npm - @vellumai/assistant - Versions diffs - 0.5.5 → 0.5.7 - Mend

@vellumai/assistant 0.5.5 → 0.5.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (382) hide show

package/.env.example +16 -2
package/ARCHITECTURE.md +6 -75
package/Dockerfile +4 -5
package/README.md +0 -2
package/bun.lock +0 -414
package/docs/architecture/keychain-broker.md +45 -240
package/docs/architecture/security.md +0 -17
package/docs/credential-execution-service.md +2 -2
package/node_modules/@vellumai/ces-contracts/package.json +1 -0
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +119 -0
package/node_modules/@vellumai/credential-storage/package.json +1 -0
package/node_modules/@vellumai/egress-proxy/package.json +1 -0
package/package.json +2 -3
package/src/__tests__/actor-token-service.test.ts +1 -2
package/src/__tests__/assistant-feature-flags-integration.test.ts +30 -29
package/src/__tests__/browser-skill-endstate.test.ts +6 -5
package/src/__tests__/btw-routes.test.ts +0 -39
package/src/__tests__/call-domain.test.ts +0 -128
package/src/__tests__/ces-rpc-credential-backend.test.ts +199 -0
package/src/__tests__/channel-approval-routes.test.ts +0 -5
package/src/__tests__/channel-readiness-service.test.ts +1 -60
package/src/__tests__/checker.test.ts +4 -2
package/src/__tests__/cli-command-risk-guard.test.ts +112 -0
package/src/__tests__/config-schema-cmd.test.ts +0 -1
package/src/__tests__/config-schema.test.ts +3 -3
package/src/__tests__/context-window-manager.test.ts +78 -0
package/src/__tests__/conversation-attention-telegram.test.ts +0 -5
package/src/__tests__/conversation-init.benchmark.test.ts +0 -2
package/src/__tests__/conversation-skill-tools.test.ts +0 -54
package/src/__tests__/conversation-title-service.test.ts +117 -1
package/src/__tests__/credential-execution-feature-gates.test.ts +28 -14
package/src/__tests__/credential-execution-managed-contract.test.ts +33 -18
package/src/__tests__/credential-security-e2e.test.ts +0 -66
package/src/__tests__/credential-security-invariants.test.ts +4 -45
package/src/__tests__/credentials-cli.test.ts +78 -0
package/src/__tests__/db-migration-rollback.test.ts +2015 -1
package/src/__tests__/docker-signing-key-bootstrap.test.ts +98 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +6 -4
package/src/__tests__/guardian-routing-state.test.ts +0 -5
package/src/__tests__/host-shell-tool.test.ts +6 -7
package/src/__tests__/http-user-message-parity.test.ts +3 -103
package/src/__tests__/inbound-invite-redemption.test.ts +0 -4
package/src/__tests__/inline-skill-load-permissions.test.ts +6 -8
package/src/__tests__/intent-routing.test.ts +0 -13
package/src/__tests__/jobs-store-qdrant-breaker.test.ts +178 -0
package/src/__tests__/keychain-broker-client.test.ts +161 -22
package/src/__tests__/memory-jobs-worker-backoff.test.ts +150 -0
package/src/__tests__/memory-regressions.test.ts +8 -30
package/src/__tests__/migration-export-http.test.ts +2 -2
package/src/__tests__/migration-import-commit-http.test.ts +2 -2
package/src/__tests__/migration-import-preflight-http.test.ts +2 -2
package/src/__tests__/migration-validate-http.test.ts +2 -2
package/src/__tests__/non-member-access-request.test.ts +0 -5
package/src/__tests__/notification-decision-fallback.test.ts +4 -0
package/src/__tests__/notification-decision-identity.test.ts +4 -0
package/src/__tests__/permission-types.test.ts +1 -0
package/src/__tests__/provider-managed-proxy-integration.test.ts +5 -6
package/src/__tests__/qdrant-manager.test.ts +28 -2
package/src/__tests__/registry.test.ts +0 -6
package/src/__tests__/require-fresh-approval.test.ts +4 -0
package/src/__tests__/runtime-attachment-metadata.test.ts +0 -4
package/src/__tests__/secret-routes-managed-proxy.test.ts +0 -4
package/src/__tests__/secure-keys.test.ts +83 -263
package/src/__tests__/shell-identity.test.ts +96 -6
package/src/__tests__/skill-feature-flags-integration.test.ts +22 -14
package/src/__tests__/skill-feature-flags.test.ts +46 -45
package/src/__tests__/skill-load-feature-flag.test.ts +7 -10
package/src/__tests__/skill-load-inline-command.test.ts +8 -12
package/src/__tests__/skill-load-inline-includes.test.ts +6 -10
package/src/__tests__/skill-load-tool.test.ts +0 -2
package/src/__tests__/skill-projection-feature-flag.test.ts +33 -29
package/src/__tests__/skills.test.ts +0 -2
package/src/__tests__/slack-inbound-verification.test.ts +0 -4
package/src/__tests__/suggestion-routes.test.ts +1 -32
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +4 -0
package/src/__tests__/tool-executor-shell-integration.test.ts +5 -3
package/src/__tests__/tool-executor.test.ts +4 -0
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +0 -5
package/src/__tests__/trusted-contact-multichannel.test.ts +0 -4
package/src/__tests__/update-bulletin.test.ts +0 -2
package/src/__tests__/vellum-self-knowledge-inline-command.test.ts +6 -9
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -6
package/src/__tests__/workspace-migration-015-migrate-credentials-to-keychain.test.ts +252 -0
package/src/__tests__/workspace-migration-016-migrate-credentials-from-keychain.test.ts +218 -0
package/src/__tests__/workspace-migration-down-functions.test.ts +1009 -0
package/src/__tests__/workspace-migrations-runner.test.ts +114 -0
package/src/calls/audio-store.test.ts +97 -0
package/src/calls/audio-store.ts +205 -0
package/src/calls/call-controller.ts +85 -7
