npm - @vellumai/assistant - Versions diffs - 0.4.26 → 0.4.30 - Mend

@vellumai/assistant 0.4.26 → 0.4.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1360) hide show

package/.env.example +2 -2
package/AGENTS.md +5 -0
package/ARCHITECTURE.md +207 -105
package/Dockerfile +1 -1
package/README.md +111 -113
package/bun.lock +0 -3
package/docs/architecture/integrations.md +0 -1
package/docs/architecture/memory.md +100 -63
package/docs/error-handling.md +71 -0
package/docs/runbook-trusted-contacts.md +89 -52
package/docs/trusted-contact-access.md +48 -46
package/package.json +3 -3
package/scripts/compare-benchmarks.sh +12 -5
package/scripts/ipc/check-swift-decoder-drift.ts +5 -3
package/scripts/test.sh +89 -5
package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap +50 -37
package/src/__tests__/access-request-decision.test.ts +0 -1
package/src/__tests__/account-registry.test.ts +1 -1
package/src/__tests__/actor-token-service.test.ts +40 -26
package/src/__tests__/agent-loop-thinking.test.ts +29 -13
package/src/__tests__/agent-loop.test.ts +2 -1
package/src/__tests__/app-builder-tool-scripts.test.ts +1 -1
package/src/__tests__/app-executors.test.ts +7 -17
package/src/__tests__/approval-routes-http.test.ts +2 -2
package/src/__tests__/asset-materialize-tool.test.ts +7 -7
package/src/__tests__/asset-search-tool.test.ts +7 -7
package/src/__tests__/assistant-feature-flags-integration.test.ts +18 -10
package/src/__tests__/browser-fill-credential.test.ts +1 -1
package/src/__tests__/browser-skill-endstate.test.ts +10 -1
package/src/__tests__/bundled-skill-retrieval-guard.test.ts +218 -0
package/src/__tests__/call-controller.test.ts +99 -69
package/src/__tests__/call-start-guardian-guard.test.ts +1 -1
package/src/__tests__/channel-approval-routes.test.ts +157 -114
package/src/__tests__/channel-approval.test.ts +8 -0
package/src/__tests__/channel-approvals.test.ts +39 -1
package/src/__tests__/channel-guardian.test.ts +176 -275
package/src/__tests__/channel-readiness-service.test.ts +6 -2
package/src/__tests__/channel-reply-delivery.test.ts +33 -2
package/src/__tests__/channel-retry-sweep.test.ts +14 -14
package/src/__tests__/checker.test.ts +12 -31
package/src/__tests__/claude-code-tool-profiles.test.ts +1 -1
package/src/__tests__/commit-message-enrichment-service.test.ts +71 -59
package/src/__tests__/compaction.benchmark.test.ts +6 -2
package/src/__tests__/computer-use-tools.test.ts +1 -1
package/src/__tests__/config-schema.test.ts +66 -7
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +29 -29
package/src/__tests__/contacts-tools.test.ts +63 -2
package/src/__tests__/context-overflow-approval.test.ts +141 -0
package/src/__tests__/context-overflow-policy.test.ts +171 -0
package/src/__tests__/context-overflow-reducer.test.ts +533 -0
package/src/__tests__/context-window-manager.test.ts +97 -0
package/src/__tests__/conversation-attention-telegram.test.ts +38 -46
package/src/__tests__/conversation-pairing.test.ts +2 -2
package/src/__tests__/conversation-routes-guardian-reply.test.ts +214 -10
package/src/__tests__/conversation-routes.test.ts +4 -7
package/src/__tests__/credential-broker-browser-fill.test.ts +13 -2
package/src/__tests__/credential-security-e2e.test.ts +1 -1
package/src/__tests__/credential-security-invariants.test.ts +1 -1
package/src/__tests__/credential-vault-unit.test.ts +1 -1
package/src/__tests__/credential-vault.test.ts +11 -8
package/src/__tests__/daemon-lifecycle.test.ts +2 -2
package/src/__tests__/daemon-server-session-init.test.ts +6 -6
package/src/__tests__/delete-managed-skill-tool.test.ts +1 -1
package/src/__tests__/deterministic-verification-control-plane.test.ts +2 -2
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +9 -0
package/src/__tests__/emit-signal-routing-intent.test.ts +4 -0
package/src/__tests__/encrypted-store.test.ts +10 -7
package/src/__tests__/ephemeral-permissions.test.ts +3 -3
package/src/__tests__/file-edit-tool.test.ts +1 -1
package/src/__tests__/file-read-tool.test.ts +1 -1
package/src/__tests__/file-write-tool.test.ts +1 -1
package/src/__tests__/fixtures/credential-security-fixtures.ts +87 -64
package/src/__tests__/fixtures/media-reuse-fixtures.ts +37 -31
package/src/__tests__/fixtures/mock-signup-server.ts +171 -115
package/src/__tests__/fixtures/proxy-fixtures.ts +39 -39
package/src/__tests__/followup-tools.test.ts +1 -1
package/src/__tests__/gateway-only-guard.test.ts +4 -0
package/src/__tests__/gemini-image-service.test.ts +2 -2
package/src/__tests__/guardian-actions-endpoint.test.ts +543 -1
package/src/__tests__/guardian-control-plane-policy.test.ts +15 -15
package/src/__tests__/guardian-dispatch.test.ts +79 -1
package/src/__tests__/guardian-grant-minting.test.ts +20 -20
package/src/__tests__/guardian-outbound-http.test.ts +1 -2
package/src/__tests__/guardian-principal-id-roundtrip.test.ts +0 -41
package/src/__tests__/guardian-routing-invariants.test.ts +36 -16
package/src/__tests__/guardian-routing-state.test.ts +36 -52
package/src/__tests__/guardian-verification-intent-routing.test.ts +4 -6
package/src/__tests__/guardian-verify-setup-skill-regression.test.ts +6 -8
package/src/__tests__/handle-user-message-secret-resume.test.ts +39 -1
package/src/__tests__/handlers-cu-observation-blob.test.ts +21 -10
package/src/__tests__/handlers-telegram-config.test.ts +14 -14
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +23 -2
package/src/__tests__/headless-browser-interactions.test.ts +1 -1
package/src/__tests__/headless-browser-navigate.test.ts +1 -1
package/src/__tests__/headless-browser-read-tools.test.ts +1 -1
package/src/__tests__/headless-browser-snapshot.test.ts +1 -1
package/src/__tests__/heartbeat-service.test.ts +45 -2
package/src/__tests__/host-file-edit-tool.test.ts +1 -1
package/src/__tests__/host-file-read-tool.test.ts +1 -1
package/src/__tests__/host-file-write-tool.test.ts +1 -1
package/src/__tests__/host-shell-tool.test.ts +1 -1
package/src/__tests__/inbound-invite-redemption.test.ts +17 -19
package/src/__tests__/ingress-reconcile.test.ts +2 -2
package/src/__tests__/integrations-cli.test.ts +232 -0
package/src/__tests__/intent-routing.test.ts +7 -5
package/src/__tests__/invite-redemption-service.test.ts +5 -4
package/src/__tests__/{ingress-routes-http.test.ts → invite-routes-http.test.ts} +42 -321
package/src/__tests__/ipc-snapshot.test.ts +32 -31
package/src/__tests__/managed-skill-lifecycle.test.ts +1 -1
package/src/__tests__/mcp-cli.test.ts +136 -57
package/src/__tests__/mcp-client-auth.test.ts +95 -0
package/src/__tests__/media-generate-image.test.ts +2 -2
package/src/__tests__/media-reuse-story.e2e.test.ts +8 -8
package/src/__tests__/memory-regressions.test.ts +6 -6
package/src/__tests__/messaging-send-tool.test.ts +1 -1
package/src/__tests__/migration-cross-version-compatibility.test.ts +1855 -0
package/src/__tests__/migration-export-http.test.ts +540 -0
package/src/__tests__/migration-import-commit-http.test.ts +823 -0
package/src/__tests__/migration-import-preflight-http.test.ts +755 -0
package/src/__tests__/migration-parity-persistence.test.ts +1854 -0
package/src/__tests__/migration-transport.test.ts +904 -0
package/src/__tests__/migration-validate-http.test.ts +698 -0
package/src/__tests__/migration-wizard.test.ts +1289 -0
package/src/__tests__/nl-approval-parser.test.ts +305 -0
package/src/__tests__/non-member-access-request.test.ts +17 -17
package/src/__tests__/notification-decision-strategy.test.ts +110 -2
package/src/__tests__/notification-deep-link.test.ts +18 -0
package/src/__tests__/notification-guardian-path.test.ts +0 -1
package/src/__tests__/oauth-provider-profiles.test.ts +34 -0
package/src/__tests__/oauth2-gateway-transport.test.ts +1 -1
package/src/__tests__/playbook-execution.test.ts +1 -1
package/src/__tests__/playbook-tools.test.ts +1 -1
package/src/__tests__/provider-error-scenarios.test.ts +68 -0
package/src/__tests__/provider-streaming.benchmark.test.ts +3 -1
package/src/__tests__/proxy-approval-callback.test.ts +1 -1
package/src/__tests__/qdrant-manager.test.ts +40 -11
package/src/__tests__/rebind-secrets-screen.test.ts +839 -0
package/src/__tests__/recording-handler.test.ts +2 -2
package/src/__tests__/recording-intent-handler.test.ts +3 -3
package/src/__tests__/recording-state-machine.test.ts +2 -2
package/src/__tests__/relay-server.test.ts +507 -228
package/src/__tests__/reminder-store.test.ts +8 -0
package/src/__tests__/reminder.test.ts +8 -0
package/src/__tests__/{resolve-guardian-trust-class.test.ts → resolve-trust-class.test.ts} +11 -17
package/src/__tests__/retry-after-extraction.test.ts +111 -0
package/src/__tests__/scaffold-managed-skill-tool.test.ts +1 -1
package/src/__tests__/schedule-tools.test.ts +1 -1
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/script-proxy-connect-tunnel.test.ts +2 -3
package/src/__tests__/script-proxy-decision-trace.test.ts +2 -2
package/src/__tests__/script-proxy-http-forwarder.test.ts +1 -1
package/src/__tests__/script-proxy-injection-runtime.test.ts +5 -5
package/src/__tests__/script-proxy-mitm-handler.test.ts +4 -4
package/src/__tests__/script-proxy-policy-runtime.test.ts +2 -2
package/src/__tests__/script-proxy-policy.test.ts +2 -2
package/src/__tests__/script-proxy-profile-template-fallback.test.ts +127 -0
package/src/__tests__/script-proxy-session-manager.test.ts +4 -7
package/src/__tests__/script-proxy-session-runtime.test.ts +1 -6
package/src/__tests__/secret-onetime-send.test.ts +4 -4
package/src/__tests__/secret-scanner-executor.test.ts +2 -2
package/src/__tests__/send-endpoint-busy.test.ts +11 -9
package/src/__tests__/send-notification-tool.test.ts +2 -2
package/src/__tests__/session-abort-tool-results.test.ts +17 -2
package/src/__tests__/session-agent-loop.test.ts +456 -35
package/src/__tests__/session-confirmation-signals.test.ts +3 -2
package/src/__tests__/session-conflict-gate.test.ts +20 -3
package/src/__tests__/session-init.benchmark.test.ts +2 -2
package/src/__tests__/session-load-history-repair.test.ts +7 -7
package/src/__tests__/session-media-retry.test.ts +147 -0
package/src/__tests__/session-pre-run-repair.test.ts +17 -2
package/src/__tests__/session-profile-injection.test.ts +20 -3
package/src/__tests__/session-provider-retry-repair.test.ts +86 -6
package/src/__tests__/session-queue.test.ts +33 -18
package/src/__tests__/session-runtime-assembly.test.ts +147 -1
package/src/__tests__/session-runtime-workspace.test.ts +40 -0
package/src/__tests__/session-slash-known.test.ts +21 -3
package/src/__tests__/session-slash-queue.test.ts +17 -2
package/src/__tests__/session-slash-unknown.test.ts +17 -2
package/src/__tests__/session-surfaces-deselection.test.ts +208 -0
package/src/__tests__/session-workspace-cache-state.test.ts +2 -2
package/src/__tests__/session-workspace-injection.test.ts +17 -2
package/src/__tests__/session-workspace-tool-tracking.test.ts +17 -2
package/src/__tests__/shell-credential-ref.test.ts +1 -1
package/src/__tests__/shell-tool-proxy-mode.test.ts +1 -1
package/src/__tests__/skill-feature-flags-integration.test.ts +9 -5
package/src/__tests__/skill-feature-flags.test.ts +18 -12
package/src/__tests__/skill-load-feature-flag.test.ts +5 -4
package/src/__tests__/skill-load-tool.test.ts +1 -1
package/src/__tests__/skill-script-runner-host.test.ts +1 -1
package/src/__tests__/skill-script-runner-sandbox.test.ts +1 -1
package/src/__tests__/skill-script-runner.test.ts +1 -1
package/src/__tests__/skill-tool-factory.test.ts +1 -1
package/src/__tests__/slack-block-formatting.test.ts +100 -0
package/src/__tests__/slack-inbound-verification.test.ts +346 -0
package/src/__tests__/slack-reaction-approvals.test.ts +77 -0
package/src/__tests__/slack-skill.test.ts +4 -2
package/src/__tests__/starter-task-flow.test.ts +0 -1
package/src/__tests__/subagent-tools.test.ts +3 -3
package/src/__tests__/swarm-recursion.test.ts +1 -1
package/src/__tests__/swarm-session-integration.test.ts +1 -1
package/src/__tests__/swarm-tool.test.ts +1 -1
package/src/__tests__/task-management-tools.test.ts +1 -1
package/src/__tests__/task-tools.test.ts +1 -1
package/src/__tests__/terminal-tools.test.ts +1 -1
package/src/__tests__/test-support/browser-skill-harness.ts +39 -27
package/src/__tests__/test-support/computer-use-skill-harness.ts +14 -14
package/src/__tests__/tool-approval-handler.test.ts +15 -15
package/src/__tests__/tool-execution-abort-cleanup.test.ts +1 -1
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +1 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +2 -2
package/src/__tests__/tool-executor-shell-integration.test.ts +1 -1
package/src/__tests__/tool-executor.test.ts +23 -182
