@vellumai/assistant 0.5.16 → 0.6.0

package/src/cli/commands/platform/index.ts

@@ -14,19 +14,19 @@ import { registerPlatformDisconnectCommand } from "./disconnect.js";
 export function registerPlatformCommand(program: Command): void {
   const platform = program
     .command("platform")
-    .description("Manage platform integration for containerized deployments")
+    .description("Manage Vellum Platform integration")
     .option("--json", "Machine-readable compact JSON output");
 
   platform.addHelpText(
     "after",
     `
-The platform subsystem manages the connection to Vellum Platform, callback
-routing, containerized deployment context, and webhook forwarding for
-assistants. Use 'connect', 'status', and 'disconnect' to manage platform
-credentials. When IS_CONTAINERIZED=true with a configured VELLUM_PLATFORM_URL
-and PLATFORM_ASSISTANT_ID, external service callbacks (Telegram webhooks,
-Twilio webhooks, OAuth redirects) route through the platform's gateway proxy
-instead of hitting the assistant directly.
+The platform subsystem manages the connection to Vellum Platform. Use
+'connect', 'status', and 'disconnect' to manage platform credentials.
+Any assistant using the managed LLM proxy can use these commands.
+
+When IS_PLATFORM=true (platform-managed deployments), external service
+callbacks (Telegram webhooks, Twilio webhooks, OAuth redirects) also
+route through the platform's gateway proxy via 'callback-routes'.
 
 Examples:
   $ assistant platform status --json
@@ -54,11 +54,11 @@ Examples:
       "after",
       `
 Reads platform-related environment variables and stored credentials to report
-the current containerized deployment context and connection state. Does not
+the current platform deployment context and connection state. Does not
 require the assistant to be running.
 
 Fields:
-  containerized       Whether IS_CONTAINERIZED is set (boolean)
+  isPlatform          Whether IS_PLATFORM is set (boolean)
   baseUrl             VELLUM_PLATFORM_URL — the platform gateway base URL
   assistantId         PLATFORM_ASSISTANT_ID — this assistant's platform UUID
   hasInternalApiKey   Whether PLATFORM_INTERNAL_API_KEY is set (boolean,
@@ -112,7 +112,7 @@ Examples:
         const connected = !!storedBaseUrl && hasStoredApiKey;
 
         const result = {
-          containerized: context.containerized,
+          isPlatform: context.isPlatform,
           baseUrl: context.platformBaseUrl,
           assistantId: context.assistantId,
           hasInternalApiKey: context.hasInternalApiKey,
@@ -126,7 +126,7 @@ Examples:
         if (shouldOutputJson(cmd)) {
           writeOutput(cmd, result);
         } else {
-          log.info(`Containerized: ${result.containerized}`);
+          log.info(`Platform: ${result.isPlatform}`);
           log.info(`Base URL: ${result.baseUrl || "(not set)"}`);
           log.info(`Assistant ID: ${result.assistantId || "(not set)"}`);
           log.info(
@@ -167,7 +167,7 @@ Examples:
     "after",
     `
 Callback routes tell the platform gateway how to forward inbound provider
-webhooks to the correct containerized assistant instance. Each route maps a
+webhooks to the correct platform-managed assistant instance. Each route maps a
 callback path and type to a stable external URL that external services
 (Telegram, Twilio, OAuth providers) should use.
 
@@ -196,7 +196,7 @@ Examples:
       `
 Registers a callback route with the platform's internal gateway endpoint so
 the platform knows how to forward inbound provider webhooks to this
-containerized assistant instance.
+platform-managed assistant instance.
 
 Arguments:
   --path    The path portion after the ingress base URL. Leading/trailing
@@ -210,7 +210,7 @@ Known callback path/type combinations:
   --path webhooks/twilio/status     --type twilio_status
   --path oauth/callback             --type oauth
 
-Requires a containerized environment (IS_CONTAINERIZED=true) with
+Requires a platform-managed environment (IS_PLATFORM=true) with
 VELLUM_PLATFORM_URL and PLATFORM_ASSISTANT_ID configured. Returns the
 platform-provided stable callback URL that external services should use.
 
