@vellumai/assistant 0.3.28 → 0.4.1

package/src/runtime/guardian-reply-router.ts

@@ -85,6 +85,12 @@ export interface GuardianReplyResult {
   requestId?: string;
   /** Detailed result from the canonical decision primitive (when a decision was attempted). */
   canonicalResult?: CanonicalDecisionResult;
+  /**
+   * When true, the caller should skip legacy approval interception for this
+   * message. Set by the invite handoff bypass so that "open invite flow"
+   * reaches the assistant even when other legacy guardian approvals are pending.
+   */
+  skipApprovalInterception?: boolean;
 }
 
 // ---------------------------------------------------------------------------
@@ -319,7 +325,30 @@ export async function routeGuardianReply(
     }
   }
 
-  // ── 2.5. Deterministic plain-text decisions for known pending targets ──
+  // ── 2.5. Invite handoff bypass for access requests ──
+  // When the guardian sends "open invite flow" and there is at least one
+  // pending access_request, return not_consumed so the message falls through
+  // to the normal assistant turn and can invoke the Trusted Contacts skill.
+  if (messageText.length > 0 && pendingRequests.length > 0) {
+    const normalized = messageText.trim().toLowerCase().replace(/[.!?]+$/g, '');
+    if (normalized === 'open invite flow') {
+      const hasAccessRequest = pendingRequests.some(r => r.kind === 'access_request');
+      if (hasAccessRequest) {
+        log.info(
+          { event: 'router_invite_handoff', pendingCount: pendingRequests.length },
+          'Guardian sent "open invite flow" with pending access_request — passing through to assistant',
+        );
+        return {
+          consumed: false,
+          decisionApplied: false,
+          type: 'not_consumed' as const,
+          skipApprovalInterception: true,
+        };
+      }
+    }
+  }
+
+  // ── 2.6. Deterministic plain-text decisions for known pending targets ──
   // Desktop sessions intentionally do not enable NL classification; when the
   // caller has exactly one known pending request and sends an explicit
   // approve/reject phrase ("approve", "yes", "reject", "no"), apply the
@@ -551,6 +580,7 @@ const EXPLICIT_APPROVE_PHRASES: ReadonlySet<string> = new Set([
   'yes',
   'y',
   'allow',
+  'go for it',
   'go ahead',
   'proceed',
   'do it',

package/src/runtime/ingress-service.ts

@@ -5,6 +5,7 @@
  * both the HTTP routes and the IPC handlers call the same logic.
  */
 
+import { isChannelId } from '../channels/types.js';
 import {
   createInvite,
   type IngressInvite,
@@ -22,11 +23,18 @@ import {
   revokeMember,
   upsertMember,
 } from '../memory/ingress-member-store.js';
+import { isValidE164 } from '../util/phone.js';
+import { generateVoiceCode, hashVoiceCode } from '../util/voice-code.js';
+import { getTransport } from './channel-invite-transport.js';
 import {
   type InviteRedemptionOutcome,
   redeemInvite as redeemInviteTyped,
+  redeemVoiceInviteCode as redeemVoiceInviteCodeTyped,
+  type VoiceRedemptionOutcome,
 } from './invite-redemption-service.js';
 
+import './channel-invite-transports/telegram.js';
+
 // ---------------------------------------------------------------------------
 // Response shapes — used by both HTTP routes and IPC handlers
 // ---------------------------------------------------------------------------
@@ -35,12 +43,20 @@ export interface InviteResponseData {
   id: string;
   sourceChannel: string;
   token?: string;
+  share?: {
+    url: string;
+    displayText: string;
+  };
   tokenHash: string;
   maxUses: number;
   useCount: number;
   expiresAt: number | null;
   status: string;
   note?: string;
+  // Voice invite fields (present only for voice invites)
+  expectedExternalUserId?: string;
+  voiceCode?: string;
+  voiceCodeDigits?: number;
   createdAt: number;
 }
 
@@ -61,17 +77,39 @@ export interface MemberResponseData {
 // Mappers
 // ---------------------------------------------------------------------------
 
