@vellumai/assistant 0.4.52 → 0.4.53

package/src/runtime/routes/conversation-routes.ts

@@ -11,6 +11,7 @@ import {
 import {
   CHANNEL_IDS,
   INTERFACE_IDS,
+  isInteractiveInterface,
   parseChannelId,
   parseInterfaceId,
 } from "../../channels/types.js";
@@ -656,14 +657,7 @@ export async function handleSendMessage(
   }
 
   const onEvent = makeHubPublisher(smDeps, mapping.conversationId, session);
-  // Desktop, CLI, and web interfaces have an SSE client that can display
-  // permission prompts. Channel interfaces (telegram, slack, etc.) route
-  // approvals through the guardian system and have no interactive prompter UI.
-  const isInteractiveInterface =
-    sourceInterface === "macos" ||
-    sourceInterface === "ios" ||
-    sourceInterface === "cli" ||
-    sourceInterface === "vellum";
+  const isInteractive = isInteractiveInterface(sourceInterface);
   // Only create the host bash proxy for desktop client interfaces that can
   // execute commands on the user's machine. Non-desktop sessions (CLI,
   // channels, headless) fall back to local execution.
@@ -709,7 +703,7 @@ export async function handleSendMessage(
     session.isProcessing() &&
     sourceInterface !== "macos" &&
     sourceInterface !== "ios";
-  session.updateClient(onEvent, !isInteractiveInterface, {
+  session.updateClient(onEvent, !isInteractive, {
     skipProxySenderUpdate: preservingProxies,
   });
 
@@ -781,7 +775,7 @@ export async function handleSendMessage(
         userMessageInterface: sourceInterface,
         assistantMessageInterface: sourceInterface,
       },
-      { isInteractive: isInteractiveInterface },
+      { isInteractive },
     );
     if (enqueueResult.rejected) {
       return Response.json(
@@ -821,6 +815,31 @@ export async function handleSendMessage(
     );
   }
 
+  // Auto-deny pending confirmations for idle sessions. The legacy
+  // handleUserMessage called autoDenyPendingConfirmations unconditionally
+  // before dispatching, so an idle session with lingering confirmations
+  // (e.g. the user never responded to a tool-approval prompt) must deny
+  // them before starting the new turn.
+  if (session.hasAnyPendingConfirmation()) {
+    for (const interaction of pendingInteractions.getByConversation(
+      mapping.conversationId,
+    )) {
+      if (
+        interaction.session === session &&
+        interaction.kind === "confirmation"
+      ) {
+        session.emitConfirmationStateChanged({
+          sessionId: mapping.conversationId,
+          requestId: interaction.requestId,
+          state: "denied" as const,
+          source: "auto_deny" as const,
+        });
+      }
+    }
+    session.denyAllPendingConfirmations();
+    pendingInteractions.removeBySession(session);
+  }
+
   // Session is idle — persist and fire agent loop immediately
   session.setTurnChannelContext({
     userMessageChannel: sourceChannel,
@@ -845,7 +864,7 @@ export async function handleSendMessage(
     provider: config.provider,
     estimatedCost: session.usageStats.estimatedCost,
   };
-  const slashResult = resolveSlash(rawContent, slashContext);
+  const slashResult = await resolveSlash(rawContent, slashContext);
 
   if (slashResult.kind === "unknown") {
     session.processing = true;
@@ -890,7 +909,7 @@ export async function handleSendMessage(
       // a config change from a concurrent request.
       const modelInfoEvent =
         isModelSlashCommand(rawContent) || isProviderShortcut(rawContent)
-          ? buildModelInfoEvent()
+          ? await buildModelInfoEvent()
           : null;
 
       const response = Response.json(
@@ -960,7 +979,7 @@ export async function handleSendMessage(
   // Fire-and-forget the agent loop; events flow to the hub via onEvent.
   session
     .runAgentLoop(resolvedContent, messageId, onEvent, {
-      isInteractive: isInteractiveInterface,
+      isInteractive,
       isUserMessage: true,
     })
     .catch((err) => {

package/src/runtime/routes/inbound-message-handler.ts

@@ -250,7 +250,7 @@ export async function handleChannelInbound(
       canonicalAssistantId,
       assistantId,
       content,
-      contactId: resolvedMember?.contact.id,
+      channelId: resolvedMember?.channel.id,
     });
   }
 
