@vellumai/assistant 0.4.0 → 0.4.2

package/src/daemon/handlers/sessions.ts

@@ -7,8 +7,11 @@ import { type InterfaceId,isChannelId, parseChannelId, parseInterfaceId } from '
 import { getConfig } from '../../config/loader.js';
 import { getAttachmentsForMessage, getFilePathForAttachment, setAttachmentThumbnail } from '../../memory/attachments-store.js';
 import {
+  createCanonicalGuardianRequest,
+  generateCanonicalRequestCode,
   listCanonicalGuardianRequests,
   listPendingCanonicalGuardianRequestsByDestinationConversation,
+  resolveCanonicalGuardianRequest,
 } from '../../memory/canonical-guardian-store.js';
 import { getAttentionStateByConversationIds } from '../../memory/conversation-attention-store.js';
 import * as conversationStore from '../../memory/conversation-store.js';
@@ -47,6 +50,7 @@ import { normalizeThreadType } from '../ipc-protocol.js';
 import { executeRecordingIntent } from '../recording-executor.js';
 import { resolveRecordingIntent } from '../recording-intent.js';
 import { classifyRecordingIntentFallback, containsRecordingKeywords } from '../recording-intent-fallback.js';
+import type { Session } from '../session.js';
 import { buildSessionErrorMessage,classifySessionError } from '../session-error.js';
 import { resolveChannelCapabilities } from '../session-runtime-assembly.js';
 import { generateVideoThumbnail } from '../video-thumbnail.js';
@@ -66,6 +70,86 @@ import {
 
 const desktopApprovalConversationGenerator = createApprovalConversationGenerator();
 
+function syncCanonicalStatusFromIpcConfirmationDecision(
+  requestId: string,
+  decision: ConfirmationResponse['decision'],
+): void {
+  const targetStatus = decision === 'deny' || decision === 'always_deny'
+    ? 'denied' as const
+    : 'approved' as const;
+
+  try {
+    resolveCanonicalGuardianRequest(requestId, 'pending', { status: targetStatus });
+  } catch (err) {
+    log.debug(
+      { err, requestId, targetStatus },
+      'Failed to resolve canonical request from IPC confirmation response',
+    );
+  }
+}
+
+function makeIpcEventSender(params: {
+  ctx: HandlerContext;
+  socket: net.Socket;
+  session: Session;
+  conversationId: string;
+  sourceChannel: string;
+}): (event: ServerMessage) => void {
+  const {
+    ctx,
+    socket,
+    session,
+    conversationId,
+    sourceChannel,
+  } = params;
+
+  return (event: ServerMessage) => {
+    if (event.type === 'confirmation_request') {
+      pendingInteractions.register(event.requestId, {
+        session,
+        conversationId,
+        kind: 'confirmation',
+        confirmationDetails: {
+          toolName: event.toolName,
+          input: event.input,
+          riskLevel: event.riskLevel,
+          executionTarget: event.executionTarget,
+          allowlistOptions: event.allowlistOptions,
+          scopeOptions: event.scopeOptions,
+          persistentDecisionsAllowed: event.persistentDecisionsAllowed,
+        },
+      });
+
+      try {
+        createCanonicalGuardianRequest({
+          id: event.requestId,
+          kind: 'tool_approval',
+          sourceType: 'desktop',
+          sourceChannel,
+          conversationId,
+          toolName: event.toolName,
+          status: 'pending',
+          requestCode: generateCanonicalRequestCode(),
+          expiresAt: new Date(Date.now() + 5 * 60 * 1000).toISOString(),
+        });
+      } catch (err) {
+        log.debug(
+          { err, requestId: event.requestId, conversationId },
+          'Failed to create canonical request from IPC confirmation event',
+        );
+      }
+    } else if (event.type === 'secret_request') {
+      pendingInteractions.register(event.requestId, {
+        session,
+        conversationId,
+        kind: 'secret',
+      });
+    }
+
+    ctx.send(socket, event);
+  };
+}
+
 export async function handleUserMessage(
   msg: UserMessage,
   socket: net.Socket,
@@ -83,8 +167,14 @@ export async function handleUserMessage(
       wireEscalationHandler(session, socket, ctx);
     }
 
