@vellumai/assistant 0.3.28 → 0.4.1

package/src/config/memory-schema.ts

@@ -145,7 +145,7 @@ const MemoryFreshnessConfigSchema = z.object({
       .number({ error: 'memory.retrieval.freshness.maxAgeDays.opinion must be a number' })
       .nonnegative('memory.retrieval.freshness.maxAgeDays.opinion must be non-negative')
       .default(60),
-  }).default({} as any),
+  }).default({ fact: 0, preference: 0, behavior: 90, event: 30, opinion: 60 }),
   staleDecay: z
     .number({ error: 'memory.retrieval.freshness.staleDecay must be a number' })
     .min(0, 'memory.retrieval.freshness.staleDecay must be >= 0')
@@ -181,15 +181,15 @@ export const MemoryRetrievalConfigSchema = z.object({
       error: 'memory.retrieval.injectionStrategy must be "prepend_user_block" or "separate_context_message"',
     })
     .default('prepend_user_block'),
-  reranking: MemoryRerankingConfigSchema.default({} as any),
-  freshness: MemoryFreshnessConfigSchema.default({} as any),
+  reranking: MemoryRerankingConfigSchema.default(MemoryRerankingConfigSchema.parse({})),
+  freshness: MemoryFreshnessConfigSchema.default(MemoryFreshnessConfigSchema.parse({})),
   scopePolicy: z
     .enum(['allow_global_fallback', 'strict'], {
       error: 'memory.retrieval.scopePolicy must be "allow_global_fallback" or "strict"',
     })
     .default('allow_global_fallback'),
-  dynamicBudget: MemoryDynamicBudgetConfigSchema.default({} as any),
-  earlyTermination: MemoryEarlyTerminationConfigSchema.default({} as any),
+  dynamicBudget: MemoryDynamicBudgetConfigSchema.default(MemoryDynamicBudgetConfigSchema.parse({})),
+  earlyTermination: MemoryEarlyTerminationConfigSchema.default(MemoryEarlyTerminationConfigSchema.parse({})),
 });
 
 export const MemorySegmentationConfigSchema = z.object({
@@ -287,7 +287,7 @@ export const MemoryEntityConfigSchema = z.object({
       .int('memory.entity.extractRelations.backfillBatchSize must be an integer')
       .positive('memory.entity.extractRelations.backfillBatchSize must be a positive integer')
       .default(200),
-  }).default({} as any),
+  }).default({ enabled: true, backfillBatchSize: 200 }),
   relationRetrieval: z.object({
     enabled: z
       .boolean({ error: 'memory.entity.relationRetrieval.enabled must be a boolean' })
@@ -320,7 +320,15 @@ export const MemoryEntityConfigSchema = z.object({
     depthDecay: z
       .boolean({ error: 'memory.entity.relationRetrieval.depthDecay must be a boolean' })
       .default(true),
-  }).default({} as any),
+  }).default({
+    enabled: true,
+    maxSeedEntities: 8,
+    maxNeighborEntities: 20,
+    maxEdges: 40,
+    neighborScoreMultiplier: 0.7,
+    maxDepth: 3,
+    depthDecay: true,
+  }),
 });
 
 export const MemoryConflictsConfigSchema = z.object({
@@ -384,18 +392,18 @@ export const MemoryConfigSchema = z.object({
   enabled: z
     .boolean({ error: 'memory.enabled must be a boolean' })
     .default(true),
-  embeddings: MemoryEmbeddingsConfigSchema.default({} as any),
-  qdrant: QdrantConfigSchema.default({} as any),
-  retrieval: MemoryRetrievalConfigSchema.default({} as any),
-  segmentation: MemorySegmentationConfigSchema.default({} as any),
-  jobs: MemoryJobsConfigSchema.default({} as any),
-  retention: MemoryRetentionConfigSchema.default({} as any),
-  cleanup: MemoryCleanupConfigSchema.default({} as any),
-  extraction: MemoryExtractionConfigSchema.default({} as any),
-  summarization: MemorySummarizationConfigSchema.default({} as any),
-  entity: MemoryEntityConfigSchema.default({} as any),
-  conflicts: MemoryConflictsConfigSchema.default({} as any),
-  profile: MemoryProfileConfigSchema.default({} as any),
+  embeddings: MemoryEmbeddingsConfigSchema.default(MemoryEmbeddingsConfigSchema.parse({})),
+  qdrant: QdrantConfigSchema.default(QdrantConfigSchema.parse({})),
+  retrieval: MemoryRetrievalConfigSchema.default(MemoryRetrievalConfigSchema.parse({})),
+  segmentation: MemorySegmentationConfigSchema.default(MemorySegmentationConfigSchema.parse({})),
+  jobs: MemoryJobsConfigSchema.default(MemoryJobsConfigSchema.parse({})),
+  retention: MemoryRetentionConfigSchema.default(MemoryRetentionConfigSchema.parse({})),
+  cleanup: MemoryCleanupConfigSchema.default(MemoryCleanupConfigSchema.parse({})),
+  extraction: MemoryExtractionConfigSchema.default(MemoryExtractionConfigSchema.parse({})),
+  summarization: MemorySummarizationConfigSchema.default(MemorySummarizationConfigSchema.parse({})),
+  entity: MemoryEntityConfigSchema.default(MemoryEntityConfigSchema.parse({})),
+  conflicts: MemoryConflictsConfigSchema.default(MemoryConflictsConfigSchema.parse({})),
+  profile: MemoryProfileConfigSchema.default(MemoryProfileConfigSchema.parse({})),
 });
 
