@vellumai/vellum-gateway 0.6.2 → 0.6.3

package/src/__tests__/remote-feature-flag-sync.test.ts

@@ -60,7 +60,7 @@ function fakeCredentialCache(
 
 function defaultCredentials(): Record<string, string> {
   return {
-    "credential/vellum/platform_base_url": "https://assistant.vellum.ai",
+    "credential/vellum/platform_base_url": "https://platform.vellum.ai",
     "credential/vellum/platform_assistant_id": "asst-123",
     "credential/vellum/assistant_api_key": "test-api-key",
   };
@@ -550,6 +550,70 @@ describe("RemoteFeatureFlagSync", () => {
     sync.stop();
   });
 
+  test("syncNow during in-flight poll does not create duplicate poll chains", async () => {
+    // Simulate a slow fetch that takes 200ms to resolve.
+    let fetchCallCount = 0;
+    fetchMock = mock(async () => {
+      fetchCallCount++;
+      await new Promise((r) => setTimeout(r, 200));
+      return Response.json({ flags: { ok: true } });
+    });
+
+    const sync = new RemoteFeatureFlagSync({
+      credentials: fakeCredentialCache(defaultCredentials()),
+      initialPollIntervalMs: 50,
+    });
+    await sync.start();
+    // start() awaits its own fetchAndCache, so fetchCallCount is 1 now.
+    expect(fetchCallCount).toBe(1);
+
+    // Wait for the first poll timer to fire (50ms would be initial, but
+    // start succeeded so it snapped to steady-state). Instead, we'll
+    // call syncNow() directly — the interesting case is when poll() is
+    // already in-flight. To trigger that, we use a short interval.
+    sync.stop();
+
+    // Reset with short interval to create the race:
+    fetchCallCount = 0;
+    fetchMock = mock(async () => {
+      fetchCallCount++;
+      // Slow fetch — 150ms
+      await new Promise((r) => setTimeout(r, 150));
+      return Response.json({ flags: { ok: true } });
+    });
+
+    const sync2 = new RemoteFeatureFlagSync({
+      credentials: fakeCredentialCache(defaultCredentials()),
+      initialPollIntervalMs: 30,
+    });
+    await sync2.start(); // 1 fetch (slow, 150ms)
+    expect(fetchCallCount).toBe(1);
+
+    // Wait for poll timer to fire and start its fetch (30ms after start)
+    await new Promise((r) => setTimeout(r, 50));
+    // poll() has fired and its fetchAndCache() is now in-flight
+
+    // Call syncNow() while poll's fetch is in-flight
+    const syncNowPromise = sync2.syncNow();
+
+    // Wait for everything to settle
+    await syncNowPromise;
+    await new Promise((r) => setTimeout(r, 300));
+
+    // Count how many fetches happened after the race window
+    const fetchesDuringRace = fetchCallCount;
+
+    // Now wait a bit more — if duplicate poll chains exist, we'd see
+    // extra fetches firing at the short interval
+    await new Promise((r) => setTimeout(r, 200));
+
+    // Should NOT have extra fetches from a leaked poll chain
+    // At most: 1 (start) + 1 (poll) + 1 (syncNow) + 1 (next scheduled poll)
+    expect(fetchCallCount).toBeLessThanOrEqual(fetchesDuringRace + 1);
+
+    sync2.stop();
+  });
+
   test("doubles poll interval on consecutive failures", async () => {
     // Always fail — missing creds
     const creds = defaultCredentials();

package/src/__tests__/slack-deliver.test.ts

@@ -20,7 +20,6 @@ mock.module("../auth/token-exchange.js", () => ({
   mintIngressToken: () => "mock-ingress-token",
   mintServiceToken: () => "mock-service-token",
   mintExchangeToken: () => "mock-exchange-token",
-  mintBrowserRelayToken: () => "mock-browser-relay-token",
   validateEdgeToken: () => ({ ok: true }),
 }));
 

package/src/auth/token-exchange.ts

@@ -22,9 +22,6 @@ const log = getLogger("token-exchange");
 /** TTL for exchange tokens — short-lived, minted per-request. */
 const EXCHANGE_TOKEN_TTL_SECONDS = 60;
 
