@vellumai/assistant 0.4.13 → 0.4.15

package/src/daemon/session-tool-setup.ts

@@ -6,31 +6,50 @@
  * keeping the constructor body focused on wiring.
  */
 
-import { generateAllowlistOptions, generateScopeOptions, normalizeWebFetchUrl } from '../permissions/checker.js';
-import type { PermissionPrompter } from '../permissions/prompter.js';
-import type { SecretPrompter } from '../permissions/secret-prompter.js';
-import { addRule, findHighestPriorityRule } from '../permissions/trust-store.js';
-import type { Message, ToolDefinition } from '../providers/types.js';
-import type { ToolExecutor } from '../tools/executor.js';
-import type { ToolExecutionResult, ToolLifecycleEventHandler } from '../tools/types.js';
-import { getLogger } from '../util/logger.js';
-import { isDoordashCommand, markDoordashStepInProgress } from './doordash-steps.js';
-import type { ServerMessage, UiSurfaceShow } from './ipc-protocol.js';
-import { runPostExecutionSideEffects } from './tool-side-effects.js';
-
-const log = getLogger('session-tool-setup');
-import { coreAppProxyTools } from '../tools/apps/definitions.js';
-import { registerSessionSender } from '../tools/browser/browser-screencast.js';
-import { requestComputerControlTool } from '../tools/computer-use/request-computer-control.js';
-import type { ProxyApprovalCallback, ProxyApprovalRequest } from '../tools/network/script-proxy/index.js';
-import { getAllToolDefinitions } from '../tools/registry.js';
-import { allUiSurfaceTools } from '../tools/ui-surface/definitions.js';
-import type { GuardianRuntimeContext } from './session-runtime-assembly.js';
-import { projectSkillTools, type SkillProjectionCache } from './session-skill-tools.js';
-import type { SurfaceSessionContext } from './session-surfaces.js';
 import {
-  surfaceProxyResolver,
-} from './session-surfaces.js';
+  generateAllowlistOptions,
+  generateScopeOptions,
+  normalizeWebFetchUrl,
+} from "../permissions/checker.js";
+import type { PermissionPrompter } from "../permissions/prompter.js";
+import type { SecretPrompter } from "../permissions/secret-prompter.js";
+import {
+  addRule,
+  findHighestPriorityRule,
+} from "../permissions/trust-store.js";
+import { isAllowDecision } from "../permissions/types.js";
+import type { Message, ToolDefinition } from "../providers/types.js";
+import { getEffectiveMode } from "../runtime/session-approval-overrides.js";
+import type { ToolExecutor } from "../tools/executor.js";
+import type {
+  ToolExecutionResult,
+  ToolLifecycleEventHandler,
+} from "../tools/types.js";
+import { getLogger } from "../util/logger.js";
+import {
+  isDoordashCommand,
+  markDoordashStepInProgress,
+} from "./doordash-steps.js";
+import type { ServerMessage, UiSurfaceShow } from "./ipc-protocol.js";
+import { runPostExecutionSideEffects } from "./tool-side-effects.js";
+
+const log = getLogger("session-tool-setup");
+import { coreAppProxyTools } from "../tools/apps/definitions.js";
+import { registerSessionSender } from "../tools/browser/browser-screencast.js";
+import { requestComputerControlTool } from "../tools/computer-use/request-computer-control.js";
+import type {
+  ProxyApprovalCallback,
+  ProxyApprovalRequest,
+} from "../tools/network/script-proxy/index.js";
+import { getAllToolDefinitions } from "../tools/registry.js";
+import { allUiSurfaceTools } from "../tools/ui-surface/definitions.js";
+import type { GuardianRuntimeContext } from "./session-runtime-assembly.js";
+import {
+  projectSkillTools,
+  type SkillProjectionCache,
+} from "./session-skill-tools.js";
+import type { SurfaceSessionContext } from "./session-surfaces.js";
+import { surfaceProxyResolver } from "./session-surfaces.js";
 
