@vellumai/assistant 0.3.8 → 0.3.9

package/src/runtime/http-server.ts

@@ -35,6 +35,11 @@ import {
   handleRunSecret,
   handleAddTrustRule,
 } from './routes/run-routes.js';
+import {
+  handleConfirm,
+  handleSecret,
+  handleTrustRule,
+} from './routes/approval-routes.js';
 import {
   handleDeleteConversation,
   handleChannelInbound,
@@ -566,6 +571,11 @@ export class RuntimeHttpServer {
         });
       }
 
+      // Standalone approval endpoints — keyed by requestId, orthogonal to message sending
+      if (endpoint === 'confirm' && req.method === 'POST') return await handleConfirm(req);
+      if (endpoint === 'secret' && req.method === 'POST') return await handleSecret(req);
+      if (endpoint === 'trust-rules' && req.method === 'POST') return await handleTrustRule(req);
+
       if (endpoint === 'attachments' && req.method === 'POST') return await handleUploadAttachment(req);
       if (endpoint === 'attachments' && req.method === 'DELETE') return await handleDeleteAttachment(req);
 

package/src/runtime/pending-interactions.ts

@@ -0,0 +1,73 @@
+/**
+ * In-memory tracker that maps requestId to session info for pending
+ * confirmation and secret interactions.
+ *
+ * When the agent loop emits a confirmation_request or secret_request,
+ * the onEvent callback registers the interaction here. Standalone HTTP
+ * endpoints (/v1/confirm, /v1/secret, /v1/trust-rules) look up the
+ * session from this tracker to resolve the interaction.
+ */
+
+import type { Session } from '../daemon/session.js';
+
+export interface ConfirmationDetails {
+  toolName: string;
+  input: Record<string, unknown>;
+  riskLevel: string;
+  executionTarget?: 'sandbox' | 'host';
+  allowlistOptions: Array<{ label: string; description: string; pattern: string }>;
+  scopeOptions: Array<{ label: string; scope: string }>;
+  persistentDecisionsAllowed?: boolean;
+}
+
+export interface PendingInteraction {
+  session: Session;
+  conversationId: string;
+  kind: 'confirmation' | 'secret';
+  confirmationDetails?: ConfirmationDetails;
+}
+
+const pending = new Map<string, PendingInteraction>();
+
+export function register(requestId: string, interaction: PendingInteraction): void {
+  pending.set(requestId, interaction);
+}
+
+/**
+ * Remove and return the pending interaction for the given requestId.
+ * Returns undefined if no interaction is registered.
+ */
+export function resolve(requestId: string): PendingInteraction | undefined {
+  const interaction = pending.get(requestId);
+  if (interaction) {
+    pending.delete(requestId);
+  }
+  return interaction;
+}
+
+/**
+ * Return the pending interaction without removing it.
+ * Used by trust-rule endpoint which doesn't resolve the confirmation itself.
+ */
+export function get(requestId: string): PendingInteraction | undefined {
+  return pending.get(requestId);
+}
+
+/**
+ * Return all pending interactions for a given conversation.
+ * Needed by channel approval migration (PR 3).
+ */
+export function getByConversation(conversationId: string): Array<{ requestId: string } & PendingInteraction> {
+  const results: Array<{ requestId: string } & PendingInteraction> = [];
+  for (const [requestId, interaction] of pending) {
+    if (interaction.conversationId === conversationId) {
+      results.push({ requestId, ...interaction });
+    }
+  }
+  return results;
+}
+
+/** Clear all pending interactions. Useful for testing. */
+export function clear(): void {
+  pending.clear();
+}