@@ -225,7 +225,7 @@ Examples:
           writeOutput(cmd, {
             ok: false,
             error:
-              "Platform callbacks not available — missing containerized platform registration context",
+              "Platform callbacks not available — missing platform registration context",
           });
           process.exitCode = 1;
           return;

package/src/cli/commands/skills.ts

@@ -12,6 +12,7 @@ import {
   uninstallSkillLocally,
 } from "../../skills/catalog-install.js";
 import { filterByQuery } from "../../skills/catalog-search.js";
+import { clawhubSearch } from "../../skills/clawhub.js";
 import type {
   AuditResponse,
   SkillsShSearchResult,
@@ -111,7 +112,9 @@ Examples:
 
   skills
     .command("search <query>")
-    .description("Search the Vellum catalog and skills.sh community registry")
+    .description(
+      "Search the Vellum catalog, skills.sh, and clawhub community registries",
+    )
     .option("--limit <n>", "Maximum number of community results", "10")
     .option("--json", "Machine-readable JSON output")
     .addHelpText(
@@ -119,11 +122,11 @@ Examples:
       `
 Arguments:
   query    Free-text search term matched against skill names, descriptions,
-           and tags. Searches the Vellum catalog first, then the skills.sh
-           community registry.
+           and tags. Searches the Vellum catalog, the skills.sh community
+           registry, and the clawhub registry.
 
-Displays results from both sources with clear labels. When a skill ID
-exists in both the Vellum catalog and the community registry, a conflict
+Displays results from all sources with clear labels. When a skill ID
+exists in both the Vellum catalog and a community registry, a conflict
 note is shown with guidance on which install command to use.
 
 Examples:
@@ -155,32 +158,64 @@ Examples:
           (s) => s.description,
         ]);
 
-        // ── Community registry search (non-fatal on failure) ─────────
+        // ── Community registry searches (non-fatal on failure) ────────
+        // Run skills.sh and clawhub searches in parallel.
         let registryResults: SkillsShSearchResult[] = [];
         let registryError: string | undefined;
-        try {
-          registryResults = await searchSkillsRegistry(query, limit);
-        } catch (err) {
-          registryError = err instanceof Error ? err.message : String(err);
+        let clawhubResults: Awaited<
+          ReturnType<typeof clawhubSearch>
+        >["skills"] = [];
+        let clawhubError: string | undefined;
+
+        const [skillsShResult, clawhubResult] = await Promise.allSettled([
+          searchSkillsRegistry(query, limit),
+          clawhubSearch(query, { limit }),
+        ]);
+
+        if (skillsShResult.status === "fulfilled") {
+          registryResults = skillsShResult.value;
+        } else {
+          registryError =
+            skillsShResult.reason instanceof Error
+              ? skillsShResult.reason.message
+              : String(skillsShResult.reason);
+        }
+
+        if (clawhubResult.status === "fulfilled") {
+          clawhubResults = clawhubResult.value.skills;
+        } else {
+          clawhubError =
+            clawhubResult.reason instanceof Error
+              ? clawhubResult.reason.message
+              : String(clawhubResult.reason);
         }
 
         // ── Conflict detection ───────────────────────────────────────
         const catalogIds = new Set(catalogMatches.map((s) => s.id));
-        const conflictIds = new Set(
-          registryResults
+        const conflictIds = new Set([
+          ...registryResults
             .filter((r) => catalogIds.has(r.skillId))
             .map((r) => r.skillId),
-        );
+          ...clawhubResults
+            .filter((r) => catalogIds.has(r.slug))
+            .map((r) => r.slug),
+        ]);
 
