@vellumai/assistant 0.5.16 → 0.6.1

package/src/runtime/routes/attachment-routes.ts

@@ -1,7 +1,8 @@
 /**
  * Route handlers for attachment upload, download, and deletion.
  */
-import { existsSync, statSync } from "node:fs";
+import { existsSync, realpathSync, statSync } from "node:fs";
+import { join, resolve, sep } from "node:path";
 
 import { z } from "zod";
 
@@ -11,12 +12,82 @@ import {
   getFilePathForAttachment,
   validateAttachmentUpload,
 } from "../../memory/attachments-store.js";
+import { getWorkspaceDir } from "../../util/platform.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 
 /** 150 MB — base64-encoded 100 MB attachment ≈ 134 MB plus JSON wrapper overhead. */
 const MAX_UPLOAD_BODY_BYTES = 150 * 1024 * 1024;
 
+function resolveCanonicalPath(filePath: string): string {
+  try {
+    return realpathSync(filePath);
+  } catch {
+    return resolve(filePath);
+  }
+}
+
+function isPathWithinDirectory(filePath: string, allowedDir: string): boolean {
+  return filePath === allowedDir || filePath.startsWith(allowedDir + sep);
+}
+
+function resolveAllowedAttachmentDirectories(): string[] {
+  const workspaceAttachmentsDir = join(
+    getWorkspaceDir(),
+    "data",
+    "attachments",
+  );
+  const recordingsDir = join(
+    process.env.HOME ?? "",
+    "Library/Application Support/vellum-assistant/recordings",
+  );
+  return [workspaceAttachmentsDir, recordingsDir].map((dir) => {
+    try {
+      return realpathSync(dir);
+    } catch {
+      return resolve(dir);
+    }
+  });
+}
+
+/**
+ * Check if a resolved path is inside a conversation attachments subdirectory.
+ * Matches: <conversationsDir>/<conversationId>/attachments/...
+ */
+function isConversationAttachmentPath(resolvedPath: string): boolean {
+  const conversationsDir = join(getWorkspaceDir(), "conversations");
+  let resolvedConversationsDir: string;
+  try {
+    resolvedConversationsDir = realpathSync(conversationsDir);
+  } catch {
+    resolvedConversationsDir = resolve(conversationsDir);
+  }
+
+  if (!isPathWithinDirectory(resolvedPath, resolvedConversationsDir)) {
+    return false;
+  }
+
+  // Extract the relative path after conversations/ and verify it contains
+  // an "attachments" segment: <conversationId>/attachments/...
+  const relativePath = resolvedPath.slice(resolvedConversationsDir.length + 1);
+  const segments = relativePath.split(sep);
+  return segments.length >= 3 && segments[1] === "attachments";
+}
+
+export function resolveAllowedFileBackedAttachmentPath(
+  filePath: string,
+): string | null {
+  const resolvedPath = resolveCanonicalPath(filePath);
+  const allowedDirs = resolveAllowedAttachmentDirectories();
+  if (allowedDirs.some((dir) => isPathWithinDirectory(resolvedPath, dir))) {
+    return resolvedPath;
+  }
+  if (isConversationAttachmentPath(resolvedPath)) {
+    return resolvedPath;
+  }
+  return null;
+}
+
 export async function handleUploadAttachment(req: Request): Promise<Response> {
   const rawBody = await req.arrayBuffer();
   if (rawBody.byteLength > MAX_UPLOAD_BODY_BYTES) {
@@ -56,14 +127,22 @@ export async function handleUploadAttachment(req: Request): Promise<Response> {
   // This supports retry of file-backed attachments (e.g. recordings) where the
   // client no longer holds the inline data but the file still exists on disk.
   if (filePath && typeof filePath === "string" && (!data || data === "")) {
-    if (!existsSync(filePath)) {
+    const resolvedPath = resolveAllowedFileBackedAttachmentPath(filePath);
+    if (!resolvedPath) {
+      return httpError(
+        "BAD_REQUEST",
+        "filePath is outside allowed upload directories",
+        400,
+      );
+    }
+    if (!existsSync(resolvedPath)) {
       return httpError("BAD_REQUEST", "filePath does not exist on disk", 400);
     }
-    const sizeBytes = statSync(filePath).size;
+    const sizeBytes = statSync(resolvedPath).size;
     attachment = attachmentsStore.uploadFileBackedAttachment(
       filename,
       mimeType,
-      filePath,
+      resolvedPath,
       sizeBytes,
     );
   } else {
@@ -130,24 +209,29 @@ export async function handleDeleteAttachment(req: Request): Promise<Response> {
 }
 
