@rubytech/taskmaster 1.10.0 → 1.11.1

package/dist/control-ui/index.html

@@ -6,8 +6,8 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-CTFFQkyj.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-n_TWBBTg.css">
+    <script type="module" crossorigin src="./assets/index-YAjVyXqJ.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-CpaEIgQy.css">
   </head>
   <body>
     <taskmaster-app></taskmaster-app>

package/dist/cron/preloaded.js

@@ -0,0 +1,92 @@
+import fs from "node:fs";
+import path from "node:path";
+import { DEFAULT_CRON_DIR } from "./store.js";
+export const DEFAULT_SEED_TRACKER_PATH = path.join(DEFAULT_CRON_DIR, "seeded.json");
+export async function loadSeedTracker(trackerPath) {
+    try {
+        const raw = await fs.promises.readFile(trackerPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        return {
+            version: 1,
+            seeded: Array.isArray(parsed?.seeded) ? parsed.seeded : [],
+        };
+    }
+    catch {
+        return { version: 1, seeded: [] };
+    }
+}
+export async function saveSeedTracker(trackerPath, tracker) {
+    await fs.promises.mkdir(path.dirname(trackerPath), { recursive: true });
+    const json = JSON.stringify(tracker, null, 2);
+    await fs.promises.writeFile(trackerPath, json, "utf-8");
+}
+export function isTemplateSeeded(tracker, templateId) {
+    return tracker.seeded.some((e) => e.templateId === templateId);
+}
+export function markTemplateSeeded(tracker, templateId, jobId) {
+    tracker.seeded.push({ templateId, jobId, seededAtMs: Date.now() });
+}
+// ---------------------------------------------------------------------------
+// Template loader — scan bundled skills for cron-template.json files
+// ---------------------------------------------------------------------------
+/**
+ * Scan the bundled skills directory for cron-template.json files.
+ * Returns validated templates. Skips files that can't be parsed or lack a templateId.
+ */
+export function loadCronTemplatesFromBundledSkills(bundledSkillsDir) {
+    const templates = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(bundledSkillsDir, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+    for (const entry of entries) {
+        if (!entry.isDirectory())
+            continue;
+        const templatePath = path.join(bundledSkillsDir, entry.name, "cron-template.json");
+        try {
+            const raw = fs.readFileSync(templatePath, "utf-8");
+            const parsed = JSON.parse(raw);
+            if (typeof parsed.templateId === "string" && parsed.templateId.trim()) {
+                templates.push(parsed);
+            }
+        }
+        catch {
+            // No template or invalid JSON — skip silently.
+        }
+    }
+    return templates;
+}
+// ---------------------------------------------------------------------------
+// Seeding function — create cron jobs from un-seeded templates
+// ---------------------------------------------------------------------------
+export async function seedPreloadedCronJobs(params) {
+    const { bundledSkillsDir, trackerPath, cronService, defaultAccountId } = params;
+    const templates = loadCronTemplatesFromBundledSkills(bundledSkillsDir);
+    if (templates.length === 0)
+        return 0;
+    const tracker = await loadSeedTracker(trackerPath);
+    let seeded = 0;
+    for (const template of templates) {
+        if (isTemplateSeeded(tracker, template.templateId))
+            continue;
+        const job = await cronService.add({
+            name: template.name,
+            description: template.description,
+            enabled: template.enabled,
+            agentId: template.agentId,
+            accountId: defaultAccountId,
+            schedule: template.schedule,
+            sessionTarget: template.sessionTarget,
+            wakeMode: template.wakeMode,
+            payload: template.payload,
+            isolation: template.isolation,
+        });
+        markTemplateSeeded(tracker, template.templateId, job.id);
+        await saveSeedTracker(trackerPath, tracker);
+        seeded++;
+    }
+    return seeded;
+}

