npm - @vellumai/assistant - Versions diffs - 0.4.4 → 0.4.6 - Mend

@vellumai/assistant 0.4.4 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

package/ARCHITECTURE.md +4 -4
package/README.md +6 -6
package/bun.lock +6 -2
package/docs/architecture/memory.md +4 -4
package/package.json +2 -2
package/src/__tests__/actor-token-service.test.ts +5 -2
package/src/__tests__/assistant-feature-flags-integration.test.ts +1 -0
package/src/__tests__/call-controller.test.ts +78 -0
package/src/__tests__/call-domain.test.ts +148 -10
package/src/__tests__/call-pointer-message-composer.test.ts +39 -49
package/src/__tests__/call-pointer-messages.test.ts +105 -43
package/src/__tests__/canonical-guardian-store.test.ts +44 -10
package/src/__tests__/channel-approval-routes.test.ts +67 -65
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +1 -0
package/src/__tests__/conversation-attention-telegram.test.ts +2 -2
package/src/__tests__/deterministic-verification-control-plane.test.ts +6 -6
package/src/__tests__/guardian-actions-endpoint.test.ts +7 -6
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +57 -12
package/src/__tests__/guardian-grant-minting.test.ts +24 -24
package/src/__tests__/guardian-principal-id-roundtrip.test.ts +205 -0
package/src/__tests__/guardian-routing-invariants.test.ts +64 -25
package/src/__tests__/guardian-routing-state.test.ts +4 -4
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +2 -2
package/src/__tests__/inbound-invite-redemption.test.ts +8 -8
package/src/__tests__/memory-retrieval.benchmark.test.ts +22 -47
package/src/__tests__/no-is-trusted-guard.test.ts +77 -0
package/src/__tests__/non-member-access-request.test.ts +50 -47
package/src/__tests__/relay-server.test.ts +71 -0
package/src/__tests__/send-endpoint-busy.test.ts +6 -0
package/src/__tests__/session-tool-setup-tools-disabled.test.ts +155 -0
package/src/__tests__/skill-feature-flags-integration.test.ts +1 -0
package/src/__tests__/skill-projection.benchmark.test.ts +66 -2
package/src/__tests__/system-prompt.test.ts +1 -0
package/src/__tests__/tool-approval-handler.test.ts +1 -1
package/src/__tests__/tool-grant-request-escalation.test.ts +9 -2
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +8 -1
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +22 -22
package/src/__tests__/trusted-contact-multichannel.test.ts +4 -4
package/src/__tests__/trusted-contact-verification.test.ts +10 -10
package/src/approvals/guardian-decision-primitive.ts +29 -25
package/src/approvals/guardian-request-resolvers.ts +9 -5
package/src/calls/call-pointer-message-composer.ts +27 -85
package/src/calls/call-pointer-messages.ts +54 -21
package/src/calls/guardian-dispatch.ts +30 -0
package/src/calls/relay-server.ts +13 -13
package/src/config/system-prompt.ts +10 -3
package/src/config/templates/BOOTSTRAP.md +6 -5
package/src/config/templates/USER.md +1 -0
package/src/config/user-reference.ts +44 -0
package/src/daemon/handlers/guardian-actions.ts +5 -2
package/src/daemon/handlers/sessions.ts +8 -3
package/src/daemon/lifecycle.ts +109 -3
package/src/daemon/server.ts +32 -24
package/src/daemon/session-agent-loop.ts +4 -3
package/src/daemon/session-lifecycle.ts +1 -9
package/src/daemon/session-process.ts +2 -2
package/src/daemon/session-runtime-assembly.ts +2 -0
package/src/daemon/session-tool-setup.ts +10 -0
package/src/daemon/session.ts +1 -0
package/src/memory/canonical-guardian-store.ts +40 -0
package/src/memory/conversation-crud.ts +26 -0
package/src/memory/conversation-store.ts +1 -0
package/src/memory/db-init.ts +8 -0
package/src/memory/guardian-bindings.ts +4 -0
package/src/memory/job-handlers/backfill.ts +2 -9
