@rubytech/taskmaster 1.11.2 → 1.12.1

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-s8s_YKvR.js"></script>
+    <script type="module" crossorigin src="./assets/index-4h8fLLNN.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CpaEIgQy.css">
   </head>
   <body>

package/dist/gateway/control-ui.js

@@ -5,7 +5,7 @@ import { resolveAgentWorkspaceRoot } from "../agents/agent-scope.js";
 import { buildAgentSummaries } from "../commands/agents.config.js";
 import { DEFAULT_ASSISTANT_IDENTITY, resolveAssistantIdentity } from "./assistant-identity.js";
 import { resolveAgentBoundAccountId } from "../routing/bindings.js";
-import { detectOtpChannels } from "./public-chat/deliver-otp.js";
+import { detectOtpChannels, normalizeVerifyMethods } from "./public-chat/deliver-otp.js";
 import { resolvePublicAgentId } from "./public-chat/session.js";
 import { findBrandLogo } from "./server-methods/brand.js";
 import { buildControlUiAvatarUrl, CONTROL_UI_AVATAR_PREFIX, normalizeControlUiBasePath, resolveAssistantAvatarUrl, } from "./control-ui-shared.js";
@@ -527,7 +527,9 @@ export function handlePublicChatHttpRequest(req, res, opts) {
     const avatarValue = resolvedAvatar && /^(https?:\/\/|data:image\/|\/)/i.test(resolvedAvatar)
         ? resolvedAvatar
         : undefined;
-    const authMode = config.publicChat.auth ?? "anonymous";
+    const authMode = (config.publicChat?.accountSettings?.[accountId]?.auth ??
+        config.publicChat?.auth ??
+        "anonymous");
     const cookieTtlDays = config.publicChat.cookieTtlDays ?? 30;
     const brandName = config.ui?.brand?.name;
     const brandIconUrl = resolveBrandIconUrl(config.ui?.brand?.icon, root);
@@ -570,7 +572,7 @@ export function handlePublicChatHttpRequest(req, res, opts) {
     // Inject public-chat globals before </head>
     const publicScript = `<script>` +
         `window.__TASKMASTER_PUBLIC_CHAT__=true;` +
-        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: config.publicChat?.verifyMethods ?? ["phone"], greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
+        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: normalizeVerifyMethods(config.publicChat?.accountSettings?.[accountId]?.verifyMethods ?? config.publicChat?.verifyMethods ?? ["whatsapp", "sms"]), greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
         `</script>`;
     const headClose = baseInjected.indexOf("</head>");
     const withPublic = headClose !== -1
@@ -584,24 +586,37 @@ export function handlePublicChatHttpRequest(req, res, opts) {
 /** Widget script content — self-contained JS for embedding. */
 const WIDGET_SCRIPT = `(function(){
   "use strict";
-  var cfg={server:"",accountId:"",color:"#1a1a2e",bgColor:"#1a1a2e"};
+  var cfg={server:"",accountId:"",color:"",bgColor:"#1a1a2e",btnColor:""};
   var isOpen=false;
   var btn,overlay,iframe;
+  var SVG_NS="http://www.w3.org/2000/svg";
+  function svgEl(tag,attrs){var e=document.createElementNS(SVG_NS,tag);for(var k in attrs)e.setAttribute(k,attrs[k]);return e;}
+  function makeChatIcon(){var s=svgEl("svg",{width:"22",height:"22",viewBox:"0 0 24 24",fill:"none",stroke:"currentColor","stroke-width":"2","stroke-linecap":"round","stroke-linejoin":"round"});s.appendChild(svgEl("path",{d:"M7.9 20A9 9 0 1 0 4 16.1L2 22Z"}));return s;}
+  function makeCloseIcon(){var s=svgEl("svg",{width:"20",height:"20",viewBox:"0 0 24 24",fill:"none",stroke:"currentColor","stroke-width":"2.5","stroke-linecap":"round","stroke-linejoin":"round"});s.appendChild(svgEl("line",{x1:"18",y1:"6",x2:"6",y2:"18"}));s.appendChild(svgEl("line",{x1:"6",y1:"6",x2:"18",y2:"18"}));return s;}
+  function setIcon(el,fn){while(el.firstChild)el.removeChild(el.firstChild);el.appendChild(fn());}
 