 // ── Context Interface ────────────────────────────────────────────────
 
@@ -94,11 +113,19 @@ export function createToolExecutor(
   ctx: ToolSetupContext,
   handleToolLifecycleEvent: ToolLifecycleEventHandler,
   broadcastToAllClients?: (msg: ServerMessage) => void,
-): (name: string, input: Record<string, unknown>, onOutput?: (chunk: string) => void) => Promise<ToolExecutionResult> {
+): (
+  name: string,
+  input: Record<string, unknown>,
+  onOutput?: (chunk: string) => void,
+) => Promise<ToolExecutionResult> {
   // Register the session's sendToClient for browser screencast surface messages
   registerSessionSender(ctx.conversationId, (msg) => ctx.sendToClient(msg));
 
-  return async (name: string, input: Record<string, unknown>, onOutput?: (chunk: string) => void) => {
+  return async (
+    name: string,
+    input: Record<string, unknown>,
+    onOutput?: (chunk: string) => void,
+  ) => {
     if (isDoordashCommand(name, input)) {
       markDoordashStepInProgress(ctx, input);
     }
@@ -110,10 +137,11 @@ export function createToolExecutor(
       assistantId: ctx.assistantId,
       requestId: ctx.currentRequestId,
       taskRunId: ctx.taskRunId,
-      guardianTrustClass: ctx.guardianContext?.trustClass ?? 'guardian',
+      guardianTrustClass: ctx.guardianContext?.trustClass ?? "guardian",
       executionChannel: ctx.guardianContext?.sourceChannel,
       callSessionId: ctx.callSessionId,
-      triggeredBySurfaceAction: ctx.surfaceActionRequestIds?.has(ctx.currentRequestId ?? '') ?? false,
+      triggeredBySurfaceAction:
+        ctx.surfaceActionRequestIds?.has(ctx.currentRequestId ?? "") ?? false,
       requesterExternalUserId: ctx.guardianContext?.requesterExternalUserId,
       requesterChatId: ctx.guardianContext?.requesterChatId,
       onOutput,
@@ -127,7 +155,7 @@ export function createToolExecutor(
         // Tool context's sendToClient uses a loose { type: string; [key: string]: unknown }
         // signature, but at runtime these are always ServerMessage instances.
         ctx.sendToClient(msg as ServerMessage);
-        if (msg.type === 'ui_surface_show') {
+        if (msg.type === "ui_surface_show") {
           const s = msg as unknown as UiSurfaceShow;
           ctx.currentTurnSurfaces.push({
             surfaceId: s.surfaceId,
@@ -140,31 +168,59 @@ export function createToolExecutor(
         }
       },
       isInteractive: !ctx.hasNoClient && !ctx.headlessLock,
-      proxyToolResolver: (toolName: string, proxyInput: Record<string, unknown>) => surfaceProxyResolver(ctx, toolName, proxyInput),
+      proxyToolResolver: (
+        toolName: string,
+        proxyInput: Record<string, unknown>,
+      ) => surfaceProxyResolver(ctx, toolName, proxyInput),
       proxyApprovalCallback: createProxyApprovalCallback(prompter, ctx),
       requestSecret: async (params) => {
         return secretPrompter.prompt(
-          params.service, params.field, params.label,
-          params.description, params.placeholder,
+          params.service,
+          params.field,
+          params.label,
+          params.description,
+          params.placeholder,
           ctx.conversationId,
-          params.purpose, params.allowedTools, params.allowedDomains,
+          params.purpose,
+          params.allowedTools,
+          params.allowedDomains,
         );
       },
       requestConfirmation: async (req) => {
         // Check trust store before prompting
         const existingRule = findHighestPriorityRule(
-          'cc:' + req.toolName,
-          [req.toolName, `cc:${req.toolName}`, 'cc:*'],
+          "cc:" + req.toolName,
+          [req.toolName, `cc:${req.toolName}`, "cc:*"],
           ctx.workingDir,
         );
-        if (existingRule && existingRule.decision !== 'ask') {
+        if (existingRule && existingRule.decision !== "ask") {
           return {
-            decision: existingRule.decision === 'allow' ? 'allow' as const : 'deny' as const,
+            decision:
+              existingRule.decision === "allow"
+                ? ("allow" as const)
+                : ("deny" as const),
           };
         }
