@vellumai/assistant 0.5.10 → 0.5.12

package/src/config/feature-flag-registry.json

@@ -4,7 +4,7 @@
     {
       "id": "browser",
       "scope": "assistant",
-      "key": "feature_flags.browser.enabled",
+      "key": "browser",
       "label": "Browser",
       "description": "Enable browser skill prerequisites section in the system prompt",
       "defaultEnabled": true
@@ -12,7 +12,7 @@
     {
       "id": "user-hosted-enabled",
       "scope": "macos",
-      "key": "user_hosted_enabled",
+      "key": "user-hosted-enabled",
       "label": "User Hosted Enabled",
       "description": "Enable user-hosted onboarding flow",
       "defaultEnabled": false
@@ -20,7 +20,7 @@
     {
       "id": "platform-hosted-enabled",
       "scope": "macos",
-      "key": "platform_hosted_enabled",
+      "key": "platform-hosted-enabled",
       "label": "Platform Hosted Assistants",
       "description": "Enable the Vellum Cloud hosting option on the Hosting screen",
       "defaultEnabled": false
@@ -28,7 +28,7 @@
     {
       "id": "contacts",
       "scope": "assistant",
-      "key": "feature_flags.contacts.enabled",
+      "key": "contacts",
       "label": "Contacts",
       "description": "Show the Contacts tab in Settings for viewing and managing contacts",
       "defaultEnabled": true
@@ -36,7 +36,7 @@
     {
       "id": "email-channel",
       "scope": "assistant",
-      "key": "feature_flags.email-channel.enabled",
+      "key": "email-channel",
       "label": "Email Channel",
       "description": "Enable the entire email integration: email CLI commands, email channel, sequences, email readiness probes, invite adapters, and the email-setup skill",
       "defaultEnabled": false
@@ -44,7 +44,7 @@
     {
       "id": "app-builder-multifile",
       "scope": "assistant",
-      "key": "feature_flags.app-builder-multifile.enabled",
+      "key": "app-builder-multifile",
       "label": "App Builder Multi-file",
       "description": "Enable multi-file TSX app creation with esbuild compilation instead of single-HTML apps",
       "defaultEnabled": false
@@ -52,7 +52,7 @@
     {
       "id": "mobile-pairing",
       "scope": "macos",
-      "key": "mobile_pairing_enabled",
+      "key": "mobile-pairing",
       "label": "Mobile Pairing",
       "description": "Show the Mobile (iOS) pairing card in Settings > Account",
       "defaultEnabled": false
@@ -60,7 +60,7 @@
     {
       "id": "settings-developer-nav",
       "scope": "assistant",
-      "key": "feature_flags.settings-developer-nav.enabled",
+      "key": "settings-developer-nav",
       "label": "Settings Developer Nav",
       "description": "Control Developer nav visibility in macOS settings",
       "defaultEnabled": true
@@ -68,7 +68,7 @@
     {
       "id": "developer-menu-items",
       "scope": "macos",
-      "key": "developer_menu_items_enabled",
+      "key": "developer-menu-items",
       "label": "Developer Menu Items",
       "description": "Show Component Gallery and Replay Onboarding in the menu bar",
       "defaultEnabled": false
@@ -76,7 +76,7 @@
     {
       "id": "ces-tools",
       "scope": "assistant",
-      "key": "feature_flags.ces-tools.enabled",
+      "key": "ces-tools",
       "label": "CES Tool Exposure",
       "description": "Register Credential Execution Service tools (credential-grant, credential-revoke, credential-list) in the agent loop",
       "defaultEnabled": false
@@ -84,7 +84,7 @@
     {
       "id": "ces-shell-lockdown",
       "scope": "assistant",
-      "key": "feature_flags.ces-shell-lockdown.enabled",
+      "key": "ces-shell-lockdown",
       "label": "CES Shell Lockdown",
       "description": "Enforce untrusted-agent shell lockdown when CES credentials are active, restricting direct shell access to credentialed services",
       "defaultEnabled": false
@@ -92,7 +92,7 @@
     {
       "id": "ces-secure-install",
       "scope": "assistant",
-      "key": "feature_flags.ces-secure-install.enabled",
+      "key": "ces-secure-install",
       "label": "CES Secure Command Installation",
       "description": "Enable secure tool/command installation via CES instead of direct shell execution for untrusted agents",
       "defaultEnabled": false
@@ -100,7 +100,7 @@
     {
       "id": "ces-grant-audit",
       "scope": "assistant",
-      "key": "feature_flags.ces-grant-audit.enabled",
+      "key": "ces-grant-audit",
       "label": "CES Grant & Audit Inspection",
       "description": "Surface credential grant and audit inspection endpoints for reviewing active grants and access logs",
       "defaultEnabled": false
@@ -108,7 +108,7 @@
     {
       "id": "ces-managed-sidecar",
       "scope": "assistant",
-      "key": "feature_flags.ces-managed-sidecar.enabled",
+      "key": "ces-managed-sidecar",
       "label": "CES Managed Sidecar Transport",
       "description": "Use managed sidecar transport for CES communication when running in a containerized environment",
       "defaultEnabled": true
@@ -116,7 +116,7 @@
     {
       "id": "ces-credential-backend",