-    const sendEvent = (event: ServerMessage) => ctx.send(socket, event);
     const ipcChannel = parseChannelId(msg.channel) ?? 'vellum';
+    const sendEvent = makeIpcEventSender({
+      ctx,
+      socket,
+      session,
+      conversationId: msg.sessionId,
+      sourceChannel: ipcChannel,
+    });
     const ipcInterface = parseInterfaceId(msg.interface);
     if (!ipcInterface) {
       ctx.send(socket, {
@@ -461,11 +551,13 @@ export async function handleUserMessage(
       }
     }
 
-    // If exactly one live turn is waiting on confirmation (no queued turns),
-    // try to consume this text as an inline approval decision first.
+    // If a live turn is waiting on confirmation, try to consume this text as
+    // an inline approval decision before auto-deny. We intentionally do not
+    // gate on queue depth: users often retry "approve"/"yes" while the queue
+    // is draining after a prior denial, and requiring an empty queue causes a
+    // deny/retry cascade where natural-language approvals never land.
     if (
       session.hasAnyPendingConfirmation()
-      && session.getQueueDepth() === 0
       && messageText.trim().length > 0
     ) {
       try {
@@ -598,6 +690,7 @@ export async function handleUserMessage(
       // stale request IDs are not reused as routing candidates.
       for (const interaction of pendingInteractions.getByConversation(msg.sessionId)) {
         if (interaction.session === session && interaction.kind === 'confirmation') {
+          syncCanonicalStatusFromIpcConfirmationDecision(interaction.requestId, 'deny');
           pendingInteractions.resolve(interaction.requestId);
         }
       }
@@ -638,6 +731,8 @@ export function handleConfirmationResponse(
         msg.selectedPattern,
         msg.selectedScope,
       );
+      syncCanonicalStatusFromIpcConfirmationDecision(msg.requestId, msg.decision);
+      pendingInteractions.resolve(msg.requestId);
       return;
     }
   }
@@ -651,6 +746,8 @@ export function handleConfirmationResponse(
         msg.selectedPattern,
         msg.selectedScope,
       );
+      syncCanonicalStatusFromIpcConfirmationDecision(msg.requestId, msg.decision);
+      pendingInteractions.resolve(msg.requestId);
       return;
     }
   }
@@ -670,6 +767,7 @@ export function handleSecretResponse(
     clearTimeout(standalone.timer);
     pendingStandaloneSecrets.delete(msg.requestId);
     standalone.resolve({ value: msg.value ?? null, delivery: msg.delivery ?? 'store' });
+    pendingInteractions.resolve(msg.requestId);
     return;
   }
 
@@ -680,6 +778,7 @@ export function handleSecretResponse(
     if (session.hasPendingSecret(msg.requestId)) {
       ctx.touchSession(sessionId);
       session.handleSecretResponse(msg.requestId, msg.value, msg.delivery);
+      pendingInteractions.resolve(msg.requestId);
       return;
     }
   }
@@ -780,11 +879,11 @@ export async function handleSessionCreate(
 
   // Auto-send the initial message if provided, kick-starting the skill.
   if (msg.initialMessage) {
-    // Queue title generation immediately (matches all other creation paths).
-    // The agent loop success path will also attempt title generation, but
-    // queueGenerateConversationTitle is safe to call redundantly — the
-    // replaceability check prevents double-writes. This ensures the title
-    // is generated even if the agent loop fails or is cancelled.
+    // Queue title generation eagerly — some processMessage paths (guardian
+    // replies, unknown slash commands) bypass the agent loop entirely, so
+    // we can't rely on the agent loop's early title generation alone.
+    // The agent loop also queues title generation, but isReplaceableTitle
+    // prevents double-writes since the first to complete sets a real title.
     if (title === GENERATING_TITLE) {
       queueGenerateConversationTitle({
         conversationId: conversation.id,
@@ -801,9 +900,15 @@ export async function handleSessionCreate(
     }
 
