@vellumai/assistant 0.4.14 → 0.4.15

package/src/runtime/auth/types.ts

@@ -0,0 +1,79 @@
+/**
+ * Core auth types for the single-header JWT auth system.
+ *
+ * These types define the token claims, scope profiles, principal types,
+ * and the normalized AuthContext that downstream code consumes.
+ */
+
+// ---------------------------------------------------------------------------
+// Scope profiles — named bundles of permissions
+// ---------------------------------------------------------------------------
+
+export type ScopeProfile =
+  | 'actor_client_v1'
+  | 'gateway_ingress_v1'
+  | 'gateway_service_v1'
+  | 'ipc_v1';
+
+// ---------------------------------------------------------------------------
+// Individual scope strings
+// ---------------------------------------------------------------------------
+
+export type Scope =
+  | 'chat.read'
+  | 'chat.write'
+  | 'approval.read'
+  | 'approval.write'
+  | 'settings.read'
+  | 'settings.write'
+  | 'attachments.read'
+  | 'attachments.write'
+  | 'calls.read'
+  | 'calls.write'
+  | 'ingress.write'
+  | 'internal.write'
+  | 'feature_flags.read'
+  | 'feature_flags.write'
+  | 'ipc.all';
+
+// ---------------------------------------------------------------------------
+// Principal types — derived from the sub pattern
+// ---------------------------------------------------------------------------
+
+export type PrincipalType = 'actor' | 'svc_gateway' | 'ipc';
+
+// ---------------------------------------------------------------------------
+// Token audience — which service the JWT is intended for
+// ---------------------------------------------------------------------------
+
+export type TokenAudience = 'vellum-gateway' | 'vellum-daemon';
+
+// ---------------------------------------------------------------------------
+// JWT claims — the payload inside the token
+// ---------------------------------------------------------------------------
+
+export interface TokenClaims {
+  iss: 'vellum-auth';
+  aud: TokenAudience;
+  sub: string;
+  scope_profile: ScopeProfile;
+  exp: number;
+  policy_epoch: number;
+  iat?: number;
+  jti?: string;
+}
+
+// ---------------------------------------------------------------------------
+// AuthContext — normalized auth state for downstream consumers
+// ---------------------------------------------------------------------------
+
+export interface AuthContext {
+  subject: string;
+  principalType: PrincipalType;
+  assistantId: string;
+  actorPrincipalId?: string;
+  sessionId?: string;
+  scopeProfile: ScopeProfile;
+  scopes: ReadonlySet<Scope>;
+  policyEpoch: number;
+}

package/src/runtime/channel-approval-parser.ts

@@ -18,22 +18,28 @@ import type { ApprovalAction, ApprovalDecisionResult } from './channel-approval-
 // ---------------------------------------------------------------------------
 
 const APPROVE_ONCE_PHRASES = ['yes', 'approve', 'approve once', 'allow', 'go ahead'];
+const APPROVE_10M_PHRASES = ['approve for 10 minutes', 'allow for 10 minutes', 'approve 10m', 'allow 10m', 'approve 10 min', 'allow 10 min'];
+const APPROVE_THREAD_PHRASES = ['approve for thread', 'allow for thread', 'approve thread', 'allow thread'];
 const APPROVE_ALWAYS_PHRASES = ['always', 'approve always', 'allow always'];
 const REJECT_PHRASES = ['no', 'reject', 'deny', 'cancel'];
 
 /**
- * Build a Map from lowercased phrase to action. "Approve always" phrases
- * are checked first (longest-match-wins) because "approve" is a prefix
- * of "approve always".
+ * Build a Map from lowercased phrase to action. Longer phrases are
+ * inserted first so iteration order does not matter — we match on
+ * exact equality after normalising, not prefix matching.
  */
 function buildPhraseMap(): Map<string, ApprovalAction> {
   const map = new Map<string, ApprovalAction>();
 
