@vellumai/assistant 0.5.9 → 0.5.11

package/src/memory/memory-recall-log-store.ts

@@ -0,0 +1,128 @@
+import { and, eq, inArray, isNull } from "drizzle-orm";
+import { v4 as uuid } from "uuid";
+
+import { getDb } from "./db.js";
+import { memoryRecallLogs } from "./schema.js";
+
+export interface RecordMemoryRecallLogParams {
+  conversationId: string;
+  enabled: boolean;
+  degraded: boolean;
+  provider?: string;
+  model?: string;
+  degradationJson?: unknown;
+  semanticHits: number;
+  mergedCount: number;
+  selectedCount: number;
+  tier1Count: number;
+  tier2Count: number;
+  hybridSearchLatencyMs: number;
+  sparseVectorUsed: boolean;
+  injectedTokens: number;
+  latencyMs: number;
+  topCandidatesJson: unknown;
+  injectedText?: string;
+  reason?: string;
+}
+
+export function recordMemoryRecallLog(params: RecordMemoryRecallLogParams): void {
+  const db = getDb();
+  db.insert(memoryRecallLogs)
+    .values({
+      id: uuid(),
+      conversationId: params.conversationId,
+      messageId: null,
+      enabled: params.enabled ? 1 : 0,
+      degraded: params.degraded ? 1 : 0,
+      provider: params.provider ?? null,
+      model: params.model ?? null,
+      degradationJson: params.degradationJson
+        ? JSON.stringify(params.degradationJson)
+        : null,
+      semanticHits: params.semanticHits,
+      mergedCount: params.mergedCount,
+      selectedCount: params.selectedCount,
+      tier1Count: params.tier1Count,
+      tier2Count: params.tier2Count,
+      hybridSearchLatencyMs: params.hybridSearchLatencyMs,
+      sparseVectorUsed: params.sparseVectorUsed ? 1 : 0,
+      injectedTokens: params.injectedTokens,
+      latencyMs: params.latencyMs,
+      topCandidatesJson: JSON.stringify(params.topCandidatesJson),
+      injectedText: params.injectedText ?? null,
+      reason: params.reason ?? null,
+      createdAt: Date.now(),
+    })
+    .run();
+}
+
+export function backfillMemoryRecallLogMessageId(
+  conversationId: string,
+  messageId: string,
+): void {
+  const db = getDb();
+  db.update(memoryRecallLogs)
+    .set({ messageId })
+    .where(
+      and(
+        eq(memoryRecallLogs.conversationId, conversationId),
+        isNull(memoryRecallLogs.messageId),
+      ),
+    )
+    .run();
+}
+
+export interface MemoryRecallLog {
+  enabled: boolean;
+  degraded: boolean;
+  provider: string | null;
+  model: string | null;
+  degradation: unknown | null;
+  semanticHits: number;
+  mergedCount: number;
+  selectedCount: number;
+  tier1Count: number;
+  tier2Count: number;
+  hybridSearchLatencyMs: number;
+  sparseVectorUsed: boolean;
+  injectedTokens: number;
+  latencyMs: number;
+  topCandidates: unknown;
+  injectedText: string | null;
+  reason: string | null;
+}
+
+export function getMemoryRecallLogByMessageIds(
+  messageIds: string[],
+): MemoryRecallLog | null {
+  if (messageIds.length === 0) return null;
+  const db = getDb();
+  const rows = db
+    .select()
+    .from(memoryRecallLogs)
+    .where(inArray(memoryRecallLogs.messageId, messageIds))
+    .all();
+  if (rows.length === 0) return null;
+  const row = rows[0]!;
+  return {
+    enabled: !!row.enabled,
+    degraded: !!row.degraded,
+    provider: row.provider,
+    model: row.model,
+    degradation: row.degradationJson
+      ? JSON.parse(row.degradationJson)
+      : null,
+    semanticHits: row.semanticHits,
+    mergedCount: row.mergedCount,
+    selectedCount: row.selectedCount,
+    tier1Count: row.tier1Count,
+    tier2Count: row.tier2Count,
+    hybridSearchLatencyMs: row.hybridSearchLatencyMs,
+    sparseVectorUsed: !!row.sparseVectorUsed,
+    injectedTokens: row.injectedTokens,
+    latencyMs: row.latencyMs,
+    topCandidates: JSON.parse(row.topCandidatesJson),
+    injectedText: row.injectedText,
+    reason: row.reason,
+  };
+}

