npm - @vellumai/assistant - Versions diffs - 0.4.37 → 0.4.41 - Mend

@vellumai/assistant 0.4.37 → 0.4.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/ARCHITECTURE.md +3 -3
package/README.md +13 -13
package/bun.lock +80 -24
package/docs/architecture/integrations.md +126 -128
package/docs/runbook-trusted-contacts.md +1 -1
package/docs/trusted-contact-access.md +12 -12
package/package.json +3 -1
package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap +0 -14
package/src/__tests__/app-bundler.test.ts +209 -0
package/src/__tests__/app-compiler.test.ts +279 -0
package/src/__tests__/app-executors.test.ts +293 -483
package/src/__tests__/app-migration.test.ts +148 -0
package/src/__tests__/app-routes-csp.test.ts +202 -0
package/src/__tests__/avatar-e2e.test.ts +452 -0
package/src/__tests__/avatar-generator.test.ts +193 -0
package/src/__tests__/avatar-router.test.ts +186 -0
package/src/__tests__/browser-download-timeout.test.ts +28 -0
package/src/__tests__/bundled-skill-retrieval-guard.test.ts +9 -9
package/src/__tests__/call-domain.test.ts +3 -7
package/src/__tests__/credential-security-e2e.test.ts +19 -12
package/src/__tests__/credentials-cli.test.ts +30 -4
package/src/__tests__/guardian-verify-setup-skill-regression.test.ts +1 -1
package/src/__tests__/handlers-slack-config.test.ts +0 -72
package/src/__tests__/handlers-telegram-config.test.ts +19 -12
package/src/__tests__/handlers-twitter-config.test.ts +105 -48
package/src/__tests__/inbound-invite-redemption.test.ts +4 -4
package/src/__tests__/integration-status.test.ts +15 -5
package/src/__tests__/integrations-cli.test.ts +1 -1
package/src/__tests__/invite-redemption-service.test.ts +62 -7
package/src/__tests__/ipc-snapshot.test.ts +0 -8
package/src/__tests__/managed-avatar-client.test.ts +280 -0
package/src/__tests__/mcp-cli.test.ts +3 -3
package/src/__tests__/oauth-cli.test.ts +203 -0
package/src/__tests__/relay-server.test.ts +3 -3
package/src/__tests__/secret-onetime-send.test.ts +19 -12
package/src/__tests__/secure-keys.test.ts +78 -0
package/src/__tests__/session-messaging-secret-redirect.test.ts +3 -0
package/src/__tests__/slack-channel-config.test.ts +23 -16
package/src/__tests__/slack-share-routes.test.ts +263 -0
package/src/__tests__/sms-messaging-provider.test.ts +3 -1
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +7 -7
package/src/__tests__/trusted-contact-multichannel.test.ts +3 -3
package/src/__tests__/trusted-contact-verification.test.ts +10 -10
package/src/__tests__/twilio-config.test.ts +15 -36
package/src/__tests__/twilio-provider.test.ts +4 -0
package/src/__tests__/twitter-auth-handler.test.ts +27 -14
package/src/__tests__/twitter-cli-error-shaping.test.ts +1 -1
package/src/__tests__/twitter-cli-routing.test.ts +38 -53
package/src/__tests__/twitter-oauth-client.test.ts +18 -47
package/src/__tests__/voice-invite-redemption.test.ts +27 -3
package/src/amazon/cart.ts +1 -1
package/src/amazon/client.ts +89 -7
package/src/approvals/guardian-request-resolvers.ts +2 -2
package/src/bundler/app-bundler.ts +77 -32
package/src/bundler/app-compiler.ts +195 -0
package/src/bundler/manifest.ts +1 -1
package/src/bundler/package-resolver.ts +185 -0
package/src/calls/call-domain.ts +4 -14
package/src/calls/relay-server.ts +2 -2
package/src/calls/twilio-config.ts +5 -24
package/src/calls/twilio-rest.ts +19 -5
package/src/cli/amazon.ts +74 -249
package/src/cli/audit.ts +2 -2
package/src/cli/autonomy.ts +9 -9
package/src/cli/channels.ts +5 -5
package/src/cli/completions.ts +27 -27
package/src/cli/config.ts +14 -14
package/src/cli/contacts.ts +27 -27
package/src/cli/credentials.ts +28 -28
package/src/cli/dev.ts +2 -2
package/src/cli/doctor.ts +2 -2
package/src/cli/email.ts +82 -82
package/src/cli/influencer.ts +13 -13
package/src/cli/integrations.ts +19 -144
package/src/cli/keys.ts +10 -10
package/src/cli/map.ts +4 -4
package/src/cli/mcp.ts +17 -17
package/src/cli/memory.ts +18 -18
package/src/cli/notifications.ts +13 -13
package/src/cli/oauth.ts +77 -0
package/src/cli/program.ts +2 -0
package/src/cli/sequence.ts +27 -27
package/src/cli/sessions.ts +12 -12
package/src/cli/trust.ts +8 -8
package/src/cli/twitter.ts +124 -70
package/src/config/bundled-skills/_shared/CLI_RETRIEVAL_PATTERN.md +1 -1
