@rubytech/taskmaster 1.2.0 → 1.3.0

package/dist/control-ui/index.html

@@ -6,8 +6,8 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-DwMopZij.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-DvB85yTz.css">
+    <script type="module" crossorigin src="./assets/index-DQ1kxYd4.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-CPawOl_z.css">
   </head>
   <body>
     <taskmaster-app></taskmaster-app>

package/dist/gateway/chat-sanitize.js

@@ -130,6 +130,7 @@ export function stripEnvelopeFromMessages(messages) {
 // 2. Remove base64 image blocks from content
 // 3. Add { type: "image", url: "/api/media?path=..." } blocks
 // ---------------------------------------------------------------------------
+import nodeFs from "node:fs";
 import nodePath from "node:path";
 function isBase64ImageBlock(block) {
     if (!block || typeof block !== "object")
@@ -236,7 +237,14 @@ function mediaRefToUrl(ref, workspaceRoot) {
     // Must stay within workspace (no ../ escapes)
     if (relPath.startsWith("..") || nodePath.isAbsolute(relPath))
         return null;
-    return `/api/media?path=${encodeURIComponent(relPath)}`;
+    // Append file mtime as cache buster so updated files are never served stale.
+    let mtime = "";
+    try {
+        const stat = nodeFs.statSync(ref.absPath);
+        mtime = `&t=${stat.mtimeMs | 0}`;
+    }
+    catch { /* file may not exist yet */ }
+    return `/api/media?path=${encodeURIComponent(relPath)}${mtime}`;
 }
 function stripBase64FromContentBlocks(content) {
     let changed = false;
@@ -302,11 +310,17 @@ export function sanitizeMediaForChat(messages, workspaceRoot) {
         // No workspace context — fall back to plain base64 stripping
         return stripBase64ImagesFromMessages(messages);
     }
-    // Track paths across all messages to prevent duplicate blocks when an
+    // Track paths within each assistant turn to prevent duplicate blocks when an
     // assistant message echoes a MEDIA: ref that already appeared in a tool result.
+    // Reset at each user message so the same file can be re-shared in later turns.
     const seenPaths = new Set();
     let changed = false;
     const next = messages.map((message) => {
+        // Reset dedup at user turn boundaries so files can appear again in later turns.
+        const entry = message;
+        const role = typeof entry?.role === "string" ? entry.role.toLowerCase() : "";
+        if (role === "user")
+            seenPaths.clear();
         const result = sanitizeMessageMedia(message, workspaceRoot, seenPaths);
         if (result !== message)
             changed = true;

package/dist/gateway/config-reload.js

@@ -9,6 +9,7 @@ const BASE_RELOAD_RULES = [
     { prefix: "access", kind: "none" },
     { prefix: "publicChat", kind: "none" },
     { prefix: "apiKeys", kind: "none" },
+    { prefix: "apiKeysDisabled", kind: "none" },
     { prefix: "gateway.remote", kind: "none" },
     { prefix: "gateway.reload", kind: "none" },
     { prefix: "hooks.gmail", kind: "hot", actions: ["restart-gmail-watcher"] },

