@vellumai/assistant 0.5.14 → 0.5.16

package/src/cli/commands/platform/__tests__/status.test.ts

@@ -1,10 +1,5 @@
-import { mkdtempSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-const testDir = mkdtempSync(join(tmpdir(), "platform-status-test-"));
-
 // ---------------------------------------------------------------------------
 // Mock state
 // ---------------------------------------------------------------------------
@@ -68,51 +63,6 @@ mock.module("../../../../util/logger.js", () => ({
   pruneOldLogFiles: () => 0,
 }));
 
-mock.module("../../../../util/platform.js", () => ({
-  getRootDir: () => testDir,
-  getDataDir: () => join(testDir, "data"),
-  getWorkspaceSkillsDir: () => join(testDir, "skills"),
-  getWorkspaceDir: () => join(testDir, "workspace"),
-  getWorkspaceHooksDir: () => join(testDir, "workspace", "hooks"),
-  getWorkspaceConfigPath: () => join(testDir, "workspace", "config.json"),
-  getHooksDir: () => join(testDir, "hooks"),
-  getSignalsDir: () => join(testDir, "signals"),
-  getConversationsDir: () => join(testDir, "conversations"),
-  getEmbeddingModelsDir: () => join(testDir, "models"),
-  getSandboxRootDir: () => join(testDir, "sandbox"),
-  getSandboxWorkingDir: () => join(testDir, "sandbox", "work"),
-  getInterfacesDir: () => join(testDir, "interfaces"),
-  getSoundsDir: () => join(testDir, "sounds"),
-  getHistoryPath: () => join(testDir, "history"),
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPlatformName: () => "linux",
-  getClipboardCommand: () => null,
-  resolveInstanceDataDir: () => undefined,
-  normalizeAssistantId: (id: string) => id,
-  getTCPPort: () => 0,
-  isTCPEnabled: () => false,
-  getTCPHost: () => "127.0.0.1",
-  isIOSPairingEnabled: () => false,
-  getPlatformTokenPath: () => join(testDir, "token"),
-  readPlatformToken: () => null,
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  getWorkspaceDirDisplay: () => testDir,
-  getWorkspacePromptPath: (file: string) => join(testDir, file),
-  getProtectedDir: () => join(testDir, "protected"),
-  getDeprecatedDir: () => join(testDir, "workspace", "deprecated"),
-  getExternalDir: () => join(testDir, "external"),
-  getBinDir: () => join(testDir, "bin"),
-  getDotEnvPath: () => join(testDir, ".env"),
-  getDaemonStderrLogPath: () => join(testDir, "daemon-stderr.log"),
-  getDaemonStartupLockPath: () => join(testDir, "daemon-startup.lock"),
-  getEmbedWorkerPidPath: () => join(testDir, "embed-worker.pid"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../../../../config/loader.js", () => ({
   API_KEY_PROVIDERS: [] as const,
   getConfig: () => ({

package/src/config/bundled-skills/computer-use/TOOLS.json

@@ -23,7 +23,7 @@
       "name": "computer_use_click",
       "description": "Click an element on screen. Prefer element_id (from the accessibility tree) over x/y coordinates.",
       "category": "computer-use",
-      "risk": "low",
+      "risk": "medium",
       "input_schema": {
         "type": "object",
         "properties": {
@@ -62,7 +62,7 @@
       "name": "computer_use_type_text",
       "description": "Type text at the current cursor position. First click a text field (by element_id) to focus it, then call this tool. If a field shows 'FOCUSED', skip the click.",
       "category": "computer-use",
-      "risk": "low",
+      "risk": "medium",
       "input_schema": {
         "type": "object",
         "properties": {
@@ -88,7 +88,7 @@
       "name": "computer_use_key",
       "description": "Press a key or keyboard shortcut. Supported: enter, tab, escape, backspace, delete, up, down, left, right, space, cmd+a, cmd+c, cmd+v, cmd+z, cmd+tab, cmd+w, shift+tab, option+tab",
       "category": "computer-use",
-      "risk": "low",
+      "risk": "medium",
       "input_schema": {
         "type": "object",
         "properties": {
@@ -114,7 +114,7 @@
       "name": "computer_use_scroll",
       "description": "Scroll within an element by its [ID], or at raw screen coordinates as fallback.",
       "category": "computer-use",
-      "risk": "low",
+      "risk": "medium",
       "input_schema": {
         "type": "object",
         "properties": {
@@ -157,7 +157,7 @@
       "name": "computer_use_drag",
       "description": "Drag from one element or position to another. Use for moving files, resizing windows, rearranging items, or adjusting sliders.",
       "category": "computer-use",
-      "risk": "low",
+      "risk": "medium",
       "input_schema": {
         "type": "object",
         "properties": {
@@ -229,7 +229,7 @@
       "name": "computer_use_open_app",
       "description": "Open or switch to a macOS application by name. Preferred over cmd+tab for switching apps - more reliable and explicit.",
       "category": "computer-use",
-      "risk": "low",
+      "risk": "medium",
       "input_schema": {
         "type": "object",
         "properties": {
@@ -255,7 +255,7 @@
       "name": "computer_use_run_applescript",
       "description": "Run an AppleScript command. Prefer this over click/type when possible - it doesn't move the cursor or interrupt the user. Never use 'do shell script' inside AppleScript (blocked for security).",
       "category": "computer-use",
-      "risk": "low",
+      "risk": "medium",
       "input_schema": {
         "type": "object",
         "properties": {

