@vellumai/assistant 0.4.52 → 0.4.53

package/src/__tests__/tool-execution-abort-cleanup.test.ts

@@ -25,7 +25,6 @@ mock.module("../config/loader.js", () => ({
 
     provider: "anthropic",
     model: "test",
-    apiKeys: {},
     maxTokens: 4096,
     dataDir: "/tmp",
     timeouts: {

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -8,7 +8,6 @@ import type {
 const mockConfig = {
   provider: "anthropic",
   model: "test",
-  apiKeys: {},
   maxTokens: 4096,
   dataDir: "/tmp",
   timeouts: {

package/src/__tests__/tool-executor-shell-integration.test.ts

@@ -17,7 +17,6 @@ import type { ToolContext } from "../tools/types.js";
 const mockConfig = {
   provider: "anthropic",
   model: "test",
-  apiKeys: {},
   maxTokens: 4096,
   dataDir: "/tmp",
   timeouts: {

package/src/__tests__/tool-executor.test.ts

@@ -26,7 +26,6 @@ import type {
 const mockConfig = {
   provider: "anthropic",
   model: "test",
-  apiKeys: {},
   maxTokens: 4096,
   dataDir: "/tmp",
   timeouts: {

package/src/__tests__/trust-store.test.ts

@@ -1099,7 +1099,7 @@ describe("Trust Store", () => {
 
     // ── default allow: browser tools ────────────────────────────
 
-    test("all 10 browser tools have default allow rules", () => {
+    test("all 14 browser tools have default allow rules", () => {
       const templates = getDefaultRuleTemplates();
       const browserTools = [
         "browser_navigate",
@@ -1109,8 +1109,12 @@ describe("Trust Store", () => {
         "browser_click",
         "browser_type",
         "browser_press_key",
+        "browser_scroll",
+        "browser_select_option",
+        "browser_hover",
         "browser_wait_for",
         "browser_extract",
+        "browser_wait_for_download",
         "browser_fill_credential",
       ];
 

package/src/__tests__/twilio-routes.test.ts

@@ -120,11 +120,10 @@ mock.module("../util/logger.js", () => ({
 const mockConfigObj = {
   model: "test",
   provider: "test",
-  apiKeys: {},
   memory: { enabled: false },
   rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
   secretDetection: { enabled: false },
-  elevenlabs: { voiceId: "21m00Tcm4TlvDq8ikWAM" },
+  elevenlabs: { voiceId: DEFAULT_ELEVENLABS_VOICE_ID },
   calls: {
     voice: {
       language: "en-US",
@@ -322,6 +321,7 @@ import {
   handleStatusCallback,
   handleVoiceWebhook,
 } from "../calls/twilio-routes.js";
+import { DEFAULT_ELEVENLABS_VOICE_ID } from "../config/schemas/elevenlabs.js";
 import { getDb, initializeDb, resetDb } from "../memory/db.js";
 import { conversations } from "../memory/schema.js";
 import {

package/src/__tests__/verification-control-plane-policy.test.ts

@@ -19,7 +19,6 @@ import type {
 const mockConfig = {
   provider: "anthropic",
   model: "test",
-  apiKeys: {},
   maxTokens: 4096,
   dataDir: "/tmp",
   timeouts: {

package/src/__tests__/voice-quality.test.ts

@@ -10,6 +10,7 @@ import {
   buildElevenLabsVoiceSpec,
   resolveVoiceQualityProfile,
 } from "../calls/voice-quality.js";
+import { DEFAULT_ELEVENLABS_VOICE_ID } from "../config/schemas/elevenlabs.js";
 
 describe("buildElevenLabsVoiceSpec", () => {
   test("returns bare voiceId when no model is set", () => {
@@ -63,7 +64,7 @@ describe("buildElevenLabsVoiceSpec", () => {
 describe("resolveVoiceQualityProfile", () => {
   test("always returns ElevenLabs ttsProvider", () => {
     mockConfig = {
-      elevenlabs: { voiceId: "21m00Tcm4TlvDq8ikWAM" },
+      elevenlabs: { voiceId: DEFAULT_ELEVENLABS_VOICE_ID },
       calls: {
         voice: {
           language: "en-US",

package/src/__tests__/voice-scoped-grant-consumer.test.ts

@@ -55,7 +55,6 @@ mock.module("../config/loader.js", () => ({
 
     provider: "anthropic",
     providerOrder: ["anthropic"],
-    apiKeys: { anthropic: "test-key" },
     calls: {
       enabled: true,
       provider: "twilio",

