@vellumai/assistant 0.7.0 → 0.7.1

package/ARCHITECTURE.md

@@ -1606,11 +1606,11 @@ graph TB
 Auto-approve thresholds are **gateway-owned** — they live in the gateway's SQLite database and are read by the assistant via IPC (`get_global_thresholds`, `get_conversation_threshold`). Users control thresholds via the **Settings UI** (Permissions & Privacy tab) or the **per-conversation risk tolerance picker**. When the gateway is unreachable, the assistant defaults to `"none"` (Strict) — fail-closed with no local fallback.
 
 | `autoApproveUpTo` | Low-risk tools | Medium-risk tools | High-risk tools |
-| ------------------ | -------------- | ----------------- | --------------- |
-| `"none"`           | Prompted       | Prompted          | Prompted        |
-| `"low"` (default)  | Auto-allowed   | Prompted          | Prompted        |
-| `"medium"`         | Auto-allowed   | Auto-allowed      | Prompted        |
-| `"high"`           | Auto-allowed   | Auto-allowed      | Auto-allowed    |
+| ----------------- | -------------- | ----------------- | --------------- |
+| `"none"`          | Prompted       | Prompted          | Prompted        |
+| `"low"` (default) | Auto-allowed   | Prompted          | Prompted        |
+| `"medium"`        | Auto-allowed   | Auto-allowed      | Prompted        |
+| `"high"`          | Auto-allowed   | Auto-allowed      | Auto-allowed    |
 
 When set to `"none"`, every tool invocation requires explicit approval. Explicit deny and ask rules always take precedence over the threshold.
 
@@ -1867,7 +1867,6 @@ Events emitted during a conversation lifecycle:
 | `tool_permission_decided`   | ToolTraceListener       | Permission granted or denied (carries `decision`)                                               |
 | `tool_finished`             | ToolTraceListener       | Tool execution completed (carries `durationMs`)                                                 |
 | `tool_failed`               | ToolTraceListener       | Tool execution failed (carries `durationMs`)                                                    |
-| `secret_detected`           | ToolTraceListener       | Secret found in tool output                                                                     |
 | `generation_handoff`        | Conversation            | Yielding to next queued message                                                                 |
 | `message_complete`          | Conversation            | Full request processing finished                                                                |
 | `generation_cancelled`      | Conversation            | User cancelled the generation                                                                   |
@@ -1876,7 +1875,7 @@ Events emitted during a conversation lifecycle:
 ### Architecture
 
 - **TraceEmitter** (daemon, per-conversation): Constructed with a `conversationId` and a `sendToClient` callback. Maintains a monotonic sequence counter for stable ordering. Truncates summaries to 200 chars and attribute values to 500 chars. Each call to `emit()` sends a `trace_event` SSE event to connected clients.
-- **ToolTraceListener** (daemon): Subscribes to the conversation's `EventBus` via `onAny()` and translates tool domain events (`tool.execution.started`, `tool.execution.finished`, `tool.execution.failed`, `tool.permission.requested`, `tool.permission.decided`, `tool.secret.detected`) into trace events through the `TraceEmitter`.
+- **ToolTraceListener** (daemon): Subscribes to the conversation's `EventBus` via `onAny()` and translates tool domain events (`tool.execution.started`, `tool.execution.finished`, `tool.execution.failed`, `tool.permission.requested`, `tool.permission.decided`) into trace events through the `TraceEmitter`.
 - **DaemonClient** (Swift, shared): Decodes `trace_event` SSE events into `TraceEventMessage` structs and invokes the `onTraceEvent` callback.
 - **TraceStore** (Swift, macOS): `@MainActor ObservableObject` that ingests `TraceEventMessage` structs. Deduplicates by `eventId`, maintains stable sort order (sequence, then timestampMs, then insertion order), groups events by conversation and requestId, and enforces a retention cap of 5,000 events per conversation. Each request group is classified with a terminal status: `completed` (via `message_complete`), `cancelled` (via `generation_cancelled`), `handedOff` (via `generation_handoff`), `error` (via `request_error` or any event with `status == "error"`), or `active` (no terminal event yet).
 - **DebugPanel** (Swift, macOS): SwiftUI view that observes `TraceStore`. Displays a metrics strip (request count, LLM calls, total tokens, average latency, tool failures) and a `TraceTimelineView` showing events grouped by requestId with color-coded status indicators. The timeline auto-scrolls to new events while the user is at the bottom; scrolling up pauses auto-scroll and shows a "Jump to bottom" button that resumes it.

