npm - @vellumai/assistant - Versions diffs - 0.3.0 - Mend

@vellumai/assistant 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1068) hide show

package/.dockerignore +27 -0
package/.env.example +22 -0
package/Dockerfile +99 -0
package/Dockerfile.sandbox +5 -0
package/README.md +248 -0
package/bun.lock +1723 -0
package/bunfig.toml +2 -0
package/docs/skills.md +158 -0
package/drizzle/0000_dizzy_maggott.sql +301 -0
package/drizzle/meta/0000_snapshot.json +1999 -0
package/drizzle/meta/_journal.json +13 -0
package/drizzle.config.ts +7 -0
package/eslint.config.mjs +17 -0
package/hook-templates/debug-prompt-logger/hook.json +7 -0
package/hook-templates/debug-prompt-logger/run.sh +68 -0
package/knip.json +9 -0
package/package.json +70 -0
package/scripts/capture-x-graphql.ts +545 -0
package/scripts/ipc/check-contract-inventory.ts +104 -0
package/scripts/ipc/check-swift-decoder-drift.ts +166 -0
package/scripts/ipc/generate-swift.ts +492 -0
package/scripts/test-filesystem-tools.sh +48 -0
package/scripts/test.sh +127 -0
package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap +2485 -0
package/src/__tests__/account-registry.test.ts +245 -0
package/src/__tests__/active-skill-tools.test.ts +378 -0
package/src/__tests__/agent-heartbeat-service.test.ts +250 -0
package/src/__tests__/agent-loop-thinking.test.ts +81 -0
package/src/__tests__/agent-loop.test.ts +1135 -0
package/src/__tests__/anthropic-provider.test.ts +778 -0
package/src/__tests__/app-builder-tool-scripts.test.ts +290 -0
package/src/__tests__/app-bundler.test.ts +292 -0
package/src/__tests__/app-executors.test.ts +613 -0
package/src/__tests__/app-git-history.test.ts +176 -0
package/src/__tests__/app-git-service.test.ts +169 -0
package/src/__tests__/app-open-proxy.test.ts +62 -0
package/src/__tests__/asset-materialize-tool.test.ts +452 -0
package/src/__tests__/asset-search-tool.test.ts +477 -0
package/src/__tests__/assistant-attachment-directive.test.ts +401 -0
package/src/__tests__/assistant-attachments.test.ts +437 -0
package/src/__tests__/assistant-event-hub.test.ts +226 -0
package/src/__tests__/assistant-event.test.ts +123 -0
package/src/__tests__/assistant-events-sse-hardening.test.ts +315 -0
package/src/__tests__/attachments-store.test.ts +476 -0
package/src/__tests__/attachments.test.ts +134 -0
package/src/__tests__/audit-log-rotation.test.ts +154 -0
package/src/__tests__/browser-fill-credential.test.ts +309 -0
package/src/__tests__/browser-manager.test.ts +203 -0
package/src/__tests__/browser-runtime-check.test.ts +55 -0
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +68 -0
package/src/__tests__/browser-skill-endstate.test.ts +195 -0
package/src/__tests__/bundle-scanner.test.ts +313 -0
package/src/__tests__/call-bridge.test.ts +517 -0
package/src/__tests__/call-constants.test.ts +40 -0
package/src/__tests__/call-domain.test.ts +163 -0
package/src/__tests__/call-orchestrator.test.ts +625 -0
package/src/__tests__/call-recovery.test.ts +518 -0
package/src/__tests__/call-routes-http.test.ts +699 -0
package/src/__tests__/call-state-machine.test.ts +143 -0
package/src/__tests__/call-state.test.ts +174 -0
package/src/__tests__/call-store.test.ts +691 -0
package/src/__tests__/channel-approval-routes.test.ts +2356 -0
package/src/__tests__/channel-approval.test.ts +299 -0
package/src/__tests__/channel-approvals.test.ts +521 -0
package/src/__tests__/channel-delivery-store.test.ts +447 -0
package/src/__tests__/channel-guardian.test.ts +1005 -0
package/src/__tests__/checker.test.ts +3519 -0
package/src/__tests__/clarification-resolver.test.ts +159 -0
package/src/__tests__/classifier.test.ts +67 -0
package/src/__tests__/claude-code-skill-regression.test.ts +127 -0
package/src/__tests__/claude-code-tool-profiles.test.ts +88 -0
package/src/__tests__/cli-discover.test.ts +85 -0
package/src/__tests__/cli.test.ts +26 -0
package/src/__tests__/clipboard.test.ts +80 -0
package/src/__tests__/commit-guarantee.test.ts +335 -0
package/src/__tests__/commit-message-enrichment-service.test.ts +550 -0
package/src/__tests__/compaction.benchmark.test.ts +176 -0
package/src/__tests__/computer-use-session-compaction.test.ts +132 -0
package/src/__tests__/computer-use-session-lifecycle.test.ts +293 -0
package/src/__tests__/computer-use-session-working-dir.test.ts +117 -0
package/src/__tests__/computer-use-skill-baseline.test.ts +74 -0
package/src/__tests__/computer-use-skill-endstate.test.ts +89 -0
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +217 -0
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +107 -0
package/src/__tests__/computer-use-skill-proxy-bridge.test.ts +54 -0
package/src/__tests__/computer-use-tools.test.ts +250 -0
package/src/__tests__/config-schema.test.ts +1462 -0
package/src/__tests__/conflict-intent-tokenization.test.ts +141 -0
package/src/__tests__/conflict-policy.test.ts +121 -0
package/src/__tests__/conflict-store.test.ts +332 -0
package/src/__tests__/connection-policy.test.ts +102 -0
package/src/__tests__/contacts-tools.test.ts +331 -0
package/src/__tests__/context-memory-e2e.test.ts +434 -0
package/src/__tests__/context-token-estimator.test.ts +135 -0
package/src/__tests__/context-window-manager.test.ts +376 -0
package/src/__tests__/contradiction-checker.test.ts +314 -0
package/src/__tests__/conversation-store.test.ts +612 -0
package/src/__tests__/credential-broker-browser-fill.test.ts +517 -0
package/src/__tests__/credential-broker-server-use.test.ts +554 -0
package/src/__tests__/credential-broker.test.ts +167 -0
package/src/__tests__/credential-host-pattern-match.test.ts +104 -0
package/src/__tests__/credential-metadata-store.test.ts +779 -0
package/src/__tests__/credential-policy-validate.test.ts +121 -0
package/src/__tests__/credential-resolve.test.ts +328 -0
package/src/__tests__/credential-security-e2e.test.ts +352 -0
package/src/__tests__/credential-security-invariants.test.ts +583 -0
package/src/__tests__/credential-selection.test.ts +354 -0
package/src/__tests__/credential-vault-unit.test.ts +780 -0
package/src/__tests__/credential-vault.test.ts +852 -0
package/src/__tests__/daemon-assistant-events.test.ts +164 -0
package/src/__tests__/daemon-server-session-init.test.ts +522 -0
package/src/__tests__/date-context.test.ts +373 -0
package/src/__tests__/db-schedule-syntax-migration.test.ts +129 -0
package/src/__tests__/delete-managed-skill-tool.test.ts +97 -0
package/src/__tests__/diff.test.ts +121 -0
package/src/__tests__/domain-normalize.test.ts +112 -0
package/src/__tests__/domain-policy.test.ts +124 -0
package/src/__tests__/doordash-client.test.ts +186 -0
package/src/__tests__/doordash-session.test.ts +152 -0
package/src/__tests__/dynamic-page-surface.test.ts +91 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +132 -0
package/src/__tests__/edit-engine.test.ts +180 -0
package/src/__tests__/elevenlabs-client.test.ts +271 -0
package/src/__tests__/email-cli.test.ts +283 -0
package/src/__tests__/encrypted-store.test.ts +332 -0
package/src/__tests__/entity-extractor.test.ts +190 -0
package/src/__tests__/ephemeral-permissions.test.ts +362 -0
package/src/__tests__/evaluate-typescript-tool.test.ts +286 -0
package/src/__tests__/event-bus.test.ts +222 -0
package/src/__tests__/file-edit-tool.test.ts +122 -0
package/src/__tests__/file-ops-service.test.ts +330 -0
package/src/__tests__/file-read-tool.test.ts +75 -0
package/src/__tests__/file-write-tool.test.ts +113 -0
package/src/__tests__/filesystem-tools.test.ts +579 -0
package/src/__tests__/fixtures/credential-security-fixtures.ts +181 -0
package/src/__tests__/fixtures/media-reuse-fixtures.ts +126 -0
package/src/__tests__/fixtures/mock-signup-server.ts +387 -0
package/src/__tests__/fixtures/proxy-fixtures.ts +147 -0
package/src/__tests__/followup-tools.test.ts +303 -0
package/src/__tests__/forbidden-legacy-symbols.test.ts +71 -0
package/src/__tests__/fuzzy-match-property.test.ts +216 -0
package/src/__tests__/fuzzy-match.test.ts +138 -0
package/src/__tests__/gateway-only-enforcement.test.ts +631 -0
package/src/__tests__/gemini-image-service.test.ts +261 -0
package/src/__tests__/gemini-provider.test.ts +651 -0
package/src/__tests__/get-weather.test.ts +318 -0
package/src/__tests__/gmail-integration.test.ts +73 -0
package/src/__tests__/handlers-add-trust-rule-metadata.test.ts +202 -0
package/src/__tests__/handlers-cu-observation-blob.test.ts +352 -0
package/src/__tests__/handlers-ipc-blob-probe.test.ts +191 -0
package/src/__tests__/handlers-slack-config.test.ts +200 -0
package/src/__tests__/handlers-task-submit-slash.test.ts +38 -0
package/src/__tests__/handlers-telegram-config.test.ts +968 -0
package/src/__tests__/handlers-twilio-config.test.ts +659 -0
package/src/__tests__/handlers-twitter-config.test.ts +858 -0
package/src/__tests__/headless-browser-interactions.test.ts +536 -0
package/src/__tests__/headless-browser-navigate.test.ts +211 -0
package/src/__tests__/headless-browser-read-tools.test.ts +261 -0
package/src/__tests__/headless-browser-snapshot.test.ts +185 -0
package/src/__tests__/history-repair-observability.test.ts +56 -0
package/src/__tests__/history-repair.test.ts +510 -0
package/src/__tests__/home-base-bootstrap.test.ts +82 -0
package/src/__tests__/hooks-blocking.test.ts +128 -0
package/src/__tests__/hooks-cli.test.ts +144 -0
package/src/__tests__/hooks-config.test.ts +93 -0
package/src/__tests__/hooks-discovery.test.ts +199 -0
package/src/__tests__/hooks-integration.test.ts +189 -0
package/src/__tests__/hooks-manager.test.ts +187 -0
package/src/__tests__/hooks-runner.test.ts +182 -0
package/src/__tests__/hooks-settings.test.ts +154 -0
package/src/__tests__/hooks-templates.test.ts +137 -0
package/src/__tests__/hooks-ts-runner.test.ts +125 -0
package/src/__tests__/hooks-watch.test.ts +100 -0
package/src/__tests__/host-file-edit-tool.test.ts +228 -0
package/src/__tests__/host-file-read-tool.test.ts +123 -0
package/src/__tests__/host-file-write-tool.test.ts +136 -0
package/src/__tests__/host-shell-tool.test.ts +562 -0
package/src/__tests__/ingress-reconcile.test.ts +581 -0
package/src/__tests__/ingress-url-consistency.test.ts +214 -0
package/src/__tests__/intent-routing.test.ts +259 -0
package/src/__tests__/ipc-blob-store.test.ts +315 -0
package/src/__tests__/ipc-contract-inventory.test.ts +54 -0
package/src/__tests__/ipc-contract.test.ts +74 -0
package/src/__tests__/ipc-protocol.test.ts +113 -0
package/src/__tests__/ipc-roundtrip.benchmark.test.ts +237 -0
package/src/__tests__/ipc-snapshot.test.ts +1769 -0
package/src/__tests__/ipc-validate.test.ts +407 -0
package/src/__tests__/key-migration.test.ts +206 -0
package/src/__tests__/keychain.test.ts +258 -0
package/src/__tests__/llm-usage-store.test.ts +221 -0
package/src/__tests__/managed-skill-lifecycle.test.ts +257 -0
package/src/__tests__/managed-store.test.ts +608 -0
package/src/__tests__/media-generate-image.test.ts +238 -0
package/src/__tests__/media-reuse-story.e2e.test.ts +676 -0
package/src/__tests__/media-visibility-policy.test.ts +141 -0
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +235 -0
package/src/__tests__/memory-lifecycle-e2e.test.ts +481 -0
package/src/__tests__/memory-query-builder.test.ts +59 -0
package/src/__tests__/memory-recall-quality.test.ts +846 -0
package/src/__tests__/memory-regressions.experimental.test.ts +538 -0
package/src/__tests__/memory-regressions.test.ts +4435 -0
package/src/__tests__/memory-retrieval-budget.test.ts +49 -0
package/src/__tests__/memory-retrieval.benchmark.test.ts +430 -0
package/src/__tests__/migration-cli-flows.test.ts +169 -0
package/src/__tests__/migration-ordering.test.ts +249 -0
package/src/__tests__/mock-signup-server.test.ts +528 -0
package/src/__tests__/oauth-callback-registry.test.ts +92 -0
package/src/__tests__/oauth2-gateway-transport.test.ts +285 -0
package/src/__tests__/onboarding-starter-tasks.test.ts +176 -0
package/src/__tests__/onboarding-template-contract.test.ts +58 -0
package/src/__tests__/openai-provider.test.ts +753 -0
package/src/__tests__/parallel-tool.benchmark.test.ts +294 -0
package/src/__tests__/parser.test.ts +472 -0
package/src/__tests__/path-classifier.test.ts +73 -0
package/src/__tests__/path-policy.test.ts +435 -0
package/src/__tests__/platform-move-helper.test.ts +99 -0
package/src/__tests__/platform-socket-path.test.ts +52 -0
package/src/__tests__/platform-workspace-migration.test.ts +1000 -0
package/src/__tests__/platform.test.ts +131 -0
package/src/__tests__/playbook-execution.test.ts +502 -0
package/src/__tests__/playbook-tools.test.ts +340 -0
package/src/__tests__/prebuilt-home-base-seed.test.ts +75 -0
package/src/__tests__/pricing.test.ts +256 -0
package/src/__tests__/profile-compiler.test.ts +374 -0
package/src/__tests__/provider-commit-message-generator.test.ts +342 -0
package/src/__tests__/provider-registry-ollama.test.ts +16 -0
