@vellumai/assistant 0.4.53 → 0.4.55

package/src/runtime/invite-instruction-generator.ts

@@ -23,49 +23,6 @@ const GENERATION_TIMEOUT_MS = 5_000;
 /** Maximum allowed length for a generated instruction. */
 const MAX_INSTRUCTION_LENGTH = 500;
 
-// ---------------------------------------------------------------------------
-// Channel display label
-// ---------------------------------------------------------------------------
-
-/** Human-readable label for a channel type. */
-export function channelDisplayLabel(type: string): string {
-  switch (type) {
-    case "telegram":
-      return "Telegram";
-    case "email":
-      return "Email";
-    case "slack":
-      return "Slack";
-    case "phone":
-      return "Voice";
-    default:
-      return type.charAt(0).toUpperCase() + type.slice(1);
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Deterministic fallback
-// ---------------------------------------------------------------------------
-
-/**
- * Build a deterministic fallback instruction when the LLM is unavailable.
- */
-export function buildFallbackInstruction(params: {
-  contactName?: string;
-  channelLabel: string;
-  channelHandle?: string;
-  shareUrl?: string;
-}): string {
-  const contact = params.contactName || "the contact";
-  const handle = params.channelHandle
-    ? ` at ${params.channelHandle}`
-    : ` on ${params.channelLabel}`;
-  if (params.shareUrl) {
-    return `Send ${contact} this link: ${params.shareUrl} — or tell them to message me${handle} with the code below.`;
-  }
-  return `Tell ${contact} to message me${handle} with the code below.`;
-}
-
 // ---------------------------------------------------------------------------
 // LLM-powered generation
 // ---------------------------------------------------------------------------
@@ -88,15 +45,32 @@ export async function generateInviteInstruction(params: {
    */
   shareUrl?: string;
 }): Promise<string> {
-  const channelLabel = channelDisplayLabel(params.channelType);
-  const fallback = buildFallbackInstruction({
-    contactName: params.contactName,
-    channelLabel,
-    channelHandle: params.channelHandle,
-    shareUrl: params.shareUrl,
-  });
+  const channelLabel = (() => {
+    switch (params.channelType) {
+      case "telegram":
+        return "Telegram";
+      case "email":
+        return "Email";
+      case "slack":
+        return "Slack";
+      case "phone":
+        return "Voice";
+      default:
+        return (
+          params.channelType.charAt(0).toUpperCase() +
+          params.channelType.slice(1)
+        );
+    }
+  })();
+  const contact = params.contactName || "the contact";
+  const handle = params.channelHandle
+    ? ` at ${params.channelHandle}`
+    : ` on ${channelLabel}`;
+  const fallback = params.shareUrl
+    ? `Send ${contact} this link: ${params.shareUrl} — or tell them to message me${handle} with the code below.`
+    : `Tell ${contact} to message me${handle} with the code below.`;
 
-  const resolved = resolveConfiguredProvider();
+  const resolved = await resolveConfiguredProvider();
   if (!resolved) {
     log.debug(
       "No provider available for invite instruction generation, using fallback",

package/src/runtime/invite-service.ts

@@ -34,7 +34,6 @@ import {
 } from "./channel-invite-transport.js";
 import { generateInviteInstruction } from "./invite-instruction-generator.js";
 import {
-  type InviteRedemptionOutcome,
   redeemInvite as redeemInviteTyped,
   redeemVoiceInviteCode as redeemVoiceInviteCodeTyped,
   type VoiceRedemptionOutcome,
@@ -372,25 +371,6 @@ export function redeemIngressInvite(params: {
   return { ok: true, data: inviteToResponse(inv) };
 }
 
-// ---------------------------------------------------------------------------
-// Typed invite redemption — preferred entry point for new callers
-// ---------------------------------------------------------------------------
-
-export { type InviteRedemptionOutcome } from "./invite-redemption-service.js";
-export { type VoiceRedemptionOutcome } from "./invite-redemption-service.js";
-
-export function redeemIngressInviteTyped(params: {
-  rawToken: string;
-  sourceChannel: string;
-  externalUserId?: string;
-  externalChatId?: string;
-  displayName?: string;
-  username?: string;
-  assistantId?: string;
-}): InviteRedemptionOutcome {
-  return redeemInviteTyped(params);
-}
-
 export function redeemVoiceInviteCode(params: {
   assistantId?: string;
   callerExternalUserId: string;

package/src/runtime/routes/attachment-routes.ts

@@ -101,7 +101,7 @@ export async function handleDeleteAttachment(req: Request): Promise<Response> {
   return new Response(null, { status: 204 });
 }
 
