@vellumai/assistant 0.3.27 → 0.4.0

package/src/tools/types.ts

@@ -1,6 +1,7 @@
 import type { SecretPromptResult } from '../permissions/secret-prompter.js';
 import type { AllowlistOption, RiskLevel, ScopeOption } from '../permissions/types.js';
 import type { ContentBlock,ToolDefinition } from '../providers/types.js';
+import type { SensitiveOutputBinding } from './sensitive-output-placeholders.js';
 
 export type ExecutionTarget = 'sandbox' | 'host';
 
@@ -136,14 +137,16 @@ export interface ToolContext {
   proxyApprovalCallback?: import('./network/script-proxy/types.js').ProxyApprovalCallback;
   /** Optional principal identifier propagated to sub-tool confirmation flows. */
   principal?: string;
-  /** Guardian actor role for the session — used by the guardian control-plane policy gate. */
-  guardianActorRole?: 'guardian' | 'non-guardian' | 'unverified_channel';
+  /** Inbound trust classification for the session — used by trust/policy gates. */
+  guardianTrustClass?: 'guardian' | 'trusted_contact' | 'unknown';
   /** Channel through which the tool invocation originates (e.g. 'telegram', 'voice'). Used for scoped grant consumption. */
   executionChannel?: string;
   /** Voice/call session ID, if the invocation originates from a call. Used for scoped grant consumption. */
   callSessionId?: string;
   /** External user ID of the requester (non-guardian actor). Used for scoped grant consumption. */
   requesterExternalUserId?: string;
+  /** Chat ID of the requester (non-guardian actor). Used for tool grant request escalation notifications. */
+  requesterChatId?: string;
 }
 
 export interface DiffInfo {
@@ -161,6 +164,14 @@ export interface ToolExecutionResult {
   status?: string;
   /** Optional rich content blocks (e.g. images) to include alongside text in the tool result. */
   contentBlocks?: ContentBlock[];
+  /**
+   * Runtime-internal sensitive output bindings (placeholder -> real value).
+   * Populated by the executor when tool output contains
+   * `<vellum-sensitive-output>` directives. The agent loop merges these
+   * into a per-run substitution map for deterministic post-generation
+   * replacement. MUST NOT be emitted in client-facing events or logs.
+   */
+  sensitiveBindings?: SensitiveOutputBinding[];
 }
 
 export interface Tool {

package/src/util/bundled-asset.ts

@@ -0,0 +1,31 @@
+import { existsSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+
+/**
+ * Resolve the path to a bundled asset directory, handling compiled Bun binaries
+ * where `import.meta.dirname` points to the `/$bunfs/` virtual filesystem and
+ * non-JS files (.md, .html, .json, etc.) are not embedded.
+ *
+ * Falls back to:
+ *   1. `Contents/Resources/<bundleName>` (macOS .app bundle)
+ *   2. `<execDir>/<bundleName>` (next to the binary, non-app-bundle deployments)
+ *   3. Original resolved path (source mode, or last resort)
+ *
+ * This matches the pattern established by bundled-skills and WASM resolution.
+ *
+ * @param callerDir  `import.meta.dirname ?? __dirname` from the call site
+ * @param relativePath  Relative path from the source file (used in source/dev mode)
+ * @param bundleName  Name of the asset directory in the app bundle
+ */
+export function resolveBundledDir(callerDir: string, relativePath: string, bundleName: string): string {
+  if (callerDir.startsWith('/$bunfs/')) {
+    const execDir = dirname(process.execPath);
+    // macOS .app bundle: binary in Contents/MacOS/, resources in Contents/Resources/
+    const resourcesPath = join(execDir, '..', 'Resources', bundleName);
+    if (existsSync(resourcesPath)) return resourcesPath;
+    // Next to the binary itself (non-app-bundle deployments)
+    const execDirPath = join(execDir, bundleName);
+    if (existsSync(execDirPath)) return execDirPath;
+  }
+  return join(callerDir, relativePath);
+}

