@vellumai/assistant 0.4.45 → 0.4.48

package/src/runtime/http-server.ts

@@ -532,11 +532,16 @@ export class RuntimeHttpServer {
     if (!isHttpAuthDisabled()) {
       const clientIp = extractClientIp(req, server);
       const token = extractBearerToken(req);
-      const result = token
-        ? apiRateLimiter.check(clientIp)
-        : ipRateLimiter.check(clientIp);
+      const limiter = token ? apiRateLimiter : ipRateLimiter;
+      const limiterKind = token ? "authenticated" : "unauthenticated";
+      const result = limiter.check(clientIp, path);
       if (!result.allowed) {
-        return rateLimitResponse(result);
+        return rateLimitResponse(result, {
+          clientIp,
+          deniedPath: path,
+          limiterKind: limiterKind as "authenticated" | "unauthenticated",
+          pathCounts: limiter.getRecentPathCounts(clientIp),
+        });
       }
       const routerResponse = await this.router.dispatch(
         endpoint,

package/src/runtime/http-types.ts

@@ -83,7 +83,6 @@ export type GuardianActionCopyGenerator = (
 /** The disposition returned by the guardian follow-up conversation engine. */
 export type GuardianFollowUpDisposition =
   | "call_back"
-  | "message_back"
   | "decline"
   | "keep_pending";
 

package/src/runtime/middleware/rate-limiter.ts

@@ -2,10 +2,13 @@
 // Tracks request counts per key and returns 429 when the limit is exceeded.
 // Follows the same sliding-window pattern as gateway/src/auth-rate-limiter.ts.
 
+import { getLogger } from "../../util/logger.js";
 import type { HttpErrorResponse } from "../http-errors.js";
 import { isPrivateAddress } from "./auth.js";
 
-const DEFAULT_MAX_REQUESTS = 60;
+const log = getLogger("rate-limiter");
+
+const DEFAULT_MAX_REQUESTS = 300;
 const DEFAULT_WINDOW_MS = 60_000; // 60 seconds
 const MAX_TRACKED_TOKENS = 10_000;
 
@@ -14,8 +17,13 @@ const DEFAULT_IP_MAX_REQUESTS = 20;
 const DEFAULT_IP_WINDOW_MS = 60_000;
 const MAX_TRACKED_IPS = 50_000;
 
+interface RequestEntry {
+  timestamp: number;
+  path: string;
+}
+
 export class TokenRateLimiter {
-  private requests = new Map<string, number[]>();
+  private requests = new Map<string, RequestEntry[]>();
   private readonly maxRequests: number;
   private readonly windowMs: number;
   private readonly maxTrackedKeys: number;
@@ -34,11 +42,11 @@ export class TokenRateLimiter {
    * Check whether the request should be allowed and record it.
    * Returns rate limit metadata for response headers.
    */
-  check(key: string): RateLimitResult {
+  check(key: string, path?: string): RateLimitResult {
     const now = Date.now();
-    let timestamps = this.requests.get(key);
+    let entries = this.requests.get(key);
 
-    if (!timestamps) {
+    if (!entries) {
       if (this.requests.size >= this.maxTrackedKeys) {
         this.evictStale(now);
         if (this.requests.size >= this.maxTrackedKeys) {
@@ -46,24 +54,24 @@ export class TokenRateLimiter {
           if (oldest !== undefined) this.requests.delete(oldest);
         }
       }
-      timestamps = [];
-      this.requests.set(key, timestamps);
+      entries = [];
+      this.requests.set(key, entries);
     }
 
     const cutoff = now - this.windowMs;
 
-    // Remove expired timestamps from the front
-    while (timestamps.length > 0 && timestamps[0] <= cutoff) {
-      timestamps.shift();
+    // Remove expired entries from the front
+    while (entries.length > 0 && entries[0].timestamp <= cutoff) {
+      entries.shift();
     }
 
