@vellumai/assistant 0.4.33 → 0.4.35

package/src/config/bundled-skills/google-oauth-setup/SKILL.md

@@ -1,20 +1,20 @@
 ---
 name: "Google OAuth Setup"
-description: "Set up Google Cloud OAuth credentials for Gmail and Calendar using browser automation"
+description: "Set up Google Cloud OAuth credentials for Gmail and Calendar"
 user-invocable: true
 credential-setup-for: "gmail"
-includes: ["browser", "public-ingress"]
-metadata: {"vellum": {"emoji": "\ud83d\udd11"}}
+includes: ["public-ingress"]
+metadata: { "vellum": { "emoji": "\ud83d\udd11" } }
 ---
 
 You are helping your user set up Google Cloud OAuth credentials so Gmail and Google Calendar integrations can connect.
 
 ## Client Check
 
-Determine whether the user has browser automation available (macOS desktop app) or is on a non-interactive channel (Telegram, SMS, etc.).
+Determine which setup path to use based on the user's client:
 
-- **macOS desktop app**: Follow the **Automated Setup** path below.
-- **Telegram or other channel** (no browser automation): Follow the **Manual Setup for Channels** path below.
+- **macOS desktop app**: Follow **Path B: CLI Setup** below.
+- **Telegram or other channel** (no browser automation): Follow **Path A: Manual Setup for Channels** below.
 
 ---
 
@@ -29,6 +29,7 @@ Tell the user:
 > **Setting up Gmail & Calendar from Telegram**
 >
 > Since I can't automate the browser from here, I'll walk you through each step with direct links. You'll need:
+>
 > 1. A Google account with access to Google Cloud Console
 > 2. About 5 minutes
 >
@@ -96,6 +97,7 @@ Tell the user:
 ### Channel Step 5: Create OAuth Credentials (Web Application)
 
 Before sending Step 4 to the user, resolve the concrete callback URL:
+
 - Read the configured public gateway URL (`ingress.publicBaseUrl`). If it is missing, run the `public-ingress` skill first.
 - Build `oauthCallbackUrl` as `<public gateway URL>/webhooks/oauth/callback`.
 - When you send the instructions below, replace `OAUTH_CALLBACK_URL` with that concrete value. Never send placeholders literally.
@@ -140,7 +142,7 @@ credential_store store:
 
 **Step 6b: Client Secret (requires split entry to avoid security filters)**
 
-The Client Secret starts with `GOCSPX-` which triggers the ingress secret scanner on channel messages. To work around this, ask the user to send only the portion *after* the prefix.
+The Client Secret starts with `GOCSPX-` which triggers the ingress secret scanner on channel messages. To work around this, ask the user to send only the portion _after_ the prefix.
 
 Tell the user:
 
@@ -192,229 +194,165 @@ After the user authorizes (they'll come back and say so, or you can suggest they
 
 ---
 
-# Path B: Automated Setup (macOS Desktop App)
-
-You will automate the entire GCP setup via the browser while the user watches in the Chrome window on the side. The user's only manual actions are: signing in to their Google account, and copy-pasting credentials from the Chrome window into secure prompts.
-
-## Browser Interaction Principles
-
-Google Cloud Console's UI changes frequently. Do NOT memorize or depend on specific element IDs, CSS selectors, or DOM structures. Instead:
-
-1. **Snapshot first, act second.** Before every interaction, use `browser_snapshot` to discover interactive elements and their IDs. This is your primary navigation tool; it gives you the accessibility tree with clickable/typeable element IDs. Use `browser_screenshot` for visual context when the snapshot alone isn't enough.
-2. **Adapt to what you see.** If an element's label or position differs from what you expect, use the snapshot to find the correct element. GCP may rename buttons, reorganize menus, or change form layouts at any time.
-3. **Verify after every action.** After clicking, typing, or navigating, take a new snapshot to confirm the action succeeded. If it didn't, try an alternative interaction (e.g., if a dropdown didn't open on click, try pressing Space or Enter on the element).
-4. **Never assume DOM structure.** Dropdowns may be `<select>`, `<mat-select>`, `<div role="listbox">`, or something else entirely. Use the snapshot to identify element types and interact accordingly.
-5. **When stuck after 2 attempts, describe and ask.** Take a screenshot, describe what you see to the user, and ask for guidance.
-
-## Anti-Loop Guardrails
+# Path B: CLI Setup (macOS Desktop App)
 
-Each step has a **retry budget of 3 attempts**. An attempt is one try at the step's primary action (e.g., clicking a button, filling a form). If a step fails after 3 attempts:
+**IMPORTANT: Always use `host_bash` (not `bash`) for all commands in this path.** The `gcloud` and `gws` CLIs need host access for Homebrew/npm installation, browser-based authentication, and interactive terminal prompts — none of which are available inside the sandbox.
 