-function inviteToResponse(inv: IngressInvite, rawToken?: string): InviteResponseData {
+function buildSharePayload(sourceChannel: string, rawToken?: string): InviteResponseData['share'] | undefined {
+  if (!rawToken || !isChannelId(sourceChannel)) return undefined;
+  const transport = getTransport(sourceChannel);
+  if (!transport?.buildShareableInvite) return undefined;
+
+  try {
+    return transport.buildShareableInvite({
+      rawToken,
+      sourceChannel,
+    });
+  } catch {
+    // Missing channel-specific config (e.g. Telegram bot username) should
+    // not fail invite creation — callers can still use the raw token.
+    return undefined;
+  }
+}
+
+function inviteToResponse(inv: IngressInvite, opts?: { rawToken?: string; voiceCode?: string }): InviteResponseData {
+  const share = buildSharePayload(inv.sourceChannel, opts?.rawToken);
   return {
     id: inv.id,
     sourceChannel: inv.sourceChannel,
-    ...(rawToken ? { token: rawToken } : {}),
+    ...(opts?.rawToken ? { token: opts.rawToken } : {}),
+    ...(share ? { share } : {}),
     tokenHash: inv.tokenHash,
     maxUses: inv.maxUses,
     useCount: inv.useCount,
     expiresAt: inv.expiresAt,
     status: inv.status,
     note: inv.note ?? undefined,
+    ...(inv.expectedExternalUserId ? { expectedExternalUserId: inv.expectedExternalUserId } : {}),
+    ...(opts?.voiceCode ? { voiceCode: opts.voiceCode } : {}),
+    ...(inv.voiceCodeDigits != null ? { voiceCodeDigits: inv.voiceCodeDigits } : {}),
     createdAt: inv.createdAt,
   };
 }
@@ -108,17 +146,46 @@ export function createIngressInvite(params: {
   note?: string;
   maxUses?: number;
   expiresInMs?: number;
+  // Voice invite parameters
+  expectedExternalUserId?: string;
+  voiceCodeDigits?: number;
 }): IngressResult<InviteResponseData> {
   if (!params.sourceChannel) {
     return { ok: false, error: 'sourceChannel is required for create' };
   }
+
+  // For voice invites: generate a one-time numeric code, hash it, and pass
+  // the hash to the store. The plaintext code is included in the response
+  // exactly once and never stored.
+  let voiceCode: string | undefined;
+  let voiceCodeHash: string | undefined;
+  const isVoice = params.sourceChannel === 'voice';
+
+  if (isVoice) {
+    if (!params.expectedExternalUserId) {
+      return { ok: false, error: 'expectedExternalUserId is required for voice invites' };
+    }
+    if (!isValidE164(params.expectedExternalUserId)) {
+      return { ok: false, error: 'expectedExternalUserId must be in E.164 format (e.g., +15551234567)' };
+    }
+    voiceCode = generateVoiceCode(6);
+    voiceCodeHash = hashVoiceCode(voiceCode);
+  }
+
   const { invite, rawToken } = createInvite({
     sourceChannel: params.sourceChannel,
     note: params.note,
     maxUses: params.maxUses,
     expiresInMs: params.expiresInMs,
+    ...(isVoice ? {
+      expectedExternalUserId: params.expectedExternalUserId,
+      voiceCodeHash,
+      voiceCodeDigits: 6,
+    } : {}),
   });
-  return { ok: true, data: inviteToResponse(invite, rawToken) };
+  // Voice invites must not expose the token — callers must redeem via the
+  // identity-bound voice code flow, not the generic token redemption path.
+  return { ok: true, data: inviteToResponse(invite, { rawToken: isVoice ? undefined : rawToken, voiceCode }) };
 }
 
 export function listIngressInvites(params: {
@@ -172,6 +239,7 @@ export function redeemIngressInvite(params: {
 // ---------------------------------------------------------------------------
 
 export { type InviteRedemptionOutcome } from './invite-redemption-service.js';
+export { type VoiceRedemptionOutcome } from './invite-redemption-service.js';
 
 export function redeemIngressInviteTyped(params: {
   rawToken: string;
@@ -185,6 +253,15 @@ export function redeemIngressInviteTyped(params: {
   return redeemInviteTyped(params);
 }
 
