vellum 0.2.0 → 0.2.1

package/src/runtime/http-server.ts

@@ -10,6 +10,8 @@ import { resolve } from 'node:path';
 import { timingSafeEqual } from 'node:crypto';
 import { ConfigError, IngressBlockedError } from '../util/errors.js';
 import { getLogger } from '../util/logger.js';
+import { getSecureKey } from '../security/secure-keys.js';
+import { TwilioConversationRelayProvider } from '../calls/twilio-provider.js';
 import type { RunOrchestrator } from './run-orchestrator.js';
 
 // Route handlers — grouped by domain
@@ -45,6 +47,14 @@ import {
   handleDeleteSharedApp,
 } from './routes/app-routes.js';
 import { handleAddSecret } from './routes/secret-routes.js';
+import {
+  handleVoiceWebhook,
+  handleStatusCallback,
+  handleConnectAction,
+  handleCallAnswer,
+} from '../calls/twilio-routes.js';
+import { RelayConnection, activeRelayConnections } from '../calls/relay-server.js';
+import type { RelayWebSocketData } from '../calls/relay-server.js';
 
 // Re-export shared types so existing consumers don't need to update imports
 export type {
@@ -95,6 +105,82 @@ function getDiskSpaceInfo(): DiskSpaceInfo | null {
   }
 }
 
+/**
+ * Regex to extract the Twilio webhook subpath from both top-level and
+ * assistant-scoped route shapes:
+ *   /v1/calls/twilio/<subpath>
+ *   /v1/assistants/<id>/calls/twilio/<subpath>
+ */
+const TWILIO_WEBHOOK_RE = /^\/v1\/(?:assistants\/[^/]+\/)?calls\/twilio\/(.+)$/;
+
+/**
+ * Validate a Twilio webhook request's X-Twilio-Signature header.
+ *
+ * Returns the raw body text on success so callers can reconstruct the Request
+ * for downstream handlers (which also need to read the body).
+ * Returns a 403 Response if signature validation fails.
+ * If the Twilio auth token is not configured, skips validation with a warning.
+ */
+async function validateTwilioWebhook(
+  req: Request,
+): Promise<{ body: string } | Response> {
+  const rawBody = await req.text();
+  const authToken = getSecureKey('twilio_auth_token');
+
+  if (!authToken) {
+    log.warn('Twilio auth token not configured — skipping webhook signature validation');
+    return { body: rawBody };
+  }
+
+  const signature = req.headers.get('x-twilio-signature');
+  if (!signature) {
+    log.warn('Twilio webhook request missing X-Twilio-Signature header');
+    return Response.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  // Parse form-urlencoded body into key-value params for signature computation
+  const params: Record<string, string> = {};
+  const formData = new URLSearchParams(rawBody);
+  for (const [key, value] of formData.entries()) {
+    params[key] = value;
+  }
+
+  // Reconstruct the public-facing URL that Twilio signed against.
+  // Behind proxies/gateways, req.url is the local server URL (e.g.
+  // http://127.0.0.1:7821/...) which differs from the public URL Twilio
+  // used to compute the HMAC-SHA1 signature.
+  const publicBaseUrl = process.env.TWILIO_WEBHOOK_BASE_URL;
+  const parsedUrl = new URL(req.url);
+  const publicUrl = publicBaseUrl
+    ? publicBaseUrl.replace(/\/$/, '') + parsedUrl.pathname + parsedUrl.search
+    : req.url;
+
+  const isValid = TwilioConversationRelayProvider.verifyWebhookSignature(
+    publicUrl,
+    params,
+    signature,
+  );
+
+  if (!isValid) {
+    log.warn('Twilio webhook signature validation failed');
+    return Response.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  return { body: rawBody };
+}
+
+/**
+ * Re-create a Request with the same method, headers, and URL but with a
+ * pre-read body string so downstream handlers can call req.text() again.
+ */
+function cloneRequestWithBody(original: Request, body: string): Request {
+  return new Request(original.url, {
+    method: original.method,
+    headers: original.headers,
+    body,
+  });
+}
+
 export class RuntimeHttpServer {
   private server: ReturnType<typeof Bun.serve> | null = null;
   private port: number;
@@ -120,11 +206,37 @@ export class RuntimeHttpServer {
   }
 
