@vellumai/assistant 0.5.6 → 0.5.7

package/src/calls/call-store.ts

@@ -41,6 +41,10 @@ const parseCallSession = createRowMapper<
   inviteGuardianName: "inviteGuardianName",
   callerIdentityMode: "callerIdentityMode",
   callerIdentitySource: "callerIdentitySource",
+  skipDisclosure: {
+    from: "skipDisclosure",
+    transform: (v: unknown) => v === 1,
+  },
   initiatedFromConversationId: "initiatedFromConversationId",
   startedAt: "startedAt",
   endedAt: "endedAt",
@@ -87,11 +91,13 @@ export function createCallSession(opts: {
   inviteGuardianName?: string;
   callerIdentityMode?: string;
   callerIdentitySource?: string;
+  skipDisclosure?: boolean;
   initiatedFromConversationId?: string;
 }): CallSession {
   const db = getDb();
   const now = Date.now();
-  const session = {
+  const skipDisclosure = opts.skipDisclosure ?? false;
+  const row = {
     id: uuid(),
     conversationId: opts.conversationId,
     provider: opts.provider,
@@ -106,6 +112,7 @@ export function createCallSession(opts: {
     inviteGuardianName: opts.inviteGuardianName ?? null,
     callerIdentityMode: opts.callerIdentityMode ?? null,
     callerIdentitySource: opts.callerIdentitySource ?? null,
+    skipDisclosure: skipDisclosure ? 1 : 0,
     initiatedFromConversationId: opts.initiatedFromConversationId ?? null,
     startedAt: null,
     endedAt: null,
@@ -113,8 +120,8 @@ export function createCallSession(opts: {
     createdAt: now,
     updatedAt: now,
   };
-  db.insert(callSessions).values(session).run();
-  return session;
+  db.insert(callSessions).values(row).run();
+  return { ...row, skipDisclosure };
 }
 
 export function getCallSession(id: string): CallSession | null {

package/src/calls/fish-audio-client.ts

@@ -0,0 +1,117 @@
+import type { FishAudioConfig } from "../config/schemas/fish-audio.js";
+import { credentialKey } from "../security/credential-key.js";
+import { getSecureKeyAsync } from "../security/secure-keys.js";
+import { getLogger } from "../util/logger.js";
+
+const log = getLogger("fish-audio-client");
+
+/** Timeout waiting for the first chunk from Fish Audio (ms). */
+const FIRST_CHUNK_TIMEOUT_MS = 10_000;
+
+/** Timeout waiting between consecutive chunks (ms). */
+const IDLE_TIMEOUT_MS = 5_000;
+
+// ---------------------------------------------------------------------------
+// Fish Audio REST API (POST /v1/tts)
+// ---------------------------------------------------------------------------
+
+interface SynthesizeOptions {
+  onChunk?: (chunk: Uint8Array) => void;
+  signal?: AbortSignal;
+}
+
+/**
+ * Synthesize text to audio using the Fish Audio REST API with the s2-pro
+ * model. Streams audio chunks via the optional `onChunk` callback as they
+ * arrive from the server's chunked transfer-encoded response. Returns the
+ * complete audio buffer when the response finishes.
+ *
+ * Pass an `AbortSignal` to cancel in-flight synthesis (e.g. on barge-in).
+ */
+export async function synthesizeWithFishAudio(
+  text: string,
+  config: FishAudioConfig,
+  options?: SynthesizeOptions,
+): Promise<Buffer> {
+  const apiKey = await getSecureKeyAsync(
+    credentialKey("fish-audio", "api_key"),
+  );
+  if (!apiKey) {
+    throw new Error(
+      "Fish Audio API key not configured. Store it via: assistant credentials set --service fish-audio --field api_key <key>",
+    );
+  }
+
+  const body = {
+    text,
+    reference_id: config.referenceId || undefined,
+    model: "s2-pro",
+    format: config.format,
+    mp3_bitrate: 192,
+    chunk_length: config.chunkLength,
+    normalize: true,
+    latency: config.latency,
+    temperature: 1.0,
+    prosody: config.speed !== 1.0 ? { speed: config.speed } : undefined,
+  };
+
+  log.info(
+    {
+      referenceId: config.referenceId,
+      format: config.format,
+      textLength: text.length,
+    },
+    "Starting Fish Audio synthesis",
+  );
+
+  const response = await fetch("https://api.fish.audio/v1/tts", {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${apiKey}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(body),
+    signal: options?.signal,
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Fish Audio API error (${response.status}): ${errorText}`);
+  }
+
+  if (!response.body) {
+    throw new Error("Fish Audio API returned no body");
+  }
+
+  const chunks: Uint8Array[] = [];
+  const reader = response.body.getReader();
+  let isFirstChunk = true;
+
+  while (true) {
+    const timeoutMs = isFirstChunk ? FIRST_CHUNK_TIMEOUT_MS : IDLE_TIMEOUT_MS;
+    const timeout = new Promise<never>((_, reject) =>
+      setTimeout(
+        () => reject(new Error(`Fish Audio read timed out after ${timeoutMs}ms`)),
+        timeoutMs,
+      ),
+    );
+    const { done, value } = await Promise.race([reader.read(), timeout]);
+    if (done) break;
+    if (value) {
+      isFirstChunk = false;
+      chunks.push(value);
+      options?.onChunk?.(value);
+    }
+  }
+
+  const totalLength = chunks.reduce((sum, c) => sum + c.byteLength, 0);
+  const merged = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const chunk of chunks) {
+    merged.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+
+  log.debug({ bytes: totalLength }, "Fish Audio synthesis complete");
+  return Buffer.from(merged);
+}

