@vellumai/assistant 0.6.0 → 0.6.1

package/src/memory/schema/conversations.ts

@@ -30,9 +30,11 @@ export const conversations = sqliteTable(
     forkParentMessageId: text("fork_parent_message_id"),
     isAutoTitle: integer("is_auto_title").notNull().default(1),
     scheduleJobId: text("schedule_job_id"),
+    lastMessageAt: integer("last_message_at"),
   },
   (table) => [
     index("idx_conversations_updated_at").on(table.updatedAt),
+    index("idx_conversations_last_message_at").on(table.lastMessageAt),
     index("idx_conversations_conversation_type").on(table.conversationType),
     index("idx_conversations_fork_parent_conversation_id").on(
       table.forkParentConversationId,
@@ -109,6 +111,18 @@ export const messageAttachments = sqliteTable("message_attachments", {
   createdAt: integer("created_at").notNull(),
 });
 
+export const conversationGraphMemoryState = sqliteTable(
+  "conversation_graph_memory_state",
+  {
+    conversationId: text("conversation_id")
+      .primaryKey()
+      .references(() => conversations.id, { onDelete: "cascade" }),
+    stateJson: text("state_json").notNull(),
+    createdAt: integer("created_at").notNull(),
+    updatedAt: integer("updated_at").notNull(),
+  },
+);
+
 export const channelInboundEvents = sqliteTable("channel_inbound_events", {
   id: text("id").primaryKey(),
   sourceChannel: text("source_channel").notNull(),

package/src/memory/schema/infrastructure.ts

@@ -25,6 +25,9 @@ export const cronJobs = sqliteTable("cron_jobs", {
   routingHintsJson: text("routing_hints_json").notNull().default("{}"),
   status: text("status").notNull().default("active"), // 'active' | 'firing' | 'fired' | 'cancelled'
   quiet: integer("quiet", { mode: "boolean" }).notNull().default(false), // suppress completion notifications
+  reuseConversation: integer("reuse_conversation", { mode: "boolean" })
+    .notNull()
+    .default(false), // reuse the same conversation across runs
   createdAt: integer("created_at").notNull(),
   updatedAt: integer("updated_at").notNull(),
 });
@@ -118,7 +121,10 @@ export const llmRequestLogs = sqliteTable(
     responsePayload: text("response_payload").notNull(),
     createdAt: integer("created_at").notNull(),
   },
-  (table) => [index("idx_llm_request_logs_message_id").on(table.messageId)],
+  (table) => [
+    index("idx_llm_request_logs_message_id").on(table.messageId),
+    index("idx_llm_request_logs_created_at").on(table.createdAt),
+  ],
 );
 
 export const memoryRecallLogs = sqliteTable(
@@ -144,6 +150,7 @@ export const memoryRecallLogs = sqliteTable(
     topCandidatesJson: text("top_candidates_json").notNull(),
     injectedText: text("injected_text"),
     reason: text("reason"),
+    queryContext: text("query_context"),
     createdAt: integer("created_at").notNull(),
   },
   (table) => [

package/src/memory/schema/memory-core.ts

@@ -2,7 +2,6 @@ import {
   blob,
   index,
   integer,
-  real,
   sqliteTable,
   text,
   uniqueIndex,
@@ -32,56 +31,6 @@ export const memorySegments = sqliteTable(
   (table) => [index("idx_memory_segments_scope_id").on(table.scopeId)],
 );
 
