@vellumai/assistant 0.5.8 → 0.5.10

package/src/cli/commands/credentials.ts

@@ -635,7 +635,7 @@ Examples:
             if (unreachable) {
               writeError(
                 cmd,
-                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+                "Credential store is unreachable — ensure the assistant is running",
               );
             } else {
               writeError(cmd, "Credential not found");
@@ -676,7 +676,7 @@ Examples:
           const output = buildCredentialOutput(metadata, secret, connection);
 
           if (unreachable && (secret == null || secret.length === 0)) {
-            output.scrubbedValue = "(broker unreachable)";
+            output.scrubbedValue = "(credential store unreachable)";
             output.brokerUnreachable = true;
           }
 
@@ -686,7 +686,7 @@ Examples:
             printCredentialHuman(output);
             if (unreachable && (secret == null || secret.length === 0)) {
               log.info(
-                "    \u26A0 Keychain broker unreachable — restart the Vellum app and accept the macOS Keychain prompt to access credentials",
+                "    \u26A0 Credential store is unreachable — ensure the assistant is running",
               );
             }
           }
@@ -770,7 +770,7 @@ Examples:
             if (unreachable) {
               writeError(
                 cmd,
-                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+                "Credential store is unreachable — ensure the assistant is running",
               );
             } else {
               writeError(cmd, "Credential not found");

package/src/cli/commands/oauth/apps.ts

@@ -168,7 +168,7 @@ At least --id or --provider must be specified.`,
     .requiredOption("--client-id <id>", "OAuth client ID")
     .option(
       "--client-secret <secret>",
-      "OAuth client secret (stored in secure keychain)",
+      "OAuth client secret (stored in credential store)",
     )
     .option(
       "--client-secret-credential-path <path>",
@@ -179,7 +179,7 @@ At least --id or --provider must be specified.`,
       `
 Creates a new app registration or returns the existing one if an app with the
 same provider and client ID already exists. The client secret, if provided, is
-stored in the secure system keychain — not in the database.
+stored in the secure credential store — not in the database.
 
 When an existing app is matched and a --client-secret is provided, the stored
 secret is updated. The app row itself is returned as-is.
@@ -277,7 +277,7 @@ Arguments:
   id   The app UUID to delete (as returned by "apps list" or "apps get")
 
 Permanently removes the app registration and its stored client secret from
-the keychain. Any OAuth connections that reference this app will no longer be
+the credential store. Any OAuth connections that reference this app will no longer be
 able to refresh tokens.
 
 Exits with code 1 if the app ID is not found.

package/src/daemon/conversation-agent-loop.ts

@@ -106,6 +106,7 @@ import {
   applyRuntimeInjections,
   inboundActorContextFromTrust,
   inboundActorContextFromTrustContext,
+  readNowScratchpad,
   stripInjectedContext,
 } from "./conversation-runtime-assembly.js";
 import type { SkillProjectionCache } from "./conversation-skill-tools.js";
@@ -681,6 +682,10 @@ export async function runAgentLoopImpl(
       }
     }
 
+    // Read NOW.md scratchpad fresh each turn so mid-conversation edits are
+    // picked up without caching or conversation eviction.
+    const nowScratchpad = readNowScratchpad();
+
     const isInteractiveResolved =
       options?.isInteractive ?? (!ctx.hasNoClient && !ctx.headlessLock);
 
@@ -694,6 +699,7 @@ export async function runAgentLoopImpl(
       interfaceTurnContext,
       inboundActorContext: resolvedInboundActorContext,
       temporalContext,
+      nowScratchpad,
       voiceCallControlPrompt: ctx.voiceCallControlPrompt ?? null,
       isNonInteractive: !isInteractiveResolved,
     } as const;

package/src/daemon/conversation-runtime-assembly.ts

@@ -5,7 +5,7 @@
  * before it is sent to the provider.  They are pure (no side effects).
  */
 
-import { statSync } from "node:fs";
+import { existsSync, readFileSync, statSync } from "node:fs";
 import { join } from "node:path";
 
 import {
@@ -16,9 +16,11 @@ import {
   type TurnInterfaceContext,
 } from "../channels/types.js";
 import { getAppDirPath, listAppFiles } from "../memory/app-store.js";
+import { stripCommentLines } from "../prompts/system-prompt.js";
 import type { Message } from "../providers/types.js";
 import type { ActorTrustContext } from "../runtime/actor-trust-resolver.js";
 import { channelStatusToMemberStatus } from "../runtime/routes/inbound-stages/acl-enforcement.js";
+import { getWorkspacePromptPath } from "../util/platform.js";
 