package/src/util/canonicalize-identity.ts

@@ -0,0 +1,52 @@
+/**
+ * Channel-agnostic inbound identity canonicalization.
+ *
+ * Normalizes raw sender identifiers into a stable canonical form so that
+ * trust lookups, member matching, and guardian binding comparisons are
+ * immune to formatting variance across channels.
+ *
+ * Phone-like channels (sms, voice, whatsapp) normalize to E.164 using the
+ * existing phone utilities. Non-phone channels (telegram, slack, etc.)
+ * pass through the platform-stable ID as-is after whitespace trimming.
+ */
+
+import type { ChannelId } from '../channels/types.js';
+import { normalizePhoneNumber } from './phone.js';
+
+/** Channels whose raw sender IDs are phone numbers. */
+const PHONE_CHANNELS: ReadonlySet<ChannelId> = new Set(['sms', 'voice', 'whatsapp']);
+
+/**
+ * Canonicalize a raw inbound sender identity for the given channel.
+ *
+ * - For phone-like channels: attempts E.164 normalization. Returns the
+ *   normalized E.164 string on success, or the trimmed raw ID if
+ *   normalization fails (defensive: don't discard an identity just because
+ *   it doesn't parse as a phone number).
+ * - For non-phone channels: returns the trimmed raw ID unchanged (these
+ *   platforms provide stable, unique identifiers that don't need normalization).
+ *
+ * Returns `null` only when `rawId` is empty/whitespace-only.
+ */
+export function canonicalizeInboundIdentity(channel: ChannelId, rawId: string): string | null {
+  const trimmed = rawId.trim();
+  if (trimmed.length === 0) return null;
+
+  if (PHONE_CHANNELS.has(channel)) {
+    const e164 = normalizePhoneNumber(trimmed);
+    // Defensive: if normalization fails, preserve the raw ID so downstream
+    // lookups don't silently lose the identity.
+    return e164 ?? trimmed;
+  }
+
+  return trimmed;
+}
+
+/**
+ * Check whether a channel uses phone-number-based identity.
+ * Useful for call sites that need to know whether E.164 normalization
+ * applies without re-importing the channel set.
+ */
+export function isPhoneChannel(channel: ChannelId): boolean {
+  return PHONE_CHANNELS.has(channel);
+}

package/src/util/logger.ts

@@ -3,12 +3,22 @@ import { join } from 'node:path';
 import { Writable } from 'node:stream';
 
 import pino from 'pino';
+import type { PrettyOptions } from 'pino-pretty';
 import pinoPretty from 'pino-pretty';
 
 import { getDebugMode, getDebugStdoutLogs,getLogStderr } from '../config/env-registry.js';
 import { logSerializers } from './log-redact.js';
 import { getLogPath } from './platform.js';
 
+/** Common pino-pretty options that inline [module] into the message prefix. */
+function prettyOpts(extra?: PrettyOptions): PrettyOptions {
+  return {
+    messageFormat: '[{module}] {msg}',
+    ignore: 'module',
+    ...extra,
+  };
+}
+
 export type LogFileConfig = {
   dir: string | undefined;
   retentionDays: number;
@@ -59,7 +69,7 @@ let activeLogFileConfig: LogFileConfig | null = null;
 
 function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   if (!config.dir) {
-    return pino({ name: 'assistant', serializers: logSerializers }, pinoPretty({ destination: 1 }));
+    return pino({ name: 'assistant', serializers: logSerializers }, pinoPretty(prettyOpts({ destination: 1 })));
   }
 
   if (!existsSync(config.dir)) {
@@ -68,9 +78,10 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
 
   const today = formatDate(new Date());
   const filePath = logFilePathForDate(config.dir, new Date());
-  const fileStream = pino.destination({ dest: filePath, sync: false, mkdir: true, mode: 0o600 });
+  const fileDest = pino.destination({ dest: filePath, sync: false, mkdir: true, mode: 0o600 });
   // Tighten permissions on pre-existing log files that may have been created with looser modes
   try { chmodSync(filePath, 0o600); } catch { /* best-effort */ }
+  const fileStream = pinoPretty(prettyOpts({ destination: fileDest, colorize: false }));
 
