@vellumai/assistant 0.5.8 → 0.5.10

package/AGENTS.md

@@ -2,4 +2,4 @@
 
 For error handling conventions (throw vs result objects vs null), see [docs/error-handling.md](docs/error-handling.md).
 
-Subdirectory-scoped rules live in local AGENTS.md files: `src/cli/`, `src/runtime/`, `src/approvals/`, `src/notifications/`.
+Subdirectory-scoped rules live in local AGENTS.md files: `src/cli/`, `src/runtime/`, `src/approvals/`, `src/notifications/`, `src/workspace/migrations/`.

package/ARCHITECTURE.md

@@ -321,7 +321,7 @@ The WhatsApp channel enables inbound and outbound messaging via the Meta WhatsAp
 - `WHATSAPP_APP_SECRET` — App secret for webhook signature verification
 - `WHATSAPP_WEBHOOK_VERIFY_TOKEN` — Token for the Meta webhook subscription handshake
 
-These can be set via environment variables or stored in the credential vault (keychain / encrypted store) under the `whatsapp` service prefix.
+These can be set via environment variables or stored in the credential vault (CES / encrypted store) under the `whatsapp` service prefix.
 
 **Limitations (v1)**: Rich approval UI (inline buttons) is not supported. Contacts and location message types are acknowledged but not forwarded.
 
@@ -343,7 +343,7 @@ All endpoints are JWT-authenticated via `Authorization: Bearer <jwt>`.
 
 **Credential storage pattern:**
 
-Both tokens are stored in the secure key store (macOS Keychain with encrypted file fallback):
+Both tokens are stored in the secure key store (CES credential store with encrypted file fallback):
 
 | Secure key                           | Content                                                                    |
 | ------------------------------------ | -------------------------------------------------------------------------- |
@@ -667,9 +667,9 @@ All six enforcement points derive the flag key via `skillFlagKey(skill)` — whi
 
 ```mermaid
 graph LR
-    subgraph "macOS Keychain"
-        K1["API Key<br/>service: vellum-assistant<br/>account: anthropic<br/>stored via /usr/bin/security CLI"]
-        K2["Credential Secrets<br/>key: credential/{service}/{field}<br/>stored via secure-keys.ts<br/>(encrypted file fallback if Keychain unavailable)"]
+    subgraph "Credential Store"
+        K1["API Key<br/>service: vellum-assistant<br/>account: anthropic<br/>stored via CES"]
+        K2["Credential Secrets<br/>key: credential/{service}/{field}<br/>stored via secure-keys.ts<br/>(encrypted file fallback)"]
     end
 
     subgraph "UserDefaults (plist)"
@@ -1937,10 +1937,10 @@ Connected channels are resolved at signal emission time: vellum is always includ
 
 | What                                     | Where                                                             | Format                              | ORM/Driver                         | Retention                                               |
 | ---------------------------------------- | ----------------------------------------------------------------- | ----------------------------------- | ---------------------------------- | ------------------------------------------------------- |
-| API key                                  | macOS Keychain                                                    | Encrypted binary                    | `/usr/bin/security` CLI            | Permanent                                               |
-| Credential secrets                       | macOS Keychain (or encrypted file fallback)                       | Encrypted binary                    | `secure-keys.ts` wrapper           | Permanent (until deleted via tool)                      |
+| API key                                  | CES / encrypted file store                                        | Encrypted binary                    | CES API / `secure-keys.ts`         | Permanent                                               |
+| Credential secrets                       | CES / encrypted file store                                        | Encrypted binary                    | `secure-keys.ts` wrapper           | Permanent (until deleted via tool)                      |
 | Credential metadata                      | `~/.vellum/workspace/data/credentials/metadata.json`              | JSON                                | Atomic file write                  | Permanent (until deleted via tool)                      |
-| Integration OAuth tokens                 | macOS Keychain (or encrypted file fallback, via `secure-keys.ts`) | Encrypted binary                    | `TokenManager` auto-refresh        | Until disconnected or revoked                           |
+| Integration OAuth tokens                 | CES / encrypted file store (via `secure-keys.ts`)                 | Encrypted binary                    | `TokenManager` auto-refresh        | Until disconnected or revoked                           |
