@vellumai/vellum-gateway 0.4.41 → 0.4.43

package/.env.example

@@ -4,9 +4,6 @@ TELEGRAM_BOT_TOKEN=
 # Required: Secret token for verifying Telegram webhook requests
 TELEGRAM_WEBHOOK_SECRET=
 
-# Optional: Override Telegram API base URL (default: https://api.telegram.org)
-# TELEGRAM_API_BASE_URL=https://api.telegram.org
-
 # Required: Base URL of the assistant runtime HTTP server
 ASSISTANT_RUNTIME_BASE_URL=http://localhost:7821
 
@@ -43,9 +40,6 @@ ASSISTANT_RUNTIME_BASE_URL=http://localhost:7821
 # Optional: Initial backoff between retries in milliseconds (default: 500)
 # GATEWAY_RUNTIME_INITIAL_BACKOFF_MS=500
 
-# Optional: Timeout for Telegram API/download calls in milliseconds (default: 15000)
-# GATEWAY_TELEGRAM_TIMEOUT_MS=15000
-
 # Optional: Max inbound webhook payload size in bytes (default: 1048576 = 1 MB)
 # GATEWAY_MAX_WEBHOOK_PAYLOAD_BYTES=1048576
 
@@ -57,20 +51,17 @@ ASSISTANT_RUNTIME_BASE_URL=http://localhost:7821
 
 # Optional: Canonical public base URL where the gateway is reachable externally.
 # Used by the assistant runtime to construct webhook and OAuth callback URLs.
-# Required for Twilio SMS webhook signature validation when behind a tunnel.
+# Required for Twilio webhook signature validation when behind a tunnel.
 # Set this to your tunnel's public URL during local development.
 # INGRESS_PUBLIC_BASE_URL=https://your-public-domain.com
 
-# --- SMS (Twilio) ---
+# --- Twilio ---
 
-# Optional: Twilio Account SID for outbound SMS via the Messages API
+# Optional: Twilio Account SID for voice calls via the API
 # TWILIO_ACCOUNT_SID=
 
-# Optional: Twilio Auth Token for webhook signature validation and outbound SMS
+# Optional: Twilio Auth Token for webhook signature validation
 # TWILIO_AUTH_TOKEN=
 
-# Optional: Twilio phone number (E.164) used as the From number for outbound SMS
+# Optional: Twilio phone number (E.164) used as the From number for voice calls
 # TWILIO_PHONE_NUMBER=
-
-# Optional: Dev-only bypass for bearer auth on /deliver/sms (default: false)
-# GATEWAY_SMS_DELIVER_AUTH_BYPASS=false

package/AGENTS.md

@@ -19,18 +19,17 @@ All assistant API requests from clients, CLI, skills, and user-facing tooling **
 **Exception boundary:** The gateway service itself may call the runtime internally. Tests may use direct runtime URLs for isolated unit/integration scenarios. Intentional local daemon-control paths are exempt:
 
 - `clients/shared/IPC/DaemonClient.swift`
-- `clients/macos/vellum-assistant/App/AppDelegate.swift` (`localHttpEnabled`)
 - `clients/macos/vellum-assistant/Features/Settings/SettingsConnectTab.swift` (health probe)
 
 **Migration rule:** If a needed endpoint is not available at the gateway, add a gateway route/proxy first, then consume it. Do not work around a missing gateway endpoint by hitting the runtime directly.
 
 **Ban on hardcoded runtime hosts/ports:** Do not embed `localhost:7821`, `127.0.0.1:7821`, or runtime-port-derived URLs in docs, skills, or user-facing guidance. Always reference gateway URLs instead. A CI guard test (`gateway-only-guard.test.ts`) enforces this — any new direct runtime URL reference in production code or skills will fail CI.
 
-**SKILL.md retrieval contract:** For config/status retrieval in bundled skills, use `bash` + canonical CLI surfaces. Start with `assistant config get` for generic config keys and secure credential surfaces (`credential_store`, `assistant keys`) for secrets. Use domain read commands (for example `assistant integrations ...`, `assistant email status ...`) where those domain surfaces exist. Do not use direct gateway `curl` (or manual `Authorization: Bearer $GATEWAY_AUTH_TOKEN`) for read-only retrieval paths. Do not use keychain lookup commands (`security find-generic-password`, `secret-tool`) in SKILL.md. `host_bash` is not allowed for Vellum CLI retrieval commands unless a documented exception is intentionally allowlisted.
+**SKILL.md retrieval contract:** For config/status retrieval in bundled skills, use `bash` + canonical CLI surfaces. Start with `assistant config get` for generic config keys and secure credential surfaces (`credential_store`, `assistant keys`) for secrets. Do not use direct gateway `curl` for read-only retrieval paths. Do not use keychain lookup commands (`security find-generic-password`, `secret-tool`) in SKILL.md. `host_bash` is not allowed for Vellum CLI retrieval commands unless a documented exception is intentionally allowlisted.
 
 **SKILL.md proxied outbound pattern:** For outbound third-party API calls from skills that require stored credentials, default to `bash` with `network_mode: "proxied"` and `credential_ids` instead of manual token/keychain plumbing. This keeps credentials out of chat and enforces credential policies consistently.
 
-**SKILL.md gateway URL pattern:** For gateway control-plane writes/actions that are not exposed through a CLI read command, use `$INTERNAL_GATEWAY_BASE_URL` (injected by `bash` and `host_bash`). `$GATEWAY_BASE_URL` is also injected and resolves to the configured public ingress URL when set (falling back to the internal gateway target). Do not hardcode `localhost`/ports in skill examples, and do not instruct users/agents to manually export either variable from Settings.
+**SKILL.md gateway URL pattern:** For gateway control-plane writes/actions that are not exposed through a CLI read command, use `$INTERNAL_GATEWAY_BASE_URL` (injected by `bash` and `host_bash`). Do not hardcode `localhost`/ports in skill examples, and do not instruct users/agents to manually export the variable from Settings. For public ingress URLs (e.g. OAuth redirect URIs, webhook registration), use `assistant config get ingress.publicBaseUrl` or load the `public-ingress` skill — do not inject public URLs as environment variables.
 
 ### Channel Identity Vocabulary