@vellumai/assistant 0.4.34 → 0.4.36

package/src/daemon/session-tool-setup.ts

@@ -135,6 +135,7 @@ export function createToolExecutor(
   name: string,
   input: Record<string, unknown>,
   onOutput?: (chunk: string) => void,
+  toolUseId?: string,
 ) => Promise<ToolExecutionResult> {
   // Register the session's sendToClient for browser screencast surface messages
   registerSessionSender(ctx.conversationId, (msg) => ctx.sendToClient(msg));
@@ -143,6 +144,7 @@ export function createToolExecutor(
     name: string,
     input: Record<string, unknown>,
     onOutput?: (chunk: string) => void,
+    toolUseId?: string,
   ) => {
     if (isDoordashCommand(name, input)) {
       markDoordashStepInProgress(ctx, input);
@@ -172,6 +174,7 @@ export function createToolExecutor(
       allowedToolNames: ctx.allowedToolNames,
       memoryScopeId: ctx.memoryPolicy.scopeId,
       forcePromptSideEffects: ctx.memoryPolicy.strictSideEffects,
+      toolUseId,
       onToolLifecycleEvent: handleToolLifecycleEvent,
       sendToClient: (msg) => {
         // Tool context's sendToClient uses a loose { type: string; [key: string]: unknown }
@@ -255,6 +258,10 @@ export function createToolExecutor(
           undefined,
           ctx.conversationId,
           req.executionTarget,
+          undefined,
+          undefined,
+          undefined,
+          toolUseId,
         );
         if (
           (response.decision === "always_allow" ||

package/src/daemon/session.ts

@@ -222,6 +222,13 @@ export class Session {
    * no-op for socketless sessions.
    */
   private onStateSignal?: (msg: ServerMessage) => void;
+  /** Set by the agent loop to track confirmation outcomes for persistence. */
+  onConfirmationOutcome?: (
+    requestId: string,
+    state: string,
+    toolName?: string,
+    toolUseId?: string,
+  ) => void;
 
   constructor(
     conversationId: string,
@@ -243,7 +250,7 @@ export class Session {
       : { ...DEFAULT_MEMORY_POLICY };
     this.traceEmitter = new TraceEmitter(conversationId, sendToClient);
     this.prompter = new PermissionPrompter(sendToClient);
-    this.prompter.setOnStateChanged((requestId, state, source) => {
+    this.prompter.setOnStateChanged((requestId, state, source, toolUseId) => {
       // Route through emitConfirmationStateChanged so the onStateSignal
       // listener publishes to the SSE hub for HTTP/SSE consumers.
       this.emitConfirmationStateChanged({
@@ -251,7 +258,11 @@ export class Session {
         requestId,
         state,
         source,
+        toolUseId,
       });
+      // Notify the agent loop so it can track requestId → toolUseId mappings
+      // and record confirmation outcomes for persistence.
+      this.onConfirmationOutcome?.(requestId, state, undefined, toolUseId);
       // Emit activity state transitions for confirmation lifecycle
       if (state === "pending") {
         this.emitActivityState(
@@ -523,6 +534,9 @@ export class Session {
       return;
     }
 
+    // Capture toolUseId before resolving (resolution deletes the pending entry)
+    const toolUseId = this.prompter.getToolUseId(requestId);
+
     this.prompter.resolveConfirmation(
       requestId,
       decision,
@@ -547,6 +561,7 @@ export class Session {
       requestId,
       state: resolvedState,
       source: emissionContext?.source ?? "button",
+      toolUseId,
       ...(emissionContext?.causedByRequestId
         ? { causedByRequestId: emissionContext.causedByRequestId }
         : {}),
@@ -554,6 +569,13 @@ export class Session {
         ? { decisionText: emissionContext.decisionText }
         : {}),
     });
+    // Notify the agent loop of the confirmation outcome for persistence
+    this.onConfirmationOutcome?.(
+      requestId,
+      resolvedState,
+      undefined,
+      toolUseId,
+    );
     this.emitActivityState(
       "thinking",
       "confirmation_resolved",

package/src/daemon/tool-side-effects.ts

@@ -9,14 +9,18 @@
 
 import { join } from "node:path";
 
+import { generateAppIcon } from "../media/app-icon-generator.js";
 import { updatePublishedAppDeployment } from "../services/published-app-updater.js";
 import type { ToolExecutionResult } from "../tools/types.js";
+import { getLogger } from "../util/logger.js";
 import { getWorkspaceDir } from "../util/platform.js";
 import { isDoordashCommand, updateDoordashProgress } from "./doordash-steps.js";
 import type { ServerMessage } from "./ipc-protocol.js";
 import { refreshSurfacesForApp } from "./session-surfaces.js";
 import type { ToolSetupContext } from "./session-tool-setup.js";
 