   async start(): Promise<void> {
-    this.server = Bun.serve({
+    this.server = Bun.serve<RelayWebSocketData>({
       port: this.port,
       hostname: this.hostname,
       maxRequestBodySize: MAX_REQUEST_BODY_BYTES,
-      fetch: (req) => this.handleRequest(req),
+      fetch: (req, server) => this.handleRequest(req, server),
+      websocket: {
+        open(ws) {
+          const callSessionId = ws.data?.callSessionId;
+          log.info({ callSessionId }, 'ConversationRelay WebSocket opened');
+          if (callSessionId) {
+            const connection = new RelayConnection(ws, callSessionId);
+            activeRelayConnections.set(callSessionId, connection);
+          }
+        },
+        message(ws, message) {
+          const callSessionId = ws.data?.callSessionId;
+          if (callSessionId) {
+            const connection = activeRelayConnections.get(callSessionId);
+            connection?.handleMessage(typeof message === 'string' ? message : new TextDecoder().decode(message));
+          }
+        },
+        close(ws, code, reason) {
+          const callSessionId = ws.data?.callSessionId;
+          log.info({ callSessionId, code, reason: reason?.toString() }, 'ConversationRelay WebSocket closed');
+          if (callSessionId) {
+            const connection = activeRelayConnections.get(callSessionId);
+            connection?.destroy();
+            activeRelayConnections.delete(callSessionId);
+          }
+        },
+      },
     });
 
     // Sweep failed channel inbound events for retry every 30 seconds
@@ -162,7 +274,7 @@ export class RuntimeHttpServer {
     return timingSafeEqual(a, b);
   }
 
-  private async handleRequest(req: Request): Promise<Response> {
+  private async handleRequest(req: Request, server: ReturnType<typeof Bun.serve>): Promise<Response> {
     const url = new URL(req.url);
     const path = url.pathname;
 
@@ -171,6 +283,49 @@ export class RuntimeHttpServer {
       return this.handleHealth();
     }
 
+    // WebSocket upgrade for ConversationRelay — before auth check because
+    // Twilio WebSocket connections don't use bearer tokens.
+    if (path.startsWith('/v1/calls/relay') && req.headers.get('upgrade')?.toLowerCase() === 'websocket') {
+      const wsUrl = new URL(req.url);
+      const callSessionId = wsUrl.searchParams.get('callSessionId');
+      if (!callSessionId) {
+        return new Response('Missing callSessionId', { status: 400 });
+      }
+      const upgraded = server.upgrade(req, { data: { callSessionId } });
+      if (!upgraded) {
+        return new Response('WebSocket upgrade failed', { status: 500 });
+      }
+      // Bun handles the response after a successful upgrade.
+      // The RelayConnection is created in the websocket.open handler.
+      return undefined as unknown as Response;
+    }
+
+    // ── Twilio webhook endpoints — before auth check because Twilio
+    //    webhook POSTs don't include bearer tokens.
+    //    Supports both /v1/calls/twilio/* and /v1/assistants/:id/calls/twilio/*
+    //    Validates X-Twilio-Signature to prevent unauthorized access. ──
+    const twilioMatch = path.match(TWILIO_WEBHOOK_RE);
+    if (twilioMatch && req.method === 'POST') {
+      const twilioSubpath = twilioMatch[1];
+
+      // Validate Twilio request signature before dispatching
+      const validation = await validateTwilioWebhook(req);
+      if (validation instanceof Response) return validation;
+
+      // Reconstruct request so handlers can read the body
+      const validatedReq = cloneRequestWithBody(req, validation.body);
+
+      if (twilioSubpath === 'voice-webhook') {
+        return await handleVoiceWebhook(validatedReq);
+      }
+      if (twilioSubpath === 'status') {
+        return await handleStatusCallback(validatedReq);
+      }
+      if (twilioSubpath === 'connect-action') {
+        return await handleConnectAction(validatedReq);
+      }
+    }
+
     // Require bearer token when configured
     if ((process.env.DISABLE_HTTP_AUTH ?? "").toLowerCase() !== "true" && this.bearerToken) {
       const authHeader = req.headers.get('authorization');
@@ -180,6 +335,17 @@ export class RuntimeHttpServer {
       }
     }
 
