@vellumai/assistant 0.3.28 → 0.4.0

package/src/calls/relay-server.ts

@@ -10,23 +10,25 @@ import { randomInt } from 'node:crypto';
 
 import type { ServerWebSocket } from 'bun';
 
+import { isAssistantFeatureFlagEnabled } from '../config/assistant-feature-flags.js';
 import { getConfig } from '../config/loader.js';
 import * as conversationStore from '../memory/conversation-store.js';
+import { findActiveVoiceInvites } from '../memory/ingress-invite-store.js';
 import { revokeScopedApprovalGrantsForContext } from '../memory/scoped-approval-grants.js';
 import { notifyGuardianOfAccessRequest } from '../runtime/access-request-helper.js';
-import { resolveActorTrust, toGuardianContextCompat } from '../runtime/actor-trust-resolver.js';
+import {
+  resolveActorTrust,
+  toGuardianRuntimeContextFromTrust,
+} from '../runtime/actor-trust-resolver.js';
 import {
   getPendingChallenge,
   validateAndConsumeChallenge,
 } from '../runtime/channel-guardian-service.js';
-import {
-  resolveGuardianContext,
-  toGuardianRuntimeContext,
-} from '../runtime/guardian-context-resolver.js';
 import {
   composeVerificationVoice,
   GUARDIAN_VERIFY_TEMPLATE_KEYS,
 } from '../runtime/guardian-verification-templates.js';
+import { redeemVoiceInviteCode } from '../runtime/ingress-service.js';
 import { parseJsonSafe } from '../util/json.js';
 import { getLogger } from '../util/logger.js';
 import { normalizeAssistantId } from '../util/platform.js';
@@ -173,6 +175,12 @@ export class RelayConnection {
   // Outbound guardian verification state (system calls the guardian)
   private outboundGuardianVerificationSessionId: string | null = null;
 
+  // Inbound voice invite redemption state
+  private inviteRedemptionActive = false;
+  private inviteRedemptionAssistantId: string | null = null;
+  private inviteRedemptionFromNumber: string | null = null;
+  private inviteRedemptionCodeLength = 6;
+
   constructor(ws: ServerWebSocket<RelayWebSocketData>, callSessionId: string) {
     this.ws = ws;
     this.callSessionId = callSessionId;
@@ -428,15 +436,13 @@ export class RelayConnection {
     // calls msg.from is the caller; for outbound calls msg.to is the
     // recipient (msg.from is the assistant's Twilio number).
     const otherPartyNumber = isInbound ? msg.from : msg.to;
-    const initialGuardianContext = toGuardianRuntimeContext(
-      'voice',
-      resolveGuardianContext({
-        assistantId,
-        sourceChannel: 'voice',
-        externalChatId: otherPartyNumber,
-        senderExternalUserId: otherPartyNumber || undefined,
-      }),
-    );
+    const initialActorTrust = resolveActorTrust({
+      assistantId,
+      sourceChannel: 'voice',
+      externalChatId: otherPartyNumber,
+      senderExternalUserId: otherPartyNumber || undefined,
+    });
+    const initialGuardianContext = toGuardianRuntimeContextFromTrust(initialActorTrust, otherPartyNumber);
 
     const controller = new CallController(this.callSessionId, this, session?.task ?? null, {
       broadcast: globalBroadcast,
@@ -494,6 +500,41 @@ export class RelayConnection {
       const pendingChallenge = getPendingChallenge(assistantId, 'voice');
 
