@vellumai/assistant 0.10.2-dev.202606250318.5e7cfb0 → 0.10.2

package/src/runtime/routes/inbound-stages/guardian-activation-intercept.test.ts

@@ -4,9 +4,7 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 // Mocks — must be set up before importing the module under test
 // ---------------------------------------------------------------------------
 
-// Gateway guardian-delivery list: empty = unbound, one entry = bound,
-// null = gateway unreachable.
-let mockGuardianList: Array<Record<string, unknown>> | null = [];
+let mockGuardian: { contact: unknown; channel: unknown } | null = null;
 let mockActiveSession: Record<string, unknown> | null = null;
 let mockSessionResult = {
   sessionId: "sess-1",
@@ -22,14 +20,8 @@ let deliverChannelReplyCalls: unknown[][] = [];
 let emitNotificationSignalCalls: unknown[] = [];
 let messageIdCounter = 0;
 
-mock.module("../../../contacts/guardian-delivery-reader.js", () => ({
-  // Existence guard reads fresh (uncached) — only this variant is stubbed.
-  getGuardianDeliveryFresh: () => Promise.resolve(mockGuardianList),
-  guardianForChannel: (
-    list: Array<{ channelType: string; status: string }>,
-    channelType: string,
-  ) =>
-    list.find((g) => g.channelType === channelType && g.status === "active"),
+mock.module("../../../contacts/contact-store.js", () => ({
+  findGuardianForChannel: () => mockGuardian,
 }));
 
 mock.module("../../channel-verification-service.js", () => ({
@@ -104,7 +96,7 @@ function makeParams(
 
 describe("handleGuardianActivationIntercept", () => {
   beforeEach(() => {
-    mockGuardianList = [];
+    mockGuardian = null;
     mockActiveSession = null;
     mockSessionResult = {
       sessionId: "sess-1",
@@ -163,15 +155,10 @@ describe("handleGuardianActivationIntercept", () => {
   });
 
   test("bare /start with existing guardian returns null", async () => {
-    mockGuardianList = [{ channelType: "telegram", status: "active" }];
-
-    const result = await handleGuardianActivationIntercept(makeParams());
-    expect(result).toBeNull();
-    expect(createOutboundSessionCalls).toHaveLength(0);
-  });
-
-  test("null guardian list (gateway unreachable) does NOT auto-start", async () => {
-    mockGuardianList = null;
+    mockGuardian = {
+      contact: { id: "contact-1", role: "guardian" },
+      channel: { id: "ch-1", type: "telegram" },
+    };
 
     const result = await handleGuardianActivationIntercept(makeParams());
     expect(result).toBeNull();

package/src/runtime/routes/inbound-stages/guardian-activation-intercept.ts

@@ -9,10 +9,7 @@
  * the guardian binding, and sends a success reply.
  */
 import type { ChannelId } from "../../../channels/types.js";
-import {
-  getGuardianDeliveryFresh,
-  guardianForChannel,
-} from "../../../contacts/guardian-delivery-reader.js";
+import { findGuardianForChannel } from "../../../contacts/contact-store.js";
 import { emitNotificationSignal } from "../../../notifications/emit-signal.js";
 import { getLogger } from "../../../util/logger.js";
 import {
@@ -91,16 +88,8 @@ export async function handleGuardianActivationIntercept(
   // Only proceed for Telegram (can be extended later)
   if (sourceChannel !== "telegram") return null;
 
-  // If a guardian already exists for this channel, continue to normal flow.
-  // Null-list (gateway unreachable) is treated as guardian-present so a
-  // transient miss does NOT spuriously auto-start verification.
-  // Read fresh: gateway-side binding writes don't invalidate the daemon cache.
-  const guardianList = await getGuardianDeliveryFresh({
-    channelTypes: [sourceChannel],
-  });
-  if (guardianList === null || guardianForChannel(guardianList, sourceChannel)) {
-    return null;
-  }
+  // If a guardian already exists for this channel, continue to normal flow
+  if (findGuardianForChannel(sourceChannel)) return null;
 
