@vellumai/assistant 0.3.27 → 0.4.0

package/src/config/vellum-skills/trusted-contacts/SKILL.md

@@ -1,11 +1,11 @@
 ---
 name: "Trusted Contacts"
-description: "Manage trusted contacts and Telegram invite links — list, allow, revoke, block users, and create/list/revoke invite links for external channels"
+description: "Manage trusted contacts and invite links — list, allow, revoke, block users, and create/list/revoke invite links for Telegram and voice (phone call) channels"
 user-invocable: true
 metadata: {"vellum": {"emoji": "\ud83d\udc65"}}
 ---
 
-You are helping your user manage trusted contacts and invite links for the Vellum Assistant. Trusted contacts control who is allowed to send messages to the assistant through external channels like Telegram and SMS. Invite links let the guardian share a Telegram deep link that automatically grants access when opened. All operations go through the gateway HTTP API using `curl` with bearer auth.
+You are helping your user manage trusted contacts and invite links for the Vellum Assistant. Trusted contacts control who is allowed to send messages to the assistant through external channels like Telegram, SMS, and voice (phone calls). Invite links let the guardian share a Telegram deep link that automatically grants access when opened. Voice invites let the guardian authorize a specific phone number to call in — the invitee must call from that phone number AND enter a one-time numeric code. All operations go through the gateway HTTP API using `curl` with bearer auth.
 
 ## Prerequisites
 
@@ -18,8 +18,9 @@ You are helping your user manage trusted contacts and invite links for the Vellu
 - **Member**: A user identity (external user ID or chat ID) from a specific channel that has been registered with a policy.
 - **Policy**: Controls what the member can do — `allow` (can message freely) or `deny` (blocked from messaging).
 - **Status**: The member's lifecycle state — `active` (currently effective), `revoked` (access removed), or `blocked` (explicitly denied).
-- **Source channel**: The messaging platform the contact uses (e.g., `telegram`, `sms`).
+- **Source channel**: The messaging platform the contact uses (e.g., `telegram`, `sms`, `voice`).
 - **Invite link**: A shareable Telegram deep link that, when opened by someone, automatically grants them trusted-contact access. Each invite has a token, usage limits, and optional expiration.
+- **Voice invite**: An invite bound to a specific phone number for phone-call access. The guardian provides the invitee's phone number (E.164 format, e.g., `+15551234567`), and the system generates a numeric code. The invitee must call from that exact phone number AND enter the code when prompted. Both conditions must be met — the call must originate from the bound number, and the correct code must be entered. Voice invites do not have a Telegram-style deep link and do not use `/start` payload tokens. SMS-based invites are not supported.
 
 ## Available Actions
 
@@ -123,16 +124,53 @@ curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/members/<member_id>/block
 
 Use this when the guardian wants to invite someone to message the assistant on Telegram without needing their user ID upfront. The invite link is a shareable Telegram deep link — when someone opens it, they automatically get trusted-contact access.
 
