@vellumai/assistant 0.4.1 → 0.4.2

package/src/daemon/server.ts

@@ -93,6 +93,16 @@ function resolveTurnInterface(sourceInterface?: string): InterfaceId {
   return 'vellum';
 }
 
+function resolveCanonicalRequestSourceType(sourceChannel: string | undefined): 'desktop' | 'channel' | 'voice' {
+  if (sourceChannel === 'voice') {
+    return 'voice';
+  }
+  if (sourceChannel === 'vellum') {
+    return 'desktop';
+  }
+  return 'channel';
+}
+
 /**
  * Build an onEvent callback that registers pending interactions when the agent
  * loop emits confirmation_request or secret_request events. This ensures that
@@ -121,12 +131,17 @@ function makePendingInteractionRegistrar(
 
       // Create a canonical guardian request so IPC/HTTP handlers can find it
       // via applyCanonicalGuardianDecision.
+      const guardianContext = session.guardianContext;
+      const sourceChannel = guardianContext?.sourceChannel ?? 'vellum';
       createCanonicalGuardianRequest({
         id: msg.requestId,
         kind: 'tool_approval',
-        sourceType: 'desktop',
-        sourceChannel: 'vellum',
+        sourceType: resolveCanonicalRequestSourceType(sourceChannel),
+        sourceChannel,
         conversationId,
+        requesterExternalUserId: guardianContext?.requesterExternalUserId,
+        requesterChatId: guardianContext?.requesterChatId,
+        guardianExternalUserId: guardianContext?.guardianExternalUserId,
         toolName: msg.toolName,
         status: 'pending',
         requestCode: generateCanonicalRequestCode(),

package/src/daemon/session-agent-loop.ts

@@ -20,7 +20,7 @@ import { commitAppTurnChanges } from '../memory/app-git-service.js';
 import { getApp, listAppFiles } from '../memory/app-store.js';
 import * as conversationStore from '../memory/conversation-store.js';
 import { getConversationOriginChannel, getConversationOriginInterface, provenanceFromGuardianContext } from '../memory/conversation-store.js';
-import { isReplaceableTitle, queueGenerateConversationTitle, queueRegenerateConversationTitle } from '../memory/conversation-title-service.js';
+import { GENERATING_TITLE, isReplaceableTitle, queueGenerateConversationTitle, queueRegenerateConversationTitle, UNTITLED_FALLBACK } from '../memory/conversation-title-service.js';
 import { stripMemoryRecallMessages } from '../memory/retriever.js';
 import type { PermissionPrompter } from '../permissions/prompter.js';
 import type { ContentBlock,Message } from '../providers/types.js';
@@ -211,10 +211,42 @@ export async function runAgentLoopImpl(
         ctx.messages.pop();
         conversationStore.deleteMessageById(userMessageId);
       }
+      // Replace loading placeholder so the thread isn't stuck as "Generating title..."
+      const blockedConv = conversationStore.getConversation(ctx.conversationId);
+      if (blockedConv?.title === GENERATING_TITLE) {
+        conversationStore.updateConversationTitle(ctx.conversationId, UNTITLED_FALLBACK, 1);
+        onEvent({ type: 'session_title_updated', sessionId: ctx.conversationId, title: UNTITLED_FALLBACK });
+      }
       onEvent({ type: 'error', message: `Message blocked by hook "${preMessageResult.blockedBy}"` });
       return;
     }
 
+    // Generate title early — the user message alone is sufficient context.
+    // Firing after hook gating but before the main LLM call removes the
+    // delay of waiting for the full assistant response. The second-pass
+    // regeneration at turn 3 will refine the title with more context.
+    // Deferred via setTimeout so the main agent loop LLM call is queued
+    // first, avoiding rate-limit slot contention. No abort signal — title
+    // generation should complete even if the user cancels the response,
+    // since the user message is already persisted.
+    const currentConvForTitle = conversationStore.getConversation(ctx.conversationId);
+    if (isReplaceableTitle(currentConvForTitle?.title ?? null)) {
+      setTimeout(() => {
+        queueGenerateConversationTitle({
+          conversationId: ctx.conversationId,
+          provider: ctx.provider,
+          userMessage: options?.titleText ?? content,
+          onTitleUpdated: (title) => {
+            onEvent({
+              type: 'session_title_updated',
+              sessionId: ctx.conversationId,
+              title,
+            });
+          },
+        });
+      }, 0);
+    }
+
     const isFirstMessage = ctx.messages.length === 1;
 
     const compacted = await ctx.contextWindowManager.maybeCompact(
@@ -721,27 +753,6 @@ export async function runAgentLoopImpl(
       });
     }
 
