@vellumai/assistant 0.4.13 → 0.4.15

package/src/runtime/routes/approval-routes.ts

@@ -4,63 +4,43 @@
  * These endpoints resolve pending confirmations, secrets, and trust rules
  * by requestId — orthogonal to message sending.
  *
- * All approval endpoints require a valid actor token via the X-Actor-Token
- * header (with local CLI fallback). Guardian decisions additionally verify
- * that the actor is the bound guardian.
+ * All approval endpoints require a valid JWT via the Authorization: Bearer
+ * header. Guardian decisions additionally verify that the actor is the
+ * bound guardian.
  */
+import { isHttpAuthDisabled } from '../../config/env.js';
 import { getConversationByKey } from '../../memory/conversation-key-store.js';
+import { getActiveBinding } from '../../memory/guardian-bindings.js';
 import { addRule } from '../../permissions/trust-store.js';
+import type { UserDecision } from '../../permissions/types.js';
 import { getTool } from '../../tools/registry.js';
 import { getLogger } from '../../util/logger.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
+import type { AuthContext } from '../auth/types.js';
 import { httpError } from '../http-errors.js';
-import {
-  isActorBoundGuardian,
-  isLocalFallbackBoundGuardian,
-  type ServerWithRequestIP,
-  verifyHttpActorTokenWithLocalFallback,
-} from '../middleware/actor-token.js';
 import * as pendingInteractions from '../pending-interactions.js';
 
 const log = getLogger('approval-routes');
 
 /**
- * Verify the actor token from the request with local fallback.
- * Returns an error Response if verification fails, or null if
- * the actor is authenticated (via actor token or local identity).
+ * Verify the actor from AuthContext is the bound guardian for the vellum channel.
+ * Returns an error Response if not, or null if allowed.
  */
-function requireActorToken(req: Request, server: ServerWithRequestIP): Response | null {
-  const result = verifyHttpActorTokenWithLocalFallback(req, server);
-  if (!result.ok) {
-    return httpError(
-      result.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
-      result.message,
-      result.status,
-    );
+function requireBoundGuardian(authContext: AuthContext): Response | null {
+  // Dev bypass: when auth is disabled, skip guardian binding check
+  // (mirrors enforcePolicy dev bypass in route-policy.ts)
+  if (isHttpAuthDisabled()) {
+    return null;
   }
-  return null;
-}
-
-/**
- * Verify the actor token and confirm the actor is the bound guardian.
- * When no actor token is present (bearer-authenticated local client),
- * falls back to local IPC identity resolution and checks the local
- * identity is the bound guardian.
- */
-function requireBoundGuardian(req: Request, server: ServerWithRequestIP): Response | null {
-  const result = verifyHttpActorTokenWithLocalFallback(req, server);
-  if (!result.ok) {
-    return httpError(
-      result.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
-      result.message,
-      result.status,
-    );
+  if (!authContext.actorPrincipalId) {
+    return httpError('FORBIDDEN', 'Actor is not the bound guardian for this channel', 403);
+  }
+  const binding = getActiveBinding(DAEMON_INTERNAL_ASSISTANT_ID, 'vellum');
+  if (!binding) {
+    // No binding yet — in pre-bootstrap state, allow through
+    return null;
   }
-  // For actor-token-authenticated requests, check the token's identity.
-  // For local fallback (bearer-auth only), check the local identity.
-  const isBoundGuardian = result.claims
-    ? isActorBoundGuardian(result.claims)
-    : isLocalFallbackBoundGuardian();
-  if (!isBoundGuardian) {
+  if (binding.guardianExternalUserId !== authContext.actorPrincipalId) {
     return httpError('FORBIDDEN', 'Actor is not the bound guardian for this channel', 403);
   }
   return null;
@@ -68,10 +48,10 @@ function requireBoundGuardian(req: Request, server: ServerWithRequestIP): Respon
 
