@vellumai/assistant 0.5.11 → 0.5.13

package/src/config/bundled-skills/gmail/SKILL.md

@@ -19,7 +19,7 @@ Do not offer AgentMail as an option or mention it unless the user specifically a
 ## Communication Style
 
 - **Be action-oriented.** When the user asks to do something ("declutter", "check my email"), start doing it immediately. Don't ask for permission to read their inbox - that's obviously what they want.
-- **Keep it human.** Never mention OAuth, tokens, APIs, sandboxes, credential proxies, or other technical internals. If something isn't working, say "Gmail needs to be reconnected" - not "the OAuth2 access token for integration:google has expired."
+- **Keep it human.** Never mention OAuth, tokens, APIs, sandboxes, credential proxies, or other technical internals. If something isn't working, say "Gmail needs to be reconnected" - not "the OAuth2 access token for google has expired."
 - **Show progress.** When running a tool that scans many emails, tell the user what you're doing: "Scanning your inbox for clutter..." Don't go silent.
 - **Be brief and warm.** One or two sentences per update is plenty. Don't over-explain what you're about to do - just do it and narrate lightly.
 
@@ -27,23 +27,23 @@ Do not offer AgentMail as an option or mention it unless the user specifically a
 
 ### Gmail
 
-1. **Try connecting directly first.** Call `credential_store` with `action: "oauth2_connect"` and `service: "gmail"`. The tool auto-fills Google's OAuth endpoints and looks up any previously stored client credentials - so this single call may be all that's needed.
-2. **If it fails because no client_id is found:** The user needs to create Google Cloud OAuth credentials first. Load the **google-oauth-applescript** skill:
-   - Call `skill_load` with `skill: "google-oauth-applescript"` to load the dependency skill.
-   - Tell the user Gmail isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
-     - **message:** "Ready to set up Gmail?"
-     - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials - creating a project, enabling APIs, and connecting your account. Takes about 5 minutes."
-     - **confirmLabel:** "Get Started"
-     - **cancelLabel:** "Not Now"
-   - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
-3. **If the user provides a client_id directly in chat:** Call `credential_store` with `action: "oauth2_connect"`, `service: "gmail"`, and `client_id: "<their value>"`. Include `client_secret` too if they provide one. Everything else is auto-filled.
+1. **Try connecting directly first.** Run `assistant oauth status google`. This will show whether or not the user had previously connected their google account. If so, they are ready to go.
+2. **If no connections are found:** The user needs to either use Vellum's managed google integration or set up their own google oauth app. 
+   - Call `skill_load` with `skill: "vellum-oauth-integrations"` with `provider-key: google` throughout.
+   - To use `your-own` mode, you will need to call `skill_load` with `skill: google-oauth-app-setup`. In this case:
+      - Tell the user Gmail isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
+      - **message:** "Ready to set up Gmail?"
+      - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials - creating a project, enabling APIs, and connecting your account. Takes about 5 minutes.\n\n**Your emails stay under your control** — I only ever create drafts. Nothing gets sent without your explicit say-so."
+      - **confirmLabel:** "Get Started"
+      - **cancelLabel:** "Not Now"
+      - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
 
 ## Error Recovery
 
 When a Gmail tool fails with a token or authorization error:
 
-1. **Try to reconnect silently.** Call `credential_store` with `action: "oauth2_connect"` and `service: "gmail"`. This often resolves expired tokens automatically.
-2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately follow the connection setup flow for Gmail (e.g., install and load **google-oauth-applescript**). The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
+1. **Try to reconnect silently.** Call `assistant oauth ping google`. This often resolves expired tokens automatically.
+2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately follow the connection setup flow for Gmail (e.g., install and load **google-oauth-app-setup**). The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
 3. **Never try alternative approaches.** Don't use bash, curl, browser automation, or any workaround. If the Gmail tools can't do it, the reconnection flow is the answer.
 4. **Never expose error details.** The user doesn't need to see error messages about tokens, OAuth, or API failures. Translate errors into plain language.
 

