npm - @vellumai/assistant - Versions diffs - 0.4.49 → 0.4.50 - Mend

@vellumai/assistant 0.4.49 → 0.4.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

package/ARCHITECTURE.md +24 -33
package/README.md +3 -3
package/docs/architecture/memory.md +180 -119
package/package.json +2 -2
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +114 -23
package/src/__tests__/approval-cascade.test.ts +1 -15
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/checker.test.ts +13 -0
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/conversation-routes-guardian-reply.test.ts +8 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-vault-unit.test.ts +4 -0
package/src/__tests__/credential-vault.test.ts +13 -1
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/guardian-routing-invariants.test.ts +93 -0
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +165 -3
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/invite-redemption-service.test.ts +65 -1
package/src/__tests__/keychain-broker-client.test.ts +4 -4
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/oauth-cli.test.ts +572 -5
package/src/__tests__/oauth-store.test.ts +120 -6
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/registry.test.ts +0 -1
package/src/__tests__/relay-server.test.ts +46 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secure-keys.test.ts +7 -2
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/trust-store.test.ts +15 -0
package/src/__tests__/voice-invite-redemption.test.ts +32 -1
package/src/agent/ax-tree-compaction.test.ts +51 -0
package/src/agent/loop.ts +39 -12
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +132 -0
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +43 -5
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +1 -1
package/src/calls/types.ts +3 -1
package/src/cli/commands/doctor.ts +4 -3
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +31 -2
package/src/cli/commands/oauth/connections.ts +431 -97
package/src/cli/commands/oauth/providers.ts +15 -1
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +173 -1
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +5 -6
package/src/cli.ts +4 -10
package/src/config/bundled-skills/computer-use/TOOLS.json +1 -1
package/src/config/bundled-skills/computer-use/tools/computer-use-observe.ts +12 -0
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/schema.ts +1 -12
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/types.ts +0 -4
package/src/context/window-manager.ts +4 -1
package/src/daemon/config-watcher.ts +61 -3
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/sessions.ts +18 -13
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +55 -26
package/src/daemon/lifecycle.ts +31 -3
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-types/computer-use.ts +1 -12
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +1 -0
package/src/daemon/message-types/sessions.ts +4 -0
package/src/daemon/server.ts +12 -1
package/src/daemon/session-agent-loop-handlers.ts +38 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-surfaces.ts +4 -1
package/src/daemon/session-tool-setup.ts +7 -1
package/src/daemon/session.ts +12 -2
package/src/instrument.ts +61 -1
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-queries.ts +22 -3
package/src/memory/db-init.ts +28 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +2 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/index.ts +7 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +2 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/oauth/byo-connection.test.ts +8 -1
package/src/oauth/oauth-store.ts +113 -27
package/src/oauth/seed-providers.ts +6 -0
package/src/oauth/token-persistence.ts +11 -3
package/src/permissions/defaults.ts +1 -0
package/src/permissions/trust-store.ts +23 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/system-prompt.ts +18 -2
package/src/providers/anthropic/client.ts +56 -126
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -3
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +2 -2
package/src/runtime/invite-redemption-service.ts +19 -1
package/src/runtime/invite-service.ts +25 -0
package/src/runtime/pending-interactions.ts +2 -2
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/conversation-routes.ts +9 -1
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +2 -2
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/workspace-routes.ts +2 -1
package/src/security/keychain-broker-client.ts +17 -4
package/src/security/secure-keys.ts +25 -3
package/src/security/token-manager.ts +36 -36
package/src/skills/catalog-install.ts +74 -18
package/src/skills/skillssh-registry.ts +503 -0
package/src/tools/assets/search.ts +5 -1
package/src/tools/computer-use/definitions.ts +0 -10
package/src/tools/computer-use/registry.ts +1 -1
package/src/tools/credentials/vault.ts +1 -3
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/schedule/create.ts +8 -1
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +25 -2
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/runtime/routes/mcp-routes.ts +0 -20

