@vellumai/assistant 0.3.19 → 0.3.21

package/src/memory/conversation-store.ts

@@ -1,6 +1,9 @@
 // Re-export all conversation store functionality from focused sub-modules.
 // Existing imports from this file continue to work without changes.
 
+import { ensureDisplayOrderMigration } from './conversation-display-order-migration.js';
+import { rawExec, rawGet, rawRun } from './db.js';
+
 export {
   addMessage,
   clearAll,
@@ -42,3 +45,91 @@ export {
   type PaginatedMessagesResult,
   searchConversations,
 } from './conversation-queries.js';
+
+// Re-export for backward compat — callers that imported ensureColumns from here
+export { ensureDisplayOrderMigration as ensureColumns } from './conversation-display-order-migration.js';
+
+// ---------------------------------------------------------------------------
+// CRUD functions for display_order and is_pinned
+// ---------------------------------------------------------------------------
+
+export function getDisplayOrder(conversationId: string): number | null {
+  ensureDisplayOrderMigration();
+  const row = rawGet<{ display_order: number | null }>(
+    'SELECT display_order FROM conversations WHERE id = ?',
+    conversationId,
+  );
+  return row?.display_order ?? null;
+}
+
+export function setDisplayOrder(conversationId: string, order: number | null): void {
+  ensureDisplayOrderMigration();
+  rawRun(
+    'UPDATE conversations SET display_order = ? WHERE id = ?',
+    order,
+    conversationId,
+  );
+}
+
+export function batchSetDisplayOrders(
+  updates: Array<{ id: string; displayOrder: number | null; isPinned: boolean }>,
+): void {
+  ensureDisplayOrderMigration();
+  rawExec('BEGIN');
+  try {
+    for (const update of updates) {
+      rawRun(
+        'UPDATE conversations SET display_order = ?, is_pinned = ? WHERE id = ?',
+        update.displayOrder,
+        update.isPinned ? 1 : 0,
+        update.id,
+      );
+    }
+    rawExec('COMMIT');
+  } catch (err) {
+    rawExec('ROLLBACK');
+    throw err;
+  }
+}
+
+export function setConversationPinned(conversationId: string, isPinned: boolean): void {
+  ensureDisplayOrderMigration();
+  rawRun(
+    'UPDATE conversations SET is_pinned = ? WHERE id = ?',
+    isPinned ? 1 : 0,
+    conversationId,
+  );
+}
+
+export function getConversationDisplayMeta(
+  conversationId: string,
+): { displayOrder: number | null; isPinned: boolean } {
+  ensureDisplayOrderMigration();
+  const row = rawGet<{ display_order: number | null; is_pinned: number | null }>(
+    'SELECT display_order, is_pinned FROM conversations WHERE id = ?',
+    conversationId,
+  );
+  return {
+    displayOrder: row?.display_order ?? null,
+    isPinned: (row?.is_pinned ?? 0) === 1,
+  };
+}
+
+export function getDisplayMetaForConversations(
+  conversationIds: string[],
+): Map<string, { displayOrder: number | null; isPinned: boolean }> {
+  ensureDisplayOrderMigration();
+  const result = new Map<string, { displayOrder: number | null; isPinned: boolean }>();
+  if (conversationIds.length === 0) return result;
+  for (const id of conversationIds) {
+    const row = rawGet<{ display_order: number | null; is_pinned: number | null }>(
+      'SELECT display_order, is_pinned FROM conversations WHERE id = ?',
+      id,
+    );
+    result.set(id, {
+      displayOrder: row?.display_order ?? null,
+      isPinned: (row?.is_pinned ?? 0) === 1,
+    });
+  }
+  return result;
+}

