@vellumai/assistant 0.4.46 → 0.4.49

package/src/runtime/gateway-client.ts

@@ -31,8 +31,6 @@ export interface ChannelReplyPayload {
   ephemeral?: boolean;
   /** Slack user ID — required when `ephemeral` is true. */
   user?: string;
-  /** Telegram message_id for editing an existing message instead of sending a new one. */
-  messageId?: number;
   /** When provided, instructs the delivery endpoint to update an existing message instead of posting a new one. */
   messageTs?: string;
   /** When true, auto-generate Block Kit blocks from text via textToBlocks(). */
@@ -45,8 +43,6 @@ export interface ChannelDeliveryResult {
   ok: boolean;
   /** The message timestamp returned by the delivery endpoint (e.g. Slack message ts). */
   ts?: string;
-  /** The Telegram message_id returned when a new message was sent. */
-  messageId?: number;
 }
 
 interface ManagedOutboundCallbackContext {
@@ -100,9 +96,6 @@ export async function deliverChannelReply(
     if (typeof responseBody.ts === "string") {
       result.ts = responseBody.ts;
     }
-    if (typeof responseBody.messageId === "number") {
-      result.messageId = responseBody.messageId;
-    }
   } catch {
     // Response may not be JSON for non-Slack channels; that's fine.
   }

package/src/runtime/guardian-action-conversation-turn.ts

@@ -2,12 +2,11 @@
  * Guardian follow-up conversation engine.
  *
  * When a guardian replies to a post-timeout follow-up prompt (e.g. "would you
- * like to call them back or send a message?"), this engine classifies the
+ * like to call them back?"), this engine classifies the
  * guardian's intent into a structured disposition and produces a natural reply.
  *
  * Dispositions:
  *   - call_back:     Guardian wants to call the original caller back
- *   - message_back:  Guardian wants to send a text/message to the caller
  *   - decline:       Guardian declines to follow up ("never mind", "no thanks")
  *   - keep_pending:  Intent is ambiguous — ask for clarification
  *
@@ -37,7 +36,6 @@ const FALLBACK_RETRY_TEXT = getGuardianActionFallbackMessage({
 
 const VALID_DISPOSITIONS: ReadonlySet<string> = new Set([
   "call_back",
-  "message_back",
   "decline",
   "keep_pending",
 ]);

package/src/runtime/guardian-action-followup-executor.ts

@@ -173,7 +173,7 @@ async function executeCallBack(
 
 /**
  * Execute a follow-up action after the conversation engine has classified
- * the guardian's intent as call_back or message_back and the follow-up
+ * the guardian's intent as call_back and the follow-up
  * state has been transitioned to `dispatching`.
  *
  * On success: finalizes the follow-up to `completed` and returns

package/src/runtime/guardian-action-message-composer.ts

@@ -36,8 +36,6 @@ export type GuardianActionMessageScenario =
   | "guardian_superseded_remap"
   | "guardian_unknown_code"
   | "guardian_auto_matched"
-  | "outbound_message_copy"
-  | "followup_message_sent"
   | "followup_call_started"
   | "followup_action_failed"
   | "guardian_answer_delivery_failed";
@@ -183,8 +181,8 @@ export function getGuardianActionFallbackMessage(
 
     case "guardian_late_answer_followup":
       return context.callerIdentifier
-        ? `${context.callerIdentifier} called earlier with a question, but I wasn't able to connect them. Would you like to call them back or send them a message?`
-        : "Someone called earlier with a question, but I wasn't able to connect them. Would you like to call them back or send them a message?";
+        ? `${context.callerIdentifier} called earlier with a question, but I wasn't able to connect them. Would you like to call them back?`
+        : "Someone called earlier with a question, but I wasn't able to connect them. Would you like to call them back?";
 
     case "guardian_followup_dispatching":
       return context.followupAction
@@ -205,7 +203,7 @@ export function getGuardianActionFallbackMessage(
       return "No problem. Let me know if you change your mind or need anything else.";
 
     case "guardian_followup_clarification":
-      return "Sorry, I didn't quite catch that. Would you like to call them back, send them a message, or skip it for now?";
+      return "Sorry, I didn't quite catch that. Would you like to call them back or skip it for now?";
 
     case "guardian_pending_disambiguation":
       return listedCodes
@@ -247,24 +245,6 @@ export function getGuardianActionFallbackMessage(
         ? `Got it! Your answer has been applied to the current active request: "${context.questionText}"`
         : "Got it! Your answer has been applied to the current active request on the call.";
 