package/Dockerfile

@@ -23,6 +23,7 @@ COPY packages/credential-storage ./packages/credential-storage
 COPY packages/egress-proxy ./packages/egress-proxy
 COPY packages/gateway-client ./packages/gateway-client
 COPY packages/skill-host-contracts ./packages/skill-host-contracts
+COPY packages/slack-text ./packages/slack-text
 
 # Install deps for shared packages that have their own file: dependencies.
 # Without this, bun's module resolution at runtime walks up from e.g.

package/README.md

@@ -85,7 +85,7 @@ bun run src/index.ts                # interactive CLI session
 | `assistant conversations list\|new\|export\|clear` | Manage conversations                             |
 | `assistant config set\|get\|list`                  | Manage configuration                             |
 | `assistant keys set\|list\|delete`                 | Manage API keys in secure storage                |
-| `assistant trust list\|add\|update\|remove`              | Manage trust rules                               |
+| `assistant trust list\|add\|update\|remove`        | Manage trust rules                               |
 
 ## Project Structure
 
@@ -189,7 +189,7 @@ Internal forwarding routes (`/v1/internal/twilio/*`) are unaffected — these ac
 The `/channels/inbound` endpoint requires a JWT with the `svc_gateway` principal type and `ingress.write` scope to prove the request originated from the gateway. This ensures channel messages can only arrive via the gateway (which performs webhook-level verification) and not via direct HTTP calls that bypass signature checks.
 
 - **JWT-based enforcement:** The route policy in `route-policy.ts` restricts `/channels/inbound` to the `svc_gateway` principal type with `ingress.write` scope. Actor and local principals are rejected with 403.
-- **Dev bypass:** When `DISABLE_HTTP_AUTH` + `VELLUM_UNSAFE_AUTH_BYPASS=1` are set, JWT verification is skipped and a synthetic dev context is used.
+- **Auth bypass:** When `DISABLE_HTTP_AUTH=true` is set (platform-managed deployments), JWT verification is skipped and a synthetic context is used.
 
 ## Twilio Setup Primitive
 

package/__tests__/permissions/gateway-threshold-reader.test.ts

@@ -2,35 +2,32 @@ import { afterEach, describe, expect, mock, test } from "bun:test";
 
 // ── Mocks ────────────────────────────────────────────────────────────────────
 
-let mockFeatureFlagEnabled = true;
-
 mock.module("../../src/config/assistant-feature-flags.js", () => ({
-  isAssistantFeatureFlagEnabled: (_key: string, _config: unknown) =>
-    mockFeatureFlagEnabled,
+  isAssistantFeatureFlagEnabled: () => true,
 }));
 
 mock.module("../../src/config/loader.js", () => ({
   getConfig: () => ({}),
 }));
 
-// Track gatewayGet calls for assertion
-const gatewayGetCalls: string[] = [];
-let gatewayGetHandler: (path: string) => unknown = () => ({});
-
-mock.module("../../src/runtime/gateway-internal-client.js", () => ({
-  GatewayRequestError: class GatewayRequestError extends Error {
-    statusCode: number;
-    gatewayError: string | undefined;
-    constructor(message: string, statusCode: number, gatewayError?: string) {
-      super(message);
-      this.name = "GatewayRequestError";
-      this.statusCode = statusCode;
-      this.gatewayError = gatewayError;
-    }
-  },
-  gatewayGet: async <T>(path: string): Promise<T> => {
-    gatewayGetCalls.push(path);
-    return gatewayGetHandler(path) as T;
+// Track ipcCall invocations for assertion
+const ipcCallLog: string[] = [];
+
+// Handler receives (method, params) and returns the IPC response value.
+// Return `undefined` to simulate a transport failure.
+// Return `null` for get_conversation_threshold to indicate "no override".
+type IpcHandler = (method: string, params?: Record<string, unknown>) => unknown;
+let ipcHandler: IpcHandler = () => undefined;
+
+mock.module("../../src/ipc/gateway-client.js", () => ({
+  ipcCall: async (method: string, params?: Record<string, unknown>) => {
+    // Normalise to a readable key for assertions
+    const key =
+      method === "get_conversation_threshold" && params?.conversationId
+        ? `/v1/permissions/thresholds/conversations/${params.conversationId}`
+        : "/v1/permissions/thresholds";
+    ipcCallLog.push(key);
+    return ipcHandler(method, params);
   },
 }));
 
