@vellumai/assistant 0.3.4 → 0.3.6

package/src/calls/relay-server.ts

@@ -7,7 +7,10 @@
  */
 
 import type { ServerWebSocket } from 'bun';
+import { randomInt } from 'node:crypto';
 import { getLogger } from '../util/logger.js';
+import { parseJsonSafe } from '../util/json.js';
+import { getConfig } from '../config/loader.js';
 import {
   getCallSession,
   updateCallSession,
@@ -16,12 +19,24 @@ import {
 } from './call-store.js';
 import { CallOrchestrator } from './call-orchestrator.js';
 import { fireCallTranscriptNotifier, fireCallCompletionNotifier } from './call-state.js';
+import { addPointerMessage, formatDuration } from './call-pointer-messages.js';
+import { persistCallCompletionMessage } from './call-conversation-messages.js';
+import * as conversationStore from '../memory/conversation-store.js';
 import {
   extractPromptSpeakerMetadata,
   SpeakerIdentityTracker,
   type PromptSpeakerContext,
 } from './speaker-identification.js';
 import { isTerminalState } from './call-state-machine.js';
+import {
+  getPendingChallenge,
+  validateAndConsumeChallenge,
+} from '../runtime/channel-guardian-service.js';
+import {
+  resolveGuardianContext,
+  toGuardianRuntimeContext,
+} from '../runtime/guardian-context-resolver.js';
+import { normalizeAssistantId } from '../util/platform.js';
 
 const log = getLogger('relay-server');
 
@@ -105,11 +120,21 @@ export interface RelayWebSocketData {
 /** Active relay connections keyed by callSessionId. */
 export const activeRelayConnections = new Map<string, RelayConnection>();
 
+/** Module-level broadcast function, set by the HTTP server during startup. */
+let globalBroadcast: ((msg: import('../daemon/ipc-contract.js').ServerMessage) => void) | undefined;
+
+/** Register a broadcast function so RelayConnection can forward IPC events. */
+export function setRelayBroadcast(fn: (msg: import('../daemon/ipc-contract.js').ServerMessage) => void): void {
+  globalBroadcast = fn;
+}
+
 // ── RelayConnection ──────────────────────────────────────────────────
 
 /**
  * Manages a single WebSocket connection for one call.
  */
+export type RelayConnectionState = 'connected' | 'verification_pending';
+
 export class RelayConnection {
   private ws: ServerWebSocket<RelayWebSocketData>;
   private callSessionId: string;
@@ -123,6 +148,19 @@ export class RelayConnection {
   private orchestrator: CallOrchestrator | null = null;
   private speakerIdentityTracker: SpeakerIdentityTracker;
 
+  // Verification state (outbound callee verification)
+  private connectionState: RelayConnectionState = 'connected';
+  private verificationCode: string | null = null;
+  private verificationAttempts = 0;
+  private verificationMaxAttempts = 3;
+  private verificationCodeLength = 6;
+  private dtmfBuffer = '';
+
+  // Inbound voice guardian verification state
+  private guardianVerificationActive = false;
+  private guardianChallengeAssistantId: string | null = null;
+  private guardianVerificationFromNumber: string | null = null;
+
   constructor(ws: ServerWebSocket<RelayWebSocketData>, callSessionId: string) {
     this.ws = ws;
     this.callSessionId = callSessionId;
@@ -131,14 +169,33 @@ export class RelayConnection {
     this.speakerIdentityTracker = new SpeakerIdentityTracker();
   }
 
+  /**
+   * Get the verification code for this connection (if verification is active).
+   */
+  getVerificationCode(): string | null {
+    return this.verificationCode;
+  }
+
+  /**
+   * Whether inbound guardian voice verification is currently active.
+   */
+  isGuardianVerificationActive(): boolean {
+    return this.guardianVerificationActive;
+  }
+
+  /**
+   * Get the current connection state.
+   */
+  getConnectionState(): RelayConnectionState {
+    return this.connectionState;
+  }
+
   /**
    * Handle an inbound message from Twilio via the ConversationRelay WebSocket.
    */
   async handleMessage(data: string): Promise<void> {
-    let parsed: RelayInboundMessage;
-    try {
-      parsed = JSON.parse(data) as RelayInboundMessage;
-    } catch {
+    const parsed = parseJsonSafe<RelayInboundMessage>(data);
+    if (!parsed) {
       log.warn({ callSessionId: this.callSessionId, data }, 'Failed to parse relay message');
       return;
     }
@@ -160,7 +217,7 @@ export class RelayConnection {
         this.handleError(parsed);
         break;
       default:
-        log.warn({ callSessionId: this.callSessionId, type: (parsed as Record<string, unknown>).type }, 'Unknown relay message type');
+        log.warn({ callSessionId: this.callSessionId, type: (parsed as { type: unknown }).type }, 'Unknown relay message type');
     }
   }
 