package/src/memory/migrations/194-memory-recall-logs.ts

@@ -0,0 +1,50 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+import { withCrashRecovery } from "./validate-migration-state.js";
+
+const CHECKPOINT_KEY = "migration_create_memory_recall_logs_v1";
+
+/**
+ * Create the memory_recall_logs table for the inspector memory tab.
+ */
+export function migrateCreateMemoryRecallLogs(database: DrizzleDb): void {
+  withCrashRecovery(database, CHECKPOINT_KEY, () => {
+    const raw = getSqliteFrom(database);
+
+    raw.exec(/*sql*/ `
+      CREATE TABLE IF NOT EXISTS memory_recall_logs (
+        id TEXT PRIMARY KEY,
+        conversation_id TEXT NOT NULL,
+        message_id TEXT,
+        enabled INTEGER NOT NULL,
+        degraded INTEGER NOT NULL,
+        provider TEXT,
+        model TEXT,
+        degradation_json TEXT,
+        semantic_hits INTEGER NOT NULL,
+        merged_count INTEGER NOT NULL,
+        selected_count INTEGER NOT NULL,
+        tier1_count INTEGER NOT NULL,
+        tier2_count INTEGER NOT NULL,
+        hybrid_search_latency_ms INTEGER NOT NULL,
+        sparse_vector_used INTEGER NOT NULL,
+        injected_tokens INTEGER NOT NULL,
+        latency_ms INTEGER NOT NULL,
+        top_candidates_json TEXT NOT NULL,
+        injected_text TEXT,
+        reason TEXT,
+        created_at INTEGER NOT NULL
+      )
+    `);
+
+    raw.exec(/*sql*/ `
+      CREATE INDEX IF NOT EXISTS idx_memory_recall_logs_message_id
+      ON memory_recall_logs (message_id)
+    `);
+
+    raw.exec(/*sql*/ `
+      CREATE INDEX IF NOT EXISTS idx_memory_recall_logs_conversation_id
+      ON memory_recall_logs (conversation_id)
+    `);
+  });
+}

package/src/memory/migrations/195-oauth-providers-ping-config.ts

@@ -0,0 +1,23 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+
+export function migrateOAuthProvidersPingConfig(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+  try {
+    raw.exec(/*sql*/ `ALTER TABLE oauth_providers ADD COLUMN ping_method TEXT`);
+  } catch {
+    // Column already exists — nothing to do.
+  }
+  try {
+    raw.exec(
+      /*sql*/ `ALTER TABLE oauth_providers ADD COLUMN ping_headers TEXT`,
+    );
+  } catch {
+    // Column already exists — nothing to do.
+  }
+  try {
+    raw.exec(/*sql*/ `ALTER TABLE oauth_providers ADD COLUMN ping_body TEXT`);
+  } catch {
+    // Column already exists — nothing to do.
+  }
+}

package/src/memory/migrations/index.ts

@@ -132,6 +132,8 @@ export { migrateCallSessionSkipDisclosure } from "./190-call-session-skip-disclo
 export { migrateBackfillAudioAttachmentMimeTypes } from "./191-backfill-audio-attachment-mime-types.js";
 export { migrateContactsUserFileColumn } from "./192-contacts-user-file-column.js";
 export { migrateAddSourceTypeColumns } from "./193-add-source-type-columns.js";
+export { migrateCreateMemoryRecallLogs } from "./194-memory-recall-logs.js";
+export { migrateOAuthProvidersPingConfig } from "./195-oauth-providers-ping-config.js";
 export {
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,

package/src/memory/migrations/validate-migration-state.ts

@@ -98,7 +98,20 @@ export function withCrashRecovery(
     )
     .run(checkpointKey, Date.now());
 