-        if (catalogMatches.length === 0 && registryResults.length === 0) {
+        if (
+          catalogMatches.length === 0 &&
+          registryResults.length === 0 &&
+          clawhubResults.length === 0
+        ) {
           if (json) {
             console.log(
               JSON.stringify({
                 ok: true,
                 catalog: [],
                 community: [],
+                clawhub: [],
                 audits: {},
                 ...(registryError ? { registryError } : {}),
+                ...(clawhubError ? { clawhubError } : {}),
               }),
             );
           } else {
@@ -188,6 +223,9 @@ Examples:
             if (registryError) {
               log.warn(`(skills.sh registry unavailable: ${registryError})`);
             }
+            if (clawhubError) {
+              log.warn(`(clawhub registry unavailable: ${clawhubError})`);
+            }
           }
           return;
         }
@@ -219,8 +257,10 @@ Examples:
               ok: true,
               catalog: catalogMatches,
               community: registryResults,
+              clawhub: clawhubResults,
               audits: allAudits,
               ...(registryError ? { registryError } : {}),
+              ...(clawhubError ? { clawhubError } : {}),
             }),
           );
           return;
@@ -280,6 +320,38 @@ Examples:
         } else if (registryError) {
           log.warn(`\n(skills.sh registry unavailable: ${registryError})`);
         }
+
+        // ── Display clawhub results ─────────────────────────────────
+        if (clawhubResults.length > 0) {
+          log.info(`Clawhub registry (${clawhubResults.length}):\n`);
+          for (const r of clawhubResults) {
+            const installed = isInstalled(r.slug);
+            const badge = installed ? " [installed]" : "";
+            log.info(`  ${r.name}${badge}`);
+            if (r.name !== r.slug) {
+              log.info(`    ID: ${r.slug}`);
+            }
+            if (r.author) {
+              log.info(`    Author: ${r.author}`);
+            }
+            if (r.description) {
+              log.info(`    Description: ${r.description}`);
+            }
+            if (r.stars > 0) {
+              log.info(`    Stars: ${r.stars}`);
+            }
+            if (r.installs > 0) {
+              log.info(`    Installs: ${r.installs}`);
+            }
+            log.info(`    Install: npx clawhub install ${r.slug}`);
+            if (conflictIds.has(r.slug)) {
+              log.info(`    NOTE: Conflicts with Vellum catalog skill`);
+            }
+            log.info("");
+          }
+        } else if (clawhubError) {
+          log.warn(`\n(clawhub registry unavailable: ${clawhubError})`);
+        }
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         if (json) {
@@ -416,8 +488,8 @@ Arguments:
 
 Notes:
   Fetches the skill's SKILL.md and supporting files from the specified GitHub
-  repository and installs them into the workspace skills directory. A
-  version.json file is written with origin metadata for provenance tracking.
+  repository and installs them into the workspace skills directory. An
+  install-meta.json file is written with origin metadata for provenance tracking.
 
 Examples:
   $ assistant skills add vercel-labs/skills@find-skills

package/src/cli/commands/trust.ts

@@ -18,7 +18,7 @@ export function registerTrustCommand(program: Command): void {
 Trust rules are pattern-based decisions (allow/deny) for tool invocations.
 Each rule specifies a tool name, a command pattern matched with glob syntax,
 a scope, a decision (allow or deny), and a priority. Rules are stored in
-~/.vellum/protected/trust.json and evaluated in priority order when the
+the protected directory (trust.json) and evaluated in priority order when the
 assistant invokes a tool.
 
 Examples:
@@ -141,7 +141,7 @@ Examples:
     .addHelpText(
       "after",
       `
-Removes every trust rule from ~/.vellum/protected/trust.json. Prompts for
+Removes every trust rule from the protected directory (trust.json). Prompts for
 confirmation before proceeding (y/N). This action is irreversible — all
 rules must be re-created manually after clearing.
 

package/src/cli/lib/daemon-credential-client.ts

@@ -7,7 +7,6 @@
  * (health check, JWT minting, HTTP call).
  */
 
-import providerEnvVarsRegistry from "../../../../meta/provider-env-vars.json" with { type: "json" };
 import { getRuntimeHttpHost, getRuntimeHttpPort } from "../../config/env.js";
 import { API_KEY_PROVIDERS } from "../../config/loader.js";
 import { healthCheckHost, isHttpHealthy } from "../../daemon/daemon-control.js";
@@ -25,13 +24,13 @@ import {
   getSecureKeyResultAsync,
   setSecureKeyAsync,
 } from "../../security/secure-keys.js";
+import { PROVIDER_ENV_VAR_NAMES } from "../../shared/provider-env-vars.js";
 import { getLogger } from "../../util/logger.js";
 
 const log = getLogger("daemon-credential-client");
 const CREDENTIAL_KEY_PREFIX = "credential/";
 
-const PROVIDER_ENV_VARS: Record<string, string> =
-  providerEnvVarsRegistry.providers;
+const PROVIDER_ENV_VARS: Record<string, string> = PROVIDER_ENV_VAR_NAMES;
 
