@vellumai/assistant 0.4.2 → 0.4.4

package/src/runtime/routes/events-routes.ts

@@ -3,7 +3,9 @@
  *
  * GET /v1/events?conversationKey=...
  *
- * Auth is enforced by RuntimeHttpServer before this handler is called.
+ * Bearer auth is enforced by RuntimeHttpServer before this handler is called.
+ * Actor-token identity verification (with local CLI fallback) is performed
+ * within this handler to bind the SSE stream to a verified actor identity.
  * Subscribers receive all assistant events scoped to the given conversation.
  */
 
@@ -11,7 +13,9 @@ import { getOrCreateConversation } from '../../memory/conversation-key-store.js'
 import { formatSseFrame, formatSseHeartbeat } from '../assistant-event.js';
 import type { AssistantEventSubscription } from '../assistant-event-hub.js';
 import { AssistantEventHub,assistantEventHub } from '../assistant-event-hub.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
 import { httpError } from '../http-errors.js';
+import { type ServerWithRequestIP, verifyHttpActorTokenWithLocalFallback } from '../middleware/actor-token.js';
 
 /** Keep-alive comment sent to idle clients every 30 s by default. */
 const DEFAULT_HEARTBEAT_INTERVAL_MS = 30_000;
@@ -29,11 +33,23 @@ const DEFAULT_HEARTBEAT_INTERVAL_MS = 30_000;
 export function handleSubscribeAssistantEvents(
   req: Request,
   url: URL,
-  options?: {
-    hub?: AssistantEventHub;
-    heartbeatIntervalMs?: number;
-  },
+  options?:
+    | { hub?: AssistantEventHub; heartbeatIntervalMs?: number; skipActorVerification?: false; server: ServerWithRequestIP }
+    | { hub?: AssistantEventHub; heartbeatIntervalMs?: number; skipActorVerification: true },
 ): Response {
+  // Verify actor-token identity for vellum channel requests, with local
+  // CLI fallback for bearer-authenticated clients without X-Actor-Token.
+  if (options && !options.skipActorVerification) {
+    const actorVerification = verifyHttpActorTokenWithLocalFallback(req, options.server);
+    if (!actorVerification.ok) {
+      return httpError(
+        actorVerification.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
+        actorVerification.message,
+        actorVerification.status,
+      );
+    }
+  }
+
   const conversationKey = url.searchParams.get('conversationKey');
   if (!conversationKey) {
     return httpError('BAD_REQUEST', 'conversationKey is required', 400);
@@ -50,8 +66,6 @@ export function handleSubscribeAssistantEvents(
   // closures are in place before events can arrive.  `controllerRef` is set
   // synchronously inside ReadableStream's start(), so it is non-null by the
   // time any event or eviction fires.
-  // 'self' is the assistantId used by buildAssistantEvent('self', ...) for
-  // all HTTP and voice session events.
   let controllerRef: ReadableStreamDefaultController<Uint8Array> | null = null;
   let heartbeatTimer: ReturnType<typeof setInterval> | null = null;
   let sub!: AssistantEventSubscription;
@@ -63,7 +77,7 @@ export function handleSubscribeAssistantEvents(
 
   try {
     sub = hub.subscribe(
-      { assistantId: 'self', sessionId: mapping.conversationId },
+      { assistantId: DAEMON_INTERNAL_ASSISTANT_ID, sessionId: mapping.conversationId },
       (event) => {
         const controller = controllerRef;
         if (!controller) return;

package/src/runtime/routes/guardian-action-routes.ts

@@ -3,6 +3,10 @@
  *
  * These endpoints let desktop clients fetch pending guardian prompts and
  * submit button decisions without relying on text parsing.
+ *
+ * All guardian action endpoints require a valid actor token via the
+ * X-Actor-Token header (with local CLI fallback). Guardian decisions
+ * additionally verify the actor is the bound guardian.
  */
 import {
   applyCanonicalGuardianDecision,
@@ -16,6 +20,12 @@ import type { ApprovalAction } from '../channel-approval-types.js';
 import type { GuardianDecisionPrompt } from '../guardian-decision-types.js';
 import { buildDecisionActions } from '../guardian-decision-types.js';
 import { httpError } from '../http-errors.js';
+import {
+  isActorBoundGuardian,
+  isLocalFallbackBoundGuardian,
+  type ServerWithRequestIP,
+  verifyHttpActorTokenWithLocalFallback,
+} from '../middleware/actor-token.js';
 