@@ -48,42 +45,41 @@ import {
   _clearGlobalCacheForTesting,
   getAutoApproveThreshold,
 } from "../../src/permissions/gateway-threshold-reader.js";
-// Import GatewayRequestError from the mock so we can throw instances of it
-const { GatewayRequestError } =
-  await import("../../src/runtime/gateway-internal-client.js");
 
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
 function resetMocks(): void {
-  mockFeatureFlagEnabled = true;
-  gatewayGetCalls.length = 0;
-  gatewayGetHandler = () => ({});
+  ipcCallLog.length = 0;
+  ipcHandler = () => undefined;
   _clearGlobalCacheForTesting();
 }
 
 afterEach(resetMocks);
 
+// Convenience: set up a handler that returns the given global thresholds and,
+// optionally, a per-conversation override threshold string.
+function withGlobals(
+  globals: { interactive: string; autonomous: string },
+  conversationOverride?: { conversationId: string; threshold: string },
+): void {
+  ipcHandler = (method, params) => {
+    if (method === "get_global_thresholds") return globals;
+    if (method === "get_conversation_threshold") {
+      const id = params?.conversationId;
+      if (conversationOverride && id === conversationOverride.conversationId) {
+        return { threshold: conversationOverride.threshold };
+      }
+      return null; // no override
+    }
+    return undefined;
+  };
+}
+
 // ── Tests ────────────────────────────────────────────────────────────────────
 
 describe("getAutoApproveThreshold", () => {
-  test("returns undefined when feature flag is off", async () => {
-    mockFeatureFlagEnabled = false;
-    const result = await getAutoApproveThreshold("conv-123", "conversation");
-    expect(result).toBeUndefined();
-    // Should not make any gateway calls
-    expect(gatewayGetCalls).toHaveLength(0);
-  });
-
   test("returns global defaults when gateway returns them", async () => {
-    gatewayGetHandler = (path: string) => {
-      if (path === "/v1/permissions/thresholds") {
-        return {
-          interactive: "medium",
-          autonomous: "low",
-        };
-      }
-      return {};
-    };
+    withGlobals({ interactive: "medium", autonomous: "low" });
 
     // conversation maps to interactive
     expect(await getAutoApproveThreshold(undefined, "conversation")).toBe(
@@ -102,105 +98,73 @@ describe("getAutoApproveThreshold", () => {
   });
 
   test("returns conversation override when it exists", async () => {
-    gatewayGetHandler = (path: string) => {
-      if (path === "/v1/permissions/thresholds/conversations/conv-xyz") {
-        return { threshold: "medium" };
-      }
-      if (path === "/v1/permissions/thresholds") {
-        return {
-          interactive: "low",
-          autonomous: "none",
-        };
-      }
-      return {};
-    };
+    withGlobals(
+      { interactive: "low", autonomous: "none" },
+      { conversationId: "conv-xyz", threshold: "medium" },
+    );
 
     const result = await getAutoApproveThreshold("conv-xyz", "conversation");
     expect(result).toBe("medium");
     // Should have called the conversation endpoint, not the global one
-    expect(gatewayGetCalls).toEqual([
+    expect(ipcCallLog).toEqual([
       "/v1/permissions/thresholds/conversations/conv-xyz",
     ]);
   });
 