package/src/memory/db-init.ts

@@ -8,12 +8,12 @@ import {
   createConversationAttentionTables,
   createCoreIndexes,
   createCoreTables,
-  createScopedApprovalGrantsTable,
   createExternalConversationBindingsTables,
   createFollowupsTables,
   createMediaAssetsTables,
   createMessagesFts,
   createNotificationTables,
+  createScopedApprovalGrantsTable,
   createSequenceTables,
   createTasksAndWorkItemsTables,
   createWatchersAndLogsTables,
@@ -22,6 +22,7 @@ import {
   migrateConversationsThreadTypeIndex,
   migrateFkCascadeRebuilds,
   migrateGuardianActionFollowup,
+  migrateGuardianActionSupersession,
   migrateGuardianActionToolMetadata,
   migrateGuardianBootstrapToken,
   migrateGuardianDeliveryConversationIndex,
@@ -107,6 +108,9 @@ export function initializeDb(): void {
   // 14c2. Guardian action tool-approval metadata columns (tool_name, input_digest)
   migrateGuardianActionToolMetadata(database);
 
+  // 14c3. Guardian action supersession metadata (superseded_by_request_id, superseded_at) + session lookup index
+  migrateGuardianActionSupersession(database);
+
   // 14d. Index on conversations.thread_type for frequent WHERE filters
   migrateConversationsThreadTypeIndex(database);
 

package/src/memory/embedding-local.ts

@@ -58,24 +58,29 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
 
   private async initialize(): Promise<void> {
     log.info({ model: this.model }, 'Loading local embedding model (first load downloads the model)');
+
+    // In compiled Bun binaries, bare specifier resolution for packages with
+    // subdirectory entry points (like onnxruntime-common's dist/esm/index.js)
+    // fails. Additionally, CJS/ESM dual-instance issues cause onnxruntime-node's
+    // backend registration to be invisible to transformers. To solve both, the
+    // build step pre-bundles all JS deps into a single file placed inside
+    // onnxruntime-node/dist/ so native .node binary relative paths resolve.
+    const execDir = dirname(process.execPath);
+    const bundlePath = join(execDir, 'node_modules', 'onnxruntime-node', 'dist', 'transformers-bundle.mjs');
     let transformers: typeof import('@huggingface/transformers');
     try {
-      transformers = await import('@huggingface/transformers');
+      transformers = await import(bundlePath);
     } catch {
-      // In compiled Bun binaries, bare specifier resolution starts from the
-      // virtual /$bunfs/root/ filesystem and can't find externalized packages.
-      // Fall back to resolving from the executable's real disk location where
-      // node_modules/ is co-located.
+      // Fall back to bare specifier for dev mode (running via `bun run`, not compiled)
       try {
-        const execDir = dirname(process.execPath);
-        const modulePath = join(execDir, 'node_modules', '@huggingface', 'transformers');
-        transformers = await import(modulePath);
+        transformers = await import('@huggingface/transformers');
       } catch (err) {
         throw new Error(
           `Local embedding backend unavailable: failed to load @huggingface/transformers (${err instanceof Error ? err.message : String(err)})`,
         );
       }
     }
+
     this.extractor = await transformers.pipeline('feature-extraction', this.model, {
       dtype: 'fp32',
     }) as unknown as FeatureExtractionPipeline;

package/src/memory/guardian-action-store.ts

@@ -7,7 +7,7 @@
  * answer resolves the request and all other deliveries are marked answered.
  */
 
-import { and, count, desc, eq, inArray, lt } from 'drizzle-orm';
+import { and, count, desc, eq, inArray, isNotNull, lt } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
 import { getLogger } from '../util/logger.js';
@@ -25,7 +25,7 @@ const log = getLogger('guardian-action-store');
 
 export type GuardianActionRequestStatus = 'pending' | 'answered' | 'expired' | 'cancelled';
 export type GuardianActionDeliveryStatus = 'pending' | 'sent' | 'failed' | 'answered' | 'expired' | 'cancelled';
-export type ExpiredReason = 'call_timeout' | 'sweep_timeout' | 'cancelled';
+export type ExpiredReason = 'call_timeout' | 'sweep_timeout' | 'cancelled' | 'superseded';
 export type FollowupState = 'none' | 'awaiting_guardian_choice' | 'dispatching' | 'completed' | 'declined' | 'failed';
 export type FollowupAction = 'call_back' | 'message_back' | 'decline';
 
