@vellumai/assistant 0.3.27 → 0.4.0

package/src/memory/ingress-invite-store.ts

@@ -33,6 +33,10 @@ export interface IngressInvite {
   redeemedByExternalUserId: string | null;
   redeemedByExternalChatId: string | null;
   redeemedAt: number | null;
+  // Voice invite fields (null for non-voice invites)
+  expectedExternalUserId: string | null;
+  voiceCodeHash: string | null;
+  voiceCodeDigits: number | null;
   createdAt: number;
   updatedAt: number;
 }
@@ -90,6 +94,9 @@ function rowToInvite(row: typeof assistantIngressInvites.$inferSelect): IngressI
     redeemedByExternalUserId: row.redeemedByExternalUserId,
     redeemedByExternalChatId: row.redeemedByExternalChatId,
     redeemedAt: row.redeemedAt,
+    expectedExternalUserId: row.expectedExternalUserId,
+    voiceCodeHash: row.voiceCodeHash,
+    voiceCodeDigits: row.voiceCodeDigits,
     createdAt: row.createdAt,
     updatedAt: row.updatedAt,
   };
@@ -127,6 +134,10 @@ export function createInvite(params: {
   note?: string;
   maxUses?: number;
   expiresInMs?: number;
+  // Voice invite metadata (all optional — omitted for non-voice invites)
+  expectedExternalUserId?: string;
+  voiceCodeHash?: string;
+  voiceCodeDigits?: number;
 }): { invite: IngressInvite; rawToken: string } {
   const db = getDb();
   const now = Date.now();
@@ -148,6 +159,9 @@ export function createInvite(params: {
     redeemedByExternalUserId: null,
     redeemedByExternalChatId: null,
     redeemedAt: null,
+    expectedExternalUserId: params.expectedExternalUserId ?? null,
+    voiceCodeHash: params.voiceCodeHash ?? null,
+    voiceCodeDigits: params.voiceCodeDigits ?? null,
     createdAt: now,
     updatedAt: now,
   };
@@ -432,3 +446,34 @@ export function findByTokenHash(tokenHash: string): IngressInvite | null {
 
   return row ? rowToInvite(row) : null;
 }
+
+// ---------------------------------------------------------------------------
+// findActiveVoiceInvites
+// ---------------------------------------------------------------------------
+
+/**
+ * Find all active voice invites bound to a specific caller identity.
+ * Used by the voice invite redemption flow to locate candidate invites
+ * before code hash matching.
+ */
+export function findActiveVoiceInvites(params: {
+  assistantId: string;
+  expectedExternalUserId: string;
+}): IngressInvite[] {
+  const db = getDb();
+
+  const rows = db
+    .select()
+    .from(assistantIngressInvites)
+    .where(
+      and(
+        eq(assistantIngressInvites.assistantId, params.assistantId),
+        eq(assistantIngressInvites.sourceChannel, 'voice'),
+        eq(assistantIngressInvites.status, 'active'),
+        eq(assistantIngressInvites.expectedExternalUserId, params.expectedExternalUserId),
+      ),
+    )
+    .all();
+
+  return rows.map(rowToInvite);
+}

package/src/memory/job-handlers/backfill.ts

@@ -24,21 +24,28 @@ const BACKFILL_CHECKPOINT_ID_KEY = 'memory:backfill:last_message_id';
 const RELATION_BACKFILL_CHECKPOINT_KEY = 'memory:relation_backfill:last_created_at';
 const RELATION_BACKFILL_CHECKPOINT_ID_KEY = 'memory:relation_backfill:last_message_id';
 
-type ProvenanceActorRole = 'guardian' | 'non-guardian' | 'unverified_channel';
+type ProvenanceTrustClass = 'guardian' | 'trusted_contact' | 'unknown';
 
