@vellumai/assistant 0.3.3 → 0.3.5

package/src/runtime/http-server.ts

@@ -11,7 +11,7 @@ import { fileURLToPath } from 'node:url';
 import { timingSafeEqual } from 'node:crypto';
 import { ConfigError, IngressBlockedError } from '../util/errors.js';
 import { getLogger } from '../util/logger.js';
-import { getWorkspacePromptPath } from '../util/platform.js';
+import { getWorkspacePromptPath, readLockfile } from '../util/platform.js';
 import { TwilioConversationRelayProvider } from '../calls/twilio-provider.js';
 import { loadConfig } from '../config/loader.js';
 import { getPublicBaseUrl } from '../inbound/public-ingress-urls.js';
@@ -41,7 +41,6 @@ import {
   handleChannelDeliveryAck,
   handleListDeadLetters,
   handleReplayDeadLetters,
-  isChannelApprovalsEnabled,
   startGuardianExpirySweep,
   stopGuardianExpirySweep,
 } from './routes/channel-routes.js';
@@ -75,6 +74,7 @@ import { RelayConnection, activeRelayConnections } from '../calls/relay-server.j
 import type { RelayWebSocketData } from '../calls/relay-server.js';
 import { handleSubscribeAssistantEvents } from './routes/events-routes.js';
 import { consumeCallback, consumeCallbackError } from '../security/oauth-callback-registry.js';
+import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
 
 // Re-export shared types so existing consumers don't need to update imports
 export type {
@@ -108,6 +108,37 @@ function getGatewayBaseUrl(): string {
 /** Global hard cap on request body size (50 MB). Bun rejects larger payloads before they reach handlers. */
 const MAX_REQUEST_BODY_BYTES = 50 * 1024 * 1024;
 
+function parseGuardianRuntimeContext(value: unknown): GuardianRuntimeContext | undefined {
+  if (!value || typeof value !== 'object') return undefined;
+  const raw = value as Record<string, unknown>;
+  const actorRole = raw.actorRole;
+  if (
+    actorRole !== 'guardian'
+    && actorRole !== 'non-guardian'
+    && actorRole !== 'unverified_channel'
+  ) {
+    return undefined;
+  }
+  const sourceChannel = typeof raw.sourceChannel === 'string' && raw.sourceChannel.trim().length > 0
+    ? raw.sourceChannel
+    : undefined;
+  if (!sourceChannel) return undefined;
+  const denialReason =
+    raw.denialReason === 'no_binding' || raw.denialReason === 'no_identity'
+      ? raw.denialReason
+      : undefined;
+  return {
+    sourceChannel,
+    actorRole,
+    guardianChatId: typeof raw.guardianChatId === 'string' ? raw.guardianChatId : undefined,
+    guardianExternalUserId: typeof raw.guardianExternalUserId === 'string' ? raw.guardianExternalUserId : undefined,
+    requesterIdentifier: typeof raw.requesterIdentifier === 'string' ? raw.requesterIdentifier : undefined,
+    requesterExternalUserId: typeof raw.requesterExternalUserId === 'string' ? raw.requesterExternalUserId : undefined,
+    requesterChatId: typeof raw.requesterChatId === 'string' ? raw.requesterChatId : undefined,
+    denialReason,
+  };
+}
+
 interface DiskSpaceInfo {
   path: string;
   totalMb: number;
@@ -414,8 +445,10 @@ export class RuntimeHttpServer {
       }, 30_000);
     }
 
-    // Start proactive guardian approval expiry sweep when approvals are enabled
-    if (isChannelApprovalsEnabled() && this.runOrchestrator) {
+    // Start proactive guardian approval expiry sweep whenever orchestrator
+    // support is available. Guardian approvals can be created even when the
+    // generic channel-approval UX flag is disabled.
+    if (this.runOrchestrator) {
       startGuardianExpirySweep(this.runOrchestrator, getGatewayBaseUrl(), this.bearerToken);
       log.info('Guardian approval expiry sweep started');
     }
@@ -761,7 +794,7 @@ export class RuntimeHttpServer {
 
       // ── Call API routes ───────────────────────────────────────────
       if (endpoint === 'calls/start' && req.method === 'POST') {
-        return await handleStartCall(req);
+        return await handleStartCall(req, assistantId);
       }
 
