@vellumai/assistant 0.4.49 → 0.4.51

package/src/cli/commands/mcp.ts

@@ -1,3 +1,6 @@
+import { mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
 import { UnauthorizedError } from "@modelcontextprotocol/sdk/client/auth.js";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
@@ -11,7 +14,7 @@ import {
   deleteMcpOAuthCredentials,
   McpOAuthProvider,
 } from "../../mcp/mcp-oauth-provider.js";
-import { httpSend } from "../http-client.js";
+import { getWorkspaceDir } from "../../util/platform.js";
 import { log } from "../logger.js";
 
 export const HEALTH_CHECK_TIMEOUT_MS = 10_000;
@@ -51,6 +54,21 @@ export async function checkServerHealth(
   }
 }
 
+/**
+ * Write a signal file so the daemon's ConfigWatcher triggers an MCP reload.
+ * Used by `mcp reload`, `mcp auth`, and any operation that needs the daemon
+ * to reconnect MCP servers.
+ */
+function signalMcpReload(): void {
+  try {
+    const signalsDir = join(getWorkspaceDir(), "signals");
+    mkdirSync(signalsDir, { recursive: true });
+    writeFileSync(join(signalsDir, "mcp-reload"), "");
+  } catch {
+    // Best-effort — the daemon may not be running or the directory may not exist.
+  }
+}
+
 export function registerMcpCommand(program: Command): void {
   const mcp = program
     .command("mcp")
@@ -67,8 +85,8 @@ server uses one of three transport types:
   sse               Remote server using Server-Sent Events
   streamable-http   Remote server using Streamable HTTP transport
 
-After changing MCP server configuration, run 'vellum mcp reload' to apply
-changes without restarting the assistant.
+MCP server configuration changes are detected automatically by the running
+assistant. You can also run 'vellum mcp reload' to trigger a manual reload.
 
 Examples:
   $ assistant mcp list
@@ -251,61 +269,20 @@ Examples:
     .addHelpText(
       "after",
       `
-Sends a message to the running assistant to disconnect and reconnect all MCP
-servers using the current configuration from disk. Active sessions pick up
-new tools on their next turn automatically. The assistant must be running.
+Signals the running assistant to disconnect and reconnect all MCP servers
+using the current configuration from disk. Active sessions pick up new tools
+on their next turn automatically. The assistant must be running.
 
 Examples:
   $ vellum mcp reload
   $ vellum mcp reload   # after editing config.json to add a new server
   $ vellum mcp reload   # after running "vellum mcp auth <server>"`,
     )
-    .action(async () => {
-      log.info("Sending reload request to assistant...");
-      try {
-        const res = await httpSend("/v1/mcp/reload", { method: "POST" });
-        const response = (await res.json()) as {
-          success: boolean;
-          serverCount?: number;
-          toolCount?: number;
-          servers?: {
-            id: string;
-            connected: boolean;
-            disabled?: boolean;
-            toolCount: number;
-            tools: string[];
-          }[];
-          error?: string;
-        };
-        if (response.success) {
-          log.info(
-            `MCP servers reloaded: ${response.serverCount} server(s), ${response.toolCount} tool(s)\n`,
-          );
-          if (response.servers && response.servers.length > 0) {
-            for (const server of response.servers) {
-              const status = server.disabled
-                ? "⊘ Disabled"
-                : server.connected
-                  ? "\u2713 Connected"
-                  : "\u2717 Not connected";
-              log.info(`  ${server.id}`);
-              log.info(`    Status: ${status}`);
-              log.info(
-                `    Tools:  ${server.toolCount > 0 ? server.tools.join(", ") : "(none)"}`,
-              );
-              log.info("");
-            }
-          }
-        } else {
-          log.error(`Failed to reload: ${response.error}`);
-          process.exitCode = 1;
-        }
-      } catch (err) {
-        log.error(
-          `Failed to send reload request: ${err instanceof Error ? err.message : err}`,
-        );
-        process.exitCode = 1;
-      }
+    .action(() => {
+      signalMcpReload();
+      log.info(
+        "MCP reload signal sent. The running assistant will reconnect servers shortly.",
+      );
     });
 
   mcp
@@ -422,7 +399,10 @@ Examples:
 
         saveRawConfig(raw);
         log.info(`Added MCP server "${name}" (${opts.transportType})`);
-        log.info("Run 'vellum mcp reload' to apply changes.");
+        log.info(
+          "The running assistant will pick up this change automatically. " +
+            "Or run 'vellum mcp reload' to apply now.",
+        );
       },
     );
 
