@vellumai/assistant 0.3.16 → 0.3.19

package/src/__tests__/voice-session-bridge.test.ts

@@ -8,6 +8,18 @@ import type { ServerMessage } from '../daemon/ipc-protocol.js';
 import type { Session } from '../daemon/session.js';
 
 const testDir = mkdtempSync(join(tmpdir(), 'voice-bridge-test-'));
+let mockedConfig: {
+  secretDetection: { enabled: boolean };
+  calls: { disclosure: { enabled: boolean; text: string } };
+} = {
+  secretDetection: { enabled: false },
+  calls: {
+    disclosure: {
+      enabled: false,
+      text: '',
+    },
+  },
+};
 
 mock.module('../util/platform.js', () => ({
   getRootDir: () => testDir,
@@ -29,15 +41,7 @@ mock.module('../util/logger.js', () => ({
 }));
 
 mock.module('../config/loader.js', () => ({
-  getConfig: () => ({
-    secretDetection: { enabled: false },
-    calls: {
-      disclosure: {
-        enabled: false,
-        text: '',
-      },
-    },
-  }),
+  getConfig: () => mockedConfig,
 }));
 
 import { setVoiceBridgeDeps, startVoiceTurn } from '../calls/voice-session-bridge.js';
@@ -85,6 +89,15 @@ function injectDeps(sessionFactory: () => Session): void {
 
 describe('voice-session-bridge', () => {
   beforeEach(() => {
+    mockedConfig = {
+      secretDetection: { enabled: false },
+      calls: {
+        disclosure: {
+          enabled: false,
+          text: '',
+        },
+      },
+    };
     const db = getDb();
     db.run('DELETE FROM messages');
     db.run('DELETE FROM conversations');
@@ -415,6 +428,93 @@ describe('voice-session-bridge', () => {
     expect(capturedGuardianContext).toEqual(guardianCtx);
   });
 
+  test('inbound non-guardian opener prompt uses pickup framing instead of outbound phrasing', async () => {
+    const conversation = createConversation('voice bridge inbound opener framing test');
+    const events: ServerMessage[] = [
+      { type: 'message_complete', sessionId: conversation.id },
+    ];
+
+    let capturedPrompt: string | null = null;
+    const session = {
+      ...makeStreamingSession(events),
+      setVoiceCallControlPrompt: (prompt: string | null) => {
+        if (prompt != null) capturedPrompt = prompt;
+      },
+    } as unknown as Session;
+
+    injectDeps(() => session);
+
+    await startVoiceTurn({
+      conversationId: conversation.id,
+      content: 'Hello there',
+      isInbound: true,
+      guardianContext: {
+        sourceChannel: 'voice',
+        actorRole: 'non-guardian',
+      },
+      onTextDelta: () => {},
+      onComplete: () => {},
+      onError: () => {},
+    });
+
+    await new Promise((r) => setTimeout(r, 50));
+    if (!capturedPrompt) throw new Error('Expected voice call control prompt to be set');
+    const prompt: string = capturedPrompt;
+
+    expect(prompt).toContain('this is an inbound call you are answering (not a call you initiated)');
+    expect(prompt).toContain('Introduce yourself once at the start using your assistant name if you know it');
+    expect(prompt).toContain('If your assistant name is not known, skip the name and just identify yourself as the guardian\'s assistant.');
+    expect(prompt).toContain('Do NOT say "I\'m calling" or "I\'m calling on behalf of".');
+  });
+
+  test('inbound disclosure guidance is rewritten for pickup context', async () => {
+    mockedConfig = {
+      secretDetection: { enabled: false },
+      calls: {
+        disclosure: {
+          enabled: true,
+          text: 'At the very beginning of the call, introduce yourself as an assistant calling on behalf of the person you represent.',
+        },
+      },
+    };
+
+    const conversation = createConversation('voice bridge inbound disclosure rewrite test');
+    const events: ServerMessage[] = [
+      { type: 'message_complete', sessionId: conversation.id },
+    ];
+
+    let capturedPrompt: string | null = null;
+    const session = {
+      ...makeStreamingSession(events),
+      setVoiceCallControlPrompt: (prompt: string | null) => {
+        if (prompt != null) capturedPrompt = prompt;
+      },
+    } as unknown as Session;
+
+    injectDeps(() => session);
+
+    await startVoiceTurn({
+      conversationId: conversation.id,
+      content: 'Hi',
+      isInbound: true,
+      guardianContext: {
+        sourceChannel: 'voice',
+        actorRole: 'non-guardian',
+      },
+      onTextDelta: () => {},
+      onComplete: () => {},
+      onError: () => {},
+    });
+
+    await new Promise((r) => setTimeout(r, 50));
+    if (!capturedPrompt) throw new Error('Expected voice call control prompt to be set');
+    const prompt: string = capturedPrompt;
+
+    expect(prompt).toContain('At the very beginning of the call, introduce yourself as an assistant calling on behalf of the person you represent.');
+    expect(prompt).toContain('rewrite any disclosure naturally for pickup context');
+    expect(prompt).toContain('Do NOT say "I\'m calling", "I called you", or "I\'m calling on behalf of".');
+  });
+
   test('auto-denies confirmation requests for non-guardian voice turns', async () => {
     const conversation = createConversation('voice bridge auto-deny non-guardian test');
 

