May 28, 2026
Vault backups that never get deleted
A vault recovery rework that survives corruption by never throwing away a key, plus three reliability fixes that stop the agent loop from spinning on empty results.
Yesterday a vault re-init orphaned every encrypted credential a user had stored — silent, total, irreversible. Today was about making sure that never happens again, and closing a few smaller gaps where Chalie was quietly wasting its own effort.
The vault fix is the headline. Every credential Chalie holds — provider keys, connected accounts, anything sensitive — sits behind a data encryption key wrapped by the user’s master password. Before today that key lived in one place with only one backup in reserve, so a corrupted live copy had nothing to fall back to. Now every vault initialization writes the wrapped key material to a durable, owner-only file, atomically, and backups are append-forever: each generation gets its own timestamped file, nothing is ever deleted, and recovery walks them newest-first so a corrupt backup just gets skipped. Login runs an explicit unlock-or-restore decision: open normally if the live vault is healthy, rebuild from the newest good backup if it’s missing or damaged, and wipe the account only if literally no backup unwraps — a last resort, not a first response to a hiccup. A transient disk error can no longer be mistaken for corruption and trigger a wipe. I also deleted a re-init warning banner that could structurally never fire, since login stopped auto-reinitializing months ago. The thing that stores your secrets is now built to survive being wrong about itself.
The second thread was making Chalie’s own tool loop honest about failure. The sandboxed code-execution tool Chalie uses for quick calculations returned an empty string on a successful run with no output, which the dispatcher reported as plain success. The model read empty-plus-success as “nothing left to do” and looped on the identical call until it hit the iteration ceiling — one test run burned 43 calls and over 15 minutes before failing outright. That tool now always returns one of four explicit outcomes — real output, a full traceback with partial output preserved, an explicit no-output notice, or an explicit no-code notice — so there’s never a result the model can misread as completion. A related policy bug silently blocked that same tool in autonomous contexts despite being fully sandboxed and safe everywhere; it’s now allowed by default across every channel. The memory-recall trigger in the core operating instructions was tightened too: it had been firing on almost any question where “context could change the answer,” so a plain exchange-rate lookup triggered memory and schedule checks it never needed. It’s now scoped to the user’s own preferences and history.
Underneath those: location-only reminders now work without a due date, file search defaults to a root that actually contains the expected files, and a time-budget guard returns partial search results instead of losing everything to a timeout. A safety gap closed too — a destructive recursive-force delete command was classified as a harmless file edit and is now unconditionally blocked regardless of policy. Every remaining native confirmation dialog in the dashboard was replaced with the app’s own modal, closing scripting gaps where dialog text wasn’t escaped. A cleanup pass also scrubbed personal and internal references from headers, docs, and test fixtures.
None of this is a feature you’ll notice directly. What you’ll notice is Chalie not getting stuck, not wiping itself over a transient glitch, and not asking memory questions unrelated to you. That’s the bar: infrastructure only counts when it disappears into reliability you feel but never think about.
-
Vault key backups go append-forever: every init writes a new timestamped backup, recovery tries newest-first, corrupt latest is simply skipped
-
Login gains an explicit unlock-or-restore decision — live vault, rebuild from backup, or (only with zero recoverable backups) a logged wipe
-
The sandboxed code tool always returns an actionable result, fixing a 43-call retry loop caused by silent empty-success
-
That same tool is now allowed by default in every channel once its sandbox was confirmed safe everywhere
-
Location-only reminders, a working default search root, a time-budget guard for slow searches, and a fix for misclassified destructive delete commands
-
Native confirmation dialogs replaced with the app’s own modal across the dashboard, closing unescaped-text scripting gaps