@vellumai/assistant 0.4.49 → 0.4.50

package/src/prompts/system-prompt.ts

@@ -690,7 +690,7 @@ function buildMemoryRecallSection(): string {
     "- The auto-injected memory context doesn't contain what you need",
     "- The user references something from a previous session",
     "",
-    "The tool searches across semantic, lexical, entity graph, and recency sources. Be specific in your query for best results.",
+    "The tool uses hybrid search (dense and sparse vectors) supplemented by recency. Be specific in your query for best results.",
   ].join("\n");
 }
 
@@ -845,7 +845,7 @@ export function buildCliReferenceSection(): string {
   return [
     "## Assistant CLI",
     "",
-    "The `assistant` CLI is installed on the user's machine and available via `bash`.",
+    "The `assistant` CLI is available in the sandbox. Always use the `bash` tool (never `host_bash`) when running `assistant` commands.",
     "For account and authentication work, prefer real `assistant` CLI workflows over any legacy account-record abstraction.",
     "- Use `assistant credentials ...` for stored secrets and credential metadata.",
     "- Use `assistant oauth connections token <provider-key>` for connected integration tokens.",
@@ -960,6 +960,22 @@ function buildDynamicSkillWorkflowSection(
     );
   }
 
+  lines.push(
+    "",
+    "### Community Skills Discovery",
+    "",
+    "When no built-in skill satisfies a request, search the community skills.sh registry:",
+    "1. Run `assistant skills search <query>` to find community skills. Results include install counts and security audit badges (ATH, Socket, Snyk).",
+    "2. Present the search results to the user, highlighting the security audit status. ATH is Gen Agent Trust Hub. Audits show PASS (safe/low risk), WARN (medium risk), or FAIL (high/critical risk) for each provider.",
+    "3. Check the skill's **source owner** to determine the trust level:",
+    "   - **Vellum-owned** (source starts with `vellum-ai/`): These are first-party skills published by the Vellum team. Install them directly without prompting — they are vetted and trusted.",
+    "   - **Third-party** (any other owner): Ask the user for permission before installing. Say something like: \"I found a community skill that could help with this, but it's published by a third party — we haven't vetted it. Want to install it anyway?\" Share the skill name, source, audit results, and install count.",
+    "4. Install with `assistant skills add <owner>/<repo>@<skill-name>` (e.g., `assistant skills add vercel-labs/skills@find-skills`).",
+    "5. After installation, load the skill with `skill_load` as usual.",
+    "",
+    "**Never install third-party community skills without explicit user confirmation.** Vellum-owned skills (`vellum-ai/*`) can be installed automatically.",
+  );
+
   return lines.join("\n");
 }
 

package/src/providers/anthropic/client.ts

@@ -63,20 +63,6 @@ function isToolUseBlock(block: unknown): block is Anthropic.ToolUseBlockParam {
   );
 }
 
-/** Type-guard for server_tool_use blocks (e.g. native web search). */
-function isServerToolUseBlock(block: unknown): block is {
-  type: "server_tool_use";
-  id: string;
-  name: string;
-  input: unknown;
-} {
-  return (
-    typeof block === "object" &&
-    block != null &&
-    (block as { type: string }).type === "server_tool_use"
-  );
-}
-
 /** Type-guard for tool_result blocks in Anthropic-formatted content. */
 function isToolResultBlock(
   block: unknown,
@@ -88,19 +74,6 @@ function isToolResultBlock(
   );
 }
 
-/** Type-guard for web_search_tool_result blocks. */
-function isWebSearchToolResultBlock(block: unknown): block is {
-  type: "web_search_tool_result";
-  tool_use_id: string;
-  content: unknown;
-} {
-  return (
-    typeof block === "object" &&
-    block != null &&
-    (block as { type: string }).type === "web_search_tool_result"
-  );
-}
-
 /**
  * Build a short diagnostic summary of a message array for error logging.
  * Shows role + block types (with tool_use/tool_result IDs) for each message.
@@ -134,79 +107,55 @@ function buildSyntheticToolResult(
   };
 }
 