-/** TTL for browser relay tokens — longer-lived for extension use. */
-const BROWSER_RELAY_TOKEN_TTL_SECONDS = 3600;
-
 // ---------------------------------------------------------------------------
 // Edge token validation
 // ---------------------------------------------------------------------------
@@ -131,20 +128,3 @@ export function mintServiceToken(): string {
     ttlSeconds: EXCHANGE_TOKEN_TTL_SECONDS,
   });
 }
-
-/**
- * Mint a long-lived token for the Chrome extension to connect to the
- * browser relay WebSocket. Uses gateway audience so it passes
- * validateEdgeToken() on the WS upgrade path.
- *
- * sub=svc:browser-relay:self, scope_profile=gateway_service_v1, TTL=1h
- */
-export function mintBrowserRelayToken(): string {
-  return mintToken({
-    aud: "vellum-gateway",
-    sub: "svc:browser-relay:self",
-    scope_profile: "gateway_service_v1",
-    policy_epoch: CURRENT_POLICY_EPOCH,
-    ttlSeconds: BROWSER_RELAY_TOKEN_TTL_SECONDS,
-  });
-}

package/src/channels/transport-hints.ts

@@ -42,14 +42,47 @@ export const EMAIL_CHANNEL_TRANSPORT_HINTS = [
 ] as const;
 
 export const EMAIL_CHANNEL_TRANSPORT_UX_BRIEF =
-  "Email is an asynchronous medium. Responses can be longer and more detailed than chat. Use proper formatting. The user may not see the response immediately.";
+  "Email is an asynchronous medium. Responses can be longer and more detailed than chat. Use proper formatting. The user may not see the response immediately. To reply, you should almost always use the `assistant email send` CLI command (run `assistant email send --help` for usage). Use your judgment — there may be rare cases where a different medium is more appropriate or no reply is needed.";
 
-export function buildEmailTransportMetadata(): {
+/**
+ * Context from the inbound email that the assistant needs to construct a
+ * reply via the `assistant email send` CLI command.
+ */
+export interface EmailReplyContext {
+  /** The sender's email address (who the reply should go to). */
+  senderAddress: string;
+  /** The assistant's own email address (the "from" for the reply). */
+  recipientAddress: string;
+  /** Original email subject line, if present. */
+  subject?: string;
+  /** Message-ID of the inbound email for In-Reply-To threading. */
+  inReplyTo?: string;
+}
+
+export function buildEmailTransportMetadata(replyContext?: EmailReplyContext): {
   hints: string[];
   uxBrief: string;
 } {
+  const hints: string[] = [...EMAIL_CHANNEL_TRANSPORT_HINTS];
+
+  if (replyContext) {
+    hints.push(
+      `email-sender: ${replyContext.senderAddress}`,
+      `email-recipient: ${replyContext.recipientAddress}`,
+    );
+    if (replyContext.subject) {
+      hints.push(`email-subject: ${replyContext.subject}`);
+    }
+    if (replyContext.inReplyTo) {
+      hints.push(`email-in-reply-to: ${replyContext.inReplyTo}`);
+    }
+    hints.push(
+      "email-reply-help: Run `assistant email send --help` for send usage.",
+    );
+  }
+
   return {
-    hints: [...EMAIL_CHANNEL_TRANSPORT_HINTS],
+    hints,
     uxBrief: EMAIL_CHANNEL_TRANSPORT_UX_BRIEF,
   };
 }

package/src/credential-reader.ts

@@ -364,9 +364,15 @@ export const SLACK_CHANNEL_CREDENTIAL_SPEC: ServiceCredentialSpec = {
   requiredFields: ["bot_token", "app_token"],
 } as const;
 
