@vellumai/assistant 0.5.6 → 0.5.8

package/src/config/loader.ts

@@ -2,19 +2,15 @@ import {
   existsSync,
   mkdirSync,
   readFileSync,
+  renameSync,
   statSync,
   writeFileSync,
 } from "node:fs";
-import { dirname } from "node:path";
+import { dirname, join } from "node:path";
 
 import { ConfigError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
-import {
-  ensureDataDir,
-  getWorkspaceConfigPath,
-  readLockfile,
-  writeLockfile,
-} from "../util/platform.js";
+import { ensureDataDir, getWorkspaceConfigPath } from "../util/platform.js";
 import { AssistantConfigSchema } from "./schema.js";
 import type { AssistantConfig } from "./types.js";
 
@@ -44,19 +40,16 @@ function ensureMigratedDataDir(): void {
 }
 
 /**
- * Zod 4's .default({}) returns {} as output without running inner-schema
- * parsing, so nested object defaults are never applied. Re-parse the config
- * to cascade defaults through each nesting level.
- * Max chain of .default({}) on object schemas is 4
- * (e.g. memory → retrieval → freshness → maxAgeDays),
- * so 5 parses are needed (N+1) to fully cascade.
+ * Parse a raw config through the Zod schema, applying all nested defaults.
+ *
+ * All nested object schemas use `.default(SubSchema.parse({}))` which
+ * pre-computes fully-resolved defaults at schema construction time, so a
+ * single parse is sufficient to cascade defaults through every nesting level.
  */
 export function applyNestedDefaults(config: unknown): AssistantConfig {
-  let current: unknown = config;
-  for (let i = 0; i < 5; i++) {
-    current = AssistantConfigSchema.parse(current);
-  }
-  return current as AssistantConfig;
+  return structuredClone(
+    AssistantConfigSchema.parse(config),
+  ) as AssistantConfig;
 }
 
 function cloneDefaultConfig(): AssistantConfig {
@@ -214,6 +207,35 @@ export function deepMergeMissing(
   return changed;
 }
 
+/**
+ * Deep-merge `overrides` into `target`, overwriting leaf values.
+ * Recursively merges nested objects; scalars and arrays from `overrides`
+ * replace corresponding values in `target`.
+ */
+export function deepMergeOverwrite(
+  target: Record<string, unknown>,
+  overrides: Record<string, unknown>,
+): void {
+  for (const key of Object.keys(overrides)) {
+    const ov = overrides[key];
+    if (
+      ov != null &&
+      typeof ov === "object" &&
+      !Array.isArray(ov) &&
+      target[key] != null &&
+      typeof target[key] === "object" &&
+      !Array.isArray(target[key])
+    ) {
+      deepMergeOverwrite(
+        target[key] as Record<string, unknown>,
+        ov as Record<string, unknown>,
+      );
+    } else {
+      target[key] = ov;
+    }
+  }
+}
+
 /**
  * Read the existing config.json from disk, merge any missing schema-default
  * keys, and rewrite only when there is an effective change.
@@ -248,6 +270,72 @@ function backfillConfigDefaults(
   }
 }
 
+/**
+ * Merge default workspace config from the file referenced by
+ * VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH into the workspace config on disk.
+ *
+ * Called once at daemon startup (before the first loadConfig()) so the
+ * defaults are persisted to the workspace config file alongside any
+ * schema-level defaults that loadConfig() backfills.
+ */
+export function mergeDefaultWorkspaceConfig(): void {
+  const defaultConfigPath = process.env.VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH;
+  if (!defaultConfigPath || !existsSync(defaultConfigPath)) return;
+
+  let defaults: unknown;
+  try {
+    defaults = JSON.parse(readFileSync(defaultConfigPath, "utf-8"));
+  } catch (err) {
+    log.warn(
+      { err },
+      "Failed to read default workspace config from %s",
+      defaultConfigPath,
+    );
+    return;
+  }
+
+  if (
+    defaults == null ||
+    typeof defaults !== "object" ||
+    Array.isArray(defaults)
+  ) {
+    return;
+  }
+
+  const configPath = getConfigPath();
+  let existing: Record<string, unknown> = {};
+  if (existsSync(configPath)) {
+    try {
+      existing = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch {
+      // If existing config is corrupt, start fresh
+    }
+  }
+
+  deepMergeOverwrite(existing, defaults as Record<string, unknown>);
+
+  const dir = dirname(configPath);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n");
+
+  // Move the temp file into the workspace directory as a permanent record.
+  // This prevents re-application on daemon restart (the env var still points
+  // at the old /tmp path which no longer exists).
+  try {
+    const dest = join(dir, "default-config.json");
+    renameSync(defaultConfigPath, dest);
+    log.info(
+      "Merged default workspace config from %s (archived to %s)",
+      defaultConfigPath,
+      dest,
+    );
+  } catch {
+    log.info("Merged default workspace config from %s", defaultConfigPath);
+  }
+}
+
 export function loadConfig(): AssistantConfig {
   if (cached) return cached;
 
