@vellumai/assistant 0.4.13 → 0.4.15

package/src/config/bundled-skills/sms-setup/SKILL.md

@@ -156,7 +156,7 @@ Now link the user's phone number as the trusted SMS guardian. Tell the user: "No
 
 Load the **guardian-verify-setup** skill to handle the verification flow:
 
-- Call `skill_load` with `skill_id: "guardian-verify-setup"` to load the dependency skill.
+- Call `skill_load` with `skill: "guardian-verify-setup"` to load the dependency skill.
 
 When invoking the skill, indicate the channel is `sms`. The guardian-verify-setup skill manages the full outbound verification flow, including:
 

package/src/config/bundled-skills/telegram-setup/SKILL.md

@@ -69,7 +69,7 @@ Now link the user's Telegram account as the trusted guardian for this bot. Tell
 
 Load the **guardian-verify-setup** skill to handle the verification flow:
 
-- Call `skill_load` with `skill_id: "guardian-verify-setup"` to load the dependency skill.
+- Call `skill_load` with `skill: "guardian-verify-setup"` to load the dependency skill.
 
 The guardian-verify-setup skill manages the full outbound verification flow for Telegram, including:
 

package/src/config/bundled-skills/twilio-setup/SKILL.md

@@ -229,7 +229,7 @@ Now link the user's phone number as the trusted guardian for SMS and/or voice ch
 
 Load the **guardian-verify-setup** skill to handle the verification flow:
 
-- Call `skill_load` with `skill_id: "guardian-verify-setup"` to load the dependency skill.
+- Call `skill_load` with `skill: "guardian-verify-setup"` to load the dependency skill.
 
 The guardian-verify-setup skill manages the full outbound verification flow for **one channel at a time** (sms, voice, or telegram). Each invocation handles:
 

package/src/daemon/approval-generators.ts

@@ -37,11 +37,12 @@ const APPROVAL_CONVERSATION_TOOL_SCHEMA = {
     properties: {
       disposition: {
         type: 'string',
-        enum: ['keep_pending', 'approve_once', 'approve_always', 'reject'],
+        enum: ['keep_pending', 'approve_once', 'approve_10m', 'approve_thread', 'approve_always', 'reject'],
         description:
           'The decision: keep_pending if the user is asking questions or unclear, '
-          + 'approve_once to approve this single request, approve_always to approve '
-          + 'this tool permanently, reject to deny the request.',
+          + 'approve_once to approve this single request, approve_10m to approve all '
+          + 'requests for 10 minutes, approve_thread to approve all requests in this '
+          + 'thread, approve_always to approve this tool permanently, reject to deny the request.',
       },
       replyText: {
         type: 'string',
@@ -61,6 +62,8 @@ const APPROVAL_CONVERSATION_TOOL_SCHEMA = {
 const VALID_DISPOSITIONS: ReadonlySet<string> = new Set([
   'keep_pending',
   'approve_once',
+  'approve_10m',
+  'approve_thread',
   'approve_always',
   'reject',
 ]);

package/src/daemon/handlers/config-ingress.ts

@@ -17,8 +17,8 @@ import {
   getTwilioVoiceWebhookUrl,
   type IngressConfig,
 } from '../../inbound/public-ingress-urls.js';
+import { mintDaemonDeliveryToken } from '../../runtime/auth/token-service.js';
 import { getSecureKey } from '../../security/secure-keys.js';
-import { readHttpToken } from '../../util/platform.js';
 import type { IngressConfigRequest } from '../ipc-protocol.js';
 import { CONFIG_RELOAD_DEBOUNCE_MS, defineHandlers, type HandlerContext,log } from './shared.js';
 
