@vellumai/assistant 0.7.2 → 0.7.3

package/src/runtime/auth/same-actor.ts

@@ -0,0 +1,216 @@
+/**
+ * Same-actor (same-user) binding check used by host proxies and result
+ * routes.
+ *
+ * Verifies that the submitting (source) actor's principal id matches the
+ * actor principal id captured for the target client at SSE subscription
+ * time. This is the authoritative gate that prevents cross-user
+ * execution and cross-user result submission across all three host-proxy
+ * capabilities (host_bash, host_file, host_cu).
+ *
+ * Two entry points map onto the two control-flow styles in the codebase:
+ *   - {@link enforceSameActorOrErrorResult} for proxies — returns a
+ *     tool-execution error result on rejection, `null` on success.
+ *   - {@link enforceSameActorOrThrow} for HTTP/IPC route handlers —
+ *     throws {@link ForbiddenError} on rejection so the route adapter
+ *     maps it to HTTP 403.
+ *
+ * Both paths log a single structured warn line on rejection with the
+ * shape `{ sourceActorPrincipalId, targetClientId, targetActorPrincipalId,
+ * op, reason }` so that bash, file, and CU rejections render identically
+ * in the audit log.
+ */
+import type { HostProxyCapability } from "../../channels/types.js";
+import { getLogger } from "../../util/logger.js";
+import type { AssistantEventHub } from "../assistant-event-hub.js";
+import { ForbiddenError } from "../routes/errors.js";
+
+const log = getLogger("same-actor");
+
+/**
+ * Canonical user-facing rejection message. Used by both the proxy and
+ * route paths so operators and auditors see identical wording regardless
+ * of whether the failure surfaced as a tool-execution result or an HTTP
+ * 403.
+ */
+const REJECTION_MESSAGE =
+  "Submitting actor does not match the target client's actor for this request. The targeted client's authenticated user must submit the result.";
+
+/** OpenAPI 403 description for `*-result` endpoints, kept identical. */
+export const SAME_ACTOR_FORBIDDEN_DESCRIPTION =
+  "Submitting client does not match the targeted client, or the submitting actor's principal does not match the target client's actor.";
+
+/** Per-capability scope for the structured warn log entry. */
+export type SameActorOp =
+  | "host_bash"
+  | "host_file"
+  | "host_cu"
+  | "host_transfer";
+
+/**
+ * Args for the live-lookup variant: caller supplies the hub + target client
+ * id, and the helper looks up the target's actor principal in real time.
+ * Used at proxy request time (registration), where the SSE subscription is
+ * present by definition.
+ */
+export interface SameActorLiveArgs {
+  hub: Pick<AssistantEventHub, "getActorPrincipalIdForClient">;
+  sourceActorPrincipalId: string | undefined;
+  targetClientId: string;
+  op: SameActorOp;
+}
+
+/**
+ * Args for the persisted-value variant: caller supplies a target actor
+ * principal id captured at registration time. Used at result-submission
+ * time, where the SSE subscription may have briefly disconnected and the
+ * live hub lookup would falsely 403 a legitimate result.
+ */
+export interface SameActorPersistedArgs {
+  sourceActorPrincipalId: string | undefined;
+  targetActorPrincipalId: string | undefined;
+  targetClientId: string;
+  op: SameActorOp;
+}
+
+export type SameActorArgs = SameActorLiveArgs;
+
+type RejectionReason = "missing_source" | "missing_target" | "mismatch";
+
+function isLive(
+  args: SameActorLiveArgs | SameActorPersistedArgs,
+): args is SameActorLiveArgs {
+  return (args as SameActorLiveArgs).hub != null;
+}
+
+/**
+ * Internal: returns the rejection reason or `undefined` when the source
+ * matches the target. Always logs on rejection so all callers share the
+ * same audit shape.
+ */
+function detectRejection(
+  args: SameActorLiveArgs | SameActorPersistedArgs,
+): RejectionReason | undefined {
+  const { sourceActorPrincipalId, targetClientId, op } = args;
+  const targetActorPrincipalId = isLive(args)
+    ? args.hub.getActorPrincipalIdForClient(targetClientId)
+    : args.targetActorPrincipalId;
+
+  let reason: RejectionReason | undefined;
+  if (sourceActorPrincipalId == null) {
+    reason = "missing_source";
+  } else if (targetActorPrincipalId == null) {
+    reason = "missing_target";