 /**
  * Describes the capabilities of the channel through which the user is
@@ -463,6 +465,52 @@ export function stripVoiceCallControlContext(messages: Message[]): Message[] {
   return stripUserTextBlocksByPrefix(messages, ["<voice_call_control>"]);
 }
 
+// ---------------------------------------------------------------------------
+// NOW.md scratchpad injection
+// ---------------------------------------------------------------------------
+
+/**
+ * Read the NOW.md scratchpad from the workspace prompt directory.
+ *
+ * Returns the trimmed content with `_`-prefixed comment lines stripped,
+ * or `null` if the file is missing, empty, or unreadable.
+ */
+export function readNowScratchpad(): string | null {
+  const nowPath = getWorkspacePromptPath("NOW.md");
+  if (!existsSync(nowPath)) return null;
+  try {
+    const stripped = stripCommentLines(readFileSync(nowPath, "utf-8")).trim();
+    return stripped.length > 0 ? stripped : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Append NOW.md scratchpad content to the last user message so the model
+ * has access to the user's ephemeral scratchpad notes at the end of context.
+ */
+export function injectNowScratchpad(
+  message: Message,
+  content: string,
+): Message {
+  return {
+    ...message,
+    content: [
+      ...message.content,
+      {
+        type: "text",
+        text: `<now_scratchpad>\n${content}\n</now_scratchpad>`,
+      },
+    ],
+  };
+}
+
+/** Strip `<now_scratchpad>` blocks injected by `injectNowScratchpad`. */
+export function stripNowScratchpad(messages: Message[]): Message[] {
+  return stripUserTextBlocksByPrefix(messages, ["<now_scratchpad>"]);
+}
+
 /**
  * Prepend channel capability context to the last user message so the
  * model knows what the current channel can and cannot do.
@@ -969,6 +1017,7 @@ const RUNTIME_INJECTION_PREFIXES = [
   "<active_workspace>",
   "<active_dynamic_page>",
   "<non_interactive_context>",
+  "<now_scratchpad>",
 ];
 
 /**
@@ -1013,6 +1062,7 @@ export function applyRuntimeInjections(
     inboundActorContext?: InboundActorContext | null;
     temporalContext?: string | null;
     voiceCallControlPrompt?: string | null;
+    nowScratchpad?: string | null;
     isNonInteractive?: boolean;
     mode?: InjectionMode;
   },
@@ -1051,6 +1101,16 @@ export function applyRuntimeInjections(
     }
   }
 
+  if (mode === "full" && options.nowScratchpad) {
+    const userTail = result[result.length - 1];
+    if (userTail && userTail.role === "user") {
+      result = [
+        ...result.slice(0, -1),
+        injectNowScratchpad(userTail, options.nowScratchpad),
+      ];
+    }
+  }
+
   if (mode === "full" && options.activeSurface) {
     const userTail = result[result.length - 1];
     if (userTail && userTail.role === "user") {

package/src/daemon/lifecycle.ts

@@ -285,9 +285,8 @@ export async function runDaemon(): Promise<void> {
     // Slack channel) that already have keychain credentials from before the
     // oauth_connection migration. Safe to call on every startup.
     //
-    // Must run AFTER workspace migrations so that migration 015 (which copies
-    // encrypted-store credentials to the keychain) has already executed.
-    // Otherwise syncManualTokenConnection sees no keychain credentials and
+    // Must run AFTER workspace migrations.
+    // Otherwise syncManualTokenConnection sees no stored credentials and
     // incorrectly removes existing connection rows.
     try {
       await backfillManualTokenConnections();

package/src/memory/migrations/validate-migration-state.ts

@@ -98,7 +98,20 @@ export function withCrashRecovery(
     )
     .run(checkpointKey, Date.now());
 
