@rubytech/taskmaster 1.11.0 → 1.11.2

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-YAjVyXqJ.js"></script>
+    <script type="module" crossorigin src="./assets/index-s8s_YKvR.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CpaEIgQy.css">
   </head>
   <body>

package/dist/gateway/public-chat/deliver-otp.js

@@ -1,9 +1,10 @@
 /**
  * Deliver OTP verification codes via WhatsApp (primary), SMS (fallback), or email (Brevo).
+ * Both SMS and email use the same Brevo API key — SMS requires prepaid credits.
  */
 import { getActiveWebListener } from "../../web/active-listener.js";
 import { sendMessageWhatsApp } from "../../web/outbound.js";
-import { resolveSmsCredentials, sendSms } from "./deliver-sms.js";
+import { hasSmsApiKey, resolveSmsCredentials, sendSms } from "./deliver-sms.js";
 import { hasEmailApiKey, resolveEmailCredentials, sendEmail } from "./deliver-email.js";
 /** Detect whether an identifier is an email address. */
 function isEmail(identifier) {
@@ -17,7 +18,7 @@ export function detectOtpChannels(whatsappAccountId) {
     const channels = [];
     if (getActiveWebListener(whatsappAccountId))
         channels.push("whatsapp");
-    if (resolveSmsCredentials())
+    if (hasSmsApiKey())
         channels.push("sms");
     if (hasEmailApiKey())
         channels.push("email");
@@ -26,12 +27,13 @@ export function detectOtpChannels(whatsappAccountId) {
 /**
  * Deliver a verification code to the given identifier.
  *
- * Email identifiers (containing @) are sent via Brevo.
+ * Email identifiers (containing @) are sent via Brevo email API.
  * Phone identifiers use the existing WhatsApp -> SMS fallback chain.
+ * Both SMS and email share the same Brevo API key.
  */
 export async function deliverOtp(identifier, code, accountId) {
     const message = `Your verification code is: ${code}`;
-    // Email identifiers — deliver via Brevo only
+    // Email identifiers — deliver via Brevo email API
     if (isEmail(identifier)) {
         const emailCreds = await resolveEmailCredentials();
         if (!emailCreds) {
@@ -42,7 +44,7 @@ export async function deliverOtp(identifier, code, accountId) {
     }
     // Phone identifiers — WhatsApp first, SMS fallback
     const hasWhatsApp = !!getActiveWebListener(accountId);
-    const smsCreds = resolveSmsCredentials();
+    const smsCreds = await resolveSmsCredentials();
     if (hasWhatsApp) {
         try {
             await sendMessageWhatsApp(identifier, message, { verbose: false, accountId });
@@ -59,5 +61,5 @@ export async function deliverOtp(identifier, code, accountId) {
     if (hasWhatsApp) {
         throw new Error("Failed to send verification code via WhatsApp and SMS is not configured.");
     }
-    throw new Error("No verification channel available. Connect WhatsApp or configure SMS credentials.");
+    throw new Error("No verification channel available. Connect WhatsApp or add a Brevo API key with SMS credits.");
 }

