@vellumai/assistant 0.4.35 → 0.4.37

package/src/config/bundled-skills/google-oauth-setup/SKILL.md

@@ -3,7 +3,7 @@ name: "Google OAuth Setup"
 description: "Set up Google Cloud OAuth credentials for Gmail and Calendar"
 user-invocable: true
 credential-setup-for: "gmail"
-includes: ["public-ingress"]
+includes: ["public-ingress", "browser"]
 metadata: { "vellum": { "emoji": "\ud83d\udd11" } }
 ---
 
@@ -88,6 +88,7 @@ Tell the user:
 >    - `https://www.googleapis.com/auth/calendar.readonly`
 >    - `https://www.googleapis.com/auth/calendar.events`
 >    - `https://www.googleapis.com/auth/userinfo.email`
+>    - `https://www.googleapis.com/auth/contacts.readonly`
 >    - Click **Update**, then **Save and Continue**
 > 5. On the Test users page, add **your email**, click **Save and Continue**
 > 6. On the Summary page, click **Back to Dashboard**
@@ -198,7 +199,42 @@ After the user authorizes (they'll come back and say so, or you can suggest they
 
 **IMPORTANT: Always use `host_bash` (not `bash`) for all commands in this path.** The `gcloud` and `gws` CLIs need host access for Homebrew/npm installation, browser-based authentication, and interactive terminal prompts — none of which are available inside the sandbox.
 
-You will set up Google Cloud OAuth credentials using the `gcloud` and `gws` command-line tools. This avoids browser automation entirely — the user only needs to sign in once via the browser and copy-paste credentials from terminal output into secure prompts.
+You will set up Google Cloud OAuth credentials using the `gcloud` and `gws` command-line tools plus browser automation. The user signs in once via the browser, the CLI handles project setup, and the browser automates credential creation — the user only needs to copy-paste the Client Secret.
+
+## Browser Interaction Principles
+
+Google Cloud Console's UI may change over time. Do NOT memorize or depend on specific element IDs, CSS selectors, or DOM structures. Instead:
+
+1. **Screenshot first, act second.** Before every interaction, take a `browser_screenshot` to see the current visual state. Use `browser_snapshot` to find interactive elements.
+2. **Adapt to what you see.** If a button's label or position differs from what you expect, use the screenshot to find the correct element.
+3. **Verify after every action.** After clicking, typing, or navigating, take a new screenshot to confirm the action succeeded.
+4. **Never assume DOM structure.** Use the snapshot to identify what's on the page and interact accordingly.
+5. **When stuck, screenshot and describe.** If you cannot find an expected element after 2 attempts, take a screenshot, describe what you see to the user, and ask for guidance.
+
+## Anti-Loop Guardrails
+
+Each step has a **retry budget of 3 attempts**. An attempt is one try at the step's primary action (e.g., clicking a button, filling a form). If a step fails after 3 attempts:
+
+1. **Stop trying.** Do not continue retrying the same approach.
+2. **Fall back to manual.** Tell the user what you were trying to do and ask them to complete that step manually in the browser. Give them the direct URL and clear text instructions.
+3. **Resume automation** at the next step once the user confirms the manual step is done.
+
+If **two or more steps** require manual fallback, abandon the automated flow entirely and switch to giving the user the remaining steps as clear text instructions with links.
+
+## Things That Do Not Work — Do Not Attempt
+
+These actions are technically impossible in the browser automation environment:
+
+- **Downloading files.** `browser_click` on a Download button does not save files to disk. Do NOT click "Download JSON" in the OAuth client creation dialog.
+- **Reading the Client Secret from a screenshot.** The secret IS visible in the creation dialog, but you MUST NOT attempt to read it from a screenshot — it is too easy to misread characters, and the value must be exact. Always use the `credential_store prompt` approach to let the user copy-paste it accurately.
+- **Clipboard operations.** You cannot copy/paste via browser automation.
+
+## Error Handling
+
+- **Page load failures:** Retry navigation once. If it still fails, tell the user and ask them to check their internet connection.
+- **Element not found:** Take a fresh screenshot to re-assess. The GCP Console UI may have changed. Describe what you see and try alternative approaches. If stuck after 2 attempts, ask the user for guidance.
+- **OAuth client already exists with same name:** This is fine — GCP allows multiple clients with the same name. Proceed with creation.
+- **Any unexpected state:** Take a `browser_screenshot`, describe what you see, and ask the user for guidance.
 
