@vellumai/assistant 0.4.49 → 0.4.51

package/src/runtime/invite-redemption-service.ts

@@ -8,7 +8,7 @@
  */
 
 import type { ChannelId } from "../channels/types.js";
-import { findContactChannel } from "../contacts/contact-store.js";
+import { findContactChannel, getContact } from "../contacts/contact-store.js";
 import { upsertContactChannel } from "../contacts/contacts-write.js";
 import { getSqlite } from "../memory/db.js";
 import {
@@ -135,7 +135,17 @@ export function redeemInvite(params: {
   const existingChannel = contactResult?.channel ?? null;
   const existingContact = contactResult?.contact ?? null;
 
-  if (existingChannel && existingChannel.status === "active") {
+  // If the invite targets a specific contact and the sender's existing channel
+  // belongs to a different contact, ignore the existing match — the invite
+  // should bind the sender's identity to the target contact, not the existing one.
+  const targetMismatch =
+    existingContact && existingContact.id !== invite.contactId;
+
+  if (
+    existingChannel &&
+    existingChannel.status === "active" &&
+    !targetMismatch
+  ) {
     return { ok: true, type: "already_member", memberId: existingChannel.id };
   }
 
@@ -150,7 +160,7 @@ export function redeemInvite(params: {
   // in a non-active state (revoked/pending), reactivate it via upsertContactChannel
   // and consume an invite use atomically. The fresh-member path below also
   // uses upsertContactChannel to keep contacts in sync.
-  if (existingChannel) {
+  if (existingChannel && !targetMismatch) {
     // Sentinel error used to trigger a transaction rollback when the invite
     // was concurrently revoked/expired between pre-validation and write time.
     const STALE_INVITE = Symbol("stale_invite");
@@ -189,6 +199,7 @@ export function redeemInvite(params: {
             inviteId: invite.id,
             verifiedAt: Date.now(),
             verifiedVia: "invite",
+            contactId: invite.contactId,
           });
 
           const recorded = recordInviteUse({
@@ -220,6 +231,16 @@ export function redeemInvite(params: {
 
   // Fresh member creation: upsert into contacts tables and consume an invite
   // use atomically, mirroring the reactivation path above.
+  // When the invite targets a specific contact (targetMismatch path), preserve
+  // the target contact's guardian-assigned display name if it has one.
+  let freshDisplayName = displayName;
+  if (invite.contactId) {
+    const targetContact = getContact(invite.contactId);
+    if (targetContact?.displayName?.trim().length) {
+      freshDisplayName = targetContact.displayName;
+    }
+  }
+
   const STALE_INVITE_FRESH = Symbol("stale_invite_fresh");
   let freshResult: ReturnType<typeof upsertContactChannel> | undefined;
   try {
@@ -229,13 +250,14 @@ export function redeemInvite(params: {
           sourceChannel,
           externalUserId,
           externalChatId,
-          displayName,
+          displayName: freshDisplayName,
           username,
           status: "active",
           policy: "allow",
           inviteId: invite.id,
           verifiedAt: Date.now(),
           verifiedVia: "invite",
+          contactId: invite.contactId,
         });
 
         const recorded = recordInviteUse({
@@ -338,8 +360,18 @@ export function redeemVoiceInviteCode(params: {
     externalUserId: canonicalCallerId,
   });
   const existingVoiceChannel = voiceContactResult?.channel ?? null;
+  const voiceContact = voiceContactResult?.contact ?? null;
+
+  // If the invite targets a specific contact and the sender's existing channel
+  // belongs to a different contact, ignore the existing match — the invite
+  // should bind the sender's identity to the target contact, not the existing one.
+  const targetMismatch = voiceContact && voiceContact.id !== invite.contactId;
 
-  if (existingVoiceChannel && existingVoiceChannel.status === "active") {
+  if (
+    existingVoiceChannel &&
+    existingVoiceChannel.status === "active" &&
+    !targetMismatch
+  ) {
     return {
       ok: true,
       type: "already_member",
@@ -356,12 +388,17 @@ export function redeemVoiceInviteCode(params: {
   const STALE_INVITE = Symbol("stale_invite");
   let memberId: string | undefined;
 