 /**
  * POST /v1/confirm — resolve a pending confirmation by requestId.
- * Requires a valid actor token (guardian-bound).
+ * Requires AuthContext with guardian-bound actor.
  */
-export async function handleConfirm(req: Request, server: ServerWithRequestIP): Promise<Response> {
-  const authError = requireBoundGuardian(req, server);
+export async function handleConfirm(req: Request, authContext: AuthContext): Promise<Response> {
+  const authError = requireBoundGuardian(authContext);
   if (authError) return authError;
 
   const body = await req.json() as {
@@ -85,8 +65,9 @@ export async function handleConfirm(req: Request, server: ServerWithRequestIP):
     return httpError('BAD_REQUEST', 'requestId is required', 400);
   }
 
-  if (decision !== 'allow' && decision !== 'deny') {
-    return httpError('BAD_REQUEST', 'decision must be "allow" or "deny"', 400);
+  const validConfirmDecisions = ['allow', 'allow_10m', 'allow_thread', 'deny'];
+  if (typeof decision !== 'string' || !validConfirmDecisions.includes(decision)) {
+    return httpError('BAD_REQUEST', `decision must be one of: ${validConfirmDecisions.join(', ')}`, 400);
   }
 
   const interaction = pendingInteractions.resolve(requestId);
@@ -94,7 +75,7 @@ export async function handleConfirm(req: Request, server: ServerWithRequestIP):
     return httpError('NOT_FOUND', 'No pending interaction found for this requestId', 404);
   }
 
-  interaction.session.handleConfirmationResponse(requestId, decision, undefined, undefined, undefined, {
+  interaction.session.handleConfirmationResponse(requestId, decision as UserDecision, undefined, undefined, undefined, {
     source: 'button',
   });
   return Response.json({ accepted: true });
@@ -102,10 +83,10 @@ export async function handleConfirm(req: Request, server: ServerWithRequestIP):
 
 /**
  * POST /v1/secret — resolve a pending secret request by requestId.
- * Requires a valid actor token (guardian-bound).
+ * Requires AuthContext with guardian-bound actor.
  */
-export async function handleSecret(req: Request, server: ServerWithRequestIP): Promise<Response> {
-  const authError = requireBoundGuardian(req, server);
+export async function handleSecret(req: Request, authContext: AuthContext): Promise<Response> {
+  const authError = requireBoundGuardian(authContext);
   if (authError) return authError;
 
   const body = await req.json() as {
@@ -139,15 +120,15 @@ export async function handleSecret(req: Request, server: ServerWithRequestIP): P
 
 /**
  * POST /v1/trust-rules — add a trust rule for a pending confirmation.
- * Requires a valid actor token (guardian-bound).
+ * Requires AuthContext with guardian-bound actor.
  *
  * Does NOT resolve the confirmation itself (the client still needs to
  * POST /v1/confirm to approve/deny). Validates the pattern and scope
  * against the server-provided allowlist options from the original
  * confirmation_request.
  */
-export async function handleTrustRule(req: Request, server: ServerWithRequestIP): Promise<Response> {
-  const authError = requireBoundGuardian(req, server);
+export async function handleTrustRule(req: Request, authContext: AuthContext): Promise<Response> {
+  const authError = requireBoundGuardian(authContext);
   if (authError) return authError;
 
   const body = await req.json() as {
@@ -227,15 +208,16 @@ export async function handleTrustRule(req: Request, server: ServerWithRequestIP)
 
 /**
  * GET /v1/pending-interactions?conversationKey=...
- * Requires a valid actor token.
+ * Requires AuthContext (already verified upstream by JWT middleware).
  *
  * Returns pending confirmations and secrets for a conversation, allowing
  * polling-based clients (like the CLI) to discover approval requests
  * without SSE.
  */
-export function handleListPendingInteractions(url: URL, req: Request, server: ServerWithRequestIP): Response {
-  const authError = requireActorToken(req, server);
-  if (authError) return authError;
+export function handleListPendingInteractions(url: URL, _authContext: AuthContext): Response {
+  // Auth is already verified by JWT middleware upstream — no additional
+  // verification needed here. The _authContext parameter is accepted for
+  // type consistency and potential future use.
   const conversationKey = url.searchParams.get('conversationKey');
   const conversationId = url.searchParams.get('conversationId');
 