   activeLogDate = today;
   activeLogFileConfig = config;
@@ -78,7 +89,7 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   const level = getDebugMode() ? 'debug' : 'info';
 
   if (getDebugMode()) {
-    const prettyStream = pinoPretty({ destination: 2 });
+    const prettyStream = pinoPretty(prettyOpts({ destination: 2 }));
     return pino(
       { name: 'assistant', level, serializers: logSerializers },
       pino.multistream([
@@ -92,7 +103,7 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
     { name: 'assistant', level, serializers: logSerializers },
     pino.multistream([
       { stream: fileStream, level: 'info' as const },
-      { stream: pinoPretty({ destination: 1 }), level: 'info' as const },
+      { stream: pinoPretty(prettyOpts({ destination: 1 })), level: 'info' as const },
     ]),
   );
 }
@@ -135,12 +146,13 @@ function getRootLogger(): pino.Logger {
 
     try {
       const logPath = getLogPath();
-      const fileStream = pino.destination({ dest: logPath, sync: false, mkdir: true, mode: 0o600 });
+      const fileDest = pino.destination({ dest: logPath, sync: false, mkdir: true, mode: 0o600 });
       // Tighten permissions on pre-existing log files that may have been created with looser modes
       try { chmodSync(logPath, 0o600); } catch { /* best-effort */ }
+      const fileStream = pinoPretty(prettyOpts({ destination: fileDest, colorize: false }));
 
       if (getDebugMode()) {
-        const prettyStream = pinoPretty({ destination: 2 });
+        const prettyStream = pinoPretty(prettyOpts({ destination: 2 }));
         const multi = pino.multistream([
           { stream: fileStream, level: 'info' as const },
           { stream: prettyStream, level: 'debug' as const },
@@ -151,14 +163,14 @@ function getRootLogger(): pino.Logger {
           { level: 'info', serializers: logSerializers },
           pino.multistream([
             { stream: fileStream, level: 'info' as const },
-            { stream: pinoPretty({ destination: 1 }), level: 'info' as const },
+            { stream: pinoPretty(prettyOpts({ destination: 1 })), level: 'info' as const },
           ]),
         );
       } else {
         rootLogger = pino({ level: 'info', serializers: logSerializers }, fileStream);
       }
     } catch {
-      rootLogger = pino({ level: getDebugMode() ? 'debug' : 'info', serializers: logSerializers }, pinoPretty({ destination: 2 }));
+      rootLogger = pino({ level: getDebugMode() ? 'debug' : 'info', serializers: logSerializers }, pinoPretty(prettyOpts({ destination: 2 })));
     }
   }
   return rootLogger;

package/src/util/platform.ts

@@ -121,6 +121,15 @@ export function getDataDir(): string {
   return join(getWorkspaceDir(), 'data');
 }
 
+/**
+ * Returns the embedding models directory (~/.vellum/workspace/embedding-models).
+ * Downloaded embedding runtime (onnxruntime-node, transformers bundle, model weights)
+ * is stored here, downloaded post-hatch rather than shipped with the app.
+ */
+export function getEmbeddingModelsDir(): string {
+  return join(getWorkspaceDir(), 'embedding-models');
+}
+
 /**
  * Returns the IPC blob directory (~/.vellum/workspace/data/ipc-blobs).
  * Temporary blob files for zero-copy IPC payloads live here.
@@ -357,6 +366,7 @@ export function ensureDataDir(): void {
     workspace,
     join(workspace, 'hooks'),
     join(workspace, 'skills'),
+    join(workspace, 'embedding-models'),
     // Data sub-dirs under workspace
     wsData,
     join(wsData, 'db'),