package/src/calls/call-domain.ts +3 -0
package/src/calls/call-store.ts +10 -3
package/src/calls/fish-audio-client.ts +117 -0
package/src/calls/relay-server.ts +27 -0
package/src/calls/twilio-routes.ts +2 -1
package/src/calls/types.ts +1 -0
package/src/calls/voice-ingress-preflight.ts +0 -42
package/src/calls/voice-quality.ts +26 -5
package/src/calls/voice-session-bridge.ts +6 -12
package/src/cli/commands/config.ts +1 -4
package/src/cli/commands/conversations.ts +0 -18
package/src/cli/commands/credentials.ts +34 -4
package/src/cli/commands/oauth/index.ts +7 -0
package/src/cli/commands/oauth/platform.ts +179 -0
package/src/cli/commands/platform.ts +3 -3
package/src/config/assistant-feature-flags.ts +186 -5
package/src/config/bundled-skills/messaging/SKILL.md +5 -5
package/src/config/bundled-skills/phone-calls/TOOLS.json +4 -0
package/src/config/bundled-skills/settings/TOOLS.json +2 -2
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +42 -0
package/src/config/bundled-tool-registry.ts +1 -11
package/src/config/env-registry.ts +1 -1
package/src/config/env.ts +16 -16
package/src/config/feature-flag-registry.json +48 -16
package/src/config/loader.ts +98 -31
package/src/config/schema.ts +4 -25
package/src/config/schemas/calls.ts +13 -0
package/src/config/schemas/fish-audio.ts +39 -0
package/src/config/schemas/memory.ts +0 -4
package/src/config/schemas/platform.ts +1 -1
package/src/config/schemas/security.ts +4 -4
package/src/config/types.ts +0 -1
package/src/contacts/contact-store.ts +39 -0
package/src/contacts/types.ts +2 -0
package/src/context/window-manager.ts +53 -2
package/src/credential-execution/approval-bridge.ts +1 -0
package/src/credential-execution/executable-discovery.ts +28 -4
package/src/credential-execution/feature-gates.ts +16 -0
package/src/credential-execution/process-manager.ts +38 -0
package/src/daemon/assistant-attachments.ts +9 -0
package/src/daemon/config-watcher.ts +6 -4
package/src/daemon/conversation-agent-loop.ts +0 -60
package/src/daemon/conversation-memory.ts +0 -117
package/src/daemon/conversation-runtime-assembly.ts +0 -2
package/src/daemon/conversation-tool-setup.ts +0 -105
package/src/daemon/conversation.ts +10 -1
package/src/daemon/handlers/config-vercel.ts +92 -0
package/src/daemon/handlers/conversations.ts +0 -11
package/src/daemon/handlers/skills.ts +2 -15
package/src/daemon/install-symlink.ts +195 -0
package/src/daemon/lifecycle.ts +229 -96
package/src/daemon/message-types/conversations.ts +3 -4
package/src/daemon/message-types/diagnostics.ts +3 -22
package/src/daemon/message-types/messages.ts +0 -2
package/src/daemon/message-types/upgrades.ts +8 -0
package/src/daemon/server.ts +30 -92
package/src/events/domain-events.ts +2 -1
package/src/followups/followup-store.ts +5 -2
package/src/inbound/platform-callback-registration.ts +3 -3
package/src/instrument.ts +8 -5
package/src/memory/conversation-crud.ts +0 -236
package/src/memory/conversation-title-service.ts +76 -11
package/src/memory/db-init.ts +15 -11
package/src/memory/indexer.ts +15 -106
package/src/memory/items-extractor.ts +15 -1
package/src/memory/job-handlers/conversation-starters.ts +4 -1
package/src/memory/job-handlers/embedding.ts +0 -79
package/src/memory/job-utils.ts +1 -1
package/src/memory/jobs-store.ts +30 -13
package/src/memory/jobs-worker.ts +31 -27
package/src/memory/migrations/001-job-deferrals.ts +19 -0
package/src/memory/migrations/004-entity-relation-dedup.ts +10 -0
package/src/memory/migrations/005-fingerprint-scope-unique.ts +76 -0
package/src/memory/migrations/006-scope-salted-fingerprints.ts +50 -0
package/src/memory/migrations/007-assistant-id-to-self.ts +10 -0
package/src/memory/migrations/008-remove-assistant-id-columns.ts +34 -0
package/src/memory/migrations/009-llm-usage-events-drop-assistant-id.ts +26 -0
package/src/memory/migrations/014-backfill-inbox-thread-state.ts +10 -0
package/src/memory/migrations/015-drop-active-search-index.ts +17 -0
package/src/memory/migrations/019-notification-tables-schema-migration.ts +12 -0
package/src/memory/migrations/020-rename-macos-ios-channel-to-vellum.ts +121 -0
package/src/memory/migrations/024-embedding-vector-blob.ts +74 -0
package/src/memory/migrations/026a-embeddings-nullable-vector-json.ts +82 -0
package/src/memory/migrations/036-normalize-phone-identities.ts +11 -0
package/src/memory/migrations/116-messages-fts.ts +106 -1
package/src/memory/migrations/126-backfill-guardian-principal-id.ts +52 -0
package/src/memory/migrations/127-guardian-principal-id-not-null.ts +77 -0
package/src/memory/migrations/134-contacts-notes-column.ts +13 -0
package/src/memory/migrations/135-backfill-contact-interaction-stats.ts +20 -0
package/src/memory/migrations/136-drop-assistant-id-columns.ts +52 -0
package/src/memory/migrations/140-backfill-usage-cache-accounting.ts +13 -0
package/src/memory/migrations/141-rename-verification-table.ts +54 -0
package/src/memory/migrations/142-rename-verification-session-id-column.ts +25 -0
package/src/memory/migrations/143-rename-guardian-verification-values.ts +35 -0
package/src/memory/migrations/144-rename-voice-to-phone.ts +136 -0
package/src/memory/migrations/145-drop-accounts-table.ts +32 -0
package/src/memory/migrations/147-migrate-reminders-to-schedules.ts +14 -1
package/src/memory/migrations/148-drop-reminders-table.ts +35 -1
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +69 -1
