@vellumai/assistant 0.5.7 → 0.5.8

package/src/runtime/routes/secret-routes.ts

@@ -20,7 +20,10 @@ import { initializeProviders } from "../../providers/registry.js";
 import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
+  getActiveBackendName,
   getSecureKeyAsync,
+  getSecureKeyResultAsync,
+  listSecureKeysAsync,
   setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import {
@@ -103,11 +106,16 @@ export async function handleAddSecret(
   req: Request,
   getCesClient?: () => CesClient | undefined,
 ): Promise<Response> {
-  const body = (await req.json()) as {
-    type?: string;
-    name?: string;
-    value?: string;
-  };
+  let body: { type?: string; name?: string; value?: string };
+  try {
+    body = (await req.json()) as {
+      type?: string;
+      name?: string;
+      value?: string;
+    };
+  } catch {
+    return httpError("BAD_REQUEST", "Request body must be valid JSON", 400);
+  }
 
   const { type, name, value } = body;
 
@@ -178,7 +186,7 @@ export async function handleAddSecret(
       if (!stored) {
         return httpError(
           "INTERNAL_ERROR",
-          "Failed to store API key in secure storage",
+          `Failed to store API key in secure storage (backend: ${getActiveBackendName()})`,
           500,
         );
       }
@@ -190,7 +198,7 @@ export async function handleAddSecret(
     }
 
     if (type === "credential") {
-      const colonIdx = name.indexOf(":");
+      const colonIdx = name.lastIndexOf(":");
       if (colonIdx < 1 || colonIdx === name.length - 1) {
         return httpError(
           "BAD_REQUEST",
@@ -243,7 +251,7 @@ export async function handleAddSecret(
         if (!stored) {
           return httpError(
             "INTERNAL_ERROR",
-            "Failed to store credential in secure storage",
+            `Failed to store credential in secure storage (backend: ${getActiveBackendName()})`,
             500,
           );
         }
@@ -308,12 +316,90 @@ export async function handleAddSecret(
   }
 }
 
-export async function handleDeleteSecret(req: Request): Promise<Response> {
+export async function handleReadSecret(req: Request): Promise<Response> {
   const body = (await req.json()) as {
     type?: string;
     name?: string;
+    reveal?: boolean;
   };
 
+  const { type, name, reveal } = body;
+
+  if (!type || typeof type !== "string") {
+    return httpError("BAD_REQUEST", "type is required", 400);
+  }
+  if (!name || typeof name !== "string") {
+    return httpError("BAD_REQUEST", "name is required", 400);
+  }
+
+  try {
+    let accountKey: string;
+
+    if (type === "api_key") {
+      if (
+        !API_KEY_PROVIDERS.includes(name as (typeof API_KEY_PROVIDERS)[number])
+      ) {
+        return httpError(
+          "BAD_REQUEST",
+          `Unknown API key provider: ${name}. Valid providers: ${API_KEY_PROVIDERS.join(
+            ", ",
+          )}`,
+          400,
+        );
+      }
+      accountKey = name;
+    } else if (type === "credential") {
+      const colonIdx = name.lastIndexOf(":");
+      if (colonIdx < 1 || colonIdx === name.length - 1) {
+        return httpError(
+          "BAD_REQUEST",
+          'For credential type, name must be in "service:field" format (e.g. "github:api_token")',
+          400,
+        );
+      }
+      const service = name.slice(0, colonIdx);
+      const field = name.slice(colonIdx + 1);
+      accountKey = credentialKey(service, field);
+    } else {
+      return httpError(
+        "BAD_REQUEST",
+        `Unknown secret type: ${type}. Valid types: api_key, credential`,
+        400,
+      );
+    }
+
+    const { value, unreachable } = await getSecureKeyResultAsync(accountKey);
+    if (value === undefined) {
+      return Response.json({ found: false, unreachable });
+    }
+
+    if (reveal) {
+      return Response.json({ found: true, value, unreachable: false });
+    }
+
+    // Mask the value: show first 10 chars and last 4, hiding at least 3
+    const minHidden = 3;
+    const maxVisible = Math.max(1, value.length - minHidden);
+    const prefixLen = Math.min(10, maxVisible);
+    const suffixLen = Math.min(4, Math.max(0, maxVisible - prefixLen));
+    const masked = `${value.slice(0, prefixLen)}...${suffixLen > 0 ? value.slice(-suffixLen) : ""}`;
+
+    return Response.json({ found: true, masked, unreachable: false });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err, type, name }, "Failed to read secret via HTTP");
+    return httpError("INTERNAL_ERROR", message, 500);
+  }
+}
+
+export async function handleDeleteSecret(req: Request): Promise<Response> {
+  let body: { type?: string; name?: string };
+  try {
+    body = (await req.json()) as { type?: string; name?: string };
+  } catch {
+    return httpError("BAD_REQUEST", "Request body must be valid JSON", 400);
+  }
+
   const { type, name } = body;
 
