@vellumai/assistant 0.4.2 → 0.4.4

package/src/runtime/routes/brain-graph-routes.ts

@@ -0,0 +1,222 @@
+/**
+ * Route handlers for the brain graph visualization endpoint.
+ *
+ * Queries the memory database to return a knowledge graph shaped for brain-lobe
+ * visualization, with entities mapped to brain regions based on their type.
+ */
+
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+import { count } from 'drizzle-orm';
+
+import { getDb } from '../../memory/db.js';
+import { memoryEntities, memoryEntityRelations, memoryItems } from '../../memory/schema.js';
+import { resolveBundledDir } from '../../util/bundled-asset.js';
+
+function getLobeRegion(entityType: string): string {
+  switch (entityType) {
+    case 'person':
+    case 'organization':
+      return 'right-social';
+    case 'project':
+    case 'company':
+      return 'left-planning';
+    case 'tool':
+      return 'left-technical';
+    case 'concept':
+      return 'right-creative';
+    case 'location':
+      return 'right-spatial';
+    default:
+      return 'center';
+  }
+}
+
+function getEntityColor(entityType: string): string {
+  switch (entityType) {
+    case 'person':
+      return '#22c55e';
+    case 'project':
+      return '#f97316';
+    case 'tool':
+      return '#06b6d4';
+    case 'company':
+      return '#a855f7';
+    case 'organization':
+      return '#a855f7';
+    case 'concept':
+      return '#eab308';
+    case 'location':
+      return '#14b8a6';
+    default:
+      return '#94a3b8';
+  }
+}
+
+function getMemoryKindColor(kind: string): string {
+  switch (kind) {
+    case 'profile':
+      return '#8b5cf6';
+    case 'preference':
+      return '#3b82f6';
+    case 'constraint':
+      return '#ef4444';
+    case 'instruction':
+      return '#f59e0b';
+    case 'style':
+      return '#ec4899';
+    default:
+      return '#94a3b8';
+  }
+}
+
+export function handleGetBrainGraph(): Response {
+  try {
+    const db = getDb();
+
+    const entityRows = db
+      .select({
+        id: memoryEntities.id,
+        name: memoryEntities.name,
+        type: memoryEntities.type,
+        mentionCount: memoryEntities.mentionCount,
+        firstSeenAt: memoryEntities.firstSeenAt,
+        lastSeenAt: memoryEntities.lastSeenAt,
+      })
+      .from(memoryEntities)
+      .all();
+
+    const relationRows = db
+      .select({
+        sourceEntityId: memoryEntityRelations.sourceEntityId,
+        targetEntityId: memoryEntityRelations.targetEntityId,
+        relation: memoryEntityRelations.relation,
+      })
+      .from(memoryEntityRelations)
+      .all();
+
+    const kindCountRows = db
+      .select({
+        kind: memoryItems.kind,
+        count: count(),
+      })
+      .from(memoryItems)
+      .groupBy(memoryItems.kind)
+      .all();
+
+    const entities = entityRows.map((entity) => ({
+      id: entity.id,
+      name: entity.name,
+      type: entity.type,
+      lobeRegion: getLobeRegion(entity.type),
+      color: getEntityColor(entity.type),
+      mentionCount: entity.mentionCount,
+      firstSeenAt: entity.firstSeenAt,
+      lastSeenAt: entity.lastSeenAt,
+    }));
+
+    const relations = relationRows.map((rel) => ({
+      sourceId: rel.sourceEntityId,