package/src/__tests__/tool-grant-request-escalation.test.ts +11 -11
package/src/__tests__/tool-permission-simulate-handler.test.ts +4 -4
package/src/__tests__/transfer-progress-screen.test.ts +1180 -0
package/src/__tests__/trust-context-guards.test.ts +25 -29
package/src/__tests__/trusted-contact-approval-notifier.test.ts +23 -21
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +37 -40
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +29 -25
package/src/__tests__/trusted-contact-multichannel.test.ts +25 -24
package/src/__tests__/trusted-contact-verification.test.ts +64 -76
package/src/__tests__/turn-commit.test.ts +18 -18
package/src/__tests__/twilio-provider.test.ts +7 -7
package/src/__tests__/validation-results-screen.test.ts +1107 -0
package/src/__tests__/view-image-tool.test.ts +1 -1
package/src/__tests__/voice-invite-redemption.test.ts +4 -3
package/src/__tests__/voice-scoped-grant-consumer.test.ts +12 -12
package/src/__tests__/voice-session-bridge.test.ts +24 -24
package/src/agent/attachments.ts +3 -1
package/src/agent/loop.ts +13 -13
package/src/agent/message-types.ts +13 -7
package/src/amazon/cart.ts +59 -32
package/src/amazon/checkout.ts +25 -14
package/src/amazon/client.ts +61 -58
package/src/amazon/product-details.ts +3 -3
package/src/amazon/request-extractor.ts +46 -31
package/src/amazon/search.ts +6 -4
package/src/amazon/session.ts +33 -24
package/src/approvals/AGENTS.md +26 -0
package/src/approvals/approval-primitive.ts +87 -64
package/src/approvals/guardian-decision-primitive.ts +172 -81
package/src/approvals/guardian-request-resolvers.ts +262 -155
package/src/autonomy/autonomy-resolver.ts +7 -5
package/src/autonomy/autonomy-store.ts +34 -19
package/src/autonomy/disposition-mapper.ts +5 -5
package/src/autonomy/index.ts +6 -6
package/src/autonomy/types.ts +7 -3
package/src/browser-extension-relay/client.ts +50 -19
package/src/browser-extension-relay/protocol.ts +11 -11
package/src/browser-extension-relay/server.ts +45 -20
package/src/bundler/app-bundler.ts +75 -50
package/src/bundler/bundle-scanner.ts +145 -41
package/src/bundler/bundle-signer.ts +16 -14
package/src/bundler/signature-verifier.ts +36 -33
package/src/calls/call-constants.ts +10 -3
package/src/calls/call-controller.ts +473 -214
package/src/calls/call-conversation-messages.ts +25 -15
package/src/calls/call-domain.ts +401 -148
package/src/calls/call-pointer-message-composer.ts +26 -21
package/src/calls/call-pointer-messages.ts +52 -28
package/src/calls/call-recovery.ts +53 -37
package/src/calls/call-state-machine.ts +37 -7
package/src/calls/call-state.ts +35 -13
package/src/calls/call-store.ts +165 -77
package/src/calls/elevenlabs-client.ts +39 -20
package/src/calls/guardian-action-sweep.ts +42 -24
package/src/calls/guardian-dispatch.ts +79 -56
package/src/calls/guardian-question-copy.ts +28 -23
package/src/calls/relay-server.ts +1149 -532
package/src/calls/speaker-identification.ts +21 -15
package/src/calls/twilio-config.ts +34 -17
package/src/calls/twilio-provider.ts +108 -55
package/src/calls/twilio-rest.ts +212 -100
package/src/calls/twilio-routes.ts +165 -92
package/src/calls/types.ts +55 -7
package/src/calls/voice-quality.ts +6 -4
package/src/calls/voice-session-bridge.ts +181 -133
package/src/channels/config.ts +18 -14
package/src/channels/types.ts +38 -10
package/src/cli/amazon.ts +333 -227
package/src/cli/config-commands.ts +236 -146
package/src/cli/core-commands.ts +403 -329
package/src/cli/email-guardrails.ts +38 -19
package/src/cli/email.ts +207 -153
package/src/cli/influencer.ts +58 -56
package/src/cli/integrations.ts +306 -0
package/src/cli/ipc-client.ts +24 -19
package/src/cli/map.ts +176 -129
package/src/cli/mcp.ts +260 -152
package/src/cli/sequence.ts +165 -107
package/src/cli/twitter.ts +302 -218
package/src/cli.ts +418 -279
package/src/commands/cc-command-registry.ts +52 -27
package/src/config/agent-schema.ts +217 -134
package/src/config/assistant-feature-flags.ts +23 -18
package/src/config/bundled-skills/_shared/CLI_RETRIEVAL_PATTERN.md +19 -0
package/src/config/bundled-skills/app-builder/SKILL.md +193 -1500
package/src/config/bundled-skills/app-builder/TOOLS.json +70 -18
package/src/config/bundled-skills/app-builder/tools/app-create.ts +7 -4
package/src/config/bundled-skills/app-builder/tools/app-delete.ts +6 -3
package/src/config/bundled-skills/app-builder/tools/app-file-edit.ts +7 -4
package/src/config/bundled-skills/app-builder/tools/app-file-list.ts +6 -3
package/src/config/bundled-skills/app-builder/tools/app-file-read.ts +6 -3
package/src/config/bundled-skills/app-builder/tools/app-file-write.ts +7 -4
package/src/config/bundled-skills/app-builder/tools/app-list.ts +6 -3
package/src/config/bundled-skills/app-builder/tools/app-query.ts +6 -3
package/src/config/bundled-skills/app-builder/tools/app-update.ts +6 -3
package/src/config/bundled-skills/browser/TOOLS.json +59 -2
package/src/config/bundled-skills/browser/tools/browser-click.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-close.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-extract.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-fill-credential.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-hover.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-navigate.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-press-key.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-screenshot.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-scroll.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-select-option.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-snapshot.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-type.ts +5 -2
package/src/config/bundled-skills/browser/tools/browser-wait-for-download.ts +13 -6
package/src/config/bundled-skills/browser/tools/browser-wait-for.ts +5 -2
package/src/config/bundled-skills/chatgpt-import/TOOLS.json +4 -0
package/src/config/bundled-skills/claude-code/TOOLS.json +4 -0
package/src/config/bundled-skills/claude-code/tools/claude-code.ts +5 -2
package/src/config/bundled-skills/computer-use/SKILL.md +2 -2
package/src/config/bundled-skills/computer-use/TOOLS.json +50 -2
package/src/config/bundled-skills/computer-use/tools/computer-use-click.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-done.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-double-click.ts +10 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-drag.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-key.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-open-app.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-request-control.ts +10 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-respond.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-right-click.ts +10 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-run-applescript.ts +10 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-scroll.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-type-text.ts +6 -3
package/src/config/bundled-skills/computer-use/tools/computer-use-wait.ts +6 -3
package/src/config/bundled-skills/configure-settings/SKILL.md +28 -14
package/src/config/bundled-skills/contacts/SKILL.md +453 -15
package/src/config/bundled-skills/contacts/TOOLS.json +22 -2
package/src/config/bundled-skills/contacts/tools/contact-merge.ts +79 -20
package/src/config/bundled-skills/contacts/tools/contact-search.ts +55 -18
package/src/config/bundled-skills/contacts/tools/contact-upsert.ts +64 -19
package/src/config/bundled-skills/document/TOOLS.json +8 -0
package/src/config/bundled-skills/document/tools/document-create.ts +5 -2
package/src/config/bundled-skills/document/tools/document-update.ts +5 -2
package/src/config/bundled-skills/doordash/doordash-cli.ts +17 -7
package/src/config/bundled-skills/email-setup/SKILL.md +12 -9
package/src/config/bundled-skills/followups/TOOLS.json +12 -0
package/src/config/bundled-skills/followups/tools/followup-create.ts +5 -2
package/src/config/bundled-skills/followups/tools/followup-list.ts +5 -2
package/src/config/bundled-skills/followups/tools/followup-resolve.ts +5 -2
package/src/config/bundled-skills/google-calendar/TOOLS.json +124 -26
package/src/config/bundled-skills/google-calendar/calendar-client.ts +44 -32
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +11 -5
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +13 -7
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +11 -5
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +13 -7
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +28 -12
package/src/config/bundled-skills/google-calendar/tools/shared.ts +6 -4
package/src/config/bundled-skills/google-calendar/types.ts +3 -3
package/src/config/bundled-skills/guardian-verify-setup/SKILL.md +88 -33
package/src/config/bundled-skills/image-studio/TOOLS.json +12 -2
package/src/config/bundled-skills/image-studio/tools/media-generate-image.ts +48 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +13 -3
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +60 -35
package/src/config/bundled-skills/mcp-setup/SKILL.md +75 -0
package/src/config/bundled-skills/media-processing/SKILL.md +55 -15
package/src/config/bundled-skills/media-processing/TOOLS.json +48 -2
package/src/config/bundled-skills/media-processing/__tests__/concurrency-pool.test.ts +12 -10
package/src/config/bundled-skills/media-processing/__tests__/cost-tracker.test.ts +34 -19
package/src/config/bundled-skills/media-processing/__tests__/preprocess.test.ts +82 -66
package/src/config/bundled-skills/media-processing/services/audio-transcribe.ts +148 -0
package/src/config/bundled-skills/media-processing/services/concurrency-pool.ts +1 -1
package/src/config/bundled-skills/media-processing/services/cost-tracker.ts +8 -3
package/src/config/bundled-skills/media-processing/services/gemini-map.ts +117 -53
package/src/config/bundled-skills/media-processing/services/gemini-video.ts +273 -0
package/src/config/bundled-skills/media-processing/services/preprocess.ts +185 -97
package/src/config/bundled-skills/media-processing/services/processing-pipeline.ts +32 -27
package/src/config/bundled-skills/media-processing/services/reduce.ts +101 -24
package/src/config/bundled-skills/media-processing/tools/analyze-keyframes.ts +121 -55
package/src/config/bundled-skills/media-processing/tools/extract-keyframes.ts +58 -24
package/src/config/bundled-skills/media-processing/tools/generate-clip.ts +198 -92
package/src/config/bundled-skills/media-processing/tools/ingest-media.ts +98 -70
package/src/config/bundled-skills/media-processing/tools/media-diagnostics.ts +59 -19
package/src/config/bundled-skills/media-processing/tools/media-status.ts +26 -10
package/src/config/bundled-skills/media-processing/tools/query-media-events.ts +29 -14
package/src/config/bundled-skills/messaging/SKILL.md +7 -5
package/src/config/bundled-skills/messaging/TOOLS.json +232 -186
package/src/config/bundled-skills/messaging/tools/gmail-archive-by-query.ts +31 -13
package/src/config/bundled-skills/messaging/tools/gmail-archive.ts +16 -10
package/src/config/bundled-skills/messaging/tools/gmail-batch-label.ts +18 -9
package/src/config/bundled-skills/messaging/tools/gmail-download-attachment.ts +23 -16
package/src/config/bundled-skills/messaging/tools/gmail-draft.ts +28 -12
package/src/config/bundled-skills/messaging/tools/gmail-filters.ts +41 -21
package/src/config/bundled-skills/messaging/tools/gmail-follow-up.ts +44 -23
package/src/config/bundled-skills/messaging/tools/gmail-forward.ts +73 -33
package/src/config/bundled-skills/messaging/tools/gmail-label.ts +15 -9
package/src/config/bundled-skills/messaging/tools/gmail-list-attachments.ts +22 -14
package/src/config/bundled-skills/messaging/tools/gmail-outreach-scan.ts +99 -50
package/src/config/bundled-skills/messaging/tools/gmail-send-draft.ts +14 -8
package/src/config/bundled-skills/messaging/tools/gmail-send-with-attachments.ts +63 -44
package/src/config/bundled-skills/messaging/tools/gmail-sender-digest.ts +90 -46
package/src/config/bundled-skills/messaging/tools/gmail-summarize-thread.ts +43 -22
package/src/config/bundled-skills/messaging/tools/gmail-trash.ts +15 -9
package/src/config/bundled-skills/messaging/tools/gmail-triage.ts +51 -22
package/src/config/bundled-skills/messaging/tools/gmail-unsubscribe.ts +62 -26
package/src/config/bundled-skills/messaging/tools/gmail-vacation.ts +34 -19
package/src/config/bundled-skills/messaging/tools/google-contacts.ts +32 -16
package/src/config/bundled-skills/messaging/tools/messaging-analyze-activity.ts +10 -4
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +91 -47
