@vellumai/assistant 0.4.1 → 0.4.3

package/src/memory/conversation-title-service.ts

@@ -286,7 +286,7 @@ function buildTitlePrompt(
   assistantResponse?: string,
 ): string {
   const parts: string[] = [
-    'Generate a very short title for this conversation. Rules: at most 5 words, at most 40 characters, no quotes.',
+    'Generate a very short title for this conversation. Rules: at most 5 words, at most 40 characters, no quotes, no markdown formatting.',
   ];
 
   if (context) {
@@ -313,12 +313,26 @@ function buildTitlePrompt(
 
 function normalizeTitle(raw: string): string {
   let title = raw.trim().replace(/^["']|["']$/g, '');
+  title = stripMarkdown(title);
   const words = title.split(/\s+/);
   if (words.length > 5) title = words.slice(0, 5).join(' ');
   if (title.length > 40) title = title.slice(0, 40).trimEnd();
   return title;
 }
 
+/** Strip common markdown formatting so titles render as plain text. */
+function stripMarkdown(text: string): string {
+  return text
+    .replace(/\*\*(.+?)\*\*/g, '$1')   // **bold**
+    .replace(/__(.+?)__/g, '$1')        // __bold__
+    .replace(/\*(.+?)\*/g, '$1')        // *italic*
+    .replace(/(?<!\w)_(.+?)_(?!\w)/g, '$1') // _italic_ (word-boundary-aware to preserve snake_case)
+    .replace(/~~(.+?)~~/g, '$1')        // ~~strikethrough~~
+    .replace(/`(.+?)`/g, '$1')          // `code`
+    .replace(/\[(.+?)\]\(.+?\)/g, '$1') // [link](url)
+    .replace(/^#{1,6}\s+/gm, '');       // # headings
+}
+
 function deriveFallbackTitle(context?: TitleContext): string | null {
   if (!context) return null;
   if (context.systemHint) return truncate(context.systemHint, 40, '');
@@ -328,7 +342,7 @@ function deriveFallbackTitle(context?: TitleContext): string | null {
 
 function buildRegenerationPrompt(recentMessages: MessageRow[]): string {
   const parts: string[] = [
-    'Generate a very short title for this conversation based on the recent messages below. Rules: at most 5 words, at most 40 characters, no quotes.',
+    'Generate a very short title for this conversation based on the recent messages below. Rules: at most 5 words, at most 40 characters, no quotes, no markdown formatting.',
     '',
     'Recent messages:',
   ];

package/src/memory/db-init.ts

@@ -37,6 +37,7 @@ import {
   migrateReminderRoutingIntent,
   migrateSchemaIndexesAndColumns,
   migrateVoiceInviteColumns,
+  migrateVoiceInviteDisplayMetadata,
   recoverCrashedMigrations,
   runComplexMigrations,
   runLateMigrations,
@@ -165,5 +166,8 @@ export function initializeDb(): void {
   // 26. Voice invite columns on assistant_ingress_invites
   migrateVoiceInviteColumns(database);
 
+  // 27. Voice invite display metadata (friend_name, guardian_name) for personalized prompts
+  migrateVoiceInviteDisplayMetadata(database);
+
   validateMigrationState(database);
 }

package/src/memory/delivery-crud.ts

@@ -8,6 +8,7 @@
 import { and, desc, eq, isNotNull } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
 import { getConversationByKey, getOrCreateConversation, setConversationKeyIfAbsent } from './conversation-key-store.js';
 import { getDb } from './db.js';
 import { channelInboundEvents, conversations } from './schema.js';
@@ -73,7 +74,7 @@ export function recordInbound(
   const scopedMapping = assistantId ? getConversationByKey(scopedKey) : null;
   if (scopedMapping) {
     mapping = { conversationId: scopedMapping.conversationId, created: false };
-  } else if (assistantId === 'self') {
+  } else if (assistantId === DAEMON_INTERNAL_ASSISTANT_ID) {
     const legacyMapping = getConversationByKey(legacyKey);
     if (legacyMapping) {
       mapping = { conversationId: legacyMapping.conversationId, created: false };

package/src/memory/embedding-local.ts

@@ -81,7 +81,11 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
       }
       this.pendingRequests.set(id, { resolve });
       this.workerProc.stdin.write(JSON.stringify({ id, texts }) + '\n');
-      this.workerProc.stdin.flush();
+      try {
+        this.workerProc.stdin.flush();
+      } catch {
+        // Worker may have exited — pending request will be resolved by stdout reader cleanup
+      }
     });
   }
 