-function buildSyntheticWebSearchToolResult(
-  toolUseId: string,
-): Anthropic.ContentBlockParam {
-  return {
-    type: "web_search_tool_result",
-    tool_use_id: toolUseId,
-    content: {
-      type: "web_search_tool_result_error",
-      error_code: "unavailable",
-    },
-  } as unknown as Anthropic.ContentBlockParam;
-}
-
-/** Build the appropriate synthetic result block based on whether the ID is for a server tool or regular tool. */
-function buildSyntheticResult(
-  toolUseId: string,
-  serverToolIds: ReadonlySet<string>,
-): Anthropic.ContentBlockParam {
-  if (serverToolIds.has(toolUseId)) {
-    return buildSyntheticWebSearchToolResult(toolUseId);
-  }
-  return buildSyntheticToolResult(toolUseId);
-}
 
-function getOrderedToolUseIds(content: Anthropic.ContentBlockParam[]): {
-  ids: string[];
-  serverToolIds: Set<string>;
-} {
+/**
+ * Collect ordered IDs of client-side tool_use blocks only.
+ * Server-side tools (server_tool_use / web_search_tool_result) are self-paired
+ * within the assistant message and do not need cross-message pairing.
+ */
+function getOrderedToolUseIds(
+  content: Anthropic.ContentBlockParam[],
+): string[] {
   const ids: string[] = [];
   const seen = new Set<string>();
-  const serverToolIds = new Set<string>();
   for (const block of content) {
     if (isToolUseBlock(block)) {
       if (!seen.has(block.id)) {
         seen.add(block.id);
         ids.push(block.id);
       }
-    } else if (isServerToolUseBlock(block)) {
-      if (!seen.has(block.id)) {
-        seen.add(block.id);
-        ids.push(block.id);
-        serverToolIds.add(block.id);
-      }
     }
   }
-  return { ids, serverToolIds };
+  return ids;
 }
 
 function hasOrderedToolResultPrefix(
   content: Anthropic.ContentBlockParam[],
   orderedToolUseIds: string[],
-  serverToolIds: ReadonlySet<string>,
 ): boolean {
   if (content.length < orderedToolUseIds.length) return false;
   for (let idx = 0; idx < orderedToolUseIds.length; idx++) {
     const block = content[idx];
     const expectedId = orderedToolUseIds[idx];
-    if (serverToolIds.has(expectedId)) {
-      if (!isWebSearchToolResultBlock(block)) return false;
-      if (block.tool_use_id !== expectedId) return false;
-    } else {
-      if (!isToolResultBlock(block)) return false;
-      if (block.tool_use_id !== expectedId) return false;
-    }
+    if (!isToolResultBlock(block)) return false;
+    if (block.tool_use_id !== expectedId) return false;
   }
   return true;
 }
 
+/**
+ * Split an assistant message into:
+ * - pairedContent: everything up to and including client-side tool_use blocks
+ * - carryoverContent: trailing non-tool blocks after the last tool_use
+ *
+ * Server-side tools (server_tool_use / web_search_tool_result) are treated as
+ * regular content — they are self-paired within the assistant message and must
+ * not be separated by the cross-message pairing logic.
+ */
 function splitAssistantForToolPairing(content: Anthropic.ContentBlockParam[]): {
   pairedContent: Anthropic.ContentBlockParam[];
   carryoverContent: Anthropic.ContentBlockParam[];
   toolUseIds: string[];
-  serverToolIds: Set<string>;
 } {
   const leading: Anthropic.ContentBlockParam[] = [];
   const toolUseBlocks: Anthropic.ContentBlockParam[] = [];
@@ -214,7 +163,7 @@ function splitAssistantForToolPairing(content: Anthropic.ContentBlockParam[]): {
   let seenToolUse = false;
 
   for (const block of content) {
-    if (isToolUseBlock(block) || isServerToolUseBlock(block)) {
+    if (isToolUseBlock(block)) {
       seenToolUse = true;
       toolUseBlocks.push(block);
       continue;
@@ -231,7 +180,6 @@ function splitAssistantForToolPairing(content: Anthropic.ContentBlockParam[]): {
       pairedContent: content,
       carryoverContent: [],
       toolUseIds: [],
-      serverToolIds: new Set(),
     };
   }
 
