@vellumai/assistant 0.5.6 → 0.5.8

package/src/cli/commands/credentials.ts

@@ -12,11 +12,6 @@ import {
   type OAuthConnectionRow,
 } from "../../oauth/oauth-store.js";
 import { credentialKey } from "../../security/credential-key.js";
-import {
-  deleteSecureKeyAsync,
-  getSecureKeyAsync,
-  setSecureKeyAsync,
-} from "../../security/secure-keys.js";
 import {
   assertMetadataWritable,
   type CredentialMetadata,
@@ -26,9 +21,33 @@ import {
   listCredentialMetadata,
   upsertCredentialMetadata,
 } from "../../tools/credentials/metadata-store.js";
+import {
+  deleteSecureKeyViaDaemon,
+  getSecureKeyResultViaDaemon,
+  getSecureKeyViaDaemon,
+  setSecureKeyViaDaemon,
+} from "../lib/daemon-credential-client.js";
 import { log } from "../logger.js";
 import { shouldOutputJson, writeOutput } from "../output.js";
 
+// ---------------------------------------------------------------------------
+// Format-aware error output
+// ---------------------------------------------------------------------------
+
+/**
+ * Write an error message respecting the output format. In JSON mode, emit a
+ * structured `{ ok: false, error }` object to stdout. In human mode, write
+ * plain text to stderr so the assistant (LLM) doesn't receive JSON that it
+ * might misinterpret as data.
+ */
+function writeError(cmd: Command, message: string): void {
+  if (shouldOutputJson(cmd)) {
+    writeOutput(cmd, { ok: false, error: message });
+  } else {
+    process.stderr.write(`Error: ${message}\n`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // CES shell lockdown guard
 // ---------------------------------------------------------------------------
@@ -309,7 +328,7 @@ Examples:
 
         const credentials = await Promise.all(
           allMetadata.map(async (m) => {
-            const secret = await getSecureKeyAsync(
+            const secret = await getSecureKeyViaDaemon(
               credentialKey(m.service, m.field),
             );
             const connection = connectionsByProvider.get(m.service);
@@ -335,13 +354,13 @@ Examples:
           managedOutputs = descriptors.map(buildManagedCredentialOutput);
         }
 
-        writeOutput(cmd, {
-          ok: true,
-          credentials,
-          managedCredentials: managedOutputs,
-        });
-
-        if (!shouldOutputJson(cmd)) {
+        if (shouldOutputJson(cmd)) {
+          writeOutput(cmd, {
+            ok: true,
+            credentials,
+            managedCredentials: managedOutputs,
+          });
+        } else {
           const totalCount = credentials.length + managedOutputs.length;
           if (totalCount === 0) {
             log.info("No credentials found");
@@ -366,7 +385,7 @@ Examples:
         }
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
+        writeError(cmd, message);
         process.exitCode = 1;
       }
     });
@@ -417,16 +436,16 @@ Examples:
       ) => {
         try {
           const { service, field } = opts;
-          const storageKey = credentialKey(service, field);
 
           assertMetadataWritable();
 
-          const stored = await setSecureKeyAsync(storageKey, value);
+          const stored = await setSecureKeyViaDaemon(
+            "credential",
+            `${service}:${field}`,
+            value,
+          );
           if (!stored) {
-            writeOutput(cmd, {
-              ok: false,
-              error: `Failed to store secret for ${service}:${field}`,
-            });
+            writeError(cmd, `Failed to store secret for ${service}:${field}`);
             process.exitCode = 1;
             return;
           }
@@ -442,21 +461,21 @@ Examples:
           });
           await syncManualTokenConnection(service);
 
-          writeOutput(cmd, {
-            ok: true,
-            credentialId: metadata.credentialId,
-            service,
-            field,
-          });
-
-          if (!shouldOutputJson(cmd)) {
+          if (shouldOutputJson(cmd)) {
+            writeOutput(cmd, {
+              ok: true,
+              credentialId: metadata.credentialId,
+              service,
+              field,
+            });
+          } else {
             log.info(
               `Stored credential ${service}:${field} (${metadata.credentialId})`,
             );
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
-          writeOutput(cmd, { ok: false, error: message });
+          writeError(cmd, message);
           process.exitCode = 1;
         }
       },
@@ -484,16 +503,18 @@ Examples:
     .action(async (opts: { service: string; field: string }, cmd: Command) => {
       try {
         const { service, field } = opts;
-        const storageKey = credentialKey(service, field);
 
         assertMetadataWritable();
 
