@vellumai/assistant 0.7.0 → 0.7.1

package/src/runtime/routes/inbound-stages/acl-enforcement.ts

@@ -104,40 +104,6 @@ export interface AclResult {
   resolvedMember: ResolvedMember | null;
   /** When set, the caller must return this response immediately. */
   earlyResponse?: Record<string, unknown>;
-  /**
-   * Parsed guardian verification code from the message content, if any.
-   * Surfaced here so downstream verification intercept logic can use it
-   * without re-parsing.
-   */
-  guardianVerifyCode: string | undefined;
-}
-
-/**
- * Strip Slack/Telegram mrkdwn formatting wrappers from a raw message.
- * When users copy-paste a verification code from the desktop app with
- * rich-text formatting (e.g. bold), Slack preserves it as `*code*` in
- * the message text, which would otherwise fail the strict bare-code regex.
- */
-function stripMrkdwnFormatting(text: string): string {
-  // Bold (*…*), italic (_…_), strikethrough (~…~), inline code (`…`)
-  return text.replace(/^[*_~`]+/, "").replace(/[*_~`]+$/, "");
-}
-
-/**
- * Parse a guardian verification code from message content.
- * Accepts a bare code as the entire message: 6-digit numeric OR 64-char hex
- * (hex is retained for compatibility with unbound inbound/bootstrap sessions
- * that intentionally use high-entropy secrets).
- *
- * Strips surrounding mrkdwn formatting characters first so that codes
- * pasted with bold/italic/code formatting are still recognized.
- */
-function parseGuardianVerifyCode(content: string): string | undefined {
-  const stripped = stripMrkdwnFormatting(content);
-  const bareMatch = stripped.match(/^([0-9a-fA-F]{64}|\d{6})$/);
-  if (bareMatch) return bareMatch[1];
-
-  return undefined;
 }
 
 /** Map ChannelStatus to the API-facing member status (excludes "unverified"). */
@@ -174,11 +140,6 @@ export async function enforceIngressAcl(
 
   let resolvedMember: ResolvedMember | null = null;
 
-  // Verification codes must bypass the ACL membership check — users without a
-  // member record need to verify before they can be recognized as members.
-  const guardianVerifyCode = parseGuardianVerifyCode(trimmedContent);
-  const isGuardianVerifyCode = guardianVerifyCode !== undefined;
-
   // /start gv_<token> bootstrap commands must also bypass ACL — the user
   // hasn't been verified yet and needs to complete the bootstrap handshake.
   const rawCommandIntentForAcl = sourceMetadata?.commandIntent;
@@ -228,27 +189,7 @@ export async function enforceIngressAcl(
     }
 
     if (!resolvedMember) {
-      // Determine whether a verification-code bypass is warranted: only allow
-      // when there is a pending (unconsumed, unexpired) challenge AND no
-      // active guardian binding for this (assistantId, channel).
       let denyNonMember = true;
-      if (isGuardianVerifyCode) {
-        // Allow bypass when there is any consumable challenge or active
-        // outbound session.  The !hasActiveBinding guard is intentionally
-        // omitted: rebind sessions create a consumable challenge while a
-        // binding already exists, and the identity check inside
-        // validateAndConsumeVerification prevents unauthorized takeovers.
-        const hasPendingChallenge = !!getPendingSession(sourceChannel);
-        const hasActiveOutboundSession = !!findActiveSession(sourceChannel);
-        if (hasPendingChallenge || hasActiveOutboundSession) {
-          denyNonMember = false;
-        } else {
-          log.info(
-            { sourceChannel, hasPendingChallenge, hasActiveOutboundSession },
-            "Ingress ACL: guardian verification bypass denied",
-          );
-        }
-      }
 
       // Bootstrap deep-link commands bypass ACL only when the token
       // resolves to a real pending_bootstrap session. Without this check,
@@ -297,7 +238,6 @@ export async function enforceIngressAcl(
           return {
             resolvedMember: null,
             earlyResponse: inviteResult,
-            guardianVerifyCode,
           };
       }
 
@@ -322,7 +262,6 @@ export async function enforceIngressAcl(
           return {
             resolvedMember: null,
             earlyResponse: codeInterceptResult,
-            guardianVerifyCode,
           };
       }
 