 // ---------------------------------------------------------------------------
 // Private daemon fetch helper

package/src/config/bundled-skills/acp/TOOLS.json

@@ -5,7 +5,7 @@
       "name": "acp_spawn",
       "description": "Spawn an external coding agent (e.g. Claude Code, Codex, Gemini CLI) via ACP to work on a task. The agent runs as a subprocess and streams results back. Use this when you want to delegate a coding task to an external agent that has its own tools, file editing, and terminal access. If ACP is not enabled, follow the setup instructions in SKILL.md to install claude-agent-acp and configure it. The command MUST be 'claude-agent-acp' - NEVER use 'claude', 'claude -p', or 'claude --acp'.",
       "category": "orchestration",
-      "risk": "low",
+      "risk": "high",
       "input_schema": {
         "type": "object",
         "properties": {

package/src/config/bundled-skills/contacts/SKILL.md

@@ -6,7 +6,6 @@ metadata:
   emoji: "👥"
   vellum:
     display-name: "Contacts"
-    feature-flag: "contacts"
 ---
 
 Manage the user's contacts, relationship graph, access control (trusted contacts), and invite links. This skill covers contact CRUD with multi-channel tracking, controlling who can message the assistant through external channels (Telegram, phone), and creating/managing invite links that grant access.

package/src/config/bundled-skills/contacts/TOOLS.json

@@ -47,14 +47,6 @@
                 "is_primary": {
                   "type": "boolean",
                   "description": "Whether this is the primary channel for this type"
-                },
-                "external_user_id": {
-                  "type": "string",
-                  "description": "Platform-native user ID (e.g. Slack user ID like U12345). Used to cache user lookups."
-                },
-                "external_chat_id": {
-                  "type": "string",
-                  "description": "Platform-native chat/DM channel ID (e.g. Slack DM channel like D12345). Used to cache DM channel lookups."
                 }
               },
               "required": ["type", "address"]

package/src/config/bundled-skills/contacts/tools/contact-upsert.ts

@@ -63,16 +63,12 @@ export async function executeContactUpsert(
         type: string;
         address: string;
         is_primary?: boolean;
-        external_user_id?: string;
-        external_chat_id?: string;
       }>
     | undefined;
   const channels = rawChannels?.map((ch) => ({
     type: ch.type,
     address: ch.address,
     isPrimary: ch.is_primary,
-    externalUserId: ch.external_user_id,
-    externalChatId: ch.external_chat_id,
   }));
 
   try {

package/src/config/bundled-skills/gmail/SKILL.md

@@ -28,22 +28,14 @@ Do not offer AgentMail as an option or mention it unless the user specifically a
 ### Gmail
 
 1. **Try connecting directly first.** Run `assistant oauth status google`. This will show whether or not the user had previously connected their google account. If so, they are ready to go.
-2. **If no connections are found:** The user needs to either use Vellum's managed google integration or set up their own google oauth app. 
-   - Call `skill_load` with `skill: "vellum-oauth-integrations"` with `provider-key: google` throughout.
-   - To use `your-own` mode, you will need to call `skill_load` with `skill: google-oauth-app-setup`. In this case:
-      - Tell the user Gmail isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
-      - **message:** "Ready to set up Gmail?"
-      - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials - creating a project, enabling APIs, and connecting your account. Takes about 5 minutes.\n\n**Your emails stay under your control** — I only ever create drafts. Nothing gets sent without your explicit say-so."
-      - **confirmLabel:** "Get Started"
-      - **cancelLabel:** "Not Now"
-      - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
+2. **If no connections are found:** Call `skill_load` with `skill: "vellum-oauth-integrations"`. The skill will evaluate whether managed or your-own mode is appropriate and guide the user accordingly.
 
 ## Error Recovery
 
 When a Gmail tool fails with a token or authorization error:
 
 1. **Try to reconnect silently.** Call `assistant oauth ping google`. This often resolves expired tokens automatically.
-2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately follow the connection setup flow for Gmail (e.g., install and load **google-oauth-app-setup**). The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
+2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately load **vellum-oauth-integrations**. The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
 3. **Never try alternative approaches.** Don't use bash, curl, browser automation, or any workaround. If the Gmail tools can't do it, the reconnection flow is the answer.
 4. **Never expose error details.** The user doesn't need to see error messages about tokens, OAuth, or API failures. Translate errors into plain language.
 

