@vellumai/assistant 0.3.2 → 0.3.4

package/src/memory/schema.ts

@@ -129,6 +129,7 @@ export const memoryEmbeddings = sqliteTable('memory_embeddings', {
   model: text('model').notNull(),
   dimensions: integer('dimensions').notNull(),
   vectorJson: text('vector_json').notNull(),
+  contentHash: text('content_hash'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
 });
@@ -646,6 +647,7 @@ export const channelGuardianApprovalRequests = sqliteTable('channel_guardian_app
   id: text('id').primaryKey(),
   runId: text('run_id').notNull(),
   conversationId: text('conversation_id').notNull(),
+  assistantId: text('assistant_id').notNull().default('self'),
   channel: text('channel').notNull(),
   requesterExternalUserId: text('requester_external_user_id').notNull(),
   requesterChatId: text('requester_chat_id').notNull(),
@@ -669,6 +671,10 @@ export const channelGuardianRateLimits = sqliteTable('channel_guardian_rate_limi
   channel: text('channel').notNull(),
   actorExternalUserId: text('actor_external_user_id').notNull(),
   actorChatId: text('actor_chat_id').notNull(),
+  // Legacy columns kept with defaults for backward compatibility with upgraded databases
+  // that still have the old NOT NULL columns without DEFAULT. Not read by app logic.
+  invalidAttempts: integer('invalid_attempts').notNull().default(0),
+  windowStartedAt: integer('window_started_at').notNull().default(0),
   attemptTimestampsJson: text('attempt_timestamps_json').notNull().default('[]'),
   lockedUntil: integer('locked_until'),
   createdAt: integer('created_at').notNull(),

package/src/memory/search/types.ts

@@ -94,6 +94,8 @@ export interface CollectedCandidates {
   relationNeighborEntityCount: number;
   relationExpandedItemCount: number;
   earlyTerminated: boolean;
+  /** True when semantic search was attempted but threw an error. */
+  semanticSearchFailed: boolean;
   merged: Candidate[];
 }
 

package/src/permissions/prompter.ts

@@ -10,7 +10,12 @@ import { redactSensitiveFields } from '../security/redaction.js';
 const log = getLogger('permission-prompter');
 
 interface PendingPrompt {
-  resolve: (value: { decision: UserDecision; selectedPattern?: string; selectedScope?: string }) => void;
+  resolve: (value: {
+    decision: UserDecision;
+    selectedPattern?: string;
+    selectedScope?: string;
+    decisionContext?: string;
+  }) => void;
   reject: (reason: Error) => void;
   timer: ReturnType<typeof setTimeout>;
 }
@@ -38,7 +43,12 @@ export class PermissionPrompter {
     sessionId?: string,
     executionTarget?: ExecutionTarget,
     persistentDecisionsAllowed?: boolean,
-  ): Promise<{ decision: UserDecision; selectedPattern?: string; selectedScope?: string }> {
+  ): Promise<{
+    decision: UserDecision;
+    selectedPattern?: string;
+    selectedScope?: string;
+    decisionContext?: string;
+  }> {
     const requestId = uuid();
 
     return new Promise((resolve, reject) => {
@@ -77,6 +87,7 @@ export class PermissionPrompter {
     decision: UserDecision,
     selectedPattern?: string,
     selectedScope?: string,
+    decisionContext?: string,
   ): void {
     const pending = this.pending.get(requestId);
     if (!pending) {
@@ -85,7 +96,7 @@ export class PermissionPrompter {
     }
     clearTimeout(pending.timer);
     this.pending.delete(requestId);
-    pending.resolve({ decision, selectedPattern, selectedScope });
+    pending.resolve({ decision, selectedPattern, selectedScope, decisionContext });
   }
 
   dispose(): void {

package/src/permissions/trust-store.ts

@@ -27,13 +27,17 @@ let cachedStarterBundleAccepted: boolean | null = null;
  * on every tool-call permission check.
  */
 const compiledPatterns = new Map<string, Minimatch>();
+/** Patterns that failed compilation — cached to avoid repeated attempts and log spam. */
+const invalidPatterns = new Set<string>();
 
