@vellumai/assistant 0.6.1 → 0.6.3

package/src/inbound/platform-callback-registration.ts

@@ -1,15 +1,13 @@
 /**
- * Platform callback route registration for platform-managed deployments.
+ * Platform callback route registration.
  *
- * When the assistant daemon runs as a platform-managed instance (IS_PLATFORM=true)
- * with a configured VELLUM_PLATFORM_URL and PLATFORM_ASSISTANT_ID, external
- * service callbacks (Twilio webhooks, OAuth redirects, Telegram webhooks, etc.)
- * must route through the platform's gateway proxy instead of hitting the
- * assistant directly.
+ * Both platform-managed (IS_PLATFORM=true) and self-hosted assistants can
+ * register callback routes with the platform so inbound provider webhooks
+ * (Telegram, Twilio, email, OAuth) are forwarded correctly.
  *
- * This module registers callback routes with the platform's internal
- * gateway endpoint so the platform knows how to forward inbound provider
- * webhooks to the correct platform-managed assistant instance.
+ * Platform-managed assistants pick up context from environment variables.
+ * Self-hosted assistants use stored credentials (from `assistant platform
+ * connect` or the ensure-registration bootstrap).
  *
  * The platform endpoint is:
  *   POST {VELLUM_PLATFORM_URL}/v1/internal/gateway/callback-routes/register/
@@ -41,17 +39,18 @@ export interface PlatformCallbackRegistrationContext {
 }
 
 /**
- * Whether the daemon should register callback routes with the platform.
+ * Whether the **runtime** should automatically register callback routes.
  * True when IS_PLATFORM, VELLUM_PLATFORM_URL, and PLATFORM_ASSISTANT_ID
- * are all set. Intentionally does **not** require the managed proxy API key
- * so that callback-only flows (OAuth transport, Telegram/Twilio callback
- * registration) work during partial bootstrap before the key is injected.
+ * are all set — i.e. this is a platform-managed deployment.
+ *
+ * This is intentionally stricter than `context.enabled` (which also covers
+ * self-hosted assistants with stored credentials). Runtime auto-registration
+ * only applies to managed deployments; self-hosted assistants register
+ * explicitly via the CLI or gateway startup hooks.
  */
 export function shouldUsePlatformCallbacks(): boolean {
   return (
-    getIsPlatform() &&
-    !!getPlatformBaseUrl() &&
-    !!getPlatformAssistantId()
+    getIsPlatform() && !!getPlatformBaseUrl() && !!getPlatformAssistantId()
   );
 }
 
@@ -86,8 +85,10 @@ export async function resolvePlatformCallbackRegistrationContext(): Promise<Plat
     hasInternalApiKey: internalApiKey.length > 0,
     hasAssistantApiKey: assistantApiKey.length > 0,
     authHeader,
+    // Enabled when we have enough context to register callback routes.
+    // Does NOT require IS_PLATFORM — self-hosted assistants with stored
+    // credentials can also register routes.
     enabled:
-      platform &&
       platformBaseUrl.length > 0 &&
       assistantId.length > 0 &&
       authHeader !== null,

package/src/index.ts

@@ -2,4 +2,4 @@
 
 import { buildCliProgram } from "./cli/program.js";
 
-buildCliProgram().parse();
+(await buildCliProgram()).parse();

package/src/mcp/client.ts

@@ -35,6 +35,12 @@ export class McpClient {
     | null = null;
   private connected = false;
   private oauthProvider: McpOAuthProvider | null = null;
+  private _lastError: Error | null = null;
+
+  /** The last connection error, if any. Null when connected or not yet attempted. */
+  get lastError(): Error | null {
+    return this._lastError;
+  }
 
   get isConnected(): boolean {
     return this.connected;
@@ -46,6 +52,16 @@ export class McpClient {
       name: "vellum-assistant",
       version: "1.0.0",
     });
+
+    // Prevent SDK-internal transport errors (e.g. SSE reconnection auth
+    // failures) from surfacing as unhandled rejections that crash the daemon
+    // via the global unhandledRejection → shutdown handler.
+    this.client.onerror = (error) => {
+      log.warn(
+        { serverId: this.serverId, err: error },
+        "MCP SDK transport error (non-fatal)",
+      );
+    };
   }
 
   async connect(transportConfig: McpTransport): Promise<void> {
@@ -102,34 +118,24 @@ export class McpClient {
       }
       this.transport = null;
 
