@vellumai/assistant 0.4.52 → 0.4.53

package/src/signals/bash.ts

@@ -0,0 +1,157 @@
+/**
+ * Handle bash debug signals delivered via signal files from the CLI.
+ *
+ * Each invocation writes JSON to a unique `signals/bash.<requestId>` file.
+ * ConfigWatcher detects the new file and invokes {@link handleBashSignal},
+ * which reads the payload, spawns the command, and writes the result to
+ * `signals/bash.<requestId>.result` for the CLI to pick up.
+ *
+ * Per-request filenames avoid dropped commands when overlapping invocations
+ * race on the same signal file.
+ */
+
+import { spawn } from "node:child_process";
+import { readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "../util/logger.js";
+import { getWorkspaceDir } from "../util/platform.js";
+
+const log = getLogger("signal:bash");
+
+const DEFAULT_TIMEOUT_MS = 30_000;
+
+interface BashSignalPayload {
+  requestId: string;
+  command: string;
+  timeoutMs?: number;
+}
+
+interface BashSignalResult {
+  requestId: string;
+  stdout: string;
+  stderr: string;
+  exitCode: number | null;
+  timedOut: boolean;
+  error?: string;
+}
+
+function writeResult(requestId: string, result: BashSignalResult): void {
+  try {
+    writeFileSync(
+      join(getWorkspaceDir(), "signals", `bash.${requestId}.result`),
+      JSON.stringify(result),
+    );
+  } catch (err) {
+    log.error({ err, requestId }, "Failed to write bash signal result");
+  }
+}
+
+/**
+ * Read a `signals/bash.<requestId>` file, execute the command, and write
+ * the result to `signals/bash.<requestId>.result`. Called by ConfigWatcher
+ * when a matching signal file is created or modified.
+ */
+export function handleBashSignal(filename: string): void {
+  const signalPath = join(getWorkspaceDir(), "signals", filename);
+  let raw: string;
+  try {
+    raw = readFileSync(signalPath, "utf-8");
+  } catch {
+    // File may already be deleted (e.g. re-trigger from our own unlinkSync).
+    return;
+  }
+
+  let payload: BashSignalPayload;
+  try {
+    payload = JSON.parse(raw) as BashSignalPayload;
+  } catch (err) {
+    log.error({ err, filename }, "Failed to parse bash signal file");
+    return;
+  }
+
+  try {
+    unlinkSync(signalPath);
+  } catch {
+    // Best-effort cleanup; the file may already be gone.
+  }
+
+  const { requestId, command, timeoutMs } = payload;
+
+  if (!requestId || typeof requestId !== "string") {
+    log.warn("Bash signal missing requestId");
+    return;
+  }
+  if (!command || typeof command !== "string") {
+    log.warn({ requestId }, "Bash signal missing command");
+    return;
+  }
+
+  const effectiveTimeout =
+    typeof timeoutMs === "number" && timeoutMs > 0
+      ? timeoutMs
+      : DEFAULT_TIMEOUT_MS;
+
+  log.info({ requestId, command }, "Executing bash signal command");
+
+  const stdoutChunks: Buffer[] = [];
+  const stderrChunks: Buffer[] = [];
+  let timedOut = false;
+  let resultWritten = false;
+
+  const child = spawn("bash", ["-c", command], {
+    cwd: getWorkspaceDir(),
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+
+  const timer = setTimeout(() => {
+    timedOut = true;
+    child.kill("SIGKILL");
+  }, effectiveTimeout);
+
+  child.stdout.on("data", (data: Buffer) => {
+    stdoutChunks.push(data);
+  });
+
+  child.stderr.on("data", (data: Buffer) => {
+    stderrChunks.push(data);
+  });
+
+  child.on("close", (code) => {
+    clearTimeout(timer);
+    if (resultWritten) return;
+    resultWritten = true;
+
+    const stdout = Buffer.concat(stdoutChunks).toString();
+    const stderr = Buffer.concat(stderrChunks).toString();
+
+    log.info(
+      { requestId, exitCode: code, timedOut },
+      "Bash signal command completed",
+    );
+
+    writeResult(requestId, {
+      requestId,
+      stdout,
+      stderr,
+      exitCode: code,
+      timedOut,
+    });
+  });
+
+  child.on("error", (err) => {
+    clearTimeout(timer);
+    if (resultWritten) return;
+    resultWritten = true;
+
+    log.error({ err, requestId }, "Failed to spawn bash signal command");
+    writeResult(requestId, {
+      requestId,
+      stdout: "",
+      stderr: "",
+      exitCode: null,
+      timedOut: false,
+      error: err.message,
+    });
+  });
+}

