@rubytech/taskmaster 1.9.3 → 1.9.5

package/dist/agents/auth-profiles/store.js

@@ -134,7 +134,9 @@ function mergeAuthProfileStores(base, override) {
         !override.usageStats) {
         return base;
     }
-    // Merge profiles, preferring the fresher credential for OAuth/token types
+    // Merge profiles, preferring the fresher credential for OAuth/token types.
+    // For api_key profiles, prefer base (main store) — centralized API key
+    // management writes there, and agent stores only have inherited copies.
     const mergedProfiles = { ...base.profiles };
     for (const [profileId, overrideCred] of Object.entries(override.profiles)) {
         const baseCred = base.profiles[profileId];
@@ -142,8 +144,14 @@ function mergeAuthProfileStores(base, override) {
             // No conflict — use override
             mergedProfiles[profileId] = overrideCred;
         }
+        else if (baseCred.type === "api_key" && overrideCred.type === "api_key") {
+            // API keys: base (main store) is authoritative — applyApiKeys() writes
+            // the centralized key there.  Agent stores only have stale inherited
+            // copies.  Always prefer base so key updates propagate immediately.
+            // (keep base — already in mergedProfiles)
+        }
         else {
-            // Both have this profile — prefer the one with later expiry (fresher token)
+            // OAuth/token: prefer the one with later expiry (fresher token)
             const baseExpiry = getCredentialExpiry(baseCred);
             const overrideExpiry = getCredentialExpiry(overrideCred);
             if (overrideExpiry >= baseExpiry) {

package/dist/agents/pi-embedded-runner/run/attempt.js

@@ -486,6 +486,46 @@ export async function runEmbeddedAttempt(params) {
                     ? validateAnthropicTurns(validatedGemini)
                     : validatedGemini;
                 const limited = limitHistoryTurns(validated, getEffectiveHistoryLimit(params.sessionKey, params.config));
+                // On the first turn of a public-chat session, inject the configured
+                // greeting as a synthetic assistant message so the agent knows what
+                // the visitor is responding to and treats it as its own opening message.
+                // Greetings are keyed by accountId (workspace), not agentId, so we
+                // resolve which accountId maps to this session's agent.
+                if (limited.length === 0 && params.config?.publicChat?.greetings && params.sessionKey) {
+                    const greetings = params.config.publicChat.greetings;
+                    const { sessionAgentId } = resolveSessionAgentIds({
+                        sessionKey: params.sessionKey,
+                        config: params.config,
+                    });
+                    // Find greeting: try agentId first, then find the accountId whose
+                    // public agent matches this session's agent.
+                    let greetingText = greetings[sessionAgentId];
+                    if (!greetingText) {
+                        for (const [accountId, text] of Object.entries(greetings)) {
+                            if (!text)
+                                continue;
+                            try {
+                                const { resolvePublicAgentId } = await import("../../../gateway/public-chat/session.js");
+                                const mapped = resolvePublicAgentId(params.config, accountId);
+                                if (mapped === sessionAgentId) {
+                                    greetingText = text;
+                                    break;
+                                }
+                            }
+                            catch {
+                                break;
+                            }
+                        }
+                    }
+                    if (greetingText) {
+                        log.info(`Injecting greeting as assistant message: agentId=${sessionAgentId} greeting="${greetingText.slice(0, 60)}"`);
+                        limited.unshift({
+                            role: "assistant",
+                            content: [{ type: "text", text: greetingText }],
+                            timestamp: 0,
+                        });
+                    }
+                }
                 cacheTrace?.recordStage("session:limited", { messages: limited });
                 if (limited.length > 0) {
                     activeSession.agent.replaceMessages(limited);

package/dist/agents/taskmaster-tools.js

@@ -34,6 +34,7 @@ import { createSkillReadTool } from "./tools/skill-read-tool.js";
 import { createApiKeysTool } from "./tools/apikeys-tool.js";
 import { createImageGenerateTool } from "./tools/image-generate-tool.js";
 import { createSoftwareUpdateTool } from "./tools/software-update-tool.js";
+import { createVerifyContactTool, createVerifyContactCodeTool, } from "./tools/verify-contact-tool.js";
 export function createTaskmasterTools(options) {
     const imageTool = options?.agentDir?.trim()
         ? createImageTool({
@@ -147,6 +148,8 @@ export function createTaskmasterTools(options) {
         createContactDeleteTool(),
         createContactLookupTool(),
         createContactUpdateTool(),
+        createVerifyContactTool({ agentSessionKey: options?.agentSessionKey }),
+        createVerifyContactCodeTool({ agentSessionKey: options?.agentSessionKey }),
         createRelayMessageTool(),
         createApiKeysTool(),
         createFileDeleteTool({

