@vellumai/assistant 0.4.45 → 0.4.48

package/src/daemon/computer-use-session.ts

@@ -23,6 +23,10 @@ import type {
 import { allComputerUseTools } from "../tools/computer-use/definitions.js";
 import { ToolExecutor } from "../tools/executor.js";
 import { getTool, registerSkillTools } from "../tools/registry.js";
+import {
+  injectReasonField,
+  REASON_SKIP_SET,
+} from "../tools/schema-transforms.js";
 import type { Tool, ToolExecutionResult } from "../tools/types.js";
 import { allUiSurfaceTools } from "../tools/ui-surface/definitions.js";
 import { getLogger } from "../util/logger.js";
@@ -581,6 +585,8 @@ export class ComputerUseSession {
       },
     };
 
+    const toolDefsWithReason = injectReasonField(toolDefs, REASON_SKIP_SET);
+
     const cuConfig = getConfig();
     const agentLoop = new AgentLoop(
       compactingProvider,
@@ -590,7 +596,7 @@ export class ComputerUseSession {
         maxInputTokens: cuConfig.contextWindow.maxInputTokens,
         toolChoice: { type: "any" },
       },
-      toolDefs,
+      toolDefsWithReason,
       toolExecutor,
     );
 

package/src/daemon/guardian-action-generators.ts

@@ -83,8 +83,8 @@ const FOLLOWUP_CONVERSATION_MAX_TOKENS = 300;
 const FOLLOWUP_CONVERSATION_SYSTEM_PROMPT =
   "You are an assistant helping route a guardian's reply to a post-timeout follow-up message. " +
   "A voice caller asked a question, but the call timed out before the guardian could answer. " +
-  "The guardian has now replied late, and was asked whether they want to call the caller back, " +
-  "send them a text message, or skip it. " +
+  "The guardian has now replied late, and was asked whether they want to call the caller back " +
+  "or skip it. " +
   "Analyze the guardian's latest reply to determine their intent. " +
   "When uncertain, default to keep_pending and ask a clarifying question. " +
   "Always provide a natural, helpful reply along with your decision.";
@@ -101,10 +101,10 @@ const FOLLOWUP_CONVERSATION_TOOL_SCHEMA = {
     properties: {
       disposition: {
         type: "string",
-        enum: ["call_back", "message_back", "decline", "keep_pending"],
+        enum: ["call_back", "decline", "keep_pending"],
         description:
           "The guardian's intent: call_back to call the original caller, " +
-          "message_back to send a text message, decline to skip the follow-up, " +
+          "decline to skip the follow-up, " +
           "keep_pending if the intent is unclear (ask for clarification).",
       },
       replyText: {
@@ -118,7 +118,6 @@ const FOLLOWUP_CONVERSATION_TOOL_SCHEMA = {
 
 const VALID_FOLLOWUP_DISPOSITIONS: ReadonlySet<string> = new Set([
   "call_back",
-  "message_back",
   "decline",
   "keep_pending",
 ]);

package/src/daemon/handlers/config-slack-channel.ts

@@ -5,6 +5,7 @@ import {
   saveRawConfig,
   setNestedValue,
 } from "../../config/loader.js";
+import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   getSecureKey,
@@ -34,8 +35,12 @@ export interface SlackChannelConfigResult {
 // -- Business logic --
 
