@vellumai/assistant 0.4.46 → 0.4.48

package/src/config/bundled-skills/google-calendar/SKILL.md

@@ -16,8 +16,8 @@ You are a Google Calendar assistant with full access to the user's calendar. Use
 Before using any Calendar tool, verify that Google Calendar is connected by attempting a lightweight call (e.g., `calendar_list_events` with a narrow date range). If the call fails with a token/authorization error:
 
 1. **Do NOT call `credential_store oauth2_connect` yourself.** You do not have valid OAuth client credentials, and fabricating a client_id will cause a "401: invalid_client" error from Google.
-2. Instead, load the **google-oauth-setup** skill, which walks the user through creating real credentials in Google Cloud Console:
-   - Call `skill_load` with `skill: "google-oauth-setup"` to load the dependency skill.
+2. Instead, load the **google-oauth-applescript** skill, which walks the user through creating real credentials in Google Cloud Console:
+   - Call `skill_load` with `skill: "google-oauth-applescript"` to load the dependency skill.
 3. Tell the user: _"Google Calendar isn't connected yet. I've loaded a setup guide that will walk you through connecting your Google account — it only takes a couple of minutes."_
 
 ## Capabilities

package/src/config/bundled-skills/google-calendar/calendar-client.ts

@@ -1,3 +1,5 @@
+import type { OAuthConnection } from "../../../oauth/connection.js";
+import { GOOGLE_CALENDAR_BASE_URL } from "../../../oauth/provider-base-urls.js";
 import type {
   CalendarEvent,
   CalendarEventsListResponse,
@@ -6,8 +8,6 @@ import type {
   FreeBusyResponse,
 } from "./types.js";
 
-const CALENDAR_API_BASE = "https://www.googleapis.com/calendar/v3";
-
 export class CalendarApiError extends Error {
   constructor(
     public readonly status: number,
@@ -20,39 +20,80 @@ export class CalendarApiError extends Error {
 }
 
 async function request<T>(
-  token: string,
+  connection: OAuthConnection,
   path: string,
   options?: RequestInit,
 ): Promise<T> {
-  const url = `${CALENDAR_API_BASE}${path}`;
-  const resp = await fetch(url, {
-    ...options,
+  const method = (options?.method ?? "GET").toUpperCase();
+
+  // Extract non-auth headers
+  let extraHeaders: Record<string, string> | undefined;
+  if (options?.headers) {
+    const raw = options.headers;
+    const result: Record<string, string> = {};
+    if (raw instanceof Headers) {
+      raw.forEach((v, k) => {
+        if (k.toLowerCase() !== "authorization") result[k] = v;
+      });
+    } else if (Array.isArray(raw)) {
+      for (const [k, v] of raw) {
+        if (k.toLowerCase() !== "authorization") result[k] = v;
+      }
+    } else {
+      for (const [k, v] of Object.entries(raw)) {
+        if (k.toLowerCase() !== "authorization" && v !== undefined)
+          result[k] = v;
+      }
+    }
+    if (Object.keys(result).length > 0) extraHeaders = result;
+  }
+
+  // Extract body
+  let reqBody: unknown | undefined;
+  if (options?.body) {
+    if (typeof options.body === "string") {
+      try {
+        reqBody = JSON.parse(options.body);
+      } catch {
+        reqBody = options.body;
+      }
+    } else {
+      reqBody = options.body;
+    }
+  }
+
+  const resp = await connection.request({
+    method,
+    path,
+    baseUrl: GOOGLE_CALENDAR_BASE_URL,
     headers: {
-      Authorization: `Bearer ${token}`,
       "Content-Type": "application/json",
-      ...options?.headers,
+      ...extraHeaders,
     },
+    body: reqBody,
   });
-  if (!resp.ok) {
-    const body = await resp.text().catch(() => "");
+
+  if (resp.status < 200 || resp.status >= 300) {
+    const bodyStr =
+      typeof resp.body === "string"
+        ? resp.body
+        : JSON.stringify(resp.body ?? "");
     throw new CalendarApiError(
       resp.status,
-      resp.statusText,
-      `Calendar API ${resp.status}: ${body}`,
+      "",
+      `Calendar API ${resp.status}: ${bodyStr}`,
     );
   }
-  const contentLength = resp.headers.get("content-length");
-  if (resp.status === 204 || contentLength === "0") {
+
+  if (resp.status === 204 || resp.body === undefined) {
     return undefined as T;
   }
-  const text = await resp.text();
-  if (!text) return undefined as T;
-  return JSON.parse(text) as T;
+  return resp.body as T;
 }
 