+export function redeemVoiceInviteCode(params: {
+  assistantId?: string;
+  callerExternalUserId: string;
+  sourceChannel: 'voice';
+  code: string;
+}): VoiceRedemptionOutcome {
+  return redeemVoiceInviteCodeTyped(params);
+}
+
 // ---------------------------------------------------------------------------
 // Member operations
 // ---------------------------------------------------------------------------

package/src/runtime/invite-redemption-service.ts

@@ -7,9 +7,12 @@
  * persisted, or returned in the outcome.
  */
 
+import type { ChannelId } from '../channels/types.js';
 import { getSqlite } from '../memory/db.js';
-import { findByTokenHash, hashToken, markInviteExpired, recordInviteUse,redeemInvite as storeRedeemInvite } from '../memory/ingress-invite-store.js';
+import { findActiveVoiceInvites,findByTokenHash, hashToken, markInviteExpired, recordInviteUse, redeemInvite as storeRedeemInvite } from '../memory/ingress-invite-store.js';
 import { findMember, upsertMember } from '../memory/ingress-member-store.js';
+import { canonicalizeInboundIdentity } from '../util/canonicalize-identity.js';
+import { hashVoiceCode } from '../util/voice-code.js';
 
 // ---------------------------------------------------------------------------
 // Outcome type
@@ -20,6 +23,13 @@ export type InviteRedemptionOutcome =
   | { ok: true; type: 'already_member'; memberId: string }
   | { ok: false; reason: 'invalid_token' | 'expired' | 'revoked' | 'max_uses_reached' | 'channel_mismatch' | 'missing_identity' };
 
+// Generic failure reasons for voice redemption — intentionally vague to avoid
+// leaking information about which invites exist or which identity is bound.
+export type VoiceRedemptionOutcome =
+  | { ok: true; type: 'redeemed'; memberId: string; inviteId: string }
+  | { ok: true; type: 'already_member'; memberId: string }
+  | { ok: false; reason: 'invalid_or_expired' };
+
 // ---------------------------------------------------------------------------
 // Error-string to typed-reason mapping
 // ---------------------------------------------------------------------------
@@ -111,6 +121,12 @@ export function redeemInvite(params: {
     // Sentinel error used to trigger a transaction rollback when the invite
     // was concurrently revoked/expired between pre-validation and write time.
     const STALE_INVITE = Symbol('stale_invite');
+    const canonicalMemberId = existingMember.externalUserId ? canonicalizeInboundIdentity(sourceChannel as ChannelId, existingMember.externalUserId) : null;
+    const canonicalCallerId = externalUserId ? canonicalizeInboundIdentity(sourceChannel as ChannelId, externalUserId) : null;
+    const memberMatchesSender = !!(canonicalMemberId && canonicalCallerId && canonicalMemberId === canonicalCallerId);
+    const preservedDisplayName = memberMatchesSender && existingMember.displayName?.trim().length
+      ? existingMember.displayName
+      : displayName;
 