-    // Generate title if the current conversation title is still a replaceable
-    // placeholder. This replaces the previous `isFirstMessage` gate so that
-    // assistant-seeded/system-seeded threads also receive generated titles.
-    const currentConv = conversationStore.getConversation(ctx.conversationId);
-    if (isReplaceableTitle(currentConv?.title ?? null)) {
-      queueGenerateConversationTitle({
-        conversationId: ctx.conversationId,
-        provider: ctx.provider,
-        userMessage: options?.titleText ?? content,
-        assistantResponse: state.firstAssistantText || undefined,
-        onTitleUpdated: (title) => {
-          onEvent({
-            type: 'session_title_updated',
-            sessionId: ctx.conversationId,
-            title,
-          });
-        },
-        signal: abortController.signal,
-      });
-    }
-
     // Second title pass: after 3 completed turns, re-generate the title
     // using the last 3 messages for better context. Only fires when the
     // current title was auto-generated (isAutoTitle = 1).

package/src/memory/app-store.ts

@@ -147,6 +147,9 @@ function savePages(appId: string, pages: Record<string, string>): void {
   mkdirSync(pagesDir, { recursive: true });
   for (const [filename, content] of Object.entries(pages)) {
     validatePageFilename(filename);
+    if (typeof content !== 'string') {
+      throw new Error(`Page content for "${filename}" must be a string, got ${typeof content}`);
+    }
     writeFileSync(join(pagesDir, filename), content, 'utf-8');
   }
 }
@@ -194,6 +197,9 @@ export function createApp(params: {
   // Write htmlDefinition to {appId}/index.html on disk
   const appDir = join(dir, app.id);
   mkdirSync(appDir, { recursive: true });
+  if (typeof params.htmlDefinition !== 'string') {
+    throw new Error(`htmlDefinition must be a string, got ${typeof params.htmlDefinition}`);
+  }
   writeFileSync(join(appDir, 'index.html'), params.htmlDefinition, 'utf-8');
 
   // Write preview to companion file to keep the JSON small

package/src/memory/embedding-local.ts

@@ -81,7 +81,11 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
       }
       this.pendingRequests.set(id, { resolve });
       this.workerProc.stdin.write(JSON.stringify({ id, texts }) + '\n');
-      this.workerProc.stdin.flush();
+      try {
+        this.workerProc.stdin.flush();
+      } catch {
+        // Worker may have exited — pending request will be resolved by stdout reader cleanup
+      }
     });
   }
 
@@ -138,8 +142,10 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
       // Wait for the worker to signal it's ready (model loaded)
       await this.waitForReady();
     } catch (err) {
-      // Worker failed to start — collect stderr for diagnosis
+      // Worker failed to start — kill it to avoid deadlock, then collect stderr
       this.workerProc = null;
+      this.stdoutReaderActive = false;
+      try { proc.kill(); } catch { /* may already be dead */ }
       const exitCode = await proc.exited.catch(() => undefined);
       const stderr = await new Response(proc.stderr).text().catch(() => '');
       if (stderr.trim()) {
@@ -180,7 +186,9 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
     if (this.stdoutReaderActive || !this.workerProc) return;
     this.stdoutReaderActive = true;
 
-    const reader = this.workerProc.stdout.getReader();
+    // Capture reference to detect if a new worker was spawned during cleanup
+    const proc = this.workerProc;
+    const reader = proc.stdout.getReader();
     const decoder = new TextDecoder();
 
     (async () => {
@@ -195,17 +203,21 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
         // Reader cancelled or stream errored
       }
 