package/src/runtime/routes/approval-routes.ts

@@ -0,0 +1,179 @@
+/**
+ * Route handlers for standalone approval endpoints.
+ *
+ * These endpoints resolve pending confirmations, secrets, and trust rules
+ * by requestId — orthogonal to message sending.
+ */
+import * as pendingInteractions from '../pending-interactions.js';
+import { addRule } from '../../permissions/trust-store.js';
+import { getTool } from '../../tools/registry.js';
+import { getLogger } from '../../util/logger.js';
+
+const log = getLogger('approval-routes');
+
+/**
+ * POST /v1/confirm — resolve a pending confirmation by requestId.
+ */
+export async function handleConfirm(req: Request): Promise<Response> {
+  const body = await req.json() as {
+    requestId?: string;
+    decision?: string;
+  };
+
+  const { requestId, decision } = body;
+
+  if (!requestId || typeof requestId !== 'string') {
+    return Response.json({ error: 'requestId is required' }, { status: 400 });
+  }
+
+  if (decision !== 'allow' && decision !== 'deny') {
+    return Response.json(
+      { error: 'decision must be "allow" or "deny"' },
+      { status: 400 },
+    );
+  }
+
+  const interaction = pendingInteractions.resolve(requestId);
+  if (!interaction) {
+    return Response.json(
+      { error: 'No pending interaction found for this requestId' },
+      { status: 404 },
+    );
+  }
+
+  interaction.session.handleConfirmationResponse(requestId, decision);
+  return Response.json({ accepted: true });
+}
+
+/**
+ * POST /v1/secret — resolve a pending secret request by requestId.
+ */
+export async function handleSecret(req: Request): Promise<Response> {
+  const body = await req.json() as {
+    requestId?: string;
+    value?: string;
+    delivery?: string;
+  };
+
+  const { requestId, value, delivery } = body;
+
+  if (!requestId || typeof requestId !== 'string') {
+    return Response.json({ error: 'requestId is required' }, { status: 400 });
+  }
+
+  if (delivery !== undefined && delivery !== 'store' && delivery !== 'transient_send') {
+    return Response.json(
+      { error: 'delivery must be "store" or "transient_send"' },
+      { status: 400 },
+    );
+  }
+
+  const interaction = pendingInteractions.resolve(requestId);
+  if (!interaction) {
+    return Response.json(
+      { error: 'No pending interaction found for this requestId' },
+      { status: 404 },
+    );
+  }
+
+  interaction.session.handleSecretResponse(
+    requestId,
+    value,
+    delivery as 'store' | 'transient_send' | undefined,
+  );
+  return Response.json({ accepted: true });
+}
+
+/**
+ * POST /v1/trust-rules — add a trust rule for a pending confirmation.
+ *
+ * Does NOT resolve the confirmation itself (the client still needs to
+ * POST /v1/confirm to approve/deny). Validates the pattern and scope
+ * against the server-provided allowlist options from the original
+ * confirmation_request.
+ */
+export async function handleTrustRule(req: Request): Promise<Response> {
+  const body = await req.json() as {
+    requestId?: string;
+    pattern?: string;
+    scope?: string;
+    decision?: string;
+  };
+
+  const { requestId, pattern, scope, decision } = body;
+
+  if (!requestId || typeof requestId !== 'string') {
+    return Response.json({ error: 'requestId is required' }, { status: 400 });
+  }
+
+  if (!pattern || typeof pattern !== 'string') {
+    return Response.json({ error: 'pattern is required' }, { status: 400 });
+  }
+
+  if (!scope || typeof scope !== 'string') {
+    return Response.json({ error: 'scope is required' }, { status: 400 });
+  }
+
+  if (decision !== 'allow' && decision !== 'deny') {
+    return Response.json({ error: 'decision must be "allow" or "deny"' }, { status: 400 });
+  }
+
+  // Look up without removing — trust rule doesn't resolve the confirmation
+  const interaction = pendingInteractions.get(requestId);
+  if (!interaction) {
+    return Response.json(
+      { error: 'No pending interaction found for this requestId' },
+      { status: 404 },
+    );
+  }
+
+  if (!interaction.confirmationDetails) {
+    return Response.json(
+      { error: 'No confirmation details available for this request' },
+      { status: 409 },
+    );
+  }
+
+  const confirmation = interaction.confirmationDetails;
+
+  if (confirmation.persistentDecisionsAllowed === false) {
+    return Response.json(
+      { error: 'Persistent trust rules are not allowed for this tool invocation' },
+      { status: 403 },
+    );
+  }
+
+  // Validate pattern against server-provided allowlist options
+  const validPatterns = (confirmation.allowlistOptions ?? []).map((o) => o.pattern);
+  if (!validPatterns.includes(pattern)) {
+    return Response.json(
+      { error: 'pattern does not match any server-provided allowlist option' },
+      { status: 403 },
+    );
+  }
+
+  // Validate scope against server-provided scope options
+  const validScopes = (confirmation.scopeOptions ?? []).map((o) => o.scope);
+  if (!validScopes.includes(scope)) {
+    return Response.json(
+      { error: 'scope does not match any server-provided scope option' },
+      { status: 403 },
+    );
+  }
+
+  try {
+    const tool = getTool(confirmation.toolName);
+    const executionTarget = tool?.origin === 'skill' ? confirmation.executionTarget : undefined;
+    addRule(confirmation.toolName, pattern, scope, decision, undefined, {
+      executionTarget,
+    });
+    log.info(
+      { tool: confirmation.toolName, pattern, scope, decision, requestId },
+      'Trust rule added via HTTP (bound to pending confirmation)',
+    );
+    return Response.json({ accepted: true });
+  } catch (err) {
+    log.error({ err }, 'Failed to add trust rule');
+    return Response.json({ error: 'Failed to add trust rule' }, { status: 500 });
+  }
+}

