@rubytech/taskmaster 1.11.1 → 1.12.0

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-YAjVyXqJ.js"></script>
+    <script type="module" crossorigin src="./assets/index-DpMaqt-b.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CpaEIgQy.css">
   </head>
   <body>

package/dist/gateway/control-ui.js

@@ -5,7 +5,7 @@ import { resolveAgentWorkspaceRoot } from "../agents/agent-scope.js";
 import { buildAgentSummaries } from "../commands/agents.config.js";
 import { DEFAULT_ASSISTANT_IDENTITY, resolveAssistantIdentity } from "./assistant-identity.js";
 import { resolveAgentBoundAccountId } from "../routing/bindings.js";
-import { detectOtpChannels } from "./public-chat/deliver-otp.js";
+import { detectOtpChannels, normalizeVerifyMethods } from "./public-chat/deliver-otp.js";
 import { resolvePublicAgentId } from "./public-chat/session.js";
 import { findBrandLogo } from "./server-methods/brand.js";
 import { buildControlUiAvatarUrl, CONTROL_UI_AVATAR_PREFIX, normalizeControlUiBasePath, resolveAssistantAvatarUrl, } from "./control-ui-shared.js";
@@ -570,7 +570,7 @@ export function handlePublicChatHttpRequest(req, res, opts) {
     // Inject public-chat globals before </head>
     const publicScript = `<script>` +
         `window.__TASKMASTER_PUBLIC_CHAT__=true;` +
-        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: config.publicChat?.verifyMethods ?? ["phone"], greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
+        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: normalizeVerifyMethods(config.publicChat?.verifyMethods ?? ["whatsapp", "sms"]), greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
         `</script>`;
     const headClose = baseInjected.indexOf("</head>");
     const withPublic = headClose !== -1

