@vellumai/assistant 0.5.6 → 0.5.8

package/src/daemon/install-symlink.ts

@@ -0,0 +1,195 @@
+import { execFileSync } from "node:child_process";
+import {
+  appendFileSync,
+  existsSync,
+  lstatSync,
+  mkdirSync,
+  readFileSync,
+  readlinkSync,
+  symlinkSync,
+  unlinkSync,
+} from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+
+import { getLogger } from "../util/logger.js";
+
+const log = getLogger("install-symlink");
+
+/**
+ * Resolves the path to the `vellum-assistant` binary that should be symlinked
+ * as `assistant`.
+ *
+ * - **Bundled (desktop app):** The daemon runs from a compiled binary inside
+ *   `Vellum.app/Contents/MacOS/`. `process.execPath` is the daemon binary
+ *   itself — the `vellum-assistant` CLI binary lives alongside it in the same
+ *   directory.
+ *
+ * - **Dev (bun):** `process.execPath` is the bun runtime. We resolve the
+ *   assistant entrypoint relative to this file's location in the source tree
+ *   and return a wrapper script path that would need bun to run — so we skip
+ *   symlinking in dev mode since developers manage their own PATH.
+ */
+function resolveAssistantBinary(): string | null {
+  const execPath = process.execPath;
+  // Detect the bundled desktop app case by checking for the app bundle path.
+  const isBundled = execPath.includes("/Contents/MacOS/");
+
+  if (isBundled) {
+    // The assistant CLI binary is a sibling of the daemon binary in
+    // Contents/MacOS/.
+    const macosDir = dirname(execPath);
+    const assistantBinary = join(macosDir, "vellum-assistant");
+    if (existsSync(assistantBinary)) {
+      return assistantBinary;
+    }
+    log.warn(
+      { expected: assistantBinary },
+      "Bundled vellum-assistant binary not found alongside daemon",
+    );
+    return null;
+  }
+
+  // Dev mode: resolve the assistant entrypoint from the source tree.
+  // The daemon entry is at assistant/src/daemon/main.ts and the assistant
+  // CLI entry is at assistant/src/index.ts.
+  const assistantEntry = join(dirname(__filename), "..", "index.ts");
+  if (existsSync(assistantEntry)) {
+    return assistantEntry;
+  }
+  return null;
+}
+
+/**
+ * Attempts to place a symlink at `symlinkPath` pointing to `target`.
+ * Returns true if the symlink was created or already points to the target.
+ */
+function trySymlink(target: string, symlinkPath: string): boolean {
+  try {
+    try {
+      const stats = lstatSync(symlinkPath);
+      if (!stats.isSymbolicLink()) {
+        // Real file — don't overwrite (could be a developer's local install)
+        return false;
+      }
+      const dest = readlinkSync(symlinkPath);
+      if (dest === target) return true;
+      // Stale or dangling symlink — remove before creating new one
+      unlinkSync(symlinkPath);
+    } catch (e) {
+      if ((e as NodeJS.ErrnoException)?.code !== "ENOENT") return false;
+      // Path doesn't exist — proceed to create symlink
+    }
+
+    const dir = dirname(symlinkPath);
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+    symlinkSync(target, symlinkPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Ensures ~/.local/bin is present in the user's shell profile so that
+ * symlinks placed there are on PATH in new terminal sessions.
+ */
+function ensureLocalBinInShellProfile(localBinDir: string): void {
+  const shell = process.env.SHELL ?? "";
+  const home = homedir();
+  const profilePath = shell.endsWith("/zsh")
+    ? join(home, ".zshrc")
+    : shell.endsWith("/bash")
+      ? join(home, ".bash_profile")
+      : null;
+  if (!profilePath) return;
+
+  try {
+    const contents = existsSync(profilePath)
+      ? readFileSync(profilePath, "utf-8")
+      : "";
+    if (contents.includes(localBinDir)) return;
+    const line = `\nexport PATH="${localBinDir}:$PATH"\n`;
+    appendFileSync(profilePath, line);
+    log.info(
+      { profilePath, localBinDir },
+      "Added ~/.local/bin to shell profile",
+    );
+  } catch {
+    // Not critical — user can add it manually
+  }
+}
+
+/**
+ * Checks whether `assistant` already resolves on PATH to something other than
+ * our candidate symlink locations. If so, we skip symlinking to avoid
+ * overwriting a developer's local build.
+ */
+function commandResolvesElsewhere(
+  commandName: string,
+  candidatePaths: Set<string>,
+): boolean {
+  try {
+    const resolved = execFileSync("/usr/bin/which", [commandName], {
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "ignore"],
+    }).trim();
+    return resolved !== "" && !candidatePaths.has(resolved);
+  } catch {
+    // `which` exited non-zero — command not found, safe to proceed
+    return false;
+  }
+}
+
+/**
+ * Idempotent: installs (or verifies) a symlink for the `assistant` command.
+ *
+ * Called on every daemon startup. Handles two runtime modes:
+ * - **Bundled binary** (desktop app): symlinks to the compiled
+ *   `vellum-assistant` binary in the app bundle.
+ * - **Bun dev mode**: symlinks to a small wrapper script that invokes
+ *   `bun run` on the assistant entrypoint.
+ *
+ * Tries `/usr/local/bin/assistant` first, then falls back to
+ * `~/.local/bin/assistant` (and patches the shell profile if needed).
+ *
+ * Skipped when VELLUM_DEV=1 (developers manage their own PATH).
+ */
+export function installAssistantSymlink(): void {
+  if (process.env.VELLUM_DEV === "1") return;
+
+  const target = resolveAssistantBinary();
+  if (!target) return;
+
+  const localBinDir = join(homedir(), ".local", "bin");
+  const candidateDirs = ["/usr/local/bin", localBinDir];
+  const candidatePaths = new Set(
+    candidateDirs.map((dir) => `${dir}/assistant`),
+  );
+
+  if (commandResolvesElsewhere("assistant", candidatePaths)) {
+    log.info(
+      "`assistant` already resolves to a non-managed path — skipping symlink",
+    );
+    return;
+  }
+
+  for (const dir of candidateDirs) {
+    const symlinkPath = join(dir, "assistant");
+    if (trySymlink(target, symlinkPath)) {
+      log.info({ symlinkPath, target }, "Installed assistant symlink");
+      if (dir === localBinDir) {
+        ensureLocalBinInShellProfile(localBinDir);
+      }
+      return;
+    }
+    log.info(
+      { symlinkPath },
+      "Could not install assistant symlink at candidate — trying next",
+    );
+  }
+
+  log.warn("Could not install assistant symlink in any candidate directory");
+}

