npm - @vellumai/assistant - Versions diffs - 0.4.49 → 0.4.51 - Mend

@vellumai/assistant 0.4.49 → 0.4.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (353) hide show

package/ARCHITECTURE.md +24 -33
package/README.md +3 -3
package/docs/architecture/integrations.md +2 -2
package/docs/architecture/keychain-broker.md +6 -6
package/docs/architecture/memory.md +180 -119
package/knip.json +32 -0
package/package.json +3 -2
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +114 -23
package/src/__tests__/approval-cascade.test.ts +1 -15
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/btw-routes.test.ts +61 -5
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/checker.test.ts +13 -0
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/config-watcher.test.ts +8 -0
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/conversation-routes-guardian-reply.test.ts +8 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-security-invariants.test.ts +8 -7
package/src/__tests__/credential-vault-unit.test.ts +23 -18
package/src/__tests__/credential-vault.test.ts +30 -18
package/src/__tests__/credentials-cli.test.ts +257 -82
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/guardian-routing-invariants.test.ts +93 -0
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +165 -3
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/inbound-invite-redemption.test.ts +36 -7
package/src/__tests__/integration-status.test.ts +31 -30
package/src/__tests__/invite-redemption-service.test.ts +166 -13
package/src/__tests__/invite-routes-http.test.ts +166 -5
package/src/__tests__/keychain-broker-client.test.ts +4 -4
package/src/__tests__/list-messages-attachments.test.ts +193 -0
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/oauth-cli.test.ts +824 -31
package/src/__tests__/oauth-provider-profiles.test.ts +1 -1
package/src/__tests__/oauth-store.test.ts +363 -17
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/registry.test.ts +0 -1
package/src/__tests__/relay-server.test.ts +55 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secret-routes-managed-proxy.test.ts +183 -0
package/src/__tests__/secure-keys.test.ts +78 -18
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/server-history-render.test.ts +2 -2
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skills.test.ts +2 -2
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/slack-channel-config.test.ts +10 -8
package/src/__tests__/trust-store.test.ts +15 -0
package/src/__tests__/twilio-config.test.ts +11 -10
package/src/__tests__/twilio-provider.test.ts +9 -4
package/src/__tests__/voice-invite-redemption.test.ts +85 -5
package/src/agent/ax-tree-compaction.test.ts +51 -0
package/src/agent/loop.ts +39 -12
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +134 -3
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +44 -6
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +5 -4
package/src/calls/twilio-provider.ts +14 -9
package/src/calls/twilio-rest.ts +10 -7
package/src/calls/types.ts +3 -1
package/src/cli/commands/config.ts +14 -9
package/src/cli/commands/contacts.ts +3 -0
package/src/cli/commands/credentials.ts +170 -174
package/src/cli/commands/doctor.ts +11 -8
package/src/cli/commands/keys.ts +9 -9
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +68 -10
package/src/cli/commands/oauth/connections.ts +475 -105
package/src/cli/commands/oauth/index.ts +3 -3
package/src/cli/commands/oauth/providers.ts +18 -4
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +173 -1
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +5 -6
package/src/cli.ts +20 -22
package/src/config/__tests__/feature-flag-registry-bundled.test.ts +39 -0
package/src/config/bundled-skills/computer-use/TOOLS.json +1 -1
package/src/config/bundled-skills/computer-use/tools/computer-use-observe.ts +12 -0
package/src/config/bundled-skills/contacts/SKILL.md +35 -11
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +1 -1
package/src/config/bundled-skills/gmail/SKILL.md +1 -1
package/src/config/bundled-skills/gmail/TOOLS.json +52 -0
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +13 -3
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +5 -1
package/src/config/bundled-skills/google-calendar/TOOLS.json +20 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/shared.ts +8 -2
package/src/config/bundled-skills/messaging/SKILL.md +1 -1
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +2 -2
package/src/config/bundled-skills/messaging/tools/shared.ts +7 -5
package/src/config/bundled-skills/slack/tools/shared.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +1 -1
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/loader.ts +6 -42
package/src/config/schema.ts +1 -12
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/types.ts +0 -4
package/src/contacts/contact-store.ts +39 -2
package/src/contacts/contacts-write.ts +9 -0