+        // Auto-approve sub-tool confirmations when a temporary approval
+        // override is active for this conversation (guardian only).
+        const guardianTrust = ctx.guardianContext?.trustClass ?? "guardian";
+        if (
+          guardianTrust === "guardian" &&
+          getEffectiveMode(ctx.conversationId) !== undefined
+        ) {
+          return { decision: "allow" as const };
+        }
         const allowlistOptions = [
-          { label: `cc:${req.toolName}`, description: `Claude Code ${req.toolName}`, pattern: `cc:${req.toolName}` },
-          { label: 'cc:*', description: 'All Claude Code sub-tools', pattern: 'cc:*' },
+          {
+            label: `cc:${req.toolName}`,
+            description: `Claude Code ${req.toolName}`,
+            pattern: `cc:${req.toolName}`,
+          },
+          {
+            label: "cc:*",
+            description: "All Claude Code sub-tools",
+            pattern: "cc:*",
+          },
         ];
         const scopeOptions = generateScopeOptions(ctx.workingDir);
         const response = await prompter.prompt(
@@ -173,26 +229,69 @@ export function createToolExecutor(
           req.riskLevel,
           allowlistOptions,
           scopeOptions,
-          undefined, undefined,
+          undefined,
+          undefined,
           ctx.conversationId,
           req.executionTarget,
         );
-        if ((response.decision === 'always_allow' || response.decision === 'always_allow_high_risk') && response.selectedPattern && response.selectedScope) {
-          log.info({ toolName: 'cc:' + req.toolName, pattern: response.selectedPattern, scope: response.selectedScope, highRisk: response.decision === 'always_allow_high_risk' }, 'Persisting always-allow trust rule');
-          addRule('cc:' + req.toolName, response.selectedPattern, response.selectedScope, 'allow', 100,
-            response.decision === 'always_allow_high_risk' ? { allowHighRisk: true } : undefined);
+        if (
+          (response.decision === "always_allow" ||
+            response.decision === "always_allow_high_risk") &&
+          response.selectedPattern &&
+          response.selectedScope
+        ) {
+          log.info(
+            {
+              toolName: "cc:" + req.toolName,
+              pattern: response.selectedPattern,
+              scope: response.selectedScope,
+              highRisk: response.decision === "always_allow_high_risk",
+            },
+            "Persisting always-allow trust rule",
+          );
+          addRule(
+            "cc:" + req.toolName,
+            response.selectedPattern,
+            response.selectedScope,
+            "allow",
+            100,
+            response.decision === "always_allow_high_risk"
+              ? { allowHighRisk: true }
+              : undefined,
+          );
         }
-        if (response.decision === 'always_deny' && response.selectedPattern && response.selectedScope) {
-          log.info({ toolName: 'cc:' + req.toolName, pattern: response.selectedPattern, scope: response.selectedScope }, 'Persisting always-deny trust rule');
-          addRule('cc:' + req.toolName, response.selectedPattern, response.selectedScope, 'deny');
+        if (
+          response.decision === "always_deny" &&
+          response.selectedPattern &&
+          response.selectedScope
+        ) {
+          log.info(
+            {
+              toolName: "cc:" + req.toolName,
+              pattern: response.selectedPattern,
+              scope: response.selectedScope,
+            },
+            "Persisting always-deny trust rule",
+          );
+          addRule(
+            "cc:" + req.toolName,
+            response.selectedPattern,
+            response.selectedScope,
+            "deny",
+          );
         }
         return {
-          decision: (response.decision === 'allow' || response.decision === 'always_allow' || response.decision === 'always_allow_high_risk') ? 'allow' as const : 'deny' as const,
+          decision: isAllowDecision(response.decision)
+            ? ("allow" as const)
+            : ("deny" as const),
         };
       },
     });
 