-      if (isHttpTransport) {
-        const isAuthError =
-          err instanceof UnauthorizedError ||
-          (err instanceof Error &&
-            /\b(401|403|unauthorized|forbidden)\b/i.test(err.message)) ||
-          (err != null &&
-            typeof err === "object" &&
-            "code" in err &&
-            (err.code === 401 || err.code === 403));
-
-        if (isAuthError) {
-          // Auth-related — user can run `assistant mcp auth <name>` to authenticate.
-          log.info(
-            { serverId: this.serverId, err },
-            "MCP server requires authentication",
-          );
-          return;
-        }
-
-        // Non-auth error (DNS, TLS, timeout, etc.) — log and re-throw
-        log.error(
+      if (isHttpTransport && isAuthRelatedError(err)) {
+        // Auth-related — user can run `assistant mcp auth <name>` to authenticate.
+        log.info(
           { serverId: this.serverId, err },
-          "MCP server connection failed",
+          "MCP server requires authentication",
         );
-        throw err;
+        return;
       }
 
-      throw err;
+      // Non-auth error (DNS, TLS, timeout, etc.) — log but never propagate
+      // an MCP connection failure to the caller.  The daemon must keep
+      // running even when individual MCP servers are unreachable.
+      this._lastError = err instanceof Error ? err : new Error(String(err));
+      log.error(
+        { serverId: this.serverId, err },
+        "MCP server connection failed",
+      );
+      return;
     }
 
     this.connected = true;
@@ -258,3 +264,32 @@ export class McpClient {
     }
   }
 }
+
+/**
+ * Returns true when `err` looks like an authentication / authorization failure
+ * from the MCP SDK or the remote server.  Used to distinguish "needs auth"
+ * from genuine transport failures so we can log guidance instead of crashing.
+ */
+function isAuthRelatedError(err: unknown): boolean {
+  if (err instanceof UnauthorizedError) return true;
+
+  if (
+    err instanceof Error &&
+    /\b(401|403|unauthorized|forbidden|authorizationCode is required|prepareTokenRequest)\b/i.test(
+      err.message,
+    )
+  ) {
+    return true;
+  }
+
+  if (
+    err != null &&
+    typeof err === "object" &&
+    "code" in err &&
+    (err.code === 401 || err.code === 403)
+  ) {
+    return true;
+  }
+
+  return false;
+}

package/src/memory/app-store.ts

@@ -64,6 +64,23 @@ export function isMultifileApp(app: AppDefinition): boolean {
   return app.formatVersion === 2;
 }
 
+/**
+ * Resolve the effective HTML for an app. For single-file apps this is
+ * `htmlDefinition` (the root index.html). For multifile apps it reads the
+ * compiled `dist/index.html` and inlines JS/CSS assets so the result is a
+ * self-contained HTML string suitable for `loadHTMLString`.
+ */
+export function resolveEffectiveAppHtml(app: AppDefinition): string {
+  if (!isMultifileApp(app)) return app.htmlDefinition;
+
+  const appDir = getAppDirPath(app.id);
+  const distIndex = join(appDir, "dist", "index.html");
+  if (existsSync(distIndex)) {
+    return inlineDistAssets(appDir, readFileSync(distIndex, "utf-8"));
+  }
+  return app.htmlDefinition;
+}
+
 /**
  * Inline dist assets (main.js, main.css) into the compiled HTML so it can be
  * delivered as a self-contained string via loadHTMLString/SSE without needing
@@ -75,7 +92,10 @@ export function inlineDistAssets(appDir: string, html: string): string {
   // Inline main.js
   const jsPath = join(distDir, "main.js");
   if (existsSync(jsPath)) {
-    const js = readFileSync(jsPath, "utf-8").replace(/<\/script>/g, "<\\/script>");
+    const js = readFileSync(jsPath, "utf-8").replace(
+      /<\/script>/g,
+      "<\\/script>",
+    );
     html = html.replace(
       /<script\s+type="module"\s+src="main\.js"\s*><\/script>/,
       () => `<script type="module">${js}</script>`,
@@ -818,6 +838,16 @@ export function listAppFiles(appId: string): string[] {
   return results.sort();
 }
 
