@vellumai/assistant 0.3.27 → 0.4.0

package/src/memory/schema.ts

@@ -874,6 +874,58 @@ export const guardianActionDeliveries = sqliteTable('guardian_action_deliveries'
   index('idx_guardian_action_deliveries_dest_conversation').on(table.destinationConversationId),
 ]);
 
+// ── Canonical Guardian Requests (unified cross-source guardian domain) ─
+
+export const canonicalGuardianRequests = sqliteTable('canonical_guardian_requests', {
+  id: text('id').primaryKey(),
+  kind: text('kind').notNull(),
+  sourceType: text('source_type').notNull(),
+  sourceChannel: text('source_channel'),
+  conversationId: text('conversation_id'),
+  requesterExternalUserId: text('requester_external_user_id'),
+  requesterChatId: text('requester_chat_id'),
+  guardianExternalUserId: text('guardian_external_user_id'),
+  callSessionId: text('call_session_id'),
+  pendingQuestionId: text('pending_question_id'),
+  questionText: text('question_text'),
+  requestCode: text('request_code'),
+  toolName: text('tool_name'),
+  inputDigest: text('input_digest'),
+  status: text('status').notNull().default('pending'),
+  answerText: text('answer_text'),
+  decidedByExternalUserId: text('decided_by_external_user_id'),
+  followupState: text('followup_state'),
+  expiresAt: text('expires_at'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+}, (table) => [
+  index('idx_canonical_guardian_requests_status').on(table.status),
+  index('idx_canonical_guardian_requests_guardian').on(table.guardianExternalUserId, table.status),
+  index('idx_canonical_guardian_requests_conversation').on(table.conversationId, table.status),
+  index('idx_canonical_guardian_requests_source').on(table.sourceType, table.status),
+  index('idx_canonical_guardian_requests_kind').on(table.kind, table.status),
+  index('idx_canonical_guardian_requests_request_code').on(table.requestCode),
+]);
+
+// ── Canonical Guardian Deliveries (per-channel delivery tracking) ─────
+
+export const canonicalGuardianDeliveries = sqliteTable('canonical_guardian_deliveries', {
+  id: text('id').primaryKey(),
+  requestId: text('request_id')
+    .notNull()
+    .references(() => canonicalGuardianRequests.id, { onDelete: 'cascade' }),
+  destinationChannel: text('destination_channel').notNull(),
+  destinationConversationId: text('destination_conversation_id'),
+  destinationChatId: text('destination_chat_id'),
+  destinationMessageId: text('destination_message_id'),
+  status: text('status').notNull().default('pending'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+}, (table) => [
+  index('idx_canonical_guardian_deliveries_request_id').on(table.requestId),
+  index('idx_canonical_guardian_deliveries_status').on(table.status),
+]);
+
 // ── Assistant Inbox ──────────────────────────────────────────────────
 
 export const assistantIngressInvites = sqliteTable('assistant_ingress_invites', {
@@ -890,6 +942,10 @@ export const assistantIngressInvites = sqliteTable('assistant_ingress_invites',
   redeemedByExternalUserId: text('redeemed_by_external_user_id'),
   redeemedByExternalChatId: text('redeemed_by_external_chat_id'),
   redeemedAt: integer('redeemed_at'),
+  // Voice invite fields (nullable — non-voice invites leave these NULL)
+  expectedExternalUserId: text('expected_external_user_id'),
+  voiceCodeHash: text('voice_code_hash'),
+  voiceCodeDigits: integer('voice_code_digits'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
 });

package/src/notifications/copy-composer.ts

@@ -37,10 +37,37 @@ const TEMPLATES: Record<string, CopyTemplate> = {
     body: `${str(payload.name, 'A schedule')} has finished running`,
   }),
 