package/dist/agents/tool-policy.js

@@ -36,7 +36,14 @@ export const TOOL_GROUPS = {
     // Skill management
     "group:skills": ["skill_read", "skill_draft_save"],
     // Contact record management
-    "group:contacts": ["contact_create", "contact_delete", "contact_lookup", "contact_update"],
+    "group:contacts": [
+        "contact_create",
+        "contact_delete",
+        "contact_lookup",
+        "contact_update",
+        "verify_contact",
+        "verify_contact_code",
+    ],
     // Admin management tools
     "group:admin": ["authorize_admin", "revoke_admin", "list_admins"],
     // All Taskmaster native tools (excludes provider plugins).
@@ -71,6 +78,8 @@ export const TOOL_GROUPS = {
         "file_delete",
         "file_list",
         "skill_draft_save",
+        "verify_contact",
+        "verify_contact_code",
     ],
 };
 // Tools that are never granted by profiles — must be explicitly added to the

package/dist/agents/tools/apikeys-tool.js

@@ -13,7 +13,7 @@ const ApiKeysSchema = Type.Object({
         description: 'Action to perform: "set" stores a key, "list" shows which providers have keys configured, "remove" deletes a stored key, "disable" toggles a key on/off without deleting it.',
     }),
     provider: Type.Optional(Type.String({
-        description: "Provider ID (required for set/remove/disable). Valid providers: anthropic, google, tavily, openai, replicate, hume, brave, elevenlabs.",
+        description: "Provider ID (required for set/remove/disable). Valid providers: anthropic, google, tavily, openai, replicate, hume, brave, elevenlabs, resend.",
     })),
     apiKey: Type.Optional(Type.String({
         description: "The API key value (required for set).",
@@ -26,7 +26,7 @@ export function createApiKeysTool() {
     return {
         label: "API Keys",
         name: "api_keys",
-        description: "Manage API keys for external providers. Use action 'set' to store a key (provider + apiKey required), 'list' to check which providers have keys configured, 'remove' to delete a stored key, or 'disable' to toggle a key on/off without deleting it (provider + disabled required). Valid providers: anthropic, google, tavily, openai, replicate, hume, brave, elevenlabs. Keys are applied immediately without restart.",
+        description: "Manage API keys for external providers. Use action 'set' to store a key (provider + apiKey required), 'list' to check which providers have keys configured, 'remove' to delete a stored key, or 'disable' to toggle a key on/off without deleting it (provider + disabled required). Valid providers: anthropic, google, tavily, openai, replicate, hume, brave, elevenlabs, resend. Keys are applied immediately without restart.",
         parameters: ApiKeysSchema,
         execute: async (_toolCallId, args) => {
             const params = args;