-export function handleGetAttachment(attachmentId: string): Response {
+function handleGetAttachment(attachmentId: string): Response {
   const attachment = attachmentsStore.getAttachmentById(attachmentId);
   if (!attachment) {
     return httpError("NOT_FOUND", "Attachment not found", 404);

package/src/runtime/routes/brain-graph-routes.ts

@@ -34,7 +34,7 @@ function getMemoryKindColor(kind: string): string {
   }
 }
 
-export function handleGetBrainGraph(): Response {
+function handleGetBrainGraph(): Response {
   try {
     const db = getDb();
 

package/src/runtime/routes/call-routes.ts

@@ -148,7 +148,7 @@ export async function handleStartCall(
 /**
  * GET /v1/calls/:callSessionId
  */
-export function handleGetCallStatus(callSessionId: string): Response {
+function handleGetCallStatus(callSessionId: string): Response {
   const result = getCallStatus(callSessionId);
 
   if (!result.ok) {

package/src/runtime/routes/conversation-routes.ts

@@ -352,16 +352,37 @@ export function handleListMessages(
           });
         }
       } else {
-        const linked = attachmentsStore.getAttachmentMetadataForMessage(m.id);
+        const linked =
+          attachmentsStore.getAttachmentMetadataForMessage(m.id);
         if (linked.length > 0) {
-          msgAttachments = linked.map((a) => ({
-            id: a.id,
-            filename: a.originalFilename,
-            mimeType: a.mimeType,
-            sizeBytes: a.sizeBytes,
-            kind: a.kind,
-            ...(a.thumbnailBase64 ? { thumbnailData: a.thumbnailBase64 } : {}),
-          }));
+          msgAttachments = linked.map((a) => {
+            if (a.mimeType.startsWith("image/")) {
+              const full = attachmentsStore.getAttachmentById(a.id);
+              return {
+                id: a.id,
+                filename: a.originalFilename,
+                mimeType: a.mimeType,
+                sizeBytes: a.sizeBytes,
+                kind: a.kind,
+                ...(full?.dataBase64
+                  ? { data: full.dataBase64 }
+                  : {}),
+                ...(a.thumbnailBase64
+                  ? { thumbnailData: a.thumbnailBase64 }
+                  : {}),
+              };
+            }
+            return {
+              id: a.id,
+              filename: a.originalFilename,
+              mimeType: a.mimeType,
+              sizeBytes: a.sizeBytes,
+              kind: a.kind,
+              ...(a.thumbnailBase64
+                ? { thumbnailData: a.thumbnailBase64 }
+                : {}),
+            };
+          });
         }
       }
     }
@@ -1116,7 +1137,7 @@ export async function handleGetSuggestion(
     }
 
     // Try LLM suggestion using the configured provider
-    const provider = getConfiguredProvider();
+    const provider = await getConfiguredProvider();
     if (provider) {
       try {
         // Deduplicate concurrent requests
@@ -1169,7 +1190,7 @@ export async function handleGetSuggestion(
  * Full-text search across all conversation threads (message content + titles).
  * Returns ranked results grouped by conversation, each with matching message excerpts.
  */
-export function handleSearchConversations(url: URL): Response {
+function handleSearchConversations(url: URL): Response {
   const query = url.searchParams.get("q") ?? "";
   if (!query.trim()) {
     return httpError("BAD_REQUEST", "q query parameter is required", 400);

package/src/runtime/routes/debug-routes.ts

@@ -35,7 +35,7 @@ function getMemoryItemCount(): number {
   }
 }
 
-export function handleDebug(): Response {
+function handleDebug(): Response {
   const now = Date.now();
   const uptimeSeconds = Math.floor((now - startedAt) / 1000);
 

