@vellumai/assistant 0.3.18 → 0.3.20

package/src/calls/call-controller.ts

@@ -12,10 +12,15 @@ import { getGatewayInternalBaseUrl } from '../config/env.js';
 import type { ServerMessage } from '../daemon/ipc-contract.js';
 import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
 import {
+  backfillSupersessionMetadata,
+  expireGuardianActionRequest,
+  getByPendingQuestionId,
   getDeliveriesByRequestId,
   getPendingRequestByCallSessionId,
   markTimedOutWithReason,
 } from '../memory/guardian-action-store.js';
+import { revokeScopedApprovalGrantsForContext } from '../memory/scoped-approval-grants.js';
+import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
 import { getLogger } from '../util/logger.js';
 import { readHttpToken } from '../util/platform.js';
 import { getMaxCallDurationMs, getUserConsultationTimeoutMs, SILENCE_TIMEOUT_MS } from './call-constants.js';
@@ -37,7 +42,19 @@ import { startVoiceTurn, type VoiceTurnHandle } from './voice-session-bridge.js'
 
 const log = getLogger('call-controller');
 
-type ControllerState = 'idle' | 'processing' | 'waiting_on_user' | 'speaking';
+type ControllerState = 'idle' | 'processing' | 'speaking';
+
+/**
+ * Tracks a pending guardian consultation independently of the controller's
+ * turn state. This allows the call to continue normal turn processing
+ * (idle -> processing -> speaking) while a consultation is outstanding.
+ */
+interface PendingConsultation {
+  questionText: string;
+  questionId: string;
+  toolApprovalMeta: { toolName: string; inputDigest: string } | null;
+  timer: ReturnType<typeof setTimeout>;
+}
 
 const ASK_GUARDIAN_CAPTURE_REGEX = /\[ASK_GUARDIAN:\s*(.+?)\]/;
 const ASK_GUARDIAN_MARKER_REGEX = /\[ASK_GUARDIAN:\s*.+?\]/g;
@@ -174,15 +191,18 @@ export class CallController {
   private silenceTimer: ReturnType<typeof setTimeout> | null = null;
   private durationTimer: ReturnType<typeof setTimeout> | null = null;
   private durationWarningTimer: ReturnType<typeof setTimeout> | null = null;
-  private consultationTimer: ReturnType<typeof setTimeout> | null = null;
+  /**
+   * Tracks the currently pending guardian consultation, if any. Decoupled
+   * from the controller's turn state so callers can continue to trigger
+   * normal turns while consultation is outstanding.
+   */
+  private pendingConsultation: PendingConsultation | null = null;
   private durationEndTimer: ReturnType<typeof setTimeout> | null = null;
   private task: string | null;
   /** True when the call session was created via the inbound path (no outbound task). */
   private isInbound: boolean;
-  /** Instructions queued while an LLM turn is in-flight or during waiting_on_user */
+  /** Instructions queued while an LLM turn is in-flight or during pending consultation */
   private pendingInstructions: string[] = [];
-  /** Caller utterances queued while waiting_on_user to prevent re-entrant turns */
-  private pendingCallerUtterances: Array<{transcript: string, speaker?: PromptSpeakerContext}> = [];
   /** Ensures the call opener is triggered at most once per call. */
   private initialGreetingStarted = false;
   /** Marks that the next caller turn should be treated as an opening acknowledgment. */
@@ -246,6 +266,15 @@ export class CallController {
     return this.state;
   }
 
+  /**
+   * Returns the question ID of the currently pending guardian consultation,
+   * or null if no consultation is active. Used by answerCall to match
+   * incoming answers to the correct consultation record.
+   */
+  getPendingConsultationQuestionId(): string | null {
+    return this.pendingConsultation?.questionId ?? null;
+  }
+
   /**
    * Update guardian trust context for subsequent LLM turns.
    */
@@ -268,19 +297,10 @@ export class CallController {
 
