@vellumai/assistant 0.4.2 → 0.4.3

package/ARCHITECTURE.md

@@ -397,7 +397,7 @@ A complementary access-granting flow where the guardian proactively creates a sh
 | Channel | Status | Prerequisites |
 |---------|--------|--------------|
 | Telegram | Shipped | Bot username resolved from credential metadata or `TELEGRAM_BOT_USERNAME` env |
-| Voice | Shipped | Identity-bound voice code redemption via DTMF/speech in the relay state machine. Gated behind `feature_flags.voice-invite-redemption.enabled` (default OFF). |
+| Voice | Shipped | Identity-bound voice code redemption via DTMF/speech in the relay state machine. Always-on canonical behavior with personalized friend/guardian name prompts. |
 | SMS | Deferred | Needs a deep-link strategy compatible with SMS (short URL or web redemption page) |
 | Slack | Deferred | Needs DM-safe ingress — Socket Mode handles channel messages but DM-initiated invite flows need routing |
 
@@ -413,10 +413,10 @@ Voice invites use a short numeric code (4-10 digits, default 6) instead of a URL
 
 **Call-time redemption subflow (`invite_redemption_pending`):**
 1. Unknown caller dials in. `relay-server.ts` resolves trust via `resolveActorTrust`. Caller is `unknown`, no pending guardian challenge.
-2. If `feature_flags.voice-invite-redemption.enabled` is ON, the relay checks `findActiveVoiceInvites` for invites bound to the caller's phone number.
-3. If active, non-expired invites exist, the relay enters the `invite_redemption_pending` state (reuses the `verification_pending` connection state) and prompts the caller to enter their invite code via DTMF or speech.
+2. The relay checks `findActiveVoiceInvites` for invites bound to the caller's phone number.
+3. If active, non-expired invites exist, the relay enters the `invite_redemption_pending` state (reuses the `verification_pending` connection state) and prompts the caller with personalized copy: `Welcome <friend-name>. Please enter the 6-digit code that <guardian-name> provided you to verify your identity.`
 4. `redeemVoiceInviteCode` validates: identity match, code hash match, expiry, use count. On success, an active member record is upserted and the call transitions to the normal call flow.
-5. On failure, the caller gets up to 3 attempts. After max attempts, the call is terminated.
+5. On invalid/expired code, the caller hears deterministic failure copy: `Sorry, the code you provided is incorrect or has since expired. Please ask <guardian-name> for a new code. Goodbye.` and the call ends immediately.
 
 **Security invariants:**
 - The plaintext voice code is returned exactly once at creation time and never stored.
@@ -424,8 +424,6 @@ Voice invites use a short numeric code (4-10 digits, default 6) instead of a URL
 - Failure responses are intentionally generic (`invalid_or_expired`) to prevent oracle attacks.
 - Blocked members cannot bypass the guardian's explicit block via invite redemption.
 
-**Feature flag:** `feature_flags.voice-invite-redemption.enabled` (default OFF). When disabled, unknown callers with active voice invites are denied normally — the invite check is skipped entirely.
-
 **Key source files:**
 
 | File | Purpose |
@@ -439,10 +437,76 @@ Voice invites use a short numeric code (4-10 digits, default 6) instead of a URL
 | `src/runtime/ingress-service.ts` | Shared business logic for invite/member operations (used by both HTTP routes and IPC) |
 | `src/runtime/routes/ingress-routes.ts` | HTTP API handlers for member/invite management including voice invite creation and redemption |
 | `src/runtime/routes/inbound-message-handler.ts` | Invite token intercept in the inbound flow (non-member and inactive-member branches) |
-| `src/calls/relay-server.ts` | Voice relay state machine — `invite_redemption_pending` subflow, feature flag gate |
+| `src/calls/relay-server.ts` | Voice relay state machine — `invite_redemption_pending` subflow (always-on canonical behavior) |
 | `src/util/voice-code.ts` | Cryptographic voice code generation and SHA-256 hashing |
 | `src/memory/ingress-invite-store.ts` | Invite persistence including `findActiveVoiceInvites` for identity-bound lookup |
 
