@vellumai/assistant 0.4.53 → 0.4.55

package/docs/architecture/integrations.md

@@ -152,7 +152,7 @@ sequenceDiagram
     Note over UI,API: Tool Execution Flow
     Tool->>TokenMgr: withValidToken("gmail", callback)
     TokenMgr->>Store: getConnectionByProvider("integration:google")
-    TokenMgr->>Vault: getSecureKey("oauth_connection/{conn.id}/access_token")
+    TokenMgr->>Vault: getSecureKeyAsync("oauth_connection/{conn.id}/access_token")
     TokenMgr->>Store: check oauth_connections.expires_at
     alt Token expired
         TokenMgr->>Store: resolveRefreshConfig() → tokenUrl, clientId from provider/app rows

package/docs/architecture/keychain-broker.md

@@ -1,13 +1,15 @@
 # macOS Keychain Broker Architecture
 
 **Status:** Accepted
-**Last Updated:** 2026-03-05
+**Last Updated:** 2026-03-14
 **Owners:** macOS client + assistant runtime
 
 ## Decision
 
 Embed the keychain broker in the macOS app process rather than running a standalone daemon. The app exposes SecItem keychain operations over a Unix domain socket to the assistant runtime and gateway. Debug builds skip the broker entirely (`#if !DEBUG` guard) so developers never see keychain authorization prompts during rebuilds.
 
+Credential storage is abstracted behind a `CredentialBackend` interface with two implementations: a keychain backend (backed by the broker) and an encrypted file store backend. Each process resolves a single primary backend at startup and uses single-writer semantics -- all writes go to the resolved backend only, with no dual-writing.
+
 ## Problem Statement
 
 We want macOS to use Keychain as the primary secret store, but direct keychain access from the daemon process causes repeated authorization prompts. The prompts are especially problematic during development with ad-hoc signed builds, where every rebuild changes the signing identity and triggers a new keychain prompt.
@@ -20,6 +22,21 @@ Prior state:
 
 ## Architecture
 
+### CredentialBackend interface
+
+All credential storage operations are routed through the `CredentialBackend` interface, which provides a uniform API for get, set, delete, and list operations. This abstraction decouples `secure-keys.ts` from any specific storage mechanism.
+
+Two implementations exist:
+
+| Backend          | Backing store                                | When used                                                               |
+| ---------------- | -------------------------------------------- | ----------------------------------------------------------------------- |
+| Keychain backend | macOS Keychain via the broker UDS connection | Production app context (`VELLUM_DEV` is NOT `"1"`) and broker available |
+| Encrypted store  | `~/.vellum/protected/keys.enc` (AES-256-GCM) | `VELLUM_DEV=1`, broker unavailable, CLI-only, headless, CI              |
+
+The interface is intentionally minimal to make adding future backends trivial -- e.g., Linux secret service (libsecret/D-Bus), 1Password CLI, or cloud KMS. A new backend only needs to implement the `CredentialBackend` interface and be wired into the backend resolution logic.
+
+### Broker topology
+
 ```mermaid
 graph LR
     subgraph "macOS App Process"
@@ -29,11 +46,19 @@ graph LR
         SERVICE --> KC["macOS Keychain"]
     end
 
-    RUNTIME["Assistant Runtime (Bun)"] -->|"UDS JSON"| SERVER
-    GATEWAY["Gateway (Bun)"] -->|"UDS JSON<br/>(async)"| SERVER
+    subgraph "Backend Resolution"
+        RESOLVE{"resolveBackend()"}
+        KB["Keychain Backend"]
+        EB["Encrypted Store Backend"]
+        RESOLVE -->|"VELLUM_DEV!=1<br/>+ broker available"| KB
+        RESOLVE -->|"VELLUM_DEV=1<br/>OR broker unavailable"| EB
+    end
+
+    KB -->|"UDS JSON"| SERVER
+    RUNTIME["Assistant Runtime (Bun)"] --> RESOLVE
+    GATEWAY["Gateway (Bun)"] -->|"read-only"| RESOLVE
 
-    RUNTIME -.->|"fallback<br/>(sync + broker unavailable)"| ENC["Encrypted Store<br/>(~/.vellum/protected/keys.enc)"]
-    GATEWAY -.->|"fallback<br/>(broker unavailable)"| ENC
+    EB --> ENC["Encrypted Store<br/>(~/.vellum/protected/keys.enc)"]
 ```
 