-function parseProvenanceActorRole(rawMetadata: string | null): ProvenanceActorRole | undefined {
+function parseProvenanceTrustClass(rawMetadata: string | null): ProvenanceTrustClass | undefined {
   if (!rawMetadata) return undefined;
   try {
     const parsedJson: unknown = JSON.parse(rawMetadata);
     const parsed = messageMetadataSchema.safeParse(parsedJson);
-    return parsed.success ? parsed.data.provenanceActorRole : undefined;
+    if (!parsed.success) return undefined;
+    if (parsed.data.provenanceTrustClass) return parsed.data.provenanceTrustClass;
+    // Legacy fallback for rows written before provenanceTrustClass existed.
+    const legacyRole = (parsedJson as { provenanceActorRole?: unknown }).provenanceActorRole;
+    if (legacyRole === 'guardian') return 'guardian';
+    if (legacyRole === 'non-guardian') return 'trusted_contact';
+    if (legacyRole === 'unverified_channel') return 'unknown';
+    return undefined;
   } catch {
     return undefined;
   }
 }
 
-function isTrustedActorRole(actorRole: ProvenanceActorRole | undefined): boolean {
-  return actorRole === 'guardian' || actorRole === undefined;
+function isTrustedTrustClass(trustClass: ProvenanceTrustClass | undefined): boolean {
+  return trustClass === 'guardian' || trustClass === undefined;
 }
 
 export function backfillJob(job: MemoryJob, config: AssistantConfig): void {
@@ -68,7 +75,7 @@ export function backfillJob(job: MemoryJob, config: AssistantConfig): void {
         scopeId = getConversationMemoryScopeId(message.conversationId);
         scopeCache.set(message.conversationId, scopeId);
       }
-      const provenanceActorRole = parseProvenanceActorRole(message.metadata ?? null);
+      const provenanceTrustClass = parseProvenanceTrustClass(message.metadata ?? null);
       indexMessageNow({
         messageId: message.id,
         conversationId: message.conversationId,
@@ -76,7 +83,7 @@ export function backfillJob(job: MemoryJob, config: AssistantConfig): void {
         content: message.content,
         createdAt: message.createdAt,
         scopeId,
-        provenanceActorRole,
+        provenanceTrustClass,
       }, config.memory);
     }
     const lastMessage = batch[batch.length - 1];
@@ -139,8 +146,8 @@ export function backfillEntityRelationsJob(job: MemoryJob, config: AssistantConf
   let queuedExtractEntityJobs = 0;
   let skippedUntrusted = 0;
   for (const message of batch) {
-    const provenanceActorRole = parseProvenanceActorRole(message.metadata ?? null);
-    if (!isTrustedActorRole(provenanceActorRole)) {
+    const provenanceTrustClass = parseProvenanceTrustClass(message.metadata ?? null);
+    if (!isTrustedTrustClass(provenanceTrustClass)) {
       skippedUntrusted += 1;
       continue;
     }