package/dist/gateway/public-chat/deliver-sms.js

@@ -1,44 +1,81 @@
 /**
- * Lightweight Twilio SMS sender — single HTTP POST, no SDK dependency.
+ * Lightweight Brevo SMS sender — single HTTP POST, no SDK dependency.
+ *
+ * Uses the same Brevo API key as email delivery. The sender name is
+ * auto-detected from the verified email sender's display name.
+ * SMS requires prepaid credits in the Brevo account.
  */
 import { loadConfig } from "../../config/config.js";
+/** Cached sender name — avoids hitting the API on every SMS. */
+let cachedSenderName = null;
 /**
- * Read SMS credentials from `publicChat.sms` in config.
- * Returns null if any required field is missing.
+ * Query Brevo for the first active sender's display name.
+ * Returns the sender name or "Verify" as a safe fallback.
  */
-export function resolveSmsCredentials() {
+async function fetchSenderName(apiKey) {
+    try {
+        const res = await fetch("https://api.brevo.com/v3/senders", {
+            headers: { "api-key": apiKey, Accept: "application/json" },
+        });
+        if (!res.ok)
+            return "Verify";
+        const json = (await res.json());
+        const active = json.senders?.find((s) => s.active && s.name);
+        return active?.name ?? json.senders?.[0]?.name ?? "Verify";
+    }
+    catch {
+        return "Verify";
+    }
+}
+/**
+ * Sync check: is a Brevo API key configured?
+ * Used by detectOtpChannels() for capability reporting.
+ */
+export function hasSmsApiKey() {
     const cfg = loadConfig();
-    const sms = cfg.publicChat?.sms;
-    if (!sms?.accountSid || !sms.authToken || !sms.fromNumber)
+    return !!cfg.publicChat?.email?.apiKey;
+}
+/**
+ * Resolve SMS credentials from config.
+ *
+ * Uses the same Brevo API key as email. The sender name is resolved
+ * from the cached value or fetched from the Brevo senders API.
+ * Returns null if no API key is configured.
+ */
+export async function resolveSmsCredentials() {
+    const cfg = loadConfig();
+    const apiKey = cfg.publicChat?.email?.apiKey;
+    if (!apiKey)
         return null;
-    return {
-        accountSid: sms.accountSid,
-        authToken: sms.authToken,
-        fromNumber: sms.fromNumber,
-    };
+    if (cachedSenderName && cachedSenderName.apiKey === apiKey) {
+        return { apiKey, sender: cachedSenderName.name };
+    }
+    const name = await fetchSenderName(apiKey);
+    cachedSenderName = { apiKey, name };
+    return { apiKey, sender: name };
 }
 /**
- * Send an SMS via the Twilio REST API.
+ * Send an SMS via the Brevo transactional SMS API.
  */
 export async function sendSms(to, body, creds) {
-    const url = `https://api.twilio.com/2010-04-01/Accounts/${encodeURIComponent(creds.accountSid)}/Messages.json`;
-    const auth = Buffer.from(`${creds.accountSid}:${creds.authToken}`).toString("base64");
-    const params = new URLSearchParams();
-    params.set("To", to);
-    params.set("From", creds.fromNumber);
-    params.set("Body", body);
-    const res = await fetch(url, {
+    const res = await fetch("https://api.brevo.com/v3/transactionalSMS/sms", {
         method: "POST",
         headers: {
-            Authorization: `Basic ${auth}`,
-            "Content-Type": "application/x-www-form-urlencoded",
+            "api-key": creds.apiKey,
+            "Content-Type": "application/json",
+            Accept: "application/json",
         },
-        body: params.toString(),
+        body: JSON.stringify({
+            type: "transactional",
+            sender: creds.sender,
+            recipient: to,
+            content: body,
+        }),
     });
     if (!res.ok) {
         const text = await res.text().catch(() => "");
-        throw new Error(`Twilio SMS failed (${res.status}): ${text}`);
+        throw new Error(`Brevo SMS failed (${res.status}): ${text}`);
     }
     const json = (await res.json());
-    return { sid: json.sid ?? "unknown" };
+    return { id: String(json.messageId ?? "unknown") };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.11.0",
+  "version": "1.11.2",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/brevo/SKILL.md

@@ -1,29 +1,30 @@
 ---
 name: brevo
-description: Guide users through getting a free Brevo API key for email OTP verification.
+description: Guide users through getting a free Brevo API key for email and SMS verification.
 metadata: {"taskmaster":{"emoji":"🔑"}}
 ---
 
 # Brevo Setup
 
-Walks users through creating a Brevo account, verifying a sender email address, and obtaining an API key. Brevo uses single sender verification — the user verifies one email address by entering a 6-digit code sent to it. No DNS records or domain ownership required.
+Walks users through creating a Brevo account, verifying a sender email address, and obtaining an API key. One API key powers both email OTP and SMS OTP — no separate provider needed. Brevo uses single sender verification — the user verifies one email address by entering a 6-digit code sent to it. No DNS records or domain ownership required.
 
