@vellumai/assistant 0.7.1 → 0.7.3

package/src/runtime/channel-retry-sweep.ts

@@ -7,9 +7,11 @@ import {
   parseChannelId,
   parseInterfaceId,
 } from "../channels/types.js";
+import { getDiskPressureStatus } from "../daemon/disk-pressure-guard.js";
+import { classifyDiskPressureTurnPolicy } from "../daemon/disk-pressure-policy.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 import { updateDeliveredSegmentCount } from "../memory/delivery-channels.js";
-import { linkMessage } from "../memory/delivery-crud.js";
+import { clearPayload, linkMessage } from "../memory/delivery-crud.js";
 import {
   getRetryableEvents,
   markProcessed,
@@ -18,10 +20,13 @@ import {
 } from "../memory/delivery-status.js";
 import { getLogger } from "../util/logger.js";
 import { deliverReplyViaCallback } from "./channel-reply-delivery.js";
+import { deliverChannelReply } from "./gateway-client.js";
 import type { MessageProcessor } from "./http-types.js";
 import { resolveRoutingStateFromRuntime } from "./trust-context-resolver.js";
 
 const log = getLogger("runtime-http");
+const DISK_PRESSURE_REMOTE_BLOCK_REPLY =
+  "Storage is critically low, so remote messages are ignored until the guardian frees enough space. Please try again later.";
 
 function parseTrustRuntimeContext(value: unknown): TrustContext | undefined {
   if (!value || typeof value !== "object") return undefined;
@@ -163,6 +168,65 @@ export async function sweepFailedEvents(
       trustClass: "unknown",
     };
 
+    const diskPressureDecision = classifyDiskPressureTurnPolicy(
+      getDiskPressureStatus(),
+      {
+        sourceChannel,
+        sourceInterface,
+        trustContext: {
+          sourceChannel: trustContext.sourceChannel,
+          trustClass: trustContext.trustClass,
+        },
+      },
+    );
+    if (diskPressureDecision.action === "block") {
+      clearPayload(event.id);
+      markProcessed(event.id);
+      log.info(
+        {
+          eventId: event.id,
+          conversationId: event.conversationId,
+          reason: diskPressureDecision.reason,
+          trustClass: trustContext.trustClass,
+        },
+        "Skipped channel retry during disk pressure cleanup mode",
+      );
+
+      const replyCallbackUrl =
+        typeof payload.replyCallbackUrl === "string"
+          ? payload.replyCallbackUrl
+          : undefined;
+      const externalChatId =
+        typeof payload.externalChatId === "string"
+          ? payload.externalChatId
+          : undefined;
+      if (replyCallbackUrl && externalChatId) {
+        const requesterExternalUserId =
+          trustContext.requesterExternalUserId ??
+          (typeof payload.senderExternalUserId === "string"
+            ? payload.senderExternalUserId
+            : undefined);
+        const replyPayload: Parameters<typeof deliverChannelReply>[1] = {
+          chatId: externalChatId,
+          text: DISK_PRESSURE_REMOTE_BLOCK_REPLY,
+          assistantId,
+        };
+        if (sourceChannel === "slack" && requesterExternalUserId) {
+          replyPayload.ephemeral = true;
+          replyPayload.user = requesterExternalUserId;
+        }
+        try {
+          await deliverChannelReply(replyCallbackUrl, replyPayload);
+        } catch (err) {
+          log.warn(
+            { err, eventId: event.id, conversationId: event.conversationId },
+            "Failed to deliver disk pressure retry block reply",
+          );
+        }
+      }
+      continue;
+    }
+
     const metadataHintsRaw = sourceMetadata?.hints;
     const metadataHints = Array.isArray(metadataHintsRaw)
       ? metadataHintsRaw.filter(