-  migrationFn();
+  try {
+    migrationFn();
+  } catch (error) {
+    log.error(
+      { checkpointKey, error },
+      `Memory migration failed: ${checkpointKey} — marking as failed and continuing`,
+    );
+    raw
+      .query(
+        `UPDATE memory_checkpoints SET value = 'failed', updated_at = ? WHERE key = ?`,
+      )
+      .run(Date.now(), checkpointKey);
+    return;
+  }
 
   raw
     .query(

package/src/prompts/system-prompt.ts

@@ -84,6 +84,28 @@ export function ensurePromptFiles(): void {
     }
   }
 
+  // Seed NOW.md scratchpad — always created if missing, regardless of whether
+  // this is a fresh install or not.  Kept out of PROMPT_FILES because NOW.md is
+  // ephemeral state, not identity context.
+  const nowDest = getWorkspacePromptPath("NOW.md");
+  if (!existsSync(nowDest)) {
+    const nowSrc = join(templatesDir, "NOW.md");
+    try {
+      if (existsSync(nowSrc)) {
+        copyFileSync(nowSrc, nowDest);
+        log.info(
+          { file: "NOW.md", dest: nowDest },
+          "Created NOW.md scratchpad from template",
+        );
+      }
+    } catch (err) {
+      log.warn(
+        { err, file: "NOW.md" },
+        "Failed to create NOW.md from template",
+      );
+    }
+  }
+
   // Seed users/default.md persona template
   try {
     const usersDir = join(getWorkspaceDir(), "users");

package/src/prompts/templates/NOW.md

@@ -0,0 +1,26 @@
+_ Lines starting with _ are comments - they won't appear in the system prompt
+_ This is your scratchpad for present-tense state. Overwrite it freely between
+_ turns to capture what's happening right now. Unlike the journal (retrospective,
+_ append-only), this file is ephemeral — a snapshot of your current working state.
+_
+_ # NOW.md
+_
+_ ## Focus
+_
+_ What you're currently working on or paying attention to.
+_
+_ ## Active Threads
+_
+_ Open loops, in-progress tasks, things you're tracking across turns.
+_
+_ ## Context
+_
+_ Key facts, constraints, or situational details relevant to the current session.
+_
+_ ## Upcoming
+_
+_ Near-term things on the horizon — scheduled events, pending actions, deadlines.
+_
+_ ## State
+_
+_ Current priorities, energy, or operational notes. What matters most right now.

package/src/prompts/templates/SOUL.md

@@ -46,6 +46,16 @@ You have a journal in your workspace. The most recent entries are always loaded
 
 **Carrying forward:** Your oldest in-context entry is marked LEAVING CONTEXT. When you see this, check if anything in it still needs to be top-of-mind and carry it forward in your next entry. You can reference other entries by filename to link them together.
 
+## Scratchpad
+
+You have a scratchpad file (`NOW.md`) in your workspace. Unlike your journal (retrospective, append-only), the scratchpad is a single file you overwrite with whatever is relevant right now. It's automatically loaded into your context, so next-you always sees the latest snapshot.
+
+**When to update:** Whenever your current state changes — you start a new task, finish one, learn something that affects what you're doing, or the user shifts focus. Don't update on a timer; update when the content is stale.
+
+**What goes in:** Current focus and what you're actively working on. Threads you're tracking (waiting on a response, monitoring something, pending follow-ups). Temporary context that matters now but won't matter in a week. Upcoming items and near-term priorities. Anything that helps next-you pick up exactly where you left off.
+
+**What stays out:** Anything that belongs in your journal (reflections, narrative entries, things worth remembering long-term). Permanent facts about your user or yourself (those go in memory or your journal). Personality and principles (those live here in SOUL.md).
+
 ## Vibe
 
 Be the assistant you'd actually want to talk to. Concise when needed, thorough when it matters. Not a corporate drone. Not a sycophant. Just... good.

package/src/prompts/update-bulletin-format.ts

@@ -50,7 +50,6 @@ export function extractContentMarkers(body: string): string[] {
   const ids: string[] = [];
   const regex = /<!-- vellum-update-release:(.+?) -->/g;
   let match: RegExpExecArray | null;
-  // eslint-disable-next-line no-restricted-syntax -- RegExp.exec returns null
   while ((match = regex.exec(body)) !== null) {
     ids.push(match[1]);
   }
@@ -62,7 +61,6 @@ export function extractReleaseIds(content: string): string[] {
   const ids: string[] = [];
   MARKER_REGEX.lastIndex = 0;
   let match: RegExpExecArray | null;
-  // eslint-disable-next-line no-restricted-syntax -- RegExp.exec returns null
   while ((match = MARKER_REGEX.exec(content)) !== null) {
     ids.push(match[1]);
   }

