@vellumai/assistant 0.4.45 → 0.4.48

package/src/providers/ratelimit.ts

@@ -74,6 +74,15 @@ export class RateLimitProvider implements Provider {
 
     if (this.requestTimestamps.length >= limit) {
       const waitSec = Math.ceil((oldestInWindow + 60_000 - now) / 1000);
+      log.warn(
+        {
+          provider: this.name,
+          limit,
+          currentCount: this.requestTimestamps.length,
+          retryAfterSec: waitSec,
+        },
+        `Provider rate limit exceeded: ${limit} requests/minute for ${this.name}`,
+      );
       throw new RateLimitError(
         `Rate limit exceeded: ${limit} requests/minute. Try again in ${waitSec}s.`,
       );
@@ -85,6 +94,14 @@ export class RateLimitProvider implements Provider {
     if (limit <= 0) return;
 
     if (this.sessionTokens >= limit) {
+      log.warn(
+        {
+          provider: this.name,
+          sessionTokens: this.sessionTokens,
+          limit,
+        },
+        `Session token budget exhausted for ${this.name}: ${this.sessionTokens.toLocaleString()}/${limit.toLocaleString()}`,
+      );
       throw new RateLimitError(
         `Session token budget exhausted: ${this.sessionTokens.toLocaleString()}/${limit.toLocaleString()} tokens used. Start a new session to continue.`,
       );

package/src/providers/registry.ts

@@ -289,8 +289,8 @@ export function initializeProviders(config: ProvidersConfig): void {
     );
     routingSources.set("gemini", "user-key");
   } else {
-    // No user Gemini key — try managed proxy fallback
-    const managedBaseUrl = buildManagedBaseUrl("gemini");
+    // No user Gemini key — route through Vertex managed proxy
+    const managedBaseUrl = buildManagedBaseUrl("vertex");
     if (managedBaseUrl) {
       const ctx = resolveManagedProxyContext();
       const model = resolveModel(config, "gemini");

package/src/runtime/AGENTS.md

@@ -43,7 +43,7 @@ Host file allows the assistant to perform file operations (read, write, edit) on
   - `POST /v1/host-file-result` — `{ requestId, content, isError }`
 - **Tracking**: Uses the same `pending-interactions` tracker as approvals and host bash, with `kind: "host_file"`. The endpoint validates the interaction kind before resolving.
 
-### Channel approvals (Telegram, SMS)
+### Channel approvals (Telegram, Slack)
 
 Channel approval flows use `requestId` (not `runId`) as the primary identifier:
 
@@ -51,6 +51,23 @@ Channel approval flows use `requestId` (not `runId`) as the primary identifier:
 - Guardian approval records in `channelGuardianApprovalRequests` link via `requestId`.
 - The conversational approval engine classifies user intent and resolves via `session.handleConfirmationResponse(requestId, decision)`.
 
+## Rate Limiting & Diagnostics
+
+All `/v1/*` endpoints share a per-client-IP sliding-window rate limiter (`middleware/rate-limiter.ts`):
+
+- **Authenticated**: 300 requests/minute
+- **Unauthenticated**: 20 requests/minute
+
+When the limit is exceeded, the limiter returns 429 and logs a structured warning (module: `rate-limiter`) with the denied endpoint and a breakdown of which endpoints consumed the budget in the current window. This makes it easy to identify whether the cause is rapid thread switching, polling, or unexpected request volume.
+
+Logs are written to `~/.vellum/workspace/data/logs/vellum.log` by default. If `logFile.dir` is configured, logs rotate daily as `assistant-YYYY-MM-DD.log` in that directory. To watch rate limit events in real time:
+
+```bash
+tail -f ~/.vellum/workspace/data/logs/vellum.log | grep rate-limit
+```
+
+The provider-level rate limiter (`providers/ratelimit.ts`) also logs warnings (module: `rate-limit`) when request rate or token budget limits are enforced.
+
 ## HTTP-Only Transport
 