   if (!type || typeof type !== "string") {
@@ -358,7 +444,7 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
     }
 
     if (type === "credential") {
-      const colonIdx = name.indexOf(":");
+      const colonIdx = name.lastIndexOf(":");
       if (colonIdx < 1 || colonIdx === name.length - 1) {
         return httpError(
           "BAD_REQUEST",
@@ -418,6 +504,41 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
   }
 }
 
+const CREDENTIAL_KEY_PREFIX = "credential/";
+
+export async function handleListSecrets(): Promise<Response> {
+  try {
+    const { accounts, unreachable } = await listSecureKeysAsync();
+    if (unreachable) {
+      return Response.json(
+        { error: "Credential store is unreachable" },
+        { status: 503 },
+      );
+    }
+
+    const secrets = accounts.map((account) => {
+      if (account.startsWith(CREDENTIAL_KEY_PREFIX)) {
+        // credential/{service}/{field} → service:field
+        const rest = account.slice(CREDENTIAL_KEY_PREFIX.length);
+        const slashIdx = rest.indexOf("/");
+        if (slashIdx > 0 && slashIdx < rest.length - 1) {
+          return {
+            type: "credential" as const,
+            name: `${rest.slice(0, slashIdx)}:${rest.slice(slashIdx + 1)}`,
+          };
+        }
+      }
+      // API key providers are stored with their raw provider name
+      return { type: "api_key" as const, name: account };
+    });
+
+    return Response.json({ secrets });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return httpError("INTERNAL_ERROR", message, 500);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Route definitions
 // ---------------------------------------------------------------------------
@@ -441,5 +562,15 @@ export function secretRouteDefinitions(
       method: "DELETE",
       handler: async ({ req }) => handleDeleteSecret(req),
     },
+    {
+      endpoint: "secrets",
+      method: "GET",
+      handler: async () => handleListSecrets(),
+    },
+    {
+      endpoint: "secrets/read",
+      method: "POST",
+      handler: async ({ req }) => handleReadSecret(req),
+    },
   ];
 }

package/src/runtime/routes/tts-routes.ts

@@ -8,6 +8,7 @@
  */
 
 import { synthesizeWithFishAudio } from "../../calls/fish-audio-client.js";
+import { sanitizeForTts } from "../../calls/tts-text-sanitizer.js";
 import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
 import { getConfig } from "../../config/loader.js";
 import { getMessageContent } from "../../daemon/handlers/conversation-history.js";
@@ -49,6 +50,15 @@ export function ttsRouteDefinitions(): RouteDefinition[] {
           return httpError("BAD_REQUEST", "Message has no text content", 400);
         }
 
+        const sanitizedText = sanitizeForTts(result.text);
+        if (!sanitizedText.trim()) {
+          return httpError(
+            "BAD_REQUEST",
+            "Message has no speakable text content",
+            400,
+          );
+        }
+
         const { fishAudio } = config;
         if (!fishAudio?.referenceId) {
           return httpError(
@@ -60,7 +70,7 @@ export function ttsRouteDefinitions(): RouteDefinition[] {
 
         try {
           const audioBuffer = await synthesizeWithFishAudio(
-            result.text,
+            sanitizedText,
             fishAudio,
           );
 

package/src/security/ces-credential-client.ts

@@ -19,6 +19,7 @@ import { getLogger } from "../util/logger.js";
 import type {
   CredentialBackend,
   CredentialGetResult,
+  CredentialListResult,
   DeleteResult,
 } from "./credential-backend.js";
 