+**Important**: The shell snippet below emits a `<vellum-sensitive-output>` directive containing the raw invite token. The tool executor automatically strips this directive and replaces the raw token with a placeholder so the LLM never sees it. The placeholder is resolved back to the real token in the final assistant reply.
+
 ```bash
 TOKEN=$(cat ~/.vellum/http-token)
-curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites" \
+
+INVITE_JSON=$(curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites" \
   -H "Content-Type: application/json" \
   -H "Authorization: Bearer $TOKEN" \
   -d '{
     "sourceChannel": "telegram",
     "maxUses": 1,
     "note": "<optional note, e.g. the person it is for>"
-  }'
+  }')
+
+INVITE_TOKEN=$(printf '%s' "$INVITE_JSON" | python3 -c "
+import json, sys
+data = json.load(sys.stdin)
+invite = data.get('invite', {})
+print(invite.get('token', ''), end='')
+")
+INVITE_URL=$(printf '%s' "$INVITE_JSON" | python3 -c "
+import json, sys
+data = json.load(sys.stdin)
+invite = data.get('invite', {})
+share = invite.get('share') or {}
+print(share.get('url', ''), end='')
+")
+
+if [ -z "$INVITE_TOKEN" ]; then
+  printf '%s\n' "$INVITE_JSON"
+  exit 1
+fi
+
+# Prefer backend-provided canonical link when available.
+if [ -z "$INVITE_URL" ]; then
+  BOT_CONFIG_JSON=$(curl -s "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/telegram/config" \
+    -H "Authorization: Bearer $TOKEN")
+  BOT_USERNAME=$(printf '%s' "$BOT_CONFIG_JSON" | tr -d '\n' | sed -n 's/.*"botUsername"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+  if [ -z "$BOT_USERNAME" ]; then
+    echo "error:no_share_url_or_bot_username"
+    exit 1
+  fi
+  INVITE_URL="https://t.me/$BOT_USERNAME?start=iv_$INVITE_TOKEN"
+fi
+
+echo "<vellum-sensitive-output kind=\"invite_code\" value=\"$INVITE_TOKEN\" />"
+echo "$INVITE_URL"
 ```
 
 Optional fields:
@@ -140,21 +178,11 @@ Optional fields:
 - `expiresInMs` — expiration time in milliseconds from now (e.g., `86400000` for 24 hours). Defaults to 7 days (`604800000`) if omitted.
 - `note` — a human-readable label for the invite (e.g., "For Mom", "Family group").
 
-The response contains `{ ok: true, invite: { id, token, ... } }`. The `token` field is the raw invite token — it is only returned at creation time and cannot be retrieved later.
-
-**Building the shareable link**: After creating the invite, look up the Telegram bot username so you can build the deep link. Query the Telegram integration config:
-
-```bash
-TOKEN=$(cat ~/.vellum/http-token)
-curl -s "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/telegram/config" \
-  -H "Authorization: Bearer $TOKEN"
-```
+The create response contains `{ ok: true, invite: { id, token, share?, ... } }`.
+- `token` is the raw invite token and is only returned at creation time.
+- `share.url` is the canonical shareable deep link (when channel transport config is available).
 
-The response includes `botUsername`. Use it to construct the deep link:
-
-```
-https://t.me/<botUsername>?start=iv_<token>
-```
+Always use `invite.share.url` when present. Do not manually construct `?start=` links if the API already provided one.
 
 **Presenting to the guardian**: Give the guardian the link with clear copy-paste instructions:
 
@@ -211,9 +239,99 @@ curl -s -X DELETE "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites/<invite_id>" \
 
 Replace `<invite_id>` with the invite's `id` from the list response.
 