-    const remaining = Math.max(0, this.maxRequests - timestamps.length);
+    const remaining = Math.max(0, this.maxRequests - entries.length);
     const resetAt =
-      timestamps.length > 0
-        ? Math.ceil((timestamps[0] + this.windowMs) / 1000)
+      entries.length > 0
+        ? Math.ceil((entries[0].timestamp + this.windowMs) / 1000)
         : Math.ceil((now + this.windowMs) / 1000);
 
-    if (timestamps.length >= this.maxRequests) {
+    if (entries.length >= this.maxRequests) {
       return {
         allowed: false,
         limit: this.maxRequests,
@@ -72,7 +80,7 @@ export class TokenRateLimiter {
       };
     }
 
-    timestamps.push(now);
+    entries.push({ timestamp: now, path: path ?? "unknown" });
 
     return {
       allowed: true,
@@ -82,13 +90,36 @@ export class TokenRateLimiter {
     };
   }
 
+  /**
+   * Return a count of recent requests grouped by path for the given key.
+   * Sorted descending by count. Useful for diagnosing which endpoints
+   * are consuming the rate limit budget.
+   */
+  getRecentPathCounts(key: string): Array<{ path: string; count: number }> {
+    const entries = this.requests.get(key);
+    if (!entries || entries.length === 0) return [];
+
+    const now = Date.now();
+    const cutoff = now - this.windowMs;
+    const counts = new Map<string, number>();
+    for (const entry of entries) {
+      if (entry.timestamp > cutoff) {
+        counts.set(entry.path, (counts.get(entry.path) ?? 0) + 1);
+      }
+    }
+
+    return Array.from(counts.entries())
+      .map(([path, count]) => ({ path, count }))
+      .sort((a, b) => b.count - a.count);
+  }
+
   private evictStale(now: number): void {
     const cutoff = now - this.windowMs;
-    for (const [key, timestamps] of this.requests) {
-      while (timestamps.length > 0 && timestamps[0] <= cutoff) {
-        timestamps.shift();
+    for (const [key, entries] of this.requests) {
+      while (entries.length > 0 && entries[0].timestamp <= cutoff) {
+        entries.shift();
       }
-      if (timestamps.length === 0) {
+      if (entries.length === 0) {
         this.requests.delete(key);
       }
     }
@@ -115,8 +146,31 @@ export function rateLimitHeaders(
 }
 
 /** Return a 429 response with rate limit headers and a Retry-After hint. */
-export function rateLimitResponse(result: RateLimitResult): Response {
+export function rateLimitResponse(
+  result: RateLimitResult,
+  diagnostics?: {
+    clientIp: string;
+    deniedPath: string;
+    limiterKind: "authenticated" | "unauthenticated";
+    pathCounts: Array<{ path: string; count: number }>;
+  },
+): Response {
   const retryAfter = Math.max(1, result.resetAt - Math.ceil(Date.now() / 1000));
+
+  if (diagnostics) {
+    log.warn(
+      {
+        clientIp: diagnostics.clientIp,
+        deniedPath: diagnostics.deniedPath,
+        limiterKind: diagnostics.limiterKind,
+        limit: result.limit,
+        retryAfterSec: retryAfter,
+        recentRequests: diagnostics.pathCounts,
+      },
+      `Rate limited ${diagnostics.limiterKind} request: ${diagnostics.deniedPath} (${result.limit} req/min exceeded)`,
+    );
+  }
+
   const body: HttpErrorResponse = {
     error: { code: "RATE_LIMITED", message: "Too Many Requests" },
   };

package/src/runtime/middleware/twilio-validation.ts

@@ -29,12 +29,11 @@ export const GATEWAY_SUBPATH_MAP: Record<string, string> = {
   voice: "voice-webhook",
   status: "status",
   "connect-action": "connect-action",
-  sms: "sms",
 };
 
 /**
  * Direct Twilio webhook subpaths that are blocked in gateway_only mode.
- * Includes all public-facing webhook paths (voice, status, connect-action, sms)
+ * Includes all public-facing webhook paths (voice, status, connect-action)
  * because the runtime must never serve as a direct ingress for external webhooks.
  * Internal forwarding endpoints (gateway->runtime) are unaffected.
  */
@@ -42,7 +41,6 @@ export const GATEWAY_ONLY_BLOCKED_SUBPATHS = new Set([
   "voice-webhook",
   "status",
   "connect-action",
-  "sms",
 ]);
 
