@vellumai/assistant 0.5.5 → 0.5.6

package/src/runtime/routes/conversation-management-routes.ts

@@ -275,24 +275,6 @@ export function conversationManagementRouteDefinitions(
             targetId: summaryId,
           });
         }
-        for (const obsId of result.deletedObservationIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "observation",
-            targetId: obsId,
-          });
-        }
-        for (const chunkId of result.deletedChunkIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "chunk",
-            targetId: chunkId,
-          });
-        }
-        for (const episodeId of result.deletedEpisodeIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "episode",
-            targetId: episodeId,
-          });
-        }
         log.info(
           {
             conversationId: resolvedId,
@@ -349,24 +331,6 @@ export function conversationManagementRouteDefinitions(
             targetId: summaryId,
           });
         }
-        for (const obsId of deleted.deletedObservationIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "observation",
-            targetId: obsId,
-          });
-        }
-        for (const chunkId of deleted.deletedChunkIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "chunk",
-            targetId: chunkId,
-          });
-        }
-        for (const episodeId of deleted.deletedEpisodeIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "episode",
-            targetId: episodeId,
-          });
-        }
         log.info({ conversationId: resolvedId }, "Deleted conversation");
         return new Response(null, { status: 204 });
       },

package/src/runtime/routes/conversation-query-routes.ts

@@ -1,7 +1,7 @@
 /**
  * HTTP route definitions for model configuration, embedding configuration,
- * conversation search, message content, LLM context inspection, and queued
- * message deletion.
+ * permissions configuration, conversation search, message content, LLM
+ * context inspection, and queued message deletion.
  *
  * These routes expose conversation query functionality over the HTTP API.
  *
@@ -10,12 +10,15 @@
  * PUT    /v1/model/image-gen            — set image-gen model
  * GET    /v1/config/embeddings          — current embedding config
  * PUT    /v1/config/embeddings          — set embedding provider/model
+ * GET    /v1/config/permissions/skip    — dangerouslySkipPermissions status
+ * PUT    /v1/config/permissions/skip    — toggle dangerouslySkipPermissions
  * GET    /v1/conversations/search       — search conversations
  * GET    /v1/messages/:id/content       — full message content
  * GET    /v1/messages/:id/llm-context   — LLM request logs for a message
  * DELETE /v1/messages/queued/:id        — delete queued message
  */
 
+import { getConfig, loadRawConfig, saveRawConfig } from "../../config/loader.js";
 import { VALID_MEMORY_EMBEDDING_PROVIDERS } from "../../config/schemas/memory-storage.js";
 import { VALID_INFERENCE_PROVIDERS } from "../../config/schemas/services.js";
 import {
@@ -250,6 +253,45 @@ export function conversationQueryRouteDefinitions(
       },
     },
 
+    // ── Permissions config ─────────────────────────────────────────────
+    {
+      endpoint: "config/permissions/skip",
+      method: "GET",
+      policyKey: "config/permissions/skip",
+      handler: () => {
+        const config = getConfig();
+        return Response.json({
+          enabled: config.permissions.dangerouslySkipPermissions,
+        });
+      },
+    },
+    {
+      endpoint: "config/permissions/skip",
+      method: "PUT",
+      policyKey: "config/permissions/skip",
+      handler: async ({ req }) => {
+        const body = (await req.json()) as { enabled?: unknown };
+        if (typeof body.enabled !== "boolean") {
+          return httpError(
+            "BAD_REQUEST",
+            "Missing or invalid field: enabled (boolean)",
+            400,
+          );
+        }
+        const raw = loadRawConfig();
+        const permissions: Record<string, unknown> =
+          raw.permissions != null &&
+          typeof raw.permissions === "object" &&
+          !Array.isArray(raw.permissions)
+            ? (raw.permissions as Record<string, unknown>)
+            : {};
+        permissions.dangerouslySkipPermissions = body.enabled;
+        raw.permissions = permissions;
+        saveRawConfig(raw);
+        return Response.json({ enabled: body.enabled });
+      },
+    },
+
     // ── Conversation search ───────────────────────────────────────────
     {
       endpoint: "conversations/search",

package/src/runtime/routes/conversation-routes.ts

@@ -637,6 +637,7 @@ export async function handleSendMessage(
     interface?: string;
     conversationType?: string;
     automated?: boolean;
+    bypassSecretCheck?: boolean;
   };
 