package/src/util/voice-code.ts

@@ -0,0 +1,29 @@
+/**
+ * Cryptographic voice invite code generation and hashing.
+ *
+ * Generates short numeric codes (default 6 digits) for voice-channel invite
+ * redemption. The plaintext code is returned once at creation time and never
+ * stored — only its SHA-256 hash is persisted.
+ */
+
+import { createHash, randomInt } from 'node:crypto';
+
+/**
+ * Generate a cryptographically random numeric code of the given length.
+ * Uses node:crypto randomInt for uniform distribution.
+ */
+export function generateVoiceCode(digits: number = 6): string {
+  if (digits < 4 || digits > 10) {
+    throw new Error(`Voice code digit count must be between 4 and 10, got ${digits}`);
+  }
+  const min = Math.pow(10, digits - 1); // e.g. 100000 for 6 digits
+  const max = Math.pow(10, digits);     // e.g. 1000000 for 6 digits
+  return String(randomInt(min, max));
+}
+
+/**
+ * SHA-256 hash a voice code for storage comparison.
+ */
+export function hashVoiceCode(code: string): string {
+  return createHash('sha256').update(code).digest('hex');
+}

package/src/daemon/guardian-invite-intent.ts

@@ -1,124 +0,0 @@
-// Guardian invite intent resolution for deterministic first-turn routing.
-// Exports `resolveGuardianInviteIntent` as the single public entry point.
-// When a guardian invite management request is detected, the session pipeline
-// rewrites the message to force immediate entry into the trusted-contacts
-// skill flow, bypassing the normal agent loop's tendency to produce conceptual
-// preambles before loading the skill.
-
-export type GuardianInviteIntentResult =
-  | { kind: 'none' }
-  | { kind: 'invite_management'; rewrittenContent: string; action?: 'create' | 'list' | 'revoke' };
-
-// ── Direct invite patterns ────────────────────────────────────────────────
-// These capture imperative requests to manage Telegram invite links.
-
-const CREATE_INVITE_PATTERNS: RegExp[] = [
-  /\bcreate\s+(?:an?\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\binvite\s+(?:someone|somebody|a\s+friend|a\s+person)\s+(?:on|to|via|through)\s+telegram\b/i,
-  /\b(?:make|generate|get)\s+(?:a\s+|an\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\btelegram\s+invite\s*(?:link)?\b/i,
-  /\bsend\s+(?:a\s+|an\s+)?invite\s+(?:link\s+)?(?:on|for|via|through)\s+telegram\b/i,
-  /\bshare\s+(?:a\s+|an\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\binvite\s+(?:link\s+)?for\s+telegram\b/i,
-];
-
-const LIST_INVITE_PATTERNS: RegExp[] = [
-  /\b(?:show|list|view|see|display)\s+(?:my\s+)?(?:active\s+)?invite(?:s|\s*links?)\b/i,
-  /\b(?:show|list|view|see|display)\s+(?:my\s+)?(?:telegram\s+)?invite(?:s|\s*links?)\b/i,
-  /\bwhat\s+invite(?:s|\s*links?)\s+(?:do\s+I\s+have|are\s+active|exist)\b/i,
-  /\bhow\s+many\s+invite(?:s|\s*links?)\b/i,
-];
-
-const REVOKE_INVITE_PATTERNS: RegExp[] = [
-  /\b(?:revoke|cancel|disable|invalidate|delete|remove)\s+(?:the\s+|my\s+|an?\s+)?invite\s*(?:link)?\b/i,
-  /\b(?:revoke|cancel|disable|invalidate|delete|remove)\s+(?:the\s+|my\s+|an?\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\binvite\s*(?:link)?\s+(?:revoke|cancel|disable|invalidate|delete|remove)\b/i,
-];
-
-// ── Conceptual / question patterns ──────────────────────────────────────
-// These indicate the user is asking *about* invites rather than requesting
-// to manage them. Return passthrough for these.
-
-const CONCEPTUAL_PATTERNS: RegExp[] = [
-  /^\s*(?:how|what|why|when|where|who|which)\b.*\binvite/i,
-  /\bwhat\s+(?:is|are)\s+(?:an?\s+)?invite\s*(?:link)?\b/i,
