npm - @vellumai/assistant - Versions diffs - 0.4.49 → 0.4.51 - Mend

@vellumai/assistant 0.4.49 → 0.4.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (353) hide show

package/ARCHITECTURE.md +24 -33
package/README.md +3 -3
package/docs/architecture/integrations.md +2 -2
package/docs/architecture/keychain-broker.md +6 -6
package/docs/architecture/memory.md +180 -119
package/knip.json +32 -0
package/package.json +3 -2
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +114 -23
package/src/__tests__/approval-cascade.test.ts +1 -15
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/btw-routes.test.ts +61 -5
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/checker.test.ts +13 -0
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/config-watcher.test.ts +8 -0
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/conversation-routes-guardian-reply.test.ts +8 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-security-invariants.test.ts +8 -7
package/src/__tests__/credential-vault-unit.test.ts +23 -18
package/src/__tests__/credential-vault.test.ts +30 -18
package/src/__tests__/credentials-cli.test.ts +257 -82
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/guardian-routing-invariants.test.ts +93 -0
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +165 -3
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/inbound-invite-redemption.test.ts +36 -7
package/src/__tests__/integration-status.test.ts +31 -30
package/src/__tests__/invite-redemption-service.test.ts +166 -13
package/src/__tests__/invite-routes-http.test.ts +166 -5
package/src/__tests__/keychain-broker-client.test.ts +4 -4
package/src/__tests__/list-messages-attachments.test.ts +193 -0
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/oauth-cli.test.ts +824 -31
package/src/__tests__/oauth-provider-profiles.test.ts +1 -1
package/src/__tests__/oauth-store.test.ts +363 -17
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/registry.test.ts +0 -1
package/src/__tests__/relay-server.test.ts +55 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secret-routes-managed-proxy.test.ts +183 -0
package/src/__tests__/secure-keys.test.ts +78 -18
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/server-history-render.test.ts +2 -2
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skills.test.ts +2 -2
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/slack-channel-config.test.ts +10 -8
package/src/__tests__/trust-store.test.ts +15 -0
package/src/__tests__/twilio-config.test.ts +11 -10
package/src/__tests__/twilio-provider.test.ts +9 -4
package/src/__tests__/voice-invite-redemption.test.ts +85 -5
package/src/agent/ax-tree-compaction.test.ts +51 -0
package/src/agent/loop.ts +39 -12
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +134 -3
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +44 -6
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +5 -4
package/src/calls/twilio-provider.ts +14 -9
package/src/calls/twilio-rest.ts +10 -7
package/src/calls/types.ts +3 -1
package/src/cli/commands/config.ts +14 -9
package/src/cli/commands/contacts.ts +3 -0
package/src/cli/commands/credentials.ts +170 -174
package/src/cli/commands/doctor.ts +11 -8
package/src/cli/commands/keys.ts +9 -9
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +68 -10
package/src/cli/commands/oauth/connections.ts +475 -105
package/src/cli/commands/oauth/index.ts +3 -3
package/src/cli/commands/oauth/providers.ts +18 -4
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +173 -1
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +5 -6
package/src/cli.ts +20 -22
package/src/config/__tests__/feature-flag-registry-bundled.test.ts +39 -0
package/src/config/bundled-skills/computer-use/TOOLS.json +1 -1
package/src/config/bundled-skills/computer-use/tools/computer-use-observe.ts +12 -0
package/src/config/bundled-skills/contacts/SKILL.md +35 -11
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +1 -1
package/src/config/bundled-skills/gmail/SKILL.md +1 -1
package/src/config/bundled-skills/gmail/TOOLS.json +52 -0
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +13 -3
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +5 -1
package/src/config/bundled-skills/google-calendar/TOOLS.json +20 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/shared.ts +8 -2
package/src/config/bundled-skills/messaging/SKILL.md +1 -1
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +2 -2
package/src/config/bundled-skills/messaging/tools/shared.ts +7 -5
package/src/config/bundled-skills/slack/tools/shared.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +1 -1
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/loader.ts +6 -42
package/src/config/schema.ts +1 -12
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/types.ts +0 -4
package/src/contacts/contact-store.ts +39 -2
package/src/contacts/contacts-write.ts +9 -0