   const { conversationKey, content, attachmentIds } = body;
@@ -708,7 +709,7 @@ export async function handleSendMessage(
   // This mirrors the legacy handleUserMessage behavior: secrets are
   // detected and the message is rejected with a safe notice. The client
   // should prompt the user to use the secure credential flow instead.
-  if (trimmedContent.length > 0) {
+  if (trimmedContent.length > 0 && !body.bypassSecretCheck) {
     const ingressCheck = checkIngressForSecrets(trimmedContent);
     if (ingressCheck.blocked) {
       log.warn(

package/src/runtime/routes/memory-item-routes.test.ts

@@ -37,13 +37,55 @@ mock.module("../../util/logger.js", () => ({
     }),
 }));
 
-// Stub config loader
+// Stub config loader — returns a config with memory enabled by default
 mock.module("../../config/loader.js", () => ({
-  loadConfig: () => ({}),
-  getConfig: () => ({}),
+  loadConfig: () => mockConfig,
+  getConfig: () => mockConfig,
   invalidateConfigCache: () => {},
 }));
 
+// ── Controllable mocks for semantic search ─────────────────────────────
+const mockConfig: unknown = {};
+
+let mockBackendStatus: {
+  enabled: boolean;
+  provider: string | null;
+  model: string | null;
+} = { enabled: false, provider: null, model: null };
+
+const mockEmbedResult: {
+  provider: string;
+  model: string;
+  vectors: number[][];
+} = { provider: "local", model: "test", vectors: [[0.1, 0.2, 0.3]] };
+
+let mockHybridSearchResults: Array<{
+  id: string;
+  score: number;
+  payload: Record<string, unknown>;
+}> = [];
+
+mock.module("../../memory/embedding-backend.js", () => ({
+  getMemoryBackendStatus: async () => mockBackendStatus,
+  embedWithBackend: async () => mockEmbedResult,
+  generateSparseEmbedding: () => ({
+    indices: [0, 1, 2],
+    values: [0.5, 0.3, 0.2],
+  }),
+}));
+
+mock.module("../../memory/qdrant-client.js", () => ({
+  getQdrantClient: () => ({
+    hybridSearch: async () => [...mockHybridSearchResults],
+    searchWithFilter: async () => [...mockHybridSearchResults],
+  }),
+  initQdrantClient: () => {},
+}));
+
+mock.module("../../memory/qdrant-circuit-breaker.js", () => ({
+  withQdrantBreaker: async (fn: () => Promise<unknown>) => fn(),
+}));
+
 import { and, eq } from "drizzle-orm";
 
