@vellumai/assistant 0.5.7 → 0.5.8

package/Dockerfile

@@ -92,6 +92,7 @@ ENV IS_CONTAINERIZED=true
 
 # Copy from builder
 COPY --from=builder /app /app
+RUN chmod +x /app/assistant/docker-entrypoint.sh
 
 # Run the daemon + http server
-CMD ["bun", "run", "src/daemon/main.ts"]
+CMD ["/app/assistant/docker-entrypoint.sh"]

package/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+set -eu
+
+if [ "$(id -u)" = "0" ] && [ "${VELLUM_WORKSPACE_DIR:-}" = "/workspace" ] && [ -d /workspace ]; then
+  git config --global --add safe.directory /workspace >/dev/null 2>&1 || true
+  git config --global --add safe.directory '/workspace/*' >/dev/null 2>&1 || true
+fi
+
+exec bun run src/daemon/main.ts

package/docs/architecture/memory.md

@@ -273,7 +273,7 @@ The key distinction: normal compaction is a cost-optimized background process th
 
 1. Run a recall-heavy turn and inspect `memory_recalled` events in the client trace stream.
 2. Validate baseline counters:
-   - `semanticHits`, `recencyHits`
+   - `semanticHits`
    - `tier1Count`, `tier2Count`
    - `hybridSearchLatencyMs`
    - `mergedCount`, `selectedCount`, `injectedTokens`, `latencyMs`
@@ -304,16 +304,18 @@ stateDiagram-v2
     Superseded --> Cleanup : cleanup_stale_superseded_items\n(delete from DB + Qdrant)
 ```
 
-**Item extraction** uses LLM-powered extraction (with pattern-based fallback) to identify memorable information from conversation messages. Each extracted item belongs to one of six kinds:
-
-| Kind         | Description                                       | Base Lifetime |
-| ------------ | ------------------------------------------------- | ------------- |
-| `identity`   | Personal info, facts, relationships               | 6 months      |
-| `preference` | Likes, dislikes, preferred approaches/tools       | 3 months      |
-| `constraint` | Rules, requirements, directives                   | 1 month       |
-| `project`    | Project details, repos, tech stacks, action items | 2 weeks       |
-| `decision`   | Choices made, approaches selected                 | 2 weeks       |
-| `event`      | Deadlines, milestones, meetings, dates            | 3 days        |
+**Item extraction** uses LLM-powered extraction (with pattern-based fallback) to identify memorable information from conversation messages. Each extracted item belongs to one of eight kinds:
+
+| Kind         | Description                                                        | Base Lifetime |
+| ------------ | ------------------------------------------------------------------ | ------------- |
+| `identity`   | Personal info, facts, relationships                                | 6 months      |
+| `preference` | Likes, dislikes, preferred approaches/tools                        | 3 months      |
+| `journal`    | Experiential reflections, journal-style notes, forward-looking items | 3 months      |
+| `constraint` | Rules, requirements, directives                                    | 1 month       |
+| `project`    | Project details, repos, tech stacks, action items                  | 2 weeks       |
+| `decision`   | Choices made, approaches selected                                  | 2 weeks       |
+| `event`      | Deadlines, milestones, meetings, dates                             | 3 days        |
+| `capability` | Skill catalog entries (system-generated, not LLM-extracted)        | never expires |
 
 **Supersession chains** replace the old conflict resolution system. When the LLM extracts a new item that updates an existing one, it sets `supersedes` to the old item's ID and `overrideConfidence` to one of three levels:
 

package/node_modules/@vellumai/ces-contracts/src/error.ts

@@ -3,7 +3,7 @@
  * dependencies between index.ts and rpc.ts.