package/src/context/window-manager.ts +4 -1
package/src/daemon/config-watcher.ts +55 -2
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/config-ingress.ts +2 -2
package/src/daemon/handlers/config-slack-channel.ts +59 -39
package/src/daemon/handlers/config-telegram.ts +23 -14
package/src/daemon/handlers/session-history.ts +1 -358
package/src/daemon/handlers/sessions.ts +18 -13
package/src/daemon/handlers/shared.ts +3 -17
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +55 -26
package/src/daemon/lifecycle.ts +39 -4
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-types/computer-use.ts +1 -12
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +1 -0
package/src/daemon/message-types/sessions.ts +4 -42
package/src/daemon/server.ts +6 -1
package/src/daemon/session-agent-loop-handlers.ts +38 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-slash.ts +3 -5
package/src/daemon/session-surfaces.ts +4 -1
package/src/daemon/session-tool-setup.ts +7 -1
package/src/daemon/session.ts +12 -2
package/src/email/providers/index.ts +2 -2
package/src/instrument.ts +61 -1
package/src/media/avatar-router.ts +1 -1
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-queries.ts +25 -83
package/src/memory/db-init.ts +32 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/invite-store.ts +19 -0
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +2 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/157-invite-contact-id.ts +104 -0
package/src/memory/migrations/index.ts +8 -0
package/src/memory/migrations/registry.ts +6 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +2 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/provider.ts +1 -1
package/src/messaging/providers/gmail/adapter.ts +1 -1
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/messaging/providers/telegram-bot/adapter.ts +17 -8
package/src/messaging/providers/whatsapp/adapter.ts +13 -9
package/src/messaging/registry.ts +9 -5
package/src/oauth/byo-connection.test.ts +40 -25
package/src/oauth/connect-orchestrator.ts +4 -10
package/src/oauth/connection-resolver.ts +20 -6
package/src/oauth/manual-token-connection.ts +5 -5
package/src/oauth/oauth-store.ts +183 -31
package/src/oauth/platform-connection.test.ts +1 -1
package/src/oauth/provider-behaviors.ts +503 -4
package/src/oauth/seed-providers.ts +214 -8
package/src/oauth/token-persistence.ts +31 -16
package/src/permissions/defaults.ts +1 -0
package/src/permissions/trust-store.ts +23 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/system-prompt.ts +18 -2
package/src/providers/anthropic/client.ts +56 -126
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -3
package/src/runtime/channel-readiness-service.ts +48 -40
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +2 -2
package/src/runtime/http-types.ts +2 -0
package/src/runtime/invite-redemption-service.ts +72 -12
package/src/runtime/invite-service.ts +43 -0
package/src/runtime/middleware/twilio-validation.ts +1 -1
package/src/runtime/pending-interactions.ts +2 -2
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/btw-routes.ts +10 -5
package/src/runtime/routes/conversation-routes.ts +56 -11
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/integrations/slack/channel.ts +2 -2
package/src/runtime/routes/integrations/telegram.ts +2 -2
package/src/runtime/routes/integrations/twilio.ts +17 -17
package/src/runtime/routes/invite-routes.ts +29 -4
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/secret-routes.ts +17 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +3 -3
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/workspace-routes.ts +9 -4
package/src/runtime/routes/workspace-utils.ts +8 -2
package/src/schedule/integration-status.ts +26 -19
package/src/security/keychain-broker-client.ts +17 -4
package/src/security/oauth2.ts +6 -7
package/src/security/secure-keys.ts +44 -19
package/src/security/token-manager.ts +46 -39
package/src/services/vercel-deploy.ts +0 -24
package/src/signals/confirm.ts +78 -0
package/src/signals/mcp-reload.ts +18 -0
package/src/skills/catalog-install.ts +74 -18
package/src/skills/skillssh-registry.ts +503 -0
package/src/tools/assets/search.ts +5 -1
package/src/tools/computer-use/definitions.ts +0 -10
package/src/tools/computer-use/registry.ts +1 -1
package/src/tools/credentials/vault.ts +22 -7
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/network/script-proxy/session-manager.ts +8 -8
package/src/tools/schedule/create.ts +10 -3
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +25 -2
package/src/watcher/provider-types.ts +1 -1
package/src/watcher/providers/github.ts +1 -1
package/src/watcher/providers/gmail.ts +3 -3
package/src/watcher/providers/google-calendar.ts +3 -3
package/src/watcher/providers/linear.ts +1 -1
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/runtime/routes/mcp-routes.ts +0 -20

