@vellumai/assistant 0.10.3 → 0.10.4-staging.1

package/src/daemon/conversation-agent-loop.ts

@@ -520,12 +520,14 @@ export async function runAgentLoopImpl(
   let turnStarted = false;
   const state = createEventHandlerState();
   let persistedErrorAssistantMessage = false;
+  let deletedReservedAssistantMessage = false;
 
   const publishLoopMessagesChanged = (): void => {
     if (
       state.lastAssistantMessageId ||
       state.persistedToolUseIds.size > 0 ||
-      persistedErrorAssistantMessage
+      persistedErrorAssistantMessage ||
+      deletedReservedAssistantMessage
     ) {
       publishConversationMessagesChanged(ctx.conversationId);
     }
@@ -1151,23 +1153,22 @@ export async function runAgentLoopImpl(
       !abortController.signal.aborted &&
       !yieldedForHandoff
     ) {
-      // Drop any reservation stranded by the failed LLM call before
-      // inserting the synthetic error message. The B3 pre-allocation
-      // path reserves an empty assistant row at `llm_call_started`;
-      // when the call exits through the provider-error branch (no
-      // `message_complete`), `assistantRowAwaitingFinalization` stays
-      // true. Without this delete the transcript would carry both the
-      // empty reserved row AND the error message — and downstream sync
-      // (`syncLastAssistantMessageToDisk`) would mis-target the empty
-      // row. After delete we set `lastAssistantMessageId` to the new
-      // error row's id so the post-loop emission paths still point at
-      // a real message.
+      // Drop any reservation stranded by the failed LLM call. The B3
+      // pre-allocation path reserves an empty assistant row at
+      // `llm_call_started`; when the call exits through the provider-error
+      // branch (no `message_complete`), `assistantRowAwaitingFinalization`
+      // stays true. Without this delete the transcript would carry an empty
+      // reserved row, and downstream sync (`syncLastAssistantMessageToDisk`)
+      // would target it.
       if (
         state.assistantRowAwaitingFinalization &&
         state.lastAssistantMessageId
       ) {
         try {
           deleteMessageById(state.lastAssistantMessageId);
+          deletedReservedAssistantMessage = true;
+          state.lastAssistantMessageId = undefined;
+          state.assistantRowAwaitingFinalization = false;
         } catch (err) {
           rlog.warn(
             { err, messageId: state.lastAssistantMessageId },
@@ -1175,57 +1176,63 @@ export async function runAgentLoopImpl(
           );
         }
       }
-      const errChannelMeta = {
-        ...provenanceFromTrustContext(ctx.trustContext),
-        userMessageChannel: capturedTurnChannelContext.userMessageChannel,
-        assistantMessageChannel:
-          capturedTurnChannelContext.assistantMessageChannel,
-        userMessageInterface: capturedTurnInterfaceContext.userMessageInterface,
-        assistantMessageInterface:
-          capturedTurnInterfaceContext.assistantMessageInterface,
-      };
-      const errorAssistantMessage = createAssistantMessage(
-        state.providerErrorUserMessage,
-      );
-      const errorRow = await addMessage(
-        ctx.conversationId,
-        "assistant",
-        JSON.stringify(errorAssistantMessage.content),
-        { metadata: errChannelMeta },
-      );
-      persistedErrorAssistantMessage = true;
-      // Repoint `lastAssistantMessageId` at the synthetic error row so the
-      // post-loop sync, attachment resolution, and `message_complete`/
-      // `generation_handoff` emissions all reference a real, persisted
-      // message id. The previous reservation (if any) was already deleted
-      // above. Mark finalization complete so the next LLM call in this run
-      // (or a downstream handler) doesn't try to clean up an id that
-      // already corresponds to a finalized row.
-      state.lastAssistantMessageId = errorRow.id;
-      state.assistantRowAwaitingFinalization = false;
-      newMessages.push(errorAssistantMessage);
-      // Pipe the just-assigned message id into any orphaned LLM request log
-      // row(s) for this turn. The success path links rows via