@@ -138,8 +142,10 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
       // Wait for the worker to signal it's ready (model loaded)
       await this.waitForReady();
     } catch (err) {
-      // Worker failed to start — collect stderr for diagnosis
+      // Worker failed to start — kill it to avoid deadlock, then collect stderr
       this.workerProc = null;
+      this.stdoutReaderActive = false;
+      try { proc.kill(); } catch { /* may already be dead */ }
       const exitCode = await proc.exited.catch(() => undefined);
       const stderr = await new Response(proc.stderr).text().catch(() => '');
       if (stderr.trim()) {
@@ -180,7 +186,9 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
     if (this.stdoutReaderActive || !this.workerProc) return;
     this.stdoutReaderActive = true;
 
-    const reader = this.workerProc.stdout.getReader();
+    // Capture reference to detect if a new worker was spawned during cleanup
+    const proc = this.workerProc;
+    const reader = proc.stdout.getReader();
     const decoder = new TextDecoder();
 
     (async () => {
@@ -195,17 +203,21 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
         // Reader cancelled or stream errored
       }
 
-      // Worker exited — reject all pending requests and clean up
-      for (const [, pending] of this.pendingRequests) {
-        pending.resolve({ error: 'Embedding worker process exited unexpectedly' });
+      // Only clean up if this reader's proc is still the active one.
+      // A new worker may have been spawned during the async cleanup window.
+      if (this.workerProc === proc) {
+        // Worker exited — reject all pending requests and clean up
+        for (const [, pending] of this.pendingRequests) {
+          pending.resolve({ error: 'Embedding worker process exited unexpectedly' });
+        }
+        this.pendingRequests.clear();
+        this.workerProc = null;
+        this.stdoutReaderActive = false;
+        this.removePidFile();
+        this.stdoutBuffer = '';
+        // Allow re-initialization on next embed() call
+        this.initGuard.reset();
       }
-      this.pendingRequests.clear();
-      this.workerProc = null;
-      this.stdoutReaderActive = false;
-      this.removePidFile();
-      this.stdoutBuffer = '';
-      // Allow re-initialization on next embed() call
-      this.initGuard.reset();
     })();
   }
 

package/src/memory/embedding-runtime-manager.ts

@@ -27,12 +27,13 @@ const log = getLogger('embedding-runtime-manager');
 const ONNXRUNTIME_NODE_VERSION = '1.21.0';
 const ONNXRUNTIME_COMMON_VERSION = '1.21.0';
 const TRANSFORMERS_VERSION = '3.8.1';
+const JINJA_VERSION = '0.5.5';
 
 /** Bun version to download when system bun is not available. */
 const BUN_VERSION = '1.2.0';
 
 /** Composite version string for cache invalidation. */
-const RUNTIME_VERSION = `ort-${ONNXRUNTIME_NODE_VERSION}_hf-${TRANSFORMERS_VERSION}`;
+const RUNTIME_VERSION = `ort-${ONNXRUNTIME_NODE_VERSION}_hf-${TRANSFORMERS_VERSION}_jinja-${JINJA_VERSION}`;
 
 const WORKER_FILENAME = 'embed-worker.mjs';
 