@@ -53,6 +53,8 @@ export interface GuardianActionRequest {
   followupCompletedAt: number | null;
   toolName: string | null;
   inputDigest: string | null;
+  supersededByRequestId: string | null;
+  supersededAt: number | null;
   createdAt: number;
   updatedAt: number;
 }
@@ -101,6 +103,8 @@ function rowToRequest(row: typeof guardianActionRequests.$inferSelect): Guardian
     followupCompletedAt: row.followupCompletedAt ?? null,
     toolName: row.toolName ?? null,
     inputDigest: row.inputDigest ?? null,
+    supersededByRequestId: row.supersededByRequestId ?? null,
+    supersededAt: row.supersededAt ?? null,
     createdAt: row.createdAt,
     updatedAt: row.updatedAt,
   };
@@ -172,6 +176,8 @@ export function createGuardianActionRequest(params: {
     followupCompletedAt: null,
     toolName: params.toolName ?? null,
     inputDigest: params.inputDigest ?? null,
+    supersededByRequestId: null,
+    supersededAt: null,
     createdAt: now,
     updatedAt: now,
   };
@@ -240,6 +246,45 @@ export function countPendingRequestsByCallSessionId(callSessionId: string): numb
   return row?.count ?? 0;
 }
 
+/**
+ * Look up the vellum conversation ID used for the first guardian question
+ * delivery in a given call session. Returns the conversation ID when one
+ * exists, or null if no vellum delivery has been recorded yet.
+ *
+ * Used by guardian-dispatch to enforce deterministic thread affinity:
+ * all guardian questions within the same call session should route to
+ * the same vellum conversation.
+ */
+export function getGuardianConversationIdForCallSession(callSessionId: string): string | null {
+  try {
+    const db = getDb();
+    const row = db
+      .select({ conversationId: guardianActionDeliveries.destinationConversationId })
+      .from(guardianActionDeliveries)
+      .innerJoin(
+        guardianActionRequests,
+        eq(guardianActionDeliveries.requestId, guardianActionRequests.id),
+      )
+      .where(
+        and(
+          eq(guardianActionRequests.callSessionId, callSessionId),
+          eq(guardianActionDeliveries.destinationChannel, 'vellum'),
+          isNotNull(guardianActionDeliveries.destinationConversationId),
+        ),
+      )
+      .orderBy(guardianActionDeliveries.createdAt)
+      .limit(1)
+      .get();
+    return row?.conversationId ?? null;
+  } catch (err) {
+    if (err instanceof Error && err.message.includes('no such table')) {
+      log.warn({ err }, 'guardian tables not yet created');
+      return null;
+    }
+    throw err;
+  }
+}
+
 /**
  * First-response-wins resolution. Checks that the request is still
  * 'pending' before updating; returns the updated request on success
@@ -313,6 +358,84 @@ export function expireGuardianActionRequest(id: string, reason?: ExpiredReason):
     .run();
 }
 