-    runPostExecutionSideEffects(name, input, result, { ctx, broadcastToAllClients });
+    runPostExecutionSideEffects(name, input, result, {
+      ctx,
+      broadcastToAllClients,
+    });
 
     return result;
   };
@@ -216,19 +315,20 @@ export function createProxyApprovalCallback(
 
     // Use the standard network_request tool name so trust rules align with
     // the checker's URL-based candidate generation and allowlist options.
-    const toolName = 'network_request';
+    const toolName = "network_request";
     const { scheme } = decision.target;
-    const url = `${scheme}://${hostname}${port ? ':' + port : ''}${path}`;
+    const url = `${scheme}://${hostname}${port ? ":" + port : ""}${path}`;
 
     const input: Record<string, unknown> = {
       url,
       proxy_session_id: request.sessionId,
     };
-    if (decision.kind === 'ask_missing_credential') {
+    if (decision.kind === "ask_missing_credential") {
       input.matching_patterns = decision.matchingPatterns;
     }
 
-    const riskLevel = decision.kind === 'ask_missing_credential' ? 'high' : 'medium';
+    const riskLevel =
+      decision.kind === "ask_missing_credential" ? "high" : "medium";
 
     // Check trust store before prompting — build candidates that mirror
     // buildCommandCandidates() in checker.ts for network_request.
@@ -242,16 +342,23 @@ export function createProxyApprovalCallback(
     // Deduplicate
     const uniqueCandidates = [...new Set(candidates)];
 
-    const existingRule = findHighestPriorityRule(toolName, uniqueCandidates, ctx.workingDir);
-    if (existingRule && existingRule.decision !== 'ask') {
-      if (existingRule.decision === 'deny') return false;
+    const existingRule = findHighestPriorityRule(
+      toolName,
+      uniqueCandidates,
+      ctx.workingDir,
+    );
+    if (existingRule && existingRule.decision !== "ask") {
+      if (existingRule.decision === "deny") return false;
       // For high-risk proxy decisions, a plain allow rule (without allowHighRisk)
       // must fall through to prompting — mirroring the checker's behavior.
-      if (riskLevel !== 'high' || existingRule.allowHighRisk === true) return true;
+      if (riskLevel !== "high" || existingRule.allowHighRisk === true)
+        return true;
     }
 
     // Use the checker's built-in allowlist generation for network_request
-    const allowlistOptions = await generateAllowlistOptions('network_request', { url });
+    const allowlistOptions = await generateAllowlistOptions("network_request", {
+      url,
+    });
 
     const scopeOptions = generateScopeOptions(ctx.workingDir);
 
@@ -261,6 +368,11 @@ export function createProxyApprovalCallback(
       return false;
     }
 
+    // Proxied network requests require per-invocation approval and must
+    // not be auto-approved by temporary overrides (allow_10m / allow_thread).
+    // Unlike regular tool invocations, these represent outbound network
+    // actions that should always receive explicit confirmation.
+
     const response = await prompter.prompt(
       toolName,
       input,
@@ -273,19 +385,54 @@ export function createProxyApprovalCallback(
     );
 
