@vellumai/assistant 0.3.28 → 0.4.1

package/src/runtime/routes/inbound-message-handler.ts

@@ -76,6 +76,7 @@ import { handleApprovalInterception } from './guardian-approval-interception.js'
 import { deliverGeneratedApprovalPrompt } from './guardian-approval-prompt.js';
 
 import '../channel-invite-transports/telegram.js';
+import '../channel-invite-transports/voice.js';
 
 const log = getLogger('runtime-http');
 
@@ -229,7 +230,7 @@ export async function handleChannelInbound(
     typeof (rawCommandIntentForAcl as Record<string, unknown>).payload === 'string' &&
     ((rawCommandIntentForAcl as Record<string, unknown>).payload as string).startsWith('gv_');
 
-  // Parse invite token from /start iv_<token> commands using the transport
+  // Parse invite token from /start payloads using the channel transport
   // adapter. The token is extracted once here so both the ACL bypass and
   // the intercept handler can reference it without re-parsing.
   const commandIntentForAcl = rawCommandIntentForAcl && typeof rawCommandIntentForAcl === 'object' && !Array.isArray(rawCommandIntentForAcl)
@@ -291,7 +292,7 @@ export async function handleChannelInbound(
       }
 
       // ── Invite token intercept (non-member) ──
-      // /start iv_<token> deep links grant access without guardian approval.
+      // /start invite deep links grant access without guardian approval.
       // Intercept here — before the deny gate — so valid invites short-circuit
       // the ACL rejection and never reach the agent pipeline.
       if (inviteToken && denyNonMember) {
@@ -774,6 +775,21 @@ export async function handleChannelInbound(
     const guardianVerifyOutcome: 'verified' | 'failed' = verifyResult.success ? 'verified' : 'failed';
 
     if (verifyResult.success) {
+      const existingMember = (canonicalSenderId ?? rawSenderId)
+        ? findMember({
+          assistantId: canonicalAssistantId,
+          sourceChannel,
+          externalUserId: canonicalSenderId ?? rawSenderId!,
+          externalChatId,
+        })
+        : null;
+      const memberMatchesSender = existingMember?.externalUserId
+        ? canonicalizeInboundIdentity(sourceChannel, existingMember.externalUserId) === (canonicalSenderId ?? rawSenderId)
+        : false;
+      const preservedDisplayName = memberMatchesSender && existingMember?.displayName?.trim().length
+        ? existingMember.displayName
+        : body.senderName;
+
       upsertMember({
         assistantId: canonicalAssistantId,
         sourceChannel,
@@ -781,7 +797,8 @@ export async function handleChannelInbound(
         externalChatId,
         status: 'active',
         policy: 'allow',
-        displayName: body.senderName,
+        // Keep guardian-curated member name stable across re-verification.
+        displayName: preservedDisplayName,
         username: body.senderUsername,
       });
 
@@ -898,8 +915,14 @@ export async function handleChannelInbound(
     externalChatId,
     senderExternalUserId: rawSenderId,
     senderUsername: body.senderUsername,
+    senderDisplayName: body.senderName,
   });
 
+  // Hoisted flag: set by the canonical guardian reply router when the invite
+  // handoff bypass fires. Prevents legacy approval interception from swallowing
+  // the message when other approvals are pending in the same chat.
+  let skipApprovalInterception = false;
+
   // ── Canonical guardian reply router ──
   // Attempts to route inbound messages through the canonical decision pipeline
   // before falling through to the legacy approval interception. Handles
@@ -910,7 +933,7 @@ export async function handleChannelInbound(
     replyCallbackUrl &&
     (trimmedContent.length > 0 || hasCallbackData) &&
     rawSenderId &&
-    guardianCtx.actorRole === 'guardian'
+    guardianCtx.trustClass === 'guardian'
   ) {
     // Compute destination-scoped pending request hints so the router can
     // discover canonical requests delivered to this chat even when the
@@ -983,13 +1006,21 @@ export async function handleChannelInbound(
         requestId: routerResult.requestId,
       });
     }
+
+    if (routerResult.skipApprovalInterception) {
+      skipApprovalInterception = true;
+    }
   }
 