@@ -51,7 +52,13 @@ async function cesRequest(
 ): Promise<Response | null> {
   const baseUrl = getBaseUrl();
   const token = getServiceToken();
-  if (!baseUrl || !token) return null;
+  if (!baseUrl || !token) {
+    log.warn(
+      { method, path, hasBaseUrl: !!baseUrl, hasToken: !!token },
+      "CES credential request skipped — missing config",
+    );
+    return null;
+  }
 
   const url = `${baseUrl.replace(/\/+$/, "")}${path}`;
   const headers: Record<string, string> = {
@@ -128,16 +135,17 @@ export class CesCredentialBackend implements CredentialBackend {
           return false;
         }
         if (!res.ok) {
+          const detail = await res.text().catch(() => "");
           if (attempt < SET_MAX_RETRIES - 1) {
             log.warn(
-              { account, status: res.status, attempt },
+              { account, status: res.status, detail, attempt },
               "CES credential set returned non-OK status, retrying",
             );
             await new Promise((r) => setTimeout(r, SET_RETRY_DELAY_MS));
             continue;
           }
           log.warn(
-            { account, status: res.status },
+            { account, status: res.status, detail },
             "CES credential set returned non-OK status",
           );
           return false;
@@ -168,8 +176,9 @@ export class CesCredentialBackend implements CredentialBackend {
       if (!res) return "error";
       if (res.status === 404) return "not-found";
       if (!res.ok) {
+        const detail = await res.text().catch(() => "");
         log.warn(
-          { account, status: res.status },
+          { account, status: res.status, detail },
           "CES credential delete returned non-OK status",
         );
         return "error";
@@ -181,22 +190,22 @@ export class CesCredentialBackend implements CredentialBackend {
     }
   }
 
-  async list(): Promise<string[]> {
+  async list(): Promise<CredentialListResult> {
     try {
       const res = await cesRequest("GET", "/v1/credentials");
-      if (!res) return [];
+      if (!res) return { accounts: [], unreachable: true };
       if (!res.ok) {
         log.warn(
           { status: res.status },
           "CES credential list returned non-OK status",
         );
-        return [];
+        return { accounts: [], unreachable: true };
       }
       const data = (await res.json()) as { accounts?: string[] };
-      return data.accounts ?? [];
+      return { accounts: data.accounts ?? [], unreachable: false };
     } catch (err) {
       log.warn({ err }, "CES credential list threw unexpectedly");
-      return [];
+      return { accounts: [], unreachable: true };
     }
   }
 }

package/src/security/ces-rpc-credential-backend.ts

@@ -14,6 +14,7 @@ import { getLogger } from "../util/logger.js";
 import type {
   CredentialBackend,
   CredentialGetResult,
+  CredentialListResult,
   DeleteResult,
 } from "./credential-backend.js";
 
@@ -70,16 +71,16 @@ export class CesRpcCredentialBackend implements CredentialBackend {
     }
   }
 
-  async list(): Promise<string[]> {
+  async list(): Promise<CredentialListResult> {
     try {
       const result = await this.client.call(
         CesRpcMethod.ListCredentials,
         {},
       );
-      return result.accounts;
+      return { accounts: result.accounts, unreachable: false };
     } catch (err) {
       log.warn({ err }, "CES RPC credential list failed");
-      return [];
+      return { accounts: [], unreachable: true };
     }
   }
 }

package/src/security/credential-backend.ts

@@ -19,6 +19,12 @@ export interface CredentialGetResult {
   unreachable: boolean;
 }
 