-  migrationFn();
+  try {
+    migrationFn();
+  } catch (error) {
+    log.error(
+      { checkpointKey, error },
+      `Memory migration failed: ${checkpointKey} — marking as failed and continuing`,
+    );
+    raw
+      .query(
+        `UPDATE memory_checkpoints SET value = 'failed', updated_at = ? WHERE key = ?`,
+      )
+      .run(Date.now(), checkpointKey);
+    return;
+  }
 
   raw
     .query(

package/src/memory/retriever.test.ts

@@ -331,8 +331,7 @@ describe("Memory Retriever Pipeline", () => {
     expect(result.enabled).toBe(true);
     expect(result.degraded).toBe(false);
     expect(result.degradation).toBeUndefined();
-    // With mock Qdrant returning empty results and recency-only candidates
-    // scoring below tier thresholds, no candidates are selected.
+    // With Qdrant mocked empty, no candidates are found.
     // The pipeline still completes successfully with tier metadata.
     expect(result.tier1Count).toBeDefined();
     expect(result.tier2Count).toBeDefined();
@@ -345,7 +344,7 @@ describe("Memory Retriever Pipeline", () => {
   // Current-conversation segment filtering
   // -----------------------------------------------------------------------
 
-  test("current-conversation segments are filtered from recency results", async () => {
+  test("current-conversation segments are filtered from search results", async () => {
     const db = getDb();
     const now = Date.now();
     const activeConv = "conv-active";
@@ -613,7 +612,7 @@ describe("Memory Retriever Pipeline", () => {
 
     insertConversation(db, convId, now - MS_PER_DAY * 200);
 
-    // Create a message from 200 days ago to serve as recency source
+    // Create a message from 200 days ago (staleness test anchor)
     insertMessage(
       db,
       "msg-old",
@@ -679,7 +678,7 @@ describe("Memory Retriever Pipeline", () => {
   // Degradation: Qdrant circuit breaker open
   // -----------------------------------------------------------------------
 
-  test("Qdrant unavailable: pipeline completes with recency fallback", async () => {
+  test("Qdrant unavailable: pipeline completes with empty results", async () => {
     seedMemory();
 
     // Force the Qdrant circuit breaker open

package/src/memory/schema/infrastructure.ts

@@ -121,6 +121,37 @@ export const llmRequestLogs = sqliteTable(
   (table) => [index("idx_llm_request_logs_message_id").on(table.messageId)],
 );
 
+export const memoryRecallLogs = sqliteTable(
+  "memory_recall_logs",
+  {
+    id: text("id").primaryKey(),
+    conversationId: text("conversation_id").notNull(),
+    messageId: text("message_id"),
+    enabled: integer("enabled").notNull(),
+    degraded: integer("degraded").notNull(),
+    provider: text("provider"),
+    model: text("model"),
+    degradationJson: text("degradation_json"),
+    semanticHits: integer("semantic_hits").notNull(),
+    mergedCount: integer("merged_count").notNull(),
+    selectedCount: integer("selected_count").notNull(),
+    tier1Count: integer("tier1_count").notNull(),
+    tier2Count: integer("tier2_count").notNull(),
+    hybridSearchLatencyMs: integer("hybrid_search_latency_ms").notNull(),
+    sparseVectorUsed: integer("sparse_vector_used").notNull(),
+    injectedTokens: integer("injected_tokens").notNull(),
+    latencyMs: integer("latency_ms").notNull(),
+    topCandidatesJson: text("top_candidates_json").notNull(),
+    injectedText: text("injected_text"),
+    reason: text("reason"),
+    createdAt: integer("created_at").notNull(),
+  },
+  (table) => [
+    index("idx_memory_recall_logs_message_id").on(table.messageId),
+    index("idx_memory_recall_logs_conversation_id").on(table.conversationId),
+  ],
+);
+
 export const llmUsageEvents = sqliteTable(
   "llm_usage_events",
   {