 HTTP is the sole transport for client-daemon communication. The runtime HTTP server (`assistant/src/runtime/http-server.ts`) is the canonical API surface. Clients connect via HTTP for request/response operations and SSE (`GET /v1/events`) for streaming server-to-client events.

package/src/runtime/auth/route-policy.ts

@@ -403,6 +403,7 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "schedules/cancel", scopes: ["settings.write"] },
 
   // Diagnostics
+  { endpoint: "export", scopes: ["settings.read"] },
   { endpoint: "diagnostics/export", scopes: ["settings.read"] },
   { endpoint: "diagnostics/env-vars", scopes: ["settings.read"] },
 

package/src/runtime/channel-invite-transports/telegram.ts

@@ -16,6 +16,7 @@ import {
   saveRawConfig,
   setNestedValue,
 } from "../../config/loader.js";
+import { credentialKey } from "../../security/credential-key.js";
 import { getSecureKey } from "../../security/secure-keys.js";
 import { getTelegramBotUsername } from "../../telegram/bot-username.js";
 import { getLogger } from "../../util/logger.js";
@@ -40,7 +41,7 @@ export async function ensureTelegramBotUsernameResolved(): Promise<void> {
     return; // Username already cached in config
   }
 
-  const token = getSecureKey("credential:telegram:bot_token");
+  const token = getSecureKey(credentialKey("telegram", "bot_token"));
   if (!token) return;
 
   try {

package/src/runtime/channel-readiness-service.ts

@@ -3,6 +3,7 @@ import { hasTwilioCredentials } from "../calls/twilio-rest.js";
 import { getChannelInvitePolicy } from "../channels/config.js";
 import { loadRawConfig } from "../config/loader.js";
 import { getEmailService } from "../email/service.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { resolveWhatsAppDisplayNumber } from "./channel-invite-transports/whatsapp.js";
 import type {
@@ -11,6 +12,7 @@ import type {
   ChannelProbeContext,
   ChannelReadinessSnapshot,
   ReadinessCheckResult,
+  SetupStatus,
 } from "./channel-readiness-types.js";
 import { probeLocalGatewayHealth } from "./local-gateway-health.js";
 
@@ -31,55 +33,83 @@ function hasIngressConfigured(): boolean {
   }
 }
 
+// ── Shared check helpers ────────────────────────────────────────────────────
+
+/** Build a check result from a boolean condition. */
+function check(
+  name: string,
+  passed: boolean,
+  passMessage: string,
+  failMessage: string,
+): ReadinessCheckResult {
+  return { name, passed, message: passed ? passMessage : failMessage };
+}
+
+/** Check that a secure credential key exists. */
+function checkCredential(
+  name: string,
+  service: string,
+  field: string,
+  label: string,
+): ReadinessCheckResult {
+  const exists = !!getSecureKey(credentialKey(service, field));
+  return check(
+    name,
+    exists,
+    `${label} is configured`,
+    `${label} is not configured`,
+  );
+}
+
+/** Check that public ingress is configured and enabled. */
+function checkIngress(): ReadinessCheckResult {
+  const has = hasIngressConfigured();
+  return check(
+    "ingress",
+    has,
+    "Public ingress URL is configured",
+    "Public ingress URL is not configured or disabled",
+  );
+}
+
 // ── Voice Probe ─────────────────────────────────────────────────────────────
 