@@ -104,6 +105,7 @@ function generateWorkerScript(): string {
   return `\
 // embed-worker.mjs — Auto-generated by EmbeddingRuntimeManager
 // Runs in a separate bun process, communicates via JSON-lines over stdin/stdout.
+process.title = 'embed-worker';
 import { pipeline, env } from '@huggingface/transformers';
 
 const model = process.argv[2];
@@ -272,6 +274,12 @@ export class EmbeddingRuntimeManager {
     const tmpDir = join(this.baseDir, `.installing-${Date.now()}`);
     mkdirSync(tmpDir, { recursive: true });
 
+    // Declared outside try so catch/finally can reference them for cleanup
+    const modelCacheDir = join(this.baseDir, 'model-cache');
+    const existingBinDir = join(this.baseDir, 'bin');
+    let tmpModelCache: string | null = null;
+    let tmpBinDir: string | null = null;
+
     try {
       // Step 1: Download npm packages (and bun if needed) in parallel
       const nodeModules = join(tmpDir, 'node_modules');
@@ -291,6 +299,11 @@ export class EmbeddingRuntimeManager {
           join(nodeModules, '@huggingface', 'transformers'),
           signal,
         ),
+        downloadAndExtract(
+          npmTarballUrl('@huggingface/jinja', JINJA_VERSION),
+          join(nodeModules, '@huggingface', 'jinja'),
+          signal,
+        ),
       ];
 
       // Download bun binary if not already available on the system
@@ -358,19 +371,15 @@ export class EmbeddingRuntimeManager {
 
       // Step 6: Atomic swap — remove old install and rename temp to final
       // Preserve model-cache/, bin/ (downloaded bun), and .gitignore
-      const modelCacheDir = join(this.baseDir, 'model-cache');
       const hadModelCache = existsSync(modelCacheDir);
-      let tmpModelCache: string | null = null;
       if (hadModelCache) {
         tmpModelCache = join(this.baseDir, `.model-cache-preserve-${Date.now()}`);
         renameSync(modelCacheDir, tmpModelCache);
       }
 
       // Preserve downloaded bun binary if it exists and we didn't just download a new one
-      const existingBinDir = join(this.baseDir, 'bin');
       const newBinDir = join(tmpDir, 'bin');
       const hadBinDir = existsSync(existingBinDir) && !existsSync(newBinDir);
-      let tmpBinDir: string | null = null;
       if (hadBinDir) {
         tmpBinDir = join(this.baseDir, `.bin-preserve-${Date.now()}`);
         renameSync(existingBinDir, tmpBinDir);
@@ -399,11 +408,20 @@ export class EmbeddingRuntimeManager {
 
       log.info({ runtimeVersion: RUNTIME_VERSION }, 'Embedding runtime installed successfully');
     } catch (err) {
+      // Restore preserved directories if the swap failed
+      if (tmpModelCache && existsSync(tmpModelCache) && !existsSync(modelCacheDir)) {
+        try { renameSync(tmpModelCache, modelCacheDir); } catch { /* best effort */ }
+      }
+      if (tmpBinDir && existsSync(tmpBinDir) && !existsSync(existingBinDir)) {
+        try { renameSync(tmpBinDir, existingBinDir); } catch { /* best effort */ }
+      }
       log.error({ err }, 'Failed to install embedding runtime');
       throw err;
     } finally {
-      // Clean up temp directory
+      // Clean up temp directory and any leftover preserve dirs
       rmSync(tmpDir, { recursive: true, force: true });
+      if (tmpModelCache) rmSync(tmpModelCache, { recursive: true, force: true });
+      if (tmpBinDir) rmSync(tmpBinDir, { recursive: true, force: true });
     }
   }
 

package/src/memory/guardian-action-store.ts

@@ -10,6 +10,7 @@
 import { and, desc, eq, inArray, lt } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
 import { getLogger } from '../util/logger.js';
 import { getDb, rawChanges } from './db.js';
 import {
@@ -160,7 +161,7 @@ export function createGuardianActionRequest(params: {
 
   const row = {
     id,
-    assistantId: params.assistantId ?? 'self',
+    assistantId: params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
     kind: params.kind,
     sourceChannel: params.sourceChannel,
     sourceConversationId: params.sourceConversationId,

package/src/memory/guardian-approvals.ts

@@ -9,6 +9,7 @@
 import { and, count, desc, eq, gt, lte } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
 import { getDb } from './db.js';
 import { channelGuardianApprovalRequests } from './schema.js';
 