+### Voice Inbound Security Model (Canonical)
+
+The voice inbound security model determines how unknown callers are handled when they dial in. Three paths exist, evaluated in priority order by `relay-server.ts` during the `handleSetup` phase. All guardian decisions route through `applyCanonicalGuardianDecision` in the canonical guardian request system.
+
+**Decision tree for inbound unknown callers:**
+
+```
+Unknown caller dials in
+        |
+        v
+resolveActorTrust() → trustClass
+        |
+        ├── guardian / trusted_contact → normal call flow
+        ├── blocked → immediate denial + disconnect
+        ├── policy: deny → immediate denial + disconnect
+        ├── policy: escalate → denial (voice cannot hold for async approval)
+        |
+        └── unknown (no binding) ──┐
+                                   |
+              ┌────────────────────┼──────────────────────┐
+              |                    |                       |
+    pendingChallenge?     activeVoiceInvites?      no invite, no challenge
+              |                    |                       |
+              v                    v                       v
+    Guardian verification   Invite redemption     Name capture +
+    (DTMF/speech code)     (personalized code)   guardian approval wait
+```
+
+**Path 1: Voice invite code redemption (guardian-initiated)**
+
+The guardian proactively creates a voice invite bound to the caller's E.164 phone number. When the unknown caller dials in and has an active, non-expired invite, the relay enters the `invite_redemption_pending` subflow with personalized prompts using the friend's and guardian's names. This is always-on canonical behavior (no feature flag). See [Voice Invite Flow](#voice-invite-flow-invite_redemption_pending) above.
+
+**Path 2: Live in-call guardian approval (friend-initiated)**
+
+When no invite exists and no pending guardian challenge is active, the relay enters the name capture + guardian approval wait flow:
+
+1. The relay transitions to `awaiting_name` state and prompts the caller for their name with a timeout.
+2. On name capture, `notifyGuardianOfAccessRequest` creates a canonical guardian request (`kind: 'access_request'`) and notifies the guardian via the notification pipeline.
+3. The relay transitions to `awaiting_guardian_decision` and plays hold music/messaging while polling the canonical request status.
+4. The guardian approves or denies via any channel (Telegram, SMS, desktop). All decisions route through `applyCanonicalGuardianDecision`, which dispatches to the `access_request` resolver in `guardian-request-resolvers.ts`.
+5. On approval: the resolver directly activates the caller as a trusted contact (upserts member with `status: 'active'`, `policy: 'allow'`), the poll detects the approved status, the relay transitions to the normal call flow with the caller's guardian context updated.
+6. On denial or timeout: the caller hears a denial message and the call ends.
+
+**Path 3: Inbound guardian verification (pending challenge)**
+
+When a pending voice guardian challenge exists (`getPendingChallenge`), the caller enters the DTMF/speech verification flow to complete an outbound-initiated guardian binding. This path is for guardian identity verification, not trusted-contact access.
+
+**Canonical decision routing:**
+
+All guardian decisions for voice access requests flow through:
+- `applyCanonicalGuardianDecision` (canonical guardian request system)
+- `accessRequestResolver` in `guardian-request-resolvers.ts` (kind-specific resolver)
+- For voice approvals: direct trusted-contact activation (no verification session needed since the caller is already on the line)
+- For text-channel access requests: verification session creation with 6-digit code (existing `access-request-decision.ts` path for legacy `channel_guardian_approval_requests`)
+
+**Key source files:**
+
+| File | Purpose |
+|------|---------|
+| `src/calls/relay-server.ts` | Inbound call decision tree, name capture, guardian approval wait polling |
+| `src/runtime/access-request-helper.ts` | Creates canonical access request and notifies guardian |
+| `src/approvals/guardian-decision-primitive.ts` | `applyCanonicalGuardianDecision` — unified decision primitive |
+| `src/approvals/guardian-request-resolvers.ts` | `access_request` resolver — voice direct activation, text-channel verification session |
+| `src/runtime/actor-trust-resolver.ts` | `resolveActorTrust` — caller trust classification |
+| `src/memory/canonical-guardian-store.ts` | Canonical request persistence and CAS resolution |
+
 ### Update Bulletin System
 