   /**
    * Handle a final caller utterance from the ConversationRelay.
+   * Caller utterances always trigger normal turns, even when a guardian
+   * consultation is pending — the consultation is tracked separately.
    */
   async handleCallerUtterance(transcript: string, speaker?: PromptSpeakerContext): Promise<void> {
-    // Do not start a new turn while waiting for guardian input — queue
-    // the utterance so it can be processed after the answer arrives.
-    if (this.state === 'waiting_on_user') {
-      log.warn(
-        { callSessionId: this.callSessionId },
-        'Caller utterance received while waiting_on_user — queued for after answer.',
-      );
-      this.pendingCallerUtterances.push({ transcript, speaker });
-      return;
-    }
-
     const interruptedInFlight = this.state === 'processing' || this.state === 'speaking';
     // If we're already processing or speaking, abort the in-flight generation
     if (interruptedInFlight) {
@@ -316,66 +336,39 @@ export class CallController {
   }
 
   /**
-   * Called when the user (in the chat UI) answers a pending question.
+   * Called when the guardian (via chat UI or channel) answers a pending
+   * consultation question. Acceptance is gated on having an active
+   * pending consultation record, not on controller turn state — so
+   * answers can arrive while the controller is idle, processing, or
+   * speaking.
    */
   async handleUserAnswer(answerText: string): Promise<boolean> {
-    if (this.state !== 'waiting_on_user') {
+    if (!this.pendingConsultation) {
       log.warn(
         { callSessionId: this.callSessionId, state: this.state },
-        'handleUserAnswer called but controller is not in waiting_on_user state',
+        'handleUserAnswer called but no pending consultation exists',
       );
       return false;
     }
 
-    // Clear the consultation timeout
-    if (this.consultationTimer) {
-      clearTimeout(this.consultationTimer);
-      this.consultationTimer = null;
-    }
-
-    // Defensive: await any lingering turn promise before starting a new one.
-    if (this.currentTurnPromise) {
-      const teardownPromise = this.currentTurnPromise;
-      this.currentTurnPromise = null;
-      await Promise.race([
-        teardownPromise.catch(() => {}),
-        new Promise<void>(resolve => setTimeout(resolve, 2000)),
-      ]);
-    }
+    // Clear the consultation timeout and record
+    clearTimeout(this.pendingConsultation.timer);
+    this.pendingConsultation = null;
 
-    this.state = 'processing';
     updateCallSession(this.callSessionId, { status: 'in_progress' });
 
-    // Merge any instructions that were queued during the waiting_on_user
-    // state into a single user message alongside the answer to avoid
-    // consecutive user-role messages (which violate API role-alternation
-    // requirements).
-    const parts: string[] = [];
-    for (const instr of this.pendingInstructions) {
-      parts.push(`[USER_INSTRUCTION: ${instr}]`);
-    }
-    this.pendingInstructions = [];
-    parts.push(`[USER_ANSWERED: ${answerText}]`);
+    // Inject the answer as a queued instruction so it merges into the
+    // next turn naturally, respecting role-alternation. If the controller
+    // is idle the instruction flush will fire a turn immediately.
+    this.pendingInstructions.push(`[USER_ANSWERED: ${answerText}]`);
 
-    const content = parts.join('\n');
+    // If the controller is idle, flush instructions immediately to
+    // deliver the answer. If processing/speaking, the answer will be
+    // delivered when the current turn completes via flushPendingInstructions.
+    if (this.state === 'idle') {
+      this.flushPendingInstructions();
+    }
 
-    // Fire-and-forget: unblock the caller so the HTTP response and answer
-    // persistence happen immediately, before LLM streaming begins.
-    this.runTurn(content)
-      .then(() => {
-        // If the answer turn ended the call (e.g. [END_CALL]), don't drain
-        // queued utterances — just discard them to avoid starting a fresh
-        // turn on a dead session.
-        if (this.state === 'idle' && this.isCallCompleted()) {
-          this.pendingCallerUtterances = [];
-          return;
-        }
-        this.drainPendingCallerUtterances();
-      })
-      .catch((err) => {
-        this.pendingCallerUtterances = [];
-        log.error({ err, callSessionId: this.callSessionId }, 'runTurn failed after user answer');
-      });
     return true;
   }
 
