@vellumai/assistant 0.4.45 → 0.4.48

package/ARCHITECTURE.md

@@ -263,7 +263,7 @@ When a voice call's ASK_GUARDIAN consultation times out before the guardian resp
          |
          | (conversation engine classifies intent)
          v
- call_back / message_back / decline
+ call_back / decline
          |                        |
          v                        v
  [dispatching]              [declined] (terminal)
@@ -347,8 +347,8 @@ Both tokens are stored in the secure key store (macOS Keychain with encrypted fi
 
 | Secure key                           | Content                                                                    |
 | ------------------------------------ | -------------------------------------------------------------------------- |
-| `credential:slack_channel:bot_token` | Slack bot token (used for `chat.postMessage` and `auth.test`)              |
-| `credential:slack_channel:app_token` | Slack app token (`xapp-...`, used for Socket Mode `apps.connections.open`) |
+| `credential/slack_channel/bot_token` | Slack bot token (used for `chat.postMessage` and `auth.test`)              |
+| `credential/slack_channel/app_token` | Slack app token (`xapp-...`, used for Socket Mode `apps.connections.open`) |
 
 Workspace metadata (team ID, team name, bot user ID, bot username) is stored as JSON in the credential metadata store under `('slack_channel', 'bot_token')`.
 
@@ -641,7 +641,7 @@ The assistant feature-flag resolver (`src/config/assistant-feature-flags.ts`) is
 | **3. `skill_load` tool**           | `executeSkillLoad()` in `tools/skills/load.ts`           | If the model attempts to load a flagged-off skill by name, the tool returns an error: `"skill is currently unavailable (disabled by feature flag)"`.                                                        |
 | **4. Runtime tool projection**     | `projectSkillTools()` in `daemon/session-skill-tools.ts` | Even if a skill was previously active in a session (has `<loaded_skill>` markers in history), the per-turn projection drops it when the flag is OFF. Already-registered tools are unregistered.             |
 | **5. Included child skills**       | `executeSkillLoad()` in `tools/skills/load.ts`           | When a parent skill includes children via the `includes` directive, each child is independently checked against its feature flag. Flagged-off children are silently excluded from the loaded skill content. |
-| **6. Skill install gate**          | `handleInstallSkill()` in `daemon/handlers/skills.ts`    | When a client requests skill installation, the handler checks the skill's feature flag before proceeding. If the flag is OFF, the install is rejected with an error.                                        |
+| **6. Skill install gate**          | `handleSkillsInstall()` in `daemon/handlers/skills.ts`   | When a client requests skill installation, the handler checks the skill's feature flag before proceeding. If the flag is OFF, the install is rejected with an error.                                        |
 
 All six enforcement points derive the flag key via `skillFlagKey(skill)` — which returns `undefined` for ungated skills, short-circuiting the check — and then call `isAssistantFeatureFlagEnabled(flagKey, config)` for consistency.
 
@@ -657,7 +657,7 @@ All six enforcement points derive the flag key via `skillFlagKey(skill)` — whi
 | `src/tools/skills/load.ts`                      | `executeSkillLoad()` — enforcement points 3 and 5                                                                                                                         |
 | `src/daemon/session-skill-tools.ts`             | `projectSkillTools()` — enforcement point 4                                                                                                                               |
 | `src/config/schema.ts`                          | `assistantFeatureFlagValues` field definition in `AssistantConfig` (Zod schema)                                                                                           |
-| `src/daemon/handlers/skills.ts`                 | `handleSkillsList()` — uses `resolveSkillStates()` for client responses; `handleInstallSkill()` — enforcement point 6                                                     |
+| `src/daemon/handlers/skills.ts`                 | `handleSkillsList()` — uses `resolveSkillStates()` for client responses; `handleSkillsInstall()` — enforcement point 6                                                    |
 | `meta/feature-flags/feature-flag-registry.json` | Unified feature flag registry (repo root) — all declared flags with scope, label, default values, and descriptions                                                        |
 | `src/config/feature-flag-registry.json`         | Bundled copy of the unified registry for compiled binary resolution                                                                                                       |
 