 function handleGetAttachment(attachmentId: string): Response {
+  // Use the file_path column to detect file-backed attachments, not string
+  // truthiness of dataBase64 (which would also match valid zero-byte uploads).
+  const isFileBacked = !!getFilePathForAttachment(attachmentId);
+
+  // Skip hydrating file data for file-backed attachments — clients should
+  // fetch content via GET /attachments/:id/content (which validates the path
+  // against the directory allowlist).
   const attachment = attachmentsStore.getAttachmentById(attachmentId, {
-    hydrateFileData: true,
+    hydrateFileData: !isFileBacked,
   });
   if (!attachment) {
     return httpError("NOT_FOUND", "Attachment not found", 404);
   }
 
-  // Use the file_path column to detect file-backed attachments, not string
-  // truthiness of dataBase64 (which would also match valid zero-byte uploads).
-  const isFileBacked = !!getFilePathForAttachment(attachmentId);
-
   return Response.json({
     id: attachment.id,
     filename: attachment.originalFilename,
     mimeType: attachment.mimeType,
     sizeBytes: attachment.sizeBytes,
     kind: attachment.kind,
-    data: attachment.dataBase64,
+    // Return null for file-backed attachments so the gateway's hydration check
+    // (payload.data == null) triggers a fetch from the /content endpoint.
+    data: isFileBacked ? null : attachment.dataBase64,
     // Signal to clients that they should fetch content via the /content endpoint
     ...(isFileBacked ? { fileBacked: true } : {}),
   });
@@ -162,21 +246,27 @@ export function handleGetAttachmentContent(
   attachmentId: string,
   req: Request,
 ): Response {
+  // Check for file-backed attachment first so we can skip hydration — file-backed
+  // content is served directly from disk via Bun.file, not from the hydrated base64.
+  const filePath = getFilePathForAttachment(attachmentId);
+  const isFileBacked = !!filePath;
+
   const attachment = attachmentsStore.getAttachmentById(attachmentId, {
-    hydrateFileData: true,
+    hydrateFileData: !isFileBacked,
   });
   if (!attachment) {
     return httpError("NOT_FOUND", "Attachment not found", 404);
   }
-
-  // Check for file-backed attachment
-  const filePath = getFilePathForAttachment(attachmentId);
   if (filePath) {
-    if (!existsSync(filePath)) {
+    const resolvedPath = resolveAllowedFileBackedAttachmentPath(filePath);
+    if (!resolvedPath) {
+      return httpError("NOT_FOUND", "Attachment content not found", 404);
+    }
+    if (!existsSync(resolvedPath)) {
       return httpError("NOT_FOUND", "Recording file not found on disk", 404);
     }
 
-    const file = Bun.file(filePath);
+    const file = Bun.file(resolvedPath);
     const rangeHeader = req.headers.get("Range");
 
     if (rangeHeader) {

package/src/runtime/routes/avatar-routes.ts

@@ -1,5 +1,3 @@
-import { join } from "node:path";
-
 import { z } from "zod";
 
 import { getCharacterComponents } from "../../avatar/character-components.js";
@@ -8,7 +6,7 @@ import {
   writeTraitsAndRenderAvatar,
 } from "../../avatar/traits-png-sync.js";
 import { getLogger } from "../../util/logger.js";
-import { getWorkspaceDir } from "../../util/platform.js";
+import { getAvatarImagePath } from "../../util/platform.js";
 import { buildAssistantEvent } from "../assistant-event.js";
 import { assistantEventHub } from "../assistant-event-hub.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
@@ -18,12 +16,7 @@ import type { RouteDefinition } from "../http-router.js";
 const log = getLogger("avatar-routes");
 