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 
 export const RpcErrorSchema = z.object({
   code: z.string(),

package/node_modules/@vellumai/ces-contracts/src/grants.ts

@@ -9,7 +9,7 @@
  * - Audit record summaries (materialization events)
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 
 // ---------------------------------------------------------------------------
 // Grant proposal types

package/node_modules/@vellumai/ces-contracts/src/handles.ts

@@ -20,7 +20,7 @@
  *    is the platform-assigned connection identifier.
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 
 // ---------------------------------------------------------------------------
 // Handle type discriminator

package/node_modules/@vellumai/ces-contracts/src/index.ts

@@ -7,7 +7,7 @@
  * module so that both sides can depend on it without circular references.
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 import { RpcErrorSchema } from "./error.js";
 
 // ---------------------------------------------------------------------------

package/node_modules/@vellumai/ces-contracts/src/rpc.ts

@@ -33,7 +33,7 @@
  * - `list_credentials` — List all credential account names
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 import {
   AuditRecordSummarySchema,
   GrantProposalSchema,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.5.7",
+  "version": "0.5.8",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/approval-cascade.test.ts

@@ -162,7 +162,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/browser-fill-credential.test.ts

@@ -61,7 +61,7 @@ mock.module("../security/secure-keys.js", () => ({
   getSecureKeyAsync: async (...args: unknown[]) => mockGetSecureKey(...args),
   setSecureKeyAsync: async () => true,
   deleteSecureKeyAsync: async () => "deleted",
-  listSecureKeysAsync: async () => [],
+  listSecureKeysAsync: async () => ({ accounts: [], unreachable: false }),
   _resetBackend: () => {},
 }));
 

package/src/__tests__/call-controller.test.ts

@@ -42,7 +42,6 @@ mock.module("../config/loader.js", () => {
     ui: {},
 
     provider: "anthropic",
-    providerOrder: ["anthropic"],
     calls: {
       enabled: true,
       provider: "twilio",

package/src/__tests__/ces-rpc-credential-backend.test.ts

@@ -185,15 +185,15 @@ describe("CesRpcCredentialBackend", () => {
       const result = await backend.list();
 
       expect(callFn).toHaveBeenCalledWith(CesRpcMethod.ListCredentials, {});
-      expect(result).toEqual(["account-a", "account-b"]);
+      expect(result).toEqual({ accounts: ["account-a", "account-b"], unreachable: false });
     });
 
-    test("returns empty array when RPC call throws", async () => {
+    test("returns unreachable when RPC call throws", async () => {
       callFn.mockRejectedValue(new Error("transport error"));
 
       const result = await backend.list();
 
-      expect(result).toEqual([]);
+      expect(result).toEqual({ accounts: [], unreachable: true });
     });
   });
 });

package/src/__tests__/ces-startup-timeout.test.ts

@@ -0,0 +1,40 @@
+import { describe, expect, mock, test } from "bun:test";
+
+import type { CesClient } from "../credential-execution/client.js";
+import {
+  awaitCesClientWithTimeout,
+  DEFAULT_CES_STARTUP_TIMEOUT_MS,
+} from "../credential-execution/startup-timeout.js";
+
+describe("awaitCesClientWithTimeout", () => {
+  test("clears the fallback timer when the CES client resolves first", async () => {
+    const onTimeout = mock(() => {});
+    const client = { isReady: () => true } as unknown as CesClient;
+
+    const result = await awaitCesClientWithTimeout(Promise.resolve(client), {
+      timeoutMs: 25,
+      onTimeout,
+    });
+
+    expect(result).toBe(client);
+
+    await new Promise((resolve) => setTimeout(resolve, 40));
