npm - @vellumai/assistant - Versions diffs - 0.3.4 → 0.3.6 - Mend

@vellumai/assistant 0.3.4 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (506) hide show

package/Dockerfile +2 -0
package/README.md +88 -2
package/eslint.config.mjs +31 -0
package/package.json +1 -1
package/scripts/ipc/check-swift-decoder-drift.ts +4 -1
package/scripts/ipc/generate-swift.ts +31 -2
package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap +438 -1
package/src/__tests__/approval-conversation-turn.test.ts +214 -0
package/src/__tests__/approval-hardcoded-copy-guard.test.ts +41 -0
package/src/__tests__/approval-message-composer.test.ts +253 -0
package/src/__tests__/browser-manager.test.ts +1 -0
package/src/__tests__/call-conversation-messages.test.ts +130 -0
package/src/__tests__/call-domain.test.ts +12 -2
package/src/__tests__/call-orchestrator.test.ts +799 -249
package/src/__tests__/call-pointer-messages.test.ts +148 -0
package/src/__tests__/call-recovery.test.ts +3 -0
package/src/__tests__/call-routes-http.test.ts +32 -2
package/src/__tests__/call-store.test.ts +3 -0
package/src/__tests__/channel-approval-routes.test.ts +1277 -98
package/src/__tests__/channel-approval.test.ts +37 -0
package/src/__tests__/channel-approvals.test.ts +36 -50
package/src/__tests__/channel-guardian.test.ts +630 -22
package/src/__tests__/channel-readiness-service.test.ts +324 -0
package/src/__tests__/checker.test.ts +14 -7
package/src/__tests__/clarification-resolver.test.ts +44 -24
package/src/__tests__/commit-message-enrichment-service.test.ts +9 -4
package/src/__tests__/computer-use-session-working-dir.test.ts +8 -0
package/src/__tests__/config-schema.test.ts +14 -8
package/src/__tests__/context-window-manager.test.ts +30 -2
package/src/__tests__/contradiction-checker.test.ts +20 -5
package/src/__tests__/credential-security-invariants.test.ts +7 -2
package/src/__tests__/daemon-lifecycle.test.ts +13 -12
package/src/__tests__/db-migration-rollback.test.ts +752 -0
package/src/__tests__/dictation-mode-detection.test.ts +63 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +2 -0
package/src/__tests__/entity-search.test.ts +615 -0
package/src/__tests__/fuzzy-match-property.test.ts +5 -5
package/src/__tests__/guardian-action-store.test.ts +123 -0
package/src/__tests__/guardian-action-sweep.test.ts +277 -0
package/src/__tests__/guardian-dispatch.test.ts +389 -0
package/src/__tests__/guardian-question-copy.test.ts +47 -0
package/src/__tests__/handlers-telegram-config.test.ts +4 -2
package/src/__tests__/handlers-twilio-config.test.ts +533 -0
package/src/__tests__/intent-routing.test.ts +2 -0
package/src/__tests__/ipc-snapshot.test.ts +291 -1
package/src/__tests__/memory-upsert-concurrency.test.ts +828 -0
package/src/__tests__/messaging-send-tool.test.ts +65 -0
package/src/__tests__/model-intents.test.ts +96 -0
package/src/__tests__/no-direct-anthropic-sdk-imports.test.ts +42 -0
package/src/__tests__/oauth2-gateway-transport.test.ts +130 -0
package/src/__tests__/onboarding-starter-tasks.test.ts +2 -0
package/src/__tests__/provider-commit-message-generator.test.ts +89 -13
package/src/__tests__/provider-error-scenarios.test.ts +621 -0
package/src/__tests__/provider-fail-open-selection.test.ts +119 -0
package/src/__tests__/qdrant-manager.test.ts +27 -20
package/src/__tests__/relay-server.test.ts +779 -40
package/src/__tests__/run-orchestrator-assistant-events.test.ts +6 -0
package/src/__tests__/run-orchestrator.test.ts +42 -4
package/src/__tests__/runtime-runs-http.test.ts +17 -1
package/src/__tests__/runtime-runs.test.ts +16 -0
package/src/__tests__/schedule-store.test.ts +18 -4
package/src/__tests__/scheduler-recurrence.test.ts +13 -4
package/src/__tests__/session-abort-tool-results.test.ts +6 -0
package/src/__tests__/session-agent-loop.test.ts +857 -0
package/src/__tests__/session-conflict-gate.test.ts +6 -0
package/src/__tests__/session-pre-run-repair.test.ts +6 -0
package/src/__tests__/session-profile-injection.test.ts +6 -0
package/src/__tests__/session-provider-retry-repair.test.ts +6 -0
package/src/__tests__/session-queue.test.ts +6 -0
package/src/__tests__/session-runtime-assembly.test.ts +321 -13
package/src/__tests__/session-slash-known.test.ts +6 -0
package/src/__tests__/session-slash-queue.test.ts +6 -0
package/src/__tests__/session-slash-unknown.test.ts +6 -0
package/src/__tests__/session-surfaces-task-progress.test.ts +2 -0
package/src/__tests__/session-tool-setup-app-refresh.test.ts +1 -0
package/src/__tests__/session-tool-setup-memory-scope.test.ts +1 -0
package/src/__tests__/session-tool-setup-side-effect-flag.test.ts +1 -0
package/src/__tests__/session-workspace-injection.test.ts +6 -0
package/src/__tests__/session-workspace-tool-tracking.test.ts +6 -0
package/src/__tests__/skills.test.ts +2 -0
package/src/__tests__/sms-messaging-provider.test.ts +126 -0
package/src/__tests__/starter-task-flow.test.ts +2 -0
package/src/__tests__/swarm-dag-pathological.test.ts +535 -0
package/src/__tests__/system-prompt.test.ts +2 -0
package/src/__tests__/task-management-tools.test.ts +2 -2
package/src/__tests__/task-runner.test.ts +14 -4
package/src/__tests__/terminal-tools.test.ts +25 -19
package/src/__tests__/tool-execution-abort-cleanup.test.ts +545 -0
package/src/__tests__/tool-executor-shell-integration.test.ts +11 -11
package/src/__tests__/tool-executor.test.ts +23 -24
package/src/__tests__/trust-store.test.ts +3 -3
package/src/__tests__/twilio-rest.test.ts +29 -0
package/src/__tests__/twilio-routes-elevenlabs.test.ts +3 -0
package/src/__tests__/twilio-routes-twiml.test.ts +11 -0
package/src/__tests__/twilio-routes.test.ts +167 -11
package/src/__tests__/twitter-cli-error-shaping.test.ts +2 -2
package/src/__tests__/user-reference.test.ts +2 -0
package/src/__tests__/voice-quality.test.ts +222 -0
package/src/__tests__/web-search.test.ts +46 -30