package/dist/gateway/public-chat/deliver-email.js

@@ -1,39 +1,91 @@
 /**
- * Lightweight Resend email sender — single HTTP POST, no SDK dependency.
+ * Lightweight Brevo email sender — single HTTP POST, no SDK dependency.
+ *
+ * The "from" address is auto-detected from Brevo's senders API when not
+ * explicitly set in config. Users only need to provide an API key.
  */
 import { loadConfig } from "../../config/config.js";
 /**
- * Read email credentials from `publicChat.email` in config.
- * Returns null if any required field is missing.
+ * Sync check: is a Brevo API key configured?
+ * Used by detectOtpChannels() for capability reporting — does not resolve the
+ * "from" address, just confirms the key exists.
  */
-export function resolveEmailCredentials() {
+export function hasEmailApiKey() {
+    const cfg = loadConfig();
+    return !!cfg.publicChat?.email?.apiKey;
+}
+/** Cached verified sender — avoids hitting the API on every email. */
+let cachedSender = null;
+/**
+ * Query Brevo for the first active sender address.
+ * Returns the sender email or null if none exist.
+ */
+async function fetchVerifiedSender(apiKey) {
+    try {
+        const res = await fetch("https://api.brevo.com/v3/senders", {
+            headers: {
+                "api-key": apiKey,
+                Accept: "application/json",
+            },
+        });
+        if (!res.ok)
+            return null;
+        const json = (await res.json());
+        const active = json.senders?.find((s) => s.active && s.email);
+        return active?.email ?? json.senders?.[0]?.email ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Resolve email credentials from config.
+ *
+ * Only `publicChat.email.apiKey` is required. The "from" address is resolved
+ * in order: explicit config value → cached sender → live Brevo API lookup.
+ * Returns null if no API key is configured.
+ */
+export async function resolveEmailCredentials() {
     const cfg = loadConfig();
     const email = cfg.publicChat?.email;
-    if (!email?.apiKey || !email.from)
+    if (!email?.apiKey)
+        return null;
+    // Explicit from address in config — use it directly
+    if (email.from)
+        return { apiKey: email.apiKey, from: email.from };
+    // Cached sender for this API key
+    if (cachedSender && cachedSender.apiKey === email.apiKey) {
+        return { apiKey: email.apiKey, from: cachedSender.from };
+    }
+    // Auto-detect from Brevo senders API
+    const sender = await fetchVerifiedSender(email.apiKey);
+    if (!sender)
         return null;
-    return { apiKey: email.apiKey, from: email.from };
+    cachedSender = { apiKey: email.apiKey, from: sender };
+    return { apiKey: email.apiKey, from: sender };
 }
 /**
- * Send an email via the Resend REST API.
+ * Send an email via the Brevo transactional email API.
  */
 export async function sendEmail(to, subject, body, creds) {
-    const res = await fetch("https://api.resend.com/emails", {
+    const res = await fetch("https://api.brevo.com/v3/smtp/email", {
         method: "POST",
         headers: {
-            Authorization: `Bearer ${creds.apiKey}`,
+            "api-key": creds.apiKey,
             "Content-Type": "application/json",
+            Accept: "application/json",
         },
         body: JSON.stringify({
-            from: creds.from,
-            to: [to],
+            sender: { email: creds.from },
+            to: [{ email: to }],
             subject,
-            text: body,
+            textContent: body,
         }),
     });
     if (!res.ok) {
         const text = await res.text().catch(() => "");
-        throw new Error(`Resend email failed (${res.status}): ${text}`);
+        throw new Error(`Brevo email failed (${res.status}): ${text}`);
     }
     const json = (await res.json());
-    return { id: json.id ?? "unknown" };
+    return { id: json.messageId ?? "unknown" };
 }