package/src/__tests__/provider-streaming.benchmark.test.ts +773 -0
package/src/__tests__/proxy-approval-callback.test.ts +601 -0
package/src/__tests__/public-ingress-urls.test.ts +256 -0
package/src/__tests__/qdrant-manager.test.ts +267 -0
package/src/__tests__/ratelimit.test.ts +297 -0
package/src/__tests__/recurrence-engine-rruleset.test.ts +175 -0
package/src/__tests__/recurrence-engine.test.ts +78 -0
package/src/__tests__/recurrence-types.test.ts +79 -0
package/src/__tests__/registry.test.ts +494 -0
package/src/__tests__/relay-server.test.ts +688 -0
package/src/__tests__/reminder-store.test.ts +223 -0
package/src/__tests__/reminder.test.ts +229 -0
package/src/__tests__/request-file-tool.test.ts +158 -0
package/src/__tests__/run-orchestrator-assistant-events.test.ts +227 -0
package/src/__tests__/run-orchestrator.test.ts +425 -0
package/src/__tests__/runtime-attachment-metadata.test.ts +189 -0
package/src/__tests__/runtime-events-sse-parity.test.ts +343 -0
package/src/__tests__/runtime-events-sse.test.ts +162 -0
package/src/__tests__/runtime-runs-http.test.ts +438 -0
package/src/__tests__/runtime-runs.test.ts +260 -0
package/src/__tests__/sandbox-diagnostics.test.ts +408 -0
package/src/__tests__/sandbox-host-parity.test.ts +950 -0
package/src/__tests__/scaffold-managed-skill-tool.test.ts +253 -0
package/src/__tests__/schedule-store.test.ts +484 -0
package/src/__tests__/schedule-tools.test.ts +783 -0
package/src/__tests__/scheduler-recurrence.test.ts +430 -0
package/src/__tests__/script-proxy-certs.test.ts +90 -0
package/src/__tests__/script-proxy-connect-tunnel.test.ts +177 -0
package/src/__tests__/script-proxy-decision-trace.test.ts +156 -0
package/src/__tests__/script-proxy-http-forwarder.test.ts +281 -0
package/src/__tests__/script-proxy-injection-runtime.test.ts +401 -0
package/src/__tests__/script-proxy-mitm-handler.test.ts +407 -0
package/src/__tests__/script-proxy-policy-runtime.test.ts +287 -0
package/src/__tests__/script-proxy-policy.test.ts +310 -0
package/src/__tests__/script-proxy-rewrite-specificity.test.ts +135 -0
package/src/__tests__/script-proxy-router.test.ts +180 -0
package/src/__tests__/script-proxy-session-manager.test.ts +382 -0
package/src/__tests__/script-proxy-session-runtime.test.ts +113 -0
package/src/__tests__/secret-allowlist.test.ts +230 -0
package/src/__tests__/secret-ingress-handler.test.ts +110 -0
package/src/__tests__/secret-onetime-send.test.ts +130 -0
package/src/__tests__/secret-prompt-log-hygiene.test.ts +106 -0
package/src/__tests__/secret-response-routing.test.ts +93 -0
package/src/__tests__/secret-scanner-executor.test.ts +348 -0
package/src/__tests__/secret-scanner.test.ts +900 -0
package/src/__tests__/secure-keys.test.ts +323 -0
package/src/__tests__/server-history-render.test.ts +431 -0
package/src/__tests__/session-abort-tool-results.test.ts +240 -0
package/src/__tests__/session-conflict-gate.test.ts +1136 -0
package/src/__tests__/session-error.test.ts +369 -0
package/src/__tests__/session-evictor.test.ts +188 -0
package/src/__tests__/session-init.benchmark.test.ts +465 -0
package/src/__tests__/session-load-history-repair.test.ts +222 -0
package/src/__tests__/session-pre-run-repair.test.ts +213 -0
package/src/__tests__/session-process-bridge.test.ts +242 -0
package/src/__tests__/session-profile-injection.test.ts +444 -0
package/src/__tests__/session-provider-retry-repair.test.ts +306 -0
package/src/__tests__/session-queue.test.ts +1535 -0
package/src/__tests__/session-runtime-assembly.test.ts +476 -0
package/src/__tests__/session-runtime-workspace.test.ts +183 -0
package/src/__tests__/session-skill-tools.test.ts +2431 -0
package/src/__tests__/session-slash-known.test.ts +368 -0
package/src/__tests__/session-slash-queue.test.ts +288 -0
package/src/__tests__/session-slash-unknown.test.ts +271 -0
package/src/__tests__/session-surfaces-task-progress.test.ts +104 -0
package/src/__tests__/session-tool-setup-app-refresh.test.ts +473 -0
package/src/__tests__/session-tool-setup-memory-scope.test.ts +140 -0
package/src/__tests__/session-tool-setup-side-effect-flag.test.ts +140 -0
package/src/__tests__/session-undo.test.ts +75 -0
package/src/__tests__/session-workspace-cache-state.test.ts +246 -0
package/src/__tests__/session-workspace-injection.test.ts +327 -0
package/src/__tests__/session-workspace-tool-tracking.test.ts +240 -0
package/src/__tests__/shared-filesystem-errors.test.ts +78 -0
package/src/__tests__/shell-credential-ref.test.ts +187 -0
package/src/__tests__/shell-identity.test.ts +256 -0
package/src/__tests__/shell-parser-fuzz.test.ts +544 -0
package/src/__tests__/shell-parser-property.test.ts +433 -0
package/src/__tests__/shell-tool-proxy-mode.test.ts +272 -0
package/src/__tests__/signup-e2e.test.ts +353 -0
package/src/__tests__/size-guard.test.ts +117 -0
package/src/__tests__/skill-include-graph.test.ts +303 -0
package/src/__tests__/skill-load-tool.test.ts +409 -0
package/src/__tests__/skill-projection.benchmark.test.ts +338 -0
package/src/__tests__/skill-script-runner-host.test.ts +489 -0
package/src/__tests__/skill-script-runner-sandbox.test.ts +349 -0
package/src/__tests__/skill-script-runner.test.ts +159 -0
package/src/__tests__/skill-tool-factory.test.ts +252 -0
package/src/__tests__/skill-tool-manifest.test.ts +658 -0
package/src/__tests__/skill-version-hash.test.ts +182 -0
package/src/__tests__/skills.test.ts +680 -0
package/src/__tests__/slash-commands-catalog.test.ts +86 -0
package/src/__tests__/slash-commands-parser.test.ts +119 -0
package/src/__tests__/slash-commands-resolver.test.ts +193 -0
package/src/__tests__/slash-commands-rewrite.test.ts +39 -0
package/src/__tests__/speaker-identification.test.ts +52 -0
package/src/__tests__/starter-bundle.test.ts +136 -0
package/src/__tests__/starter-task-flow.test.ts +143 -0
package/src/__tests__/subagent-manager-notify.test.ts +404 -0
package/src/__tests__/subagent-tools.test.ts +801 -0
package/src/__tests__/subagent-types.test.ts +78 -0
package/src/__tests__/swarm-orchestrator.test.ts +428 -0
package/src/__tests__/swarm-plan-validator.test.ts +330 -0
package/src/__tests__/swarm-recursion.test.ts +165 -0
package/src/__tests__/swarm-router-planner.test.ts +208 -0
package/src/__tests__/swarm-session-integration.test.ts +274 -0
package/src/__tests__/swarm-tool.test.ts +145 -0
package/src/__tests__/swarm-worker-backend.test.ts +129 -0
package/src/__tests__/swarm-worker-runner.test.ts +272 -0
package/src/__tests__/system-prompt.test.ts +439 -0
package/src/__tests__/task-compiler.test.ts +284 -0
package/src/__tests__/task-management-tools.test.ts +936 -0
package/src/__tests__/task-runner.test.ts +216 -0
package/src/__tests__/task-scheduler.test.ts +217 -0
package/src/__tests__/task-tools.test.ts +595 -0
package/src/__tests__/terminal-sandbox-docker.test.ts +1064 -0
package/src/__tests__/terminal-sandbox.integration.test.ts +178 -0
package/src/__tests__/terminal-sandbox.test.ts +202 -0
package/src/__tests__/terminal-tools.test.ts +840 -0
package/src/__tests__/test-support/browser-skill-harness.ts +90 -0
package/src/__tests__/test-support/computer-use-skill-harness.ts +45 -0
package/src/__tests__/tool-audit-listener.test.ts +113 -0
package/src/__tests__/tool-domain-event-publisher.test.ts +253 -0
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +500 -0
package/src/__tests__/tool-executor-lifecycle-events.test.ts +516 -0
package/src/__tests__/tool-executor-redaction.test.ts +289 -0
package/src/__tests__/tool-executor-shell-integration.test.ts +301 -0
package/src/__tests__/tool-executor.test.ts +1989 -0
package/src/__tests__/tool-metrics-listener.test.ts +225 -0
package/src/__tests__/tool-notification-listener.test.ts +49 -0
package/src/__tests__/tool-permission-simulate-handler.test.ts +336 -0
package/src/__tests__/tool-policy.test.ts +54 -0
package/src/__tests__/tool-profiling-listener.test.ts +268 -0
package/src/__tests__/tool-result-truncation.test.ts +217 -0
package/src/__tests__/tool-trace-listener.test.ts +226 -0
package/src/__tests__/top-level-renderer.test.ts +121 -0
package/src/__tests__/top-level-scanner.test.ts +141 -0
package/src/__tests__/trace-emitter.test.ts +173 -0
package/src/__tests__/trust-store.test.ts +1605 -0
package/src/__tests__/turn-commit.test.ts +554 -0
package/src/__tests__/twilio-provider.test.ts +329 -0
package/src/__tests__/twilio-routes-elevenlabs.test.ts +375 -0
package/src/__tests__/twilio-routes-twiml.test.ts +127 -0
package/src/__tests__/twilio-routes.test.ts +577 -0
package/src/__tests__/twitter-auth-handler.test.ts +667 -0
package/src/__tests__/twitter-cli-error-shaping.test.ts +208 -0
package/src/__tests__/twitter-cli-routing.test.ts +252 -0
package/src/__tests__/twitter-oauth-client.test.ts +209 -0
package/src/__tests__/url-safety.test.ts +418 -0
package/src/__tests__/view-image-tool.test.ts +217 -0
package/src/__tests__/weather-skill-regression.test.ts +225 -0
package/src/__tests__/web-fetch.test.ts +869 -0
package/src/__tests__/web-search.test.ts +584 -0
package/src/__tests__/workspace-git-service.test.ts +1153 -0
package/src/__tests__/workspace-heartbeat-service.test.ts +486 -0
package/src/__tests__/workspace-lifecycle.test.ts +292 -0
package/src/__tests__/workspace-policy.test.ts +213 -0
package/src/agent/attachments.ts +35 -0
package/src/agent/loop.ts +500 -0
package/src/agent/message-types.ts +17 -0
package/src/agent-heartbeat/agent-heartbeat-service.ts +155 -0
package/src/autonomy/autonomy-resolver.ts +60 -0
package/src/autonomy/autonomy-store.ts +122 -0
package/src/autonomy/disposition-mapper.ts +31 -0
package/src/autonomy/index.ts +11 -0
package/src/autonomy/types.ts +39 -0
package/src/bundler/app-bundler.ts +295 -0
package/src/bundler/bundle-scanner.ts +535 -0
package/src/bundler/bundle-signer.ts +124 -0
package/src/bundler/manifest.ts +21 -0
package/src/bundler/signature-verifier.ts +184 -0
package/src/calls/call-bridge.ts +168 -0
package/src/calls/call-constants.ts +48 -0
package/src/calls/call-domain.ts +430 -0
package/src/calls/call-orchestrator.ts +498 -0
package/src/calls/call-recovery.ts +207 -0
package/src/calls/call-state-machine.ts +68 -0
package/src/calls/call-state.ts +87 -0
package/src/calls/call-store.ts +422 -0
package/src/calls/elevenlabs-client.ts +97 -0
package/src/calls/elevenlabs-config.ts +31 -0
package/src/calls/relay-server.ts +390 -0
package/src/calls/speaker-identification.ts +213 -0
package/src/calls/twilio-config.ts +45 -0
package/src/calls/twilio-provider.ts +263 -0
package/src/calls/twilio-rest.ts +156 -0
package/src/calls/twilio-routes.ts +311 -0
package/src/calls/types.ts +39 -0
package/src/calls/voice-provider.ts +14 -0
package/src/calls/voice-quality.ts +114 -0
package/src/cli/autonomy.ts +188 -0
package/src/cli/config-commands.ts +334 -0
package/src/cli/contacts.ts +149 -0
package/src/cli/core-commands.ts +784 -0
package/src/cli/doordash.ts +1055 -0
package/src/cli/email-guardrails.ts +200 -0
package/src/cli/email.ts +405 -0
package/src/cli/ipc-client.ts +82 -0
package/src/cli/main-screen.tsx +53 -0
package/src/cli/map.ts +270 -0
package/src/cli/twitter.ts +754 -0
package/src/cli.ts +918 -0
package/src/commands/__tests__/cc-command-registry.test.ts +319 -0
package/src/commands/cc-command-registry.ts +209 -0
package/src/config/bundled-skills/.gitkeep +0 -0
package/src/config/bundled-skills/agentmail/SKILL.md +128 -0
package/src/config/bundled-skills/agentmail/icon.svg +21 -0
package/src/config/bundled-skills/app-builder/SKILL.md +1404 -0
package/src/config/bundled-skills/app-builder/TOOLS.json +279 -0
package/src/config/bundled-skills/app-builder/icon.svg +9 -0
package/src/config/bundled-skills/app-builder/tools/app-create.ts +15 -0
package/src/config/bundled-skills/app-builder/tools/app-delete.ts +10 -0
package/src/config/bundled-skills/app-builder/tools/app-file-edit.ts +11 -0
package/src/config/bundled-skills/app-builder/tools/app-file-list.ts +10 -0
package/src/config/bundled-skills/app-builder/tools/app-file-read.ts +18 -0
package/src/config/bundled-skills/app-builder/tools/app-file-write.ts +11 -0
package/src/config/bundled-skills/app-builder/tools/app-list.ts +10 -0
package/src/config/bundled-skills/app-builder/tools/app-query.ts +10 -0
package/src/config/bundled-skills/app-builder/tools/app-update.ts +20 -0
package/src/config/bundled-skills/browser/SKILL.md +28 -0
package/src/config/bundled-skills/browser/TOOLS.json +234 -0
package/src/config/bundled-skills/browser/tools/browser-click.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-close.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-extract.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-fill-credential.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-navigate.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-press-key.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-screenshot.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-snapshot.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-type.ts +9 -0