 export function getSlackChannelConfig(): SlackChannelConfigResult {
-  const hasBotToken = !!getSecureKey("credential:slack_channel:bot_token");
-  const hasAppToken = !!getSecureKey("credential:slack_channel:app_token");
+  const hasBotToken = !!getSecureKey(
+    credentialKey("slack_channel", "bot_token"),
+  );
+  const hasAppToken = !!getSecureKey(
+    credentialKey("slack_channel", "app_token"),
+  );
   const { teamId, teamName, botUserId, botUsername } = getConfig().slack;
   return {
     success: true,
@@ -79,10 +84,10 @@ export async function setSlackChannelConfig(
       };
       if (!data.ok) {
         const storedBotToken = !!getSecureKey(
-          "credential:slack_channel:bot_token",
+          credentialKey("slack_channel", "bot_token"),
         );
         const storedAppToken = !!getSecureKey(
-          "credential:slack_channel:app_token",
+          credentialKey("slack_channel", "app_token"),
         );
         return {
           success: false,
@@ -103,10 +108,10 @@ export async function setSlackChannelConfig(
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       const storedBotToken = !!getSecureKey(
-        "credential:slack_channel:bot_token",
+        credentialKey("slack_channel", "bot_token"),
       );
       const storedAppToken = !!getSecureKey(
-        "credential:slack_channel:app_token",
+        credentialKey("slack_channel", "app_token"),
       );
       return {
         success: false,
@@ -118,15 +123,15 @@ export async function setSlackChannelConfig(
     }
 
     const stored = await setSecureKeyAsync(
-      "credential:slack_channel:bot_token",
+      credentialKey("slack_channel", "bot_token"),
       botToken,
     );
     if (!stored) {
       const storedBotToken = !!getSecureKey(
-        "credential:slack_channel:bot_token",
+        credentialKey("slack_channel", "bot_token"),
       );
       const storedAppToken = !!getSecureKey(
-        "credential:slack_channel:app_token",
+        credentialKey("slack_channel", "app_token"),
       );
       return {
         success: false,
@@ -161,10 +166,10 @@ export async function setSlackChannelConfig(
   if (appToken) {
     if (!appToken.startsWith("xapp-")) {
       const storedBotToken = !!getSecureKey(
-        "credential:slack_channel:bot_token",
+        credentialKey("slack_channel", "bot_token"),
       );
       const storedAppToken = !!getSecureKey(
-        "credential:slack_channel:app_token",
+        credentialKey("slack_channel", "app_token"),
       );
       return {
         success: false,
@@ -176,15 +181,15 @@ export async function setSlackChannelConfig(
     }
 
     const stored = await setSecureKeyAsync(
-      "credential:slack_channel:app_token",
+      credentialKey("slack_channel", "app_token"),
       appToken,
     );
     if (!stored) {
       const storedBotToken = !!getSecureKey(
-        "credential:slack_channel:bot_token",
+        credentialKey("slack_channel", "bot_token"),
       );
       const storedAppToken = !!getSecureKey(
-        "credential:slack_channel:app_token",
+        credentialKey("slack_channel", "app_token"),
       );
       return {
         success: false,
@@ -198,8 +203,12 @@ export async function setSlackChannelConfig(
     upsertCredentialMetadata("slack_channel", "app_token", {});
   }
 
-  const hasBotToken = !!getSecureKey("credential:slack_channel:bot_token");
-  const hasAppToken = !!getSecureKey("credential:slack_channel:app_token");
+  const hasBotToken = !!getSecureKey(
+    credentialKey("slack_channel", "bot_token"),
+  );
+  const hasAppToken = !!getSecureKey(
+    credentialKey("slack_channel", "app_token"),
+  );
 
   if (hasBotToken && !hasAppToken) {
     warning =
@@ -220,12 +229,20 @@ export async function setSlackChannelConfig(
 }
 
 export async function clearSlackChannelConfig(): Promise<SlackChannelConfigResult> {
-  const r1 = await deleteSecureKeyAsync("credential:slack_channel:bot_token");
-  const r2 = await deleteSecureKeyAsync("credential:slack_channel:app_token");
+  const r1 = await deleteSecureKeyAsync(
+    credentialKey("slack_channel", "bot_token"),
+  );
+  const r2 = await deleteSecureKeyAsync(
+    credentialKey("slack_channel", "app_token"),
+  );
 