package/dist/gateway/media-http.js

@@ -22,6 +22,16 @@ const ALLOWED_MEDIA_EXTENSIONS = new Set([
     ".tiff",
     ".tif",
     ".pdf",
+    // Audio
+    ".mp3",
+    ".opus",
+    ".ogg",
+    ".oga",
+    ".wav",
+    ".m4a",
+    ".webm",
+    ".aac",
+    ".flac",
 ]);
 function contentType(ext) {
     switch (ext) {
@@ -45,6 +55,24 @@ function contentType(ext) {
             return "image/tiff";
         case ".pdf":
             return "application/pdf";
+        // Audio
+        case ".mp3":
+            return "audio/mpeg";
+        case ".opus":
+            return "audio/opus";
+        case ".ogg":
+        case ".oga":
+            return "audio/ogg";
+        case ".wav":
+            return "audio/wav";
+        case ".m4a":
+            return "audio/mp4";
+        case ".webm":
+            return "audio/webm";
+        case ".aac":
+            return "audio/aac";
+        case ".flac":
+            return "audio/flac";
         default:
             return "application/octet-stream";
     }
@@ -109,7 +137,10 @@ export function handleMediaRequest(req, res, opts) {
     res.statusCode = 200;
     res.setHeader("Content-Type", contentType(ext));
     res.setHeader("Content-Length", stat.size);
-    res.setHeader("Cache-Control", "private, max-age=86400");
+    // Revalidate on every request so updated files (e.g. regenerated invoices)
+    // are never served stale. Last-Modified lets the browser use 304 for unchanged files.
+    res.setHeader("Cache-Control", "no-cache");
+    res.setHeader("Last-Modified", stat.mtime.toUTCString());
     if (req.method === "HEAD") {
         res.end();
     }

package/dist/gateway/server-methods/apikeys.js

@@ -1,18 +1,24 @@
 /**
  * Gateway handlers for centralized API key management.
  *
- * apikeys.list  — returns provider catalog with set/unset status
- * apikeys.set   — stores a key for a provider (config watcher hot-reloads)
- * apikeys.remove — removes a key for a provider (config watcher hot-reloads)
+ * apikeys.list    — returns provider catalog with set/unset/disabled status
+ * apikeys.set     — stores a key for a provider (config watcher hot-reloads)
+ * apikeys.remove  — removes a key for a provider (config watcher hot-reloads)
+ * apikeys.disable — toggles a key's disabled state (key preserved, not distributed)
  *
  * No explicit restart needed — the config file watcher detects the change,
  * and `applyApiKeys()` runs as a side effect of `readConfigFileSnapshot()`,
  * injecting keys into the auth profile store and tool config paths.
  * The `apiKeys` prefix is registered as "none" in config-reload.ts.
  */
+import { removeAuthProfile } from "../../agents/auth-profiles.js";
 import { readConfigFileSnapshot, writeConfigFile } from "../../config/config.js";
 import { ErrorCodes, errorShape } from "../protocol/index.js";
 import { formatForLog } from "../ws-log.js";
+/** Providers whose API keys are stored as auth profiles (type: api_key). */
+const AUTH_PROFILE_PROVIDERS = new Set([
+    "anthropic", "openai", "google", "replicate", "hume",
+]);
 const PROVIDER_CATALOG = [
     { id: "anthropic", name: "Anthropic", category: "AI Model", primary: true },
     { id: "google", name: "Google", category: "Voice & Video", primary: true },
@@ -29,9 +35,10 @@ export const apikeysHandlers = {
         try {
             const snapshot = await readConfigFileSnapshot();
             const storedKeys = snapshot.config.apiKeys ?? {};
+            const disabledMap = snapshot.config.apiKeysDisabled ?? {};
             const providers = PROVIDER_CATALOG.map((p) => {
                 const raw = storedKeys[p.id]?.trim();
-                return { ...p, hasKey: Boolean(raw), key: raw || undefined };
+                return { ...p, hasKey: Boolean(raw), disabled: Boolean(disabledMap[p.id]), key: raw || undefined };
             });
             respond(true, { providers });
         }
@@ -73,11 +80,56 @@ export const apikeysHandlers = {
             const existing = { ...config.apiKeys };
             delete existing[provider];
             config.apiKeys = Object.keys(existing).length > 0 ? existing : undefined;
+            // Clean up disabled entry when key is removed
+            if (config.apiKeysDisabled?.[provider]) {
+                const disabled = { ...config.apiKeysDisabled };
+                delete disabled[provider];
+                config.apiKeysDisabled = Object.keys(disabled).length > 0 ? disabled : undefined;
+            }
             await writeConfigFile(config);
+            // Remove the auth profile so stale credentials are not picked up by
+            // provider resolution (the profile outlives the config key otherwise).
+            if (AUTH_PROFILE_PROVIDERS.has(provider)) {
+                removeAuthProfile({ profileId: `${provider}:api-key` });
+            }
             respond(true, { ok: true, provider });
         }
         catch (err) {
             respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
         }
     },
+    "apikeys.disable": async ({ params, respond }) => {
+        try {
+            const provider = params.provider?.trim();
+            const disabled = params.disabled;
+            if (!provider || !VALID_PROVIDER_IDS.has(provider)) {
+                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, `Invalid provider: ${provider ?? "(empty)"}`));
+                return;
+            }
+            if (typeof disabled !== "boolean") {
+                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "disabled must be a boolean"));
+                return;
+            }
+            const snapshot = await readConfigFileSnapshot();
+            const config = { ...snapshot.config };
+            if (disabled) {
+                config.apiKeysDisabled = { ...config.apiKeysDisabled, [provider]: true };
+            }
+            else {
+                const existing = { ...config.apiKeysDisabled };
+                delete existing[provider];
+                config.apiKeysDisabled = Object.keys(existing).length > 0 ? existing : undefined;
+            }
+            await writeConfigFile(config);
+            // Eagerly remove/restore auth profile so the change takes effect
+            // before the config watcher fires.
+            if (disabled && AUTH_PROFILE_PROVIDERS.has(provider)) {
+                removeAuthProfile({ profileId: `${provider}:api-key` });
+            }
+            respond(true, { ok: true, provider, disabled });
+        }
+        catch (err) {
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
+        }
+    },
 };