 ## CLI Step 1: Confirm
 
@@ -210,9 +246,10 @@ Use `ui_show` with `surface_type: "confirmation"`:
   >
   > 1. **Install CLI tools** (`gcloud` and `gws`) if not already installed
   > 2. **You sign in** to your Google account once via the browser
-  > 3. **CLI automates everything** — project creation, APIs, consent screen, and credentials
-  > 4. **You copy-paste credentials** from the terminal output into secure prompts
-  > 5. **You authorize Vellum** with one click
+  > 3. **CLI automates everything** — project creation, APIs, and consent screen
+  > 4. **I create OAuth credentials** in the browser — you just watch
+  > 5. **One quick copy-paste** — you copy the Client Secret into a secure prompt
+  > 6. **You authorize Vellum** with one click
   >
   > Takes about a minute after first-time setup. Ready?
 
@@ -274,6 +311,8 @@ If the user is already authenticated (`gcloud auth list` shows an active account
 
 Tell the user: "Setting up your Google Cloud project, APIs, and credentials..."
 
+### Primary: `gws auth setup`
+
 ```bash
 gws auth setup
 ```
@@ -286,7 +325,52 @@ This command automates:
 
 Wait for the command to complete. It may have interactive prompts — let them run in the terminal and the user can respond if needed.
 
-Note the **project ID** from the output — you'll need it for the next step.
+If `gws auth setup` **succeeds**, note the **project ID** from the output and continue to **CLI Step 5**.
+
+### Fallback: `gcloud` CLI + browser automation
+
+If `gws auth setup` **fails** (common with personal Google accounts due to workspace-admin scope errors), use `gcloud` CLI and browser automation instead.
+
+**Step 4f-1: Create GCP project**
+
+Generate a unique suffix (4-6 random alphanumeric characters):
+
+```bash
+gcloud projects create vellum-assistant-SUFFIX --name="Vellum Assistant"
+```
+
+If the project already exists, use it. Note the **project ID**.
+
+**Step 4f-2: Enable APIs**
+
+```bash
+gcloud services enable gmail.googleapis.com --project=PROJECT_ID
+gcloud services enable calendar-json.googleapis.com --project=PROJECT_ID
+gcloud services enable people.googleapis.com --project=PROJECT_ID
+```
+
+**Step 4f-3: Configure OAuth consent screen via browser**
+
+Navigate to `https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_ID`.
+
+Take a screenshot and snapshot, then:
+
+1. Select **"External"** user type, click **Create**
+2. Fill in the app registration form:
+   - App name: **"Vellum Assistant"**
+   - User support email: select the authenticated email from the dropdown
+   - Developer contact email: type the same email
+   - Click **Save and Continue**
+3. On the Scopes page, click **Save and Continue** (scopes are not needed for test-mode apps)
+4. On the Test users page:
+   - Click **+ Add Users**
+   - Enter the authenticated email address
+   - Click **Add**, then **Save and Continue**
+5. On the Summary page, click **Back to Dashboard**
+
+**Verify:** Take a screenshot. The consent screen should show "Testing" publishing status.
+
+After the fallback completes, skip CLI Step 5 (APIs already enabled above) and CLI Step 5c (test user already added above) — continue directly to **CLI Step 6**.
 
 ## CLI Step 5: Enable Additional APIs
 
@@ -299,56 +383,73 @@ gcloud services enable people.googleapis.com --project=PROJECT_ID
 
 If either command reports the API is already enabled, that's fine — continue.
 