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +21 -9
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +9 -3
package/src/config/bundled-skills/messaging/tools/messaging-draft.ts +30 -17
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +10 -4
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +14 -6
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +16 -5
package/src/config/bundled-skills/messaging/tools/messaging-reply.ts +63 -36
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +10 -4
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +30 -12
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +48 -29
package/src/config/bundled-skills/messaging/tools/scan-result-store.ts +20 -6
package/src/config/bundled-skills/messaging/tools/send-notification.ts +1 -1
package/src/config/bundled-skills/messaging/tools/sequence-analytics.ts +59 -22
package/src/config/bundled-skills/messaging/tools/sequence-cancel.ts +13 -7
package/src/config/bundled-skills/messaging/tools/sequence-create.ts +27 -12
package/src/config/bundled-skills/messaging/tools/sequence-delete.ts +14 -6
package/src/config/bundled-skills/messaging/tools/sequence-enroll.ts +30 -11
package/src/config/bundled-skills/messaging/tools/sequence-enrollment-list.ts +16 -8
package/src/config/bundled-skills/messaging/tools/sequence-get.ts +31 -13
package/src/config/bundled-skills/messaging/tools/sequence-import.ts +38 -22
package/src/config/bundled-skills/messaging/tools/sequence-list.ts +16 -7
package/src/config/bundled-skills/messaging/tools/sequence-pause.ts +29 -10
package/src/config/bundled-skills/messaging/tools/sequence-resume.ts +16 -8
package/src/config/bundled-skills/messaging/tools/sequence-update.ts +35 -16
package/src/config/bundled-skills/messaging/tools/shared.ts +26 -12
package/src/config/bundled-skills/notifications/SKILL.md +3 -2
package/src/config/bundled-skills/notifications/TOOLS.json +7 -13
package/src/config/bundled-skills/notifications/tools/send-notification.ts +69 -34
package/src/config/bundled-skills/notifications/tools/shared.ts +1 -1
package/src/config/bundled-skills/phone-calls/SKILL.md +46 -48
package/src/config/bundled-skills/phone-calls/TOOLS.json +13 -1
package/src/config/bundled-skills/phone-calls/tools/call-end.ts +1 -1
package/src/config/bundled-skills/phone-calls/tools/call-start.ts +1 -1
package/src/config/bundled-skills/phone-calls/tools/call-status.ts +1 -1
package/src/config/bundled-skills/playbooks/TOOLS.json +16 -0
package/src/config/bundled-skills/playbooks/tools/playbook-create.ts +91 -51
package/src/config/bundled-skills/playbooks/tools/playbook-delete.ts +30 -16
package/src/config/bundled-skills/playbooks/tools/playbook-list.ts +66 -27
package/src/config/bundled-skills/playbooks/tools/playbook-update.ts +89 -42
package/src/config/bundled-skills/public-ingress/SKILL.md +26 -19
package/src/config/bundled-skills/reminder/TOOLS.json +15 -2
package/src/config/bundled-skills/reminder/tools/reminder-cancel.ts +5 -2
package/src/config/bundled-skills/reminder/tools/reminder-create.ts +5 -2
package/src/config/bundled-skills/reminder/tools/reminder-list.ts +5 -2
package/src/config/bundled-skills/schedule/SKILL.md +33 -15
package/src/config/bundled-skills/schedule/TOOLS.json +17 -1
package/src/config/bundled-skills/schedule/tools/schedule-create.ts +5 -2
package/src/config/bundled-skills/schedule/tools/schedule-delete.ts +5 -2
package/src/config/bundled-skills/schedule/tools/schedule-list.ts +5 -2
package/src/config/bundled-skills/schedule/tools/schedule-update.ts +5 -2
package/src/config/bundled-skills/screen-recording/SKILL.md +11 -3
package/src/config/bundled-skills/self-upgrade/SKILL.md +9 -8
package/src/config/bundled-skills/slack/SKILL.md +30 -1
package/src/config/bundled-skills/slack/TOOLS.json +122 -17
package/src/config/bundled-skills/slack/tools/shared.ts +7 -5
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +11 -5
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +11 -5
package/src/config/bundled-skills/slack/tools/slack-channel-permissions.ts +146 -0
package/src/config/bundled-skills/slack/tools/slack-configure-channels.ts +46 -16
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +11 -5
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +28 -0
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +12 -6
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +120 -0
package/src/config/bundled-skills/slack-app-setup/SKILL.md +200 -0
package/src/config/bundled-skills/sms-setup/SKILL.md +5 -8
package/src/config/bundled-skills/subagent/TOOLS.json +22 -2
package/src/config/bundled-skills/subagent/tools/subagent-abort.ts +5 -2
package/src/config/bundled-skills/subagent/tools/subagent-message.ts +5 -2
package/src/config/bundled-skills/subagent/tools/subagent-read.ts +5 -2
package/src/config/bundled-skills/subagent/tools/subagent-spawn.ts +5 -2
package/src/config/bundled-skills/subagent/tools/subagent-status.ts +5 -2
package/src/config/bundled-skills/tasks/TOOLS.json +86 -14
package/src/config/bundled-skills/tasks/tools/task-delete.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-list-add.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-list-remove.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-list-show.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-list-update.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-list.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-queue-run.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-run.ts +5 -2
package/src/config/bundled-skills/tasks/tools/task-save.ts +5 -2
package/src/config/bundled-skills/telegram-setup/SKILL.md +7 -8
package/src/config/bundled-skills/transcribe/TOOLS.json +4 -0
package/src/config/bundled-skills/transcribe/tools/transcribe-media.ts +232 -127
package/src/config/bundled-skills/twilio-setup/SKILL.md +7 -12
package/src/config/bundled-skills/twitter/SKILL.md +19 -2
package/src/config/bundled-skills/voice-setup/SKILL.md +5 -5
package/src/config/bundled-skills/watcher/TOOLS.json +20 -0
package/src/config/bundled-skills/watcher/tools/watcher-create.ts +5 -2
package/src/config/bundled-skills/watcher/tools/watcher-delete.ts +5 -2
package/src/config/bundled-skills/watcher/tools/watcher-digest.ts +5 -2
package/src/config/bundled-skills/watcher/tools/watcher-list.ts +5 -2
package/src/config/bundled-skills/watcher/tools/watcher-update.ts +5 -2
package/src/config/bundled-skills/weather/TOOLS.json +4 -0
package/src/config/bundled-skills/weather/tools/get-weather.ts +5 -2
package/src/config/bundled-tool-registry.ts +2 -0
package/src/config/calls-schema.ts +108 -63
package/src/config/channel-permission-profiles.ts +155 -0
package/src/config/computer-use-prompt.ts +7 -7
package/src/config/core-schema.ts +239 -155
package/src/config/defaults.ts +2 -2
package/src/config/elevenlabs-schema.ts +15 -15
package/src/config/env-registry.ts +33 -33
package/src/config/env.ts +4 -1
package/src/config/feature-flag-registry.json +31 -7
package/src/config/loader.ts +118 -58
package/src/config/mcp-schema.ts +29 -15
package/src/config/memory-schema.ts +434 -229
package/src/config/notifications-schema.ts +4 -4
package/src/config/sandbox-schema.ts +2 -2
package/src/config/schema.ts +12 -2
package/src/config/skill-state.ts +27 -15
package/src/config/skills-schema.ts +72 -23
package/src/config/skills.ts +303 -143
package/src/config/system-prompt.ts +25 -6
package/src/config/types.ts +1 -1
package/src/config/update-bulletin-format.ts +3 -3
package/src/config/update-bulletin-state.ts +15 -6
package/src/config/update-bulletin-template-path.ts +8 -4
package/src/config/update-bulletin.ts +33 -14
package/src/config/user-reference.ts +8 -8
package/src/contacts/contact-events.ts +21 -0
package/src/contacts/contact-store.ts +813 -100
package/src/contacts/contacts-write.ts +287 -0
package/src/contacts/index.ts +13 -4
package/src/contacts/startup-migration.ts +21 -0
package/src/contacts/types.ts +73 -2
package/src/context/token-estimator.ts +54 -31
package/src/context/tool-result-truncation.ts +41 -7
package/src/context/window-manager.ts +225 -120
package/src/daemon/approval-generators.ts +83 -55
package/src/daemon/approved-devices-store.ts +33 -20
package/src/daemon/assistant-attachments.ts +157 -101
package/src/daemon/auth-manager.ts +17 -15
package/src/daemon/classifier.ts +117 -46
package/src/daemon/computer-use-session.ts +316 -187
package/src/daemon/config-watcher.ts +91 -44
package/src/daemon/connection-policy.ts +18 -10
package/src/daemon/context-overflow-approval.ts +48 -0
package/src/daemon/context-overflow-policy.ts +50 -0
package/src/daemon/context-overflow-reducer.ts +300 -0
package/src/daemon/daemon-control.ts +79 -51
package/src/daemon/date-context.ts +119 -69
package/src/daemon/dictation-profile-store.ts +94 -48
package/src/daemon/dictation-text-processing.ts +33 -12
package/src/daemon/doordash-steps.ts +92 -49
package/src/daemon/guardian-action-generators.ts +62 -46
package/src/daemon/guardian-verification-intent.ts +35 -19
package/src/daemon/handlers/apps.ts +258 -113
package/src/daemon/handlers/avatar.ts +20 -15
package/src/daemon/handlers/computer-use.ts +82 -39
package/src/daemon/handlers/config-channels.ts +146 -69
package/src/daemon/handlers/config-heartbeat.ts +114 -59
package/src/daemon/handlers/config-inbox.ts +213 -160
package/src/daemon/handlers/config-ingress.ts +127 -55
package/src/daemon/handlers/config-integrations.ts +145 -88
package/src/daemon/handlers/config-model.ts +58 -22
package/src/daemon/handlers/config-platform.ts +40 -16
package/src/daemon/handlers/config-scheduling.ts +109 -48
package/src/daemon/handlers/config-slack-channel.ts +67 -35
package/src/daemon/handlers/config-slack.ts +21 -20
package/src/daemon/handlers/config-telegram.ts +100 -70
package/src/daemon/handlers/config-tools.ts +103 -55
package/src/daemon/handlers/config-trust.ts +50 -20
package/src/daemon/handlers/config.ts +72 -24
package/src/daemon/handlers/contacts.ts +163 -0
package/src/daemon/handlers/diagnostics.ts +90 -48
package/src/daemon/handlers/documents.ts +74 -46
package/src/daemon/handlers/guardian-actions.ts +57 -77
package/src/daemon/handlers/home-base.ts +19 -16
package/src/daemon/handlers/identity.ts +65 -45
package/src/daemon/handlers/index.ts +78 -54
package/src/daemon/handlers/misc.ts +664 -234
package/src/daemon/handlers/navigate-settings.ts +14 -11
package/src/daemon/handlers/oauth-connect.ts +48 -35
package/src/daemon/handlers/open-bundle-handler.ts +31 -24
package/src/daemon/handlers/pairing.ts +51 -25
package/src/daemon/handlers/publish.ts +55 -33
package/src/daemon/handlers/recording.ts +378 -162
package/src/daemon/handlers/sessions.ts +922 -423
package/src/daemon/handlers/shared.ts +202 -117
package/src/daemon/handlers/signing.ts +25 -6
package/src/daemon/handlers/subagents.ts +117 -56
package/src/daemon/handlers/twitter-auth.ts +70 -49
package/src/daemon/handlers/work-items.ts +264 -112
package/src/daemon/handlers/workspace-files.ts +27 -20
package/src/daemon/handlers.ts +2 -2
package/src/daemon/history-repair.ts +16 -15
package/src/daemon/identity-helpers.ts +4 -4
package/src/daemon/install-cli-launchers.ts +33 -22
package/src/daemon/ipc-blob-store.ts +38 -24
package/src/daemon/ipc-contract/apps.ts +61 -50
package/src/daemon/ipc-contract/computer-use.ts +47 -37
package/src/daemon/ipc-contract/contacts.ts +69 -0
package/src/daemon/ipc-contract/diagnostics.ts +14 -14
package/src/daemon/ipc-contract/documents.ts +8 -8
package/src/daemon/ipc-contract/guardian-actions.ts +4 -4
package/src/daemon/ipc-contract/inbox.ts +12 -71
package/src/daemon/ipc-contract/integrations.ts +57 -44
package/src/daemon/ipc-contract/memory.ts +3 -5
package/src/daemon/ipc-contract/messages.ts +95 -69
package/src/daemon/ipc-contract/notifications.ts +10 -6
package/src/daemon/ipc-contract/pairing.ts +8 -8
package/src/daemon/ipc-contract/schedules.ts +20 -20
package/src/daemon/ipc-contract/sessions.ts +89 -57
package/src/daemon/ipc-contract/settings.ts +12 -7
package/src/daemon/ipc-contract/shared.ts +9 -7
package/src/daemon/ipc-contract/skills.ts +46 -26
package/src/daemon/ipc-contract/subagents.ts +9 -9
package/src/daemon/ipc-contract/surfaces.ts +0 -1
package/src/daemon/ipc-contract/trust.ts +11 -11
package/src/daemon/ipc-contract/work-items.ts +33 -28
package/src/daemon/ipc-contract/workspace.ts +28 -21
package/src/daemon/ipc-contract-inventory.json +10 -4
package/src/daemon/ipc-contract-inventory.ts +29 -26
package/src/daemon/ipc-contract.ts +111 -44
package/src/daemon/ipc-handler.ts +27 -19
package/src/daemon/ipc-protocol.ts +22 -12