@@ -375,30 +463,6 @@ export function saveRawConfig(config: Record<string, unknown>): void {
   cached = null; // invalidate cache
 }
 
-/**
- * Sync client-relevant config values (e.g. platform.baseUrl) to the lockfile
- * so external tools (e.g. vel) can discover them without importing the full
- * config schema.  Mirrors the behaviour of `syncConfigToLockfile` in the
- * lightweight CLI (`cli/src/lib/assistant-config.ts`).
- */
-export function syncConfigToLockfile(): void {
-  const configPath = getWorkspaceConfigPath();
-  if (!existsSync(configPath)) return;
-
-  try {
-    const raw = JSON.parse(readFileSync(configPath, "utf-8")) as Record<
-      string,
-      unknown
-    >;
-    const platform = raw.platform as Record<string, unknown> | undefined;
-    const data = readLockfile() ?? {};
-    data.platformBaseUrl = (platform?.baseUrl as string) || undefined;
-    writeLockfile(data);
-  } catch {
-    // Config file unreadable — skip sync
-  }
-}
-
 export function getNestedValue(
   obj: Record<string, unknown>,
   path: string,

package/src/config/schema.ts

@@ -40,6 +40,8 @@ export {
   ElevenLabsConfigSchema,
   VALID_CONVERSATION_TIMEOUTS,
 } from "./schemas/elevenlabs.js";
+export type { FishAudioConfig } from "./schemas/fish-audio.js";
+export { FishAudioConfigSchema } from "./schemas/fish-audio.js";
 export type { HeartbeatConfig } from "./schemas/heartbeat.js";
 export { HeartbeatConfigSchema } from "./schemas/heartbeat.js";
 export type {
@@ -66,6 +68,8 @@ export {
   IngressRateLimitConfigSchema,
   IngressWebhookConfigSchema,
 } from "./schemas/ingress.js";
+export type { JournalConfig } from "./schemas/journal.js";
+export { JournalConfigSchema } from "./schemas/journal.js";
 export type { AuditLogConfig, LogFileConfig } from "./schemas/logging.js";
 export {
   AuditLogConfigSchema,
@@ -173,8 +177,6 @@ export {
   SkillsInstallConfigSchema,
   SkillsLoadConfigSchema,
 } from "./schemas/skills.js";
-export type { SwarmConfig } from "./schemas/swarm.js";
-export { SwarmConfigSchema } from "./schemas/swarm.js";
 export type { RateLimitConfig, TimeoutConfig } from "./schemas/timeouts.js";
 export {
   RateLimitConfigSchema,
@@ -193,6 +195,7 @@ import {
   WhatsAppConfigSchema,
 } from "./schemas/channels.js";
 import { ElevenLabsConfigSchema } from "./schemas/elevenlabs.js";
+import { FishAudioConfigSchema } from "./schemas/fish-audio.js";
 import { HeartbeatConfigSchema } from "./schemas/heartbeat.js";
 import {
   ContextWindowConfigSchema,
@@ -201,6 +204,7 @@ import {
   ThinkingConfigSchema,
 } from "./schemas/inference.js";
 import { IngressConfigSchema } from "./schemas/ingress.js";
+import { JournalConfigSchema } from "./schemas/journal.js";
 import {
   AuditLogConfigSchema,
   LogFileConfigSchema,
@@ -218,12 +222,8 @@ import {
   PermissionsConfigSchema,
   SecretDetectionConfigSchema,
 } from "./schemas/security.js";
-import {
-  ServicesSchema,
-  VALID_INFERENCE_PROVIDERS,
-} from "./schemas/services.js";
+import { ServicesSchema } from "./schemas/services.js";
 import { SkillsConfigSchema } from "./schemas/skills.js";
-import { SwarmConfigSchema } from "./schemas/swarm.js";
 import {
   RateLimitConfigSchema,
   TimeoutConfigSchema,
@@ -233,18 +233,6 @@ import { WorkspaceGitConfigSchema } from "./schemas/workspace-git.js";
 export const AssistantConfigSchema = z
   .object({
     services: ServicesSchema.default(ServicesSchema.parse({})),
-    providerOrder: z
-      .array(
-        z.enum(VALID_INFERENCE_PROVIDERS, {
-          error: `Each providerOrder entry must be one of: ${VALID_INFERENCE_PROVIDERS.join(
-            ", ",