@@ -47,11 +47,7 @@ export function computeGatewayTarget(): string {
  */
 export function triggerGatewayReconcile(ingressPublicBaseUrl: string | undefined): void {
   const gatewayBase = computeGatewayTarget();
-  const token = readHttpToken();
-  if (!token) {
-    log.debug('Skipping gateway reconcile trigger: no HTTP bearer token available');
-    return;
-  }
+  const token = mintDaemonDeliveryToken();
 
   const url = `${gatewayBase}/internal/telegram/reconcile`;
   const body = JSON.stringify({ ingressPublicBaseUrl: ingressPublicBaseUrl ?? '' });

package/src/daemon/handlers/guardian-actions.ts

@@ -8,7 +8,7 @@ import { listGuardianDecisionPrompts } from '../../runtime/routes/guardian-actio
 import type { GuardianActionDecision, GuardianActionsPendingRequest } from '../ipc-protocol.js';
 import { defineHandlers, log } from './shared.js';
 
-const VALID_ACTIONS = new Set<string>(['approve_once', 'approve_always', 'reject']);
+const VALID_ACTIONS = new Set<string>(['approve_once', 'approve_10m', 'approve_thread', 'approve_always', 'reject']);
 
 export const guardianActionsHandlers = defineHandlers({
   guardian_actions_pending_request: (msg: GuardianActionsPendingRequest, socket, ctx) => {

package/src/daemon/handlers/sessions.ts

@@ -19,7 +19,7 @@ import { GENERATING_TITLE, queueGenerateConversationTitle, UNTITLED_FALLBACK } f
 import * as externalConversationStore from '../../memory/external-conversation-store.js';
 import { DAEMON_INTERNAL_ASSISTANT_ID } from '../../runtime/assistant-scope.js';
 import { routeGuardianReply } from '../../runtime/guardian-reply-router.js';
-import { resolveLocalIpcGuardianContext } from '../../runtime/local-actor-identity.js';
+import { resolveLocalIpcAuthContext, resolveLocalIpcGuardianContext } from '../../runtime/local-actor-identity.js';
 import * as pendingInteractions from '../../runtime/pending-interactions.js';
 import { checkIngressForSecrets } from '../../security/secret-ingress.js';
 import { compileCustomPatterns, redactSecrets } from '../../security/secret-scanner.js';
@@ -119,6 +119,7 @@ function makeIpcEventSender(params: {
           allowlistOptions: event.allowlistOptions,
           scopeOptions: event.scopeOptions,
           persistentDecisionsAllowed: event.persistentDecisionsAllowed,
+          temporaryOptionsAvailable: event.temporaryOptionsAvailable,
         },
       });
 
@@ -286,6 +287,8 @@ export async function handleUserMessage(
       // the guardianPrincipalId, and resolveGuardianContext classifies the
       // local user as 'guardian' via binding match.
       session.setGuardianContext(resolveLocalIpcGuardianContext(ipcChannel));
+      // Align IPC sessions with the same AuthContext shape as HTTP sessions.
+      session.setAuthContext(resolveLocalIpcAuthContext(msg.sessionId));
       session.setCommandIntent(null);
       // Fire-and-forget: don't block the IPC handler so the connection can
       // continue receiving messages (e.g. cancel, confirmations, or

package/src/daemon/handlers/shared.ts

@@ -6,6 +6,7 @@ import { v4 as uuid } from 'uuid';
 import { getConfig } from '../../config/loader.js';
 import type { HeartbeatService } from '../../heartbeat/heartbeat-service.js';
 import type { SecretPromptResult } from '../../permissions/secret-prompter.js';
+import type { AuthContext } from '../../runtime/auth/types.js';
 import type { DebouncerMap } from '../../util/debounce.js';
 import { getLogger } from '../../util/logger.js';
 import { estimateBase64Bytes } from '../assistant-attachments.js';
@@ -105,6 +106,8 @@ export interface SessionCreateOptions {
   transport?: SessionTransportMetadata;
   assistantId?: string;
   guardianContext?: GuardianRuntimeContext;
+  /** Normalized auth context for the session (IPC or HTTP-derived). */
+  authContext?: AuthContext;
   /** Whether this turn can block on interactive approval prompts. */
   isInteractive?: boolean;
   memoryScopeId?: string;

