@vellumai/assistant 0.4.31 → 0.4.33

package/src/runtime/routes/inbound-message-handler.ts

@@ -11,6 +11,7 @@ import {
   parseInterfaceId,
 } from "../../channels/types.js";
 import { getChannelPermissionProfile } from "../../config/channel-permission-profiles.js";
+import { touchContactInteraction } from "../../contacts/contacts-write.js";
 import type { TrustContext } from "../../daemon/session-runtime-assembly.js";
 import * as attachmentsStore from "../../memory/attachments-store.js";
 import * as channelDeliveryStore from "../../memory/channel-delivery-store.js";
@@ -44,9 +45,6 @@ import { handleGuardianReplyIntercept } from "./inbound-stages/guardian-reply-in
 import { runSecretIngressCheck } from "./inbound-stages/secret-ingress-check.js";
 import { handleVerificationIntercept } from "./inbound-stages/verification-intercept.js";
 
-import "../channel-invite-transports/telegram.js";
-import "../channel-invite-transports/voice.js";
-
 const log = getLogger("runtime-http");
 
 export async function handleChannelInbound(
@@ -251,6 +249,7 @@ export async function handleChannelInbound(
       canonicalAssistantId,
       assistantId,
       content,
+      contactId: resolvedMember?.contact.id,
     });
   }
 
@@ -302,6 +301,13 @@ export async function handleChannelInbound(
     }
   }
 
+  // Track contact interaction only for genuinely new messages (not webhook
+  // retries). This was previously in ACL enforcement which runs before dedup,
+  // causing retries to inflate interaction counts.
+  if (!result.duplicate && resolvedMember) {
+    touchContactInteraction(resolvedMember.contact.id);
+  }
+
   // external_conversation_bindings is assistant-agnostic. Restrict writes to
   // self so assistant-scoped legacy routes do not overwrite each other's
   // channel binding metadata for the same chat.

package/src/runtime/routes/inbound-stages/acl-enforcement.ts

@@ -6,12 +6,10 @@
  * Extracted from inbound-message-handler.ts to keep the top-level handler
  * focused on orchestration.
  */
+import { isInviteCodeRedemptionEnabled } from "../../../channels/config.js";
 import type { ChannelId } from "../../../channels/types.js";
 import { findContactChannel } from "../../../contacts/contact-store.js";
-import {
-  touchChannelLastSeen,
-  touchContactInteraction,
-} from "../../../contacts/contacts-write.js";
+import { touchChannelLastSeen } from "../../../contacts/contacts-write.js";
 import type {
   ChannelStatus,
   ContactChannel,
@@ -19,7 +17,12 @@ import type {
   MemberStatus,
 } from "../../../contacts/types.js";
 import * as channelDeliveryStore from "../../../memory/channel-delivery-store.js";
+import {
+  findByInviteCodeHash,
+  findByInviteCodeHashAnyChannel,
+} from "../../../memory/invite-store.js";
 import { getLogger } from "../../../util/logger.js";
+import { hashVoiceCode } from "../../../util/voice-code.js";
 import { notifyGuardianOfAccessRequest } from "../../access-request-helper.js";
 import {
   createOutboundSession,
@@ -27,9 +30,12 @@ import {
   getPendingChallenge,
   resolveBootstrapToken,
 } from "../../channel-guardian-service.js";
-import { getTransport } from "../../channel-invite-transport.js";
+import { getInviteAdapterRegistry } from "../../channel-invite-transport.js";
 import { deliverChannelReply } from "../../gateway-client.js";
-import { redeemInvite } from "../../invite-redemption-service.js";
+import {
+  redeemInvite,
+  redeemInviteByCode,
+} from "../../invite-redemption-service.js";
 import { getInviteRedemptionReply } from "../../invite-redemption-templates.js";
 
 const log = getLogger("runtime-http");
@@ -149,8 +155,8 @@ export async function enforceIngressAcl(
     !Array.isArray(rawCommandIntentForAcl)
       ? (rawCommandIntentForAcl as Record<string, unknown>)
       : undefined;
-  const inviteTransport = getTransport(sourceChannel);
-  const inviteToken = inviteTransport?.extractInboundToken({
+  const inviteAdapter = getInviteAdapterRegistry().get(sourceChannel);
+  const inviteToken = inviteAdapter?.extractInboundToken?.({
     commandIntent: commandIntentForAcl,
     content: trimmedContent,
     sourceMetadata,
@@ -256,6 +262,32 @@ export async function enforceIngressAcl(
           };
       }
 