-        const secretResult = await deleteSecureKeyAsync(storageKey);
+        const secretResult = await deleteSecureKeyViaDaemon(
+          "credential",
+          `${service}:${field}`,
+        );
         if (secretResult === "error") {
-          writeOutput(cmd, {
-            ok: false,
-            error: "Failed to delete credential from secure storage",
-          });
+          writeError(
+            cmd,
+            "Failed to delete credential from secure storage",
+          );
           process.exitCode = 1;
           return;
         }
@@ -510,10 +531,10 @@ Examples:
         }
 
         if (oauthResult === "error") {
-          writeOutput(cmd, {
-            ok: false,
-            error: "Failed to disconnect OAuth provider — please try again",
-          });
+          writeError(
+            cmd,
+            "Failed to disconnect OAuth provider — please try again",
+          );
           process.exitCode = 1;
           return;
         }
@@ -523,19 +544,19 @@ Examples:
           !metadataDeleted &&
           oauthResult !== "disconnected"
         ) {
-          writeOutput(cmd, { ok: false, error: "Credential not found" });
+          writeError(cmd, "Credential not found");
           process.exitCode = 1;
           return;
         }
 
-        writeOutput(cmd, { ok: true, service, field });
-
-        if (!shouldOutputJson(cmd)) {
+        if (shouldOutputJson(cmd)) {
+          writeOutput(cmd, { ok: true, service, field });
+        } else {
           log.info(`Deleted credential ${service}:${field}`);
         }
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
+        writeError(cmd, message);
         process.exitCode = 1;
       }
     });
@@ -594,24 +615,31 @@ Examples:
               field = metadata.field;
             } else {
               // No metadata found by UUID, and we can't determine the storage key
-              writeOutput(cmd, { ok: false, error: "Credential not found" });
+              writeError(cmd, "Credential not found");
               process.exitCode = 1;
               return;
             }
           } else {
-            writeOutput(cmd, {
-              ok: false,
-              error:
-                "Either --service and --field flags or a credential UUID is required",
-            });
+            writeError(
+              cmd,
+              "Either --service and --field flags or a credential UUID is required",
+            );
             process.exitCode = 1;
             return;
           }
 
-          const secret = await getSecureKeyAsync(storageKey);
+          const { value: secret, unreachable } =
+            await getSecureKeyResultViaDaemon(storageKey);
 
           if (!metadata && (secret == null || secret.length === 0)) {
-            writeOutput(cmd, { ok: false, error: "Credential not found" });
+            if (unreachable) {
+              writeError(
+                cmd,
+                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+              );
+            } else {
+              writeError(cmd, "Credential not found");
+            }
             process.exitCode = 1;
             return;
           }
@@ -620,23 +648,23 @@ Examples:
           // This can happen if someone stored a key directly without going through the
           // credential set command. Build a minimal output in that case.
           if (!metadata) {
-            writeOutput(cmd, {
-              ok: true,
-              service: service,
-              field: field,
-              credentialId: null,
-              scrubbedValue: scrubSecret(secret),
-              hasSecret: secret != null && secret.length > 0,
-              alias: null,
-              usageDescription: null,
-              allowedTools: [],
-              allowedDomains: [],
-              createdAt: null,
-              updatedAt: null,
-              injectionTemplateCount: 0,
-            });
-
-            if (!shouldOutputJson(cmd)) {
+            if (shouldOutputJson(cmd)) {
+              writeOutput(cmd, {
+                ok: true,
+                service: service,
+                field: field,
+                credentialId: null,
+                scrubbedValue: scrubSecret(secret),
+                hasSecret: secret != null && secret.length > 0,
+                alias: null,
+                usageDescription: null,
+                allowedTools: [],
+                allowedDomains: [],
+                createdAt: null,
+                updatedAt: null,
+                injectionTemplateCount: 0,
+              });
+            } else {
               log.info(`  ${service}:${field}`);
               log.info(`    Value:       ${scrubSecret(secret)}`);
               log.info("    (no metadata record)");
@@ -646,14 +674,25 @@ Examples:
 
           const connection = safeGetConnectionByProvider(metadata.service);
           const output = buildCredentialOutput(metadata, secret, connection);
-          writeOutput(cmd, output);
 