+/** Result of a list operation — distinguishes unreachable from empty. */
+export interface CredentialListResult {
+  accounts: string[];
+  unreachable: boolean;
+}
+
 // ---------------------------------------------------------------------------
 // Interface
 // ---------------------------------------------------------------------------
@@ -40,7 +46,7 @@ export interface CredentialBackend {
   delete(account: string): Promise<DeleteResult>;
 
   /** List all account names. */
-  list(): Promise<string[]>;
+  list(): Promise<CredentialListResult>;
 }
 
 // ---------------------------------------------------------------------------
@@ -78,11 +84,11 @@ export class EncryptedStoreBackend implements CredentialBackend {
     }
   }
 
-  async list(): Promise<string[]> {
+  async list(): Promise<CredentialListResult> {
     try {
-      return encryptedStore.listKeys();
+      return { accounts: encryptedStore.listKeys(), unreachable: false };
     } catch {
-      return [];
+      return { accounts: [], unreachable: true };
     }
   }
 }

package/src/security/secure-keys.ts

@@ -25,10 +25,17 @@ import type { CesClient } from "../credential-execution/client.js";
 import { getLogger } from "../util/logger.js";
 import { createCesCredentialBackend } from "./ces-credential-client.js";
 import { CesRpcCredentialBackend } from "./ces-rpc-credential-backend.js";
-import type { CredentialBackend, DeleteResult } from "./credential-backend.js";
+import type {
+  CredentialBackend,
+  CredentialListResult,
+  DeleteResult,
+} from "./credential-backend.js";
 import { createEncryptedStoreBackend } from "./credential-backend.js";
 
-export type { DeleteResult } from "./credential-backend.js";
+export type {
+  CredentialListResult,
+  DeleteResult,
+} from "./credential-backend.js";
 
 /**
  * Re-export shared-package secure-key abstractions so downstream consumers
@@ -89,7 +96,9 @@ async function doResolveBackend(): Promise<CredentialBackend> {
       _resolvedBackend = cesRpc;
       return cesRpc;
     }
-    log.warn("CES RPC client is set but not ready — falling back to local credential store");
+    log.warn(
+      "CES RPC client is set but not ready — falling back to local credential store",
+    );
   }
 
   // 2. CES HTTP — containerized / Docker / managed mode
@@ -115,7 +124,7 @@ async function doResolveBackend(): Promise<CredentialBackend> {
  *
  * Queries exactly one backend — no cross-store merge.
  */
-export async function listSecureKeysAsync(): Promise<string[]> {
+export async function listSecureKeysAsync(): Promise<CredentialListResult> {
   const backend = await resolveBackendAsync();
   return backend.list();
 }
@@ -241,6 +250,14 @@ export async function getMaskedProviderKey(
 // Test helpers
 // ---------------------------------------------------------------------------
 
+/**
+ * Return the name of the currently resolved credential backend.
+ * Useful for diagnostic messages when credential operations fail.
+ */
+export function getActiveBackendName(): string {
+  return _resolvedBackend?.name ?? "none";
+}
+
 /** @internal Test-only: reset the cached backends so they're re-created. */
 export function _resetBackend(): void {
   _cesClient = undefined;

package/src/skills/catalog-install.ts

@@ -13,12 +13,9 @@ import { homedir } from "node:os";
 import { dirname, join, posix, resolve, sep } from "node:path";
 import { gunzipSync } from "node:zlib";
 
+import { getPlatformBaseUrl } from "../config/env.js";
 import { getLogger } from "../util/logger.js";
-import {
-  getWorkspaceConfigPath,
-  getWorkspaceSkillsDir,
-  readPlatformToken,
-} from "../util/platform.js";
+import { getWorkspaceSkillsDir, readPlatformToken } from "../util/platform.js";
 import { deleteSkillCapabilityMemory } from "./skill-memory.js";
 
 const log = getLogger("catalog-install");
@@ -70,27 +67,6 @@ export function getRepoSkillsDir(): string | undefined {
 