package/src/calls/relay-server.ts

@@ -139,6 +139,12 @@ export interface RelayEndMessage {
   handoffData?: string;
 }
 
+export interface RelayPlayMessage {
+  type: "play";
+  source: string;
+  interruptible: boolean;
+}
+
 // ── WebSocket data type ──────────────────────────────────────────────
 
 export interface RelayWebSocketData {
@@ -323,6 +329,27 @@ export class RelayConnection {
     }
   }
 
+  /**
+   * Send a play-audio URL to the caller. Used when the assistant handles
+   * TTS synthesis itself (e.g. Fish Audio) instead of relying on
+   * ConversationRelay's built-in TTS.
+   */
+  sendPlayUrl(url: string): void {
+    const message: RelayPlayMessage = {
+      type: "play",
+      source: url,
+      interruptible: true,
+    };
+    try {
+      this.ws.send(JSON.stringify(message));
+    } catch (err) {
+      log.error(
+        { err, callSessionId: this.callSessionId },
+        "Failed to send play URL",
+      );
+    }
+  }
+
   /**
    * End the ConversationRelay session.
    */

package/src/calls/twilio-routes.ts

@@ -49,6 +49,7 @@ export function generateTwiML(
   profile: {
     language: string;
     transcriptionProvider: string;
+    speechModel?: string;
     ttsProvider: string;
     voice: string;
   },
@@ -91,7 +92,7 @@ export function generateTwiML(
 ${greetingAttr}
       voice="${escapeXml(profile.voice)}"
       language="${escapeXml(profile.language)}"
-      transcriptionProvider="${escapeXml(profile.transcriptionProvider)}"
+      transcriptionProvider="${escapeXml(profile.transcriptionProvider)}"${profile.speechModel ? `\n      speechModel="${escapeXml(profile.speechModel)}"` : ""}
       ttsProvider="${escapeXml(profile.ttsProvider)}"
       interruptible="true"
       dtmfDetection="true"

package/src/calls/types.ts

@@ -75,6 +75,7 @@ export interface CallSession {
   inviteGuardianName: string | null;
   callerIdentityMode: string | null;
   callerIdentitySource: string | null;
+  skipDisclosure: boolean;
   initiatedFromConversationId?: string | null;
   startedAt: number | null;
   endedAt: number | null;

package/src/calls/voice-ingress-preflight.ts

@@ -29,18 +29,6 @@ function fail(error: string): VoiceIngressPreflightFailure {
   };
 }
 
