@vellumai/assistant 0.4.46 → 0.4.48

package/ARCHITECTURE.md

@@ -347,8 +347,8 @@ Both tokens are stored in the secure key store (macOS Keychain with encrypted fi
 
 | Secure key                           | Content                                                                    |
 | ------------------------------------ | -------------------------------------------------------------------------- |
-| `credential:slack_channel:bot_token` | Slack bot token (used for `chat.postMessage` and `auth.test`)              |
-| `credential:slack_channel:app_token` | Slack app token (`xapp-...`, used for Socket Mode `apps.connections.open`) |
+| `credential/slack_channel/bot_token` | Slack bot token (used for `chat.postMessage` and `auth.test`)              |
+| `credential/slack_channel/app_token` | Slack app token (`xapp-...`, used for Socket Mode `apps.connections.open`) |
 
 Workspace metadata (team ID, team name, bot user ID, bot username) is stored as JSON in the credential metadata store under `('slack_channel', 'bot_token')`.
 
@@ -641,7 +641,7 @@ The assistant feature-flag resolver (`src/config/assistant-feature-flags.ts`) is
 | **3. `skill_load` tool**           | `executeSkillLoad()` in `tools/skills/load.ts`           | If the model attempts to load a flagged-off skill by name, the tool returns an error: `"skill is currently unavailable (disabled by feature flag)"`.                                                        |
 | **4. Runtime tool projection**     | `projectSkillTools()` in `daemon/session-skill-tools.ts` | Even if a skill was previously active in a session (has `<loaded_skill>` markers in history), the per-turn projection drops it when the flag is OFF. Already-registered tools are unregistered.             |
 | **5. Included child skills**       | `executeSkillLoad()` in `tools/skills/load.ts`           | When a parent skill includes children via the `includes` directive, each child is independently checked against its feature flag. Flagged-off children are silently excluded from the loaded skill content. |
-| **6. Skill install gate**          | `handleInstallSkill()` in `daemon/handlers/skills.ts`    | When a client requests skill installation, the handler checks the skill's feature flag before proceeding. If the flag is OFF, the install is rejected with an error.                                        |
+| **6. Skill install gate**          | `handleSkillsInstall()` in `daemon/handlers/skills.ts`   | When a client requests skill installation, the handler checks the skill's feature flag before proceeding. If the flag is OFF, the install is rejected with an error.                                        |
 
 All six enforcement points derive the flag key via `skillFlagKey(skill)` — which returns `undefined` for ungated skills, short-circuiting the check — and then call `isAssistantFeatureFlagEnabled(flagKey, config)` for consistency.
 
@@ -657,7 +657,7 @@ All six enforcement points derive the flag key via `skillFlagKey(skill)` — whi
 | `src/tools/skills/load.ts`                      | `executeSkillLoad()` — enforcement points 3 and 5                                                                                                                         |
 | `src/daemon/session-skill-tools.ts`             | `projectSkillTools()` — enforcement point 4                                                                                                                               |
 | `src/config/schema.ts`                          | `assistantFeatureFlagValues` field definition in `AssistantConfig` (Zod schema)                                                                                           |
-| `src/daemon/handlers/skills.ts`                 | `handleSkillsList()` — uses `resolveSkillStates()` for client responses; `handleInstallSkill()` — enforcement point 6                                                     |
+| `src/daemon/handlers/skills.ts`                 | `handleSkillsList()` — uses `resolveSkillStates()` for client responses; `handleSkillsInstall()` — enforcement point 6                                                    |
 | `meta/feature-flags/feature-flag-registry.json` | Unified feature flag registry (repo root) — all declared flags with scope, label, default values, and descriptions                                                        |
 | `src/config/feature-flag-registry.json`         | Bundled copy of the unified registry for compiled binary resolution                                                                                                       |
 