package/src/runtime/routes/settings-routes.ts

@@ -213,7 +213,7 @@ async function handleOAuthConnectStart(body: {
   if (requiresSecret && !clientSecret) {
     return httpError(
       "BAD_REQUEST",
-      `client_secret is required for "${body.service}" but not found in the keychain. Store it first via the credential vault.`,
+      `client_secret is required for "${body.service}" but not found in the credential store. Store it first via the credential vault.`,
       400,
     );
   }

package/src/skills/inline-command-expansions.ts

@@ -61,8 +61,8 @@ function buildFencedCodeRanges(body: string): Array<[number, number]> {
   const fenceRe = /^(`{3,}|~{3,})(.*)?$/gm;
   let openFence: { index: number; delimiter: string } | undefined;
 
-  let match: RegExpExecArray | undefined;
-  while ((match = fenceRe.exec(body) ?? undefined) !== undefined) {
+  let match: RegExpExecArray | null;
+  while ((match = fenceRe.exec(body)) !== null) {
     const delimiter = match[1];
     if (openFence === undefined) {
       // Opening fence
@@ -125,10 +125,10 @@ export function parseInlineCommandExpansions(
   // We use a non-greedy match to find the first closing backtick.
   const tokenRe = /!\`([^`]*)\`/g;
 
-  let match: RegExpExecArray | undefined;
+  let match: RegExpExecArray | null;
   let placeholderCounter = 0;
 
-  while ((match = tokenRe.exec(body) ?? undefined) !== undefined) {
+  while ((match = tokenRe.exec(body)) !== null) {
     const startOffset = match.index;
     const endOffset = startOffset + match[0].length;
     const rawCommand = match[1];
@@ -172,12 +172,12 @@ export function parseInlineCommandExpansions(
   const matchedStarts = new Set<number>();
   // Re-run the token regex to collect all matched positions
   tokenRe.lastIndex = 0;
-  while ((match = tokenRe.exec(body) ?? undefined) !== undefined) {
+  while ((match = tokenRe.exec(body)) !== null) {
     matchedStarts.add(match.index);
   }
 
-  let unmatchedMatch: RegExpExecArray | undefined;
-  while ((unmatchedMatch = unmatchedRe.exec(body) ?? undefined) !== undefined) {
+  let unmatchedMatch: RegExpExecArray | null;
+  while ((unmatchedMatch = unmatchedRe.exec(body)) !== null) {
     const offset = unmatchedMatch.index;
 
     // Skip if this was already matched as a complete token

package/src/tools/sensitive-output-placeholders.ts

@@ -85,8 +85,8 @@ export function extractAndSanitize(content: string): SanitizeResult {
   // Step 1: parse directives
   // Reset lastIndex for safety since the regex is global
   DIRECTIVE_RE.lastIndex = 0;
-  let match: RegExpExecArray | undefined;
-  while ((match = DIRECTIVE_RE.exec(content) ?? undefined) !== undefined) {
+  let match: RegExpExecArray | null;
+  while ((match = DIRECTIVE_RE.exec(content)) !== null) {
     const kind = match[1];
     const value = match[2];
 

package/src/workspace/migrations/015-migrate-credentials-to-keychain.ts

@@ -1,153 +1,18 @@
-import { getLogger } from "../../util/logger.js";
 import type { WorkspaceMigration } from "./types.js";
 