-export const memoryItems = sqliteTable(
-  "memory_items",
-  {
-    id: text("id").primaryKey(),
-    kind: text("kind").notNull(),
-    subject: text("subject").notNull(),
-    statement: text("statement").notNull(),
-    status: text("status").notNull(),
-    confidence: real("confidence").notNull(),
-    importance: real("importance"),
-    accessCount: integer("access_count").notNull().default(0),
-    fingerprint: text("fingerprint").notNull(),
-    verificationState: text("verification_state")
-      .notNull()
-      .default("assistant_inferred"),
-    scopeId: text("scope_id").notNull().default("default"),
-    firstSeenAt: integer("first_seen_at").notNull(),
-    lastSeenAt: integer("last_seen_at").notNull(),
-    lastUsedAt: integer("last_used_at"),
-    validFrom: integer("valid_from"),
-    invalidAt: integer("invalid_at"),
-    supersedes: text("supersedes"),
-    supersededBy: text("superseded_by"),
-    overrideConfidence: text("override_confidence").default("inferred"),
-    sourceType: text("source_type").notNull().default("extraction"),
-    sourceMessageRole: text("source_message_role"),
-  },
-  (table) => [
-    index("idx_memory_items_scope_id").on(table.scopeId),
-    index("idx_memory_items_fingerprint").on(table.fingerprint),
-  ],
-);
-
-export const memoryItemSources = sqliteTable(
-  "memory_item_sources",
-  {
-    memoryItemId: text("memory_item_id")
-      .notNull()
-      .references(() => memoryItems.id, { onDelete: "cascade" }),
-    messageId: text("message_id")
-      .notNull()
-      .references(() => messages.id, { onDelete: "cascade" }),
-    evidence: text("evidence"),
-    createdAt: integer("created_at").notNull(),
-  },
-  (table) => [
-    index("idx_memory_item_sources_memory_item_id").on(table.memoryItemId),
-  ],
-);
-
 export const memorySummaries = sqliteTable(
   "memory_summaries",
   {

package/src/memory/schema/memory-graph.ts

@@ -137,3 +137,18 @@ export const memoryGraphTriggers = sqliteTable(
     index("idx_graph_triggers_type").on(table.type),
   ],
 );
+
+export const memoryGraphNodeEdits = sqliteTable(
+  "memory_graph_node_edits",
+  {
+    id: text("id").primaryKey(),
+    nodeId: text("node_id")
+      .notNull()
+      .references(() => memoryGraphNodes.id, { onDelete: "cascade" }),
+    previousContent: text("previous_content").notNull(),
+    newContent: text("new_content").notNull(),
+    source: text("source").notNull(),
+    conversationId: text("conversation_id"),
+    created: integer("created").notNull(),
+  },
+);

package/src/memory/task-memory-cleanup.ts

@@ -9,16 +9,29 @@ const log = getLogger("task-memory-cleanup");
  * so the check survives daemon restarts.
  */
 export function isConversationFailed(conversationId: string): boolean {
+  // For reused schedule conversations the same conversation_id appears in
+  // multiple cron_runs. A single failed run should NOT mark the conversation
+  // as permanently failed — only the *most recent* run for that conversation
+  // matters. We therefore check whether the latest cron_run (by created_at,
+  // which is a monotonically increasing epoch timestamp) has an error status.
+  // Note: cron_runs.id is a UUID v4 (random), so we cannot use MAX(id).
   const row = rawGet<{ found: number }>(
     `SELECT 1 AS found
        FROM (
          SELECT 1 FROM task_runs WHERE conversation_id = ? AND status = 'failed'
          UNION ALL
-         SELECT 1 FROM cron_runs WHERE conversation_id = ? AND status = 'error'
+         SELECT 1 FROM cron_runs
+          WHERE conversation_id = ?
+            AND status = 'error'
+            AND id = (
+              SELECT id FROM cron_runs WHERE conversation_id = ?
+              ORDER BY created_at DESC LIMIT 1
+            )
        )
       LIMIT 1`,
     conversationId,
     conversationId,
+    conversationId,
   );
   return row != null;
 }
@@ -57,9 +70,17 @@ export function invalidateAssistantInferredItemsForConversation(
                   AND tr.status = 'failed'
              )
              AND NOT EXISTS (
+               -- Check only the most recent cron_run for each conversation
+               -- so reused conversations with historical errors but recent
+               -- successes are still treated as valid corroborators.
                SELECT 1 FROM cron_runs cr
                 WHERE cr.conversation_id = jc2.value
                   AND cr.status = 'error'
+                  AND cr.id = (
+                    SELECT cr2.id FROM cron_runs cr2
+                     WHERE cr2.conversation_id = jc2.value
+                     ORDER BY cr2.created_at DESC LIMIT 1
+                  )
              )
         )`,
     Date.now(),
@@ -79,9 +100,9 @@ export function invalidateAssistantInferredItemsForConversation(
 
