npm - @vellumai/assistant - Versions diffs - 0.5.5 → 0.5.6 - Mend

@vellumai/assistant 0.5.5 → 0.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (102) hide show

package/Dockerfile +3 -4
package/package.json +1 -1
package/src/__tests__/actor-token-service.test.ts +113 -0
package/src/__tests__/config-schema.test.ts +2 -2
package/src/__tests__/context-window-manager.test.ts +78 -0
package/src/__tests__/conversation-title-service.test.ts +30 -1
package/src/__tests__/docker-signing-key-bootstrap.test.ts +207 -0
package/src/__tests__/memory-regressions.test.ts +8 -30
package/src/__tests__/require-fresh-approval.test.ts +4 -0
package/src/__tests__/tool-executor-lifecycle-events.test.ts +4 -0
package/src/__tests__/tool-executor.test.ts +4 -0
package/src/cli/commands/conversations.ts +0 -18
package/src/config/env.ts +8 -2
package/src/config/feature-flag-registry.json +0 -8
package/src/config/schema.ts +0 -12
package/src/config/schemas/memory.ts +0 -4
package/src/config/schemas/platform.ts +1 -1
package/src/config/schemas/security.ts +4 -0
package/src/context/window-manager.ts +53 -2
package/src/daemon/config-watcher.ts +1 -4
package/src/daemon/conversation-agent-loop.ts +0 -60
package/src/daemon/conversation-memory.ts +0 -117
package/src/daemon/conversation-runtime-assembly.ts +0 -2
package/src/daemon/handlers/conversations.ts +0 -11
package/src/daemon/lifecycle.ts +3 -46
package/src/followups/followup-store.ts +5 -2
package/src/memory/conversation-crud.ts +0 -236
package/src/memory/conversation-title-service.ts +26 -10
package/src/memory/db-init.ts +5 -13
package/src/memory/indexer.ts +15 -106
package/src/memory/job-handlers/embedding.ts +0 -79
package/src/memory/job-utils.ts +1 -1
package/src/memory/jobs-store.ts +0 -8
package/src/memory/jobs-worker.ts +0 -20
package/src/memory/migrations/189-drop-simplified-memory.ts +42 -0
package/src/memory/migrations/index.ts +1 -3
package/src/memory/qdrant-client.ts +4 -6
package/src/memory/schema/conversations.ts +0 -3
package/src/memory/schema/index.ts +0 -2
package/src/messaging/draft-store.ts +2 -2
package/src/permissions/defaults.ts +3 -3
package/src/permissions/trust-client.ts +2 -13
package/src/permissions/trust-store.ts +8 -3
package/src/runtime/auth/route-policy.ts +14 -0
package/src/runtime/auth/token-service.ts +133 -0
package/src/runtime/http-server.ts +2 -0
package/src/runtime/routes/conversation-management-routes.ts +0 -36
package/src/runtime/routes/conversation-query-routes.ts +44 -2
package/src/runtime/routes/conversation-routes.ts +2 -1
package/src/runtime/routes/memory-item-routes.test.ts +221 -3
package/src/runtime/routes/memory-item-routes.ts +124 -2
package/src/runtime/routes/upgrade-broadcast-routes.ts +151 -0