package/src/runtime/guardian-reply-router.ts

@@ -99,6 +99,13 @@ export interface GuardianReplyResult {
   requestId?: string;
   /** Detailed result from the canonical decision primitive (when a decision was attempted). */
   canonicalResult?: CanonicalDecisionResult;
+  /** When a voice access request was approved, the contact that should be activated. */
+  activatedContact?: {
+    sourceChannel: string;
+    externalUserId: string;
+    externalChatId?: string;
+    displayName?: string;
+  };
   /**
    * When true, the caller should skip legacy approval interception for this
    * message. Set by the invite handoff bypass so that "open invite flow"
@@ -686,6 +693,9 @@ async function applyDecision(
       ...(canonicalResult.resolverReplyText
         ? { replyText: canonicalResult.resolverReplyText }
         : {}),
+      ...(canonicalResult.activatedContact
+        ? { activatedContact: canonicalResult.activatedContact }
+        : {}),
       requestId,
       canonicalResult,
     };

package/src/runtime/http-server.ts

@@ -45,18 +45,12 @@ import {
   SttStreamSession,
 } from "../stt/stt-stream-session.js";
 import { getLogger } from "../util/logger.js";
-// Auth
-import {
-  authenticateHostBrowserResultRequest,
-  authenticateRequest,
-} from "./auth/middleware.js";
+import { authenticateRequest } from "./auth/middleware.js";
 import { parseSub } from "./auth/subject.js";
 import { verifyToken } from "./auth/token-service.js";
-import { verifyHostBrowserCapability } from "./capability-tokens.js";
 import { sweepFailedEvents } from "./channel-retry-sweep.js";
 import { httpError, type HttpErrorCode } from "./http-errors.js";
 import { HttpRouter } from "./http-router.js";
-// Middleware
 import {
   extractBearerToken,
   isLoopbackHost,
@@ -91,29 +85,12 @@ import {
   stopGuardianExpirySweep,
 } from "./routes/channel-guardian-routes.js";
 import { RouteError } from "./routes/errors.js";
-import {
-  resolveHostBrowserEvent,
-  resolveHostBrowserResultByRequestId,
-  resolveHostBrowserSessionInvalidated,
-} from "./routes/host-browser-routes.js";
 import { handleHealth, handleReadyz } from "./routes/identity-routes.js";
 import { matchSkillRoute } from "./skill-route-registry.js";
 
 // Re-export for consumers
 export { isPrivateAddress } from "./middleware/auth.js";
 
-// Re-export shared types so existing consumers don't need to update imports
-export type {
-  ApprovalConversationGenerator,
-  ApprovalCopyGenerator,
-  GuardianActionCopyGenerator,
-  GuardianFollowUpConversationGenerator,
-  MessageProcessor,
-  RuntimeAttachmentMetadata,
-  RuntimeHttpServerOptions,
-  RuntimeMessageConversationOptions,
-} from "./http-types.js";
-
 import type {
   ApprovalConversationGenerator,
   ApprovalCopyGenerator,
@@ -130,38 +107,10 @@ const DEFAULT_HOSTNAME = "127.0.0.1";
 /** Global hard cap on request body size (512 MB — accommodates large .vbundle backup imports). */
 const MAX_REQUEST_BODY_BYTES = 512 * 1024 * 1024;
 
