@vellumai/assistant 0.3.15 → 0.3.16

package/src/memory/migrations/validate-migration-state.ts

@@ -1,18 +1,103 @@
+import { IntegrityError } from '../../util/errors.js';
 import { getLogger } from '../../util/logger.js';
+import { getDbPath } from '../../util/platform.js';
 import { type DrizzleDb,getSqliteFrom } from '../db-connection.js';
 import { MIGRATION_REGISTRY, type MigrationValidationResult } from './registry.js';
 
 const log = getLogger('memory-db');
 
+/**
+ * Recover from crashed migrations before the migration runner executes.
+ *
+ * Scans memory_checkpoints for entries with value 'started' — these represent
+ * migrations that began but never completed (e.g., due to a process crash).
+ * Deletes the stalled checkpoint so the migration can re-run from scratch on
+ * this startup. Each migration's own idempotency guards (DDL IF NOT EXISTS,
+ * transactional rollback) ensure re-running is safe.
+ *
+ * Call this BEFORE running migrations so that stalled checkpoints don't block
+ * re-execution.
+ */
+export function recoverCrashedMigrations(database: DrizzleDb): string[] {
+  const raw = getSqliteFrom(database);
+
+  let rows: Array<{ key: string; value: string }>;
+  try {
+    rows = raw.query(`SELECT key, value FROM memory_checkpoints`).all() as Array<{ key: string; value: string }>;
+  } catch {
+    return [];
+  }
+
+  const crashed = rows.filter((r) => r.value === 'started').map((r) => r.key);
+  if (crashed.length === 0) return [];
+
+  log.error(
+    { crashed },
+    [
+      '╔══════════════════════════════════════════════════════════════╗',
+      '║  CRASHED MIGRATIONS DETECTED — AUTO-RECOVERING             ║',
+      '╚══════════════════════════════════════════════════════════════╝',
+      '',
+      `The following migrations started but never completed: ${crashed.join(', ')}`,
+      '',
+      'Clearing stalled checkpoints so they can be retried on this startup.',
+      'If retries continue to fail, manually inspect the database:',
+      `  sqlite3 ${getDbPath()} "SELECT * FROM memory_checkpoints"`,
+    ].join('\n'),
+  );
+
+  for (const key of crashed) {
+    raw.query(`DELETE FROM memory_checkpoints WHERE key = ?`).run(key);
+    log.info({ key }, `Cleared stalled checkpoint "${key}" — migration will re-run`);
+  }
+
+  return crashed;
+}
+
+/**
+ * Wrap a migration function with crash-recovery bookkeeping.
+ *
+ * Writes a 'started' checkpoint before executing the migration body, then
+ * overwrites it with the completion value on success. If the process crashes
+ * between the start marker and completion, recoverCrashedMigrations (which
+ * runs before all migrations) will detect and clear it on the next startup.
+ *
+ * The migrationFn receives the raw SQLite database and should perform its
+ * own transaction management internally.
+ */
+export function withCrashRecovery(
+  database: DrizzleDb,
+  checkpointKey: string,
+  migrationFn: () => void,
+): void {
+  const raw = getSqliteFrom(database);
+
+  const existing = raw.query(
+    `SELECT value FROM memory_checkpoints WHERE key = ?`,
+  ).get(checkpointKey) as { value: string } | null;
+  if (existing && existing.value !== 'started') return;
+
+  raw.query(
+    `INSERT OR REPLACE INTO memory_checkpoints (key, value, updated_at) VALUES (?, 'started', ?)`,
+  ).run(checkpointKey, Date.now());
+
+  migrationFn();
+
+  raw.query(
+    `UPDATE memory_checkpoints SET value = '1', updated_at = ? WHERE key = ?`,
+  ).run(Date.now(), checkpointKey);
+}
+
 /**
  * Validate the applied migration state against the registry at startup.
  *
- * Logs warnings when a migration started but never completed (crash detected),
- * and logs errors when a migration was applied but a declared prerequisite is
- * missing from the checkpoints table (dependency ordering violation).
+ * Logs a prominent error when a migration started but never completed (crash
+ * detected) — startup continues so the migration can be retried.
  *
- * Returns structured diagnostic data so callers (e.g. tests) can assert on the
- * specific issues detected without having to re-query the DB or inspect logs.
+ * Throws an IntegrityError when a migration was applied but a declared
+ * prerequisite is missing from the checkpoints table (dependency ordering
+ * violation). This blocks daemon startup to prevent running with an
+ * inconsistent database schema.
  *
  * Call this AFTER all DDL and migration functions have run so that the final
  * state is inspected.
@@ -28,15 +113,23 @@ export function validateMigrationState(database: DrizzleDb): MigrationValidation
     return { crashed: [], dependencyViolations: [] };
   }
 