@@ -306,7 +306,7 @@ export async function handleChannelInbound(
   // retries). This was previously in ACL enforcement which runs before dedup,
   // causing retries to inflate interaction counts.
   if (!result.duplicate && resolvedMember) {
-    touchContactInteraction(resolvedMember.contact.id);
+    touchContactInteraction(resolvedMember.channel.id);
   }
 
   // external_conversation_bindings is assistant-agnostic. Restrict writes to
@@ -390,6 +390,13 @@ export async function handleChannelInbound(
       ? (rawCommandIntent as Record<string, unknown>)
       : undefined;
 
+  // Extract chat type (e.g. "private", "group", "supergroup") for group chat gating
+  const sourceChatType =
+    typeof sourceMetadata?.chatType === "string" &&
+    sourceMetadata.chatType.trim().length > 0
+      ? sourceMetadata.chatType.trim()
+      : undefined;
+
   // Preserve locale from sourceMetadata so the model can greet in the user's language
   const sourceLanguageCode =
     typeof sourceMetadata?.languageCode === "string" &&
@@ -620,6 +627,7 @@ export async function handleChannelInbound(
       assistantId: canonicalAssistantId,
       approvalCopyGenerator,
       externalMessageId: sourceMessageId ?? externalMessageId,
+      chatType: sourceChatType,
     });
   }
 

package/src/runtime/routes/inbound-stages/background-dispatch.ts

@@ -77,6 +77,8 @@ export interface BackgroundProcessingParams {
   sourceLanguageCode?: string;
   /** External message ID (e.g. Slack message ts) used for reaction indicators. */
   externalMessageId?: string;
+  /** Chat type from the gateway (e.g. "private", "group", "supergroup"). */
+  chatType?: string;
 }
 
 /**
@@ -105,6 +107,7 @@ export function processChannelMessageInBackground(
     commandIntent,
     sourceLanguageCode,
     externalMessageId,
+    chatType,
   } = params;
 
   (async () => {
@@ -193,6 +196,7 @@ export function processChannelMessageInBackground(
             channelId: sourceChannel,
             hints: metadataHints.length > 0 ? metadataHints : undefined,
             uxBrief: metadataUxBrief,
+            chatType,
           },
           assistantId,
           trustContext: trustCtx,

package/src/runtime/routes/inbound-stages/edit-intercept.ts

@@ -30,8 +30,8 @@ export interface EditInterceptParams {
   canonicalAssistantId: string;
   assistantId: string;
   content: string | undefined;
-  /** Contact ID for interaction tracking; omitted when the sender has no resolved member. */
-  contactId?: string;
+  /** Channel ID for channel-level interaction tracking. */
+  channelId?: string;
 }
 
 /**
@@ -52,7 +52,7 @@ export async function handleEditIntercept(
     canonicalAssistantId,
     assistantId,
     content,
-    contactId,
+    channelId,
   } = params;
 
   // Dedup the edit event itself (retried edited_message webhooks)
@@ -73,8 +73,8 @@ export async function handleEditIntercept(
 
   // Track contact interaction only for genuinely new edit events (not webhook
   // retries), matching the pattern used for the normal message path.
-  if (contactId) {
-    touchContactInteraction(contactId);
+  if (channelId) {
+    touchContactInteraction(channelId);
   }
 
   // Retry lookup a few times -- the original message may still be processing

package/src/runtime/routes/integrations/slack/share.ts

@@ -13,7 +13,7 @@ import {
 } from "../../../../messaging/providers/slack/client.js";
 import type { SlackConversation } from "../../../../messaging/providers/slack/types.js";
 import { getConnectionByProvider } from "../../../../oauth/oauth-store.js";
-import { getSecureKey } from "../../../../security/secure-keys.js";
+import { getSecureKeyAsync } from "../../../../security/secure-keys.js";
 import { getLogger } from "../../../../util/logger.js";
 import { httpError } from "../../../http-errors.js";
 import type { RouteDefinition } from "../../../http-router.js";
@@ -27,10 +27,10 @@ const log = getLogger("slack-share");
 /**
  * Resolve the Slack bot token from the OAuth connection store.
  */
-function resolveSlackToken(): string | undefined {
+async function resolveSlackToken(): Promise<string | undefined> {
   const conn = getConnectionByProvider("integration:slack");
   return conn
-    ? getSecureKey(`oauth_connection/${conn.id}/access_token`)
+    ? await getSecureKeyAsync(`oauth_connection/${conn.id}/access_token`)
     : undefined;
 }
 
