@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/runtime/sync/resource-sync-events.ts

@@ -29,17 +29,7 @@ export function publishIdentityChanged(
     emoji: fields.emoji,
     home: fields.home,
   });
-  void publishSyncInvalidation(
-    [SYNC_TAGS.assistantIdentity, SYNC_TAGS.assistantIdentityIntro],
-    originClientId,
-  );
-}
-
-export function publishIdentityIntroChanged(originClientId?: string): void {
-  void publishSyncInvalidation(
-    [SYNC_TAGS.assistantIdentityIntro],
-    originClientId,
-  );
+  void publishSyncInvalidation([SYNC_TAGS.assistantIdentity], originClientId);
 }
 
 export function publishConfigChanged(originClientId?: string): void {

package/src/runtime/tool-grant-request-helper.ts

@@ -13,12 +13,14 @@
 
 import type { ChannelId } from "../channels/types.js";
 import {
-  createCanonicalGuardianDelivery,
   createCanonicalGuardianRequest,
   listCanonicalGuardianRequests,
 } from "../memory/canonical-guardian-store.js";
+import {
+  recordApprovalCardDelivery,
+  recordGuardianRequestDeliveries,
+} from "../notifications/canonical-delivery-recorder.js";
 import { emitNotificationSignal } from "../notifications/emit-signal.js";
-import type { NotificationSourceChannel } from "../notifications/signal.js";
 import { getLogger } from "../util/logger.js";
 import { getGuardianBinding } from "./channel-verification-service.js";
 import { GUARDIAN_APPROVAL_TTL_MS } from "./routes/channel-route-shared.js";
@@ -140,12 +142,16 @@ export function createOrReuseToolGrantRequest(
     canonicalRequest.requestCode ??
     canonicalRequest.id.slice(0, 6).toUpperCase();
 
+  // The vellum delivery row is created up front in onConversationCreated so the
+  // in-app client sees it immediately; the post-resolve recorder reuses it.
+  let vellumDeliveryId: string | undefined;
+
   // Emit notification so guardian is alerted. Uses 'guardian.question' as
   // sourceEventName so that existing request-code guidance in the notification
   // pipeline is preserved.
   const signalPromise = emitNotificationSignal({
     sourceEventName: "guardian.question",
-    sourceChannel: sourceChannel as NotificationSourceChannel,
+    sourceChannel,
     sourceContextId: conversationId,
     requiresConversation: true,
     attentionHints: {
@@ -167,25 +173,21 @@ export function createOrReuseToolGrantRequest(
     },
     dedupeKey: `tool-grant-request:${canonicalRequest.id}`,
     onConversationCreated: (info) => {
-      createCanonicalGuardianDelivery({
+      vellumDeliveryId = recordApprovalCardDelivery({
         requestId: canonicalRequest.id,
-        destinationChannel: "vellum",
-        destinationConversationId: info.conversationId,
-      });
+        channel: "vellum",
+        conversationId: info.conversationId,
+      })?.id;
     },
   });
 
   // Record deliveries from the notification pipeline results (fire-and-forget).
   void signalPromise.then((signalResult) => {
-    for (const result of signalResult.deliveryResults) {
-      if (result.channel === "vellum") continue; // handled in onConversationCreated
-      createCanonicalGuardianDelivery({
-        requestId: canonicalRequest.id,
-        destinationChannel: result.channel,
-        destinationChatId:
-          result.destination.length > 0 ? result.destination : undefined,
-      });
-    }
+    recordGuardianRequestDeliveries({
+      requestId: canonicalRequest.id,
+      deliveryResults: signalResult.deliveryResults,
+      vellumDeliveryId,
+    });
   });
 
   log.info(

package/src/runtime/trust-context-resolver.ts

@@ -16,6 +16,7 @@ import {
   type ResolveActorTrustInput,
   toTrustContext,
 } from "./actor-trust-resolver.js";
+import { resolveCapabilities } from "./capabilities.js";
 