-  // Reactivation should not overwrite a guardian-managed nickname (same
-  // protection as the token-based redemption path above).
-  const voiceContact = voiceContactResult?.contact ?? null;
-  const preservedDisplayName = voiceContact?.displayName?.trim().length
+  // When the invite targets a specific contact (targetMismatch path), preserve
+  // the target contact's guardian-assigned display name if it has one.
+  let preservedDisplayName = voiceContact?.displayName?.trim().length
     ? voiceContact.displayName
     : (invite.friendName ?? undefined);
+  if (targetMismatch && invite.contactId) {
+    const targetContact = getContact(invite.contactId);
+    if (targetContact?.displayName?.trim().length) {
+      preservedDisplayName = targetContact.displayName;
+    }
+  }
 
   try {
     getSqlite()
@@ -376,6 +413,7 @@ export function redeemVoiceInviteCode(params: {
           inviteId: invite.id,
           verifiedAt: Date.now(),
           verifiedVia: "invite",
+          contactId: invite.contactId,
         });
         memberId = writeResult!.channel.id;
 
@@ -476,7 +514,17 @@ export function redeemInviteByCode(params: {
   const existingChannel = contactResult?.channel ?? null;
   const existingContact = contactResult?.contact ?? null;
 
-  if (existingChannel && existingChannel.status === "active") {
+  // If the invite targets a specific contact and the sender's existing channel
+  // belongs to a different contact, ignore the existing match — the invite
+  // should bind the sender's identity to the target contact, not the existing one.
+  const targetMismatch =
+    existingContact && existingContact.id !== invite.contactId;
+
+  if (
+    existingChannel &&
+    existingChannel.status === "active" &&
+    !targetMismatch
+  ) {
     return { ok: true, type: "already_member", memberId: existingChannel.id };
   }
 
@@ -489,7 +537,7 @@ export function redeemInviteByCode(params: {
 
   // Inactive member reactivation: reactivate via upsertContactChannel and consume
   // an invite use atomically.
-  if (existingChannel) {
+  if (existingChannel && !targetMismatch) {
     const STALE_INVITE_REACTIVATE = Symbol("stale_invite_reactivate");
     const canonicalMemberId = existingChannel.externalUserId
       ? canonicalizeInboundIdentity(
@@ -525,6 +573,7 @@ export function redeemInviteByCode(params: {
             inviteId: invite.id,
             verifiedAt: Date.now(),
             verifiedVia: "invite",
+            contactId: invite.contactId,
           });
 
           const recorded = recordInviteUse({
@@ -553,6 +602,16 @@ export function redeemInviteByCode(params: {
 
   // Fresh member creation: upsert into contacts tables and consume an invite
   // use atomically.
+  // When the invite targets a specific contact (targetMismatch path), preserve
+  // the target contact's guardian-assigned display name if it has one.
+  let freshDisplayName = displayName;
+  if (invite.contactId) {
+    const targetContact = getContact(invite.contactId);
+    if (targetContact?.displayName?.trim().length) {
+      freshDisplayName = targetContact.displayName;
+    }
+  }
+
   const STALE_INVITE_FRESH = Symbol("stale_invite_fresh");
   let freshResult: ReturnType<typeof upsertContactChannel> | undefined;
   try {
@@ -562,13 +621,14 @@ export function redeemInviteByCode(params: {
           sourceChannel,
           externalUserId,
           externalChatId,
-          displayName,
+          displayName: freshDisplayName,
           username,
           status: "active",
           policy: "allow",
           inviteId: invite.id,
           verifiedAt: Date.now(),
           verifiedVia: "invite",
+          contactId: invite.contactId,
         });
 
         const recorded = recordInviteUse({

package/src/runtime/invite-service.ts

@@ -8,14 +8,17 @@
  * /v1/contacts/channels endpoints.
  */
 
+import { startInviteCall } from "../calls/call-domain.js";
 import { isChannelId } from "../channels/types.js";
 import {
   createInvite,
+  findById,
   findByTokenHash,
   hashToken,
   type IngressInvite,
   type InviteStatus,
   listInvites,
+  markInviteExpired,
   revokeInvite,
 } from "../memory/invite-store.js";
 import {
@@ -156,11 +159,16 @@ export async function createIngressInvite(params: {
   voiceCodeDigits?: number;
   friendName?: string;
   guardianName?: string;
+  contactId: string;
 }): Promise<IngressResult<InviteResponseData>> {
   if (!params.sourceChannel) {
     return { ok: false, error: "sourceChannel is required for create" };
   }
 