package/dist/gateway/server-methods/tts.js

@@ -80,8 +80,11 @@ export const ttsHandlers = {
     },
     "tts.setProvider": async ({ params, respond }) => {
         const provider = typeof params.provider === "string" ? params.provider.trim() : "";
-        if (provider !== "openai" && provider !== "elevenlabs" && provider !== "edge") {
-            respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "Invalid provider. Use openai, elevenlabs, or edge."));
+        if (provider !== "openai" &&
+            provider !== "elevenlabs" &&
+            provider !== "edge" &&
+            provider !== "hume") {
+            respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "Invalid provider. Use openai, elevenlabs, hume, or edge."));
             return;
         }
         try {
@@ -115,6 +118,12 @@ export const ttsHandlers = {
                         configured: Boolean(resolveTtsApiKey(config, "elevenlabs")),
                         models: ["eleven_multilingual_v2", "eleven_turbo_v2_5", "eleven_monolingual_v1"],
                     },
+                    {
+                        id: "hume",
+                        name: "Hume",
+                        configured: Boolean(resolveTtsApiKey(config, "hume")),
+                        models: [],
+                    },
                     {
                         id: "edge",
                         name: "Edge TTS",

package/dist/gateway/server.impl.js

@@ -9,6 +9,7 @@ import { CONFIG_PATH_TASKMASTER, isNixMode, loadConfig, migrateLegacyConfig, rea
 import { VERSION } from "../version.js";
 import { isDiagnosticsEnabled } from "../infra/diagnostic-events.js";
 import { logAcceptedEnvOption } from "../infra/env.js";
+import { reconcileAgentContactTools } from "../config/agent-tools-reconcile.js";
 import { applyPluginAutoEnable } from "../config/plugin-auto-enable.js";
 import { clearAgentRunContext, onAgentEvent } from "../infra/agent-events.js";
 import { onHeartbeatEvent } from "../infra/heartbeat-events.js";
@@ -121,6 +122,20 @@ export async function startGatewayServer(port = 18789, opts = {}) {
             log.warn(`gateway: failed to persist plugin auto-enable changes: ${String(err)}`);
         }
     }
+    // Reconcile agent tool groups (e.g. individual contact tools → group:contacts).
+    const toolReconcile = reconcileAgentContactTools({ config: configSnapshot.config });
+    if (toolReconcile.changes.length > 0) {
+        try {
+            await writeConfigFile(toolReconcile.config);
+            configSnapshot = await readConfigFileSnapshot();
+            log.info(`gateway: reconciled agent tools:\n${toolReconcile.changes
+                .map((entry) => `- ${entry}`)
+                .join("\n")}`);
+        }
+        catch (err) {
+            log.warn(`gateway: failed to persist agent tools reconciliation: ${String(err)}`);
+        }
+    }
     // Stamp config with running version on startup so upgrades keep the stamp current.
     const storedVersion = configSnapshot.config.meta?.lastTouchedVersion;
     if (configSnapshot.exists && storedVersion !== VERSION) {