package/src/skills/skillssh-registry.ts

@@ -228,7 +228,12 @@ async function findSkillDirInTree(
     headers,
     signal: AbortSignal.timeout(15_000),
   });
-  if (!response.ok) return null;
+  if (response.status === 404) return null;
+  if (!response.ok) {
+    throw new Error(
+      `GitHub API error while searching repo tree: HTTP ${response.status} ${response.statusText}`,
+    );
+  }
 
   const data = (await response.json()) as { tree: GitHubTreeEntry[] };
   const suffix = `${skillSlug}/SKILL.md`;

package/src/swarm/backend-claude-code.ts

@@ -5,9 +5,9 @@
  * is testable and swappable independently of the tool adapter.
  */
 
-import { getConfig } from "../config/loader.js";
 import { resolveModelIntent } from "../providers/model-intents.js";
 import type { ModelIntent } from "../providers/types.js";
+import { getSecureKeyAsync } from "../security/secure-keys.js";
 import { getLogger } from "../util/logger.js";
 import type {
   SwarmWorkerBackend,
@@ -28,9 +28,9 @@ export function createClaudeCodeBackend(): SwarmWorkerBackend {
   return {
     name: "claude_code",
 
-    isAvailable(): boolean {
-      const config = getConfig();
-      const apiKey = config.apiKeys.anthropic ?? process.env.ANTHROPIC_API_KEY;
+    async isAvailable(): Promise<boolean> {
+      const apiKey =
+        (await getSecureKeyAsync("anthropic")) ?? process.env.ANTHROPIC_API_KEY;
       return !!apiKey;
     },
 
@@ -39,9 +39,9 @@ export function createClaudeCodeBackend(): SwarmWorkerBackend {
       const stderrLines: string[] = [];
       try {
         const { query } = await import("@anthropic-ai/claude-agent-sdk");
-        const config = getConfig();
         const apiKey =
-          config.apiKeys.anthropic ?? process.env.ANTHROPIC_API_KEY;
+          (await getSecureKeyAsync("anthropic")) ??
+          process.env.ANTHROPIC_API_KEY;
         if (!apiKey) {
           return {
             success: false,

package/src/swarm/worker-backend.ts

@@ -125,7 +125,7 @@ export interface SwarmWorkerBackendInput {
 export interface SwarmWorkerBackend {
   readonly name: string;
   /** Check whether the backend is available (e.g. API key present). */
-  isAvailable(): boolean;
+  isAvailable(): boolean | Promise<boolean>;
   /** Run a task with the given input. */
   runTask(input: SwarmWorkerBackendInput): Promise<SwarmWorkerBackendResult>;
 }

package/src/swarm/worker-runner.ts

@@ -63,7 +63,7 @@ export async function runWorkerTask(
   emitStatus(onStatus, task.id, "queued");
 
   // Check backend availability
-  if (!backend.isAvailable()) {
+  if (!(await backend.isAvailable())) {
     emitStatus(onStatus, task.id, "failed");
     return {
       taskId: task.id,

package/src/telegram/bot-username.ts

@@ -1,5 +1,16 @@
 import { getConfig } from "../config/loader.js";
 
+/**
+ * Read the Telegram bot ID from config.
+ */
+export function getTelegramBotId(): string | undefined {
+  const value = getConfig().telegram.botId;
+  if (value.trim().length > 0) {
+    return value.trim();
+  }
+  return undefined;
+}
+
 /**
  * Read the Telegram bot username from config.
  */

package/src/tools/claude-code/claude-code.ts

@@ -2,9 +2,9 @@ import {
   getCCCommand,
   loadCCCommandTemplate,
 } from "../../commands/cc-command-registry.js";
-import { getConfig } from "../../config/loader.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
+import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import type { WorkerProfile } from "../../swarm/worker-backend.js";
 import { getProfilePolicy } from "../../swarm/worker-backend.js";
 import { getLogger } from "../../util/logger.js";
@@ -203,12 +203,12 @@ export const claudeCodeTool: Tool = {
     const profilePolicy = getProfilePolicy(profileName);
 