package/dist/gateway/public-chat/deliver-otp.js

@@ -1,14 +1,39 @@
 /**
- * Deliver OTP verification codes via WhatsApp (primary), SMS (fallback), or email (Brevo).
+ * Deliver OTP verification codes via WhatsApp, SMS (Brevo), or email (Brevo).
+ * Both SMS and email use the same Brevo API key — SMS requires prepaid credits.
+ *
+ * The admin controls which channels are enabled via `verifyMethods` config:
+ * "whatsapp", "sms", "email". The delivery logic only tries enabled channels.
  */
 import { getActiveWebListener } from "../../web/active-listener.js";
 import { sendMessageWhatsApp } from "../../web/outbound.js";
-import { resolveSmsCredentials, sendSms } from "./deliver-sms.js";
+import { hasSmsApiKey, resolveSmsCredentials, sendSms } from "./deliver-sms.js";
 import { hasEmailApiKey, resolveEmailCredentials, sendEmail } from "./deliver-email.js";
 /** Detect whether an identifier is an email address. */
 function isEmail(identifier) {
     return identifier.includes("@");
 }
+/**
+ * Normalize verify methods — expand deprecated "phone" into ["whatsapp", "sms"].
+ * Returns a deduplicated array of canonical method names.
+ */
+export function normalizeVerifyMethods(methods) {
+    const result = new Set();
+    for (const m of methods) {
+        if (m === "phone") {
+            result.add("whatsapp");
+            result.add("sms");
+        }
+        else {
+            result.add(m);
+        }
+    }
+    return [...result];
+}
+/** Check whether any phone-based verify method is enabled. */
+export function hasPhoneMethod(methods) {
+    return methods.includes("whatsapp") || methods.includes("sms");
+}
 /**
  * Detect which OTP delivery channels are currently available.
  * Does not attempt delivery — used by the capabilities endpoint.
@@ -17,7 +42,7 @@ export function detectOtpChannels(whatsappAccountId) {
     const channels = [];
     if (getActiveWebListener(whatsappAccountId))
         channels.push("whatsapp");
-    if (resolveSmsCredentials())
+    if (hasSmsApiKey())
         channels.push("sms");
     if (hasEmailApiKey())
         channels.push("email");
@@ -26,12 +51,14 @@ export function detectOtpChannels(whatsappAccountId) {
 /**
  * Deliver a verification code to the given identifier.
  *
- * Email identifiers (containing @) are sent via Brevo.
- * Phone identifiers use the existing WhatsApp -> SMS fallback chain.
+ * Email identifiers (containing @) are sent via Brevo email API.
+ * Phone identifiers try WhatsApp then SMS, but only channels that
+ * are enabled in `enabledMethods` are attempted.
  */
-export async function deliverOtp(identifier, code, accountId) {
+export async function deliverOtp(identifier, code, accountId, enabledMethods) {
     const message = `Your verification code is: ${code}`;
-    // Email identifiers — deliver via Brevo only
+    const methods = enabledMethods ?? ["whatsapp", "sms", "email"];
+    // Email identifiers — deliver via Brevo email API
     if (isEmail(identifier)) {
         const emailCreds = await resolveEmailCredentials();
         if (!emailCreds) {
@@ -40,24 +67,33 @@ export async function deliverOtp(identifier, code, accountId) {
         await sendEmail(identifier, "Your verification code", message, emailCreds);
         return { channel: "email" };
     }
-    // Phone identifiers — WhatsApp first, SMS fallback
-    const hasWhatsApp = !!getActiveWebListener(accountId);
-    const smsCreds = resolveSmsCredentials();
-    if (hasWhatsApp) {
+    // Phone identifiers — try enabled channels in order: WhatsApp, then SMS
+    const tryWhatsApp = methods.includes("whatsapp") && !!getActiveWebListener(accountId);
+    const trySms = methods.includes("sms");
+    if (tryWhatsApp) {
         try {
             await sendMessageWhatsApp(identifier, message, { verbose: false, accountId });
             return { channel: "whatsapp" };
         }
         catch {
-            // WhatsApp failed — fall through to SMS
+            // WhatsApp failed — fall through to SMS if enabled
         }
     }
-    if (smsCreds) {
-        await sendSms(identifier, message, smsCreds);
-        return { channel: "sms" };
+    if (trySms) {
+        const smsCreds = await resolveSmsCredentials();
+        if (smsCreds) {
+            await sendSms(identifier, message, smsCreds);
+            return { channel: "sms" };
+        }
     }
-    if (hasWhatsApp) {
-        throw new Error("Failed to send verification code via WhatsApp and SMS is not configured.");
+    // Build a specific error message based on what was tried
+    const tried = [];
+    if (methods.includes("whatsapp"))
+        tried.push("WhatsApp");
+    if (methods.includes("sms"))
+        tried.push("SMS");
+    if (tried.length === 0) {
+        throw new Error("No phone verification channel is enabled. Enable WhatsApp or SMS in Public Chat settings.");
     }
-    throw new Error("No verification channel available. Connect WhatsApp or configure SMS credentials.");
+    throw new Error(`Failed to send verification code via ${tried.join(" and ")}. Check that the channel is connected and configured.`);
 }