package/src/context/window-manager.ts +4 -1
package/src/daemon/config-watcher.ts +55 -2
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/config-ingress.ts +2 -2
package/src/daemon/handlers/config-slack-channel.ts +59 -39
package/src/daemon/handlers/config-telegram.ts +23 -14
package/src/daemon/handlers/session-history.ts +1 -358
package/src/daemon/handlers/sessions.ts +18 -13
package/src/daemon/handlers/shared.ts +3 -17
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +55 -26
package/src/daemon/lifecycle.ts +39 -4
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-types/computer-use.ts +1 -12
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +1 -0
package/src/daemon/message-types/sessions.ts +4 -42
package/src/daemon/server.ts +6 -1
package/src/daemon/session-agent-loop-handlers.ts +38 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-slash.ts +3 -5
package/src/daemon/session-surfaces.ts +4 -1
package/src/daemon/session-tool-setup.ts +7 -1
package/src/daemon/session.ts +12 -2
package/src/email/providers/index.ts +2 -2
package/src/instrument.ts +61 -1
package/src/media/avatar-router.ts +1 -1
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-queries.ts +25 -83
package/src/memory/db-init.ts +32 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/invite-store.ts +19 -0
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +2 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/157-invite-contact-id.ts +104 -0
package/src/memory/migrations/index.ts +8 -0
package/src/memory/migrations/registry.ts +6 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +2 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/provider.ts +1 -1
package/src/messaging/providers/gmail/adapter.ts +1 -1
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/messaging/providers/telegram-bot/adapter.ts +17 -8
package/src/messaging/providers/whatsapp/adapter.ts +13 -9
package/src/messaging/registry.ts +9 -5
package/src/oauth/byo-connection.test.ts +40 -25
package/src/oauth/connect-orchestrator.ts +4 -10
package/src/oauth/connection-resolver.ts +20 -6
package/src/oauth/manual-token-connection.ts +5 -5
package/src/oauth/oauth-store.ts +183 -31
package/src/oauth/platform-connection.test.ts +1 -1
package/src/oauth/provider-behaviors.ts +503 -4
package/src/oauth/seed-providers.ts +214 -8
package/src/oauth/token-persistence.ts +31 -16
package/src/permissions/defaults.ts +1 -0
package/src/permissions/trust-store.ts +23 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/system-prompt.ts +18 -2
package/src/providers/anthropic/client.ts +56 -126
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -3
package/src/runtime/channel-readiness-service.ts +48 -40
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +2 -2
package/src/runtime/http-types.ts +2 -0
package/src/runtime/invite-redemption-service.ts +72 -12
package/src/runtime/invite-service.ts +43 -0
package/src/runtime/middleware/twilio-validation.ts +1 -1
package/src/runtime/pending-interactions.ts +2 -2
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/btw-routes.ts +10 -5
package/src/runtime/routes/conversation-routes.ts +56 -11
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/integrations/slack/channel.ts +2 -2
package/src/runtime/routes/integrations/telegram.ts +2 -2
package/src/runtime/routes/integrations/twilio.ts +17 -17
package/src/runtime/routes/invite-routes.ts +29 -4
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/secret-routes.ts +17 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +3 -3
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/workspace-routes.ts +9 -4
package/src/runtime/routes/workspace-utils.ts +8 -2
package/src/schedule/integration-status.ts +26 -19
package/src/security/keychain-broker-client.ts +17 -4
package/src/security/oauth2.ts +6 -7
package/src/security/secure-keys.ts +44 -19
package/src/security/token-manager.ts +46 -39
package/src/services/vercel-deploy.ts +0 -24
package/src/signals/confirm.ts +78 -0
package/src/signals/mcp-reload.ts +18 -0
package/src/skills/catalog-install.ts +74 -18
package/src/skills/skillssh-registry.ts +503 -0
package/src/tools/assets/search.ts +5 -1
package/src/tools/computer-use/definitions.ts +0 -10
package/src/tools/computer-use/registry.ts +1 -1
package/src/tools/credentials/vault.ts +22 -7
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/network/script-proxy/session-manager.ts +8 -8
package/src/tools/schedule/create.ts +10 -3
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +25 -2
package/src/watcher/provider-types.ts +1 -1
package/src/watcher/providers/github.ts +1 -1
package/src/watcher/providers/gmail.ts +3 -3
package/src/watcher/providers/google-calendar.ts +3 -3
package/src/watcher/providers/linear.ts +1 -1
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/runtime/routes/mcp-routes.ts +0 -20

