@vellumai/assistant 0.4.46 → 0.4.49

package/src/providers/managed-proxy/context.ts

@@ -10,11 +10,15 @@
  */
 
 import { getPlatformBaseUrl } from "../../config/env.js";
+import { credentialKey } from "../../security/credential-key.js";
 import { getSecureKey } from "../../security/secure-keys.js";
 import { MANAGED_PROVIDER_META } from "./constants.js";
 
 /** Storage key for the assistant API key credential. */
-const ASSISTANT_API_KEY_STORAGE_KEY = "credential:vellum:assistant_api_key";
+const ASSISTANT_API_KEY_STORAGE_KEY = credentialKey(
+  "vellum",
+  "assistant_api_key",
+);
 
 export interface ManagedProxyContext {
   /** Whether managed proxy prerequisites are satisfied. */

package/src/providers/ratelimit.ts

@@ -74,6 +74,15 @@ export class RateLimitProvider implements Provider {
 
     if (this.requestTimestamps.length >= limit) {
       const waitSec = Math.ceil((oldestInWindow + 60_000 - now) / 1000);
+      log.warn(
+        {
+          provider: this.name,
+          limit,
+          currentCount: this.requestTimestamps.length,
+          retryAfterSec: waitSec,
+        },
+        `Provider rate limit exceeded: ${limit} requests/minute for ${this.name}`,
+      );
       throw new RateLimitError(
         `Rate limit exceeded: ${limit} requests/minute. Try again in ${waitSec}s.`,
       );
@@ -85,6 +94,14 @@ export class RateLimitProvider implements Provider {
     if (limit <= 0) return;
 
     if (this.sessionTokens >= limit) {
+      log.warn(
+        {
+          provider: this.name,
+          sessionTokens: this.sessionTokens,
+          limit,
+        },
+        `Session token budget exhausted for ${this.name}: ${this.sessionTokens.toLocaleString()}/${limit.toLocaleString()}`,
+      );
       throw new RateLimitError(
         `Session token budget exhausted: ${this.sessionTokens.toLocaleString()}/${limit.toLocaleString()} tokens used. Start a new session to continue.`,
       );

package/src/providers/registry.ts

@@ -289,8 +289,8 @@ export function initializeProviders(config: ProvidersConfig): void {
     );
     routingSources.set("gemini", "user-key");
   } else {
-    // No user Gemini key — try managed proxy fallback
-    const managedBaseUrl = buildManagedBaseUrl("gemini");
+    // No user Gemini key — route through Vertex managed proxy
+    const managedBaseUrl = buildManagedBaseUrl("vertex");
     if (managedBaseUrl) {
       const ctx = resolveManagedProxyContext();
       const model = resolveModel(config, "gemini");

package/src/providers/retry.ts

@@ -1,5 +1,5 @@
 import { ProviderError } from "../util/errors.js";
-import { getLogger, isDebug } from "../util/logger.js";
+import { getLogger } from "../util/logger.js";
 import {
   computeRetryDelay,
   DEFAULT_BASE_DELAY_MS,
@@ -96,43 +96,17 @@ export class RetryProvider implements Provider {
     options?: SendMessageOptions,
   ): Promise<ProviderResponse> {
     let lastError: unknown;
-    const debug = isDebug();
-
-    if (debug) {
-      log.debug(
-        {
-          provider: this.name,
-          messageCount: messages.length,
-          toolCount: tools?.length ?? 0,
-        },
-        "Provider sendMessage start",
-      );
-    }
 
     const normalizedOptions = normalizeSendMessageOptions(this.name, options);
 
     for (let attempt = 0; attempt <= DEFAULT_MAX_RETRIES; attempt++) {
       try {
-        const start = Date.now();
         const result = await this.inner.sendMessage(
           messages,
           tools,
           systemPrompt,
           normalizedOptions,
         );
-        if (debug) {
-          log.debug(
-            {
-              provider: this.name,
-              durationMs: Date.now() - start,
-              attempt: attempt + 1,
-              model: result.model,
-              inputTokens: result.usage.inputTokens,
-              outputTokens: result.usage.outputTokens,
-            },
-            "Provider sendMessage success",
-          );
-        }
         return result;
       } catch (error) {
         lastError = error;

