vellum 0.2.2 → 0.2.7

package/src/__tests__/session-conflict-gate.test.ts

@@ -39,8 +39,18 @@ let resolverResult: {
 
 const persistedMessages: Array<{ id: string; role: string; content: string; createdAt: number }> = [];
 
+function makeMockLogger(): Record<string, unknown> {
+  const logger: Record<string, unknown> = {};
+  logger.child = () => logger;
+  logger.debug = () => {};
+  logger.info = () => {};
+  logger.warn = () => {};
+  logger.error = () => {};
+  return logger;
+}
+
 mock.module('../util/logger.js', () => ({
-  getLogger: () => new Proxy({} as Record<string, unknown>, { get: () => () => {} }),
+  getLogger: () => makeMockLogger(),
 }));
 
 mock.module('../util/platform.js', () => ({
@@ -305,7 +315,7 @@ describe('Session conflict soft gate', () => {
     await session.processMessage('Should I use React or Vue here?', [], (event) => events.push(event));
 
     expect(runCalls).toHaveLength(0);
-    expect(resolverCallCount).toBe(1);
+    expect(resolverCallCount).toBe(0);
     expect(markAskedCalls).toEqual(['conflict-relevant']);
     const clarificationEvent = events.find((event) => event.type === 'assistant_text_delta');
     expect(clarificationEvent).toBeDefined();
@@ -315,7 +325,7 @@ describe('Session conflict soft gate', () => {
     expect(events.some((event) => event.type === 'message_complete')).toBe(true);
   });
 
-  test('irrelevant unresolved conflict asks once and continues with normal answer flow', async () => {
+  test('irrelevant unresolved conflict does not inject side-question into normal answer flow', async () => {
     pendingConflicts = [{
       id: 'conflict-irrelevant',
       scopeId: 'default',
@@ -332,13 +342,6 @@ describe('Session conflict soft gate', () => {
       existingStatement: 'Use Postgres as the default database.',
       candidateStatement: 'Use MySQL as the default database.',
     }];
-    resolverResult = {
-      resolution: 'keep_existing',
-      strategy: 'heuristic',
-      resolvedStatement: null,
-      explanation: 'Resolved by accident.',
-    };
-
     const session = makeSession();
     await session.loadFromDb();
 
@@ -349,10 +352,10 @@ describe('Session conflict soft gate', () => {
     const injectedUser = runCalls[0][runCalls[0].length - 1];
     expect(injectedUser.role).toBe('user');
     const injectedText = extractText(injectedUser);
-    expect(injectedText).toContain('Memory clarification request');
-    expect(injectedText).toContain('Should I assume Postgres or MySQL?');
+    expect(injectedText).not.toContain('Memory clarification request');
+    expect(injectedText).not.toContain('Should I assume Postgres or MySQL?');
     expect(resolverCallCount).toBe(0);
-    expect(markAskedCalls).toEqual(['conflict-irrelevant']);
+    expect(markAskedCalls).toEqual([]);
     expect(events.some((event) => event.type === 'message_complete')).toBe(true);
   });
 
@@ -379,7 +382,7 @@ describe('Session conflict soft gate', () => {
 
     // First turn asks the clarification and records it as asked.
     await session.processMessage('Should I assume Postgres or MySQL?', [], () => {});
-    expect(resolverCallCount).toBe(1);
+    expect(resolverCallCount).toBe(0);
     expect(markAskedCalls).toEqual(['conflict-followup']);
 
     resolverResult = {
@@ -392,7 +395,7 @@ describe('Session conflict soft gate', () => {
     // Follow-up reply does not overlap statement tokens but should still resolve.
     await session.processMessage('Keep the new one.', [], () => {});
 
-    expect(resolverCallCount).toBe(2);
+    expect(resolverCallCount).toBe(1);
     expect(markAskedCalls).toEqual(['conflict-followup']);
     expect(runCalls).toHaveLength(1);
   });
@@ -420,7 +423,7 @@ describe('Session conflict soft gate', () => {
 