 ## When to activate
 
-- User enables Email OTP or Visitor Chooses mode for Public Chat and email is not configured
-- User asks about email verification setup or Brevo
-- BOOTSTRAP detects missing Brevo API key when email verification is enabled
+- User enables Email OTP, Phone OTP, or Visitor Chooses mode for Public Chat and Brevo is not configured
+- User asks about email or SMS verification setup, or about Brevo
+- BOOTSTRAP detects missing Brevo API key when email or SMS verification is enabled
+- User asks about SMS fallback for phone verification
 
 ## What it unlocks
 
-- Email OTP verification for public chat visitors
-- Verification codes delivered via email to any address
-- Free tier: 300 emails per day, no credit card required
+- **Email OTP** — verification codes delivered via email to any address. Free tier: 300 emails per day, no credit card required.
+- **SMS OTP** — verification codes delivered via text message when WhatsApp is unavailable. Requires prepaid SMS credits in Brevo (purchased separately). Same API key as email — no additional configuration.
 
 ## References
 
 | Task | When to use | Reference |
 |------|-------------|-----------|
 | Guided setup | User wants help getting the key | `references/browser-setup.md` |
+| SMS credits | User wants to enable SMS fallback | `references/sms-credits.md` |
 
 Load the reference and follow its instructions.

package/skills/brevo/references/browser-setup.md

@@ -1,12 +1,15 @@
-# Brevo Email — Guided Setup
+# Brevo — Guided Setup
 
-Walk the user through getting Brevo credentials. Brevo uses single sender verification — the user verifies an email address by entering a 6-digit code sent to it. No DNS records required. Guide with clear instructions.
+Walk the user through getting Brevo credentials. One API key powers both email OTP and SMS OTP. Brevo uses single sender verification — the user verifies an email address by entering a 6-digit code sent to it. No DNS records required. Guide with clear instructions.
+
+**Important:** Brevo is primarily a marketing email platform. The signup flow and dashboard are oriented around marketing campaigns, contacts, and newsletters. The user does NOT need any of that. Guide them directly to the two things they need: a verified sender and an API key. Both are in the **Settings** page — accessed via the **gear icon** in the top-right toolbar. On the Settings page, both options are in the left sidebar under **Organization settings**.
 
 ---
 
 ## Prerequisites
 
 - User has an email address they want OTP emails to come from (e.g. their business email)
+- User has a mobile phone number (required by Brevo for account activation)
 - Chat channel for sending instructions
 
 ---
@@ -21,50 +24,80 @@ Tell the user what Brevo is and why they need it:
 
 ## Step 2: Create a Brevo account
 
-> "Go to **brevo.com** in your browser and click **Sign up free**.
+> "Go to **brevo.com** in your browser and click **Sign Up Free** in the top-right corner.
 >
 > You'll need to enter:
-> - Your email address
-> - A password
+> - Your **email address**
+> - A **password**
+>
+> You can also sign up with Google or Apple if that's easier.
+>
+> After clicking **Create an account**, Brevo will send a confirmation email. Click the link in it to verify your account.
 >
-> Brevo will send a confirmation email. Click the link in it to verify your account. Let me know when you're logged in."
+> **Next, Brevo will ask for your mobile phone number.** This is for account activation only — they send a text to verify you're a real person. Enter your number and the code they text you.
+>
+> Let me know when you're past that and logged in."
+
+Wait for the user to confirm they've completed signup and mobile verification.
+
+### Getting past the onboarding
 
-Wait for the user to confirm they've completed signup.
+After signup, Brevo lands on a **"Getting Started"** page that tries to walk you through creating contacts, campaigns, and other marketing features. The user does NOT need any of this.
 
-If the user is asked onboarding questions (company name, team size, etc.), tell them:
+If the user mentions being on a "Getting Started" page, or asks about contacts/campaigns/templates:
 
-> "Just fill in your business name and pick whatever options feel right — those are for Brevo's records and don't affect anything."
+> "You can skip all of that — it's for email marketing campaigns, which we don't need. We just need two things from Brevo: a verified sender address and an API key. Both are in the account settings. Let me show you where."
+
+If the user is asked onboarding questions (company name, team size, etc.):
+
+> "Just fill in your business name and pick whatever options feel right — those are for Brevo's records and don't affect anything we're doing."
 
 ## Step 3: Verify a sender email address
 
 This determines what email address OTP codes come from. Brevo sends a 6-digit code to the email — no DNS records needed.
 