@@ -384,17 +377,16 @@ export class CallController {
    * The instruction is formatted as a dedicated marker that the system prompt
    * tells the model to treat as high-priority steering input.
    *
-   * When the LLM is actively processing or speaking, or when the controller
-   * is waiting on a user answer, the instruction is queued and spliced into
-   * the conversation at the correct chronological position once the current
-   * turn completes.
+   * When the LLM is actively processing or speaking, the instruction is
+   * queued and spliced into the conversation at the correct chronological
+   * position once the current turn completes.
    */
   async handleUserInstruction(instructionText: string): Promise<void> {
     recordCallEvent(this.callSessionId, 'user_instruction_relayed', { instruction: instructionText });
 
     // Queue the instruction when it cannot be safely appended right now
-    if (this.state === 'processing' || this.state === 'speaking' || this.state === 'waiting_on_user') {
-      this.pendingInstructions.push(instructionText);
+    if (this.state === 'processing' || this.state === 'speaking') {
+      this.pendingInstructions.push(`[USER_INSTRUCTION: ${instructionText}]`);
       return;
     }
 
@@ -430,12 +422,27 @@ export class CallController {
     if (this.silenceTimer) clearTimeout(this.silenceTimer);
     if (this.durationTimer) clearTimeout(this.durationTimer);
     if (this.durationWarningTimer) clearTimeout(this.durationWarningTimer);
-    if (this.consultationTimer) clearTimeout(this.consultationTimer);
+    if (this.pendingConsultation) { clearTimeout(this.pendingConsultation.timer); this.pendingConsultation = null; }
     if (this.durationEndTimer) { clearTimeout(this.durationEndTimer); this.durationEndTimer = null; }
     this.llmRunVersion++;
     this.abortCurrentTurn();
     this.currentTurnPromise = null;
     unregisterCallController(this.callSessionId);
+
+    // Revoke any scoped approval grants bound to this call session.
+    // Revoke by both callSessionId and conversationId because the
+    // guardian-approval-interception minting path sets callSessionId: null
+    // but always sets conversationId.
+    try {
+      let revoked = revokeScopedApprovalGrantsForContext({ callSessionId: this.callSessionId });
+      revoked += revokeScopedApprovalGrantsForContext({ conversationId: this.conversationId });
+      if (revoked > 0) {
+        log.info({ callSessionId: this.callSessionId, conversationId: this.conversationId, revokedCount: revoked }, 'Revoked scoped grants on call end');
+      }
+    } catch (err) {
+      log.warn({ err, callSessionId: this.callSessionId }, 'Failed to revoke scoped grants on call end');
+    }
+
     log.info({ callSessionId: this.callSessionId }, 'CallController destroyed');
   }
 
@@ -574,6 +581,7 @@ export class CallController {
         // Start the voice turn through the session bridge
         startVoiceTurn({
           conversationId: this.conversationId,
+          callSessionId: this.callSessionId,
           content,
           assistantId: this.assistantId,
           guardianContext: this.guardianContext ?? undefined,
@@ -635,23 +643,24 @@ export class CallController {
       // `}]` inside JSON string values does not truncate the payload or
       // leak partial JSON into TTS output.
       const approvalMatch = extractBalancedJson(responseText);
-      let approvalQuestion: string | null = null;
+      let toolApprovalMeta: { question: string; toolName: string; inputDigest: string } | null = null;
       if (approvalMatch) {
         try {
-          const parsed = JSON.parse(approvalMatch.json) as { question?: string };
-          if (parsed.question) {
-            approvalQuestion = parsed.question;
+          const parsed = JSON.parse(approvalMatch.json) as { question?: string; toolName?: string; input?: Record<string, unknown> };
+          if (parsed.question && parsed.toolName && parsed.input) {
+            const digest = computeToolApprovalDigest(parsed.toolName, parsed.input);
+            toolApprovalMeta = { question: parsed.question, toolName: parsed.toolName, inputDigest: digest };
           }
         } catch {
           log.warn({ callSessionId: this.callSessionId }, 'Failed to parse ASK_GUARDIAN_APPROVAL JSON payload');
         }
       }
 
-      const askMatch = approvalQuestion
+      const askMatch = toolApprovalMeta
         ? null // structured approval takes precedence
         : responseText.match(ASK_GUARDIAN_CAPTURE_REGEX);
 
