@vellumai/assistant 0.4.3 → 0.4.4

package/src/home-base/prebuilt/index.html

@@ -488,6 +488,24 @@
       </div>
     </section>
 
+    <!-- Brain Knowledge -->
+    <section class="section" id="home-base-brain-lane">
+      <div class="section-header anim anim-d6"><h2>Knowledge</h2></div>
+
+      <div class="card-stack">
+        <div class="card feature anim anim-d6">
+          <div class="card-icon">🧠</div>
+          <div class="card-body">
+            <div class="task">Knowledge Brain</div>
+            <div class="task-meta" id="home-base-brain-count">Loading...</div>
+            <div class="task-controls">
+              <a href="/v1/brain-graph-ui" class="task-button primary" id="home-base-brain-view">View →</a>
+            </div>
+          </div>
+        </div>
+      </div>
+    </section>
+
     <!-- Onboarding -->
     <section class="section" id="home-base-onboarding-lane">
       <div class="section-header anim anim-d6"><h2>Set up your assistant</h2></div>
@@ -656,6 +674,28 @@
           });
         });
       }
+
+      // Fetch brain graph count for the Knowledge Brain card.
+      (function () {
+        var countEl = byId('home-base-brain-count');
+        if (!countEl) return;
+        var apiToken = document.querySelector('meta[name="api-token"]');
+        var headers = {};
+        if (apiToken && apiToken.content) headers['Authorization'] = 'Bearer ' + apiToken.content;
+        fetch('/v1/brain-graph', { headers: headers })
+          .then(function (res) {
+            if (!res.ok) throw new Error('HTTP ' + res.status);
+            return res.json();
+          })
+          .then(function (data) {
+            var entities = (data.entities || []).length;
+            var relations = (data.relations || []).length;
+            countEl.textContent = entities + ' nodes \u2022 ' + relations + ' relations';
+          })
+          .catch(function () {
+            countEl.textContent = '\u2014';
+          });
+      })();
     })();
   </script>
 </body>