 /**
  * Resolve route-level trust context from canonical identity state.
@@ -64,14 +65,15 @@ export interface RoutingState {
  * Compute the routing state for a channel actor turn.
  *
  * Guardian actors are always interactive (they self-approve).
- * Trusted contacts are only interactive when a guardian binding exists
- * to receive approval notifications. Unknown actors are never interactive.
+ * Trusted and unverified contacts are only interactive when a guardian
+ * binding exists to receive approval notifications. Unknown actors are
+ * never interactive.
  */
 export function resolveRoutingState(
   ctx: Pick<TrustContext, "trustClass" | "guardianExternalUserId">,
 ): RoutingState {
+  const caps = resolveCapabilities(ctx.trustClass);
   const isGuardian = ctx.trustClass === "guardian";
-  const isTrustedContact = ctx.trustClass === "trusted_contact";
 
   // Guardians self-approve — they are always interactive and route-resolvable.
   if (isGuardian) {
@@ -82,12 +84,13 @@ export function resolveRoutingState(
     };
   }
 
-  // Trusted contacts can be interactive only if a guardian destination
+  // Identity-known non-guardian contacts (trusted_contact /
+  // unverified_contact) can be interactive only if a guardian destination
   // exists. The guardian binding populates guardianExternalUserId during
   // trust resolution; its presence means there is a verified guardian
   // to route approval notifications to.
   const guardianRouteResolvable = !!ctx.guardianExternalUserId;
-  if (isTrustedContact) {
+  if (caps.mayBeInteractive) {
     return {
       canBeInteractive: true,
       guardianRouteResolvable,

package/src/schedule/inference-profile.ts

@@ -1,4 +1,4 @@
-import { getConfigReadOnly } from "../config/loader.js";
+import { validateInferenceProfileKey } from "../config/inference-profile-validation.js";
 
 /**
  * Validate a schedule's inference-profile key against the configured
@@ -12,17 +12,5 @@ import { getConfigReadOnly } from "../config/loader.js";
 export function validateScheduleInferenceProfile(
   profile: string,
 ): string | null {
-  if (!profile.trim()) {
-    return "inferenceProfile must be a non-empty string";
-  }
-  const profiles = getConfigReadOnly().llm?.profiles ?? {};
-  if (!Object.prototype.hasOwnProperty.call(profiles, profile)) {
-    const available = Object.keys(profiles).sort();
-    const hint =
-      available.length > 0
-        ? ` Available profiles: ${available.join(", ")}.`
-        : " No profiles defined in llm.profiles.";
-    return `Inference profile "${profile}" is not defined in llm.profiles.${hint}`;
-  }
-  return null;
+  return validateInferenceProfileKey(profile);
 }

package/src/schedule/schedule-store.ts

@@ -158,7 +158,7 @@ export function createSchedule(params: {
   const routingIntent = params.routingIntent ?? "all_channels";
   const routingHints = params.routingHints ?? {};
   const quiet = params.quiet ?? false;
-  const reuseConversation = params.reuseConversation ?? !isOneShot;
+  const reuseConversation = params.reuseConversation ?? false;
   const maxRetries = params.maxRetries ?? 3;
   const retryBackoffMs = params.retryBackoffMs ?? 60000;
   const timeoutMs = params.timeoutMs ?? null;

package/src/schedule/scheduler-types.ts

@@ -7,7 +7,11 @@
 import type { LLMCallSite } from "../config/schemas/llm.js";
 
 export interface ScheduleMessageOptions {
-  trustClass?: "guardian" | "trusted_contact" | "unknown";
+  trustClass?:
+    | "guardian"
+    | "trusted_contact"
+    | "unverified_contact"
+    | "unknown";
   taskRunId?: string;
   /**
    * Optional LLM call-site identifier propagated to the per-call provider