+/**
+ * Supersede a pending guardian action request: mark it expired with
+ * reason='superseded', record the replacement request ID and timestamp,
+ * and expire its active deliveries.
+ *
+ * Returns the updated request on success, or null if the request was
+ * not in 'pending' status (first-writer-wins).
+ */
+export function supersedeGuardianActionRequest(
+  id: string,
+  supersededByRequestId: string,
+): GuardianActionRequest | null {
+  const db = getDb();
+  const now = Date.now();
+
+  db.update(guardianActionRequests)
+    .set({
+      status: 'expired',
+      expiredReason: 'superseded',
+      supersededByRequestId,
+      supersededAt: now,
+      updatedAt: now,
+    })
+    .where(
+      and(
+        eq(guardianActionRequests.id, id),
+        eq(guardianActionRequests.status, 'pending'),
+      ),
+    )
+    .run();
+
+  if (rawChanges() === 0) return null;
+
+  // Also expire active deliveries
+  db.update(guardianActionDeliveries)
+    .set({ status: 'expired', updatedAt: now })
+    .where(
+      and(
+        eq(guardianActionDeliveries.requestId, id),
+        inArray(guardianActionDeliveries.status, ['pending', 'sent']),
+      ),
+    )
+    .run();
+
+  return getGuardianActionRequest(id);
+}
+
+/**
+ * Backfill supersession metadata on an already-expired request.
+ * Used when the superseding request ID is not known at the time the
+ * original request is expired (e.g., the new request is created
+ * asynchronously via dispatchGuardianQuestion).
+ *
+ * Only updates requests that are already in 'expired' status with
+ * expired_reason='superseded'.
+ */
+export function backfillSupersessionMetadata(
+  id: string,
+  supersededByRequestId: string,
+): void {
+  const db = getDb();
+  const now = Date.now();
+
+  db.update(guardianActionRequests)
+    .set({
+      supersededByRequestId,
+      supersededAt: now,
+      updatedAt: now,
+    })
+    .where(
+      and(
+        eq(guardianActionRequests.id, id),
+        eq(guardianActionRequests.status, 'expired'),
+      ),
+    )
+    .run();
+}
+
 /**
  * Get all pending guardian action requests that have expired.
  */

package/src/memory/ingress-invite-store.ts

@@ -66,7 +66,7 @@ const DEFAULT_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
 // Helpers
 // ---------------------------------------------------------------------------
 
-function hashToken(rawToken: string): string {
+export function hashToken(rawToken: string): string {
   return createHash('sha256').update(rawToken).digest('hex');
 }
 
@@ -268,6 +268,12 @@ export function redeemInvite(params: {
     return { error: 'invite_max_uses_reached' };
   }
 
+  // Enforce channel-scoped redemption: when the caller specifies a channel, it
+  // must match the channel the invite was created for.
+  if (params.sourceChannel && params.sourceChannel !== invite.sourceChannel) {
+    return { error: 'invite_channel_mismatch' };
+  }
+
   const newUseCount = invite.useCount + 1;
   const newStatus = newUseCount >= invite.maxUses ? 'redeemed' : 'active';
 
@@ -323,6 +329,94 @@ export function redeemInvite(params: {
   return { invite: updatedInvite, member: rowToMember(memberRow) };
 }
 
+// ---------------------------------------------------------------------------
+// recordInviteUse — consume one use without creating a member row
+// ---------------------------------------------------------------------------
+
+/**
+ * Increment an invite's use count and record redemption metadata without
+ * inserting a new member row. Used when reactivating an existing inactive
+ * member via invite — the member row already exists and just needs an
+ * update, so the transactional INSERT in `redeemInvite` would hit a
+ * unique-key constraint.
+ *
+ * Returns `true` if the use was recorded, or `false` if the invite was
+ * concurrently revoked/expired (the WHERE clause constrains to
+ * `status = 'active'` so a stale write is impossible).
+ */
+export function recordInviteUse(params: {
+  inviteId: string;
+  externalUserId?: string;
+  externalChatId?: string;
+}): boolean {
+  const db = getDb();
+  const now = Date.now();
+
+  const invite = db
+    .select()
+    .from(assistantIngressInvites)
+    .where(eq(assistantIngressInvites.id, params.inviteId))
+    .get();
+
+  if (!invite) return false;
+
+  const newUseCount = invite.useCount + 1;
+  const newStatus = newUseCount >= invite.maxUses ? 'redeemed' : 'active';
+
+  // Constrain the update to active invites so a concurrent revoke/expire
+  // prevents this write rather than silently overwriting the new status.
+  db.update(assistantIngressInvites)
+    .set({
+      useCount: newUseCount,
+      status: newStatus,
+      redeemedByExternalUserId: params.externalUserId ?? null,
+      redeemedByExternalChatId: params.externalChatId ?? null,
+      redeemedAt: now,
+      updatedAt: now,
+    })
+    .where(
+      and(
+        eq(assistantIngressInvites.id, invite.id),
+        eq(assistantIngressInvites.status, 'active'),
+      ),
+    )
+    .run();
+
+  // Re-read to confirm the update took effect (the WHERE clause constrains
+  // to status = 'active', so a concurrent revoke/expire would prevent it).
+  const updated = db
+    .select({ useCount: assistantIngressInvites.useCount })
+    .from(assistantIngressInvites)
+    .where(eq(assistantIngressInvites.id, invite.id))
+    .get();
+
+  return !!updated && updated.useCount === newUseCount;
+}
+
+// ---------------------------------------------------------------------------
+// markInviteExpired
+// ---------------------------------------------------------------------------
+
+/**
+ * Transition an invite's status to 'expired' in storage. This is safe to call
+ * even if the invite is already expired — the WHERE clause scopes the update
+ * to 'active' rows so it becomes a no-op in that case.
+ */
+export function markInviteExpired(inviteId: string): void {
+  const db = getDb();
+  const now = Date.now();
+
+  db.update(assistantIngressInvites)
+    .set({ status: 'expired', updatedAt: now })
+    .where(
+      and(
+        eq(assistantIngressInvites.id, inviteId),
+        eq(assistantIngressInvites.status, 'active'),
+      ),
+    )
+    .run();
+}
+
 // ---------------------------------------------------------------------------
 // findByTokenHash
 // ---------------------------------------------------------------------------