package/dist/media-understanding/apply.js

@@ -1,4 +1,5 @@
 import { finalizeInboundContext } from "../auto-reply/reply/inbound-context.js";
+import { logVerbose } from "../globals.js";
 import { extractMediaUserText, formatAudioTranscripts, formatMediaUnderstandingBody, } from "./format.js";
 import { runWithConcurrency } from "./concurrency.js";
 import { resolveConcurrency } from "./resolve.js";
@@ -42,6 +43,40 @@ export async function applyMediaUnderstanding(params) {
         if (decisions.length > 0) {
             ctx.MediaUnderstandingDecisions = [...(ctx.MediaUnderstandingDecisions ?? []), ...decisions];
         }
+        // Surface audio failures so the agent can inform the user instead of receiving
+        // a bare <media:audio> placeholder with no context about what went wrong.
+        const audioDecision = decisions.find((d) => d.capability === "audio");
+        const audioTranscribed = outputs.some((o) => o.kind === "audio.transcription");
+        const bodyHint = ctx.CommandBody ?? ctx.RawBody ?? ctx.Body ?? "";
+        const isAudioPlaceholder = /^<media:audio>/i.test(bodyHint.trim());
+        if (isAudioPlaceholder && !audioTranscribed) {
+            let reason;
+            if (ctx.MediaDownloadFailed) {
+                reason = "media download failed — the voice note could not be retrieved from WhatsApp";
+            }
+            else if (audioDecision?.outcome === "no-attachment") {
+                reason = "no audio file available for transcription";
+            }
+            else if (audioDecision?.outcome === "skipped") {
+                // Distinguish between "no providers at all" (empty attempts) and "providers tried but all failed"
+                const hasAttempts = audioDecision.attachments?.some((a) => a.attempts.length > 0);
+                reason = hasAttempts
+                    ? "all transcription attempts failed"
+                    : "no transcription provider configured (add an OpenAI, Google, Groq, or Deepgram API key)";
+            }
+            else if (audioDecision?.outcome === "disabled") {
+                reason = "audio transcription is disabled in config";
+            }
+            else {
+                reason = `transcription ${audioDecision?.outcome ?? "unavailable"}`;
+            }
+            const note = `[Voice note received but could not be transcribed: ${reason}]`;
+            logVerbose(`applyMediaUnderstanding: ${note}`);
+            ctx.Body = note;
+            ctx.CommandBody = note;
+            ctx.RawBody = note;
+            finalizeInboundContext(ctx, { forceBodyForAgent: true, forceBodyForCommands: true });
+        }
         if (outputs.length > 0) {
             ctx.Body = formatMediaUnderstandingBody({ body: ctx.Body, outputs });
             const audioOutputs = outputs.filter((output) => output.kind === "audio.transcription");

package/dist/media-understanding/providers/deepgram/audio.js

@@ -22,7 +22,7 @@ export async function transcribeDeepgramAudio(params) {
     }
     const headers = new Headers(params.headers);
     if (!headers.has("authorization")) {
-        headers.set("authorization", `Token ${params.apiKey}`);
+        headers.set("authorization", `Token ${params.apiKey ?? ""}`);
     }
     if (!headers.has("content-type")) {
         headers.set("content-type", params.mime ?? "application/octet-stream");

package/dist/media-understanding/providers/google/audio.js

@@ -23,7 +23,7 @@ export async function transcribeGeminiAudio(params) {
         headers.set("content-type", "application/json");
     }
     if (!headers.has("x-goog-api-key")) {
-        headers.set("x-goog-api-key", params.apiKey);
+        headers.set("x-goog-api-key", params.apiKey ?? "");
     }
     const body = {
         contents: [