package/src/security/__tests__/provider-key-env-fallback.test.ts

@@ -53,6 +53,7 @@ describe("getProviderKeyAsync env-var fallback (regression #27126)", () => {
     "BRAVE_API_KEY",
     "PERPLEXITY_API_KEY",
     "TAVILY_API_KEY",
+    "FIRECRAWL_API_KEY",
     "ANTHROPIC_API_KEY",
     "OPENAI_API_KEY",
   ];
@@ -103,6 +104,11 @@ describe("getProviderKeyAsync env-var fallback (regression #27126)", () => {
     expect(await getProviderKeyAsync("tavily")).toBe("tavily-env-test");
   });
 
+  test("returns FIRECRAWL_API_KEY from process.env when secure store is empty", async () => {
+    process.env.FIRECRAWL_API_KEY = "fc-env-test";
+    expect(await getProviderKeyAsync("firecrawl")).toBe("fc-env-test");
+  });
+
   test("returns ANTHROPIC_API_KEY from process.env when secure store is empty (LLM regression)", async () => {
     process.env.ANTHROPIC_API_KEY = "anthropic-env-test";
     expect(await getProviderKeyAsync("anthropic")).toBe("anthropic-env-test");

package/src/security/secret-patterns.ts

@@ -133,4 +133,7 @@ export const PREFIX_PATTERNS: SecretPrefixPattern[] = [
 
   // -- Tavily --
   { label: "Tavily API Key", regex: /tvly-[A-Za-z0-9]{20,}/ },
+
+  // -- Firecrawl --
+  { label: "Firecrawl API Key", regex: /fc-[A-Za-z0-9]{20,}/ },
 ];

package/src/subagent/manager.ts

@@ -237,10 +237,17 @@ export class SubagentManager {
         config.systemPromptOverride ??
         buildSubagentSystemPrompt({ ...config, id: subagentId }, role);
     }
-    const maxTokens = resolveCallSiteConfig(
-      "subagentSpawn",
-      appConfig.llm,
-    ).maxTokens;
+    // Resolve under the same profile the run will use (forwarded via
+    // `SubagentConfig`) so the constructed conversation's default token cap
+    // matches the inherited profile rather than the static `subagentSpawn`
+    // default. Per-call routing re-resolves the model anyway; this keeps the
+    // initial value consistent.
+    const maxTokens = resolveCallSiteConfig("subagentSpawn", appConfig.llm, {
+      ...(config.overrideProfile
+        ? { overrideProfile: config.overrideProfile }
+        : {}),
+      ...(config.forceOverrideProfile ? { forceOverrideProfile: true } : {}),
+    }).maxTokens;
     const workingDir = getSandboxWorkingDir();
 
     // ── Initialise state ────────────────────────────────────────────
@@ -453,6 +460,9 @@ export class SubagentManager {
         ...(managed.state.config.overrideProfile
           ? { overrideProfile: managed.state.config.overrideProfile }
           : {}),
+        ...(managed.state.config.forceOverrideProfile
+          ? { forceOverrideProfile: true }
+          : {}),
       });
 
       // Agent loop completed successfully.
@@ -641,6 +651,9 @@ export class SubagentManager {
           ...(managed.state.config.overrideProfile
             ? { overrideProfile: managed.state.config.overrideProfile }
             : {}),
+          ...(managed.state.config.forceOverrideProfile
+            ? { forceOverrideProfile: true }
+            : {}),
         })
         .catch((err) => {
           log.error({ subagentId, err }, "Subagent message processing failed");

package/src/subagent/types.ts

@@ -69,6 +69,12 @@ export interface SubagentConfig {
    * profile, every spawned subagent inherits it automatically.
    */
   overrideProfile?: string;
+  /**
+   * When true, the subagent's `overrideProfile` is an explicit spawn-time
+   * request and must float above call-site layers. Inherited parent profiles
+   * leave this unset so existing call-site precedence stays intact.
+   */
+  forceOverrideProfile?: boolean;
   /**
    * Tool-use id of the `skill_execute` call that spawned this subagent.
    * Forwarded into the `subagent_spawned` event so the client can anchor the