package/src/runtime/routes/channel-inbound-routes.ts

@@ -45,6 +45,8 @@ import type {
 } from '../http-types.js';
 import { composeApprovalMessageGenerative } from '../approval-message-composer.js';
 import { refreshThreadEscalation } from '../../memory/inbox-escalation-projection.js';
+import { getConfig } from '../../config/loader.js';
+import { emitNotificationSignal } from '../../notifications/emit-signal.js';
 import {
   type GuardianContext,
   verifyGatewayOrigin,
@@ -360,9 +362,37 @@ export async function handleChannelInbound(
     // Update inbox thread escalation state so the desktop UI badge is accurate
     refreshThreadEscalation(result.conversationId, assistantId);
 
-    // Notify the guardian about the pending escalation via channel delivery
+    // Emit notification signal through the unified pipeline (fire-and-forget).
+    // This lets the decision engine route escalation alerts to all configured
+    // channels, supplementing the direct guardian notification below.
+    void emitNotificationSignal({
+      sourceEventName: 'ingress.escalation',
+      sourceChannel: sourceChannel,
+      sourceSessionId: result.conversationId,
+      assistantId,
+      attentionHints: {
+        requiresAction: true,
+        urgency: 'high',
+        isAsyncBackground: false,
+        visibleInSourceNow: false,
+      },
+      contextPayload: {
+        conversationId: result.conversationId,
+        sourceChannel,
+        externalChatId,
+        senderIdentifier: body.senderName || body.senderUsername || body.senderExternalUserId || 'Unknown sender',
+        eventId: result.eventId,
+      },
+      dedupeKey: `escalation:${result.eventId}`,
+    });
+
+    // Notify the guardian about the pending escalation via channel delivery.
+    // When the notification system is fully active it handles channel delivery,
+    // so skip the legacy path to avoid duplicate alerts.
+    const notifCfg = getConfig().notifications;
+    const notificationsActive = notifCfg.enabled && !notifCfg.shadowMode;
     const senderIdentifier = body.senderName || body.senderUsername || body.senderExternalUserId || 'Unknown sender';
-    if (body.replyCallbackUrl) {
+    if (!notificationsActive && body.replyCallbackUrl) {
       try {
         const notificationText = await composeApprovalMessageGenerative(
           {
@@ -388,8 +418,13 @@ export async function handleChannelInbound(
         // the pending escalation even if channel notification failed.
         log.error({ err, conversationId: result.conversationId, guardianChatId: binding.guardianDeliveryChatId }, 'Failed to notify guardian of ingress escalation');
       }
-    } else {
+    } else if (!notificationsActive) {
       log.warn({ conversationId: result.conversationId }, 'Ingress escalation created but no replyCallbackUrl to notify guardian');
+    } else {
+      log.info(
+        { conversationId: result.conversationId },
+        'Skipping legacy guardian escalation callback delivery — notification pipeline active',
+      );
     }
 
     return Response.json({ accepted: true, escalated: true, reason: 'policy_escalate' });
@@ -886,7 +921,7 @@ function processChannelMessageWithApprovals(params: ApprovalProcessingParams): v
         assistantMessageChannel: sourceChannel,
       };
 
