vellum 0.2.2 → 0.2.8

package/src/calls/call-domain.ts

@@ -20,6 +20,7 @@ import { getCallOrchestrator, unregisterCallOrchestrator } from './call-state.js
 import { activeRelayConnections } from './relay-server.js';
 import { TwilioConversationRelayProvider } from './twilio-provider.js';
 import { getTwilioConfig } from './twilio-config.js';
+import { buildTwilioVoiceWebhookUrl, buildTwilioStatusCallbackUrl } from './twilio-webhook-urls.js';
 import type { CallSession } from './types.js';
 
 const log = getLogger('call-domain');
@@ -102,12 +103,11 @@ export async function startCall(input: StartCallInput): Promise<StartCallResult
 
     log.info({ callSessionId: session.id, to: phoneNumber, task }, 'Initiating outbound call');
 
-    const baseUrl = config.webhookBaseUrl.replace(/\/$/, '');
     const { callSid } = await provider.initiateCall({
       from: config.phoneNumber,
       to: phoneNumber,
-      webhookUrl: `${baseUrl}/webhooks/twilio/voice?callSessionId=${session.id}`,
-      statusCallbackUrl: `${baseUrl}/webhooks/twilio/status`,
+      webhookUrl: buildTwilioVoiceWebhookUrl(config.webhookBaseUrl, session.id),
+      statusCallbackUrl: buildTwilioStatusCallbackUrl(config.webhookBaseUrl),
     });
 
     updateCallSession(session.id, { providerCallSid: callSid });

package/src/calls/twilio-config.ts

@@ -1,5 +1,8 @@
 import { getSecureKey } from '../security/secure-keys.js';
 import { getLogger } from '../util/logger.js';
+import { loadConfig } from '../config/loader.js';
+import { getWebhookBaseUrl } from './twilio-webhook-urls.js';
+import { getTwilioRelayUrl } from '../inbound/public-ingress-urls.js';
 
 const log = getLogger('twilio-config');
 
@@ -12,21 +15,34 @@ export interface TwilioConfig {
 }
 
 export function getTwilioConfig(): TwilioConfig {
-  const accountSid = getSecureKey('twilio_account_sid');
-  const authToken = getSecureKey('twilio_auth_token');
-  const phoneNumber = process.env.TWILIO_PHONE_NUMBER || getSecureKey('twilio_phone_number') || '';
-  const webhookBaseUrl = process.env.TWILIO_WEBHOOK_BASE_URL || '';
-  const wssBaseUrl = process.env.TWILIO_WSS_BASE_URL || '';
+  const accountSid = getSecureKey('credential:twilio:account_sid');
+  const authToken = getSecureKey('credential:twilio:auth_token');
+  const phoneNumber = process.env.TWILIO_PHONE_NUMBER || getSecureKey('credential:twilio:phone_number') || '';
+  const config = loadConfig();
+  const webhookBaseUrl = getWebhookBaseUrl(config);
+
+  // In gateway_only mode, ignore TWILIO_WSS_BASE_URL and always use the
+  // centralized relay URL derived from the public ingress base URL.
+  let wssBaseUrl: string;
+  if (config.ingress.mode === 'gateway_only') {
+    if (process.env.TWILIO_WSS_BASE_URL) {
+      log.warn('TWILIO_WSS_BASE_URL env var is ignored in gateway-only mode. Relay URL is derived from ingress.publicBaseUrl.');
+    }
+    try {
+      wssBaseUrl = getTwilioRelayUrl(config);
+    } catch {
+      wssBaseUrl = '';
+    }
+  } else {
+    wssBaseUrl = process.env.TWILIO_WSS_BASE_URL || '';
+  }
 
   if (!accountSid || !authToken) {
-    throw new Error('Twilio credentials not configured. Set twilio_account_sid and twilio_auth_token via the credential_store tool.');
+    throw new Error('Twilio credentials not configured. Set credential:twilio:account_sid and credential:twilio:auth_token via the credential_store tool.');
   }
   if (!phoneNumber) {
     throw new Error('TWILIO_PHONE_NUMBER not configured.');
   }
-  if (!webhookBaseUrl) {
-    throw new Error('TWILIO_WEBHOOK_BASE_URL not configured.');
-  }
 