-          )}`,
-        }),
-      )
-      .default([])
-      .describe(
-        "Fallback order of LLM providers — the assistant tries each in sequence if the previous one fails",
-      ),
     maxTokens: z
       .number({ error: "maxTokens must be a number" })
       .int("maxTokens must be an integer")
@@ -281,7 +269,7 @@ export const AssistantConfigSchema = z
         "Custom pricing overrides for specific provider/model combinations",
       ),
     heartbeat: HeartbeatConfigSchema.default(HeartbeatConfigSchema.parse({})),
-    swarm: SwarmConfigSchema.default(SwarmConfigSchema.parse({})),
+    journal: JournalConfigSchema.default(JournalConfigSchema.parse({})),
     mcp: McpConfigSchema.default(McpConfigSchema.parse({})),
     acp: AcpConfigSchema.default(AcpConfigSchema.parse({})),
     skills: SkillsConfigSchema.default(SkillsConfigSchema.parse({})),
@@ -293,6 +281,7 @@ export const AssistantConfigSchema = z
     elevenlabs: ElevenLabsConfigSchema.default(
       ElevenLabsConfigSchema.parse({}),
     ),
+    fishAudio: FishAudioConfigSchema.default(FishAudioConfigSchema.parse({})),
     whatsapp: WhatsAppConfigSchema.default(WhatsAppConfigSchema.parse({})),
     telegram: TelegramConfigSchema.default(TelegramConfigSchema.parse({})),
     slack: SlackConfigSchema.default(SlackConfigSchema.parse({})),
@@ -303,15 +292,6 @@ export const AssistantConfigSchema = z
       NotificationsConfigSchema.parse({}),
     ),
     ui: UiConfigSchema.default(UiConfigSchema.parse({})),
-    assistantFeatureFlagValues: z
-      .record(
-        z.string(),
-        z.boolean({
-          error: "assistantFeatureFlagValues values must be booleans",
-        }),
-      )
-      .optional()
-      .describe("Feature flag overrides — map of flag names to boolean values"),
     collectUsageData: z
       .boolean()
       .default(true)

package/src/config/schemas/calls.ts

@@ -6,6 +6,7 @@ export const VALID_CALLER_IDENTITY_MODES = [
   "user_number",
 ] as const;
 const VALID_CALL_TRANSCRIPTION_PROVIDERS = ["Deepgram", "Google"] as const;
+export const VALID_TTS_PROVIDERS = ["elevenlabs", "fish-audio"] as const;
 
 export const CallsDisclosureConfigSchema = z
   .object({
@@ -57,6 +58,35 @@ export const CallsVoiceConfigSchema = z
       })
       .default("Deepgram")
       .describe("Speech-to-text provider used for call transcription"),
+    speechModel: z
+      .string({ error: "calls.voice.speechModel must be a string" })
+      .optional()
+      .describe(
+        "ASR model to use for speech recognition (e.g. nova-3, nova-2-phonecall for Deepgram; telephony, long for Google)",
+      ),
+    ttsProvider: z
+      .enum(VALID_TTS_PROVIDERS, {
+        error: `calls.voice.ttsProvider must be one of: ${VALID_TTS_PROVIDERS.join(", ")}`,
+      })
+      .default("elevenlabs")
+      .describe("Text-to-speech provider for phone calls"),
+    hints: z
+      .array(
+        z.string({ error: "calls.voice.hints values must be strings" }),
+      )
+      .default([])
+      .describe(
+        "Static vocabulary hints for speech recognition — proper nouns, domain terms, and other words the STT provider should prioritize",
+      ),
+    interruptSensitivity: z
+      .enum(["low", "medium", "high"], {
+        error:
+          "calls.voice.interruptSensitivity must be one of: low, medium, high",
+      })
+      .default("low")
+      .describe(
+        "How aggressively the STT provider detects the start of caller speech — low reduces false interrupts from background noise",
+      ),
   })
   .describe("Voice and speech settings for phone calls");
 

