@vellumai/assistant 0.4.37 → 0.4.41

package/src/runtime/channel-readiness-service.ts

@@ -1,6 +1,7 @@
 import {
   getPhoneNumberSid,
   getTollFreeVerificationStatus,
+  getTwilioCredentials,
   hasTwilioCredentials,
 } from "../calls/twilio-rest.js";
 import { getChannelInvitePolicy } from "../channels/config.js";
@@ -99,9 +100,13 @@ const smsProbe: ChannelProbe = {
   async runRemoteChecks(): Promise<ReadinessCheckResult[]> {
     if (!hasTwilioCredentials()) return [];
 
-    const accountSid = getSecureKey("credential:twilio:account_sid");
-    const authToken = getSecureKey("credential:twilio:auth_token");
-    if (!accountSid || !authToken) return [];
+    let accountSid: string;
+    let authToken: string;
+    try {
+      ({ accountSid, authToken } = getTwilioCredentials());
+    } catch {
+      return [];
+    }
 
     const phoneNumber = resolveSmsPhoneNumber();
     if (!phoneNumber) return [];
@@ -308,7 +313,7 @@ const emailProbe: ChannelProbe = {
           passed: hasInbox,
           message: hasInbox
             ? `Inbox address is configured (${address})`
-            : "No inbox address configured — create one with: vellum email setup inboxes",
+            : "No inbox address configured — create one with: assistant email setup inboxes",
         },
       ];
     } catch (err) {

package/src/runtime/gateway-internal-client.ts

@@ -30,10 +30,18 @@ async function parseErrorResponse(
   let message = `Gateway request failed (${resp.status})`;
 
   try {
-    const parsed = JSON.parse(body) as { error?: string };
+    const parsed = JSON.parse(body) as {
+      error?: string | { code?: string; message?: string };
+    };
     if (parsed.error) {
-      gatewayError = parsed.error;
-      message = parsed.error;
+      // Runtime httpError() returns { error: { code, message } } while
+      // gateway returns { error: "string" }. Handle both formats.
+      const errStr =
+        typeof parsed.error === "string"
+          ? parsed.error
+          : (parsed.error.message ?? JSON.stringify(parsed.error));
+      gatewayError = errStr;
+      message = errStr;
     }
   } catch {
     if (body) message = body;

package/src/runtime/http-server.ts

@@ -126,6 +126,7 @@ import {
   pairingRouteDefinitions,
 } from "./routes/pairing-routes.js";
 import { secretRouteDefinitions } from "./routes/secret-routes.js";
+import { slackShareRouteDefinitions } from "./routes/slack-share-routes.js";
 import { surfaceActionRouteDefinitions } from "./routes/surface-action-routes.js";
 import { surfaceContentRouteDefinitions } from "./routes/surface-content-routes.js";
 import { trustRulesRouteDefinitions } from "./routes/trust-rules-routes.js";
@@ -851,6 +852,7 @@ export class RuntimeHttpServer {
       ...contactCatchAllRouteDefinitions(),
 
       ...integrationRouteDefinitions(),
+      ...slackShareRouteDefinitions(),
       ...twilioRouteDefinitions(),
       ...channelReadinessRouteDefinitions(),
       ...attachmentRouteDefinitions(),

package/src/runtime/invite-redemption-service.ts

@@ -9,7 +9,7 @@
 
 import type { ChannelId } from "../channels/types.js";
 import { findContactChannel } from "../contacts/contact-store.js";
-import { upsertMember } from "../contacts/contacts-write.js";
+import { upsertContactChannel } from "../contacts/contacts-write.js";
 import { getSqlite } from "../memory/db.js";
 import {
   findActiveVoiceInvites,
@@ -147,9 +147,9 @@ export function redeemInvite(params: {
   }
 