package/src/__tests__/work-item-output.test.ts +110 -0
package/src/agent/loop.ts +1 -1
package/src/agent-heartbeat/agent-heartbeat-service.ts +2 -10
package/src/amazon/client.ts +1418 -0
package/src/amazon/request-extractor.ts +135 -0
package/src/amazon/session.ts +109 -0
package/src/autonomy/autonomy-store.ts +5 -5
package/src/browser-extension-relay/client.ts +124 -0
package/src/browser-extension-relay/protocol.ts +63 -0
package/src/browser-extension-relay/server.ts +177 -0
package/src/bundler/app-bundler.ts +3 -3
package/src/bundler/bundle-signer.ts +1 -1
package/src/bundler/signature-verifier.ts +1 -1
package/src/calls/call-conversation-messages.ts +33 -0
package/src/calls/call-domain.ts +114 -10
package/src/calls/call-orchestrator.ts +268 -59
package/src/calls/call-pointer-messages.ts +53 -0
package/src/calls/call-recovery.ts +3 -8
package/src/calls/call-store.ts +69 -87
package/src/calls/elevenlabs-config.ts +3 -2
package/src/calls/guardian-action-sweep.ts +105 -0
package/src/calls/guardian-dispatch.ts +203 -0
package/src/calls/guardian-question-copy.ts +133 -0
package/src/calls/relay-server.ts +466 -8
package/src/calls/speaker-identification.ts +1 -1
package/src/calls/twilio-config.ts +22 -14
package/src/calls/twilio-provider.ts +6 -4
package/src/calls/twilio-rest.ts +308 -7
package/src/calls/twilio-routes.ts +65 -12
package/src/calls/types.ts +3 -1
package/src/channels/types.ts +25 -0
package/src/cli/amazon.ts +815 -0
package/src/cli/config-commands.ts +2 -2
package/src/cli/core-commands.ts +4 -3
package/src/cli/influencer.ts +244 -0
package/src/cli/map.ts +89 -6
package/src/cli.ts +1 -1
package/src/config/agent-schema.ts +171 -0
package/src/config/bundled-skills/amazon/SKILL.md +127 -0
package/src/config/bundled-skills/amazon/icon.svg +13 -0
package/src/config/bundled-skills/api-mapping/SKILL.md +78 -0
package/src/config/bundled-skills/browser/SKILL.md +1 -0
package/src/config/bundled-skills/browser/TOOLS.json +17 -0
package/src/config/bundled-skills/browser/tools/browser-wait-for-download.ts +25 -0
package/src/config/bundled-skills/doordash/SKILL.md +51 -51
package/src/config/bundled-skills/email-setup/SKILL.md +14 -5
package/src/config/bundled-skills/google-oauth-setup/SKILL.md +183 -0
package/src/config/bundled-skills/influencer/SKILL.md +144 -0
package/src/config/bundled-skills/knowledge-graph/SKILL.md +15 -0
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +56 -0
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +185 -0
package/src/config/bundled-skills/macos-automation/icon.svg +12 -0
package/src/config/bundled-skills/media-processing/SKILL.md +176 -0
package/src/config/bundled-skills/media-processing/TOOLS.json +230 -0
package/src/config/bundled-skills/media-processing/__tests__/concurrency-pool.test.ts +77 -0
package/src/config/bundled-skills/media-processing/__tests__/cost-tracker.test.ts +69 -0
package/src/config/bundled-skills/media-processing/__tests__/preprocess.test.ts +303 -0
package/src/config/bundled-skills/media-processing/services/concurrency-pool.ts +55 -0
package/src/config/bundled-skills/media-processing/services/cost-tracker.ts +86 -0
package/src/config/bundled-skills/media-processing/services/gemini-map.ts +339 -0
package/src/config/bundled-skills/media-processing/services/preprocess.ts +551 -0
package/src/config/bundled-skills/media-processing/services/processing-pipeline.ts +259 -0
package/src/config/bundled-skills/media-processing/services/reduce.ts +197 -0
package/src/config/bundled-skills/media-processing/tools/analyze-keyframes.ts +136 -0
package/src/config/bundled-skills/media-processing/tools/extract-keyframes.ts +59 -0
package/src/config/bundled-skills/media-processing/tools/generate-clip.ts +195 -0
package/src/config/bundled-skills/media-processing/tools/ingest-media.ts +197 -0
package/src/config/bundled-skills/media-processing/tools/media-diagnostics.ts +143 -0
package/src/config/bundled-skills/media-processing/tools/media-status.ts +75 -0
package/src/config/bundled-skills/media-processing/tools/query-media-events.ts +65 -0
package/src/config/bundled-skills/messaging/SKILL.md +33 -8
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +4 -7
package/src/config/bundled-skills/messaging/tools/messaging-reply.ts +2 -1
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +5 -1
package/src/config/bundled-skills/phone-calls/SKILL.md +88 -23
package/src/config/bundled-skills/twitter/SKILL.md +19 -3
package/src/config/bundled-skills/twitter/icon.svg +14 -0
package/src/config/bundled-tool-registry.ts +310 -0
package/src/config/calls-schema.ts +181 -0
package/src/config/core-schema.ts +309 -0
package/src/config/defaults.ts +28 -3
package/src/config/env-registry.ts +162 -0
package/src/config/env.ts +175 -0
package/src/config/loader.ts +6 -6
package/src/config/memory-schema.ts +528 -0
package/src/config/sandbox-schema.ts +55 -0
package/src/config/schema.ts +158 -1133
package/src/config/skill-state.ts +1 -1
package/src/config/skills-schema.ts +32 -0
package/src/config/skills.ts +35 -24
package/src/config/system-prompt.ts +131 -56
package/src/config/templates/IDENTITY.md +2 -2
package/src/config/templates/SOUL.md +1 -1
package/src/config/types.ts +1 -0
package/src/config/user-reference.ts +4 -9
package/src/config/vellum-skills/catalog.json +6 -7
package/src/config/vellum-skills/chatgpt-import/tools/chatgpt-import.ts +5 -1
package/src/config/vellum-skills/slack-oauth-setup/SKILL.md +4 -3
package/src/config/vellum-skills/sms-setup/SKILL.md +216 -0
package/src/config/vellum-skills/twilio-setup/SKILL.md +40 -8
package/src/context/window-manager.ts +27 -7
package/src/daemon/approval-generators.ts +186 -0
package/src/daemon/approved-devices-store.ts +140 -0
package/src/daemon/assistant-attachments.ts +1 -1
package/src/daemon/classifier.ts +35 -32