 export type MemoryEmbeddingsConfig = z.infer<typeof MemoryEmbeddingsConfigSchema>;

package/src/config/schema.ts

@@ -206,34 +206,34 @@ export const AssistantConfigSchema = z.object({
     .int('maxToolUseTurns must be an integer')
     .positive('maxToolUseTurns must be a positive integer')
     .default(60),
-  thinking: ThinkingConfigSchema.default({} as any),
-  contextWindow: ContextWindowConfigSchema.default({} as any),
-  memory: MemoryConfigSchema.default({} as any),
+  thinking: ThinkingConfigSchema.default(ThinkingConfigSchema.parse({})),
+  contextWindow: ContextWindowConfigSchema.default(ContextWindowConfigSchema.parse({})),
+  memory: MemoryConfigSchema.default(MemoryConfigSchema.parse({})),
   dataDir: z
     .string({ error: 'dataDir must be a string' })
     .default(getDataDir()),
-  timeouts: TimeoutConfigSchema.default({} as any),
-  sandbox: SandboxConfigSchema.default({} as any),
-  rateLimit: RateLimitConfigSchema.default({} as any),
-  secretDetection: SecretDetectionConfigSchema.default({} as any),
-  permissions: PermissionsConfigSchema.default({} as any),
-  auditLog: AuditLogConfigSchema.default({} as any),
-  logFile: LogFileConfigSchema.default({} as any),
+  timeouts: TimeoutConfigSchema.default(TimeoutConfigSchema.parse({})),
+  sandbox: SandboxConfigSchema.default(SandboxConfigSchema.parse({})),
+  rateLimit: RateLimitConfigSchema.default(RateLimitConfigSchema.parse({})),
+  secretDetection: SecretDetectionConfigSchema.default(SecretDetectionConfigSchema.parse({})),
+  permissions: PermissionsConfigSchema.default(PermissionsConfigSchema.parse({})),
+  auditLog: AuditLogConfigSchema.default(AuditLogConfigSchema.parse({})),
+  logFile: LogFileConfigSchema.default(LogFileConfigSchema.parse({})),
   pricingOverrides: z
     .array(ModelPricingOverrideSchema)
     .default([]),
-  heartbeat: HeartbeatConfigSchema.default({} as any),
-  swarm: SwarmConfigSchema.default({} as any),
-  mcp: McpConfigSchema.default({} as any),
-  skills: SkillsConfigSchema.default({} as any),
-  workspaceGit: WorkspaceGitConfigSchema.default({} as any),
-  calls: CallsConfigSchema.default({} as any),
-  sms: SmsConfigSchema.default({} as any),
+  heartbeat: HeartbeatConfigSchema.default(HeartbeatConfigSchema.parse({})),
+  swarm: SwarmConfigSchema.default(SwarmConfigSchema.parse({})),
+  mcp: McpConfigSchema.default(McpConfigSchema.parse({})),
+  skills: SkillsConfigSchema.default(SkillsConfigSchema.parse({})),
+  workspaceGit: WorkspaceGitConfigSchema.default(WorkspaceGitConfigSchema.parse({})),
+  calls: CallsConfigSchema.default(CallsConfigSchema.parse({})),
+  sms: SmsConfigSchema.default(SmsConfigSchema.parse({})),
   ingress: IngressConfigSchema,
-  platform: PlatformConfigSchema.default({} as any),
-  daemon: DaemonConfigSchema.default({} as any),
-  notifications: NotificationsConfigSchema.default({} as any),
-  ui: UiConfigSchema.default({} as any),
+  platform: PlatformConfigSchema.default(PlatformConfigSchema.parse({})),
+  daemon: DaemonConfigSchema.default(DaemonConfigSchema.parse({})),
+  notifications: NotificationsConfigSchema.default(NotificationsConfigSchema.parse({})),
+  ui: UiConfigSchema.default(UiConfigSchema.parse({})),
   featureFlags: z
     .record(z.string(), z.boolean({ error: 'featureFlags values must be booleans' }))
     .default({} as any),