 | User preferences                         | UserDefaults                                                      | plist                               | Foundation                         | Permanent                                               |
 | Session logs                             | `~/Library/.../logs/session-*.json`                               | JSON per session                    | Swift Codable                      | Unbounded                                               |
 | Conversations & messages                 | `~/.vellum/workspace/data/db/assistant.db`                        | SQLite + WAL                        | Drizzle ORM (Bun)                  | Permanent                                               |

package/README.md

@@ -204,7 +204,7 @@ The runtime exposes a RESTful HTTP API for Twilio configuration, credential mana
 | Method | Path                                        | Description                                                                                                                                 |
 | ------ | ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
 | GET    | `/v1/integrations/twilio/config`            | Returns current state: `hasCredentials` (boolean) and `phoneNumber` (if assigned)                                                           |
-| POST   | `/v1/integrations/twilio/credentials`       | Validates and stores Account SID and Auth Token in secure storage (Keychain / encrypted file)                                               |
+| POST   | `/v1/integrations/twilio/credentials`       | Validates and stores Account SID and Auth Token in secure storage (CES / encrypted file store)                                               |
 | DELETE | `/v1/integrations/twilio/credentials`       | Removes stored credentials. Preserves the phone number in config so re-entering credentials resumes working without reassigning the number. |
 | GET    | `/v1/integrations/twilio/numbers`           | Lists all incoming phone numbers on the Twilio account with their capabilities                                                              |
 | POST   | `/v1/integrations/twilio/numbers/provision` | Purchases a new phone number. Accepts optional `areaCode` and `country`. Auto-assigns and configures webhooks when ingress is available.    |

package/docs/architecture/integrations.md

@@ -122,7 +122,7 @@ sequenceDiagram
     participant Browser as System Browser
     participant Google as Google OAuth Server
     participant Store as SQLite OAuth Store
-    participant Vault as Secure Keychain
+    participant Vault as Credential Store
     participant TokenMgr as TokenManager
     participant Tool as Gmail Tool Executor
     participant API as Gmail REST API
@@ -173,7 +173,7 @@ sequenceDiagram
 
 | Decision                                   | Rationale                                                                                                                                                                                                                                        |
 | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| PKCE by default, optional client_secret    | Desktop apps prefer PKCE; some providers (Slack) require a secret, which is stored in the secure keychain (`oauth_app/{id}/client_secret`) for autonomous refresh                                                                                |
+| PKCE by default, optional client_secret    | Desktop apps prefer PKCE; some providers (Slack) require a secret, which is stored in the credential store (`oauth_app/{id}/client_secret`) for autonomous refresh                                                                                |
 | Shared connect orchestrator                | All OAuth providers route through `orchestrateOAuthConnect()`, which resolves profiles, enforces scope policy, runs the flow, stores tokens, and verifies identity. Adding a provider is a declarative profile entry, not new orchestration code |
 | Canonical credential naming                | All reads and writes use `client_id`/`client_secret` as canonical field names                                                                                                                                                                    |
 | Gateway callback transport                 | OAuth callbacks are now routed through the gateway at `${ingress.publicBaseUrl}/webhooks/oauth/callback` instead of a loopback redirect URI. This enables OAuth flows to work in remote and tunneled deployments.                                |
@@ -261,7 +261,7 @@ Result is a discriminated union: `{ success, deferred, grantedScopes, accountInf
 
 `assistant/src/daemon/handlers/oauth-connect.ts` handles `oauth_connect_start` messages. The handler:
 
-1. Resolves client credentials from the keychain using canonical names (`client_id`, `client_secret`).
+1. Resolves client credentials from the credential store using canonical names (`client_id`, `client_secret`).
