@vellumai/assistant 0.3.28 → 0.4.0

package/src/runtime/routes/ingress-routes.ts

@@ -8,10 +8,10 @@
  *   POST   /v1/ingress/members/:id/block — block a member
  *
  * Invites:
- *   GET    /v1/ingress/invites           — list invites
- *   POST   /v1/ingress/invites           — create an invite
- *   DELETE /v1/ingress/invites/:id       — revoke an invite
- *   POST   /v1/ingress/invites/redeem    — redeem an invite
+ *   GET    /v1/ingress/invites        — list invites
+ *   POST   /v1/ingress/invites        — create an invite (supports voice)
+ *   DELETE /v1/ingress/invites/:id    — revoke an invite
+ *   POST   /v1/ingress/invites/redeem — redeem an invite (token or voice code)
  */
 
 import {
@@ -20,6 +20,7 @@ import {
   listIngressInvites,
   listIngressMembers,
   redeemIngressInvite,
+  redeemVoiceInviteCode,
   revokeIngressInvite,
   revokeIngressMember,
   upsertIngressMember,
@@ -130,6 +131,11 @@ export function handleListInvites(url: URL): Response {
 
 /**
  * POST /v1/ingress/invites
+ *
+ * For voice invites, pass `sourceChannel: "voice"` with required
+ * `expectedExternalUserId` (E.164 phone). Voice codes are always 6 digits.
+ * The response will include a one-time `voiceCode` field that must be
+ * communicated to the invited user out-of-band.
  */
 export async function handleCreateInvite(req: Request): Promise<Response> {
   const body = (await req.json()) as Record<string, unknown>;
@@ -139,6 +145,8 @@ export async function handleCreateInvite(req: Request): Promise<Response> {
     note: body.note as string | undefined,
     maxUses: body.maxUses as number | undefined,
     expiresInMs: body.expiresInMs as number | undefined,
+    expectedExternalUserId: body.expectedExternalUserId as string | undefined,
+    voiceCodeDigits: body.voiceCodeDigits as number | undefined,
   });
 
   if (!result.ok) {
@@ -161,10 +169,50 @@ export function handleRevokeInvite(inviteId: string): Response {
 
 /**
  * POST /v1/ingress/invites/redeem
+ *
+ * Unified invite redemption endpoint. Supports two modes:
+ *
+ * 1. **Token-based** (existing): pass `token`, `sourceChannel`, `externalUserId`, etc.
+ * 2. **Voice code** (new): pass `code` and `callerExternalUserId` (E.164 phone).
+ *    Optionally pass `assistantId`.
+ *
+ * The presence of `code` in the body selects voice-code redemption.
  */
 export async function handleRedeemInvite(req: Request): Promise<Response> {
   const body = (await req.json()) as Record<string, unknown>;
 
+  // Voice-code redemption path: triggered when `code` is present
+  if (body.code != null) {
+    const callerExternalUserId = body.callerExternalUserId as string | undefined;
+    const code = body.code as string | undefined;
+
+    if (!callerExternalUserId || !code) {
+      return Response.json(
+        { ok: false, error: 'callerExternalUserId and code are required' },
+        { status: 400 },
+      );
+    }
+
+    const result = redeemVoiceInviteCode({
+      assistantId: body.assistantId as string | undefined,
+      callerExternalUserId,
+      sourceChannel: 'voice',
+      code,
+    });
+
+    if (!result.ok) {
+      return Response.json({ ok: false, error: result.reason }, { status: 400 });
+    }
+
+    return Response.json({
+      ok: true,
+      type: result.type,
+      memberId: result.memberId,
+      ...(result.type === 'redeemed' ? { inviteId: result.inviteId } : {}),
+    });
+  }
+
+  // Token-based redemption path (default)
   const result = redeemIngressInvite({
     token: body.token as string | undefined,
     externalUserId: body.externalUserId as string | undefined,