+    expect(onTimeout).not.toHaveBeenCalled();
+  });
+
+  test("returns undefined and runs the fallback handler when the timeout wins", async () => {
+    const onTimeout = mock(() => {});
+
+    const result = await awaitCesClientWithTimeout(new Promise(() => {}), {
+      timeoutMs: 10,
+      onTimeout,
+    });
+
+    expect(result).toBeUndefined();
+    expect(onTimeout).toHaveBeenCalledTimes(1);
+  });
+
+  test("exports the daemon CES startup timeout constant", () => {
+    expect(DEFAULT_CES_STARTUP_TIMEOUT_MS).toBe(20_000);
+  });
+});

package/src/__tests__/config-schema-cmd.test.ts

@@ -204,7 +204,6 @@ describe("z.toJSONSchema integration", () => {
     expect(properties).toBeDefined();
     // Check that top-level keys are present
     expect(properties.services).toBeDefined();
-    expect(properties.providerOrder).toBeDefined();
     expect(properties.maxTokens).toBeDefined();
     expect(properties.calls).toBeDefined();
     expect(properties.memory).toBeDefined();

package/src/__tests__/config-schema.test.ts

@@ -638,6 +638,8 @@ describe("AssistantConfigSchema", () => {
         language: "en-US",
         transcriptionProvider: "Deepgram",
         ttsProvider: "elevenlabs",
+        hints: [],
+        interruptSensitivity: "low",
       },
       callerIdentity: {
         allowPerCallOverride: true,

package/src/__tests__/conversation-abort-tool-results.test.ts

@@ -129,7 +129,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-agent-loop-overflow.test.ts

@@ -168,7 +168,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),
@@ -199,7 +198,6 @@ mock.module("../daemon/conversation-memory.js", () => ({
       injectedText: "",
 
       semanticHits: 0,
-      recencyHits: 0,
       injectedTokens: 0,
       latencyMs: 0,
       tier1Count: 0,

package/src/__tests__/conversation-agent-loop.test.ts

@@ -158,7 +158,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),
@@ -189,7 +188,6 @@ mock.module("../daemon/conversation-memory.js", () => ({
       injectedText: "",
 
       semanticHits: 0,
-      recencyHits: 0,
       injectedTokens: 0,
       latencyMs: 0,
       tier1Count: 0,
@@ -614,7 +612,7 @@ describe("session-agent-loop", () => {
   });
 
   describe("LLM request log persistence", () => {
-    test("record request log prefers the actual provider from failover", async () => {
+    test("record request log captures the actual provider name", async () => {
       const events: ServerMessage[] = [];
       const rawRequest = {
         model: "gpt-4.1",
@@ -768,7 +766,7 @@ describe("session-agent-loop", () => {
   });
 
   describe("usage accounting", () => {
-    test("records the actual provider for failover-served usage", async () => {
+    test("records the actual provider for usage accounting", async () => {
       const events: ServerMessage[] = [];
 
       const agentLoopRun: AgentLoopRun = async (messages, onEvent) => {

package/src/__tests__/conversation-confirmation-signals.test.ts

@@ -154,7 +154,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-error.test.ts

@@ -6,7 +6,7 @@ import {
   classifyConversationError,
   isUserCancellation,
 } from "../daemon/conversation-error.js";
-import { ProviderError } from "../util/errors.js";
+import { ProviderError, ProviderNotConfiguredError } from "../util/errors.js";
 
 describe("isUserCancellation", () => {
   it("returns false for non-AbortError even when abort flag is set", () => {
@@ -278,6 +278,20 @@ describe("classifyConversationError", () => {
     });
   });
 
+  describe("provider not configured errors", () => {
+    it("classifies ProviderNotConfiguredError as PROVIDER_NOT_CONFIGURED", () => {
+      const err = new ProviderNotConfiguredError("anthropic", []);