package/src/memory/migrations/125-guardian-principal-id-columns.ts +19 -0
package/src/memory/migrations/126-backfill-guardian-principal-id.ts +210 -0
package/src/memory/migrations/index.ts +2 -0
package/src/memory/migrations/registry.ts +5 -0
package/src/memory/schema.ts +3 -0
package/src/notifications/copy-composer.ts +2 -2
package/src/runtime/access-request-helper.ts +43 -28
package/src/runtime/actor-trust-resolver.ts +19 -14
package/src/runtime/channel-guardian-service.ts +6 -0
package/src/runtime/guardian-context-resolver.ts +6 -2
package/src/runtime/guardian-reply-router.ts +33 -16
package/src/runtime/guardian-vellum-migration.ts +29 -5
package/src/runtime/http-types.ts +0 -13
package/src/runtime/local-actor-identity.ts +19 -13
package/src/runtime/middleware/actor-token.ts +2 -2
package/src/runtime/routes/channel-delivery-routes.ts +5 -5
package/src/runtime/routes/conversation-routes.ts +45 -35
package/src/runtime/routes/guardian-action-routes.ts +7 -1
package/src/runtime/routes/guardian-approval-interception.ts +52 -52
package/src/runtime/routes/guardian-bootstrap-routes.ts +1 -0
package/src/runtime/routes/inbound-conversation.ts +7 -7
package/src/runtime/routes/inbound-message-handler.ts +105 -94
package/src/runtime/tool-grant-request-helper.ts +1 -0
package/src/util/logger.ts +10 -0
package/src/daemon/call-pointer-generators.ts +0 -59

package/src/runtime/routes/inbound-message-handler.ts CHANGED Viewed

@@ -119,14 +119,14 @@ export async function handleChannelInbound(
   const body = await req.json() as {
     sourceChannel?: string;
     interface?: string;
-    externalChatId?: string;
+    conversationExternalId?: string;
     externalMessageId?: string;
     content?: string;
     isEdit?: boolean;
-    senderName?: string;
+    actorDisplayName?: string;
     attachmentIds?: string[];
-    senderExternalUserId?: string;
-    senderUsername?: string;
+    actorExternalId?: string;
+    actorUsername?: string;
     sourceMetadata?: Record<string, unknown>;
     replyCallbackUrl?: string;
     callbackQueryId?: string;
@@ -134,7 +134,7 @@ export async function handleChannelInbound(
   };
   const {
-    externalChatId,
+    conversationExternalId,
     externalMessageId,
     content,
     isEdit,
@@ -161,8 +161,11 @@ export async function handleChannelInbound(
     return httpError('BAD_REQUEST', `Invalid interface: ${body.interface}. Valid values: ${INTERFACE_IDS.join(', ')}`, 400);
   }
-  if (!externalChatId || typeof externalChatId !== 'string') {
-    return httpError('BAD_REQUEST', 'externalChatId is required', 400);
+  if (!conversationExternalId || typeof conversationExternalId !== 'string') {
+    return httpError('BAD_REQUEST', 'conversationExternalId is required', 400);
+  }
+  if (!body.actorExternalId || typeof body.actorExternalId !== 'string' || !body.actorExternalId.trim()) {
+    return httpError('BAD_REQUEST', 'actorExternalId is required', 400);
   }
   if (!externalMessageId || typeof externalMessageId !== 'string') {
     return httpError('BAD_REQUEST', 'externalMessageId is required', 400);
@@ -189,12 +192,12 @@ export async function handleChannelInbound(
     log.debug({ raw: assistantId, canonical: canonicalAssistantId }, 'Canonicalized channel assistant ID');
   }
-  // Coerce senderExternalUserId to a string at the boundary — the field
+  // Coerce actorExternalId to a string at the boundary — the field
   // comes from unvalidated JSON and may be a number, object, or other
   // non-string type. Non-string truthy values would throw inside
   // canonicalizeInboundIdentity when it calls .trim().