       if (actorTrust.trustClass === 'unknown' && !pendingChallenge) {
+        // Before denying, check if there is an active voice invite bound
+        // to the caller's phone number. If so, enter the invite redemption
+        // subflow instead of denying the call outright.
+        // Gated behind the voice-invite-redemption feature flag (defaults OFF).
+        const voiceInviteEnabled = isAssistantFeatureFlagEnabled(
+          'feature_flags.voice-invite-redemption.enabled',
+          config,
+        );
+
+        if (voiceInviteEnabled) {
+          let voiceInvites: ReturnType<typeof findActiveVoiceInvites> = [];
+          try {
+            voiceInvites = findActiveVoiceInvites({
+              assistantId,
+              expectedExternalUserId: msg.from,
+            });
+          } catch (err) {
+            log.warn({ err, callSessionId: this.callSessionId }, 'Failed to check voice invites for unknown caller');
+          }
+
+          // Exclude invites that are past their expiresAt even if the DB
+          // status hasn't been lazily flipped to 'expired' yet.
+          const now = Date.now();
+          const nonExpiredInvites = voiceInvites.filter(i => !i.expiresAt || i.expiresAt > now);
+
+          if (nonExpiredInvites.length > 0) {
+            log.info(
+              { callSessionId: this.callSessionId, from: msg.from },
+              'Inbound voice ACL: unknown caller has active voice invite — entering redemption flow',
+            );
+            this.startInviteRedemption(assistantId, msg.from);
+            return;
+          }
+        }
+
         log.info(
           { callSessionId: this.callSessionId, from: msg.from, trustClass: actorTrust.trustClass },
           'Inbound voice ACL: unknown caller denied',
@@ -613,10 +654,7 @@ export class RelayConnection {
       // Update the controller's guardian context with the trust-resolved
       // context so downstream policy gates have accurate actor metadata.
       if (this.controller && actorTrust.trustClass !== 'unknown') {
-        const resolvedGuardianContext = toGuardianRuntimeContext(
-          'voice',
-          toGuardianContextCompat(actorTrust, msg.from),
-        );
+        const resolvedGuardianContext = toGuardianRuntimeContextFromTrust(actorTrust, msg.from);
         this.controller.setGuardianContext(resolvedGuardianContext);
       }
 
@@ -876,16 +914,14 @@ export class RelayConnection {
       } else {
         // Inbound: proceed to normal call flow
         if (this.controller) {
+          const verifiedActorTrust = resolveActorTrust({
+            assistantId: this.guardianChallengeAssistantId,
+            sourceChannel: 'voice',
+            externalChatId: this.guardianVerificationFromNumber,
+            senderExternalUserId: this.guardianVerificationFromNumber,
+          });
           this.controller.setGuardianContext(
-            toGuardianRuntimeContext(
-              'voice',
-              resolveGuardianContext({
-                assistantId: this.guardianChallengeAssistantId,
-                sourceChannel: 'voice',
-                externalChatId: this.guardianVerificationFromNumber,
-                senderExternalUserId: this.guardianVerificationFromNumber,
-              }),
-            ),
+            toGuardianRuntimeContextFromTrust(verifiedActorTrust, this.guardianVerificationFromNumber),
           );
           this.startNormalCallFlow(this.controller, true);
         }
@@ -960,6 +996,126 @@ export class RelayConnection {
     }
   }
 