@@ -252,6 +309,14 @@ export class RelayConnection {
         reason: reason || 'relay_closed',
         closeCode: code,
       });
+
+      // Post a pointer message in the initiating conversation
+      if (session.initiatedFromConversationId) {
+        const durationMs = session.startedAt ? Date.now() - session.startedAt : 0;
+        addPointerMessage(session.initiatedFromConversationId, 'completed', session.toNumber, {
+          duration: durationMs > 0 ? formatDuration(durationMs) : undefined,
+        });
+      }
     } else {
       const detail = reason || (code ? `relay_closed_${code}` : 'relay_closed_abnormal');
       updateCallSession(this.callSessionId, {
@@ -263,9 +328,17 @@ export class RelayConnection {
         reason: detail,
         closeCode: code,
       });
+
+      // Post a failure pointer message in the initiating conversation
+      if (session.initiatedFromConversationId) {
+        addPointerMessage(session.initiatedFromConversationId, 'failed', session.toNumber, {
+          reason: detail,
+        });
+      }
     }
 
     expirePendingQuestions(this.callSessionId);
+    persistCallCompletionMessage(session.conversationId, this.callSessionId);
     fireCallCompletionNotifier(session.conversationId, this.callSessionId);
   }
 
@@ -299,9 +372,272 @@ export class RelayConnection {
       customParameters: msg.customParameters,
     });
 