package/src/memory/migrations/162-guardian-timestamps-epoch-ms.ts +290 -0
package/src/memory/migrations/169-rename-gmail-provider-key-to-google.ts +51 -1
package/src/memory/migrations/174-rename-thread-starters-table.ts +47 -1
package/src/memory/migrations/176-drop-capability-card-state.ts +13 -0
package/src/memory/migrations/180-backfill-inline-attachments-to-disk.ts +16 -0
package/src/memory/migrations/181-rename-thread-starters-checkpoints.ts +28 -1
package/src/memory/migrations/189-drop-simplified-memory.ts +42 -0
package/src/memory/migrations/190-call-session-skip-disclosure.ts +15 -0
package/src/memory/migrations/191-backfill-audio-attachment-mime-types.ts +64 -0
package/src/memory/migrations/192-contacts-user-file-column.ts +15 -0
package/src/memory/migrations/index.ts +5 -3
package/src/memory/migrations/registry.ts +90 -0
package/src/memory/migrations/validate-migration-state.ts +137 -11
package/src/memory/qdrant-circuit-breaker.ts +9 -0
package/src/memory/qdrant-client.ts +4 -6
package/src/memory/qdrant-manager.ts +64 -7
package/src/memory/schema/calls.ts +1 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/conversations.ts +0 -3
package/src/memory/schema/index.ts +0 -2
package/src/messaging/draft-store.ts +2 -2
package/src/notifications/decision-engine.ts +4 -1
package/src/oauth/connection-resolver.ts +6 -4
package/src/permissions/checker.ts +0 -38
package/src/permissions/defaults.ts +3 -3
package/src/permissions/shell-identity.ts +76 -22
package/src/permissions/trust-client.ts +2 -13
package/src/permissions/trust-store.ts +8 -3
package/src/permissions/types.ts +4 -2
package/src/platform/client.ts +35 -7
package/src/prompts/persona-resolver.ts +138 -0
package/src/prompts/system-prompt.ts +36 -4
package/src/prompts/templates/users/default.md +1 -0
package/src/providers/registry.ts +27 -40
package/src/runtime/auth/__tests__/credential-service.test.ts +0 -1
package/src/runtime/auth/__tests__/external-assistant-id.test.ts +13 -68
package/src/runtime/auth/external-assistant-id.ts +13 -59
package/src/runtime/auth/route-policy.ts +29 -1
package/src/runtime/auth/token-service.ts +53 -15
package/src/runtime/channel-readiness-service.ts +1 -16
package/src/runtime/http-server.ts +29 -2
package/src/runtime/middleware/error-handler.ts +1 -9
package/src/runtime/routes/audio-routes.ts +40 -0
package/src/runtime/routes/btw-routes.ts +0 -17
package/src/runtime/routes/conversation-management-routes.ts +0 -36
package/src/runtime/routes/conversation-query-routes.ts +106 -2
package/src/runtime/routes/conversation-routes.ts +4 -43
package/src/runtime/routes/diagnostics-routes.ts +1 -477
package/src/runtime/routes/identity-routes.ts +18 -29
package/src/runtime/routes/inbound-stages/secret-ingress-check.ts +4 -33
package/src/runtime/routes/inbound-stages/transcribe-audio.test.ts +1 -1
package/src/runtime/routes/integrations/vercel.ts +89 -0
package/src/runtime/routes/log-export-routes.ts +5 -0
package/src/runtime/routes/memory-item-routes.test.ts +221 -3
package/src/runtime/routes/memory-item-routes.ts +144 -4
package/src/runtime/routes/migration-rollback-routes.ts +209 -0
package/src/runtime/routes/migration-routes.ts +17 -1
package/src/runtime/routes/notification-routes.ts +58 -0
package/src/runtime/routes/schedule-routes.ts +65 -0
package/src/runtime/routes/settings-routes.ts +41 -1
package/src/runtime/routes/tts-routes.ts +86 -0
package/src/runtime/routes/upgrade-broadcast-routes.ts +175 -0
package/src/runtime/routes/workspace-commit-routes.ts +62 -0
package/src/runtime/routes/workspace-routes.test.ts +22 -1
package/src/runtime/routes/workspace-routes.ts +1 -1
package/src/runtime/routes/workspace-utils.ts +86 -2
package/src/schedule/schedule-store.ts +0 -21
package/src/security/ces-credential-client.ts +59 -22
package/src/security/ces-rpc-credential-backend.ts +85 -0
package/src/security/credential-backend.ts +12 -88
package/src/security/keychain-broker-client.ts +10 -2
package/src/security/secure-keys.ts +94 -113
package/src/skills/catalog-install.ts +13 -7
package/src/skills/inline-command-render.ts +5 -1
package/src/skills/inline-command-runner.ts +30 -2
package/src/telemetry/usage-telemetry-reporter.ts +4 -2
package/src/tools/calls/call-start.ts +1 -0
package/src/tools/executor.ts +0 -4
package/src/tools/memory/handlers.ts +1 -129
package/src/tools/network/script-proxy/session-manager.ts +19 -4
package/src/tools/network/web-fetch.ts +3 -1
package/src/tools/permission-checker.ts +18 -0
package/src/tools/skills/execute.ts +1 -1
package/src/tools/skills/load.ts +9 -2
package/src/tools/types.ts +0 -8
package/src/util/errors.ts +0 -12
package/src/util/platform.ts +8 -55
package/src/util/xml.ts +8 -0
package/src/workspace/git-service.ts +5 -2
package/src/workspace/heartbeat-service.ts +5 -24
package/src/workspace/migrations/001-avatar-rename.ts +15 -0
package/src/workspace/migrations/003-seed-device-id.ts +17 -1
package/src/workspace/migrations/004-extract-collect-usage-data.ts +33 -0
package/src/workspace/migrations/005-add-send-diagnostics.ts +3 -0
package/src/workspace/migrations/006-services-config.ts +49 -0
package/src/workspace/migrations/007-web-search-provider-rename.ts +27 -0
package/src/workspace/migrations/008-voice-timeout-and-max-steps.ts +3 -0
package/src/workspace/migrations/009-backfill-conversation-disk-view.ts +4 -0