-    case "outbound_message_copy":
-      // This message is sent TO the original caller relaying the guardian's answer.
-      // When lateAnswerText is available, include it — that's the whole point of message_back.
-      if (context.lateAnswerText && context.questionText) {
-        return `Hi! You asked "${context.questionText}" earlier. Here's the answer: ${context.lateAnswerText}`;
-      }
-      if (context.lateAnswerText) {
-        return `Hi! Regarding your earlier question — here's the answer: ${context.lateAnswerText}`;
-      }
-      return context.questionText
-        ? `Hi! You asked "${context.questionText}" earlier. We'll get back to you with an answer soon.`
-        : "Hi! Thanks for calling earlier. We'll get back to you soon.";
-
-    case "followup_message_sent":
-      return context.counterpartyPhone
-        ? `Done! I've sent a text message to ${context.counterpartyPhone} with your answer.`
-        : "Done! I've sent them a text message with your answer.";
-
     case "followup_call_started":
       return context.counterpartyPhone
         ? `Got it! I'm calling ${context.counterpartyPhone} back now to relay your answer.`

package/src/runtime/http-server.ts

@@ -110,7 +110,6 @@ import {
   stopGuardianExpirySweep,
 } from "./routes/channel-routes.js";
 import { channelVerificationRouteDefinitions } from "./routes/channel-verification-routes.js";
-import { computerUseRouteDefinitions } from "./routes/computer-use-routes.js";
 import {
   contactCatchAllRouteDefinitions,
   contactRouteDefinitions,
@@ -126,6 +125,7 @@ import { guardianActionRouteDefinitions } from "./routes/guardian-action-routes.
 import { handleGuardianBootstrap } from "./routes/guardian-bootstrap-routes.js";
 import { handleGuardianRefresh } from "./routes/guardian-refresh-routes.js";
 import { hostBashRouteDefinitions } from "./routes/host-bash-routes.js";
+import { hostCuRouteDefinitions } from "./routes/host-cu-routes.js";
 import { hostFileRouteDefinitions } from "./routes/host-file-routes.js";
 import { handleHealth } from "./routes/identity-routes.js";
 import { identityRouteDefinitions } from "./routes/identity-routes.js";
@@ -155,6 +155,7 @@ import { surfaceActionRouteDefinitions } from "./routes/surface-action-routes.js
 import { surfaceContentRouteDefinitions } from "./routes/surface-content-routes.js";
 import { trustRulesRouteDefinitions } from "./routes/trust-rules-routes.js";
 import { usageRouteDefinitions } from "./routes/usage-routes.js";
+import { watchRouteDefinitions } from "./routes/watch-routes.js";
 import { workItemRouteDefinitions } from "./routes/work-items-routes.js";
 import { workspaceRouteDefinitions } from "./routes/workspace-routes.js";
 
@@ -216,7 +217,7 @@ export class RuntimeHttpServer {
   private getSkillContext?: RuntimeHttpServerOptions["getSkillContext"];
   private sessionManagementDeps?: RuntimeHttpServerOptions["sessionManagementDeps"];
   private getModelSetContext?: RuntimeHttpServerOptions["getModelSetContext"];
-  private getComputerUseDeps?: RuntimeHttpServerOptions["getComputerUseDeps"];
+  private getWatchDeps?: RuntimeHttpServerOptions["getWatchDeps"];
   private getRecordingDeps?: RuntimeHttpServerOptions["getRecordingDeps"];
   private router: HttpRouter;
 