package/src/runtime/routes/pairing-routes.ts

@@ -75,6 +75,9 @@ export async function handlePairingRequest(req: Request, ctx: PairingHandlerCont
 
     const result = ctx.pairingStore.beginRequest({ pairingRequestId, pairingSecret, deviceId, deviceName });
     if (!result.ok) {
+      if (result.reason === 'already_paired') {
+        return httpError('CONFLICT', 'This pairing request is already bound to another device', 409);
+      }
       const statusCode = result.reason === 'invalid_secret' ? 403 : result.reason === 'not_found' ? 403 : 410;
       return httpError('FORBIDDEN', 'Forbidden', statusCode);
     }

package/src/tools/guardian-control-plane-policy.ts

@@ -124,13 +124,13 @@ export function isGuardianControlPlaneInvocation(
 export function enforceGuardianOnlyPolicy(
   toolName: string,
   input: Record<string, unknown>,
-  actorRole: string | undefined,
+  trustClass: string | undefined,
 ): { denied: boolean; reason?: string } {
   if (!isGuardianControlPlaneInvocation(toolName, input)) {
     return { denied: false };
   }
 
-  if (actorRole === 'guardian' || actorRole === undefined) {
+  if (trustClass === 'guardian' || trustClass === undefined) {
     return { denied: false };
   }
 

package/src/tools/tool-approval-handler.ts

@@ -10,8 +10,8 @@ import type { ExecutionTarget, Tool, ToolContext, ToolExecutionResult, ToolLifec
 
 const log = getLogger('tool-approval-handler');
 
-function isUntrustedGuardianActorRole(role: ToolContext['guardianActorRole']): boolean {
-  return role === 'non-guardian' || role === 'unverified_channel';
+function isUntrustedGuardianTrustClass(role: ToolContext['guardianTrustClass']): boolean {
+  return role === 'trusted_contact' || role === 'unknown';
 }
 
 function requiresGuardianApprovalForActor(
@@ -26,10 +26,10 @@ function requiresGuardianApprovalForActor(
 }
 
 function guardianApprovalDeniedMessage(
-  actorRole: ToolContext['guardianActorRole'],
+  trustClass: ToolContext['guardianTrustClass'],
   toolName: string,
 ): string {
-  if (actorRole === 'unverified_channel') {
+  if (trustClass === 'unknown') {
     return `Permission denied for "${toolName}": this action requires guardian approval from a verified channel identity.`;
   }
   return `Permission denied for "${toolName}": this action requires guardian approval and the current actor is not the guardian.`;
@@ -82,13 +82,13 @@ export class ToolApprovalHandler {
     }
 
     // Reject tool invocations targeting guardian control-plane endpoints from non-guardian actors.
-    const guardianCheck = enforceGuardianOnlyPolicy(name, input, context.guardianActorRole);
+    const guardianCheck = enforceGuardianOnlyPolicy(name, input, context.guardianTrustClass);
     if (guardianCheck.denied) {
       log.warn({
         toolName: name,
         sessionId: context.sessionId,
         conversationId: context.conversationId,
-        actorRole: context.guardianActorRole,
+        trustClass: context.guardianTrustClass,
         reason: 'guardian_only_policy',
       }, 'Guardian-only policy blocked tool invocation');
       const durationMs = Date.now() - startTime;
@@ -118,7 +118,7 @@ export class ToolApprovalHandler {
     let deferredConsumeParams: Parameters<typeof consumeGrantForInvocation>[0] | null = null;
 