-      // `handleMessageComplete` -> `backfillMessageIdOnLogs`, but provider-
-      // failure turns never fire `message_complete` (the synthetic assistant
-      // message is persisted directly above), so without this call the rows
-      // from `handleProviderError` stay with `message_id IS NULL` and a
-      // later turn's backfill sweep would wrong-attach them to that turn's
-      // assistant message. Scope is per-conversation, so concurrent runs on
-      // other conversations cannot collide. Non-fatal — a DB hiccup must
-      // not escalate a provider rejection into a turn-level throw.
-      try {
-        backfillMessageIdOnLogs(ctx.conversationId, errorRow.id);
-      } catch (err) {
-        rlog.warn(
-          { err },
-          "Failed to backfill message_id on provider-error LLM request logs (non-fatal)",
+      if (!state.persistProviderErrorAsAssistantMessage) {
+        state.assistantRowAwaitingFinalization = false;
+        state.lastAssistantMessageId = undefined;
+      } else {
+        const errChannelMeta = {
+          ...provenanceFromTrustContext(ctx.trustContext),
+          userMessageChannel: capturedTurnChannelContext.userMessageChannel,
+          assistantMessageChannel:
+            capturedTurnChannelContext.assistantMessageChannel,
+          userMessageInterface:
+            capturedTurnInterfaceContext.userMessageInterface,
+          assistantMessageInterface:
+            capturedTurnInterfaceContext.assistantMessageInterface,
+        };
+        const errorAssistantMessage = createAssistantMessage(
+          state.providerErrorUserMessage,
+        );
+        const errorRow = await addMessage(
+          ctx.conversationId,
+          "assistant",
+          JSON.stringify(errorAssistantMessage.content),
+          { metadata: errChannelMeta },
         );
+        persistedErrorAssistantMessage = true;
+        // Repoint `lastAssistantMessageId` at the synthetic error row so the
+        // post-loop sync, attachment resolution, and `message_complete`/
+        // `generation_handoff` emissions all reference a real, persisted
+        // message id. The previous reservation (if any) was already deleted
+        // above. Mark finalization complete so the next LLM call in this run
+        // (or a downstream handler) doesn't try to clean up an id that
+        // already corresponds to a finalized row.
+        state.lastAssistantMessageId = errorRow.id;
+        state.assistantRowAwaitingFinalization = false;
+        newMessages.push(errorAssistantMessage);
+        // Pipe the just-assigned message id into any orphaned LLM request log
+        // row(s) for this turn. The success path links rows via
+        // `handleMessageComplete` -> `backfillMessageIdOnLogs`, but provider-
+        // failure turns never fire `message_complete` (the synthetic assistant
+        // message is persisted directly above), so without this call the rows
+        // from `handleProviderError` stay with `message_id IS NULL` and a
+        // later turn's backfill sweep would wrong-attach them to that turn's
+        // assistant message. Scope is per-conversation, so concurrent runs on
+        // other conversations cannot collide. Non-fatal — a DB hiccup must
+        // not escalate a provider rejection into a turn-level throw.
+        try {
+          backfillMessageIdOnLogs(ctx.conversationId, errorRow.id);
+        } catch (err) {
+          rlog.warn(
+            { err },
+            "Failed to backfill message_id on provider-error LLM request logs (non-fatal)",
+          );
+        }
+        // Do NOT send assistant_text_delta here — handleProviderError already
+        // emitted a conversation_error event for this same error text, and the
+        // client renders it as an InlineChatErrorAlert. Sending a text delta
+        // would create a duplicate plain-text bubble below the alert card.
       }
-      // Do NOT send assistant_text_delta here — handleProviderError already
-      // emitted a conversation_error event for this same error text, and the
-      // client renders it as an InlineChatErrorAlert. Sending a text delta
-      // would create a duplicate plain-text bubble below the alert card.
     }
 