package/src/inbound/platform-callback-registration.ts

@@ -0,0 +1,157 @@
+/**
+ * Platform callback route registration for containerized deployments.
+ *
+ * When the assistant daemon runs inside a container (IS_CONTAINERIZED=true)
+ * with a configured PLATFORM_BASE_URL and PLATFORM_ASSISTANT_ID, external
+ * service callbacks (Twilio webhooks, OAuth redirects, Telegram webhooks, etc.)
+ * must route through the platform's gateway proxy instead of hitting the
+ * assistant directly.
+ *
+ * This module registers callback routes with the platform's internal
+ * gateway endpoint so the platform knows how to forward inbound provider
+ * webhooks to the correct containerized assistant instance.
+ *
+ * The platform endpoint is:
+ *   POST {PLATFORM_BASE_URL}/v1/internal/gateway/callback-routes/register/
+ *
+ * It accepts { assistant_id, callback_path, type } and returns a stable
+ * callback_url that external services should use.
+ */
+
+import { getPlatformAssistantId, getPlatformBaseUrl, getPlatformInternalApiKey } from '../config/env.js';
+import { getIsContainerized } from '../config/env-registry.js';
+import { getLogger } from '../util/logger.js';
+
+const log = getLogger('platform-callback-registration');
+
+/**
+ * Whether the daemon should register callback routes with the platform.
+ * True when IS_CONTAINERIZED, PLATFORM_BASE_URL, and PLATFORM_ASSISTANT_ID
+ * are all set.
+ */
+export function shouldUsePlatformCallbacks(): boolean {
+  return getIsContainerized() && !!getPlatformBaseUrl() && !!getPlatformAssistantId();
+}
+
+interface RegisterCallbackRouteResponse {
+  callback_url: string;
+  callback_path: string;
+  type: string;
+  assistant_id: string;
+}
+
+/**
+ * Register a callback route with the platform's internal gateway endpoint.
+ *
+ * @param callbackPath - The path portion after the ingress base URL
+ *   (e.g. "webhooks/twilio/voice"). Leading/trailing slashes are stripped
+ *   by the platform.
+ * @param type - The route type identifier (e.g. "twilio_voice", "twilio_sms",
+ *   "twilio_status", "oauth", "telegram").
+ * @returns The platform-provided callback URL that external services should use.
+ * @throws If the platform request fails.
+ */
+export async function registerCallbackRoute(
+  callbackPath: string,
+  type: string,
+): Promise<string> {
+  const platformBaseUrl = getPlatformBaseUrl().replace(/\/+$/, '');
+  const assistantId = getPlatformAssistantId();
+  const apiKey = getPlatformInternalApiKey();
+
+  const url = `${platformBaseUrl}/v1/internal/gateway/callback-routes/register/`;
+
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+  };
+
+  if (apiKey) {
+    headers['Authorization'] = `Bearer ${apiKey}`;
+  }
+
+  const body = JSON.stringify({
+    assistant_id: assistantId,
+    callback_path: callbackPath,
+    type,
+  });
+
+  log.debug({ callbackPath, type }, 'Registering platform callback route');
+
+  const response = await fetch(url, {
+    method: 'POST',
+    headers,
+    body,
+    signal: AbortSignal.timeout(10_000),
+  });
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => '');
+    throw new Error(
+      `Platform callback route registration failed (HTTP ${response.status}): ${detail}`,
+    );
+  }
+
+  const data = (await response.json()) as RegisterCallbackRouteResponse;
+
+  log.info(
+    { callbackPath, type, callbackUrl: data.callback_url },
+    'Platform callback route registered',
+  );
+
+  return data.callback_url;
+}
+
+/**
+ * Resolve a callback URL, registering with the platform when containerized.
+ *
+ * When platform callbacks are enabled, registers the route and returns the
+ * platform's stable callback URL (optionally with query parameters appended).
+ * Otherwise evaluates the lazy direct URL supplier and returns that value.
+ *
+ * The `directUrl` parameter is a **lazy supplier** (a function returning a
+ * string) rather than an eagerly-evaluated string. This is critical because
+ * the direct URL builders (e.g. `getTwilioVoiceWebhookUrl`) call
+ * `getPublicBaseUrl()` which throws when no public ingress URL is configured.
+ * In containerized environments that rely solely on platform callbacks, the
+ * direct URL is never needed — deferring evaluation avoids the throw.
+ *
+ * @param directUrl - Lazy supplier for the direct callback URL.
+ * @param callbackPath - The path to register (e.g. "webhooks/twilio/voice").
+ * @param type - The route type identifier.
+ * @param queryParams - Optional query parameters to append to the resolved URL.
+ * @returns The resolved callback URL.
+ */
+export async function resolveCallbackUrl(
+  directUrl: () => string,
+  callbackPath: string,
+  type: string,
+  queryParams?: Record<string, string>,
+): Promise<string> {
+  if (!shouldUsePlatformCallbacks()) {
+    return directUrl();
+  }
+
+  try {
+    let url = await registerCallbackRoute(callbackPath, type);
+    if (queryParams && Object.keys(queryParams).length > 0) {
+      const params = new URLSearchParams(queryParams);
+      const separator = url.includes('?') ? '&' : '?';
+      url = `${url}${separator}${params.toString()}`;
+    }
+    return url;
+  } catch (err) {
+    log.warn(
+      { err, callbackPath, type },
+      'Failed to register platform callback route, falling back to direct URL',
+    );
+    try {
+      return directUrl();
+    } catch (fallbackErr) {
+      log.error(
+        { fallbackErr, callbackPath, type },
+        'Direct URL fallback also failed after platform registration failure',
+      );
+      throw err;
+    }
+  }
+}

package/src/memory/canonical-guardian-store.ts

@@ -292,7 +292,7 @@ export interface UpdateCanonicalGuardianRequestParams {
   status?: CanonicalRequestStatus;
   answerText?: string;
   decidedByExternalUserId?: string;
-  followupState?: string;
+  followupState?: string | null;
   expiresAt?: string;
 }
 

package/src/memory/db-init.ts

@@ -1,6 +1,7 @@
 import { getDb } from './db-connection.js';
 import {
   addCoreColumns,
+  createActorTokenRecordsTable,
   createAssistantInboxTables,
   createCallSessionsTables,
   createCanonicalGuardianTables,
@@ -169,5 +170,8 @@ export function initializeDb(): void {
   // 27. Voice invite display metadata (friend_name, guardian_name) for personalized prompts
   migrateVoiceInviteDisplayMetadata(database);
 