     if (
-      isUntrustedGuardianActorRole(context.guardianActorRole)
+      isUntrustedGuardianTrustClass(context.guardianTrustClass)
       && requiresGuardianApprovalForActor(name, input, executionTarget)
     ) {
       const inputDigest = computeToolApprovalDigest(name, input);
@@ -233,7 +233,7 @@ export class ToolApprovalHandler {
           toolName: name,
           sessionId: context.sessionId,
           conversationId: context.conversationId,
-          actorRole: context.guardianActorRole,
+          trustClass: context.guardianTrustClass,
           executionTarget,
           grantId: grantResult.grant.id,
         }, 'Scoped grant consumed — allowing untrusted actor tool invocation');
@@ -273,7 +273,7 @@ export class ToolApprovalHandler {
       // actors remain fail-closed with no escalation.
       let escalationMessage: string | undefined;
       if (
-        context.guardianActorRole === 'non-guardian'
+        context.guardianTrustClass === 'trusted_contact'
         && context.assistantId
         && context.executionChannel
         && context.requesterExternalUserId
@@ -308,12 +308,12 @@ export class ToolApprovalHandler {
         // If escalation.failed, fall through to generic denial message.
       }
 
-      const reason = escalationMessage ?? guardianApprovalDeniedMessage(context.guardianActorRole, name);
+      const reason = escalationMessage ?? guardianApprovalDeniedMessage(context.guardianTrustClass, name);
       log.warn({
         toolName: name,
         sessionId: context.sessionId,
         conversationId: context.conversationId,
-        actorRole: context.guardianActorRole,
+        trustClass: context.guardianTrustClass,
         executionTarget,
         reason: 'guardian_approval_required',
         grantMissReason: grantResult.reason,

package/src/tools/types.ts

@@ -137,8 +137,8 @@ export interface ToolContext {
   proxyApprovalCallback?: import('./network/script-proxy/types.js').ProxyApprovalCallback;
   /** Optional principal identifier propagated to sub-tool confirmation flows. */
   principal?: string;
-  /** Guardian actor role for the session — used by the guardian control-plane policy gate. */
-  guardianActorRole?: 'guardian' | 'non-guardian' | 'unverified_channel';
+  /** Inbound trust classification for the session — used by trust/policy gates. */
+  guardianTrustClass?: 'guardian' | 'trusted_contact' | 'unknown';
   /** Channel through which the tool invocation originates (e.g. 'telegram', 'voice'). Used for scoped grant consumption. */
   executionChannel?: string;
   /** Voice/call session ID, if the invocation originates from a call. Used for scoped grant consumption. */

package/src/util/logger.ts

@@ -3,12 +3,22 @@ import { join } from 'node:path';
 import { Writable } from 'node:stream';
 
 import pino from 'pino';
+import type { PrettyOptions } from 'pino-pretty';
 import pinoPretty from 'pino-pretty';
 
 import { getDebugMode, getDebugStdoutLogs,getLogStderr } from '../config/env-registry.js';
 import { logSerializers } from './log-redact.js';
 import { getLogPath } from './platform.js';
 
+/** Common pino-pretty options that inline [module] into the message prefix. */
+function prettyOpts(extra?: PrettyOptions): PrettyOptions {
+  return {
+    messageFormat: '[{module}] {msg}',
+    ignore: 'module',
+    ...extra,
+  };
+}
+
 export type LogFileConfig = {
   dir: string | undefined;
   retentionDays: number;
@@ -59,7 +69,7 @@ let activeLogFileConfig: LogFileConfig | null = null;
 
 function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   if (!config.dir) {
-    return pino({ name: 'assistant', serializers: logSerializers }, pinoPretty({ destination: 1 }));
+    return pino({ name: 'assistant', serializers: logSerializers }, pinoPretty(prettyOpts({ destination: 1 })));
   }
 
   if (!existsSync(config.dir)) {
@@ -68,9 +78,10 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
 
   const today = formatDate(new Date());
   const filePath = logFilePathForDate(config.dir, new Date());
-  const fileStream = pino.destination({ dest: filePath, sync: false, mkdir: true, mode: 0o600 });
+  const fileDest = pino.destination({ dest: filePath, sync: false, mkdir: true, mode: 0o600 });
   // Tighten permissions on pre-existing log files that may have been created with looser modes
   try { chmodSync(filePath, 0o600); } catch { /* best-effort */ }
+  const fileStream = pinoPretty(prettyOpts({ destination: fileDest, colorize: false }));
 