package/src/runtime/routes/memory-item-routes.ts ADDED Viewed

@@ -0,0 +1,503 @@
+/**
+ * Route handlers for memory item CRUD endpoints.
+ *
+ * GET    /v1/memory-items        — list memory items (with filtering, search, sort, pagination)
+ * GET    /v1/memory-items/:id    — get a single memory item
+ * POST   /v1/memory-items        — create a new memory item
+ * PATCH  /v1/memory-items/:id    — update an existing memory item
+ * DELETE /v1/memory-items/:id    — delete a memory item and its embeddings
+ */
+import { and, asc, count, desc, eq, like, ne, or } from "drizzle-orm";
+import { v4 as uuid } from "uuid";
+import { getDb } from "../../memory/db.js";
+import { computeMemoryFingerprint } from "../../memory/fingerprint.js";
+import { enqueueMemoryJob } from "../../memory/jobs-store.js";
+import { memoryEmbeddings, memoryItems } from "../../memory/schema.js";
+import { truncate } from "../../util/truncate.js";
+import { httpError } from "../http-errors.js";
+import type { RouteContext, RouteDefinition } from "../http-router.js";
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const VALID_KINDS = [
+  "identity",
+  "preference",
+  "project",
+  "decision",
+  "constraint",
+  "event",
+] as const;
+type MemoryItemKind = (typeof VALID_KINDS)[number];
+const VALID_SORT_FIELDS = [
+  "lastSeenAt",
+  "importance",
+  "kind",
+  "firstSeenAt",
+] as const;
+type SortField = (typeof VALID_SORT_FIELDS)[number];
+const SORT_COLUMN_MAP = {
+  lastSeenAt: memoryItems.lastSeenAt,
+  importance: memoryItems.importance,
+  kind: memoryItems.kind,
+  firstSeenAt: memoryItems.firstSeenAt,
+} as const;
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function isValidKind(value: string): value is MemoryItemKind {
+  return (VALID_KINDS as readonly string[]).includes(value);
+}
+function isValidSortField(value: string): value is SortField {
+  return (VALID_SORT_FIELDS as readonly string[]).includes(value);
+}
+// ---------------------------------------------------------------------------
+// GET /v1/memory-items
+// ---------------------------------------------------------------------------
+export function handleListMemoryItems(url: URL): Response {
+  const kindParam = url.searchParams.get("kind");
+  const statusParam = url.searchParams.get("status") ?? "active";
+  const searchParam = url.searchParams.get("search");
+  const sortParam = url.searchParams.get("sort") ?? "lastSeenAt";
+  const orderParam = url.searchParams.get("order") ?? "desc";
+  const limitParam = Number(url.searchParams.get("limit") ?? 100);
+  const offsetParam = Number(url.searchParams.get("offset") ?? 0);
+  if (kindParam && !isValidKind(kindParam)) {
+    return httpError(
+      "BAD_REQUEST",
+      `Invalid kind "${kindParam}". Must be one of: ${VALID_KINDS.join(", ")}`,
+      400,
+    );
+  }
+  if (!isValidSortField(sortParam)) {
+    return httpError(
+      "BAD_REQUEST",
+      `Invalid sort "${sortParam}". Must be one of: ${VALID_SORT_FIELDS.join(", ")}`,
+      400,
+    );
+  }
+  if (orderParam !== "asc" && orderParam !== "desc") {
+    return httpError(
+      "BAD_REQUEST",
+      `Invalid order "${orderParam}". Must be "asc" or "desc"`,
+      400,
+    );
+  }
+  const db = getDb();
+  // Build WHERE conditions
+  const conditions = [];
+  if (statusParam && statusParam !== "all") {
+    conditions.push(eq(memoryItems.status, statusParam));
+  }
+  if (kindParam) {
+    conditions.push(eq(memoryItems.kind, kindParam));
+  }
+  if (searchParam) {
+    conditions.push(
+      or(
+        like(memoryItems.subject, `%${searchParam}%`),
+        like(memoryItems.statement, `%${searchParam}%`),
+      )!,
+    );
+  }
+  const whereClause = conditions.length > 0 ? and(...conditions) : undefined;
+  // Count query
+  const countResult = db
+    .select({ count: count() })
+    .from(memoryItems)
+    .where(whereClause)
+    .get();
+  const total = countResult?.count ?? 0;
+  // Data query
+  const sortColumn = SORT_COLUMN_MAP[sortParam];
+  const orderFn = orderParam === "asc" ? asc : desc;
+  const items = db
+    .select()
+    .from(memoryItems)
+    .where(whereClause)
+    .orderBy(orderFn(sortColumn))
+    .limit(limitParam)
+    .offset(offsetParam)
+    .all();
+  return Response.json({ items, total });
+}
+// ---------------------------------------------------------------------------
+// GET /v1/memory-items/:id