-    // Create and attach the LLM-driven orchestrator
-    const orchestrator = new CallOrchestrator(this.callSessionId, this, session?.task ?? null);
+    // Inbound calls skip callee verification — verification is an
+    // outbound-call concern where we need to confirm the callee's identity.
+    // We use initiatedFromConversationId rather than task == null because
+    // outbound calls always have an initiating conversation, while inbound
+    // calls (created via createInboundVoiceSession) never do. Relying on
+    // task == null is unreliable: task-less outbound sessions would
+    // incorrectly bypass outbound verification.
+    const assistantId = normalizeAssistantId(session?.assistantId ?? 'self');
+    const isInbound = session?.initiatedFromConversationId == null;
+
+    // Create and attach the LLM-driven orchestrator. For inbound voice,
+    // seed guardian actor context from caller identity + active binding so
+    // first-turn behavior matches channel ingress semantics.
+    const initialGuardianContext = isInbound
+      ? toGuardianRuntimeContext(
+        'voice',
+        resolveGuardianContext({
+          assistantId,
+          sourceChannel: 'voice',
+          externalChatId: msg.from,
+          senderExternalUserId: msg.from || undefined,
+        }),
+      )
+      : undefined;
+
+    const orchestrator = new CallOrchestrator(this.callSessionId, this, session?.task ?? null, {
+      broadcast: globalBroadcast,
+      assistantId,
+      guardianContext: initialGuardianContext,
+    });
     this.setOrchestrator(orchestrator);
+
+    const config = getConfig();
+    const verificationConfig = config.calls.verification;
+    if (!isInbound && verificationConfig.enabled) {
+      this.startVerification(session, verificationConfig);
+    } else if (isInbound) {
+      // For inbound calls, check if there's a pending voice guardian
+      // challenge that the caller needs to complete before proceeding.
+      const pendingChallenge = getPendingChallenge(assistantId, 'voice');
+
+      if (pendingChallenge) {
+        this.startInboundGuardianVerification(assistantId, msg.from);
+      } else {
+        this.startNormalCallFlow(orchestrator, true);
+      }
+    } else {
+      this.startNormalCallFlow(orchestrator, false);
+    }
+  }
+
+  /**
+   * Generate a verification code and prompt the callee to enter it via DTMF.
+   */
+  private startVerification(
+    session: ReturnType<typeof getCallSession>,
+    verificationConfig: { maxAttempts: number; codeLength: number },
+  ): void {
+    this.verificationMaxAttempts = verificationConfig.maxAttempts;
+    this.verificationCodeLength = verificationConfig.codeLength;
+    this.verificationAttempts = 0;
+    this.dtmfBuffer = '';
+
+    // Generate a random numeric code
+    const maxValue = Math.pow(10, this.verificationCodeLength);
+    const code = randomInt(0, maxValue).toString().padStart(this.verificationCodeLength, '0');
+    this.verificationCode = code;
+    this.connectionState = 'verification_pending';
+
+    recordCallEvent(this.callSessionId, 'callee_verification_started', {
+      codeLength: this.verificationCodeLength,
+      maxAttempts: this.verificationMaxAttempts,
+    });
+
+    // Send a TTS prompt with the code spoken digit by digit
+    const spokenCode = code.split('').join('. ');
+    this.sendTextToken(`Please enter the verification code: ${spokenCode}.`, true);
+
+    // Post the verification code to the initiating conversation so the
+    // guardian (user) can share it with the callee.
+    if (session?.initiatedFromConversationId) {
+      const codeMsg = `\u{1F510} Verification code for call to ${session.toNumber}: ${code}`;
+      conversationStore.addMessage(
+        session.initiatedFromConversationId,
+        'assistant',
+        JSON.stringify([{ type: 'text', text: codeMsg }]),
+        { userMessageChannel: 'voice', assistantMessageChannel: 'voice' },
+      );
+    }
+
+    log.info(
+      { callSessionId: this.callSessionId, codeLength: this.verificationCodeLength },
+      'Callee verification started',
+    );
+  }
+
+  /**
+   * Start normal call flow — fire the orchestrator greeting unless a
+   * static welcome greeting is configured.
+   */
+  private startNormalCallFlow(orchestrator: CallOrchestrator, isInbound: boolean): void {
+    const hasStaticGreeting = !!process.env.CALL_WELCOME_GREETING?.trim();
+    if (!hasStaticGreeting) {
+      orchestrator.startInitialGreeting().catch((err) =>
+        log.error({ err, callSessionId: this.callSessionId }, `Failed to start initial ${isInbound ? 'inbound' : 'outbound'} greeting`),
+      );
+    }
+  }
+
+  /**
+   * Enter verification-pending state for an inbound call with a pending
+   * voice guardian challenge. Prompts the caller to enter their six-digit
+   * verification code via DTMF or by speaking it.
+   */
+  private startInboundGuardianVerification(assistantId: string, fromNumber: string): void {
+    this.guardianVerificationActive = true;
+    this.guardianChallengeAssistantId = assistantId;
+    this.guardianVerificationFromNumber = fromNumber;
+    this.connectionState = 'verification_pending';
+    this.verificationAttempts = 0;
+    this.verificationMaxAttempts = 3;
+    this.verificationCodeLength = 6;
+    this.dtmfBuffer = '';
+
+    recordCallEvent(this.callSessionId, 'guardian_voice_verification_started', {
+      assistantId,
+      maxAttempts: this.verificationMaxAttempts,
+    });
+
+    this.sendTextToken(
+      'Welcome. Please enter your six-digit verification code using your keypad, or speak the digits now.',
+      true,
+    );
+
+    log.info(
+      { callSessionId: this.callSessionId, assistantId },
+      'Inbound guardian voice verification started',
+    );
+  }
+
+  /**
+   * Extract digit characters from a speech transcript. Recognizes both
+   * raw digit characters ("1 2 3") and spoken number words ("one two three").
+   */
+  private static parseDigitsFromSpeech(transcript: string): string {
+    const wordToDigit: Record<string, string> = {
+      zero: '0', oh: '0', o: '0',
+      one: '1', won: '1',
+      two: '2', too: '2', to: '2',
+      three: '3',
+      four: '4', for: '4', fore: '4',
+      five: '5',
+      six: '6',
+      seven: '7',
+      eight: '8', ate: '8',
+      nine: '9',
+    };
+
+    const digits: string[] = [];
+    const lower = transcript.toLowerCase();
+
+    // Split on whitespace and non-alphanumeric boundaries
+    const tokens = lower.split(/[\s,.\-;:!?]+/);
+    for (const token of tokens) {
+      if (/^\d$/.test(token)) {
+        digits.push(token);
+      } else if (wordToDigit[token]) {
+        digits.push(wordToDigit[token]);
+      } else if (/^\d+$/.test(token)) {
+        // Multi-digit number like "123456" — split into individual digits
+        digits.push(...token.split(''));
+      }
+    }
+
+    return digits.join('');
+  }
+
+  /**
+   * Attempt to validate an entered code against the pending voice guardian
+   * challenge via validateAndConsumeChallenge. On success, binds the
+   * guardian and transitions to normal call flow. On failure, enforces
+   * max attempts and terminates the call if exhausted.
+   */
+  private attemptGuardianCodeVerification(enteredCode: string): void {
+    if (!this.guardianChallengeAssistantId || !this.guardianVerificationFromNumber) {
+      return;
+    }
+
+    const result = validateAndConsumeChallenge(
+      this.guardianChallengeAssistantId,
+      'voice',
+      enteredCode,
+      this.guardianVerificationFromNumber,
+      this.guardianVerificationFromNumber,
+    );
+
+    if (result.success) {
+      // Guardian binding was created by validateAndConsumeChallenge
+      this.connectionState = 'connected';
+      this.guardianVerificationActive = false;
+      this.verificationAttempts = 0;
+      this.dtmfBuffer = '';
+
+      recordCallEvent(this.callSessionId, 'guardian_voice_verification_succeeded', {
+        bindingId: result.bindingId,
+      });
+      log.info({ callSessionId: this.callSessionId }, 'Inbound guardian voice verification succeeded');
+
+      // Proceed to normal call flow (use startNormalCallFlow to respect
+      // the CALL_WELCOME_GREETING static greeting guard)
+      if (this.orchestrator) {
+        this.orchestrator.setGuardianContext(
+          toGuardianRuntimeContext(
+            'voice',
+            resolveGuardianContext({
+              assistantId: this.guardianChallengeAssistantId,
+              sourceChannel: 'voice',
+              externalChatId: this.guardianVerificationFromNumber,
+              senderExternalUserId: this.guardianVerificationFromNumber,
+            }),
+          ),
+        );
+        this.startNormalCallFlow(this.orchestrator, true);
+      }
+    } else {
+      this.verificationAttempts++;
+
+      if (this.verificationAttempts >= this.verificationMaxAttempts) {
+        // Immediately deactivate verification so DTMF/speech input during
+        // the goodbye window doesn't trigger more verification attempts.
+        this.guardianVerificationActive = false;
+
+        recordCallEvent(this.callSessionId, 'guardian_voice_verification_failed', {
+          attempts: this.verificationAttempts,
+        });
+        log.warn(
+          { callSessionId: this.callSessionId, attempts: this.verificationAttempts },
+          'Inbound guardian voice verification failed — max attempts reached',
+        );
+
+        this.sendTextToken('Verification failed. Goodbye.', true);
+
+        updateCallSession(this.callSessionId, {
+          status: 'failed',
+          endedAt: Date.now(),
+          lastError: 'Guardian voice verification failed — max attempts exceeded',
+        });
+
+        const session = getCallSession(this.callSessionId);
+        if (session) {
+          expirePendingQuestions(this.callSessionId);
+          persistCallCompletionMessage(session.conversationId, this.callSessionId);
+          fireCallCompletionNotifier(session.conversationId, this.callSessionId);
+        }
+
+        setTimeout(() => {
+          this.endSession('Guardian verification failed');
+        }, 2000);
+      } else {
+        log.info(
+          { callSessionId: this.callSessionId, attempt: this.verificationAttempts, maxAttempts: this.verificationMaxAttempts },
+          'Inbound guardian voice verification attempt failed — retrying',
+        );
+        this.sendTextToken('That code was incorrect. Please try again.', true);
+      }
+    }
   }
 