-  const rawSenderId = body.senderExternalUserId != null
-    ? String(body.senderExternalUserId)
+  const rawSenderId = body.actorExternalId != null
+    ? String(body.actorExternalId)
     : undefined;
   // Canonicalize the sender identity so all trust lookups, member matching,
@@ -206,7 +209,7 @@ export async function handleChannelInbound(
     : null;
   // Track whether the original payload included a sender identity. A
-  // whitespace-only senderExternalUserId canonicalizes to null but still
+  // whitespace-only actorExternalId canonicalizes to null but still
   // represents an explicit (malformed) identity claim that must enter the
   // ACL deny path rather than bypassing it.
   const hasSenderIdentityClaim = rawSenderId !== undefined;
@@ -253,7 +256,7 @@ export async function handleChannelInbound(
         assistantId: canonicalAssistantId,
         sourceChannel,
         externalUserId: canonicalSenderId,
-        externalChatId,
+        externalChatId: conversationExternalId,
       });
     }
@@ -300,11 +303,11 @@ export async function handleChannelInbound(
         const inviteResult = await handleInviteTokenIntercept({
           rawToken: inviteToken,
           sourceChannel,
-          externalChatId,
+          externalChatId: conversationExternalId,
           externalMessageId,
           senderExternalUserId: canonicalSenderId ?? rawSenderId,
-          senderName: body.senderName,
-          senderUsername: body.senderUsername,
+          senderName: body.actorDisplayName,
+          senderUsername: body.actorUsername,
           replyCallbackUrl: body.replyCallbackUrl,
           bearerToken,
           assistantId,
@@ -324,14 +327,14 @@ export async function handleChannelInbound(
           const accessResult = notifyGuardianOfAccessRequest({
             canonicalAssistantId,
             sourceChannel,
-            externalChatId,
-            senderExternalUserId: canonicalSenderId ?? rawSenderId,
-            senderName: body.senderName,
-            senderUsername: body.senderUsername,
+            conversationExternalId,
+            actorExternalId: canonicalSenderId ?? rawSenderId,
+            actorDisplayName: body.actorDisplayName,
+            actorUsername: body.actorUsername,
           });
           guardianNotified = accessResult.notified;
         } catch (err) {
-          log.error({ err, sourceChannel, externalChatId }, 'Failed to notify guardian of access request');
+          log.error({ err, sourceChannel, conversationExternalId }, 'Failed to notify guardian of access request');
         }
         if (body.replyCallbackUrl) {
@@ -340,12 +343,12 @@ export async function handleChannelInbound(
             : "Sorry, you haven't been approved to message this assistant.";
           try {
             await deliverChannelReply(body.replyCallbackUrl, {
-              chatId: externalChatId,
+              chatId: conversationExternalId,
               text: replyText,
               assistantId,
             }, bearerToken);
           } catch (err) {
-            log.error({ err, externalChatId }, 'Failed to deliver ACL rejection reply');
+            log.error({ err, conversationExternalId }, 'Failed to deliver ACL rejection reply');
           }
         }
@@ -386,11 +389,11 @@ export async function handleChannelInbound(
           const inviteResult = await handleInviteTokenIntercept({
             rawToken: inviteToken,
             sourceChannel,
-            externalChatId,
+            externalChatId: conversationExternalId,
             externalMessageId,
             senderExternalUserId: canonicalSenderId ?? rawSenderId,
-            senderName: body.senderName,
-            senderUsername: body.senderUsername,
+            senderName: body.actorDisplayName,
+            senderUsername: body.actorUsername,
             replyCallbackUrl: body.replyCallbackUrl,
             bearerToken,
             assistantId,
@@ -411,15 +414,15 @@ export async function handleChannelInbound(
               const accessResult = notifyGuardianOfAccessRequest({
                 canonicalAssistantId,
                 sourceChannel,
-                externalChatId,
-                senderExternalUserId: canonicalSenderId ?? rawSenderId,
-                senderName: body.senderName,
