npm - @vellumai/assistant - Versions diffs - 0.4.45 → 0.4.48 - Mend

@vellumai/assistant 0.4.45 → 0.4.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (236) hide show

package/ARCHITECTURE.md +6 -6
package/docs/architecture/memory.md +1 -1
package/docs/architecture/scheduling.md +2 -3
package/docs/architecture/security.md +5 -5
package/docs/trusted-contact-access.md +5 -6
package/package.json +4 -1
package/src/__tests__/avatar-e2e.test.ts +18 -219
package/src/__tests__/avatar-generator.test.ts +5 -57
package/src/__tests__/browser-fill-credential.test.ts +5 -2
package/src/__tests__/bundled-skill-retrieval-guard.test.ts +2 -1
package/src/__tests__/channel-readiness-routes.test.ts +20 -19
package/src/__tests__/cli.test.ts +23 -0
package/src/__tests__/credential-broker-browser-fill.test.ts +23 -22
package/src/__tests__/credential-broker-server-use.test.ts +22 -21
package/src/__tests__/credential-broker.test.ts +2 -1
package/src/__tests__/credential-metadata-store.test.ts +240 -18
package/src/__tests__/credential-resolve.test.ts +5 -4
package/src/__tests__/credential-security-e2e.test.ts +8 -8
package/src/__tests__/credential-security-invariants.test.ts +104 -7
package/src/__tests__/credential-vault-unit.test.ts +22 -20
package/src/__tests__/credential-vault.test.ts +284 -12
package/src/__tests__/credentials-cli.test.ts +11 -6
package/src/__tests__/gateway-only-enforcement.test.ts +4 -2
package/src/__tests__/gemini-image-service.test.ts +75 -45
package/src/__tests__/gemini-provider.test.ts +9 -6
package/src/__tests__/guardian-action-conversation-turn.test.ts +1 -33
package/src/__tests__/guardian-action-copy-generator.test.ts +0 -20
package/src/__tests__/guardian-action-followup-executor.test.ts +1 -28
package/src/__tests__/guardian-action-followup-store.test.ts +1 -1
package/src/__tests__/guardian-grant-minting.test.ts +35 -0
package/src/__tests__/integration-status.test.ts +53 -21
package/src/__tests__/managed-proxy-context.test.ts +5 -3
package/src/__tests__/media-generate-image.test.ts +63 -2
package/src/__tests__/media-reuse-story.e2e.test.ts +7 -3
package/src/__tests__/messaging-send-tool.test.ts +4 -6
package/src/__tests__/provider-fail-open-selection.test.ts +3 -1
package/src/__tests__/provider-managed-proxy-integration.test.ts +70 -6
package/src/__tests__/schedule-store.test.ts +1 -1
package/src/__tests__/schema-transforms.test.ts +226 -0
package/src/__tests__/script-proxy-injection-runtime.test.ts +23 -13
package/src/__tests__/script-proxy-policy-runtime.test.ts +1 -1
package/src/__tests__/script-proxy-session-manager.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +5 -3
package/src/__tests__/session-messaging-secret-redirect.test.ts +5 -4
package/src/__tests__/skills-uninstall.test.ts +2 -2
package/src/__tests__/skills.test.ts +0 -9
package/src/__tests__/slack-channel-config.test.ts +9 -8
package/src/__tests__/slack-share-routes.test.ts +11 -6
package/src/__tests__/telegram-bot-username-resolution.test.ts +3 -0
package/src/__tests__/twilio-config.test.ts +2 -1
package/src/__tests__/twilio-provider.test.ts +4 -2
package/src/__tests__/twilio-routes.test.ts +5 -4
package/src/__tests__/verification-control-plane-policy.test.ts +1 -1
package/src/approvals/AGENTS.md +1 -1
package/src/calls/call-domain.ts +7 -4
package/src/calls/twilio-config.ts +2 -1
package/src/calls/twilio-provider.ts +2 -1
package/src/calls/twilio-rest.ts +2 -2
package/src/cli/commands/browser-relay.ts +40 -15
package/src/cli/commands/credentials.ts +9 -8
package/src/cli/commands/oauth.ts +1 -1
package/src/cli.ts +3 -2
package/src/config/bundled-skills/claude-code/TOOLS.json +0 -4
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +29 -32
package/src/config/bundled-skills/gmail/SKILL.md +4 -4
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +54 -61
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +25 -28
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +14 -17
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +39 -44
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +61 -58
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +50 -49
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +11 -13
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +148 -146
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +4 -7