package/src/config/bundled-skills/gmail/tools/gmail-archive.ts

@@ -35,7 +35,7 @@ export async function run(
     }
 
     try {
-      const connection = await resolveOAuthConnection("integration:google", {
+      const connection = await resolveOAuthConnection("google", {
         account,
       });
       const allMessageIds: string[] = [];
@@ -106,7 +106,7 @@ export async function run(
   } else if (messageId) {
     // Single message path
     try {
-      const connection = await resolveOAuthConnection("integration:google", {
+      const connection = await resolveOAuthConnection("google", {
         account,
       });
       await modifyMessage(connection, messageId, { removeLabelIds: ["INBOX"] });
@@ -126,7 +126,7 @@ export async function run(
   }
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     if (messageIds.length === 1) {

package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts

@@ -57,7 +57,7 @@ export async function run(
 
   if (action === "list") {
     try {
-      const connection = await resolveOAuthConnection("integration:google", {
+      const connection = await resolveOAuthConnection("google", {
         account,
       });
       const message = await getMessage(connection, messageId, "full");
@@ -81,7 +81,7 @@ export async function run(
     if (!filename) return err("filename is required for download.");
 
     try {
-      const connection = await resolveOAuthConnection("integration:google", {
+      const connection = await resolveOAuthConnection("google", {
         account,
       });
       const attachment = await getAttachment(

package/src/config/bundled-skills/gmail/tools/gmail-draft.ts

@@ -23,7 +23,7 @@ export async function run(
   if (!body) return err("body is required.");
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     const draft = await createDraft(

package/src/config/bundled-skills/gmail/tools/gmail-filters.ts

@@ -26,7 +26,7 @@ export async function run(
   }
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     switch (action) {

package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts

@@ -38,7 +38,7 @@ export async function run(
   }
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     switch (action) {

package/src/config/bundled-skills/gmail/tools/gmail-forward.ts

@@ -76,7 +76,7 @@ export async function run(
   if (!forwardTo) return err("to is required.");
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     const message = await getMessage(connection, messageId, "full");

package/src/config/bundled-skills/gmail/tools/gmail-label.ts

@@ -21,7 +21,7 @@ export async function run(
 
   if (messageIds && messageIds.length > 0) {
     try {
-      const connection = await resolveOAuthConnection("integration:google", {
+      const connection = await resolveOAuthConnection("google", {
         account,
       });
       await batchModifyMessages(connection, messageIds, {
@@ -36,7 +36,7 @@ export async function run(
 
   if (messageId) {
     try {
-      const connection = await resolveOAuthConnection("integration:google", {
+      const connection = await resolveOAuthConnection("google", {
         account,
       });
       await modifyMessage(connection, messageId, {

package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts

@@ -56,7 +56,7 @@ export async function run(
   const query = `in:inbox -has:unsubscribe newer_than:${timeRange}`;
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     // Pipeline: fire metadata fetches for each page of IDs as they arrive

package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts

@@ -15,7 +15,7 @@ export async function run(
   if (!draftId) return err("draft_id is required.");
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     const msg = await sendDraft(connection, draftId);

package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts

@@ -58,7 +58,7 @@ export async function run(
   const inputPageToken = input.page_token as string | undefined;
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     // Pipeline: fire metadata fetches for each page of IDs as they arrive,

package/src/config/bundled-skills/gmail/tools/gmail-trash.ts

@@ -18,7 +18,7 @@ export async function run(
   }
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     await trashMessage(connection, messageId);

package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts

@@ -32,7 +32,7 @@ export async function run(
   }
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     const message = await getMessage(connection, messageId, "metadata", [

package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts

@@ -22,7 +22,7 @@ export async function run(
   }
 
   try {
-    const connection = await resolveOAuthConnection("integration:google", {
+    const connection = await resolveOAuthConnection("google", {
       account,
     });
     switch (action) {

package/src/config/bundled-skills/google-calendar/SKILL.md

@@ -14,10 +14,16 @@ You are a Google Calendar assistant with full access to the user's calendar. Use
 
 Before using any Calendar tool, verify that Google Calendar is connected by attempting a lightweight call (e.g., `calendar_list_events` with a narrow date range). If the call fails with a token/authorization error:
 