       "scope": "assistant",
-      "key": "feature_flags.ces-credential-backend.enabled",
+      "key": "ces-credential-backend",
       "label": "CES Credential Backend",
       "description": "Route credential reads and writes through the CES process instead of accessing the encrypted store directly",
       "defaultEnabled": true
@@ -124,7 +124,7 @@
     {
       "id": "settings-billing",
       "scope": "macos",
-      "key": "settings_billing_enabled",
+      "key": "settings-billing",
       "label": "Billing Settings Tab",
       "description": "Show the Billing tab in Settings when signed in, displaying credits balance and top-up",
       "defaultEnabled": true
@@ -132,7 +132,7 @@
     {
       "id": "managed-sign-in",
       "scope": "macos",
-      "key": "managed_sign_in_enabled",
+      "key": "managed-sign-in",
       "label": "Managed Sign In",
       "description": "Enable managed (organization-hosted) sign-in flow in the onboarding experience",
       "defaultEnabled": true
@@ -140,7 +140,7 @@
     {
       "id": "integration-twitter",
       "scope": "assistant",
-      "key": "feature_flags.integration-twitter.enabled",
+      "key": "integration-twitter",
       "label": "Twitter / X Integration",
       "description": "Enable the Twitter / X OAuth setup skill for connecting to the Twitter API",
       "defaultEnabled": false
@@ -148,7 +148,7 @@
     {
       "id": "integration-github",
       "scope": "assistant",
-      "key": "feature_flags.integration-github.enabled",
+      "key": "integration-github",
       "label": "GitHub Integration",
       "description": "Enable the GitHub OAuth setup skill for connecting to GitHub",
       "defaultEnabled": false
@@ -156,7 +156,7 @@
     {
       "id": "integration-linear",
       "scope": "assistant",
-      "key": "feature_flags.integration-linear.enabled",
+      "key": "integration-linear",
       "label": "Linear Integration",
       "description": "Enable the Linear OAuth setup skill for connecting to Linear",
       "defaultEnabled": false
@@ -164,7 +164,7 @@
     {
       "id": "integration-spotify",
       "scope": "assistant",
-      "key": "feature_flags.integration-spotify.enabled",
+      "key": "integration-spotify",
       "label": "Spotify Integration",
       "description": "Enable the Spotify OAuth setup skill for connecting to the Spotify API",
       "defaultEnabled": false
@@ -172,7 +172,7 @@
     {
       "id": "integration-todoist",
       "scope": "assistant",
-      "key": "feature_flags.integration-todoist.enabled",
+      "key": "integration-todoist",
       "label": "Todoist Integration",
       "description": "Enable the Todoist OAuth setup skill for connecting to Todoist",
       "defaultEnabled": false
@@ -180,7 +180,7 @@
     {
       "id": "integration-discord",
       "scope": "assistant",
-      "key": "feature_flags.integration-discord.enabled",
+      "key": "integration-discord",
       "label": "Discord Integration",
       "description": "Enable the Discord OAuth setup skill for connecting to Discord",
       "defaultEnabled": false
@@ -188,7 +188,7 @@
     {
       "id": "integration-dropbox",
       "scope": "assistant",
-      "key": "feature_flags.integration-dropbox.enabled",
+      "key": "integration-dropbox",
       "label": "Dropbox Integration",
       "description": "Enable the Dropbox OAuth setup skill for connecting to Dropbox",
       "defaultEnabled": false
@@ -196,7 +196,7 @@
     {
       "id": "integration-asana",
       "scope": "assistant",
-      "key": "feature_flags.integration-asana.enabled",
+      "key": "integration-asana",
       "label": "Asana Integration",
       "description": "Enable the Asana OAuth setup skill for connecting to Asana",
       "defaultEnabled": false
@@ -204,7 +204,7 @@
     {
       "id": "integration-airtable",
       "scope": "assistant",
-      "key": "feature_flags.integration-airtable.enabled",
+      "key": "integration-airtable",
       "label": "Airtable Integration",
       "description": "Enable the Airtable OAuth setup skill for connecting to Airtable",
       "defaultEnabled": false
@@ -212,7 +212,7 @@
     {
       "id": "integration-hubspot",
       "scope": "assistant",
-      "key": "feature_flags.integration-hubspot.enabled",
+      "key": "integration-hubspot",
       "label": "HubSpot Integration",
       "description": "Enable the HubSpot OAuth setup skill for connecting to HubSpot CRM",
       "defaultEnabled": false
@@ -220,7 +220,7 @@
     {
       "id": "integration-figma",
       "scope": "assistant",
-      "key": "feature_flags.integration-figma.enabled",
+      "key": "integration-figma",
       "label": "Figma Integration",
       "description": "Enable the Figma OAuth setup skill for connecting to Figma",
       "defaultEnabled": false
@@ -228,7 +228,7 @@
     {
       "id": "integration-notion",
       "scope": "assistant",
-      "key": "feature_flags.integration-notion.enabled",
+      "key": "integration-notion",
       "label": "Notion Integration",
       "description": "Enable the Notion setup skill for connecting to Notion",