package/dist/gateway/public-chat/deliver-sms.js

@@ -1,44 +1,116 @@
 /**
- * Lightweight Twilio SMS sender — single HTTP POST, no SDK dependency.
+ * Lightweight Brevo SMS sender — single HTTP POST, no SDK dependency.
+ *
+ * Uses the same Brevo API key as email delivery. The SMS sender name comes
+ * from the same Brevo verified sender that email uses — matched by email
+ * address, so both channels present consistent branding.
+ * SMS requires prepaid credits in the Brevo account.
  */
 import { loadConfig } from "../../config/config.js";
+import { resolveEmailCredentials } from "./deliver-email.js";
+/** Cached sender name (already truncated to ≤11 chars). */
+let cachedSenderName = null;
 /**
- * Read SMS credentials from `publicChat.sms` in config.
- * Returns null if any required field is missing.
+ * Truncate a sender name to fit the GSM alphanumeric sender limit (11 chars).
+ * Tries to break at a word boundary to avoid ugly truncations.
  */
-export function resolveSmsCredentials() {
+function truncateSender(name) {
+    if (name.length <= 11)
+        return name;
+    // Try the first word — often the business name
+    const firstWord = name.split(/\s/)[0];
+    if (firstWord.length <= 11)
+        return firstWord;
+    // Last resort: hard truncate
+    return name.slice(0, 11);
+}
+/**
+ * Resolve the SMS sender name from Brevo's verified senders.
+ *
+ * If an email address is provided (from config), finds the matching sender
+ * and uses its display name — this ensures SMS and email use the same identity.
+ * Falls back to the first active sender, then "Verify" as a safe default.
+ */
+async function fetchSenderName(apiKey, matchEmail) {
+    try {
+        const res = await fetch("https://api.brevo.com/v3/senders", {
+            headers: { "api-key": apiKey, Accept: "application/json" },
+        });
+        if (!res.ok)
+            return "Verify";
+        const json = (await res.json());
+        const senders = json.senders ?? [];
+        // Match the sender whose email matches the one configured for email delivery
+        if (matchEmail) {
+            const match = senders.find((s) => s.email?.toLowerCase() === matchEmail.toLowerCase() && s.name);
+            if (match?.name)
+                return truncateSender(match.name);
+        }
+        // Fallback: first active sender with a name
+        const active = senders.find((s) => s.active && s.name);
+        const raw = active?.name ?? senders[0]?.name ?? "Verify";
+        return truncateSender(raw);
+    }
+    catch {
+        return "Verify";
+    }
+}
+/**
+ * Sync check: is a Brevo API key configured?
+ * Used by detectOtpChannels() for capability reporting.
+ */
+export function hasSmsApiKey() {
+    const cfg = loadConfig();
+    return !!cfg.publicChat?.email?.apiKey;
+}
+/**
+ * Resolve SMS credentials from config.
+ *
+ * Uses the same Brevo API key as email. The sender name is resolved by asking
+ * the email delivery module which sender it uses, then finding that sender's
+ * display name in Brevo. This ensures both email and SMS present the same
+ * brand identity. The name is truncated to 11 characters (GSM limit).
+ * Returns null if no API key is configured.
+ */
+export async function resolveSmsCredentials() {
     const cfg = loadConfig();
-    const sms = cfg.publicChat?.sms;
-    if (!sms?.accountSid || !sms.authToken || !sms.fromNumber)
+    const apiKey = cfg.publicChat?.email?.apiKey;
+    if (!apiKey)
         return null;
-    return {
-        accountSid: sms.accountSid,
-        authToken: sms.authToken,
-        fromNumber: sms.fromNumber,
-    };
+    if (cachedSenderName &&
+        cachedSenderName.apiKey === apiKey &&
+        cachedSenderName.name.length <= 11) {
+        return { apiKey, sender: cachedSenderName.name };
+    }
+    // Resolve the email address that email delivery uses — ensures SMS matches
+    // the same Brevo sender regardless of whether `from` is set in config.
+    const emailCreds = await resolveEmailCredentials();
+    const name = await fetchSenderName(apiKey, emailCreds?.from);
+    cachedSenderName = { apiKey, name };
+    return { apiKey, sender: name };
 }
 /**
- * Send an SMS via the Twilio REST API.
+ * Send an SMS via the Brevo transactional SMS API.
  */
 export async function sendSms(to, body, creds) {
-    const url = `https://api.twilio.com/2010-04-01/Accounts/${encodeURIComponent(creds.accountSid)}/Messages.json`;
-    const auth = Buffer.from(`${creds.accountSid}:${creds.authToken}`).toString("base64");
-    const params = new URLSearchParams();
-    params.set("To", to);
-    params.set("From", creds.fromNumber);
-    params.set("Body", body);
-    const res = await fetch(url, {
+    const res = await fetch("https://api.brevo.com/v3/transactionalSMS/sms", {
         method: "POST",
         headers: {
-            Authorization: `Basic ${auth}`,
-            "Content-Type": "application/x-www-form-urlencoded",
+            "api-key": creds.apiKey,
+            "Content-Type": "application/json",
+            Accept: "application/json",
         },
-        body: params.toString(),
+        body: JSON.stringify({
+            type: "transactional",
+            sender: creds.sender,
+            recipient: to,
+            content: body,
+        }),
     });
     if (!res.ok) {
         const text = await res.text().catch(() => "");
-        throw new Error(`Twilio SMS failed (${res.status}): ${text}`);
+        throw new Error(`Brevo SMS failed (${res.status}): ${text} [sender=${JSON.stringify(creds.sender)}, recipient=${to}]`);
     }
     const json = (await res.json());
-    return { sid: json.sid ?? "unknown" };
+    return { id: String(json.messageId ?? "unknown") };
 }