@@ -100,7 +101,7 @@ export function createApprovalRequest(params: {
     runId: params.runId,
     requestId: params.requestId ?? null,
     conversationId: params.conversationId,
-    assistantId: params.assistantId ?? 'self',
+    assistantId: params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
     channel: params.channel,
     requesterExternalUserId: params.requesterExternalUserId,
     requesterChatId: params.requesterChatId,
@@ -402,7 +403,7 @@ export function listPendingApprovalRequests(params: {
   const db = getDb();
 
   const conditions = [
-    eq(channelGuardianApprovalRequests.assistantId, params.assistantId ?? 'self'),
+    eq(channelGuardianApprovalRequests.assistantId, params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID),
   ];
   if (params.channel) {
     conditions.push(eq(channelGuardianApprovalRequests.channel, params.channel));

package/src/memory/ingress-invite-store.ts

@@ -10,6 +10,7 @@ import { createHash, randomBytes, randomUUID } from 'node:crypto';
 
 import { and, desc, eq } from 'drizzle-orm';
 
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
 import { getDb } from './db.js';
 import { assistantIngressInvites, assistantIngressMembers } from './schema.js';
 
@@ -37,6 +38,9 @@ export interface IngressInvite {
   expectedExternalUserId: string | null;
   voiceCodeHash: string | null;
   voiceCodeDigits: number | null;
+  // Display metadata for personalized voice prompts (null for non-voice invites)
+  friendName: string | null;
+  guardianName: string | null;
   createdAt: number;
   updatedAt: number;
 }
@@ -97,6 +101,8 @@ function rowToInvite(row: typeof assistantIngressInvites.$inferSelect): IngressI
     expectedExternalUserId: row.expectedExternalUserId,
     voiceCodeHash: row.voiceCodeHash,
     voiceCodeDigits: row.voiceCodeDigits,
+    friendName: row.friendName,
+    guardianName: row.guardianName,
     createdAt: row.createdAt,
     updatedAt: row.updatedAt,
   };
@@ -138,6 +144,8 @@ export function createInvite(params: {
   expectedExternalUserId?: string;
   voiceCodeHash?: string;
   voiceCodeDigits?: number;
+  friendName?: string;
+  guardianName?: string;
 }): { invite: IngressInvite; rawToken: string } {
   const db = getDb();
   const now = Date.now();
@@ -147,7 +155,7 @@ export function createInvite(params: {
 
   const row = {
     id,
-    assistantId: params.assistantId ?? 'self',
+    assistantId: params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
     sourceChannel: params.sourceChannel,
     tokenHash: tokenH,
     createdBySessionId: params.createdBySessionId ?? null,
@@ -162,6 +170,8 @@ export function createInvite(params: {
     expectedExternalUserId: params.expectedExternalUserId ?? null,
     voiceCodeHash: params.voiceCodeHash ?? null,
     voiceCodeDigits: params.voiceCodeDigits ?? null,
+    friendName: params.friendName ?? null,
+    guardianName: params.guardianName ?? null,
     createdAt: now,
     updatedAt: now,
   };
@@ -183,7 +193,7 @@ export function listInvites(params: {
   offset?: number;
 }): IngressInvite[] {
   const db = getDb();
-  const assistantId = params.assistantId ?? 'self';
+  const assistantId = params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID;
 
   const conditions = [eq(assistantIngressInvites.assistantId, assistantId)];
 

package/src/memory/ingress-member-store.ts

@@ -8,6 +8,7 @@
 import { and, desc, eq, or } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
 import { getDb } from './db.js';
 import { assistantIngressMembers } from './schema.js';
 