+  if (!params.contactId) {
+    return { ok: false, error: "contactId is required for create" };
+  }
+
   // For voice invites: generate a one-time numeric code, hash it, and pass
   // the hash to the store. The plaintext code is included in the response
   // exactly once and never stored.
@@ -210,6 +218,7 @@ export async function createIngressInvite(params: {
 
   const { invite, rawToken } = createInvite({
     sourceChannel: params.sourceChannel,
+    contactId: params.contactId,
     note: params.note,
     maxUses: params.maxUses,
     expiresInMs: params.expiresInMs,
@@ -250,6 +259,10 @@ export async function createIngressInvite(params: {
     });
   }
 
+  if (isVoice && params.friendName) {
+    guardianInstruction = `${params.friendName} will need this code when they answer. Share it with them first.`;
+  }
+
   // Voice invites must not expose the token — callers must redeem via the
   // identity-bound voice code flow, not the generic token redemption path.
   return {
@@ -291,6 +304,36 @@ export function revokeIngressInvite(
   return { ok: true, data: inviteToResponse(revoked) };
 }
 
+export async function triggerInviteCall(
+  inviteId: string,
+): Promise<IngressResult<{ callSid: string }>> {
+  if (!inviteId) return { ok: false, error: "inviteId is required" };
+  const invite = findById(inviteId);
+  if (!invite) return { ok: false, error: "Invite not found" };
+  if (invite.status !== "active")
+    return { ok: false, error: "Invite is not active" };
+  if (invite.expiresAt && invite.expiresAt <= Date.now()) {
+    markInviteExpired(invite.id);
+    return { ok: false, error: "Invite has expired" };
+  }
+  if (invite.sourceChannel !== "phone")
+    return { ok: false, error: "Only phone invites support call triggering" };
+  if (
+    !invite.expectedExternalUserId ||
+    !invite.friendName ||
+    !invite.guardianName
+  ) {
+    return { ok: false, error: "Invite is missing required voice metadata" };
+  }
+  const result = await startInviteCall({
+    phoneNumber: invite.expectedExternalUserId,
+    friendName: invite.friendName,
+    guardianName: invite.guardianName,
+  });
+  if (!result.ok) return { ok: false, error: result.error };
+  return { ok: true, data: { callSid: result.callSid } };
+}
+
 export function redeemIngressInvite(params: {
   token?: string;
   externalUserId?: string;

package/src/runtime/middleware/twilio-validation.ts

@@ -57,7 +57,7 @@ export async function validateTwilioWebhook(
 ): Promise<{ body: string } | Response> {
   const rawBody = await req.text();
 
-  const authToken = TwilioConversationRelayProvider.getAuthToken();
+  const authToken = await TwilioConversationRelayProvider.getAuthToken();
 
   if (!authToken) {
     log.error(

package/src/runtime/pending-interactions.ts

@@ -6,8 +6,8 @@
  * host_bash_request, host_file_request, or host_cu_request, the onEvent
  * callback registers the interaction here. Standalone HTTP endpoints
  * (/v1/confirm, /v1/secret, /v1/trust-rules, /v1/host-bash-result,
- * /v1/host-file-result, /v1/host-cu-result) look up the session from
- * this tracker to resolve the interaction.
+ * /v1/host-file-result, /v1/host-cu-result) look up the session from this
+ * tracker to resolve the interaction.
  */
 
 import type { Session } from "../daemon/session.js";

package/src/runtime/routes/brain-graph-routes.ts

@@ -2,7 +2,7 @@
  * Route handlers for the brain graph visualization endpoint.
  *
  * Queries the memory database to return a knowledge graph shaped for brain-lobe
- * visualization, with entities mapped to brain regions based on their type.
+ * visualization, with memory items mapped to brain regions based on their kind.
  */
 
 import { readFileSync } from "node:fs";
@@ -11,65 +11,23 @@ import { join } from "node:path";
 import { count } from "drizzle-orm";
 
 import { getDb } from "../../memory/db.js";
-import {
-  memoryEntities,
-  memoryEntityRelations,
-  memoryItems,
-} from "../../memory/schema.js";
+import { memoryItems } from "../../memory/schema.js";
 import { resolveBundledDir } from "../../util/bundled-asset.js";
 import type { RouteDefinition } from "../http-router.js";
 