package/src/memory/migrations/035-guardian-action-supersession.ts

@@ -0,0 +1,23 @@
+import type { DrizzleDb } from '../db-connection.js';
+
+/**
+ * Add supersession metadata columns to guardian_action_requests and
+ * create an index for efficient pending-request lookups by call session.
+ *
+ * - superseded_by_request_id: links to the request that replaced this one
+ * - superseded_at: timestamp when supersession occurred
+ * - Index (call_session_id, status, created_at DESC) for fast lookups of
+ *   the most recent pending request per call session
+ *
+ * The existing expired_reason column already supports 'superseded' as a
+ * value — this migration adds the structural metadata to track the
+ * supersession chain.
+ */
+export function migrateGuardianActionSupersession(database: DrizzleDb): void {
+  try { database.run(/*sql*/ `ALTER TABLE guardian_action_requests ADD COLUMN superseded_by_request_id TEXT`); } catch { /* already exists */ }
+  try { database.run(/*sql*/ `ALTER TABLE guardian_action_requests ADD COLUMN superseded_at INTEGER`); } catch { /* already exists */ }
+
+  database.run(
+    /*sql*/ `CREATE INDEX IF NOT EXISTS idx_guardian_action_requests_session_status_created ON guardian_action_requests(call_session_id, status, created_at DESC)`,
+  );
+}

package/src/memory/migrations/index.ts

@@ -33,9 +33,10 @@ export { migrateGuardianActionFollowup } from './030-guardian-action-followup.js
 export { migrateGuardianVerificationPurpose } from './030-guardian-verification-purpose.js';
 export { migrateConversationsThreadTypeIndex } from './031-conversations-thread-type-index.js';
 export { migrateGuardianDeliveryConversationIndex } from './032-guardian-delivery-conversation-index.js';
+export { migrateNotificationDeliveryThreadDecision } from './032-notification-delivery-thread-decision.js';
 export { createScopedApprovalGrantsTable } from './033-scoped-approval-grants.js';
 export { migrateGuardianActionToolMetadata } from './034-guardian-action-tool-metadata.js';
-export { migrateNotificationDeliveryThreadDecision } from './032-notification-delivery-thread-decision.js';
+export { migrateGuardianActionSupersession } from './035-guardian-action-supersession.js';
 export { createCoreTables } from './100-core-tables.js';
 export { createWatchersAndLogsTables } from './101-watchers-and-logs.js';
 export { addCoreColumns } from './102-alter-table-columns.js';

package/src/memory/schema.ts

@@ -845,9 +845,13 @@ export const guardianActionRequests = sqliteTable('guardian_action_requests', {
   followupCompletedAt: integer('followup_completed_at'),
   toolName: text('tool_name'),                                        // tool identity for tool-approval requests
   inputDigest: text('input_digest'),                                  // canonical SHA-256 digest of tool input
+  supersededByRequestId: text('superseded_by_request_id'),            // links to the request that replaced this one
+  supersededAt: integer('superseded_at'),                             // epoch ms when supersession occurred
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
-});
+}, (table) => [
+  index('idx_guardian_action_requests_session_status_created').on(table.callSessionId, table.status, table.createdAt),
+]);
 