 /**
  * Cancel all pending/running memory jobs referencing the given conversation.
- * Covers every job type: `extract_items`, `embed_attachment` (keyed by messageId),
+ * Covers every job type: `embed_attachment` (keyed by messageId),
  * `embed_segment` (keyed by segmentId via memory_segments),
- * `build_conversation_summary` (keyed by conversationId),
+ * `graph_extract`, `build_conversation_summary` (keyed by conversationId),
  * and `embed_graph_node` (keyed by nodeId sourced from the conversation).
  */
 export function cancelPendingJobsForConversation(
@@ -91,7 +112,7 @@ export function cancelPendingJobsForConversation(
   const now = Date.now();
   let total = 0;
 
-  // Jobs keyed by messageId: extract_items, embed_attachment
+  // Jobs keyed by messageId: embed_attachment
   total += rawRun(
     `UPDATE memory_jobs
         SET status = 'failed',
@@ -106,7 +127,7 @@ export function cancelPendingJobsForConversation(
     conversationId,
   );
 
-  // Jobs keyed by conversationId: build_conversation_summary
+  // Jobs keyed by conversationId: graph_extract, build_conversation_summary
   total += rawRun(
     `UPDATE memory_jobs
         SET status = 'failed',
@@ -162,8 +183,8 @@ export function cancelPendingJobsForConversation(
 }
 
 /**
- * Cancel only pending/running `extract_items` jobs for messages in the
- * given conversation. Used by the task-failure path where we want to
+ * Cancel only pending/running `graph_extract` jobs for the given
+ * conversation. Used by the task-failure path where we want to
  * stop new extractions but must NOT cancel `embed_graph_node` jobs —
  * those nodes may be multi-sourced and still valid.
  */
@@ -177,10 +198,8 @@ function cancelPendingExtractionJobsForConversation(
             last_error = 'conversation_failed',
             updated_at = ?
       WHERE status IN ('pending', 'running')
-        AND type = 'extract_items'
-        AND json_extract(payload, '$.messageId') IN (
-          SELECT id FROM messages WHERE conversation_id = ?
-        )`,
+        AND type = 'graph_extract'
+        AND json_extract(payload, '$.conversationId') = ?`,
     now,
     conversationId,
   );

package/src/notifications/copy-composer.ts

@@ -408,6 +408,92 @@ const TEMPLATES: Partial<Record<NotificationSourceEventName, CopyTemplate>> = {
     };
   },
 