     // First turn asks the clarification.
     await session.processMessage('Should I assume Postgres or MySQL?', [], () => {});
-    expect(resolverCallCount).toBe(1);
+    expect(resolverCallCount).toBe(0);
     expect(markAskedCalls).toEqual(['conflict-concise']);
 
     resolverResult = {
@@ -433,7 +436,7 @@ describe('Session conflict soft gate', () => {
     // Short directional reply with no action verb should still resolve.
     await session.processMessage('both', [], () => {});
 
-    expect(resolverCallCount).toBe(2);
+    expect(resolverCallCount).toBe(1);
     expect(runCalls).toHaveLength(1);
   });
 
@@ -460,7 +463,7 @@ describe('Session conflict soft gate', () => {
 
     // First turn: relevant question triggers clarification ask.
     await session.processMessage('Should I assume Postgres or MySQL?', [], () => {});
-    expect(resolverCallCount).toBe(1);
+    expect(resolverCallCount).toBe(0);
     expect(markAskedCalls).toEqual(['conflict-unrelated']);
 
     // Second turn: unrelated question containing the cue word "new" should NOT
@@ -473,8 +476,8 @@ describe('Session conflict soft gate', () => {
     };
     await session.processMessage("What's new in Bun?", [], () => {});
 
-    // The resolver should NOT have been called again for this unrelated question.
-    expect(resolverCallCount).toBe(1);
+    // The resolver should NOT have been called for this unrelated question.
+    expect(resolverCallCount).toBe(0);
     // Normal agent loop should still run.
     expect(runCalls).toHaveLength(1);
   });
@@ -502,7 +505,7 @@ describe('Session conflict soft gate', () => {
 
     // First turn: triggers clarification ask.
     await session.processMessage('Should I assume Postgres or MySQL?', [], () => {});
-    expect(resolverCallCount).toBe(1);
+    expect(resolverCallCount).toBe(0);
     expect(markAskedCalls).toEqual(['conflict-unrelated-no-qmark']);
 
     resolverResult = {
@@ -516,11 +519,11 @@ describe('Session conflict soft gate', () => {
     // Should NOT resolve the conflict.
     await session.processMessage('I started a new project today', [], () => {});
 
-    expect(resolverCallCount).toBe(1);
+    expect(resolverCallCount).toBe(0);
     expect(runCalls).toHaveLength(1);
   });
 
-  test('cooldown prevents repeated asks on subsequent turns', async () => {
+  test('irrelevant conflicts remain silent across subsequent turns', async () => {
     pendingConflicts = [{
       id: 'conflict-cooldown',
       scopeId: 'default',
@@ -547,9 +550,9 @@ describe('Session conflict soft gate', () => {
     expect(runCalls).toHaveLength(2);
     const firstUserText = extractText(runCalls[0][runCalls[0].length - 1]);
     const secondUserText = extractText(runCalls[1][runCalls[1].length - 1]);
-    expect(firstUserText).toContain('Memory clarification request');
+    expect(firstUserText).not.toContain('Memory clarification request');
     expect(secondUserText).not.toContain('Memory clarification request');
-    expect(markAskedCalls).toEqual(['conflict-cooldown']);
+    expect(markAskedCalls).toEqual([]);
   });
 