package/src/__tests__/web-search.test.ts

@@ -548,7 +548,7 @@ async function executeWebSearch(
   if (!apiKey) {
     return {
       content:
-        "Error: No web search API key configured. Provide a PERPLEXITY_API_KEY or BRAVE_API_KEY here in the chat using the secure credential prompt, or set it from the Settings page.",
+        "Error: No web search API key configured. Set it via `keys set perplexity <key>` or `keys set brave <key>`, or configure it from the Settings page under API Keys.",
       isError: true,
     };
   }

package/src/agent/loop.ts

@@ -1,5 +1,6 @@
 import * as Sentry from "@sentry/node";
 
+import { estimateToolsTokens } from "../context/token-estimator.js";
 import { truncateOversizedToolResults } from "../context/tool-result-truncation.js";
 import { getHookManager } from "../hooks/manager.js";
 import type {
@@ -78,7 +79,7 @@ export type AgentEvent =
       toolUseId: string;
       input: Record<string, unknown>;
     }
-  | { type: "server_tool_complete"; toolUseId: string }
+  | { type: "server_tool_complete"; toolUseId: string; isError: boolean }
   | { type: "error"; error: Error }
   | {
       type: "usage";
@@ -175,6 +176,20 @@ export class AgentLoop {
     this.toolExecutor = toolExecutor ?? null;
   }
 
+  /**
+   * Estimate token cost of the tool definitions sent to the provider.
+   *
+   * When `history` is provided and a dynamic `resolveTools` callback
+   * exists, the budget is derived from the resolved tool list for that
+   * turn — matching what `run()` actually sends. Without `history` (or
+   * without a resolver), falls back to the static `this.tools`.
+   */
+  getToolTokenBudget(history?: Message[]): number {
+    const tools =
+      history && this.resolveTools ? this.resolveTools(history) : this.tools;
+    return estimateToolsTokens(tools);
+  }
+
   async run(
     messages: Message[],
     onEvent: (event: AgentEvent) => void | Promise<void>,
@@ -318,6 +333,7 @@ export class AgentLoop {
                 onEvent({
                   type: "server_tool_complete",
                   toolUseId: event.toolUseId,
+                  isError: event.isError,
                 });
               }
             },

package/src/bundler/app-bundler.ts

@@ -14,7 +14,7 @@ import { join } from "node:path";
 import archiver from "archiver";
 import JSZip from "jszip";
 
-import { getApp, getAppsDir } from "../memory/app-store.js";
+import { getApp, getAppsDir, isMultifileApp } from "../memory/app-store.js";
 import { computeContentId } from "../util/content-id.js";
 import { getLogger } from "../util/logger.js";
 import { compileApp } from "./app-compiler.js";
@@ -60,8 +60,10 @@ export async function packageApp(
   const version = app.version ?? "1.0.0";
   const contentId = computeContentId(app.name);
 
+  const multifile = isMultifileApp(app);
+
   const manifest: AppManifest = {
-    format_version: 2,
+    format_version: multifile ? 2 : 1,
     name: app.name,
     ...(app.description ? { description: app.description } : {}),
     ...(app.icon ? { icon: app.icon } : {}),
@@ -74,34 +76,48 @@ export async function packageApp(
     content_id: contentId,
   };
 
-  // Compile the app and bundle the dist/ output.
+  // Compile the app and bundle the output.
   const compiledFiles: { name: string; data: Buffer }[] = [];
 
   const appDir = join(getAppsDir(), appId);
-  const compileResult = await compileApp(appDir);
-  if (!compileResult.ok) {
-    const messages = compileResult.errors
-      .map((e) => {
-        const loc = e.location
-          ? ` (${e.location.file}:${e.location.line}:${e.location.column})`
-          : "";
-        return `${e.text}${loc}`;
-      })
-      .join("\n");
-    throw new Error(`Compilation failed for app "${app.name}":\n${messages}`);
-  }
 