-  test("falls back to global when conversation override returns 404", async () => {
-    gatewayGetHandler = (path: string) => {
-      if (path.startsWith("/v1/permissions/thresholds/conversations/")) {
-        throw new GatewayRequestError("Not found", 404, "Not found");
-      }
-      if (path === "/v1/permissions/thresholds") {
-        return {
-          interactive: "low",
-          autonomous: "none",
-        };
-      }
-      return {};
-    };
+  test("falls back to global when conversation override returns null (no override)", async () => {
+    withGlobals({ interactive: "low", autonomous: "none" });
+    // ipcHandler returns null for get_conversation_threshold (no row)
 
     const result = await getAutoApproveThreshold("conv-123", "conversation");
     expect(result).toBe("low");
-    // Should have called both endpoints
-    expect(gatewayGetCalls).toEqual([
+    // Called conversation endpoint first, then global
+    expect(ipcCallLog).toEqual([
       "/v1/permissions/thresholds/conversations/conv-123",
       "/v1/permissions/thresholds",
     ]);
   });
 
-  test("falls back to hardcoded defaults on gateway error", async () => {
-    gatewayGetHandler = () => {
+  test("falls back to global when conversation ipc returns undefined (transport failure)", async () => {
+    ipcHandler = (method) => {
+      if (method === "get_conversation_threshold") return undefined; // transport failure
+      if (method === "get_global_thresholds")
+        return { interactive: "low", autonomous: "none" };
+      return undefined;
+    };
+
+    const result = await getAutoApproveThreshold("conv-123", "conversation");
+    expect(result).toBe("low");
+  });
+
+  test("falls back to 'none' (Strict) for all contexts on global gateway failure", async () => {
+    // When the gateway IPC is unreachable, the reader defaults to "none" for
+    // all contexts — defense-in-depth ensures no tools are silently
+    // auto-approved when the gateway is down.
+    ipcHandler = () => {
       throw new Error("Connection refused");
     };
 
-    // conversation → "low"
     expect(await getAutoApproveThreshold(undefined, "conversation")).toBe(
-      "low",
+      "none",
     );
 
     _clearGlobalCacheForTesting();
 
-    // background → "none" (maps to autonomous, which defaults to "none")
-    expect(await getAutoApproveThreshold(undefined, "background")).toBe(
-      "none",
-    );
+    expect(await getAutoApproveThreshold(undefined, "background")).toBe("none");
 
     _clearGlobalCacheForTesting();
 
-    // headless → "none"
     expect(await getAutoApproveThreshold(undefined, "headless")).toBe("none");
   });
 
-  test("falls back to hardcoded defaults on non-404 conversation error", async () => {
-    gatewayGetHandler = (path: string) => {
-      if (path.startsWith("/v1/permissions/thresholds/conversations/")) {
-        throw new GatewayRequestError("Internal error", 500, "Server error");
-      }
-      // Should not reach global endpoint
-      return {
-        interactive: "medium",
-        autonomous: "medium",
-      };
-    };
-
-    const result = await getAutoApproveThreshold("conv-123", "conversation");
-    // Should fall back to hardcoded default for conversation, not global endpoint
-    expect(result).toBe("low");
-    // Should have only called the conversation endpoint
-    expect(gatewayGetCalls).toEqual([
-      "/v1/permissions/thresholds/conversations/conv-123",
-    ]);
-  });
-
   test("caching: second call within 30s does not re-fetch global", async () => {
     let fetchCount = 0;
-    gatewayGetHandler = (path: string) => {
-      if (path === "/v1/permissions/thresholds") {
+    ipcHandler = (method) => {
+      if (method === "get_global_thresholds") {
         fetchCount++;
-        return {
-          interactive: "medium",
-          autonomous: "low",
-        };
+        return { interactive: "medium", autonomous: "low" };
       }
-      return {};
+      return null;
     };
 
     // First call — should fetch
@@ -226,15 +190,7 @@ describe("getAutoApproveThreshold", () => {
   });
 
   test("defaults executionContext to conversation when omitted", async () => {
-    gatewayGetHandler = (path: string) => {
-      if (path === "/v1/permissions/thresholds") {
-        return {
-          interactive: "medium",
-          autonomous: "low",
-        };
-      }
-      return {};
-    };
+    withGlobals({ interactive: "medium", autonomous: "low" });
 