package/dist/media-understanding/providers/google/video.js

@@ -23,7 +23,7 @@ export async function describeGeminiVideo(params) {
         headers.set("content-type", "application/json");
     }
     if (!headers.has("x-goog-api-key")) {
-        headers.set("x-goog-api-key", params.apiKey);
+        headers.set("x-goog-api-key", params.apiKey ?? "");
     }
     const body = {
         contents: [

package/dist/media-understanding/providers/index.js

@@ -5,6 +5,7 @@ import { googleProvider } from "./google/index.js";
 import { groqProvider } from "./groq/index.js";
 import { minimaxProvider } from "./minimax/index.js";
 import { openaiProvider } from "./openai/index.js";
+import { sherpaOnnxProvider } from "./sherpa-onnx/index.js";
 const PROVIDERS = [
     groqProvider,
     openaiProvider,
@@ -12,6 +13,7 @@ const PROVIDERS = [
     anthropicProvider,
     minimaxProvider,
     deepgramProvider,
+    sherpaOnnxProvider,
 ];
 export function normalizeMediaProviderId(id) {
     const normalized = normalizeProviderId(id);

package/dist/media-understanding/providers/openai/audio.js

@@ -25,7 +25,7 @@ export async function transcribeOpenAiCompatibleAudio(params) {
         form.append("prompt", params.prompt.trim());
     const headers = new Headers(params.headers);
     if (!headers.has("authorization")) {
-        headers.set("authorization", `Bearer ${params.apiKey}`);
+        headers.set("authorization", `Bearer ${params.apiKey ?? ""}`);
     }
     const res = await fetchWithTimeout(url, {
         method: "POST",

package/dist/media-understanding/providers/sherpa-onnx/index.js

@@ -0,0 +1,10 @@
+import { transcribeLocal, MODEL_LABEL } from "../../sherpa-onnx-local.js";
+export const sherpaOnnxProvider = {
+    id: "sherpa-onnx",
+    isLocal: true,
+    capabilities: ["audio"],
+    transcribeAudio: async (req) => {
+        const result = await transcribeLocal(req.buffer, req.fileName);
+        return { text: result.text, model: result.model ?? MODEL_LABEL };
+    },
+};

