@vellumai/assistant 0.4.45 → 0.4.48

package/src/__tests__/secret-onetime-send.test.ts

@@ -69,6 +69,8 @@ mock.module("./policy-validate.js", () => ({
   }),
 }));
 
+import { credentialKey } from "../security/credential-key.js";
+
 const { credentialStoreTool } = await import("../tools/credentials/vault.js");
 
 describe("one-time send override", () => {
@@ -96,7 +98,7 @@ describe("one-time send override", () => {
     expect(result.isError).toBe(true);
     expect(result.content).toContain("not enabled");
     // Value must NOT be stored in keychain
-    expect(storedKeys.has("credential:svc:key")).toBe(false);
+    expect(storedKeys.has(credentialKey("svc", "key"))).toBe(false);
   });
 
   test("transient_send succeeds when allowOneTimeSend is enabled", async () => {
@@ -119,7 +121,7 @@ describe("one-time send override", () => {
     expect(result.isError).toBe(false);
     expect(result.content).toContain("NOT saved");
     // Value must NOT be stored in keychain
-    expect(storedKeys.has("credential:svc:key")).toBe(false);
+    expect(storedKeys.has(credentialKey("svc", "key"))).toBe(false);
   });
 
   test("store delivery always persists to keychain regardless of allowOneTimeSend", async () => {
@@ -138,7 +140,7 @@ describe("one-time send override", () => {
     );
     expect(result.isError).toBe(false);
     expect(result.content).toContain("stored");
-    expect(storedKeys.has("credential:svc:key")).toBe(true);
+    expect(storedKeys.has(credentialKey("svc", "key"))).toBe(true);
   });
 
   test("transient_send response content never contains the secret value", async () => {

package/src/__tests__/session-messaging-secret-redirect.test.ts

@@ -5,6 +5,7 @@ import {
   redirectToSecurePrompt,
 } from "../daemon/session-messaging.js";
 import type { SecretPrompter } from "../permissions/secret-prompter.js";
+import { credentialKey } from "../security/credential-key.js";
 
 const setSecureKeyMock = mock((_key?: string, _value?: string) => true);
 const upsertCredentialMetadataMock = mock(
@@ -108,7 +109,7 @@ describe("session-messaging secret redirect", () => {
       label: "Telegram Bot Token",
     });
     expect(setSecureKeyMock).toHaveBeenCalledWith(
-      "credential:telegram:bot_token",
+      credentialKey("telegram", "bot_token"),
       "123456789:ABCDefGHIJklmnopQRSTuvwxyz012345678",
     );
     expect(upsertCredentialMetadataMock).toHaveBeenCalledWith(
@@ -158,7 +159,7 @@ describe("session-messaging secret redirect", () => {
       label: "Telegram Bot Token",
     });
     expect(setSecureKeyMock).toHaveBeenCalledWith(
-      "credential:telegram:bot_token",
+      credentialKey("telegram", "bot_token"),
       "123456789:ABCDefGHIJklmnopQRSTuvwxyz012345678",
     );
   });
@@ -197,7 +198,7 @@ describe("session-messaging secret redirect", () => {
       label: "Telegram Bot Token",
     });
     expect(setSecureKeyMock).toHaveBeenCalledWith(
-      "credential:telegram:bot_token",
+      credentialKey("telegram", "bot_token"),
       "123456789:ABCDefGHIJklmnopQRSTuvwxyz012345678",
     );
   });
@@ -231,7 +232,7 @@ describe("session-messaging secret redirect", () => {
       label: "Secure Credential Entry",
     });
     expect(setSecureKeyMock).toHaveBeenCalledWith(
-      "credential:detected:Some Unknown Secret",
+      credentialKey("detected", "Some Unknown Secret"),
       "opaque-secret",
     );
     expect(upsertCredentialMetadataMock).toHaveBeenCalledWith(

package/src/__tests__/skills-uninstall.test.ts

@@ -58,7 +58,7 @@ describe("assistant skills uninstall", () => {
 
     // GIVEN a skill is installed locally
     installFakeSkill("weather");
-    writeSkillsIndex("- weather\n- google-oauth-setup\n");
+    writeSkillsIndex("- weather\n- google-oauth-applescript\n");
 
     // WHEN we uninstall the skill
     uninstallSkillLocally("weather");
@@ -71,7 +71,7 @@ describe("assistant skills uninstall", () => {
     expect(index).not.toContain("weather");
 
