages(conversationId),
-    resolveAttachments: (attachmentIds) =>
-      attachmentsStore.getAttachmentsByIds(attachmentIds).map((a) => ({
-        id: a.id,
-        filename: a.originalFilename,
-        mimeType: a.mimeType,
-        data: a.dataBase64,
-      })),
-    deriveDefaultStrictSideEffects: (conversationId) => {
-      const threadType = conversationStore.getConversationThreadType(conversationId);
-      return threadType === 'private';
-    },
-  });
-  try {
-    await runtimeHttp.start();
-    setRelayBroadcast((msg) => server.broadcast(msg));
-    runtimeHttp.setPairingBroadcast((msg) => server.broadcast(msg as ServerMessage));
-    initPairingHandlers(runtimeHttp.getPairingStore(), bearerToken);
-    initSlashPairingContext(runtimeHttp.getPairingStore());
-    server.setHttpPort(httpPort);
-    log.info({ port: httpPort, hostname }, 'Daemon startup: runtime HTTP server listening');
-  } catch (err) {
-    log.warn({ err, port: httpPort }, 'Failed to start runtime HTTP server, continuing without it');
-    runtimeHttp = null;
-  }
+      deriveDefaultStrictSideEffects: (conversationId) => {
+        const threadType = conversationStore.getConversationThreadType(conversationId);
+        return threadType === 'private';
+      },
+    });
+    try {
+      await runtimeHttp.start();
+      setRelayBroadcast((msg) => server.broadcast(msg));
+      runtimeHttp.setPairingBroadcast((msg) => server.broadcast(msg as ServerMessage));
+      initPairingHandlers(runtimeHttp.getPairingStore(), bearerToken);
+      initSlashPairingContext(runtimeHttp.getPairingStore());
+      server.setHttpPort(httpPort);
+      log.info({ port: httpPort, hostname }, 'Daemon startup: runtime HTTP server listening');
+    } catch (err) {
+      log.warn({ err, port: httpPort }, 'Failed to start runtime HTTP server, continuing without it');
+      runtimeHttp = null;
+    }
-  writePid(process.pid);
-  log.info({ pid: process.pid }, 'Daemon started');
+    writePid(process.pid);
+    log.info({ pid: process.pid }, 'Daemon started');
-  const hookManager = getHookManager();
-  hookManager.watch();
+    const hookManager = getHookManager();
+    hookManager.watch();
-  void hookManager.trigger('daemon-start', {
-    pid: process.pid,
-    socketPath: getSocketPath(),
-  });
+    void hookManager.trigger('daemon-start', {
+      pid: process.pid,
+      socketPath: getSocketPath(),
+    });
-  if (config.auditLog.retentionDays > 0) {
-    try {
-      rotateToolInvocations(config.auditLog.retentionDays);
-    } catch (err) {
-      log.warn({ err }, 'Audit log rotation failed');
+    if (config.auditLog.retentionDays > 0) {
+      try {
+        rotateToolInvocations(config.auditLog.retentionDays);
+      } catch (err) {
+        log.warn({ err }, 'Audit log rotation failed');
+      }
     }
-  }
-  const workspaceHeartbeat = new WorkspaceHeartbeatService();
-  workspaceHeartbeat.start();
-  const heartbeatConfig = config.heartbeat;
-  const heartbeat = new HeartbeatService({
-    processMessage: (conversationId, content) =>
-      server.processMessage(conversationId, content),
-    alerter: (alert) => server.broadcast(alert),
-  });
-  heartbeat.start();
-  server.setHeartbeatService(heartbeat);
-  log.info({ enabled: heartbeatConfig.enabled, intervalMs: heartbeatConfig.intervalMs }, 'Heartbeat service configured');
-  installShutdownHandlers({
-    server,
-    workspaceHeartbeat,
-    heartbeat,
-    hookManager,
-    runtimeHttp,
-    scheduler,
-    memoryWorker,
-    qdrantManager,
-    cleanupPidFile,
-  });
+    const workspaceHeartbeat = new WorkspaceHeartbeatService();
+    workspaceHeartbeat.start();
+    const heartbeatConfig = config.heartbeat;
+    const heartbeat = new HeartbeatService({
+      processMessage: (conversationId, content) =>
+        server.processMessage(conversationId, content),
+      alerter: (alert) => server.broadcast(alert),
+    });
+    heartbeat.start();
+    server.setHeartbeatService(heartbeat);
+    log.info({ enabled: heartbeatConfig.enabled, intervalMs: heartbeatConfig.intervalMs }, 'Heartbeat service configured');
+    installShutdownHandlers({
+      server,
+      workspaceHeartbeat,
+      heartbeat,
+      hookManager,
+      runtimeHttp,
+      scheduler,
+      memoryWorker,
+      qdrantManager,
+      cleanupPidFile,
+    });
+  } catch (err) {
+    log.error({ err }, 'Daemon startup failed — cleaning up');
+    cleanupPidFileIfOwner(process.pid);
+    if (socketCreated) {
+      try {
+        removeSocketFile(getSocketPath());
+      } catch {
+        // Best-effort socket cleanup
+      }
+    }
+    throw err;
+  }
 }

package/src/daemon/recording-executor.ts CHANGED Viewed

@@ -5,7 +5,6 @@
 import type * as net from 'node:net';
-import type { HandlerContext } from './handlers/shared.js';
 import {
   handleRecordingPause,
   handleRecordingRestart,
@@ -14,6 +13,7 @@ import {
   handleRecordingStop,
   isRecordingIdle,
 } from './handlers/recording.js';
+import type { HandlerContext } from './handlers/shared.js';
 import type { RecordingIntentResult } from './recording-intent.js';
 export interface RecordingExecutionContext {