package/src/schedule/schedule-store.ts +0 -21
package/src/skills/inline-command-render.ts +5 -1
package/src/skills/inline-command-runner.ts +30 -2
package/src/tools/memory/handlers.ts +1 -129
package/src/tools/permission-checker.ts +18 -0
package/src/tools/skills/load.ts +9 -2
package/src/util/platform.ts +5 -5
package/src/util/xml.ts +8 -0
package/src/workspace/heartbeat-service.ts +5 -24
package/src/__tests__/archive-recall.test.ts +0 -560
package/src/__tests__/conversation-memory-dirty-tail.test.ts +0 -150
package/src/__tests__/conversation-switch-memory-reduction.test.ts +0 -474
package/src/__tests__/db-memory-archive-migration.test.ts +0 -372
package/src/__tests__/db-memory-brief-state-migration.test.ts +0 -213
package/src/__tests__/db-memory-reducer-checkpoints.test.ts +0 -273
package/src/__tests__/memory-brief-open-loops.test.ts +0 -530
package/src/__tests__/memory-brief-time.test.ts +0 -285
package/src/__tests__/memory-brief-wrapper.test.ts +0 -311
package/src/__tests__/memory-chunk-archive.test.ts +0 -400
package/src/__tests__/memory-chunk-dual-write.test.ts +0 -453
package/src/__tests__/memory-episode-archive.test.ts +0 -370
package/src/__tests__/memory-episode-dual-write.test.ts +0 -626
package/src/__tests__/memory-observation-archive.test.ts +0 -375
package/src/__tests__/memory-observation-dual-write.test.ts +0 -318
package/src/__tests__/memory-reducer-job.test.ts +0 -538
package/src/__tests__/memory-reducer-scheduling.test.ts +0 -473
package/src/__tests__/memory-reducer-store.test.ts +0 -728
package/src/__tests__/memory-reducer-types.test.ts +0 -707
package/src/__tests__/memory-reducer.test.ts +0 -704
package/src/__tests__/memory-simplified-config.test.ts +0 -281
package/src/__tests__/simplified-memory-e2e.test.ts +0 -666
package/src/__tests__/simplified-memory-runtime.test.ts +0 -616
package/src/config/schemas/memory-simplified.ts +0 -101
package/src/memory/archive-recall.ts +0 -516
package/src/memory/archive-store.ts +0 -400
package/src/memory/brief-formatting.ts +0 -33
package/src/memory/brief-open-loops.ts +0 -266
package/src/memory/brief-time.ts +0 -162
package/src/memory/brief.ts +0 -75
package/src/memory/job-handlers/backfill-simplified-memory.ts +0 -462
package/src/memory/job-handlers/reduce-conversation-memory.ts +0 -229
package/src/memory/migrations/185-memory-brief-state.ts +0 -52
package/src/memory/migrations/186-memory-archive.ts +0 -109
package/src/memory/migrations/187-memory-reducer-checkpoints.ts +0 -19
package/src/memory/reducer-scheduler.ts +0 -242
package/src/memory/reducer-store.ts +0 -271
package/src/memory/reducer-types.ts +0 -106
package/src/memory/reducer.ts +0 -467
package/src/memory/schema/memory-archive.ts +0 -121
package/src/memory/schema/memory-brief.ts +0 -55