     // Validate API key
-    const config = getConfig();
-    const apiKey = config.apiKeys.anthropic ?? process.env.ANTHROPIC_API_KEY;
+    const apiKey =
+      (await getSecureKeyAsync("anthropic")) ?? process.env.ANTHROPIC_API_KEY;
     if (!apiKey) {
       return {
         content:
-          "Error: No Anthropic API key configured. Set it via config or ANTHROPIC_API_KEY environment variable.",
+          "Error: No Anthropic API key configured. Set it via `keys set anthropic <key>` or configure it from the Settings page under API Keys.",
         isError: true,
       };
     }

package/src/tools/credentials/broker.ts

@@ -1,7 +1,7 @@
 import { v4 as uuid } from "uuid";
 
 import { credentialKey } from "../../security/credential-key.js";
-import { getSecureKey } from "../../security/secure-keys.js";
+import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import { getLogger } from "../../util/logger.js";
 import type {
   AuthorizeRequest,
@@ -217,7 +217,7 @@ export class CredentialBroker {
     // Deletion is deferred until after a successful fill so the value survives
     // transient failures (e.g. stale element, page navigation, Playwright timeout).
     const transient = this.transientValues.get(storageKey);
-    const value = transient?.value ?? getSecureKey(storageKey);
+    const value = transient?.value ?? (await getSecureKeyAsync(storageKey));
     if (!value) {
       return {
         success: false,
@@ -302,7 +302,7 @@ export class CredentialBroker {
 
     const storageKey = credentialKey(request.service, request.field);
     const transient = this.transientValues.get(storageKey);
-    const value = transient?.value ?? getSecureKey(storageKey);
+    const value = transient?.value ?? (await getSecureKeyAsync(storageKey));
     if (!value) {
       return {
         success: false,
@@ -344,7 +344,9 @@ export class CredentialBroker {
    * never included in the result — the proxy reads it separately via
    * the secure key backend at injection time.
    */
-  serverUseById(request: ServerUseByIdRequest): ServerUseByIdResult {
+  async serverUseById(
+    request: ServerUseByIdRequest,
+  ): Promise<ServerUseByIdResult> {
     const resolved = resolveById(request.credentialId);
     if (!resolved) {
       return {
@@ -383,7 +385,7 @@ export class CredentialBroker {
 
     // Fail-closed: verify the secret value actually exists in secure storage.
     // Without this, downstream proxy code would attempt unauthenticated requests.
-    const value = getSecureKey(resolved.storageKey);
+    const value = await getSecureKeyAsync(resolved.storageKey);
     if (!value) {
       return {
         success: false,

package/src/tools/credentials/vault.ts

@@ -900,8 +900,9 @@ class CredentialStoreTool implements Tool {
             | "loopback"
             | "gateway"
             | null) ?? "gateway";
-        if (transport === "loopback" && descProviderRow.loopbackPort) {
-          redirectUri = `http://127.0.0.1:${descProviderRow.loopbackPort}/oauth/callback`;
+        const loopbackPort = descBehavior?.loopbackPort;
+        if (transport === "loopback" && loopbackPort) {
+          redirectUri = `http://localhost:${loopbackPort}/oauth/callback`;
         } else if (transport === "loopback") {
           redirectUri =
             "(automatic — no redirect URI needed, uses random localhost port)";

package/src/tools/network/__tests__/web-search.test.ts

@@ -2,8 +2,6 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
 // Mutable mock state — set per test
 let mockWebSearchProvider: string | undefined = "perplexity";
-let mockBraveConfigKey: string | undefined;
-let mockPerplexityConfigKey: string | undefined;
 let mockBraveSecureKey: string | undefined;
 let mockPerplexitySecureKey: string | undefined;
 
@@ -19,12 +17,11 @@ mock.module("../../registry.js", () => ({
 mock.module("../../../config/loader.js", () => ({
   getConfig: () => ({
     webSearchProvider: mockWebSearchProvider,
-    apiKeys: { brave: mockBraveConfigKey, perplexity: mockPerplexityConfigKey },
   }),
 }));
 
 mock.module("../../../security/secure-keys.js", () => ({
-  getSecureKey: (provider: string) => {
+  getSecureKeyAsync: async (provider: string) => {
     if (provider === "brave") return mockBraveSecureKey;
     if (provider === "perplexity") return mockPerplexitySecureKey;
     return undefined;
@@ -47,33 +44,16 @@ await import("../web-search.js");
 
 describe("web_search tool", () => {
   let originalFetch: typeof globalThis.fetch;
-  let savedBraveKey: string | undefined;
-  let savedPerplexityKey: string | undefined;
 