 2. Validates that required credentials exist (including `client_secret` when the provider requires it).
 3. Delegates to `orchestrateOAuthConnect()`.
 4. Sends `oauth_connect_result` back to the client.
@@ -286,7 +286,7 @@ This replaces provider-specific handlers — any provider in the registry can be
 | `assistant/src/oauth/scope-policy.ts`            | Scope resolution and policy enforcement (pure, no I/O)                           |
 | `assistant/src/oauth/connect-orchestrator.ts`    | Shared connect orchestrator (profile → scopes → flow → tokens)                   |
 | `assistant/src/oauth/connect-types.ts`           | Shared types (`OAuthProviderBehavior`, `OAuthScopePolicy`, `OAuthConnectResult`) |
-| `assistant/src/oauth/token-persistence.ts`       | Token storage: keychain writes, metadata upsert, post-connect hooks              |
+| `assistant/src/oauth/token-persistence.ts`       | Token storage: credential store writes, metadata upsert, post-connect hooks      |
 | `assistant/src/daemon/handlers/oauth-connect.ts` | Generic `oauth_connect_start` / `oauth_connect_result` handler                   |
 
 ---

package/docs/architecture/keychain-broker.md

@@ -1,7 +1,7 @@
 # macOS Keychain Broker Architecture (Legacy)
 
 **Status:** Superseded by CES credential routing
-**Last Updated:** 2026-03-22
+**Last Updated:** 2026-03-24
 **Owners:** macOS client + assistant runtime
 
 ## Current State
@@ -16,24 +16,23 @@ See [`assistant/docs/credential-execution-service.md`](../credential-execution-s
 
 ### What remains
 
-The keychain broker is not fully deleted. These components still exist:
+The keychain broker is fully deleted. Only these historical migrations remain:
 
-| Component | Location | Why it exists |
-|---|---|---|
-| Keychain broker client | `assistant/src/security/keychain-broker-client.ts` | Used only by workspace migrations 015 and 016 |
-| Migration 015 | `assistant/src/workspace/migrations/015-migrate-credentials-to-keychain.ts` | Historical migration that copied encrypted store credentials into keychain |
+| Component     | Location                                                                      | Why it exists                                                                                      |
+| ------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
+| Migration 015 | `assistant/src/workspace/migrations/015-migrate-credentials-to-keychain.ts`   | Historical migration that copied encrypted store credentials into keychain                         |
 | Migration 016 | `assistant/src/workspace/migrations/016-migrate-credentials-from-keychain.ts` | Reverse migration that copies keychain credentials back to the encrypted store for CES unification |
-| Swift broker server | `clients/macos/vellum-assistant/Security/KeychainBrokerServer.swift` | UDS server in the macOS app; still compiled for release builds (`#if !DEBUG`) |
-| Swift broker service | `clients/macos/vellum-assistant/Security/KeychainBrokerService.swift` | `SecItem*` wrapper used by the broker server |
-| Gateway credential reader | `gateway/src/credential-reader.ts` | Still tries the keychain broker as a secondary fallback after CES, before the encrypted store |
 
-The broker client and Swift server remain because migrations 015/016 must be able to read/write the keychain for users who previously stored credentials there. These migrations are append-only and cannot be removed. The gateway's broker fallback provides a read path for credentials that may still be in the keychain during the migration window.
+Migrations 015/016 use inline `security` CLI helpers that shell out to `/usr/bin/security` directly, replacing the former broker client and UDS protocol. These migrations are append-only and cannot be removed.
 
 ### What was removed
 
+- **Keychain broker client** (`keychain-broker-client.ts`) -- the TypeScript client that communicated with the Swift UDS server. Migrations 015/016 now use inline `security` CLI helpers instead.
 - **`KeychainBackend`** class and `createKeychainBackend()` factory -- the daemon's `CredentialBackend` implementation that wrapped the broker client. Removed from `credential-backend.ts`.
 - **`resolveBackendAsync()` keychain resolution path** -- the daemon no longer considers `VELLUM_DESKTOP_APP` or `VELLUM_DEV` for backend selection. Backend resolution in `secure-keys.ts` now follows the CES RPC > CES HTTP > encrypted store priority.
 - **Dual-writing and broker-unavailable commit behavior** -- the daemon previously committed to the keychain backend even when the broker socket was unreachable, causing operations to fail visibly. This behavior is gone; CES RPC is the primary backend with encrypted store as a graceful fallback.
+- **Swift broker server** (`KeychainBrokerServer.swift`) -- the UDS server in the macOS app that accepted credential requests from the daemon and gateway. Deleted along with its `SecItem*` wrapper (`KeychainBrokerService.swift`).
+- **Gateway broker fallback** -- the gateway's `credential-reader.ts` no longer tries the keychain broker as a secondary fallback. Credential resolution is now CES HTTP > encrypted file store.