package/src/daemon/lifecycle.ts

@@ -7,7 +7,6 @@ import { reconcileCallsOnStartup } from "../calls/call-recovery.js";
 import { setRelayBroadcast } from "../calls/relay-server.js";
 import { TwilioConversationRelayProvider } from "../calls/twilio-provider.js";
 import { setVoiceBridgeDeps } from "../calls/voice-session-bridge.js";
-import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import {
   getQdrantHttpPortEnv,
   getQdrantUrlEnv,
@@ -16,12 +15,27 @@ import {
   setIngressPublicBaseUrl,
   validateEnv,
 } from "../config/env.js";
-import { loadConfig } from "../config/loader.js";
+import { loadConfig, mergeDefaultWorkspaceConfig } from "../config/loader.js";
+import type { AssistantConfig } from "../config/schema.js";
+import type { CesClient } from "../credential-execution/client.js";
+import { createCesClient } from "../credential-execution/client.js";
+import {
+  isCesCredentialBackendEnabled,
+  isCesToolsEnabled,
+} from "../credential-execution/feature-gates.js";
+import {
+  type CesProcessManager,
+  CesUnavailableError,
+  createCesProcessManager,
+} from "../credential-execution/process-manager.js";
+import {
+  awaitCesClientWithTimeout,
+  DEFAULT_CES_STARTUP_TIMEOUT_MS,
+} from "../credential-execution/startup-timeout.js";
 import { HeartbeatService } from "../heartbeat/heartbeat-service.js";
 import { getHookManager } from "../hooks/manager.js";
 import { installTemplates } from "../hooks/templates.js";
 import { closeSentry, initSentry, setSentryDeviceId } from "../instrument.js";
-import { disableLogfire, initLogfire } from "../logfire.js";
 import { getMcpServerManager } from "../mcp/manager.js";
 import * as attachmentsStore from "../memory/attachments-store.js";
 import { expireAllPendingCanonicalRequests } from "../memory/canonical-guardian-store.js";
@@ -51,6 +65,7 @@ import { backfillManualTokenConnections } from "../oauth/manual-token-connection
 import { seedOAuthProviders } from "../oauth/seed-providers.js";
 import { ensurePromptFiles } from "../prompts/system-prompt.js";
 import { syncUpdateBulletinOnStartup } from "../prompts/update-bulletin.js";
+import { resolveManagedProxyContext } from "../providers/managed-proxy/context.js";
 import { buildAssistantEvent } from "../runtime/assistant-event.js";
 import { assistantEventHub } from "../runtime/assistant-event-hub.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
@@ -62,6 +77,7 @@ import {
 import { ensureVellumGuardianBinding } from "../runtime/guardian-vellum-migration.js";
 import { RuntimeHttpServer } from "../runtime/http-server.js";
 import { startScheduler } from "../schedule/scheduler.js";
+import { setCesClient } from "../security/secure-keys.js";
 import { seedCatalogSkillMemories } from "../skills/skill-memory.js";
 import { UsageTelemetryReporter } from "../telemetry/usage-telemetry-reporter.js";
 import { getDeviceId } from "../util/device-id.js";
@@ -101,6 +117,7 @@ import {
   switchConversation,
   undoLastMessage,
 } from "./handlers/conversations.js";
+import { installAssistantSymlink } from "./install-symlink.js";
 import type { ServerMessage } from "./message-protocol.js";
 import {
   initializeProvidersAndTools,
@@ -129,6 +146,104 @@ function loadDotEnv(): void {
   dotenvConfig({ path: join(getRootDir(), ".env"), quiet: true });
 }
 
