npm - @vellumai/assistant - Versions diffs - 0.5.6 → 0.5.8 - Mend

@vellumai/assistant 0.5.6 → 0.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (442) hide show

package/.env.example +16 -2
package/ARCHITECTURE.md +6 -75
package/Dockerfile +3 -2
package/README.md +0 -2
package/bun.lock +0 -414
package/docker-entrypoint.sh +9 -0
package/docs/architecture/keychain-broker.md +45 -240
package/docs/architecture/memory.md +13 -11
package/docs/architecture/security.md +0 -17
package/docs/credential-execution-service.md +2 -2
package/node_modules/@vellumai/ces-contracts/package.json +1 -0
package/node_modules/@vellumai/ces-contracts/src/error.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/grants.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/handles.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/index.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +120 -1
package/node_modules/@vellumai/credential-storage/package.json +1 -0
package/node_modules/@vellumai/egress-proxy/package.json +1 -0
package/package.json +2 -3
package/src/__tests__/actor-token-service.test.ts +0 -114
package/src/__tests__/approval-cascade.test.ts +0 -1
package/src/__tests__/assistant-feature-flags-integration.test.ts +30 -29
package/src/__tests__/browser-fill-credential.test.ts +1 -1
package/src/__tests__/browser-skill-endstate.test.ts +6 -5
package/src/__tests__/btw-routes.test.ts +0 -39
package/src/__tests__/call-controller.test.ts +0 -1
package/src/__tests__/call-domain.test.ts +0 -128
package/src/__tests__/ces-rpc-credential-backend.test.ts +199 -0
package/src/__tests__/ces-startup-timeout.test.ts +40 -0
package/src/__tests__/channel-approval-routes.test.ts +0 -5
package/src/__tests__/channel-readiness-service.test.ts +1 -60
package/src/__tests__/checker.test.ts +4 -2
package/src/__tests__/cli-command-risk-guard.test.ts +112 -0
package/src/__tests__/config-schema-cmd.test.ts +0 -2
package/src/__tests__/config-schema.test.ts +3 -1
package/src/__tests__/conversation-abort-tool-results.test.ts +0 -1
package/src/__tests__/conversation-agent-loop-overflow.test.ts +0 -2
package/src/__tests__/conversation-agent-loop.test.ts +2 -4
package/src/__tests__/conversation-attention-telegram.test.ts +0 -5
package/src/__tests__/conversation-confirmation-signals.test.ts +0 -1
package/src/__tests__/conversation-error.test.ts +15 -1
package/src/__tests__/conversation-init.benchmark.test.ts +0 -2
package/src/__tests__/conversation-messaging-secret-redirect.test.ts +1 -1
package/src/__tests__/conversation-pre-run-repair.test.ts +0 -1
package/src/__tests__/conversation-provider-retry-repair.test.ts +0 -1
package/src/__tests__/conversation-queue.test.ts +0 -1
package/src/__tests__/conversation-skill-tools.test.ts +0 -54
package/src/__tests__/conversation-slash-queue.test.ts +0 -1
package/src/__tests__/conversation-slash-unknown.test.ts +0 -1
package/src/__tests__/conversation-title-service.test.ts +87 -0
package/src/__tests__/conversation-workspace-injection.test.ts +0 -1
package/src/__tests__/conversation-workspace-tool-tracking.test.ts +0 -1
package/src/__tests__/credential-execution-client.test.ts +5 -2
package/src/__tests__/credential-execution-feature-gates.test.ts +59 -30
package/src/__tests__/credential-execution-managed-contract.test.ts +35 -20
package/src/__tests__/credential-security-e2e.test.ts +1 -67
package/src/__tests__/credential-security-invariants.test.ts +6 -50
package/src/__tests__/credentials-cli.test.ts +82 -3
package/src/__tests__/daemon-credential-client.test.ts +123 -0
package/src/__tests__/db-migration-rollback.test.ts +2015 -1
package/src/__tests__/deterministic-verification-control-plane.test.ts +1 -0
package/src/__tests__/docker-signing-key-bootstrap.test.ts +34 -143
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +6 -4
package/src/__tests__/gateway-client-managed-outbound.test.ts +79 -1
package/src/__tests__/guardian-routing-state.test.ts +0 -5
package/src/__tests__/host-shell-tool.test.ts +6 -7
package/src/__tests__/http-user-message-parity.test.ts +3 -103
package/src/__tests__/inbound-invite-redemption.test.ts +0 -4
package/src/__tests__/inline-skill-load-permissions.test.ts +6 -8
package/src/__tests__/intent-routing.test.ts +0 -13
package/src/__tests__/jobs-store-qdrant-breaker.test.ts +178 -0
package/src/__tests__/journal-context.test.ts +335 -0
package/src/__tests__/keychain-broker-client.test.ts +161 -22
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +0 -3
package/src/__tests__/memory-jobs-worker-backoff.test.ts +150 -0
package/src/__tests__/memory-lifecycle-e2e.test.ts +70 -25
package/src/__tests__/memory-recall-quality.test.ts +48 -17
package/src/__tests__/memory-regressions.test.ts +408 -363
package/src/__tests__/memory-retrieval.benchmark.test.ts +0 -3
package/src/__tests__/migration-export-http.test.ts +2 -2
package/src/__tests__/migration-import-commit-http.test.ts +2 -2