 ### Key properties
@@ -42,7 +67,8 @@ graph LR
 - **No auth bootstrap problem.** The app writes the broker auth token to disk before launching the daemon, so the daemon always has a valid token at startup.
 - **No keychain prompts on signed builds.** Items are stored with `kSecAttrAccessibleAfterFirstUnlock` under the `vellum-assistant` service name. A stable code-signing identity means macOS grants access without prompting after the first unlock.
 - **No keychain interaction on debug builds.** The entire `KeychainBrokerServer` is compiled out with `#if !DEBUG`, so development builds use the encrypted file store exclusively.
-- **Encrypted file store as permanent fallback.** CLI-only, headless, and development environments always have the encrypted store (`~/.vellum/protected/keys.enc`) available. Async callers that use the broker also write through to the encrypted store so sync callers see a consistent view.
+- **Single-writer to resolved backend.** Each process resolves exactly one primary backend at startup. Writes go only to that backend. There is no dual-writing.
+- **Encrypted file store as permanent fallback.** CLI-only, headless, and development environments always have the encrypted store (`~/.vellum/protected/keys.enc`) available.
 
 ## Components
 
@@ -55,11 +81,12 @@ graph LR
 
 ### TypeScript side (runtime + gateway)
 
-| File                                               | Role                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `assistant/src/security/keychain-broker-client.ts` | Async UDS client for the runtime. Persistent socket connection, request/response correlation, auth token caching with auto-refresh on `UNAUTHORIZED`. Falls back gracefully (returns safe defaults, never throws).                                                                                                                                                                                                                                                                                            |
-| `assistant/src/security/secure-keys.ts`            | Unified API surface. Sync variants use encrypted store only. Async variants (`getSecureKeyAsync`, `setSecureKeyAsync`, `deleteSecureKeyAsync`) check the encrypted store first for reads (instant), falling back to the broker for keys that may exist only in the macOS Keychain. **Writes** go to both stores; return `false` on broker failure (no encrypted-store fallback). **Deletes** return `"deleted"`, `"not-found"`, or `"error"` to let callers distinguish idempotent no-ops from real failures. |
-| `gateway/src/credential-reader.ts`                 | Read-only credential reader. Tries broker via native async UDS connection (`node:net`), falls back to encrypted store. All public credential read functions are async.                                                                                                                                                                                                                                                                                                                                        |
+| File                                               | Role                                                                                                                                                                                                                                                                                                                                                          |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `assistant/src/security/credential-backend.ts`     | `CredentialBackend` interface definition (`get`, `set`, `delete`, `list`) plus both adapter implementations: `KeychainBackend` (backed by the broker UDS client) and `EncryptedStoreBackend` (backed by `encrypted-store.ts` / `~/.vellum/protected/keys.enc`). Also exports factory functions `createKeychainBackend()` and `createEncryptedStoreBackend()`. |
+| `assistant/src/security/keychain-broker-client.ts` | Async UDS client for the runtime. Persistent socket connection, request/response correlation, auth token caching with auto-refresh on `UNAUTHORIZED`. Falls back gracefully (returns safe defaults, never throws).                                                                                                                                            |
+| `assistant/src/security/secure-keys.ts`            | Unified API surface. Resolves a single primary `CredentialBackend` at startup based on environment and broker availability. All writes go to the resolved backend only (single-writer). Reads check the primary backend first, with legacy fallback to the encrypted store for migration. Deletes clean up both stores to prevent stale keys.                 |
+| `gateway/src/credential-reader.ts`                 | Read-only credential reader. Tries broker via native async UDS connection (`node:net`), falls back to encrypted store. All public credential read functions are async.                                                                                                                                                                                        |
 
 ## Message Contract
 
@@ -161,39 +188,77 @@ XPC provides stronger caller identity guarantees via audit tokens and code requi
 - **Release builds:** The broker starts automatically with the app. The daemon discovers the broker via the derived socket path (`join(getRootDir(), "keychain-broker.sock")`) and token file. No configuration needed.
 - **CLI-only / headless:** No macOS app means no broker socket. All storage uses the encrypted file store. This is the expected path for CI, servers, and non-macOS platforms.
 