package/src/daemon/handlers/skills.ts

@@ -299,11 +299,43 @@ export async function handleSkillsInstall(
       (s) => s.id === msg.slug && s.source === "bundled",
     );
     if (bundled) {
+      // Auto-enable the bundled skill so it's immediately usable
+      try {
+        const raw = loadRawConfig();
+        ensureSkillEntry(raw, msg.slug).enabled = true;
+        ctx.setSuppressConfigReload(true);
+        try {
+          saveRawConfig(raw);
+        } catch (err) {
+          ctx.setSuppressConfigReload(false);
+          throw err;
+        }
+        invalidateConfigCache();
+        ctx.debounceTimers.schedule(
+          "__suppress_reset__",
+          () => {
+            ctx.setSuppressConfigReload(false);
+          },
+          CONFIG_RELOAD_DEBOUNCE_MS,
+        );
+        ctx.updateConfigFingerprint();
+      } catch (err) {
+        log.warn(
+          { err, skillId: msg.slug },
+          "Failed to auto-enable bundled skill",
+        );
+      }
+
       ctx.send(socket, {
         type: "skills_operation_response",
         operation: "install",
         success: true,
       });
+      ctx.broadcast({
+        type: "skills_state_changed",
+        name: msg.slug,
+        state: "enabled",
+      });
       return;
     }
 

package/src/daemon/ipc-contract/messages.ts

@@ -30,7 +30,7 @@ export interface UserMessage {
 export interface ConfirmationResponse {
   type: 'confirmation_response';
   requestId: string;
-  decision: 'allow' | 'always_allow' | 'always_allow_high_risk' | 'deny' | 'always_deny';
+  decision: 'allow' | 'allow_10m' | 'allow_thread' | 'always_allow' | 'always_allow_high_risk' | 'deny' | 'always_deny';
   selectedPattern?: string;
   selectedScope?: string;
 }
@@ -119,6 +119,8 @@ export interface ConfirmationRequest {
   sessionId?: string;
   /** When false, the client should hide "always allow" / trust-rule persistence affordances. */
   persistentDecisionsAllowed?: boolean;
+  /** Which temporary approval options the client should render (e.g. "Allow for 10 minutes", "Allow for this thread"). */
+  temporaryOptionsAvailable?: Array<'allow_10m' | 'allow_thread'>;
 }
 
 export interface SecretRequest {

package/src/daemon/ipc-handler.ts

@@ -7,6 +7,10 @@ import * as net from 'node:net';
 
 import { buildAssistantEvent } from '../runtime/assistant-event.js';
 import { assistantEventHub } from '../runtime/assistant-event-hub.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
+import { CURRENT_POLICY_EPOCH } from '../runtime/auth/policy.js';
+import { resolveScopeProfile } from '../runtime/auth/scopes.js';
+import type { AuthContext } from '../runtime/auth/types.js';
 import { getLogger } from '../util/logger.js';
 import { serialize, type ServerMessage } from './ipc-protocol.js';
 
@@ -78,6 +82,26 @@ export class IpcSender {
   }
 }
 
+/**
+ * Build a synthetic AuthContext for an IPC session.
+ *
+ * IPC connections are local-only (Unix domain socket) and pre-authenticated
+ * via the daemon's file-system permission model. This produces the same
+ * AuthContext shape that HTTP routes receive from JWT verification, keeping
+ * downstream code transport-agnostic.
+ */
+export function buildIpcAuthContext(sessionId: string): AuthContext {
+  return {
+    subject: `ipc:self:${sessionId}`,
+    principalType: 'ipc',
+    assistantId: DAEMON_INTERNAL_ASSISTANT_ID,
+    sessionId,
+    scopeProfile: 'ipc_v1',
+    scopes: resolveScopeProfile('ipc_v1'),
+    policyEpoch: CURRENT_POLICY_EPOCH,
+  };
+}
+
 /** Extract sessionId from a ServerMessage if present. */
 function extractSessionId(msg: ServerMessage): string | undefined {
   const record = msg as unknown as Record<string, unknown>;