@@ -669,7 +669,7 @@ All six enforcement points derive the flag key via `skillFlagKey(skill)` — whi
 graph LR
     subgraph "macOS Keychain"
         K1["API Key<br/>service: vellum-assistant<br/>account: anthropic<br/>stored via /usr/bin/security CLI"]
-        K2["Credential Secrets<br/>key: credential:{service}:{field}<br/>stored via secure-keys.ts<br/>(encrypted file fallback if Keychain unavailable)"]
+        K2["Credential Secrets<br/>key: credential/{service}/{field}<br/>stored via secure-keys.ts<br/>(encrypted file fallback if Keychain unavailable)"]
     end
 
     subgraph "UserDefaults (plist)"

package/docs/architecture/security.md

@@ -179,7 +179,7 @@ File tool candidates include canonical (symlink-resolved) absolute paths via `no
 | `assistant/src/permissions/checker.ts`        | `classifyRisk()`, `check()`, `buildCommandCandidates()`, allowlist/scope generation                                                                                                 |
 | `assistant/src/permissions/shell-identity.ts` | `analyzeShellCommand()`, `deriveShellActionKeys()`, `buildShellCommandCandidates()`, `buildShellAllowlistOptions()` — parser-based shell command identity and action key derivation |
 | `assistant/src/permissions/trust-store.ts`    | Rule persistence, `findHighestPriorityRule()`, execution-target matching, starter bundle                                                                                            |
-| `assistant/src/permissions/prompter.ts`       | HTTP prompt flow: `confirmation_request` → `confirmation_response`                                                                                                                   |
+| `assistant/src/permissions/prompter.ts`       | HTTP prompt flow: `confirmation_request` → `confirmation_response`                                                                                                                  |
 | `assistant/src/permissions/defaults.ts`       | Default rule templates (system ask rules for host tools, CU, etc.)                                                                                                                  |
 | `assistant/src/skills/version-hash.ts`        | `computeSkillVersionHash()` — deterministic SHA-256 of skill source files                                                                                                           |
 | `assistant/src/skills/path-classifier.ts`     | `isSkillSourcePath()`, `normalizeFilePath()`, skill root detection                                                                                                                  |
@@ -233,7 +233,7 @@ sequenceDiagram
         UI->>HTTP: secret_response {requestId, value, delivery: "store"}
         HTTP->>Prompter: resolve(value, "store")
         Prompter->>Vault: {value, delivery: "store"}
-        Vault->>Keychain: setSecureKey("credential:svc:field", value)
+        Vault->>Keychain: setSecureKey("credential/svc/field", value)
         Vault->>Model: "Credential stored securely" (no value in output)
     else One-Time Send (if enabled)
         UI->>HTTP: secret_response {requestId, value, delivery: "transient_send"}
@@ -272,7 +272,7 @@ graph TB
     TOOL["Tool (e.g. browser_fill_credential)"] --> BROKER["CredentialBroker.use(service, field, tool, domain)"]
     BROKER --> POLICY{"Check policy:<br/>allowedTools + allowedDomains"}
     POLICY -->|denied| REJECT["PolicyDenied error"]
-    POLICY -->|allowed| FETCH["getSecureKey(credential:svc:field)"]
+    POLICY -->|allowed| FETCH["getSecureKey(credential/svc/field)"]
     FETCH --> INJECT["Inject value into tool execution<br/>(never returned to model)"]
 ```
 
@@ -290,7 +290,7 @@ The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send
 
 | Component           | Location                                             | What it stores                                                                                                                                               |
 | ------------------- | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Secret values       | macOS Keychain (primary) or encrypted file fallback  | Encrypted credential values keyed as `credential:{service}:{field}`. Falls back to encrypted file backend on Linux/headless or when Keychain is unavailable. |
+| Secret values       | macOS Keychain (primary) or encrypted file fallback  | Encrypted credential values keyed as `credential/{service}/{field}`. Falls back to encrypted file backend on Linux/headless or when Keychain is unavailable. |
 | Credential metadata | `~/.vellum/workspace/data/credentials/metadata.json` | Service, field, label, policy (allowedTools, allowedDomains), timestamps                                                                                     |
 | Config              | `~/.vellum/workspace/config.*`                       | `secretDetection` settings: enabled, action, entropyThreshold, allowOneTimeSend                                                                              |
 