 
 ## Original Design (Historical)
 
@@ -51,15 +50,15 @@ The macOS app embedded a `KeychainBrokerServer` (NWListener on a Unix domain soc
 
 Transport: Unix domain socket at `~/.vellum/keychain-broker.sock`, newline-delimited JSON.
 
-| Method | Params | Result |
-|---|---|---|
-| `broker.ping` | none | `{ pong: true }` |
-| `key.get` | `{ account }` | `{ found, value? }` |
-| `key.set` | `{ account, value }` | `{ stored: true }` |
-| `key.delete` | `{ account }` | `{ deleted: true }` |
-| `key.list` | none | `{ accounts: string[] }` |
+| Method        | Params               | Result                   |
+| ------------- | -------------------- | ------------------------ |
+| `broker.ping` | none                 | `{ pong: true }`         |
+| `key.get`     | `{ account }`        | `{ found, value? }`      |
+| `key.set`     | `{ account, value }` | `{ stored: true }`       |
+| `key.delete`  | `{ account }`        | `{ deleted: true }`      |
+| `key.list`    | none                 | `{ accounts: string[] }` |
 
-This protocol is still used by migrations 015/016 via the broker client.
+This protocol is no longer used. Migrations 015/016 now use inline `security` CLI helpers that shell out to `/usr/bin/security` directly instead of communicating over UDS.
 
 ### Security model
 

package/docs/architecture/security.md

@@ -222,7 +222,7 @@ sequenceDiagram
     participant Prompter as SecretPrompter
     participant HTTP as HTTP Transport
     participant UI as SecretPromptManager (Swift)
-    participant Keychain as macOS Keychain
+    participant Store as Credential Store (CES / encrypted file)
 
     Model->>Vault: action: "prompt", service, field, label
     Vault->>Prompter: requestSecret(service, field, label, ...)
@@ -233,7 +233,7 @@ sequenceDiagram
         UI->>HTTP: secret_response {requestId, value, delivery: "store"}
         HTTP->>Prompter: resolve(value, "store")
         Prompter->>Vault: {value, delivery: "store"}
-        Vault->>Keychain: setSecureKeyAsync("credential/svc/field", value)
+        Vault->>Store: setSecureKeyAsync("credential/svc/field", value)
         Vault->>Model: "Credential stored securely" (no value in output)
     else One-Time Send (if enabled)
         UI->>HTTP: secret_response {requestId, value, delivery: "transient_send"}
@@ -265,7 +265,7 @@ graph TB
 The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send Once" button in the secret prompt UI. When used:
 
 - The secret value is handed to the `CredentialBroker`, which holds it in memory for the next `consume` or `browserFill` call
-- The value is **not** persisted to the keychain
+- The value is **not** persisted to the credential store
 - The broker discards the value after a single use
 - The vault tool output confirms delivery without including the secret value — the value is never returned to the model
 - The config gate must be explicitly enabled by the operator
@@ -274,7 +274,7 @@ The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send
 
 | Component           | Location                                             | What it stores                                                                                                                                               |
 | ------------------- | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Secret values       | macOS Keychain (primary) or encrypted file fallback  | Encrypted credential values keyed as `credential/{service}/{field}`. Falls back to encrypted file backend on Linux/headless or when Keychain is unavailable. |
+| Secret values       | CES credential store or encrypted file store         | Encrypted credential values keyed as `credential/{service}/{field}`. Stored via CES RPC (primary), CES HTTP (containerized), or encrypted file store (fallback). |
 | Credential metadata | `~/.vellum/workspace/data/credentials/metadata.json` | Service, field, label, policy (allowedTools, allowedDomains), timestamps                                                                                     |
 | Config              | `~/.vellum/workspace/config.*`                       | `secretDetection` settings: enabled, action, entropyThreshold, allowOneTimeSend                                                                              |
 
@@ -283,7 +283,7 @@ The `allowOneTimeSend` config gate (default: `false`) enables a secondary "Send
 | File                                                 | Role                                                                  |
 | ---------------------------------------------------- | --------------------------------------------------------------------- |
 | `assistant/src/tools/credentials/vault.ts`           | `credential_store` tool — store, list, delete, prompt actions         |
-| `assistant/src/security/secure-keys.ts`              | Async secure key CRUD via keychain broker and encrypted file store    |
+| `assistant/src/security/secure-keys.ts`              | Async secure key CRUD via CES and encrypted file store               |
 | `assistant/src/tools/credentials/metadata-store.ts`  | JSON file metadata CRUD for credential records                        |
 | `assistant/src/tools/credentials/broker.ts`          | Brokered credential access with policy enforcement and transient send |
 | `assistant/src/tools/credentials/policy-validate.ts` | Policy input validation (allowedTools, allowedDomains)                |

package/eslint.config.mjs

@@ -29,37 +29,6 @@ const eslintConfig = defineConfig([
         { argsIgnorePattern: "^_", varsIgnorePattern: "^_" },
       ],
       "@typescript-eslint/no-explicit-any": "error",
-
-      // Standardize on `undefined` only — avoid `null` in new code.