 const voiceProbe: ChannelProbe = {
   channel: "phone",
   async runLocalChecks(): Promise<ReadinessCheckResult[]> {
-    const results: ReadinessCheckResult[] = [];
-
     const hasCreds = hasTwilioCredentials();
-    results.push({
-      name: "twilio_credentials",
-      passed: hasCreds,
-      message: hasCreds
-        ? "Twilio credentials are configured"
-        : "Twilio Account SID and Auth Token are not configured",
-    });
-
-    const resolvedNumber = resolveTwilioPhoneNumber();
-    const hasPhone = !!resolvedNumber;
-    results.push({
-      name: "phone_number",
-      passed: hasPhone,
-      message: hasPhone
-        ? "Phone number is assigned for voice calls"
-        : "No phone number assigned for voice calls",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    if (hasIngress) {
-      const gatewayHealth = await probeLocalGatewayHealth();
-      results.push({
-        name: "gateway_health",
-        passed: gatewayHealth.healthy,
-        message: gatewayHealth.healthy
-          ? `Local gateway is serving requests at ${gatewayHealth.target}`
-          : `Local gateway is not serving requests at ${gatewayHealth.target}${
-              gatewayHealth.error ? `: ${gatewayHealth.error}` : ""
-            }`,
-      });
+    const hasPhone = !!resolveTwilioPhoneNumber();
+    const ingress = checkIngress();
+
+    const checks: ReadinessCheckResult[] = [
+      check(
+        "twilio_credentials",
+        hasCreds,
+        "Twilio credentials are configured",
+        "Twilio Account SID and Auth Token are not configured",
+      ),
+      check(
+        "phone_number",
+        hasPhone,
+        "Phone number is assigned for voice calls",
+        "No phone number assigned for voice calls",
+      ),
+      ingress,
+    ];
+
+    if (ingress.passed) {
+      const gw = await probeLocalGatewayHealth();
+      checks.push(
+        check(
+          "gateway_health",
+          gw.healthy,
+          `Local gateway is serving requests at ${gw.target}`,
+          `Local gateway is not serving requests at ${gw.target}${gw.error ? `: ${gw.error}` : ""}`,
+        ),
+      );
     }
 
-    return results;
+    return checks;
   },
 };
 
@@ -87,41 +117,16 @@ const voiceProbe: ChannelProbe = {
 
 const telegramProbe: ChannelProbe = {
   channel: "telegram",
-  runLocalChecks(): ReadinessCheckResult[] {
-    const results: ReadinessCheckResult[] = [];
-
-    const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
-    results.push({
-      name: "bot_token",
-      passed: hasBotToken,
-      message: hasBotToken
-        ? "Telegram bot token is configured"
-        : "Telegram bot token is not configured",
-    });
-
-    const hasWebhookSecret = !!getSecureKey(
-      "credential:telegram:webhook_secret",
-    );
-    results.push({
-      name: "webhook_secret",
-      passed: hasWebhookSecret,
-      message: hasWebhookSecret
-        ? "Telegram webhook secret is configured"
-        : "Telegram webhook secret is not configured",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    return results;
-  },
-  // Telegram has no remote checks currently
+  runLocalChecks: () => [
+    checkCredential("bot_token", "telegram", "bot_token", "Telegram bot token"),
+    checkCredential(
+      "webhook_secret",
+      "telegram",
+      "webhook_secret",
+      "Telegram webhook secret",
+    ),
+    checkIngress(),
+  ],
 };
 
 // ── Email Probe ─────────────────────────────────────────────────────────────
@@ -129,43 +134,33 @@ const telegramProbe: ChannelProbe = {
 const emailProbe: ChannelProbe = {
   channel: "email",
   runLocalChecks(): ReadinessCheckResult[] {
-    const results: ReadinessCheckResult[] = [];
-
     const hasApiKey = !!(
-      getSecureKey("agentmail") || getSecureKey("credential:agentmail:api_key")
+      getSecureKey("agentmail") ||
+      getSecureKey(credentialKey("agentmail", "api_key"))
     );
-    results.push({
-      name: "agentmail_api_key",
-      passed: hasApiKey,
-      message: hasApiKey
-        ? "AgentMail API key is configured"
-        : "AgentMail API key is not configured",
-    });
-
     const invitePolicy = getChannelInvitePolicy("email");
-    results.push({
-      name: "invite_policy",
-      passed: invitePolicy.codeRedemptionEnabled,
-      message: invitePolicy.codeRedemptionEnabled
-        ? "Email invite code redemption is enabled"
-        : "Email invite code redemption is disabled",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    return results;
+    return [
+      check(
+        "agentmail_api_key",
+        hasApiKey,
+        "AgentMail API key is configured",
+        "AgentMail API key is not configured",
+      ),
+      check(
+        "invite_policy",
+        invitePolicy.codeRedemptionEnabled,
+        "Email invite code redemption is enabled",
+        "Email invite code redemption is disabled",
+      ),
+      checkIngress(),
+    ];
   },
+  // runRemoteChecks UNCHANGED — keep the existing inbox_configured check as-is
   async runRemoteChecks(): Promise<ReadinessCheckResult[]> {
     // Only worth checking if the API key is present
     const hasApiKey = !!(
-      getSecureKey("agentmail") || getSecureKey("credential:agentmail:api_key")
+      getSecureKey("agentmail") ||
+      getSecureKey(credentialKey("agentmail", "api_key"))
     );
     if (!hasApiKey) return [];
 