-      const run = await orchestrator.startRun(
+      const { run } = await orchestrator.startRun(
         conversationId,
         content,
         attachmentIds,

package/src/runtime/routes/conversation-routes.ts

@@ -22,6 +22,7 @@ import type {
 } from '../http-types.js';
 import type { ServerMessage } from '../../daemon/ipc-protocol.js';
 import { buildAssistantEvent } from '../assistant-event.js';
+import * as pendingInteractions from '../pending-interactions.js';
 import { getLogger } from '../../util/logger.js';
 
 const log = getLogger('conversation-routes');
@@ -143,13 +144,42 @@ export function handleListMessages(
 /**
  * Build an `onEvent` callback that publishes every outbound event to the
  * assistant event hub, maintaining ordered delivery through a serial chain.
+ *
+ * Also registers pending interactions when confirmation_request or
+ * secret_request events flow through, so standalone approval endpoints
+ * can look up the session by requestId.
  */
 function makeHubPublisher(
   deps: SendMessageDeps,
   conversationId: string,
+  session: import('../../daemon/session.js').Session,
 ): (msg: ServerMessage) => void {
   let hubChain: Promise<void> = Promise.resolve();
   return (msg: ServerMessage) => {
+    // Register pending interactions for approval events
+    if (msg.type === 'confirmation_request') {
+      pendingInteractions.register(msg.requestId, {
+        session,
+        conversationId,
+        kind: 'confirmation',
+        confirmationDetails: {
+          toolName: msg.toolName,
+          input: msg.input,
+          riskLevel: msg.riskLevel,
+          executionTarget: msg.executionTarget,
+          allowlistOptions: msg.allowlistOptions,
+          scopeOptions: msg.scopeOptions,
+          persistentDecisionsAllowed: msg.persistentDecisionsAllowed,
+        },
+      });
+    } else if (msg.type === 'secret_request') {
+      pendingInteractions.register(msg.requestId, {
+        session,
+        conversationId,
+        kind: 'secret',
+      });
+    }
+
     const msgRecord = msg as unknown as Record<string, unknown>;
     const msgSessionId =
       'sessionId' in msg && typeof msgRecord.sessionId === 'string'
@@ -243,7 +273,7 @@ export async function handleSendMessage(
   if (deps.sendMessageDeps) {
     const smDeps = deps.sendMessageDeps;
     const session = await smDeps.getOrCreateSession(mapping.conversationId);
-    const onEvent = makeHubPublisher(smDeps, mapping.conversationId);
+    const onEvent = makeHubPublisher(smDeps, mapping.conversationId, session);
 
     const attachments = hasAttachments
       ? smDeps.resolveAttachments(attachmentIds)

package/src/runtime/routes/run-routes.ts

@@ -66,7 +66,7 @@ export async function handleCreateRun(
   const mapping = getOrCreateConversation(conversationKey);
 
   try {
-    const run = await runOrchestrator.startRun(
+    const { run } = await runOrchestrator.startRun(
       mapping.conversationId,
       content ?? '',
       hasAttachments ? attachmentIds : undefined,

package/src/runtime/run-orchestrator.ts

@@ -34,6 +34,29 @@ const log = getLogger('run-orchestrator');
 // Types
 // ---------------------------------------------------------------------------
 
+/**
+ * Real-time event sink for voice TTS streaming. When provided to startRun(),
+ * agent-loop events are forwarded here alongside the existing assistantEventHub
+ * publication. This enables voice relay to receive streaming text deltas for
+ * real-time text-to-speech without modifying the standard channel path.
+ */
+export interface VoiceRunEventSink {
+  onTextDelta(text: string): void;
+  onMessageComplete(): void;
+  onError(message: string): void;
+  onToolUse(toolName: string, input: Record<string, unknown>): void;
+}
+
+/**
+ * Handle returned by startRun() that allows callers to abort an in-flight
+ * run. Used by voice barge-in to cancel the current turn without crashing
+ * session state.
+ */
+export interface RunHandle {
+  run: Run;
+  abort: () => void;
+}
+
 interface PendingRunState {
   prompterRequestId: string;
   session: Session;
@@ -92,6 +115,36 @@ export interface RunStartOptions {
   commandIntent?: { type: string; payload?: string; languageCode?: string };
   /** Resolved channel context for this turn. */
   turnChannelContext?: TurnChannelContext;
+  /**
+   * When provided, agent-loop events are forwarded to this sink in real time.
+   * Used by voice relay for streaming TTS token delivery.
+   */
+  eventSink?: VoiceRunEventSink;
+  /**
+   * When true, any confirmation_request from the prompter is immediately
+   * auto-denied instead of being stored for client polling. Used by the
+   * voice path when forceStrictSideEffects is active: the voice transport
+   * has no interactive approval UI, so without this flag the run would
+   * stall for the full permission timeout (300s by default).
+   */
+  voiceAutoDenyConfirmations?: boolean;
+  /**
+   * When true, confirmation_request events are auto-approved immediately.
+   * Used for verified-guardian voice turns where there is no interactive
+   * approval UI but parity with guardian chat permissions is required.
+   */
+  voiceAutoAllowConfirmations?: boolean;
+  /**
+   * When true, secret_request events are resolved immediately with a null
+   * value so voice turns do not stall waiting for a secret-entry UI that
+   * voice does not provide.
+   */
+  voiceAutoResolveSecrets?: boolean;
+  /**
+   * Call-control protocol prompt injected into each voice turn so the
+   * model knows to emit control markers ([ASK_GUARDIAN:], [END_CALL], etc.).
+   */
+  voiceCallControlPrompt?: string;
 }
 