package/src/config/bundled-skills/browser/tools/browser-wait-for.ts +9 -0
package/src/config/bundled-skills/claude-code/SKILL.md +50 -0
package/src/config/bundled-skills/claude-code/TOOLS.json +40 -0
package/src/config/bundled-skills/claude-code/tools/claude-code.ts +9 -0
package/src/config/bundled-skills/computer-use/SKILL.md +17 -0
package/src/config/bundled-skills/computer-use/TOOLS.json +326 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-click.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-done.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-double-click.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-drag.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-key.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-open-app.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-request-control.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-respond.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-right-click.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-run-applescript.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-scroll.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-type-text.ts +9 -0
package/src/config/bundled-skills/computer-use/tools/computer-use-wait.ts +9 -0
package/src/config/bundled-skills/contacts/SKILL.md +39 -0
package/src/config/bundled-skills/contacts/TOOLS.json +122 -0
package/src/config/bundled-skills/contacts/tools/contact-merge.ts +57 -0
package/src/config/bundled-skills/contacts/tools/contact-search.ts +60 -0
package/src/config/bundled-skills/contacts/tools/contact-upsert.ts +66 -0
package/src/config/bundled-skills/document/SKILL.md +26 -0
package/src/config/bundled-skills/document/TOOLS.json +53 -0
package/src/config/bundled-skills/document/tools/document-create.ts +9 -0
package/src/config/bundled-skills/document/tools/document-update.ts +9 -0
package/src/config/bundled-skills/doordash/SKILL.md +163 -0
package/src/config/bundled-skills/followups/SKILL.md +32 -0
package/src/config/bundled-skills/followups/TOOLS.json +100 -0
package/src/config/bundled-skills/followups/icon.svg +24 -0
package/src/config/bundled-skills/followups/tools/followup-create.ts +9 -0
package/src/config/bundled-skills/followups/tools/followup-list.ts +9 -0
package/src/config/bundled-skills/followups/tools/followup-resolve.ts +9 -0
package/src/config/bundled-skills/google-calendar/SKILL.md +51 -0
package/src/config/bundled-skills/google-calendar/TOOLS.json +108 -0
package/src/config/bundled-skills/google-calendar/calendar-client.ts +165 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +21 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +42 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +13 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +30 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +41 -0
package/src/config/bundled-skills/google-calendar/tools/shared.ts +18 -0
package/src/config/bundled-skills/google-calendar/types.ts +97 -0
package/src/config/bundled-skills/image-studio/SKILL.md +32 -0
package/src/config/bundled-skills/image-studio/TOOLS.json +42 -0
package/src/config/bundled-skills/image-studio/tools/media-generate-image.ts +115 -0
package/src/config/bundled-skills/macos-automation/SKILL.md +66 -0
package/src/config/bundled-skills/messaging/SKILL.md +153 -0
package/src/config/bundled-skills/messaging/TOOLS.json +357 -0
package/src/config/bundled-skills/messaging/tools/gmail-archive.ts +23 -0
package/src/config/bundled-skills/messaging/tools/gmail-batch-archive.ts +23 -0
package/src/config/bundled-skills/messaging/tools/gmail-batch-label.ts +25 -0
package/src/config/bundled-skills/messaging/tools/gmail-draft.ts +26 -0
package/src/config/bundled-skills/messaging/tools/gmail-label.ts +25 -0
package/src/config/bundled-skills/messaging/tools/gmail-trash.ts +23 -0
package/src/config/bundled-skills/messaging/tools/gmail-unsubscribe.ts +84 -0
package/src/config/bundled-skills/messaging/tools/messaging-analyze-activity.ts +18 -0
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +125 -0
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +16 -0
package/src/config/bundled-skills/messaging/tools/messaging-draft.ts +49 -0
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +21 -0
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +25 -0
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +28 -0
package/src/config/bundled-skills/messaging/tools/messaging-reply.ts +32 -0
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +22 -0
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +31 -0
package/src/config/bundled-skills/messaging/tools/shared.ts +76 -0
package/src/config/bundled-skills/messaging/tools/slack-add-reaction.ts +25 -0
package/src/config/bundled-skills/messaging/tools/slack-leave-channel.ts +23 -0
package/src/config/bundled-skills/phone-calls/SKILL.md +533 -0
package/src/config/bundled-skills/playbooks/SKILL.md +31 -0
package/src/config/bundled-skills/playbooks/TOOLS.json +126 -0
package/src/config/bundled-skills/playbooks/tools/playbook-create.ts +98 -0
package/src/config/bundled-skills/playbooks/tools/playbook-delete.ts +54 -0
package/src/config/bundled-skills/playbooks/tools/playbook-list.ts +76 -0
package/src/config/bundled-skills/playbooks/tools/playbook-update.ts +113 -0
package/src/config/bundled-skills/public-ingress/SKILL.md +200 -0
package/src/config/bundled-skills/reminder/SKILL.md +20 -0
package/src/config/bundled-skills/reminder/TOOLS.json +67 -0
package/src/config/bundled-skills/reminder/tools/reminder-cancel.ts +9 -0
package/src/config/bundled-skills/reminder/tools/reminder-create.ts +9 -0
package/src/config/bundled-skills/reminder/tools/reminder-list.ts +9 -0
package/src/config/bundled-skills/schedule/SKILL.md +74 -0
package/src/config/bundled-skills/schedule/TOOLS.json +135 -0
package/src/config/bundled-skills/schedule/tools/schedule-create.ts +9 -0
package/src/config/bundled-skills/schedule/tools/schedule-delete.ts +9 -0
package/src/config/bundled-skills/schedule/tools/schedule-list.ts +9 -0
package/src/config/bundled-skills/schedule/tools/schedule-update.ts +9 -0
package/src/config/bundled-skills/self-upgrade/SKILL.md +68 -0
package/src/config/bundled-skills/start-the-day/SKILL.md +70 -0
package/src/config/bundled-skills/start-the-day/icon.svg +13 -0
package/src/config/bundled-skills/subagent/SKILL.md +25 -0
package/src/config/bundled-skills/subagent/TOOLS.json +107 -0
package/src/config/bundled-skills/subagent/tools/subagent-abort.ts +9 -0
package/src/config/bundled-skills/subagent/tools/subagent-message.ts +9 -0
package/src/config/bundled-skills/subagent/tools/subagent-read.ts +9 -0
package/src/config/bundled-skills/subagent/tools/subagent-spawn.ts +9 -0
package/src/config/bundled-skills/subagent/tools/subagent-status.ts +9 -0
package/src/config/bundled-skills/tasks/SKILL.md +28 -0
package/src/config/bundled-skills/tasks/TOOLS.json +281 -0
package/src/config/bundled-skills/tasks/tools/task-delete.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-list-add.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-list-remove.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-list-show.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-list-update.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-list.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-queue-run.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-run.ts +9 -0
package/src/config/bundled-skills/tasks/tools/task-save.ts +9 -0
package/src/config/bundled-skills/transcribe/SKILL.md +25 -0
package/src/config/bundled-skills/transcribe/TOOLS.json +32 -0
package/src/config/bundled-skills/transcribe/tools/transcribe-media.ts +370 -0
package/src/config/bundled-skills/twitter/SKILL.md +220 -0
package/src/config/bundled-skills/watcher/SKILL.md +27 -0
package/src/config/bundled-skills/watcher/TOOLS.json +147 -0
package/src/config/bundled-skills/watcher/tools/watcher-create.ts +9 -0
package/src/config/bundled-skills/watcher/tools/watcher-delete.ts +9 -0
package/src/config/bundled-skills/watcher/tools/watcher-digest.ts +9 -0
package/src/config/bundled-skills/watcher/tools/watcher-list.ts +9 -0
package/src/config/bundled-skills/watcher/tools/watcher-update.ts +9 -0
package/src/config/bundled-skills/weather/SKILL.md +37 -0
package/src/config/bundled-skills/weather/TOOLS.json +32 -0
package/src/config/bundled-skills/weather/icon.svg +24 -0
package/src/config/bundled-skills/weather/tools/get-weather.ts +9 -0
package/src/config/computer-use-prompt.ts +97 -0
package/src/config/defaults.ts +263 -0
package/src/config/loader.ts +339 -0
package/src/config/schema.ts +1436 -0
package/src/config/skill-state.ts +95 -0
package/src/config/skills.ts +972 -0
package/src/config/system-prompt.ts +675 -0
package/src/config/templates/BOOTSTRAP.md +70 -0
package/src/config/templates/IDENTITY.md +25 -0
package/src/config/templates/LOOKS.md +25 -0
package/src/config/templates/SOUL.md +37 -0
package/src/config/templates/USER.md +19 -0
package/src/config/types.ts +42 -0
package/src/config/vellum-skills/chatgpt-import/SKILL.md +24 -0
package/src/config/vellum-skills/chatgpt-import/TOOLS.json +23 -0
package/src/config/vellum-skills/chatgpt-import/tools/chatgpt-import.ts +284 -0
package/src/config/vellum-skills/deploy-fullstack-vercel/SKILL.md +179 -0
package/src/config/vellum-skills/document-writer/SKILL.md +195 -0
package/src/config/vellum-skills/google-oauth-setup/SKILL.md +199 -0
package/src/config/vellum-skills/slack-oauth-setup/SKILL.md +153 -0
package/src/config/vellum-skills/telegram-setup/SKILL.md +143 -0
package/src/config/vellum-skills/twilio-setup/SKILL.md +213 -0
package/src/contacts/contact-store.ts +410 -0
package/src/contacts/index.ts +11 -0
package/src/contacts/types.ts +28 -0
package/src/context/token-estimator.ts +108 -0
package/src/context/tool-result-truncation.ts +128 -0
package/src/context/window-manager.ts +531 -0
package/src/daemon/assistant-attachments.ts +691 -0
package/src/daemon/classifier.ts +110 -0
package/src/daemon/computer-use-session.ts +903 -0
package/src/daemon/connection-policy.ts +41 -0
package/src/daemon/date-context.ts +136 -0
package/src/daemon/handlers/apps.ts +530 -0
package/src/daemon/handlers/browser.ts +54 -0
package/src/daemon/handlers/computer-use.ts +187 -0
package/src/daemon/handlers/config.ts +1517 -0
package/src/daemon/handlers/diagnostics.ts +338 -0
package/src/daemon/handlers/documents.ts +173 -0
package/src/daemon/handlers/home-base.ts +78 -0
package/src/daemon/handlers/identity.ts +127 -0
package/src/daemon/handlers/index.ts +129 -0
package/src/daemon/handlers/misc.ts +331 -0
package/src/daemon/handlers/open-bundle-handler.ts +80 -0
package/src/daemon/handlers/publish.ts +187 -0
package/src/daemon/handlers/sessions.ts +555 -0
package/src/daemon/handlers/shared.ts +570 -0
package/src/daemon/handlers/signing.ts +37 -0
package/src/daemon/handlers/skills.ts +486 -0
package/src/daemon/handlers/subagents.ts +210 -0
package/src/daemon/handlers/twitter-auth.ts +198 -0
package/src/daemon/handlers/work-items.ts +632 -0
package/src/daemon/handlers/workspace-files.ts +75 -0
package/src/daemon/handlers.ts +17 -0
package/src/daemon/history-repair.ts +214 -0
package/src/daemon/ipc-blob-store.ts +231 -0
package/src/daemon/ipc-contract-inventory.json +495 -0
package/src/daemon/ipc-contract-inventory.ts +126 -0
package/src/daemon/ipc-contract.ts +2551 -0
package/src/daemon/ipc-protocol.ts +75 -0
package/src/daemon/ipc-validate.ts +188 -0
package/src/daemon/lifecycle.ts +582 -0
package/src/daemon/main.ts +21 -0
package/src/daemon/media-visibility-policy.ts +57 -0
package/src/daemon/ride-shotgun-handler.ts +309 -0
package/src/daemon/server.ts +1215 -0
package/src/daemon/session-agent-loop.ts +922 -0
package/src/daemon/session-attachments.ts +196 -0
package/src/daemon/session-conflict-gate.ts +184 -0
package/src/daemon/session-dynamic-profile.ts +63 -0
package/src/daemon/session-error.ts +290 -0
package/src/daemon/session-evictor.ts +196 -0
package/src/daemon/session-history.ts +437 -0
package/src/daemon/session-lifecycle.ts +147 -0
package/src/daemon/session-media-retry.ts +147 -0
package/src/daemon/session-memory.ts +212 -0
package/src/daemon/session-messaging.ts +145 -0
package/src/daemon/session-notifiers.ts +193 -0
package/src/daemon/session-process.ts +323 -0
package/src/daemon/session-queue-manager.ts +82 -0
package/src/daemon/session-runtime-assembly.ts +447 -0
package/src/daemon/session-skill-tools.ts +356 -0
package/src/daemon/session-slash.ts +305 -0
package/src/daemon/session-surfaces.ts +702 -0