+// ---------------------------------------------------------------------------
+export function handleGetMemoryItem(ctx: RouteContext): Response {
+  const { id } = ctx.params;
+  const db = getDb();
+  const item = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  if (!item) {
+    return httpError("NOT_FOUND", "Memory item not found", 404);
+  }
+  let supersedesSubject: string | undefined;
+  let supersededBySubject: string | undefined;
+  if (item.supersedes) {
+    const superseded = db
+      .select({ subject: memoryItems.subject })
+      .from(memoryItems)
+      .where(eq(memoryItems.id, item.supersedes))
+      .get();
+    supersedesSubject = superseded?.subject;
+  }
+  if (item.supersededBy) {
+    const superseding = db
+      .select({ subject: memoryItems.subject })
+      .from(memoryItems)
+      .where(eq(memoryItems.id, item.supersededBy))
+      .get();
+    supersededBySubject = superseding?.subject;
+  }
+  return Response.json({
+    item: {
+      ...item,
+      ...(supersedesSubject !== undefined ? { supersedesSubject } : {}),
+      ...(supersededBySubject !== undefined ? { supersededBySubject } : {}),
+    },
+  });
+}
+// ---------------------------------------------------------------------------
+// POST /v1/memory-items
+// ---------------------------------------------------------------------------
+export async function handleCreateMemoryItem(
+  ctx: RouteContext,
+): Promise<Response> {
+  const body = (await ctx.req.json()) as {
+    kind?: string;
+    subject?: string;
+    statement?: string;
+    importance?: number;
+  };
+  const { kind, subject, statement, importance } = body;
+  // Validate kind
+  if (typeof kind !== "string" || !isValidKind(kind)) {
+    return httpError(
+      "BAD_REQUEST",
+      `kind is required and must be one of: ${VALID_KINDS.join(", ")}`,
+      400,
+    );
+  }
+  // Validate subject
+  if (typeof subject !== "string" || subject.trim().length === 0) {
+    return httpError(
+      "BAD_REQUEST",
+      "subject is required and must be a non-empty string",
+      400,
+    );
+  }
+  // Validate statement
+  if (typeof statement !== "string" || statement.trim().length === 0) {
+    return httpError(
+      "BAD_REQUEST",
+      "statement is required and must be a non-empty string",
+      400,
+    );
+  }
+  const trimmedSubject = truncate(subject.trim(), 80, "");
+  const trimmedStatement = truncate(statement.trim(), 500, "");
+  const scopeId = "default";
+  const fingerprint = computeMemoryFingerprint(
+    scopeId,
+    kind,
+    trimmedSubject,
+    trimmedStatement,
+  );
+  const db = getDb();
+  // Check for existing item with same fingerprint + scopeId
+  const existing = db
+    .select()
+    .from(memoryItems)
+    .where(
+      and(
+        eq(memoryItems.fingerprint, fingerprint),
+        eq(memoryItems.scopeId, scopeId),
+      ),
+    )
+    .get();
+  if (existing) {
+    return httpError(
+      "CONFLICT",
+      "A memory with this content already exists",
+      409,
+    );
+  }
+  const id = uuid();
+  const now = Date.now();
+  db.insert(memoryItems)
+    .values({
+      id,
+      kind,
+      subject: trimmedSubject,
+      statement: trimmedStatement,
+      status: "active",
+      confidence: 0.95,
+      importance: importance ?? 0.8,
+      fingerprint,
+      verificationState: "user_confirmed",
+      scopeId,
+      firstSeenAt: now,
+      lastSeenAt: now,
+      lastUsedAt: null,
+      overrideConfidence: "explicit",
+    })
+    .run();
+  enqueueMemoryJob("embed_item", { itemId: id });
+  // Fetch the inserted row to return it
+  const insertedRow = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  return Response.json({ item: insertedRow }, { status: 201 });
+}
+// ---------------------------------------------------------------------------
+// PATCH /v1/memory-items/:id
+// ---------------------------------------------------------------------------
+export async function handleUpdateMemoryItem(
+  ctx: RouteContext,
+): Promise<Response> {
+  const { id } = ctx.params;
+  const body = (await ctx.req.json()) as {
+    subject?: string;
+    statement?: string;
+    kind?: string;
+    status?: string;
+    importance?: number;
+    verificationState?: string;
+  };
+  const db = getDb();
+  const existing = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  if (!existing) {
+    return httpError("NOT_FOUND", "Memory item not found", 404);