package/src/calls/call-controller.ts

@@ -8,6 +8,7 @@
  * barge-in, state machine, guardian verification).
  */
 
+import { getGatewayInternalBaseUrl } from '../config/env.js';
 import type { ServerMessage } from '../daemon/ipc-contract.js';
 import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
 import {
@@ -15,7 +16,9 @@ import {
   getPendingRequestByCallSessionId,
   markTimedOutWithReason,
 } from '../memory/guardian-action-store.js';
+import { revokeScopedApprovalGrantsForContext } from '../memory/scoped-approval-grants.js';
 import { getLogger } from '../util/logger.js';
+import { readHttpToken } from '../util/platform.js';
 import { getMaxCallDurationMs, getUserConsultationTimeoutMs, SILENCE_TIMEOUT_MS } from './call-constants.js';
 import { persistCallCompletionMessage } from './call-conversation-messages.js';
 import { addPointerMessage, formatDuration } from './call-pointer-messages.js';
@@ -27,10 +30,9 @@ import {
   recordCallEvent,
   updateCallSession,
 } from './call-store.js';
-import { getGatewayInternalBaseUrl } from '../config/env.js';
-import { readHttpToken } from '../util/platform.js';
-import { dispatchGuardianQuestion } from './guardian-dispatch.js';
+import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
 import { sendGuardianExpiryNotices } from './guardian-action-sweep.js';
+import { dispatchGuardianQuestion } from './guardian-dispatch.js';
 import type { RelayConnection } from './relay-server.js';
 import type { PromptSpeakerContext } from './speaker-identification.js';
 import { startVoiceTurn, type VoiceTurnHandle } from './voice-session-bridge.js';
@@ -41,6 +43,104 @@ type ControllerState = 'idle' | 'processing' | 'waiting_on_user' | 'speaking';
 