 // ---------------------------------------------------------------------------
 // GET /v1/guardian-actions/pending?conversationId=...
@@ -23,12 +33,22 @@ import { httpError } from '../http-errors.js';
 
 /**
  * List pending guardian decision prompts for a conversation.
+ * Requires a valid actor token.
  *
  * Returns guardian approval requests (from the channel guardian store) that
  * are still pending, mapped to the GuardianDecisionPrompt shape so clients
  * can render structured button UIs.
  */
-export function handleGuardianActionsPending(req: Request): Response {
+export function handleGuardianActionsPending(req: Request, server: ServerWithRequestIP): Response {
+  const tokenResult = verifyHttpActorTokenWithLocalFallback(req, server);
+  if (!tokenResult.ok) {
+    return httpError(
+      tokenResult.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
+      tokenResult.message,
+      tokenResult.status,
+    );
+  }
+
   const url = new URL(req.url);
   const conversationId = url.searchParams.get('conversationId');
 
@@ -46,12 +66,28 @@ export function handleGuardianActionsPending(req: Request): Response {
 
 /**
  * Submit a guardian action decision.
+ * Requires a valid actor token for a bound guardian.
  *
  * Routes all decisions through the unified canonical guardian decision
  * primitive which handles CAS resolution, resolver dispatch, and grant
  * minting.
  */
-export async function handleGuardianActionDecision(req: Request): Promise<Response> {
+export async function handleGuardianActionDecision(req: Request, server: ServerWithRequestIP): Promise<Response> {
+  const tokenResult = verifyHttpActorTokenWithLocalFallback(req, server);
+  if (!tokenResult.ok) {
+    return httpError(
+      tokenResult.status === 401 ? 'UNAUTHORIZED' : 'FORBIDDEN',
+      tokenResult.message,
+      tokenResult.status,
+    );
+  }
+  const isBoundGuardian = tokenResult.claims
+    ? isActorBoundGuardian(tokenResult.claims)
+    : isLocalFallbackBoundGuardian();
+  if (!isBoundGuardian) {
+    return httpError('FORBIDDEN', 'Actor is not the bound guardian for this channel', 403);
+  }
+
   const body = await req.json() as {
     requestId?: string;
     action?: string;
@@ -82,11 +118,17 @@ export async function handleGuardianActionDecision(req: Request): Promise<Respon
     }
   }
 
+  // Resolve the actor's external user ID: from the token claims if present,
+  // otherwise from the vellum guardian binding (local fallback).
+  const actorExternalUserId = tokenResult.claims
+    ? tokenResult.claims.guardianPrincipalId
+    : tokenResult.guardianContext.guardianExternalUserId;
+
   const canonicalResult = await applyCanonicalGuardianDecision({
     requestId,
     action: action as ApprovalAction,
     actorContext: {
-      externalUserId: undefined,
+      externalUserId: actorExternalUserId,
       channel: 'vellum',
       isTrusted: true,
     },

package/src/runtime/routes/guardian-approval-interception.ts

@@ -741,6 +741,35 @@ export async function handleApprovalInterception(
         }
         return { handled: true, type: 'decision_applied' };
       }
+
+      // Guard: non-guardian actors with a guardian binding must not self-approve
+      // even when no guardian approval row exists yet. The guardian approval
+      // row is created asynchronously when the approval prompt is delivered
+      // to the guardian. In the window between the pending confirmation being
+      // created (isInteractive=true) and the guardian approval row being
+      // persisted, any non-guardian actor could otherwise fall through to the
+      // standard conversational engine / legacy parser and resolve their own
+      // pending request via handleChannelDecision.
+      if (guardianCtx.trustClass !== 'guardian' && guardianCtx.guardianExternalUserId) {
+        log.info(
+          { conversationId, externalChatId, guardianExternalUserId: guardianCtx.guardianExternalUserId },
+          'Blocking non-guardian self-approval: pending confirmation exists but guardian approval row not yet created',
+        );
+        try {
+          const pendingText = await composeApprovalMessageGenerative({
+            scenario: 'request_pending_guardian',
+            channel: sourceChannel,
+          }, {}, approvalCopyGenerator);
+          await deliverChannelReply(replyCallbackUrl, {
+            chatId: externalChatId,
+            text: pendingText,
+            assistantId,
+          }, bearerToken);
+        } catch (err) {
+          log.error({ err, conversationId }, 'Failed to deliver guardian-pending notice to non-guardian actor (pre-row guard)');
+        }
+        return { handled: true, type: 'assistant_turn' };
+      }
     }
   }
 