   log.debug('Twilio config loaded successfully');
 

package/src/calls/twilio-provider.ts

@@ -17,11 +17,11 @@ export class TwilioConversationRelayProvider implements VoiceProvider {
   // ── Credential helpers ──────────────────────────────────────────────
 
   private getCredentials(): { accountSid: string; authToken: string } {
-    const accountSid = getSecureKey('twilio_account_sid');
-    const authToken = getSecureKey('twilio_auth_token');
+    const accountSid = getSecureKey('credential:twilio:account_sid');
+    const authToken = getSecureKey('credential:twilio:auth_token');
     if (!accountSid || !authToken) {
       throw new Error(
-        'Twilio credentials not configured. Set twilio_account_sid and twilio_auth_token via the credential_store tool.',
+        'Twilio credentials not configured. Set credential:twilio:account_sid and credential:twilio:auth_token via the credential_store tool.',
       );
     }
     return { accountSid, authToken };
@@ -134,7 +134,7 @@ export class TwilioConversationRelayProvider implements VoiceProvider {
    * HTTP server webhook middleware) can check availability independently.
    */
   static getAuthToken(): string | null {
-    return getSecureKey('twilio_auth_token') ?? null;
+    return getSecureKey('credential:twilio:auth_token') ?? null;
   }
 
   /**

package/src/calls/twilio-routes.ts

@@ -22,6 +22,8 @@ import type { CallStatus } from './types.js';
 import { logDeadLetterEvent } from './call-recovery.js';
 import { isTerminalState } from './call-state-machine.js';
 import { getTwilioConfig } from './twilio-config.js';
+import { loadConfig } from '../config/loader.js';
+import { getTwilioRelayUrl } from '../inbound/public-ingress-urls.js';
 
 const log = getLogger('twilio-routes');
 
@@ -125,8 +127,14 @@ export async function handleVoiceWebhook(req: Request): Promise<Response> {
     log.info({ callSessionId, callSid }, 'Stored CallSid from voice webhook');
   }
 
-  const config = getTwilioConfig();
-  const relayUrl = resolveRelayUrl(config.wssBaseUrl, config.webhookBaseUrl);
+  const twilioConfig = getTwilioConfig();
+  let relayUrl: string;
+  try {
+    relayUrl = getTwilioRelayUrl(loadConfig());
+  } catch {
+    // Fallback to legacy resolution when ingress is not configured
+    relayUrl = resolveRelayUrl(twilioConfig.wssBaseUrl, twilioConfig.webhookBaseUrl);
+  }
   const welcomeGreeting = process.env.CALL_WELCOME_GREETING ?? 'Hello, how can I help you today?';
 
   const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting);

package/src/calls/twilio-webhook-urls.ts

@@ -0,0 +1,47 @@
+/**
+ * Twilio webhook URL helpers.
+ *
+ * This module is a thin backward-compat wrapper that delegates to the
+ * centralized URL builders in inbound/public-ingress-urls.ts.
+ */
+
+import {
+  getPublicBaseUrl,
+  type IngressConfig,
+} from '../inbound/public-ingress-urls.js';
+
+/**
+ * Resolve the webhook base URL from config, falling back to the
+ * TWILIO_WEBHOOK_BASE_URL environment variable with a deprecation warning.
+ * Throws if neither source provides a value.
+ *
+ * @deprecated Use `getPublicBaseUrl` from `inbound/public-ingress-urls.ts` instead.
+ */
+export function getWebhookBaseUrl(config: { calls: { webhookBaseUrl?: string }; ingress?: { publicBaseUrl?: string } }): string {
+  return getPublicBaseUrl(config as IngressConfig);
+}
+
+/**
+ * Trim whitespace and strip trailing slash from a URL string.
+ */
+export function normalizeBaseUrl(url: string): string {
+  return url.trim().replace(/\/+$/, '');
+}
+
+/**
+ * Build the Twilio voice webhook URL for a given call session.
+ *
+ * @deprecated Use `getTwilioVoiceWebhookUrl` from `inbound/public-ingress-urls.ts` instead.
+ */
+export function buildTwilioVoiceWebhookUrl(baseUrl: string, callSessionId: string): string {
+  return `${normalizeBaseUrl(baseUrl)}/webhooks/twilio/voice?callSessionId=${callSessionId}`;
+}
+
+/**
+ * Build the Twilio status callback URL.
+ *
+ * @deprecated Use `getTwilioStatusCallbackUrl` from `inbound/public-ingress-urls.ts` instead.
+ */
+export function buildTwilioStatusCallbackUrl(baseUrl: string): string {
+  return `${normalizeBaseUrl(baseUrl)}/webhooks/twilio/status`;
+}