package/src/memory/job-handlers/embedding.ts CHANGED Viewed

@@ -11,10 +11,7 @@ import type { MemoryJob } from "../jobs-store.js";
 import { extractMediaBlocks } from "../message-content.js";
 import {
   mediaAssets,
-  memoryChunks,
-  memoryEpisodes,
   memoryItems,
-  memoryObservations,
   memorySegments,
   memorySummaries,
   messages,
@@ -93,26 +90,6 @@ export async function embedSummaryJob(
   );
 }
-export async function embedChunkJob(
-  job: MemoryJob,
-  config: AssistantConfig,
-): Promise<void> {
-  const chunkId = asString(job.payload.chunkId);
-  if (!chunkId) return;
-  const db = getDb();
-  const chunk = db
-    .select()
-    .from(memoryChunks)
-    .where(eq(memoryChunks.id, chunkId))
-    .get();
-  if (!chunk) return;
-  await embedAndUpsert(config, "chunk", chunk.id, chunk.content, {
-    observation_id: chunk.observationId,
-    created_at: chunk.createdAt,
-    memory_scope_id: chunk.scopeId,
-  });
-}
 export async function embedMediaJob(
   job: MemoryJob,
   config: AssistantConfig,
@@ -146,40 +123,6 @@ export async function embedMediaJob(
   });
 }
-export async function embedObservationJob(
-  job: MemoryJob,
-  config: AssistantConfig,
-): Promise<void> {
-  const observationId = asString(job.payload.observationId);
-  const chunkId = asString(job.payload.chunkId);
-  if (!observationId || !chunkId) return;
-  const db = getDb();
-  const observation = db
-    .select()
-    .from(memoryObservations)
-    .where(eq(memoryObservations.id, observationId))
-    .get();
-  if (!observation) return;
-  const chunk = db
-    .select()
-    .from(memoryChunks)
-    .where(eq(memoryChunks.id, chunkId))
-    .get();
-  if (!chunk) return;
-  await embedAndUpsert(config, "observation", chunk.id, chunk.content, {
-    observation_id: observationId,
-    conversation_id: observation.conversationId,
-    role: observation.role,
-    modality: observation.modality,
-    source: observation.source,
-    created_at: observation.createdAt,
-    memory_scope_id: observation.scopeId,
-  });
-}
 export async function embedAttachmentJob(
   job: MemoryJob,
   config: AssistantConfig,
@@ -216,25 +159,3 @@ export async function embedAttachmentJob(
     memory_scope_id: memoryScopeId,
   });
 }
-export async function embedEpisodeJob(
-  job: MemoryJob,
-  config: AssistantConfig,
-): Promise<void> {
-  const episodeId = asString(job.payload.episodeId);
-  if (!episodeId) return;
-  const db = getDb();
-  const episode = db
-    .select()
-    .from(memoryEpisodes)
-    .where(eq(memoryEpisodes.id, episodeId))
-    .get();
-  if (!episode) return;
-  const text = `[episode] ${episode.title}: ${episode.summary}`;
-  await embedAndUpsert(config, "episode", episode.id, text, {
-    conversation_id: episode.conversationId,
-    created_at: episode.startAt,
-    last_seen_at: episode.endAt,
-    memory_scope_id: episode.scopeId,
-  });
-}

package/src/memory/job-utils.ts CHANGED Viewed

@@ -142,7 +142,7 @@ export function truncate(text: string, max: number): string {
 export async function embedAndUpsert(
   config: AssistantConfig,
-  targetType: "segment" | "item" | "summary" | "observation" | "chunk" | "episode" | "media",
+  targetType: "segment" | "item" | "summary" | "media",
   targetId: string,
   input: EmbeddingInput,
   extraPayload?: Record<string, unknown>,

package/src/memory/jobs-store.ts CHANGED Viewed

@@ -12,9 +12,6 @@ export type MemoryJobType =
   | "embed_segment"
   | "embed_item"
   | "embed_summary"
-  | "embed_chunk"
-  | "embed_episode"
-  | "embed_observation"
   | "extract_items"
   | "extract_entities"
   | "cleanup_stale_superseded_items"
@@ -30,8 +27,6 @@ export type MemoryJobType =
   | "embed_media"
   | "embed_attachment"
   | "generate_conversation_starters"
-  | "reduce_conversation_memory"
-  | "backfill_simplified_memory"
   | "generate_capability_cards" // legacy compat — silently dropped by worker (capability cards removed)
   | "generate_thread_starters"; // legacy compat — silently dropped by worker (renamed to generate_conversation_starters)
@@ -39,9 +34,6 @@ const EMBED_JOB_TYPES: MemoryJobType[] = [
   "embed_segment",
   "embed_item",
   "embed_summary",
-  "embed_chunk",
-  "embed_episode",
-  "embed_observation",
   "embed_media",
   "embed_attachment",
 ];