-      // Worker exited — reject all pending requests and clean up
-      for (const [, pending] of this.pendingRequests) {
-        pending.resolve({ error: 'Embedding worker process exited unexpectedly' });
+      // Only clean up if this reader's proc is still the active one.
+      // A new worker may have been spawned during the async cleanup window.
+      if (this.workerProc === proc) {
+        // Worker exited — reject all pending requests and clean up
+        for (const [, pending] of this.pendingRequests) {
+          pending.resolve({ error: 'Embedding worker process exited unexpectedly' });
+        }
+        this.pendingRequests.clear();
+        this.workerProc = null;
+        this.stdoutReaderActive = false;
+        this.removePidFile();
+        this.stdoutBuffer = '';
+        // Allow re-initialization on next embed() call
+        this.initGuard.reset();
       }
-      this.pendingRequests.clear();
-      this.workerProc = null;
-      this.stdoutReaderActive = false;
-      this.removePidFile();
-      this.stdoutBuffer = '';
-      // Allow re-initialization on next embed() call
-      this.initGuard.reset();
     })();
   }
 

package/src/memory/embedding-runtime-manager.ts

@@ -27,12 +27,13 @@ const log = getLogger('embedding-runtime-manager');
 const ONNXRUNTIME_NODE_VERSION = '1.21.0';
 const ONNXRUNTIME_COMMON_VERSION = '1.21.0';
 const TRANSFORMERS_VERSION = '3.8.1';
+const JINJA_VERSION = '0.5.5';
 
 /** Bun version to download when system bun is not available. */
 const BUN_VERSION = '1.2.0';
 
 /** Composite version string for cache invalidation. */
-const RUNTIME_VERSION = `ort-${ONNXRUNTIME_NODE_VERSION}_hf-${TRANSFORMERS_VERSION}`;
+const RUNTIME_VERSION = `ort-${ONNXRUNTIME_NODE_VERSION}_hf-${TRANSFORMERS_VERSION}_jinja-${JINJA_VERSION}`;
 
 const WORKER_FILENAME = 'embed-worker.mjs';
 
@@ -104,6 +105,7 @@ function generateWorkerScript(): string {
   return `\
 // embed-worker.mjs — Auto-generated by EmbeddingRuntimeManager
 // Runs in a separate bun process, communicates via JSON-lines over stdin/stdout.
+process.title = 'embed-worker';
 import { pipeline, env } from '@huggingface/transformers';
 
 const model = process.argv[2];
@@ -272,6 +274,12 @@ export class EmbeddingRuntimeManager {
     const tmpDir = join(this.baseDir, `.installing-${Date.now()}`);
     mkdirSync(tmpDir, { recursive: true });
 
+    // Declared outside try so catch/finally can reference them for cleanup
+    const modelCacheDir = join(this.baseDir, 'model-cache');
+    const existingBinDir = join(this.baseDir, 'bin');
+    let tmpModelCache: string | null = null;
+    let tmpBinDir: string | null = null;
+
     try {
       // Step 1: Download npm packages (and bun if needed) in parallel
       const nodeModules = join(tmpDir, 'node_modules');
@@ -291,6 +299,11 @@ export class EmbeddingRuntimeManager {
           join(nodeModules, '@huggingface', 'transformers'),
           signal,
         ),
+        downloadAndExtract(
+          npmTarballUrl('@huggingface/jinja', JINJA_VERSION),
+          join(nodeModules, '@huggingface', 'jinja'),
+          signal,
+        ),
       ];
 
       // Download bun binary if not already available on the system
@@ -358,19 +371,15 @@ export class EmbeddingRuntimeManager {
 
       // Step 6: Atomic swap — remove old install and rename temp to final
       // Preserve model-cache/, bin/ (downloaded bun), and .gitignore
-      const modelCacheDir = join(this.baseDir, 'model-cache');
       const hadModelCache = existsSync(modelCacheDir);
-      let tmpModelCache: string | null = null;
       if (hadModelCache) {
         tmpModelCache = join(this.baseDir, `.model-cache-preserve-${Date.now()}`);
         renameSync(modelCacheDir, tmpModelCache);
       }
 