+/**
+ * Check whether a file exists in the app directory.
+ * Path is validated to prevent traversal.
+ */
+export function appFileExists(appId: string, path: string): boolean {
+  validateId(appId);
+  const resolved = validateFilePath(appId, path);
+  return existsSync(resolved);
+}
+
 /**
  * Read a file from the app directory.
  * Path is validated to prevent traversal.

package/src/memory/conversation-crud.ts

@@ -170,6 +170,7 @@ export interface ConversationRow {
   originInterface: string | null;
   forkParentConversationId: string | null;
   forkParentMessageId: string | null;
+  hostAccess: number;
   isAutoTitle: number;
   scheduleJobId: string | null;
   lastMessageAt: number | null;
@@ -196,6 +197,7 @@ export const parseConversation = createRowMapper<
   originInterface: "originInterface",
   forkParentConversationId: "forkParentConversationId",
   forkParentMessageId: "forkParentMessageId",
+  hostAccess: "hostAccess",
   isAutoTitle: "isAutoTitle",
   scheduleJobId: "scheduleJobId",
   lastMessageAt: "lastMessageAt",
@@ -245,6 +247,7 @@ export function createConversation(
         source?: string;
         scheduleJobId?: string;
         groupId?: string;
+        hostAccess?: boolean;
       },
 ) {
   const db = getDb();
@@ -276,6 +279,7 @@ export function createConversation(
     contextSummary: null as string | null,
     contextCompactedMessageCount: 0,
     contextCompactedAt: null as number | null,
+    hostAccess: opts.hostAccess ? 1 : 0,
     conversationType,
     source,
     memoryScopeId,
@@ -314,12 +318,15 @@ export function createConversation(
 
   // group_id is NOT in the Drizzle schema (raw-query-only pattern).
   // Set via raw SQL after the INSERT succeeds.
-  if (groupId) {
+  // Always set group_id — default to "system:all" when none provided.
+  {
+    const effectiveGroupId = groupId ?? "system:all";
     for (let attempt = 0; ; attempt++) {
       try {
         rawRun(
-          "UPDATE conversations SET group_id = ? WHERE id = ?",
-          groupId,
+          "UPDATE conversations SET group_id = ?, is_pinned = ? WHERE id = ?",
+          effectiveGroupId,
+          effectiveGroupId === "system:pinned" ? 1 : 0,
           id,
         );
         break;
@@ -385,6 +392,11 @@ export function getConversationMemoryScopeId(conversationId: string): string {
   return conv?.memoryScopeId ?? "default";
 }
 
+export function getConversationHostAccess(conversationId: string): boolean {
+  const conv = getConversation(conversationId);
+  return conv?.hostAccess === 1;
+}
+
 /**
  * Fetch group_id for a conversation via raw SQL. group_id is NOT in the
  * Drizzle schema (raw-query-only pattern), so ConversationRow doesn't
@@ -469,7 +481,7 @@ export function forkConversation(params: {
     const fc = createConversation({
       title: forkTitle,
       conversationType: "standard",
-      groupId: parentGroupId ?? undefined,
+      groupId: parentGroupId ?? "system:all",
     });
 
     db.update(conversations)
@@ -1120,6 +1132,20 @@ export function updateConversationContextWindow(
     .run();
 }
 