package/src/workspace/migrations/010-app-dir-rename.ts +78 -0
package/src/workspace/migrations/011-backfill-installation-id.ts +11 -0
package/src/workspace/migrations/012-rename-conversation-disk-view-dirs.ts +44 -0
package/src/workspace/migrations/013-repair-conversation-disk-view.ts +5 -0
package/src/workspace/migrations/015-migrate-credentials-to-keychain.ts +153 -0
package/src/workspace/migrations/016-extract-feature-flags-to-protected.ts +156 -0
package/src/workspace/migrations/016-migrate-credentials-from-keychain.ts +150 -0
package/src/workspace/migrations/017-seed-persona-dirs.ts +95 -0
package/src/workspace/migrations/migrate-to-workspace-volume.ts +23 -1
package/src/workspace/migrations/registry.ts +8 -0
package/src/workspace/migrations/runner.ts +106 -2
package/src/workspace/migrations/types.ts +4 -0
package/src/__tests__/archive-recall.test.ts +0 -560
package/src/__tests__/claude-code-skill-regression.test.ts +0 -206
package/src/__tests__/claude-code-tool-profiles.test.ts +0 -99
package/src/__tests__/conversation-memory-dirty-tail.test.ts +0 -150
package/src/__tests__/conversation-switch-memory-reduction.test.ts +0 -474
package/src/__tests__/db-memory-archive-migration.test.ts +0 -372
package/src/__tests__/db-memory-brief-state-migration.test.ts +0 -213
package/src/__tests__/db-memory-reducer-checkpoints.test.ts +0 -273
package/src/__tests__/diagnostics-export.test.ts +0 -288
package/src/__tests__/local-gateway-health.test.ts +0 -209
package/src/__tests__/memory-brief-open-loops.test.ts +0 -530
package/src/__tests__/memory-brief-time.test.ts +0 -285
package/src/__tests__/memory-brief-wrapper.test.ts +0 -311
package/src/__tests__/memory-chunk-archive.test.ts +0 -400
package/src/__tests__/memory-chunk-dual-write.test.ts +0 -453
package/src/__tests__/memory-episode-archive.test.ts +0 -370
package/src/__tests__/memory-episode-dual-write.test.ts +0 -626
package/src/__tests__/memory-observation-archive.test.ts +0 -375
package/src/__tests__/memory-observation-dual-write.test.ts +0 -318
package/src/__tests__/memory-reducer-job.test.ts +0 -538
package/src/__tests__/memory-reducer-scheduling.test.ts +0 -473
package/src/__tests__/memory-reducer-store.test.ts +0 -728
package/src/__tests__/memory-reducer-types.test.ts +0 -707
package/src/__tests__/memory-reducer.test.ts +0 -704
package/src/__tests__/memory-simplified-config.test.ts +0 -281
package/src/__tests__/secret-ingress-handler.test.ts +0 -120
package/src/__tests__/simplified-memory-e2e.test.ts +0 -666
package/src/__tests__/simplified-memory-runtime.test.ts +0 -616
package/src/__tests__/swarm-conversation-integration.test.ts +0 -358
package/src/__tests__/swarm-dag-pathological.test.ts +0 -547
package/src/__tests__/swarm-orchestrator.test.ts +0 -463
package/src/__tests__/swarm-plan-validator.test.ts +0 -384
package/src/__tests__/swarm-recursion.test.ts +0 -197
package/src/__tests__/swarm-router-planner.test.ts +0 -234
package/src/__tests__/swarm-tool.test.ts +0 -185
package/src/__tests__/swarm-worker-backend.test.ts +0 -144
package/src/__tests__/swarm-worker-runner.test.ts +0 -288
package/src/commands/__tests__/cc-command-registry.test.ts +0 -396
package/src/commands/cc-command-registry.ts +0 -248
package/src/config/bundled-skills/claude-code/SKILL.md +0 -53
package/src/config/bundled-skills/claude-code/TOOLS.json +0 -47
package/src/config/bundled-skills/claude-code/tools/claude-code.ts +0 -12
package/src/config/bundled-skills/orchestration/SKILL.md +0 -33
package/src/config/bundled-skills/orchestration/TOOLS.json +0 -35
package/src/config/bundled-skills/orchestration/tools/swarm-delegate.ts +0 -12
package/src/config/schemas/memory-simplified.ts +0 -101
package/src/config/schemas/swarm.ts +0 -82
package/src/logfire.ts +0 -135
package/src/memory/archive-recall.ts +0 -516
package/src/memory/archive-store.ts +0 -400
package/src/memory/brief-formatting.ts +0 -33
package/src/memory/brief-open-loops.ts +0 -266
package/src/memory/brief-time.ts +0 -162
package/src/memory/brief.ts +0 -75
package/src/memory/job-handlers/backfill-simplified-memory.ts +0 -462
package/src/memory/job-handlers/reduce-conversation-memory.ts +0 -229
package/src/memory/migrations/185-memory-brief-state.ts +0 -52
package/src/memory/migrations/186-memory-archive.ts +0 -109
package/src/memory/migrations/187-memory-reducer-checkpoints.ts +0 -19
package/src/memory/reducer-scheduler.ts +0 -242
package/src/memory/reducer-store.ts +0 -271
package/src/memory/reducer-types.ts +0 -106
package/src/memory/reducer.ts +0 -467
package/src/memory/schema/memory-archive.ts +0 -121
package/src/memory/schema/memory-brief.ts +0 -55
package/src/runtime/local-gateway-health.ts +0 -275
package/src/security/secret-ingress.ts +0 -68
package/src/swarm/backend-claude-code.ts +0 -225
package/src/swarm/checkpoint.ts +0 -137
package/src/swarm/graph-utils.ts +0 -53
package/src/swarm/index.ts +0 -55
package/src/swarm/limits.ts +0 -66
package/src/swarm/orchestrator.ts +0 -424
package/src/swarm/plan-validator.ts +0 -117
package/src/swarm/router-planner.ts +0 -162
package/src/swarm/router-prompts.ts +0 -39
package/src/swarm/synthesizer.ts +0 -81
package/src/swarm/types.ts +0 -72
package/src/swarm/worker-backend.ts +0 -131
package/src/swarm/worker-prompts.ts +0 -80
package/src/swarm/worker-runner.ts +0 -170
package/src/tools/claude-code/claude-code.ts +0 -610
package/src/tools/swarm/delegate.ts +0 -205