-      // Prefer `=== undefined`, `?? fallback`, or `?.` optional chaining
-      // instead of `=== null`.
-      "no-restricted-syntax": [
-        "error",
-        {
-          selector:
-            "BinaryExpression[operator='==='][right.type='Literal'][right.raw='null']",
-          message:
-            "Avoid `=== null`. Prefer `=== undefined`, `?? fallback`, or optional chaining `?.` instead.",
-        },
-        {
-          selector:
-            "BinaryExpression[operator='==='][left.type='Literal'][left.raw='null']",
-          message:
-            "Avoid `null ===`. Prefer `=== undefined`, `?? fallback`, or optional chaining `?.` instead.",
-        },
-        {
-          selector:
-            "BinaryExpression[operator='!=='][right.type='Literal'][right.raw='null']",
-          message:
-            "Avoid `!== null`. Prefer `!== undefined`, nullish coalescing `??`, or optional chaining `?.` instead.",
-        },
-        {
-          selector:
-            "BinaryExpression[operator='!=='][left.type='Literal'][left.raw='null']",
-          message:
-            "Avoid `null !==`. Prefer `!== undefined`, nullish coalescing `??`, or optional chaining `?.` instead.",
-        },
-      ],
     },
   },
   {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.5.8",
+  "version": "0.5.10",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/conversation-runtime-assembly.test.ts

@@ -11,6 +11,7 @@ import {
   injectChannelCapabilityContext,
   injectChannelCommandContext,
   injectInboundActorContext,
+  injectNowScratchpad,
   injectTemporalContext,
   injectTurnContext,
   isGroupChatType,
@@ -18,6 +19,8 @@ import {
   stripChannelCapabilityContext,
   stripChannelTurnContext,
   stripInboundActorContext,
+  stripInjectedContext,
+  stripNowScratchpad,
   stripTemporalContext,
 } from "../daemon/conversation-runtime-assembly.js";
 import type { Message } from "../providers/types.js";
@@ -1318,6 +1321,7 @@ describe("applyRuntimeInjections — injection mode", () => {
       canonicalActorIdentity: "user-1",
       trustClass: "guardian",
     } as InboundActorContext,
+    nowScratchpad: "Current focus: shipping PR 3",
     isNonInteractive: true,
   };
 
@@ -1337,6 +1341,7 @@ describe("applyRuntimeInjections — injection mode", () => {
     expect(allText).toContain("<turn_context>");
     expect(allText).toContain("<inbound_actor_context>");
     expect(allText).toContain("<non_interactive_context>");
+    expect(allText).toContain("<now_scratchpad>");
   });
 
   test("explicit mode: 'full' behaves the same as default", () => {
@@ -1353,6 +1358,7 @@ describe("applyRuntimeInjections — injection mode", () => {
     expect(allText).toContain("<temporal_context>");
     expect(allText).toContain("<channel_command_context>");
     expect(allText).toContain("<active_workspace>");
+    expect(allText).toContain("<now_scratchpad>");
   });
 
   test("minimal mode skips high-token optional blocks", () => {
@@ -1370,6 +1376,7 @@ describe("applyRuntimeInjections — injection mode", () => {
     expect(allText).not.toContain("<temporal_context>");
     expect(allText).not.toContain("<channel_command_context>");
     expect(allText).not.toContain("<active_workspace>");
+    expect(allText).not.toContain("<now_scratchpad>");
   });
 
   test("minimal mode preserves safety-critical blocks", () => {
@@ -1417,3 +1424,223 @@ describe("applyRuntimeInjections — injection mode", () => {
     expect(texts).toContain("Hello");
   });
 });
+
+// ---------------------------------------------------------------------------
+// injectNowScratchpad
+// ---------------------------------------------------------------------------
+
+describe("injectNowScratchpad", () => {
+  const baseUserMessage: Message = {
+    role: "user",
+    content: [{ type: "text", text: "What should I work on?" }],
+  };
+