   beforeEach(() => {
     originalFetch = globalThis.fetch;
     mockWebSearchProvider = "perplexity";
-    mockBraveConfigKey = undefined;
-    mockPerplexityConfigKey = undefined;
     mockBraveSecureKey = undefined;
     mockPerplexitySecureKey = undefined;
-
-    // Isolate from host env so getApiKey() doesn't short-circuit on real keys
-    savedBraveKey = process.env.BRAVE_API_KEY;
-    savedPerplexityKey = process.env.PERPLEXITY_API_KEY;
-    delete process.env.BRAVE_API_KEY;
-    delete process.env.PERPLEXITY_API_KEY;
   });
 
   afterEach(() => {
     globalThis.fetch = originalFetch;
-
-    if (savedBraveKey !== undefined) process.env.BRAVE_API_KEY = savedBraveKey;
-    else delete process.env.BRAVE_API_KEY;
-
-    if (savedPerplexityKey !== undefined)
-      process.env.PERPLEXITY_API_KEY = savedPerplexityKey;
-    else delete process.env.PERPLEXITY_API_KEY;
   });
 
   function execute(input: Record<string, unknown>) {
@@ -105,7 +85,7 @@ describe("web_search tool", () => {
   // ---- Perplexity provider ------------------------------------------------
 
   test("executes Perplexity search successfully", async () => {
-    mockPerplexityConfigKey = "pplx-test-key";
+    mockPerplexitySecureKey = "pplx-test-key";
     globalThis.fetch = (async (_url: string, _init?: RequestInit) => {
       return new Response(
         JSON.stringify({
@@ -126,7 +106,7 @@ describe("web_search tool", () => {
   });
 
   test("Perplexity sends correct request format", async () => {
-    mockPerplexityConfigKey = "pplx-test-key";
+    mockPerplexitySecureKey = "pplx-test-key";
     let capturedUrl = "";
     let capturedBody: any = null;
     let capturedHeaders: any = null;
@@ -150,7 +130,7 @@ describe("web_search tool", () => {
   });
 
   test("Perplexity returns no results message when response is empty", async () => {
-    mockPerplexityConfigKey = "pplx-test-key";
+    mockPerplexitySecureKey = "pplx-test-key";
     globalThis.fetch = (async () => {
       return new Response(JSON.stringify({ choices: [] }), {
         status: 200,
@@ -164,7 +144,7 @@ describe("web_search tool", () => {
   });
 
   test("Perplexity handles 401/403 auth errors", async () => {
-    mockPerplexityConfigKey = "bad-key";
+    mockPerplexitySecureKey = "bad-key";
     globalThis.fetch = (async () => {
       return new Response("Unauthorized", { status: 401 });
     }) as any;
@@ -175,7 +155,7 @@ describe("web_search tool", () => {
   });
 
   test("Perplexity handles 429 rate limit after max retries", async () => {
-    mockPerplexityConfigKey = "pplx-key";
+    mockPerplexitySecureKey = "pplx-key";
     let callCount = 0;
     globalThis.fetch = (async () => {
       callCount++;
@@ -193,7 +173,7 @@ describe("web_search tool", () => {
   });
 
   test("Perplexity handles generic server error", async () => {
-    mockPerplexityConfigKey = "pplx-key";
+    mockPerplexitySecureKey = "pplx-key";
     globalThis.fetch = (async () => {
       return new Response("Internal Server Error", { status: 500 });
     }) as any;
@@ -207,7 +187,7 @@ describe("web_search tool", () => {
 
   test("executes Brave search successfully", async () => {
     mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "brave-test-key";
+    mockBraveSecureKey = "brave-test-key";
     globalThis.fetch = (async (_url: string) => {
       return new Response(
         JSON.stringify({
@@ -243,7 +223,7 @@ describe("web_search tool", () => {
 
   test("Brave sends correct query parameters", async () => {
     mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "brave-key";
+    mockBraveSecureKey = "brave-key";
     let capturedUrl = "";
     globalThis.fetch = (async (url: string) => {
       capturedUrl = url;
@@ -268,7 +248,7 @@ describe("web_search tool", () => {
 
   test("Brave clamps count and offset", async () => {
     mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "brave-key";
+    mockBraveSecureKey = "brave-key";
     let capturedUrl = "";
     globalThis.fetch = (async (url: string) => {
       capturedUrl = url;
@@ -286,7 +266,7 @@ describe("web_search tool", () => {
 