package/src/config/bundled-skills/google-calendar/SKILL.md

@@ -15,15 +15,7 @@ You are a Google Calendar assistant with full access to the user's calendar. Use
 Before using any Calendar tool, verify that Google Calendar is connected by attempting a lightweight call (e.g., `calendar_list_events` with a narrow date range). If the call fails with a token/authorization error:
 
 1. **Try connecting directly first.** Run `assistant oauth status google`. This will show whether or not the user had previously connected their google account. If so, they are ready to go.
-2. **If no connections are found:** The user needs to either use Vellum's managed google integration or set up their own google oauth app. 
-   - Call `skill_load` with `skill: "vellum-oauth-integrations"` with `provider-key: google` throughout.
-   - To use `your-own` mode, you will need to call `skill_load` with `skill: google-oauth-app-setup`. In this case:
-      - Tell the user Google account isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
-      - **message:** "Ready to set up Google Calendar?"
-      - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials - creating a project, enabling APIs, and connecting your account. Takes about 5 minutes.\n\n**Your emails stay under your control** — I only ever create drafts. Nothing gets sent without your explicit say-so."
-      - **confirmLabel:** "Get Started"
-      - **cancelLabel:** "Not Now"
-      - If the user confirms, briefly acknowledge (e.g., "Setting up Google Calendar now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
+2. **If no connections are found:** Call `skill_load` with `skill: "vellum-oauth-integrations"`. The skill will evaluate whether managed or your-own mode is appropriate and guide the user accordingly.
 
 ## Capabilities
 

package/src/config/bundled-skills/messaging/SKILL.md

@@ -19,13 +19,13 @@ You are a unified messaging assistant with access to multiple platforms (Gmail,
 
 When composing messages on behalf of your user to external recipients, refer to yourself as an "assistant" (not "AI assistant"). Use your user's name and pronouns from USER.md. Don't volunteer that you are an AI unless directly asked.
 
-For Gmail management (archive, label, triage, declutter), load the **gmail** skill. For email sequences, load the **sequences** skill.
+For Email management (archive, label, triage, declutter), load the **gmail** or **outlook** skill. For email sequences, load the **sequences** skill.
 
 ## Email Routing Priority
 
-When the user mentions "email" - sending, reading, checking, decluttering, drafting, or anything else - **always default to the user's own email (Gmail)** unless they explicitly ask about the assistant's own email address (e.g., "set up your email", "send from your address", "check your inbox"). The vast majority of email requests are about the user's Gmail, not the assistant's AgentMail address.
+When the user mentions "email" - sending, reading, checking, decluttering, drafting, or anything else - **always default to the user's own email** unless they explicitly ask about the assistant's own email address (e.g., "set up your email", "send from your address", "check your inbox"). The vast majority of email requests are about the user's Gmail or Outlook, not the assistant's AgentMail address.
 
-Do not offer AgentMail as an option or mention it unless the user specifically asks. If Gmail is not connected, guide them through Gmail setup - do not suggest AgentMail as an alternative.
+Do not offer AgentMail as an option or mention it unless the user specifically asks. If Gmail and Outlookk are not connected, guide them through setup - do not suggest AgentMail as an alternative.
 
 ## Communication Style
 
@@ -44,33 +44,25 @@ Before using any messaging tool, verify that the platform is connected by callin
 
 ### Public Ingress (required for Telegram)
 
-Telegram setup requires webhook routing, but it does **not** always require ngrok. Before suggesting public ingress for Telegram, check managed callback availability with `assistant platform status --json`. If that reports `containerized: true` with a non-empty `assistantId` and `available: true`, use the platform callback route flow and do not prompt for ngrok. Only use the **public-ingress** skill for local assistants that genuinely need a public gateway URL. Slack uses Socket Mode and does not require public ingress. Gmail on the desktop app uses a loopback callback and does not require public ingress; the channel path (Path B in the google-oauth-app-setup skill) handles public ingress internally when needed.
+Telegram setup requires webhook routing, but it does **not** always require ngrok. Before suggesting public ingress for Telegram, check managed callback availability with `assistant platform status --json`. If that reports `isPlatform: true` with a non-empty `assistantId` and `available: true`, use the platform callback route flow and do not prompt for ngrok. Only use the **public-ingress** skill for local assistants that genuinely need a public gateway URL. Slack uses Socket Mode and does not require public ingress. Gmail/Outlook on the desktop app uses a loopback callback and does not require public ingress; the channel path (Path B in the vellum-oauth-integrations skill) handles public ingress internally when needed.
 