package/src/daemon/ipc-validate.ts +91 -46
package/src/daemon/lifecycle.ts +39 -3
package/src/daemon/main.ts +10 -8
package/src/daemon/media-visibility-policy.ts +3 -1
package/src/daemon/pairing-store.ts +72 -40
package/src/daemon/providers-setup.ts +35 -25
package/src/daemon/recording-executor.ts +37 -30
package/src/daemon/recording-intent-fallback.ts +58 -28
package/src/daemon/recording-intent.ts +71 -61
package/src/daemon/ride-shotgun-handler.ts +201 -121
package/src/daemon/seed-files.ts +28 -17
package/src/daemon/server.ts +23 -14
package/src/daemon/session-agent-loop-handlers.ts +270 -135
package/src/daemon/session-agent-loop.ts +796 -253
package/src/daemon/session-attachments.ts +109 -40
package/src/daemon/session-conflict-gate.ts +72 -28
package/src/daemon/session-dynamic-profile.ts +36 -22
package/src/daemon/session-error.ts +68 -45
package/src/daemon/session-evictor.ts +17 -10
package/src/daemon/session-history.ts +201 -89
package/src/daemon/session-lifecycle.ts +80 -44
package/src/daemon/session-media-retry.ts +104 -42
package/src/daemon/session-memory.ts +77 -55
package/src/daemon/session-messaging.ts +261 -111
package/src/daemon/session-notifiers.ts +57 -45
package/src/daemon/session-process.ts +370 -154
package/src/daemon/session-queue-manager.ts +30 -13
package/src/daemon/session-runtime-assembly.ts +61 -15
package/src/daemon/session-skill-tools.ts +84 -36
package/src/daemon/session-slash.ts +178 -113
package/src/daemon/session-surfaces.ts +498 -212
package/src/daemon/session-tool-setup.ts +24 -16
package/src/daemon/session-usage.ts +26 -13
package/src/daemon/session-workspace.ts +7 -4
package/src/daemon/session.ts +18 -19
package/src/daemon/shutdown-handlers.ts +36 -33
package/src/daemon/tls-certs.ts +90 -57
package/src/daemon/tool-side-effects.ts +97 -65
package/src/daemon/trace-emitter.ts +8 -7
package/src/daemon/video-thumbnail.ts +55 -25
package/src/daemon/watch-handler.ts +164 -86
package/src/email/provider.ts +1 -1
package/src/email/providers/agentmail.ts +87 -45
package/src/email/providers/index.ts +19 -14
package/src/email/service.ts +52 -24
package/src/email/types.ts +2 -2
package/src/errors.ts +1 -1
package/src/events/bus.ts +30 -10
package/src/events/domain-events.ts +20 -13
package/src/events/index.ts +6 -6
package/src/events/tool-audit-listener.ts +34 -20
package/src/events/tool-domain-event-publisher.ts +22 -20
package/src/events/tool-metrics-listener.ts +26 -21
package/src/events/tool-notification-listener.ts +5 -5
package/src/events/tool-profiling-listener.ts +33 -23
package/src/events/tool-trace-listener.ts +70 -46
package/src/export/formatter.ts +38 -32
package/src/followups/followup-store.ts +43 -36
package/src/followups/index.ts +2 -2
package/src/followups/types.ts +1 -1
package/src/gallery/default-gallery.ts +37 -34
package/src/gallery/gallery-manifest.ts +9 -9
package/src/heartbeat/heartbeat-service.ts +59 -37
package/src/home-base/app-link-store.ts +14 -12
package/src/home-base/bootstrap.ts +14 -8
package/src/home-base/prebuilt/seed.ts +34 -26
package/src/home-base/prebuilt-home-base-updater.ts +14 -8
package/src/hooks/cli.ts +56 -43
package/src/hooks/config.ts +27 -14
package/src/hooks/discovery.ts +53 -33
package/src/hooks/manager.ts +50 -26
package/src/hooks/runner.ts +35 -29
package/src/hooks/templates.ts +38 -15
package/src/hooks/types.ts +13 -13
package/src/inbound/platform-callback-registration.ts +21 -15
package/src/inbound/public-ingress-urls.ts +9 -6
package/src/index.ts +20 -19
package/src/influencer/client.ts +261 -117
package/src/instrument.ts +3 -1
package/src/logfire.ts +64 -39
package/src/mcp/client.ts +107 -55
package/src/mcp/manager.ts +45 -18
package/src/mcp/mcp-oauth-provider.ts +114 -62
package/src/media/gemini-image-service.ts +75 -23
package/src/memory/account-store.ts +16 -9
package/src/memory/admin.ts +87 -57
package/src/memory/app-git-service.ts +77 -47
package/src/memory/app-store.ts +148 -78
package/src/memory/attachments-store.ts +123 -53
package/src/memory/canonical-guardian-store.ts +190 -48
package/src/memory/channel-delivery-store.ts +5 -5
package/src/memory/channel-guardian-store.ts +31 -16
package/src/memory/checkpoints.ts +14 -7
package/src/memory/clarification-resolver.ts +219 -104
package/src/memory/conflict-intent.ts +74 -23
package/src/memory/conflict-policy.ts +20 -7
package/src/memory/conflict-store.ts +144 -94
package/src/memory/contradiction-checker.ts +257 -132
package/src/memory/conversation-attention-store.ts +74 -32
package/src/memory/conversation-bootstrap.ts +28 -0
package/src/memory/conversation-crud.ts +12 -5
package/src/memory/conversation-display-order-migration.ts +7 -7
package/src/memory/conversation-key-store.ts +18 -13
package/src/memory/conversation-queries.ts +130 -52
package/src/memory/conversation-store.ts +43 -26
package/src/memory/conversation-title-service.ts +89 -66
package/src/memory/db-init.ts +94 -2
package/src/memory/db.ts +10 -3
package/src/memory/delivery-channels.ts +12 -6
package/src/memory/delivery-crud.ts +26 -12
package/src/memory/delivery-status.ts +19 -16
package/src/memory/embedding-backend.ts +205 -77
package/src/memory/embedding-gemini.ts +23 -10
package/src/memory/embedding-local.ts +89 -44
package/src/memory/embedding-ollama.ts +25 -13
package/src/memory/embedding-openai.ts +20 -11
package/src/memory/embedding-runtime-manager.ts +163 -90
package/src/memory/entity-extractor.ts +185 -123
package/src/memory/external-conversation-store.ts +30 -12
package/src/memory/fingerprint.ts +2 -2
package/src/memory/fts-reconciler.ts +57 -28
package/src/memory/guardian-action-store.ts +162 -100
package/src/memory/guardian-approvals.ts +63 -129
package/src/memory/guardian-rate-limits.ts +20 -9
package/src/memory/guardian-verification.ts +82 -35
package/src/memory/indexer.ts +96 -55
package/src/memory/{ingress-invite-store.ts → invite-store.ts} +28 -169
package/src/memory/items-extractor.ts +313 -157
package/src/memory/job-handlers/backfill.ts +116 -63
package/src/memory/job-handlers/cleanup.ts +64 -41
package/src/memory/job-handlers/conflict.ts +90 -49
package/src/memory/job-handlers/embedding.ts +32 -17
package/src/memory/job-handlers/extraction.ts +58 -33
package/src/memory/job-handlers/index-maintenance.ts +31 -17
package/src/memory/job-handlers/media-processing.ts +65 -24
package/src/memory/job-handlers/summarization.ts +186 -128
package/src/memory/job-utils.ts +100 -57
package/src/memory/jobs-store.ts +235 -142
package/src/memory/jobs-worker.ts +167 -83
package/src/memory/llm-request-log-store.ts +13 -11
package/src/memory/llm-usage-store.ts +35 -26
package/src/memory/media-store.ts +151 -44
package/src/memory/message-content.ts +28 -18
package/src/memory/migrations/001-job-deferrals.ts +11 -5
package/src/memory/migrations/002-tool-invocations-fk.ts +14 -6
package/src/memory/migrations/003-memory-fts-backfill.ts +11 -5
package/src/memory/migrations/004-entity-relation-dedup.ts +17 -11
package/src/memory/migrations/005-fingerprint-scope-unique.ts +36 -21
package/src/memory/migrations/006-scope-salted-fingerprints.ts +35 -20
package/src/memory/migrations/007-assistant-id-to-self.ts +40 -27
package/src/memory/migrations/008-remove-assistant-id-columns.ts +58 -36
package/src/memory/migrations/009-llm-usage-events-drop-assistant-id.ts +36 -22
package/src/memory/migrations/010-ext-conv-bindings-channel-chat-unique.ts +21 -11
package/src/memory/migrations/011-call-sessions-provider-sid-dedup.ts +30 -15
package/src/memory/migrations/012-call-sessions-add-initiated-from.ts +4 -2
package/src/memory/migrations/013-guardian-action-tables.ts +29 -11
package/src/memory/migrations/014-backfill-inbox-thread-state.ts +35 -21
package/src/memory/migrations/015-drop-active-search-index.ts +17 -11
package/src/memory/migrations/016-memory-segments-indexes.ts +7 -3
package/src/memory/migrations/017-memory-items-indexes.ts +4 -2
package/src/memory/migrations/018-remaining-table-indexes.ts +13 -5
package/src/memory/migrations/019-notification-tables-schema-migration.ts +34 -20
package/src/memory/migrations/020-rename-macos-ios-channel-to-vellum.ts +87 -53
package/src/memory/migrations/021-conversation-status-indexes.ts +7 -3
package/src/memory/migrations/022-add-origin-interface.ts +4 -2
package/src/memory/migrations/023-memory-item-sources-indexes.ts +4 -2
package/src/memory/migrations/024-embedding-vector-blob.ts +34 -18
package/src/memory/migrations/025-messages-fts-backfill.ts +11 -5
package/src/memory/migrations/026-guardian-verification-sessions.ts +80 -14
package/src/memory/migrations/026a-embeddings-nullable-vector-json.ts +42 -26
package/src/memory/migrations/027-notification-delivery-pairing-columns.ts +22 -8
package/src/memory/migrations/027a-guardian-bootstrap-token.ts +11 -3
package/src/memory/migrations/028-call-session-mode.ts +13 -3
package/src/memory/migrations/028-notification-delivery-client-ack.ts +22 -8
package/src/memory/migrations/029-channel-inbound-delivered-segments.ts +7 -3
package/src/memory/migrations/030-guardian-action-followup.ts +46 -8
package/src/memory/migrations/030-guardian-verification-purpose.ts +4 -2
package/src/memory/migrations/031-conversations-thread-type-index.ts +4 -2
package/src/memory/migrations/032-guardian-delivery-conversation-index.ts +4 -2
package/src/memory/migrations/032-notification-delivery-thread-decision.ts +22 -8
package/src/memory/migrations/033-scoped-approval-grants.ts +1 -1
package/src/memory/migrations/034-guardian-action-tool-metadata.ts +15 -3
package/src/memory/migrations/035-guardian-action-supersession.ts +15 -3
package/src/memory/migrations/036-normalize-phone-identities.ts +101 -87
package/src/memory/migrations/037-voice-invite-columns.ts +22 -4
package/src/memory/migrations/038-actor-token-records.ts +5 -9
package/src/memory/migrations/039-actor-refresh-token-records.ts +7 -13
package/src/memory/migrations/100-core-tables.ts +1 -1
package/src/memory/migrations/101-watchers-and-logs.ts +1 -1
package/src/memory/migrations/103-complex-migrations.ts +9 -9
package/src/memory/migrations/104-core-indexes.ts +188 -64
package/src/memory/migrations/105-contacts-and-triage.ts +28 -10
package/src/memory/migrations/106-call-sessions.ts +58 -16
package/src/memory/migrations/107-followups.ts +16 -6
package/src/memory/migrations/108-tasks-and-work-items.ts +43 -11
package/src/memory/migrations/109-external-conversation-bindings.ts +11 -5
package/src/memory/migrations/110-channel-guardian.ts +48 -10
package/src/memory/migrations/111-media-assets.ts +52 -18
package/src/memory/migrations/112-assistant-inbox.ts +32 -12
package/src/memory/migrations/113-late-migrations.ts +12 -12
package/src/memory/migrations/114-notifications.ts +28 -12
package/src/memory/migrations/115-sequences.ts +10 -4
package/src/memory/migrations/116-messages-fts.ts +1 -1
package/src/memory/migrations/117-conversation-attention.ts +16 -6
package/src/memory/migrations/118-reminder-routing-intent.ts +7 -3
package/src/memory/migrations/119-schema-indexes-and-columns.ts +35 -15
package/src/memory/migrations/120-fk-cascade-rebuilds.ts +36 -17
package/src/memory/migrations/121-canonical-guardian-requests.ts +25 -9
package/src/memory/migrations/122-canonical-guardian-requester-chat-id.ts +11 -3
package/src/memory/migrations/123-canonical-guardian-deliveries-destination-index.ts +4 -2
package/src/memory/migrations/124-voice-invite-display-metadata.ts +15 -3
package/src/memory/migrations/125-guardian-principal-id-columns.ts +22 -4
package/src/memory/migrations/126-backfill-guardian-principal-id.ts +174 -126
package/src/memory/migrations/127-guardian-principal-id-not-null.ts +58 -42
package/src/memory/migrations/128-contacts-role-principal.ts +26 -0
package/src/memory/migrations/129-contact-channels-access-fields.ts +105 -0
package/src/memory/migrations/130-contact-channels-type-ext-chat-id-index.ts +15 -0
package/src/memory/migrations/131-drop-legacy-member-guardian-tables.ts +134 -0
package/src/memory/migrations/132-contacts-assistant-id.ts +21 -0
package/src/memory/migrations/133-assistant-contact-metadata.ts +21 -0
package/src/memory/migrations/index.ts +83 -73
package/src/memory/migrations/registry.ts +53 -37
package/src/memory/migrations/validate-migration-state.ts +73 -46
package/src/memory/profile-compiler.ts +58 -24
package/src/memory/published-pages-store.ts +12 -16
package/src/memory/qdrant-circuit-breaker.ts +28 -20
package/src/memory/qdrant-client.ts +99 -63
package/src/memory/qdrant-manager.ts +89 -57
package/src/memory/query-builder.ts +9 -7
package/src/memory/raw-query.ts +63 -14
package/src/memory/recall-cache.ts +15 -8
