@vellumai/assistant 0.5.12 → 0.5.13

package/src/cli/commands/platform/__tests__/status.test.ts

@@ -0,0 +1,246 @@
+import { mkdtempSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+const testDir = mkdtempSync(join(tmpdir(), "platform-status-test-"));
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+let mockGetSecureKeyViaDaemon: (
+  account: string,
+) => Promise<string | undefined> = async () => undefined;
+
+let mockResolvePlatformCallbackRegistrationContext: () => Promise<
+  Record<string, unknown>
+> = async () => ({
+  containerized: false,
+  platformBaseUrl: "",
+  assistantId: "",
+  hasInternalApiKey: false,
+  hasAssistantApiKey: false,
+  authHeader: null,
+  enabled: false,
+});
+
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+
+mock.module("../../../../inbound/platform-callback-registration.js", () => ({
+  resolvePlatformCallbackRegistrationContext: () =>
+    mockResolvePlatformCallbackRegistrationContext(),
+  registerCallbackRoute: async () => "",
+  shouldUsePlatformCallbacks: () => false,
+  resolveCallbackUrl: async () => "",
+}));
+
+mock.module("../../../lib/daemon-credential-client.js", () => ({
+  getSecureKeyViaDaemon: (account: string) =>
+    mockGetSecureKeyViaDaemon(account),
+  deleteSecureKeyViaDaemon: async () => "not-found" as const,
+  setSecureKeyViaDaemon: async () => false,
+  getProviderKeyViaDaemon: async () => undefined,
+  getSecureKeyResultViaDaemon: async () => ({
+    value: undefined,
+    unreachable: false,
+  }),
+}));
+
+mock.module("../../../../util/logger.js", () => ({
+  getLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+  getCliLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+  initLogger: () => {},
+  truncateForLog: (value: string, maxLen = 500) =>
+    value.length > maxLen ? value.slice(0, maxLen) + "..." : value,
+  pruneOldLogFiles: () => 0,
+}));
+
+mock.module("../../../../util/platform.js", () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => join(testDir, "data"),
+  getWorkspaceSkillsDir: () => join(testDir, "skills"),
+  getWorkspaceDir: () => join(testDir, "workspace"),
+  getWorkspaceHooksDir: () => join(testDir, "workspace", "hooks"),
+  getWorkspaceConfigPath: () => join(testDir, "workspace", "config.json"),
+  getHooksDir: () => join(testDir, "hooks"),
+  getSignalsDir: () => join(testDir, "signals"),
+  getConversationsDir: () => join(testDir, "conversations"),
+  getEmbeddingModelsDir: () => join(testDir, "models"),
+  getSandboxRootDir: () => join(testDir, "sandbox"),
+  getSandboxWorkingDir: () => join(testDir, "sandbox", "work"),
+  getInterfacesDir: () => join(testDir, "interfaces"),
+  getSoundsDir: () => join(testDir, "sounds"),
+  getHistoryPath: () => join(testDir, "history"),
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPlatformName: () => "linux",
+  getClipboardCommand: () => null,
+  resolveInstanceDataDir: () => undefined,
+  normalizeAssistantId: (id: string) => id,
+  getTCPPort: () => 0,
+  isTCPEnabled: () => false,
+  getTCPHost: () => "127.0.0.1",
+  isIOSPairingEnabled: () => false,
+  getPlatformTokenPath: () => join(testDir, "token"),
+  readPlatformToken: () => null,
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => join(testDir, "test.db"),
+  getLogPath: () => join(testDir, "test.log"),
+  getWorkspaceDirDisplay: () => testDir,
+  getWorkspacePromptPath: (file: string) => join(testDir, file),
+  ensureDataDir: () => {},
+}));
+
+mock.module("../../../../config/loader.js", () => ({
+  API_KEY_PROVIDERS: [] as const,
+  getConfig: () => ({
+    permissions: { mode: "workspace" },
+    skills: { load: { extraDirs: [] } },
+    sandbox: { enabled: true },
+  }),
+  loadConfig: () => ({}),
+  invalidateConfigCache: () => {},
+  saveConfig: () => {},
+  loadRawConfig: () => ({}),
+  saveRawConfig: () => {},
+  getNestedValue: () => undefined,
+  setNestedValue: () => {},
+  applyNestedDefaults: (config: unknown) => config,
+  deepMergeMissing: () => false,
+  deepMergeOverwrite: () => {},
+  mergeDefaultWorkspaceConfig: () => {},
+}));
+