 Release-driven update notification system that surfaces release notes to the assistant via the system prompt.
@@ -1954,3 +2018,16 @@ Key files: `src/tools/sensitive-output-placeholders.ts`, `src/tools/executor.ts`
 ### Notifications
 
 For full notification developer guidance and lifecycle details, see [`assistant/src/notifications/README.md`](src/notifications/README.md).
+
+### Assistant Identity Boundary
+
+The daemon uses a single fixed internal scope constant — `DAEMON_INTERNAL_ASSISTANT_ID` (`'self'`), exported from `src/runtime/assistant-scope.ts` — for all assistant-scoped storage and routing within the daemon process. Public/external assistant IDs (e.g., those assigned during hatch, invite links, or platform registration) are an **edge concern** owned by the gateway and platform layers.
+
+**Boundary rule:** Daemon code must never derive internal scoping decisions from externally-provided assistant IDs. When a daemon path needs an assistant scope and none is provided, it defaults to `DAEMON_INTERNAL_ASSISTANT_ID`. The gateway is responsible for mapping public assistant IDs to internal routing before forwarding requests to the daemon.
+
+**Key files:**
+
+| File | Purpose |
+|------|---------|
+| `src/runtime/assistant-scope.ts` | Exports `DAEMON_INTERNAL_ASSISTANT_ID` constant |
+| `src/__tests__/assistant-id-boundary-guard.test.ts` | Guard tests enforcing the identity boundary |

package/docs/trusted-contact-access.md

@@ -112,6 +112,26 @@ The `assistant_ingress_invites` table supports a parallel invite-based onboardin
 |-------|--------------------------------|
 | `assistant_ingress_invites` | Not used in the guardian-mediated flow. Available as an alternative for direct invite links (e.g., guardian shares a URL instead of going through the approval + verification flow). |
 