package/src/memory/migrations/036-normalize-phone-identities.ts

@@ -0,0 +1,289 @@
+import { normalizePhoneNumber } from '../../util/phone.js';
+import { type DrizzleDb, getSqliteFrom } from '../db-connection.js';
+
+/**
+ * One-shot migration: normalize phone-like identity fields to E.164 format.
+ *
+ * Historical records may contain phone numbers in inconsistent formats
+ * (e.g., "(555) 123-4567", "1-555-123-4567", "+1 555 123 4567").
+ * This migration normalizes them to E.164 ("+15551234567") using the same
+ * normalizePhoneNumber utility used at runtime.
+ *
+ * Strategy:
+ *   - Tables with a `channel` column: only process rows where the channel
+ *     is phone-like (sms, voice, whatsapp).
+ *   - The `expected_phone_e164` column is always a phone number regardless
+ *     of channel, so it is normalized unconditionally.
+ *
+ * Collision handling: source queries are ordered by `updated_at DESC`
+ * (falling back to `rowid DESC` when the column is absent) so the
+ * most-recently-updated row is processed first and receives the UPDATE.
+ * When a subsequent (older) duplicate normalizes to the same value
+ * within the same unique-key scope, it is deleted — preserving the
+ * most recent state deterministically.
+ *
+ * Idempotent: already-normalized values pass through normalizePhoneNumber
+ * unchanged, and the checkpoint key prevents re-execution.
+ */
+export function migrateNormalizePhoneIdentities(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+  const checkpointKey = 'migration_normalize_phone_identities_v1';
+  const checkpoint = raw.query(
+    `SELECT 1 FROM memory_checkpoints WHERE key = ?`,
+  ).get(checkpointKey);
+  if (checkpoint) return;
+
+  const PHONE_CHANNELS = ['sms', 'voice', 'whatsapp'];
+
+  /**
+   * Unique key scope definition for collision detection.
+   * `peerColumns` are the other columns in the composite unique index
+   * (besides the column being normalized). When the normalized value
+   * matches an existing row with the same peer-column values, the
+   * current row is a duplicate and should be deleted.
+   * `whereClause` is an optional SQL fragment for partial unique indexes
+   * (e.g., `WHERE external_user_id IS NOT NULL`).
+   */
+  type UniqueKeyScope = {
+    peerColumns: string[];
+    whereClause?: string;
+  };
+
+  // Helper: normalize a column's phone-like values in a table filtered by channel.
+  // When uniqueKeyScope is provided, checks for collisions before updating.
+  // Rows are ordered by updated_at DESC (or rowid DESC as fallback) so the
+  // most-recently-updated row is processed first and survives collisions.
+  function normalizeColumnByChannel(
+    table: string,
+    column: string,
+    channelColumn: string,
+    uniqueKeyScope?: UniqueKeyScope,
+  ): void {
+    const tableExists = raw.query(
+      `SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?`,
+    ).get(table);
+    if (!tableExists) return;
+
+    const colExists = raw.query(
+      `SELECT 1 FROM pragma_table_info(?) WHERE name = ?`,
+    ).get(table, column);
+    if (!colExists) return;
+
+    const chanColExists = raw.query(
+      `SELECT 1 FROM pragma_table_info(?) WHERE name = ?`,
+    ).get(table, channelColumn);
+    if (!chanColExists) return;
+
+    const hasUpdatedAt = !!raw.query(
+      `SELECT 1 FROM pragma_table_info(?) WHERE name = 'updated_at'`,
+    ).get(table);
+    const orderBy = hasUpdatedAt ? 'updated_at DESC, rowid DESC' : 'rowid DESC';
+
+    const selectColumns = [`id`, column];
+    if (uniqueKeyScope) {
+      for (const peer of uniqueKeyScope.peerColumns) {
+        if (!selectColumns.includes(peer)) selectColumns.push(peer);
+      }
+    }
+
+    const rows = raw.query(
+      `SELECT ${selectColumns.join(', ')} FROM ${table} WHERE ${channelColumn} IN (${PHONE_CHANNELS.map(() => '?').join(',')}) AND ${column} IS NOT NULL ORDER BY ${orderBy}`,
+    ).all(...PHONE_CHANNELS) as Array<{ id: string; [key: string]: string }>;
+
+    if (rows.length === 0) return;
+
+    const update = raw.prepare(
+      `UPDATE ${table} SET ${column} = ? WHERE id = ?`,
+    );
+    const deleteRow = raw.prepare(
+      `DELETE FROM ${table} WHERE id = ?`,
+    );
+
+    for (const row of rows) {
+      const original = row[column];
+      if (!original) continue;
+      const normalized = normalizePhoneNumber(original);
+      if (normalized && normalized !== original) {
+        if (uniqueKeyScope) {
+          // Check if another row already has the normalized value within the same unique-key scope
+          const peerConditions = uniqueKeyScope.peerColumns
+            .map((col) => `${col} = ?`)
+            .join(' AND ');
+          const peerValues = uniqueKeyScope.peerColumns.map((col) => row[col]);
+          const whereExtra = uniqueKeyScope.whereClause ? ` AND (${uniqueKeyScope.whereClause})` : '';
+          const existing = raw.query(
+            `SELECT 1 FROM ${table} WHERE ${column} = ? AND ${peerConditions} AND id != ?${whereExtra}`,
+          ).get(normalized, ...peerValues, row.id);
+          if (existing) {
+            // A canonical row already exists — delete this duplicate
+            deleteRow.run(row.id);
+            continue;
+          }
+        }
+        update.run(normalized, row.id);
+      }
+    }
+  }
+
+  // Helper: normalize a column unconditionally (no channel filter).
+  // Used for columns that are always phone numbers (e.g., expected_phone_e164).
+  // When uniqueKeyScope is provided, checks for collisions before updating.
+  // Rows are ordered by updated_at DESC (or rowid DESC as fallback) so the
+  // most-recently-updated row is processed first and survives collisions.
+  function normalizeColumnUnconditionally(