 import { getDb, initializeDb, resetDb } from "../../memory/db.js";
@@ -392,6 +434,182 @@ describe("Memory Item Routes", () => {
       const res = await handler(ctx);
       expect(res.status).toBe(400);
     });
+
+    // ── Semantic / hybrid search ──────────────────────────────────────
+
+    test("uses semantic search when embedding backend is available", async () => {
+      insertItem({
+        id: "i1",
+        kind: "preference",
+        subject: "dark mode",
+        statement: "User prefers dark mode",
+      });
+      insertItem({
+        id: "i2",
+        kind: "identity",
+        subject: "name",
+        statement: "User name is Alice",
+      });
+
+      // Enable semantic search
+      mockBackendStatus = {
+        enabled: true,
+        provider: "local",
+        model: "test",
+      };
+      // Qdrant returns i2 first (higher relevance), then i1
+      mockHybridSearchResults = [
+        {
+          id: "pt-2",
+          score: 0.95,
+          payload: { target_type: "item", target_id: "i2" },
+        },
+        {
+          id: "pt-1",
+          score: 0.7,
+          payload: { target_type: "item", target_id: "i1" },
+        },
+      ];
+
+      const ctx = makeCtx({ search: "alice" });
+      const res = await handler(ctx);
+      const body = (await res.json()) as {
+        items: Array<{ id: string }>;
+        total: number;
+      };
+
+      // Results in Qdrant relevance order (i2 first)
+      expect(body.items.length).toBe(2);
+      expect(body.items[0].id).toBe("i2");
+      expect(body.items[1].id).toBe("i1");
+      expect(body.total).toBe(2);
+
+      // Reset
+      mockBackendStatus = { enabled: false, provider: null, model: null };
+      mockHybridSearchResults = [];
+    });
+
+    test("falls back to SQL LIKE when backend is unavailable", async () => {
+      insertItem({
+        id: "i1",
+        kind: "preference",
+        subject: "dark mode",
+        statement: "User prefers dark mode",
+      });
+      insertItem({
+        id: "i2",
+        kind: "identity",
+        subject: "name",
+        statement: "User name is Alice",
+      });
+
+      // Backend unavailable
+      mockBackendStatus = { enabled: false, provider: null, model: null };
+      mockHybridSearchResults = [];
+
+      const ctx = makeCtx({ search: "dark" });
+      const res = await handler(ctx);
+      const body = (await res.json()) as {
+        items: Array<{ id: string }>;
+        total: number;
+      };
+
+      // SQL LIKE fallback finds "dark" in subject/statement
+      expect(body.total).toBe(1);
+      expect(body.items[0].id).toBe("i1");
+    });
+
+    test("semantic search respects pagination", async () => {
+      insertItem({
+        id: "i1",
+        kind: "preference",
+        subject: "s1",
+        statement: "first item",
+      });
+      insertItem({
+        id: "i2",
+        kind: "preference",
+        subject: "s2",
+        statement: "second item",
+      });
+      insertItem({
+        id: "i3",
+        kind: "preference",
+        subject: "s3",
+        statement: "third item",
+      });
+
+      mockBackendStatus = {
+        enabled: true,
+        provider: "local",
+        model: "test",
+      };
+      mockHybridSearchResults = [
+        {
+          id: "pt-1",
+          score: 0.9,
+          payload: { target_type: "item", target_id: "i1" },
+        },
+        {
+          id: "pt-2",
+          score: 0.8,
+          payload: { target_type: "item", target_id: "i2" },
+        },
+        {
+          id: "pt-3",
+          score: 0.7,
+          payload: { target_type: "item", target_id: "i3" },
+        },
+      ];
+
+      // Request page 2 (offset=1, limit=1)
+      const ctx = makeCtx({ search: "item", limit: "1", offset: "1" });
+      const res = await handler(ctx);
+      const body = (await res.json()) as {
+        items: Array<{ id: string }>;
+        total: number;
+      };
+
+      expect(body.items.length).toBe(1);
+      expect(body.items[0].id).toBe("i2"); // second by relevance
+      expect(body.total).toBe(3);
+
+      // Reset
+      mockBackendStatus = { enabled: false, provider: null, model: null };
+      mockHybridSearchResults = [];
+    });
+
+    test("falls back to SQL when semantic returns empty results", async () => {
+      insertItem({
+        id: "i1",
+        kind: "preference",
+        subject: "dark mode",
+        statement: "User prefers dark mode",
+      });
+
+      mockBackendStatus = {
+        enabled: true,
+        provider: "local",
+        model: "test",
+      };
+      // Qdrant returns nothing
+      mockHybridSearchResults = [];
+
+      const ctx = makeCtx({ search: "dark" });
+      const res = await handler(ctx);
+      const body = (await res.json()) as {
+        items: Array<{ id: string }>;
+        total: number;
+      };
+
+      // Falls through to SQL LIKE
+      expect(body.total).toBe(1);
+      expect(body.items[0].id).toBe("i1");
+
+      // Reset
+      mockBackendStatus = { enabled: false, provider: null, model: null };
+      mockHybridSearchResults = [];
+    });
   });
 
   // =========================================================================

package/src/runtime/routes/memory-item-routes.ts

@@ -11,18 +11,29 @@
 import { and, asc, count, desc, eq, inArray, like, ne, or } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
+import { getConfig } from "../../config/loader.js";
 import { getDb } from "../../memory/db.js";
+import {
+  embedWithBackend,
+  generateSparseEmbedding,
+  getMemoryBackendStatus,
+} from "../../memory/embedding-backend.js";
 import { computeMemoryFingerprint } from "../../memory/fingerprint.js";
 import { enqueueMemoryJob } from "../../memory/jobs-store.js";
+import { withQdrantBreaker } from "../../memory/qdrant-circuit-breaker.js";
+import { getQdrantClient } from "../../memory/qdrant-client.js";
 import {
   conversations,
   memoryEmbeddings,
   memoryItems,
 } from "../../memory/schema.js";
+import { getLogger } from "../../util/logger.js";
 import { truncate } from "../../util/truncate.js";
 import { httpError } from "../http-errors.js";
 import type { RouteContext, RouteDefinition } from "../http-router.js";
 