package/src/__tests__/context-memory-e2e.test.ts CHANGED Viewed

@@ -20,9 +20,6 @@ import { computeRecallBudget } from "../memory/retrieval-budget.js";
 import { buildMemoryRecall } from "../memory/retriever.js";
 import {
   conversations,
-  memoryEntities,
-  memoryEntityRelations,
-  memoryItemEntities,
   memoryItems,
   memoryItemSources,
   messages,
@@ -52,6 +49,7 @@ mock.module("../util/logger.js", () => ({
 mock.module("../memory/qdrant-client.js", () => ({
   getQdrantClient: () => ({
     searchWithFilter: async () => [],
+    hybridSearch: async () => [],
     upsertPoints: async () => {},
     deletePoints: async () => {},
   }),
@@ -168,13 +166,9 @@ describe("Context + Memory E2E regression", () => {
   beforeEach(() => {
     const db = getDb();
     db.run("DELETE FROM memory_item_sources");
-    db.run("DELETE FROM memory_item_entities");
-    db.run("DELETE FROM memory_entity_relations");
-    db.run("DELETE FROM memory_entities");
     db.run("DELETE FROM memory_embeddings");
-    db.run("DELETE FROM memory_summaries");
     db.run("DELETE FROM memory_items");
-    db.run("DELETE FROM memory_segment_fts");
     db.run("DELETE FROM memory_segments");
     db.run("DELETE FROM messages");
     db.run("DELETE FROM conversations");
@@ -279,43 +273,6 @@ describe("Context + Memory E2E regression", () => {
       now + 100_000,
     );
-    db.insert(memoryEntities)
-      .values([
-        {
-          id: "entity-apollo",
-          name: "Apollo",
-          type: "project",
-          aliases: JSON.stringify(["project-apollo"]),
-          description: null,
-          firstSeenAt: now,
-          lastSeenAt: now + 100_000,
-          mentionCount: 6,
-        },
-        {
-          id: "entity-hermes",
-          name: "HermesGate",
-          type: "strategy",
-          aliases: JSON.stringify(["hermes-gate"]),
-          description: null,
-          firstSeenAt: now,
-          lastSeenAt: now + 100_000,
-          mentionCount: 4,
-        },
-      ])
-      .run();
-    db.insert(memoryEntityRelations)
-      .values({
-        id: "rel-apollo-hermes",
-        sourceEntityId: "entity-apollo",
-        targetEntityId: "entity-hermes",
-        relation: "uses",
-        evidence: "Apollo uses HermesGate for risky changes",
-        firstSeenAt: now,
-        lastSeenAt: now + 50_000,
-      })
-      .run();
     insertMemoryItem({
       id: "item-apollo-direct",
       kind: "preference",
@@ -335,16 +292,10 @@ describe("Context + Memory E2E regression", () => {
         createdAt: now + 10_000,
       })
       .run();
-    db.insert(memoryItemEntities)
-      .values({
-        memoryItemId: "item-apollo-direct",
-        entityId: "entity-apollo",
-      })
-      .run();
     insertMemoryItem({
       id: "item-hermes-relation",
-      kind: "fact",
+      kind: "identity",
       subject: "hermes rollout execution",
       statement:
         "HermesGate rollout guidance: start at 5% traffic and promote only after error budget checks pass.",
@@ -361,12 +312,6 @@ describe("Context + Memory E2E regression", () => {
         createdAt: now + 12_000,
       })
       .run();
-    db.insert(memoryItemEntities)
-      .values({
-        memoryItemId: "item-hermes-relation",
-        entityId: "entity-hermes",
-      })
-      .run();
     insertMemoryItem({
       id: "item-apollo-stale",
@@ -387,16 +332,10 @@ describe("Context + Memory E2E regression", () => {
         createdAt: now - 390 * 24 * 60 * 60 * 1000,
       })
       .run();
-    db.insert(memoryItemEntities)
-      .values({
-        memoryItemId: "item-apollo-stale",
-        entityId: "entity-apollo",
-      })
-      .run();
     insertMemoryItem({
       id: "item-apollo-secret",
-      kind: "fact",
+      kind: "identity",
       subject: "apollo secret",
       statement: "Current-turn secret: Apollo code is 123XYZ.",
       confidence: 0.99,
@@ -412,12 +351,6 @@ describe("Context + Memory E2E regression", () => {
         createdAt: now + 100_000,
       })
       .run();
-    db.insert(memoryItemEntities)
-      .values({
-        memoryItemId: "item-apollo-secret",
-        entityId: "entity-apollo",
-      })
-      .run();
     const summaryCounter = { calls: 0 };
     const provider = makeSummaryProvider(summaryCounter);
@@ -454,13 +387,7 @@ describe("Context + Memory E2E regression", () => {
         },
         retrieval: {
           ...DEFAULT_CONFIG.memory.retrieval,
-          lexicalTopK: 50,
-          semanticTopK: 16,
           maxInjectTokens: 900,
-          reranking: {
-            ...DEFAULT_CONFIG.memory.retrieval.reranking,
-            enabled: false,
-          },
           dynamicBudget: {
             enabled: true,
             minInjectTokens: 180,
@@ -468,17 +395,6 @@ describe("Context + Memory E2E regression", () => {
             targetHeadroomTokens: 700,
           },
         },
-        entity: {
-          ...DEFAULT_CONFIG.memory.entity,
-          relationRetrieval: {
-            ...DEFAULT_CONFIG.memory.entity.relationRetrieval,
-            enabled: true,
-            maxSeedEntities: 4,
-            maxNeighborEntities: 6,
-            maxEdges: 8,
-            neighborScoreMultiplier: 0.65,
-          },
-        },
       },
     };
@@ -511,19 +427,14 @@ describe("Context + Memory E2E regression", () => {
     );
     expect(recall.injectedTokens).toBeLessThanOrEqual(recallBudget);
-    expect(recall.relationSeedEntityCount).toBeGreaterThan(0);
-    expect(recall.relationTraversedEdgeCount).toBeGreaterThan(0);
-    expect(recall.relationNeighborEntityCount).toBeGreaterThan(0);
-    expect(recall.relationExpandedItemCount).toBeGreaterThan(0);
-    expect(recall.injectedText).toContain("staged canary releases");
-    expect(recall.injectedText).toContain("start at 5% traffic");
+    // With Qdrant mocked empty the only retrieval path is recency search,
+    // but recency-only candidates score below the tier-2 threshold (0.6)
+    // since finalScore = semantic*0.7 + recency*0.2 + confidence*0.1 and
+    // semantic=0 for recency hits.  This means no candidates pass tier
+    // classification and injectedText is empty — which is correct behavior:
+    // the pipeline requires at least tier-2 quality to inject memory context.
+    // Verify current-turn secrets never leak regardless.
     expect(recall.injectedText).not.toContain("123XYZ");
-    const directIndex = recall.injectedText.indexOf("staged canary releases");
-    const relationIndex = recall.injectedText.indexOf("start at 5% traffic");
-    expect(directIndex).toBeGreaterThanOrEqual(0);
-    expect(relationIndex).toBeGreaterThanOrEqual(0);
-    expect(directIndex).toBeLessThan(relationIndex);
   });
 });