package/src/config/bundled-skills/agentmail/SKILL.md +34 -34
package/src/config/bundled-skills/amazon/SKILL.md +54 -54
package/src/config/bundled-skills/app-builder/SKILL.md +137 -3
package/src/config/bundled-skills/app-builder/tools/app-create.ts +10 -4
package/src/config/bundled-skills/configure-settings/SKILL.md +18 -18
package/src/config/bundled-skills/contacts/SKILL.md +12 -12
package/src/config/bundled-skills/doordash/lib/client.ts +7 -9
package/src/config/bundled-skills/email-setup/SKILL.md +4 -4
package/src/config/bundled-skills/frontend-design/icon.svg +16 -0
package/src/config/bundled-skills/google-oauth-setup/SKILL.md +143 -162
package/src/config/bundled-skills/guardian-verify-setup/SKILL.md +4 -4
package/src/config/bundled-skills/influencer/SKILL.md +13 -13
package/src/config/bundled-skills/mcp-setup/SKILL.md +11 -11
package/src/config/bundled-skills/phone-calls/SKILL.md +48 -54
package/src/config/bundled-skills/public-ingress/SKILL.md +6 -6
package/src/config/bundled-skills/slack-app-setup/SKILL.md +1 -1
package/src/config/bundled-skills/sms-setup/SKILL.md +3 -3
package/src/config/bundled-skills/telegram-setup/SKILL.md +2 -2
package/src/config/bundled-skills/twilio-setup/SKILL.md +136 -225
package/src/config/bundled-skills/twitter/SKILL.md +68 -44
package/src/config/bundled-skills/voice-setup/SKILL.md +2 -2
package/src/config/core-schema.ts +26 -0
package/src/config/env.ts +4 -0
package/src/config/feature-flag-registry.json +9 -1
package/src/config/schema.ts +8 -0
package/src/config/system-prompt.ts +6 -3
package/src/config/templates/BOOTSTRAP.md +7 -5
package/src/contacts/contacts-write.ts +5 -1
package/src/daemon/handlers/apps.ts +31 -4
package/src/daemon/handlers/config-ingress.ts +3 -3
package/src/daemon/handlers/config-integrations.ts +120 -49
package/src/daemon/handlers/config-slack-channel.ts +26 -7
package/src/daemon/handlers/config-slack.ts +1 -54
package/src/daemon/handlers/config-telegram.ts +28 -10
package/src/daemon/handlers/config.ts +1 -4
package/src/daemon/handlers/twitter-auth.ts +11 -4
package/src/daemon/ipc-contract/apps.ts +0 -13
package/src/daemon/ipc-contract-inventory.json +0 -2
package/src/daemon/lifecycle.ts +8 -1
package/src/daemon/session-messaging.ts +2 -2
package/src/daemon/tool-side-effects.ts +30 -0
package/src/email/providers/agentmail.ts +1 -1
package/src/email/providers/index.ts +1 -1
package/src/email/service.ts +1 -1
package/src/gallery/default-gallery.ts +538 -0
package/src/gallery/gallery-manifest.ts +5 -1
package/src/influencer/client.ts +8 -6
package/src/mcp/client.ts +1 -1
package/src/media/avatar-router.ts +99 -0
package/src/media/avatar-types.ts +60 -0
package/src/media/managed-avatar-client.ts +189 -0
package/src/memory/app-migration.ts +114 -0
package/src/memory/app-store.ts +11 -0
package/src/memory/qdrant-client.ts +1 -1
package/src/messaging/providers/slack/client.ts +12 -2
package/src/messaging/providers/sms/adapter.ts +6 -10
package/src/migrations/data-layout.ts +8 -1
package/src/oauth/token-persistence.ts +9 -6
package/src/runtime/assistant-scope.ts +5 -0
package/src/runtime/auth/route-policy.ts +4 -0
package/src/runtime/channel-readiness-service.ts +9 -4
package/src/runtime/gateway-internal-client.ts +11 -3
package/src/runtime/http-server.ts +2 -0
package/src/runtime/invite-redemption-service.ts +23 -13
package/src/runtime/middleware/twilio-validation.ts +2 -2
package/src/runtime/routes/app-routes.ts +131 -3
package/src/runtime/routes/inbound-stages/verification-intercept.ts +3 -3
package/src/runtime/routes/integration-routes.ts +2 -2
package/src/runtime/routes/slack-share-routes.ts +235 -0
package/src/runtime/routes/twilio-routes.ts +47 -34
package/src/schedule/integration-status.ts +2 -3
package/src/security/token-manager.ts +11 -3
package/src/tools/apps/executors.ts +116 -8
package/src/tools/browser/browser-manager.ts +30 -2
package/src/tools/browser/chrome-cdp.ts +31 -3
package/src/tools/credentials/vault.ts +9 -7
package/src/tools/executor.ts +4 -0
package/src/tools/system/avatar-generator.ts +55 -34
package/src/twitter/client.ts +1 -1
package/src/twitter/oauth-client.ts +31 -43
package/src/twitter/router.ts +25 -23
package/src/util/platform.ts +5 -0
package/src/slack/slack-webhook.ts +0 -66