 function publishAvatarUpdated(): void {
-  const avatarPath = join(
-    getWorkspaceDir(),
-    "data",
-    "avatar",
-    "avatar-image.png",
-  );
+  const avatarPath = getAvatarImagePath();
   assistantEventHub
     .publish(
       buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, {

package/src/runtime/routes/brain-graph-routes.ts

@@ -2,7 +2,7 @@
  * Route handlers for the brain graph visualization endpoint.
  *
  * Queries the memory database to return a knowledge graph shaped for brain-lobe
- * visualization, with memory items mapped to brain regions based on their kind.
+ * visualization, with memory items mapped to brain regions based on their type.
  */
 
 import { readFileSync } from "node:fs";
@@ -12,24 +12,28 @@ import { count } from "drizzle-orm";
 import { z } from "zod";
 
 import { getDb } from "../../memory/db.js";
-import { memoryItems } from "../../memory/schema.js";
+import { memoryGraphNodes } from "../../memory/schema.js";
 import { resolveBundledDir } from "../../util/bundled-asset.js";
 import type { RouteDefinition } from "../http-router.js";
 
 function getMemoryKindColor(kind: string): string {
   switch (kind) {
-    case "identity":
-      return "#8b5cf6";
-    case "preference":
-      return "#3b82f6";
-    case "project":
-      return "#10b981";
-    case "decision":
-      return "#f59e0b";
-    case "constraint":
-      return "#ef4444";
-    case "event":
-      return "#ec4899";
+    case "episodic":
+      return "#ec4899"; // pink — specific moments/events
+    case "semantic":
+      return "#3b82f6"; // blue — facts/knowledge
+    case "procedural":
+      return "#10b981"; // green — skills/how-to
+    case "emotional":
+      return "#ef4444"; // red — feelings
+    case "prospective":
+      return "#f59e0b"; // amber — future-oriented
+    case "behavioral":
+      return "#8b5cf6"; // violet — behavioral patterns
+    case "narrative":
+      return "#6366f1"; // indigo — stories
+    case "shared":
+      return "#14b8a6"; // teal — relationship memories
     default:
       return "#94a3b8";
   }
@@ -41,11 +45,11 @@ function handleGetBrainGraph(): Response {
 
     const kindCountRows = db
       .select({
-        kind: memoryItems.kind,
+        kind: memoryGraphNodes.type,
         count: count(),
       })
-      .from(memoryItems)
-      .groupBy(memoryItems.kind)
+      .from(memoryGraphNodes)
+      .groupBy(memoryGraphNodes.type)
       .all();
 
     const memorySummary = kindCountRows.map((row) => ({
@@ -86,9 +90,6 @@ export function handleServeBrainGraphUI(bearerToken?: string): Response {
     );
     let html = readFileSync(join(brainGraphDir, "brain-graph.html"), "utf-8");
     if (bearerToken) {
-      // Inject token as a meta tag for client-side fetch authentication.
-      // HTML-escape the token value to guard against injection if the token
-      // comes from an environment variable with special characters.
       const escapedToken = bearerToken
         .replace(/&/g, "&")
         .replace(/"/g, """)
@@ -99,8 +100,6 @@ export function handleServeBrainGraphUI(bearerToken?: string): Response {
         `  <meta name="api-token" content="${escapedToken}">\n</head>`,
       );
     }
-    // CSP permits the CDN sources required by D3.js and Three.js.
-    // 'unsafe-eval' is needed by Three.js's shader compilation path.
     const csp = [
       "default-src 'self'",
       "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://d3js.org",

package/src/runtime/routes/btw-routes.ts

@@ -16,6 +16,8 @@ import { existsSync, readFileSync } from "node:fs";
 
 import { z } from "zod";
 
+import { getConfig } from "../../config/loader.js";
+import { readNowScratchpad } from "../../daemon/conversation-runtime-assembly.js";
 import { getConversationByKey } from "../../memory/conversation-key-store.js";
 import {
   resolveChannelPersona,
@@ -35,6 +37,9 @@ const log = getLogger("btw-routes");
 /** Conversation key used by the client for identity intro generation. */
 const IDENTITY_INTRO_KEY = "identity-intro";
 