+  // 28. Actor token records (hash-only actor token persistence)
+  createActorTokenRecordsTable(database);
+
   validateMigrationState(database);
 }

package/src/memory/migrations/038-actor-token-records.ts

@@ -0,0 +1,39 @@
+import type { DrizzleDb } from '../db-connection.js';
+
+/**
+ * Create the actor_token_records table for hash-only actor token persistence.
+ *
+ * Stores the SHA-256 hash of each actor token alongside metadata for
+ * verification and revocation. The raw token plaintext is never stored.
+ */
+export function createActorTokenRecordsTable(database: DrizzleDb): void {
+  database.run(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS actor_token_records (
+      id TEXT PRIMARY KEY,
+      token_hash TEXT NOT NULL,
+      assistant_id TEXT NOT NULL,
+      guardian_principal_id TEXT NOT NULL,
+      hashed_device_id TEXT NOT NULL,
+      platform TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'active',
+      issued_at INTEGER NOT NULL,
+      expires_at INTEGER,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  // Unique active token per device binding
+  database.run(
+    /*sql*/ `CREATE UNIQUE INDEX IF NOT EXISTS idx_actor_tokens_active_device
+      ON actor_token_records(assistant_id, guardian_principal_id, hashed_device_id)
+      WHERE status = 'active'`,
+  );
+
+  // Token hash lookup for verification
+  database.run(
+    /*sql*/ `CREATE INDEX IF NOT EXISTS idx_actor_tokens_hash
+      ON actor_token_records(token_hash)
+      WHERE status = 'active'`,
+  );
+}

package/src/memory/migrations/index.ts

@@ -39,6 +39,7 @@ export { migrateGuardianActionToolMetadata } from './034-guardian-action-tool-me
 export { migrateGuardianActionSupersession } from './035-guardian-action-supersession.js';
 export { migrateNormalizePhoneIdentities } from './036-normalize-phone-identities.js';
 export { migrateVoiceInviteColumns } from './037-voice-invite-columns.js';
+export { createActorTokenRecordsTable } from './038-actor-token-records.js';
 export { createCoreTables } from './100-core-tables.js';
 export { createWatchersAndLogsTables } from './101-watchers-and-logs.js';
 export { addCoreColumns } from './102-alter-table-columns.js';

package/src/memory/schema.ts

@@ -1143,6 +1143,22 @@ export const conversationAssistantAttentionState = sqliteTable('conversation_ass
   index('idx_conv_attn_state_assistant_last_seen').on(table.assistantId, table.lastSeenAssistantMessageAt),
 ]);
 
+// ── Actor Token Records ──────────────────────────────────────────────
+
+export const actorTokenRecords = sqliteTable('actor_token_records', {
+  id: text('id').primaryKey(),
+  tokenHash: text('token_hash').notNull(),
+  assistantId: text('assistant_id').notNull(),
+  guardianPrincipalId: text('guardian_principal_id').notNull(),
+  hashedDeviceId: text('hashed_device_id').notNull(),
+  platform: text('platform').notNull(),
+  status: text('status').notNull().default('active'),
+  issuedAt: integer('issued_at').notNull(),
+  expiresAt: integer('expires_at'),
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
 // ── Scoped Approval Grants ──────────────────────────────────────────
 
 export const scopedApprovalGrants = sqliteTable('scoped_approval_grants', {

package/src/messaging/provider-types.ts

@@ -81,3 +81,27 @@ export interface SendOptions {
   /** Optional assistant scope for multi-assistant channels. */
   assistantId?: string;
 }
+
+/** Result from a sender digest scan — groups messages by sender for bulk cleanup. */
+export interface SenderDigestEntry {
+  id: string;
+  displayName: string;
+  email: string;
+  messageCount: number;
+  hasUnsubscribe: boolean;
+  newestMessageId: string;
+  searchQuery: string;
+  messageIds: string[];
+  hasMore: boolean;
+}
+
+export interface SenderDigestResult {
+  senders: SenderDigestEntry[];
+  totalScanned: number;
+  queryUsed: string;
+}
+
+export interface ArchiveResult {
+  archived: number;
+  truncated?: boolean;
+}

package/src/messaging/provider.ts

@@ -6,6 +6,7 @@
  */
 
 import type {
+  ArchiveResult,
   ConnectionInfo,
   Conversation,
   HistoryOptions,
@@ -13,6 +14,7 @@ import type {
   Message,
   SearchOptions,
   SearchResult,
+  SenderDigestResult,
   SendOptions,
   SendResult,
 } from './provider-types.js';
@@ -38,6 +40,11 @@ export interface MessagingProvider {
   getThreadReplies?(token: string, conversationId: string, threadId: string, options?: HistoryOptions): Promise<Message[]>;
   markRead?(token: string, conversationId: string, messageId?: string): Promise<void>;
 