+export interface CesStartupResult {
+  client: CesClient | undefined;
+  processManager: CesProcessManager | undefined;
+  clientPromise: Promise<CesClient | undefined> | undefined;
+  abortController: AbortController | undefined;
+}
+
+/**
+ * Start the CES (Credential Execution Service) process and perform the RPC
+ * handshake. Returns a promise that resolves with the CES client and process
+ * manager. Callers can fire-and-forget — the daemon does not need to await
+ * this for startup to continue.
+ *
+ * The managed sidecar accepts exactly one bootstrap connection, so this must
+ * be called at the process level (not per-conversation).
+ */
+export async function startCesProcess(
+  config: AssistantConfig,
+): Promise<CesStartupResult> {
+  const shouldStartCes =
+    isCesToolsEnabled(config) || isCesCredentialBackendEnabled(config);
+  if (!shouldStartCes) {
+    return {
+      client: undefined,
+      processManager: undefined,
+      clientPromise: undefined,
+      abortController: undefined,
+    };
+  }
+
+  const pm = createCesProcessManager({ assistantConfig: config });
+  const abortController = new AbortController();
+  let clientRef: CesClient | undefined;
+
+  const clientPromise = (async (): Promise<CesClient | undefined> => {
+    try {
+      const transport = await pm.start();
+      if (abortController.signal.aborted) {
+        throw new Error("CES initialization aborted during shutdown");
+      }
+      const client = createCesClient(transport);
+      clientRef = client;
+      // Resolve the assistant API key so CES can use it for platform
+      // credential materialisation. In managed mode the key is provisioned
+      // after hatch and stored in the credential store — CES can't read
+      // the env var, so we pass it via the handshake.
+      const proxyCtx = await resolveManagedProxyContext();
+      const { accepted, reason } = await client.handshake(
+        proxyCtx.assistantApiKey
+          ? { assistantApiKey: proxyCtx.assistantApiKey }
+          : undefined,
+      );
+      if (abortController.signal.aborted) {
+        client.close();
+        throw new Error("CES initialization aborted during shutdown");
+      }
+      if (accepted) {
+        log.info(
+          "CES client initialized and handshake accepted (server-level)",
+        );
+        return client;
+      }
+      log.warn(
+        { reason },
+        "CES handshake rejected — CES tools will be unavailable",
+      );
+      client.close();
+      clientRef = undefined;
+      await pm.stop();
+      return undefined;
+    } catch (err) {
+      if (err instanceof CesUnavailableError) {
+        log.info(
+          { reason: err.message },
+          "CES is not available — CES tools will be unavailable",
+        );
+      } else {
+        log.warn(
+          { error: err instanceof Error ? err.message : String(err) },
+          "Failed to initialize CES client — CES tools will be unavailable",
+        );
+      }
+      await pm.stop().catch(() => {});
+      clientRef = undefined;
+      return undefined;
+    }
+  })();
+
+  return {
+    get client() {
+      return clientRef;
+    },
+    processManager: pm,
+    clientPromise,
+    abortController,
+  };
+}
+
 // Entry point for the daemon process itself
 export async function runDaemon(): Promise<void> {
   loadDotEnv();
@@ -140,14 +255,12 @@ export async function runDaemon(): Promise<void> {
     // closeSentry() if the user has disabled it.
     initSentry();
 