   test('passes session scopeId through to conflict store queries', async () => {

package/src/calls/__tests__/twilio-webhook-urls.test.ts

@@ -0,0 +1,162 @@
+import { describe, test, expect, beforeEach, afterEach, mock } from 'bun:test';
+
+// ---------------------------------------------------------------------------
+// Mocks — silence logger output during tests
+// ---------------------------------------------------------------------------
+
+function makeLoggerStub(): Record<string, unknown> {
+  const stub: Record<string, unknown> = {};
+  for (const m of ['info', 'warn', 'error', 'debug', 'trace', 'fatal', 'silent', 'child']) {
+    stub[m] = m === 'child' ? () => makeLoggerStub() : () => {};
+  }
+  return stub;
+}
+
+mock.module('../../util/logger.js', () => ({
+  getLogger: () => makeLoggerStub(),
+}));
+
+import {
+  normalizeBaseUrl,
+  buildTwilioVoiceWebhookUrl,
+  buildTwilioStatusCallbackUrl,
+  getWebhookBaseUrl,
+} from '../twilio-webhook-urls.js';
+
+// ---------------------------------------------------------------------------
+// normalizeBaseUrl
+// ---------------------------------------------------------------------------
+
+describe('normalizeBaseUrl', () => {
+  test('returns already-clean URL unchanged', () => {
+    expect(normalizeBaseUrl('https://example.com')).toBe('https://example.com');
+  });
+
+  test('strips trailing slash', () => {
+    expect(normalizeBaseUrl('https://example.com/')).toBe('https://example.com');
+  });
+
+  test('strips multiple trailing slashes', () => {
+    expect(normalizeBaseUrl('https://example.com///')).toBe('https://example.com');
+  });
+
+  test('trims leading and trailing whitespace', () => {
+    expect(normalizeBaseUrl('  https://example.com  ')).toBe('https://example.com');
+  });
+
+  test('trims whitespace and strips trailing slash together', () => {
+    expect(normalizeBaseUrl('  https://example.com/  ')).toBe('https://example.com');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// buildTwilioVoiceWebhookUrl
+// ---------------------------------------------------------------------------
+
+describe('buildTwilioVoiceWebhookUrl', () => {
+  test('returns correct URL with callSessionId', () => {
+    const url = buildTwilioVoiceWebhookUrl('https://example.com', 'session-123');
+    expect(url).toBe('https://example.com/webhooks/twilio/voice?callSessionId=session-123');
+  });
+
+  test('normalizes base URL before composing', () => {
+    const url = buildTwilioVoiceWebhookUrl('https://example.com/', 'abc');
+    expect(url).toBe('https://example.com/webhooks/twilio/voice?callSessionId=abc');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// buildTwilioStatusCallbackUrl
+// ---------------------------------------------------------------------------
+
+describe('buildTwilioStatusCallbackUrl', () => {
+  test('returns correct URL', () => {
+    const url = buildTwilioStatusCallbackUrl('https://example.com');
+    expect(url).toBe('https://example.com/webhooks/twilio/status');
+  });
+
+  test('normalizes base URL before composing', () => {
+    const url = buildTwilioStatusCallbackUrl('https://example.com/');
+    expect(url).toBe('https://example.com/webhooks/twilio/status');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// getWebhookBaseUrl
+// ---------------------------------------------------------------------------
+
+describe('getWebhookBaseUrl', () => {
+  let savedEnv: string | undefined;
+
+  beforeEach(() => {
+    savedEnv = process.env.TWILIO_WEBHOOK_BASE_URL;
+    delete process.env.TWILIO_WEBHOOK_BASE_URL;
+  });
+
+  afterEach(() => {
+    if (savedEnv !== undefined) {
+      process.env.TWILIO_WEBHOOK_BASE_URL = savedEnv;
+    } else {
+      delete process.env.TWILIO_WEBHOOK_BASE_URL;
+    }
+  });
+
+  test('uses config value when set', () => {
+    const result = getWebhookBaseUrl({ calls: { webhookBaseUrl: 'https://config.example.com/' } });
+    expect(result).toBe('https://config.example.com');
+  });
+
+  test('falls back to env var when config value is empty', () => {
+    process.env.TWILIO_WEBHOOK_BASE_URL = 'https://env.example.com/';
+    const result = getWebhookBaseUrl({ calls: { webhookBaseUrl: '' } });
+    expect(result).toBe('https://env.example.com');
+  });
+
+  test('falls back to env var when config value is undefined', () => {
+    process.env.TWILIO_WEBHOOK_BASE_URL = 'https://env.example.com';
+    const result = getWebhookBaseUrl({ calls: {} });
+    expect(result).toBe('https://env.example.com');
+  });
+
+  test('throws when neither config nor env var is set', () => {
+    expect(() => getWebhookBaseUrl({ calls: { webhookBaseUrl: '' } })).toThrow(
+      /No webhook base URL configured/,
+    );
+  });
+
+  test('throws when config is undefined and env var is unset', () => {
+    expect(() => getWebhookBaseUrl({ calls: {} })).toThrow(
+      /No webhook base URL configured/,
+    );
+  });
+
+  test('normalizes the returned URL', () => {
+    const result = getWebhookBaseUrl({ calls: { webhookBaseUrl: '  https://example.com/  ' } });
+    expect(result).toBe('https://example.com');
+  });
+
+  test('falls through when config value is whitespace-only', () => {
+    process.env.TWILIO_WEBHOOK_BASE_URL = 'https://env.example.com';
+    const result = getWebhookBaseUrl({ calls: { webhookBaseUrl: '   ' } });
+    expect(result).toBe('https://env.example.com');
+  });
+
+  test('falls through when config value is slash-only', () => {
+    process.env.TWILIO_WEBHOOK_BASE_URL = 'https://env.example.com';
+    const result = getWebhookBaseUrl({ calls: { webhookBaseUrl: '///' } });
+    expect(result).toBe('https://env.example.com');
+  });
+
+  test('throws when config is whitespace-only and env var is unset', () => {
+    expect(() => getWebhookBaseUrl({ calls: { webhookBaseUrl: '   ' } })).toThrow(
+      /No webhook base URL configured/,
+    );
+  });
+
+  test('throws when env var is whitespace-only and config is empty', () => {
+    process.env.TWILIO_WEBHOOK_BASE_URL = '   ';
+    expect(() => getWebhookBaseUrl({ calls: {} })).toThrow(
+      /No webhook base URL configured/,
+    );
+  });
+});