package/dist/gateway/public-chat-api.js

@@ -36,7 +36,7 @@ import { createInternalHookEvent, triggerInternalHook } from "../hooks/internal-
 import { emitAgentEvent, onAgentEvent } from "../infra/agent-events.js";
 import { INTERNAL_MESSAGE_CHANNEL } from "../utils/message-channel.js";
 import { requestOtp, verifyOtp } from "./public-chat/otp.js";
-import { deliverOtp, detectOtpChannels } from "./public-chat/deliver-otp.js";
+import { deliverOtp, detectOtpChannels, hasPhoneMethod, normalizeVerifyMethods, } from "./public-chat/deliver-otp.js";
 import { buildPublicSessionKey, resolvePublicAgentId } from "./public-chat/session.js";
 import { loadSessionEntry, readSessionMessages } from "./session-utils.js";
 import { extractFileAttachments, sanitizeMediaForChat, stripEnvelopeFromMessages, } from "./chat-sanitize.js";
@@ -228,10 +228,10 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         : typeof payload.phone === "string"
             ? payload.phone.trim()
             : "";
-    const isEmail = rawIdentifier.includes("@");
-    const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+    const isEmailId = rawIdentifier.includes("@");
+    const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
     let identifier;
-    if (isEmail) {
+    if (isEmailId) {
         if (!verifyMethods.includes("email")) {
             sendForbidden(res, "email verification is not enabled for this account");
             return;
@@ -243,7 +243,7 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         }
     }
     else {
-        if (!verifyMethods.includes("phone")) {
+        if (!hasPhoneMethod(verifyMethods)) {
             sendForbidden(res, "phone verification is not enabled for this account");
             return;
         }
@@ -265,8 +265,13 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
     // OTP code is sent from the correct number (not the first active account).
     const agentId = resolvePublicAgentId(cfg, accountId);
     const whatsappAccountId = resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined;
+    // Narrow delivery to visitor's preferred channel if specified and admin-enabled
+    const preferredChannel = typeof payload.channel === "string" ? payload.channel : undefined;
+    const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
+        ? [preferredChannel]
+        : verifyMethods;
     try {
-        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId);
+        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods);
         sendJson(res, 200, { ok: true, channel: delivery.channel });
     }
     catch (err) {
@@ -751,7 +756,7 @@ async function handleCapabilities(req, res, accountId, cfg) {
         return;
     }
     const authMode = cfg.publicChat?.auth ?? "anonymous";
-    const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+    const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
     const agentId = resolvePublicAgentId(cfg, accountId);
     const whatsappAccountId = resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined;
     const channels = detectOtpChannels(whatsappAccountId);