package/src/daemon/config-watcher.ts +1 -1
package/src/daemon/daemon-control.ts +217 -0
package/src/daemon/handlers/apps.ts +2 -3
package/src/daemon/handlers/config-channels.ts +158 -0
package/src/daemon/handlers/config-inbox.ts +540 -0
package/src/daemon/handlers/config-ingress.ts +231 -0
package/src/daemon/handlers/config-integrations.ts +258 -0
package/src/daemon/handlers/config-model.ts +143 -0
package/src/daemon/handlers/config-parental.ts +163 -0
package/src/daemon/handlers/config-scheduling.ts +172 -0
package/src/daemon/handlers/config-slack.ts +92 -0
package/src/daemon/handlers/config-telegram.ts +301 -0
package/src/daemon/handlers/config-tools.ts +177 -0
package/src/daemon/handlers/config-trust.ts +104 -0
package/src/daemon/handlers/config-twilio.ts +1080 -0
package/src/daemon/handlers/config.ts +53 -1689
package/src/daemon/handlers/diagnostics.ts +1 -1
package/src/daemon/handlers/dictation.ts +180 -0
package/src/daemon/handlers/documents.ts +18 -32
package/src/daemon/handlers/identity.ts +14 -23
package/src/daemon/handlers/index.ts +11 -0
package/src/daemon/handlers/misc.ts +3 -5
package/src/daemon/handlers/pairing.ts +98 -0
package/src/daemon/handlers/sessions.ts +56 -5
package/src/daemon/handlers/shared.ts +6 -1
package/src/daemon/handlers/skills.ts +1 -1
package/src/daemon/handlers/twitter-auth.ts +2 -0
package/src/daemon/handlers/work-items.ts +17 -9
package/src/daemon/handlers/workspace-files.ts +4 -3
package/src/daemon/install-cli-launchers.ts +113 -0
package/src/daemon/ipc-contract/apps.ts +356 -0
package/src/daemon/ipc-contract/browser.ts +74 -0
package/src/daemon/ipc-contract/computer-use.ts +151 -0
package/src/daemon/ipc-contract/diagnostics.ts +56 -0
package/src/daemon/ipc-contract/documents.ts +74 -0
package/src/daemon/ipc-contract/inbox.ts +209 -0
package/src/daemon/ipc-contract/integrations.ts +284 -0
package/src/daemon/ipc-contract/memory.ts +48 -0
package/src/daemon/ipc-contract/messages.ts +211 -0
package/src/daemon/ipc-contract/pairing.ts +45 -0
package/src/daemon/ipc-contract/parental-control.ts +95 -0
package/src/daemon/ipc-contract/schedules.ts +97 -0
package/src/daemon/ipc-contract/sessions.ts +315 -0
package/src/daemon/ipc-contract/shared.ts +42 -0
package/src/daemon/ipc-contract/skills.ts +120 -0
package/src/daemon/ipc-contract/subagents.ts +58 -0
package/src/daemon/ipc-contract/surfaces.ts +250 -0
package/src/daemon/ipc-contract/trust.ts +60 -0
package/src/daemon/ipc-contract/work-items.ts +225 -0
package/src/daemon/ipc-contract/workspace.ts +113 -0
package/src/daemon/ipc-contract-inventory.json +70 -0
package/src/daemon/ipc-contract-inventory.ts +55 -29
package/src/daemon/ipc-contract.ts +229 -2426
package/src/daemon/ipc-protocol.ts +1 -1
package/src/daemon/ipc-validate.ts +7 -0
package/src/daemon/lifecycle.ts +97 -377
package/src/daemon/pairing-store.ts +177 -0
package/src/daemon/providers-setup.ts +43 -0
package/src/daemon/ride-shotgun-handler.ts +68 -3
package/src/daemon/server.ts +66 -46
package/src/daemon/session-agent-loop-handlers.ts +421 -0
package/src/daemon/session-agent-loop.ts +117 -275
package/src/daemon/session-dynamic-profile.ts +1 -1
package/src/daemon/session-history.ts +1 -1
package/src/daemon/session-media-retry.ts +1 -1
package/src/daemon/session-messaging.ts +37 -2
package/src/daemon/session-notifiers.ts +5 -25
package/src/daemon/session-process.ts +99 -59
package/src/daemon/session-queue-manager.ts +96 -4
package/src/daemon/session-runtime-assembly.ts +199 -10
package/src/daemon/session-surfaces.ts +19 -4
package/src/daemon/session-tool-setup.ts +30 -30
package/src/daemon/session-workspace.ts +1 -1
package/src/daemon/session.ts +35 -2
package/src/daemon/shutdown-handlers.ts +122 -0
package/src/daemon/trace-emitter.ts +1 -1
package/src/daemon/watch-handler.ts +36 -33
package/src/doordash/cart-queries.ts +787 -0
package/src/doordash/client.ts +144 -127
package/src/doordash/order-queries.ts +85 -0
package/src/doordash/queries.ts +10 -1308
package/src/doordash/search-queries.ts +203 -0
package/src/doordash/session.ts +3 -2
package/src/doordash/store-queries.ts +246 -0
package/src/doordash/types.ts +367 -0
package/src/email/providers/agentmail.ts +2 -1
package/src/email/providers/index.ts +3 -2
package/src/email/service.ts +3 -2
package/src/errors.ts +43 -0
package/src/home-base/prebuilt/seed.ts +1 -1
package/src/hooks/cli.ts +6 -5
package/src/hooks/config.ts +6 -8
package/src/hooks/discovery.ts +6 -5
package/src/hooks/manager.ts +4 -3
package/src/hooks/runner.ts +2 -2
package/src/hooks/templates.ts +5 -5
package/src/inbound/public-ingress-urls.ts +6 -4
package/src/index.ts +4 -2
package/src/influencer/client.ts +1104 -0
package/src/instrument.ts +4 -3
package/src/logfire.ts +4 -3
package/src/memory/admin.ts +25 -35
package/src/memory/attachments-store.ts +4 -7
package/src/memory/channel-delivery-store.ts +30 -1
package/src/memory/channel-guardian-store.ts +202 -2
package/src/memory/clarification-resolver.ts +37 -33
package/src/memory/conflict-store.ts +67 -61
package/src/memory/contradiction-checker.ts +141 -117
package/src/memory/conversation-store.ts +335 -51
package/src/memory/db-connection.ts +27 -4
package/src/memory/db-init.ts +265 -4
package/src/memory/db.ts +14 -1
package/src/memory/embedding-backend.ts +27 -5
package/src/memory/embedding-ollama.ts +2 -1
package/src/memory/entity-extractor.ts +38 -35
package/src/memory/guardian-action-store.ts +430 -0
package/src/memory/inbox-escalation-projection.ts +59 -0
package/src/memory/inbox-thread-store.ts +218 -0
package/src/memory/ingress-invite-store.ts +338 -0
package/src/memory/ingress-member-store.ts +350 -0
package/src/memory/items-extractor.ts +91 -97
package/src/memory/job-handlers/index-maintenance.ts +3 -3
package/src/memory/job-handlers/media-processing.ts +69 -0
package/src/memory/job-handlers/summarization.ts +32 -26