     let reactivated: ReturnType<typeof upsertMember> | undefined;
     try {
@@ -120,7 +136,8 @@ export function redeemInvite(params: {
           sourceChannel,
           externalUserId,
           externalChatId,
-          displayName,
+          // Reactivation should not overwrite a guardian-managed nickname.
+          displayName: preservedDisplayName,
           username,
           status: 'active',
           policy: 'allow',
@@ -179,3 +196,125 @@ export function redeemInvite(params: {
     inviteId: result.invite.id,
   };
 }
+
+// ---------------------------------------------------------------------------
+// redeemVoiceInviteCode
+// ---------------------------------------------------------------------------
+
+/**
+ * Redeem a voice invite code for a caller identified by their E.164 phone number.
+ *
+ * Unlike token-based redemption, voice redemption:
+ *   1. Filters only active voice invites bound to the caller's identity
+ *      (expectedExternalUserId must match callerExternalUserId).
+ *   2. Validates the short numeric code by hashing it and comparing to the
+ *      stored voiceCodeHash.
+ *   3. Enforces expiry and use limits.
+ *   4. On success: upserts/reactivates a member with status 'active', policy 'allow'.
+ *   5. Consumes one invite use atomically (increment useCount).
+ *
+ * Failure responses are intentionally generic ("invalid_or_expired") to prevent
+ * oracle attacks that could reveal which invites exist or which phone numbers
+ * are bound.
+ */
+export function redeemVoiceInviteCode(params: {
+  assistantId?: string;
+  callerExternalUserId: string;
+  sourceChannel: 'voice';
+  code: string;
+}): VoiceRedemptionOutcome {
+  const { assistantId = 'self', callerExternalUserId, code } = params;
+
+  if (!callerExternalUserId) {
+    return { ok: false, reason: 'invalid_or_expired' };
+  }
+
+  // Find all active voice invites bound to the caller's phone number
+  const candidates = findActiveVoiceInvites({
+    assistantId,
+    expectedExternalUserId: callerExternalUserId,
+  });
+
+  if (candidates.length === 0) {
+    return { ok: false, reason: 'invalid_or_expired' };
+  }
+
+  const codeHash = hashVoiceCode(code);
+  const now = Date.now();
+
+  // Search for a matching invite: code hash match, not expired, uses remaining
+  const invite = candidates.find((inv) => {
+    if (inv.voiceCodeHash !== codeHash) return false;
+    if (inv.expiresAt <= now) return false;
+    if (inv.useCount >= inv.maxUses) return false;
+    return true;
+  });
+
+  if (!invite) {
+    // Mark any expired candidates while we're here
+    for (const inv of candidates) {
+      if (inv.expiresAt <= now && inv.status === 'active') {
+        markInviteExpired(inv.id);
+      }
+    }
+    return { ok: false, reason: 'invalid_or_expired' };
+  }
+
+  // Channel enforcement: voice invites can only be redeemed on the voice channel
+  if (invite.sourceChannel !== 'voice') {
+    return { ok: false, reason: 'invalid_or_expired' };
+  }
+
+  // Check for existing membership
+  const existingMember = findMember({
+    assistantId: invite.assistantId,
+    sourceChannel: 'voice',
+    externalUserId: callerExternalUserId,
+  });
+
+  if (existingMember && existingMember.status === 'active') {
+    return { ok: true, type: 'already_member', memberId: existingMember.id };
+  }
+
+  // Blocked members cannot bypass the guardian's explicit block
+  if (existingMember && existingMember.status === 'blocked') {
+    return { ok: false, reason: 'invalid_or_expired' };
+  }
+
+  // Atomic redemption: upsert member + consume invite use in a transaction
+  const STALE_INVITE = Symbol('stale_invite');
+  let memberId: string | undefined;
+
+  try {
+    getSqlite().transaction(() => {
+      const member = upsertMember({
+        assistantId: invite.assistantId,
+        sourceChannel: 'voice',
+        externalUserId: callerExternalUserId,
+        status: 'active',
+        policy: 'allow',
+        inviteId: invite.id,
+      });
+      memberId = member.id;
+
+      const recorded = recordInviteUse({
+        inviteId: invite.id,
+        externalUserId: callerExternalUserId,
+      });
+
+      if (!recorded) throw STALE_INVITE;
+    }).immediate();
+  } catch (err) {
+    if (err === STALE_INVITE) {
+      return { ok: false, reason: 'invalid_or_expired' };
+    }
+    throw err;
+  }
+
+  return {
+    ok: true,
+    type: 'redeemed',
+    memberId: memberId!,
+    inviteId: invite.id,
+  };
+}

package/src/runtime/routes/channel-route-shared.ts

@@ -11,7 +11,7 @@ import type {
   ApprovalUIMetadata,
 } from '../channel-approval-types.js';
 import type { DenialReason } from '../guardian-context-resolver.js';
-export type { ActorRole, DenialReason, GuardianContext } from '../guardian-context-resolver.js';
+export type { ActorTrustClass, DenialReason, GuardianContext } from '../guardian-context-resolver.js';
 export { toGuardianRuntimeContext } from '../guardian-context-resolver.js';
 