package/dist/gateway/server-methods/public-chat.js

@@ -6,7 +6,7 @@ import { resolveAgentBoundAccountId } from "../../routing/bindings.js";
 import { generateGreeting } from "../../suggestions/greeting.js";
 import { ErrorCodes, errorShape } from "../protocol/index.js";
 import { requestOtp, verifyOtp } from "../public-chat/otp.js";
-import { deliverOtp } from "../public-chat/deliver-otp.js";
+import { deliverOtp, hasPhoneMethod, normalizeVerifyMethods } from "../public-chat/deliver-otp.js";
 import { buildPublicSessionKey, resolvePublicAgentId } from "../public-chat/session.js";
 /** Strip spaces, dashes, and parentheses from a phone number. */
 function normalizePhone(raw) {
@@ -46,10 +46,10 @@ export const publicChatHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "public chat disabled"));
             return;
         }
-        const isEmail = rawIdentifier.includes("@");
-        const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+        const isEmailId = rawIdentifier.includes("@");
+        const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
         let identifier;
-        if (isEmail) {
+        if (isEmailId) {
             if (!verifyMethods.includes("email")) {
                 respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "email verification is not enabled"));
                 return;
@@ -61,7 +61,7 @@ export const publicChatHandlers = {
             }
         }
         else {
-            if (!verifyMethods.includes("phone")) {
+            if (!hasPhoneMethod(verifyMethods)) {
                 respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "phone verification is not enabled"));
                 return;
             }
@@ -82,8 +82,13 @@ export const publicChatHandlers = {
         const whatsappAccountId = agentId
             ? (resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined)
             : undefined;
+        // Narrow delivery to visitor's preferred channel if specified and admin-enabled
+        const preferredChannel = typeof params.channel === "string" ? params.channel : undefined;
+        const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
+            ? [preferredChannel]
+            : verifyMethods;
         try {
-            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId);
+            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods);
             respond(true, { ok: true, channel: delivery.channel });
         }
         catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.11.1",
+  "version": "1.12.0",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/brevo/SKILL.md

@@ -1,29 +1,30 @@
 ---
 name: brevo
-description: Guide users through getting a free Brevo API key for email OTP verification.
+description: Guide users through getting a free Brevo API key for email and SMS verification.
 metadata: {"taskmaster":{"emoji":"🔑"}}
 ---
 
 # Brevo Setup
 
-Walks users through creating a Brevo account, verifying a sender email address, and obtaining an API key. Brevo uses single sender verification — the user verifies one email address by entering a 6-digit code sent to it. No DNS records or domain ownership required.
+Walks users through creating a Brevo account, verifying a sender email address, and obtaining an API key. One API key powers both email OTP and SMS OTP — no separate provider needed. Brevo uses single sender verification — the user verifies one email address by entering a 6-digit code sent to it. No DNS records or domain ownership required.
 
 ## When to activate
 
-- User enables Email OTP or Visitor Chooses mode for Public Chat and email is not configured
-- User asks about email verification setup or Brevo
-- BOOTSTRAP detects missing Brevo API key when email verification is enabled
+- User enables Email OTP, Phone OTP, or Visitor Chooses mode for Public Chat and Brevo is not configured
+- User asks about email or SMS verification setup, or about Brevo
+- BOOTSTRAP detects missing Brevo API key when email or SMS verification is enabled
+- User asks about SMS fallback for phone verification
 
 ## What it unlocks
 
-- Email OTP verification for public chat visitors
-- Verification codes delivered via email to any address
-- Free tier: 300 emails per day, no credit card required
+- **Email OTP** — verification codes delivered via email to any address. Free tier: 300 emails per day, no credit card required.
+- **SMS OTP** — verification codes delivered via text message when WhatsApp is unavailable. Requires prepaid SMS credits in Brevo (purchased separately). Same API key as email — no additional configuration.
 