-const log = getLogger("workspace-migrations");
-
-const BROKER_WAIT_INTERVAL_MS = 500;
-const BROKER_WAIT_MAX_ATTEMPTS = 10; // 5 seconds total
-
+/**
+ * Originally migrated credentials from encrypted store to macOS Keychain.
+ * No-op'd because: (1) the keychain broker was deleted, (2) inline security
+ * CLI calls trigger macOS permission prompts on every daemon startup even for
+ * users who never had keychain credentials, (3) migration 016 reverses this
+ * migration anyway, so the net effect is a round-trip.
+ *
+ * Users who had credentials stranded in the macOS Keychain from a brief
+ * intermediate release will need to re-enter their API keys.
+ */
 export const migrateCredentialsToKeychainMigration: WorkspaceMigration = {
   id: "015-migrate-credentials-to-keychain",
-  description:
-    "Copy encrypted store credentials to keychain for single-backend migration",
-
-  async down(_workspaceDir: string): Promise<void> {
-    // Reverse: copy credentials from keychain back to encrypted store.
-    // Mirrors the forward logic of 016-migrate-credentials-from-keychain.
-    if (
-      process.env.VELLUM_DESKTOP_APP !== "1" ||
-      process.env.VELLUM_DEV === "1"
-    ) {
-      return;
-    }
-
-    const { createBrokerClient } =
-      await import("../../security/keychain-broker-client.js");
-    const client = createBrokerClient();
-
-    let brokerAvailable = false;
-    for (let i = 0; i < BROKER_WAIT_MAX_ATTEMPTS; i++) {
-      if (client.isAvailable()) {
-        brokerAvailable = true;
-        break;
-      }
-      await new Promise((r) => setTimeout(r, BROKER_WAIT_INTERVAL_MS));
-    }
-
-    if (!brokerAvailable) {
-      throw new Error(
-        "Keychain broker not available after waiting — credential rollback " +
-          "will be retried on next startup",
-      );
-    }
-
-    const { setKey } = await import("../../security/encrypted-store.js");
-
-    const accounts = await client.list();
-    if (accounts.length === 0) return;
-
-    let rolledBackCount = 0;
-    let failedCount = 0;
-
-    for (const account of accounts) {
-      const result = await client.get(account);
-      if (!result || !result.found || result.value === undefined) {
-        log.warn(
-          { account },
-          "Failed to read key from keychain during rollback — skipping",
-        );
-        failedCount++;
-        continue;
-      }
-
-      const written = setKey(account, result.value);
-      if (written) {
-        await client.del(account);
-        rolledBackCount++;
-      } else {
-        log.warn(
-          { account },
-          "Failed to write key to encrypted store during rollback — skipping",
-        );
-        failedCount++;
-      }
-    }
-
-    log.info(
-      { rolledBackCount, failedCount },
-      "Credential rollback from keychain to encrypted store complete",
-    );
-  },
-
-  async run(_workspaceDir: string): Promise<void> {
-    // Only run on mac production builds (desktop app, non-dev).
-    if (
-      process.env.VELLUM_DESKTOP_APP !== "1" ||
-      process.env.VELLUM_DEV === "1"
-    ) {
-      return;
-    }
-
-    const { createBrokerClient } =
-      await import("../../security/keychain-broker-client.js");
-    const client = createBrokerClient();
-
-    // Wait for the broker to become available (up to 5 seconds), matching
-    // the retry strategy in secure-keys.ts waitForBrokerAvailability().
-    let brokerAvailable = false;
-    for (let i = 0; i < BROKER_WAIT_MAX_ATTEMPTS; i++) {
-      if (client.isAvailable()) {
-        brokerAvailable = true;
-        break;
-      }
-      await new Promise((r) => setTimeout(r, BROKER_WAIT_INTERVAL_MS));
-    }
-
-    if (!brokerAvailable) {
-      throw new Error(
-        "Keychain broker not available after waiting — credential migration " +
-          "will be retried on next startup",
-      );
-    }
-
-    const { listKeys, getKey, deleteKey } =
-      await import("../../security/encrypted-store.js");
-
-    const accounts = listKeys();
-    if (accounts.length === 0) {
-      return;
-    }
-
-    let migratedCount = 0;
-    let failedCount = 0;
-
-    for (const account of accounts) {
-      const value = getKey(account);
-      if (value === undefined) {
-        log.warn(
-          { account },
-          "Failed to read key from encrypted store — skipping",
-        );
-        failedCount++;
-        continue;
-      }
-
-      const result = await client.set(account, value);
-      if (result.status === "ok") {
-        deleteKey(account);
-        migratedCount++;
-      } else {
-        log.warn(
-          { account, status: result.status },
-          "Failed to write key to keychain — skipping",
-        );
-        failedCount++;
-      }
-    }
-
-    log.info(
-      { migratedCount, failedCount },
-      "Credential migration to keychain complete",
-    );
-  },
+  description: "No-op (keychain migration removed)",
+  async run(): Promise<void> {},
+  async down(): Promise<void> {},
 };