package/src/config/skills-schema.ts

@@ -24,8 +24,8 @@ export const RemoteProviderConfigSchema = z.object({
 });
 
 export const RemoteProvidersConfigSchema = z.object({
-  skillssh: RemoteProviderConfigSchema.default({} as any),
-  clawhub: RemoteProviderConfigSchema.default({} as any),
+  skillssh: RemoteProviderConfigSchema.default(RemoteProviderConfigSchema.parse({})),
+  clawhub: RemoteProviderConfigSchema.default(RemoteProviderConfigSchema.parse({})),
 });
 
 // 'unknown' is valid as a risk label on a skill but not as a threshold — setting the threshold
@@ -41,12 +41,12 @@ export const RemotePolicyConfigSchema = z.object({
 });
 
 export const SkillsConfigSchema = z.object({
-  entries: z.record(z.string(), SkillEntryConfigSchema).default({} as any),
-  load: SkillsLoadConfigSchema.default({} as any),
-  install: SkillsInstallConfigSchema.default({} as any),
+  entries: z.record(z.string(), SkillEntryConfigSchema).default({} as Record<string, never>),
+  load: SkillsLoadConfigSchema.default(SkillsLoadConfigSchema.parse({})),
+  install: SkillsInstallConfigSchema.default(SkillsInstallConfigSchema.parse({})),
   allowBundled: z.array(z.string()).nullable().default(null),
-  remoteProviders: RemoteProvidersConfigSchema.default({} as any),
-  remotePolicy: RemotePolicyConfigSchema.default({} as any),
+  remoteProviders: RemoteProvidersConfigSchema.default(RemoteProvidersConfigSchema.parse({})),
+  remotePolicy: RemotePolicyConfigSchema.default(RemotePolicyConfigSchema.parse({})),
 });
 
 export type SkillEntryConfig = z.infer<typeof SkillEntryConfigSchema>;

package/src/config/vellum-skills/trusted-contacts/SKILL.md

@@ -1,11 +1,11 @@
 ---
 name: "Trusted Contacts"
-description: "Manage trusted contacts and Telegram invite links — list, allow, revoke, block users, and create/list/revoke invite links for external channels"
+description: "Manage trusted contacts and invite links — list, allow, revoke, block users, and create/list/revoke invite links for Telegram and voice (phone call) channels"
 user-invocable: true
 metadata: {"vellum": {"emoji": "\ud83d\udc65"}}
 ---
 
-You are helping your user manage trusted contacts and invite links for the Vellum Assistant. Trusted contacts control who is allowed to send messages to the assistant through external channels like Telegram and SMS. Invite links let the guardian share a Telegram deep link that automatically grants access when opened. All operations go through the gateway HTTP API using `curl` with bearer auth.
+You are helping your user manage trusted contacts and invite links for the Vellum Assistant. Trusted contacts control who is allowed to send messages to the assistant through external channels like Telegram, SMS, and voice (phone calls). Invite links let the guardian share a Telegram deep link that automatically grants access when opened. Voice invites let the guardian authorize a specific phone number to call in — the invitee must call from that phone number AND enter a one-time numeric code. All operations go through the gateway HTTP API using `curl` with bearer auth.
 