package/dist/agents/tools/file-delete-tool.js

@@ -2,7 +2,7 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { realpath } from "node:fs/promises";
 import { Type } from "@sinclair/typebox";
-import { resolveAgentWorkspaceRoot, resolveSessionAgentId } from "../agent-scope.js";
+import { resolveAgentWorkspaceDir, resolveAgentWorkspaceRoot, resolveSessionAgentId, } from "../agent-scope.js";
 import { jsonResult, readStringParam } from "./common.js";
 const FileDeleteSchema = Type.Object({
     path: Type.String({
@@ -18,13 +18,7 @@ const FileDeleteSchema = Type.Object({
  * Protected top-level entries that cannot be deleted.
  * These are structural directories/files whose removal would break the workspace.
  */
-const PROTECTED_TOP_LEVEL = new Set([
-    "agents",
-    "IDENTITY.md",
-    "SOUL.md",
-    "AGENTS.md",
-    "TOOLS.md",
-]);
+const PROTECTED_TOP_LEVEL = new Set(["agents", "IDENTITY.md", "SOUL.md", "AGENTS.md", "TOOLS.md"]);
 /**
  * Validate that `target` is strictly inside `root` (not equal to root).
  * Both paths must be real (symlinks resolved) before calling.
@@ -56,12 +50,17 @@ export function createFileDeleteTool(options) {
                 config: cfg,
             });
             const workspaceRoot = resolveAgentWorkspaceRoot(cfg, agentId);
+            const agentWorkspaceDir = resolveAgentWorkspaceDir(cfg, agentId);
             // ── Normalise and resolve target ────────────────────────────
             // Reject obviously malicious patterns before touching the filesystem.
             if (rawPath.includes("\0")) {
                 return jsonResult({ error: "Invalid path." });
             }
-            const resolved = path.resolve(workspaceRoot, rawPath);
+            // Memory paths resolve relative to the agent's workspace dir, which
+            // contains shared-scope symlinks alongside agent-scoped subdirectories.
+            const isMemoryPath = rawPath === "memory" || rawPath.startsWith("memory/");
+            const base = isMemoryPath ? agentWorkspaceDir : workspaceRoot;
+            const resolved = path.resolve(base, rawPath);
             // ── Containment check (pre-realpath) ────────────────────────
             if (!isInsideRoot(resolved, workspaceRoot)) {
                 return jsonResult({ error: "Path is outside the workspace." });
@@ -94,12 +93,18 @@ export function createFileDeleteTool(options) {
                 return jsonResult({ error: "Path resolves outside the workspace." });
             }
             // ── Protected path check ────────────────────────────────────
-            const relative = path.relative(realRoot, realTarget);
-            const topSegment = relative.split(path.sep)[0];
-            if (topSegment && PROTECTED_TOP_LEVEL.has(topSegment)) {
-                return jsonResult({
-                    error: `Cannot delete protected path: ${topSegment} is a structural workspace entry.`,
-                });
+            // Memory paths physically reside under agents/<id>/memory/ but the
+            // user addresses them as memory/…  — they are never structural entries.
+            // Only apply the structural protection for non-memory paths resolved
+            // against the workspace root.
+            if (!isMemoryPath) {
+                const relative = path.relative(realRoot, realTarget);
+                const topSegment = relative.split(path.sep)[0];
+                if (topSegment && PROTECTED_TOP_LEVEL.has(topSegment)) {
+                    return jsonResult({
+                        error: `Cannot delete protected path: ${topSegment} is a structural workspace entry.`,
+                    });
+                }
             }
             // ── Delete ──────────────────────────────────────────────────
             try {

package/dist/agents/tools/file-list-tool.js

@@ -2,7 +2,7 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { realpath } from "node:fs/promises";
 import { Type } from "@sinclair/typebox";
-import { resolveAgentWorkspaceRoot, resolveSessionAgentId } from "../agent-scope.js";
+import { resolveAgentWorkspaceDir, resolveAgentWorkspaceRoot, resolveSessionAgentId, } from "../agent-scope.js";
 import { jsonResult, readStringParam, readNumberParam } from "./common.js";
 const FileListSchema = Type.Object({
     path: Type.Optional(Type.String({
@@ -82,11 +82,18 @@ export function createFileListTool(options) {
                 config: cfg,
             });
             const workspaceRoot = resolveAgentWorkspaceRoot(cfg, agentId);
+            const agentWorkspaceDir = resolveAgentWorkspaceDir(cfg, agentId);
             // ── Normalise and resolve target ────────────────────────────
             if (rawPath.includes("\0")) {
                 return jsonResult({ error: "Invalid path." });
             }
-            const resolved = rawPath ? path.resolve(workspaceRoot, rawPath) : workspaceRoot;
+            // Memory paths resolve relative to the agent's workspace dir, which
+            // contains shared-scope symlinks (groups/, users/, …) alongside
+            // agent-scoped subdirectories (admin/, notes/, uploads/).  The
+            // workspace root's memory/ only has the shared scopes.
+            const isMemoryPath = rawPath === "memory" || rawPath.startsWith("memory/");
+            const base = isMemoryPath ? agentWorkspaceDir : workspaceRoot;
+            const resolved = rawPath ? path.resolve(base, rawPath) : workspaceRoot;
             // ── Containment check ───────────────────────────────────────
             let realTarget;
             try {