-          if (!shouldOutputJson(cmd)) {
+          if (unreachable && (secret == null || secret.length === 0)) {
+            output.scrubbedValue = "(broker unreachable)";
+            output.brokerUnreachable = true;
+          }
+
+          if (shouldOutputJson(cmd)) {
+            writeOutput(cmd, output);
+          } else {
             printCredentialHuman(output);
+            if (unreachable && (secret == null || secret.length === 0)) {
+              log.info(
+                "    \u26A0 Keychain broker unreachable — restart the Vellum app and accept the macOS Keychain prompt to access credentials",
+              );
+            }
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
-          writeOutput(cmd, { ok: false, error: message });
+          writeError(cmd, message);
           process.exitCode = 1;
         }
       },
@@ -697,7 +736,7 @@ Examples:
         try {
           // CES shell lockdown: deny raw secret reveal in untrusted shells.
           if (isUntrustedShell()) {
-            writeOutput(cmd, { ok: false, error: UNTRUSTED_SHELL_ERROR });
+            writeError(cmd, UNTRUSTED_SHELL_ERROR);
             process.exitCode = 1;
             return;
           }
@@ -711,24 +750,31 @@ Examples:
             if (metadata) {
               storageKey = credentialKey(metadata.service, metadata.field);
             } else {
-              writeOutput(cmd, { ok: false, error: "Credential not found" });
+              writeError(cmd, "Credential not found");
               process.exitCode = 1;
               return;
             }
           } else {
-            writeOutput(cmd, {
-              ok: false,
-              error:
-                "Either --service and --field flags or a credential UUID is required",
-            });
+            writeError(
+              cmd,
+              "Either --service and --field flags or a credential UUID is required",
+            );
             process.exitCode = 1;
             return;
           }
 
-          const secret = await getSecureKeyAsync(storageKey);
+          const { value: secret, unreachable } =
+            await getSecureKeyResultViaDaemon(storageKey);
 
           if (secret == null || secret.length === 0) {
-            writeOutput(cmd, { ok: false, error: "Credential not found" });
+            if (unreachable) {
+              writeError(
+                cmd,
+                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+              );
+            } else {
+              writeError(cmd, "Credential not found");
+            }
             process.exitCode = 1;
             return;
           }
@@ -740,7 +786,7 @@ Examples:
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
-          writeOutput(cmd, { ok: false, error: message });
+          writeError(cmd, message);
           process.exitCode = 1;
         }
       },

package/src/cli/commands/doctor.ts

@@ -7,7 +7,6 @@ import { getRuntimeHttpPort } from "../../config/env.js";
 import { loadRawConfig } from "../../config/loader.js";
 import { shouldAutoStartDaemon } from "../../daemon/connection-policy.js";
 import { isHttpHealthy } from "../../daemon/daemon-control.js";
-import { getProviderKeyAsync } from "../../security/secure-keys.js";
 import {
   getDbPath,
   getHooksDir,
@@ -16,6 +15,7 @@ import {
   getWorkspaceDir,
   getWorkspaceSkillsDir,
 } from "../../util/platform.js";
+import { getProviderKeyViaDaemon } from "../lib/daemon-credential-client.js";
 import { log } from "../logger.js";
 
 export function registerDoctorCommand(program: Command): void {
@@ -81,7 +81,7 @@ Examples:
         typeof rawInferenceProvider === "string"
           ? rawInferenceProvider
           : "anthropic";
-      const configKey = await getProviderKeyAsync(provider);
+      const configKey = await getProviderKeyViaDaemon(provider);
 
       if (provider === "ollama") {
         pass("Provider configured (Ollama; API key optional)");

package/src/cli/commands/keys.ts

@@ -2,10 +2,10 @@ import type { Command } from "commander";
 
 import { API_KEY_PROVIDERS } from "../../config/loader.js";
 import {
-  deleteSecureKeyAsync,
-  getSecureKeyAsync,
-  setSecureKeyAsync,
-} from "../../security/secure-keys.js";
+  deleteSecureKeyViaDaemon,
+  getSecureKeyViaDaemon,
+  setSecureKeyViaDaemon,
+} from "../lib/daemon-credential-client.js";
 import { log } from "../logger.js";
 
 // ---------------------------------------------------------------------------
@@ -61,7 +61,7 @@ Examples:
     .action(async () => {
       const stored: string[] = [];
       for (const provider of API_KEY_PROVIDERS) {
-        const value = await getSecureKeyAsync(provider);
+        const value = await getSecureKeyViaDaemon(provider);
         if (value) stored.push(provider);
       }
       if (stored.length === 0) {
@@ -99,7 +99,7 @@ Examples:
         process.exit(1);
       }
 