@@ -669,7 +669,7 @@ All six enforcement points derive the flag key via `skillFlagKey(skill)` — whi
 graph LR
     subgraph "macOS Keychain"
         K1["API Key<br/>service: vellum-assistant<br/>account: anthropic<br/>stored via /usr/bin/security CLI"]
-        K2["Credential Secrets<br/>key: credential:{service}:{field}<br/>stored via secure-keys.ts<br/>(encrypted file fallback if Keychain unavailable)"]
+        K2["Credential Secrets<br/>key: credential/{service}/{field}<br/>stored via secure-keys.ts<br/>(encrypted file fallback if Keychain unavailable)"]
     end
 
     subgraph "UserDefaults (plist)"

package/docs/architecture/memory.md

@@ -242,7 +242,7 @@ Two trust gates enforce trust-class-based access control over the memory pipelin
 
 - **Read gate** (`session-memory.ts`): When the current session's actor is untrusted, the memory recall pipeline returns a no-op context — no recall injection, no dynamic profile, no conflict resolution. This ensures untrusted actors cannot surface or exploit previously extracted memory.
 
-Trust policy is **cross-channel and trust-class-based**: decisions use `trustContext.trustClass`, not the channel string. Desktop sessions default to `trustClass: 'guardian'`. External channels (Telegram, SMS, WhatsApp, phone) provide explicit trust context via the resolver. Messages without provenance metadata are treated as trusted (guardian); all new messages carry provenance.
+Trust policy is **cross-channel and trust-class-based**: decisions use `trustContext.trustClass`, not the channel string. Desktop sessions default to `trustClass: 'guardian'`. External channels (Telegram, WhatsApp, phone) provide explicit trust context via the resolver. Messages without provenance metadata are treated as trusted (guardian); all new messages carry provenance.
 
 ---
 

package/docs/architecture/scheduling.md

@@ -45,7 +45,7 @@ The database column is named `cron_expression` and the Drizzle table is `cronJob
 
 ## Reminder Routing — Trigger-Time Multi-Channel Delivery
 
-Reminders support optional routing metadata that controls how the notification pipeline fans out delivery across channels when a reminder fires. This allows a single reminder to reach the user on multiple channels (desktop, Telegram, SMS) without requiring duplicate reminders.
+Reminders support optional routing metadata that controls how the notification pipeline fans out delivery across channels when a reminder fires. This allows a single reminder to reach the user on multiple channels (desktop, Telegram) without requiring duplicate reminders.
 
 ### Routing Metadata Model
 
@@ -69,7 +69,7 @@ sequenceDiagram
     participant Engine as Decision Engine<br/>(LLM)
     participant Enforce as enforceRoutingIntent
     participant Broadcaster as Broadcaster
-    participant Adapters as Channel Adapters<br/>(Vellum, Telegram, SMS)
+    participant Adapters as Channel Adapters<br/>(Vellum, Telegram)
 
     Scheduler->>Store: claimDueReminders(now)
     Store-->>Scheduler: ReminderRow[] (with routingIntent, routingHints)
@@ -106,7 +106,6 @@ Channel availability is resolved when the signal is emitted (not when the remind
 
 - **Vellum** — always connected (local HTTP)
 - **Telegram** — connected when an active guardian binding exists
-- **SMS** — connected when an active guardian binding exists
 
 If a channel becomes unavailable between reminder creation and fire time, it is silently excluded from delivery. The routing intent enforcement operates only on channels that are connected at fire time.
 