     // Persist trust rule if the user chose "always allow" or "always deny"
-    if ((response.decision === 'always_allow' || response.decision === 'always_allow_high_risk') && response.selectedPattern && response.selectedScope) {
-      log.info({ toolName, pattern: response.selectedPattern, scope: response.selectedScope, highRisk: response.decision === 'always_allow_high_risk' }, 'Persisting always-allow trust rule (proxy)');
-      addRule(toolName, response.selectedPattern, response.selectedScope, 'allow', 100,
-        response.decision === 'always_allow_high_risk' ? { allowHighRisk: true } : undefined);
+    if (
+      (response.decision === "always_allow" ||
+        response.decision === "always_allow_high_risk") &&
+      response.selectedPattern &&
+      response.selectedScope
+    ) {
+      log.info(
+        {
+          toolName,
+          pattern: response.selectedPattern,
+          scope: response.selectedScope,
+          highRisk: response.decision === "always_allow_high_risk",
+        },
+        "Persisting always-allow trust rule (proxy)",
+      );
+      addRule(
+        toolName,
+        response.selectedPattern,
+        response.selectedScope,
+        "allow",
+        100,
+        response.decision === "always_allow_high_risk"
+          ? { allowHighRisk: true }
+          : undefined,
+      );
     }
-    if (response.decision === 'always_deny' && response.selectedPattern && response.selectedScope) {
-      log.info({ toolName, pattern: response.selectedPattern, scope: response.selectedScope }, 'Persisting always-deny trust rule (proxy)');
-      addRule(toolName, response.selectedPattern, response.selectedScope, 'deny');
+    if (
+      response.decision === "always_deny" &&
+      response.selectedPattern &&
+      response.selectedScope
+    ) {
+      log.info(
+        {
+          toolName,
+          pattern: response.selectedPattern,
+          scope: response.selectedScope,
+        },
+        "Persisting always-deny trust rule (proxy)",
+      );
+      addRule(
+        toolName,
+        response.selectedPattern,
+        response.selectedScope,
+        "deny",
+      );
     }
 
-    return response.decision === 'allow'
-      || response.decision === 'always_allow'
-      || response.decision === 'always_allow_high_risk';
+    return isAllowDecision(response.decision);
   };
 }
 
@@ -296,7 +443,7 @@ export function createProxyApprovalCallback(
  * history or explicit preactivation. Without this, their tools are
  * unavailable in fresh sessions until `skill_load` is called.
  */
-const DEFAULT_PREACTIVATED_SKILL_IDS = ['tasks', 'notifications'];
+const DEFAULT_PREACTIVATED_SKILL_IDS = ["tasks", "notifications"];
 
 /**
  * Subset of Session state that the resolveTools callback reads at each

package/src/daemon/session.ts

@@ -34,6 +34,8 @@ import { SecretPrompter } from '../permissions/secret-prompter.js';
 import type { UserDecision } from '../permissions/types.js';
 import type { Message } from '../providers/types.js';
 import type { Provider } from '../providers/types.js';
+import type { AuthContext } from '../runtime/auth/types.js';
+import * as approvalOverrides from '../runtime/session-approval-overrides.js';
 import { ToolExecutor } from '../tools/executor.js';
 import type { AssistantAttachmentDraft } from './assistant-attachments.js';
 import type { AssistantActivityState, ConfirmationStateChanged } from './ipc-contract/messages.js';
@@ -142,6 +144,7 @@ export class Session {
   /** @internal */ currentPage?: string;
   /** @internal */ channelCapabilities?: ChannelCapabilities;
   /** @internal */ guardianContext?: GuardianRuntimeContext;
+  /** @internal */ authContext?: AuthContext;
   /** @internal */ loadedHistoryTrustClass?: GuardianRuntimeContext['trustClass'];
   /** @internal */ voiceCallControlPrompt?: string;
   /** @internal */ assistantId?: string;
@@ -428,6 +431,7 @@ export class Session {
   }
 
   dispose(): void {
+    approvalOverrides.clearMode(this.conversationId);
     disposeSession(this);
   }
 
@@ -499,6 +503,12 @@ export class Session {
       decisionText?: string;
     },
   ): void {
+    // Guard: only proceed if the confirmation is still pending. Stale or
+    // already-resolved requests must not activate overrides or emit events.
+    if (!this.prompter.hasPendingRequest(requestId)) {
+      return;
+    }
+
     this.prompter.resolveConfirmation(
       requestId,
       decision,
@@ -507,6 +517,11 @@ export class Session {
       decisionContext,
     );
 
+    // Mode activation (setTimedMode / setThreadMode) is intentionally NOT
+    // done here. It is handled in permission-checker.ts where
+    // persistentDecisionsAllowed context is available — this prevents
+    // proxied bash commands from escalating into blanket auto-approval.
+
     // Emit authoritative confirmation state and activity transition centrally
     // so ALL callers (IPC handlers, /v1/confirm, channel bridges) get
     // consistent events without duplicating emission logic.
@@ -566,6 +581,14 @@ export class Session {
     this.guardianContext = ctx ?? undefined;
   }
 