package/src/__tests__/migration-import-preflight-http.test.ts +2 -2
package/src/__tests__/migration-validate-http.test.ts +2 -2
package/src/__tests__/non-member-access-request.test.ts +2 -7
package/src/__tests__/notification-decision-fallback.test.ts +4 -0
package/src/__tests__/notification-decision-identity.test.ts +4 -0
package/src/__tests__/notification-decision-strategy.test.ts +71 -0
package/src/__tests__/oauth-cli.test.ts +5 -1
package/src/__tests__/permission-types.test.ts +1 -0
package/src/__tests__/provider-commit-message-generator.test.ts +0 -37
package/src/__tests__/provider-error-scenarios.test.ts +0 -267
package/src/__tests__/provider-managed-proxy-integration.test.ts +5 -6
package/src/__tests__/provider-streaming.benchmark.test.ts +2 -81
package/src/__tests__/qdrant-manager.test.ts +28 -2
package/src/__tests__/registry.test.ts +0 -6
package/src/__tests__/relay-server.test.ts +1 -2
package/src/__tests__/runtime-attachment-metadata.test.ts +0 -4
package/src/__tests__/script-proxy-injection-runtime.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -1
package/src/__tests__/secret-routes-managed-proxy.test.ts +0 -4
package/src/__tests__/secure-keys.test.ts +95 -272
package/src/__tests__/shell-identity.test.ts +96 -6
package/src/__tests__/skill-feature-flags-integration.test.ts +22 -14
package/src/__tests__/skill-feature-flags.test.ts +46 -45
package/src/__tests__/skill-load-feature-flag.test.ts +7 -10
package/src/__tests__/skill-load-inline-command.test.ts +8 -12
package/src/__tests__/skill-load-inline-includes.test.ts +6 -10
package/src/__tests__/skill-load-tool.test.ts +0 -2
package/src/__tests__/skill-memory.test.ts +17 -3
package/src/__tests__/skill-projection-feature-flag.test.ts +33 -29
package/src/__tests__/skills.test.ts +0 -2
package/src/__tests__/slack-inbound-verification.test.ts +0 -4
package/src/__tests__/stale-approval-dedup.test.ts +171 -0
package/src/__tests__/stt-hints.test.ts +437 -0
package/src/__tests__/suggestion-routes.test.ts +1 -32
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/task-memory-cleanup.test.ts +14 -0
package/src/__tests__/tool-executor-shell-integration.test.ts +5 -3
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +0 -5
package/src/__tests__/trusted-contact-multichannel.test.ts +0 -4
package/src/__tests__/twilio-routes-twiml.test.ts +139 -1
package/src/__tests__/update-bulletin.test.ts +0 -2
package/src/__tests__/vellum-self-knowledge-inline-command.test.ts +6 -9
package/src/__tests__/voice-quality.test.ts +58 -0
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -7
package/src/__tests__/workspace-migration-015-migrate-credentials-to-keychain.test.ts +252 -0
package/src/__tests__/workspace-migration-016-migrate-credentials-from-keychain.test.ts +220 -0
package/src/__tests__/workspace-migration-down-functions.test.ts +1009 -0
package/src/__tests__/workspace-migrations-runner.test.ts +114 -0
package/src/acp/agent-process.ts +9 -1
package/src/agent/loop.ts +1 -1
package/src/approvals/guardian-request-resolvers.ts +164 -38
package/src/calls/__tests__/tts-text-sanitizer.test.ts +254 -0
package/src/calls/audio-store.test.ts +97 -0
package/src/calls/audio-store.ts +205 -0
package/src/calls/call-controller.ts +90 -8
package/src/calls/call-domain.ts +3 -0
package/src/calls/call-store.ts +10 -3
package/src/calls/fish-audio-client.ts +129 -0
package/src/calls/relay-server.ts +27 -0
package/src/calls/stt-hints.ts +189 -0
package/src/calls/tts-text-sanitizer.ts +61 -0
package/src/calls/twilio-routes.ts +34 -5
package/src/calls/types.ts +1 -0
package/src/calls/voice-ingress-preflight.ts +0 -42
package/src/calls/voice-quality.ts +38 -5
package/src/calls/voice-session-bridge.ts +7 -12
package/src/cli/commands/avatar.ts +2 -2
package/src/cli/commands/config.ts +1 -4
package/src/cli/commands/credentials.ts +128 -82
package/src/cli/commands/doctor.ts +2 -2
package/src/cli/commands/keys.ts +7 -7
package/src/cli/commands/memory.ts +1 -1
package/src/cli/commands/oauth/connections.ts +11 -29
package/src/cli/commands/oauth/index.ts +7 -0
package/src/cli/commands/oauth/platform.ts +525 -0
package/src/cli/commands/platform.ts +3 -3
package/src/cli/lib/daemon-credential-client.ts +284 -0
package/src/cli.ts +1 -1
package/src/config/assistant-feature-flags.ts +186 -5
package/src/config/bundled-skills/AGENTS.md +34 -0
package/src/config/bundled-skills/acp/SKILL.md +10 -0
package/src/config/bundled-skills/app-builder/SKILL.md +0 -4
package/src/config/bundled-skills/messaging/SKILL.md +5 -5
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +2 -2
package/src/config/bundled-skills/phone-calls/TOOLS.json +4 -0
package/src/config/bundled-skills/playbooks/tools/playbook-create.ts +1 -0
package/src/config/bundled-skills/playbooks/tools/playbook-update.ts +1 -0
package/src/config/bundled-skills/settings/SKILL.md +15 -2