     // AND other skills should remain in the index
-    expect(index).toContain("google-oauth-setup");
+    expect(index).toContain("google-oauth-applescript");
   });
 
   test("errors when skill is not installed", () => {

package/src/__tests__/skills.test.ts

@@ -675,15 +675,6 @@ describe("ingress-dependent setup skills declare public-ingress", () => {
     expect(includes).toContain("public-ingress");
   });
 
-  test("google-oauth-setup includes public-ingress", () => {
-    const includes = readSkillIncludes(
-      FIRST_PARTY_SKILLS_DIR,
-      "google-oauth-setup",
-    );
-    expect(includes).toBeDefined();
-    expect(includes).toContain("public-ingress");
-  });
-
   test("slack-oauth-setup includes browser", () => {
     const includes = readSkillIncludes(
       FIRST_PARTY_SKILLS_DIR,

package/src/__tests__/slack-channel-config.test.ts

@@ -172,6 +172,7 @@ import {
   getSlackChannelConfig,
   setSlackChannelConfig,
 } from "../daemon/handlers/config-slack-channel.js";
+import { credentialKey } from "../security/credential-key.js";
 
 afterAll(() => {
   globalThis.fetch = originalFetch;
@@ -199,8 +200,8 @@ describe("Slack channel config handler", () => {
   });
 
   test("GET returns connected: true when both tokens are set", () => {
-    secureKeyStore["credential:slack_channel:bot_token"] = "xoxb-test";
-    secureKeyStore["credential:slack_channel:app_token"] = "xapp-test";
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
 
     const result = getSlackChannelConfig();
     expect(result.success).toBe(true);
@@ -210,7 +211,7 @@ describe("Slack channel config handler", () => {
   });
 
   test("GET returns metadata from config when available", () => {
-    secureKeyStore["credential:slack_channel:bot_token"] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
     configStore = {
       slack: {
         teamId: "T123",
@@ -240,7 +241,7 @@ describe("Slack channel config handler", () => {
     );
     expect(result.success).toBe(true);
     expect(result.hasAppToken).toBe(true);
-    expect(secureKeyStore["credential:slack_channel:app_token"]).toBe(
+    expect(secureKeyStore[credentialKey("slack_channel", "app_token")]).toBe(
       "xapp-valid-token-123",
     );
   });
@@ -296,8 +297,8 @@ describe("Slack channel config handler", () => {
   });
 
   test("DELETE clears credentials and config", async () => {
-    secureKeyStore["credential:slack_channel:bot_token"] = "xoxb-test";
-    secureKeyStore["credential:slack_channel:app_token"] = "xapp-test";
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
     credentialMetadataStore.push({
       service: "slack_channel",
       field: "bot_token",
@@ -322,10 +323,10 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(false);
 
     expect(
-      secureKeyStore["credential:slack_channel:bot_token"],
+      secureKeyStore[credentialKey("slack_channel", "bot_token")],
     ).toBeUndefined();
     expect(
-      secureKeyStore["credential:slack_channel:app_token"],
+      secureKeyStore[credentialKey("slack_channel", "app_token")],
     ).toBeUndefined();
     expect(credentialMetadataStore).toHaveLength(0);
 

package/src/__tests__/slack-share-routes.test.ts

@@ -1,5 +1,7 @@
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
+import { credentialKey } from "../security/credential-key.js";
+
 // ---------------------------------------------------------------------------
 // Mocks — must be declared before any imports that pull in mocked modules
 // ---------------------------------------------------------------------------
@@ -105,7 +107,7 @@ describe("handleListSlackChannels", () => {
 
   test("returns channels sorted by type then name", async () => {
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      credentialKey("integration:slack", "access_token"),
       "xoxb-test",
     );
 
@@ -176,7 +178,10 @@ describe("handleListSlackChannels", () => {
   });
 
   test("falls back to legacy bot token", async () => {
-    secureKeyValues.set("credential:slack_channel:bot_token", "xoxb-legacy");
+    secureKeyValues.set(
+      credentialKey("slack_channel", "bot_token"),
+      "xoxb-legacy",
+    );
 
     listConversationsResult = { ok: true, channels: [] };
 