     ctx.socketToSession.set(socket, conversation.id);
-    const sendEvent = (event: ServerMessage) => ctx.send(socket, event);
     const requestId = uuid();
     const transportChannel = parseChannelId(msg.transport?.channelId) ?? 'vellum';
+    const sendEvent = makeIpcEventSender({
+      ctx,
+      socket,
+      session,
+      conversationId: conversation.id,
+      sourceChannel: transportChannel,
+    });
     session.setTurnChannelContext({
       userMessageChannel: transportChannel,
       assistantMessageChannel: transportChannel,
@@ -1136,7 +1241,16 @@ export async function handleRegenerate(
   }
   ctx.touchSession(msg.sessionId);
 
-  const sendEvent = (event: ServerMessage) => ctx.send(socket, event);
+  const regenerateChannel = parseChannelId(
+    session.getTurnChannelContext()?.assistantMessageChannel,
+  ) ?? 'vellum';
+  const sendEvent = makeIpcEventSender({
+    ctx,
+    socket,
+    session,
+    conversationId: msg.sessionId,
+    sourceChannel: regenerateChannel,
+  });
   const requestId = uuid();
   session.traceEmitter.emit('request_received', 'Regenerate requested', {
     requestId,

package/src/daemon/response-tier.ts

@@ -145,15 +145,16 @@ const TIER_SYSTEM_PROMPT =
 
 /**
  * Fire-and-forget Haiku call to classify the conversation trajectory.
- * Returns the classified tier or null on any failure.
+ * Returns the classified tier, or undefined when no provider is configured
+ * or on any failure.
  */
 export async function classifyResponseTierAsync(
   recentUserTexts: string[],
-): Promise<ResponseTier | null> {
+): Promise<ResponseTier | undefined> {
   const provider = getConfiguredProvider();
   if (!provider) {
     log.debug('No provider available for async tier classification');
-    return null;
+    return undefined;
   }
 
   const combined = recentUserTexts
@@ -186,14 +187,14 @@ export async function classifyResponseTierAsync(
       }
 
       log.debug({ raw }, 'Async tier classification returned unexpected value');
-      return null;
+      return undefined;
     } finally {
       cleanup();
     }
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     log.debug({ err: message }, 'Async tier classification failed');
-    return null;
+    return undefined;
   }
 }
 

package/src/daemon/server.ts

@@ -93,6 +93,16 @@ function resolveTurnInterface(sourceInterface?: string): InterfaceId {
   return 'vellum';
 }
 
+function resolveCanonicalRequestSourceType(sourceChannel: string | undefined): 'desktop' | 'channel' | 'voice' {
+  if (sourceChannel === 'voice') {
+    return 'voice';
+  }
+  if (sourceChannel === 'vellum') {
+    return 'desktop';
+  }
+  return 'channel';
+}
+
 /**
  * Build an onEvent callback that registers pending interactions when the agent
  * loop emits confirmation_request or secret_request events. This ensures that
@@ -121,12 +131,17 @@ function makePendingInteractionRegistrar(
 