package/src/runtime/AGENTS.md

@@ -51,6 +51,23 @@ Channel approval flows use `requestId` (not `runId`) as the primary identifier:
 - Guardian approval records in `channelGuardianApprovalRequests` link via `requestId`.
 - The conversational approval engine classifies user intent and resolves via `session.handleConfirmationResponse(requestId, decision)`.
 
+## Rate Limiting & Diagnostics
+
+All `/v1/*` endpoints share a per-client-IP sliding-window rate limiter (`middleware/rate-limiter.ts`):
+
+- **Authenticated**: 300 requests/minute
+- **Unauthenticated**: 20 requests/minute
+
+When the limit is exceeded, the limiter returns 429 and logs a structured warning (module: `rate-limiter`) with the denied endpoint and a breakdown of which endpoints consumed the budget in the current window. This makes it easy to identify whether the cause is rapid thread switching, polling, or unexpected request volume.
+
+Logs are written to `~/.vellum/workspace/data/logs/vellum.log` by default. If `logFile.dir` is configured, logs rotate daily as `assistant-YYYY-MM-DD.log` in that directory. To watch rate limit events in real time:
+
+```bash
+tail -f ~/.vellum/workspace/data/logs/vellum.log | grep rate-limit
+```
+
+The provider-level rate limiter (`providers/ratelimit.ts`) also logs warnings (module: `rate-limit`) when request rate or token budget limits are enforced.
+
 ## HTTP-Only Transport
 
 HTTP is the sole transport for client-daemon communication. The runtime HTTP server (`assistant/src/runtime/http-server.ts`) is the canonical API surface. Clients connect via HTTP for request/response operations and SSE (`GET /v1/events`) for streaming server-to-client events.

package/src/runtime/auth/route-policy.ts

@@ -358,9 +358,6 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "computer-use/sessions/abort", scopes: ["chat.write"] },
   { endpoint: "computer-use/observations", scopes: ["chat.write"] },
   { endpoint: "computer-use/tasks", scopes: ["chat.write"] },
-  { endpoint: "computer-use/ride-shotgun/start", scopes: ["chat.write"] },
-  { endpoint: "computer-use/ride-shotgun/stop", scopes: ["chat.write"] },
-  { endpoint: "computer-use/ride-shotgun/status", scopes: ["chat.write"] },
   { endpoint: "computer-use/watch", scopes: ["chat.write"] },
 
   // Recordings

package/src/runtime/channel-invite-transports/telegram.ts

@@ -16,6 +16,7 @@ import {
   saveRawConfig,
   setNestedValue,
 } from "../../config/loader.js";
+import { credentialKey } from "../../security/credential-key.js";
 import { getSecureKey } from "../../security/secure-keys.js";
 import { getTelegramBotUsername } from "../../telegram/bot-username.js";
 import { getLogger } from "../../util/logger.js";
@@ -40,7 +41,7 @@ export async function ensureTelegramBotUsernameResolved(): Promise<void> {
     return; // Username already cached in config
   }
 
-  const token = getSecureKey("credential:telegram:bot_token");
+  const token = getSecureKey(credentialKey("telegram", "bot_token"));
   if (!token) return;
 
   try {

package/src/runtime/channel-readiness-service.ts

@@ -3,6 +3,7 @@ import { hasTwilioCredentials } from "../calls/twilio-rest.js";
 import { getChannelInvitePolicy } from "../channels/config.js";
 import { loadRawConfig } from "../config/loader.js";
 import { getEmailService } from "../email/service.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { resolveWhatsAppDisplayNumber } from "./channel-invite-transports/whatsapp.js";
 import type {
@@ -11,6 +12,7 @@ import type {
   ChannelProbeContext,
   ChannelReadinessSnapshot,
   ReadinessCheckResult,
+  SetupStatus,
 } from "./channel-readiness-types.js";
 import { probeLocalGatewayHealth } from "./local-gateway-health.js";
 