+      const result = classifyConversationError(err, baseCtx);
+      expect(result.code).toBe("PROVIDER_NOT_CONFIGURED");
+      expect(result.userMessage).toBe(
+        "No API key configured for inference. Add one in Settings to start chatting.",
+      );
+      expect(result.retryable).toBe(true);
+      expect(result.errorCategory).toBe("provider_not_configured");
+      expect(result.debugDetails).toBeDefined();
+    });
+  });
+
   describe("streaming corruption errors", () => {
     const cases = [
       "Unexpected event order, got message_start before receiving message_stop",

package/src/__tests__/conversation-messaging-secret-redirect.test.ts

@@ -28,7 +28,7 @@ mock.module("../security/secure-keys.js", () => ({
   setSecureKeyAsync: async (key?: string, value?: string) =>
     setSecureKeyMock(key, value),
   deleteSecureKeyAsync: async () => "deleted" as const,
-  listSecureKeysAsync: async () => [],
+  listSecureKeysAsync: async () => ({ accounts: [], unreachable: false }),
   _resetBackend: () => {},
 }));
 

package/src/__tests__/conversation-pre-run-repair.test.ts

@@ -119,7 +119,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-provider-retry-repair.test.ts

@@ -188,7 +188,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-queue.test.ts

@@ -204,7 +204,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-slash-queue.test.ts

@@ -130,7 +130,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-slash-unknown.test.ts

@@ -137,7 +137,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
 
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-workspace-injection.test.ts

@@ -149,7 +149,6 @@ mock.module("../memory/retriever.js", () => ({
     model: "mock",
     injectedText: "",
     semanticHits: 0,
-    recencyHits: 0,
     mergedCount: 0,
     selectedCount: 0,
     injectedTokens: 0,

package/src/__tests__/conversation-workspace-tool-tracking.test.ts

@@ -145,7 +145,6 @@ mock.module("../memory/retriever.js", () => ({
     model: "mock",
     injectedText: "",
     semanticHits: 0,
-    recencyHits: 0,
     mergedCount: 0,
     selectedCount: 0,
     injectedTokens: 0,

package/src/__tests__/credential-execution-client.test.ts

@@ -84,6 +84,9 @@ describe("local CES discovery", () => {
     if (result.mode === "unavailable") {
       expect(result.reason).toContain("CES executable not found");
       expect(result.mode).toBe("unavailable");
+    } else if (result.mode === "local-source") {
+      // Source entry point exists in the monorepo — verify the success shape.
+      expect(result.sourcePath).toBeTruthy();
     } else {
       // Binary exists in this environment — verify the success shape.
       expect(result.mode).toBe("local");
@@ -95,9 +98,9 @@ describe("local CES discovery", () => {
 
   test("never returns a fallback or in-process mode", () => {
     const result = discoverLocalCes();
-    // The result must be either "local" (with a valid path) or "unavailable".
+    // The result must be "local", "local-source", or "unavailable".
     // There must never be a fallback mode like "in-process" or "degraded".
-    expect(["local", "unavailable"]).toContain(result.mode);
+    expect(["local", "local-source", "unavailable"]).toContain(result.mode);
   });
 });
 

package/src/__tests__/credential-execution-feature-gates.test.ts

@@ -2,8 +2,8 @@
  * Tests for CES (Credential Execution Service) feature gates.
  *
  * Verifies:
- * - All CES flags default to disabled (safe dark-launch).
- * - Each flag can be enabled independently via config overrides.
+ * - Each CES flag defaults to its registry-declared value.
+ * - Each flag can be toggled independently via config overrides.
  * - Enabling CES flags does not implicitly change unrelated approval
  *   behavior or existing feature flags.