       // Create a canonical guardian request so IPC/HTTP handlers can find it
       // via applyCanonicalGuardianDecision.
+      const guardianContext = session.guardianContext;
+      const sourceChannel = guardianContext?.sourceChannel ?? 'vellum';
       createCanonicalGuardianRequest({
         id: msg.requestId,
         kind: 'tool_approval',
-        sourceType: 'desktop',
-        sourceChannel: 'vellum',
+        sourceType: resolveCanonicalRequestSourceType(sourceChannel),
+        sourceChannel,
         conversationId,
+        requesterExternalUserId: guardianContext?.requesterExternalUserId,
+        requesterChatId: guardianContext?.requesterChatId,
+        guardianExternalUserId: guardianContext?.guardianExternalUserId,
         toolName: msg.toolName,
         status: 'pending',
         requestCode: generateCanonicalRequestCode(),

package/src/daemon/session-agent-loop.ts

@@ -20,7 +20,7 @@ import { commitAppTurnChanges } from '../memory/app-git-service.js';
 import { getApp, listAppFiles } from '../memory/app-store.js';
 import * as conversationStore from '../memory/conversation-store.js';
 import { getConversationOriginChannel, getConversationOriginInterface, provenanceFromGuardianContext } from '../memory/conversation-store.js';
-import { isReplaceableTitle, queueGenerateConversationTitle, queueRegenerateConversationTitle } from '../memory/conversation-title-service.js';
+import { GENERATING_TITLE, isReplaceableTitle, queueGenerateConversationTitle, queueRegenerateConversationTitle, UNTITLED_FALLBACK } from '../memory/conversation-title-service.js';
 import { stripMemoryRecallMessages } from '../memory/retriever.js';
 import type { PermissionPrompter } from '../permissions/prompter.js';
 import type { ContentBlock,Message } from '../providers/types.js';
@@ -211,10 +211,42 @@ export async function runAgentLoopImpl(
         ctx.messages.pop();
         conversationStore.deleteMessageById(userMessageId);
       }
+      // Replace loading placeholder so the thread isn't stuck as "Generating title..."
+      const blockedConv = conversationStore.getConversation(ctx.conversationId);
+      if (blockedConv?.title === GENERATING_TITLE) {
+        conversationStore.updateConversationTitle(ctx.conversationId, UNTITLED_FALLBACK, 1);
+        onEvent({ type: 'session_title_updated', sessionId: ctx.conversationId, title: UNTITLED_FALLBACK });
+      }
       onEvent({ type: 'error', message: `Message blocked by hook "${preMessageResult.blockedBy}"` });
       return;
     }
 
+    // Generate title early — the user message alone is sufficient context.
+    // Firing after hook gating but before the main LLM call removes the
+    // delay of waiting for the full assistant response. The second-pass
+    // regeneration at turn 3 will refine the title with more context.
+    // Deferred via setTimeout so the main agent loop LLM call is queued
+    // first, avoiding rate-limit slot contention. No abort signal — title
+    // generation should complete even if the user cancels the response,
+    // since the user message is already persisted.
+    const currentConvForTitle = conversationStore.getConversation(ctx.conversationId);
+    if (isReplaceableTitle(currentConvForTitle?.title ?? null)) {
+      setTimeout(() => {
+        queueGenerateConversationTitle({
+          conversationId: ctx.conversationId,
+          provider: ctx.provider,
+          userMessage: options?.titleText ?? content,
+          onTitleUpdated: (title) => {
+            onEvent({
+              type: 'session_title_updated',
+              sessionId: ctx.conversationId,
+              title,
+            });
+          },
+        });
+      }, 0);
+    }
+
     const isFirstMessage = ctx.messages.length === 1;
 
     const compacted = await ctx.contextWindowManager.maybeCompact(
@@ -721,27 +753,6 @@ export async function runAgentLoopImpl(
       });
     }
 
-    // Generate title if the current conversation title is still a replaceable
-    // placeholder. This replaces the previous `isFirstMessage` gate so that
-    // assistant-seeded/system-seeded threads also receive generated titles.
-    const currentConv = conversationStore.getConversation(ctx.conversationId);
-    if (isReplaceableTitle(currentConv?.title ?? null)) {
-      queueGenerateConversationTitle({
-        conversationId: ctx.conversationId,
-        provider: ctx.provider,
-        userMessage: options?.titleText ?? content,
-        assistantResponse: state.firstAssistantText || undefined,
-        onTitleUpdated: (title) => {
-          onEvent({
-            type: 'session_title_updated',
-            sessionId: ctx.conversationId,
-            title,
-          });
-        },
-        signal: abortController.signal,
-      });
-    }
-
     // Second title pass: after 3 completed turns, re-generate the title
     // using the last 3 messages for better context. Only fires when the
     // current title was auto-generated (isAutoTitle = 1).