   function init(opts){
     if(opts&&opts.server) cfg.server=opts.server.replace(/\\/$/,"");
     if(opts&&opts.accountId) cfg.accountId=opts.accountId;
-    if(opts&&opts.color) cfg.color=opts.color;
+    if(opts&&opts.color) cfg.btnColor=opts.color;
     if(opts&&opts.bgColor) cfg.bgColor=opts.bgColor;
-    build();
+    if(!cfg.btnColor){
+      fetch(cfg.server+"/public/api/v1/"+encodeURIComponent(cfg.accountId)+"/capabilities")
+        .then(function(r){return r.json()})
+        .then(function(d){if(d.background_color) cfg.btnColor=d.background_color; else if(d.accent_color) cfg.btnColor=d.accent_color; build();})
+        .catch(function(){build();});
+    } else {
+      build();
+    }
   }
 
   function build(){
+    if(!cfg.btnColor) cfg.btnColor="#1a1a2e";
     var css=document.createElement("style");
     css.textContent=[
       ".tm-widget-btn{position:fixed;bottom:20px;right:20px;width:48px;height:48px;",
-      "border-radius:50%;background:"+cfg.color+";color:#fff;border:none;cursor:pointer;",
-      "box-shadow:0 2px 8px rgba(0,0,0,.3);z-index:999999;font-size:22px;",
+      "border-radius:50%;background:"+cfg.btnColor+";color:#fff;border:none;cursor:pointer;",
+      "box-shadow:0 2px 8px rgba(0,0,0,.3);z-index:999999;",
       "display:flex;align-items:center;justify-content:center;transition:transform .2s}",
       ".tm-widget-btn:hover{transform:scale(1.08)}",
       ".tm-widget-overlay{position:fixed;bottom:78px;right:20px;width:400px;height:600px;",
@@ -618,7 +633,7 @@ const WIDGET_SCRIPT = `(function(){
 
     btn=document.createElement("button");
     btn.className="tm-widget-btn";
-    btn.textContent="\\uD83D\\uDCAC";
+    setIcon(btn,makeChatIcon);
     btn.setAttribute("aria-label","Chat");
     btn.onclick=toggle;
     document.body.appendChild(btn);
@@ -635,7 +650,7 @@ const WIDGET_SCRIPT = `(function(){
   function toggle(){
     isOpen=!isOpen;
     overlay.classList.toggle("open",isOpen);
-    btn.textContent=isOpen?"\\u2715":"\\uD83D\\uDCAC";
+    setIcon(btn,isOpen?makeCloseIcon:makeChatIcon);
   }
 
   window.Taskmaster={init:init};

package/dist/gateway/public-chat/deliver-email.js

@@ -45,24 +45,24 @@ async function fetchVerifiedSender(apiKey) {
  * in order: explicit config value → cached sender → live Brevo API lookup.
  * Returns null if no API key is configured.
  */
-export async function resolveEmailCredentials() {
+export async function resolveEmailCredentials(fromName) {
     const cfg = loadConfig();
     const email = cfg.publicChat?.email;
     if (!email?.apiKey)
         return null;
     // Explicit from address in config — use it directly
     if (email.from)
-        return { apiKey: email.apiKey, from: email.from };
+        return { apiKey: email.apiKey, from: email.from, fromName };
     // Cached sender for this API key
     if (cachedSender && cachedSender.apiKey === email.apiKey) {
-        return { apiKey: email.apiKey, from: cachedSender.from };
+        return { apiKey: email.apiKey, from: cachedSender.from, fromName };
     }
     // Auto-detect from Brevo senders API
     const sender = await fetchVerifiedSender(email.apiKey);
     if (!sender)
         return null;
     cachedSender = { apiKey: email.apiKey, from: sender };
-    return { apiKey: email.apiKey, from: sender };
+    return { apiKey: email.apiKey, from: sender, fromName };
 }
 /**
  * Send an email via the Brevo transactional email API.
@@ -76,7 +76,7 @@ export async function sendEmail(to, subject, body, creds) {
             Accept: "application/json",
         },
         body: JSON.stringify({
-            sender: { email: creds.from },
+            sender: creds.fromName ? { email: creds.from, name: creds.fromName } : { email: creds.from },
             to: [{ email: to }],
             subject,
             textContent: body,