 ## Prerequisites
 
@@ -18,8 +18,9 @@ You are helping your user manage trusted contacts and invite links for the Vellu
 - **Member**: A user identity (external user ID or chat ID) from a specific channel that has been registered with a policy.
 - **Policy**: Controls what the member can do — `allow` (can message freely) or `deny` (blocked from messaging).
 - **Status**: The member's lifecycle state — `active` (currently effective), `revoked` (access removed), or `blocked` (explicitly denied).
-- **Source channel**: The messaging platform the contact uses (e.g., `telegram`, `sms`).
+- **Source channel**: The messaging platform the contact uses (e.g., `telegram`, `sms`, `voice`).
 - **Invite link**: A shareable Telegram deep link that, when opened by someone, automatically grants them trusted-contact access. Each invite has a token, usage limits, and optional expiration.
+- **Voice invite**: An invite bound to a specific phone number for phone-call access. The guardian provides the invitee's phone number (E.164 format, e.g., `+15551234567`), and the system generates a numeric code. The invitee must call from that exact phone number AND enter the code when prompted. Both conditions must be met — the call must originate from the bound number, and the correct code must be entered. Voice invites do not have a Telegram-style deep link and do not use `/start` payload tokens. SMS-based invites are not supported.
 
 ## Available Actions
 
@@ -128,14 +129,6 @@ Use this when the guardian wants to invite someone to message the assistant on T
 ```bash
 TOKEN=$(cat ~/.vellum/http-token)
 
-BOT_CONFIG_JSON=$(curl -s "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/telegram/config" \
-  -H "Authorization: Bearer $TOKEN")
-BOT_USERNAME=$(printf '%s' "$BOT_CONFIG_JSON" | tr -d '\n' | sed -n 's/.*"botUsername"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
-if [ -z "$BOT_USERNAME" ]; then
-  echo "error:no_bot_username"
-  exit 1
-fi
-
 INVITE_JSON=$(curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites" \
   -H "Content-Type: application/json" \
   -H "Authorization: Bearer $TOKEN" \
@@ -144,14 +137,40 @@ INVITE_JSON=$(curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites" \
     "maxUses": 1,
     "note": "<optional note, e.g. the person it is for>"
   }')
-INVITE_TOKEN=$(printf '%s' "$INVITE_JSON" | tr -d '\n' | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+
+INVITE_TOKEN=$(printf '%s' "$INVITE_JSON" | python3 -c "
+import json, sys
+data = json.load(sys.stdin)
+invite = data.get('invite', {})
+print(invite.get('token', ''), end='')
+")
+INVITE_URL=$(printf '%s' "$INVITE_JSON" | python3 -c "
+import json, sys
+data = json.load(sys.stdin)
+invite = data.get('invite', {})
+share = invite.get('share') or {}
+print(share.get('url', ''), end='')
+")
+
 if [ -z "$INVITE_TOKEN" ]; then
   printf '%s\n' "$INVITE_JSON"
   exit 1
 fi
 
+# Prefer backend-provided canonical link when available.
+if [ -z "$INVITE_URL" ]; then
+  BOT_CONFIG_JSON=$(curl -s "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/telegram/config" \
+    -H "Authorization: Bearer $TOKEN")
+  BOT_USERNAME=$(printf '%s' "$BOT_CONFIG_JSON" | tr -d '\n' | sed -n 's/.*"botUsername"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+  if [ -z "$BOT_USERNAME" ]; then
+    echo "error:no_share_url_or_bot_username"
+    exit 1
+  fi
+  INVITE_URL="https://t.me/$BOT_USERNAME?start=iv_$INVITE_TOKEN"
+fi
+
 echo "<vellum-sensitive-output kind=\"invite_code\" value=\"$INVITE_TOKEN\" />"
-echo "https://t.me/$BOT_USERNAME?start=iv_$INVITE_TOKEN"
+echo "$INVITE_URL"
 ```
 
 Optional fields:
@@ -159,7 +178,11 @@ Optional fields:
 - `expiresInMs` — expiration time in milliseconds from now (e.g., `86400000` for 24 hours). Defaults to 7 days (`604800000`) if omitted.
 - `note` — a human-readable label for the invite (e.g., "For Mom", "Family group").
 
-The create response contains `{ ok: true, invite: { id, token, ... } }`. The `token` field is the raw invite token — it is only returned at creation time and cannot be retrieved later.
+The create response contains `{ ok: true, invite: { id, token, share?, ... } }`.
+- `token` is the raw invite token and is only returned at creation time.
+- `share.url` is the canonical shareable deep link (when channel transport config is available).
+
+Always use `invite.share.url` when present. Do not manually construct `?start=` links if the API already provided one.
 
 **Presenting to the guardian**: Give the guardian the link with clear copy-paste instructions:
 
@@ -216,9 +239,99 @@ curl -s -X DELETE "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites/<invite_id>" \
 
 Replace `<invite_id>` with the invite's `id` from the list response.
 