+const log = getLogger("memory-item-routes");
+
 // ---------------------------------------------------------------------------
 // Constants
 // ---------------------------------------------------------------------------
@@ -116,11 +127,76 @@ function buildConversationTitleMap(
   return map;
 }
 
+// ---------------------------------------------------------------------------
+// Semantic search helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Attempt hybrid semantic search for memory items via Qdrant.
+ * Returns ordered item IDs + total count on success, or `null` when
+ * the embedding backend / Qdrant is unavailable (caller falls back to SQL).
+ */
+async function searchItemsSemantic(
+  query: string,
+  fetchLimit: number,
+  kindFilter: string | null,
+  statusFilter: string,
+): Promise<{ ids: string[]; total: number } | null> {
+  try {
+    const config = getConfig();
+    const backendStatus = await getMemoryBackendStatus(config);
+    if (!backendStatus.provider) return null;
+
+    const embedded = await embedWithBackend(config, [query]);
+    const queryVector = embedded.vectors[0];
+    if (!queryVector) return null;
+
+    const sparse = generateSparseEmbedding(query);
+    const sparseVector = { indices: sparse.indices, values: sparse.values };
+
+    // Build Qdrant filter — items only, exclude capability kind and sentinel
+    const mustConditions: Array<Record<string, unknown>> = [
+      { key: "target_type", match: { value: "item" } },
+    ];
+    if (statusFilter && statusFilter !== "all") {
+      mustConditions.push({ key: "status", match: { value: statusFilter } });
+    }
+    if (kindFilter) {
+      mustConditions.push({ key: "kind", match: { value: kindFilter } });
+    }
+
+    const filter = {
+      must: mustConditions,
+      must_not: [
+        { key: "kind", match: { value: "capability" } },
+        { key: "_meta", match: { value: true } },
+      ],
+    };
+
+    const qdrant = getQdrantClient();
+    const results = await withQdrantBreaker(() =>
+      qdrant.hybridSearch({
+        denseVector: queryVector,
+        sparseVector,
+        filter,
+        limit: fetchLimit,
+        prefetchLimit: fetchLimit,
+      }),
+    );
+
+    const ids = results.map((r) => r.payload.target_id);
+    return { ids, total: ids.length };
+  } catch (err) {
+    log.warn({ err }, "Semantic memory search failed, falling back to SQL");
+    return null;
+  }
+}
+
 // ---------------------------------------------------------------------------
 // GET /v1/memory-items
 // ---------------------------------------------------------------------------
 
-export function handleListMemoryItems(url: URL): Response {
+export async function handleListMemoryItems(url: URL): Promise<Response> {
   const kindParam = url.searchParams.get("kind");
   const statusParam = url.searchParams.get("status") ?? "active";
   const searchParam = url.searchParams.get("search");
@@ -155,7 +231,53 @@ export function handleListMemoryItems(url: URL): Response {
 
   const db = getDb();
 
-  // Build WHERE conditions
+  // ── Semantic search path ────────────────────────────────────────────
+  // When a search query is present, try Qdrant hybrid search first.
+  // Falls back to SQL LIKE when embeddings / Qdrant are unavailable.
+  if (searchParam) {
+    const semanticResult = await searchItemsSemantic(
+      searchParam,
+      limitParam + offsetParam,
+      kindParam,
+      statusParam,
+    );
+
+    if (semanticResult && semanticResult.ids.length > 0) {
+      // Slice for pagination
+      const pageIds = semanticResult.ids.slice(
+        offsetParam,
+        offsetParam + limitParam,
+      );
+
+      // Batch-fetch full rows from SQLite
+      const rows = db
+        .select()
+        .from(memoryItems)
+        .where(inArray(memoryItems.id, pageIds))
+        .all();
+
+      // Preserve Qdrant relevance ordering
+      const idOrder = new Map(pageIds.map((id, i) => [id, i]));
+      rows.sort((a, b) => (idOrder.get(a.id) ?? 0) - (idOrder.get(b.id) ?? 0));
+
+      const titleMap = buildConversationTitleMap(
+        db,
+        rows.map((i) => i.scopeId),
+      );
+      const enrichedItems = rows.map((item) => ({
+        ...item,
+        scopeLabel: resolveScopeLabel(item.scopeId, titleMap),
+      }));
+
+      return Response.json({
+        items: enrichedItems,
+        total: semanticResult.total,
+      });
+    }
+    // semanticResult was null (Qdrant unavailable) or empty — fall through to SQL
+  }
+
+  // ── SQL path (default or fallback) ──────────────────────────────────
   const conditions = [];
   // Hide system-managed capability memories (skill announcements) from the UI
   conditions.push(ne(memoryItems.kind, "capability"));