@@ -239,19 +187,16 @@ function splitAssistantForToolPairing(content: Anthropic.ContentBlockParam[]): {
     ...leading,
     ...toolUseBlocks,
   ];
-  const { ids, serverToolIds } = getOrderedToolUseIds(pairedContent);
   return {
     pairedContent,
     carryoverContent: carryover,
-    toolUseIds: ids,
-    serverToolIds,
+    toolUseIds: getOrderedToolUseIds(pairedContent),
   };
 }
 
 function normalizeFollowingUserContent(
   nextContent: Anthropic.ContentBlockParam[],
   orderedToolUseIds: string[],
-  serverToolIds: ReadonlySet<string>,
 ): {
   toolResultPrefix: Anthropic.ContentBlockParam[];
   remainingContent: Anthropic.ContentBlockParam[];
@@ -266,41 +211,24 @@ function normalizeFollowingUserContent(
     if (
       isToolResultBlock(block) &&
       pendingIds.has(block.tool_use_id) &&
-      !matchedById.has(block.tool_use_id) &&
-      !serverToolIds.has(block.tool_use_id)
+      !matchedById.has(block.tool_use_id)
     ) {
       matchedById.set(block.tool_use_id, block);
       continue;
     }
-    if (
-      isWebSearchToolResultBlock(block) &&
-      pendingIds.has(block.tool_use_id) &&
-      !matchedById.has(block.tool_use_id) &&
-      serverToolIds.has(block.tool_use_id)
-    ) {
-      matchedById.set(
-        block.tool_use_id,
-        block as unknown as Anthropic.ContentBlockParam,
-      );
-      continue;
-    }
     remaining.push(block);
   }
 
   const missingIds = orderedToolUseIds.filter((id) => !matchedById.has(id));
   const orderedResults = orderedToolUseIds.map(
-    (id) => matchedById.get(id) ?? buildSyntheticResult(id, serverToolIds),
+    (id) => matchedById.get(id) ?? buildSyntheticToolResult(id),
   );
 
   return {
     toolResultPrefix: orderedResults,
     remainingContent: remaining,
     missingIds,
-    hadOrderedPrefix: hasOrderedToolResultPrefix(
-      nextContent,
-      orderedToolUseIds,
-      serverToolIds,
-    ),
+    hadOrderedPrefix: hasOrderedToolResultPrefix(nextContent, orderedToolUseIds),
   };
 }
 
@@ -328,7 +256,7 @@ function ensureToolPairing(
     }
 
     const content = Array.isArray(msg.content) ? msg.content : [];
-    const { pairedContent, carryoverContent, toolUseIds, serverToolIds } =
+    const { pairedContent, carryoverContent, toolUseIds } =
       splitAssistantForToolPairing(content);
 
     if (toolUseIds.length === 0) {
@@ -337,7 +265,7 @@ function ensureToolPairing(
       continue;
     }
 
-    // Assistant message — push the paired portion (pre-tool text + tool_use/server_tool_use blocks)
+    // Assistant message — push the paired portion (pre-tool text + tool_use blocks)
     result.push({
       role: "assistant" as const,
       content: pairedContent,
@@ -358,11 +286,7 @@ function ensureToolPairing(
     const next = messages[i + 1];
     if (next && next.role === "user") {
       const nextContent = Array.isArray(next.content) ? next.content : [];
-      const normalized = normalizeFollowingUserContent(
-        nextContent,
-        toolUseIds,
-        serverToolIds,
-      );
+      const normalized = normalizeFollowingUserContent(nextContent, toolUseIds);
       if (normalized.missingIds.length > 0) {
         log.warn(
           {
@@ -427,9 +351,7 @@ function ensureToolPairing(
       );
       result.push({
         role: "user" as const,
-        content: toolUseIds.map((id) =>
-          buildSyntheticResult(id, serverToolIds),
-        ),
+        content: toolUseIds.map((id) => buildSyntheticToolResult(id)),
       });
 
