@vellumai/assistant 0.4.52 → 0.4.53

package/src/oauth/provider-behaviors.ts

@@ -73,6 +73,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:slack": {
     service: "integration:slack",
+    loopbackPort: 17322,
     injectionTemplates: [
       {
         hostPattern: "slack.com",
@@ -114,6 +115,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:notion": {
     service: "integration:notion",
+    loopbackPort: 17323,
     injectionTemplates: [
       {
         hostPattern: "api.notion.com",
@@ -225,6 +227,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:linear": {
     service: "integration:linear",
+    loopbackPort: 17324,
     injectionTemplates: [
       {
         hostPattern: "api.linear.app",
@@ -305,6 +308,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:todoist": {
     service: "integration:todoist",
+    loopbackPort: 17325,
     injectionTemplates: [
       {
         hostPattern: "api.todoist.com",
@@ -347,6 +351,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:discord": {
     service: "integration:discord",
+    loopbackPort: 17326,
     injectionTemplates: [
       {
         hostPattern: "discord.com",
@@ -385,6 +390,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:dropbox": {
     service: "integration:dropbox",
+    loopbackPort: 17327,
     injectionTemplates: [
       {
         hostPattern: "api.dropboxapi.com",
@@ -433,6 +439,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:asana": {
     service: "integration:asana",
+    loopbackPort: 17328,
     injectionTemplates: [
       {
         hostPattern: "app.asana.com",
@@ -470,6 +477,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:airtable": {
     service: "integration:airtable",
+    loopbackPort: 17329,
     injectionTemplates: [
       {
         hostPattern: "api.airtable.com",
@@ -505,6 +513,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:hubspot": {
     service: "integration:hubspot",
+    loopbackPort: 17330,
     injectionTemplates: [
       {
         hostPattern: "api.hubapi.com",
@@ -543,6 +552,7 @@ export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
 
   "integration:figma": {
     service: "integration:figma",
+    loopbackPort: 17331,
     injectionTemplates: [
       {
         hostPattern: "api.figma.com",

package/src/oauth/seed-providers.ts

@@ -5,8 +5,8 @@ import { seedProviders } from "./oauth-store.js";
  *
  * These values are upserted into the `oauth_providers` SQLite table on
  * every startup. Only Vellum implementation fields (authUrl, tokenUrl,
- * tokenEndpointAuthMethod, extraParams, callbackTransport, loopbackPort,
- * pingUrl) are overwritten on subsequent startups — user-customizable
+ * tokenEndpointAuthMethod, extraParams, callbackTransport, pingUrl) are
+ * overwritten on subsequent startups — user-customizable
  * fields (defaultScopes, scopePolicy, userinfoUrl, baseUrl) are only
  * written on initial insert and preserved across restarts.
  *
@@ -32,7 +32,6 @@ const PROVIDER_SEED_DATA: Record<
     };
     extraParams?: Record<string, string>;
     callbackTransport?: string;
-    loopbackPort?: number;
   }
 > = {
   "integration:google": {
@@ -94,7 +93,7 @@ const PROVIDER_SEED_DATA: Record<
         "channels:read,channels:history,groups:read,groups:history,im:read,im:history,im:write,mpim:read,mpim:history,users:read,chat:write,search:read,reactions:write",
     },
     callbackTransport: "loopback",
-    loopbackPort: 17322,
+
   },
 
   "integration:notion": {
@@ -111,7 +110,8 @@ const PROVIDER_SEED_DATA: Record<
     },
     extraParams: { owner: "user" },
     tokenEndpointAuthMethod: "client_secret_basic",
-    callbackTransport: "gateway",
+    callbackTransport: "loopback",
+
   },
 
   "integration:twitter": {
@@ -169,6 +169,7 @@ const PROVIDER_SEED_DATA: Record<
     },
     extraParams: { prompt: "consent" },
     callbackTransport: "loopback",
+
   },
 
   "integration:spotify": {
@@ -209,6 +210,7 @@ const PROVIDER_SEED_DATA: Record<
       forbiddenScopes: ["data:delete"],
     },
     callbackTransport: "loopback",
+
   },
 