   // ── Approval interception ──
   // Keep this active whenever callback context is available.
+  // Skipped when the canonical router flagged skipApprovalInterception (e.g.
+  // invite handoff bypass) to prevent the legacy interceptor from swallowing
+  // messages that should reach the assistant.
   if (
     replyCallbackUrl &&
-    !result.duplicate
+    !result.duplicate &&
+    !skipApprovalInterception
   ) {
     const approvalResult = await handleApprovalInterception({
       conversationId: result.conversationId,
@@ -1369,7 +1400,7 @@ function startPendingApprovalPromptWatcher(params: {
   conversationId: string;
   sourceChannel: ChannelId;
   externalChatId: string;
-  guardianActorRole: GuardianContext['actorRole'];
+  guardianTrustClass: GuardianContext['trustClass'];
   replyCallbackUrl: string;
   bearerToken?: string;
   assistantId?: string;
@@ -1379,7 +1410,7 @@ function startPendingApprovalPromptWatcher(params: {
     conversationId,
     sourceChannel,
     externalChatId,
-    guardianActorRole,
+    guardianTrustClass,
     replyCallbackUrl,
     bearerToken,
     assistantId,
@@ -1388,7 +1419,7 @@ function startPendingApprovalPromptWatcher(params: {
 
   // Approval prompt delivery is guardian-only. Non-guardian and unverified
   // actors must never receive approval prompt broadcasts for the conversation.
-  if (guardianActorRole !== 'guardian') {
+  if (guardianTrustClass !== 'guardian') {
     return () => {};
   }
 
@@ -1470,7 +1501,7 @@ function processChannelMessageInBackground(params: BackgroundProcessingParams):
         conversationId,
         sourceChannel,
         externalChatId,
-        guardianActorRole: guardianCtx.actorRole,
+        guardianTrustClass: guardianCtx.trustClass,
         replyCallbackUrl,
         bearerToken,
         assistantId,
@@ -1494,7 +1525,7 @@ function processChannelMessageInBackground(params: BackgroundProcessingParams):
           },
           assistantId,
           guardianContext: toGuardianRuntimeContext(sourceChannel, guardianCtx),
-          isInteractive: guardianCtx.actorRole === 'guardian',
+          isInteractive: guardianCtx.trustClass === 'guardian',
           ...(cmdIntent ? { commandIntent: cmdIntent } : {}),
         },
         sourceChannel,

package/src/runtime/routes/ingress-routes.ts

@@ -8,10 +8,10 @@
  *   POST   /v1/ingress/members/:id/block — block a member
  *
  * Invites:
- *   GET    /v1/ingress/invites           — list invites
- *   POST   /v1/ingress/invites           — create an invite
- *   DELETE /v1/ingress/invites/:id       — revoke an invite
- *   POST   /v1/ingress/invites/redeem    — redeem an invite
+ *   GET    /v1/ingress/invites        — list invites
+ *   POST   /v1/ingress/invites        — create an invite (supports voice)
+ *   DELETE /v1/ingress/invites/:id    — revoke an invite
+ *   POST   /v1/ingress/invites/redeem — redeem an invite (token or voice code)
  */
 
 import {
@@ -20,6 +20,7 @@ import {
   listIngressInvites,
   listIngressMembers,
   redeemIngressInvite,
+  redeemVoiceInviteCode,
   revokeIngressInvite,
   revokeIngressMember,
   upsertIngressMember,
@@ -130,6 +131,11 @@ export function handleListInvites(url: URL): Response {
 
 /**
  * POST /v1/ingress/invites
+ *
+ * For voice invites, pass `sourceChannel: "voice"` with required
+ * `expectedExternalUserId` (E.164 phone). Voice codes are always 6 digits.
+ * The response will include a one-time `voiceCode` field that must be
+ * communicated to the invited user out-of-band.
  */
 export async function handleCreateInvite(req: Request): Promise<Response> {
   const body = (await req.json()) as Record<string, unknown>;
@@ -139,6 +145,8 @@ export async function handleCreateInvite(req: Request): Promise<Response> {
     note: body.note as string | undefined,
     maxUses: body.maxUses as number | undefined,
     expiresInMs: body.expiresInMs as number | undefined,
+    expectedExternalUserId: body.expectedExternalUserId as string | undefined,
+    voiceCodeDigits: body.voiceCodeDigits as number | undefined,
   });
 
   if (!result.ok) {
@@ -161,10 +169,50 @@ export function handleRevokeInvite(inviteId: string): Response {
 
