@vellumai/assistant 0.5.15 → 0.6.0

package/src/runtime/routes/conversation-query-routes.ts

@@ -1,6 +1,6 @@
 /**
  * HTTP route definitions for model configuration, embedding configuration,
- * permissions configuration, conversation search, message content, LLM
+ * conversation search, message content, LLM
  * context inspection, and queued message deletion.
  *
  * These routes expose conversation query functionality over the HTTP API.
@@ -10,8 +10,6 @@
  * PUT    /v1/model/image-gen            — set image-gen model
  * GET    /v1/config/embeddings          — current embedding config
  * PUT    /v1/config/embeddings          — set embedding provider/model
- * GET    /v1/config/permissions/skip    — dangerouslySkipPermissions status
- * PUT    /v1/config/permissions/skip    — toggle dangerouslySkipPermissions
  * GET    /v1/config                     — full raw workspace config
  * PATCH  /v1/config                     — deep-merge partial config
  * GET    /v1/conversations/search       — search conversations
@@ -24,7 +22,6 @@ import { z } from "zod";
 
 import {
   deepMergeOverwrite,
-  getConfig,
   loadRawConfig,
   saveRawConfig,
 } from "../../config/loader.js";
@@ -113,9 +110,7 @@ function applyStoredProviderToLlmContextResult(
   const mergedSummary = normalized.summary
     ? { ...normalized.summary, provider }
     : { provider };
-  const summary = attachEstimatedCost(
-    mergedSummary as LlmContextSummary,
-  );
+  const summary = attachEstimatedCost(mergedSummary as LlmContextSummary);
   return { ...normalized, summary };
 }
 
@@ -324,57 +319,6 @@ export function conversationQueryRouteDefinitions(
       },
     },
 
-    // ── Permissions config ─────────────────────────────────────────────
-    {
-      endpoint: "config/permissions/skip",
-      method: "GET",
-      policyKey: "config/permissions/skip",
-      summary: "Get permission-skip flag",
-      description: "Return whether dangerouslySkipPermissions is enabled.",
-      tags: ["config"],
-      responseBody: z.object({
-        enabled: z.boolean(),
-      }),
-      handler: () => {
-        const config = getConfig();
-        return Response.json({
-          enabled: config.permissions.dangerouslySkipPermissions,
-        });
-      },
-    },
-    {
-      endpoint: "config/permissions/skip",
-      method: "PUT",
-      policyKey: "config/permissions/skip",
-      summary: "Set permission-skip flag",
-      description: "Enable or disable dangerouslySkipPermissions.",
-      tags: ["config"],
-      requestBody: z.object({
-        enabled: z.boolean(),
-      }),
-      handler: async ({ req }) => {
-        const body = (await req.json()) as { enabled?: unknown };
-        if (typeof body.enabled !== "boolean") {
-          return httpError(
-            "BAD_REQUEST",
-            "Missing or invalid field: enabled (boolean)",
-            400,
-          );
-        }
-        const raw = loadRawConfig();
-        const permissions: Record<string, unknown> =
-          raw.permissions != null &&
-          typeof raw.permissions === "object" &&
-          !Array.isArray(raw.permissions)
-            ? (raw.permissions as Record<string, unknown>)
-            : {};
-        permissions.dangerouslySkipPermissions = body.enabled;
-        raw.permissions = permissions;
-        saveRawConfig(raw);
-        return Response.json({ enabled: body.enabled });
-      },
-    },
-
     // ── Full config read ─────────────────────────────────────────────
     {
       endpoint: "config",

package/src/runtime/routes/conversation-starter-routes.ts

@@ -161,9 +161,9 @@ function handleListConversationStarters(url: URL): Response {
     });
   }
 
-  // No starters — check whether we have memory items to generate from.
+  // No starters — check whether we have memory graph nodes to generate from.
   const memoryCount = rawGet<{ c: number }>(
-    `SELECT COUNT(*) AS c FROM memory_items WHERE status = 'active' AND scope_id = ?`,
+    `SELECT COUNT(*) AS c FROM memory_graph_nodes WHERE fidelity != 'gone' AND scope_id = ?`,
     scopeId,
   );
 

package/src/runtime/routes/debug-routes.ts

@@ -32,7 +32,7 @@ function getDatabaseSizeBytes(): number | null {
 function getMemoryItemCount(): number {
   try {
     const rows = rawAll<{ c: number }>(
-      "SELECT COUNT(*) AS c FROM memory_items",
+      "SELECT COUNT(*) AS c FROM memory_graph_nodes",
     );
     return rows[0]?.c ?? 0;
   } catch {

package/src/runtime/routes/global-search-routes.ts

@@ -100,34 +100,36 @@ function searchMemoryItems(query: string, limit: number): GlobalSearchMemory[] {
 
   interface MemoryRow {
     id: string;
-    kind: string;
-    statement: string;
-    subject: string;
+    type: string;
+    content: string;
     confidence: number;
-    last_seen_at: number;
+    last_accessed: number;
   }
 