-      if (await setSecureKeyAsync(provider, key)) {
+      if (await setSecureKeyViaDaemon("api_key", provider, key)) {
         log.info(`Stored API key for "${provider}"`);
       } else {
         log.error(`Failed to store API key for "${provider}"`);
@@ -130,7 +130,7 @@ Examples:
         process.exit(1);
       }
 
-      const result = await deleteSecureKeyAsync(provider);
+      const result = await deleteSecureKeyViaDaemon("api_key", provider);
       if (result === "deleted") {
         log.info(`Deleted API key for "${provider}"`);
       } else if (result === "error") {

package/src/cli/commands/memory.ts

@@ -183,7 +183,7 @@ Examples:
         log.info(`Memory degraded: ${result.reason ?? "unknown reason"}`);
       }
       log.info(`Semantic hits: ${result.semanticHits}`);
-      log.info(`Recency hits: ${result.recencyHits}`);
+      log.info("Recency hits: 0");
       log.info(`Injected tokens: ${result.injectedTokens}`);
       log.info(`Latency: ${result.latencyMs}ms`);
       if (result.injectedText.length > 0) {

package/src/cli/commands/oauth/connections.ts

@@ -19,17 +19,16 @@ import {
   getProviderBehavior,
   resolveService,
 } from "../../../oauth/provider-behaviors.js";
-import { credentialKey } from "../../../security/credential-key.js";
-import {
-  deleteSecureKeyAsync,
-  getSecureKeyAsync,
-} from "../../../security/secure-keys.js";
 import { withValidToken } from "../../../security/token-manager.js";
 import {
   assertMetadataWritable,
   deleteCredentialMetadata,
 } from "../../../tools/credentials/metadata-store.js";
-import { isLinux, isMacOS } from "../../../util/platform.js";
+import { openInBrowser } from "../../../util/browser.js";
+import {
+  deleteSecureKeyViaDaemon,
+  getSecureKeyViaDaemon,
+} from "../../lib/daemon-credential-client.js";
 import { getCliLogger } from "../../logger.js";
 import { shouldOutputJson, writeOutput } from "../../output.js";
 
@@ -538,8 +537,10 @@ Examples:
             "client_secret",
           ];
           for (const field of legacyFields) {
-            const key = credentialKey(providerKey, field);
-            const result = await deleteSecureKeyAsync(key);
+            const result = await deleteSecureKeyViaDaemon(
+              "credential",
+              `${providerKey}:${field}`,
+            );
             if (result === "deleted") cleanedUp = true;
 
             const metaDeleted = deleteCredentialMetadata(providerKey, field);
@@ -633,7 +634,7 @@ Examples:
 
           if (dbApp) {
             if (!clientId) clientId = dbApp.clientId;
-            const storedSecret = await getSecureKeyAsync(
+            const storedSecret = await getSecureKeyViaDaemon(
               dbApp.clientSecretCredentialPath,
             );
             if (storedSecret) clientSecret = storedSecret;
@@ -685,26 +686,7 @@ Examples:
             clientId,
             clientSecret,
             isInteractive: !!opts.openBrowser,
-            openUrl: opts.openBrowser
-              ? (url) => {
-                  if (isMacOS()) {
-                    Bun.spawn(["open", url], {
-                      stdout: "ignore",
-                      stderr: "ignore",
-                    });
-                  } else if (isLinux()) {
-                    Bun.spawn(["xdg-open", url], {
-                      stdout: "ignore",
-                      stderr: "ignore",
-                    });
-                  } else {
-                    // Fallback: print URL for manual opening (stderr to keep --json stdout clean)
-                    process.stderr.write(
-                      `Open this URL to authorize:\n\n${url}\n`,
-                    );
-                  }
-                }
-              : undefined,
+            openUrl: opts.openBrowser ? openInBrowser : undefined,
             ...(opts.scopes ? { requestedScopes: opts.scopes } : {}),
           });
 

package/src/cli/commands/oauth/index.ts

@@ -2,6 +2,7 @@ import type { Command } from "commander";
 
 import { registerAppCommands } from "./apps.js";
 import { registerConnectionCommands } from "./connections.js";
+import { registerPlatformCommands } from "./platform.js";
 import { registerProviderCommands } from "./providers.js";
 
 export function registerOAuthCommand(program: Command): void {
@@ -49,4 +50,10 @@ Examples:
   // ---------------------------------------------------------------------------
 
   registerConnectionCommands(oauth);
+
+  // ---------------------------------------------------------------------------
+  // platform — subcommand group
+  // ---------------------------------------------------------------------------
+
+  registerPlatformCommands(oauth);
 }