+  }
+  // Build the update set with only provided fields
+  const set: Record<string, unknown> = {
+    lastSeenAt: Date.now(),
+  };
+  if (body.subject !== undefined) {
+    if (typeof body.subject !== "string") {
+      return httpError("BAD_REQUEST", "subject must be a string", 400);
+    }
+    set.subject = truncate(body.subject.trim(), 80, "");
+  }
+  if (body.statement !== undefined) {
+    if (typeof body.statement !== "string") {
+      return httpError("BAD_REQUEST", "statement must be a string", 400);
+    }
+    set.statement = truncate(body.statement.trim(), 500, "");
+  }
+  if (body.kind !== undefined) {
+    if (!isValidKind(body.kind)) {
+      return httpError(
+        "BAD_REQUEST",
+        `Invalid kind "${body.kind}". Must be one of: ${VALID_KINDS.join(", ")}`,
+        400,
+      );
+    }
+    set.kind = body.kind;
+  }
+  if (body.status !== undefined) {
+    set.status = body.status;
+  }
+  if (body.importance !== undefined) {
+    set.importance = body.importance;
+  }
+  if (body.verificationState !== undefined) {
+    set.verificationState = body.verificationState;
+  }
+  // If subject, statement, or kind changed, recompute fingerprint
+  const contentChanged =
+    body.subject !== undefined ||
+    body.statement !== undefined ||
+    body.kind !== undefined;
+  if (contentChanged) {
+    const newSubject = (set.subject as string | undefined) ?? existing.subject;
+    const newStatement =
+      (set.statement as string | undefined) ?? existing.statement;
+    const newKind = (set.kind as string | undefined) ?? existing.kind;
+    const scopeId = existing.scopeId;
+    const fingerprint = computeMemoryFingerprint(
+      scopeId,
+      newKind,
+      newSubject,
+      newStatement,
+    );
+    // Check for collision (exclude self)
+    const collision = db
+      .select({ id: memoryItems.id })
+      .from(memoryItems)
+      .where(
+        and(
+          eq(memoryItems.fingerprint, fingerprint),
+          eq(memoryItems.scopeId, scopeId),
+          ne(memoryItems.id, id),
+        ),
+      )
+      .get();
+    if (collision) {
+      return httpError(
+        "CONFLICT",
+        "Another memory item with this content already exists",
+        409,
+      );
+    }
+    set.fingerprint = fingerprint;
+  }
+  db.update(memoryItems).set(set).where(eq(memoryItems.id, id)).run();
+  // If statement changed, enqueue embed job
+  if (body.statement !== undefined) {
+    enqueueMemoryJob("embed_item", { itemId: id });
+  }
+  // Fetch and return the updated row
+  const updatedRow = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  return Response.json({ item: updatedRow });
+}
+// ---------------------------------------------------------------------------
+// DELETE /v1/memory-items/:id
+// ---------------------------------------------------------------------------
+export async function handleDeleteMemoryItem(
+  ctx: RouteContext,
+): Promise<Response> {
+  const { id } = ctx.params;
+  const db = getDb();
+  const existing = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  if (!existing) {
+    return httpError("NOT_FOUND", "Memory item not found", 404);
+  }
+  // Delete embeddings for this item
+  db.delete(memoryEmbeddings)
+    .where(
+      and(
+        eq(memoryEmbeddings.targetType, "item"),
+        eq(memoryEmbeddings.targetId, id),
+      ),
+    )
+    .run();
+  // Delete the item (cascades memoryItemSources)
+  db.delete(memoryItems).where(eq(memoryItems.id, id)).run();
+  return new Response(null, { status: 204 });
+}
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+export function memoryItemRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "memory-items",
+      method: "GET",
+      handler: (ctx) => handleListMemoryItems(ctx.url),
+    },
+    {
+      endpoint: "memory-items/:id",
+      method: "GET",
+      policyKey: "memory-items",
+      handler: (ctx) => handleGetMemoryItem(ctx),
+    },
+    {
+      endpoint: "memory-items",
+      method: "POST",
+      handler: (ctx) => handleCreateMemoryItem(ctx),
+    },
+    {
+      endpoint: "memory-items/:id",
+      method: "PATCH",
+      policyKey: "memory-items",
+      handler: (ctx) => handleUpdateMemoryItem(ctx),
+    },
+    {
+      endpoint: "memory-items/:id",
+      method: "DELETE",
+      policyKey: "memory-items",
+      handler: (ctx) => handleDeleteMemoryItem(ctx),
+    },
+  ];
+}