@@ -78,7 +79,7 @@ export function upsertMember(params: {
   createdBySessionId?: string;
   assistantId?: string;
 }): IngressMember {
-  const assistantId = params.assistantId ?? 'self';
+  const assistantId = params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID;
 
   if (!params.externalUserId && !params.externalChatId) {
     throw new Error('At least one of externalUserId or externalChatId must be provided');
@@ -181,7 +182,7 @@ export function listMembers(params?: {
   offset?: number;
 }): IngressMember[] {
   const db = getDb();
-  const assistantId = params?.assistantId ?? 'self';
+  const assistantId = params?.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID;
 
   const conditions = [eq(assistantIngressMembers.assistantId, assistantId)];
   if (params?.sourceChannel) {
@@ -304,7 +305,7 @@ export function findMember(params: {
   }
 
   const db = getDb();
-  const assistantId = params.assistantId ?? 'self';
+  const assistantId = params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID;
 
   // Prefer lookup by externalUserId when available, fall back to externalChatId
   const matchConditions = [];

package/src/memory/migrations/124-voice-invite-display-metadata.ts

@@ -0,0 +1,14 @@
+import type { DrizzleDb } from '../db-connection.js';
+
+/**
+ * Add display metadata columns to assistant_ingress_invites for personalized
+ * voice invite prompts. Both columns are nullable to keep existing invite
+ * rows compatible.
+ *
+ * - friend_name: the name of the person being invited (used in welcome prompt)
+ * - guardian_name: the name of the guardian who created the invite (used in prompts)
+ */
+export function migrateVoiceInviteDisplayMetadata(database: DrizzleDb): void {
+  try { database.run(/*sql*/ `ALTER TABLE assistant_ingress_invites ADD COLUMN friend_name TEXT`); } catch { /* already exists */ }
+  try { database.run(/*sql*/ `ALTER TABLE assistant_ingress_invites ADD COLUMN guardian_name TEXT`); } catch { /* already exists */ }
+}

package/src/memory/migrations/index.ts

@@ -63,6 +63,7 @@ export { migrateFkCascadeRebuilds } from './120-fk-cascade-rebuilds.js';
 export { createCanonicalGuardianTables } from './121-canonical-guardian-requests.js';
 export { migrateCanonicalGuardianRequesterChatId } from './122-canonical-guardian-requester-chat-id.js';
 export { migrateCanonicalGuardianDeliveriesDestinationIndex } from './123-canonical-guardian-deliveries-destination-index.js';
+export { migrateVoiceInviteDisplayMetadata } from './124-voice-invite-display-metadata.js';
 export {
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,

package/src/memory/schema.ts

@@ -1,5 +1,7 @@
 import { blob, index,integer, real, sqliteTable, text, uniqueIndex } from 'drizzle-orm/sqlite-core';
 
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
+
 export const conversations = sqliteTable('conversations', {
   id: text('id').primaryKey(),
   title: text('title'),
@@ -683,7 +685,7 @@ export const channelGuardianApprovalRequests = sqliteTable('channel_guardian_app
   runId: text('run_id').notNull(),
   requestId: text('request_id'),
   conversationId: text('conversation_id').notNull(),
-  assistantId: text('assistant_id').notNull().default('self'),
+  assistantId: text('assistant_id').notNull().default(DAEMON_INTERNAL_ASSISTANT_ID),
   channel: text('channel').notNull(),
   requesterExternalUserId: text('requester_external_user_id').notNull(),
   requesterChatId: text('requester_chat_id').notNull(),
@@ -819,7 +821,7 @@ export const mediaEventFeedback = sqliteTable('media_event_feedback', {
 
 export const guardianActionRequests = sqliteTable('guardian_action_requests', {
   id: text('id').primaryKey(),
-  assistantId: text('assistant_id').notNull().default('self'),
+  assistantId: text('assistant_id').notNull().default(DAEMON_INTERNAL_ASSISTANT_ID),
   kind: text('kind').notNull(),                                  // 'ask_guardian'
   sourceChannel: text('source_channel').notNull(),               // 'voice'
   sourceConversationId: text('source_conversation_id').notNull(),
@@ -930,7 +932,7 @@ export const canonicalGuardianDeliveries = sqliteTable('canonical_guardian_deliv
 