package/src/daemon/session-tool-setup.ts +523 -0
package/src/daemon/session-usage.ts +72 -0
package/src/daemon/session-workspace.ts +19 -0
package/src/daemon/session.ts +400 -0
package/src/daemon/tls-certs.ts +189 -0
package/src/daemon/trace-emitter.ts +82 -0
package/src/daemon/video-thumbnail.ts +62 -0
package/src/daemon/watch-handler.ts +274 -0
package/src/doordash/client.ts +999 -0
package/src/doordash/queries.ts +1311 -0
package/src/doordash/query-extractor.ts +93 -0
package/src/doordash/session.ts +82 -0
package/src/email/provider.ts +117 -0
package/src/email/providers/agentmail.ts +317 -0
package/src/email/providers/index.ts +58 -0
package/src/email/service.ts +303 -0
package/src/email/types.ts +126 -0
package/src/events/bus.ts +157 -0
package/src/events/domain-events.ts +83 -0
package/src/events/index.ts +18 -0
package/src/events/tool-audit-listener.ts +80 -0
package/src/events/tool-domain-event-publisher.ts +111 -0
package/src/events/tool-metrics-listener.ts +159 -0
package/src/events/tool-notification-listener.ts +17 -0
package/src/events/tool-profiling-listener.ts +158 -0
package/src/events/tool-trace-listener.ts +75 -0
package/src/export/formatter.ts +98 -0
package/src/followups/followup-store.ts +168 -0
package/src/followups/index.ts +10 -0
package/src/followups/types.ts +29 -0
package/src/gallery/default-gallery.ts +795 -0
package/src/gallery/gallery-manifest.ts +24 -0
package/src/home-base/app-link-store.ts +82 -0
package/src/home-base/bootstrap.ts +68 -0
package/src/home-base/prebuilt/index.html +662 -0
package/src/home-base/prebuilt/seed-metadata.json +21 -0
package/src/home-base/prebuilt/seed.ts +112 -0
package/src/home-base/prebuilt-home-base-updater.ts +30 -0
package/src/hooks/cli.ts +163 -0
package/src/hooks/config.ts +88 -0
package/src/hooks/discovery.ts +110 -0
package/src/hooks/manager.ts +124 -0
package/src/hooks/runner.ts +123 -0
package/src/hooks/templates.ts +52 -0
package/src/hooks/types.ts +72 -0
package/src/inbound/public-ingress-urls.ts +123 -0
package/src/index.ts +81 -0
package/src/instrument.ts +60 -0
package/src/logfire.ts +99 -0
package/src/media/gemini-image-service.ts +136 -0
package/src/memory/account-store.ts +108 -0
package/src/memory/admin.ts +211 -0
package/src/memory/app-git-service.ts +295 -0
package/src/memory/app-store.ts +577 -0
package/src/memory/attachments-store.ts +397 -0
package/src/memory/channel-delivery-store.ts +353 -0
package/src/memory/channel-guardian-store.ts +669 -0
package/src/memory/checkpoints.ts +52 -0
package/src/memory/clarification-resolver.ts +298 -0
package/src/memory/conflict-intent.ts +157 -0
package/src/memory/conflict-policy.ts +73 -0
package/src/memory/conflict-store.ts +350 -0
package/src/memory/contradiction-checker.ts +358 -0
package/src/memory/conversation-key-store.ts +122 -0
package/src/memory/conversation-store.ts +470 -0
package/src/memory/db.ts +1991 -0
package/src/memory/embedding-backend.ts +229 -0
package/src/memory/embedding-gemini.ts +52 -0
package/src/memory/embedding-local.ts +65 -0
package/src/memory/embedding-ollama.ts +55 -0
package/src/memory/embedding-openai.ts +25 -0
package/src/memory/entity-extractor.ts +474 -0
package/src/memory/external-conversation-store.ts +234 -0
package/src/memory/fingerprint.ts +20 -0
package/src/memory/indexer.ts +156 -0
package/src/memory/items-extractor.ts +461 -0
package/src/memory/job-handlers/backfill.ts +139 -0
package/src/memory/job-handlers/cleanup.ts +58 -0
package/src/memory/job-handlers/conflict.ts +141 -0
package/src/memory/job-handlers/embedding.ts +61 -0
package/src/memory/job-handlers/extraction.ts +123 -0
package/src/memory/job-handlers/index-maintenance.ts +54 -0
package/src/memory/job-handlers/summarization.ts +286 -0
package/src/memory/job-utils.ts +170 -0
package/src/memory/jobs-store.ts +401 -0
package/src/memory/jobs-worker.ts +313 -0
package/src/memory/llm-request-log-store.ts +45 -0
package/src/memory/llm-usage-store.ts +60 -0
package/src/memory/message-content.ts +54 -0
package/src/memory/profile-compiler.ts +160 -0
package/src/memory/published-pages-store.ts +137 -0
package/src/memory/qdrant-client.ts +366 -0
package/src/memory/qdrant-manager.ts +242 -0
package/src/memory/query-builder.ts +45 -0
package/src/memory/retrieval-budget.ts +30 -0
package/src/memory/retriever.ts +653 -0
package/src/memory/runs-store.ts +305 -0
package/src/memory/schema.ts +677 -0
package/src/memory/search/entity.ts +298 -0
package/src/memory/search/formatting.ts +207 -0
package/src/memory/search/lexical.ts +227 -0
package/src/memory/search/ranking.ts +401 -0
package/src/memory/search/semantic.ts +121 -0
package/src/memory/search/types.ts +137 -0
package/src/memory/segmenter.ts +68 -0
package/src/memory/shared-app-links-store.ts +138 -0
package/src/memory/tool-usage-store.ts +62 -0
package/src/messaging/activity-analyzer.ts +76 -0
package/src/messaging/draft-store.ts +88 -0
package/src/messaging/index.ts +3 -0
package/src/messaging/provider-types.ts +80 -0
package/src/messaging/provider.ts +52 -0
package/src/messaging/providers/gmail/adapter.ts +193 -0
package/src/messaging/providers/gmail/client.ts +204 -0
package/src/messaging/providers/gmail/types.ts +90 -0
package/src/messaging/providers/slack/adapter.ts +202 -0
package/src/messaging/providers/slack/client.ts +198 -0
package/src/messaging/providers/slack/types.ts +119 -0
package/src/messaging/providers/telegram-bot/adapter.ts +162 -0
package/src/messaging/providers/telegram-bot/client.ts +104 -0
package/src/messaging/providers/telegram-bot/types.ts +15 -0
package/src/messaging/registry.ts +35 -0
package/src/messaging/style-analyzer.ts +159 -0
package/src/messaging/thread-summarizer.ts +306 -0
package/src/messaging/triage-engine.ts +323 -0
package/src/messaging/types.ts +55 -0
package/src/permissions/checker.ts +640 -0
package/src/permissions/defaults.ts +254 -0
package/src/permissions/prompter.ts +98 -0
package/src/permissions/secret-prompter.ts +114 -0
package/src/permissions/shell-identity.ts +227 -0
package/src/permissions/trust-store.ts +607 -0
package/src/permissions/types.ts +43 -0
package/src/permissions/workspace-policy.ts +114 -0
package/src/playbooks/index.ts +2 -0
package/src/playbooks/playbook-compiler.ts +90 -0
package/src/playbooks/types.ts +55 -0
package/src/providers/anthropic/client.ts +751 -0
package/src/providers/failover.ts +129 -0
package/src/providers/fireworks/client.ts +20 -0
package/src/providers/gemini/client.ts +285 -0
package/src/providers/ollama/client.ts +30 -0
package/src/providers/openai/client.ts +337 -0
package/src/providers/openrouter/client.ts +20 -0
package/src/providers/ratelimit.ts +93 -0
package/src/providers/registry.ts +146 -0
package/src/providers/retry.ts +81 -0
package/src/providers/stream-timeout.ts +38 -0
package/src/providers/types.ts +109 -0
package/src/runtime/assistant-event-hub.ts +157 -0
package/src/runtime/assistant-event.ts +82 -0
package/src/runtime/channel-approval-parser.ts +60 -0
package/src/runtime/channel-approval-types.ts +73 -0
package/src/runtime/channel-approvals.ts +206 -0
package/src/runtime/channel-guardian-service.ts +212 -0
package/src/runtime/gateway-client.ts +58 -0
package/src/runtime/http-server.ts +1076 -0
package/src/runtime/http-types.ts +66 -0
package/src/runtime/routes/app-routes.ts +174 -0
package/src/runtime/routes/attachment-routes.ts +133 -0
package/src/runtime/routes/call-routes.ts +190 -0
package/src/runtime/routes/channel-routes.ts +1404 -0
package/src/runtime/routes/conversation-routes.ts +352 -0
package/src/runtime/routes/events-routes.ts +148 -0
package/src/runtime/routes/run-routes.ts +257 -0
package/src/runtime/routes/secret-routes.ts +76 -0
package/src/runtime/run-orchestrator.ts +330 -0
package/src/schedule/recurrence-engine.ts +162 -0
package/src/schedule/recurrence-types.ts +67 -0
package/src/schedule/schedule-store.ts +506 -0
package/src/schedule/scheduler.ts +171 -0
package/src/security/encrypted-store.ts +238 -0
package/src/security/keychain.ts +252 -0
package/src/security/oauth-callback-registry.ts +66 -0
package/src/security/oauth2.ts +274 -0
package/src/security/redaction.ts +89 -0
package/src/security/secret-allowlist.ts +164 -0
package/src/security/secret-ingress.ts +57 -0
package/src/security/secret-scanner.ts +550 -0
package/src/security/secure-keys.ts +180 -0
package/src/security/token-manager.ts +141 -0
package/src/services/published-app-updater.ts +69 -0
package/src/services/vercel-deploy.ts +73 -0
package/src/skills/active-skill-tools.ts +81 -0
package/src/skills/clawhub.ts +414 -0
package/src/skills/include-graph.ts +146 -0
package/src/skills/managed-store.ts +233 -0
package/src/skills/path-classifier.ts +128 -0
package/src/skills/slash-commands.ts +174 -0
package/src/skills/tool-manifest.ts +165 -0
package/src/skills/version-hash.ts +110 -0
package/src/slack/slack-webhook.ts +61 -0
package/src/subagent/index.ts +19 -0
package/src/subagent/manager.ts +511 -0
package/src/subagent/types.ts +69 -0
package/src/swarm/backend-claude-code.ts +145 -0
package/src/swarm/index.ts +44 -0
package/src/swarm/limits.ts +37 -0
package/src/swarm/orchestrator.ts +279 -0
package/src/swarm/plan-validator.ts +151 -0
package/src/swarm/router-planner.ts +100 -0
package/src/swarm/router-prompts.ts +36 -0
package/src/swarm/synthesizer.ts +62 -0
package/src/swarm/types.ts +62 -0
package/src/swarm/worker-backend.ts +121 -0
package/src/swarm/worker-prompts.ts +79 -0
package/src/swarm/worker-runner.ts +164 -0
package/src/tasks/SPEC.md +139 -0
package/src/tasks/candidate-store.ts +86 -0
package/src/tasks/ephemeral-permissions.ts +48 -0
package/src/tasks/task-compiler.ts +199 -0
package/src/tasks/task-runner.ts +90 -0
package/src/tasks/task-scheduler.ts +21 -0
package/src/tasks/task-store.ts +127 -0
package/src/tasks/tool-sanitizer.ts +36 -0
package/src/tools/apps/definitions.ts +59 -0
package/src/tools/apps/executors.ts +313 -0
package/src/tools/apps/open-proxy.ts +43 -0
package/src/tools/apps/registry.ts +16 -0
package/src/tools/assets/materialize.ts +218 -0
package/src/tools/assets/search.ts +361 -0
package/src/tools/browser/__tests__/auth-cache.test.ts +219 -0
package/src/tools/browser/__tests__/auth-detector.test.ts +362 -0
package/src/tools/browser/__tests__/jit-auth.test.ts +189 -0
package/src/tools/browser/api-map.ts +293 -0
package/src/tools/browser/auth-cache.ts +149 -0
package/src/tools/browser/auth-detector.ts +347 -0
package/src/tools/browser/auto-navigate.ts +270 -0
package/src/tools/browser/browser-execution.ts +980 -0
package/src/tools/browser/browser-handoff.ts +79 -0
package/src/tools/browser/browser-manager.ts +715 -0
package/src/tools/browser/browser-screencast.ts +217 -0
package/src/tools/browser/headless-browser.ts +450 -0
package/src/tools/browser/jit-auth.ts +51 -0
package/src/tools/browser/network-recorder.ts +349 -0
package/src/tools/browser/network-recording-types.ts +49 -0
package/src/tools/browser/recording-store.ts +49 -0
package/src/tools/browser/runtime-check.ts +43 -0
package/src/tools/browser/x-auto-navigate.ts +207 -0
package/src/tools/calls/call-end.ts +67 -0
package/src/tools/calls/call-start.ts +81 -0
package/src/tools/calls/call-status.ts +81 -0
package/src/tools/claude-code/claude-code.ts +428 -0
package/src/tools/computer-use/definitions.ts +443 -0
package/src/tools/computer-use/registry.ts +22 -0
package/src/tools/computer-use/request-computer-control.ts +53 -0
package/src/tools/computer-use/skill-proxy-bridge.ts +28 -0
package/src/tools/credentials/account-registry.ts +127 -0
package/src/tools/credentials/broker-types.ts +107 -0
package/src/tools/credentials/broker.ts +372 -0
package/src/tools/credentials/domain-policy.ts +51 -0
package/src/tools/credentials/host-pattern-match.ts +60 -0
package/src/tools/credentials/metadata-store.ts +335 -0
package/src/tools/credentials/policy-types.ts +52 -0
package/src/tools/credentials/policy-validate.ts +80 -0
package/src/tools/credentials/resolve.ts +122 -0
package/src/tools/credentials/selection.ts +159 -0
package/src/tools/credentials/tool-policy.ts +25 -0
package/src/tools/credentials/vault.ts +657 -0
package/src/tools/document/document-tool.ts +92 -0
package/src/tools/document/editor-template.ts +237 -0
package/src/tools/execution-target.ts +21 -0
package/src/tools/execution-timeout.ts +49 -0
package/src/tools/executor.ts +815 -0
package/src/tools/filesystem/edit.ts +127 -0
package/src/tools/filesystem/fuzzy-match.ts +202 -0
package/src/tools/filesystem/read.ts +71 -0
package/src/tools/filesystem/view-image.ts +199 -0
package/src/tools/filesystem/write.ts +79 -0
package/src/tools/followups/followup_create.ts +76 -0
package/src/tools/followups/followup_list.ts +60 -0
package/src/tools/followups/followup_resolve.ts +56 -0
package/src/tools/host-filesystem/edit.ts +125 -0