   test("Brave skips invalid freshness values", async () => {
     mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "brave-key";
+    mockBraveSecureKey = "brave-key";
     let capturedUrl = "";
     globalThis.fetch = (async (url: string) => {
       capturedUrl = url;
@@ -303,7 +283,7 @@ describe("web_search tool", () => {
 
   test("Brave handles empty results", async () => {
     mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "brave-key";
+    mockBraveSecureKey = "brave-key";
     globalThis.fetch = (async () => {
       return new Response(JSON.stringify({ web: { results: [] } }), {
         status: 200,
@@ -318,7 +298,7 @@ describe("web_search tool", () => {
 
   test("Brave handles 401 auth error", async () => {
     mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "bad-key";
+    mockBraveSecureKey = "bad-key";
     globalThis.fetch = (async () => {
       return new Response("Forbidden", { status: 403 });
     }) as any;
@@ -330,7 +310,7 @@ describe("web_search tool", () => {
 
   test("Brave handles 429 rate limit with Retry-After header", async () => {
     mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "brave-key";
+    mockBraveSecureKey = "brave-key";
     let callCount = 0;
     globalThis.fetch = (async () => {
       callCount++;
@@ -369,7 +349,7 @@ describe("web_search tool", () => {
 
   test("falls back from perplexity to brave when perplexity has no key", async () => {
     mockWebSearchProvider = "perplexity";
-    mockBraveConfigKey = "brave-fallback-key";
+    mockBraveSecureKey = "brave-fallback-key";
     let capturedUrl = "";
     globalThis.fetch = (async (url: string) => {
       capturedUrl = url;
@@ -386,7 +366,7 @@ describe("web_search tool", () => {
 
   test("falls back from brave to perplexity when brave has no key", async () => {
     mockWebSearchProvider = "brave";
-    mockPerplexityConfigKey = "pplx-fallback-key";
+    mockPerplexitySecureKey = "pplx-fallback-key";
     let capturedUrl = "";
     globalThis.fetch = (async (url: string, _init?: RequestInit) => {
       capturedUrl = url;
@@ -405,7 +385,7 @@ describe("web_search tool", () => {
 
   test("maps anthropic-native to perplexity", async () => {
     mockWebSearchProvider = "anthropic-native";
-    mockPerplexityConfigKey = "pplx-key";
+    mockPerplexitySecureKey = "pplx-key";
     let capturedUrl = "";
     globalThis.fetch = (async (url: string) => {
       capturedUrl = url;
@@ -422,38 +402,10 @@ describe("web_search tool", () => {
     expect(capturedUrl).toContain("perplexity");
   });
 
-  // ---- Env var keys -------------------------------------------------------
-
-  test("uses PERPLEXITY_API_KEY env var when available", async () => {
-    const origEnv = process.env.PERPLEXITY_API_KEY;
-    process.env.PERPLEXITY_API_KEY = "env-pplx-key";
-    try {
-      globalThis.fetch = (async (_url: string, init?: RequestInit) => {
-        const headers = new Headers(init?.headers);
-        expect(headers.get("authorization")).toBe("Bearer env-pplx-key");
-        return new Response(
-          JSON.stringify({
-            choices: [{ message: { content: "env key works" } }],
-          }),
-          { status: 200, headers: { "content-type": "application/json" } },
-        );
-      }) as any;
-
-      const result = await execute({ query: "test" });
-      expect(result.isError).toBe(false);
-    } finally {
-      if (origEnv === undefined) {
-        delete process.env.PERPLEXITY_API_KEY;
-      } else {
-        process.env.PERPLEXITY_API_KEY = origEnv;
-      }
-    }
-  });
-
   // ---- Network errors -----------------------------------------------------
 
   test("handles fetch exceptions", async () => {
-    mockPerplexityConfigKey = "pplx-key";
+    mockPerplexitySecureKey = "pplx-key";
     globalThis.fetch = (async () => {
       throw new Error("Network error: connection refused");
     }) as any;
@@ -463,24 +415,4 @@ describe("web_search tool", () => {
     expect(result.content).toContain("Web search failed");
     expect(result.content).toContain("connection refused");
   });
-
-  // ---- Secure key precedence ----------------------------------------------
-
-  test("prefers secure key over config key for brave", async () => {
-    mockWebSearchProvider = "brave";
-    mockBraveConfigKey = "config-key";
-    mockBraveSecureKey = "secure-key";
-    let capturedHeaders: Headers | null = null;
-    globalThis.fetch = (async (_url: string, init?: RequestInit) => {
-      capturedHeaders = new Headers(init?.headers);
-      return new Response(JSON.stringify({ web: { results: [] } }), {
-        status: 200,
-        headers: { "content-type": "application/json" },
-      });
-    }) as any;
-
-    await execute({ query: "test" });
-    // Brave uses X-Subscription-Token header with the secure key
-    expect(capturedHeaders!.get("x-subscription-token")).toBe("secure-key");
-  });
 });