+### Voice In-Call Guardian Approval (friend-initiated)
+
+Voice calls have a dedicated in-call guardian approval flow that differs from the text-channel flow. Since the caller is actively on the line, the voice flow captures the caller's name, creates a canonical access request, and holds the call while awaiting the guardian's decision.
+
+**Flow:**
+1. Unknown caller dials in. `relay-server.ts` resolves trust — caller is `unknown`, no pending challenge, no active invite.
+2. Relay enters `awaiting_name` state and prompts the caller for their name (with a timeout).
+3. On name capture, `notifyGuardianOfAccessRequest` creates a canonical guardian request (`kind: 'access_request'`) and notifies the guardian.
+4. Relay transitions to `awaiting_guardian_decision` and polls `canonical_guardian_requests` for status changes.
+5. Guardian approves or denies via any channel. All decisions route through `applyCanonicalGuardianDecision`.
+6. On approval: the `access_request` resolver directly activates the caller as a trusted contact (`upsertMember` with `status: 'active'`, `policy: 'allow'`) — no verification session needed since the caller is already authenticated by their phone number.
+7. On denial or timeout: the caller hears a denial message and the call ends.
+
+**Key difference from text-channel flow:** Voice approvals skip the verification session step because the caller's phone identity is already known from the active call. Text-channel approvals still mint a 6-digit verification code for out-of-band identity confirmation.
+
+| Store | Table | Record |
+|-------|-------|--------|
+| `canonical-guardian-store.ts` | `canonical_guardian_requests` | `kind: 'access_request'`, `status: 'pending'` -> `'approved'` or `'denied'` |
+| `ingress-member-store.ts` | `assistant_ingress_members` | On approval: upserted with `status: 'active'`, `policy: 'allow'` |
+
 ## Sequence Diagram
 
 ```mermaid

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"

package/src/__tests__/access-request-decision.test.ts

@@ -31,7 +31,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 

package/src/__tests__/assistant-id-boundary-guard.test.ts

@@ -0,0 +1,290 @@
+import { execFileSync } from 'node:child_process';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+import { describe, expect, test } from 'bun:test';
+
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
+
+/**
+ * Guard tests for the assistant identity boundary.
+ *
+ * The daemon uses a fixed internal scope constant (`DAEMON_INTERNAL_ASSISTANT_ID`)
+ * for all assistant-scoped storage. Public assistant IDs are an edge concern
+ * handled by the gateway/platform layer — they must not leak into daemon
+ * scoping logic.
+ *
+ * These tests prevent regressions by scanning source files for banned patterns:
+ *  - No `normalizeAssistantId` usage in daemon/runtime scoping modules
+ *  - No assistant-scoped route handlers in the daemon HTTP server
+ *  - No hardcoded `'self'` string for assistant scoping (use the constant)
+ *  - The constant itself equals `'self'`
+ */
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Resolve repo root (tests run from assistant/). */
+function getRepoRoot(): string {
+  return join(process.cwd(), '..');
+}
+
+/**
+ * Directories containing daemon/runtime source files that must not reference
+ * `normalizeAssistantId` or hardcode assistant scope strings.
+ *
+ * Each directory gets both a `*.ts` glob (top-level files) and a `**\/*.ts`
+ * glob (nested files) so that `git grep` matches at all directory depths.
+ */
+const SCANNED_DIRS = [
+  'assistant/src/runtime',
+  'assistant/src/daemon',
+  'assistant/src/memory',
+  'assistant/src/approvals',
+  'assistant/src/calls',
+  'assistant/src/tools',
+];
+
+const SCANNED_DIR_GLOBS = SCANNED_DIRS.flatMap((dir) => [`${dir}/*.ts`, `${dir}/**/*.ts`]);
+
+function isTestFile(filePath: string): boolean {
+  return (
+    filePath.includes('/__tests__/') ||
+    filePath.endsWith('.test.ts') ||
+    filePath.endsWith('.test.js') ||
+    filePath.endsWith('.spec.ts') ||
+    filePath.endsWith('.spec.js')
+  );
+}
+
+function isMigrationFile(filePath: string): boolean {
+  return filePath.includes('/migrations/');
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('assistant ID boundary', () => {
+  // -------------------------------------------------------------------------
+  // Rule (d): The DAEMON_INTERNAL_ASSISTANT_ID constant equals 'self'
+  // -------------------------------------------------------------------------
+
+  test('DAEMON_INTERNAL_ASSISTANT_ID equals "self"', () => {
+    expect(DAEMON_INTERNAL_ASSISTANT_ID).toBe('self');
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (a): No normalizeAssistantId in daemon scoping paths — spot check