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +175 -173
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +4 -7
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +71 -76
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +32 -38
package/src/config/bundled-skills/google-calendar/SKILL.md +2 -2
package/src/config/bundled-skills/google-calendar/calendar-client.ts +70 -29
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +9 -10
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +5 -6
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +4 -5
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +14 -15
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +37 -37
package/src/config/bundled-skills/google-calendar/tools/shared.ts +4 -9
package/src/config/bundled-skills/image-studio/tools/media-generate-image.ts +24 -3
package/src/config/bundled-skills/messaging/SKILL.md +6 -6
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +62 -63
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +15 -16
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +6 -7
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +14 -15
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +128 -128
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +33 -34
package/src/config/bundled-skills/messaging/tools/shared.ts +11 -11
package/src/config/bundled-skills/notifications/SKILL.md +1 -1
package/src/config/bundled-skills/phone-calls/SKILL.md +5 -5
package/src/config/bundled-skills/schedule/SKILL.md +1 -1
package/src/config/bundled-skills/skill-management/SKILL.md +1 -1
package/src/config/bundled-skills/slack/tools/shared.ts +4 -10
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +15 -16
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +95 -92
package/src/config/loader.ts +6 -0
package/src/daemon/computer-use-session.ts +7 -1
package/src/daemon/guardian-action-generators.ts +4 -5
package/src/daemon/handlers/config-slack-channel.ts +37 -20
package/src/daemon/handlers/config-telegram.ts +33 -20
package/src/daemon/lifecycle.ts +9 -1
package/src/daemon/message-types/integrations.ts +1 -0
package/src/daemon/ride-shotgun-handler.ts +3 -1
package/src/daemon/session-messaging.ts +3 -1
package/src/daemon/session-tool-setup.ts +18 -2
package/src/daemon/session.ts +1 -1
package/src/email/providers/index.ts +2 -1
package/src/instrument.ts +15 -1
package/src/media/app-icon-generator.ts +30 -4
package/src/media/avatar-router.ts +28 -62
package/src/media/gemini-image-service.ts +28 -2
package/src/memory/canonical-guardian-store.ts +1 -1
package/src/memory/guardian-action-store.ts +1 -1
package/src/memory/schema/guardian.ts +1 -1
package/src/messaging/provider.ts +16 -10
package/src/messaging/providers/gmail/adapter.ts +40 -23
package/src/messaging/providers/gmail/client.ts +203 -122
package/src/messaging/providers/gmail/people-client.ts +26 -18
package/src/messaging/providers/slack/adapter.ts +29 -19
package/src/messaging/providers/slack/client.ts +265 -78
package/src/messaging/providers/telegram-bot/adapter.ts +5 -4
package/src/messaging/providers/whatsapp/adapter.ts +6 -3
package/src/messaging/registry.ts +2 -1
package/src/oauth/byo-connection.test.ts +436 -0
package/src/oauth/byo-connection.ts +112 -0
package/src/oauth/connect-orchestrator.ts +27 -0
package/src/oauth/connection-resolver.ts +34 -0
package/src/oauth/connection.ts +38 -0
package/src/oauth/platform-connection.test.ts +163 -0
package/src/oauth/platform-connection.ts +110 -0
package/src/oauth/provider-base-urls.ts +21 -0
package/src/oauth/provider-profiles.ts +1 -1
package/src/oauth/token-persistence.ts +20 -20
package/src/permissions/checker.ts +6 -1
package/src/prompts/system-prompt.ts +52 -15
package/src/prompts/templates/BOOTSTRAP.md +1 -1
package/src/providers/gemini/client.ts +15 -6
package/src/providers/managed-proxy/constants.ts +2 -2
package/src/providers/managed-proxy/context.ts +5 -1
package/src/providers/ratelimit.ts +17 -0
package/src/providers/registry.ts +2 -2
package/src/runtime/AGENTS.md +18 -1
package/src/runtime/auth/route-policy.ts +1 -0
package/src/runtime/channel-invite-transports/telegram.ts +2 -1
package/src/runtime/channel-readiness-service.ts +168 -195
package/src/runtime/channel-readiness-types.ts +4 -0