package/src/memory/app-store.ts

@@ -147,6 +147,9 @@ function savePages(appId: string, pages: Record<string, string>): void {
   mkdirSync(pagesDir, { recursive: true });
   for (const [filename, content] of Object.entries(pages)) {
     validatePageFilename(filename);
+    if (typeof content !== 'string') {
+      throw new Error(`Page content for "${filename}" must be a string, got ${typeof content}`);
+    }
     writeFileSync(join(pagesDir, filename), content, 'utf-8');
   }
 }
@@ -194,6 +197,9 @@ export function createApp(params: {
   // Write htmlDefinition to {appId}/index.html on disk
   const appDir = join(dir, app.id);
   mkdirSync(appDir, { recursive: true });
+  if (typeof params.htmlDefinition !== 'string') {
+    throw new Error(`htmlDefinition must be a string, got ${typeof params.htmlDefinition}`);
+  }
   writeFileSync(join(appDir, 'index.html'), params.htmlDefinition, 'utf-8');
 
   // Write preview to companion file to keep the JSON small

package/src/memory/embedding-local.ts

@@ -81,7 +81,11 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
       }
       this.pendingRequests.set(id, { resolve });
       this.workerProc.stdin.write(JSON.stringify({ id, texts }) + '\n');
-      this.workerProc.stdin.flush();
+      try {
+        this.workerProc.stdin.flush();
+      } catch {
+        // Worker may have exited — pending request will be resolved by stdout reader cleanup
+      }
     });
   }
 
@@ -138,8 +142,10 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
       // Wait for the worker to signal it's ready (model loaded)
       await this.waitForReady();
     } catch (err) {
-      // Worker failed to start — collect stderr for diagnosis
+      // Worker failed to start — kill it to avoid deadlock, then collect stderr
       this.workerProc = null;
+      this.stdoutReaderActive = false;
+      try { proc.kill(); } catch { /* may already be dead */ }
       const exitCode = await proc.exited.catch(() => undefined);
       const stderr = await new Response(proc.stderr).text().catch(() => '');
       if (stderr.trim()) {
@@ -180,7 +186,9 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
     if (this.stdoutReaderActive || !this.workerProc) return;
     this.stdoutReaderActive = true;
 
-    const reader = this.workerProc.stdout.getReader();
+    // Capture reference to detect if a new worker was spawned during cleanup
+    const proc = this.workerProc;
+    const reader = proc.stdout.getReader();
     const decoder = new TextDecoder();
 
     (async () => {
@@ -195,17 +203,21 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
         // Reader cancelled or stream errored
       }
 
-      // Worker exited — reject all pending requests and clean up
-      for (const [, pending] of this.pendingRequests) {
-        pending.resolve({ error: 'Embedding worker process exited unexpectedly' });
+      // Only clean up if this reader's proc is still the active one.
+      // A new worker may have been spawned during the async cleanup window.
+      if (this.workerProc === proc) {
+        // Worker exited — reject all pending requests and clean up
+        for (const [, pending] of this.pendingRequests) {
+          pending.resolve({ error: 'Embedding worker process exited unexpectedly' });
+        }
+        this.pendingRequests.clear();
+        this.workerProc = null;
+        this.stdoutReaderActive = false;
+        this.removePidFile();
+        this.stdoutBuffer = '';
+        // Allow re-initialization on next embed() call
+        this.initGuard.reset();
       }
-      this.pendingRequests.clear();
-      this.workerProc = null;
-      this.stdoutReaderActive = false;
-      this.removePidFile();
-      this.stdoutBuffer = '';
-      // Allow re-initialization on next embed() call
-      this.initGuard.reset();
     })();
   }
 

package/src/memory/embedding-runtime-manager.ts

@@ -27,12 +27,13 @@ const log = getLogger('embedding-runtime-manager');
 const ONNXRUNTIME_NODE_VERSION = '1.21.0';
 const ONNXRUNTIME_COMMON_VERSION = '1.21.0';
 const TRANSFORMERS_VERSION = '3.8.1';
+const JINJA_VERSION = '0.5.5';
 