       "defaultEnabled": false
@@ -236,7 +236,7 @@
     {
       "id": "conversation-starters",
       "scope": "assistant",
-      "key": "feature_flags.conversation-starters.enabled",
+      "key": "conversation-starters",
       "label": "Recommended Starts",
       "description": "Show a curated row of recommended starting actions on the empty conversation page, ordered by relevance as confident first-click options",
       "defaultEnabled": true
@@ -244,7 +244,7 @@
     {
       "id": "deploy-to-vercel",
       "scope": "assistant",
-      "key": "feature_flags.deploy-to-vercel.enabled",
+      "key": "deploy-to-vercel",
       "label": "Deploy to Vercel",
       "description": "Enable the Deploy to Vercel / Publish option in the app workspace header share menu",
       "defaultEnabled": false
@@ -252,15 +252,15 @@
     {
       "id": "managed-google-oauth",
       "scope": "assistant",
-      "key": "feature_flags.managed-google-oauth.enabled",
+      "key": "managed-google-oauth",
       "label": "Managed Google OAuth",
       "description": "Show the Google OAuth service card in Models & Services settings",
-      "defaultEnabled": false
+      "defaultEnabled": true
     },
     {
       "id": "settings-embedding-provider",
       "scope": "assistant",
-      "key": "feature_flags.settings-embedding-provider.enabled",
+      "key": "settings-embedding-provider",
       "label": "Embedding Provider Settings",
       "description": "Show the Embedding service card in Models & Services settings",
       "defaultEnabled": false
@@ -268,7 +268,7 @@
     {
       "id": "settings-schedules",
       "scope": "assistant",
-      "key": "feature_flags.settings-schedules.enabled",
+      "key": "settings-schedules",
       "label": "Schedules Settings Tab",
       "description": "Show the Schedules tab in Settings for viewing and managing schedules",
       "defaultEnabled": false
@@ -276,7 +276,7 @@
     {
       "id": "quick-input",
       "scope": "macos",
-      "key": "quick_input_enabled",
+      "key": "quick-input",
       "label": "Quick Input",
       "description": "Enable the Quick Input popover on right-click of the menu bar icon",
       "defaultEnabled": false
@@ -284,7 +284,7 @@
     {
       "id": "expand-completed-steps",
       "scope": "macos",
-      "key": "expand_completed_steps",
+      "key": "expand-completed-steps",
       "label": "Expand Completed Steps",
       "description": "Auto-expand completed tool call step groups instead of showing them collapsed",
       "defaultEnabled": false
@@ -292,7 +292,7 @@
     {
       "id": "inline-skill-commands",
       "scope": "assistant",
-      "key": "feature_flags.inline-skill-commands.enabled",
+      "key": "inline-skill-commands",
       "label": "Inline Skill Command Expansion",
       "description": "Enable secure inline skill command expansion via !`command` syntax, with version-pinned approval and sandboxed execution at skill load time",
       "defaultEnabled": true
@@ -300,7 +300,7 @@
     {
       "id": "channel-voice-transcription",
       "scope": "assistant",
-      "key": "feature_flags.channel-voice-transcription.enabled",
+      "key": "channel-voice-transcription",
       "label": "Channel Voice Transcription",
       "description": "Auto-transcribe voice/audio messages received from channels (Telegram, WhatsApp) before processing",
       "defaultEnabled": true
@@ -308,7 +308,7 @@
     {
       "id": "sounds",
       "scope": "assistant",
-      "key": "feature_flags.sounds.enabled",
+      "key": "sounds",
       "label": "Sounds",
       "description": "Enable the Sounds tab in Settings and all app sound playback (event sounds, random ambient sounds)",
       "defaultEnabled": true
@@ -316,7 +316,7 @@
     {
       "id": "message-tts",
       "scope": "assistant",
-      "key": "feature_flags.message-tts.enabled",
+      "key": "message-tts",
       "label": "Message Text-to-Speech",
       "description": "Show a speaker button on assistant messages to generate and play the message as audio via Fish Audio TTS",
       "defaultEnabled": false
@@ -324,10 +324,26 @@
     {
       "id": "backward-releases",
       "scope": "assistant",
-      "key": "feature_flags.backward-releases.enabled",
+      "key": "backward-releases",
       "label": "Backward Releases",
       "description": "Show older versions in the version picker, allowing rollback to previous releases",
       "defaultEnabled": true
+    },
+    {
+      "id": "show-background-conversations",
+      "scope": "assistant",
+      "key": "show-background-conversations",
+      "label": "Show Background Conversations",
+      "description": "Include background conversations (heartbeat, tasks) in the sidebar conversation list",
+      "defaultEnabled": false
+    },
+    {
+      "id": "voice-mode",
+      "scope": "assistant",
+      "key": "voice-mode",
+      "label": "Voice Mode",
+      "description": "Show the live voice conversation button in the composer",
+      "defaultEnabled": false
     }
   ]
 }