@@ -400,7 +339,6 @@ export async function enforceIngressAcl(
                 reason: "verification_challenge_sent",
                 verificationSessionId: slackVerifyResult.sessionId,
               }),
-              guardianVerifyCode,
             };
           }
         }
@@ -466,7 +404,6 @@ export async function enforceIngressAcl(
             // callback delivery failed (e.g. signing-key mismatch → 401).
             ...(!replyDelivered && { replyText }),
           }),
-          guardianVerifyCode,
         };
       }
     }
@@ -474,27 +411,9 @@ export async function enforceIngressAcl(
     if (resolvedMember) {
       if (resolvedMember.channel.status !== "active") {
         const isBlockedMember = resolvedMember.channel.status === "blocked";
-        // Same bypass logic as the no-member branch: verification codes and
-        // bootstrap commands must pass through for re-verifiable states
+        // Bootstrap commands must pass through for re-verifiable states
         // (pending/revoked), but never for blocked members.
         let denyInactiveMember = true;
-        if (!isBlockedMember && isGuardianVerifyCode) {
-          const hasPendingChallenge = !!getPendingSession(sourceChannel);
-          const hasActiveOutboundSession = !!findActiveSession(sourceChannel);
-          if (hasPendingChallenge || hasActiveOutboundSession) {
-            denyInactiveMember = false;
-          } else {
-            log.info(
-              {
-                sourceChannel,
-                channelId: resolvedMember.channel.id,
-                hasPendingChallenge,
-                hasActiveOutboundSession,
-              },
-              "Ingress ACL: inactive member verification bypass denied",
-            );
-          }
-        }
         if (!isBlockedMember && isBootstrapCommand) {
           const bootstrapPayload = (
             rawCommandIntentForAcl as Record<string, unknown>
@@ -543,7 +462,6 @@ export async function enforceIngressAcl(
             return {
               resolvedMember: null,
               earlyResponse: inviteResult,
-              guardianVerifyCode,
             };
         }
 
@@ -573,7 +491,6 @@ export async function enforceIngressAcl(
             return {
               resolvedMember: null,
               earlyResponse: codeInterceptResult,
-              guardianVerifyCode,
             };
         }
 
@@ -657,7 +574,6 @@ export async function enforceIngressAcl(
                   reason: "verification_challenge_sent",
                   verificationSessionId: slackVerifyResult.sessionId,
                 }),
-                guardianVerifyCode,
               };
             }
           }
@@ -730,7 +646,6 @@ export async function enforceIngressAcl(
               reason: `member_${channelStatusToMemberStatus(resolvedMember.channel.status)}`,
               ...(!inactiveReplyDelivered && { replyText: inactiveReplyText }),
             }),
-            guardianVerifyCode,
           };
         }
       }
@@ -771,7 +686,6 @@ export async function enforceIngressAcl(
             reason: "policy_deny",
             ...(!denyReplyDelivered && { replyText: denyReplyText }),
           }),
-          guardianVerifyCode,
         };
       }
 
@@ -784,7 +698,7 @@ export async function enforceIngressAcl(
     }
   }
 
-  return { resolvedMember, guardianVerifyCode };
+  return { resolvedMember };
 }
 
 // ---------------------------------------------------------------------------

package/src/runtime/routes/inbound-stages/background-dispatch.ts

@@ -74,6 +74,7 @@ export interface BackgroundProcessingParams {
   externalChatId: string;
   trustCtx: TrustContext;
   metadataHints: string[];
+  slackRuntimeContextNotice?: string;
   metadataUxBrief?: string;
   replyCallbackUrl?: string;
   assistantId?: string;
@@ -108,6 +109,7 @@ export function processChannelMessageInBackground(
     externalChatId,
     trustCtx,
     metadataHints,
+    slackRuntimeContextNotice,
     metadataUxBrief,
     replyCallbackUrl,
     assistantId,
@@ -222,6 +224,7 @@ export function processChannelMessageInBackground(
           trustContext: trustCtx,
           isInteractive: resolveRoutingState(trustCtx).promptWaitingAllowed,
           ...(cmdIntent ? { commandIntent: cmdIntent } : {}),
+          ...(slackRuntimeContextNotice ? { slackRuntimeContextNotice } : {}),
           ...(slackInbound ? { slackInbound } : {}),
         },
         sourceChannel,