+  setAuthContext(ctx: AuthContext | null): void {
+    this.authContext = ctx ?? undefined;
+  }
+
+  getAuthContext(): AuthContext | undefined {
+    return this.authContext;
+  }
+
   setVoiceCallControlPrompt(prompt: string | null): void {
     this.voiceCallControlPrompt = prompt ?? undefined;
   }
@@ -617,7 +640,7 @@ export class Session {
     content: string,
     userMessageId: string,
     onEvent: (msg: ServerMessage) => void,
-    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; titleText?: string },
+    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; isUserMessage?: boolean; titleText?: string },
   ): Promise<void> {
     return runAgentLoopImpl(this, content, userMessageId, onEvent, options);
   }

package/src/events/domain-events.ts

@@ -20,7 +20,7 @@ export interface ToolDomainEvents {
     sessionId: string;
     requestId?: string;
     toolName: string;
-    decision: 'allow' | 'always_allow' | 'deny' | 'always_deny';
+    decision: 'allow' | 'allow_10m' | 'allow_thread' | 'always_allow' | 'deny' | 'always_deny';
     riskLevel: string;
     decidedAtMs: number;
   };

package/src/events/tool-domain-event-publisher.ts

@@ -1,13 +1,8 @@
+import { isAllowDecision, type UserDecision } from '../permissions/types.js';
 import type { ToolLifecycleEventHandler } from '../tools/types.js';
 import type { EventBus } from './bus.js';
 import type { AssistantDomainEvents } from './domain-events.js';
 
-const allowDecisions = new Set(['allow', 'always_allow']);
-
-function isAllowDecision(decision: string): decision is 'allow' | 'always_allow' {
-  return allowDecisions.has(decision);
-}
-
 export function createToolDomainEventPublisher(
   eventBus: EventBus<AssistantDomainEvents>,
 ): ToolLifecycleEventHandler {
@@ -45,13 +40,13 @@ export function createToolDomainEventPublisher(
         });
         break;
       case 'executed':
-        if (isAllowDecision(event.decision)) {
+        if (isAllowDecision(event.decision as UserDecision)) {
           await eventBus.emit('tool.permission.decided', {
             conversationId: event.conversationId,
             sessionId: event.sessionId,
             requestId: event.requestId,
             toolName: event.toolName,
-            decision: event.decision,
+            decision: event.decision as AssistantDomainEvents['tool.permission.decided']['decision'],
             riskLevel: event.riskLevel,
             decidedAtMs: Date.now(),
           });
@@ -69,13 +64,13 @@ export function createToolDomainEventPublisher(
         });
         break;
       case 'error':
-        if (isAllowDecision(event.decision)) {
+        if (isAllowDecision(event.decision as UserDecision)) {
           await eventBus.emit('tool.permission.decided', {
             conversationId: event.conversationId,
             sessionId: event.sessionId,
             requestId: event.requestId,
             toolName: event.toolName,
-            decision: event.decision,
+            decision: event.decision as AssistantDomainEvents['tool.permission.decided']['decision'],
             riskLevel: event.riskLevel,
             decidedAtMs: Date.now(),
           });

package/src/influencer/client.ts

@@ -48,7 +48,7 @@
 import type { ExtensionCommand, ExtensionResponse } from '../browser-extension-relay/protocol.js';
 import { extensionRelayServer } from '../browser-extension-relay/server.js';
 import { getGatewayInternalBaseUrl } from '../config/env.js';
-import { readHttpToken } from '../util/platform.js';
+import { isSigningKeyInitialized, mintEdgeRelayToken } from '../runtime/auth/token-service.js';
 
 // ---------------------------------------------------------------------------
 // Types
@@ -126,13 +126,14 @@ async function sendRelayCommand(command: Record<string, unknown>): Promise<Exten
     return extensionRelayServer.sendCommand(command as Omit<ExtensionCommand, 'id'>);
   }
 