@@ -31,55 +33,83 @@ function hasIngressConfigured(): boolean {
   }
 }
 
+// ── Shared check helpers ────────────────────────────────────────────────────
+
+/** Build a check result from a boolean condition. */
+function check(
+  name: string,
+  passed: boolean,
+  passMessage: string,
+  failMessage: string,
+): ReadinessCheckResult {
+  return { name, passed, message: passed ? passMessage : failMessage };
+}
+
+/** Check that a secure credential key exists. */
+function checkCredential(
+  name: string,
+  service: string,
+  field: string,
+  label: string,
+): ReadinessCheckResult {
+  const exists = !!getSecureKey(credentialKey(service, field));
+  return check(
+    name,
+    exists,
+    `${label} is configured`,
+    `${label} is not configured`,
+  );
+}
+
+/** Check that public ingress is configured and enabled. */
+function checkIngress(): ReadinessCheckResult {
+  const has = hasIngressConfigured();
+  return check(
+    "ingress",
+    has,
+    "Public ingress URL is configured",
+    "Public ingress URL is not configured or disabled",
+  );
+}
+
 // ── Voice Probe ─────────────────────────────────────────────────────────────
 
 const voiceProbe: ChannelProbe = {
   channel: "phone",
   async runLocalChecks(): Promise<ReadinessCheckResult[]> {
-    const results: ReadinessCheckResult[] = [];
-
     const hasCreds = hasTwilioCredentials();
-    results.push({
-      name: "twilio_credentials",
-      passed: hasCreds,
-      message: hasCreds
-        ? "Twilio credentials are configured"
-        : "Twilio Account SID and Auth Token are not configured",
-    });
-
-    const resolvedNumber = resolveTwilioPhoneNumber();
-    const hasPhone = !!resolvedNumber;
-    results.push({
-      name: "phone_number",
-      passed: hasPhone,
-      message: hasPhone
-        ? "Phone number is assigned for voice calls"
-        : "No phone number assigned for voice calls",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    if (hasIngress) {
-      const gatewayHealth = await probeLocalGatewayHealth();
-      results.push({
-        name: "gateway_health",
-        passed: gatewayHealth.healthy,
-        message: gatewayHealth.healthy
-          ? `Local gateway is serving requests at ${gatewayHealth.target}`
-          : `Local gateway is not serving requests at ${gatewayHealth.target}${
-              gatewayHealth.error ? `: ${gatewayHealth.error}` : ""
-            }`,
-      });
+    const hasPhone = !!resolveTwilioPhoneNumber();
+    const ingress = checkIngress();
+
+    const checks: ReadinessCheckResult[] = [
+      check(
+        "twilio_credentials",
+        hasCreds,
+        "Twilio credentials are configured",
+        "Twilio Account SID and Auth Token are not configured",
+      ),
+      check(
+        "phone_number",
+        hasPhone,
+        "Phone number is assigned for voice calls",
+        "No phone number assigned for voice calls",
+      ),
+      ingress,
+    ];
+
+    if (ingress.passed) {
+      const gw = await probeLocalGatewayHealth();
+      checks.push(
+        check(
+          "gateway_health",
+          gw.healthy,
+          `Local gateway is serving requests at ${gw.target}`,
+          `Local gateway is not serving requests at ${gw.target}${gw.error ? `: ${gw.error}` : ""}`,
+        ),
+      );
     }
 
-    return results;
+    return checks;
   },
 };
 