   "integration:discord": {
@@ -229,6 +231,7 @@ const PROVIDER_SEED_DATA: Record<
       forbiddenScopes: [],
     },
     callbackTransport: "loopback",
+
   },
 
   "integration:dropbox": {
@@ -250,6 +253,7 @@ const PROVIDER_SEED_DATA: Record<
     },
     extraParams: { token_access_type: "offline" },
     callbackTransport: "loopback",
+
   },
 
   "integration:asana": {
@@ -265,6 +269,7 @@ const PROVIDER_SEED_DATA: Record<
       forbiddenScopes: [],
     },
     callbackTransport: "loopback",
+
   },
 
   "integration:airtable": {
@@ -285,6 +290,7 @@ const PROVIDER_SEED_DATA: Record<
     },
     tokenEndpointAuthMethod: "client_secret_post",
     callbackTransport: "loopback",
+
   },
 
   "integration:hubspot": {
@@ -309,6 +315,7 @@ const PROVIDER_SEED_DATA: Record<
       forbiddenScopes: [],
     },
     callbackTransport: "loopback",
+
   },
 
   "integration:figma": {
@@ -324,6 +331,7 @@ const PROVIDER_SEED_DATA: Record<
       forbiddenScopes: [],
     },
     callbackTransport: "loopback",
+
   },
 
   // Manual-token providers: these don't use OAuth2 flows but need provider

package/src/permissions/checker.ts

@@ -143,7 +143,6 @@ const LOW_RISK_PROGRAMS = new Set([
   "tree",
   "du",
   "df",
-  "assistant",
 ]);
 
 // High-risk shell programs / patterns
@@ -197,6 +196,15 @@ const LOW_RISK_GIT_SUBCOMMANDS = new Set([
   "reflog",
 ]);
 
+// Vellum/assistant CLI subcommands that are low-risk (read-only)
+const LOW_RISK_CLI_SUBCOMMANDS = new Set([
+  "ps",
+  "doctor",
+  "audit",
+  "completions",
+  "map",
+]);
+
 // Commands that wrap another program — the real program appears as the first
 // non-flag argument.  When one of these is the segment program we look through
 // its args to find the effective program (e.g. `env curl …` → curl).
@@ -649,6 +657,17 @@ async function classifyRiskUncached(
         continue;
       }
 
+      if (prog === "vellum" || prog === "assistant") {
+        const subcommand = seg.args[0];
+        if (subcommand && LOW_RISK_CLI_SUBCOMMANDS.has(subcommand)) {
+          // Read-only subcommands stay at current risk
+          continue;
+        }
+        // Mutating subcommands are medium
+        maxRisk = RiskLevel.Medium;
+        continue;
+      }
+
       if (!LOW_RISK_PROGRAMS.has(prog)) {
         // Unknown program → medium
         if (maxRisk === RiskLevel.Low) {

package/src/prompts/__tests__/build-cli-reference-section.test.ts

@@ -29,7 +29,7 @@ describe("buildCliReferenceSection", () => {
 
   test("mentions bash as the way to invoke the CLI", () => {
     const result = buildCliReferenceSection();
-    expect(result).toContain("available via `bash`");
+    expect(result).toContain("use the `bash` tool");
   });
 
   test("routes account and auth work through documented assistant CLI commands", () => {