package/src/runtime/routes/diagnostics-routes.ts

@@ -684,7 +684,7 @@ async function handleDictation(body: DictationBody): Promise<Response> {
   const transcription = expandSnippets(body.transcription, profile.snippets);
 
   try {
-    const provider = getConfiguredProvider();
+    const provider = await getConfiguredProvider();
     if (!provider) {
       log.warn(
         "Dictation: no provider available, using heuristic + raw transcription",
@@ -843,7 +843,7 @@ async function handleCommandMode(
   const maxTokens = Math.max(1024, computeMaxTokens(inputLength));
 
   try {
-    const provider = getConfiguredProvider();
+    const provider = await getConfiguredProvider();
     if (!provider) {
       log.warn("Command mode: no provider available, returning selected text");
       const normalizedText = applyDictionary(

package/src/runtime/routes/documents-routes.ts

@@ -27,7 +27,7 @@ type DocumentListRow = Omit<DocumentRow, "content">;
 // Shared business logic (used by both message handlers and HTTP routes)
 // ---------------------------------------------------------------------------
 
-export function saveDocument(params: {
+function saveDocument(params: {
   surfaceId: string;
   conversationId: string;
   title: string;
@@ -66,7 +66,7 @@ export function saveDocument(params: {
   }
 }
 
-export function loadDocument(surfaceId: string):
+function loadDocument(surfaceId: string):
   | {
       success: true;
       surfaceId: string;
@@ -112,7 +112,7 @@ export function loadDocument(surfaceId: string):
   }
 }
 
-export function listDocuments(conversationId?: string): Array<{
+function listDocuments(conversationId?: string): Array<{
   surfaceId: string;
   conversationId: string;
   title: string;

package/src/runtime/routes/global-search-routes.ts

@@ -134,7 +134,7 @@ async function searchMemoriesSemantic(
   existingIds: Set<string>,
 ): Promise<GlobalSearchMemory[]> {
   const config = getConfig();
-  const backendStatus = getMemoryBackendStatus(config);
+  const backendStatus = await getMemoryBackendStatus(config);
   if (!backendStatus.provider) return [];
 
   try {

package/src/runtime/routes/guardian-bootstrap-routes.ts

@@ -19,7 +19,6 @@ import { getLogger } from "../../util/logger.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
 import { mintCredentialPair } from "../auth/credential-service.js";
 import { httpError } from "../http-errors.js";
-import type { RouteDefinition } from "../http-router.js";
 
 /** Bun server shape needed for requestIP -- avoids importing the full Bun type. */
 type ServerWithRequestIP = {
@@ -154,22 +153,3 @@ export async function handleGuardianBootstrap(
     return httpError("INTERNAL_ERROR", "Internal server error", 500);
   }
 }
-
-// ---------------------------------------------------------------------------
-// Route definitions
-// ---------------------------------------------------------------------------
-
-/**
- * Guardian bootstrap is a pre-auth endpoint (handled before JWT auth in
- * http-server.ts), so these definitions are exported for completeness but
- * are not added to the authenticated route table.
- */
-export function guardianBootstrapRouteDefinitions(): RouteDefinition[] {
-  return [
-    {
-      endpoint: "guardian/init",
-      method: "POST",
-      handler: async ({ req, server }) => handleGuardianBootstrap(req, server),
-    },
-  ];
-}

package/src/runtime/routes/guardian-refresh-routes.ts

@@ -8,7 +8,6 @@
 import { getLogger } from "../../util/logger.js";
 import { rotateCredentials } from "../auth/credential-service.js";
 import { httpError } from "../http-errors.js";
-import type { RouteDefinition } from "../http-router.js";
 
 const log = getLogger("guardian-refresh");
 
