@vellumai/assistant 0.5.7 → 0.5.8

package/src/calls/twilio-routes.ts

@@ -26,6 +26,7 @@ import {
   releaseCallbackClaim,
   updateCallSession,
 } from "./call-store.js";
+import { resolveCallHints } from "./stt-hints.js";
 import type { CallStatus } from "./types.js";
 import { resolveVoiceQualityProfile } from "./voice-quality.js";
 
@@ -52,9 +53,11 @@ export function generateTwiML(
     speechModel?: string;
     ttsProvider: string;
     voice: string;
+    interruptSensitivity: string;
   },
   relayToken?: string,
   customParameters?: Record<string, string>,
+  hints?: string,
 ): string {
   const greetingAttr =
     welcomeGreeting && welcomeGreeting.trim().length > 0
@@ -96,6 +99,7 @@ ${greetingAttr}
       ttsProvider="${escapeXml(profile.ttsProvider)}"
       interruptible="true"
       dtmfDetection="true"
+      interruptSensitivity="${escapeXml(profile.interruptSensitivity)}"${hints ? `\n      hints="${escapeXml(hints)}"` : ""}
     ${relayClose}
   </Connect>
 </Response>`;
@@ -180,7 +184,14 @@ export async function handleVoiceWebhook(req: Request): Promise<Response> {
 
     return buildVoiceWebhookTwiml(
       session.id,
-      session.task,
+      {
+        task: session.task,
+        toNumber: callerTo,
+        fromNumber: callerFrom,
+        direction: "inbound",
+        inviteFriendName: null,
+        inviteGuardianName: null,
+      },
       session.verificationSessionId,
     );
   }
@@ -208,7 +219,14 @@ export async function handleVoiceWebhook(req: Request): Promise<Response> {
 
   return buildVoiceWebhookTwiml(
     callSessionId,
-    session.task,
+    {
+      task: session.task,
+      toNumber: session.toNumber,
+      fromNumber: session.fromNumber,
+      direction: "outbound",
+      inviteFriendName: session.inviteFriendName,
+      inviteGuardianName: session.inviteGuardianName,
+    },
     session.verificationSessionId,
   );
 }
@@ -225,18 +243,27 @@ export async function handleVoiceWebhook(req: Request): Promise<Response> {
  */
 function buildVoiceWebhookTwiml(
   callSessionId: string,
-  task: string | null,
+  sessionContext: {
+    task: string | null;
+    toNumber: string;
+    fromNumber: string;
+    direction: "inbound" | "outbound";
+    inviteFriendName: string | null;
+    inviteGuardianName: string | null;
+  } | null,
   verificationSessionId?: string | null,
 ): Response {
   const profile = resolveVoiceQualityProfile(loadConfig());
 
+  const hints = resolveCallHints(sessionContext, profile.hints);
+
   log.info(
     { callSessionId, ttsProvider: profile.ttsProvider, voice: profile.voice },
     "Voice quality profile resolved",
   );
 
   const relayUrl = getTwilioRelayUrl(loadConfig());
-  const welcomeGreeting = buildWelcomeGreeting(task);
+  const welcomeGreeting = buildWelcomeGreeting(sessionContext?.task ?? null);
 
   const relayToken = mintEdgeRelayToken();
 
@@ -253,6 +280,7 @@ function buildVoiceWebhookTwiml(
     profile,
     relayToken,
     customParameters,
+    hints || undefined,
   );
 
   log.info({ callSessionId }, "Returning ConversationRelay TwiML");

package/src/calls/voice-quality.ts

@@ -6,6 +6,8 @@ export interface VoiceQualityProfile {
   speechModel?: string;
   ttsProvider: string;
   voice: string;
+  interruptSensitivity: string;
+  hints: string[];
 }
 