+    // ── Call answer endpoint — behind auth gate ──────────────────────
+    const callAnswerMatch = path.match(/^\/v1\/calls\/([^/]+)\/answer$/);
+    if (callAnswerMatch && req.method === 'POST') {
+      try {
+        return await handleCallAnswer(req, callAnswerMatch[1]);
+      } catch (err) {
+        log.error({ err, callSessionId: callAnswerMatch[1] }, 'Runtime HTTP handler error answering call');
+        return Response.json({ error: 'Internal server error' }, { status: 500 });
+      }
+    }
+
     // Serve shareable app pages
     const pagesMatch = path.match(/^\/pages\/([^/]+)$/);
     if (pagesMatch && req.method === 'GET') {
@@ -247,7 +413,7 @@ export class RuntimeHttpServer {
     // Paths already handled above (/v1/apps/..., /v1/secrets) will never reach here.
     const newRouteMatch = path.match(/^\/v1\/(?!assistants\/)(.+)$/);
     if (newRouteMatch) {
-      return this.dispatchEndpoint('local-assistant', newRouteMatch[1], req, url);
+      return this.dispatchEndpoint(newRouteMatch[1], req, url);
     }
 
     // Legacy: /v1/assistants/:assistantId/<endpoint>
@@ -259,7 +425,7 @@ export class RuntimeHttpServer {
     const assistantId = match[1];
     const endpoint = match[2];
     log.warn({ endpoint, assistantId }, '[deprecated] /v1/assistants/:assistantId/... route used; migrate to /v1/...');
-    return this.dispatchEndpoint(assistantId, endpoint, req, url);
+    return this.dispatchEndpoint(endpoint, req, url);
   }
 
   /**
@@ -268,7 +434,6 @@ export class RuntimeHttpServer {
    * legacy assistant-scoped routes (/v1/assistants/:assistantId/<endpoint>).
    */
   private async dispatchEndpoint(
-    assistantId: string,
     endpoint: string,
     req: Request,
     url: URL,
@@ -279,32 +444,32 @@ export class RuntimeHttpServer {
       }
 
       if (endpoint === 'messages' && req.method === 'GET') {
-        return handleListMessages(assistantId, url, this.interfacesDir);
+        return handleListMessages(url, this.interfacesDir);
       }
 
       if (endpoint === 'messages' && req.method === 'POST') {
-        return await handleSendMessage(assistantId, req, {
+        return await handleSendMessage(req, {
           processMessage: this.processMessage,
           persistAndProcessMessage: this.persistAndProcessMessage,
         });
       }
 
       if (endpoint === 'attachments' && req.method === 'POST') {
-        return await handleUploadAttachment(assistantId, req);
+        return await handleUploadAttachment(req);
       }
 
       if (endpoint === 'attachments' && req.method === 'DELETE') {
-        return await handleDeleteAttachment(assistantId, req);
+        return await handleDeleteAttachment(req);
       }
 