package/src/config/loader.ts

@@ -120,6 +120,10 @@ const DEPRECATED_FIELDS: Record<string, string> = {
     "rateLimit.maxTokensPerSession has been removed and is no longer enforced. " +
     "Per-session token budget tracking is no longer supported. " +
     "The field will be removed from your config file.",
+  providerOrder:
+    "providerOrder has been removed from the config schema. " +
+    "Provider selection is now handled automatically. " +
+    "The field will be removed from your config file.",
 };
 
 /**

package/src/config/schemas/platform.ts

@@ -39,14 +39,6 @@ export const DaemonConfigSchema = z
       .positive("daemon.sigkillGracePeriodMs must be a positive integer")
       .default(2000)
       .describe("Grace period after SIGTERM before sending SIGKILL (ms)"),
-    titleGenerationMaxTokens: z
-      .number({ error: "daemon.titleGenerationMaxTokens must be a number" })
-      .int("daemon.titleGenerationMaxTokens must be an integer")
-      .positive("daemon.titleGenerationMaxTokens must be a positive integer")
-      .default(50)
-      .describe(
-        "Maximum number of tokens for auto-generated conversation titles",
-      ),
     standaloneRecording: z
       .boolean({ error: "daemon.standaloneRecording must be a boolean" })
       .default(true)