package/src/config/bundled-skills/messaging/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: messaging
-description: Read, search, send, and manage messages across Gmail, Telegram, and other platforms
+description: Read, search, send, and manage messages across Gmail, Outlook, Telegram, and other platforms
 compatibility: "Designed for Vellum personal assistants"
 metadata:
   emoji: "\U0001F4AC"
@@ -11,7 +11,7 @@ metadata:
       - "Handles credential flows -- do not improvise setup instructions"
 ---
 
-You are a unified messaging assistant with access to multiple platforms (Gmail, Telegram, and more). Use the messaging tools to help users read, search, organize, draft, and send messages across all connected platforms.
+You are a unified messaging assistant with access to multiple platforms (Gmail, Outlook, Telegram, and more). Use the messaging tools to help users read, search, organize, draft, and send messages across all connected platforms.
 
 **Slack is not handled by this skill.** Slack messaging (send, read, search) is handled by the **slack** skill, which uses the Slack Web API directly via CLI. Do not use messaging tools with `platform: "slack"`.
 
@@ -67,6 +67,11 @@ When the user asks to "connect my email", "set up email", "manage my email", or
      - **cancelLabel:** "Not Now"
      - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
 
+### Outlook
+
+1. **Try connecting directly first.** Run `assistant oauth status outlook`. This will show whether the user has previously connected their Outlook account.
+2. **If no connections are found:** Guide the user to connect their Microsoft account through the OAuth flow.
+
 ### Slack
 
 Slack is **not** handled by this skill. For Slack setup, load the **slack-app-setup** skill directly. For Slack messaging, use the **slack** skill which accesses the Slack Web API via CLI.
@@ -118,6 +123,16 @@ When a messaging tool fails with a token or authorization error:
 - **Send / Reply**: Send a message or reply in a thread (via `thread_id`). High risk - requires user approval.
 - **Mark Read**: Mark conversation as read
 
+### Outlook
+
+- **Auth Test**: Verify connection and show account info
+- **List Conversations**: Show mail folders (Inbox, Sent, Drafts, etc.) with unread counts
+- **Read Messages**: Read message history from a folder
+- **Search**: Search messages using Microsoft Graph KQL syntax
+- **Send / Reply**: Send a message or reply to a thread (high risk - requires user approval)
+- **Mark Read**: Mark a message as read
+- **Thread Replies**: View all messages in a conversation thread
+
 ### Telegram
 
 Telegram is supported as a messaging provider with limited capabilities compared to Gmail due to Bot API constraints:

package/src/config/bundled-skills/settings/TOOLS.json

@@ -108,7 +108,7 @@
         "required": ["image_path"]
       },
       "executor": "tools/avatar-update.ts",
-      "execution_target": "sandbox"
+      "execution_target": "host"
     },
     {
       "name": "remove_avatar",
@@ -125,7 +125,7 @@
         }
       },
       "executor": "tools/avatar-remove.ts",
-      "execution_target": "sandbox"
+      "execution_target": "host"
     },
     {
       "name": "get_avatar",
@@ -142,7 +142,7 @@
         }
       },
       "executor": "tools/avatar-get.ts",
-      "execution_target": "sandbox"
+      "execution_target": "host"
     }
   ]
 }