package/src/runtime/auth/__tests__/external-assistant-id.test.ts CHANGED Viewed

@@ -1,21 +1,7 @@
 /**
- * Tests for getExternalAssistantId resolution order.
+ * Tests for getExternalAssistantId.
  */
-import { afterEach, describe, expect, mock, test } from "bun:test";
-mock.module("../../../util/logger.js", () => ({
-  getLogger: () =>
-    new Proxy({} as Record<string, unknown>, {
-      get: () => () => {},
-    }),
-}));
-// Controllable mock for readLockfile — defaults to null (no lockfile data)
-const mockReadLockfile = mock(() => null as Record<string, unknown> | null);
-mock.module("../../../util/platform.js", () => ({
-  readLockfile: mockReadLockfile,
-}));
+import { afterEach, describe, expect, test } from "bun:test";
 import {
   getExternalAssistantId,
@@ -24,65 +10,24 @@ import {
 afterEach(() => {
   resetExternalAssistantIdCache();
-  mockReadLockfile.mockReset();
-  mockReadLockfile.mockImplementation(() => null);
-  delete process.env.BASE_DATA_DIR;
+  delete process.env.VELLUM_ASSISTANT_NAME;
 });
 describe("getExternalAssistantId", () => {
-  test("resolves from lockfile assistants array (most recently hatched)", () => {
-    mockReadLockfile.mockImplementation(() => ({
-      assistants: [
-        { assistantId: "vellum-old-fox", hatchedAt: "2025-01-01T00:00:00Z" },
-        { assistantId: "vellum-new-eel", hatchedAt: "2025-06-15T12:00:00Z" },
-      ],
-    }));
-    expect(getExternalAssistantId()).toBe("vellum-new-eel");
-  });
-  test("resolves from lockfile with single assistant entry", () => {
-    mockReadLockfile.mockImplementation(() => ({
-      assistants: [
-        { assistantId: "vellum-solo-cat", hatchedAt: "2025-03-01T00:00:00Z" },
-      ],
-    }));
-    expect(getExternalAssistantId()).toBe("vellum-solo-cat");
-  });
-  test("resolves from BASE_DATA_DIR when lockfile has no data", () => {
-    process.env.BASE_DATA_DIR = "/tmp/vellum/assistants/vellum-true-eel";
-    expect(getExternalAssistantId()).toBe("vellum-true-eel");
-  });
-  test("resolves from BASE_DATA_DIR with trailing slash", () => {
-    process.env.BASE_DATA_DIR = "/tmp/vellum/assistants/vellum-cool-heron/";
-    expect(getExternalAssistantId()).toBe("vellum-cool-heron");
-  });
-  test("resolves from BASE_DATA_DIR with Windows-style backslashes", () => {
-    process.env.BASE_DATA_DIR =
-      "C:\\Users\\user\\.local\\share\\vellum\\assistants\\vellum-nice-fox";
-    expect(getExternalAssistantId()).toBe("vellum-nice-fox");
-  });
-  test("resolves from BASE_DATA_DIR with /instances/<name> path", () => {
-    process.env.BASE_DATA_DIR = "/home/user/.vellum/instances/vellum-swift-owl";
-    expect(getExternalAssistantId()).toBe("vellum-swift-owl");
-  });
-  test("resolves from BASE_DATA_DIR with /instances/<name> trailing slash", () => {
-    process.env.BASE_DATA_DIR =
-      "/home/user/.vellum/instances/vellum-swift-owl/";
-    expect(getExternalAssistantId()).toBe("vellum-swift-owl");
+  test("resolves from VELLUM_ASSISTANT_NAME env var", () => {
+    process.env.VELLUM_ASSISTANT_NAME = "vellum-cool-eel";
+    expect(getExternalAssistantId()).toBe("vellum-cool-eel");
   });
-  test("falls back to undefined when BASE_DATA_DIR does not match known patterns", () => {
-    process.env.BASE_DATA_DIR = "/tmp/some-other-path";
-    expect(getExternalAssistantId()).toBe(undefined);
+  test("caches the resolved value", () => {
+    process.env.VELLUM_ASSISTANT_NAME = "vellum-cool-eel";
+    expect(getExternalAssistantId()).toBe("vellum-cool-eel");
+    // Change env var — cached value should still be returned
+    process.env.VELLUM_ASSISTANT_NAME = "vellum-other-fox";
+    expect(getExternalAssistantId()).toBe("vellum-cool-eel");
   });
-  test("falls back to undefined when BASE_DATA_DIR is not set", () => {
-    delete process.env.BASE_DATA_DIR;
+  test("returns undefined when env var is not set", () => {
     expect(getExternalAssistantId()).toBe(undefined);
   });
 });

package/src/runtime/auth/external-assistant-id.ts CHANGED Viewed

@@ -6,81 +6,35 @@
  * must identify which assistant the token belongs to, while the daemon
  * internally uses 'self'.
  *
- * Resolution order:
- *   1. Cached in-memory value (populated on first call)
- *   2. Most recently hatched entry in lockfile assistants array
- *      (sorted by `hatchedAt` descending) → assistantId
- *   3. BASE_DATA_DIR path matching `/assistants/<name>` or `/instances/<name>` suffix
- *   4. `undefined` — callers must handle the missing value
+ * Reads from the VELLUM_ASSISTANT_NAME env var, which is set by CLI
+ * hatch and Docker setup. Returns `undefined` if the env var is not set.
  *
- * The value is cached in memory after the first successful read.
+ * The value is cached in memory after the first read.
  */
-import { getBaseDataDir } from "../../config/env-registry.js";
 import { getLogger } from "../../util/logger.js";
-import { readLockfile } from "../../util/platform.js";
 const log = getLogger("external-assistant-id");
 let cached: string | null | undefined;
 /**
- * Get the external assistant ID.
- *
- * Resolution order:
- *   1. Cached in-memory value (populated on first call)
- *   2. Most recently hatched entry in lockfile assistants array
- *      (sorted by `hatchedAt` descending) → assistantId
- *   3. BASE_DATA_DIR path matching `/assistants/<name>` or `/instances/<name>` suffix
- *   4. `undefined` when resolution fails entirely
+ * Get the external assistant ID from the VELLUM_ASSISTANT_NAME env var.
+ * Returns `undefined` when the env var is not set.
  */
 export function getExternalAssistantId(): string | undefined {
   if (cached !== undefined) {
     return cached ?? undefined;
   }
-  try {
-    const lockData = readLockfile();
-    if (lockData) {
-      const assistants = lockData.assistants as
-        | Array<Record<string, unknown>>
-        | undefined;
-      if (assistants && assistants.length > 0) {
-        // Sort by hatchedAt descending to use the most recent entry,
-        // matching the pattern used elsewhere in the codebase.
-        const sorted = [...assistants].sort((a, b) => {
-          const dateA = new Date((a.hatchedAt as string) || 0).getTime();
-          const dateB = new Date((b.hatchedAt as string) || 0).getTime();
-          return dateB - dateA;
-        });
-        const latest = sorted[0];
-        if (typeof latest.assistantId === "string") {
-          cached = latest.assistantId;
-          log.info(
-            { externalAssistantId: cached },
-            "Resolved external assistant ID from lockfile",
-          );
-          return cached;
-        }
-      }
-    }
-  } catch (err) {
-    log.warn({ err }, "Failed to read lockfile for external assistant ID");
-  }
-  // Fallback: derive from BASE_DATA_DIR path
-  const base = getBaseDataDir();
-  if (base && typeof base === "string") {
-    const normalized = base.replace(/\\/g, "/").replace(/\/+$/, "");
-    const match = normalized.match(/\/(?:assistants|instances)\/([^/]+)$/);
-    if (match) {
-      cached = match[1];
-      log.info(
-        { externalAssistantId: cached },
-        "Resolved external assistant ID from BASE_DATA_DIR",
-      );
-      return cached;
-    }
+  const envName = process.env.VELLUM_ASSISTANT_NAME;
+  if (envName) {
+    cached = envName;
+    log.info(
+      { externalAssistantId: cached },
+      "Resolved external assistant ID from VELLUM_ASSISTANT_NAME",
+    );
+    return cached;
   }
   cached = null;

