@vellumai/assistant 0.5.0 → 0.5.2

package/src/memory/retriever.ts

@@ -373,7 +373,7 @@ export async function buildMemoryRecall(
   // those messages are no longer in the conversation history and memory is
   // the only way they can influence the response.
   if (conversationId) {
-    const inContextMessageIds = getInContextMessageIds(conversationId);
+    const inContextMessageIds = getEffectiveInContextMessageIds(conversationId);
     if (inContextMessageIds) {
       for (const [key, c] of candidateMap) {
         if (c.type === "segment") {
@@ -392,6 +392,51 @@ export async function buildMemoryRecall(
           }
         }
       }
+
+      // ── Item filtering: exclude items whose ALL sources are in-context ──
+      // Items distilled from messages the model can already see are redundant.
+      // However, items with ANY source outside the in-context set carry
+      // cross-conversation information and must be preserved.
+      const itemCandidateIds = [...candidateMap.values()]
+        .filter((c) => c.type === "item")
+        .map((c) => c.id);
+
+      if (itemCandidateIds.length > 0) {
+        try {
+          const db = getDb();
+          const allSources = db
+            .select({
+              memoryItemId: memoryItemSources.memoryItemId,
+              messageId: memoryItemSources.messageId,
+            })
+            .from(memoryItemSources)
+            .where(inArray(memoryItemSources.memoryItemId, itemCandidateIds))
+            .all();
+
+          // Build item ID → source message IDs map
+          const itemSourceMap = new Map<string, string[]>();
+          for (const s of allSources) {
+            const existing = itemSourceMap.get(s.memoryItemId);
+            if (existing) existing.push(s.messageId);
+            else itemSourceMap.set(s.memoryItemId, [s.messageId]);
+          }
+
+          // Filter items whose ALL sources are in-context
+          for (const [key, c] of candidateMap) {
+            if (c.type !== "item") continue;
+            const sourceMessageIds = itemSourceMap.get(c.id);
+            if (!sourceMessageIds || sourceMessageIds.length === 0) continue;
+            if (sourceMessageIds.every((mid) => inContextMessageIds.has(mid))) {
+              candidateMap.delete(key);
+            }
+          }
+        } catch (err) {
+          log.warn(
+            { err },
+            "Failed to fetch item sources for in-context filtering; skipping",
+          );
+        }
+      }
     }
   }
 
@@ -574,14 +619,22 @@ export async function buildMemoryRecall(
 }
 
 /**
- * Get the set of message IDs that are still in the conversation's context
- * window (i.e., not compacted away). Uses `contextCompactedMessageCount` to
- * determine the offset: messages ordered by createdAt after that count are
- * still visible to the model.
+ * Get the set of message IDs that are effectively in the conversation's
+ * context window. This includes:
+ *   1. Messages still visible (not compacted) in the conversation history.
+ *   2. Fork-source message IDs — when a conversation is forked, messages are
+ *      copied with new IDs but their metadata stores the original parent
+ *      message ID as `forkSourceMessageId`. Segments sourced from those parent
+ *      messages are redundant because the fork already contains their content.
+ *
+ * Uses `contextCompactedMessageCount` to determine the compaction offset:
+ * messages ordered by createdAt after that count are still visible to the model.
  *
  * Returns `null` if the conversation is not found (deleted, or no DB row).
  */
-function getInContextMessageIds(conversationId: string): Set<string> | null {
+function getEffectiveInContextMessageIds(
+  conversationId: string,
+): Set<string> | null {
   try {
     const db = getDb();
 
@@ -599,9 +652,9 @@ function getInContextMessageIds(conversationId: string): Set<string> | null {
 
     const offset = conv.contextCompactedMessageCount;
 
-    // Fetch message IDs ordered by creation time, skipping compacted ones
+    // Fetch message IDs and metadata ordered by creation time
     const rows = db
-      .select({ id: messages.id })
+      .select({ id: messages.id, metadata: messages.metadata })
       .from(messages)
       .where(eq(messages.conversationId, conversationId))
       .orderBy(asc(messages.createdAt))
@@ -609,7 +662,30 @@ function getInContextMessageIds(conversationId: string): Set<string> | null {
 