package/src/config/feature-flag-registry.json

@@ -25,6 +25,14 @@
       "description": "Enable the Vellum Cloud hosting option on the Hosting screen",
       "defaultEnabled": false
     },
+    {
+      "id": "local-docker-enabled",
+      "scope": "macos",
+      "key": "local-docker-enabled",
+      "label": "Local Docker Mode",
+      "description": "When enabled, the Local hosting option uses Docker under the hood for sandboxed execution, hiding the separate Docker card",
+      "defaultEnabled": false
+    },
     {
       "id": "contacts",
       "scope": "assistant",
@@ -360,6 +368,14 @@
       "label": "Fast Mode",
       "description": "Enable Anthropic fast mode for Opus 4.6, delivering up to 2.5x higher output tokens per second at premium pricing",
       "defaultEnabled": false
+    },
+    {
+      "id": "outlook-oauth-integration",
+      "scope": "assistant",
+      "key": "outlook-oauth-integration",
+      "label": "Outlook / Microsoft Integration",
+      "description": "Enable the Outlook / Microsoft OAuth provider for connecting to Microsoft Graph APIs (email, calendar)",
+      "defaultEnabled": false
     }
   ]
 }

package/src/config/loader.ts

@@ -124,6 +124,10 @@ const DEPRECATED_FIELDS: Record<string, string> = {
     "providerOrder has been removed from the config schema. " +
     "Provider selection is now handled automatically. " +
     "The field will be removed from your config file.",
+  "permissions.dangerouslySkipPermissions":
+    "permissions.dangerouslySkipPermissions has been removed. " +
+    "Permission prompts are now always shown when required. " +
+    "The field will be removed from your config file.",
 };
 
 /**

package/src/config/schemas/security.ts

@@ -79,12 +79,6 @@ export const PermissionsConfigSchema = z
       .describe(
         "Permission mode — 'strict' requires explicit approval for all operations, 'workspace' allows operations within the workspace",
       ),
-    dangerouslySkipPermissions: z
-      .boolean({
-        error: "permissions.dangerouslySkipPermissions must be a boolean",
-      })
-      .default(false)
-      .describe("Auto-accept all permission prompts without asking"),
   })
   .describe("Permission enforcement mode for tool operations");
 

package/src/config/schemas/services.ts

@@ -51,6 +51,11 @@ export const GoogleOAuthServiceSchema = BaseServiceSchema.extend({
 });
 export type GoogleOAuthService = z.infer<typeof GoogleOAuthServiceSchema>;
 
+export const OutlookOAuthServiceSchema = BaseServiceSchema.extend({
+  mode: ServiceModeSchema.default("your-own"),
+});
+export type OutlookOAuthService = z.infer<typeof OutlookOAuthServiceSchema>;
+
 export const ServicesSchema = z.object({
   inference: InferenceServiceSchema.default(InferenceServiceSchema.parse({})),
   "image-generation": ImageGenerationServiceSchema.default(
@@ -62,5 +67,8 @@ export const ServicesSchema = z.object({
   "google-oauth": GoogleOAuthServiceSchema.default(
     GoogleOAuthServiceSchema.parse({}),
   ),
+  "outlook-oauth": OutlookOAuthServiceSchema.default(
+    OutlookOAuthServiceSchema.parse({}),
+  ),
 });
 export type Services = z.infer<typeof ServicesSchema>;

package/src/context/window-manager.ts

@@ -581,7 +581,7 @@ export class ContextWindowManager {
     const overheadTokens =
       estimateTextTokens(SUMMARY_SYSTEM_PROMPT) +
       estimateTextTokens(currentSummary) +
-      // Scaffolding text in buildSummaryPrompt ("Update the summary...",
+      // Scaffolding text in buildSummaryContentBlocks ("Update the summary...",
       // section headers, etc.) — generous fixed estimate.
       200 +
       this.summaryMaxTokens;
@@ -598,6 +598,7 @@ export class ContextWindowManager {
     for (const block of blocks) {
       totalTokens += estimateBlockTokens(block);
     }
+    const originalTotalTokens = totalTokens;
     if (totalTokens <= maxTranscriptTokens) return blocks;
 
     // First pass: drop images from the beginning until we fit or run out of
@@ -618,17 +619,39 @@ export class ContextWindowManager {
     if (totalTokens <= maxTranscriptTokens) return result;
 