 /** Bun version to download when system bun is not available. */
 const BUN_VERSION = '1.2.0';
 
 /** Composite version string for cache invalidation. */
-const RUNTIME_VERSION = `ort-${ONNXRUNTIME_NODE_VERSION}_hf-${TRANSFORMERS_VERSION}`;
+const RUNTIME_VERSION = `ort-${ONNXRUNTIME_NODE_VERSION}_hf-${TRANSFORMERS_VERSION}_jinja-${JINJA_VERSION}`;
 
 const WORKER_FILENAME = 'embed-worker.mjs';
 
@@ -104,6 +105,7 @@ function generateWorkerScript(): string {
   return `\
 // embed-worker.mjs — Auto-generated by EmbeddingRuntimeManager
 // Runs in a separate bun process, communicates via JSON-lines over stdin/stdout.
+process.title = 'embed-worker';
 import { pipeline, env } from '@huggingface/transformers';
 
 const model = process.argv[2];
@@ -272,6 +274,12 @@ export class EmbeddingRuntimeManager {
     const tmpDir = join(this.baseDir, `.installing-${Date.now()}`);
     mkdirSync(tmpDir, { recursive: true });
 
+    // Declared outside try so catch/finally can reference them for cleanup
+    const modelCacheDir = join(this.baseDir, 'model-cache');
+    const existingBinDir = join(this.baseDir, 'bin');
+    let tmpModelCache: string | null = null;
+    let tmpBinDir: string | null = null;
+
     try {
       // Step 1: Download npm packages (and bun if needed) in parallel
       const nodeModules = join(tmpDir, 'node_modules');
@@ -291,6 +299,11 @@ export class EmbeddingRuntimeManager {
           join(nodeModules, '@huggingface', 'transformers'),
           signal,
         ),
+        downloadAndExtract(
+          npmTarballUrl('@huggingface/jinja', JINJA_VERSION),
+          join(nodeModules, '@huggingface', 'jinja'),
+          signal,
+        ),
       ];
 
       // Download bun binary if not already available on the system
@@ -358,19 +371,15 @@ export class EmbeddingRuntimeManager {
 
       // Step 6: Atomic swap — remove old install and rename temp to final
       // Preserve model-cache/, bin/ (downloaded bun), and .gitignore
-      const modelCacheDir = join(this.baseDir, 'model-cache');
       const hadModelCache = existsSync(modelCacheDir);
-      let tmpModelCache: string | null = null;
       if (hadModelCache) {
         tmpModelCache = join(this.baseDir, `.model-cache-preserve-${Date.now()}`);
         renameSync(modelCacheDir, tmpModelCache);
       }
 
       // Preserve downloaded bun binary if it exists and we didn't just download a new one
-      const existingBinDir = join(this.baseDir, 'bin');
       const newBinDir = join(tmpDir, 'bin');
       const hadBinDir = existsSync(existingBinDir) && !existsSync(newBinDir);
-      let tmpBinDir: string | null = null;
       if (hadBinDir) {
         tmpBinDir = join(this.baseDir, `.bin-preserve-${Date.now()}`);
         renameSync(existingBinDir, tmpBinDir);
@@ -399,11 +408,20 @@ export class EmbeddingRuntimeManager {
 
