@vellumai/assistant 0.7.0 → 0.7.2

package/src/runtime/http-server.ts

@@ -5,7 +5,6 @@
  * configured port (default: 7821).
  */
 
-
 import type { ServerWebSocket } from "bun";
 
 import {
@@ -26,10 +25,8 @@ import {
   handleStatusCallback,
   handleVoiceWebhook,
 } from "../calls/twilio-routes.js";
-import {
-  hasUngatedHttpAuthDisabled,
-  isHttpAuthDisabled,
-} from "../config/env.js";
+import { isHttpAuthDisabled } from "../config/env.js";
+import { getIsPlatform } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
 import { processMessage } from "../daemon/process-message.js";
 import { createLiveVoiceSession } from "../live-voice/live-voice-session.js";
@@ -48,20 +45,12 @@ import {
   SttStreamSession,
 } from "../stt/stt-stream-session.js";
 import { getLogger } from "../util/logger.js";
-// Auth
-import {
-  authenticateHostBrowserResultRequest,
-  authenticateRequest,
-} from "./auth/middleware.js";
+import { authenticateRequest } from "./auth/middleware.js";
 import { parseSub } from "./auth/subject.js";
 import { verifyToken } from "./auth/token-service.js";
-import { verifyHostBrowserCapability } from "./capability-tokens.js";
 import { sweepFailedEvents } from "./channel-retry-sweep.js";
-import { getChromeExtensionRegistry } from "./chrome-extension-registry.js";
 import { httpError, type HttpErrorCode } from "./http-errors.js";
-import type { HTTPRouteDefinition } from "./http-router.js";
 import { HttpRouter } from "./http-router.js";
-// Middleware
 import {
   extractBearerToken,
   isLoopbackHost,
@@ -96,31 +85,12 @@ import {
   stopGuardianExpirySweep,
 } from "./routes/channel-guardian-routes.js";
 import { RouteError } from "./routes/errors.js";
-import {
-  resolveHostBrowserEvent,
-  resolveHostBrowserResultByRequestId,
-  resolveHostBrowserSessionInvalidated,
-} from "./routes/host-browser-routes.js";
-import { routeDefinitionsToHTTPRoutes } from "./routes/http-adapter.js";
 import { handleHealth, handleReadyz } from "./routes/identity-routes.js";
-import { ROUTES } from "./routes/index.js";
 import { matchSkillRoute } from "./skill-route-registry.js";
 
 // Re-export for consumers
 export { isPrivateAddress } from "./middleware/auth.js";
 
-// Re-export shared types so existing consumers don't need to update imports
-export type {
-  ApprovalConversationGenerator,
-  ApprovalCopyGenerator,
-  GuardianActionCopyGenerator,
-  GuardianFollowUpConversationGenerator,
-  MessageProcessor,
-  RuntimeAttachmentMetadata,
-  RuntimeHttpServerOptions,
-  RuntimeMessageConversationOptions,
-} from "./http-types.js";
-
 import type {
   ApprovalConversationGenerator,
   ApprovalCopyGenerator,
@@ -137,44 +107,10 @@ const DEFAULT_HOSTNAME = "127.0.0.1";
 /** Global hard cap on request body size (512 MB — accommodates large .vbundle backup imports). */
 const MAX_REQUEST_BODY_BYTES = 512 * 1024 * 1024;
 