package/src/memory/jobs-worker.ts CHANGED Viewed

@@ -3,7 +3,6 @@ import type { AssistantConfig } from "../config/types.js";
 import { getLogger } from "../util/logger.js";
 import { rawRun } from "./db.js";
 import { backfillJob } from "./job-handlers/backfill.js";
-import { backfillSimplifiedMemoryJob } from "./job-handlers/backfill-simplified-memory.js";
 import {
   cleanupStaleSupersededItemsJob,
   pruneOldConversationsJob,
@@ -12,11 +11,8 @@ import { generateConversationStartersJob } from "./job-handlers/conversation-sta
 // ── Per-job-type handlers ──────────────────────────────────────────
 import {
   embedAttachmentJob,
-  embedChunkJob,
-  embedEpisodeJob,
   embedItemJob,
   embedMediaJob,
-  embedObservationJob,
   embedSegmentJob,
   embedSummaryJob,
 } from "./job-handlers/embedding.js";
@@ -26,7 +22,6 @@ import {
   rebuildIndexJob,
 } from "./job-handlers/index-maintenance.js";
 import { mediaProcessingJob } from "./job-handlers/media-processing.js";
-import { reduceConversationMemoryJob } from "./job-handlers/reduce-conversation-memory.js";
 import { buildConversationSummaryJob } from "./job-handlers/summarization.js";
 import {
   BackendUnavailableError,
@@ -272,15 +267,6 @@ async function processJob(
     case "embed_summary":
       await embedSummaryJob(job, config);
       return;
-    case "embed_chunk":
-      await embedChunkJob(job, config);
-      return;
-    case "embed_episode":
-      await embedEpisodeJob(job, config);
-      return;
-    case "embed_observation":
-      await embedObservationJob(job, config);
-      return;
     case "extract_items":
       await extractItemsJob(job);
       return;
@@ -321,12 +307,6 @@ async function processJob(
     case "embed_attachment":
       await embedAttachmentJob(job, config);
       return;
-    case "reduce_conversation_memory":
-      await reduceConversationMemoryJob(job);
-      return;
-    case "backfill_simplified_memory":
-      await backfillSimplifiedMemoryJob(job);
-      return;
     case "generate_conversation_starters":
       await generateConversationStartersJob(job);
       return;

package/src/memory/migrations/189-drop-simplified-memory.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+/**
+ * Drop simplified-memory tables and reducer checkpoint columns added by
+ * the simplified-memory-v1 plan, reverting to the legacy item/tier/XML
+ * memory system.
+ */
+export function migrateDropSimplifiedMemory(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+  // Drop simplified-memory tables (idempotent — IF EXISTS).
+  raw.exec(`DROP TABLE IF EXISTS time_contexts`);
+  raw.exec(`DROP TABLE IF EXISTS open_loops`);
+  raw.exec(`DROP TABLE IF EXISTS memory_observations`);
+  raw.exec(`DROP TABLE IF EXISTS memory_chunks`);
+  raw.exec(`DROP TABLE IF EXISTS memory_episodes`);
+  // Remove reducer checkpoint columns from conversations.
+  // SQLite doesn't support DROP COLUMN before 3.35.0, but Bun's built-in
+  // SQLite is >= 3.38, so this is safe.
+  for (const col of [
+    "memory_reduced_through_message_id",
+    "memory_dirty_tail_since_message_id",
+    "memory_last_reduced_at",
+  ]) {
+    try {
+      raw.exec(`ALTER TABLE conversations DROP COLUMN ${col}`);
+    } catch {
+      // Column doesn't exist — already cleaned up.
+    }
+  }
+  // Remove embedding rows for archive target types that no longer exist.
+  try {
+    raw.exec(
+      `DELETE FROM memory_embeddings WHERE target_type IN ('observation', 'chunk', 'episode')`,
+    );
+  } catch {
+    // Column doesn't exist — table was never migrated to include target_type.
+  }
+}

package/src/memory/migrations/index.ts CHANGED Viewed

@@ -126,10 +126,8 @@ export { migrateRenameThreadStartersCheckpoints } from "./181-rename-thread-star
 export { migrateOAuthProvidersDisplayMetadata } from "./182-oauth-providers-display-metadata.js";
 export { migrateConversationForkLineage } from "./183-add-conversation-fork-lineage.js";
 export { migrateLlmRequestLogProvider } from "./184-llm-request-log-provider.js";
-export { migrateMemoryBriefState } from "./185-memory-brief-state.js";
-export { migrateMemoryArchiveTables } from "./186-memory-archive.js";
-export { migrateMemoryReducerCheckpoints } from "./187-memory-reducer-checkpoints.js";
 export { migrateScheduleQuietFlag } from "./188-schedule-quiet-flag.js";
+export { migrateDropSimplifiedMemory } from "./189-drop-simplified-memory.js";
 export {
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,