-  const distDir = join(appDir, "dist");
-  const indexHtml = await readFile(join(distDir, "index.html"), "utf-8");
-  const mainJs = await readFile(join(distDir, "main.js"));
+  if (multifile) {
+    // Multi-file TSX app: compile src/ -> dist/
+    const compileResult = await compileApp(appDir);
+    if (!compileResult.ok) {
+      const messages = compileResult.errors
+        .map((e) => {
+          const loc = e.location
+            ? ` (${e.location.file}:${e.location.line}:${e.location.column})`
+            : "";
+          return `${e.text}${loc}`;
+        })
+        .join("\n");
+      throw new Error(`Compilation failed for app "${app.name}":\n${messages}`);
+    }
+
+    const distDir = join(appDir, "dist");
+    const indexHtml = await readFile(join(distDir, "index.html"), "utf-8");
+    const mainJs = await readFile(join(distDir, "main.js"));
 
-  compiledFiles.push({ name: "index.html", data: Buffer.from(indexHtml) });
-  compiledFiles.push({ name: "main.js", data: mainJs });
+    compiledFiles.push({ name: "index.html", data: Buffer.from(indexHtml) });
+    compiledFiles.push({ name: "main.js", data: mainJs });
 
-  // main.css is optional — only produced when the app imports CSS
-  const cssPath = join(distDir, "main.css");
-  if (existsSync(cssPath)) {
-    compiledFiles.push({ name: "main.css", data: await readFile(cssPath) });
+    // main.css is optional — only produced when the app imports CSS
+    const cssPath = join(distDir, "main.css");
+    if (existsSync(cssPath)) {
+      compiledFiles.push({ name: "main.css", data: await readFile(cssPath) });
+    }
+  } else {
+    // Single-file HTML app: bundle index.html directly
+    const indexHtmlPath = join(appDir, "index.html");
+    if (!existsSync(indexHtmlPath)) {
+      throw new Error(
+        `App "${app.name}" has no src/ directory and no index.html`,
+      );
+    }
+    const indexHtml = await readFile(indexHtmlPath, "utf-8");
+    compiledFiles.push({ name: "index.html", data: Buffer.from(indexHtml) });
   }
 
   // Create the zip archive

package/src/calls/call-controller.ts

@@ -50,6 +50,7 @@ import {
   ASK_GUARDIAN_CAPTURE_REGEX,
   CALL_OPENING_ACK_MARKER,
   CALL_OPENING_MARKER,
+  CALL_VERIFICATION_COMPLETE_MARKER,
   couldBeControlMarker,
   END_CALL_MARKER,
   extractBalancedJson,
@@ -209,6 +210,21 @@ export class CallController {
     await this.runTurn(CALL_OPENING_MARKER);
   }
 
+  /**
+   * Kick off the first utterance after the caller has completed outbound
+   * phone verification. Sends a verification-aware marker so the LLM can
+   * greet naturally with context that verification just happened.
+   */
+  async startPostVerificationGreeting(): Promise<void> {
+    if (this.initialGreetingStarted) return;
+    if (this.state !== "idle") return;
+
+    this.initialGreetingStarted = true;
+    this.resetSilenceTimer();
+    this.lastSentWasOpener = true;
+    await this.runTurn(CALL_VERIFICATION_COMPLETE_MARKER);
+  }
+
   /**
    * Handle a final caller utterance from the ConversationRelay.
    * Caller utterances always trigger normal turns, even when a guardian

package/src/calls/relay-server.ts

@@ -595,7 +595,7 @@ export class RelayConnection {
           (resolved.actorTrust.trustClass === "guardian" ||
             resolved.actorTrust.trustClass === "trusted_contact")
         ) {
-          touchContactInteraction(resolved.actorTrust.memberRecord.contact.id);
+          touchContactInteraction(resolved.actorTrust.memberRecord.channel.id);
         }
         if (this.controller && resolved.actorTrust.trustClass !== "unknown") {
           this.controller.setTrustContext(
@@ -612,7 +612,7 @@ export class RelayConnection {
               resolved.actorTrust.trustClass === "trusted_contact")
           ) {
             touchContactInteraction(
-              resolved.actorTrust.memberRecord.contact.id,
+              resolved.actorTrust.memberRecord.channel.id,
             );
           }
           if (this.controller && resolved.actorTrust.trustClass !== "unknown") {
@@ -992,14 +992,7 @@ export class RelayConnection {
       }
 
       if (isOutbound) {
-        this.connectionState = "disconnecting";
-        this.sendTextToken(result.ttsMessage!, true);
-
-        updateCallSession(this.callSessionId, {
-          status: "completed",
-          endedAt: Date.now(),
-        });
-
+        // Keep the pointer message back to the initiating conversation
         const successSession = getCallSession(this.callSessionId);
         if (successSession?.initiatedFromConversationId) {
           addPointerMessage(
@@ -1018,9 +1011,32 @@ export class RelayConnection {
           });
         }
 