 /**
  * POST /v1/ingress/invites/redeem
+ *
+ * Unified invite redemption endpoint. Supports two modes:
+ *
+ * 1. **Token-based** (existing): pass `token`, `sourceChannel`, `externalUserId`, etc.
+ * 2. **Voice code** (new): pass `code` and `callerExternalUserId` (E.164 phone).
+ *    Optionally pass `assistantId`.
+ *
+ * The presence of `code` in the body selects voice-code redemption.
  */
 export async function handleRedeemInvite(req: Request): Promise<Response> {
   const body = (await req.json()) as Record<string, unknown>;
 
+  // Voice-code redemption path: triggered when `code` is present
+  if (body.code != null) {
+    const callerExternalUserId = body.callerExternalUserId as string | undefined;
+    const code = body.code as string | undefined;
+
+    if (!callerExternalUserId || !code) {
+      return Response.json(
+        { ok: false, error: 'callerExternalUserId and code are required' },
+        { status: 400 },
+      );
+    }
+
+    const result = redeemVoiceInviteCode({
+      assistantId: body.assistantId as string | undefined,
+      callerExternalUserId,
+      sourceChannel: 'voice',
+      code,
+    });
+
+    if (!result.ok) {
+      return Response.json({ ok: false, error: result.reason }, { status: 400 });
+    }
+
+    return Response.json({
+      ok: true,
+      type: result.type,
+      memberId: result.memberId,
+      ...(result.type === 'redeemed' ? { inviteId: result.inviteId } : {}),
+    });
+  }
+
+  // Token-based redemption path (default)
   const result = redeemIngressInvite({
     token: body.token as string | undefined,
     externalUserId: body.externalUserId as string | undefined,

package/src/runtime/routes/pairing-routes.ts

@@ -75,6 +75,9 @@ export async function handlePairingRequest(req: Request, ctx: PairingHandlerCont
 
     const result = ctx.pairingStore.beginRequest({ pairingRequestId, pairingSecret, deviceId, deviceName });
     if (!result.ok) {
+      if (result.reason === 'already_paired') {
+        return httpError('CONFLICT', 'This pairing request is already bound to another device', 409);
+      }
       const statusCode = result.reason === 'invalid_secret' ? 403 : result.reason === 'not_found' ? 403 : 410;
       return httpError('FORBIDDEN', 'Forbidden', statusCode);
     }

package/src/tools/guardian-control-plane-policy.ts

@@ -124,13 +124,13 @@ export function isGuardianControlPlaneInvocation(
 export function enforceGuardianOnlyPolicy(
   toolName: string,
   input: Record<string, unknown>,
-  actorRole: string | undefined,
+  trustClass: string | undefined,
 ): { denied: boolean; reason?: string } {
   if (!isGuardianControlPlaneInvocation(toolName, input)) {
     return { denied: false };
   }
 
-  if (actorRole === 'guardian' || actorRole === undefined) {
+  if (trustClass === 'guardian' || trustClass === undefined) {
     return { denied: false };
   }
 

package/src/tools/reminder/reminder-store.ts

@@ -1,7 +1,7 @@
 import { and, asc, eq, lte } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
-import { getDb, rawChanges } from '../../memory/db.js';
+import { getDb, rawRun } from '../../memory/db.js';
 import { reminders } from '../../memory/schema.js';
 import { cast,createRowMapper, parseJson } from '../../util/row-mapper.js';
 
@@ -105,14 +105,11 @@ export function listReminders(options?: { pendingOnly?: boolean }): ReminderRow[
 }
 
 export function cancelReminder(id: string): boolean {
-  const db = getDb();
   const now = Date.now();
-  db
-    .update(reminders)
-    .set({ status: 'cancelled', updatedAt: now })
-    .where(and(eq(reminders.id, id), eq(reminders.status, 'pending')))
-    .run();
-  return rawChanges() > 0;
+  return rawRun(
+    'UPDATE reminders SET status = ?, updated_at = ? WHERE id = ? AND status = ?',
+    'cancelled', now, id, 'pending',
+  ) > 0;
 }
 