   private async handlePrompt(msg: RelayPromptMessage): Promise<void> {
@@ -310,12 +646,41 @@ export class RelayConnection {
       return;
     }
 
+    // During inbound guardian verification, attempt to parse spoken digits
+    // from the transcript and validate them.
+    if (this.connectionState === 'verification_pending' && this.guardianVerificationActive) {
+      const spokenDigits = RelayConnection.parseDigitsFromSpeech(msg.voicePrompt);
+      log.info(
+        { callSessionId: this.callSessionId, transcript: msg.voicePrompt, spokenDigits },
+        'Speech received during guardian voice verification',
+      );
+      if (spokenDigits.length >= this.verificationCodeLength) {
+        const enteredCode = spokenDigits.slice(0, this.verificationCodeLength);
+        this.attemptGuardianCodeVerification(enteredCode);
+      } else if (spokenDigits.length > 0) {
+        this.sendTextToken(
+          `I heard ${spokenDigits.length} digits. Please enter all ${this.verificationCodeLength} digits of your code.`,
+          true,
+        );
+      }
+      return;
+    }
+
+    // During outbound callee verification, ignore voice prompts — the callee
+    // should be entering DTMF digits, not speaking.
+    if (this.connectionState === 'verification_pending') {
+      log.debug({ callSessionId: this.callSessionId }, 'Ignoring voice prompt during callee verification');
+      return;
+    }
+
     log.info(
       { callSessionId: this.callSessionId, transcript: msg.voicePrompt, lang: msg.lang },
       'Caller transcript received (final)',
     );
 