 /**

package/src/runtime/routes/channel-readiness-routes.ts

@@ -38,6 +38,7 @@ export async function handleGetChannelReadiness(url: URL): Promise<Response> {
       return {
         channel: s.channel,
         ready: s.ready,
+        setupStatus: s.setupStatus,
         checkedAt: s.checkedAt,
         stale: s.stale,
         reasons: s.reasons,
@@ -91,6 +92,7 @@ export async function handleRefreshChannelReadiness(
       return {
         channel: s.channel,
         ready: s.ready,
+        setupStatus: s.setupStatus,
         checkedAt: s.checkedAt,
         stale: s.stale,
         reasons: s.reasons,

package/src/runtime/routes/diagnostics-routes.ts

@@ -186,6 +186,7 @@ async function handleDiagnosticsExport(body: {
     // been persisted — the user message and in-flight tool/usage data are
     // still captured.
     let anchorMessage;
+    let anchorIsFallback = false;
     if (anchorMessageId) {
       anchorMessage = db
         .select()
@@ -220,6 +221,7 @@ async function handleDiagnosticsExport(body: {
         .orderBy(desc(messages.createdAt))
         .limit(1)
         .get();
+      anchorIsFallback = true;
     }
 
     // 2. Compute the export time range.
@@ -250,15 +252,15 @@ async function handleDiagnosticsExport(body: {
       rangeStart =
         precedingUserMessage?.createdAt ?? anchorMessage.createdAt - 2000;
 
-      // When the anchor is not an assistant message (e.g. the fallback "any
-      // message" path hit because the assistant reply hasn't been persisted
-      // yet), extend the range to the current time so in-flight tool
-      // invocations and usage recorded after the user message are captured.
-      const anchorIsAssistant = anchorMessage.role === "assistant";
-      rangeEnd = anchorIsAssistant ? anchorMessage.createdAt : now;
-      usageRangeEnd = anchorIsAssistant
-        ? anchorMessage.createdAt + 5000
-        : now + 5000;
+      // When the anchor was selected via the fallback "any message" path
+      // (because the assistant reply hasn't been persisted yet), extend the
+      // range to the current time so in-flight tool invocations and usage
+      // recorded after the user message are captured. An explicit anchor to a
+      // non-assistant message uses the message's own timestamp.
+      rangeEnd = anchorIsFallback ? now : anchorMessage.createdAt;
+      usageRangeEnd = anchorIsFallback
+        ? now + 5000
+        : anchorMessage.createdAt + 5000;
     } else {
       // No messages at all — use the current time so we capture any
       // in-flight LLM usage or tool invocations.

package/src/runtime/routes/guardian-approval-interception.ts

@@ -10,6 +10,7 @@ import { applyGuardianDecision } from "../../approvals/guardian-decision-primiti
 import type { ChannelId } from "../../channels/types.js";
 import type { TrustContext } from "../../daemon/session-runtime-assembly.js";
 import {
+  getAllPendingApprovalsByGuardianChat,
   getPendingApprovalForRequest,
   getUnresolvedApprovalForRequest,
   updateApprovalDecision,
@@ -123,7 +124,7 @@ export async function handleApprovalInterception(
   // Only guardians can approve via reaction — non-guardian reactions are
   // silently ignored to prevent self-approval.
   if (callbackData?.startsWith("reaction:")) {
-    if (trustCtx.trustClass !== "guardian") {
+    if (trustCtx.trustClass !== "guardian" || !actorExternalId) {
       return { handled: true, type: "stale_ignored" };
     }
     const reactionDecision = parseReactionCallbackData(callbackData);
@@ -131,13 +132,27 @@ export async function handleApprovalInterception(
       // Unknown emoji — ignore silently
       return { handled: true, type: "stale_ignored" };
     }
-    const pending = getApprovalInfoByConversation(conversationId);
-    if (pending.length === 0) {
+
+    const allPending = getAllPendingApprovalsByGuardianChat(
+      sourceChannel,
+      conversationExternalId,
+    );
+    const guardianPending = allPending.filter(
+      (approval) => approval.guardianExternalUserId === actorExternalId,
+    );
+    if (guardianPending.length !== 1) {
       return { handled: true, type: "stale_ignored" };
     }
-    const result = handleChannelDecision(conversationId, reactionDecision);
+
+    const result = applyGuardianDecision({
+      approval: guardianPending[0],
+      decision: reactionDecision,
+      actorPrincipalId: undefined,
+      actorExternalUserId: actorExternalId,
+      actorChannel: sourceChannel,
+    });
     if (result.applied) {
-      return { handled: true, type: "decision_applied" };
+      return { handled: true, type: "guardian_decision_applied" };
     }
     return { handled: true, type: "stale_ignored" };
   }