   // Inactive member reactivation: when the user already has a member record
-  // in a non-active state (revoked/pending), reactivate it via upsertMember
+  // in a non-active state (revoked/pending), reactivate it via upsertContactChannel
   // and consume an invite use atomically. The fresh-member path below also
-  // uses upsertMember to keep contacts in sync.
+  // uses upsertContactChannel to keep contacts in sync.
   if (existingChannel) {
     // Sentinel error used to trigger a transaction rollback when the invite
     // was concurrently revoked/expired between pre-validation and write time.
@@ -173,11 +173,11 @@ export function redeemInvite(params: {
         ? existingContact.displayName
         : displayName;
 
-    let reactivated: ReturnType<typeof upsertMember> | undefined;
+    let reactivated: ReturnType<typeof upsertContactChannel> | undefined;
     try {
       getSqlite()
         .transaction(() => {
-          reactivated = upsertMember({
+          reactivated = upsertContactChannel({
             sourceChannel,
             externalUserId,
             externalChatId,
@@ -187,6 +187,8 @@ export function redeemInvite(params: {
             status: "active",
             policy: "allow",
             inviteId: invite.id,
+            verifiedAt: Date.now(),
+            verifiedVia: "invite",
           });
 
           const recorded = recordInviteUse({
@@ -219,11 +221,11 @@ export function redeemInvite(params: {
   // Fresh member creation: upsert into contacts tables and consume an invite
   // use atomically, mirroring the reactivation path above.
   const STALE_INVITE_FRESH = Symbol("stale_invite_fresh");
-  let freshResult: ReturnType<typeof upsertMember> | undefined;
+  let freshResult: ReturnType<typeof upsertContactChannel> | undefined;
   try {
     getSqlite()
       .transaction(() => {
-        freshResult = upsertMember({
+        freshResult = upsertContactChannel({
           sourceChannel,
           externalUserId,
           externalChatId,
@@ -232,6 +234,8 @@ export function redeemInvite(params: {
           status: "active",
           policy: "allow",
           inviteId: invite.id,
+          verifiedAt: Date.now(),
+          verifiedVia: "invite",
         });
 
         const recorded = recordInviteUse({
@@ -362,7 +366,7 @@ export function redeemVoiceInviteCode(params: {
   try {
     getSqlite()
       .transaction(() => {
-        const writeResult = upsertMember({
+        const writeResult = upsertContactChannel({
           sourceChannel: "voice",
           externalUserId: callerExternalUserId,
           externalChatId: callerExternalUserId,
@@ -370,6 +374,8 @@ export function redeemVoiceInviteCode(params: {
           status: "active",
           policy: "allow",
           inviteId: invite.id,
+          verifiedAt: Date.now(),
+          verifiedVia: "invite",
         });
         memberId = writeResult!.channel.id;
 
@@ -481,7 +487,7 @@ export function redeemInviteByCode(params: {
     return { ok: false, reason: "invalid_token" };
   }
 
-  // Inactive member reactivation: reactivate via upsertMember and consume
+  // Inactive member reactivation: reactivate via upsertContactChannel and consume
   // an invite use atomically.
   if (existingChannel) {
     const STALE_INVITE_REACTIVATE = Symbol("stale_invite_reactivate");
@@ -504,11 +510,11 @@ export function redeemInviteByCode(params: {
         ? existingContact.displayName
         : displayName;
 
-    let reactivated: ReturnType<typeof upsertMember> | undefined;
+    let reactivated: ReturnType<typeof upsertContactChannel> | undefined;
     try {
       getSqlite()
         .transaction(() => {
-          reactivated = upsertMember({
+          reactivated = upsertContactChannel({
             sourceChannel,
             externalUserId,
             externalChatId,
@@ -517,6 +523,8 @@ export function redeemInviteByCode(params: {
             status: "active",
             policy: "allow",
             inviteId: invite.id,
+            verifiedAt: Date.now(),
+            verifiedVia: "invite",
           });
 