 /** List events from a calendar. */
 export async function listEvents(
-  token: string,
+  connection: OAuthConnection,
   calendarId = "primary",
   options?: {
     timeMin?: string;
@@ -86,19 +127,19 @@ export async function listEvents(
   if (options?.syncToken) params.set("syncToken", options.syncToken);
 
   return request<CalendarEventsListResponse>(
-    token,
+    connection,
     `/calendars/${encodeURIComponent(calendarId)}/events?${params}`,
   );
 }
 
 /** Get a single event by ID. */
 export async function getEvent(
-  token: string,
+  connection: OAuthConnection,
   eventId: string,
   calendarId = "primary",
 ): Promise<CalendarEvent> {
   return request<CalendarEvent>(
-    token,
+    connection,
     `/calendars/${encodeURIComponent(calendarId)}/events/${encodeURIComponent(
       eventId,
     )}`,
@@ -107,7 +148,7 @@ export async function getEvent(
 
 /** Create a new event. */
 export async function createEvent(
-  token: string,
+  connection: OAuthConnection,
   event: {
     summary: string;
     start: { dateTime?: string; date?: string; timeZone?: string };
@@ -121,7 +162,7 @@ export async function createEvent(
 ): Promise<CalendarEvent> {
   const params = new URLSearchParams({ sendUpdates });
   return request<CalendarEvent>(
-    token,
+    connection,
     `/calendars/${encodeURIComponent(calendarId)}/events?${params}`,
     {
       method: "POST",
@@ -132,7 +173,7 @@ export async function createEvent(
 
 /** Update an event (patch). */
 export async function patchEvent(
-  token: string,
+  connection: OAuthConnection,
   eventId: string,
   updates: Partial<{
     summary: string;
@@ -147,7 +188,7 @@ export async function patchEvent(
 ): Promise<CalendarEvent> {
   const params = new URLSearchParams({ sendUpdates });
   return request<CalendarEvent>(
-    token,
+    connection,
     `/calendars/${encodeURIComponent(calendarId)}/events/${encodeURIComponent(
       eventId,
     )}?${params}`,
@@ -160,10 +201,10 @@ export async function patchEvent(
 
 /** Query free/busy information. */
 export async function freeBusy(
-  token: string,
+  connection: OAuthConnection,
   query: FreeBusyRequest,
 ): Promise<FreeBusyResponse> {
-  return request<FreeBusyResponse>(token, "/freeBusy", {
+  return request<FreeBusyResponse>(connection, "/freeBusy", {
     method: "POST",
     body: JSON.stringify(query),
   });
@@ -171,7 +212,7 @@ export async function freeBusy(
 
 /** List calendars the user has access to. */
 export async function listCalendars(
-  token: string,
+  connection: OAuthConnection,
 ): Promise<CalendarListResponse> {
-  return request<CalendarListResponse>(token, "/users/me/calendarList");
+  return request<CalendarListResponse>(connection, "/users/me/calendarList");
 }

package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts

@@ -3,7 +3,7 @@ import type {
   ToolExecutionResult,
 } from "../../../../tools/types.js";
 import * as calendar from "../calendar-client.js";
-import { ok, withCalendarToken } from "./shared.js";
+import { getCalendarConnection, ok } from "./shared.js";
 
 export async function run(
   input: Record<string, unknown>,
@@ -14,14 +14,13 @@ export async function run(
   const calendarIds = (input.calendar_ids as string[]) ?? ["primary"];
   const timezone = input.timezone as string | undefined;
 
