@vellumai/assistant 0.5.11 → 0.5.13

package/src/__tests__/slack-messaging-token-resolution.test.ts

@@ -117,12 +117,12 @@ describe("Slack messaging token resolution", () => {
       expect(await slackProvider.isConnected!()).toBe(true);
     });
 
-    test("returns true when only integration:slack has active OAuth connection (backwards compat)", async () => {
+    test("returns true when only slack has active OAuth connection (backwards compat)", async () => {
       // No bot token
       getSecureKeyAsyncMock.mockImplementation(async () => null);
       // But OAuth provider is connected
       isProviderConnectedMock.mockImplementation(async (service: string) =>
-        service === "integration:slack" ? true : false,
+        service === "slack" ? true : false,
       );
 
       expect(await slackProvider.isConnected!()).toBe(true);
@@ -139,7 +139,7 @@ describe("Slack messaging token resolution", () => {
   // ── slackProvider.resolveConnection() ───────────────────────────────────
 
   describe("slackProvider.resolveConnection()", () => {
-    test("returns bot token string when Socket Mode credentials exist", async () => {
+    test("returns undefined when Socket Mode credentials exist (token cached internally)", async () => {
       getSecureKeyAsyncMock.mockImplementation(async (key: string) =>
         key === "credential/slack_channel/bot_token"
           ? "xoxb-socket-token"
@@ -147,20 +147,20 @@ describe("Slack messaging token resolution", () => {
       );
 
       const result = await slackProvider.resolveConnection!();
-      expect(result).toBe("xoxb-socket-token");
+      expect(result).toBeUndefined();
     });
 
-    test("returns bot token string even without a slack_channel connection row (token-only resilience)", async () => {
+    test("returns undefined even without a slack_channel connection row (token-only resilience)", async () => {
       getSecureKeyAsyncMock.mockImplementation(async (key: string) =>
         key === "credential/slack_channel/bot_token" ? "xoxb-token-only" : null,
       );
-      // No connection row — resolveConnection should still return the token
+      // No connection row — resolveConnection should still return undefined (token cached internally)
 
       const result = await slackProvider.resolveConnection!();
-      expect(result).toBe("xoxb-token-only");
+      expect(result).toBeUndefined();
     });
 
-    test("returns OAuthConnection when only OAuth integration:slack credentials exist (backwards compat)", async () => {
+    test("returns OAuthConnection when only OAuth slack credentials exist (backwards compat)", async () => {
       getSecureKeyAsyncMock.mockImplementation(async () => null);
       const oauthConn = {
         accessToken: "xoxp-oauth-token",
@@ -169,16 +169,15 @@ describe("Slack messaging token resolution", () => {
 
       const result = await slackProvider.resolveConnection!();
       expect(result).toBe(oauthConn);
-      expect(resolveOAuthConnectionMock).toHaveBeenCalledWith(
-        "integration:slack",
-        { account: undefined },
-      );
+      expect(resolveOAuthConnectionMock).toHaveBeenCalledWith("slack", {
+        account: undefined,
+      });
     });
 
     test("throws when no credentials exist at all (no Socket Mode, no OAuth)", async () => {
       getSecureKeyAsyncMock.mockImplementation(async () => null);
       resolveOAuthConnectionMock.mockImplementation(async () => {
-        throw new Error("No OAuth connection found for integration:slack");
+        throw new Error("No OAuth connection found for slack");
       });
 
       await expect(slackProvider.resolveConnection!()).rejects.toThrow(
@@ -190,13 +189,13 @@ describe("Slack messaging token resolution", () => {
   // ── getProviderConnection() integration ─────────────────────────────────
 
   describe("getProviderConnection()", () => {
-    test("returns bot token string for Slack when Socket Mode credentials exist", async () => {
+    test("returns undefined for Slack when Socket Mode credentials exist (token cached internally)", async () => {
       getSecureKeyAsyncMock.mockImplementation(async (key: string) =>
         key === "credential/slack_channel/bot_token" ? "xoxb-conn-token" : null,
       );
 
       const result = await getProviderConnection(slackProvider);
-      expect(result).toBe("xoxb-conn-token");
+      expect(result).toBeUndefined();
     });
 
     test("returns OAuthConnection for Slack when only OAuth credentials exist (backwards compat)", async () => {
@@ -221,9 +220,9 @@ describe("Slack messaging token resolution", () => {
       );
     });
 