-function buildGatewayUnhealthyMessage(
-  target: string,
-  error: string | undefined,
-  afterRecoveryAttempt: boolean,
-): string {
-  const detail = error ?? "Unknown gateway health check failure";
-  if (afterRecoveryAttempt) {
-    return `Voice callback gateway is still unhealthy at ${target} after a local recovery attempt: ${detail}`;
-  }
-  return `Voice callback gateway is unhealthy at ${target}: ${detail}`;
-}
-
 export async function preflightVoiceIngress(): Promise<VoiceIngressPreflightResult> {
   const ingressConfig = loadConfig();
 
@@ -65,36 +53,6 @@ export async function preflightVoiceIngress(): Promise<VoiceIngressPreflightResu
     );
   }
 
-  const { ensureLocalGatewayReady, probeLocalGatewayHealth } =
-    await import("../runtime/local-gateway-health.js");
-
-  const initialHealth = await probeLocalGatewayHealth();
-  if (!initialHealth.healthy && !initialHealth.localDeployment) {
-    return fail(
-      buildGatewayUnhealthyMessage(
-        initialHealth.target,
-        initialHealth.error,
-        false,
-      ),
-    );
-  }
-
-  if (initialHealth.localDeployment) {
-    const recovery = await ensureLocalGatewayReady();
-    // Re-probe after the wake flow so the dial path only continues when the
-    // current gateway process is demonstrably serving the callback stack.
-    const confirmedHealth = await probeLocalGatewayHealth();
-    if (!confirmedHealth.healthy) {
-      return fail(
-        buildGatewayUnhealthyMessage(
-          confirmedHealth.target,
-          confirmedHealth.error ?? recovery.error,
-          recovery.recoveryAttempted,
-        ),
-      );
-    }
-  }
-
   return {
     ok: true,
     ingressConfig: {

package/src/calls/voice-quality.ts

@@ -3,6 +3,7 @@ import { loadConfig } from "../config/loader.js";
 export interface VoiceQualityProfile {
   language: string;
   transcriptionProvider: string;
+  speechModel?: string;
   ttsProvider: string;
   voice: string;
 }
@@ -42,19 +43,39 @@ export function buildElevenLabsVoiceSpec(config: {
 /**
  * Resolve the effective voice quality profile from config.
  *
- * Always uses ElevenLabs TTS via Twilio ConversationRelay.
- * The voice ID comes from the shared `elevenlabs.voiceId` config
- * (defaults to Amelia — ZF6FPAbjXT4488VcRRnw).
+ * Supports ElevenLabs (default) and Fish Audio TTS providers.
+ * When Fish Audio is selected, `ttsProvider` is set to `"Google"` as a
+ * placeholder — ConversationRelay requires a valid provider in TwiML, but
+ * actual audio is delivered via `play` messages from the call-controller.
+ * The voice string is left empty since it is unused in that mode.
+ *
+ * For ElevenLabs, the voice ID comes from the shared `elevenlabs.voiceId`
+ * config (defaults to Amelia — ZF6FPAbjXT4488VcRRnw).
  */
 export function resolveVoiceQualityProfile(
   config?: ReturnType<typeof loadConfig>,
 ): VoiceQualityProfile {
   const cfg = config ?? loadConfig();
   const voice = cfg.calls.voice;
+  const configuredTts = voice.ttsProvider ?? "elevenlabs";
+  const fishAudio = configuredTts === "fish-audio";
   return {
     language: voice.language,
     transcriptionProvider: voice.transcriptionProvider,
-    ttsProvider: "ElevenLabs",
-    voice: buildElevenLabsVoiceSpec(cfg.elevenlabs),
+    speechModel:
+      voice.speechModel ??
+      (voice.transcriptionProvider === "Google" ? undefined : "nova-3"),
+    ttsProvider: fishAudio ? "Google" : "ElevenLabs",
+    voice: fishAudio ? "" : buildElevenLabsVoiceSpec(cfg.elevenlabs),
   };
 }
+
+/**
+ * Check whether Fish Audio TTS is configured for phone calls.
+ */
+export function isFishAudioTts(
+  config?: ReturnType<typeof loadConfig>,
+): boolean {
+  const cfg = config ?? loadConfig();
+  return cfg.calls.voice?.ttsProvider === "fish-audio";
+}