-1. **Stop trying.** Do not continue retrying the same approach.
-2. **Fall back to manual.** Tell the user what you were trying to do and ask them to complete that step manually in the Chrome window (which they can see on the side). Give them the direct URL and clear text instructions.
-3. **Resume automation** at the next step once the user confirms the manual step is done.
+You will set up Google Cloud OAuth credentials using the `gcloud` and `gws` command-line tools. This avoids browser automation entirely — the user only needs to sign in once via the browser and copy-paste credentials from terminal output into secure prompts.
 
-If **two or more steps** require manual fallback, abandon the automated flow entirely and switch to giving the user the remaining steps as clear text instructions with links, using "Desktop app" as the OAuth application type.
+## CLI Step 1: Confirm
 
-## Things That Do Not Work: Do Not Attempt
-
-These actions are technically impossible in the browser automation environment. Attempting them wastes time and leads to loops:
-
-- **Downloading files.** `browser_click` on a Download button does not save files to disk. There is NO JSON file to find at `~/Downloads` or anywhere else. Never click Download buttons.
-- **Clipboard operations.** You cannot copy/paste via browser automation. The user must manually copy values from the Chrome window.
-- **Deleting and recreating OAuth clients** to get a fresh secret. This orphans the stored client_id and causes `invalid_client` errors.
-- **Navigating away from the credential dialog** before both credentials are stored. You will lose the Client Secret display and cannot get it back without creating a new client.
-
-## Step 1: Single Upfront Confirmation
-
-Use `ui_show` with `surface_type: "confirmation"`. Set `message` to just the title, and `detail` to the body:
+Use `ui_show` with `surface_type: "confirmation"`:
 
 - **message:** `Set up Google Cloud for Gmail & Calendar`
 - **detail:**
   > Here's what will happen:
-  > 1. **A browser opens on the side** so you can watch everything I do
-  > 2. **You sign in** to your Google account in the browser
-  > 3. **I automate everything** including project creation, APIs, OAuth config, and credentials
-  > 4. **One copy-paste** where I'll ask you to copy the Client Secret from the browser into a secure prompt
+  >
+  > 1. **Install CLI tools** (`gcloud` and `gws`) if not already installed
+  > 2. **You sign in** to your Google account once via the browser
+  > 3. **CLI automates everything** — project creation, APIs, consent screen, and credentials
+  > 4. **You copy-paste credentials** from the terminal output into secure prompts
   > 5. **You authorize Vellum** with one click
   >
-  > The whole thing takes 2-3 minutes. Ready?
-
-If the user declines, acknowledge and stop. No further confirmations are needed after this point.
-
-## Step 2: Open Google Cloud Console and Sign In
+  > Takes about a minute after first-time setup. Ready?
 
-**Goal:** The user is signed in and the Google Cloud Console dashboard is loaded.
-
-Navigate to `https://console.cloud.google.com/`.
-
-Take a screenshot to check the page state:
-
-- **Sign-in page:** Tell the user: "Please sign in to your Google account in the Chrome window on the right side of your screen." Then auto-detect sign-in completion by polling with `browser_screenshot` every 5-10 seconds to check if the URL has moved away from `accounts.google.com` to `console.cloud.google.com`. Do NOT ask the user to "let me know when you're done"; detect it automatically. Once sign-in is detected, tell the user: "Signed in! Starting the automated setup now..."
-- **Already signed in:** Tell the user: "Already signed in, starting setup now..." and continue immediately.
-- **CAPTCHA:** The browser automation's built-in handoff will handle this. If it persists, tell the user: "There's a CAPTCHA in the browser, please complete it and I'll continue automatically."
-
-**What you should see when done:** URL contains `console.cloud.google.com` and no sign-in overlay is visible.
-
-## Step 3: Create or Select a Project
-
-**Goal:** A GCP project named "Vellum Assistant" exists and is selected.
-
-Tell the user: "Creating Google Cloud project..."
-
-Navigate to `https://console.cloud.google.com/projectcreate`.
-
-Take a `browser_snapshot`. Find the project name input field (look for an element with label containing "Project name" or a text input near the top of the form). Type "Vellum Assistant" into it.
-
-Look for a "Create" button in the snapshot and click it. Wait 10-15 seconds for project creation, then take a screenshot to check for:
-- **Success message** or redirect to the new project dashboard. Note the project ID from the URL or page content.
-- **"Project name already in use" error**: that's fine. Navigate to `https://console.cloud.google.com/cloud-resource-manager` to find and select the existing "Vellum Assistant" project. Use `browser_extract` to read the project ID from the page.
-- **Organization restriction or quota error**: tell the user what happened and ask them to resolve it.
-
-**What you should see when done:** The project selector in the top bar shows the project name, and you have the project ID (something like `vellum-assistant-12345`).
+If the user declines, acknowledge and stop.
 