package/src/runtime/routes/index.ts

@@ -26,6 +26,7 @@ import { ROUTES as CHANNEL_READINESS_ROUTES } from "./channel-readiness-routes.j
 import { CHANNEL_ROUTES } from "./channel-route-definitions.js";
 import { ROUTES as CHANNEL_VERIFICATION_ROUTES } from "./channel-verification-routes.js";
 import { ROUTES as CLIENT_ROUTES } from "./client-routes.js";
+import { ROUTES as CONSOLIDATION_ROUTES } from "./consolidation-routes.js";
 import { ROUTES as CONTACT_ROUTES } from "./contact-routes.js";
 import { ROUTES as CONVERSATION_ANALYSIS_ROUTES } from "./conversation-analysis-routes.js";
 import { ROUTES as CONVERSATION_ATTENTION_ROUTES } from "./conversation-attention-routes.js";
@@ -61,6 +62,7 @@ import { ROUTES as VERCEL_ROUTES } from "./integrations/vercel.js";
 import { ROUTES as INTERFACE_ROUTES } from "./interface-routes.js";
 import { ROUTES as INTERNAL_OAUTH_ROUTES } from "./internal-oauth-routes.js";
 import { ROUTES as INTERNAL_TWILIO_ROUTES } from "./internal-twilio-routes.js";
+import { ROUTES as LLM_CALL_SITES_ROUTES } from "./llm-call-sites-routes.js";
 import { ROUTES as LOG_EXPORT_ROUTES } from "./log-export-routes.js";
 import { ROUTES as MEMORY_ITEM_ROUTES } from "./memory-item-routes.js";
 import { ROUTES as MEMORY_V2_ROUTES } from "./memory-v2-routes.js";
@@ -125,6 +127,7 @@ export const ROUTES: RouteDefinition[] = [
   ...CONVERSATION_LIST_ROUTES,
   ...CONVERSATION_MANAGEMENT_ROUTES,
   ...CONVERSATION_MESSAGE_ROUTES,
+  ...CONSOLIDATION_ROUTES,
   ...CREDENTIAL_PROMPT_ROUTES,
   ...DEFER_ROUTES,
   ...CONVERSATION_QUERY_ROUTES,
@@ -150,6 +153,7 @@ export const ROUTES: RouteDefinition[] = [
   ...INTERNAL_OAUTH_ROUTES,
   ...INTERNAL_TWILIO_ROUTES,
   ...LOG_EXPORT_ROUTES,
+  ...LLM_CALL_SITES_ROUTES,
   ...MEMORY_ITEM_ROUTES,
   ...MEMORY_V2_ROUTES,
   ...MIGRATION_ROLLBACK_ROUTES,

package/src/runtime/routes/integrations/slack/channel.ts

@@ -4,7 +4,6 @@
  * GET    /v1/integrations/slack/channel/config        — get current config status
  * POST   /v1/integrations/slack/channel/config        — validate and store credentials
  * DELETE /v1/integrations/slack/channel/config        — clear credentials
- * POST   /v1/integrations/slack/channel/oauth-install — run OAuth loopback to capture bot+user tokens
  */
 
 import {
@@ -12,7 +11,6 @@ import {
   getSlackChannelConfig,
   setSlackChannelConfig,
 } from "../../../../daemon/handlers/config-slack-channel.js";
-import { runSlackChannelOAuthInstall } from "../../../../daemon/handlers/slack-channel-oauth-install.js";
 import { BadRequestError } from "../../errors.js";
 import type { RouteDefinition, RouteHandlerArgs } from "../../types.js";
 
@@ -45,17 +43,6 @@ async function handleClearSlackChannelConfig() {
   return clearSlackChannelConfig();
 }
 