-  // Search on both statement and subject for broader recall
   const rows = rawAll<MemoryRow>(
-    `SELECT id, kind, statement, subject, confidence, last_seen_at
-     FROM memory_items
-     WHERE (statement LIKE ? OR subject LIKE ?) AND status = 'active'
-     ORDER BY last_seen_at DESC
+    `SELECT id, type, content, confidence, last_accessed
+     FROM memory_graph_nodes
+     WHERE content LIKE ? AND fidelity != 'gone'
+     ORDER BY last_accessed DESC
      LIMIT ?`,
     likePattern,
-    likePattern,
     limit,
   );
 
-  return rows.map((r) => ({
-    id: r.id,
-    kind: r.kind,
-    text: r.statement,
-    subject: r.subject || null,
-    confidence: r.confidence,
-    updatedAt: r.last_seen_at,
-    source: "lexical" as const,
-  }));
+  return rows.map((r) => {
+    const nl = r.content.indexOf("\n");
+    const subject = nl >= 0 ? r.content.slice(0, nl) : r.content;
+    const statement = nl >= 0 ? r.content.slice(nl + 1) : r.content;
+    return {
+      id: r.id,
+      kind: r.type,
+      text: statement,
+      subject: subject || null,
+      confidence: r.confidence,
+      updatedAt: r.last_accessed,
+      source: "lexical" as const,
+    };
+  });
 }
 