+export const VELLUM_CREDENTIAL_SPEC: ServiceCredentialSpec = {
+  service: "vellum",
+  requiredFields: ["platform_base_url", "assistant_api_key", "platform_assistant_id", "webhook_secret"],
+} as const;
+
 export const ALL_CREDENTIAL_SPECS: readonly ServiceCredentialSpec[] = [
   TELEGRAM_CREDENTIAL_SPEC,
   TWILIO_CREDENTIAL_SPEC,
   WHATSAPP_CREDENTIAL_SPEC,
   SLACK_CHANNEL_CREDENTIAL_SPEC,
+  VELLUM_CREDENTIAL_SPEC,
 ];

package/src/email/register-callback.test.ts

@@ -0,0 +1,253 @@
+import { describe, test, expect, afterEach } from "bun:test";
+import type { ConfigFileCache } from "../config-file-cache.js";
+import type { CredentialCache } from "../credential-cache.js";
+import { credentialKey } from "../credential-key.js";
+import {
+  mockFetch,
+  getMockFetchCalls,
+  resetMockFetch,
+} from "../__tests__/mock-fetch.js";
+import {
+  registerEmailCallbackRoute,
+  EMAIL_CALLBACK_PATH,
+} from "./register-callback.js";
+
+afterEach(() => {
+  resetMockFetch();
+  delete process.env.VELLUM_PLATFORM_URL;
+  delete process.env.PLATFORM_INTERNAL_API_KEY;
+  delete process.env.PLATFORM_ASSISTANT_ID;
+});
+
+function makeConfigFile(
+  values: Record<string, Record<string, string>> = {},
+): ConfigFileCache {
+  return {
+    getString: (section: string, key: string) =>
+      values[section]?.[key] ?? undefined,
+    invalidate: () => {},
+  } as unknown as ConfigFileCache;
+}
+
+function makeCaches(opts: {
+  platformBaseUrl?: string;
+  assistantApiKey?: string;
+  platformAssistantId?: string;
+  ingressUrl?: string;
+}): { credentials: CredentialCache; configFile?: ConfigFileCache } {
+  const store = new Map<string, string>();
+  if (opts.platformBaseUrl)
+    store.set(
+      credentialKey("vellum", "platform_base_url"),
+      opts.platformBaseUrl,
+    );
+  if (opts.assistantApiKey)
+    store.set(
+      credentialKey("vellum", "assistant_api_key"),
+      opts.assistantApiKey,
+    );
+  if (opts.platformAssistantId)
+    store.set(
+      credentialKey("vellum", "platform_assistant_id"),
+      opts.platformAssistantId,
+    );
+
+  const result: {
+    credentials: CredentialCache;
+    configFile?: ConfigFileCache;
+  } = {
+    credentials: {
+      get: async (key: string) => store.get(key),
+      invalidate: () => {},
+    } as CredentialCache,
+  };
+
+  if (opts.ingressUrl) {
+    result.configFile = makeConfigFile({
+      ingress: { publicBaseUrl: opts.ingressUrl },
+    });
+  }
+
+  return result;
+}
+
+describe("registerEmailCallbackRoute", () => {
+  test("returns undefined when credentials are missing", async () => {
+    const result = await registerEmailCallbackRoute();
+    expect(result).toBeUndefined();
+  });
+
+  test("returns undefined when credential cache has no platform values", async () => {
+    const caches = makeCaches({});
+    const result = await registerEmailCallbackRoute(caches);
+    expect(result).toBeUndefined();
+  });
+
+  test("registers callback route with platform via credential cache", async () => {
+    const caches = makeCaches({
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "test-api-key",
+      platformAssistantId: "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
+    });
+
+    const callbackUrl =
+      "https://platform.example.com/v1/gateway/callbacks/aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee/webhooks/email/";
+
+    mockFetch(
+      "callback-routes/register",
+      { method: "POST" },
+      {
+        body: { callback_url: callbackUrl },
+        status: 201,
+      },
+    );
+
+    const result = await registerEmailCallbackRoute(caches);
+
+    expect(result).toBe(callbackUrl);
+
+    const calls = getMockFetchCalls();
+    expect(calls).toHaveLength(1);
+    expect(calls[0].path).toContain(
+      "/v1/internal/gateway/callback-routes/register/",
+    );
+    const body = JSON.parse(calls[0].init.body as string);
+    expect(body).toEqual({
+      assistant_id: "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
+      callback_path: EMAIL_CALLBACK_PATH,
+      type: "email",
+    });
+  });
+
+  test("falls back to env vars when credential cache is empty", async () => {