package/src/daemon/ipc-validate.ts

@@ -137,7 +137,7 @@ const HIGH_RISK_VALIDATORS: Record<string, PropertyValidator> = {
     if (typeof obj.requestId !== 'string' || obj.requestId === '') {
       return 'confirmation_response requires a non-empty string "requestId"';
     }
-    const validDecisions = ['allow', 'always_allow', 'always_allow_high_risk', 'deny', 'always_deny'];
+    const validDecisions = ['allow', 'allow_10m', 'allow_thread', 'always_allow', 'always_allow_high_risk', 'deny', 'always_deny'];
     if (typeof obj.decision !== 'string' || !validDecisions.includes(obj.decision)) {
       return `confirmation_response "decision" must be one of: ${validDecisions.join(', ')}`;
     }

package/src/daemon/lifecycle.ts

@@ -39,11 +39,8 @@ import {
   emitNotificationSignal,
   registerBroadcastFn,
 } from "../notifications/emit-signal.js";
-import {
-  initSigningKey,
-  loadOrCreateSigningKey,
-} from "../runtime/actor-token-service.js";
 import { assistantEventHub } from "../runtime/assistant-event-hub.js";
+import { initAuthSigningKey, loadOrCreateSigningKey } from "../runtime/auth/token-service.js";
 import { ensureVellumGuardianBinding } from "../runtime/guardian-vellum-migration.js";
 import { RuntimeHttpServer } from "../runtime/http-server.js";
 import { startScheduler } from "../schedule/scheduler.js";
@@ -168,10 +165,11 @@ export async function runDaemon(): Promise<void> {
     chmodSync(httpTokenPath, 0o600);
     log.info("Daemon startup: bearer token written");
 
-    // Load (or generate + persist) the actor-token signing key so tokens
-    // survive daemon restarts. Must happen after ensureDataDir() creates
-    // the protected directory.
-    initSigningKey(loadOrCreateSigningKey());
+    // Load (or generate + persist) the auth signing key so tokens survive
+    // daemon restarts. Must happen after ensureDataDir() creates the
+    // protected directory.
+    const signingKey = loadOrCreateSigningKey();
+    initAuthSigningKey(signingKey);
 
     log.info("Daemon startup: migrations complete");
 

package/src/daemon/server.ts

@@ -163,6 +163,7 @@ function makePendingInteractionRegistrar(
           allowlistOptions: msg.allowlistOptions,
           scopeOptions: msg.scopeOptions,
           persistentDecisionsAllowed: msg.persistentDecisionsAllowed,
+          temporaryOptionsAvailable: msg.temporaryOptionsAvailable,
         },
       });
 
@@ -1056,6 +1057,7 @@ export class DaemonServer {
       options?.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
     );
     session.setGuardianContext(options?.guardianContext ?? null);
+    session.setAuthContext(options?.authContext ?? null);
     await session.ensureActorScopedHistory();
     session.setChannelCapabilities(
       resolveChannelCapabilities(sourceChannel, sourceInterface),
@@ -1120,6 +1122,7 @@ export class DaemonServer {
     session
       .runAgentLoop(content, messageId, onEvent, {
         isInteractive: options?.isInteractive ?? false,
+        isUserMessage: true,
       })
       .finally(() => {
         // Only reset if no other caller (e.g. a real IPC client) has rebound
@@ -1259,6 +1262,7 @@ export class DaemonServer {
     try {
       await session.runAgentLoop(resolvedContent, messageId, onEvent, {
         isInteractive: options?.isInteractive ?? false,
+        isUserMessage: true,
       });
     } finally {
       // Only reset if no other caller (e.g. a real IPC client) has rebound
@@ -1284,9 +1288,10 @@ export class DaemonServer {
 