package/src/memory/qdrant-client.ts CHANGED Viewed

@@ -20,7 +20,7 @@ export interface QdrantClientConfig {
 }
 export interface QdrantPointPayload {
-  target_type: "segment" | "item" | "summary" | "observation" | "chunk" | "episode" | "media";
+  target_type: "segment" | "item" | "summary" | "media";
   target_id: string;
   text: string;
   kind?: string;
@@ -230,7 +230,7 @@ export class VellumQdrantClient {
   }
   async upsert(
-    targetType: "segment" | "item" | "summary" | "observation" | "chunk" | "episode" | "media",
+    targetType: "segment" | "item" | "summary" | "media",
     targetId: string,
     vector: number[],
     payload: Omit<QdrantPointPayload, "target_type" | "target_id">,
@@ -324,9 +324,7 @@ export class VellumQdrantClient {
   async searchWithFilter(
     vector: number[],
     limit: number,
-    targetTypes: Array<
-      "segment" | "item" | "summary" | "media" | "chunk" | "episode"
-    >,
+    targetTypes: Array<"segment" | "item" | "summary" | "media">,
     excludeMessageIds?: string[],
     scopeIds?: string[],
   ): Promise<QdrantSearchResult[]> {
@@ -349,7 +347,7 @@ export class VellumQdrantClient {
           },
           {
             key: "target_type",
-            match: { any: ["segment", "summary", "media", "chunk"] },
+            match: { any: ["segment", "summary", "media"] },
           },
         ],
       });

package/src/memory/schema/conversations.ts CHANGED Viewed

@@ -30,9 +30,6 @@ export const conversations = sqliteTable(
     forkParentMessageId: text("fork_parent_message_id"),
     isAutoTitle: integer("is_auto_title").notNull().default(1),
     scheduleJobId: text("schedule_job_id"),
-    memoryReducedThroughMessageId: text("memory_reduced_through_message_id"),
-    memoryDirtyTailSinceMessageId: text("memory_dirty_tail_since_message_id"),
-    memoryLastReducedAt: integer("memory_last_reduced_at"),
   },
   (table) => [
     index("idx_conversations_updated_at").on(table.updatedAt),

package/src/memory/schema/index.ts CHANGED Viewed

@@ -3,8 +3,6 @@ export * from "./contacts.js";
 export * from "./conversations.js";
 export * from "./guardian.js";
 export * from "./infrastructure.js";
-export * from "./memory-archive.js";
-export * from "./memory-brief.js";
 export * from "./memory-core.js";
 export * from "./notifications.js";
 export * from "./oauth.js";

package/src/messaging/draft-store.ts CHANGED Viewed

@@ -10,7 +10,7 @@ import { readdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { ensureDir, pathExists } from "../util/fs.js";
-import { getRootDir } from "../util/platform.js";
+import { getWorkspaceDir } from "../util/platform.js";
 export interface Draft {
   id: string;
@@ -25,7 +25,7 @@ export interface Draft {
 }
 function getDraftsDir(platform: string): string {
-  const dir = join(getRootDir(), "workspace", "data", "drafts", platform);
+  const dir = join(getWorkspaceDir(), "data", "drafts", platform);
   ensureDir(dir);
   return dir;
 }

package/src/permissions/defaults.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { join } from "node:path";
 import { getConfig } from "../config/loader.js";
 import { getBundledSkillsDir } from "../config/skills.js";
-import { getRootDir } from "../util/platform.js";
+import { getWorkspaceDir } from "../util/platform.js";
 export interface DefaultRuleTemplate {
   id: string;
@@ -116,7 +116,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // Workspace prompt files — the agent should always be able to read, edit,
   // and write these without prompting.  Also allow `rm BOOTSTRAP.md` so the
   // agent can delete it at the end of the onboarding ritual.
-  const workspaceDir = join(getRootDir(), "workspace").replaceAll("\\", "/");
+  const workspaceDir = getWorkspaceDir().replaceAll("\\", "/");
   const WORKSPACE_PROMPT_FILES = [
     "IDENTITY.md",
     "USER.md",
@@ -163,7 +163,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // Skill source directories — writing or editing skill source files should
   // require explicit user approval so a compromised agent loop cannot silently
   // modify skill code to escalate privileges.
-  const managedSkillsDir = join(getRootDir(), "workspace", "skills").replaceAll(
+  const managedSkillsDir = join(getWorkspaceDir(), "skills").replaceAll(
     "\\",
     "/",
   );