       log.info({ runtimeVersion: RUNTIME_VERSION }, 'Embedding runtime installed successfully');
     } catch (err) {
+      // Restore preserved directories if the swap failed
+      if (tmpModelCache && existsSync(tmpModelCache) && !existsSync(modelCacheDir)) {
+        try { renameSync(tmpModelCache, modelCacheDir); } catch { /* best effort */ }
+      }
+      if (tmpBinDir && existsSync(tmpBinDir) && !existsSync(existingBinDir)) {
+        try { renameSync(tmpBinDir, existingBinDir); } catch { /* best effort */ }
+      }
       log.error({ err }, 'Failed to install embedding runtime');
       throw err;
     } finally {
-      // Clean up temp directory
+      // Clean up temp directory and any leftover preserve dirs
       rmSync(tmpDir, { recursive: true, force: true });
+      if (tmpModelCache) rmSync(tmpModelCache, { recursive: true, force: true });
+      if (tmpBinDir) rmSync(tmpBinDir, { recursive: true, force: true });
     }
   }
 

package/src/runtime/guardian-context-resolver.ts

@@ -7,6 +7,7 @@
  */
 import type { ChannelId } from '../channels/types.js';
 import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
+import { canonicalizeInboundIdentity } from '../util/canonicalize-identity.js';
 import {
   type DenialReason,
   resolveActorTrust,
@@ -41,11 +42,14 @@ export type ResolveGuardianContextInput = ResolveActorTrustInput;
  */
 export function resolveGuardianContext(input: ResolveGuardianContextInput): GuardianContext {
   const trust = resolveActorTrust(input);
+  const canonicalGuardianExternalUserId = trust.guardianBindingMatch?.guardianExternalUserId
+    ? canonicalizeInboundIdentity(input.sourceChannel, trust.guardianBindingMatch.guardianExternalUserId) ?? undefined
+    : undefined;
   return {
     trustClass: trust.trustClass,
     guardianChatId: trust.guardianBindingMatch?.guardianDeliveryChatId ??
       (trust.trustClass === 'guardian' ? input.externalChatId : undefined),
-    guardianExternalUserId: trust.guardianBindingMatch?.guardianExternalUserId,
+    guardianExternalUserId: canonicalGuardianExternalUserId,
     requesterIdentifier: trust.actorMetadata.identifier,
     requesterDisplayName: trust.actorMetadata.displayName,
     requesterSenderDisplayName: trust.actorMetadata.senderDisplayName,

package/src/runtime/guardian-reply-router.ts

@@ -237,6 +237,7 @@ export async function routeGuardianReply(
 ): Promise<GuardianReplyResult> {
   const { messageText, actor, conversationId, callbackData, approvalConversationGenerator, channelDeliveryContext } = ctx;
   const pendingRequests = findPendingCanonicalRequests(actor, ctx.pendingRequestIds, conversationId);
+  const scopedPendingRequestIds = ctx.pendingRequestIds ? new Set(ctx.pendingRequestIds) : null;
 
   // ── 1. Deterministic callback parsing (button presses) ──
   // No conversationId scoping here — the guardian's reply comes from a
@@ -257,6 +258,17 @@ export async function routeGuardianReply(
     const codeResult = parseRequestCode(messageText);
     if (codeResult) {
       const { request } = codeResult;
+      if (scopedPendingRequestIds && !scopedPendingRequestIds.has(request.id)) {
+        log.info(
+          {
+            event: 'router_code_out_of_scope',
+            requestId: request.id,
+            pendingHintCount: scopedPendingRequestIds.size,
+          },
+          'Request code matched a pending request outside the caller-provided scope; ignoring',
+        );
+        return notConsumed();
+      }
 
       if (request.status !== 'pending') {
         log.info(

package/src/runtime/http-server.ts

@@ -714,6 +714,7 @@ export class RuntimeHttpServer {
           processMessage: this.processMessage,
           persistAndProcessMessage: this.persistAndProcessMessage,
           sendMessageDeps: this.sendMessageDeps,
+          approvalConversationGenerator: this.approvalConversationGenerator,
         });
       }