+  /**
+   * Enter the invite redemption subflow for an inbound unknown caller
+   * who has an active voice invite. Prompts the caller to enter their
+   * invite code via DTMF or speech.
+   */
+  private startInviteRedemption(assistantId: string, fromNumber: string): void {
+    this.inviteRedemptionActive = true;
+    this.inviteRedemptionAssistantId = assistantId;
+    this.inviteRedemptionFromNumber = fromNumber;
+    this.connectionState = 'verification_pending';
+    this.verificationAttempts = 0;
+    this.verificationMaxAttempts = 3;
+    this.inviteRedemptionCodeLength = 6;
+    this.dtmfBuffer = '';
+
+    recordCallEvent(this.callSessionId, 'invite_redemption_started', {
+      assistantId,
+      codeLength: 6,
+      maxAttempts: this.verificationMaxAttempts,
+    });
+
+    this.sendTextToken(
+      'Please enter your 6-digit invite code using your keypad, or speak the digits now.',
+      true,
+    );
+
+    log.info(
+      { callSessionId: this.callSessionId, assistantId },
+      'Inbound voice invite redemption started',
+    );
+  }
+
+  /**
+   * Validate an entered invite code against active voice invites for the
+   * caller. On success, create/activate the ingress member and transition
+   * to the normal call flow. On failure, allow retries up to max attempts.
+   */
+  private attemptInviteCodeRedemption(enteredCode: string): void {
+    if (!this.inviteRedemptionAssistantId || !this.inviteRedemptionFromNumber) {
+      return;
+    }
+
+    const result = redeemVoiceInviteCode({
+      assistantId: this.inviteRedemptionAssistantId,
+      callerExternalUserId: this.inviteRedemptionFromNumber,
+      sourceChannel: 'voice',
+      code: enteredCode,
+    });
+
+    if (result.ok) {
+      this.connectionState = 'connected';
+      this.inviteRedemptionActive = false;
+      this.verificationAttempts = 0;
+      this.dtmfBuffer = '';
+
+      recordCallEvent(this.callSessionId, 'invite_redemption_succeeded', {
+        memberId: result.memberId,
+        ...(result.type === 'redeemed' ? { inviteId: result.inviteId } : {}),
+      });
+      log.info(
+        { callSessionId: this.callSessionId, memberId: result.memberId, type: result.type },
+        'Voice invite redemption succeeded',
+      );
+
+      if (this.controller) {
+        const redeemedActorTrust = resolveActorTrust({
+          assistantId: this.inviteRedemptionAssistantId,
+          sourceChannel: 'voice',
+          externalChatId: this.inviteRedemptionFromNumber,
+          senderExternalUserId: this.inviteRedemptionFromNumber,
+        });
+        this.controller.setGuardianContext(
+          toGuardianRuntimeContextFromTrust(redeemedActorTrust, this.inviteRedemptionFromNumber),
+        );
+        this.startNormalCallFlow(this.controller, true);
+      }
+    } else {
+      this.verificationAttempts++;
+
+      if (this.verificationAttempts >= this.verificationMaxAttempts) {
+        this.inviteRedemptionActive = false;
+
+        recordCallEvent(this.callSessionId, 'invite_redemption_failed', {
+          attempts: this.verificationAttempts,
+        });
+        log.warn(
+          { callSessionId: this.callSessionId, attempts: this.verificationAttempts },
+          'Voice invite redemption failed — max attempts reached',
+        );
+
+        this.sendTextToken('Too many invalid attempts. Goodbye.', true);
+
+        updateCallSession(this.callSessionId, {
+          status: 'failed',
+          endedAt: Date.now(),
+          lastError: 'Voice invite redemption failed — max attempts exceeded',
+        });
+
+        const failSession = getCallSession(this.callSessionId);
+        if (failSession) {
+          expirePendingQuestions(this.callSessionId);
+          persistCallCompletionMessage(failSession.conversationId, this.callSessionId).catch((err) => {
+            log.error({ err, conversationId: failSession.conversationId, callSessionId: this.callSessionId }, 'Failed to persist call completion message');
+          });
+          fireCallCompletionNotifier(failSession.conversationId, this.callSessionId);
+        }
+
+        setTimeout(() => {
+          this.endSession('Invite redemption failed');
+        }, 2000);
+      } else {
+        log.info(
+          { callSessionId: this.callSessionId, attempt: this.verificationAttempts, maxAttempts: this.verificationMaxAttempts },
+          'Voice invite redemption attempt failed — retrying',
+        );
+        this.sendTextToken('Invalid code. Please try again.', true);
+      }
+    }
+  }
+
   private async handlePrompt(msg: RelayPromptMessage): Promise<void> {
     if (this.connectionState === 'disconnecting') {
       return;
@@ -990,6 +1146,26 @@ export class RelayConnection {
       return;
     }
 
+    // During invite redemption, attempt to parse spoken digits from the
+    // transcript and validate against the caller's active voice invite.
+    if (this.connectionState === 'verification_pending' && this.inviteRedemptionActive) {
+      const spokenDigits = RelayConnection.parseDigitsFromSpeech(msg.voicePrompt);
+      log.info(
+        { callSessionId: this.callSessionId, transcript: msg.voicePrompt, spokenDigits },
+        'Speech received during invite redemption',
+      );
+      if (spokenDigits.length >= this.inviteRedemptionCodeLength) {
+        const enteredCode = spokenDigits.slice(0, this.inviteRedemptionCodeLength);
+        this.attemptInviteCodeRedemption(enteredCode);
+      } else if (spokenDigits.length > 0) {
+        this.sendTextToken(
+          `I heard ${spokenDigits.length} digits. Please enter all ${this.inviteRedemptionCodeLength} digits of your code.`,
+          true,
+        );
+      }
+      return;
+    }
+
     // During outbound callee verification, ignore voice prompts — the callee
     // should be entering DTMF digits, not speaking.
     if (this.connectionState === 'verification_pending') {
@@ -1102,6 +1278,19 @@ export class RelayConnection {
       return;
     }
 
