@vellumai/assistant 0.3.2 → 0.3.3

package/src/__tests__/channel-approval.test.ts

@@ -65,8 +65,10 @@ function ensureConversation(conversationId: string): void {
 }
 
 function ensureMessage(messageId: string, conversationId: string): void {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
   const { getDb } = require('../memory/db.js');
   const db = getDb();
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
   const { messages } = require('../memory/schema.js');
   try {
     db.insert(messages).values({

package/src/__tests__/channel-delivery-store.test.ts

@@ -24,7 +24,7 @@ mock.module('../util/logger.js', () => ({
 }));
 
 import { initializeDb, getDb, resetDb } from '../memory/db.js';
-import { channelInboundEvents, messages } from '../memory/schema.js';
+import { channelInboundEvents, conversations, messages } from '../memory/schema.js';
 import {
   recordInbound,
   linkMessage,
@@ -40,6 +40,8 @@ import {
 } from '../memory/channel-delivery-store.js';
 import { RETRY_MAX_ATTEMPTS } from '../memory/job-utils.js';
 import { eq } from 'drizzle-orm';
+import { setConversationKey, getConversationByKey } from '../memory/conversation-key-store.js';
+import { handleDeleteConversation } from '../runtime/routes/channel-routes.js';
 
 initializeDb();
 
@@ -135,6 +137,27 @@ describe('channel-delivery-store', () => {
     expect(r1.conversationId).not.toBe(r2.conversationId);
   });
 
+  test('same chat/channel but different assistantId uses different conversations', () => {
+    const r1 = recordInbound('telegram', 'chat-1', 'msg-1', { assistantId: 'asst-A' });
+    const r2 = recordInbound('telegram', 'chat-1', 'msg-2', { assistantId: 'asst-B' });
+
+    expect(r1.conversationId).not.toBe(r2.conversationId);
+  });
+
+  test('self assistant reuses legacy key and creates scoped alias', () => {
+    // Create a conversation via the legacy (no assistantId) path
+    const legacy = recordInbound('telegram', 'chat-1', 'msg-1');
+
+    // Now use assistantId='self' — should reuse the legacy conversation
+    const scoped = recordInbound('telegram', 'chat-1', 'msg-2', { assistantId: 'self' });
+    expect(scoped.conversationId).toBe(legacy.conversationId);
+
+    // The scoped alias key should exist, so subsequent calls with 'self'
+    // resolve directly without falling back to the legacy key
+    const again = recordInbound('telegram', 'chat-1', 'msg-3', { assistantId: 'self' });
+    expect(again.conversationId).toBe(legacy.conversationId);
+  });
+
   // ── Deduplication ─────────────────────────────────────────────────
 