package/dist/gateway/public-chat/deliver-otp.js

@@ -1,6 +1,9 @@
 /**
- * Deliver OTP verification codes via WhatsApp (primary), SMS (fallback), or email (Brevo).
+ * Deliver OTP verification codes via WhatsApp, SMS (Brevo), or email (Brevo).
  * Both SMS and email use the same Brevo API key — SMS requires prepaid credits.
+ *
+ * The admin controls which channels are enabled via `verifyMethods` config:
+ * "whatsapp", "sms", "email". The delivery logic only tries enabled channels.
  */
 import { getActiveWebListener } from "../../web/active-listener.js";
 import { sendMessageWhatsApp } from "../../web/outbound.js";
@@ -10,6 +13,27 @@ import { hasEmailApiKey, resolveEmailCredentials, sendEmail } from "./deliver-em
 function isEmail(identifier) {
     return identifier.includes("@");
 }
+/**
+ * Normalize verify methods — expand deprecated "phone" into ["whatsapp", "sms"].
+ * Returns a deduplicated array of canonical method names.
+ */
+export function normalizeVerifyMethods(methods) {
+    const result = new Set();
+    for (const m of methods) {
+        if (m === "phone") {
+            result.add("whatsapp");
+            result.add("sms");
+        }
+        else {
+            result.add(m);
+        }
+    }
+    return [...result];
+}
+/** Check whether any phone-based verify method is enabled. */
+export function hasPhoneMethod(methods) {
+    return methods.includes("whatsapp") || methods.includes("sms");
+}
 /**
  * Detect which OTP delivery channels are currently available.
  * Does not attempt delivery — used by the capabilities endpoint.
@@ -28,38 +52,48 @@ export function detectOtpChannels(whatsappAccountId) {
  * Deliver a verification code to the given identifier.
  *
  * Email identifiers (containing @) are sent via Brevo email API.
- * Phone identifiers use the existing WhatsApp -> SMS fallback chain.
- * Both SMS and email share the same Brevo API key.
+ * Phone identifiers try WhatsApp then SMS, but only channels that
+ * are enabled in `enabledMethods` are attempted.
  */
-export async function deliverOtp(identifier, code, accountId) {
+export async function deliverOtp(identifier, code, accountId, enabledMethods, brandName) {
     const message = `Your verification code is: ${code}`;
+    const methods = enabledMethods ?? ["whatsapp", "sms", "email"];
     // Email identifiers — deliver via Brevo email API
     if (isEmail(identifier)) {
-        const emailCreds = await resolveEmailCredentials();
+        const emailCreds = await resolveEmailCredentials(brandName);
         if (!emailCreds) {
             throw new Error("Email verification is not configured. Add a Brevo API key and verify a sender in the Brevo console.");
         }
         await sendEmail(identifier, "Your verification code", message, emailCreds);
         return { channel: "email" };
     }
-    // Phone identifiers — WhatsApp first, SMS fallback
-    const hasWhatsApp = !!getActiveWebListener(accountId);
-    const smsCreds = await resolveSmsCredentials();
-    if (hasWhatsApp) {
+    // Phone identifiers — try enabled channels in order: WhatsApp, then SMS
+    const tryWhatsApp = methods.includes("whatsapp") && !!getActiveWebListener(accountId);
+    const trySms = methods.includes("sms");
+    if (tryWhatsApp) {
         try {
             await sendMessageWhatsApp(identifier, message, { verbose: false, accountId });
             return { channel: "whatsapp" };
         }
         catch {
-            // WhatsApp failed — fall through to SMS
+            // WhatsApp failed — fall through to SMS if enabled
         }
     }
-    if (smsCreds) {
-        await sendSms(identifier, message, smsCreds);
-        return { channel: "sms" };
+    if (trySms) {
+        const smsCreds = await resolveSmsCredentials(brandName);
+        if (smsCreds) {
+            await sendSms(identifier, message, smsCreds);
+            return { channel: "sms" };
+        }
     }
-    if (hasWhatsApp) {
-        throw new Error("Failed to send verification code via WhatsApp and SMS is not configured.");
+    // Build a specific error message based on what was tried
+    const tried = [];
+    if (methods.includes("whatsapp"))
+        tried.push("WhatsApp");
+    if (methods.includes("sms"))
+        tried.push("SMS");
+    if (tried.length === 0) {
+        throw new Error("No phone verification channel is enabled. Enable WhatsApp or SMS in Public Chat settings.");
     }
-    throw new Error("No verification channel available. Connect WhatsApp or add a Brevo API key with SMS credits.");
+    throw new Error(`Failed to send verification code via ${tried.join(" and ")}. Check that the channel is connected and configured.`);
 }