package/dist/agents/tools/image-generate-api.js

@@ -1,11 +1,11 @@
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import { fetchWithTimeout, normalizeBaseUrl, readErrorResponse, } from "../../media-understanding/providers/shared.js";
 const log = createSubsystemLogger("image-gen");
-/** Show first 4 and last 4 characters of a key, mask everything in between. */
+/** Show first 8 and last 4 characters of a key, mask everything in between. */
 function maskKey(key) {
-    if (key.length <= 12)
+    if (key.length <= 16)
         return `${key.slice(0, 4)}...`;
-    return `${key.slice(0, 4)}...${key.slice(-4)}`;
+    return `${key.slice(0, 8)}...${key.slice(-4)}`;
 }
 /* ------------------------------------------------------------------ */
 /*  Constants                                                         */

package/dist/agents/tools/image-generate-tool.js

@@ -10,11 +10,11 @@ const log = createSubsystemLogger("image-gen");
 /* ------------------------------------------------------------------ */
 /*  Helpers                                                           */
 /* ------------------------------------------------------------------ */
-/** Show first 4 and last 4 characters of a key, mask everything in between. */
+/** Show first 8 and last 4 characters of a key, mask everything in between. */
 function maskKey(key) {
-    if (key.length <= 12)
+    if (key.length <= 16)
         return `${key.slice(0, 4)}...`;
-    return `${key.slice(0, 4)}...${key.slice(-4)}`;
+    return `${key.slice(0, 8)}...${key.slice(-4)}`;
 }
 /* ------------------------------------------------------------------ */
 /*  Constants                                                         */