@@ -303,7 +303,7 @@ The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send
 | `assistant/src/tools/credentials/metadata-store.ts`  | JSON file metadata CRUD for credential records                        |
 | `assistant/src/tools/credentials/broker.ts`          | Brokered credential access with policy enforcement and transient send |
 | `assistant/src/tools/credentials/policy-validate.ts` | Policy input validation (allowedTools, allowedDomains)                |
-| `assistant/src/permissions/secret-prompter.ts`       | HTTP secret_request/secret_response flow                               |
+| `assistant/src/permissions/secret-prompter.ts`       | HTTP secret_request/secret_response flow                              |
 | `assistant/src/security/secret-scanner.ts`           | Regex + entropy-based secret detection                                |
 | `assistant/src/security/secret-ingress.ts`           | Inbound message secret blocking                                       |
 | `clients/macos/.../SecretPromptManager.swift`        | Floating panel UI for secure credential entry                         |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.46",
+  "version": "0.4.48",
   "type": "module",
   "exports": {
     ".": "./src/index.ts"

package/src/__tests__/browser-fill-credential.test.ts

@@ -76,6 +76,7 @@ mock.module("../tools/credentials/metadata-store.js", () => ({
   _setMetadataPath: () => {},
 }));
 
+import { credentialKey } from "../security/credential-key.js";
 import { executeBrowserFillCredential } from "../tools/browser/browser-execution.js";
 import type { ToolContext } from "../tools/types.js";
 
@@ -142,7 +143,9 @@ describe("executeBrowserFillCredential", () => {
       '[data-vellum-eid="e1"]',
       "super-secret-password",
     );
-    expect(mockGetSecureKey).toHaveBeenCalledWith("credential:gmail:password");
+    expect(mockGetSecureKey).toHaveBeenCalledWith(
+      credentialKey("gmail", "password"),
+    );
   });
 
   test("fills credential by CSS selector", async () => {
@@ -297,7 +300,7 @@ describe("executeBrowserFillCredential", () => {
         "password",
       );
       expect(mockGetSecureKey).toHaveBeenCalledWith(
-        "credential:gmail:password",
+        credentialKey("gmail", "password"),
       );
     });
 

package/src/__tests__/bundled-skill-retrieval-guard.test.ts

@@ -90,7 +90,7 @@ const GATEWAY_RETRIEVAL_BANLIST: Array<{
     bannedSnippets: [
       'curl -s "$INTERNAL_GATEWAY_BASE_URL/v1/',
       "security find-generic-password",
-      "secret-tool lookup service vellum-assistant account credential:ngrok:authtoken",
+      "secret-tool lookup service vellum-assistant account credential/ngrok/authtoken",
     ],
   },
   {
@@ -119,6 +119,7 @@ const KEYCHAIN_ALLOWLIST = new Set<string>([
 const KEYCHAIN_PATTERNS = [
   "security find-generic-password",
   "secret-tool lookup service vellum-assistant account credential:",
+  "secret-tool lookup service vellum-assistant account credential/",
 ];
 
 const HOST_BASH_RETRIEVAL_ALLOWLIST = new Set<string>([

package/src/__tests__/channel-readiness-routes.test.ts

@@ -52,6 +52,7 @@ mock.module("../email/service.js", () => ({
 // ---------------------------------------------------------------------------
 
 import { createReadinessService } from "../runtime/channel-readiness-service.js";
+import { credentialKey } from "../security/credential-key.js";
 
 // ---------------------------------------------------------------------------
 // Tests
@@ -197,10 +198,10 @@ describe("channel readiness routes — email and WhatsApp probes", () => {
 
     test("reports ready when all Meta credentials and display number are configured", async () => {
       mockSecureKeys = {
-        "credential:whatsapp:phone_number_id": "123456789",
-        "credential:whatsapp:access_token": "EAAxxxxxx",
-        "credential:whatsapp:app_secret": "abc123",
-        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+        [credentialKey("whatsapp", "phone_number_id")]: "123456789",
+        [credentialKey("whatsapp", "access_token")]: "EAAxxxxxx",
+        [credentialKey("whatsapp", "app_secret")]: "abc123",
+        [credentialKey("whatsapp", "webhook_verify_token")]: "my-verify-token",
       };
       mockRawConfig = {
         whatsapp: { phoneNumber: "+15551234567" },
@@ -215,10 +216,10 @@ describe("channel readiness routes — email and WhatsApp probes", () => {
 
     test("reports not ready when display phone number is missing", async () => {
       mockSecureKeys = {
-        "credential:whatsapp:phone_number_id": "123456789",
-        "credential:whatsapp:access_token": "EAAxxxxxx",
-        "credential:whatsapp:app_secret": "abc123",
-        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+        [credentialKey("whatsapp", "phone_number_id")]: "123456789",
+        [credentialKey("whatsapp", "access_token")]: "EAAxxxxxx",