package/dist/gateway/public-chat/deliver-otp.js

@@ -1,10 +1,10 @@
 /**
- * Deliver OTP verification codes via WhatsApp (primary), SMS (fallback), or email (Resend).
+ * Deliver OTP verification codes via WhatsApp (primary), SMS (fallback), or email (Brevo).
  */
 import { getActiveWebListener } from "../../web/active-listener.js";
 import { sendMessageWhatsApp } from "../../web/outbound.js";
 import { resolveSmsCredentials, sendSms } from "./deliver-sms.js";
-import { resolveEmailCredentials, sendEmail } from "./deliver-email.js";
+import { hasEmailApiKey, resolveEmailCredentials, sendEmail } from "./deliver-email.js";
 /** Detect whether an identifier is an email address. */
 function isEmail(identifier) {
     return identifier.includes("@");
@@ -19,23 +19,23 @@ export function detectOtpChannels(whatsappAccountId) {
         channels.push("whatsapp");
     if (resolveSmsCredentials())
         channels.push("sms");
-    if (resolveEmailCredentials())
+    if (hasEmailApiKey())
         channels.push("email");
     return channels;
 }
 /**
  * Deliver a verification code to the given identifier.
  *
- * Email identifiers (containing @) are sent via Resend.
+ * Email identifiers (containing @) are sent via Brevo.
  * Phone identifiers use the existing WhatsApp -> SMS fallback chain.
  */
 export async function deliverOtp(identifier, code, accountId) {
     const message = `Your verification code is: ${code}`;
-    // Email identifiers — deliver via Resend only
+    // Email identifiers — deliver via Brevo only
     if (isEmail(identifier)) {
-        const emailCreds = resolveEmailCredentials();
+        const emailCreds = await resolveEmailCredentials();
         if (!emailCreds) {
-            throw new Error("Email verification is not configured. Set publicChat.email credentials.");
+            throw new Error("Email verification is not configured. Add a Brevo API key and verify a sender in the Brevo console.");
         }
         await sendEmail(identifier, "Your verification code", message, emailCreds);
         return { channel: "email" };

package/dist/gateway/public-chat-api.js

@@ -5,7 +5,7 @@
  *
  * Endpoints:
  *   POST /session        — create an anonymous session (returns sessionKey)
- *   POST /otp/request    — request an OTP code (phone via WhatsApp/SMS, or email via Resend)
+ *   POST /otp/request    — request an OTP code (phone via WhatsApp/SMS, or email via Brevo)
  *   POST /otp/verify     — verify OTP and get a verified session (returns sessionKey)
  *   POST /chat           — send a message, receive the agent reply (sync or SSE stream)
  *   GET  /chat/history   — retrieve past messages for a session
@@ -14,7 +14,7 @@
  *
  * Authentication mirrors the public chat widget: anonymous sessions use a
  * client-provided identity string; verified sessions use OTP sent via phone
- * (WhatsApp with SMS fallback) or email (Resend). The sessionKey returned
+ * (WhatsApp with SMS fallback) or email (Brevo). The sessionKey returned
  * from /session or /otp/verify is passed via the X-Session-Key header on
  * subsequent requests.
  *

package/dist/gateway/server-methods/apikeys.js

@@ -26,7 +26,7 @@ const PROVIDER_CATALOG = [
     { id: "hume", name: "Hume", category: "Voice" },
     { id: "brave", name: "Brave", category: "Web Search" },
     { id: "elevenlabs", name: "ElevenLabs", category: "Voice" },
-    { id: "resend", name: "Resend", category: "Email" },
+    { id: "brevo", name: "Brevo", category: "Email" },
 ];
 const VALID_PROVIDER_IDS = new Set(PROVIDER_CATALOG.map((p) => p.id));
 export const apikeysHandlers = {

package/dist/gateway/server-methods/public-chat.js

@@ -31,7 +31,7 @@ function validateAccountId(raw) {
 export const publicChatHandlers = {
     /**
      * Request an OTP code — sends a 6-digit code via WhatsApp/SMS (phone) or
-     * Resend (email).
+     * Brevo (email).
      * Params: { identifier: string } or { phone: string } (backward compat)
      */
     "public.otp.request": async ({ params, respond, context }) => {

package/dist/gateway/server-methods/qr.js

@@ -0,0 +1,19 @@
+import { ErrorCodes, errorShape } from "../protocol/index.js";
+import { renderQrPngBase64 } from "../../web/qr-image.js";
+export const qrHandlers = {
+    "qr.generate": async ({ params, respond, context }) => {
+        const url = typeof params.url === "string" ? params.url : "";
+        if (!url) {
+            respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "missing url param"));
+            return;
+        }
+        try {
+            const base64 = await renderQrPngBase64(url, { scale: 6, marginModules: 2 });
+            respond(true, { dataUrl: `data:image/png;base64,${base64}` });
+        }
+        catch (err) {
+            context.logGateway.warn(`qr.generate failed: ${err instanceof Error ? err.message : String(err)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to generate QR code"));
+        }
+    },
+};