@@ -237,7 +238,7 @@ export class RuntimeHttpServer {
     this.getSkillContext = options.getSkillContext;
     this.sessionManagementDeps = options.sessionManagementDeps;
     this.getModelSetContext = options.getModelSetContext;
-    this.getComputerUseDeps = options.getComputerUseDeps;
+    this.getWatchDeps = options.getWatchDeps;
     this.getRecordingDeps = options.getRecordingDeps;
     this.router = new HttpRouter(this.buildRouteTable());
   }
@@ -532,11 +533,16 @@ export class RuntimeHttpServer {
     if (!isHttpAuthDisabled()) {
       const clientIp = extractClientIp(req, server);
       const token = extractBearerToken(req);
-      const result = token
-        ? apiRateLimiter.check(clientIp)
-        : ipRateLimiter.check(clientIp);
+      const limiter = token ? apiRateLimiter : ipRateLimiter;
+      const limiterKind = token ? "authenticated" : "unauthenticated";
+      const result = limiter.check(clientIp, path);
       if (!result.allowed) {
-        return rateLimitResponse(result);
+        return rateLimitResponse(result, {
+          clientIp,
+          deniedPath: path,
+          limiterKind: limiterKind as "authenticated" | "unauthenticated",
+          pathCounts: limiter.getRecentPathCounts(clientIp),
+        });
       }
       const routerResponse = await this.router.dispatch(
         endpoint,
@@ -941,6 +947,7 @@ export class RuntimeHttpServer {
       ...globalSearchRouteDefinitions(),
       ...approvalRouteDefinitions(),
       ...hostBashRouteDefinitions(),
+      ...hostCuRouteDefinitions(),
       ...hostFileRouteDefinitions(),
       ...(this.getSkillContext
         ? skillRouteDefinitions({
@@ -968,9 +975,9 @@ export class RuntimeHttpServer {
       ...channelReadinessRouteDefinitions(),
       ...attachmentRouteDefinitions(),
 
-      ...(this.getComputerUseDeps
-        ? computerUseRouteDefinitions({
-            getComputerUseDeps: this.getComputerUseDeps,
+      ...(this.getWatchDeps
+        ? watchRouteDefinitions({
+            getWatchDeps: this.getWatchDeps,
           })
         : []),
       ...(this.getRecordingDeps

package/src/runtime/http-types.ts

@@ -83,7 +83,6 @@ export type GuardianActionCopyGenerator = (
 /** The disposition returned by the guardian follow-up conversation engine. */
 export type GuardianFollowUpDisposition =
   | "call_back"
-  | "message_back"
   | "decline"
   | "keep_pending";
 
@@ -220,8 +219,8 @@ export interface RuntimeHttpServerOptions {
   sessionManagementDeps?: SessionManagementDeps;
   /** Lazy factory for model config set context (session eviction, config reload suppression). */
   getModelSetContext?: () => import("../daemon/handlers/config-model.js").ModelSetContext;
-  /** Provider for computer-use session dependencies (CU routes). */
-  getComputerUseDeps?: () => import("./routes/computer-use-routes.js").ComputerUseDeps;
+  /** Provider for watch observation dependencies (watch routes). */
+  getWatchDeps?: () => import("./routes/watch-routes.js").WatchDeps;
   /** Provider for recording dependencies (recording routes). */
   getRecordingDeps?: () => import("./routes/recording-routes.js").RecordingDeps;
 }

package/src/runtime/middleware/rate-limiter.ts

@@ -2,10 +2,13 @@
 // Tracks request counts per key and returns 429 when the limit is exceeded.
 // Follows the same sliding-window pattern as gateway/src/auth-rate-limiter.ts.
 