package/src/config/schemas/security.ts

@@ -44,6 +44,12 @@ export const SecretDetectionConfigSchema = z
       .describe(
         "Shannon entropy threshold for detecting high-entropy strings as potential secrets",
       ),
+    blockIngress: z
+      .boolean({ error: "secretDetection.blockIngress must be a boolean" })
+      .default(true)
+      .describe(
+        "Whether to block user messages containing detected secrets at ingress",
+      ),
     allowOneTimeSend: z
       .boolean({ error: "secretDetection.allowOneTimeSend must be a boolean" })
       .default(false)
@@ -74,7 +80,9 @@ export const PermissionsConfigSchema = z
         "Permission mode — 'strict' requires explicit approval for all operations, 'workspace' allows operations within the workspace",
       ),
     dangerouslySkipPermissions: z
-      .boolean({ error: "permissions.dangerouslySkipPermissions must be a boolean" })
+      .boolean({
+        error: "permissions.dangerouslySkipPermissions must be a boolean",
+      })
       .default(false)
       .describe("Auto-accept all permission prompts without asking"),
   })

package/src/config/schemas/services.ts

@@ -47,7 +47,7 @@ export const WebSearchServiceSchema = BaseServiceSchema.extend({
 export type WebSearchService = z.infer<typeof WebSearchServiceSchema>;
 
 export const GoogleOAuthServiceSchema = BaseServiceSchema.extend({
-  mode: ServiceModeSchema.default("managed"),
+  mode: ServiceModeSchema.default("your-own"),
 });
 export type GoogleOAuthService = z.infer<typeof GoogleOAuthServiceSchema>;
 

package/src/config/skill-state.ts

@@ -17,9 +17,7 @@ export interface ResolvedSkill {
 export function skillFlagKey(
   skill: Pick<SkillSummary, "featureFlag">,
 ): string | undefined {
-  return skill.featureFlag
-    ? `feature_flags.${skill.featureFlag}.enabled`
-    : undefined;
+  return skill.featureFlag || undefined;
 }
 
 export function resolveSkillStates(

package/src/config/skills.ts

@@ -928,13 +928,11 @@ function applyFeatureGatedSections(body: string): string {
   let result = body;
 
   result = result.replace(mainRe, (_match, flagId: string, content: string) => {
-    const key = `feature_flags.${flagId}.enabled`;
-    return isAssistantFeatureFlagEnabled(key, config) ? content : "";
+    return isAssistantFeatureFlagEnabled(flagId, config) ? content : "";
   });
 
   result = result.replace(altRe, (_match, flagId: string, content: string) => {
-    const key = `feature_flags.${flagId}.enabled`;
-    return isAssistantFeatureFlagEnabled(key, config) ? "" : content;
+    return isAssistantFeatureFlagEnabled(flagId, config) ? "" : content;
   });
 
   return result;

package/src/credential-execution/client.ts

@@ -348,7 +348,7 @@ export function createCesClient(
     },
 
     isReady(): boolean {
-      return ready;
+      return ready && transport.isAlive();
     },
 
     close(): void {

package/src/credential-execution/feature-gates.ts

@@ -5,8 +5,8 @@
  * All checks delegate to the unified feature-flag resolver so that
  * config overrides and registry defaults are respected uniformly.
  *
- * Flag keys follow the canonical `feature_flags.<id>.enabled` format
- * and are declared in `meta/feature-flags/feature-flag-registry.json`.
+ * Flag keys use simple kebab-case format (e.g., "ces-tools") and are
+ * declared in `meta/feature-flags/feature-flag-registry.json`.
  */
 
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
@@ -17,27 +17,23 @@ import type { AssistantConfig } from "../config/schema.js";
 // ---------------------------------------------------------------------------
 
 /** Gate for CES tool registration (credential-grant, credential-revoke, credential-list). */
-export const CES_TOOLS_FLAG_KEY = "feature_flags.ces-tools.enabled" as const;
+export const CES_TOOLS_FLAG_KEY = "ces-tools" as const;
 
