@vellumai/assistant 0.4.33 → 0.4.34

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.33",
+  "version": "0.4.34",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"

package/src/__tests__/access-request-decision.test.ts

@@ -99,7 +99,6 @@ function createTestApproval(overrides: Record<string, unknown> = {}) {
   return createApprovalRequest({
     runId: `ingress-access-request-${Date.now()}`,
     conversationId: `access-req-telegram-user-unknown-456`,
-    assistantId: "self",
     channel: "telegram",
     requesterExternalUserId: "user-unknown-456",
     requesterChatId: "chat-123",
@@ -157,7 +156,7 @@ describe("access request decision handler", () => {
     expect(result.type).toBe("approved");
 
     // There should be an active session for this channel
-    const session = findActiveSession("self", "telegram");
+    const session = findActiveSession("telegram");
     expect(session).not.toBeNull();
     expect(session!.expectedExternalUserId).toBe("user-unknown-456");
     expect(session!.expectedChatId).toBe("chat-123");
@@ -186,7 +185,7 @@ describe("access request decision handler", () => {
     expect(updated!.decidedByExternalUserId).toBe("guardian-user-789");
 
     // No verification session should be created
-    const session = findActiveSession("self", "telegram");
+    const session = findActiveSession("telegram");
     expect(session).toBeNull();
   });
 

package/src/__tests__/actor-token-service.test.ts

@@ -129,7 +129,6 @@ describe("actor-token store (hash-only)", () => {
 
     const record = createActorTokenRecord({
       tokenHash,
-      assistantId: "self",
       guardianPrincipalId: "principal-store",
       hashedDeviceId: "hashed-dev-store",
       platform: "macos",
@@ -148,7 +147,6 @@ describe("actor-token store (hash-only)", () => {
 
     createActorTokenRecord({
       tokenHash,
-      assistantId: "self",
       guardianPrincipalId: "principal-bind",
       hashedDeviceId: "hashed-dev-bind",
       platform: "ios",
@@ -156,7 +154,6 @@ describe("actor-token store (hash-only)", () => {
     });
 
     const found = findActiveByDeviceBinding(
-      "self",
       "principal-bind",
       "hashed-dev-bind",
     );
@@ -169,7 +166,6 @@ describe("actor-token store (hash-only)", () => {
 
     createActorTokenRecord({
       tokenHash,
-      assistantId: "self",
       guardianPrincipalId: "principal-revoke",
       hashedDeviceId: "hashed-dev-revoke",
       platform: "macos",
@@ -177,7 +173,6 @@ describe("actor-token store (hash-only)", () => {
     });
 
     const count = revokeByDeviceBinding(
-      "self",
       "principal-revoke",
       "hashed-dev-revoke",
     );
@@ -192,7 +187,6 @@ describe("actor-token store (hash-only)", () => {
 
     createActorTokenRecord({
       tokenHash,
-      assistantId: "self",
       guardianPrincipalId: "principal-single",
       hashedDeviceId: "hashed-dev-single",
       platform: "macos",
@@ -213,7 +207,7 @@ describe("guardian vellum migration", () => {
     const principalId = ensureVellumGuardianBinding("self");
     expect(principalId).toMatch(/^vellum-principal-/);
 
-    const guardianResult = findGuardianForChannel("vellum", "self");
+    const guardianResult = findGuardianForChannel("vellum");
     expect(guardianResult).not.toBeNull();
     expect(guardianResult!.contact.principalId).toBe(principalId);
     expect(guardianResult!.channel.verifiedVia).toBe("startup-migration");
@@ -227,7 +221,6 @@ describe("guardian vellum migration", () => {
 
   test("ensureVellumGuardianBinding preserves existing bindings for other channels", () => {
     createGuardianBinding({
-      assistantId: "self",
       channel: "telegram",
       guardianExternalUserId: "tg-user-123",
       guardianDeliveryChatId: "tg-chat-456",
@@ -237,11 +230,11 @@ describe("guardian vellum migration", () => {
 
     ensureVellumGuardianBinding("self");
 
-    const tgGuardian = findGuardianForChannel("telegram", "self");
+    const tgGuardian = findGuardianForChannel("telegram");
     expect(tgGuardian).not.toBeNull();
     expect(tgGuardian!.channel.externalUserId).toBe("tg-user-123");
 