-  // Insert longer phrases first so iteration order does not matter —
-  // we match on exact equality after normalising, not prefix matching.
   for (const phrase of APPROVE_ALWAYS_PHRASES) {
     map.set(phrase, 'approve_always');
   }
+  for (const phrase of APPROVE_10M_PHRASES) {
+    map.set(phrase, 'approve_10m');
+  }
+  for (const phrase of APPROVE_THREAD_PHRASES) {
+    map.set(phrase, 'approve_thread');
+  }
   for (const phrase of APPROVE_ONCE_PHRASES) {
     map.set(phrase, 'approve_once');
   }

package/src/runtime/channel-approval-types.ts

@@ -14,7 +14,7 @@ import type { GuardianDecisionAction } from './guardian-decision-types.js';
 // ---------------------------------------------------------------------------
 
 /** The set of actions a user can take on an approval prompt. */
-export type ApprovalAction = 'approve_once' | 'approve_always' | 'reject';
+export type ApprovalAction = 'approve_once' | 'approve_10m' | 'approve_thread' | 'approve_always' | 'reject';
 
 /** An action presented to the user as a tappable button or text option. */
 export interface ApprovalActionOption {

package/src/runtime/channel-approvals.ts

@@ -10,9 +10,11 @@
  */
 
 import { addRule } from '../permissions/trust-store.js';
+import type { UserDecision } from '../permissions/types.js';
 import { getTool } from '../tools/registry.js';
 import { composeApprovalMessage } from './approval-message-composer.js';
 import type {
+  ApprovalAction,
   ApprovalDecisionResult,
   ApprovalUIMetadata,
   ChannelApprovalPrompt,
@@ -110,6 +112,25 @@ export function buildApprovalUIMetadata(
   };
 }
 
+// ---------------------------------------------------------------------------
+// 2.5. Action → UserDecision mapping
+// ---------------------------------------------------------------------------
+
+/**
+ * Map a channel-level `ApprovalAction` to the permission system's
+ * `UserDecision` type. Temporary approval modes (`approve_10m`,
+ * `approve_thread`) map directly to their `allow_*` counterparts so
+ * the permission pipeline can activate the appropriate override.
+ */
+function mapApprovalActionToUserDecision(action: ApprovalAction): UserDecision {
+  switch (action) {
+    case 'reject': return 'deny';
+    case 'approve_10m': return 'allow_10m';
+    case 'approve_thread': return 'allow_thread';
+    default: return 'allow';
+  }
+}
+
 // ---------------------------------------------------------------------------
 // 3. Consume a user decision and apply it to the session
 // ---------------------------------------------------------------------------
@@ -176,7 +197,7 @@ export function handleChannelDecision(
   if (!resolved) return { applied: false };
 
   // Map channel-level action to the permission system's UserDecision type.
-  const userDecision = decision.action === 'reject' ? 'deny' as const : 'allow' as const;
+  const userDecision = mapApprovalActionToUserDecision(decision.action);
   if (decisionContext === undefined) {
     resolved.session.handleConfirmationResponse(info.requestId, userDecision);
   } else {

package/src/runtime/guardian-action-followup-executor.ts

@@ -29,7 +29,7 @@ import {
   type GuardianActionRequest,
 } from '../memory/guardian-action-store.js';
 import { getLogger } from '../util/logger.js';
-import { readHttpToken } from '../util/platform.js';
+import { mintDaemonDeliveryToken } from './auth/token-service.js';
 import { deliverChannelReply } from './gateway-client.js';
 import { composeGuardianActionMessageGenerative } from './guardian-action-message-composer.js';
 import type { GuardianActionCopyGenerator } from './http-types.js';
@@ -115,7 +115,7 @@ async function executeMessageBack(
 
     const gatewayBase = getGatewayInternalBaseUrl();
     const deliverUrl = `${gatewayBase}/deliver/sms`;
-    const bearerToken = readHttpToken() ?? undefined;
+    const bearerToken = mintDaemonDeliveryToken();
 