package/src/config/schemas/fish-audio.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+
+export const FishAudioConfigSchema = z
+  .object({
+    referenceId: z
+      .string({ error: "fishAudio.referenceId must be a string" })
+      .default("")
+      .describe("Fish Audio voice/clone reference ID"),
+    chunkLength: z
+      .number({ error: "fishAudio.chunkLength must be a number" })
+      .int("fishAudio.chunkLength must be an integer")
+      .min(100, "fishAudio.chunkLength must be >= 100")
+      .max(300, "fishAudio.chunkLength must be <= 300")
+      .default(200)
+      .describe("Text chunk size for streaming synthesis"),
+    format: z
+      .enum(["mp3", "wav", "opus"], {
+        error: "fishAudio.format must be one of: mp3, wav, opus",
+      })
+      .default("mp3")
+      .describe("Output audio format"),
+    latency: z
+      .enum(["normal", "balanced"], {
+        error: "fishAudio.latency must be one of: normal, balanced",
+      })
+      .default("normal")
+      .describe(
+        "Latency/quality tradeoff for Fish Audio S2 synthesis. 'normal' prioritizes lower latency; 'balanced' trades latency for higher quality.",
+      ),
+    speed: z
+      .number({ error: "fishAudio.speed must be a number" })
+      .min(0.5, "fishAudio.speed must be >= 0.5")
+      .max(2.0, "fishAudio.speed must be <= 2.0")
+      .default(1.0)
+      .describe("Playback speed multiplier (0.5 = slower, 2.0 = faster)"),
+  })
+  .describe("Fish Audio text-to-speech configuration");
+
+export type FishAudioConfig = z.infer<typeof FishAudioConfigSchema>;

package/src/config/schemas/inference.ts

@@ -26,8 +26,8 @@ export const ThinkingConfigSchema = z
   .describe("Extended thinking (chain-of-thought) configuration");
 
 export const EffortSchema = z
-  .enum(["low", "medium", "high"], {
-    error: 'effort must be "low", "medium", or "high"',
+  .enum(["low", "medium", "high", "max"], {
+    error: 'effort must be "low", "medium", "high", or "max"',
   })
   .default("high")
   .describe(

package/src/config/schemas/journal.ts

@@ -0,0 +1,16 @@
+import { z } from "zod";
+
+export const JournalConfigSchema = z
+  .object({
+    contextWindowSize: z
+      .number({ error: "journal.contextWindowSize must be a number" })
+      .int("journal.contextWindowSize must be an integer")
+      .min(0, "journal.contextWindowSize must be >= 0")
+      .default(10)
+      .describe(
+        "Number of recent journal entries to include in context (0 to disable)",
+      ),
+  })
+  .describe("Journal context window configuration");
+
+export type JournalConfig = z.infer<typeof JournalConfigSchema>;

package/src/config/schemas/memory-processing.ts

@@ -12,7 +12,7 @@ export const MemoryExtractionConfigSchema = z
       .enum(["latency-optimized", "quality-optimized", "vision-optimized"], {
         error: "memory.extraction.modelIntent must be a valid model intent",
       })
-      .default("latency-optimized")
+      .default("quality-optimized")
       .describe(
         "Model selection strategy for extraction — trade off speed vs quality",
       ),
@@ -39,7 +39,7 @@ export const MemorySummarizationConfigSchema = z
       .enum(["latency-optimized", "quality-optimized", "vision-optimized"], {
         error: "memory.summarization.modelIntent must be a valid model intent",
       })
-      .default("latency-optimized")
+      .default("quality-optimized")
       .describe(
         "Model selection strategy for summarization — trade off speed vs quality",
       ),