-function getLobeRegion(entityType: string): string {
-  switch (entityType) {
-    case "person":
-    case "organization":
-      return "right-social";
-    case "project":
-    case "company":
-      return "left-planning";
-    case "tool":
-      return "left-technical";
-    case "concept":
-      return "right-creative";
-    case "location":
-      return "right-spatial";
-    default:
-      return "center";
-  }
-}
-
-function getEntityColor(entityType: string): string {
-  switch (entityType) {
-    case "person":
-      return "#22c55e";
-    case "project":
-      return "#f97316";
-    case "tool":
-      return "#06b6d4";
-    case "company":
-      return "#a855f7";
-    case "organization":
-      return "#a855f7";
-    case "concept":
-      return "#eab308";
-    case "location":
-      return "#14b8a6";
-    default:
-      return "#94a3b8";
-  }
-}
-
 function getMemoryKindColor(kind: string): string {
   switch (kind) {
-    case "profile":
+    case "identity":
       return "#8b5cf6";
     case "preference":
       return "#3b82f6";
+    case "project":
+      return "#10b981";
+    case "decision":
+      return "#f59e0b";
     case "constraint":
       return "#ef4444";
-    case "instruction":
-      return "#f59e0b";
-    case "style":
+    case "event":
       return "#ec4899";
     default:
       return "#94a3b8";
@@ -80,27 +38,6 @@ export function handleGetBrainGraph(): Response {
   try {
     const db = getDb();
 
-    const entityRows = db
-      .select({
-        id: memoryEntities.id,
-        name: memoryEntities.name,
-        type: memoryEntities.type,
-        mentionCount: memoryEntities.mentionCount,
-        firstSeenAt: memoryEntities.firstSeenAt,
-        lastSeenAt: memoryEntities.lastSeenAt,
-      })
-      .from(memoryEntities)
-      .all();
-
-    const relationRows = db
-      .select({
-        sourceEntityId: memoryEntityRelations.sourceEntityId,
-        targetEntityId: memoryEntityRelations.targetEntityId,
-        relation: memoryEntityRelations.relation,
-      })
-      .from(memoryEntityRelations)
-      .all();
-
     const kindCountRows = db
       .select({
         kind: memoryItems.kind,
@@ -110,23 +47,6 @@ export function handleGetBrainGraph(): Response {
       .groupBy(memoryItems.kind)
       .all();
 
-    const entities = entityRows.map((entity) => ({
-      id: entity.id,
-      name: entity.name,
-      type: entity.type,
-      lobeRegion: getLobeRegion(entity.type),
-      color: getEntityColor(entity.type),
-      mentionCount: entity.mentionCount,
-      firstSeenAt: entity.firstSeenAt,
-      lastSeenAt: entity.lastSeenAt,
-    }));
-
-    const relations = relationRows.map((rel) => ({
-      sourceId: rel.sourceEntityId,
-      targetId: rel.targetEntityId,
-      relation: rel.relation,
-    }));
-
     const memorySummary = kindCountRows.map((row) => ({
       kind: row.kind,
       count: row.count,
@@ -139,8 +59,8 @@ export function handleGetBrainGraph(): Response {
     );
 
     return Response.json({
-      entities,
-      relations,
+      entities: [],
+      relations: [],
       memorySummary,
       totalKnowledgeCount,
       generatedAt: new Date().toISOString(),

package/src/runtime/routes/btw-routes.ts

@@ -9,7 +9,7 @@
  */
 
 import { buildToolDefinitions } from "../../daemon/session-tool-setup.js";
-import { getOrCreateConversation } from "../../memory/conversation-key-store.js";
+import { getConversationByKey } from "../../memory/conversation-key-store.js";
 import {
   createTimeout,
   userMessage,
@@ -53,10 +53,15 @@ async function handleBtw(
     );
   }
 