+    // If invite redemption is pending, accumulate digits and validate
+    // the code against the caller's active voice invite.
+    if (this.connectionState === 'verification_pending' && this.inviteRedemptionActive) {
+      this.dtmfBuffer += msg.digit;
+
+      if (this.dtmfBuffer.length >= this.inviteRedemptionCodeLength) {
+        const enteredCode = this.dtmfBuffer.slice(0, this.inviteRedemptionCodeLength);
+        this.dtmfBuffer = '';
+        this.attemptInviteCodeRedemption(enteredCode);
+      }
+      return;
+    }
+
     // If outbound callee verification is pending, accumulate digits and check the code
     if (this.connectionState === 'verification_pending' && this.verificationCode) {
       this.dtmfBuffer += msg.digit;

package/src/calls/types.ts

@@ -1,5 +1,5 @@
 export type CallStatus = 'initiated' | 'ringing' | 'in_progress' | 'waiting_on_user' | 'completed' | 'failed' | 'cancelled';
-export type CallEventType = 'call_started' | 'call_connected' | 'caller_spoke' | 'assistant_spoke' | 'user_question_asked' | 'user_answered' | 'user_instruction_relayed' | 'call_ended' | 'call_failed' | 'callee_verification_started' | 'callee_verification_succeeded' | 'callee_verification_failed' | 'guardian_voice_verification_started' | 'guardian_voice_verification_succeeded' | 'guardian_voice_verification_failed' | 'outbound_guardian_voice_verification_started' | 'outbound_guardian_voice_verification_succeeded' | 'outbound_guardian_voice_verification_failed' | 'guardian_consultation_timed_out' | 'guardian_unavailable_skipped' | 'guardian_consult_deferred' | 'guardian_consult_coalesced' | 'inbound_acl_denied';
+export type CallEventType = 'call_started' | 'call_connected' | 'caller_spoke' | 'assistant_spoke' | 'user_question_asked' | 'user_answered' | 'user_instruction_relayed' | 'call_ended' | 'call_failed' | 'callee_verification_started' | 'callee_verification_succeeded' | 'callee_verification_failed' | 'guardian_voice_verification_started' | 'guardian_voice_verification_succeeded' | 'guardian_voice_verification_failed' | 'outbound_guardian_voice_verification_started' | 'outbound_guardian_voice_verification_succeeded' | 'outbound_guardian_voice_verification_failed' | 'guardian_consultation_timed_out' | 'guardian_unavailable_skipped' | 'guardian_consult_deferred' | 'guardian_consult_coalesced' | 'inbound_acl_denied' | 'invite_redemption_started' | 'invite_redemption_succeeded' | 'invite_redemption_failed';
 export type PendingQuestionStatus = 'pending' | 'answered' | 'expired' | 'cancelled';
 
 /**

package/src/calls/voice-session-bridge.ts

@@ -250,8 +250,8 @@ export async function startVoiceTurn(opts: VoiceTurnOptions): Promise<VoiceTurnH
   // - guardian: permission prompts auto-allow (parity with guardian chat)
   // - everyone else (including unknown): fail-closed strict side-effects
   //   with auto-deny confirmations.
-  const actorRole = opts.guardianContext?.actorRole;
-  const isGuardian = actorRole === 'guardian';
+  const trustClass = opts.guardianContext?.trustClass;
+  const isGuardian = trustClass === 'guardian';
   const forceStrictSideEffects = isGuardian ? undefined : true;
 
   // Replace the [CALL_OPENING] marker with a neutral instruction before
@@ -264,7 +264,7 @@ export async function startVoiceTurn(opts: VoiceTurnOptions): Promise<VoiceTurnH
 
   // Build the call-control protocol prompt so the model knows how to emit
   // control markers (ASK_GUARDIAN, END_CALL, etc.) and recognize opener turns.
-  const isCallerGuardian = opts.guardianContext?.actorRole === 'guardian';
+  const isCallerGuardian = opts.guardianContext?.trustClass === 'guardian';
 
   const voiceCallControlPrompt = buildVoiceCallControlPrompt({
     isInbound: opts.isInbound,

package/src/cli.ts

@@ -492,6 +492,18 @@ export async function startCli(): Promise<void> {
         break;
       }
 