+        [credentialKey("whatsapp", "app_secret")]: "abc123",
+        [credentialKey("whatsapp", "webhook_verify_token")]: "my-verify-token",
       };
       mockRawConfig = {
         ingress: { publicBaseUrl: "https://example.com", enabled: true },
@@ -236,10 +237,10 @@ describe("channel readiness routes — email and WhatsApp probes", () => {
 
     test("checks each Meta credential individually", async () => {
       mockSecureKeys = {
-        "credential:whatsapp:phone_number_id": "123456789",
+        [credentialKey("whatsapp", "phone_number_id")]: "123456789",
         // access_token missing
-        "credential:whatsapp:app_secret": "abc123",
-        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+        [credentialKey("whatsapp", "app_secret")]: "abc123",
+        [credentialKey("whatsapp", "webhook_verify_token")]: "my-verify-token",
       };
       mockRawConfig = {
         ingress: { publicBaseUrl: "https://example.com", enabled: true },
@@ -272,10 +273,10 @@ describe("channel readiness routes — email and WhatsApp probes", () => {
 
     test("checks invite policy", async () => {
       mockSecureKeys = {
-        "credential:whatsapp:phone_number_id": "123456789",
-        "credential:whatsapp:access_token": "EAAxxxxxx",
-        "credential:whatsapp:app_secret": "abc123",
-        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+        [credentialKey("whatsapp", "phone_number_id")]: "123456789",
+        [credentialKey("whatsapp", "access_token")]: "EAAxxxxxx",
+        [credentialKey("whatsapp", "app_secret")]: "abc123",
+        [credentialKey("whatsapp", "webhook_verify_token")]: "my-verify-token",
       };
       mockRawConfig = {
         whatsapp: { phoneNumber: "+15551234567" },
@@ -293,10 +294,10 @@ describe("channel readiness routes — email and WhatsApp probes", () => {
 
     test("checks ingress configuration", async () => {
       mockSecureKeys = {
-        "credential:whatsapp:phone_number_id": "123456789",
-        "credential:whatsapp:access_token": "EAAxxxxxx",
-        "credential:whatsapp:app_secret": "abc123",
-        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+        [credentialKey("whatsapp", "phone_number_id")]: "123456789",
+        [credentialKey("whatsapp", "access_token")]: "EAAxxxxxx",
+        [credentialKey("whatsapp", "app_secret")]: "abc123",
+        [credentialKey("whatsapp", "webhook_verify_token")]: "my-verify-token",
       };
       mockRawConfig = {
         whatsapp: { phoneNumber: "+15551234567" },

package/src/__tests__/cli.test.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from "node:crypto";
 import { describe, expect, test } from "bun:test";
 
 import {
@@ -66,3 +67,25 @@ describe("formatConfirmationCommandPreview", () => {
     expect(preview).toBe("edit /tmp/sample.txt");
   });
 });
+
+const UUID_RE =
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+
+describe("new-session conversationKey format", () => {
+  test("uses a valid UUID, not a timestamp", () => {
+    // Mirror the key construction in startCli()
+    const key = `builtin-cli:${randomUUID()}`;
+    const suffix = key.replace("builtin-cli:", "");
+
+    expect(suffix).toMatch(UUID_RE);
+    // A numeric timestamp would parse to a finite number; a UUID must not.
+    expect(Number.isFinite(Number(suffix))).toBe(false);
+  });
+
+  test("generates unique keys across calls", () => {
+    const key1 = `builtin-cli:${randomUUID()}`;
+    const key2 = `builtin-cli:${randomUUID()}`;
+
+    expect(key1).not.toBe(key2);
+  });
+});

package/src/__tests__/credential-broker-browser-fill.test.ts

@@ -49,6 +49,7 @@ mock.module("../tools/registry.js", () => ({
 // Imports under test
 // ---------------------------------------------------------------------------
 
+import { credentialKey } from "../security/credential-key.js";
 import { setSecureKey } from "../security/secure-keys.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
@@ -92,7 +93,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     let filledValue: string | undefined;
     const result = await broker.browserFill({
@@ -114,7 +115,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -167,7 +168,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -193,8 +194,8 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "password", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:username", "octocat");
-    setSecureKey("credential:github:password", "hunter2");
+    setSecureKey(credentialKey("github", "username"), "octocat");
+    setSecureKey(credentialKey("github", "password"), "hunter2");
 
     const filled: Record<string, string> = {};
 
@@ -227,7 +228,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -245,7 +246,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -263,7 +264,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -286,7 +287,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -305,7 +306,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     // No domain provided and no allowedDomains policy — should succeed