package/src/runtime/auth/route-policy.ts CHANGED Viewed

@@ -176,6 +176,7 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Settings / integrations / identity
   { endpoint: "identity", scopes: ["settings.read"] },
+  { endpoint: "identity/intro", scopes: ["settings.read"] },
   { endpoint: "brain-graph", scopes: ["settings.read"] },
   { endpoint: "brain-graph-ui", scopes: ["settings.read"] },
   { endpoint: "contacts", scopes: ["settings.read"] },
@@ -347,6 +348,14 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "config/embeddings:GET", scopes: ["settings.read"] },
   { endpoint: "config/embeddings:PUT", scopes: ["settings.write"] },
+  // Permissions config
+  { endpoint: "config/permissions/skip:GET", scopes: ["settings.read"] },
+  { endpoint: "config/permissions/skip:PUT", scopes: ["settings.write"] },
+  // Generic config read/patch
+  { endpoint: "config:GET", scopes: ["settings.read"] },
+  { endpoint: "config:PATCH", scopes: ["settings.write"] },
   // Conversation management
   { endpoint: "conversations:DELETE", scopes: ["chat.write"] },
   { endpoint: "conversations/wipe", scopes: ["chat.write"] },
@@ -355,9 +364,13 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Conversation search
   { endpoint: "conversations/search", scopes: ["chat.read"] },
+  // Conversation starters
+  { endpoint: "conversation-starters", scopes: ["chat.read"] },
   // Message content
   { endpoint: "messages/content", scopes: ["chat.read"] },
   { endpoint: "messages/llm-context", scopes: ["chat.read"] },
+  { endpoint: "messages/tts", scopes: ["chat.read"] },
   // Queued message deletion
   { endpoint: "messages/queued", scopes: ["chat.write"] },
@@ -435,7 +448,6 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Diagnostics
   { endpoint: "export", scopes: ["settings.read"] },
-  { endpoint: "diagnostics/export", scopes: ["settings.read"] },
   { endpoint: "diagnostics/env-vars", scopes: ["settings.read"] },
   // Dictation
@@ -498,3 +510,19 @@ for (const endpoint of INTERNAL_ENDPOINTS) {
     allowedPrincipalTypes: ["svc_gateway"],
   });
 }
+// Admin control-plane endpoints: gateway-only
+registerPolicy("admin/upgrade-broadcast", {
+  requiredScopes: ["internal.write"],
+  allowedPrincipalTypes: ["svc_gateway"],
+});
+registerPolicy("admin/workspace-commit", {
+  requiredScopes: ["internal.write"],
+  allowedPrincipalTypes: ["svc_gateway"],
+});
+registerPolicy("admin/rollback-migrations", {
+  requiredScopes: ["internal.write"],
+  allowedPrincipalTypes: ["svc_gateway"],
+});

package/src/runtime/auth/token-service.ts CHANGED Viewed

@@ -42,28 +42,44 @@ function getSigningKeyPath(): string {
   return join(getRootDir(), "protected", "actor-token-signing-key");
 }
+/**
+ * Load a signing key from disk. Returns the key buffer if found and valid,
+ * or undefined if the file does not exist or is invalid.
+ *
+ * Used in the Docker 403-fallback path where generating a new key would
+ * create a mismatch with the gateway's already-bootstrapped key.
+ */
+export function loadSigningKey(): Buffer | undefined {
+  const keyPath = getSigningKeyPath();
+  if (!existsSync(keyPath)) {
+    return undefined;
+  }
+  try {
+    const raw = readFileSync(keyPath);
+    if (raw.length === 32) {
+      log.info("Auth signing key loaded from disk");
+      return raw;
+    }
+    log.warn("Signing key file has unexpected length");
+    return undefined;
+  } catch (err) {
+    log.warn({ err }, "Failed to read signing key file");
+    return undefined;
+  }
+}
 /**
  * Load a signing key from disk or generate and persist a new one.
  * Uses atomic-write + chmod 0o600 for safe persistence.
  */
 export function loadOrCreateSigningKey(): Buffer {
-  const keyPath = getSigningKeyPath();
-  // Try to load existing key
-  if (existsSync(keyPath)) {
-    try {
-      const raw = readFileSync(keyPath);
-      if (raw.length === 32) {
-        log.info("Auth signing key loaded from disk");
-        return raw;
-      }
-      log.warn("Signing key file has unexpected length, regenerating");
-    } catch (err) {
-      log.warn({ err }, "Failed to read signing key file, regenerating");
-    }
+  const existing = loadSigningKey();
+  if (existing) {
+    return existing;
   }
   // Generate and persist a new key
+  const keyPath = getSigningKeyPath();
   const newKey = randomBytes(32);
   const dir = dirname(keyPath);
   if (!existsSync(dir)) {
@@ -78,6 +94,28 @@ export function loadOrCreateSigningKey(): Buffer {
   return newKey;
 }
+/**
+ * Resolve the signing key for the current environment.
+ *
+ * Resolution order:
+ *   1. ACTOR_TOKEN_SIGNING_KEY env var (hex-encoded, set by CLI for Docker)
+ *   2. File-based load/create (~/.vellum/protected/actor-token-signing-key)
+ */
+export function resolveSigningKey(): Buffer {
+  const envKey = process.env.ACTOR_TOKEN_SIGNING_KEY;
+  if (envKey) {
+    if (!/^[0-9a-f]{64}$/i.test(envKey)) {
+      throw new Error(
+        `Invalid ACTOR_TOKEN_SIGNING_KEY: expected 64 hex characters, got ${envKey.length} chars`,
+      );
+    }
+    log.info("Signing key loaded from ACTOR_TOKEN_SIGNING_KEY env var");
+    return Buffer.from(envKey, "hex");
+  }
+  return loadOrCreateSigningKey();
+}
 function getSigningKey(): Buffer {
   if (!_authSigningKey) {
     if (process.env.NODE_ENV === "test") {
@@ -113,7 +151,7 @@ export function isSigningKeyInitialized(): boolean {
 /**
  * Returns a short hex fingerprint of the current signing key.
- * Used by daemon_status to let clients detect instance switches.
+ * Used by assistant_status to let clients detect instance switches.
  */
 export function getSigningKeyFingerprint(): string {
   return createHash("sha256")