package/src/runtime/guardian-action-conversation-turn.ts +1 -3
package/src/runtime/guardian-action-followup-executor.ts +1 -2
package/src/runtime/guardian-action-message-composer.ts +3 -23
package/src/runtime/http-server.ts +9 -4
package/src/runtime/http-types.ts +0 -1
package/src/runtime/middleware/rate-limiter.ts +74 -20
package/src/runtime/middleware/twilio-validation.ts +1 -3
package/src/runtime/routes/channel-readiness-routes.ts +2 -0
package/src/runtime/routes/diagnostics-routes.ts +11 -9
package/src/runtime/routes/guardian-approval-interception.ts +20 -5
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +71 -25
package/src/runtime/routes/inbound-stages/guardian-reply-intercept.ts +12 -5
package/src/runtime/routes/integrations/slack/share.ts +3 -2
package/src/runtime/routes/integrations/twilio.ts +6 -5
package/src/runtime/routes/secret-routes.ts +3 -2
package/src/runtime/routes/settings-routes.ts +75 -17
package/src/runtime/telegram-streaming-delivery.test.ts +132 -0
package/src/runtime/telegram-streaming-delivery.ts +11 -1
package/src/schedule/integration-status.ts +5 -4
package/src/security/credential-key.ts +170 -0
package/src/security/token-manager.ts +36 -7
package/src/tools/apps/definitions.ts +0 -5
package/src/tools/assets/materialize.ts +0 -5
package/src/tools/assets/search.ts +0 -5
package/src/tools/browser/headless-browser.ts +1 -67
package/src/tools/claude-code/claude-code.ts +0 -5
package/src/tools/computer-use/request-computer-control.ts +0 -5
package/src/tools/credentials/broker.ts +6 -4
package/src/tools/credentials/metadata-store.ts +72 -20
package/src/tools/credentials/resolve.ts +2 -1
package/src/tools/credentials/vault.ts +77 -16
package/src/tools/filesystem/edit.ts +1 -6
package/src/tools/filesystem/read.ts +0 -5
package/src/tools/filesystem/write.ts +1 -6
package/src/tools/host-filesystem/edit.ts +1 -6
package/src/tools/host-filesystem/read.ts +1 -6
package/src/tools/host-filesystem/write.ts +1 -6
package/src/tools/mcp/mcp-tool-factory.ts +18 -1
package/src/tools/memory/definitions.ts +0 -5
package/src/tools/network/web-fetch.ts +0 -5
package/src/tools/network/web-search.ts +0 -5
package/src/tools/schema-transforms.ts +99 -0
package/src/tools/skills/load.ts +0 -5
package/src/tools/swarm/delegate.ts +0 -5
package/src/tools/system/avatar-generator.ts +3 -44
package/src/tools/ui-surface/definitions.ts +0 -15
package/src/tools/watch/screen-watch.ts +0 -5
package/src/version.ts +10 -0
package/src/watcher/providers/github.ts +51 -52
package/src/watcher/providers/gmail.ts +88 -80
package/src/watcher/providers/google-calendar.ts +93 -86
package/src/watcher/providers/linear.ts +87 -93
package/src/__tests__/avatar-router.test.ts +0 -149
package/src/__tests__/managed-avatar-client.test.ts +0 -337
package/src/config/bundled-skills/doordash/SKILL.md +0 -170
package/src/config/bundled-skills/doordash/__tests__/doordash-client.test.ts +0 -205
package/src/config/bundled-skills/doordash/__tests__/doordash-session.test.ts +0 -74
package/src/config/bundled-skills/doordash/doordash-cli.ts +0 -1081
package/src/config/bundled-skills/doordash/doordash-entry.ts +0 -22
package/src/config/bundled-skills/doordash/lib/cart-queries.ts +0 -787
package/src/config/bundled-skills/doordash/lib/client.ts +0 -1069
package/src/config/bundled-skills/doordash/lib/order-queries.ts +0 -85
package/src/config/bundled-skills/doordash/lib/queries.ts +0 -28
package/src/config/bundled-skills/doordash/lib/query-extractor.ts +0 -94
package/src/config/bundled-skills/doordash/lib/search-queries.ts +0 -203
package/src/config/bundled-skills/doordash/lib/session.ts +0 -96
package/src/config/bundled-skills/doordash/lib/shared/errors.ts +0 -61
package/src/config/bundled-skills/doordash/lib/shared/network-recorder.ts +0 -380
package/src/config/bundled-skills/doordash/lib/shared/platform.ts +0 -55
package/src/config/bundled-skills/doordash/lib/shared/recording-store.ts +0 -43
package/src/config/bundled-skills/doordash/lib/shared/recording-types.ts +0 -49
package/src/config/bundled-skills/doordash/lib/shared/truncate.ts +0 -6
package/src/config/bundled-skills/doordash/lib/store-queries.ts +0 -246
package/src/config/bundled-skills/doordash/lib/types.ts +0 -367
package/src/media/avatar-types.ts +0 -53
package/src/media/managed-avatar-client.ts +0 -225