 const ASK_GUARDIAN_CAPTURE_REGEX = /\[ASK_GUARDIAN:\s*(.+?)\]/;
 const ASK_GUARDIAN_MARKER_REGEX = /\[ASK_GUARDIAN:\s*.+?\]/g;
+
+// Flexible prefix for ASK_GUARDIAN_APPROVAL — tolerates variable whitespace
+// after the colon so the marker is recognized even if the model omits the
+// space or inserts a newline.
+const ASK_GUARDIAN_APPROVAL_PREFIX_RE = /\[ASK_GUARDIAN_APPROVAL:\s*/;
+
+/**
+ * Extract a balanced JSON object from text that starts with an
+ * ASK_GUARDIAN_APPROVAL prefix. Uses brace counting with string-literal
+ * awareness so that `}` or `}]` inside JSON string values does not
+ * terminate the match prematurely.
+ *
+ * Returns the extracted JSON string, the full marker text
+ * (prefix + JSON + "]"), and the start index — or null when:
+ *   - no prefix is found,
+ *   - braces are unbalanced (still streaming), or
+ *   - the closing `]` has not yet arrived (prevents stripping
+ *     the marker body while the bracket leaks into TTS in a later delta).
+ */
+function extractBalancedJson(
+  text: string,
+): { json: string; fullMatch: string; startIndex: number } | null {
+  const prefixMatch = ASK_GUARDIAN_APPROVAL_PREFIX_RE.exec(text);
+  if (!prefixMatch) return null;
+
+  const prefixIdx = prefixMatch.index;
+  const jsonStart = prefixIdx + prefixMatch[0].length;
+  if (jsonStart >= text.length || text[jsonStart] !== '{') return null;
+
+  let depth = 0;
+  let inString = false;
+  let escape = false;
+
+  for (let i = jsonStart; i < text.length; i++) {
+    const ch = text[i];
+
+    if (escape) {
+      escape = false;
+      continue;
+    }
+
+    if (ch === '\\' && inString) {
+      escape = true;
+      continue;
+    }
+
+    if (ch === '"') {
+      inString = !inString;
+      continue;
+    }
+
+    if (inString) continue;
+
+    if (ch === '{') {
+      depth++;
+    } else if (ch === '}') {
+      depth--;
+      if (depth === 0) {
+        const jsonEnd = i + 1;
+        const json = text.slice(jsonStart, jsonEnd);
+        // Skip any whitespace between the closing '}' and the expected ']'.
+        // Models sometimes emit formatted markers with spaces or newlines
+        // before the bracket (e.g. `{ ... }\n]` or `{ ... } ]`).
+        let bracketIdx = jsonEnd;
+        while (bracketIdx < text.length && /\s/.test(text[bracketIdx])) {
+          bracketIdx++;
+        }
+        // Require the closing ']' to be present before considering this
+        // a complete match. If it hasn't arrived yet (streaming), return
+        // null so the caller keeps buffering.
+        if (bracketIdx >= text.length || text[bracketIdx] !== ']') {
+          return null;
+        }
+        const fullMatchEnd = bracketIdx + 1;
+        const fullMatch = text.slice(prefixIdx, fullMatchEnd);
+        return { json, fullMatch, startIndex: prefixIdx };
+      }
+    }
+  }
+
+  return null; // Unbalanced braces — still streaming
+}
+
+/**
+ * Strip all balanced ASK_GUARDIAN_APPROVAL markers from text, handling
+ * nested braces, string literals, and flexible whitespace correctly.
+ * Only strips complete markers (prefix + balanced JSON + closing `]`).
+ */
+function stripGuardianApprovalMarkers(text: string): string {
+  let result = text;
+  for (;;) {
+    const match = extractBalancedJson(result);
+    if (!match) break;
+    result = result.slice(0, match.startIndex) + result.slice(match.startIndex + match.fullMatch.length);
+  }
+  return result;
+}
+
 const USER_ANSWERED_MARKER_REGEX = /\[USER_ANSWERED:\s*.+?\]/g;
 const USER_INSTRUCTION_MARKER_REGEX = /\[USER_INSTRUCTION:\s*.+?\]/g;
 const CALL_OPENING_MARKER_REGEX = /\[CALL_OPENING\]/g;
@@ -53,7 +153,8 @@ const CALL_OPENING_ACK_MARKER = '[CALL_OPENING_ACK]';
 const END_CALL_MARKER = '[END_CALL]';
 