package/src/daemon/handlers/config-integrations.ts CHANGED Viewed

@@ -1,10 +1,15 @@
 import * as net from "node:net";
-import { loadRawConfig, saveRawConfig } from "../../config/loader.js";
 import {
-  deleteSecureKey,
+  getNestedValue,
+  loadRawConfig,
+  saveRawConfig,
+  setNestedValue,
+} from "../../config/loader.js";
+import {
+  deleteSecureKeyAsync,
   getSecureKey,
-  setSecureKey,
+  setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import {
   deleteCredentialMetadata,
@@ -17,11 +22,11 @@ import type {
 } from "../ipc-protocol.js";
 import { defineHandlers, type HandlerContext, log } from "./shared.js";
-export function handleVercelApiConfig(
+export async function handleVercelApiConfig(
   msg: VercelApiConfigRequest,
   socket: net.Socket,
   ctx: HandlerContext,
-): void {
+): Promise<void> {
   try {
     if (msg.action === "get") {
       const existing = getSecureKey("credential:vercel:api_token");
@@ -40,7 +45,10 @@ export function handleVercelApiConfig(
         });
         return;
       }
-      const stored = setSecureKey("credential:vercel:api_token", msg.apiToken);
+      const stored = await setSecureKeyAsync(
+        "credential:vercel:api_token",
+        msg.apiToken,
+      );
       if (!stored) {
         ctx.send(socket, {
           type: "vercel_api_config_response",
@@ -59,7 +67,16 @@ export function handleVercelApiConfig(
         success: true,
       });
     } else {
-      deleteSecureKey("credential:vercel:api_token");
+      const r = await deleteSecureKeyAsync("credential:vercel:api_token");
+      if (r === "error") {
+        ctx.send(socket, {
+          type: "vercel_api_config_response",
+          hasToken: !!getSecureKey("credential:vercel:api_token"),
+          success: false,
+          error: "Failed to delete Vercel API token from secure storage",
+        });
+        return;
+      }
       deleteCredentialMetadata("vercel", "api_token");
       ctx.send(socket, {
         type: "vercel_api_config_response",
@@ -87,27 +104,27 @@ function hasTwitterClientId(): boolean {
   );
 }
-export function handleTwitterIntegrationConfig(
+export async function handleTwitterIntegrationConfig(
   msg: TwitterIntegrationConfigRequest,
   socket: net.Socket,
   ctx: HandlerContext,
-): void {
+): Promise<void> {
   try {
     if (msg.action === "get") {
       const raw = loadRawConfig();
       const mode =
-        (raw.twitterIntegrationMode as "local_byo" | "managed" | undefined) ??
-        "local_byo";
+        (getNestedValue(raw, "twitter.integrationMode") as
+          | "local_byo"
+          | "managed"
+          | undefined) ?? "local_byo";
       const strategy =
-        (raw.twitterOperationStrategy as
+        (getNestedValue(raw, "twitter.operationStrategy") as
           | "oauth"
           | "browser"
           | "auto"
           | undefined) ?? "auto";
-      const strategyConfigured = Object.prototype.hasOwnProperty.call(
-        raw,
-        "twitterOperationStrategy",
-      );
+      const strategyConfigured =
+        getNestedValue(raw, "twitter.operationStrategy") !== undefined;
       const localClientConfigured = hasTwitterClientId();
       const connected = !!getSecureKey(
         "credential:integration:twitter:access_token",
@@ -127,15 +144,13 @@ export function handleTwitterIntegrationConfig(
     } else if (msg.action === "get_strategy") {
       const raw = loadRawConfig();
       const strategy =
-        (raw.twitterOperationStrategy as
+        (getNestedValue(raw, "twitter.operationStrategy") as
           | "oauth"
           | "browser"
           | "auto"
           | undefined) ?? "auto";
-      const strategyConfigured = Object.prototype.hasOwnProperty.call(
-        raw,
-        "twitterOperationStrategy",
-      );
+      const strategyConfigured =
+        getNestedValue(raw, "twitter.operationStrategy") !== undefined;
       ctx.send(socket, {
         type: "twitter_integration_config_response",
         success: true,
@@ -162,7 +177,7 @@ export function handleTwitterIntegrationConfig(
         return;
       }
       const raw = loadRawConfig();
-      raw.twitterOperationStrategy = value;
+      setNestedValue(raw, "twitter.operationStrategy", value);
       saveRawConfig(raw);
       ctx.send(socket, {
         type: "twitter_integration_config_response",
@@ -177,7 +192,7 @@ export function handleTwitterIntegrationConfig(
       });
     } else if (msg.action === "set_mode") {
       const raw = loadRawConfig();
-      raw.twitterIntegrationMode = msg.mode ?? "local_byo";
+      setNestedValue(raw, "twitter.integrationMode", msg.mode ?? "local_byo");
       saveRawConfig(raw);
       ctx.send(socket, {
         type: "twitter_integration_config_response",
@@ -205,8 +220,8 @@ export function handleTwitterIntegrationConfig(
       const previousClientId =
         getSecureKey("credential:integration:twitter:client_id") ??
         getSecureKey("credential:integration:twitter:oauth_client_id");
-      // Write canonical key
-      const storedId = setSecureKey(
+      // Write canonical key (async — writes broker + encrypted store)
+      const storedId = await setSecureKeyAsync(
         "credential:integration:twitter:client_id",
         msg.clientId,
       );
@@ -222,30 +237,34 @@ export function handleTwitterIntegrationConfig(
         return;
       }
       // Also write legacy key for backward compatibility
-      setSecureKey(
+      await setSecureKeyAsync(
         "credential:integration:twitter:oauth_client_id",
         msg.clientId,
       );
       if (msg.clientSecret) {
         // Write canonical key
-        const storedSecret = setSecureKey(
+        const storedSecret = await setSecureKeyAsync(
           "credential:integration:twitter:client_secret",
           msg.clientSecret,
         );
         if (!storedSecret) {