+import { getLogger } from "../../util/logger.js";
 import type { HttpErrorResponse } from "../http-errors.js";
 import { isPrivateAddress } from "./auth.js";
 
-const DEFAULT_MAX_REQUESTS = 60;
+const log = getLogger("rate-limiter");
+
+const DEFAULT_MAX_REQUESTS = 300;
 const DEFAULT_WINDOW_MS = 60_000; // 60 seconds
 const MAX_TRACKED_TOKENS = 10_000;
 
@@ -14,8 +17,13 @@ const DEFAULT_IP_MAX_REQUESTS = 20;
 const DEFAULT_IP_WINDOW_MS = 60_000;
 const MAX_TRACKED_IPS = 50_000;
 
+interface RequestEntry {
+  timestamp: number;
+  path: string;
+}
+
 export class TokenRateLimiter {
-  private requests = new Map<string, number[]>();
+  private requests = new Map<string, RequestEntry[]>();
   private readonly maxRequests: number;
   private readonly windowMs: number;
   private readonly maxTrackedKeys: number;
@@ -34,11 +42,11 @@ export class TokenRateLimiter {
    * Check whether the request should be allowed and record it.
    * Returns rate limit metadata for response headers.
    */
-  check(key: string): RateLimitResult {
+  check(key: string, path?: string): RateLimitResult {
     const now = Date.now();
-    let timestamps = this.requests.get(key);
+    let entries = this.requests.get(key);
 
-    if (!timestamps) {
+    if (!entries) {
       if (this.requests.size >= this.maxTrackedKeys) {
         this.evictStale(now);
         if (this.requests.size >= this.maxTrackedKeys) {
@@ -46,24 +54,24 @@ export class TokenRateLimiter {
           if (oldest !== undefined) this.requests.delete(oldest);
         }
       }
-      timestamps = [];
-      this.requests.set(key, timestamps);
+      entries = [];
+      this.requests.set(key, entries);
     }
 
     const cutoff = now - this.windowMs;
 
-    // Remove expired timestamps from the front
-    while (timestamps.length > 0 && timestamps[0] <= cutoff) {
-      timestamps.shift();
+    // Remove expired entries from the front
+    while (entries.length > 0 && entries[0].timestamp <= cutoff) {
+      entries.shift();
     }
 
-    const remaining = Math.max(0, this.maxRequests - timestamps.length);
+    const remaining = Math.max(0, this.maxRequests - entries.length);
     const resetAt =
-      timestamps.length > 0
-        ? Math.ceil((timestamps[0] + this.windowMs) / 1000)
+      entries.length > 0
+        ? Math.ceil((entries[0].timestamp + this.windowMs) / 1000)
         : Math.ceil((now + this.windowMs) / 1000);
 
-    if (timestamps.length >= this.maxRequests) {
+    if (entries.length >= this.maxRequests) {
       return {
         allowed: false,
         limit: this.maxRequests,
@@ -72,7 +80,7 @@ export class TokenRateLimiter {
       };
     }
 
-    timestamps.push(now);
+    entries.push({ timestamp: now, path: path ?? "unknown" });
 
     return {
       allowed: true,
@@ -82,13 +90,36 @@ export class TokenRateLimiter {
     };
   }
 
+  /**
+   * Return a count of recent requests grouped by path for the given key.
+   * Sorted descending by count. Useful for diagnosing which endpoints
+   * are consuming the rate limit budget.
+   */
+  getRecentPathCounts(key: string): Array<{ path: string; count: number }> {
+    const entries = this.requests.get(key);
+    if (!entries || entries.length === 0) return [];
+
+    const now = Date.now();
+    const cutoff = now - this.windowMs;
+    const counts = new Map<string, number>();
+    for (const entry of entries) {
+      if (entry.timestamp > cutoff) {
+        counts.set(entry.path, (counts.get(entry.path) ?? 0) + 1);
+      }
+    }
+
+    return Array.from(counts.entries())
+      .map(([path, count]) => ({ path, count }))
+      .sort((a, b) => b.count - a.count);
+  }
+
   private evictStale(now: number): void {
     const cutoff = now - this.windowMs;
-    for (const [key, timestamps] of this.requests) {
-      while (timestamps.length > 0 && timestamps[0] <= cutoff) {
-        timestamps.shift();
+    for (const [key, entries] of this.requests) {
+      while (entries.length > 0 && entries[0].timestamp <= cutoff) {
+        entries.shift();
       }
-      if (timestamps.length === 0) {
+      if (entries.length === 0) {
         this.requests.delete(key);
       }
     }
@@ -115,8 +146,31 @@ export function rateLimitHeaders(
 }
 
