@vellumai/assistant 0.10.2-dev.202606250318.5e7cfb0 → 0.10.2

package/src/daemon/conversation-surfaces.ts

@@ -3,10 +3,7 @@ import { v4 as uuid } from "uuid";
 import { z } from "zod";
 
 import { SurfaceActionSchema } from "../api/events/ui-surface-show.js";
-import {
-  CardSurfaceDataSchema,
-  FileUploadSurfaceDataSchema,
-} from "../api/surfaces.js";
+import { CardSurfaceDataSchema } from "../api/surfaces.js";
 import { isActivationSession } from "../memory/activation-session-store.js";
 import {
   addAppConversationId,
@@ -59,7 +56,6 @@ import type {
   ConfirmationSurfaceData,
   CopyBlockSurfaceData,
   DynamicPageSurfaceData,
-  FileUploadSurfaceData,
   FormSurfaceData,
   ListSurfaceData,
   OAuthConnectSurfaceData,
@@ -587,20 +583,12 @@ function normalizeCardShowData(
           (typeof input[k] === "string" &&
             (input[k] as string).trim().length > 0),
       );
-      try {
-        Sentry.withScope((scope) => {
-          scope.setLevel("info");
-          scope.setTag("card_normalization", "alias_recovery");
-          scope.setTag("target_field", "body");
-          scope.setContext("card_normalization", {
-            used_aliases: usedAliases,
-            candidate_count: candidates.length,
-          });
-          Sentry.captureMessage("card_normalization:alias_recovery:body");
-        });
-      } catch {
-        // Never let telemetry break card rendering.
-      }
+      Sentry.addBreadcrumb({
+        category: "card-normalization",
+        message: `alias recovery: ${usedAliases.join(", ")} → body`,
+        level: "info",
+        data: { usedAliases, candidateCount: candidates.length },
+      });
     }
   }
   for (const key of bodyAliasKeys) {
@@ -617,16 +605,11 @@ function normalizeCardShowData(
     ]);
     if (aliased !== undefined) {
       normalized.title = aliased;
-      try {
-        Sentry.withScope((scope) => {
-          scope.setLevel("info");
-          scope.setTag("card_normalization", "alias_recovery");
-          scope.setTag("target_field", "title");
-          Sentry.captureMessage("card_normalization:alias_recovery:title");
-        });
-      } catch {
-        // Never let telemetry break card rendering.
-      }
+      Sentry.addBreadcrumb({
+        category: "card-normalization",
+        message: `alias recovery: title`,
+        level: "info",
+      });
     }
   }
   for (const key of titleAliasKeys) {
@@ -651,16 +634,11 @@ function normalizeCardShowData(
     ]);
     if (aliased !== undefined) {
       normalized.subtitle = aliased;
-      try {
-        Sentry.withScope((scope) => {
-          scope.setLevel("info");
-          scope.setTag("card_normalization", "alias_recovery");
-          scope.setTag("target_field", "subtitle");
-          Sentry.captureMessage("card_normalization:alias_recovery:subtitle");
-        });
-      } catch {
-        // Never let telemetry break card rendering.
-      }
+      Sentry.addBreadcrumb({
+        category: "card-normalization",
+        message: `alias recovery: subtitle`,
+        level: "info",
+      });
     }
   }
   for (const key of subtitleAliasKeys) {
@@ -710,21 +688,12 @@ function normalizeCardShowData(
       { droppedKeys },
       "ui_show card data carried keys the card contract does not model; their content will not render",
     );
-    try {
-      Sentry.withScope((scope) => {
-        scope.setLevel("warning");
-        scope.setTag("card_normalization", "dropped_keys");
-        scope.setContext("card_normalization", {
-          dropped_count: droppedKeys.length,
-        });
-        // Key names are model-controlled, so they ride in `extra`, which
-        // beforeSend redacts (it does not scrub `contexts`) — see instrument.ts.
-        scope.setExtra("dropped_keys", droppedKeys);
-        Sentry.captureMessage("card_normalization:dropped_keys");
-      });
-    } catch {
-      // Never let telemetry break card rendering.
-    }
+    Sentry.addBreadcrumb({
+      category: "card-normalization",
+      message: `dropped keys: ${droppedKeys.join(", ")}`,
+      level: "warning",
+      data: { droppedKeys },
+    });
   }
   const parsed = CardSurfaceDataSchema.safeParse(normalized);
   if (parsed.success) {
@@ -860,24 +829,6 @@ function normalizeOAuthConnectShowData(
   };
 }
 