package/src/prompts/system-prompt.ts

@@ -309,7 +309,7 @@ export function buildStarterTaskPlaybookSection(): string {
     '3. Let the user pick one. Accept color names, hex values, or descriptions (e.g. "something warm").',
     '4. Confirm the selection: "I\'ll set your accent color to **{label}** ({hex}). Sound good?"',
     "5. On confirmation:",
-    '   - Use `app_file_edit` to update the `## Dashboard Color Preference` section in USER.md with `label`, `hex`, `source: "user_selected"`, and `applied: true`.',
+    '   - Use `app_file_edit` to update the `## Color Preference` section in USER.md with `label`, `hex`, and `source: "user_selected"`.',
     "   - Use `app_file_edit` to update the `## Onboarding Tasks` section: set `make_it_yours` to `done`.",
     "6. If the user declines or wants to skip, set `make_it_yours` to `skipped` in USER.md and move on.",
     "",
@@ -511,17 +511,8 @@ export function buildChannelAwarenessSection(): string {
     "- When the user asks about voice input or push-to-talk settings, use the tool to apply changes directly rather than directing them to settings.",
     "- When `microphone_permission_granted` is `false`, guide the user to grant microphone access in System Settings before using voice features.",
     "",
-    "### Group chat etiquette",
-    "- In group chats, you are a **participant**, not the user's proxy. Think before you speak.",
-    "- **Respond when:** directly mentioned, you can add genuine value, something witty fits naturally, or correcting important misinformation.",
-    '- **Stay silent when:** it\'s casual banter between humans, someone already answered, your response would just be "yeah" or "nice", or the conversation flows fine without you.',
-    "- **The human rule:** humans don't respond to every message in a group chat. Neither should you. Quality over quantity.",
-    "- On platforms with reactions (Discord, Slack), use emoji reactions naturally to acknowledge without cluttering.",
-    "",
     "### Platform formatting",
-    "- **Discord/WhatsApp:** Do not use markdown tables — use bullet lists instead.",
-    "- **Discord links:** Wrap multiple links in `<>` to suppress embeds.",
-    "- **WhatsApp:** No markdown headers — use **bold** or CAPS for emphasis.",
+    "- **WhatsApp:** Do not use markdown tables — use bullet lists instead. No markdown headers — use **bold** or CAPS for emphasis.",
   ].join("\n");
 }
 

package/src/prompts/templates/BOOTSTRAP.md

@@ -66,10 +66,8 @@ Do NOT delete this file until ALL of the following are true:
 
 - You have a name (given by user or self-chosen)
 - You've figured out your vibe and adopted it
-- 2 suggestions shown (via `ui_show` or as text if UI unavailable)
-- The user selected one, deferred both, or typed an alternate direction
 
-Once every condition is met, delete this file. You're done here.
+Once every condition is met, delete this file. You're done here. If you still haven't shown the 2 suggestions from step 6, do that in the same turn before or after deleting.
 
 ---
 

package/src/providers/anthropic/client.ts

@@ -107,7 +107,6 @@ function buildSyntheticToolResult(
   };
 }
 
-
 /**
  * Collect ordered IDs of client-side tool_use blocks only.
  * Server-side tools (server_tool_use / web_search_tool_result) are self-paired
@@ -228,7 +227,10 @@ function normalizeFollowingUserContent(
     toolResultPrefix: orderedResults,
     remainingContent: remaining,
     missingIds,
-    hadOrderedPrefix: hasOrderedToolResultPrefix(nextContent, orderedToolUseIds),
+    hadOrderedPrefix: hasOrderedToolResultPrefix(
+      nextContent,
+      orderedToolUseIds,
+    ),
   };
 }
 
@@ -712,20 +714,26 @@ export class AnthropicProvider implements Provider {
               type: "server_tool_start",
               name: event.content_block.name,
               toolUseId: event.content_block.id,
-              input: (
-                event.content_block as { input?: Record<string, unknown> }
-              ).input ?? {},
+              input:
+                (event.content_block as { input?: Record<string, unknown> })
+                  .input ?? {},
             });
           }
           if (
             event.type === "content_block_start" &&
             event.content_block.type === "web_search_tool_result"
           ) {
+            const block = event.content_block as {
+              tool_use_id: string;
+              content?: { type: "web_search_tool_result_error" } | unknown[];
+            };
+            const isError =
+              !Array.isArray(block.content) &&
+              block.content?.type === "web_search_tool_result_error";
             onEvent?.({
               type: "server_tool_complete",
-              toolUseId: (
-                event.content_block as { tool_use_id: string }
-              ).tool_use_id,
+              toolUseId: block.tool_use_id,
+              isError: !!isError,
             });
           }
           if (event.type === "content_block_stop") {