       // Preserve downloaded bun binary if it exists and we didn't just download a new one
-      const existingBinDir = join(this.baseDir, 'bin');
       const newBinDir = join(tmpDir, 'bin');
       const hadBinDir = existsSync(existingBinDir) && !existsSync(newBinDir);
-      let tmpBinDir: string | null = null;
       if (hadBinDir) {
         tmpBinDir = join(this.baseDir, `.bin-preserve-${Date.now()}`);
         renameSync(existingBinDir, tmpBinDir);
@@ -399,11 +408,20 @@ export class EmbeddingRuntimeManager {
 
       log.info({ runtimeVersion: RUNTIME_VERSION }, 'Embedding runtime installed successfully');
     } catch (err) {
+      // Restore preserved directories if the swap failed
+      if (tmpModelCache && existsSync(tmpModelCache) && !existsSync(modelCacheDir)) {
+        try { renameSync(tmpModelCache, modelCacheDir); } catch { /* best effort */ }
+      }
+      if (tmpBinDir && existsSync(tmpBinDir) && !existsSync(existingBinDir)) {
+        try { renameSync(tmpBinDir, existingBinDir); } catch { /* best effort */ }
+      }
       log.error({ err }, 'Failed to install embedding runtime');
       throw err;
     } finally {
-      // Clean up temp directory
+      // Clean up temp directory and any leftover preserve dirs
       rmSync(tmpDir, { recursive: true, force: true });
+      if (tmpModelCache) rmSync(tmpModelCache, { recursive: true, force: true });
+      if (tmpBinDir) rmSync(tmpBinDir, { recursive: true, force: true });
     }
   }
 

package/src/runtime/guardian-context-resolver.ts

@@ -7,6 +7,7 @@
  */
 import type { ChannelId } from '../channels/types.js';
 import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
+import { canonicalizeInboundIdentity } from '../util/canonicalize-identity.js';
 import {
   type DenialReason,
   resolveActorTrust,
@@ -41,11 +42,14 @@ export type ResolveGuardianContextInput = ResolveActorTrustInput;
  */
 export function resolveGuardianContext(input: ResolveGuardianContextInput): GuardianContext {
   const trust = resolveActorTrust(input);
+  const canonicalGuardianExternalUserId = trust.guardianBindingMatch?.guardianExternalUserId
+    ? canonicalizeInboundIdentity(input.sourceChannel, trust.guardianBindingMatch.guardianExternalUserId) ?? undefined
+    : undefined;
   return {
     trustClass: trust.trustClass,
     guardianChatId: trust.guardianBindingMatch?.guardianDeliveryChatId ??
       (trust.trustClass === 'guardian' ? input.externalChatId : undefined),
-    guardianExternalUserId: trust.guardianBindingMatch?.guardianExternalUserId,
+    guardianExternalUserId: canonicalGuardianExternalUserId,
     requesterIdentifier: trust.actorMetadata.identifier,
     requesterDisplayName: trust.actorMetadata.displayName,
     requesterSenderDisplayName: trust.actorMetadata.senderDisplayName,

package/src/runtime/guardian-reply-router.ts

@@ -237,6 +237,7 @@ export async function routeGuardianReply(
 ): Promise<GuardianReplyResult> {
   const { messageText, actor, conversationId, callbackData, approvalConversationGenerator, channelDeliveryContext } = ctx;
   const pendingRequests = findPendingCanonicalRequests(actor, ctx.pendingRequestIds, conversationId);
+  const scopedPendingRequestIds = ctx.pendingRequestIds ? new Set(ctx.pendingRequestIds) : null;
 