-    await initLogfire();
-
     ensureDataDir();
 
     // Load (or generate + persist) the auth signing key so tokens survive
     // daemon restarts. Must happen after ensureDataDir() creates the
     // protected directory.
-    const signingKey = await resolveSigningKey();
+    const signingKey = resolveSigningKey();
     initAuthSigningKey(signingKey);
 
     seedInterfaceFiles();
@@ -163,9 +276,19 @@ export async function runDaemon(): Promise<void> {
     initializeDb();
     // Seed well-known OAuth provider configurations (insert-if-not-exists)
     seedOAuthProviders();
+    log.info("Daemon startup: DB initialized");
+
+    await runWorkspaceMigrations(getWorkspaceDir(), WORKSPACE_MIGRATIONS);
+    log.info("Daemon startup: workspace migrations complete");
+
     // Backfill oauth_connection rows for manual-token providers (Telegram,
     // Slack channel) that already have keychain credentials from before the
     // oauth_connection migration. Safe to call on every startup.
+    //
+    // Must run AFTER workspace migrations so that migration 015 (which copies
+    // encrypted-store credentials to the keychain) has already executed.
+    // Otherwise syncManualTokenConnection sees no keychain credentials and
+    // incorrectly removes existing connection rows.
     try {
       await backfillManualTokenConnections();
     } catch (err) {
@@ -174,10 +297,6 @@ export async function runDaemon(): Promise<void> {
         "Manual-token connection backfill failed — continuing startup",
       );
     }
-    log.info("Daemon startup: DB initialized");
-
-    await runWorkspaceMigrations(getWorkspaceDir(), WORKSPACE_MIGRATIONS);
-    log.info("Daemon startup: workspace migrations complete");
 
     // Now that workspace migrations have run (including 003-seed-device-id
     // which may copy the legacy installationId into device.json), it is safe
@@ -290,6 +409,11 @@ export async function runDaemon(): Promise<void> {
       log.warn({ err }, "Call recovery failed — continuing startup");
     }
 
+    // Merge CLI-provided default config (from VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH)
+    // into the workspace config file before the first loadConfig() call so
+    // onboarding preferences are persisted alongside schema defaults.
+    mergeDefaultWorkspaceConfig();
+
     log.info("Daemon startup: loading config");
     const config = loadConfig();
 
@@ -330,16 +454,36 @@ export async function runDaemon(): Promise<void> {
       log.info("Usage telemetry reporter started");
     }
 
-    // If Logfire observability is not explicitly enabled, disable it so
-    // wrapWithLogfire() calls during provider setup become no-ops. Logfire
-    // is initialized eagerly (before config loads) for the same reason as
-    // Sentry — but the feature flag gates whether it actually traces.
-    const logfireEnabled = isAssistantFeatureFlagEnabled(
-      "feature_flags.logfire.enabled",
-      config,
-    );
-    if (!logfireEnabled) {
-      disableLogfire();
+    // CES lifecycle — kick off early so CES handshake runs concurrently with
+    // provider/tool initialization. The CES sidecar accepts exactly one
+    // bootstrap connection, so startup must happen at the process level.
+    const cesStartupPromise = startCesProcess(config);
+
+    // When the credential backend flag is enabled, CES startup must complete
+    // BEFORE provider initialization so credential reads can go through CES.
+    // Block with a 20-second timeout — fall back to direct credential store
+    // on timeout.
+    if (isCesCredentialBackendEnabled(config)) {
+      const cesResult = await cesStartupPromise;
+      // startCesProcess() returns immediately — the actual handshake runs
+      // inside clientPromise. Await it (with a 20s timeout) so the CES client
+      // is available before provider initialization.
+      if (cesResult.clientPromise) {
+        const client = await awaitCesClientWithTimeout(
+          cesResult.clientPromise,
+          {
+            timeoutMs: DEFAULT_CES_STARTUP_TIMEOUT_MS,
+            onTimeout: () => {
+              log.warn(
+                "CES handshake timed out after 20s — falling back to direct credential store",
+              );
+            },
+          },
+        );
+        if (client) {
+          setCesClient(client);
+        }
+      }
     }
 
     await initializeProvidersAndTools(config);
@@ -348,6 +492,7 @@ export async function runDaemon(): Promise<void> {
     // routes can begin accepting requests while Qdrant initializes.
     log.info("Daemon startup: starting DaemonServer");
     const server = new DaemonServer();
+    server.setCes(await cesStartupPromise);
     await server.start();
     log.info("Daemon startup: DaemonServer started");
 