package/dist/gateway/server-methods.js

@@ -33,6 +33,7 @@ import { voicewakeHandlers } from "./server-methods/voicewake.js";
 import { webHandlers } from "./server-methods/web.js";
 import { wizardHandlers } from "./server-methods/wizard.js";
 import { publicChatHandlers } from "./server-methods/public-chat.js";
+import { qrHandlers } from "./server-methods/qr.js";
 import { tailscaleHandlers } from "./server-methods/tailscale.js";
 import { networkHandlers } from "./server-methods/network.js";
 import { wifiHandlers } from "./server-methods/wifi.js";
@@ -105,6 +106,7 @@ const READ_METHODS = new Set([
     "workspaces.scan",
     "memory.status",
     "memory.audit",
+    "qr.generate",
 ]);
 const WRITE_METHODS = new Set([
     "send",
@@ -240,6 +242,7 @@ export const coreGatewayHandlers = {
     ...workspacesHandlers,
     ...brandHandlers,
     ...publicChatHandlers,
+    ...qrHandlers,
     ...networkHandlers,
     ...tailscaleHandlers,
     ...wifiHandlers,

package/dist/gateway/server.impl.js

@@ -34,6 +34,9 @@ import { createExecApprovalForwarder } from "../infra/exec-approval-forwarder.js
 import { createChannelManager } from "./server-channels.js";
 import { createAgentEventHandler } from "./server-chat.js";
 import { createGatewayCloseHandler } from "./server-close.js";
+import { resolveBundledSkillsDir } from "../agents/skills/bundled-dir.js";
+import { DEFAULT_SEED_TRACKER_PATH, seedPreloadedCronJobs } from "../cron/preloaded.js";
+import { DEFAULT_ACCOUNT_ID } from "../routing/session-key.js";
 import { buildGatewayCronService } from "./server-cron.js";
 import { applyGatewayLaneConcurrency } from "./server-lanes.js";
 import { startGatewayMaintenanceTimers } from "./server-maintenance.js";
@@ -395,7 +398,29 @@ export async function startGatewayServer(port = 18789, opts = {}) {
         broadcast("notification", evt);
     });
     let heartbeatRunner = startHeartbeatRunner({ cfg: cfgAtStart });
-    void cron.start().catch((err) => logCron.error(`failed to start: ${String(err)}`));
+    // Start cron, then seed preloaded cron jobs from bundled skills (one-time per template).
+    void cron
+        .start()
+        .then(async () => {
+        const bundledSkillsDir = resolveBundledSkillsDir();
+        if (!bundledSkillsDir)
+            return;
+        try {
+            const seeded = await seedPreloadedCronJobs({
+                bundledSkillsDir,
+                trackerPath: DEFAULT_SEED_TRACKER_PATH,
+                cronService: cron,
+                defaultAccountId: DEFAULT_ACCOUNT_ID,
+            });
+            if (seeded > 0) {
+                logCron.info(`cron: seeded ${seeded} preloaded job(s)`);
+            }
+        }
+        catch (err) {
+            logCron.error(`cron: failed to seed preloaded jobs: ${String(err)}`);
+        }
+    })
+        .catch((err) => logCron.error(`failed to start: ${String(err)}`));
     const execApprovalManager = new ExecApprovalManager();
     const execApprovalForwarder = createExecApprovalForwarder();
     const execApprovalHandlers = createExecApprovalHandlers(execApprovalManager, {

package/dist/wizard/onboarding.js

@@ -346,6 +346,13 @@ export async function runOnboardingWizard(opts, runtime = defaultRuntime, prompt
     }
     // Setup hooks (session memory on /new)
     nextConfig = await setupInternalHooks(nextConfig, runtime, prompter);
+    // Inform user about the preloaded Daily Strategic Review cron job.
+    await prompter.note([
+        "A Daily Strategic Review is pre-configured (paused).",
+        "It scans your conversations, audits your materials, and suggests improvements.",
+        "",
+        "To enable it: Control Panel → Advanced → Events → enable 🔭 Daily Strategic Review.",
+    ].join("\n"), "Daily Strategic Review");
     nextConfig = applyWizardMetadata(nextConfig, { command: "onboard", mode });
     await writeConfigFile(nextConfig);
     await finalizeOnboardingWizard({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.10.0",
+  "version": "1.11.1",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"
@@ -84,8 +84,6 @@
     "prepack": "pnpm build && pnpm ui:build",
     "docs:list": "node scripts/docs-list.js",
     "docs:bin": "node scripts/build-docs-list.mjs",
-    "docs:dev": "cd docs && mint dev",
-    "docs:build": "cd docs && pnpm dlx --reporter append-only mint broken-links",
     "build": "tsc -p tsconfig.json && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/write-build-info.ts",
     "plugins:sync": "node --import tsx scripts/sync-plugin-versions.ts",
     "release:check": "node --import tsx scripts/release-check.ts",