package/src/runtime/routes/memory-item-routes.ts ADDED Viewed

@@ -0,0 +1,503 @@
+/**
+ * Route handlers for memory item CRUD endpoints.
+ *
+ * GET    /v1/memory-items        — list memory items (with filtering, search, sort, pagination)
+ * GET    /v1/memory-items/:id    — get a single memory item
+ * POST   /v1/memory-items        — create a new memory item
+ * PATCH  /v1/memory-items/:id    — update an existing memory item
+ * DELETE /v1/memory-items/:id    — delete a memory item and its embeddings
+ */
+import { and, asc, count, desc, eq, like, ne, or } from "drizzle-orm";
+import { v4 as uuid } from "uuid";
+import { getDb } from "../../memory/db.js";
+import { computeMemoryFingerprint } from "../../memory/fingerprint.js";
+import { enqueueMemoryJob } from "../../memory/jobs-store.js";
+import { memoryEmbeddings, memoryItems } from "../../memory/schema.js";
+import { truncate } from "../../util/truncate.js";
+import { httpError } from "../http-errors.js";
+import type { RouteContext, RouteDefinition } from "../http-router.js";
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const VALID_KINDS = [
+  "identity",
+  "preference",
+  "project",
+  "decision",
+  "constraint",
+  "event",
+] as const;
+type MemoryItemKind = (typeof VALID_KINDS)[number];
+const VALID_SORT_FIELDS = [
+  "lastSeenAt",
+  "importance",
+  "kind",
+  "firstSeenAt",
+] as const;
+type SortField = (typeof VALID_SORT_FIELDS)[number];
+const SORT_COLUMN_MAP = {
+  lastSeenAt: memoryItems.lastSeenAt,
+  importance: memoryItems.importance,
+  kind: memoryItems.kind,
+  firstSeenAt: memoryItems.firstSeenAt,
+} as const;
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function isValidKind(value: string): value is MemoryItemKind {
+  return (VALID_KINDS as readonly string[]).includes(value);
+}
+function isValidSortField(value: string): value is SortField {
+  return (VALID_SORT_FIELDS as readonly string[]).includes(value);
+}
+// ---------------------------------------------------------------------------
+// GET /v1/memory-items
+// ---------------------------------------------------------------------------
+export function handleListMemoryItems(url: URL): Response {
+  const kindParam = url.searchParams.get("kind");
+  const statusParam = url.searchParams.get("status") ?? "active";
+  const searchParam = url.searchParams.get("search");
+  const sortParam = url.searchParams.get("sort") ?? "lastSeenAt";
+  const orderParam = url.searchParams.get("order") ?? "desc";
+  const limitParam = Number(url.searchParams.get("limit") ?? 100);
+  const offsetParam = Number(url.searchParams.get("offset") ?? 0);
+  if (kindParam && !isValidKind(kindParam)) {
+    return httpError(
+      "BAD_REQUEST",
+      `Invalid kind "${kindParam}". Must be one of: ${VALID_KINDS.join(", ")}`,
+      400,
+    );
+  }
+  if (!isValidSortField(sortParam)) {
+    return httpError(
+      "BAD_REQUEST",
+      `Invalid sort "${sortParam}". Must be one of: ${VALID_SORT_FIELDS.join(", ")}`,
+      400,
+    );
+  }
+  if (orderParam !== "asc" && orderParam !== "desc") {
+    return httpError(
+      "BAD_REQUEST",
+      `Invalid order "${orderParam}". Must be "asc" or "desc"`,
+      400,
+    );
+  }
+  const db = getDb();
+  // Build WHERE conditions
+  const conditions = [];
+  if (statusParam && statusParam !== "all") {
+    conditions.push(eq(memoryItems.status, statusParam));
+  }
+  if (kindParam) {
+    conditions.push(eq(memoryItems.kind, kindParam));
+  }
+  if (searchParam) {
+    conditions.push(
+      or(
+        like(memoryItems.subject, `%${searchParam}%`),
+        like(memoryItems.statement, `%${searchParam}%`),
+      )!,
+    );
+  }
+  const whereClause = conditions.length > 0 ? and(...conditions) : undefined;
+  // Count query
+  const countResult = db
+    .select({ count: count() })
+    .from(memoryItems)
+    .where(whereClause)
+    .get();
+  const total = countResult?.count ?? 0;
+  // Data query
+  const sortColumn = SORT_COLUMN_MAP[sortParam];
+  const orderFn = orderParam === "asc" ? asc : desc;
+  const items = db
+    .select()
+    .from(memoryItems)
+    .where(whereClause)
+    .orderBy(orderFn(sortColumn))
+    .limit(limitParam)
+    .offset(offsetParam)
+    .all();
+  return Response.json({ items, total });
+}
+// ---------------------------------------------------------------------------
+// GET /v1/memory-items/:id
+// ---------------------------------------------------------------------------