package/src/memory/retrieval-budget.ts +0 -1
package/src/memory/retriever.ts +385 -192
package/src/memory/schema-migration.ts +1 -1
package/src/memory/schema.ts +56 -56
package/src/memory/scoped-approval-grants.ts +99 -45
package/src/memory/search/entity.ts +102 -40
package/src/memory/search/formatting.ts +70 -52
package/src/memory/search/lexical.ts +82 -43
package/src/memory/search/ranking.ts +103 -39
package/src/memory/search/semantic.ts +59 -35
package/src/memory/search/types.ts +8 -8
package/src/memory/segmenter.ts +20 -12
package/src/memory/shared-app-links-store.ts +21 -16
package/src/memory/slack-thread-store.ts +187 -0
package/src/memory/task-memory-cleanup.ts +18 -8
package/src/memory/tool-usage-store.ts +27 -19
package/src/memory/validation.ts +4 -2
package/src/messaging/activity-analyzer.ts +7 -7
package/src/messaging/draft-store.ts +13 -10
package/src/messaging/email-classifier.ts +73 -37
package/src/messaging/index.ts +3 -3
package/src/messaging/outreach-classifier.ts +76 -38
package/src/messaging/provider-types.ts +2 -4
package/src/messaging/provider.ts +37 -8
package/src/messaging/providers/gmail/adapter.ts +183 -66
package/src/messaging/providers/gmail/client.ts +3 -1
package/src/messaging/providers/gmail/mime-builder.ts +21 -19
package/src/messaging/providers/gmail/people-client.ts +22 -9
package/src/messaging/providers/gmail/types.ts +6 -6
package/src/messaging/providers/slack/adapter.ts +93 -43
package/src/messaging/providers/slack/client.ts +165 -48
package/src/messaging/providers/slack/types.ts +10 -0
package/src/messaging/providers/sms/adapter.ts +76 -40
package/src/messaging/providers/sms/client.ts +4 -4
package/src/messaging/providers/telegram-bot/adapter.ts +52 -30
package/src/messaging/providers/telegram-bot/client.ts +7 -7
package/src/messaging/providers/whatsapp/adapter.ts +58 -31
package/src/messaging/providers/whatsapp/client.ts +4 -4
package/src/messaging/registry.ts +9 -5
package/src/messaging/style-analyzer.ts +69 -39
package/src/messaging/thread-summarizer.ts +101 -53
package/src/messaging/triage-engine.ts +111 -82
package/src/messaging/types.ts +10 -10
package/src/migrations/config-merge.ts +18 -10
package/src/migrations/data-layout.ts +35 -22
package/src/migrations/data-merge.ts +17 -7
package/src/migrations/hooks-merge.ts +43 -16
package/src/migrations/index.ts +6 -6
package/src/migrations/log.ts +9 -5
package/src/migrations/skills-merge.ts +17 -7
package/src/migrations/workspace-layout.ts +39 -25
package/src/notifications/AGENTS.md +5 -0
package/src/notifications/adapters/macos.ts +21 -14
package/src/notifications/adapters/slack.ts +90 -0
package/src/notifications/adapters/sms.ts +28 -15
package/src/notifications/adapters/telegram.ts +24 -15
package/src/notifications/broadcaster.ts +108 -52
package/src/notifications/conversation-pairing.ts +64 -29
package/src/notifications/copy-composer.ts +165 -95
package/src/notifications/decision-engine.ts +353 -147
package/src/notifications/decisions-store.ts +26 -10
package/src/notifications/deliveries-store.ts +23 -13
package/src/notifications/destination-resolver.ts +83 -24
package/src/notifications/deterministic-checks.ts +78 -27
package/src/notifications/emit-signal.ts +95 -41
package/src/notifications/events-store.ts +13 -7
package/src/notifications/guardian-question-mode.ts +125 -75
package/src/notifications/preference-extractor.ts +85 -53
package/src/notifications/preference-summary.ts +31 -18
package/src/notifications/preferences-store.ts +29 -18
package/src/notifications/runtime-dispatch.ts +22 -12
package/src/notifications/signal.ts +4 -4
package/src/notifications/thread-candidates.ts +59 -23
package/src/notifications/thread-seed-composer.ts +45 -27
package/src/notifications/types.ts +19 -10
package/src/oauth/connect-orchestrator.ts +105 -54
package/src/oauth/connect-types.ts +3 -3
package/src/oauth/provider-profiles.ts +102 -59
package/src/oauth/scope-policy.ts +5 -2
package/src/oauth/token-persistence.ts +58 -24
package/src/outbound-proxy/certs.ts +284 -0
package/src/outbound-proxy/config.ts +94 -0
package/src/outbound-proxy/connect-tunnel.ts +84 -0
package/src/outbound-proxy/health.ts +62 -0
package/src/outbound-proxy/host-pattern-match.ts +67 -0
package/src/outbound-proxy/http-forwarder.ts +162 -0
package/src/outbound-proxy/index.ts +80 -0
package/src/outbound-proxy/logging.ts +193 -0
package/src/outbound-proxy/mitm-handler.ts +292 -0
package/src/outbound-proxy/policy.ts +172 -0
package/src/outbound-proxy/router.ts +64 -0
package/src/outbound-proxy/server.ts +145 -0
package/src/outbound-proxy/types.ts +150 -0
package/src/permissions/checker.ts +481 -189
package/src/permissions/defaults.ts +135 -108
package/src/permissions/prompter.ts +53 -27
package/src/permissions/secret-prompter.ts +21 -15
package/src/permissions/shell-identity.ts +47 -16
package/src/permissions/trust-store.ts +185 -73
package/src/permissions/types.ts +22 -12
package/src/permissions/workspace-policy.ts +47 -38
package/src/playbooks/index.ts +10 -2
package/src/playbooks/playbook-compiler.ts +30 -24
package/src/playbooks/types.ts +11 -8
package/src/providers/anthropic/client.ts +328 -168
package/src/providers/failover.ts +57 -22
package/src/providers/fireworks/client.ts +9 -5
package/src/providers/gemini/client.ts +61 -39
package/src/providers/model-intents.ts +40 -33
package/src/providers/ollama/client.ts +7 -7
package/src/providers/openai/client.ts +109 -68
package/src/providers/openrouter/client.ts +9 -5
package/src/providers/provider-send-message.ts +59 -27
package/src/providers/ratelimit.ts +25 -8
package/src/providers/registry.ts +86 -38
package/src/providers/retry.ts +93 -37
package/src/providers/stream-timeout.ts +5 -3
package/src/providers/types.ts +7 -6
package/src/runtime/AGENTS.md +42 -0
package/src/runtime/access-request-helper.ts +118 -68
package/src/runtime/actor-refresh-token-store.ts +21 -16
package/src/runtime/actor-token-store.ts +25 -18
package/src/runtime/actor-trust-resolver.ts +191 -80
package/src/runtime/approval-conversation-turn.ts +39 -26
package/src/runtime/approval-message-composer.ts +116 -84
package/src/runtime/assistant-event-hub.ts +25 -6
package/src/runtime/assistant-event.ts +4 -4
package/src/runtime/assistant-scope.ts +1 -1
package/src/runtime/auth/__tests__/guard-tests.test.ts +36 -14
package/src/runtime/auth/context.ts +8 -7
package/src/runtime/auth/credential-service.ts +60 -38
package/src/runtime/auth/external-assistant-id.ts +16 -8
package/src/runtime/auth/index.ts +23 -16
package/src/runtime/auth/require-bound-guardian.ts +44 -0
package/src/runtime/auth/route-policy.ts +166 -104
package/src/runtime/auth/scopes.ts +22 -29
package/src/runtime/auth/subject.ts +19 -13
package/src/runtime/auth/token-service.ts +3 -3
package/src/runtime/auth/types.ts +23 -23
package/src/runtime/channel-approval-parser.ts +37 -14
package/src/runtime/channel-approval-types.ts +30 -4
package/src/runtime/channel-approvals.ts +49 -23
package/src/runtime/channel-guardian-service.ts +144 -103
package/src/runtime/channel-invite-transport.ts +5 -3
package/src/runtime/channel-invite-transports/telegram.ts +16 -10
package/src/runtime/channel-invite-transports/voice.ts +7 -7
package/src/runtime/channel-readiness-service.ts +139 -90
package/src/runtime/channel-readiness-types.ts +4 -2
package/src/runtime/channel-reply-delivery.ts +83 -14
package/src/runtime/channel-retry-sweep.ts +111 -62
package/src/runtime/confirmation-request-guardian-bridge.ts +73 -54
package/src/runtime/gateway-client.ts +122 -55
package/src/runtime/gateway-internal-client.ts +86 -0
package/src/runtime/guardian-action-conversation-turn.ts +34 -18
package/src/runtime/guardian-action-followup-executor.ts +115 -45
package/src/runtime/guardian-action-grant-minter.ts +40 -24
package/src/runtime/guardian-action-message-composer.ts +105 -84
package/src/runtime/guardian-action-service.ts +127 -0
package/src/runtime/guardian-decision-types.ts +28 -13
package/src/runtime/guardian-outbound-actions.ts +9 -0
package/src/runtime/guardian-reply-router.ts +274 -145
package/src/runtime/guardian-vellum-migration.ts +38 -24
package/src/runtime/guardian-verification-templates.ts +24 -12
package/src/runtime/http-router.ts +175 -0
package/src/runtime/http-server.ts +913 -680
package/src/runtime/http-types.ts +2 -2
package/src/runtime/invite-redemption-service.ts +211 -134
package/src/runtime/invite-redemption-templates.ts +18 -11
package/src/runtime/{ingress-service.ts → invite-service.ts} +92 -151
package/src/runtime/local-actor-identity.ts +73 -55
package/src/runtime/middleware/auth.ts +25 -14
package/src/runtime/middleware/error-handler.ts +15 -11
package/src/runtime/middleware/rate-limiter.ts +23 -17
package/src/runtime/middleware/request-logger.ts +4 -4
package/src/runtime/middleware/twilio-validation.ts +29 -20
package/src/runtime/migrations/migration-transport.ts +575 -0
package/src/runtime/migrations/migration-wizard.ts +715 -0
package/src/runtime/migrations/rebind-secrets-screen.ts +351 -0
package/src/runtime/migrations/transfer-progress-screen.ts +321 -0
package/src/runtime/migrations/validation-results-screen.ts +467 -0
package/src/runtime/migrations/vbundle-builder.ts +295 -0
package/src/runtime/migrations/vbundle-import-analyzer.ts +212 -0
package/src/runtime/migrations/vbundle-importer.ts +339 -0
package/src/runtime/migrations/vbundle-validator.ts +356 -0
package/src/runtime/nl-approval-parser.ts +138 -0
package/src/runtime/pending-interactions.ts +16 -7
package/src/runtime/routes/access-request-decision.ts +73 -52
package/src/runtime/routes/app-routes.ts +56 -38
package/src/runtime/routes/approval-routes.ts +144 -92
package/src/runtime/routes/approval-strategies/guardian-callback-strategy.ts +930 -0
package/src/runtime/routes/approval-strategies/guardian-legacy-fallback-strategy.ts +82 -0
package/src/runtime/routes/approval-strategies/guardian-text-engine-strategy.ts +151 -0
package/src/runtime/routes/attachment-routes.ts +59 -48
package/src/runtime/routes/brain-graph-routes.ts +85 -69
package/src/runtime/routes/call-routes.ts +79 -38
package/src/runtime/routes/canonical-guardian-expiry-sweep.ts +10 -10
package/src/runtime/routes/channel-delivery-routes.ts +19 -14
package/src/runtime/routes/channel-guardian-routes.ts +3 -3
package/src/runtime/routes/channel-inbound-routes.ts +2 -2
package/src/runtime/routes/channel-readiness-routes.ts +12 -6
package/src/runtime/routes/channel-route-shared.ts +67 -25
package/src/runtime/routes/channel-routes.ts +4 -6
package/src/runtime/routes/contact-routes.ts +374 -17
package/src/runtime/routes/conversation-attention-routes.ts +57 -28
package/src/runtime/routes/conversation-routes.ts +321 -174
package/src/runtime/routes/debug-routes.ts +14 -10
package/src/runtime/routes/events-routes.ts +90 -57
package/src/runtime/routes/global-search-routes.ts +266 -0
package/src/runtime/routes/guardian-action-routes.ts +112 -113
package/src/runtime/routes/guardian-approval-interception.ts +325 -874
package/src/runtime/routes/guardian-approval-prompt.ts +40 -24
package/src/runtime/routes/guardian-approval-reply-helpers.ts +135 -0
package/src/runtime/routes/guardian-bootstrap-routes.ts +55 -36
package/src/runtime/routes/guardian-expiry-sweep.ts +63 -37
package/src/runtime/routes/guardian-refresh-routes.ts +40 -19
package/src/runtime/routes/identity-routes.ts +71 -42
package/src/runtime/routes/inbound-conversation.ts +17 -11
package/src/runtime/routes/inbound-message-handler.ts +305 -1459
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +880 -0
package/src/runtime/routes/inbound-stages/background-dispatch.ts +600 -0
package/src/runtime/routes/inbound-stages/bootstrap-intercept.ts +214 -0
package/src/runtime/routes/inbound-stages/edit-intercept.ts +116 -0
package/src/runtime/routes/inbound-stages/escalation-intercept.ts +167 -0
package/src/runtime/routes/inbound-stages/guardian-reply-intercept.ts +185 -0
package/src/runtime/routes/inbound-stages/secret-ingress-check.ts +132 -0
package/src/runtime/routes/inbound-stages/verification-intercept.ts +340 -0
package/src/runtime/routes/integration-routes.ts +60 -21
package/src/runtime/routes/invite-routes.ts +140 -0
package/src/runtime/routes/migration-routes.ts +434 -0
package/src/runtime/routes/pairing-routes.ts +157 -79
package/src/runtime/routes/secret-routes.ts +6 -2
package/src/runtime/routes/twilio-routes.ts +443 -249
package/src/runtime/slack-block-formatting.ts +176 -0
package/src/runtime/tool-grant-request-helper.ts +36 -27
package/src/runtime/{guardian-context-resolver.ts → trust-context-resolver.ts} +29 -41