-1. **Do NOT call `credential_store oauth2_connect` yourself.** You do not have valid OAuth client credentials, and fabricating a client_id will cause a "401: invalid_client" error from Google.
-2. Instead, load the **google-oauth-applescript** skill, which walks the user through creating real credentials in Google Cloud Console:
-   - Call `skill_load` with `skill: "google-oauth-applescript"` to load the dependency skill.
-3. Tell the user: _"Google Calendar isn't connected yet. I've loaded a setup guide that will walk you through connecting your Google account - it only takes a couple of minutes."_
+1. **Try connecting directly first.** Run `assistant oauth status google`. This will show whether or not the user had previously connected their google account. If so, they are ready to go.
+2. **If no connections are found:** The user needs to either use Vellum's managed google integration or set up their own google oauth app. 
+   - Call `skill_load` with `skill: "vellum-oauth-integrations"` with `provider-key: google` throughout.
+   - To use `your-own` mode, you will need to call `skill_load` with `skill: google-oauth-app-setup`. In this case:
+      - Tell the user Google account isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
+      - **message:** "Ready to set up Google Calendar?"
+      - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials - creating a project, enabling APIs, and connecting your account. Takes about 5 minutes.\n\n**Your emails stay under your control** — I only ever create drafts. Nothing gets sent without your explicit say-so."
+      - **confirmLabel:** "Get Started"
+      - **cancelLabel:** "Not Now"
+      - If the user confirms, briefly acknowledge (e.g., "Setting up Google Calendar now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
 
 ## Capabilities
 

package/src/config/bundled-skills/google-calendar/tools/shared.ts

@@ -13,5 +13,5 @@ export function ok(content: string): ToolExecutionResult {
 export async function getCalendarConnection(
   account?: string,
 ): Promise<OAuthConnection> {
-  return resolveOAuthConnection("integration:google", { account });
+  return resolveOAuthConnection("google", { account });
 }

package/src/config/bundled-skills/messaging/SKILL.md

@@ -30,7 +30,7 @@ Do not offer AgentMail as an option or mention it unless the user specifically a
 ## Communication Style
 
 - **Be action-oriented.** When the user asks to do something ("declutter", "check my email"), start doing it immediately. Don't ask for permission to read their inbox - that's obviously what they want.
-- **Keep it human.** Never mention OAuth, tokens, APIs, sandboxes, credential proxies, or other technical internals. If something isn't working, say "Gmail needs to be reconnected" - not "the OAuth2 access token for integration:google has expired."
+- **Keep it human.** Never mention OAuth, tokens, APIs, sandboxes, credential proxies, or other technical internals. If something isn't working, say "Gmail needs to be reconnected" - not "the OAuth2 access token for google has expired."
 - **Show progress.** When running a tool that scans many emails, tell the user what you're doing: "Scanning your inbox for clutter..." Don't go silent.
 - **Be brief and warm.** One or two sentences per update is plenty. Don't over-explain what you're about to do - just do it and narrate lightly.
 
@@ -44,7 +44,7 @@ Before using any messaging tool, verify that the platform is connected by callin
 
 ### Public Ingress (required for Telegram)
 
-Telegram setup requires webhook routing, but it does **not** always require ngrok. Before suggesting public ingress for Telegram, check managed callback availability with `assistant platform status --json`. If that reports `containerized: true` with a non-empty `assistantId` and `available: true`, use the platform callback route flow and do not prompt for ngrok. Only use the **public-ingress** skill for local assistants that genuinely need a public gateway URL. Slack uses Socket Mode and does not require public ingress. Gmail on the desktop app uses a loopback callback and does not require public ingress; the channel path (Path B in the google-oauth-applescript skill) handles public ingress internally when needed.
+Telegram setup requires webhook routing, but it does **not** always require ngrok. Before suggesting public ingress for Telegram, check managed callback availability with `assistant platform status --json`. If that reports `containerized: true` with a non-empty `assistantId` and `available: true`, use the platform callback route flow and do not prompt for ngrok. Only use the **public-ingress** skill for local assistants that genuinely need a public gateway URL. Slack uses Socket Mode and does not require public ingress. Gmail on the desktop app uses a loopback callback and does not require public ingress; the channel path (Path B in the google-oauth-app-setup skill) handles public ingress internally when needed.
 