       // Match attachments/:attachmentId
       const attachmentMatch = endpoint.match(/^attachments\/([^/]+)$/);
       if (attachmentMatch && req.method === 'GET') {
-        return handleGetAttachment(assistantId, attachmentMatch[1]);
+        return handleGetAttachment(attachmentMatch[1]);
       }
 
       if (endpoint === 'suggestion' && req.method === 'GET') {
-        return await handleGetSuggestion(assistantId, url, {
+        return await handleGetSuggestion(url, {
           suggestionCache: this.suggestionCache,
           suggestionInFlight: this.suggestionInFlight,
         });
@@ -314,7 +479,7 @@ export class RuntimeHttpServer {
         if (!this.runOrchestrator) {
           return Response.json({ error: 'Run orchestration not configured' }, { status: 503 });
         }
-        return await handleCreateRun(assistantId, req, this.runOrchestrator);
+        return await handleCreateRun(req, this.runOrchestrator);
       }
 
       // Match runs/:runId, runs/:runId/decision, runs/:runId/trust-rule
@@ -325,17 +490,17 @@ export class RuntimeHttpServer {
         }
         const runId = runsMatch[1];
         if (runsMatch[2] === '/decision' && req.method === 'POST') {
-          return await handleRunDecision(assistantId, runId, req, this.runOrchestrator);
+          return await handleRunDecision(runId, req, this.runOrchestrator);
         }
         if (runsMatch[2] === '/trust-rule' && req.method === 'POST') {
           const run = this.runOrchestrator.getRun(runId);
-          if (!run || run.assistantId !== assistantId) {
+          if (!run) {
             return Response.json({ error: 'Run not found' }, { status: 404 });
           }
           return await handleAddTrustRule(runId, req);
         }
         if (req.method === 'GET') {
-          return handleGetRun(assistantId, runId, this.runOrchestrator);
+          return handleGetRun(runId, this.runOrchestrator);
         }
       }
 
@@ -345,36 +510,36 @@ export class RuntimeHttpServer {
       }
 
       if (endpoint === 'channels/conversation' && req.method === 'DELETE') {
-        return await handleDeleteConversation(assistantId, req);
+        return await handleDeleteConversation(req);
       }
 
       if (endpoint === 'channels/inbound' && req.method === 'POST') {
-        return await handleChannelInbound(assistantId, req, this.processMessage);
+        return await handleChannelInbound(req, this.processMessage);
       }
 
       if (endpoint === 'channels/delivery-ack' && req.method === 'POST') {
-        return await handleChannelDeliveryAck(assistantId, req);
+        return await handleChannelDeliveryAck(req);
       }
 
       if (endpoint === 'channels/dead-letters' && req.method === 'GET') {
-        return handleListDeadLetters(assistantId);
+        return handleListDeadLetters();
       }
 
       if (endpoint === 'channels/replay' && req.method === 'POST') {
-        return await handleReplayDeadLetters(assistantId, req);
+        return await handleReplayDeadLetters(req);
       }
 
       return Response.json({ error: 'Not found', source: 'runtime' }, { status: 404 });
     } catch (err) {
       if (err instanceof IngressBlockedError) {
-        log.warn({ endpoint, assistantId, detectedTypes: err.detectedTypes }, 'Blocked HTTP request containing secrets');
+        log.warn({ endpoint, detectedTypes: err.detectedTypes }, 'Blocked HTTP request containing secrets');
         return Response.json({ error: err.message, code: err.code }, { status: 422 });
       }
       if (err instanceof ConfigError) {
-        log.warn({ err, endpoint, assistantId }, 'Runtime HTTP config error');
+        log.warn({ err, endpoint }, 'Runtime HTTP config error');
         return Response.json({ error: err.message, code: err.code }, { status: 422 });
       }
-      log.error({ err, endpoint, assistantId }, 'Runtime HTTP handler error');
+      log.error({ err, endpoint }, 'Runtime HTTP handler error');
       const message = err instanceof Error ? err.message : 'Internal server error';
       return Response.json({ error: message }, { status: 500 });
     }
@@ -428,7 +593,6 @@ export class RuntimeHttpServer {
 
       try {
         const { messageId: userMessageId } = await this.processMessage(
-          event.assistantId,
           event.conversationId,
           content,
           attachmentIds,