@@ -199,77 +194,47 @@ const emailProbe: ChannelProbe = {
 const whatsappProbe: ChannelProbe = {
   channel: "whatsapp",
   runLocalChecks(): ReadinessCheckResult[] {
-    const results: ReadinessCheckResult[] = [];
-
-    const hasPhoneNumberId = !!getSecureKey(
-      "credential:whatsapp:phone_number_id",
-    );
-    results.push({
-      name: "whatsapp_phone_number_id",
-      passed: hasPhoneNumberId,
-      message: hasPhoneNumberId
-        ? "WhatsApp phone number ID is configured"
-        : "WhatsApp phone number ID is not configured",
-    });
-
-    const hasAccessToken = !!getSecureKey("credential:whatsapp:access_token");
-    results.push({
-      name: "whatsapp_access_token",
-      passed: hasAccessToken,
-      message: hasAccessToken
-        ? "WhatsApp access token is configured"
-        : "WhatsApp access token is not configured",
-    });
-
-    const hasAppSecret = !!getSecureKey("credential:whatsapp:app_secret");
-    results.push({
-      name: "whatsapp_app_secret",
-      passed: hasAppSecret,
-      message: hasAppSecret
-        ? "WhatsApp app secret is configured"
-        : "WhatsApp app secret is not configured",
-    });
-
-    const hasWebhookVerifyToken = !!getSecureKey(
-      "credential:whatsapp:webhook_verify_token",
-    );
-    results.push({
-      name: "whatsapp_webhook_verify_token",
-      passed: hasWebhookVerifyToken,
-      message: hasWebhookVerifyToken
-        ? "WhatsApp webhook verify token is configured"
-        : "WhatsApp webhook verify token is not configured",
-    });
-
     const displayNumber = resolveWhatsAppDisplayNumber();
-    const hasDisplayNumber = !!displayNumber;
-    results.push({
-      name: "whatsapp_display_phone_number",
-      passed: hasDisplayNumber,
-      message: hasDisplayNumber
-        ? `WhatsApp display phone number is configured (${displayNumber})`
-        : "WhatsApp display phone number is not configured — set whatsapp.phoneNumber in workspace config",
-    });
-
     const invitePolicy = getChannelInvitePolicy("whatsapp");
-    results.push({
-      name: "invite_policy",
-      passed: invitePolicy.codeRedemptionEnabled,
-      message: invitePolicy.codeRedemptionEnabled
-        ? "WhatsApp invite code redemption is enabled"
-        : "WhatsApp invite code redemption is disabled",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    return results;
+    return [
+      checkCredential(
+        "whatsapp_phone_number_id",
+        "whatsapp",
+        "phone_number_id",
+        "WhatsApp phone number ID",
+      ),
+      checkCredential(
+        "whatsapp_access_token",
+        "whatsapp",
+        "access_token",
+        "WhatsApp access token",
+      ),
+      checkCredential(
+        "whatsapp_app_secret",
+        "whatsapp",
+        "app_secret",
+        "WhatsApp app secret",
+      ),
+      checkCredential(
+        "whatsapp_webhook_verify_token",
+        "whatsapp",
+        "webhook_verify_token",
+        "WhatsApp webhook verify token",
+      ),
+      check(
+        "whatsapp_display_phone_number",
+        !!displayNumber,
+        `WhatsApp display phone number is configured (${displayNumber})`,
+        "WhatsApp display phone number is not configured — set whatsapp.phoneNumber in workspace config",
+      ),
+      check(
+        "invite_policy",
+        invitePolicy.codeRedemptionEnabled,
+        "WhatsApp invite code redemption is enabled",
+        "WhatsApp invite code redemption is disabled",
+      ),
+      checkIngress(),
+    ];
   },
 };
 