-  return withCalendarToken(async (token) => {
-    const result = await calendar.freeBusy(token, {
-      timeMin,
-      timeMax,
-      timeZone: timezone,
-      items: calendarIds.map((id) => ({ id })),
-    });
-
-    return ok(JSON.stringify(result, null, 2));
+  const connection = getCalendarConnection();
+  const result = await calendar.freeBusy(connection, {
+    timeMin,
+    timeMax,
+    timeZone: timezone,
+    items: calendarIds.map((id) => ({ id })),
   });
+
+  return ok(JSON.stringify(result, null, 2));
 }

package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts

@@ -3,7 +3,7 @@ import type {
   ToolExecutionResult,
 } from "../../../../tools/types.js";
 import * as calendar from "../calendar-client.js";
-import { ok, withCalendarToken } from "./shared.js";
+import { getCalendarConnection, ok } from "./shared.js";
 
 export async function run(
   input: Record<string, unknown>,
@@ -40,9 +40,8 @@ export async function run(
     eventBody.attendees = attendees.map((email) => ({ email }));
   }
 
-  return withCalendarToken(async (token) => {
-    const event = await calendar.createEvent(token, eventBody, calendarId);
-    const link = event.htmlLink ? ` View it here: ${event.htmlLink}` : "";
-    return ok(`Event created (ID: ${event.id}).${link}`);
-  });
+  const connection = getCalendarConnection();
+  const event = await calendar.createEvent(connection, eventBody, calendarId);
+  const link = event.htmlLink ? ` View it here: ${event.htmlLink}` : "";
+  return ok(`Event created (ID: ${event.id}).${link}`);
 }

package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts

@@ -3,7 +3,7 @@ import type {
   ToolExecutionResult,
 } from "../../../../tools/types.js";
 import * as calendar from "../calendar-client.js";
-import { ok, withCalendarToken } from "./shared.js";
+import { getCalendarConnection, ok } from "./shared.js";
 
 export async function run(
   input: Record<string, unknown>,
@@ -12,8 +12,7 @@ export async function run(
   const eventId = input.event_id as string;
   const calendarId = (input.calendar_id as string) ?? "primary";
 
-  return withCalendarToken(async (token) => {
-    const event = await calendar.getEvent(token, eventId, calendarId);
-    return ok(JSON.stringify(event, null, 2));
-  });
+  const connection = getCalendarConnection();
+  const event = await calendar.getEvent(connection, eventId, calendarId);
+  return ok(JSON.stringify(event, null, 2));
 }

package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts

@@ -3,7 +3,7 @@ import type {
   ToolExecutionResult,
 } from "../../../../tools/types.js";
 import * as calendar from "../calendar-client.js";
-import { ok, withCalendarToken } from "./shared.js";
+import { getCalendarConnection, ok } from "./shared.js";
 
 export async function run(
   input: Record<string, unknown>,
@@ -17,20 +17,19 @@ export async function run(
   const singleEvents = (input.single_events as boolean) ?? true;
   const orderBy = input.order_by as "startTime" | "updated" | undefined;
 
-  return withCalendarToken(async (token) => {
-    const result = await calendar.listEvents(token, calendarId, {
-      timeMin,
-      timeMax,
-      maxResults,
-      query,
-      singleEvents,
-      orderBy,
-    });
+  const connection = getCalendarConnection();
+  const result = await calendar.listEvents(connection, calendarId, {
+    timeMin,
+    timeMax,
+    maxResults,
+    query,
+    singleEvents,
+    orderBy,
+  });
 
-    if (!result.items?.length) {
-      return ok("No events found in the specified time range.");
-    }
+  if (!result.items?.length) {
+    return ok("No events found in the specified time range.");
+  }
 
-    return ok(JSON.stringify(result, null, 2));
-  });
+  return ok(JSON.stringify(result, null, 2));
 }

package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts

@@ -3,7 +3,7 @@ import type {
   ToolExecutionResult,
 } from "../../../../tools/types.js";
 import * as calendar from "../calendar-client.js";
-import { ok, withCalendarToken } from "./shared.js";
+import { getCalendarConnection, ok } from "./shared.js";
 
 export async function run(
   input: Record<string, unknown>,
@@ -13,45 +13,45 @@ export async function run(
   const response = input.response as "accepted" | "declined" | "tentative";
   const calendarId = (input.calendar_id as string) ?? "primary";
 
-  return withCalendarToken(async (token) => {
-    // First get the event to find the user's attendee entry
-    const event = await calendar.getEvent(token, eventId, calendarId);
-    const selfAttendee = event.attendees?.find((a) => a.self);
+  const connection = getCalendarConnection();
 