     // Base persisted into `ctx.messages` is the loop's own returned history

package/src/daemon/conversation-error.ts

@@ -315,20 +315,17 @@ function classifyCore(
     }
     if (error.statusCode === 401 || error.statusCode === 403) {
       // Both managed-proxy and user-key 401/403s reach this branch.
-      // Managed-proxy routes through the assistant API key (stale → re-
-      // provision) and emits `MANAGED_KEY_INVALID`; everything else is a
-      // user-set credential that the upstream provider rejected → emit
-      // `PROVIDER_INVALID_KEY` so the macOS chat banner renders an
-      // "Invalid API key" surface (distinct from "API key required"
-      // which only fires when the key is genuinely missing — see
-      // `providerNotConfiguredClassification`).
+      // Managed-proxy routes through the assistant API key; if that
+      // credential is stale, the user cannot fix it from model settings.
+      // Everything else is a user-set credential that the upstream provider
+      // rejected, so emit `PROVIDER_INVALID_KEY` and let the chat banner point
+      // at Settings.
       const providerName = error.provider;
       if (getProviderRoutingSource(providerName) === "managed-proxy") {
         return {
           code: "MANAGED_KEY_INVALID",
-          userMessage:
-            "The assistant API key is invalid. Attempting to re-provision…",
-          retryable: true,
+          userMessage: "Couldn't refresh assistant credentials.",
+          retryable: false,
           errorCategory: "managed_key_invalid",
         };
       }

package/src/daemon/conversation-tool-setup.ts

@@ -17,7 +17,6 @@ import type { LLMCallSite } from "../config/schemas/llm.js";
 import { getBindingByConversation } from "../memory/external-conversation-store.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import type { SecretPrompter } from "../permissions/secret-prompter.js";
-import { advisorEnabledForProfile } from "../plugins/defaults/advisor/advisor-gate.js";
 import type { Message, ToolDefinition } from "../providers/types.js";
 import { assistantEventHub } from "../runtime/assistant-event-hub.js";
 import { registerConversationSender } from "../tools/browser/browser-screencast.js";
@@ -575,15 +574,6 @@ export function isToolActiveForContext(
       return true;
     }
   }
-  if (name === "advisor") {
-    // Gated per chat-profile (`ProfileEntry.advisorEnabled`): when the resolved
-    // profile disables the advisor, omit the tool from the wire list so the
-    // model never sees a tool it can only no-op on. Resolves the profile the
-    // same way the advisor's execution-time guard does (the per-turn override,
-    // else the active profile). The wire list is fixed before PRE_MODEL_CALL
-    // hooks run, so later profile changes from hooks are not reflected here.
-    return advisorEnabledForProfile(ctx.currentTurnOverrideProfile ?? null);
-  }
   if (UI_SURFACE_TOOL_NAMES.has(name)) {
     if (
       channelCapabilities?.channel === "slack" &&

package/src/daemon/conversation.ts

@@ -243,6 +243,14 @@ export interface ConversationConstructorOptions {
   speedOverride?: Speed;
   cacheTtl?: "5m" | "1h";
   modelOverride?: string;
+  /**
+   * Give this conversation's LLM calls provider-native (server-side) web
+   * search when the resolved provider supports it (see
+   * {@link AgentLoopConfig.enableNativeWebSearch}). Set by the subagent manager
+   * for the tool-less advisor consult so it can ground guidance with live web
+   * access; non-native providers get nothing. Defaults to false.
+   */
+  enableNativeWebSearch?: boolean;
 }
 
 export class Conversation {
@@ -592,6 +600,7 @@ export class Conversation {
     options?: ConversationConstructorOptions,
   ) {
     const { maxTokens, speedOverride, cacheTtl, modelOverride } = options ?? {};
+    const enableNativeWebSearch = options?.enableNativeWebSearch ?? false;
     this.conversationId = conversationId;
     this.systemPrompt = systemPrompt;
     this.provider = provider;
@@ -690,6 +699,7 @@ export class Conversation {
         ? { speed: resolvedSpeed }
         : {}),
       ...(cacheTtl ? { cacheTtl } : {}),
+      ...(enableNativeWebSearch ? { enableNativeWebSearch: true } : {}),
     };
     if (configuredMaxTokens !== undefined) {
       agentLoopConfig.maxTokens = configuredMaxTokens;

package/src/daemon/external-plugins-bootstrap.ts

@@ -247,7 +247,14 @@ export async function bootstrapPlugins(): Promise<void> {
     // out-of-band kill switch — the operator creates a directory named
     // after the plugin's manifest name (e.g. `plugins/default-advisor/`)
     // and drops a `.disabled` file inside it. Runs before init so no
-    // hooks, tools, or routes from the disabled plugin are ever wired.
+    // tools or routes from the disabled plugin are ever wired.
+    //
+    // Unlike the feature-flag path above, we do NOT call
+    // `unregisterPlugin(name)` here. The plugin's hooks stay in the hook
+    // registry and are filtered at read time by `isPluginDisabled` in
+    // `getHooksFor`. This means `assistant plugins enable <name>` takes
+    // effect on the next turn without a restart — the hooks are already
+    // registered, they just need the sentinel removed to be included.
     const disabledSentinelPath = join(
       getWorkspacePluginsDir(),
       name,
@@ -258,7 +265,6 @@ export async function bootstrapPlugins(): Promise<void> {
         { plugin: name, sentinel: disabledSentinelPath },
         `skipping plugin ${name}: disabled via .disabled sentinel`,
       );
-      unregisterPlugin(name);
       continue;
     }
 