package/src/memory/job-utils.ts +3 -10
package/src/memory/jobs-store.ts +8 -10
package/src/memory/jobs-worker.ts +55 -36
package/src/memory/media-store.ts +759 -0
package/src/memory/migrations/001-job-deferrals.ts +45 -0
package/src/memory/migrations/002-tool-invocations-fk.ts +43 -0
package/src/memory/migrations/003-memory-fts-backfill.ts +24 -0
package/src/memory/migrations/004-entity-relation-dedup.ts +87 -0
package/src/memory/migrations/005-fingerprint-scope-unique.ts +80 -0
package/src/memory/migrations/006-scope-salted-fingerprints.ts +62 -0
package/src/memory/migrations/007-assistant-id-to-self.ts +254 -0
package/src/memory/migrations/008-remove-assistant-id-columns.ts +208 -0
package/src/memory/migrations/009-llm-usage-events-drop-assistant-id.ts +83 -0
package/src/memory/migrations/010-ext-conv-bindings-channel-chat-unique.ts +56 -0
package/src/memory/migrations/011-call-sessions-provider-sid-dedup.ts +63 -0
package/src/memory/migrations/012-call-sessions-add-initiated-from.ts +19 -0
package/src/memory/migrations/013-guardian-action-tables.ts +68 -0
package/src/memory/migrations/014-backfill-inbox-thread-state.ts +76 -0
package/src/memory/migrations/015-drop-active-search-index.ts +27 -0
package/src/memory/migrations/016-memory-segments-indexes.ts +11 -0
package/src/memory/migrations/017-memory-items-indexes.ts +10 -0
package/src/memory/migrations/018-remaining-table-indexes.ts +13 -0
package/src/memory/migrations/index.ts +24 -0
package/src/memory/migrations/registry.ts +79 -0
package/src/memory/migrations/validate-migration-state.ts +69 -0
package/src/memory/qdrant-manager.ts +49 -8
package/src/memory/query-builder.ts +1 -1
package/src/memory/raw-query.ts +119 -0
package/src/memory/recall-cache.ts +4 -1
package/src/memory/retriever.ts +165 -47
package/src/memory/schema-migration.ts +25 -984
package/src/memory/schema.ts +228 -7
package/src/memory/search/entity.ts +205 -31
package/src/memory/search/lexical.ts +81 -52
package/src/memory/search/ranking.ts +27 -23
package/src/memory/search/semantic.ts +157 -19
package/src/memory/search/types.ts +24 -0
package/src/memory/shared-app-links-store.ts +4 -5
package/src/memory/validation.ts +19 -0
package/src/messaging/draft-store.ts +5 -6
package/src/messaging/provider-types.ts +2 -0
package/src/messaging/providers/sms/adapter.ts +201 -0
package/src/messaging/providers/sms/client.ts +93 -0
package/src/messaging/providers/sms/types.ts +7 -0
package/src/messaging/providers/telegram-bot/adapter.ts +2 -5
package/src/messaging/providers/whatsapp/adapter.ts +136 -0
package/src/messaging/providers/whatsapp/client.ts +67 -0
package/src/messaging/style-analyzer.ts +5 -4
package/src/messaging/thread-summarizer.ts +61 -69
package/src/messaging/triage-engine.ts +62 -71
package/src/migrations/config-merge.ts +53 -0
package/src/migrations/data-layout.ts +68 -0
package/src/migrations/data-merge.ts +33 -0
package/src/migrations/hooks-merge.ts +90 -0
package/src/migrations/index.ts +6 -0
package/src/migrations/log.ts +23 -0
package/src/migrations/skills-merge.ts +33 -0
package/src/migrations/workspace-layout.ts +79 -0
package/src/permissions/checker.ts +133 -11
package/src/permissions/prompter.ts +14 -0
package/src/permissions/shell-identity.ts +31 -1
package/src/permissions/trust-store.ts +21 -1
package/src/providers/anthropic/client.ts +4 -4
package/src/providers/failover.ts +2 -2
package/src/providers/model-intents.ts +70 -0
package/src/providers/ollama/client.ts +2 -1
package/src/providers/provider-send-message.ts +176 -0
package/src/providers/registry.ts +71 -30
package/src/providers/retry.ts +35 -1
package/src/providers/types.ts +12 -1
package/src/runtime/approval-conversation-turn.ts +97 -0
package/src/runtime/approval-message-composer.ts +253 -0
package/src/runtime/channel-approval-parser.ts +36 -2
package/src/runtime/channel-approvals.ts +11 -24
package/src/runtime/channel-guardian-service.ts +88 -21
package/src/runtime/channel-readiness-service.ts +418 -0
package/src/runtime/channel-readiness-types.ts +35 -0
package/src/runtime/channel-retry-sweep.ts +184 -0
package/src/runtime/guardian-context-resolver.ts +108 -0
package/src/runtime/http-server.ts +275 -717
package/src/runtime/http-types.ts +59 -3
package/src/runtime/middleware/auth.ts +116 -0
package/src/runtime/middleware/error-handler.ts +33 -0
package/src/runtime/middleware/twilio-validation.ts +127 -0
package/src/runtime/routes/app-routes.ts +1 -1
package/src/runtime/routes/call-routes.ts +51 -7
package/src/runtime/routes/channel-delivery-routes.ts +170 -0
package/src/runtime/routes/channel-guardian-routes.ts +1191 -0
package/src/runtime/routes/channel-inbound-routes.ts +1152 -0
package/src/runtime/routes/channel-route-shared.ts +144 -0
package/src/runtime/routes/channel-routes.ts +32 -1588
package/src/runtime/routes/conversation-routes.ts +50 -7
package/src/runtime/routes/events-routes.ts +2 -2
package/src/runtime/routes/identity-routes.ts +126 -0
package/src/runtime/routes/pairing-routes.ts +143 -0
package/src/runtime/routes/run-routes.ts +15 -1
package/src/runtime/run-orchestrator.ts +86 -35
package/src/schedule/schedule-store.ts +36 -32
package/src/schedule/scheduler.ts +3 -3
package/src/security/encrypted-store.ts +5 -7
package/src/security/oauth2.ts +45 -15
package/src/security/parental-control-store.ts +183 -0
package/src/security/secret-allowlist.ts +4 -3
package/src/security/secret-scanner.ts +5 -5
package/src/security/secure-keys.ts +1 -1
package/src/security/token-manager.ts +3 -2
package/src/services/vercel-deploy.ts +6 -2
package/src/skills/tool-manifest.ts +3 -3
package/src/skills/vellum-catalog-remote.ts +75 -16
package/src/slack/slack-webhook.ts +2 -1
package/src/swarm/orchestrator.ts +92 -1
package/src/swarm/router-planner.ts +6 -9
package/src/swarm/worker-prompts.ts +9 -12