-        setTimeout(() => {
-          this.endSession("Verified — guardian challenge passed");
-        }, getTtsPlaybackDelayMs());
+        // Update trust context on the controller so the LLM knows this is the guardian
+        if (this.controller) {
+          const verifiedActorTrust = resolveActorTrust({
+            assistantId,
+            sourceChannel: "phone",
+            conversationExternalId: fromNumber,
+            actorExternalId: fromNumber,
+          });
+          this.controller.setTrustContext(
+            toTrustContext(verifiedActorTrust, fromNumber),
+          );
+        }
+
+        // Mark session as in-progress and transition to guardian conversation
+        // with verification context so the LLM greets naturally.
+        updateCallSession(this.callSessionId, { status: "in_progress" });
+        if (this.controller) {
+          this.controller
+            .startPostVerificationGreeting()
+            .catch((err) =>
+              log.error(
+                { err, callSessionId: this.callSessionId },
+                "Failed to start post-verification greeting",
+              ),
+            );
+        }
       } else if (result.verificationType === "trusted_contact") {
         this.continueCallAfterTrustedContactActivation({
           assistantId,

package/src/calls/voice-control-protocol.ts

@@ -11,6 +11,7 @@
 
 export const CALL_OPENING_MARKER = "[CALL_OPENING]";
 export const CALL_OPENING_ACK_MARKER = "[CALL_OPENING_ACK]";
+export const CALL_VERIFICATION_COMPLETE_MARKER = "[CALL_VERIFICATION_COMPLETE]";
 export const END_CALL_MARKER = "[END_CALL]";
 
 // ---------------------------------------------------------------------------

package/src/calls/voice-quality.ts

@@ -44,7 +44,7 @@ export function buildElevenLabsVoiceSpec(config: {
  *
  * Always uses ElevenLabs TTS via Twilio ConversationRelay.
  * The voice ID comes from the shared `elevenlabs.voiceId` config
- * (defaults to Rachel — 21m00Tcm4TlvDq8ikWAM).
+ * (defaults to Amelia — ZF6FPAbjXT4488VcRRnw).
  */
 export function resolveVoiceQualityProfile(
   config?: ReturnType<typeof loadConfig>,

package/src/calls/voice-session-bridge.ts

@@ -24,7 +24,10 @@ import { checkIngressForSecrets } from "../security/secret-ingress.js";
 import { computeToolApprovalDigest } from "../security/tool-approval-digest.js";
 import { IngressBlockedError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
-import { CALL_OPENING_MARKER } from "./voice-control-protocol.js";
+import {
+  CALL_OPENING_MARKER,
+  CALL_VERIFICATION_COMPLETE_MARKER,
+} from "./voice-control-protocol.js";
 
 const log = getLogger("voice-session-bridge");
 
@@ -197,7 +200,8 @@ function buildVoiceCallControlPrompt(opts: {
         ? " However, the disclosure text from rule 0 is separate from self-introduction and must always be included in your opening greeting, even if the Task does not mention introducing yourself."
         : "";
     lines.push(
-      `7. If the latest user turn is "(call connected — deliver opening greeting)", deliver your opening greeting based solely on the Task context above. The Task already describes how to open the call — follow it directly without adding any extra introduction on top. If the Task says to introduce yourself, do so once. If the Task does not mention introducing yourself, skip the introduction.${disclosureReminder} Vary the wording naturally; do not use a fixed template.`,
+      '7. If the latest user turn is "(verification completed — transitioning into conversation)", the caller just completed a phone verification code challenge on this call. Greet them naturally and ask if there is anything you can help with. Keep it casual and brief.',
+      `If the latest user turn is "(call connected — deliver opening greeting)", deliver your opening greeting based solely on the Task context above. The Task already describes how to open the call — follow it directly without adding any extra introduction on top. If the Task says to introduce yourself, do so once. If the Task does not mention introducing yourself, skip the introduction.${disclosureReminder} Vary the wording naturally; do not use a fixed template.`,
       "8. If the latest user turn includes [CALL_OPENING_ACK], treat it as the callee acknowledging your opener and continue the conversation naturally without re-introducing yourself or repeating the initial check-in question.",
     );
   }
@@ -269,7 +273,9 @@ export async function startVoiceTurn(
   const persistedContent =
     opts.content === CALL_OPENING_MARKER
       ? "(call connected — deliver opening greeting)"
-      : opts.content;
+      : opts.content === CALL_VERIFICATION_COMPLETE_MARKER
+        ? "(verification completed — transitioning into conversation)"
+        : opts.content;
 