   if (r1 === "error" || r2 === "error") {
-    const hasBotToken = !!getSecureKey("credential:slack_channel:bot_token");
-    const hasAppToken = !!getSecureKey("credential:slack_channel:app_token");
+    const hasBotToken = !!getSecureKey(
+      credentialKey("slack_channel", "bot_token"),
+    );
+    const hasAppToken = !!getSecureKey(
+      credentialKey("slack_channel", "app_token"),
+    );
     return {
       success: false,
       hasBotToken,

package/src/daemon/handlers/config-telegram.ts

@@ -8,6 +8,7 @@ import {
   registerCallbackRoute,
   shouldUsePlatformCallbacks,
 } from "../../inbound/platform-callback-registration.js";
+import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   getSecureKey,
@@ -60,8 +61,10 @@ export type TelegramConfigResult = Omit<TelegramConfigResponse, "type">;
 // -- Extracted business logic functions --
 
 export function getTelegramConfig(): TelegramConfigResult {
-  const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
-  const hasWebhookSecret = !!getSecureKey("credential:telegram:webhook_secret");
+  const hasBotToken = !!getSecureKey(credentialKey("telegram", "bot_token"));
+  const hasWebhookSecret = !!getSecureKey(
+    credentialKey("telegram", "webhook_secret"),
+  );
   const botUsername = getTelegramBotUsername();
   return {
     success: true,
@@ -79,7 +82,7 @@ export async function setTelegramConfig(
   // Track provenance so we only rollback tokens that were freshly provided.
   const isNewToken = !!botToken;
   const resolvedToken =
-    botToken || getSecureKey("credential:telegram:bot_token");
+    botToken || getSecureKey(credentialKey("telegram", "bot_token"));
   if (!resolvedToken) {
     return {
       success: false,
@@ -133,7 +136,7 @@ export async function setTelegramConfig(
 
   // Store bot token securely (async — writes broker + encrypted store)
   const stored = await setSecureKeyAsync(
-    "credential:telegram:bot_token",
+    credentialKey("telegram", "bot_token"),
     resolvedToken,
   );
   if (!stored) {
@@ -156,12 +159,14 @@ export async function setTelegramConfig(
   invalidateConfigCache();
 
   // Ensure webhook secret exists (generate if missing)
-  let hasWebhookSecret = !!getSecureKey("credential:telegram:webhook_secret");
+  let hasWebhookSecret = !!getSecureKey(
+    credentialKey("telegram", "webhook_secret"),
+  );
   if (!hasWebhookSecret) {
     const { randomUUID } = await import("node:crypto");
     const webhookSecret = randomUUID();
     const secretStored = await setSecureKeyAsync(
-      "credential:telegram:webhook_secret",
+      credentialKey("telegram", "webhook_secret"),
       webhookSecret,
     );
     if (secretStored) {
@@ -172,7 +177,7 @@ export async function setTelegramConfig(
       // When the token came from secure storage it was already valid
       // configuration; deleting it would destroy working state.
       if (isNewToken) {
-        await deleteSecureKeyAsync("credential:telegram:bot_token");
+        await deleteSecureKeyAsync(credentialKey("telegram", "bot_token"));
         deleteCredentialMetadata("telegram", "bot_token");
       }
       // Always revert the config write — the botUsername was written
@@ -222,7 +227,7 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
   // The gateway reconcile short-circuits when credentials are absent,
   // so we must call the Telegram API directly while the token is still
   // available.
-  const botToken = getSecureKey("credential:telegram:bot_token");
+  const botToken = getSecureKey(credentialKey("telegram", "bot_token"));
   if (botToken) {
     try {
       await fetch(`https://api.telegram.org/bot${botToken}/deleteWebhook`);
@@ -234,13 +239,15 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
     }
   }
 