           const recorded = recordInviteUse({
@@ -546,11 +554,11 @@ export function redeemInviteByCode(params: {
   // Fresh member creation: upsert into contacts tables and consume an invite
   // use atomically.
   const STALE_INVITE_FRESH = Symbol("stale_invite_fresh");
-  let freshResult: ReturnType<typeof upsertMember> | undefined;
+  let freshResult: ReturnType<typeof upsertContactChannel> | undefined;
   try {
     getSqlite()
       .transaction(() => {
-        freshResult = upsertMember({
+        freshResult = upsertContactChannel({
           sourceChannel,
           externalUserId,
           externalChatId,
@@ -559,6 +567,8 @@ export function redeemInviteByCode(params: {
           status: "active",
           policy: "allow",
           inviteId: invite.id,
+          verifiedAt: Date.now(),
+          verifiedVia: "invite",
         });
 
         const recorded = recordInviteUse({

package/src/runtime/middleware/twilio-validation.ts

@@ -71,10 +71,10 @@ export async function validateTwilioWebhook(
 
   const authToken = TwilioConversationRelayProvider.getAuthToken();
 
-  // Fail-closed: reject if no auth token is configured
   if (!authToken) {
     log.error(
-      "Twilio auth token not configured — rejecting webhook request (fail-closed)",
+      "Twilio auth token not found in secure key store — cannot verify webhook HMAC signature. " +
+        "Rejecting request. Set credential:twilio:auth_token via the credential_store tool.",
     );
     return httpError("FORBIDDEN", "Forbidden", 403);
   }

package/src/runtime/routes/app-routes.ts

@@ -2,13 +2,13 @@
  * Route handlers for shareable app pages and cloud sharing.
  */
 import { randomBytes } from "node:crypto";
-import { readFileSync } from "node:fs";
-import { join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
+import { extname, join } from "node:path";
 
 import JSZip from "jszip";
 
 import type { AppManifest } from "../../bundler/manifest.js";
-import { getApp } from "../../memory/app-store.js";
+import { getApp, getAppsDir, isMultifileApp } from "../../memory/app-store.js";
 import * as sharedAppLinksStore from "../../memory/shared-app-links-store.js";
 import { getLogger } from "../../util/logger.js";
 import { httpError } from "../http-errors.js";
@@ -46,6 +46,11 @@ export function handleServePage(appId: string): Response {
     return httpError("NOT_FOUND", "App not found", 404);
   }
 
+  // Multifile apps serve the compiled dist/index.html directly.
+  if (isMultifileApp(app)) {
+    return serveMultifileApp(appId, app.name);
+  }
+
   const css = loadDesignSystemCss();
   const escapedName = app.name.replace(
     /[<>&"]/g,
@@ -99,6 +104,122 @@ ${noncedHtml}
   });
 }
 