package/docs/architecture/security.md

@@ -179,7 +179,7 @@ File tool candidates include canonical (symlink-resolved) absolute paths via `no
 | `assistant/src/permissions/checker.ts`        | `classifyRisk()`, `check()`, `buildCommandCandidates()`, allowlist/scope generation                                                                                                 |
 | `assistant/src/permissions/shell-identity.ts` | `analyzeShellCommand()`, `deriveShellActionKeys()`, `buildShellCommandCandidates()`, `buildShellAllowlistOptions()` — parser-based shell command identity and action key derivation |
 | `assistant/src/permissions/trust-store.ts`    | Rule persistence, `findHighestPriorityRule()`, execution-target matching, starter bundle                                                                                            |
-| `assistant/src/permissions/prompter.ts`       | HTTP prompt flow: `confirmation_request` → `confirmation_response`                                                                                                                   |
+| `assistant/src/permissions/prompter.ts`       | HTTP prompt flow: `confirmation_request` → `confirmation_response`                                                                                                                  |
 | `assistant/src/permissions/defaults.ts`       | Default rule templates (system ask rules for host tools, CU, etc.)                                                                                                                  |
 | `assistant/src/skills/version-hash.ts`        | `computeSkillVersionHash()` — deterministic SHA-256 of skill source files                                                                                                           |
 | `assistant/src/skills/path-classifier.ts`     | `isSkillSourcePath()`, `normalizeFilePath()`, skill root detection                                                                                                                  |
@@ -233,7 +233,7 @@ sequenceDiagram
         UI->>HTTP: secret_response {requestId, value, delivery: "store"}
         HTTP->>Prompter: resolve(value, "store")
         Prompter->>Vault: {value, delivery: "store"}
-        Vault->>Keychain: setSecureKey("credential:svc:field", value)
+        Vault->>Keychain: setSecureKey("credential/svc/field", value)
         Vault->>Model: "Credential stored securely" (no value in output)
     else One-Time Send (if enabled)
         UI->>HTTP: secret_response {requestId, value, delivery: "transient_send"}
@@ -272,7 +272,7 @@ graph TB
     TOOL["Tool (e.g. browser_fill_credential)"] --> BROKER["CredentialBroker.use(service, field, tool, domain)"]
     BROKER --> POLICY{"Check policy:<br/>allowedTools + allowedDomains"}
     POLICY -->|denied| REJECT["PolicyDenied error"]
-    POLICY -->|allowed| FETCH["getSecureKey(credential:svc:field)"]
+    POLICY -->|allowed| FETCH["getSecureKey(credential/svc/field)"]
     FETCH --> INJECT["Inject value into tool execution<br/>(never returned to model)"]
 ```
 
@@ -290,7 +290,7 @@ The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send
 
 | Component           | Location                                             | What it stores                                                                                                                                               |
 | ------------------- | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Secret values       | macOS Keychain (primary) or encrypted file fallback  | Encrypted credential values keyed as `credential:{service}:{field}`. Falls back to encrypted file backend on Linux/headless or when Keychain is unavailable. |
+| Secret values       | macOS Keychain (primary) or encrypted file fallback  | Encrypted credential values keyed as `credential/{service}/{field}`. Falls back to encrypted file backend on Linux/headless or when Keychain is unavailable. |
 | Credential metadata | `~/.vellum/workspace/data/credentials/metadata.json` | Service, field, label, policy (allowedTools, allowedDomains), timestamps                                                                                     |
 | Config              | `~/.vellum/workspace/config.*`                       | `secretDetection` settings: enabled, action, entropyThreshold, allowOneTimeSend                                                                              |
 
@@ -303,7 +303,7 @@ The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send