-/**
- * WebSocket data attached to `/v1/browser-relay` connections. The route
- * is used exclusively by the chrome-extension CDP proxy — outbound
- * `host_browser_request` frames are pushed through the
- * {@link ChromeExtensionRegistry}, and inbound `host_browser_result`
- * frames are dispatched through
- * `resolveHostBrowserResultByRequestId`. The extension may also submit
- * results via `POST /v1/host-browser-result` (both transports resolve
- * through the same core function).
- */
-interface BrowserRelayWebSocketData {
-  wsType: "browser-relay";
-  connectionId: string;
-  /**
-   * Guardian identity derived from the JWT claims at WebSocket upgrade
-   * time. Used by the ChromeExtensionRegistry to route
-   * host_browser_request frames to the correct extension. Undefined when
-   * HTTP auth is disabled (dev bypass) or when the token's sub cannot be
-   * parsed into an actor principal.
-   */
-  guardianId?: string;
-  /**
-   * Stable per-extension-install identifier supplied by the client on
-   * the WebSocket handshake (via the `clientInstanceId` query param or
-   * the `x-client-instance-id` header). Plumbed into the
-   * ChromeExtensionRegistry so multiple parallel installs for the same
-   * guardian (e.g. two Chrome profiles, two desktops) don't evict each
-   * other on register/unregister. Undefined on older extension builds
-   * — the registry synthesizes a connection-scoped fallback key in
-   * that case for backwards-compatible single-instance semantics.
-   */
-  clientInstanceId?: string;
-}
-
 /**
  * WebSocket data attached to `/v1/calls/media-stream` connections.
  * The `wsType` discriminator routes frames to the media-stream call
- * session instead of the ConversationRelay or browser-relay handlers.
+ * session instead of the ConversationRelay handlers.
  */
 interface MediaStreamWebSocketData {
   wsType: "media-stream";
@@ -243,7 +179,7 @@ export class RuntimeHttpServer {
     this.liveVoiceSessionManager = new LiveVoiceSessionManager({
       createSession: (context) => createLiveVoiceSession(context),
     });
-    this.router = new HttpRouter(this.buildRouteTable());
+    this.router = new HttpRouter();
   }
 