     const result = await broker.browserFill({
@@ -322,7 +323,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["other_tool"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     let fillCalled = false;
     const result = await broker.browserFill({
@@ -343,7 +344,7 @@ describe("CredentialBroker.browserFill", () => {
 
   test("denies fill when allowedTools is empty (fail-closed)", async () => {
     upsertCredentialMetadata("github", "token", { allowedTools: [] });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -362,7 +363,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_supersecret");
+    setSecureKey(credentialKey("github", "token"), "ghp_supersecret");
 
     const result = await broker.browserFill({
       service: "github",
@@ -388,7 +389,7 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["s3_upload", "cloudfront_invalidate"],
         allowedDomains: [],
       });
-      setSecureKey("credential:aws:access_key", "AKIA_test");
+      setSecureKey(credentialKey("aws", "access_key"), "AKIA_test");
 
       let fillCalled = false;
       const result = await broker.browserFill({
@@ -413,7 +414,7 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["browser_fill_credential"],
         allowedDomains: ["github.com"],
       });
-      setSecureKey("credential:github:pat", "ghp_fill_test");
+      setSecureKey(credentialKey("github", "pat"), "ghp_fill_test");
 
       let fillCalled = false;
       const result = await broker.browserFill({
@@ -437,7 +438,7 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["slack_post"],
         allowedDomains: ["slack.com"],
       });
-      setSecureKey("credential:slack:bot_token", "xoxb-test");
+      setSecureKey(credentialKey("slack", "bot_token"), "xoxb-test");
 
       const result = await broker.browserFill({
         service: "slack",
@@ -460,7 +461,7 @@ describe("CredentialBroker.browserFill", () => {
       upsertCredentialMetadata("custom", "key", {
         allowedTools: [],
       });
-      setSecureKey("credential:custom:key", "secret");
+      setSecureKey(credentialKey("custom", "key"), "secret");
 
       const result = await broker.browserFill({
         service: "custom",
@@ -490,7 +491,7 @@ describe("CredentialBroker.browserFill", () => {
       upsertCredentialMetadata("github", "token", {
         allowedTools: ["browser_fill_credential"],
       });
-      setSecureKey("credential:github:token", "ghp_updated");
+      setSecureKey(credentialKey("github", "token"), "ghp_updated");
 
       let filledValue: string | undefined;
       const result = await broker.browserFill({
@@ -514,8 +515,8 @@ describe("CredentialBroker.browserFill", () => {
       upsertCredentialMetadata("github", "password", {
         allowedTools: ["other_tool"],
       });
-      setSecureKey("credential:github:username", "octocat");
-      setSecureKey("credential:github:password", "hunter2");
+      setSecureKey(credentialKey("github", "username"), "octocat");
+      setSecureKey(credentialKey("github", "password"), "hunter2");
 
       // username allows browser_fill_credential
       const r1 = await broker.browserFill({
@@ -548,8 +549,8 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["browser_fill_credential"],
         allowedDomains: ["gitlab.com"],
       });
-      setSecureKey("credential:github:token", "gh_tok");
-      setSecureKey("credential:gitlab:token", "gl_tok");
+      setSecureKey(credentialKey("github", "token"), "gh_tok");
+      setSecureKey(credentialKey("gitlab", "token"), "gl_tok");
 
       // github credential on github.com succeeds
       let filled1 = "";

package/src/__tests__/credential-broker-server-use.test.ts

@@ -48,6 +48,7 @@ mock.module("../tools/registry.js", () => ({
 // Imports under test
 // ---------------------------------------------------------------------------
 
+import { credentialKey } from "../security/credential-key.js";
 import { setSecureKey } from "../security/secure-keys.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
@@ -85,7 +86,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -109,7 +110,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -161,7 +162,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -182,7 +183,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -201,7 +202,7 @@ describe("CredentialBroker.serverUse", () => {
       allowedTools: ["publish_page"],
       allowedDomains: ["vercel.com"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -222,7 +223,7 @@ describe("CredentialBroker.serverUse", () => {
       allowedTools: ["publish_page"],
       allowedDomains: [],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -247,7 +248,7 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("aws", "access_key", {
         allowedTools: ["deploy_lambda", "s3_upload"],
       });
-      setSecureKey("credential:aws:access_key", "AKIA_test");