 ## References
 
 | Task | When to use | Reference |
 |------|-------------|-----------|
 | Guided setup | User wants help getting the key | `references/browser-setup.md` |
+| SMS credits | User wants to enable SMS fallback | `references/sms-credits.md` |
 
 Load the reference and follow its instructions.

package/skills/brevo/references/browser-setup.md

@@ -1,6 +1,6 @@
-# Brevo Email — Guided Setup
+# Brevo — Guided Setup
 
-Walk the user through getting Brevo credentials. Brevo uses single sender verification — the user verifies an email address by entering a 6-digit code sent to it. No DNS records required. Guide with clear instructions.
+Walk the user through getting Brevo credentials. One API key powers both email OTP and SMS OTP. Brevo uses single sender verification — the user verifies an email address by entering a 6-digit code sent to it. No DNS records required. Guide with clear instructions.
 
 **Important:** Brevo is primarily a marketing email platform. The signup flow and dashboard are oriented around marketing campaigns, contacts, and newsletters. The user does NOT need any of that. Guide them directly to the two things they need: a verified sender and an API key. Both are in the **Settings** page — accessed via the **gear icon** in the top-right toolbar. On the Settings page, both options are in the left sidebar under **Organization settings**.
 
@@ -119,6 +119,14 @@ The key is applied immediately — no restart needed. Confirm to the user:
 
 That's it. No further configuration is needed in Taskmaster — the verified sender address is detected automatically from Brevo.
 
+## SMS fallback (optional)
+
+If the user wants SMS verification codes (for when WhatsApp is unavailable), they can enable it with the same Brevo account. No additional API key or configuration is needed — just SMS credits.
+
+> "Your Brevo API key also works for SMS — same key, no extra setup. You just need SMS credits in your Brevo account. I can walk you through that if you'd like."
+
+If the user wants to proceed, load `references/sms-credits.md` and follow it.
+
 ---
 
 ## If the user already has a Brevo account
@@ -158,4 +166,6 @@ If yes, skip to Step 4. If they're unsure:
 | "Do I need to set up DNS records?" | No. Single sender verification works without DNS. Brevo will recommend domain authentication for better deliverability, but it's not required. |
 | "Can I change the sender address later?" | Yes — add and verify a new sender in Brevo. Taskmaster auto-detects the verified sender, so no changes needed on this end. |
 | "Where does Taskmaster get the sender address?" | Automatically from the Brevo API. When you verify a sender in Brevo, Taskmaster detects it — you don't need to enter it anywhere else. |
-| "What about all the marketing stuff?" | Ignore it. Brevo is a full marketing platform, but we only use its transactional email API. You don't need to set up contacts, campaigns, or templates. |
+| "What about all the marketing stuff?" | Ignore it. Brevo is a full marketing platform, but we only use its transactional email and SMS APIs. You don't need to set up contacts, campaigns, or templates. |
+| "Can Brevo also send SMS?" | Yes — the same API key works for both email and SMS. You just need to purchase SMS credits in your Brevo account. See the SMS credits reference. |
+| "Do I need a separate provider for SMS?" | No. Brevo handles both email and SMS verification with the same API key. No Twilio or other SMS provider needed. |