-function normalizeFileUploadShowData(
-  rawData: Record<string, unknown>,
-): FileUploadSurfaceData {
-  // Parse against the canonical schema so the surface carries the shape the
-  // renderer expects. The schema is tolerant (every field optional and coerced)
-  // and recovers the common malformed `acceptedTypes` shapes — a comma-joined or
-  // bare string — into the `string[]` the renderer requires.
-  const parsed = FileUploadSurfaceDataSchema.safeParse(rawData);
-  if (parsed.success) {
-    return parsed.data;
-  }
-  log.warn(
-    { issues: parsed.error.issues },
-    "ui_show file_upload data failed FileUploadSurfaceDataSchema; rendering an empty file_upload surface",
-  );
-  return {};
-}
-
 function buildChoiceActions(data: ChoiceSurfaceData): Array<{
   id: string;
   label: string;
@@ -2944,9 +2895,7 @@ export async function surfaceProxyResolver(
               ? normalizeOAuthConnectShowData(rawData)
               : surfaceType === "dynamic_page"
                 ? normalizeDynamicPageShowData(input, rawData)
-                : surfaceType === "file_upload"
-                  ? normalizeFileUploadShowData(rawData)
-                  : (rawData as SurfaceData);
+                : (rawData as SurfaceData);
     // Parse actions through the schema instead of typecasting raw model output.
     // The model may place actions inside `data` instead of the top-level
     // `actions` param — recover them so they aren't silently dropped.
@@ -2963,27 +2912,18 @@ export async function surfaceProxyResolver(
         if (result.success) {
           valid.push(result.data);
         } else {
-          try {
-            Sentry.withScope((scope) => {
-              scope.setLevel("warning");
-              scope.setTag("card_normalization", "action_parse_failure");
-              scope.setContext("card_normalization", {
-                issue_paths: result.error.issues.map((i) => i.path.join(".")),
-              });
-              // raw object keys are model-controlled, so they ride in `extra`,
-              // which beforeSend redacts (it does not scrub `contexts`) — see
-              // instrument.ts.
-              scope.setExtra(
-                "raw_keys",
+          Sentry.addBreadcrumb({
+            category: "card-normalization",
+            message: "action parse failure (individual)",
+            level: "warning",
+            data: {
+              issuePaths: result.error.issues.map((i) => i.path.join(".")),
+              keys:
                 typeof raw === "object" && raw !== null
                   ? Object.keys(raw)
                   : [typeof raw],
-              );
-              Sentry.captureMessage("card_normalization:action_parse_failure");
-            });
-          } catch {
-            // Never let telemetry break card rendering.
-          }
+            },
+          });
         }
       }
       inputActions = valid.length > 0 ? valid : undefined;
@@ -3021,24 +2961,11 @@ export async function surfaceProxyResolver(
         !hasTemplate &&
         !hasActions
       ) {
-        try {
-          Sentry.withScope((scope) => {
-            scope.setLevel("warning");
-            scope.setTag("card_normalization", "empty_card_rejected");
-            scope.setContext("card_normalization", {
-              surface_type: surfaceType,
-              has_title: hasTitle,
-              has_body: hasBody,
-              has_subtitle: hasSubtitle,
-              has_metadata: hasMetadata,
-              has_template: hasTemplate,
-              has_actions: hasActions,
-            });
-            Sentry.captureMessage("card_normalization:empty_card_rejected");
-          });
-        } catch {
-          // Never let telemetry break card rendering.
-        }
+        Sentry.addBreadcrumb({
+          category: "card-normalization",
+          message: "empty card rejected",
+          level: "warning",
+        });
         return {
           content:
             "Error: ui_show card requires content — provide `data.body`, a `template` (e.g. task_progress with steps), `data.metadata`, `data.subtitle`, a `title`, or `actions`. The surface was not displayed because it carried no renderable content. Resend ui_show with populated card content.",