-## CLI Step 5b: Update OAuth Consent Screen Scopes
+## CLI Step 5c: Add Test User
 
-`gws auth setup` configures the consent screen with Gmail scopes only. Vellum also needs Calendar, Contacts, and userinfo scopes. Tell the user to add the missing scopes:
+`gws auth setup` does not add test users to the consent screen, and there is no CLI/API for it. Use browser automation to add the authenticated email as a test user.
 
-> **Update consent screen scopes**
->
-> Open: `https://console.cloud.google.com/apis/credentials/consent/edit?project=PROJECT_ID`
->
-> 1. Click through to the **Scopes** page (click **Save and Continue** on the first page)
-> 2. Click **Add or Remove Scopes** and ensure all of these are present:
->    - `https://www.googleapis.com/auth/gmail.readonly`
->    - `https://www.googleapis.com/auth/gmail.modify`
->    - `https://www.googleapis.com/auth/gmail.send`
->    - `https://www.googleapis.com/auth/calendar.readonly`
->    - `https://www.googleapis.com/auth/calendar.events`
->    - `https://www.googleapis.com/auth/userinfo.email`
->    - `https://www.googleapis.com/auth/contacts.readonly`
-> 3. Click **Update**, then **Save and Continue** through the remaining pages
+Navigate to `https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_ID`.
 
-(Substitute the actual project ID into the URL.)
+Take a screenshot and snapshot. Find the **Test users** section (you may need to click **Edit App** or navigate to the consent screen edit flow):
 
-The Gmail scopes may already be present from `gws auth setup` — add any that are missing.
+1. Find and click the option to add test users (e.g., **+ Add Users** button)
+2. Enter the authenticated email address (from `gcloud auth list`)
+3. Click **Add** or **Save**
 
-## CLI Step 6: Collect Credentials
+**Verify:** Take a screenshot confirming the email appears in the test users list.
 
-The `gws auth setup` output or the GCP Console shows the Client ID and Client Secret. Ask the user to copy-paste them into secure prompts.
+If the user is already listed as a test user, skip this step.
 
-**Client ID:**
+## CLI Step 6: Create OAuth Credentials via Browser
+
+**Goal:** Create a Desktop OAuth client in GCP Console and capture both credentials.
+
+Navigate to `https://console.cloud.google.com/apis/credentials?project=PROJECT_ID` (substitute the actual project ID from step 4).
+
+Take a screenshot and snapshot to check the page state:
+
+- **Sign-in page:** Tell the user: "Please sign in to your Google account in the browser." Then auto-detect sign-in completion by polling screenshots every 5-10 seconds. Once signed in, continue.
+- **Already signed in / Credentials page loaded:** Continue immediately.
+
+### Step 6a: Create the OAuth Client
+
+1. Take a screenshot and snapshot. Find and click **+ Create Credentials**, then select **OAuth client ID**.
+2. On the creation form:
+   - Application type: Select **"Desktop app"**
+   - Name: **"Vellum Assistant"**
+   - Click **Create**
+3. **Verify:** Take a screenshot. A dialog should appear showing both the **Client ID** and **Client Secret**.
+
+### Step 6b: Extract Client ID
+
+Use `browser_extract` to read the Client ID from the creation dialog. It looks like `123456789-xxxxx.apps.googleusercontent.com`.
+
+Store it immediately:
 
 ```
-credential_store prompt:
+credential_store store:
   service: "integration:gmail"
   field: "client_id"
-  label: "Google OAuth Client ID"
-  description: "Copy the Client ID from the setup output or GCP Console. It looks like 123456789-xxxxx.apps.googleusercontent.com"
-  placeholder: "xxxxx.apps.googleusercontent.com"
+  value: "<the extracted Client ID>"
 ```
 
-**Client Secret:**
+### Step 6c: Capture Client Secret via Secure Prompt
+
+The Client Secret is visible in the same dialog. Do NOT attempt to read it from the screenshot — use a secure prompt so the user copies it accurately.
+
+Tell the user: "Your OAuth credentials have been created! Please copy the **Client Secret** shown in the dialog and paste it into the secure prompt below."
 
 ```
 credential_store prompt:
   service: "integration:gmail"
   field: "client_secret"
   label: "Google OAuth Client Secret"
-  description: "Copy the Client Secret from the setup output or GCP Console. It starts with GOCSPX-"
+  description: "Copy the Client Secret from the dialog on screen. It starts with GOCSPX-"
   placeholder: "GOCSPX-..."
 ```
 
-Wait for both prompts to be completed before continuing.
+**CRITICAL — do NOT dismiss the creation dialog before the user has copied the secret.** Wait for the secure prompt to be completed before clicking OK or navigating away.
+
+After the secret is stored, you may close the dialog.
 