@@ -277,26 +242,20 @@ const whatsappProbe: ChannelProbe = {
 
 const slackProbe: ChannelProbe = {
   channel: "slack",
-  runLocalChecks(): ReadinessCheckResult[] {
-    const hasBotToken = !!getSecureKey("credential:slack_channel:bot_token");
-    const hasAppToken = !!getSecureKey("credential:slack_channel:app_token");
-    return [
-      {
-        name: "bot_token",
-        passed: hasBotToken,
-        message: hasBotToken
-          ? "Slack bot token is configured"
-          : "Slack bot token is not configured",
-      },
-      {
-        name: "app_token",
-        passed: hasAppToken,
-        message: hasAppToken
-          ? "Slack app token is configured"
-          : "Slack app token is not configured",
-      },
-    ];
-  },
+  runLocalChecks: () => [
+    checkCredential(
+      "bot_token",
+      "slack_channel",
+      "bot_token",
+      "Slack bot token",
+    ),
+    checkCredential(
+      "app_token",
+      "slack_channel",
+      "app_token",
+      "Slack app token",
+    ),
+  ],
 };
 
 // ── Service ─────────────────────────────────────────────────────────────────
@@ -369,6 +328,18 @@ export class ChannelReadinessService {
           : true;
       const ready = allLocalPassed && allRemotePassed;
 
+      // setupStatus: considers all checks (credentials + infrastructure)
+      const consideredChecks = [
+        ...localChecks,
+        ...(remoteChecks && remoteChecksAffectReadiness ? remoteChecks : []),
+      ];
+      const anyCheckPassed = consideredChecks.some((c) => c.passed);
+      const setupStatus: SetupStatus = !anyCheckPassed
+        ? "not_configured"
+        : ready
+          ? "ready"
+          : "incomplete";
+
       const reasons: Array<{ code: string; text: string }> = [];
       for (const check of localChecks) {
         if (!check.passed) {
@@ -386,6 +357,7 @@ export class ChannelReadinessService {
       const snapshot: ChannelReadinessSnapshot = {
         channel: ch,
         ready,
+        setupStatus,
         checkedAt:
           remoteChecks && cached && !remoteChecksFreshlyFetched
             ? cached.checkedAt
@@ -422,6 +394,7 @@ export class ChannelReadinessService {
     return {
       channel,
       ready: false,
+      setupStatus: "not_configured",
       checkedAt: Date.now(),
       stale: false,
       reasons: [

package/src/runtime/channel-readiness-types.ts

@@ -4,6 +4,9 @@ import type { ChannelId } from "../channels/types.js";
 
 export type { ChannelId };
 
+/** Setup progress for a channel: not_configured → incomplete → ready. */
+export type SetupStatus = "not_configured" | "incomplete" | "ready";
+
 /** Result of a single readiness check (local or remote). */
 export interface ReadinessCheckResult {
   name: string;
@@ -15,6 +18,7 @@ export interface ReadinessCheckResult {
 export interface ChannelReadinessSnapshot {
   channel: ChannelId;
   ready: boolean;
+  setupStatus: SetupStatus;
   checkedAt: number;
   stale: boolean;
   reasons: Array<{ code: string; text: string }>;

package/src/runtime/guardian-action-conversation-turn.ts

@@ -2,12 +2,11 @@
  * Guardian follow-up conversation engine.
  *
  * When a guardian replies to a post-timeout follow-up prompt (e.g. "would you
- * like to call them back or send a message?"), this engine classifies the
+ * like to call them back?"), this engine classifies the
  * guardian's intent into a structured disposition and produces a natural reply.
  *
  * Dispositions:
  *   - call_back:     Guardian wants to call the original caller back
- *   - message_back:  Guardian wants to send a text/message to the caller
  *   - decline:       Guardian declines to follow up ("never mind", "no thanks")
  *   - keep_pending:  Intent is ambiguous — ask for clarification
  *
@@ -37,7 +36,6 @@ const FALLBACK_RETRY_TEXT = getGuardianActionFallbackMessage({
 