package/src/schedule/integration-status.ts +44 -9
package/src/schedule/recurrence-engine.ts +47 -24
package/src/schedule/recurrence-types.ts +12 -7
package/src/schedule/schedule-store.ts +166 -83
package/src/schedule/scheduler.ts +37 -24
package/src/security/encrypted-store.ts +68 -38
package/src/security/keychain.ts +183 -120
package/src/security/oauth-callback-registry.ts +3 -3
package/src/security/oauth2.ts +226 -138
package/src/security/redaction.ts +24 -24
package/src/security/secret-allowlist.ts +46 -21
package/src/security/secret-ingress.ts +15 -7
package/src/security/secret-scanner.ts +193 -104
package/src/security/secure-keys.ts +9 -3
package/src/security/token-manager.ts +99 -40
package/src/security/tool-approval-digest.ts +3 -3
package/src/sequence/analytics.ts +52 -27
package/src/sequence/engine.ts +135 -72
package/src/sequence/guardrails.ts +32 -20
package/src/sequence/importer.ts +75 -37
package/src/sequence/reply-matcher.ts +36 -18
package/src/sequence/store.ts +137 -75
package/src/sequence/types.ts +30 -16
package/src/services/published-app-updater.ts +26 -16
package/src/services/vercel-deploy.ts +19 -15
package/src/skills/active-skill-tools.ts +3 -3
package/src/skills/clawhub.ts +178 -90
package/src/skills/include-graph.ts +24 -17
package/src/skills/managed-store.ts +89 -42
package/src/skills/path-classifier.ts +10 -10
package/src/skills/remote-skill-policy.ts +31 -22
package/src/skills/slash-commands.ts +36 -30
package/src/skills/tool-manifest.ts +60 -31
package/src/skills/version-hash.ts +25 -15
package/src/slack/slack-webhook.ts +19 -15
package/src/subagent/index.ts +4 -8
package/src/subagent/manager.ts +119 -69
package/src/subagent/types.ts +9 -12
package/src/swarm/backend-claude-code.ts +124 -45
package/src/swarm/checkpoint.ts +36 -16
package/src/swarm/graph-utils.ts +1 -3
package/src/swarm/index.ts +38 -19
package/src/swarm/limits.ts +13 -4
package/src/swarm/orchestrator.ts +108 -57
package/src/swarm/plan-validator.ts +23 -17
package/src/swarm/router-planner.ts +51 -22
package/src/swarm/router-prompts.ts +4 -1
package/src/swarm/synthesizer.ts +26 -18
package/src/swarm/types.ts +14 -4
package/src/swarm/worker-backend.ts +36 -26
package/src/swarm/worker-prompts.ts +13 -9
package/src/swarm/worker-runner.ts +40 -34
package/src/tasks/candidate-store.ts +14 -6
package/src/tasks/ephemeral-permissions.ts +9 -5
package/src/tasks/task-compiler.ts +41 -38
package/src/tasks/task-runner.ts +54 -26
package/src/tasks/task-scheduler.ts +1 -1
package/src/tasks/task-store.ts +20 -7
package/src/tasks/tool-sanitizer.ts +3 -3
package/src/tools/apps/definitions.ts +23 -15
package/src/tools/apps/executors.ts +122 -40
package/src/tools/apps/open-proxy.ts +5 -5
package/src/tools/apps/registry.ts +2 -2
package/src/tools/assets/materialize.ts +59 -41
package/src/tools/assets/search.ts +86 -48
package/src/tools/browser/api-map.ts +52 -36
package/src/tools/browser/auth-cache.ts +21 -18
package/src/tools/browser/auth-detector.ts +43 -28
package/src/tools/browser/auto-navigate.ts +149 -68
package/src/tools/browser/browser-execution.ts +9 -3
package/src/tools/browser/headless-browser.ts +287 -150
package/src/tools/browser/jit-auth.ts +37 -21
package/src/tools/browser/network-recorder.ts +138 -56
package/src/tools/browser/recording-store.ts +22 -15
package/src/tools/browser/runtime-check.ts +8 -5
package/src/tools/browser/x-auto-navigate.ts +88 -47
package/src/tools/calls/call-end.ts +10 -7
package/src/tools/calls/call-start.ts +30 -20
package/src/tools/calls/call-status.ts +8 -5
package/src/tools/claude-code/claude-code.ts +301 -165
package/src/tools/computer-use/definitions.ts +175 -130
package/src/tools/computer-use/registry.ts +2 -2
package/src/tools/computer-use/request-computer-control.ts +21 -13
package/src/tools/computer-use/skill-proxy-bridge.ts +1 -1
package/src/tools/credentials/account-registry.ts +52 -35
package/src/tools/credentials/broker-types.ts +1 -1
package/src/tools/credentials/broker.ts +97 -55
package/src/tools/credentials/domain-policy.ts +5 -2
package/src/tools/credentials/host-pattern-match.ts +15 -8
package/src/tools/credentials/metadata-store.ts +93 -43
package/src/tools/credentials/policy-types.ts +5 -2
package/src/tools/credentials/policy-validate.ts +21 -14
package/src/tools/credentials/post-connect-hooks.ts +18 -7
package/src/tools/credentials/resolve.ts +11 -10
package/src/tools/credentials/selection.ts +30 -25
package/src/tools/credentials/tool-policy.ts +5 -2
package/src/tools/credentials/vault.ts +538 -185
package/src/tools/document/document-tool.ts +23 -17
package/src/tools/document/editor-template.ts +12 -7
package/src/tools/execution-target.ts +13 -10
package/src/tools/execution-timeout.ts +6 -5
package/src/tools/executor.ts +141 -74
package/src/tools/filesystem/edit.ts +82 -45
package/src/tools/filesystem/fuzzy-match.ts +70 -32
package/src/tools/filesystem/read.ts +46 -28
package/src/tools/filesystem/view-image.ts +86 -42
package/src/tools/filesystem/write.ts +53 -32
package/src/tools/followups/followup_create.ts +43 -17
package/src/tools/followups/followup_list.ts +28 -13
package/src/tools/followups/followup_resolve.ts +9 -6
package/src/tools/guardian-control-plane-policy.ts +15 -14
package/src/tools/host-filesystem/edit.ts +77 -42
package/src/tools/host-filesystem/read.ts +52 -33
package/src/tools/host-filesystem/write.ts +50 -29
package/src/tools/host-terminal/host-shell.ts +97 -61
package/src/tools/mcp/mcp-tool-factory.ts +21 -14
package/src/tools/memory/definitions.ts +60 -28
package/src/tools/memory/handlers.ts +149 -77
package/src/tools/memory/register.ts +39 -16
package/src/tools/network/__tests__/web-search.test.ts +236 -177
package/src/tools/network/domain-normalize.ts +13 -9
package/src/tools/network/script-proxy/__tests__/logging.test.ts +193 -123
package/src/tools/network/script-proxy/__tests__/policy.test.ts +225 -127
package/src/tools/network/script-proxy/index.ts +1 -17
package/src/tools/network/script-proxy/session-manager.ts +178 -86
package/src/tools/network/url-safety.ts +56 -34
package/src/tools/network/web-fetch.ts +273 -155
package/src/tools/network/web-search.ts +166 -81
package/src/tools/permission-checker.ts +24 -25
package/src/tools/policy-context.ts +8 -5
package/src/tools/registry.ts +73 -46
package/src/tools/reminder/reminder-store.ts +65 -44
package/src/tools/reminder/reminder.ts +76 -35
package/src/tools/schedule/create.ts +44 -21
package/src/tools/schedule/delete.ts +8 -5
package/src/tools/schedule/list.ts +39 -19
package/src/tools/schedule/update.ts +49 -26
package/src/tools/secret-detection-handler.ts +130 -49
package/src/tools/sensitive-output-placeholders.ts +15 -8
package/src/tools/shared/filesystem/edit-engine.ts +45 -14
package/src/tools/shared/filesystem/errors.ts +18 -18
package/src/tools/shared/filesystem/file-ops-service.ts +59 -32
package/src/tools/shared/filesystem/format-diff.ts +21 -11
package/src/tools/shared/filesystem/path-policy.ts +17 -13
package/src/tools/shared/filesystem/size-guard.ts +8 -4
package/src/tools/shared/filesystem/types.ts +2 -2
package/src/tools/shared/shell-output.ts +4 -3
package/src/tools/side-effects.ts +36 -28
package/src/tools/skills/delete-managed.ts +30 -17
package/src/tools/skills/load.ts +88 -46
package/src/tools/skills/sandbox-runner.ts +62 -46
package/src/tools/skills/scaffold-managed.ts +98 -48
package/src/tools/skills/script-contract.ts +5 -2
package/src/tools/skills/skill-script-runner.ts +29 -13
package/src/tools/skills/skill-tool-factory.ts +20 -10
package/src/tools/subagent/abort.ts +10 -4
package/src/tools/subagent/message.ts +14 -8
package/src/tools/subagent/read.ts +20 -11
package/src/tools/subagent/spawn.ts +14 -6
package/src/tools/subagent/status.ts +7 -4
package/src/tools/swarm/delegate.ts +75 -49
package/src/tools/system/avatar-generator.ts +46 -33
package/src/tools/system/navigate-settings.ts +29 -19
package/src/tools/system/open-system-settings.ts +30 -20
package/src/tools/system/request-permission.ts +59 -44
package/src/tools/system/version.ts +27 -16
package/src/tools/system/voice-config.ts +116 -53
package/src/tools/tasks/index.ts +8 -8
package/src/tools/tasks/task-delete.ts +61 -22
package/src/tools/tasks/task-list.ts +23 -11
package/src/tools/tasks/task-run.ts +41 -16
package/src/tools/tasks/task-save.ts +27 -10
package/src/tools/tasks/work-item-enqueue.ts +114 -48
package/src/tools/tasks/work-item-list.ts +20 -10
package/src/tools/tasks/work-item-remove.ts +49 -15
package/src/tools/tasks/work-item-run.ts +34 -13
package/src/tools/tasks/work-item-update.ts +84 -31
package/src/tools/terminal/backends/native.ts +64 -35
package/src/tools/terminal/backends/types.ts +6 -2
package/src/tools/terminal/parser.ts +200 -125
package/src/tools/terminal/safe-env.ts +27 -21
package/src/tools/terminal/sandbox-diagnostics.ts +31 -13
package/src/tools/terminal/sandbox.ts +10 -6
package/src/tools/terminal/shell.ts +134 -68
package/src/tools/tool-approval-handler.ts +239 -140
package/src/tools/types.ts +79 -22
package/src/tools/ui-surface/definitions.ts +124 -89
package/src/tools/ui-surface/registry.ts +2 -2
package/src/tools/watch/screen-watch.ts +50 -32
package/src/tools/watch/watch-state.ts +41 -15
package/src/tools/watcher/create.ts +37 -15
package/src/tools/watcher/delete.ts +9 -6
package/src/tools/watcher/digest.ts +10 -6
package/src/tools/watcher/list.ts +37 -14
package/src/tools/watcher/update.ts +33 -18
package/src/tools/weather/service.ts +331 -174
package/src/twitter/client.ts +261 -138
package/src/twitter/oauth-client.ts +17 -13
package/src/twitter/router.ts +51 -23
package/src/twitter/session.ts +27 -18
package/src/types/qrcode.d.ts +6 -3
package/src/usage/actors.ts +16 -16
package/src/usage/types.ts +3 -3
package/src/util/bundled-asset.ts +10 -6
package/src/util/canonicalize-identity.ts +11 -4
package/src/util/clipboard.ts +7 -7
package/src/util/content-id.ts +3 -3
package/src/util/debounce.ts +3 -2
package/src/util/diff.ts +55 -33
package/src/util/errors.ts +31 -27
package/src/util/fs.ts +8 -2
package/src/util/log-redact.ts +12 -12
package/src/util/logger.ts +112 -51
package/src/util/network-info.ts +13 -5
package/src/util/object.ts +4 -2
package/src/util/phone.ts +4 -4
package/src/util/platform.ts +80 -58
package/src/util/pricing.ts +49 -31
package/src/util/retry.ts +39 -7
package/src/util/row-mapper.ts +7 -4
package/src/util/silently.ts +7 -4
package/src/util/spawn.ts +48 -0
package/src/util/spinner.ts +9 -7
package/src/util/time.ts +16 -3
package/src/util/truncate.ts +1 -1
package/src/util/voice-code.ts +6 -4
package/src/util/xml.ts +5 -1
package/src/version.ts +12 -8
package/src/watcher/engine.ts +71 -44
package/src/watcher/provider-registry.ts +1 -1
package/src/watcher/providers/github.ts +40 -23
package/src/watcher/providers/gmail.ts +59 -38
package/src/watcher/providers/google-calendar.ts +62 -48
package/src/watcher/providers/linear.ts +219 -150
package/src/watcher/providers/slack.ts +125 -29
package/src/watcher/watcher-store.ts +75 -55
package/src/work-items/work-item-runner.ts +62 -29
package/src/work-items/work-item-store.ts +137 -47
package/src/workspace/commit-message-enrichment-service.ts +65 -25
package/src/workspace/commit-message-provider.ts +14 -12
package/src/workspace/git-service.ts +355 -239
package/src/workspace/heartbeat-service.ts +74 -37
package/src/workspace/provider-commit-message-generator.ts +95 -70
package/src/workspace/top-level-renderer.ts +10 -8
package/src/workspace/top-level-scanner.ts +9 -3
package/src/workspace/turn-commit.ts +63 -36
package/src/__tests__/ingress-member-store.test.ts +0 -294
package/src/__tests__/script-proxy-router.test.ts +0 -215
package/src/config/bundled-skills/trusted-contacts/SKILL.md +0 -372
package/src/memory/guardian-bindings.ts +0 -158
package/src/memory/ingress-member-store.ts +0 -352
package/src/runtime/routes/ingress-routes.ts +0 -229
package/src/tools/network/script-proxy/__tests__/router.test.ts +0 -77
package/src/tools/network/script-proxy/certs.ts +0 -7
package/src/tools/network/script-proxy/connect-tunnel.ts +0 -1
package/src/tools/network/script-proxy/http-forwarder.ts +0 -2
package/src/tools/network/script-proxy/logging.ts +0 -12
package/src/tools/network/script-proxy/mitm-handler.ts +0 -2
package/src/tools/network/script-proxy/policy.ts +0 -4
package/src/tools/network/script-proxy/router.ts +0 -2
package/src/tools/network/script-proxy/server.ts +0 -5
package/src/tools/network/script-proxy/types.ts +0 -19

package/src/bundler/app-bundler.ts CHANGED Viewed

@@ -5,26 +5,26 @@
  * zip archive written to a temp file.