-    test('Telegram still returns "" (no resolveConnection, uses isConnected path — regression check)', async () => {
+    test("Telegram returns undefined (no resolveConnection, uses isConnected path — regression check)", async () => {
       // Telegram has isConnected but no resolveConnection.
-      // When isConnected returns true, getProviderConnection returns ""
+      // When isConnected returns true, getProviderConnection returns undefined
       getSecureKeyAsyncMock.mockImplementation(async (key: string) => {
         if (key === "credential/telegram/bot_token") return "bot-token";
         if (key === "credential/telegram/webhook_secret") return "secret";
@@ -234,7 +233,7 @@ describe("Slack messaging token resolution", () => {
       );
 
       const result = await getProviderConnection(telegramBotMessagingProvider);
-      expect(result).toBe("");
+      expect(result).toBeUndefined();
     });
 
     test("Gmail still calls resolveOAuthConnection (no resolveConnection, no isConnected — regression check)", async () => {
@@ -247,10 +246,9 @@ describe("Slack messaging token resolution", () => {
 
       const result = await getProviderConnection(gmailMessagingProvider);
       expect(result).toBe(oauthConn);
-      expect(resolveOAuthConnectionMock).toHaveBeenCalledWith(
-        "integration:google",
-        { account: undefined },
-      );
+      expect(resolveOAuthConnectionMock).toHaveBeenCalledWith("google", {
+        account: undefined,
+      });
     });
   });
 
@@ -264,7 +262,7 @@ describe("Slack messaging token resolution", () => {
       );
       // Gmail connected via OAuth
       isProviderConnectedMock.mockImplementation(async (service: string) =>
-        service === "integration:google" ? true : false,
+        service === "google" ? true : false,
       );
 
       await expect(resolveProvider()).rejects.toThrow(
@@ -285,7 +283,7 @@ describe("Slack messaging token resolution", () => {
     test("auto-selects Gmail when it is the only connected provider (no Slack credentials)", async () => {
       getSecureKeyAsyncMock.mockImplementation(async () => null);
       isProviderConnectedMock.mockImplementation(async (service: string) =>
-        service === "integration:google" ? true : false,
+        service === "google" ? true : false,
       );
 
       const provider = await resolveProvider();

package/src/__tests__/slack-share-routes.test.ts

@@ -111,7 +111,7 @@ describe("handleListSlackChannels", () => {
   });
 
   test("returns channels sorted by type then name", async () => {
-    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
+    connectionByProvider["slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
       "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
@@ -192,7 +192,7 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 for malformed JSON", async () => {
-    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
+    connectionByProvider["slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
       "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
@@ -207,7 +207,7 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 when missing required fields", async () => {
-    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
+    connectionByProvider["slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
       "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
@@ -220,7 +220,7 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 404 when app not found", async () => {
-    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
+    connectionByProvider["slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
       "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
@@ -232,7 +232,7 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("posts message and returns success", async () => {
-    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
+    connectionByProvider["slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
       "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",