     // executionContext omitted — should default to "conversation" → interactive
     const result = await getAutoApproveThreshold(undefined, undefined);
@@ -242,36 +198,20 @@ describe("getAutoApproveThreshold", () => {
   });
 
   test("skips conversation override when no conversationId", async () => {
-    gatewayGetHandler = (path: string) => {
-      if (path === "/v1/permissions/thresholds") {
-        return {
-          interactive: "low",
-          autonomous: "none",
-        };
-      }
-      return {};
-    };
+    withGlobals({ interactive: "low", autonomous: "none" });
 
     const result = await getAutoApproveThreshold(undefined, "conversation");
     expect(result).toBe("low");
     // Should only call global endpoint, not conversation
-    expect(gatewayGetCalls).toEqual(["/v1/permissions/thresholds"]);
+    expect(ipcCallLog).toEqual(["/v1/permissions/thresholds"]);
   });
 
   test("skips conversation override for non-conversation contexts", async () => {
-    gatewayGetHandler = (path: string) => {
-      if (path === "/v1/permissions/thresholds") {
-        return {
-          interactive: "low",
-          autonomous: "medium",
-        };
-      }
-      return {};
-    };
+    withGlobals({ interactive: "low", autonomous: "medium" });
 
     // Even with a conversationId, background context should not check conversation override
     const result = await getAutoApproveThreshold("conv-123", "background");
     expect(result).toBe("medium");
-    expect(gatewayGetCalls).toEqual(["/v1/permissions/thresholds"]);
+    expect(ipcCallLog).toEqual(["/v1/permissions/thresholds"]);
   });
 });

package/bun.lock

@@ -20,6 +20,7 @@
         "@vellumai/gateway-client": "file:../packages/gateway-client",
         "@vellumai/service-contracts": "file:../packages/service-contracts",
         "@vellumai/skill-host-contracts": "file:../packages/skill-host-contracts",
+        "@vellumai/slack-text": "file:../packages/slack-text",
         "archiver": "7.0.1",
         "commander": "13.1.0",
         "croner": "10.0.1",
@@ -422,6 +423,8 @@
 
     "@vellumai/skill-host-contracts": ["@vellumai/skill-host-contracts@file:../packages/skill-host-contracts", { "devDependencies": { "@types/bun": "1.3.10", "typescript": "5.9.3" } }],
 
+    "@vellumai/slack-text": ["@vellumai/slack-text@file:../packages/slack-text", { "devDependencies": { "@types/bun": "1.3.10", "typescript": "5.9.3" } }],
+
     "@vue/compiler-core": ["@vue/compiler-core@3.5.33", "", { "dependencies": { "@babel/parser": "^7.29.2", "@vue/shared": "3.5.33", "entities": "^7.0.1", "estree-walker": "^2.0.2", "source-map-js": "^1.2.1" } }, "sha512-3PZLQwFw4Za3TC8t0FvTy3wI16Kt+pmwcgNZca4Pj9iWL2E72a/gZlpBtAJvEdDMdCxdG/qq0C7PN0bsJuv0Rw=="],
 
     "@vue/compiler-dom": ["@vue/compiler-dom@3.5.33", "", { "dependencies": { "@vue/compiler-core": "3.5.33", "@vue/shared": "3.5.33" } }, "sha512-PXq0yrfCLzzL07rbXO4awtXY1Z06LG2eu6Adg3RJFa/j3Cii217XxxLXG22N330gw7GmALCY0Z8RgXEviwgpjA=="],

package/docs/architecture/security.md

@@ -39,11 +39,11 @@ graph TB
 Auto-approve thresholds are **gateway-owned** — they live in the gateway's SQLite database and are read by the assistant via IPC (`get_global_thresholds`, `get_conversation_threshold`). Users control thresholds via the **Settings UI** (Permissions & Privacy tab) or the **per-conversation risk tolerance picker**. When the gateway is unreachable, the assistant defaults to `"none"` (Strict) — fail-closed with no local fallback.
 