+      // ── 6-digit invite code intercept (non-member) ──
+      // On channels with codeRedemptionEnabled, a bare 6-digit message may be
+      // an invite code. Attempt redemption; on failure (no matching code) fall
+      // through to normal processing — the number may be a regular message.
+      if (denyNonMember && /^\d{6}$/.test(trimmedContent)) {
+        const codeInterceptResult = await handleInviteCodeIntercept({
+          code: trimmedContent,
+          sourceChannel,
+          externalChatId: conversationExternalId,
+          externalMessageId,
+          senderExternalUserId: canonicalSenderId ?? rawSenderId,
+          senderName: actorDisplayName,
+          senderUsername: actorUsername,
+          replyCallbackUrl,
+          bearerToken: mintBearerToken(),
+          assistantId,
+          canonicalAssistantId,
+        });
+        if (codeInterceptResult)
+          return {
+            resolvedMember: null,
+            earlyResponse: codeInterceptResult,
+            guardianVerifyCode,
+          };
+      }
+
       if (denyNonMember) {
         log.info(
           { sourceChannel, externalUserId: canonicalSenderId },
@@ -462,6 +494,31 @@ export async function enforceIngressAcl(
             };
         }
 
+        // ── 6-digit invite code intercept (inactive member) ──
+        // Same as the non-member branch: codes can reactivate revoked/pending
+        // members. Non-matching codes fall through to normal processing.
+        if (denyInactiveMember && /^\d{6}$/.test(trimmedContent)) {
+          const codeInterceptResult = await handleInviteCodeIntercept({
+            code: trimmedContent,
+            sourceChannel,
+            externalChatId: conversationExternalId,
+            externalMessageId,
+            senderExternalUserId: canonicalSenderId ?? rawSenderId,
+            senderName: actorDisplayName,
+            senderUsername: actorUsername,
+            replyCallbackUrl,
+            bearerToken: mintBearerToken(),
+            assistantId,
+            canonicalAssistantId,
+          });
+          if (codeInterceptResult)
+            return {
+              resolvedMember: null,
+              earlyResponse: codeInterceptResult,
+              guardianVerifyCode,
+            };
+        }
+
         if (denyInactiveMember) {
           log.info(
             {
@@ -635,9 +692,12 @@ export async function enforceIngressAcl(
         };
       }
 
-      // 'allow' or 'escalate' — update last seen and continue
+      // 'allow' or 'escalate' — update last seen timestamp.
+      // touchContactInteraction is intentionally NOT called here because
+      // duplicate detection hasn't run yet. It's called in
+      // inbound-message-handler.ts after dedup so webhook retries don't
+      // inflate interaction counts.
       touchChannelLastSeen(resolvedMember.channel.id);
-      touchContactInteraction(resolvedMember.contact.id);
     }
   }
 
@@ -796,6 +856,231 @@ async function handleInviteTokenIntercept(params: {
   });
 }
 