package/src/config/bundled-skills/settings/TOOLS.json +47 -2
package/src/config/bundled-skills/settings/tools/avatar-remove.ts +59 -0
package/src/config/bundled-skills/settings/tools/avatar-update.ts +80 -0
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +42 -0
package/src/config/bundled-skills/slack/SKILL.md +1 -1
package/src/config/bundled-tool-registry.ts +5 -11
package/src/config/defaults.ts +0 -2
package/src/config/env-registry.ts +5 -5
package/src/config/env.ts +21 -14
package/src/config/feature-flag-registry.json +49 -9
package/src/config/loader.ts +106 -42
package/src/config/schema.ts +9 -29
package/src/config/schemas/calls.ts +30 -0
package/src/config/schemas/fish-audio.ts +39 -0
package/src/config/schemas/inference.ts +2 -2
package/src/config/schemas/journal.ts +16 -0
package/src/config/schemas/memory-processing.ts +2 -2
package/src/config/schemas/security.ts +0 -4
package/src/config/types.ts +1 -1
package/src/contacts/contact-store.ts +39 -0
package/src/contacts/types.ts +2 -0
package/src/credential-execution/approval-bridge.ts +1 -0
package/src/credential-execution/executable-discovery.ts +28 -4
package/src/credential-execution/feature-gates.ts +16 -0
package/src/credential-execution/process-manager.ts +38 -0
package/src/credential-execution/startup-timeout.ts +36 -0
package/src/daemon/approval-generators.ts +3 -9
package/src/daemon/assistant-attachments.ts +9 -0
package/src/daemon/config-watcher.ts +5 -0
package/src/daemon/conversation-error.ts +13 -1
package/src/daemon/conversation-memory.ts +1 -2
package/src/daemon/conversation-process.ts +18 -1
package/src/daemon/conversation-surfaces.ts +30 -1
package/src/daemon/conversation-tool-setup.ts +0 -105
package/src/daemon/conversation.ts +21 -1
package/src/daemon/guardian-action-generators.ts +3 -9
package/src/daemon/handlers/config-vercel.ts +92 -0
package/src/daemon/handlers/skills.ts +2 -15
package/src/daemon/install-symlink.ts +195 -0
package/src/daemon/lifecycle.ts +234 -51
package/src/daemon/message-types/conversations.ts +4 -4
package/src/daemon/message-types/diagnostics.ts +3 -22
package/src/daemon/message-types/messages.ts +0 -2
package/src/daemon/message-types/upgrades.ts +8 -0
package/src/daemon/server.ts +32 -95
package/src/events/domain-events.ts +2 -1
package/src/inbound/platform-callback-registration.ts +3 -3
package/src/instrument.ts +8 -5
package/src/memory/app-store.ts +31 -0
package/src/memory/conversation-title-service.ts +50 -1
package/src/memory/db-init.ts +16 -0
package/src/memory/indexer.ts +19 -10
package/src/memory/items-extractor.ts +328 -321
package/src/memory/job-handlers/conversation-starters.ts +4 -1
package/src/memory/job-handlers/summarization.ts +26 -16
package/src/memory/jobs-store.ts +63 -6
package/src/memory/jobs-worker.ts +31 -7
package/src/memory/journal-memory.ts +214 -0
package/src/memory/migrations/001-job-deferrals.ts +19 -0
package/src/memory/migrations/004-entity-relation-dedup.ts +10 -0
package/src/memory/migrations/005-fingerprint-scope-unique.ts +76 -0
package/src/memory/migrations/006-scope-salted-fingerprints.ts +50 -0
package/src/memory/migrations/007-assistant-id-to-self.ts +10 -0
package/src/memory/migrations/008-remove-assistant-id-columns.ts +34 -0
package/src/memory/migrations/009-llm-usage-events-drop-assistant-id.ts +26 -0
package/src/memory/migrations/014-backfill-inbox-thread-state.ts +10 -0
package/src/memory/migrations/015-drop-active-search-index.ts +17 -0
package/src/memory/migrations/019-notification-tables-schema-migration.ts +12 -0
package/src/memory/migrations/020-rename-macos-ios-channel-to-vellum.ts +121 -0
package/src/memory/migrations/024-embedding-vector-blob.ts +74 -0
package/src/memory/migrations/026a-embeddings-nullable-vector-json.ts +82 -0
package/src/memory/migrations/036-normalize-phone-identities.ts +11 -0
package/src/memory/migrations/116-messages-fts.ts +106 -1
package/src/memory/migrations/126-backfill-guardian-principal-id.ts +52 -0
package/src/memory/migrations/127-guardian-principal-id-not-null.ts +77 -0
package/src/memory/migrations/134-contacts-notes-column.ts +13 -0
package/src/memory/migrations/135-backfill-contact-interaction-stats.ts +20 -0
package/src/memory/migrations/136-drop-assistant-id-columns.ts +52 -0
package/src/memory/migrations/140-backfill-usage-cache-accounting.ts +13 -0
package/src/memory/migrations/141-rename-verification-table.ts +54 -0
package/src/memory/migrations/142-rename-verification-session-id-column.ts +25 -0
package/src/memory/migrations/143-rename-guardian-verification-values.ts +35 -0
package/src/memory/migrations/144-rename-voice-to-phone.ts +136 -0
package/src/memory/migrations/145-drop-accounts-table.ts +32 -0
package/src/memory/migrations/147-migrate-reminders-to-schedules.ts +14 -1
package/src/memory/migrations/148-drop-reminders-table.ts +35 -1