+**Navigation: Settings page (gear icon) → Organization settings → Senders, domains, IPs.**
+
 > "Now we need to verify the email address that verification codes will be sent from. This is what your visitors will see in their inbox.
 >
-> 1. In the Brevo dashboard, click your **name/icon** in the top-right
-> 2. Click **Senders, Domains & Dedicated IPs** (or go to **Settings → Senders**)
-> 3. Click **Add a sender**
+> 1. In the **top-right toolbar**, click the **gear icon** (⚙️) to open **Settings**
+> 2. In the Settings left sidebar, under **Organization settings**, click **Senders, domains, IPs**
+> 3. Click the **Add sender** button (top-right of the page)
 > 4. Fill in:
 >    - **From Name** — your business name (e.g. "Acme Plumbing")
 >    - **From Email** — the email you want codes to come from (your business email works)
-> 5. Click **Save**
+> 5. Click **Add sender**
+> 6. A popup will appear saying **"Authenticate your domain now?"** — you have two options:
+>    - **"Do it later"** — skip domain authentication. Sender verification alone is enough to send verification codes. Choose this if you don't own the email domain or want the simplest setup.
+>    - **"Authenticate domain"** — lets Brevo's partner (Entri) automatically add DKIM and DMARC records to your domain. This improves email deliverability and makes your emails fully compliant with Gmail/Yahoo/Microsoft requirements. Choose this if you own the domain and want more robust delivery. Entri will ask you to log in to your domain provider and it handles the DNS records automatically — no technical knowledge needed.
 >
-> Brevo will send a **6-digit code** to that email address. Check your inbox (and spam folder), enter the code, and click **Verify**. Let me know when it's done."
+> Either way, Brevo will send a **6-digit code** to your email address. Check your inbox (and spam folder), enter the code, and click **Verify**. Let me know when it's done."
+
+If the user says they can't find it:
+
+> "In the top-right of the Brevo dashboard, there's a toolbar with several small icons. Click the **gear icon** (⚙️) — it should be between the help icon and the notification bell. That opens the Settings page. Then look in the left sidebar for **Senders, domains, IPs** under the **Organization settings** section."
+
+**Do NOT direct users to "Transactional" in the main dashboard sidebar or to "Campaigns".** Those are marketing features, not what they need.
 
 Wait for the user to confirm.
 
 ## Step 4: Get an API key
 
+**Navigation: same Settings page → Organization settings → SMTP & API.**
+
 > "Almost done. Now we need an API key:
 >
-> 1. Click your **name/icon** in the top-right again
-> 2. Click **SMTP & API**
-> 3. Click the **API Keys** tab
-> 4. Click **Generate a new API key**
-> 5. Give it a name like **Taskmaster**
-> 6. Click **Generate**
+> 1. You should still be on the Settings page. In the left sidebar under **Organization settings**, click **SMTP & API**
+> 2. Click the **API keys & MCP** tab (not the SMTP tab)
+> 3. Click **Generate a new API key**
+> 4. Give it a name like **Taskmaster**
+> 5. Click **Generate**
 >
-> You'll see the API key — it starts with **xkeysib-** and is quite long. **Copy it now**. Send it to me."
+> You'll see the API key — it starts with **xkeysib-** and is quite long. **Copy it now** — Brevo only shows it once. If you lose it, you'll need to generate a new one. Send me the key."
+
+If the user navigated away from Settings:
+
+> "Click the **gear icon** (⚙️) in the top-right toolbar to get back to Settings, then click **SMTP & API** in the left sidebar."
 
 Wait for the user to send the API key.
 
@@ -86,6 +119,14 @@ The key is applied immediately — no restart needed. Confirm to the user:
 
 That's it. No further configuration is needed in Taskmaster — the verified sender address is detected automatically from Brevo.
 
+## SMS fallback (optional)
+
+If the user wants SMS verification codes (for when WhatsApp is unavailable), they can enable it with the same Brevo account. No additional API key or configuration is needed — just SMS credits.
+
+> "Your Brevo API key also works for SMS — same key, no extra setup. You just need SMS credits in your Brevo account. I can walk you through that if you'd like."
+
+If the user wants to proceed, load `references/sms-credits.md` and follow it.
+
 ---
 
 ## If the user already has a Brevo account
@@ -96,7 +137,20 @@ Check if they have a verified sender:
 
 If yes, skip to Step 4. If they're unsure:
 