@@ -194,7 +199,7 @@ describe("handleShareToSlackChannel", () => {
 
   test("returns 400 for malformed JSON", async () => {
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      credentialKey("integration:slack", "access_token"),
       "xoxb-test",
     );
     const req = new Request("http://localhost/v1/slack/share", {
@@ -208,7 +213,7 @@ describe("handleShareToSlackChannel", () => {
 
   test("returns 400 when missing required fields", async () => {
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      credentialKey("integration:slack", "access_token"),
       "xoxb-test",
     );
     const req = makeRequest({ appId: "app1" });
@@ -220,7 +225,7 @@ describe("handleShareToSlackChannel", () => {
 
   test("returns 404 when app not found", async () => {
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      credentialKey("integration:slack", "access_token"),
       "xoxb-test",
     );
     appStoreResult = null;
@@ -231,7 +236,7 @@ describe("handleShareToSlackChannel", () => {
 
   test("posts message and returns success", async () => {
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      credentialKey("integration:slack", "access_token"),
       "xoxb-test",
     );
     appStoreResult = {

package/src/__tests__/telegram-bot-username-resolution.test.ts

@@ -38,6 +38,9 @@ mock.module("../config/loader.js", () => ({
 
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (_keyId: string) => mockSecureKey,
+  setSecureKey: (_account: string, _value: string) => true,
+  deleteSecureKey: (_account: string) => "deleted" as const,
+  listSecureKeys: () => [] as string[],
 }));
 
 // Suppress logger output during tests

package/src/__tests__/twilio-config.test.ts

@@ -26,11 +26,12 @@ mock.module("../inbound/public-ingress-urls.js", () => ({
 }));
 
 import { getTwilioConfig } from "../calls/twilio-config.js";
+import { credentialKey } from "../security/credential-key.js";
 
 describe("twilio-config", () => {
   beforeEach(() => {
     mockSecureKeys = {
-      "credential:twilio:auth_token": "test_auth_token",
+      [credentialKey("twilio", "auth_token")]: "test_auth_token",
     };
     mockLoadConfigResult = {
       twilio: {

package/src/__tests__/twilio-provider.test.ts

@@ -8,6 +8,8 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
+import { credentialKey } from "../security/credential-key.js";
+
 const testDir = mkdtempSync(join(tmpdir(), "twilio-provider-test-"));
 
 mock.module("../util/platform.js", () => ({
@@ -40,8 +42,8 @@ mock.module("../config/loader.js", () => ({
 
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (key: string) => {
-    if (key === "credential:twilio:auth_token") return mockAuthToken;
-    if (key === "credential:twilio:account_sid") return mockAccountSid;
+    if (key === credentialKey("twilio", "auth_token")) return mockAuthToken;
+    if (key === credentialKey("twilio", "account_sid")) return mockAccountSid;
     return undefined;
   },
 }));

package/src/__tests__/twilio-routes.test.ts

@@ -47,12 +47,12 @@ function readMockTwilioAccountSid(): string | undefined {
   const twilio = (mockRawConfigStore.twilio ?? {}) as Record<string, unknown>;
   return (
     (twilio.accountSid as string | undefined) ??
-    mockSecureKeyStore["credential:twilio:account_sid"]
+    mockSecureKeyStore[credentialKey("twilio", "account_sid")]
   );
 }
 
 function readMockTwilioAuthToken(): string | undefined {
-  return mockSecureKeyStore["credential:twilio:auth_token"];
+  return mockSecureKeyStore[credentialKey("twilio", "auth_token")];
 }
 
 function readMockTwilioPhoneNumber(): string | undefined {
@@ -333,6 +333,7 @@ import {
   handleProvisionTwilioNumber,
   handleSetTwilioCredentials,
 } from "../runtime/routes/integrations/twilio.js";
+import { credentialKey } from "../security/credential-key.js";
 
 initializeDb();
 
@@ -429,8 +430,8 @@ describe("twilio webhook routes", () => {
       twilio: { accountSid: "AC_existing", phoneNumber: "+15550001111" },
     };
     mockSecureKeyStore = {
-      "credential:twilio:account_sid": "AC_existing",
-      "credential:twilio:auth_token": "test-auth-token",
+      [credentialKey("twilio", "account_sid")]: "AC_existing",
+      [credentialKey("twilio", "auth_token")]: "test-auth-token",
     };
     mockAvailableNumbers = [{ phoneNumber: "+15556667777" }];
     mockProvisionedNumber = { phoneNumber: "+15556667777" };

package/src/__tests__/verification-control-plane-policy.test.ts

@@ -402,7 +402,7 @@ describe("isVerificationControlPlaneInvocation", () => {
     test("detects endpoint despite malformed percent-encoding elsewhere in command", () => {
       const result = isVerificationControlPlaneInvocation("bash", {
         command:
-          'curl -H "X: %ZZ" http://localhost:3000/v1/channel-verification-sessions -d \'{"channel":"sms"}\'',
+          'curl -H "X: %ZZ" http://localhost:3000/v1/channel-verification-sessions -d \'{"channel":"telegram"}\'',
       });
       expect(result).toBe(true);
     });