package/src/runtime/routes/settings-routes.ts CHANGED Viewed

@@ -23,19 +23,30 @@ import {
   generateAllowlistOptions,
   generateScopeOptions,
 } from "../../permissions/checker.js";
+import { credentialKey } from "../../security/credential-key.js";
 import { getSecureKey } from "../../security/secure-keys.js";
 import { parseToolManifestFile } from "../../skills/tool-manifest.js";
-import { assertMetadataWritable } from "../../tools/credentials/metadata-store.js";
+import {
+  assertMetadataWritable,
+  getCredentialMetadata,
+} from "../../tools/credentials/metadata-store.js";
 import {
   type ManifestOverride,
   resolveExecutionTarget,
 } from "../../tools/execution-target.js";
 import { getAllTools, getTool } from "../../tools/registry.js";
+import {
+  injectReasonField,
+  REASON_SKIP_SET,
+} from "../../tools/schema-transforms.js";
 import { isSideEffectTool } from "../../tools/side-effects.js";
 import { setAvatarTool } from "../../tools/system/avatar-generator.js";
 import { pathExists } from "../../util/fs.js";
 import { getLogger } from "../../util/logger.js";
 import { getWorkspaceDir } from "../../util/platform.js";
+import { buildAssistantEvent } from "../assistant-event.js";
+import { assistantEventHub } from "../assistant-event-hub.js";
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 import { resolveWorkspacePath } from "./workspace-utils.js";
@@ -134,9 +145,9 @@ function getClientSecret(
   rawService: string,
 ): string | undefined {
   return (
-    getSecureKey(`credential:${resolvedService}:client_secret`) ??
+    getSecureKey(credentialKey(resolvedService, "client_secret")) ??
     (resolvedService !== rawService
-      ? getSecureKey(`credential:${rawService}:client_secret`)
+      ? getSecureKey(credentialKey(rawService, "client_secret"))
       : undefined) ??
     undefined
   );
@@ -162,9 +173,16 @@ async function handleOAuthConnectStart(body: {
   const resolvedService = resolveService(body.service);
-  let clientId = getSecureKey(`credential:${resolvedService}:client_id`);
+  // client_id is stored in metadata (oauth2ClientId), not the secure store.
+  let clientId = getCredentialMetadata(
+    resolvedService,
+    "access_token",
+  )?.oauth2ClientId;
   if (!clientId && resolvedService !== body.service) {
-    clientId = getSecureKey(`credential:${body.service}:client_id`);
+    clientId = getCredentialMetadata(
+      body.service,
+      "access_token",
+    )?.oauth2ClientId;
   }
   if (!clientId) {
@@ -203,6 +221,36 @@ async function handleOAuthConnectStart(body: {
       openUrl: (url: string) => {
         authUrl = url;
       },
+      onDeferredComplete: (deferredResult) => {
+        // Emit oauth_connect_result to all connected SSE clients so the
+        // UI can update immediately when the deferred browser flow completes.
+        assistantEventHub
+          .publish(
+            buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, {
+              type: "oauth_connect_result",
+              success: deferredResult.success,
+              service: deferredResult.service,
+              accountInfo: deferredResult.accountInfo,
+              error: deferredResult.error,
+            }),
+          )
+          .catch((err) => {
+            log.warn(
+              { err, service: deferredResult.service },
+              "Failed to publish oauth_connect_result event",
+            );
+          });
+        if (!deferredResult.success) {
+          log.warn(
+            {
+              service: deferredResult.service,
+              err: deferredResult.error,
+            },
+            "Deferred OAuth connect failed",
+          );
+        }
+      },
     });
     if (!result.success) {
@@ -309,23 +357,34 @@ function resolveManifestOverride(
 function handleToolNamesList(): Response {
   const tools = getAllTools();
   const nameSet = new Set(tools.map((t) => t.name));
-  const schemas: Record<
-    string,
-    {
-      type: string;
-      properties?: Record<string, unknown>;
-      required?: string[];
-    }
-  > = {};
+  type SchemaShape = {
+    type: string;
+    properties?: Record<string, unknown>;
+    required?: string[];
+  };
+  const schemas: Record<string, SchemaShape> = {};
+  // Collect raw definitions from the registry so we can transform them.
+  const rawDefs: import("../../providers/types.js").ToolDefinition[] = [];
   for (const tool of tools) {
     try {
-      const def = tool.getDefinition();
-      schemas[tool.name] = def.input_schema as (typeof schemas)[string];
+      rawDefs.push(tool.getDefinition());
     } catch {
       // Skip tools whose definitions can't be resolved
     }
   }
+  // Apply reason injection so settings/debug schemas match runtime behavior.
+  const transformedDefs = injectReasonField(rawDefs, REASON_SKIP_SET);
+  for (const def of transformedDefs) {
+    schemas[def.name] = def.input_schema as SchemaShape;
+  }
+  // Skill manifest schemas are served raw (untransformed). Unlike runtime tool
+  // schemas which have `reason` injected via injectReasonField(), skill manifests
+  // reflect the original TOOLS.json content. This is intentional: skill tools are
+  // invoked through skill_execute (which has its own reason field), so their
+  // individual schemas are never sent to the LLM directly.
   try {
     const catalog = loadSkillCatalog();
     for (const skill of catalog) {
@@ -337,8 +396,7 @@ function handleToolNamesList(): Response {
         for (const entry of manifest.tools) {
           if (nameSet.has(entry.name)) continue;
           nameSet.add(entry.name);
-          schemas[entry.name] =
-            entry.input_schema as unknown as (typeof schemas)[string];
+          schemas[entry.name] = entry.input_schema as unknown as SchemaShape;
         }
       } catch {
         // Skip skills whose manifests can't be parsed

