@vellumai/assistant 0.4.49 → 0.4.51

package/src/memory/search/types.ts

@@ -1,11 +1,7 @@
 export type CandidateType = "segment" | "item" | "summary" | "media";
-export type CandidateSource =
-  | "lexical"
-  | "semantic"
-  | "recency"
-  | "entity_direct"
-  | "entity_relation"
-  | "item_direct";
+export type CandidateSource = "semantic" | "recency";
+
+export type StalenessLevel = "fresh" | "aging" | "stale" | "very_stale";
 
 export interface Candidate {
   key: string;
@@ -18,10 +14,11 @@ export interface Candidate {
   confidence: number;
   importance: number;
   createdAt: number;
-  lexical: number;
   semantic: number;
   recency: number;
   finalScore: number;
+  tier?: 1 | 2 | null;
+  staleness?: StalenessLevel;
 }
 
 export interface MemoryRecallCandiateDebug {
@@ -29,7 +26,6 @@ export interface MemoryRecallCandiateDebug {
   type: CandidateType;
   kind: string;
   finalScore: number;
-  lexical: number;
   semantic: number;
   recency: number;
 }
@@ -39,7 +35,7 @@ export type DegradationReason =
   | "qdrant_unavailable"
   | "embedding_generation_failed";
 
-export type FallbackSource = "lexical" | "recency" | "direct_item" | "entity";
+export type FallbackSource = "recency";
 
 export interface DegradationStatus {
   semanticUnavailable: boolean;
@@ -54,22 +50,22 @@ export interface MemoryRecallResult {
   reason?: string;
   provider?: string;
   model?: string;
-  lexicalHits: number;
   semanticHits: number;
   recencyHits: number;
-  entityHits: number;
-  relationSeedEntityCount: number;
-  relationTraversedEdgeCount: number;
-  relationNeighborEntityCount: number;
-  relationExpandedItemCount: number;
-  earlyTerminated: boolean;
   mergedCount: number;
   selectedCount: number;
-  rerankApplied: boolean;
   injectedTokens: number;
   injectedText: string;
   latencyMs: number;
   topCandidates: MemoryRecallCandiateDebug[];
+  /** Count of tier 1 candidates after demotion. */
+  tier1Count?: number;
+  /** Count of tier 2 candidates after demotion. */
+  tier2Count?: number;
+  /** Milliseconds spent in the hybrid search step. */
+  hybridSearchMs?: number;
+  /** Whether sparse vectors were used in the hybrid search. */
+  sparseVectorUsed?: boolean;
 }
 
 /**
@@ -99,67 +95,9 @@ export interface MemoryRecallOptions {
   maxInjectTokensOverride?: number;
 }
 
-export interface CollectedCandidates {
-  lexical: Candidate[];
-  recency: Candidate[];
-  semantic: Candidate[];
-  entity: Candidate[];
-  relationSeedEntityCount: number;
-  relationTraversedEdgeCount: number;
-  relationNeighborEntityCount: number;
-  relationExpandedItemCount: number;
-  earlyTerminated: boolean;
-  /** True when semantic search was attempted but threw an error. */
-  semanticSearchFailed: boolean;
-  /** True when semantic search was known to be unavailable before retrieval (no vector or breaker open). */
-  semanticUnavailable: boolean;
-  /** The error that caused semantic search to fail, if any. */
-  semanticSearchError?: unknown;
-  merged: Candidate[];
-}
-
-export interface EntitySearchResult {
-  candidates: Candidate[];
-  relationSeedEntityCount: number;
-  relationTraversedEdgeCount: number;
-  relationNeighborEntityCount: number;
-  relationExpandedItemCount: number;
-  candidateDepths?: Map<string, number>; // candidate key → BFS hop depth (1-based)
-}
-
-export interface MatchedEntityRow {
-  id: string;
-  name: string;
-  type: string;
-  aliases: string | null;
-  mention_count: number;
-}
-
 export interface ItemMetadata {
   accessCount: number;
   lastUsedAt: number | null;
   verificationState: string;
-}
-
-import type { EntityRelationType, EntityType } from "../entity-extractor.js";
-
-export interface TraversalOptions {
-  maxEdges: number;
-  maxNeighborEntities: number;
-  maxDepth?: number; // default 3
-  relationTypes?: EntityRelationType[];
-  entityTypes?: EntityType[];
-  /** When true, only follow source→target edges (frontier must be on source side). */
-  directed?: boolean;
-}
-
-export interface TraversalResult {
-  neighborEntityIds: string[];
-  traversedEdgeCount: number;
-  neighborDepths: Map<string, number>; // entityId → depth (1-based)
-}
-
-export interface TraversalStep {
-  relationTypes?: EntityRelationType[];
-  entityTypes?: EntityType[];
+  sourceConversationCount?: number;
 }