+      targetId: rel.targetEntityId,
+      relation: rel.relation,
+    }));
+
+    const memorySummary = kindCountRows.map((row) => ({
+      kind: row.kind,
+      count: row.count,
+      color: getMemoryKindColor(row.kind),
+    }));
+
+    const totalKnowledgeCount = memorySummary.reduce((sum, entry) => sum + entry.count, 0);
+
+    return Response.json({
+      entities,
+      relations,
+      memorySummary,
+      totalKnowledgeCount,
+      generatedAt: new Date().toISOString(),
+    });
+  } catch (err) {
+    return Response.json(
+      { error: 'Failed to generate brain graph', detail: err instanceof Error ? err.message : String(err) },
+      { status: 500 },
+    );
+  }
+}
+
+export function handleServeHomeBaseUI(bearerToken?: string): Response {
+  try {
+    const prebuiltDir = resolveBundledDir(
+      import.meta.dirname ?? __dirname,
+      '../../home-base/prebuilt',
+      'prebuilt',
+    );
+    let html = readFileSync(join(prebuiltDir, 'index.html'), 'utf-8');
+    if (bearerToken) {
+      const escapedToken = bearerToken
+        .replace(/&/g, '&')
+        .replace(/"/g, '"')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+      html = html.replace(
+        '</head>',
+        `  <meta name="api-token" content="${escapedToken}">\n</head>`,
+      );
+    }
+    return new Response(html, {
+      headers: { 'Content-Type': 'text/html; charset=utf-8' },
+    });
+  } catch (err) {
+    return Response.json(
+      { error: 'Home Base UI not available', detail: err instanceof Error ? err.message : String(err) },
+      { status: 500 },
+    );
+  }
+}
+
+export function handleServeBrainGraphUI(bearerToken?: string): Response {
+  try {
+    const prebuiltDir = resolveBundledDir(
+      import.meta.dirname ?? __dirname,
+      '../../home-base/prebuilt',
+      'prebuilt',
+    );
+    let html = readFileSync(join(prebuiltDir, 'brain-graph.html'), 'utf-8');
+    if (bearerToken) {
+      // Inject token as a meta tag for client-side fetch authentication.
+      // HTML-escape the token value to guard against injection if the token
+      // comes from an environment variable with special characters.
+      const escapedToken = bearerToken
+        .replace(/&/g, '&amp;')
+        .replace(/"/g, '&quot;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+      html = html.replace(
+        '</head>',
+        `  <meta name="api-token" content="${escapedToken}">\n</head>`,
+      );
+    }
+    // CSP permits the CDN sources required by D3.js and Three.js.
+    // 'unsafe-eval' is needed by Three.js's shader compilation path.
+    const csp = [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://d3js.org",
+      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+      "font-src 'self' https://fonts.gstatic.com",
+      "connect-src 'self'",
+      "img-src 'self' data:",
+    ].join('; ');
+    return new Response(html, {
+      headers: {
+        'Content-Type': 'text/html; charset=utf-8',
+        'Content-Security-Policy': csp,
+      },
+    });
+  } catch (err) {
+    return Response.json(
+      { error: 'Brain graph UI not available', detail: err instanceof Error ? err.message : String(err) },
+      { status: 500 },
+    );
+  }
+}