+### 8. Create a voice invite
+
+Use this when the guardian wants to authorize a specific phone number to call the assistant. Voice invites are identity-bound: the invitee must call from the specified phone number AND enter a one-time numeric code.
+
+**Important**: The response includes a `voiceCode` field that is only returned at creation time and cannot be retrieved later. Extract and present it clearly.
+
+```bash
+TOKEN=$(cat ~/.vellum/http-token)
+
+INVITE_JSON=$(curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites" \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer $TOKEN" \
+  -d '{
+    "sourceChannel": "voice",
+    "expectedExternalUserId": "<phone_number_E164>",
+    "maxUses": 1,
+    "note": "<optional note, e.g. the person it is for>"
+  }')
+printf '%s\n' "$INVITE_JSON"
+```
+
+Required fields:
+- `sourceChannel` — must be `"voice"`
+- `expectedExternalUserId` — the invitee's phone number in E.164 format (e.g., `+15551234567`)
+
+Optional fields:
+- `maxUses` — how many times the code can be used (default: 1)
+- `expiresInMs` — expiration time in milliseconds from now (e.g., `86400000` for 24 hours). Defaults to 7 days if omitted.
+- ~~`voiceCodeDigits`~~ — always 6 digits; this parameter is accepted but ignored
+- `note` — a human-readable label for the invite (e.g., "For Mom", "Dr. Smith")
+
+The create response contains `{ ok: true, invite: { id, voiceCode, expectedExternalUserId, ... } }`.
+- `voiceCode` is the numeric code the invitee must enter and is only returned at creation time.
+- Voice invite responses do **not** include `token` or `share.url`. Do not try to build or send a deep link for voice invites.
+
+**Presenting to the guardian**: Give the guardian clear instructions to relay to the invitee:
+
+> Voice invite created for **<phone_number>**:
+>
+> **Invite code: `<voiceCode>`**
+>
+> Share these instructions with the person you are inviting:
+> 1. Call the assistant's phone number from **<phone_number>** (the call must come from this exact number)
+> 2. When prompted, enter the code **<voiceCode>**
+> 3. Once verified, they will be added as a trusted contact and can call the assistant directly in the future
+>
+> This code can be used <maxUses> time(s)<and expires in X hours/days if applicable>.
+
+There is no "open link" step for voice invites. The invite is redeemed only during a live phone call from the bound number.
+
+If the user provides a phone number without the `+` country code prefix, ask them to confirm the full E.164 number (e.g., US numbers should be `+1XXXXXXXXXX`).
+
+**Note**: SMS-based invites are not currently supported. Only voice (phone call) invites are available for phone-based access.
+
+### 9. List voice invites
+
+Use this to show the guardian their active voice invites.
+
+```bash
+TOKEN=$(cat ~/.vellum/http-token)
+curl -s "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites?sourceChannel=voice" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+Optional query parameters:
+- `status` — filter by status (`active`, `revoked`, `redeemed`, `expired`)
+
+The response format is the same as regular invites but voice invites also include:
+- `expectedExternalUserId` — the bound phone number
+- `voiceCodeDigits` — always 6 (the code itself is not retrievable after creation)
+- `token` and `share` are not present for voice invites
+
+**Presenting results**: Format as a readable list. Show the note (or "unnamed" as fallback), bound phone number, status, uses remaining, and expiration. Highlight which invites are still active.
+
+### 10. Revoke a voice invite
+
+Use this when the guardian wants to cancel an active voice invite. **Always confirm before revoking.**
+
+Ask the user: *"I'll revoke the voice invite for [phone number or note]. The code will no longer work. Should I proceed?"*
+
+First, list voice invites to find the invite's `id`, then revoke:
+
+```bash
+TOKEN=$(cat ~/.vellum/http-token)
+curl -s -X DELETE "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites/<invite_id>" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+Replace `<invite_id>` with the invite's `id` from the list response. The same revoke endpoint is used for both Telegram and voice invites.
+
 ## Confirmation Requirements
 
-**All mutating actions (allow, revoke, block, revoke invite) require explicit user confirmation before execution.** This is a safety measure — modifying who can access the assistant should always be a deliberate choice. Creating an invite link does not require confirmation since it does not grant access until someone opens it.
+**All mutating actions (allow, revoke, block, revoke invite) require explicit user confirmation before execution.** This is a safety measure — modifying who can access the assistant should always be a deliberate choice. Creating an invite (Telegram link or voice invite) does not require confirmation since it does not grant access until the invitee redeems it.
 
 - Clearly state what action you are about to take and who it affects.
 - Wait for the user to confirm before running the curl command.
@@ -227,7 +345,9 @@ Replace `<invite_id>` with the invite's `id` from the list response.
   - `At least one of externalUserId or externalChatId is required` — ask the user for the contact's channel-specific identifier.
   - `Member not found or cannot be revoked` — the member ID may be invalid or the member is already revoked.
   - `Member not found or already blocked` — the member ID may be invalid or the member is already blocked.
-  - `sourceChannel is required for create` — when creating an invite, always pass `"sourceChannel": "telegram"`.
+  - `sourceChannel is required for create` — when creating an invite, always pass `"sourceChannel": "telegram"` for Telegram or `"sourceChannel": "voice"` for voice invites.
+  - `expectedExternalUserId is required for voice invites` — voice invites must include the invitee's phone number.
+  - `expectedExternalUserId must be in E.164 format` — the phone number must start with `+` followed by country code and number (e.g., `+15551234567`).
   - `Invite not found or already revoked` — the invite ID may be invalid or the invite is already revoked.
 