-  // Detect crashed migrations: a checkpoint value of 'started' means the
-  // migration wrote its start marker but never reached the completion INSERT.
-  // The migration will re-run on the next startup (its own idempotency guard
-  // will determine safety), but we surface a warning for visibility.
+  // Any remaining 'started' checkpoints after recovery + migration execution
+  // indicate a migration that was retried but failed again.
   const crashed = rows.filter((r) => r.value === 'started').map((r) => r.key);
   if (crashed.length > 0) {
-    log.warn(
+    log.error(
       { crashed },
-      'Crashed migrations detected — these migrations started but never completed; they will re-run on next startup',
+      [
+        '╔══════════════════════════════════════════════════════════════╗',
+        '║  MIGRATIONS STILL INCOMPLETE AFTER RETRY                   ║',
+        '╚══════════════════════════════════════════════════════════════╝',
+        '',
+        `The following migrations were retried but still did not complete: ${crashed.join(', ')}`,
+        '',
+        'Manual intervention is required. Inspect the database and resolve:',
+        `  sqlite3 ${getDbPath()} "DELETE FROM memory_checkpoints WHERE key = '<migration_key>'"`,
+        'Then restart the daemon.',
+      ].join('\n'),
     );
   }
 
@@ -56,14 +149,20 @@ export function validateMigrationState(database: DrizzleDb): MigrationValidation
 
     for (const dep of entry.dependsOn) {
       if (!completed.has(dep)) {
-        log.error(
-          { migration: entry.key, missingDependency: dep, version: entry.version },
-          'Migration dependency violation: this migration is marked complete but its declared prerequisite has no checkpoint — database schema may be inconsistent',
-        );
         dependencyViolations.push({ migration: entry.key, missingDependency: dep });
       }
     }
   }
 
+  if (dependencyViolations.length > 0) {
+    const details = dependencyViolations
+      .map((v) => `  - "${v.migration}" requires "${v.missingDependency}" but it has no checkpoint`)
+      .join('\n');
+    throw new IntegrityError(
+      `Migration dependency violations detected — database schema may be inconsistent:\n${details}\n` +
+      'The daemon cannot start safely. Inspect the database and re-run missing migrations.',
+    );
+  }
+
   return { crashed, dependencyViolations };
 }