+    process.env.VELLUM_PLATFORM_URL = "https://env-platform.example.com";
+    process.env.PLATFORM_ASSISTANT_ID = "11111111-2222-3333-4444-555555555555";
+    process.env.PLATFORM_INTERNAL_API_KEY = "internal-key";
+
+    const callbackUrl =
+      "https://env-platform.example.com/v1/gateway/callbacks/11111111-2222-3333-4444-555555555555/webhooks/email/";
+
+    mockFetch(
+      "callback-routes/register",
+      { method: "POST" },
+      {
+        body: { callback_url: callbackUrl },
+        status: 201,
+      },
+    );
+
+    const result = await registerEmailCallbackRoute();
+
+    expect(result).toBe(callbackUrl);
+
+    const calls = getMockFetchCalls();
+    expect(calls).toHaveLength(1);
+    const headers = calls[0].init.headers as Record<string, string>;
+    expect(headers?.["Authorization"]).toBe("Bearer internal-key");
+  });
+
+  test("throws on non-ok response", async () => {
+    const caches = makeCaches({
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "test-api-key",
+      platformAssistantId: "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
+    });
+
+    mockFetch(
+      "callback-routes/register",
+      { method: "POST" },
+      new Response("Forbidden", { status: 403 }),
+    );
+
+    await expect(registerEmailCallbackRoute(caches)).rejects.toThrow(
+      /Email callback route registration failed \(HTTP 403\)/,
+    );
+  });
+
+  test("throws when response has no callback_url", async () => {
+    const caches = makeCaches({
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "test-api-key",
+      platformAssistantId: "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
+    });
+
+    mockFetch(
+      "callback-routes/register",
+      { method: "POST" },
+      {
+        body: { id: "route-id" },
+        status: 201,
+      },
+    );
+
+    await expect(registerEmailCallbackRoute(caches)).rejects.toThrow(
+      /did not include callback_url/,
+    );
+  });
+
+  test("sends callback_base_url when ingress URL is configured (self-hosted)", async () => {
+    const caches = makeCaches({
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "vak_selfhosted",
+      platformAssistantId: "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
+      ingressUrl: "https://my-assistant.example.com",
+    });
+
+    const callbackUrl =
+      "https://my-assistant.example.com/v1/gateway/callbacks/aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee/webhooks/email/";
+
+    mockFetch(
+      "callback-routes/register",
+      { method: "POST" },
+      {
+        body: { callback_url: callbackUrl },
+        status: 201,
+      },
+    );
+
+    const result = await registerEmailCallbackRoute(caches);
+
+    expect(result).toBe(callbackUrl);
+
+    const calls = getMockFetchCalls();
+    expect(calls).toHaveLength(1);
+    const body = JSON.parse(calls[0].init.body as string);
+    expect(body).toEqual({
+      assistant_id: "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
+      callback_path: EMAIL_CALLBACK_PATH,
+      type: "email",
+      callback_base_url: "https://my-assistant.example.com",
+    });
+  });
+
+  test("omits callback_base_url when no ingress URL is configured (platform-managed)", async () => {
+    const caches = makeCaches({
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "vak_managed",
+      platformAssistantId: "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
+    });
+
+    const callbackUrl =
+      "https://platform.example.com/v1/gateway/callbacks/aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee/webhooks/email/";
+
+    mockFetch(
+      "callback-routes/register",
+      { method: "POST" },
+      {
+        body: { callback_url: callbackUrl },
+        status: 201,
+      },
+    );
+
+    await registerEmailCallbackRoute(caches);
+
+    const calls = getMockFetchCalls();
+    expect(calls).toHaveLength(1);
+    const body = JSON.parse(calls[0].init.body as string);
+    expect(body).not.toHaveProperty("callback_base_url");
+  });
+
+  test("EMAIL_CALLBACK_PATH matches gateway route", () => {
+    expect(EMAIL_CALLBACK_PATH).toBe("webhooks/email");
+  });
+});