package/src/config/schemas/security.ts

@@ -50,10 +50,6 @@ export const SecretDetectionConfigSchema = z
       .describe(
         "Whether to allow sending a detected secret once (with user confirmation) before redacting future occurrences",
       ),
-    blockIngress: z
-      .boolean({ error: "secretDetection.blockIngress must be a boolean" })
-      .default(true)
-      .describe("Whether to block secrets in incoming ingress messages"),
     customPatterns: z
       .array(CustomSecretPatternSchema)
       .optional()

package/src/config/types.ts

@@ -12,6 +12,7 @@ export type {
   ImageGenerationService,
   InferenceService,
   IngressConfig,
+  JournalConfig,
   LogFileConfig,
   MemoryConfig,
   MemoryEmbeddingsConfig,
@@ -35,7 +36,6 @@ export type {
   SkillsInstallConfig,
   SkillsLoadConfig,
   SlackConfig,
-  SwarmConfig,
   ThinkingConfig,
   TimeoutConfig,
   UiConfig,

package/src/contacts/contact-store.ts

@@ -28,6 +28,36 @@ function escapeLike(value: string): string {
   return value.replace(/%/g, "").replace(/_/g, "");
 }
 
+/**
+ * Generate a collision-free slugified filename for a contact's per-user persona file.
+ * Produces filenames like "alice.md", "alice-2.md", "alice-3.md", etc.
+ */
+export function generateUserFileSlug(displayName: string): string {
+  const slug =
+    displayName
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, "-")
+      .replace(/^-+|-+$/g, "")
+      .slice(0, 100) || "user";
+
+  const db = getDb();
+  const rows = db
+    .select({ userFile: contacts.userFile })
+    .from(contacts)
+    .where(like(contacts.userFile, `${escapeLike(slug)}%`))
+    .all();
+
+  const taken = new Set(rows.map((r) => r.userFile?.toLowerCase()));
+
+  const base = `${slug}.md`;
+  if (!taken.has(base)) return base;
+
+  for (let i = 2; ; i++) {
+    const candidate = `${slug}-${i}.md`;
+    if (!taken.has(candidate)) return candidate;
+  }
+}
+
 function parseContact(row: typeof contacts.$inferSelect): Contact {
   return {
     id: row.id,
@@ -40,6 +70,7 @@ function parseContact(row: typeof contacts.$inferSelect): Contact {
     role: row.role as Contact["role"],
     contactType: (row.contactType as Contact["contactType"]) ?? "human",
     principalId: row.principalId,
+    userFile: row.userFile ?? null,
   };
 }
 
@@ -148,6 +179,7 @@ export function upsertContact(params: {
   role?: ContactRole;
   contactType?: ContactType;
   principalId?: string | null;
+  userFile?: string | null;
   channels?: SyncChannelData[];
   /** When true, conflicting channels on other contacts are reassigned to this
    *  contact instead of being skipped. Used by invite redemption to bind a
@@ -177,6 +209,7 @@ export function upsertContact(params: {
         updateSet.contactType = params.contactType;
       if (params.principalId !== undefined)
         updateSet.principalId = params.principalId;
+      if (params.userFile !== undefined) updateSet.userFile = params.userFile;
 
       db.update(contacts)
         .set(updateSet)
@@ -224,6 +257,7 @@ export function upsertContact(params: {
           updateSet.contactType = params.contactType;
         if (params.principalId !== undefined)
           updateSet.principalId = params.principalId;
+        if (params.userFile !== undefined) updateSet.userFile = params.userFile;
 
         db.update(contacts)
           .set(updateSet)
@@ -239,6 +273,10 @@ export function upsertContact(params: {
 
   // Create new contact
   contactId = contactId ?? uuid();
+  const userFileValue =
+    params.userFile !== undefined
+      ? params.userFile
+      : generateUserFileSlug(params.displayName);
   db.insert(contacts)
     .values({
       id: contactId,
@@ -247,6 +285,7 @@ export function upsertContact(params: {
       role: params.role ?? "contact",
       contactType: params.contactType ?? "human",
       principalId: params.principalId ?? null,
+      userFile: userFileValue ?? null,
       createdAt: now,
       updatedAt: now,
     })