+/** Conversation key used by the client for empty-state greeting generation. */
+const GREETING_KEY = "greeting";
+
 /**
  * Parse the `## Identity Intro` section from SOUL.md.
  * Returns the first non-empty line under that heading, or null.
@@ -132,6 +137,18 @@ async function handleBtw(
     }
   }
 
+  // ----- Greeting context enrichment -----
+  // Inject NOW.md scratchpad so the model has contextual awareness (mood,
+  // current activity) and produces varied, relevant greetings instead of
+  // the same deterministic output each time.
+  let effectiveContent = trimmedContent;
+  if (conversationKey === GREETING_KEY) {
+    const now = readNowScratchpad();
+    if (now) {
+      effectiveContent = `${trimmedContent}\n\n<context>\n${now}\n</context>`;
+    }
+  }
+
   // Look up an existing conversation — never create one.  BTW is ephemeral
   // (the file header promises "No messages are persisted"), so we must not
   // call getOrCreateConversation which would insert a DB row.  When no
@@ -150,14 +167,18 @@ async function handleBtw(
       (async () => {
         try {
           const isIntroRequest = conversationKey === IDENTITY_INTRO_KEY;
+          const isGreeting = conversationKey === GREETING_KEY;
           const userPersona = resolveGuardianPersona();
           const channelPersona = resolveChannelPersona(undefined);
           const result = await runBtwSidechain({
-            content: trimmedContent,
+            content: effectiveContent,
             conversation,
             signal: req.signal,
             userPersona,
             channelPersona,
+            ...(isGreeting
+              ? { modelIntent: getConfig().ui.greetingModelIntent }
+              : {}),
             onEvent: (event) => {
               if (event.type === "text_delta") {
                 controller.enqueue(