   test('duplicate inbound returns duplicate: true with same eventId', () => {
@@ -444,4 +467,84 @@ describe('channel-delivery-store', () => {
     const found = findMessageBySourceId('telegram', 'chat-1', 'src-1');
     expect(found!.messageId).toBe(msgId);
   });
+
+  // ── handleDeleteConversation assistantId parameter ───────────────
+
+  test('handleDeleteConversation uses route assistantId param to delete scoped key', async () => {
+    // Set up a scoped conversation key like the one created by recordInbound
+    // with a specific assistantId.
+    const convId = 'conv-delete-test';
+    const scopedKey = 'asst:my-assistant:telegram:chat-del';
+    const legacyKey = 'telegram:chat-del';
+
+    // Insert a conversation row so FK constraints are satisfied
+    const now = Date.now();
+    const db = getDb();
+    db.insert(conversations).values({
+      id: convId,
+      title: 'test',
+      createdAt: now,
+      updatedAt: now,
+    }).run();
+    setConversationKey(scopedKey, convId);
+    setConversationKey(legacyKey, convId);
+
+    // Verify both keys exist
+    expect(getConversationByKey(scopedKey)).not.toBeNull();
+    expect(getConversationByKey(legacyKey)).not.toBeNull();
+
+    // Call handleDeleteConversation with assistantId as a parameter (not in body)
+    const req = new Request('http://localhost/channels/conversation', {
+      method: 'DELETE',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        sourceChannel: 'telegram',
+        externalChatId: 'chat-del',
+        // Note: no assistantId in the body — it comes from the route param
+      }),
+    });
+
+    const res = await handleDeleteConversation(req, 'my-assistant');
+    expect(res.status).toBe(200);
+
+    const json = await res.json() as { ok: boolean };
+    expect(json.ok).toBe(true);
+
+    // Both the legacy key and the scoped key should be deleted
+    expect(getConversationByKey(scopedKey)).toBeNull();
+    expect(getConversationByKey(legacyKey)).toBeNull();
+  });
+
+  test('handleDeleteConversation defaults to "self" when no assistantId provided', async () => {
+    const convId = 'conv-delete-default';
+    const scopedKey = 'asst:self:telegram:chat-def';
+    const legacyKey = 'telegram:chat-def';
+
+    const now = Date.now();
+    const db = getDb();
+    db.insert(conversations).values({
+      id: convId,
+      title: 'test',
+      createdAt: now,
+      updatedAt: now,
+    }).run();
+    setConversationKey(scopedKey, convId);
+    setConversationKey(legacyKey, convId);
+
+    const req = new Request('http://localhost/channels/conversation', {
+      method: 'DELETE',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        sourceChannel: 'telegram',
+        externalChatId: 'chat-def',
+      }),
+    });
+
+    // No assistantId parameter — should default to 'self'
+    const res = await handleDeleteConversation(req);
+    expect(res.status).toBe(200);
+
+    expect(getConversationByKey(scopedKey)).toBeNull();
+    expect(getConversationByKey(legacyKey)).toBeNull();
+  });
 });

package/src/__tests__/channel-guardian.test.ts

@@ -949,7 +949,7 @@ describe('guardian service rate limiting', () => {
 
   test('valid challenge still succeeds when under threshold', () => {
     // Record a couple invalid attempts
-    const { secret } = createVerificationChallenge('asst-1', 'telegram');
+    const { secret: _secret } = createVerificationChallenge('asst-1', 'telegram');
     validateAndConsumeChallenge('asst-1', 'telegram', 'wrong-1', 'user-42', 'chat-42');
     validateAndConsumeChallenge('asst-1', 'telegram', 'wrong-2', 'user-42', 'chat-42');
 