   /** The port the server is actually listening on (resolved after start). */
@@ -254,7 +190,6 @@ export class RuntimeHttpServer {
   async start(): Promise<void> {
     type AllWebSocketData =
       | RelayWebSocketData
-      | BrowserRelayWebSocketData
       | MediaStreamWebSocketData
       | SttStreamWebSocketData
       | LiveVoiceWebSocketData;
@@ -267,23 +202,6 @@ export class RuntimeHttpServer {
       websocket: {
         open: (ws) => {
           const data = ws.data as AllWebSocketData;
-          if ("wsType" in data && data.wsType === "browser-relay") {
-            // When the JWT sub resolved to a guardian principal at upgrade
-            // time, register this connection with the chrome-extension
-            // registry so host_browser_request frames can be routed to it.
-            if (data.guardianId) {
-              const now = Date.now();
-              getChromeExtensionRegistry().register({
-                id: data.connectionId,
-                guardianId: data.guardianId,
-                clientInstanceId: data.clientInstanceId,
-                ws,
-                connectedAt: now,
-                lastActiveAt: now,
-              });
-            }
-            return;
-          }
           if ("wsType" in data && data.wsType === "media-stream") {
             const msData = data as MediaStreamWebSocketData;
             log.info(
@@ -392,129 +310,6 @@ export class RuntimeHttpServer {
             typeof message === "string"
               ? message
               : new TextDecoder().decode(message);
-          if ("wsType" in data && data.wsType === "browser-relay") {
-            // Inbound frames on `/v1/browser-relay` carry one of:
-            //   - `host_browser_result` — paired response to an outbound
-            //     `host_browser_request` (see PR2).
-            //   - `host_browser_event` — unsolicited CDP event forwarded
-            //     from the extension's `chrome.debugger.onEvent`
-            //     subscription (PR10).
-            //   - `host_browser_session_invalidated` — detach
-            //     notification forwarded from the extension's
-            //     `chrome.debugger.onDetach` subscription (PR10).
-            //
-            // Every supported frame type delegates into a shared
-            // resolver exported from `host-browser-routes.ts` so the
-            // validation and resolution semantics stay in lockstep
-            // with the HTTP path. Malformed or unsupported frames are
-            // logged at debug and swallowed — we never throw out of a
-            // WebSocket `message` handler because an uncaught
-            // exception would tear down the whole socket for an
-            // attacker-controlled payload.
-            let parsed: unknown;
-            try {
-              parsed = JSON.parse(raw);
-            } catch (err) {
-              log.debug(
-                {
-                  connectionId: data.connectionId,
-                  error: err instanceof Error ? err.message : String(err),
-                },
-                "browser-relay: dropped non-JSON inbound frame",
-              );
-              return;
-            }
-            if (!parsed || typeof parsed !== "object") {
-              log.debug(
-                { connectionId: data.connectionId },
-                "browser-relay: dropped non-object inbound frame",
-              );
-              return;
-            }
-            const frame = parsed as Record<string, unknown>;
-            switch (frame.type) {
-              case "host_browser_result": {
-                const resolution = resolveHostBrowserResultByRequestId({
-                  requestId: frame.requestId,
-                  content: frame.content,
-                  isError: frame.isError,
-                });
-                if (!resolution.ok) {
-                  log.warn(
-                    {
-                      connectionId: data.connectionId,
-                      requestId:
-                        typeof frame.requestId === "string"
-                          ? frame.requestId
-                          : undefined,
-                      code: resolution.code,
-                      message: resolution.message,
-                    },
-                    "browser-relay: host_browser_result frame rejected",
-                  );
-                }
-                return;
-              }
-              case "host_browser_event": {
-                const resolution = resolveHostBrowserEvent({
-                  method: frame.method,
-                  params: frame.params,
-                  cdpSessionId: frame.cdpSessionId,
-                });
-                if (!resolution.ok) {
-                  log.warn(
-                    {
-                      connectionId: data.connectionId,
-                      method:
-                        typeof frame.method === "string"
-                          ? frame.method
-                          : undefined,
-                      code: resolution.code,
-                      message: resolution.message,
-                    },
-                    "browser-relay: host_browser_event frame rejected",
-                  );
-                }
-                return;
-              }
-              case "host_browser_session_invalidated": {
-                const resolution = resolveHostBrowserSessionInvalidated({
-                  targetId: frame.targetId,
-                  reason: frame.reason,
-                });
-                if (!resolution.ok) {
-                  log.warn(
-                    {
-                      connectionId: data.connectionId,
-                      targetId:
-                        typeof frame.targetId === "string"
-                          ? frame.targetId
-                          : undefined,
-                      code: resolution.code,
-                      message: resolution.message,
-                    },
-                    "browser-relay: host_browser_session_invalidated frame rejected",
-                  );
-                }
-                return;
-              }
-              case "keepalive": {
-                // Extension keepalive frames refresh the connection's
-                // activity timestamp without producing log noise or
-                // altering routing semantics. Unknown extra keys on
-                // the frame are silently ignored (lenient validation).
-                getChromeExtensionRegistry().touch(data.connectionId);
-                return;
-              }
-              default: {
-                log.debug(
-                  { connectionId: data.connectionId, type: frame.type },
-                  "browser-relay: dropped unsupported inbound frame type",
-                );
-                return;
-              }
-            }
-          }
           if ("wsType" in data && data.wsType === "media-stream") {
             const msData = data as MediaStreamWebSocketData;
             msData.session?.handleMessage(raw);
@@ -564,15 +359,6 @@ export class RuntimeHttpServer {
         },
         close: (ws, code, reason) => {
           const data = ws.data as AllWebSocketData;
-          if ("wsType" in data && data.wsType === "browser-relay") {
-            // Always attempt to unregister — the registry uses connectionId
-            // as the key and no-ops if the entry is absent (e.g. when the
-            // connection was never registered because guardianId was
-            // undefined, or when it was superseded by a newer registration
-            // for the same guardian).
-            getChromeExtensionRegistry().unregister(data.connectionId);
-            return;
-          }
           if ("wsType" in data && data.wsType === "media-stream") {
             const msData = data as MediaStreamWebSocketData;
             log.info(
@@ -661,14 +447,16 @@ export class RuntimeHttpServer {
       );
     }
 