+/**
+ * Serve compiled output for multifile TSX apps.
+ * Falls back to a "not compiled yet" message if dist/index.html is missing.
+ */
+function serveMultifileApp(appId: string, appName: string): Response {
+  const distDir = join(getAppsDir(), appId, "dist");
+  const indexPath = join(distDir, "index.html");
+
+  if (!existsSync(indexPath)) {
+    const escapedName = appName.replace(
+      /[<>&"]/g,
+      (c) => HTML_ESCAPE_MAP[c] ?? c,
+    );
+    return new Response(
+      `<!DOCTYPE html><html><head><title>${escapedName}</title></head>` +
+        `<body><p>App has not been compiled yet. Edit a source file to trigger a build.</p></body></html>`,
+      {
+        headers: { "Content-Type": "text/html; charset=utf-8" },
+      },
+    );
+  }
+
+  // Rewrite relative asset paths to absolute HTTP routes so browsers and
+  // HTTP-based consumers (e.g. /pages/:appId) can resolve them. The macOS
+  // WebView uses the vellumapp:// scheme handler which resolves on disk,
+  // but HTTP clients need the /v1/apps/:appId/dist/ route.
+  let html = readFileSync(indexPath, "utf-8");
+  html = html.replace(
+    /(?:src|href)="(\.?\/?main\.(js|css))"/g,
+    (_match, _filename, ext) => {
+      const attr = ext === "css" ? "href" : "src";
+      return `${attr}="/v1/apps/${appId}/dist/main.${ext}"`;
+    },
+  );
+
+  // Compiled apps use external scripts so 'unsafe-inline' is not needed for
+  // script-src; however we keep it for style-src since the app HTML may use
+  // inline styles.
+  const csp = [
+    "default-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "script-src 'self'",
+    "img-src 'self' data: https:",
+    "font-src 'self' data: https:",
+    "object-src 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+    "frame-ancestors 'self'",
+  ].join("; ");
+
+  return new Response(html, {
+    headers: {
+      "Content-Type": "text/html; charset=utf-8",
+      "Content-Security-Policy": csp,
+    },
+  });
+}
+
+/** Content-Type map for static dist/ assets. */
+const DIST_CONTENT_TYPES: Record<string, string> = {
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".html": "text/html",
+  ".json": "application/json",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".woff2": "font/woff2",
+  ".woff": "font/woff",
+};
+
+/**
+ * Serve a static file from an app's dist/ directory.
+ * Validates the filename to prevent path traversal.
+ */
+export function handleServeDistFile(appId: string, filename: string): Response {
+  // Reject any traversal attempts on appId
+  if (
+    !appId ||
+    appId.includes("..") ||
+    appId.includes("/") ||
+    appId.includes("\\") ||
+    appId !== appId.trim()
+  ) {
+    return httpError("BAD_REQUEST", "Invalid appId", 400);
+  }
+
+  // Reject any traversal attempts on filename
+  if (
+    !filename ||
+    filename.includes("..") ||
+    filename.includes("/") ||
+    filename.includes("\\") ||
+    filename !== filename.trim()
+  ) {
+    return httpError("BAD_REQUEST", "Invalid filename", 400);
+  }
+
+  const filePath = join(getAppsDir(), appId, "dist", filename);
+  if (!existsSync(filePath)) {
+    return httpError("NOT_FOUND", "File not found", 404);
+  }
+
+  const ext = extname(filename).toLowerCase();
+  const contentType = DIST_CONTENT_TYPES[ext] ?? "application/octet-stream";
+  const content = readFileSync(filePath);
+
+  return new Response(content, {
+    headers: {
+      "Content-Type": contentType,
+      "Cache-Control": "no-cache",
+    },
+  });
+}
+
 /** 50 MB — generous cap for zip app bundles. */
 const MAX_SHARE_BODY_BYTES = 50 * 1024 * 1024;
 
@@ -207,6 +328,13 @@ export function handleDeleteSharedApp(shareToken: string): Response {
 
 export function appRouteDefinitions(): RouteDefinition[] {
   return [
+    {
+      endpoint: "apps/:appId/dist/:filename",
+      method: "GET",
+      policyKey: "apps/dist",
+      handler: ({ params }) =>
+        handleServeDistFile(params.appId, params.filename),
+    },
     {
       endpoint: "apps/share",
       method: "POST",

package/src/runtime/routes/inbound-stages/verification-intercept.ts

@@ -18,7 +18,7 @@ import { findContactChannel } from "../../../contacts/contact-store.js";
 import {
   createGuardianBinding,
   revokeGuardianBinding,
-  upsertMember,
+  upsertContactChannel,
 } from "../../../contacts/contacts-write.js";
 import * as channelDeliveryStore from "../../../memory/channel-delivery-store.js";
 import { emitNotificationSignal } from "../../../notifications/emit-signal.js";
@@ -143,7 +143,7 @@ export async function handleVerificationIntercept(
         ? existingContact.displayName
         : actorDisplayName;
 