+const log = getLogger("tool-side-effects");
+
 // ── Types ────────────────────────────────────────────────────────────
 
 export interface SideEffectContext {
@@ -65,13 +69,36 @@ function registerHook(
 
 // Broadcast app_files_changed when a new app is created so clients
 // (e.g. macOS "Things" sidebar) refresh their app list immediately.
+// Also kicks off async icon generation via Gemini.
 registerHook(
   "app_create",
   (_name, _input, result, { ctx, broadcastToAllClients }) => {
     try {
-      const parsed = JSON.parse(result.content) as { id?: string };
+      const parsed = JSON.parse(result.content) as {
+        id?: string;
+        name?: string;
+        description?: string;
+      };
       if (parsed.id) {
         handleAppChange(ctx, parsed.id, broadcastToAllClients);
+
+        // Fire-and-forget: generate an app icon in the background.
+        // When complete, broadcast again so clients pick up the new icon.
+        if (parsed.name) {
+          void generateAppIcon(parsed.id, parsed.name, parsed.description)
+            .then(() => {
+              broadcastToAllClients?.({
+                type: "app_files_changed",
+                appId: parsed.id!,
+              });
+            })
+            .catch((err) => {
+              log.warn(
+                { err, appId: parsed.id },
+                "Background icon generation failed",
+              );
+            });
+        }
       }
     } catch {
       // Result wasn't valid JSON — skip the broadcast.
@@ -79,6 +106,17 @@ registerHook(
   },
 );
 
+// Broadcast app_files_changed when an icon is (re)generated so clients refresh.
+registerHook(
+  "app_generate_icon",
+  (_name, input, _result, { broadcastToAllClients }) => {
+    const appId = input.app_id as string | undefined;
+    if (appId) {
+      broadcastToAllClients?.({ type: "app_files_changed", appId });
+    }
+  },
+);
+
 // Auto-refresh workspace surfaces when a persisted app is updated.
 registerHook(
   "app_update",

package/src/email/service.ts

@@ -17,6 +17,7 @@ import {
   setOutboundPaused,
 } from "../cli/email-guardrails.js";
 import {
+  getNestedValue,
   loadRawConfig,
   saveRawConfig,
   setNestedValue,
@@ -74,6 +75,8 @@ export class EmailService {
   /** Force re-creation of the provider (e.g. after `provider set`). */
   resetProvider(): void {
     this.providerInstance = null;
+    this.primaryAddressResolved = false;
+    this.cachedPrimaryAddress = undefined;
   }
 
   // =========================================================================
@@ -109,6 +112,54 @@ export class EmailService {
     };
   }
 
+  // =========================================================================
+  // Primary inbox address (cached)
+  // =========================================================================
+
+  private primaryAddressResolved = false;
+  private cachedPrimaryAddress: string | undefined;
+
+  /**
+   * Return the assistant's primary inbox email address, caching the result
+   * for the lifetime of this service instance. Returns `undefined` when no
+   * inboxes are configured or the provider is unavailable.
+   */
+  async getPrimaryInboxAddress(): Promise<string | undefined> {
+    if (this.primaryAddressResolved) {
+      return this.cachedPrimaryAddress;
+    }
+    try {
+      const p = await this.provider();
+      const health = await p.health();
+      this.cachedPrimaryAddress =
+        health.inboxes.length > 0 ? health.inboxes[0].address : undefined;
+    } catch {
+      this.cachedPrimaryAddress = undefined;
+    }
+
+    // Only cache positive results from the provider so a missing inbox is
+    // retried on next call (e.g. user sets up email after initial miss).
+    if (this.cachedPrimaryAddress !== undefined) {
+      this.primaryAddressResolved = true;
+      return this.cachedPrimaryAddress;
+    }
+
+    // Fall back to the statically configured email address in workspace config
+    // when the provider can't list inboxes (e.g. provider temporarily unavailable).
+    // Intentionally NOT setting primaryAddressResolved so the provider is retried
+    // on the next call — the fallback is a best-effort stopgap, not authoritative.
+    try {
+      const raw = loadRawConfig();
+      const configured = getNestedValue(raw, "email.address");
+      if (typeof configured === "string" && configured.length > 0) {
+        return configured;
+      }
+    } catch {
+      // Config unavailable — leave as undefined
+    }
+    return undefined;
+  }
+
   // =========================================================================
   // Domain setup
   // =========================================================================
@@ -138,7 +189,10 @@ export class EmailService {
     displayName?: string,
   ): Promise<EmailInbox> {
     const p = await this.provider();
-    return p.createInbox({ username, domain, displayName });
+    const inbox = await p.createInbox({ username, domain, displayName });
+    this.primaryAddressResolved = false;
+    this.cachedPrimaryAddress = undefined;
+    return inbox;
   }
 