package/src/runtime/telegram-streaming-delivery.test.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import type { ApprovalUIMetadata } from "./channel-approval-types.js";
 import type { ChannelDeliveryResult } from "./gateway-client.js";
 // ---------------------------------------------------------------------------
@@ -494,6 +495,137 @@ describe("TelegramStreamingDelivery", () => {
     expect(delivery.finishSucceeded).toBe(true);
   });
+  // ── Test 5j: no-messageId + tool_use_start + finish delivers post-tool text ─
+  test("no-messageId + tool_use_start + finish delivers post-tool text", async () => {
+    // Scenario from Devin review: initial send succeeds without messageId,
+    // more deltas arrive, tool_use_start fires, finish() must deliver post-tool text.
+    mockDeliverChannelReply.mockReset();
+    let localCallCount = 0;
+    mockDeliverChannelReply.mockImplementation(
+      async (): Promise<ChannelDeliveryResult> => {
+        localCallCount++;
+        if (localCallCount === 1) return { ok: true }; // no messageId
+        return { ok: true, messageId: 400 };
+      },
+    );
+    const delivery = createDelivery();
+    // Step 1: initial send (>= 20 chars), succeeds without messageId
+    delivery.onEvent({
+      type: "assistant_text_delta",
+      text: "a".repeat(25),
+    });
+    await flushPromises();
+    expect(mockDeliverChannelReply).toHaveBeenCalledTimes(1);
+    // Step 2: more deltas arrive — stuck in buffer (onTextDelta skips both branches)
+    delivery.onEvent({
+      type: "assistant_text_delta",
+      text: "post-tool text",
+    });
+    await flushPromises();
+    expect(mockDeliverChannelReply).toHaveBeenCalledTimes(1); // no new call
+    // Step 3: tool_use_start — buffer should NOT be moved to currentMessageText
+    delivery.onEvent({
+      type: "tool_use_start",
+      toolName: "some_tool",
+      input: {},
+    });
+    // Step 4: finish() — should deliver the post-tool text as a new message
+    await delivery.finish();
+    expect(mockDeliverChannelReply).toHaveBeenCalledTimes(2);
+    const secondPayload = callPayload(1);
+    expect(secondPayload.text).toBe("post-tool text");
+    expect(secondPayload.messageId).toBeUndefined(); // new message, not edit
+    expect(delivery.finishSucceeded).toBe(true);
+  });
+  // ── Test 5k: no-messageId + finish with approval sends approval as new message ─
+  test("no-messageId + finish with approval sends approval as new message", async () => {
+    // Scenario from Codex review: initial send succeeds without messageId,
+    // no additional buffer, but finish(approval) must still deliver approval buttons.
+    mockDeliverChannelReply.mockReset();
+    mockDeliverChannelReply.mockImplementation(
+      async (): Promise<ChannelDeliveryResult> => {
+        return { ok: true }; // no messageId
+      },
+    );
+    const delivery = createDelivery();
+    // Initial send succeeds without messageId
+    delivery.onEvent({
+      type: "assistant_text_delta",
+      text: "a".repeat(25),
+    });
+    await flushPromises();
+    expect(mockDeliverChannelReply).toHaveBeenCalledTimes(1);
+    // finish() with approval — approval must not be silently dropped
+    const approval: ApprovalUIMetadata = {
+      requestId: "test-req",
+      actions: [{ id: "approve_once", label: "Approve" }],
+      plainTextFallback: "Reply APPROVE or REJECT",
+    };
+    await delivery.finish(approval);
+    expect(mockDeliverChannelReply).toHaveBeenCalledTimes(2);
+    const secondPayload = callPayload(1);
+    // Approval buttons sent as a new message
+    expect(secondPayload.approval).toEqual(approval);
+    expect(secondPayload.messageId).toBeUndefined();
+    expect(delivery.finishSucceeded).toBe(true);
+  });
+  // ── Test 5l: no-messageId + buffer + finish with approval delivers both ─
+  test("no-messageId + buffer + finish with approval delivers both text and approval", async () => {
+    // Combined scenario: no-messageId initial send, buffered text, and approval buttons.
+    mockDeliverChannelReply.mockReset();
+    let localCallCount = 0;
+    mockDeliverChannelReply.mockImplementation(
+      async (): Promise<ChannelDeliveryResult> => {
+        localCallCount++;
+        if (localCallCount === 1) return { ok: true }; // no messageId
+        return { ok: true, messageId: 500 };
+      },
+    );
+    const delivery = createDelivery();
+    // Initial send succeeds without messageId
+    delivery.onEvent({
+      type: "assistant_text_delta",
+      text: "a".repeat(25),
+    });
+    await flushPromises();
+    expect(mockDeliverChannelReply).toHaveBeenCalledTimes(1);
+    // More deltas arrive
+    delivery.onEvent({
+      type: "assistant_text_delta",
+      text: "remainder",
+    });
+    // finish() with approval — should deliver buffer text + approval together
+    const approval: ApprovalUIMetadata = {
+      requestId: "test-req",
+      actions: [{ id: "approve_once", label: "Approve" }],
+      plainTextFallback: "Reply APPROVE or REJECT",
+    };
+    await delivery.finish(approval);
+    expect(mockDeliverChannelReply).toHaveBeenCalledTimes(2);
+    const secondPayload = callPayload(1);
+    expect(secondPayload.text).toBe("remainder");
+    expect(secondPayload.approval).toEqual(approval);
+    expect(secondPayload.messageId).toBeUndefined();
+    expect(delivery.finishSucceeded).toBe(true);
+  });
   // ── Test 6: skips final edit when text hasn't changed ───────────────
   test("skips final edit when text hasn't changed", async () => {
     const delivery = createDelivery();