 ## CLI Step 7: Authorize
 

package/src/config/bundled-skills/messaging/tools/shared.ts

@@ -11,6 +11,7 @@ import type { MessagingProvider } from "../../../../messaging/provider.js";
 import {
   getConnectedProviders,
   getMessagingProvider,
+  isPlatformEnabled,
 } from "../../../../messaging/registry.js";
 import { withValidToken } from "../../../../security/token-manager.js";
 import type { ToolExecutionResult } from "../../../../tools/types.js";
@@ -32,7 +33,9 @@ export function err(message: string): ToolExecutionResult {
 export function resolveProvider(platformInput?: string): MessagingProvider {
   if (platformInput) return getMessagingProvider(platformInput);
 
-  const connected = getConnectedProviders();
+  const connected = getConnectedProviders().filter((p) =>
+    isPlatformEnabled(p.id),
+  );
   if (connected.length === 1) return connected[0];
   if (connected.length === 0) {
     throw new Error(

package/src/config/bundled-skills/twilio-setup/SKILL.md

@@ -17,10 +17,17 @@ vellum integrations twilio config --json
 curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/twilio/credentials" \
   -H "Authorization: Bearer $GATEWAY_AUTH_TOKEN" -H "Content-Type: application/json" \
   -d '{"accountSid":"ACxxx","authToken":"xxx"}'
-# 3. Provision or assign a number
-curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/twilio/numbers/provision" \
+# 3. Get credential ID and Account SID for proxied calls
+credential_store action=list  # → note credential_id for twilio/account_sid
+vellum integrations twilio config --json | jq -r '.accountSid'
+# 4. Search and provision via Twilio API (proxy injects auth automatically)
+#    bash network_mode=proxied credential_ids=["<cred_id>"]
+curl -s "https://api.twilio.com/2010-04-01/Accounts/<SID>/AvailablePhoneNumbers/US/Local.json?SmsEnabled=true&VoiceEnabled=true"
+curl -s -X POST "https://api.twilio.com/2010-04-01/Accounts/<SID>/IncomingPhoneNumbers.json" -d "PhoneNumber=+1xxx"
+# 5. Assign locally (saves to config + sets up webhooks)
+curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/twilio/numbers/assign" \
   -H "Authorization: Bearer $GATEWAY_AUTH_TOKEN" -H "Content-Type: application/json" \
-  -d '{"country":"US","areaCode":"415"}'
+  -d '{"phoneNumber":"+1xxx"}'
 ```
 
 For voice call setup after Twilio is configured, use `phone-calls` + `call_start`.
@@ -30,11 +37,11 @@ For voice call setup after Twilio is configured, use `phone-calls` + `call_start
 This skill manages the full Twilio lifecycle:
 
 - **Credential storage** — Account SID and Auth Token
-- **Phone number provisioning** — Buy a new number directly from Twilio
+- **Direct Twilio API access** — Search and purchase numbers via proxied calls to the Twilio REST API (the proxy injects authentication automatically)
 - **Phone number assignment** — Assign an existing Twilio number to the assistant
 - **Status checking** — Verify credentials and assigned number
 
-Mutating operations use Twilio HTTP control-plane endpoints on the gateway. Status/list retrieval uses `vellum integrations ...` CLI reads.
+Number search and purchase use proxied calls to the Twilio REST API (`bash` with `network_mode: "proxied"`). Local bookkeeping (assign, webhook sync) uses gateway control-plane endpoints. Status/list retrieval uses `vellum integrations ...` CLI reads.
 
 ### Multi-Assistant Setups
 
@@ -49,7 +56,7 @@ In a multi-assistant environment (multiple assistants sharing the same runtime),
 
 - `GET /v1/integrations/twilio/config` — Returns the phone number assigned to the specified assistant.
 - `POST /v1/integrations/twilio/numbers/assign` — Assigns a phone number to a specific assistant via the per-assistant mapping.
-- `POST /v1/integrations/twilio/numbers/provision` — Provisions a new number and assigns it to the specified assistant.
+- `POST /v1/integrations/twilio/numbers/provision` — Legacy convenience endpoint that provisions a new number and assigns it to the specified assistant. The main flow now uses proxied Twilio API calls (search + purchase) followed by the assign endpoint.