@@ -444,8 +424,8 @@ OAuth flow. If the server already has valid cached tokens, the command succeeds
 immediately without opening a browser. Tokens are cached locally for future use
 by the assistant.
 
-After successful authentication, run 'vellum mcp reload' to apply changes
-without restarting the assistant.
+After successful authentication, the running assistant detects the change
+automatically. You can also run 'vellum mcp reload' to apply immediately.
 
 Examples:
   $ assistant mcp auth my-server
@@ -603,7 +583,11 @@ Examples:
       provider.stopCallbackServer();
 
       log.info(`Authentication successful for "${name}".`);
-      log.info("Run 'vellum mcp reload' to apply changes.");
+      log.info(
+        "The running assistant will pick up this change automatically. " +
+          "Or run 'vellum mcp reload' to apply now.",
+      );
+      signalMcpReload();
       process.exit(0);
     });
 
@@ -621,8 +605,8 @@ any stored OAuth credentials (tokens, client info, discovery metadata) for
 sse/streamable-http servers. If no OAuth credentials exist, the cleanup is
 silently skipped.
 
-After removal, run 'vellum mcp reload' to apply changes without restarting
-the assistant.
+After removal, the running assistant detects the change automatically. You
+can also run 'vellum mcp reload' to apply immediately.
 
 Examples:
   $ assistant mcp remove my-server
@@ -655,6 +639,9 @@ Examples:
       delete servers[name];
       saveRawConfig(raw);
       log.info(`Removed MCP server "${name}".`);
-      log.info("Run 'vellum mcp reload' to apply changes.");
+      log.info(
+        "The running assistant will pick up this change automatically. " +
+          "Or run 'vellum mcp reload' to apply now.",
+      );
     });
 }

package/src/cli/commands/memory.ts

@@ -1,21 +1,16 @@
 import type { Command } from "commander";
 
 import {
-  dismissPendingConflicts,
   getMemorySystemStatus,
   queryMemory,
   requestMemoryBackfill,
   requestMemoryCleanup,
   requestMemoryRebuildIndex,
 } from "../../memory/admin.js";
-import { listPendingConflictDetails } from "../../memory/conflict-store.js";
 import { listConversations } from "../../memory/conversation-queries.js";
-import { rawGet } from "../../memory/db.js";
 import { initializeDb } from "../db.js";
 import { log } from "../logger.js";
 
-const SHORT_HASH_LENGTH = 8;
-
 export function registerMemoryCommand(program: Command): void {
   const memory = program
     .command("memory")
@@ -24,23 +19,20 @@ export function registerMemoryCommand(program: Command): void {
   memory.addHelpText(
     "after",
     `
-The memory subsystem indexes conversation segments into full-text search (FTS)
-and vector embeddings for semantic recall. When the assistant encounters new
-information that contradicts a stored fact, a conflict is created and held in
-"pending_clarification" status until explicitly dismissed or resolved.
+The memory subsystem indexes conversation segments using hybrid search (dense
+and sparse vector embeddings) for semantic recall, with tier classification
+to prioritize high-value memories.
 