 | `autoApproveUpTo` | Low-risk tools | Medium-risk tools | High-risk tools |
-| ------------------ | -------------- | ----------------- | --------------- |
-| `"none"`           | Prompted       | Prompted          | Prompted        |
-| `"low"` (default)  | Auto-allowed   | Prompted          | Prompted        |
-| `"medium"`         | Auto-allowed   | Auto-allowed      | Prompted        |
-| `"high"`           | Auto-allowed   | Auto-allowed      | Auto-allowed    |
+| ----------------- | -------------- | ----------------- | --------------- |
+| `"none"`          | Prompted       | Prompted          | Prompted        |
+| `"low"` (default) | Auto-allowed   | Prompted          | Prompted        |
+| `"medium"`        | Auto-allowed   | Auto-allowed      | Prompted        |
+| `"high"`          | Auto-allowed   | Auto-allowed      | Auto-allowed    |
 
 When set to `"none"`, every tool invocation requires explicit approval. Explicit deny and ask rules always take precedence over the threshold.
 
@@ -262,20 +262,22 @@ The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send
 | ------------------- | ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Secret values       | CES credential store or encrypted file store         | Encrypted credential values keyed as `credential/{service}/{field}`. Stored via CES RPC (primary), CES HTTP (containerized), or encrypted file store (fallback). |
 | Credential metadata | `~/.vellum/workspace/data/credentials/metadata.json` | Service, field, label, policy (allowedTools, allowedDomains), timestamps                                                                                         |
-| Config              | `~/.vellum/workspace/config.*`                       | `secretDetection` settings: enabled, action, entropyThreshold, allowOneTimeSend                                                                                  |
+| Config              | `~/.vellum/workspace/config.*`                       | `secretDetection` settings: enabled, blockIngress, allowOneTimeSend                                                                                              |
 
 ### Key Files
 
-| File                                                 | Role                                                                  |
-| ---------------------------------------------------- | --------------------------------------------------------------------- |
-| `assistant/src/tools/credentials/vault.ts`           | `credential_store` tool — store, list, delete, prompt actions         |
-| `assistant/src/security/secure-keys.ts`              | Async secure key CRUD via CES and encrypted file store                |
-| `assistant/src/tools/credentials/metadata-store.ts`  | JSON file metadata CRUD for credential records                        |
-| `assistant/src/tools/credentials/broker.ts`          | Brokered credential access with policy enforcement and transient send |
-| `assistant/src/tools/credentials/policy-validate.ts` | Policy input validation (allowedTools, allowedDomains)                |
-| `assistant/src/permissions/secret-prompter.ts`       | HTTP secret_request/secret_response flow                              |
-| `assistant/src/security/secret-scanner.ts`           | Regex + entropy-based secret detection                                |
-| `clients/macos/.../SecretPromptManager.swift`        | Floating panel UI for secure credential entry                         |
+| File                                                 | Role                                                                               |
+| ---------------------------------------------------- | ---------------------------------------------------------------------------------- |
+| `assistant/src/tools/credentials/vault.ts`           | `credential_store` tool — store, list, delete, prompt actions                      |
+| `assistant/src/security/secure-keys.ts`              | Async secure key CRUD via CES and encrypted file store                             |
+| `assistant/src/tools/credentials/metadata-store.ts`  | JSON file metadata CRUD for credential records                                     |
+| `assistant/src/tools/credentials/broker.ts`          | Brokered credential access with policy enforcement and transient send              |
+| `assistant/src/tools/credentials/policy-validate.ts` | Policy input validation (allowedTools, allowedDomains)                             |
+| `assistant/src/permissions/secret-prompter.ts`       | HTTP secret_request/secret_response flow                                           |
+| `assistant/src/security/secret-scanner.ts`           | Prefix + shape-based secret regex detection (used by display-time `redactSecrets`) |
+| `assistant/src/security/secret-ingress.ts`           | Prefix-only ingress check on user messages                                         |
+| `assistant/src/util/log-redact.ts`                   | Pino log serializers — prefix-based redaction for logs                             |
+| `clients/macos/.../SecretPromptManager.swift`        | Floating panel UI for secure credential entry                                      |
 