 - `GET /v1/integrations/twilio/numbers` — Lists all phone numbers on the shared Twilio account (uses global credentials).
 
 Include `assistantId` as a query parameter in assistant-scoped requests whenever:
@@ -110,19 +117,61 @@ The assistant needs a phone number to make calls and send SMS. There are two pat
 
 If the user wants to buy a new number through Twilio:
 
+**3a. Get the credential ID and Account SID:**
+
+```
+credential_store action=list
+```
+
+Find the entry with `service: "twilio"` and `field: "account_sid"`. Note its `credential_id`.
+
+Then retrieve the Account SID (needed for Twilio URL paths):
+
 ```bash
-curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/twilio/numbers/provision" \
+vellum integrations twilio config --json | jq -r '.accountSid'
+```
+
+**3b. Search for available numbers (proxied Twilio API):**
+
+```
+bash:
+  network_mode: proxied
+  credential_ids: ["<credential_id from 3a>"]
+  command: |
+    curl -s "https://api.twilio.com/2010-04-01/Accounts/<ACCOUNT_SID>/AvailablePhoneNumbers/US/Local.json?SmsEnabled=true&VoiceEnabled=true&AreaCode=415"
+```
+
+- `AreaCode` is optional — ask the user if they have a preferred area code
+- Replace `US` with a different ISO 3166-1 alpha-2 country code if the user wants a non-US number
+- The proxy automatically injects `Authorization: Basic <credentials>` — do not include an Authorization header
+
+The response contains an `available_phone_numbers` array. Present the first few options to the user with their `phone_number` and `friendly_name`.
+
+**3c. Purchase the chosen number (proxied Twilio API):**
+
+```
+bash:
+  network_mode: proxied
+  credential_ids: ["<credential_id from 3a>"]
+  command: |
+    curl -s -X POST "https://api.twilio.com/2010-04-01/Accounts/<ACCOUNT_SID>/IncomingPhoneNumbers.json" \
+      -d "PhoneNumber=+14155551234"
+```
+
+The response includes the purchased number's `phone_number` and `sid`.
+
+**3d. Assign locally (saves to config + sets up webhooks):**
+
+```bash
+curl -s -X POST "$INTERNAL_GATEWAY_BASE_URL/v1/integrations/twilio/numbers/assign" \
   -H "Authorization: Bearer $GATEWAY_AUTH_TOKEN" \
   -H "Content-Type: application/json" \
-  -d '{"country":"US","areaCode":"415"}'
+  -d '{"phoneNumber":"+14155551234"}'
 ```
 
-- `areaCode` is optional — ask the user if they have a preferred area code
-- `country` defaults to `"US"` — ask if they want a different country (ISO 3166-1 alpha-2)
+This persists the number to secure storage and config, and configures Twilio webhooks (voice, status callback, SMS) if a public ingress URL is available. The response includes the new `phoneNumber`. No separate assign call is needed.
 
-The endpoint provisions the number via the Twilio API, automatically assigns it to the assistant (persisting to both secure storage and config), and configures Twilio webhooks (voice, status callback, SMS) if a public ingress URL is available. The response includes the new `phoneNumber`. No separate assign call is needed.
-
-**Webhook auto-configuration:** When `ingress.publicBaseUrl` is configured, the endpoint automatically sets the following webhooks on the Twilio phone number:
+**Webhook auto-configuration:** When `ingress.publicBaseUrl` is configured, the assign endpoint automatically sets the following webhooks on the Twilio phone number:
 
 - Voice webhook: `{publicBaseUrl}/webhooks/twilio/voice`
 - Voice status callback: `{publicBaseUrl}/webhooks/twilio/status`
@@ -134,13 +183,17 @@ If ingress is not yet configured, webhook setup is skipped gracefully — the nu
 
 ### Option B: Assign an Existing Number
 
-If the user already has a Twilio phone number, first list available numbers:
+If the user already has a Twilio phone number, first get the credential ID and Account SID (same as Option A, step 3a), then list available numbers:
 
-```bash
-vellum integrations twilio numbers --json
+```
+bash:
+  network_mode: proxied
+  credential_ids: ["<credential_id>"]
+  command: |
+    curl -s "https://api.twilio.com/2010-04-01/Accounts/<ACCOUNT_SID>/IncomingPhoneNumbers.json"
 ```
 