package/src/runtime/routes/session-management-routes.ts CHANGED Viewed

@@ -29,7 +29,7 @@ export interface SessionManagementDeps {
   renameSession: (sessionId: string, name: string) => boolean;
   clearAllSessions: () => number;
   cancelGeneration: (sessionId: string) => boolean;
-  undoLastMessage: (sessionId: string) => { removedCount: number } | null;
+  undoLastMessage: (sessionId: string) => Promise<{ removedCount: number } | null>;
   regenerateResponse: (
     sessionId: string,
   ) => Promise<{ requestId: string } | null>;
@@ -115,8 +115,8 @@ export function sessionManagementRouteDefinitions(
       endpoint: "conversations/:id/undo",
       method: "POST",
       policyKey: "conversations/undo",
-      handler: ({ params }) => {
-        const result = deps.undoLastMessage(params.id);
+      handler: async ({ params }) => {
+        const result = await deps.undoLastMessage(params.id);
         if (!result) {
           return httpError(
             "NOT_FOUND",

package/src/runtime/routes/settings-routes.ts CHANGED Viewed

@@ -160,7 +160,7 @@ async function handleOAuthConnectStart(body: {
     const app = getApp(conn.oauthAppId);
     if (app) {
       clientId = app.clientId;
-      clientSecret = getSecureKey(`oauth_app/${app.id}/client_secret`);
+      clientSecret = getSecureKey(app.clientSecretCredentialPath);
     }
   }
@@ -170,7 +170,7 @@ async function handleOAuthConnectStart(body: {
     if (dbApp) {
       clientId = dbApp.clientId;
       if (!clientSecret) {
-        clientSecret = getSecureKey(`oauth_app/${dbApp.id}/client_secret`);
+        clientSecret = getSecureKey(dbApp.clientSecretCredentialPath);
       }
     }
   }

package/src/runtime/routes/trust-rules-routes.ts CHANGED Viewed

@@ -48,6 +48,13 @@ export async function handleAddTrustRuleManage(
   if (!toolName || typeof toolName !== "string") {
     return httpError("BAD_REQUEST", "toolName is required", 400);
   }
+  if (toolName.startsWith("__internal:")) {
+    return httpError(
+      "BAD_REQUEST",
+      "toolName must not start with __internal:",
+      400,
+    );
+  }
   if (!pattern || typeof pattern !== "string") {
     return httpError("BAD_REQUEST", "pattern is required", 400);
   }
@@ -124,6 +131,13 @@ export async function handleUpdateTrustRuleManage(
     priority?: number;
   };
+  if (typeof body.tool === "string" && body.tool.startsWith("__internal:")) {
+    return httpError(
+      "BAD_REQUEST",
+      "tool must not start with __internal:",
+      400,
+    );
+  }
   if (body.decision !== undefined) {
     const validDecisions = ["allow", "deny", "ask"] as const;
     if (

