@vellumai/assistant 0.4.46 → 0.4.49

package/src/calls/relay-server.ts

@@ -744,24 +744,20 @@ export class RelayConnection {
   }
 
   /**
-   * Start normal call flow — fire the controller greeting unless a
-   * static welcome greeting is configured.
+   * Start normal call flow — fire the controller greeting.
    */
   private startNormalCallFlow(
     controller: CallController,
     isInbound: boolean,
   ): void {
-    const hasStaticGreeting = !!process.env.CALL_WELCOME_GREETING?.trim();
-    if (!hasStaticGreeting) {
-      controller
-        .startInitialGreeting()
-        .catch((err) =>
-          log.error(
-            { err, callSessionId: this.callSessionId },
-            `Failed to start initial ${isInbound ? "inbound" : "outbound"} greeting`,
-          ),
-        );
-    }
+    controller
+      .startInitialGreeting()
+      .catch((err) =>
+        log.error(
+          { err, callSessionId: this.callSessionId },
+          `Failed to start initial ${isInbound ? "inbound" : "outbound"} greeting`,
+        ),
+      );
   }
 
   /**

package/src/calls/twilio-config.ts

@@ -1,9 +1,9 @@
-import { getTwilioPhoneNumberEnv } from "../config/env.js";
 import { loadConfig } from "../config/loader.js";
 import {
   getPublicBaseUrl,
   getTwilioRelayUrl,
 } from "../inbound/public-ingress-urls.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { ConfigError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
@@ -24,14 +24,10 @@ export interface TwilioConfig {
  * agree on the same number.
  *
  * Resolution order:
- *   1. TWILIO_PHONE_NUMBER env var
- *   2. config.twilio?.phoneNumber
- *   3. ""
+ *   1. config.twilio?.phoneNumber
+ *   2. ""
  */
 export function resolveTwilioPhoneNumber(): string {
-  const fromEnv = getTwilioPhoneNumberEnv();
-  if (fromEnv) return fromEnv;
-
   try {
     const config = loadConfig();
     if (config.twilio?.phoneNumber) return config.twilio.phoneNumber;
@@ -45,7 +41,7 @@ export function resolveTwilioPhoneNumber(): string {
 export function getTwilioConfig(): TwilioConfig {
   const config = loadConfig();
   const accountSid = config.twilio?.accountSid || "";
-  const authToken = getSecureKey("credential:twilio:auth_token") || "";
+  const authToken = getSecureKey(credentialKey("twilio", "auth_token")) || "";
   const phoneNumber = resolveTwilioPhoneNumber();
   const webhookBaseUrl = getPublicBaseUrl(config);
 

package/src/calls/twilio-provider.ts

@@ -1,5 +1,6 @@
 import { createHmac, timingSafeEqual } from "node:crypto";
 
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { ProviderError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
@@ -280,7 +281,7 @@ export class TwilioConversationRelayProvider implements VoiceProvider {
    * middleware) can check availability independently.
    */
   static getAuthToken(): string | null {
-    return getSecureKey("credential:twilio:auth_token") || null;
+    return getSecureKey(credentialKey("twilio", "auth_token")) || null;
   }
 
   /**

package/src/calls/twilio-rest.ts

@@ -7,6 +7,7 @@
  */
 
 import { loadConfig } from "../config/loader.js";
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey } from "../security/secure-keys.js";
 import { ConfigError, ProviderError } from "../util/errors.js";
 
@@ -28,7 +29,7 @@ function resolveAccountSid(): string | undefined {
 
 /** Resolve the Twilio Auth Token from the credential store. */
 function resolveAuthToken(): string | undefined {
-  return getSecureKey("credential:twilio:auth_token") || undefined;
+  return getSecureKey(credentialKey("twilio", "auth_token")) || undefined;
 }
 
 /** Resolve Twilio credentials from config (SID) and credential store (token). Throws if not configured. */

package/src/calls/twilio-routes.ts

@@ -6,7 +6,6 @@
  * - handleConnectAction: called when the ConversationRelay connection ends
  */
 