package/dist/agents/tools/verify-contact-tool.js

@@ -0,0 +1,197 @@
+/**
+ * Cross-authentication tool -- links a second identifier (phone or email) to an
+ * existing contact by sending an OTP to the new identifier and verifying it.
+ *
+ * Two-step flow:
+ *   1. verify_contact -- sends OTP to the unverified identifier
+ *   2. verify_contact_code -- confirms the OTP and updates the contact record
+ */
+import { Type } from "@sinclair/typebox";
+import { loadConfig } from "../../config/config.js";
+import { deliverOtp } from "../../gateway/public-chat/deliver-otp.js";
+import { requestOtp, verifyOtp } from "../../gateway/public-chat/otp.js";
+import { findRecordByEmail, findRecordByPhone, getRecord, setRecord, } from "../../records/records-manager.js";
+import { resolveAgentBoundAccountId } from "../../routing/bindings.js";
+import { jsonResult } from "./common.js";
+/** In-memory pending cross-auth keyed by session key. */
+const pendingCrossAuth = new Map();
+const VerifyContactSchema = Type.Object({
+    type: Type.Union([Type.Literal("phone"), Type.Literal("email")], {
+        description: 'The type of identifier to verify: "phone" or "email".',
+    }),
+    value: Type.String({
+        description: "The phone number (E.164 format) or email address to send the verification code to.",
+    }),
+});
+const VerifyContactCodeSchema = Type.Object({
+    code: Type.String({ description: "The 6-digit verification code." }),
+});
+/** Extract the peer identifier from a DM session key (agent:x:dm:identifier). */
+function extractPeerId(sessionKey) {
+    const match = sessionKey.match(/^agent:[^:]+:dm:(.+)$/);
+    return match?.[1];
+}
+/** Extract the agent ID from a session key (agent:x:...). */
+function extractAgentId(sessionKey) {
+    const match = sessionKey.match(/^agent:([^:]+):/);
+    return match?.[1];
+}
+/** Resolve the contact record for a given peer identifier. */
+function resolveContactForPeer(peerId) {
+    const isEmailPeer = peerId.includes("@");
+    if (isEmailPeer)
+        return findRecordByEmail(peerId);
+    return findRecordByPhone(peerId) ?? getRecord(peerId);
+}
+export function createVerifyContactTool(opts) {
+    const sessionKey = opts?.agentSessionKey;
+    return {
+        label: "Verification",
+        name: "verify_contact",
+        description: "Send a verification code to a phone number or email address to cross-authenticate the current contact. " +
+            "Use this when a contact who authenticated via one method (e.g. email) provides their other identifier " +
+            "(e.g. phone number) and you want to verify and link it to their contact record.",
+        parameters: VerifyContactSchema,
+        execute: async (_toolCallId, args) => {
+            const params = args;
+            if (!sessionKey) {
+                return jsonResult({ success: false, error: "no active session" });
+            }
+            const peerId = extractPeerId(sessionKey);
+            if (!peerId || peerId.startsWith("anon-")) {
+                return jsonResult({
+                    success: false,
+                    error: "contact must be authenticated (not anonymous) to cross-verify",
+                });
+            }
+            const contact = resolveContactForPeer(peerId);
+            if (!contact) {
+                return jsonResult({
+                    success: false,
+                    error: `no contact record found for ${peerId}`,
+                });
+            }
+            // Check they don't already have this identifier
+            if (params.type === "email" && contact.email) {
+                return jsonResult({
+                    success: false,
+                    error: `contact already has email: ${contact.email}`,
+                });
+            }
+            if (params.type === "phone" && contact.phone) {
+                return jsonResult({
+                    success: false,
+                    error: `contact already has phone: ${contact.phone}`,
+                });
+            }
+            // Check for conflicts -- another contact already using this identifier
+            const existing = params.type === "email" ? findRecordByEmail(params.value) : findRecordByPhone(params.value);
+            if (existing && existing.id !== contact.id) {
+                return jsonResult({
+                    success: false,
+                    error: `another contact (${existing.name}) already uses this ${params.type}`,
+                });
+            }
+            // Request and deliver OTP
+            const normalized = params.type === "email" ? params.value.toLowerCase() : params.value;
+            const otpResult = requestOtp(normalized);
+            if (!otpResult.ok) {
+                return jsonResult({
+                    success: false,
+                    error: "rate limited -- try again shortly",
+                    retryAfterMs: otpResult.retryAfterMs,
+                });
+            }
+            const cfg = loadConfig();
+            const agentId = extractAgentId(sessionKey);
+            const whatsappAccountId = agentId
+                ? (resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined)
+                : undefined;
+            try {
+                const delivery = await deliverOtp(normalized, otpResult.code, whatsappAccountId);
+                pendingCrossAuth.set(sessionKey, {
+                    type: params.type,
+                    value: normalized,
+                    contactId: contact.id,
+                });
+                return jsonResult({
+                    success: true,
+                    message: `Verification code sent via ${delivery.channel}. Ask the contact for the code.`,
+                    channel: delivery.channel,
+                });
+            }
+            catch (err) {
+                return jsonResult({
+                    success: false,
+                    error: err instanceof Error ? err.message : "failed to send verification code",
+                });
+            }
+        },
+    };
+}
+export function createVerifyContactCodeTool(opts) {
+    const sessionKey = opts?.agentSessionKey;
+    return {
+        label: "Verification",
+        name: "verify_contact_code",
+        description: "Verify a cross-authentication code. Call this after verify_contact when the contact provides the 6-digit code.",
+        parameters: VerifyContactCodeSchema,
+        execute: async (_toolCallId, args) => {
+            const params = args;
+            if (!sessionKey) {
+                return jsonResult({ success: false, error: "no active session" });
+            }
+            const pending = pendingCrossAuth.get(sessionKey);
+            if (!pending) {
+                return jsonResult({
+                    success: false,
+                    error: "no pending cross-verification -- call verify_contact first",
+                });
+            }
+            const result = verifyOtp(pending.value, params.code);
+            if (!result.ok) {
+                const messages = {
+                    not_found: "no pending verification -- code may have expired",
+                    expired: "verification code expired -- request a new one",
+                    max_attempts: "too many attempts -- request a new code",
+                    invalid: "incorrect code",
+                };
+                // Don't clear pending on invalid code -- let them retry
+                if (result.error !== "invalid") {
+                    pendingCrossAuth.delete(sessionKey);
+                }
+                return jsonResult({
+                    success: false,
+                    error: messages[result.error] ?? "verification failed",
+                });
+            }
+            // Update contact record with the linked identifier
+            const contact = getRecord(pending.contactId);
+            if (!contact) {
+                pendingCrossAuth.delete(sessionKey);
+                return jsonResult({ success: false, error: "contact record not found" });
+            }
+            const updateInput = {
+                name: contact.name,
+                fields: contact.fields,
+                workspace: contact.workspace,
+            };
+            if (pending.type === "email")
+                updateInput.email = pending.value;
+            else
+                updateInput.phone = pending.value;
+            const updated = setRecord(contact.id, updateInput);
+            pendingCrossAuth.delete(sessionKey);
+            return jsonResult({
+                success: true,
+                message: `${pending.type} verified and linked to contact ${updated.name}.`,
+                contact: {
+                    id: updated.id,
+                    name: updated.name,
+                    email: updated.email,
+                    phone: updated.phone,
+                },
+            });
+        },
+    };
+}