package/src/permissions/trust-client.ts CHANGED Viewed

@@ -33,17 +33,6 @@ export interface AcceptStarterBundleResult {
 // Helpers
 // ---------------------------------------------------------------------------
-/**
- * Resolve the gateway base URL for trust rule requests.
- *
- * Prefers the `GATEWAY_INTERNAL_URL` env var (set in Docker environments
- * where the gateway runs in a separate container), falling back to the
- * existing `getGatewayInternalBaseUrl()` helper for local deployments.
- */
-function getBaseUrl(): string {
-  return process.env.GATEWAY_INTERNAL_URL ?? getGatewayInternalBaseUrl();
-}
 function authHeaders(): Record<string, string> {
   return {
     Authorization: `Bearer ${mintDaemonDeliveryToken()}`,
@@ -60,7 +49,7 @@ async function request<T>(
   path: string,
   body?: unknown,
 ): Promise<T> {
-  const url = `${getBaseUrl()}${path}`;
+  const url = `${getGatewayInternalBaseUrl()}${path}`;
   const options: RequestInit = {
     method,
     headers: authHeaders(),
@@ -102,7 +91,7 @@ async function request<T>(
  * Write operations are user-initiated and infrequent, so blocking is acceptable.
  */
 function requestSync<T>(method: string, path: string, body?: unknown): T {
-  const url = `${getBaseUrl()}${path}`;
+  const url = `${getGatewayInternalBaseUrl()}${path}`;
   const headers = authHeaders();
   const args: string[] = [
     "curl",

package/src/permissions/trust-store.ts CHANGED Viewed

@@ -185,9 +185,10 @@ function backfillDefaults(rules: TrustRule[]): boolean {
     }
   }
-  // Migrate existing default rules whose priority, pattern, decision, or
-  // allowHighRisk has changed in the template (e.g. host_bash pattern changed
-  // from '*' to '**', host tool priorities changed from 1000 to 50).
+  // Migrate existing default rules whose priority, pattern, scope, decision,
+  // or allowHighRisk has changed in the template (e.g. host_bash pattern
+  // changed from '*' to '**', host tool priorities changed from 1000 to 50,
+  // workspace scope changed from getRootDir()+workspace to getWorkspaceDir()).
   for (const template of getDefaultRuleTemplates()) {
     if (existingIds.has(template.id)) {
       const rule = rules.find((r) => r.id === template.id);
@@ -195,6 +196,7 @@ function backfillDefaults(rules: TrustRule[]): boolean {
         rule &&
         (rule.priority !== template.priority ||
           rule.pattern !== template.pattern ||
+          rule.scope !== template.scope ||
           rule.decision !== template.decision ||
           rule.allowHighRisk !== template.allowHighRisk)
       ) {
@@ -205,11 +207,14 @@ function backfillDefaults(rules: TrustRule[]): boolean {
             newPriority: template.priority,
             oldPattern: rule.pattern,
             newPattern: template.pattern,
+            oldScope: rule.scope,
+            newScope: template.scope,
           },
           "Migrated default rule to updated template values",
         );
         rule.priority = template.priority;
         rule.pattern = template.pattern;
+        rule.scope = template.scope;
         rule.decision = template.decision;
         if (template.allowHighRisk != null) {
           rule.allowHighRisk = template.allowHighRisk;