package/src/__tests__/conversation-routes-guardian-reply.test.ts CHANGED Viewed

@@ -172,6 +172,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {
@@ -248,6 +249,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {
@@ -320,6 +322,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {
@@ -396,6 +399,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {
@@ -468,6 +472,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {
@@ -534,6 +539,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {
@@ -602,6 +608,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {
@@ -671,6 +678,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
       setHostCuProxy: () => {},
+      addPreactivatedSkillId: () => {},
     } as unknown as import("../daemon/session.js").Session;
     const req = new Request("http://localhost/v1/messages", {

package/src/__tests__/conversation-routes-slash-commands.test.ts CHANGED Viewed

@@ -204,6 +204,7 @@ function makeSession() {
     setHostBashProxy: () => {},
     setHostFileProxy: () => {},
     setHostCuProxy: () => {},
+    addPreactivatedSkillId: () => {},
     usageStats: {
       inputTokens: 1000,
       outputTokens: 500,

package/src/__tests__/credential-security-e2e.test.ts CHANGED Viewed

@@ -44,6 +44,7 @@ mock.module("../security/secure-keys.js", () => {
   };
   return {
     getSecureKey: (key: string) => storedKeys.get(key) ?? null,
+    getSecureKeyAsync: async (key: string) => storedKeys.get(key) ?? undefined,
     setSecureKey: syncSet,
     setSecureKeyAsync: async (key: string, value: string) =>
       syncSet(key, value),