package/src/tools/network/web-search.ts

@@ -1,7 +1,7 @@
 import { getConfig } from "../../config/loader.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
-import { getSecureKey } from "../../security/secure-keys.js";
+import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import { getLogger } from "../../util/logger.js";
 import {
   DEFAULT_BASE_DELAY_MS,
@@ -50,21 +50,15 @@ function getWebSearchProvider(): WebSearchProvider {
   return configured as WebSearchProvider;
 }
 
-function getApiKey(provider: WebSearchProvider): string | undefined {
+async function getApiKey(
+  provider: WebSearchProvider,
+): Promise<string | undefined> {
   if (provider === "brave") {
-    if (process.env.BRAVE_API_KEY) return process.env.BRAVE_API_KEY;
-    const secureKey = getSecureKey("brave");
-    if (secureKey) return secureKey;
-    const config = getConfig();
-    return config.apiKeys.brave;
+    return (await getSecureKeyAsync("brave")) ?? undefined;
   }
 
   // Perplexity
-  if (process.env.PERPLEXITY_API_KEY) return process.env.PERPLEXITY_API_KEY;
-  const secureKey = getSecureKey("perplexity");
-  if (secureKey) return secureKey;
-  const config = getConfig();
-  return config.apiKeys.perplexity;
+  return (await getSecureKeyAsync("perplexity")) ?? undefined;
 }
 
 function formatBraveResults(
@@ -321,13 +315,13 @@ class WebSearchTool implements Tool {
     }
 
     let provider = getWebSearchProvider();
-    let apiKey = getApiKey(provider);
+    let apiKey = await getApiKey(provider);
 
     // Fallback: if the configured provider has no key, try the other provider
     if (!apiKey) {
       const fallback: WebSearchProvider =
         provider === "perplexity" ? "brave" : "perplexity";
-      const fallbackKey = getApiKey(fallback);
+      const fallbackKey = await getApiKey(fallback);
       if (fallbackKey) {
         log.info(
           { from: provider, to: fallback },
@@ -338,7 +332,7 @@ class WebSearchTool implements Tool {
       } else {
         return {
           content:
-            "Error: No web search API key configured. Set a PERPLEXITY_API_KEY or BRAVE_API_KEY environment variable, or configure it from the Settings page under API Keys.",
+            "Error: No web search API key configured. Set it via `keys set perplexity <key>` or `keys set brave <key>`, or configure it from the Settings page under API Keys.",
           isError: true,
         };
       }

package/src/util/platform.ts

@@ -328,7 +328,13 @@ export function getHooksDir(): string {
 // These will become the canonical paths after workspace migration.
 // Currently not used by call-sites; wired in later PRs.
 
-/** Returns ~/.vellum/workspace — the workspace root for user-facing state. */
+/**
+ * Returns ~/.vellum/workspace — the workspace root for user-facing state.
+ *
+ * WARNING: The entire workspace directory is included in diagnostic log exports
+ * ("Send logs to Vellum"). Do not store secrets, API keys, or sensitive
+ * credentials here — use the credential store or ~/.vellum/protected/ instead.
+ */
 export function getWorkspaceDir(): string {
   return join(getRootDir(), "workspace");
 }

package/src/util/pricing.ts

@@ -20,7 +20,6 @@ const PROVIDER_PRICING: Record<string, Record<string, ModelPricing>> = {
   anthropic: {
     "claude-opus-4-6": { inputPer1M: 5, outputPer1M: 25 },
     "claude-opus-4": { inputPer1M: 15, outputPer1M: 75 },
-    "claude-opus-4-6-fast": { inputPer1M: 30, outputPer1M: 150 },
     "claude-sonnet-4": { inputPer1M: 3, outputPer1M: 15 },
     "claude-haiku-4": { inputPer1M: 0.8, outputPer1M: 4 },
   },