-Tell the user: "Project created!"
+## CLI Step 2: Install Prerequisites
 
-## Step 4: Enable Gmail and Calendar APIs
+Check for and install each prerequisite. If any installation fails (e.g., Homebrew not available, corporate restrictions), tell the user what went wrong and provide manual installation instructions.
 
-**Goal:** Both the Gmail API and Google Calendar API are enabled for the project.
+### gcloud
 
-Tell the user: "Enabling Gmail and Calendar APIs..."
+```bash
+which gcloud
+```
 
-Navigate to each API's library page and enable it if not already enabled:
-1. `https://console.cloud.google.com/apis/library/gmail.googleapis.com?project=PROJECT_ID`
-2. `https://console.cloud.google.com/apis/library/calendar-json.googleapis.com?project=PROJECT_ID`
+If missing:
 
-For each page: take a `browser_snapshot`. Look for:
-- **"Enable" button**: click it, wait a few seconds, take another snapshot to confirm.
-- **"Manage" button or "API enabled" text**: the API is already enabled. Skip it.
+```bash
+brew install google-cloud-sdk
+```
 
-**What you should see when done:** Both API pages show "Manage" or "API enabled" status.
+After installation, verify it works:
 
-Tell the user: "APIs enabled!"
+```bash
+gcloud --version
+```
 
-## Step 5: Configure OAuth Consent Screen
+### gws
 
-**Goal:** An OAuth consent screen is configured with External user type, the required scopes, and the user added as a test user.
+```bash
+which gws
+```
 
-Tell the user: "Setting up OAuth consent screen. This is the longest step but it's fully automated..."
+If missing:
 
-Navigate to `https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_ID`.
+```bash
+npm install -g @googleworkspace/cli
+```
 
-Take a `browser_snapshot` and `browser_screenshot`. Check the page state:
+After installation, verify it works:
 
-### If the consent screen is already configured
+```bash
+gws --version
+```
 
-You'll see a dashboard showing the app name ("Vellum Assistant" or similar) with an "Edit App" button. **Skip to Step 6.**
+## CLI Step 3: Sign In to Google
 
-### If you see a user type selection (External / Internal)
+Tell the user: "Opening your browser so you can sign in to Google..."
 
-Select **"External"** and click **Create** or **Get Started**.
+```bash
+gcloud auth login
+```
 
-### Consent screen form (wizard or single-page)
+This opens the browser for Google sign-in. Wait for the command to complete — it prints the authenticated account email on success.
 
-Google Cloud uses either a multi-page wizard or a single-page form. Adapt to what you see:
+If the user is already authenticated (`gcloud auth list` shows an active account), skip this step and tell the user: "Already signed in, continuing setup..."
 
-**App information section:**
-- **App name**: Type "Vellum Assistant" in the app name field.
-- **User support email**: This is typically a dropdown showing the signed-in user's email. Use `browser_snapshot` to find a `<select>` or clickable dropdown element near "User support email". Select the user's email.
-- **Developer contact email**: Type the user's email into this field. (Use the same email visible in the support email dropdown if you can read it, or use `browser_extract` to find the email shown on the page.)
-- Click **Save and Continue** if on a multi-page wizard.
+## CLI Step 4: GCP Project Setup
 
-**Scopes section:**
-- Click **"Add or Remove Scopes"** (or similar button).
-- In the scope picker dialog, look for a text input labeled **"Manually add scopes"** or **"Filter"** at the bottom or top of the dialog.
-- Paste all 6 scopes at once as a comma-separated string into that input:
-  ```
-  https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/calendar.events,https://www.googleapis.com/auth/userinfo.email
-  ```
-- Click **"Add to Table"** or **"Update"** to confirm the scopes.
-- If no manual input is available, you'll need to search for and check each scope individually using the scope tree. Search for each scope URL in the filter box and check its checkbox.
-- Click **Save and Continue** (or **Update** then **Save and Continue**).
+Tell the user: "Setting up your Google Cloud project, APIs, and credentials..."
 