package/src/tasks/task-compiler.ts +19 -28
package/src/tasks/task-runner.ts +1 -1
package/src/tools/assets/materialize.ts +2 -2
package/src/tools/assets/search.ts +15 -14
package/src/tools/browser/__tests__/auth-detector.test.ts +1 -0
package/src/tools/browser/auto-navigate.ts +1 -0
package/src/tools/browser/browser-execution.ts +10 -1
package/src/tools/browser/browser-manager.ts +119 -4
package/src/tools/browser/network-recorder.ts +5 -0
package/src/tools/calls/call-start.ts +1 -0
package/src/tools/credentials/broker.ts +11 -2
package/src/tools/credentials/metadata-store.ts +18 -14
package/src/tools/credentials/post-connect-hooks.ts +61 -0
package/src/tools/credentials/vault.ts +49 -23
package/src/tools/execution-target.ts +11 -1
package/src/tools/executor.ts +68 -9
package/src/tools/host-terminal/cli-discover.ts +1 -1
package/src/tools/network/script-proxy/http-forwarder.ts +1 -1
package/src/tools/network/script-proxy/mitm-handler.ts +1 -1
package/src/tools/network/script-proxy/server.ts +1 -1
package/src/tools/network/script-proxy/session-manager.ts +6 -5
package/src/tools/network/web-fetch.ts +18 -2
package/src/tools/network/web-search.ts +8 -4
package/src/tools/reminder/reminder-store.ts +14 -15
package/src/tools/schedule/create.ts +1 -0
package/src/tools/schedule/list.ts +2 -1
package/src/tools/shared/filesystem/file-ops-service.ts +5 -7
package/src/tools/skills/skill-script-runner.ts +24 -9
package/src/tools/skills/skill-tool-factory.ts +1 -0
package/src/tools/tasks/work-item-enqueue.ts +2 -2
package/src/tools/terminal/evaluate-typescript.ts +21 -12
package/src/tools/terminal/parser.ts +50 -0
package/src/tools/types.ts +2 -0
package/src/tools/watcher/delete.ts +6 -0
package/src/tools/weather/service.ts +1 -1
package/src/twitter/client.ts +190 -24
package/src/twitter/router.ts +1 -1
package/src/twitter/session.ts +4 -3
package/src/util/clipboard.ts +1 -1
package/src/util/errors.ts +65 -8
package/src/util/fs.ts +40 -0
package/src/util/json.ts +10 -0
package/src/util/log-redact.ts +189 -0
package/src/util/logger.ts +19 -17
package/src/util/object.ts +3 -0
package/src/util/platform.ts +105 -363
package/src/util/pricing.ts +1 -1
package/src/util/promise-guard.ts +1 -1
package/src/util/retry.ts +19 -0
package/src/util/row-mapper.ts +79 -0
package/src/util/silently.ts +21 -0
package/src/watcher/engine.ts +5 -1
package/src/watcher/provider-types.ts +20 -0
package/src/watcher/providers/github.ts +156 -0
package/src/watcher/providers/gmail.ts +1 -0
package/src/watcher/providers/google-calendar.ts +1 -0
package/src/watcher/providers/linear.ts +460 -0
package/src/watcher/providers/slack.ts +1 -0
package/src/work-items/work-item-runner.ts +1 -1
package/src/workspace/git-service.ts +1 -1
package/src/workspace/provider-commit-message-generator.ts +51 -22
package/src/__tests__/call-bridge.test.ts +0 -517
package/src/__tests__/session-process-bridge.test.ts +0 -244
package/src/calls/call-bridge.ts +0 -168
package/src/config/vellum-skills/google-oauth-setup/SKILL.md +0 -199

package/src/daemon/handlers/config-ingress.ts ADDED Viewed

@@ -0,0 +1,231 @@
+import * as net from 'node:net';
+import { loadRawConfig, saveRawConfig } from '../../config/loader.js';
+import { getSecureKey } from '../../security/secure-keys.js';
+import { readHttpToken } from '../../util/platform.js';
+import {
+  hasTwilioCredentials,
+  updatePhoneNumberWebhooks,
+} from '../../calls/twilio-rest.js';
+import {
+  getTwilioVoiceWebhookUrl,
+  getTwilioStatusCallbackUrl,
+  getTwilioSmsWebhookUrl,
+  type IngressConfig,
+} from '../../inbound/public-ingress-urls.js';
+import type { IngressConfigRequest } from '../ipc-protocol.js';
+import { log, CONFIG_RELOAD_DEBOUNCE_MS, defineHandlers, type HandlerContext } from './shared.js';
+import {
+  getGatewayInternalBaseUrl,
+  getIngressPublicBaseUrl,
+  setIngressPublicBaseUrl,
+} from '../../config/env.js';
+// Lazily capture the env-provided INGRESS_PUBLIC_BASE_URL on first access
+// rather than at module load time. The daemon loads ~/.vellum/.env inside
+// runDaemon() (see lifecycle.ts), which runs AFTER static ES module imports
+// resolve. A module-level snapshot would miss dotenv-provided values.
+let _originalIngressEnvCaptured = false;
+let _originalIngressEnv: string | undefined;
+function getOriginalIngressEnv(): string | undefined {
+  if (!_originalIngressEnvCaptured) {
+    _originalIngressEnv = getIngressPublicBaseUrl();
+    _originalIngressEnvCaptured = true;
+  }
+  return _originalIngressEnv;
+}
+export function computeGatewayTarget(): string {
+  return getGatewayInternalBaseUrl();
+}
+/**
+ * Best-effort call to the gateway's internal reconcile endpoint so that
+ * Telegram webhook registration is updated immediately when the ingress
+ * URL changes, without requiring a gateway restart.
+ */
+export function triggerGatewayReconcile(ingressPublicBaseUrl: string | undefined): void {
+  const gatewayBase = computeGatewayTarget();
+  const token = readHttpToken();
+  if (!token) {
+    log.debug('Skipping gateway reconcile trigger: no HTTP bearer token available');
+    return;
+  }
+  const url = `${gatewayBase}/internal/telegram/reconcile`;
+  const body = JSON.stringify({ ingressPublicBaseUrl: ingressPublicBaseUrl ?? '' });
+  fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${token}`,
+    },
+    body,
+    signal: AbortSignal.timeout(5_000),
+  }).then((res) => {
+    if (res.ok) {
+      log.info('Gateway Telegram webhook reconcile triggered successfully');
+    } else {
+      log.warn({ status: res.status }, 'Gateway Telegram webhook reconcile returned non-OK status');
+    }
+  }).catch((err) => {
+    log.debug({ err }, 'Gateway Telegram webhook reconcile failed (gateway may not be running)');
+  });
+}
+/**
+ * Best-effort Twilio webhook sync helper.