-/**
- * WebSocket data attached to `/v1/browser-relay` connections. The route
- * is used exclusively by the chrome-extension CDP proxy — outbound
- * `host_browser_request` frames are pushed through the assistant event
- * hub, and inbound `host_browser_result` frames are dispatched through
- * `resolveHostBrowserResultByRequestId`. The extension may also submit
- * results via `POST /v1/host-browser-result` (both transports resolve
- * through the same core function).
- */
-interface BrowserRelayWebSocketData {
-  wsType: "browser-relay";
-  connectionId: string;
-  /**
-   * Guardian identity derived from the JWT claims at WebSocket upgrade
-   * time. Undefined when HTTP auth is disabled (dev bypass) or when the
-   * token's sub cannot be parsed into an actor principal.
-   */
-  guardianId?: string;
-  /**
-   * Stable per-extension-install identifier supplied by the client on
-   * the WebSocket handshake (via the `clientInstanceId` query param or
-   * the `x-client-instance-id` header). Allows multiple parallel installs
-   * for the same guardian (e.g. two Chrome profiles, two desktops) to
-   * coexist. Undefined on older extension builds.
-   */
-  clientInstanceId?: string;
-}
-
 /**
  * WebSocket data attached to `/v1/calls/media-stream` connections.
  * The `wsType` discriminator routes frames to the media-stream call
- * session instead of the ConversationRelay or browser-relay handlers.
+ * session instead of the ConversationRelay handlers.
  */
 interface MediaStreamWebSocketData {
   wsType: "media-stream";
@@ -241,7 +190,6 @@ export class RuntimeHttpServer {
   async start(): Promise<void> {
     type AllWebSocketData =
       | RelayWebSocketData
-      | BrowserRelayWebSocketData
       | MediaStreamWebSocketData
       | SttStreamWebSocketData
       | LiveVoiceWebSocketData;
@@ -362,125 +310,6 @@ export class RuntimeHttpServer {
             typeof message === "string"
               ? message
               : new TextDecoder().decode(message);
-          if ("wsType" in data && data.wsType === "browser-relay") {
-            // Inbound frames on `/v1/browser-relay` carry one of:
-            //   - `host_browser_result` — paired response to an outbound
-            //     `host_browser_request` (see PR2).
-            //   - `host_browser_event` — unsolicited CDP event forwarded
-            //     from the extension's `chrome.debugger.onEvent`
-            //     subscription (PR10).
-            //   - `host_browser_session_invalidated` — detach
-            //     notification forwarded from the extension's
-            //     `chrome.debugger.onDetach` subscription (PR10).
-            //
-            // Every supported frame type delegates into a shared
-            // resolver exported from `host-browser-routes.ts` so the
-            // validation and resolution semantics stay in lockstep
-            // with the HTTP path. Malformed or unsupported frames are
-            // logged at debug and swallowed — we never throw out of a
-            // WebSocket `message` handler because an uncaught
-            // exception would tear down the whole socket for an
-            // attacker-controlled payload.
-            let parsed: unknown;
-            try {
-              parsed = JSON.parse(raw);
-            } catch (err) {
-              log.debug(
-                {
-                  connectionId: data.connectionId,
-                  error: err instanceof Error ? err.message : String(err),
-                },
-                "browser-relay: dropped non-JSON inbound frame",
-              );
-              return;
-            }
-            if (!parsed || typeof parsed !== "object") {
-              log.debug(
-                { connectionId: data.connectionId },
-                "browser-relay: dropped non-object inbound frame",
-              );
-              return;
-            }
-            const frame = parsed as Record<string, unknown>;
-            switch (frame.type) {
-              case "host_browser_result": {
-                const resolution = resolveHostBrowserResultByRequestId({
-                  requestId: frame.requestId,
-                  content: frame.content,
-                  isError: frame.isError,
-                });
-                if (!resolution.ok) {
-                  log.warn(
-                    {
-                      connectionId: data.connectionId,
-                      requestId:
-                        typeof frame.requestId === "string"
-                          ? frame.requestId
-                          : undefined,
-                      code: resolution.code,
-                      message: resolution.message,
-                    },
-                    "browser-relay: host_browser_result frame rejected",
-                  );
-                }
-                return;
-              }
-              case "host_browser_event": {
-                const resolution = resolveHostBrowserEvent({
-                  method: frame.method,
-                  params: frame.params,
-                  cdpSessionId: frame.cdpSessionId,
-                });
-                if (!resolution.ok) {
-                  log.warn(
-                    {
-                      connectionId: data.connectionId,
-                      method:
-                        typeof frame.method === "string"
-                          ? frame.method
-                          : undefined,
-                      code: resolution.code,
-                      message: resolution.message,
-                    },
-                    "browser-relay: host_browser_event frame rejected",
-                  );
-                }
-                return;
-              }
-              case "host_browser_session_invalidated": {
-                const resolution = resolveHostBrowserSessionInvalidated({
-                  targetId: frame.targetId,
-                  reason: frame.reason,
-                });
-                if (!resolution.ok) {
-                  log.warn(
-                    {
-                      connectionId: data.connectionId,
-                      targetId:
-                        typeof frame.targetId === "string"
-                          ? frame.targetId
-                          : undefined,
-                      code: resolution.code,
-                      message: resolution.message,
-                    },
-                    "browser-relay: host_browser_session_invalidated frame rejected",
-                  );
-                }
-                return;
-              }
-              case "keepalive": {
-                // Extension keepalive — acknowledged, no action needed.
-                return;
-              }
-              default: {
-                log.debug(
-                  { connectionId: data.connectionId, type: frame.type },
-                  "browser-relay: dropped unsupported inbound frame type",
-                );
-                return;
-              }
-            }
-          }
           if ("wsType" in data && data.wsType === "media-stream") {
             const msData = data as MediaStreamWebSocketData;
             msData.session?.handleMessage(raw);
@@ -728,13 +557,6 @@ export class RuntimeHttpServer {
       return handleReadyz();
     }
 