+// ---------------------------------------------------------------------------
+// Import module under test (after mocks are registered)
+// ---------------------------------------------------------------------------
+
+const { buildCliProgram } = await import("../../../program.js");
+
+// ---------------------------------------------------------------------------
+// Test helper
+// ---------------------------------------------------------------------------
+
+async function runCommand(
+  args: string[],
+): Promise<{ stdout: string; exitCode: number }> {
+  const originalStdoutWrite = process.stdout.write.bind(process.stdout);
+  const originalStderrWrite = process.stderr.write.bind(process.stderr);
+  const stdoutChunks: string[] = [];
+
+  process.stdout.write = ((chunk: unknown) => {
+    stdoutChunks.push(typeof chunk === "string" ? chunk : String(chunk));
+    return true;
+  }) as typeof process.stdout.write;
+
+  process.stderr.write = (() => true) as typeof process.stderr.write;
+
+  process.exitCode = 0;
+
+  try {
+    const program = buildCliProgram();
+    program.exitOverride();
+    program.configureOutput({
+      writeErr: () => {},
+      writeOut: (str: string) => stdoutChunks.push(str),
+    });
+    await program.parseAsync(["node", "assistant", ...args]);
+  } catch {
+    if (process.exitCode === 0) process.exitCode = 1;
+  } finally {
+    process.stdout.write = originalStdoutWrite;
+    process.stderr.write = originalStderrWrite;
+  }
+
+  const exitCode = process.exitCode ?? 0;
+  process.exitCode = 0;
+
+  return { exitCode, stdout: stdoutChunks.join("") };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("assistant platform status", () => {
+  beforeEach(() => {
+    mockGetSecureKeyViaDaemon = async () => undefined;
+    mockResolvePlatformCallbackRegistrationContext = async () => ({
+      containerized: false,
+      platformBaseUrl: "",
+      assistantId: "",
+      hasInternalApiKey: false,
+      hasAssistantApiKey: false,
+      authHeader: null,
+      enabled: false,
+    });
+    process.exitCode = 0;
+  });
+
+  test("connected platform returns full status with stored credentials", async () => {
+    /**
+     * When the assistant has stored platform credentials and a valid
+     * registration context, the status command should report connected
+     * with all context fields populated.
+     */
+
+    // GIVEN a containerized environment with platform configuration
+    mockResolvePlatformCallbackRegistrationContext = async () => ({
+      containerized: true,
+      platformBaseUrl: "https://platform.vellum.ai",
+      assistantId: "asst-abc-123",
+      hasInternalApiKey: true,
+      hasAssistantApiKey: true,
+      authHeader: "Bearer internal-key",
+      enabled: true,
+    });
+
+    // AND stored platform credentials exist
+    mockGetSecureKeyViaDaemon = async (account: string) => {
+      if (account === "credential/vellum/platform_base_url")
+        return "https://platform.vellum.ai";
+      if (account === "credential/vellum/assistant_api_key")
+        return "sk-test-key";
+      if (account === "credential/vellum/platform_organization_id")
+        return "org-456";
+      if (account === "credential/vellum/platform_user_id") return "user-789";
+      return undefined;
+    };
+
+    // WHEN the status command is run with --json
+    const { exitCode, stdout } = await runCommand([
+      "platform",
+      "status",
+      "--json",
+    ]);
+
+    // THEN the command succeeds
+    expect(exitCode).toBe(0);
+
+    // AND the output contains the expected status fields
+    const parsed = JSON.parse(stdout);
+    expect(parsed.containerized).toBe(true);
+    expect(parsed.baseUrl).toBe("https://platform.vellum.ai");
+    expect(parsed.assistantId).toBe("asst-abc-123");
+    expect(parsed.hasInternalApiKey).toBe(true);
+    expect(parsed.hasAssistantApiKey).toBe(true);
+    expect(parsed.available).toBe(true);
+    expect(parsed.connected).toBe(true);
+    expect(parsed.organizationId).toBe("org-456");
+    expect(parsed.userId).toBe("user-789");
+  });
+});