 // ─── Platform API ────────────────────────────────────────────────────────────
 
-function getConfigPlatformUrl(): string | undefined {
-  try {
-    const configPath = getWorkspaceConfigPath();
-    if (!existsSync(configPath)) return undefined;
-    const raw = JSON.parse(readFileSync(configPath, "utf-8")) as Record<
-      string,
-      unknown
-    >;
-    const platform = raw.platform as Record<string, unknown> | undefined;
-    const baseUrl = platform?.baseUrl;
-    if (typeof baseUrl === "string" && baseUrl.trim()) return baseUrl.trim();
-  } catch {
-    // ignore
-  }
-  return undefined;
-}
-
-function getPlatformUrl(): string {
-  return process.env.VELLUM_PLATFORM_URL ?? getConfigPlatformUrl() ?? "";
-}
-
 function buildHeaders(): Record<string, string> {
   const headers: Record<string, string> = {};
   const token = readPlatformToken();
@@ -103,10 +79,7 @@ function buildHeaders(): Record<string, string> {
 // ─── Catalog operations ──────────────────────────────────────────────────────
 
 export async function fetchCatalog(): Promise<CatalogSkill[]> {
-  const platformUrl = getPlatformUrl();
-  if (!platformUrl) {
-    return [];
-  }
+  const platformUrl = getPlatformBaseUrl();
   const url = `${platformUrl}/v1/skills/`;
   const response = await fetch(url, {
     headers: buildHeaders(),
@@ -214,12 +187,7 @@ export async function fetchAndExtractSkill(
   skillId: string,
   destDir: string,
 ): Promise<void> {
-  const platformUrl = getPlatformUrl();
-  if (!platformUrl) {
-    throw new Error(
-      `Cannot fetch skill "${skillId}": VELLUM_PLATFORM_URL is not configured.`,
-    );
-  }
+  const platformUrl = getPlatformBaseUrl();
   const url = `${platformUrl}/v1/skills/${encodeURIComponent(skillId)}/`;
   const response = await fetch(url, {
     headers: buildHeaders(),

package/src/skills/skill-memory.ts

@@ -123,6 +123,7 @@ export function upsertSkillCapabilityMemory(
         confidence,
         importance,
         fingerprint,
+        sourceType: "extraction",
         scopeId,
         firstSeenAt: now,
         lastSeenAt: now,

package/src/subagent/manager.ts

@@ -18,7 +18,7 @@ import {
 import type { ServerMessage } from "../daemon/message-protocol.js";
 import { bootstrapConversation } from "../memory/conversation-bootstrap.js";
 import { RateLimitProvider } from "../providers/ratelimit.js";
-import { getFailoverProvider } from "../providers/registry.js";
+import { getProvider } from "../providers/registry.js";
 import { getLogger } from "../util/logger.js";
 import { getSandboxWorkingDir } from "../util/platform.js";
 import {
@@ -129,10 +129,7 @@ export class SubagentManager {
 
     // ── Build conversation dependencies ─────────────────────────────
     const appConfig = getConfig();
-    let provider = getFailoverProvider(
-      appConfig.services.inference.provider,
-      appConfig.providerOrder,
-    );
+    let provider = getProvider(appConfig.services.inference.provider);
     const { rateLimit } = appConfig;
     if (rateLimit.maxRequestsPerMinute > 0) {
       provider = new RateLimitProvider(