@@ -87,41 +117,16 @@ const voiceProbe: ChannelProbe = {
 
 const telegramProbe: ChannelProbe = {
   channel: "telegram",
-  runLocalChecks(): ReadinessCheckResult[] {
-    const results: ReadinessCheckResult[] = [];
-
-    const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
-    results.push({
-      name: "bot_token",
-      passed: hasBotToken,
-      message: hasBotToken
-        ? "Telegram bot token is configured"
-        : "Telegram bot token is not configured",
-    });
-
-    const hasWebhookSecret = !!getSecureKey(
-      "credential:telegram:webhook_secret",
-    );
-    results.push({
-      name: "webhook_secret",
-      passed: hasWebhookSecret,
-      message: hasWebhookSecret
-        ? "Telegram webhook secret is configured"
-        : "Telegram webhook secret is not configured",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    return results;
-  },
-  // Telegram has no remote checks currently
+  runLocalChecks: () => [
+    checkCredential("bot_token", "telegram", "bot_token", "Telegram bot token"),
+    checkCredential(
+      "webhook_secret",
+      "telegram",
+      "webhook_secret",
+      "Telegram webhook secret",
+    ),
+    checkIngress(),
+  ],
 };
 
 // ── Email Probe ─────────────────────────────────────────────────────────────
@@ -129,43 +134,33 @@ const telegramProbe: ChannelProbe = {
 const emailProbe: ChannelProbe = {
   channel: "email",
   runLocalChecks(): ReadinessCheckResult[] {
-    const results: ReadinessCheckResult[] = [];
-
     const hasApiKey = !!(
-      getSecureKey("agentmail") || getSecureKey("credential:agentmail:api_key")
+      getSecureKey("agentmail") ||
+      getSecureKey(credentialKey("agentmail", "api_key"))
     );
-    results.push({
-      name: "agentmail_api_key",
-      passed: hasApiKey,
-      message: hasApiKey
-        ? "AgentMail API key is configured"
-        : "AgentMail API key is not configured",
-    });
-
     const invitePolicy = getChannelInvitePolicy("email");
-    results.push({
-      name: "invite_policy",
-      passed: invitePolicy.codeRedemptionEnabled,
-      message: invitePolicy.codeRedemptionEnabled
-        ? "Email invite code redemption is enabled"
-        : "Email invite code redemption is disabled",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    return results;
+    return [
+      check(
+        "agentmail_api_key",
+        hasApiKey,
+        "AgentMail API key is configured",
+        "AgentMail API key is not configured",
+      ),
+      check(
+        "invite_policy",
+        invitePolicy.codeRedemptionEnabled,
+        "Email invite code redemption is enabled",
+        "Email invite code redemption is disabled",
+      ),
+      checkIngress(),
+    ];
   },
+  // runRemoteChecks UNCHANGED — keep the existing inbox_configured check as-is
   async runRemoteChecks(): Promise<ReadinessCheckResult[]> {
     // Only worth checking if the API key is present
     const hasApiKey = !!(
-      getSecureKey("agentmail") || getSecureKey("credential:agentmail:api_key")
+      getSecureKey("agentmail") ||
+      getSecureKey(credentialKey("agentmail", "api_key"))
     );
     if (!hasApiKey) return [];
 