-  const mapping = getOrCreateConversation(conversationKey);
-  const session = await deps.sendMessageDeps.getOrCreateSession(
-    mapping.conversationId,
-  );
+  // Look up an existing conversation — never create one.  BTW is ephemeral
+  // (the file header promises "No messages are persisted"), so we must not
+  // call getOrCreateConversation which would insert a DB row.  When no
+  // conversation exists (e.g. greeting generation for a draft thread), we
+  // still get a usable session via getOrCreateSession with the raw key; the
+  // session lives only in memory and disappears on restart.
+  const mapping = getConversationByKey(conversationKey);
+  const sessionId = mapping?.conversationId ?? conversationKey;
+  const session = await deps.sendMessageDeps.getOrCreateSession(sessionId);
 
   const messages = [...session.getMessages(), userMessage(content.trim())];
   const tools = buildToolDefinitions();

package/src/runtime/routes/conversation-routes.ts

@@ -315,16 +315,53 @@ export function handleListMessages(
   let prevAssistantTimestamp = 0;
   const messages: RuntimeMessagePayload[] = parsed.map((m) => {
     let msgAttachments: RuntimeAttachmentMetadata[] = [];
-    if (m.role === "assistant" && m.id) {
-      const linked = attachmentsStore.getAttachmentMetadataForMessage(m.id);
-      if (linked.length > 0) {
-        msgAttachments = linked.map((a) => ({
-          id: a.id,
-          filename: a.originalFilename,
-          mimeType: a.mimeType,
-          sizeBytes: a.sizeBytes,
-          kind: a.kind,
-        }));
+    if (m.id) {
+      if (m.role === "user") {
+        // Use metadata-only query first to avoid loading large base64
+        // blobs for non-image attachments (documents, audio). Then
+        // selectively fetch full data only for images so the client can
+        // generate thumbnails for inline display on history restore.
+        const linked = attachmentsStore.getAttachmentMetadataForMessage(m.id);
+        if (linked.length > 0) {
+          msgAttachments = linked.map((a) => {
+            if (a.mimeType.startsWith("image/")) {
+              const full = attachmentsStore.getAttachmentById(a.id);
+              return {
+                id: a.id,
+                filename: a.originalFilename,
+                mimeType: a.mimeType,
+                sizeBytes: a.sizeBytes,
+                kind: a.kind,
+                ...(full?.dataBase64 ? { data: full.dataBase64 } : {}),
+                ...(a.thumbnailBase64
+                  ? { thumbnailData: a.thumbnailBase64 }
+                  : {}),
+              };
+            }
+            return {
+              id: a.id,
+              filename: a.originalFilename,
+              mimeType: a.mimeType,
+              sizeBytes: a.sizeBytes,
+              kind: a.kind,
+              ...(a.thumbnailBase64
+                ? { thumbnailData: a.thumbnailBase64 }
+                : {}),
+            };
+          });
+        }
+      } else {
+        const linked = attachmentsStore.getAttachmentMetadataForMessage(m.id);
+        if (linked.length > 0) {
+          msgAttachments = linked.map((a) => ({
+            id: a.id,
+            filename: a.originalFilename,
+            mimeType: a.mimeType,
+            sizeBytes: a.sizeBytes,
+            kind: a.kind,
+            ...(a.thumbnailBase64 ? { thumbnailData: a.thumbnailBase64 } : {}),
+          }));
+        }
       }
     }
 
@@ -648,9 +685,17 @@ export async function handleSendMessage(
       session.setHostFileProxy(fileProxy);
     }
     if (!session.isProcessing() || !session.hostCuProxy) {
-      const cuProxy = new HostCuProxy(onEvent);
+      const cuProxy = new HostCuProxy(onEvent, (requestId) => {
+        pendingInteractions.resolve(requestId);
+      });
       session.setHostCuProxy(cuProxy);
     }
+    // Only preactivate CU when the session is idle — if the session is
+    // processing, this message will be queued and preactivation is deferred
+    // to dequeue time in drainQueueImpl to avoid mutating in-flight turn state.
+    if (!session.isProcessing()) {
+      session.addPreactivatedSkillId("computer-use");
+    }
   } else if (!session.isProcessing()) {
     session.setHostBashProxy(undefined);
     session.setHostFileProxy(undefined);

package/src/runtime/routes/inbound-stages/acl-enforcement.ts

@@ -334,7 +334,7 @@ export async function enforceIngressAcl(
                   dmCallbackUrl,
                   {
                     chatId: senderUserId,
-                    text: "I've notified the owner. They'll share a verification code with you if they approve access. You can reply with the code here.",
+                    text: "I've notified the owner that you'd like to chat with me. If they approve your request, they'll share a 6-digit verification code with you. You can reply with the code here.",
                     assistantId,
                   },
                   mintBearerToken(),
@@ -423,11 +423,12 @@ export async function enforceIngressAcl(
 