+export function handleGetMemoryItem(ctx: RouteContext): Response {
+  const { id } = ctx.params;
+  const db = getDb();
+  const item = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  if (!item) {
+    return httpError("NOT_FOUND", "Memory item not found", 404);
+  }
+  let supersedesSubject: string | undefined;
+  let supersededBySubject: string | undefined;
+  if (item.supersedes) {
+    const superseded = db
+      .select({ subject: memoryItems.subject })
+      .from(memoryItems)
+      .where(eq(memoryItems.id, item.supersedes))
+      .get();
+    supersedesSubject = superseded?.subject;
+  }
+  if (item.supersededBy) {
+    const superseding = db
+      .select({ subject: memoryItems.subject })
+      .from(memoryItems)
+      .where(eq(memoryItems.id, item.supersededBy))
+      .get();
+    supersededBySubject = superseding?.subject;
+  }
+  return Response.json({
+    item: {
+      ...item,
+      ...(supersedesSubject !== undefined ? { supersedesSubject } : {}),
+      ...(supersededBySubject !== undefined ? { supersededBySubject } : {}),
+    },
+  });
+}
+// ---------------------------------------------------------------------------
+// POST /v1/memory-items
+// ---------------------------------------------------------------------------
+export async function handleCreateMemoryItem(
+  ctx: RouteContext,
+): Promise<Response> {
+  const body = (await ctx.req.json()) as {
+    kind?: string;
+    subject?: string;
+    statement?: string;
+    importance?: number;
+  };
+  const { kind, subject, statement, importance } = body;
+  // Validate kind
+  if (typeof kind !== "string" || !isValidKind(kind)) {
+    return httpError(
+      "BAD_REQUEST",
+      `kind is required and must be one of: ${VALID_KINDS.join(", ")}`,
+      400,
+    );
+  }
+  // Validate subject
+  if (typeof subject !== "string" || subject.trim().length === 0) {
+    return httpError(
+      "BAD_REQUEST",
+      "subject is required and must be a non-empty string",
+      400,
+    );
+  }
+  // Validate statement
+  if (typeof statement !== "string" || statement.trim().length === 0) {
+    return httpError(
+      "BAD_REQUEST",
+      "statement is required and must be a non-empty string",
+      400,
+    );
+  }
+  const trimmedSubject = truncate(subject.trim(), 80, "");
+  const trimmedStatement = truncate(statement.trim(), 500, "");
+  const scopeId = "default";
+  const fingerprint = computeMemoryFingerprint(
+    scopeId,
+    kind,
+    trimmedSubject,
+    trimmedStatement,
+  );
+  const db = getDb();
+  // Check for existing item with same fingerprint + scopeId
+  const existing = db
+    .select()
+    .from(memoryItems)
+    .where(
+      and(
+        eq(memoryItems.fingerprint, fingerprint),
+        eq(memoryItems.scopeId, scopeId),
+      ),
+    )
+    .get();
+  if (existing) {
+    return httpError(
+      "CONFLICT",
+      "A memory with this content already exists",
+      409,
+    );
+  }
+  const id = uuid();
+  const now = Date.now();
+  db.insert(memoryItems)
+    .values({
+      id,
+      kind,
+      subject: trimmedSubject,
+      statement: trimmedStatement,
+      status: "active",
+      confidence: 0.95,
+      importance: importance ?? 0.8,
+      fingerprint,
+      verificationState: "user_confirmed",
+      scopeId,
+      firstSeenAt: now,
+      lastSeenAt: now,
+      lastUsedAt: null,
+      overrideConfidence: "explicit",
+    })
+    .run();
+  enqueueMemoryJob("embed_item", { itemId: id });
+  // Fetch the inserted row to return it
+  const insertedRow = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  return Response.json({ item: insertedRow }, { status: 201 });
+}
+// ---------------------------------------------------------------------------
+// PATCH /v1/memory-items/:id
+// ---------------------------------------------------------------------------
+export async function handleUpdateMemoryItem(
+  ctx: RouteContext,
+): Promise<Response> {
+  const { id } = ctx.params;
+  const body = (await ctx.req.json()) as {
+    subject?: string;
+    statement?: string;
+    kind?: string;
+    status?: string;
+    importance?: number;
+    verificationState?: string;
+  };
+  const db = getDb();
+  const existing = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  if (!existing) {
+    return httpError("NOT_FOUND", "Memory item not found", 404);
+  }
