@vellumai/assistant 0.4.18 → 0.4.20

package/docs/runbook-trusted-contacts.md

@@ -5,11 +5,13 @@ Operational procedures for inspecting, managing, and debugging the trusted conta
 ## Prerequisites
 
 ```bash
-# Read the bearer token
-TOKEN=$(cat ~/.vellum/http-token)
-
 # Base URL (adjust if using a non-default port)
 BASE=http://localhost:7830
+
+# Bearer token: if running via the assistant's shell tools, $GATEWAY_AUTH_TOKEN
+# is injected automatically. For manual operator use, mint a token via the CLI
+# or use one from the daemon (e.g. from a recent shell env export).
+TOKEN=$GATEWAY_AUTH_TOKEN
 ```
 
 ## 1. Inspect Trusted Contacts (Members)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.18",
+  "version": "0.4.20",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"

package/src/__tests__/channel-approvals.test.ts

@@ -132,9 +132,11 @@ describe("getChannelApprovalPrompt", () => {
     const result = getChannelApprovalPrompt("conv-1");
     expect(result).not.toBeNull();
     expect(result!.promptText).toContain("shell");
-    expect(result!.actions).toHaveLength(3);
+    expect(result!.actions).toHaveLength(5);
     expect(result!.actions.map((a) => a.id)).toEqual([
       "approve_once",
+      "approve_10m",
+      "approve_thread",
       "approve_always",
       "reject",
     ]);
@@ -174,6 +176,8 @@ describe("getChannelApprovalPrompt", () => {
     expect(result).not.toBeNull();
     expect(result!.actions.map((a) => a.id)).toEqual([
       "approve_once",
+      "approve_10m",
+      "approve_thread",
       "approve_always",
       "reject",
     ]);
@@ -189,6 +193,8 @@ describe("getChannelApprovalPrompt", () => {
     expect(result).not.toBeNull();
     expect(result!.actions.map((a) => a.id)).toEqual([
       "approve_once",
+      "approve_10m",
+      "approve_thread",
       "approve_always",
       "reject",
     ]);

package/src/__tests__/conversation-routes-guardian-reply.test.ts

@@ -79,6 +79,14 @@ mock.module("../runtime/local-actor-identity.js", () => ({
   }),
 }));
 
+mock.module("../runtime/guardian-context-resolver.js", () => ({
+  resolveGuardianContext: () => ({
+    trustClass: "guardian",
+    sourceChannel: "vellum",
+  }),
+  toGuardianRuntimeContext: (ctx: unknown) => ctx,
+}));
+
 import type { AuthContext } from "../runtime/auth/types.js";
 import { handleSendMessage } from "../runtime/routes/conversation-routes.js";
 

package/src/__tests__/daemon-server-session-init.test.ts

@@ -131,6 +131,8 @@ class MockSession {
     this.guardianContext = ctx;
   }
 
+  setAuthContext(): void {}
+
   setChannelCapabilities(): void {}
 
   setCommandIntent(): void {}

package/src/__tests__/gmail-integration.test.ts

@@ -11,6 +11,13 @@ const toolsManifestPath = resolve(
   "../config/bundled-skills/messaging/TOOLS.json",
 );
 const toolsManifest = JSON.parse(readFileSync(toolsManifestPath, "utf-8"));
+const slackToolsManifestPath = resolve(
+  __dirname,
+  "../config/bundled-skills/slack/TOOLS.json",
+);
+const slackToolsManifest = JSON.parse(
+  readFileSync(slackToolsManifestPath, "utf-8"),
+);
 
 describe("Messaging tool contract", () => {
   const expectedGmailToolNames = [
@@ -70,19 +77,21 @@ describe("Messaging tool contract", () => {
   });
 
   test("TOOLS.json manifest contains all expected slack_* tool names", () => {
-    const manifestToolNames: string[] = toolsManifest.tools.map(
+    const slackToolNames: string[] = slackToolsManifest.tools.map(
       (t: { name: string }) => t.name,
     );
     for (const name of expectedSlackToolNames) {
-      expect(manifestToolNames).toContain(name);
+      expect(slackToolNames).toContain(name);
     }
   });
 
-  test("TOOLS.json manifest contains at least the expected number of tools", () => {
+  test("TOOLS.json manifests contain at least the expected number of tools", () => {
     const expectedMinimum =
       expectedGmailToolNames.length +
       expectedMessagingToolNames.length +
       expectedSlackToolNames.length;
-    expect(toolsManifest.tools.length).toBeGreaterThanOrEqual(expectedMinimum);
+    const totalTools =
+      toolsManifest.tools.length + slackToolsManifest.tools.length;
+    expect(totalTools).toBeGreaterThanOrEqual(expectedMinimum);
   });
 });

package/src/__tests__/handle-user-message-secret-resume.test.ts

@@ -1,7 +1,12 @@
 import * as net from "node:net";
 import { describe, expect, mock, test } from "bun:test";
 