package/src/cli/map.ts

@@ -15,9 +15,20 @@ import {
   serialize,
   createMessageParser,
 } from '../daemon/ipc-protocol.js';
+import { parse as parseTld } from 'tldts';
 import { loadRecording } from '../tools/browser/recording-store.js';
 import { analyzeApiMap, saveApiMap, printApiMapTable } from '../tools/browser/api-map.js';
 
+/**
+ * Extract the registrable base domain from a hostname.
+ * e.g. "open.spotify.com" → "spotify.com", "connect.garmin.com" → "garmin.com"
+ * Falls back to the input if tldts can't parse it.
+ */
+function getBaseDomain(domain: string): string {
+  const result = parseTld(domain);
+  return result.domain ?? domain;
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -95,8 +106,12 @@ interface LearnResult {
   recordingPath?: string;
 }
 
-async function startLearnSession(domain: string, durationSeconds: number): Promise<LearnResult> {
-  await ensureChromeWithCDP(domain);
+async function startLearnSession(
+  navigateDomain: string,
+  recordDomain: string,
+  durationSeconds: number,
+): Promise<LearnResult> {
+  await ensureChromeWithCDP(navigateDomain);
 
   return new Promise((resolve, reject) => {
     const socketPath = getSocketPath();
@@ -123,7 +138,8 @@ async function startLearnSession(domain: string, durationSeconds: number): Promi
           durationSeconds,
           intervalSeconds: 5,
           mode: 'learn',
-          targetDomain: domain,
+          targetDomain: recordDomain,
+          navigateDomain,
           autoNavigate: true,
         } as unknown as import('../daemon/ipc-protocol.js').ClientMessage),
       );
@@ -196,11 +212,19 @@ export function registerMapCommand(program: Command): void {
       const duration = parseInt(opts.duration, 10);
 
       try {
-        // 1. Start learn session (launches Chrome + auto-navigates)
+        // Split into navigation domain (what Chrome browses) and recording domain (network filter).
+        // e.g. "open.spotify.com" → navigate open.spotify.com, record *.spotify.com
+        const navigateDomain = domain;
+        const recordDomain = getBaseDomain(domain);
+
         if (!json) {
-          console.log(`Starting API map session for ${domain} (${duration}s)...`);
+          if (navigateDomain !== recordDomain) {
+            console.log(`Starting API map session: navigating ${navigateDomain}, recording *.${recordDomain} (${duration}s)...`);
+          } else {
+            console.log(`Starting API map session for ${domain} (${duration}s)...`);
+          }
         }
-        const result = await startLearnSession(domain, duration);
+        const result = await startLearnSession(navigateDomain, recordDomain, duration);
 
         if (!result.recordingId) {
           outputError('Recording completed but no recording ID returned');

package/src/config/defaults.ts

@@ -217,6 +217,7 @@ export const DEFAULT_CONFIG: AssistantConfig = {
   calls: {
     enabled: true,
     provider: 'twilio' as const,
+    webhookBaseUrl: '',
     maxDurationSeconds: 3600,
     userConsultTimeoutSeconds: 120,
     disclosure: {
@@ -227,4 +228,8 @@ export const DEFAULT_CONFIG: AssistantConfig = {
       denyCategories: [],
     },
   },
+  ingress: {
+    publicBaseUrl: '',
+    mode: 'compat' as const,
+  },
 };