package/dist/gateway/public-chat/deliver-sms.js

@@ -1,18 +1,37 @@
 /**
  * Lightweight Brevo SMS sender — single HTTP POST, no SDK dependency.
  *
- * Uses the same Brevo API key as email delivery. The sender name is
- * auto-detected from the verified email sender's display name.
+ * Uses the same Brevo API key as email delivery. The SMS sender name comes
+ * from the same Brevo verified sender that email uses — matched by email
+ * address, so both channels present consistent branding.
  * SMS requires prepaid credits in the Brevo account.
  */
 import { loadConfig } from "../../config/config.js";
-/** Cached sender name — avoids hitting the API on every SMS. */
+import { resolveEmailCredentials } from "./deliver-email.js";
+/** Cached sender name (already truncated to ≤11 chars). */
 let cachedSenderName = null;
 /**
- * Query Brevo for the first active sender's display name.
- * Returns the sender name or "Verify" as a safe fallback.
+ * Truncate a sender name to fit the GSM alphanumeric sender limit (11 chars).
+ * Tries to break at a word boundary to avoid ugly truncations.
  */
-async function fetchSenderName(apiKey) {
+function truncateSender(name) {
+    if (name.length <= 11)
+        return name;
+    // Try the first word — often the business name
+    const firstWord = name.split(/\s/)[0];
+    if (firstWord.length <= 11)
+        return firstWord;
+    // Last resort: hard truncate
+    return name.slice(0, 11);
+}
+/**
+ * Resolve the SMS sender name from Brevo's verified senders.
+ *
+ * If an email address is provided (from config), finds the matching sender
+ * and uses its display name — this ensures SMS and email use the same identity.
+ * Falls back to the first active sender, then "Verify" as a safe default.
+ */
+async function fetchSenderName(apiKey, matchEmail) {
     try {
         const res = await fetch("https://api.brevo.com/v3/senders", {
             headers: { "api-key": apiKey, Accept: "application/json" },
@@ -20,8 +39,17 @@ async function fetchSenderName(apiKey) {
         if (!res.ok)
             return "Verify";
         const json = (await res.json());
-        const active = json.senders?.find((s) => s.active && s.name);
-        return active?.name ?? json.senders?.[0]?.name ?? "Verify";
+        const senders = json.senders ?? [];
+        // Match the sender whose email matches the one configured for email delivery
+        if (matchEmail) {
+            const match = senders.find((s) => s.email?.toLowerCase() === matchEmail.toLowerCase() && s.name);
+            if (match?.name)
+                return truncateSender(match.name);
+        }
+        // Fallback: first active sender with a name
+        const active = senders.find((s) => s.active && s.name);
+        const raw = active?.name ?? senders[0]?.name ?? "Verify";
+        return truncateSender(raw);
     }
     catch {
         return "Verify";
@@ -38,19 +66,30 @@ export function hasSmsApiKey() {
 /**
  * Resolve SMS credentials from config.
  *
- * Uses the same Brevo API key as email. The sender name is resolved
- * from the cached value or fetched from the Brevo senders API.
+ * Uses the same Brevo API key as email. The sender name is resolved by asking
+ * the email delivery module which sender it uses, then finding that sender's
+ * display name in Brevo. This ensures both email and SMS present the same
+ * brand identity. The name is truncated to 11 characters (GSM limit).
  * Returns null if no API key is configured.
  */
-export async function resolveSmsCredentials() {
+export async function resolveSmsCredentials(brandName) {
     const cfg = loadConfig();
     const apiKey = cfg.publicChat?.email?.apiKey;
     if (!apiKey)
         return null;
-    if (cachedSenderName && cachedSenderName.apiKey === apiKey) {
+    // Brand name override takes precedence — use it directly (truncated to GSM limit)
+    if (brandName) {
+        return { apiKey, sender: truncateSender(brandName) };
+    }
+    if (cachedSenderName &&
+        cachedSenderName.apiKey === apiKey &&
+        cachedSenderName.name.length <= 11) {
         return { apiKey, sender: cachedSenderName.name };
     }
-    const name = await fetchSenderName(apiKey);
+    // Resolve the email address that email delivery uses — ensures SMS matches
+    // the same Brevo sender regardless of whether `from` is set in config.
+    const emailCreds = await resolveEmailCredentials();
+    const name = await fetchSenderName(apiKey, emailCreds?.from);
     cachedSenderName = { apiKey, name };
     return { apiKey, sender: name };
 }
@@ -74,7 +113,7 @@ export async function sendSms(to, body, creds) {
     });
     if (!res.ok) {
         const text = await res.text().catch(() => "");
-        throw new Error(`Brevo SMS failed (${res.status}): ${text}`);
+        throw new Error(`Brevo SMS failed (${res.status}): ${text} [sender=${JSON.stringify(creds.sender)}, recipient=${to}]`);
     }
     const json = (await res.json());
     return { id: String(json.messageId ?? "unknown") };