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +69 -1
package/src/memory/migrations/162-guardian-timestamps-epoch-ms.ts +290 -0
package/src/memory/migrations/169-rename-gmail-provider-key-to-google.ts +51 -1
package/src/memory/migrations/174-rename-thread-starters-table.ts +47 -1
package/src/memory/migrations/176-drop-capability-card-state.ts +13 -0
package/src/memory/migrations/180-backfill-inline-attachments-to-disk.ts +16 -0
package/src/memory/migrations/181-rename-thread-starters-checkpoints.ts +28 -1
package/src/memory/migrations/190-call-session-skip-disclosure.ts +15 -0
package/src/memory/migrations/191-backfill-audio-attachment-mime-types.ts +64 -0
package/src/memory/migrations/192-contacts-user-file-column.ts +15 -0
package/src/memory/migrations/193-add-source-type-columns.ts +81 -0
package/src/memory/migrations/index.ts +5 -0
package/src/memory/migrations/registry.ts +98 -0
package/src/memory/migrations/validate-migration-state.ts +137 -11
package/src/memory/qdrant-circuit-breaker.ts +9 -0
package/src/memory/qdrant-manager.ts +64 -7
package/src/memory/retriever.test.ts +37 -25
package/src/memory/retriever.ts +24 -49
package/src/memory/schema/calls.ts +1 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/memory-core.ts +2 -0
package/src/memory/search/formatting.ts +7 -44
package/src/memory/search/staleness.ts +4 -0
package/src/memory/search/tier-classifier.ts +10 -2
package/src/memory/search/types.ts +2 -5
package/src/memory/task-memory-cleanup.ts +4 -3
package/src/notifications/adapters/slack.ts +168 -6
package/src/notifications/broadcaster.ts +1 -0
package/src/notifications/copy-composer.ts +59 -2
package/src/notifications/decision-engine.ts +4 -1
package/src/notifications/signal.ts +2 -0
package/src/notifications/types.ts +2 -0
package/src/oauth/connection-resolver.ts +6 -4
package/src/permissions/checker.ts +0 -38
package/src/permissions/shell-identity.ts +76 -22
package/src/permissions/types.ts +4 -2
package/src/platform/client.ts +35 -7
package/src/prompts/journal-context.ts +133 -0
package/src/prompts/persona-resolver.ts +194 -0
package/src/prompts/system-prompt.ts +44 -4
package/src/prompts/templates/SOUL.md +10 -0
package/src/prompts/templates/users/default.md +1 -0
package/src/providers/provider-send-message.ts +3 -32
package/src/providers/registry.ts +29 -179
package/src/providers/types.ts +1 -1
package/src/runtime/access-request-helper.ts +4 -0
package/src/runtime/auth/__tests__/credential-service.test.ts +0 -1
package/src/runtime/auth/__tests__/external-assistant-id.test.ts +13 -68
package/src/runtime/auth/__tests__/guard-tests.test.ts +9 -50
package/src/runtime/auth/external-assistant-id.ts +13 -59
package/src/runtime/auth/route-policy.ts +17 -1
package/src/runtime/auth/token-service.ts +43 -138
package/src/runtime/channel-readiness-service.ts +1 -16
package/src/runtime/gateway-client.ts +47 -4
package/src/runtime/guardian-decision-types.ts +45 -4
package/src/runtime/http-server.ts +31 -3
package/src/runtime/middleware/error-handler.ts +1 -9
package/src/runtime/routes/access-request-decision.ts +2 -2
package/src/runtime/routes/app-management-routes.ts +2 -1
package/src/runtime/routes/approval-strategies/guardian-callback-strategy.ts +219 -30
package/src/runtime/routes/approval-strategies/guardian-text-engine-strategy.ts +37 -14
package/src/runtime/routes/audio-routes.ts +40 -0
package/src/runtime/routes/btw-routes.ts +0 -17
package/src/runtime/routes/channel-readiness-routes.ts +9 -4
package/src/runtime/routes/conversation-query-routes.ts +63 -1
package/src/runtime/routes/conversation-routes.ts +4 -44
package/src/runtime/routes/debug-routes.ts +12 -9
package/src/runtime/routes/diagnostics-routes.ts +1 -477
package/src/runtime/routes/guardian-approval-interception.ts +168 -11
package/src/runtime/routes/guardian-approval-prompt.ts +6 -1
package/src/runtime/routes/guardian-approval-reply-helpers.ts +103 -21
package/src/runtime/routes/identity-routes.ts +19 -30
package/src/runtime/routes/inbound-message-handler.ts +31 -1
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +64 -5
package/src/runtime/routes/inbound-stages/background-dispatch.ts +52 -40
package/src/runtime/routes/inbound-stages/secret-ingress-check.ts +4 -33
package/src/runtime/routes/inbound-stages/transcribe-audio.test.ts +1 -1
package/src/runtime/routes/integrations/twilio.ts +52 -10
package/src/runtime/routes/integrations/vercel.ts +89 -0
package/src/runtime/routes/log-export-routes.ts +5 -0
package/src/runtime/routes/memory-item-routes.test.ts +3 -3
package/src/runtime/routes/memory-item-routes.ts +46 -14
package/src/runtime/routes/migration-rollback-routes.ts +209 -0
package/src/runtime/routes/migration-routes.ts +17 -1
package/src/runtime/routes/notification-routes.ts +58 -0
package/src/runtime/routes/schedule-routes.ts +65 -0
package/src/runtime/routes/secret-routes.ts +141 -10