@@ -273,6 +255,7 @@ export function handleListPendingInteractions(url: URL, req: Request, server: Se
           })),
           scopeOptions: confirmation.confirmationDetails?.scopeOptions,
           persistentDecisionsAllowed: confirmation.confirmationDetails?.persistentDecisionsAllowed,
+          temporaryOptionsAvailable: confirmation.confirmationDetails?.temporaryOptionsAvailable,
         }
       : null,
     pendingSecret: secret

package/src/runtime/routes/channel-route-shared.ts

@@ -1,8 +1,6 @@
 /**
  * Shared types, constants, and utilities used across channel route modules.
  */
-import { timingSafeEqual } from 'node:crypto';
-
 import type { ChannelId } from '../../channels/types.js';
 import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
 import type {
@@ -18,44 +16,6 @@ export function canonicalChannelAssistantId(_assistantId: string): string {
   return DAEMON_INTERNAL_ASSISTANT_ID;
 }
 
-// ---------------------------------------------------------------------------
-// Gateway-origin proof
-// ---------------------------------------------------------------------------
-
-/**
- * Header name used by the gateway to prove a request originated from it.
- * The gateway sends a dedicated gateway-origin secret (or the bearer token
- * as fallback). The runtime validates it using constant-time comparison.
- * Requests to `/channels/inbound` that lack a valid proof are rejected with 403.
- */
-export const GATEWAY_ORIGIN_HEADER = 'X-Gateway-Origin';
-
-/**
- * Validate that the request carries a valid gateway-origin proof.
- * Uses constant-time comparison to prevent timing attacks.
- *
- * The `gatewayOriginSecret` parameter is the dedicated secret configured
- * via `RUNTIME_GATEWAY_ORIGIN_SECRET`. When set, only this value is
- * accepted. When not set, the function falls back to `bearerToken` for
- * backward compatibility. When neither is configured (local dev), validation
- * is skipped entirely.
- */
-export function verifyGatewayOrigin(
-  req: Request,
-  bearerToken?: string,
-  gatewayOriginSecret?: string,
-): boolean {
-  // Determine the expected secret: prefer dedicated secret, fall back to bearer token
-  const expectedSecret = gatewayOriginSecret ?? bearerToken;
-  if (!expectedSecret) return true; // No shared secret configured — skip validation
-  const provided = req.headers.get(GATEWAY_ORIGIN_HEADER);
-  if (!provided) return false;
-  const a = Buffer.from(provided);
-  const b = Buffer.from(expectedSecret);
-  if (a.length !== b.length) return false;
-  return timingSafeEqual(a, b);
-}
-
 // ---------------------------------------------------------------------------
 // Actor role
 // ---------------------------------------------------------------------------
@@ -69,7 +29,13 @@ export const GUARDIAN_APPROVAL_TTL_MS = 30 * 60 * 1000;
  */
 export function requiredDecisionKeywords(actions: ApprovalUIMetadata['actions']): string[] {
   const hasAlways = actions.some((action) => action.id === 'approve_always');
-  return hasAlways ? ['yes', 'always', 'no'] : ['yes', 'no'];
+  const has10m = actions.some((action) => action.id === 'approve_10m');
+  const hasThread = actions.some((action) => action.id === 'approve_thread');
+  const keywords = ['yes', 'no'];
+  if (has10m) keywords.push('approve for 10 minutes');
+  if (hasThread) keywords.push('approve for thread');
+  if (hasAlways) keywords.push('always');
+  return keywords;
 }
 