  */
-import { createHash,randomUUID } from 'node:crypto';
-import { createWriteStream } from 'node:fs';
-import { readFile, stat,writeFile } from 'node:fs/promises';
-import { tmpdir } from 'node:os';
-import { extname,join } from 'node:path';
-import archiver from 'archiver';
-import JSZip from 'jszip';
-import { getApp } from '../memory/app-store.js';
-import { computeContentId } from '../util/content-id.js';
-import { getLogger } from '../util/logger.js';
-import type { SigningCallback } from './bundle-signer.js';
-import { signBundle } from './bundle-signer.js';
-import type { AppManifest } from './manifest.js';
-import { serializeManifest } from './manifest.js';
-const bundlerLog = getLogger('app-bundler');
-import { APP_VERSION } from '../version.js';
+import { createHash, randomUUID } from "node:crypto";
+import { createWriteStream } from "node:fs";
+import { readFile, stat, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { extname, join } from "node:path";
+import archiver from "archiver";
+import JSZip from "jszip";
+import { getApp } from "../memory/app-store.js";
+import { computeContentId } from "../util/content-id.js";
+import { getLogger } from "../util/logger.js";
+import type { SigningCallback } from "./bundle-signer.js";
+import { signBundle } from "./bundle-signer.js";
+import type { AppManifest } from "./manifest.js";
+import { serializeManifest } from "./manifest.js";
+const bundlerLog = getLogger("app-bundler");
+import { APP_VERSION } from "../version.js";
 const PACKAGE_VERSION = APP_VERSION;
 const SHORT_HASH_LENGTH = 8;
@@ -56,10 +56,11 @@ export function extractRemoteUrls(html: string): string[] {
   // Match href="..." on any element except navigation/resolution tags (not assets).
   // Captures the tag name and href value so we can skip them.
-  const hrefRe = /<(\w+)\b[^>]*?\bhref\s*=\s*(?:"([^"]*?)"|'([^']*?)'|([^\s>]+))[^>]*?\/?>/gi;
+  const hrefRe =
+    /<(\w+)\b[^>]*?\bhref\s*=\s*(?:"([^"]*?)"|'([^']*?)'|([^\s>]+))[^>]*?\/?>/gi;
   while ((m = hrefRe.exec(html)) != null) {
     const tagName = m[1];
-    if (['a', 'base', 'area'].includes(tagName.toLowerCase())) continue;
+    if (["a", "base", "area"].includes(tagName.toLowerCase())) continue;
     const url = m[2] ?? m[3] ?? m[4];
     if (url && /^https?:\/\//i.test(url)) {
       urls.add(url);
@@ -83,8 +84,11 @@ export function extractRemoteUrls(html: string): string[] {
  * Uses a hash of the URL to avoid collisions, preserving the original extension.
  */
 function assetFilename(url: string): string {
-  const hash = createHash('sha256').update(url).digest('hex').slice(0, HASH_DISPLAY_LENGTH);
-  let ext = '';
+  const hash = createHash("sha256")
+    .update(url)
+    .digest("hex")
+    .slice(0, HASH_DISPLAY_LENGTH);
+  let ext = "";
   try {
     const parsed = new URL(url);
     ext = extname(parsed.pathname);
@@ -93,7 +97,7 @@ function assetFilename(url: string): string {
   }
   // Fallback: if no extension or it's too long/weird, drop it
   if (!ext || ext.length > 10 || !/^\.\w+$/.test(ext)) {
-    ext = '';
+    ext = "";
   }
   return `${hash}${ext}`;
 }
@@ -119,12 +123,18 @@ export async function materializeAssets(
     urls.map(async (url) => {
       try {
         const controller = new AbortController();
-        const timeout = setTimeout(() => controller.abort(), ASSET_FETCH_TIMEOUT_MS);
+        const timeout = setTimeout(
+          () => controller.abort(),
+          ASSET_FETCH_TIMEOUT_MS,
+        );
         let buf: Buffer;
         try {
           const resp = await fetch(url, { signal: controller.signal });
           if (!resp.ok) {
-            bundlerLog.warn({ url, status: resp.status }, 'Failed to fetch asset, keeping original URL');
+            bundlerLog.warn(
+              { url, status: resp.status },
+              "Failed to fetch asset, keeping original URL",
+            );
             return;
           }
           buf = Buffer.from(await resp.arrayBuffer());
@@ -136,7 +146,10 @@ export async function materializeAssets(
         assets.push({ archivePath, data: buf });
         urlMap.set(url, archivePath);
       } catch (err) {
-        bundlerLog.warn({ url, err }, 'Failed to fetch asset, keeping original URL');
+        bundlerLog.warn(
+          { url, err },
+          "Failed to fetch asset, keeping original URL",
+        );
       }
     }),
   );
@@ -144,12 +157,14 @@ export async function materializeAssets(
   // Rewrite URLs in HTML — replace each occurrence of the original URL with the local path.
   // Sort by length descending so longer URLs are replaced first, preventing prefix collisions
   // (e.g. "https://cdn/x" replacing part of "https://cdn/x/y.png").
-  const sortedEntries = [...urlMap.entries()].sort((a, b) => b[0].length - a[0].length);
+  const sortedEntries = [...urlMap.entries()].sort(
+    (a, b) => b[0].length - a[0].length,
+  );
   let rewrittenHtml = html;
   for (const [originalUrl, localPath] of sortedEntries) {
     // Escape regex special chars in the URL
-    const escaped = originalUrl.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-    rewrittenHtml = rewrittenHtml.replace(new RegExp(escaped, 'g'), localPath);
+    const escaped = originalUrl.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    rewrittenHtml = rewrittenHtml.replace(new RegExp(escaped, "g"), localPath);
   }
   return { rewrittenHtml, assets };
@@ -180,7 +195,7 @@ export async function packageApp(
   // Build manifest
   const createdBy = `vellum-assistant/${PACKAGE_VERSION}`;
-  const version = app.version ?? '1.0.0';
+  const version = app.version ?? "1.0.0";
   const contentId = computeContentId(app.name);
   const manifest: AppManifest = {
@@ -191,14 +206,16 @@ export async function packageApp(
     ...(app.preview ? { preview: app.preview } : {}),
     created_at: new Date().toISOString(),
     created_by: createdBy,
-    entry: 'index.html',
+    entry: "index.html",
     capabilities: [],
     version,
     content_id: contentId,
   };
   // Fetch remote assets and rewrite HTML to reference local copies
-  const { rewrittenHtml, assets: fetchedAssets } = await materializeAssets(app.htmlDefinition);
+  const { rewrittenHtml, assets: fetchedAssets } = await materializeAssets(
+    app.htmlDefinition,
+  );
   // Also materialize assets in additional pages
   const rewrittenPages: Record<string, string> = {};
@@ -219,19 +236,22 @@ export async function packageApp(
   const allAssets = [...allAssetsMap.values()];
   // Create the zip archive
-  const bundleFilename = `${app.name.replace(/[^a-zA-Z0-9_-]/g, '_')}-${randomUUID().slice(0, SHORT_HASH_LENGTH)}.vellumapp`;
+  const bundleFilename = `${app.name.replace(
+    /[^a-zA-Z0-9_-]/g,
+    "_",
+  )}-${randomUUID().slice(0, SHORT_HASH_LENGTH)}.vellumapp`;
   const bundlePath = join(tmpdir(), bundleFilename);
   await new Promise<void>((resolve, reject) => {
     const output = createWriteStream(bundlePath);
-    const archive = archiver('zip', { zlib: { level: 9 } });
+    const archive = archiver("zip", { zlib: { level: 9 } });
-    output.on('close', () => resolve());
-    output.on('error', (err: Error) => reject(err));
-    archive.on('error', (err: Error) => reject(err));
-    archive.on('warning', (err: Error) => {
+    output.on("close", () => resolve());
+    output.on("error", (err: Error) => reject(err));
+    archive.on("error", (err: Error) => reject(err));
+    archive.on("warning", (err: Error) => {
       // Only reject on fatal warnings
-      if ((err as NodeJS.ErrnoException).code !== 'ENOENT') {
+      if ((err as NodeJS.ErrnoException).code !== "ENOENT") {
         reject(err);
       }
     });
@@ -239,10 +259,10 @@ export async function packageApp(
     archive.pipe(output);
     // Add manifest.json at root level
-    archive.append(serializeManifest(manifest), { name: 'manifest.json' });
+    archive.append(serializeManifest(manifest), { name: "manifest.json" });
     // Add index.html at root level
-    archive.append(rewrittenHtml, { name: 'index.html' });
+    archive.append(rewrittenHtml, { name: "index.html" });
     // Add additional pages alongside index.html (with rewritten asset URLs)
     if (app.pages) {
@@ -268,17 +288,20 @@ export async function packageApp(
       // Re-open the zip and add signature.json
       const zipBuffer = await readFile(bundlePath);
       const zip = await JSZip.loadAsync(zipBuffer);
-      zip.file('signature.json', JSON.stringify(signatureJson, null, 2));
+      zip.file("signature.json", JSON.stringify(signatureJson, null, 2));
       const signedBuffer = await zip.generateAsync({
-        type: 'nodebuffer',
-        compression: 'DEFLATE',
+        type: "nodebuffer",
+        compression: "DEFLATE",
         compressionOptions: { level: 9 },
       });
       await writeFile(bundlePath, signedBuffer);
-      bundlerLog.info({ appId }, 'Bundle signed successfully');
+      bundlerLog.info({ appId }, "Bundle signed successfully");
     } catch (err) {
-      bundlerLog.warn({ err, appId }, 'Failed to sign bundle, proceeding unsigned');
+      bundlerLog.warn(
+        { err, appId },
+        "Failed to sign bundle, proceeding unsigned",
+      );
     }
   }
@@ -286,10 +309,12 @@ export async function packageApp(
   const stats = await stat(bundlePath);
   if (stats.size > MAX_BUNDLE_SIZE_BYTES) {
     // Clean up the oversized file
-    const { unlink } = await import('node:fs/promises');
+    const { unlink } = await import("node:fs/promises");
     await unlink(bundlePath);
     throw new Error(
-      `Bundle size ${(stats.size / 1024 / 1024).toFixed(1)} MB exceeds the maximum allowed size of 25 MB`,
+      `Bundle size ${(stats.size / 1024 / 1024).toFixed(
+        1,
+      )} MB exceeds the maximum allowed size of 25 MB`,
     );
   }

package/src/bundler/bundle-scanner.ts CHANGED Viewed

@@ -52,16 +52,17 @@ const REQUIRED_MANIFEST_FIELDS = [
 ] as const;
 // Magic byte signatures for image validation
-const IMAGE_SIGNATURES: Record<string, { bytes: number[]; offset?: number }[]> = {
-  ".png": [{ bytes: [0x89, 0x50, 0x4e, 0x47] }], // \x89PNG
-  ".jpg": [{ bytes: [0xff, 0xd8, 0xff] }],
-  ".jpeg": [{ bytes: [0xff, 0xd8, 0xff] }],
-  ".gif": [{ bytes: [0x47, 0x49, 0x46, 0x38] }], // GIF8
-  ".webp": [
-    { bytes: [0x52, 0x49, 0x46, 0x46] }, // RIFF at offset 0
-    // bytes 8-11 should be WEBP — checked separately
-  ],
-};
+const IMAGE_SIGNATURES: Record<string, { bytes: number[]; offset?: number }[]> =
+  {
+    ".png": [{ bytes: [0x89, 0x50, 0x4e, 0x47] }], // \x89PNG
+    ".jpg": [{ bytes: [0xff, 0xd8, 0xff] }],
+    ".jpeg": [{ bytes: [0xff, 0xd8, 0xff] }],
+    ".gif": [{ bytes: [0x47, 0x49, 0x46, 0x38] }], // GIF8
+    ".webp": [
+      { bytes: [0x52, 0x49, 0x46, 0x46] }, // RIFF at offset 0
+      // bytes 8-11 should be WEBP — checked separately
+    ],
+  };
 // ---------------------------------------------------------------------------
 // Main entry point
@@ -85,11 +86,17 @@ export async function scanBundle(zipPath: string): Promise<ScanResult> {
   }
   // Run all scan phases
-  const manifest = await scanArchiveStructure(zip, fileData.byteLength, findings);
+  const manifest = await scanArchiveStructure(
+    zip,
+    fileData.byteLength,
+    findings,
+  );
   if (manifest) {
     await scanHtmlEntry(zip, manifest.entry as string, findings);
   }
-  const entryName = manifest ? (manifest.entry as string | undefined) : undefined;
+  const entryName = manifest
+    ? (manifest.entry as string | undefined)
+    : undefined;
   await scanAssets(zip, findings, entryName);
   const passed = !findings.some((f) => f.level === "block");
@@ -151,23 +158,36 @@ async function scanArchiveStructure(
     const data = await entry.async("uint8array");
     totalDecompressed += data.byteLength;
     if (totalDecompressed > MAX_DECOMPRESSED_SIZE) break;
-    if (compressedSize > 0 && totalDecompressed / compressedSize > MAX_COMPRESSION_RATIO) break;
+    if (
+      compressedSize > 0 &&
+      totalDecompressed / compressedSize > MAX_COMPRESSION_RATIO
+    )
+      break;
   }
   if (totalDecompressed > MAX_DECOMPRESSED_SIZE) {
     findings.push({
       category: "archive",
       code: "too_large",
-      message: `Total decompressed size ${(totalDecompressed / 1024 / 1024).toFixed(1)} MB exceeds ${MAX_DECOMPRESSED_SIZE / 1024 / 1024} MB limit`,
+      message: `Total decompressed size ${(
+        totalDecompressed /
+        1024 /
+        1024
+      ).toFixed(1)} MB exceeds ${MAX_DECOMPRESSED_SIZE / 1024 / 1024} MB limit`,