 /**
@@ -59,14 +61,24 @@ export function resolveVoiceQualityProfile(
   const voice = cfg.calls.voice;
   const configuredTts = voice.ttsProvider ?? "elevenlabs";
   const fishAudio = configuredTts === "fish-audio";
+  const isGoogle = voice.transcriptionProvider === "Google";
+  // Treat the legacy Deepgram default ("nova-3") as unset when provider is
+  // Google — upgraded workspaces may still have it persisted from prior defaults.
+  const effectiveSpeechModel =
+    voice.speechModel == null ||
+    (voice.speechModel === "nova-3" && isGoogle)
+      ? isGoogle
+        ? undefined
+        : "nova-3"
+      : voice.speechModel;
   return {
     language: voice.language,
     transcriptionProvider: voice.transcriptionProvider,
-    speechModel:
-      voice.speechModel ??
-      (voice.transcriptionProvider === "Google" ? undefined : "nova-3"),
+    speechModel: effectiveSpeechModel,
     ttsProvider: fishAudio ? "Google" : "ElevenLabs",
     voice: fishAudio ? "" : buildElevenLabsVoiceSpec(cfg.elevenlabs),
+    interruptSensitivity: voice.interruptSensitivity ?? "low",
+    hints: voice.hints ?? [],
   };
 }
 

package/src/calls/voice-session-bridge.ts

@@ -212,6 +212,7 @@ function buildVoiceCallControlPrompt(opts: {
   lines.push(
     "9. After the opening greeting turn, treat the Task field as background context only — do not re-execute its instructions on subsequent turns.",
     '10. Do not make up information. If you are unsure, use [ASK_GUARDIAN: your question] to consult your guardian. For tool permission requests, use [ASK_GUARDIAN_APPROVAL: {"question":"...","toolName":"...","input":{...}}].',
+    `11. Your text is sent directly to a text-to-speech engine. Never use markdown formatting (asterisks, headers, backticks, links) or emojis in your spoken responses. Write plain conversational text only. Protocol markers like ${opts.isCallerGuardian ? "[END_CALL]" : "[ASK_GUARDIAN: ...] and [END_CALL]"} are not spoken text and should still be used normally.`,
     "</voice_call_control>",
   );
 

package/src/cli/commands/avatar.ts

@@ -11,9 +11,9 @@ import {
 } from "../../avatar/traits-png-sync.js";
 import { setPlatformBaseUrl } from "../../config/env.js";
 import { credentialKey } from "../../security/credential-key.js";
-import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import { generateAndSaveAvatar } from "../../tools/system/avatar-generator.js";
 import { getWorkspaceDir } from "../../util/platform.js";
+import { getSecureKeyViaDaemon } from "../lib/daemon-credential-client.js";
 import { log } from "../logger.js";
 import { writeOutput } from "../output.js";
 
@@ -74,7 +74,7 @@ Examples:
       // without the daemon's in-memory state.
       try {
         const key = credentialKey("vellum", "platform_base_url");
-        const persisted = await getSecureKeyAsync(key);
+        const persisted = await getSecureKeyViaDaemon(key);
         if (persisted) {
           setPlatformBaseUrl(persisted);
         }

package/src/cli/commands/credentials.ts

@@ -12,12 +12,6 @@ import {
   type OAuthConnectionRow,
 } from "../../oauth/oauth-store.js";
 import { credentialKey } from "../../security/credential-key.js";
-import {
-  deleteSecureKeyAsync,
-  getSecureKeyAsync,
-  getSecureKeyResultAsync,
-  setSecureKeyAsync,
-} from "../../security/secure-keys.js";
 import {
   assertMetadataWritable,
   type CredentialMetadata,
@@ -27,9 +21,33 @@ import {
   listCredentialMetadata,
   upsertCredentialMetadata,
 } from "../../tools/credentials/metadata-store.js";
+import {
+  deleteSecureKeyViaDaemon,
+  getSecureKeyResultViaDaemon,
+  getSecureKeyViaDaemon,
+  setSecureKeyViaDaemon,
+} from "../lib/daemon-credential-client.js";
 import { log } from "../logger.js";
 import { shouldOutputJson, writeOutput } from "../output.js";
 