package/src/runtime/routes/inbound-stages/acl-enforcement.ts

@@ -314,21 +314,35 @@ export async function enforceIngressAcl(
               );
             }
 
+            // DM the requester so they have a private channel to reply with
+            // the verification code. Sending to the Slack user ID (not
+            // conversationExternalId) auto-opens a DM conversation.
             if (replyCallbackUrl) {
+              const senderUserId = (canonicalSenderId ?? rawSenderId)!;
+              // Strip threadTs from the callback URL — it belongs to the
+              // originating channel thread and would cause errors in the DM.
+              let dmCallbackUrl = replyCallbackUrl;
+              try {
+                const url = new URL(replyCallbackUrl);
+                url.searchParams.delete("threadTs");
+                dmCallbackUrl = url.toString();
+              } catch {
+                // Malformed URL — use as-is
+              }
               try {
                 await deliverChannelReply(
-                  replyCallbackUrl,
+                  dmCallbackUrl,
                   {
-                    chatId: conversationExternalId,
-                    text: "I've notified the owner. They'll share a verification code with you if they approve access.",
+                    chatId: senderUserId,
+                    text: "I've notified the owner. They'll share a verification code with you if they approve access. You can reply with the code here.",
                     assistantId,
                   },
                   mintBearerToken(),
                 );
               } catch (err) {
                 log.error(
-                  { err, conversationExternalId },
-                  "Failed to deliver Slack verification prompt reply",
+                  { err, senderUserId },
+                  "Failed to deliver Slack verification DM to requester",
                 );
               }
             }
@@ -371,14 +385,20 @@ export async function enforceIngressAcl(
           const replyText = guardianNotified
             ? "Hmm looks like you don't have access to talk to me. I'll let them know you tried talking to me and get back to you."
             : "Sorry, you haven't been approved to message this assistant.";
+          const replyPayload: Parameters<typeof deliverChannelReply>[1] = {
+            chatId: conversationExternalId,
+            text: replyText,
+            assistantId,
+          };
+          // On Slack, send as ephemeral so only the requester sees the rejection
+          if (sourceChannel === "slack" && (canonicalSenderId ?? rawSenderId)) {
+            replyPayload.ephemeral = true;
+            replyPayload.user = (canonicalSenderId ?? rawSenderId)!;
+          }
           try {
             await deliverChannelReply(
               replyCallbackUrl,
-              {
-                chatId: conversationExternalId,
-                text: replyText,
-                assistantId,
-              },
+              replyPayload,
               mintBearerToken(),
             );
           } catch (err) {
@@ -543,21 +563,31 @@ export async function enforceIngressAcl(
                 );
               }
 