package/src/runtime/routes/settings-routes.ts +41 -1
package/src/runtime/routes/tts-routes.ts +96 -0
package/src/runtime/routes/upgrade-broadcast-routes.ts +26 -2
package/src/runtime/routes/workspace-commit-routes.ts +62 -0
package/src/runtime/routes/workspace-routes.test.ts +22 -1
package/src/runtime/routes/workspace-routes.ts +1 -1
package/src/runtime/routes/workspace-utils.ts +86 -2
package/src/security/ces-credential-client.ts +75 -29
package/src/security/ces-rpc-credential-backend.ts +86 -0
package/src/security/credential-backend.ts +22 -92
package/src/security/keychain-broker-client.ts +10 -2
package/src/security/secure-keys.ts +113 -115
package/src/skills/catalog-install.ts +6 -32
package/src/skills/skill-memory.ts +1 -0
package/src/subagent/manager.ts +2 -5
package/src/telemetry/usage-telemetry-reporter.ts +4 -2
package/src/tools/acp/spawn.ts +78 -1
package/src/tools/calls/call-start.ts +1 -0
package/src/tools/credentials/vault.ts +5 -3
package/src/tools/executor.ts +0 -4
package/src/tools/memory/definitions.ts +3 -2
package/src/tools/memory/handlers.ts +10 -7
package/src/tools/network/script-proxy/session-manager.ts +19 -4
package/src/tools/network/web-fetch.ts +3 -1
package/src/tools/skills/execute.ts +1 -1
package/src/tools/terminal/safe-env.ts +1 -0
package/src/tools/types.ts +0 -8
package/src/util/browser.ts +15 -0
package/src/util/errors.ts +0 -12
package/src/util/platform.ts +4 -51
package/src/workspace/git-service.ts +5 -2
package/src/workspace/migrations/001-avatar-rename.ts +15 -0
package/src/workspace/migrations/003-seed-device-id.ts +17 -1
package/src/workspace/migrations/004-extract-collect-usage-data.ts +33 -0
package/src/workspace/migrations/005-add-send-diagnostics.ts +3 -0
package/src/workspace/migrations/006-services-config.ts +49 -0
package/src/workspace/migrations/007-web-search-provider-rename.ts +27 -0
package/src/workspace/migrations/008-voice-timeout-and-max-steps.ts +3 -0
package/src/workspace/migrations/009-backfill-conversation-disk-view.ts +4 -0
package/src/workspace/migrations/010-app-dir-rename.ts +78 -0
package/src/workspace/migrations/011-backfill-installation-id.ts +11 -0
package/src/workspace/migrations/012-rename-conversation-disk-view-dirs.ts +44 -0
package/src/workspace/migrations/013-repair-conversation-disk-view.ts +5 -0
package/src/workspace/migrations/015-migrate-credentials-to-keychain.ts +153 -0
package/src/workspace/migrations/016-extract-feature-flags-to-protected.ts +156 -0
package/src/workspace/migrations/016-migrate-credentials-from-keychain.ts +150 -0
package/src/workspace/migrations/017-seed-persona-dirs.ts +96 -0
package/src/workspace/migrations/018-rekey-compound-credential-keys.ts +184 -0
package/src/workspace/migrations/019-scope-journal-to-guardian.ts +103 -0
package/src/workspace/migrations/migrate-to-workspace-volume.ts +27 -5
package/src/workspace/migrations/registry.ts +12 -0
package/src/workspace/migrations/runner.ts +106 -2
package/src/workspace/migrations/types.ts +4 -0
package/src/workspace/provider-commit-message-generator.ts +12 -21
package/src/__tests__/claude-code-skill-regression.test.ts +0 -206
package/src/__tests__/claude-code-tool-profiles.test.ts +0 -99
package/src/__tests__/diagnostics-export.test.ts +0 -288
package/src/__tests__/local-gateway-health.test.ts +0 -209
package/src/__tests__/provider-fail-open-selection.test.ts +0 -271
package/src/__tests__/provider-failover-actual-provider.test.ts +0 -66
package/src/__tests__/secret-ingress-handler.test.ts +0 -120
package/src/__tests__/swarm-conversation-integration.test.ts +0 -358
package/src/__tests__/swarm-dag-pathological.test.ts +0 -547
package/src/__tests__/swarm-orchestrator.test.ts +0 -463
package/src/__tests__/swarm-plan-validator.test.ts +0 -384
package/src/__tests__/swarm-recursion.test.ts +0 -197
package/src/__tests__/swarm-router-planner.test.ts +0 -234
package/src/__tests__/swarm-tool.test.ts +0 -185
package/src/__tests__/swarm-worker-backend.test.ts +0 -144
package/src/__tests__/swarm-worker-runner.test.ts +0 -288
package/src/commands/__tests__/cc-command-registry.test.ts +0 -396
package/src/commands/cc-command-registry.ts +0 -248
package/src/config/bundled-skills/claude-code/SKILL.md +0 -53
package/src/config/bundled-skills/claude-code/TOOLS.json +0 -47
package/src/config/bundled-skills/claude-code/tools/claude-code.ts +0 -12
package/src/config/bundled-skills/orchestration/SKILL.md +0 -33
package/src/config/bundled-skills/orchestration/TOOLS.json +0 -35
package/src/config/bundled-skills/orchestration/tools/swarm-delegate.ts +0 -12
package/src/config/schemas/swarm.ts +0 -82
package/src/logfire.ts +0 -135
package/src/memory/search/lexical.ts +0 -48
package/src/providers/failover.ts +0 -186
package/src/runtime/local-gateway-health.ts +0 -275
package/src/security/secret-ingress.ts +0 -68
package/src/swarm/backend-claude-code.ts +0 -225