     // Messages up to `offset` have been compacted out of context
     const inContextRows = rows.slice(offset);
-    return new Set(inContextRows.map((r) => r.id));
+    const idSet = new Set(inContextRows.map((r) => r.id));
+
+    // Also include fork-source message IDs from in-context messages.
+    // When a conversation is forked, each copied message's metadata contains
+    // `forkSourceMessageId` pointing to the original (parent or grandparent)
+    // message ID. Segments sourced from those original messages are redundant.
+    for (const row of inContextRows) {
+      if (!row.metadata) continue;
+      try {
+        const parsed = JSON.parse(row.metadata);
+        if (
+          parsed &&
+          typeof parsed === "object" &&
+          !Array.isArray(parsed) &&
+          typeof parsed.forkSourceMessageId === "string"
+        ) {
+          idSet.add(parsed.forkSourceMessageId);
+        }
+      } catch {
+        // Invalid metadata JSON — skip, don't break filtering.
+      }
+    }
+
+    return idSet;
   } catch (err) {
     log.warn(
       { err },

package/src/memory/schema/conversations.ts

@@ -26,12 +26,17 @@ export const conversations = sqliteTable(
     memoryScopeId: text("memory_scope_id").notNull().default("default"),
     originChannel: text("origin_channel"),
     originInterface: text("origin_interface"),
+    forkParentConversationId: text("fork_parent_conversation_id"),
+    forkParentMessageId: text("fork_parent_message_id"),
     isAutoTitle: integer("is_auto_title").notNull().default(1),
     scheduleJobId: text("schedule_job_id"),
   },
   (table) => [
     index("idx_conversations_updated_at").on(table.updatedAt),
     index("idx_conversations_conversation_type").on(table.conversationType),
+    index("idx_conversations_fork_parent_conversation_id").on(
+      table.forkParentConversationId,
+    ),
   ],
 );
 
@@ -88,6 +93,7 @@ export const attachments = sqliteTable("attachments", {
   dataBase64: text("data_base64").notNull(),
   contentHash: text("content_hash"),
   thumbnailBase64: text("thumbnail_base64"),
+  filePath: text("file_path"),
   createdAt: integer("created_at").notNull(),
 });
 

package/src/memory/schema/infrastructure.ts

@@ -106,13 +106,19 @@ export const watcherEvents = sqliteTable("watcher_events", {
   createdAt: integer("created_at").notNull(),
 });
 
-export const llmRequestLogs = sqliteTable("llm_request_logs", {
-  id: text("id").primaryKey(),
-  conversationId: text("conversation_id").notNull(),
-  requestPayload: text("request_payload").notNull(),
-  responsePayload: text("response_payload").notNull(),
-  createdAt: integer("created_at").notNull(),
-});
+export const llmRequestLogs = sqliteTable(
+  "llm_request_logs",
+  {
+    id: text("id").primaryKey(),
+    conversationId: text("conversation_id").notNull(),
+    messageId: text("message_id"),
+    provider: text("provider"),
+    requestPayload: text("request_payload").notNull(),
+    responsePayload: text("response_payload").notNull(),
+    createdAt: integer("created_at").notNull(),
+  },
+  (table) => [index("idx_llm_request_logs_message_id").on(table.messageId)],
+);
 
 export const llmUsageEvents = sqliteTable(
   "llm_usage_events",

package/src/memory/schema/oauth.ts

@@ -18,6 +18,12 @@ export const oauthProviders = sqliteTable("oauth_providers", {
   extraParams: text("extra_params"),
   callbackTransport: text("callback_transport"),
   pingUrl: text("ping_url"),
+  managedServiceConfigKey: text("managed_service_config_key"),
+  displayName: text("display_name"),
+  description: text("description"),
+  dashboardUrl: text("dashboard_url"),
+  clientIdPlaceholder: text("client_id_placeholder"),
+  requiresClientSecret: integer("requires_client_secret").notNull().default(1),
   createdAt: integer("created_at").notNull(),
   updatedAt: integer("updated_at").notNull(),
 });

package/src/messaging/providers/gmail/mime-builder.ts

@@ -45,7 +45,9 @@ export function buildMultipartMime(options: MimeMessageOptions): string {
   const sanitizedSubject = sanitizeHeaderValue(subject);
   const sanitizedCc = cc ? sanitizeHeaderValue(cc) : undefined;
   const sanitizedBcc = bcc ? sanitizeHeaderValue(bcc) : undefined;
-  const sanitizedInReplyTo = inReplyTo ? sanitizeHeaderValue(inReplyTo) : undefined;
+  const sanitizedInReplyTo = inReplyTo
+    ? sanitizeHeaderValue(inReplyTo)
+    : undefined;
 