           // Roll back the client ID to its previous value to avoid inconsistent OAuth state
           if (previousClientId) {
-            setSecureKey(
+            await setSecureKeyAsync(
               "credential:integration:twitter:client_id",
               previousClientId,
             );
-            setSecureKey(
+            await setSecureKeyAsync(
               "credential:integration:twitter:oauth_client_id",
               previousClientId,
             );
           } else {
-            deleteSecureKey("credential:integration:twitter:client_id");
-            deleteSecureKey("credential:integration:twitter:oauth_client_id");
+            await deleteSecureKeyAsync(
+              "credential:integration:twitter:client_id",
+            );
+            await deleteSecureKeyAsync(
+              "credential:integration:twitter:oauth_client_id",
+            );
           }
           ctx.send(socket, {
             type: "twitter_integration_config_response",
@@ -258,14 +277,18 @@ export function handleTwitterIntegrationConfig(
           return;
         }
         // Also write legacy key for backward compatibility
-        setSecureKey(
+        await setSecureKeyAsync(
           "credential:integration:twitter:oauth_client_secret",
           msg.clientSecret,
         );
       } else {
         // Clear any stale secret when updating client without a secret (e.g. switching to PKCE)
-        deleteSecureKey("credential:integration:twitter:client_secret");
-        deleteSecureKey("credential:integration:twitter:oauth_client_secret");
+        await deleteSecureKeyAsync(
+          "credential:integration:twitter:client_secret",
+        );
+        await deleteSecureKeyAsync(
+          "credential:integration:twitter:oauth_client_secret",
+        );
       }
       ctx.send(socket, {
         type: "twitter_integration_config_response",
@@ -278,35 +301,83 @@ export function handleTwitterIntegrationConfig(
       });
     } else if (msg.action === "clear_local_client") {
       // If connected, disconnect first
+      const deleteResults: Array<"deleted" | "not-found" | "error"> = [];
       if (getSecureKey("credential:integration:twitter:access_token")) {
-        deleteSecureKey("credential:integration:twitter:access_token");
-        deleteSecureKey("credential:integration:twitter:refresh_token");
-        deleteCredentialMetadata("integration:twitter", "access_token");
+        deleteResults.push(
+          await deleteSecureKeyAsync(
+            "credential:integration:twitter:access_token",
+          ),
+        );
+        deleteResults.push(
+          await deleteSecureKeyAsync(
+            "credential:integration:twitter:refresh_token",
+          ),
+        );
       }
       // Remove both canonical and legacy client credential keys
-      deleteSecureKey("credential:integration:twitter:client_id");
-      deleteSecureKey("credential:integration:twitter:client_secret");
-      deleteSecureKey("credential:integration:twitter:oauth_client_id");
-      deleteSecureKey("credential:integration:twitter:oauth_client_secret");
+      deleteResults.push(
+        await deleteSecureKeyAsync("credential:integration:twitter:client_id"),
+      );
+      deleteResults.push(
+        await deleteSecureKeyAsync(
+          "credential:integration:twitter:client_secret",
+        ),
+      );
+      deleteResults.push(
+        await deleteSecureKeyAsync(
+          "credential:integration:twitter:oauth_client_id",
+        ),
+      );
+      deleteResults.push(
+        await deleteSecureKeyAsync(
+          "credential:integration:twitter:oauth_client_secret",
+        ),
+      );
+      const hasDeleteError = deleteResults.some((r) => r === "error");
+      if (!hasDeleteError) {
+        deleteCredentialMetadata("integration:twitter", "access_token");
+      }
       ctx.send(socket, {
         type: "twitter_integration_config_response",
-        success: true,
+        success: !hasDeleteError,
         managedAvailable: false,
-        localClientConfigured: false,
-        connected: false,
+        localClientConfigured: hasDeleteError ? hasTwitterClientId() : false,
+        connected: hasDeleteError
+          ? !!getSecureKey("credential:integration:twitter:access_token")
+          : false,
+        ...(hasDeleteError
+          ? {
+              error:
+                "Failed to delete some Twitter credentials from secure storage",
+            }
+          : {}),
       });
     } else if (msg.action === "disconnect") {
-      deleteSecureKey("credential:integration:twitter:access_token");
-      deleteSecureKey("credential:integration:twitter:refresh_token");
-      deleteCredentialMetadata("integration:twitter", "access_token");
+      const dr1 = await deleteSecureKeyAsync(
+        "credential:integration:twitter:access_token",
+      );
+      const dr2 = await deleteSecureKeyAsync(
+        "credential:integration:twitter:refresh_token",
+      );
       // Client credentials (client_id, oauth_client_id, etc.) are intentionally
       // preserved so the user can re-connect without reconfiguring.
+      const disconnectFailed = dr1 === "error" || dr2 === "error";
+      if (!disconnectFailed) {
+        deleteCredentialMetadata("integration:twitter", "access_token");
+      }
       ctx.send(socket, {
         type: "twitter_integration_config_response",
-        success: true,
+        success: !disconnectFailed,
         managedAvailable: false,
         localClientConfigured: hasTwitterClientId(),
-        connected: false,
+        connected: disconnectFailed
+          ? !!getSecureKey("credential:integration:twitter:access_token")
+          : false,
+        ...(disconnectFailed
+          ? {
+              error: "Failed to delete Twitter tokens from secure storage",
+            }
+          : {}),
       });
     } else {
       ctx.send(socket, {