-                senderUsername: body.senderUsername,
+                conversationExternalId,
+                actorExternalId: canonicalSenderId ?? rawSenderId,
+                actorDisplayName: body.actorDisplayName,
+                actorUsername: body.actorUsername,
                 previousMemberStatus: resolvedMember.status,
               });
               guardianNotified = accessResult.notified;
             } catch (err) {
-              log.error({ err, sourceChannel, externalChatId }, 'Failed to notify guardian of access request');
+              log.error({ err, sourceChannel, conversationExternalId }, 'Failed to notify guardian of access request');
             }
           }
@@ -429,12 +432,12 @@ export async function handleChannelInbound(
               : "Sorry, you haven't been approved to message this assistant.";
             try {
               await deliverChannelReply(body.replyCallbackUrl, {
-                chatId: externalChatId,
+                chatId: conversationExternalId,
                 text: replyText,
                 assistantId,
               }, bearerToken);
             } catch (err) {
-              log.error({ err, externalChatId }, 'Failed to deliver ACL rejection reply');
+              log.error({ err, conversationExternalId }, 'Failed to deliver ACL rejection reply');
             }
           }
           return Response.json({ accepted: true, denied: true, reason: `member_${resolvedMember.status}` });
@@ -446,12 +449,12 @@ export async function handleChannelInbound(
         if (body.replyCallbackUrl) {
           try {
             await deliverChannelReply(body.replyCallbackUrl, {
-              chatId: externalChatId,
+              chatId: conversationExternalId,
               text: "Sorry, you haven't been approved to message this assistant.",
               assistantId,
             }, bearerToken);
           } catch (err) {
-            log.error({ err, externalChatId }, 'Failed to deliver ACL rejection reply');
+            log.error({ err, conversationExternalId }, 'Failed to deliver ACL rejection reply');
           }
         }
         return Response.json({ accepted: true, denied: true, reason: 'policy_deny' });
@@ -487,7 +490,7 @@ export async function handleChannelInbound(
     // Dedup the edit event itself (retried edited_message webhooks)
     const editResult = channelDeliveryStore.recordInbound(
       sourceChannel,
-      externalChatId,
+      conversationExternalId,
       externalMessageId,
       { sourceMessageId, assistantId: canonicalAssistantId },
     );
@@ -510,7 +513,7 @@ export async function handleChannelInbound(
     for (let attempt = 0; attempt <= EDIT_LOOKUP_RETRIES; attempt++) {
       original = channelDeliveryStore.findMessageBySourceId(
         sourceChannel,
-        externalChatId,
+        conversationExternalId,
         sourceMessageId,
       );
       if (original) break;
@@ -531,7 +534,7 @@ export async function handleChannelInbound(
       );
     } else {
       log.warn(
-        { assistantId, sourceChannel, externalChatId, sourceMessageId },
+        { assistantId, sourceChannel, conversationExternalId, sourceMessageId },
         'Could not find original message for edit after retries, ignoring',
       );
     }
@@ -546,7 +549,7 @@ export async function handleChannelInbound(
   // ── New message path ──
   const result = channelDeliveryStore.recordInbound(
     sourceChannel,
-    externalChatId,
+    conversationExternalId,
     externalMessageId,
     { sourceMessageId, assistantId: canonicalAssistantId },
   );
@@ -586,10 +589,10 @@ export async function handleChannelInbound(
     externalConversationStore.upsertBinding({
       conversationId: result.conversationId,
       sourceChannel,
-      externalChatId,
+      externalChatId: conversationExternalId,
       externalUserId: canonicalSenderId ?? rawSenderId ?? null,
-      displayName: body.senderName ?? null,
-      username: body.senderUsername ?? null,
+      displayName: body.actorDisplayName ?? null,
+      username: body.actorUsername ?? null,
     });
   }
@@ -608,26 +611,34 @@ export async function handleChannelInbound(
     // Persist the raw payload so the decide handler can recover the original
     // message content when the escalation is approved.