package/src/runtime/http-types.ts

@@ -12,7 +12,6 @@ export interface RuntimeMessageSessionOptions {
 }
 
 export type MessageProcessor = (
-  assistantId: string,
   conversationId: string,
   content: string,
   attachmentIds?: string[],
@@ -26,7 +25,6 @@ export type MessageProcessor = (
  * immediately.
  */
 export type NonBlockingMessageProcessor = (
-  assistantId: string,
   conversationId: string,
   content: string,
   attachmentIds?: string[],

package/src/runtime/routes/attachment-routes.ts

@@ -7,7 +7,7 @@ import { validateAttachmentUpload, AttachmentUploadError } from '../../memory/at
 /** 30 MB — base64-encoded 20 MB attachment ≈ 27 MB plus JSON wrapper overhead. */
 const MAX_UPLOAD_BODY_BYTES = 30 * 1024 * 1024;
 
-export async function handleUploadAttachment(assistantId: string, req: Request): Promise<Response> {
+export async function handleUploadAttachment(req: Request): Promise<Response> {
   const rawBody = await req.arrayBuffer();
   if (rawBody.byteLength > MAX_UPLOAD_BODY_BYTES) {
     return Response.json(
@@ -56,7 +56,7 @@ export async function handleUploadAttachment(assistantId: string, req: Request):
   let attachment: attachmentsStore.StoredAttachment;
   try {
     attachment = attachmentsStore.uploadAttachment(
-      assistantId,
+      "self",
       filename,
       mimeType,
       data,
@@ -78,7 +78,7 @@ export async function handleUploadAttachment(assistantId: string, req: Request):
   });
 }
 
-export async function handleDeleteAttachment(assistantId: string, req: Request): Promise<Response> {
+export async function handleDeleteAttachment(req: Request): Promise<Response> {
   let body: { attachmentId?: string };
   try {
     body = await req.json() as { attachmentId?: string };
@@ -98,7 +98,7 @@ export async function handleDeleteAttachment(assistantId: string, req: Request):
     );
   }
 
-  const result = attachmentsStore.deleteAttachment(assistantId, attachmentId);
+  const result = attachmentsStore.deleteAttachment("self", attachmentId);
 
   if (result === 'not_found') {
     return Response.json(
@@ -117,8 +117,8 @@ export async function handleDeleteAttachment(assistantId: string, req: Request):
   return new Response(null, { status: 204 });
 }
 
-export function handleGetAttachment(assistantId: string, attachmentId: string): Response {
-  const attachment = attachmentsStore.getAttachmentById(assistantId, attachmentId);
+export function handleGetAttachment(attachmentId: string): Response {
+  const attachment = attachmentsStore.getAttachmentById("self", attachmentId);
   if (!attachment) {
     return Response.json({ error: 'Attachment not found' }, { status: 404 });
   }

package/src/runtime/routes/channel-routes.ts

@@ -18,7 +18,7 @@ import type {
 
 const log = getLogger('runtime-http');
 
-export async function handleDeleteConversation(assistantId: string, req: Request): Promise<Response> {
+export async function handleDeleteConversation(req: Request): Promise<Response> {
   const body = await req.json() as {
     sourceChannel?: string;
     externalChatId?: string;
@@ -34,13 +34,12 @@ export async function handleDeleteConversation(assistantId: string, req: Request
   }
 
   const conversationKey = `${sourceChannel}:${externalChatId}`;
-  deleteConversationKey(assistantId, conversationKey);
+  deleteConversationKey("self", conversationKey);
 
   return Response.json({ ok: true });
 }
 
 export async function handleChannelInbound(
-  assistantId: string,
   req: Request,
   processMessage?: MessageProcessor,
 ): Promise<Response> {
@@ -90,7 +89,7 @@ export async function handleChannelInbound(
   }
 