+ *
+ * Computes the voice, status-callback, and SMS webhook URLs from the current
+ * ingress config and pushes them to the Twilio IncomingPhoneNumber API.
+ *
+ * Returns `{ success, warning }`. When the update fails, `success` is false
+ * and `warning` contains a human-readable message. Callers should treat
+ * failure as non-fatal so that the primary operation (provision, assign,
+ * ingress save) still succeeds.
+ */
+export async function syncTwilioWebhooks(
+  phoneNumber: string,
+  accountSid: string,
+  authToken: string,
+  ingressConfig: IngressConfig,
+): Promise<{ success: boolean; warning?: string }> {
+  try {
+    const voiceUrl = getTwilioVoiceWebhookUrl(ingressConfig);
+    const statusCallbackUrl = getTwilioStatusCallbackUrl(ingressConfig);
+    const smsUrl = getTwilioSmsWebhookUrl(ingressConfig);
+    await updatePhoneNumberWebhooks(accountSid, authToken, phoneNumber, {
+      voiceUrl,
+      statusCallbackUrl,
+      smsUrl,
+    });
+    log.info({ phoneNumber }, 'Twilio webhooks configured successfully');
+    return { success: true };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.warn({ err, phoneNumber }, `Webhook configuration skipped: ${message}`);
+    return { success: false, warning: `Webhook configuration skipped: ${message}` };
+  }
+}
+export async function handleIngressConfig(
+  msg: IngressConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): Promise<void> {
+  const localGatewayTarget = computeGatewayTarget();
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      const publicBaseUrl = (ingress.publicBaseUrl as string) ?? '';
+      // Backward compatibility: if `enabled` was never explicitly set,
+      // infer from whether a publicBaseUrl is configured so existing users
+      // who predate the toggle aren't silently disabled.
+      const enabled = (ingress.enabled as boolean | undefined) ?? (publicBaseUrl ? true : false);
+      ctx.send(socket, { type: 'ingress_config_response', enabled, publicBaseUrl, localGatewayTarget, success: true });
+    } else if (msg.action === 'set') {
+      const value = (msg.publicBaseUrl ?? '').trim().replace(/\/+$/, '');
+      // Ensure we capture the original env value before any mutation below
+      getOriginalIngressEnv();
+      const raw = loadRawConfig();
+      // Update ingress.publicBaseUrl — this is the single source of truth for
+      // the canonical public ingress URL. The gateway receives this value via
+      // the INGRESS_PUBLIC_BASE_URL env var at spawn time (see hatch.ts).
+      // The gateway also validates Twilio signatures against forwarded public
+      // URL headers, so local tunnel updates generally apply without restarts.
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      ingress.publicBaseUrl = value || undefined;
+      if (msg.enabled !== undefined) {
+        ingress.enabled = msg.enabled;
+      }
+      const wasSuppressed = ctx.suppressConfigReload;
+      ctx.setSuppressConfigReload(true);
+      try {
+        saveRawConfig({ ...raw, ingress });
+      } catch (err) {
+        ctx.setSuppressConfigReload(wasSuppressed);
+        throw err;
+      }
+      ctx.debounceTimers.schedule('__suppress_reset__', () => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+      // Propagate to the gateway's process environment so it picks up the
+      // new URL when it is restarted. For the local-deployment path the
+      // gateway runs as a child process that inherited the assistant's env,
+      // so updating process.env here ensures the value is visible when the
+      // gateway is restarted (e.g. by the self-upgrade skill or a manual
+      // `pkill -f gateway`).
+      // Only export the URL when ingress is enabled; clearing it when
+      // disabled ensures the gateway stops accepting inbound webhooks.
+      const isEnabled = (ingress.enabled as boolean | undefined) ?? (value ? true : false);
+      if (value && isEnabled) {
+        setIngressPublicBaseUrl(value);
+      } else if (isEnabled && getOriginalIngressEnv() !== undefined) {
+        // Ingress is enabled but the user cleared the URL — fall back to the
+        // env var that was present when the process started.
+        setIngressPublicBaseUrl(getOriginalIngressEnv()!);
+      } else {
+        // Ingress is disabled or no URL is configured and no startup env var
+        // exists — remove the env var so the gateway stops accepting webhooks.
+        setIngressPublicBaseUrl(undefined);
+      }
+      ctx.send(socket, { type: 'ingress_config_response', enabled: isEnabled, publicBaseUrl: value, localGatewayTarget, success: true });
+      // Trigger immediate Telegram webhook reconcile on the gateway so
+      // that changing the ingress URL takes effect without a restart.
+      // Called unconditionally so the gateway clears its in-memory URL
+      // when ingress is disabled, preventing stale re-registration on
+      // credential rotation.
+      // Use the effective URL from process.env (which accounts for the
+      // fallback branch above) rather than the raw `value` from the UI.
+      const effectiveUrl = isEnabled ? getIngressPublicBaseUrl() : undefined;
+      triggerGatewayReconcile(effectiveUrl);
+      // Best-effort Twilio webhook reconciliation: when ingress is being
+      // enabled/updated and Twilio numbers are assigned with valid credentials,
+      // push the new webhook URLs to Twilio so calls and SMS route correctly.
+      if (isEnabled && hasTwilioCredentials()) {
+        const currentConfig = loadRawConfig();
+        const smsConfig = (currentConfig?.sms ?? {}) as Record<string, unknown>;
+        const assignedNumbers = new Set<string>();
+        const legacyNumber = (smsConfig.phoneNumber as string) ?? '';
+        if (legacyNumber) assignedNumbers.add(legacyNumber);
+        const assistantPhoneNumbers = smsConfig.assistantPhoneNumbers;
+        if (assistantPhoneNumbers && typeof assistantPhoneNumbers === 'object' && !Array.isArray(assistantPhoneNumbers)) {
+          for (const number of Object.values(assistantPhoneNumbers as Record<string, unknown>)) {
+            if (typeof number === 'string' && number) {
+              assignedNumbers.add(number);
+            }
+          }
+        }
+        if (assignedNumbers.size > 0) {
+          const acctSid = getSecureKey('credential:twilio:account_sid')!;
+          const acctToken = getSecureKey('credential:twilio:auth_token')!;
+          // Fire-and-forget: webhook sync failure must not block the ingress save.
+          // Reconcile every assigned number so assistant-scoped mappings do not
+          // retain stale Twilio webhook URLs after ingress URL changes.