+    table: string,
+    column: string,
+    uniqueKeyScope?: UniqueKeyScope,
+  ): void {
+    const tableExists = raw.query(
+      `SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?`,
+    ).get(table);
+    if (!tableExists) return;
+
+    const colExists = raw.query(
+      `SELECT 1 FROM pragma_table_info(?) WHERE name = ?`,
+    ).get(table, column);
+    if (!colExists) return;
+
+    const hasUpdatedAt = !!raw.query(
+      `SELECT 1 FROM pragma_table_info(?) WHERE name = 'updated_at'`,
+    ).get(table);
+    const orderBy = hasUpdatedAt ? 'updated_at DESC, rowid DESC' : 'rowid DESC';
+
+    const selectColumns = [`id`, column];
+    if (uniqueKeyScope) {
+      for (const peer of uniqueKeyScope.peerColumns) {
+        if (!selectColumns.includes(peer)) selectColumns.push(peer);
+      }
+    }
+
+    const rows = raw.query(
+      `SELECT ${selectColumns.join(', ')} FROM ${table} WHERE ${column} IS NOT NULL ORDER BY ${orderBy}`,
+    ).all() as Array<{ id: string; [key: string]: string }>;
+
+    if (rows.length === 0) return;
+
+    const update = raw.prepare(
+      `UPDATE ${table} SET ${column} = ? WHERE id = ?`,
+    );
+    const deleteRow = raw.prepare(
+      `DELETE FROM ${table} WHERE id = ?`,
+    );
+
+    for (const row of rows) {
+      const original = row[column];
+      if (!original) continue;
+      const normalized = normalizePhoneNumber(original);
+      if (normalized && normalized !== original) {
+        if (uniqueKeyScope) {
+          const peerConditions = uniqueKeyScope.peerColumns
+            .map((col) => `${col} = ?`)
+            .join(' AND ');
+          const peerValues = uniqueKeyScope.peerColumns.map((col) => row[col]);
+          const whereExtra = uniqueKeyScope.whereClause ? ` AND (${uniqueKeyScope.whereClause})` : '';
+          const existing = raw.query(
+            `SELECT 1 FROM ${table} WHERE ${column} = ? AND ${peerConditions} AND id != ?${whereExtra}`,
+          ).get(normalized, ...peerValues, row.id);
+          if (existing) {
+            deleteRow.run(row.id);
+            continue;
+          }
+        }
+        update.run(normalized, row.id);
+      }
+    }
+  }
+
+  try {
+    raw.exec('BEGIN');
+
+    // ── channel_guardian_bindings ──────────────────────────────────
+    // Has `channel` column — only normalize phone-like channels.
+    // Unique index idx_channel_guardian_bindings_active is on (assistant_id, channel)
+    // and does NOT include guardian_external_user_id, so no collision risk.
+    normalizeColumnByChannel(
+      'channel_guardian_bindings',
+      'guardian_external_user_id',
+      'channel',
+    );
+
+    // ── assistant_ingress_members ─────────────────────────────────
+    // Has `source_channel` column — only normalize phone-like channels.
+    // Unique index idx_ingress_members_user is on (assistant_id, source_channel, external_user_id)
+    // WHERE external_user_id IS NOT NULL — collision possible when two format variants normalize
+    // to the same E.164 within the same (assistant_id, source_channel) scope.
+    normalizeColumnByChannel(
+      'assistant_ingress_members',
+      'external_user_id',
+      'source_channel',
+      {
+        peerColumns: ['assistant_id', 'source_channel'],
+        whereClause: 'external_user_id IS NOT NULL',
+      },
+    );
+
+    // ── channel_guardian_verification_challenges ──────────────────
+    // Has `channel` column — normalize identity columns for phone-like channels.
+    // Index idx_channel_guardian_challenges_lookup is non-unique, no collision risk.
+    normalizeColumnByChannel(
+      'channel_guardian_verification_challenges',
+      'expected_external_user_id',
+      'channel',
+    );
+    normalizeColumnByChannel(
+      'channel_guardian_verification_challenges',
+      'consumed_by_external_user_id',
+      'channel',
+    );
+    // expected_phone_e164 is always a phone number regardless of channel.
+    // No unique index includes this column, no collision risk.
+    normalizeColumnUnconditionally(
+      'channel_guardian_verification_challenges',
+      'expected_phone_e164',
+    );
+
+    // ── canonical_guardian_requests ───────────────────────────────
+    // Has `source_channel` column — only normalize phone-like channels.
+    // All indexes on this table are non-unique, no collision risk.
+    normalizeColumnByChannel(
+      'canonical_guardian_requests',
+      'requester_external_user_id',
+      'source_channel',
+    );
+    normalizeColumnByChannel(
+      'canonical_guardian_requests',
+      'guardian_external_user_id',
+      'source_channel',
+    );
+    normalizeColumnByChannel(
+      'canonical_guardian_requests',
+      'decided_by_external_user_id',
+      'source_channel',
+    );
+
+    // ── channel_guardian_rate_limits ──────────────────────────────
+    // Has `channel` column — only normalize phone-like channels.
+    // Unique index idx_channel_guardian_rate_limits_actor is on
+    // (assistant_id, channel, actor_external_user_id, actor_chat_id) —
+    // collision possible when two format variants normalize to the same E.164
+    // within the same (assistant_id, channel, actor_chat_id) scope.
+    normalizeColumnByChannel(
+      'channel_guardian_rate_limits',
+      'actor_external_user_id',
+      'channel',
+      {
+        peerColumns: ['assistant_id', 'channel', 'actor_chat_id'],
+      },
+    );
+
+    // Write checkpoint
+    raw.query(
+      `INSERT OR IGNORE INTO memory_checkpoints (key, value, updated_at) VALUES (?, '1', ?)`,
+    ).run(checkpointKey, Date.now());
+
+    raw.exec('COMMIT');
+  } catch (e) {
+    try { raw.exec('ROLLBACK'); } catch { /* no active transaction */ }
+    throw e;
+  }
+}