+  test("appends now_scratchpad block to user message", () => {
+    const result = injectNowScratchpad(
+      baseUserMessage,
+      "Current focus: shipping PR 3",
+    );
+    expect(result.content.length).toBe(2);
+    // Original content comes first
+    expect((result.content[0] as { type: "text"; text: string }).text).toBe(
+      "What should I work on?",
+    );
+    // Scratchpad is appended (not prepended)
+    const injected = result.content[1];
+    expect(injected.type).toBe("text");
+    const text = (injected as { type: "text"; text: string }).text;
+    expect(text).toBe(
+      "<now_scratchpad>\nCurrent focus: shipping PR 3\n</now_scratchpad>",
+    );
+  });
+
+  test("preserves existing multi-block content and appends at end", () => {
+    const multiBlockMessage: Message = {
+      role: "user",
+      content: [
+        { type: "text", text: "First block" },
+        { type: "text", text: "Second block" },
+      ],
+    };
+
+    const result = injectNowScratchpad(multiBlockMessage, "scratchpad notes");
+    expect(result.content.length).toBe(3);
+    expect((result.content[0] as { type: "text"; text: string }).text).toBe(
+      "First block",
+    );
+    expect((result.content[1] as { type: "text"; text: string }).text).toBe(
+      "Second block",
+    );
+    expect(
+      (result.content[2] as { type: "text"; text: string }).text,
+    ).toContain("<now_scratchpad>");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// stripNowScratchpad
+// ---------------------------------------------------------------------------
+
+describe("stripNowScratchpad", () => {
+  test("strips now_scratchpad blocks from user messages", () => {
+    const messages: Message[] = [
+      {
+        role: "user",
+        content: [
+          { type: "text", text: "Hello" },
+          {
+            type: "text",
+            text: "<now_scratchpad>\nSome notes\n</now_scratchpad>",
+          },
+        ],
+      },
+      {
+        role: "assistant",
+        content: [{ type: "text", text: "Hi there" }],
+      },
+    ];
+
+    const result = stripNowScratchpad(messages);
+
+    expect(result.length).toBe(2);
+    expect(result[0].content.length).toBe(1);
+    expect((result[0].content[0] as { type: "text"; text: string }).text).toBe(
+      "Hello",
+    );
+    // Assistant message untouched
+    expect(result[1].content.length).toBe(1);
+  });
+
+  test("removes user messages that only contain now_scratchpad", () => {
+    const messages: Message[] = [
+      {
+        role: "user",
+        content: [
+          {
+            type: "text",
+            text: "<now_scratchpad>\nSome notes\n</now_scratchpad>",
+          },
+        ],
+      },
+    ];
+
+    const result = stripNowScratchpad(messages);
+    expect(result.length).toBe(0);
+  });
+
+  test("leaves messages without now_scratchpad untouched", () => {
+    const messages: Message[] = [
+      {
+        role: "user",
+        content: [{ type: "text", text: "Normal message" }],
+      },
+    ];
+
+    const result = stripNowScratchpad(messages);
+    expect(result.length).toBe(1);
+    expect(result[0]).toBe(messages[0]); // Same reference — untouched
+  });
+});
+
+// ---------------------------------------------------------------------------
+// stripInjectedContext removes now_scratchpad blocks
+// ---------------------------------------------------------------------------
+
+describe("stripInjectedContext with now_scratchpad", () => {
+  test("strips now_scratchpad blocks alongside other injections", () => {
+    const messages: Message[] = [
+      {
+        role: "user",
+        content: [
+          {
+            type: "text",
+            text: "<channel_capabilities>\nchannel: telegram\n</channel_capabilities>",
+          },
+          { type: "text", text: "Hello" },
+          {
+            type: "text",