 /** Return a 429 response with rate limit headers and a Retry-After hint. */
-export function rateLimitResponse(result: RateLimitResult): Response {
+export function rateLimitResponse(
+  result: RateLimitResult,
+  diagnostics?: {
+    clientIp: string;
+    deniedPath: string;
+    limiterKind: "authenticated" | "unauthenticated";
+    pathCounts: Array<{ path: string; count: number }>;
+  },
+): Response {
   const retryAfter = Math.max(1, result.resetAt - Math.ceil(Date.now() / 1000));
+
+  if (diagnostics) {
+    log.warn(
+      {
+        clientIp: diagnostics.clientIp,
+        deniedPath: diagnostics.deniedPath,
+        limiterKind: diagnostics.limiterKind,
+        limit: result.limit,
+        retryAfterSec: retryAfter,
+        recentRequests: diagnostics.pathCounts,
+      },
+      `Rate limited ${diagnostics.limiterKind} request: ${diagnostics.deniedPath} (${result.limit} req/min exceeded)`,
+    );
+  }
+
   const body: HttpErrorResponse = {
     error: { code: "RATE_LIMITED", message: "Too Many Requests" },
   };

package/src/runtime/middleware/twilio-validation.ts

@@ -3,7 +3,6 @@
  */
 
 import { TwilioConversationRelayProvider } from "../../calls/twilio-provider.js";
-import { isTwilioWebhookValidationDisabled } from "../../config/env.js";
 import { loadConfig } from "../../config/loader.js";
 import { getPublicBaseUrl } from "../../inbound/public-ingress-urls.js";
 import { getLogger } from "../../util/logger.js";
@@ -51,22 +50,13 @@ export const GATEWAY_ONLY_BLOCKED_SUBPATHS = new Set([
  * Returns a 403 Response if signature validation fails.
  *
  * Fail-closed: if the auth token is not configured, the request is rejected
- * with 403 rather than silently skipping validation. An explicit local-dev
- * bypass is available via TWILIO_WEBHOOK_VALIDATION_DISABLED=true.
+ * with 403 rather than silently skipping validation.
  */
 export async function validateTwilioWebhook(
   req: Request,
 ): Promise<{ body: string } | Response> {
   const rawBody = await req.text();
 
-  // Allow explicit local-dev bypass -- must be exactly "true"
-  if (isTwilioWebhookValidationDisabled()) {
-    log.warn(
-      "Twilio webhook signature validation explicitly disabled via TWILIO_WEBHOOK_VALIDATION_DISABLED",
-    );
-    return { body: rawBody };
-  }
-
   const authToken = TwilioConversationRelayProvider.getAuthToken();
 
   if (!authToken) {

package/src/runtime/pending-interactions.ts

@@ -1,12 +1,13 @@
 /**
  * In-memory tracker that maps requestId to session info for pending
- * confirmation, secret, host_bash, and host_file interactions.
+ * confirmation, secret, host_bash, host_file, and host_cu interactions.
  *
  * When the agent loop emits a confirmation_request, secret_request,
- * host_bash_request, or host_file_request, the onEvent callback registers
- * the interaction here. Standalone HTTP endpoints (/v1/confirm, /v1/secret,
- * /v1/trust-rules, /v1/host-bash-result, /v1/host-file-result) look up
- * the session from this tracker to resolve the interaction.
+ * host_bash_request, host_file_request, or host_cu_request, the onEvent
+ * callback registers the interaction here. Standalone HTTP endpoints
+ * (/v1/confirm, /v1/secret, /v1/trust-rules, /v1/host-bash-result,
+ * /v1/host-file-result, /v1/host-cu-result) look up the session from
+ * this tracker to resolve the interaction.
  */
 
 import type { Session } from "../daemon/session.js";
@@ -29,7 +30,7 @@ export interface ConfirmationDetails {
 export interface PendingInteraction {
   session: Session;
   conversationId: string;
-  kind: "confirmation" | "secret" | "host_bash" | "host_file";
+  kind: "confirmation" | "secret" | "host_bash" | "host_file" | "host_cu";
   confirmationDetails?: ConfirmationDetails;
 }
 