 ---
 

package/knip.json

@@ -12,6 +12,7 @@
     "@vellumai/egress-proxy",
     "@vellumai/gateway-client",
     "@vellumai/service-contracts",
+    "@vellumai/slack-text",
     "@resvg/resvg-js-darwin-arm64",
     "@resvg/resvg-js-darwin-x64",
     "@vellumai/skill-host-contracts",

package/node_modules/@vellumai/skill-host-contracts/__tests__/client.test.ts

@@ -259,7 +259,6 @@ beforeEach(async () => {
   server = new StubServer(socketPath);
   // Standard identity/platform/log stubs every test relies on for
   // `connect()` to succeed.
-  server.register("host.identity.getInternalAssistantId", () => "self");
   server.register(
     "host.identity.getAssistantName",
     () => "Example Assistant",
@@ -298,7 +297,6 @@ async function openClient(
 describe("SkillHostClient: bootstrap + sync accessors", () => {
   test("connect populates identity/platform caches", async () => {
     client = await openClient();
-    expect(client.identity.internalAssistantId).toBe("self");
     expect(client.identity.getAssistantName()).toBe("Example Assistant");
     expect(client.platform.workspaceDir()).toBe("/tmp/workspace");
     expect(client.platform.vellumRoot()).toBe("/tmp/vellum");
@@ -310,7 +308,6 @@ describe("SkillHostClient: bootstrap + sync accessors", () => {
       socketPath,
       skillId: "test-skill",
     });
-    expect(() => client!.identity.internalAssistantId).toThrow(/not connected/);
     expect(() => client!.platform.workspaceDir()).toThrow(/not connected/);
   });
 
@@ -880,11 +877,10 @@ describe("SkillHostClient: connect() retry semantics", () => {
     client = new SkillHostClient({ socketPath, skillId: "test-skill" });
     await expect(client.connect()).rejects.toThrow(/boom/);
     // Sync accessors should still throw — the cache wasn't populated.
-    expect(() => client!.identity.internalAssistantId).toThrow(/not connected/);
+    expect(() => client!.platform.workspaceDir()).toThrow(/not connected/);
     // Second connect() must retry prefetch instead of short-circuiting on
     // the still-alive socket.
     await client.connect();
-    expect(client.identity.internalAssistantId).toBe("self");
     expect(client.identity.getAssistantName()).toBe("Recovered Assistant");
     expect(nameCalls).toBe(2);
   });

package/node_modules/@vellumai/skill-host-contracts/src/assistant-event.ts

@@ -28,8 +28,6 @@ import { randomUUID } from "node:crypto";
 export interface AssistantEvent<TMessage = unknown> {
   /** Globally unique event identifier (UUID). */
   id: string;
-  /** The assistant this event belongs to. */
-  assistantId: string;
   /** Resolved conversation id when available. */
   conversationId?: string;
   /** ISO-8601 timestamp of when the event was emitted. */
@@ -43,18 +41,15 @@ export interface AssistantEvent<TMessage = unknown> {
 /**
  * Construct an `AssistantEvent` envelope around a message payload.
  *
- * @param assistantId     The logical assistant identifier (e.g. from the daemon or HTTP route).
  * @param message         The outbound message payload.
  * @param conversationId  Optional conversation id -- pass when known.
  */
 export function buildAssistantEvent<TMessage>(
-  assistantId: string,
   message: TMessage,
   conversationId?: string,
 ): AssistantEvent<TMessage> {
   return {
     id: randomUUID(),
-    assistantId,
     conversationId,
     emittedAt: new Date().toISOString(),
     message,

package/node_modules/@vellumai/skill-host-contracts/src/client.ts

@@ -64,7 +64,7 @@
  * ### Sync-method bootstrap
  *
  * The `SkillHost` contract exposes a number of synchronous accessors
- * (`identity.internalAssistantId`, `platform.workspaceDir()`,
+ * (`identity.getAssistantName()`, `platform.workspaceDir()`,
  * `platform.runtimeMode()`, etc.) that naturally cannot round-trip an async
  * IPC call on every invocation. `connect()` prefetches the stable subset of
  * these values once, caches them locally, and every subsequent sync accessor
@@ -311,8 +311,8 @@ export class SkillHostClient implements SkillHost {
   >();
 