package/dist/agents/workspace-migrations.js

@@ -0,0 +1,163 @@
+/**
+ * Workspace migrations — patches applied to deployed workspace files on gateway startup.
+ *
+ * Unlike bundled skills (which are whole-directory copies), workspace files like
+ * AGENTS.md are customised per-deployment (owner names, phone numbers, business
+ * details). Migrations patch these files in-place — checking for existing content
+ * first so they're idempotent.
+ *
+ * Each migration runs on every startup. They must be safe to re-run (no-op when
+ * the change is already present).
+ */
+import fs from "node:fs/promises";
+import path from "node:path";
+import { createSubsystemLogger } from "../logging/subsystem.js";
+import { listAgentIds, resolveAgentWorkspaceDir } from "./agent-scope.js";
+const log = createSubsystemLogger("workspace-migrations");
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Patterns that indicate a public-facing (non-admin) agent. */
+const PUBLIC_AGENT_INDICATORS = [
+    "customer-facing",
+    "Public Agent",
+    "public agent",
+    "parent and student-facing",
+    "booking agent",
+    "promotional instance",
+];
+/** Formatting section headers commonly found at the end of AGENTS files. */
+const FORMATTING_HEADERS = ["## WhatsApp Formatting", "## Message Formatting", "## Formatting"];
+/** Section headers that typically precede "## Capabilities" in admin agents. */
+const CAPABILITIES_HEADERS = ["## Capabilities", "## Stripe CLI Operations", "## User Management"];
+function isPublicAgent(content) {
+    return PUBLIC_AGENT_INDICATORS.some((p) => content.includes(p));
+}
+/**
+ * Find the index of a formatting-style section to insert before.
+ * Returns -1 if no known section is found.
+ */
+function findFormattingInsertPoint(content) {
+    for (const header of FORMATTING_HEADERS) {
+        const idx = content.lastIndexOf(header);
+        if (idx !== -1)
+            return idx;
+    }
+    return -1;
+}
+/**
+ * Find the index of a "## Capabilities" or similar section to insert before.
+ * Returns -1 if no known section is found.
+ */
+function findCapabilitiesInsertPoint(content) {
+    for (const header of CAPABILITIES_HEADERS) {
+        const idx = content.indexOf(header);
+        if (idx !== -1)
+            return idx;
+    }
+    return -1;
+}
+/**
+ * Insert a section into AGENTS.md content at the best position.
+ * Uses the provided finder to locate an insertion point; falls back to appending.
+ */
+function insertSection(content, section, findInsertPoint) {
+    const insertIdx = findInsertPoint(content);
+    if (insertIdx !== -1) {
+        return content.slice(0, insertIdx) + section + "\n\n---\n\n" + content.slice(insertIdx);
+    }
+    return content.trimEnd() + "\n\n---\n\n" + section + "\n";
+}
+// ---------------------------------------------------------------------------
+// Migration: Skill Recommendations (v1.9)
+// ---------------------------------------------------------------------------
+const ADMIN_SKILL_SECTION = `## Skill Recommendations
+
+When you notice a task that follows a repeatable pattern — something that has come up before or is likely to recur — proactively suggest creating a skill for it. Skills encode processes so they're followed consistently every time, without relying on memory or re-explanation.
+
+**Signs a task should be a skill:**
+- You've handled the same type of request more than once
+- The task has clear steps that shouldn't vary between occurrences
+- Getting it wrong has consequences (compliance, accuracy, customer experience)
+- The process involves domain knowledge that shouldn't be guessed at
+
+Don't wait to be asked. If you spot the pattern, recommend it.`;
+const PUBLIC_SKILL_SECTION = `## Spotting Repeatable Patterns
+
+When you find yourself repeatedly handling the same type of request — following the same steps, giving the same guidance, or applying the same rules — note the pattern in memory for review. Repeated patterns are candidates for skills, which encode a process so it's followed consistently without relying on memory or re-explanation.`;
+function hasSkillSection(content) {