-    const speakerMetadata = extractPromptSpeakerMetadata(msg as unknown as Record<string, unknown>);
+    // Spread to widen the typed message into a plain record — extractPromptSpeakerMetadata
+    // probes for snake_case and nested property variants not on RelayPromptMessage.
+    const speakerMetadata = extractPromptSpeakerMetadata({ ...msg });
     const speaker = this.speakerIdentityTracker.identifySpeaker(speakerMetadata);
 
     // Record in conversation history
@@ -338,6 +703,14 @@ export class RelayConnection {
 
     const session = getCallSession(this.callSessionId);
     if (session) {
+      // Persist caller transcript to the voice conversation so it survives
+      // even when no live daemon Session is listening.
+      conversationStore.addMessage(
+        session.conversationId,
+        'user',
+        JSON.stringify([{ type: 'text', text: msg.voicePrompt }]),
+        { userMessageChannel: 'voice', assistantMessageChannel: 'voice' },
+      );
       fireCallTranscriptNotifier(session.conversationId, this.callSessionId, 'caller', msg.voicePrompt);
     }
 
@@ -375,6 +748,91 @@ export class RelayConnection {
     recordCallEvent(this.callSessionId, 'caller_spoke', {
       dtmfDigit: msg.digit,
     });
+
+    // If inbound guardian verification is pending, accumulate digits and
+    // validate against the challenge via the guardian service.
+    if (this.connectionState === 'verification_pending' && this.guardianVerificationActive) {
+      this.dtmfBuffer += msg.digit;
+
+      if (this.dtmfBuffer.length >= this.verificationCodeLength) {
+        const enteredCode = this.dtmfBuffer.slice(0, this.verificationCodeLength);
+        this.dtmfBuffer = '';
+        this.attemptGuardianCodeVerification(enteredCode);
+      }
+      return;
+    }
+
+    // If outbound callee verification is pending, accumulate digits and check the code
+    if (this.connectionState === 'verification_pending' && this.verificationCode) {
+      this.dtmfBuffer += msg.digit;
+
+      if (this.dtmfBuffer.length >= this.verificationCodeLength) {
+        const enteredCode = this.dtmfBuffer.slice(0, this.verificationCodeLength);
+        this.dtmfBuffer = '';
+
+        if (enteredCode === this.verificationCode) {
+          // Verification succeeded
+          this.connectionState = 'connected';
+          this.verificationCode = null;
+          this.verificationAttempts = 0;
+
+          recordCallEvent(this.callSessionId, 'callee_verification_succeeded', {});
+          log.info({ callSessionId: this.callSessionId }, 'Callee verification succeeded');
+
+          // Proceed to the normal call flow
+          if (this.orchestrator) {
+            this.orchestrator.startInitialGreeting().catch((err) =>
+              log.error({ err, callSessionId: this.callSessionId }, 'Failed to start initial outbound greeting after verification'),
+            );
+          }
+        } else {
+          // Verification failed for this attempt
+          this.verificationAttempts++;
+
+          if (this.verificationAttempts >= this.verificationMaxAttempts) {
+            // Max attempts reached — end the call
+            recordCallEvent(this.callSessionId, 'callee_verification_failed', {
+              attempts: this.verificationAttempts,
+            });
+            log.warn({ callSessionId: this.callSessionId, attempts: this.verificationAttempts }, 'Callee verification failed — max attempts reached');
+
+            this.sendTextToken('Verification failed. Goodbye.', true);
+
+            // Mark failed immediately so a relay close during the goodbye TTS
+            // window cannot race this into a terminal "completed" status.
+            updateCallSession(this.callSessionId, {
+              status: 'failed',
+              endedAt: Date.now(),
+              lastError: 'Callee verification failed — max attempts exceeded',
+            });
+
+            const session = getCallSession(this.callSessionId);
+            if (session) {
+              expirePendingQuestions(this.callSessionId);
+              persistCallCompletionMessage(session.conversationId, this.callSessionId);
+              fireCallCompletionNotifier(session.conversationId, this.callSessionId);
+              if (session.initiatedFromConversationId) {
+                addPointerMessage(session.initiatedFromConversationId, 'failed', session.toNumber, {
+                  reason: 'Callee verification failed',
+                });
+              }
+            }
+
+            // End the call with failed status after TTS plays
+            setTimeout(() => {
+              this.endSession('Verification failed');
+            }, 2000);
+          } else {
+            // Allow another attempt
+            log.info(
+              { callSessionId: this.callSessionId, attempt: this.verificationAttempts, maxAttempts: this.verificationMaxAttempts },
+              'Callee verification attempt failed — retrying',
+            );
+            this.sendTextToken('That code was incorrect. Please try again.', true);
+          }
+        }
+      }
+    }
   }
 