   activeLogDate = today;
   activeLogFileConfig = config;
@@ -78,7 +89,7 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   const level = getDebugMode() ? 'debug' : 'info';
 
   if (getDebugMode()) {
-    const prettyStream = pinoPretty({ destination: 2 });
+    const prettyStream = pinoPretty(prettyOpts({ destination: 2 }));
     return pino(
       { name: 'assistant', level, serializers: logSerializers },
       pino.multistream([
@@ -92,7 +103,7 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
     { name: 'assistant', level, serializers: logSerializers },
     pino.multistream([
       { stream: fileStream, level: 'info' as const },
-      { stream: pinoPretty({ destination: 1 }), level: 'info' as const },
+      { stream: pinoPretty(prettyOpts({ destination: 1 })), level: 'info' as const },
     ]),
   );
 }
@@ -135,12 +146,13 @@ function getRootLogger(): pino.Logger {
 
     try {
       const logPath = getLogPath();
-      const fileStream = pino.destination({ dest: logPath, sync: false, mkdir: true, mode: 0o600 });
+      const fileDest = pino.destination({ dest: logPath, sync: false, mkdir: true, mode: 0o600 });
       // Tighten permissions on pre-existing log files that may have been created with looser modes
       try { chmodSync(logPath, 0o600); } catch { /* best-effort */ }
+      const fileStream = pinoPretty(prettyOpts({ destination: fileDest, colorize: false }));
 
       if (getDebugMode()) {
-        const prettyStream = pinoPretty({ destination: 2 });
+        const prettyStream = pinoPretty(prettyOpts({ destination: 2 }));
         const multi = pino.multistream([
           { stream: fileStream, level: 'info' as const },
           { stream: prettyStream, level: 'debug' as const },
@@ -151,14 +163,14 @@ function getRootLogger(): pino.Logger {
           { level: 'info', serializers: logSerializers },
           pino.multistream([
             { stream: fileStream, level: 'info' as const },
-            { stream: pinoPretty({ destination: 1 }), level: 'info' as const },
+            { stream: pinoPretty(prettyOpts({ destination: 1 })), level: 'info' as const },
           ]),
         );
       } else {
         rootLogger = pino({ level: 'info', serializers: logSerializers }, fileStream);
       }
     } catch {
-      rootLogger = pino({ level: getDebugMode() ? 'debug' : 'info', serializers: logSerializers }, pinoPretty({ destination: 2 }));
+      rootLogger = pino({ level: getDebugMode() ? 'debug' : 'info', serializers: logSerializers }, pinoPretty(prettyOpts({ destination: 2 })));
     }
   }
   return rootLogger;

package/src/util/platform.ts

@@ -121,6 +121,15 @@ export function getDataDir(): string {
   return join(getWorkspaceDir(), 'data');
 }
 
+/**
+ * Returns the embedding models directory (~/.vellum/workspace/embedding-models).
+ * Downloaded embedding runtime (onnxruntime-node, transformers bundle, model weights)
+ * is stored here, downloaded post-hatch rather than shipped with the app.
+ */
+export function getEmbeddingModelsDir(): string {
+  return join(getWorkspaceDir(), 'embedding-models');
+}
+
 /**
  * Returns the IPC blob directory (~/.vellum/workspace/data/ipc-blobs).
  * Temporary blob files for zero-copy IPC payloads live here.
@@ -357,6 +366,7 @@ export function ensureDataDir(): void {
     workspace,
     join(workspace, 'hooks'),
     join(workspace, 'skills'),
+    join(workspace, 'embedding-models'),
     // Data sub-dirs under workspace
     wsData,
     join(wsData, 'db'),