package/src/runtime/routes/guardian-bootstrap-routes.ts

@@ -0,0 +1,145 @@
+/**
+ * POST /v1/integrations/guardian/vellum/bootstrap
+ *
+ * Idempotent bootstrap endpoint for the vellum guardian channel.
+ * Creates or confirms a guardianPrincipalId and channel='vellum'
+ * guardian binding, then mints and returns an actor token bound
+ * to (assistantId, guardianPrincipalId, deviceId).
+ *
+ * Only the hashed token is persisted.
+ */
+
+import { createHash } from 'node:crypto';
+
+import { v4 as uuid } from 'uuid';
+
+import {
+  createBinding,
+  getActiveBinding,
+} from '../../memory/guardian-bindings.js';
+import { getLogger } from '../../util/logger.js';
+import { mintActorToken } from '../actor-token-service.js';
+import {
+  createActorTokenRecord,
+  revokeByDeviceBinding,
+} from '../actor-token-store.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
+import { httpError } from '../http-errors.js';
+import type { ServerWithRequestIP } from '../middleware/actor-token.js';
+
+const log = getLogger('guardian-bootstrap');
+
+/** Hash a device ID for storage (same pattern as approved-devices-store). */
+function hashDeviceId(deviceId: string): string {
+  return createHash('sha256').update(deviceId).digest('hex');
+}
+
+/**
+ * Ensure a guardianPrincipalId exists for the vellum channel.
+ * If a binding already exists, returns the existing guardianExternalUserId
+ * as the principal. Otherwise creates a new binding with a fresh principal.
+ */
+function ensureGuardianPrincipal(assistantId: string): {
+  guardianPrincipalId: string;
+  isNew: boolean;
+} {
+  const existing = getActiveBinding(assistantId, 'vellum');
+  if (existing) {
+    return { guardianPrincipalId: existing.guardianExternalUserId, isNew: false };
+  }
+
+  // Mint a new principal ID for the vellum channel
+  const guardianPrincipalId = `vellum-principal-${uuid()}`;
+
+  createBinding({
+    assistantId,
+    channel: 'vellum',
+    guardianExternalUserId: guardianPrincipalId,
+    guardianDeliveryChatId: 'local',
+    verifiedVia: 'bootstrap',
+    metadataJson: JSON.stringify({ bootstrappedAt: Date.now() }),
+  });
+
+  log.info({ assistantId, guardianPrincipalId }, 'Created vellum guardian principal via bootstrap');
+  return { guardianPrincipalId, isNew: true };
+}
+
+/** Loopback addresses — used to gate the bootstrap endpoint to local-only. */
+const LOOPBACK_ADDRESSES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
+
+/**
+ * Handle POST /v1/integrations/guardian/vellum/bootstrap
+ *
+ * Body: { platform: 'macos', deviceId: string }
+ * Returns: { guardianPrincipalId, actorToken, isNew }
+ *
+ * This endpoint is loopback-only (macOS local use only). iOS devices
+ * obtain actor tokens exclusively through the QR pairing flow.
+ */
+export async function handleGuardianBootstrap(req: Request, server: ServerWithRequestIP): Promise<Response> {
+  // Reject proxied requests — bootstrap is local-only
+  if (req.headers.get('x-forwarded-for')) {
+    return httpError('FORBIDDEN', 'Bootstrap endpoint is local-only', 403);
+  }
+
+  // Reject non-loopback peers
+  const peerIp = server.requestIP(req)?.address;
+  if (!peerIp || !LOOPBACK_ADDRESSES.has(peerIp)) {
+    return httpError('FORBIDDEN', 'Bootstrap endpoint is local-only', 403);
+  }
+
+  try {
+    const body = await req.json() as Record<string, unknown>;
+    const platform = typeof body.platform === 'string' ? body.platform.trim() : '';
+    const deviceId = typeof body.deviceId === 'string' ? body.deviceId.trim() : '';
+
+    if (!platform || !deviceId) {
+      return httpError('BAD_REQUEST', 'Missing required fields: platform, deviceId', 400);
+    }
+
+    if (platform !== 'macos') {
+      return httpError('BAD_REQUEST', 'Invalid platform. Bootstrap is macOS-only; iOS uses QR pairing.', 400);
+    }
+
+    const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
+    const { guardianPrincipalId, isNew } = ensureGuardianPrincipal(assistantId);
+    const hashedDeviceId = hashDeviceId(deviceId);
+
+    // Revoke any existing active tokens for this device binding
+    // so we maintain one-active-token-per-device
+    revokeByDeviceBinding(assistantId, guardianPrincipalId, hashedDeviceId);
+
+    // Mint a new actor token
+    const { token, tokenHash, claims } = mintActorToken({
+      assistantId,
+      platform,
+      deviceId,
+      guardianPrincipalId,
+    });
+
+    // Store only the hash
+    createActorTokenRecord({
+      tokenHash,
+      assistantId,
+      guardianPrincipalId,
+      hashedDeviceId,
+      platform,
+      issuedAt: claims.iat,
+      expiresAt: claims.exp,
+    });
+
+    log.info(
+      { assistantId, platform, guardianPrincipalId, isNew },
+      'Guardian bootstrap completed',
+    );
+
+    return Response.json({
+      guardianPrincipalId,
+      actorToken: token,
+      isNew,
+    });
+  } catch (err) {
+    log.error({ err }, 'Guardian bootstrap failed');
+    return httpError('INTERNAL_ERROR', 'Internal server error', 500);
+  }
+}