+  } else if (sourceActorPrincipalId !== targetActorPrincipalId) {
+    reason = "mismatch";
+  }
+  if (reason == null) return undefined;
+
+  log.warn(
+    {
+      sourceActorPrincipalId,
+      targetClientId,
+      targetActorPrincipalId,
+      op,
+      reason,
+    },
+    "Rejecting cross-user host proxy request",
+  );
+  return reason;
+}
+
+/**
+ * Route-flavored variant: throws {@link ForbiddenError} on rejection so
+ * the existing route adapter maps it to HTTP 403. Returns void on
+ * success.
+ *
+ * Accepts EITHER {@link SameActorLiveArgs} (live hub lookup, used at
+ * proxy registration time) OR {@link SameActorPersistedArgs} (compare
+ * against a value captured earlier, used at result-submission time so a
+ * brief SSE reconnect doesn't 403 a legitimate result).
+ */
+export function enforceSameActorOrThrow(
+  args: SameActorLiveArgs | SameActorPersistedArgs,
+): void {
+  if (detectRejection(args) != null) {
+    throw new ForbiddenError(REJECTION_MESSAGE);
+  }
+}
+
+/**
+ * Proxy-flavored variant: returns a tool-execution-shaped error result
+ * on rejection (so the proxy can pass it directly back to the agent),
+ * or `null` on success. Always uses the live hub lookup — proxy
+ * registration runs while the target SSE subscription is active.
+ */
+export function enforceSameActorOrErrorResult(
+  args: SameActorLiveArgs,
+): { content: string; isError: true } | null {
+  if (detectRejection(args) == null) return null;
+  return { content: REJECTION_MESSAGE, isError: true };
+}
+
+/**
+ * Result of attempting to auto-resolve a single same-user target client.
+ *
+ * - `match`: exactly one same-user client supports the capability. Use the
+ *   returned clientId.
+ * - `none`: no same-user client supports the capability. Caller's choice
+ *   how to handle (typically: fall through to no-target, which broadcasts
+ *   to nobody when no clients are connected).
+ * - `ambiguous`: more than one same-user client supports the capability.
+ *   Caller MUST refuse to silently broadcast across them; instead surface
+ *   an error asking the caller to specify `target_client_id`.
+ */
+export type AutoResolveResult =
+  | { kind: "match"; clientId: string }
+  | { kind: "none" }
+  | { kind: "ambiguous" };
+
+/**
+ * Filter capable clients by `actorPrincipalId === sourcePrincipalId` and
+ * report whether exactly one matched, zero matched, or more than one
+ * matched.
+ *
+ * Used by host proxies to auto-resolve a target client when the caller
+ * did not specify one. Skipping when the caller has no principal keeps
+ * the same-user binding closed: an unauthenticated caller cannot
+ * piggyback on a connected user's session.
+ *
+ * Why three outcomes (vs. just `string | undefined`)? Earlier revisions
+ * collapsed `none` and `ambiguous` into `undefined`, which caused the
+ * proxy to fall through to an untargeted broadcast — fanning a single
+ * targeted-style request out across every same-user machine. Surfacing
+ * `ambiguous` separately lets the proxy reject with a clear "specify
+ * target_client_id" error instead.
+ */
+export function pickSameUserAutoResolve(args: {
+  hub: Pick<AssistantEventHub, "listClientsByCapability">;
+  capability: HostProxyCapability;
+  sourceActorPrincipalId: string | undefined;
+}): AutoResolveResult {
+  const { hub, capability, sourceActorPrincipalId } = args;
+  if (sourceActorPrincipalId == null) return { kind: "none" };
+  const sameUser = hub
+    .listClientsByCapability(capability)
+    .filter((c) => c.actorPrincipalId === sourceActorPrincipalId);
+  if (sameUser.length === 0) return { kind: "none" };
+  if (sameUser.length === 1) {
+    return { kind: "match", clientId: sameUser[0].clientId };
+  }
+  return { kind: "ambiguous" };
+}
+
+/**
+ * Standard error result for proxies when {@link pickSameUserAutoResolve}
+ * returns `ambiguous`. Asks the caller to specify `target_client_id`.
+ */
+export function ambiguousSameUserError(capability: HostProxyCapability): {
+  content: string;
+  isError: true;
+} {
+  return {
+    content: `Multiple ${capability} clients are connected for this user. Specify target_client_id to disambiguate. Run \`assistant clients list --capability ${capability}\` to see client IDs.`,
+    isError: true,
+  };
+}