-  'guardian.question': (payload) => ({
-    title: 'Guardian Question',
-    body: str(payload.questionText, 'A guardian question needs your attention'),
-  }),
+  'guardian.question': (payload) => {
+    const question = str(payload.questionText, 'A guardian question needs your attention');
+    const requestCode = nonEmpty(typeof payload.requestCode === 'string' ? payload.requestCode : undefined);
+    if (!requestCode) {
+      return {
+        title: 'Guardian Question',
+        body: question,
+      };
+    }
+
+    const normalizedCode = requestCode.toUpperCase();
+    return {
+      title: 'Guardian Question',
+      body: `${question}\n\nReference code: ${normalizedCode}. Reply "${normalizedCode} approve" or "${normalizedCode} reject".`,
+    };
+  },
+
+  'ingress.access_request': (payload) => {
+    const requester = str(payload.senderIdentifier, 'Someone');
+    const requestCode = nonEmpty(typeof payload.requestCode === 'string' ? payload.requestCode : undefined);
+    const lines: string[] = [`${requester} is requesting access to the assistant.`];
+    if (requestCode) {
+      const code = requestCode.toUpperCase();
+      lines.push(`Reply "${code} approve" to grant access or "${code} reject" to deny.`);
+    }
+    lines.push('Reply "open invite flow" to start Trusted Contacts invite flow.');
+    return {
+      title: 'Access Request',
+      body: lines.join('\n'),
+    };
+  },
 
   'ingress.escalation': (payload) => ({
     title: 'Escalation',

package/src/notifications/decision-engine.ts

@@ -406,6 +406,61 @@ export function validateThreadActions(
   return result;
 }
 
+function ensureGuardianRequestCodeInCopy(
+  copy: RenderedChannelCopy,
+  requestCode: string,
+): RenderedChannelCopy {
+  const instruction = `Reference code: ${requestCode}. Reply "${requestCode} approve" or "${requestCode} reject".`;
+  const hasParserCompatibleInstructions = (text: string | undefined): boolean => {
+    if (typeof text !== 'string') return false;
+    const upper = text.toUpperCase();
+    return upper.includes(`${requestCode} APPROVE`) && upper.includes(`${requestCode} REJECT`);
+  };
+
+  const ensureText = (text: string | undefined): string => {
+    const base = typeof text === 'string' ? text.trim() : '';
+    if (hasParserCompatibleInstructions(base)) return base;
+    return base.length > 0 ? `${base}\n\n${instruction}` : instruction;
+  };
+
+  return {
+    ...copy,
+    body: ensureText(copy.body),
+    deliveryText: copy.deliveryText ? ensureText(copy.deliveryText) : copy.deliveryText,
+    threadSeedMessage: copy.threadSeedMessage ? ensureText(copy.threadSeedMessage) : copy.threadSeedMessage,
+  };
+}
+
+/**
+ * Guardian questions that share a conversation require explicit request-code
+ * targeting. Enforce request-code instructions in rendered copy so guardians
+ * can always disambiguate replies even when model copy omits them.
+ */
+function enforceGuardianRequestCode(
+  decision: NotificationDecision,
+  signal: NotificationSignal,
+): NotificationDecision {
+  if (signal.sourceEventName !== 'guardian.question') return decision;
+  const rawCode = signal.contextPayload.requestCode;
+  if (typeof rawCode !== 'string' || rawCode.trim().length === 0) return decision;
+
+  const requestCode = rawCode.trim().toUpperCase();
+  const nextCopy: Partial<Record<NotificationChannel, RenderedChannelCopy>> = {
+    ...decision.renderedCopy,
+  };
+
+  for (const channel of Object.keys(nextCopy) as NotificationChannel[]) {
+    const copy = nextCopy[channel];
+    if (!copy) continue;
+    nextCopy[channel] = ensureGuardianRequestCodeInCopy(copy, requestCode);
+  }
+
+  return {
+    ...decision,
+    renderedCopy: nextCopy,
+  };
+}
+
 // ── Core evaluation function ───────────────────────────────────────────
 
 export async function evaluateSignal(
@@ -444,6 +499,7 @@ export async function evaluateSignal(
   if (!provider) {
     log.warn('Configured provider unavailable for notification decision, using fallback');
     let decision = buildFallbackDecision(signal, availableChannels);
+    decision = enforceGuardianRequestCode(decision, signal);
     decision = enforceConversationAffinity(decision, signal.conversationAffinityHint);
     decision.persistedDecisionId = persistDecision(signal, decision);
     return decision;
@@ -458,6 +514,7 @@ export async function evaluateSignal(
     decision = buildFallbackDecision(signal, availableChannels);
   }
 