 async function searchMemoriesSemantic(

package/src/runtime/routes/group-routes.ts

@@ -0,0 +1,207 @@
+/**
+ * Route handlers for conversation group management.
+ *
+ * GET    /v1/groups              — list all groups
+ * POST   /v1/groups              — create a custom group
+ * PATCH  /v1/groups/:groupId     — update a group
+ * DELETE /v1/groups/:groupId     — delete a group
+ * POST   /v1/groups/reorder      — reorder groups
+ */
+
+import { z } from "zod";
+
+import {
+  createGroup,
+  deleteGroup,
+  getGroup,
+  listGroups,
+  reorderGroups,
+  updateGroup,
+} from "../../memory/group-crud.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+function serializeGroup(group: ReturnType<typeof getGroup>) {
+  if (!group) return null;
+  return {
+    id: group.id,
+    name: group.name,
+    sortPosition: group.sortPosition,
+    isSystemGroup: group.isSystemGroup,
+  };
+}
+
+export function groupRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "groups",
+      method: "GET",
+      policyKey: "groups",
+      summary: "List groups",
+      description: "Return all conversation groups.",
+      tags: ["groups"],
+      handler: () => {
+        const groups = listGroups();
+        return Response.json({
+          groups: groups.map(serializeGroup),
+        });
+      },
+    },
+    {
+      endpoint: "groups",
+      method: "POST",
+      policyKey: "groups",
+      summary: "Create group",
+      description:
+        "Create a new custom conversation group. Server assigns sort_position.",
+      tags: ["groups"],
+      requestBody: z.object({
+        name: z.string().describe("Group name"),
+      }),
+      handler: async ({ req }) => {
+        const body = (await req.json()) as { name?: string };
+        if (!body.name || typeof body.name !== "string") {
+          return httpError("BAD_REQUEST", "Missing or invalid name", 400);
+        }
+        const group = createGroup(body.name);
+        return Response.json(serializeGroup(group), { status: 201 });
+      },
+    },
+    {
+      endpoint: "groups/:groupId",
+      method: "PATCH",
+      policyKey: "groups",
+      summary: "Update group",
+      description: "Update a conversation group's name or sort position.",
+      tags: ["groups"],
+      requestBody: z.object({
+        name: z.string().optional(),
+        sortPosition: z.number().optional(),
+      }),
+      handler: async ({ req, params }) => {
+        const groupId = params.groupId;
+        const existing = getGroup(groupId);
+        if (!existing) {
+          return httpError("NOT_FOUND", "Group not found", 404);
+        }
+        const body = (await req.json()) as {
+          name?: string;
+          sortPosition?: number;
+        };
+        if (body.name !== undefined && typeof body.name !== "string") {
+          return httpError("BAD_REQUEST", "name must be a string", 400);
+        }
+        if (
+          body.sortPosition !== undefined &&
+          typeof body.sortPosition !== "number"
+        ) {
+          return httpError("BAD_REQUEST", "sortPosition must be a number", 400);
+        }
+        // System groups allow name changes but block sortPosition/delete.
+        if (existing.isSystemGroup && body.sortPosition !== undefined) {
+          return httpError(
+            "FORBIDDEN",
+            "System group sort position cannot be changed",
+            403,
+          );
+        }
+        // Custom group sort_position must be >= 3
+        if (
+          body.sortPosition !== undefined &&
+          (typeof body.sortPosition !== "number" ||
+            !isFinite(body.sortPosition) ||
+            body.sortPosition < 3)
+        ) {
+          return httpError(
+            "BAD_REQUEST",
+            "Custom group sort_position must be >= 3",
+            400,
+          );
+        }
+        const updated = updateGroup(groupId, {
+          name: body.name,
+          sortPosition: body.sortPosition,
+        });
+        if (!updated) {
+          return httpError("NOT_FOUND", "Group not found", 404);
+        }
+        return Response.json(serializeGroup(updated));
+      },
+    },
+    {
+      endpoint: "groups/:groupId",
+      method: "DELETE",
+      policyKey: "groups",
+      summary: "Delete group",
+      description: "Delete a custom conversation group.",
+      tags: ["groups"],
+      handler: ({ params }) => {
+        const groupId = params.groupId;
+        const existing = getGroup(groupId);
+        if (!existing) {
+          return httpError("NOT_FOUND", "Group not found", 404);
+        }
+        // System groups cannot be deleted
+        if (existing.isSystemGroup) {
+          return httpError("FORBIDDEN", "System groups cannot be deleted", 403);
+        }
+        deleteGroup(groupId);
+        return new Response(null, { status: 204 });
+      },
+    },
+    {
+      endpoint: "groups/reorder",
+      method: "POST",
+      policyKey: "groups/reorder",
+      summary: "Reorder groups",
+      description: "Batch-update sort positions for conversation groups.",
+      tags: ["groups"],
+      requestBody: z.object({
+        updates: z
+          .array(
+            z.object({
+              groupId: z.string(),
+              sortPosition: z.number(),
+            }),
+          )
+          .describe("Array of { groupId, sortPosition } objects"),
+      }),
+      handler: async ({ req }) => {
+        const body = (await req.json()) as {
+          updates?: Array<{
+            groupId: string;
+            sortPosition: number;
+          }>;
+        };
+        if (!Array.isArray(body.updates)) {
+          return httpError("BAD_REQUEST", "Missing updates array", 400);
+        }
+        // Validate: no system group reordering, no sort_position < 3 for custom groups
+        for (const update of body.updates) {
+          const group = getGroup(update.groupId);
+          if (!group) continue;
+          if (group.isSystemGroup) {
+            return httpError(
+              "FORBIDDEN",
+              `Cannot reorder system group: ${update.groupId}`,
+              403,
+            );
+          }
+          if (
+            typeof update.sortPosition !== "number" ||
+            !isFinite(update.sortPosition) ||
+            update.sortPosition < 3
+          ) {
+            return httpError(
+              "BAD_REQUEST",
+              `Custom group sort_position must be >= 3 (got ${update.sortPosition} for ${update.groupId})`,
+              400,
+            );
+          }
+        }
+        reorderGroups(body.updates);
+        return Response.json({ ok: true });
+      },
+    },
+  ];
+}

package/src/runtime/routes/guardian-action-routes.ts

@@ -23,7 +23,10 @@ import { requireBoundGuardian } from "../auth/require-bound-guardian.js";
 import type { AuthContext } from "../auth/types.js";
 import { processGuardianDecision } from "../guardian-action-service.js";
 import type { GuardianDecisionPrompt } from "../guardian-decision-types.js";
-import { buildDecisionActions } from "../guardian-decision-types.js";
+import {
+  buildDecisionActions,
+  GUARDIAN_DECISION_ACTIONS,
+} from "../guardian-decision-types.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 
@@ -190,13 +193,15 @@ export function listGuardianDecisionPrompts(params: {
  * Map a canonical guardian request to the client-facing prompt format.
  *
  * Generates kind-specific questionText and action sets:
- * - `tool_approval`: "Approve tool: <name>" with approve/reject actions
- * - `pending_question`: voice-originated question with approve/reject actions
- * - `access_request`: explicit "Access Request" label with approve/reject actions
- *   and text fallback instructions (request code + "open invite flow")
+ * - `tool_approval`: temporal modes (approve_once, approve_10m, approve_conversation) + reject
+ * - `pending_question`: approve_once + reject only
+ * - `access_request`: approve_once + reject only, with text fallback instructions
+ *   (request code + "open invite flow")
+ * - `tool_grant_request`: approve_once + reject only
  *
- * All kinds use `forGuardianOnBehalf: true` (no approve_always) since the
- * guardian is acting on behalf of a requester.
+ * Only `tool_approval` receives temporal modes because time-scoped grants
+ * are meaningful only for tool execution. All other kinds get a simple
+ * approve_once/reject pair.
  */
 function mapCanonicalRequestToPrompt(
   req: CanonicalGuardianRequest,
@@ -204,9 +209,15 @@ function mapCanonicalRequestToPrompt(
 ): GuardianDecisionPrompt {
   const questionText = buildKindAwareQuestionText(req);
 