package/src/tools/host-filesystem/read.ts +80 -0
package/src/tools/host-filesystem/write.ts +76 -0
package/src/tools/host-terminal/cli-discover.ts +180 -0
package/src/tools/host-terminal/host-shell.ts +191 -0
package/src/tools/memory/definitions.ts +69 -0
package/src/tools/memory/handlers.ts +246 -0
package/src/tools/memory/register.ts +66 -0
package/src/tools/network/__tests__/web-search.test.ts +427 -0
package/src/tools/network/domain-normalize.ts +85 -0
package/src/tools/network/script-proxy/__tests__/logging.test.ts +248 -0
package/src/tools/network/script-proxy/__tests__/policy.test.ts +234 -0
package/src/tools/network/script-proxy/__tests__/router.test.ts +76 -0
package/src/tools/network/script-proxy/certs.ts +237 -0
package/src/tools/network/script-proxy/connect-tunnel.ts +82 -0
package/src/tools/network/script-proxy/http-forwarder.ts +151 -0
package/src/tools/network/script-proxy/index.ts +28 -0
package/src/tools/network/script-proxy/logging.ts +196 -0
package/src/tools/network/script-proxy/mitm-handler.ts +269 -0
package/src/tools/network/script-proxy/policy.ts +152 -0
package/src/tools/network/script-proxy/router.ts +60 -0
package/src/tools/network/script-proxy/server.ts +136 -0
package/src/tools/network/script-proxy/session-manager.ts +534 -0
package/src/tools/network/script-proxy/types.ts +125 -0
package/src/tools/network/url-safety.ts +227 -0
package/src/tools/network/web-fetch.ts +713 -0
package/src/tools/network/web-search.ts +296 -0
package/src/tools/policy-context.ts +29 -0
package/src/tools/registry.ts +295 -0
package/src/tools/reminder/reminder-store.ts +148 -0
package/src/tools/reminder/reminder.ts +80 -0
package/src/tools/schedule/create.ts +81 -0
package/src/tools/schedule/delete.ts +28 -0
package/src/tools/schedule/list.ts +69 -0
package/src/tools/schedule/update.ts +97 -0
package/src/tools/shared/filesystem/edit-engine.ts +56 -0
package/src/tools/shared/filesystem/errors.ts +85 -0
package/src/tools/shared/filesystem/file-ops-service.ts +215 -0
package/src/tools/shared/filesystem/format-diff.ts +35 -0
package/src/tools/shared/filesystem/path-policy.ts +125 -0
package/src/tools/shared/filesystem/size-guard.ts +41 -0
package/src/tools/shared/filesystem/types.ts +80 -0
package/src/tools/shared/shell-output.ts +52 -0
package/src/tools/skills/delete-managed.ts +60 -0
package/src/tools/skills/load.ts +139 -0
package/src/tools/skills/sandbox-runner.ts +279 -0
package/src/tools/skills/scaffold-managed.ts +150 -0
package/src/tools/skills/script-contract.ts +6 -0
package/src/tools/skills/skill-script-runner.ts +86 -0
package/src/tools/skills/skill-tool-factory.ts +64 -0
package/src/tools/skills/vellum-catalog.ts +217 -0
package/src/tools/subagent/abort.ts +33 -0
package/src/tools/subagent/message.ts +39 -0
package/src/tools/subagent/read.ts +67 -0
package/src/tools/subagent/spawn.ts +46 -0
package/src/tools/subagent/status.ts +45 -0
package/src/tools/swarm/delegate.ts +183 -0
package/src/tools/system/request-permission.ts +98 -0
package/src/tools/system/version.ts +43 -0
package/src/tools/tasks/index.ts +27 -0
package/src/tools/tasks/task-delete.ts +82 -0
package/src/tools/tasks/task-list.ts +44 -0
package/src/tools/tasks/task-run.ts +97 -0
package/src/tools/tasks/task-save.ts +47 -0
package/src/tools/tasks/work-item-enqueue.ts +234 -0
package/src/tools/tasks/work-item-list.ts +55 -0
package/src/tools/tasks/work-item-remove.ts +60 -0
package/src/tools/tasks/work-item-run.ts +78 -0
package/src/tools/tasks/work-item-update.ts +114 -0
package/src/tools/terminal/backends/docker.ts +372 -0
package/src/tools/terminal/backends/native.ts +190 -0
package/src/tools/terminal/backends/types.ts +26 -0
package/src/tools/terminal/evaluate-typescript.ts +275 -0
package/src/tools/terminal/parser.ts +413 -0
package/src/tools/terminal/safe-env.ts +37 -0
package/src/tools/terminal/sandbox-diagnostics.ts +149 -0
package/src/tools/terminal/sandbox.ts +44 -0
package/src/tools/terminal/shell.ts +257 -0
package/src/tools/tool-manifest.ts +198 -0
package/src/tools/types.ts +176 -0
package/src/tools/ui-surface/definitions.ts +244 -0
package/src/tools/ui-surface/registry.ts +14 -0
package/src/tools/watch/screen-watch.ts +130 -0
package/src/tools/watch/watch-state.ts +119 -0
package/src/tools/watcher/create.ts +64 -0
package/src/tools/watcher/delete.ts +27 -0
package/src/tools/watcher/digest.ts +50 -0
package/src/tools/watcher/list.ts +60 -0
package/src/tools/watcher/update.ts +56 -0
package/src/tools/weather/service.ts +551 -0
package/src/twitter/client.ts +690 -0
package/src/twitter/oauth-client.ts +102 -0
package/src/twitter/router.ts +101 -0
package/src/twitter/session.ts +91 -0
package/src/usage/actors.ts +24 -0
package/src/usage/types.ts +37 -0
package/src/util/clipboard.ts +33 -0
package/src/util/content-id.ts +16 -0
package/src/util/debounce.ts +88 -0
package/src/util/diff.ts +181 -0
package/src/util/errors.ts +129 -0
package/src/util/logger.ts +243 -0
package/src/util/network-info.ts +47 -0
package/src/util/platform.ts +632 -0
package/src/util/pricing.ts +150 -0
package/src/util/promise-guard.ts +37 -0
package/src/util/retry.ts +98 -0
package/src/util/spinner.ts +51 -0
package/src/util/time.ts +16 -0
package/src/util/truncate.ts +6 -0
package/src/util/xml.ts +4 -0
package/src/version.ts +3 -0
package/src/watcher/constants.ts +11 -0
package/src/watcher/engine.ts +199 -0
package/src/watcher/provider-registry.ts +15 -0
package/src/watcher/provider-types.ts +48 -0
package/src/watcher/providers/gmail.ts +198 -0
package/src/watcher/providers/google-calendar.ts +228 -0
package/src/watcher/providers/slack.ts +129 -0
package/src/watcher/watcher-store.ts +419 -0
package/src/work-items/work-item-runner.ts +171 -0
package/src/work-items/work-item-store.ts +325 -0
package/src/workspace/commit-message-enrichment-service.ts +284 -0
package/src/workspace/commit-message-provider.ts +95 -0
package/src/workspace/git-service.ts +857 -0
package/src/workspace/heartbeat-service.ts +345 -0
package/src/workspace/provider-commit-message-generator.ts +285 -0
package/src/workspace/top-level-renderer.ts +19 -0
package/src/workspace/top-level-scanner.ts +41 -0
package/src/workspace/turn-commit.ts +175 -0
package/tsconfig.json +21 -0

package/src/daemon/handlers/config.ts ADDED Viewed

@@ -0,0 +1,1517 @@
+import * as net from 'node:net';
+import { getConfig, loadRawConfig, saveRawConfig } from '../../config/loader.js';
+import { initializeProviders } from '../../providers/registry.js';
+import { addRule, removeRule, updateRule, getAllRules, acceptStarterBundle } from '../../permissions/trust-store.js';
+import { classifyRisk, check, generateAllowlistOptions, generateScopeOptions } from '../../permissions/checker.js';
+import { isSideEffectTool } from '../../tools/executor.js';
+import { resolveExecutionTarget } from '../../tools/execution-target.js';
+import { getAllTools, getTool } from '../../tools/registry.js';
+import { listSchedules, updateSchedule, deleteSchedule, describeCronExpression } from '../../schedule/schedule-store.js';
+import { listReminders, cancelReminder } from '../../tools/reminder/reminder-store.js';
+import { getSecureKey, setSecureKey, deleteSecureKey } from '../../security/secure-keys.js';
+import { upsertCredentialMetadata, deleteCredentialMetadata, getCredentialMetadata } from '../../tools/credentials/metadata-store.js';
+import { postToSlackWebhook } from '../../slack/slack-webhook.js';
+import { getApp } from '../../memory/app-store.js';
+import { readHttpToken } from '../../util/platform.js';
+import type {
+  ModelSetRequest,
+  ImageGenModelSetRequest,
+  AddTrustRule,
+  RemoveTrustRule,
+  UpdateTrustRule,
+  ScheduleToggle,
+  ScheduleRemove,
+  ReminderCancel,
+  ShareToSlackRequest,
+  SlackWebhookConfigRequest,
+  IngressConfigRequest,
+  VercelApiConfigRequest,
+  TwitterIntegrationConfigRequest,
+  TelegramConfigRequest,
+  TwilioConfigRequest,
+  GuardianVerificationRequest,
+  ToolPermissionSimulateRequest,
+} from '../ipc-protocol.js';
+import {
+  hasTwilioCredentials,
+  listIncomingPhoneNumbers,
+  searchAvailableNumbers,
+  provisionPhoneNumber,
+} from '../../calls/twilio-rest.js';
+import { createVerificationChallenge, getGuardianBinding, revokeBinding as revokeGuardianBinding } from '../../runtime/channel-guardian-service.js';
+import { log, CONFIG_RELOAD_DEBOUNCE_MS, defineHandlers, type HandlerContext } from './shared.js';
+import { MODEL_TO_PROVIDER } from '../session-slash.js';
+// Lazily capture the env-provided INGRESS_PUBLIC_BASE_URL on first access
+// rather than at module load time. The daemon loads ~/.vellum/.env inside
+// runDaemon() (see lifecycle.ts), which runs AFTER static ES module imports
+// resolve. A module-level snapshot would miss dotenv-provided values.
+let _originalIngressEnvCaptured = false;
+let _originalIngressEnv: string | undefined;
+function getOriginalIngressEnv(): string | undefined {
+  if (!_originalIngressEnvCaptured) {
+    _originalIngressEnv = process.env.INGRESS_PUBLIC_BASE_URL;
+    _originalIngressEnvCaptured = true;
+  }
+  return _originalIngressEnv;
+}
+const TELEGRAM_BOT_TOKEN_IN_URL_PATTERN = /\/bot\d{8,10}:[A-Za-z0-9_-]{30,120}\//g;
+const TELEGRAM_BOT_TOKEN_PATTERN = /(?<![A-Za-z0-9_])\d{8,10}:[A-Za-z0-9_-]{30,120}(?![A-Za-z0-9_])/g;
+function redactTelegramBotTokens(value: string): string {
+  return value
+    .replace(TELEGRAM_BOT_TOKEN_IN_URL_PATTERN, '/bot[REDACTED]/')
+    .replace(TELEGRAM_BOT_TOKEN_PATTERN, '[REDACTED]');
+}
+function summarizeTelegramError(err: unknown): string {
+  const parts: string[] = [];
+  if (err instanceof Error) {
+    parts.push(err.message);
+  } else {
+    parts.push(String(err));
+  }
+  const path = (err as { path?: unknown })?.path;
+  if (typeof path === 'string' && path.length > 0) {
+    parts.push(`path=${path}`);
+  }
+  const code = (err as { code?: unknown })?.code;
+  if (typeof code === 'string' && code.length > 0) {
+    parts.push(`code=${code}`);
+  }
+  return redactTelegramBotTokens(parts.join(' '));
+}
+export function handleModelGet(socket: net.Socket, ctx: HandlerContext): void {
+  const config = getConfig();
+  const configured = Object.keys(config.apiKeys).filter((k) => !!config.apiKeys[k]);
+  if (!configured.includes('ollama')) configured.push('ollama');
+  ctx.send(socket, {
+    type: 'model_info',
+    model: config.model,
+    provider: config.provider,
+    configuredProviders: configured,
+  });
+}
+export function handleModelSet(
+  msg: ModelSetRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    // If the requested model is already the current model AND the provider
+    // is already aligned with what MODEL_TO_PROVIDER expects, skip expensive
+    // reinitialization but still send model_info so the client confirms.
+    // If the provider has drifted (e.g. manual config edit), fall through
+    // so the full reinit path can repair it.
+    {
+      const current = getConfig();
+      const expectedProvider = MODEL_TO_PROVIDER[msg.model];
+      const providerAligned = !expectedProvider || current.provider === expectedProvider;
+      if (msg.model === current.model && providerAligned) {
+        const configured = Object.keys(current.apiKeys).filter((k) => !!current.apiKeys[k]);
+        if (!configured.includes('ollama')) configured.push('ollama');
+        ctx.send(socket, {
+          type: 'model_info',
+          model: current.model,
+          provider: current.provider,
+          configuredProviders: configured,
+        });
+        return;
+      }
+    }
+    // Validate API key before switching
+    const provider = MODEL_TO_PROVIDER[msg.model];
+    if (provider && provider !== 'ollama') {
+      const currentConfig = getConfig();
+      if (!currentConfig.apiKeys[provider]) {
+        // Send current model_info so the client resyncs its optimistic state
+        // (don't use generic 'error' type — it would interrupt in-flight chat)
+        const configured = Object.keys(currentConfig.apiKeys).filter((k) => !!currentConfig.apiKeys[k]);
+        if (!configured.includes('ollama')) configured.push('ollama');
+        ctx.send(socket, { type: 'model_info', model: currentConfig.model, provider: currentConfig.provider, configuredProviders: configured });
+        return;
+      }
+    }
+    // Use raw config to avoid persisting env-var API keys to disk
+    const raw = loadRawConfig();
+    raw.model = msg.model;
+    // Infer provider from model ID to keep provider and model in sync
+    raw.provider = provider ?? raw.provider;
+    // Suppress the file watcher callback — handleModelSet already does
+    // the full reload sequence; a redundant watcher-triggered reload
+    // would incorrectly evict sessions created after this method returns.