package/src/runtime/routes/workspace-routes.ts CHANGED Viewed

@@ -33,6 +33,7 @@ interface TreeEntry {
 function handleWorkspaceTree(ctx: RouteContext): Response {
   const requestedPath = ctx.url.searchParams.get("path") ?? "";
+  const showHidden = ctx.url.searchParams.get("showHidden") === "true";
   const resolved = resolveWorkspacePath(requestedPath);
   if (resolved === undefined) {
     return httpError("BAD_REQUEST", "Invalid path", 400);
@@ -45,7 +46,7 @@ function handleWorkspaceTree(ctx: RouteContext): Response {
     const entries: TreeEntry[] = [];
     for (const entry of dirents) {
       // Filter out dotfiles/directories (.env, .git, .private, etc.)
-      if (entry.name.startsWith(".")) continue;
+      if (!showHidden && entry.name.startsWith(".")) continue;
       const fullPath = join(resolved, entry.name);

package/src/security/keychain-broker-client.ts CHANGED Viewed

@@ -33,11 +33,18 @@ const REQUEST_TIMEOUT_MS = 5_000;
  *  back); `{ found: false }` means the key doesn't exist in the keychain. */
 export type BrokerGetResult = { found: boolean; value?: string } | null;
+/** Result of a `set()` call — distinguishes broker-unreachable from an active
+ *  rejection so callers can log meaningful diagnostics. */
+export type BrokerSetResult =
+  | { status: "ok" }
+  | { status: "unreachable" }
+  | { status: "rejected"; code: string; message: string };
 export interface KeychainBrokerClient {
   isAvailable(): boolean;
   ping(): Promise<{ pong: boolean } | null>;
   get(account: string): Promise<BrokerGetResult>;
-  set(account: string, value: string): Promise<boolean>;
+  set(account: string, value: string): Promise<BrokerSetResult>;
   del(account: string): Promise<boolean>;
   list(): Promise<string[]>;
 }
@@ -360,12 +367,18 @@ export function createBrokerClient(): KeychainBrokerClient {
       }
     },
-    async set(account: string, value: string): Promise<boolean> {
+    async set(account: string, value: string): Promise<BrokerSetResult> {
       try {
         const response = await doRequest("key.set", { account, value });
-        return response?.ok === true;
+        if (!response) return { status: "unreachable" };
+        if (response.ok) return { status: "ok" };
+        return {
+          status: "rejected",
+          code: response.error?.code ?? "UNKNOWN",
+          message: response.error?.message ?? "unknown error",
+        };
       } catch {
-        return false;
+        return { status: "unreachable" };
       }
     },

package/src/security/secure-keys.ts CHANGED Viewed

@@ -7,10 +7,13 @@
  * encrypted store (startup code paths cannot do async I/O).
  */
+import { getLogger } from "../util/logger.js";
 import * as encryptedStore from "./encrypted-store.js";
 import type { KeychainBrokerClient } from "./keychain-broker-client.js";
 import { createBrokerClient } from "./keychain-broker-client.js";
+const log = getLogger("secure-keys");
 let _broker: KeychainBrokerClient | undefined;
 function getBroker(): KeychainBrokerClient {
@@ -120,13 +123,32 @@ export async function setSecureKeyAsync(
 ): Promise<boolean> {
   const broker = getBroker();
   if (broker.isAvailable()) {
-    const brokerOk = await broker.set(account, value);
-    if (!brokerOk) return false;
+    const result = await broker.set(account, value);
+    if (result.status !== "ok") {
+      log.warn(
+        {
+          account,
+          brokerStatus: result.status,
+          ...(result.status === "rejected"
+            ? { brokerCode: result.code, brokerMessage: result.message }
+            : {}),
+        },
+        "Broker set failed for secure key",
+      );
+      return false;
+    }
     // Broker succeeded — also persist to encrypted store for sync callers.
     const encOk = encryptedStore.setKey(account, value);
+    if (!encOk) {
+      log.warn({ account }, "Encrypted store set failed after broker success");
+    }
     return encOk;
   }
-  return encryptedStore.setKey(account, value);
+  const encOk = encryptedStore.setKey(account, value);
+  if (!encOk) {
+    log.warn({ account }, "Encrypted store set failed (broker unavailable)");
+  }
+  return encOk;
 }
 /**