package/src/providers/managed-proxy/constants.ts

@@ -29,7 +29,7 @@ export const MANAGED_PROVIDER_META: Record<string, ManagedProviderMeta> = {
   anthropic: {
     name: "anthropic",
     managed: true,
-    proxyPath: "/v1/runtime-proxy/vertex",
+    proxyPath: "/v1/runtime-proxy/anthropic",
   },
   gemini: {
     name: "gemini",

package/src/providers/registry.ts

@@ -1,4 +1,5 @@
 import { wrapWithLogfire } from "../logfire.js";
+import { getSecureKey } from "../security/secure-keys.js";
 import { ConfigError, ProviderNotConfiguredError } from "../util/errors.js";
 import { AnthropicProvider } from "./anthropic/client.js";
 import { FailoverProvider, type ProviderHealthStatus } from "./failover.js";
@@ -135,7 +136,6 @@ export function getDefaultModel(providerName: string): string {
 }
 
 export interface ProvidersConfig {
-  apiKeys: Record<string, string>;
   provider: string;
   model: string;
   webSearchProvider?: string;
@@ -211,13 +211,14 @@ export function initializeProviders(config: ProvidersConfig): void {
   const streamTimeoutMs =
     (config.timeouts?.providerStreamTimeoutSec ?? 300) * 1000;
 
-  if (config.apiKeys.anthropic) {
+  const anthropicKey = getSecureKey("anthropic");
+  if (anthropicKey) {
     const model = resolveModel(config, "anthropic");
     registerProvider(
       "anthropic",
       new RetryProvider(
         wrapWithLogfire(
-          new AnthropicProvider(config.apiKeys.anthropic, model, {
+          new AnthropicProvider(anthropicKey, model, {
             useNativeWebSearch: config.webSearchProvider === "anthropic-native",
             streamTimeoutMs,
           }),
@@ -226,8 +227,8 @@ export function initializeProviders(config: ProvidersConfig): void {
     );
     routingSources.set("anthropic", "user-key");
   } else {
-    // No user Anthropic key — route through Vertex managed proxy
-    const managedBaseUrl = buildManagedBaseUrl("vertex");
+    // No user Anthropic key — route through managed proxy
+    const managedBaseUrl = buildManagedBaseUrl("anthropic");
     if (managedBaseUrl) {
       const ctx = resolveManagedProxyContext();
       const model = resolveModel(config, "anthropic");
@@ -247,13 +248,14 @@ export function initializeProviders(config: ProvidersConfig): void {
       routingSources.set("anthropic", "managed-proxy");
     }
   }
-  if (config.apiKeys.openai) {
+  const openaiKey = getSecureKey("openai");
+  if (openaiKey) {
     const model = resolveModel(config, "openai");
     registerProvider(
       "openai",
       new RetryProvider(
         wrapWithLogfire(
-          new OpenAIProvider(config.apiKeys.openai, model, { streamTimeoutMs }),
+          new OpenAIProvider(openaiKey, model, { streamTimeoutMs }),
         ),
       ),
     );
@@ -277,13 +279,14 @@ export function initializeProviders(config: ProvidersConfig): void {
       routingSources.set("openai", "managed-proxy");
     }
   }
-  if (config.apiKeys.gemini) {
+  const geminiKey = getSecureKey("gemini");
+  if (geminiKey) {
     const model = resolveModel(config, "gemini");
     registerProvider(
       "gemini",
       new RetryProvider(
         wrapWithLogfire(
-          new GeminiProvider(config.apiKeys.gemini, model, { streamTimeoutMs }),
+          new GeminiProvider(geminiKey, model, { streamTimeoutMs }),
         ),
       ),
     );
@@ -308,14 +311,15 @@ export function initializeProviders(config: ProvidersConfig): void {
       routingSources.set("gemini", "managed-proxy");
     }
   }
-  if (config.provider === "ollama" || config.apiKeys.ollama) {
+  const ollamaKey = getSecureKey("ollama");
+  if (config.provider === "ollama" || ollamaKey) {
     const model = resolveModel(config, "ollama");
     registerProvider(
       "ollama",
       new RetryProvider(
         wrapWithLogfire(
           new OllamaProvider(model, {
-            apiKey: config.apiKeys.ollama,
+            apiKey: ollamaKey ?? undefined,
             streamTimeoutMs,
           }),
         ),
@@ -323,13 +327,14 @@ export function initializeProviders(config: ProvidersConfig): void {
     );
     routingSources.set("ollama", "user-key");
   }
-  if (config.apiKeys.fireworks) {
+  const fireworksKey = getSecureKey("fireworks");
+  if (fireworksKey) {
     const model = resolveModel(config, "fireworks");
     registerProvider(
       "fireworks",
       new RetryProvider(
         wrapWithLogfire(
-          new FireworksProvider(config.apiKeys.fireworks, model, {
+          new FireworksProvider(fireworksKey, model, {
             streamTimeoutMs,
           }),
         ),
@@ -355,13 +360,14 @@ export function initializeProviders(config: ProvidersConfig): void {
       routingSources.set("fireworks", "managed-proxy");
     }
   }
-  if (config.apiKeys.openrouter) {
+  const openrouterKey = getSecureKey("openrouter");
+  if (openrouterKey) {
     const model = resolveModel(config, "openrouter");
     registerProvider(
       "openrouter",
       new RetryProvider(
         wrapWithLogfire(
-          new OpenRouterProvider(config.apiKeys.openrouter, model, {
+          new OpenRouterProvider(openrouterKey, model, {
             streamTimeoutMs,
           }),
         ),