package/src/runtime/telegram-streaming-delivery.ts CHANGED Viewed

@@ -51,11 +51,13 @@ export class TelegramStreamingDelivery {
         // Flush buffer and send an edit so the message is up-to-date before the tool runs
         if (this.buffer.length > 0 && this.currentMessageId) {
           this.flushEdit();
-        } else if (this.buffer.length > 0) {
+        } else if (this.buffer.length > 0 && !this.textDelivered) {
           // No message sent yet — just move buffer to currentMessageText
           this.currentMessageText += this.buffer;
           this.buffer = "";
         }
+        // When textDelivered is true but currentMessageId is null (no-messageId
+        // response), leave buffer as-is so finish() sends it as a new message.
         break;
       case "message_complete":
         // Don't finalize here — let finish() handle it
@@ -121,6 +123,14 @@ export class TelegramStreamingDelivery {
       return;
     }
+    // Text was delivered but no messageId was returned, and there are approval
+    // buttons to attach. Send them as a new message so they aren't silently dropped.
+    if (!this.currentMessageId && this.textDelivered && approval) {
+      await this.sendNewMessage("", approval);
+      this.finishOk = true;
+      return;
+    }
     // Final edit with approval buttons if present.
     // Skip the edit when text hasn't changed since the last successful
     // delivery and there are no approval buttons to attach — sending the

package/src/schedule/integration-status.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { hasTwilioCredentials } from "../calls/twilio-rest.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 interface IntegrationProbe {
@@ -13,13 +14,13 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
     name: "Gmail",
     category: "email",
     isConnected: () =>
-      !!getSecureKey("credential:integration:gmail:access_token"),
+      !!getSecureKey(credentialKey("integration:gmail", "access_token")),
   },
   {
     name: "Slack",
     category: "messaging",
     isConnected: () =>
-      !!getSecureKey("credential:integration:slack:access_token"),
+      !!getSecureKey(credentialKey("integration:slack", "access_token")),
   },
   {
     name: "Twilio",
@@ -30,8 +31,8 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
     name: "Telegram",
     category: "messaging",
     isConnected: () =>
-      !!getSecureKey("credential:telegram:bot_token") &&
-      !!getSecureKey("credential:telegram:webhook_secret"),
+      !!getSecureKey(credentialKey("telegram", "bot_token")) &&
+      !!getSecureKey(credentialKey("telegram", "webhook_secret")),
   },
 ];