package/src/telemetry/trace-collection-policy.test.ts

@@ -0,0 +1,28 @@
+import { describe, expect, test } from "bun:test";
+
+import {
+  isDiagnosticsConsentVersionEligible,
+  TRACE_COLLECTION_MIN_DIAGNOSTICS_CONSENT_VERSION,
+} from "./trace-collection-policy.js";
+
+describe("isDiagnosticsConsentVersionEligible", () => {
+  test("the threshold version itself is eligible (>=, inclusive boundary)", () => {
+    expect(
+      isDiagnosticsConsentVersionEligible(
+        TRACE_COLLECTION_MIN_DIAGNOSTICS_CONSENT_VERSION,
+      ),
+    ).toBe(true);
+  });
+
+  test("a later version is eligible", () => {
+    expect(isDiagnosticsConsentVersionEligible("2999-01-01")).toBe(true);
+  });
+
+  test("an earlier version fails closed", () => {
+    expect(isDiagnosticsConsentVersionEligible("2000-01-01")).toBe(false);
+  });
+
+  test("the empty version (never accepted / unversioned default) fails closed", () => {
+    expect(isDiagnosticsConsentVersionEligible("")).toBe(false);
+  });
+});

package/src/telemetry/trace-collection-policy.ts

@@ -0,0 +1,30 @@
+/**
+ * Per-turn trace-collection disclosure gate (daemon side).
+ *
+ * A "trace" is the full transcript of one assistant turn. Traces are only
+ * collected from owners who accepted the diagnostics-sharing consent copy that
+ * *discloses* trace collection — identified by its accepted version.
+ *
+ * This mirrors the platform's authoritative ingest gate in
+ * `vellum-assistant-platform`:
+ *   - `django/app/core/trace_collection.py` (`is_trace_collection_enabled`)
+ *   - `config.settings.TRACE_COLLECTION_MIN_DIAGNOSTICS_CONSENT_VERSION`
+ *
+ * The daemon applies the same `share_diagnostics_accepted_version >= threshold`
+ * check the platform does, so traces for ineligible owners never leave the
+ * device. (The platform would drop them anyway, but checking here keeps the PII
+ * local — data minimization.)
+ *
+ * Keep this constant in lockstep with the platform setting. Versions are
+ * "YYYY-MM-DD" strings, so the lexicographic compare is chronological; ""
+ * (never accepted) and older versions fail closed.
+ */
+export const TRACE_COLLECTION_MIN_DIAGNOSTICS_CONSENT_VERSION = "2026-06-18";
+
+/**
+ * True iff `version` (the owner's `share_diagnostics_accepted_version`) is at or
+ * past the disclosing version. Fails closed for "" / older versions.
+ */
+export function isDiagnosticsConsentVersionEligible(version: string): boolean {
+  return version >= TRACE_COLLECTION_MIN_DIAGNOSTICS_CONSENT_VERSION;
+}

package/src/telemetry/types.ts

@@ -147,6 +147,82 @@ export interface TurnTelemetryClientInfo {
   interface_version?: string;
 }
 