+    const wasSuppressed = ctx.suppressConfigReload;
+    ctx.setSuppressConfigReload(true);
+    try {
+      saveRawConfig(raw);
+    } catch (err) {
+      ctx.setSuppressConfigReload(wasSuppressed);
+      throw err;
+    }
+    ctx.debounceTimers.schedule('__suppress_reset__', () => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+    // Re-initialize provider with the new model so LLM calls use it
+    const config = getConfig();
+    initializeProviders(config);
+    // Evict idle sessions immediately; mark busy ones as stale so they
+    // get recreated with the new provider once they finish processing.
+    for (const [id, session] of ctx.sessions) {
+      if (!session.isProcessing()) {
+        session.dispose();
+        ctx.sessions.delete(id);
+      } else {
+        session.markStale();
+      }
+    }
+    ctx.updateConfigFingerprint();
+    ctx.send(socket, {
+      type: 'model_info',
+      model: config.model,
+      provider: config.provider,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'error', message: `Failed to set model: ${message}` });
+  }
+}
+export function handleImageGenModelSet(
+  msg: ImageGenModelSetRequest,
+  _socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    const raw = loadRawConfig();
+    raw.imageGenModel = msg.model;
+    const wasSuppressed = ctx.suppressConfigReload;
+    ctx.setSuppressConfigReload(true);
+    try {
+      saveRawConfig(raw);
+    } catch (err) {
+      ctx.setSuppressConfigReload(wasSuppressed);
+      throw err;
+    }
+    ctx.debounceTimers.schedule('__suppress_reset__', () => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+    ctx.updateConfigFingerprint();
+    log.info({ model: msg.model }, 'Image generation model updated');
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, `Failed to set image gen model: ${message}`);
+  }
+}
+export function handleAddTrustRule(
+  msg: AddTrustRule,
+  _socket: net.Socket,
+  _ctx: HandlerContext,
+): void {
+  try {
+    const hasMetadata = msg.allowHighRisk != null
+      || msg.executionTarget != null;
+    addRule(
+      msg.toolName,
+      msg.pattern,
+      msg.scope,
+      msg.decision,
+      undefined, // priority — use default
+      hasMetadata
+        ? {
+            allowHighRisk: msg.allowHighRisk,
+            executionTarget: msg.executionTarget,
+          }
+        : undefined,
+    );
+    log.info({ toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope, decision: msg.decision }, 'Trust rule added via client');
+  } catch (err) {
+    log.error({ err, toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope }, 'Failed to add trust rule via client');
+  }
+}
+export function handleTrustRulesList(socket: net.Socket, ctx: HandlerContext): void {
+  const rules = getAllRules();
+  ctx.send(socket, { type: 'trust_rules_list_response', rules });
+}
+export function handleRemoveTrustRule(
+  msg: RemoveTrustRule,
+  _socket: net.Socket,
+  _ctx: HandlerContext,
+): void {
+  try {
+    const removed = removeRule(msg.id);
+    if (!removed) {
+      log.warn({ id: msg.id }, 'Trust rule not found for removal');
+    } else {
+      log.info({ id: msg.id }, 'Trust rule removed via client');
+    }
+  } catch (err) {
+    log.error({ err }, 'Failed to remove trust rule');
+  }
+}
+export function handleUpdateTrustRule(
+  msg: UpdateTrustRule,
+  _socket: net.Socket,
+  _ctx: HandlerContext,
+): void {
+  try {
+    updateRule(msg.id, {
+      tool: msg.tool,
+      pattern: msg.pattern,
+      scope: msg.scope,
+      decision: msg.decision,
+      priority: msg.priority,
+    });
+    log.info({ id: msg.id }, 'Trust rule updated via client');
+  } catch (err) {
+    log.error({ err }, 'Failed to update trust rule');
+  }
+}
+export function handleAcceptStarterBundle(
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    const result = acceptStarterBundle();
+    ctx.send(socket, {
+      type: 'accept_starter_bundle_response',
+      accepted: result.accepted,
+      rulesAdded: result.rulesAdded,
+      alreadyAccepted: result.alreadyAccepted,
+    });
+    log.info({ rulesAdded: result.rulesAdded, alreadyAccepted: result.alreadyAccepted }, 'Starter bundle accepted via client');
+  } catch (err) {
+    log.error({ err }, 'Failed to accept starter bundle');
+    ctx.send(socket, { type: 'error', message: 'Failed to accept starter bundle' });
+  }
+}
+export function handleSchedulesList(socket: net.Socket, ctx: HandlerContext): void {
+  const jobs = listSchedules();
+  ctx.send(socket, {
+    type: 'schedules_list_response',
+    schedules: jobs.map((j) => ({
+      id: j.id,
+      name: j.name,
+      enabled: j.enabled,
+      syntax: j.syntax,
+      expression: j.expression,
+      cronExpression: j.cronExpression,
+      timezone: j.timezone,
+      message: j.message,
+      nextRunAt: j.nextRunAt,
+      lastRunAt: j.lastRunAt,
+      lastStatus: j.lastStatus,
+      description: j.syntax === 'cron' ? describeCronExpression(j.cronExpression) : j.expression,
+    })),
+  });
+}
+export function handleScheduleToggle(
+  msg: ScheduleToggle,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    updateSchedule(msg.id, { enabled: msg.enabled });
+    log.info({ id: msg.id, enabled: msg.enabled }, 'Schedule toggled via client');
+  } catch (err) {
+    log.error({ err }, 'Failed to toggle schedule');
+  }
+  handleSchedulesList(socket, ctx);
+}
+export function handleScheduleRemove(
+  msg: ScheduleRemove,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    const removed = deleteSchedule(msg.id);
+    if (!removed) {
+      log.warn({ id: msg.id }, 'Schedule not found for removal');
+    } else {
+      log.info({ id: msg.id }, 'Schedule removed via client');
+    }
+  } catch (err) {
+    log.error({ err }, 'Failed to remove schedule');
+  }
+  handleSchedulesList(socket, ctx);
+}
+export function handleRemindersList(socket: net.Socket, ctx: HandlerContext): void {
+  const items = listReminders();
+  ctx.send(socket, {
+    type: 'reminders_list_response',
+    reminders: items.map((r) => ({
+      id: r.id,
+      label: r.label,
+      message: r.message,
+      fireAt: r.fireAt,
+      mode: r.mode,
+      status: r.status,
+      firedAt: r.firedAt,
+      createdAt: r.createdAt,
+    })),
+  });
+}
+export function handleReminderCancel(
+  msg: ReminderCancel,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    const cancelled = cancelReminder(msg.id);
+    if (!cancelled) {
+      log.warn({ id: msg.id }, 'Reminder not found or already fired/cancelled');
+    } else {
+      log.info({ id: msg.id }, 'Reminder cancelled via client');
+    }
+  } catch (err) {
+    log.error({ err }, 'Failed to cancel reminder');
+  }
+  handleRemindersList(socket, ctx);
+}
+export async function handleShareToSlack(
+  msg: ShareToSlackRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): Promise<void> {
+  try {
+    const config = loadRawConfig();
+    const webhookUrl = config.slackWebhookUrl as string | undefined;
+    if (!webhookUrl) {
+      ctx.send(socket, {
+        type: 'share_to_slack_response',
+        success: false,
+        error: 'No Slack webhook URL configured. Set one in Settings.',
+      });
+      return;
+    }
+    const app = getApp(msg.appId);
+    if (!app) {
+      ctx.send(socket, {
+        type: 'share_to_slack_response',
+        success: false,
+        error: `App not found: ${msg.appId}`,
+      });
+      return;
+    }
+    await postToSlackWebhook(
+      webhookUrl,
+      app.name,
+      app.description ?? '',
+      '\u{1F4F1}',
+    );
+    ctx.send(socket, { type: 'share_to_slack_response', success: true });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err, appId: msg.appId }, 'Failed to share app to Slack');
+    ctx.send(socket, {
+      type: 'share_to_slack_response',
+      success: false,
+      error: message,
+    });
+  }
+}
+export function handleSlackWebhookConfig(
+  msg: SlackWebhookConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    const config = loadRawConfig();
+    if (msg.action === 'get') {
+      ctx.send(socket, {
+        type: 'slack_webhook_config_response',
+        webhookUrl: (config.slackWebhookUrl as string) ?? undefined,
+        success: true,
+      });
+    } else {
+      config.slackWebhookUrl = msg.webhookUrl ?? '';
+      saveRawConfig(config);
+      ctx.send(socket, {
+        type: 'slack_webhook_config_response',
+        success: true,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle Slack webhook config');
+    ctx.send(socket, {
+      type: 'slack_webhook_config_response',
+      success: false,
+      error: message,
+    });
+  }
+}
+function computeGatewayTarget(): string {
+  if (process.env.GATEWAY_INTERNAL_BASE_URL) {
+    return process.env.GATEWAY_INTERNAL_BASE_URL.replace(/\/+$/, '');
+  }
+  const portRaw = process.env.GATEWAY_PORT || '7830';
+  const port = Number(portRaw) || 7830;
+  return `http://127.0.0.1:${port}`;
+}
+/**
+ * Best-effort call to the gateway's internal reconcile endpoint so that
+ * Telegram webhook registration is updated immediately when the ingress
+ * URL changes, without requiring a gateway restart.
+ */
+function triggerGatewayReconcile(ingressPublicBaseUrl: string | undefined): void {
+  const gatewayBase = computeGatewayTarget();
+  const token = readHttpToken();
+  if (!token) {
+    log.debug('Skipping gateway reconcile trigger: no HTTP bearer token available');
+    return;
+  }
+  const url = `${gatewayBase}/internal/telegram/reconcile`;
+  const body = JSON.stringify({ ingressPublicBaseUrl: ingressPublicBaseUrl ?? '' });
+  fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${token}`,
+    },
+    body,
+    signal: AbortSignal.timeout(5_000),
+  }).then((res) => {
+    if (res.ok) {
+      log.info('Gateway Telegram webhook reconcile triggered successfully');
+    } else {
+      log.warn({ status: res.status }, 'Gateway Telegram webhook reconcile returned non-OK status');
+    }
+  }).catch((err) => {
+    log.debug({ err }, 'Gateway Telegram webhook reconcile failed (gateway may not be running)');
+  });
+}
+export function handleIngressConfig(
+  msg: IngressConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  const localGatewayTarget = computeGatewayTarget();
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      const publicBaseUrl = (ingress.publicBaseUrl as string) ?? '';
+      // Backward compatibility: if `enabled` was never explicitly set,
+      // infer from whether a publicBaseUrl is configured so existing users
+      // who predate the toggle aren't silently disabled.
+      const enabled = (ingress.enabled as boolean | undefined) ?? (publicBaseUrl ? true : false);
+      ctx.send(socket, { type: 'ingress_config_response', enabled, publicBaseUrl, localGatewayTarget, success: true });
+    } else if (msg.action === 'set') {
+      const value = (msg.publicBaseUrl ?? '').trim().replace(/\/+$/, '');
+      // Ensure we capture the original env value before any mutation below
+      getOriginalIngressEnv();
+      const raw = loadRawConfig();
+      // Update ingress.publicBaseUrl — this is the single source of truth for
+      // the canonical public ingress URL. The gateway receives this value via
+      // the INGRESS_PUBLIC_BASE_URL env var at spawn time (see hatch.ts).
+      // The gateway also validates Twilio signatures against forwarded public
+      // URL headers, so local tunnel updates generally apply without restarts.
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      ingress.publicBaseUrl = value || undefined;
+      if (msg.enabled !== undefined) {
+        ingress.enabled = msg.enabled;
+      }
+      const wasSuppressed = ctx.suppressConfigReload;
+      ctx.setSuppressConfigReload(true);
+      try {
+        saveRawConfig({ ...raw, ingress });
+      } catch (err) {
+        ctx.setSuppressConfigReload(wasSuppressed);
+        throw err;
+      }
+      ctx.debounceTimers.schedule('__suppress_reset__', () => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+      // Propagate to the gateway's process environment so it picks up the
+      // new URL when it is restarted. For the local-deployment path the
+      // gateway runs as a child process that inherited the assistant's env,
+      // so updating process.env here ensures the value is visible when the
+      // gateway is restarted (e.g. by the self-upgrade skill or a manual
+      // `pkill -f gateway`).
+      // Only export the URL when ingress is enabled; clearing it when
+      // disabled ensures the gateway stops accepting inbound webhooks.
+      const isEnabled = (ingress.enabled as boolean | undefined) ?? (value ? true : false);
+      if (value && isEnabled) {
+        process.env.INGRESS_PUBLIC_BASE_URL = value;
+      } else if (isEnabled && getOriginalIngressEnv() !== undefined) {
+        // Ingress is enabled but the user cleared the URL — fall back to the
+        // env var that was present when the process started.
+        process.env.INGRESS_PUBLIC_BASE_URL = getOriginalIngressEnv()!;
+      } else {
+        // Ingress is disabled or no URL is configured and no startup env var
+        // exists — remove the env var so the gateway stops accepting webhooks.
+        delete process.env.INGRESS_PUBLIC_BASE_URL;
+      }
+      ctx.send(socket, { type: 'ingress_config_response', enabled: isEnabled, publicBaseUrl: value, localGatewayTarget, success: true });
+      // Trigger immediate Telegram webhook reconcile on the gateway so
+      // that changing the ingress URL takes effect without a restart.
+      // Called unconditionally so the gateway clears its in-memory URL
+      // when ingress is disabled, preventing stale re-registration on
+      // credential rotation.
+      // Use the effective URL from process.env (which accounts for the
+      // fallback branch above) rather than the raw `value` from the UI.