package/src/daemon/handlers/__tests__/config-a2a-accept.test.ts

@@ -174,7 +174,6 @@ describe("acceptA2AInvite", () => {
     expect(contact).not.toBeNull();
     expect(contact!.channels).toHaveLength(1);
     expect(contact!.channels[0]!.type).toBe("a2a");
-    expect(contact!.channels[0]!.status).toBe("active");
 
     // Verify assistant metadata
     const metadata = getAssistantContactMetadata(result.contactId!);

package/src/daemon/handlers/__tests__/config-a2a-complete.test.ts

@@ -100,8 +100,6 @@ describe("completeA2AInvite", () => {
     expect(contact!.displayName).toBe("Acceptor Bot");
     expect(contact!.channels).toHaveLength(1);
     expect(contact!.channels[0]!.type).toBe("a2a");
-    expect(contact!.channels[0]!.status).toBe("active");
-    expect(contact!.channels[0]!.policy).toBe("allow");
   });
 
   test("contact channel address is acceptor.assistantId.toLowerCase()", () => {

package/src/daemon/handlers/__tests__/config-a2a-redeem.test.ts

@@ -71,8 +71,6 @@ describe("redeemA2AInvite", () => {
     expect(contact!.displayName).toBe("Sender Bot");
     expect(contact!.channels).toHaveLength(1);
     expect(contact!.channels[0]!.type).toBe("a2a");
-    expect(contact!.channels[0]!.status).toBe("active");
-    expect(contact!.channels[0]!.policy).toBe("allow");
   });
 
   test("idempotency: already-connected sender returns alreadyConnected", () => {

package/src/daemon/handlers/__tests__/config-channels.test.ts

@@ -20,11 +20,14 @@ mock.module("../../../contacts/guardian-delivery-reader.js", () => ({
       input.channelTypes!.includes(g.channelType),
     );
   },
+  guardianForChannel: (
+    list: GuardianDelivery[],
+    channelType: string,
+  ) => list.find((g) => g.channelType === channelType && g.status === "active"),
 }));
 
 mock.module("../../../contacts/contact-store.js", () => ({
   findContactChannel: () => mockContactChannel,
-  findGuardianForChannel: () => null,
   getChannelById: () => mockChannel,
   getContact: () => ({ id: "contact-1", displayName: "Pat" }),
 }));
@@ -123,15 +126,7 @@ function channel(overrides: Partial<ContactChannel> = {}): ContactChannel {
     address: "user-123",
     isPrimary: true,
     externalChatId: "chat-123",
-    // DB columns are intentionally a terminal state to prove the gates ignore
-    // them and read from the gateway delivery instead.
-    status: "revoked",
-    policy: {} as ContactChannel["policy"],
-    verifiedAt: null,
-    verifiedVia: null,
     inviteId: null,
-    revokedReason: null,
-    blockedReason: null,
     lastSeenAt: null,
     interactionCount: 0,
     lastInteraction: null,
@@ -168,9 +163,9 @@ describe("revokeVerificationForChannel", () => {
   });
 
   test("skips a redundant revoke when the gateway delivery is already revoked", async () => {
-    // Local DB status is the live "active" here, but the gateway (SoT) says
-    // revoked — the gate must follow the gateway and not relay.
-    mockContactChannel = { channel: channel({ status: "active" }) };
+    // The gateway (SoT) says revoked — the gate must follow the gateway and
+    // not relay regardless of local state.
+    mockContactChannel = { channel: channel() };
     mockGuardians = [delivery({ status: "revoked" })];
     await revokeVerificationForChannel("telegram");
     expect(ipcCalls.map((c) => c.method)).not.toContain("mark_channel_revoked");
@@ -208,8 +203,8 @@ describe("verifyTrustedContact already-verified gate", () => {
   });
 