package/src/runtime/routes/call-routes.ts

@@ -11,6 +11,7 @@
 import { answerCall, cancelCall, getCallStatus, relayInstruction,startCall } from '../../calls/call-domain.js';
 import { getConfig } from '../../config/loader.js';
 import { VALID_CALLER_IDENTITY_MODES } from '../../config/schema.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
 import { httpError, httpErrorCodeFromStatus } from '../http-errors.js';
 
 // ── Idempotency cache ─────────────────────────────────────────────────────────
@@ -41,7 +42,7 @@ function pruneIdempotencyCache(): void {
  * Optional `idempotencyKey`: if supplied, duplicate requests with the same key
  * within 5 minutes return the cached 201 response without starting a second call.
  */
-export async function handleStartCall(req: Request, assistantId: string = 'self'): Promise<Response> {
+export async function handleStartCall(req: Request, assistantId: string = DAEMON_INTERNAL_ASSISTANT_ID): Promise<Response> {
   if (!getConfig().calls.enabled) {
     return httpError('FORBIDDEN', 'Calls feature is disabled via configuration. Set calls.enabled to true to use this feature.', 403);
   }

package/src/runtime/routes/channel-readiness-routes.ts

@@ -0,0 +1,71 @@
+/**
+ * Route handlers for channel readiness endpoints.
+ *
+ * GET   /v1/channels/readiness          — get channel readiness snapshots
+ * POST  /v1/channels/readiness/refresh  — invalidate cache and refresh readiness
+ */
+
+import type { ChannelId } from '../../channels/types.js';
+import { getReadinessService } from '../../daemon/handlers/config-channels.js';
+
+/**
+ * GET /v1/channels/readiness
+ *
+ * Query params: channel? (optional ChannelId), includeRemote? (optional boolean)
+ */
+export async function handleGetChannelReadiness(url: URL): Promise<Response> {
+  const channel = (url.searchParams.get('channel') as ChannelId | null) ?? undefined;
+  const includeRemote = url.searchParams.get('includeRemote') === 'true';
+
+  const service = getReadinessService();
+  const snapshots = await service.getReadiness(channel, includeRemote);
+
+  return Response.json({
+    success: true,
+    snapshots: snapshots.map((s) => ({
+      channel: s.channel,
+      ready: s.ready,
+      checkedAt: s.checkedAt,
+      stale: s.stale,
+      reasons: s.reasons,
+      localChecks: s.localChecks,
+      remoteChecks: s.remoteChecks,
+    })),
+  });
+}
+
+/**
+ * POST /v1/channels/readiness/refresh
+ *
+ * Body: { channel?: ChannelId, includeRemote?: boolean }
+ */
+export async function handleRefreshChannelReadiness(req: Request): Promise<Response> {
+  const body = (await req.json().catch(() => ({}))) as {
+    channel?: ChannelId;
+    includeRemote?: boolean;
+  };
+
+  const service = getReadinessService();
+
+  // Invalidate cache before fetching
+  if (body.channel) {
+    service.invalidateChannel(body.channel);
+  } else {
+    service.invalidateAll();
+  }
+
+  const snapshots = await service.getReadiness(body.channel, body.includeRemote);
+
+  return Response.json({
+    success: true,
+    snapshots: snapshots.map((s) => ({
+      channel: s.channel,
+      ready: s.ready,
+      checkedAt: s.checkedAt,
+      stale: s.stale,
+      reasons: s.reasons,
+      localChecks: s.localChecks,
+      remoteChecks: s.remoteChecks,
+    })),
+  });
+}

package/src/runtime/routes/channel-route-shared.ts

@@ -4,7 +4,7 @@
 import { timingSafeEqual } from 'node:crypto';
 
 import type { ChannelId } from '../../channels/types.js';
-import { normalizeAssistantId } from '../../util/platform.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
 import type {
   ApprovalAction,
   ApprovalDecisionResult,
@@ -15,8 +15,8 @@ export type { ActorTrustClass, DenialReason, GuardianContext } from '../guardian
 export { toGuardianRuntimeContext } from '../guardian-context-resolver.js';
 
 /** Canonicalize assistantId for channel ingress paths. */
-export function canonicalChannelAssistantId(assistantId: string): string {
-  return normalizeAssistantId(assistantId);
+export function canonicalChannelAssistantId(_assistantId: string): string {
+  return DAEMON_INTERNAL_ASSISTANT_ID;
 }
 
 // ---------------------------------------------------------------------------

package/src/runtime/routes/conversation-attention-routes.ts

@@ -10,6 +10,7 @@ import {
 } from '../../memory/conversation-attention-store.js';
 import * as conversationStore from '../../memory/conversation-store.js';
 import { truncate } from '../../util/truncate.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
 import { httpError } from '../http-errors.js';
 
 export function handleListConversationAttention(url: URL): Response {
@@ -27,7 +28,7 @@ export function handleListConversationAttention(url: URL): Response {
   }
 
   const attentionStates = listConversationAttention({
-    assistantId: 'self',
+    assistantId: DAEMON_INTERNAL_ASSISTANT_ID,
     state: stateParam as AttentionFilterState,
     sourceChannel: channel,
     source: sourceParam !== 'all' ? sourceParam : undefined,

package/src/runtime/routes/conversation-routes.ts

@@ -24,6 +24,8 @@ import { getConfiguredProvider } from '../../providers/provider-send-message.js'
 import type { Provider } from '../../providers/types.js';
 import { getLogger } from '../../util/logger.js';
 import { buildAssistantEvent } from '../assistant-event.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
+import { bridgeConfirmationRequestToGuardian } from '../confirmation-request-guardian-bridge.js';
 import { routeGuardianReply } from '../guardian-reply-router.js';
 import { httpError } from '../http-errors.js';
 import type {
@@ -34,48 +36,41 @@ import type {
   RuntimeMessagePayload,
   SendMessageDeps,
 } from '../http-types.js';
+import { resolveLocalIpcGuardianContext } from '../local-actor-identity.js';
+import { type ServerWithRequestIP, verifyHttpActorTokenWithLocalFallback } from '../middleware/actor-token.js';
 import * as pendingInteractions from '../pending-interactions.js';
 
 const log = getLogger('conversation-routes');
 
 const SUGGESTION_CACHE_MAX = 100;
 