 export const assistantIngressInvites = sqliteTable('assistant_ingress_invites', {
   id: text('id').primaryKey(),
-  assistantId: text('assistant_id').notNull().default('self'),
+  assistantId: text('assistant_id').notNull().default(DAEMON_INTERNAL_ASSISTANT_ID),
   sourceChannel: text('source_channel').notNull(),
   tokenHash: text('token_hash').notNull(),
   createdBySessionId: text('created_by_session_id'),
@@ -946,13 +948,16 @@ export const assistantIngressInvites = sqliteTable('assistant_ingress_invites',
   expectedExternalUserId: text('expected_external_user_id'),
   voiceCodeHash: text('voice_code_hash'),
   voiceCodeDigits: integer('voice_code_digits'),
+  // Display metadata for personalized voice prompts (nullable — non-voice invites leave these NULL)
+  friendName: text('friend_name'),
+  guardianName: text('guardian_name'),
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
 });
 
 export const assistantIngressMembers = sqliteTable('assistant_ingress_members', {
   id: text('id').primaryKey(),
-  assistantId: text('assistant_id').notNull().default('self'),
+  assistantId: text('assistant_id').notNull().default(DAEMON_INTERNAL_ASSISTANT_ID),
   sourceChannel: text('source_channel').notNull(),
   externalUserId: text('external_user_id'),
   externalChatId: text('external_chat_id'),
@@ -974,7 +979,7 @@ export const assistantInboxThreadState = sqliteTable('assistant_inbox_thread_sta
   conversationId: text('conversation_id')
     .primaryKey()
     .references(() => conversations.id, { onDelete: 'cascade' }),
-  assistantId: text('assistant_id').notNull().default('self'),
+  assistantId: text('assistant_id').notNull().default(DAEMON_INTERNAL_ASSISTANT_ID),
   sourceChannel: text('source_channel').notNull(),
   externalChatId: text('external_chat_id').notNull(),
   externalUserId: text('external_user_id'),

package/src/notifications/copy-composer.ts

@@ -57,7 +57,17 @@ const TEMPLATES: Record<string, CopyTemplate> = {
   'ingress.access_request': (payload) => {
     const requester = str(payload.senderIdentifier, 'Someone');
     const requestCode = nonEmpty(typeof payload.requestCode === 'string' ? payload.requestCode : undefined);
-    const lines: string[] = [`${requester} is requesting access to the assistant.`];
+    const sourceChannel = typeof payload.sourceChannel === 'string' ? payload.sourceChannel : undefined;
+    const callerName = nonEmpty(typeof payload.senderName === 'string' ? payload.senderName : undefined);
+    const lines: string[] = [];
+
+    // Voice-originated access requests include caller name context
+    if (sourceChannel === 'voice' && callerName) {
+      lines.push(`${callerName} (${str(payload.senderExternalUserId, requester)}) is calling and requesting access to the assistant.`);
+    } else {
+      lines.push(`${requester} is requesting access to the assistant.`);
+    }
+
     if (requestCode) {
       const code = requestCode.toUpperCase();
       lines.push(`Reply "${code} approve" to grant access or "${code} reject" to deny.`);

package/src/notifications/emit-signal.ts

@@ -13,6 +13,7 @@ import { v4 as uuid } from 'uuid';
 
 import { getDeliverableChannels } from '../channels/config.js';
 import { getActiveBinding } from '../memory/channel-guardian-store.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
 import { getLogger } from '../util/logger.js';
 import { type BroadcastFn, VellumAdapter } from './adapters/macos.js';
 import { SmsAdapter } from './adapters/sms.js';
@@ -170,7 +171,7 @@ export interface EmitSignalResult {
  */
 export async function emitNotificationSignal(params: EmitSignalParams): Promise<EmitSignalResult> {
   const signalId = uuid();
-  const assistantId = params.assistantId ?? 'self';
+  const assistantId = params.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID;
 