@@ -199,77 +194,47 @@ const emailProbe: ChannelProbe = {
 const whatsappProbe: ChannelProbe = {
   channel: "whatsapp",
   runLocalChecks(): ReadinessCheckResult[] {
-    const results: ReadinessCheckResult[] = [];
-
-    const hasPhoneNumberId = !!getSecureKey(
-      "credential:whatsapp:phone_number_id",
-    );
-    results.push({
-      name: "whatsapp_phone_number_id",
-      passed: hasPhoneNumberId,
-      message: hasPhoneNumberId
-        ? "WhatsApp phone number ID is configured"
-        : "WhatsApp phone number ID is not configured",
-    });
-
-    const hasAccessToken = !!getSecureKey("credential:whatsapp:access_token");
-    results.push({
-      name: "whatsapp_access_token",
-      passed: hasAccessToken,
-      message: hasAccessToken
-        ? "WhatsApp access token is configured"
-        : "WhatsApp access token is not configured",
-    });
-
-    const hasAppSecret = !!getSecureKey("credential:whatsapp:app_secret");
-    results.push({
-      name: "whatsapp_app_secret",
-      passed: hasAppSecret,
-      message: hasAppSecret
-        ? "WhatsApp app secret is configured"
-        : "WhatsApp app secret is not configured",
-    });
-
-    const hasWebhookVerifyToken = !!getSecureKey(
-      "credential:whatsapp:webhook_verify_token",
-    );
-    results.push({
-      name: "whatsapp_webhook_verify_token",
-      passed: hasWebhookVerifyToken,
-      message: hasWebhookVerifyToken
-        ? "WhatsApp webhook verify token is configured"
-        : "WhatsApp webhook verify token is not configured",
-    });
-
     const displayNumber = resolveWhatsAppDisplayNumber();
-    const hasDisplayNumber = !!displayNumber;
-    results.push({
-      name: "whatsapp_display_phone_number",
-      passed: hasDisplayNumber,
-      message: hasDisplayNumber
-        ? `WhatsApp display phone number is configured (${displayNumber})`
-        : "WhatsApp display phone number is not configured — set whatsapp.phoneNumber in workspace config",
-    });
-
     const invitePolicy = getChannelInvitePolicy("whatsapp");
-    results.push({
-      name: "invite_policy",
-      passed: invitePolicy.codeRedemptionEnabled,
-      message: invitePolicy.codeRedemptionEnabled
-        ? "WhatsApp invite code redemption is enabled"
-        : "WhatsApp invite code redemption is disabled",
-    });
-
-    const hasIngress = hasIngressConfigured();
-    results.push({
-      name: "ingress",
-      passed: hasIngress,
-      message: hasIngress
-        ? "Public ingress URL is configured"
-        : "Public ingress URL is not configured or disabled",
-    });
-
-    return results;
+    return [
+      checkCredential(
+        "whatsapp_phone_number_id",
+        "whatsapp",
+        "phone_number_id",
+        "WhatsApp phone number ID",
+      ),
+      checkCredential(
+        "whatsapp_access_token",
+        "whatsapp",
+        "access_token",
+        "WhatsApp access token",
+      ),
+      checkCredential(
+        "whatsapp_app_secret",
+        "whatsapp",
+        "app_secret",
+        "WhatsApp app secret",
+      ),
+      checkCredential(
+        "whatsapp_webhook_verify_token",
+        "whatsapp",
+        "webhook_verify_token",
+        "WhatsApp webhook verify token",
+      ),
+      check(
+        "whatsapp_display_phone_number",
+        !!displayNumber,
+        `WhatsApp display phone number is configured (${displayNumber})`,
+        "WhatsApp display phone number is not configured — set whatsapp.phoneNumber in workspace config",
+      ),
+      check(
+        "invite_policy",
+        invitePolicy.codeRedemptionEnabled,
+        "WhatsApp invite code redemption is enabled",
+        "WhatsApp invite code redemption is disabled",
+      ),
+      checkIngress(),
+    ];
   },
 };
 
@@ -277,26 +242,20 @@ const whatsappProbe: ChannelProbe = {
 
 const slackProbe: ChannelProbe = {
   channel: "slack",
-  runLocalChecks(): ReadinessCheckResult[] {
-    const hasBotToken = !!getSecureKey("credential:slack_channel:bot_token");
-    const hasAppToken = !!getSecureKey("credential:slack_channel:app_token");
-    return [
-      {
-        name: "bot_token",
-        passed: hasBotToken,
-        message: hasBotToken
-          ? "Slack bot token is configured"
-          : "Slack bot token is not configured",
-      },
-      {
-        name: "app_token",
-        passed: hasAppToken,
-        message: hasAppToken
-          ? "Slack app token is configured"
-          : "Slack app token is not configured",
-      },
-    ];
-  },
+  runLocalChecks: () => [
+    checkCredential(
+      "bot_token",
+      "slack_channel",
+      "bot_token",
+      "Slack bot token",
+    ),
+    checkCredential(
+      "app_token",
+      "slack_channel",
+      "app_token",
+      "Slack app token",
+    ),
+  ],
 };
 