 // ---------------------------------------------------------------------------
@@ -116,13 +169,16 @@ export class RunOrchestrator {
   /**
    * Start a new run: persist the user message, create a run record,
    * and fire the agent loop in the background.
+   *
+   * Returns a RunHandle containing the Run record and an abort() function
+   * that can cancel the in-flight agent loop (e.g. for voice barge-in).
    */
   async startRun(
     conversationId: string,
     content: string,
     attachmentIds?: string[],
     options?: RunStartOptions,
-  ): Promise<Run> {
+  ): Promise<RunHandle> {
     // Block inbound content that contains secrets — mirrors the IPC check in sessions.ts
     const ingressCheck = checkIngressForSecrets(content);
     if (ingressCheck.blocked) {
@@ -176,6 +232,7 @@ export class RunOrchestrator {
     // (e.g. attachment scope) match the actual transport rather than always
     // defaulting to 'macos'.
     session.setChannelCapabilities(resolveChannelCapabilities(options?.sourceChannel ?? 'macos'));
+    session.setVoiceCallControlPrompt(options?.voiceCallControlPrompt ?? null);
 
     // Serialized publish chain so hub subscribers observe events in order.
     let hubChain: Promise<void> = Promise.resolve();
@@ -202,9 +259,55 @@ export class RunOrchestrator {
     // When the prompter sends one of these, we record it in the run store so
     // the client can poll and submit a decision/secret via the respective endpoint.
     // Do NOT set hasNoClient — run sessions have a client (the HTTP caller).
+    const autoDeny = options?.voiceAutoDenyConfirmations === true;
+    const autoAllow = !autoDeny && options?.voiceAutoAllowConfirmations === true;
+    const autoResolveSecrets = options?.voiceAutoResolveSecrets === true;
     let lastError: string | null = null;
     session.updateClient((msg: ServerMessage) => {
       if (msg.type === 'confirmation_request') {
+        if (autoDeny) {
+          // Voice path with strict side effects: immediately deny the
+          // confirmation request so the agent loop resumes without
+          // waiting for the full permission timeout (300s). The voice
+          // transport has no interactive approval UI, so polling would
+          // just stall. Security is preserved — the tool call is denied.
+          log.info(
+            { runId: run.id, toolName: msg.toolName },
+            'Auto-denying confirmation request for voice turn (forceStrictSideEffects)',
+          );
+          session.handleConfirmationResponse(
+            msg.requestId,
+            'deny',
+            undefined,
+            undefined,
+            `Permission denied for "${msg.toolName}": this voice call does not have interactive approval capabilities. Side-effect tools are not available for non-guardian voice callers. In your next assistant reply, explain briefly that this action requires guardian-level access and cannot be performed during this call.`,
+          );
+          // Still publish to hub for observability, but skip run-store
+          // bookkeeping since the confirmation is already resolved.
+          publishToHub(msg);
+          return;
+        }
+        if (autoAllow) {
+          // Verified guardian voice turn: auto-approve so voice has the same
+          // permission capabilities as guardian chat despite lacking an
+          // interactive confirmation UI.
+          log.info(
+            { runId: run.id, toolName: msg.toolName },
+            'Auto-approving confirmation request for guardian voice turn',
+          );
+          session.handleConfirmationResponse(
+            msg.requestId,
+            'allow',
+            undefined,
+            undefined,
+            `Permission approved for "${msg.toolName}": this is a verified guardian voice call.`,
+          );
+          // Publish for observability, but skip run-store pending state since
+          // the request is already resolved.
+          publishToHub(msg);
+          return;
+        }
+
         runsStore.setRunConfirmation(run.id, {
           toolName: msg.toolName,
           toolUseId: msg.requestId,
@@ -220,6 +323,18 @@ export class RunOrchestrator {
           session,
         });
       } else if (msg.type === 'secret_request') {
+        if (autoResolveSecrets) {
+          // Voice has no secret-entry UI, so resolve immediately to avoid
+          // waiting for the full secret prompt timeout.
+          log.info(
+            { runId: run.id, service: msg.service, field: msg.field },
+            'Auto-resolving secret request for voice turn (no secret-entry UI)',
+          );
+          session.handleSecretResponse(msg.requestId, undefined, 'store');
+          publishToHub(msg);
+          return;
+        }
+
         runsStore.setRunSecret(run.id, {
           requestId: msg.requestId,
           service: msg.service,
@@ -249,6 +364,7 @@ export class RunOrchestrator {
       session.setGuardianContext(null);
       session.setCommandIntent(null);
       session.setAssistantId('self');
+      session.setVoiceCallControlPrompt(null);
       // Reset the session's client callback to a no-op so the stale
       // closure doesn't intercept events from future runs on the same session.
       // Set hasNoClient=true here since the run is done and no HTTP caller
@@ -256,6 +372,8 @@ export class RunOrchestrator {
       session.updateClient(() => {}, true);
     };
 