-## Callsite Policy
+## Store-Routing Policy
 
-### Async-first policy
+### Backend resolution
 
-**All credential access should use the async functions** (`getSecureKeyAsync`, `setSecureKeyAsync`, `deleteSecureKeyAsync`). The async variants are the primary API: they check the encrypted store first (instant) and fall back to the keychain broker, ensuring secrets stored in the macOS Keychain are always reachable. The sync variants (`getSecureKey`, `setSecureKey`, `deleteSecureKey`) are **deprecated** and bypass the keychain broker entirely.
+At process startup, `secure-keys.ts` resolves a single primary `CredentialBackend` for the lifetime of the process:
 
-New code must not introduce sync secure-key calls. Existing sync call sites should be converted to async when their surrounding code paths support it.
+| Condition                                             | Resolved backend |
+| ----------------------------------------------------- | ---------------- |
+| `VELLUM_DEV` is NOT `"1"` **and** broker is available | Keychain backend |
+| `VELLUM_DEV=1` **or** broker is unavailable           | Encrypted store  |
 
-### Runtime request handlers (secret-routes, etc.)
+Once resolved, the backend does not change during the process lifetime. There is no runtime switching between backends.
 
-All runtime HTTP handlers that write or delete secrets **must** use the async APIs (`setSecureKeyAsync`, `deleteSecureKeyAsync`). These are the primary entry points for macOS app flows and must go through the broker to reach keychain.
+### Read strategy
 
-### Gateway (credential-reader)
+Reads go to the **primary backend first**. If the primary backend is the keychain backend and the key is not found, a legacy fallback read is attempted against the encrypted store. This fallback handles the migration period where keys written before the single-writer policy may still exist only in the encrypted store. When the primary backend is the encrypted store, there is no fallback -- the encrypted store is the sole source of truth.
+
+### Write strategy
+
+Writes go **only to the resolved primary backend**. There is no dual-writing. This eliminates the consistency problems that dual-writing introduced (partial failures leaving stores out of sync, unclear source of truth).
+
+- Keychain backend resolved: writes go to the keychain via broker only.
+- Encrypted store resolved: writes go to the encrypted file store only.
+
+### Delete strategy
 
-The gateway reads credentials via async `readCredential()` which tries the broker first (native async UDS), falling back to the encrypted store. The gateway never writes credentials — that responsibility belongs to the assistant runtime.
+Deletes **always clean up both stores** regardless of the resolved backend. This ensures that stale keys do not linger in the non-primary store, which could cause unexpected reads through the legacy fallback path.
 
-### Known sync exceptions
+### `VELLUM_DEV` environment variable
 
-The migration from sync to async secure-key functions is complete for all call sites except provider initialization paths that require synchronous access. The following call sites still use the deprecated sync variants.
+Setting `VELLUM_DEV=1` forces the encrypted store as the sole backend, bypassing the keychain broker entirely even when the broker socket is available. This serves two purposes:
 
-#### Provider initialization (must remain sync)
+1. **Development ergonomics.** Developers running the daemon outside the macOS app context (e.g., `bun run` directly) avoid broker connectivity issues and keychain prompt noise.
+2. **Deterministic testing.** Tests and CI environments get predictable encrypted-store-only behavior without depending on macOS Keychain infrastructure.
 
-These call sites run in synchronous initialization contexts where async I/O is not feasible:
+When `VELLUM_DEV` is not set or is set to any value other than `"1"`, backend resolution proceeds normally (broker availability check).
 
-| File                                               | Sync functions used | Reason                                                                                                                                                                                               |
-| -------------------------------------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `assistant/src/providers/managed-proxy/context.ts` | `getSecureKey`      | Provider context initialization is synchronous. The managed proxy context must resolve credentials before the first request can be processed, and the initialization path does not support awaiting. |
-| `assistant/src/providers/registry.ts`              | `getSecureKey`      | Provider registry initialization is synchronous. API keys must be resolved at provider construction time, and the call chain from config watcher through to provider init is fully synchronous.      |
+## Callsite Policy
+
+### Async-only policy
+
+**All credential access uses the async functions** (`getSecureKeyAsync`, `setSecureKeyAsync`, `deleteSecureKeyAsync`). These route through the resolved `CredentialBackend`, with legacy fallback reads to the encrypted store when the keychain backend is primary. The migration from sync to async is complete: the sync variants (`getSecureKey`, `setSecureKey`, `deleteSecureKey`) have been deleted and no longer exist in the codebase.
+
+### Runtime request handlers (secret-routes, etc.)
+
+All runtime HTTP handlers that write or delete secrets use the async APIs (`setSecureKeyAsync`, `deleteSecureKeyAsync`). These are the primary entry points for macOS app flows and route through the resolved backend.
+
+### Gateway (credential-reader)
 