-The response includes a `numbers` array with each number's `phoneNumber`, `friendlyName`, and `capabilities` (voice, SMS). Present these to the user and let them choose.
+The response includes an `incoming_phone_numbers` array with each number's `phone_number`, `friendly_name`, and `capabilities`. Present these to the user and let them choose.
 
 Then assign the chosen number:
 

package/src/config/bundled-tool-registry.ts

@@ -20,6 +20,7 @@ import * as appFileEdit from "./bundled-skills/app-builder/tools/app-file-edit.j
 import * as appFileList from "./bundled-skills/app-builder/tools/app-file-list.js";
 import * as appFileRead from "./bundled-skills/app-builder/tools/app-file-read.js";
 import * as appFileWrite from "./bundled-skills/app-builder/tools/app-file-write.js";
+import * as appGenerateIcon from "./bundled-skills/app-builder/tools/app-generate-icon.js";
 import * as appList from "./bundled-skills/app-builder/tools/app-list.js";
 import * as appQuery from "./bundled-skills/app-builder/tools/app-query.js";
 import * as appUpdate from "./bundled-skills/app-builder/tools/app-update.js";
@@ -190,6 +191,7 @@ export const bundledToolRegistry = new Map<string, SkillToolScript>([
   ["app-builder:tools/app-file-read.ts", appFileRead],
   ["app-builder:tools/app-file-edit.ts", appFileEdit],
   ["app-builder:tools/app-file-write.ts", appFileWrite],
+  ["app-builder:tools/app-generate-icon.ts", appGenerateIcon],
 
   // browser
   ["browser:tools/browser-navigate.ts", browserNavigate],

package/src/config/core-schema.ts

@@ -252,6 +252,12 @@ export const SmsConfigSchema = z.object({
     .optional(),
 });
 
+export const WhatsAppConfigSchema = z.object({
+  phoneNumber: z
+    .string({ error: "whatsapp.phoneNumber must be a string" })
+    .default(""),
+});
+
 export const IngressWebhookConfigSchema = z.object({
   secret: z
     .string({ error: "ingress.webhook.secret must be a string" })
@@ -392,6 +398,7 @@ export type ContextOverflowRecoveryConfig = z.infer<
 export type ContextWindowConfig = z.infer<typeof ContextWindowConfigSchema>;
 export type ModelPricingOverride = z.infer<typeof ModelPricingOverrideSchema>;
 export type SmsConfig = z.infer<typeof SmsConfigSchema>;
+export type WhatsAppConfig = z.infer<typeof WhatsAppConfigSchema>;
 export type IngressWebhookConfig = z.infer<typeof IngressWebhookConfigSchema>;
 export type IngressRateLimitConfig = z.infer<
   typeof IngressRateLimitConfigSchema