package/skills/brevo/SKILL.md

@@ -0,0 +1,29 @@
+---
+name: brevo
+description: Guide users through getting a free Brevo API key for email OTP verification.
+metadata: {"taskmaster":{"emoji":"🔑"}}
+---
+
+# Brevo Setup
+
+Walks users through creating a Brevo account, verifying a sender email address, and obtaining an API key. Brevo uses single sender verification — the user verifies one email address by entering a 6-digit code sent to it. No DNS records or domain ownership required.
+
+## When to activate
+
+- User enables Email OTP or Visitor Chooses mode for Public Chat and email is not configured
+- User asks about email verification setup or Brevo
+- BOOTSTRAP detects missing Brevo API key when email verification is enabled
+
+## What it unlocks
+
+- Email OTP verification for public chat visitors
+- Verification codes delivered via email to any address
+- Free tier: 300 emails per day, no credit card required
+
+## References
+
+| Task | When to use | Reference |
+|------|-------------|-----------|
+| Guided setup | User wants help getting the key | `references/browser-setup.md` |
+
+Load the reference and follow its instructions.

package/skills/brevo/references/browser-setup.md

@@ -0,0 +1,161 @@
+# Brevo Email — Guided Setup
+
+Walk the user through getting Brevo credentials. Brevo uses single sender verification — the user verifies an email address by entering a 6-digit code sent to it. No DNS records required. Guide with clear instructions.
+
+**Important:** Brevo is primarily a marketing email platform. The signup flow and dashboard are oriented around marketing campaigns, contacts, and newsletters. The user does NOT need any of that. Guide them directly to the two things they need: a verified sender and an API key. Both are in the **Settings** page — accessed via the **gear icon** in the top-right toolbar. On the Settings page, both options are in the left sidebar under **Organization settings**.
+
+---
+
+## Prerequisites
+
+- User has an email address they want OTP emails to come from (e.g. their business email)
+- User has a mobile phone number (required by Brevo for account activation)
+- Chat channel for sending instructions
+
+---
+
+## Step 1: Explain
+
+Tell the user what Brevo is and why they need it:
+
+> "To send verification codes by email, we need a Brevo account. It's completely free — you get 300 emails a day, which is way more than enough for verification codes. No credit card required.
+>
+> I'll walk you through the setup step by step. The whole thing takes about 5 minutes."
+
+## Step 2: Create a Brevo account
+
+> "Go to **brevo.com** in your browser and click **Sign Up Free** in the top-right corner.
+>
+> You'll need to enter:
+> - Your **email address**
+> - A **password**
+>
+> You can also sign up with Google or Apple if that's easier.
+>
+> After clicking **Create an account**, Brevo will send a confirmation email. Click the link in it to verify your account.
+>
+> **Next, Brevo will ask for your mobile phone number.** This is for account activation only — they send a text to verify you're a real person. Enter your number and the code they text you.
+>
+> Let me know when you're past that and logged in."
+
+Wait for the user to confirm they've completed signup and mobile verification.
+
+### Getting past the onboarding
+
+After signup, Brevo lands on a **"Getting Started"** page that tries to walk you through creating contacts, campaigns, and other marketing features. The user does NOT need any of this.
+
+If the user mentions being on a "Getting Started" page, or asks about contacts/campaigns/templates:
+
+> "You can skip all of that — it's for email marketing campaigns, which we don't need. We just need two things from Brevo: a verified sender address and an API key. Both are in the account settings. Let me show you where."
+
+If the user is asked onboarding questions (company name, team size, etc.):
+
+> "Just fill in your business name and pick whatever options feel right — those are for Brevo's records and don't affect anything we're doing."
+
+## Step 3: Verify a sender email address
+
+This determines what email address OTP codes come from. Brevo sends a 6-digit code to the email — no DNS records needed.
+
+**Navigation: Settings page (gear icon) → Organization settings → Senders, domains, IPs.**
+
+> "Now we need to verify the email address that verification codes will be sent from. This is what your visitors will see in their inbox.
+>
+> 1. In the **top-right toolbar**, click the **gear icon** (⚙️) to open **Settings**
+> 2. In the Settings left sidebar, under **Organization settings**, click **Senders, domains, IPs**
+> 3. Click the **Add sender** button (top-right of the page)
+> 4. Fill in:
+>    - **From Name** — your business name (e.g. "Acme Plumbing")
+>    - **From Email** — the email you want codes to come from (your business email works)
+> 5. Click **Add sender**
+> 6. A popup will appear saying **"Authenticate your domain now?"** — you have two options:
+>    - **"Do it later"** — skip domain authentication. Sender verification alone is enough to send verification codes. Choose this if you don't own the email domain or want the simplest setup.
+>    - **"Authenticate domain"** — lets Brevo's partner (Entri) automatically add DKIM and DMARC records to your domain. This improves email deliverability and makes your emails fully compliant with Gmail/Yahoo/Microsoft requirements. Choose this if you own the domain and want more robust delivery. Entri will ask you to log in to your domain provider and it handles the DNS records automatically — no technical knowledge needed.
+>