package/src/daemon/conversation-tool-setup.ts

@@ -22,12 +22,7 @@ import type { Message, ToolDefinition } from "../providers/types.js";
 import { assistantEventHub } from "../runtime/assistant-event-hub.js";
 import { registerConversationSender } from "../tools/browser/browser-screencast.js";
 import type { ToolExecutor } from "../tools/executor.js";
-import {
-  getMcpToolDefinitions,
-  getTool,
-  getWorkspaceToolDefinitions,
-  getWorkspaceToolNames,
-} from "../tools/registry.js";
+import { getMcpToolDefinitions, getTool } from "../tools/registry.js";
 import {
   ACTIVITY_SKIP_SET,
   injectActivityField,
@@ -46,7 +41,6 @@ import {
   type ToolExecutionResult,
   type ToolLifecycleEventHandler,
 } from "../tools/types.js";
-import { loadWorkspaceTools } from "../tools/workspace-tools/loader.js";
 import {
   resolveUsageAttribution,
   type UsageAttributionSnapshot,
@@ -244,10 +238,7 @@ export function createToolExecutor(
           });
         }
       },
-      isInteractive:
-        ctx.currentTurnIsNonInteractive !== undefined
-          ? !ctx.currentTurnIsNonInteractive
-          : !ctx.hasNoClient && !ctx.headlessLock,
+      isInteractive: !ctx.hasNoClient && !ctx.headlessLock,
       proxyToolResolver: (
         toolName: string,
         proxyInput: Record<string, unknown>,
@@ -515,7 +506,6 @@ const PLATFORM_TOOL_NAMES = new Set(["request_system_permission"]);
  */
 export const SUBAGENT_ONLY_TOOL_NAMES = new Set<string>([
   "file_list",
-  "code_search",
   "notify_parent",
 ]);
 
@@ -660,13 +650,11 @@ export function isToolActiveForContext(
  * allowedToolNames so newly-activated skill tools aren't blocked by
  * the executor's stale gate.
  *
- * Core (non-MCP, non-workspace) tool definitions are captured at conversation
- * creation and reused on each turn. MCP and workspace tool definitions are
- * re-read from the global registry on each turn so that tools registered or
- * changed after conversation creation are automatically picked up without
- * requiring conversation disposal or app restart — MCP via `vellum mcp
- * reload`, workspace tools via edits under `<workspaceDir>/tools/` that the
- * per-turn reconcile (kicked below) folds into the registry.
+ * Core (non-MCP) tool definitions are captured at conversation creation and
+ * reused on each turn. MCP tool definitions are re-read from the global
+ * registry on each turn so that tools registered after conversation creation
+ * (e.g. via `vellum mcp reload`) are automatically picked up without
+ * requiring conversation disposal or app restart.
  */
 export function createResolveToolsCallback(
   toolDefs: ToolDefinition[],
@@ -674,21 +662,16 @@ export function createResolveToolsCallback(
 ): ((history: Message[]) => ToolDefinition[]) | undefined {
   if (toolDefs.length === 0) return undefined;
 
-  // Separate the initial tool defs into core (stable) and the two dynamic
-  // categories (MCP, workspace). We keep core tools from the snapshot and
-  // re-read MCP + workspace tools from the registry each turn.
+  // Separate the initial tool defs into core (stable) and MCP (dynamic).
+  // We keep core tools from the snapshot and re-read MCP tools each turn.
   const initialMcpDefs = getMcpToolDefinitions();
   const initialMcpNames = new Set(initialMcpDefs.map((d) => d.name));
-  const initialWorkspaceNames = new Set(getWorkspaceToolNames());
-  const coreToolDefs = toolDefs.filter(
-    (d) => !initialMcpNames.has(d.name) && !initialWorkspaceNames.has(d.name),
-  );
+  const coreToolDefs = toolDefs.filter((d) => !initialMcpNames.has(d.name));
   log.debug(
     {
       coreCount: coreToolDefs.length,
       mcpCount: initialMcpDefs.length,
       mcpTools: initialMcpDefs.map((d) => d.name),
-      workspaceCount: initialWorkspaceNames.size,
     },
     "Conversation tool resolver initialized",
   );
@@ -702,13 +685,6 @@ export function createResolveToolsCallback(
       return [];
     }
 