 ### Email Connection Flow
 
@@ -56,16 +56,16 @@ When the user asks to "connect my email", "set up email", "manage my email", or
 
 ### Gmail
 
-1. **Try connecting directly first.** Call `credential_store` with `action: "oauth2_connect"` and `service: "gmail"`. The tool auto-fills Google's OAuth endpoints and looks up any previously stored client credentials - so this single call may be all that's needed.
-2. **If it fails because no client_id is found:** The user needs to create Google Cloud OAuth credentials first. Load the **google-oauth-applescript** skill:
-   - Call `skill_load` with `skill: "google-oauth-applescript"` to load the dependency skill.
+1. **Try connecting directly first.** Call `credential_store` with `action: "oauth2_connect"` and `service: "google"`. The tool auto-fills Google's OAuth endpoints and looks up any previously stored client credentials - so this single call may be all that's needed.
+2. **If it fails because no client_id is found:** The user needs to create Google Cloud OAuth credentials first. Load the **google-oauth-app-setup** skill:
+   - Call `skill_load` with `skill: "google-oauth-app-setup"` to load the dependency skill.
    - Tell the user Gmail isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
      - **message:** "Ready to set up Gmail?"
      - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials - creating a project, enabling APIs, and connecting your account. Takes about 5 minutes."
      - **confirmLabel:** "Get Started"
      - **cancelLabel:** "Not Now"
    - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
-3. **If the user provides a client_id directly in chat:** Call `credential_store` with `action: "oauth2_connect"`, `service: "gmail"`, and `client_id: "<their value>"`. Include `client_secret` too if they provide one. Everything else is auto-filled.
+3. **If the user provides a client_id directly in chat:** Call `credential_store` with `action: "oauth2_connect"`, `service: "google"`, and `client_id: "<their value>"`. If a `client_secret` is also needed, collect it securely via `credential_store` with `action: "prompt"` — never accept it pasted in chat. Everything else is auto-filled.
 
 ### Slack
 
@@ -96,7 +96,7 @@ The guardian-verify-setup skill handles the full outbound verification flow for
 When a messaging tool fails with a token or authorization error:
 
 1. **Try to reconnect silently.** Call `credential_store` with `action: "oauth2_connect"` and the appropriate `service`. This often resolves expired tokens automatically.
-2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately follow the connection setup flow for that platform (e.g., install and load **google-oauth-applescript** for Gmail). The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
+2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately follow the connection setup flow for that platform (e.g., install and load **google-oauth-app-setup** for Gmail). The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
 3. **Never try alternative approaches.** Don't use bash, curl, browser automation, or any workaround. If the messaging tools can't do it, the reconnection flow is the answer.
 4. **Never expose error details.** The user doesn't need to see error messages about tokens, OAuth, or API failures. Translate errors into plain language.
 

package/src/config/bundled-skills/messaging/tools/messaging-send.ts

@@ -9,7 +9,6 @@ import {
   listMessages,
 } from "../../../../messaging/providers/gmail/client.js";
 import { buildMultipartMime } from "../../../../messaging/providers/gmail/mime-builder.js";
-import type { OAuthConnection } from "../../../../oauth/connection.js";
 import type {
   ToolContext,
   ToolExecutionResult,
@@ -57,7 +56,11 @@ export async function run(
 
     // Gmail: create a draft instead of sending directly
     if (provider.id === "gmail") {
-      const gmailConn = conn as OAuthConnection;
+      if (!conn)
+        return err(
+          "Gmail requires an OAuth connection — is the account connected?",
+        );
+      const gmailConn = conn;
       // Reply mode: thread_id provided - create a threaded draft with reply-all recipients
       if (threadId) {
         // Fetch thread messages to extract recipients and threading headers

package/src/config/bundled-skills/messaging/tools/shared.ts

@@ -126,17 +126,16 @@ export async function resolveProvider(
 }
 
 /**
- * Resolve an OAuthConnection (or empty string for non-OAuth providers)
- * for the given messaging provider.
+ * Resolve an OAuthConnection for the given messaging provider.
  *
- * Non-OAuth providers (e.g. Telegram) use isConnected() and don't need
- * tokens - they receive an empty string which the string overload handles.
+ * Returns undefined for providers that manage credentials internally
+ * (e.g. Telegram bot tokens, Slack Socket Mode bot tokens).
  */
 export async function getProviderConnection(
   provider: MessagingProvider,
   account?: string,
-): Promise<OAuthConnection | string> {
+): Promise<OAuthConnection | undefined> {
   if (provider.resolveConnection) return provider.resolveConnection(account);
-  if (await provider.isConnected?.()) return "";
+  if (await provider.isConnected?.()) return undefined;
   return resolveOAuthConnection(provider.credentialService, { account });
 }