-Any new sync usage requires explicit justification and should be documented here.
+The gateway reads credentials via async `readCredential()` which tries the broker first (native async UDS), falling back to the encrypted store. The gateway never writes credentials -- that responsibility belongs to the assistant runtime.
+
+### Sync function removal
+
+The sync secure-key functions (`getSecureKey`, `setSecureKey`, `deleteSecureKey`) have been deleted. All code uses the async variants (`getSecureKeyAsync`, `setSecureKeyAsync`, `deleteSecureKeyAsync`).
 
 ## Migration
 
-Existing encrypted store keys remain accessible — async reads check the encrypted store **first** (instant), falling back to the broker for keys that may exist only in the macOS Keychain. Successful writes from async code paths go to both the broker (keychain) and the encrypted store, keeping both in sync. If a broker write or delete fails, the operation returns `false` without falling back to the encrypted store alone, preventing stale divergence. Callers must inspect the boolean return value and handle failures (typically by logging a warning). There is no one-time migration step required.
+Existing encrypted store keys remain accessible through the legacy read fallback. When the keychain backend is the resolved primary, reads that miss in the keychain fall back to the encrypted store, so keys written before the single-writer policy are still reachable without a one-time migration step.
+
+Over time, as keys are re-written through normal credential update flows, they will be written only to the resolved primary backend. The legacy fallback read path will eventually become a no-op as all keys migrate naturally to the keychain.
+
+Deletes always clean up both stores, so stale keys in the non-primary store are removed as part of normal credential lifecycle operations.
 
 The old `keychain.ts` module (which called `/usr/bin/security` CLI directly) has been deleted. The old keychain-to-encrypted migration code has been removed. All keychain access now flows exclusively through the broker.
+
+## Extensibility
+
+The `CredentialBackend` interface is the extension point for adding new storage backends. To add a new backend (e.g., Linux secret service via libsecret/D-Bus, 1Password CLI, cloud KMS):
+
+1. Implement the `CredentialBackend` interface in a new module.
+2. Wire the new backend into the resolution logic in `secure-keys.ts`.
+3. The rest of the codebase is unaffected -- all callers go through the existing async API surface.
+
+No changes to callsites, the gateway, or the broker protocol are needed when adding a backend.