package/src/config/bundled-skills/messaging/SKILL.md

@@ -65,7 +65,7 @@ When the user asks to "connect my email", "set up email", "manage my email", or
      - **confirmLabel:** "Get Started"
      - **cancelLabel:** "Not Now"
    - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
-3. **If the user provides a client_id directly in chat:** Call `credential_store` with `action: "oauth2_connect"`, `service: "google"`, and `client_id: "<their value>"`. Include `client_secret` too if they provide one. Everything else is auto-filled.
+3. **If the user provides a client_id directly in chat:** Call `credential_store` with `action: "oauth2_connect"`, `service: "google"`, and `client_id: "<their value>"`. If a `client_secret` is also needed, collect it securely via `credential_store` with `action: "prompt"` — never accept it pasted in chat. Everything else is auto-filled.
 
 ### Slack
 

package/src/config/bundled-skills/settings/TOOLS.json

@@ -57,7 +57,7 @@
     },
     {
       "name": "navigate_settings_tab",
-      "description": "Open the Vellum settings panel to a specific tab (e.g. General, Channels, Voice). Use this when the user needs to review or adjust settings visually.",
+      "description": "Open the Vellum settings panel to a specific tab (e.g. General, Models & Services, Voice). Use this when the user needs to review or adjust settings visually.",
       "category": "system",
       "risk": "low",
       "input_schema": {
@@ -67,11 +67,13 @@
             "type": "string",
             "enum": [
               "General",
-              "Channels",
               "Models & Services",
               "Voice",
+              "Sounds",
               "Permissions & Privacy",
-              "Contacts",
+              "Billing",
+              "Archived Conversations",
+              "Schedules",
               "Developer"
             ],
             "description": "The settings tab to navigate to"

package/src/config/bundled-skills/settings/tools/navigate-settings-tab.ts

@@ -5,11 +5,13 @@ import type {
 
 const SETTINGS_TABS = [
   "General",
-  "Channels",
   "Models & Services",
   "Voice",
+  "Sounds",
   "Permissions & Privacy",
-  "Contacts",
+  "Billing",
+  "Archived Conversations",
+  "Schedules",
   "Developer",
 ] as const;
 

package/src/config/feature-flag-registry.json

@@ -47,7 +47,7 @@
       "key": "app-builder-multifile",
       "label": "App Builder Multi-file",
       "description": "Enable multi-file TSX app creation with esbuild compilation instead of single-HTML apps",
-      "defaultEnabled": false
+      "defaultEnabled": true
     },
     {
       "id": "mobile-pairing",

package/src/credential-execution/client.ts

@@ -88,6 +88,12 @@ export interface CesClientHandshakeOptions {
    * credential materialisation without relying on env vars.
    */
   assistantApiKey?: string;
+  /**
+   * Optional platform assistant ID to pass to CES during the handshake.
+   * For warm-pool pods the PLATFORM_ASSISTANT_ID env var is empty at CES
+   * startup, so the assistant forwards it here once it is known.
+   */
+  assistantId?: string;
 }
 
 export interface CesClient {
@@ -111,13 +117,16 @@ export interface CesClient {
   ): Promise<CesRpcContract[M]["response"]>;
 
   /**
-   * Push an updated assistant API key to CES.
+   * Push an updated assistant API key (and optionally assistant ID) to CES.
    *
    * In managed mode the API key is provisioned after hatch, so the initial
    * handshake may have been sent without one. This method pushes the key
    * to CES after it arrives, without requiring a re-handshake.
    */
-  updateAssistantApiKey(assistantApiKey: string): Promise<{ updated: boolean }>;
+  updateAssistantApiKey(
+    assistantApiKey: string,
+    assistantId?: string,
+  ): Promise<{ updated: boolean }>;
 
   /** Whether the client has completed a successful handshake. */
   isReady(): boolean;
@@ -312,6 +321,7 @@ export function createCesClient(
           ...(options?.assistantApiKey
             ? { assistantApiKey: options.assistantApiKey }
             : {}),
+          ...(options?.assistantId ? { assistantId: options.assistantId } : {}),
         });
       } catch (err) {
         const entry = pending.get("handshake");
@@ -341,9 +351,11 @@ export function createCesClient(
 
     async updateAssistantApiKey(
       assistantApiKey: string,
+      assistantId?: string,
     ): Promise<{ updated: boolean }> {
       return call(CesRpcMethod.UpdateManagedCredential, {
         assistantApiKey,
+        ...(assistantId ? { assistantId } : {}),
       });
     },
 

package/src/daemon/first-greeting.ts

@@ -22,7 +22,12 @@ export function isWakeUpGreeting(
 ): boolean {
   if (conversationMessageCount !== 0) return false;
   if (!existsSync(getWorkspacePromptPath("BOOTSTRAP.md"))) return false;
-  return content.trim().toLowerCase() === "wake up, my friend.";
+  return (
+    content
+      .trim()
+      .toLowerCase()
+      .replace(/[.!?]+$/, "") === "wake up, my friend"
+  );
 }
 