-  const r1 = await deleteSecureKeyAsync("credential:telegram:bot_token");
-  const r2 = await deleteSecureKeyAsync("credential:telegram:webhook_secret");
+  const r1 = await deleteSecureKeyAsync(credentialKey("telegram", "bot_token"));
+  const r2 = await deleteSecureKeyAsync(
+    credentialKey("telegram", "webhook_secret"),
+  );
 
   if (r1 === "error" || r2 === "error") {
-    const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
+    const hasBotToken = !!getSecureKey(credentialKey("telegram", "bot_token"));
     const hasWebhookSecret = !!getSecureKey(
-      "credential:telegram:webhook_secret",
+      credentialKey("telegram", "webhook_secret"),
     );
     return {
       success: false,
@@ -272,7 +279,7 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
 export async function setTelegramCommands(
   commands?: Array<{ command: string; description: string }>,
 ): Promise<TelegramConfigResult> {
-  const storedToken = getSecureKey("credential:telegram:bot_token");
+  const storedToken = getSecureKey(credentialKey("telegram", "bot_token"));
   if (!storedToken) {
     return {
       success: false,
@@ -302,8 +309,10 @@ export async function setTelegramCommands(
       return {
         success: false,
         hasBotToken: true,
-        connected: !!getSecureKey("credential:telegram:webhook_secret"),
-        hasWebhookSecret: !!getSecureKey("credential:telegram:webhook_secret"),
+        connected: !!getSecureKey(credentialKey("telegram", "webhook_secret")),
+        hasWebhookSecret: !!getSecureKey(
+          credentialKey("telegram", "webhook_secret"),
+        ),
         error: `Failed to set bot commands: ${body}`,
       };
     }
@@ -312,14 +321,18 @@ export async function setTelegramCommands(
     return {
       success: false,
       hasBotToken: true,
-      connected: !!getSecureKey("credential:telegram:webhook_secret"),
-      hasWebhookSecret: !!getSecureKey("credential:telegram:webhook_secret"),
+      connected: !!getSecureKey(credentialKey("telegram", "webhook_secret")),
+      hasWebhookSecret: !!getSecureKey(
+        credentialKey("telegram", "webhook_secret"),
+      ),
       error: `Failed to set bot commands: ${message}`,
     };
   }
 
-  const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
-  const hasWebhookSecret = !!getSecureKey("credential:telegram:webhook_secret");
+  const hasBotToken = !!getSecureKey(credentialKey("telegram", "bot_token"));
+  const hasWebhookSecret = !!getSecureKey(
+    credentialKey("telegram", "webhook_secret"),
+  );
   return {
     success: true,
     hasBotToken,
@@ -401,4 +414,4 @@ export async function handleTelegramConfig(
       error: message,
     });
   }
-}
+}

package/src/daemon/lifecycle.ts

@@ -54,6 +54,7 @@ import {
 import { ensureVellumGuardianBinding } from "../runtime/guardian-vellum-migration.js";
 import { RuntimeHttpServer } from "../runtime/http-server.js";
 import { startScheduler } from "../schedule/scheduler.js";
+import { migrateKeys } from "../security/credential-key.js";
 import { watchSessions } from "../tools/watch/watch-state.js";
 import { getLogger, initLogger } from "../util/logger.js";
 import {
@@ -136,6 +137,11 @@ export async function runDaemon(): Promise<void> {
 
     ensureDataDir();
 
+    // Migrate legacy colon-delimited credential keys to the new
+    // slash-delimited format. Must run after ensureDataDir() so the
+    // secure key store is available, and before any credential reads.
+    migrateKeys();
+
     // Load (or generate + persist) the auth signing key so tokens survive
     // daemon restarts. Must happen after ensureDataDir() creates the
     // protected directory.
@@ -193,7 +199,9 @@ export async function runDaemon(): Promise<void> {
       const httpTokenPath = join(getRootDir(), "http-token");
       writeFileSync(httpTokenPath, credentials.accessToken, { mode: 0o600 });
       chmodSync(httpTokenPath, 0o600);
-      log.info("Daemon startup: CLI edge token written to credential store and http-token");
+      log.info(
+        "Daemon startup: CLI edge token written to credential store and http-token",
+      );
     } else {
       log.warn("No guardian principal available — CLI edge token not written");
     }