   const headers = [
     `To: ${sanitizedTo}`,

package/src/notifications/copy-composer.ts

@@ -196,6 +196,14 @@ export function hasInviteFlowDirective(text: string | undefined): boolean {
  * Build the deterministic access-request contract text from payload fields.
  * This is the canonical baseline that enforcement can append when generated
  * copy is missing required elements.
+ *
+ * Channel-agnostic by design: this function reads from the generic
+ * `contextPayload` and works identically regardless of which channel
+ * (Slack, Telegram, desktop, etc.) the notification is delivered to.
+ * When `guardianResolutionSource` is present and not `"source-channel-contact"`,
+ * the guardian was resolved via fallback (e.g. vellum anchor) rather than
+ * a verified same-channel contact — downstream copy or routing can use
+ * this to append verification CTAs like "Was this you?".
  */
 export function buildAccessRequestContractText(
   payload: Record<string, unknown>,
@@ -208,6 +216,15 @@ export function buildAccessRequestContractText(
       ? payload.previousMemberStatus
       : undefined;
 
+  const guardianResolutionSource =
+    typeof payload.guardianResolutionSource === "string"
+      ? payload.guardianResolutionSource
+      : undefined;
+  const sourceChannel =
+    typeof payload.sourceChannel === "string"
+      ? payload.sourceChannel
+      : undefined;
+
   const lines: string[] = [];
   lines.push(buildAccessRequestIdentityLine(payload));
   if (previousMemberStatus === "revoked") {
@@ -220,6 +237,15 @@ export function buildAccessRequestContractText(
     );
   }
   lines.push(buildAccessRequestInviteDirective());
+  if (
+    (guardianResolutionSource === "vellum-anchor" ||
+      guardianResolutionSource === "none") &&
+    sourceChannel
+  ) {
+    lines.push(
+      `Note: You haven't verified your identity on ${sourceChannel} yet. If this was you trying to message your assistant, say "help me verify as guardian on ${sourceChannel}" to set up direct access.`,
+    );
+  }
   return lines.join("\n");
 }
 

package/src/notifications/decision-engine.ts

@@ -22,6 +22,7 @@ import {
 } from "../providers/provider-send-message.js";
 import type { ModelIntent, Provider } from "../providers/types.js";
 import { getLogger } from "../util/logger.js";
+import { truncate } from "../util/truncate.js";
 import {
   buildConversationCandidates,
   type ConversationCandidateSet,
@@ -55,6 +56,15 @@ const log = getLogger("notification-decision-engine");
 const DECISION_TIMEOUT_MS = 15_000;
 const PROMPT_VERSION = "v4";
 
+/**
+ * Maximum character budget for identity context injected into the notification
+ * decision prompt. We truncate to prevent oversized prompts when SOUL.md /
+ * IDENTITY.md / USER.md are large — exceeding the provider context window
+ * would cause the LLM call to fail and silently degrade to deterministic
+ * fallback for all notifications.
+ */
+const MAX_IDENTITY_CONTEXT_CHARS = 2000;
+
 // ── System prompt ──────────────────────────────────────────────────────
 
 function buildSystemPrompt(
@@ -790,7 +800,10 @@ async function classifyWithLLM(
   const candidateContext = candidateSet
     ? (serializeCandidatesForPrompt(candidateSet) ?? undefined)
     : undefined;
-  const identityContext = buildCoreIdentityContext() ?? undefined;
+  const rawIdentityContext = buildCoreIdentityContext();
+  const identityContext = rawIdentityContext
+    ? truncate(rawIdentityContext, MAX_IDENTITY_CONTEXT_CHARS, "\n…[truncated]")
+    : undefined;
   const systemPrompt = buildSystemPrompt(
     availableChannels,
     preferenceContext,

package/src/notifications/emit-signal.ts

@@ -220,7 +220,7 @@ export async function emitNotificationSignal<TEventName extends string>(
       sourceChannel: params.sourceChannel,
       sourceContextId: params.sourceContextId,
       attentionHints: params.attentionHints,
-      payload: params.contextPayload ?? {},
+      payload: (params.contextPayload ?? {}) as Record<string, unknown>,
       dedupeKey: params.dedupeKey,
     });
 

package/src/notifications/signal.ts

@@ -118,8 +118,44 @@ export interface AttentionHints {
 
 export type RoutingIntent = "single_channel" | "multi_channel" | "all_channels";
 