+    const eventSink = options?.eventSink;
+
     void (async () => {
       try {
         await session.runAgentLoop(content, messageId, (msg: ServerMessage) => {
@@ -270,6 +388,27 @@ export class RunOrchestrator {
           // prompter (confirmation_request). Both paths must publish so SSE
           // consumers receive the full response stream.
           publishToHub(msg);
+
+          // Forward voice-relevant events to the real-time event sink when
+          // provided. This runs in addition to (not instead of) the hub
+          // publication above so both paths remain active.
+          if (eventSink) {
+            if (msg.type === 'assistant_text_delta') {
+              eventSink.onTextDelta(msg.text);
+            } else if (msg.type === 'message_complete') {
+              eventSink.onMessageComplete();
+            } else if (msg.type === 'generation_cancelled') {
+              // Treat cancellation as a completed turn so the voice
+              // turnComplete promise settles instead of hanging forever.
+              eventSink.onMessageComplete();
+            } else if (msg.type === 'error') {
+              eventSink.onError(msg.message);
+            } else if (msg.type === 'session_error') {
+              eventSink.onError(msg.userMessage);
+            } else if (msg.type === 'tool_use_start') {
+              eventSink.onToolUse(msg.toolName, msg.input);
+            }
+          }
         });
         if (lastError) {
           log.error({ runId: run.id, error: lastError }, 'Run failed (error event from agent loop)');
@@ -281,12 +420,28 @@ export class RunOrchestrator {
         const message = err instanceof Error ? err.message : String(err);
         log.error({ err, runId: run.id }, 'Run failed');
         runsStore.failRun(run.id, message);
+        // Notify the voice event sink so the caller's turnComplete
+        // promise settles instead of hanging on unhandled exceptions.
+        if (eventSink) {
+          eventSink.onError(message);
+        }
       } finally {
         cleanup();
       }
     })();
 
-    return run;
+    return {
+      run,
+      // Scope the abort to this specific run by capturing the requestId.
+      // If the session has moved on to a new turn (different currentRequestId),
+      // this abort is stale and becomes a no-op — preventing voice barge-in
+      // from cancelling unrelated turns.
+      abort: () => {
+        if (session.currentRequestId === requestId) {
+          session.abort();
+        }
+      },
+    };
   }
 
   /** Read current run state from the store. */

package/src/tools/browser/browser-manager.ts

@@ -792,7 +792,7 @@ class BrowserManager {
     // Check if an unconsumed download already completed for this session
     const existing = this.downloads.get(sessionId);
     if (existing && existing.length > 0) {
-      const info = existing.pop()!;
+      const info = existing.shift()!;
       if (existing.length === 0) this.downloads.delete(sessionId);
       return Promise.resolve(info);
     }