package/src/__tests__/system-prompt.test.ts

@@ -24,6 +24,7 @@ mock.module("../util/platform.js", () => ({
   getWorkspaceConfigPath: () => join(TEST_DIR, "config.json"),
   getWorkspaceSkillsDir: () => join(TEST_DIR, "skills"),
   getWorkspaceHooksDir: () => join(TEST_DIR, "hooks"),
+  getConversationsDir: () => join(TEST_DIR, "conversations"),
   getWorkspacePromptPath: (file: string) => join(TEST_DIR, file),
   ensureDataDir: () => {},
   getPidPath: () => join(TEST_DIR, "vellum.pid"),
@@ -560,4 +561,42 @@ describe("ensurePromptFiles", () => {
     const bootstrapPath = join(TEST_DIR, "BOOTSTRAP.md");
     expect(existsSync(bootstrapPath)).toBe(false);
   });
+
+  test("auto-deletes stale BOOTSTRAP.md when prior conversations exist", () => {
+    // Simulate a non-first-run workspace: core files + BOOTSTRAP.md still present
+    writeFileSync(join(TEST_DIR, "IDENTITY.md"), "My identity");
+    writeFileSync(join(TEST_DIR, "SOUL.md"), "My soul");
+    writeFileSync(join(TEST_DIR, "USER.md"), "My user");
+    writeFileSync(join(TEST_DIR, "BOOTSTRAP.md"), "# Stale bootstrap");
+
+    // Create a conversations directory with at least one entry
+    const convDir = join(TEST_DIR, "conversations");
+    mkdirSync(convDir, { recursive: true });
+    writeFileSync(join(convDir, "conv-001.json"), "{}");
+
+    ensurePromptFiles();
+
+    expect(existsSync(join(TEST_DIR, "BOOTSTRAP.md"))).toBe(false);
+  });
+
+  test("keeps BOOTSTRAP.md on first run even if conversations dir exists", () => {
+    // First run: no core files exist, BOOTSTRAP.md should be created and kept
+    const convDir = join(TEST_DIR, "conversations");
+    mkdirSync(convDir, { recursive: true });
+    writeFileSync(join(convDir, "conv-001.json"), "{}");
+
+    ensurePromptFiles();
+
+    expect(existsSync(join(TEST_DIR, "BOOTSTRAP.md"))).toBe(true);
+  });
+
+  test("keeps BOOTSTRAP.md when no conversations exist yet", () => {
+    // Non-first-run but no conversations — user hasn't chatted yet
+    writeFileSync(join(TEST_DIR, "IDENTITY.md"), "My identity");
+    writeFileSync(join(TEST_DIR, "BOOTSTRAP.md"), "# Bootstrap");
+
+    ensurePromptFiles();
+
+    expect(existsSync(join(TEST_DIR, "BOOTSTRAP.md"))).toBe(true);
+  });
 });

package/src/__tests__/token-estimator-accuracy.benchmark.test.ts

@@ -205,7 +205,7 @@ function makeSystemPrompt(size: "small" | "production" = "small"): string {
     "### OAuth Setup",
     "Most integrations use OAuth for authentication.",
     "Guide the user through the OAuth flow when setting up a new integration:",
-    "1. Navigate to Settings > Integrations",
+    "1. Navigate to Settings > Models & Services",
     "2. Click 'Connect' for the desired service",
     "3. Authorize in the browser popup",
     "4. Confirm the connection is active",

package/src/__tests__/workspace-migration-backfill-installation-id.test.ts

@@ -284,20 +284,21 @@ describe("011-backfill-installation-id migration", () => {
     expect(parsed.assistants[0].installationId).toBe("sqlite-id");
   });
 
-  test("respects BASE_DATA_DIR environment variable", () => {
+  test("ignores BASE_DATA_DIR and always reads lockfile from homedir", () => {
     process.env.BASE_DATA_DIR = "/custom-base";
     getMemoryCheckpointFn.mockReturnValue("sqlite-id");
 
-    const customLockPath = "/custom-base/.vellum.lock.json";
+    // Lockfile under BASE_DATA_DIR should be ignored — the migration
+    // always reads from homedir() (per-user, not per-instance).
     setupFs({
-      [customLockPath]: makeLockfile([{ assistantId: "my-assistant" }]),
+      [LOCK_PATH]: makeLockfile([{ assistantId: "my-assistant" }]),
     });
 
     backfillInstallationIdMigration.run(WORKSPACE_DIR);
 
     expect(writeFileSyncFn).toHaveBeenCalledTimes(1);
     const [path] = writeFileSyncFn.mock.calls[0] as [string, string];
-    expect(path).toBe(customLockPath);
+    expect(path).toBe(LOCK_PATH);
   });
 
   test("preserves other assistants in lockfile when writing", () => {

package/src/cli/AGENTS.md

@@ -59,6 +59,46 @@ does and how to use it.
 4. **Use Commander's `.addHelpText("after", ...)`** for extended help. Don't
    cram everything into `.description()`.
 
+### No Redundant Command Lists in `addHelpText`
+
+Commander already renders a `Commands:` section from registered subcommands.
+Never duplicate that list in `.addHelpText("after", ...)`. The `addHelpText`
+block is for **supplementary context only** — domain notes, key concepts, and
+examples. Repeating command names and descriptions wastes vertical space and
+creates a maintenance burden (two places to update when a subcommand changes).
+
+**Bad:**
+
+```ts
+oauth.addHelpText(
+  "after",
+  `
+The oauth command group manages the full OAuth lifecycle:
+
+  connect     Initiate an OAuth flow for a provider
+  disconnect  Disconnect an OAuth provider
+  ...
+`,
+);
+```
+
+**Good:**
+
+```ts
+oauth.addHelpText(
+  "after",
+  `
+Providers are seeded on startup for built-in integrations. Apps and connections
+are created during the OAuth authorization flow or can be managed manually via
+their respective subcommands.
+
+Examples:
+  $ assistant oauth connect google --open-browser
+  $ assistant oauth status google
+`,
+);
+```
+
 ### ID and Key Arguments
 
 Options that accept IDs, keys, or opaque identifiers must include a short note
@@ -79,12 +119,12 @@ users and AI agents have no way to know what to pass.
 