+  decision = enforceGuardianRequestCode(decision, signal);
   decision = enforceConversationAffinity(decision, signal.conversationAffinityHint);
   decision.persistedDecisionId = persistDecision(signal, decision);
 

package/src/permissions/defaults.ts

@@ -132,6 +132,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
     scope: workspaceDir,
     decision: 'allow',
     priority: 100,
+    allowHighRisk: true,
   };
 
   const updatesDeleteRule: DefaultRuleTemplate = {
@@ -141,6 +142,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
     scope: workspaceDir,
     decision: 'allow',
     priority: 100,
+    allowHighRisk: true,
   };
 
   // Skill source directories — writing or editing skill source files should

package/src/runtime/access-request-helper.ts

@@ -0,0 +1,173 @@
+/**
+ * Shared access-request creation and notification helper.
+ *
+ * Encapsulates the "create/dedupe canonical access request + emit notification"
+ * logic so both text-channel and voice-channel ingress paths use identical
+ * guardian notification flows.
+ *
+ * Access requests are a special case: they always create a canonical request
+ * and emit a notification signal, even when no same-channel guardian binding
+ * exists. Guardian binding resolution uses a fallback strategy:
+ *   1. Source-channel active binding first.
+ *   2. Any active binding for the assistant (deterministic, most-recently-verified).
+ *   3. No guardian identity (trusted/vellum-only resolution path).
+ */
+
+import type { ChannelId } from '../channels/types.js';
+import {
+  createCanonicalGuardianRequest,
+  listCanonicalGuardianRequests,
+} from '../memory/canonical-guardian-store.js';
+import { listActiveBindingsByAssistant } from '../memory/channel-guardian-store.js';
+import { emitNotificationSignal } from '../notifications/emit-signal.js';
+import { getLogger } from '../util/logger.js';
+import { getGuardianBinding } from './channel-guardian-service.js';
+import { GUARDIAN_APPROVAL_TTL_MS } from './routes/channel-route-shared.js';
+
+const log = getLogger('access-request-helper');
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface AccessRequestParams {
+  canonicalAssistantId: string;
+  sourceChannel: ChannelId;
+  externalChatId: string;
+  senderExternalUserId?: string;
+  senderName?: string;
+  senderUsername?: string;
+}
+
+export type AccessRequestResult =
+  | { notified: true; created: boolean; requestId: string }
+  | { notified: false; reason: 'no_sender_id' };
+
+// ---------------------------------------------------------------------------
+// Helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Create/dedupe a canonical access request and emit a notification signal
+ * so the guardian can approve or deny the unknown sender.
+ *
+ * Returns a result indicating whether the guardian was notified and whether
+ * a new request was created or an existing one was deduped.
+ *
+ * Guardian binding resolution: source-channel first, then any active binding
+ * for the assistant, then null (notification pipeline handles delivery via
+ * trusted/vellum channels when no binding exists).
+ *
+ * This is intentionally synchronous with respect to the canonical store writes
+ * and fire-and-forget for the notification signal emission.
+ */
+export function notifyGuardianOfAccessRequest(
+  params: AccessRequestParams,
+): AccessRequestResult {
+  const {
+    canonicalAssistantId,
+    sourceChannel,
+    externalChatId,
+    senderExternalUserId,
+    senderName,
+    senderUsername,
+  } = params;
+
+  if (!senderExternalUserId) {
+    return { notified: false, reason: 'no_sender_id' };
+  }
+
+  // Resolve guardian binding with fallback strategy:
+  // 1. Source-channel active binding
+  // 2. Any active binding for the assistant (deterministic order)
+  // 3. null (no guardian identity — notification pipeline uses trusted channels)
+  const sourceBinding = getGuardianBinding(canonicalAssistantId, sourceChannel);
+  let guardianExternalUserId: string | null = null;
+  let guardianBindingChannel: string | null = null;
+
+  if (sourceBinding) {
+    guardianExternalUserId = sourceBinding.guardianExternalUserId;
+    guardianBindingChannel = sourceBinding.channel;
+  } else {
+    const allBindings = listActiveBindingsByAssistant(canonicalAssistantId);
+    if (allBindings.length > 0) {
+      guardianExternalUserId = allBindings[0].guardianExternalUserId;
+      guardianBindingChannel = allBindings[0].channel;
+      log.debug(
+        { sourceChannel, fallbackChannel: guardianBindingChannel, canonicalAssistantId },
+        'Using cross-channel guardian binding fallback for access request',
+      );
+    } else {
+      log.debug(
+        { sourceChannel, canonicalAssistantId },
+        'No guardian binding for access request — proceeding without guardian identity',
+      );
+    }
+  }
+
+  // Deduplicate: skip creation if there is already a pending canonical request
+  // for the same requester on this channel. Still return notified: true with
+  // the existing request ID so callers know the guardian was already notified.
+  const existingCanonical = listCanonicalGuardianRequests({
+    status: 'pending',
+    requesterExternalUserId: senderExternalUserId,
+    sourceChannel,
+    kind: 'access_request',
+  });
+  if (existingCanonical.length > 0) {
+    log.debug(
+      { sourceChannel, senderExternalUserId, existingId: existingCanonical[0].id },
+      'Skipping duplicate access request notification',
+    );
+    return { notified: true, created: false, requestId: existingCanonical[0].id };
+  }
+
+  const senderIdentifier = senderName || senderUsername || senderExternalUserId;
+  const requestId = `access-req-${canonicalAssistantId}-${sourceChannel}-${senderExternalUserId}-${Date.now()}`;
+
+  const canonicalRequest = createCanonicalGuardianRequest({
+    id: requestId,
+    kind: 'access_request',
+    sourceType: 'channel',
+    sourceChannel,
+    conversationId: `access-req-${sourceChannel}-${senderExternalUserId}`,
+    requesterExternalUserId: senderExternalUserId,
+    requesterChatId: externalChatId,
+    guardianExternalUserId: guardianExternalUserId ?? undefined,
+    toolName: 'ingress_access_request',
+    questionText: `${senderIdentifier} is requesting access to the assistant`,
+    expiresAt: new Date(Date.now() + GUARDIAN_APPROVAL_TTL_MS).toISOString(),
+  });
+
+  void emitNotificationSignal({
+    sourceEventName: 'ingress.access_request',
+    sourceChannel,
+    sourceSessionId: `access-req-${sourceChannel}-${senderExternalUserId}`,
+    assistantId: canonicalAssistantId,
+    attentionHints: {
+      requiresAction: true,
+      urgency: 'high',
+      isAsyncBackground: false,
+      visibleInSourceNow: false,
+    },
+    contextPayload: {
+      requestId,
+      requestCode: canonicalRequest.requestCode,
+      sourceChannel,
+      externalChatId,
+      senderExternalUserId,
+      senderName: senderName ?? null,
+      senderUsername: senderUsername ?? null,
+      senderIdentifier,
+      guardianBindingChannel,
+    },
+    dedupeKey: `access-request:${canonicalRequest.id}`,
+  });
+
+  log.info(
+    { sourceChannel, senderExternalUserId, senderIdentifier, guardianBindingChannel },
+    'Guardian notified of access request',
+  );
+
+  return { notified: true, created: true, requestId: canonicalRequest.id };
+}