+// ---------------------------------------------------------------------------
+// Format-aware error output
+// ---------------------------------------------------------------------------
+
+/**
+ * Write an error message respecting the output format. In JSON mode, emit a
+ * structured `{ ok: false, error }` object to stdout. In human mode, write
+ * plain text to stderr so the assistant (LLM) doesn't receive JSON that it
+ * might misinterpret as data.
+ */
+function writeError(cmd: Command, message: string): void {
+  if (shouldOutputJson(cmd)) {
+    writeOutput(cmd, { ok: false, error: message });
+  } else {
+    process.stderr.write(`Error: ${message}\n`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // CES shell lockdown guard
 // ---------------------------------------------------------------------------
@@ -310,7 +328,7 @@ Examples:
 
         const credentials = await Promise.all(
           allMetadata.map(async (m) => {
-            const secret = await getSecureKeyAsync(
+            const secret = await getSecureKeyViaDaemon(
               credentialKey(m.service, m.field),
             );
             const connection = connectionsByProvider.get(m.service);
@@ -336,13 +354,13 @@ Examples:
           managedOutputs = descriptors.map(buildManagedCredentialOutput);
         }
 
-        writeOutput(cmd, {
-          ok: true,
-          credentials,
-          managedCredentials: managedOutputs,
-        });
-
-        if (!shouldOutputJson(cmd)) {
+        if (shouldOutputJson(cmd)) {
+          writeOutput(cmd, {
+            ok: true,
+            credentials,
+            managedCredentials: managedOutputs,
+          });
+        } else {
           const totalCount = credentials.length + managedOutputs.length;
           if (totalCount === 0) {
             log.info("No credentials found");
@@ -367,7 +385,7 @@ Examples:
         }
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
+        writeError(cmd, message);
         process.exitCode = 1;
       }
     });
@@ -418,16 +436,16 @@ Examples:
       ) => {
         try {
           const { service, field } = opts;
-          const storageKey = credentialKey(service, field);
 
           assertMetadataWritable();
 
-          const stored = await setSecureKeyAsync(storageKey, value);
+          const stored = await setSecureKeyViaDaemon(
+            "credential",
+            `${service}:${field}`,
+            value,
+          );
           if (!stored) {
-            writeOutput(cmd, {
-              ok: false,
-              error: `Failed to store secret for ${service}:${field}`,
-            });
+            writeError(cmd, `Failed to store secret for ${service}:${field}`);
             process.exitCode = 1;
             return;
           }
@@ -443,21 +461,21 @@ Examples:
           });
           await syncManualTokenConnection(service);
 
-          writeOutput(cmd, {
-            ok: true,
-            credentialId: metadata.credentialId,
-            service,
-            field,
-          });
-
-          if (!shouldOutputJson(cmd)) {
+          if (shouldOutputJson(cmd)) {
+            writeOutput(cmd, {
+              ok: true,
+              credentialId: metadata.credentialId,
+              service,
+              field,
+            });
+          } else {
             log.info(
               `Stored credential ${service}:${field} (${metadata.credentialId})`,
             );
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
-          writeOutput(cmd, { ok: false, error: message });
+          writeError(cmd, message);
           process.exitCode = 1;
         }
       },
@@ -485,16 +503,18 @@ Examples:
     .action(async (opts: { service: string; field: string }, cmd: Command) => {
       try {
         const { service, field } = opts;
-        const storageKey = credentialKey(service, field);
 
         assertMetadataWritable();
 
-        const secretResult = await deleteSecureKeyAsync(storageKey);
+        const secretResult = await deleteSecureKeyViaDaemon(
+          "credential",
+          `${service}:${field}`,
+        );
         if (secretResult === "error") {
-          writeOutput(cmd, {
-            ok: false,
-            error: "Failed to delete credential from secure storage",
-          });
+          writeError(
+            cmd,
+            "Failed to delete credential from secure storage",
+          );
           process.exitCode = 1;
           return;
         }
@@ -511,10 +531,10 @@ Examples:
         }
 
         if (oauthResult === "error") {
-          writeOutput(cmd, {
-            ok: false,
-            error: "Failed to disconnect OAuth provider — please try again",
-          });
+          writeError(
+            cmd,
+            "Failed to disconnect OAuth provider — please try again",
+          );
           process.exitCode = 1;
           return;
         }
@@ -524,19 +544,19 @@ Examples:
           !metadataDeleted &&
           oauthResult !== "disconnected"
         ) {
-          writeOutput(cmd, { ok: false, error: "Credential not found" });
+          writeError(cmd, "Credential not found");
           process.exitCode = 1;
           return;
         }
 