package/src/approvals/AGENTS.md

@@ -3,7 +3,7 @@
 ## Approval Flow Resilience
 
 - **Rich delivery failures must degrade gracefully.** If delivering a rich approval prompt (e.g., Telegram inline buttons) fails, fall back to plain text with instructions (e.g., `Reply "yes" to approve`) — never auto-deny.
-- **Non-rich channels** (SMS, http-api) receive plain-text approval prompts. The conversational approval engine handles free-text responses.
+- **Non-rich channels** (http-api) receive plain-text approval prompts. The conversational approval engine handles free-text responses.
 - **Race conditions:** Always check whether a decision has already been resolved before delivering the engine's optimistic reply. If `handleChannelDecision` returns `applied: false`, deliver an "already resolved" notice and return `stale_ignored`.
 - **Requester self-cancel:** A requester with a pending guardian approval must be able to cancel their own request (but not self-approve).
 - **Unified guardian decision primitive:** All guardian decision paths (callback buttons, conversational engine, requester self-cancel) must route through `applyGuardianDecision()` in `assistant/src/approvals/guardian-decision-primitive.ts`. Do not inline decision logic (approve_always downgrade, approval record updates, grant minting) at individual callsites.

package/src/calls/call-domain.ts

@@ -21,6 +21,7 @@ import { upsertBinding } from "../memory/external-conversation-store.js";
 import { revokeScopedApprovalGrantsForContext } from "../memory/scoped-approval-grants.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
 import { isGuardian } from "../runtime/channel-verification-service.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { getLogger } from "../util/logger.js";
 import { upsertActiveCallLease } from "./active-call-lease.js";
@@ -135,7 +136,7 @@ export type CallerIdentityResult =
  * For `assistant_number`: uses the Twilio phone number from
  *   `getTwilioConfig()`. No eligibility check is performed — this is a fast path.
  * For `user_number`: uses `config.calls.callerIdentity.userNumber` or the
- *   secure key `credential:twilio:user_phone_number`, then validates that the
+ *   secure key `credential/twilio/user_phone_number`, then validates that the
  *   number is usable as an outbound caller ID via the Twilio API.
  */
 export async function resolveCallerIdentity(
@@ -197,7 +198,9 @@ export async function resolveCallerIdentity(
     userNumber = getTwilioUserPhoneNumber()!;
     numberSource = "env_var";
   } else {
-    const secureKeyValue = getSecureKey("credential:twilio:user_phone_number");
+    const secureKeyValue = getSecureKey(
+      credentialKey("twilio", "user_phone_number"),
+    );
     if (secureKeyValue) {
       userNumber = secureKeyValue;
       numberSource = "secure_key";
@@ -212,7 +215,7 @@ export async function resolveCallerIdentity(
     return {
       ok: false,
       error:
-        "user_number mode requires a user phone number. Set calls.callerIdentity.userNumber in config or store credential:twilio:user_phone_number via the credential_store tool.",
+        "user_number mode requires a user phone number. Set calls.callerIdentity.userNumber in config or store credential/twilio/user_phone_number via the credential_store tool.",
     };
   }
 
@@ -223,7 +226,7 @@ export async function resolveCallerIdentity(
     );
     return {
       ok: false,
-      error: `User phone number "${userNumber}" is not in E.164 format (must start with + followed by digits, e.g. +14155551234). Check calls.callerIdentity.userNumber in config or credential:twilio:user_phone_number.`,
+      error: `User phone number "${userNumber}" is not in E.164 format (must start with + followed by digits, e.g. +14155551234). Check calls.callerIdentity.userNumber in config or credential/twilio/user_phone_number.`,
     };
   }
 

package/src/calls/twilio-config.ts

@@ -4,6 +4,7 @@ import {
   getPublicBaseUrl,
   getTwilioRelayUrl,
 } from "../inbound/public-ingress-urls.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { ConfigError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
@@ -45,7 +46,7 @@ export function resolveTwilioPhoneNumber(): string {
 export function getTwilioConfig(): TwilioConfig {
   const config = loadConfig();
   const accountSid = config.twilio?.accountSid || "";
-  const authToken = getSecureKey("credential:twilio:auth_token") || "";
+  const authToken = getSecureKey(credentialKey("twilio", "auth_token")) || "";
   const phoneNumber = resolveTwilioPhoneNumber();
   const webhookBaseUrl = getPublicBaseUrl(config);
 

package/src/calls/twilio-provider.ts

@@ -1,5 +1,6 @@
 import { createHmac, timingSafeEqual } from "node:crypto";
 