+  // -------------------------------------------------------------------------
+
+  test('no normalizeAssistantId imports in daemon scoping paths', () => {
+    // Key daemon/runtime files that previously used normalizeAssistantId
+    // should now use DAEMON_INTERNAL_ASSISTANT_ID instead.
+    const daemonScopingFiles = [
+      'runtime/actor-trust-resolver.ts',
+      'runtime/guardian-outbound-actions.ts',
+      'daemon/handlers/config-channels.ts',
+      'runtime/routes/channel-route-shared.ts',
+      'calls/relay-server.ts',
+    ];
+
+    const srcDir = join(import.meta.dir, '..');
+    for (const relPath of daemonScopingFiles) {
+      const content = readFileSync(join(srcDir, relPath), 'utf-8');
+      expect(content).not.toContain("import { normalizeAssistantId }");
+      expect(content).not.toContain("import { normalizeAssistantId,");
+      expect(content).not.toContain("normalizeAssistantId(");
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (a): No normalizeAssistantId in daemon/runtime directories — broad scan
+  // -------------------------------------------------------------------------
+
+  test('no normalizeAssistantId usage across daemon/runtime source directories', () => {
+    const repoRoot = getRepoRoot();
+
+    // Scan all daemon/runtime source directories for any reference to
+    // normalizeAssistantId. The function is defined in util/platform.ts for
+    // gateway use — it must not appear in daemon scoping modules.
+    let grepOutput = '';
+    try {
+      grepOutput = execFileSync(
+        'git',
+        ['grep', '-lE', 'normalizeAssistantId', '--', ...SCANNED_DIR_GLOBS],
+        { encoding: 'utf-8', cwd: repoRoot },
+      ).trim();
+    } catch (err) {
+      // Exit code 1 means no matches — happy path
+      if ((err as { status?: number }).status === 1) {
+        return;
+      }
+      throw err;
+    }
+
+    const files = grepOutput.split('\n').filter((f) => f.length > 0);
+    const violations = files.filter((f) => !isTestFile(f));
+
+    if (violations.length > 0) {
+      const message = [
+        'Found daemon/runtime source files that reference `normalizeAssistantId`.',
+        'Daemon code should use the `DAEMON_INTERNAL_ASSISTANT_ID` constant instead.',
+        'The `normalizeAssistantId` function is for gateway/platform use only (defined in util/platform.ts).',
+        '',
+        'Violations:',
+        ...violations.map((f) => `  - ${f}`),
+      ].join('\n');
+
+      expect(violations, message).toEqual([]);
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (b): No assistant-scoped route registration in daemon HTTP server
+  // -------------------------------------------------------------------------
+
+  test('no /v1/assistants/:assistantId/ route handler registration in daemon HTTP server', () => {
+    const httpServerPath = join(import.meta.dir, '..', 'runtime', 'http-server.ts');
+    const content = readFileSync(httpServerPath, 'utf-8');
+
+    // The daemon HTTP server must not contain any assistant-scoped route
+    // patterns. All routes use flat /v1/<endpoint> paths; the gateway handles
+    // legacy assistant-scoped URL rewriting in its runtime proxy layer.
+
+    // Check that there's no regex extracting assistantId from a /v1/assistants/ path.
+    // Match both literal slashes (/v1/assistants/([) and escaped slashes in regex
+    // literals (\/v1\/assistants\/([) so we catch patterns like:
+    //   endpoint.match(/^\/v1\/assistants\/([^/]+)\/(.+)$/)
+    const routeHandlerRegex = /\\?\/v1\\?\/assistants\\?\/\(\[/;
+    const match = content.match(routeHandlerRegex);
+    expect(
+      match,
+      'Found a route pattern matching /v1/assistants/([^/]+)/... that extracts an assistantId. ' +
+        'The daemon HTTP server should not have assistant-scoped route handlers — ' +
+        'use flat /v1/<endpoint> paths instead.',
+    ).toBeNull();
+
+    // Scan the entire file for assistant-scoped path literals. No references
+    // to /v1/assistants/ should exist — the daemon uses flat paths only.
+    const lines = content.split('\n');
+    const violations: string[] = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      // Match both literal /v1/assistants/ and escaped \/v1\/assistants\/
+      if (line.includes('/v1/assistants/') || line.includes('\\/v1\\/assistants\\/')) {
+        violations.push(`  line ${i + 1}: ${line.trim()}`);
+      }
+    }
+
+    expect(
+      violations,
+      'Found /v1/assistants/ references in the daemon HTTP server — ' +
+        'the daemon should not have assistant-scoped path literals.\n' +
+        violations.join('\n'),
+    ).toEqual([]);
+