package/src/memory/schema/oauth.ts

@@ -18,6 +18,9 @@ export const oauthProviders = sqliteTable("oauth_providers", {
   extraParams: text("extra_params"),
   callbackTransport: text("callback_transport"),
   pingUrl: text("ping_url"),
+  pingMethod: text("ping_method"),
+  pingHeaders: text("ping_headers"),
+  pingBody: text("ping_body"),
   managedServiceConfigKey: text("managed_service_config_key"),
   displayName: text("display_name"),
   description: text("description"),

package/src/messaging/providers/telegram-bot/adapter.ts

@@ -56,7 +56,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
 
   /**
    * Custom connectivity check using both the oauth_connection record AND
-   * actual keychain credentials. The connection row alone can become stale
+   * actual stored credentials. The connection row alone can become stale
    * if clearTelegramConfig() returns early on a secure-key deletion error
    * without removing the row. Checking both ensures we don't report
    * Telegram as connected when secrets are missing.

package/src/oauth/connect-orchestrator.ts

@@ -120,6 +120,16 @@ export async function orchestrateOAuthConnect(
   options: OAuthConnectOptions,
 ): Promise<OAuthConnectResult> {
   const resolvedService = resolveService(options.service);
+  log.info(
+    {
+      rawService: options.service,
+      resolvedService,
+      isInteractive: options.isInteractive,
+      hasOpenUrl: !!options.openUrl,
+      hasSendToClient: !!options.sendToClient,
+    },
+    "orchestrateOAuthConnect: starting",
+  );
 
   // Read provider config from the DB
   const providerRow = getProvider(resolvedService);
@@ -199,6 +209,20 @@ export async function orchestrateOAuthConnect(
     };
   }
 
+  log.info(
+    {
+      service: resolvedService,
+      authUrl,
+      tokenUrl,
+      scopeCount: finalScopes.length,
+      callbackTransport,
+      loopbackPort,
+      hasClientSecret: !!options.clientSecret,
+      clientIdPrefix: options.clientId.substring(0, 12) + "…",
+    },
+    "orchestrateOAuthConnect: resolved provider config",
+  );
+
   const oauthConfig = {
     authUrl,
     tokenUrl,
@@ -331,19 +355,31 @@ export async function orchestrateOAuthConnect(
   // -----------------------------------------------------------------------
   // Interactive path — open browser, block until completion
   // -----------------------------------------------------------------------
+  log.info(
+    { service: resolvedService, callbackTransport, loopbackPort },
+    "orchestrateOAuthConnect: entering interactive path",
+  );
   try {
     const { tokens, grantedScopes, rawTokenResponse } = await startOAuth2Flow(
       oauthConfig,
       {
         openUrl: (url) => {
+          log.info(
+            { service: resolvedService, urlLength: url.length },
+            "orchestrateOAuthConnect: openUrl callback fired, delivering auth URL to client",
+          );
           if (options.openUrl) {
+            log.info("orchestrateOAuthConnect: using options.openUrl");
             options.openUrl(url);
           } else if (options.sendToClient) {
+            log.info("orchestrateOAuthConnect: using sendToClient with open_url event");
             options.sendToClient({
               type: "open_url",
               url,
               title: `Connect ${resolvedService}`,
             });
+          } else {
+            log.warn("orchestrateOAuthConnect: no openUrl or sendToClient available — auth URL will not reach the user");
           }
         },
       },
@@ -354,6 +390,11 @@ export async function orchestrateOAuthConnect(
           : undefined,
     );
 
+    log.info(
+      { service: resolvedService, grantedScopeCount: grantedScopes.length },
+      "orchestrateOAuthConnect: interactive flow completed, exchanged code for tokens",
+    );
+
     // Parse account identifier from the provider's identity endpoint.
     // Best-effort — format varies by provider and may fail.
     let parsedAccountIdentifier: string | undefined;
@@ -362,6 +403,10 @@ export async function orchestrateOAuthConnect(
         parsedAccountIdentifier = await behavior.identityVerifier(
           tokens.accessToken,
         );
+        log.info(
+          { service: resolvedService, parsedAccountIdentifier },
+          "orchestrateOAuthConnect: identity verified",
+        );
       } catch {
         // Non-fatal
       }
@@ -375,6 +420,11 @@ export async function orchestrateOAuthConnect(
       parsedAccountIdentifier,
     });
 