package/src/runtime/channel-readiness-service.ts CHANGED Viewed

@@ -15,7 +15,6 @@ import type {
   ReadinessCheckResult,
   SetupStatus,
 } from "./channel-readiness-types.js";
-import { probeLocalGatewayHealth } from "./local-gateway-health.js";
 /** Remote check results are cached for 5 minutes before being considered stale. */
 export const REMOTE_TTL_MS = 5 * 60 * 1000;
@@ -82,7 +81,7 @@ const voiceProbe: ChannelProbe = {
     const hasPhone = !!resolveTwilioPhoneNumber();
     const ingress = checkIngress();
-    const checks: ReadinessCheckResult[] = [
+    return [
       check(
         "twilio_credentials",
         hasCreds,
@@ -97,20 +96,6 @@ const voiceProbe: ChannelProbe = {
       ),
       ingress,
     ];
-    if (ingress.passed) {
-      const gw = await probeLocalGatewayHealth();
-      checks.push(
-        check(
-          "gateway_health",
-          gw.healthy,
-          `Local gateway is serving requests at ${gw.target}`,
-          `Local gateway is not serving requests at ${gw.target}${gw.error ? `: ${gw.error}` : ""}`,
-        ),
-      );
-    }
-    return checks;
   },
 };

package/src/runtime/http-server.ts CHANGED Viewed

@@ -106,6 +106,7 @@ import { handleServePage } from "./routes/app-routes.js";
 import { appRouteDefinitions } from "./routes/app-routes.js";
 import { approvalRouteDefinitions } from "./routes/approval-routes.js";
 import { attachmentRouteDefinitions } from "./routes/attachment-routes.js";
+import { handleGetAudio } from "./routes/audio-routes.js";
 import { avatarRouteDefinitions } from "./routes/avatar-routes.js";
 import { brainGraphRouteDefinitions } from "./routes/brain-graph-routes.js";
 import { btwRouteDefinitions } from "./routes/btw-routes.js";
@@ -144,16 +145,19 @@ import { handleGuardianRefresh } from "./routes/guardian-refresh-routes.js";
 import { hostBashRouteDefinitions } from "./routes/host-bash-routes.js";
 import { hostCuRouteDefinitions } from "./routes/host-cu-routes.js";
 import { hostFileRouteDefinitions } from "./routes/host-file-routes.js";
-import { handleHealth } from "./routes/identity-routes.js";
+import { handleHealth, handleReadyz } from "./routes/identity-routes.js";
 import { identityRouteDefinitions } from "./routes/identity-routes.js";
 import { slackChannelRouteDefinitions } from "./routes/integrations/slack/channel.js";
 import { slackShareRouteDefinitions } from "./routes/integrations/slack/share.js";
 import { telegramRouteDefinitions } from "./routes/integrations/telegram.js";
 import { twilioRouteDefinitions } from "./routes/integrations/twilio.js";
+import { vercelRouteDefinitions } from "./routes/integrations/vercel.js";
 import { inviteRouteDefinitions } from "./routes/invite-routes.js";
 import { logExportRouteDefinitions } from "./routes/log-export-routes.js";
 import { memoryItemRouteDefinitions } from "./routes/memory-item-routes.js";
+import { migrationRollbackRouteDefinitions } from "./routes/migration-rollback-routes.js";
 import { migrationRouteDefinitions } from "./routes/migration-routes.js";
+import { notificationRouteDefinitions } from "./routes/notification-routes.js";
 import { oauthAppsRouteDefinitions } from "./routes/oauth-apps.js";
 import type { PairingHandlerContext } from "./routes/pairing-routes.js";
 import {
@@ -172,9 +176,12 @@ import { surfaceContentRouteDefinitions } from "./routes/surface-content-routes.
 import { telemetryRouteDefinitions } from "./routes/telemetry-routes.js";
 import { traceEventRouteDefinitions } from "./routes/trace-event-routes.js";
 import { trustRulesRouteDefinitions } from "./routes/trust-rules-routes.js";
+import { ttsRouteDefinitions } from "./routes/tts-routes.js";
+import { upgradeBroadcastRouteDefinitions } from "./routes/upgrade-broadcast-routes.js";
 import { usageRouteDefinitions } from "./routes/usage-routes.js";
 import { watchRouteDefinitions } from "./routes/watch-routes.js";
 import { workItemRouteDefinitions } from "./routes/work-items-routes.js";
+import { workspaceCommitRouteDefinitions } from "./routes/workspace-commit-routes.js";
 import { workspaceRouteDefinitions } from "./routes/workspace-routes.js";
 // Re-export for consumers
@@ -463,7 +470,10 @@ export class RuntimeHttpServer {
     server.timeout(req, 1800);
     // Skip request logging for health-check probes to reduce log noise.
     const url = new URL(req.url);
-    if (url.pathname === "/healthz" && req.method === "GET") {
+    if (
+      (url.pathname === "/healthz" || url.pathname === "/readyz") &&
+      req.method === "GET"
+    ) {
       return this.routeRequest(req, server);
     }
     return withRequestLogging(req, () => this.routeRequest(req, server));
@@ -480,6 +490,10 @@ export class RuntimeHttpServer {
       return handleHealth();
     }
+    if (path === "/readyz" && req.method === "GET") {
+      return handleReadyz();
+    }
     // WebSocket upgrade for the Chrome extension browser relay.
     if (
       path === "/v1/browser-relay" &&
@@ -502,6 +516,13 @@ export class RuntimeHttpServer {
     const twilioResponse = await this.handleTwilioWebhook(req, path);
     if (twilioResponse) return twilioResponse;
+    // Audio serving endpoint — before auth check because Twilio
+    // fetches these URLs directly. The audioId is an unguessable UUID.
+    const audioMatch = path.match(/^\/v1\/audio\/([^/]+)$/);
+    if (audioMatch && req.method === "GET") {
+      return handleGetAudio(audioMatch[1]);
+    }
     // Pairing endpoints (unauthenticated, secret-gated)
     if (path === "/v1/pairing/request" && req.method === "POST") {
       return await handlePairingRequest(req, this.pairingContext);
@@ -918,6 +939,9 @@ export class RuntimeHttpServer {
         getCesClient: this.getCesClient,
       }),
       ...identityRouteDefinitions(),
+      ...upgradeBroadcastRouteDefinitions(),
+      ...workspaceCommitRouteDefinitions(),
+      ...migrationRollbackRouteDefinitions(),
       ...debugRouteDefinitions(),
       ...usageRouteDefinitions(),
       ...telemetryRouteDefinitions(),
@@ -929,6 +953,7 @@ export class RuntimeHttpServer {
       ...scheduleRouteDefinitions({
         sendMessageDeps: this.sendMessageDeps,
       }),
+      ...notificationRouteDefinitions(),
       ...diagnosticsRouteDefinitions(),
       ...logExportRouteDefinitions(),
       ...documentRouteDefinitions(),
@@ -959,6 +984,7 @@ export class RuntimeHttpServer {
             }
           : undefined,
       }),
+      ...ttsRouteDefinitions(),
       // Browser relay — not extracted into a domain module because
       // these two routes depend on the in-process extensionRelayServer
@@ -1163,6 +1189,7 @@ export class RuntimeHttpServer {
       ...slackChannelRouteDefinitions(),
       ...slackShareRouteDefinitions(),
       ...twilioRouteDefinitions(),
+      ...vercelRouteDefinitions(),
       ...channelReadinessRouteDefinitions(),
       ...oauthAppsRouteDefinitions(),
       ...attachmentRouteDefinitions(),