     await deliverChannelReply(
       deliverUrl,

package/src/runtime/guardian-context-resolver.ts

@@ -124,3 +124,18 @@ export function resolveRoutingState(ctx: Pick<GuardianRuntimeContext, 'trustClas
 export function resolveRoutingStateFromRuntime(ctx: GuardianRuntimeContext): RoutingState {
   return resolveRoutingState(ctx);
 }
+
+/**
+ * Override the sourceChannel on a resolved GuardianRuntimeContext.
+ *
+ * The HTTP /messages endpoint resolves trust against a fixed internal
+ * channel ('vellum') but the request body carries the actual sourceChannel
+ * (e.g. the channel the gateway routed the request through). This helper
+ * copies the context with the caller-supplied sourceChannel.
+ */
+export function toGuardianRuntimeContext(
+  sourceChannel: import('../channels/types.js').ChannelId,
+  ctx: GuardianRuntimeContext,
+): GuardianRuntimeContext {
+  return { ...ctx, sourceChannel };
+}

package/src/runtime/guardian-decision-types.ts

@@ -44,6 +44,8 @@ export interface GuardianDecisionAction {
 /** Canonical set of all guardian decision actions with their labels. */
 export const GUARDIAN_DECISION_ACTIONS = {
   approve_once:   { action: 'approve_once',   label: 'Approve once' },
+  approve_10m:    { action: 'approve_10m',    label: 'Allow 10 min' },
+  approve_thread: { action: 'approve_thread', label: 'Allow thread' },
   approve_always: { action: 'approve_always', label: 'Approve always' },
   reject:         { action: 'reject',         label: 'Reject' },
 } as const satisfies Record<string, GuardianDecisionAction>;
@@ -54,16 +56,21 @@ export const GUARDIAN_DECISION_ACTIONS = {
  *
  * When `persistentDecisionsAllowed` is `false`, the `approve_always` action
  * is excluded. When `forGuardianOnBehalf` is `true` (guardian acting on behalf
- * of a requester), `approve_always` is also excluded since guardians cannot
- * permanently allowlist tools on behalf of others.
+ * of a requester), both `approve_always` and the temporary modes are excluded
+ * since guardians cannot grant broad delegated allow modes on behalf of others.
+ *
+ * Temporary modes (`approve_10m`, `approve_thread`) are included for
+ * requester-side standard approval flows when persistent decisions are allowed.
  */
 export function buildDecisionActions(opts?: {
   persistentDecisionsAllowed?: boolean;
   forGuardianOnBehalf?: boolean;
 }): GuardianDecisionAction[] {
   const showAlways = opts?.persistentDecisionsAllowed !== false && !opts?.forGuardianOnBehalf;
+  const showTemporary = opts?.persistentDecisionsAllowed !== false && !opts?.forGuardianOnBehalf;
   return [
     GUARDIAN_DECISION_ACTIONS.approve_once,
+    ...(showTemporary ? [GUARDIAN_DECISION_ACTIONS.approve_10m, GUARDIAN_DECISION_ACTIONS.approve_thread] : []),
     ...(showAlways ? [GUARDIAN_DECISION_ACTIONS.approve_always] : []),
     GUARDIAN_DECISION_ACTIONS.reject,
   ];
@@ -72,16 +79,26 @@ export function buildDecisionActions(opts?: {
 /**
  * Build the plain-text fallback instruction string that matches the given
  * set of decision actions. Ensures the text always includes parser-compatible
- * keywords (yes/always/no) so text-based fallback remains actionable.
+ * keywords so text-based fallback remains actionable.
  */
 export function buildPlainTextFallback(
   promptText: string,
   actions: GuardianDecisionAction[],
 ): string {
   const hasAlways = actions.some(a => a.action === 'approve_always');
-  return hasAlways
-    ? `${promptText}\n\nReply "yes" to approve once, "always" to approve always, or "no" to reject.`
-    : `${promptText}\n\nReply "yes" to approve or "no" to reject.`;
+  const has10m = actions.some(a => a.action === 'approve_10m');
+  const hasThread = actions.some(a => a.action === 'approve_thread');
+
+  if (hasAlways && has10m && hasThread) {
+    return `${promptText}\n\nReply "yes" to approve once, "approve for 10 minutes", "approve for thread", "always" to approve always, or "no" to reject.`;
+  }
+  if (hasAlways) {
+    return `${promptText}\n\nReply "yes" to approve once, "always" to approve always, or "no" to reject.`;
+  }
+  if (has10m && hasThread) {
+    return `${promptText}\n\nReply "yes" to approve once, "approve for 10 minutes", "approve for thread", or "no" to reject.`;
+  }
+  return `${promptText}\n\nReply "yes" to approve or "no" to reject.`;
 }
 