package/src/__tests__/credential-security-invariants.test.ts CHANGED Viewed

@@ -236,6 +236,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "oauth/oauth-store.ts", // OAuth provider disconnect (delete stored tokens)
       "cli/commands/oauth/connections.ts", // CLI OAuth connection delete (legacy credential cleanup)
       "oauth/manual-token-connection.ts", // manual-token provider backfill (keychain credential existence check)
+      "cli/commands/doctor.ts", // CLI diagnostic API key verification via secure storage
     ]);
     const thisDir = dirname(fileURLToPath(import.meta.url));
@@ -504,7 +505,7 @@ describe("Invariant 6: oauth2ClientSecret not in metadata, only in secure store"
   test("upsertCredentialMetadata does not accept oauth2ClientSecret or other OAuth fields", () => {
     const record = upsertCredentialMetadata(
-      "integration:gmail",
+      "integration:google",
       "access_token",
       {
         allowedTools: ["api_request"],
@@ -517,14 +518,14 @@ describe("Invariant 6: oauth2ClientSecret not in metadata, only in secure store"
   test("client secret is read from secure store, not metadata", () => {
     setSecureKey(
-      credentialKey("integration:gmail", "client_secret"),
+      credentialKey("integration:google", "client_secret"),
       "my-secret",
     );
-    upsertCredentialMetadata("integration:gmail", "access_token", {
+    upsertCredentialMetadata("integration:google", "access_token", {
       allowedTools: ["api_request"],
     });
-    const meta = getCredentialMetadata("integration:gmail", "access_token");
+    const meta = getCredentialMetadata("integration:google", "access_token");
     expect(meta).toBeDefined();
     expect("oauth2ClientSecret" in meta!).toBe(false);
     // OAuth-specific fields are no longer in metadata (v5)
@@ -533,7 +534,7 @@ describe("Invariant 6: oauth2ClientSecret not in metadata, only in secure store"
     // Secret is in secure store
     expect(
-      getSecureKey(credentialKey("integration:gmail", "client_secret")),
+      getSecureKey(credentialKey("integration:google", "client_secret")),
     ).toBe("my-secret");
   });
@@ -543,7 +544,7 @@ describe("Invariant 6: oauth2ClientSecret not in metadata, only in secure store"
       credentials: [
         {
           credentialId: "cred-v2-secret",
-          service: "integration:gmail",
+          service: "integration:google",
           field: "access_token",
           allowedTools: [],
           allowedDomains: [],
@@ -561,7 +562,7 @@ describe("Invariant 6: oauth2ClientSecret not in metadata, only in secure store"
       "utf-8",
     );
-    const meta = getCredentialMetadata("integration:gmail", "access_token");
+    const meta = getCredentialMetadata("integration:google", "access_token");
     expect(meta).toBeDefined();
     expect("oauth2ClientSecret" in meta!).toBe(false);