package/src/security/credential-key.ts ADDED Viewed

@@ -0,0 +1,170 @@
+/**
+ * Single source of truth for credential key format in the secure store.
+ *
+ * Keys follow the pattern: credential/{service}/{field}
+ *
+ * Previously, keys used colons as delimiters (credential:service:field),
+ * which was ambiguous when service names contained colons (e.g.
+ * "integration:gmail"). The slash-delimited format avoids this.
+ */
+import { listCredentialMetadata } from "../tools/credentials/metadata-store.js";
+import { getLogger } from "../util/logger.js";
+import {
+  deleteSecureKey,
+  getSecureKey,
+  listSecureKeys,
+  setSecureKey,
+} from "./secure-keys.js";
+const log = getLogger("credential-key");
+/**
+ * Build a credential key for the secure store.
+ *
+ * @returns A key of the form `credential/{service}/{field}`
+ */
+export function credentialKey(service: string, field: string): string {
+  return `credential/${service}/${field}`;
+}
+// ---------------------------------------------------------------------------
+// Migration from colon-delimited keys
+// ---------------------------------------------------------------------------
+let migrated = false;
+/**
+ * Migrate any legacy colon-delimited credential keys to the new
+ * slash-delimited format. Idempotent: skips keys that already exist
+ * under the new format, and only runs once per process (guarded by a
+ * module-level flag).
+ *
+ * Legacy key format: `credential:<service>:<field>`
+ * New key format:    `credential/<service>/<field>`
+ *
+ * The old colon-delimited format is ambiguous when either the service
+ * or field name contains colons — for `credential:A:B:C:D`, you can't
+ * tell where the service ends and the field begins without external
+ * context.
+ *
+ * To resolve this, the function first consults the credential metadata
+ * store to find which (service, field) pair matches a valid split.
+ * If no metadata match is found, it falls back to splitting on the
+ * **first** colon after the prefix — this handles the common case
+ * where service names are simple (e.g. "doordash.com") and field
+ * names may contain colons (e.g. "session:cookies").
+ */
+export function migrateKeys(): void {
+  if (migrated) return;
+  migrated = true;
+  let allKeys: string[];
+  try {
+    allKeys = listSecureKeys();
+  } catch (err) {
+    log.warn({ err }, "Failed to list secure keys during migration");
+    return;
+  }
+  const colonKeys = allKeys.filter(
+    (k) => k.startsWith("credential:") && !k.startsWith("credential/"),
+  );
+  if (colonKeys.length === 0) return;
+  log.info(
+    { count: colonKeys.length },
+    "Migrating colon-delimited credential keys to slash-delimited format",
+  );
+  // Build a set of known (service, field) pairs from credential metadata
+  // to disambiguate colon-delimited keys.
+  const knownPairs = new Set<string>();
+  try {
+    for (const meta of listCredentialMetadata()) {
+      knownPairs.add(`${meta.service}\0${meta.field}`);
+    }
+  } catch {
+    // If metadata is unavailable, we'll rely on the first-colon fallback.
+  }
+  for (const oldKey of colonKeys) {
+    // Strip the "credential:" prefix — `rest` is "service:field" with
+    // potential colons in either part.
+    const rest = oldKey.slice("credential:".length);
+    const parsed = parseServiceField(rest, knownPairs);
+    if (parsed === undefined) {
+      log.warn({ key: oldKey }, "Skipping malformed credential key");
+      continue;
+    }
+    const { service, field } = parsed;
+    const newKey = credentialKey(service, field);
+    // Skip if the new key already exists (idempotent)
+    if (getSecureKey(newKey) !== undefined) {
+      // Clean up old key
+      deleteSecureKey(oldKey);
+      continue;
+    }
+    const value = getSecureKey(oldKey);
+    if (value === undefined) {
+      continue;
+    }
+    const ok = setSecureKey(newKey, value);
+    if (ok) {
+      deleteSecureKey(oldKey);
+    } else {
+      log.warn(
+        { oldKey, newKey },
+        "Failed to write migrated key; keeping old key",
+      );
+    }
+  }
+}
+/**
+ * Parse a "service:field" string, using known metadata pairs to
+ * disambiguate when colons appear in either part.
+ *
+ * Strategy:
+ * 1. Try every possible split position and check against metadata.
+ * 2. If no metadata match, fall back to splitting on the first colon
+ *    (field names with colons are more common than service names with colons).
+ *
+ * Returns undefined for malformed keys that have no colon.
+ */
+function parseServiceField(
+  rest: string,
+  knownPairs: Set<string>,
+): { service: string; field: string } | undefined {
+  const firstColon = rest.indexOf(":");
+  if (firstColon <= 0) return undefined;
+  // Try each possible split position against metadata
+  if (knownPairs.size > 0) {
+    for (let i = firstColon; i < rest.length; i++) {
+      if (rest[i] !== ":") continue;
+      const service = rest.slice(0, i);
+      const field = rest.slice(i + 1);
+      if (field.length > 0 && knownPairs.has(`${service}\0${field}`)) {
+        return { service, field };
+      }
+    }
+  }
+  // Fallback: split on first colon — handles simple services with
+  // compound field names (e.g. "doordash.com:session:cookies").
+  return {
+    service: rest.slice(0, firstColon),
+    field: rest.slice(firstColon + 1),
+  };
+}
+/** @internal Test-only: reset the migration guard so migrateKeys() runs again. */
+export function _resetMigrationFlag(): void {
+  migrated = false;
+}