package/src/calls/call-domain.ts

@@ -20,6 +20,7 @@ import { getCallOrchestrator, unregisterCallOrchestrator } from './call-state.js
 import { activeRelayConnections } from './relay-server.js';
 import { TwilioConversationRelayProvider } from './twilio-provider.js';
 import { getTwilioConfig } from './twilio-config.js';
+import { buildTwilioVoiceWebhookUrl, buildTwilioStatusCallbackUrl } from './twilio-webhook-urls.js';
 import type { CallSession } from './types.js';
 
 const log = getLogger('call-domain');
@@ -102,12 +103,11 @@ export async function startCall(input: StartCallInput): Promise<StartCallResult
 
     log.info({ callSessionId: session.id, to: phoneNumber, task }, 'Initiating outbound call');
 
-    const baseUrl = config.webhookBaseUrl.replace(/\/$/, '');
     const { callSid } = await provider.initiateCall({
       from: config.phoneNumber,
       to: phoneNumber,
-      webhookUrl: `${baseUrl}/webhooks/twilio/voice?callSessionId=${session.id}`,
-      statusCallbackUrl: `${baseUrl}/webhooks/twilio/status`,
+      webhookUrl: buildTwilioVoiceWebhookUrl(config.webhookBaseUrl, session.id),
+      statusCallbackUrl: buildTwilioStatusCallbackUrl(config.webhookBaseUrl),
     });
 
     updateCallSession(session.id, { providerCallSid: callSid });

package/src/calls/twilio-config.ts

@@ -1,5 +1,7 @@
 import { getSecureKey } from '../security/secure-keys.js';
 import { getLogger } from '../util/logger.js';
+import { loadConfig } from '../config/loader.js';
+import { getWebhookBaseUrl } from './twilio-webhook-urls.js';
 
 const log = getLogger('twilio-config');
 
@@ -12,21 +14,19 @@ export interface TwilioConfig {
 }
 
 export function getTwilioConfig(): TwilioConfig {
-  const accountSid = getSecureKey('twilio_account_sid');
-  const authToken = getSecureKey('twilio_auth_token');
-  const phoneNumber = process.env.TWILIO_PHONE_NUMBER || getSecureKey('twilio_phone_number') || '';
-  const webhookBaseUrl = process.env.TWILIO_WEBHOOK_BASE_URL || '';
+  const accountSid = getSecureKey('credential:twilio:account_sid');
+  const authToken = getSecureKey('credential:twilio:auth_token');
+  const phoneNumber = process.env.TWILIO_PHONE_NUMBER || getSecureKey('credential:twilio:phone_number') || '';
+  const config = loadConfig();
+  const webhookBaseUrl = getWebhookBaseUrl(config);
   const wssBaseUrl = process.env.TWILIO_WSS_BASE_URL || '';
 
   if (!accountSid || !authToken) {
-    throw new Error('Twilio credentials not configured. Set twilio_account_sid and twilio_auth_token via the credential_store tool.');
+    throw new Error('Twilio credentials not configured. Set credential:twilio:account_sid and credential:twilio:auth_token via the credential_store tool.');
   }
   if (!phoneNumber) {
     throw new Error('TWILIO_PHONE_NUMBER not configured.');
   }
-  if (!webhookBaseUrl) {
-    throw new Error('TWILIO_WEBHOOK_BASE_URL not configured.');
-  }
 