 const VALID_DISPOSITIONS: ReadonlySet<string> = new Set([
   "call_back",
-  "message_back",
   "decline",
   "keep_pending",
 ]);

package/src/runtime/guardian-action-followup-executor.ts

@@ -173,7 +173,7 @@ async function executeCallBack(
 
 /**
  * Execute a follow-up action after the conversation engine has classified
- * the guardian's intent as call_back or message_back and the follow-up
+ * the guardian's intent as call_back and the follow-up
  * state has been transitioned to `dispatching`.
  *
  * On success: finalizes the follow-up to `completed` and returns
@@ -250,7 +250,6 @@ export async function executeFollowupAction(
     actionResult = await executeCallBack(request, counterparty);
   } else {
     // decline is already handled in M5 — should not reach the executor.
-    // message_back (SMS) is no longer supported.
     finalizeFollowup(requestId, "failed");
     const errorText = await composeGuardianActionMessageGenerative(
       {

package/src/runtime/guardian-action-message-composer.ts

@@ -36,8 +36,6 @@ export type GuardianActionMessageScenario =
   | "guardian_superseded_remap"
   | "guardian_unknown_code"
   | "guardian_auto_matched"
-  | "outbound_message_copy"
-  | "followup_message_sent"
   | "followup_call_started"
   | "followup_action_failed"
   | "guardian_answer_delivery_failed";
@@ -183,8 +181,8 @@ export function getGuardianActionFallbackMessage(
 
     case "guardian_late_answer_followup":
       return context.callerIdentifier
-        ? `${context.callerIdentifier} called earlier with a question, but I wasn't able to connect them. Would you like to call them back or send them a message?`
-        : "Someone called earlier with a question, but I wasn't able to connect them. Would you like to call them back or send them a message?";
+        ? `${context.callerIdentifier} called earlier with a question, but I wasn't able to connect them. Would you like to call them back?`
+        : "Someone called earlier with a question, but I wasn't able to connect them. Would you like to call them back?";
 
     case "guardian_followup_dispatching":
       return context.followupAction
@@ -205,7 +203,7 @@ export function getGuardianActionFallbackMessage(
       return "No problem. Let me know if you change your mind or need anything else.";
 
     case "guardian_followup_clarification":
-      return "Sorry, I didn't quite catch that. Would you like to call them back, send them a message, or skip it for now?";
+      return "Sorry, I didn't quite catch that. Would you like to call them back or skip it for now?";
 
     case "guardian_pending_disambiguation":
       return listedCodes
@@ -247,24 +245,6 @@ export function getGuardianActionFallbackMessage(
         ? `Got it! Your answer has been applied to the current active request: "${context.questionText}"`
         : "Got it! Your answer has been applied to the current active request on the call.";
 
-    case "outbound_message_copy":
-      // This message is sent TO the original caller relaying the guardian's answer.
-      // When lateAnswerText is available, include it — that's the whole point of message_back.
-      if (context.lateAnswerText && context.questionText) {
-        return `Hi! You asked "${context.questionText}" earlier. Here's the answer: ${context.lateAnswerText}`;
-      }
-      if (context.lateAnswerText) {
-        return `Hi! Regarding your earlier question — here's the answer: ${context.lateAnswerText}`;
-      }
-      return context.questionText
-        ? `Hi! You asked "${context.questionText}" earlier. We'll get back to you with an answer soon.`
-        : "Hi! Thanks for calling earlier. We'll get back to you soon.";
-
-    case "followup_message_sent":
-      return context.counterpartyPhone
-        ? `Done! I've sent a text message to ${context.counterpartyPhone} with your answer.`
-        : "Done! I've sent them a text message with your answer.";
-
     case "followup_call_started":
       return context.counterpartyPhone
         ? `Got it! I'm calling ${context.counterpartyPhone} back now to relay your answer.`