 Common discovery patterns:
 
-| Argument type | Discovery command                                                         |
-| ------------- | ------------------------------------------------------------------------- |
-| Provider key  | `assistant oauth providers list`                                          |
-| Connection ID | `assistant oauth connections list` or `assistant oauth status <provider>` |
-| OAuth app ID  | `assistant oauth apps list`                                               |
-| Contact ID    | `assistant contacts list`                                                 |
+| Argument type | Discovery command                   |
+| ------------- | ----------------------------------- |
+| Provider key  | `assistant oauth providers list`    |
+| Connection ID | `assistant oauth status <provider>` |
+| OAuth app ID  | `assistant oauth apps list`         |
+| Contact ID    | `assistant contacts list`           |
 
 ### Error Messages
 
@@ -104,7 +144,7 @@ throw new Error("Connection not found");
 
 ```ts
 throw new Error(
-  `Connection "${id}" not found. Run 'assistant oauth connections list' to see available connections.`,
+  `Connection "${id}" not found. Run 'assistant oauth status <provider>' to see available connections.`,
 );
 ```
 

package/src/cli/commands/browser-relay.ts

@@ -124,12 +124,6 @@ uses a dedicated user data directory at ~/Library/Application Support/Google/Chr
 and defaults to port 9222. Commands are routed through a Chrome extension
 relay that bridges the assistant to open Chrome tabs.
 
-Subgroups:
-  relay     Send commands to Chrome tabs via the browser extension relay
-  launch    Launch or connect to a Chrome CDP instance
-  minimize  Minimize the Chrome CDP window
-  restore   Restore the Chrome CDP window
-
 Examples:
   $ assistant browser chrome launch
   $ assistant browser chrome launch --start-url "https://example.com" --port 9333
@@ -150,17 +144,8 @@ Examples:
     `
 Routes commands to Chrome tabs through the browser extension relay. The relay
 connects the assistant to a Chrome extension that can inspect and control
-browser tabs.
-
-Available subcommands:
-  find-tab      Find a tab matching a URL pattern
-  new-tab       Open a new tab with a URL
-  navigate      Navigate an existing tab to a new URL
-  evaluate      Execute JavaScript in a tab
-  get-cookies   Fetch cookies for a domain
-  set-cookie    Set a cookie
-  screenshot    Capture a screenshot of a tab
-  status        Check browser extension relay connection status
+browser tabs. Commands support URL glob patterns for tab discovery and
+JavaScript evaluation with stdin piping for long scripts.
 
 Examples:
   $ assistant browser chrome relay find-tab --url "*://*.amazon.com/*"

package/src/cli/commands/contacts.ts

@@ -132,7 +132,7 @@ Examples:
       "after",
       `
 Arguments:
-  id   UUID of the contact to retrieve
+  id   UUID of the contact to retrieve. Run 'assistant contacts list' to find IDs.
 
 Returns the full contact record including role, display name, and all
 channel memberships (phone numbers, Telegram IDs, email addresses, etc.).
@@ -174,7 +174,8 @@ Examples:
       "after",
       `
 Arguments:
-  keepId    UUID of the surviving contact that will absorb the other
+  keepId    UUID of the surviving contact that will absorb the other.
+            Run 'assistant contacts list' to find IDs.
   mergeId   UUID of the contact to be merged and deleted
 
 All channel memberships, conversation history, and metadata from mergeId
@@ -331,7 +332,8 @@ Examples:
       "after",
       `
 Arguments:
-  channelId   UUID of the contact channel to update
+  channelId   UUID of the contact channel to update. Run 'assistant contacts get <contactId>'
+              to see a contact's channel IDs.
 
 Updates the access-control fields on an existing channel. At least one of
 --status or --policy must be provided.
@@ -590,7 +592,7 @@ Examples:
       "after",
       `
 Arguments:
-  inviteId   UUID of the invite to revoke
+  inviteId   UUID of the invite to revoke. Run 'assistant contacts invites list' to find IDs.
 