   async listInboxes(): Promise<EmailInbox[]> {
@@ -148,7 +202,10 @@ export class EmailService {
 
   async ensureInboxes(domain: string): Promise<EmailInbox[]> {
     const p = await this.provider();
-    return p.ensureInboxes({ domain });
+    const inboxes = await p.ensureInboxes({ domain });
+    this.primaryAddressResolved = false;
+    this.cachedPrimaryAddress = undefined;
+    return inboxes;
   }
 
   // =========================================================================

package/src/index.ts

@@ -1,63 +1,5 @@
 #!/usr/bin/env bun
 
-import { createRequire } from "node:module";
+import { buildCliProgram } from "./cli/program.js";
 
-import { Command } from "commander";
-
-const require = createRequire(import.meta.url);
-const { version } = require("../package.json") as { version: string };
-
-import { registerAmazonCommand } from "./cli/amazon.js";
-import {
-  registerConfigCommand,
-  registerKeysCommand,
-  registerMemoryCommand,
-  registerTrustCommand,
-} from "./cli/config-commands.js";
-import {
-  registerAuditCommand,
-  registerCompletionsCommand,
-  registerDefaultAction,
-  registerDevCommand,
-  registerDoctorCommand,
-  registerSessionsCommand,
-} from "./cli/core-commands.js";
-import { registerEmailCommand } from "./cli/email.js";
-import { registerInfluencerCommand } from "./cli/influencer.js";
-import {
-  registerContactsCommand,
-  registerIntegrationsCommand,
-} from "./cli/integrations.js";
-import { registerMapCommand } from "./cli/map.js";
-import { registerMcpCommand } from "./cli/mcp.js";
-import { registerSequenceCommand } from "./cli/sequence.js";
-import { registerTwitterCommand } from "./cli/twitter.js";
-import { registerHooksCommand } from "./hooks/cli.js";
-
-const program = new Command();
-
-program.name("vellum").description("Local AI assistant").version(version);
-
-registerDefaultAction(program);
-registerDevCommand(program);
-registerSessionsCommand(program);
-registerConfigCommand(program);
-registerKeysCommand(program);
-registerTrustCommand(program);
-registerMemoryCommand(program);
-registerAuditCommand(program);
-registerDoctorCommand(program);
-registerHooksCommand(program);
-registerMcpCommand(program);
-registerEmailCommand(program);
-registerIntegrationsCommand(program);
-registerContactsCommand(program);
-registerAmazonCommand(program);
-registerCompletionsCommand(program);
-
-registerTwitterCommand(program);
-registerMapCommand(program);
-registerInfluencerCommand(program);
-registerSequenceCommand(program);
-
-program.parse();
+buildCliProgram().parse();

package/src/mcp/mcp-oauth-provider.ts

@@ -101,7 +101,17 @@ export class McpOAuthProvider implements OAuthClientProvider {
   }
 
   async saveTokens(tokens: OAuthTokens): Promise<void> {
-    await setSecureKeyAsync(tokensKey(this.serverId), JSON.stringify(tokens));
+    const ok = await setSecureKeyAsync(
+      tokensKey(this.serverId),
+      JSON.stringify(tokens),
+    );
+    if (!ok) {
+      log.warn(
+        { serverId: this.serverId },
+        "Failed to persist OAuth tokens to secure storage",
+      );
+      return;
+    }
     log.info({ serverId: this.serverId }, "OAuth tokens saved");
   }
 
@@ -124,7 +134,17 @@ export class McpOAuthProvider implements OAuthClientProvider {
   async saveClientInformation(
     info: OAuthClientInformationMixed,
   ): Promise<void> {
-    await setSecureKeyAsync(clientInfoKey(this.serverId), JSON.stringify(info));
+    const ok = await setSecureKeyAsync(
+      clientInfoKey(this.serverId),
+      JSON.stringify(info),
+    );
+    if (!ok) {
+      log.warn(
+        { serverId: this.serverId },
+        "Failed to persist OAuth client information to secure storage",
+      );
+      return;
+    }
     log.info({ serverId: this.serverId }, "OAuth client information saved");
   }
 