       level: "block",
     });
   }
-  if (compressedSize > 0 && totalDecompressed / compressedSize > MAX_COMPRESSION_RATIO) {
+  if (
+    compressedSize > 0 &&
+    totalDecompressed / compressedSize > MAX_COMPRESSION_RATIO
+  ) {
     findings.push({
       category: "archive",
       code: "zip_bomb",
-      message: `Compression ratio ${(totalDecompressed / compressedSize).toFixed(0)}:1 exceeds ${MAX_COMPRESSION_RATIO}:1 limit`,
+      message: `Compression ratio ${(
+        totalDecompressed / compressedSize
+      ).toFixed(0)}:1 exceeds ${MAX_COMPRESSION_RATIO}:1 limit`,
       level: "block",
     });
   }
@@ -282,7 +302,8 @@ async function scanHtmlEntry(
   }
   // <meta http-equiv="refresh"> with external URL
-  const metaRefreshRe = /<meta[^>]+http-equiv\s*=\s*["']refresh["'][^>]+content\s*=\s*["'][^"']*url\s*=\s*([^"'\s;]+)/gi;
+  const metaRefreshRe =
+    /<meta[^>]+http-equiv\s*=\s*["']refresh["'][^>]+content\s*=\s*["'][^"']*url\s*=\s*([^"'\s;]+)/gi;
   for (const m of html.matchAll(metaRefreshRe)) {
     if (isExternalUrl(m[1])) {
       findings.push({
@@ -309,7 +330,8 @@ async function scanHtmlEntry(
     findings.push({
       category: "html",
       code: "formaction_external",
-      message: "formaction attribute with external URL bypasses form restrictions",
+      message:
+        "formaction attribute with external URL bypasses form restrictions",
       level: "block",
     });
   }
@@ -317,43 +339,88 @@ async function scanHtmlEntry(
   // --- Warn-level: suspicious JS patterns ---
   const warnPatterns: { pattern: RegExp; code: string; message: string }[] = [
-    { pattern: /\bfetch\s*\(/g, code: "network_fetch", message: "Uses fetch() for network requests \u2014 could send or receive data from external servers" },
-    { pattern: /\bXMLHttpRequest\b/g, code: "network_xhr", message: "Uses XMLHttpRequest for network requests \u2014 could send or receive data from external servers" },
-    { pattern: /\bnew\s+WebSocket\b/g, code: "network_websocket", message: "Uses WebSocket connections \u2014 could maintain persistent communication with a server" },
-    { pattern: /\bEventSource\b/g, code: "network_eventsource", message: "Uses server-sent events \u2014 could receive live data from a server" },
-    { pattern: /\bdocument\.cookie\b/g, code: "cookie_access", message: "Accesses browser cookies \u2014 could read or store tracking data" },
-    { pattern: /\beval\s*\(/g, code: "eval_usage", message: "Uses eval() for dynamic code execution \u2014 could run code not visible in the source" },
-    { pattern: /\bFunction\s*\(/g, code: "function_constructor", message: "Uses Function() constructor for dynamic code execution \u2014 could run code not visible in the source" },
+    {
+      pattern: /\bfetch\s*\(/g,
+      code: "network_fetch",
+      message:
+        "Uses fetch() for network requests \u2014 could send or receive data from external servers",
+    },
+    {
+      pattern: /\bXMLHttpRequest\b/g,
+      code: "network_xhr",
+      message:
+        "Uses XMLHttpRequest for network requests \u2014 could send or receive data from external servers",
+    },
+    {
+      pattern: /\bnew\s+WebSocket\b/g,
+      code: "network_websocket",
+      message:
+        "Uses WebSocket connections \u2014 could maintain persistent communication with a server",
+    },
+    {
+      pattern: /\bEventSource\b/g,
+      code: "network_eventsource",
+      message:
+        "Uses server-sent events \u2014 could receive live data from a server",
+    },
+    {
+      pattern: /\bdocument\.cookie\b/g,
+      code: "cookie_access",
+      message:
+        "Accesses browser cookies \u2014 could read or store tracking data",
+    },
+    {
+      pattern: /\beval\s*\(/g,
+      code: "eval_usage",
+      message:
+        "Uses eval() for dynamic code execution \u2014 could run code not visible in the source",
+    },
+    {
+      pattern: /\bFunction\s*\(/g,
+      code: "function_constructor",
+      message:
+        "Uses Function() constructor for dynamic code execution \u2014 could run code not visible in the source",
+    },
     {
       pattern: /\bsetTimeout\s*\(\s*["'`]/g,
       code: "settimeout_string",
-      message: "Uses setTimeout() with string for code execution \u2014 could run code not visible in the source",
+      message:
+        "Uses setTimeout() with string for code execution \u2014 could run code not visible in the source",
     },
     {
       pattern: /\bsetInterval\s*\(\s*["'`]/g,
       code: "setinterval_string",
-      message: "Uses setInterval() with string for code execution \u2014 could run code not visible in the source",
+      message:
+        "Uses setInterval() with string for code execution \u2014 could run code not visible in the source",
+    },
+    {
+      pattern: /\bwindow\.open\s*\(/g,
+      code: "window_open",
+      message: "Opens new windows \u2014 could navigate to external sites",
     },
-    { pattern: /\bwindow\.open\s*\(/g, code: "window_open", message: "Opens new windows \u2014 could navigate to external sites" },
     {
       pattern: /\bwindow\.location\s*=/g,
       code: "window_location_assign",
       message: "Redirects the page \u2014 could navigate away from the app",
     },
     {
-      pattern: /\bon(?:error|load|focus|blur|mouseover|mouseout|click|dblclick|submit|input|change|keydown|keyup|keypress)\s*=/g,
+      pattern:
+        /\bon(?:error|load|focus|blur|mouseover|mouseout|click|dblclick|submit|input|change|keydown|keyup|keypress)\s*=/g,
       code: "html_event_handler",
-      message: "Uses inline event handlers \u2014 standard for interactive apps",
+      message:
+        "Uses inline event handlers \u2014 standard for interactive apps",
     },
     {
       pattern: /@import\s+(?:url\s*\(|['"]https?:\/\/)/g,
       code: "css_import",
-      message: "Loads external stylesheet \u2014 could connect to an external server",
+      message:
+        "Loads external stylesheet \u2014 could connect to an external server",
     },
     {
       pattern: /url\s*\(\s*['"]?https?:\/\//g,
       code: "css_external_url",
-      message: "References external URL in CSS \u2014 could load resources from an external server",
+      message:
+        "References external URL in CSS \u2014 could load resources from an external server",
     },
     {
       pattern: /(?:src|href)\s*=\s*["']data:/g,
@@ -381,7 +448,9 @@ async function scanHtmlEntry(
       findings.push({
         category: "html",
         code: "obfuscated_js",
-        message: `Possible obfuscated JS: line ${i + 1} is ${(line.length / 1024).toFixed(1)} KB`,
+        message: `Possible obfuscated JS: line ${i + 1} is ${(
+          line.length / 1024
+        ).toFixed(1)} KB`,
         level: "warn",
       });
       break; // one finding is enough
@@ -389,7 +458,9 @@ async function scanHtmlEntry(
   }
   // High density of hex/unicode escapes
-  const escapeMatches = html.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|\\u\{[0-9a-fA-F]+\}/g);
+  const escapeMatches = html.match(
+    /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|\\u\{[0-9a-fA-F]+\}/g,
+  );
   if (escapeMatches && escapeMatches.length > 50) {
     findings.push({
       category: "html",
@@ -402,15 +473,27 @@ async function scanHtmlEntry(
 function isExternalUrl(url: string): boolean {
   const lower = url.toLowerCase();
-  return lower.startsWith("http://") || lower.startsWith("https://") || url.startsWith("//");
+  return (
+    lower.startsWith("http://") ||
+    lower.startsWith("https://") ||
+    url.startsWith("//")
+  );
 }
 // ---------------------------------------------------------------------------
 // Phase 3: Asset scan
 // ---------------------------------------------------------------------------
-async function scanAssets(zip: JSZip, findings: ScanFinding[], manifestEntry?: string): Promise<void> {
-  const allowedRootFiles = new Set(["index.html", "manifest.json", "signature.json"]);
+async function scanAssets(
+  zip: JSZip,
+  findings: ScanFinding[],
+  manifestEntry?: string,
+): Promise<void> {
+  const allowedRootFiles = new Set([
+    "index.html",
+    "manifest.json",
+    "signature.json",
+  ]);
   if (manifestEntry) {
     allowedRootFiles.add(manifestEntry);
   }
@@ -426,13 +509,34 @@ async function scanAssets(zip: JSZip, findings: ScanFinding[], manifestEntry?: s
     const dotParts = basename.split(".");
     if (dotParts.length > 2) {
       const suspiciousInnerExts = new Set([
-        "jpg", "jpeg", "png", "gif", "webp", "svg", "bmp", "ico",
-        "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
-        "html", "htm", "txt", "rtf", "zip", "tar", "gz",
+        "jpg",
+        "jpeg",
+        "png",
+        "gif",
+        "webp",
+        "svg",
+        "bmp",
+        "ico",
+        "pdf",
+        "doc",
+        "docx",
+        "xls",
+        "xlsx",
+        "ppt",
+        "pptx",
+        "html",
+        "htm",
+        "txt",
+        "rtf",
+        "zip",
+        "tar",
+        "gz",
       ]);
       // Check if any non-final extension segment is a known content type
       const innerParts = dotParts.slice(1, -1); // extensions between first dot and last dot
-      const hasSuspiciousInner = innerParts.some((p) => suspiciousInnerExts.has(p.toLowerCase()));
+      const hasSuspiciousInner = innerParts.some((p) =>
+        suspiciousInnerExts.has(p.toLowerCase()),
+      );
       if (hasSuspiciousInner) {
         findings.push({
           category: "asset",

package/src/bundler/bundle-signer.ts CHANGED Viewed

@@ -5,13 +5,13 @@
  * and requests an Ed25519 signature from the Swift client via IPC.
  */
-import { createHash } from 'node:crypto';
-import { readFile } from 'node:fs/promises';
+import { createHash } from "node:crypto";
+import { readFile } from "node:fs/promises";
-import JSZip from 'jszip';
+import JSZip from "jszip";
 export interface SignatureJson {
-  algorithm: 'ed25519';
+  algorithm: "ed25519";
   signer: {
     key_id: string;
     display_name: string;
@@ -35,7 +35,7 @@ export type SigningCallback = (payload: string) => Promise<{
  * Recursively sort object keys alphabetically for canonical JSON.
  */
 function sortKeysDeep(obj: unknown): unknown {
-  if (obj == null || typeof obj !== 'object') {
+  if (obj == null || typeof obj !== "object") {
     return obj;
   }
   if (Array.isArray(obj)) {
@@ -51,12 +51,14 @@ function sortKeysDeep(obj: unknown): unknown {
 /**
  * Compute SHA-256 hashes of all files in a zip archive, excluding signature.json.
  */
-async function computeContentHashes(zip: JSZip): Promise<Record<string, string>> {
+async function computeContentHashes(
+  zip: JSZip,
+): Promise<Record<string, string>> {
   const hashes: Record<string, string> = {};
   const entries: string[] = [];
   zip.forEach((relativePath, _file) => {
-    if (relativePath !== 'signature.json') {
+    if (relativePath !== "signature.json") {
       entries.push(relativePath);
     }
   });
@@ -67,8 +69,8 @@ async function computeContentHashes(zip: JSZip): Promise<Record<string, string>>
   for (const entryPath of entries) {
     const file = zip.file(entryPath);
     if (!file || file.dir) continue;
-    const content = await file.async('nodebuffer');
-    const hash = createHash('sha256').update(content).digest('hex');
+    const content = await file.async("nodebuffer");
+    const hash = createHash("sha256").update(content).digest("hex");
     hashes[entryPath] = hash;
   }
@@ -93,11 +95,11 @@ export async function signBundle(
   const contentHashes = await computeContentHashes(zip);
   // 2. Read manifest
-  const manifestFile = zip.file('manifest.json');
+  const manifestFile = zip.file("manifest.json");
   if (!manifestFile) {
-    throw new Error('Bundle is missing manifest.json');
+    throw new Error("Bundle is missing manifest.json");
   }
-  const manifestText = await manifestFile.async('text');
+  const manifestText = await manifestFile.async("text");
   const manifest = JSON.parse(manifestText) as Record<string, unknown>;
   // 3. Construct canonical signing payload with sorted keys
@@ -112,10 +114,10 @@ export async function signBundle(
   // 5. Build SignatureJson
   const signatureJson: SignatureJson = {
-    algorithm: 'ed25519',
+    algorithm: "ed25519",
     signer: {
       key_id: keyId,
-      display_name: 'Local Signer',
+      display_name: "Local Signer",
     },
     content_hashes: contentHashes,
     signature,