@@ -1003,3 +1003,186 @@ describe('guardian service rate limiting', () => {
     expect(result.success).toBe(true);
   });
 });
+
+// ═══════════════════════════════════════════════════════════════════════════
+// 8. Assistant-scoped guardian resolution
+// ═══════════════════════════════════════════════════════════════════════════
+
+describe('assistant-scoped guardian resolution', () => {
+  beforeEach(() => {
+    resetTables();
+  });
+
+  test('isGuardian resolves independently per assistantId', () => {
+    // Create guardian binding for asst-A on telegram
+    createBinding({
+      assistantId: 'asst-A',
+      channel: 'telegram',
+      guardianExternalUserId: 'user-alpha',
+      guardianDeliveryChatId: 'chat-alpha',
+    });
+    // Create guardian binding for asst-B on telegram with a different user
+    createBinding({
+      assistantId: 'asst-B',
+      channel: 'telegram',
+      guardianExternalUserId: 'user-beta',
+      guardianDeliveryChatId: 'chat-beta',
+    });
+
+    // user-alpha is guardian for asst-A but not asst-B
+    expect(isGuardian('asst-A', 'telegram', 'user-alpha')).toBe(true);
+    expect(isGuardian('asst-B', 'telegram', 'user-alpha')).toBe(false);
+
+    // user-beta is guardian for asst-B but not asst-A
+    expect(isGuardian('asst-B', 'telegram', 'user-beta')).toBe(true);
+    expect(isGuardian('asst-A', 'telegram', 'user-beta')).toBe(false);
+  });
+
+  test('getGuardianBinding returns different bindings for different assistants', () => {
+    createBinding({
+      assistantId: 'asst-A',
+      channel: 'telegram',
+      guardianExternalUserId: 'user-alpha',
+      guardianDeliveryChatId: 'chat-alpha',
+    });
+    createBinding({
+      assistantId: 'asst-B',
+      channel: 'telegram',
+      guardianExternalUserId: 'user-beta',
+      guardianDeliveryChatId: 'chat-beta',
+    });
+
+    const bindingA = getGuardianBinding('asst-A', 'telegram');
+    const bindingB = getGuardianBinding('asst-B', 'telegram');
+
+    expect(bindingA).not.toBeNull();
+    expect(bindingB).not.toBeNull();
+    expect(bindingA!.guardianExternalUserId).toBe('user-alpha');
+    expect(bindingB!.guardianExternalUserId).toBe('user-beta');
+  });
+
+  test('revoking binding for one assistant does not affect another', () => {
+    createBinding({
+      assistantId: 'asst-A',
+      channel: 'telegram',
+      guardianExternalUserId: 'user-alpha',
+      guardianDeliveryChatId: 'chat-alpha',
+    });
+    createBinding({
+      assistantId: 'asst-B',
+      channel: 'telegram',
+      guardianExternalUserId: 'user-beta',
+      guardianDeliveryChatId: 'chat-beta',
+    });
+
+    serviceRevokeBinding('asst-A', 'telegram');
+
+    expect(getGuardianBinding('asst-A', 'telegram')).toBeNull();
+    expect(getGuardianBinding('asst-B', 'telegram')).not.toBeNull();
+  });
+
+  test('validateAndConsumeChallenge scoped to assistantId', () => {
+    // Create challenge for asst-A
+    const { secret: secretA } = createVerificationChallenge('asst-A', 'telegram');
+    // Create challenge for asst-B
+    const { secret: secretB } = createVerificationChallenge('asst-B', 'telegram');
+
+    // Attempting to consume asst-A challenge with asst-B should fail
+    const crossResult = validateAndConsumeChallenge(
+      'asst-B', 'telegram', secretA, 'user-1', 'chat-1',
+    );
+    expect(crossResult.success).toBe(false);
+
+    // Consuming with correct assistantId should succeed
+    const resultA = validateAndConsumeChallenge(
+      'asst-A', 'telegram', secretA, 'user-1', 'chat-1',
+    );
+    expect(resultA.success).toBe(true);
+
+    const resultB = validateAndConsumeChallenge(
+      'asst-B', 'telegram', secretB, 'user-2', 'chat-2',
+    );
+    expect(resultB.success).toBe(true);
+
+    // Verify bindings are scoped correctly
+    const bindingA = getGuardianBinding('asst-A', 'telegram');
+    const bindingB = getGuardianBinding('asst-B', 'telegram');
+    expect(bindingA!.guardianExternalUserId).toBe('user-1');
+    expect(bindingB!.guardianExternalUserId).toBe('user-2');
+  });
+});
+
+// ═══════════════════════════════════════════════════════════════════════════
+// 9. Assistant-scoped approval request lookups
+// ═══════════════════════════════════════════════════════════════════════════
+
+describe('assistant-scoped approval request lookups', () => {
+  beforeEach(() => {
+    resetTables();
+  });
+
+  test('createApprovalRequest stores assistantId and defaults to self', () => {
+    const reqWithoutId = createApprovalRequest({
+      runId: 'run-1',
+      conversationId: 'conv-1',
+      channel: 'telegram',
+      requesterExternalUserId: 'user-99',
+      requesterChatId: 'chat-99',
+      guardianExternalUserId: 'user-42',
+      guardianChatId: 'chat-42',
+      toolName: 'shell',
+      expiresAt: Date.now() + 300_000,
+    });
+    expect(reqWithoutId.assistantId).toBe('self');
+
+    const reqWithId = createApprovalRequest({
+      runId: 'run-2',
+      conversationId: 'conv-2',
+      assistantId: 'asst-A',
+      channel: 'telegram',
+      requesterExternalUserId: 'user-99',
+      requesterChatId: 'chat-99',
+      guardianExternalUserId: 'user-42',
+      guardianChatId: 'chat-42',
+      toolName: 'browser',
+      expiresAt: Date.now() + 300_000,
+    });
+    expect(reqWithId.assistantId).toBe('asst-A');
+  });
+
+  test('approval requests from different assistants are independent', () => {
+    createApprovalRequest({
+      runId: 'run-A',
+      conversationId: 'conv-A',
+      assistantId: 'asst-A',
+      channel: 'telegram',
+      requesterExternalUserId: 'user-99',
+      requesterChatId: 'chat-99',
+      guardianExternalUserId: 'user-42',
+      guardianChatId: 'chat-42',
+      toolName: 'shell',
+      expiresAt: Date.now() + 300_000,
+    });
+    createApprovalRequest({
+      runId: 'run-B',
+      conversationId: 'conv-B',
+      assistantId: 'asst-B',
+      channel: 'telegram',
+      requesterExternalUserId: 'user-88',
+      requesterChatId: 'chat-88',
+      guardianExternalUserId: 'user-42',
+      guardianChatId: 'chat-42',
+      toolName: 'browser',
+      expiresAt: Date.now() + 300_000,
+    });
+
+    const foundA = getPendingApprovalForRun('run-A');
+    const foundB = getPendingApprovalForRun('run-B');
+    expect(foundA).not.toBeNull();
+    expect(foundB).not.toBeNull();
+    expect(foundA!.assistantId).toBe('asst-A');
+    expect(foundB!.assistantId).toBe('asst-B');
+    expect(foundA!.toolName).toBe('shell');
+    expect(foundB!.toolName).toBe('browser');
+  });
+});