     channelDeliveryStore.storePayload(result.eventId, {
-      sourceChannel, interface: sourceInterface, externalChatId, externalMessageId, content,
+      sourceChannel, interface: sourceInterface, externalChatId: conversationExternalId, externalMessageId, content,
       attachmentIds, sourceMetadata: body.sourceMetadata,
-      senderName: body.senderName,
-      senderExternalUserId: body.senderExternalUserId,
-      senderUsername: body.senderUsername,
+      senderName: body.actorDisplayName,
+      senderExternalUserId: body.actorExternalId,
+      senderUsername: body.actorUsername,
       replyCallbackUrl: body.replyCallbackUrl,
       assistantId: canonicalAssistantId,
     });
-    createCanonicalGuardianRequest({
-      kind: 'tool_approval',
-      sourceType: 'channel',
-      sourceChannel,
-      conversationId: result.conversationId,
-      requesterExternalUserId: canonicalSenderId ?? rawSenderId ?? undefined,
-      guardianExternalUserId: binding.guardianExternalUserId,
-      toolName: 'ingress_message',
-      questionText: 'Ingress policy requires guardian approval',
-      expiresAt: new Date(Date.now() + GUARDIAN_APPROVAL_TTL_MS).toISOString(),
-    });
+    try {
+      createCanonicalGuardianRequest({
+        kind: 'tool_approval',
+        sourceType: 'channel',
+        sourceChannel,
+        conversationId: result.conversationId,
+        requesterExternalUserId: canonicalSenderId ?? rawSenderId ?? undefined,
+        guardianExternalUserId: binding.guardianExternalUserId,
+        guardianPrincipalId: binding.guardianPrincipalId ?? undefined,
+        toolName: 'ingress_message',
+        questionText: 'Ingress policy requires guardian approval',
+        expiresAt: new Date(Date.now() + GUARDIAN_APPROVAL_TTL_MS).toISOString(),
+      });
+    } catch (err) {
+      log.warn(
+        { err, conversationId: result.conversationId, sourceChannel },
+        'Failed to create canonical guardian request for ingress escalation — escalation continues via notification pipeline',
+      );
+    }
     // Emit notification signal through the unified pipeline (fire-and-forget).
     // This lets the decision engine route escalation alerts to all configured
@@ -646,8 +657,8 @@ export async function handleChannelInbound(
       contextPayload: {
         conversationId: result.conversationId,
         sourceChannel,
-        externalChatId,
-        senderIdentifier: body.senderName || body.senderUsername || rawSenderId || 'Unknown sender',
+        conversationExternalId,
+        senderIdentifier: body.actorDisplayName || body.actorUsername || rawSenderId || 'Unknown sender',
         eventId: result.eventId,
       },
       dedupeKey: `escalation:${result.eventId}`,
@@ -700,7 +711,7 @@ export async function handleChannelInbound(
     if (bootstrapSession && bootstrapSession.status === 'pending_bootstrap') {
       // Bind the pending_bootstrap session to the sender's identity
-      bindSessionIdentity(bootstrapSession.id, rawSenderId!, externalChatId);
+      bindSessionIdentity(bootstrapSession.id, rawSenderId!, conversationExternalId);
       // Transition bootstrap session to awaiting_response
       updateSessionStatus(bootstrapSession.id, 'awaiting_response');
@@ -711,9 +722,9 @@ export async function handleChannelInbound(
         assistantId: canonicalAssistantId,
         channel: sourceChannel,
         expectedExternalUserId: rawSenderId!,
-        expectedChatId: externalChatId,
+        expectedChatId: conversationExternalId,
         identityBindingStatus: 'bound',
-        destinationAddress: externalChatId,
+        destinationAddress: conversationExternalId,
       });
       // Compose and send the verification prompt via Telegram
@@ -726,7 +737,7 @@ export async function handleChannelInbound(
       );
       // Deliver verification Telegram message via the gateway (fire-and-forget)
-      deliverBootstrapVerificationTelegram(externalChatId, telegramBody, canonicalAssistantId);
+      deliverBootstrapVerificationTelegram(conversationExternalId, telegramBody, canonicalAssistantId);
       // Update delivery tracking
       const now = Date.now();
@@ -769,9 +780,9 @@ export async function handleChannelInbound(
       sourceChannel,
       guardianVerifyCode,
       canonicalSenderId ?? rawSenderId!,