-    const vGuardian = findGuardianForChannel("vellum", "self");
+    const vGuardian = findGuardianForChannel("vellum");
     expect(vGuardian).not.toBeNull();
   });
 });
@@ -439,7 +432,7 @@ describe("resolveLocalIpcAuthContext", () => {
 
   test("enriches actorPrincipalId from vellum guardian binding when present", () => {
     ensureVellumGuardianBinding("self");
-    const guardianResult = findGuardianForChannel("vellum", "self");
+    const guardianResult = findGuardianForChannel("vellum");
     expect(guardianResult).toBeTruthy();
 
     const ctx = resolveLocalIpcAuthContext("session-123");

package/src/__tests__/approval-primitive.test.ts

@@ -60,7 +60,6 @@ afterAll(() => {
 function mintParams(overrides: Partial<MintGrantParams> = {}): MintGrantParams {
   const futureExpiry = new Date(Date.now() + 60_000).toISOString();
   return {
-    assistantId: "self",
     scopeMode: "request_id",
     requestChannel: "telegram",
     decisionChannel: "telegram",
@@ -177,7 +176,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
       toolName: "shell",
       inputDigest: computeToolApprovalDigest("shell", { command: "ls" }),
       consumingRequestId: "consumer-1",
-      assistantId: "self",
     });
 
     expect(result.ok).toBe(true);
@@ -200,7 +198,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
       toolName: "shell",
       inputDigest: digest,
       consumingRequestId: "consumer-2",
-      assistantId: "self",
     });
 
     expect(result.ok).toBe(true);
@@ -224,7 +221,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
       toolName: "shell",
       inputDigest: digest,
       consumingRequestId: "consumer-3",
-      assistantId: "self",
     });
 
     expect(result.ok).toBe(true);
@@ -242,7 +238,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
         toolName: "shell",
         inputDigest: computeToolApprovalDigest("shell", { command: "ls" }),
         consumingRequestId: "consumer-miss",
-        assistantId: "self",
       },
       { maxWaitMs: 0 },
     );
@@ -267,7 +262,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
         toolName: "file_write",
         inputDigest: digest,
         consumingRequestId: "consumer-mismatch-tool",
-        assistantId: "self",
       },
       { maxWaitMs: 0 },
     );
@@ -293,32 +287,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
           command: "rm -rf /",
         }),
         consumingRequestId: "consumer-mismatch-input",
-        assistantId: "self",
-      },
-      { maxWaitMs: 0 },
-    );
-
-    expect(result.ok).toBe(false);
-    if (result.ok) return;
-    expect(result.reason).toBe("no_match");
-  });
-
-  test("miss: assistant ID mismatch", async () => {
-    mintGrantFromDecision(
-      mintParams({
-        scopeMode: "request_id",
-        requestId: "req-assist",
-        assistantId: "assistant-A",
-      }),
-    );
-
-    const result = await consumeGrantForInvocation(
-      {
-        requestId: "req-assist",
-        toolName: "shell",
-        inputDigest: computeToolApprovalDigest("shell", {}),
-        consumingRequestId: "consumer-assist-mismatch",
-        assistantId: "assistant-B",
       },
       { maxWaitMs: 0 },
     );
@@ -344,7 +312,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
         toolName: "shell",
         inputDigest: computeToolApprovalDigest("shell", {}),
         consumingRequestId: "consumer-expired",
-        assistantId: "self",
       },
       { maxWaitMs: 0 },
     );
@@ -368,7 +335,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
       toolName: "shell",
       inputDigest: computeToolApprovalDigest("shell", {}),
       consumingRequestId: "consumer-first",
-      assistantId: "self",
     });
     expect(first.ok).toBe(true);
 
@@ -378,7 +344,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
         toolName: "shell",
         inputDigest: computeToolApprovalDigest("shell", {}),
         consumingRequestId: "consumer-second",
-        assistantId: "self",
       },
       { maxWaitMs: 0 },
     );
@@ -401,7 +366,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
       toolName: "shell",
       inputDigest: digest,
       consumingRequestId: "consumer-sig-first",
-      assistantId: "self",
     });
     expect(first.ok).toBe(true);
 