 Key concepts:
   segments     Chunks of conversation text extracted for indexing
   items        Distilled facts/statements derived from segments
   summaries    Compressed representations of conversation history
   embeddings   Vector representations used for semantic similarity search
-  conflicts    Pairs of contradictory statements awaiting resolution
 
 Examples:
   $ assistant memory status
   $ assistant memory query "What is the project deadline?"
-  $ assistant memory backfill
-  $ assistant memory dismiss-conflicts --all`,
+  $ assistant memory backfill`,
   );
 
   memory
@@ -59,10 +51,7 @@ Fields shown:
   items              Total distilled fact items stored
   summaries          Total compressed conversation summaries
   embeddings         Total vector embeddings computed
-  pending conflicts  Conflicts awaiting user resolution
-  resolved conflicts Conflicts that have been dismissed or resolved
-  oldest pending age How long the oldest unresolved conflict has been waiting
-  cleanup backlogs   Number of resolved conflicts and superseded items pending cleanup
+  cleanup backlogs   Number of superseded items pending cleanup
   cleanup throughput Number of cleanup operations completed in the last 24 hours
   jobs               Status of background jobs (backfill, cleanup, rebuild-index)
 
@@ -84,29 +73,9 @@ Examples:
       log.info(`Items: ${status.counts.items.toLocaleString()}`);
       log.info(`Summaries: ${status.counts.summaries.toLocaleString()}`);
       log.info(`Embeddings: ${status.counts.embeddings.toLocaleString()}`);
-      log.info(
-        `Pending conflicts: ${status.conflicts.pending.toLocaleString()}`,
-      );
-      log.info(
-        `Resolved conflicts: ${status.conflicts.resolved.toLocaleString()}`,
-      );
-      if (status.conflicts.oldestPendingAgeMs != null) {
-        const oldestMinutes = Math.floor(
-          status.conflicts.oldestPendingAgeMs / 60_000,
-        );
-        log.info(`Oldest pending conflict age: ${oldestMinutes} min`);
-      } else {
-        log.info("Oldest pending conflict age: n/a");
-      }
-      log.info(
-        `Cleanup backlog (resolved conflicts): ${status.cleanup.resolvedBacklog.toLocaleString()}`,
-      );
       log.info(
         `Cleanup backlog (superseded items): ${status.cleanup.supersededBacklog.toLocaleString()}`,
       );
-      log.info(
-        `Cleanup throughput 24h (resolved conflicts): ${status.cleanup.resolvedCompleted24h.toLocaleString()}`,
-      );
       log.info(
         `Cleanup throughput 24h (superseded items): ${status.cleanup.supersededCompleted24h.toLocaleString()}`,
       );
@@ -123,8 +92,8 @@ Examples:
     .addHelpText(
       "after",
       `
-Queues a background job to index unprocessed conversation segments into FTS
-and vector embeddings. The job resumes from where the last backfill left off,
+Queues a background job to index unprocessed conversation segments into
+vector embeddings. The job resumes from where the last backfill left off,
 processing only new or unindexed segments.
 
 The --force flag restarts the backfill from the very beginning, reprocessing
@@ -144,7 +113,7 @@ Examples:
   memory
     .command("cleanup")
     .description(
-      "Queue cleanup jobs for resolved conflicts and stale superseded items",
+      "Queue cleanup jobs for stale superseded items",
     )
     .option(
       "--retention-ms <ms>",
@@ -153,11 +122,8 @@ Examples:
     .addHelpText(
       "after",
       `
-Queues two background cleanup jobs:
-  1. Resolved conflicts cleanup — removes conflict records that have been
-     dismissed or resolved past the retention threshold.
-  2. Stale superseded items cleanup — removes memory items that have been
-     superseded by newer, corrected facts past the retention threshold.
+Queues a background cleanup job to remove memory items that have been
+superseded by newer, corrected facts past the retention threshold.
 