   if (hasAttachments) {
-    const resolved = attachmentsStore.getAttachmentsByIds(assistantId, attachmentIds);
+    const resolved = attachmentsStore.getAttachmentsByIds("self", attachmentIds);
     if (resolved.length !== attachmentIds.length) {
       const resolvedIds = new Set(resolved.map((a) => a.id));
       const missing = attachmentIds.filter((id) => !resolvedIds.has(id));
@@ -113,7 +112,7 @@ export async function handleChannelInbound(
   if (isEdit && sourceMessageId) {
     // Dedup the edit event itself (retried edited_message webhooks)
     const editResult = channelDeliveryStore.recordInbound(
-      assistantId,
+      "self",
       sourceChannel,
       externalChatId,
       externalMessageId,
@@ -137,7 +136,7 @@ export async function handleChannelInbound(
     let original: { messageId: string; conversationId: string } | null = null;
     for (let attempt = 0; attempt <= EDIT_LOOKUP_RETRIES; attempt++) {
       original = channelDeliveryStore.findMessageBySourceId(
-        assistantId,
+        "self",
         sourceChannel,
         externalChatId,
         sourceMessageId,
@@ -145,7 +144,7 @@ export async function handleChannelInbound(
       if (original) break;
       if (attempt < EDIT_LOOKUP_RETRIES) {
         log.info(
-          { assistantId, sourceMessageId, attempt: attempt + 1, maxAttempts: EDIT_LOOKUP_RETRIES },
+          { assistantId: "self", sourceMessageId, attempt: attempt + 1, maxAttempts: EDIT_LOOKUP_RETRIES },
           'Original message not linked yet, retrying edit lookup',
         );
         await new Promise((resolve) => setTimeout(resolve, EDIT_LOOKUP_DELAY_MS));
@@ -155,12 +154,12 @@ export async function handleChannelInbound(
     if (original) {
       conversationStore.updateMessageContent(original.messageId, content ?? '');
       log.info(
-        { assistantId, sourceMessageId, messageId: original.messageId },
+        { assistantId: "self", sourceMessageId, messageId: original.messageId },
         'Updated message content from edited_message',
       );
     } else {
       log.warn(
-        { assistantId, sourceChannel, externalChatId, sourceMessageId },
+        { assistantId: "self", sourceChannel, externalChatId, sourceMessageId },
         'Could not find original message for edit after retries, ignoring',
       );
     }
@@ -174,7 +173,7 @@ export async function handleChannelInbound(
 
   // ── New message path ──
   const result = channelDeliveryStore.recordInbound(
-    assistantId,
+    "self",
     sourceChannel,
     externalChatId,
     externalMessageId,
@@ -221,7 +220,6 @@ export async function handleChannelInbound(
       }
 
       const { messageId: userMessageId } = await processMessage(
-        assistantId,
         result.conversationId,
         content ?? '',
         hasAttachments ? attachmentIds : undefined,
@@ -259,7 +257,7 @@ export async function handleChannelInbound(
         try { parsed = JSON.parse(msgs[i].content); } catch { parsed = msgs[i].content; }
         const rendered = renderHistoryContent(parsed);
 
-        const linked = attachmentsStore.getAttachmentMetadataForMessage(msgs[i].id, assistantId);
+        const linked = attachmentsStore.getAttachmentMetadataForMessage(msgs[i].id, "self");
         const replyAttachments: RuntimeAttachmentMetadata[] = linked.map((a) => ({
           id: a.id,
           filename: a.originalFilename,
@@ -291,12 +289,12 @@ export async function handleChannelInbound(
   });
 }
 
-export function handleListDeadLetters(assistantId: string): Response {
-  const events = channelDeliveryStore.getDeadLetterEvents(assistantId);
+export function handleListDeadLetters(): Response {
+  const events = channelDeliveryStore.getDeadLetterEvents("self");
   return Response.json({ events });
 }
 
-export async function handleReplayDeadLetters(assistantId: string, req: Request): Promise<Response> {
+export async function handleReplayDeadLetters(req: Request): Promise<Response> {
   const body = await req.json() as { eventIds?: string[] };
   const eventIds = body.eventIds;
 