package/src/runtime/actor-trust-resolver.ts

@@ -0,0 +1,221 @@
+/**
+ * Unified inbound actor trust resolver.
+ *
+ * Produces a single trust-resolved actor context from raw inbound identity
+ * fields. Normalizes sender identity via channel-agnostic canonicalization,
+ * then resolves trust classification by checking guardian bindings and
+ * ingress member records.
+ *
+ * Trust classifications:
+ * - `guardian`: sender matches the active guardian binding for this channel.
+ * - `trusted_contact`: sender is an active ingress member (not the guardian).
+ * - `unknown`: sender has no member record or no identity could be established.
+ */
+
+import type { ChannelId } from '../channels/types.js';
+import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
+import type { IngressMember } from '../memory/ingress-member-store.js';
+import { findMember } from '../memory/ingress-member-store.js';
+import { canonicalizeInboundIdentity } from '../util/canonicalize-identity.js';
+import { normalizeAssistantId } from '../util/platform.js';
+import { getGuardianBinding } from './channel-guardian-service.js';
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export type TrustClass = 'guardian' | 'trusted_contact' | 'unknown';
+export type DenialReason = 'no_binding' | 'no_identity';
+
+export interface ActorTrustContext {
+  /** Canonical (normalized) sender identity. Null when identity could not be established. */
+  canonicalSenderId: string | null;
+  /** Guardian binding match, if any, for this (assistantId, channel). */
+  guardianBindingMatch: {
+    guardianExternalUserId: string;
+    guardianDeliveryChatId: string | null;
+  } | null;
+  /** Ingress member record, if any, for this sender. */
+  memberRecord: IngressMember | null;
+  /** Trust classification. */
+  trustClass: TrustClass;
+  /** Assistant-facing metadata for downstream consumption. */
+  actorMetadata: {
+    identifier: string | undefined;
+    displayName: string | undefined;
+    senderDisplayName: string | undefined;
+    memberDisplayName: string | undefined;
+    username: string | undefined;
+    channel: ChannelId;
+    trustStatus: TrustClass;
+  };
+  /** Legacy denial reason for backward-compatible unverified_channel paths. */
+  denialReason?: DenialReason;
+}
+
+export interface ResolveActorTrustInput {
+  assistantId: string;
+  sourceChannel: ChannelId;
+  externalChatId: string;
+  senderExternalUserId?: string;
+  senderUsername?: string;
+  senderDisplayName?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Resolver
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve the inbound actor's trust context from raw identity fields.
+ *
+ * 1. Canonicalize the sender identity (E.164 for phone channels, trimmed ID otherwise).
+ * 2. Look up the guardian binding for (assistantId, channel).
+ * 3. Compare canonical sender identity to the guardian binding.
+ * 4. Look up the ingress member record using the canonical identity.
+ * 5. Classify: guardian > trusted_contact (active member) > unknown.
+ */
+export function resolveActorTrust(input: ResolveActorTrustInput): ActorTrustContext {
+  const assistantId = normalizeAssistantId(input.assistantId);
+
+  const rawUserId = typeof input.senderExternalUserId === 'string' && input.senderExternalUserId.trim().length > 0
+    ? input.senderExternalUserId.trim()
+    : undefined;
+
+  const senderUsername = typeof input.senderUsername === 'string' && input.senderUsername.trim().length > 0
+    ? input.senderUsername.trim()
+    : undefined;
+
+  const senderDisplayName = typeof input.senderDisplayName === 'string' && input.senderDisplayName.trim().length > 0
+    ? input.senderDisplayName.trim()
+    : undefined;
+
+  // Canonical identity: normalize phone-like channels to E.164.
+  const canonicalSenderId = rawUserId
+    ? canonicalizeInboundIdentity(input.sourceChannel, rawUserId)
+    : null;
+
+  const identifier = senderUsername ? `@${senderUsername}` : canonicalSenderId ?? undefined;
+
+  // No identity at all => unknown
+  if (!canonicalSenderId) {
+    return {
+      canonicalSenderId: null,
+      guardianBindingMatch: null,
+      memberRecord: null,
+      trustClass: 'unknown',
+      actorMetadata: {
+        identifier,
+        displayName: senderDisplayName,
+        senderDisplayName,
+        memberDisplayName: undefined,