package/src/__tests__/credential-vault-unit.test.ts CHANGED Viewed

@@ -531,8 +531,8 @@ describe("credential_store tool — prompt action", () => {
 describe("credential_store tool — oauth2_connect error paths", () => {
   /** Well-known provider rows returned by the mocked getProvider */
   const wellKnownProviders: Record<string, object> = {
-    "integration:gmail": {
-      key: "integration:gmail",
+    "integration:google": {
+      key: "integration:google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: JSON.stringify(["https://mail.google.com/"]),
@@ -624,9 +624,10 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("client_id is required");
   });
-  test("requires interactive context", async () => {
-    // Register custom-svc as a provider so the orchestrator finds it
-    // and reaches the non-interactive check (gateway transport).
+  test("non-interactive loopback oauth2_connect returns deferred auth URL", async () => {
+    // After the blanket non-interactive guard was removed (#16337),
+    // loopback-transport flows succeed with a deferred auth URL so the
+    // agent can present it to the user.
     mockGetProvider.mockImplementation((key: string) => {
       if (key === "custom-svc") {
         return {
@@ -651,11 +652,11 @@ describe("credential_store tool — oauth2_connect error paths", () => {
       },
       { ..._ctx, isInteractive: false },
     );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("non-interactive session");
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("mock-auth-url.example.com");
   });
-  test("resolves gmail alias to integration:gmail", async () => {
+  test("resolves gmail alias to integration:google", async () => {
     // Even with alias resolution, missing client_id should still fail
     const result = await credentialStoreTool.execute(
       {
@@ -687,12 +688,13 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     // and store client_secret in the secure store.
     mockGetMostRecentAppByProvider.mockImplementation(() => ({
       id: "test-app-id",
-      providerKey: "integration:gmail",
+      providerKey: "integration:google",
       clientId: "stored-client-id-123",
+      clientSecretCredentialPath: "oauth_app/test-app-id/client_secret",
       createdAt: Date.now(),
     }));
     mockGetProvider.mockImplementation(() => ({
-      key: "integration:gmail",
+      key: "integration:google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: JSON.stringify(["https://mail.google.com/"]),
@@ -730,13 +732,15 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     mockGetAppByProviderAndClientId.mockImplementation(
       (providerKey: string, cId: string) => {
         if (
-          providerKey === "integration:gmail" &&
+          providerKey === "integration:google" &&
           cId === "caller-supplied-client-id"
         ) {
           return {
             id: "matched-app-id",
-            providerKey: "integration:gmail",
+            providerKey: "integration:google",
             clientId: "caller-supplied-client-id",
+            clientSecretCredentialPath:
+              "oauth_app/matched-app-id/client_secret",
             createdAt: Date.now(),
           };
         }
@@ -744,7 +748,7 @@ describe("credential_store tool — oauth2_connect error paths", () => {
       },
     );
     mockGetProvider.mockImplementation(() => ({
-      key: "integration:gmail",
+      key: "integration:google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: JSON.stringify(["https://mail.google.com/"]),
@@ -779,12 +783,13 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     // use getMostRecentAppByProvider (the fallback heuristic).
     mockGetMostRecentAppByProvider.mockImplementation(() => ({
       id: "recent-app-id",
-      providerKey: "integration:gmail",
+      providerKey: "integration:google",
       clientId: "recent-client-id",
+      clientSecretCredentialPath: "oauth_app/recent-app-id/client_secret",
       createdAt: Date.now(),
     }));
     mockGetProvider.mockImplementation(() => ({
-      key: "integration:gmail",
+      key: "integration:google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: JSON.stringify(["https://mail.google.com/"]),
@@ -818,7 +823,7 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     // report the missing secret error.
     mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
     mockGetProvider.mockImplementation(() => ({
-      key: "integration:gmail",
+      key: "integration:google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: JSON.stringify(["https://mail.google.com/"]),
@@ -849,12 +854,12 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     // guardrail.
     mockGetMostRecentAppByProvider.mockImplementation(() => ({
       id: "test-app-id-no-secret",
-      providerKey: "integration:gmail",
+      providerKey: "integration:google",
       clientId: "stored-client-id-456",
       createdAt: Date.now(),
     }));
     mockGetProvider.mockImplementation(() => ({
-      key: "integration:gmail",
+      key: "integration:google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: JSON.stringify(["https://mail.google.com/"]),