package/src/daemon/handlers/config-slack-channel.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import {
-  deleteSecureKey,
+  deleteSecureKeyAsync,
   getSecureKey,
-  setSecureKey,
+  setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import {
   deleteCredentialMetadata,
@@ -122,7 +122,10 @@ export async function setSlackChannelConfig(
       };
     }
-    const stored = setSecureKey("credential:slack_channel:bot_token", botToken);
+    const stored = await setSecureKeyAsync(
+      "credential:slack_channel:bot_token",
+      botToken,
+    );
     if (!stored) {
       const storedBotToken = !!getSecureKey(
         "credential:slack_channel:bot_token",
@@ -166,7 +169,10 @@ export async function setSlackChannelConfig(
       };
     }
-    const stored = setSecureKey("credential:slack_channel:app_token", appToken);
+    const stored = await setSecureKeyAsync(
+      "credential:slack_channel:app_token",
+      appToken,
+    );
     if (!stored) {
       const storedBotToken = !!getSecureKey(
         "credential:slack_channel:bot_token",
@@ -207,10 +213,23 @@ export async function setSlackChannelConfig(
   };
 }
-export function clearSlackChannelConfig(): SlackChannelConfigResult {
-  deleteSecureKey("credential:slack_channel:bot_token");
+export async function clearSlackChannelConfig(): Promise<SlackChannelConfigResult> {
+  const r1 = await deleteSecureKeyAsync("credential:slack_channel:bot_token");
+  const r2 = await deleteSecureKeyAsync("credential:slack_channel:app_token");
+  if (r1 === "error" || r2 === "error") {
+    const hasBotToken = !!getSecureKey("credential:slack_channel:bot_token");
+    const hasAppToken = !!getSecureKey("credential:slack_channel:app_token");
+    return {
+      success: false,
+      hasBotToken,
+      hasAppToken,
+      connected: hasBotToken && hasAppToken,
+      error: "Failed to delete Slack channel credentials from secure storage",
+    };
+  }
   deleteCredentialMetadata("slack_channel", "bot_token");
-  deleteSecureKey("credential:slack_channel:app_token");
   deleteCredentialMetadata("slack_channel", "app_token");
   return {