-    upsertMember({
+    upsertContactChannel({
       sourceChannel,
       externalUserId: canonicalSenderId ?? rawSenderId,
       externalChatId: conversationExternalId,
@@ -169,7 +169,7 @@ export async function handleVerificationIntercept(
           (canonicalSenderId ?? rawSenderId)
       ) {
         // Edge case: another user already bound. Log and skip binding creation.
-        // The upsertMember above already succeeded, so the sender is a known contact,
+        // The upsertContactChannel above already succeeded, so the sender is a known contact,
         // but they won't get guardian role.
         log.warn(
           {

package/src/runtime/routes/integration-routes.ts

@@ -139,8 +139,8 @@ export async function handleSetSlackChannelConfig(
 /**
  * DELETE /v1/integrations/slack/channel/config
  */
-export function handleClearSlackChannelConfig(): Response {
-  const result = clearSlackChannelConfig();
+export async function handleClearSlackChannelConfig(): Promise<Response> {
+  const result = await clearSlackChannelConfig();
   return Response.json(result);
 }
 

package/src/runtime/routes/slack-share-routes.ts

@@ -0,0 +1,235 @@
+/**
+ * Route handlers for Slack channel listing and direct sharing.
+ *
+ * These endpoints let the UI post app links directly to Slack channels
+ * without going through the legacy IPC-based Slack share flow.
+ */
+
+import { getApp } from "../../memory/app-store.js";
+import {
+  listConversations,
+  postMessage,
+  userInfo,
+} from "../../messaging/providers/slack/client.js";
+import type { SlackConversation } from "../../messaging/providers/slack/types.js";
+import { getSecureKey } from "../../security/secure-keys.js";
+import { getLogger } from "../../util/logger.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+const log = getLogger("slack-share-routes");
+
+// ---------------------------------------------------------------------------
+// Shared helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve the Slack bot token from secure storage.
+ * Prefers the OAuth integration token, falls back to the legacy channel token.
+ */
+function resolveSlackToken(): string | undefined {
+  return (
+    getSecureKey("credential:integration:slack:access_token") ??
+    getSecureKey("credential:slack_channel:bot_token")
+  );
+}
+
+// ---------------------------------------------------------------------------
+// GET /v1/slack/channels
+// ---------------------------------------------------------------------------
+
+interface NormalizedChannel {
+  id: string;
+  name: string;
+  type: "channel" | "group" | "dm";
+  isPrivate: boolean;
+}
+
+function classifyConversation(
+  conv: SlackConversation,
+): "channel" | "group" | "dm" {
+  if (conv.is_im) return "dm";
+  if (conv.is_mpim) return "group";
+  if (conv.is_group) return "group";
+  return "channel";
+}
+
+const TYPE_SORT_ORDER: Record<string, number> = {
+  channel: 0,
+  group: 1,
+  dm: 2,
+};
+
+export async function handleListSlackChannels(): Promise<Response> {
+  const token = resolveSlackToken();
+  if (!token) {
+    return httpError("SERVICE_UNAVAILABLE", "No Slack token configured", 503);
+  }
+
+  // Paginate through all results (follows the pattern in adapter.ts)
+  const allChannels: SlackConversation[] = [];
+  let cursor: string | undefined;
+  do {
+    const resp = await listConversations(
+      token,
+      "public_channel,private_channel,mpim,im",
+      true,
+      200,
+      cursor,
+    );
+    allChannels.push(...resp.channels);
+    cursor = resp.response_metadata?.next_cursor || undefined;
+  } while (cursor);
+
+  // Resolve DM display names in parallel, tolerating individual failures.
+  const dmUserIds = allChannels
+    .filter((c) => c.is_im && c.user)
+    .map((c) => c.user!);