+    return (content.includes("## Skill Recommendations") ||
+        content.includes("## Spotting Repeatable Patterns"));
+}
+async function patchSkillRecommendations(agentsPath, content) {
+    if (hasSkillSection(content))
+        return null;
+    const section = isPublicAgent(content) ? PUBLIC_SKILL_SECTION : ADMIN_SKILL_SECTION;
+    return insertSection(content, section, findFormattingInsertPoint);
+}
+// ---------------------------------------------------------------------------
+// Migration: Owner Learning (v1.9)
+// ---------------------------------------------------------------------------
+const OWNER_LEARNING_SECTION = `## Learning About Your Operator
+
+You talk to the same person every day. An assistant that adapts to how someone thinks and works is more useful than one that starts fresh every session.
+
+Pay attention to how they communicate, what they care about, how they make decisions, and what works well between you. When you notice something worth remembering — a preference, a pattern, a lesson about working with them — update \`USER.md\` or store it in \`memory/admin/\`.
+
+This isn't a one-time setup. USER.md should grow as your understanding of them deepens: their communication style, decision-making patterns, working rhythms, what they delegate vs handle personally, and what kind of updates they actually find valuable.`;
+function hasOwnerLearningSection(content) {
+    return content.includes("## Learning About") || content.includes("## Learning about");
+}
+async function patchOwnerLearning(agentsPath, content) {
+    // Only admin agents — public agents don't have USER.md or admin memory.
+    if (isPublicAgent(content))
+        return null;
+    if (hasOwnerLearningSection(content))
+        return null;
+    return insertSection(content, OWNER_LEARNING_SECTION, findCapabilitiesInsertPoint);
+}
+const MIGRATIONS = [
+    { name: "skill-recommendations", apply: patchSkillRecommendations },
+    { name: "owner-learning", apply: patchOwnerLearning },
+];
+/**
+ * Run all workspace migrations for every configured agent.
+ * Called once at gateway startup, after bundled skill sync.
+ */
+export async function runWorkspaceMigrations(cfg) {
+    const agentIds = listAgentIds(cfg);
+    for (const agentId of agentIds) {
+        const wsDir = resolveAgentWorkspaceDir(cfg, agentId);
+        const agentsPath = path.join(wsDir, "AGENTS.md");
+        let content;
+        try {
+            content = await fs.readFile(agentsPath, "utf-8");
+        }
+        catch {
+            continue; // No AGENTS.md — nothing to patch.
+        }
+        let current = content;
+        const applied = [];
+        for (const migration of MIGRATIONS) {
+            try {
+                const result = await migration.apply(agentsPath, current);
+                if (result !== null) {
+                    current = result;
+                    applied.push(migration.name);
+                }
+            }
+            catch (err) {
+                log.warn(`migration "${migration.name}" failed for agent "${agentId}": ${String(err)}`);
+            }
+        }
+        if (applied.length > 0) {
+            try {
+                await fs.writeFile(agentsPath, current, "utf-8");
+                log.info(`patched AGENTS.md for agent "${agentId}": ${applied.join(", ")}`);
+            }
+            catch (err) {
+                log.warn(`failed to write AGENTS.md for agent "${agentId}": ${String(err)}`);
+            }
+        }
+    }
+}

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.9.3",
-  "commit": "65d408bbe013355d2df19762fe1a745a98c3584e",
-  "builtAt": "2026-02-27T07:59:49.321Z"
+  "version": "1.9.5",
+  "commit": "521c1bca1da1357a98d5afc5f71aafcf2a5831b8",
+  "builtAt": "2026-02-28T15:36:00.493Z"
 }

package/dist/config/defaults.js

@@ -443,6 +443,10 @@ export function applyApiKeys(config) {
             };
             continue;
         }
+        if (provider === "resend") {
+            cfg = setNestedKey(cfg, ["publicChat", "email", "apiKey"], trimmedKey);
+            continue;
+        }
     }
     return cfg;
 }