+### 8. Create a voice invite
+
+Use this when the guardian wants to authorize a specific phone number to call the assistant. Voice invites are identity-bound: the invitee must call from the specified phone number AND enter a one-time numeric code.
+
+**Important**: The response includes a `voiceCode` field that is only returned at creation time and cannot be retrieved later. Extract and present it clearly.
+
+```bash
+TOKEN=$(cat ~/.vellum/http-token)
+
+INVITE_JSON=$(curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites" \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer $TOKEN" \
+  -d '{
+    "sourceChannel": "voice",
+    "expectedExternalUserId": "<phone_number_E164>",
+    "maxUses": 1,
+    "note": "<optional note, e.g. the person it is for>"
+  }')
+printf '%s\n' "$INVITE_JSON"
+```
+
+Required fields:
+- `sourceChannel` — must be `"voice"`
+- `expectedExternalUserId` — the invitee's phone number in E.164 format (e.g., `+15551234567`)
+
+Optional fields:
+- `maxUses` — how many times the code can be used (default: 1)
+- `expiresInMs` — expiration time in milliseconds from now (e.g., `86400000` for 24 hours). Defaults to 7 days if omitted.
+- ~~`voiceCodeDigits`~~ — always 6 digits; this parameter is accepted but ignored
+- `note` — a human-readable label for the invite (e.g., "For Mom", "Dr. Smith")
+
+The create response contains `{ ok: true, invite: { id, voiceCode, expectedExternalUserId, ... } }`.
+- `voiceCode` is the numeric code the invitee must enter and is only returned at creation time.
+- Voice invite responses do **not** include `token` or `share.url`. Do not try to build or send a deep link for voice invites.
+
+**Presenting to the guardian**: Give the guardian clear instructions to relay to the invitee:
+
+> Voice invite created for **<phone_number>**:
+>
+> **Invite code: `<voiceCode>`**
+>
+> Share these instructions with the person you are inviting:
+> 1. Call the assistant's phone number from **<phone_number>** (the call must come from this exact number)
+> 2. When prompted, enter the code **<voiceCode>**
+> 3. Once verified, they will be added as a trusted contact and can call the assistant directly in the future
+>
+> This code can be used <maxUses> time(s)<and expires in X hours/days if applicable>.
+
+There is no "open link" step for voice invites. The invite is redeemed only during a live phone call from the bound number.
+
+If the user provides a phone number without the `+` country code prefix, ask them to confirm the full E.164 number (e.g., US numbers should be `+1XXXXXXXXXX`).
+
+**Note**: SMS-based invites are not currently supported. Only voice (phone call) invites are available for phone-based access.
+
+### 9. List voice invites
+
+Use this to show the guardian their active voice invites.
+
+```bash
+TOKEN=$(cat ~/.vellum/http-token)
+curl -s "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites?sourceChannel=voice" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+Optional query parameters:
+- `status` — filter by status (`active`, `revoked`, `redeemed`, `expired`)
+
+The response format is the same as regular invites but voice invites also include:
+- `expectedExternalUserId` — the bound phone number
+- `voiceCodeDigits` — always 6 (the code itself is not retrievable after creation)
+- `token` and `share` are not present for voice invites
+
+**Presenting results**: Format as a readable list. Show the note (or "unnamed" as fallback), bound phone number, status, uses remaining, and expiration. Highlight which invites are still active.
+
+### 10. Revoke a voice invite
+
+Use this when the guardian wants to cancel an active voice invite. **Always confirm before revoking.**
+
+Ask the user: *"I'll revoke the voice invite for [phone number or note]. The code will no longer work. Should I proceed?"*
+
+First, list voice invites to find the invite's `id`, then revoke:
+
+```bash
+TOKEN=$(cat ~/.vellum/http-token)
+curl -s -X DELETE "$INTERNAL_GATEWAY_BASE_URL/v1/ingress/invites/<invite_id>" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+Replace `<invite_id>` with the invite's `id` from the list response. The same revoke endpoint is used for both Telegram and voice invites.
+
 ## Confirmation Requirements
 
-**All mutating actions (allow, revoke, block, revoke invite) require explicit user confirmation before execution.** This is a safety measure — modifying who can access the assistant should always be a deliberate choice. Creating an invite link does not require confirmation since it does not grant access until someone opens it.
+**All mutating actions (allow, revoke, block, revoke invite) require explicit user confirmation before execution.** This is a safety measure — modifying who can access the assistant should always be a deliberate choice. Creating an invite (Telegram link or voice invite) does not require confirmation since it does not grant access until the invitee redeems it.
 