+      const effectiveUrl = isEnabled ? process.env.INGRESS_PUBLIC_BASE_URL : undefined;
+      triggerGatewayReconcile(effectiveUrl);
+    } else {
+      ctx.send(socket, { type: 'ingress_config_response', enabled: false, publicBaseUrl: '', localGatewayTarget, success: false, error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}` });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'ingress_config_response', enabled: false, publicBaseUrl: '', localGatewayTarget, success: false, error: message });
+  }
+}
+export function handleVercelApiConfig(
+  msg: VercelApiConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const existing = getSecureKey('credential:vercel:api_token');
+      ctx.send(socket, {
+        type: 'vercel_api_config_response',
+        hasToken: !!existing,
+        success: true,
+      });
+    } else if (msg.action === 'set') {
+      if (!msg.apiToken) {
+        ctx.send(socket, {
+          type: 'vercel_api_config_response',
+          hasToken: false,
+          success: false,
+          error: 'apiToken is required for set action',
+        });
+        return;
+      }
+      const stored = setSecureKey('credential:vercel:api_token', msg.apiToken);
+      if (!stored) {
+        ctx.send(socket, {
+          type: 'vercel_api_config_response',
+          hasToken: false,
+          success: false,
+          error: 'Failed to store API token in secure storage',
+        });
+        return;
+      }
+      upsertCredentialMetadata('vercel', 'api_token', {
+        allowedTools: ['publish_page', 'unpublish_page'],
+      });
+      ctx.send(socket, {
+        type: 'vercel_api_config_response',
+        hasToken: true,
+        success: true,
+      });
+    } else {
+      deleteSecureKey('credential:vercel:api_token');
+      deleteCredentialMetadata('vercel', 'api_token');
+      ctx.send(socket, {
+        type: 'vercel_api_config_response',
+        hasToken: false,
+        success: true,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle Vercel API config');
+    ctx.send(socket, {
+      type: 'vercel_api_config_response',
+      hasToken: false,
+      success: false,
+      error: message,
+    });
+  }
+}
+export function handleTwitterIntegrationConfig(
+  msg: TwitterIntegrationConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const mode = (raw.twitterIntegrationMode as 'local_byo' | 'managed' | undefined) ?? 'local_byo';
+      const strategy = (raw.twitterOperationStrategy as 'oauth' | 'browser' | 'auto' | undefined) ?? 'auto';
+      const strategyConfigured = Object.prototype.hasOwnProperty.call(raw, 'twitterOperationStrategy');
+      const localClientConfigured = !!getSecureKey('credential:integration:twitter:oauth_client_id');
+      const connected = !!getSecureKey('credential:integration:twitter:access_token');
+      const meta = getCredentialMetadata('integration:twitter', 'access_token');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        mode,
+        managedAvailable: false,
+        localClientConfigured,
+        connected,
+        accountInfo: meta?.accountInfo ?? undefined,
+        strategy,
+        strategyConfigured,
+      });
+    } else if (msg.action === 'get_strategy') {
+      const raw = loadRawConfig();
+      const strategy = (raw.twitterOperationStrategy as 'oauth' | 'browser' | 'auto' | undefined) ?? 'auto';
+      const strategyConfigured = Object.prototype.hasOwnProperty.call(raw, 'twitterOperationStrategy');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+        strategy,
+        strategyConfigured,
+      });
+    } else if (msg.action === 'set_strategy') {
+      const valid = ['oauth', 'browser', 'auto'];
+      const value = msg.strategy;
+      if (!value || !valid.includes(value)) {
+        ctx.send(socket, {
+          type: 'twitter_integration_config_response',
+          success: false,
+          managedAvailable: false,
+          localClientConfigured: false,
+          connected: false,
+          error: `Invalid strategy value: ${String(value)}. Must be one of: ${valid.join(', ')}`,
+        });
+        return;
+      }
+      const raw = loadRawConfig();
+      raw.twitterOperationStrategy = value;
+      saveRawConfig(raw);
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+        strategy: value as 'oauth' | 'browser' | 'auto',
+        strategyConfigured: true,
+      });
+    } else if (msg.action === 'set_mode') {
+      const raw = loadRawConfig();
+      raw.twitterIntegrationMode = msg.mode ?? 'local_byo';
+      saveRawConfig(raw);
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        mode: msg.mode ?? 'local_byo',
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+      });
+    } else if (msg.action === 'set_local_client') {
+      if (!msg.clientId) {
+        ctx.send(socket, {
+          type: 'twitter_integration_config_response',
+          success: false,
+          managedAvailable: false,
+          localClientConfigured: false,
+          connected: false,
+          error: 'clientId is required for set_local_client action',
+        });
+        return;
+      }
+      const previousClientId = getSecureKey('credential:integration:twitter:oauth_client_id');
+      const storedId = setSecureKey('credential:integration:twitter:oauth_client_id', msg.clientId);
+      if (!storedId) {
+        ctx.send(socket, {
+          type: 'twitter_integration_config_response',
+          success: false,
+          managedAvailable: false,
+          localClientConfigured: false,
+          connected: false,
+          error: 'Failed to store client ID in secure storage',
+        });
+        return;
+      }
+      if (msg.clientSecret) {
+        const storedSecret = setSecureKey('credential:integration:twitter:oauth_client_secret', msg.clientSecret);
+        if (!storedSecret) {
+          // Roll back the client ID to its previous value to avoid inconsistent OAuth state
+          if (previousClientId) {
+            setSecureKey('credential:integration:twitter:oauth_client_id', previousClientId);
+          } else {
+            deleteSecureKey('credential:integration:twitter:oauth_client_id');
+          }
+          ctx.send(socket, {
+            type: 'twitter_integration_config_response',
+            success: false,
+            managedAvailable: false,
+            localClientConfigured: !!previousClientId,
+            connected: false,
+            error: 'Failed to store client secret in secure storage',
+          });
+          return;
+        }
+      } else {
+        // Clear any stale secret when updating client without a secret (e.g. switching to PKCE)
+        deleteSecureKey('credential:integration:twitter:oauth_client_secret');
+      }
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: true,
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+      });
+    } else if (msg.action === 'clear_local_client') {
+      // If connected, disconnect first
+      if (getSecureKey('credential:integration:twitter:access_token')) {
+        deleteSecureKey('credential:integration:twitter:access_token');
+        deleteSecureKey('credential:integration:twitter:refresh_token');
+        deleteCredentialMetadata('integration:twitter', 'access_token');
+      }
+      deleteSecureKey('credential:integration:twitter:oauth_client_id');
+      deleteSecureKey('credential:integration:twitter:oauth_client_secret');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: false,
+        connected: false,
+      });
+    } else if (msg.action === 'disconnect') {
+      deleteSecureKey('credential:integration:twitter:access_token');
+      deleteSecureKey('credential:integration:twitter:refresh_token');
+      deleteCredentialMetadata('integration:twitter', 'access_token');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: false,
+      });
+    } else {
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: false,
+        managedAvailable: false,
+        localClientConfigured: false,
+        connected: false,
+        error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}`,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle Twitter integration config');
+    ctx.send(socket, {
+      type: 'twitter_integration_config_response',
+      success: false,
+      managedAvailable: false,
+      localClientConfigured: false,
+      connected: false,
+      error: message,
+    });
+  }
+}
+export async function handleTelegramConfig(
+  msg: TelegramConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): Promise<void> {
+  try {
+    if (msg.action === 'get') {
+      const hasBotToken = !!getSecureKey('credential:telegram:bot_token');
+      const hasWebhookSecret = !!getSecureKey('credential:telegram:webhook_secret');
+      const meta = getCredentialMetadata('telegram', 'bot_token');
+      const botUsername = meta?.accountInfo ?? undefined;
+      ctx.send(socket, {
+        type: 'telegram_config_response',
+        success: true,
+        hasBotToken,
+        botUsername,
+        connected: hasBotToken && hasWebhookSecret,
+        hasWebhookSecret,
+      });
+    } else if (msg.action === 'set') {
+      // Resolve token: prefer explicit msg.botToken, fall back to secure storage.
+      // Track provenance so we only rollback tokens that were freshly provided.
+      const isNewToken = !!msg.botToken;
+      const botToken = msg.botToken || getSecureKey('credential:telegram:bot_token');
+      if (!botToken) {
+        ctx.send(socket, {
+          type: 'telegram_config_response',
+          success: false,
+          hasBotToken: false,
+          connected: false,
+          hasWebhookSecret: false,
+          error: 'botToken is required for set action',
+        });
+        return;
+      }
+      // Validate token via Telegram getMe API
+      let botUsername: string;
+      try {
+        const res = await fetch(`https://api.telegram.org/bot${botToken}/getMe`);
+        if (!res.ok) {
+          const body = await res.text();
+          ctx.send(socket, {
+            type: 'telegram_config_response',
+            success: false,
+            hasBotToken: false,
+            connected: false,
+            hasWebhookSecret: false,
+            error: `Telegram API validation failed: ${body}`,
+          });
+          return;
+        }
+        const data = await res.json() as { ok: boolean; result?: { username?: string } };
+        if (!data.ok || !data.result?.username) {
+          ctx.send(socket, {
+            type: 'telegram_config_response',
+            success: false,
+            hasBotToken: false,
+            connected: false,
+            hasWebhookSecret: false,
+            error: 'Telegram API returned unexpected response',
+          });
+          return;
+        }
+        botUsername = data.result.username;
+      } catch (err) {
+        const message = summarizeTelegramError(err);
+        ctx.send(socket, {
+          type: 'telegram_config_response',
+          success: false,
+          hasBotToken: false,
+          connected: false,
+          hasWebhookSecret: false,
+          error: `Failed to validate bot token: ${message}`,
+        });
+        return;
+      }
+      // Store bot token securely
+      const stored = setSecureKey('credential:telegram:bot_token', botToken);
+      if (!stored) {
+        ctx.send(socket, {
+          type: 'telegram_config_response',
+          success: false,
+          hasBotToken: false,
+          connected: false,
+          hasWebhookSecret: false,
+          error: 'Failed to store bot token in secure storage',
+        });
+        return;
+      }
+      // Store metadata with bot username
+      upsertCredentialMetadata('telegram', 'bot_token', {
+        accountInfo: botUsername,
+      });
+      // Ensure webhook secret exists (generate if missing)
+      let hasWebhookSecret = !!getSecureKey('credential:telegram:webhook_secret');
+      if (!hasWebhookSecret) {
+        const { randomUUID } = await import('node:crypto');
+        const webhookSecret = randomUUID();
+        const secretStored = setSecureKey('credential:telegram:webhook_secret', webhookSecret);
+        if (secretStored) {
+          upsertCredentialMetadata('telegram', 'webhook_secret', {});
+          hasWebhookSecret = true;
+        } else {
+          // Only roll back the bot token if it was freshly provided.
+          // When the token came from secure storage it was already valid
+          // configuration; deleting it would destroy working state.
+          if (isNewToken) {
+            deleteSecureKey('credential:telegram:bot_token');
+            deleteCredentialMetadata('telegram', 'bot_token');
+          }
+          ctx.send(socket, {
+            type: 'telegram_config_response',
+            success: false,
+            hasBotToken: !isNewToken,
+            connected: false,
+            hasWebhookSecret: false,
+            error: 'Failed to store webhook secret',
+          });
+          return;
+        }
+      } else {
+        // Self-heal: ensure metadata exists even when the secret was
+        // already present (covers previously lost/corrupted metadata).
+        upsertCredentialMetadata('telegram', 'webhook_secret', {});
+      }
+      ctx.send(socket, {
+        type: 'telegram_config_response',
+        success: true,
+        hasBotToken: true,
+        botUsername,
+        connected: true,
+        hasWebhookSecret,
+      });
+      // Trigger gateway reconcile so the webhook registration updates immediately
+      const effectiveUrl = process.env.INGRESS_PUBLIC_BASE_URL;
+      if (effectiveUrl) {
+        triggerGatewayReconcile(effectiveUrl);
+      }
+    } else if (msg.action === 'clear') {
+      // Deregister the Telegram webhook before deleting credentials.
+      // The gateway reconcile short-circuits when credentials are absent,
+      // so we must call the Telegram API directly while the token is still
+      // available.