       // Match calls/:callSessionId and calls/:callSessionId/cancel, calls/:callSessionId/answer, calls/:callSessionId/instruction
@@ -906,6 +939,10 @@ export class RuntimeHttpServer {
       const attachmentIds = Array.isArray(payload.attachmentIds) ? payload.attachmentIds as string[] : undefined;
       const sourceChannel = payload.sourceChannel as string;
       const sourceMetadata = payload.sourceMetadata as Record<string, unknown> | undefined;
+      const assistantId = typeof payload.assistantId === 'string'
+        ? payload.assistantId
+        : undefined;
+      const guardianContext = parseGuardianRuntimeContext(payload.guardianCtx);
 
       const metadataHintsRaw = sourceMetadata?.hints;
       const metadataHints = Array.isArray(metadataHintsRaw)
@@ -926,6 +963,8 @@ export class RuntimeHttpServer {
               hints: metadataHints.length > 0 ? metadataHints : undefined,
               uxBrief: metadataUxBrief,
             },
+            assistantId,
+            guardianContext,
           },
         );
         channelDeliveryStore.linkMessage(event.id, userMessageId);
@@ -940,7 +979,12 @@ export class RuntimeHttpServer {
             ? payload.externalChatId
             : undefined;
           if (externalChatId) {
-            await this.deliverReplyViaCallback(event.conversationId, externalChatId, replyCallbackUrl);
+            await this.deliverReplyViaCallback(
+              event.conversationId,
+              externalChatId,
+              replyCallbackUrl,
+              assistantId,
+            );
           }
         }
       } catch (err) {
@@ -954,6 +998,7 @@ export class RuntimeHttpServer {
     conversationId: string,
     externalChatId: string,
     callbackUrl: string,
+    assistantId?: string,
   ): Promise<void> {
     const msgs = conversationStore.getMessages(conversationId);
     for (let i = msgs.length - 1; i >= 0; i--) {
@@ -976,6 +1021,7 @@ export class RuntimeHttpServer {
             chatId: externalChatId,
             text: rendered.text || undefined,
             attachments: replyAttachments.length > 0 ? replyAttachments : undefined,
+            assistantId,
           }, this.bearerToken);
         }
         break;
@@ -1035,28 +1081,19 @@ export class RuntimeHttpServer {
     let cloud: string | undefined;
     let originSystem: string | undefined;
     try {
-      const homedir = process.env.HOME ?? process.env.USERPROFILE ?? '';
-      const lockfilePaths = [
-        join(homedir, '.vellum.lock.json'),
-        join(homedir, '.vellum.lockfile.json'),
-      ];
-      for (const lockPath of lockfilePaths) {
-        if (!existsSync(lockPath)) continue;
-        const lockData = JSON.parse(readFileSync(lockPath, 'utf-8'));
-        const assistants = lockData.assistants as Array<Record<string, unknown>> | undefined;
-        if (assistants && assistants.length > 0) {
-          // Use the most recently hatched assistant
-          const sorted = [...assistants].sort((a, b) => {
-            const dateA = new Date(a.hatchedAt as string || 0).getTime();
-            const dateB = new Date(b.hatchedAt as string || 0).getTime();
-            return dateB - dateA;
-          });
-          const latest = sorted[0];
-          assistantId = latest.assistantId as string | undefined;
-          cloud = latest.cloud as string | undefined;
-          originSystem = cloud === 'local' ? 'local' : cloud;
-        }
-        break;
+      const lockData = readLockfile();
+      const assistants = lockData?.assistants as Array<Record<string, unknown>> | undefined;
+      if (assistants && assistants.length > 0) {
+        // Use the most recently hatched assistant
+        const sorted = [...assistants].sort((a, b) => {
+          const dateA = new Date(a.hatchedAt as string || 0).getTime();
+          const dateB = new Date(b.hatchedAt as string || 0).getTime();
+          return dateB - dateA;
+        });
+        const latest = sorted[0];
+        assistantId = latest.assistantId as string | undefined;
+        cloud = latest.cloud as string | undefined;
+        originSystem = cloud === 'local' ? 'local' : cloud;
       }
     } catch {
       // ignore — lockfile may not exist

package/src/runtime/http-types.ts

@@ -2,6 +2,7 @@
  * Shared types for the runtime HTTP server and its route handlers.
  */
 import type { RunOrchestrator } from './run-orchestrator.js';
+import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
 
 export interface RuntimeMessageSessionOptions {
   transport?: {
@@ -9,6 +10,8 @@ export interface RuntimeMessageSessionOptions {
     hints?: string[];
     uxBrief?: string;
   };
+  assistantId?: string;
+  guardianContext?: GuardianRuntimeContext;
 }
 
 export type MessageProcessor = (

package/src/runtime/routes/call-routes.ts

@@ -17,7 +17,7 @@ import { VALID_CALLER_IDENTITY_MODES } from '../../config/schema.js';
  *
  * Body: { phoneNumber: string; task: string; context?: string; conversationId: string; callerIdentityMode?: 'assistant_number' | 'user_number' }
  */
-export async function handleStartCall(req: Request): Promise<Response> {
+export async function handleStartCall(req: Request, assistantId: string = 'self'): Promise<Response> {
   if (!getConfig().calls.enabled) {
     return Response.json(
       { error: 'Calls feature is disabled via configuration. Set calls.enabled to true to use this feature.' },
@@ -59,6 +59,7 @@ export async function handleStartCall(req: Request): Promise<Response> {
     task: body.task ?? '',
     context: body.context,
     conversationId: body.conversationId,
+    assistantId,
     callerIdentityMode: body.callerIdentityMode,
   });