package/src/runtime/channel-retry-sweep.ts

@@ -7,9 +7,11 @@ import {
   parseChannelId,
   parseInterfaceId,
 } from "../channels/types.js";
+import { getDiskPressureStatus } from "../daemon/disk-pressure-guard.js";
+import { classifyDiskPressureTurnPolicy } from "../daemon/disk-pressure-policy.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 import { updateDeliveredSegmentCount } from "../memory/delivery-channels.js";
-import { linkMessage } from "../memory/delivery-crud.js";
+import { clearPayload, linkMessage } from "../memory/delivery-crud.js";
 import {
   getRetryableEvents,
   markProcessed,
@@ -18,10 +20,13 @@ import {
 } from "../memory/delivery-status.js";
 import { getLogger } from "../util/logger.js";
 import { deliverReplyViaCallback } from "./channel-reply-delivery.js";
+import { deliverChannelReply } from "./gateway-client.js";
 import type { MessageProcessor } from "./http-types.js";
 import { resolveRoutingStateFromRuntime } from "./trust-context-resolver.js";
 
 const log = getLogger("runtime-http");
+const DISK_PRESSURE_REMOTE_BLOCK_REPLY =
+  "Storage is critically low, so remote messages are ignored until the guardian frees enough space. Please try again later.";
 
 function parseTrustRuntimeContext(value: unknown): TrustContext | undefined {
   if (!value || typeof value !== "object") return undefined;
@@ -163,6 +168,65 @@ export async function sweepFailedEvents(
       trustClass: "unknown",
     };
 
+    const diskPressureDecision = classifyDiskPressureTurnPolicy(
+      getDiskPressureStatus(),
+      {
+        sourceChannel,
+        sourceInterface,
+        trustContext: {
+          sourceChannel: trustContext.sourceChannel,
+          trustClass: trustContext.trustClass,
+        },
+      },
+    );
+    if (diskPressureDecision.action === "block") {
+      clearPayload(event.id);
+      markProcessed(event.id);
+      log.info(
+        {
+          eventId: event.id,
+          conversationId: event.conversationId,
+          reason: diskPressureDecision.reason,
+          trustClass: trustContext.trustClass,
+        },
+        "Skipped channel retry during disk pressure cleanup mode",
+      );
+
+      const replyCallbackUrl =
+        typeof payload.replyCallbackUrl === "string"
+          ? payload.replyCallbackUrl
+          : undefined;
+      const externalChatId =
+        typeof payload.externalChatId === "string"
+          ? payload.externalChatId
+          : undefined;
+      if (replyCallbackUrl && externalChatId) {
+        const requesterExternalUserId =
+          trustContext.requesterExternalUserId ??
+          (typeof payload.senderExternalUserId === "string"
+            ? payload.senderExternalUserId
+            : undefined);
+        const replyPayload: Parameters<typeof deliverChannelReply>[1] = {
+          chatId: externalChatId,
+          text: DISK_PRESSURE_REMOTE_BLOCK_REPLY,
+          assistantId,
+        };
+        if (sourceChannel === "slack" && requesterExternalUserId) {
+          replyPayload.ephemeral = true;
+          replyPayload.user = requesterExternalUserId;
+        }
+        try {
+          await deliverChannelReply(replyCallbackUrl, replyPayload);
+        } catch (err) {
+          log.warn(
+            { err, eventId: event.id, conversationId: event.conversationId },
+            "Failed to deliver disk pressure retry block reply",
+          );
+        }
+      }
+      continue;
+    }
+
     const metadataHintsRaw = sourceMetadata?.hints;
     const metadataHints = Array.isArray(metadataHintsRaw)
       ? metadataHintsRaw.filter(