-import { getCallWelcomeGreeting } from "../config/env.js";
 import { loadConfig } from "../config/loader.js";
 import { getTwilioRelayUrl } from "../inbound/public-ingress-urls.js";
 import { mintEdgeRelayToken } from "../runtime/auth/token-service.js";
@@ -236,7 +235,7 @@ function buildVoiceWebhookTwiml(
   );
 
   const relayUrl = getTwilioRelayUrl(loadConfig());
-  const welcomeGreeting = buildWelcomeGreeting(task, getCallWelcomeGreeting());
+  const welcomeGreeting = buildWelcomeGreeting(task);
 
   const relayToken = mintEdgeRelayToken();
 

package/src/calls/voice-ingress-preflight.ts

@@ -61,7 +61,7 @@ export async function preflightVoiceIngress(): Promise<VoiceIngressPreflightResu
     const msg = err instanceof Error ? err.message : String(err);
     return fail(
       msg ||
-        "Outbound voice calls require public ingress to be enabled and a public base URL (ingress.publicBaseUrl or INGRESS_PUBLIC_BASE_URL).",
+        "Outbound voice calls require public ingress to be enabled and a public base URL (ingress.publicBaseUrl).",
     );
   }
 

package/src/cli/commands/browser-relay.ts

@@ -1,5 +1,7 @@
 import type { Command } from "commander";
 
+import type { ExtensionCommand } from "../../browser-extension-relay/protocol.js";
+import { extensionRelayServer } from "../../browser-extension-relay/server.js";
 import {
   initAuthSigningKey,
   isSigningKeyInitialized,
@@ -16,22 +18,38 @@ import {
 } from "../../tools/browser/chrome-cdp.js";
 
 // ---------------------------------------------------------------------------
-// Shared relay helper
+// Shared relay helper — in-process when connected, gateway HTTP otherwise
 // ---------------------------------------------------------------------------
 
 async function relayCommand(command: Record<string, unknown>): Promise<void> {
   try {
-    if (!isSigningKeyInitialized()) {
-      initAuthSigningKey(loadOrCreateSigningKey());
-    }
-
-    const { data } = await gatewayPost<{
-      id: string;
+    // Dual-path: use in-process relay when connected (daemon context),
+    // otherwise fall back to gateway HTTP (out-of-process CLI context).
+    // We check connection status upfront rather than try/catch to avoid
+    // double-execution of side-effectful commands (navigate, new_tab, etc.)
+    // when sendCommand fails after the command was already dispatched.
+    let data: {
+      id?: string;
       success: boolean;
       result?: unknown;
       error?: string;
       tabId?: number;
-    }>("/v1/browser-relay/command", command);
+    };
+
+    if (extensionRelayServer.getStatus().connected) {
+      data = await extensionRelayServer.sendCommand(
+        command as Omit<ExtensionCommand, "id">,
+      );
+    } else {
+      // In-process relay not connected — fall back to gateway HTTP
+      if (!isSigningKeyInitialized()) {
+        initAuthSigningKey(loadOrCreateSigningKey());
+      }
+      ({ data } = await gatewayPost<typeof data>(
+        "/v1/browser-relay/command",
+        command,
+      ));
+    }
 
     if (data.success) {
       process.stdout.write(
@@ -367,15 +385,28 @@ Examples:
     )
     .action(async () => {
       try {
-        if (!isSigningKeyInitialized()) {
-          initAuthSigningKey(loadOrCreateSigningKey());
-        }
-        const data = await gatewayGet<{
+        // Dual-path: use in-process status when connected (daemon context),
+        // otherwise query gateway HTTP (out-of-process CLI context).
+        // getStatus() is a synchronous getter that never throws — we check
+        // .connected to decide whether the local status is meaningful.
+        let data: {
           connected: boolean;
-          connectionId?: string;
-          lastHeartbeatAt?: number;
+          connectionId?: string | null;
+          lastHeartbeatAt?: number | null;
           pendingCommandCount: number;
-        }>("/v1/browser-relay/status");
+        };
+
+        const localStatus = extensionRelayServer.getStatus();
+        if (localStatus.connected) {
+          data = localStatus;
+        } else {
+          // In-process relay not connected — fall back to gateway HTTP
+          if (!isSigningKeyInitialized()) {
+            initAuthSigningKey(loadOrCreateSigningKey());
+          }
+          data = await gatewayGet<typeof data>("/v1/browser-relay/status");
+        }
+
         process.stdout.write(
           JSON.stringify({
             ok: true,

package/src/cli/commands/completions.ts

@@ -45,7 +45,6 @@ Examples:
         autonomy: ["get", "set"],
       };
       const topLevel = [
-        "dev",
         "sessions",
         "config",
         "keys",
@@ -129,7 +128,6 @@ function generateZshCompletion(
 _assistant() {
     local -a commands
     commands=(
-        'dev:Run assistant in dev mode with auto-restart'
         'sessions:Manage sessions'
         'config:Manage configuration'
         'keys:Manage API keys in secure storage'
@@ -171,7 +169,6 @@ function generateFishCompletion(
   script += `complete -c assistant -f\n`;
 
   const descriptions: Record<string, string> = {
-    dev: "Run assistant in dev mode with auto-restart",
     sessions: "Manage sessions",
     config: "Manage configuration",
     keys: "Manage API keys in secure storage",

package/src/cli/commands/credentials.ts

@@ -1,5 +1,12 @@
 import type { Command } from "commander";
 