 /**

package/src/daemon/lifecycle.ts

@@ -8,6 +8,7 @@ import { setRelayBroadcast } from "../calls/relay-server.js";
 import { TwilioConversationRelayProvider } from "../calls/twilio-provider.js";
 import { setVoiceBridgeDeps } from "../calls/voice-session-bridge.js";
 import {
+  getPlatformAssistantId,
   getQdrantHttpPortEnv,
   getQdrantUrlEnv,
   getRuntimeHttpHost,
@@ -198,11 +199,13 @@ export async function startCesProcess(
       // after hatch and stored in the credential store — CES can't read
       // the env var, so we pass it via the handshake.
       const proxyCtx = await resolveManagedProxyContext();
-      const { accepted, reason } = await client.handshake(
-        proxyCtx.assistantApiKey
+      const assistantId = getPlatformAssistantId();
+      const { accepted, reason } = await client.handshake({
+        ...(proxyCtx.assistantApiKey
           ? { assistantApiKey: proxyCtx.assistantApiKey }
-          : undefined,
-      );
+          : {}),
+        ...(assistantId ? { assistantId } : {}),
+      });
       if (abortController.signal.aborted) {
         client.close();
         throw new Error("CES initialization aborted during shutdown");
@@ -511,11 +514,13 @@ export async function runDaemon(): Promise<void> {
             const transport = await pm.start();
             const newClient = createCesClient(transport);
             const proxyCtx = await resolveManagedProxyContext();
-            const { accepted, reason } = await newClient.handshake(
-              proxyCtx.assistantApiKey
+            const assistantId = getPlatformAssistantId();
+            const { accepted, reason } = await newClient.handshake({
+              ...(proxyCtx.assistantApiKey
                 ? { assistantApiKey: proxyCtx.assistantApiKey }
-                : undefined,
-            );
+                : {}),
+              ...(assistantId ? { assistantId } : {}),
+            });
             if (accepted) {
               log.info("CES reconnection handshake accepted");
               return newClient;

package/src/index.ts

@@ -1,17 +1,5 @@
 #!/usr/bin/env bun
 
 import { buildCliProgram } from "./cli/program.js";
-import { resolveInstanceDataDir } from "./util/platform.js";
-
-// Auto-resolve BASE_DATA_DIR from the lockfile when running as a standalone CLI.
-// The daemon always has BASE_DATA_DIR set by the launcher (cli/src/lib/local.ts),
-// but the CLI process doesn't — so credential commands and other path-dependent
-// operations would read from ~/.vellum instead of the instance-scoped directory.
-if (!process.env.BASE_DATA_DIR) {
-  const instanceDir = resolveInstanceDataDir();
-  if (instanceDir) {
-    process.env.BASE_DATA_DIR = instanceDir;
-  }
-}
 
 buildCliProgram().parse();

package/src/memory/conversation-queries.ts

@@ -26,13 +26,13 @@ function buildFtsMatchQuery(text: string): string | null {
 
 export function listConversations(
   limit?: number,
-  includeBackground = false,
+  backgroundOnly = false,
   offset = 0,
 ): ConversationRow[] {
   ensureDisplayOrderMigration();
   const db = getDb();
-  const where = includeBackground
-    ? undefined
+  const where = backgroundOnly
+    ? sql`${conversations.conversationType} = 'background'`
     : sql`${conversations.conversationType} NOT IN ('background', 'private')`;
   const query = db
     .select()
@@ -44,10 +44,10 @@ export function listConversations(
   return query.all().map(parseConversation);
 }
 