+  "ingress.trusted_contact.guardian_decision": (payload) => {
+    const decision = str(payload.decision, "decided on");
+    const sourceChannel =
+      typeof payload.sourceChannel === "string"
+        ? payload.sourceChannel
+        : undefined;
+
+    const requesterDisplayName =
+      typeof payload.requesterDisplayName === "string" &&
+      payload.requesterDisplayName.length > 0
+        ? payload.requesterDisplayName
+        : undefined;
+    const requesterExternalUserId =
+      typeof payload.requesterExternalUserId === "string" &&
+      payload.requesterExternalUserId.length > 0
+        ? payload.requesterExternalUserId
+        : undefined;
+    const requesterLabel = sanitizeIdentityField(
+      requesterDisplayName ??
+        (sourceChannel === "slack" &&
+        requesterExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(requesterExternalUserId)
+          ? `<@${requesterExternalUserId}>`
+          : requesterExternalUserId) ??
+        "Someone",
+    );
+
+    const decidedByDisplayName =
+      typeof payload.decidedByDisplayName === "string" &&
+      payload.decidedByDisplayName.length > 0
+        ? payload.decidedByDisplayName
+        : undefined;
+    const decidedByExternalUserId =
+      typeof payload.decidedByExternalUserId === "string" &&
+      payload.decidedByExternalUserId.length > 0
+        ? payload.decidedByExternalUserId
+        : undefined;
+    const decidedByLabel = sanitizeIdentityField(
+      decidedByDisplayName ??
+        (sourceChannel === "slack" &&
+        decidedByExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(decidedByExternalUserId)
+          ? `<@${decidedByExternalUserId}>`
+          : decidedByExternalUserId) ??
+        "a guardian",
+    );
+
+    const verb = decision === "approved" ? "approved" : "denied";
+    return {
+      title: "Trusted Contact Decision",
+      body: `${requesterLabel}'s access request has been ${verb} by ${decidedByLabel}.`,
+    };
+  },
+
+  "ingress.trusted_contact.denied": (payload) => {
+    const sourceChannel =
+      typeof payload.sourceChannel === "string"
+        ? payload.sourceChannel
+        : undefined;
+
+    const requesterDisplayName =
+      typeof payload.requesterDisplayName === "string" &&
+      payload.requesterDisplayName.length > 0
+        ? payload.requesterDisplayName
+        : undefined;
+    const requesterExternalUserId =
+      typeof payload.requesterExternalUserId === "string" &&
+      payload.requesterExternalUserId.length > 0
+        ? payload.requesterExternalUserId
+        : undefined;
+    const requesterLabel = sanitizeIdentityField(
+      requesterDisplayName ??
+        (sourceChannel === "slack" &&
+        requesterExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(requesterExternalUserId)
+          ? `<@${requesterExternalUserId}>`
+          : requesterExternalUserId) ??
+        "Someone",
+    );
+
+    return {
+      title: "Trusted Contact Denied",
+      body: `A trusted contact request from ${requesterLabel} has been denied.`,
+    };
+  },
+
   "ingress.escalation": (payload) => ({
     title: "Escalation",
     body:

package/src/notifications/decision-engine.ts

@@ -13,6 +13,7 @@ import { v4 as uuid } from "uuid";
 
 import { getDeliverableChannels } from "../channels/config.js";
 import { getConfig } from "../config/loader.js";
+import { listGuardianChannels } from "../contacts/contact-store.js";
 import { resolveGuardianPersona } from "../prompts/persona-resolver.js";
 import { buildCoreIdentityContext } from "../prompts/system-prompt.js";
 import {
@@ -73,6 +74,7 @@ function buildSystemPrompt(
   preferenceContext?: string,
   candidateContext?: string,
   identityContext?: string,
+  recipientNotes?: string,
 ): string {
   const sections: string[] = [
     `You are a notification routing engine. Given a signal describing an event, decide whether the user should be notified, on which channel(s), and compose the notification copy.`,
@@ -89,6 +91,16 @@ function buildSystemPrompt(
     );
   }
 
+  if (recipientNotes) {
+    sections.push(
+      ``,
+      `<recipient-context>`,
+      `The following are notes about the notification recipient. Use this context to tailor notification tone, formality, and content to the recipient's preferences.`,
+      recipientNotes,
+      `</recipient-context>`,
+    );
+  }
+
   if (identityContext) {
     sections.push(
       ``,
@@ -807,11 +819,34 @@ async function classifyWithLLM(
   const identityContext = rawIdentityContext
     ? truncate(rawIdentityContext, MAX_IDENTITY_CONTEXT_CHARS, "\n…[truncated]")
     : undefined;
+
+  // Resolve guardian contact notes for recipient context. Use the channel-
+  // agnostic guardian lookup so notes are available even when the only
+  // deliverable channel is "vellum" (which has no contact channel type).
+  let recipientNotes: string | undefined;
+  try {
+    const guardianResult = listGuardianChannels();
+    if (guardianResult?.contact.notes) {
+      recipientNotes = truncate(
+        guardianResult.contact.notes,
+        MAX_IDENTITY_CONTEXT_CHARS,
+        "\n…[truncated]",
+      );
+    }
+  } catch (err) {
+    const errMsg = err instanceof Error ? err.message : String(err);
+    log.warn(
+      { err: errMsg },
+      "Failed to resolve guardian contact notes, proceeding without recipient context",
+    );
+  }
+
   const systemPrompt = buildSystemPrompt(
     availableChannels,
     preferenceContext,
     candidateContext,
     identityContext,
+    recipientNotes,
   );
   const prompt = buildUserPrompt(signal);
   const tool = buildDecisionTool(availableChannels);