 // ---------------------------------------------------------------------------
@@ -78,6 +44,8 @@ export function requiredDecisionKeywords(actions: ApprovalUIMetadata['actions'])
 
 const VALID_ACTIONS: ReadonlySet<string> = new Set<string>([
   'approve_once',
+  'approve_10m',
+  'approve_thread',
   'approve_always',
   'reject',
 ]);

package/src/runtime/routes/channel-routes.ts

@@ -25,7 +25,5 @@ export {
   _setTestPollMaxWait,
   type ActorTrustClass,
   type DenialReason,
-  GATEWAY_ORIGIN_HEADER,
   type GuardianContext,
-  verifyGatewayOrigin,
 } from './channel-route-shared.js';

package/src/runtime/routes/conversation-routes.ts

@@ -25,7 +25,12 @@ import type { Provider } from '../../providers/types.js';
 import { getLogger } from '../../util/logger.js';
 import { buildAssistantEvent } from '../assistant-event.js';
 import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
+import type { AuthContext } from '../auth/types.js';
 import { bridgeConfirmationRequestToGuardian } from '../confirmation-request-guardian-bridge.js';
+import {
+  resolveGuardianContext,
+  toGuardianRuntimeContext,
+} from '../guardian-context-resolver.js';
 import { routeGuardianReply } from '../guardian-reply-router.js';
 import { httpError } from '../http-errors.js';
 import type {
@@ -36,8 +41,6 @@ import type {
   RuntimeMessagePayload,
   SendMessageDeps,
 } from '../http-types.js';
-import { resolveLocalIpcGuardianContext } from '../local-actor-identity.js';
-import { type ServerWithRequestIP, verifyHttpActorTokenWithLocalFallback } from '../middleware/actor-token.js';
 import * as pendingInteractions from '../pending-interactions.js';
 
 const log = getLogger('conversation-routes');
@@ -338,6 +341,7 @@ function makeHubPublisher(
           allowlistOptions: msg.allowlistOptions,
           scopeOptions: msg.scopeOptions,
           persistentDecisionsAllowed: msg.persistentDecisionsAllowed,
+          temporaryOptionsAvailable: msg.temporaryOptionsAvailable,
         },
       });
 
@@ -413,7 +417,7 @@ export async function handleSendMessage(
     sendMessageDeps?: SendMessageDeps;
     approvalConversationGenerator?: ApprovalConversationGenerator;
   },
-  server: ServerWithRequestIP,
+  authContext: AuthContext,
 ): Promise<Response> {
   const body = await req.json() as {
     conversationKey?: string;
@@ -471,35 +475,27 @@ export async function handleSendMessage(
 
   // ── Queue-if-busy path (preferred when sendMessageDeps is wired) ────
   if (deps.sendMessageDeps) {
-    // Vellum HTTP requests prefer actor-token identity. When absent (e.g. CLI
-    // bearer-auth only), fall back to local IPC identity resolution so
-    // bearer-authenticated local clients are not rejected.
-    const actorVerification = sourceChannel === 'vellum' ? verifyHttpActorTokenWithLocalFallback(req, server) : null;
-    if (actorVerification && !actorVerification.ok) {
-      return httpError(
-        actorVerification.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
-        actorVerification.message,
-        actorVerification.status,
-      );
-    }
-
     const smDeps = deps.sendMessageDeps;
     const session = await smDeps.getOrCreateSession(mapping.conversationId);
-    // Resolve actor identity from the verified actor token. The token's
-    // guardianPrincipalId is matched against the vellum guardian binding
-    // through the standard trust pipeline.
-    if (actorVerification?.ok) {
-      session.setGuardianContext(actorVerification.guardianContext);
+
+    // Resolve guardian context from the AuthContext's actorPrincipalId.
+    // The JWT-verified principal is used as the sender identity through
+    // the same trust resolution pipeline that channel ingress uses.
+    if (authContext.actorPrincipalId) {
+      const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
+      const guardianCtx = resolveGuardianContext({
+        assistantId,
+        sourceChannel: 'vellum',
+        conversationExternalId: 'local',
+        actorExternalId: authContext.actorPrincipalId,
+      });
+      session.setGuardianContext(toGuardianRuntimeContext(sourceChannel, guardianCtx));
     } else {
-      // Non-vellum channels through the HTTP API are still local
-      // authenticated requests. Resolve guardian context via the local
-      // identity pathway (vellum binding lookup) to preserve guardian
-      // trust. Falls back to a minimal guardian context if no binding
-      // exists (pre-bootstrap).
-      session.setGuardianContext(
-        resolveLocalIpcGuardianContext(sourceChannel) ?? { trustClass: 'guardian', sourceChannel },
-      );
+      // Service principals (svc_gateway) or tokens without an actor ID
+      // get a minimal guardian context so downstream code has something.
+      session.setGuardianContext({ trustClass: 'guardian', sourceChannel });
     }
+
     const onEvent = makeHubPublisher(smDeps, mapping.conversationId, session);
     // Route server-authoritative state signals (confirmation_state_changed,
     // assistant_activity_state) to the SSE hub. Without this, these signals
@@ -512,14 +508,9 @@ export async function handleSendMessage(
       : [];
 