-export function countConversations(includeBackground = false): number {
+export function countConversations(backgroundOnly = false): number {
   const db = getDb();
-  const where = includeBackground
-    ? undefined
+  const where = backgroundOnly
+    ? sql`${conversations.conversationType} = 'background'`
     : sql`${conversations.conversationType} NOT IN ('background', 'private')`;
   const [{ total }] = db
     .select({ total: count() })

package/src/memory/journal-memory.ts

@@ -143,7 +143,10 @@ export function upsertJournalMemoriesFromDisk(
 
     // Filter for .md files, excluding readme.md (case-insensitive)
     const mdFiles = files.filter(
-      (f) => f.endsWith(".md") && f.toLowerCase() !== "readme.md",
+      (f) =>
+        f.endsWith(".md") &&
+        !f.startsWith(".") &&
+        f.toLowerCase() !== "readme.md",
     );
 
     let upserted = 0;
@@ -178,7 +181,10 @@ export function upsertJournalMemoriesFromDisk(
         if (!statSync(subdirPath).isDirectory()) continue;
 
         const subFiles = readdirSync(subdirPath).filter(
-          (f) => f.endsWith(".md") && f.toLowerCase() !== "readme.md",
+          (f) =>
+            f.endsWith(".md") &&
+            !f.startsWith(".") &&
+            f.toLowerCase() !== "readme.md",
         );
 
         for (const filename of subFiles) {

package/src/prompts/journal-context.ts

@@ -78,7 +78,10 @@ export function buildJournalContext(
 
   // Filter for .md files, excluding README.md (case-insensitive)
   const mdFiles = files.filter(
-    (f) => f.endsWith(".md") && f.toLowerCase() !== "readme.md",
+    (f) =>
+      f.endsWith(".md") &&
+      !f.startsWith(".") &&
+      f.toLowerCase() !== "readme.md",
   );
 
   // Collect file info with birthtime (creation time), skipping unreadable entries

package/src/prompts/system-prompt.ts

@@ -197,6 +197,7 @@ export function buildSystemPrompt(options?: BuildSystemPromptOptions): string {
   // System Permissions section removed — guidance lives in request_system_permission tool description.
   // Parallel Task Orchestration section removed — orchestration skill description + hints cover this.
   staticParts.push(buildAccessPreferenceSection(hasNoClient));
+  staticParts.push(buildCredentialSecuritySection());
   // Memory Persistence, Memory Recall, Workspace Reflection, Learning from Mistakes
   // sections removed — guidance lives in memory_manage/memory_recall tool descriptions
   // and the Proactive Workspace Editing subsection in Configuration.
@@ -309,6 +310,8 @@ function buildInChatConfigurationSection(): string {
     "## In-Chat Configuration",
     "",
     "When the user needs to configure a value, collect it conversationally in the chat. Never direct the user to the Settings page for initial setup - Settings is for reviewing and updating existing configuration.",
+    "",
+    'The Settings tabs are: General, Models & Services, Voice, Sounds, Permissions & Privacy, Billing, Archived Conversations, Schedules, Developer. There is NO "Integrations" tab — never refer to "Settings > Integrations". For API keys and provider configuration, the correct tab is "Models & Services".',
   ].join("\n");
 }
 
@@ -334,6 +337,14 @@ function buildAccessPreferenceSection(hasNoClient: boolean): string {
   ].join("\n");
 }
 
+function buildCredentialSecuritySection(): string {
+  return [
+    "## Credential Security",
+    "",
+    'Never ask users to share secrets (API keys, tokens, passwords, webhook secrets) in chat — secret messages may be blocked at ingress. Use the `credential_store` tool with `action: "prompt"` instead; it collects secrets through a secure UI that never exposes the value in the conversation. Non-secret values (Client IDs, Account SIDs, usernames) may be collected conversationally.',
+  ].join("\n");
+}
+
 function buildIntegrationSection(): string {
   let connections: { providerKey: string; accountInfo?: string | null }[];
   try {