package/src/memory/task-memory-cleanup.ts

@@ -1,6 +1,5 @@
 import { getLogger } from "../util/logger.js";
 import { rawGet, rawRun } from "./raw-query.js";
-import { bumpMemoryVersion } from "./recall-cache.js";
 
 const log = getLogger("task-memory-cleanup");
 
@@ -85,7 +84,6 @@ export function invalidateAssistantInferredItemsForConversation(
   );
 
   if (affected > 0) {
-    bumpMemoryVersion();
     log.info(
       { conversationId, affected },
       "Invalidated assistant-inferred memory items after task failure",
@@ -96,9 +94,9 @@ export function invalidateAssistantInferredItemsForConversation(
 }
 
 /**
- * Cancel pending `extract_items` and `extract_entities` jobs whose messageId
- * belongs to the given conversation. This drains the queue so the worker never
- * processes them, complementing the runtime check in the extraction handler.
+ * Cancel pending `extract_items` jobs whose messageId belongs to the given
+ * conversation. This drains the queue so the worker never processes them,
+ * complementing the runtime check in the extraction handler.
  */
 function cancelPendingExtractionJobsForConversation(
   conversationId: string,
@@ -109,7 +107,7 @@ function cancelPendingExtractionJobsForConversation(
         SET status = 'failed',
             last_error = 'conversation_failed',
             updated_at = ?
-      WHERE type IN ('extract_items', 'extract_entities')
+      WHERE type IN ('extract_items')
         AND status IN ('pending', 'running')
         AND json_extract(payload, '$.messageId') IN (
           SELECT id FROM messages WHERE conversation_id = ?

package/src/messaging/provider.ts

@@ -87,7 +87,7 @@ export interface MessagingProvider {
    * for providers that don't use OAuth (e.g. Telegram bot tokens stored
    * under a non-standard key).
    */
-  isConnected?(): boolean;
+  isConnected?(): Promise<boolean>;
 
   /** Platform-specific capabilities for tool routing (e.g. 'reactions', 'threads', 'labels'). */
   capabilities: Set<string>;

package/src/messaging/providers/gmail/adapter.ts

@@ -86,7 +86,7 @@ function mapGmailMessage(msg: GmailMessage): Message {
 export const gmailMessagingProvider: MessagingProvider = {
   id: "gmail",
   displayName: "Gmail",
-  credentialService: "integration:gmail",
+  credentialService: "integration:google",
   capabilities: new Set([
     "threads",
     "labels",

package/src/messaging/providers/gmail/mime-builder.ts

@@ -21,6 +21,10 @@ export interface MimeMessageOptions {
   attachments: MimeAttachment[];
 }
 
+function sanitizeHeaderValue(value: string): string {
+  return value.replace(/[\r\n]+/g, " ").trim();
+}
+
 function toBase64Url(input: Buffer): string {
   return input
     .toString("base64")
@@ -37,17 +41,23 @@ export function buildMultipartMime(options: MimeMessageOptions): string {
   const { to, subject, body, inReplyTo, cc, bcc, attachments } = options;
   const boundary = `----=_Part_${randomBytes(16).toString("hex")}`;
 