+      case 'message_request_complete': {
+        // Request-level terminal for inline approval consumption.
+        // When no agent turn remains active, clear busy state and re-prompt.
+        if (msg.runStillActive !== true) {
+          spinner.stop();
+          generating = false;
+          process.stdout.write('\n\n');
+          prompt();
+        }
+        break;
+      }
+
       case 'generation_handoff': {
         // The current request's generation is done; show usage and re-prompt.
         // Always clear `generating` — this CLI client's generation is finished

package/src/config/agent-schema.ts

@@ -131,7 +131,7 @@ export const WorkspaceGitConfigSchema = z.object({
   commitMessageLLM: z.object({
     enabled: z.boolean({ error: 'workspaceGit.commitMessageLLM.enabled must be a boolean' }).default(false),
     useConfiguredProvider: z.boolean({ error: 'workspaceGit.commitMessageLLM.useConfiguredProvider must be a boolean' }).default(true),
-    providerFastModelOverrides: z.record(z.string(), z.string()).default({} as any),
+    providerFastModelOverrides: z.record(z.string(), z.string()).default({} as Record<string, string>),
     timeoutMs: z.number({ error: 'workspaceGit.commitMessageLLM.timeoutMs must be a number' })
       .int('workspaceGit.commitMessageLLM.timeoutMs must be an integer')
       .positive('workspaceGit.commitMessageLLM.timeoutMs must be a positive integer')
@@ -163,8 +163,19 @@ export const WorkspaceGitConfigSchema = z.object({
         .int().positive().default(2000),
       backoffMaxMs: z.number({ error: 'workspaceGit.commitMessageLLM.breaker.backoffMaxMs must be a number' })
         .int().positive().default(60000),
-    }).default({} as any),
-  }).default({} as any),
+    }).default({ openAfterFailures: 3, backoffBaseMs: 2000, backoffMaxMs: 60000 }),
+  }).default({
+    enabled: false,
+    useConfiguredProvider: true,
+    providerFastModelOverrides: {},
+    timeoutMs: 600,
+    maxTokens: 120,
+    temperature: 0.2,
+    maxFilesInPrompt: 30,
+    maxDiffBytes: 12000,
+    minRemainingTurnBudgetMs: 1000,
+    breaker: { openAfterFailures: 3, backoffBaseMs: 2000, backoffMaxMs: 60000 },
+  }),
 });
 
 export type HeartbeatConfig = z.infer<typeof HeartbeatConfigSchema>;

package/src/config/calls-schema.ts

@@ -76,7 +76,7 @@ export const CallsVoiceConfigSchema = z.object({
   fallbackToStandardOnError: z
     .boolean({ error: 'calls.voice.fallbackToStandardOnError must be a boolean' })
     .default(true),
-  elevenlabs: CallsElevenLabsConfigSchema.default({} as any),
+  elevenlabs: CallsElevenLabsConfigSchema.default(CallsElevenLabsConfigSchema.parse({})),
 });
 
 export const CallerIdentityConfigSchema = z.object({
@@ -125,14 +125,14 @@ export const CallsConfigSchema = z.object({
     .positive('calls.userConsultTimeoutSeconds must be a positive integer')
     .max(2_147_483, 'calls.userConsultTimeoutSeconds must be at most 2147483 (setTimeout-safe limit)')
     .default(120),
-  disclosure: CallsDisclosureConfigSchema.default({} as any),
-  safety: CallsSafetyConfigSchema.default({} as any),
-  voice: CallsVoiceConfigSchema.default({} as any),
+  disclosure: CallsDisclosureConfigSchema.default(CallsDisclosureConfigSchema.parse({})),
+  safety: CallsSafetyConfigSchema.default(CallsSafetyConfigSchema.parse({})),
+  voice: CallsVoiceConfigSchema.default(CallsVoiceConfigSchema.parse({})),
   model: z
     .string({ error: 'calls.model must be a string' })
     .optional(),
-  callerIdentity: CallerIdentityConfigSchema.default({} as any),
-  verification: CallsVerificationConfigSchema.default({} as any),
+  callerIdentity: CallerIdentityConfigSchema.default(CallerIdentityConfigSchema.parse({})),
+  verification: CallsVerificationConfigSchema.default(CallsVerificationConfigSchema.parse({})),
 });
 
 export type CallsConfig = z.infer<typeof CallsConfigSchema>;

package/src/config/core-schema.ts

@@ -231,8 +231,8 @@ const IngressBaseSchema = z.object({
       'ingress.publicBaseUrl must be an absolute URL starting with http:// or https://',
     )
     .default(''),
-  webhook: IngressWebhookConfigSchema.default({} as any),
-  rateLimit: IngressRateLimitConfigSchema.default({} as any),
+  webhook: IngressWebhookConfigSchema.default(IngressWebhookConfigSchema.parse({})),
+  rateLimit: IngressRateLimitConfigSchema.default(IngressRateLimitConfigSchema.parse({})),
   shutdownDrainMs: z
     .number({ error: 'ingress.shutdownDrainMs must be a number' })
     .int('ingress.shutdownDrainMs must be an integer')
@@ -241,7 +241,7 @@ const IngressBaseSchema = z.object({
 });
 