package/src/config/feature-flag-registry.json

@@ -47,6 +47,22 @@
       "key": "feature_flags.messaging.enabled",
       "label": "Messaging",
       "description": "Enable messaging skill section in the system prompt",
+      "defaultEnabled": true
+    },
+    {
+      "id": "messaging-gmail",
+      "scope": "assistant",
+      "key": "feature_flags.messaging.gmail.enabled",
+      "label": "Messaging: Gmail",
+      "description": "Allow messaging tools to operate on the Gmail platform",
+      "defaultEnabled": false
+    },
+    {
+      "id": "messaging-telegram",
+      "scope": "assistant",
+      "key": "feature_flags.messaging.telegram.enabled",
+      "label": "Messaging: Telegram",
+      "description": "Allow messaging tools to operate on the Telegram platform",
       "defaultEnabled": false
     },
     {

package/src/config/loader.ts

@@ -19,6 +19,8 @@ import {
   getWorkspaceConfigPath,
   migrateToDataLayout,
   migrateToWorkspaceLayout,
+  readLockfile,
+  writeLockfile,
 } from "../util/platform.js";
 import { AssistantConfigSchema } from "./schema.js";
 import type { AssistantConfig } from "./types.js";
@@ -422,6 +424,30 @@ export function saveRawConfig(config: Record<string, unknown>): void {
   cached = null; // invalidate cache
 }
 
+/**
+ * Sync client-relevant config values (e.g. platform.baseUrl) to the lockfile
+ * so external tools (e.g. vel) can discover them without importing the full
+ * config schema.  Mirrors the behaviour of `syncConfigToLockfile` in the
+ * lightweight CLI (`cli/src/lib/assistant-config.ts`).
+ */
+export function syncConfigToLockfile(): void {
+  const configPath = getWorkspaceConfigPath();
+  if (!existsSync(configPath)) return;
+
+  try {
+    const raw = JSON.parse(readFileSync(configPath, "utf-8")) as Record<
+      string,
+      unknown
+    >;
+    const platform = raw.platform as Record<string, unknown> | undefined;
+    const data = readLockfile() ?? {};
+    data.platformBaseUrl = (platform?.baseUrl as string) || undefined;
+    writeLockfile(data);
+  } catch {
+    // Config file unreadable — skip sync
+  }
+}
+
 export function getNestedValue(
   obj: Record<string, unknown>,
   path: string,

package/src/config/schema.ts

@@ -49,6 +49,7 @@ export type {
   ThinkingConfig,
   TimeoutConfig,
   UiConfig,
+  WhatsAppConfig,
 } from "./core-schema.js";
 export {
   AuditLogConfigSchema,
@@ -69,6 +70,7 @@ export {
   ThinkingConfigSchema,
   TimeoutConfigSchema,
   UiConfigSchema,
+  WhatsAppConfigSchema,
 } from "./core-schema.js";
 export type { ElevenLabsConfig } from "./elevenlabs-schema.js";
 export {
@@ -161,6 +163,7 @@ import {
   ThinkingConfigSchema,
   TimeoutConfigSchema,
   UiConfigSchema,
+  WhatsAppConfigSchema,
 } from "./core-schema.js";
 import { ElevenLabsConfigSchema } from "./elevenlabs-schema.js";
 import { McpConfigSchema } from "./mcp-schema.js";
@@ -261,6 +264,7 @@ export const AssistantConfigSchema = z
       ElevenLabsConfigSchema.parse({}),
     ),
     sms: SmsConfigSchema.default(SmsConfigSchema.parse({})),
+    whatsapp: WhatsAppConfigSchema.default(WhatsAppConfigSchema.parse({})),
     ingress: IngressConfigSchema,
     platform: PlatformConfigSchema.default(PlatformConfigSchema.parse({})),
     daemon: DaemonConfigSchema.default(DaemonConfigSchema.parse({})),

package/src/config/skill-state.ts

@@ -33,19 +33,6 @@ export function skillFlagKey(skillId: string): string {
   );
 }
 