package/src/memory/qdrant-circuit-breaker.ts

@@ -0,0 +1,105 @@
+import { getLogger } from '../util/logger.js';
+
+const log = getLogger('qdrant-circuit-breaker');
+
+/**
+ * Circuit breaker for Qdrant operations.
+ *
+ * After FAILURE_THRESHOLD consecutive failures, the circuit opens and
+ * all calls fail-fast without hitting Qdrant. After COOLDOWN_MS, one
+ * probe request is allowed through (half-open). If the probe succeeds,
+ * the circuit closes; if it fails, the circuit re-opens.
+ */
+
+const FAILURE_THRESHOLD = 5;
+const COOLDOWN_MS = 30_000;
+
+type BreakerState = 'closed' | 'open' | 'half-open';
+
+let breakerState: BreakerState = 'closed';
+let consecutiveFailures = 0;
+let openedAt = 0;
+let halfOpenProbeInFlight = false;
+
+export class QdrantCircuitOpenError extends Error {
+  constructor() {
+    super('Qdrant circuit breaker open');
+    this.name = 'QdrantCircuitOpenError';
+  }
+}
+
+function allows(): boolean {
+  if (breakerState === 'closed') return true;
+  if (breakerState === 'open') {
+    if (Date.now() - openedAt >= COOLDOWN_MS) {
+      breakerState = 'half-open';
+      halfOpenProbeInFlight = true;
+      log.info('Qdrant circuit breaker entering half-open state — allowing probe request');
+      return true;
+    }
+    return false;
+  }
+  // half-open: only allow through if no probe is already in flight
+  if (halfOpenProbeInFlight) return false;
+  halfOpenProbeInFlight = true;
+  return true;
+}
+
+function recordSuccess(): void {
+  if (breakerState !== 'closed') {
+    log.info({ previousFailures: consecutiveFailures }, 'Qdrant circuit breaker closed — operation succeeded');
+  }
+  consecutiveFailures = 0;
+  breakerState = 'closed';
+  openedAt = 0;
+  halfOpenProbeInFlight = false;
+}
+
+function recordFailure(): void {
+  consecutiveFailures++;
+  halfOpenProbeInFlight = false;
+  if (consecutiveFailures >= FAILURE_THRESHOLD) {
+    breakerState = 'open';
+    openedAt = Date.now();
+    log.warn(
+      { consecutiveFailures, cooldownMs: COOLDOWN_MS },
+      'Qdrant circuit breaker opened — Qdrant operations disabled until probe succeeds',
+    );
+  } else if (breakerState === 'half-open') {
+    breakerState = 'open';
+    openedAt = Date.now();
+    log.warn('Qdrant circuit breaker re-opened — half-open probe failed');
+  }
+}
+
+/**
+ * Execute a Qdrant operation through the circuit breaker.
+ * Throws QdrantCircuitOpenError if the circuit is open.
+ * Re-throws the original error on failure after recording it.
+ */
+export async function withQdrantBreaker<T>(fn: () => Promise<T>): Promise<T> {
+  if (!allows()) {
+    throw new QdrantCircuitOpenError();
+  }
+  try {
+    const result = await fn();
+    recordSuccess();
+    return result;
+  } catch (err) {
+    recordFailure();
+    throw err;
+  }
+}
+
+/** @internal Test-only: reset circuit breaker state */
+export function _resetQdrantBreaker(): void {
+  breakerState = 'closed';
+  consecutiveFailures = 0;
+  openedAt = 0;
+  halfOpenProbeInFlight = false;
+}
+
+/** @internal Test-only: get breaker state */
+export function _getQdrantBreakerState(): { state: BreakerState; consecutiveFailures: number } {
+  return { state: breakerState, consecutiveFailures };
+}

package/src/memory/retriever.ts

@@ -139,6 +139,8 @@ async function collectAndMergeCandidates(
   // A per-call scopePolicyOverride takes precedence over the global policy.
   const scopeIds = buildScopeFilter(scopeId, scopePolicy, opts?.scopePolicyOverride);
 
+  let semanticSearchFailed = false;
+
   // -- Phase 1: cheap local searches (always run) --
   const lexical = lexicalSearch(query, config.memory.retrieval.lexicalTopK, excludeMessageIds, scopeIds);
 
@@ -220,8 +222,7 @@ async function collectAndMergeCandidates(
 
   // -- Early termination check --
   // If cheap sources already produced enough high-relevance candidates,
-  // skip the expensive semantic search (Qdrant network call) and entity
-  // relation traversal to reduce recall latency.
+  // skip semantic and entity search entirely.
   //
   // Deduplicate before counting: lexical and recency can return the same
   // segment (common when recent messages match the query), so checking raw
@@ -248,12 +249,8 @@ async function collectAndMergeCandidates(
     && cheapCandidates.length >= etConfig.minCandidates
     && cheapCandidates.filter((c) => c.lexical >= etConfig.confidenceThreshold).length >= etConfig.minHighConfidence;
 
-  // -- Phase 2: expensive searches (skipped on early termination) --
-  // Semantic search (async Qdrant network call) and entity search (sync
-  // SQLite graph traversal) are independent. Start the network call first,
-  // run the sync work while it's in flight, then await the result.
+  // -- Phase 2: entity search + await semantic (skipped on early termination) --
   let semantic: Candidate[] = [];
-  let semanticSearchFailed = false;
   let entity: Candidate[] = [];
   let candidateDepths: Map<string, number> | undefined;
   let relationSeedEntityCount = 0;
@@ -262,6 +259,8 @@ async function collectAndMergeCandidates(
   let relationExpandedItemCount = 0;
 
   if (!canTerminateEarly) {
+    // Start semantic search now that we know early termination won't apply.
+    // The network round-trip overlaps with entity search below.
     const semanticPromise = queryVector
       ? semanticSearch(queryVector, opts?.provider ?? 'unknown', opts?.model ?? 'unknown', config.memory.retrieval.semanticTopK, excludeMessageIds, scopeIds)
           .catch((err): Candidate[] => {
@@ -275,6 +274,8 @@ async function collectAndMergeCandidates(
           })
       : null;
 