-**Test users section:**
-- Click **"Add Users"** or similar.
-- Enter the user's email address.
-- Click **Add** then **Save and Continue**.
+```bash
+gws auth setup
+```
 
-**Summary section:**
-- Click **"Back to Dashboard"** or **"Submit"**.
+This command automates:
 
-**What you should see when done:** A consent screen dashboard showing "Vellum Assistant" as the app name.
+- GCP project creation (or selection of an existing one)
+- OAuth consent screen configuration
+- OAuth credential creation
 
-Tell the user: "Consent screen configured!"
+Wait for the command to complete. It may have interactive prompts — let them run in the terminal and the user can respond if needed.
 
-## Step 6: Create OAuth Credentials and Capture Them
+Note the **project ID** from the output — you'll need it for the next step.
 
-**Goal:** A "Desktop app" OAuth client exists, and both its Client ID and Client Secret are stored in the vault.
+## CLI Step 5: Enable Additional APIs
 
-Tell the user: "Creating OAuth credentials..."
+`gws auth setup` enables the APIs it needs, but Vellum also requires the Calendar and People APIs. Enable them explicitly using the project ID from step 4:
 
-### 6a: Create the credential
+```bash
+gcloud services enable calendar-json.googleapis.com --project=PROJECT_ID
+gcloud services enable people.googleapis.com --project=PROJECT_ID
+```
 
-Navigate to `https://console.cloud.google.com/apis/credentials?project=PROJECT_ID`.
+If either command reports the API is already enabled, that's fine — continue.
 
-Take a `browser_snapshot`. Find and click a button labeled **"Create Credentials"** or **"+ Create Credentials"**. A dropdown menu should appear. Take another snapshot and click **"OAuth client ID"**.
+## CLI Step 5b: Update OAuth Consent Screen Scopes
 
-On the creation form (take a snapshot to see the fields):
-- **Application type**: Find the dropdown and select **"Desktop app"**. This may be a `<select>` element or a custom dropdown. Use the snapshot to identify it. You might need to click the dropdown first, then take another snapshot to see the options, then click "Desktop app".
-- **Name**: Type "Vellum Assistant" in the name field.
-- Do NOT add any redirect URIs. The desktop app flow doesn't need them.
+`gws auth setup` configures the consent screen with Gmail scopes only. Vellum also needs Calendar, Contacts, and userinfo scopes. Tell the user to add the missing scopes:
 
-Click **"Create"** to submit the form.
+> **Update consent screen scopes**
+>
+> Open: `https://console.cloud.google.com/apis/credentials/consent/edit?project=PROJECT_ID`
+>
+> 1. Click through to the **Scopes** page (click **Save and Continue** on the first page)
+> 2. Click **Add or Remove Scopes** and ensure all of these are present:
+>    - `https://www.googleapis.com/auth/gmail.readonly`
+>    - `https://www.googleapis.com/auth/gmail.modify`
+>    - `https://www.googleapis.com/auth/gmail.send`
+>    - `https://www.googleapis.com/auth/calendar.readonly`
+>    - `https://www.googleapis.com/auth/calendar.events`
+>    - `https://www.googleapis.com/auth/userinfo.email`
+>    - `https://www.googleapis.com/auth/contacts.readonly`
+> 3. Click **Update**, then **Save and Continue** through the remaining pages
 
-### 6b: Capture credentials from the dialog
+(Substitute the actual project ID into the URL.)
 
-After creation, a dialog will display the **Client ID** and **Client Secret**. This is the critical step.
+The Gmail scopes may already be present from `gws auth setup` — add any that are missing.
 
-**First**, try to auto-read the **Client ID** using `browser_extract`. The Client ID matches the pattern `*.apps.googleusercontent.com`. Search the extracted text for this pattern. If found, store it:
+## CLI Step 6: Collect Credentials
 
-```
-credential_store store:
-  service: "integration:gmail"
-  field: "client_id"
-  value: "<the Client ID extracted from the page>"
-```
+The `gws auth setup` output or the GCP Console shows the Client ID and Client Secret. Ask the user to copy-paste them into secure prompts.
 