+              // DM the requester (same as non-member path)
               if (replyCallbackUrl) {
+                const senderUserId = (canonicalSenderId ?? rawSenderId)!;
+                let dmCallbackUrl = replyCallbackUrl;
+                try {
+                  const url = new URL(replyCallbackUrl);
+                  url.searchParams.delete("threadTs");
+                  dmCallbackUrl = url.toString();
+                } catch {
+                  // Malformed URL — use as-is
+                }
                 try {
                   await deliverChannelReply(
-                    replyCallbackUrl,
+                    dmCallbackUrl,
                     {
-                      chatId: conversationExternalId,
-                      text: "I've notified the owner. They'll share a verification code with you if they approve access.",
+                      chatId: senderUserId,
+                      text: "I've notified the owner. They'll share a verification code with you if they approve access. You can reply with the code here.",
                       assistantId,
                     },
                     mintBearerToken(),
                   );
                 } catch (err) {
                   log.error(
-                    { err, conversationExternalId },
-                    "Failed to deliver Slack verification prompt reply (inactive member)",
+                    { err, senderUserId },
+                    "Failed to deliver Slack verification DM to requester (inactive member)",
                   );
                 }
               }
@@ -605,14 +635,25 @@ export async function enforceIngressAcl(
             const replyText = guardianNotified
               ? "Hmm looks like you don't have access to talk to me. I'll let them know you tried talking to me and get back to you."
               : "Sorry, you haven't been approved to message this assistant.";
+            const inactiveReplyPayload: Parameters<
+              typeof deliverChannelReply
+            >[1] = {
+              chatId: conversationExternalId,
+              text: replyText,
+              assistantId,
+            };
+            // On Slack, send as ephemeral so only the requester sees the rejection
+            if (
+              sourceChannel === "slack" &&
+              (canonicalSenderId ?? rawSenderId)
+            ) {
+              inactiveReplyPayload.ephemeral = true;
+              inactiveReplyPayload.user = (canonicalSenderId ?? rawSenderId)!;
+            }
             try {
               await deliverChannelReply(
                 replyCallbackUrl,
-                {
-                  chatId: conversationExternalId,
-                  text: replyText,
-                  assistantId,
-                },
+                inactiveReplyPayload,
                 mintBearerToken(),
               );
             } catch (err) {
@@ -640,14 +681,19 @@ export async function enforceIngressAcl(
           "Ingress ACL: member policy deny",
         );
         if (replyCallbackUrl) {
+          const denyPayload: Parameters<typeof deliverChannelReply>[1] = {
+            chatId: conversationExternalId,
+            text: "Sorry, you haven't been approved to message this assistant.",
+            assistantId,
+          };
+          if (sourceChannel === "slack" && (canonicalSenderId ?? rawSenderId)) {
+            denyPayload.ephemeral = true;
+            denyPayload.user = (canonicalSenderId ?? rawSenderId)!;
+          }
           try {
             await deliverChannelReply(
               replyCallbackUrl,
-              {
-                chatId: conversationExternalId,
-                text: "Sorry, you haven't been approved to message this assistant.",
-                assistantId,
-              },
+              denyPayload,
               mintBearerToken(),
             );
           } catch (err) {

package/src/runtime/routes/inbound-stages/guardian-reply-intercept.ts

@@ -149,14 +149,21 @@ export async function handleGuardianReplyIntercept(
   if (routerResult.consumed) {
     // Deliver reply text if the router produced one
     if (routerResult.replyText) {
+      const routerReplyPayload: Parameters<typeof deliverChannelReply>[1] = {
+        chatId: conversationExternalId,
+        text: routerResult.replyText,
+        assistantId: canonicalAssistantId,
+      };
+      // On Slack, send guardian management replies (disambiguation, pending
+      // request lists, etc.) as ephemeral so only the guardian sees them.
+      if (sourceChannel === "slack" && (canonicalSenderId ?? rawSenderId)) {
+        routerReplyPayload.ephemeral = true;
+        routerReplyPayload.user = (canonicalSenderId ?? rawSenderId)!;
+      }
       try {
         await deliverChannelReply(
           replyCallbackUrl,
-          {
-            chatId: conversationExternalId,
-            text: routerResult.replyText,
-            assistantId: canonicalAssistantId,
-          },
+          routerReplyPayload,
           mintBearerToken(),
         );
       } catch (err) {