package/src/runtime/routes/conversation-analysis-routes.ts

@@ -0,0 +1,173 @@
+/**
+ * Route handler for conversation analysis.
+ *
+ * POST /v1/conversations/:id/analyze — analyze a conversation via a new
+ * agent loop that produces a structured self-assessment.
+ */
+
+import type { ServerMessage } from "../../daemon/message-protocol.js";
+import {
+  addMessage,
+  createConversation,
+  getConversation,
+  getMessages,
+} from "../../memory/conversation-crud.js";
+import { resolveConversationId } from "../../memory/conversation-key-store.js";
+import { getLogger } from "../../util/logger.js";
+import { buildAssistantEvent } from "../assistant-event.js";
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+import type { SendMessageDeps } from "../http-types.js";
+import { resolveLocalTrustContext } from "../local-actor-identity.js";
+
+const log = getLogger("conversation-analysis-routes");
+
+// ---------------------------------------------------------------------------
+// Dependency types — injected by the daemon at wiring time
+// ---------------------------------------------------------------------------
+
+export interface ConversationAnalysisDeps {
+  sendMessageDeps: SendMessageDeps;
+  buildConversationDetailResponse: (
+    id: string,
+  ) => Record<string, unknown> | null;
+}
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function conversationAnalysisRouteDefinitions(
+  deps: ConversationAnalysisDeps,
+): RouteDefinition[] {
+  return [
+    {
+      endpoint: "conversations/:id/analyze",
+      method: "POST",
+      policyKey: "conversations/analyze",
+      summary: "Analyze a conversation",
+      description:
+        "Create a new conversation with a structured self-assessment of an existing conversation.",
+      tags: ["conversations"],
+      handler: async ({ params }) => {
+        // a. Resolve conversation ID
+        const resolvedId = resolveConversationId(params.id);
+        if (!resolvedId) {
+          return httpError(
+            "NOT_FOUND",
+            `Conversation ${params.id} not found`,
+            404,
+          );
+        }
+
+        // b. Load the conversation
+        const conversation = getConversation(resolvedId);
+        if (!conversation) {
+          return httpError(
+            "NOT_FOUND",
+            `Conversation ${resolvedId} not found`,
+            404,
+          );
+        }
+
+        // c. Reject private conversations
+        if (conversation.conversationType === "private") {
+          return httpError(
+            "FORBIDDEN",
+            "Private conversations cannot be analyzed",
+            403,
+          );
+        }
+
+        // d. Check for messages
+        const existingMessages = getMessages(resolvedId);
+        if (existingMessages.length === 0) {
+          return httpError(
+            "BAD_REQUEST",
+            "Conversation has no messages to analyze",
+            400,
+          );
+        }
+
+        // e. Build the analysis transcript
+        const { buildAnalysisTranscript } =
+          await import("../../export/transcript-formatter.js");
+        const transcript = buildAnalysisTranscript(resolvedId);
+
+        // f. Create a new conversation for the analysis
+        const newConv = createConversation({
+          title: `Analysis: ${conversation.title ?? "Untitled"}`,
+        });
+
+        // g. Build the analysis prompt
+        const prompt = `<transcript>
+${transcript}
+</transcript>
+
+Analyze the conversation above. Provide a structured self-assessment:
+
+1. **Summary**: What was the user trying to accomplish? What was the outcome?
+2. **What went well**: Effective tool usage, good reasoning, helpful responses, problem-solving patterns.
+3. **What went wrong**: Errors, unnecessary tool calls, incorrect assumptions, wasted turns, misunderstandings.
+4. **Root causes**: Why did failures happen? Missing context? Wrong approach? Tool limitations?
+5. **Recommendations**: Specific, actionable improvements for similar conversations next time.
+
+Be honest and specific. Reference particular moments in the transcript. Focus on patterns that generalize beyond this specific conversation.
+
+If you identify insights worth remembering for future conversations, use your memory tools to save them.`;
+
+        // h. Persist the user message
+        const message = await addMessage(
+          newConv.id,
+          "user",
+          JSON.stringify([{ type: "text", text: prompt }]),
+          { provenanceTrustClass: "guardian" as const },
+        );
+        const messageId = message.id;
+
+        // i. Load the conversation into memory and set guardian trust context
+        const analysisConversation =
+          await deps.sendMessageDeps.getOrCreateConversation(newConv.id);
+        analysisConversation.setTrustContext(resolveLocalTrustContext("vellum"));
+        await analysisConversation.ensureActorScopedHistory();
+
+        // j. Build onEvent using inline hub publisher
+        const onEvent = (msg: ServerMessage) => {
+          deps.sendMessageDeps.assistantEventHub.publish(
+            buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, msg, newConv.id),
+          );
+        };
+
+        // k. Set up processing state (required by runAgentLoop guard)
+        analysisConversation.processing = true;
+        analysisConversation.abortController = new AbortController();
+        analysisConversation.currentRequestId = crypto.randomUUID();
+
+        // l. Fire-and-forget the agent loop
+        analysisConversation
+          .runAgentLoop(prompt, messageId, onEvent, {
+            isInteractive: false,
+            isUserMessage: true,
+          })
+          .catch((err) => {
+            log.error(
+              { err, conversationId: newConv.id },
+              "Analysis agent loop failed",
+            );
+          });
+
+        // m. Return the new conversation detail
+        const detail = deps.buildConversationDetailResponse(newConv.id);
+        if (!detail) {
+          return httpError(
+            "INTERNAL_ERROR",
+            `Analysis conversation ${newConv.id} could not be loaded`,
+            500,
+          );
+        }
+        return Response.json(detail);
+      },
+    },
+  ];
+}