+  /** Scan messages and group by sender for bulk cleanup (e.g. newsletter decluttering). */
+  senderDigest?(token: string, query: string, options?: { maxMessages?: number; maxSenders?: number }): Promise<SenderDigestResult>;
+  /** Archive messages matching a search query. */
+  archiveByQuery?(token: string, query: string): Promise<ArchiveResult>;
+
   /**
    * Override the default credential check used by getConnectedProviders().
    * When present, the registry calls this instead of looking for

package/src/messaging/providers/gmail/adapter.ts

@@ -7,6 +7,7 @@
 
 import type { MessagingProvider } from '../../provider.js';
 import type {
+  ArchiveResult,
   ConnectionInfo,
   Conversation,
   HistoryOptions,
@@ -14,6 +15,8 @@ import type {
   Message,
   SearchOptions,
   SearchResult,
+  SenderDigestEntry,
+  SenderDigestResult,
   SendOptions,
   SendResult,
 } from '../../provider-types.js';
@@ -191,4 +194,128 @@ export const gmailMessagingProvider: MessagingProvider = {
     if (!messageId) return;
     await gmail.modifyMessage(token, messageId, { removeLabelIds: ['UNREAD'] });
   },
+
+  async senderDigest(token: string, query: string, options?: { maxMessages?: number; maxSenders?: number }): Promise<SenderDigestResult> {
+    const maxMessages = Math.min(options?.maxMessages ?? 500, 2000);
+    const maxSenders = options?.maxSenders ?? 30;
+    const maxIdsPerSender = 1000;
+
+    const allMessageIds: string[] = [];
+    let pageToken: string | undefined;
+
+    while (allMessageIds.length < maxMessages) {
+      const pageSize = Math.min(100, maxMessages - allMessageIds.length);
+      const listResp = await gmail.listMessages(token, query, pageSize, pageToken);
+      const ids = (listResp.messages ?? []).map((m) => m.id);
+      if (ids.length === 0) break;
+      allMessageIds.push(...ids);
+      pageToken = listResp.nextPageToken ?? undefined;
+      if (!pageToken) break;
+    }
+
+    if (allMessageIds.length === 0) {
+      return { senders: [], totalScanned: 0, queryUsed: query };
+    }
+
+    const messages = await gmail.batchGetMessages(token, allMessageIds, 'metadata', [
+      'From', 'List-Unsubscribe',
+    ]);
+
+    const senderMap = new Map<string, {
+      displayName: string; email: string; messageCount: number;
+      hasUnsubscribe: boolean; newestMessageId: string;
+      newestUnsubscribableMessageId: string | null; newestUnsubscribableEpoch: number;
+      messageIds: string[]; hasMore: boolean;
+    }>();
+
+    for (const msg of messages) {
+      const headers = msg.payload?.headers ?? [];
+      const fromHeader = headers.find((h) => h.name.toLowerCase() === 'from')?.value ?? '';
+      const listUnsub = headers.find((h) => h.name.toLowerCase() === 'list-unsubscribe')?.value;
+
+      const match = fromHeader.match(/^(.+?)\s*<([^>]+)>$/);
+      const email = match ? match[2].toLowerCase() : fromHeader.trim().toLowerCase();
+      const displayName = match ? match[1].replace(/^["']|["']$/g, '').trim() : '';
+      if (!email) continue;
+
+      let agg = senderMap.get(email);
+      if (!agg) {
+        agg = {
+          displayName, email, messageCount: 0, hasUnsubscribe: false,
+          newestMessageId: msg.id, newestUnsubscribableMessageId: null,
+          newestUnsubscribableEpoch: 0, messageIds: [], hasMore: false,
+        };
+        senderMap.set(email, agg);
+      }
+
+      agg.messageCount++;
+      if (listUnsub) agg.hasUnsubscribe = true;
+      if (!agg.displayName && displayName) agg.displayName = displayName;
+
+      if (agg.messageIds.length < maxIdsPerSender) {
+        agg.messageIds.push(msg.id);
+      } else {
+        agg.hasMore = true;
+      }
+
+      const msgEpoch = msg.internalDate ? Number(msg.internalDate) : 0;
+      if (listUnsub && msgEpoch >= agg.newestUnsubscribableEpoch) {
+        agg.newestUnsubscribableMessageId = msg.id;
+        agg.newestUnsubscribableEpoch = msgEpoch;
+      }
+    }
+
+    const sorted = [...senderMap.values()]
+      .sort((a, b) => b.messageCount - a.messageCount)
+      .slice(0, maxSenders);
+
+    const senders: SenderDigestEntry[] = sorted.map((s) => ({
+      id: Buffer.from(s.email).toString('base64url'),
+      displayName: s.displayName || s.email.split('@')[0],
+      email: s.email,
+      messageCount: s.messageCount,
+      hasUnsubscribe: s.hasUnsubscribe,
+      newestMessageId: (s.hasUnsubscribe && s.newestUnsubscribableMessageId)
+        ? s.newestUnsubscribableMessageId
+        : s.newestMessageId,
+      searchQuery: `from:${s.email} ${query}`,
+      messageIds: s.messageIds,
+      hasMore: s.hasMore,
+    }));
+
+    return { senders, totalScanned: allMessageIds.length, queryUsed: query };
+  },
+
+  async archiveByQuery(token: string, query: string): Promise<ArchiveResult> {
+    const maxMessages = 5000;
+    const batchModifyLimit = 1000;
+
+    const allMessageIds: string[] = [];
+    let pageToken: string | undefined;
+    let truncated = false;
+
+    while (allMessageIds.length < maxMessages) {
+      const listResp = await gmail.listMessages(token, query, Math.min(500, maxMessages - allMessageIds.length), pageToken);
+      const ids = (listResp.messages ?? []).map((m) => m.id);
+      if (ids.length === 0) break;
+      allMessageIds.push(...ids);
+      pageToken = listResp.nextPageToken ?? undefined;
+      if (!pageToken) break;
+    }
+
+    if (allMessageIds.length >= maxMessages && pageToken) {
+      truncated = true;
+    }
+
+    if (allMessageIds.length === 0) {
+      return { archived: 0 };
+    }
+
+    for (let i = 0; i < allMessageIds.length; i += batchModifyLimit) {
+      const chunk = allMessageIds.slice(i, i + batchModifyLimit);
+      await gmail.batchModifyMessages(token, chunk, { removeLabelIds: ['INBOX'] });
+    }
+
+    return { archived: allMessageIds.length, truncated };
+  },
 };