package/src/config/schema.ts

@@ -9,6 +9,7 @@ const VALID_SANDBOX_BACKENDS = ['native', 'docker'] as const;
 const VALID_DOCKER_NETWORKS = ['none', 'bridge'] as const;
 const VALID_PERMISSIONS_MODES = ['legacy', 'strict'] as const;
 const VALID_CALL_PROVIDERS = ['twilio'] as const;
+const VALID_INGRESS_MODES = ['gateway_only', 'compat'] as const;
 
 export const TimeoutConfigSchema = z.object({
   shellMaxTimeoutSec: z
@@ -780,8 +781,19 @@ export const WorkspaceGitConfigSchema = z.object({
         .int().positive().default(2000),
       backoffMaxMs: z.number({ error: 'workspaceGit.commitMessageLLM.breaker.backoffMaxMs must be a number' })
         .int().positive().default(60000),
-    }).default({}),
-  }).default({}),
+    }).default({ openAfterFailures: 3, backoffBaseMs: 2000, backoffMaxMs: 60000 }),
+  }).default({
+    enabled: false,
+    useConfiguredProvider: true,
+    providerFastModelOverrides: {},
+    timeoutMs: 600,
+    maxTokens: 120,
+    temperature: 0.2,
+    maxFilesInPrompt: 30,
+    maxDiffBytes: 12000,
+    minRemainingTurnBudgetMs: 1000,
+    breaker: { openAfterFailures: 3, backoffBaseMs: 2000, backoffMaxMs: 60000 },
+  }),
 });
 
 export const AgentHeartbeatConfigSchema = z.object({
@@ -883,6 +895,9 @@ export const CallsConfigSchema = z.object({
       error: `calls.provider must be one of: ${VALID_CALL_PROVIDERS.join(', ')}`,
     })
     .default('twilio'),
+  webhookBaseUrl: z
+    .string({ error: 'calls.webhookBaseUrl must be a string' })
+    .default(''),
   maxDurationSeconds: z
     .number({ error: 'calls.maxDurationSeconds must be a number' })
     .int('calls.maxDurationSeconds must be an integer')
@@ -911,6 +926,17 @@ export const SkillsConfigSchema = z.object({
   allowBundled: z.array(z.string()).nullable().default(null),
 });
 
+export const IngressConfigSchema = z.object({
+  publicBaseUrl: z
+    .string({ error: 'ingress.publicBaseUrl must be a string' })
+    .default(''),
+  mode: z
+    .enum(VALID_INGRESS_MODES, {
+      error: `ingress.mode must be one of: ${VALID_INGRESS_MODES.join(', ')}`,
+    })
+    .default('compat'),
+});
+
 export const AssistantConfigSchema = z.object({
   provider: z
     .enum(VALID_PROVIDERS, {
@@ -1149,6 +1175,7 @@ export const AssistantConfigSchema = z.object({
   calls: CallsConfigSchema.default({
     enabled: true,
     provider: 'twilio',
+    webhookBaseUrl: '',
     maxDurationSeconds: 3600,
     userConsultTimeoutSeconds: 120,
     disclosure: {
@@ -1159,6 +1186,10 @@ export const AssistantConfigSchema = z.object({
       denyCategories: [],
     },
   }),
+  ingress: IngressConfigSchema.default({
+    publicBaseUrl: '',
+    mode: 'compat',
+  }),
 }).superRefine((config, ctx) => {
   if (config.contextWindow.targetInputTokens >= config.contextWindow.maxInputTokens) {
     ctx.addIssue({
@@ -1219,3 +1250,4 @@ export type WorkspaceGitConfig = z.infer<typeof WorkspaceGitConfigSchema>;
 export type CallsConfig = z.infer<typeof CallsConfigSchema>;
 export type CallsDisclosureConfig = z.infer<typeof CallsDisclosureConfigSchema>;
 export type CallsSafetyConfig = z.infer<typeof CallsSafetyConfigSchema>;
+export type IngressConfig = z.infer<typeof IngressConfigSchema>;