@@ -371,39 +516,69 @@ export async function runDaemon(): Promise<void> {
       log.info({ qdrantUrl }, "Daemon startup: initializing Qdrant");
       const manager = new QdrantManager({ url: qdrantUrl });
       bgRefs.qdrantManager = manager;
-      try {
-        await manager.start();
-        const embeddingSelection = await selectEmbeddingBackend(config);
-        const embeddingModel = embeddingSelection.backend
-          ? `${embeddingSelection.backend.provider}:${embeddingSelection.backend.model}:sparse-v${SPARSE_EMBEDDING_VERSION}`
-          : undefined;
-        const qdrantClient = initQdrantClient({
-          url: qdrantUrl,
-          collection: config.memory.qdrant.collection,
-          vectorSize: config.memory.qdrant.vectorSize,
-          onDisk: config.memory.qdrant.onDisk,
-          quantization: config.memory.qdrant.quantization,
-          embeddingModel,
-        });
+      const QDRANT_START_MAX_ATTEMPTS = 3;
+      let qdrantStarted = false;
+      for (let attempt = 1; attempt <= QDRANT_START_MAX_ATTEMPTS; attempt++) {
+        try {
+          await manager.start();
+          qdrantStarted = true;
+          break;
+        } catch (err) {
+          if (attempt < QDRANT_START_MAX_ATTEMPTS) {
+            const backoffMs = attempt * 5_000; // 5s, 10s
+            log.warn(
+              {
+                err,
+                attempt,
+                maxAttempts: QDRANT_START_MAX_ATTEMPTS,
+                backoffMs,
+              },
+              "Qdrant startup failed, retrying",
+            );
+            await Bun.sleep(backoffMs);
+          } else {
+            log.warn(
+              { err },
+              "Qdrant failed to start after all attempts — memory features will be unavailable",
+            );
+          }
+        }
+      }
+
+      if (qdrantStarted) {
+        try {
+          const embeddingSelection = await selectEmbeddingBackend(config);
+          const embeddingModel = embeddingSelection.backend
+            ? `${embeddingSelection.backend.provider}:${embeddingSelection.backend.model}:sparse-v${SPARSE_EMBEDDING_VERSION}`
+            : undefined;
+          const qdrantClient = initQdrantClient({
+            url: qdrantUrl,
+            collection: config.memory.qdrant.collection,
+            vectorSize: config.memory.qdrant.vectorSize,
+            onDisk: config.memory.qdrant.onDisk,
+            quantization: config.memory.qdrant.quantization,
+            embeddingModel,
+          });
 
-        // Eagerly ensure the collection exists so we detect migrations
-        // (unnamed→named vectors, dimension/model changes) at startup.
-        // If a destructive migration occurred, enqueue a rebuild_index job
-        // to re-embed all memory items from the SQLite cache.
-        const { migrated } = await qdrantClient.ensureCollection();
-        if (migrated) {
-          enqueueMemoryJob("rebuild_index", {});
-          log.info(
-            "Qdrant collection was migrated — enqueued rebuild_index job",
+          // Eagerly ensure the collection exists so we detect migrations
+          // (unnamed→named vectors, dimension/model changes) at startup.
+          // If a destructive migration occurred, enqueue a rebuild_index job
+          // to re-embed all memory items from the SQLite cache.
+          const { migrated } = await qdrantClient.ensureCollection();
+          if (migrated) {
+            enqueueMemoryJob("rebuild_index", {});
+            log.info(
+              "Qdrant collection was migrated — enqueued rebuild_index job",
+            );
+          }
+
+          log.info("Qdrant vector store initialized");
+        } catch (err) {
+          log.warn(
+            { err },
+            "Qdrant client initialization failed — memory features will be degraded",
           );
         }
-
-        log.info("Qdrant vector store initialized");
-      } catch (err) {
-        log.warn(
-          { err },
-          "Qdrant failed to start — memory features will be unavailable",
-        );
       }
 