+// ---------------------------------------------------------------------------
+// 6-digit invite code intercept
+// ---------------------------------------------------------------------------
+
+/**
+ * Handle a bare 6-digit message as a potential invite code redemption.
+ *
+ * Checks channel policy (codeRedemptionEnabled), attempts redemption via
+ * `redeemInviteByCode`, and returns a Response to short-circuit the handler
+ * on success. Returns `null` when the code does not match any active invite,
+ * allowing the message to fall through to normal processing.
+ */
+async function handleInviteCodeIntercept(params: {
+  code: string;
+  sourceChannel: ChannelId;
+  externalChatId: string;
+  externalMessageId: string;
+  senderExternalUserId?: string;
+  senderName?: string;
+  senderUsername?: string;
+  replyCallbackUrl?: string;
+  bearerToken?: string;
+  assistantId?: string;
+  canonicalAssistantId: string;
+}): Promise<Response | null> {
+  const {
+    code,
+    sourceChannel,
+    externalChatId,
+    externalMessageId,
+    senderExternalUserId,
+    senderName,
+    senderUsername,
+    replyCallbackUrl,
+    bearerToken,
+    assistantId,
+    canonicalAssistantId,
+  } = params;
+
+  // Skip channels that don't support code redemption
+  if (!isInviteCodeRedemptionEnabled(sourceChannel)) {
+    return null;
+  }
+
+  // Pre-check: verify a matching invite exists before committing to handle
+  // this message. A bare 6-digit number may be a regular message, so we
+  // must not record inbound dedup until we know the code maps to an invite.
+  const codeHash = hashVoiceCode(code);
+  const candidateInvite = findByInviteCodeHash(codeHash, sourceChannel);
+  if (!candidateInvite) {
+    // The code doesn't match any invite on this channel. Before falling
+    // through to normal processing, check if it matches on a different
+    // channel — if so, inform the user instead of silently ignoring it.
+    const crossChannelInvite = findByInviteCodeHashAnyChannel(codeHash);
+    if (crossChannelInvite) {
+      // Record inbound for dedup tracking — without this, duplicate webhook
+      // deliveries would re-enter ACL and send the mismatch reply again.
+      const dedupResult = channelDeliveryStore.recordInbound(
+        sourceChannel,
+        externalChatId,
+        externalMessageId,
+        { assistantId: canonicalAssistantId },
+      );
+
+      if (dedupResult.duplicate) {
+        return Response.json({
+          accepted: true,
+          duplicate: true,
+          eventId: dedupResult.eventId,
+        });
+      }
+
+      const mismatchReply = "This invite is not valid for this channel.";
+      if (replyCallbackUrl) {
+        try {
+          await deliverChannelReply(
+            replyCallbackUrl,
+            {
+              chatId: externalChatId,
+              text: mismatchReply,
+              assistantId,
+            },
+            bearerToken,
+          );
+        } catch (err) {
+          log.error(
+            { err, externalChatId },
+            "Failed to deliver invite code channel-mismatch reply",
+          );
+        }
+      }
+      channelDeliveryStore.markProcessed(dedupResult.eventId);
+      return Response.json({
+        accepted: true,
+        eventId: dedupResult.eventId,
+        denied: true,
+        inviteRedemption: "channel_mismatch",
+      });
+    }
+    return null;
+  }
+
+  // Record the inbound event for dedup tracking BEFORE performing redemption,
+  // matching the token intercept path. Without this, duplicate webhook