package/src/calls/voice-session-bridge.ts

@@ -20,9 +20,7 @@ import type { ServerMessage } from "../daemon/message-protocol.js";
 import { buildAssistantEvent } from "../runtime/assistant-event.js";
 import { assistantEventHub } from "../runtime/assistant-event-hub.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
-import { checkIngressForSecrets } from "../security/secret-ingress.js";
 import { computeToolApprovalDigest } from "../security/tool-approval-digest.js";
-import { IngressBlockedError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
 import {
   CALL_OPENING_MARKER,
@@ -95,6 +93,8 @@ export interface VoiceTurnOptions {
   isInbound: boolean;
   /** The outbound call task, if any. */
   task?: string | null;
+  /** When true, skip the disclosure announcement for this call. */
+  skipDisclosure?: boolean;
   /** Called for each streaming text token from the agent loop. */
   onTextDelta: (text: string) => void;
   /** Called when the agent loop completes a full response. */
@@ -128,9 +128,11 @@ function buildVoiceCallControlPrompt(opts: {
   isInbound: boolean;
   task?: string | null;
   isCallerGuardian?: boolean;
+  skipDisclosure?: boolean;
 }): string {
   const config = getConfig();
-  const disclosureEnabled = config.calls?.disclosure?.enabled === true;
+  const disclosureEnabled =
+    config.calls?.disclosure?.enabled === true && !opts.skipDisclosure;
   const disclosureText = config.calls?.disclosure?.text?.trim();
   const disclosureRule =
     disclosureEnabled && disclosureText
@@ -240,15 +242,6 @@ export async function startVoiceTurn(
     );
   }
 
-  // Block inbound content that contains secrets
-  const ingressCheck = checkIngressForSecrets(opts.content);
-  if (ingressCheck.blocked) {
-    throw new IngressBlockedError(
-      ingressCheck.userNotice!,
-      ingressCheck.detectedTypes,
-    );
-  }
-
   const eventSink: VoiceRunEventSink = {
     onTextDelta: opts.onTextDelta,
     onMessageComplete: opts.onComplete,
@@ -286,6 +279,7 @@ export async function startVoiceTurn(
     isInbound: opts.isInbound,
     task: opts.task,
     isCallerGuardian,
+    skipDisclosure: opts.skipDisclosure,
   });
 
   // Get or create the conversation

package/src/cli/commands/config.ts

@@ -6,7 +6,6 @@ import {
   loadRawConfig,
   saveRawConfig,
   setNestedValue,
-  syncConfigToLockfile,
 } from "../../config/loader.js";
 import { AssistantConfigSchema } from "../../config/schema.js";
 import { getSchemaAtPath } from "../../config/schema-utils.js";
@@ -73,8 +72,7 @@ Arguments:
           true, "42" becomes number 42). Falls back to plain string if JSON
           parsing fails.
 
-After writing the value to config.json, the lockfile is automatically synced
-to reflect the updated configuration.
+After writing the value to config.json, the change takes effect immediately.
 
 To manage API keys, use "assistant keys set <provider> <key>" instead.
 