+  const sanitizedTo = sanitizeHeaderValue(to);
+  const sanitizedSubject = sanitizeHeaderValue(subject);
+  const sanitizedCc = cc ? sanitizeHeaderValue(cc) : undefined;
+  const sanitizedBcc = bcc ? sanitizeHeaderValue(bcc) : undefined;
+  const sanitizedInReplyTo = inReplyTo ? sanitizeHeaderValue(inReplyTo) : undefined;
+
   const headers = [
-    `To: ${to}`,
-    `Subject: ${subject}`,
+    `To: ${sanitizedTo}`,
+    `Subject: ${sanitizedSubject}`,
     "MIME-Version: 1.0",
     `Content-Type: multipart/mixed; boundary="${boundary}"`,
   ];
-  if (cc) headers.push(`Cc: ${cc}`);
-  if (bcc) headers.push(`Bcc: ${bcc}`);
-  if (inReplyTo) {
-    headers.push(`In-Reply-To: ${inReplyTo}`);
-    headers.push(`References: ${inReplyTo}`);
+  if (sanitizedCc) headers.push(`Cc: ${sanitizedCc}`);
+  if (sanitizedBcc) headers.push(`Bcc: ${sanitizedBcc}`);
+  if (sanitizedInReplyTo) {
+    headers.push(`In-Reply-To: ${sanitizedInReplyTo}`);
+    headers.push(`References: ${sanitizedInReplyTo}`);
   }
 
   const parts: string[] = [];

package/src/messaging/providers/telegram-bot/adapter.ts

@@ -18,7 +18,7 @@ import type { OAuthConnection } from "../../../oauth/connection.js";
 import { getConnectionByProvider } from "../../../oauth/oauth-store.js";
 import { mintDaemonDeliveryToken } from "../../../runtime/auth/token-service.js";
 import { credentialKey } from "../../../security/credential-key.js";
-import { getSecureKey } from "../../../security/secure-keys.js";
+import { getSecureKeyAsync } from "../../../security/secure-keys.js";
 import type { MessagingProvider } from "../../provider.js";
 import type {
   ConnectionInfo,
@@ -44,8 +44,8 @@ function getBearerToken(): string {
 }
 
 /** Read the Telegram bot token from the credential vault. */
-function getBotToken(): string | undefined {
-  return getSecureKey(credentialKey("telegram", "bot_token"));
+async function getBotToken(): Promise<string | undefined> {
+  return getSecureKeyAsync(credentialKey("telegram", "bot_token"));
 }
 
 export const telegramBotMessagingProvider: MessagingProvider = {
@@ -55,22 +55,31 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   capabilities: new Set(["send"]),
 
   /**
-   * Custom connectivity check using the oauth_connection record as the
-   * single source of truth, consistent with integration-status.ts.
+   * Custom connectivity check using both the oauth_connection record AND
+   * actual keychain credentials. The connection row alone can become stale
+   * if clearTelegramConfig() returns early on a secure-key deletion error
+   * without removing the row. Checking both ensures we don't report
+   * Telegram as connected when secrets are missing.
    *
    * Both bot_token and webhook_secret are required — the gateway's
    * /deliver/telegram endpoint rejects requests without the webhook
    * secret, so partial credentials would cause every send to fail.
    */
-  isConnected(): boolean {
+  async isConnected(): Promise<boolean> {
     const conn = getConnectionByProvider("telegram");
-    return !!(conn && conn.status === "active");
+    if (!(conn && conn.status === "active")) return false;
+    const botToken = await getBotToken();
+    if (botToken === undefined) return false;
+    const webhookSecret = await getSecureKeyAsync(
+      credentialKey("telegram", "webhook_secret"),
+    );
+    return !!webhookSecret;
   },
 
   async testConnection(
     _connectionOrToken: OAuthConnection | string,
   ): Promise<ConnectionInfo> {
-    const botToken = getBotToken();
+    const botToken = await getBotToken();
     if (!botToken) {
       return {
         connected: false,