package/src/runtime/auth/route-policy.ts CHANGED Viewed

@@ -176,6 +176,7 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Settings / integrations / identity
   { endpoint: "identity", scopes: ["settings.read"] },
+  { endpoint: "identity/intro", scopes: ["settings.read"] },
   { endpoint: "brain-graph", scopes: ["settings.read"] },
   { endpoint: "brain-graph-ui", scopes: ["settings.read"] },
   { endpoint: "contacts", scopes: ["settings.read"] },
@@ -347,6 +348,10 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "config/embeddings:GET", scopes: ["settings.read"] },
   { endpoint: "config/embeddings:PUT", scopes: ["settings.write"] },
+  // Permissions config
+  { endpoint: "config/permissions/skip:GET", scopes: ["settings.read"] },
+  { endpoint: "config/permissions/skip:PUT", scopes: ["settings.write"] },
   // Conversation management
   { endpoint: "conversations:DELETE", scopes: ["chat.write"] },
   { endpoint: "conversations/wipe", scopes: ["chat.write"] },
@@ -355,6 +360,9 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Conversation search
   { endpoint: "conversations/search", scopes: ["chat.read"] },
+  // Conversation starters
+  { endpoint: "conversation-starters", scopes: ["chat.read"] },
   // Message content
   { endpoint: "messages/content", scopes: ["chat.read"] },
   { endpoint: "messages/llm-context", scopes: ["chat.read"] },
@@ -498,3 +506,9 @@ for (const endpoint of INTERNAL_ENDPOINTS) {
     allowedPrincipalTypes: ["svc_gateway"],
   });
 }
+// Admin control-plane endpoints: gateway-only
+registerPolicy("admin/upgrade-broadcast", {
+  requiredScopes: ["internal.write"],
+  allowedPrincipalTypes: ["svc_gateway"],
+});