package/src/messaging/providers/sms/adapter.ts

@@ -18,6 +18,7 @@ import { getGatewayInternalBaseUrl, getTwilioPhoneNumberEnv } from '../../../con
 import { loadConfig } from '../../../config/loader.js';
 import { getOrCreateConversation } from '../../../memory/conversation-key-store.js';
 import * as externalConversationStore from '../../../memory/external-conversation-store.js';
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../../../runtime/assistant-scope.js';
 import { getSecureKey } from '../../../security/secure-keys.js';
 import { readHttpToken } from '../../../util/platform.js';
 import type { MessagingProvider } from '../../provider.js';
@@ -56,22 +57,8 @@ function hasTwilioCredentials(): boolean {
   );
 }
 
-/**
- * Resolve the configured SMS phone number.
- * Priority: assistant-scoped phone number > TWILIO_PHONE_NUMBER env > config sms.phoneNumber > secure key fallback.
- */
-function getPhoneNumber(assistantId?: string): string | undefined {
-  // Check assistant-scoped phone number first
-  if (assistantId) {
-    try {
-      const config = loadConfig();
-      const assistantPhone = config.sms?.assistantPhoneNumbers?.[assistantId];
-      if (assistantPhone) return assistantPhone;
-    } catch {
-      // Config may not be available yet during early startup
-    }
-  }
-
+/** Resolve the configured SMS phone number. */
+function getPhoneNumber(): string | undefined {
   const fromEnv = getTwilioPhoneNumberEnv();
   if (fromEnv) return fromEnv;
 