 /**
@@ -132,13 +129,12 @@ export function claimDueReminders(now: number): ReminderRow[] {
 
   const claimed: ReminderRow[] = [];
   for (const row of candidates) {
-    db
-      .update(reminders)
-      .set({ status: 'firing', firedAt: now, updatedAt: now })
-      .where(and(eq(reminders.id, row.id), eq(reminders.status, 'pending')))
-      .run();
+    const changed = rawRun(
+      'UPDATE reminders SET status = ?, fired_at = ?, updated_at = ? WHERE id = ? AND status = ?',
+      'firing', now, now, row.id, 'pending',
+    );
 
-    if (rawChanges() === 0) continue;
+    if (changed === 0) continue;
 
     claimed.push(parseRow({
       ...row,

package/src/tools/tool-approval-handler.ts

@@ -10,8 +10,8 @@ import type { ExecutionTarget, Tool, ToolContext, ToolExecutionResult, ToolLifec
 
 const log = getLogger('tool-approval-handler');
 
-function isUntrustedGuardianActorRole(role: ToolContext['guardianActorRole']): boolean {
-  return role === 'non-guardian' || role === 'unverified_channel';
+function isUntrustedGuardianTrustClass(role: ToolContext['guardianTrustClass']): boolean {
+  return role === 'trusted_contact' || role === 'unknown';
 }
 
 function requiresGuardianApprovalForActor(
@@ -26,10 +26,10 @@ function requiresGuardianApprovalForActor(
 }
 
 function guardianApprovalDeniedMessage(
-  actorRole: ToolContext['guardianActorRole'],
+  trustClass: ToolContext['guardianTrustClass'],
   toolName: string,
 ): string {
-  if (actorRole === 'unverified_channel') {
+  if (trustClass === 'unknown') {
     return `Permission denied for "${toolName}": this action requires guardian approval from a verified channel identity.`;
   }
   return `Permission denied for "${toolName}": this action requires guardian approval and the current actor is not the guardian.`;
@@ -82,13 +82,13 @@ export class ToolApprovalHandler {
     }
 
     // Reject tool invocations targeting guardian control-plane endpoints from non-guardian actors.
-    const guardianCheck = enforceGuardianOnlyPolicy(name, input, context.guardianActorRole);
+    const guardianCheck = enforceGuardianOnlyPolicy(name, input, context.guardianTrustClass);
     if (guardianCheck.denied) {
       log.warn({
         toolName: name,
         sessionId: context.sessionId,
         conversationId: context.conversationId,
-        actorRole: context.guardianActorRole,
+        trustClass: context.guardianTrustClass,
         reason: 'guardian_only_policy',
       }, 'Guardian-only policy blocked tool invocation');
       const durationMs = Date.now() - startTime;
@@ -118,7 +118,7 @@ export class ToolApprovalHandler {
     let deferredConsumeParams: Parameters<typeof consumeGrantForInvocation>[0] | null = null;
 
     if (
-      isUntrustedGuardianActorRole(context.guardianActorRole)
+      isUntrustedGuardianTrustClass(context.guardianTrustClass)
       && requiresGuardianApprovalForActor(name, input, executionTarget)
     ) {
       const inputDigest = computeToolApprovalDigest(name, input);
@@ -233,7 +233,7 @@ export class ToolApprovalHandler {
           toolName: name,
           sessionId: context.sessionId,
           conversationId: context.conversationId,
-          actorRole: context.guardianActorRole,
+          trustClass: context.guardianTrustClass,
           executionTarget,
           grantId: grantResult.grant.id,
         }, 'Scoped grant consumed — allowing untrusted actor tool invocation');
@@ -273,7 +273,7 @@ export class ToolApprovalHandler {
       // actors remain fail-closed with no escalation.
       let escalationMessage: string | undefined;
       if (
-        context.guardianActorRole === 'non-guardian'
+        context.guardianTrustClass === 'trusted_contact'
         && context.assistantId
         && context.executionChannel
         && context.requesterExternalUserId
@@ -308,12 +308,12 @@ export class ToolApprovalHandler {
         // If escalation.failed, fall through to generic denial message.
       }
 