   const signal: NotificationSignal = {
     signalId,

package/src/runtime/access-request-helper.ts

@@ -105,14 +105,22 @@ export function notifyGuardianOfAccessRequest(
     }
   }
 
+  // The conversationId is assistant-scoped so the dedupe query below only
+  // matches requests for the same assistant. Without this, a pending request
+  // from assistant A could be returned for assistant B, allowing the caller
+  // to piggyback on A's guardian approval.
+  const conversationId = `access-req-${canonicalAssistantId}-${sourceChannel}-${senderExternalUserId}`;
+
   // Deduplicate: skip creation if there is already a pending canonical request
-  // for the same requester on this channel. Still return notified: true with
-  // the existing request ID so callers know the guardian was already notified.
+  // for the same requester on this channel *and* assistant. Still return
+  // notified: true with the existing request ID so callers know the guardian
+  // was already notified.
   const existingCanonical = listCanonicalGuardianRequests({
     status: 'pending',
     requesterExternalUserId: senderExternalUserId,
     sourceChannel,
     kind: 'access_request',
+    conversationId,
   });
   if (existingCanonical.length > 0) {
     log.debug(
@@ -130,7 +138,7 @@ export function notifyGuardianOfAccessRequest(
     kind: 'access_request',
     sourceType: 'channel',
     sourceChannel,
-    conversationId: `access-req-${sourceChannel}-${senderExternalUserId}`,
+    conversationId,
     requesterExternalUserId: senderExternalUserId,
     requesterChatId: externalChatId,
     guardianExternalUserId: guardianExternalUserId ?? undefined,

package/src/runtime/actor-trust-resolver.ts

@@ -17,7 +17,7 @@ import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.
 import type { IngressMember } from '../memory/ingress-member-store.js';
 import { findMember } from '../memory/ingress-member-store.js';
 import { canonicalizeInboundIdentity } from '../util/canonicalize-identity.js';
-import { normalizeAssistantId } from '../util/platform.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from './assistant-scope.js';
 import { getGuardianBinding } from './channel-guardian-service.js';
 
 // ---------------------------------------------------------------------------
@@ -76,7 +76,7 @@ export interface ResolveActorTrustInput {
  * 5. Classify: guardian > trusted_contact (active member) > unknown.
  */
 export function resolveActorTrust(input: ResolveActorTrustInput): ActorTrustContext {
-  const assistantId = normalizeAssistantId(input.assistantId);
+  const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
 
   const rawUserId = typeof input.senderExternalUserId === 'string' && input.senderExternalUserId.trim().length > 0
     ? input.senderExternalUserId.trim()

package/src/runtime/assistant-scope.ts

@@ -0,0 +1,10 @@
+/**
+ * Canonical internal scope ID for all daemon-side assistant-scoped storage.
+ *
+ * The daemon uses a single fixed identity (`'self'`) for its own assistant
+ * scope. Public/external assistant IDs are an edge concern owned by the
+ * gateway and platform layers (hatch, invite links, etc.). Daemon code
+ * should never derive scoping decisions from externally-provided assistant
+ * IDs — use this constant instead.
+ */
+export const DAEMON_INTERNAL_ASSISTANT_ID = 'self' as const;