 /** Canonicalize assistantId for channel ingress paths. */

package/src/runtime/routes/channel-routes.ts

@@ -23,7 +23,7 @@ export {
 } from './channel-inbound-routes.js';
 export {
   _setTestPollMaxWait,
-  type ActorRole,
+  type ActorTrustClass,
   type DenialReason,
   GATEWAY_ORIGIN_HEADER,
   type GuardianContext,

package/src/runtime/routes/conversation-routes.ts

@@ -4,6 +4,7 @@
 import { existsSync, readdirSync, statSync } from 'node:fs';
 import { join, relative } from 'node:path';
 
+import { createAssistantMessage, createUserMessage } from '../../agent/message-types.js';
 import { CHANNEL_IDS, INTERFACE_IDS, parseChannelId, parseInterfaceId } from '../../channels/types.js';
 import { mergeToolResults,renderHistoryContent } from '../../daemon/handlers.js';
 import type { ServerMessage } from '../../daemon/ipc-protocol.js';
@@ -11,6 +12,8 @@ import * as attachmentsStore from '../../memory/attachments-store.js';
 import {
   createCanonicalGuardianRequest,
   generateCanonicalRequestCode,
+  listCanonicalGuardianRequests,
+  listPendingCanonicalGuardianRequestsByDestinationConversation,
 } from '../../memory/canonical-guardian-store.js';
 import {
   getConversationByKey,
@@ -21,6 +24,7 @@ import { getConfiguredProvider } from '../../providers/provider-send-message.js'
 import type { Provider } from '../../providers/types.js';
 import { getLogger } from '../../util/logger.js';
 import { buildAssistantEvent } from '../assistant-event.js';
+import { routeGuardianReply } from '../guardian-reply-router.js';
 import { httpError } from '../http-errors.js';
 import type {
   MessageProcessor,
@@ -35,6 +39,143 @@ const log = getLogger('conversation-routes');
 
 const SUGGESTION_CACHE_MAX = 100;
 