package/dist/gateway/public-chat-api.js

@@ -36,7 +36,7 @@ import { createInternalHookEvent, triggerInternalHook } from "../hooks/internal-
 import { emitAgentEvent, onAgentEvent } from "../infra/agent-events.js";
 import { INTERNAL_MESSAGE_CHANNEL } from "../utils/message-channel.js";
 import { requestOtp, verifyOtp } from "./public-chat/otp.js";
-import { deliverOtp, detectOtpChannels } from "./public-chat/deliver-otp.js";
+import { deliverOtp, detectOtpChannels, hasPhoneMethod, normalizeVerifyMethods, } from "./public-chat/deliver-otp.js";
 import { buildPublicSessionKey, resolvePublicAgentId } from "./public-chat/session.js";
 import { loadSessionEntry, readSessionMessages } from "./session-utils.js";
 import { extractFileAttachments, sanitizeMediaForChat, stripEnvelopeFromMessages, } from "./chat-sanitize.js";
@@ -98,14 +98,23 @@ function isValidEmail(email) {
 function normalizePhone(raw) {
     return raw.replace(/[\s\-()]/g, "");
 }
+/** Resolve the auth mode for a specific account, falling back to the global setting. */
+function resolveAccountAuthMode(cfg, accountId) {
+    return cfg.publicChat?.accountSettings?.[accountId]?.auth ?? cfg.publicChat?.auth ?? "anonymous";
+}
+/** Resolve the verify methods for a specific account, falling back to the global setting. */
+function resolveAccountVerifyMethods(cfg, accountId) {
+    return (cfg.publicChat?.accountSettings?.[accountId]?.verifyMethods ??
+        cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
+}
 /** Check whether the auth mode allows anonymous sessions. */
-function allowsAnonymous(cfg) {
-    const mode = cfg.publicChat?.auth ?? "anonymous";
+function allowsAnonymous(cfg, accountId) {
+    const mode = resolveAccountAuthMode(cfg, accountId);
     return mode === "anonymous" || mode === "choice";
 }
 /** Check whether the auth mode allows OTP verification. */
-function allowsVerified(cfg) {
-    const mode = cfg.publicChat?.auth ?? "anonymous";
+function allowsVerified(cfg, accountId) {
+    const mode = resolveAccountAuthMode(cfg, accountId);
     return mode === "verified" || mode === "choice";
 }
 function writeSse(res, data) {
@@ -184,7 +193,7 @@ async function handleSession(req, res, accountId, cfg, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    if (!allowsAnonymous(cfg)) {
+    if (!allowsAnonymous(cfg, accountId)) {
         sendForbidden(res, "anonymous sessions are disabled — use OTP verification");
         return;
     }
@@ -214,7 +223,7 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    if (!allowsVerified(cfg)) {
+    if (!allowsVerified(cfg, accountId)) {
         sendForbidden(res, "OTP verification is disabled for this account");
         return;
     }
@@ -228,10 +237,10 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         : typeof payload.phone === "string"
             ? payload.phone.trim()
             : "";
-    const isEmail = rawIdentifier.includes("@");
-    const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+    const isEmailId = rawIdentifier.includes("@");