+// ── Typed context payloads ──────────────────────────────────────────────
+
+/**
+ * How the guardian was resolved for an access request.
+ *
+ * - `"source-channel-contact"` — Guardian was found via the originating channel's
+ *   contact store and their principalId matches the assistant's anchor.
+ * - `"vellum-anchor"` — No same-channel guardian matched; fell back to the
+ *   assistant's vellum guardian principal.
+ * - `"none"` — No guardian binding could be resolved at all.
+ *
+ * Downstream consumers (notification copy, routing) use this to decide whether
+ * to append a "Was this you?" CTA or route notifications beyond the source channel.
+ * This is channel-agnostic by design — any channel's access request that
+ * resolves to a non-source-channel guardian gets the same treatment.
+ */
+export type GuardianResolutionSource =
+  | "source-channel-contact"
+  | "vellum-anchor"
+  | "none";
+
+export interface AccessRequestContextPayload {
+  requestId: string;
+  requestCode: string;
+  sourceChannel: string;
+  conversationExternalId: string;
+  actorExternalId: string;
+  actorDisplayName: string | null;
+  actorUsername: string | null;
+  senderIdentifier: string;
+  guardianBindingChannel: string | null;
+  guardianResolutionSource: GuardianResolutionSource;
+  previousMemberStatus: string | null;
+}
+
 export interface NotificationEventContextPayloadMap {
   "guardian.question": GuardianQuestionPayload;
+  "ingress.access_request": AccessRequestContextPayload;
 }
 
 export type NotificationContextPayload<TEventName extends string = string> =

package/src/oauth/byo-connection.test.ts

@@ -236,8 +236,6 @@ function createConnection(service = "integration:google"): BYOOAuthConnection {
     providerKey: service,
     baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
     accountInfo: null,
-    grantedScopes: ["read", "write"],
-    credentialService: service,
   });
 }
 
@@ -500,12 +498,11 @@ describe("resolveOAuthConnection", () => {
 
     expect(conn).toBeInstanceOf(BYOOAuthConnection);
     expect(conn.providerKey).toBe("integration:google");
-    expect(conn.grantedScopes).toEqual(["read", "write"]);
   });
 
   test("throws when no credential metadata exists", async () => {
     await expect(resolveOAuthConnection("integration:unknown")).rejects.toThrow(
-      /No credential found for "integration:unknown"/,
+      /No active OAuth connection found for "integration:unknown"/,
     );
   });
 
@@ -517,45 +514,4 @@ describe("resolveOAuthConnection", () => {
       /No base URL configured for "integration:custom-service"/,
     );
   });
-
-  test("resolves base URL via app's canonical providerKey for custom credential_service", async () => {
-    // Set up a well-known provider with a baseUrl
-    mockProviders.set("github", {
-      key: "github",
-      tokenUrl: "https://github.com/login/oauth/access_token",
-      baseUrl: "https://api.github.com",
-    });
-    // The custom credential service has no provider entry of its own
-    // (getProvider("integration:github-work") returns undefined)
-
-    // App points to the canonical "github" provider
-    const appId = "app-github-work";
-    mockApps.set(appId, {
-      id: appId,
-      providerKey: "github",
-      clientId: "test-client-id",
-      clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
-    });
-
-    // Connection uses the custom credential service as its providerKey
-    const connId = "conn-github-work";
-    mockConnections.set("integration:github-work", {
-      id: connId,
-      providerKey: "integration:github-work",
-      oauthAppId: appId,
-      expiresAt: Date.now() + 3600 * 1000,
-      grantedScopes: JSON.stringify(["repo"]),
-      accountInfo: null,
-    });
-    await setSecureKeyAsync(
-      `oauth_connection/${connId}/access_token`,
-      "ghp-test-token",
-    );
-
-    const conn = await resolveOAuthConnection("integration:github-work");
-
-    expect(conn).toBeInstanceOf(BYOOAuthConnection);
-    expect(conn.providerKey).toBe("integration:github-work");
-    expect(conn.grantedScopes).toEqual(["repo"]);
-  });
 });