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { ProviderError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
@@ -280,7 +281,7 @@ export class TwilioConversationRelayProvider implements VoiceProvider {
    * middleware) can check availability independently.
    */
   static getAuthToken(): string | null {
-    return getSecureKey("credential:twilio:auth_token") || null;
+    return getSecureKey(credentialKey("twilio", "auth_token")) || null;
   }
 
   /**

package/src/calls/twilio-rest.ts

@@ -7,6 +7,7 @@
  */
 
 import { loadConfig } from "../config/loader.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { ConfigError, ProviderError } from "../util/errors.js";
 
@@ -28,7 +29,7 @@ function resolveAccountSid(): string | undefined {
 
 /** Resolve the Twilio Auth Token from the credential store. */
 function resolveAuthToken(): string | undefined {
-  return getSecureKey("credential:twilio:auth_token") || undefined;
+  return getSecureKey(credentialKey("twilio", "auth_token")) || undefined;
 }
 
 /** Resolve Twilio credentials from config (SID) and credential store (token). Throws if not configured. */
@@ -124,7 +125,6 @@ export async function searchAvailableNumbers(
   areaCode?: string,
 ): Promise<AvailablePhoneNumber[]> {
   const params = new URLSearchParams({
-    SmsEnabled: "true",
     VoiceEnabled: "true",
   });
   if (areaCode) params.set("AreaCode", areaCode);

package/src/cli/commands/browser-relay.ts

@@ -1,5 +1,7 @@
 import type { Command } from "commander";
 
+import type { ExtensionCommand } from "../../browser-extension-relay/protocol.js";
+import { extensionRelayServer } from "../../browser-extension-relay/server.js";
 import {
   initAuthSigningKey,
   isSigningKeyInitialized,
@@ -16,22 +18,36 @@ import {
 } from "../../tools/browser/chrome-cdp.js";
 
 // ---------------------------------------------------------------------------
-// Shared relay helper
+// Shared relay helper — dual-path: in-process first, gateway fallback
 // ---------------------------------------------------------------------------
 
 async function relayCommand(command: Record<string, unknown>): Promise<void> {
   try {
-    if (!isSigningKeyInitialized()) {
-      initAuthSigningKey(loadOrCreateSigningKey());
-    }
-
-    const { data } = await gatewayPost<{
-      id: string;
+    // Try the in-process extensionRelayServer first (for when CLI runs
+    // within the daemon). Falls back to gateway HTTP for out-of-process
+    // CLI contexts.
+    let data: {
+      id?: string;
       success: boolean;
       result?: unknown;
       error?: string;
       tabId?: number;
-    }>("/v1/browser-relay/command", command);
+    };
+
+    try {
+      data = await extensionRelayServer.sendCommand(
+        command as Omit<ExtensionCommand, "id">,
+      );
+    } catch {
+      // In-process relay unavailable — fall back to gateway HTTP
+      if (!isSigningKeyInitialized()) {
+        initAuthSigningKey(loadOrCreateSigningKey());
+      }
+      ({ data } = await gatewayPost<typeof data>(
+        "/v1/browser-relay/command",
+        command,
+      ));
+    }
 
     if (data.success) {
       process.stdout.write(
@@ -367,15 +383,24 @@ Examples:
     )
     .action(async () => {
       try {
-        if (!isSigningKeyInitialized()) {
-          initAuthSigningKey(loadOrCreateSigningKey());
-        }
-        const data = await gatewayGet<{
+        // Dual-path: try in-process first, fall back to gateway HTTP
+        let data: {
           connected: boolean;
-          connectionId?: string;
-          lastHeartbeatAt?: number;
+          connectionId?: string | null;
+          lastHeartbeatAt?: number | null;
           pendingCommandCount: number;
-        }>("/v1/browser-relay/status");
+        };
+
+        try {
+          data = extensionRelayServer.getStatus();
+        } catch {
+          // In-process relay unavailable — fall back to gateway HTTP
+          if (!isSigningKeyInitialized()) {
+            initAuthSigningKey(loadOrCreateSigningKey());
+          }
+          data = await gatewayGet<typeof data>("/v1/browser-relay/status");
+        }
+
         process.stdout.write(
           JSON.stringify({
             ok: true,

package/src/cli/commands/credentials.ts

@@ -1,5 +1,6 @@
 import type { Command } from "commander";
 