package/src/runtime/guardian-reply-router.ts

@@ -99,6 +99,13 @@ export interface GuardianReplyResult {
   requestId?: string;
   /** Detailed result from the canonical decision primitive (when a decision was attempted). */
   canonicalResult?: CanonicalDecisionResult;
+  /** When a voice access request was approved, the contact that should be activated. */
+  activatedContact?: {
+    sourceChannel: string;
+    externalUserId: string;
+    externalChatId?: string;
+    displayName?: string;
+  };
   /**
    * When true, the caller should skip legacy approval interception for this
    * message. Set by the invite handoff bypass so that "open invite flow"
@@ -686,6 +693,9 @@ async function applyDecision(
       ...(canonicalResult.resolverReplyText
         ? { replyText: canonicalResult.resolverReplyText }
         : {}),
+      ...(canonicalResult.activatedContact
+        ? { activatedContact: canonicalResult.activatedContact }
+        : {}),
       requestId,
       canonicalResult,
     };

package/src/runtime/local-actor-identity.ts

@@ -12,6 +12,7 @@
  */
 
 import type { ChannelId } from "../channels/types.js";
+import { isHttpAuthDisabled } from "../config/env.js";
 import { findGuardianForChannel } from "../contacts/contact-store.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 import { getLogger } from "../util/logger.js";
@@ -43,6 +44,52 @@ export function buildLocalAuthContext(conversationId: string): AuthContext {
   };
 }
 
+/**
+ * Look up the local vellum guardian's principalId from the contacts table.
+ *
+ * Returns `undefined` when no vellum guardian binding exists (e.g. fresh
+ * install before bootstrap). Callers should treat that case as
+ * "not yet available" and either fall back or proceed without a principalId.
+ */
+export function findLocalGuardianPrincipalId(): string | undefined {
+  return findGuardianForChannel("vellum")?.contact.principalId ?? undefined;
+}
+
+/**
+ * Translate the synthetic dev-bypass actor principal to the real local
+ * guardian's principalId when running in `DISABLE_HTTP_AUTH=true` mode.
+ *
+ * The dev-bypass `AuthContext` (`runtime/auth/middleware.ts`) injects
+ * `"dev-bypass"` as the actor principal id for every request, but tool-side
+ * trust resolution (`resolveLocalTrustContext`) and SSE registration both
+ * carry the real local guardian principalId. Without this translation, every
+ * targeted host_bash/host_file/host_cu/host_transfer result POST mismatches
+ * the same-user check and is rejected with 403, and conversation/surface/
+ * guardian-action routes resolve trust against the wrong principal.
+ *
+ * Returns the input unchanged when:
+ *   - HTTP auth is enabled (production / non-dev-bypass deployments), OR
+ *   - the input is not literally `"dev-bypass"` (e.g. service tokens).
+ *
+ * Returns the local guardian principalId when both gates are true. Returns
+ * `undefined` when dev-bypass is set but no guardian binding has been created
+ * yet (e.g. fresh install before bootstrap); callers must treat this the
+ * same as a missing principal.
+ */
+export function resolveActorPrincipalIdForLocalGuardian(
+  rawHeader: string | undefined,
+): string | undefined {
+  if (rawHeader !== "dev-bypass" || !isHttpAuthDisabled()) return rawHeader;
+
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  if (guardianPrincipalId) return guardianPrincipalId;
+
+  log.warn(
+    "dev-bypass actor principal received but no vellum guardian binding found; returning undefined",
+  );
+  return undefined;
+}
+
 /**
  * Resolve the guardian runtime context for a local connection.
  *
@@ -60,10 +107,8 @@ export function resolveLocalTrustContext(
 ): TrustContext {
   const assistantId = DAEMON_INTERNAL_ASSISTANT_ID;
 