package/src/config/bundled-skills/settings/TOOLS.json

@@ -57,7 +57,7 @@
     },
     {
       "name": "navigate_settings_tab",
-      "description": "Open the Vellum settings panel to a specific tab (e.g. General, Channels, Voice). Use this when the user needs to review or adjust settings visually.",
+      "description": "Open the Vellum settings panel to a specific tab (e.g. General, Models & Services, Voice). Use this when the user needs to review or adjust settings visually.",
       "category": "system",
       "risk": "low",
       "input_schema": {
@@ -67,11 +67,13 @@
             "type": "string",
             "enum": [
               "General",
-              "Channels",
               "Models & Services",
               "Voice",
+              "Sounds",
               "Permissions & Privacy",
-              "Contacts",
+              "Billing",
+              "Archived Conversations",
+              "Schedules",
               "Developer"
             ],
             "description": "The settings tab to navigate to"

package/src/config/bundled-skills/settings/tools/navigate-settings-tab.ts

@@ -5,11 +5,13 @@ import type {
 
 const SETTINGS_TABS = [
   "General",
-  "Channels",
   "Models & Services",
   "Voice",
+  "Sounds",
   "Permissions & Privacy",
-  "Contacts",
+  "Billing",
+  "Archived Conversations",
+  "Schedules",
   "Developer",
 ] as const;
 

package/src/config/bundled-tool-registry.ts

@@ -56,6 +56,8 @@ import * as contactMerge from "./bundled-skills/contacts/tools/contact-merge.js"
 import * as contactSearch from "./bundled-skills/contacts/tools/contact-search.js";
 import * as contactUpsert from "./bundled-skills/contacts/tools/contact-upsert.js";
 import * as googleContacts from "./bundled-skills/contacts/tools/google-contacts.js";
+// ── conversations ─────────────────────────────────────────────────────────────
+import * as renameConversation from "./bundled-skills/conversations/tools/rename-conversation.js";
 // ── document ───────────────────────────────────────────────────────────────────
 import * as documentCreate from "./bundled-skills/document/tools/document-create.js";
 import * as documentUpdate from "./bundled-skills/document/tools/document-update.js";
@@ -222,6 +224,9 @@ export const bundledToolRegistry = new Map<string, SkillToolScript>([
   ["contacts:tools/contact-merge.ts", contactMerge],
   ["contacts:tools/google-contacts.ts", googleContacts],
 
+  // conversations
+  ["conversations:tools/rename-conversation.ts", renameConversation],
+
   // document
   ["document:tools/document-create.ts", documentCreate],
   ["document:tools/document-update.ts", documentUpdate],

package/src/config/feature-flag-registry.json

@@ -47,7 +47,7 @@
       "key": "app-builder-multifile",
       "label": "App Builder Multi-file",
       "description": "Enable multi-file TSX app creation with esbuild compilation instead of single-HTML apps",
-      "defaultEnabled": false
+      "defaultEnabled": true
     },
     {
       "id": "mobile-pairing",
@@ -255,7 +255,7 @@
       "key": "managed-google-oauth",
       "label": "Managed Google OAuth",
       "description": "Show the Google OAuth service card in Models & Services settings",
-      "defaultEnabled": false
+      "defaultEnabled": true
     },
     {
       "id": "settings-embedding-provider",

package/src/credential-execution/client.ts

@@ -88,6 +88,12 @@ export interface CesClientHandshakeOptions {
    * credential materialisation without relying on env vars.
    */
   assistantApiKey?: string;
+  /**
+   * Optional platform assistant ID to pass to CES during the handshake.
+   * For warm-pool pods the PLATFORM_ASSISTANT_ID env var is empty at CES
+   * startup, so the assistant forwards it here once it is known.
+   */
+  assistantId?: string;
 }
 
 export interface CesClient {
@@ -111,13 +117,16 @@ export interface CesClient {
   ): Promise<CesRpcContract[M]["response"]>;
 
   /**
-   * Push an updated assistant API key to CES.
+   * Push an updated assistant API key (and optionally assistant ID) to CES.
    *
    * In managed mode the API key is provisioned after hatch, so the initial
    * handshake may have been sent without one. This method pushes the key
    * to CES after it arrives, without requiring a re-handshake.
    */
-  updateAssistantApiKey(assistantApiKey: string): Promise<{ updated: boolean }>;
+  updateAssistantApiKey(
+    assistantApiKey: string,
+    assistantId?: string,
+  ): Promise<{ updated: boolean }>;
 