package/src/config/system-prompt.ts

@@ -218,7 +218,7 @@ function buildTaskScheduleReminderRoutingSection(): string {
     '',
     'You can create ad-hoc work items by providing just a `title` to `task_list_add` — no existing task template is needed. A lightweight template is auto-created behind the scenes. For reusable task definitions with templates and input schemas, use `task_save` first.',
     '',
-    '**IMPORTANT:** When you call `task_list_show`, the Tasks window opens automatically on the client. Do NOT also create a separate surface/UI (via `ui_show` or `app_create`) to display the task queue. Doing so causes duplicate Task Queue windows. Just call `task_list_show` and let the native window handle the presentation.',
+    '**IMPORTANT:** When you call `task_list_show`, the Tasks window opens automatically on the client AND the tool returns the current task list. Present a brief summary of the tasks in your chat response so the user can see them inline. Do NOT also create a separate surface/UI (via `ui_show` or `app_create`) to display the task queue — that causes duplicate windows.',
     '',
     '### Schedules (schedule_create / schedule_list / schedule_update / schedule_delete)',
     'For recurring automated jobs that run on a recurrence schedule (cron or RRULE). Use ONLY when the user explicitly wants:',

package/src/config/types.ts

@@ -34,4 +34,5 @@ export type {
   CallsConfig,
   CallsDisclosureConfig,
   CallsSafetyConfig,
+  IngressConfig,
 } from './schema.js';

package/src/config/vellum-skills/telegram-setup/SKILL.md

@@ -98,8 +98,4 @@ Summarize what was done:
 - Bot commands registered: /new
 - Credentials stored securely in the vault
 
-Remind the user that the gateway needs these environment variables set to match:
-- `TELEGRAM_BOT_TOKEN` — the bot token
-- `TELEGRAM_WEBHOOK_SECRET` — the generated secret
-
-The values are stored in the credential vault and can be retrieved for gateway configuration.
+The gateway automatically detects credentials from the vault and will begin accepting Telegram webhooks shortly. No manual environment variable configuration is needed.

package/src/daemon/computer-use-session.ts

@@ -15,6 +15,7 @@ import { AgentLoop } from '../agent/loop.js';
 import { ToolExecutor } from '../tools/executor.js';
 import { PermissionPrompter } from '../permissions/prompter.js';
 import { SecretPrompter } from '../permissions/secret-prompter.js';
+import type { UserDecision } from '../permissions/types.js';
 import { allUiSurfaceTools } from '../tools/ui-surface/definitions.js';
 import { allComputerUseTools } from '../tools/computer-use/definitions.js';
 import { registerSkillTools } from '../tools/registry.js';
@@ -893,7 +894,7 @@ export class ComputerUseSession {
 
   handleConfirmationResponse(
     requestId: string,
-    decision: 'allow' | 'always_allow' | 'deny',
+    decision: UserDecision,
     selectedPattern?: string,
     selectedScope?: string,
   ): void {

package/src/daemon/handlers/config.ts

@@ -19,6 +19,8 @@ import type {
   ReminderCancel,
   ShareToSlackRequest,
   SlackWebhookConfigRequest,
+  TwilioWebhookConfigRequest,
+  IngressConfigRequest,
   VercelApiConfigRequest,
   TwitterIntegrationConfigRequest,
 } from '../ipc-protocol.js';
@@ -164,9 +166,9 @@ export function handleAddTrustRule(
 ): void {
   try {
     addRule(msg.toolName, msg.pattern, msg.scope, msg.decision);
-    log.info({ tool: msg.toolName, pattern: msg.pattern, scope: msg.scope, decision: msg.decision }, 'Trust rule added via client');
+    log.info({ toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope, decision: msg.decision }, 'Trust rule added via client');
   } catch (err) {
-    log.error({ err }, 'Failed to add trust rule');
+    log.error({ err, toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope }, 'Failed to add trust rule via client');
   }
 }
 