-    // Reconcile workspace tool overrides under `<workspaceDir>/tools/` into
-    // the registry, then re-read them below — the on-read replacement for a
-    // filesystem watcher. Fire-and-forget: the reconcile is idempotent,
-    // mtime-cached (a no-op costs one readdir + a stat per file) and
-    // serialized, so the registry settles for a subsequent turn to read.
-    void loadWorkspaceTools();
-
     // Filter core tools based on current conversation context so that tools
     // irrelevant to this turn (e.g. UI tools when no client is connected)
     // are omitted from the definitions sent to the provider.
@@ -729,34 +705,24 @@ export function createResolveToolsCallback(
       ? filteredCoreDefs.filter((d) => wireAllowlist.has(d.name))
       : filteredCoreDefs;
 
-    // Re-read MCP and workspace tool definitions from the registry each turn
-    // so conversations automatically pick up tools added/removed by `vellum
-    // mcp reload` and workspace-tool edits reconciled from disk, without
-    // recreating the conversation.
+    // Re-read MCP tool definitions from the registry each turn so conversations
+    // automatically pick up tools added/removed by `vellum mcp reload`.
     const currentMcpDefs = getMcpToolDefinitions();
-    const currentWorkspaceDefs = getWorkspaceToolDefinitions();
     log.debug(
       {
         coreCount: scopedCoreDefs.length,
         mcpCount: currentMcpDefs.length,
         mcpTools: currentMcpDefs.map((d) => d.name),
-        workspaceCount: currentWorkspaceDefs.length,
-        workspaceTools: currentWorkspaceDefs.map((d) => d.name),
       },
-      "MCP and workspace tools resolved for turn",
+      "MCP tools resolved for turn",
     );
     const scopedMcpDefs = wireAllowlist
       ? currentMcpDefs.filter((d) => wireAllowlist.has(d.name))
       : currentMcpDefs;
-    const scopedWorkspaceDefs = wireAllowlist
-      ? currentWorkspaceDefs.filter((d) => wireAllowlist.has(d.name))
-      : currentWorkspaceDefs;
     const excluded = new Set(getConfig().tools.exclude);
-    const allBaseDefs = [
-      ...scopedCoreDefs,
-      ...scopedWorkspaceDefs,
-      ...scopedMcpDefs,
-    ].filter((d) => !excluded.has(d.name));
+    const allBaseDefs = [...scopedCoreDefs, ...scopedMcpDefs].filter(
+      (d) => !excluded.has(d.name),
+    );
 
     const effectivePreactivated = [
       ...DEFAULT_PREACTIVATED_SKILL_IDS,

package/src/daemon/conversation.ts

@@ -50,7 +50,6 @@ import {
   getMessages,
   resolveOverrideProfile,
   setConversationHistoryStrippedAt,
-  setConversationProcessingStartedAt,
 } from "../memory/conversation-crud.js";
 import { getResolvedConversationDirPath } from "../memory/conversation-directories.js";
 import { ConversationGraphMemory } from "../memory/graph/conversation-graph-memory.js";
@@ -92,7 +91,7 @@ import {
   isActivationMomentParam,
 } from "../telemetry/activation-funnel.js";
 import { ToolExecutor } from "../tools/executor.js";
-import { getAllToolDefinitions, getTool } from "../tools/registry.js";
+import { getAllToolDefinitions } from "../tools/registry.js";
 import type { ToolLifecycleEvent } from "../tools/types.js";
 import type { OnboardingContext } from "../types/onboarding-context.js";
 import type { AbortReason } from "../util/abort-reasons.js";
@@ -377,7 +376,6 @@ export class Conversation {
    */
   wakePersonaOverride?: SystemPromptPersonaOverride;
   /** @internal */ currentTurnOverrideProfile?: string;
-  /** @internal */ currentTurnIsNonInteractive?: boolean;
   /** @internal */ authContext?: AuthContext;
   /** @internal */ currentTurnAuthContext?: AuthContext;
   /** @internal */ currentTurnSourceActorPrincipalId?: string;
@@ -703,9 +701,6 @@ export class Conversation {
       tools: toolDefs.length > 0 ? toolDefs : undefined,
       toolExecutor: toolDefs.length > 0 ? toolExecutor : undefined,
       resolveTools,
-      // A tool the registry marks exclusive (e.g. `advisor`) runs alone in its
-      // turn; the loop defers any sibling calls until the next turn.
-      isExclusiveTool: (name) => getTool(name)?.exclusive === true,
       resolveConversationDir: () => {
         const conv = getConversation(this.conversationId);
         if (!conv) return null;
@@ -1340,13 +1335,6 @@ export class Conversation {
   setProcessing(value: boolean): void {
     const wasProcessing = this._processing;
     this._processing = value;
-    // Persist the cross-process source of truth so out-of-process callers
-    // (retrospective CLI, future detached workers) can detect mid-turn state
-    // by reading the conversations row directly.
-    setConversationProcessingStartedAt(
-      this.conversationId,
-      value ? Date.now() : null,
-    );
     if (wasProcessing && !value) {
       void publishSyncInvalidation([
         conversationMetadataSyncTag(this.conversationId),