-  /\bhow\s+(?:do|does|can)\s+(?:invite|invitation)s?\s+work\b/i,
-  /\bexplain\s+(?:the\s+)?invite\b/i,
-  /\btell\s+me\s+about\s+invite\b/i,
-];
-
-/** Common polite/filler words stripped before checking intent-only status. */
-const FILLER_PATTERN =
-  /\b(please|pls|plz|can\s+you|could\s+you|would\s+you|now|right\s+now|thanks|thank\s+you|thx|ty|for\s+me|ok(ay)?|hey|hi|hello|just|i\s+want\s+to|i'd\s+like\s+to|i\s+need\s+to|let's|let\s+me)\b/gi;
-
-// ── Internal helpers ─────────────────────────────────────────────────────
-
-function isConceptualQuestion(text: string): boolean {
-  const cleaned = text.replace(/^\s*(hey|hi|hello|please|pls|plz)[,\s]+/i, '');
-  // Allow actionable requests through even though they start with
-  // question-like words — these are imperative invite management requests.
-  if (LIST_INVITE_PATTERNS.some((p) => p.test(cleaned))) return false;
-  if (CREATE_INVITE_PATTERNS.some((p) => p.test(cleaned))) return false;
-  if (REVOKE_INVITE_PATTERNS.some((p) => p.test(cleaned))) return false;
-  return CONCEPTUAL_PATTERNS.some((p) => p.test(cleaned));
-}
-
-function detectAction(text: string): 'create' | 'list' | 'revoke' | undefined {
-  // Check revoke and list before create — create patterns include the broad
-  // `telegram invite link` matcher that would otherwise swallow revoke/list inputs.
-  if (REVOKE_INVITE_PATTERNS.some((p) => p.test(text))) return 'revoke';
-  if (LIST_INVITE_PATTERNS.some((p) => p.test(text))) return 'list';
-  if (CREATE_INVITE_PATTERNS.some((p) => p.test(text))) return 'create';
-  return undefined;
-}
-
-// ── Structured intent resolver ───────────────────────────────────────────
-
-/**
- * Resolves guardian invite management intent from user text.
- *
- * Pipeline:
- * 1. Skip slash commands entirely
- * 2. Conceptual question gate -- questions return `none`
- * 3. Detect create/list/revoke invite patterns
- * 4. On match, build a deterministic model instruction to load trusted-contacts
- */
-export function resolveGuardianInviteIntent(text: string): GuardianInviteIntentResult {
-  const trimmed = text.trim();
-
-  // Never intercept slash commands
-  if (trimmed.startsWith('/')) {
-    return { kind: 'none' };
-  }
-
-  // Conceptual questions pass through to normal agent processing
-  if (isConceptualQuestion(trimmed)) {
-    return { kind: 'none' };
-  }
-
-  // Strip fillers for pattern matching but keep original for context
-  const withoutFillers = trimmed.replace(FILLER_PATTERN, '').replace(/\s{2,}/g, ' ').trim();
-
-  const action = detectAction(withoutFillers);
-  if (!action) {
-    return { kind: 'none' };
-  }
-
-  // Build the rewritten content that deterministically loads the skill
-  const actionDescriptions: Record<string, string> = {
-    create: 'The user wants to create a Telegram invite link. Create the invite, look up the bot username, and present the shareable deep link with copy-paste instructions.',
-    list: 'The user wants to see their invite links. List all invites (especially active ones for Telegram) and present them in a readable format.',
-    revoke: 'The user wants to revoke an invite link. List invites to identify the target, confirm with the user, then revoke it.',
-  };
-
-  const rewrittenContent = [
-    actionDescriptions[action],
-    'Please invoke the "Trusted Contacts" skill (ID: trusted-contacts) immediately using skill_load.',
-  ].join('\n');
-
-  return {
-    kind: 'invite_management',
-    rewrittenContent,
-    action,
-  };
-}