+  // deliveries could slip through: the first delivery redeems the invite and
+  // activates membership, then a retry finds an active member, passes ACL,
+  // and the raw 6-digit message leaks into the agent pipeline.
+  const dedupResult = channelDeliveryStore.recordInbound(
+    sourceChannel,
+    externalChatId,
+    externalMessageId,
+    { assistantId: canonicalAssistantId },
+  );
+
+  if (dedupResult.duplicate) {
+    return Response.json({
+      accepted: true,
+      duplicate: true,
+      eventId: dedupResult.eventId,
+    });
+  }
+
+  let outcome: ReturnType<typeof redeemInviteByCode>;
+  try {
+    outcome = redeemInviteByCode({
+      code,
+      sourceChannel,
+      externalUserId: senderExternalUserId,
+      externalChatId,
+      displayName: senderName,
+      username: senderUsername,
+      assistantId: canonicalAssistantId,
+    });
+  } catch (err) {
+    // Redemption threw — roll back the dedup record so webhook retries
+    // can re-attempt instead of short-circuiting as duplicates.
+    log.error(
+      { err, sourceChannel, externalChatId },
+      "Invite code intercept: redemption threw, rolling back dedup record",
+    );
+    channelDeliveryStore.deleteInbound(dedupResult.eventId);
+    throw err;
+  }
+
+  log.info(
+    {
+      sourceChannel,
+      externalChatId,
+      ok: outcome.ok,
+      type: outcome.ok ? outcome.type : undefined,
+      reason: !outcome.ok ? outcome.reason : undefined,
+    },
+    "Invite code intercept: redemption result",
+  );
+
+  // already_member: deliver acknowledgement and short-circuit
+  if (outcome.ok && outcome.type === "already_member") {
+    const replyText = getInviteRedemptionReply(outcome);
+    if (replyCallbackUrl) {
+      try {
+        await deliverChannelReply(
+          replyCallbackUrl,
+          {
+            chatId: externalChatId,
+            text: replyText,
+            assistantId,
+          },
+          bearerToken,
+        );
+      } catch (err) {
+        log.error(
+          { err, externalChatId },
+          "Failed to deliver invite code already-member reply",
+        );
+      }
+    }
+    channelDeliveryStore.markProcessed(dedupResult.eventId);
+    return Response.json({
+      accepted: true,
+      eventId: dedupResult.eventId,
+      inviteRedemption: "already_member",
+    });
+  }
+
+  const replyText = getInviteRedemptionReply(outcome);
+
+  if (replyCallbackUrl) {
+    try {
+      await deliverChannelReply(
+        replyCallbackUrl,
+        {
+          chatId: externalChatId,
+          text: replyText,
+          assistantId,
+        },
+        bearerToken,
+      );
+    } catch (err) {
+      log.error(
+        { err, externalChatId },
+        "Failed to deliver invite code redemption reply",
+      );
+    }
+  }
+
+  if (outcome.ok && outcome.type === "redeemed") {
+    channelDeliveryStore.markProcessed(dedupResult.eventId);
+    return Response.json({
+      accepted: true,
+      eventId: dedupResult.eventId,
+      inviteRedemption: "redeemed",
+      memberId: outcome.memberId,
+    });
+  }
+
+  // Failed redemption (expired, revoked, etc.) — inform and deny
+  channelDeliveryStore.markProcessed(dedupResult.eventId);
+  return Response.json({
+    accepted: true,
+    eventId: dedupResult.eventId,
+    denied: true,
+    inviteRedemption: !outcome.ok ? outcome.reason : undefined,
+  });
+}
+
 // ---------------------------------------------------------------------------
 // Slack verification challenge
 // ---------------------------------------------------------------------------