+    const verifyMethods = normalizeVerifyMethods(resolveAccountVerifyMethods(cfg, accountId));
     let identifier;
-    if (isEmail) {
+    if (isEmailId) {
         if (!verifyMethods.includes("email")) {
             sendForbidden(res, "email verification is not enabled for this account");
             return;
@@ -243,7 +252,7 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         }
     }
     else {
-        if (!verifyMethods.includes("phone")) {
+        if (!hasPhoneMethod(verifyMethods)) {
             sendForbidden(res, "phone verification is not enabled for this account");
             return;
         }
@@ -265,8 +274,14 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
     // OTP code is sent from the correct number (not the first active account).
     const agentId = resolvePublicAgentId(cfg, accountId);
     const whatsappAccountId = resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined;
+    // Narrow delivery to visitor's preferred channel if specified and admin-enabled
+    const preferredChannel = typeof payload.channel === "string" ? payload.channel : undefined;
+    const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
+        ? [preferredChannel]
+        : verifyMethods;
+    const brandName = accountId || undefined;
     try {
-        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId);
+        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods, brandName);
         sendJson(res, 200, { ok: true, channel: delivery.channel });
     }
     catch (err) {
@@ -282,7 +297,7 @@ async function handleOtpVerify(req, res, accountId, cfg, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    if (!allowsVerified(cfg)) {
+    if (!allowsVerified(cfg, accountId)) {
         sendForbidden(res, "OTP verification is disabled for this account");
         return;
     }
@@ -750,14 +765,19 @@ async function handleCapabilities(req, res, accountId, cfg) {
         sendMethodNotAllowed(res, "GET");
         return;
     }
-    const authMode = cfg.publicChat?.auth ?? "anonymous";
-    const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+    const authMode = resolveAccountAuthMode(cfg, accountId);
+    const verifyMethods = normalizeVerifyMethods(resolveAccountVerifyMethods(cfg, accountId));
     const agentId = resolvePublicAgentId(cfg, accountId);
     const whatsappAccountId = resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined;
     const channels = detectOtpChannels(whatsappAccountId);
+    const wsBrand = cfg.workspaces?.[accountId]?.brand;
+    const accentColor = wsBrand?.accentColor ?? cfg.ui?.seamColor ?? null;
+    const backgroundColor = wsBrand?.backgroundColor ?? null;
     sendJson(res, 200, {
         auth: authMode,
         verify_methods: verifyMethods,
+        accent_color: accentColor,
+        background_color: backgroundColor,
         otp: {
             available: channels.length > 0,
             channels,