package/src/daemon/disk-pressure-guard.ts

@@ -24,12 +24,6 @@ export const DISK_PRESSURE_CLEAR_THRESHOLD_PERCENT = 90;
 // clears the warning state, which discards the banner's (state-scoped) dismissal
 // so it re-appears the moment usage ticks back up.
 export const DISK_PRESSURE_WARNING_CLEAR_THRESHOLD_PERCENT = 77;
-// Absolute free-space floor (MiB). Regardless of usage percentage, never enter
-// the warning or critical state while at least this much space remains free. A
-// high usage percentage on a large disk can still leave many gigabytes
-// available, where locking is pointless. Small volumes (where a high percentage
-// genuinely means near-full) drop below the floor and remain protected.
-export const DISK_PRESSURE_MIN_FREE_FLOOR_MB = 2048;
 export const DISK_PRESSURE_CHECK_INTERVAL_MS = 60_000;
 export const DISK_PRESSURE_OVERRIDE_CONFIRMATION = "I understand the risks";
 export const DISK_PRESSURE_BLOCKED_CAPABILITIES = [
@@ -225,10 +219,7 @@ export function evaluateDiskPressureNow(): DiskPressureStatus {
   const criticalThreshold = state.status.locked
     ? DISK_PRESSURE_CLEAR_THRESHOLD_PERCENT
     : DISK_PRESSURE_THRESHOLD_PERCENT;
-  // Absolute free-space floor overrides the percentage thresholds: while ample
-  // space remains free, report "ok" no matter how full the volume is by percent.
-  const hasAmpleFreeSpace = usageInfo.freeMb >= DISK_PRESSURE_MIN_FREE_FLOOR_MB;
-  const isCritical = !hasAmpleFreeSpace && usagePercent >= criticalThreshold;
+  const isCritical = usagePercent >= criticalThreshold;
   // Mirror the critical deadband for the warning band: once in an active
   // pressure state (warning or critical), hold warning until usage clears the
   // lower warning-clear threshold. Treating "critical" as active here matters
@@ -244,8 +235,7 @@ export function evaluateDiskPressureNow(): DiskPressureStatus {
   const warningThreshold = inActivePressureState
     ? DISK_PRESSURE_WARNING_CLEAR_THRESHOLD_PERCENT
     : DISK_PRESSURE_WARNING_THRESHOLD_PERCENT;
-  const isWarning =
-    !hasAmpleFreeSpace && !isCritical && usagePercent >= warningThreshold;
+  const isWarning = !isCritical && usagePercent >= warningThreshold;
   const lastCheckedAt = new Date().toISOString();
 
   if (!isCritical && !isWarning) {

package/src/daemon/event-loop-watchdog.ts

@@ -33,7 +33,6 @@
 
 import * as Sentry from "@sentry/node";
 
-import { recordWatchdogEvent } from "../memory/watchdog-events-store.js";
 import { getLogger } from "../util/logger.js";
 
 const log = getLogger("event-loop-watchdog");
@@ -75,37 +74,11 @@ export function evaluateTick(
   return { blockedMs, exceeded: blockedMs >= thresholdMs };
 }
 