-> "Go to **Settings → Senders** in Brevo and check if there's a verified sender listed. If not, we'll set one up."
+> "Click the **gear icon** (⚙️) in the top-right toolbar to open Settings. Then click **Senders, domains, IPs** in the left sidebar. Check if there's a verified sender listed. If not, we'll set one up."
+
+---
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| Can't find Senders or SMTP & API | Click the **gear icon** (⚙️) in the top-right toolbar to open the Settings page. Both options are in the left sidebar under **Organization settings**. |
+| Landed on "Getting Started" or campaign builder | Ignore it — click the **gear icon** (⚙️) in the top-right toolbar to go straight to Settings. |
+| "Transactional" page shows SMTP settings | Wrong place — that's in the main dashboard, not Settings. Click the **gear icon** (⚙️) in the top-right toolbar, then **SMTP & API** in the Settings sidebar. |
+| Clicked "Authenticate domain" by mistake | If you end up on a Domains page or see DNS/Entri prompts, click **Cancel** or close the modal, then click the **Senders** tab to get back to sender verification. |
+| Mobile verification code not arriving | Wait a minute and try again. Check you entered the right country code. Some VoIP numbers don't work — use a real mobile number. |
+| Can't find the free plan | On brevo.com/pricing, the free tier is the green banner at the top of the page ("Free forever, no credit card needed"). Click **Sign up free** there. |
 
 ---
 
@@ -105,9 +159,13 @@ If yes, skip to Step 4. If they're unsure:
 | Question | Answer |
 |----------|--------|
 | "Is it free?" | Yes — 300 emails per day, forever. No credit card required. For verification codes, that's more than enough. |
+| "Why do they need my phone number?" | Brevo requires a mobile number for account activation — it's a one-time verification to prevent spam accounts. They won't call or text you after that. |
 | "Can I use my Gmail/Outlook address?" | Yes, as long as you verify it by entering the 6-digit code Brevo sends to it. |
 | "Will emails go to spam?" | OTP emails are solicited (the user just clicked 'send me a code'), so they almost always reach the inbox. If a visitor doesn't see it, tell them to check spam. |
-| "I lost my API key" | Go to SMTP & API → API Keys in Brevo and generate a new one. |
+| "I lost my API key" | Click the gear icon (⚙️) in the top-right toolbar → SMTP & API → API keys & MCP tab, and generate a new one. |
 | "Do I need to set up DNS records?" | No. Single sender verification works without DNS. Brevo will recommend domain authentication for better deliverability, but it's not required. |
 | "Can I change the sender address later?" | Yes — add and verify a new sender in Brevo. Taskmaster auto-detects the verified sender, so no changes needed on this end. |
 | "Where does Taskmaster get the sender address?" | Automatically from the Brevo API. When you verify a sender in Brevo, Taskmaster detects it — you don't need to enter it anywhere else. |
+| "What about all the marketing stuff?" | Ignore it. Brevo is a full marketing platform, but we only use its transactional email and SMS APIs. You don't need to set up contacts, campaigns, or templates. |
+| "Can Brevo also send SMS?" | Yes — the same API key works for both email and SMS. You just need to purchase SMS credits in your Brevo account. See the SMS credits reference. |
+| "Do I need a separate provider for SMS?" | No. Brevo handles both email and SMS verification with the same API key. No Twilio or other SMS provider needed. |