 | `assistant/src/tools/credentials/metadata-store.ts`  | JSON file metadata CRUD for credential records                        |
 | `assistant/src/tools/credentials/broker.ts`          | Brokered credential access with policy enforcement and transient send |
 | `assistant/src/tools/credentials/policy-validate.ts` | Policy input validation (allowedTools, allowedDomains)                |
-| `assistant/src/permissions/secret-prompter.ts`       | HTTP secret_request/secret_response flow                               |
+| `assistant/src/permissions/secret-prompter.ts`       | HTTP secret_request/secret_response flow                              |
 | `assistant/src/security/secret-scanner.ts`           | Regex + entropy-based secret detection                                |
 | `assistant/src/security/secret-ingress.ts`           | Inbound message secret blocking                                       |
 | `clients/macos/.../SecretPromptManager.swift`        | Floating panel UI for secure credential entry                         |

package/docs/trusted-contact-access.md

@@ -12,7 +12,7 @@ Design doc defining how unknown users gain access to a Vellum assistant via chan
 
 ## User Journey
 
-1. **Unknown user messages the assistant** on Telegram (or SMS, or any channel).
+1. **Unknown user messages the assistant** on Telegram (or any channel).
 2. **Assistant rejects the message** via the ingress ACL in `inbound-message-handler.ts`. The user has no matching `contact_channels` record, so the handler replies: _"Hmm looks like you don't have access to talk to me. I'll let them know you tried talking to me and get back to you."_ and returns `{ denied: true, reason: 'not_a_member' }`.
 3. **Notification pipeline alerts the guardian.** The rejection triggers `notifyGuardianOfAccessRequest()` which creates a canonical access request and calls `emitNotificationSignal()` with `sourceEventName: 'ingress.access_request'`. The notification routes through the decision engine to all connected channels (vellum macOS app, Telegram, etc.). The guardian sees who is requesting access, including a request code for approve/reject and an `open invite flow` option to start the Trusted Contacts invite flow.
 
@@ -32,7 +32,7 @@ Design doc defining how unknown users gain access to a Vellum assistant via chan
    This ensures unknown inbound access attempts always trigger guardian notification, even when the requester's source channel has no guardian binding.
 
 4. **Guardian approves the request.** The guardian responds to the notification (via Telegram inline button, macOS app, or local app). On approval, the assistant creates a verification session via `createOutboundSession()` and generates a 6-digit verification code.
-5. **Guardian receives the verification code.** The assistant delivers the code to the guardian's verified channel (Telegram chat, SMS, etc.).
+5. **Guardian receives the verification code.** The assistant delivers the code to the guardian's verified channel (Telegram chat, etc.).
 6. **Guardian gives the code to the requester out-of-band** (in person, text message, phone call, etc.). This out-of-band transfer is the trust anchor: it proves the requester has a real-world relationship with the guardian.
 7. **Requester enters the code** back to the assistant on the same channel. The inbound message handler intercepts bare 6-digit codes when a pending verification session exists for that channel.
 8. **Assistant verifies the code and activates the user.** `validateAndConsumeVerification()` hashes the code, matches it against the pending session, verifies identity binding (the code must come from the expected channel identity), consumes the session, and calls `upsertContactChannel()` with `status: 'active'` and `policy: 'allow'`.
@@ -60,8 +60,7 @@ Identity binding ensures the verification code can only be consumed by the inten
 | Channel  | Identity fields                                                                  | Binding behavior                                                                                                                                                                                                                          |
 | -------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Telegram | `expectedExternalUserId` = Telegram user ID, `expectedChatId` = Telegram chat ID | Both are set when the guardian provides the requester's Telegram identity (from the original rejected message metadata). The `identityBindingStatus` is `'bound'`. Verification requires `actorExternalUserId` or `actorChatId` to match. |