package/src/runtime/routes/inbound-stages/background-dispatch.ts

@@ -8,7 +8,8 @@
  * focused on orchestration.
  */
 import type { ChannelId, InterfaceId } from "../../../channels/types.js";
-import { resolveUserReference } from "../../../config/user-reference.js";
+import { resolveGuardianName } from "../../../config/user-reference.js";
+import { findGuardianForChannel } from "../../../contacts/contact-store.js";
 import type { TrustContext } from "../../../daemon/session-runtime-assembly.js";
 import * as channelDeliveryStore from "../../../memory/channel-delivery-store.js";
 import {
@@ -23,7 +24,6 @@ import {
   getApprovalInfoByConversation,
   getChannelApprovalPrompt,
 } from "../../channel-approvals.js";
-import { getGuardianBinding } from "../../channel-guardian-service.js";
 import { deliverChannelReply } from "../../gateway-client.js";
 import type {
   ApprovalCopyGenerator,
@@ -441,41 +441,6 @@ export function startPendingApprovalPromptWatcher(params: {
   };
 }
 
-// ---------------------------------------------------------------------------
-// Guardian display name resolver
-// ---------------------------------------------------------------------------
-
-/**
- * Resolve a human-readable guardian name from the guardian binding metadata.
- * Returns the display name, username (prefixed with @), or undefined if
- * no name is available.
- */
-export function resolveGuardianDisplayName(
-  assistantId: string,
-  sourceChannel: ChannelId,
-): string | undefined {
-  const binding = getGuardianBinding(assistantId, sourceChannel);
-  if (!binding?.metadataJson) return undefined;
-  try {
-    const parsed = JSON.parse(binding.metadataJson) as Record<string, unknown>;
-    if (
-      typeof parsed.displayName === "string" &&
-      parsed.displayName.trim().length > 0
-    ) {
-      return parsed.displayName.trim();
-    }
-    if (
-      typeof parsed.username === "string" &&
-      parsed.username.trim().length > 0
-    ) {
-      return `@${parsed.username.trim()}`;
-    }
-  } catch {
-    // ignore malformed metadata
-  }
-  return undefined;
-}
-
 // ---------------------------------------------------------------------------
 // Trusted contact approval notifier
 // ---------------------------------------------------------------------------
@@ -542,11 +507,13 @@ export function startTrustedContactApprovalNotifier(params: {
 
         if (info && !globalNotifiedApprovalRequestIds.has(info.requestId)) {
           globalNotifiedApprovalRequestIds.set(info.requestId, conversationId);
-          const guardianName =
-            resolveGuardianDisplayName(
-              assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
-              sourceChannel,
-            ) ?? resolveUserReference();
+          const guardian = findGuardianForChannel(
+            sourceChannel,
+            assistantId ?? DAEMON_INTERNAL_ASSISTANT_ID,
+          );
+          const guardianName = resolveGuardianName(
+            guardian?.contact.displayName,
+          );
           const waitingText = `Waiting for ${guardianName}'s approval...`;
           try {
             await deliverChannelReply(

package/src/runtime/routes/inbound-stages/edit-intercept.ts

@@ -11,6 +11,7 @@
  * focused on orchestration.
  */
 import type { ChannelId } from "../../../channels/types.js";
+import { touchContactInteraction } from "../../../contacts/contacts-write.js";
 import * as channelDeliveryStore from "../../../memory/channel-delivery-store.js";
 import * as conversationStore from "../../../memory/conversation-store.js";
 import { getLogger } from "../../../util/logger.js";
@@ -29,6 +30,8 @@ export interface EditInterceptParams {
   canonicalAssistantId: string;
   assistantId: string;
   content: string | undefined;
+  /** Contact ID for interaction tracking; omitted when the sender has no resolved member. */
+  contactId?: string;
 }
 
 /**
@@ -49,6 +52,7 @@ export async function handleEditIntercept(
     canonicalAssistantId,
     assistantId,
     content,
+    contactId,
   } = params;
 
   // Dedup the edit event itself (retried edited_message webhooks)
@@ -67,6 +71,12 @@ export async function handleEditIntercept(
     });
   }
 
+  // Track contact interaction only for genuinely new edit events (not webhook
+  // retries), matching the pattern used for the normal message path.
+  if (contactId) {
+    touchContactInteraction(contactId);
+  }
+
   // Retry lookup a few times -- the original message may still be processing
   // (linkMessage hasn't been called yet). Short backoff avoids losing edits
   // that arrive while the original agent loop is in progress.

package/src/runtime/routes/integration-routes.ts

@@ -48,6 +48,7 @@ import {
   startOutbound,
 } from "../guardian-outbound-actions.js";
 import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
 import { guardianVerificationLimiter } from "../verification-rate-limiter.js";
 