package/src/daemon/handlers/config-slack.ts CHANGED Viewed

@@ -1,61 +1,9 @@
 import * as net from "node:net";
 import { loadRawConfig, saveRawConfig } from "../../config/loader.js";
-import { getApp } from "../../memory/app-store.js";
-import { postToSlackWebhook } from "../../slack/slack-webhook.js";
-import type {
-  ShareToSlackRequest,
-  SlackWebhookConfigRequest,
-} from "../ipc-protocol.js";
+import type { SlackWebhookConfigRequest } from "../ipc-protocol.js";
 import { defineHandlers, type HandlerContext, log } from "./shared.js";
-export async function handleShareToSlack(
-  msg: ShareToSlackRequest,
-  socket: net.Socket,
-  ctx: HandlerContext,
-): Promise<void> {
-  try {
-    const config = loadRawConfig();
-    const webhookUrl = config.slackWebhookUrl as string | undefined;
-    if (!webhookUrl) {
-      ctx.send(socket, {
-        type: "share_to_slack_response",
-        success: false,
-        error:
-          "No Slack webhook URL configured. Provide one here in the chat, or set it from the Settings page.",
-      });
-      return;
-    }
-    const app = getApp(msg.appId);
-    if (!app) {
-      ctx.send(socket, {
-        type: "share_to_slack_response",
-        success: false,
-        error: `App not found: ${msg.appId}`,
-      });
-      return;
-    }
-    await postToSlackWebhook(
-      webhookUrl,
-      app.name,
-      app.description ?? "",
-      "\u{1F4F1}",
-    );
-    ctx.send(socket, { type: "share_to_slack_response", success: true });
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    log.error({ err, appId: msg.appId }, "Failed to share app to Slack");
-    ctx.send(socket, {
-      type: "share_to_slack_response",
-      success: false,
-      error: message,
-    });
-  }
-}
 export function handleSlackWebhookConfig(
   msg: SlackWebhookConfigRequest,
   socket: net.Socket,
@@ -89,6 +37,5 @@ export function handleSlackWebhookConfig(
 }
 export const slackHandlers = defineHandlers({
-  share_to_slack: handleShareToSlack,
   slack_webhook_config: handleSlackWebhookConfig,
 });