package/src/providers/types.ts

@@ -123,7 +123,7 @@ export type ProviderEvent =
       toolUseId: string;
       input: Record<string, unknown>;
     }
-  | { type: "server_tool_complete"; toolUseId: string };
+  | { type: "server_tool_complete"; toolUseId: string; isError: boolean };
 
 export interface SendMessageConfig {
   model?: string;

package/src/runtime/auth/route-policy.ts

@@ -413,6 +413,10 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // OAuth / integrations
   { endpoint: "integrations/oauth/start", scopes: ["settings.write"] },
 
+  // Ingress config
+  { endpoint: "integrations/ingress/config:GET", scopes: ["settings.read"] },
+  { endpoint: "integrations/ingress/config", scopes: ["settings.write"] },
+
   // Workspace files
   { endpoint: "workspace-files", scopes: ["settings.read"] },
   { endpoint: "workspace-files/read", scopes: ["settings.read"] },

package/src/runtime/channel-invite-transports/telegram.ts

@@ -17,8 +17,11 @@ import {
   setNestedValue,
 } from "../../config/loader.js";
 import { credentialKey } from "../../security/credential-key.js";
-import { getSecureKey } from "../../security/secure-keys.js";
-import { getTelegramBotUsername } from "../../telegram/bot-username.js";
+import { getSecureKeyAsync } from "../../security/secure-keys.js";
+import {
+  getTelegramBotId,
+  getTelegramBotUsername,
+} from "../../telegram/bot-username.js";
 import { getLogger } from "../../util/logger.js";
 import type {
   ChannelInviteAdapter,
@@ -37,11 +40,11 @@ import type {
  * gap so that invite share links can be generated.
  */
 export async function ensureTelegramBotUsernameResolved(): Promise<void> {
-  if (getTelegramBotUsername()) {
-    return; // Username already cached in config
+  if (getTelegramBotUsername() && getTelegramBotId()) {
+    return; // Username and bot ID already cached in config
   }
 
-  const token = getSecureKey(credentialKey("telegram", "bot_token"));
+  const token = await getSecureKeyAsync(credentialKey("telegram", "bot_token"));
   if (!token) return;
 
   try {
@@ -64,7 +67,7 @@ export async function ensureTelegramBotUsernameResolved(): Promise<void> {
     }
     const body = (await res.json()) as {
       ok: boolean;
-      result?: { username?: string };
+      result?: { id?: number; username?: string };
     };
     const username = body.result?.username;
     if (!username) {
@@ -75,6 +78,9 @@ export async function ensureTelegramBotUsernameResolved(): Promise<void> {
     }
     // Write to config
     const raw = loadRawConfig();
+    if (body.result?.id != null) {
+      setNestedValue(raw, "telegram.botId", String(body.result.id));
+    }
     setNestedValue(raw, "telegram.botUsername", username);
     saveRawConfig(raw);
     invalidateConfigCache();