-      const questionText = approvalQuestion ?? (askMatch ? askMatch[1] : null);
+      const questionText = toolApprovalMeta?.question ?? (askMatch ? askMatch[1] : null);
 
       if (questionText) {
         if (this.isCallerGuardian()) {
@@ -673,103 +682,101 @@ export class CallController {
             + `The unanswered question was: "${questionText}"`,
           );
           // Fall through to normal turn completion (idle + flushPendingInstructions)
+        } else if (this.pendingInstructions.some((instr) => instr.startsWith('[USER_ANSWERED:'))) {
+          // A guardian answer arrived mid-turn and is queued in
+          // pendingInstructions but hasn't been flushed yet. The in-flight
+          // LLM response was generated without knowledge of this answer, so
+          // creating a new consultation now would supersede the old one and
+          // desynchronize the flow. Skip this consultation — the answer will
+          // be flushed on the next turn, and if the model still needs to
+          // consult a guardian, it will emit another ASK_GUARDIAN then.
+          log.info({ callSessionId: this.callSessionId }, 'Deferring ASK_GUARDIAN — queued USER_ANSWERED pending');
+          recordCallEvent(this.callSessionId, 'guardian_consult_deferred', { question: questionText });
+          // Fall through to normal turn completion (idle + flushPendingInstructions)
         } else {
-          const pendingQuestion = createPendingQuestion(this.callSessionId, questionText);
-          this.state = 'waiting_on_user';
-          updateCallSession(this.callSessionId, { status: 'waiting_on_user' });
-          recordCallEvent(this.callSessionId, 'user_question_asked', { question: questionText });
-
-          // Notify the conversation that a question was asked
-          const session = getCallSession(this.callSessionId);
-          if (session) {
-            fireCallQuestionNotifier(session.conversationId, this.callSessionId, questionText);
-
-            // Dispatch guardian action request to all configured channels
-            void dispatchGuardianQuestion({
-              callSessionId: this.callSessionId,
-              conversationId: session.conversationId,
-              assistantId: this.assistantId,
-              pendingQuestion,
-            });
-          }
-
-          // Set a consultation timeout
-          this.consultationTimer = setTimeout(() => {
-            if (this.state !== 'waiting_on_user') return;
-
-            log.info({ callSessionId: this.callSessionId }, 'User consultation timed out');
-
-            // Mark the linked guardian action request as timed out and
-            // send expiry notices to guardian destinations. Deliveries
-            // must be captured before markTimedOutWithReason changes
-            // their status.
-            const pendingActionRequest = getPendingRequestByCallSessionId(this.callSessionId);
-            if (pendingActionRequest) {
-              const deliveries = getDeliveriesByRequestId(pendingActionRequest.id);
-              markTimedOutWithReason(pendingActionRequest.id, 'call_timeout');
+          // Determine the effective tool metadata for this ask. If the new
+          // ask has structured tool metadata, use it; otherwise inherit from
+          // the prior pending consultation (preserves tool scope on re-asks).
+          const effectiveToolMeta = toolApprovalMeta
+            ? { toolName: toolApprovalMeta.toolName, inputDigest: toolApprovalMeta.inputDigest }
+            : this.pendingConsultation?.toolApprovalMeta ?? null;
+
+          // Coalesce repeated identical asks: if a consultation is already
+          // pending for the same tool/action (or same informational question),
+          // avoid churning requests and just keep the existing one.
+          if (this.pendingConsultation) {
+            const isSameToolAction =
+              effectiveToolMeta && this.pendingConsultation.toolApprovalMeta
+                ? effectiveToolMeta.toolName === this.pendingConsultation.toolApprovalMeta.toolName
+                  && effectiveToolMeta.inputDigest === this.pendingConsultation.toolApprovalMeta.inputDigest
+                : !effectiveToolMeta && !this.pendingConsultation.toolApprovalMeta