+      setSecureKey(credentialKey("aws", "access_key"), "AKIA_test");
 
       const result = await broker.serverUse({
         service: "aws",
@@ -270,7 +271,7 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("stripe", "secret_key", {
         allowedTools: [],
       });
-      setSecureKey("credential:stripe:secret_key", "sk_test_xyz");
+      setSecureKey(credentialKey("stripe", "secret_key"), "sk_test_xyz");
 
       const result = await broker.serverUse({
         service: "stripe",
@@ -291,7 +292,7 @@ describe("CredentialBroker.serverUse", () => {
         allowedTools: ["git_push"],
         allowedDomains: ["github.com"],
       });
-      setSecureKey("credential:github:oauth_token", "gho_test");
+      setSecureKey(credentialKey("github", "oauth_token"), "gho_test");
 
       const result = await broker.serverUse({
         service: "github",
@@ -322,7 +323,7 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("vercel", "api_token", {
         allowedTools: ["publish_page", "unpublish_page"],
       });
-      setSecureKey("credential:vercel:api_token", "tok_updated");
+      setSecureKey(credentialKey("vercel", "api_token"), "tok_updated");
 
       const result = await broker.serverUse({
         service: "vercel",
@@ -342,8 +343,8 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("vercel", "deploy_hook", {
         allowedTools: ["trigger_deploy"],
       });
-      setSecureKey("credential:vercel:api_token", "tok_api");
-      setSecureKey("credential:vercel:deploy_hook", "hook_secret");
+      setSecureKey(credentialKey("vercel", "api_token"), "tok_api");
+      setSecureKey(credentialKey("vercel", "deploy_hook"), "hook_secret");
 
       // api_token should deny trigger_deploy
       const r1 = await broker.serverUse({
@@ -377,8 +378,8 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("gitlab", "api_token", {
         allowedTools: ["gitlab_api"],
       });
-      setSecureKey("credential:github:api_token", "gh_tok");
-      setSecureKey("credential:gitlab:api_token", "gl_tok");
+      setSecureKey(credentialKey("github", "api_token"), "gh_tok");
+      setSecureKey(credentialKey("gitlab", "api_token"), "gl_tok");
 
       // github credential should not serve gitlab tool
       const r1 = broker.serverUseById({
@@ -395,8 +396,8 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("gitlab", "api_token", {
         allowedTools: ["gitlab_api"],
       });
-      setSecureKey("credential:github:api_token", "gh_tok");
-      setSecureKey("credential:gitlab:api_token", "gl_tok");
+      setSecureKey(credentialKey("github", "api_token"), "gh_tok");
+      setSecureKey(credentialKey("gitlab", "api_token"), "gl_tok");
 
       // github credential should not serve gitlab tool
       const r1 = await broker.serverUse({
@@ -458,7 +459,7 @@ describe("CredentialBroker.serverUseById", () => {
         },
       ],
     });
-    setSecureKey("credential:fal:api_key", "fal-secret-key");
+    setSecureKey(credentialKey("fal", "api_key"), "fal-secret-key");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -483,7 +484,7 @@ describe("CredentialBroker.serverUseById", () => {
     const meta = upsertCredentialMetadata("fal", "api_key", {
       allowedTools: ["media_proxy"],
     });
-    setSecureKey("credential:fal:api_key", "fal-secret-key");
+    setSecureKey(credentialKey("fal", "api_key"), "fal-secret-key");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -514,7 +515,7 @@ describe("CredentialBroker.serverUseById", () => {
       allowedTools: ["media_proxy"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:oauth_token", "gho_test");
+    setSecureKey(credentialKey("github", "oauth_token"), "gho_test");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -531,7 +532,7 @@ describe("CredentialBroker.serverUseById", () => {
     const meta = upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["media_proxy"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -547,7 +548,7 @@ describe("CredentialBroker.serverUseById", () => {
     const meta = upsertCredentialMetadata("stripe", "secret_key", {
       allowedTools: [],
     });
-    setSecureKey("credential:stripe:secret_key", "sk_test_xyz");
+    setSecureKey(credentialKey("stripe", "secret_key"), "sk_test_xyz");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,

package/src/__tests__/credential-broker.test.ts

@@ -3,6 +3,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 
+import { credentialKey } from "../security/credential-key.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
   _setMetadataPath,
@@ -125,7 +126,7 @@ describe("CredentialBroker", () => {
 
       const result = broker.consume(auth.token.tokenId);
       expect(result.success).toBe(true);
-      expect(result.storageKey).toBe("credential:github:token");
+      expect(result.storageKey).toBe(credentialKey("github", "token"));
     });
 
     test("rejects double consumption", () => {