package/src/runtime/guardian-context-resolver.ts

@@ -7,6 +7,7 @@
  */
 import type { ChannelId } from '../channels/types.js';
 import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
+import { canonicalizeInboundIdentity } from '../util/canonicalize-identity.js';
 import {
   type DenialReason,
   resolveActorTrust,
@@ -41,11 +42,14 @@ export type ResolveGuardianContextInput = ResolveActorTrustInput;
  */
 export function resolveGuardianContext(input: ResolveGuardianContextInput): GuardianContext {
   const trust = resolveActorTrust(input);
+  const canonicalGuardianExternalUserId = trust.guardianBindingMatch?.guardianExternalUserId
+    ? canonicalizeInboundIdentity(input.sourceChannel, trust.guardianBindingMatch.guardianExternalUserId) ?? undefined
+    : undefined;
   return {
     trustClass: trust.trustClass,
     guardianChatId: trust.guardianBindingMatch?.guardianDeliveryChatId ??
       (trust.trustClass === 'guardian' ? input.externalChatId : undefined),
-    guardianExternalUserId: trust.guardianBindingMatch?.guardianExternalUserId,
+    guardianExternalUserId: canonicalGuardianExternalUserId,
     requesterIdentifier: trust.actorMetadata.identifier,
     requesterDisplayName: trust.actorMetadata.displayName,
     requesterSenderDisplayName: trust.actorMetadata.senderDisplayName,

package/src/runtime/guardian-outbound-actions.ts

@@ -16,7 +16,8 @@ import { sendMessage as sendSms } from '../messaging/providers/sms/client.js';
 import { getCredentialMetadata } from '../tools/credentials/metadata-store.js';
 import { getLogger } from '../util/logger.js';
 import { normalizePhoneNumber } from '../util/phone.js';
-import { normalizeAssistantId, readHttpToken } from '../util/platform.js';
+import { readHttpToken } from '../util/platform.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from './assistant-scope.js';
 import {
   countRecentSendsToDestination,
   createOutboundSession,
@@ -243,7 +244,7 @@ function initiateGuardianVoiceCall(
 // ---------------------------------------------------------------------------
 
 export function startOutbound(params: StartOutboundParams): OutboundActionResult {
-  const assistantId = normalizeAssistantId(params.assistantId ?? 'self');
+  const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
   const channel = params.channel;
   const originConversationId = params.originConversationId;
 
@@ -541,7 +542,7 @@ function startOutboundVoice(
 // ---------------------------------------------------------------------------
 
 export function resendOutbound(params: ResendOutboundParams): OutboundActionResult {
-  const assistantId = normalizeAssistantId(params.assistantId ?? 'self');
+  const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
   const channel = params.channel;
   const originConversationId = params.originConversationId;
 
@@ -707,7 +708,7 @@ export function resendOutbound(params: ResendOutboundParams): OutboundActionResu
 // ---------------------------------------------------------------------------
 
 export function cancelOutbound(params: CancelOutboundParams): OutboundActionResult {
-  const assistantId = normalizeAssistantId(params.assistantId ?? 'self');
+  const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
   const channel = params.channel;
 
   const session = findActiveSession(assistantId, channel);

package/src/runtime/guardian-reply-router.ts

@@ -237,6 +237,7 @@ export async function routeGuardianReply(
 ): Promise<GuardianReplyResult> {
   const { messageText, actor, conversationId, callbackData, approvalConversationGenerator, channelDeliveryContext } = ctx;
   const pendingRequests = findPendingCanonicalRequests(actor, ctx.pendingRequestIds, conversationId);
+  const scopedPendingRequestIds = ctx.pendingRequestIds ? new Set(ctx.pendingRequestIds) : null;
 
   // ── 1. Deterministic callback parsing (button presses) ──
   // No conversationId scoping here — the guardian's reply comes from a
@@ -257,6 +258,17 @@ export async function routeGuardianReply(
     const codeResult = parseRequestCode(messageText);
     if (codeResult) {
       const { request } = codeResult;
+      if (scopedPendingRequestIds && !scopedPendingRequestIds.has(request.id)) {
+        log.info(
+          {
+            event: 'router_code_out_of_scope',
+            requestId: request.id,
+            pendingHintCount: scopedPendingRequestIds.size,
+          },
+          'Request code matched a pending request outside the caller-provided scope; ignoring',
+        );
+        return notConsumed();
+      }
 
       if (request.status !== 'pending') {
         log.info(