 ## Typical Workflows
@@ -247,3 +367,11 @@ Replace `<invite_id>` with the invite's `id` from the list response.
 **"Show my invites"** / **"List active invite links"** — List invites filtered by `sourceChannel=telegram`, present active invites with uses remaining and expiration info.
 
 **"Revoke invite"** / **"Cancel invite link"** — List invites to identify the target, confirm, then revoke by ID.
+
+**"Create a voice invite for +15551234567"** — Create a voice invite with `sourceChannel: "voice"` and the given phone number as `expectedExternalUserId`. Present the invite code and instructions: the person must call from that number and enter the code.
+
+**"Let my mom call in"** / **"Invite someone by phone"** — Ask for the phone number in E.164 format, create a voice invite, and present the code + calling instructions.
+
+**"Show my voice invites"** / **"List phone invites"** — List invites filtered by `sourceChannel=voice`, present active invites with bound phone number and expiration info.
+
+**"Revoke voice invite"** / **"Cancel the phone invite for +15551234567"** — List voice invites, identify the target by phone number or note, confirm, then revoke by ID.

package/src/daemon/handlers/config-inbox.ts

@@ -303,9 +303,9 @@ async function executeApprove(
     }
   }
   session.setAssistantId(assistantId);
-  // The guardian approved this escalation, so tag as guardian to avoid
-  // 'unverified_channel' blocking memory extraction.
-  session.setGuardianContext({ actorRole: 'guardian', sourceChannel: sourceChannel ?? 'vellum' });
+  // The guardian approved this escalation, so tag as guardian trust to avoid
+  // unknown-provenance memory gating.
+  session.setGuardianContext({ trustClass: 'guardian', sourceChannel: sourceChannel ?? 'vellum' });
   session.setCommandIntent(null);
 
   // Process the message through the agent loop (no IPC event callback
@@ -379,7 +379,7 @@ async function executeDeny(
   // Store a system note about the denial in the conversation
   const denialInterface = isInterfaceId(sourceChannel) ? sourceChannel : undefined;
   await addMessage(conversationId, 'assistant', denialText, {
-    provenanceActorRole: 'guardian' as const,
+    provenanceTrustClass: 'guardian' as const,
     userMessageChannel: sourceChannel,
     assistantMessageChannel: sourceChannel,
     ...(denialInterface ? { userMessageInterface: denialInterface, assistantMessageInterface: denialInterface } : {}),

package/src/daemon/handlers/guardian-actions.ts

@@ -1,9 +1,8 @@
-import { applyGuardianDecision } from '../../approvals/guardian-decision-primitive.js';
-import { getPendingApprovalForRequest } from '../../memory/channel-guardian-store.js';
+import {
+  applyCanonicalGuardianDecision,
+} from '../../approvals/guardian-decision-primitive.js';
+import { getCanonicalGuardianRequest } from '../../memory/canonical-guardian-store.js';
 import type { ApprovalAction } from '../../runtime/channel-approval-types.js';
-import { handleChannelDecision } from '../../runtime/channel-approvals.js';
-import * as pendingInteractions from '../../runtime/pending-interactions.js';
-import { handleAccessRequestDecision } from '../../runtime/routes/access-request-decision.js';
 import { listGuardianDecisionPrompts } from '../../runtime/routes/guardian-action-routes.js';
 import type { GuardianActionDecision, GuardianActionsPendingRequest } from '../ipc-protocol.js';
 import { defineHandlers, log } from './shared.js';
@@ -16,7 +15,8 @@ export const guardianActionsHandlers = defineHandlers({
     ctx.send(socket, { type: 'guardian_actions_pending_response', conversationId: msg.conversationId, prompts });
   },
 