     // Second pass: drop text blocks from the beginning (oldest) until we fit.
+    // If a single text block exceeds the remaining budget, truncate it rather
+    // than dropping it entirely so the summarizer always has content to work with.
     let dropUntil = 0;
     let droppedTokens = 0;
     for (let i = 0; i < result.length && totalTokens > maxTranscriptTokens; i++) {
-      droppedTokens += estimateBlockTokens(result[i]);
-      totalTokens -= estimateBlockTokens(result[i]);
+      const blockTokens = estimateBlockTokens(result[i]);
+      const excess = totalTokens - maxTranscriptTokens;
+      if (blockTokens > excess && result[i].type === "text") {
+        // Truncate this block to shed exactly the excess tokens.
+        const keepTokens = blockTokens - excess;
+        const text = (result[i] as { type: "text"; text: string }).text;
+        // Approximate: 1 token ≈ 4 characters for truncation purposes.
+        const keepChars = Math.max(1, Math.floor(keepTokens * 4));
+        const truncatedText = text.slice(-keepChars);
+        const truncatedBlock: ContentBlock = {
+          type: "text",
+          text: `[...truncated] ${truncatedText}`,
+        };
+        const newBlockTokens = estimateBlockTokens(truncatedBlock);
+        droppedTokens += blockTokens - newBlockTokens;
+        totalTokens -= blockTokens - newBlockTokens;
+        result[i] = truncatedBlock;
+        dropUntil = i;
+        break;
+      }
+      droppedTokens += blockTokens;
+      totalTokens -= blockTokens;
       dropUntil = i + 1;
     }
 
     log.info(
       {
-        originalTokens: totalTokens + droppedTokens,
+        originalTokens: originalTotalTokens,
         cappedTokens: maxTranscriptTokens,
         droppedTokens,
       },
@@ -892,11 +915,7 @@ function serializeMessagesToContentBlocks(messages: Message[]): ContentBlock[] {
           textLines.length = 0;
         }
         blocks.push(block);
-      } else if (block.type === "web_search_tool_result") {
-        textLines.push(
-          `web_search_tool_result ${block.tool_use_id}: [opaque]`,
-        );
-      } else if (block.type === "tool_result") {
+      } else if (block.type === "tool_result") { // guard:allow-tool-result-only — web_search_tool_result handled by serializeBlock via else branch
         // Extract images from tool_result contentBlocks before serializing.
         const collectedImages: ImageContent[] = [];
         textLines.push(serializeToolResultBlock(block, collectedImages));

package/src/credential-execution/approval-bridge.ts

@@ -103,7 +103,6 @@ function mapUserDecisionToCesDecision(
         userDecision: decision,
       };
     case "temporary_override":
-    case "dangerously_skip_permissions":
       return {
         grantDecision: "approved",
         ttl: undefined,

package/src/daemon/config-watcher.ts

@@ -10,8 +10,10 @@ import {
   readdirSync,
   watch,
 } from "node:fs";
+import { homedir } from "node:os";
 import { join } from "node:path";
 
+import { clearFeatureFlagOverridesCache } from "../config/assistant-feature-flags.js";
 import { getConfig, invalidateConfigCache } from "../config/loader.js";
 import { clearEmbeddingBackendCache } from "../memory/embedding-backend.js";
 import { clearCache as clearTrustCache } from "../permissions/trust-store.js";
@@ -173,6 +175,7 @@ export class ConfigWatcher {
       "workspace directory for config/prompt changes",
     );
 
+    this.startFeatureFlagsWatcher();
     this.startSignalsWatcher();
     this.startSkillsWatchers(onConversationEvict);
   }
@@ -185,6 +188,54 @@ export class ConfigWatcher {
     this.watchers = [];
   }
 
+  private startFeatureFlagsWatcher(): void {
+    const protectedDir = process.env.GATEWAY_SECURITY_DIR
+      ? process.env.GATEWAY_SECURITY_DIR
+      : join(homedir(), ".vellum", "protected");
+
+    try {
+      if (!existsSync(protectedDir)) {
+        mkdirSync(protectedDir, { recursive: true });
+      }
+    } catch {
+      // If we can't create it, watching will also fail — handled below.
+    }
+
+    const FLAG_FILES = new Set([
+      "feature-flags.json",
+      "feature-flags-remote.json",
+    ]);
+
+    try {
+      const watcher = watch(protectedDir, (_eventType, filename) => {
+        if (!filename) return;
+        const file = String(filename);
+        if (!FLAG_FILES.has(file)) return;
+        this.debounceTimers.schedule(
+          "file:feature-flags",
+          () => {
+            log.info(
+              { file },
+              "Feature flags file changed, invalidating cache",
+            );
+            clearFeatureFlagOverridesCache();
+          },
+          500,
+        );
+      });
+      this.watchers.push(watcher);
+      log.info(
+        { dir: protectedDir },
+        "Watching protected directory for feature flag changes",
+      );
+    } catch (err) {
+      log.warn(
+        { err, dir: protectedDir },
+        "Failed to watch protected directory for feature flags. Flag changes will require a restart.",
+      );
+    }
+  }
+
   private startSignalsWatcher(): void {
     const signalsDir = getSignalsDir();
     try {