 // ── Guardian Action Deliveries (per-channel delivery tracking) ───────
 

package/src/memory/scoped-approval-grants.ts

@@ -11,12 +11,12 @@
  *   - Expired and revoked grants cannot be consumed.
  */
 
-import { and, eq, lt, sql } from 'drizzle-orm';
+import { and, eq, sql } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
+import { getLogger } from '../util/logger.js';
 import { getDb, rawChanges } from './db.js';
 import { scopedApprovalGrants } from './schema.js';
-import { getLogger } from '../util/logger.js';
 
 const log = getLogger('scoped-approval-grants');
 
@@ -104,7 +104,7 @@ export interface CreateScopedApprovalGrantParams {
   expiresAt: string;
 }
 
-export function createScopedApprovalGrant(params: CreateScopedApprovalGrantParams): ScopedApprovalGrant {
+function createScopedApprovalGrant(params: CreateScopedApprovalGrantParams): ScopedApprovalGrant {
   const db = getDb();
   const now = new Date().toISOString();
   const id = uuid();
@@ -167,7 +167,7 @@ export interface ConsumeByRequestIdResult {
  * given `requestId` and `assistantId`.  Uses compare-and-swap on the
  * `status` column so concurrent consumers race safely — at most one wins.
  */
-export function consumeScopedApprovalGrantByRequestId(
+function consumeScopedApprovalGrantByRequestId(
   requestId: string,
   consumingRequestId: string,
   assistantId: string,
@@ -280,7 +280,7 @@ export interface ConsumeByToolSignatureResult {
  * times before giving up. This prevents false denials when multiple matching
  * grants exist but a concurrent consumer steals the first pick.
  */
-export function consumeScopedApprovalGrantByToolSignature(
+function consumeScopedApprovalGrantByToolSignature(
   params: ConsumeByToolSignatureParams,
 ): ConsumeByToolSignatureResult {
   const db = getDb();
@@ -507,3 +507,12 @@ export function revokeScopedApprovalGrantsForContext(params: RevokeContextParams
 
   return count;
 }
+
+// @internal — exposed for tests and the approval-primitive wrapper only.
+// Do not import these from production code outside this package; use the
+// approval-primitive API instead.
+export const _internal = {
+  createScopedApprovalGrant,
+  consumeScopedApprovalGrantByRequestId,
+  consumeScopedApprovalGrantByToolSignature,
+};

package/src/messaging/providers/slack/client.ts

@@ -8,6 +8,7 @@
 import type {
   SlackApiResponse,
   SlackAuthTestResponse,
+  SlackChatDeleteResponse,
   SlackConversationHistoryResponse,
   SlackConversationLeaveResponse,
   SlackConversationMarkResponse,
@@ -188,6 +189,17 @@ export async function addReaction(
   });
 }
 
+export async function deleteMessage(
+  token: string,
+  channel: string,
+  ts: string,
+): Promise<SlackChatDeleteResponse> {
+  return request<SlackChatDeleteResponse>(token, 'chat.delete', undefined, {
+    channel,
+    ts,
+  });
+}
+
 export async function leaveConversation(
   token: string,
   channel: string,

package/src/messaging/providers/slack/types.ts

@@ -116,4 +116,9 @@ export type SlackReactionAddResponse = SlackApiResponse;
 
 export type SlackConversationLeaveResponse = SlackApiResponse;
 
+export interface SlackChatDeleteResponse extends SlackApiResponse {
+  channel: string;
+  ts: string;
+}
+
 export type SlackConversationMarkResponse = SlackApiResponse;