@@ -82,19 +83,20 @@ export function getByConversation(
  * Remove pending confirmation and secret interactions for a given session.
  * Used when auto-denying all pending interactions (e.g. new user message).
  *
- * host_bash and host_file interactions are intentionally skipped — they
- * represent in-flight tool executions proxied to the client, not
+ * host_bash, host_file, and host_cu interactions are intentionally skipped
+ * — they represent in-flight tool executions proxied to the client, not
  * confirmations to auto-deny. Removing them would orphan the request: the
- * client would POST to /v1/host-bash-result or /v1/host-file-result after
- * completing the operation, get a 404, and the proxy timer would fire with
- * a spurious timeout error.
+ * client would POST to /v1/host-bash-result, /v1/host-file-result, or
+ * /v1/host-cu-result after completing the operation, get a 404, and the
+ * proxy timer would fire with a spurious timeout error.
  */
 export function removeBySession(session: Session): void {
   for (const [requestId, interaction] of pending) {
     if (
       interaction.session === session &&
       interaction.kind !== "host_bash" &&
-      interaction.kind !== "host_file"
+      interaction.kind !== "host_file" &&
+      interaction.kind !== "host_cu"
     ) {
       pending.delete(requestId);
     }

package/src/runtime/routes/channel-delivery-routes.ts

@@ -5,7 +5,6 @@
 import * as deliveryStatus from "../../memory/delivery-status.js";
 import { httpError } from "../http-errors.js";
 export {
-  deliverAttachmentsOnly,
   type DeliverReplyOptions,
   deliverReplyViaCallback,
 } from "../channel-reply-delivery.js";

package/src/runtime/routes/channel-readiness-routes.ts

@@ -38,6 +38,7 @@ export async function handleGetChannelReadiness(url: URL): Promise<Response> {
       return {
         channel: s.channel,
         ready: s.ready,
+        setupStatus: s.setupStatus,
         checkedAt: s.checkedAt,
         stale: s.stale,
         reasons: s.reasons,
@@ -91,6 +92,7 @@ export async function handleRefreshChannelReadiness(
       return {
         channel: s.channel,
         ready: s.ready,
+        setupStatus: s.setupStatus,
         checkedAt: s.checkedAt,
         stale: s.stale,
         reasons: s.reasons,

package/src/runtime/routes/conversation-routes.ts

@@ -17,6 +17,7 @@ import {
 import { getConfig } from "../../config/loader.js";
 import { renderHistoryContent } from "../../daemon/handlers/shared.js";
 import { HostBashProxy } from "../../daemon/host-bash-proxy.js";
+import { HostCuProxy } from "../../daemon/host-cu-proxy.js";
 import { HostFileProxy } from "../../daemon/host-file-proxy.js";
 import type { ServerMessage } from "../../daemon/message-protocol.js";
 import {
@@ -449,6 +450,12 @@ function makeHubPublisher(
         conversationId,
         kind: "host_file",
       });
+    } else if (msg.type === "host_cu_request") {
+      pendingInteractions.register(msg.requestId, {
+        session,
+        conversationId,
+        kind: "host_cu",
+      });
     }
 
     // ServerMessage is a large union; sessionId exists on most but not all variants.
@@ -640,9 +647,14 @@ export async function handleSendMessage(
       });
       session.setHostFileProxy(fileProxy);
     }
+    if (!session.isProcessing() || !session.hostCuProxy) {
+      const cuProxy = new HostCuProxy(onEvent);
+      session.setHostCuProxy(cuProxy);
+    }
   } else if (!session.isProcessing()) {
     session.setHostBashProxy(undefined);
     session.setHostFileProxy(undefined);
+    session.setHostCuProxy(undefined);
   }
   // Wire sendToClient to the SSE hub so all subsystems can reach the HTTP client.
   // Called after setHostBashProxy so updateSender targets the current proxy.
@@ -679,7 +691,13 @@ export async function handleSendMessage(
       attachments,
       session,
       onEvent,
-      approvalConversationGenerator: deps.approvalConversationGenerator,
+      // Desktop path: disable NL classification to avoid consuming non-decision
+      // messages while a tool confirmation is pending. Deterministic code-prefix
+      // and callback parsing remain active. Mirrors session-process.ts behavior.
+      approvalConversationGenerator:
+        sourceChannel === "vellum"
+          ? undefined
+          : deps.approvalConversationGenerator,
       verifiedActorExternalUserId,
       verifiedActorPrincipalId,
     });
@@ -687,6 +705,7 @@ export async function handleSendMessage(
       return Response.json(
         {
           accepted: true,
+          conversationId: mapping.conversationId,
           ...(inlineReplyResult.messageId
             ? { messageId: inlineReplyResult.messageId }
             : {}),
@@ -751,7 +770,10 @@ export async function handleSendMessage(
       pendingInteractions.removeBySession(session);
     }
 