 ### Email Connection Flow
 
 When the user asks to "connect my email", "set up email", "manage my email", or similar - and has not named a specific provider:
 
-1. **Discover what's connected.** Call `messaging_auth_test` for `gmail` (and any other email-capable platforms). If one succeeds, tell the user it's already connected and proceed with their request.
+1. **Discover what's connected.** Call `messaging_auth_test` for `gmail`or `outlook` (and any other email-capable platforms). If one succeeds, tell the user it's already connected and proceed with their request.
 2. **If nothing is connected**, ask which provider they use - but keep it brief and conversational (e.g., "Which email do you use - Gmail, Outlook, etc.?"), not a numbered list of options with descriptions.
-3. **Once the provider is known, act immediately.** Don't present setup options or explain OAuth. If it's Gmail, follow the Gmail section below. For any other provider, let the user know that only Gmail is fully supported right now, and offer to set up Gmail instead.
+3. **Once the provider is known, act immediately.** Don't present setup options or explain OAuth. If it's Gmail or Outlook, follow the sections below. For any other provider, let the user know that only Gmail and Outlook are fully supported right now, and offer to set up Gmail/Outlook instead.
 
 ### Gmail
 
 1. **Try connecting directly first.** Run `assistant oauth status google`. This will show whether or not the user had previously connected their google account. If so, they are ready to go.
-2. **If no connections are found:** The user needs to either use Vellum's managed google integration or set up their own google oauth app.
-   - Call `skill_load` with `skill: "vellum-oauth-integrations"` with `provider-key: google` throughout.
-   - To use `your-own` mode, you will need to call `skill_load` with `skill: google-oauth-app-setup`. In this case:
-     - Tell the user Gmail isn't connected yet and briefly explain what the setup involves, then use `ui_show` with `surface_type: "confirmation"` to ask for permission to start:
-     - **message:** "Ready to set up Gmail?"
-     - **detail:** "I'll open a few pages in your browser and walk you through setting up Google Cloud credentials - creating a project, enabling APIs, and connecting your account. Takes about 5 minutes."
-     - **confirmLabel:** "Get Started"
-     - **cancelLabel:** "Not Now"
-     - If the user confirms, briefly acknowledge (e.g., "Setting up Gmail now...") and proceed with the setup guide. If they decline, acknowledge and let them know they can set it up later.
+2. **If no connections are found:** Call `skill_load` with `skill: "vellum-oauth-integrations"`. The skill will evaluate whether managed or your-own mode is appropriate and guide the user accordingly.
 
 ### Outlook
 
 1. **Try connecting directly first.** Run `assistant oauth status outlook`. This will show whether the user has previously connected their Outlook account.
-2. **If no connections are found:** Guide the user to connect their Microsoft account through the OAuth flow.
+2. **If no connections are found:** Call `skill_load` with `skill: "vellum-oauth-integrations"`. The skill will evaluate whether managed or your-own mode is appropriate and guide the user accordingly.
 
 ### Slack
 
@@ -101,7 +93,7 @@ The guardian-verify-setup skill handles the full outbound verification flow for
 When a messaging tool fails with a token or authorization error:
 
 1. **Try to reconnect silently.** Run `assistant oauth ping <provider>`. This often resolves expired tokens automatically.
-2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately follow the connection setup flow for that platform (e.g., install and load **google-oauth-app-setup** for Gmail). The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
+2. **If reconnection fails, go straight to setup.** Don't present options, ask which route the user prefers, or explain what went wrong technically. Just tell the user briefly (e.g., "Gmail needs to be reconnected - let me set that up") and immediately load **vellum-oauth-integrations**. The user came to you to get something done, not to troubleshoot OAuth - make it seamless.
 3. **Never try alternative approaches.** Don't use bash, curl, browser automation, or any workaround. If the messaging tools can't do it, the reconnection flow is the answer.
 4. **Never expose error details.** The user doesn't need to see error messages about tokens, OAuth, or API failures. Translate errors into plain language.
 