package/src/permissions/checker.ts

@@ -677,7 +677,7 @@ export async function classifyRisk(
     }
   }
 
-  const result = await classifyRiskUncached(
+  let result = await classifyRiskUncached(
     toolName,
     input,
     workingDir,
@@ -685,6 +685,17 @@ export async function classifyRisk(
     manifestOverride,
   );
 
+  // Proxied bash commands route through the credential proxy which handles
+  // per-request approval separately. Cap the bash tool's own risk at Medium
+  // so trust rules can auto-allow the command execution.
+  if (
+    toolName === "bash" &&
+    input.network_mode === "proxied" &&
+    result === RiskLevel.High
+  ) {
+    result = RiskLevel.Medium;
+  }
+
   if (cacheKey) {
     if (riskCache.size >= RISK_CACHE_MAX) {
       const oldest = riskCache.keys().next().value;

package/src/permissions/permission-mode-store.ts

@@ -0,0 +1,180 @@
+/**
+ * Singleton runtime store for the two-axis permission mode.
+ *
+ * Reads initial state from the `permissions` section of config.json on
+ * initialization and persists mutations back to the config file via the
+ * raw-config read/write helpers so env-var–derived keys are never leaked
+ * to disk.
+ *
+ * Downstream consumers (e.g. SSE broadcast) register change listeners
+ * via `onModeChanged()`.
+ */
+
+import {
+  invalidateConfigCache,
+  loadConfig,
+  loadRawConfig,
+  saveRawConfig,
+} from "../config/loader.js";
+import { getLogger } from "../util/logger.js";
+import type { PermissionMode } from "./permission-mode.js";
+import { DEFAULT_PERMISSION_MODE } from "./permission-mode.js";
+
+const log = getLogger("permission-mode-store");
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export type ModeChangeListener = (mode: PermissionMode) => void;
+
+// ---------------------------------------------------------------------------
+// Module-level state
+// ---------------------------------------------------------------------------
+
+let currentMode: PermissionMode = { ...DEFAULT_PERMISSION_MODE };
+let initialized = false;
+const listeners: ModeChangeListener[] = [];
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+function notifyListeners(): void {
+  const snapshot = { ...currentMode };
+  for (const listener of listeners) {
+    try {
+      listener(snapshot);
+    } catch (err) {
+      log.error({ err }, "Error in permission mode change listener");
+    }
+  }
+}
+
+/**
+ * Persist the current in-memory permission mode to config.json.
+ *
+ * Uses the raw-config pattern (loadRawConfig → mutate → saveRawConfig) so
+ * that env-var–derived fields (API keys, dataDir) are never written to disk.
+ */
+function persistToConfig(): void {
+  try {
+    const raw = loadRawConfig();
+
+    // Ensure the permissions object exists
+    if (
+      raw.permissions == null ||
+      typeof raw.permissions !== "object" ||
+      Array.isArray(raw.permissions)
+    ) {
+      raw.permissions = {};
+    }
+
+    const permissions = raw.permissions as Record<string, unknown>;
+    permissions.askBeforeActing = currentMode.askBeforeActing;
+    permissions.hostAccess = currentMode.hostAccess;
+
+    saveRawConfig(raw);
+
+    // Invalidate the cached config so the next loadConfig() picks up the
+    // persisted values rather than returning stale in-memory state.
+    invalidateConfigCache();
+  } catch (err) {
+    log.error({ err }, "Failed to persist permission mode to config");
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Initialize the store from the current config. Safe to call multiple times;
+ * subsequent calls are no-ops unless `resetForTesting()` has been called.
+ */
+export function initPermissionModeStore(): void {
+  if (initialized) return;
+
+  try {
+    const config = loadConfig();
+    currentMode = {
+      askBeforeActing: config.permissions.askBeforeActing,
+      hostAccess: config.permissions.hostAccess,
+    };
+  } catch (err) {
+    log.warn(
+      { err },
+      "Failed to load permission mode from config; using defaults",
+    );
+    currentMode = { ...DEFAULT_PERMISSION_MODE };
+  }
+
+  initialized = true;
+}
+
+/**
+ * Return the current permission mode. Initializes from config on first call
+ * if `initPermissionModeStore()` hasn't been called yet.
+ */
+export function getMode(): PermissionMode {
+  if (!initialized) {
+    initPermissionModeStore();
+  }
+  return { ...currentMode };
+}
+
+/**
+ * Update the `askBeforeActing` axis. Persists to config.json and notifies
+ * change listeners.
+ */
+export function setAskBeforeActing(value: boolean): void {
+  if (!initialized) {
+    initPermissionModeStore();
+  }
+
+  if (currentMode.askBeforeActing === value) return;
+
+  currentMode.askBeforeActing = value;
+  persistToConfig();
+  notifyListeners();
+}
+
+/**
+ * Update the `hostAccess` axis. Persists to config.json and notifies
+ * change listeners.
+ */
+export function setHostAccess(value: boolean): void {
+  if (!initialized) {
+    initPermissionModeStore();
+  }
+
+  if (currentMode.hostAccess === value) return;
+
+  currentMode.hostAccess = value;
+  persistToConfig();
+  notifyListeners();
+}
+
+/**
+ * Register a callback that fires whenever the permission mode changes.
+ * Returns an unsubscribe function.
+ */
+export function onModeChanged(callback: ModeChangeListener): () => void {
+  listeners.push(callback);
+  return () => {
+    const idx = listeners.indexOf(callback);
+    if (idx >= 0) {
+      listeners.splice(idx, 1);
+    }
+  };
+}
+
+/**
+ * Reset the store to uninitialized state. **Test-only** — production code
+ * should never call this.
+ */
+export function resetForTesting(): void {
+  currentMode = { ...DEFAULT_PERMISSION_MODE };
+  initialized = false;
+  listeners.length = 0;
+}