-    return Response.json({ accepted: true, queued: true }, { status: 202 });
+    return Response.json(
+      { accepted: true, queued: true, conversationId: mapping.conversationId },
+      { status: 202 },
+    );
   }
 
   // Session is idle — persist and fire agent loop immediately
@@ -782,6 +804,7 @@ export async function handleSendMessage(
 
   if (slashResult.kind === "unknown") {
     session.processing = true;
+    let cleanupDeferred = false;
     try {
       const provenance = provenanceFromTrustContext(session.trustContext);
       const channelMeta = {
@@ -818,26 +841,54 @@ export async function handleSendMessage(
         sourceInterface,
       );
 
-      // Emit fresh model info before the text delta so the client has
-      // up-to-date configuredProviders when rendering /model, /models,
-      // and provider shortcut commands (/gpt4, /opus, etc.).
-      if (isModelSlashCommand(rawContent) || isProviderShortcut(rawContent)) {
-        onEvent(buildModelInfoEvent());
-      }
-
-      onEvent({ type: "assistant_text_delta", text: slashResult.message });
-      onEvent({
-        type: "message_complete",
-        sessionId: mapping.conversationId,
-      });
+      // Snapshot model info now so the deferred callback cannot observe
+      // a config change from a concurrent request.
+      const modelInfoEvent =
+        isModelSlashCommand(rawContent) || isProviderShortcut(rawContent)
+          ? buildModelInfoEvent()
+          : null;
 
-      return Response.json(
-        { accepted: true, messageId: persisted.id },
+      const response = Response.json(
+        {
+          accepted: true,
+          messageId: persisted.id,
+          conversationId: mapping.conversationId,
+        },
         { status: 202 },
       );
+
+      // Defer event publishing to next tick so the HTTP response reaches the
+      // client first. This ensures the client's serverToLocalSessionMap is
+      // populated before SSE events arrive, preventing dropped events in new
+      // desktop threads.
+      //
+      // session.processing and drainQueue are also deferred so the current
+      // slash command's events are emitted before the next queued message
+      // starts processing.
+      const conversationId = mapping.conversationId;
+      const message = slashResult.message;
+      setTimeout(() => {
+        if (modelInfoEvent) {
+          onEvent(modelInfoEvent);
+        }
+        onEvent({ type: "assistant_text_delta", text: message });
+        onEvent({
+          type: "message_complete",
+          sessionId: conversationId,
+        });
+        session.processing = false;
+        session.drainQueue().catch(() => {});
+      }, 0);
+
+      cleanupDeferred = true;
+      return response;
     } finally {
-      session.processing = false;
-      session.drainQueue().catch(() => {});
+      // No-op for the slash-command early-return path (handled inside
+      // setTimeout above), but still needed for error paths.
+      if (!cleanupDeferred && session.processing) {
+        session.processing = false;
+        session.drainQueue().catch(() => {});
+      }
     }
   }
 
@@ -874,7 +925,10 @@ export async function handleSendMessage(
       );
     });
 
-  return Response.json({ accepted: true, messageId }, { status: 202 });
+  return Response.json(
+    { accepted: true, messageId, conversationId: mapping.conversationId },
+    { status: 202 },
+  );
 }
 
 async function generateLlmSuggestion(