-    // WebSocket upgrade for the Chrome extension browser relay.
-    if (
-      path === "/v1/browser-relay" &&
-      req.headers.get("upgrade")?.toLowerCase() === "websocket"
-    ) {
-      return this.handleBrowserRelayUpgrade(req, server);
-    }
 
     // WebSocket upgrade for ConversationRelay — before auth check because
     // Twilio WebSocket connections don't use bearer tokens.
@@ -823,19 +645,7 @@ export class RuntimeHttpServer {
 
     // JWT bearer authentication — replaces the old shared-secret comparison.
     // authenticateRequest handles dev bypass (DISABLE_HTTP_AUTH) internally.
-    //
-    // Special-case: /v1/host-browser-result POST accepts either a
-    // daemon-minted JWT (legacy/cloud) or a host_browser capability
-    // token (self-hosted chrome extension). The chrome extension's
-    // HTTP fallback (`postHostBrowserResult`) hands over the same
-    // capability token it presented to `/v1/browser-relay`, so the
-    // POST route must understand both auth shapes. Every other route
-    // keeps the JWT-only flow via `authenticateRequest`.
-    const normalizedPath = path.endsWith("/") ? path.slice(0, -1) : path;
-    const authResult =
-      normalizedPath === "/v1/host-browser-result" && req.method === "POST"
-        ? await authenticateHostBrowserResultRequest(req)
-        : authenticateRequest(req);
+    const authResult = authenticateRequest(req);
     if (!authResult.ok) {
       return authResult.response;
     }
@@ -917,142 +727,6 @@ export class RuntimeHttpServer {
     return routerResponse ?? httpError("NOT_FOUND", "Not found", 404);
   }
 