-| SMS      | `expectedPhoneE164` = phone number in E.164 format                               | Set from the requester's phone number. Verification requires `actorExternalUserId` to match the expected phone.                                                                                                                           |
-| Voice    | `expectedPhoneE164` = phone number in E.164 format                               | Same as SMS: phone-based identity binding.                                                                                                                                                                                                |
+| Voice    | `expectedPhoneE164` = phone number in E.164 format                               | Phone-based identity binding. Verification requires `actorExternalUserId` to match the expected phone.                                                                                                                                    |
 | HTTP API | `expectedExternalUserId` = API caller identity                                   | Bound to whatever external user ID the API client provides.                                                                                                                                                                               |
 
 **Anti-oracle invariant:** When identity verification fails, the error message is identical to the "invalid or expired code" message. This prevents attackers from distinguishing between a wrong code and a wrong identity, which would leak information about which identities have pending sessions.
@@ -151,13 +150,13 @@ sequenceDiagram
     participant G as Guardian
     participant N as Notification Pipeline
 
-    U->>A: Send message on Telegram/SMS
+    U->>A: Send message on Telegram
     A->>A: findMember() → null
     A-->>U: "You haven't been approved. Ask the Guardian."
 
     A->>N: emitNotificationSignal('ingress.access_request')
     N->>N: evaluateSignal() → shouldNotify: true
-    N->>G: Deliver notification (Telegram/vellum/SMS)
+    N->>G: Deliver notification (Telegram/vellum)
 
     Note over G: Guardian sees access request<br/>with requester identity
 

package/package.json

@@ -1,7 +1,10 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.45",
+  "version": "0.4.48",
   "type": "module",
+  "exports": {
+    ".": "./src/index.ts"
+  },
   "bin": {
     "assistant": "./src/index.ts"
   },

package/src/__tests__/avatar-e2e.test.ts

@@ -5,9 +5,6 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 // ---------------------------------------------------------------------------
 
 let mockGeminiKey: string | undefined = "test-gemini-key";
-let mockApiKey: string | undefined = "test-api-key-123";
-let mockBaseUrl = "https://platform.test.vellum.ai";
-let mockPlatformEnvUrl = "https://env.test.vellum.ai";
 let mockWorkspaceDir = "/tmp/test-workspace-e2e";
 
 const mkdirSyncFn = mock(() => {});
@@ -15,7 +12,6 @@ const writeFileSyncFn = mock(() => {});
 const renameSyncFn = mock(() => {});
 
 let logInfoCalls: Array<[unknown, string]> = [];
-let logWarnCalls: Array<[unknown, string]> = [];
 let logErrorCalls: Array<[unknown, string]> = [];
 
 // ---------------------------------------------------------------------------
@@ -32,22 +28,10 @@ const geminiGenerateContentFn = mock(async () => geminiGenerateContentResult);
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     apiKeys: { gemini: mockGeminiKey },
-    platform: { baseUrl: mockBaseUrl },
     imageGenModel: "gemini-2.5-flash-image",
   }),
 }));
 
-mock.module("../config/env.js", () => ({
-  getPlatformBaseUrl: () => mockPlatformEnvUrl,
-}));
-
-mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (account: string) => {
-    if (account === "credential:vellum:assistant_api_key") return mockApiKey;
-    return undefined;
-  },
-}));
-
 mock.module("../util/platform.js", () => ({
   getWorkspaceDir: () => mockWorkspaceDir,
 }));
@@ -60,9 +44,7 @@ mock.module("pino", () => {
       info: (...args: unknown[]) => {
         logInfoCalls.push(args as [unknown, string]);
       },
-      warn: (...args: unknown[]) => {
-        logWarnCalls.push(args as [unknown, string]);
-      },
+      warn: () => {},
       error: (...args: unknown[]) => {
         logErrorCalls.push(args as [unknown, string]);