+    log.info(
+      { service: resolvedService, accountInfo },
+      "orchestrateOAuthConnect: tokens stored, connect complete",
+    );
+
     return {
       success: true,
       deferred: false,
@@ -384,6 +434,10 @@ export async function orchestrateOAuthConnect(
   } catch (err: unknown) {
     const message =
       err instanceof Error ? err.message : "Unknown error during OAuth flow";
+    log.error(
+      { service: resolvedService, err },
+      "orchestrateOAuthConnect: interactive flow failed",
+    );
     return {
       success: false,
       error: `Error connecting "${resolvedService}": ${message}`,

package/src/oauth/manual-token-connection.ts

@@ -2,9 +2,9 @@
  * Helpers for managing oauth_connection records for non-OAuth (manual-token)
  * providers like slack_channel and telegram.
  *
- * These providers store credentials via the keychain (setSecureKeyAsync) but
- * also maintain an oauth_connection row so that getConnectionByProvider() can
- * be used as the single source of truth for connection status across the
+ * These providers store credentials via the credential store (setSecureKeyAsync)
+ * but also maintain an oauth_connection row so that getConnectionByProvider()
+ * can be used as the single source of truth for connection status across the
  * codebase.
  */
 
@@ -57,7 +57,7 @@ export async function ensureManualTokenConnection(
  * Remove the oauth_connection row for a manual-token provider.
  *
  * Note: This only removes the oauth_connection row. The caller is still
- * responsible for deleting the keychain credentials separately.
+ * responsible for deleting the stored credentials separately.
  */
 export function removeManualTokenConnection(providerKey: string): void {
   const conn = getConnectionByProvider(providerKey);
@@ -114,7 +114,7 @@ export async function syncManualTokenConnection(
 
 /**
  * Backfill oauth_connection rows for manual-token providers that already
- * have valid keychain credentials but are missing connection records.
+ * have valid stored credentials but are missing connection records.
  *
  * This handles the upgrade path from installations that stored credentials
  * before the oauth_connection migration. Without this, existing Telegram