 // ---------------------------------------------------------------------------

package/src/runtime/guardian-outbound-actions.ts

@@ -16,8 +16,8 @@ import { sendMessage as sendSms } from "../messaging/providers/sms/client.js";
 import { getCredentialMetadata } from "../tools/credentials/metadata-store.js";
 import { getLogger } from "../util/logger.js";
 import { normalizePhoneNumber } from "../util/phone.js";
-import { readHttpToken } from "../util/platform.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "./assistant-scope.js";
+import { mintDaemonDeliveryToken } from "./auth/token-service.js";
 import {
   countRecentSendsToDestination,
   createOutboundSession,
@@ -153,13 +153,7 @@ function deliverVerificationSms(
   (async () => {
     try {
       const gatewayUrl = getGatewayInternalBaseUrl();
-      const bearerToken = readHttpToken();
-      if (!bearerToken) {
-        log.error(
-          "Cannot deliver verification SMS: no runtime HTTP token available",
-        );
-        return;
-      }
+      const bearerToken = mintDaemonDeliveryToken();
       await sendSms(gatewayUrl, bearerToken, to, text, assistantId);
       log.info({ to, assistantId }, "Verification SMS delivered");
     } catch (err) {
@@ -184,13 +178,7 @@ function deliverVerificationTelegram(
   (async () => {
     try {
       const gatewayUrl = getGatewayInternalBaseUrl();
-      const bearerToken = readHttpToken();
-      if (!bearerToken) {
-        log.error(
-          "Cannot deliver verification Telegram message: no runtime HTTP token available",
-        );
-        return;
-      }
+      const bearerToken = mintDaemonDeliveryToken();
       const url = `${gatewayUrl}/deliver/telegram`;
       const resp = await fetch(url, {
         method: "POST",
@@ -646,13 +634,7 @@ function deliverVerificationSlack(
   (async () => {
     try {
       const gatewayUrl = getGatewayInternalBaseUrl();
-      const bearerToken = readHttpToken();
-      if (!bearerToken) {
-        log.error(
-          "Cannot deliver verification Slack DM: no runtime HTTP token available",
-        );
-        return;
-      }
+      const bearerToken = mintDaemonDeliveryToken();
       const url = `${gatewayUrl}/deliver/slack`;
       const resp = await fetch(url, {
         method: "POST",

package/src/runtime/guardian-reply-router.ts

@@ -108,6 +108,8 @@ export interface GuardianReplyResult {
 
 const VALID_ACTIONS: ReadonlySet<string> = new Set([
   'approve_once',
+  'approve_10m',
+  'approve_thread',
   'approve_always',
   'reject',
 ]);
@@ -476,9 +478,9 @@ export async function routeGuardianReply(
     // Decision-bearing disposition from the engine
     let decisionAction = engineResult.disposition as ApprovalAction;
 
-    // Guardians cannot approve_always — the canonical primitive enforces
-    // this too, but enforce it here for clarity.
-    if (decisionAction === 'approve_always') {
+    // Guardians cannot use broad allow modes — the canonical primitive
+    // enforces this too, but enforce it here for clarity.
+    if (decisionAction === 'approve_always' || decisionAction === 'approve_10m' || decisionAction === 'approve_thread') {
       decisionAction = 'approve_once';
     }