 // ── Service ─────────────────────────────────────────────────────────────────
@@ -369,6 +328,18 @@ export class ChannelReadinessService {
           : true;
       const ready = allLocalPassed && allRemotePassed;
 
+      // setupStatus: considers all checks (credentials + infrastructure)
+      const consideredChecks = [
+        ...localChecks,
+        ...(remoteChecks && remoteChecksAffectReadiness ? remoteChecks : []),
+      ];
+      const anyCheckPassed = consideredChecks.some((c) => c.passed);
+      const setupStatus: SetupStatus = !anyCheckPassed
+        ? "not_configured"
+        : ready
+          ? "ready"
+          : "incomplete";
+
       const reasons: Array<{ code: string; text: string }> = [];
       for (const check of localChecks) {
         if (!check.passed) {
@@ -386,6 +357,7 @@ export class ChannelReadinessService {
       const snapshot: ChannelReadinessSnapshot = {
         channel: ch,
         ready,
+        setupStatus,
         checkedAt:
           remoteChecks && cached && !remoteChecksFreshlyFetched
             ? cached.checkedAt
@@ -422,6 +394,7 @@ export class ChannelReadinessService {
     return {
       channel,
       ready: false,
+      setupStatus: "not_configured",
       checkedAt: Date.now(),
       stale: false,
       reasons: [

package/src/runtime/channel-readiness-types.ts

@@ -4,6 +4,9 @@ import type { ChannelId } from "../channels/types.js";
 
 export type { ChannelId };
 
+/** Setup progress for a channel: not_configured → incomplete → ready. */
+export type SetupStatus = "not_configured" | "incomplete" | "ready";
+
 /** Result of a single readiness check (local or remote). */
 export interface ReadinessCheckResult {
   name: string;
@@ -15,6 +18,7 @@ export interface ReadinessCheckResult {
 export interface ChannelReadinessSnapshot {
   channel: ChannelId;
   ready: boolean;
+  setupStatus: SetupStatus;
   checkedAt: number;
   stale: boolean;
   reasons: Array<{ code: string; text: string }>;

package/src/runtime/channel-reply-delivery.ts

@@ -208,43 +208,3 @@ export async function deliverReplyViaCallback(
     break;
   }
 }
-
-/**
- * Deliver only the attachments from the last assistant message, skipping text.
- * Used when streaming already delivered the text content and only file
- * attachments remain to be sent via the normal delivery path.
- */
-export async function deliverAttachmentsOnly(
-  conversationId: string,
-  externalChatId: string,
-  callbackUrl: string,
-  bearerToken?: string,
-  assistantId?: string,
-): Promise<void> {
-  const msgs = getMessages(conversationId);
-  for (let i = msgs.length - 1; i >= 0; i--) {
-    if (msgs[i].role !== "assistant") continue;
-
-    const linked = attachmentsStore.getAttachmentMetadataForMessage(msgs[i].id);
-    if (linked.length === 0) return;
-
-    const replyAttachments: RuntimeAttachmentMetadata[] = linked.map((a) => ({
-      id: a.id,
-      filename: a.originalFilename,
-      mimeType: a.mimeType,
-      sizeBytes: a.sizeBytes,
-      kind: a.kind,
-    }));
-
-    await deliverChannelReply(
-      callbackUrl,
-      {
-        chatId: externalChatId,
-        attachments: replyAttachments,
-        assistantId,
-      },
-      bearerToken,
-    );
-    break;
-  }
-}