-        writeOutput(cmd, { ok: true, service, field });
-
-        if (!shouldOutputJson(cmd)) {
+        if (shouldOutputJson(cmd)) {
+          writeOutput(cmd, { ok: true, service, field });
+        } else {
           log.info(`Deleted credential ${service}:${field}`);
         }
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
+        writeError(cmd, message);
         process.exitCode = 1;
       }
     });
@@ -595,32 +615,30 @@ Examples:
               field = metadata.field;
             } else {
               // No metadata found by UUID, and we can't determine the storage key
-              writeOutput(cmd, { ok: false, error: "Credential not found" });
+              writeError(cmd, "Credential not found");
               process.exitCode = 1;
               return;
             }
           } else {
-            writeOutput(cmd, {
-              ok: false,
-              error:
-                "Either --service and --field flags or a credential UUID is required",
-            });
+            writeError(
+              cmd,
+              "Either --service and --field flags or a credential UUID is required",
+            );
             process.exitCode = 1;
             return;
           }
 
           const { value: secret, unreachable } =
-            await getSecureKeyResultAsync(storageKey);
+            await getSecureKeyResultViaDaemon(storageKey);
 
           if (!metadata && (secret == null || secret.length === 0)) {
             if (unreachable) {
-              writeOutput(cmd, {
-                ok: false,
-                error:
-                  "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
-              });
+              writeError(
+                cmd,
+                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+              );
             } else {
-              writeOutput(cmd, { ok: false, error: "Credential not found" });
+              writeError(cmd, "Credential not found");
             }
             process.exitCode = 1;
             return;
@@ -630,23 +648,23 @@ Examples:
           // This can happen if someone stored a key directly without going through the
           // credential set command. Build a minimal output in that case.
           if (!metadata) {
-            writeOutput(cmd, {
-              ok: true,
-              service: service,
-              field: field,
-              credentialId: null,
-              scrubbedValue: scrubSecret(secret),
-              hasSecret: secret != null && secret.length > 0,
-              alias: null,
-              usageDescription: null,
-              allowedTools: [],
-              allowedDomains: [],
-              createdAt: null,
-              updatedAt: null,
-              injectionTemplateCount: 0,
-            });
-
-            if (!shouldOutputJson(cmd)) {
+            if (shouldOutputJson(cmd)) {
+              writeOutput(cmd, {
+                ok: true,
+                service: service,
+                field: field,
+                credentialId: null,
+                scrubbedValue: scrubSecret(secret),
+                hasSecret: secret != null && secret.length > 0,
+                alias: null,
+                usageDescription: null,
+                allowedTools: [],
+                allowedDomains: [],
+                createdAt: null,
+                updatedAt: null,
+                injectionTemplateCount: 0,
+              });
+            } else {
               log.info(`  ${service}:${field}`);
               log.info(`    Value:       ${scrubSecret(secret)}`);
               log.info("    (no metadata record)");
@@ -662,9 +680,9 @@ Examples:
             output.brokerUnreachable = true;
           }
 
-          writeOutput(cmd, output);
-
-          if (!shouldOutputJson(cmd)) {
+          if (shouldOutputJson(cmd)) {
+            writeOutput(cmd, output);
+          } else {
             printCredentialHuman(output);
             if (unreachable && (secret == null || secret.length === 0)) {
               log.info(
@@ -674,7 +692,7 @@ Examples:
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
-          writeOutput(cmd, { ok: false, error: message });
+          writeError(cmd, message);
           process.exitCode = 1;
         }
       },
@@ -718,7 +736,7 @@ Examples:
         try {
           // CES shell lockdown: deny raw secret reveal in untrusted shells.
           if (isUntrustedShell()) {
-            writeOutput(cmd, { ok: false, error: UNTRUSTED_SHELL_ERROR });
+            writeError(cmd, UNTRUSTED_SHELL_ERROR);
             process.exitCode = 1;
             return;
           }
@@ -732,32 +750,30 @@ Examples:
             if (metadata) {
               storageKey = credentialKey(metadata.service, metadata.field);
             } else {
-              writeOutput(cmd, { ok: false, error: "Credential not found" });
+              writeError(cmd, "Credential not found");
               process.exitCode = 1;
               return;
             }
           } else {
-            writeOutput(cmd, {
-              ok: false,
-              error:
-                "Either --service and --field flags or a credential UUID is required",
-            });
+            writeError(
+              cmd,
+              "Either --service and --field flags or a credential UUID is required",
+            );
             process.exitCode = 1;
             return;
           }
 