 - Clearly state what action you are about to take and who it affects.
 - Wait for the user to confirm before running the curl command.
@@ -232,7 +345,9 @@ Replace `<invite_id>` with the invite's `id` from the list response.
   - `At least one of externalUserId or externalChatId is required` — ask the user for the contact's channel-specific identifier.
   - `Member not found or cannot be revoked` — the member ID may be invalid or the member is already revoked.
   - `Member not found or already blocked` — the member ID may be invalid or the member is already blocked.
-  - `sourceChannel is required for create` — when creating an invite, always pass `"sourceChannel": "telegram"`.
+  - `sourceChannel is required for create` — when creating an invite, always pass `"sourceChannel": "telegram"` for Telegram or `"sourceChannel": "voice"` for voice invites.
+  - `expectedExternalUserId is required for voice invites` — voice invites must include the invitee's phone number.
+  - `expectedExternalUserId must be in E.164 format` — the phone number must start with `+` followed by country code and number (e.g., `+15551234567`).
   - `Invite not found or already revoked` — the invite ID may be invalid or the invite is already revoked.
 
 ## Typical Workflows
@@ -252,3 +367,11 @@ Replace `<invite_id>` with the invite's `id` from the list response.
 **"Show my invites"** / **"List active invite links"** — List invites filtered by `sourceChannel=telegram`, present active invites with uses remaining and expiration info.
 
 **"Revoke invite"** / **"Cancel invite link"** — List invites to identify the target, confirm, then revoke by ID.
+
+**"Create a voice invite for +15551234567"** — Create a voice invite with `sourceChannel: "voice"` and the given phone number as `expectedExternalUserId`. Present the invite code and instructions: the person must call from that number and enter the code.
+
+**"Let my mom call in"** / **"Invite someone by phone"** — Ask for the phone number in E.164 format, create a voice invite, and present the code + calling instructions.
+
+**"Show my voice invites"** / **"List phone invites"** — List invites filtered by `sourceChannel=voice`, present active invites with bound phone number and expiration info.
+
+**"Revoke voice invite"** / **"Cancel the phone invite for +15551234567"** — List voice invites, identify the target by phone number or note, confirm, then revoke by ID.

package/src/daemon/handlers/config-inbox.ts

@@ -303,9 +303,9 @@ async function executeApprove(
     }
   }
   session.setAssistantId(assistantId);
-  // The guardian approved this escalation, so tag as guardian to avoid
-  // 'unverified_channel' blocking memory extraction.
-  session.setGuardianContext({ actorRole: 'guardian', sourceChannel: sourceChannel ?? 'vellum' });
+  // The guardian approved this escalation, so tag as guardian trust to avoid
+  // unknown-provenance memory gating.
+  session.setGuardianContext({ trustClass: 'guardian', sourceChannel: sourceChannel ?? 'vellum' });
   session.setCommandIntent(null);
 
   // Process the message through the agent loop (no IPC event callback
@@ -379,7 +379,7 @@ async function executeDeny(
   // Store a system note about the denial in the conversation
   const denialInterface = isInterfaceId(sourceChannel) ? sourceChannel : undefined;
   await addMessage(conversationId, 'assistant', denialText, {
-    provenanceActorRole: 'guardian' as const,
+    provenanceTrustClass: 'guardian' as const,
     userMessageChannel: sourceChannel,
     assistantMessageChannel: sourceChannel,
     ...(denialInterface ? { userMessageInterface: denialInterface, assistantMessageInterface: denialInterface } : {}),

package/src/daemon/handlers/sessions.ts

@@ -2,18 +2,26 @@ import * as net from 'node:net';
 
 import { v4 as uuid } from 'uuid';
 