package/docs/architecture/security.md

@@ -233,7 +233,7 @@ sequenceDiagram
         UI->>HTTP: secret_response {requestId, value, delivery: "store"}
         HTTP->>Prompter: resolve(value, "store")
         Prompter->>Vault: {value, delivery: "store"}
-        Vault->>Keychain: setSecureKey("credential/svc/field", value)
+        Vault->>Keychain: setSecureKeyAsync("credential/svc/field", value)
         Vault->>Model: "Credential stored securely" (no value in output)
     else One-Time Send (if enabled)
         UI->>HTTP: secret_response {requestId, value, delivery: "transient_send"}
@@ -272,7 +272,7 @@ graph TB
     TOOL["Tool (e.g. browser_fill_credential)"] --> BROKER["CredentialBroker.use(service, field, tool, domain)"]
     BROKER --> POLICY{"Check policy:<br/>allowedTools + allowedDomains"}
     POLICY -->|denied| REJECT["PolicyDenied error"]
-    POLICY -->|allowed| FETCH["getSecureKey(credential/svc/field)"]
+    POLICY -->|allowed| FETCH["getSecureKeyAsync(credential/svc/field)"]
     FETCH --> INJECT["Inject value into tool execution<br/>(never returned to model)"]
 ```
 

package/knip.json

@@ -1,32 +1,10 @@
 {
-  "entry": ["src/**/*.test.ts", "src/**/__tests__/**/*.ts", "scripts/**/*.ts"],
-  "project": ["src/**/*.ts", "src/**/*.tsx", "scripts/**/*.ts"],
-  "ignore": [
-    "src/browser-extension-relay/client.ts",
-    "src/contacts/index.ts",
-    "src/daemon/main.ts",
-    "src/daemon/tls-certs.ts",
-    "src/errors.ts",
-    "src/events/index.ts",
-    "src/followups/index.ts",
-    "src/playbooks/index.ts",
-    "src/runtime/auth/index.ts",
-    "src/tasks/candidate-store.ts",
-    "src/tools/browser/api-map.ts",
-    "src/tools/browser/auto-navigate.ts",
-    "src/tools/browser/headless-browser.ts",
-    "src/tools/browser/recording-store.ts",
-    "src/tools/tasks/index.ts"
+  "entry": [
+    "src/**/*.test.ts",
+    "src/**/__tests__/**/*.ts",
+    "scripts/**/*.ts",
+    "src/daemon/main.ts"
   ],
-  "ignoreDependencies": [
-    "@hono/node-server",
-    "@vellumai/cli",
-    "esbuild",
-    "hono",
-    "ink",
-    "preact",
-    "quicktype-core",
-    "tree-sitter-bash",
-    "typescript-json-schema"
-  ]
+  "project": ["src/**/*.ts", "src/**/*.tsx", "scripts/**/*.ts"],
+  "ignoreDependencies": ["@vellumai/cli"]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.53",
+  "version": "0.4.55",
   "type": "module",
   "exports": {
     ".": "./src/index.ts"
@@ -29,7 +29,6 @@
     "@anthropic-ai/claude-agent-sdk": "^0.2.42",
     "@anthropic-ai/sdk": "^0.78.0",
     "@google/genai": "^1.40.0",
-    "@hono/node-server": "^1.19.11",
     "@modelcontextprotocol/sdk": "^1.15.1",
     "@qdrant/js-client-rest": "^1.16.2",
     "@sentry/node": "^10.38.0",
@@ -39,9 +38,6 @@
     "croner": "^10.0.1",
     "dotenv": "^17.3.1",
     "drizzle-orm": "^0.38.4",
-    "esbuild": "^0.24.0",
-    "hono": "^4.12.5",
-    "ink": "^6.7.0",
     "jszip": "^3.10.1",
     "minimatch": "^10.2.4",
     "openai": "^6.18.0",
@@ -49,7 +45,6 @@
     "pino-pretty": "^13.1.3",
     "playwright": "^1.58.2",
     "postgres": "^3.4.8",
-    "preact": "^10.25.0",
     "qrcode": "^1.5.4",
     "react": "^19.2.4",
     "rrule": "^2.8.1",
@@ -76,9 +71,7 @@
     "fast-check": "^4.5.3",
     "knip": "^5.83.1",
     "prettier": "^3.8.1",
-    "quicktype-core": "^23.2.6",
     "typescript": "^5.7.3",
-    "typescript-eslint": "^8.54.0",
-    "typescript-json-schema": "^0.67.1"
+    "typescript-eslint": "^8.54.0"
   }
 }

package/src/__tests__/agent-loop.test.ts

@@ -1206,7 +1206,7 @@ describe("AgentLoop", () => {
   // Dynamic tool resolver (resolveTools) tests
   // ---------------------------------------------------------------------------
 
-  // 25. Without resolveTools, static tools are used (backward compatible)
+  // 25. Without resolveTools, static tools are used
   test("without resolveTools, static tools are passed to provider", async () => {
     const { provider, calls } = createMockProvider([textResponse("Hi")]);
     const loop = new AgentLoop(provider, "system", {}, dummyTools);

package/src/__tests__/app-git-history.test.ts

@@ -3,7 +3,6 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
-import { _resetAppGitState } from "../memory/app-git-service.js";
 import { _resetGitServiceRegistry } from "../workspace/git-service.js";
 
 // Mock getDataDir to use a temp directory
@@ -35,7 +34,6 @@ describe("App Git History", () => {
     );
     mkdirSync(join(testDataDir, "apps"), { recursive: true });
     _resetGitServiceRegistry();
-    _resetAppGitState();
   });
 
   afterEach(() => {

package/src/__tests__/app-git-service.test.ts