@@ -396,6 +398,88 @@ export function handleSlackWebhookConfig(
   }
 }
 
+export function handleTwilioWebhookConfig(
+  msg: TwilioWebhookConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const webhookBaseUrl = (raw?.calls as Record<string, unknown>)?.webhookBaseUrl as string ?? '';
+      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl, success: true });
+    } else if (msg.action === 'set') {
+      const value = (msg.webhookBaseUrl ?? '').trim().replace(/\/+$/, '');
+      const raw = loadRawConfig();
+      const calls = (raw?.calls ?? {}) as Record<string, unknown>;
+      calls.webhookBaseUrl = value || undefined;
+      const wasSuppressed = ctx.suppressConfigReload;
+      ctx.setSuppressConfigReload(true);
+      try {
+        saveRawConfig({ ...raw, calls });
+      } catch (err) {
+        ctx.setSuppressConfigReload(wasSuppressed);
+        throw err;
+      }
+      const existingSuppressTimer = ctx.debounceTimers.get('__suppress_reset__');
+      if (existingSuppressTimer) clearTimeout(existingSuppressTimer);
+      const resetTimer = setTimeout(() => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+      ctx.debounceTimers.set('__suppress_reset__', resetTimer);
+      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: value, success: true });
+    } else {
+      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: '', success: false, error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}` });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: '', success: false, error: message });
+  }
+}
+
+export function handleIngressConfig(
+  msg: IngressConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      const publicBaseUrl = (ingress.publicBaseUrl as string) ?? '';
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl, success: true });
+    } else if (msg.action === 'set') {
+      const value = (msg.publicBaseUrl ?? '').trim().replace(/\/+$/, '');
+      const raw = loadRawConfig();
+
+      // Update ingress.publicBaseUrl
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      ingress.publicBaseUrl = value || undefined;
+
+      // Also update calls.webhookBaseUrl for backward compat
+      const calls = (raw?.calls ?? {}) as Record<string, unknown>;
+      calls.webhookBaseUrl = value || undefined;
+
+      const wasSuppressed = ctx.suppressConfigReload;
+      ctx.setSuppressConfigReload(true);
+      try {
+        saveRawConfig({ ...raw, ingress, calls });
+      } catch (err) {
+        ctx.setSuppressConfigReload(wasSuppressed);
+        throw err;
+      }
+      const existingSuppressTimer = ctx.debounceTimers.get('__suppress_reset__');
+      if (existingSuppressTimer) clearTimeout(existingSuppressTimer);
+      const resetTimer = setTimeout(() => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+      ctx.debounceTimers.set('__suppress_reset__', resetTimer);
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: value, success: true });
+    } else {
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: '', success: false, error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}` });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: '', success: false, error: message });
+  }
+}
+
 export function handleVercelApiConfig(
   msg: VercelApiConfigRequest,
   socket: net.Socket,
@@ -503,6 +587,7 @@ export function handleTwitterIntegrationConfig(
         });
         return;
       }
+      const previousClientId = getSecureKey('credential:integration:twitter:oauth_client_id');
       const storedId = setSecureKey('credential:integration:twitter:oauth_client_id', msg.clientId);
       if (!storedId) {
         ctx.send(socket, {
@@ -518,8 +603,12 @@ export function handleTwitterIntegrationConfig(
       if (msg.clientSecret) {
         const storedSecret = setSecureKey('credential:integration:twitter:oauth_client_secret', msg.clientSecret);
         if (!storedSecret) {
-          // Roll back the already-persisted client ID to avoid inconsistent OAuth state
-          deleteSecureKey('credential:integration:twitter:oauth_client_id');
+          // Roll back the client ID to its previous value to avoid inconsistent OAuth state
+          if (previousClientId) {
+            setSecureKey('credential:integration:twitter:oauth_client_id', previousClientId);
+          } else {
+            deleteSecureKey('credential:integration:twitter:oauth_client_id');
+          }
           ctx.send(socket, {
             type: 'twitter_integration_config_response',
             success: false,
@@ -616,6 +705,8 @@ export const configHandlers = defineHandlers({
   reminder_cancel: handleReminderCancel,
   share_to_slack: handleShareToSlack,
   slack_webhook_config: handleSlackWebhookConfig,
+  twilio_webhook_config: handleTwilioWebhookConfig,
+  ingress_config: handleIngressConfig,
   vercel_api_config: handleVercelApiConfig,
   twitter_integration_config: handleTwitterIntegrationConfig,
   env_vars_request: (_msg, socket, ctx) => handleEnvVarsRequest(socket, ctx),