package/src/email/register-callback.ts

@@ -0,0 +1,135 @@
+import type { ConfigFileCache } from "../config-file-cache.js";
+import type { CredentialCache } from "../credential-cache.js";
+import { credentialKey } from "../credential-key.js";
+import { fetchImpl } from "../fetch.js";
+import { getLogger } from "../logger.js";
+
+const log = getLogger("email-callback");
+
+/**
+ * The callback path registered with the platform for inbound email webhooks.
+ * Must match the gateway route path in index.ts ("/webhooks/email").
+ */
+export const EMAIL_CALLBACK_PATH = "webhooks/email";
+const EMAIL_CALLBACK_TYPE = "email";
+
+interface PlatformCallbackRouteResponse {
+  callback_url?: string;
+}
+
+/**
+ * Register a callback route with the Vellum platform so that inbound email
+ * webhooks are forwarded to this gateway instance.
+ *
+ * Follows the same pattern as Telegram's managed callback route registration
+ * in `telegram/webhook-manager.ts`.  Requires platform credentials (base URL,
+ * API key, assistant ID) either from the credential cache or environment
+ * variables.
+ *
+ * Self-hosted assistants with a configured ``ingress.publicBaseUrl`` send
+ * their own base URL so the callback route points directly at the gateway
+ * rather than through the platform proxy.
+ *
+ * Returns the platform-assigned callback URL on success, or `undefined` if
+ * credentials are not available.
+ */
+export async function registerEmailCallbackRoute(caches?: {
+  credentials?: CredentialCache;
+  configFile?: ConfigFileCache;
+}): Promise<string | undefined> {
+  // Read from credential cache when available
+  const [platformBaseUrlRaw, assistantApiKeyRaw, assistantIdRaw] =
+    caches?.credentials
+      ? await Promise.all([
+          caches.credentials.get(credentialKey("vellum", "platform_base_url")),
+          caches.credentials.get(credentialKey("vellum", "assistant_api_key")),
+          caches.credentials.get(
+            credentialKey("vellum", "platform_assistant_id"),
+          ),
+        ])
+      : [undefined, undefined, undefined];
+
+  // Fall back to env vars when credential cache values are missing, matching
+  // the daemon's resolvePlatformCallbackRegistrationContext() behaviour.
+  const platformBaseUrl = (
+    platformBaseUrlRaw?.trim() ||
+    process.env.VELLUM_PLATFORM_URL?.trim() ||
+    ""
+  ).replace(/\/+$/, "");
+
+  const platformInternalApiKey =
+    process.env.PLATFORM_INTERNAL_API_KEY?.trim() || undefined;
+  const assistantApiKey = !platformInternalApiKey
+    ? assistantApiKeyRaw?.trim() || undefined
+    : undefined;
+  const authToken = platformInternalApiKey || assistantApiKey;
+  const authScheme = platformInternalApiKey ? "Bearer" : "Api-Key";
+
+  const assistantId =
+    process.env.PLATFORM_ASSISTANT_ID?.trim() ||
+    assistantIdRaw?.trim() ||
+    undefined;
+
+  if (!platformBaseUrl || !authToken || !assistantId) {
+    log.debug(
+      {
+        hasPlatformBaseUrl: !!platformBaseUrl,
+        hasApiKey: !!authToken,
+        hasAssistantId: !!assistantId,
+      },
+      "Email callback route registration unavailable — missing credentials",
+    );
+    return undefined;
+  }
+
+  // Self-hosted assistants send their public ingress URL so the platform
+  // registers a callback pointing directly at the gateway rather than
+  // routing through the platform proxy (matching Telegram's two-tier
+  // pattern in telegram/webhook-manager.ts).
+  const ingressUrl = caches?.configFile
+    ?.getString("ingress", "publicBaseUrl")
+    ?.trim()
+    .replace(/\/+$/, "");
+
+  const requestBody: Record<string, string> = {
+    assistant_id: assistantId,
+    callback_path: EMAIL_CALLBACK_PATH,
+    type: EMAIL_CALLBACK_TYPE,
+  };
+  if (ingressUrl) {
+    requestBody.callback_base_url = ingressUrl;
+  }
+
+  const response = await fetchImpl(
+    `${platformBaseUrl}/v1/internal/gateway/callback-routes/register/`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `${authScheme} ${authToken}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(requestBody),
+      signal: AbortSignal.timeout(10_000),
+    },
+  );
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => "");
+    throw new Error(
+      detail
+        ? `Email callback route registration failed (HTTP ${response.status}): ${detail}`
+        : `Email callback route registration failed (HTTP ${response.status})`,
+    );
+  }
+
+  const data = (await response.json()) as PlatformCallbackRouteResponse;
+  const callbackUrl = data.callback_url?.trim();
+  if (!callbackUrl) {
+    throw new Error(
+      "Email callback route registration response did not include callback_url",
+    );
+  }
+
+  log.info({ callbackUrl }, "Email callback route registered with platform");
+  return callbackUrl;
+}