-    if (hasUngatedHttpAuthDisabled()) {
-      log.warn(
-        "DISABLE_HTTP_AUTH is set but VELLUM_UNSAFE_AUTH_BYPASS=1 is not — auth bypass is IGNORED and HTTP authentication remains enabled. Set VELLUM_UNSAFE_AUTH_BYPASS=1 to confirm the bypass.",
-      );
-    } else if (isHttpAuthDisabled()) {
-      log.warn(
-        "DISABLE_HTTP_AUTH is set — HTTP API authentication is DISABLED. All API endpoints are accessible without a bearer token. Do not use in production.",
-      );
+    if (isHttpAuthDisabled()) {
+      if (getIsPlatform()) {
+        log.info(
+          "DISABLE_HTTP_AUTH is set — HTTP auth disabled (expected: platform handles auth)",
+        );
+      } else {
+        log.warn(
+          "DISABLE_HTTP_AUTH is set — HTTP API authentication is DISABLED. All API endpoints are accessible without a bearer token.",
+        );
+      }
     }
 
     log.info(
@@ -769,13 +557,6 @@ export class RuntimeHttpServer {
       return handleReadyz();
     }
 
-    // WebSocket upgrade for the Chrome extension browser relay.
-    if (
-      path === "/v1/browser-relay" &&
-      req.headers.get("upgrade")?.toLowerCase() === "websocket"
-    ) {
-      return this.handleBrowserRelayUpgrade(req, server);
-    }
 
     // WebSocket upgrade for ConversationRelay — before auth check because
     // Twilio WebSocket connections don't use bearer tokens.
@@ -864,19 +645,7 @@ export class RuntimeHttpServer {
 
     // JWT bearer authentication — replaces the old shared-secret comparison.
     // authenticateRequest handles dev bypass (DISABLE_HTTP_AUTH) internally.
-    //
-    // Special-case: /v1/host-browser-result POST accepts either a
-    // daemon-minted JWT (legacy/cloud) or a host_browser capability
-    // token (self-hosted chrome extension). The chrome extension's
-    // HTTP fallback (`postHostBrowserResult`) hands over the same
-    // capability token it presented to `/v1/browser-relay`, so the
-    // POST route must understand both auth shapes. Every other route
-    // keeps the JWT-only flow via `authenticateRequest`.
-    const normalizedPath = path.endsWith("/") ? path.slice(0, -1) : path;
-    const authResult =
-      normalizedPath === "/v1/host-browser-result" && req.method === "POST"
-        ? await authenticateHostBrowserResultRequest(req)
-        : authenticateRequest(req);
+    const authResult = authenticateRequest(req);
     if (!authResult.ok) {
       return authResult.response;
     }
@@ -958,144 +727,6 @@ export class RuntimeHttpServer {
     return routerResponse ?? httpError("NOT_FOUND", "Not found", 404);
   }
 