-function collectLivePendingConfirmationRequestIds(
+function collectCanonicalGuardianRequestHintIds(
   conversationId: string,
   sourceChannel: string,
   session: import('../../daemon/session.js').Session,
 ): string[] {
-  const pendingInteractionRequestIds = pendingInteractions
-    .getByConversation(conversationId)
-    .filter(
-      (interaction) =>
-        interaction.kind === 'confirmation'
-        && interaction.session === session
-        && session.hasPendingConfirmation(interaction.requestId),
-    )
-    .map((interaction) => interaction.requestId);
-
-  // Query both by destination conversation (via deliveries table) and by
-  // source conversation (direct field). For desktop/HTTP sessions these
-  // often overlap, but the Set dedup below handles that.
-  const pendingCanonicalRequestIds = [
+  const requests = [
     ...listPendingCanonicalGuardianRequestsByDestinationConversation(conversationId, sourceChannel)
-      .filter((request) => request.kind === 'tool_approval')
-      .map((request) => request.id),
+      .map((request) => ({ id: request.id, kind: request.kind })),
     ...listCanonicalGuardianRequests({
       status: 'pending',
       conversationId,
-      kind: 'tool_approval',
-    }).map((request) => request.id),
-  ].filter((requestId) => session.hasPendingConfirmation(requestId));
-
-  return Array.from(new Set([
-    ...pendingInteractionRequestIds,
-    ...pendingCanonicalRequestIds,
-  ]));
+    }).map((request) => ({ id: request.id, kind: request.kind })),
+  ];
+
+  const deduped = new Map<string, string>();
+  for (const request of requests) {
+    if (!deduped.has(request.id)) {
+      deduped.set(request.id, request.kind ?? '');
+    }
+  }
+
+  return Array.from(deduped.entries())
+    .filter(([requestId, kind]) => kind !== 'tool_approval' || session.hasPendingConfirmation(requestId))
+    .map(([requestId]) => requestId);
 }
 
-async function tryConsumeInlineApprovalReply(params: {
+async function tryConsumeCanonicalGuardianReply(params: {
   conversationId: string;
   sourceChannel: string;
   sourceInterface: string;
@@ -89,6 +84,8 @@ async function tryConsumeInlineApprovalReply(params: {
   session: import('../../daemon/session.js').Session;
   onEvent: (msg: ServerMessage) => void;
   approvalConversationGenerator?: ApprovalConversationGenerator;
+  /** Verified actor identity from actor-token middleware. */
+  verifiedActorExternalUserId?: string;
 }): Promise<{ consumed: boolean; messageId?: string }> {
   const {
     conversationId,
@@ -99,42 +96,57 @@ async function tryConsumeInlineApprovalReply(params: {
     session,
     onEvent,
     approvalConversationGenerator,
+    verifiedActorExternalUserId,
   } = params;
   const trimmedContent = content.trim();
 
-  // Try inline approval interception whenever a pending confirmation exists.
-  // We intentionally do not block on queue depth: after an auto-deny, users
-  // often retry with "approve"/"yes" while the queue is still draining, and
-  // requiring an empty queue can create a deny/retry cascade.
-  if (
-    !session.hasAnyPendingConfirmation()
-    || trimmedContent.length === 0
-  ) {
+  if (trimmedContent.length === 0) {
     return { consumed: false };
   }
 
-  const pendingRequestIds = collectLivePendingConfirmationRequestIds(conversationId, sourceChannel, session);
-  if (pendingRequestIds.length === 0) {
-    return { consumed: false };
-  }
+  const pendingRequestHintIds = collectCanonicalGuardianRequestHintIds(conversationId, sourceChannel, session);
+  const pendingRequestIds = pendingRequestHintIds.length > 0 ? pendingRequestHintIds : undefined;
 
   const routerResult = await routeGuardianReply({
     messageText: trimmedContent,
     channel: sourceChannel,
     actor: {
-      externalUserId: undefined,
+      externalUserId: verifiedActorExternalUserId,
       channel: sourceChannel,
-      isTrusted: true,
+      // When a verified identity is available, disable the trusted bypass so
+      // that the identity-match checks in applyCanonicalGuardianDecision
+      // actually run. Only fall back to isTrusted when no verified identity
+      // was resolved (defensive — shouldn't happen for vellum since
+      // verification runs upstream).
+      isTrusted: !verifiedActorExternalUserId,
     },
     conversationId,
     pendingRequestIds,
     approvalConversationGenerator,
+    emissionContext: {
+      source: 'inline_nl',
+      decisionText: trimmedContent,
+    },
   });
 
   if (!routerResult.consumed || routerResult.type === 'nl_keep_pending') {
     return { consumed: false };
   }
 