+  const uniqueUserIds = [...new Set(dmUserIds)];
+  const nameResults = await Promise.allSettled(
+    uniqueUserIds.map((uid) =>
+      userInfo(token, uid).then((r) => ({
+        uid,
+        name:
+          r.user.profile?.display_name ||
+          r.user.profile?.real_name ||
+          r.user.real_name ||
+          r.user.name,
+      })),
+    ),
+  );
+  const nameMap = new Map<string, string>();
+  for (const r of nameResults) {
+    if (r.status === "fulfilled") {
+      nameMap.set(r.value.uid, r.value.name);
+    }
+  }
+
+  const channels: NormalizedChannel[] = allChannels.map((c) => {
+    const type = classifyConversation(c);
+    let name = c.name ?? c.id;
+    if (type === "dm" && c.user) {
+      name = nameMap.get(c.user) ?? c.user;
+    }
+    return {
+      id: c.id,
+      name,
+      type,
+      isPrivate: c.is_private ?? c.is_group ?? false,
+    };
+  });
+
+  // Sort: channels first, then groups, then DMs — alphabetical within each.
+  channels.sort((a, b) => {
+    const typeOrder =
+      (TYPE_SORT_ORDER[a.type] ?? 9) - (TYPE_SORT_ORDER[b.type] ?? 9);
+    if (typeOrder !== 0) return typeOrder;
+    return a.name.localeCompare(b.name);
+  });
+
+  return Response.json({ channels });
+}
+
+// ---------------------------------------------------------------------------
+// POST /v1/slack/share
+// ---------------------------------------------------------------------------
+
+export async function handleShareToSlackChannel(
+  req: Request,
+): Promise<Response> {
+  const token = resolveSlackToken();
+  if (!token) {
+    return httpError("SERVICE_UNAVAILABLE", "No Slack token configured", 503);
+  }
+
+  let body: Record<string, unknown>;
+  try {
+    body = (await req.json()) as Record<string, unknown>;
+  } catch {
+    return httpError("BAD_REQUEST", "Malformed JSON body", 400);
+  }
+
+  const appId = body.appId;
+  const channelId = body.channelId;
+  const message = body.message;
+
+  if (!appId || !channelId) {
+    return httpError(
+      "BAD_REQUEST",
+      "Missing required fields: appId, channelId",
+      400,
+    );
+  }
+
+  if (typeof appId !== "string" || typeof channelId !== "string") {
+    return httpError(
+      "BAD_REQUEST",
+      "Fields appId and channelId must be strings",
+      400,
+    );
+  }
+
+  if (message !== undefined && typeof message !== "string") {
+    return httpError("BAD_REQUEST", "Field message must be a string", 400);
+  }
+
+  const app = getApp(appId);
+  if (!app) {
+    return httpError("NOT_FOUND", "App not found", 404);
+  }
+
+  // Build a Block Kit message with a deterministic fallback text.
+  const fallbackText = message
+    ? `${message} — ${app.name}`
+    : `Shared app: ${app.name}`;
+
+  const blocks: unknown[] = [
+    {
+      type: "section",
+      text: {
+        type: "mrkdwn",
+        text: message ? `${message}\n\n*${app.name}*` : `*${app.name}*`,
+      },
+    },
+  ];
+
+  if (app.description) {
+    blocks.push({
+      type: "context",
+      elements: [{ type: "mrkdwn", text: app.description }],
+    });
+  }
+
+  try {
+    const result = await postMessage(token, channelId, fallbackText, {
+      blocks,
+    });
+    return Response.json({
+      ok: true,
+      ts: result.ts,
+      channel: result.channel,
+    });
+  } catch (err) {
+    log.error({ err, appId, channelId }, "Failed to share app to Slack");
+    return httpError("INTERNAL_ERROR", "Failed to post message to Slack", 500);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function slackShareRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "slack/channels",
+      method: "GET",
+      handler: () => handleListSlackChannels(),
+    },
+    {
+      endpoint: "slack/share",
+      method: "POST",
+      handler: async ({ req }) => handleShareToSlackChannel(req),
+    },
+  ];
+}