package/src/daemon/handlers/config-telegram.ts CHANGED Viewed

@@ -6,9 +6,9 @@ import {
   shouldUsePlatformCallbacks,
 } from "../../inbound/platform-callback-registration.js";
 import {
-  deleteSecureKey,
+  deleteSecureKeyAsync,
   getSecureKey,
-  setSecureKey,
+  setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import {
   deleteCredentialMetadata,
@@ -130,8 +130,11 @@ export async function setTelegramConfig(
     };
   }
-  // Store bot token securely
-  const stored = setSecureKey("credential:telegram:bot_token", resolvedToken);
+  // Store bot token securely (async — writes broker + encrypted store)
+  const stored = await setSecureKeyAsync(
+    "credential:telegram:bot_token",
+    resolvedToken,
+  );
   if (!stored) {
     return {
       success: false,
@@ -152,7 +155,7 @@ export async function setTelegramConfig(
   if (!hasWebhookSecret) {
     const { randomUUID } = await import("node:crypto");
     const webhookSecret = randomUUID();
-    const secretStored = setSecureKey(
+    const secretStored = await setSecureKeyAsync(
       "credential:telegram:webhook_secret",
       webhookSecret,
     );
@@ -164,7 +167,7 @@ export async function setTelegramConfig(
       // When the token came from secure storage it was already valid
       // configuration; deleting it would destroy working state.
       if (isNewToken) {
-        deleteSecureKey("credential:telegram:bot_token");
+        await deleteSecureKeyAsync("credential:telegram:bot_token");
         deleteCredentialMetadata("telegram", "bot_token");
       }
       return {
@@ -226,10 +229,8 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
     }
   }
-  deleteSecureKey("credential:telegram:bot_token");
-  deleteCredentialMetadata("telegram", "bot_token");
-  deleteSecureKey("credential:telegram:webhook_secret");
-  deleteCredentialMetadata("telegram", "webhook_secret");
+  const r1 = await deleteSecureKeyAsync("credential:telegram:bot_token");
+  const r2 = await deleteSecureKeyAsync("credential:telegram:webhook_secret");
   // Trigger reconcile to deregister webhook
   const effectiveUrl = getIngressPublicBaseUrl();
@@ -237,6 +238,23 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
     triggerGatewayReconcile(effectiveUrl);
   }
+  if (r1 === "error" || r2 === "error") {
+    const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
+    const hasWebhookSecret = !!getSecureKey(
+      "credential:telegram:webhook_secret",
+    );
+    return {
+      success: false,
+      hasBotToken,
+      connected: hasBotToken && hasWebhookSecret,
+      hasWebhookSecret,
+      error: "Failed to delete Telegram credentials from secure storage",
+    };
+  }
+  deleteCredentialMetadata("telegram", "bot_token");
+  deleteCredentialMetadata("telegram", "webhook_secret");
   return {
     success: true,
     hasBotToken: false,

package/src/daemon/handlers/config.ts CHANGED Viewed

@@ -40,10 +40,7 @@ export {
   handleSchedulesList,
   handleScheduleToggle,
 } from "./config-scheduling.js";
-export {
-  handleShareToSlack,
-  handleSlackWebhookConfig,
-} from "./config-slack.js";
+export { handleSlackWebhookConfig } from "./config-slack.js";
 export {
   handleTelegramConfig,
   summarizeTelegramError,

package/src/daemon/handlers/twitter-auth.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 import * as net from "node:net";
-import { loadConfig, loadRawConfig } from "../../config/loader.js";
+import {
+  getNestedValue,
+  loadConfig,
+  loadRawConfig,
+} from "../../config/loader.js";
 import { getPublicBaseUrl } from "../../inbound/public-ingress-urls.js";
 import { orchestrateOAuthConnect } from "../../oauth/connect-orchestrator.js";
 import { getSecureKey } from "../../security/secure-keys.js";
@@ -51,7 +55,8 @@ export async function handleTwitterAuthStart(
   try {
     const raw = loadRawConfig();
     const mode =
-      (raw.twitterIntegrationMode as string | undefined) ?? "local_byo";
+      (getNestedValue(raw, "twitter.integrationMode") as string | undefined) ??
+      "local_byo";
     if (mode !== "local_byo") {
       ctx.send(socket, {
         type: "twitter_auth_result",
@@ -186,8 +191,10 @@ export function handleTwitterAuthStatus(
     );
     const raw = loadRawConfig();
     const mode =
-      (raw.twitterIntegrationMode as "local_byo" | "managed" | undefined) ??
-      "local_byo";
+      (getNestedValue(raw, "twitter.integrationMode") as
+        | "local_byo"
+        | "managed"
+        | undefined) ?? "local_byo";
     const meta = getCredentialMetadata("integration:twitter", "access_token");
     ctx.send(socket, {