package/skills/brevo/references/sms-credits.md

@@ -0,0 +1,68 @@
+# Brevo SMS Credits — Guided Setup
+
+Walk the user through purchasing SMS credits in Brevo. SMS verification uses the same Brevo API key as email — no additional configuration in Taskmaster. The user just needs credits in their Brevo account.
+
+**Important:** SMS credits are prepaid and never expire. Pricing varies by country (see below). The SMS sender name is auto-detected from the user's verified email sender in Brevo — no manual configuration needed.
+
+---
+
+## Prerequisites
+
+- User already has a Brevo account with an API key configured in Taskmaster (if not, use `references/browser-setup.md` first)
+- Chat channel for sending instructions
+
+---
+
+## Step 1: Explain
+
+> "Your Brevo API key already works for SMS — no extra setup needed on our end. You just need SMS credits in your Brevo account. Credits are prepaid and never expire, so you only pay for what you need.
+>
+> Let me walk you through purchasing credits. It takes about 2 minutes."
+
+## Step 2: Purchase SMS credits
+
+> "1. Go to **brevo.com** and log in
+> 2. In the **top-right toolbar**, click the **gear icon** (⚙️) to open **Settings**
+> 3. In the left sidebar, look for **Your plan** or **Billing** under your account settings
+> 4. Find the **SMS credits** section and click **Buy credits**
+> 5. Choose how many credits you need:
+>    - **100 credits** is a good starting amount for verification codes
+>    - Each SMS uses 1 credit
+>    - Credits never expire
+> 6. Complete the purchase
+>
+> Let me know when that's done."
+
+Wait for the user to confirm.
+
+## Step 3: Confirm
+
+> "SMS verification is now enabled. When a visitor verifies their phone number and WhatsApp is unavailable, the verification code will be sent by text message instead. No restart or configuration change needed — it works automatically with your existing Brevo API key."
+
+---
+
+## Pricing reference
+
+Approximate SMS credit costs (varies by country):
+
+| Region | Cost per 100 credits |
+|--------|---------------------|
+| US / Canada | ~$1.09 |
+| UK | ~$3.45 |
+| Australia | ~$5.50 |
+| EU (varies) | ~$3.00–$7.00 |
+
+Exact pricing is shown during purchase in the Brevo dashboard.
+
+---
+
+## Common questions
+
+| Question | Answer |
+|----------|--------|
+| "Do credits expire?" | No — prepaid SMS credits never expire. |
+| "How many credits per SMS?" | One credit per message. Each verification code is one SMS. |
+| "What phone number do SMS come from?" | Brevo assigns a sender automatically based on the destination country. You don't need to buy or manage a phone number. |
+| "What name appears on the SMS?" | The sender name from your verified email sender in Brevo (e.g. your business name). Taskmaster detects this automatically. |
+| "Do I need to change anything in Taskmaster?" | No. If your Brevo API key is already configured, SMS works automatically when you have credits. |
+| "Can I use SMS without email?" | The Brevo API key is configured through the email setup, but once configured it serves both email and SMS. You need at least one verified sender. |