-/**
- * Check name emitted for event-loop block events. The platform's
- * `watchdog__event_loop_blocking_daily` admin query filters `check_name` to
- * this exact string, so it is the primary group-by dimension downstream —
- * keep it stable.
- */
-export const EVENT_LOOP_BLOCKED_CHECK_NAME = "event_loop_blocked";
-
 function reportBlock(blockedMs: number, thresholdMs: number): void {
   log.warn(
     { blockedMs, thresholdMs, tickIntervalMs: TICK_INTERVAL_MS },
     "event loop blocked",
   );
-  // Persist a `watchdog` telemetry event so the platform can surface
-  // event-loop blocking in the infrastructure admin chart. `recordWatchdogEvent`
-  // no-ops when usage-data collection is disabled (the event is dropped to
-  // honor the opt-out), so the watchdog runs unconditionally without leaking
-  // health data for opted-out owners. Never let a telemetry failure escape
-  // the timer callback — wrap it alongside the Sentry capture below.
-  try {
-    recordWatchdogEvent({
-      checkName: EVENT_LOOP_BLOCKED_CHECK_NAME,
-      value: blockedMs,
-      detail: {
-        threshold_ms: thresholdMs,
-        tick_interval_ms: TICK_INTERVAL_MS,
-      },
-    });
-  } catch {
-    // Never let a telemetry failure escape the timer callback.
-  }
   try {
     Sentry.withScope((scope) => {
       scope.setLevel("warning");
@@ -115,7 +88,7 @@ function reportBlock(blockedMs: number, thresholdMs: number): void {
         threshold_ms: thresholdMs,
         tick_interval_ms: TICK_INTERVAL_MS,
       });
-      Sentry.captureMessage(EVENT_LOOP_BLOCKED_CHECK_NAME);
+      Sentry.captureMessage("event_loop_blocked");
     });
   } catch {
     // Never let a telemetry failure escape the timer callback.

package/src/daemon/external-plugins-bootstrap.ts

@@ -19,20 +19,24 @@
  *    dropped from the registry via {@link unregisterPlugin} so none of its
  *    hooks participate in the turn lifecycle. This is the primary mechanism for
  *    shipping experimental plugins behind a feature flag.
- * 4. Validates the config block under `plugins.<name>` against
+ * 4. Resolves the plugin's `manifest.requiresCredential` entries via the
+ *    credential store helper ({@link getSecureKeyAsync}). In Docker mode
+ *    that helper goes through the CES HTTP API transparently; in local mode
+ *    it hits the encrypted file store / CES RPC backend.
+ * 5. Validates the config block under `plugins.<name>` against
  *    `manifest.config` if the manifest supplies a parser-like validator
  *    (Zod schemas with `.parse()` are supported; anything else is passed
  *    through untouched).
- * 5. Creates `<workspaceDir>/plugins-data/<plugin>/` on demand for per-plugin
+ * 6. Creates `<workspaceDir>/plugins-data/<plugin>/` on demand for per-plugin
  *    writable state and exposes it via {@link PluginInitContext.pluginStorageDir}.
- * 6. For each surviving plugin, registers its contributed tools and routes
+ * 7. For each surviving plugin, registers its contributed tools and routes
  *    into their global registries via {@link registerPluginTools} and
  *    {@link registerSkillRoute}. Contributions land BEFORE `init()` so
  *    the plugin's hook can observe a registry where its own model-visible
  *    surface is already wired — useful for plugins that want to attach
  *    metadata, warm caches, or otherwise interact with their own
  *    contributions during initialization.
- * 7. Awaits `plugin.init(ctx)` sequentially. An init failure is contained to
+ * 8. Awaits `plugin.init(ctx)` sequentially. An init failure is contained to
  *    the offending plugin: its already-registered tools and routes are rolled
  *    back, it is dropped from the registry, the failure is logged, and
  *    bootstrap continues with the remaining plugins. A single plugin's failure
@@ -72,6 +76,7 @@ import {
   type SkillRouteHandle,
   unregisterSkillRoute,
 } from "../runtime/skill-route-registry.js";
+import { getSecureKeyAsync } from "../security/secure-keys.js";
 import {
   registerPluginTools,
   unregisterPluginTools,
@@ -83,6 +88,25 @@ import { registerShutdownHook } from "./shutdown-registry.js";
 
 const log = getLogger("plugins-bootstrap");
 