   log.debug('Twilio config loaded successfully');
 

package/src/calls/twilio-provider.ts

@@ -17,11 +17,11 @@ export class TwilioConversationRelayProvider implements VoiceProvider {
   // ── Credential helpers ──────────────────────────────────────────────
 
   private getCredentials(): { accountSid: string; authToken: string } {
-    const accountSid = getSecureKey('twilio_account_sid');
-    const authToken = getSecureKey('twilio_auth_token');
+    const accountSid = getSecureKey('credential:twilio:account_sid');
+    const authToken = getSecureKey('credential:twilio:auth_token');
     if (!accountSid || !authToken) {
       throw new Error(
-        'Twilio credentials not configured. Set twilio_account_sid and twilio_auth_token via the credential_store tool.',
+        'Twilio credentials not configured. Set credential:twilio:account_sid and credential:twilio:auth_token via the credential_store tool.',
       );
     }
     return { accountSid, authToken };
@@ -134,7 +134,7 @@ export class TwilioConversationRelayProvider implements VoiceProvider {
    * HTTP server webhook middleware) can check availability independently.
    */
   static getAuthToken(): string | null {
-    return getSecureKey('twilio_auth_token') ?? null;
+    return getSecureKey('credential:twilio:auth_token') ?? null;
   }
 
   /**

package/src/calls/twilio-webhook-urls.ts

@@ -0,0 +1,50 @@
+import { getLogger } from '../util/logger.js';
+
+const log = getLogger('twilio-webhook-urls');
+
+/**
+ * Resolve the webhook base URL from config, falling back to the
+ * TWILIO_WEBHOOK_BASE_URL environment variable with a deprecation warning.
+ * Throws if neither source provides a value.
+ */
+export function getWebhookBaseUrl(config: { calls: { webhookBaseUrl?: string } }): string {
+  const configValue = config.calls.webhookBaseUrl;
+  if (configValue) {
+    const normalized = normalizeBaseUrl(configValue);
+    if (normalized) return normalized;
+  }
+
+  const envValue = process.env.TWILIO_WEBHOOK_BASE_URL;
+  if (envValue) {
+    log.warn(
+      'TWILIO_WEBHOOK_BASE_URL env var is deprecated — set calls.webhookBaseUrl in config instead.',
+    );
+    const normalized = normalizeBaseUrl(envValue);
+    if (normalized) return normalized;
+  }
+
+  throw new Error(
+    'No webhook base URL configured. Set calls.webhookBaseUrl in config or TWILIO_WEBHOOK_BASE_URL env var.',
+  );
+}
+
+/**
+ * Trim whitespace and strip trailing slash from a URL string.
+ */
+export function normalizeBaseUrl(url: string): string {
+  return url.trim().replace(/\/+$/, '');
+}
+
+/**
+ * Build the Twilio voice webhook URL for a given call session.
+ */
+export function buildTwilioVoiceWebhookUrl(baseUrl: string, callSessionId: string): string {
+  return `${normalizeBaseUrl(baseUrl)}/webhooks/twilio/voice?callSessionId=${callSessionId}`;
+}
+
+/**
+ * Build the Twilio status callback URL.
+ */
+export function buildTwilioStatusCallbackUrl(baseUrl: string): string {
+  return `${normalizeBaseUrl(baseUrl)}/webhooks/twilio/status`;
+}

package/src/cli/map.ts

@@ -15,9 +15,20 @@ import {
   serialize,
   createMessageParser,
 } from '../daemon/ipc-protocol.js';
+import { parse as parseTld } from 'tldts';
 import { loadRecording } from '../tools/browser/recording-store.js';
 import { analyzeApiMap, saveApiMap, printApiMapTable } from '../tools/browser/api-map.js';
 
+/**
+ * Extract the registrable base domain from a hostname.
+ * e.g. "open.spotify.com" → "spotify.com", "connect.garmin.com" → "garmin.com"
+ * Falls back to the input if tldts can't parse it.
+ */
+function getBaseDomain(domain: string): string {
+  const result = parseTld(domain);
+  return result.domain ?? domain;
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -95,8 +106,12 @@ interface LearnResult {
   recordingPath?: string;
 }
 