+import {
+  disconnectOAuthProvider,
+  getConnectionByProvider,
+  listConnections,
+  type OAuthConnectionRow,
+} from "../../oauth/oauth-store.js";
+import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   getSecureKey,
@@ -47,15 +54,45 @@ function scrubSecret(secret: string | undefined): string {
   return "****" + secret.slice(-4);
 }
 
+/**
+ * Safely look up an OAuth connection for a credential service.
+ * Returns undefined when the oauth-store has no data or the tables
+ * haven't been created yet (pre-migration).
+ */
+function safeGetConnectionByProvider(
+  service: string,
+): OAuthConnectionRow | undefined {
+  try {
+    return getConnectionByProvider(service);
+  } catch {
+    return undefined;
+  }
+}
+
+/**
+ * Safely list all OAuth connections. Returns an empty array when the
+ * oauth-store has no data or the tables haven't been created yet.
+ */
+function safeListConnections(): OAuthConnectionRow[] {
+  try {
+    return listConnections();
+  } catch {
+    return [];
+  }
+}
+
 /**
  * Build a structured credential output object suitable for both `inspect`
  * and `list` responses. Produces an identical shape for every credential.
+ * Optionally enriches with data from the oauth-store when a matching
+ * connection exists.
  */
 function buildCredentialOutput(
   metadata: CredentialMetadata,
   secret: string | undefined,
+  connection?: OAuthConnectionRow,
 ): Record<string, unknown> {
-  return {
+  const output: Record<string, unknown> = {
     ok: true,
     service: metadata.service,
     field: metadata.field,
@@ -66,14 +103,24 @@ function buildCredentialOutput(
     usageDescription: metadata.usageDescription ?? null,
     allowedTools: metadata.allowedTools,
     allowedDomains: metadata.allowedDomains,
-    grantedScopes: metadata.grantedScopes ?? null,
-    expiresAt: metadata.expiresAt
-      ? new Date(metadata.expiresAt).toISOString()
-      : null,
     createdAt: new Date(metadata.createdAt).toISOString(),
     updatedAt: new Date(metadata.updatedAt).toISOString(),
     injectionTemplateCount: metadata.injectionTemplates?.length ?? 0,
+    grantedScopes: connection ? JSON.parse(connection.grantedScopes) : null,
+    expiresAt: connection?.expiresAt
+      ? new Date(connection.expiresAt).toISOString()
+      : null,
   };
+
+  if (connection) {
+    output.oauthConnectionId = connection.id;
+    output.oauthAccountInfo = connection.accountInfo ?? null;
+    output.oauthStatus = connection.status;
+    output.oauthHasRefreshToken = connection.hasRefreshToken === 1;
+    output.oauthLabel = connection.label ?? null;
+  }
+
+  return output;
 }
 
 /**
@@ -100,15 +147,19 @@ function printCredentialHuman(output: Record<string, unknown>): void {
     log.info(
       `    Domains:     ${(output.allowedDomains as string[]).join(", ")}`,
     );
-  if (output.grantedScopes)
-    log.info(
-      `    Scopes:      ${(output.grantedScopes as string[]).join(", ")}`,
-    );
-  if (output.expiresAt) log.info(`    Expires:     ${output.expiresAt}`);
   log.info(`    Created:     ${output.createdAt}`);
   log.info(`    Updated:     ${output.updatedAt}`);
   if ((output.injectionTemplateCount as number) > 0)
     log.info(`    Templates:   ${output.injectionTemplateCount}`);
+
+  // OAuth connection enrichment
+  if (output.oauthStatus) {
+    log.info(`    OAuth:       ${output.oauthStatus}`);
+    if (output.oauthAccountInfo)
+      log.info(`    Account:     ${output.oauthAccountInfo}`);
+    if (output.oauthLabel) log.info(`    OAuth Label: ${output.oauthLabel}`);
+    log.info(`    Refresh:     ${output.oauthHasRefreshToken ? "yes" : "no"}`);
+  }
 }
 
 // ---------------------------------------------------------------------------
@@ -127,7 +178,7 @@ export function registerCredentialsCommand(program: Command): void {
     "after",
     `
 Credentials are identified by name in service:field format, matching the
-storage convention used internally (credential:{service}:{field}):
+storage convention used internally (credential/{service}/{field}):
 
   twilio:account_sid        Twilio account SID
   twilio:auth_token         Twilio auth token
@@ -197,9 +248,24 @@ Examples:
           });
         }
 