+> Either way, Brevo will send a **6-digit code** to your email address. Check your inbox (and spam folder), enter the code, and click **Verify**. Let me know when it's done."
+
+If the user says they can't find it:
+
+> "In the top-right of the Brevo dashboard, there's a toolbar with several small icons. Click the **gear icon** (⚙️) — it should be between the help icon and the notification bell. That opens the Settings page. Then look in the left sidebar for **Senders, domains, IPs** under the **Organization settings** section."
+
+**Do NOT direct users to "Transactional" in the main dashboard sidebar or to "Campaigns".** Those are marketing features, not what they need.
+
+Wait for the user to confirm.
+
+## Step 4: Get an API key
+
+**Navigation: same Settings page → Organization settings → SMTP & API.**
+
+> "Almost done. Now we need an API key:
+>
+> 1. You should still be on the Settings page. In the left sidebar under **Organization settings**, click **SMTP & API**
+> 2. Click the **API keys & MCP** tab (not the SMTP tab)
+> 3. Click **Generate a new API key**
+> 4. Give it a name like **Taskmaster**
+> 5. Click **Generate**
+>
+> You'll see the API key — it starts with **xkeysib-** and is quite long. **Copy it now** — Brevo only shows it once. If you lose it, you'll need to generate a new one. Send me the key."
+
+If the user navigated away from Settings:
+
+> "Click the **gear icon** (⚙️) in the top-right toolbar to get back to Settings, then click **SMTP & API** in the left sidebar."
+
+Wait for the user to send the API key.
+
+Verify it looks right (starts with `xkeysib-`, usually 60+ characters). If not:
+
+> "That doesn't look like a Brevo API key — it should start with **xkeysib-** and be about 64 characters long. Can you check you copied the full key?"
+
+## Step 5: Save to Taskmaster
+
+Once you have the API key, store it using the `api_keys` tool:
+
+```
+api_keys({ action: "set", provider: "brevo", apiKey: "<the key>" })
+```
+
+The key is applied immediately — no restart needed. Confirm to the user:
+
+> "Done — I've saved your Brevo API key. Email verification is now enabled. When visitors use your public chat, they can verify their identity with an email code. The code will come from the address you verified in Brevo."
+
+That's it. No further configuration is needed in Taskmaster — the verified sender address is detected automatically from Brevo.
+
+---
+
+## If the user already has a Brevo account
+
+Check if they have a verified sender:
+
+> "Do you already have a verified sender in Brevo? If so, I just need your API key (starts with **xkeysib-**)."
+
+If yes, skip to Step 4. If they're unsure:
+
+> "Click the **gear icon** (⚙️) in the top-right toolbar to open Settings. Then click **Senders, domains, IPs** in the left sidebar. Check if there's a verified sender listed. If not, we'll set one up."
+
+---
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| Can't find Senders or SMTP & API | Click the **gear icon** (⚙️) in the top-right toolbar to open the Settings page. Both options are in the left sidebar under **Organization settings**. |
+| Landed on "Getting Started" or campaign builder | Ignore it — click the **gear icon** (⚙️) in the top-right toolbar to go straight to Settings. |
+| "Transactional" page shows SMTP settings | Wrong place — that's in the main dashboard, not Settings. Click the **gear icon** (⚙️) in the top-right toolbar, then **SMTP & API** in the Settings sidebar. |
+| Clicked "Authenticate domain" by mistake | If you end up on a Domains page or see DNS/Entri prompts, click **Cancel** or close the modal, then click the **Senders** tab to get back to sender verification. |
+| Mobile verification code not arriving | Wait a minute and try again. Check you entered the right country code. Some VoIP numbers don't work — use a real mobile number. |
+| Can't find the free plan | On brevo.com/pricing, the free tier is the green banner at the top of the page ("Free forever, no credit card needed"). Click **Sign up free** there. |
+
+---
+
+## Common questions
+
+| Question | Answer |
+|----------|--------|
+| "Is it free?" | Yes — 300 emails per day, forever. No credit card required. For verification codes, that's more than enough. |
+| "Why do they need my phone number?" | Brevo requires a mobile number for account activation — it's a one-time verification to prevent spam accounts. They won't call or text you after that. |
+| "Can I use my Gmail/Outlook address?" | Yes, as long as you verify it by entering the 6-digit code Brevo sends to it. |
+| "Will emails go to spam?" | OTP emails are solicited (the user just clicked 'send me a code'), so they almost always reach the inbox. If a visitor doesn't see it, tell them to check spam. |
+| "I lost my API key" | Click the gear icon (⚙️) in the top-right toolbar → SMTP & API → API keys & MCP tab, and generate a new one. |
+| "Do I need to set up DNS records?" | No. Single sender verification works without DNS. Brevo will recommend domain authentication for better deliverability, but it's not required. |
+| "Can I change the sender address later?" | Yes — add and verify a new sender in Brevo. Taskmaster auto-detects the verified sender, so no changes needed on this end. |
+| "Where does Taskmaster get the sender address?" | Automatically from the Brevo API. When you verify a sender in Brevo, Taskmaster detects it — you don't need to enter it anywhere else. |
+| "What about all the marketing stuff?" | Ignore it. Brevo is a full marketing platform, but we only use its transactional email API. You don't need to set up contacts, campaigns, or templates. |