@@ -78,22 +77,3 @@ export async function handleGuardianRefresh(req: Request): Promise<Response> {
     return httpError("INTERNAL_ERROR", "Internal server error", 500);
   }
 }
-
-// ---------------------------------------------------------------------------
-// Route definitions
-// ---------------------------------------------------------------------------
-
-/**
- * Guardian refresh is a pre-auth endpoint (handled before JWT auth in
- * http-server.ts), so these definitions are exported for completeness but
- * are not added to the authenticated route table.
- */
-export function guardianRefreshRouteDefinitions(): RouteDefinition[] {
-  return [
-    {
-      endpoint: "guardian/refresh",
-      method: "POST",
-      handler: async ({ req }) => handleGuardianRefresh(req),
-    },
-  ];
-}

package/src/runtime/routes/secret-routes.ts

@@ -73,7 +73,7 @@ export async function handleAddSecret(req: Request): Promise<Response> {
         );
       }
       invalidateConfigCache();
-      initializeProviders(getConfig());
+      await initializeProviders(getConfig());
       log.info({ provider: name }, "API key updated via HTTP");
       return Response.json({ success: true, type, name }, { status: 201 });
     }
@@ -101,7 +101,7 @@ export async function handleAddSecret(req: Request): Promise<Response> {
       }
       upsertCredentialMetadata(service, field, {});
       if (isManagedProxyCredential(service, field)) {
-        initializeProviders(getConfig());
+        await initializeProviders(getConfig());
       }
       log.info({ service, field }, "Credential added via HTTP");
       return Response.json({ success: true, type, name }, { status: 201 });
@@ -162,7 +162,7 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
         );
       }
       invalidateConfigCache();
-      initializeProviders(getConfig());
+      await initializeProviders(getConfig());
       log.info({ provider: name }, "API key deleted via HTTP");
       return Response.json({ success: true, type, name });
     }
@@ -196,7 +196,7 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
       }
       deleteCredentialMetadata(service, field);
       if (isManagedProxyCredential(service, field)) {
-        initializeProviders(getConfig());
+        await initializeProviders(getConfig());
       }
       log.info({ service, field }, "Credential deleted via HTTP");
       return Response.json({ success: true, type, name });

package/src/runtime/routes/session-management-routes.ts

@@ -7,8 +7,10 @@
  * POST   /v1/conversations/:id/cancel     — cancel generation
  * POST   /v1/conversations/:id/undo       — undo last message
  * POST   /v1/conversations/:id/regenerate — regenerate last assistant response
+ * POST   /v1/sessions/reorder             — reorder / pin sessions
  */
 
+import { batchSetDisplayOrders } from "../../memory/conversation-crud.js";
 import { setConversationKeyIfAbsent } from "../../memory/conversation-key-store.js";
 import { getLogger } from "../../util/logger.js";
 import { httpError } from "../http-errors.js";
@@ -159,5 +161,30 @@ export function sessionManagementRouteDefinitions(
         }
       },
     },
+    {
+      endpoint: "sessions/reorder",
+      method: "POST",
+      policyKey: "sessions/reorder",
+      handler: async ({ req }) => {
+        const body = (await req.json()) as {
+          updates?: Array<{
+            sessionId: string;
+            displayOrder?: number;
+            isPinned?: boolean;
+          }>;
+        };
+        if (!Array.isArray(body.updates)) {
+          return httpError("BAD_REQUEST", "Missing updates array", 400);
+        }
+        batchSetDisplayOrders(
+          body.updates.map((u) => ({
+            id: u.sessionId,
+            displayOrder: u.displayOrder ?? null,
+            isPinned: u.isPinned ?? false,
+          })),
+        );
+        return Response.json({ ok: true });
+      },
+    },
   ];
 }

package/src/runtime/routes/trust-rules-routes.ts

@@ -20,7 +20,7 @@ const log = getLogger("trust-rules-routes");
 /**
  * GET /v1/trust-rules/manage — list all trust rules.
  */
-export function handleListTrustRules(): Response {
+function handleListTrustRules(): Response {
   const rules = getAllRules();
   return Response.json({ type: "trust_rules_list_response", rules });
 }