-  guardian_action_decision: (msg: GuardianActionDecision, socket, ctx) => {
+  guardian_action_decision: async (msg: GuardianActionDecision, socket, ctx) => {
+    try {
     // Validate the action is one of the known actions
     if (!VALID_ACTIONS.has(msg.action)) {
       log.warn({ requestId: msg.requestId, action: msg.action }, 'Invalid guardian action');
@@ -29,92 +29,71 @@ export const guardianActionsHandlers = defineHandlers({
       return;
     }
 
-    // Try the channel guardian approval store first (tool approval prompts)
-    const approval = getPendingApprovalForRequest(msg.requestId);
-    if (approval) {
-      // Enforce conversationId scoping when provided.
-      if (msg.conversationId && msg.conversationId !== approval.conversationId) {
-        log.warn({ requestId: msg.requestId, expected: approval.conversationId, got: msg.conversationId }, 'conversationId mismatch');
+    // Verify conversationId scoping before applying the canonical decision.
+    // A caller must not be able to cross-resolve requests from a different conversation.
+    if (msg.conversationId) {
+      const canonicalRequest = getCanonicalGuardianRequest(msg.requestId);
+      if (canonicalRequest && canonicalRequest.conversationId && canonicalRequest.conversationId !== msg.conversationId) {
+        log.warn({ requestId: msg.requestId, expected: canonicalRequest.conversationId, got: msg.conversationId }, 'conversationId mismatch');
         ctx.send(socket, {
           type: 'guardian_action_decision_response',
           applied: false,
-          reason: 'conversation_mismatch',
+          reason: 'not_found',
           requestId: msg.requestId,
         });
         return;
       }
-
-      // Access request approvals need a separate decision path — they don't have
-      // pending interactions and use verification sessions instead.
-      if (approval.toolName === 'ingress_access_request') {
-        const mappedAction = msg.action === 'reject' ? 'deny' as const : 'approve' as const;
-        // Use 'desktop' as the actor identity because this endpoint is
-        // unauthenticated — we cannot verify the caller is the assigned
-        // guardian, so we record a generic desktop origin instead of
-        // falsely attributing the decision to guardianExternalUserId.
-        const decisionResult = handleAccessRequestDecision(
-          approval,
-          mappedAction,
-          'desktop',
-        );
-        ctx.send(socket, {
-          type: 'guardian_action_decision_response',
-          applied: decisionResult.type !== 'stale',
-          requestId: msg.requestId,
-          reason: decisionResult.type === 'stale' ? 'stale' : undefined,
-        });
-        return;
-      }
-
-      const result = applyGuardianDecision({
-        approval,
-        decision: { action: msg.action as 'approve_once' | 'approve_always' | 'reject', source: 'plain_text', requestId: msg.requestId },
-        actorExternalUserId: undefined,
-        actorChannel: 'vellum',
-      });
-      ctx.send(socket, {
-        type: 'guardian_action_decision_response',
-        applied: result.applied,
-        reason: result.reason,
-        requestId: result.requestId ?? msg.requestId,
-      });
-      return;
     }
 
-    // Fall back to the pending interactions tracker (direct confirmation requests).
-    // Route through handleChannelDecision so approve_always properly persists trust rules.
-    const interaction = pendingInteractions.get(msg.requestId);
-    if (interaction) {
-      // Enforce conversationId scoping when provided.
-      if (msg.conversationId && msg.conversationId !== interaction.conversationId) {
-        log.warn({ requestId: msg.requestId, expected: interaction.conversationId, got: msg.conversationId }, 'conversationId mismatch');
+    const canonicalResult = await applyCanonicalGuardianDecision({
+      requestId: msg.requestId,
+      action: msg.action as ApprovalAction,
+      actorContext: {
+        externalUserId: undefined,
+        channel: 'vellum',
+        isTrusted: true,
+      },
+      userText: undefined,
+    });
+
+    if (canonicalResult.applied) {
+      // When the CAS committed but the resolver failed, the side effect
+      // (e.g. minting a verification session) did not happen. From the
+      // caller's perspective the decision was not truly applied.
+      if (canonicalResult.resolverFailed) {
         ctx.send(socket, {
           type: 'guardian_action_decision_response',
           applied: false,
-          reason: 'conversation_mismatch',
-          requestId: msg.requestId,
+          reason: 'resolver_failed',
+          resolverFailureReason: canonicalResult.resolverFailureReason,
+          requestId: canonicalResult.requestId,
         });
         return;
       }
 