           const { value: secret, unreachable } =
-            await getSecureKeyResultAsync(storageKey);
+            await getSecureKeyResultViaDaemon(storageKey);
 
           if (secret == null || secret.length === 0) {
             if (unreachable) {
-              writeOutput(cmd, {
-                ok: false,
-                error:
-                  "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
-              });
+              writeError(
+                cmd,
+                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+              );
             } else {
-              writeOutput(cmd, { ok: false, error: "Credential not found" });
+              writeError(cmd, "Credential not found");
             }
             process.exitCode = 1;
             return;
@@ -770,7 +786,7 @@ Examples:
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
-          writeOutput(cmd, { ok: false, error: message });
+          writeError(cmd, message);
           process.exitCode = 1;
         }
       },

package/src/cli/commands/doctor.ts

@@ -7,7 +7,6 @@ import { getRuntimeHttpPort } from "../../config/env.js";
 import { loadRawConfig } from "../../config/loader.js";
 import { shouldAutoStartDaemon } from "../../daemon/connection-policy.js";
 import { isHttpHealthy } from "../../daemon/daemon-control.js";
-import { getProviderKeyAsync } from "../../security/secure-keys.js";
 import {
   getDbPath,
   getHooksDir,
@@ -16,6 +15,7 @@ import {
   getWorkspaceDir,
   getWorkspaceSkillsDir,
 } from "../../util/platform.js";
+import { getProviderKeyViaDaemon } from "../lib/daemon-credential-client.js";
 import { log } from "../logger.js";
 
 export function registerDoctorCommand(program: Command): void {
@@ -81,7 +81,7 @@ Examples:
         typeof rawInferenceProvider === "string"
           ? rawInferenceProvider
           : "anthropic";
-      const configKey = await getProviderKeyAsync(provider);
+      const configKey = await getProviderKeyViaDaemon(provider);
 
       if (provider === "ollama") {
         pass("Provider configured (Ollama; API key optional)");

package/src/cli/commands/keys.ts

@@ -2,10 +2,10 @@ import type { Command } from "commander";
 
 import { API_KEY_PROVIDERS } from "../../config/loader.js";
 import {
-  deleteSecureKeyAsync,
-  getSecureKeyAsync,
-  setSecureKeyAsync,
-} from "../../security/secure-keys.js";
+  deleteSecureKeyViaDaemon,
+  getSecureKeyViaDaemon,
+  setSecureKeyViaDaemon,
+} from "../lib/daemon-credential-client.js";
 import { log } from "../logger.js";
 
 // ---------------------------------------------------------------------------
@@ -61,7 +61,7 @@ Examples:
     .action(async () => {
       const stored: string[] = [];
       for (const provider of API_KEY_PROVIDERS) {
-        const value = await getSecureKeyAsync(provider);
+        const value = await getSecureKeyViaDaemon(provider);
         if (value) stored.push(provider);
       }
       if (stored.length === 0) {
@@ -99,7 +99,7 @@ Examples:
         process.exit(1);
       }
 
-      if (await setSecureKeyAsync(provider, key)) {
+      if (await setSecureKeyViaDaemon("api_key", provider, key)) {
         log.info(`Stored API key for "${provider}"`);
       } else {
         log.error(`Failed to store API key for "${provider}"`);
@@ -130,7 +130,7 @@ Examples:
         process.exit(1);
       }
 
-      const result = await deleteSecureKeyAsync(provider);
+      const result = await deleteSecureKeyViaDaemon("api_key", provider);
       if (result === "deleted") {
         log.info(`Deleted API key for "${provider}"`);
       } else if (result === "error") {

package/src/cli/commands/memory.ts

@@ -183,7 +183,7 @@ Examples:
         log.info(`Memory degraded: ${result.reason ?? "unknown reason"}`);
       }
       log.info(`Semantic hits: ${result.semanticHits}`);
-      log.info(`Recency hits: ${result.recencyHits}`);
+      log.info("Recency hits: 0");
       log.info(`Injected tokens: ${result.injectedTokens}`);
       log.info(`Latency: ${result.latencyMs}ms`);
       if (result.injectedText.length > 0) {