package/src/messaging/providers/whatsapp/adapter.ts

@@ -16,7 +16,7 @@ import * as externalConversationStore from "../../../memory/external-conversatio
 import type { OAuthConnection } from "../../../oauth/connection.js";
 import { mintDaemonDeliveryToken } from "../../../runtime/auth/token-service.js";
 import { credentialKey } from "../../../security/credential-key.js";
-import { getSecureKey } from "../../../security/secure-keys.js";
+import { getSecureKeyAsync } from "../../../security/secure-keys.js";
 import type { MessagingProvider } from "../../provider.js";
 import type {
   ConnectionInfo,
@@ -42,11 +42,15 @@ function getBearerToken(): string {
 }
 
 /** Check whether WhatsApp credentials are stored. */
-function hasWhatsAppCredentials(): boolean {
-  return (
-    !!getSecureKey(credentialKey("whatsapp", "phone_number_id")) &&
-    !!getSecureKey(credentialKey("whatsapp", "access_token"))
+async function hasWhatsAppCredentials(): Promise<boolean> {
+  const phoneNumberId = await getSecureKeyAsync(
+    credentialKey("whatsapp", "phone_number_id"),
   );
+  if (!phoneNumberId) return false;
+  const accessToken = await getSecureKeyAsync(
+    credentialKey("whatsapp", "access_token"),
+  );
+  return !!accessToken;
 }
 
 export const whatsappMessagingProvider: MessagingProvider = {
@@ -58,14 +62,14 @@ export const whatsappMessagingProvider: MessagingProvider = {
   /**
    * WhatsApp is connected when Meta Cloud API credentials are stored.
    */
-  isConnected(): boolean {
+  async isConnected(): Promise<boolean> {
     return hasWhatsAppCredentials();
   },
 
   async testConnection(
     _connectionOrToken: OAuthConnection | string,
   ): Promise<ConnectionInfo> {
-    if (!hasWhatsAppCredentials()) {
+    if (!(await hasWhatsAppCredentials())) {
       return {
         connected: false,
         user: "unknown",
@@ -77,9 +81,9 @@ export const whatsappMessagingProvider: MessagingProvider = {
       };
     }
 
-    const phoneNumberId = getSecureKey(
+    const phoneNumberId = (await getSecureKeyAsync(
       credentialKey("whatsapp", "phone_number_id"),
-    )!;
+    ))!;
 
     return {
       connected: true,

package/src/messaging/registry.ts

@@ -23,11 +23,15 @@ export function getMessagingProvider(id: string): MessagingProvider {
 }
 
 /** Return all registered providers that have stored credentials. */
-export function getConnectedProviders(): MessagingProvider[] {
-  return Array.from(providers.values()).filter((p) => {
-    if (p.isConnected) return p.isConnected();
-    return isProviderConnected(p.credentialService);
-  });
+export async function getConnectedProviders(): Promise<MessagingProvider[]> {
+  const results: MessagingProvider[] = [];
+  for (const p of providers.values()) {
+    const connected = p.isConnected
+      ? await p.isConnected()
+      : await isProviderConnected(p.credentialService);
+    if (connected) results.push(p);
+  }
+  return results;
 }
 
 /** Return all registered provider IDs. */

package/src/oauth/byo-connection.test.ts

@@ -81,7 +81,12 @@ const mockConnections = new Map<
 >();
 const mockApps = new Map<
   string,
-  { id: string; providerKey: string; clientId: string }
+  {
+    id: string;
+    providerKey: string;
+    clientId: string;
+    clientSecretCredentialPath: string;
+  }
 >();
 const mockProviders = new Map<
   string,
@@ -95,6 +100,12 @@ const mockProviders = new Map<
 