-  private async handleBrowserRelayUpgrade(
-    req: Request,
-    server: ReturnType<typeof Bun.serve>,
-  ): Promise<Response> {
-    if (
-      !isLoopbackHost(new URL(req.url).hostname) &&
-      !isPrivateNetworkPeer(server, req)
-    ) {
-      return httpError(
-        "FORBIDDEN",
-        "Browser relay only accepts connections from localhost",
-        403,
-      );
-    }
-
-    // When auth is enabled we accept two different kinds of token on the
-    // `/v1/browser-relay` handshake:
-    //
-    //   1. **Capability token** — a signed `host_browser_command`
-    //      capability minted by the gateway and handed to the chrome
-    //      extension by the native-messaging pair flow
-    //      (`/v1/browser-extension-pair`). This is the preferred,
-    //      self-hosted default: the extension never has to touch a
-    //      gateway JWT.
-    //   2. **JWT** (audience `vellum-daemon`) — the legacy path used by
-    //      the gateway-proxied cloud flow and by any compatibility
-    //      callers that still hold a daemon-bound JWT. In that case we
-    //      parse the JWT `sub` to extract the actor principal id and
-    //      fall back to the explicit `x-guardian-id` / `guardianId`
-    //      query param for service-token paths (see below).
-    //
-    // When auth is disabled (dev bypass), guardianId remains undefined
-    // and the registration is skipped — host_browser_request routing
-    // requires an authenticated guardian.
-    //
-    // Gateway path: when the WebSocket upgrade is proxied through the
-    // gateway, the upstream token minted by `mintServiceToken()` has
-    // `sub=svc:gateway:self` with no actor principal id. The gateway
-    // parses the downstream edge token's `actorPrincipalId` and forwards
-    // it as an explicit `guardianId` query parameter (and/or header) so
-    // we can register the connection under the real guardian. Missing
-    // guardian context on this path is rejected (fail closed).
-    // Read the client-supplied stable instance id off the handshake.
-    // The extension generates this on first run and persists it in
-    // chrome.storage so it survives service-worker restarts and
-    // browser restarts. The header form is preferred so gateway
-    // forwarding and proxy logs don't surface instance ids in the
-    // URL, but we also accept a query param for fetch-based clients
-    // that can't mutate headers. An empty string is treated as absent
-    // so sparse clients don't end up all sharing the same legacy key.
-    const rawInstanceHeader = req.headers.get("x-client-instance-id")?.trim();
-    const rawInstanceQuery = new URL(req.url).searchParams
-      .get("clientInstanceId")
-      ?.trim();
-    const clientInstanceId =
-      (rawInstanceHeader ?? "") || (rawInstanceQuery ?? "") || undefined;
-
-    let guardianId: string | undefined;
-    if (!isHttpAuthDisabled()) {
-      const wsUrl = new URL(req.url);
-      const token = wsUrl.searchParams.get("token");
-      if (!token) {
-        return httpError("UNAUTHORIZED", "Unauthorized", 401);
-      }
-      // 1) Capability-token path (self-hosted default). The chrome
-      //    extension presents the token it received from the native
-      //    messaging pair flow. We derive `guardianId` from the
-      //    capability claims directly — the claims are HMAC-signed by
-      //    the same daemon so there is no cross-tenant risk.
-      const capabilityClaims = await verifyHostBrowserCapability(token);
-      if (capabilityClaims) {
-        guardianId = capabilityClaims.guardianId;
-      } else {
-        // 2) JWT compatibility path (gateway / legacy). Fall back to the
-        //    existing verifyToken+parseSub flow so cloud callers and any
-        //    old self-hosted clients still holding a daemon JWT
-        //    continue to work during the cutover.
-        const jwtResult = verifyToken(token, "vellum-daemon");
-        if (!jwtResult.ok) {
-          return httpError("UNAUTHORIZED", "Unauthorized", 401);
-        }
-        const subResult = parseSub(jwtResult.claims.sub);
-        if (subResult.ok && subResult.actorPrincipalId) {
-          // Direct actor principal — this is the loopback / desktop path.
-          guardianId = subResult.actorPrincipalId;
-        } else {
-          // Service-token path (gateway-forwarded). The gateway must plumb
-          // the resolved actor principal as an explicit `x-guardian-id`
-          // header or `guardianId` query param. Header takes precedence
-          // because headers are easier for the gateway to forward without
-          // rewriting the URL.
-          const headerGuardianId =
-            req.headers.get("x-guardian-id")?.trim() ?? "";
-          const queryGuardianId =
-            wsUrl.searchParams.get("guardianId")?.trim() ?? "";
-          const fallbackGuardianId = headerGuardianId || queryGuardianId;
-          if (fallbackGuardianId) {
-            guardianId = fallbackGuardianId;
-          } else {
-            // Fail closed: a service-token relay upgrade without a
-            // guardian context cannot be routed safely.
-            log.warn(
-              {
-                principalType: subResult.ok
-                  ? subResult.principalType
-                  : "unknown",
-                sub: jwtResult.claims.sub,
-              },
-              "Browser relay upgrade denied: missing guardian context on service-token path",
-            );
-            return httpError(
-              "UNAUTHORIZED",
-              "Browser relay requires guardian context",
-              401,
-            );
-          }
-        }
-      }
-    }
-
-    const connectionId = crypto.randomUUID();
-    const upgraded = server.upgrade(req, {
-      data: {
-        wsType: "browser-relay",
-        connectionId,
-        guardianId,
-        clientInstanceId,
-      } satisfies BrowserRelayWebSocketData,
-    });
-    if (!upgraded) {
-      return new Response("WebSocket upgrade failed", { status: 500 });
-    }
-    // Bun's WebSocket upgrade consumes the request — no Response is sent.
-    return undefined!;
-  }
-
   private verifyGatewayServiceToken(req: Request): Response | null {
     if (isHttpAuthDisabled()) return null;
 