+        // Build a lookup of oauth connections keyed by providerKey for enrichment.
+        // listConnections() returns rows in no guaranteed order, so we compare
+        // createdAt to keep the most recent active connection per provider —
+        // matching the behaviour of getConnectionByProvider() used by inspect.
+        const allConnections = safeListConnections();
+        const connectionsByProvider = new Map<string, OAuthConnectionRow>();
+        for (const conn of allConnections) {
+          if (conn.status !== "active") continue;
+          const existing = connectionsByProvider.get(conn.providerKey);
+          if (!existing || conn.createdAt > existing.createdAt) {
+            connectionsByProvider.set(conn.providerKey, conn);
+          }
+        }
+
         const credentials = allMetadata.map((m) => {
-          const secret = getSecureKey(`credential:${m.service}:${m.field}`);
-          return buildCredentialOutput(m, secret);
+          const secret = getSecureKey(credentialKey(m.service, m.field));
+          const connection = connectionsByProvider.get(m.service);
+          return buildCredentialOutput(m, secret, connection);
         });
 
         writeOutput(cmd, { ok: true, credentials });
@@ -273,7 +339,7 @@ Examples:
           }
 
           const { service, field } = parsed;
-          const storageKey = `credential:${service}:${field}`;
+          const storageKey = credentialKey(service, field);
 
           assertMetadataWritable();
 
@@ -350,7 +416,7 @@ Examples:
         }
 
         const { service, field } = parsed;
-        const storageKey = `credential:${service}:${field}`;
+        const storageKey = credentialKey(service, field);
 
         assertMetadataWritable();
 
@@ -366,7 +432,29 @@ Examples:
 
         const metadataDeleted = deleteCredentialMetadata(service, field);
 
-        if (secretResult !== "deleted" && !metadataDeleted) {
+        // Also clean up the OAuth connection and new-format secure keys.
+        // disconnectOAuthProvider is a no-op when no connection exists.
+        let oauthResult: "disconnected" | "not-found" | "error" = "not-found";
+        try {
+          oauthResult = await disconnectOAuthProvider(service);
+        } catch {
+          // Best-effort — OAuth tables may not exist yet
+        }
+
+        if (oauthResult === "error") {
+          writeOutput(cmd, {
+            ok: false,
+            error: "Failed to disconnect OAuth provider — please try again",
+          });
+          process.exitCode = 1;
+          return;
+        }
+
+        if (
+          secretResult !== "deleted" &&
+          !metadataDeleted &&
+          oauthResult !== "disconnected"
+        ) {
           writeOutput(cmd, { ok: false, error: "Credential not found" });
           process.exitCode = 1;
           return;
@@ -424,11 +512,11 @@ Examples:
             return;
           }
           metadata = getCredentialMetadata(parsed.service, parsed.field);
-          storageKey = `credential:${parsed.service}:${parsed.field}`;
+          storageKey = credentialKey(parsed.service, parsed.field);
         } else {
           metadata = getCredentialMetadataById(name);
           if (metadata) {
-            storageKey = `credential:${metadata.service}:${metadata.field}`;
+            storageKey = credentialKey(metadata.service, metadata.field);
           } else {
             // No metadata found by UUID, and we can't determine the storage key
             writeOutput(cmd, { ok: false, error: "Credential not found" });
@@ -463,8 +551,6 @@ Examples:
             usageDescription: null,
             allowedTools: [],
             allowedDomains: [],
-            grantedScopes: null,
-            expiresAt: null,
             createdAt: null,
             updatedAt: null,
             injectionTemplateCount: 0,
@@ -478,7 +564,8 @@ Examples:
           return;
         }
 
-        const output = buildCredentialOutput(metadata, secret);
+        const connection = safeGetConnectionByProvider(metadata.service);
+        const output = buildCredentialOutput(metadata, secret, connection);
         writeOutput(cmd, output);
 
         if (!shouldOutputJson(cmd)) {
@@ -529,11 +616,11 @@ Examples:
             process.exitCode = 1;
             return;
           }
-          storageKey = `credential:${parsed.service}:${parsed.field}`;
+          storageKey = credentialKey(parsed.service, parsed.field);
         } else {
           const metadata = getCredentialMetadataById(name);
           if (metadata) {
-            storageKey = `credential:${metadata.service}:${metadata.field}`;
+            storageKey = credentialKey(metadata.service, metadata.field);
           } else {
             writeOutput(cmd, { ok: false, error: "Credential not found" });
             process.exitCode = 1;