-      const reason = escalationMessage ?? guardianApprovalDeniedMessage(context.guardianActorRole, name);
+      const reason = escalationMessage ?? guardianApprovalDeniedMessage(context.guardianTrustClass, name);
       log.warn({
         toolName: name,
         sessionId: context.sessionId,
         conversationId: context.conversationId,
-        actorRole: context.guardianActorRole,
+        trustClass: context.guardianTrustClass,
         executionTarget,
         reason: 'guardian_approval_required',
         grantMissReason: grantResult.reason,

package/src/tools/types.ts

@@ -137,8 +137,8 @@ export interface ToolContext {
   proxyApprovalCallback?: import('./network/script-proxy/types.js').ProxyApprovalCallback;
   /** Optional principal identifier propagated to sub-tool confirmation flows. */
   principal?: string;
-  /** Guardian actor role for the session — used by the guardian control-plane policy gate. */
-  guardianActorRole?: 'guardian' | 'non-guardian' | 'unverified_channel';
+  /** Inbound trust classification for the session — used by trust/policy gates. */
+  guardianTrustClass?: 'guardian' | 'trusted_contact' | 'unknown';
   /** Channel through which the tool invocation originates (e.g. 'telegram', 'voice'). Used for scoped grant consumption. */
   executionChannel?: string;
   /** Voice/call session ID, if the invocation originates from a call. Used for scoped grant consumption. */

package/src/util/logger.ts

@@ -3,12 +3,22 @@ import { join } from 'node:path';
 import { Writable } from 'node:stream';
 
 import pino from 'pino';
+import type { PrettyOptions } from 'pino-pretty';
 import pinoPretty from 'pino-pretty';
 
 import { getDebugMode, getDebugStdoutLogs,getLogStderr } from '../config/env-registry.js';
 import { logSerializers } from './log-redact.js';
 import { getLogPath } from './platform.js';
 
+/** Common pino-pretty options that inline [module] into the message prefix. */
+function prettyOpts(extra?: PrettyOptions): PrettyOptions {
+  return {
+    messageFormat: '[{module}] {msg}',
+    ignore: 'module',
+    ...extra,
+  };
+}
+
 export type LogFileConfig = {
   dir: string | undefined;
   retentionDays: number;
@@ -59,7 +69,7 @@ let activeLogFileConfig: LogFileConfig | null = null;
 
 function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   if (!config.dir) {
-    return pino({ name: 'assistant', serializers: logSerializers }, pinoPretty({ destination: 1 }));
+    return pino({ name: 'assistant', serializers: logSerializers }, pinoPretty(prettyOpts({ destination: 1 })));
   }
 
   if (!existsSync(config.dir)) {
@@ -68,9 +78,10 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
 
   const today = formatDate(new Date());
   const filePath = logFilePathForDate(config.dir, new Date());
-  const fileStream = pino.destination({ dest: filePath, sync: false, mkdir: true, mode: 0o600 });
+  const fileDest = pino.destination({ dest: filePath, sync: false, mkdir: true, mode: 0o600 });
   // Tighten permissions on pre-existing log files that may have been created with looser modes
   try { chmodSync(filePath, 0o600); } catch { /* best-effort */ }
+  const fileStream = pinoPretty(prettyOpts({ destination: fileDest, colorize: false }));
 
   activeLogDate = today;
   activeLogFileConfig = config;
@@ -78,7 +89,7 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   const level = getDebugMode() ? 'debug' : 'info';
 
   if (getDebugMode()) {
-    const prettyStream = pinoPretty({ destination: 2 });
+    const prettyStream = pinoPretty(prettyOpts({ destination: 2 }));
     return pino(
       { name: 'assistant', level, serializers: logSerializers },
       pino.multistream([
@@ -92,7 +103,7 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
     { name: 'assistant', level, serializers: logSerializers },
     pino.multistream([
       { stream: fileStream, level: 'info' as const },
-      { stream: pinoPretty({ destination: 1 }), level: 'info' as const },
+      { stream: pinoPretty(prettyOpts({ destination: 1 })), level: 'info' as const },
     ]),
   );
 }
@@ -135,12 +146,13 @@ function getRootLogger(): pino.Logger {
 