package/src/swarm/checkpoint.ts +0 -137
package/src/swarm/graph-utils.ts +0 -53
package/src/swarm/index.ts +0 -55
package/src/swarm/limits.ts +0 -66
package/src/swarm/orchestrator.ts +0 -424
package/src/swarm/plan-validator.ts +0 -117
package/src/swarm/router-planner.ts +0 -162
package/src/swarm/router-prompts.ts +0 -39
package/src/swarm/synthesizer.ts +0 -81
package/src/swarm/types.ts +0 -72
package/src/swarm/worker-backend.ts +0 -131
package/src/swarm/worker-prompts.ts +0 -80
package/src/swarm/worker-runner.ts +0 -170
package/src/tools/claude-code/claude-code.ts +0 -610
package/src/tools/swarm/delegate.ts +0 -205

package/src/__tests__/credential-security-invariants.test.ts CHANGED Viewed

@@ -138,45 +138,6 @@ describe("Invariant 1: secrets never enter LLM context", () => {
       });
     }
   }
-  // PR 27 — secret ingress block scans inbound messages
-  test("user message containing secret is blocked from entering history", () => {
-    // Mock config to enable block mode
-    mock.module("../config/loader.js", () => ({
-      applyNestedDefaults: (config: unknown) => config,
-      getConfig: () => ({
-        ui: {},
-        secretDetection: {
-          enabled: true,
-          action: "block",
-          blockIngress: true,
-        },
-      }),
-      invalidateConfigCache: () => {},
-      loadConfig: () => ({
-        ui: {},
-        secretDetection: {
-          enabled: true,
-          action: "block",
-          blockIngress: true,
-        },
-      }),
-    }));
-    // Re-import to pick up the mock
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { checkIngressForSecrets } = require("../security/secret-ingress.js");
-    // Build a fake AWS key at runtime to avoid pre-commit hook
-    const fakeKey = ["AKIA", "IOSFODNN7", "REALKEY"].join("");
-    const result = checkIngressForSecrets(`My key is ${fakeKey}`);
-    expect(result.blocked).toBe(true);
-    expect(result.detectedTypes.length).toBeGreaterThan(0);
-    // User notice must not echo the secret
-    expect(result.userNotice).toBeDefined();
-    expect(result.userNotice).not.toContain(fakeKey);
-  });
 });
 // ---------------------------------------------------------------------------
@@ -208,6 +169,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "tools/credentials/broker.ts", // brokered credential access
       "tools/network/web-search.ts", // web search API key lookup
       "daemon/handlers/config-telegram.ts", // Telegram bot token management
+      "daemon/handlers/config-vercel.ts", // Vercel API token management
       "runtime/routes/integrations/twilio.ts", // Twilio credential management (HTTP control-plane)
       "security/token-manager.ts", // OAuth token refresh flow
       "email/providers/index.ts", // email provider API key lookup
@@ -216,15 +178,16 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "calls/twilio-config.ts", // call infrastructure credential lookup
       "calls/twilio-provider.ts", // call infrastructure credential lookup
       "calls/twilio-rest.ts", // Twilio REST API credential lookup
+      "calls/fish-audio-client.ts", // Fish Audio TTS API key lookup
       "runtime/channel-invite-transports/telegram.ts", // Telegram invite transport bot token lookup
-      "cli/commands/keys.ts", // CLI credential management commands
-      "cli/commands/credentials.ts", // CLI credential management commands
+      "cli/lib/daemon-credential-client.ts", // CLI-to-daemon credential routing intermediary
       "messaging/providers/telegram-bot/adapter.ts", // Telegram bot token lookup for connectivity check
       "runtime/channel-readiness-service.ts", // channel readiness probes for Telegram connectivity
       "messaging/providers/whatsapp/adapter.ts", // WhatsApp credential lookup for connectivity check
       "messaging/providers/slack/adapter.ts", // Slack bot token lookup for Socket Mode connectivity check
       "daemon/handlers/config-slack-channel.ts", // Slack channel config credential management
       "providers/managed-proxy/context.ts", // managed proxy API key lookup for provider initialization
+      "platform/client.ts", // platform client keychain fallback for standalone CLI auth
       "mcp/mcp-oauth-provider.ts", // MCP OAuth token/client/discovery persistence
       "runtime/routes/integrations/slack/share.ts", // Slack share routes credential lookup
       "mcp/client.ts", // MCP client cached-token lookup
@@ -234,10 +197,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "daemon/conversation-messaging.ts", // credential storage during session messaging
       "runtime/routes/settings-routes.ts", // settings routes OAuth credential lookup (client_secret)
       "oauth/oauth-store.ts", // OAuth provider disconnect (delete stored tokens)
-      "cli/commands/oauth/connections.ts", // CLI OAuth connection delete (legacy credential cleanup)