package/src/oauth/oauth-store.ts

@@ -45,11 +45,12 @@ export type OAuthConnectionRow = typeof oauthConnections.$inferSelect;
  * Seed well-known provider profiles into the database. Uses INSERT … ON
  * CONFLICT DO UPDATE so that implementation fields (authUrl, tokenUrl,
  * tokenEndpointAuthMethod, userinfoUrl, extraParams, callbackTransport,
- * pingUrl, managedServiceConfigKey) and display metadata (displayName,
- * description, dashboardUrl, clientIdPlaceholder, requiresClientSecret)
- * propagate to existing installations on every startup, while
- * user-customizable fields (defaultScopes, scopePolicy, baseUrl) are
- * only written on the initial insert.
+ * pingUrl, pingMethod, pingHeaders, pingBody, managedServiceConfigKey)
+ * and display metadata (displayName, description, dashboardUrl,
+ * clientIdPlaceholder, requiresClientSecret) propagate to existing
+ * installations on every startup, while user-customizable fields
+ * (defaultScopes, scopePolicy, baseUrl) are only written on the
+ * initial insert.
  */
 export function seedProviders(
   profiles: Array<{
@@ -59,6 +60,9 @@ export function seedProviders(
     tokenEndpointAuthMethod?: string;
     userinfoUrl?: string;
     pingUrl?: string;
+    pingMethod?: string;
+    pingHeaders?: Record<string, string>;
+    pingBody?: unknown;
     baseUrl?: string;
     defaultScopes: string[];
     scopePolicy: Record<string, unknown>;
@@ -80,6 +84,10 @@ export function seedProviders(
     const tokenEndpointAuthMethod = p.tokenEndpointAuthMethod ?? null;
     const userinfoUrl = p.userinfoUrl ?? null;
     const pingUrl = p.pingUrl ?? null;
+    const pingMethod = p.pingMethod ?? null;
+    const pingHeaders = p.pingHeaders ? JSON.stringify(p.pingHeaders) : null;
+    const pingBody =
+      p.pingBody !== undefined ? JSON.stringify(p.pingBody) : null;
     const baseUrl = p.baseUrl ?? null;
     const defaultScopes = JSON.stringify(p.defaultScopes);
     const scopePolicy = JSON.stringify(p.scopePolicy);
@@ -105,6 +113,9 @@ export function seedProviders(
         extraParams,
         callbackTransport,
         pingUrl,
+        pingMethod,
+        pingHeaders,
+        pingBody,
         managedServiceConfigKey,
         displayName,
         description,
@@ -124,6 +135,9 @@ export function seedProviders(
           extraParams,
           callbackTransport,
           pingUrl,
+          pingMethod,
+          pingHeaders,
+          pingBody,
           managedServiceConfigKey,
           displayName,
           description,
@@ -164,6 +178,9 @@ export function registerProvider(params: {
   tokenEndpointAuthMethod?: string;
   userinfoUrl?: string;
   pingUrl?: string;
+  pingMethod?: string;
+  pingHeaders?: Record<string, string>;
+  pingBody?: unknown;
   baseUrl?: string;
   defaultScopes: string[];
   scopePolicy: Record<string, unknown>;
@@ -196,6 +213,10 @@ export function registerProvider(params: {
     extraParams: params.extraParams ? JSON.stringify(params.extraParams) : null,
     callbackTransport: params.callbackTransport ?? null,
     pingUrl: params.pingUrl ?? null,
+    pingMethod: params.pingMethod ?? null,
+    pingHeaders: params.pingHeaders ? JSON.stringify(params.pingHeaders) : null,
+    pingBody:
+      params.pingBody !== undefined ? JSON.stringify(params.pingBody) : null,
     managedServiceConfigKey: params.managedServiceConfigKey ?? null,
     displayName: params.displayName ?? null,
     description: params.description ?? null,

package/src/oauth/seed-providers.ts

@@ -6,7 +6,8 @@ import { seedProviders } from "./oauth-store.js";
  * These values are upserted into the `oauth_providers` SQLite table on
  * every startup. Only Vellum implementation fields (authUrl, tokenUrl,
  * tokenEndpointAuthMethod, userinfoUrl, extraParams, callbackTransport,
- * pingUrl, managedServiceConfigKey) and display metadata (displayName,
+ * pingUrl, pingMethod, pingHeaders, pingBody, managedServiceConfigKey)
+ * and display metadata (displayName,
  * description, dashboardUrl, clientIdPlaceholder, requiresClientSecret)
  * are overwritten on subsequent startups — user-customizable
  * fields (defaultScopes, scopePolicy, baseUrl) are only
@@ -25,6 +26,9 @@ const PROVIDER_SEED_DATA: Record<
     tokenEndpointAuthMethod?: string;
     userinfoUrl?: string;
     pingUrl?: string;
+    pingMethod?: string;
+    pingHeaders?: Record<string, string>;
+    pingBody?: unknown;
     baseUrl?: string;
     defaultScopes: string[];
     scopePolicy: {
@@ -117,6 +121,7 @@ const PROVIDER_SEED_DATA: Record<
     authUrl: "https://api.notion.com/v1/oauth/authorize",
     tokenUrl: "https://api.notion.com/v1/oauth/token",
     pingUrl: "https://api.notion.com/v1/users/me",
+    pingHeaders: { "Notion-Version": "2022-06-28" },
     baseUrl: "https://api.notion.com",
     displayName: "Notion",
     description: "Pages and databases",
@@ -187,6 +192,9 @@ const PROVIDER_SEED_DATA: Record<
     authUrl: "https://linear.app/oauth/authorize",
     tokenUrl: "https://api.linear.app/oauth/token",
     pingUrl: "https://api.linear.app/graphql",
+    pingMethod: "POST",
+    pingHeaders: { "Content-Type": "application/json" },
+    pingBody: { query: "{ viewer { id name email } }" },
     baseUrl: "https://api.linear.app",
     displayName: "Linear",
     description: "Issues and projects",
@@ -280,6 +288,7 @@ const PROVIDER_SEED_DATA: Record<
     authUrl: "https://www.dropbox.com/oauth2/authorize",
     tokenUrl: "https://api.dropboxapi.com/oauth2/token",
     pingUrl: "https://api.dropboxapi.com/2/users/get_current_account",
+    pingMethod: "POST",
     baseUrl: "https://api.dropboxapi.com/2",
     displayName: "Dropbox",
     description: "Files and folders",