     try {
       const logPath = getLogPath();
-      const fileStream = pino.destination({ dest: logPath, sync: false, mkdir: true, mode: 0o600 });
+      const fileDest = pino.destination({ dest: logPath, sync: false, mkdir: true, mode: 0o600 });
       // Tighten permissions on pre-existing log files that may have been created with looser modes
       try { chmodSync(logPath, 0o600); } catch { /* best-effort */ }
+      const fileStream = pinoPretty(prettyOpts({ destination: fileDest, colorize: false }));
 
       if (getDebugMode()) {
-        const prettyStream = pinoPretty({ destination: 2 });
+        const prettyStream = pinoPretty(prettyOpts({ destination: 2 }));
         const multi = pino.multistream([
           { stream: fileStream, level: 'info' as const },
           { stream: prettyStream, level: 'debug' as const },
@@ -151,14 +163,14 @@ function getRootLogger(): pino.Logger {
           { level: 'info', serializers: logSerializers },
           pino.multistream([
             { stream: fileStream, level: 'info' as const },
-            { stream: pinoPretty({ destination: 1 }), level: 'info' as const },
+            { stream: pinoPretty(prettyOpts({ destination: 1 })), level: 'info' as const },
           ]),
         );
       } else {
         rootLogger = pino({ level: 'info', serializers: logSerializers }, fileStream);
       }
     } catch {
-      rootLogger = pino({ level: getDebugMode() ? 'debug' : 'info', serializers: logSerializers }, pinoPretty({ destination: 2 }));
+      rootLogger = pino({ level: getDebugMode() ? 'debug' : 'info', serializers: logSerializers }, pinoPretty(prettyOpts({ destination: 2 })));
     }
   }
   return rootLogger;

package/src/util/platform.ts

@@ -121,6 +121,15 @@ export function getDataDir(): string {
   return join(getWorkspaceDir(), 'data');
 }
 
+/**
+ * Returns the embedding models directory (~/.vellum/workspace/embedding-models).
+ * Downloaded embedding runtime (onnxruntime-node, transformers bundle, model weights)
+ * is stored here, downloaded post-hatch rather than shipped with the app.
+ */
+export function getEmbeddingModelsDir(): string {
+  return join(getWorkspaceDir(), 'embedding-models');
+}
+
 /**
  * Returns the IPC blob directory (~/.vellum/workspace/data/ipc-blobs).
  * Temporary blob files for zero-copy IPC payloads live here.
@@ -357,6 +366,7 @@ export function ensureDataDir(): void {
     workspace,
     join(workspace, 'hooks'),
     join(workspace, 'skills'),
+    join(workspace, 'embedding-models'),
     // Data sub-dirs under workspace
     wsData,
     join(wsData, 'db'),

package/src/util/voice-code.ts

@@ -0,0 +1,29 @@
+/**
+ * Cryptographic voice invite code generation and hashing.
+ *
+ * Generates short numeric codes (default 6 digits) for voice-channel invite
+ * redemption. The plaintext code is returned once at creation time and never
+ * stored — only its SHA-256 hash is persisted.
+ */
+
+import { createHash, randomInt } from 'node:crypto';
+
+/**
+ * Generate a cryptographically random numeric code of the given length.
+ * Uses node:crypto randomInt for uniform distribution.
+ */
+export function generateVoiceCode(digits: number = 6): string {
+  if (digits < 4 || digits > 10) {
+    throw new Error(`Voice code digit count must be between 4 and 10, got ${digits}`);
+  }
+  const min = Math.pow(10, digits - 1); // e.g. 100000 for 6 digits
+  const max = Math.pow(10, digits);     // e.g. 1000000 for 6 digits
+  return String(randomInt(min, max));
+}
+
+/**
+ * SHA-256 hash a voice code for storage comparison.
+ */
+export function hashVoiceCode(code: string): string {
+  return createHash('sha256').update(code).digest('hex');
+}