+function collectLivePendingConfirmationRequestIds(
+  conversationId: string,
+  sourceChannel: string,
+  session: import('../../daemon/session.js').Session,
+): string[] {
+  const pendingInteractionRequestIds = pendingInteractions
+    .getByConversation(conversationId)
+    .filter(
+      (interaction) =>
+        interaction.kind === 'confirmation'
+        && interaction.session === session
+        && session.hasPendingConfirmation(interaction.requestId),
+    )
+    .map((interaction) => interaction.requestId);
+
+  // Query both by destination conversation (via deliveries table) and by
+  // source conversation (direct field). For desktop/HTTP sessions these
+  // often overlap, but the Set dedup below handles that.
+  const pendingCanonicalRequestIds = [
+    ...listPendingCanonicalGuardianRequestsByDestinationConversation(conversationId, sourceChannel)
+      .filter((request) => request.kind === 'tool_approval')
+      .map((request) => request.id),
+    ...listCanonicalGuardianRequests({
+      status: 'pending',
+      conversationId,
+      kind: 'tool_approval',
+    }).map((request) => request.id),
+  ].filter((requestId) => session.hasPendingConfirmation(requestId));
+
+  return Array.from(new Set([
+    ...pendingInteractionRequestIds,
+    ...pendingCanonicalRequestIds,
+  ]));
+}
+
+async function tryConsumeInlineApprovalReply(params: {
+  conversationId: string;
+  sourceChannel: string;
+  sourceInterface: string;
+  content: string;
+  attachments: Array<{
+    id: string;
+    filename: string;
+    mimeType: string;
+    data: string;
+  }>;
+  session: import('../../daemon/session.js').Session;
+  onEvent: (msg: ServerMessage) => void;
+}): Promise<{ consumed: boolean; messageId?: string }> {
+  const {
+    conversationId,
+    sourceChannel,
+    sourceInterface,
+    content,
+    attachments,
+    session,
+    onEvent,
+  } = params;
+  const trimmedContent = content.trim();
+
+  // Only consume inline replies when there are no queued turns, matching
+  // the IPC path guard. With queued messages, "approve"/"no" should be
+  // processed in queue order rather than treated as a confirmation reply.
+  if (
+    !session.hasAnyPendingConfirmation()
+    || session.getQueueDepth() > 0
+    || trimmedContent.length === 0
+  ) {
+    return { consumed: false };
+  }
+
+  const pendingRequestIds = collectLivePendingConfirmationRequestIds(conversationId, sourceChannel, session);
+  if (pendingRequestIds.length === 0) {
+    return { consumed: false };
+  }
+
+  const routerResult = await routeGuardianReply({
+    messageText: trimmedContent,
+    channel: sourceChannel,
+    actor: {
+      externalUserId: undefined,
+      channel: sourceChannel,
+      isTrusted: true,
+    },
+    conversationId,
+    pendingRequestIds,
+  });
+
+  if (!routerResult.consumed || routerResult.type === 'nl_keep_pending') {
+    return { consumed: false };
+  }
+
+  // Decision has been applied — transcript persistence is best-effort.
+  // If DB writes fail, we still return consumed: true so the approval text
+  // is not re-processed as a new user turn.
+  let messageId: string | undefined;
+  try {
+    const channelMeta = {
+      userMessageChannel: sourceChannel,
+      assistantMessageChannel: sourceChannel,
+      userMessageInterface: sourceInterface,
+      assistantMessageInterface: sourceInterface,
+      provenanceActorRole: 'guardian' as const,
+    };
+
+    const userMessage = createUserMessage(content, attachments);
+    const persistedUser = await conversationStore.addMessage(
+      conversationId,
+      'user',
+      JSON.stringify(userMessage.content),
+      channelMeta,
+    );
+    messageId = persistedUser.id;
+
+    const replyText = (routerResult.replyText?.trim())
+      || (routerResult.decisionApplied ? 'Decision applied.' : 'Request already resolved.');
+    const assistantMessage = createAssistantMessage(replyText);
+    await conversationStore.addMessage(
+      conversationId,
+      'assistant',
+      JSON.stringify(assistantMessage.content),
+      channelMeta,
+    );
+
+    // Avoid mutating in-memory history / emitting stream deltas while a run is active.
+    if (!session.isProcessing()) {
+      session.getMessages().push(userMessage, assistantMessage);
+      onEvent({ type: 'assistant_text_delta', text: replyText, sessionId: conversationId });
+      onEvent({ type: 'message_complete', sessionId: conversationId });
+    }
+  } catch (err) {
+    log.warn({ err, conversationId }, 'Failed to persist inline approval transcript entries');
+  }
+
+  return { consumed: true, messageId };
+}
+
 function getInterfaceFilesWithMtimes(interfacesDir: string | null): Array<{ path: string; mtimeMs: number }> {
   if (!interfacesDir || !existsSync(interfacesDir)) return [];
   const results: Array<{ path: string; mtimeMs: number }> = [];
@@ -283,13 +424,36 @@ export async function handleSendMessage(
     const session = await smDeps.getOrCreateSession(mapping.conversationId);
     // HTTP API is a trusted local ingress (same as IPC) — set guardian context
     // so that memory extraction is not silently disabled by unverified provenance.
-    session.setGuardianContext({ actorRole: 'guardian', sourceChannel: sourceChannel ?? 'http' });
+    session.setGuardianContext({ trustClass: 'guardian', sourceChannel: sourceChannel ?? 'http' });
     const onEvent = makeHubPublisher(smDeps, mapping.conversationId, session);
 
     const attachments = hasAttachments
       ? smDeps.resolveAttachments(attachmentIds)
       : [];
 