 The optional --retention-ms flag sets the minimum age (in milliseconds) a
 record must have before it is eligible for cleanup. If omitted, the system
@@ -175,9 +141,6 @@ Examples:
       const jobs = requestMemoryCleanup(
         Number.isFinite(retentionMs) ? retentionMs : undefined,
       );
-      log.info(
-        `Queued cleanup_resolved_conflicts job: ${jobs.resolvedConflictsJobId}`,
-      );
       log.info(
         `Queued cleanup_stale_superseded_items job: ${jobs.staleSupersededItemsJobId}`,
       );
@@ -195,8 +158,8 @@ Examples:
 Arguments:
   text   The recall query string used to search memory (e.g. "What is the
          project deadline?"). Matched against indexed segments using the full
-         recall pipeline: lexical (FTS), semantic (vector similarity), recency
-         (time-weighted), and entity (named entity extraction).
+         recall pipeline: semantic (dense + sparse vector similarity) and recency
+         (time-weighted).
 
 Runs the complete memory recall pipeline and displays hit counts for each
 retrieval strategy, the total injected token count, query latency, and the
@@ -221,10 +184,8 @@ Examples:
       if (result.degraded) {
         log.info(`Memory degraded: ${result.reason ?? "unknown reason"}`);
       }
-      log.info(`Lexical hits: ${result.lexicalHits}`);
       log.info(`Semantic hits: ${result.semanticHits}`);
       log.info(`Recency hits: ${result.recencyHits}`);
-      log.info(`Entity hits: ${result.entityHits}`);
       log.info(`Injected tokens: ${result.injectedTokens}`);
       log.info(`Latency: ${result.latencyMs}ms`);
       if (result.injectedText.length > 0) {
@@ -237,13 +198,13 @@ Examples:
 
   memory
     .command("rebuild-index")
-    .description("Queue a memory FTS+embedding index rebuild job")
+    .description("Queue a memory embedding index rebuild job")
     .addHelpText(
       "after",
       `
-Queues a background job that performs a full rebuild of both the FTS (full-text
-search) index and the vector embedding index. All existing index data is
-dropped and reconstructed from the source memory items.
+Queues a background job that performs a full rebuild of the vector embedding
+index. All existing index data is dropped and reconstructed from the source
+memory items.
 