     if (resolvedMember) {
       if (resolvedMember.channel.status !== "active") {
+        const isBlockedMember = resolvedMember.channel.status === "blocked";
         // Same bypass logic as the no-member branch: verification codes and
-        // bootstrap commands must pass through even when the member record is
-        // revoked/blocked — otherwise the user can never re-verify.
+        // bootstrap commands must pass through for re-verifiable states
+        // (pending/revoked), but never for blocked members.
         let denyInactiveMember = true;
-        if (isGuardianVerifyCode) {
+        if (!isBlockedMember && isGuardianVerifyCode) {
           const hasPendingChallenge = !!getPendingSession(sourceChannel);
           const hasActiveOutboundSession = !!findActiveSession(sourceChannel);
           if (hasPendingChallenge || hasActiveOutboundSession) {
@@ -444,7 +445,7 @@ export async function enforceIngressAcl(
             );
           }
         }
-        if (isBootstrapCommand) {
+        if (!isBlockedMember && isBootstrapCommand) {
           const bootstrapPayload = (
             rawCommandIntentForAcl as Record<string, unknown>
           ).payload as string;
@@ -471,9 +472,11 @@ export async function enforceIngressAcl(
         }
 
         // ── Invite token intercept (inactive member) ──
-        // Same as the non-member branch: invite tokens can reactivate
-        // revoked/pending members without requiring guardian approval.
-        if (inviteToken && denyInactiveMember) {
+        // Invite tokens can reactivate revoked/pending members without
+        // requiring guardian approval, but blocked members are excluded so
+        // they are short-circuited at the ACL layer rather than entering the
+        // redemption path.
+        if (!isBlockedMember && inviteToken && denyInactiveMember) {
           const inviteResult = await handleInviteTokenIntercept({
             rawToken: inviteToken,
             sourceChannel,
@@ -496,9 +499,15 @@ export async function enforceIngressAcl(
         }
 
         // ── 6-digit invite code intercept (inactive member) ──
-        // Same as the non-member branch: codes can reactivate revoked/pending
-        // members. Non-matching codes fall through to normal processing.
-        if (denyInactiveMember && /^\d{6}$/.test(trimmedContent)) {
+        // Codes can reactivate revoked/pending members; non-matching codes
+        // fall through. Blocked members are excluded here for consistency —
+        // the redemption service would reject them anyway, but early exit
+        // avoids unnecessary work.
+        if (
+          !isBlockedMember &&
+          denyInactiveMember &&
+          /^\d{6}$/.test(trimmedContent)
+        ) {
           const codeInterceptResult = await handleInviteCodeIntercept({
             code: trimmedContent,
             sourceChannel,
@@ -579,7 +588,7 @@ export async function enforceIngressAcl(
                     dmCallbackUrl,
                     {
                       chatId: senderUserId,
-                      text: "I've notified the owner. They'll share a verification code with you if they approve access. You can reply with the code here.",
+                      text: "I've notified the owner that you'd like to chat with me. If they approve your request, they'll share a 6-digit verification code with you. You can reply with the code here.",
                       assistantId,
                     },
                     mintBearerToken(),

package/src/runtime/routes/integrations/slack/channel.ts

@@ -20,8 +20,8 @@ import type { RouteDefinition } from "../../../http-router.js";
 /**
  * GET /v1/integrations/slack/channel/config
  */
-export function handleGetSlackChannelConfig(): Response {
-  const result = getSlackChannelConfig();
+export async function handleGetSlackChannelConfig(): Promise<Response> {
+  const result = await getSlackChannelConfig();
   return Response.json(result);
 }
 

package/src/runtime/routes/integrations/telegram.ts

@@ -20,8 +20,8 @@ import type { RouteDefinition } from "../../http-router.js";
 /**
  * GET /v1/integrations/telegram/config
  */
-export function handleGetTelegramConfig(): Response {
-  const result = getTelegramConfig();
+export async function handleGetTelegramConfig(): Promise<Response> {
+  const result = await getTelegramConfig();
   return Response.json(result);
 }