package/src/daemon/message-types/integrations.ts

@@ -194,6 +194,7 @@ export interface IntegrationConnectResult {
 export interface OAuthConnectResultResponse {
   type: "oauth_connect_result";
   success: boolean;
+  service?: string;
   grantedScopes?: string[];
   accountInfo?: string;
   error?: string;

package/src/daemon/ride-shotgun-handler.ts

@@ -501,13 +501,15 @@ async function finalizeLearnRecording(
     // Save cookies to the encrypted credential store (keyed by target domain)
     // so they don't need to be persisted in the plaintext recording file.
     if (session.targetDomain && cookies.length > 0) {
+      const { credentialKey: credKey } =
+        await import("../security/credential-key.js");
       const { setSecureKeyAsync } = await import("../security/secure-keys.js");
       const { upsertCredentialMetadata } =
         await import("../tools/credentials/metadata-store.js");
 
       const service = session.targetDomain;
       const field = "session:cookies";
-      const storageKey = `credential:${service}:${field}`;
+      const storageKey = credKey(service, field);
       const stored = await setSecureKeyAsync(
         storageKey,
         JSON.stringify(cookies),

package/src/daemon/session-messaging.ts

@@ -446,7 +446,9 @@ export function redirectToSecurePrompt(
           "Ingress redirect: transient credential injected",
         );
       } else {
-        const key = `credential:${target.service}:${target.field}`;
+        const { credentialKey: credKey } =
+          await import("../security/credential-key.js");
+        const key = credKey(target.service, target.field);
         const stored = await setSecureKeyAsync(key, result.value);
         if (stored) {
           try {

package/src/daemon/session-tool-setup.ts

@@ -31,6 +31,10 @@ import {
   getAllToolDefinitions,
   getMcpToolDefinitions,
 } from "../tools/registry.js";
+import {
+  injectReasonField,
+  REASON_SKIP_SET,
+} from "../tools/schema-transforms.js";
 import type {
   ProxyApprovalCallback,
   ProxyApprovalRequest,
@@ -335,11 +339,23 @@ export function createToolExecutor(
     // with the real tool name.
     if (name === "skill_execute") {
       const toolName = typeof input.tool === "string" ? input.tool : "";
-      const toolInput =
+      const rawToolInput =
         input.input != null && typeof input.input === "object"
           ? (input.input as Record<string, unknown>)
           : {};
 
+      // Clone to avoid mutating shared input objects
+      const toolInput = { ...rawToolInput };
+
+      // Propagate outer reason when inner input lacks a valid one
+      if (
+        typeof input.reason === "string" &&
+        input.reason &&
+        (typeof toolInput.reason !== "string" || toolInput.reason.length === 0)
+      ) {
+        toolInput.reason = input.reason;
+      }
+
       if (!toolName) {
         return {
           content:
@@ -663,6 +679,6 @@ export function createResolveToolsCallback(
       turnAllowed.add(name);
     }
     ctx.allowedToolNames = turnAllowed;
-    return allBaseDefs;
+    return injectReasonField(allBaseDefs, REASON_SKIP_SET);
   };
 }

package/src/daemon/session.ts

@@ -324,7 +324,7 @@ export class Session {
       const resolved = {
         systemPrompt: hasSystemPromptOverride
           ? systemPrompt
-          : buildSystemPrompt(),
+          : buildSystemPrompt({ hasNoClient: this.hasNoClient }),
         maxTokens: configuredMaxTokens,
       };
       return resolved;