-    if (!selfAttendee) {
-      // If the user is the organizer and not in the attendees list,
-      // they don't need to RSVP
-      if (event.organizer?.self) {
-        return ok("You are the organizer of this event. No RSVP needed.");
-      }
-      return ok(
-        "Could not find your attendee entry for this event. You may not be invited.",
-      );
-    }
+  // First get the event to find the user's attendee entry
+  const event = await calendar.getEvent(connection, eventId, calendarId);
+  const selfAttendee = event.attendees?.find((a) => a.self);
 
-    // Update the attendee's response status
-    const updatedAttendees = event.attendees!.map((a) =>
-      a.self ? { ...a, responseStatus: response } : a,
+  if (!selfAttendee) {
+    // If the user is the organizer and not in the attendees list,
+    // they don't need to RSVP
+    if (event.organizer?.self) {
+      return ok("You are the organizer of this event. No RSVP needed.");
+    }
+    return ok(
+      "Could not find your attendee entry for this event. You may not be invited.",
     );
+  }
 
-    await calendar.patchEvent(
-      token,
-      eventId,
-      {
-        attendees: updatedAttendees as Array<{
-          email: string;
-          responseStatus?: string;
-        }>,
-      },
-      calendarId,
-    );
+  // Update the attendee's response status
+  const updatedAttendees = event.attendees!.map((a) =>
+    a.self ? { ...a, responseStatus: response } : a,
+  );
+
+  await calendar.patchEvent(
+    connection,
+    eventId,
+    {
+      attendees: updatedAttendees as Array<{
+        email: string;
+        responseStatus?: string;
+      }>,
+    },
+    calendarId,
+  );
 
-    const responseLabel =
-      response === "accepted"
-        ? "Accepted"
-        : response === "declined"
-          ? "Declined"
-          : "Tentatively accepted";
-    return ok(`${responseLabel} the event "${event.summary ?? eventId}".`);
-  });
+  const responseLabel =
+    response === "accepted"
+      ? "Accepted"
+      : response === "declined"
+        ? "Declined"
+        : "Tentatively accepted";
+  return ok(`${responseLabel} the event "${event.summary ?? eventId}".`);
 }

package/src/config/bundled-skills/google-calendar/tools/shared.ts

@@ -1,20 +1,15 @@
-import { withValidToken } from "../../../../security/token-manager.js";
+import type { OAuthConnection } from "../../../../oauth/connection.js";
+import { resolveOAuthConnection } from "../../../../oauth/connection-resolver.js";
 import type { ToolExecutionResult } from "../../../../tools/types.js";
 
 export function ok(content: string): ToolExecutionResult {
   return { content, isError: false };
 }
 
-export function err(message: string): ToolExecutionResult {
-  return { content: message, isError: true };
-}
-
 /**
  * Calendar uses the same OAuth credential service as Gmail since both
  * scopes are granted in a single OAuth consent flow.
  */
-export async function withCalendarToken<T>(
-  fn: (token: string) => Promise<T>,
-): Promise<T> {
-  return withValidToken("integration:gmail", fn);
+export function getCalendarConnection(): OAuthConnection {
+  return resolveOAuthConnection("integration:gmail");
 }

package/src/config/bundled-skills/image-studio/tools/media-generate-image.ts

@@ -5,10 +5,15 @@ import {
 } from "../../../../daemon/media-visibility-policy.js";
 import {
   generateImage,
+  type ImageGenCredentials,
   mapGeminiError,
 } from "../../../../media/gemini-image-service.js";
 import { getAttachmentsByIds } from "../../../../memory/attachments-store.js";
 import { getConversationThreadType } from "../../../../memory/conversation-crud.js";
+import {
+  buildManagedBaseUrl,
+  resolveManagedProxyContext,
+} from "../../../../providers/managed-proxy/context.js";
 import type { ImageContent } from "../../../../providers/types.js";
 import { getAttachmentSourceConversations } from "../../../../tools/assets/search.js";
 import type {
@@ -46,9 +51,25 @@ export async function run(
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
   const config = getConfig();
-  const apiKey = config.apiKeys.gemini;
+  const apiKey = config.apiKeys.gemini ?? process.env.GEMINI_API_KEY;
+
+  // Resolve credentials: prefer direct API key, fall back to managed proxy
+  let credentials: ImageGenCredentials | undefined;
+  if (apiKey) {
+    credentials = { type: "direct", apiKey };
+  } else {
+    const managedBaseUrl = buildManagedBaseUrl("vertex");
+    if (managedBaseUrl) {
+      const ctx = resolveManagedProxyContext();
+      credentials = {
+        type: "managed-proxy",
+        assistantApiKey: ctx.assistantApiKey,
+        baseUrl: managedBaseUrl,
+      };
+    }
+  }
 