package/src/oauth/byo-connection.ts

@@ -25,31 +25,25 @@ export interface BYOOAuthConnectionOptions {
   providerKey: string;
   baseUrl: string;
   accountInfo: string | null;
-  grantedScopes: string[];
-  credentialService: string;
 }
 
 export class BYOOAuthConnection implements OAuthConnection {
   readonly id: string;
   readonly providerKey: string;
   readonly accountInfo: string | null;
-  readonly grantedScopes: string[];
 
   private readonly baseUrl: string;
-  private readonly credentialService: string;
 
   constructor(opts: BYOOAuthConnectionOptions) {
     this.id = opts.id;
     this.providerKey = opts.providerKey;
     this.baseUrl = opts.baseUrl;
     this.accountInfo = opts.accountInfo;
-    this.grantedScopes = opts.grantedScopes;
-    this.credentialService = opts.credentialService;
   }
 
   async request(req: OAuthConnectionRequest): Promise<OAuthConnectionResponse> {
     return withValidToken(
-      this.credentialService,
+      this.providerKey,
       async (token) => {
         const effectiveBaseUrl = req.baseUrl ?? this.baseUrl;
         let fullUrl = `${effectiveBaseUrl}${req.path}`;
@@ -106,7 +100,7 @@ export class BYOOAuthConnection implements OAuthConnection {
   }
 
   async withToken<T>(fn: (token: string) => Promise<T>): Promise<T> {
-    return withValidToken(this.credentialService, fn, {
+    return withValidToken(this.providerKey, fn, {
       connectionId: this.id,
     });
   }

package/src/oauth/connect-orchestrator.ts

@@ -252,12 +252,13 @@ export async function orchestrateOAuthConnect(
       prepared.completion
         .then(async (result) => {
           try {
-            let accountInfo: string | undefined;
+            let parsedAccountIdentifier: string | undefined;
 
-            // Run identity verifier if available (code-side behavior)
+            // Parse account identifier from the provider's identity endpoint.
+            // Best-effort — format varies by provider and may fail.
             if (behavior.identityVerifier) {
               try {
-                accountInfo = await behavior.identityVerifier(
+                parsedAccountIdentifier = await behavior.identityVerifier(
                   result.tokens.accessToken,
                 );
               } catch {
@@ -270,19 +271,19 @@ export async function orchestrateOAuthConnect(
               tokens: result.tokens,
               grantedScopes: result.grantedScopes,
               rawTokenResponse: result.rawTokenResponse,
-              identityAccountInfo: accountInfo,
+              parsedAccountIdentifier,
             });
             log.info(
               {
                 service: resolvedService,
-                accountInfo: stored.accountInfo ?? accountInfo,
+                accountInfo: stored.accountInfo ?? parsedAccountIdentifier,
               },
               "Deferred OAuth2 flow completed — tokens stored",
             );
             options.onDeferredComplete?.({
               success: true,
               service: resolvedService,
-              accountInfo: stored.accountInfo ?? accountInfo,
+              accountInfo: stored.accountInfo ?? parsedAccountIdentifier,
             });
           } catch (err) {
             log.error(
@@ -353,11 +354,14 @@ export async function orchestrateOAuthConnect(
           : undefined,
     );
 
-    // Run identity verifier if available (code-side behavior)
-    let verifiedIdentity: string | undefined;
+    // Parse account identifier from the provider's identity endpoint.
+    // Best-effort — format varies by provider and may fail.
+    let parsedAccountIdentifier: string | undefined;
     if (behavior.identityVerifier) {
       try {
-        verifiedIdentity = await behavior.identityVerifier(tokens.accessToken);
+        parsedAccountIdentifier = await behavior.identityVerifier(
+          tokens.accessToken,
+        );
       } catch {
         // Non-fatal
       }
@@ -368,14 +372,14 @@ export async function orchestrateOAuthConnect(
       tokens,
       grantedScopes,
       rawTokenResponse,
-      identityAccountInfo: verifiedIdentity,
+      parsedAccountIdentifier,
     });
 
     return {
       success: true,
       deferred: false,
       grantedScopes,
-      accountInfo: accountInfo ?? verifiedIdentity,
+      accountInfo: accountInfo ?? parsedAccountIdentifier,
     };
   } catch (err: unknown) {
     const message =