   /** Whether the client has completed a successful handshake. */
   isReady(): boolean;
@@ -312,6 +321,7 @@ export function createCesClient(
           ...(options?.assistantApiKey
             ? { assistantApiKey: options.assistantApiKey }
             : {}),
+          ...(options?.assistantId ? { assistantId: options.assistantId } : {}),
         });
       } catch (err) {
         const entry = pending.get("handshake");
@@ -341,14 +351,16 @@ export function createCesClient(
 
     async updateAssistantApiKey(
       assistantApiKey: string,
+      assistantId?: string,
     ): Promise<{ updated: boolean }> {
       return call(CesRpcMethod.UpdateManagedCredential, {
         assistantApiKey,
+        ...(assistantId ? { assistantId } : {}),
       });
     },
 
     isReady(): boolean {
-      return ready;
+      return ready && transport.isAlive();
     },
 
     close(): void {

package/src/daemon/conversation-agent-loop.ts

@@ -245,6 +245,7 @@ export interface AgentLoopConversationContext {
   trustContext?: TrustContext;
   assistantId?: string;
   voiceCallControlPrompt?: string;
+  transportHints?: string[];
 
   readonly coreToolNames: Set<string>;
   allowedToolNames?: Set<string>;
@@ -748,6 +749,7 @@ export async function runAgentLoopImpl(
       temporalContext,
       nowScratchpad,
       voiceCallControlPrompt: ctx.voiceCallControlPrompt ?? null,
+      transportHints: ctx.transportHints ?? null,
       isNonInteractive: !isInteractiveResolved,
     } as const;
 

package/src/daemon/conversation-error.ts

@@ -1,3 +1,4 @@
+import { getProviderRoutingSource } from "../providers/registry.js";
 import { ProviderError, ProviderNotConfiguredError } from "../util/errors.js";
 import type {
   ConversationErrorCode,
@@ -200,12 +201,40 @@ function classifyCore(
         errorCategory: "context_too_large",
       };
     }
+    if (error.statusCode === 401 || error.statusCode === 403) {
+      if (
+        /invalid.*api.?key|invalid.*x-api-key|authentication.?error/i.test(
+          message,
+        )
+      ) {
+        // Check if this provider is routed through the managed proxy.
+        // If so, the assistant API key is stale — the client should reprovision.
+        const providerName = error.provider;
+        if (getProviderRoutingSource(providerName) === "managed-proxy") {
+          return {
+            code: "MANAGED_KEY_INVALID",
+            userMessage:
+              "The assistant API key is invalid. Attempting to re-provision…",
+            retryable: true,
+            errorCategory: "managed_key_invalid",
+          };
+        }
+        return {
+          code: "PROVIDER_NOT_CONFIGURED",
+          userMessage:
+            "Your API key is invalid or expired. Update it in Settings or switch to managed mode.",
+          retryable: false,
+          errorCategory: "provider_not_configured",
+        };
+      }
+    }
     if (error.statusCode === 401) {
       return {
-        code: "PROVIDER_BILLING",
-        userMessage: "Your API key is invalid or expired.",
+        code: "PROVIDER_NOT_CONFIGURED",
+        userMessage:
+          "Your API key is invalid or expired. Update it in Settings or switch to managed mode.",
         retryable: false,
-        errorCategory: "provider_billing",
+        errorCategory: "provider_not_configured",
       };
     }
     if (error.statusCode === 402) {
@@ -275,10 +304,11 @@ function classifyCore(
         )
       ) {
         return {
-          code: "PROVIDER_BILLING",
-          userMessage: "Your API key is invalid.",
+          code: "PROVIDER_NOT_CONFIGURED",
+          userMessage:
+            "Your API key is invalid. Update it in Settings or switch to managed mode.",
           retryable: false,
-          errorCategory: "provider_billing",
+          errorCategory: "provider_not_configured",
         };
       }
       return {

package/src/daemon/conversation-messaging.ts

@@ -296,6 +296,15 @@ export async function persistUserMessage(
     cleanMessage,
     attachmentInputs,
   );
+  log.info(
+    {
+      contentBlockTypes: Array.isArray(llmMessage.content)
+        ? llmMessage.content.map((b) => b.type)
+        : typeof llmMessage.content,
+      attachmentCount: attachments.length,
+    },
+    "persistUserMessage: content blocks being sent to model",
+  );
   ctx.messages.push(llmMessage);
 
   try {