@@ -410,7 +374,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
         toolName: "shell",
         inputDigest: digest,
         consumingRequestId: "consumer-sig-second",
-        assistantId: "self",
       },
       { maxWaitMs: 0 },
     );
@@ -439,7 +402,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
       toolName: "shell",
       inputDigest: digest,
       consumingRequestId: "consumer-ctx",
-      assistantId: "self",
       conversationId: "conv-ctx",
       callSessionId: "call-ctx",
     });
@@ -463,7 +425,6 @@ describe("approval-primitive / consumeGrantForInvocation", () => {
         toolName: "shell",
         inputDigest: digest,
         consumingRequestId: "consumer-ctx-mismatch",
-        assistantId: "self",
         conversationId: "conv-B",
       },
       { maxWaitMs: 0 },
@@ -497,7 +458,6 @@ describe("approval-primitive / consumeGrantForInvocation retry", () => {
       toolName: "shell",
       inputDigest: digest,
       consumingRequestId: "consumer-async-immediate",
-      assistantId: "self",
     });
     const elapsed = Date.now() - start;
 
@@ -528,7 +488,6 @@ describe("approval-primitive / consumeGrantForInvocation retry", () => {
         toolName: "shell",
         inputDigest: digest,
         consumingRequestId: "consumer-async-delayed",
-        assistantId: "self",
       },
       { maxWaitMs: 5_000, intervalMs: 100 },
     );
@@ -553,7 +512,6 @@ describe("approval-primitive / consumeGrantForInvocation retry", () => {
         toolName: "shell",
         inputDigest: digest,
         consumingRequestId: "consumer-async-timeout",
-        assistantId: "self",
       },
       { maxWaitMs: 500, intervalMs: 100 },
     );
@@ -580,7 +538,6 @@ describe("approval-primitive / consumeGrantForInvocation retry", () => {
         toolName: "shell",
         inputDigest: digest,
         consumingRequestId: "consumer-aborted",
-        assistantId: "self",
       },
       { maxWaitMs: 2_000, intervalMs: 50, signal: controller.signal },
     );
@@ -606,7 +563,6 @@ describe("approval-primitive / consumeGrantForInvocation retry", () => {
         toolName: "shell",
         inputDigest: digest,
         consumingRequestId: "consumer-pre-aborted",
-        assistantId: "self",
       },
       { maxWaitMs: 2_000, intervalMs: 50, signal: controller.signal },
     );
@@ -628,7 +584,6 @@ describe("approval-primitive / consumeGrantForInvocation retry", () => {
         toolName: "shell",
         inputDigest: digest,
         consumingRequestId: "consumer-no-retry",
-        assistantId: "self",
       },
       { maxWaitMs: 0 },
     );

package/src/__tests__/assistant-id-boundary-guard.test.ts

@@ -18,6 +18,8 @@ import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
  *  - No assistant-scoped route handlers in the daemon HTTP server
  *  - No hardcoded `'self'` string for assistant scoping (use the constant)
  *  - The constant itself equals `'self'`
+ *  - No `assistantId` columns in daemon SQLite schema definitions
+ *  - No `assistantId` parameter in daemon store function signatures
  */
 