 Revokes an active invite so it can no longer be redeemed. Already-redeemed
 channel memberships are not affected. Returns the updated invite record.

package/src/cli/commands/conversations.ts

@@ -12,6 +12,7 @@ import { ensureDaemonRunning } from "../../daemon/lifecycle.js";
 import { formatJson, formatMarkdown } from "../../export/formatter.js";
 import {
   clearAll as clearAllConversations,
+  countConversationsByScheduleJobId,
   createConversation,
   getConversation,
   getMessages,
@@ -29,6 +30,7 @@ import {
   loadOrCreateSigningKey,
   mintDaemonDeliveryToken,
 } from "../../runtime/auth/token-service.js";
+import { deleteSchedule } from "../../schedule/schedule-store.js";
 import { timeAgo } from "../../util/time.js";
 import { initializeDb } from "../db.js";
 import { log } from "../logger.js";
@@ -119,7 +121,7 @@ Arguments:
   conversationId   Optional conversation ID (or unique prefix). Defaults to the
                    most recent conversation. Supports prefix matching — e.g.
                    "abc123" matches the first conversation whose ID starts with
-                   "abc123".
+                   "abc123". Run 'assistant conversations list' to find IDs.
 
 Two output formats are available:
   md    Markdown conversation transcript (default). Human-readable rendering
@@ -275,6 +277,7 @@ Examples:
       `
 Arguments:
   conversationId   Conversation ID (or unique prefix). Supports prefix matching.
+                   Run 'assistant conversations list' to find IDs.
 
 Permanently wipes the conversation and reverts all memory changes it caused:
 restores superseded memory items, deletes conversation summaries, and cancels
@@ -353,6 +356,15 @@ Examples:
         return;
       }
 
+      // Cancel the associated schedule job (if any) before wiping —
+      // but only when this is the last conversation referencing it.
+      if (
+        conversation.scheduleJobId &&
+        countConversationsByScheduleJobId(conversation.scheduleJobId) <= 1
+      ) {
+        deleteSchedule(conversation.scheduleJobId);
+      }
+
       // Daemon not running — safe to wipe directly (no in-memory state).
       const result = wipeConversation(conversation.id);
 

package/src/cli/commands/credential-execution.ts

@@ -129,6 +129,20 @@ export function registerCredentialExecutionCommand(program: Command): void {
     )
     .option("--json", "Machine-readable compact JSON output");
 
+  ce.addHelpText(
+    "after",
+    `
+The Credential Execution Service (CES) mediates all secret-bearing operations.
+Grants authorize specific credential handles for constrained purposes, and
+audit records log each credentialed operation. Neither grants nor audit records
+ever contain raw secret values — only sanitized metadata.
+
+Examples:
+  $ assistant credential-execution grants list
+  $ assistant credential-execution grants revoke <grantId>
+  $ assistant credential-execution audit list`,
+  );
+
   // -------------------------------------------------------------------------
   // grants
   // -------------------------------------------------------------------------
@@ -215,7 +229,8 @@ that grant for credentialed operations. The grant is permanently removed
 from CES state.
 
 Arguments:
-  grantId   The stable grant identifier (UUID)
+  grantId   The stable grant identifier (UUID). Run 'assistant credential-execution
+            grants list' to find grant IDs.
 
 Examples:
   $ assistant credential-execution grants revoke 7a3b1c2d-4e5f-6789-abcd-ef0123456789

package/src/cli/commands/credentials.ts

@@ -397,10 +397,7 @@ Examples:
   credential
     .command("set <value>")
     .description("Store a secret and create or update its metadata")
-    .requiredOption(
-      "--service <service>",
-      "Service namespace (e.g. integration:google)",
-    )
+    .requiredOption("--service <service>", "Service namespace (e.g. google)")
     .requiredOption("--field <field>", "Field name (e.g. client_secret)")
     .option("--label <label>", 'Human-friendly label (e.g. "prod", "work")')
     .option("--description <description>", "What this credential is used for")
@@ -511,10 +508,7 @@ Examples:
           `${service}:${field}`,
         );
         if (secretResult === "error") {
-          writeError(
-            cmd,
-            "Failed to delete credential from secure storage",
-          );
+          writeError(cmd, "Failed to delete credential from secure storage");
           process.exitCode = 1;
           return;
         }