@@ -154,7 +174,16 @@ export class McpOAuthProvider implements OAuthClientProvider {
   }
 
   async saveDiscoveryState(state: OAuthDiscoveryState): Promise<void> {
-    await setSecureKeyAsync(discoveryKey(this.serverId), JSON.stringify(state));
+    const ok = await setSecureKeyAsync(
+      discoveryKey(this.serverId),
+      JSON.stringify(state),
+    );
+    if (!ok) {
+      log.warn(
+        { serverId: this.serverId },
+        "Failed to persist OAuth discovery state to secure storage",
+      );
+    }
   }
 
   // --- Redirect to Authorization ---
@@ -214,16 +243,49 @@ export class McpOAuthProvider implements OAuthClientProvider {
     );
 
     if (scope === "all" || scope === "tokens") {
-      await deleteSecureKeyAsync(tokensKey(this.serverId));
+      const result = await deleteSecureKeyAsync(tokensKey(this.serverId));
+      if (result === "error") {
+        log.warn(
+          { serverId: this.serverId },
+          "Failed to delete OAuth tokens from secure storage",
+        );
+      } else if (result === "not-found") {
+        log.debug(
+          { serverId: this.serverId },
+          "OAuth tokens key not found in secure storage (already removed)",
+        );
+      }
     }
     if (scope === "all" || scope === "client") {
-      await deleteSecureKeyAsync(clientInfoKey(this.serverId));
+      const result = await deleteSecureKeyAsync(clientInfoKey(this.serverId));
+      if (result === "error") {
+        log.warn(
+          { serverId: this.serverId },
+          "Failed to delete OAuth client information from secure storage",
+        );
+      } else if (result === "not-found") {
+        log.debug(
+          { serverId: this.serverId },
+          "OAuth client information key not found in secure storage (already removed)",
+        );
+      }
     }
     if (scope === "all" || scope === "verifier") {
       this._codeVerifier = undefined;
     }
     if (scope === "all" || scope === "discovery") {
-      await deleteSecureKeyAsync(discoveryKey(this.serverId));
+      const result = await deleteSecureKeyAsync(discoveryKey(this.serverId));
+      if (result === "error") {
+        log.warn(
+          { serverId: this.serverId },
+          "Failed to delete OAuth discovery state from secure storage",
+        );
+      } else if (result === "not-found") {
+        log.debug(
+          { serverId: this.serverId },
+          "OAuth discovery state key not found in secure storage (already removed)",
+        );
+      }
     }
   }
 
@@ -373,12 +435,32 @@ export class McpOAuthProvider implements OAuthClientProvider {
 export async function deleteMcpOAuthCredentials(
   serverId: string,
 ): Promise<void> {
-  await Promise.all([
+  const [tokensResult, clientResult, discoveryResult] = await Promise.all([
     deleteSecureKeyAsync(tokensKey(serverId)),
     deleteSecureKeyAsync(clientInfoKey(serverId)),
     deleteSecureKeyAsync(discoveryKey(serverId)),
   ]);
-  log.info({ serverId }, "OAuth credentials deleted");
+  const results = [
+    { key: "tokens", result: tokensResult },
+    { key: "client_info", result: clientResult },
+    { key: "discovery", result: discoveryResult },
+  ];
+  const errors = results
+    .filter((r) => r.result === "error")
+    .map((r) => r.key);
+  if (errors.length > 0) {
+    log.warn(
+      { serverId, failedKeys: errors },
+      "Some OAuth credentials could not be deleted from secure storage",
+    );
+  }
+  const hasErrors = errors.length > 0;
+  log.info(
+    { serverId },
+    hasErrors
+      ? "OAuth credential deletion completed with errors"
+      : "OAuth credentials deleted",
+  );
 }
 