   /**
    * Look up an active session by ID without creating one.
-   * Returns undefined if no session with that ID exists.
+   * Checks both normal sessions and computer-use sessions so the HTTP
+   * surface-action path is consistent with IPC dispatch.
    */
-  findSession(sessionId: string): Session | undefined {
-    return this.sessions.get(sessionId);
+  findSession(sessionId: string): Session | ComputerUseSession | undefined {
+    return this.cuSessions.get(sessionId) ?? this.sessions.get(sessionId);
   }
 }

package/src/daemon/session-agent-loop.ts

@@ -160,7 +160,7 @@ export async function runAgentLoopImpl(
   content: string,
   userMessageId: string,
   onEvent: (msg: ServerMessage) => void,
-  options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; titleText?: string },
+  options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; isUserMessage?: boolean; titleText?: string },
 ): Promise<void> {
   if (!ctx.abortController) {
     throw new Error('runAgentLoop called without prior persistUserMessage');
@@ -213,6 +213,24 @@ export async function runAgentLoopImpl(
   let turnStarted = false;
 
   try {
+    // Auto-complete stale interactive surfaces from previous turns.
+    // Only dismiss when the user sends a new message (not a surface action
+    // response), so internal turns (subagent notifications, lifecycle
+    // instructions) don't accidentally clear active interactive prompts.
+    // Placed inside try so the finally block still runs if onEvent throws.
+    if (options?.isUserMessage && !ctx.surfaceActionRequestIds.has(reqId)) {
+      for (const [surfaceId, entry] of ctx.pendingSurfaceActions) {
+        if (entry.surfaceType === 'dynamic_page') continue;
+        onEvent({
+          type: 'ui_surface_complete',
+          sessionId: ctx.conversationId,
+          surfaceId,
+          summary: 'Dismissed',
+        });
+        ctx.pendingSurfaceActions.delete(surfaceId);
+      }
+    }
+
     const preMessageResult = await getHookManager().trigger('pre-message', {
       sessionId: ctx.conversationId,
       messagePreview: truncate(content, 200, ''),

package/src/daemon/session-attachments.ts

@@ -2,6 +2,7 @@ import { AttachmentUploadError,linkAttachmentToMessage, setAttachmentThumbnail,
 import { check, classifyRisk, generateAllowlistOptions, generateScopeOptions } from '../permissions/checker.js';
 import type { PermissionPrompter } from '../permissions/prompter.js';
 import { addRule } from '../permissions/trust-store.js';
+import { isAllowDecision } from '../permissions/types.js';
 import type { ContentBlock } from '../providers/types.js';
 import { getLogger } from '../util/logger.js';
 import {
@@ -67,7 +68,7 @@ export async function approveHostAttachmentRead(
     addRule(toolName, response.selectedPattern, response.selectedScope, 'deny');
   }
 
-  return response.decision === 'allow' || response.decision === 'always_allow' || response.decision === 'always_allow_high_risk';
+  return isAllowDecision(response.decision);
 }
 
 export function formatAttachmentWarnings(warnings: string[]): string | null {

package/src/daemon/session-history.ts

@@ -264,7 +264,7 @@ export interface HistorySessionContext {
     content: string,
     userMessageId: string,
     onEvent: (msg: ServerMessage) => void,
-    options?: { skipPreMessageRollback?: boolean; titleText?: string },
+    options?: { skipPreMessageRollback?: boolean; isUserMessage?: boolean; titleText?: string },
   ): Promise<void>;
 }
 
@@ -435,5 +435,5 @@ export async function regenerate(
   session.abortController = new AbortController();
   session.currentRequestId = requestId ?? uuid();
 
-  await session.runAgentLoop(content, existingUserMessageId, onEvent, { skipPreMessageRollback: true });
+  await session.runAgentLoop(content, existingUserMessageId, onEvent, { skipPreMessageRollback: true, isUserMessage: true });
 }