package/src/util/voice-code.ts

@@ -0,0 +1,29 @@
+/**
+ * Cryptographic voice invite code generation and hashing.
+ *
+ * Generates short numeric codes (default 6 digits) for voice-channel invite
+ * redemption. The plaintext code is returned once at creation time and never
+ * stored — only its SHA-256 hash is persisted.
+ */
+
+import { createHash, randomInt } from 'node:crypto';
+
+/**
+ * Generate a cryptographically random numeric code of the given length.
+ * Uses node:crypto randomInt for uniform distribution.
+ */
+export function generateVoiceCode(digits: number = 6): string {
+  if (digits < 4 || digits > 10) {
+    throw new Error(`Voice code digit count must be between 4 and 10, got ${digits}`);
+  }
+  const min = Math.pow(10, digits - 1); // e.g. 100000 for 6 digits
+  const max = Math.pow(10, digits);     // e.g. 1000000 for 6 digits
+  return String(randomInt(min, max));
+}
+
+/**
+ * SHA-256 hash a voice code for storage comparison.
+ */
+export function hashVoiceCode(code: string): string {
+  return createHash('sha256').update(code).digest('hex');
+}

package/src/daemon/guardian-invite-intent.ts

@@ -1,124 +0,0 @@
-// Guardian invite intent resolution for deterministic first-turn routing.
-// Exports `resolveGuardianInviteIntent` as the single public entry point.
-// When a guardian invite management request is detected, the session pipeline
-// rewrites the message to force immediate entry into the trusted-contacts
-// skill flow, bypassing the normal agent loop's tendency to produce conceptual
-// preambles before loading the skill.
-
-export type GuardianInviteIntentResult =
-  | { kind: 'none' }
-  | { kind: 'invite_management'; rewrittenContent: string; action?: 'create' | 'list' | 'revoke' };
-
-// ── Direct invite patterns ────────────────────────────────────────────────
-// These capture imperative requests to manage Telegram invite links.
-
-const CREATE_INVITE_PATTERNS: RegExp[] = [
-  /\bcreate\s+(?:an?\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\binvite\s+(?:someone|somebody|a\s+friend|a\s+person)\s+(?:on|to|via|through)\s+telegram\b/i,
-  /\b(?:make|generate|get)\s+(?:a\s+|an\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\btelegram\s+invite\s*(?:link)?\b/i,
-  /\bsend\s+(?:a\s+|an\s+)?invite\s+(?:link\s+)?(?:on|for|via|through)\s+telegram\b/i,
-  /\bshare\s+(?:a\s+|an\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\binvite\s+(?:link\s+)?for\s+telegram\b/i,
-];
-
-const LIST_INVITE_PATTERNS: RegExp[] = [
-  /\b(?:show|list|view|see|display)\s+(?:my\s+)?(?:active\s+)?invite(?:s|\s*links?)\b/i,
-  /\b(?:show|list|view|see|display)\s+(?:my\s+)?(?:telegram\s+)?invite(?:s|\s*links?)\b/i,
-  /\bwhat\s+invite(?:s|\s*links?)\s+(?:do\s+I\s+have|are\s+active|exist)\b/i,
-  /\bhow\s+many\s+invite(?:s|\s*links?)\b/i,
-];
-
-const REVOKE_INVITE_PATTERNS: RegExp[] = [
-  /\b(?:revoke|cancel|disable|invalidate|delete|remove)\s+(?:the\s+|my\s+|an?\s+)?invite\s*(?:link)?\b/i,
-  /\b(?:revoke|cancel|disable|invalidate|delete|remove)\s+(?:the\s+|my\s+|an?\s+)?(?:telegram\s+)?invite\s*(?:link)?\b/i,
-  /\binvite\s*(?:link)?\s+(?:revoke|cancel|disable|invalidate|delete|remove)\b/i,
-];
-
-// ── Conceptual / question patterns ──────────────────────────────────────
-// These indicate the user is asking *about* invites rather than requesting
-// to manage them. Return passthrough for these.
-
-const CONCEPTUAL_PATTERNS: RegExp[] = [
-  /^\s*(?:how|what|why|when|where|who|which)\b.*\binvite/i,
-  /\bwhat\s+(?:is|are)\s+(?:an?\s+)?invite\s*(?:link)?\b/i,