+    // Try to consume the message as an inline approval/rejection reply.
+    // On failure, degrade to the existing queue/auto-deny path rather than
+    // surfacing a 500 — mirrors the IPC handler's catch-and-fallback.
+    try {
+      const inlineReplyResult = await tryConsumeInlineApprovalReply({
+        conversationId: mapping.conversationId,
+        sourceChannel,
+        sourceInterface,
+        content: content ?? '',
+        attachments,
+        session,
+        onEvent,
+      });
+      if (inlineReplyResult.consumed) {
+        return Response.json(
+          { accepted: true, ...(inlineReplyResult.messageId ? { messageId: inlineReplyResult.messageId } : {}) },
+          { status: 202 },
+        );
+      }
+    } catch (err) {
+      log.warn({ err, conversationId: mapping.conversationId }, 'Inline approval consumption failed, falling through to normal send path');
+    }
+
     if (session.isProcessing()) {
       // If a tool confirmation is pending, auto-deny it so the agent
       // can finish the current turn and process this queued message.
@@ -353,7 +517,7 @@ export async function handleSendMessage(
       mapping.conversationId,
       content ?? '',
       hasAttachments ? attachmentIds : undefined,
-      { guardianContext: { actorRole: 'guardian', sourceChannel } },
+      { guardianContext: { trustClass: 'guardian', sourceChannel } },
       sourceChannel,
       sourceInterface,
     );

package/src/runtime/routes/guardian-approval-interception.ts

@@ -100,7 +100,7 @@ export async function handleApprovalInterception(
   // request targeting this chat, the message might be a decision on behalf
   // of a non-guardian requester.
   if (
-    guardianCtx.actorRole === 'guardian' &&
+    guardianCtx.trustClass === 'guardian' &&
     senderExternalUserId
   ) {
     // Callback/button path: deterministic and takes priority.
@@ -161,7 +161,7 @@ export async function handleApprovalInterception(
     if (guardianApproval) {
       // Validate that the sender is the specific guardian who was assigned
       // this approval request. This is a defense-in-depth check — the
-      // actorRole check above already verifies the sender is a guardian,
+      // trustClass check above already verifies the sender is a guardian,
       // but this catches edge cases like binding rotation between request
       // creation and decision.
       if (senderExternalUserId !== guardianApproval.guardianExternalUserId) {
@@ -548,9 +548,15 @@ export async function handleApprovalInterception(
   const pendingPrompt = getChannelApprovalPrompt(conversationId);
   if (!pendingPrompt) return { handled: false };
 
-  // When the sender is from an unverified channel, auto-deny any pending
-  // confirmation and block self-approval.
-  if (guardianCtx.actorRole === 'unverified_channel') {
+  // Legacy unverified-channel equivalent:
+  // unknown trust + explicit denial reason (`no_identity` / `no_binding`).
+  // Unknown without a denial reason means identity-known, non-member sender
+  // in a shared channel; that case must not force-reject someone else's request.
+  const isLegacyUnverifiedSender = guardianCtx.trustClass === 'unknown' && !!guardianCtx.denialReason;
+
+  // When the sender is from a legacy-unverified channel actor, auto-deny any
+  // pending confirmation and block self-approval.
+  if (isLegacyUnverifiedSender) {
     const pending = getApprovalInfoByConversation(conversationId);
     if (pending.length > 0) {
       handleChannelDecision(
@@ -569,7 +575,12 @@ export async function handleApprovalInterception(
   // When the sender is a non-guardian and there's a pending guardian approval
   // for this conversation's request, block self-approval. The non-guardian must
   // wait for the guardian to decide.
-  if (guardianCtx.actorRole === 'non-guardian') {
+  //
+  // Include identity-known, non-member senders (`unknown` without denialReason)
+  // so shared-channel participants can't approve/deny someone else's pending request.
+  const isIdentityKnownNonGuardian = guardianCtx.trustClass === 'trusted_contact'
+    || (guardianCtx.trustClass === 'unknown' && !guardianCtx.denialReason);
+  if (isIdentityKnownNonGuardian) {
     const pending = getApprovalInfoByConversation(conversationId);
     if (pending.length > 0) {
       const guardianApprovalForRequest = getPendingApprovalForRequest(pending[0].requestId);