package/src/runtime/channel-retry-sweep.ts

@@ -170,6 +170,11 @@ export async function sweepFailedEvents(
       sourceMetadata.uxBrief.trim().length > 0
         ? sourceMetadata.uxBrief.trim()
         : undefined;
+    const metadataChatType =
+      typeof sourceMetadata?.chatType === "string" &&
+      sourceMetadata.chatType.trim().length > 0
+        ? sourceMetadata.chatType.trim()
+        : undefined;
 
     try {
       const { messageId: userMessageId } = await processMessage(
@@ -181,6 +186,7 @@ export async function sweepFailedEvents(
             channelId: sourceChannel,
             hints: metadataHints.length > 0 ? metadataHints : undefined,
             uxBrief: metadataUxBrief,
+            chatType: metadataChatType,
           },
           assistantId,
           trustContext,

package/src/runtime/http-types.ts

@@ -116,6 +116,7 @@ export interface RuntimeMessageSessionOptions {
     channelId: ChannelId;
     hints?: string[];
     uxBrief?: string;
+    chatType?: string;
   };
   assistantId?: string;
   trustContext?: TrustContext;

package/src/runtime/middleware/error-handler.ts

@@ -32,10 +32,9 @@ export async function withErrorHandling(
     }
     if (err instanceof ProviderNotConfiguredError) {
       log.warn({ err, endpoint }, "No LLM provider configured");
-      const envVar = `${err.requestedProvider.toUpperCase()}_API_KEY`;
       return httpError(
         "UNPROCESSABLE_ENTITY",
-        `No API key configured. Set ${envVar} in your environment or run \`vellum hatch\` to set up your assistant.`,
+        `No API key configured for ${err.requestedProvider}. Run \`keys set ${err.requestedProvider} <key>\` or configure it from the Settings page under API Keys.`,
         422,
       );
     }

package/src/runtime/routes/app-management-routes.ts

@@ -862,6 +862,7 @@ export function appManagementRouteDefinitions(): RouteDefinition[] {
         try {
           const result = await packageApp(params.id);
           return Response.json({
+            type: "bundle_app_response",
             bundlePath: result.bundlePath,
             iconImageBase64: result.iconImageBase64,
             manifest: result.manifest,

package/src/runtime/routes/btw-routes.ts

@@ -14,6 +14,7 @@ import {
   createTimeout,
   userMessage,
 } from "../../providers/provider-send-message.js";
+import { checkIngressForSecrets } from "../../security/secret-ingress.js";
 import { getLogger } from "../../util/logger.js";
 import type { AuthContext } from "../auth/types.js";
 import { httpError } from "../http-errors.js";
@@ -53,6 +54,24 @@ async function handleBtw(
     );
   }
 
+  const trimmedContent = content.trim();
+  const ingressCheck = checkIngressForSecrets(trimmedContent);
+  if (ingressCheck.blocked) {
+    log.warn(
+      { detectedTypes: ingressCheck.detectedTypes },
+      "Blocked /v1/btw message containing secrets",
+    );
+    return Response.json(
+      {
+        accepted: false,
+        error: "secret_blocked",
+        message: ingressCheck.userNotice,
+        detectedTypes: ingressCheck.detectedTypes,
+      },
+      { status: 422 },
+    );
+  }
+
   // Look up an existing conversation — never create one.  BTW is ephemeral
   // (the file header promises "No messages are persisted"), so we must not
   // call getOrCreateConversation which would insert a DB row.  When no
@@ -63,7 +82,7 @@ async function handleBtw(
   const sessionId = mapping?.conversationId ?? conversationKey;
   const session = await deps.sendMessageDeps.getOrCreateSession(sessionId);
 
-  const messages = [...session.getMessages(), userMessage(content.trim())];
+  const messages = [...session.getMessages(), userMessage(trimmedContent)];
   const tools = buildToolDefinitions();
   const { signal: timeoutSignal, cleanup: cleanupTimeout } =
     createTimeout(30_000);