-      const result = handleChannelDecision(
-        interaction.conversationId,
-        { action: msg.action as ApprovalAction, source: 'plain_text', requestId: msg.requestId },
-      );
       ctx.send(socket, {
         type: 'guardian_action_decision_response',
-        applied: result.applied,
-        requestId: result.requestId ?? msg.requestId,
+        applied: true,
+        requestId: canonicalResult.requestId,
       });
       return;
     }
 
-    log.warn({ requestId: msg.requestId }, 'No pending guardian action found for requestId');
+    // Return the reason for failure (stale, expired, not_found, etc.)
     ctx.send(socket, {
       type: 'guardian_action_decision_response',
       applied: false,
-      reason: 'not_found',
+      reason: canonicalResult.reason,
       requestId: msg.requestId,
     });
+    } catch (err) {
+      log.error({ err, requestId: msg.requestId }, 'guardian_action_decision: unhandled error');
+      ctx.send(socket, {
+        type: 'guardian_action_decision_response',
+        applied: false,
+        reason: 'internal_error',
+        requestId: msg.requestId,
+      });
+    }
   },
 });

package/src/daemon/handlers/sessions.ts

@@ -2,18 +2,26 @@ import * as net from 'node:net';
 
 import { v4 as uuid } from 'uuid';
 
+import { createAssistantMessage, createUserMessage } from '../../agent/message-types.js';
 import { type InterfaceId,isChannelId, parseChannelId, parseInterfaceId } from '../../channels/types.js';
 import { getConfig } from '../../config/loader.js';
 import { getAttachmentsForMessage, getFilePathForAttachment, setAttachmentThumbnail } from '../../memory/attachments-store.js';
+import {
+  listCanonicalGuardianRequests,
+  listPendingCanonicalGuardianRequestsByDestinationConversation,
+} from '../../memory/canonical-guardian-store.js';
 import { getAttentionStateByConversationIds } from '../../memory/conversation-attention-store.js';
 import * as conversationStore from '../../memory/conversation-store.js';
 import { GENERATING_TITLE, queueGenerateConversationTitle, UNTITLED_FALLBACK } from '../../memory/conversation-title-service.js';
 import * as externalConversationStore from '../../memory/external-conversation-store.js';
+import { routeGuardianReply } from '../../runtime/guardian-reply-router.js';
+import * as pendingInteractions from '../../runtime/pending-interactions.js';
 import { checkIngressForSecrets } from '../../security/secret-ingress.js';
 import { compileCustomPatterns, redactSecrets } from '../../security/secret-scanner.js';
 import { getSubagentManager } from '../../subagent/index.js';
 import { silentlyWithLog } from '../../util/silently.js';
 import { truncate } from '../../util/truncate.js';
+import { createApprovalConversationGenerator } from '../approval-generators.js';
 import { getAssistantName } from '../identity-helpers.js';
 import type { UserMessageAttachment } from '../ipc-contract.js';
 import type {
@@ -56,6 +64,8 @@ import {
   wireEscalationHandler,
 } from './shared.js';
 