-async function startLearnSession(domain: string, durationSeconds: number): Promise<LearnResult> {
-  await ensureChromeWithCDP(domain);
+async function startLearnSession(
+  navigateDomain: string,
+  recordDomain: string,
+  durationSeconds: number,
+): Promise<LearnResult> {
+  await ensureChromeWithCDP(navigateDomain);
 
   return new Promise((resolve, reject) => {
     const socketPath = getSocketPath();
@@ -123,7 +138,8 @@ async function startLearnSession(domain: string, durationSeconds: number): Promi
           durationSeconds,
           intervalSeconds: 5,
           mode: 'learn',
-          targetDomain: domain,
+          targetDomain: recordDomain,
+          navigateDomain,
           autoNavigate: true,
         } as unknown as import('../daemon/ipc-protocol.js').ClientMessage),
       );
@@ -196,11 +212,19 @@ export function registerMapCommand(program: Command): void {
       const duration = parseInt(opts.duration, 10);
 
       try {
-        // 1. Start learn session (launches Chrome + auto-navigates)
+        // Split into navigation domain (what Chrome browses) and recording domain (network filter).
+        // e.g. "open.spotify.com" → navigate open.spotify.com, record *.spotify.com
+        const navigateDomain = domain;
+        const recordDomain = getBaseDomain(domain);
+
         if (!json) {
-          console.log(`Starting API map session for ${domain} (${duration}s)...`);
+          if (navigateDomain !== recordDomain) {
+            console.log(`Starting API map session: navigating ${navigateDomain}, recording *.${recordDomain} (${duration}s)...`);
+          } else {
+            console.log(`Starting API map session for ${domain} (${duration}s)...`);
+          }
         }
-        const result = await startLearnSession(domain, duration);
+        const result = await startLearnSession(navigateDomain, recordDomain, duration);
 
         if (!result.recordingId) {
           outputError('Recording completed but no recording ID returned');

package/src/config/defaults.ts

@@ -217,6 +217,7 @@ export const DEFAULT_CONFIG: AssistantConfig = {
   calls: {
     enabled: true,
     provider: 'twilio' as const,
+    webhookBaseUrl: '',
     maxDurationSeconds: 3600,
     userConsultTimeoutSeconds: 120,
     disclosure: {

package/src/config/schema.ts

@@ -883,6 +883,9 @@ export const CallsConfigSchema = z.object({
       error: `calls.provider must be one of: ${VALID_CALL_PROVIDERS.join(', ')}`,
     })
     .default('twilio'),
+  webhookBaseUrl: z
+    .string({ error: 'calls.webhookBaseUrl must be a string' })
+    .default(''),
   maxDurationSeconds: z
     .number({ error: 'calls.maxDurationSeconds must be a number' })
     .int('calls.maxDurationSeconds must be an integer')
@@ -1149,6 +1152,7 @@ export const AssistantConfigSchema = z.object({
   calls: CallsConfigSchema.default({
     enabled: true,
     provider: 'twilio',
+    webhookBaseUrl: '',
     maxDurationSeconds: 3600,
     userConsultTimeoutSeconds: 120,
     disclosure: {

package/src/config/vellum-skills/telegram-setup/SKILL.md

@@ -98,8 +98,4 @@ Summarize what was done:
 - Bot commands registered: /new
 - Credentials stored securely in the vault
 
-Remind the user that the gateway needs these environment variables set to match:
-- `TELEGRAM_BOT_TOKEN` — the bot token
-- `TELEGRAM_WEBHOOK_SECRET` — the generated secret
-
-The values are stored in the credential vault and can be retrieved for gateway configuration.
+The gateway automatically detects credentials from the vault and will begin accepting Telegram webhooks shortly. No manual environment variable configuration is needed.

package/src/daemon/handlers/config.ts

@@ -19,6 +19,7 @@ import type {
   ReminderCancel,
   ShareToSlackRequest,
   SlackWebhookConfigRequest,
+  TwilioWebhookConfigRequest,
   VercelApiConfigRequest,
   TwitterIntegrationConfigRequest,
 } from '../ipc-protocol.js';
@@ -396,6 +397,41 @@ export function handleSlackWebhookConfig(
   }
 }
 