 This is useful after schema changes, embedding model upgrades, or if index
 corruption is suspected. The rebuild runs asynchronously; use "assistant memory
@@ -258,114 +219,4 @@ Examples:
       const jobId = requestMemoryRebuildIndex();
       log.info(`Queued rebuild-index job: ${jobId}`);
     });
-
-  memory
-    .command("dismiss-conflicts")
-    .description("Dismiss pending memory conflicts (all or matching a pattern)")
-    .option("-a, --all", "Dismiss all pending conflicts")
-    .option(
-      "-p, --pattern <regex>",
-      "Dismiss conflicts where either statement matches this regex",
-    )
-    .option("-s, --scope <id>", 'Memory scope (default: "default")')
-    .option("--dry-run", "Show what would be dismissed without making changes")
-    .addHelpText(
-      "after",
-      `
-Two modes of operation:
-  --all              Dismiss every pending conflict in the scope
-  --pattern <regex>  Dismiss only conflicts where either the existing or
-                     candidate statement matches the given regex (case-insensitive)
-
-At least one of --all or --pattern must be provided. If both are given,
---all takes priority and all pending conflicts are dismissed.
-
-The --scope flag targets a specific memory scope. Defaults to "default" if
-omitted. The --dry-run flag previews which conflicts would be dismissed
-without actually modifying any records.
-
-Examples:
-  $ assistant memory dismiss-conflicts --all
-  $ assistant memory dismiss-conflicts --pattern "project deadline" --dry-run
-  $ assistant memory dismiss-conflicts --pattern "^preferred\\b" --scope work`,
-    )
-    .action(
-      (opts: {
-        all?: boolean;
-        pattern?: string;
-        scope?: string;
-        dryRun?: boolean;
-      }) => {
-        if (!opts.all && !opts.pattern) {
-          log.info("At least one of --all or --pattern must be provided.");
-          log.info("Use --dry-run to preview without making changes.");
-          return;
-        }
-
-        initializeDb();
-
-        const pattern = opts.pattern
-          ? new RegExp(opts.pattern, "i")
-          : undefined;
-
-        if (opts.dryRun) {
-          const scopeId = opts.scope ?? "default";
-          const totalPending =
-            rawGet<{ c: number }>(
-              `SELECT COUNT(*) AS c FROM memory_item_conflicts WHERE scope_id = ? AND status = 'pending_clarification'`,
-              scopeId,
-            )?.c ?? 0;
-
-          // Show a sample of conflicts (can't paginate without dismissing)
-          const sample = listPendingConflictDetails(scopeId, 1000);
-          let matchCount = 0;
-          for (const conflict of sample) {
-            const matches =
-              opts.all ||
-              (pattern &&
-                (pattern.test(conflict.existingStatement) ||
-                  pattern.test(conflict.candidateStatement)));
-            if (!matches) continue;
-            matchCount++;
-            log.info(
-              `  [${conflict.id.slice(0, SHORT_HASH_LENGTH)}] "${
-                conflict.existingStatement
-              }" vs "${conflict.candidateStatement}"`,
-            );
-          }
-
-          if (opts.all) {
-            // --all matches everything, so matchCount is just the sample size
-            log.info(
-              `\nDry run: ${totalPending} of ${totalPending} pending conflicts would be dismissed.`,
-            );
-          } else {
-            const moreNote =
-              totalPending > sample.length
-                ? ` (showing first ${sample.length} of ${totalPending})`
-                : "";
-            log.info(
-              `\nDry run: ${matchCount} of ${totalPending} pending conflicts would be dismissed.${moreNote}`,
-            );
-          }
-          return;
-        }
-
-        const result = dismissPendingConflicts({
-          all: opts.all,
-          pattern,
-          scopeId: opts.scope,
-        });
-        for (const detail of result.details) {
-          log.info(
-            `  Dismissed [${detail.id.slice(0, SHORT_HASH_LENGTH)}]: "${
-              detail.existingStatement
-            }" vs "${detail.candidateStatement}"`,
-          );
-        }
-        log.info(
-          `\nDismissed ${result.dismissed} conflicts. ${result.remaining} pending conflicts remain.`,
-        );
-      },
-    );
 }

package/src/cli/commands/oauth/apps.ts

@@ -8,6 +8,8 @@ import {
   listApps,
   upsertApp,
 } from "../../../oauth/oauth-store.js";
+import { credentialKey } from "../../../security/credential-key.js";
+import { getCredentialMetadata } from "../../../tools/credentials/metadata-store.js";
 import { getCliLogger } from "../../logger.js";
 import { shouldOutputJson, writeOutput } from "../../output.js";
 
@@ -45,8 +47,8 @@ client_secret linked to a provider. Each provider can have multiple apps
 Examples:
   $ assistant oauth apps list
   $ assistant oauth apps get --id <uuid>
-  $ assistant oauth apps get --provider integration:gmail
-  $ assistant oauth apps upsert --provider integration:gmail --client-id abc123
+  $ assistant oauth apps get --provider integration:google
+  $ assistant oauth apps upsert --provider integration:google --client-id abc123
   $ assistant oauth apps delete <id>`,
   );
 
@@ -96,7 +98,7 @@ Examples:
       "Look up an OAuth app by ID, provider + client-id, or provider",
     )
     .option("--id <id>", "App ID (UUID)")
-    .option("--provider <key>", "Provider key (e.g. integration:gmail)")
+    .option("--provider <key>", "Provider key (e.g. integration:google)")
     .option("--client-id <id>", "OAuth client ID (requires --provider)")
     .addHelpText(
       "after",
@@ -107,10 +109,10 @@ Three lookup modes are supported:
      $ assistant oauth apps get --id <uuid>
 
   2. By provider + client ID (exact match):
-     $ assistant oauth apps get --provider integration:gmail --client-id abc123
+     $ assistant oauth apps get --provider integration:google --client-id abc123
 
   3. By provider only (returns the most recently created app):
-     $ assistant oauth apps get --provider integration:gmail
+     $ assistant oauth apps get --provider integration:google
 