   private handleError(msg: RelayErrorMessage): void {

package/src/calls/speaker-identification.ts

@@ -66,7 +66,7 @@ export function extractPromptSpeakerMetadata(message: Record<string, unknown>):
   const pickNumber = (...values: unknown[]): number | undefined => {
     for (const value of values) {
       const parsed = toNumber(value);
-      if (parsed !== null) return parsed;
+      if (parsed != null) return parsed;
     }
     return undefined;
   };

package/src/calls/twilio-config.ts

@@ -2,6 +2,8 @@ import { getSecureKey } from '../security/secure-keys.js';
 import { getLogger } from '../util/logger.js';
 import { loadConfig } from '../config/loader.js';
 import { getPublicBaseUrl, getTwilioRelayUrl } from '../inbound/public-ingress-urls.js';
+import { ConfigError } from '../util/errors.js';
+import { getTwilioPhoneNumberEnv, getTwilioWssBaseUrl } from '../config/env.js';
 
 const log = getLogger('twilio-config');
 
@@ -13,27 +15,33 @@ export interface TwilioConfig {
   wssBaseUrl: string;
 }
 
-export function getTwilioConfig(): TwilioConfig {
-  const accountSid = getSecureKey('credential:twilio:account_sid');
-  const authToken = getSecureKey('credential:twilio:auth_token');
-  const config = loadConfig();
+function resolveTwilioPhoneNumber(assistantId: string | undefined, config: ReturnType<typeof loadConfig>): string {
+  if (assistantId) {
+    const assistantPhone = config.sms?.assistantPhoneNumbers?.[assistantId];
+    if (assistantPhone) {
+      return assistantPhone;
+    }
+  }
 
-  // Phone number resolution priority:
+  // Global fallback order:
   // 1. TWILIO_PHONE_NUMBER env var (explicit override)
   // 2. config file sms.phoneNumber (primary storage)
   // 3. credential:twilio:phone_number secure key (backward-compat fallback)
-  const phoneNumber =
-    process.env.TWILIO_PHONE_NUMBER ||
-    config.sms?.phoneNumber ||
-    getSecureKey('credential:twilio:phone_number') ||
-    '';
+  return getTwilioPhoneNumberEnv() || config.sms?.phoneNumber || getSecureKey('credential:twilio:phone_number') || '';
+}
+
+export function getTwilioConfig(assistantId?: string): TwilioConfig {
+  const accountSid = getSecureKey('credential:twilio:account_sid');
+  const authToken = getSecureKey('credential:twilio:auth_token');
+  const config = loadConfig();
+  const phoneNumber = resolveTwilioPhoneNumber(assistantId, config);
   const webhookBaseUrl = getPublicBaseUrl(config);
 
   // Always use the centralized relay URL derived from the public ingress base URL.
   // TWILIO_WSS_BASE_URL is ignored.
   let wssBaseUrl: string;
-  if (process.env.TWILIO_WSS_BASE_URL) {
-    log.warn('TWILIO_WSS_BASE_URL env var is ignored. Relay URL is derived from ingress.publicBaseUrl.');
+  if (getTwilioWssBaseUrl()) {
+    log.warn('TWILIO_WSS_BASE_URL env var is deprecated. Relay URL is derived from ingress.publicBaseUrl.');
   }
   try {
     wssBaseUrl = getTwilioRelayUrl(config);
@@ -42,10 +50,10 @@ export function getTwilioConfig(): TwilioConfig {
   }
 
   if (!accountSid || !authToken) {
-    throw new Error('Twilio credentials not configured. Set credential:twilio:account_sid and credential:twilio:auth_token via the credential_store tool.');
+    throw new ConfigError('Twilio credentials not configured. Set credential:twilio:account_sid and credential:twilio:auth_token via the credential_store tool.');
   }
   if (!phoneNumber) {
-    throw new Error('TWILIO_PHONE_NUMBER not configured.');
+    throw new ConfigError('Twilio phone number not configured.');
   }
 
   log.debug('Twilio config loaded successfully');