-      externalChatId,
-      body.senderUsername,
-      body.senderName,
+      conversationExternalId,
+      body.actorUsername,
+      body.actorDisplayName,
     );
     const guardianVerifyOutcome: 'verified' | 'failed' = verifyResult.success ? 'verified' : 'failed';
@@ -782,7 +793,7 @@ export async function handleChannelInbound(
           assistantId: canonicalAssistantId,
           sourceChannel,
           externalUserId: canonicalSenderId ?? rawSenderId!,
-          externalChatId,
+          externalChatId: conversationExternalId,
         })
         : null;
       const memberMatchesSender = existingMember?.externalUserId
@@ -790,18 +801,18 @@ export async function handleChannelInbound(
         : false;
       const preservedDisplayName = memberMatchesSender && existingMember?.displayName?.trim().length
         ? existingMember.displayName
-        : body.senderName;
+        : body.actorDisplayName;
       upsertMember({
         assistantId: canonicalAssistantId,
         sourceChannel,
         externalUserId: canonicalSenderId ?? rawSenderId!,
-        externalChatId,
+        externalChatId: conversationExternalId,
         status: 'active',
         policy: 'allow',
         // Keep guardian-curated member name stable across re-verification.
         displayName: preservedDisplayName,
-        username: body.senderUsername,
+        username: body.actorUsername,
       });
       const verifyLogLabel = verifyResult.verificationType === 'trusted_contact'
@@ -826,10 +837,10 @@ export async function handleChannelInbound(
           },
           contextPayload: {
             sourceChannel,
-            externalUserId: canonicalSenderId ?? rawSenderId!,
-            externalChatId,
-            senderName: body.senderName ?? null,
-            senderUsername: body.senderUsername ?? null,
+            actorExternalId: canonicalSenderId ?? rawSenderId!,
+            conversationExternalId,
+            actorDisplayName: body.actorDisplayName ?? null,
+            actorUsername: body.actorUsername ?? null,
           },
           dedupeKey: `trusted-contact:activated:${canonicalAssistantId}:${sourceChannel}:${canonicalSenderId ?? rawSenderId!}`,
         });
@@ -851,7 +862,7 @@ export async function handleChannelInbound(
       }
       try {
         await deliverChannelReply(replyCallbackUrl, {
-          chatId: externalChatId,
+          chatId: conversationExternalId,
           text: replyText,
           assistantId,
         }, bearerToken);
@@ -860,9 +871,9 @@ export async function handleChannelInbound(
         // we cannot simply re-throw and let the gateway retry the full
         // flow. Instead, persist the reply so that gateway retries
         // (which arrive as duplicates) can re-attempt delivery.
-        log.error({ err, externalChatId }, 'Failed to deliver deterministic verification reply; persisting for retry');
+        log.error({ err, conversationExternalId }, 'Failed to deliver deterministic verification reply; persisting for retry');
         channelDeliveryStore.storePendingVerificationReply(result.eventId, {
-          chatId: externalChatId,
+          chatId: conversationExternalId,
           text: replyText,
           assistantId,
         });
@@ -874,7 +885,7 @@ export async function handleChannelInbound(
         setTimeout(async () => {
           try {
             await deliverChannelReply(replyCallbackUrl, {
-              chatId: externalChatId,
+              chatId: conversationExternalId,
               text: replyText,
               assistantId,
             }, bearerToken);
@@ -914,10 +925,10 @@ export async function handleChannelInbound(
   const guardianCtx: GuardianContext = resolveGuardianContext({
     assistantId: canonicalAssistantId,
     sourceChannel,
-    externalChatId,
-    senderExternalUserId: rawSenderId,
-    senderUsername: body.senderUsername,
-    senderDisplayName: body.senderName,
+    conversationExternalId,
+    actorExternalId: rawSenderId,
+    actorUsername: body.actorUsername,
+    actorDisplayName: body.actorDisplayName,
   });
   // Hoisted flag: set by the canonical guardian reply router when the invite
@@ -949,7 +960,7 @@ export async function handleChannelInbound(
     // router's own identity-based fallback stays active.