package/src/runtime/routes/integrations/slack/share.ts

@@ -12,6 +12,7 @@ import {
   userInfo,
 } from "../../../../messaging/providers/slack/client.js";
 import type { SlackConversation } from "../../../../messaging/providers/slack/types.js";
+import { credentialKey } from "../../../../security/credential-key.js";
 import { getSecureKey } from "../../../../security/secure-keys.js";
 import { getLogger } from "../../../../util/logger.js";
 import { httpError } from "../../../http-errors.js";
@@ -29,8 +30,8 @@ const log = getLogger("slack-share");
  */
 function resolveSlackToken(): string | undefined {
   return (
-    getSecureKey("credential:integration:slack:access_token") ??
-    getSecureKey("credential:slack_channel:bot_token")
+    getSecureKey(credentialKey("integration:slack", "access_token")) ??
+    getSecureKey(credentialKey("slack_channel", "bot_token"))
   );
 }
 

package/src/runtime/routes/integrations/twilio.ts

@@ -21,6 +21,7 @@ import {
 import { loadRawConfig, saveRawConfig } from "../../../config/loader.js";
 import { syncTwilioWebhooks } from "../../../daemon/handlers/config-ingress.js";
 import type { IngressConfig } from "../../../inbound/public-ingress-urls.js";
+import { credentialKey } from "../../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   setSecureKeyAsync,
@@ -136,7 +137,7 @@ export async function handleSetTwilioCredentials(
   // validation (gateway/src/credential-reader.ts), while the assistant reads
   // from config via resolveAccountSid(). Both stores must stay in sync.
   const sidStored = await setSecureKeyAsync(
-    "credential:twilio:account_sid",
+    credentialKey("twilio", "account_sid"),
     body.accountSid,
   );
   if (!sidStored) {
@@ -148,11 +149,11 @@ export async function handleSetTwilioCredentials(
   }
 
   const tokenStored = await setSecureKeyAsync(
-    "credential:twilio:auth_token",
+    credentialKey("twilio", "auth_token"),
     body.authToken,
   );
   if (!tokenStored) {
-    await deleteSecureKeyAsync("credential:twilio:account_sid");
+    await deleteSecureKeyAsync(credentialKey("twilio", "account_sid"));
     return Response.json({
       success: false,
       hasCredentials: false,
@@ -202,8 +203,8 @@ export async function handleSetTwilioCredentials(
  * DELETE /v1/integrations/twilio/credentials
  */
 export async function handleClearTwilioCredentials(): Promise<Response> {
-  const r1 = await deleteSecureKeyAsync("credential:twilio:account_sid");
-  const r2 = await deleteSecureKeyAsync("credential:twilio:auth_token");
+  const r1 = await deleteSecureKeyAsync(credentialKey("twilio", "account_sid"));
+  const r2 = await deleteSecureKeyAsync(credentialKey("twilio", "auth_token"));
 
   if (r1 === "error" || r2 === "error") {
     return Response.json(

package/src/runtime/routes/secret-routes.ts

@@ -4,6 +4,7 @@ import {
   invalidateConfigCache,
 } from "../../config/loader.js";
 import { initializeProviders } from "../../providers/registry.js";
+import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   getSecureKeyAsync,
@@ -78,7 +79,7 @@ export async function handleAddSecret(req: Request): Promise<Response> {
       assertMetadataWritable();
       const service = name.slice(0, colonIdx);
       const field = name.slice(colonIdx + 1);
-      const key = `credential:${service}:${field}`;
+      const key = credentialKey(service, field);
       const stored = await setSecureKeyAsync(key, value);
       if (!stored) {
         return httpError(
@@ -164,7 +165,7 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
       const service = name.slice(0, colonIdx);
       const field = name.slice(colonIdx + 1);
       assertMetadataWritable();
-      const key = `credential:${service}:${field}`;
+      const key = credentialKey(service, field);
       // Check existence first — the broker always returns "deleted" even
       // for keys that don't exist, so we need a pre-check for 404 semantics.
       const existing = await getSecureKeyAsync(key);