+                  && questionText === this.pendingConsultation.questionText;
+
+            if (isSameToolAction) {
+              // Same tool/action — coalesce. Keep the existing consultation
+              // alive and skip creating a new request.
               log.info(
-                { callSessionId: this.callSessionId, requestId: pendingActionRequest.id },
-                'Marked guardian action request as timed out',
+                { callSessionId: this.callSessionId, questionId: this.pendingConsultation.questionId },
+                'Coalescing repeated ASK_GUARDIAN — same tool/action already pending',
               );
-              void sendGuardianExpiryNotices(
-                deliveries,
-                pendingActionRequest.assistantId,
-                getGatewayInternalBaseUrl(),
-                readHttpToken() ?? undefined,
-              ).catch((err) => {
-                log.error(
-                  { err, callSessionId: this.callSessionId, requestId: pendingActionRequest.id },
-                  'Failed to send guardian action expiry notices after call timeout',
+              recordCallEvent(this.callSessionId, 'guardian_consult_coalesced', { question: questionText });
+              // Fall through to normal turn completion (idle + flushPendingInstructions)
+            } else {
+              // Materially different intent — supersede the old consultation.
+              clearTimeout(this.pendingConsultation.timer);
+
+              // Expire the previous consultation's storage records so stale
+              // guardian answers cannot match the old request.
+              expirePendingQuestions(this.callSessionId);
+              const previousRequest = getPendingRequestByCallSessionId(this.callSessionId);
+              if (previousRequest) {
+                // Immediately expire with 'superseded' reason to prevent
+                // stale answers from resolving the old request.
+                expireGuardianActionRequest(previousRequest.id, 'superseded');
+                log.info(
+                  { callSessionId: this.callSessionId, requestId: previousRequest.id },
+                  'Superseded guardian action request (materially different intent)',
                 );
-              });
-            }
-
-            // Expire pending questions and update call state
-            expirePendingQuestions(this.callSessionId);
-            this.state = 'idle';
-            updateCallSession(this.callSessionId, { status: 'in_progress' });
-            this.guardianUnavailableForCall = true;
-            recordCallEvent(this.callSessionId, 'guardian_consultation_timed_out', { question: questionText });
-
-            // Restart silence detection before firing the generated turn
-            this.resetSilenceTimer();
-
-            // Build a generated turn instruction instead of hardcoded text.
-            // Merge any queued instructions and caller utterances into the
-            // timeout turn to avoid concurrent-turn races.
-            const timeoutInstruction =
-              `[GUARDIAN_TIMEOUT] Your guardian did not respond in time to your question: "${questionText}". `
-              + `Apologize to the caller for the delay, let them know you were unable to reach your guardian, `
-              + `ask if they would like to leave a message or receive a callback, `
-              + `and ask if there are any other questions you can help with right now.`;
-
-            const parts: string[] = [];
-            for (const instr of this.pendingInstructions) {
-              parts.push(`[USER_INSTRUCTION: ${instr}]`);
-            }
-            this.pendingInstructions = [];
-            parts.push(`[USER_INSTRUCTION: ${timeoutInstruction}]`);
-
-            if (this.pendingCallerUtterances.length > 0) {
-              const latest = this.pendingCallerUtterances[this.pendingCallerUtterances.length - 1];
-              this.pendingCallerUtterances = [];
-              const callerContent = this.formatCallerUtterance(latest.transcript, latest.speaker);
-              if (callerContent.length > 0) {
-                parts.push(callerContent);
               }
-            }
 