package/src/daemon/session-process.ts

@@ -81,7 +81,7 @@ export interface ProcessSessionContext {
     content: string,
     userMessageId: string,
     onEvent: (msg: ServerMessage) => void,
-    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; titleText?: string },
+    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; isUserMessage?: boolean; titleText?: string },
   ): Promise<void>;
   getTurnChannelContext(): TurnChannelContext | null;
   setTurnChannelContext(ctx: TurnChannelContext): void;
@@ -329,13 +329,11 @@ export async function drainQueue(session: ProcessSessionContext, reason: QueueDr
   // Fire-and-forget: persistUserMessage set session.processing = true
   // so subsequent messages will still be enqueued.
   // runAgentLoop's finally block will call drainQueue when this run completes.
-  const drainLoopOptions: { isInteractive?: boolean; titleText?: string } = {};
+  const drainLoopOptions: { isInteractive?: boolean; isUserMessage?: boolean; titleText?: string } = { isUserMessage: true };
   if (next.isInteractive !== undefined) drainLoopOptions.isInteractive = next.isInteractive;
   if (agentLoopContent !== resolvedContent) drainLoopOptions.titleText = resolvedContent;
 
-  session.runAgentLoop(agentLoopContent, userMessageId, next.onEvent,
-    Object.keys(drainLoopOptions).length > 0 ? drainLoopOptions : undefined,
-  ).catch((err) => {
+  session.runAgentLoop(agentLoopContent, userMessageId, next.onEvent, drainLoopOptions).catch((err) => {
     const message = err instanceof Error ? err.message : String(err);
     log.error({ err, conversationId: session.conversationId, requestId: next.requestId }, 'Error processing queued message');
     next.onEvent({ type: 'error', message: `Failed to process queued message: ${message}` });
@@ -559,12 +557,10 @@ export async function processMessage(
       });
   }
 
-  const loopOptions: { isInteractive?: boolean; titleText?: string } = {};
+  const loopOptions: { isInteractive?: boolean; isUserMessage?: boolean; titleText?: string } = { isUserMessage: true };
   if (options?.isInteractive !== undefined) loopOptions.isInteractive = options.isInteractive;
   if (agentLoopContent !== resolvedContent) loopOptions.titleText = resolvedContent;
 
-  await session.runAgentLoop(agentLoopContent, userMessageId, onEvent,
-    Object.keys(loopOptions).length > 0 ? loopOptions : undefined,
-  );
+  await session.runAgentLoop(agentLoopContent, userMessageId, onEvent, loopOptions);
   return userMessageId;
 }

package/src/daemon/session-surfaces.ts

@@ -150,6 +150,7 @@ export interface SurfaceSessionContext {
     attachments: never[],
     onEvent: (msg: ServerMessage) => void,
     requestId: string,
+    activeSurfaceId?: string,
   ): { queued: boolean; rejected?: boolean; requestId: string };
   getQueueDepth(): number;
   processMessage(
@@ -425,7 +426,7 @@ export function handleSurfaceAction(ctx: SurfaceSessionContext, surfaceId: strin
     attributes: { source: 'surface_action', surfaceId, actionId },
   });
 
-  const result = ctx.enqueueMessage(content, [], onEvent, requestId);
+  const result = ctx.enqueueMessage(content, [], onEvent, requestId, surfaceId);
   if (result.queued) {
     const position = ctx.getQueueDepth();
     if (!retainPending) {
@@ -631,6 +632,21 @@ export async function surfaceProxyResolver(
         : INTERACTIVE_SURFACE_TYPES.includes(surfaceType);
     const awaitAction = (input.await_action as boolean) ?? isInteractive;
 
+    // Only one non-persistent interactive surface at a time. If another
+    // surface is already awaiting user input, reject this one so the LLM
+    // presents surfaces sequentially.
+    if (awaitAction) {
+      const hasExistingPending = [...ctx.pendingSurfaceActions.values()].some(
+        entry => entry.surfaceType !== 'dynamic_page'
+      );
+      if (hasExistingPending) {
+        return {
+          content: 'Another interactive surface is already awaiting user input. Present one at a time — wait for the user to respond to the current surface before showing the next.',
+          isError: true,
+        };
+      }
+    }
+
     // Track surface state for ui_update merging
     ctx.surfaceState.set(surfaceId, { surfaceType, data, title });