-  // Guardian-on-behalf prompts include approve_once, temporal modes
-  // (approve_10m, approve_conversation), and reject — but not approve_always.
-  const actions = buildDecisionActions({ forGuardianOnBehalf: true });
+  // Only tool_approval gets temporal modes (approve_10m, approve_conversation);
+  // all other kinds get a simple approve_once + reject pair.
+  const actions =
+    req.kind === "tool_approval"
+      ? buildDecisionActions({ forGuardianOnBehalf: true })
+      : [
+          GUARDIAN_DECISION_ACTIONS.approve_once,
+          GUARDIAN_DECISION_ACTIONS.reject,
+        ];
 
   const expiresAt = req.expiresAt
     ? new Date(req.expiresAt).getTime()

package/src/runtime/routes/guardian-bootstrap-routes.ts

@@ -19,7 +19,7 @@ import { getLogger } from "../../util/logger.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
 import { mintCredentialPair } from "../auth/credential-service.js";
 import { httpError } from "../http-errors.js";
-import { isPrivateAddress } from "../middleware/auth.js";
+import { isLoopbackAddress, isPrivateAddress } from "../middleware/auth.js";
 
 /** Bun server shape needed for requestIP -- avoids importing the full Bun type. */
 type ServerWithRequestIP = {
@@ -87,30 +87,34 @@ export async function handleGuardianBootstrap(
   req: Request,
   server: ServerWithRequestIP,
 ): Promise<Response> {
-  // Reject non-private-network peers (allows loopback, Docker bridge, etc.)
+  // In non-containerized (bare-metal) mode, restrict to loopback only —
+  // the runtime binds to localhost and LAN peers should not be able to
+  // bootstrap even if they somehow reach the endpoint.
+  // In containerized (Docker) mode, accept any private-network peer because
+  // the gateway connects over the Docker bridge (e.g. 172.17.0.1) and the
+  // GUARDIAN_BOOTSTRAP_SECRET enforced at the gateway layer provides the
+  // real authentication.
   const peerIp = server.requestIP(req)?.address;
-  if ((!peerIp || !isPrivateAddress(peerIp)) && !isHttpAuthDisabled()) {
+  const containerized = getIsContainerized();
+  const peerAllowed = containerized
+    ? isPrivateAddress(peerIp ?? "")
+    : isLoopbackAddress(peerIp ?? "");
+  if (!peerAllowed && !isHttpAuthDisabled()) {
     return httpError("FORBIDDEN", "Bootstrap endpoint is local-only", 403);
   }
 
-  // Reject requests forwarded from public networks. The gateway sets
-  // x-forwarded-for to the real client IP; if that IP is on a private
-  // network (loopback, Docker bridge, RFC 1918) the request is still
-  // considered local. Only reject when the forwarded IP is public.
+  // In non-containerized mode, any x-forwarded-for header means the request
+  // came through the gateway from a non-loopback client. Legitimate bare-metal
+  // bootstrap clients connect from localhost; the gateway does not inject
+  // x-forwarded-for for loopback peers (see gateway/src/index.ts). Reject
+  // forwarded requests to prevent LAN-adjacent clients from bootstrapping.
   //
-  // Skip this check when running in a container: the peer IP was already
-  // validated above (Docker bridge network = private), so the request
-  // reached us through a co-located gateway. The x-forwarded-for header
-  // reflects the original external client (e.g. platform proxy) and is
-  // not meaningful for local-only enforcement in this topology.
+  // In containerized mode, skip this check: the peer IP was already validated
+  // above (Docker bridge network = private), and the x-forwarded-for header
+  // reflects the original external client which is not meaningful for
+  // local-only enforcement in this topology.
   const forwarded = req.headers.get("x-forwarded-for");
-  const forwardedIp = forwarded ? forwarded.split(",")[0].trim() : null;
-  if (
-    forwardedIp &&
-    !isPrivateAddress(forwardedIp) &&
-    !isHttpAuthDisabled() &&
-    !getIsContainerized()
-  ) {
+  if (forwarded && !isHttpAuthDisabled() && !getIsContainerized()) {
     return httpError("FORBIDDEN", "Bootstrap endpoint is local-only", 403);
   }
 