 /** Get or compile a Minimatch object for the given pattern. Returns null if the pattern is invalid. */
 function getCompiledPattern(pattern: string): Minimatch | null {
+  if (invalidPatterns.has(pattern)) return null;
   let compiled = compiledPatterns.get(pattern);
   if (!compiled) {
     if (typeof pattern !== 'string') {
       log.warn({ pattern }, 'Cannot compile non-string pattern');
+      invalidPatterns.add(pattern as string);
       return null;
     }
     try {
@@ -41,6 +45,7 @@ function getCompiledPattern(pattern: string): Minimatch | null {
       compiledPatterns.set(pattern, compiled);
     } catch (err) {
       log.warn({ pattern, err }, 'Failed to compile pattern');
+      invalidPatterns.add(pattern);
       return null;
     }
   }
@@ -50,6 +55,7 @@ function getCompiledPattern(pattern: string): Minimatch | null {
 /** Rebuild the compiled pattern cache from the current rule set. */
 function rebuildPatternCache(rules: TrustRule[]): void {
   compiledPatterns.clear();
+  invalidPatterns.clear();
   for (const rule of rules) {
     if (typeof rule.pattern !== 'string') {
       log.warn({ ruleId: rule.id, pattern: rule.pattern }, 'Skipping rule with non-string pattern during cache rebuild');
@@ -509,6 +515,7 @@ export function clearCache(): void {
   cachedRules = null;
   cachedStarterBundleAccepted = null;
   compiledPatterns.clear();
+  invalidPatterns.clear();
 }
 
 // ─── Starter approval bundle ────────────────────────────────────────────────

package/src/runtime/channel-approvals.ts

@@ -13,6 +13,7 @@
 import { getPendingConfirmationsByConversation, getRun } from '../memory/runs-store.js';
 import type { PendingRunInfo } from '../memory/runs-store.js';
 import { addRule } from '../permissions/trust-store.js';
+import { getTool } from '../tools/registry.js';
 import type { RunOrchestrator } from './run-orchestrator.js';
 import { DEFAULT_APPROVAL_ACTIONS } from './channel-approval-types.js';
 import type {
@@ -101,11 +102,17 @@ export function handleChannelDecision(
   conversationId: string,
   decision: ApprovalDecisionResult,
   orchestrator: RunOrchestrator,
+  decisionContext?: string,
 ): HandleDecisionResult {
   const pending = getPendingConfirmationsByConversation(conversationId);
   if (pending.length === 0) return { applied: false };
 
-  const info = pending[0];
+  // Callback-based decisions include a run ID and must resolve to that exact
+  // pending confirmation. Plain-text decisions still apply to the first prompt.
+  const info = decision.runId
+    ? pending.find((candidate) => candidate.runId === decision.runId)
+    : pending[0];
+  if (!info) return { applied: false };
 
   if (decision.action === 'approve_always') {
     // Only persist a trust rule when the confirmation explicitly allows persistence
@@ -121,8 +128,13 @@ export function handleChannelDecision(
     ) {
       const pattern = confirmation.allowlistOptions[0].pattern;
       const scope = confirmation.scopeOptions[0].scope;
+      // Only persist executionTarget for skill-origin tools — core tools don't
+      // set it in their PolicyContext, so a persisted value would prevent the
+      // rule from ever matching on subsequent permission checks.
+      const tool = getTool(confirmation.toolName);
+      const executionTarget = tool?.origin === 'skill' ? confirmation.executionTarget : undefined;
       addRule(confirmation.toolName, pattern, scope, 'allow', 100, {
-        executionTarget: confirmation.executionTarget,
+        executionTarget,
       });
     }
     // When persistence is not allowed or options are missing, the decision
@@ -131,7 +143,9 @@ export function handleChannelDecision(
 
   // Map channel-level action to the permission system's UserDecision type.
   const userDecision = decision.action === 'reject' ? 'deny' as const : 'allow' as const;
-  const result = orchestrator.submitDecision(info.runId, userDecision);
+  const result = decisionContext === undefined
+    ? orchestrator.submitDecision(info.runId, userDecision)
+    : orchestrator.submitDecision(info.runId, userDecision, decisionContext);
 
   return {
     applied: result === 'applied',

package/src/runtime/gateway-client.ts

@@ -52,7 +52,8 @@ export async function deliverApprovalPrompt(
   chatId: string,
   text: string,
   approval: ApprovalUIMetadata,
+  assistantId?: string,
   bearerToken?: string,
 ): Promise<void> {
-  await deliverChannelReply(callbackUrl, { chatId, text, approval }, bearerToken);
+  await deliverChannelReply(callbackUrl, { chatId, text, approval, assistantId }, bearerToken);
 }

package/src/runtime/http-server.ts

@@ -41,7 +41,6 @@ import {
   handleChannelDeliveryAck,
   handleListDeadLetters,
   handleReplayDeadLetters,
-  isChannelApprovalsEnabled,
   startGuardianExpirySweep,
   stopGuardianExpirySweep,
 } from './routes/channel-routes.js';
@@ -154,13 +153,16 @@ const GATEWAY_SUBPATH_MAP: Record<string, string> = {
   voice: 'voice-webhook',
   status: 'status',
   'connect-action': 'connect-action',
+  sms: 'sms',
 };
 