     // Resolve the verified actor's external user ID and principal for inline
-    // approval routing. Uses the guardianExternalUserId and guardianPrincipalId
-    // from the verified context (actor-token or local-fallback).
-    const verifiedActorExternalUserId = actorVerification?.ok
-      ? actorVerification.guardianContext.guardianExternalUserId
-      : session.guardianContext?.guardianExternalUserId;
-    const verifiedActorPrincipalId = actorVerification?.ok
-      ? actorVerification.guardianContext.guardianPrincipalId ?? undefined
-      : session.guardianContext?.guardianPrincipalId ?? undefined;
+    // approval routing from the session's guardian context.
+    const verifiedActorExternalUserId = session.guardianContext?.guardianExternalUserId;
+    const verifiedActorPrincipalId = session.guardianContext?.guardianPrincipalId ?? undefined;
 
     // Try to consume the message as a canonical guardian approval/rejection reply.
     // On failure, degrade to the existing queue/auto-deny path rather than
@@ -617,21 +608,20 @@ export async function handleSendMessage(
     return httpError('SERVICE_UNAVAILABLE', 'Message processing not configured', 503);
   }
 
-  // Require actor token for vellum channel requests on the legacy path too,
-  // with local IPC fallback for bearer-authenticated CLI clients.
-  const legacyActorVerification = sourceChannel === 'vellum' ? verifyHttpActorTokenWithLocalFallback(req, server) : null;
-  if (legacyActorVerification && !legacyActorVerification.ok) {
-    return httpError(
-      legacyActorVerification.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
-      legacyActorVerification.message,
-      legacyActorVerification.status,
-    );
+  // Resolve guardian context from AuthContext for the legacy path too.
+  let guardianContext: import('../../daemon/session-runtime-assembly.js').GuardianRuntimeContext;
+  if (authContext.actorPrincipalId) {
+    const legacyGuardianCtx = resolveGuardianContext({
+      assistantId: DAEMON_INTERNAL_ASSISTANT_ID,
+      sourceChannel: 'vellum',
+      conversationExternalId: 'local',
+      actorExternalId: authContext.actorPrincipalId,
+    });
+    guardianContext = toGuardianRuntimeContext(sourceChannel, legacyGuardianCtx);
+  } else {
+    guardianContext = { trustClass: 'guardian' as const, sourceChannel };
   }
 
-  const guardianContext = legacyActorVerification?.ok
-    ? legacyActorVerification.guardianContext
-    : resolveLocalIpcGuardianContext(sourceChannel) ?? { trustClass: 'guardian' as const, sourceChannel };
-
   try {
     const result = await processor(
       mapping.conversationId,

package/src/runtime/routes/events-routes.ts

@@ -3,9 +3,10 @@
  *
  * GET /v1/events?conversationKey=...
  *
- * Bearer auth is enforced by RuntimeHttpServer before this handler is called.
- * Actor-token identity verification (with local CLI fallback) is performed
- * within this handler to bind the SSE stream to a verified actor identity.
+ * JWT bearer auth is enforced by RuntimeHttpServer before this handler
+ * is called. The AuthContext is threaded through from the HTTP server
+ * layer, so no additional actor-token verification is needed here.
+ *
  * Subscribers receive all assistant events scoped to the given conversation.
  */
 