+/**
+ * One message in a turn trace. `role` is the stored `messages.role`
+ * (`"user"` / `"assistant"` / `"system"`); tool-result rows persisted with
+ * role `"user"` keep that role here so the transcript is faithful to what was
+ * sent to the model. `content` is the parsed `messages.content` — either the
+ * modern `ContentBlock[]` (text / tool_use / tool_result / thinking / image /
+ * file blocks) or a legacy plain string. Stored verbatim by the platform as an
+ * opaque JSON column, so the shape is self-describing rather than normalized.
+ */
+export interface TurnTraceMessage {
+  /** `messages.id` — stable per-row id. */
+  id: string;
+  /** Stored role of the message row. */
+  role: string;
+  /** Epoch-ms `messages.created_at`. */
+  created_at: number;
+  /**
+   * Parsed `messages.content`. `unknown` because it is forwarded verbatim:
+   * modern rows are `ContentBlock[]`, legacy rows are a plain string.
+   */
+  content: unknown;
+}
+
+/**
+ * One tool invocation in a turn trace, projected from the `tool_invocations`
+ * audit table for the turn window. Carries the full tool call + result so the
+ * platform sees the same transcript the assistant did. Both `input` and
+ * `result` are captured verbatim (full-fidelity) — no field-level redaction is
+ * applied. The protections for this PII are the owner consent gate, the
+ * PII-segregated `pii_turn_raw` table, and its 30-day TTL.
+ */
+export interface TurnTraceToolCall {
+  /** `tool_invocations.id`. */
+  id: string;
+  tool_name: string;
+  /** Verbatim tool input — parsed JSON when it parses, else the raw string. */
+  input: unknown;
+  /** Stored tool result string (verbatim). */
+  result: string;
+  /** Audit decision (`"allow"` / `"error"` / …). */
+  decision: string;
+  duration_ms: number;
+  created_at: number;
+}
+
+/**
+ * Full transcript of a single turn — the user message, assistant response
+ * message(s), and the tool calls + results that occurred between this user
+ * turn and the next real user turn. Attached to the turn telemetry event's
+ * `trace` field ONLY when trace collection is enabled — the `trace-collection`
+ * feature flag AND the owner's `share_diagnostics` consent must both be true.
+ * The platform stores this verbatim as an opaque JSON column, so the daemon
+ * owns the shape.
+ *
+ * Each turn's trace is its natural window. A turn whose window holds no
+ * assistant response (a coalesced-batch head, or a turn that failed/cancelled
+ * before responding) traces user-only — faithful, since its window genuinely
+ * has no response. A coalesced batch's shared response lives on the batch's
+ * final turn's window, where the daemon already attributes it.
+ */
+export interface TurnTrace {
+  /** Shape version so the platform/dbt can evolve parsing without ambiguity. */
+  schema_version: 1;
+  /**
+   * Ordered message rows for the turn (the user message first, then assistant
+   * responses and any tool-result rows), oldest-first by `(created_at, id)`.
+   */
+  messages: TurnTraceMessage[];
+  /**
+   * Tool invocations that occurred during the turn window, oldest-first. May
+   * be empty for turns with no tool use. Projected from `tool_invocations`,
+   * which complements the inline tool_use/tool_result blocks in `messages`.
+   */
+  tool_calls: TurnTraceToolCall[];
+}
+
 /** Turn event — one per user message. */
 export interface TurnTelemetryEvent extends TelemetryEventBase {
   type: "turn";
@@ -200,6 +276,19 @@ export interface TurnTelemetryEvent extends TelemetryEventBase {
    * middleware hasn't been wired to yet).
    */
   client: TurnTelemetryClientInfo | null;
+  /**
+   * Full per-turn transcript (user message + assistant responses + tool
+   * calls/results). Present ONLY when trace collection is enabled — the daemon
+   * composes the gate itself from the `trace-collection` feature flag (delivered
+   * via the assistant-tagged flag sync, evaluated server-side for this
+   * assistant's owner) AND the owner's cached `share_diagnostics` consent, both
+   * of which must be true. Fail-closed: when either is off (or unknown) no trace
+   * is attached. The platform dual-writes consented traces into a separate PII
+   * table and keeps the trace-free turn row; downstream consumers that don't
+   * read traces ignore this field. Null / absent when the gate is off or the
+   * serialized trace exceeded the size cap.
+   */
+  trace?: TurnTrace | null;
 }
 
 /** Lifecycle event — app_open, hatch, etc. */