package/dist/media-understanding/runner.js

@@ -5,7 +5,7 @@ import path from "node:path";
 import { findModelInCatalog, loadModelCatalog, modelSupportsVision, } from "../agents/model-catalog.js";
 import { applyTemplate } from "../auto-reply/templating.js";
 import { requireApiKey, resolveApiKeyForProvider } from "../agents/model-auth.js";
-import { logVerbose, shouldLogVerbose } from "../globals.js";
+import { createSubsystemLogger } from "../logging/subsystem.js";
 import { runExec } from "../process/exec.js";
 import { MediaAttachmentCache, normalizeAttachments, selectAttachments } from "./attachments.js";
 import { CLI_OUTPUT_MAX_BUFFER, DEFAULT_AUDIO_MODELS, DEFAULT_TIMEOUT_SECONDS, } from "./defaults.js";
@@ -23,6 +23,7 @@ const DEFAULT_IMAGE_MODELS = {
     google: "gemini-3-flash-preview",
     minimax: "MiniMax-VL-01",
 };
+const log = createSubsystemLogger("gateway/media");
 export function buildProviderRegistry(overrides) {
     return buildMediaUnderstandingRegistry(overrides);
 }
@@ -33,7 +34,6 @@ export function createMediaAttachmentCache(attachments) {
     return new MediaAttachmentCache(attachments);
 }
 const binaryCache = new Map();
-const geminiProbeCache = new Map();
 function expandHomeDir(value) {
     if (!value.startsWith("~"))
         return value;
@@ -181,26 +181,6 @@ function extractSherpaOnnxText(raw) {
     }
     return null;
 }
-async function probeGeminiCli() {
-    const cached = geminiProbeCache.get("gemini");
-    if (cached)
-        return cached;
-    const resolved = (async () => {
-        if (!(await hasBinary("gemini")))
-            return false;
-        try {
-            const { stdout } = await runExec("gemini", ["--output-format", "json", "ok"], {
-                timeoutMs: 8000,
-            });
-            return Boolean(extractGeminiResponse(stdout) ?? stdout.toLowerCase().includes("ok"));
-        }
-        catch {
-            return false;
-        }
-    })();
-    geminiProbeCache.set("gemini", resolved);
-    return resolved;
-}
 async function resolveLocalWhisperCppEntry() {
     if (!(await hasBinary("whisper-cli")))
         return null;
@@ -234,7 +214,34 @@ async function resolveLocalWhisperEntry() {
         ],
     };
 }
-async function resolveSherpaOnnxEntry() {
+/**
+ * Check if sherpa-onnx-node (npm package) is available with model + ffmpeg.
+ * Returns a provider entry so the pipeline uses the Node.js API directly
+ * (no CLI binary or SHERPA_ONNX_MODEL_DIR env var required).
+ */
+async function resolveSherpaOnnxNodeEntry() {
+    try {
+        const { isReady } = await import("./sherpa-onnx-local.js");
+        if (await isReady()) {
+            return { type: "provider", provider: "sherpa-onnx" };
+        }
+        // Package + ffmpeg available but model not yet downloaded — still viable
+        // (the provider will trigger a lazy download on first use)
+        const { isAvailable } = await import("./sherpa-onnx-local.js");
+        if (await isAvailable()) {
+            return { type: "provider", provider: "sherpa-onnx" };
+        }
+    }
+    catch {
+        // sherpa-onnx-node not installed — skip
+    }
+    return null;
+}
+/**
+ * Fallback: check for sherpa-onnx-offline CLI binary + SHERPA_ONNX_MODEL_DIR env var.
+ * This is the legacy detection path for users who installed the binary manually.
+ */
+async function resolveSherpaOnnxCliEntry() {
     if (!(await hasBinary("sherpa-onnx-offline")))
         return null;
     const modelDir = process.env.SHERPA_ONNX_MODEL_DIR?.trim();
@@ -265,32 +272,19 @@ async function resolveSherpaOnnxEntry() {
     };
 }
 async function resolveLocalAudioEntry() {
-    const sherpa = await resolveSherpaOnnxEntry();
-    if (sherpa)
-        return sherpa;
+    // Prefer sherpa-onnx-node (npm, no PATH issues, automatic model management)
+    const sherpaNode = await resolveSherpaOnnxNodeEntry();
+    if (sherpaNode)
+        return sherpaNode;
+    // Fallback: CLI binary (legacy/manual installs)
+    const sherpaCli = await resolveSherpaOnnxCliEntry();
+    if (sherpaCli)
+        return sherpaCli;
     const whisperCpp = await resolveLocalWhisperCppEntry();
     if (whisperCpp)
         return whisperCpp;
     return await resolveLocalWhisperEntry();
 }
-async function resolveGeminiCliEntry(_capability) {
-    if (!(await probeGeminiCli()))
-        return null;
-    return {
-        type: "cli",
-        command: "gemini",
-        args: [
-            "--output-format",
-            "json",
-            "--allowed-tools",
-            "read_many_files",
-            "--include-directories",
-            "{{MediaDir}}",
-            "{{Prompt}}",
-            "Use read_many_files to read {{MediaPath}} and respond with only the text output.",