       // If the assistant contained collapsed post-tool text, preserve it as a
@@ -445,13 +367,14 @@ function ensureToolPairing(
     }
   }
 
-  // Self-validation: verify no tool_use/tool_result mismatches remain
+  // Self-validation: verify no client-side tool_use/tool_result mismatches remain.
+  // Server-side tools (server_tool_use / web_search_tool_result) are self-paired
+  // within assistant messages and are not validated here.
   for (let j = 0; j < result.length; j++) {
     const m = result[j];
     if (m.role !== "assistant") continue;
     const c = Array.isArray(m.content) ? m.content : [];
-    const { ids: validationIds, serverToolIds: validationServerToolIds } =
-      getOrderedToolUseIds(c);
+    const validationIds = getOrderedToolUseIds(c);
     if (validationIds.length === 0) continue;
 
     const nxt = result[j + 1];
@@ -459,20 +382,9 @@ function ensureToolPairing(
       nxt && nxt.role === "user" && Array.isArray(nxt.content)
         ? nxt.content
         : [];
-    if (
-      !hasOrderedToolResultPrefix(
-        nxtContent,
-        validationIds,
-        validationServerToolIds,
-      )
-    ) {
+    if (!hasOrderedToolResultPrefix(nxtContent, validationIds)) {
       const unmatchedIds = validationIds.filter((id, idx) => {
         const block = nxtContent[idx];
-        if (validationServerToolIds.has(id)) {
-          return !(
-            isWebSearchToolResultBlock(block) && block.tool_use_id === id
-          );
-        }
         return !(isToolResultBlock(block) && block.tool_use_id === id);
       });
       log.error(
@@ -768,10 +680,14 @@ export class AnthropicProvider implements Provider {
               onEvent?.({ type: "text_delta", text: " " });
             }
             hasSeenTextBlock = true;
-          } else if (event.type === "content_block_start") {
-            // Reset on non-text blocks so that text separated by tool_use
-            // (text -> tool_use -> text) doesn't get a spurious leading space
-            // in the second text segment.
+          } else if (
+            event.type === "content_block_start" &&
+            event.content_block.type === "tool_use"
+          ) {
+            // Reset only for client-side tool_use blocks, which create visual
+            // separators in the UI. Server-side tool blocks (server_tool_use,
+            // web_search_tool_result) are transparent in the text stream and
+            // need the space preserved between surrounding text blocks.
             hasSeenTextBlock = false;
           }
           if (
@@ -796,6 +712,20 @@ export class AnthropicProvider implements Provider {
               type: "server_tool_start",
               name: event.content_block.name,
               toolUseId: event.content_block.id,
+              input: (
+                event.content_block as { input?: Record<string, unknown> }
+              ).input ?? {},
+            });
+          }
+          if (
+            event.type === "content_block_start" &&
+            event.content_block.type === "web_search_tool_result"
+          ) {
+            onEvent?.({
+              type: "server_tool_complete",
+              toolUseId: (
+                event.content_block as { tool_use_id: string }
+              ).tool_use_id,
             });
           }
           if (event.type === "content_block_stop") {

package/src/providers/types.ts

@@ -117,7 +117,13 @@ export type ProviderEvent =
       toolUseId: string;
       accumulatedJson: string;
     }
-  | { type: "server_tool_start"; name: string; toolUseId: string };
+  | {
+      type: "server_tool_start";
+      name: string;
+      toolUseId: string;
+      input: Record<string, unknown>;
+    }
+  | { type: "server_tool_complete"; toolUseId: string };
 
 export interface SendMessageConfig {
   model?: string;

package/src/runtime/AGENTS.md

@@ -43,6 +43,15 @@ Host file allows the assistant to perform file operations (read, write, edit) on
   - `POST /v1/host-file-result` — `{ requestId, content, isError }`
 - **Tracking**: Uses the same `pending-interactions` tracker as approvals and host bash, with `kind: "host_file"`. The endpoint validates the interaction kind before resolving.
 