package/skills/brevo/references/sms-credits.md

@@ -0,0 +1,76 @@
+# Brevo SMS Credits — Guided Setup
+
+Walk the user through purchasing SMS credits in Brevo. SMS verification uses the same Brevo API key as email — no additional configuration in Taskmaster. The user just needs credits in their Brevo account.
+
+**Important:** SMS credits are prepaid and never expire. The cost depends on the destination country and number of messages.
+
+**SMS sender name:** The name that appears on the SMS (e.g. "Taskmaster") is taken from the same Brevo verified sender used for email — matched by email address. If you have multiple senders in Brevo, the one whose email matches the configured sender is used. The name is truncated to 11 characters (GSM limit) — if longer, the first word is used (e.g. "Rubytech LLC" becomes "Rubytech"). To control the SMS sender name, edit the sender's display name in Brevo under **Senders, Domains & Dedicated IPs → Senders**.
+
+---
+
+## Prerequisites
+
+- User already has a Brevo account with an API key configured in Taskmaster (if not, use `references/browser-setup.md` first)
+- Chat channel for sending instructions
+
+---
+
+## Step 1: Explain
+
+> "Your Brevo API key already works for SMS — no extra setup needed on our end. You just need SMS credits in your Brevo account. Credits are prepaid and never expire, so you only pay for what you need.
+>
+> Let me walk you through purchasing credits. It takes about 2 minutes."
+
+## Step 2: Purchase SMS credits
+
+**Navigation: Dashboard home → lightning icon (top-right toolbar) → "Campaign usage and plan" popup → SMS section → "Get more credits".**
+
+> "1. Go to **app.brevo.com** and log in — you should see the main dashboard ('Hello [name]')
+> 2. In the **top-right toolbar**, click the **lightning bolt icon** (⚡) — it's to the left of the help (?) and gear (⚙️) icons
+> 3. A **'Campaign usage and plan'** popup appears showing your plan, email credits, and SMS credits
+> 4. Under the **SMS** section (shows '0 credits left' if you haven't bought any), click **'Get more credits'**
+> 5. On the **'Add messages credits'** page:
+>    - **Type of message** — select **SMS**
+>    - **Number of messages** — enter **100** (a good starting amount for verification codes)
+>    - **Message destination** — select your country (e.g. **United Kingdom**)
+>    - The **Purchase summary** on the right shows the total cost
+> 6. Click **'Proceed to checkout'** and complete the purchase
+>
+> Let me know when that's done."
+
+If the user can't find the lightning icon:
+
+> "In the top-right toolbar of the Brevo dashboard, there are several small icons. The lightning bolt (⚡) is the first one on the left, before the help (?), gear (⚙️), bell (🔔), and chart icons. Click that — it opens a popup showing your plan and credits."
+
+Wait for the user to confirm.
+
+## Step 3: Confirm
+
+> "SMS credits are ready. To enable SMS verification, go to the **Setup** page → **Public Chat** settings → check the **SMS** checkbox under verification methods. You can enable SMS alongside WhatsApp, or on its own. When a visitor chooses SMS on the public chat page, the code is sent by text message. No restart needed — it uses your existing Brevo API key."
+
+---
+
+## Pricing reference
+
+Pricing depends on the destination country and volume. The exact cost is shown on the checkout page when you select a country and message count. As a rough guide:
+
+| Destination | 100 messages |
+|-------------|-------------|
+| UK | ~£2.82 |
+| US / Canada | ~$1.09 |
+
+Credits are called "message credits" and can be used for SMS. On the free plan, WhatsApp messages via Brevo require a Professional plan upgrade — but we don't use Brevo for WhatsApp, so this doesn't apply.
+
+---
+
+## Common questions
+
+| Question | Answer |
+|----------|--------|
+| "Do credits expire?" | No — prepaid SMS credits never expire. |
+| "How many credits per SMS?" | Depends on the destination country. The purchase page shows the exact conversion (e.g. 316.5 credits = 100 UK messages). |
+| "What phone number do SMS come from?" | Brevo assigns a sender automatically based on the destination country. You don't need to buy or manage a phone number. |
+| "What name appears on the SMS?" | The display name from the same Brevo verified sender used for email (matched by email address). Must be 11 characters or fewer — if longer, the first word is used. Edit sender names under **Senders, Domains & Dedicated IPs → Senders** in Brevo. |
+| "Do I need to change anything in Taskmaster?" | No. If your Brevo API key is already configured, SMS works automatically when you have credits. |
+| "Can I use SMS without email?" | The Brevo API key is configured through the email setup, but once configured it serves both email and SMS. You need at least one verified sender. |
+| "Where do I check my remaining credits?" | Click the lightning bolt icon (⚡) in the top-right toolbar. The popup shows your SMS credits remaining. |