-/**
- * @deprecated Use `isAssistantFeatureFlagEnabled` from `./assistant-feature-flags.js` instead.
- *
- * Thin backward-compatible wrapper that delegates to the canonical resolver.
- * Kept to avoid breaking existing call sites during migration.
- */
-export function isSkillFeatureEnabled(
-  skillId: string,
-  config: AssistantConfig,
-): boolean {
-  return isAssistantFeatureFlagEnabled(skillFlagKey(skillId), config);
-}
-
 export function resolveSkillStates(
   catalog: SkillSummary[],
   config: AssistantConfig,

package/src/config/system-prompt.ts

@@ -1,6 +1,7 @@
 import { copyFileSync, existsSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 
+import { CLI_HELP_REFERENCE } from "../cli/reference.js";
 import { listCredentialMetadata } from "../tools/credentials/metadata-store.js";
 import { resolveBundledDir } from "../util/bundled-asset.js";
 import { getLogger } from "../util/logger.js";
@@ -20,6 +21,13 @@ const log = getLogger("system-prompt");
 
 const PROMPT_FILES = ["SOUL.md", "IDENTITY.md", "USER.md"] as const;
 
+let cachedCliHelp: string | undefined;
+
+/** @internal Reset the CLI help cache — exposed for testing only. */
+export function _resetCliHelpCache(): void {
+  cachedCliHelp = undefined;
+}
+
 /**
  * Copy template prompt files into the data directory if they don't already exist.
  * Called once during daemon startup so users always have discoverable files to edit.
@@ -149,6 +157,7 @@ export function buildSystemPrompt(): string {
   }
   if (getIsContainerized()) parts.push(buildContainerizedSection());
   parts.push(buildConfigSection());
+  parts.push(buildCliReferenceSection());
   parts.push(buildPostToolResponseSection());
   parts.push(buildExternalCommsIdentitySection());
   parts.push(buildChannelAwarenessSection());
@@ -778,6 +787,24 @@ function buildConfigSection(): string {
   ].join("\n");
 }
 
+export function buildCliReferenceSection(): string {
+  if (cachedCliHelp === undefined) {
+    cachedCliHelp = CLI_HELP_REFERENCE.trim();
+  }
+
+  return [
+    "## Assistant CLI",
+    "",
+    "The `assistant` CLI is installed on the user's machine and available via `bash`.",
+    "",
+    "```",
+    cachedCliHelp,
+    "```",
+    "",
+    "Run `assistant <command> --help` for detailed help on any subcommand.",
+  ].join("\n");
+}
+
 /**
  * Strip lines starting with `_` (comment convention for prompt .md files)
  * and collapse any resulting consecutive blank lines.

package/src/contacts/contact-store.ts

@@ -623,6 +623,31 @@ export function mergeContacts(
   return getContactInternal(keepId)!;
 }
 
+/**
+ * Delete a contact by ID. Guardians cannot be deleted as a safety guard.
+ * Associated contactChannels and assistantContactMetadata rows are
+ * cascade-deleted by the DB schema's onDelete constraints.
+ */
+export function deleteContact(
+  contactId: string,
+): "ok" | "not_found" | "is_guardian" {
+  const db = getDb();
+
+  const contact = db
+    .select()
+    .from(contacts)
+    .where(eq(contacts.id, contactId))
+    .get();
+
+  if (!contact) return "not_found";
+  if (contact.role === "guardian") return "is_guardian";
+
+  db.delete(contacts).where(eq(contacts.id, contactId)).run();
+
+  emitContactChange();
+  return "ok";
+}
+
 /**
  * Find a contact by a specific channel address. Returns null if not found.
  */

package/src/daemon/computer-use-session.ts

@@ -103,7 +103,7 @@ export class ComputerUseSession {
       resolve: (result: ToolExecutionResult) => void;
     }
   >();
-  private surfaceState = new Map<
+  /** @internal */ surfaceState = new Map<
     string,
     { surfaceType: SurfaceType; data: SurfaceData; title?: string }
   >();

package/src/daemon/handlers/apps.ts

@@ -559,6 +559,7 @@ export async function handleBundleApp(
     ctx.send(socket, {
       type: "bundle_app_response",
       bundlePath: result.bundlePath,
+      iconImageBase64: result.iconImageBase64,
       manifest: result.manifest,
     });
   } catch (err) {