 // ---------------------------------------------------------------------------
@@ -466,4 +468,152 @@ describe("assistant ID boundary", () => {
       ).not.toContain("assistantId");
     }
   });
+
+  // -------------------------------------------------------------------------
+  // Rule (f): No assistantId columns in daemon SQLite schema definitions
+  //
+  // The daemon is assistant-agnostic — it uses DAEMON_INTERNAL_ASSISTANT_ID
+  // implicitly. Schema files must not define assistantId columns, which would
+  // re-introduce assistant-scoped storage in the daemon layer.
+  // -------------------------------------------------------------------------
+
+  test("no assistantId columns in daemon SQLite schema definitions", () => {
+    const repoRoot = getRepoRoot();
+
+    // Scan all Drizzle schema files for assistantId column definitions.
+    // The Drizzle ORM pattern is `assistantId: text(` for defining a text
+    // column named assistantId.
+    const schemaGlobs = [
+      "assistant/src/memory/schema/*.ts",
+      "assistant/src/memory/schema/**/*.ts",
+    ];
+
+    let grepOutput = "";
+    try {
+      grepOutput = execFileSync(
+        "git",
+        ["grep", "-nE", "assistantId\\s*:\\s*text\\(", "--", ...schemaGlobs],
+        { encoding: "utf-8", cwd: repoRoot },
+      ).trim();
+    } catch (err) {
+      // Exit code 1 means no matches — happy path
+      if ((err as { status?: number }).status === 1) {
+        return;
+      }
+      throw err;
+    }
+
+    const lines = grepOutput.split("\n").filter((l) => l.length > 0);
+    const violations = lines.filter((line) => {
+      // Allow comments
+      const parts = line.split(":");
+      const content = parts.slice(2).join(":").trim();
+      if (
+        content.startsWith("//") ||
+        content.startsWith("*") ||
+        content.startsWith("/*")
+      ) {
+        return false;
+      }
+      return true;
+    });
+
+    if (violations.length > 0) {
+      const message = [
+        "Found `assistantId` column definitions in daemon SQLite schema files.",
+        "`assistantId` columns are not allowed in daemon schema — the daemon uses",
+        "`DAEMON_INTERNAL_ASSISTANT_ID` implicitly and is assistant-agnostic.",
+        "",
+        "Violations:",
+        ...violations.map((v) => `  - ${v}`),
+      ].join("\n");
+
+      expect(violations, message).toEqual([]);
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (g): No assistantId parameter in daemon store function signatures
+  //
+  // Store functions in the daemon layer must not accept assistantId as a
+  // parameter. The daemon is assistant-agnostic — all assistant scoping
+  // uses DAEMON_INTERNAL_ASSISTANT_ID internally.
+  // -------------------------------------------------------------------------
+
+  test("no assistantId parameter in daemon store function signatures", () => {
+    const repoRoot = getRepoRoot();
+
+    // Scan store files for exported function signatures that include
+    // assistantId as a parameter. This covers memory stores, contact stores,
+    // notification stores, credential/token stores, and call stores.
+    const storeGlobs = [
+      "assistant/src/memory/*.ts",
+      "assistant/src/contacts/*.ts",
+      "assistant/src/notifications/*.ts",
+      "assistant/src/runtime/auth/credential-service.ts",
+      "assistant/src/runtime/actor-token-store.ts",
+      "assistant/src/runtime/actor-refresh-token-store.ts",
+      "assistant/src/calls/call-store.ts",
+    ];
+
+    // Match exported function declarations/expressions with assistantId in
+    // their parameter lists. Patterns:
+    //   export function foo(assistantId
+    //   export function foo(bar, assistantId
+    //   export async function foo(assistantId
+    //   export const foo = (assistantId
+    //   export const foo = async (assistantId
+    // We use a broad pattern that catches assistantId appearing after an
+    // opening paren in an export context.
+    const pattern =
+      "export\\s+(async\\s+)?function\\s+\\w+\\s*\\([^)]*assistantId|export\\s+const\\s+\\w+\\s*=\\s*(async\\s+)?\\([^)]*assistantId";
+
+    let grepOutput = "";
+    try {
+      grepOutput = execFileSync(
+        "git",
+        ["grep", "-nE", pattern, "--", ...storeGlobs],
+        { encoding: "utf-8", cwd: repoRoot },
+      ).trim();
+    } catch (err) {
+      // Exit code 1 means no matches — happy path
+      if ((err as { status?: number }).status === 1) {
+        return;
+      }
+      throw err;
+    }
+
+    const allLines = grepOutput.split("\n").filter((l) => l.length > 0);
+    const violations = allLines.filter((line) => {
+      const filePath = line.split(":")[0];
+      if (isTestFile(filePath)) return false;
+      if (isMigrationFile(filePath)) return false;
+
+      // Allow comments
+      const parts = line.split(":");
+      const content = parts.slice(2).join(":").trim();
+      if (
+        content.startsWith("//") ||
+        content.startsWith("*") ||
+        content.startsWith("/*")
+      ) {
+        return false;
+      }
+
+      return true;
+    });
+
+    if (violations.length > 0) {
+      const message = [
+        "Found daemon store functions with `assistantId` in their parameter signatures.",
+        "Store functions must not accept `assistantId` — the daemon is assistant-agnostic",
+        "and uses `DAEMON_INTERNAL_ASSISTANT_ID` implicitly.",
+        "",
+        "Violations:",
+        ...violations.map((v) => `  - ${v}`),
+      ].join("\n");
+
+      expect(violations, message).toEqual([]);
+    }
+  });
 });

package/src/__tests__/callback-handoff-copy.test.ts

@@ -15,7 +15,6 @@ function buildSignal(
 ): NotificationSignal {
   return {
     signalId: "test-signal-1",
-    assistantId: "self",
     createdAt: Date.now(),
     sourceChannel: "voice",
     sourceSessionId: "test-session-1",