+    // Entity search is synchronous — run it while the semantic promise
+    // is in flight.
     if (config.memory.entity.enabled) {
       const entitySearchResult = entitySearch(
         query,
@@ -469,10 +470,39 @@ function formatRecallResult(
     1,
     Math.floor(options?.maxInjectTokensOverride ?? config.memory.retrieval.maxInjectTokens),
   );
-  const selected = trimToTokenBudget(merged, maxInjectTokens, config.memory.retrieval.injectionFormat);
+
+  // Reserve token budget for the degradation notice so it doesn't push
+  // injected text over maxInjectTokens when appended after trimming.
+  const degradationNotice = collected.semanticSearchFailed
+    ? '[Note: Semantic search is currently unavailable. Memory recall is limited to lexical and recency matching — results may be incomplete or miss semantically relevant memories.]'
+    : undefined;
+  const noticeOnlyTokenCost = degradationNotice
+    ? estimateTextTokens(degradationNotice)
+    : 0;
+  // +2 for '\n\n' separator — only needed when candidates are also present
+  const noticeTokenCost = noticeOnlyTokenCost + (degradationNotice ? 2 : 0);
+  // When the notice alone exceeds the budget, skip it entirely so
+  // injectedText never exceeds maxInjectTokens.
+  const budgetForNotice = noticeTokenCost <= maxInjectTokens;
+  const candidateBudget = budgetForNotice ? maxInjectTokens - noticeTokenCost : maxInjectTokens;
+
+  const selected = trimToTokenBudget(merged, candidateBudget, config.memory.retrieval.injectionFormat);
   markItemUsage(selected);
 
-  const injectedText = buildInjectedText(selected, config.memory.retrieval.injectionFormat);
+  let injectedText = buildInjectedText(selected, config.memory.retrieval.injectionFormat);
+
+  // Show the notice if it fits: when candidates are present the separator
+  // cost was already reserved; when no candidates were selected, the notice
+  // alone (without separator) may still fit even if the full cost didn't.
+  const canShowNotice = degradationNotice && (
+    budgetForNotice || (selected.length === 0 && noticeOnlyTokenCost <= maxInjectTokens)
+  );
+  if (canShowNotice) {
+    injectedText = injectedText.length > 0
+      ? injectedText + '\n\n' + degradationNotice
+      : degradationNotice;
+  }
+
   const topCandidates: MemoryRecallCandiateDebug[] = selected.slice(0, 10).map((c) => ({
     key: c.key,
     type: c.type,
@@ -720,14 +750,17 @@ export function injectMemoryRecallAsSeparateMessage<T extends { role: 'user' | '
 ): T[] {
   if (memoryRecallText.trim().length === 0) return messages;
   if (messages.length === 0) return messages;
+  // These synthetic messages satisfy the structural constraint T extends { role; content }
+  // but may lack extra fields present on T. In practice T is always Message which has
+  // only role and content, so the cast is safe.
   const contextMessage = {
     role: 'user' as const,
-    content: [{ type: 'text', text: memoryRecallText }],
-  } as unknown as T;
+    content: [{ type: 'text' as const, text: memoryRecallText }],
+  } as T;
   const ackMessage = {
     role: 'assistant' as const,
-    content: [{ type: 'text', text: MEMORY_CONTEXT_ACK }],
-  } as unknown as T;
+    content: [{ type: 'text' as const, text: MEMORY_CONTEXT_ACK }],
+  } as T;
   return [
     ...messages.slice(0, -1),
     contextMessage,

package/src/memory/schema-migration.ts

@@ -24,9 +24,12 @@ export {
   migrateRemainingTableIndexes,
   migrateReminderRoutingIntent,
   migrateRemoveAssistantIdColumns,
+  migrateSchemaIndexesAndColumns,
   migrateToolInvocationsFk,
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,
   type MigrationValidationResult,
+  recoverCrashedMigrations,
   validateMigrationState,
+  withCrashRecovery,
 } from './migrations/index.js';