+  // Build the update set with only provided fields
+  const set: Record<string, unknown> = {
+    lastSeenAt: Date.now(),
+  };
+  if (body.subject !== undefined) {
+    if (typeof body.subject !== "string") {
+      return httpError("BAD_REQUEST", "subject must be a string", 400);
+    }
+    set.subject = truncate(body.subject.trim(), 80, "");
+  }
+  if (body.statement !== undefined) {
+    if (typeof body.statement !== "string") {
+      return httpError("BAD_REQUEST", "statement must be a string", 400);
+    }
+    set.statement = truncate(body.statement.trim(), 500, "");
+  }
+  if (body.kind !== undefined) {
+    if (!isValidKind(body.kind)) {
+      return httpError(
+        "BAD_REQUEST",
+        `Invalid kind "${body.kind}". Must be one of: ${VALID_KINDS.join(", ")}`,
+        400,
+      );
+    }
+    set.kind = body.kind;
+  }
+  if (body.status !== undefined) {
+    set.status = body.status;
+  }
+  if (body.importance !== undefined) {
+    set.importance = body.importance;
+  }
+  if (body.verificationState !== undefined) {
+    set.verificationState = body.verificationState;
+  }
+  // If subject, statement, or kind changed, recompute fingerprint
+  const contentChanged =
+    body.subject !== undefined ||
+    body.statement !== undefined ||
+    body.kind !== undefined;
+  if (contentChanged) {
+    const newSubject = (set.subject as string | undefined) ?? existing.subject;
+    const newStatement =
+      (set.statement as string | undefined) ?? existing.statement;
+    const newKind = (set.kind as string | undefined) ?? existing.kind;
+    const scopeId = existing.scopeId;
+    const fingerprint = computeMemoryFingerprint(
+      scopeId,
+      newKind,
+      newSubject,
+      newStatement,
+    );
+    // Check for collision (exclude self)
+    const collision = db
+      .select({ id: memoryItems.id })
+      .from(memoryItems)
+      .where(
+        and(
+          eq(memoryItems.fingerprint, fingerprint),
+          eq(memoryItems.scopeId, scopeId),
+          ne(memoryItems.id, id),
+        ),
+      )
+      .get();
+    if (collision) {
+      return httpError(
+        "CONFLICT",
+        "Another memory item with this content already exists",
+        409,
+      );
+    }
+    set.fingerprint = fingerprint;
+  }
+  db.update(memoryItems).set(set).where(eq(memoryItems.id, id)).run();
+  // If statement changed, enqueue embed job
+  if (body.statement !== undefined) {
+    enqueueMemoryJob("embed_item", { itemId: id });
+  }
+  // Fetch and return the updated row
+  const updatedRow = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  return Response.json({ item: updatedRow });
+}
+// ---------------------------------------------------------------------------
+// DELETE /v1/memory-items/:id
+// ---------------------------------------------------------------------------
+export async function handleDeleteMemoryItem(
+  ctx: RouteContext,
+): Promise<Response> {
+  const { id } = ctx.params;
+  const db = getDb();
+  const existing = db
+    .select()
+    .from(memoryItems)
+    .where(eq(memoryItems.id, id))
+    .get();
+  if (!existing) {
+    return httpError("NOT_FOUND", "Memory item not found", 404);
+  }
+  // Delete embeddings for this item
+  db.delete(memoryEmbeddings)
+    .where(
+      and(
+        eq(memoryEmbeddings.targetType, "item"),
+        eq(memoryEmbeddings.targetId, id),
+      ),
+    )
+    .run();
+  // Delete the item (cascades memoryItemSources)
+  db.delete(memoryItems).where(eq(memoryItems.id, id)).run();
+  return new Response(null, { status: 204 });
+}
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+export function memoryItemRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "memory-items",
+      method: "GET",
+      handler: (ctx) => handleListMemoryItems(ctx.url),
+    },
+    {
+      endpoint: "memory-items/:id",
+      method: "GET",
+      policyKey: "memory-items",
+      handler: (ctx) => handleGetMemoryItem(ctx),
+    },
+    {
+      endpoint: "memory-items",
+      method: "POST",
+      handler: (ctx) => handleCreateMemoryItem(ctx),
+    },
+    {
+      endpoint: "memory-items/:id",
+      method: "PATCH",
+      policyKey: "memory-items",
+      handler: (ctx) => handleUpdateMemoryItem(ctx),
+    },
+    {
+      endpoint: "memory-items/:id",
+      method: "DELETE",
+      policyKey: "memory-items",
+      handler: (ctx) => handleDeleteMemoryItem(ctx),
+    },
+  ];
+}