@@ -61,7 +61,7 @@ const TYPE_SORT_ORDER: Record<string, number> = {
 };
 
 export async function handleListSlackChannels(): Promise<Response> {
-  const token = resolveSlackToken();
+  const token = await resolveSlackToken();
   if (!token) {
     return httpError("SERVICE_UNAVAILABLE", "No Slack token configured", 503);
   }
@@ -137,7 +137,7 @@ export async function handleListSlackChannels(): Promise<Response> {
 export async function handleShareToSlackChannel(
   req: Request,
 ): Promise<Response> {
-  const token = resolveSlackToken();
+  const token = await resolveSlackToken();
   if (!token) {
     return httpError("SERVICE_UNAVAILABLE", "No Slack token configured", 503);
   }

package/src/runtime/routes/log-export-routes.ts

@@ -6,8 +6,15 @@
  * of requiring direct filesystem access.
  */
 
-import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
-import { join } from "node:path";
+import { spawnSync } from "node:child_process";
+import {
+  existsSync,
+  lstatSync,
+  readdirSync,
+  readFileSync,
+  statSync,
+} from "node:fs";
+import { join, relative } from "node:path";
 
 import { desc } from "drizzle-orm";
 
@@ -18,6 +25,7 @@ import {
   getDataDir,
   getRootDir,
   getWorkspaceConfigPath,
+  getWorkspaceDir,
 } from "../../util/platform.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
@@ -36,6 +44,7 @@ interface ExportResponse {
   auditRows: Array<Record<string, unknown>>;
   logFiles: Record<string, string>;
   configSnapshot?: Record<string, unknown>;
+  workspaceFiles: Record<string, string>;
 }
 
 /**
@@ -91,12 +100,16 @@ async function handleExport(body: ExportRequestBody): Promise<Response> {
     // --- Sanitized config snapshot ---
     const configSnapshot = readSanitizedConfig();
 
+    // --- Workspace files ---
+    const workspaceFiles = collectWorkspaceFiles();
+
     log.info(
       {
         auditCount: auditRows.length,
         logFileCount: Object.keys(logFiles).length,
         totalBytes,
         hasConfig: configSnapshot !== undefined,
+        workspaceFileCount: Object.keys(workspaceFiles).length,
       },
       "Export completed",
     );
@@ -106,6 +119,7 @@ async function handleExport(body: ExportRequestBody): Promise<Response> {
       auditRows,
       logFiles,
       configSnapshot,
+      workspaceFiles,
     };
     return Response.json(payload);
   } catch (err) {
@@ -115,6 +129,112 @@ async function handleExport(body: ExportRequestBody): Promise<Response> {
   }
 }
 
+/** Directory prefixes to skip when collecting workspace files. */
+const WORKSPACE_SKIP_DIRS = new Set(["embedding-models", "data/qdrant"]);
+
+/** Files at the workspace root to skip (already covered by sanitized fields). */
+const WORKSPACE_SKIP_ROOT_FILES = new Set(["config.json"]);
+
+/** Maximum cumulative size for workspace file contents (10 MB). */
+const MAX_WORKSPACE_PAYLOAD_BYTES = 10 * 1024 * 1024;
+
+/**
+ * Recursively collects files from the workspace directory into a
+ * `Record<string, string>` map of relative path to content.
+ *
+ * - Skips `config.json` at the workspace root (already exported as a
+ *   sanitized `configSnapshot`; the raw file contains secrets).
+ * - Skips symlinks to prevent reading files outside the workspace.
+ * - Skips directories in `WORKSPACE_SKIP_DIRS`.
+ * - For `.db` files, shells out to `sqlite3 <path> .dump` and stores the
+ *   SQL text output with a `.sql` suffix appended to the key.
+ * - Skips binary files (detected via null-byte heuristic).
+ * - Stops collecting once `MAX_WORKSPACE_PAYLOAD_BYTES` is reached.
+ */
+function collectWorkspaceFiles(): Record<string, string> {
+  const wsDir = getWorkspaceDir();
+  if (!existsSync(wsDir)) return {};
+
+  const result: Record<string, string> = {};
+  let totalBytes = 0;
+
+  function walk(dir: string): void {
+    let entries: string[];
+    try {
+      entries = readdirSync(dir);
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      const fullPath = join(dir, entry);
+      const relPath = relative(wsDir, fullPath);
+
+      // Check if this path falls under a skipped directory prefix
+      if (
+        [...WORKSPACE_SKIP_DIRS].some(
+          (prefix) => relPath === prefix || relPath.startsWith(prefix + "/"),
+        )
+      ) {
+        continue;
+      }
+
+      // Skip root-level files that are already exported separately
+      if (dir === wsDir && WORKSPACE_SKIP_ROOT_FILES.has(entry)) {
+        continue;
+      }
+
+      try {
+        // Use lstatSync to avoid following symlinks
+        const stat = lstatSync(fullPath);
+
+        // Skip symlinks — they could point outside the workspace
+        if (stat.isSymbolicLink()) continue;
+
+        if (stat.isDirectory()) {
+          walk(fullPath);
+          continue;
+        }
+        if (!stat.isFile()) continue;
+
+        // Enforce cumulative size cap
+        if (totalBytes + stat.size > MAX_WORKSPACE_PAYLOAD_BYTES) continue;
+
+        // SQLite DB handling: dump as SQL text
+        if (entry.endsWith(".db")) {
+          try {
+            const proc = spawnSync("sqlite3", [fullPath, ".dump"], {
+              timeout: 10_000,
+            });
+            if (proc.status === 0 && proc.stdout) {
+              const output =
+                proc.stdout instanceof Buffer
+                  ? proc.stdout.toString("utf-8")
+                  : String(proc.stdout);
+              result[relPath + ".sql"] = output;
+              totalBytes += Buffer.byteLength(output, "utf-8");
+            }
+          } catch {
+            // Skip if dump fails
+          }
+          continue;
+        }
+
+        // Read as UTF-8 and skip binary files (null-byte heuristic)
+        const content = readFileSync(fullPath, "utf-8");
+        if (content.includes("\0")) continue;
+        result[relPath] = content;
+        totalBytes += stat.size;
+      } catch {
+        // Skip unreadable files
+      }
+    }
+  }
+
+  walk(wsDir);
+  return result;
+}
+
 /**
  * Replaces a string value with a presence flag: "(set)" if truthy, "(empty)" otherwise.
  */
@@ -134,14 +254,6 @@ function readSanitizedConfig(): Record<string, unknown> | undefined {
     const raw = readFileSync(configPath, "utf-8");
     const config = JSON.parse(raw) as Record<string, unknown>;
 