 At least --id or --provider must be specified.`,
     )
@@ -159,12 +161,19 @@ At least --id or --provider must be specified.`,
   apps
     .command("upsert")
     .description("Create or return an existing OAuth app registration")
-    .requiredOption("--provider <key>", "Provider key (e.g. integration:gmail)")
+    .requiredOption(
+      "--provider <key>",
+      "Provider key (e.g. integration:google)",
+    )
     .requiredOption("--client-id <id>", "OAuth client ID")
     .option(
       "--client-secret <secret>",
       "OAuth client secret (stored in secure keychain)",
     )
+    .option(
+      "--client-secret-credential-path <path>",
+      "Path to an existing client secret in the credential store (mutually exclusive with --client-secret)",
+    )
     .addHelpText(
       "after",
       `
@@ -175,21 +184,70 @@ stored in the secure system keychain — not in the database.
 When an existing app is matched and a --client-secret is provided, the stored
 secret is updated. The app row itself is returned as-is.
 
+You can supply the client secret directly via --client-secret, or reference an
+existing credential in the store via --client-secret-credential-path. These two
+options are mutually exclusive — providing both is an error.
+
+The --client-secret-credential-path accepts two formats:
+  1. Full credential path: "credential/integration:google/client_secret"
+  2. Short name (service:field): "integration:google:client_secret"
+     Resolved via the metadata store by splitting on the last colon.
+
 Examples:
-  $ assistant oauth apps upsert --provider integration:gmail --client-id abc123
+  $ assistant oauth apps upsert --provider integration:google --client-id abc123
   $ assistant oauth apps upsert --provider integration:slack --client-id def456 --client-secret s3cret
-  $ assistant oauth apps upsert --provider integration:gmail --client-id abc123 --json`,
+  $ assistant oauth apps upsert --provider integration:slack --client-id def456 --client-secret-credential-path "credential/integration:slack/client_secret"
+  $ assistant oauth apps upsert --provider integration:slack --client-id def456 --client-secret-credential-path "integration:slack:client_secret"
+  $ assistant oauth apps upsert --provider integration:google --client-id abc123 --json`,
     )
     .action(
       async (
-        opts: { provider: string; clientId: string; clientSecret?: string },
+        opts: {
+          provider: string;
+          clientId: string;
+          clientSecret?: string;
+          clientSecretCredentialPath?: string;
+        },
         cmd: Command,
       ) => {
         try {
+          if (opts.clientSecret && opts.clientSecretCredentialPath) {
+            writeOutput(cmd, {
+              ok: false,
+              error:
+                "Cannot provide both --client-secret and --client-secret-credential-path",
+            });
+            process.exitCode = 1;
+            return;
+          }
+
+          let resolvedCredentialPath = opts.clientSecretCredentialPath;
+          if (
+            resolvedCredentialPath &&
+            !resolvedCredentialPath.startsWith("credential/")
+          ) {
+            // Attempt to interpret as a credential key — split on the LAST colon to get service/field
+            const lastColon = resolvedCredentialPath.lastIndexOf(":");
+            if (lastColon > 0) {
+              const asService = resolvedCredentialPath.slice(0, lastColon);
+              const asField = resolvedCredentialPath.slice(lastColon + 1);
+              // If a credential exists in metadata with these coordinates, resolve it
+              const meta = getCredentialMetadata(asService, asField);
+              if (meta) {
+                resolvedCredentialPath = credentialKey(asService, asField);
+              }
+            }
+          }
+
+          const clientSecretOpts = opts.clientSecret
+            ? { clientSecretValue: opts.clientSecret }
+            : resolvedCredentialPath
+              ? { clientSecretCredentialPath: resolvedCredentialPath }
+              : undefined;
           const row = await upsertApp(
             opts.provider,
             opts.clientId,
-            opts.clientSecret,
+            clientSecretOpts,
           );
 
           if (!shouldOutputJson(cmd)) {