+  // Success-path emissions (approved/denied) are handled centrally
+  // by handleConfirmationResponse (called via the resolver chain).
+  // However, stale/failed paths never reach handleConfirmationResponse,
+  // so we emit resolved_stale here for those cases.
+  if (routerResult.requestId && !routerResult.decisionApplied) {
+    session.emitConfirmationStateChanged({
+      sessionId: conversationId,
+      requestId: routerResult.requestId,
+      state: 'resolved_stale',
+      source: 'inline_nl',
+      decisionText: trimmedContent,
+    });
+  }
+
   // Decision has been applied — transcript persistence is best-effort.
   // If DB writes fail, we still return consumed: true so the approval text
   // is not re-processed as a new user turn.
@@ -335,7 +347,7 @@ function makeHubPublisher(
       // via applyCanonicalGuardianDecision.
       const guardianContext = session.guardianContext;
       const sourceChannel = guardianContext?.sourceChannel ?? 'vellum';
-      createCanonicalGuardianRequest({
+      const canonicalRequest = createCanonicalGuardianRequest({
         id: msg.requestId,
         kind: 'tool_approval',
         sourceType: resolveCanonicalRequestSourceType(sourceChannel),
@@ -349,6 +361,18 @@ function makeHubPublisher(
         requestCode: generateCanonicalRequestCode(),
         expiresAt: new Date(Date.now() + 5 * 60 * 1000).toISOString(),
       });
+
+      // For trusted-contact sessions, bridge to guardian.question so the
+      // guardian gets notified and can approve via callback/request-code.
+      if (guardianContext) {
+        bridgeConfirmationRequestToGuardian({
+          canonicalRequest,
+          guardianContext,
+          conversationId,
+          toolName: msg.toolName,
+          assistantId: session.assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
+        });
+      }
     } else if (msg.type === 'secret_request') {
       pendingInteractions.register(msg.requestId, {
         session,
@@ -363,7 +387,7 @@ function makeHubPublisher(
         ? (msg as { sessionId: string }).sessionId
         : undefined;
     const resolvedSessionId = msgSessionId ?? conversationId;
-    const event = buildAssistantEvent('self', msg, resolvedSessionId);
+    const event = buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, msg, resolvedSessionId);
     hubChain = (async () => {
       await hubChain;
       try {
@@ -383,6 +407,7 @@ export async function handleSendMessage(
     sendMessageDeps?: SendMessageDeps;
     approvalConversationGenerator?: ApprovalConversationGenerator;
   },
+  server: ServerWithRequestIP,
 ): Promise<Response> {
   const body = await req.json() as {
     conversationKey?: string;
@@ -440,31 +465,68 @@ export async function handleSendMessage(
 
   // ── Queue-if-busy path (preferred when sendMessageDeps is wired) ────
   if (deps.sendMessageDeps) {
+    // Vellum HTTP requests prefer actor-token identity. When absent (e.g. CLI
+    // bearer-auth only), fall back to local IPC identity resolution so
+    // bearer-authenticated local clients are not rejected.
+    const actorVerification = sourceChannel === 'vellum' ? verifyHttpActorTokenWithLocalFallback(req, server) : null;
+    if (actorVerification && !actorVerification.ok) {
+      return httpError(
+        actorVerification.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
+        actorVerification.message,
+        actorVerification.status,
+      );
+    }
+
     const smDeps = deps.sendMessageDeps;
     const session = await smDeps.getOrCreateSession(mapping.conversationId);
-    // HTTP API is a trusted local ingress (same as IPC) — set guardian context
-    // so that memory extraction is not silently disabled by unverified provenance.
-    session.setGuardianContext({ trustClass: 'guardian', sourceChannel: sourceChannel ?? 'http' });
+    // Resolve actor identity from the verified actor token. The token's
+    // guardianPrincipalId is matched against the vellum guardian binding
+    // through the standard trust pipeline.
+    if (actorVerification?.ok) {
+      session.setGuardianContext(actorVerification.guardianContext);
+    } else {
+      // Non-vellum channels through the HTTP API are still local
+      // authenticated requests. Resolve guardian context via the local
+      // identity pathway (vellum binding lookup) to preserve guardian
+      // trust. Falls back to a minimal guardian context if no binding
+      // exists (pre-bootstrap).
+      session.setGuardianContext(
+        resolveLocalIpcGuardianContext(sourceChannel) ?? { trustClass: 'guardian', sourceChannel },
+      );
+    }
     const onEvent = makeHubPublisher(smDeps, mapping.conversationId, session);
+    // Route server-authoritative state signals (confirmation_state_changed,
+    // assistant_activity_state) to the SSE hub. Without this, these signals
+    // only travel through session.sendToClient, which is a no-op for
+    // socketless HTTP sessions.
+    session.setStateSignalListener(onEvent);
 