   // Prefetched sync state — populated by `connect()`.
-  private cachedInternalAssistantId: string | null = null;
   private cachedAssistantName: string | undefined = undefined;
+  private cachedPrefetchDone = false;
   private cachedWorkspaceDir: string | null = null;
   private cachedVellumRoot: string | null = null;
   private cachedRuntimeMode: DaemonRuntimeMode | null = null;
@@ -383,7 +383,7 @@ export class SkillHostClient implements SkillHost {
     // the caches are still null and sync accessors would throw — fall
     // through and re-run prefetch over the existing socket.
     const socketAlive = !!this.socket && !this.socket.destroyed;
-    const prefetchDone = this.cachedInternalAssistantId !== null;
+    const prefetchDone = this.cachedPrefetchDone;
     if (socketAlive && prefetchDone) return;
 
     const ensureSocket = socketAlive ? Promise.resolve() : this.doConnect();
@@ -774,15 +774,14 @@ export class SkillHostClient implements SkillHost {
   // ── Internal: bootstrap cache ───────────────────────────────────────────
 
   private async prefetchSyncState(): Promise<void> {
-    const [assistantId, workspaceDir, vellumRootValue, runtimeMode, name] =
+    const [workspaceDir, vellumRootValue, runtimeMode, name] =
       await Promise.all([
-        this.call<string>("host.identity.getInternalAssistantId"),
         this.call<string>("host.platform.workspaceDir"),
         this.call<string>("host.platform.vellumRoot"),
         this.call<DaemonRuntimeMode>("host.platform.runtimeMode"),
         this.call<string | null>("host.identity.getAssistantName"),
       ]);
-    this.cachedInternalAssistantId = assistantId;
+    this.cachedPrefetchDone = true;
     this.cachedWorkspaceDir = workspaceDir;
     this.cachedVellumRoot = vellumRootValue;
     this.cachedRuntimeMode = runtimeMode;
@@ -844,13 +843,9 @@ export class SkillHostClient implements SkillHost {
     const self = this;
     return {
       getAssistantName: () => {
-        if (self.cachedInternalAssistantId === null) throw notConnected();
+        if (!self.cachedPrefetchDone) throw notConnected();
         return self.cachedAssistantName;
       },
-      get internalAssistantId(): string {
-        if (self.cachedInternalAssistantId === null) throw notConnected();
-        return self.cachedInternalAssistantId;
-      },
     };
   }
 
@@ -1000,13 +995,12 @@ export class SkillHostClient implements SkillHost {
         // `buildEvent` is typed as sync on the contract (the daemon
         // allocates a uuid + timestamp and returns the envelope). A sync
         // round-trip isn't possible, so the client produces an envelope
-        // locally using the cached assistant id and the standard uuid /
-        // timestamp sources. This matches the observable shape of the
-        // daemon's `buildAssistantEvent` without the round-trip.
-        if (this.cachedInternalAssistantId === null) throw notConnected();
+        // locally using the standard uuid / timestamp sources. This matches
+        // the observable shape of the daemon's `buildAssistantEvent` without
+        // the round-trip.
+        if (!this.cachedPrefetchDone) throw notConnected();
         return {
           id: randomUUID(),
-          assistantId: this.cachedInternalAssistantId,
           conversationId,
           emittedAt: new Date().toISOString(),
           message,

package/node_modules/@vellumai/skill-host-contracts/src/skill-host.ts

@@ -94,12 +94,6 @@ export interface IdentityFacet {
    * `undefined` when no name has been set.
    */
   getAssistantName(): string | undefined;
-  /**
-   * The daemon's internal assistant id (`DAEMON_INTERNAL_ASSISTANT_ID`).
-   * Skills use this as the `assistantId` field on events they publish and
-   * as the subject of memory writes.
-   */
-  readonly internalAssistantId: string;
 }
 
 // ---------------------------------------------------------------------------
@@ -228,9 +222,7 @@ export interface MemoryFacet {
 
 /** Subscription filter mirroring `AssistantEventFilter` from the daemon's hub. */
 export interface Filter {
-  /** Only deliver events for this assistant. */
-  assistantId: string;
-  /** When set, further restrict to this conversation. */
+  /** When set, restrict delivery to this conversation. */
   conversationId?: string;
 }