package/src/runtime/http-server.ts

@@ -27,13 +27,11 @@ import {
   handleVoiceWebhook,
 } from "../calls/twilio-routes.js";
 import { parseChannelId } from "../channels/types.js";
-import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import {
   getGatewayInternalBaseUrl,
   hasUngatedHttpAuthDisabled,
   isHttpAuthDisabled,
 } from "../config/env.js";
-import { getConfig } from "../config/loader.js";
 import type { ServerMessage } from "../daemon/message-protocol.js";
 import { PairingStore } from "../daemon/pairing-store.js";
 import {
@@ -1030,17 +1028,11 @@ export class RuntimeHttpServer {
         handler: ({ url }) => {
           const limit = Number(url.searchParams.get("limit") ?? 50);
           const offset = Number(url.searchParams.get("offset") ?? 0);
-          const includeBackground = isAssistantFeatureFlagEnabled(
-            "show-background-conversations",
-            getConfig(),
-          );
-          const conversations = listConversations(
-            limit,
-            includeBackground,
-            offset,
-          );
-          const totalCount = countConversations(includeBackground);
-          const conversationIds = conversations.map((c) => c.id);
+          const backgroundOnly =
+            url.searchParams.get("conversationType") === "background";
+          const rows = listConversations(limit, backgroundOnly, offset);
+          const totalCount = countConversations(backgroundOnly);
+          const conversationIds = rows.map((c) => c.id);
           const displayMeta = getDisplayMetaForConversations(conversationIds);
           const bindings =
             externalConversationStore.getBindingsForConversations(
@@ -1050,7 +1042,7 @@ export class RuntimeHttpServer {
             getAttentionStateByConversationIds(conversationIds);
           const parentCache = new Map<string, ConversationRow | null>();
           return Response.json({
-            conversations: conversations.map((conversation) =>
+            conversations: rows.map((conversation) =>
               this.serializeConversationSummary({
                 conversation,
                 binding: bindings.get(conversation.id),
@@ -1059,7 +1051,7 @@ export class RuntimeHttpServer {
                 parentCache,
               }),
             ),
-            hasMore: offset + conversations.length < totalCount,
+            hasMore: offset + rows.length < totalCount,
           });
         },
       },

package/src/runtime/migrations/rebind-secrets-screen.ts

@@ -106,7 +106,7 @@ const TASK_DEFINITIONS: readonly TaskDefinition[] = [
       "Secrets are redacted in export bundles for security. Re-enter all API keys, tokens, and credentials in the destination instance.",
     required: true,
     helpText:
-      "Navigate to Settings > Integrations to re-enter provider API keys (e.g., Anthropic, OpenAI). Check Settings > Secrets for any custom secrets used by skills.",
+      "Navigate to Settings > Models & Services to re-enter provider API keys (e.g., Anthropic, OpenAI). Check Settings > Models & Services for any custom secrets used by skills.",
   },
   {
     id: "rebind-channels",
@@ -133,7 +133,7 @@ const TASK_DEFINITIONS: readonly TaskDefinition[] = [
       "Ensure all webhook URLs registered with external services point to the new instance's public ingress URL.",
     required: false,
     helpText:
-      "Review the public ingress URL in Settings > Gateway. Update any external services (GitHub, calendar providers, etc.) that send webhooks to this assistant.",
+      "Review the public ingress URL in Settings > Developer. Update any external services (GitHub, calendar providers, etc.) that send webhooks to this assistant.",
   },
 ] as const;
 

package/src/runtime/routes/secret-routes.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import {
+  getPlatformAssistantId,
   setPlatformAssistantId,
   setPlatformBaseUrl,
   setPlatformOrganizationId,
@@ -86,7 +87,10 @@ async function queueApiKeyPropagation(
         return;
       }
       try {
-        await cesClient.updateAssistantApiKey(apiKey);
+        await cesClient.updateAssistantApiKey(
+          apiKey,
+          getPlatformAssistantId() || undefined,
+        );
         log.info(
           "Pushed queued assistant API key to CES after handshake completed",
         );
@@ -282,7 +286,10 @@ export async function handleAddSecret(
           if (cesClient) {
             if (cesClient.isReady()) {
               try {
-                await cesClient.updateAssistantApiKey(value);
+                await cesClient.updateAssistantApiKey(
+                  value,
+                  getPlatformAssistantId() || undefined,
+                );
                 log.info(
                   "Pushed assistant API key to CES after managed proxy credential update",
                 );

package/src/tools/browser/browser-manager.ts

@@ -242,13 +242,13 @@ class BrowserManager {
         if (!chromiumInstalled) {
           log.info("Chromium not installed, installing via playwright...");
           const proc = Bun.spawn(
-            ["bunx", "playwright", "install", "chromium"],
+            ["bunx", "playwright", "install", "--with-deps", "chromium"],
             {
               stdout: "pipe",
               stderr: "pipe",
             },
           );
-          const timeoutMs = 120_000;
+          const timeoutMs = 300_000;
           let timer: ReturnType<typeof setTimeout>;
           const exitCode = await Promise.race([
             proc.exited.finally(() => clearTimeout(timer)),