package/src/runtime/routes/inbound-conversation.ts

@@ -3,9 +3,10 @@
  */
 import { deleteConversationKey } from '../../memory/conversation-key-store.js';
 import * as externalConversationStore from '../../memory/external-conversation-store.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
 import { httpError } from '../http-errors.js';
 
-export async function handleDeleteConversation(req: Request, assistantId: string = 'self'): Promise<Response> {
+export async function handleDeleteConversation(req: Request, assistantId: string = DAEMON_INTERNAL_ASSISTANT_ID): Promise<Response> {
   const body = await req.json() as {
     sourceChannel?: string;
     externalChatId?: string;
@@ -26,14 +27,14 @@ export async function handleDeleteConversation(req: Request, assistantId: string
   const legacyKey = `${sourceChannel}:${externalChatId}`;
   const scopedKey = `asst:${assistantId}:${sourceChannel}:${externalChatId}`;
   deleteConversationKey(scopedKey);
-  if (assistantId === 'self') {
+  if (assistantId === DAEMON_INTERNAL_ASSISTANT_ID) {
     deleteConversationKey(legacyKey);
   }
   // external_conversation_bindings is currently assistant-agnostic
   // (unique by sourceChannel + externalChatId). Restrict mutations to the
   // canonical self-assistant route so multi-assistant legacy routes do not
   // clobber each other's bindings.
-  if (assistantId === 'self') {
+  if (assistantId === DAEMON_INTERNAL_ASSISTANT_ID) {
     externalConversationStore.deleteBindingByChannelChat(sourceChannel, externalChatId);
   }
 