+/**
+ * Resolve one credential value. Returns the raw secret string or throws a
+ * {@link PluginExecutionError} tagged with the plugin name so the caller can
+ * fail startup with clear attribution.
+ */
+async function resolveCredentialOrThrow(
+  pluginName: string,
+  credentialKey: string,
+): Promise<string> {
+  const value = await getSecureKeyAsync(credentialKey);
+  if (value === undefined || value === "") {
+    throw new PluginExecutionError(
+      `plugin ${pluginName} requires credential "${credentialKey}" but the credential store returned no value`,
+      pluginName,
+    );
+  }
+  return value;
+}
+
 /**
  * Validate a plugin config block. If the manifest supplies a parser-like
  * validator (Zod schemas expose `.parse()`), use it. Otherwise pass the
@@ -322,6 +346,11 @@ async function initializePlugin(
   let initCompleted = false;
 
   try {
+    const credentials: Record<string, string> = {};
+    for (const key of plugin.manifest.requiresCredential ?? []) {
+      credentials[key] = await resolveCredentialOrThrow(name, key);
+    }
+
     const config = validatePluginConfig(
       name,
       plugin.manifest.config,
@@ -330,6 +359,7 @@ async function initializePlugin(
 
     const initContext = {
       config,
+      credentials,
       logger: log.child({ plugin: name }),
       pluginStorageDir: ensurePluginStorageDir(name),
       assistantVersion: APP_VERSION,

package/src/daemon/handlers/__tests__/config-a2a-redeem.test.ts

@@ -129,29 +129,4 @@ describe("redeemA2AInvite", () => {
     const result = redeemA2AInvite({ sender: SENDER });
     expect(result.success).toBe(true);
   });
-
-  test("activeConnections counts a2a channel existence, not status", () => {
-    const result = redeemA2AInvite({ sender: SENDER });
-    expect(result.success).toBe(true);
-
-    expect(getA2AConfig().activeConnections).toBe(1);
-
-    // Readiness is existence-based: a non-active stored status still counts.
-    const sqlite = getSqlite();
-    sqlite.run("UPDATE contact_channels SET status = 'unverified'");
-    invalidateConfigCache();
-    expect(getA2AConfig().activeConnections).toBe(1);
-  });
-
-  test("already-connected guard fires regardless of stored channel status", () => {
-    const first = redeemA2AInvite({ sender: SENDER });
-    expect(first.success).toBe(true);
-
-    const sqlite = getSqlite();
-    sqlite.run("UPDATE contact_channels SET status = 'revoked'");
-
-    const second = redeemA2AInvite({ sender: SENDER });
-    expect(second.alreadyConnected).toBe(true);
-    expect(second.contactId).toBe(first.contactId);
-  });
 });

package/src/daemon/handlers/config-a2a.ts

@@ -96,11 +96,13 @@ export function getA2AConfig(): A2AConfigResult {
   const config = getConfig();
   const enabled = config.a2a?.enabled ?? false;
 
-  // a2a is peer binding outside the human-trust ACL model — the gateway has no
-  // canonical a2a channel status, so channel existence is the readiness signal.
   const contacts = searchContacts({ channelType: "a2a" });
   const activeConnections = contacts.reduce((count, c) => {
-    return count + c.channels.filter((ch) => ch.type === "a2a").length;
+    return (
+      count +
+      c.channels.filter((ch) => ch.type === "a2a" && ch.status === "active")
+        .length
+    );
   }, 0);
 
   return { success: true, enabled, activeConnections };
@@ -268,9 +270,12 @@ export function redeemA2AInvite(params: {
     setA2AConfig();
   }
 
-  // 2. Check for existing contact with this sender (a2a binding existence)
+  // 2. Check for existing active contact with this sender
   const existing = findContactByAddress("a2a", params.sender.assistantId);
-  if (existing && existing.channels.some((ch) => ch.type === "a2a")) {
+  if (
+    existing &&
+    existing.channels.some((ch) => ch.type === "a2a" && ch.status === "active")
+  ) {
     return { success: true, alreadyConnected: true, contactId: existing.id };
   }
 
@@ -368,7 +373,10 @@ export async function acceptA2AInvite(params: {
   // 2. Short-circuit if already connected — avoids a network round-trip
   //    and consuming a token on the sender side.
   const existing = findContactByAddress("a2a", params.senderAssistantId);
-  if (existing && existing.channels.some((ch) => ch.type === "a2a")) {
+  if (
+    existing &&
+    existing.channels.some((ch) => ch.type === "a2a" && ch.status === "active")
+  ) {
     return { success: true, alreadyConnected: true, contactId: existing.id };
   }