+### Host CU (desktop proxy computer-use execution)
+
+Host CU allows the assistant to proxy computer-use actions (screenshots, mouse/keyboard input) to the desktop host via the client, following the same pattern as host bash and host file.
+
+- **Discovery**: Clients discover pending host CU requests via SSE events (`host_cu_request`) which include a `requestId`.
+- **Resolution**: Clients execute the CU action on the host and respond via:
+  - `POST /v1/host-cu-result` — `{ requestId, axTree?, axDiff?, screenshot?, screenshotWidthPx?, screenshotHeightPx?, screenWidthPt?, screenHeightPt?, executionResult?, executionError?, secondaryWindows?, userGuidance? }`
+- **Tracking**: Uses the same `pending-interactions` tracker as the other host proxy types, with `kind: "host_cu"`. Registration happens in `conversation-routes.ts` and the route handler is in `host-cu-routes.ts`.
+
 ### Channel approvals (Telegram, Slack)
 
 Channel approval flows use `requestId` (not `runId`) as the primary identifier:

package/src/runtime/auth/route-policy.ts

@@ -347,6 +347,12 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "skills:DELETE", scopes: ["settings.write"] },
   { endpoint: "skills:PATCH", scopes: ["settings.write"] },
 
+  // Memory items
+  { endpoint: "memory-items:GET", scopes: ["settings.read"] },
+  { endpoint: "memory-items:POST", scopes: ["settings.write"] },
+  { endpoint: "memory-items:PATCH", scopes: ["settings.write"] },
+  { endpoint: "memory-items:DELETE", scopes: ["settings.write"] },
+
   // Trust rule CRUD management
   { endpoint: "trust-rules/manage:GET", scopes: ["settings.read"] },
   { endpoint: "trust-rules/manage:POST", scopes: ["settings.write"] },
@@ -378,9 +384,6 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Delivery ack
   { endpoint: "channels/delivery-ack", scopes: ["internal.write"] },
 
-  // MCP
-  { endpoint: "mcp/reload", scopes: ["settings.write"] },
-
   // Migrations
   { endpoint: "migrations/validate", scopes: ["settings.write"] },
   { endpoint: "migrations/export", scopes: ["settings.write"] },