package/src/runtime/routes/inbound-message-handler.ts

@@ -44,6 +44,7 @@ import { processChannelMessageInBackground } from "./inbound-stages/background-d
 import { handleBootstrapIntercept } from "./inbound-stages/bootstrap-intercept.js";
 import { handleEditIntercept } from "./inbound-stages/edit-intercept.js";
 import { handleEscalationIntercept } from "./inbound-stages/escalation-intercept.js";
+import { handleGuardianActivationIntercept } from "./inbound-stages/guardian-activation-intercept.js";
 import { handleGuardianReplyIntercept } from "./inbound-stages/guardian-reply-intercept.js";
 import { runSecretIngressCheck } from "./inbound-stages/secret-ingress-check.js";
 import { tryTranscribeAudioAttachments } from "./inbound-stages/transcribe-audio.js";
@@ -199,6 +200,24 @@ export async function handleChannelInbound(
   // ACL deny path rather than bypassing it.
   const hasSenderIdentityClaim = rawSenderId !== undefined;
 
+  // ── Guardian channel activation ──
+  // When a bare /start arrives on a channel with no guardian, auto-initiate
+  // guardian verification so the first user can claim the channel.
+  const guardianActivationResponse = await handleGuardianActivationIntercept({
+    sourceChannel,
+    conversationExternalId,
+    rawSenderId,
+    canonicalSenderId,
+    actorDisplayName: body.actorDisplayName,
+    actorUsername: body.actorUsername,
+    sourceMetadata: body.sourceMetadata,
+    replyCallbackUrl: body.replyCallbackUrl,
+    mintBearerToken,
+    assistantId,
+    externalMessageId,
+  });
+  if (guardianActivationResponse) return guardianActivationResponse;
+
   // ── Ingress ACL enforcement ──
   const aclResult = await enforceIngressAcl({
     canonicalSenderId,

package/src/runtime/routes/inbound-stages/background-dispatch.ts

@@ -15,6 +15,7 @@ import * as deliveryCrud from "../../../memory/delivery-crud.js";
 import * as deliveryStatus from "../../../memory/delivery-status.js";
 import {
   extractChannelFromCallbackUrl,
+  extractMessageTsFromCallbackUrl,
   extractThreadTsFromCallbackUrl,
   setThreadTs,
 } from "../../../memory/slack-thread-store.js";
@@ -328,9 +329,49 @@ export function setSlackThinkingStatus(
   // the correct thread for the Assistants API status.
   const threadTs = extractThreadTsFromCallbackUrl(callbackUrl);
 
-  // If there's no thread context, we can't set a thread status — bail.
+  // For non-threaded DMs, fall back to emoji reaction on the original message.
   if (!threadTs) {
-    return () => {};
+    const messageTs = extractMessageTsFromCallbackUrl(callbackUrl);
+    if (!messageTs) return () => {};
+
+    const addPromise = deliverChannelReply(
+      callbackUrl,
+      {
+        chatId,
+        assistantId,
+        reaction: { action: "add", name: "eyes", messageTs },
+      },
+      mintBearerToken(),
+    ).catch((err) => {
+      log.debug({ err, chatId, messageTs }, "Failed to add Slack eyes reaction");
+    });
+
+    const clearReaction = () => {
+      if (cleared) return;
+      cleared = true;
+      clearTimeout(safetyTimer);
+      void addPromise.then(() =>
+        deliverChannelReply(
+          callbackUrl,
+          {
+            chatId,
+            assistantId,
+            reaction: { action: "remove", name: "eyes", messageTs },
+          },
+          mintBearerToken(),
+        ).catch((err) => {
+          log.debug(
+            { err, chatId, messageTs },
+            "Failed to remove Slack eyes reaction",
+          );
+        }),
+      );
+    };
+
+    const safetyTimer = setTimeout(clearReaction, SLACK_THINKING_MAX_DURATION_MS);
+    (safetyTimer as { unref?: () => void }).unref?.();
+
+    return clearReaction;
   }
 
   // Track the set promise so clear waits for it to settle first,