package/src/permissions/permission-mode.ts

@@ -0,0 +1,31 @@
+import { z } from "zod";
+
+/**
+ * Two-axis permission model:
+ * - `askBeforeActing` — LLM behavior toggle: when true the assistant checks in
+ *   with the user before taking actions.
+ * - `hostAccess` — System-enforced gate: when true the assistant can execute
+ *   commands on the host machine without prompting.
+ */
+export type PermissionMode = {
+  askBeforeActing: boolean;
+  hostAccess: boolean;
+};
+
+export const DEFAULT_PERMISSION_MODE: PermissionMode = {
+  askBeforeActing: true,
+  hostAccess: false,
+};
+
+export const PermissionModeSchema = z.object({
+  askBeforeActing: z
+    .boolean({ error: "permissionMode.askBeforeActing must be a boolean" })
+    .default(true)
+    .describe("Whether the assistant should check in before taking actions"),
+  hostAccess: z
+    .boolean({ error: "permissionMode.hostAccess must be a boolean" })
+    .default(false)
+    .describe(
+      "Whether the assistant can execute commands on the host machine without prompting",
+    ),
+});

package/src/permissions/workspace-policy.ts

@@ -74,8 +74,17 @@ const HOST_TOOLS = new Set([
   "host_file_write",
   "host_file_edit",
   "host_bash",
+  "computer_use_run_applescript",
 ]);
 
+/**
+ * Check whether a tool name is a host-level tool that requires the
+ * `hostAccess` permission to execute.
+ */
+export function isHostTool(toolName: string): boolean {
+  return HOST_TOOLS.has(toolName);
+}
+
 /** Safe local-only tools that are always workspace-scoped. */
 const ALWAYS_SCOPED_TOOLS = new Set([
   "skill_load",