@@ -114,7 +106,7 @@ When a messaging tool fails with a token or authorization error:
 
 ## Capabilities
 
-### Universal (Gmail)
+### Gmail
 
 - **Auth Test**: Verify connection and show account info
 - **List Conversations**: Show inboxes, DMs with unread counts

package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts

@@ -1,10 +1,9 @@
-import { and, eq } from "drizzle-orm";
+import { and, eq, sql } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
 import { getDb } from "../../../../memory/db.js";
-import { computeMemoryFingerprint } from "../../../../memory/fingerprint.js";
 import { enqueueMemoryJob } from "../../../../memory/jobs-store.js";
-import { memoryItems } from "../../../../memory/schema.js";
+import { memoryGraphNodes } from "../../../../memory/schema.js";
 import { clampUnitInterval } from "../../../../memory/validation.js";
 import { extractStylePatterns } from "../../../../messaging/style-analyzer.js";
 import type {
@@ -14,6 +13,12 @@ import type {
 import { truncate } from "../../../../util/truncate.js";
 import { err, getProviderConnection, ok, resolveProvider } from "./shared.js";
 
+/** Map legacy caller kinds to valid MemoryType values. */
+const KIND_TO_MEMORY_TYPE: Record<string, string> = {
+  style: "behavioral",
+  relationship: "semantic",
+};
+
 function upsertMemoryItem(opts: {
   kind: string;
   subject: string;
@@ -23,58 +28,60 @@ function upsertMemoryItem(opts: {
 }): void {
   const db = getDb();
   const now = Date.now();
-  const fingerprint = computeMemoryFingerprint(
-    opts.scopeId,
-    opts.kind,
-    opts.subject,
-    opts.statement,
-  );
+  const content = `${opts.subject}\n${opts.statement}`;
 
   const existing = db
     .select()
-    .from(memoryItems)
+    .from(memoryGraphNodes)
     .where(
       and(
-        eq(memoryItems.fingerprint, fingerprint),
-        eq(memoryItems.scopeId, opts.scopeId),
+        eq(memoryGraphNodes.content, content),
+        eq(memoryGraphNodes.scopeId, opts.scopeId),
+        sql`${memoryGraphNodes.fidelity} != 'gone'`,
       ),
     )
     .get();
 
   if (existing) {
-    db.update(memoryItems)
+    db.update(memoryGraphNodes)
       .set({
-        statement: opts.statement,
-        status: "active",
-        importance: clampUnitInterval(
-          Math.max(existing.importance ?? 0, opts.importance),
+        content,
+        type: KIND_TO_MEMORY_TYPE[opts.kind] ?? opts.kind,
+        fidelity: "vivid",
+        significance: clampUnitInterval(
+          Math.max(existing.significance ?? 0, opts.importance),
         ),
-        lastSeenAt: now,
-        sourceType: existing.sourceType === "tool" ? "tool" : "extraction",
+        lastAccessed: now,
+        sourceType: existing.sourceType === "direct" ? "direct" : "inferred",
       })
-      .where(eq(memoryItems.id, existing.id))
+      .where(eq(memoryGraphNodes.id, existing.id))
       .run();
-    enqueueMemoryJob("embed_item", { itemId: existing.id });
+    enqueueMemoryJob("embed_graph_node", { nodeId: existing.id });
   } else {
     const id = uuid();
-    db.insert(memoryItems)
+    db.insert(memoryGraphNodes)
       .values({
         id,
-        kind: opts.kind,
-        subject: opts.subject,
-        statement: opts.statement,
-        status: "active",
+        content,
+        type: KIND_TO_MEMORY_TYPE[opts.kind] ?? opts.kind,
+        created: now,
+        lastAccessed: now,
+        lastConsolidated: now,
+        emotionalCharge: '{"valence":0,"intensity":0.1,"decayCurve":"linear","decayRate":0.05,"originalIntensity":0.1}',
+        fidelity: "vivid",
         confidence: 0.8,
-        importance: clampUnitInterval(opts.importance),
-        fingerprint,
-        sourceType: "extraction",
+        significance: clampUnitInterval(opts.importance),
+        stability: 14,
+        reinforcementCount: 0,
+        lastReinforced: now,
+        sourceConversations: "[]",
+        sourceType: "inferred",
+        narrativeRole: null,
+        partOfStory: null,
         scopeId: opts.scopeId,
-        firstSeenAt: now,
-        lastSeenAt: now,
-        lastUsedAt: null,
       })
       .run();
-    enqueueMemoryJob("embed_item", { itemId: id });
+    enqueueMemoryJob("embed_graph_node", { nodeId: id });
   }
 }