package/src/daemon/ipc-contract/apps.ts CHANGED Viewed

@@ -127,11 +127,6 @@ export interface ShareAppCloudRequest {
   appId: string;
 }
-export interface ShareToSlackRequest {
-  type: "share_to_slack";
-  appId: string;
-}
 export interface PublishPageRequest {
   type: "publish_page";
   html: string;
@@ -341,12 +336,6 @@ export interface AppRestoreResponse {
   error?: string;
 }
-export interface ShareToSlackResponse {
-  type: "share_to_slack_response";
-  success: boolean;
-  error?: string;
-}
 export interface PublishPageResponse {
   type: "publish_page_response";
   success: boolean;
@@ -389,7 +378,6 @@ export type _AppsClientMessages =
   | AppFileAtVersionRequest
   | AppRestoreRequest
   | ShareAppCloudRequest
-  | ShareToSlackRequest
   | AppUpdatePreviewRequest
   | AppPreviewRequest
   | PublishPageRequest
@@ -414,7 +402,6 @@ export type _AppsServerMessages =
   | AppDiffResponse
   | AppFileAtVersionResponse
   | AppRestoreResponse
-  | ShareToSlackResponse
   | AppUpdatePreviewResponse
   | AppPreviewResponse
   | PublishPageResponse

package/src/daemon/ipc-contract-inventory.json CHANGED Viewed

@@ -134,7 +134,6 @@
     "session_switch",
     "sessions_clear",
     "share_app_cloud",
-    "share_to_slack",
     "shared_app_delete",
     "shared_apps_list",
     "sign_bundle_payload_response",
@@ -291,7 +290,6 @@
     "session_title_updated",
     "sessions_clear_response",
     "share_app_cloud_response",
-    "share_to_slack_response",
     "shared_app_delete_response",
     "shared_apps_list_response",
     "sign_bundle_payload",

package/src/daemon/lifecycle.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import { TwilioConversationRelayProvider } from "../calls/twilio-provider.js";
 import { setVoiceBridgeDeps } from "../calls/voice-session-bridge.js";
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import {
+  getQdrantHttpPortEnv,
   getQdrantUrlEnv,
   getRuntimeHttpHost,
   getRuntimeHttpPort,
@@ -250,7 +251,13 @@ export async function runDaemon(): Promise<void> {
     log.info("Daemon startup: DaemonServer started");
     // Initialize Qdrant vector store — non-fatal so the daemon stays up without it
-    const qdrantUrl = getQdrantUrlEnv() || config.memory.qdrant.url;
+    // Prefer QDRANT_HTTP_PORT (locally-spawned Qdrant on a specific port) over
+    // QDRANT_URL (external Qdrant instance) so the CLI can set the port without
+    // triggering QdrantManager's external mode which skips local process spawn.
+    const qdrantHttpPort = getQdrantHttpPortEnv();
+    const qdrantUrl = qdrantHttpPort
+      ? `http://127.0.0.1:${qdrantHttpPort}`
+      : getQdrantUrlEnv() || config.memory.qdrant.url;
     log.info({ qdrantUrl }, "Daemon startup: initializing Qdrant");
     const qdrantManager = new QdrantManager({ url: qdrantUrl });
     try {

package/src/daemon/session-messaging.ts CHANGED Viewed

@@ -403,7 +403,7 @@ export function redirectToSecurePrompt(
     .then(async (result): Promise<void> => {
       if (!result.value) return;
-      const { setSecureKey } = await import("../security/secure-keys.js");
+      const { setSecureKeyAsync } = await import("../security/secure-keys.js");
       const { upsertCredentialMetadata } =
         await import("../tools/credentials/metadata-store.js");
@@ -435,7 +435,7 @@ export function redirectToSecurePrompt(
         );
       } else {
         const key = `credential:${target.service}:${target.field}`;
-        const stored = setSecureKey(key, result.value);
+        const stored = await setSecureKeyAsync(key, result.value);
         if (stored) {
           try {
             upsertCredentialMetadata(target.service, target.field, {});