  */
@@ -54,28 +54,37 @@ const ALL_CES_FLAG_KEYS = [
   CES_MANAGED_SIDECAR_FLAG_KEY,
 ] as const;
 
-/** All CES predicate functions paired with their flag keys. */
+/** All CES predicate functions paired with their flag keys and expected defaults. */
 const ALL_CES_PREDICATES = [
-  { name: "isCesToolsEnabled", fn: isCesToolsEnabled, key: CES_TOOLS_FLAG_KEY },
+  {
+    name: "isCesToolsEnabled",
+    fn: isCesToolsEnabled,
+    key: CES_TOOLS_FLAG_KEY,
+    defaultEnabled: false,
+  },
   {
     name: "isCesShellLockdownEnabled",
     fn: isCesShellLockdownEnabled,
     key: CES_SHELL_LOCKDOWN_FLAG_KEY,
+    defaultEnabled: false,
   },
   {
     name: "isCesSecureInstallEnabled",
     fn: isCesSecureInstallEnabled,
     key: CES_SECURE_INSTALL_FLAG_KEY,
+    defaultEnabled: false,
   },
   {
     name: "isCesGrantAuditEnabled",
     fn: isCesGrantAuditEnabled,
     key: CES_GRANT_AUDIT_FLAG_KEY,
+    defaultEnabled: false,
   },
   {
     name: "isCesManagedSidecarEnabled",
     fn: isCesManagedSidecarEnabled,
     key: CES_MANAGED_SIDECAR_FLAG_KEY,
+    defaultEnabled: true,
   },
 ] as const;
 
@@ -92,21 +101,23 @@ describe("CES flag key format", () => {
 });
 
 // ---------------------------------------------------------------------------
-// Default-safe: all CES flags disabled by default
+// Defaults: each CES flag matches its registry-declared default
 // ---------------------------------------------------------------------------
 
-describe("CES flags default safely (all disabled)", () => {
-  for (const { name, fn } of ALL_CES_PREDICATES) {
-    test(`${name} returns false with no config overrides`, () => {
+describe("CES flags match registry defaults", () => {
+  for (const { name, fn, defaultEnabled } of ALL_CES_PREDICATES) {
+    test(`${name} returns ${defaultEnabled} with no config overrides`, () => {
       const config = makeConfig();
-      expect(fn(config)).toBe(false);
+      expect(fn(config)).toBe(defaultEnabled);
     });
   }
 
-  for (const key of ALL_CES_FLAG_KEYS) {
-    test(`isAssistantFeatureFlagEnabled('${key}') returns false with no overrides`, () => {
+  for (const pred of ALL_CES_PREDICATES) {
+    test(`isAssistantFeatureFlagEnabled('${pred.key}') returns ${pred.defaultEnabled} with no overrides`, () => {
       const config = makeConfig();
-      expect(isAssistantFeatureFlagEnabled(key, config)).toBe(false);
+      expect(isAssistantFeatureFlagEnabled(pred.key, config)).toBe(
+        pred.defaultEnabled,
+      );
     });
   }
 });
@@ -115,7 +126,7 @@ describe("CES flags default safely (all disabled)", () => {
 // Independent enablement: each flag can be enabled without affecting others
 // ---------------------------------------------------------------------------
 
-describe("CES flags can be enabled independently", () => {
+describe("CES flags can be toggled independently", () => {
   for (const { name, fn, key } of ALL_CES_PREDICATES) {
     test(`enabling ${key} makes ${name} return true`, () => {
       _setOverridesForTesting({ [key]: true });
@@ -123,12 +134,16 @@ describe("CES flags can be enabled independently", () => {
       expect(fn(config)).toBe(true);
     });
 
-    test(`enabling ${key} does not enable other CES flags`, () => {
+    test(`enabling ${key} does not change other CES flags from their defaults`, () => {
       _setOverridesForTesting({ [key]: true });
       const config = makeConfig();
-      for (const { fn: otherFn, key: otherKey } of ALL_CES_PREDICATES) {
+      for (const {
+        fn: otherFn,
+        key: otherKey,
+        defaultEnabled,
+      } of ALL_CES_PREDICATES) {
         if (otherKey === key) continue;
-        expect(otherFn(config)).toBe(false);
+        expect(otherFn(config)).toBe(defaultEnabled);
       }
     });
   }

package/src/__tests__/credential-execution-managed-contract.test.ts

@@ -446,9 +446,9 @@ describe("managed OAuth materialization through CES sidecar", () => {
 // ---------------------------------------------------------------------------
 