package/src/runtime/middleware/error-handler.ts CHANGED Viewed

@@ -4,7 +4,6 @@
 import {
   ConfigError,
-  IngressBlockedError,
   ProviderNotConfiguredError,
 } from "../../util/errors.js";
 import { getLogger } from "../../util/logger.js";
@@ -14,7 +13,7 @@ const log = getLogger("runtime-http");
 /**
  * Wrap an async endpoint handler with standard error handling.
- * Catches IngressBlockedError (422), ConfigError (422), and generic errors (500).
+ * Catches ConfigError (422) and generic errors (500).
  */
 export async function withErrorHandling(
   endpoint: string,
@@ -23,13 +22,6 @@ export async function withErrorHandling(
   try {
     return await handler();
   } catch (err) {
-    if (err instanceof IngressBlockedError) {
-      log.warn(
-        { endpoint, detectedTypes: err.detectedTypes },
-        "Blocked HTTP request containing secrets",
-      );
-      return httpError("UNPROCESSABLE_ENTITY", err.message, 422);
-    }
     if (err instanceof ProviderNotConfiguredError) {
       log.warn({ err, endpoint }, "No LLM provider configured");
       return httpError(

package/src/runtime/routes/audio-routes.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * HTTP route handler for serving synthesized TTS audio.
+ *
+ * GET /v1/audio/:audioId — retrieve a previously stored audio segment.
+ *
+ * This endpoint is unauthenticated because Twilio fetches audio URLs
+ * directly; the audioId itself is an unguessable UUID that acts as a
+ * capability token.
+ */
+import { getAudio } from "../../calls/audio-store.js";
+import { httpError } from "../http-errors.js";
+/**
+ * Handle GET /v1/audio/:audioId.
+ *
+ * Returns the audio with its stored Content-Type. For complete audio,
+ * includes Content-Length for efficient playback. For in-progress
+ * streaming entries, uses chunked transfer encoding.
+ */
+export function handleGetAudio(audioId: string): Response {
+  const entry = getAudio(audioId);
+  if (!entry) {
+    return httpError("NOT_FOUND", "Audio not found", 404);
+  }
+  if (entry.type === "buffer") {
+    return new Response(new Uint8Array(entry.buffer), {
+      status: 200,
+      headers: {
+        "Content-Type": entry.contentType,
+        "Content-Length": entry.buffer.length.toString(),
+      },
+    });
+  }
+  // Streaming — Content-Length unknown, chunked transfer encoding
+  return new Response(entry.stream, {
+    status: 200,
+    headers: { "Content-Type": entry.contentType },
+  });
+}

package/src/runtime/routes/btw-routes.ts CHANGED Viewed

@@ -15,7 +15,6 @@
 import { existsSync, readFileSync } from "node:fs";
 import { getConversationByKey } from "../../memory/conversation-key-store.js";
-import { checkIngressForSecrets } from "../../security/secret-ingress.js";
 import { getLogger } from "../../util/logger.js";
 import { getWorkspacePromptPath } from "../../util/platform.js";
 import type { AuthContext } from "../auth/types.js";
@@ -89,22 +88,6 @@ async function handleBtw(
   }
   const trimmedContent = content.trim();
-  const ingressCheck = checkIngressForSecrets(trimmedContent);
-  if (ingressCheck.blocked) {
-    log.warn(
-      { detectedTypes: ingressCheck.detectedTypes },
-      "Blocked /v1/btw message containing secrets",
-    );
-    return Response.json(
-      {
-        accepted: false,
-        error: "secret_blocked",
-        message: ingressCheck.userNotice,
-        detectedTypes: ingressCheck.detectedTypes,
-      },
-      { status: 422 },
-    );
-  }
   // ----- Identity intro fast-path -----
   // When the client requests the identity intro, check SOUL.md first (persisted

package/src/runtime/routes/conversation-management-routes.ts CHANGED Viewed

@@ -275,24 +275,6 @@ export function conversationManagementRouteDefinitions(
             targetId: summaryId,
           });
         }
-        for (const obsId of result.deletedObservationIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "observation",
-            targetId: obsId,
-          });
-        }
-        for (const chunkId of result.deletedChunkIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "chunk",
-            targetId: chunkId,
-          });
-        }
-        for (const episodeId of result.deletedEpisodeIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "episode",
-            targetId: episodeId,
-          });
-        }
         log.info(
           {
             conversationId: resolvedId,
@@ -349,24 +331,6 @@ export function conversationManagementRouteDefinitions(
             targetId: summaryId,
           });
         }
-        for (const obsId of deleted.deletedObservationIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "observation",
-            targetId: obsId,
-          });
-        }
-        for (const chunkId of deleted.deletedChunkIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "chunk",
-            targetId: chunkId,
-          });
-        }
-        for (const episodeId of deleted.deletedEpisodeIds) {
-          enqueueMemoryJob("delete_qdrant_vectors", {
-            targetType: "episode",
-            targetId: episodeId,
-          });
-        }
         log.info({ conversationId: resolvedId }, "Deleted conversation");
         return new Response(null, { status: 204 });
       },