 mock.module("./oauth-store.js", () => ({
   getConnectionByProvider: (service: string) => mockConnections.get(service),
+  getConnection: (id: string) => {
+    for (const conn of mockConnections.values()) {
+      if (conn.id === id) return conn;
+    }
+    return undefined;
+  },
   getApp: (id: string) => mockApps.get(id),
   getProvider: (key: string) => mockProviders.get(key),
   updateConnection: () => {},
@@ -184,7 +195,7 @@ function setupCredential(
     tokenUrl: "https://oauth2.googleapis.com/token",
     // Only well-known providers (gmail) have a baseUrl; custom services don't
     baseUrl:
-      service === "integration:gmail"
+      service === "integration:google"
         ? "https://gmail.googleapis.com/gmail/v1/users/me"
         : undefined,
   });
@@ -192,6 +203,7 @@ function setupCredential(
     id: appId,
     providerKey: service,
     clientId: "test-client-id",
+    clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
   });
   mockConnections.set(service, {
     id: connId,
@@ -212,7 +224,7 @@ function setupCredential(
   upsertCredentialMetadata(service, "access_token", {});
 }
 
-function createConnection(service = "integration:gmail"): BYOOAuthConnection {
+function createConnection(service = "integration:google"): BYOOAuthConnection {
   return new BYOOAuthConnection({
     id: "test-cred-id",
     providerKey: service,
@@ -230,7 +242,7 @@ function createConnection(service = "integration:gmail"): BYOOAuthConnection {
 describe("BYOOAuthConnection", () => {
   describe("request()", () => {
     test("makes authenticated request with Bearer token", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       const result = await conn.request({
@@ -254,7 +266,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("appends query parameters", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       await conn.request({
@@ -270,7 +282,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("uses per-request baseUrl override", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       await conn.request({
@@ -284,7 +296,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("sends JSON body for POST requests", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       await conn.request({
@@ -304,7 +316,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("retries once on 401 response", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       // First call returns 401, second returns 200
@@ -332,7 +344,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("handles empty response body", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       globalThis.fetch = mock(() =>
@@ -349,7 +361,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("handles non-JSON response body", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       globalThis.fetch = mock(() =>
@@ -366,7 +378,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("returns response headers", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       globalThis.fetch = mock(() =>
@@ -390,7 +402,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("includes custom request headers", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       await conn.request({
@@ -409,7 +421,7 @@ describe("BYOOAuthConnection", () => {
   describe("proactive token refresh", () => {
     test("refreshes token when near expiry (within 5-minute buffer)", async () => {
       // Set token to expire in 2 minutes (within 5-min buffer)
-      setupCredential("integration:gmail", {
+      setupCredential("integration:google", {
         expiresAt: Date.now() + 2 * 60 * 1000,
       });
       const conn = createConnection();
@@ -433,7 +445,7 @@ describe("BYOOAuthConnection", () => {
 
   describe("withToken()", () => {
     test("provides valid token to callback", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       const result = await conn.withToken(async (token) => {
@@ -444,7 +456,7 @@ describe("BYOOAuthConnection", () => {
     });
 
     test("retries callback on 401 error", async () => {
-      setupCredential("integration:gmail");
+      setupCredential("integration:google");
       const conn = createConnection();
 
       let callCount = 0;
@@ -476,29 +488,31 @@ describe("BYOOAuthConnection", () => {
 });
 
 describe("resolveOAuthConnection", () => {
-  test("returns a BYOOAuthConnection for valid credential", () => {
-    setupCredential("integration:gmail");
-    const conn = resolveOAuthConnection("integration:gmail");
+  test("returns a BYOOAuthConnection for valid credential", async () => {
+    setupCredential("integration:google");
+    const conn = await resolveOAuthConnection("integration:google");
 
     expect(conn).toBeInstanceOf(BYOOAuthConnection);
-    expect(conn.providerKey).toBe("integration:gmail");
+    expect(conn.providerKey).toBe("integration:google");
     expect(conn.grantedScopes).toEqual(["read", "write"]);
   });
 