-  // Fall back to HTTP relay endpoint on the daemon
-  const token = readHttpToken();
-  if (!token) {
-    throw new Error(
-      'Browser extension relay is not connected and no HTTP token found. Is the daemon running?',
-    );
+  // Fall back to HTTP relay endpoint via the gateway.
+  // The gateway validates edge JWTs (aud=vellum-gateway) and mints an
+  // exchange token for the runtime. Without the signing key (CLI
+  // out-of-process), we cannot mint JWTs at all.
+  if (!isSigningKeyInitialized()) {
+    throw new Error('Auth signing key not initialized — browser-relay commands require the daemon to be running');
   }
+  const token = mintEdgeRelayToken();
 
   const resp = await fetch(`${getGatewayInternalBaseUrl()}/v1/browser-relay/command`, {
     method: 'POST',

package/src/messaging/providers/gmail/client.ts

@@ -193,12 +193,17 @@ export async function createDraft(
   subject: string,
   body: string,
   inReplyTo?: string,
+  cc?: string,
+  bcc?: string,
+  threadId?: string,
 ): Promise<GmailDraft> {
   const headers = [
     `To: ${to}`,
     `Subject: ${subject}`,
     'Content-Type: text/plain; charset=utf-8',
   ];
+  if (cc) headers.push(`Cc: ${cc}`);
+  if (bcc) headers.push(`Bcc: ${bcc}`);
   if (inReplyTo) {
     headers.push(`In-Reply-To: ${inReplyTo}`);
     headers.push(`References: ${inReplyTo}`);
@@ -208,9 +213,36 @@ export async function createDraft(
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
     .replace(/=+$/, '');
+  const message: Record<string, unknown> = { raw };
+  if (threadId) message.threadId = threadId;
+  return request<GmailDraft>(token, '/drafts', {
+    method: 'POST',
+    body: JSON.stringify({ message }),
+  });
+}
+
+/** Create a draft from a pre-built base64url MIME payload. */
+export async function createDraftRaw(
+  token: string,
+  raw: string,
+  threadId?: string,
+): Promise<GmailDraft> {
+  const message: Record<string, unknown> = { raw };
+  if (threadId) message.threadId = threadId;
   return request<GmailDraft>(token, '/drafts', {
     method: 'POST',
-    body: JSON.stringify({ message: { raw } }),
+    body: JSON.stringify({ message }),
+  });
+}
+
+/** Send an existing draft by ID. */
+export async function sendDraft(
+  token: string,
+  draftId: string,
+): Promise<GmailMessage> {
+  return request<GmailMessage>(token, '/drafts/send', {
+    method: 'POST',
+    body: JSON.stringify({ id: draftId }),
   });
 }
 

package/src/messaging/providers/gmail/mime-builder.ts

@@ -16,6 +16,8 @@ export interface MimeMessageOptions {
   subject: string;
   body: string;
   inReplyTo?: string;
+  cc?: string;
+  bcc?: string;
   attachments: MimeAttachment[];
 }
 
@@ -32,7 +34,7 @@ function toBase64Url(input: Buffer): string {
  * Returns a base64url-encoded string ready for Gmail's messages.send `raw` field.
  */
 export function buildMultipartMime(options: MimeMessageOptions): string {
-  const { to, subject, body, inReplyTo, attachments } = options;
+  const { to, subject, body, inReplyTo, cc, bcc, attachments } = options;
   const boundary = `----=_Part_${randomBytes(16).toString('hex')}`;
 
   const headers = [
@@ -41,6 +43,8 @@ export function buildMultipartMime(options: MimeMessageOptions): string {
     'MIME-Version: 1.0',
     `Content-Type: multipart/mixed; boundary="${boundary}"`,
   ];
+  if (cc) headers.push(`Cc: ${cc}`);
+  if (bcc) headers.push(`Bcc: ${bcc}`);
   if (inReplyTo) {
     headers.push(`In-Reply-To: ${inReplyTo}`);
     headers.push(`References: ${inReplyTo}`);