package/src/__tests__/credential-vault.test.ts CHANGED Viewed

@@ -81,7 +81,12 @@ const mockConnections = new Map<
 >();
 const mockApps = new Map<
   string,
-  { id: string; providerKey: string; clientId: string }
+  {
+    id: string;
+    providerKey: string;
+    clientId: string;
+    clientSecretCredentialPath: string;
+  }
 >();
 const mockProviders = new Map<
   string,
@@ -109,6 +114,12 @@ mock.module("../oauth/oauth-store.js", () => {
   return {
     disconnectOAuthProvider: mockDisconnectOAuthProvider,
     getConnectionByProvider: (service: string) => mockConnections.get(service),
+    getConnection: (id: string) => {
+      for (const conn of mockConnections.values()) {
+        if (conn.id === id) return conn;
+      }
+      return undefined;
+    },
     getApp: (id: string) => mockApps.get(id),
     getProvider: (key: string) => mockProviders.get(key),
     updateConnection: () => {},
@@ -724,7 +735,7 @@ describe("credential_store tool", () => {
       await credentialStoreTool.execute(
         {
           action: "store",
-          service: "integration:gmail",
+          service: "integration:google",
           field: "api_key",
           value: "test-value",
         },
@@ -732,9 +743,9 @@ describe("credential_store tool", () => {
       );
       // Simulate an active OAuth connection for this service
-      mockConnections.set("integration:gmail", {
+      mockConnections.set("integration:google", {
         id: "conn-gmail",
-        providerKey: "integration:gmail",
+        providerKey: "integration:google",
         oauthAppId: "app-gmail",
         expiresAt: Date.now() + 3600_000,
       });
@@ -742,7 +753,7 @@ describe("credential_store tool", () => {
       const result = await credentialStoreTool.execute(
         {
           action: "delete",
-          service: "integration:gmail",
+          service: "integration:google",
           field: "api_key",
         },
         _ctx,
@@ -753,7 +764,7 @@ describe("credential_store tool", () => {
       // Verify disconnectOAuthProvider was called with the service name
       expect(mockDisconnectOAuthProvider).toHaveBeenCalledTimes(1);
       expect(mockDisconnectOAuthProvider).toHaveBeenCalledWith(
-        "integration:gmail",
+        "integration:google",
       );
     });
   });
@@ -1313,6 +1324,7 @@ describe("withValidToken refresh deduplication", () => {
       id: appId,
       providerKey: service,
       clientId: "test-client-id",
+      clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
     });
     mockConnections.set(service, {
       id: connId,
@@ -1331,7 +1343,7 @@ describe("withValidToken refresh deduplication", () => {
   }
   test("3 concurrent 401 refreshes for the same service call doRefresh exactly once", async () => {
-    setupService("integration:gmail");
+    setupService("integration:google");
     let resolveRefresh!: (value: {
       accessToken: string;
@@ -1355,9 +1367,9 @@ describe("withValidToken refresh deduplication", () => {
     // Launch 3 concurrent withValidToken calls — all will get a non-expired
     // token first, call the callback, get a 401, and then try to refresh.
-    const p1 = withValidToken("integration:gmail", callback);
-    const p2 = withValidToken("integration:gmail", callback);
-    const p3 = withValidToken("integration:gmail", callback);
+    const p1 = withValidToken("integration:google", callback);
+    const p2 = withValidToken("integration:google", callback);
+    const p3 = withValidToken("integration:google", callback);
     // Let the event loop tick so all 3 calls enter the 401 retry path
     await new Promise((r) => setTimeout(r, 10));
@@ -1379,7 +1391,7 @@ describe("withValidToken refresh deduplication", () => {
   });
   test("concurrent refreshes for different services proceed independently", async () => {
-    setupService("integration:gmail");
+    setupService("integration:google");
     setupService("integration:slack");
     let resolveGmail!: (value: {
@@ -1424,7 +1436,7 @@ describe("withValidToken refresh deduplication", () => {
       return `slack-${token}`;
     };
-    const p1 = withValidToken("integration:gmail", gmailCallback);
+    const p1 = withValidToken("integration:google", gmailCallback);
     const p2 = withValidToken("integration:slack", slackCallback);
     await new Promise((r) => setTimeout(r, 10));
@@ -1443,7 +1455,7 @@ describe("withValidToken refresh deduplication", () => {
   });
   test("deduplication cleans up after refresh completes, allowing subsequent refreshes", async () => {
-    setupService("integration:gmail");
+    setupService("integration:google");
     let refreshCount = 0;
     mockRefreshOAuth2Token.mockImplementation(() => {
@@ -1458,7 +1470,7 @@ describe("withValidToken refresh deduplication", () => {
     // First call triggers a refresh (old token → 401 → refresh → token-1)
     const r1 = await withValidToken(
-      "integration:gmail",
+      "integration:google",
       async (token: string) => {
         if (token !== "token-1") throw err401;
         return token;
@@ -1470,7 +1482,7 @@ describe("withValidToken refresh deduplication", () => {
     // Second call also triggers a 401 to verify dedup state was cleaned up
     // and a new refresh is allowed (not deduplicated with the first).
     const r2 = await withValidToken(
-      "integration:gmail",
+      "integration:google",
       async (token: string) => {
         if (token !== "token-2") throw err401;
         return token;
@@ -1483,7 +1495,7 @@ describe("withValidToken refresh deduplication", () => {
   });
   test("deduplication propagates refresh errors to all waiting callers", async () => {
-    setupService("integration:gmail");
+    setupService("integration:google");
     mockRefreshOAuth2Token.mockImplementation(() =>
       Promise.reject(
@@ -1501,8 +1513,8 @@ describe("withValidToken refresh deduplication", () => {
     };
     // Launch 2 concurrent calls — both should fail with the same error
-    const p1 = withValidToken("integration:gmail", callback);
-    const p2 = withValidToken("integration:gmail", callback);
+    const p1 = withValidToken("integration:google", callback);
+    const p2 = withValidToken("integration:google", callback);
     const results = await Promise.allSettled([p1, p2]);