 export const IngressConfigSchema = IngressBaseSchema
-  .default({} as any)
+  .default(IngressBaseSchema.parse({}))
   .transform((val) => ({
     ...val,
     // Backward compatibility: if `enabled` was never explicitly set (undefined),

package/src/config/feature-flag-registry.json

@@ -49,6 +49,14 @@
       "description": "Send crash reports and error diagnostics to help improve the app",
       "defaultEnabled": true
     },
+    {
+      "id": "voice-invite-redemption",
+      "scope": "assistant",
+      "key": "feature_flags.voice-invite-redemption.enabled",
+      "label": "Voice Invite Redemption",
+      "description": "Enable voice invite code redemption for inbound callers with active voice invites",
+      "defaultEnabled": false
+    },
     {
       "id": "user-hosted-enabled",
       "scope": "macos",

package/src/config/mcp-schema.ts

@@ -37,7 +37,7 @@ export const McpServerConfigSchema = z.object({
 });
 
 export const McpConfigSchema = z.object({
-  servers: z.record(z.string(), McpServerConfigSchema).default({} as any),
+  servers: z.record(z.string(), McpServerConfigSchema).default({} as Record<string, never>),
   globalMaxTools: z.number({ error: 'mcp globalMaxTools must be a number' }).int().positive().default(50),
 });
 

package/src/config/memory-schema.ts

@@ -145,7 +145,7 @@ const MemoryFreshnessConfigSchema = z.object({
       .number({ error: 'memory.retrieval.freshness.maxAgeDays.opinion must be a number' })
       .nonnegative('memory.retrieval.freshness.maxAgeDays.opinion must be non-negative')
       .default(60),
-  }).default({} as any),
+  }).default({ fact: 0, preference: 0, behavior: 90, event: 30, opinion: 60 }),
   staleDecay: z
     .number({ error: 'memory.retrieval.freshness.staleDecay must be a number' })
     .min(0, 'memory.retrieval.freshness.staleDecay must be >= 0')
@@ -181,15 +181,15 @@ export const MemoryRetrievalConfigSchema = z.object({
       error: 'memory.retrieval.injectionStrategy must be "prepend_user_block" or "separate_context_message"',
     })
     .default('prepend_user_block'),
-  reranking: MemoryRerankingConfigSchema.default({} as any),
-  freshness: MemoryFreshnessConfigSchema.default({} as any),
+  reranking: MemoryRerankingConfigSchema.default(MemoryRerankingConfigSchema.parse({})),
+  freshness: MemoryFreshnessConfigSchema.default(MemoryFreshnessConfigSchema.parse({})),
   scopePolicy: z
     .enum(['allow_global_fallback', 'strict'], {
       error: 'memory.retrieval.scopePolicy must be "allow_global_fallback" or "strict"',
     })
     .default('allow_global_fallback'),
-  dynamicBudget: MemoryDynamicBudgetConfigSchema.default({} as any),
-  earlyTermination: MemoryEarlyTerminationConfigSchema.default({} as any),
+  dynamicBudget: MemoryDynamicBudgetConfigSchema.default(MemoryDynamicBudgetConfigSchema.parse({})),
+  earlyTermination: MemoryEarlyTerminationConfigSchema.default(MemoryEarlyTerminationConfigSchema.parse({})),
 });
 
 export const MemorySegmentationConfigSchema = z.object({
@@ -287,7 +287,7 @@ export const MemoryEntityConfigSchema = z.object({
       .int('memory.entity.extractRelations.backfillBatchSize must be an integer')
       .positive('memory.entity.extractRelations.backfillBatchSize must be a positive integer')
       .default(200),
-  }).default({} as any),
+  }).default({ enabled: true, backfillBatchSize: 200 }),
   relationRetrieval: z.object({
     enabled: z
       .boolean({ error: 'memory.entity.relationRetrieval.enabled must be a boolean' })
@@ -320,7 +320,15 @@ export const MemoryEntityConfigSchema = z.object({
     depthDecay: z
       .boolean({ error: 'memory.entity.relationRetrieval.depthDecay must be a boolean' })
       .default(true),
-  }).default({} as any),
+  }).default({
+    enabled: true,
+    maxSeedEntities: 8,
+    maxNeighborEntities: 20,
+    maxEdges: 40,
+    neighborScoreMultiplier: 0.7,
+    maxDepth: 3,
+    depthDecay: true,
+  }),
 });
 