-  private async handleBrowserRelayUpgrade(
-    req: Request,
-    server: ReturnType<typeof Bun.serve>,
-  ): Promise<Response> {
-    if (
-      !isLoopbackHost(new URL(req.url).hostname) &&
-      !isPrivateNetworkPeer(server, req)
-    ) {
-      return httpError(
-        "FORBIDDEN",
-        "Browser relay only accepts connections from localhost",
-        403,
-      );
-    }
-
-    // When auth is enabled we accept two different kinds of token on the
-    // `/v1/browser-relay` handshake:
-    //
-    //   1. **Capability token** — a signed `host_browser_command`
-    //      capability minted by the gateway and handed to the chrome
-    //      extension by the native-messaging pair flow
-    //      (`/v1/browser-extension-pair`). This is the preferred,
-    //      self-hosted default: the extension never has to touch a
-    //      gateway JWT.
-    //   2. **JWT** (audience `vellum-daemon`) — the legacy path used by
-    //      the gateway-proxied cloud flow and by any compatibility
-    //      callers that still hold a daemon-bound JWT. In that case we
-    //      parse the JWT `sub` to extract the actor principal id and
-    //      fall back to the explicit `x-guardian-id` / `guardianId`
-    //      query param for service-token paths (see below).
-    //
-    // When auth is disabled (dev bypass), guardianId remains undefined
-    // and the registration is skipped — host_browser_request routing
-    // requires an authenticated guardian.
-    //
-    // Gateway path: when the WebSocket upgrade is proxied through the
-    // gateway, the upstream token minted by `mintServiceToken()` has
-    // `sub=svc:gateway:self` with no actor principal id. The gateway
-    // parses the downstream edge token's `actorPrincipalId` and forwards
-    // it as an explicit `guardianId` query parameter (and/or header) so
-    // we can register the connection under the real guardian. Missing
-    // guardian context on this path is rejected (fail closed).
-    // Read the client-supplied stable instance id off the handshake.
-    // The extension generates this on first run and persists it in
-    // chrome.storage so it survives service-worker restarts and
-    // browser restarts. The header form is preferred so gateway
-    // forwarding and proxy logs don't surface instance ids in the
-    // URL, but we also accept a query param for fetch-based clients
-    // that can't mutate headers. An empty string is treated as absent
-    // so sparse clients don't end up all sharing the same legacy key.
-    const rawInstanceHeader = req.headers.get("x-client-instance-id")?.trim();
-    const rawInstanceQuery = new URL(req.url).searchParams
-      .get("clientInstanceId")
-      ?.trim();
-    const clientInstanceId =
-      (rawInstanceHeader ?? "") || (rawInstanceQuery ?? "") || undefined;
-
-    let guardianId: string | undefined;
-    if (!isHttpAuthDisabled()) {
-      const wsUrl = new URL(req.url);
-      const token = wsUrl.searchParams.get("token");
-      if (!token) {
-        return httpError("UNAUTHORIZED", "Unauthorized", 401);
-      }
-      // 1) Capability-token path (self-hosted default). The chrome
-      //    extension presents the token it received from the native
-      //    messaging pair flow. We derive `guardianId` from the
-      //    capability claims directly — the claims are HMAC-signed by
-      //    the same daemon so there is no cross-tenant risk.
-      const capabilityClaims = await verifyHostBrowserCapability(token);
-      if (capabilityClaims) {
-        guardianId = capabilityClaims.guardianId;
-      } else {
-        // 2) JWT compatibility path (gateway / legacy). Fall back to the
-        //    existing verifyToken+parseSub flow so cloud callers and any
-        //    old self-hosted clients still holding a daemon JWT
-        //    continue to work during the cutover.
-        const jwtResult = verifyToken(token, "vellum-daemon");
-        if (!jwtResult.ok) {
-          return httpError("UNAUTHORIZED", "Unauthorized", 401);
-        }
-        const subResult = parseSub(jwtResult.claims.sub);
-        if (subResult.ok && subResult.actorPrincipalId) {
-          // Direct actor principal — this is the loopback / desktop path.
-          guardianId = subResult.actorPrincipalId;
-        } else {
-          // Service-token path (gateway-forwarded). The gateway must plumb
-          // the resolved actor principal as an explicit `x-guardian-id`
-          // header or `guardianId` query param. Header takes precedence
-          // because headers are easier for the gateway to forward without
-          // rewriting the URL.
-          const headerGuardianId =
-            req.headers.get("x-guardian-id")?.trim() ?? "";
-          const queryGuardianId =
-            wsUrl.searchParams.get("guardianId")?.trim() ?? "";
-          const fallbackGuardianId = headerGuardianId || queryGuardianId;
-          if (fallbackGuardianId) {
-            guardianId = fallbackGuardianId;
-          } else {
-            // Fail closed: a service-token relay upgrade without a
-            // guardian context cannot be routed safely. Allowing the
-            // upgrade to proceed creates an unscoped socket that never
-            // registers in the ChromeExtensionRegistry.
-            log.warn(
-              {
-                principalType: subResult.ok
-                  ? subResult.principalType
-                  : "unknown",
-                sub: jwtResult.claims.sub,
-              },
-              "Browser relay upgrade denied: missing guardian context on service-token path",
-            );
-            return httpError(
-              "UNAUTHORIZED",
-              "Browser relay requires guardian context",
-              401,
-            );
-          }
-        }
-      }
-    }
-
-    const connectionId = crypto.randomUUID();
-    const upgraded = server.upgrade(req, {
-      data: {
-        wsType: "browser-relay",
-        connectionId,
-        guardianId,
-        clientInstanceId,
-      } satisfies BrowserRelayWebSocketData,
-    });
-    if (!upgraded) {
-      return new Response("WebSocket upgrade failed", { status: 500 });
-    }
-    // Bun's WebSocket upgrade consumes the request — no Response is sent.
-    return undefined!;
-  }
-
   private verifyGatewayServiceToken(req: Request): Response | null {
     if (isHttpAuthDisabled()) return null;
 