 /** Gate for untrusted-agent shell lockdown when CES credentials are active. */
-export const CES_SHELL_LOCKDOWN_FLAG_KEY =
-  "feature_flags.ces-shell-lockdown.enabled" as const;
+export const CES_SHELL_LOCKDOWN_FLAG_KEY = "ces-shell-lockdown" as const;
 
 /** Gate for secure tool/command installation via CES. */
-export const CES_SECURE_INSTALL_FLAG_KEY =
-  "feature_flags.ces-secure-install.enabled" as const;
+export const CES_SECURE_INSTALL_FLAG_KEY = "ces-secure-install" as const;
 
 /** Gate for credential grant and audit inspection surfaces. */
-export const CES_GRANT_AUDIT_FLAG_KEY =
-  "feature_flags.ces-grant-audit.enabled" as const;
+export const CES_GRANT_AUDIT_FLAG_KEY = "ces-grant-audit" as const;
 
 /** Gate for managed sidecar transport in containerized environments. */
-export const CES_MANAGED_SIDECAR_FLAG_KEY =
-  "feature_flags.ces-managed-sidecar.enabled" as const;
+export const CES_MANAGED_SIDECAR_FLAG_KEY = "ces-managed-sidecar" as const;
 
 /** Gate for routing credential reads/writes through the CES process. */
 export const CES_CREDENTIAL_BACKEND_FLAG_KEY =
-  "feature_flags.ces-credential-backend.enabled" as const;
+  "ces-credential-backend" as const;
 
 // ---------------------------------------------------------------------------
 // Public API — predicate functions
@@ -84,8 +80,5 @@ export function isCesManagedSidecarEnabled(config: AssistantConfig): boolean {
 export function isCesCredentialBackendEnabled(
   config: AssistantConfig,
 ): boolean {
-  return isAssistantFeatureFlagEnabled(
-    CES_CREDENTIAL_BACKEND_FLAG_KEY,
-    config,
-  );
+  return isAssistantFeatureFlagEnabled(CES_CREDENTIAL_BACKEND_FLAG_KEY, config);
 }

package/src/credential-execution/process-manager.ts

@@ -140,6 +140,18 @@ export function createCesProcessManager(
 
       if (managedAllowed) {
         discoveryResult = await discoverCes();
+        if (discoveryResult.mode === "unavailable") {
+          // The managed sidecar bootstrap socket is not present — this happens
+          // when the flag is enabled by default but the instance pre-dates the
+          // socket volume mount (e.g. existing Docker configs without the
+          // ces-bootstrap volume). Warn and fall back to local discovery so
+          // these deployments don't fail on upgrade.
+          log.warn(
+            { reason: discoveryResult.reason },
+            "CES managed sidecar bootstrap socket unavailable — falling back to local CES discovery",
+          );
+          discoveryResult = discoverLocalCes();
+        }
       } else {
         log.info(
           "CES managed sidecar feature flag is off — skipping managed discovery, falling back to local",

package/src/daemon/config-watcher.ts

@@ -158,6 +158,10 @@ export class ConfigWatcher {
         clearFeatureFlagOverridesCache();
         onConversationEvict();
       },
+      "feature-flags-remote.json": () => {
+        clearFeatureFlagOverridesCache();
+        onConversationEvict();
+      },
       "secret-allowlist.json": () => {
         resetAllowlist();
         try {

package/src/daemon/conversation-agent-loop-handlers.ts

@@ -25,6 +25,7 @@ import {
   backfillMessageIdOnLogs,
   recordRequestLog,
 } from "../memory/llm-request-log-store.js";
+import { backfillMemoryRecallLogMessageId } from "../memory/memory-recall-log-store.js";
 import type { ContentBlock, ImageContent } from "../providers/types.js";
 import type { DirectiveRequest } from "./assistant-attachments.js";
 import {
@@ -739,6 +740,15 @@ export async function handleMessageComplete(
     );
   }
 
+  try {
+    backfillMemoryRecallLogMessageId(deps.ctx.conversationId, assistantMsg.id);
+  } catch (err) {
+    deps.rlog.warn(
+      { err },
+      "Failed to backfill message_id on memory recall log (non-fatal)",
+    );
+  }
+
   deps.ctx.currentTurnSurfaces = [];
 
   // Emit trace event