+import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   getSecureKey,
@@ -127,7 +128,7 @@ export function registerCredentialsCommand(program: Command): void {
     "after",
     `
 Credentials are identified by name in service:field format, matching the
-storage convention used internally (credential:{service}:{field}):
+storage convention used internally (credential/{service}/{field}):
 
   twilio:account_sid        Twilio account SID
   twilio:auth_token         Twilio auth token
@@ -198,7 +199,7 @@ Examples:
         }
 
         const credentials = allMetadata.map((m) => {
-          const secret = getSecureKey(`credential:${m.service}:${m.field}`);
+          const secret = getSecureKey(credentialKey(m.service, m.field));
           return buildCredentialOutput(m, secret);
         });
 
@@ -273,7 +274,7 @@ Examples:
           }
 
           const { service, field } = parsed;
-          const storageKey = `credential:${service}:${field}`;
+          const storageKey = credentialKey(service, field);
 
           assertMetadataWritable();
 
@@ -350,7 +351,7 @@ Examples:
         }
 
         const { service, field } = parsed;
-        const storageKey = `credential:${service}:${field}`;
+        const storageKey = credentialKey(service, field);
 
         assertMetadataWritable();
 
@@ -424,11 +425,11 @@ Examples:
             return;
           }
           metadata = getCredentialMetadata(parsed.service, parsed.field);
-          storageKey = `credential:${parsed.service}:${parsed.field}`;
+          storageKey = credentialKey(parsed.service, parsed.field);
         } else {
           metadata = getCredentialMetadataById(name);
           if (metadata) {
-            storageKey = `credential:${metadata.service}:${metadata.field}`;
+            storageKey = credentialKey(metadata.service, metadata.field);
           } else {
             // No metadata found by UUID, and we can't determine the storage key
             writeOutput(cmd, { ok: false, error: "Credential not found" });
@@ -529,11 +530,11 @@ Examples:
             process.exitCode = 1;
             return;
           }
-          storageKey = `credential:${parsed.service}:${parsed.field}`;
+          storageKey = credentialKey(parsed.service, parsed.field);
         } else {
           const metadata = getCredentialMetadataById(name);
           if (metadata) {
-            storageKey = `credential:${metadata.service}:${metadata.field}`;
+            storageKey = credentialKey(metadata.service, metadata.field);
           } else {
             writeOutput(cmd, { ok: false, error: "Credential not found" });
             process.exitCode = 1;

package/src/cli/commands/oauth.ts

@@ -17,7 +17,7 @@ guaranteed-valid access token, refreshing transparently if the stored token
 is expired or near-expiry. Callers never need to handle refresh themselves.
 
 The <service> argument is the short integration name (e.g. "twitter", "gmail",
-"slack"). Internally this maps to credential:integration:<service>:access_token.
+"slack"). Internally this maps to credential/integration:<service>/access_token.
 
 Examples:
   $ assistant oauth token twitter

package/src/cli.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from "node:crypto";
 import { appendFileSync, mkdirSync, readFileSync } from "node:fs";
 import { dirname } from "node:path";
 import * as readline from "node:readline";
@@ -503,7 +504,7 @@ export async function startCli(): Promise<void> {
       const trimmed = answer.trim().toLowerCase();
       if (trimmed === "n") {
         // Create a new conversation by using a unique key
-        conversationKey = `builtin-cli:${Date.now()}`;
+        conversationKey = `builtin-cli:${randomUUID()}`;
         sessionId = "";
         pendingSessionPick = false;
         // Reconnect SSE with new conversation key
@@ -1147,7 +1148,7 @@ export async function startCli(): Promise<void> {
 
     if (content === "/new") {
       // Create a new conversation by using a unique key
-      conversationKey = `builtin-cli:${Date.now()}`;
+      conversationKey = `builtin-cli:${randomUUID()}`;
       sessionId = "";
       reconnectSse().then(() => {
         process.stdout.write(

package/src/config/bundled-skills/claude-code/TOOLS.json

@@ -37,10 +37,6 @@
             "type": "string",
             "enum": ["general", "researcher", "coder", "reviewer"],
             "description": "Worker profile that scopes tool access. Defaults to general (backward compatible)."
-          },
-          "reason": {
-            "type": "string",
-            "description": "Brief non-technical explanation of what you are delegating and why, shown to the user as a status update. Use simple language a non-technical person would understand."
           }
         }
       },