package/src/runtime/routes/upgrade-broadcast-routes.ts

@@ -0,0 +1,151 @@
+/**
+ * Upgrade broadcast endpoint — publishes service group update lifecycle
+ * events (starting / complete) to all connected SSE clients.
+ *
+ * Protected by a route policy restricting access to gateway service
+ * principals only (`svc_gateway` with `internal.write` scope), following
+ * the same pattern as other gateway-forwarded control-plane endpoints.
+ * The gateway requires a valid edge JWT and forwards the request with a
+ * minted service token.
+ */
+
+import type {
+  ServiceGroupUpdateComplete,
+  ServiceGroupUpdateStarting,
+} from "../../daemon/message-types/upgrades.js";
+import { buildAssistantEvent } from "../assistant-event.js";
+import { assistantEventHub } from "../assistant-event-hub.js";
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+export function upgradeBroadcastRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "admin/upgrade-broadcast",
+      method: "POST",
+      handler: async ({ req }) => {
+        let body: unknown;
+        try {
+          body = await req.json();
+        } catch {
+          return httpError("BAD_REQUEST", "Invalid JSON body", 400);
+        }
+
+        if (!body || typeof body !== "object") {
+          return httpError(
+            "BAD_REQUEST",
+            "Request body must be a JSON object",
+            400,
+          );
+        }
+
+        const { type } = body as { type?: unknown };
+
+        if (type === "starting") {
+          const { targetVersion, expectedDowntimeSeconds } = body as {
+            targetVersion?: unknown;
+            expectedDowntimeSeconds?: unknown;
+          };
+
+          if (typeof targetVersion !== "string" || targetVersion.length === 0) {
+            return httpError(
+              "BAD_REQUEST",
+              "targetVersion is required and must be a non-empty string",
+              400,
+            );
+          }
+
+          const downtime =
+            expectedDowntimeSeconds === undefined
+              ? 60
+              : expectedDowntimeSeconds;
+
+          if (
+            typeof downtime !== "number" ||
+            !isFinite(downtime) ||
+            downtime < 0
+          ) {
+            return httpError(
+              "BAD_REQUEST",
+              "expectedDowntimeSeconds must be a non-negative number",
+              400,
+            );
+          }
+
+          const message: ServiceGroupUpdateStarting = {
+            type: "service_group_update_starting",
+            targetVersion,
+            expectedDowntimeSeconds: downtime,
+          };
+
+          await assistantEventHub.publish(
+            buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, message),
+          );
+
+          return Response.json({ ok: true });
+        }
+
+        if (type === "complete") {
+          const { installedVersion, success, rolledBackToVersion } = body as {
+            installedVersion?: unknown;
+            success?: unknown;
+            rolledBackToVersion?: unknown;
+          };
+
+          if (
+            typeof installedVersion !== "string" ||
+            installedVersion.length === 0
+          ) {
+            return httpError(
+              "BAD_REQUEST",
+              "installedVersion is required and must be a non-empty string",
+              400,
+            );
+          }
+
+          if (typeof success !== "boolean") {
+            return httpError(
+              "BAD_REQUEST",
+              "success is required and must be a boolean",
+              400,
+            );
+          }
+
+          if (
+            rolledBackToVersion !== undefined &&
+            (typeof rolledBackToVersion !== "string" ||
+              rolledBackToVersion.length === 0)
+          ) {
+            return httpError(
+              "BAD_REQUEST",
+              "rolledBackToVersion must be a non-empty string when provided",
+              400,
+            );
+          }
+
+          const message: ServiceGroupUpdateComplete = {
+            type: "service_group_update_complete",
+            installedVersion,
+            success,
+            ...(typeof rolledBackToVersion === "string"
+              ? { rolledBackToVersion }
+              : {}),
+          };
+
+          await assistantEventHub.publish(
+            buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, message),
+          );
+
+          return Response.json({ ok: true });
+        }
+
+        return httpError(
+          "BAD_REQUEST",
+          'type must be "starting" or "complete"',
+          400,
+        );
+      },
+    },
+  ];
+}