package/src/memory/migrations/037-voice-invite-columns.ts

@@ -0,0 +1,16 @@
+import type { DrizzleDb } from '../db-connection.js';
+
+/**
+ * Add voice invite columns to assistant_ingress_invites for guardian-initiated
+ * voice invite codes. All columns are nullable to keep existing invite rows
+ * compatible.
+ *
+ * - expected_external_user_id: E.164 phone number for identity binding
+ * - voice_code_hash: SHA-256 hash of the short numeric code
+ * - voice_code_digits: configurable digit count (nullable — NULL for non-voice invites)
+ */
+export function migrateVoiceInviteColumns(database: DrizzleDb): void {
+  try { database.run(/*sql*/ `ALTER TABLE assistant_ingress_invites ADD COLUMN expected_external_user_id TEXT`); } catch { /* already exists */ }
+  try { database.run(/*sql*/ `ALTER TABLE assistant_ingress_invites ADD COLUMN voice_code_hash TEXT`); } catch { /* already exists */ }
+  try { database.run(/*sql*/ `ALTER TABLE assistant_ingress_invites ADD COLUMN voice_code_digits INTEGER`); } catch { /* already exists */ }
+}

package/src/memory/migrations/118-reminder-routing-intent.ts

@@ -4,9 +4,9 @@ import type { DrizzleDb } from '../db-connection.js';
  * Add routing_intent and routing_hints_json columns to reminders table.
  *
  * routing_intent controls how the reminder is delivered at trigger time:
- *   - single_channel (default): deliver to a single best channel
+ *   - single_channel: deliver to a single best channel
  *   - multi_channel: deliver to a subset of channels
- *   - all_channels: deliver to every available channel
+ *   - all_channels (default): deliver to every available channel
  *
  * routing_hints_json stores an opaque JSON object with hints for the
  * routing engine (e.g. preferred channels, exclusions).
@@ -14,7 +14,7 @@ import type { DrizzleDb } from '../db-connection.js';
 export function migrateReminderRoutingIntent(database: DrizzleDb): void {
   try {
     database.run(
-      /*sql*/ `ALTER TABLE reminders ADD COLUMN routing_intent TEXT NOT NULL DEFAULT 'single_channel'`,
+      /*sql*/ `ALTER TABLE reminders ADD COLUMN routing_intent TEXT NOT NULL DEFAULT 'all_channels'`,
     );
   } catch { /* already exists */ }
 