+const desktopApprovalConversationGenerator = createApprovalConversationGenerator();
+
 export async function handleUserMessage(
   msg: UserMessage,
   socket: net.Socket,
@@ -172,9 +182,9 @@ export async function handleUserMessage(
         assistantMessageInterface: ipcInterface,
       });
       session.setAssistantId('self');
-      // IPC/desktop user IS the guardian — default to guardian role so messages
-      // are not tagged 'unverified_channel' (which blocks memory extraction).
-      session.setGuardianContext({ actorRole: 'guardian', sourceChannel: ipcChannel });
+      // IPC/desktop user IS the guardian — default to guardian trust so
+      // messages are not tagged as unknown provenance.
+      session.setGuardianContext({ trustClass: 'guardian', sourceChannel: ipcChannel });
       session.setCommandIntent(null);
       // Fire-and-forget: don't block the IPC handler so the connection can
       // continue receiving messages (e.g. cancel, confirmations, or
@@ -451,12 +461,146 @@ export async function handleUserMessage(
       }
     }
 
+    // If exactly one live turn is waiting on confirmation (no queued turns),
+    // try to consume this text as an inline approval decision first.
+    if (
+      session.hasAnyPendingConfirmation()
+      && session.getQueueDepth() === 0
+      && messageText.trim().length > 0
+    ) {
+      try {
+        const pendingInteractionRequestIdsForConversation = pendingInteractions
+          .getByConversation(msg.sessionId)
+          .filter(
+            (interaction) =>
+              interaction.kind === 'confirmation'
+              && interaction.session === session
+              && session.hasPendingConfirmation(interaction.requestId),
+          )
+          .map((interaction) => interaction.requestId);
+
+        const pendingCanonicalRequestIdsForConversation = [
+          ...listPendingCanonicalGuardianRequestsByDestinationConversation(msg.sessionId, ipcChannel)
+            .filter((request) => request.kind === 'tool_approval')
+            .map((request) => request.id),
+          ...listCanonicalGuardianRequests({
+            status: 'pending',
+            conversationId: msg.sessionId,
+            kind: 'tool_approval',
+          }).map((request) => request.id),
+        ].filter((pendingRequestId) => session.hasPendingConfirmation(pendingRequestId));
+
+        const pendingRequestIdsForConversation = Array.from(new Set([
+          ...pendingInteractionRequestIdsForConversation,
+          ...pendingCanonicalRequestIdsForConversation,
+        ]));
+
+        if (pendingRequestIdsForConversation.length > 0) {
+          const routerResult = await routeGuardianReply({
+            messageText: messageText.trim(),
+            channel: ipcChannel,
+            actor: {
+              externalUserId: undefined,
+              channel: ipcChannel,
+              isTrusted: true,
+            },
+            conversationId: msg.sessionId,
+            pendingRequestIds: pendingRequestIdsForConversation,
+            approvalConversationGenerator: desktopApprovalConversationGenerator,
+          });
+
+          if (routerResult.consumed && routerResult.type !== 'nl_keep_pending') {
+            const consumedChannelMeta = {
+              userMessageChannel: ipcChannel,
+              assistantMessageChannel: ipcChannel,
+              userMessageInterface: ipcInterface,
+              assistantMessageInterface: ipcInterface,
+              provenanceActorRole: 'guardian' as const,
+            };
+
+            const consumedUserMessage = createUserMessage(messageText, msg.attachments ?? []);
+            await conversationStore.addMessage(
+              msg.sessionId,
+              'user',
+              JSON.stringify(consumedUserMessage.content),
+              consumedChannelMeta,
+            );
+
+            const replyText = (routerResult.replyText?.trim())
+              || (routerResult.decisionApplied ? 'Decision applied.' : 'Request already resolved.');
+            const consumedAssistantMessage = createAssistantMessage(replyText);
+            await conversationStore.addMessage(
+              msg.sessionId,
+              'assistant',
+              JSON.stringify(consumedAssistantMessage.content),
+              consumedChannelMeta,
+            );
+            // Avoid mutating in-memory history while an agent loop is active;
+            // the loop owns history reconstruction for the in-flight turn.
+            if (!session.isProcessing()) {
+              // Keep in-memory history aligned with persisted transcript so
+              // session-history operations (undo/regenerate) target the same turn.
+              session.messages.push(consumedUserMessage, consumedAssistantMessage);
+            }
+
+            // Mirror the normal queued/dequeued lifecycle so desktop clients can
+            // reconcile queued bubble state for this just-sent user message.
+            ctx.send(socket, {
+              type: 'message_queued',
+              sessionId: msg.sessionId,
+              requestId,
+              position: 0,
+            });
+            ctx.send(socket, {
+              type: 'message_dequeued',
+              sessionId: msg.sessionId,
+              requestId,
+            });
+
+            // Only emit the reply delta when no agent turn is in-flight.
+            // When the agent is active, currentAssistantMessageId on the client
+            // points to the agent's streaming message and this delta would
+            // contaminate it.  The reply is already persisted to the DB, so the
+            // client will see it on the next transcript reload / session switch.
+            if (!session.isProcessing()) {
+              ctx.send(socket, {
+                type: 'assistant_text_delta',
+                text: replyText,
+                sessionId: msg.sessionId,
+              });
+            }
+            ctx.send(socket, {
+              type: 'message_request_complete',
+              sessionId: msg.sessionId,
+              requestId,
+              runStillActive: session.isProcessing(),
+            });
+
+            rlog.info(
+              { routerType: routerResult.type, decisionApplied: routerResult.decisionApplied, routerRequestId: routerResult.requestId },
+              'Consumed pending-confirmation reply before auto-deny',
+            );
+            return;
+          }
+        }
+      } catch (err) {
+        rlog.warn({ err }, 'Failed to process pending-confirmation reply; falling back to auto-deny behavior');
+      }
+    }
+
     // If the session has a pending tool confirmation, auto-deny it so the
-    // agent can process the user's follow-up message instead.  The agent
+    // agent can process the user's follow-up message instead. The agent
     // will see the denial and can re-request the tool if still needed.
     if (session.hasAnyPendingConfirmation()) {
       rlog.info('Auto-denying pending confirmation(s) due to new user message');
       session.denyAllPendingConfirmations();
+      // Keep the pending-interaction tracker aligned with the prompter so
+      // stale request IDs are not reused as routing candidates.
+      for (const interaction of pendingInteractions.getByConversation(msg.sessionId)) {
+        if (interaction.session === session && interaction.kind === 'confirmation') {
+          pendingInteractions.resolve(interaction.requestId);
+        }
+      }
     }
 