-  // Try contacts-first for the vellum guardian channel
-  const guardianResult = findGuardianForChannel("vellum");
-  if (guardianResult && guardianResult.contact.principalId) {
-    const guardianPrincipalId = guardianResult.contact.principalId;
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  if (guardianPrincipalId) {
     const trustCtx = resolveTrustContext({
       assistantId,
       sourceChannel: "vellum",
@@ -97,13 +142,9 @@ export function resolveLocalTrustContext(
 export function resolveLocalAuthContext(conversationId: string): AuthContext {
   const authContext = buildLocalAuthContext(conversationId);
 
-  // Enrich with the guardian principal ID from contacts-first path
-  const guardianResult = findGuardianForChannel("vellum");
-  if (guardianResult && guardianResult.contact.principalId) {
-    return {
-      ...authContext,
-      actorPrincipalId: guardianResult.contact.principalId,
-    };
+  const guardianPrincipalId = findLocalGuardianPrincipalId();
+  if (guardianPrincipalId) {
+    return { ...authContext, actorPrincipalId: guardianPrincipalId };
   }
 
   log.warn(

package/src/runtime/pending-interactions.ts

@@ -59,6 +59,14 @@ export interface PendingInteraction {
   directResolve?: (decision: UserDecision) => void;
   /** When set, the host_bash request should be routed to this specific client. */
   targetClientId?: string;
+  /**
+   * Snapshot of `targetClientId`'s `actorPrincipalId` taken at registration
+   * time. Persisted so the result-route same-actor check compares against
+   * a stable value rather than the live hub — the target client's SSE
+   * subscription may have briefly disconnected between dispatch and result
+   * submission, which would otherwise 403 a legitimate result.
+   */
+  targetActorPrincipalId?: string;
 