 function stripInternalSpeechMarkers(text: string): string {
-  return text
+  let result = stripGuardianApprovalMarkers(text);
+  result = result
     .replace(ASK_GUARDIAN_MARKER_REGEX, '')
     .replace(USER_ANSWERED_MARKER_REGEX, '')
     .replace(USER_INSTRUCTION_MARKER_REGEX, '')
@@ -62,6 +163,7 @@ function stripInternalSpeechMarkers(text: string): string {
     .replace(END_CALL_MARKER_REGEX, '')
     .replace(GUARDIAN_TIMEOUT_MARKER_REGEX, '')
     .replace(GUARDIAN_UNAVAILABLE_MARKER_REGEX, '');
+  return result;
 }
 
 export class CallController {
@@ -336,6 +438,21 @@ export class CallController {
     this.abortCurrentTurn();
     this.currentTurnPromise = null;
     unregisterCallController(this.callSessionId);
+
+    // Revoke any scoped approval grants bound to this call session.
+    // Revoke by both callSessionId and conversationId because the
+    // guardian-approval-interception minting path sets callSessionId: null
+    // but always sets conversationId.
+    try {
+      let revoked = revokeScopedApprovalGrantsForContext({ callSessionId: this.callSessionId });
+      revoked += revokeScopedApprovalGrantsForContext({ conversationId: this.conversationId });
+      if (revoked > 0) {
+        log.info({ callSessionId: this.callSessionId, conversationId: this.conversationId, revokedCount: revoked }, 'Revoked scoped grants on call end');
+      }
+    } catch (err) {
+      log.warn({ err, callSessionId: this.callSessionId }, 'Failed to revoke scoped grants on call end');
+    }
+
     log.info({ callSessionId: this.callSessionId }, 'CallController destroyed');
   }
 
@@ -414,6 +531,7 @@ export class CallController {
           // bracketed text (e.g. "[A]", "[note]") doesn't stall TTS.
           const afterBracket = ttsBuffer;
           const couldBeControl =
+            '[ASK_GUARDIAN_APPROVAL:'.startsWith(afterBracket) ||
             '[ASK_GUARDIAN:'.startsWith(afterBracket) ||
             '[USER_ANSWERED:'.startsWith(afterBracket) ||
             '[USER_INSTRUCTION:'.startsWith(afterBracket) ||
@@ -422,6 +540,7 @@ export class CallController {
             '[END_CALL]'.startsWith(afterBracket) ||
             '[GUARDIAN_TIMEOUT]'.startsWith(afterBracket) ||
             '[GUARDIAN_UNAVAILABLE]'.startsWith(afterBracket) ||
+            afterBracket.startsWith('[ASK_GUARDIAN_APPROVAL:') ||
             afterBracket.startsWith('[ASK_GUARDIAN:') ||
             afterBracket.startsWith('[USER_ANSWERED:') ||
             afterBracket.startsWith('[USER_INSTRUCTION:') ||
@@ -472,6 +591,7 @@ export class CallController {
         // Start the voice turn through the session bridge
         startVoiceTurn({
           conversationId: this.conversationId,
+          callSessionId: this.callSessionId,
           content,
           assistantId: this.assistantId,
           guardianContext: this.guardianContext ?? undefined,
@@ -528,11 +648,31 @@ export class CallController {
         }
       }
 