   test("does not short-circuit when the gateway channel has no verifiedAt", async () => {
-    // DB column says verified, but the gateway channel is unverified — proceed.
-    mockChannel = channel({ status: "active", verifiedAt: 1700000000 });
+    // The gateway channel is unverified — proceed regardless of local state.
+    mockChannel = channel();
     mockGwContactChannels = [
       { id: "ch-1", status: "pending", verifiedAt: null },
     ];

package/src/daemon/handlers/config-channels.ts

@@ -1,21 +1,21 @@
 import { createHash, randomBytes } from "node:crypto";
 
 import type { GuardianDelivery } from "@vellumai/gateway-client";
-import {
-  GetContactIpcResponseSchema,
-  MarkChannelRevokedIpcResponseSchema,
-} from "@vellumai/gateway-client/gateway-ipc-contracts";
+import { MarkChannelRevokedIpcResponseSchema } from "@vellumai/gateway-client/gateway-ipc-contracts";
 
 import { startVerificationCall } from "../../calls/call-domain.js";
 import type { ChannelId } from "../../channels/types.js";
 import { emitContactChange } from "../../contacts/contact-events.js";
 import {
   findContactChannel,
-  findGuardianForChannel,
   getChannelById,
   getContact,
 } from "../../contacts/contact-store.js";
-import { getGuardianDelivery } from "../../contacts/guardian-delivery-reader.js";
+import { gatewayContactChannelState } from "../../contacts/gateway-channel-read.js";
+import {
+  getGuardianDelivery,
+  guardianForChannel,
+} from "../../contacts/guardian-delivery-reader.js";
 import type { ContactChannel } from "../../contacts/types.js";
 import { ipcCallPersistent } from "../../ipc/gateway-client.js";
 import { getBindingByChannelChat } from "../../memory/external-conversation-store.js";
@@ -105,25 +105,6 @@ async function deliveryForChannel(
   );
 }
 
-/**
- * Read a contact channel's verified state from the gateway contact-channel read
- * (ACL source of truth). Covers all contacts, not just guardian deliveries.
- * Returns `undefined` when the gateway is unreachable or has no such channel.
- */
-async function gatewayContactChannelState(
-  channel: Pick<ContactChannel, "id" | "contactId">,
-): Promise<{ status: string; verifiedAt: number | null } | undefined> {
-  const result = await ipcCallPersistent("contacts_get_rich", {
-    contactId: channel.contactId,
-  });
-  if (!result || (result as { contact?: unknown }).contact == null) {
-    return undefined;
-  }
-  const { contact } = GetContactIpcResponseSchema.parse(result);
-  const ch = contact.channels.find((c) => c.id === channel.id);
-  return ch ? { status: ch.status, verifiedAt: ch.verifiedAt } : undefined;
-}
-
 // ---------------------------------------------------------------------------
 // Extracted business logic functions
 // ---------------------------------------------------------------------------
@@ -170,10 +151,14 @@ export async function getVerificationStatus(
 
   const binding = await getGuardianBinding(resolvedAssistantId, resolvedChannel);
 
-  // Read the contact directly to get displayName — getGuardianBinding is a
-  // compatibility shim that doesn't carry metadataJson.
-  const guardianResult = findGuardianForChannel(resolvedChannel);
-  const bindingDisplayName = guardianResult?.contact.displayName;
+  // Read the guardian displayName from the gateway delivery — getGuardianBinding
+  // is a compatibility shim that doesn't carry metadataJson.
+  const guardians = await getGuardianDelivery({
+    channelTypes: [resolvedChannel],
+  });
+  const bindingDisplayName = guardians
+    ? (guardianForChannel(guardians, resolvedChannel)?.displayName ?? undefined)
+    : undefined;
   const guardianDisplayName = resolveGuardianName(bindingDisplayName);
 
   // Resolve username from external conversation store.