 export const MemoryConflictsConfigSchema = z.object({
@@ -384,18 +392,18 @@ export const MemoryConfigSchema = z.object({
   enabled: z
     .boolean({ error: 'memory.enabled must be a boolean' })
     .default(true),
-  embeddings: MemoryEmbeddingsConfigSchema.default({} as any),
-  qdrant: QdrantConfigSchema.default({} as any),
-  retrieval: MemoryRetrievalConfigSchema.default({} as any),
-  segmentation: MemorySegmentationConfigSchema.default({} as any),
-  jobs: MemoryJobsConfigSchema.default({} as any),
-  retention: MemoryRetentionConfigSchema.default({} as any),
-  cleanup: MemoryCleanupConfigSchema.default({} as any),
-  extraction: MemoryExtractionConfigSchema.default({} as any),
-  summarization: MemorySummarizationConfigSchema.default({} as any),
-  entity: MemoryEntityConfigSchema.default({} as any),
-  conflicts: MemoryConflictsConfigSchema.default({} as any),
-  profile: MemoryProfileConfigSchema.default({} as any),
+  embeddings: MemoryEmbeddingsConfigSchema.default(MemoryEmbeddingsConfigSchema.parse({})),
+  qdrant: QdrantConfigSchema.default(QdrantConfigSchema.parse({})),
+  retrieval: MemoryRetrievalConfigSchema.default(MemoryRetrievalConfigSchema.parse({})),
+  segmentation: MemorySegmentationConfigSchema.default(MemorySegmentationConfigSchema.parse({})),
+  jobs: MemoryJobsConfigSchema.default(MemoryJobsConfigSchema.parse({})),
+  retention: MemoryRetentionConfigSchema.default(MemoryRetentionConfigSchema.parse({})),
+  cleanup: MemoryCleanupConfigSchema.default(MemoryCleanupConfigSchema.parse({})),
+  extraction: MemoryExtractionConfigSchema.default(MemoryExtractionConfigSchema.parse({})),
+  summarization: MemorySummarizationConfigSchema.default(MemorySummarizationConfigSchema.parse({})),
+  entity: MemoryEntityConfigSchema.default(MemoryEntityConfigSchema.parse({})),
+  conflicts: MemoryConflictsConfigSchema.default(MemoryConflictsConfigSchema.parse({})),
+  profile: MemoryProfileConfigSchema.default(MemoryProfileConfigSchema.parse({})),
 });
 
 export type MemoryEmbeddingsConfig = z.infer<typeof MemoryEmbeddingsConfigSchema>;