-      // Check for ASK_GUARDIAN pattern
-      const askMatch = responseText.match(ASK_GUARDIAN_CAPTURE_REGEX);
-      if (askMatch) {
-        const questionText = askMatch[1];
+      // Check for structured tool-approval ASK_GUARDIAN_APPROVAL first,
+      // then informational ASK_GUARDIAN. Uses brace-balanced extraction so
+      // `}]` inside JSON string values does not truncate the payload or
+      // leak partial JSON into TTS output.
+      const approvalMatch = extractBalancedJson(responseText);
+      let toolApprovalMeta: { question: string; toolName: string; inputDigest: string } | null = null;
+      if (approvalMatch) {
+        try {
+          const parsed = JSON.parse(approvalMatch.json) as { question?: string; toolName?: string; input?: Record<string, unknown> };
+          if (parsed.question && parsed.toolName && parsed.input) {
+            const digest = computeToolApprovalDigest(parsed.toolName, parsed.input);
+            toolApprovalMeta = { question: parsed.question, toolName: parsed.toolName, inputDigest: digest };
+          }
+        } catch {
+          log.warn({ callSessionId: this.callSessionId }, 'Failed to parse ASK_GUARDIAN_APPROVAL JSON payload');
+        }
+      }
+
+      const askMatch = toolApprovalMeta
+        ? null // structured approval takes precedence
+        : responseText.match(ASK_GUARDIAN_CAPTURE_REGEX);
+
+      const questionText = toolApprovalMeta?.question ?? (askMatch ? askMatch[1] : null);
 
+      if (questionText) {
         if (this.isCallerGuardian()) {
           // Caller IS the guardian — don't dispatch cross-channel.
           // Queue an instruction so the next turn asks them directly.
@@ -569,6 +709,8 @@ export class CallController {
               conversationId: session.conversationId,
               assistantId: this.assistantId,
               pendingQuestion,
+              toolName: toolApprovalMeta?.toolName,
+              inputDigest: toolApprovalMeta?.inputDigest,
             });
           }
 

package/src/calls/call-domain.ts

@@ -13,6 +13,7 @@ import { getTwilioStatusCallbackUrl,getTwilioVoiceWebhookUrl } from '../inbound/
 import { getOrCreateConversation } from '../memory/conversation-key-store.js';
 import { queueGenerateConversationTitle } from '../memory/conversation-title-service.js';
 import { upsertBinding } from '../memory/external-conversation-store.js';
+import { revokeScopedApprovalGrantsForContext } from '../memory/scoped-approval-grants.js';
 import { isGuardian } from '../runtime/channel-guardian-service.js';
 import { getSecureKey } from '../security/secure-keys.js';
 import { getLogger } from '../util/logger.js';
@@ -489,6 +490,17 @@ export async function cancelCall(input: CancelCallInput): Promise<{ ok: true; se
   // Expire any pending questions so they don't linger
   expirePendingQuestions(callSessionId);
 
+  // Revoke any scoped approval grants bound to this call session.
+  // Revoke by both callSessionId and conversationId because the
+  // guardian-approval-interception minting path sets callSessionId: null
+  // but always sets conversationId.
+  try {
+    revokeScopedApprovalGrantsForContext({ callSessionId });
+    revokeScopedApprovalGrantsForContext({ conversationId: session.conversationId });
+  } catch (err) {
+    log.warn({ err, callSessionId }, 'Failed to revoke scoped grants on call cancel');
+  }
+
   // Re-check final status: a concurrent transition (e.g. Twilio callback) may have
   // moved the session to a terminal state before our update, causing it to be skipped.
   const updated = getCallSession(callSessionId);

package/src/calls/guardian-action-sweep.ts

@@ -17,8 +17,8 @@ import {
   getExpiredGuardianActionRequests,
 } from '../memory/guardian-action-store.js';
 import { deliverChannelReply } from '../runtime/gateway-client.js';
-import type { GuardianActionCopyGenerator } from '../runtime/http-types.js';
 import { composeGuardianActionMessageGenerative } from '../runtime/guardian-action-message-composer.js';
+import type { GuardianActionCopyGenerator } from '../runtime/http-types.js';
 import { getLogger } from '../util/logger.js';
 import { expirePendingQuestions } from './call-store.js';
 

package/src/calls/guardian-dispatch.ts

@@ -9,6 +9,7 @@
 
 import { getActiveBinding } from '../memory/channel-guardian-store.js';
 import {
+  countPendingRequestsByCallSessionId,
   createGuardianActionDelivery,
   createGuardianActionRequest,
   updateDeliveryStatus,
@@ -26,6 +27,10 @@ export interface GuardianDispatchParams {
   conversationId: string;
   assistantId: string;
   pendingQuestion: CallPendingQuestion;
+  /** Tool identity for tool-approval requests (absent for informational ASK_GUARDIAN). */
+  toolName?: string;
+  /** Canonical SHA-256 digest of tool input for tool-approval requests. */
+  inputDigest?: string;
 }
 