-If `browser_extract` fails to find the Client ID, prompt the user instead:
+**Client ID:**
 
 ```
 credential_store prompt:
   service: "integration:gmail"
   field: "client_id"
   label: "Google OAuth Client ID"
-  description: "Copy the Client ID from the dialog in the Chrome window and paste it here. It looks like 123456789-xxxxx.apps.googleusercontent.com"
+  description: "Copy the Client ID from the setup output or GCP Console. It looks like 123456789-xxxxx.apps.googleusercontent.com"
   placeholder: "xxxxx.apps.googleusercontent.com"
 ```
 
-**Then**, whether the Client ID was auto-read or prompted, tell the user:
-
-> "Got the Client ID! Now I need the Client Secret. You can see it in the dialog in the Chrome window. It starts with `GOCSPX-`. Please copy it and paste it into the secure prompt below."
-
-And present the secure prompt:
+**Client Secret:**
 
 ```
 credential_store prompt:
   service: "integration:gmail"
   field: "client_secret"
   label: "Google OAuth Client Secret"
-  description: "Copy the Client Secret from the Google Cloud Console dialog and paste it here."
+  description: "Copy the Client Secret from the setup output or GCP Console. It starts with GOCSPX-"
   placeholder: "GOCSPX-..."
 ```
 
-Wait for the user to complete the prompt. **Do not take any other browser actions until the user has pasted the secret.** The dialog must stay open so they can see and copy the value.
-
-If the user has trouble locating the secret, take a `browser_screenshot` and describe where the secret field is on the screen, but do NOT attempt to read the secret value yourself. It must come from the user for accuracy.
-
-**What you should see when done:** `credential_store list` shows both `client_id` and `client_secret` for `integration:gmail`.
-
-Tell the user: "Credentials stored securely!"
+Wait for both prompts to be completed before continuing.
 
-## Step 7: OAuth2 Authorization
+## CLI Step 7: Authorize
 
-**Goal:** The user authorizes Vellum to access their Gmail and Calendar via OAuth.
-
-Tell the user: "Starting the authorization flow — a Google sign-in page will open in a few seconds. Just click 'Allow' when it appears."
+Tell the user: "Starting the authorization flow — a Google sign-in page will open. Just click 'Allow' when it appears."
 
 Use `credential_store` with:
 
@@ -429,15 +367,6 @@ This auto-reads client_id and client_secret from the secure store and auto-fills
 
 **Verify:** The `oauth2_connect` call returns a success message with the connected account email.
 
-## Step 8: Done!
+## CLI Step 8: Done!
 
 Tell the user: "**Gmail and Calendar are connected!** You can now read, search, and send emails, plus view and manage your calendar. Try asking me to check your inbox or show your upcoming events!"
-
-## Error Handling
-
-- **Page load failures:** Retry navigation once. If it still fails, tell the user and ask them to check their internet connection.
-- **Permission errors in GCP:** The user may need billing enabled or organization-level permissions. Explain clearly and ask them to resolve it.
-- **Consent screen already configured:** Don't overwrite. Skip to credential creation.
-- **Element not found:** Take a fresh `browser_snapshot` to re-assess. The GCP UI may have changed. Describe what you see and try alternative approaches. If stuck after 2 attempts, ask the user for guidance. They can see the Chrome window too.
-- **OAuth flow timeout or failure:** Offer to retry. The credentials are already stored, so reconnecting only requires re-running the authorization flow.
-- **Any unexpected state:** Take a `browser_screenshot`, describe what you see, and ask the user for guidance.

package/src/config/bundled-skills/notifications/tools/send-notification.ts

@@ -131,7 +131,6 @@ export async function run(
       sourceEventName,
       sourceChannel: "assistant_tool",
       sourceSessionId,
-      assistantId: context.assistantId,
       attentionHints: {
         requiresAction: parseBool(input.requires_action, true),
         urgency,

package/src/contacts/contact-store.ts

@@ -1,4 +1,4 @@
-import { and, asc, desc, eq, isNull, like, or, sql } from "drizzle-orm";
+import { and, asc, desc, eq, like, sql } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
 import { getDb } from "../memory/db.js";
@@ -41,7 +41,6 @@ function parseContact(row: typeof contacts.$inferSelect): Contact {
     role: row.role as Contact["role"],
     contactType: (row.contactType as Contact["contactType"]) ?? "human",
     principalId: row.principalId,
-    assistantId: row.assistantId ?? null,
   };
 }
 