@@ -304,11 +302,11 @@ export async function handleReplayDeadLetters(assistantId: string, req: Request)
     return Response.json({ error: 'eventIds array is required' }, { status: 400 });
   }
 
-  const replayed = channelDeliveryStore.replayDeadLetters(assistantId, eventIds);
+  const replayed = channelDeliveryStore.replayDeadLetters("self", eventIds);
   return Response.json({ replayed });
 }
 
-export async function handleChannelDeliveryAck(assistantId: string, req: Request): Promise<Response> {
+export async function handleChannelDeliveryAck(req: Request): Promise<Response> {
   const body = await req.json() as {
     sourceChannel?: string;
     externalChatId?: string;
@@ -328,7 +326,7 @@ export async function handleChannelDeliveryAck(assistantId: string, req: Request
   }
 
   const acked = channelDeliveryStore.acknowledgeDelivery(
-    assistantId,
+    "self",
     sourceChannel,
     externalChatId,
     externalMessageId,

package/src/runtime/routes/conversation-routes.ts

@@ -43,7 +43,6 @@ function getInterfaceFilesWithMtimes(interfacesDir: string | null): Array<{ path
 }
 
 export function handleListMessages(
-  assistantId: string,
   url: URL,
   interfacesDir: string | null,
 ): Response {
@@ -55,7 +54,7 @@ export function handleListMessages(
     );
   }
 
-  const mapping = getConversationByKey(assistantId, conversationKey);
+  const mapping = getConversationByKey("self", conversationKey);
   if (!mapping) {
     return Response.json({ messages: [] });
   }
@@ -90,7 +89,7 @@ export function handleListMessages(
   const messages: RuntimeMessagePayload[] = merged.map((m) => {
     let msgAttachments: RuntimeAttachmentMetadata[] = [];
     if (m.role === 'assistant' && m.id) {
-      const linked = attachmentsStore.getAttachmentMetadataForMessage(m.id, assistantId);
+      const linked = attachmentsStore.getAttachmentMetadataForMessage(m.id, "self");
       if (linked.length > 0) {
         msgAttachments = linked.map((a) => ({
           id: a.id,
@@ -129,7 +128,6 @@ export function handleListMessages(
 }
 
 export async function handleSendMessage(
-  assistantId: string,
   req: Request,
   deps: {
     processMessage?: MessageProcessor;
@@ -172,7 +170,7 @@ export async function handleSendMessage(
 
   // Validate that all attachment IDs resolve
   if (hasAttachments) {
-    const resolved = attachmentsStore.getAttachmentsByIds(assistantId, attachmentIds);
+    const resolved = attachmentsStore.getAttachmentsByIds("self", attachmentIds);
     if (resolved.length !== attachmentIds.length) {
       const resolvedIds = new Set(resolved.map((a) => a.id));
       const missing = attachmentIds.filter((id) => !resolvedIds.has(id));
@@ -183,7 +181,7 @@ export async function handleSendMessage(
     }
   }
 
-  const mapping = getOrCreateConversation(assistantId, conversationKey);
+  const mapping = getOrCreateConversation("self", conversationKey);
 
   const processor = deps.persistAndProcessMessage ?? deps.processMessage;
   if (!processor) {
@@ -192,7 +190,6 @@ export async function handleSendMessage(
 
   try {
     const result = await processor(
-      assistantId,
       mapping.conversationId,
       content ?? '',
       hasAttachments ? attachmentIds : undefined,
@@ -236,7 +233,6 @@ async function generateLlmSuggestion(provider: Provider, assistantText: string):
 }
 
 export async function handleGetSuggestion(
-  assistantId: string,
   url: URL,
   deps: {
     suggestionCache: Map<string, string>;
@@ -251,7 +247,7 @@ export async function handleGetSuggestion(
     );
   }
 
-  const mapping = getConversationByKey(assistantId, conversationKey);
+  const mapping = getConversationByKey("self", conversationKey);
   if (!mapping) {
     return Response.json({ suggestion: null, messageId: null, source: 'none' as const });
   }