package/src/email/providers/index.ts

@@ -5,6 +5,7 @@
  */
 
 import { getNestedValue, loadRawConfig } from "../../config/loader.js";
+import { credentialKey } from "../../security/credential-key.js";
 import { getSecureKey } from "../../security/secure-keys.js";
 import { ConfigError } from "../../util/errors.js";
 import type { EmailProvider } from "../provider.js";
@@ -13,7 +14,7 @@ export const SUPPORTED_PROVIDERS = ["agentmail"] as const;
 export type SupportedProvider = (typeof SUPPORTED_PROVIDERS)[number];
 
 const PROVIDER_KEY_MAP: Record<SupportedProvider, string[]> = {
-  agentmail: ["agentmail", "credential:agentmail:api_key"],
+  agentmail: ["agentmail", credentialKey("agentmail", "api_key")],
 };
 
 /**

package/src/instrument.ts

@@ -1,7 +1,9 @@
+import { arch, platform, release } from "node:os";
+
 import * as Sentry from "@sentry/node";
 
 import { getSentryDsn } from "./config/env.js";
-import { APP_VERSION } from "./version.js";
+import { APP_VERSION, COMMIT_SHA } from "./version.js";
 
 /** Patterns that match sensitive data in Sentry event values. */
 const PII_PATTERNS = [
@@ -42,8 +44,20 @@ export function initSentry(): void {
   Sentry.init({
     dsn: getSentryDsn(),
     release: `vellum-assistant@${APP_VERSION}`,
+    dist: COMMIT_SHA,
     environment: APP_VERSION === "0.0.0-dev" ? "development" : "production",
     sendDefaultPii: false,
+    initialScope: {
+      tags: {
+        commit: COMMIT_SHA,
+        os_platform: platform(),
+        os_release: release(),
+        os_arch: arch(),
+        runtime: "bun",
+        runtime_version:
+          typeof Bun !== "undefined" ? Bun.version : process.version,
+      },
+    },
     beforeSend(event) {
       if (event.exception?.values) {
         event.exception.values = event.exception.values.map((ex) => ({

package/src/media/app-icon-generator.ts

@@ -11,8 +11,16 @@ import { join } from "node:path";
 
 import { getConfig } from "../config/loader.js";
 import { getAppsDir } from "../memory/app-store.js";
+import {
+  buildManagedBaseUrl,
+  resolveManagedProxyContext,
+} from "../providers/managed-proxy/context.js";
 import { getLogger } from "../util/logger.js";
-import { generateImage, mapGeminiError } from "./gemini-image-service.js";
+import {
+  generateImage,
+  type ImageGenCredentials,
+  mapGeminiError,
+} from "./gemini-image-service.js";
 
 const log = getLogger("app-icon-generator");
 
@@ -29,8 +37,26 @@ export async function generateAppIcon(
 ): Promise<void> {
   const config = getConfig();
   const apiKey = config.apiKeys.gemini ?? process.env.GEMINI_API_KEY;
-  if (!apiKey) {
-    log.debug("No Gemini API key — skipping app icon generation");
+
+  let credentials: ImageGenCredentials | undefined;
+  if (apiKey) {
+    credentials = { type: "direct", apiKey };
+  } else {
+    const managedBaseUrl = buildManagedBaseUrl("vertex");
+    if (managedBaseUrl) {
+      const ctx = resolveManagedProxyContext();
+      credentials = {
+        type: "managed-proxy",
+        assistantApiKey: ctx.assistantApiKey,
+        baseUrl: managedBaseUrl,
+      };
+    }
+  }
+
+  if (!credentials) {
+    log.debug(
+      "No Gemini API key or managed proxy — skipping app icon generation",
+    );
     return;
   }
 
@@ -58,7 +84,7 @@ export async function generateAppIcon(
   try {
     log.info({ appId, appName }, "Generating app icon via Gemini");
 
-    const result = await generateImage(apiKey, {
+    const result = await generateImage(credentials, {
       prompt,
       mode: "generate",
       model: config.imageGenModel,