   // Build the call-control protocol prompt so the model knows how to emit
   // control markers (ASK_GUARDIAN, END_CALL, etc.) and recognize opener turns.

package/src/channels/types.ts

@@ -74,6 +74,22 @@ export function assertInterfaceId(value: unknown, field: string): InterfaceId {
   return value;
 }
 
+/**
+ * Interfaces that have an SSE client capable of displaying interactive
+ * permission prompts. Channel interfaces (telegram, slack, etc.) route
+ * approvals through the guardian system and have no interactive prompter UI.
+ */
+export const INTERACTIVE_INTERFACES: ReadonlySet<InterfaceId> = new Set([
+  "macos",
+  "ios",
+  "cli",
+  "vellum",
+]);
+
+export function isInteractiveInterface(id: InterfaceId): boolean {
+  return INTERACTIVE_INTERFACES.has(id);
+}
+
 export interface TurnInterfaceContext {
   userMessageInterface: InterfaceId;
   assistantMessageInterface: InterfaceId;

package/src/cli/commands/bash.ts

@@ -0,0 +1,173 @@
+import { randomUUID } from "node:crypto";
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  unlinkSync,
+  writeFileSync,
+} from "node:fs";
+import { join } from "node:path";
+
+import type { Command } from "commander";
+
+import { getWorkspaceDir } from "../../util/platform.js";
+import { log } from "../logger.js";
+
+const DEFAULT_TIMEOUT_MS = 30_000;
+const POLL_INTERVAL_MS = 100;
+
+interface BashSignalResult {
+  requestId: string;
+  stdout: string;
+  stderr: string;
+  exitCode: number | null;
+  timedOut: boolean;
+  error?: string;
+}
+
+export function registerBashCommand(program: Command): void {
+  program
+    .command("bash <command>")
+    .description(
+      "Execute a shell command through the assistant process for debugging",
+    )
+    .option(
+      "-t, --timeout <ms>",
+      "Timeout in milliseconds for command execution",
+      String(DEFAULT_TIMEOUT_MS),
+    )
+    .addHelpText(
+      "after",
+      `
+Sends a shell command to the running assistant for execution via the
+signals directory. The assistant spawns the command in its own process environment
+and returns stdout, stderr, and the exit code.
+
+This is a developer debugging tool for inspecting how the assistant invokes and
+observes shell commands. The command runs with the assistant's environment, working
+directory, and process context — not the caller's shell.
+
+The CLI writes the command to signals/bash.<requestId> and polls
+signals/bash.<requestId>.result for the output. The assistant must be running
+for this to work.
+
+Arguments:
+  command   The shell command string to execute (e.g. "echo hello", "ls -la").
+            Runs in bash via \`bash -c\` in the assistant's process environment.
+
+Examples:
+  $ assistant bash "echo hello"
+  $ assistant bash "which node"
+  $ assistant bash "env | grep PATH" --timeout 10000
+  $ assistant bash "ls -la"`,
+    )
+    .action((command: string, opts: { timeout: string }) => {
+      const timeoutMs = parseInt(opts.timeout, 10);
+      if (!Number.isFinite(timeoutMs) || timeoutMs < 1) {
+        log.error("Invalid timeout value. Must be a positive integer.");
+        process.exitCode = 1;
+        return;
+      }
+
+      const requestId = randomUUID();
+      const signalsDir = join(getWorkspaceDir(), "signals");
+
+      try {
+        mkdirSync(signalsDir, { recursive: true });
+      } catch {
+        log.error("Failed to create signals directory.");
+        process.exitCode = 1;
+        return;
+      }
+
+      // Write the command signal for the assistant to pick up.
+      const signalPath = join(signalsDir, `bash.${requestId}`);
+      const resultPath = join(signalsDir, `bash.${requestId}.result`);
+
+      try {
+        writeFileSync(
+          signalPath,
+          JSON.stringify({ requestId, command, timeoutMs }),
+        );
+      } catch {
+        log.error("Failed to write bash signal file.");
+        process.exitCode = 1;
+        return;
+      }
+
+      log.info(`Sent command to assistant (requestId: ${requestId})`);
+      log.info("Waiting for result...");
+
+      // Poll for the result file until timeout.
+      const deadline = Date.now() + timeoutMs + 5_000; // extra buffer for assistant overhead
+
+      const poll = setInterval(() => {
+        if (Date.now() > deadline) {
+          clearInterval(poll);
+          cleanupSignalFiles();
+          log.error(
+            "Timed out waiting for response. Is the assistant running?",
+          );
+          process.exitCode = 1;
+          return;
+        }
+
+        if (!existsSync(resultPath)) return;
+
+        let result: BashSignalResult;
+        try {
+          const content = readFileSync(resultPath, "utf-8");
+          result = JSON.parse(content) as BashSignalResult;
+        } catch {
+          // File may be partially written; retry on next poll.
+          return;
+        }
+
+        // Ignore stale results from a previous invocation.
+        if (result.requestId !== requestId) return;
+
+        clearInterval(poll);
+        cleanupSignalFiles();
+
+        if (result.error) {
+          log.error(`Spawn error: ${result.error}`);
+          process.exitCode = 1;
+          return;
+        }
+
+        if (result.stdout) {
+          process.stdout.write(result.stdout);
+          if (!result.stdout.endsWith("\n")) {
+            process.stdout.write("\n");
+          }
+        }
+
+        if (result.stderr) {
+          process.stderr.write(result.stderr);
+          if (!result.stderr.endsWith("\n")) {
+            process.stderr.write("\n");
+          }
+        }
+
+        if (result.timedOut) {
+          log.info(`Command timed out in assistant.`);
+        }
+
+        if (result.exitCode != null && result.exitCode !== 0) {
+          log.info(`Exit code: ${result.exitCode}`);
+        }
+
+        process.exitCode = result.exitCode ?? 1;
+      }, POLL_INTERVAL_MS);
+
+      function cleanupSignalFiles(): void {
+        for (const p of [signalPath, resultPath]) {
+          try {
+            unlinkSync(p);
+          } catch {
+            // Best-effort cleanup; the file may already be gone.
+          }
+        }
+      }
+    });
+}