+      const botToken = getSecureKey('credential:telegram:bot_token');
+      if (botToken) {
+        try {
+          await fetch(`https://api.telegram.org/bot${botToken}/deleteWebhook`);
+        } catch (err) {
+          log.warn(
+            { error: summarizeTelegramError(err) },
+            'Failed to deregister Telegram webhook (proceeding with credential cleanup)',
+          );
+        }
+      }
+      deleteSecureKey('credential:telegram:bot_token');
+      deleteCredentialMetadata('telegram', 'bot_token');
+      deleteSecureKey('credential:telegram:webhook_secret');
+      deleteCredentialMetadata('telegram', 'webhook_secret');
+      ctx.send(socket, {
+        type: 'telegram_config_response',
+        success: true,
+        hasBotToken: false,
+        connected: false,
+        hasWebhookSecret: false,
+      });
+      // Trigger reconcile to deregister webhook
+      const effectiveUrl = process.env.INGRESS_PUBLIC_BASE_URL;
+      if (effectiveUrl) {
+        triggerGatewayReconcile(effectiveUrl);
+      }
+    } else if (msg.action === 'set_commands') {
+      const storedToken = getSecureKey('credential:telegram:bot_token');
+      if (!storedToken) {
+        ctx.send(socket, {
+          type: 'telegram_config_response',
+          success: false,
+          hasBotToken: false,
+          connected: false,
+          hasWebhookSecret: false,
+          error: 'Bot token not configured. Run set action first.',
+        });
+        return;
+      }
+      const commands = msg.commands ?? [
+        { command: 'new', description: 'Start a new conversation' },
+        { command: 'guardian_verify', description: 'Verify your guardian identity' },
+      ];
+      try {
+        const res = await fetch(`https://api.telegram.org/bot${storedToken}/setMyCommands`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ commands }),
+        });
+        if (!res.ok) {
+          const body = await res.text();
+          ctx.send(socket, {
+            type: 'telegram_config_response',
+            success: false,
+            hasBotToken: true,
+            connected: !!getSecureKey('credential:telegram:webhook_secret'),
+            hasWebhookSecret: !!getSecureKey('credential:telegram:webhook_secret'),
+            error: `Failed to set bot commands: ${body}`,
+          });
+          return;
+        }
+      } catch (err) {
+        const message = summarizeTelegramError(err);
+        ctx.send(socket, {
+          type: 'telegram_config_response',
+          success: false,
+          hasBotToken: true,
+          connected: !!getSecureKey('credential:telegram:webhook_secret'),
+          hasWebhookSecret: !!getSecureKey('credential:telegram:webhook_secret'),
+          error: `Failed to set bot commands: ${message}`,
+        });
+        return;
+      }
+      const hasBotToken = !!getSecureKey('credential:telegram:bot_token');
+      const hasWebhookSecret = !!getSecureKey('credential:telegram:webhook_secret');
+      ctx.send(socket, {
+        type: 'telegram_config_response',
+        success: true,
+        hasBotToken,
+        connected: hasBotToken && hasWebhookSecret,
+        hasWebhookSecret,
+      });
+    } else {
+      ctx.send(socket, {
+        type: 'telegram_config_response',
+        success: false,
+        hasBotToken: false,
+        connected: false,
+        hasWebhookSecret: false,
+        error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}`,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle Telegram config');
+    ctx.send(socket, {
+      type: 'telegram_config_response',
+      success: false,
+      hasBotToken: false,
+      connected: false,
+      hasWebhookSecret: false,
+      error: message,
+    });
+  }
+}
+export async function handleTwilioConfig(
+  msg: TwilioConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): Promise<void> {
+  try {
+    if (msg.action === 'get') {
+      const hasCredentials = hasTwilioCredentials();
+      const raw = loadRawConfig();
+      const sms = (raw?.sms ?? {}) as Record<string, unknown>;
+      const phoneNumber = (sms.phoneNumber as string) ?? '';
+      ctx.send(socket, {
+        type: 'twilio_config_response',
+        success: true,
+        hasCredentials,
+        phoneNumber: phoneNumber || undefined,
+      });
+    } else if (msg.action === 'set_credentials') {
+      if (!msg.accountSid || !msg.authToken) {
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: hasTwilioCredentials(),
+          error: 'accountSid and authToken are required for set_credentials action',
+        });
+        return;
+      }
+      // Validate credentials by calling the Twilio API
+      const authHeader = 'Basic ' + Buffer.from(`${msg.accountSid}:${msg.authToken}`).toString('base64');
+      try {
+        const res = await fetch(
+          `https://api.twilio.com/2010-04-01/Accounts/${msg.accountSid}.json`,
+          {
+            method: 'GET',
+            headers: { Authorization: authHeader },
+          },
+        );
+        if (!res.ok) {
+          const body = await res.text();
+          ctx.send(socket, {
+            type: 'twilio_config_response',
+            success: false,
+            hasCredentials: hasTwilioCredentials(),
+            error: `Twilio API validation failed (${res.status}): ${body}`,
+          });
+          return;
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: hasTwilioCredentials(),
+          error: `Failed to validate Twilio credentials: ${message}`,
+        });
+        return;
+      }
+      // Store credentials securely
+      const sidStored = setSecureKey('credential:twilio:account_sid', msg.accountSid);
+      if (!sidStored) {
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: false,
+          error: 'Failed to store Account SID in secure storage',
+        });
+        return;
+      }
+      const tokenStored = setSecureKey('credential:twilio:auth_token', msg.authToken);
+      if (!tokenStored) {
+        // Roll back the Account SID
+        deleteSecureKey('credential:twilio:account_sid');
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: false,
+          error: 'Failed to store Auth Token in secure storage',
+        });
+        return;
+      }
+      upsertCredentialMetadata('twilio', 'account_sid', {});
+      upsertCredentialMetadata('twilio', 'auth_token', {});
+      ctx.send(socket, {
+        type: 'twilio_config_response',
+        success: true,
+        hasCredentials: true,
+      });
+    } else if (msg.action === 'clear_credentials') {
+      deleteSecureKey('credential:twilio:account_sid');
+      deleteSecureKey('credential:twilio:auth_token');
+      deleteSecureKey('credential:twilio:phone_number');
+      deleteCredentialMetadata('twilio', 'account_sid');
+      deleteCredentialMetadata('twilio', 'auth_token');
+      ctx.send(socket, {
+        type: 'twilio_config_response',
+        success: true,
+        hasCredentials: false,
+      });
+    } else if (msg.action === 'provision_number') {
+      if (!hasTwilioCredentials()) {
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: false,
+          error: 'Twilio credentials not configured. Set credentials first.',
+        });
+        return;
+      }
+      const accountSid = getSecureKey('credential:twilio:account_sid')!;
+      const authToken = getSecureKey('credential:twilio:auth_token')!;
+      const country = msg.country ?? 'US';
+      // Search for an available number
+      const available = await searchAvailableNumbers(accountSid, authToken, country, msg.areaCode);
+      if (available.length === 0) {
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: true,
+          error: `No available phone numbers found for country=${country}${msg.areaCode ? ` areaCode=${msg.areaCode}` : ''}`,
+        });
+        return;
+      }
+      // Purchase the first available number
+      const purchased = await provisionPhoneNumber(accountSid, authToken, available[0].phoneNumber);
+      ctx.send(socket, {
+        type: 'twilio_config_response',
+        success: true,
+        hasCredentials: true,
+        phoneNumber: purchased.phoneNumber,
+      });
+    } else if (msg.action === 'assign_number') {
+      if (!msg.phoneNumber) {
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: hasTwilioCredentials(),
+          error: 'phoneNumber is required for assign_number action',
+        });
+        return;
+      }
+      // Persist the phone number in the secure credential store so the
+      // active Twilio runtime can read it via credential:twilio:phone_number
+      const phoneStored = setSecureKey('credential:twilio:phone_number', msg.phoneNumber);
+      if (!phoneStored) {
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: hasTwilioCredentials(),
+          error: 'Failed to store phone number in secure storage',
+        });
+        return;
+      }
+      // Also persist in assistant config (non-secret) for the UI
+      const raw = loadRawConfig();
+      const sms = (raw?.sms ?? {}) as Record<string, unknown>;
+      sms.phoneNumber = msg.phoneNumber;
+      const wasSuppressed = ctx.suppressConfigReload;
+      ctx.setSuppressConfigReload(true);
+      try {
+        saveRawConfig({ ...raw, sms });
+      } catch (err) {
+        ctx.setSuppressConfigReload(wasSuppressed);
+        throw err;
+      }
+      ctx.debounceTimers.schedule('__suppress_reset__', () => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+      ctx.send(socket, {
+        type: 'twilio_config_response',
+        success: true,
+        hasCredentials: hasTwilioCredentials(),
+        phoneNumber: msg.phoneNumber,
+      });
+    } else if (msg.action === 'list_numbers') {
+      if (!hasTwilioCredentials()) {
+        ctx.send(socket, {
+          type: 'twilio_config_response',
+          success: false,
+          hasCredentials: false,
+          error: 'Twilio credentials not configured. Set credentials first.',
+        });
+        return;
+      }
+      const accountSid = getSecureKey('credential:twilio:account_sid')!;
+      const authToken = getSecureKey('credential:twilio:auth_token')!;
+      const numbers = await listIncomingPhoneNumbers(accountSid, authToken);
+      ctx.send(socket, {
+        type: 'twilio_config_response',
+        success: true,
+        hasCredentials: true,
+        numbers,
+      });
+    } else {
+      ctx.send(socket, {
+        type: 'twilio_config_response',
+        success: false,
+        hasCredentials: hasTwilioCredentials(),
+        error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}`,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle Twilio config');
+    ctx.send(socket, {
+      type: 'twilio_config_response',
+      success: false,
+      hasCredentials: hasTwilioCredentials(),
+      error: message,
+    });
+  }
+}
+export function handleGuardianVerification(
+  msg: GuardianVerificationRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    // In single-assistant mode, 'self' is the canonical assistant ID used
+    // by channel routes when validating challenges on the inbound path.
+    const assistantId = 'self';
+    const channel = msg.channel ?? 'telegram';
+    if (msg.action === 'create_challenge') {
+      const result = createVerificationChallenge(assistantId, channel, msg.sessionId);
+      ctx.send(socket, {
+        type: 'guardian_verification_response',
+        success: true,
+        secret: result.secret,
+        instruction: result.instruction,
+      });
+    } else if (msg.action === 'status') {
+      const binding = getGuardianBinding(assistantId, channel);
+      ctx.send(socket, {
+        type: 'guardian_verification_response',
+        success: true,
+        bound: binding !== null,
+        guardianExternalUserId: binding?.guardianExternalUserId,
+      });
+    } else if (msg.action === 'revoke') {
+      const revoked = revokeGuardianBinding(assistantId, channel);
+      ctx.send(socket, {
+        type: 'guardian_verification_response',
+        success: true,
+        bound: !revoked,
+      });
+    } else {
+      ctx.send(socket, {
+        type: 'guardian_verification_response',
+        success: false,
+        error: `Unknown action: ${String(msg.action)}`,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle guardian verification');
+    ctx.send(socket, {
+      type: 'guardian_verification_response',
+      success: false,
+      error: message,
+    });
+  }
+}
+export function handleEnvVarsRequest(socket: net.Socket, ctx: HandlerContext): void {
+  const vars: Record<string, string> = {};
+  for (const [key, value] of Object.entries(process.env)) {
+    if (value !== undefined) vars[key] = value;
+  }
+  ctx.send(socket, { type: 'env_vars_response', vars });
+}
+export async function handleToolPermissionSimulate(
+  msg: ToolPermissionSimulateRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): Promise<void> {
+  try {
+    if (!msg.toolName || typeof msg.toolName !== 'string') {
+      ctx.send(socket, {
+        type: 'tool_permission_simulate_response',
+        success: false,
+        error: 'toolName is required',
+      });
+      return;
+    }
+    if (!msg.input || typeof msg.input !== 'object') {
+      ctx.send(socket, {
+        type: 'tool_permission_simulate_response',
+        success: false,
+        error: 'input is required and must be an object',
+      });
+      return;
+    }
+    const workingDir = msg.workingDir ?? process.cwd();
+    // Only infer execution target when the tool is actually registered;
+    // for unresolved tools, leave it undefined so trust rules are unscoped.
+    const isRegistered = getTool(msg.toolName) !== undefined;
+    const executionTarget = isRegistered ? resolveExecutionTarget(msg.toolName) : undefined;
+    const policyContext = executionTarget ? { executionTarget } : undefined;
+    const riskLevel = await classifyRisk(msg.toolName, msg.input, workingDir);
+    const result = await check(msg.toolName, msg.input, workingDir, policyContext);
+    // Private-thread override: promote allow → prompt for side-effect tools
+    if (
+      msg.forcePromptSideEffects
+      && result.decision === 'allow'
+      && isSideEffectTool(msg.toolName, msg.input)
+    ) {
+      result.decision = 'prompt';
+      result.reason = 'Private thread: side-effect tools require explicit approval';
+    }
+    // Non-interactive override: convert prompt → deny
+    if (msg.isInteractive === false && result.decision === 'prompt') {
+      result.decision = 'deny';
+      result.reason = 'Non-interactive session: no client to approve prompt';
+    }
+    // When decision is prompt, generate the full payload the UI needs
+    let promptPayload: {
+      allowlistOptions: Array<{ label: string; description: string; pattern: string }>;
+      scopeOptions: Array<{ label: string; scope: string }>;
+      persistentDecisionsAllowed: boolean;
+    } | undefined;
+    if (result.decision === 'prompt') {
+      const allowlistOptions = await generateAllowlistOptions(msg.toolName, msg.input);
+      const scopeOptions = generateScopeOptions(workingDir, msg.toolName);
+      const persistentDecisionsAllowed = !(
+        msg.toolName === 'bash'
+        && msg.input.network_mode === 'proxied'
+      );
+      promptPayload = { allowlistOptions, scopeOptions, persistentDecisionsAllowed };
+    }
+    ctx.send(socket, {
+      type: 'tool_permission_simulate_response',
+      success: true,
+      decision: result.decision,
+      riskLevel,
+      reason: result.reason,
+      executionTarget,
+      matchedRuleId: result.matchedRule?.id,
+      promptPayload,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to simulate tool permission');
+    ctx.send(socket, {
+      type: 'tool_permission_simulate_response',
+      success: false,
+      error: message,
+    });
+  }
+}
+export function handleToolNamesList(socket: net.Socket, ctx: HandlerContext): void {
+  const tools = getAllTools();
+  const names = tools.map((t) => t.name).sort((a, b) => a.localeCompare(b));
+  const schemas: Record<string, import('../ipc-contract.js').ToolInputSchema> = {};
+  for (const tool of tools) {
+    try {
+      const def = tool.getDefinition();
+      schemas[tool.name] = def.input_schema as import('../ipc-contract.js').ToolInputSchema;
+    } catch {
+      // Skip tools whose definitions can't be resolved
+    }
+  }
+  ctx.send(socket, { type: 'tool_names_list_response', names, schemas });
+}
+export const configHandlers = defineHandlers({
+  model_get: (_msg, socket, ctx) => handleModelGet(socket, ctx),
+  model_set: handleModelSet,
+  image_gen_model_set: handleImageGenModelSet,
+  add_trust_rule: handleAddTrustRule,
+  trust_rules_list: (_msg, socket, ctx) => handleTrustRulesList(socket, ctx),
+  remove_trust_rule: handleRemoveTrustRule,
+  update_trust_rule: handleUpdateTrustRule,
+  accept_starter_bundle: (_msg, socket, ctx) => handleAcceptStarterBundle(socket, ctx),
+  schedules_list: (_msg, socket, ctx) => handleSchedulesList(socket, ctx),
+  schedule_toggle: handleScheduleToggle,
+  schedule_remove: handleScheduleRemove,
+  reminders_list: (_msg, socket, ctx) => handleRemindersList(socket, ctx),
+  reminder_cancel: handleReminderCancel,
+  share_to_slack: handleShareToSlack,
+  slack_webhook_config: handleSlackWebhookConfig,
+  ingress_config: handleIngressConfig,
+  vercel_api_config: handleVercelApiConfig,
+  twitter_integration_config: handleTwitterIntegrationConfig,
+  telegram_config: handleTelegramConfig,
+  twilio_config: handleTwilioConfig,
+  guardian_verification: handleGuardianVerification,
+  env_vars_request: (_msg, socket, ctx) => handleEnvVarsRequest(socket, ctx),
+  tool_permission_simulate: handleToolPermissionSimulate,
+  tool_names_list: (_msg, socket, ctx) => handleToolNamesList(socket, ctx),
+});