package/src/config/schema.ts

@@ -206,34 +206,34 @@ export const AssistantConfigSchema = z.object({
     .int('maxToolUseTurns must be an integer')
     .positive('maxToolUseTurns must be a positive integer')
     .default(60),
-  thinking: ThinkingConfigSchema.default({} as any),
-  contextWindow: ContextWindowConfigSchema.default({} as any),
-  memory: MemoryConfigSchema.default({} as any),
+  thinking: ThinkingConfigSchema.default(ThinkingConfigSchema.parse({})),
+  contextWindow: ContextWindowConfigSchema.default(ContextWindowConfigSchema.parse({})),
+  memory: MemoryConfigSchema.default(MemoryConfigSchema.parse({})),
   dataDir: z
     .string({ error: 'dataDir must be a string' })
     .default(getDataDir()),
-  timeouts: TimeoutConfigSchema.default({} as any),
-  sandbox: SandboxConfigSchema.default({} as any),
-  rateLimit: RateLimitConfigSchema.default({} as any),
-  secretDetection: SecretDetectionConfigSchema.default({} as any),
-  permissions: PermissionsConfigSchema.default({} as any),
-  auditLog: AuditLogConfigSchema.default({} as any),
-  logFile: LogFileConfigSchema.default({} as any),
+  timeouts: TimeoutConfigSchema.default(TimeoutConfigSchema.parse({})),
+  sandbox: SandboxConfigSchema.default(SandboxConfigSchema.parse({})),
+  rateLimit: RateLimitConfigSchema.default(RateLimitConfigSchema.parse({})),
+  secretDetection: SecretDetectionConfigSchema.default(SecretDetectionConfigSchema.parse({})),
+  permissions: PermissionsConfigSchema.default(PermissionsConfigSchema.parse({})),
+  auditLog: AuditLogConfigSchema.default(AuditLogConfigSchema.parse({})),
+  logFile: LogFileConfigSchema.default(LogFileConfigSchema.parse({})),
   pricingOverrides: z
     .array(ModelPricingOverrideSchema)
     .default([]),
-  heartbeat: HeartbeatConfigSchema.default({} as any),
-  swarm: SwarmConfigSchema.default({} as any),
-  mcp: McpConfigSchema.default({} as any),
-  skills: SkillsConfigSchema.default({} as any),
-  workspaceGit: WorkspaceGitConfigSchema.default({} as any),
-  calls: CallsConfigSchema.default({} as any),
-  sms: SmsConfigSchema.default({} as any),
+  heartbeat: HeartbeatConfigSchema.default(HeartbeatConfigSchema.parse({})),
+  swarm: SwarmConfigSchema.default(SwarmConfigSchema.parse({})),
+  mcp: McpConfigSchema.default(McpConfigSchema.parse({})),
+  skills: SkillsConfigSchema.default(SkillsConfigSchema.parse({})),
+  workspaceGit: WorkspaceGitConfigSchema.default(WorkspaceGitConfigSchema.parse({})),
+  calls: CallsConfigSchema.default(CallsConfigSchema.parse({})),
+  sms: SmsConfigSchema.default(SmsConfigSchema.parse({})),
   ingress: IngressConfigSchema,
-  platform: PlatformConfigSchema.default({} as any),
-  daemon: DaemonConfigSchema.default({} as any),
-  notifications: NotificationsConfigSchema.default({} as any),
-  ui: UiConfigSchema.default({} as any),
+  platform: PlatformConfigSchema.default(PlatformConfigSchema.parse({})),
+  daemon: DaemonConfigSchema.default(DaemonConfigSchema.parse({})),
+  notifications: NotificationsConfigSchema.default(NotificationsConfigSchema.parse({})),
+  ui: UiConfigSchema.default(UiConfigSchema.parse({})),
   featureFlags: z
     .record(z.string(), z.boolean({ error: 'featureFlags values must be booleans' }))
     .default({} as any),

package/src/config/skills-schema.ts

@@ -24,8 +24,8 @@ export const RemoteProviderConfigSchema = z.object({
 });
 
 export const RemoteProvidersConfigSchema = z.object({
-  skillssh: RemoteProviderConfigSchema.default({} as any),
-  clawhub: RemoteProviderConfigSchema.default({} as any),
+  skillssh: RemoteProviderConfigSchema.default(RemoteProviderConfigSchema.parse({})),
+  clawhub: RemoteProviderConfigSchema.default(RemoteProviderConfigSchema.parse({})),
 });
 
 // 'unknown' is valid as a risk label on a skill but not as a threshold — setting the threshold
@@ -41,12 +41,12 @@ export const RemotePolicyConfigSchema = z.object({
 });
 
 export const SkillsConfigSchema = z.object({
-  entries: z.record(z.string(), SkillEntryConfigSchema).default({} as any),
-  load: SkillsLoadConfigSchema.default({} as any),
-  install: SkillsInstallConfigSchema.default({} as any),
+  entries: z.record(z.string(), SkillEntryConfigSchema).default({} as Record<string, never>),
+  load: SkillsLoadConfigSchema.default(SkillsLoadConfigSchema.parse({})),
+  install: SkillsInstallConfigSchema.default(SkillsInstallConfigSchema.parse({})),
   allowBundled: z.array(z.string()).nullable().default(null),
-  remoteProviders: RemoteProvidersConfigSchema.default({} as any),
-  remotePolicy: RemotePolicyConfigSchema.default({} as any),
+  remoteProviders: RemoteProvidersConfigSchema.default(RemoteProvidersConfigSchema.parse({})),
+  remotePolicy: RemotePolicyConfigSchema.default(RemotePolicyConfigSchema.parse({})),
 });
 
 export type SkillEntryConfig = z.infer<typeof SkillEntryConfigSchema>;