package/src/memory/migrations/121-canonical-guardian-requests.ts

@@ -0,0 +1,59 @@
+import type { DrizzleDb } from '../db-connection.js';
+
+/**
+ * Create canonical_guardian_requests and canonical_guardian_deliveries tables.
+ *
+ * These tables unify the split voice (guardian_action_requests / guardian_action_deliveries)
+ * and channel (channel_guardian_approval_requests) persistence models into a single
+ * canonical domain. Uses CREATE TABLE IF NOT EXISTS for idempotency.
+ */
+export function createCanonicalGuardianTables(database: DrizzleDb): void {
+  database.run(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS canonical_guardian_requests (
+      id TEXT PRIMARY KEY,
+      kind TEXT NOT NULL,
+      source_type TEXT NOT NULL,
+      source_channel TEXT,
+      conversation_id TEXT,
+      requester_external_user_id TEXT,
+      guardian_external_user_id TEXT,
+      call_session_id TEXT,
+      pending_question_id TEXT,
+      question_text TEXT,
+      request_code TEXT,
+      tool_name TEXT,
+      input_digest TEXT,
+      status TEXT NOT NULL DEFAULT 'pending',
+      answer_text TEXT,
+      decided_by_external_user_id TEXT,
+      followup_state TEXT,
+      expires_at TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_status ON canonical_guardian_requests(status)`);
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_guardian ON canonical_guardian_requests(guardian_external_user_id, status)`);
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_conversation ON canonical_guardian_requests(conversation_id, status)`);
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_source ON canonical_guardian_requests(source_type, status)`);
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_kind ON canonical_guardian_requests(kind, status)`);
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_request_code ON canonical_guardian_requests(request_code)`);
+
+  database.run(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS canonical_guardian_deliveries (
+      id TEXT PRIMARY KEY,
+      request_id TEXT NOT NULL REFERENCES canonical_guardian_requests(id) ON DELETE CASCADE,
+      destination_channel TEXT NOT NULL,
+      destination_conversation_id TEXT,
+      destination_chat_id TEXT,
+      destination_message_id TEXT,
+      status TEXT NOT NULL DEFAULT 'pending',
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_deliveries_request_id ON canonical_guardian_deliveries(request_id)`);
+  database.run(/*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_deliveries_status ON canonical_guardian_deliveries(status)`);
+}

package/src/memory/migrations/122-canonical-guardian-requester-chat-id.ts

@@ -0,0 +1,15 @@
+import type { DrizzleDb } from '../db-connection.js';
+
+/**
+ * Add requester_chat_id column to canonical_guardian_requests.
+ *
+ * On channels like Slack, the external chat ID (channel/DM ID) differs from
+ * the sender's external user ID. Without this column the access_request
+ * resolver would deliver approval/denial messages to the wrong destination.
+ *
+ * Uses ALTER TABLE ADD COLUMN with try/catch for idempotency — no registry
+ * entry needed.
+ */
+export function migrateCanonicalGuardianRequesterChatId(database: DrizzleDb): void {
+  try { database.run(/*sql*/ `ALTER TABLE canonical_guardian_requests ADD COLUMN requester_chat_id TEXT`); } catch { /* already exists */ }
+}

package/src/memory/migrations/123-canonical-guardian-deliveries-destination-index.ts

@@ -0,0 +1,15 @@
+import type { DrizzleDb } from '../db-connection.js';
+
+/**
+ * Add composite index on canonical_guardian_deliveries(destination_channel, destination_chat_id).
+ *
+ * The listPendingCanonicalGuardianRequestsByDestinationChat helper queries
+ * deliveries by (destination_channel, destination_chat_id) to bridge inbound
+ * guardian replies back to canonical requests. Without an index these
+ * degrade to full table scans as delivery history grows.
+ */
+export function migrateCanonicalGuardianDeliveriesDestinationIndex(database: DrizzleDb): void {
+  database.run(
+    /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_deliveries_destination ON canonical_guardian_deliveries(destination_channel, destination_chat_id)`,
+  );
+}