@@ -93,7 +91,6 @@ Examples:
       }
       setNestedValue(raw, key, parsed);
       saveRawConfig(raw);
-      syncConfigToLockfile();
       log.info(`Set ${key} = ${JSON.stringify(parsed)}`);
     });
 

package/src/cli/commands/credentials.ts

@@ -15,6 +15,7 @@ import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   getSecureKeyAsync,
+  getSecureKeyResultAsync,
   setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import {
@@ -608,10 +609,19 @@ Examples:
             return;
           }
 
-          const secret = await getSecureKeyAsync(storageKey);
+          const { value: secret, unreachable } =
+            await getSecureKeyResultAsync(storageKey);
 
           if (!metadata && (secret == null || secret.length === 0)) {
-            writeOutput(cmd, { ok: false, error: "Credential not found" });
+            if (unreachable) {
+              writeOutput(cmd, {
+                ok: false,
+                error:
+                  "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+              });
+            } else {
+              writeOutput(cmd, { ok: false, error: "Credential not found" });
+            }
             process.exitCode = 1;
             return;
           }
@@ -646,10 +656,21 @@ Examples:
 
           const connection = safeGetConnectionByProvider(metadata.service);
           const output = buildCredentialOutput(metadata, secret, connection);
+
+          if (unreachable && (secret == null || secret.length === 0)) {
+            output.scrubbedValue = "(broker unreachable)";
+            output.brokerUnreachable = true;
+          }
+
           writeOutput(cmd, output);
 
           if (!shouldOutputJson(cmd)) {
             printCredentialHuman(output);
+            if (unreachable && (secret == null || secret.length === 0)) {
+              log.info(
+                "    \u26A0 Keychain broker unreachable — restart the Vellum app and accept the macOS Keychain prompt to access credentials",
+              );
+            }
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
@@ -725,10 +746,19 @@ Examples:
             return;
           }
 
-          const secret = await getSecureKeyAsync(storageKey);
+          const { value: secret, unreachable } =
+            await getSecureKeyResultAsync(storageKey);
 
           if (secret == null || secret.length === 0) {
-            writeOutput(cmd, { ok: false, error: "Credential not found" });
+            if (unreachable) {
+              writeOutput(cmd, {
+                ok: false,
+                error:
+                  "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+              });
+            } else {
+              writeOutput(cmd, { ok: false, error: "Credential not found" });
+            }
             process.exitCode = 1;
             return;
           }

package/src/cli/commands/oauth/index.ts

@@ -2,6 +2,7 @@ import type { Command } from "commander";
 
 import { registerAppCommands } from "./apps.js";
 import { registerConnectionCommands } from "./connections.js";
+import { registerPlatformCommands } from "./platform.js";
 import { registerProviderCommands } from "./providers.js";
 
 export function registerOAuthCommand(program: Command): void {
@@ -49,4 +50,10 @@ Examples:
   // ---------------------------------------------------------------------------
 
   registerConnectionCommands(oauth);
+
+  // ---------------------------------------------------------------------------
+  // platform — subcommand group
+  // ---------------------------------------------------------------------------
+
+  registerPlatformCommands(oauth);
 }