@@ -105,7 +104,7 @@ interface SyncChannelData {
 
 // ── CRUD ─────────────────────────────────────────────────────────────
 
-/** Retrieve a contact by ID without assistantId scoping.
+/** Retrieve a contact by ID.
  * Used by functions that have already resolved identity through channel lookups. */
 export function getContactInternal(id: string): ContactWithChannels | null {
   const db = getDb();
@@ -114,21 +113,9 @@ export function getContactInternal(id: string): ContactWithChannels | null {
   return withChannels(parseContact(row));
 }
 
-export function getContact(
-  id: string,
-  assistantId: string,
-): ContactWithChannels | null {
+export function getContact(id: string): ContactWithChannels | null {
   const db = getDb();
-  const row = db
-    .select()
-    .from(contacts)
-    .where(
-      and(
-        eq(contacts.id, id),
-        or(eq(contacts.assistantId, assistantId), isNull(contacts.assistantId)),
-      ),
-    )
-    .get();
+  const row = db.select().from(contacts).where(eq(contacts.id, id)).get();
   if (!row) return null;
   return withChannels(parseContact(row));
 }
@@ -154,7 +141,6 @@ export function upsertContact(params: {
   role?: ContactRole;
   contactType?: ContactType;
   principalId?: string | null;
-  assistantId: string;
   channels?: SyncChannelData[];
 }): ContactWithChannels & { created: boolean } {
   const db = getDb();
@@ -180,8 +166,6 @@ export function upsertContact(params: {
         updateSet.contactType = params.contactType;
       if (params.principalId !== undefined)
         updateSet.principalId = params.principalId;
-      if (params.assistantId !== undefined)
-        updateSet.assistantId = params.assistantId;
 
       db.update(contacts)
         .set(updateSet)
@@ -245,8 +229,6 @@ export function upsertContact(params: {
           updateSet.contactType = params.contactType;
         if (params.principalId !== undefined)
           updateSet.principalId = params.principalId;
-        if (params.assistantId !== undefined)
-          updateSet.assistantId = params.assistantId;
 
         db.update(contacts)
           .set(updateSet)
@@ -272,7 +254,6 @@ export function upsertContact(params: {
       role: params.role ?? "contact",
       contactType: params.contactType ?? "human",
       principalId: params.principalId ?? null,
-      assistantId: params.assistantId,
       createdAt: now,
       updatedAt: now,
     })
@@ -404,7 +385,6 @@ function syncChannels(
 }
 
 export function searchContacts(params: {
-  assistantId: string;
   query?: string;
   channelAddress?: string;
   channelType?: string;
@@ -426,20 +406,10 @@ export function searchContacts(params: {
       .where(
         params.channelType
           ? and(
-              or(
-                eq(contacts.assistantId, params.assistantId),
-                isNull(contacts.assistantId),
-              ),
               eq(contactChannels.type, params.channelType),
               like(contactChannels.address, `%${normalizedAddress}%`),
             )
-          : and(
-              or(
-                eq(contacts.assistantId, params.assistantId),
-                isNull(contacts.assistantId),
-              ),
-              like(contactChannels.address, `%${normalizedAddress}%`),
-            ),
+          : and(like(contactChannels.address, `%${normalizedAddress}%`)),
       )
       .all();
 
@@ -467,15 +437,7 @@ export function searchContacts(params: {
       .select({ contactId: contactChannels.contactId })
       .from(contactChannels)
       .innerJoin(contacts, eq(contactChannels.contactId, contacts.id))
-      .where(
-        and(
-          or(
-            eq(contacts.assistantId, params.assistantId),
-            isNull(contacts.assistantId),
-          ),
-          eq(contactChannels.type, params.channelType),
-        ),
-      )
+      .where(eq(contactChannels.type, params.channelType))
       .all();
 
     const contactIds = [...new Set(channelRows.map((r) => r.contactId))];
@@ -497,12 +459,7 @@ export function searchContacts(params: {
   }
 