package/skills/strategic-proactivity/SKILL.md

@@ -0,0 +1,45 @@
+---
+name: strategic-proactivity
+description: "Periodic strategic review — scans recent conversations, audits materials against reality, identifies gaps and opportunities, drafts improvements, and sends a prioritised summary to admins. Triggered by cron job or on-demand."
+metadata: {"taskmaster":{"emoji":"🔭"}}
+---
+
+# Strategic Proactivity
+
+## When to Activate
+
+- Triggered by a scheduled review (cron job)
+- Admin asks to review conversations, materials, opportunities, or gaps
+- Admin asks "what needs my attention?", "what should we be working on?", or similar strategic questions
+
+## Behaviour
+
+Load `references/daily-review.md` for the full review protocol and action framework.
+
+**Core principle:** Surface insights and draft improvements — don't just report. Always send findings to admin for approval before publishing anything.
+
+### Rules
+
+1. **Scan recent conversations** — all channels, all agent sessions (public, admin, group)
+2. **Compare against existing materials** — search memory for current documents, then check whether they still reflect reality
+3. **Identify gaps and opportunities** — questions that couldn't be answered, recurring themes, new verticals, unaddressed objections
+4. **Draft improvements** — don't just flag problems, write the fix
+5. **Track opportunities** — leads, partnership signals, market intel, feature requests
+6. **Send a concise summary to admins** — bullet points, prioritised by impact, with drafts attached where relevant
+
+### Output Format
+
+The summary should follow this structure:
+
+- **New Insights** — what emerged from conversations
+- **Drafts Ready** — what you've written or updated (saved to memory for review)
+- **Opportunities** — leads, partnerships, verticals worth pursuing
+- **Gaps Found** — materials that need updating or creating
+- **No Action Needed** — if genuinely nothing surfaced, say so briefly
+
+### Constraints
+
+- Keep total execution under 2 minutes
+- Don't publish anything to shared/ or public/ without admin approval
+- Save all drafts to memory for admin review before acting on them
+- Be honest — if nothing meaningful surfaced, say "quiet period" rather than padding the report