-mock.module("../config/env.js", () => ({ isHttpAuthDisabled: () => true }));
+const actualEnv = await import("../config/env.js");
+mock.module("../config/env.js", () => ({
+  ...actualEnv,
+  isHttpAuthDisabled: () => true,
+  isMonitoringEnabled: () => false,
+}));
 
 const { handleUserMessage } = await import("../daemon/handlers/sessions.js");
 
@@ -47,6 +52,7 @@ describe("handleUserMessage secret redirect continuation", () => {
       setAssistantId: () => {},
       setChannelCapabilities: () => {},
       setGuardianContext: () => {},
+      setAuthContext: () => {},
       setCommandIntent: () => {},
       updateClient: () => {},
       emitActivityState: () => {},

package/src/__tests__/handlers-user-message-approval-consumption.test.ts

@@ -116,6 +116,7 @@ interface TestSession {
   setTurnInterfaceContext: (ctx: unknown) => void;
   setAssistantId: (assistantId: string) => void;
   setGuardianContext: (ctx: unknown) => void;
+  setAuthContext: (ctx: unknown) => void;
   setCommandIntent: (intent: unknown) => void;
   updateClient: (
     sendToClient: (msg: ServerMessage) => void,
@@ -180,6 +181,7 @@ function makeSession(overrides: Partial<TestSession> = {}): TestSession {
     setTurnInterfaceContext: () => {},
     setAssistantId: () => {},
     setGuardianContext: () => {},
+    setAuthContext: () => {},
     setCommandIntent: () => {},
     updateClient: () => {},
     emitActivityState: () => {},

package/src/__tests__/ingress-reconcile.test.ts

@@ -66,6 +66,13 @@ mock.module("../providers/registry.js", () => ({
   initializeProviders: () => {},
 }));
 
+// Mock token service — triggerGatewayReconcile now uses mintDaemonDeliveryToken
+// instead of readHttpToken for the Bearer token.
+let mintedToken: string | null = null;
+mock.module("../runtime/auth/token-service.js", () => ({
+  mintDaemonDeliveryToken: () => mintedToken ?? "test-delivery-token",
+}));
+
 import { handleIngressConfig } from "../daemon/handlers/config.js";
 import type { HandlerContext } from "../daemon/handlers/shared.js";
 import type {
@@ -121,6 +128,7 @@ describe("Ingress reconcile trigger in handleIngressConfig", () => {
   beforeEach(() => {
     rawConfigStore = {};
     httpTokenValue = null;
+    mintedToken = null;
     reconcileCalls = [];
     fetchShouldFail = false;
 
@@ -186,7 +194,7 @@ describe("Ingress reconcile trigger in handleIngressConfig", () => {
 
   // ── Token present/missing behavior ──────────────────────────────────────
 
-  test("skips reconcile trigger when no HTTP bearer token is available", async () => {
+  test("always triggers reconcile even when readHttpToken returns null (uses mintDaemonDeliveryToken)", async () => {
     httpTokenValue = null;
 
     const msg: IngressConfigRequest = {
@@ -206,12 +214,12 @@ describe("Ingress reconcile trigger in handleIngressConfig", () => {
     const res = sent[0] as { type: string; success: boolean };
     expect(res.success).toBe(true);
 
-    // No reconcile call should have been made
-    expect(reconcileCalls).toHaveLength(0);
+    // Reconcile is always triggered using mintDaemonDeliveryToken
+    expect(reconcileCalls).toHaveLength(1);
   });
 
-  test("triggers reconcile when HTTP bearer token is available", async () => {
-    httpTokenValue = "test-bearer-token";
+  test("triggers reconcile with mintDaemonDeliveryToken bearer token", async () => {
+    mintedToken = "test-bearer-token";
 
     const msg: IngressConfigRequest = {
       type: "ingress_config",

package/src/__tests__/mcp-cli.test.ts

@@ -144,7 +144,7 @@ describe("vellum mcp list", () => {
     expect(stdout).toContain("stdio");
     expect(stdout).toContain("npx -y some-mcp-server");
     expect(stdout).toContain("low");
-  });
+  }, 15_000);
 
   test("--json outputs valid JSON", () => {
     writeConfig({

package/src/__tests__/recording-intent-handler.test.ts

@@ -1,7 +1,12 @@
 import * as net from "node:net";
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
-mock.module("../config/env.js", () => ({ isHttpAuthDisabled: () => true }));
+const actualEnv = await import("../config/env.js");
+mock.module("../config/env.js", () => ({
+  ...actualEnv,
+  isHttpAuthDisabled: () => true,
+  isMonitoringEnabled: () => false,
+}));
 