package/src/feature-flag-registry.json

@@ -178,11 +178,11 @@
       "defaultEnabled": false
     },
     {
-      "id": "settings-integrations-grid",
+      "id": "multi-platform-assistant",
       "scope": "assistant",
-      "key": "settings-integrations-grid",
-      "label": "Integrations Grid",
-      "description": "Show the Integrations grid in Models & Services settings, replacing individual OAuth provider cards",
+      "key": "multi-platform-assistant",
+      "label": "Multi-Platform Assistant Switcher",
+      "description": "Enable the menu-bar assistant switcher for managing multiple platform-hosted assistants (new/switch/retire)",
       "defaultEnabled": false
     },
     {
@@ -288,7 +288,46 @@
       "label": "Permission Controls V2",
       "description": "Replace risk-level permission system with two independent controls: 'Ask before acting' (LLM behavior toggle) and 'Host access' (system-enforced gate)",
       "defaultEnabled": false
+    },
+    {
+      "id": "apple-container",
+      "scope": "macos",
+      "key": "apple-container",
+      "label": "Apple Container",
+      "description": "Enable assistant sandboxing via Apple Containers on macOS 26+, providing a lightweight native sandbox without third-party dependencies",
+      "defaultEnabled": false
+    },
+    {
+      "id": "tool-result-truncation",
+      "scope": "assistant",
+      "key": "tool-result-truncation",
+      "label": "Post-Turn Tool Result Truncation",
+      "description": "Truncate large tool results after each assistant turn, persisting full content to disk for on-demand re-reads",
+      "defaultEnabled": false
+    },
+    {
+      "id": "managed-gemini-embeddings-enabled",
+      "scope": "assistant",
+      "key": "managed-gemini-embeddings-enabled",
+      "label": "Managed Gemini Embeddings Enabled",
+      "description": "Route embedding requests through the platform runtime proxy using Vellum-managed Gemini credentials when available",
+      "defaultEnabled": false
+    },
+    {
+      "id": "fork-from-message",
+      "scope": "macos",
+      "key": "fork-from-message",
+      "label": "Fork from Message",
+      "description": "Show the 'Fork from here' option in message overflow menus",
+      "defaultEnabled": false
+    },
+    {
+      "id": "fork-from-message",
+      "scope": "macos",
+      "key": "fork-from-message",
+      "label": "Fork from Message",
+      "description": "Show the Fork from here option in message overflow menus",
+      "defaultEnabled": false
     }
   ]
 }
-