package/src/memory/migrations/index.ts

@@ -37,6 +37,8 @@ export { migrateNotificationDeliveryThreadDecision } from './032-notification-de
 export { createScopedApprovalGrantsTable } from './033-scoped-approval-grants.js';
 export { migrateGuardianActionToolMetadata } from './034-guardian-action-tool-metadata.js';
 export { migrateGuardianActionSupersession } from './035-guardian-action-supersession.js';
+export { migrateNormalizePhoneIdentities } from './036-normalize-phone-identities.js';
+export { migrateVoiceInviteColumns } from './037-voice-invite-columns.js';
 export { createCoreTables } from './100-core-tables.js';
 export { createWatchersAndLogsTables } from './101-watchers-and-logs.js';
 export { addCoreColumns } from './102-alter-table-columns.js';
@@ -58,6 +60,9 @@ export { createConversationAttentionTables } from './117-conversation-attention.
 export { migrateReminderRoutingIntent } from './118-reminder-routing-intent.js';
 export { migrateSchemaIndexesAndColumns } from './119-schema-indexes-and-columns.js';
 export { migrateFkCascadeRebuilds } from './120-fk-cascade-rebuilds.js';
+export { createCanonicalGuardianTables } from './121-canonical-guardian-requests.js';
+export { migrateCanonicalGuardianRequesterChatId } from './122-canonical-guardian-requester-chat-id.js';
+export { migrateCanonicalGuardianDeliveriesDestinationIndex } from './123-canonical-guardian-deliveries-destination-index.js';
 export {
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,

package/src/memory/migrations/registry.ts

@@ -90,6 +90,11 @@ export const MIGRATION_REGISTRY: MigrationRegistryEntry[] = [
     dependsOn: ['migration_embedding_vector_blob_v1'],
     description: 'Rebuild memory_embeddings to make vector_json nullable (pre-100 DBs had NOT NULL)',
   },
+  {
+    key: 'migration_normalize_phone_identities_v1',
+    version: 14,
+    description: 'Normalize phone-like identity fields to E.164 format across guardian bindings, verification challenges, canonical requests, ingress members, and rate limits',
+  },
 ];
 
 export interface MigrationValidationResult {

package/src/memory/qdrant-client.ts

@@ -80,28 +80,37 @@ export class VellumQdrantClient {
 
     log.info({ collection: this.collection, vectorSize: this.vectorSize }, 'Creating Qdrant collection');
 
-    await this.client.createCollection(this.collection, {
-      vectors: {
-        size: this.vectorSize,
-        distance: 'Cosine',
-        on_disk: this.onDisk,
-      },
-      hnsw_config: {
-        on_disk: this.onDisk,
-        m: 16,
-        ef_construct: 100,
-      },
-      quantization_config: this.quantization === 'scalar'
-        ? {
-          scalar: {
-            type: 'int8',
-            quantile: 0.99,
-            always_ram: true,
-          },
-        }
-        : undefined,
-      on_disk_payload: this.onDisk,
-    });
+    try {
+      await this.client.createCollection(this.collection, {
+        vectors: {
+          size: this.vectorSize,
+          distance: 'Cosine',
+          on_disk: this.onDisk,
+        },
+        hnsw_config: {
+          on_disk: this.onDisk,
+          m: 16,
+          ef_construct: 100,
+        },
+        quantization_config: this.quantization === 'scalar'
+          ? {
+            scalar: {
+              type: 'int8',
+              quantile: 0.99,
+              always_ram: true,
+            },
+          }
+          : undefined,
+        on_disk_payload: this.onDisk,
+      });
+    } catch (err) {
+      // 409 = collection was created by a concurrent caller — that's fine
+      if (err instanceof Error && 'status' in err && (err as { status: number }).status === 409) {
+        this.collectionReady = true;
+        return;
+      }
+      throw err;
+    }
 
     // Create payload indexes for efficient filtering
     await Promise.all([

package/src/memory/schema-migration.ts

@@ -19,6 +19,7 @@ export {
   migrateMemoryItemsScopeSaltedFingerprints,
   migrateMemorySegmentsIndexes,
   migrateMessagesFtsBackfill,
+  migrateNormalizePhoneIdentities,
   migrateNotificationDeliveryPairingColumns,
   migrateNotificationDeliveryThreadDecision,
   migrateNotificationTablesSchema,