   // ── 1. Deterministic callback parsing (button presses) ──
   // No conversationId scoping here — the guardian's reply comes from a
@@ -257,6 +258,17 @@ export async function routeGuardianReply(
     const codeResult = parseRequestCode(messageText);
     if (codeResult) {
       const { request } = codeResult;
+      if (scopedPendingRequestIds && !scopedPendingRequestIds.has(request.id)) {
+        log.info(
+          {
+            event: 'router_code_out_of_scope',
+            requestId: request.id,
+            pendingHintCount: scopedPendingRequestIds.size,
+          },
+          'Request code matched a pending request outside the caller-provided scope; ignoring',
+        );
+        return notConsumed();
+      }
 
       if (request.status !== 'pending') {
         log.info(

package/src/runtime/http-server.ts

@@ -714,6 +714,7 @@ export class RuntimeHttpServer {
           processMessage: this.processMessage,
           persistAndProcessMessage: this.persistAndProcessMessage,
           sendMessageDeps: this.sendMessageDeps,
+          approvalConversationGenerator: this.approvalConversationGenerator,
         });
       }
 

package/src/runtime/routes/conversation-routes.ts

@@ -27,6 +27,7 @@ import { buildAssistantEvent } from '../assistant-event.js';
 import { routeGuardianReply } from '../guardian-reply-router.js';
 import { httpError } from '../http-errors.js';
 import type {
+  ApprovalConversationGenerator,
   MessageProcessor,
   NonBlockingMessageProcessor,
   RuntimeAttachmentMetadata,
@@ -87,6 +88,7 @@ async function tryConsumeInlineApprovalReply(params: {
   }>;
   session: import('../../daemon/session.js').Session;
   onEvent: (msg: ServerMessage) => void;
+  approvalConversationGenerator?: ApprovalConversationGenerator;
 }): Promise<{ consumed: boolean; messageId?: string }> {
   const {
     conversationId,
@@ -96,15 +98,16 @@ async function tryConsumeInlineApprovalReply(params: {
     attachments,
     session,
     onEvent,
+    approvalConversationGenerator,
   } = params;
   const trimmedContent = content.trim();
 
-  // Only consume inline replies when there are no queued turns, matching
-  // the IPC path guard. With queued messages, "approve"/"no" should be
-  // processed in queue order rather than treated as a confirmation reply.
+  // Try inline approval interception whenever a pending confirmation exists.
+  // We intentionally do not block on queue depth: after an auto-deny, users
+  // often retry with "approve"/"yes" while the queue is still draining, and
+  // requiring an empty queue can create a deny/retry cascade.
   if (
     !session.hasAnyPendingConfirmation()
-    || session.getQueueDepth() > 0
     || trimmedContent.length === 0
   ) {
     return { consumed: false };
@@ -125,6 +128,7 @@ async function tryConsumeInlineApprovalReply(params: {
     },
     conversationId,
     pendingRequestIds,
+    approvalConversationGenerator,
   });
 
   if (!routerResult.consumed || routerResult.type === 'nl_keep_pending') {
@@ -176,6 +180,16 @@ async function tryConsumeInlineApprovalReply(params: {
   return { consumed: true, messageId };
 }
 
+function resolveCanonicalRequestSourceType(sourceChannel: string | undefined): 'desktop' | 'channel' | 'voice' {
+  if (sourceChannel === 'voice') {
+    return 'voice';
+  }
+  if (sourceChannel === 'vellum') {
+    return 'desktop';
+  }
+  return 'channel';
+}
+
 function getInterfaceFilesWithMtimes(interfacesDir: string | null): Array<{ path: string; mtimeMs: number }> {
   if (!interfacesDir || !existsSync(interfacesDir)) return [];
   const results: Array<{ path: string; mtimeMs: number }> = [];
@@ -319,12 +333,17 @@ function makeHubPublisher(
 