+          for (const assignedNumber of assignedNumbers) {
+            syncTwilioWebhooks(assignedNumber, acctSid, acctToken, currentConfig as IngressConfig)
+              .catch(() => {
+                // Already logged inside syncTwilioWebhooks
+              });
+          }
+        }
+      }
+    } else {
+      ctx.send(socket, { type: 'ingress_config_response', enabled: false, publicBaseUrl: '', localGatewayTarget, success: false, error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}` });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'ingress_config_response', enabled: false, publicBaseUrl: '', localGatewayTarget, success: false, error: message });
+  }
+}
+export const ingressHandlers = defineHandlers({
+  ingress_config: handleIngressConfig,
+});

package/src/daemon/handlers/config-integrations.ts ADDED Viewed

@@ -0,0 +1,258 @@
+import * as net from 'node:net';
+import { loadRawConfig, saveRawConfig } from '../../config/loader.js';
+import { getSecureKey, setSecureKey, deleteSecureKey } from '../../security/secure-keys.js';
+import { upsertCredentialMetadata, deleteCredentialMetadata, getCredentialMetadata } from '../../tools/credentials/metadata-store.js';
+import type {
+  VercelApiConfigRequest,
+  TwitterIntegrationConfigRequest,
+} from '../ipc-protocol.js';
+import { log, defineHandlers, type HandlerContext } from './shared.js';
+export function handleVercelApiConfig(
+  msg: VercelApiConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const existing = getSecureKey('credential:vercel:api_token');
+      ctx.send(socket, {
+        type: 'vercel_api_config_response',
+        hasToken: !!existing,
+        success: true,
+      });
+    } else if (msg.action === 'set') {
+      if (!msg.apiToken) {
+        ctx.send(socket, {
+          type: 'vercel_api_config_response',
+          hasToken: false,
+          success: false,
+          error: 'apiToken is required for set action',
+        });
+        return;
+      }
+      const stored = setSecureKey('credential:vercel:api_token', msg.apiToken);
+      if (!stored) {
+        ctx.send(socket, {
+          type: 'vercel_api_config_response',
+          hasToken: false,
+          success: false,
+          error: 'Failed to store API token in secure storage',
+        });
+        return;
+      }
+      upsertCredentialMetadata('vercel', 'api_token', {
+        allowedTools: ['publish_page', 'unpublish_page'],
+      });
+      ctx.send(socket, {
+        type: 'vercel_api_config_response',
+        hasToken: true,
+        success: true,
+      });
+    } else {
+      deleteSecureKey('credential:vercel:api_token');
+      deleteCredentialMetadata('vercel', 'api_token');
+      ctx.send(socket, {
+        type: 'vercel_api_config_response',
+        hasToken: false,
+        success: true,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle Vercel API config');
+    ctx.send(socket, {
+      type: 'vercel_api_config_response',
+      hasToken: false,
+      success: false,
+      error: message,
+    });
+  }
+}
+export function handleTwitterIntegrationConfig(
+  msg: TwitterIntegrationConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const mode = (raw.twitterIntegrationMode as 'local_byo' | 'managed' | undefined) ?? 'local_byo';
+      const strategy = (raw.twitterOperationStrategy as 'oauth' | 'browser' | 'auto' | undefined) ?? 'auto';
+      const strategyConfigured = Object.prototype.hasOwnProperty.call(raw, 'twitterOperationStrategy');
+      const localClientConfigured = !!getSecureKey('credential:integration:twitter:oauth_client_id');
+      const connected = !!getSecureKey('credential:integration:twitter:access_token');
+      const meta = getCredentialMetadata('integration:twitter', 'access_token');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        mode,
+        managedAvailable: false,
+        localClientConfigured,
+        connected,
+        accountInfo: meta?.accountInfo ?? undefined,
+        strategy,
+        strategyConfigured,
+      });
+    } else if (msg.action === 'get_strategy') {
+      const raw = loadRawConfig();
+      const strategy = (raw.twitterOperationStrategy as 'oauth' | 'browser' | 'auto' | undefined) ?? 'auto';
+      const strategyConfigured = Object.prototype.hasOwnProperty.call(raw, 'twitterOperationStrategy');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+        strategy,
+        strategyConfigured,
+      });
+    } else if (msg.action === 'set_strategy') {
+      const valid = ['oauth', 'browser', 'auto'];
+      const value = msg.strategy;
+      if (!value || !valid.includes(value)) {
+        ctx.send(socket, {
+          type: 'twitter_integration_config_response',
+          success: false,
+          managedAvailable: false,
+          localClientConfigured: false,
+          connected: false,
+          error: `Invalid strategy value: ${String(value)}. Must be one of: ${valid.join(', ')}`,
+        });
+        return;
+      }
+      const raw = loadRawConfig();
+      raw.twitterOperationStrategy = value;
+      saveRawConfig(raw);
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+        strategy: value as 'oauth' | 'browser' | 'auto',
+        strategyConfigured: true,
+      });
+    } else if (msg.action === 'set_mode') {
+      const raw = loadRawConfig();
+      raw.twitterIntegrationMode = msg.mode ?? 'local_byo';
+      saveRawConfig(raw);
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        mode: msg.mode ?? 'local_byo',
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+      });
+    } else if (msg.action === 'set_local_client') {
+      if (!msg.clientId) {
+        ctx.send(socket, {
+          type: 'twitter_integration_config_response',
+          success: false,
+          managedAvailable: false,
+          localClientConfigured: false,
+          connected: false,
+          error: 'clientId is required for set_local_client action',
+        });
+        return;
+      }
+      const previousClientId = getSecureKey('credential:integration:twitter:oauth_client_id');
+      const storedId = setSecureKey('credential:integration:twitter:oauth_client_id', msg.clientId);
+      if (!storedId) {
+        ctx.send(socket, {
+          type: 'twitter_integration_config_response',
+          success: false,
+          managedAvailable: false,
+          localClientConfigured: false,
+          connected: false,
+          error: 'Failed to store client ID in secure storage',
+        });
+        return;
+      }
+      if (msg.clientSecret) {
+        const storedSecret = setSecureKey('credential:integration:twitter:oauth_client_secret', msg.clientSecret);
+        if (!storedSecret) {
+          // Roll back the client ID to its previous value to avoid inconsistent OAuth state
+          if (previousClientId) {
+            setSecureKey('credential:integration:twitter:oauth_client_id', previousClientId);
+          } else {
+            deleteSecureKey('credential:integration:twitter:oauth_client_id');
+          }
+          ctx.send(socket, {
+            type: 'twitter_integration_config_response',
+            success: false,
+            managedAvailable: false,
+            localClientConfigured: !!previousClientId,
+            connected: false,
+            error: 'Failed to store client secret in secure storage',
+          });
+          return;
+        }
+      } else {
+        // Clear any stale secret when updating client without a secret (e.g. switching to PKCE)