package/src/daemon/conversation-agent-loop.ts

@@ -1587,14 +1587,15 @@ export async function runAgentLoopImpl(
     }
 
     const restoredHistory = [...preRepairMessages, ...newMessages];
-    ctx.messages = stripInjectedContext(restoredHistory);
 
     const postLoopContextEstimate = estimatePromptTokens(
-      ctx.messages,
+      restoredHistory,
       ctx.systemPrompt,
       { providerName: ctx.provider.name, toolTokenBudget },
     );
 
+    ctx.messages = stripInjectedContext(restoredHistory);
+
     emitUsage(
       ctx,
       state.exchangeInputTokens,

package/src/daemon/conversation-process.ts

@@ -936,6 +936,7 @@ export async function processMessage(
       return persisted.id;
     } finally {
       conversation.processing = false;
+      await drainQueue(conversation);
     }
   }
 

package/src/daemon/conversation-usage.ts

@@ -175,6 +175,7 @@ export function recordUsage(
   );
   onEvent({
     type: "usage_update",
+    conversationId: ctx.conversationId,
     inputTokens,
     outputTokens,
     totalInputTokens: ctx.usageStats.inputTokens,

package/src/daemon/handlers/skills.ts

@@ -42,7 +42,10 @@ import {
   removeSkillsIndexEntry,
   validateManagedSkillId,
 } from "../../skills/managed-store.js";
-import { deleteSkillCapabilityMemory } from "../../skills/skill-memory.js";
+import {
+  deleteSkillCapabilityMemory,
+  seedCatalogSkillMemories,
+} from "../../skills/skill-memory.js";
 import { getWorkspaceSkillsDir } from "../../util/platform.js";
 import {
   CONFIG_RELOAD_DEBOUNCE_MS,
@@ -478,6 +481,7 @@ export function enableSkill(
       name: skillId,
       state: "enabled",
     });
+    seedCatalogSkillMemories();
     return { success: true };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -572,6 +576,7 @@ export async function installSkill(
           "Failed to auto-enable bundled skill",
         );
       }
+      seedCatalogSkillMemories();
       return { success: true };
     }
 
@@ -602,6 +607,7 @@ export async function installSkill(
           );
         }
 
+        seedCatalogSkillMemories();
         return { success: true };
       }
     } catch (err) {
@@ -637,6 +643,7 @@ export async function installSkill(
       log.warn({ err, skillId }, "Failed to auto-enable installed skill");
     }
 
+    seedCatalogSkillMemories();
     return { success: true };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -1035,6 +1042,7 @@ export async function createSkill(
       );
     }
 
+    seedCatalogSkillMemories();
     return { success: true };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);

package/src/daemon/lifecycle.ts

@@ -5,6 +5,7 @@ import { reconcileCallsOnStartup } from "../calls/call-recovery.js";
 import { setRelayBroadcast } from "../calls/relay-server.js";
 import { TwilioConversationRelayProvider } from "../calls/twilio-provider.js";
 import { setVoiceBridgeDeps } from "../calls/voice-session-bridge.js";
+import { seedCliCommandMemories } from "../cli/cli-memory.js";
 import {
   getPlatformAssistantId,
   getQdrantHttpPortEnv,
@@ -641,11 +642,19 @@ export async function runDaemon(): Promise<void> {
       log.info("Daemon startup: starting memory worker");
       bgRefs.memoryWorker = startMemoryJobsWorker();
 
-      // Seed capability memories for first-party catalog skills so the memory
+      // Seed capability memories for all enabled skills so the memory
       // pipeline can surface relevant skills via semantic search.
-      void seedCatalogSkillMemories().catch((err) =>
-        log.warn({ err }, "Catalog skill memory seeding failed — continuing"),
-      );
+      try {
+        seedCatalogSkillMemories();
+      } catch (err) {
+        log.warn({ err }, "Catalog skill memory seeding failed — continuing");
+      }
+
+      try {
+        seedCliCommandMemories();
+      } catch (err) {
+        log.warn({ err }, "CLI command memory seeding failed — continuing");
+      }
     }
 