-  test("throws when no credential metadata exists", () => {
-    expect(() => resolveOAuthConnection("integration:unknown")).toThrow(
+  test("throws when no credential metadata exists", async () => {
+    await expect(resolveOAuthConnection("integration:unknown")).rejects.toThrow(
       /No credential found for "integration:unknown"/,
     );
   });
 
-  test("throws when no base URL configured", () => {
+  test("throws when no base URL configured", async () => {
     setupCredential("integration:custom-service");
-    expect(() => resolveOAuthConnection("integration:custom-service")).toThrow(
+    await expect(
+      resolveOAuthConnection("integration:custom-service"),
+    ).rejects.toThrow(
       /No base URL configured for "integration:custom-service"/,
     );
   });
 
-  test("resolves base URL via app's canonical providerKey for custom credential_service", () => {
+  test("resolves base URL via app's canonical providerKey for custom credential_service", async () => {
     // Set up a well-known provider with a baseUrl
     mockProviders.set("github", {
       key: "github",
@@ -514,6 +528,7 @@ describe("resolveOAuthConnection", () => {
       id: appId,
       providerKey: "github",
       clientId: "test-client-id",
+      clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
     });
 
     // Connection uses the custom credential service as its providerKey
@@ -528,7 +543,7 @@ describe("resolveOAuthConnection", () => {
     });
     setSecureKey(`oauth_connection/${connId}/access_token`, "ghp-test-token");
 
-    const conn = resolveOAuthConnection("integration:github-work");
+    const conn = await resolveOAuthConnection("integration:github-work");
 
     expect(conn).toBeInstanceOf(BYOOAuthConnection);
     expect(conn.providerKey).toBe("integration:github-work");

package/src/oauth/connect-orchestrator.ts

@@ -48,7 +48,6 @@ function resolveBehavior(providerKey: string): {
   setup?: OAuthProviderBehavior["setup"];
   setupSkillId?: string;
   postConnectHookId?: string;
-  injectionTemplates?: OAuthProviderBehavior["injectionTemplates"];
 } {
   const behavior = getProviderBehavior(providerKey);
   if (!behavior) return {};
@@ -57,7 +56,6 @@ function resolveBehavior(providerKey: string): {
     setup: behavior.setup,
     setupSkillId: behavior.setupSkillId,
     postConnectHookId: behavior.postConnectHookId,
-    injectionTemplates: behavior.injectionTemplates,
   };
 }
 
@@ -90,8 +88,6 @@ export interface OAuthConnectOptions {
   openUrl?: (url: string) => void;
   /** Send a message to the client (e.g. open_url). */
   sendToClient?: (msg: { type: string; [key: string]: unknown }) => void;
-  /** Tools allowed to use the resulting credential. */
-  allowedTools?: string[];
 
   /**
    * Called when the deferred (non-interactive) flow completes — either
@@ -164,7 +160,7 @@ export async function orchestrateOAuthConnect(
     | undefined;
   const callbackTransport =
     (providerRow.callbackTransport as "loopback" | "gateway" | null) ??
-    "gateway";
+    "loopback";
   const loopbackPort = providerRow.loopbackPort;
 
   // Resolve scopes via the scope policy engine
@@ -216,11 +212,7 @@ export async function orchestrateOAuthConnect(
     service: resolvedService,
     clientId: options.clientId,
     clientSecret: options.clientSecret,
-    tokenUrl,
-    tokenEndpointAuthMethod,
     userinfoUrl,
-    allowedTools: options.allowedTools,
-    wellKnownInjectionTemplates: behavior.injectionTemplates,
   };
 
   // -----------------------------------------------------------------------
@@ -249,7 +241,9 @@ export async function orchestrateOAuthConnect(
         oauthConfig,
         callbackTransport === "loopback"
           ? { callbackTransport, loopbackPort: loopbackPort ?? undefined }
-          : undefined,
+          : callbackTransport === "gateway"
+            ? { callbackTransport }
+            : undefined,
       );
 
       // Fire-and-forget: store tokens when the callback arrives