package/src/contacts/types.ts

@@ -44,6 +44,8 @@ export interface Contact {
    * identified by channel address instead.
    */
   principalId: string | null;
+  /** Workspace-relative path to a per-user persona file for this contact. */
+  userFile: string | null;
 }
 
 export type ChannelStatus =

package/src/credential-execution/approval-bridge.ts

@@ -103,6 +103,7 @@ function mapUserDecisionToCesDecision(
         userDecision: decision,
       };
     case "temporary_override":
+    case "dangerously_skip_permissions":
       return {
         grantDecision: "approved",
         ttl: undefined,

package/src/credential-execution/executable-discovery.ts

@@ -79,6 +79,11 @@ export interface LocalDiscoverySuccess {
   executablePath: string;
 }
 
+export interface LocalSourceDiscoverySuccess {
+  mode: "local-source";
+  sourcePath: string;
+}
+
 export interface ManagedDiscoverySuccess {
   mode: "managed";
   socketPath: string;
@@ -91,6 +96,7 @@ export interface DiscoveryFailure {
 
 export type DiscoveryResult =
   | LocalDiscoverySuccess
+  | LocalSourceDiscoverySuccess
   | ManagedDiscoverySuccess
   | DiscoveryFailure;
 
@@ -101,11 +107,16 @@ export type DiscoveryResult =
 /**
  * Discover the local CES executable.
  *
- * Searches well-known paths for the `credential-executor` binary. Returns
- * a structured result — never throws. If the binary is not found, returns
+ * Searches well-known paths for the `credential-executor` binary. If the
+ * compiled binary is not found, falls back to the TypeScript source entry
+ * point in the monorepo. Returns a structured result — never throws. If
+ * neither the binary nor the source entry point is found, returns
  * `{ mode: "unavailable" }` so the caller can fail closed.
  */
-export function discoverLocalCes(): LocalDiscoverySuccess | DiscoveryFailure {
+export function discoverLocalCes():
+  | LocalDiscoverySuccess
+  | LocalSourceDiscoverySuccess
+  | DiscoveryFailure {
   const searchPaths = getLocalBinarySearchPaths();
 
   for (const candidate of searchPaths) {
@@ -115,7 +126,20 @@ export function discoverLocalCes(): LocalDiscoverySuccess | DiscoveryFailure {
     }
   }
 
-  const reason = `CES executable not found. Searched: ${searchPaths.join(", ")}`;
+  // Fallback: check for source entry point in the monorepo
+  const monorepoRoot = join(import.meta.dir, "..", "..", "..");
+  const sourceEntry = join(
+    monorepoRoot,
+    "credential-executor",
+    "src",
+    "main.ts",
+  );
+  if (existsSync(sourceEntry)) {
+    log.info({ path: sourceEntry }, "Found local CES source entry point");
+    return { mode: "local-source", sourcePath: sourceEntry };
+  }
+
+  const reason = `CES executable not found. Searched: ${searchPaths.join(", ")}; also checked source at ${sourceEntry}`;
   log.warn(reason);
   return { mode: "unavailable", reason };
 }

package/src/credential-execution/feature-gates.ts

@@ -35,6 +35,10 @@ export const CES_GRANT_AUDIT_FLAG_KEY =
 export const CES_MANAGED_SIDECAR_FLAG_KEY =
   "feature_flags.ces-managed-sidecar.enabled" as const;
 
+/** Gate for routing credential reads/writes through the CES process. */
+export const CES_CREDENTIAL_BACKEND_FLAG_KEY =
+  "feature_flags.ces-credential-backend.enabled" as const;
+
 // ---------------------------------------------------------------------------
 // Public API — predicate functions
 // ---------------------------------------------------------------------------
@@ -73,3 +77,15 @@ export function isCesGrantAuditEnabled(config: AssistantConfig): boolean {
 export function isCesManagedSidecarEnabled(config: AssistantConfig): boolean {
   return isAssistantFeatureFlagEnabled(CES_MANAGED_SIDECAR_FLAG_KEY, config);
 }
+
+/**
+ * Whether credential reads and writes should be routed through the CES process.
+ */
+export function isCesCredentialBackendEnabled(
+  config: AssistantConfig,
+): boolean {
+  return isAssistantFeatureFlagEnabled(
+    CES_CREDENTIAL_BACKEND_FLAG_KEY,
+    config,
+  );
+}