package/src/memory/schema.ts

@@ -17,13 +17,16 @@ export const conversations = sqliteTable('conversations', {
   originChannel: text('origin_channel'),
   originInterface: text('origin_interface'),
   isAutoTitle: integer('is_auto_title').notNull().default(1),
-});
+}, (table) => [
+  index('idx_conversations_updated_at').on(table.updatedAt),
+  index('idx_conversations_thread_type').on(table.threadType),
+]);
 
 export const messages = sqliteTable('messages', {
   id: text('id').primaryKey(),
   conversationId: text('conversation_id')
     .notNull()
-    .references(() => conversations.id),
+    .references(() => conversations.id, { onDelete: 'cascade' }),
   role: text('role').notNull(),
   content: text('content').notNull(),
   createdAt: integer('created_at').notNull(),
@@ -166,6 +169,7 @@ export const memoryJobs = sqliteTable('memory_jobs', {
   deferrals: integer('deferrals').notNull().default(0),
   runAfter: integer('run_after').notNull(),
   lastError: text('last_error'),
+  startedAt: integer('started_at'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
 });
@@ -416,7 +420,7 @@ export const taskRuns = sqliteTable('task_runs', {
   id: text('id').primaryKey(),
   taskId: text('task_id')
     .notNull()
-    .references(() => tasks.id),
+    .references(() => tasks.id, { onDelete: 'cascade' }),
   conversationId: text('conversation_id'),
   status: text('status').notNull().default('pending'),
   startedAt: integer('started_at'),
@@ -540,7 +544,9 @@ export const llmUsageEvents = sqliteTable('llm_usage_events', {
   estimatedCostUsd: real('estimated_cost_usd'),
   pricingStatus: text('pricing_status').notNull(),
   metadataJson: text('metadata_json'),
-});
+}, (table) => [
+  index('idx_llm_usage_events_conversation_id').on(table.conversationId),
+]);
 
 // ── Call Sessions (outgoing AI phone calls) ──────────────────────────
 
@@ -566,7 +572,9 @@ export const callSessions = sqliteTable('call_sessions', {
   lastError: text('last_error'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
-});
+}, (table) => [
+  index('idx_call_sessions_status').on(table.status),
+]);
 
 export const callEvents = sqliteTable('call_events', {
   id: text('id').primaryKey(),
@@ -660,6 +668,8 @@ export const channelGuardianVerificationChallenges = sqliteTable('channel_guardi
   // Session configuration
   codeDigits: integer('code_digits').default(6),
   maxAttempts: integer('max_attempts').default(3),
+  // Distinguishes guardian verification from trusted contact verification
+  verificationPurpose: text('verification_purpose').default('guardian'),
   // Telegram bootstrap deep-link token hash
   bootstrapTokenHash: text('bootstrap_token_hash'),
   createdAt: integer('created_at').notNull(),
@@ -827,6 +837,12 @@ export const guardianActionRequests = sqliteTable('guardian_action_requests', {
   answeredByExternalUserId: text('answered_by_external_user_id'),
   answeredAt: integer('answered_at'),
   expiresAt: integer('expires_at').notNull(),
+  expiredReason: text('expired_reason'),                            // call_timeout | sweep_timeout | cancelled
+  followupState: text('followup_state').notNull().default('none'),  // none | awaiting_guardian_choice | dispatching | completed | declined | failed
+  lateAnswerText: text('late_answer_text'),
+  lateAnsweredAt: integer('late_answered_at'),
+  followupAction: text('followup_action'),                          // call_back | message_back | decline
+  followupCompletedAt: integer('followup_completed_at'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
 });
@@ -881,7 +897,7 @@ export const assistantIngressMembers = sqliteTable('assistant_ingress_members',
   status: text('status').notNull().default('pending'),
   policy: text('policy').notNull().default('allow'),
   inviteId: text('invite_id')
-    .references(() => assistantIngressInvites.id),
+    .references(() => assistantIngressInvites.id, { onDelete: 'cascade' }),
   createdBySessionId: text('created_by_session_id'),
   revokedReason: text('revoked_reason'),
   blockedReason: text('blocked_reason'),
@@ -1007,7 +1023,9 @@ export const notificationDeliveries = sqliteTable('notification_deliveries', {
   clientDeliveryAt: integer('client_delivery_at'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
-});
+}, (table) => [
+  uniqueIndex('idx_notification_deliveries_decision_channel').on(table.notificationDecisionId, table.channel),
+]);
 