 // ─── Mocks (must be before any imports that depend on them) ─────────────────
 
@@ -351,7 +356,9 @@ mock.module("../subagent/index.js", () => ({
 
 // ── Mock IPC protocol helpers ──────────────────────────────────────────────
 
+const actualIpcProtocol = await import("../daemon/ipc-protocol.js");
 mock.module("../daemon/ipc-protocol.js", () => ({
+  ...actualIpcProtocol,
   normalizeThreadType: (t: string) => t ?? "primary",
 }));
 
@@ -414,6 +421,7 @@ function createCtx(overrides?: Partial<HandlerContext>): {
     setAssistantId: noop,
     setChannelCapabilities: noop,
     setGuardianContext: noop,
+    setAuthContext: noop,
     setCommandIntent: noop,
     updateClient: noop,
     processMessage: async () => {},

package/src/__tests__/send-endpoint-busy.test.ts

@@ -108,6 +108,7 @@ function makeCompletingSession(): Session {
     setChannelCapabilities: () => {},
     setAssistantId: () => {},
     setGuardianContext: () => {},
+    setAuthContext: () => {},
     setCommandIntent: () => {},
     setTurnChannelContext: () => {},
     setTurnInterfaceContext: () => {},
@@ -160,6 +161,7 @@ function makeHangingSession(): Session {
     setChannelCapabilities: () => {},
     setAssistantId: () => {},
     setGuardianContext: () => {},
+    setAuthContext: () => {},
     setCommandIntent: () => {},
     setTurnChannelContext: () => {},
     setTurnInterfaceContext: () => {},
@@ -236,7 +238,11 @@ function makePendingApprovalSession(
     },
     setChannelCapabilities: () => {},
     setAssistantId: () => {},
-    setGuardianContext: () => {},
+    guardianContext: undefined as unknown,
+    setGuardianContext(this: { guardianContext: unknown }, ctx: unknown) {
+      this.guardianContext = ctx;
+    },
+    setAuthContext: () => {},
     setCommandIntent: () => {},
     setTurnChannelContext: () => {},
     setTurnInterfaceContext: () => {},
@@ -290,7 +296,7 @@ describe("POST /v1/messages — queue-if-busy and hub publishing", () => {
     createBinding({
       assistantId: "self",
       channel: "vellum",
-      guardianExternalUserId: "guardian-vellum",
+      guardianExternalUserId: "dev-bypass",
       guardianDeliveryChatId: "vellum",
       guardianPrincipalId: "test-principal-id",
     });

package/src/__tests__/sms-messaging-provider.test.ts

@@ -37,6 +37,10 @@ mock.module("../util/platform.js", () => ({
   readHttpToken: () => "runtime-token",
 }));
 
+mock.module("../runtime/auth/token-service.js", () => ({
+  mintDaemonDeliveryToken: () => "runtime-token",
+}));
+
 mock.module("../config/loader.js", () => ({
   loadConfig: () => configState,
 }));

package/src/__tests__/system-prompt.test.ts

@@ -72,6 +72,7 @@ const {
   ensurePromptFiles,
   stripCommentLines,
   buildExternalCommsIdentitySection,
+  buildPhoneCallsRoutingSection,
 } = await import("../config/system-prompt.js");
 
 /** Strip the Configuration and Skills sections so base-prompt tests stay focused. */
@@ -224,8 +225,23 @@ describe("buildSystemPrompt", () => {
     expect(section).toContain("Occasional variations are acceptable");
   });
 
-  test("includes memory persistence section in high tier", () => {
-    const result = buildSystemPrompt("high");
+  test("includes phone calls routing section", () => {
+    const result = buildSystemPrompt();
+    expect(result).toContain("## Routing: Phone Calls");
+    expect(result).toContain('skill: "phone-calls"');
+  });
+
+  test("buildPhoneCallsRoutingSection returns section with expected content", () => {
+    const section = buildPhoneCallsRoutingSection();
+    expect(section).toContain("## Routing: Phone Calls");
+    expect(section).toContain("Trigger phrases");
+    expect(section).toContain("Exclusivity rules");
+    expect(section).toContain("phone-calls");
+    expect(section).toContain("Do NOT improvise Twilio setup instructions");
+  });
+
+  test("includes memory persistence section", () => {
+    const result = buildSystemPrompt();
     expect(result).toContain("## Memory Persistence");
     expect(result).toContain("memory_save");
     expect(result).toContain("Saved > unsaved. Always.");

package/src/__tests__/tool-execution-abort-cleanup.test.ts

@@ -78,6 +78,7 @@ mock.module("../tools/network/script-proxy/index.js", () => ({
 }));
 
 mock.module("../util/platform.js", () => ({
+  getRootDir: () => "/tmp",
   getDataDir: () => "/tmp",
   getSocketPath: () => "/tmp/vellum.sock",
 }));