package/src/permissions/checker.ts

@@ -444,7 +444,7 @@ async function buildCommandCandidates(
       // through to the permissive skill_load:* allow rule.
       const config = getConfig();
       const inlineEnabled = isAssistantFeatureFlagEnabled(
-        "feature_flags.inline-skill-commands.enabled",
+        "inline-skill-commands",
         config,
       );
 
@@ -1107,7 +1107,7 @@ function skillLoadAllowlistStrategy(
     // Check whether this is a dynamic (inline-command) skill load
     const config = getConfig();
     const inlineEnabled = isAssistantFeatureFlagEnabled(
-      "feature_flags.inline-skill-commands.enabled",
+      "inline-skill-commands",
       config,
     );
 

package/src/permissions/trust-client.ts

@@ -13,7 +13,7 @@
 import type { TrustRule } from "@vellumai/ces-contracts";
 
 import { getGatewayInternalBaseUrl } from "../config/env.js";
-import { mintDaemonDeliveryToken } from "../runtime/auth/token-service.js";
+import { mintEdgeRelayToken } from "../runtime/auth/token-service.js";
 import { getLogger } from "../util/logger.js";
 
 const log = getLogger("trust-client");
@@ -35,7 +35,7 @@ export interface AcceptStarterBundleResult {
 
 function authHeaders(): Record<string, string> {
   return {
-    Authorization: `Bearer ${mintDaemonDeliveryToken()}`,
+    Authorization: `Bearer ${mintEdgeRelayToken()}`,
     "Content-Type": "application/json",
   };
 }

package/src/platform/client.ts

@@ -30,7 +30,7 @@ export class VellumPlatformClient {
    *
    * First tries the in-memory managed proxy context (available when the daemon
    * has rehydrated env overrides). Falls back to reading platform credentials
-   * directly from the secure keychain so that standalone CLI invocations work
+   * directly from the credential store so that standalone CLI invocations work
    * without the daemon having run its rehydration step.
    *
    * Returns `null` when auth prerequisites are missing (not logged in, no API
@@ -44,7 +44,7 @@ export class VellumPlatformClient {
     let apiKey = ctx.enabled ? ctx.assistantApiKey : "";
     let assistantId = getPlatformAssistantId();
 
-    // Fall back to keychain for values not yet rehydrated (standalone CLI).
+    // Fall back to credential store for values not yet rehydrated (standalone CLI).
     if (!baseUrl) {
       baseUrl =
         (await getSecureKeyAsync(

package/src/prompts/journal-context.ts

@@ -88,7 +88,9 @@ export function buildJournalContext(
         const filepath = join(journalDir, f);
         const stat = statSync(filepath);
         if (!stat.isFile()) return [];
-        return [{ filename: f, filepath, birthtimeMs: stat.birthtimeMs }];
+        // Fall back to mtimeMs when birthtimeMs is unavailable (returns 0 on Linux ext4, NFS, Docker overlayfs)
+        const birthtimeMs = stat.birthtimeMs > 0 ? stat.birthtimeMs : stat.mtimeMs;
+        return [{ filename: f, filepath, birthtimeMs }];
       } catch {
         return [];
       }
@@ -129,5 +131,8 @@ export function buildJournalContext(
     sections.push(header + "\n" + content);
   }
 
+  // If all readFileSync calls failed, sections only contains the header — return null
+  if (sections.length === 1) return null;
+
   return sections.join("\n\n");
 }