     const attachments = hasAttachments
       ? smDeps.resolveAttachments(attachmentIds)
       : [];
 
-    // Try to consume the message as an inline approval/rejection reply.
+    // Resolve the verified actor's external user ID for inline approval
+    // routing. Uses the guardianExternalUserId from the verified context
+    // (actor-token or local-fallback) rather than hardcoding undefined.
+    const verifiedActorExternalUserId = actorVerification?.ok
+      ? actorVerification.guardianContext.guardianExternalUserId
+      : undefined;
+
+    // Try to consume the message as a canonical guardian approval/rejection reply.
     // On failure, degrade to the existing queue/auto-deny path rather than
     // surfacing a 500 — mirrors the IPC handler's catch-and-fallback.
     try {
-      const inlineReplyResult = await tryConsumeInlineApprovalReply({
+      const inlineReplyResult = await tryConsumeCanonicalGuardianReply({
         conversationId: mapping.conversationId,
         sourceChannel,
         sourceInterface,
         content: content ?? '',
-      attachments,
-      session,
-      onEvent,
-      approvalConversationGenerator: deps.approvalConversationGenerator,
-    });
+        attachments,
+        session,
+        onEvent,
+        approvalConversationGenerator: deps.approvalConversationGenerator,
+        verifiedActorExternalUserId,
+      });
       if (inlineReplyResult.consumed) {
         return Response.json(
           { accepted: true, ...(inlineReplyResult.messageId ? { messageId: inlineReplyResult.messageId } : {}) },
@@ -479,6 +541,18 @@ export async function handleSendMessage(
       // If a tool confirmation is pending, auto-deny it so the agent
       // can finish the current turn and process this queued message.
       if (session.hasAnyPendingConfirmation()) {
+        // Emit authoritative denial state for each pending request.
+        // The onStateSignal listener routes these to the SSE hub automatically.
+        for (const interaction of pendingInteractions.getByConversation(mapping.conversationId)) {
+          if (interaction.session === session && interaction.kind === 'confirmation') {
+            session.emitConfirmationStateChanged({
+              sessionId: mapping.conversationId,
+              requestId: interaction.requestId,
+              state: 'denied' as const,
+              source: 'auto_deny' as const,
+            });
+          }
+        }
         session.denyAllPendingConfirmations();
         pendingInteractions.removeBySession(session);
       }
@@ -533,12 +607,27 @@ export async function handleSendMessage(
     return httpError('SERVICE_UNAVAILABLE', 'Message processing not configured', 503);
   }
 
+  // Require actor token for vellum channel requests on the legacy path too,
+  // with local IPC fallback for bearer-authenticated CLI clients.
+  const legacyActorVerification = sourceChannel === 'vellum' ? verifyHttpActorTokenWithLocalFallback(req, server) : null;
+  if (legacyActorVerification && !legacyActorVerification.ok) {
+    return httpError(
+      legacyActorVerification.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
+      legacyActorVerification.message,
+      legacyActorVerification.status,
+    );
+  }
+
+  const guardianContext = legacyActorVerification?.ok
+    ? legacyActorVerification.guardianContext
+    : resolveLocalIpcGuardianContext(sourceChannel) ?? { trustClass: 'guardian' as const, sourceChannel };
+
   try {
     const result = await processor(
       mapping.conversationId,
       content ?? '',
       hasAttachments ? attachmentIds : undefined,
-      { guardianContext: { trustClass: 'guardian', sourceChannel } },
+      { guardianContext },
       sourceChannel,
       sourceInterface,
     );