package/src/runtime/routes/secret-routes.ts CHANGED Viewed

@@ -20,6 +20,17 @@ import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 const log = getLogger("runtime-http");
+const MANAGED_PROXY_CREDENTIAL = {
+  service: "vellum",
+  field: "assistant_api_key",
+};
+function isManagedProxyCredential(service: string, field: string): boolean {
+  return (
+    service === MANAGED_PROXY_CREDENTIAL.service &&
+    field === MANAGED_PROXY_CREDENTIAL.field
+  );
+}
 export async function handleAddSecret(req: Request): Promise<Response> {
   const body = (await req.json()) as {
@@ -89,6 +100,9 @@ export async function handleAddSecret(req: Request): Promise<Response> {
         );
       }
       upsertCredentialMetadata(service, field, {});
+      if (isManagedProxyCredential(service, field)) {
+        initializeProviders(getConfig());
+      }
       log.info({ service, field }, "Credential added via HTTP");
       return Response.json({ success: true, type, name }, { status: 201 });
     }
@@ -181,6 +195,9 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
         );
       }
       deleteCredentialMetadata(service, field);
+      if (isManagedProxyCredential(service, field)) {
+        initializeProviders(getConfig());
+      }
       log.info({ service, field }, "Credential deleted via HTTP");
       return Response.json({ success: true, type, name });
     }

package/src/runtime/routes/session-management-routes.ts CHANGED Viewed

@@ -29,7 +29,7 @@ export interface SessionManagementDeps {
   renameSession: (sessionId: string, name: string) => boolean;
   clearAllSessions: () => number;
   cancelGeneration: (sessionId: string) => boolean;
-  undoLastMessage: (sessionId: string) => { removedCount: number } | null;
+  undoLastMessage: (sessionId: string) => Promise<{ removedCount: number } | null>;
   regenerateResponse: (
     sessionId: string,
   ) => Promise<{ requestId: string } | null>;
@@ -115,8 +115,8 @@ export function sessionManagementRouteDefinitions(
       endpoint: "conversations/:id/undo",
       method: "POST",
       policyKey: "conversations/undo",
-      handler: ({ params }) => {
-        const result = deps.undoLastMessage(params.id);
+      handler: async ({ params }) => {
+        const result = await deps.undoLastMessage(params.id);
         if (!result) {
           return httpError(
             "NOT_FOUND",

package/src/runtime/routes/settings-routes.ts CHANGED Viewed

@@ -29,7 +29,7 @@ import {
   generateAllowlistOptions,
   generateScopeOptions,
 } from "../../permissions/checker.js";
-import { getSecureKey } from "../../security/secure-keys.js";
+import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import { parseToolManifestFile } from "../../skills/tool-manifest.js";
 import {
   type ManifestOverride,
@@ -160,7 +160,7 @@ async function handleOAuthConnectStart(body: {
     const app = getApp(conn.oauthAppId);
     if (app) {
       clientId = app.clientId;
-      clientSecret = getSecureKey(`oauth_app/${app.id}/client_secret`);
+      clientSecret = await getSecureKeyAsync(app.clientSecretCredentialPath);
     }
   }
@@ -170,7 +170,7 @@ async function handleOAuthConnectStart(body: {
     if (dbApp) {
       clientId = dbApp.clientId;
       if (!clientSecret) {
-        clientSecret = getSecureKey(`oauth_app/${dbApp.id}/client_secret`);
+        clientSecret = await getSecureKeyAsync(dbApp.clientSecretCredentialPath);
       }
     }
   }