     // Fire-and-forget: Qdrant init runs concurrently with the rest of startup

package/src/daemon/message-types/conversations.ts

@@ -335,6 +335,7 @@ export interface UndoComplete {
 
 export interface UsageUpdate {
   type: "usage_update";
+  conversationId: string;
   inputTokens: number;
   outputTokens: number;
   totalInputTokens: number;

package/src/daemon/providers-setup.ts

@@ -8,6 +8,7 @@ import type { AssistantConfig } from "../config/types.js";
 import { setSentryOrganizationId, setSentryUserId } from "../instrument.js";
 import { getMcpServerManager } from "../mcp/manager.js";
 import { gmailMessagingProvider } from "../messaging/providers/gmail/adapter.js";
+import { outlookMessagingProvider } from "../messaging/providers/outlook/adapter.js";
 import { slackProvider as slackMessagingProvider } from "../messaging/providers/slack/adapter.js";
 import { telegramBotMessagingProvider } from "../messaging/providers/telegram-bot/adapter.js";
 import { whatsappMessagingProvider } from "../messaging/providers/whatsapp/adapter.js";
@@ -140,6 +141,7 @@ export function registerWatcherProviders(): void {
 export function registerMessagingProviders(): void {
   registerMessagingProvider(slackMessagingProvider);
   registerMessagingProvider(gmailMessagingProvider);
+  registerMessagingProvider(outlookMessagingProvider);
   registerMessagingProvider(telegramBotMessagingProvider);
   registerMessagingProvider(whatsappMessagingProvider);
 }

package/src/daemon/server.ts

@@ -576,6 +576,17 @@ export class DaemonServer {
       if (params.attachments && params.attachments.length > 0) {
         for (const a of params.attachments) {
           try {
+            const validation = attachmentsStore.validateAttachmentUpload(
+              a.filename,
+              a.mimeType,
+            );
+            if (!validation.ok) {
+              log.warn(
+                { error: validation.error, path: a.path },
+                "Signal attachment rejected by validation",
+              );
+              continue;
+            }
             const size = statSync(a.path).size;
             const stored = attachmentsStore.uploadFileBackedAttachment(
               a.filename,
@@ -584,12 +595,11 @@ export class DaemonServer {
               size,
             );
             attachmentIds.push(stored.id);
-            const fileData = readFileSync(a.path).toString("base64");
             resolvedAttachments.push({
               id: stored.id,
               filename: a.filename,
               mimeType: a.mimeType,
-              data: fileData,
+              data: "",
               filePath: a.path,
             });
           } catch (err) {
@@ -609,20 +619,17 @@ export class DaemonServer {
             "string"
             ? (msg as { conversationId: string }).conversationId
             : undefined;
-        const event = buildAssistantEvent(
-          DAEMON_INTERNAL_ASSISTANT_ID,
-          msg,
-          msgConversationId ?? conversationId,
-        );
-        assistantEventHub.publish(event).catch((err) => {
-          log.warn(
-            { err },
-            "assistant-events hub subscriber threw during signal user-message",
-          );
-        });
+        this.publishAssistantEvent(msg, msgConversationId ?? conversationId);
       };
 
       if (conversation.isProcessing()) {
+        // Hydrate file data now — the queue path won't re-read from
+        // the attachment store, so base64 content must be inline.
+        for (const att of resolvedAttachments) {
+          if (att.filePath && !att.data) {
+            att.data = readFileSync(att.filePath).toString("base64");
+          }
+        }
         const requestId = crypto.randomUUID();
         const resolvedChannel = resolveTurnChannel(params.sourceChannel);
         const resolvedInterface = resolveTurnInterface(params.sourceInterface);
@@ -977,15 +984,12 @@ export class DaemonServer {
     // Persist the conversation's current trust/auth context so it survives
     // eviction and recreation. The restore path in getOrCreateConversation
     // reads from storedOptions.trustContext / storedOptions.authContext.
-    const currentTrust = conversation.trustContext;
-    const currentAuth = conversation.authContext;
-    if (currentTrust || currentAuth) {
-      this.conversationOptions.set(conversationId, {
-        ...this.conversationOptions.get(conversationId),
-        ...(currentTrust ? { trustContext: currentTrust } : {}),
-        ...(currentAuth ? { authContext: currentAuth } : {}),
-      });
-    }
+    // Always write — including null — so explicit clearing isn't lost.
+    this.conversationOptions.set(conversationId, {
+      ...this.conversationOptions.get(conversationId),
+      trustContext: conversation.trustContext,
+      authContext: conversation.authContext,
+    });
     conversation.setChannelCapabilities(
       resolveChannelCapabilities(
         sourceChannel,