       },
@@ -109,7 +91,6 @@ mock.module("@google/genai", () => ({
 }));
 
 // Import after all mocks are set up
-import { AVATAR_MAX_DECODED_BYTES } from "../media/avatar-types.js";
 import { setAvatarTool } from "../tools/system/avatar-generator.js";
 
 // ---------------------------------------------------------------------------
@@ -123,18 +104,6 @@ function executeAvatar(description: string) {
   );
 }
 
-/** Standard successful Vertex predictions response. */
-function managedPlatformResponse() {
-  return {
-    predictions: [
-      {
-        bytesBase64Encoded: "iVBORw0KGgoAAAANSUhEUg==",
-        mimeType: "image/png",
-      },
-    ],
-  };
-}
-
 /** Standard successful Gemini generateContent response. */
 function geminiContentResponse() {
   return {
@@ -155,26 +124,6 @@ function geminiContentResponse() {
   };
 }
 
-function mockFetchReturning(response: {
-  ok: boolean;
-  status: number;
-  body: unknown;
-}) {
-  globalThis.fetch = mock(() =>
-    Promise.resolve({
-      ok: response.ok,
-      status: response.status,
-      json: async () => response.body,
-      text: async () =>
-        typeof response.body === "string"
-          ? response.body
-          : JSON.stringify(response.body),
-    }),
-  ) as unknown as typeof globalThis.fetch;
-}
-
-const originalFetch = globalThis.fetch;
-
 const expectedAvatarPath =
   "/tmp/test-workspace-e2e/data/avatar/custom-avatar.png";
 
@@ -188,9 +137,6 @@ describe("avatar E2E integration", () => {
 
   beforeEach(() => {
     mockGeminiKey = "test-gemini-key";
-    mockApiKey = "test-api-key-123";
-    mockBaseUrl = "https://platform.test.vellum.ai";
-    mockPlatformEnvUrl = "https://env.test.vellum.ai";
     mockWorkspaceDir = "/tmp/test-workspace-e2e";
 
     mkdirSyncFn.mockClear();
@@ -199,11 +145,9 @@ describe("avatar E2E integration", () => {
     geminiGenerateContentFn.mockClear();
 
     logInfoCalls = [];
-    logWarnCalls = [];
     logErrorCalls = [];
 
     geminiGenerateContentResult = geminiContentResponse();
-    globalThis.fetch = originalFetch;
 
     // Clear env var so tests control the key entirely via config mock
     delete process.env.GEMINI_API_KEY;
@@ -219,16 +163,10 @@ describe("avatar E2E integration", () => {
   });
 
   // -----------------------------------------------------------------------
-  // 1. Managed success E2E
+  // 1. Local Gemini success
   // -----------------------------------------------------------------------
 
-  test("managed success — file written, correct content, success message", async () => {
-    mockFetchReturning({
-      ok: true,
-      status: 200,
-      body: managedPlatformResponse(),
-    });
-
+  test("local Gemini success — file written, correct content, success message", async () => {
     const result = await executeAvatar("a friendly robot");
 
     // Verify success message
@@ -252,68 +190,15 @@ describe("avatar E2E integration", () => {
     const expectedBuffer = Buffer.from("iVBORw0KGgoAAAANSUhEUg==", "base64");
     expect(writtenBuffer.equals(expectedBuffer)).toBe(true);
 
-    // Verify Gemini was never called
-    expect(geminiGenerateContentFn).not.toHaveBeenCalled();
-  });
-
-  // -----------------------------------------------------------------------
-  // 2. Managed failure — falls back to local
-  // -----------------------------------------------------------------------
-
-  test("managed failure — falls back to local Gemini, file written", async () => {
-    mockFetchReturning({
-      ok: false,
-      status: 502,
-      body: {
-        code: "upstream_error",
-        subcode: "bad_gateway",
-        detail: "Bad gateway",
-        retryable: true,
-        correlation_id: "corr-502",
-      },
-    });
-
-    const result = await executeAvatar("a cute cat");
-
-    // Verify success — local path was used
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Avatar updated");
-
-    // Verify file was written
-    expect(writeFileSyncFn).toHaveBeenCalledTimes(1);
-    expect(renameSyncFn).toHaveBeenCalledTimes(1);
-
-    // Verify Gemini was called as fallback
-    expect(geminiGenerateContentFn).toHaveBeenCalledTimes(1);
-  });
-
-  // -----------------------------------------------------------------------
-  // 3. No managed prerequisites — goes straight to local
-  // -----------------------------------------------------------------------
-
-  test("no managed API key — goes straight to local Gemini", async () => {