package/src/cli/commands/oauth/platform.ts

@@ -0,0 +1,179 @@
+import type { Command } from "commander";
+
+import { getConfig } from "../../../config/loader.js";
+import {
+  type Services,
+  ServicesSchema,
+} from "../../../config/schemas/services.js";
+import { getProvider } from "../../../oauth/oauth-store.js";
+import { VellumPlatformClient } from "../../../platform/client.js";
+import { getCliLogger } from "../../logger.js";
+import { shouldOutputJson, writeOutput } from "../../output.js";
+
+const log = getCliLogger("cli");
+
+/**
+ * Normalize a bare provider name (e.g. "google") into the canonical provider
+ * key used internally (e.g. "integration:google").
+ */
+function toProviderKey(provider: string): string {
+  return provider.startsWith("integration:")
+    ? provider
+    : `integration:${provider}`;
+}
+
+export function registerPlatformCommands(oauth: Command): void {
+  const platform = oauth
+    .command("platform")
+    .description(
+      "Query platform-managed OAuth provider status and connections",
+    );
+
+  // ---------------------------------------------------------------------------
+  // platform status <provider>
+  // ---------------------------------------------------------------------------
+
+  platform
+    .command("status <provider>")
+    .description(
+      "Check whether a provider supports managed OAuth and list the user's active connections",
+    )
+    .addHelpText(
+      "after",
+      `
+Arguments:
+  provider   Provider name (e.g. google, slack, twitter)
+
+Checks whether the platform offers managed OAuth for the given provider,
+whether managed mode is currently enabled, and lists any active connections
+the user has set up on the platform.
+
+Examples:
+  $ assistant oauth platform status google
+  $ assistant oauth platform status slack --json`,
+    )
+    .action(
+      async (
+        provider: string,
+        _opts: Record<string, unknown>,
+        cmd: Command,
+      ) => {
+        try {
+          const providerKey = toProviderKey(provider);
+          const providerRow = getProvider(providerKey);
+
+          // 1. Check if the provider even supports managed mode
+          const managedKey = providerRow?.managedServiceConfigKey;
+          if (!managedKey || !(managedKey in ServicesSchema.shape)) {
+            writeOutput(cmd, {
+              ok: true,
+              provider,
+              managedAvailable: false,
+              managedEnabled: false,
+              connections: [],
+            });
+            if (!shouldOutputJson(cmd)) {
+              log.info(
+                `Provider "${provider}" does not support platform-managed OAuth`,
+              );
+            }
+            return;
+          }
+
+          // 2. Check if managed mode is enabled in the services config
+          const services: Services = getConfig().services;
+          const managedEnabled =
+            services[managedKey as keyof Services].mode === "managed";
+
+          if (!managedEnabled) {
+            writeOutput(cmd, {
+              ok: true,
+              provider,
+              managedAvailable: true,
+              managedEnabled: false,
+              connections: [],
+            });
+            if (!shouldOutputJson(cmd)) {
+              log.info(
+                `Provider "${provider}" supports managed OAuth but is set to "your-own" mode`,
+              );
+            }
+            return;
+          }
+
+          // 3. Fetch active connections from the platform
+          const client = await VellumPlatformClient.create();
+          if (!client || !client.platformAssistantId) {
+            writeOutput(cmd, {
+              ok: false,
+              error:
+                "Platform prerequisites not met (not logged in or missing assistant ID)",
+            });
+            process.exitCode = 1;
+            return;
+          }
+
+          const params = new URLSearchParams();
+          params.set("provider", provider);
+          params.set("status", "ACTIVE");
+
+          const path = `/v1/assistants/${encodeURIComponent(client.platformAssistantId)}/oauth/connections/?${params.toString()}`;
+          const response = await client.fetch(path);
+
+          if (!response.ok) {
+            writeOutput(cmd, {
+              ok: false,
+              error: `Platform returned HTTP ${response.status}`,
+            });
+            process.exitCode = 1;
+            return;
+          }
+
+          const body = (await response.json()) as unknown;
+
+          // The platform returns either a flat array or a {results: [...]} wrapper.
+          const rawEntries = (
+            Array.isArray(body)
+              ? body
+              : ((body as Record<string, unknown>).results ?? [])
+          ) as Array<{
+            id: string;
+            account_label?: string;
+            scopes_granted?: string[];
+            status?: string;
+          }>;
+
+          const connections = rawEntries.map((c) => ({
+            id: c.id,
+            accountLabel: c.account_label ?? null,
+            scopesGranted: c.scopes_granted ?? [],
+            status: c.status ?? "ACTIVE",
+          }));
+
+          writeOutput(cmd, {
+            ok: true,
+            provider,
+            managedAvailable: true,
+            managedEnabled: true,
+            connections,
+          });
+
+          if (!shouldOutputJson(cmd)) {
+            if (connections.length === 0) {
+              log.info(
+                `Provider "${provider}" is managed but has no active connections`,
+              );
+            } else {
+              log.info(
+                `Provider "${provider}": ${connections.length} active connection(s)`,
+              );
+            }
+          }
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeOutput(cmd, { ok: false, error: message });
+          process.exitCode = 1;
+        }
+      },
+    );
+}