     const deliveryScopedPendingRequests = listPendingCanonicalGuardianRequestsByDestinationChat(
       sourceChannel,
-      externalChatId,
+      conversationExternalId,
     );
     let pendingRequestIds: string[] | undefined;
     if (deliveryScopedPendingRequests.length > 0) {
@@ -972,7 +983,7 @@ export async function handleChannelInbound(
       actor: {
         externalUserId: canonicalSenderId ?? rawSenderId!,
         channel: sourceChannel,
-        isTrusted: false,
+        guardianPrincipalId: guardianCtx.guardianPrincipalId ?? undefined,
       },
       conversationId: result.conversationId,
       callbackData: body.callbackData,
@@ -980,7 +991,7 @@ export async function handleChannelInbound(
       approvalConversationGenerator,
       channelDeliveryContext: {
         replyCallbackUrl,
-        guardianChatId: externalChatId,
+        guardianChatId: conversationExternalId,
         assistantId: canonicalAssistantId,
         bearerToken,
       },
@@ -991,12 +1002,12 @@ export async function handleChannelInbound(
       if (routerResult.replyText) {
         try {
           await deliverChannelReply(replyCallbackUrl, {
-            chatId: externalChatId,
+            chatId: conversationExternalId,
             text: routerResult.replyText,
             assistantId: canonicalAssistantId,
           }, bearerToken);
         } catch (err) {
-          log.error({ err, externalChatId }, 'Failed to deliver canonical router reply');
+          log.error({ err, conversationExternalId }, 'Failed to deliver canonical router reply');
         }
       }
@@ -1028,9 +1039,9 @@ export async function handleChannelInbound(
       conversationId: result.conversationId,
       callbackData: body.callbackData,
       content: trimmedContent,
-      externalChatId,
+      conversationExternalId,
       sourceChannel,
-      senderExternalUserId: canonicalSenderId ?? rawSenderId,
+      actorExternalId: canonicalSenderId ?? rawSenderId,
       replyCallbackUrl,
       bearerToken,
       guardianCtx,
@@ -1125,11 +1136,11 @@ export async function handleChannelInbound(
     // replayed. If the ingress check later detects secrets we clear it
     // before throwing, so secret-bearing content is never left on disk.