 function applyDeliveryStatus(deliveryId: string, result: NotificationDeliveryResult): void {
@@ -47,6 +52,8 @@ export async function dispatchGuardianQuestion(params: GuardianDispatchParams):
     conversationId,
     assistantId,
     pendingQuestion,
+    toolName,
+    inputDigest,
   } = params;
 
   try {
@@ -62,6 +69,8 @@ export async function dispatchGuardianQuestion(params: GuardianDispatchParams):
       pendingQuestionId: pendingQuestion.id,
       questionText: pendingQuestion.questionText,
       expiresAt,
+      toolName,
+      inputDigest,
     });
 
     log.info(
@@ -69,6 +78,12 @@ export async function dispatchGuardianQuestion(params: GuardianDispatchParams):
       'Created guardian action request',
     );
 
+    // Count how many guardian requests are already pending for this call.
+    // This count is a candidate-affinity hint: the decision engine uses it
+    // to prefer reusing an existing thread when multiple questions arise
+    // in the same call session.
+    const activeGuardianRequestCount = countPendingRequestsByCallSessionId(callSessionId);
+
     // Route through the canonical notification pipeline. The paired vellum
     // conversation from this pipeline is the canonical guardian thread.
     let vellumDeliveryId: string | null = null;
@@ -90,6 +105,7 @@ export async function dispatchGuardianQuestion(params: GuardianDispatchParams):
         callSessionId,
         questionText: pendingQuestion.questionText,
         pendingQuestionId: pendingQuestion.id,
+        activeGuardianRequestCount,
       },
       dedupeKey: `guardian:${request.id}`,
       onThreadCreated: (info) => {

package/src/calls/relay-server.ts

@@ -12,6 +12,7 @@ import type { ServerWebSocket } from 'bun';
 
 import { getConfig } from '../config/loader.js';
 import * as conversationStore from '../memory/conversation-store.js';
+import { revokeScopedApprovalGrantsForContext } from '../memory/scoped-approval-grants.js';
 import {
   getPendingChallenge,
   validateAndConsumeChallenge,
@@ -351,6 +352,18 @@ export class RelayConnection {
     }
 
     expirePendingQuestions(this.callSessionId);
+
+    // Revoke any scoped approval grants bound to this call session.
+    // Revoke by both callSessionId and conversationId because the
+    // guardian-approval-interception minting path sets callSessionId: null
+    // but always sets conversationId.
+    try {
+      revokeScopedApprovalGrantsForContext({ callSessionId: this.callSessionId });
+      revokeScopedApprovalGrantsForContext({ conversationId: session.conversationId });
+    } catch (err) {
+      log.warn({ err, callSessionId: this.callSessionId }, 'Failed to revoke scoped grants on transport close');
+    }
+
     persistCallCompletionMessage(session.conversationId, this.callSessionId).catch((err) => {
       log.error({ err, conversationId: session.conversationId, callSessionId: this.callSessionId }, 'Failed to persist call completion message');
     });

package/src/calls/voice-session-bridge.ts

@@ -18,7 +18,9 @@ import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.
 import { resolveChannelCapabilities } from '../daemon/session-runtime-assembly.js';
 import { buildAssistantEvent } from '../runtime/assistant-event.js';
 import { assistantEventHub } from '../runtime/assistant-event-hub.js';
+import { consumeScopedApprovalGrantByToolSignature } from '../memory/scoped-approval-grants.js';
 import { checkIngressForSecrets } from '../security/secret-ingress.js';
+import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
 import { IngressBlockedError } from '../util/errors.js';
 import { getLogger } from '../util/logger.js';
 