 // ── Conversation Attention ───────────────────────────────────────────
 

package/src/memory/search/semantic.ts

@@ -2,6 +2,7 @@ import { inArray } from 'drizzle-orm';
 
 import { getLogger } from '../../util/logger.js';
 import { getDb } from '../db.js';
+import { withQdrantBreaker, _resetQdrantBreaker, _getQdrantBreakerState } from '../qdrant-circuit-breaker.js';
 import type { QdrantSearchResult } from '../qdrant-client.js';
 import { getQdrantClient } from '../qdrant-client.js';
 import {
@@ -13,82 +14,10 @@ import {
 import { computeRecencyScore } from './ranking.js';
 import type { Candidate } from './types.js';
 
-const log = getLogger('qdrant-circuit-breaker');
+const log = getLogger('semantic-search');
 
-// ── Qdrant circuit breaker ───────────────────────────────────────────
-// After FAILURE_THRESHOLD consecutive Qdrant failures, stop sending
-// requests (open state). After COOLDOWN_MS, allow a single probe
-// request (half-open). If the probe succeeds, close the circuit; if it
-// fails, re-open and restart the cooldown.
-
-const FAILURE_THRESHOLD = 5;
-const COOLDOWN_MS = 60_000;
-
-type BreakerState = 'closed' | 'open' | 'half-open';
-
-let breakerState: BreakerState = 'closed';
-let consecutiveFailures = 0;
-let openedAt = 0;
-// Ensures only one request passes through during half-open state
-let halfOpenProbeInFlight = false;
-
-function qdrantBreakerAllows(): boolean {
-  if (breakerState === 'closed') return true;
-  if (breakerState === 'open') {
-    if (Date.now() - openedAt >= COOLDOWN_MS) {
-      breakerState = 'half-open';
-      halfOpenProbeInFlight = true;
-      log.info('Qdrant circuit breaker entering half-open state — allowing probe request');
-      return true;
-    }
-    return false;
-  }
-  // half-open: only allow through if no probe is already in flight
-  if (halfOpenProbeInFlight) return false;
-  halfOpenProbeInFlight = true;
-  return true;
-}
-
-function qdrantBreakerRecordSuccess(): void {
-  if (breakerState !== 'closed') {
-    log.info({ previousFailures: consecutiveFailures }, 'Qdrant circuit breaker closed — search succeeded');
-  }
-  consecutiveFailures = 0;
-  breakerState = 'closed';
-  openedAt = 0;
-  halfOpenProbeInFlight = false;
-}
-
-function qdrantBreakerRecordFailure(): void {
-  consecutiveFailures++;
-  halfOpenProbeInFlight = false;
-  if (consecutiveFailures >= FAILURE_THRESHOLD) {
-    breakerState = 'open';
-    openedAt = Date.now();
-    log.warn(
-      { consecutiveFailures, cooldownMs: COOLDOWN_MS },
-      'Qdrant circuit breaker opened — semantic search disabled until probe succeeds',
-    );
-  } else if (breakerState === 'half-open') {
-    // Probe failed — re-open
-    breakerState = 'open';
-    openedAt = Date.now();
-    log.warn('Qdrant circuit breaker re-opened — half-open probe failed');
-  }
-}
-
-/** @internal Test-only: reset circuit breaker state */
-export function _resetQdrantBreaker(): void {
-  breakerState = 'closed';
-  consecutiveFailures = 0;
-  openedAt = 0;
-  halfOpenProbeInFlight = false;
-}
-
-/** @internal Test-only: get breaker state */
-export function _getQdrantBreakerState(): { state: BreakerState; consecutiveFailures: number } {
-  return { state: breakerState, consecutiveFailures };
-}
+// Re-export for tests that depend on these from this module
+export { _resetQdrantBreaker, _getQdrantBreakerState };
 
 export async function semanticSearch(
   queryVector: number[],
@@ -100,31 +29,20 @@ export async function semanticSearch(
 ): Promise<Candidate[]> {
   if (limit <= 0) return [];
 