package/src/__tests__/credential-security-invariants.test.ts

@@ -189,6 +189,7 @@ describe('Invariant 2: no generic plaintext secret read API', () => {
       'calls/elevenlabs-config.ts',     // ElevenLabs voice quality API key lookup
       'calls/twilio-config.ts',         // call infrastructure credential lookup
       'calls/twilio-provider.ts',       // call infrastructure credential lookup
+      'calls/twilio-rest.ts',            // Twilio REST API credential lookup
       'cli/config-commands.ts',         // CLI credential management commands
       'runtime/http-server.ts',         // HTTP server credential lookup
       'daemon/handlers/twitter-auth.ts', // Twitter OAuth token storage

package/src/__tests__/daemon-server-session-init.test.ts

@@ -159,6 +159,10 @@ mock.module('../security/secret-allowlist.js', () => ({
   resetAllowlist: () => {},
 }));
 
+mock.module('../memory/external-conversation-store.js', () => ({
+  getBindingsForConversations: () => new Map(),
+}));
+
 mock.module('../memory/conversation-store.js', () => ({
   getLatestConversation: () => conversation,
   createConversation: (titleOrOpts?: string | { title?: string; threadType?: string }) => {
@@ -181,6 +185,7 @@ mock.module('../memory/conversation-store.js', () => ({
   },
   getMessages: () => [],
   listConversations: () => [conversation],
+  countConversations: () => 1,
 }));
 
 mock.module('../daemon/session.js', () => ({

package/src/__tests__/gateway-only-enforcement.test.ts

@@ -113,14 +113,11 @@ mock.module('../security/secure-keys.js', () => ({
   deleteSecureKey: () => {},
 }));
 
-mock.module('../inbound/public-ingress-urls.js', () => ({
-  getPublicBaseUrl: () => 'https://test.example.com',
-  getTwilioRelayUrl: () => 'wss://test.example.com/webhooks/twilio/relay',
-  getTwilioVoiceWebhookUrl: (_cfg: unknown, id: string) => `https://test.example.com/webhooks/twilio/voice?callSessionId=${id}`,
-  getTwilioStatusCallbackUrl: () => 'https://test.example.com/webhooks/twilio/status',
-  getTwilioConnectActionUrl: () => 'https://test.example.com/webhooks/twilio/connect-action',
-  getOAuthCallbackUrl: () => 'https://test.example.com/webhooks/oauth/callback',
-}));
+// NOTE: Do NOT mock '../inbound/public-ingress-urls.js' here.
+// Those are pure functions that derive URLs from the config object returned by
+// loadConfig() (which is already mocked above). Mocking them at the module level
+// leaks into other test files (e.g. ingress-url-consistency.test.ts) that need
+// the real implementations, causing cross-test contamination.
 