-async function handleSlackChannelOAuthInstall() {
-  const result = await runSlackChannelOAuthInstall();
-  if (!result.success) {
-    throw new BadRequestError(
-      (result as { error?: string }).error ??
-        "Slack OAuth install failed",
-    );
-  }
-  return result;
-}
-
 // ---------------------------------------------------------------------------
 // Route definitions
 // ---------------------------------------------------------------------------
@@ -91,15 +78,4 @@ export const ROUTES: RouteDefinition[] = [
     requirePolicyEnforcement: true,
     handler: () => handleClearSlackChannelConfig(),
   },
-  {
-    operationId: "integrations_slack_channel_oauth_install_post",
-    endpoint: "integrations/slack/channel/oauth-install",
-    method: "POST",
-    summary: "Run Slack OAuth install",
-    description:
-      "Run an OAuth2 loopback flow to install the Slack app and capture bot + user tokens.",
-    tags: ["integrations"],
-    requirePolicyEnforcement: true,
-    handler: () => handleSlackChannelOAuthInstall(),
-  },
 ];

package/src/runtime/routes/llm-call-sites-routes.ts

@@ -0,0 +1,22 @@
+import { CALL_SITE_CATALOG, CALL_SITE_DOMAINS } from "../../config/schemas/call-site-catalog.js";
+import type { RouteDefinition } from "./types.js";
+
+async function handleGetCallSites() {
+  return {
+    domains: CALL_SITE_DOMAINS,
+    callSites: CALL_SITE_CATALOG,
+  };
+}
+
+export const ROUTES: RouteDefinition[] = [
+  {
+    operationId: "llm_call_sites_list",
+    method: "GET",
+    endpoint: "config/llm/call-sites",
+    handler: handleGetCallSites,
+    summary: "List LLM call sites",
+    description:
+      "Returns the full catalog of LLM call sites with display names, descriptions, and domain groupings. Used by clients to render the per-call-site override settings UI.",
+    tags: ["config"],
+  },
+];

package/src/runtime/routes/memory-v2-routes.ts

@@ -12,7 +12,11 @@ import {
   enqueueMemoryJob,
   type MemoryJobType,
 } from "../../memory/jobs-store.js";
-import { readEdges, validateEdges } from "../../memory/v2/edges.js";
+import {
+  getEdgeIndex,
+  totalEdgeCount,
+  validateEdgeTargets,
+} from "../../memory/v2/edge-index.js";
 import { listPages, readPage } from "../../memory/v2/page-store.js";
 import { seedV2SkillEntries } from "../../memory/v2/skill-store.js";
 import { getWorkspaceDir } from "../../util/platform.js";
@@ -24,7 +28,7 @@ import type { RouteHandlerArgs } from "./types.js";
 
 const MemoryV2BackfillParams = z
   .object({
-    op: z.enum(["migrate", "rebuild-edges", "reembed", "activation-recompute"]),
+    op: z.enum(["migrate", "reembed", "activation-recompute"]),
     force: z.boolean().optional(),
   })
   .strict();
@@ -37,7 +41,6 @@ export type MemoryV2BackfillResult = {
 
 const OP_TO_JOB_TYPE: Record<MemoryV2BackfillOp, MemoryJobType> = {
   migrate: "memory_v2_migrate",
-  "rebuild-edges": "memory_v2_rebuild_edges",
   reembed: "memory_v2_reembed",
   "activation-recompute": "memory_v2_activation_recompute",
 };
@@ -98,21 +101,13 @@ async function handleValidate({
     }
   }
 
-  const edgesIdx = await readEdges(workspaceDir);
-  const validation = validateEdges(edgesIdx, knownSlugs);
-
-  const missing = new Set(validation.missing);
-  const missingEdgeEndpoints: MissingEdgeEndpoint[] = [];
-  for (const [from, to] of edgesIdx.edges) {
-    if (missing.has(from) || missing.has(to)) {
-      missingEdgeEndpoints.push({ from, to });
-    }
-  }
+  const edgeIndex = await getEdgeIndex(workspaceDir);
+  const { missing } = validateEdgeTargets(edgeIndex, knownSlugs);
 
   return {
     pageCount: knownSlugs.size,
-    edgeCount: edgesIdx.edges.length,
-    missingEdgeEndpoints,
+    edgeCount: totalEdgeCount(edgeIndex),
+    missingEdgeEndpoints: missing,
     oversizedPages,
     parseFailures,
   };