@@ -14,8 +15,8 @@ import { formatSseFrame, formatSseHeartbeat } from '../assistant-event.js';
 import type { AssistantEventSubscription } from '../assistant-event-hub.js';
 import { AssistantEventHub,assistantEventHub } from '../assistant-event-hub.js';
 import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
+import type { AuthContext } from '../auth/types.js';
 import { httpError } from '../http-errors.js';
-import { type ServerWithRequestIP, verifyHttpActorTokenWithLocalFallback } from '../middleware/actor-token.js';
 
 /** Keep-alive comment sent to idle clients every 30 s by default. */
 const DEFAULT_HEARTBEAT_INTERVAL_MS = 30_000;
@@ -24,31 +25,23 @@ const DEFAULT_HEARTBEAT_INTERVAL_MS = 30_000;
  * Stream assistant events as Server-Sent Events for a specific conversation.
  *
  * Query params:
- *   conversationKey — required; scopes the stream to one conversation.
+ *   conversationKey -- required; scopes the stream to one conversation.
  *
  * Options (for testing):
- *   hub               — override the event hub (defaults to process singleton).
- *   heartbeatIntervalMs — how often to emit keep-alive comments (default 30 s).
+ *   hub               -- override the event hub (defaults to process singleton).
+ *   heartbeatIntervalMs -- how often to emit keep-alive comments (default 30 s).
  */
 export function handleSubscribeAssistantEvents(
   req: Request,
   url: URL,
   options?:
-    | { hub?: AssistantEventHub; heartbeatIntervalMs?: number; skipActorVerification?: false; server: ServerWithRequestIP }
+    | { hub?: AssistantEventHub; heartbeatIntervalMs?: number; authContext: AuthContext }
     | { hub?: AssistantEventHub; heartbeatIntervalMs?: number; skipActorVerification: true },
 ): Response {
-  // Verify actor-token identity for vellum channel requests, with local
-  // CLI fallback for bearer-authenticated clients without X-Actor-Token.
-  if (options && !options.skipActorVerification) {
-    const actorVerification = verifyHttpActorTokenWithLocalFallback(req, options.server);
-    if (!actorVerification.ok) {
-      return httpError(
-        actorVerification.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
-        actorVerification.message,
-        actorVerification.status,
-      );
-    }
-  }
+  // Auth is already verified upstream by JWT middleware. The AuthContext
+  // is available via options.authContext but we don't need to check it
+  // further here -- the route policy in http-server.ts already enforced
+  // scope and principal type requirements.
 
   const conversationKey = url.searchParams.get('conversationKey');
   if (!conversationKey) {
@@ -61,7 +54,7 @@ export function handleSubscribeAssistantEvents(
   const mapping = getOrCreateConversation(conversationKey);
   const encoder = new TextEncoder();
 
-  // ── Eager subscribe ──────────────────────────────────────────────────────
+  // -- Eager subscribe --------------------------------------------------------
   // Subscribe before creating the ReadableStream so the callback and onEvict
   // closures are in place before events can arrive.  `controllerRef` is set
   // synchronously inside ReadableStream's start(), so it is non-null by the
@@ -116,7 +109,7 @@ export function handleSubscribeAssistantEvents(
       controllerRef = controller;
 
       // If the client already disconnected before start() ran, clean up
-      // immediately — the abort event fires once and won't be re-dispatched.
+      // immediately -- the abort event fires once and won't be re-dispatched.
       if (req.signal.aborted) {
         sub.dispose();
         cleanup();