-  /\bhow\s+(?:do|does|can)\s+(?:invite|invitation)s?\s+work\b/i,
-  /\bexplain\s+(?:the\s+)?invite\b/i,
-  /\btell\s+me\s+about\s+invite\b/i,
-];
-
-/** Common polite/filler words stripped before checking intent-only status. */
-const FILLER_PATTERN =
-  /\b(please|pls|plz|can\s+you|could\s+you|would\s+you|now|right\s+now|thanks|thank\s+you|thx|ty|for\s+me|ok(ay)?|hey|hi|hello|just|i\s+want\s+to|i'd\s+like\s+to|i\s+need\s+to|let's|let\s+me)\b/gi;
-
-// ── Internal helpers ─────────────────────────────────────────────────────
-
-function isConceptualQuestion(text: string): boolean {
-  const cleaned = text.replace(/^\s*(hey|hi|hello|please|pls|plz)[,\s]+/i, '');
-  // Allow actionable requests through even though they start with
-  // question-like words — these are imperative invite management requests.
-  if (LIST_INVITE_PATTERNS.some((p) => p.test(cleaned))) return false;
-  if (CREATE_INVITE_PATTERNS.some((p) => p.test(cleaned))) return false;
-  if (REVOKE_INVITE_PATTERNS.some((p) => p.test(cleaned))) return false;
-  return CONCEPTUAL_PATTERNS.some((p) => p.test(cleaned));
-}
-
-function detectAction(text: string): 'create' | 'list' | 'revoke' | undefined {
-  // Check revoke and list before create — create patterns include the broad
-  // `telegram invite link` matcher that would otherwise swallow revoke/list inputs.
-  if (REVOKE_INVITE_PATTERNS.some((p) => p.test(text))) return 'revoke';
-  if (LIST_INVITE_PATTERNS.some((p) => p.test(text))) return 'list';
-  if (CREATE_INVITE_PATTERNS.some((p) => p.test(text))) return 'create';
-  return undefined;
-}
-
-// ── Structured intent resolver ───────────────────────────────────────────
-
-/**
- * Resolves guardian invite management intent from user text.
- *
- * Pipeline:
- * 1. Skip slash commands entirely
- * 2. Conceptual question gate -- questions return `none`
- * 3. Detect create/list/revoke invite patterns
- * 4. On match, build a deterministic model instruction to load trusted-contacts
- */
-export function resolveGuardianInviteIntent(text: string): GuardianInviteIntentResult {
-  const trimmed = text.trim();
-
-  // Never intercept slash commands
-  if (trimmed.startsWith('/')) {
-    return { kind: 'none' };
-  }
-
-  // Conceptual questions pass through to normal agent processing
-  if (isConceptualQuestion(trimmed)) {
-    return { kind: 'none' };
-  }
-
-  // Strip fillers for pattern matching but keep original for context
-  const withoutFillers = trimmed.replace(FILLER_PATTERN, '').replace(/\s{2,}/g, ' ').trim();
-
-  const action = detectAction(withoutFillers);
-  if (!action) {
-    return { kind: 'none' };
-  }
-
-  // Build the rewritten content that deterministically loads the skill
-  const actionDescriptions: Record<string, string> = {
-    create: 'The user wants to create a Telegram invite link. Create the invite, look up the bot username, and present the shareable deep link with copy-paste instructions.',
-    list: 'The user wants to see their invite links. List all invites (especially active ones for Telegram) and present them in a readable format.',
-    revoke: 'The user wants to revoke an invite link. List invites to identify the target, confirm with the user, then revoke it.',
-  };
-
-  const rewrittenContent = [
-    actionDescriptions[action],
-    'Please invoke the "Trusted Contacts" skill (ID: trusted-contacts) immediately using skill_load.',
-  ].join('\n');
-
-  return {
-    kind: 'invite_management',
-    rewrittenContent,
-    action,
-  };
-}