+import { createAssistantMessage, createUserMessage } from '../../agent/message-types.js';
 import { type InterfaceId,isChannelId, parseChannelId, parseInterfaceId } from '../../channels/types.js';
 import { getConfig } from '../../config/loader.js';
 import { getAttachmentsForMessage, getFilePathForAttachment, setAttachmentThumbnail } from '../../memory/attachments-store.js';
+import {
+  listCanonicalGuardianRequests,
+  listPendingCanonicalGuardianRequestsByDestinationConversation,
+} from '../../memory/canonical-guardian-store.js';
 import { getAttentionStateByConversationIds } from '../../memory/conversation-attention-store.js';
 import * as conversationStore from '../../memory/conversation-store.js';
 import { GENERATING_TITLE, queueGenerateConversationTitle, UNTITLED_FALLBACK } from '../../memory/conversation-title-service.js';
 import * as externalConversationStore from '../../memory/external-conversation-store.js';
+import { routeGuardianReply } from '../../runtime/guardian-reply-router.js';
+import * as pendingInteractions from '../../runtime/pending-interactions.js';
 import { checkIngressForSecrets } from '../../security/secret-ingress.js';
 import { compileCustomPatterns, redactSecrets } from '../../security/secret-scanner.js';
 import { getSubagentManager } from '../../subagent/index.js';
 import { silentlyWithLog } from '../../util/silently.js';
 import { truncate } from '../../util/truncate.js';
+import { createApprovalConversationGenerator } from '../approval-generators.js';
 import { getAssistantName } from '../identity-helpers.js';
 import type { UserMessageAttachment } from '../ipc-contract.js';
 import type {
@@ -56,6 +64,8 @@ import {
   wireEscalationHandler,
 } from './shared.js';
 
+const desktopApprovalConversationGenerator = createApprovalConversationGenerator();
+
 export async function handleUserMessage(
   msg: UserMessage,
   socket: net.Socket,
@@ -172,9 +182,9 @@ export async function handleUserMessage(
         assistantMessageInterface: ipcInterface,
       });
       session.setAssistantId('self');
-      // IPC/desktop user IS the guardian — default to guardian role so messages
-      // are not tagged 'unverified_channel' (which blocks memory extraction).
-      session.setGuardianContext({ actorRole: 'guardian', sourceChannel: ipcChannel });
+      // IPC/desktop user IS the guardian — default to guardian trust so
+      // messages are not tagged as unknown provenance.
+      session.setGuardianContext({ trustClass: 'guardian', sourceChannel: ipcChannel });
       session.setCommandIntent(null);
       // Fire-and-forget: don't block the IPC handler so the connection can
       // continue receiving messages (e.g. cancel, confirmations, or
@@ -451,12 +461,146 @@ export async function handleUserMessage(
       }
     }
 