@@ -81,6 +83,8 @@ export interface VoiceRunEventSink {
 export interface VoiceTurnOptions {
   /** The conversation ID for this voice call's session. */
   conversationId: string;
+  /** The call session ID for scoped grant matching. */
+  callSessionId?: string;
   /** The transcribed caller utterance or synthetic marker. */
   content: string;
   /** Assistant scope for multi-assistant channels. */
@@ -129,7 +133,9 @@ function buildVoiceCallControlPrompt(opts: {
   const disclosureEnabled = config.calls?.disclosure?.enabled === true;
   const disclosureText = config.calls?.disclosure?.text?.trim();
   const disclosureRule = disclosureEnabled && disclosureText
-    ? `0. ${disclosureText}`
+    ? opts.isInbound
+      ? `0. ${disclosureText} This is an inbound call you are answering, so rewrite any disclosure naturally for pickup context. Do NOT say "I'm calling", "I called you", or "I'm calling on behalf of".`
+      : `0. ${disclosureText}`
     : '0. Begin the conversation naturally.';
 
   const lines: string[] = ['<voice_call_control>'];
@@ -145,7 +151,12 @@ function buildVoiceCallControlPrompt(opts: {
     '1. Be concise — keep responses to 1-3 sentences. Phone conversations should be brief and natural.',
     ...(opts.isCallerGuardian
       ? ['2. You are speaking directly with your guardian (your user). Do NOT use [ASK_GUARDIAN:]. If you need permission, information, or confirmation, ask them directly in the conversation. They can answer you right now.']
-      : ['2. You can consult your guardian at any time by including [ASK_GUARDIAN: your question here] in your response. When you do, add a natural hold message like "Let me check on that for you."']
+      : [[
+          '2. You can consult your guardian in two ways:',
+          '   - For general questions or information: [ASK_GUARDIAN: your question here]',
+          '   - For tool/action permission requests: [ASK_GUARDIAN_APPROVAL: {"question":"Describe what you need permission for","toolName":"the_tool_name","input":{...tool input object...}}]',
+          '   Use ASK_GUARDIAN_APPROVAL when you need permission to execute a specific tool or action. Use ASK_GUARDIAN for everything else (general questions, advice, information). When you use either marker, add a natural hold message like "Let me check on that for you."',
+        ].join('\n')]
     ),
   );
 
@@ -174,7 +185,7 @@ function buildVoiceCallControlPrompt(opts: {
       );
     } else {
       lines.push(
-        '7. If the latest user turn is "(call connected — deliver opening greeting)", greet the caller warmly and ask how you can help. Vary the wording; do not use a fixed template.',
+        '7. If the latest user turn is "(call connected — deliver opening greeting)", this is an inbound call you are answering (not a call you initiated). Greet the caller warmly and ask how you can help. Introduce yourself once at the start using your assistant name if you know it (for example: "Hey there, this is Ava, Sam\'s assistant. How can I help?"). If your assistant name is not known, skip the name and just identify yourself as the guardian\'s assistant. Do NOT say "I\'m calling" or "I\'m calling on behalf of". Vary the wording; do not use a fixed template.',
       );
     }
     lines.push(
@@ -192,7 +203,7 @@ function buildVoiceCallControlPrompt(opts: {
 
   lines.push(
     '9. After the opening greeting turn, treat the Task field as background context only — do not re-execute its instructions on subsequent turns.',
-    '10. Do not make up information. If you are unsure, use [ASK_GUARDIAN: your question] to consult your guardian.',
+    '10. Do not make up information. If you are unsure, use [ASK_GUARDIAN: your question] to consult your guardian. For tool permission requests, use [ASK_GUARDIAN_APPROVAL: {"question":"...","toolName":"...","input":{...}}].',
     '</voice_call_control>',
   );
 