package/src/runtime/routes/trust-rules-routes.ts CHANGED Viewed

@@ -48,6 +48,13 @@ export async function handleAddTrustRuleManage(
   if (!toolName || typeof toolName !== "string") {
     return httpError("BAD_REQUEST", "toolName is required", 400);
   }
+  if (toolName.startsWith("__internal:")) {
+    return httpError(
+      "BAD_REQUEST",
+      "toolName must not start with __internal:",
+      400,
+    );
+  }
   if (!pattern || typeof pattern !== "string") {
     return httpError("BAD_REQUEST", "pattern is required", 400);
   }
@@ -124,6 +131,13 @@ export async function handleUpdateTrustRuleManage(
     priority?: number;
   };
+  if (typeof body.tool === "string" && body.tool.startsWith("__internal:")) {
+    return httpError(
+      "BAD_REQUEST",
+      "tool must not start with __internal:",
+      400,
+    );
+  }
   if (body.decision !== undefined) {
     const validDecisions = ["allow", "deny", "ask"] as const;
     if (

package/src/runtime/routes/workspace-routes.ts CHANGED Viewed

@@ -33,7 +33,10 @@ interface TreeEntry {
 function handleWorkspaceTree(ctx: RouteContext): Response {
   const requestedPath = ctx.url.searchParams.get("path") ?? "";
-  const resolved = resolveWorkspacePath(requestedPath);
+  const showHidden = ctx.url.searchParams.get("showHidden") === "true";
+  const resolved = resolveWorkspacePath(requestedPath, {
+    allowHidden: showHidden,
+  });
   if (resolved === undefined) {
     return httpError("BAD_REQUEST", "Invalid path", 400);
   }
@@ -45,7 +48,7 @@ function handleWorkspaceTree(ctx: RouteContext): Response {
     const entries: TreeEntry[] = [];
     for (const entry of dirents) {
       // Filter out dotfiles/directories (.env, .git, .private, etc.)
-      if (entry.name.startsWith(".")) continue;
+      if (!showHidden && entry.name.startsWith(".")) continue;
       const fullPath = join(resolved, entry.name);
@@ -95,7 +98,8 @@ function handleWorkspaceFile(ctx: RouteContext): Response {
     return httpError("BAD_REQUEST", "path query parameter is required", 400);
   }
-  const resolved = resolveWorkspacePath(path);
+  const showHidden = ctx.url.searchParams.get("showHidden") === "true";
+  const resolved = resolveWorkspacePath(path, { allowHidden: showHidden });
   if (resolved === undefined) {
     return httpError("BAD_REQUEST", "Invalid path", 400);
   }
@@ -145,7 +149,8 @@ function handleWorkspaceFileContent(ctx: RouteContext): Response {
     );
   }
-  const resolved = resolveWorkspacePath(path);
+  const showHidden = ctx.url.searchParams.get("showHidden") === "true";
+  const resolved = resolveWorkspacePath(path, { allowHidden: showHidden });
   if (resolved === undefined) {
     return httpError("BAD_REQUEST", "Invalid path", 400);
   }

package/src/runtime/routes/workspace-utils.ts CHANGED Viewed

@@ -7,10 +7,16 @@ import { getWorkspaceDir } from "../../util/platform.js";
  * Resolves a user-provided relative path to an absolute path within the workspace.
  * Returns the resolved absolute path, or undefined if the path escapes the workspace root.
  */
-export function resolveWorkspacePath(relativePath: string): string | undefined {
+export function resolveWorkspacePath(
+  relativePath: string,
+  options?: { allowHidden?: boolean },
+): string | undefined {
   // Reject paths containing hidden (dot-prefixed) segments like .env, .git, .hidden/foo
   const segments = relativePath.split(/[/\\]/);
-  if (segments.some((s) => s.startsWith(".") && s !== "." && s !== "..")) {
+  if (
+    !options?.allowHidden &&
+    segments.some((s) => s.startsWith(".") && s !== "." && s !== "..")
+  ) {
     return undefined;
   }