+    // If exactly one live turn is waiting on confirmation (no queued turns),
+    // try to consume this text as an inline approval decision first.
+    if (
+      session.hasAnyPendingConfirmation()
+      && session.getQueueDepth() === 0
+      && messageText.trim().length > 0
+    ) {
+      try {
+        const pendingInteractionRequestIdsForConversation = pendingInteractions
+          .getByConversation(msg.sessionId)
+          .filter(
+            (interaction) =>
+              interaction.kind === 'confirmation'
+              && interaction.session === session
+              && session.hasPendingConfirmation(interaction.requestId),
+          )
+          .map((interaction) => interaction.requestId);
+
+        const pendingCanonicalRequestIdsForConversation = [
+          ...listPendingCanonicalGuardianRequestsByDestinationConversation(msg.sessionId, ipcChannel)
+            .filter((request) => request.kind === 'tool_approval')
+            .map((request) => request.id),
+          ...listCanonicalGuardianRequests({
+            status: 'pending',
+            conversationId: msg.sessionId,
+            kind: 'tool_approval',
+          }).map((request) => request.id),
+        ].filter((pendingRequestId) => session.hasPendingConfirmation(pendingRequestId));
+
+        const pendingRequestIdsForConversation = Array.from(new Set([
+          ...pendingInteractionRequestIdsForConversation,
+          ...pendingCanonicalRequestIdsForConversation,
+        ]));
+
+        if (pendingRequestIdsForConversation.length > 0) {
+          const routerResult = await routeGuardianReply({
+            messageText: messageText.trim(),
+            channel: ipcChannel,
+            actor: {
+              externalUserId: undefined,
+              channel: ipcChannel,
+              isTrusted: true,
+            },
+            conversationId: msg.sessionId,
+            pendingRequestIds: pendingRequestIdsForConversation,
+            approvalConversationGenerator: desktopApprovalConversationGenerator,
+          });
+
+          if (routerResult.consumed && routerResult.type !== 'nl_keep_pending') {
+            const consumedChannelMeta = {
+              userMessageChannel: ipcChannel,
+              assistantMessageChannel: ipcChannel,
+              userMessageInterface: ipcInterface,
+              assistantMessageInterface: ipcInterface,
+              provenanceActorRole: 'guardian' as const,
+            };
+
+            const consumedUserMessage = createUserMessage(messageText, msg.attachments ?? []);
+            await conversationStore.addMessage(
+              msg.sessionId,
+              'user',
+              JSON.stringify(consumedUserMessage.content),
+              consumedChannelMeta,
+            );
+
+            const replyText = (routerResult.replyText?.trim())
+              || (routerResult.decisionApplied ? 'Decision applied.' : 'Request already resolved.');
+            const consumedAssistantMessage = createAssistantMessage(replyText);
+            await conversationStore.addMessage(
+              msg.sessionId,
+              'assistant',
+              JSON.stringify(consumedAssistantMessage.content),
+              consumedChannelMeta,
+            );
+            // Avoid mutating in-memory history while an agent loop is active;
+            // the loop owns history reconstruction for the in-flight turn.
+            if (!session.isProcessing()) {
+              // Keep in-memory history aligned with persisted transcript so
+              // session-history operations (undo/regenerate) target the same turn.
+              session.messages.push(consumedUserMessage, consumedAssistantMessage);
+            }
+
+            // Mirror the normal queued/dequeued lifecycle so desktop clients can
+            // reconcile queued bubble state for this just-sent user message.
+            ctx.send(socket, {
+              type: 'message_queued',
+              sessionId: msg.sessionId,
+              requestId,
+              position: 0,
+            });
+            ctx.send(socket, {
+              type: 'message_dequeued',
+              sessionId: msg.sessionId,
+              requestId,
+            });
+
+            // Only emit the reply delta when no agent turn is in-flight.
+            // When the agent is active, currentAssistantMessageId on the client
+            // points to the agent's streaming message and this delta would
+            // contaminate it.  The reply is already persisted to the DB, so the
+            // client will see it on the next transcript reload / session switch.
+            if (!session.isProcessing()) {
+              ctx.send(socket, {
+                type: 'assistant_text_delta',
+                text: replyText,
+                sessionId: msg.sessionId,
+              });
+            }
+            ctx.send(socket, {
+              type: 'message_request_complete',
+              sessionId: msg.sessionId,
+              requestId,
+              runStillActive: session.isProcessing(),
+            });
+
+            rlog.info(
+              { routerType: routerResult.type, decisionApplied: routerResult.decisionApplied, routerRequestId: routerResult.requestId },
+              'Consumed pending-confirmation reply before auto-deny',
+            );
+            return;
+          }
+        }
+      } catch (err) {
+        rlog.warn({ err }, 'Failed to process pending-confirmation reply; falling back to auto-deny behavior');
+      }
+    }
+
     // If the session has a pending tool confirmation, auto-deny it so the
-    // agent can process the user's follow-up message instead.  The agent
+    // agent can process the user's follow-up message instead. The agent
     // will see the denial and can re-request the tool if still needed.
     if (session.hasAnyPendingConfirmation()) {
       rlog.info('Auto-denying pending confirmation(s) due to new user message');
       session.denyAllPendingConfirmations();
+      // Keep the pending-interaction tracker aligned with the prompter so
+      // stale request IDs are not reused as routing candidates.
+      for (const interaction of pendingInteractions.getByConversation(msg.sessionId)) {
+        if (interaction.session === session && interaction.kind === 'confirmation') {
+          pendingInteractions.resolve(interaction.requestId);
+        }
+      }
     }
 
     dispatchUserMessage(

package/src/daemon/ipc-contract/messages.ts

@@ -173,6 +173,21 @@ export interface MessageDequeued {
   requestId: string;
 }
 
+/**
+ * Request-level terminal signal for a user message lifecycle.
+ *
+ * Unlike `message_complete`, this does not imply the active assistant turn
+ * has completed. It is used for paths that consume a request inline while a
+ * separate in-flight turn may still be running.
+ */
+export interface MessageRequestComplete {
+  type: 'message_request_complete';
+  sessionId: string;
+  requestId: string;
+  /** True when an existing turn is still running after this request is finalized. */
+  runStillActive?: boolean;
+}
+
 export interface MessageQueuedDeleted {
   type: 'message_queued_deleted';
   sessionId: string;
@@ -241,6 +256,7 @@ export type _MessagesServerMessages =
   | SecretDetected
   | MessageQueued
   | MessageDequeued
+  | MessageRequestComplete
   | MessageQueuedDeleted
   | SuggestionResponse
   | TraceEvent;

package/src/daemon/ipc-contract-inventory.json

@@ -267,6 +267,7 @@
     "message_dequeued",
     "message_queued",
     "message_queued_deleted",
+    "message_request_complete",
     "model_info",
     "navigate_settings",
     "notification_intent",