+        username: senderUsername,
+        channel: input.sourceChannel,
+        trustStatus: 'unknown',
+      },
+      denialReason: 'no_identity',
+    };
+  }
+
+  // Guardian binding lookup
+  const binding = getGuardianBinding(assistantId, input.sourceChannel);
+  const guardianBindingMatch = binding
+    ? { guardianExternalUserId: binding.guardianExternalUserId, guardianDeliveryChatId: binding.guardianDeliveryChatId }
+    : null;
+
+  // Check if sender IS the guardian. Compare canonical sender against the
+  // binding's guardian identity (also canonicalize for phone channels to
+  // handle formatting variance in the stored binding).
+  let isGuardian = false;
+  if (binding) {
+    const canonicalGuardianId = canonicalizeInboundIdentity(input.sourceChannel, binding.guardianExternalUserId);
+    isGuardian = canonicalGuardianId === canonicalSenderId;
+  }
+
+  // Ingress member lookup using canonical identity.
+  const memberRecord = findMember({
+    assistantId,
+    sourceChannel: input.sourceChannel,
+    externalUserId: canonicalSenderId,
+    externalChatId: input.externalChatId,
+  });
+
+  // In group chats, findMember may match on externalChatId and return a
+  // record for a different user. Only use member metadata when the record's
+  // externalUserId matches the current sender to avoid misidentification.
+  // Canonicalize the stored member ID to handle formatting variance (e.g.
+  // phone numbers stored without E.164 normalization).
+  const memberMatchesSender = memberRecord?.externalUserId
+    ? canonicalizeInboundIdentity(input.sourceChannel, memberRecord.externalUserId) === canonicalSenderId
+    : false;
+
+  const memberUsername = memberMatchesSender && typeof memberRecord?.username === 'string' && memberRecord.username.trim().length > 0
+    ? memberRecord.username.trim()
+    : undefined;
+  const memberDisplayName = memberMatchesSender && typeof memberRecord?.displayName === 'string' && memberRecord.displayName.trim().length > 0
+    ? memberRecord.displayName.trim()
+    : undefined;
+  // Prefer member profile metadata over transient sender metadata so guardian-
+  // curated contact details are canonical for assistant-facing identity —
+  // but only when the member record actually belongs to the current sender.
+  const resolvedUsername = memberUsername ?? senderUsername;
+  const resolvedDisplayName = memberDisplayName ?? senderDisplayName;
+  const resolvedIdentifier = resolvedUsername ? `@${resolvedUsername}` : canonicalSenderId ?? undefined;
+
+  // Trust classification
+  let trustClass: TrustClass;
+  if (isGuardian) {
+    trustClass = 'guardian';
+  } else if (memberMatchesSender && memberRecord && memberRecord.status === 'active') {
+    trustClass = 'trusted_contact';
+  } else {
+    trustClass = 'unknown';
+  }
+
+  // Denial reason for legacy compatibility
+  let denialReason: DenialReason | undefined;
+  if (!isGuardian && !binding) {
+    denialReason = 'no_binding';
+  }
+
+  return {
+    canonicalSenderId,
+    guardianBindingMatch,
+    memberRecord,
+    trustClass,
+    actorMetadata: {
+      identifier: resolvedIdentifier,
+      displayName: resolvedDisplayName,
+      senderDisplayName,
+      memberDisplayName,
+      username: resolvedUsername,
+      channel: input.sourceChannel,
+      trustStatus: trustClass,
+    },
+    denialReason,
+  };
+}
+
+/**
+ * Convert an ActorTrustContext into the runtime trust context shape used by
+ * sessions/tooling.
+ */
+export function toGuardianRuntimeContextFromTrust(
+  ctx: ActorTrustContext,
+  externalChatId: string,
+): GuardianRuntimeContext {
+  return {
+    sourceChannel: ctx.actorMetadata.channel,
+    trustClass: ctx.trustClass,
+    guardianChatId: ctx.guardianBindingMatch?.guardianDeliveryChatId ??
+      (ctx.trustClass === 'guardian' ? externalChatId : undefined),
+    guardianExternalUserId: ctx.guardianBindingMatch?.guardianExternalUserId,
+    requesterIdentifier: ctx.actorMetadata.identifier,
+    requesterDisplayName: ctx.actorMetadata.displayName,
+    requesterSenderDisplayName: ctx.actorMetadata.senderDisplayName,
+    requesterMemberDisplayName: ctx.actorMetadata.memberDisplayName,
+    requesterExternalUserId: ctx.canonicalSenderId ?? undefined,
+    requesterChatId: externalChatId,
+    denialReason: ctx.denialReason,
+  };
+}