+            text: "<now_scratchpad>\nCurrent focus\n</now_scratchpad>",
+          },
+        ],
+      },
+    ];
+
+    const result = stripInjectedContext(messages);
+    expect(result.length).toBe(1);
+    expect(result[0].content.length).toBe(1);
+    expect((result[0].content[0] as { type: "text"; text: string }).text).toBe(
+      "Hello",
+    );
+  });
+});
+
+// ---------------------------------------------------------------------------
+// applyRuntimeInjections with nowScratchpad
+// ---------------------------------------------------------------------------
+
+describe("applyRuntimeInjections with nowScratchpad", () => {
+  const baseMessages: Message[] = [
+    {
+      role: "user",
+      content: [{ type: "text", text: "What should I do?" }],
+    },
+  ];
+
+  test("injects now_scratchpad block when provided", () => {
+    const result = applyRuntimeInjections(baseMessages, {
+      nowScratchpad: "Current focus: fix the bug",
+    });
+
+    expect(result.length).toBe(1);
+    expect(result[0].content.length).toBe(2);
+    const injected = result[0].content[1];
+    const text = (injected as { type: "text"; text: string }).text;
+    expect(text).toContain("<now_scratchpad>");
+    expect(text).toContain("Current focus: fix the bug");
+  });
+
+  test("appended block appears after user's original text content", () => {
+    const result = applyRuntimeInjections(baseMessages, {
+      nowScratchpad: "scratchpad notes",
+    });
+
+    // Original text is first
+    expect(
+      (result[0].content[0] as { type: "text"; text: string }).text,
+    ).toBe("What should I do?");
+    // Scratchpad is appended after
+    expect(
+      (result[0].content[1] as { type: "text"; text: string }).text,
+    ).toContain("<now_scratchpad>");
+  });
+
+  test("does not inject when nowScratchpad is null", () => {
+    const result = applyRuntimeInjections(baseMessages, {
+      nowScratchpad: null,
+    });
+
+    expect(result.length).toBe(1);
+    expect(result[0].content.length).toBe(1);
+  });
+
+  test("does not inject when nowScratchpad is omitted", () => {
+    const result = applyRuntimeInjections(baseMessages, {});
+
+    expect(result.length).toBe(1);
+    expect(result[0].content.length).toBe(1);
+  });
+
+  test("skipped in minimal mode", () => {
+    const result = applyRuntimeInjections(baseMessages, {
+      nowScratchpad: "Current focus: fix the bug",
+      mode: "minimal",
+    });
+
+    const allText = result[0].content
+      .filter((b): b is { type: "text"; text: string } => b.type === "text")
+      .map((b) => b.text)
+      .join("\n");
+
+    expect(allText).not.toContain("<now_scratchpad>");
+  });
+});

package/src/__tests__/credentials-cli.test.ts

@@ -895,7 +895,7 @@ describe("assistant credentials CLI", () => {
       expect(result.exitCode).toBe(0);
       const parsed = JSON.parse(result.stdout);
       expect(parsed.ok).toBe(true);
-      expect(parsed.scrubbedValue).toBe("(broker unreachable)");
+      expect(parsed.scrubbedValue).toBe("(credential store unreachable)");
       expect(parsed.brokerUnreachable).toBe(true);
     });
 
@@ -913,7 +913,7 @@ describe("assistant credentials CLI", () => {
       expect(result.exitCode).toBe(1);
       const parsed = JSON.parse(result.stdout);
       expect(parsed.ok).toBe(false);
-      expect(parsed.error).toContain("Keychain broker is unreachable");
+      expect(parsed.error).toContain("Credential store is unreachable");
     });
   });
 
@@ -1029,7 +1029,7 @@ describe("assistant credentials CLI", () => {
       expect(result.exitCode).toBe(1);
       const parsed = JSON.parse(result.stdout);
       expect(parsed.ok).toBe(false);
-      expect(parsed.error).toContain("Keychain broker is unreachable");
+      expect(parsed.error).toContain("Credential store is unreachable");
     });
 
     test("returns credential-not-found when broker is up", async () => {