-            const content = parts.join('\n');
-            this.runTurn(content).catch((err) =>
-              log.error({ err, callSessionId: this.callSessionId }, 'runTurn failed after guardian consultation timeout'),
-            );
-          }, getUserConsultationTimeoutMs());
-          return;
+              this.pendingConsultation = null;
+
+              // Dispatch the new consultation with effective tool metadata.
+              // The previous request ID is passed through so the dispatch
+              // can backfill supersession chain metadata (superseded_by_request_id)
+              // once the new request has been created.
+              this.dispatchNewConsultation(questionText, effectiveToolMeta, previousRequest?.id ?? null);
+            }
+          } else {
+            // No prior consultation — dispatch fresh
+            this.dispatchNewConsultation(questionText, effectiveToolMeta, null);
+          }
         }
       }
 
       // Check for END_CALL marker
       if (responseText.includes(END_CALL_MARKER)) {
+        // Clear any pending consultation before completing the call.
+        // Without this, the consultation timeout can fire on an already-ended
+        // call, overwriting 'completed' status back to 'in_progress' and
+        // starting a new LLM turn on a dead session. Similarly, a late
+        // handleUserAnswer could be accepted since pendingConsultation is
+        // still non-null.
+        if (this.pendingConsultation) {
+          clearTimeout(this.pendingConsultation.timer);
+
+          // Expire store-side consultation records so clients don't observe
+          // a completed call with a dangling pendingQuestion, and guardian
+          // replies are cleanly rejected instead of hitting answerCall failures.
+          expirePendingQuestions(this.callSessionId);
+          const previousRequest = getPendingRequestByCallSessionId(this.callSessionId);
+          if (previousRequest) {
+            expireGuardianActionRequest(previousRequest.id, 'cancelled');
+          }
+
+          this.pendingConsultation = null;
+        }
+
         const currentSession = getCallSession(this.callSessionId);
         const shouldNotifyCompletion = currentSession
           ? currentSession.status !== 'completed' && currentSession.status !== 'failed' && currentSession.status !== 'cancelled'
@@ -854,14 +861,114 @@ export class CallController {
   }
 
   /**
-   * Check whether the underlying call session has already ended.
-   * Used to guard against post-completion work (e.g. draining queued
-   * utterances after an [END_CALL] turn).
+   * Create a new consultation: persist a pending question, dispatch
+   * guardian action request to channels, and start the consultation timer.
+   *
+   * If `supersededRequestId` is provided, backfills the supersession
+   * chain after the new request is created.
    */
-  private isCallCompleted(): boolean {
+  private dispatchNewConsultation(
+    questionText: string,
+    effectiveToolMeta: { toolName: string; inputDigest: string } | null,
+    supersededRequestId: string | null,
+  ): void {
+    const pendingQuestion = createPendingQuestion(this.callSessionId, questionText);
+    updateCallSession(this.callSessionId, { status: 'waiting_on_user' });
+    recordCallEvent(this.callSessionId, 'user_question_asked', { question: questionText });
+
+    // Notify the conversation that a question was asked
     const session = getCallSession(this.callSessionId);
-    if (!session) return true;
-    return session.status === 'completed' || session.status === 'failed' || session.status === 'cancelled';
+    if (session) {
+      fireCallQuestionNotifier(session.conversationId, this.callSessionId, questionText);
+
+      // Dispatch guardian action request to all configured channels
+      // Capture the pending question ID in a closure for stable lookup
+      // after the async dispatch completes — avoids a racy
+      // getPendingRequestByCallSessionId lookup that could return a
+      // different request if another supersession occurs during the gap.
+      const stablePendingQuestionId = pendingQuestion.id;
+      void dispatchGuardianQuestion({
+        callSessionId: this.callSessionId,
+        conversationId: session.conversationId,
+        assistantId: this.assistantId,
+        pendingQuestion,
+        toolName: effectiveToolMeta?.toolName,
+        inputDigest: effectiveToolMeta?.inputDigest,
+      }).then(() => {
+        // Backfill supersession chain: now that the new request exists in
+        // the store, update the old request's superseded_by_request_id.
+        if (supersededRequestId) {
+          const newRequest = getByPendingQuestionId(stablePendingQuestionId);
+          if (newRequest) {
+            backfillSupersessionMetadata(supersededRequestId, newRequest.id);
+          }
+        }
+      });
+    }
+
+    // Set a consultation timeout tied to this specific consultation
+    // record, not the global controller state.
+    const consultationTimer = setTimeout(() => {
+      // Only fire if this consultation is still the active one
+      if (!this.pendingConsultation || this.pendingConsultation.questionId !== pendingQuestion.id) return;
+
+      log.info({ callSessionId: this.callSessionId }, 'Guardian consultation timed out');
+
+      // Mark the linked guardian action request as timed out and
+      // send expiry notices to guardian destinations. Deliveries
+      // must be captured before markTimedOutWithReason changes
+      // their status.
+      const pendingActionRequest = getPendingRequestByCallSessionId(this.callSessionId);
+      if (pendingActionRequest) {
+        const deliveries = getDeliveriesByRequestId(pendingActionRequest.id);
+        markTimedOutWithReason(pendingActionRequest.id, 'call_timeout');
+        log.info(
+          { callSessionId: this.callSessionId, requestId: pendingActionRequest.id },
+          'Marked guardian action request as timed out',
+        );
+        void sendGuardianExpiryNotices(
+          deliveries,
+          pendingActionRequest.assistantId,
+          getGatewayInternalBaseUrl(),
+          readHttpToken() ?? undefined,
+        ).catch((err) => {
+          log.error(
+            { err, callSessionId: this.callSessionId, requestId: pendingActionRequest.id },
+            'Failed to send guardian action expiry notices after call timeout',
+          );
+        });
+      }
+
+      // Expire pending questions and update call state
+      expirePendingQuestions(this.callSessionId);
+      this.pendingConsultation = null;
+      updateCallSession(this.callSessionId, { status: 'in_progress' });
+      this.guardianUnavailableForCall = true;
+      recordCallEvent(this.callSessionId, 'guardian_consultation_timed_out', { question: questionText });
+
+      // Inject timeout instruction so the model addresses it on the
+      // next turn. If idle, flush immediately; otherwise it merges
+      // into the next turn completion.
+      const timeoutInstruction =
+        `[GUARDIAN_TIMEOUT] Your guardian did not respond in time to your question: "${questionText}". `
+        + `Apologize to the caller for the delay, let them know you were unable to reach your guardian, `
+        + `ask if they would like to leave a message or receive a callback, `
+        + `and ask if there are any other questions you can help with right now.`;
+
+      this.pendingInstructions.push(timeoutInstruction);
+
+      if (this.state === 'idle') {
+        this.resetSilenceTimer();
+        this.flushPendingInstructions();
+      }
+    }, getUserConsultationTimeoutMs());
+
+    this.pendingConsultation = {
+      questionText,
+      questionId: pendingQuestion.id,
+      toolApprovalMeta: effectiveToolMeta,
+      timer: consultationTimer,
+    };
   }
 