     dispatchUserMessage(

package/src/daemon/ipc-contract/guardian-actions.ts

@@ -31,6 +31,12 @@ export interface GuardianActionsPendingResponse {
     expiresAt: number;
     conversationId: string;
     callSessionId: string | null;
+    /**
+     * Canonical request kind (e.g. 'tool_approval', 'pending_question').
+     * Present when the prompt originates from the canonical guardian request
+     * store. Absent for legacy-only prompts.
+     */
+    kind?: string;
   }>;
 }
 
@@ -38,6 +44,7 @@ export interface GuardianActionDecisionResponse {
   type: 'guardian_action_decision_response';
   applied: boolean;
   reason?: string;
+  resolverFailureReason?: string;
   requestId?: string;
   userText?: string;
 }

package/src/daemon/ipc-contract/messages.ts

@@ -173,6 +173,21 @@ export interface MessageDequeued {
   requestId: string;
 }
 
+/**
+ * Request-level terminal signal for a user message lifecycle.
+ *
+ * Unlike `message_complete`, this does not imply the active assistant turn
+ * has completed. It is used for paths that consume a request inline while a
+ * separate in-flight turn may still be running.
+ */
+export interface MessageRequestComplete {
+  type: 'message_request_complete';
+  sessionId: string;
+  requestId: string;
+  /** True when an existing turn is still running after this request is finalized. */
+  runStillActive?: boolean;
+}
+
 export interface MessageQueuedDeleted {
   type: 'message_queued_deleted';
   sessionId: string;
@@ -241,6 +256,7 @@ export type _MessagesServerMessages =
   | SecretDetected
   | MessageQueued
   | MessageDequeued
+  | MessageRequestComplete
   | MessageQueuedDeleted
   | SuggestionResponse
   | TraceEvent;