-        ],
-    };
-}
 async function resolveKeyEntry(params) {
     const { cfg, agentDir, providerRegistry, capability } = params;
     const checkProvider = async (providerId, model) => {
@@ -362,9 +356,6 @@ async function resolveAutoEntries(params) {
         if (localAudio)
             return [localAudio];
     }
-    const gemini = await resolveGeminiCliEntry(params.capability);
-    if (gemini)
-        return [gemini];
     const keys = await resolveKeyEntry(params);
     if (keys)
         return [keys];
@@ -635,14 +626,18 @@ async function runProviderEntry(params) {
             maxBytes,
             timeoutMs,
         });
-        const auth = await resolveApiKeyForProvider({
-            provider: providerId,
-            cfg,
-            profileId: entry.profile,
-            preferredProfile: entry.preferredProfile,
-            agentDir: params.agentDir,
-        });
-        const apiKey = requireApiKey(auth, providerId);
+        // Local providers (e.g. sherpa-onnx) do not require an API key.
+        let apiKey;
+        if (!provider.isLocal) {
+            const auth = await resolveApiKeyForProvider({
+                provider: providerId,
+                cfg,
+                profileId: entry.profile,
+                preferredProfile: entry.preferredProfile,
+                agentDir: params.agentDir,
+            });
+            apiKey = requireApiKey(auth, providerId);
+        }
         const providerConfig = cfg.models?.providers?.[providerId];
         const baseUrl = entry.baseUrl ?? params.config?.baseUrl ?? providerConfig?.baseUrl;
         const mergedHeaders = {
@@ -751,9 +746,7 @@ async function runCliEntry(params) {
     };
     const argv = [command, ...args].map((part, index) => index === 0 ? part : applyTemplate(part, templCtx));
     try {
-        if (shouldLogVerbose()) {
-            logVerbose(`Media understanding via CLI: ${argv.join(" ")}`);
-        }
+        log.debug(`CLI: ${argv.join(" ")}`);
         const { stdout } = await runExec(argv[0], argv.slice(1), {
             timeoutMs,
             maxBuffer: CLI_OUTPUT_MAX_BUFFER,
@@ -825,9 +818,7 @@ async function runAttachmentEntries(params) {
                     outcome: "skipped",
                     reason: `${err.reason}: ${err.message}`,
                 }));
-                if (shouldLogVerbose()) {
-                    logVerbose(`Skipping ${capability} model due to ${err.reason}: ${err.message}`);
-                }
+                log.debug(`Skipping ${capability} model: ${err.reason}: ${err.message}`);
                 continue;
             }
             attempts.push(buildModelDecision({
@@ -836,9 +827,7 @@ async function runAttachmentEntries(params) {
                 outcome: "failed",
                 reason: String(err),
             }));
-            if (shouldLogVerbose()) {
-                logVerbose(`${capability} understanding failed: ${String(err)}`);
-            }
+            log.error(`${capability} failed: ${String(err)}`);
         }
     }
     return { output: null, attempts };
@@ -866,9 +855,7 @@ export async function runCapability(params) {
     }
     const scopeDecision = resolveScopeDecision({ scope: config?.scope, ctx });
     if (scopeDecision === "deny") {
-        if (shouldLogVerbose()) {
-            logVerbose(`${capability} understanding disabled by scope policy.`);
-        }
+        log.debug(`${capability} disabled by scope policy`);
         return {
             outputs: [],
             decision: {
@@ -885,9 +872,7 @@ export async function runCapability(params) {
         const catalog = await loadModelCatalog({ config: cfg });
         const entry = findModelInCatalog(catalog, activeProvider, params.activeModel?.model ?? "");
         if (modelSupportsVision(entry)) {
-            if (shouldLogVerbose()) {
-                logVerbose("Skipping image understanding: primary model supports vision natively");
-            }
+            log.debug("Skipping image understanding: primary model supports vision natively");
             const model = params.activeModel?.model?.trim();
             const reason = "primary model supports vision natively";
             return {
@@ -966,8 +951,12 @@ export async function runCapability(params) {
         outcome: outputs.length > 0 ? "success" : "skipped",
         attachments: attachmentDecisions,
     };
-    if (shouldLogVerbose()) {
-        logVerbose(`Media understanding ${formatDecisionSummary(decision)}`);
+    const summary = formatDecisionSummary(decision);
+    if (decision.outcome === "success") {
+        log.info(summary);
+    }
+    else {
+        log.debug(summary);
     }
     return {
         outputs,