-  if (!apiKey) {
+  if (!credentials) {
     return {
       content:
         "No Gemini API key configured. Please set your Gemini API key to use image generation.",
@@ -95,7 +116,7 @@ export async function run(
   }
 
   try {
-    const result = await generateImage(apiKey, {
+    const result = await generateImage(credentials, {
       prompt,
       mode,
       sourceImages,

package/src/config/bundled-skills/messaging/SKILL.md

@@ -33,9 +33,9 @@ When a platform is connected (auth test succeeds), always use the messaging API
 
 Before using any messaging tool, verify that the platform is connected by calling `messaging_auth_test` with the appropriate `platform` parameter. If the call fails with a token/authorization error, follow the steps below.
 
-### Public Ingress (required for all platforms)
+### Public Ingress (required for Slack and Telegram)
 
-Gmail, Slack, and Telegram setup all require a publicly reachable URL for OAuth callbacks or webhook delivery. The **public-ingress** skill handles ngrok tunnel setup and persists the URL as `ingress.publicBaseUrl`. Each setup skill below declares `public-ingress` as a dependency and will prompt you to run it if `ingress.publicBaseUrl` is not configured.
+Slack and Telegram setup require a publicly reachable URL for OAuth callbacks or webhook delivery. The **public-ingress** skill handles ngrok tunnel setup and persists the URL as `ingress.publicBaseUrl`. Gmail on the desktop app uses a loopback callback and does not require public ingress; the channel path (Path B in the google-oauth-applescript skill) handles public ingress internally when needed.
 
 ### Email Connection Flow
 
@@ -48,11 +48,11 @@ When the user asks to "connect my email", "set up email", "manage my email", or
 ### Gmail
 
 1. **Try connecting directly first.** Call `credential_store` with `action: "oauth2_connect"` and `service: "gmail"`. The tool auto-fills Google's OAuth endpoints and looks up any previously stored client credentials — so this single call may be all that's needed.
-2. **If it fails because no client_id is found:** The user needs to create Google Cloud OAuth credentials first. Load the **google-oauth-setup** skill (which depends on **public-ingress** for the redirect URI):
-   - Call `skill_load` with `skill: "google-oauth-setup"` to load the dependency skill.
+2. **If it fails because no client_id is found:** The user needs to create Google Cloud OAuth credentials first. Load the **google-oauth-applescript** skill:
+   - Call `skill_load` with `skill: "google-oauth-applescript"` to load the dependency skill.
    - Tell the user Gmail isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
      - **message:** "Ready to set up Gmail?"
-     - **detail:** "I'll open a browser where you sign in to Google, then automate everything else — creating a project, enabling APIs, and connecting your account. Takes 2-3 minutes and you can watch in the browser preview panel."
+     - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials — creating a project, enabling APIs, and connecting your account. Takes about 5 minutes."
      - **confirmLabel:** "Get Started"
      - **cancelLabel:** "Not Now"
    - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
@@ -95,7 +95,7 @@ The guardian-verify-setup skill handles the full outbound verification flow for
 When a messaging tool fails with a token or authorization error:
 
 1. **Try to reconnect silently.** Call `credential_store` with `action: "oauth2_connect"` and the appropriate `service`. This often resolves expired tokens automatically.
-2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected — let me set that up") and immediately follow the connection setup flow for that platform (e.g., install and load **google-oauth-setup** for Gmail). The user came to you to get something done, not to troubleshoot OAuth — make it seamless.
+2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected — let me set that up") and immediately follow the connection setup flow for that platform (e.g., install and load **google-oauth-applescript** for Gmail). The user came to you to get something done, not to troubleshoot OAuth — make it seamless.
 3. **Never try alternative approaches.** Don't use bash, curl, browser automation, or any workaround. If the messaging tools can't do it, the reconnection flow is the answer.
 4. **Never expose error details.** The user doesn't need to see error messages about tokens, OAuth, or API failures. Translate errors into plain language.