package/src/runtime/routes/conversation-management-routes.ts

@@ -344,12 +344,6 @@ export function conversationManagementRouteDefinitions(
             targetId: segId,
           });
         }
-        for (const itemId of result.orphanedItemIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "item",
-            targetId: itemId,
-          });
-        }
         for (const summaryId of result.deletedSummaryIds) {
           enqueueMemoryJob("delete_qdrant_vectors", {
             targetType: "summary",
@@ -359,7 +353,6 @@ export function conversationManagementRouteDefinitions(
         log.info(
           {
             conversationId: resolvedId,
-            unsuperseded: result.unsupersededItemIds.length,
             summariesDeleted: result.deletedSummaryIds.length,
             jobsCancelled: result.cancelledJobCount,
           },
@@ -367,7 +360,7 @@ export function conversationManagementRouteDefinitions(
         );
         return Response.json({
           wiped: true,
-          unsupersededItems: result.unsupersededItemIds.length,
+          unsupersededItems: 0,
           deletedSummaries: result.deletedSummaryIds.length,
           cancelledJobs: result.cancelledJobCount,
         });
@@ -417,12 +410,6 @@ export function conversationManagementRouteDefinitions(
             targetId: segId,
           });
         }
-        for (const itemId of deleted.orphanedItemIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "item",
-            targetId: itemId,
-          });
-        }
         for (const summaryId of deleted.deletedSummaryIds) {
           enqueueMemoryJob("delete_qdrant_vectors", {
             targetType: "summary",
@@ -528,6 +515,7 @@ export function conversationManagementRouteDefinitions(
             conversationId: string;
             displayOrder?: number;
             isPinned?: boolean;
+            groupId?: string | null;
           }>;
         };
         if (!Array.isArray(body.updates)) {
@@ -538,6 +526,7 @@ export function conversationManagementRouteDefinitions(
             id: u.conversationId,
             displayOrder: u.displayOrder ?? null,
             isPinned: u.isPinned ?? false,
+            groupId: u.groupId,
           })),
         );
         return Response.json({ ok: true });

package/src/runtime/routes/conversation-query-routes.ts

@@ -43,7 +43,10 @@ import {
 } from "../../daemon/handlers/conversation-history.js";
 import { deleteQueuedMessage } from "../../daemon/handlers/conversations.js";
 import { getAssistantMessageIdsInTurn } from "../../memory/conversation-crud.js";
-import { getRequestLogsByMessageId } from "../../memory/llm-request-log-store.js";
+import {
+  getRequestLogById,
+  getRequestLogsByMessageId,
+} from "../../memory/llm-request-log-store.js";
 import { getMemoryRecallLogByMessageIds } from "../../memory/memory-recall-log-store.js";
 import { resolvePricingForUsage } from "../../util/pricing.js";
 import { httpError } from "../http-errors.js";
@@ -487,8 +490,8 @@ export function conversationQueryRouteDefinitions(
             );
             return {
               id: log.id,
-              requestPayload,
-              responsePayload,
+              requestPayload: null,
+              responsePayload: null,
               createdAt: log.createdAt,
               ...result,
             };
@@ -498,6 +501,49 @@ export function conversationQueryRouteDefinitions(
       },
     },
 
+    // ── Raw payload for a single LLM request log ─────────────────────
+    {
+      endpoint: "llm-request-logs/:id/payload",
+      method: "GET",
+      policyKey: "llm-request-logs/payload",
+      summary: "Get raw payload for a single LLM request log",
+      description:
+        "Return the full request and response payloads for a specific log entry.",
+      tags: ["messages"],
+      responseBody: z.object({
+        id: z.string(),
+        requestPayload: z.unknown(),
+        responsePayload: z.unknown(),
+      }),
+      handler: ({ params }) => {
+        const logId = params.id;
+        if (!logId) {
+          return httpError("BAD_REQUEST", "log id is required", 400);
+        }
+        const log = getRequestLogById(logId);
+        if (!log) {
+          return httpError("NOT_FOUND", "log not found", 404);
+        }
+        let requestPayload: unknown;
+        try {
+          requestPayload = JSON.parse(log.requestPayload);
+        } catch {
+          requestPayload = log.requestPayload;
+        }
+        let responsePayload: unknown;
+        try {
+          responsePayload = JSON.parse(log.responsePayload);
+        } catch {
+          responsePayload = log.responsePayload;
+        }
+        return Response.json({
+          id: log.id,
+          requestPayload,
+          responsePayload,
+        });
+      },
+    },
+
     // ── Delete queued message ─────────────────────────────────────────
     {
       endpoint: "messages/queued/:id",