-    mockApiKey = undefined; // No managed API key available
-
-    const result = await executeAvatar("a cute cat");
-
-    // Verify success via local path
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Avatar updated");
-
-    // Verify Gemini was called directly (no managed attempt)
+    // Verify Gemini was called
     expect(geminiGenerateContentFn).toHaveBeenCalledTimes(1);
-
-    // Verify file was written
-    expect(writeFileSyncFn).toHaveBeenCalledTimes(1);
-    expect(renameSyncFn).toHaveBeenCalledTimes(1);
   });
 
   // -----------------------------------------------------------------------
-  // 4. No managed prerequisites and no local key — error
+  // 2. No Gemini key — error
   // -----------------------------------------------------------------------
 
-  test("no managed API key and no Gemini key — error surfaced", async () => {
-    mockApiKey = undefined;
+  test("no Gemini key — error surfaced", async () => {
     mockGeminiKey = undefined;
 
     const result = await executeAvatar("a whimsical owl");
@@ -323,109 +208,23 @@ describe("avatar E2E integration", () => {
   });
 
   // -----------------------------------------------------------------------
-  // 5. Response validation — bad MIME type
+  // 3. Gemini API failure
   // -----------------------------------------------------------------------
 
-  test("managed response with disallowed MIME type — falls back to local", async () => {
-    mockFetchReturning({
-      ok: true,
-      status: 200,
-      body: {
-        predictions: [
-          {
-            bytesBase64Encoded: "iVBORw0KGgoAAAANSUhEUg==",
-            mimeType: "image/gif",
+  test("Gemini API failure — error surfaced", async () => {
+    geminiGenerateContentResult = {
+      candidates: [
+        {
+          content: {
+            parts: [],
           },
-        ],
-      },
-    });
-
-    const result = await executeAvatar("a cat");
-
-    // Managed fails validation, falls back to local Gemini
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Avatar updated");
-    expect(geminiGenerateContentFn).toHaveBeenCalledTimes(1);
-  });
-
-  // -----------------------------------------------------------------------
-  // 6. Response validation — oversized image
-  // -----------------------------------------------------------------------
-
-  test("managed response with oversized data — falls back to local", async () => {
-    const oversizedBase64 = "A".repeat(
-      Math.ceil(((AVATAR_MAX_DECODED_BYTES + 100) * 4) / 3),
-    );
-    mockFetchReturning({
-      ok: true,
-      status: 200,
-      body: {
-        predictions: [
-          { bytesBase64Encoded: oversizedBase64, mimeType: "image/png" },
-        ],
-      },
-    });
-
-    const result = await executeAvatar("a cat");
-
-    // Managed fails validation, falls back to local Gemini
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Avatar updated");
-    expect(geminiGenerateContentFn).toHaveBeenCalledTimes(1);
-  });
-
-  // -----------------------------------------------------------------------
-  // 7. Rate limit — falls back to local
-  // -----------------------------------------------------------------------
-
-  test("managed 429 response — falls back to local Gemini", async () => {
-    mockFetchReturning({
-      ok: false,
-      status: 429,
-      body: {
-        code: "avatar_rate_limited",
-        subcode: "too_many_requests",
-        detail: "Rate limit exceeded",
-        retryable: true,
-        correlation_id: "corr-429",
-      },
-    });
+        },
+      ],
+    };
 
     const result = await executeAvatar("a cat");
 
-    // Falls back to local successfully
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Avatar updated");
-    expect(geminiGenerateContentFn).toHaveBeenCalledTimes(1);
-  });
-
-  // -----------------------------------------------------------------------
-  // 8. Correlation ID propagation
-  // -----------------------------------------------------------------------
-
-  test("managed success — correlation ID is propagated through the pipeline", async () => {
-    mockFetchReturning({
-      ok: true,
-      status: 200,
-      body: managedPlatformResponse(),
-    });
-
-    const result = await executeAvatar("a robot");
-
-    // The managed path succeeded and wrote the avatar file
-    expect(result.isError).toBe(false);
-    expect(writeFileSyncFn).toHaveBeenCalled();
-
-    // Correlation ID is now generated client-side, so just verify one is logged