 /**
  * Direct Twilio webhook subpaths that are blocked in gateway_only mode.
+ * Includes all public-facing webhook paths (voice, status, connect-action, SMS)
+ * because the runtime must never serve as a direct ingress for external webhooks.
  * Internal forwarding endpoints (gateway→runtime) are unaffected.
  */
-const GATEWAY_ONLY_BLOCKED_SUBPATHS = new Set(['voice-webhook', 'status', 'connect-action']);
+const GATEWAY_ONLY_BLOCKED_SUBPATHS = new Set(['voice-webhook', 'status', 'connect-action', 'sms']);
 
 /**
  * Check if a request origin is from a private/internal network address.
@@ -411,8 +413,10 @@ export class RuntimeHttpServer {
       }, 30_000);
     }
 
-    // Start proactive guardian approval expiry sweep when approvals are enabled
-    if (isChannelApprovalsEnabled() && this.runOrchestrator) {
+    // Start proactive guardian approval expiry sweep whenever orchestrator
+    // support is available. Guardian approvals can be created even when the
+    // generic channel-approval UX flag is disabled.
+    if (this.runOrchestrator) {
       startGuardianExpirySweep(this.runOrchestrator, getGatewayBaseUrl(), this.bearerToken);
       log.info('Guardian approval expiry sweep started');
     }
@@ -616,7 +620,7 @@ export class RuntimeHttpServer {
     const assistantId = match[1];
     const endpoint = match[2];
     log.warn({ endpoint, assistantId }, '[deprecated] /v1/assistants/:assistantId/... route used; migrate to /v1/...');
-    return this.dispatchEndpoint(endpoint, req, url);
+    return this.dispatchEndpoint(endpoint, req, url, assistantId);
   }
 
   /**
@@ -628,6 +632,7 @@ export class RuntimeHttpServer {
     endpoint: string,
     req: Request,
     url: URL,
+    assistantId: string = 'self',
   ): Promise<Response> {
     try {
       if (endpoint === 'health' && req.method === 'GET') {
@@ -636,7 +641,9 @@ export class RuntimeHttpServer {
 
       if (endpoint === 'conversations' && req.method === 'GET') {
         const limit = Number(url.searchParams.get('limit') ?? 50);
-        const conversations = conversationStore.listConversations(limit);
+        const offset = Number(url.searchParams.get('offset') ?? 0);
+        const conversations = conversationStore.listConversations(limit, false, offset);
+        const totalCount = conversationStore.countConversations();
         const bindings = externalConversationStore.getBindingsForConversations(
           conversations.map((c) => c.id),
         );
@@ -659,6 +666,7 @@ export class RuntimeHttpServer {
               } : {}),
             };
           }),
+          hasMore: offset + conversations.length < totalCount,
         });
       }
 
@@ -732,11 +740,12 @@ export class RuntimeHttpServer {
       }
 
       if (endpoint === 'channels/conversation' && req.method === 'DELETE') {
-        return await handleDeleteConversation(req);
+        return await handleDeleteConversation(req, assistantId);
       }
 
       if (endpoint === 'channels/inbound' && req.method === 'POST') {
-        return await handleChannelInbound(req, this.processMessage, this.bearerToken, this.runOrchestrator);
+        const gatewayOriginSecret = process.env.RUNTIME_GATEWAY_ORIGIN_SECRET || undefined;
+        return await handleChannelInbound(req, this.processMessage, this.bearerToken, this.runOrchestrator, assistantId, gatewayOriginSecret);
       }
 
       if (endpoint === 'channels/delivery-ack' && req.method === 'POST') {
@@ -931,8 +940,16 @@ export class RuntimeHttpServer {
           const externalChatId = typeof payload.externalChatId === 'string'
             ? payload.externalChatId
             : undefined;
+          const assistantId = typeof payload.assistantId === 'string'
+            ? payload.assistantId
+            : undefined;
           if (externalChatId) {
-            await this.deliverReplyViaCallback(event.conversationId, externalChatId, replyCallbackUrl);
+            await this.deliverReplyViaCallback(
+              event.conversationId,
+              externalChatId,
+              replyCallbackUrl,
+              assistantId,
+            );
           }
         }
       } catch (err) {
@@ -946,6 +963,7 @@ export class RuntimeHttpServer {
     conversationId: string,
     externalChatId: string,
     callbackUrl: string,
+    assistantId?: string,
   ): Promise<void> {
     const msgs = conversationStore.getMessages(conversationId);
     for (let i = msgs.length - 1; i >= 0; i--) {
@@ -968,6 +986,7 @@ export class RuntimeHttpServer {
             chatId: externalChatId,
             text: rendered.text || undefined,
             attachments: replyAttachments.length > 0 ? replyAttachments : undefined,
+            assistantId,
           }, this.bearerToken);
         }
         break;