@@ -1446,21 +1077,4 @@ export class RuntimeHttpServer {
 
     return null;
   }
-
-  // ---------------------------------------------------------------------------
-  // Declarative route table
-  // ---------------------------------------------------------------------------
-
-  /**
-   * Build the full set of route definitions. Routes are matched in order,
-   * so more specific patterns (e.g. `calls/:id/cancel`) must precede
-   * more general ones (e.g. `calls/:id`).
-   *
-   * Each domain's routes are defined in their own module under
-   * `./routes/` and composed here via spread. The composition order
-   * preserves the original top-to-bottom matching semantics.
-   */
-  private buildRouteTable(): HTTPRouteDefinition[] {
-    return [...routeDefinitionsToHTTPRoutes(ROUTES)];
-  }
 }

package/src/runtime/http-types.ts

@@ -21,13 +21,8 @@ import type {
 
 export type {
   ApprovalCopyGenerator,
-  ApprovalMessageContext,
-  ApprovalMessageScenario,
   ComposeApprovalMessageGenerativeOptions,
-  ComposeGuardianActionMessageOptions,
   GuardianActionCopyGenerator,
-  GuardianActionMessageContext,
-  GuardianActionMessageScenario,
 } from "./message-composer-types.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 
@@ -118,6 +113,8 @@ export interface RuntimeMessageConversationOptions {
   isInteractive?: boolean;
   /** Channel command intent metadata (e.g. Telegram /start). */
   commandIntent?: { type: string; payload?: string; languageCode?: string };
+  /** Slack-only non-persisted notice injected into the active model turn. */
+  slackRuntimeContextNotice?: string;
   /** Optional callback to receive real-time agent loop events (text deltas, tool starts, etc.). */
   onEvent?: (msg: ServerMessage) => void;
   /**
@@ -206,6 +203,9 @@ export interface RuntimeMessagePayload {
     riskLevel?: string;
     riskReason?: string;
     autoApproved?: boolean;
+    approvalMode?: string;
+    approvalReason?: string;
+    riskThreshold?: string;
   }>;
   interfaces?: string[];
   surfaces?: Array<{

package/src/runtime/interactive-ui.ts

@@ -46,7 +46,6 @@ export type {
   InteractiveUiRequest,
   InteractiveUiResult,
 } from "./interactive-ui-types.js";
-export { RESERVED_ACTION_IDS } from "./interactive-ui-types.js";
 
 const log = getLogger("interactive-ui");
 

package/src/runtime/middleware/auth.ts

@@ -12,26 +12,6 @@ export function isLoopbackHost(hostname: string): boolean {
   );
 }
 
-/**
- * Stricter loopback-only check: accepts only 127.0.0.0/8, ::1, and their
- * IPv4-mapped IPv6 forms (::ffff:127.x.x.x). Use this instead of
- * isPrivateAddress for endpoints that must be restricted to the local
- * machine in non-containerized deployments.
- */
-export function isLoopbackAddress(addr: string): boolean {
-  const v4Mapped = addr.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
-  const normalized = v4Mapped ? v4Mapped[1] : addr;
-
-  if (normalized.includes(".")) {
-    const parts = normalized.split(".").map(Number);
-    if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255))
-      return false;
-    return parts[0] === 127;
-  }
-
-  return normalized.toLowerCase() === "::1";
-}
-
 /**
  * @internal Exported for testing.
  *