package/src/cli/commands/doctor.ts

@@ -7,7 +7,7 @@ import { getRuntimeHttpPort } from "../../config/env.js";
 import { loadRawConfig } from "../../config/loader.js";
 import { shouldAutoStartDaemon } from "../../daemon/connection-policy.js";
 import { isHttpHealthy } from "../../daemon/daemon-control.js";
-import { getSecureKey } from "../../security/secure-keys.js";
+import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import {
   getDbPath,
   getLogPath,
@@ -35,7 +35,7 @@ Output symbols:
 
 Diagnostic checks performed:
   1.  Bun is installed           Verifies bun is available in PATH
-  2.  API key configured         Checks for a valid provider API key in config or env
+  2.  API key configured         Checks for a valid provider API key in secure storage
   3.  Assistant reachable         HTTP health check against the assistant server
   4.  Database exists/readable   Opens the SQLite database and runs a test query
   5.  Directory structure        Verifies required ~/.vellum/ directories exist
@@ -76,32 +76,14 @@ Examples:
       const raw = loadRawConfig();
       const provider =
         typeof raw.provider === "string" ? raw.provider : "anthropic";
-      const providerEnvVar: Record<string, string> = {
-        anthropic: "ANTHROPIC_API_KEY",
-        openai: "OPENAI_API_KEY",
-        gemini: "GEMINI_API_KEY",
-        ollama: "OLLAMA_API_KEY",
-        fireworks: "FIREWORKS_API_KEY",
-        openrouter: "OPENROUTER_API_KEY",
-      };
-      const configKey = getSecureKey(provider);
-      const envVar = providerEnvVar[provider];
-      const envKey = envVar ? process.env[envVar] : undefined;
-      const plaintextKey = (
-        raw.apiKeys as Record<string, string> | undefined
-      )?.[provider];
+      const configKey = await getSecureKeyAsync(provider);
 
       if (provider === "ollama") {
         pass("Provider configured (Ollama; API key optional)");
-      } else if (envKey || configKey || plaintextKey) {
+      } else if (configKey) {
         pass("API key configured");
       } else {
-        fail(
-          "API key configured",
-          envVar
-            ? `set ${envVar} or run: assistant keys set ${provider} <key>`
-            : `set API key for provider "${provider}"`,
-        );
+        fail("API key configured", `run: assistant keys set ${provider} <key>`);
       }
 
       // 3. Daemon reachable (HTTP health check)