package/src/runtime/http-types.ts

@@ -21,13 +21,8 @@ import type {
 
 export type {
   ApprovalCopyGenerator,
-  ApprovalMessageContext,
-  ApprovalMessageScenario,
   ComposeApprovalMessageGenerativeOptions,
-  ComposeGuardianActionMessageOptions,
   GuardianActionCopyGenerator,
-  GuardianActionMessageContext,
-  GuardianActionMessageScenario,
 } from "./message-composer-types.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 

package/src/runtime/local-actor-identity.ts

@@ -12,6 +12,7 @@
  */
 
 import type { ChannelId } from "../channels/types.js";
+import { isHttpAuthDisabled } from "../config/env.js";
 import { findGuardianForChannel } from "../contacts/contact-store.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 import { getLogger } from "../util/logger.js";
@@ -43,6 +44,52 @@ export function buildLocalAuthContext(conversationId: string): AuthContext {
   };
 }
 
+/**
+ * Look up the local vellum guardian's principalId from the contacts table.
+ *
+ * Returns `undefined` when no vellum guardian binding exists (e.g. fresh
+ * install before bootstrap). Callers should treat that case as
+ * "not yet available" and either fall back or proceed without a principalId.
+ */
+export function findLocalGuardianPrincipalId(): string | undefined {
+  return findGuardianForChannel("vellum")?.contact.principalId ?? undefined;
+}
+
+/**
+ * Translate the synthetic dev-bypass actor principal to the real local
+ * guardian's principalId when running in `DISABLE_HTTP_AUTH=true` mode.
+ *
+ * The dev-bypass `AuthContext` (`runtime/auth/middleware.ts`) injects
+ * `"dev-bypass"` as the actor principal id for every request, but tool-side
+ * trust resolution (`resolveLocalTrustContext`) and SSE registration both
+ * carry the real local guardian principalId. Without this translation, every
+ * targeted host_bash/host_file/host_cu/host_transfer result POST mismatches
+ * the same-user check and is rejected with 403, and conversation/surface/
+ * guardian-action routes resolve trust against the wrong principal.
+ *
+ * Returns the input unchanged when:
+ *   - HTTP auth is enabled (production / non-dev-bypass deployments), OR
+ *   - the input is not literally `"dev-bypass"` (e.g. service tokens).
+ *
+ * Returns the local guardian principalId when both gates are true. Returns
+ * `undefined` when dev-bypass is set but no guardian binding has been created
+ * yet (e.g. fresh install before bootstrap); callers must treat this the
+ * same as a missing principal.
+ */
+export function resolveActorPrincipalIdForLocalGuardian(
+  rawHeader: string | undefined,
+): string | undefined {
+  if (rawHeader !== "dev-bypass" || !isHttpAuthDisabled()) return rawHeader;
+
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  if (guardianPrincipalId) return guardianPrincipalId;
+
+  log.warn(
+    "dev-bypass actor principal received but no vellum guardian binding found; returning undefined",
+  );
+  return undefined;
+}
+
 /**
  * Resolve the guardian runtime context for a local connection.
  *
@@ -60,10 +107,8 @@ export function resolveLocalTrustContext(
 ): TrustContext {
   const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
 
-  // Try contacts-first for the vellum guardian channel
-  const guardianResult = findGuardianForChannel("vellum");
-  if (guardianResult && guardianResult.contact.principalId) {
-    const guardianPrincipalId = guardianResult.contact.principalId;
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  if (guardianPrincipalId) {
     const trustCtx = resolveTrustContext({
       assistantId,
       sourceChannel: "vellum",
@@ -97,13 +142,9 @@ export function resolveLocalTrustContext(
 export function resolveLocalAuthContext(conversationId: string): AuthContext {
   const authContext = buildLocalAuthContext(conversationId);
 
-  // Enrich with the guardian principal ID from contacts-first path
-  const guardianResult = findGuardianForChannel("vellum");
-  if (guardianResult && guardianResult.contact.principalId) {
-    return {
-      ...authContext,
-      actorPrincipalId: guardianResult.contact.principalId,
-    };
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  if (guardianPrincipalId) {
+    return { ...authContext, actorPrincipalId: guardianPrincipalId };
   }
 
   log.warn(