package/src/runtime/channel-guardian-service.ts

@@ -231,11 +231,19 @@ export function validateAndConsumeChallenge(
       }
     }
 
-    // For Telegram: verify actorChatId matches expectedChatId
-    // AND/OR actorExternalUserId matches expectedExternalUserId
+    // For chat-based channels (Telegram, Slack, etc.): when both
+    // expectedExternalUserId and expectedChatId are set, require the
+    // externalUserId match — chatId alone is insufficient because chat IDs
+    // can be shared (e.g. Slack channel IDs, Telegram group chat IDs) and
+    // would let any participant in the same chat satisfy identity binding.
+    // Fall back to chatId-only match only when expectedExternalUserId is
+    // not available (legacy sessions or channels without user-level identity).
     if (challenge.expectedChatId != null) {
-      if (actorChatId === challenge.expectedChatId ||
-          actorExternalUserId === challenge.expectedExternalUserId) {
+      if (challenge.expectedExternalUserId != null) {
+        if (actorExternalUserId === challenge.expectedExternalUserId) {
+          identityMatch = true;
+        }
+      } else if (actorChatId === challenge.expectedChatId) {
         identityMatch = true;
       }
     }

package/src/runtime/channel-invite-transports/voice.ts

@@ -0,0 +1,58 @@
+/**
+ * Voice channel invite transport adapter.
+ *
+ * Voice invites are identity-bound: the invitee must call from a specific
+ * phone number and enter a numeric code. Unlike Telegram invites, there is
+ * no shareable deep link — the guardian relays the code and calling
+ * instructions verbally or via another channel.
+ *
+ * The transport builds human-readable instruction text and provides a
+ * no-op token extractor since voice invite redemption uses the dedicated
+ * voice-code path rather than generic token extraction.
+ */
+
+import type { ChannelId } from '../../channels/types.js';
+import {
+  type ChannelInviteTransport,
+  type InviteSharePayload,
+  registerTransport,
+} from '../channel-invite-transport.js';
+
+// ---------------------------------------------------------------------------
+// Transport implementation
+// ---------------------------------------------------------------------------
+
+export const voiceInviteTransport: ChannelInviteTransport = {
+  channel: 'voice' as ChannelId,
+
+  buildShareableInvite(_params: {
+    rawToken: string;
+    sourceChannel: ChannelId;
+  }): InviteSharePayload {
+    // Voice invites do not produce a clickable URL. The "url" field contains
+    // a placeholder — callers should use displayText for presentation.
+    return {
+      url: '',
+      displayText: [
+        'Voice invite created.',
+        'The invitee must call the assistant\'s phone number from the authorized number and enter their invite code when prompted.',
+      ].join(' '),
+    };
+  },
+
+  extractInboundToken(_params: {
+    commandIntent?: Record<string, unknown>;
+    content: string;
+    sourceMetadata?: Record<string, unknown>;
+  }): string | undefined {
+    // Voice invite redemption bypasses generic token extraction — it uses
+    // the identity-bound voice-code flow in invite-redemption-service.ts.
+    return undefined;
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Auto-register on import
+// ---------------------------------------------------------------------------
+
+registerTransport(voiceInviteTransport);