package/src/security/credential-backend.ts

@@ -0,0 +1,148 @@
+/**
+ * CredentialBackend interface and adapters — abstracts credential storage
+ * behind a unified async API so callers don't need to know which backend
+ * (macOS Keychain, encrypted file store, etc.) is in use.
+ */
+
+import * as encryptedStore from "./encrypted-store.js";
+import type { KeychainBrokerClient } from "./keychain-broker-client.js";
+import { createBrokerClient } from "./keychain-broker-client.js";
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+/** Result of a delete operation — distinguishes success, not-found, and error. */
+export type DeleteResult = "deleted" | "not-found" | "error";
+
+// ---------------------------------------------------------------------------
+// Interface
+// ---------------------------------------------------------------------------
+
+export interface CredentialBackend {
+  /** Human-readable name for logging (e.g. "keychain", "encrypted-store"). */
+  readonly name: string;
+
+  /** Whether this backend is currently reachable. Sync and cheap. */
+  isAvailable(): boolean;
+
+  /** Retrieve a secret. Returns undefined if not found or on error. */
+  get(account: string): Promise<string | undefined>;
+
+  /** Store a secret. Returns true on success. */
+  set(account: string, value: string): Promise<boolean>;
+
+  /** Delete a secret. */
+  delete(account: string): Promise<DeleteResult>;
+
+  /** List all account names. */
+  list(): Promise<string[]>;
+}
+
+// ---------------------------------------------------------------------------
+// KeychainBackend
+// ---------------------------------------------------------------------------
+
+export class KeychainBackend implements CredentialBackend {
+  readonly name = "keychain";
+
+  constructor(private readonly client: KeychainBrokerClient) {}
+
+  isAvailable(): boolean {
+    return this.client.isAvailable();
+  }
+
+  async get(account: string): Promise<string | undefined> {
+    try {
+      const result = await this.client.get(account);
+      if (result == null || !result.found) return undefined;
+      return result.value;
+    } catch {
+      return undefined;
+    }
+  }
+
+  async set(account: string, value: string): Promise<boolean> {
+    try {
+      const result = await this.client.set(account, value);
+      return result.status === "ok";
+    } catch {
+      return false;
+    }
+  }
+
+  async delete(account: string): Promise<DeleteResult> {
+    try {
+      const ok = await this.client.del(account);
+      // The keychain broker returns a boolean — it does not distinguish
+      // "not found" from a genuine error, so we map false → "error".
+      return ok ? "deleted" : "error";
+    } catch {
+      return "error";
+    }
+  }
+
+  async list(): Promise<string[]> {
+    try {
+      return await this.client.list();
+    } catch {
+      return [];
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// EncryptedStoreBackend
+// ---------------------------------------------------------------------------
+
+export class EncryptedStoreBackend implements CredentialBackend {
+  readonly name = "encrypted-store";
+
+  isAvailable(): boolean {
+    return true;
+  }
+
+  async get(account: string): Promise<string | undefined> {
+    try {
+      return encryptedStore.getKey(account);
+    } catch {
+      return undefined;
+    }
+  }
+
+  async set(account: string, value: string): Promise<boolean> {
+    try {
+      return encryptedStore.setKey(account, value);
+    } catch {
+      return false;
+    }
+  }
+
+  async delete(account: string): Promise<DeleteResult> {
+    try {
+      return encryptedStore.deleteKey(account);
+    } catch {
+      return "error";
+    }
+  }
+
+  async list(): Promise<string[]> {
+    try {
+      return encryptedStore.listKeys();
+    } catch {
+      return [];
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Factory functions
+// ---------------------------------------------------------------------------
+
+export function createKeychainBackend(): KeychainBackend {
+  return new KeychainBackend(createBrokerClient());
+}
+
+export function createEncryptedStoreBackend(): EncryptedStoreBackend {
+  return new EncryptedStoreBackend();
+}

package/src/security/oauth2.ts

@@ -45,7 +45,7 @@ export interface OAuth2Config {
    * How the client authenticates at the token endpoint when a clientSecret is present.
    * - `client_secret_post`: Send client_id and client_secret in the POST body (default).
    * - `client_secret_basic`: Send an HTTP Basic Auth header with base64(client_id:client_secret).
-   * Defaults to `client_secret_post` for backward compatibility.
+   * Defaults to `client_secret_post`.
    */
   tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
 }

package/src/security/secret-allowlist.ts

@@ -131,7 +131,7 @@ export interface AllowlistValidationError {
  * Validate all regex patterns in an allowlist config without loading them.
  * Returns an array of validation errors (empty = all valid).
  */
-export function validateAllowlist(
+function validateAllowlist(
   config: AllowlistConfig,
 ): AllowlistValidationError[] {
   const errors: AllowlistValidationError[] = [];