package/src/daemon/lifecycle.ts

@@ -74,6 +74,7 @@ import {
   resolveSigningKey,
 } from "../runtime/auth/token-service.js";
 import { RuntimeHttpServer } from "../runtime/http-server.js";
+import { warmLocalGuardianPrincipalCache } from "../runtime/local-actor-identity.js";
 import { recoverInterruptedImport } from "../runtime/migrations/vbundle-streaming-importer.js";
 import { registerSecretsDeps } from "../runtime/routes/secrets-deps.js";
 import {
@@ -824,6 +825,16 @@ export async function runDaemon(): Promise<void> {
 
     await server.start();
     log.info("Daemon startup: DaemonServer started");
+
+    // Warm the gateway guardian-delivery cache so the SSE eager-subscribe path
+    // (sync, IO-free) resolves the local actor principal on the FIRST client
+    // registration. Without this, a cold cache regresses host-proxy same-user
+    // targeting until a later reconnect. Non-blocking: failures aren't cached
+    // and the async hot paths re-warm on their next read.
+    void warmLocalGuardianPrincipalCache().catch((err) =>
+      log.warn({ err }, "Guardian principal cache warm failed — continuing"),
+    );
+
     startDiskPressureGuardForLifecycle();
     startOrphanReaper();
     startEventLoopWatchdog();
@@ -966,10 +977,11 @@ export async function runDaemon(): Promise<void> {
         }
       }
 
-      // `startMemoryJobsWorker` selects the worker implementation based on
-      // `memory.worker.enabled` (in-process vs. a separate OS process).
-      // Shutdown stops whichever worker is actually running — see
-      // shutdown-handlers.ts.
+      // `startMemoryJobsWorker` starts the in-process supervisor (which owns
+      // the synchronous runner and stands down when an out-of-process worker is
+      // live) and spawns the out-of-process worker at boot when
+      // `memory.worker.enabled` is set. Shutdown stops whichever worker is
+      // actually running — see shutdown-handlers.ts.
       log.info("Daemon startup: starting memory worker");
       bgRefs.memoryWorker = startMemoryJobsWorker();
 

package/src/daemon/message-types/surfaces.ts

@@ -116,6 +116,8 @@ export interface FormSurfaceData {
   submitLabel?: string;
   pages?: FormPage[];
   pageLabels?: { next?: string; back?: string; submit?: string };
+  /** Progress indicator style for multi-page forms: segment bar or labeled tabs. */
+  progressStyle?: "bar" | "tabs";
 }
 
 export interface ListItem {

package/src/heartbeat/heartbeat-service.ts

@@ -3,6 +3,7 @@ import { join } from "node:path";
 
 import { getConfig } from "../config/loader.js";
 import type { HeartbeatConfig } from "../config/schemas/heartbeat.js";
+import { getGuardianDelivery } from "../contacts/guardian-delivery-reader.js";
 import {
   checkDiskPressureBackgroundGate,
   diskPressureBackgroundSkipLogFields,
@@ -761,6 +762,10 @@ export class HeartbeatService {
 
     const checklist = this.readChecklist();
     const completedRunCount = countCompletedHeartbeatRuns();
+    // Warm the vellum guardian-delivery cache so buildPrompt's sync guardian
+    // persona read (isShallowProfile → resolveGuardianPersona) hits a fresh key
+    // instead of falling back to default.md on a cold/TTL-expired cache.
+    await getGuardianDelivery({ channelTypes: ["vellum"] });
     const { prompt, includedReengagement } = this.buildPrompt(
       checklist,
       unhealthyProviders,

package/src/home/relationship-state-writer.ts

@@ -21,6 +21,7 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 
+import { getGuardianDelivery } from "../contacts/guardian-delivery-reader.js";
 import { countConversations as countConversationsDb } from "../memory/conversation-queries.js";
 import { listConnections } from "../oauth/oauth-store.js";
 import { resolveGuardianPersonaPath } from "../prompts/persona-resolver.js";
@@ -162,6 +163,10 @@ export async function computeRelationshipState(): Promise<RelationshipState> {
   //      old workspaces that never ran migration 031.
   //   3. Empty string → extraction yields [] and `userName` is undefined.
   // Every step is guarded because the writer must never throw.
+  // Warm the vellum guardian-delivery cache so the sync persona resolution in
+  // resolveGuardianUserContent hits a fresh key instead of falling back to
+  // default.md on a cold/TTL-expired cache.
+  await getGuardianDelivery({ channelTypes: ["vellum"] });
   const userMd = resolveGuardianUserContent();
   const soulMd = safeRead(getWorkspacePromptPath("SOUL.md"));
   const identityPath = getWorkspacePromptPath("IDENTITY.md");