-    // Strip API key values — preserve which providers have keys configured
-    if (config.apiKeys && typeof config.apiKeys === "object") {
-      const keys = config.apiKeys as Record<string, unknown>;
-      config.apiKeys = Object.fromEntries(
-        Object.keys(keys).map((k) => [k, redactStringValue(keys[k])]),
-      );
-    }
-
     // Strip ingress webhook secret
     if (config.ingress && typeof config.ingress === "object") {
       const ingress = config.ingress as Record<string, unknown>;

package/src/runtime/routes/session-query-routes.ts

@@ -52,8 +52,8 @@ export function sessionQueryRouteDefinitions(
       endpoint: "model",
       method: "GET",
       policyKey: "model",
-      handler: () => {
-        const info = getModelInfo();
+      handler: async () => {
+        const info = await getModelInfo();
         return Response.json(info);
       },
     },
@@ -74,7 +74,7 @@ export function sessionQueryRouteDefinitions(
           );
         }
         try {
-          const info = setModel(body.modelId, deps.getModelSetContext());
+          const info = await setModel(body.modelId, deps.getModelSetContext());
           return Response.json(info);
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);

package/src/runtime/routes/settings-routes.ts

@@ -10,7 +10,13 @@
 import { readFileSync } from "node:fs";
 import { join } from "node:path";
 
+import { setIngressPublicBaseUrl } from "../../config/env.js";
+import { loadRawConfig, saveRawConfig } from "../../config/loader.js";
 import { loadSkillCatalog } from "../../config/skills.js";
+import {
+  computeGatewayTarget,
+  getIngressConfigResult,
+} from "../../daemon/handlers/config-ingress.js";
 import { normalizeActivationKey } from "../../daemon/handlers/config-voice.js";
 import { orchestrateOAuthConnect } from "../../oauth/connect-orchestrator.js";
 import {
@@ -694,5 +700,52 @@ export function settingsRouteDefinitions(): RouteDefinition[] {
       policyKey: "diagnostics/env-vars",
       handler: () => handleEnvVars(),
     },
+
+    // Ingress config (GET / PUT)
+    {
+      endpoint: "integrations/ingress/config",
+      method: "GET",
+      policyKey: "integrations/ingress/config:GET",
+      handler: () => Response.json(getIngressConfigResult()),
+    },
+    {
+      endpoint: "integrations/ingress/config",
+      method: "PUT",
+      policyKey: "integrations/ingress/config",
+      handler: async ({ req }) => {
+        try {
+          const body = (await req.json()) as {
+            publicBaseUrl?: string;
+            enabled?: boolean;
+          };
+          const value = (body.publicBaseUrl ?? "").trim().replace(/\/+$/, "");
+          const raw = loadRawConfig();
+          const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+          ingress.publicBaseUrl = value || undefined;
+          if (body.enabled !== undefined) {
+            ingress.enabled = body.enabled;
+          }
+          saveRawConfig({ ...raw, ingress });
+
+          const isEnabled = (ingress.enabled as boolean | undefined) ?? false;
+          if (value && isEnabled) {
+            setIngressPublicBaseUrl(value);
+          } else {
+            setIngressPublicBaseUrl(undefined);
+          }
+
+          return Response.json({
+            enabled: isEnabled,
+            publicBaseUrl: value,
+            localGatewayTarget: computeGatewayTarget(),
+            success: true,
+          });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          log.error({ err }, "Failed to update ingress config via HTTP");
+          return httpError("INTERNAL_ERROR", message, 500);
+        }
+      },
+    },
   ];
 }