+    // Guard against prefix-less assistants/ route patterns that extract an
+    // assistantId.  dispatchEndpoint receives the endpoint *after* the /v1/
+    // prefix has been stripped, so a regex like `assistants\/([^/]+)` would
+    // capture an external assistant ID from the path — violating the
+    // assistant-scoping boundary.
+    const prefixLessViolations: string[] = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      // Match regex patterns like assistants\/([^/]+) that capture the ID
+      // segment.  We look for the escaped-slash form used inside JS regex
+      // literals (e.g. /^assistants\/([^/]+)\//).
+      if (/assistants\\\/\(\[/.test(line)) {
+        prefixLessViolations.push(`  line ${i + 1}: ${line.trim()}`);
+      }
+    }
+
+    expect(
+      prefixLessViolations,
+      'Found prefix-less assistants/([^/]+) route pattern that extracts an assistantId. ' +
+        'The daemon should not parse assistant IDs from URL paths — use ' +
+        'DAEMON_INTERNAL_ASSISTANT_ID instead.\n' +
+        prefixLessViolations.join('\n'),
+    ).toEqual([]);
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (c): No hardcoded 'self' for assistant scoping in daemon files
+  // -------------------------------------------------------------------------
+
+  test('no hardcoded \'self\' string for assistant scoping in daemon source files', () => {
+    const repoRoot = getRepoRoot();
+
+    // Search for patterns where 'self' is used as an assistant ID value.
+    // We look for assignment / default / comparison patterns that suggest
+    // using the raw string instead of the DAEMON_INTERNAL_ASSISTANT_ID constant.
+    //
+    // Patterns matched:
+    //   assistantId: 'self'
+    //   assistantId = 'self'
+    //   assistantId ?? 'self'
+    //   ?? 'self'   (fallback to self)
+    //   || 'self'   (fallback to self)
+    //
+    // Excluded:
+    //   - Test files (they may legitimately assert against the value)
+    //   - Migration files (SQL literals like DEFAULT 'self' are fine)
+    //   - IPC contract files (comments documenting default values are fine)
+    //   - CSP headers ('self' in Content-Security-Policy has nothing to do with assistant IDs)
+    const pattern = `(assistantId|assistant_id).*['"]self['"]`;
+
+    let grepOutput = '';
+    try {
+      grepOutput = execFileSync(
+        'git',
+        ['grep', '-nE', pattern, '--', ...SCANNED_DIR_GLOBS],
+        { encoding: 'utf-8', cwd: repoRoot },
+      ).trim();
+    } catch (err) {
+      // Exit code 1 means no matches — happy path
+      if ((err as { status?: number }).status === 1) {
+        return;
+      }
+      throw err;
+    }
+
+    const lines = grepOutput.split('\n').filter((l) => l.length > 0);
+    const violations = lines.filter((line) => {
+      const filePath = line.split(':')[0];
+      if (isTestFile(filePath)) return false;
+      if (isMigrationFile(filePath)) return false;
+
+      // Allow comments (lines where the code portion starts with //)
+      const parts = line.split(':');
+      // parts[0] = file, parts[1] = line number, rest = content
+      const content = parts.slice(2).join(':').trim();
+      if (content.startsWith('//') || content.startsWith('*') || content.startsWith('/*')) {
+        return false;
+      }
+
+      return true;
+    });
+
+    if (violations.length > 0) {
+      const message = [
+        "Found daemon/runtime source files with hardcoded 'self' for assistant scoping.",
+        'Use the `DAEMON_INTERNAL_ASSISTANT_ID` constant from `runtime/assistant-scope.ts` instead.',
+        '',
+        'Violations:',
+        ...violations.map((v) => `  - ${v}`),
+      ].join('\n');
+
+      expect(violations, message).toEqual([]);
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (d): Daemon storage keys don't contain external assistant IDs
+  // (verified by the constant value test above — if the constant is 'self',
+  // all daemon storage keyed by DAEMON_INTERNAL_ASSISTANT_ID uses the fixed
+  // internal value rather than externally-provided IDs).
+  // -------------------------------------------------------------------------
+});

package/src/__tests__/call-routes-http.test.ts

@@ -177,10 +177,6 @@ describe('runtime call routes — HTTP layer', () => {
     return `http://127.0.0.1:${port}/v1/calls${path}`;
   }
 
-  function assistantCallsUrl(assistantId: string, path = ''): string {
-    return `http://127.0.0.1:${port}/v1/assistants/${assistantId}/calls${path}`;
-  }
-
   // ── POST /v1/calls/start ────────────────────────────────────────────
 
   test('POST /v1/calls/start returns 201 with call session', async () => {
@@ -235,27 +231,6 @@ describe('runtime call routes — HTTP layer', () => {