+export function handleTwilioWebhookConfig(
+  msg: TwilioWebhookConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const webhookBaseUrl = (raw?.calls as Record<string, unknown>)?.webhookBaseUrl as string ?? '';
+      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl, success: true });
+    } else if (msg.action === 'set') {
+      const value = (msg.webhookBaseUrl ?? '').trim().replace(/\/+$/, '');
+      const raw = loadRawConfig();
+      const calls = (raw?.calls ?? {}) as Record<string, unknown>;
+      calls.webhookBaseUrl = value || undefined;
+      const wasSuppressed = ctx.suppressConfigReload;
+      ctx.setSuppressConfigReload(true);
+      try {
+        saveRawConfig({ ...raw, calls });
+      } catch (err) {
+        ctx.setSuppressConfigReload(wasSuppressed);
+        throw err;
+      }
+      const existingSuppressTimer = ctx.debounceTimers.get('__suppress_reset__');
+      if (existingSuppressTimer) clearTimeout(existingSuppressTimer);
+      const resetTimer = setTimeout(() => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+      ctx.debounceTimers.set('__suppress_reset__', resetTimer);
+      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: value, success: true });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: '', success: false, error: message });
+  }
+}
+
 export function handleVercelApiConfig(
   msg: VercelApiConfigRequest,
   socket: net.Socket,
@@ -503,6 +539,7 @@ export function handleTwitterIntegrationConfig(
         });
         return;
       }
+      const previousClientId = getSecureKey('credential:integration:twitter:oauth_client_id');
       const storedId = setSecureKey('credential:integration:twitter:oauth_client_id', msg.clientId);
       if (!storedId) {
         ctx.send(socket, {
@@ -518,8 +555,12 @@ export function handleTwitterIntegrationConfig(
       if (msg.clientSecret) {
         const storedSecret = setSecureKey('credential:integration:twitter:oauth_client_secret', msg.clientSecret);
         if (!storedSecret) {
-          // Roll back the already-persisted client ID to avoid inconsistent OAuth state
-          deleteSecureKey('credential:integration:twitter:oauth_client_id');
+          // Roll back the client ID to its previous value to avoid inconsistent OAuth state
+          if (previousClientId) {
+            setSecureKey('credential:integration:twitter:oauth_client_id', previousClientId);
+          } else {
+            deleteSecureKey('credential:integration:twitter:oauth_client_id');
+          }
           ctx.send(socket, {
             type: 'twitter_integration_config_response',
             success: false,
@@ -616,6 +657,7 @@ export const configHandlers = defineHandlers({
   reminder_cancel: handleReminderCancel,
   share_to_slack: handleShareToSlack,
   slack_webhook_config: handleSlackWebhookConfig,
+  twilio_webhook_config: handleTwilioWebhookConfig,
   vercel_api_config: handleVercelApiConfig,
   twitter_integration_config: handleTwitterIntegrationConfig,
   env_vars_request: (_msg, socket, ctx) => handleEnvVarsRequest(socket, ctx),

package/src/daemon/ipc-contract-inventory.json

@@ -80,6 +80,7 @@
     "SuggestionRequest",
     "TaskSubmit",
     "TrustRulesList",
+    "TwilioWebhookConfigRequest",
     "TwitterAuthStartRequest",
     "TwitterAuthStatusRequest",
     "TwitterIntegrationConfigRequest",
@@ -191,6 +192,7 @@
     "ToolUseStart",
     "TraceEvent",
     "TrustRulesListResponse",
+    "TwilioWebhookConfigResponse",
     "TwitterAuthResult",
     "TwitterAuthStatusResponse",
     "TwitterIntegrationConfigResponse",
@@ -301,6 +303,7 @@
     "suggestion_request",
     "task_submit",
     "trust_rules_list",
+    "twilio_webhook_config",
     "twitter_auth_start",
     "twitter_auth_status",
     "twitter_integration_config",
@@ -412,6 +415,7 @@
     "tool_use_start",
     "trace_event",
     "trust_rules_list_response",
+    "twilio_webhook_config_response",
     "twitter_auth_result",
     "twitter_auth_status_response",
     "twitter_integration_config_response",