   // -- RPC lifecycle (populated by host proxies) --
 

package/src/runtime/routes/__tests__/client-routes.test.ts

@@ -0,0 +1,155 @@
+/**
+ * Tests for the GET /v1/clients (list_clients) route.
+ *
+ * Validates the same-user filter applied to client listings:
+ * - Caller sees only clients owned by their `actorPrincipalId`.
+ * - Clients with no stored `actorPrincipalId` are filtered out (fail-closed).
+ * - Dev-bypass mode (`isHttpAuthDisabled()`) returns all clients.
+ */
+
+import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
+
+// ── Module mocks (must be set up before importing the route) ──────────────
+
+let fakeHttpAuthDisabled = false;
+
+mock.module("../../../config/env.js", () => ({
+  isHttpAuthDisabled: () => fakeHttpAuthDisabled,
+  hasUngatedHttpAuthDisabled: () => false,
+}));
+
+mock.module("../../../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+// ── Real imports (after mocks) ────────────────────────────────────────────
+
+import { assistantEventHub } from "../../assistant-event-hub.js";
+import { ROUTES } from "../client-routes.js";
+import type { RouteDefinition } from "../types.js";
+
+afterAll(() => {
+  mock.restore();
+});
+
+// ── Test helpers ──────────────────────────────────────────────────────────
+
+function findHandler(operationId: string): RouteDefinition["handler"] {
+  const route = ROUTES.find((r) => r.operationId === operationId);
+  if (!route) throw new Error(`Route ${operationId} not found`);
+  return route.handler;
+}
+
+type ListClientsResponse = {
+  clients: Array<{
+    clientId: string;
+    interfaceId: string;
+    capabilities: string[];
+    machineName?: string;
+    connectedAt: string;
+    lastActiveAt: string;
+  }>;
+};
+
+function registerClient(args: {
+  clientId: string;
+  actorPrincipalId?: string;
+}): void {
+  assistantEventHub.subscribe({
+    type: "client",
+    clientId: args.clientId,
+    interfaceId: "macos",
+    capabilities: ["host_bash", "host_file", "host_cu"],
+    actorPrincipalId: args.actorPrincipalId,
+    callback: () => {},
+  });
+}
+
+function clearHub(): void {
+  const ids = assistantEventHub.listClients().map((c) => c.clientId);
+  for (const id of ids) {
+    assistantEventHub.disposeClient(id);
+  }
+}
+
+// ── Tests ────────────────────────────────────────────────────────────────
+
+describe("list_clients route — same-user filter", () => {
+  beforeEach(() => {
+    fakeHttpAuthDisabled = false;
+    clearHub();
+  });
+
+  test("returns only clients owned by the calling actor", () => {
+    registerClient({ clientId: "client-A1", actorPrincipalId: "user-A" });
+    registerClient({ clientId: "client-A2", actorPrincipalId: "user-A" });
+    registerClient({ clientId: "client-B1", actorPrincipalId: "user-B" });
+
+    const handler = findHandler("list_clients");
+    const result = handler({
+      headers: { "x-vellum-actor-principal-id": "user-A" },
+    }) as ListClientsResponse;
+
+    const ids = result.clients.map((c) => c.clientId).sort();
+    expect(ids).toEqual(["client-A1", "client-A2"]);
+  });
+
+  test("filters out cross-user clients when listing as a different user", () => {
+    registerClient({ clientId: "client-A1", actorPrincipalId: "user-A" });
+    registerClient({ clientId: "client-B1", actorPrincipalId: "user-B" });
+
+    const handler = findHandler("list_clients");
+    const result = handler({
+      headers: { "x-vellum-actor-principal-id": "user-B" },
+    }) as ListClientsResponse;
+
+    const ids = result.clients.map((c) => c.clientId);
+    expect(ids).toEqual(["client-B1"]);
+  });
+
+  test("filters out clients with no stored actorPrincipalId (fail-closed)", () => {
+    registerClient({
+      clientId: "client-noprincipal",
+      actorPrincipalId: undefined,
+    });
+    registerClient({ clientId: "client-A1", actorPrincipalId: "user-A" });
+
+    const handler = findHandler("list_clients");
+    const result = handler({
+      headers: { "x-vellum-actor-principal-id": "user-A" },
+    }) as ListClientsResponse;
+
+    const ids = result.clients.map((c) => c.clientId);
+    expect(ids).toEqual(["client-A1"]);
+  });
+
+  test("filters out all clients when caller has no actorPrincipalId header (fail-closed)", () => {
+    registerClient({ clientId: "client-A1", actorPrincipalId: "user-A" });
+
+    const handler = findHandler("list_clients");
+    const result = handler({}) as ListClientsResponse;
+
+    expect(result.clients).toEqual([]);
+  });
+
+  test("dev-bypass mode returns all clients regardless of actor", () => {
+    fakeHttpAuthDisabled = true;
+    registerClient({ clientId: "client-A1", actorPrincipalId: "user-A" });
+    registerClient({ clientId: "client-B1", actorPrincipalId: "user-B" });
+    registerClient({
+      clientId: "client-noprincipal",
+      actorPrincipalId: undefined,
+    });
+
+    const handler = findHandler("list_clients");
+    const result = handler({
+      headers: { "x-vellum-actor-principal-id": "user-A" },
+    }) as ListClientsResponse;
+
+    const ids = result.clients.map((c) => c.clientId).sort();
+    expect(ids).toEqual(["client-A1", "client-B1", "client-noprincipal"]);
+  });
+});

package/src/runtime/routes/__tests__/conversation-query-routes.test.ts

@@ -10,7 +10,6 @@ mock.module("../../../util/logger.js", () => ({
 import {
   sampleConcepts as sharedSampleConcepts,
   sampleConfig,
-  sampleSkills,
 } from "../../../memory/__tests__/fixtures/memory-v2-activation-fixtures.js";
 