+        deleteSecureKey('credential:integration:twitter:oauth_client_secret');
+      }
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: true,
+        connected: !!getSecureKey('credential:integration:twitter:access_token'),
+      });
+    } else if (msg.action === 'clear_local_client') {
+      // If connected, disconnect first
+      if (getSecureKey('credential:integration:twitter:access_token')) {
+        deleteSecureKey('credential:integration:twitter:access_token');
+        deleteSecureKey('credential:integration:twitter:refresh_token');
+        deleteCredentialMetadata('integration:twitter', 'access_token');
+      }
+      deleteSecureKey('credential:integration:twitter:oauth_client_id');
+      deleteSecureKey('credential:integration:twitter:oauth_client_secret');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: false,
+        connected: false,
+      });
+    } else if (msg.action === 'disconnect') {
+      deleteSecureKey('credential:integration:twitter:access_token');
+      deleteSecureKey('credential:integration:twitter:refresh_token');
+      deleteCredentialMetadata('integration:twitter', 'access_token');
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: true,
+        managedAvailable: false,
+        localClientConfigured: !!getSecureKey('credential:integration:twitter:oauth_client_id'),
+        connected: false,
+      });
+    } else {
+      ctx.send(socket, {
+        type: 'twitter_integration_config_response',
+        success: false,
+        managedAvailable: false,
+        localClientConfigured: false,
+        connected: false,
+        error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}`,
+      });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, 'Failed to handle Twitter integration config');
+    ctx.send(socket, {
+      type: 'twitter_integration_config_response',
+      success: false,
+      managedAvailable: false,
+      localClientConfigured: false,
+      connected: false,
+      error: message,
+    });
+  }
+}
+export const integrationHandlers = defineHandlers({
+  vercel_api_config: handleVercelApiConfig,
+  twitter_integration_config: handleTwitterIntegrationConfig,
+});

package/src/daemon/handlers/config-model.ts ADDED Viewed

@@ -0,0 +1,143 @@
+import * as net from 'node:net';
+import { getConfig, loadRawConfig, saveRawConfig } from '../../config/loader.js';
+import { initializeProviders } from '../../providers/registry.js';
+import type {
+  ModelSetRequest,
+  ImageGenModelSetRequest,
+} from '../ipc-protocol.js';
+import { log, CONFIG_RELOAD_DEBOUNCE_MS, defineHandlers, type HandlerContext } from './shared.js';
+import { MODEL_TO_PROVIDER } from '../session-slash.js';
+export function handleModelGet(socket: net.Socket, ctx: HandlerContext): void {
+  const config = getConfig();
+  const configured = Object.keys(config.apiKeys).filter((k) => !!config.apiKeys[k]);
+  if (!configured.includes('ollama')) configured.push('ollama');
+  ctx.send(socket, {
+    type: 'model_info',
+    model: config.model,
+    provider: config.provider,
+    configuredProviders: configured,
+  });
+}
+export function handleModelSet(
+  msg: ModelSetRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    // If the requested model is already the current model AND the provider
+    // is already aligned with what MODEL_TO_PROVIDER expects, skip expensive
+    // reinitialization but still send model_info so the client confirms.
+    // If the provider has drifted (e.g. manual config edit), fall through
+    // so the full reinit path can repair it.
+    {
+      const current = getConfig();
+      const expectedProvider = MODEL_TO_PROVIDER[msg.model];
+      const providerAligned = !expectedProvider || current.provider === expectedProvider;
+      if (msg.model === current.model && providerAligned) {
+        const configured = Object.keys(current.apiKeys).filter((k) => !!current.apiKeys[k]);
+        if (!configured.includes('ollama')) configured.push('ollama');
+        ctx.send(socket, {
+          type: 'model_info',
+          model: current.model,
+          provider: current.provider,
+          configuredProviders: configured,
+        });
+        return;
+      }
+    }
+    // Validate API key before switching
+    const provider = MODEL_TO_PROVIDER[msg.model];
+    if (provider && provider !== 'ollama') {
+      const currentConfig = getConfig();
+      if (!currentConfig.apiKeys[provider]) {
+        // Send current model_info so the client resyncs its optimistic state
+        // (don't use generic 'error' type — it would interrupt in-flight chat)
+        const configured = Object.keys(currentConfig.apiKeys).filter((k) => !!currentConfig.apiKeys[k]);
+        if (!configured.includes('ollama')) configured.push('ollama');
+        ctx.send(socket, { type: 'model_info', model: currentConfig.model, provider: currentConfig.provider, configuredProviders: configured });
+        return;
+      }
+    }
+    // Use raw config to avoid persisting env-var API keys to disk
+    const raw = loadRawConfig();
+    raw.model = msg.model;
+    // Infer provider from model ID to keep provider and model in sync
+    raw.provider = provider ?? raw.provider;
+    // Suppress the file watcher callback — handleModelSet already does
+    // the full reload sequence; a redundant watcher-triggered reload
+    // would incorrectly evict sessions created after this method returns.
+    const wasSuppressed = ctx.suppressConfigReload;
+    ctx.setSuppressConfigReload(true);
+    try {
+      saveRawConfig(raw);
+    } catch (err) {
+      ctx.setSuppressConfigReload(wasSuppressed);
+      throw err;
+    }
+    ctx.debounceTimers.schedule('__suppress_reset__', () => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+    // Re-initialize provider with the new model so LLM calls use it
+    const config = getConfig();
+    initializeProviders(config);
+    // Evict idle sessions immediately; mark busy ones as stale so they
+    // get recreated with the new provider once they finish processing.
+    for (const [id, session] of ctx.sessions) {
+      if (!session.isProcessing()) {
+        session.dispose();
+        ctx.sessions.delete(id);
+      } else {
+        session.markStale();
+      }
+    }
+    ctx.updateConfigFingerprint();
+    ctx.send(socket, {
+      type: 'model_info',
+      model: config.model,
+      provider: config.provider,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'error', message: `Failed to set model: ${message}` });
+  }
+}
+export function handleImageGenModelSet(
+  msg: ImageGenModelSetRequest,
+  _socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    const raw = loadRawConfig();
+    raw.imageGenModel = msg.model;
+    const wasSuppressed = ctx.suppressConfigReload;
+    ctx.setSuppressConfigReload(true);
+    try {
+      saveRawConfig(raw);
+    } catch (err) {
+      ctx.setSuppressConfigReload(wasSuppressed);
+      throw err;
+    }
+    ctx.debounceTimers.schedule('__suppress_reset__', () => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+    ctx.updateConfigFingerprint();
+    log.info({ model: msg.model }, 'Image generation model updated');
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err }, `Failed to set image gen model: ${message}`);
+  }
+}
+export const modelHandlers = defineHandlers({
+  model_get: (_msg, socket, ctx) => handleModelGet(socket, ctx),
+  model_set: handleModelSet,
+  image_gen_model_set: handleImageGenModelSet,
+});