   /**
@@ -871,7 +978,7 @@ export class CallController {
     if (this.pendingInstructions.length === 0) return;
 
     const parts = this.pendingInstructions.map(
-      (instr) => `[USER_INSTRUCTION: ${instr}]`,
+      (instr) => instr.startsWith('[') ? instr : `[USER_INSTRUCTION: ${instr}]`,
     );
     this.pendingInstructions = [];
 
@@ -885,49 +992,6 @@ export class CallController {
     );
   }
 
-  /**
-   * Drain caller utterances that were queued while waiting_on_user.
-   * Only the most recent utterance is processed — older ones are discarded
-   * as stale since the caller likely moved on.
-   *
-   * @param contentPrefix — optional string (e.g. instruction markers) to
-   *   prepend to the turn content so instructions and the caller utterance
-   *   are sent as a single turn, avoiding concurrent-turn races.
-   */
-  private drainPendingCallerUtterances(contentPrefix?: string): void {
-    if (this.pendingCallerUtterances.length === 0) return;
-
-    // Keep only the most recent utterance; discard stale older ones
-    const latest = this.pendingCallerUtterances[this.pendingCallerUtterances.length - 1];
-    this.pendingCallerUtterances = [];
-
-    if (contentPrefix) {
-      // Merge prefix content with the caller utterance into a single turn
-      let callerContent = this.formatCallerUtterance(latest.transcript, latest.speaker);
-
-      // Preserve opening-ack semantics when draining bypasses handleCallerUtterance
-      if (this.awaitingOpeningAck) {
-        callerContent = callerContent.length > 0
-          ? `${CALL_OPENING_ACK_MARKER}\n${callerContent}`
-          : CALL_OPENING_ACK_MARKER;
-        this.awaitingOpeningAck = false;
-        this.lastSentWasOpener = false;
-      }
-
-      const combined = `${contentPrefix}\n${callerContent}`;
-      this.resetSilenceTimer();
-      this.runTurn(combined).catch((err) =>
-        log.error({ err, callSessionId: this.callSessionId }, 'runTurn failed after draining queued caller utterance with prefix'),
-      );
-      return;
-    }
-
-    // Fire-and-forget so we don't block the current turn's cleanup.
-    this.handleCallerUtterance(latest.transcript, latest.speaker).catch((err) =>
-      log.error({ err, callSessionId: this.callSessionId }, 'runTurn failed after draining queued caller utterance'),
-    );
-  }
-
   private startDurationTimer(): void {
     const maxDurationMs = getMaxCallDurationMs();
     const warningMs = maxDurationMs - 2 * 60 * 1000; // 2 minutes before max