package/src/daemon/handlers/sessions.ts

@@ -145,7 +145,7 @@ export function handleConfirmationResponse(
       ctx.touchSession(sessionId);
       session.handleConfirmationResponse(
         msg.requestId,
-        msg.decision as 'allow' | 'always_allow' | 'deny',
+        msg.decision,
         msg.selectedPattern,
         msg.selectedScope,
       );
@@ -158,7 +158,7 @@ export function handleConfirmationResponse(
     if (cuSession.hasPendingConfirmation(msg.requestId)) {
       cuSession.handleConfirmationResponse(
         msg.requestId,
-        msg.decision as 'allow' | 'always_allow' | 'deny',
+        msg.decision,
         msg.selectedPattern,
         msg.selectedScope,
       );

package/src/daemon/handlers/work-items.ts

@@ -426,8 +426,8 @@ export async function handleWorkItemRunTask(
   // Execute task asynchronously — lazily create a session inside the callback
   // using the conversationId provided by runTask, so the session references
   // the conversation that was actually inserted into the database.
+  let session: Awaited<ReturnType<typeof ctx.getOrCreateSession>> | null = null;
   try {
-    let session: Awaited<ReturnType<typeof ctx.getOrCreateSession>> | null = null;
     const result = await runTask(
       { taskId: workItem.taskId, workingDir: process.cwd(), approvedTools },
       async (conversationId, message, taskRunId) => {

package/src/daemon/ipc-contract-inventory.json

@@ -32,6 +32,7 @@
     "HistoryRequest",
     "HomeBaseGetRequest",
     "ImageGenModelSetRequest",
+    "IngressConfigRequest",
     "IntegrationConnectRequest",
     "IntegrationDisconnectRequest",
     "IntegrationListRequest",
@@ -80,6 +81,7 @@
     "SuggestionRequest",
     "TaskSubmit",
     "TrustRulesList",
+    "TwilioWebhookConfigRequest",
     "TwitterAuthStartRequest",
     "TwitterAuthStatusRequest",
     "TwitterIntegrationConfigRequest",
@@ -141,6 +143,7 @@
     "GetSigningIdentityRequest",
     "HistoryResponse",
     "HomeBaseGetResponse",
+    "IngressConfigResponse",
     "IntegrationConnectResult",
     "IntegrationListResponse",
     "IpcBlobProbeResult",
@@ -191,6 +194,7 @@
     "ToolUseStart",
     "TraceEvent",
     "TrustRulesListResponse",
+    "TwilioWebhookConfigResponse",
     "TwitterAuthResult",
     "TwitterAuthStatusResponse",
     "TwitterIntegrationConfigResponse",
@@ -253,6 +257,7 @@
     "history_request",
     "home_base_get",
     "image_gen_model_set",
+    "ingress_config",
     "integration_connect",
     "integration_disconnect",
     "integration_list",
@@ -301,6 +306,7 @@
     "suggestion_request",
     "task_submit",
     "trust_rules_list",
+    "twilio_webhook_config",
     "twitter_auth_start",
     "twitter_auth_status",
     "twitter_integration_config",
@@ -362,6 +368,7 @@
     "get_signing_identity",
     "history_response",
     "home_base_get_response",
+    "ingress_config_response",
     "integration_connect_result",
     "integration_list_response",
     "ipc_blob_probe_result",
@@ -412,6 +419,7 @@
     "tool_use_start",
     "trace_event",
     "trust_rules_list_response",
+    "twilio_webhook_config_response",
     "twitter_auth_result",
     "twitter_auth_status_response",
     "twitter_integration_config_response",