@@ -85,15 +72,6 @@ function getPhoneNumber(assistantId?: string): string | undefined {
   return getSecureKey('credential:twilio:phone_number') || undefined;
 }
 
-function hasAnyAssistantPhoneNumber(): boolean {
-  try {
-    const config = loadConfig();
-    return Object.keys(config.sms?.assistantPhoneNumbers ?? {}).length > 0;
-  } catch {
-    return false;
-  }
-}
-
 export const smsMessagingProvider: MessagingProvider = {
   id: 'sms',
   displayName: 'SMS',
@@ -106,7 +84,16 @@ export const smsMessagingProvider: MessagingProvider = {
    * the `from` for outbound messages.
    */
   isConnected(): boolean {
-    return hasTwilioCredentials() && (!!getPhoneNumber() || hasAnyAssistantPhoneNumber());
+    if (!hasTwilioCredentials()) return false;
+    if (getPhoneNumber()) return true;
+    try {
+      const config = loadConfig();
+      const mappings = config.sms?.assistantPhoneNumbers as Record<string, string> | undefined;
+      if (mappings && Object.keys(mappings).length > 0) return true;
+    } catch {
+      // Config may not be available yet
+    }
+    return false;
   },
 
   async testConnection(_token: string): Promise<ConnectionInfo> {
@@ -120,7 +107,26 @@ export const smsMessagingProvider: MessagingProvider = {
     }
 
     const phoneNumber = getPhoneNumber();
-    if (!phoneNumber && !hasAnyAssistantPhoneNumber()) {
+    if (!phoneNumber) {
+      // Mirror isConnected(): fall back to assistant-scoped phone numbers
+      try {
+        const config = loadConfig();
+        const mappings = config.sms?.assistantPhoneNumbers as Record<string, string> | undefined;
+        if (mappings && Object.keys(mappings).length > 0) {
+          const accountSid = getSecureKey('credential:twilio:account_sid')!;
+          return {
+            connected: true,
+            user: 'assistant-scoped',
+            platform: 'sms',
+            metadata: {
+              accountSid: accountSid.slice(0, 6) + '...',
+              assistantPhoneNumbers: Object.keys(mappings).length,
+            },
+          };
+        }
+      } catch {
+        // Config may not be available yet
+      }
       return {
         connected: false,
         user: 'unknown',
@@ -133,12 +139,11 @@ export const smsMessagingProvider: MessagingProvider = {
 
     return {
       connected: true,
-      user: phoneNumber ?? 'assistant-scoped numbers configured',
+      user: phoneNumber,
       platform: 'sms',
       metadata: {
         accountSid: accountSid.slice(0, 6) + '...',
-        ...(phoneNumber ? { phoneNumber } : {}),
-        hasAssistantScopedPhoneNumbers: hasAnyAssistantPhoneNumber(),
+        phoneNumber,
       },
     };
   },
@@ -152,16 +157,14 @@ export const smsMessagingProvider: MessagingProvider = {
 
     // Upsert external conversation binding so the conversation key mapping
     // exists for the next inbound SMS from this number.
+    const isSelfScope = !assistantId || assistantId === DAEMON_INTERNAL_ASSISTANT_ID;
     try {
       const sourceChannel = 'sms';
-      const conversationKey = assistantId && assistantId !== 'self'
-        ? `asst:${assistantId}:${sourceChannel}:${conversationId}`
-        : `${sourceChannel}:${conversationId}`;
+      const conversationKey = isSelfScope
+        ? `${sourceChannel}:${conversationId}`
+        : `asst:${assistantId}:${sourceChannel}:${conversationId}`;
       const { conversationId: internalId } = getOrCreateConversation(conversationKey);
-      // external_conversation_bindings is assistant-agnostic (unique by
-      // sourceChannel + externalChatId). Restrict proactive writes to self so
-      // multi-assistant sends cannot clobber each other's binding metadata.
-      if (!assistantId || assistantId === 'self') {
+      if (isSelfScope) {
         externalConversationStore.upsertOutboundBinding({
           conversationId: internalId,
           sourceChannel,