package/src/security/token-manager.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import {
   upsertCredentialMetadata,
 } from "../tools/credentials/metadata-store.js";
 import { getLogger } from "../util/logger.js";
+import { credentialKey, migrateKeys } from "./credential-key.js";
 import { refreshOAuth2Token, type TokenEndpointAuthMethod } from "./oauth2.js";
 import { getSecureKey, setSecureKeyAsync } from "./secure-keys.js";
@@ -106,11 +107,34 @@ function recordRefreshFailure(service: string): void {
   }
 }
+// ── Per-service refresh deduplication ─────────────────────────────────
+// When multiple concurrent `withValidToken` calls detect an expired or
+// 401-rejected token for the same service, only one actual refresh
+// attempt is made. Other callers join the in-flight promise.
+const inflightRefreshes = new Map<string, Promise<string>>();
+function deduplicatedRefresh(service: string): Promise<string> {
+  const existing = inflightRefreshes.get(service);
+  if (existing) return existing;
+  const promise = doRefresh(service).finally(() => {
+    inflightRefreshes.delete(service);
+  });
+  inflightRefreshes.set(service, promise);
+  return promise;
+}
 /** @internal Test-only: reset all circuit breaker state */
 export function _resetRefreshBreakers(): void {
   refreshBreakers.clear();
 }
+/** @internal Test-only: reset in-flight refresh deduplication state */
+export function _resetInflightRefreshes(): void {
+  inflightRefreshes.clear();
+}
 /** @internal Test-only: get breaker state for a service */
 export function _getRefreshBreakerState(
   service: string,
@@ -148,7 +172,7 @@ function isTokenExpired(service: string): boolean {
  * Throws `TokenExpiredError` if refresh is not possible.
  */
 async function doRefresh(service: string): Promise<string> {
-  const refreshToken = getSecureKey(`credential:${service}:refresh_token`);
+  const refreshToken = getSecureKey(credentialKey(service, "refresh_token"));
   if (!refreshToken) {
     throw new TokenExpiredError(
       service,
@@ -175,7 +199,7 @@ async function doRefresh(service: string): Promise<string> {
     );
   }
-  const clientSecret = meta?.oauth2ClientSecret as string | undefined;
+  const clientSecret = getSecureKey(credentialKey(service, "client_secret"));
   const authMethod = meta?.oauth2TokenEndpointAuthMethod as
     | TokenEndpointAuthMethod
     | undefined;
@@ -219,7 +243,7 @@ async function doRefresh(service: string): Promise<string> {
   if (
     !(await setSecureKeyAsync(
-      `credential:${service}:access_token`,
+      credentialKey(service, "access_token"),
       result.accessToken,
     ))
   ) {
@@ -232,7 +256,7 @@ async function doRefresh(service: string): Promise<string> {
   if (result.refreshToken) {
     if (
       !(await setSecureKeyAsync(
-        `credential:${service}:refresh_token`,
+        credentialKey(service, "refresh_token"),
         result.refreshToken,
       ))
     ) {
@@ -265,12 +289,17 @@ async function doRefresh(service: string): Promise<string> {
  * 1. Retrieves the stored access token (throws if none exists).
  * 2. If the token is expired or near-expiry, refreshes it before calling the callback.
  * 3. If the callback throws with a 401 status, attempts one refresh-and-retry cycle.
+ *
+ * @deprecated Use `resolveOAuthConnection(service).request()` instead.
+ * Retained only for BYO connection internals.
  */
 export async function withValidToken<T>(
   service: string,
   callback: (token: string) => Promise<T>,
 ): Promise<T> {
-  let token = getSecureKey(`credential:${service}:access_token`);
+  migrateKeys();
+  let token = getSecureKey(credentialKey(service, "access_token"));
   if (!token) {
     throw new TokenExpiredError(
       service,
@@ -280,14 +309,14 @@ export async function withValidToken<T>(
   // Proactively refresh if expired or about to expire.
   if (isTokenExpired(service)) {
-    token = await doRefresh(service);
+    token = await deduplicatedRefresh(service);
   }
   try {
     return await callback(token);
   } catch (err: unknown) {
     if (is401Error(err)) {
-      token = await doRefresh(service);
+      token = await deduplicatedRefresh(service);
       return callback(token);
     }
     throw err;

package/src/tools/apps/definitions.ts CHANGED Viewed

@@ -51,11 +51,6 @@ const appOpenTool: Tool = {
             description:
               "Display mode. 'preview' shows an inline preview card in chat. 'workspace' opens the full app in a workspace panel. Defaults to 'workspace'.",
           },
-          reason: {
-            type: "string",
-            description:
-              "Brief non-technical explanation of what you are opening and why, shown to the user as a status update. Use simple language a non-technical person would understand.",
-          },
         },
         required: ["app_id"],
       },

package/src/tools/assets/materialize.ts CHANGED Viewed

@@ -95,11 +95,6 @@ const definition: ToolDefinition = {
         description:
           "Path where the file should be written, relative to (or inside) the sandbox working directory.",
       },
-      reason: {
-        type: "string",
-        description:
-          "Brief non-technical explanation of what you are saving and why, shown to the user as a status update. Use simple language a non-technical person would understand.",
-      },
     },
     required: ["attachment_id", "destination_path"],
   },

package/src/tools/assets/search.ts CHANGED Viewed

@@ -298,11 +298,6 @@ const definition: ToolDefinition = {
         type: "number",
         description: `Maximum results to return (default ${DEFAULT_LIMIT}, max ${MAX_RESULTS}).`,
       },
-      reason: {
-        type: "string",
-        description:
-          "Brief non-technical explanation of what you are searching for and why, shown to the user as a status update. Use simple language a non-technical person would understand.",
-      },
     },
     required: [],
   },