+export function updateConversationHostAccess(
+  id: string,
+  hostAccess: boolean,
+): void {
+  const db = getDb();
+  db.update(conversations)
+    .set({
+      hostAccess: hostAccess ? 1 : 0,
+      updatedAt: Date.now(),
+    })
+    .where(eq(conversations.id, id))
+    .run();
+}
+
 /**
  * Delete all conversations, messages, and related data (tool invocations,
  * memory segments, etc.) from the daemon database.
@@ -1547,17 +1573,19 @@ export function batchSetDisplayOrders(
       if (update.groupId !== undefined) {
         // New client: groupId is authoritative.
         // Derive is_pinned from groupId.
-        // Sanitize: if groupId references a deleted/unknown group, fall back
-        // to NULL to avoid FK violation that would roll back the entire batch.
+        // Sanitize: if groupId is null or references a deleted/unknown group,
+        // fall back to "system:all" to avoid FK violation that would roll back
+        // the entire batch.
         let safeGroupId = update.groupId;
-        if (
-          safeGroupId !== null &&
+        if (safeGroupId === null) {
+          safeGroupId = "system:all";
+        } else if (
           !rawGet<{ id: string }>(
             "SELECT id FROM conversation_groups WHERE id = ?",
             safeGroupId,
           )
         ) {
-          safeGroupId = null;
+          safeGroupId = "system:all";
         }
         rawRun(
           "UPDATE conversations SET display_order = ?, is_pinned = ?, group_id = ? WHERE id = ?",
@@ -1587,7 +1615,7 @@ export function batchSetDisplayOrders(
                  WHEN source IN ('schedule', 'reminder') THEN 'system:scheduled'
                  WHEN source IN ('heartbeat', 'task') THEN 'system:background'
                  WHEN conversation_type = 'background' AND COALESCE(source, '') != 'notification' THEN 'system:background'
-                 ELSE NULL
+                 ELSE 'system:all'
                END
              ELSE group_id END
              WHERE id = ?`,

package/src/memory/conversation-directories.ts

@@ -26,6 +26,45 @@ export function getConversationDirName(
   return `${getConversationDirTimestamp(createdAtMs)}_${id}`;
 }
 
+/**
+ * Parse a canonical conversation directory name (`<ISO-with-dashes>_<id>`)
+ * back into its components. Returns null for names that don't match the
+ * canonical format — callers should treat null as "skip this entry"
+ * rather than as an error.
+ *
+ * Inverse of {@link getConversationDirName}. Does NOT parse the legacy
+ * `<id>_<ISO-with-dashes>` format.
+ */
+export function parseConversationDirName(
+  name: string,
+): { conversationId: string; createdAtMs: number } | null {
+  // Canonical format: YYYY-MM-DDTHH-MM-SS.sssZ_<uuid>
+  // The timestamp portion has 4 hyphens (date + time-component separators)
+  // and ends in `Z`. Anchor the regex to enforce that.
+  const match = name.match(
+    /^(\d{4}-\d{2}-\d{2})T(\d{2})-(\d{2})-(\d{2}\.\d{1,9}Z)_(.+)$/,
+  );
+  if (!match) return null;
+  const [, datePart, hh, mm, ssAndMs, conversationId] = match;
+  const iso = `${datePart}T${hh}:${mm}:${ssAndMs}`;
+  const ms = Date.parse(iso);
+  if (Number.isNaN(ms)) return null;
+  if (!conversationId) return null;
+  // Reject conversation IDs that are path-traversal-shaped or contain
+  // path separators. These are never valid conversation IDs and would
+  // be a defense-in-depth concern if parsed.conversationId is later used
+  // to construct filesystem paths.
+  if (
+    conversationId === "." ||
+    conversationId === ".." ||
+    conversationId.includes("/") ||
+    conversationId.includes("\\")
+  ) {
+    return null;
+  }
+  return { conversationId, createdAtMs: ms };
+}
+
 /**
  * Return the absolute path to a conversation's timestamp-first disk-view
  * directory.

package/src/memory/conversation-group-migration.ts

@@ -57,15 +57,45 @@ export function ensureGroupMigration(): void {
     }
   }
 
-  // 3. Seed system groups (three: pinned, scheduled, background)
+  // 3. Seed system groups (four: pinned, scheduled, background, all)
+  const now = Math.floor(Date.now() / 1000);
   rawExec(`
-    INSERT OR IGNORE INTO conversation_groups (id, name, sort_position, is_system_group)
+    INSERT OR IGNORE INTO conversation_groups (id, name, sort_position, is_system_group, created_at, updated_at)
     VALUES
-      ('system:pinned', 'Pinned', 0, TRUE),
-      ('system:scheduled', 'Scheduled', 1, TRUE),
-      ('system:background', 'Background', 2, TRUE)
+      ('system:pinned', 'Pinned', 0, TRUE, ${now}, ${now}),
+      ('system:scheduled', 'Scheduled', 1, TRUE, ${now}, ${now}),
+      ('system:background', 'Background', 2, TRUE, ${now}, ${now}),
+      ('system:all', 'Recents', 3, TRUE, ${now}, ${now})
   `);
 