package/src/runtime/guardian-reply-router.ts

@@ -30,6 +30,7 @@ import {
   type CanonicalGuardianRequest,
   getCanonicalGuardianRequest,
   getCanonicalGuardianRequestByCode,
+  isRequestExpired,
   listCanonicalGuardianRequests,
 } from "../memory/canonical-guardian-store.js";
 import {
@@ -198,49 +199,50 @@ function findPendingCanonicalRequests(
   pendingRequestIds?: string[],
   conversationId?: string,
 ): CanonicalGuardianRequest[] {
+  let results: CanonicalGuardianRequest[];
+
   // When explicit IDs are provided, look them up directly
   if (pendingRequestIds) {
     if (pendingRequestIds.length === 0) {
       return [];
     }
-    return pendingRequestIds
+    results = pendingRequestIds
       .map(getCanonicalGuardianRequest)
       .filter((r): r is CanonicalGuardianRequest => r?.status === "pending");
-  }
-
-  // Query by guardian identity when available
-  if (actor.actorExternalUserId) {
-    return listCanonicalGuardianRequests({
+  } else if (actor.actorExternalUserId) {
+    // Query by guardian identity when available
+    results = listCanonicalGuardianRequests({
       status: "pending",
       guardianExternalUserId: actor.actorExternalUserId,
     });
-  }
-
-  // Actors without an actorExternalUserId: scope by conversationId so the NL
-  // path can discover pending requests bound to this conversation.
-  // Include guardianPrincipalId filter when available so the guardian only
-  // sees requests they are authorized to act on.
-  if (conversationId) {
-    return listCanonicalGuardianRequests({
+  } else if (conversationId) {
+    // Actors without an actorExternalUserId: scope by conversationId so the NL
+    // path can discover pending requests bound to this conversation.
+    // Include guardianPrincipalId filter when available so the guardian only
+    // sees requests they are authorized to act on.
+    results = listCanonicalGuardianRequests({
       status: "pending",
       conversationId,
       ...(actor.guardianPrincipalId
         ? { guardianPrincipalId: actor.guardianPrincipalId }
         : {}),
     });
-  }
-
-  // Actors with a guardianPrincipalId but no actorExternalUserId or
-  // conversationId: query by principal so desktop sessions can still
-  // discover pending guardian work via their bound principal.
-  if (actor.guardianPrincipalId) {
-    return listCanonicalGuardianRequests({
+  } else if (actor.guardianPrincipalId) {
+    // Actors with a guardianPrincipalId but no actorExternalUserId or
+    // conversationId: query by principal so desktop sessions can still
+    // discover pending guardian work via their bound principal.
+    results = listCanonicalGuardianRequests({
       status: "pending",
       guardianPrincipalId: actor.guardianPrincipalId,
     });
+  } else {
+    return [];
   }
 
-  return [];
+  // Exclude requests that have passed their expiresAt deadline — they can
+  // no longer be resolved and should not trigger disambiguation or NL
+  // classification.
+  return results.filter((r) => !isRequestExpired(r));
 }
 
 /** Map an approval action string to the NL engine's allowed actions for guardians. */

package/src/runtime/http-server.ts

@@ -135,7 +135,7 @@ import { telegramRouteDefinitions } from "./routes/integrations/telegram.js";
 import { twilioRouteDefinitions } from "./routes/integrations/twilio.js";
 import { inviteRouteDefinitions } from "./routes/invite-routes.js";
 import { logExportRouteDefinitions } from "./routes/log-export-routes.js";
-import { mcpRouteDefinitions } from "./routes/mcp-routes.js";
+import { memoryItemRouteDefinitions } from "./routes/memory-item-routes.js";
 import { migrationRouteDefinitions } from "./routes/migration-routes.js";
 import type { PairingHandlerContext } from "./routes/pairing-routes.js";
 import {
@@ -723,9 +723,9 @@ export class RuntimeHttpServer {
       ...secretRouteDefinitions(),
       ...identityRouteDefinitions(),
       ...debugRouteDefinitions(),
-      ...mcpRouteDefinitions(),
       ...usageRouteDefinitions(),
       ...workspaceRouteDefinitions(),
+      ...memoryItemRouteDefinitions(),
       ...settingsRouteDefinitions(),
       ...scheduleRouteDefinitions({
         sendMessageDeps: this.sendMessageDeps,

package/src/runtime/invite-redemption-service.ts

@@ -146,6 +146,12 @@ export function redeemInvite(params: {
     return { ok: false, reason: "invalid_token" };
   }
 
+  // Guardian channels must not be reactivated via regular invite redemption —
+  // their lifecycle is managed exclusively through the guardian binding flow.
+  if (existingContact && existingContact.role === "guardian") {
+    return { ok: false, reason: "invalid_token" };
+  }
+
   // Inactive member reactivation: when the user already has a member record
   // in a non-active state (revoked/pending), reactivate it via upsertContactChannel
   // and consume an invite use atomically. The fresh-member path below also
@@ -338,6 +344,7 @@ export function redeemVoiceInviteCode(params: {
     externalUserId: canonicalCallerId,
   });
   const existingVoiceChannel = voiceContactResult?.channel ?? null;
+  const voiceContact = voiceContactResult?.contact ?? null;
 
   if (existingVoiceChannel && existingVoiceChannel.status === "active") {
     return {
@@ -352,13 +359,18 @@ export function redeemVoiceInviteCode(params: {
     return { ok: false, reason: "invalid_or_expired" };
   }
 