package/src/runtime/routes/workspace-routes.ts

@@ -1,5 +1,8 @@
 /**
  * Route handlers for workspace file browsing and content serving.
+ *
+ * WARNING: Workspace contents are included in diagnostic log exports.
+ * Do not store secrets here — use the credential store or protected/ directory.
  */
 import {
   existsSync,

package/src/runtime/verification-templates.ts

@@ -165,7 +165,7 @@ const voiceTemplates: Record<
     "That code was incorrect. Please try again.",
 
   [GUARDIAN_VERIFY_TEMPLATE_KEYS.VOICE_SUCCESS]: (_vars) =>
-    "Verification successful. Thank you. Goodbye.",
+    "Verification successful.",
 
   [GUARDIAN_VERIFY_TEMPLATE_KEYS.VOICE_FAILURE]: (_vars) =>
     "Too many incorrect attempts. Goodbye.",

package/src/security/oauth2.ts

@@ -359,9 +359,9 @@ function startLoopbackServerAndWaitForCode(
       server.close();
     }
 
-    server.listen(loopbackPort ?? 0, "127.0.0.1", () => {
+    server.listen(loopbackPort ?? 0, "localhost", () => {
       const addr = server.address() as { port: number };
-      boundRedirectUri = `http://127.0.0.1:${addr.port}${LOOPBACK_CALLBACK_PATH}`;
+      boundRedirectUri = `http://localhost:${addr.port}${LOOPBACK_CALLBACK_PATH}`;
 
       const authParams = new URLSearchParams({
         ...config.extraParams,
@@ -617,9 +617,9 @@ function startLoopbackServerForPreparedFlow(
       server.close();
     }
 
-    server.listen(loopbackPort ?? 0, "127.0.0.1", () => {
+    server.listen(loopbackPort ?? 0, "localhost", () => {
       const addr = server.address() as { port: number };
-      const redirectUri = `http://127.0.0.1:${addr.port}${LOOPBACK_CALLBACK_PATH}`;
+      const redirectUri = `http://localhost:${addr.port}${LOOPBACK_CALLBACK_PATH}`;
       listening = true;
       resolveSetup({ redirectUri, codePromise });
     });

package/src/security/secure-keys.ts

@@ -37,8 +37,8 @@ function getBroker(): KeychainBrokerClient {
  *
  * @deprecated Use `getSecureKeyAsync` instead. This sync variant only reads
  * from the encrypted file store, bypassing the keychain broker. Retained only
- * for startup code paths in `config/loader.ts` and `providers/managed-proxy/context.ts`
- * that cannot do async I/O.
+ * for sync code paths in `providers/registry.ts`, `providers/managed-proxy/context.ts`,
+ * and `memory/embedding-backend.ts` that cannot do async I/O.
  */
 export function getSecureKey(account: string): string | undefined {
   return encryptedStore.getKey(account);
@@ -50,8 +50,8 @@ export function getSecureKey(account: string): string | undefined {
  *
  * @deprecated Use `setSecureKeyAsync` instead. This sync variant only writes
  * to the encrypted file store, bypassing the keychain broker. Retained only
- * for startup code paths in `config/loader.ts` and `providers/managed-proxy/context.ts`
- * that cannot do async I/O.
+ * for sync code paths in `providers/registry.ts`, `providers/managed-proxy/context.ts`,
+ * and `memory/embedding-backend.ts` that cannot do async I/O.
  */
 export function setSecureKey(account: string, value: string): boolean {
   return encryptedStore.setKey(account, value);