+  // One-time migration: move system:all to sortPosition 3 (from 999999).
+  // Bump custom groups at position 3+ up by 1 to make room. Wrapped in a
+  // transaction so a crash between the shift and the sentinel can't cause
+  // repeated drift on restart.
+  const sortShiftDone = rawGet<{ id: string }>(
+    "SELECT id FROM conversation_groups WHERE id = '_sort_shift_complete'",
+  );
+  if (!sortShiftDone) {
+    try {
+      rawExec("BEGIN");
+      rawRun(
+        "UPDATE conversation_groups SET sort_position = sort_position + 1 WHERE is_system_group = 0 AND sort_position >= 3",
+      );
+      rawRun(
+        "UPDATE conversation_groups SET sort_position = 3 WHERE id = 'system:all' AND sort_position != 3",
+      );
+      rawRun(
+        `INSERT OR IGNORE INTO conversation_groups (id, name, sort_position, is_system_group, created_at, updated_at)
+         VALUES ('_sort_shift_complete', '_sort_shift_complete', -1, TRUE, ${now}, ${now})`,
+      );
+      rawExec("COMMIT");
+    } catch (err) {
+      rawExec("ROLLBACK");
+      log.error({ err }, "Sort-position shift transaction failed, rolled back");
+      throw err;
+    }
+  }
+
   // 4. One-time backfill (guard: persistent marker prevents re-running on restart)
   //
   // The backfill sets group_id on existing conversations based on their attributes.
@@ -153,5 +183,35 @@ export function ensureGroupMigration(): void {
     }
   }
 
+  // 5. One-time backfill: assign all ungrouped conversations to system:all
+  //
+  // Separate from the initial backfill above because system:all is added later.
+  // Uses its own sentinel so it runs exactly once, even on existing installations
+  // where the original backfill already completed.
+  const allBackfillDone = rawGet<{ id: string }>(
+    "SELECT id FROM conversation_groups WHERE id = '_backfill_all_complete'",
+  );
+
+  if (!allBackfillDone) {
+    try {
+      rawExec("BEGIN");
+
+      rawExec(`
+        UPDATE conversations SET group_id = 'system:all' WHERE group_id IS NULL
+      `);
+
+      rawExec(`
+        INSERT OR IGNORE INTO conversation_groups (id, name, sort_position, is_system_group)
+        VALUES ('_backfill_all_complete', '_backfill_all_complete', -1, TRUE)
+      `);
+
+      rawExec("COMMIT");
+    } catch (err) {
+      rawExec("ROLLBACK");
+      log.error({ err }, "system:all backfill transaction failed, rolled back");
+      throw err;
+    }
+  }
+
   migrated = true;
 }