   // Search by display name, optionally filtered by channelType
-  const conditions = [
-    or(
-      eq(contacts.assistantId, params.assistantId),
-      isNull(contacts.assistantId),
-    )!,
-  ];
+  const conditions = [];
   if (params.query) {
     const sanitized = escapeLike(params.query);
     if (!sanitized && !params.role && !params.contactType) return [];
@@ -560,7 +517,6 @@ export function searchContacts(params: {
 }
 
 export function listContacts(
-  assistantId: string,
   limit = 50,
   role?: ContactRole,
   contactType?: ContactType,
@@ -568,9 +524,7 @@ export function listContacts(
 ): ContactWithChannels[] {
   const db = getDb();
   const effectiveLimit = opts?.uncapped ? limit : Math.min(limit, 200);
-  const conditions = [
-    or(eq(contacts.assistantId, assistantId), isNull(contacts.assistantId))!,
-  ];
+  const conditions = [];
   if (role) conditions.push(eq(contacts.role, role));
   if (contactType) conditions.push(eq(contacts.contactType, contactType));
   const rows = db
@@ -595,7 +549,6 @@ export function listContacts(
 export function mergeContacts(
   keepId: string,
   mergeId: string,
-  assistantId: string,
 ): ContactWithChannels {
   const db = getDb();
 
@@ -607,30 +560,14 @@ export function mergeContacts(
     const keep = tx
       .select()
       .from(contacts)
-      .where(
-        and(
-          eq(contacts.id, keepId),
-          or(
-            eq(contacts.assistantId, assistantId),
-            isNull(contacts.assistantId),
-          ),
-        ),
-      )
+      .where(eq(contacts.id, keepId))
       .get();
     if (!keep) throw new Error(`Contact "${keepId}" not found`);
 
     const merge = tx
       .select()
       .from(contacts)
-      .where(
-        and(
-          eq(contacts.id, mergeId),
-          or(
-            eq(contacts.assistantId, assistantId),
-            isNull(contacts.assistantId),
-          ),
-        ),
-      )
+      .where(eq(contacts.id, mergeId))
       .get();
     if (!merge) throw new Error(`Contact "${mergeId}" not found`);
 
@@ -646,8 +583,6 @@ export function mergeContacts(
         lastInteraction: mergedLastInteraction,
         notes: [keep.notes, merge.notes].filter(Boolean).join("\n") || null,
         updatedAt: now,
-        // Rebind legacy null-scoped contacts to prevent cross-assistant leakage
-        ...(keep.assistantId == null ? { assistantId } : {}),
       })
       .where(eq(contacts.id, keepId))
       .run();
@@ -805,14 +740,12 @@ export function findContactChannel(params: {
  */
 export function findGuardianForChannel(
   channelType: string,
-  assistantId: string,
 ): { contact: Contact; channel: ContactChannel } | null {
   const db = getDb();
   const conditions = [
     eq(contacts.role, "guardian"),
     eq(contactChannels.type, channelType),
     eq(contactChannels.status, "active"),
-    eq(contacts.assistantId, assistantId),
   ];
   const rows = db
     .select({
@@ -841,16 +774,12 @@ export function findGuardianForChannel(
  *
  * Returns true if a channel was found and revoked, false otherwise.
  */
-export function revokeGuardianChannel(
-  channelType: string,
-  assistantId: string,
-): boolean {
+export function revokeGuardianChannel(channelType: string): boolean {
   const db = getDb();
   const conditions = [
     eq(contacts.role, "guardian"),
     eq(contactChannels.type, channelType),
     eq(contactChannels.status, "active"),
-    eq(contacts.assistantId, assistantId),
   ];
   const rows = db
     .select({
@@ -885,7 +814,7 @@ export function revokeGuardianChannel(
  * pick a guardian that has no active channels.
  * Returns channels ordered by most-recently-verified first.
  */
-export function listGuardianChannels(assistantId: string): {
+export function listGuardianChannels(): {
   contact: Contact;
   channels: ContactChannel[];
 } | null {
@@ -898,11 +827,7 @@ export function listGuardianChannels(assistantId: string): {
     .from(contacts)
     .innerJoin(contactChannels, eq(contacts.id, contactChannels.contactId))
     .where(
-      and(
-        eq(contacts.role, "guardian"),
-        eq(contactChannels.status, "active"),
-        eq(contacts.assistantId, assistantId),
-      ),
+      and(eq(contacts.role, "guardian"), eq(contactChannels.status, "active")),
     )
     .orderBy(desc(contactChannels.verifiedAt))
     .all();