       "oauth/manual-token-connection.ts", // manual-token provider backfill (keychain credential existence check)
-      "cli/commands/doctor.ts", // CLI diagnostic API key verification via secure storage
-      "swarm/backend-claude-code.ts", // Claude Code swarm backend API key lookup
       "workspace/provider-commit-message-generator.ts", // commit message generation provider key lookup
       "config/bundled-skills/transcribe/tools/transcribe-media.ts", // transcription tool API key lookup
       "config/bundled-skills/image-studio/tools/media-generate-image.ts", // image generation tool API key lookup
@@ -249,13 +209,13 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "media/avatar-router.ts", // avatar generation API key lookup
       "memory/embedding-backend.ts", // embedding backend API key lookup
       "daemon/providers-setup.ts", // provider initialization API key lookup
-      "tools/claude-code/claude-code.ts", // Claude Code tool API key lookup
       "workspace/migrations/006-services-config.ts", // services config migration reads provider API keys
-      "cli/commands/avatar.ts", // CLI avatar generation API key lookup
+      "workspace/migrations/018-rekey-compound-credential-keys.ts", // re-key compound credential storage keys
       "config/bundled-skills/slack/tools/shared.ts", // Slack skill bot token lookup
       "daemon/conversation-process.ts", // masked provider key display
       "daemon/handlers/config-model.ts", // masked provider key display
       "providers/speech-to-text/resolve.ts", // STT provider API key lookup
+      "daemon/lifecycle.ts", // CES client injection into secure-keys at startup
     ]);
     const thisDir = dirname(fileURLToPath(import.meta.url));
@@ -613,10 +573,6 @@ describe("One-time send override", () => {
   test("default secretDetection.action is redact", () => {
     expect(DEFAULT_CONFIG.secretDetection.action).toBe("redact");
   });
-  test("default secretDetection.blockIngress is true", () => {
-    expect(DEFAULT_CONFIG.secretDetection.blockIngress).toBe(true);
-  });
 });
 // ---------------------------------------------------------------------------

package/src/__tests__/credentials-cli.test.ts CHANGED Viewed

@@ -12,6 +12,7 @@ import type { CredentialMetadata } from "../tools/credentials/metadata-store.js"
 let secureKeyStore = new Map<string, string>();
 let metadataStore: CredentialMetadata[] = [];
 let idCounter = 0;
+let mockBrokerUnreachable = false;
 function nextUUID(): string {
   idCounter += 1;
@@ -39,12 +40,19 @@ mock.module("../security/secure-keys.js", () => ({
     }
     return "not-found";
   },
-  listSecureKeysAsync: async (): Promise<string[]> => {
-    return [...secureKeyStore.keys()];
-  },
+  listSecureKeysAsync: async () => ({
+    accounts: [...secureKeyStore.keys()],
+    unreachable: false,
+  }),
   getSecureKeyAsync: async (account: string): Promise<string | undefined> => {
     return secureKeyStore.get(account);
   },
+  getSecureKeyResultAsync: async (
+    account: string,
+  ): Promise<{ value: string | undefined; unreachable: boolean }> => ({
+    value: secureKeyStore.get(account),
+    unreachable: mockBrokerUnreachable,
+  }),
   _resetBackend: (): void => {},
 }));
@@ -264,6 +272,7 @@ describe("assistant credentials CLI", () => {
     secureKeyStore = new Map();
     metadataStore = [];
     idCounter = 0;
+    mockBrokerUnreachable = false;
     disconnectOAuthProviderCalls = [];
     disconnectOAuthProviderResult = "not-found";
     process.exitCode = 0;
@@ -870,6 +879,42 @@ describe("assistant credentials CLI", () => {
       expect(parsed.hasSecret).toBe(false);
       expect(parsed.scrubbedValue).toBe("(not set)");
     });
+    test("shows broker unreachable when metadata exists but broker is down", async () => {
+      seedMetadataOnly("twilio", "account_sid");
+      mockBrokerUnreachable = true;
+      const result = await runCli([
+        "inspect",
+        "--service",
+        "twilio",
+        "--field",
+        "account_sid",
+        "--json",
+      ]);
+      expect(result.exitCode).toBe(0);
+      const parsed = JSON.parse(result.stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.scrubbedValue).toBe("(broker unreachable)");
+      expect(parsed.brokerUnreachable).toBe(true);
+    });
+    test("shows unreachable error when no metadata and broker is down", async () => {
+      mockBrokerUnreachable = true;
+      const result = await runCli([
+        "inspect",
+        "--service",
+        "nonexistent",
+        "--field",
+        "field",
+        "--json",
+      ]);
+      expect(result.exitCode).toBe(1);
+      const parsed = JSON.parse(result.stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.error).toContain("Keychain broker is unreachable");
+    });
   });