package/skills/system-admin/SKILL.md

@@ -0,0 +1,68 @@
+---
+name: system-admin
+description: "System administration through conversation. Monitors system health, manages channels, branding, public chat, skills, and usage — replacing the need to navigate the control panel UI."
+metadata: {"taskmaster":{"always":true,"emoji":"⚙️","skillKey":"system-admin"}}
+---
+
+# System Administration
+
+You are the system administrator — the single point of contact for everything the business owner would otherwise need the control panel for. Your goal is to make the control panel unnecessary for day-to-day operations.
+
+## Philosophy
+
+The user chose Taskmaster because they want ONE conversation, not a dozen apps. Every time they'd have to leave this chat to check a dashboard, toggle a setting, or review logs — that's a failure. Handle it here.
+
+## Available Tools
+
+You have seven system administration tools. Use them proactively and reactively.
+
+### Monitoring (read-only, always safe)
+
+- **system_status** — System health, auth status, license, channel connections, software version. Use `overview` for a combined snapshot when the user asks "how's the system?" or at the start of any admin session.
+- **usage_report** — Token counts and cost data. Use `summary` for token breakdown, `cost` for spend over time. Offer monthly cost reports proactively.
+- **logs_read** — System logs and session transcripts. Use `system` for gateway errors, `sessions` for conversation traces. Essential for debugging any "it's not working" report.
+
+### Configuration (read + write, check before acting)
+
+- **channel_settings** — WhatsApp/iMessage connection status and settings. Change the AI model, thinking level, DM policy, or group chat policy per account.
+- **brand_settings** — Accent color, background color, logo status. Set colors via hex values. Logo upload requires the UI (binary data).
+- **public_chat_settings** — Enable/disable the public chat widget, manage the greeting, set access mode (open/verified/visitor-chooses).
+- **skill_manage** — List, create, update, delete, or install skills. Preloaded skills cannot be deleted.
+
+### Already available (from other tools)
+
+- **api_keys** — Manage provider API keys (Google, Tavily, OpenAI, etc.)
+- **software_update** — Check for updates, install them, restart the gateway
+- **cron** — Schedule recurring events and reminders
+- **gateway** — Restart the gateway, apply config changes
+
+## When to Use These Tools
+
+### Reactively — the user asks
+
+| User says | You do |
+|-----------|--------|
+| "How's the system?" / "Is everything working?" | `system_status` overview |
+| "What's my usage?" / "How much am I spending?" | `usage_report` cost + summary |
+| "Is WhatsApp connected?" | `channel_settings` status |
+| "Change the color to blue" | `brand_settings` set_colors |
+| "Enable the public chat" | `public_chat_settings` enable |
+| "What model am I using?" | `channel_settings` status |
+| "Switch to a cheaper model" | `channel_settings` set_model |
+| "Show me the logs" | `logs_read` system |
+| "Something isn't working" | `logs_read` system + `system_status` overview |
+| "Is there an update?" | `software_update` check |
+
+### Proactively — you notice something
+
+- After a restart or reconnection, check `system_status` and report any issues.
+- When discussing costs, offer to pull `usage_report` data.
+- If a user reports a message not going through, check `channel_settings` status and `logs_read`.
+- When generating a greeting for a new public chat setup, use `public_chat_settings` regenerate_greeting.
+
+## Principles
+
+- **Explain, don't just execute.** When changing a setting, tell the user what you're doing and what it means. "I've switched your WhatsApp to Sonnet — it's faster and cheaper than Opus, while still handling most conversations well."
+- **Confirm destructive actions.** Before disabling public chat, deleting a skill, or changing access modes — confirm with the user. Read operations never need confirmation.
+- **Surface the important, hide the noise.** The user doesn't need to see raw JSON. Summarize system status in plain language. "Everything's running smoothly — WhatsApp connected, Claude authenticated, license active. You've used about $4.20 this month."
+- **Know your limits.** Some things still need the UI: scanning WhatsApp QR codes, uploading logos, managing WiFi, Tailscale setup, PIN changes, OAuth re-authentication. When these come up, direct the user to the specific page: "Open the Setup page and scroll to WhatsApp to scan a new QR code."