     channelDeliveryStore.storePayload(result.eventId, {
-      sourceChannel, externalChatId, externalMessageId, content,
+      sourceChannel, externalChatId: conversationExternalId, externalMessageId, content,
       attachmentIds, sourceMetadata: body.sourceMetadata,
-      senderName: body.senderName,
-      senderExternalUserId: body.senderExternalUserId,
-      senderUsername: body.senderUsername,
+      senderName: body.actorDisplayName,
+      senderExternalUserId: body.actorExternalId,
+      senderUsername: body.actorUsername,
       guardianCtx: toGuardianRuntimeContext(sourceChannel, guardianCtx),
       replyCallbackUrl,
       assistantId: canonicalAssistantId,
@@ -1183,7 +1194,7 @@ export async function handleChannelInbound(
       attachmentIds: hasAttachments ? attachmentIds : undefined,
       sourceChannel,
       sourceInterface,
-      externalChatId,
+      externalChatId: conversationExternalId,
       guardianCtx,
       metadataHints,
       metadataUxBrief,
@@ -1272,7 +1283,7 @@ async function handleInviteTokenIntercept(params: {
   });
   log.info(
-    { sourceChannel, externalChatId, ok: outcome.ok, type: outcome.ok ? outcome.type : undefined, reason: !outcome.ok ? outcome.reason : undefined },
+    { sourceChannel, externalChatId: params.externalChatId, ok: outcome.ok, type: outcome.ok ? outcome.type : undefined, reason: !outcome.ok ? outcome.reason : undefined },
     'Invite token intercept: redemption result',
   );

package/src/runtime/tool-grant-request-helper.ts CHANGED Viewed

@@ -123,6 +123,7 @@ export function createOrReuseToolGrantRequest(
     requesterExternalUserId,
     requesterChatId: requesterChatId ?? undefined,
     guardianExternalUserId: binding.guardianExternalUserId,
+    guardianPrincipalId: binding.guardianPrincipalId ?? undefined,
     toolName,
     inputDigest,
     questionText,

package/src/util/logger.ts CHANGED Viewed

@@ -99,6 +99,16 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
     );
   }
+  // When stdout is not a TTY (e.g. desktop app redirects to a hatch log file),
+  // write to the rotating file only — the hatch log already captured early
+  // startup output and echoing pino output there is unnecessary duplication.
+  if (!process.stdout.isTTY) {
+    return pino(
+      { name: 'assistant', level, serializers: logSerializers },
+      fileStream,
+    );
+  }
   return pino(
     { name: 'assistant', level, serializers: logSerializers },
     pino.multistream([

package/src/daemon/call-pointer-generators.ts DELETED Viewed

@@ -1,59 +0,0 @@
-import {
-  buildPointerGenerationPrompt,
-  getPointerFallbackMessage,
-  includesRequiredFacts,
-  POINTER_COPY_MAX_TOKENS,
-  POINTER_COPY_SYSTEM_PROMPT,
-  POINTER_COPY_TIMEOUT_MS,
-} from '../calls/call-pointer-message-composer.js';
-import { loadConfig } from '../config/loader.js';
-import { getFailoverProvider } from '../providers/registry.js';
-import type { PointerCopyGenerator } from '../runtime/http-types.js';
-/**
- * Create the daemon-owned pointer copy generator that resolves providers
- * and calls `provider.sendMessage` to generate pointer message text.
- * This keeps all provider awareness in the daemon lifecycle, away from
- * the runtime composer.
- */
-export function createPointerCopyGenerator(): PointerCopyGenerator {
-  return async (context, options = {}) => {
-    const config = loadConfig();
-    let provider;
-    try {
-      provider = getFailoverProvider(config.provider, config.providerOrder);
-    } catch {
-      return null;
-    }
-    const fallbackText = options.fallbackText?.trim() || getPointerFallbackMessage(context);
-    const requiredFacts = options.requiredFacts
-      ?.map((f) => f.trim())
-      .filter((f) => f.length > 0);
-    const prompt = buildPointerGenerationPrompt(context, fallbackText, requiredFacts);
-    const response = await provider.sendMessage(
-      [{ role: 'user', content: [{ type: 'text', text: prompt }] }],
-      [],
-      POINTER_COPY_SYSTEM_PROMPT,
-      {
-        config: {
-          max_tokens: options.maxTokens ?? POINTER_COPY_MAX_TOKENS,
-          modelIntent: 'latency-optimized',
-        },
-        signal: AbortSignal.timeout(options.timeoutMs ?? POINTER_COPY_TIMEOUT_MS),
-      },
-    );
-    const block = response.content.find((entry) => entry.type === 'text');
-    const text = block && 'text' in block ? block.text.trim() : '';
-    if (!text) return null;
-    const cleaned = text
-      .replace(/^["'`]+/, '')
-      .replace(/["'`]+$/, '')
-      .trim();
-    if (!cleaned) return null;
-    if (!includesRequiredFacts(cleaned, requiredFacts)) return null;
-    return cleaned;
-  };
-}