package/src/runtime/auth/token-service.ts CHANGED Viewed

@@ -28,6 +28,22 @@ import type { ScopeProfile, TokenAudience, TokenClaims } from "./types.js";
 const log = getLogger("token-service");
+// ---------------------------------------------------------------------------
+// Bootstrap sentinel error
+// ---------------------------------------------------------------------------
+/**
+ * Thrown when the gateway's signing-key bootstrap endpoint returns 403,
+ * indicating that bootstrap has already completed (daemon restart case).
+ * The caller should fall back to loading the key from disk.
+ */
+export class BootstrapAlreadyCompleted extends Error {
+  constructor() {
+    super("Gateway signing key bootstrap already completed");
+    this.name = "BootstrapAlreadyCompleted";
+  }
+}
 // ---------------------------------------------------------------------------
 // Signing key management
 // ---------------------------------------------------------------------------
@@ -78,6 +94,123 @@ export function loadOrCreateSigningKey(): Buffer {
   return newKey;
 }
+/**
+ * Fetch the shared signing key from the gateway's bootstrap endpoint.
+ *
+ * Used in Docker mode where the gateway owns the signing key and the daemon
+ * must fetch it at startup. Retries up to 30 times with 1s intervals to
+ * tolerate gateway startup delays.
+ *
+ * @returns A 32-byte Buffer containing the signing key.
+ * @throws {BootstrapAlreadyCompleted} If the gateway returns 403 (bootstrap
+ *   already completed — daemon restart case). Caller should fall back to
+ *   loading the key from disk.
+ * @throws {Error} If the gateway is unreachable after all retry attempts.
+ */
+export async function fetchSigningKeyFromGateway(): Promise<Buffer> {
+  const gatewayUrl = process.env.GATEWAY_INTERNAL_URL;
+  if (!gatewayUrl) {
+    throw new Error("GATEWAY_INTERNAL_URL not set — cannot fetch signing key");
+  }
+  const maxAttempts = 30;
+  const intervalMs = 1000;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    let resp: Response | undefined;
+    try {
+      resp = await fetch(`${gatewayUrl}/internal/signing-key-bootstrap`, {
+        signal: AbortSignal.timeout(5000),
+      });
+    } catch (err) {
+      log.warn(
+        { err, attempt },
+        "Signing key bootstrap: connection failed, retrying",
+      );
+      await Bun.sleep(intervalMs);
+      continue;
+    }
+    if (resp.ok) {
+      const body = (await resp.json()) as { key: string };
+      const keyBuf = Buffer.from(body.key, "hex");
+      if (keyBuf.length !== 32) {
+        throw new Error(`Invalid signing key length: ${keyBuf.length}`);
+      }
+      log.info("Signing key fetched from gateway bootstrap endpoint");
+      return keyBuf;
+    }
+    if (resp.status === 403) {
+      // Bootstrap already completed — fall through to file-based load.
+      // This happens on daemon restart when the gateway lockfile persists.
+      log.info(
+        "Gateway signing key bootstrap already completed — loading from disk",
+      );
+      throw new BootstrapAlreadyCompleted();
+    }
+    log.warn(
+      { status: resp.status, attempt },
+      "Signing key bootstrap: gateway not ready, retrying",
+    );
+    await Bun.sleep(intervalMs);
+  }
+  throw new Error("Signing key bootstrap: timed out waiting for gateway");
+}
+/**
+ * Persist a signing key to disk using an atomic-write pattern.
+ * Used after fetching the key from the gateway so daemon restarts can
+ * load it from disk when the gateway returns 403.
+ */
+function persistSigningKey(key: Buffer): void {
+  const keyPath = getSigningKeyPath();
+  const dir = dirname(keyPath);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  const tmpPath = keyPath + ".tmp." + process.pid;
+  writeFileSync(tmpPath, key, { mode: 0o600 });
+  renameSync(tmpPath, keyPath);
+  chmodSync(keyPath, 0o600);
+}
+/**
+ * Resolve the signing key for the current environment.
+ *
+ * In Docker mode (IS_CONTAINERIZED=true + GATEWAY_INTERNAL_URL set), fetches
+ * the key from the gateway's bootstrap endpoint and persists it locally for
+ * restart resilience. On daemon restart (gateway returns 403), falls back to
+ * loading the key from disk.
+ *
+ * In local mode, delegates to the existing file-based loadOrCreateSigningKey().
+ */
+export async function resolveSigningKey(): Promise<Buffer> {
+  const isContainerized = process.env.IS_CONTAINERIZED === "true";
+  const gatewayUrl = process.env.GATEWAY_INTERNAL_URL;
+  if (isContainerized && gatewayUrl) {
+    try {
+      const key = await fetchSigningKeyFromGateway();
+      // Persist locally so daemon restarts (where gateway returns 403) load from disk.
+      persistSigningKey(key);
+      return key;
+    } catch (err) {
+      if (err instanceof BootstrapAlreadyCompleted) {
+        // Gateway already bootstrapped (daemon restart) — load from disk.
+        return loadOrCreateSigningKey();
+      }
+      throw err;
+    }
+  }
+  // Local mode: use file-based load/create (unchanged behavior).
+  return loadOrCreateSigningKey();
+}
 function getSigningKey(): Buffer {
   if (!_authSigningKey) {
     if (process.env.NODE_ENV === "test") {

package/src/runtime/http-server.ts CHANGED Viewed

@@ -172,6 +172,7 @@ import { surfaceContentRouteDefinitions } from "./routes/surface-content-routes.
 import { telemetryRouteDefinitions } from "./routes/telemetry-routes.js";
 import { traceEventRouteDefinitions } from "./routes/trace-event-routes.js";
 import { trustRulesRouteDefinitions } from "./routes/trust-rules-routes.js";
+import { upgradeBroadcastRouteDefinitions } from "./routes/upgrade-broadcast-routes.js";
 import { usageRouteDefinitions } from "./routes/usage-routes.js";
 import { watchRouteDefinitions } from "./routes/watch-routes.js";
 import { workItemRouteDefinitions } from "./routes/work-items-routes.js";
@@ -918,6 +919,7 @@ export class RuntimeHttpServer {
         getCesClient: this.getCesClient,
       }),
       ...identityRouteDefinitions(),
+      ...upgradeBroadcastRouteDefinitions(),
       ...debugRouteDefinitions(),
       ...usageRouteDefinitions(),
       ...telemetryRouteDefinitions(),