@@ -4,10 +4,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
-import {
-  _resetAppGitState,
-  commitAppTurnChanges,
-} from "../memory/app-git-service.js";
+import { commitAppTurnChanges } from "../memory/app-git-service.js";
 import { _resetGitServiceRegistry } from "../workspace/git-service.js";
 
 // Mock getDataDir to use a temp directory
@@ -36,7 +33,6 @@ describe("App Git Service", () => {
     );
     mkdirSync(join(testDataDir, "apps"), { recursive: true });
     _resetGitServiceRegistry();
-    _resetAppGitState();
   });
 
   afterEach(() => {
@@ -128,7 +124,6 @@ describe("App Git Service", () => {
   });
 
   test("commitAppTurnChanges swallows errors gracefully", async () => {
-    _resetAppGitState();
     // This should not throw
     await commitAppTurnChanges("test", 1);
   });

package/src/__tests__/approval-cascade.test.ts

@@ -54,7 +54,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/avatar-e2e.test.ts

@@ -34,7 +34,6 @@ mock.module("../config/loader.js", () => ({
 mock.module("../security/secure-keys.js", () => ({
   getSecureKeyAsync: async (name: string) =>
     name === "gemini" ? mockGeminiKey : null,
-  getSecureKey: () => null,
 }));
 
 mock.module("../util/platform.js", () => ({

package/src/__tests__/browser-fill-credential.test.ts

@@ -58,16 +58,11 @@ let mockGetSecureKey: ReturnType<typeof mock>;
 let mockGetCredentialMetadata: ReturnType<typeof mock>;
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (...args: unknown[]) => mockGetSecureKey(...args),
   getSecureKeyAsync: async (...args: unknown[]) => mockGetSecureKey(...args),
-  setSecureKey: () => true,
   setSecureKeyAsync: async () => true,
-  deleteSecureKey: () => "deleted",
   deleteSecureKeyAsync: async () => "deleted",
-  listSecureKeys: () => [],
-  getBackendType: () => "encrypted",
+  listSecureKeysAsync: async () => [],
   _resetBackend: () => {},
-  _setBackend: () => {},
 }));
 
 mock.module("../tools/credentials/metadata-store.js", () => ({

package/src/__tests__/call-domain.test.ts

@@ -114,7 +114,6 @@ mock.module("../calls/twilio-provider.js", () => ({
 }));
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: () => null,
   getSecureKeyAsync: async () => null,
 }));
 

package/src/__tests__/call-routes-http.test.ts

@@ -103,7 +103,6 @@ mock.module("../calls/twilio-config.js", () => ({
 
 // Mock secure keys
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: () => null,
   getSecureKeyAsync: async () => null,
 }));
 

package/src/__tests__/channel-guardian.test.ts

@@ -1441,7 +1441,7 @@ describe("HTTP handler channel-aware guardian status", () => {
     expect(resp!.guardianDisplayName).toBe("Guardian Name");
   });
 
-  test("status action defaults channel to telegram when omitted (backward compat)", async () => {
+  test("status action defaults channel to telegram when omitted", async () => {
     const { ctx, lastResponse } = createMockCtx();
     const msg: ChannelVerificationSessionRequest = {
       type: "channel_verification_session",
@@ -1457,7 +1457,7 @@ describe("HTTP handler channel-aware guardian status", () => {
     expect(resp!.assistantId).toBe("self");
   });
 
-  test("status action defaults assistantId to self when omitted (backward compat)", async () => {
+  test("status action defaults assistantId to self when omitted", async () => {
     const { ctx, lastResponse } = createMockCtx();
     const msg: ChannelVerificationSessionRequest = {
       type: "channel_verification_session",
@@ -2282,9 +2282,9 @@ describe("outbound verification sessions", () => {
     expect(result2.success).toBe(false);
   });
 
-  // ── Backward compat: existing inbound-only flow still works ──
+  // ── Inbound-only verification flow ──
 
-  test("backward compat: inbound-only challenge without expected identity still works", () => {
+  test("inbound-only challenge without expected identity still works", () => {
     const { secret } = createInboundVerificationSession("telegram");
 
     const result = validateAndConsumeVerification(

package/src/__tests__/channel-readiness-routes.test.ts

@@ -48,7 +48,6 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (key: string) => mockSecureKeys[key] ?? null,
   getSecureKeyAsync: async (key: string) => mockSecureKeys[key] ?? null,
 }));
 

package/src/__tests__/channel-readiness-service.test.ts

@@ -48,7 +48,6 @@ mock.module("../email/service.js", () => ({
 }));
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (key: string) => mockSecureKeys[key] ?? null,
   getSecureKeyAsync: async (key: string) => mockSecureKeys[key] ?? null,
 }));
 

package/src/__tests__/checker.test.ts