     await stopServer();
   });
 
-  test('POST /v1/assistants/:assistantId/calls/start uses assistant-scoped caller number', async () => {
-    await startServer();
-    ensureConversation('conv-start-scoped-1');
-
-    const res = await fetch(assistantCallsUrl('asst-alpha', '/start'), {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', ...AUTH_HEADERS },
-      body: JSON.stringify({
-        phoneNumber: '+15559997777',
-        task: 'Check order status',
-        conversationId: 'conv-start-scoped-1',
-      }),
-    });
-
-    expect(res.status).toBe(201);
-    const body = await res.json() as { fromNumber: string };
-    expect(body.fromNumber).toBe('+15550009999');
-
-    await stopServer();
-  });
-
   test('POST /v1/calls/start returns 400 for invalid phone number', async () => {
     await startServer();
     ensureConversation('conv-start-2');

package/src/__tests__/channel-guardian.test.ts

@@ -22,7 +22,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 
@@ -1458,9 +1457,11 @@ describe('IPC handler channel-aware guardian status', () => {
     expect(resp!.channel).toBe('sms');
   });
 
-  test('status action with custom assistantId returns correct value', () => {
+  test('status action with custom assistantId is ignored (daemon uses internal scope)', () => {
+    // Create binding under the internal scope constant — the handler always
+    // uses DAEMON_INTERNAL_ASSISTANT_ID regardless of what the caller passes.
     createBinding({
-      assistantId: 'asst-custom',
+      assistantId: 'self',
       channel: 'telegram',
       guardianExternalUserId: 'user-77',
       guardianDeliveryChatId: 'chat-77',
@@ -1471,7 +1472,7 @@ describe('IPC handler channel-aware guardian status', () => {
       type: 'guardian_verification',
       action: 'status',
       channel: 'telegram',
-      assistantId: 'asst-custom',
+      assistantId: 'asst-custom',  // ignored by handler
     };
 
     handleGuardianVerification(msg, mockSocket, ctx);
@@ -1480,7 +1481,7 @@ describe('IPC handler channel-aware guardian status', () => {
     expect(resp).not.toBeNull();
     expect(resp!.success).toBe(true);
     expect(resp!.bound).toBe(true);
-    expect(resp!.assistantId).toBe('asst-custom');
+    expect(resp!.assistantId).toBe('self');
     expect(resp!.channel).toBe('telegram');
     expect(resp!.guardianExternalUserId).toBe('user-77');
     expect(resp!.guardianDeliveryChatId).toBe('chat-77');

package/src/__tests__/config-schema.test.ts

@@ -581,6 +581,8 @@ describe('AssistantConfigSchema', () => {
       provider: 'twilio',
       maxDurationSeconds: 3600,
       userConsultTimeoutSeconds: 120,
+      ttsPlaybackDelayMs: 3000,
+      accessRequestPollIntervalMs: 500,
       disclosure: {
         enabled: true,
         text: 'At the very beginning of the call, introduce yourself as an assistant calling on behalf of the person you represent. Do not say "AI assistant".',

package/src/__tests__/deterministic-verification-control-plane.test.ts

@@ -32,7 +32,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 

package/src/__tests__/guardian-actions-endpoint.test.ts

@@ -262,6 +262,27 @@ describe('HTTP handleGuardianActionDecision', () => {
     expect(mockApplyCanonicalGuardianDecision).toHaveBeenCalledTimes(1);
   });
 
+  test('applies decision for voice access_request kind through canonical primitive', async () => {
+    createTestCanonicalRequest({
+      conversationId: 'conv-voice-access',
+      requestId: 'req-voice-access-1',
+      kind: 'access_request',
+      toolName: 'ingress_access_request',
+      guardianExternalUserId: 'guardian-voice-42',
+    });
+    mockApplyCanonicalGuardianDecision.mockResolvedValueOnce({ applied: true, requestId: 'req-voice-access-1', grantMinted: false });
+
+    const req = new Request('http://localhost/v1/guardian-actions/decision', {
+      method: 'POST',
+      body: JSON.stringify({ requestId: 'req-voice-access-1', action: 'approve_once' }),
+    });
+    const res = await handleGuardianActionDecision(req);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.applied).toBe(true);
+    expect(mockApplyCanonicalGuardianDecision).toHaveBeenCalledTimes(1);
+  });
+
   test('returns stale reason from canonical decision primitive', async () => {
     createTestCanonicalRequest({ conversationId: 'conv-stale', requestId: 'req-stale-1' });
     mockApplyCanonicalGuardianDecision.mockResolvedValueOnce({ applied: false, reason: 'already_resolved' });

package/src/__tests__/guardian-outbound-http.test.ts

@@ -35,7 +35,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 

package/src/__tests__/inbound-invite-redemption.test.ts

@@ -28,7 +28,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));