package/src/memory/conversation-starters-cadence.ts

@@ -0,0 +1,76 @@
+/**
+ * Cadence logic for conversation starters generation.
+ *
+ * Decides whether a new generation job should be enqueued based on how many
+ * active memory items have accumulated since the last generation.
+ */
+
+import { and, eq, inArray, sql } from "drizzle-orm";
+
+import { getLogger } from "../util/logger.js";
+import { getDb } from "./db.js";
+import { enqueueMemoryJob } from "./jobs-store.js";
+import { rawGet } from "./raw-query.js";
+import { memoryCheckpoints, memoryJobs } from "./schema.js";
+
+const log = getLogger("conversation-starters-cadence");
+
+/**
+ * Check whether enough new memory items have accumulated to justify
+ * generating a fresh batch of conversation starters.
+ */
+export function maybeEnqueueConversationStartersJob(scopeId: string): void {
+  const db = getDb();
+
+  // Count total active memory items
+  const countRow = rawGet<{ c: number }>(
+    `SELECT COUNT(*) AS c FROM memory_graph_nodes WHERE fidelity != 'gone' AND scope_id = ?`,
+    scopeId,
+  );
+  const totalActive = countRow?.c ?? 0;
+  if (totalActive === 0) return;
+
+  // Read checkpoint: item count at last generation (scoped so each scope tracks independently)
+  const checkpointKey = `conversation_starters:item_count_at_last_gen:${scopeId}`;
+  const checkpoint = db
+    .select({ value: memoryCheckpoints.value })
+    .from(memoryCheckpoints)
+    .where(eq(memoryCheckpoints.key, checkpointKey))
+    .get();
+  const parsedLastCount = checkpoint ? parseInt(checkpoint.value, 10) : 0;
+  const lastCount = Number.isFinite(parsedLastCount) ? parsedLastCount : 0;
+
+  // Cadence formula
+  let threshold: number;
+  if (totalActive <= 10) {
+    threshold = 1;
+  } else if (totalActive <= 50) {
+    threshold = 5;
+  } else {
+    threshold = 10;
+  }
+
+  const checkpointAhead = totalActive < lastCount;
+  const delta = Math.max(0, totalActive - lastCount);
+  if (!checkpointAhead && delta < threshold) return;
+
+  // Dedup: don't enqueue if a pending/running job for this scope already exists
+  const existing = db
+    .select({ id: memoryJobs.id })
+    .from(memoryJobs)
+    .where(
+      and(
+        eq(memoryJobs.type, "generate_conversation_starters"),
+        inArray(memoryJobs.status, ["pending", "running"]),
+        sql`json_extract(${memoryJobs.payload}, '$.scopeId') = ${scopeId}`,
+      ),
+    )
+    .get();
+  if (existing) return;
+
+  enqueueMemoryJob("generate_conversation_starters", { scopeId });
+  log.info(
+    { totalActive, lastCount, delta, threshold, scopeId, checkpointAhead },
+    "Enqueued conversation starters generation job",
+  );
+}

package/src/memory/conversation-title-service.ts

@@ -284,10 +284,13 @@ export function queueRegenerateConversationTitle(
  */
 function buildTitleSystemPrompt(): string {
   return [
-    "You generate short conversation titles. Output ONLY the title text — no explanation, no quotes, no markdown, no preamble.",
+    "You generate ultra-concise conversation titles. Output ONLY the title text — no explanation, no quotes, no markdown, no preamble.",
     "",
     "Rules:",
-    "- Summarize the TOPIC the user is asking about",
+    "- 2–6 words. Titles longer than 6 words are unacceptable — ruthlessly compress",
+    "- Summarize the TOPIC, not the request or instructions",
+    "- Noun phrases are ideal (e.g. 'Auth Middleware Rewrite', 'Docker Volume Mounts')",
+    "- Do NOT echo back what the user asked you to do",
     "- Do NOT respond to the conversation content",
     "- Do NOT assess feasibility or comment on capabilities",
   ].join("\n");

package/src/memory/db-init.ts

@@ -58,6 +58,7 @@ import {
   migrateContactsRolePrincipal,
   migrateContactsUserFileColumn,
   migrateConversationForkLineage,
+  migrateConversationHostAccess,
   migrateConversationsLastMessageAt,
   migrateConversationsThreadTypeIndex,
   migrateCreateConversationGraphMemoryState,
@@ -110,9 +111,14 @@ import {
   migrateOAuthProvidersBehaviorColumns,
   migrateOAuthProvidersDisplayMetadata,
   migrateOAuthProvidersFeatureFlag,
+  migrateOAuthProvidersLogoUrl,
   migrateOAuthProvidersManagedServiceConfigKey,
   migrateOAuthProvidersPingConfig,
   migrateOAuthProvidersPingUrl,
+  migrateOAuthProvidersRefreshUrl,
+  migrateOAuthProvidersRevoke,
+  migrateOAuthProvidersScopeSeparator,
+  migrateOAuthProvidersTokenAuthMethodDefault,
   migrateReminderRoutingIntent,
   migrateRemindersToSchedules,
   migrateRenameConversationTypeColumn,
@@ -352,6 +358,12 @@ export function initializeDb(): void {
     migrateScheduleReuseConversation,
     migrateMemoryRecallLogsQueryContext,
     migrateLlmRequestLogsCreatedAtIndex,
+    migrateOAuthProvidersScopeSeparator,
+    migrateOAuthProvidersRefreshUrl,
+    migrateOAuthProvidersRevoke,
+    migrateOAuthProvidersTokenAuthMethodDefault,
+    migrateConversationHostAccess,
+    migrateOAuthProvidersLogoUrl,
   ];
 
   // Run each migration step, catching and logging individual failures so one