package/dist/gateway/server-methods/public-chat.js

@@ -6,7 +6,7 @@ import { resolveAgentBoundAccountId } from "../../routing/bindings.js";
 import { generateGreeting } from "../../suggestions/greeting.js";
 import { ErrorCodes, errorShape } from "../protocol/index.js";
 import { requestOtp, verifyOtp } from "../public-chat/otp.js";
-import { deliverOtp } from "../public-chat/deliver-otp.js";
+import { deliverOtp, hasPhoneMethod, normalizeVerifyMethods } from "../public-chat/deliver-otp.js";
 import { buildPublicSessionKey, resolvePublicAgentId } from "../public-chat/session.js";
 /** Strip spaces, dashes, and parentheses from a phone number. */
 function normalizePhone(raw) {
@@ -46,10 +46,11 @@ export const publicChatHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "public chat disabled"));
             return;
         }
-        const isEmail = rawIdentifier.includes("@");
-        const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+        const isEmailId = rawIdentifier.includes("@");
+        const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.accountSettings?.[accountId ?? ""]?.verifyMethods ??
+            cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
         let identifier;
-        if (isEmail) {
+        if (isEmailId) {
             if (!verifyMethods.includes("email")) {
                 respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "email verification is not enabled"));
                 return;
@@ -61,7 +62,7 @@ export const publicChatHandlers = {
             }
         }
         else {
-            if (!verifyMethods.includes("phone")) {
+            if (!hasPhoneMethod(verifyMethods)) {
                 respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "phone verification is not enabled"));
                 return;
             }
@@ -82,8 +83,14 @@ export const publicChatHandlers = {
         const whatsappAccountId = agentId
             ? (resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined)
             : undefined;
+        // Narrow delivery to visitor's preferred channel if specified and admin-enabled
+        const preferredChannel = typeof params.channel === "string" ? params.channel : undefined;
+        const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
+            ? [preferredChannel]
+            : verifyMethods;
+        const brandName = accountId || undefined;
         try {
-            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId);
+            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods, brandName);
             respond(true, { ok: true, channel: delivery.channel });
         }
         catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.11.2",
+  "version": "1.12.1",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/brevo/references/sms-credits.md

@@ -2,7 +2,9 @@
 
 Walk the user through purchasing SMS credits in Brevo. SMS verification uses the same Brevo API key as email — no additional configuration in Taskmaster. The user just needs credits in their Brevo account.
 
-**Important:** SMS credits are prepaid and never expire. Pricing varies by country (see below). The SMS sender name is auto-detected from the user's verified email sender in Brevo — no manual configuration needed.
+**Important:** SMS credits are prepaid and never expire. The cost depends on the destination country and number of messages.
+
+**SMS sender name:** The name that appears on the SMS (e.g. "Taskmaster") is taken from the same Brevo verified sender used for email — matched by email address. If you have multiple senders in Brevo, the one whose email matches the configured sender is used. The name is truncated to 11 characters (GSM limit) — if longer, the first word is used (e.g. "Rubytech LLC" becomes "Rubytech"). To control the SMS sender name, edit the sender's display name in Brevo under **Senders, Domains & Dedicated IPs → Senders**.
 
 ---
 
@@ -21,38 +23,43 @@ Walk the user through purchasing SMS credits in Brevo. SMS verification uses the
 