-  // Circuit breaker: throw so the caller's .catch() marks the result as degraded
-  if (!qdrantBreakerAllows()) {
-    log.debug('Qdrant circuit breaker open — skipping semantic search');
-    throw new Error('Qdrant circuit breaker open');
-  }
-
   const qdrant = getQdrantClient();
 
   // Overfetch to account for items filtered out post-query (invalidated, excluded, etc.)
   // Use 3x when exclusions are active to ensure enough results survive filtering
   const overfetchMultiplier = excludedMessageIds.length > 0 ? 3 : 2;
   const fetchLimit = limit * overfetchMultiplier;
-  let results: QdrantSearchResult[];
-  try {
-    results = await qdrant.searchWithFilter(
+  const results: QdrantSearchResult[] = await withQdrantBreaker(() =>
+    qdrant.searchWithFilter(
       queryVector,
       fetchLimit,
       ['item', 'summary', 'segment'],
       excludedMessageIds,
-    );
-    qdrantBreakerRecordSuccess();
-  } catch (err) {
-    qdrantBreakerRecordFailure();
-    throw err;
-  }
+    ),
+  );
 
   const db = getDb();
 

package/src/notifications/README.md

@@ -190,7 +190,7 @@ Reminder fires (scheduler)
 The `enforceRoutingIntent()` function in `decision-engine.ts` runs after the LLM produces its channel selection but before deterministic checks. It overrides the decision's `selectedChannels` based on the routing intent:
 
 - **`all_channels`**: Replaces `selectedChannels` with all connected channels (from `getConnectedChannels()`).
-- **`multi_channel`**: If the LLM selected fewer than 2 channels but 2+ are connected, expands `selectedChannels` to all connected channels.
+- **`multi_channel`**: If the LLM selected fewer than 2 channels but 2+ are connected, expands `selectedChannels` to at least two connected channels.
 - **`single_channel`**: No override -- the LLM's selection stands.
 
 When enforcement changes the decision, the updated channel selection is re-persisted to the `notification_decisions` table so the stored decision matches what was actually dispatched. The `reasoningSummary` is annotated with the enforcement action (e.g. `[routing_intent=all_channels enforced: vellum, telegram, sms]`).

package/src/notifications/broadcaster.ts

@@ -14,7 +14,7 @@ import { v4 as uuid } from 'uuid';
 import { getLogger } from '../util/logger.js';
 import { pairDeliveryWithConversation } from './conversation-pairing.js';
 import { composeFallbackCopy } from './copy-composer.js';
-import { createDelivery, updateDeliveryStatus } from './deliveries-store.js';
+import { createDelivery, findDeliveryByDecisionAndChannel, updateDeliveryStatus } from './deliveries-store.js';
 import { resolveDestinations } from './destination-resolver.js';
 import type { NotificationSignal } from './signal.js';
 import type {
@@ -126,7 +126,7 @@ export class NotificationBroadcaster {
       }
 
       // Pair the delivery with a conversation before sending
-      const pairing = pairDeliveryWithConversation(signal, channel, copy);
+      const pairing = await pairDeliveryWithConversation(signal, channel, copy);
 
       // For the vellum channel, merge the conversationId into deep-link metadata
       // so the macOS/iOS client can navigate directly to the notification thread.
@@ -188,6 +188,24 @@ export class NotificationBroadcaster {
 
       try {
         if (hasPersistedDecision) {
+          const existingDelivery = findDeliveryByDecisionAndChannel(persistedDecisionId, channel);
+          if (existingDelivery) {
+            log.info(
+              { channel, signalId: signal.signalId, existingDeliveryId: existingDelivery.id },
+              'Delivery already exists for this decision+channel — skipping duplicate',
+            );
+            results.push({
+              channel,
+              destination: destinationLabel,
+              status: 'skipped',
+              errorMessage: 'Duplicate delivery skipped',
+              conversationId: existingDelivery.conversationId ?? undefined,
+              messageId: existingDelivery.messageId ?? undefined,
+              conversationStrategy: existingDelivery.conversationStrategy ?? undefined,
+            });
+            continue;
+          }
+
           createDelivery({
             id: deliveryId,
             notificationDecisionId: persistedDecisionId,