@@ -337,9 +348,39 @@ export async function startVoiceTurn(opts: VoiceTurnOptions): Promise<VoiceTurnH
   session.updateClient((msg: ServerMessage) => {
     if (msg.type === 'confirmation_request') {
       if (autoDeny) {
+        // Before auto-denying, check if a guardian from another channel
+        // has pre-approved this exact tool invocation via a scoped grant.
+        const inputDigest = computeToolApprovalDigest(msg.toolName, msg.input);
+        const consumeResult = consumeScopedApprovalGrantByToolSignature({
+          toolName: msg.toolName,
+          inputDigest,
+          consumingRequestId: msg.requestId,
+          assistantId: opts.assistantId,
+          executionChannel: 'voice',
+          conversationId: opts.conversationId,
+          callSessionId: opts.callSessionId,
+          requesterExternalUserId: opts.guardianContext?.requesterExternalUserId,
+        });
+
+        if (consumeResult.ok) {
+          log.info(
+            { turnId, toolName: msg.toolName, grantId: consumeResult.grant?.id },
+            'Consumed scoped grant — allowing non-guardian voice confirmation',
+          );
+          session.handleConfirmationResponse(
+            msg.requestId,
+            'allow',
+            undefined,
+            undefined,
+            `Permission approved for "${msg.toolName}": guardian pre-approved via scoped grant.`,
+          );
+          publishToHub(msg);
+          return;
+        }
+
         log.info(
           { turnId, toolName: msg.toolName },
-          'Auto-denying confirmation request for voice turn (forceStrictSideEffects)',
+          'Auto-denying confirmation request for voice turn (no matching scoped grant)',
         );
         session.handleConfirmationResponse(
           msg.requestId,

package/src/cli/core-commands.ts

@@ -109,7 +109,7 @@ export function registerDevCommand(program: Command): void {
     .command('dev')
     .description('Run the daemon in dev mode with auto-restart on file changes')
     .action(async () => {
-      const status = await getDaemonStatus();
+      let status = await getDaemonStatus();
       if (status.running) {
         log.info('Stopping existing daemon...');
         const stopResult = await stopDaemon();
@@ -117,6 +117,46 @@ export function registerDevCommand(program: Command): void {
           log.error('Failed to stop existing daemon — process survived SIGKILL');
           process.exit(1);
         }
+      } else if (status.pid) {
+        // PID file references a live process but the socket is unresponsive.
+        // This can happen during the daemon startup window before the socket
+        // is bound. Wait briefly for it to come up before replacing.
+        log.info('Daemon process alive but socket unresponsive — waiting for startup...');
+        const maxWait = 5000;
+        const interval = 500;
+        let waited = 0;
+        let resolved = false;
+        while (waited < maxWait) {
+          await new Promise((r) => setTimeout(r, interval));
+          waited += interval;
+          status = await getDaemonStatus();
+          if (status.running) {
+            // Socket came up — stop the daemon normally.
+            log.info('Daemon became responsive, stopping it...');
+            const stopResult = await stopDaemon();
+            if (!stopResult.stopped && stopResult.reason === 'stop_failed') {
+              log.error('Failed to stop existing daemon — process survived SIGKILL');
+              process.exit(1);
+            }
+            resolved = true;
+            break;
+          }
+          if (!status.pid) {
+            // Process exited on its own — PID file already cleaned up.
+            resolved = true;
+            break;
+          }
+        }
+        if (!resolved) {
+          // Still alive but unresponsive after waiting — stop it via stopDaemon()
+          // which handles SIGTERM → SIGKILL escalation and PID file cleanup.
+          log.info('Daemon still unresponsive after wait — stopping it...');
+          const stopResult = await stopDaemon();
+          if (!stopResult.stopped && stopResult.reason === 'stop_failed') {
+            log.error('Failed to stop existing daemon — process survived SIGKILL');
+            process.exit(1);
+          }
+        }
       }
 
       const mainPath = `${import.meta.dirname}/../daemon/main.ts`;