package/src/runtime/routes/inbound-message-handler.ts

@@ -28,6 +28,7 @@ import { IngressBlockedError } from '../../util/errors.js';
 import { getLogger } from '../../util/logger.js';
 import { readHttpToken } from '../../util/platform.js';
 import { notifyGuardianOfAccessRequest } from '../access-request-helper.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../assistant-scope.js';
 import {
   buildApprovalUIMetadata,
   getApprovalInfoByConversation,
@@ -46,7 +47,7 @@ import {
 } from '../channel-guardian-service.js';
 import { getTransport } from '../channel-invite-transport.js';
 import { deliverChannelReply } from '../gateway-client.js';
-import { resolveGuardianContext } from '../guardian-context-resolver.js';
+import { resolveGuardianContext, resolveRoutingState } from '../guardian-context-resolver.js';
 import { routeGuardianReply } from '../guardian-reply-router.js';
 import {
   composeChannelVerifyReply,
@@ -97,7 +98,7 @@ export async function handleChannelInbound(
   req: Request,
   processMessage?: MessageProcessor,
   bearerToken?: string,
-  assistantId: string = 'self',
+  assistantId: string = DAEMON_INTERNAL_ASSISTANT_ID,
   gatewayOriginSecret?: string,
   approvalCopyGenerator?: ApprovalCopyGenerator,
   approvalConversationGenerator?: ApprovalConversationGenerator,
@@ -414,6 +415,7 @@ export async function handleChannelInbound(
                 senderExternalUserId: canonicalSenderId ?? rawSenderId,
                 senderName: body.senderName,
                 senderUsername: body.senderUsername,
+                previousMemberStatus: resolvedMember.status,
               });
               guardianNotified = accessResult.notified;
             } catch (err) {
@@ -580,7 +582,7 @@ export async function handleChannelInbound(
   // external_conversation_bindings is assistant-agnostic. Restrict writes to
   // self so assistant-scoped legacy routes do not overwrite each other's
   // channel binding metadata for the same chat.
-  if (canonicalAssistantId === 'self') {
+  if (canonicalAssistantId === DAEMON_INTERNAL_ASSISTANT_ID) {
     externalConversationStore.upsertBinding({
       conversationId: result.conversationId,
       sourceChannel,
@@ -1346,6 +1348,13 @@ interface BackgroundProcessingParams {
 const TELEGRAM_TYPING_INTERVAL_MS = 4_000;
 const PENDING_APPROVAL_POLL_INTERVAL_MS = 300;
 
+// Module-level map tracking which approval requestIds have already been
+// notified to trusted contacts. Maps requestId -> conversationId so that
+// cleanup can be scoped to the owning conversation's poller, preventing
+// concurrent pollers from different conversations from evicting each
+// other's entries.
+const globalNotifiedApprovalRequestIds = new Map<string, string>();
+
 function delay(ms: number): Promise<void> {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
@@ -1447,7 +1456,7 @@ function startPendingApprovalPromptWatcher(params: {
             replyCallbackUrl,
             chatId: externalChatId,
             sourceChannel,
-            assistantId: assistantId ?? 'self',
+            assistantId: assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
             bearerToken,
             prompt,
             uiMetadata: buildApprovalUIMetadata(prompt, info),
@@ -1477,6 +1486,126 @@ function startPendingApprovalPromptWatcher(params: {
   };
 }
 