 /**
@@ -296,3 +297,85 @@ export async function handleCancelOutbound(req: Request): Promise<Response> {
   const status = result.success ? 200 : 400;
   return Response.json(result, { status });
 }
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function integrationRouteDefinitions(): RouteDefinition[] {
+  return [
+    // Telegram
+    {
+      endpoint: "integrations/telegram/config",
+      method: "GET",
+      handler: () => handleGetTelegramConfig(),
+    },
+    {
+      endpoint: "integrations/telegram/config",
+      method: "POST",
+      handler: async ({ req }) => handleSetTelegramConfig(req),
+    },
+    {
+      endpoint: "integrations/telegram/config",
+      method: "DELETE",
+      handler: async () => handleClearTelegramConfig(),
+    },
+    {
+      endpoint: "integrations/telegram/commands",
+      method: "POST",
+      handler: async ({ req }) => handleSetTelegramCommands(req),
+    },
+    {
+      endpoint: "integrations/telegram/setup",
+      method: "POST",
+      handler: async ({ req }) => handleSetupTelegram(req),
+    },
+    // Slack
+    {
+      endpoint: "integrations/slack/channel/config",
+      method: "GET",
+      handler: () => handleGetSlackChannelConfig(),
+    },
+    {
+      endpoint: "integrations/slack/channel/config",
+      method: "POST",
+      handler: async ({ req }) => handleSetSlackChannelConfig(req),
+    },
+    {
+      endpoint: "integrations/slack/channel/config",
+      method: "DELETE",
+      handler: () => handleClearSlackChannelConfig(),
+    },
+    // Guardian
+    {
+      endpoint: "integrations/guardian/challenge",
+      method: "POST",
+      handler: async ({ req }) => handleCreateGuardianChallenge(req),
+    },
+    {
+      endpoint: "integrations/guardian/status",
+      method: "GET",
+      handler: ({ url }) => handleGetGuardianStatus(url),
+    },
+    {
+      endpoint: "integrations/guardian/revoke",
+      method: "POST",
+      handler: async ({ req }) => handleRevokeGuardian(req),
+    },
+    {
+      endpoint: "integrations/guardian/outbound/start",
+      method: "POST",
+      handler: async ({ req }) => handleStartOutbound(req),
+    },
+    {
+      endpoint: "integrations/guardian/outbound/resend",
+      method: "POST",
+      handler: async ({ req }) => handleResendOutbound(req),
+    },
+    {
+      endpoint: "integrations/guardian/outbound/cancel",
+      method: "POST",
+      handler: async ({ req }) => handleCancelOutbound(req),
+    },
+  ];
+}

package/src/runtime/routes/invite-routes.ts

@@ -8,6 +8,7 @@
  *   POST   /v1/contacts/invites/redeem — redeem an invite (token or voice code)
  */
 
+import type { RouteDefinition } from "../http-router.js";
 import {
   createIngressInvite,
   listIngressInvites,
@@ -51,6 +52,7 @@ export async function handleCreateInvite(req: Request): Promise<Response> {
     note: body.note as string | undefined,
     maxUses: body.maxUses as number | undefined,
     expiresInMs: body.expiresInMs as number | undefined,
+    contactName: body.contactName as string | undefined,
     expectedExternalUserId: body.expectedExternalUserId as string | undefined,
     voiceCodeDigits: body.voiceCodeDigits as number | undefined,
     friendName: body.friendName as string | undefined,
@@ -138,3 +140,33 @@ export async function handleRedeemInvite(req: Request): Promise<Response> {
   }
   return Response.json({ ok: true, invite: result.data });
 }
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function inviteRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "contacts/invites",
+      method: "GET",
+      handler: ({ url }) => handleListInvites(url),
+    },
+    {
+      endpoint: "contacts/invites",
+      method: "POST",
+      handler: async ({ req }) => handleCreateInvite(req),
+    },
+    {
+      endpoint: "contacts/invites/redeem",
+      method: "POST",
+      handler: async ({ req }) => handleRedeemInvite(req),
+    },
+    {
+      endpoint: "contacts/invites/:id",
+      method: "DELETE",
+      policyKey: "contacts/invites",
+      handler: ({ params }) => handleRevokeInvite(params.id),
+    },
+  ];
+}