package/src/tools/acp/spawn.ts

@@ -1,7 +1,68 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+
 import { getAcpSessionManager } from "../../acp/index.js";
 import { getConfig } from "../../config/loader.js";
+import { getLogger } from "../../util/logger.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
+const execFileAsync = promisify(execFile);
+const log = getLogger("acp:spawn");
+
+/** Cache so we only check once per process lifetime. */
+let adapterVersionChecked = false;
+
+interface AdapterVersionInfo {
+  outdated: true;
+  installed: string;
+  latest: string;
+}
+
+/**
+ * Checks if the globally-installed claude-agent-acp adapter is outdated.
+ * Runs at most once per process lifetime. Does NOT auto-update — returns
+ * version info so the caller can ask the user first.
+ */
+async function checkAdapterVersion(
+  command: string,
+): Promise<AdapterVersionInfo | null> {
+  if (adapterVersionChecked || command !== "claude-agent-acp") {
+    return null;
+  }
+
+  try {
+    const { stdout: installedRaw } = await execFileAsync("npm", [
+      "ls",
+      "-g",
+      "--json",
+      "@zed-industries/claude-agent-acp",
+    ]);
+    const { stdout: latestRaw } = await execFileAsync("npm", [
+      "view",
+      "@zed-industries/claude-agent-acp",
+      "version",
+    ]);
+
+    const installed =
+      JSON.parse(installedRaw)?.dependencies?.[
+        "@zed-industries/claude-agent-acp"
+      ]?.version;
+    const latest = latestRaw.trim();
+
+    adapterVersionChecked = true;
+
+    if (!installed || !latest || installed === latest) {
+      return null;
+    }
+
+    log.info({ installed, latest }, "claude-agent-acp is outdated");
+    return { outdated: true, installed, latest };
+  } catch (err) {
+    log.warn({ err }, "Failed to check claude-agent-acp version");
+    return null;
+  }
+}
+
 export async function executeAcpSpawn(
   input: Record<string, unknown>,
   context: ToolContext,
@@ -37,6 +98,17 @@ export async function executeAcpSpawn(
     };
   }
 
+  // Check if the ACP adapter is outdated before spawning
+  const versionInfo = await checkAdapterVersion(agentConfig.command);
+  if (versionInfo) {
+    return {
+      content:
+        `claude-agent-acp is outdated (installed: ${versionInfo.installed}, latest: ${versionInfo.latest}). ` +
+        `Ask the user if they'd like to update. If yes, run: npm install -g @zed-industries/claude-agent-acp@${versionInfo.latest} — then retry acp_spawn.`,
+      isError: true,
+    };
+  }
+
   try {
     const manager = getAcpSessionManager();
     const cwd = (input.cwd as string) || context.workingDir;
@@ -64,7 +136,12 @@ export async function executeAcpSpawn(
       isError: false,
     };
   } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
+    const msg =
+      err instanceof Error
+        ? err.message
+        : typeof err === "object" && err !== undefined
+          ? JSON.stringify(err)
+          : String(err);
     return { content: `Failed to spawn ACP agent: ${msg}`, isError: true };
   }
 }

package/src/tools/credentials/vault.ts

@@ -400,8 +400,9 @@ class CredentialStoreTool implements Tool {
         const credIdSuffix = metadata
           ? ` (credential_id: ${metadata.credentialId})`
           : "";
+        const retrieveHint = ` Retrieve with: \`assistant credentials reveal --service ${service} --field ${field}\``;
         return {
-          content: `Stored credential for ${service}/${field}.${credIdSuffix}${
+          content: `Stored credential for ${service}/${field}.${credIdSuffix}${retrieveHint}${
             slackChannelResult
               ? formatSlackChannelStatus(slackChannelResult)
               : ""
@@ -428,7 +429,7 @@ class CredentialStoreTool implements Tool {
         // (e.g. keychain) and the encrypted store (legacy keys).
         let secureKeySet: Set<string> | undefined;
         try {
-          secureKeySet = new Set(await listSecureKeysAsync());
+          secureKeySet = new Set((await listSecureKeysAsync()).accounts);
         } catch (err) {
           log.error(
             { err },
@@ -810,8 +811,9 @@ class CredentialStoreTool implements Tool {
         const promptCredIdSuffix = promptMeta
           ? ` (credential_id: ${promptMeta.credentialId})`
           : "";
+        const promptRetrieveHint = ` Retrieve with: \`assistant credentials reveal --service ${service} --field ${field}\``;
         return {
-          content: `Credential stored for ${service}/${field}.${promptCredIdSuffix}${
+          content: `Credential stored for ${service}/${field}.${promptCredIdSuffix}${promptRetrieveHint}${
             slackChannelResult
               ? formatSlackChannelStatus(slackChannelResult)
               : ""