 // Mock the oauth callback registry
 mock.module('../security/oauth-callback-registry.js', () => ({
@@ -289,6 +286,49 @@ describe('gateway-only ingress enforcement', () => {
     });
   });
 
+  // ── SMS-specific direct webhook routes blocked ──────────────────────
+
+  describe('SMS webhook routes are blocked at the runtime (gateway-only)', () => {
+
+    test('POST /webhooks/twilio/sms returns 410 (cannot bypass gateway)', async () => {
+      const res = await fetch(`http://127.0.0.1:${port}/webhooks/twilio/sms`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: makeFormBody({ Body: 'hello', From: '+15551234567', To: '+15559876543', MessageSid: 'SM123' }),
+      });
+      expect(res.status).toBe(410);
+      const body = await res.json() as { error: string; code: string };
+      expect(body.code).toBe('GATEWAY_ONLY');
+      expect(body.error).toContain('Direct webhook access disabled');
+    });
+
+    test('POST /v1/calls/twilio/sms returns 410 (legacy path also blocked)', async () => {
+      const res = await fetch(`http://127.0.0.1:${port}/v1/calls/twilio/sms`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: makeFormBody({ Body: 'hello', From: '+15551234567', MessageSid: 'SM456' }),
+      });
+      expect(res.status).toBe(410);
+      const body = await res.json() as { error: string; code: string };
+      expect(body.code).toBe('GATEWAY_ONLY');
+    });
+
+    test('POST /webhooks/twilio/sms with valid auth still returns 410 (auth does not bypass gateway-only)', async () => {
+      const res = await fetch(`http://127.0.0.1:${port}/webhooks/twilio/sms`, {
+        method: 'POST',
+        headers: {
+          ...AUTH_HEADERS,
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: makeFormBody({ Body: 'sneaky', From: '+15551234567', MessageSid: 'SM789' }),
+      });
+      // The gateway-only guard runs before auth for Twilio webhook paths
+      expect(res.status).toBe(410);
+      const body = await res.json() as { error: string; code: string };
+      expect(body.code).toBe('GATEWAY_ONLY');
+    });
+  });
+
   // ── Internal forwarding routes still work ─────
 
   describe('internal forwarding routes are not blocked', () => {
@@ -601,6 +641,45 @@ describe('gateway-only ingress enforcement', () => {
       // header, the request is rejected if bearer auth is missing.
       expect(res.status).toBe(401);
     });
+
+    test('POST /v1/channels/inbound with SMS sourceChannel requires X-Gateway-Origin', async () => {
+      const res = await fetch(`http://127.0.0.1:${port}/v1/channels/inbound`, {
+        method: 'POST',
+        headers: {
+          ...AUTH_HEADERS,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          sourceChannel: 'sms',
+          externalChatId: '+15551234567',
+          externalMessageId: 'SM-test-gw-1',
+          content: 'hello via SMS',
+        }),
+      });
+      // SMS messages must also go through the gateway — missing X-Gateway-Origin is rejected.
+      expect(res.status).toBe(403);
+      const body = await res.json() as { error: string; code: string };
+      expect(body.code).toBe('GATEWAY_ORIGIN_REQUIRED');
+    });
+
+    test('POST /v1/channels/inbound with SMS sourceChannel and valid X-Gateway-Origin passes', async () => {
+      const res = await fetch(`http://127.0.0.1:${port}/v1/channels/inbound`, {
+        method: 'POST',
+        headers: {
+          ...AUTH_HEADERS,
+          'Content-Type': 'application/json',
+          'X-Gateway-Origin': TEST_TOKEN,
+        },
+        body: JSON.stringify({
+          sourceChannel: 'sms',
+          externalChatId: '+15551234567',
+          externalMessageId: 'SM-test-gw-2',
+          content: 'hello via SMS',
+        }),
+      });
+      // Should NOT be 403 — the gateway-origin check passes.
+      expect(res.status).not.toBe(403);
+    });
   });
 