       log.info("Daemon startup: starting memory worker");
@@ -833,7 +1008,7 @@ export async function runDaemon(): Promise<void> {
         server.broadcast(msg as ServerMessage),
       );
       initSlashPairingContext(runtimeHttp.getPairingStore());
-      server.setHttpPort(httpPort);
+      server.broadcastStatus();
       log.info(
         { port: httpPort, hostname },
         "Daemon startup: runtime HTTP server listening",
@@ -849,6 +1024,14 @@ export async function runDaemon(): Promise<void> {
     writePid(process.pid);
     log.info({ pid: process.pid }, "Daemon started");
 
+    // Install the `assistant` CLI symlink idempotently on every daemon start.
+    // Non-blocking — failures are logged but don't affect startup.
+    try {
+      installAssistantSymlink();
+    } catch (err) {
+      log.warn({ err }, "Assistant symlink installation failed — continuing");
+    }
+
     const hookManager = getHookManager();
     hookManager.watch();
 

package/src/daemon/message-types/conversations.ts

@@ -221,9 +221,8 @@ export interface PongMessage {
   type: "pong";
 }
 
-export interface DaemonStatusMessage {
-  type: "daemon_status";
-  httpPort?: number;
+export interface AssistantStatusMessage {
+  type: "assistant_status";
   version?: string;
   keyFingerprint?: string;
 }
@@ -372,6 +371,7 @@ export type ConversationErrorCode =
   | "PROVIDER_BILLING"
   | "PROVIDER_ORDERING"
   | "PROVIDER_WEB_SEARCH"
+  | "PROVIDER_NOT_CONFIGURED"
   | "CONTEXT_TOO_LARGE"
   | "CONVERSATION_ABORTED"
   | "CONVERSATION_PROCESSING_FAILED"
@@ -419,7 +419,7 @@ export type _ConversationsClientMessages =
 export type _ConversationsServerMessages =
   | AuthResult
   | PongMessage
-  | DaemonStatusMessage
+  | AssistantStatusMessage
   | GenerationCancelled
   | GenerationHandoff
   | ModelInfo

package/src/daemon/message-types/diagnostics.ts

@@ -1,15 +1,9 @@
-// Diagnostics, environment, blob probe, and dictation types.
+// Diagnostics, environment, and dictation types.
 
 import type { DictationContext } from "./shared.js";
 
 // === Client → Server ===
 
-export interface DiagnosticsExportRequest {
-  type: "diagnostics_export_request";
-  conversationId: string;
-  anchorMessageId?: string; // if omitted, use latest assistant message
-}
-
 export interface EnvVarsRequest {
   type: "env_vars_request";
 }
@@ -23,13 +17,6 @@ export interface DictationRequest {
 
 // === Server → Client ===
 
-export interface DiagnosticsExportResponse {
-  type: "diagnostics_export_response";
-  success: boolean;
-  filePath?: string; // path to the zip file on success
-  error?: string; // error message on failure
-}
-
 export interface EnvVarsResponse {
   type: "env_vars_response";
   vars: Record<string, string>;
@@ -46,12 +33,6 @@ export interface DictationResponse {
 
 // --- Domain-level union aliases (consumed by the barrel file) ---
 
-export type _DiagnosticsClientMessages =
-  | DiagnosticsExportRequest
-  | EnvVarsRequest
-  | DictationRequest;
+export type _DiagnosticsClientMessages = EnvVarsRequest | DictationRequest;
 
-export type _DiagnosticsServerMessages =
-  | DiagnosticsExportResponse
-  | EnvVarsResponse
-  | DictationResponse;
+export type _DiagnosticsServerMessages = EnvVarsResponse | DictationResponse;

package/src/daemon/message-types/messages.ts

@@ -13,8 +13,6 @@ export interface UserMessage {
   activeSurfaceId?: string;
   /** The page currently displayed in the WebView (e.g. "settings.html"). */
   currentPage?: string;
-  /** When true, skip the secret-ingress check. Set by the client when the user clicks "Send Anyway". */
-  bypassSecretCheck?: boolean;
   /** Originating channel identifier (e.g. 'vellum'). Defaults to 'vellum' when absent. */
   channel?: ChannelId;
   /** Originating interface identifier (e.g. 'macos'). */