-    const correlationLogged = logInfoCalls.some(([meta, message]) => {
-      if (message !== "Avatar saved successfully") return false;
-      if (!meta || typeof meta !== "object" || !("correlationId" in meta)) {
-        return false;
-      }
-      const cid = (meta as { correlationId?: unknown }).correlationId;
-      return typeof cid === "string" && cid.length > 0;
-    });
-
-    expect(correlationLogged).toBe(true);
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("failed");
   });
 });

package/src/__tests__/avatar-generator.test.ts

@@ -1,7 +1,5 @@
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-import { ManagedAvatarError } from "../media/avatar-types.js";
-
 // ---------------------------------------------------------------------------
 // Mock state
 // ---------------------------------------------------------------------------
@@ -10,7 +8,7 @@ let mockRouterResult: unknown;
 let mockRouterError: Error | undefined;
 let mockWorkspaceDir = "/tmp/test-workspace";
 
-const routedGenerateAvatarFn = mock(async () => {
+const generateAvatarFn = mock(async () => {
   if (mockRouterError) throw mockRouterError;
   return mockRouterResult;
 });
@@ -24,7 +22,7 @@ const renameSyncFn = mock(() => {});
 // ---------------------------------------------------------------------------
 
 mock.module("../media/avatar-router.js", () => ({
-  routedGenerateAvatar: routedGenerateAvatarFn,
+  generateAvatar: generateAvatarFn,
 }));
 
 mock.module("../util/logger.js", () => ({
@@ -57,8 +55,6 @@ function successResult() {
   return {
     imageBase64: "iVBORw0KGgoAAAANSUhEUg==",
     mimeType: "image/png",
-    pathUsed: "local" as const,
-    correlationId: "test-corr-id",
   };
 }
 
@@ -78,7 +74,7 @@ describe("setAvatarTool", () => {
     mockRouterResult = successResult();
     mockRouterError = undefined;
     mockWorkspaceDir = "/tmp/test-workspace";
-    routedGenerateAvatarFn.mockClear();
+    generateAvatarFn.mockClear();
     mkdirSyncFn.mockClear();
     writeFileSyncFn.mockClear();
     renameSyncFn.mockClear();
@@ -89,7 +85,7 @@ describe("setAvatarTool", () => {
 
     expect(result.isError).toBe(false);
     expect(result.content).toContain("Avatar updated");
-    expect(routedGenerateAvatarFn).toHaveBeenCalledTimes(1);
+    expect(generateAvatarFn).toHaveBeenCalledTimes(1);
   });
 
   test("empty description returns error", async () => {
@@ -97,7 +93,7 @@ describe("setAvatarTool", () => {
 
     expect(result.isError).toBe(true);
     expect(result.content).toContain("description is required");
-    expect(routedGenerateAvatarFn).not.toHaveBeenCalled();
+    expect(generateAvatarFn).not.toHaveBeenCalled();
   });
 
   test("no image data returned yields error", async () => {
@@ -109,54 +105,6 @@ describe("setAvatarTool", () => {
     expect(result.content).toContain("No image data returned");
   });
 
-  test("ManagedAvatarError with statusCode 429 returns user-friendly rate limit message", async () => {
-    mockRouterError = new ManagedAvatarError({
-      code: "some_error_code",
-      subcode: "too_many_requests",
-      detail: "Rate limited",
-      retryable: true,
-      correlationId: "corr-rate",
-      statusCode: 429,
-    });
-
-    const result = await executeAvatar("a cat");
-
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("rate limited");
-  });
-
-  test("ManagedAvatarError with 503 returns service unavailable message", async () => {
-    mockRouterError = new ManagedAvatarError({
-      code: "avatar_service_error",
-      subcode: "upstream_unavailable",
-      detail: "Service down",
-      retryable: true,
-      correlationId: "corr-503",
-      statusCode: 503,
-    });
-
-    const result = await executeAvatar("a cat");
-
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("temporarily unavailable");
-  });
-
-  test("ManagedAvatarError with other code returns detail message", async () => {
-    mockRouterError = new ManagedAvatarError({
-      code: "avatar_content_filtered",
-      subcode: "policy_violation",
-      detail: "Content was filtered by safety policy",
-      retryable: false,
-      correlationId: "corr-filter",
-      statusCode: 400,
-    });
-
-    const result = await executeAvatar("a cat");
-
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("Content was filtered by safety policy");
-  });
-
   test("generic error returns mapped message", async () => {
     mockRouterError = new Error("Network timeout");