 ## Step 2: Purchase SMS credits
 
-> "1. Go to **brevo.com** and log in
-> 2. In the **top-right toolbar**, click the **gear icon** (⚙️) to open **Settings**
-> 3. In the left sidebar, look for **Your plan** or **Billing** under your account settings
-> 4. Find the **SMS credits** section and click **Buy credits**
-> 5. Choose how many credits you need:
->    - **100 credits** is a good starting amount for verification codes
->    - Each SMS uses 1 credit
->    - Credits never expire
-> 6. Complete the purchase
+**Navigation: Dashboard home → lightning icon (top-right toolbar) → "Campaign usage and plan" popup → SMS section → "Get more credits".**
+
+> "1. Go to **app.brevo.com** and log in — you should see the main dashboard ('Hello [name]')
+> 2. In the **top-right toolbar**, click the **lightning bolt icon** (⚡) — it's to the left of the help (?) and gear (⚙️) icons
+> 3. A **'Campaign usage and plan'** popup appears showing your plan, email credits, and SMS credits
+> 4. Under the **SMS** section (shows '0 credits left' if you haven't bought any), click **'Get more credits'**
+> 5. On the **'Add messages credits'** page:
+>    - **Type of message** — select **SMS**
+>    - **Number of messages** — enter **100** (a good starting amount for verification codes)
+>    - **Message destination** — select your country (e.g. **United Kingdom**)
+>    - The **Purchase summary** on the right shows the total cost
+> 6. Click **'Proceed to checkout'** and complete the purchase
 >
 > Let me know when that's done."
 
+If the user can't find the lightning icon:
+
+> "In the top-right toolbar of the Brevo dashboard, there are several small icons. The lightning bolt (⚡) is the first one on the left, before the help (?), gear (⚙️), bell (🔔), and chart icons. Click that — it opens a popup showing your plan and credits."
+
 Wait for the user to confirm.
 
 ## Step 3: Confirm
 
-> "SMS verification is now enabled. When a visitor verifies their phone number and WhatsApp is unavailable, the verification code will be sent by text message instead. No restart or configuration change needed — it works automatically with your existing Brevo API key."
+> "SMS credits are ready. To enable SMS verification, go to the **Setup** page → **Public Chat** settings → check the **SMS** checkbox under verification methods. You can enable SMS alongside WhatsApp, or on its own. When a visitor chooses SMS on the public chat page, the code is sent by text message. No restart needed — it uses your existing Brevo API key."
 
 ---
 
 ## Pricing reference
 
-Approximate SMS credit costs (varies by country):
+Pricing depends on the destination country and volume. The exact cost is shown on the checkout page when you select a country and message count. As a rough guide:
 
-| Region | Cost per 100 credits |
-|--------|---------------------|
+| Destination | 100 messages |
+|-------------|-------------|
+| UK | ~£2.82 |
 | US / Canada | ~$1.09 |
-| UK | ~$3.45 |
-| Australia | ~$5.50 |
-| EU (varies) | ~$3.00–$7.00 |
 
-Exact pricing is shown during purchase in the Brevo dashboard.
+Credits are called "message credits" and can be used for SMS. On the free plan, WhatsApp messages via Brevo require a Professional plan upgrade — but we don't use Brevo for WhatsApp, so this doesn't apply.
 
 ---
 
@@ -61,8 +68,9 @@ Exact pricing is shown during purchase in the Brevo dashboard.
 | Question | Answer |
 |----------|--------|
 | "Do credits expire?" | No — prepaid SMS credits never expire. |
-| "How many credits per SMS?" | One credit per message. Each verification code is one SMS. |
+| "How many credits per SMS?" | Depends on the destination country. The purchase page shows the exact conversion (e.g. 316.5 credits = 100 UK messages). |
 | "What phone number do SMS come from?" | Brevo assigns a sender automatically based on the destination country. You don't need to buy or manage a phone number. |
-| "What name appears on the SMS?" | The sender name from your verified email sender in Brevo (e.g. your business name). Taskmaster detects this automatically. |
+| "What name appears on the SMS?" | The display name from the same Brevo verified sender used for email (matched by email address). Must be 11 characters or fewer — if longer, the first word is used. Edit sender names under **Senders, Domains & Dedicated IPs → Senders** in Brevo. |
 | "Do I need to change anything in Taskmaster?" | No. If your Brevo API key is already configured, SMS works automatically when you have credits. |
 | "Can I use SMS without email?" | The Brevo API key is configured through the email setup, but once configured it serves both email and SMS. You need at least one verified sender. |
+| "Where do I check my remaining credits?" | Click the lightning bolt icon (⚡) in the top-right toolbar. The popup shows your SMS credits remaining. |