+  // Guardian channels must not be reactivated via regular invite redemption —
+  // their lifecycle is managed exclusively through the guardian binding flow.
+  if (voiceContact && voiceContact.role === "guardian") {
+    return { ok: false, reason: "invalid_or_expired" };
+  }
+
   // Atomic redemption: upsert member + consume invite use in a transaction
   const STALE_INVITE = Symbol("stale_invite");
   let memberId: string | undefined;
 
   // Reactivation should not overwrite a guardian-managed nickname (same
   // protection as the token-based redemption path above).
-  const voiceContact = voiceContactResult?.contact ?? null;
   const preservedDisplayName = voiceContact?.displayName?.trim().length
     ? voiceContact.displayName
     : (invite.friendName ?? undefined);
@@ -487,6 +499,12 @@ export function redeemInviteByCode(params: {
     return { ok: false, reason: "invalid_token" };
   }
 
+  // Guardian channels must not be reactivated via regular invite redemption —
+  // their lifecycle is managed exclusively through the guardian binding flow.
+  if (existingContact && existingContact.role === "guardian") {
+    return { ok: false, reason: "invalid_token" };
+  }
+
   // Inactive member reactivation: reactivate via upsertContactChannel and consume
   // an invite use atomically.
   if (existingChannel) {

package/src/runtime/invite-service.ts

@@ -8,6 +8,7 @@
  * /v1/contacts/channels endpoints.
  */
 
+import { startInviteCall } from "../calls/call-domain.js";
 import { isChannelId } from "../channels/types.js";
 import {
   createInvite,
@@ -23,6 +24,7 @@ import {
   DEFAULT_USER_REFERENCE,
   resolveGuardianName,
 } from "../prompts/user-reference.js";
+import { getLogger } from "../util/logger.js";
 import { isValidE164 } from "../util/phone.js";
 import { generateVoiceCode, hashVoiceCode } from "../util/voice-code.js";
 import {
@@ -37,6 +39,8 @@ import {
   type VoiceRedemptionOutcome,
 } from "./invite-redemption-service.js";
 
+const log = getLogger("invite-service");
+
 // ---------------------------------------------------------------------------
 // Response shapes — used by both HTTP routes and message handlers
 // ---------------------------------------------------------------------------
@@ -250,6 +254,27 @@ export async function createIngressInvite(params: {
     });
   }
 
+  // For voice invites with a known phone number, initiate an outbound call
+  // so the contact is prompted to enter their code immediately.
+  if (
+    params.sourceChannel === "phone" &&
+    params.expectedExternalUserId &&
+    params.friendName &&
+    effectiveGuardianName
+  ) {
+    // Fire-and-forget: don't block invite creation on call initiation
+    startInviteCall({
+      phoneNumber: params.expectedExternalUserId,
+      friendName: params.friendName,
+      guardianName: effectiveGuardianName,
+    }).catch((err) => {
+      log.warn(
+        { err, inviteId: invite.id },
+        "Failed to initiate outbound invite call",
+      );
+    });
+  }
+
   // Voice invites must not expose the token — callers must redeem via the
   // identity-bound voice code flow, not the generic token redemption path.
   return {

package/src/runtime/pending-interactions.ts

@@ -6,8 +6,8 @@
  * host_bash_request, host_file_request, or host_cu_request, the onEvent
  * callback registers the interaction here. Standalone HTTP endpoints
  * (/v1/confirm, /v1/secret, /v1/trust-rules, /v1/host-bash-result,
- * /v1/host-file-result, /v1/host-cu-result) look up the session from
- * this tracker to resolve the interaction.
+ * /v1/host-file-result, /v1/host-cu-result) look up the session from this
+ * tracker to resolve the interaction.
  */
 
 import type { Session } from "../daemon/session.js";