package/skills/system-admin/SKILL.md

@@ -0,0 +1,68 @@
+---
+name: system-admin
+description: "System administration through conversation. Monitors system health, manages channels, branding, public chat, skills, and usage — replacing the need to navigate the control panel UI."
+metadata: {"taskmaster":{"always":true,"emoji":"⚙️","skillKey":"system-admin"}}
+---
+
+# System Administration
+
+You are the system administrator — the single point of contact for everything the business owner would otherwise need the control panel for. Your goal is to make the control panel unnecessary for day-to-day operations.
+
+## Philosophy
+
+The user chose Taskmaster because they want ONE conversation, not a dozen apps. Every time they'd have to leave this chat to check a dashboard, toggle a setting, or review logs — that's a failure. Handle it here.
+
+## Available Tools
+
+You have seven system administration tools. Use them proactively and reactively.
+
+### Monitoring (read-only, always safe)
+
+- **system_status** — System health, auth status, license, channel connections, software version. Use `overview` for a combined snapshot when the user asks "how's the system?" or at the start of any admin session.
+- **usage_report** — Token counts and cost data. Use `summary` for token breakdown, `cost` for spend over time. Offer monthly cost reports proactively.
+- **logs_read** — System logs and session transcripts. Use `system` for gateway errors, `sessions` for conversation traces. Essential for debugging any "it's not working" report.
+
+### Configuration (read + write, check before acting)
+
+- **channel_settings** — WhatsApp/iMessage connection status and settings. Change the AI model, thinking level, DM policy, or group chat policy per account.
+- **brand_settings** — Accent color, background color, logo status. Set colors via hex values. Logo upload requires the UI (binary data).
+- **public_chat_settings** — Enable/disable the public chat widget, manage the greeting, set access mode (open/verified/visitor-chooses).
+- **skill_manage** — List, create, update, delete, or install skills. Preloaded skills cannot be deleted.
+
+### Already available (from other tools)
+
+- **api_keys** — Manage provider API keys (Google, Tavily, OpenAI, etc.)
+- **software_update** — Check for updates, install them, restart the gateway
+- **cron** — Schedule recurring events and reminders
+- **gateway** — Restart the gateway, apply config changes
+
+## When to Use These Tools
+
+### Reactively — the user asks
+
+| User says | You do |
+|-----------|--------|
+| "How's the system?" / "Is everything working?" | `system_status` overview |
+| "What's my usage?" / "How much am I spending?" | `usage_report` cost + summary |
+| "Is WhatsApp connected?" | `channel_settings` status |
+| "Change the color to blue" | `brand_settings` set_colors |
+| "Enable the public chat" | `public_chat_settings` enable |
+| "What model am I using?" | `channel_settings` status |
+| "Switch to a cheaper model" | `channel_settings` set_model |
+| "Show me the logs" | `logs_read` system |
+| "Something isn't working" | `logs_read` system + `system_status` overview |
+| "Is there an update?" | `software_update` check |
+
+### Proactively — you notice something
+
+- After a restart or reconnection, check `system_status` and report any issues.
+- When discussing costs, offer to pull `usage_report` data.
+- If a user reports a message not going through, check `channel_settings` status and `logs_read`.
+- When generating a greeting for a new public chat setup, use `public_chat_settings` regenerate_greeting.
+
+## Principles
+
+- **Explain, don't just execute.** When changing a setting, tell the user what you're doing and what it means. "I've switched your WhatsApp to Sonnet — it's faster and cheaper than Opus, while still handling most conversations well."
+- **Confirm destructive actions.** Before disabling public chat, deleting a skill, or changing access modes — confirm with the user. Read operations never need confirmation.
+- **Surface the important, hide the noise.** The user doesn't need to see raw JSON. Summarize system status in plain language. "Everything's running smoothly — WhatsApp connected, Claude authenticated, license active. You've used about $4.20 this month."
+- **Know your limits.** Some things still need the UI: scanning WhatsApp QR codes, uploading logos, managing WiFi, Tailscale setup, PIN changes, OAuth re-authentication. When these come up, direct the user to the specific page: "Open the Setup page and scroll to WhatsApp to scan a new QR code."

package/skills/twilio/SKILL.md

@@ -1,29 +1,32 @@
 ---
 name: twilio
-description: Guide users through getting Twilio SMS credentials for phone verification fallback.
-metadata: {"taskmaster":{"emoji":"🔑"}}
+description: Guide users through getting Twilio credentials for the voice-call extension.
+metadata: {"taskmaster":{"emoji":"📞"}}
 ---
 
-# Twilio Setup
+# Twilio Setup (Voice Calling)
 
-Walks users through creating a Twilio account and obtaining SMS credentials (Account SID, Auth Token, and a phone number). Unlike Tavily or Google AI, Twilio signup requires identity verification — guide the user with clear instructions rather than browser automation.
+Walks users through creating a Twilio account and obtaining credentials for the voice-call extension. Twilio is used exclusively for voice calling — SMS verification uses Brevo instead.
 
 ## When to activate
 
-- User enables Phone OTP or Visitor Chooses mode for Public Chat and SMS fallback is not configured
-- User asks about SMS verification or Twilio setup
-- User gets "No verification channel available" error and WhatsApp is not connected
+- User wants to set up the voice-call extension with Twilio as the telephony provider
+- User asks about Twilio setup for voice calling
+- BOOTSTRAP detects missing Twilio credentials when voice-call extension is configured with Twilio provider
+
+## Important
+
+Twilio is NOT used for SMS verification. If the user asks about SMS for public chat verification, direct them to the **Brevo** skill instead — Brevo handles both email and SMS OTP with one API key.
 
 ## What it unlocks
 
-- SMS fallback for phone verification when WhatsApp is unavailable
-- Verification codes delivered via text message to any mobile phone
-- Free trial includes credit for testing; pay-as-you-go after that
+- Inbound and outbound voice calls via the voice-call extension
+- Twilio as a telephony provider alongside Plivo and Telnyx
 
 ## References
 
 | Task | When to use | Reference |
 |------|-------------|-----------|
-| Guided setup | User wants help getting Twilio credentials | `references/browser-setup.md` |
+| Guided setup | User wants help getting Twilio credentials for voice calling | `references/browser-setup.md` |
 
 Load the reference and follow its instructions.