       // Create a canonical guardian request so IPC/HTTP handlers can find it
       // via applyCanonicalGuardianDecision.
+      const guardianContext = session.guardianContext;
+      const sourceChannel = guardianContext?.sourceChannel ?? 'vellum';
       createCanonicalGuardianRequest({
         id: msg.requestId,
         kind: 'tool_approval',
-        sourceType: 'desktop',
-        sourceChannel: 'vellum',
+        sourceType: resolveCanonicalRequestSourceType(sourceChannel),
+        sourceChannel,
         conversationId,
+        requesterExternalUserId: guardianContext?.requesterExternalUserId,
+        requesterChatId: guardianContext?.requesterChatId,
+        guardianExternalUserId: guardianContext?.guardianExternalUserId,
         toolName: msg.toolName,
         status: 'pending',
         requestCode: generateCanonicalRequestCode(),
@@ -362,6 +381,7 @@ export async function handleSendMessage(
     processMessage?: MessageProcessor;
     persistAndProcessMessage?: NonBlockingMessageProcessor;
     sendMessageDeps?: SendMessageDeps;
+    approvalConversationGenerator?: ApprovalConversationGenerator;
   },
 ): Promise<Response> {
   const body = await req.json() as {
@@ -440,10 +460,11 @@ export async function handleSendMessage(
         sourceChannel,
         sourceInterface,
         content: content ?? '',
-        attachments,
-        session,
-        onEvent,
-      });
+      attachments,
+      session,
+      onEvent,
+      approvalConversationGenerator: deps.approvalConversationGenerator,
+    });
       if (inlineReplyResult.consumed) {
         return Response.json(
           { accepted: true, ...(inlineReplyResult.messageId ? { messageId: inlineReplyResult.messageId } : {}) },

package/src/runtime/routes/inbound-message-handler.ts

@@ -1401,6 +1401,8 @@ function startPendingApprovalPromptWatcher(params: {
   sourceChannel: ChannelId;
   externalChatId: string;
   guardianTrustClass: GuardianContext['trustClass'];
+  guardianExternalUserId?: string;
+  requesterExternalUserId?: string;
   replyCallbackUrl: string;
   bearerToken?: string;
   assistantId?: string;
@@ -1411,6 +1413,8 @@ function startPendingApprovalPromptWatcher(params: {
     sourceChannel,
     externalChatId,
     guardianTrustClass,
+    guardianExternalUserId,
+    requesterExternalUserId,
     replyCallbackUrl,
     bearerToken,
     assistantId,
@@ -1419,7 +1423,12 @@ function startPendingApprovalPromptWatcher(params: {
 
   // Approval prompt delivery is guardian-only. Non-guardian and unverified
   // actors must never receive approval prompt broadcasts for the conversation.
-  if (guardianTrustClass !== 'guardian') {
+  // We also require an explicit identity match against the bound guardian to
+  // avoid broadcasting prompts when trustClass is stale/mis-scoped.
+  const isBoundGuardianActor = guardianTrustClass === 'guardian'
+    && !!guardianExternalUserId
+    && requesterExternalUserId === guardianExternalUserId;
+  if (!isBoundGuardianActor) {
     return () => {};
   }
 
@@ -1502,6 +1511,8 @@ function processChannelMessageInBackground(params: BackgroundProcessingParams):
         sourceChannel,
         externalChatId,
         guardianTrustClass: guardianCtx.trustClass,
+        guardianExternalUserId: guardianCtx.guardianExternalUserId,
+        requesterExternalUserId: guardianCtx.requesterExternalUserId,
         replyCallbackUrl,
         bearerToken,
         assistantId,

package/src/tools/apps/executors.ts

@@ -102,6 +102,21 @@ export async function executeAppCreate(
   const preview = input.preview;
   const appType = input.type === 'site' ? 'site' as const : 'app' as const;
 
+  // Validate required fields — LLM input is not type-checked at runtime
+  if (typeof name !== 'string' || name.trim() === '') {
+    return { content: JSON.stringify({ error: 'name is required and must be a non-empty string' }), isError: true };
+  }
+  if (typeof htmlDefinition !== 'string') {
+    return { content: JSON.stringify({ error: 'html is required and must be a string containing the HTML definition' }), isError: true };
+  }
+  if (pages) {
+    for (const [filename, content] of Object.entries(pages)) {
+      if (typeof content !== 'string') {
+        return { content: JSON.stringify({ error: `pages["${filename}"] must be a string, got ${typeof content}` }), isError: true };
+      }
+    }
+  }
+
   const app = store.createApp({ name, description, schemaJson, htmlDefinition, pages, appType });
 
   if (input.set_as_home_base) {