   // ── Startup warning for non-loopback host ──────────────────────────

package/src/__tests__/handlers-telegram-config.test.ts

@@ -905,6 +905,7 @@ describe('Telegram config handler', () => {
 
 import { handleGuardianVerification } from '../daemon/handlers/config.js';
 import type { GuardianVerificationRequest } from '../daemon/ipc-contract.js';
+import { createBinding } from '../memory/channel-guardian-store.js';
 
 describe('Guardian verification IPC actions', () => {
   beforeEach(() => {
@@ -965,4 +966,85 @@ describe('Guardian verification IPC actions', () => {
     expect(res.success).toBe(false);
     expect(res.error).toContain('Unknown action');
   });
+
+  test('create_challenge with explicit assistantId scopes challenge to that assistant', () => {
+    const msg: GuardianVerificationRequest = {
+      type: 'guardian_verification',
+      action: 'create_challenge',
+      channel: 'telegram',
+      assistantId: 'asst-ipc-X',
+    };
+
+    const { ctx, sent } = createTestContext();
+    handleGuardianVerification(msg, {} as net.Socket, ctx);
+
+    expect(sent).toHaveLength(1);
+    const res = sent[0] as { type: string; success: boolean; secret?: string; instruction?: string };
+    expect(res.success).toBe(true);
+    expect(res.secret).toBeDefined();
+    expect(res.instruction).toContain('/guardian_verify');
+  });
+
+  test('status action with explicit assistantId checks binding for that assistant', () => {
+    // Create a control binding for a known assistant so we can verify
+    // that querying a *different* assistantId actually returns bound=false
+    // (not just because no bindings exist at all).
+    createBinding({
+      assistantId: 'asst-ipc-bound',
+      channel: 'telegram',
+      guardianExternalUserId: 'guardian-user-1',
+      guardianDeliveryChatId: 'guardian-chat-1',
+    });
+
+    // Querying a different assistant should return bound=false
+    const unboundMsg: GuardianVerificationRequest = {
+      type: 'guardian_verification',
+      action: 'status',
+      channel: 'telegram',
+      assistantId: 'asst-ipc-Y',
+    };
+
+    const { ctx: ctx1, sent: sent1 } = createTestContext();
+    handleGuardianVerification(unboundMsg, {} as net.Socket, ctx1);
+
+    expect(sent1).toHaveLength(1);
+    const unboundRes = sent1[0] as { type: string; success: boolean; bound: boolean };
+    expect(unboundRes.success).toBe(true);
+    expect(unboundRes.bound).toBe(false);
+
+    // Querying the bound assistant should return bound=true
+    const boundMsg: GuardianVerificationRequest = {
+      type: 'guardian_verification',
+      action: 'status',
+      channel: 'telegram',
+      assistantId: 'asst-ipc-bound',
+    };
+
+    const { ctx: ctx2, sent: sent2 } = createTestContext();
+    handleGuardianVerification(boundMsg, {} as net.Socket, ctx2);
+
+    expect(sent2).toHaveLength(1);
+    const boundRes = sent2[0] as { type: string; success: boolean; bound: boolean; guardianExternalUserId?: string };
+    expect(boundRes.success).toBe(true);
+    expect(boundRes.bound).toBe(true);
+    expect(boundRes.guardianExternalUserId).toBe('guardian-user-1');
+  });
+
+  test('assistantId defaults to "self" when not provided', () => {
+    // create_challenge without assistantId should scope to 'self'
+    const createMsg: GuardianVerificationRequest = {
+      type: 'guardian_verification',
+      action: 'create_challenge',
+      channel: 'telegram',
+      // assistantId intentionally omitted
+    };
+
+    const { ctx: ctx1, sent: sent1 } = createTestContext();
+    handleGuardianVerification(createMsg, {} as net.Socket, ctx1);
+
+    expect(sent1).toHaveLength(1);
+    const createRes = sent1[0] as { type: string; success: boolean; secret?: string };
+    expect(createRes.success).toBe(true);
+    expect(createRes.secret).toBeDefined();
+  });
 });