@@ -134,8 +134,10 @@ registerTool(mockBundledSkillTool);
 
 // Register CU tools so classifyRisk returns their declared Low risk level
 // instead of falling through to Medium (unknown tool).
-import { registerComputerUseActionTools } from "../tools/computer-use/registry.js";
-registerComputerUseActionTools();
+import { allComputerUseTools } from "../tools/computer-use/definitions.js";
+for (const tool of allComputerUseTools) {
+  registerTool(tool);
+}
 
 function writeSkill(
   skillId: string,
@@ -1945,7 +1947,7 @@ describe("Permission Checker", () => {
       ).toHaveLength(0);
     });
 
-    test("returns directory options when toolName is omitted (backward compat)", () => {
+    test("returns directory options when toolName is omitted", () => {
       const options = generateScopeOptions("/home/user/project");
       expect(options).toHaveLength(3);
       expect(options[0].scope).toBe("/home/user/project");
@@ -2119,11 +2121,11 @@ describe("Permission Checker", () => {
     });
   });
 
-  // ── backward compat: addRule basics (PR 2/40) ──
+  // ── addRule basics ──
   // These tests verify that addRule() creates standard rules that
   // match by tool name, pattern glob, and scope prefix.
 
-  describe("backward compat: addRule basics (PR 2/40)", () => {
+  describe("addRule basics", () => {
     test("rule matches by tool/pattern/scope", async () => {
       addRule("skill_test_tool", "skill_test_tool:*", "/tmp", "allow", 2000);
       const result = await check("skill_test_tool", {}, "/tmp");
@@ -2172,7 +2174,7 @@ describe("Permission Checker", () => {
       expect(v2Result.matchedRule?.id).toBe(v1Result.matchedRule?.id);
     });
 
-    test("findHighestPriorityRule works without policy context (backward compat)", () => {
+    test("findHighestPriorityRule works without policy context", () => {
       // Calling findHighestPriorityRule without the optional 4th ctx
       // parameter still works — wildcard rules match any caller.
       addRule("skill_test_tool", "skill_test_tool:*", "/tmp", "allow", 2000);
@@ -2197,14 +2199,14 @@ describe("Permission Checker", () => {
     });
   });
 
-  // ── checker policy context backward compat (PR 17) ─────────────
+  // ── optional policyContext parameter ─────────────
 
-  describe("checker policy context backward compat (PR 17)", () => {
-    test("check() without policyContext still works (backward compatible)", async () => {
-      addRule("bash", "echo backward-compat", "/tmp", "allow", 2000);
+  describe("optional policyContext parameter", () => {
+    test("check() without policyContext still works", async () => {
+      addRule("bash", "echo test-optional-ctx", "/tmp", "allow", 2000);
       const result = await check(
         "bash",
-        { command: "echo backward-compat" },
+        { command: "echo test-optional-ctx" },
         "/tmp",
       );
       expect(result.decision).toBe("allow");

package/src/__tests__/claude-code-skill-regression.test.ts

@@ -35,7 +35,6 @@ mock.module("../config/loader.js", () => ({
 mock.module("../security/secure-keys.js", () => ({
   getSecureKeyAsync: async (name: string) =>
     name === "anthropic" ? "fake-anthropic-key" : null,
-  getSecureKey: () => null,
 }));
 
 // ---------------------------------------------------------------------------

package/src/__tests__/claude-code-tool-profiles.test.ts

@@ -40,7 +40,6 @@ mock.module("../config/loader.js", () => ({
 mock.module("../security/secure-keys.js", () => ({
   getSecureKeyAsync: async (name: string) =>
     name === "anthropic" ? "fake-anthropic-key" : null,
-  getSecureKey: () => null,
 }));
 
 import { claudeCodeTool } from "../tools/claude-code/claude-code.js";
@@ -88,7 +87,7 @@ describe("claude_code tool profile support", () => {
     }
   });
 
-  test("omitted profile defaults to general (backward compat)", async () => {
+  test("omitted profile defaults to general", async () => {
     const result = await claudeCodeTool.execute(
       { prompt: "test" },
       makeContext(),

package/src/__tests__/config-loader-backfill.test.ts

@@ -88,7 +88,6 @@ import {
   loadConfig,
 } from "../config/loader.js";
 import { _setStorePath } from "../security/encrypted-store.js";
-import { _setBackend } from "../security/secure-keys.js";
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -183,13 +182,11 @@ describe("config loader backfill", () => {
     }
     ensureTestDir();
     _setStorePath(join(TEST_DIR, "keys.enc"));
-    _setBackend("encrypted");
     invalidateConfigCache();
   });
 
   afterEach(() => {
     _setStorePath(null);
-    _setBackend(undefined);
     invalidateConfigCache();
   });