+/**
+ * Resolve a human-readable guardian name from the guardian binding metadata.
+ * Returns the display name, username (prefixed with @), or undefined if
+ * no name is available.
+ */
+function resolveGuardianDisplayName(
+  assistantId: string,
+  sourceChannel: ChannelId,
+): string | undefined {
+  const binding = getGuardianBinding(assistantId, sourceChannel);
+  if (!binding?.metadataJson) return undefined;
+  try {
+    const parsed = JSON.parse(binding.metadataJson) as Record<string, unknown>;
+    if (typeof parsed.displayName === 'string' && parsed.displayName.trim().length > 0) {
+      return parsed.displayName.trim();
+    }
+    if (typeof parsed.username === 'string' && parsed.username.trim().length > 0) {
+      return `@${parsed.username.trim()}`;
+    }
+  } catch {
+    // ignore malformed metadata
+  }
+  return undefined;
+}
+
+/**
+ * Start a poller that sends a one-shot "waiting for guardian approval" message
+ * to the trusted contact when a confirmation_request enters guardian approval
+ * wait. Deduplicates by requestId so each request only produces one message.
+ *
+ * Only activates for trusted-contact actors with a resolvable guardian route.
+ */
+function startTrustedContactApprovalNotifier(params: {
+  conversationId: string;
+  sourceChannel: ChannelId;
+  externalChatId: string;
+  guardianTrustClass: GuardianContext['trustClass'];
+  guardianExternalUserId?: string;
+  replyCallbackUrl: string;
+  bearerToken?: string;
+  assistantId?: string;
+}): () => void {
+  const {
+    conversationId,
+    sourceChannel,
+    externalChatId,
+    guardianTrustClass,
+    guardianExternalUserId,
+    replyCallbackUrl,
+    bearerToken,
+    assistantId,
+  } = params;
+
+  // Only notify trusted contacts who have a resolvable guardian route.
+  if (guardianTrustClass !== 'trusted_contact' || !guardianExternalUserId) {
+    return () => {};
+  }
+
+  let active = true;
+
+  const poll = async (): Promise<void> => {
+    while (active) {
+      try {
+        const pending = getApprovalInfoByConversation(conversationId);
+        const info = pending[0];
+
+        // Clean up resolved requests from the module-level dedupe map.
+        // Only remove entries that belong to THIS conversation — other
+        // conversations' pollers own their own entries. Without this
+        // scoping, concurrent pollers would evict each other's request
+        // IDs and cause duplicate notifications.
+        const currentPendingIds = new Set(pending.map(p => p.requestId));
+        for (const [rid, cid] of globalNotifiedApprovalRequestIds) {
+          if (cid === conversationId && !currentPendingIds.has(rid)) {
+            globalNotifiedApprovalRequestIds.delete(rid);
+          }
+        }
+
+        if (info && !globalNotifiedApprovalRequestIds.has(info.requestId)) {
+          globalNotifiedApprovalRequestIds.set(info.requestId, conversationId);
+          const guardianName = resolveGuardianDisplayName(
+            assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
+            sourceChannel,
+          );
+          const waitingText = guardianName
+            ? `Waiting for ${guardianName}'s approval...`
+            : 'Waiting for your guardian\'s approval...';
+          try {
+            await deliverChannelReply(replyCallbackUrl, {
+              chatId: externalChatId,
+              text: waitingText,
+              assistantId: assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
+            }, bearerToken);
+          } catch (err) {
+            log.warn({ err, conversationId }, 'Failed to deliver trusted-contact pending-approval notification');
+            // Remove from notified set so delivery is retried on next poll
+            globalNotifiedApprovalRequestIds.delete(info.requestId);
+          }
+        }
+      } catch (err) {
+        log.warn({ err, conversationId }, 'Trusted-contact approval notifier poll failed');
+      }
+      await delay(PENDING_APPROVAL_POLL_INTERVAL_MS);
+    }
+  };
+
+  void poll();
+  return () => {
+    active = false;
+
+    // Evict all dedupe entries owned by this conversation so the
+    // module-level map doesn't grow unboundedly after the poller stops.
+    for (const [rid, cid] of globalNotifiedApprovalRequestIds) {
+      if (cid === conversationId) {
+        globalNotifiedApprovalRequestIds.delete(rid);
+      }
+    }
+  };
+}
+
 function processChannelMessageInBackground(params: BackgroundProcessingParams): void {
   const {
     processMessage,
@@ -1519,6 +1648,18 @@ function processChannelMessageInBackground(params: BackgroundProcessingParams):
         approvalCopyGenerator,
       })
       : undefined;
+    const stopTcApprovalNotifier = replyCallbackUrl
+      ? startTrustedContactApprovalNotifier({
+        conversationId,
+        sourceChannel,
+        externalChatId,
+        guardianTrustClass: guardianCtx.trustClass,
+        guardianExternalUserId: guardianCtx.guardianExternalUserId,
+        replyCallbackUrl,
+        bearerToken,
+        assistantId,
+      })
+      : undefined;
 
     try {
       const cmdIntent = commandIntent && typeof commandIntent.type === 'string'
@@ -1536,7 +1677,7 @@ function processChannelMessageInBackground(params: BackgroundProcessingParams):
           },
           assistantId,
           guardianContext: toGuardianRuntimeContext(sourceChannel, guardianCtx),
-          isInteractive: guardianCtx.trustClass === 'guardian',
+          isInteractive: resolveRoutingState(guardianCtx).promptWaitingAllowed,
           ...(cmdIntent ? { commandIntent: cmdIntent } : {}),
         },
         sourceChannel,
@@ -1564,6 +1705,7 @@ function processChannelMessageInBackground(params: BackgroundProcessingParams):
     } finally {
       stopTypingHeartbeat?.();
       stopApprovalWatcher?.();
+      stopTcApprovalNotifier?.();
     }
   })();
 }

package/src/runtime/routes/ingress-routes.ts

@@ -147,6 +147,8 @@ export async function handleCreateInvite(req: Request): Promise<Response> {
     expiresInMs: body.expiresInMs as number | undefined,
     expectedExternalUserId: body.expectedExternalUserId as string | undefined,
     voiceCodeDigits: body.voiceCodeDigits as number | undefined,
+    friendName: body.friendName as string | undefined,
+    guardianName: body.guardianName as string | undefined,
   });
 
   if (!result.ok) {