 describe("feature-flag rollback safety", () => {
-  test("managed sidecar flag defaults to false (safe dark-launch)", () => {
+  test("managed sidecar flag defaults to true (enabled by default)", () => {
     const config = makeConfig();
-    expect(isCesManagedSidecarEnabled(config)).toBe(false);
+    expect(isCesManagedSidecarEnabled(config)).toBe(true);
   });
 
   test("managed sidecar flag can be explicitly enabled", () => {

package/src/__tests__/credential-security-e2e.test.ts

@@ -66,7 +66,7 @@ mock.module("../security/secure-keys.js", () => {
     setSecureKeyAsync: async (key: string, value: string) =>
       syncSet(key, value),
     deleteSecureKeyAsync: async (key: string) => syncDelete(key),
-    listSecureKeysAsync: async () => [...storedKeys.keys()],
+    listSecureKeysAsync: async () => ({ accounts: [...storedKeys.keys()], unreachable: false }),
   };
 });
 

package/src/__tests__/credential-security-invariants.test.ts

@@ -180,8 +180,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "calls/twilio-rest.ts", // Twilio REST API credential lookup
       "calls/fish-audio-client.ts", // Fish Audio TTS API key lookup
       "runtime/channel-invite-transports/telegram.ts", // Telegram invite transport bot token lookup
-      "cli/commands/keys.ts", // CLI credential management commands
-      "cli/commands/credentials.ts", // CLI credential management commands
+      "cli/lib/daemon-credential-client.ts", // CLI-to-daemon credential routing intermediary
       "messaging/providers/telegram-bot/adapter.ts", // Telegram bot token lookup for connectivity check
       "runtime/channel-readiness-service.ts", // channel readiness probes for Telegram connectivity
       "messaging/providers/whatsapp/adapter.ts", // WhatsApp credential lookup for connectivity check
@@ -198,9 +197,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "daemon/conversation-messaging.ts", // credential storage during session messaging
       "runtime/routes/settings-routes.ts", // settings routes OAuth credential lookup (client_secret)
       "oauth/oauth-store.ts", // OAuth provider disconnect (delete stored tokens)
-      "cli/commands/oauth/connections.ts", // CLI OAuth connection delete (legacy credential cleanup)
       "oauth/manual-token-connection.ts", // manual-token provider backfill (keychain credential existence check)
-      "cli/commands/doctor.ts", // CLI diagnostic API key verification via secure storage
       "workspace/provider-commit-message-generator.ts", // commit message generation provider key lookup
       "config/bundled-skills/transcribe/tools/transcribe-media.ts", // transcription tool API key lookup
       "config/bundled-skills/image-studio/tools/media-generate-image.ts", // image generation tool API key lookup
@@ -213,7 +210,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "memory/embedding-backend.ts", // embedding backend API key lookup
       "daemon/providers-setup.ts", // provider initialization API key lookup
       "workspace/migrations/006-services-config.ts", // services config migration reads provider API keys
-      "cli/commands/avatar.ts", // CLI avatar generation API key lookup
+      "workspace/migrations/018-rekey-compound-credential-keys.ts", // re-key compound credential storage keys
       "config/bundled-skills/slack/tools/shared.ts", // Slack skill bot token lookup
       "daemon/conversation-process.ts", // masked provider key display
       "daemon/handlers/config-model.ts", // masked provider key display

package/src/__tests__/credentials-cli.test.ts

@@ -40,9 +40,10 @@ mock.module("../security/secure-keys.js", () => ({
     }
     return "not-found";
   },
-  listSecureKeysAsync: async (): Promise<string[]> => {
-    return [...secureKeyStore.keys()];
-  },
+  listSecureKeysAsync: async () => ({
+    accounts: [...secureKeyStore.keys()],
+    unreachable: false,
+  }),
   getSecureKeyAsync: async (account: string): Promise<string | undefined> => {
     return secureKeyStore.get(account);
   },