 // --- HTML rendering ---

package/src/media/app-icon-generator.ts

@@ -0,0 +1,86 @@
+/**
+ * Generates app icons using the Gemini image generation service.
+ *
+ * Called as an async side-effect after app creation — never blocks
+ * the main app_create flow. Icons are saved to the app's directory
+ * as `icon.png` and included in .vellum bundles.
+ */
+
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getConfig } from "../config/loader.js";
+import { getAppsDir } from "../memory/app-store.js";
+import { getLogger } from "../util/logger.js";
+import { generateImage, mapGeminiError } from "./gemini-image-service.js";
+
+const log = getLogger("app-icon-generator");
+
+/**
+ * Generate an app icon and save it to `~/.vellum/apps/{appId}/icon.png`.
+ *
+ * Uses Gemini image generation when an API key is available.
+ * Silently no-ops if no key is configured or generation fails.
+ */
+export async function generateAppIcon(
+  appId: string,
+  appName: string,
+  appDescription?: string,
+): Promise<void> {
+  const config = getConfig();
+  const apiKey = config.apiKeys.gemini ?? process.env.GEMINI_API_KEY;
+  if (!apiKey) {
+    log.debug("No Gemini API key — skipping app icon generation");
+    return;
+  }
+
+  const appDir = join(getAppsDir(), appId);
+  const iconPath = join(appDir, "icon.png");
+
+  // Don't regenerate if icon already exists
+  if (existsSync(iconPath)) {
+    return;
+  }
+
+  const descPart = appDescription ? ` Description: ${appDescription}.` : "";
+
+  const prompt =
+    `Design a beautiful, minimal app icon for "${appName}".${descPart}\n\n` +
+    "Style requirements:\n" +
+    "- Square app icon with rounded corners (like macOS/iOS app icons)\n" +
+    "- Clean, flat design with a single bold symbol or glyph in the center\n" +
+    "- Rich gradient background using 2-3 harmonious colors\n" +
+    "- The symbol should be white or very light colored for contrast\n" +
+    "- No text, no letters, no words — only a symbolic glyph\n" +
+    "- Professional quality, recognizable at small sizes (32px)\n" +
+    "- Modern aesthetic similar to Apple's design language";
+
+  try {
+    log.info({ appId, appName }, "Generating app icon via Gemini");
+
+    const result = await generateImage(apiKey, {
+      prompt,
+      mode: "generate",
+      model: config.imageGenModel,
+    });
+
+    if (result.images.length === 0) {
+      log.warn({ appId }, "Gemini returned no image for app icon");
+      return;
+    }
+
+    const image = result.images[0];
+    const pngBuffer = Buffer.from(image.dataBase64, "base64");
+
+    mkdirSync(appDir, { recursive: true });
+    writeFileSync(iconPath, pngBuffer);
+
+    log.info({ appId, iconPath }, "App icon saved");
+  } catch (error) {
+    const message = mapGeminiError(error);
+    log.warn(
+      { appId, error: message },
+      "App icon generation failed — skipping",
+    );
+  }
+}

package/src/memory/db-init.ts

@@ -36,7 +36,6 @@ import {
   migrateBackfillContactInteractionStats,
   migrateBackfillGuardianPrincipalId,
   migrateCallSessionMode,
-  migrateDropAssistantIdColumns,
   migrateCanonicalGuardianDeliveriesDestinationIndex,
   migrateCanonicalGuardianRequesterChatId,
   migrateChannelInboundDeliveredSegments,
@@ -46,7 +45,9 @@ import {
   migrateContactsNotesColumn,
   migrateContactsRolePrincipal,
   migrateConversationsThreadTypeIndex,
+  migrateDropAssistantIdColumns,
   migrateDropLegacyMemberGuardianTables,
+  migrateDropUsageCompositeIndexes,
   migrateFkCascadeRebuilds,
   migrateGuardianActionFollowup,
   migrateGuardianActionSupersession,
@@ -63,6 +64,7 @@ import {
   migrateNotificationDeliveryThreadDecision,
   migrateReminderRoutingIntent,
   migrateSchemaIndexesAndColumns,
+  migrateUsageDashboardIndexes,
   migrateVoiceInviteColumns,
   migrateVoiceInviteDisplayMetadata,
   recoverCrashedMigrations,
@@ -293,6 +295,15 @@ export function initializeDb(): void {
   // 40. Drop assistant_id columns from all 16 daemon tables
   migrateDropAssistantIdColumns(database);
 
+  // 41. Indexes on llm_usage_events for usage dashboard time-range and breakdown queries
+  migrateUsageDashboardIndexes(database);
+
+  // 42. (skipped) migrateReorderUsageDashboardIndexes — superseded by 43 which drops
+  // all composite indexes that 42 would create, so running it is wasted work.
+
+  // 43. Drop all composite usage indexes — they don't eliminate temp B-trees for GROUP BY
+  migrateDropUsageCompositeIndexes(database);
+
   validateMigrationState(database);
 
   if (process.env.BUN_TEST === "1") {