   // =========================================================================
@@ -969,6 +1014,40 @@ describe("assistant credentials CLI", () => {
       expect(parsed.ok).toBe(false);
       expect(parsed.error).toContain("not found");
     });
+    test("returns unreachable error when broker is down", async () => {
+      mockBrokerUnreachable = true;
+      const result = await runCli([
+        "reveal",
+        "--service",
+        "twilio",
+        "--field",
+        "auth_token",
+        "--json",
+      ]);
+      expect(result.exitCode).toBe(1);
+      const parsed = JSON.parse(result.stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.error).toContain("Keychain broker is unreachable");
+    });
+    test("returns credential-not-found when broker is up", async () => {
+      mockBrokerUnreachable = false;
+      const result = await runCli([
+        "reveal",
+        "--service",
+        "twilio",
+        "--field",
+        "nonexistent",
+        "--json",
+      ]);
+      expect(result.exitCode).toBe(1);
+      const parsed = JSON.parse(result.stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.error).toBe("Credential not found");
+    });
   });
   // =========================================================================

package/src/__tests__/daemon-credential-client.test.ts ADDED Viewed

@@ -0,0 +1,123 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import { credentialKey } from "../security/credential-key.js";
+let fallbackValues = new Map<string, string>();
+mock.module("../config/env.js", () => ({
+  getRuntimeHttpHost: () => "127.0.0.1",
+  getRuntimeHttpPort: () => 4123,
+}));
+mock.module("../daemon/daemon-control.js", () => ({
+  healthCheckHost: (host: string) => host,
+  isHttpHealthy: async () => true,
+}));
+mock.module("../runtime/auth/token-service.js", () => ({
+  initAuthSigningKey: () => {},
+  loadOrCreateSigningKey: () => "signing-key",
+  mintDaemonDeliveryToken: () => "daemon-token",
+}));
+mock.module("../security/secure-keys.js", () => ({
+  deleteSecureKeyAsync: async () => "deleted" as const,
+  getSecureKeyAsync: async (account: string) => fallbackValues.get(account),
+  getSecureKeyResultAsync: async (account: string) => ({
+    value: fallbackValues.get(account),
+    unreachable: false,
+  }),
+  setSecureKeyAsync: async () => true,
+}));
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+import {
+  getSecureKeyResultViaDaemon,
+  getSecureKeyViaDaemon,
+} from "../cli/lib/daemon-credential-client.js";
+const originalFetch = globalThis.fetch;
+const fetchCalls: Array<{ url: string; init?: RequestInit }> = [];
+function getRequestBody(index = 0): Record<string, unknown> {
+  const body = fetchCalls[index]?.init?.body;
+  if (typeof body !== "string") {
+    throw new Error("Expected fetch body to be a JSON string");
+  }
+  return JSON.parse(body) as Record<string, unknown>;
+}
+beforeEach(() => {
+  fallbackValues = new Map();
+  fetchCalls.length = 0;
+  const mockFetch = mock(
+    async (input: string | URL | Request, init?: RequestInit) => {
+      const url =
+        typeof input === "string"
+          ? input
+          : input instanceof URL
+            ? input.toString()
+            : input.url;
+      fetchCalls.push({ url, init });
+      return new Response(
+        JSON.stringify({ found: true, value: "secret-value" }),
+        {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        },
+      );
+    },
+  );
+  globalThis.fetch = mockFetch as unknown as typeof globalThis.fetch;
+});
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+describe("daemon credential read requests", () => {
+  test("keeps provider secrets on the api_key path", async () => {
+    const value = await getSecureKeyViaDaemon("openai");
+    expect(value).toBe("secret-value");
+    expect(fetchCalls).toHaveLength(1);
+    expect(fetchCalls[0]?.url).toBe("http://127.0.0.1:4123/v1/secrets/read");
+    expect(getRequestBody()).toEqual({
+      type: "api_key",
+      name: "openai",
+      reveal: true,
+    });
+  });
+  test("converts canonical credential keys into credential reads", async () => {
+    const value = await getSecureKeyViaDaemon(
+      credentialKey("vellum", "platform_base_url"),
+    );
+    expect(value).toBe("secret-value");
+    expect(getRequestBody()).toEqual({
+      type: "credential",
+      name: "vellum:platform_base_url",
+      reveal: true,
+    });
+  });
+  test("preserves compound credential service names on metadata reads", async () => {
+    const result = await getSecureKeyResultViaDaemon(
+      credentialKey("integration:google", "client_secret"),
+    );
+    expect(result).toEqual({ value: "secret-value", unreachable: false });
+    expect(getRequestBody()).toEqual({
+      type: "credential",
+      name: "integration:google:client_secret",
+      reveal: true,
+    });
+  });
+});