 let rawConfigFixture: Record<string, unknown> = {};
@@ -36,7 +35,6 @@ import {
   backfillMemoryV2ActivationMessageId,
   type MemoryV2ConceptRowRecord,
   type MemoryV2ConfigSnapshot,
-  type MemoryV2SkillRowRecord,
   recordMemoryV2ActivationLog,
 } from "../../../memory/memory-v2-activation-log-store.js";
 import {
@@ -153,7 +151,6 @@ describe("GET /v1/messages/:id/llm-context — memoryV2Activation", () => {
       turn: 4,
       mode: "per-turn",
       concepts: sampleConcepts,
-      skills: sampleSkills,
       config: sampleConfig,
     });
     backfillMemoryV2ActivationMessageId(conversationId, messageId);
@@ -163,7 +160,6 @@ describe("GET /v1/messages/:id/llm-context — memoryV2Activation", () => {
         turn: number;
         mode: "context-load" | "per-turn";
         concepts: MemoryV2ConceptRowRecord[];
-        skills: MemoryV2SkillRowRecord[];
         config: MemoryV2ConfigSnapshot;
       } | null;
       memoryRecall: unknown;
@@ -173,7 +169,6 @@ describe("GET /v1/messages/:id/llm-context — memoryV2Activation", () => {
     expect(body.memoryV2Activation!.turn).toBe(4);
     expect(body.memoryV2Activation!.mode).toBe("per-turn");
     expect(body.memoryV2Activation!.concepts).toEqual(sampleConcepts);
-    expect(body.memoryV2Activation!.skills).toEqual(sampleSkills);
     expect(body.memoryV2Activation!.config).toEqual(sampleConfig);
     // Backwards-compat: memoryRecall field still present.
     expect(body).toHaveProperty("memoryRecall");

package/src/runtime/routes/__tests__/heartbeat-routes.test.ts

@@ -90,7 +90,7 @@ describe("setHeartbeatConfig handler", () => {
     // invalidation + getConfig() read picked up the new on-disk state.
     expect(result.success).toBe(true);
     expect(result.enabled).toBe(true);
-    expect(result.intervalMs).toBe(6 * 3_600_000);
+    expect(result.intervalMs).toBe(30 * 60_000);
     expect(result.activeHoursStart).toBe(8);
     expect(result.activeHoursEnd).toBe(22);
   });

package/src/runtime/routes/client-routes.ts

@@ -8,6 +8,7 @@
 import { z } from "zod";
 
 import type { HostProxyCapability } from "../../channels/types.js";
+import { isHttpAuthDisabled } from "../../config/env.js";
 import { datesToISO } from "../../util/json.js";
 import { assistantEventHub } from "../assistant-event-hub.js";
 import { NotFoundError } from "./errors.js";
@@ -33,7 +34,7 @@ export const ROUTES: RouteDefinition[] = [
     responseBody: z.object({
       clients: z.array(z.object({}).passthrough()),
     }),
-    handler: ({ queryParams }) => {
+    handler: ({ queryParams, headers }) => {
       const capability = queryParams?.capability as
         | HostProxyCapability
         | undefined;
@@ -42,8 +43,25 @@ export const ROUTES: RouteDefinition[] = [
         ? assistantEventHub.listClientsByCapability(capability)
         : assistantEventHub.listClients();
 
+      // Defense-in-depth: filter the listing to clients owned by the calling
+      // actor so users cannot enumerate other users' connected client IDs.
+      // Clients with no stored `actorPrincipalId` (legacy SSE subscribers from
+      // before host-proxy-same-user, service-gateway tokens) are filtered out
+      // — fail-closed is the right default for this security boundary.
+      // Dev-bypass mode (DISABLE_HTTP_AUTH=true, mirroring
+      // require-bound-guardian.ts) preserves the previous "return all" behavior
+      // for platform-managed deployments where the platform handles auth.
+      const callerPrincipalId = headers?.["x-vellum-actor-principal-id"];
+      const filtered = isHttpAuthDisabled()
+        ? clients
+        : clients.filter(
+            (c) =>
+              c.actorPrincipalId !== undefined &&
+              c.actorPrincipalId === callerPrincipalId,
+          );
+
       return {
-        clients: clients.map((c) =>
+        clients: filtered.map((c) =>
           datesToISO({
             clientId: c.clientId,
             interfaceId: c.interfaceId,