   // Can't bind a session without sender identity
   if (!rawSenderId) return null;

package/src/runtime/routes/index.ts

@@ -102,7 +102,6 @@ import { ROUTES as OAUTH_COMMANDS_ROUTES } from "./oauth-commands-routes.js";
 import { ROUTES as OAUTH_CONNECT_ROUTES } from "./oauth-connect-routes.js";
 import { ROUTES as OAUTH_LIFECYCLE_ROUTES } from "./oauth-lifecycle-routes.js";
 import { ROUTES as OAUTH_PROVIDERS_ROUTES } from "./oauth-providers.js";
-import { ROUTES as ONBOARDING_CHECKIN_ROUTES } from "./onboarding-checkin-routes.js";
 import { ROUTES as PLATFORM_ROUTES } from "./platform-routes.js";
 import { ROUTES as PLAYGROUND_ROUTES } from "./playground/index.js";
 import { ROUTES as PLUGINS_ROUTES } from "./plugins-routes.js";
@@ -235,7 +234,6 @@ export const ROUTES: RouteDefinition[] = [
   ...OAUTH_LIFECYCLE_ROUTES,
   ...OAUTH_COMMANDS_ROUTES,
   ...OAUTH_PROVIDERS_ROUTES,
-  ...ONBOARDING_CHECKIN_ROUTES,
   ...PLATFORM_ROUTES,
   ...PLAYGROUND_ROUTES,
   ...PLUGINS_ROUTES,

package/src/runtime/routes/llm-context-normalization.ts

@@ -40,31 +40,10 @@ export interface LlmContextSection {
   language?: string;
 }
 
-/**
- * Structured error extracted from a rejected call's response payload.
- * Mirrors the on-disk `responsePayload.error` shape produced by
- * `buildProviderErrorResponsePayload`. Present only when the call failed
- * before returning a response — consumers branch on its presence to
- * render the call as failed.
- */
-export interface LlmContextError {
-  name?: string;
-  message?: string;
-  code?: string;
-  provider?: string;
-  statusCode?: number;
-  retryAfterMs?: number;
-  apiErrorCode?: string;
-  apiErrorType?: string;
-  apiErrorParam?: string;
-  requestId?: string;
-}
-
 export interface LlmContextNormalizationResult {
   summary?: LlmContextSummary;
   requestSections?: LlmContextSection[];
   responseSections?: LlmContextSection[];
-  error?: LlmContextError;
 }
 
 interface NormalizedPayloadCandidate {
@@ -76,68 +55,6 @@ interface NormalizedPayloadCandidate {
 
 export function normalizeLlmContextPayloads(
   input: LlmContextNormalizationInput,
-): LlmContextNormalizationResult {
-  const base = normalizeSuccessPayloads(input);
-  const error = normalizeProviderErrorPayload(input.responsePayload);
-  if (!error) {
-    return base;
-  }
-  // A rejected call has no response sections to render — only the request
-  // side normalized. Attach the structured error so the inspector can show
-  // a failure banner and treat the cost as $0.00 instead of silently
-  // falling back to "section rendering unavailable".
-  return { ...base, error };
-}
-
-/**
- * Detect a provider/transport error stored in the response payload.
- *
- * Error rows are written as `{ error: { name, message, code?, provider?,
- * statusCode?, retryAfterMs? } }` by `buildProviderErrorResponsePayload`.
- * Successful provider responses never carry a top-level `error` object, so
- * the presence of one (with at least one identifying field) is a reliable
- * signal that the call failed.
- */
-function normalizeProviderErrorPayload(
-  responsePayload: unknown,
-): LlmContextError | null {
-  const error = asRecord(asRecord(responsePayload)?.error);
-  if (!error) {
-    return null;
-  }
-
-  const name = asString(error.name);
-  const message = asString(error.message);
-  const code = asString(error.code);
-  // Require at least one identifying field so an unrelated `error` key on a
-  // success payload isn't misread as a provider failure.
-  if (name === undefined && message === undefined && code === undefined) {
-    return null;
-  }
-
-  const normalized: LlmContextError = {};
-  if (name !== undefined) normalized.name = name;
-  if (message !== undefined) normalized.message = message;
-  if (code !== undefined) normalized.code = code;
-  const provider = asString(error.provider);
-  if (provider !== undefined) normalized.provider = provider;
-  const statusCode = asNumber(error.statusCode);
-  if (statusCode !== undefined) normalized.statusCode = statusCode;
-  const retryAfterMs = asNumber(error.retryAfterMs);
-  if (retryAfterMs !== undefined) normalized.retryAfterMs = retryAfterMs;
-  const apiErrorCode = asString(error.apiErrorCode);
-  if (apiErrorCode !== undefined) normalized.apiErrorCode = apiErrorCode;
-  const apiErrorType = asString(error.apiErrorType);
-  if (apiErrorType !== undefined) normalized.apiErrorType = apiErrorType;
-  const apiErrorParam = asString(error.apiErrorParam);
-  if (apiErrorParam !== undefined) normalized.apiErrorParam = apiErrorParam;
-  const requestId = asString(error.requestId);
-  if (requestId !== undefined) normalized.requestId = requestId;
-  return normalized;
-}
-
-function normalizeSuccessPayloads(
-  input: LlmContextNormalizationInput,
 ): LlmContextNormalizationResult {
   const requestCandidates = [
     normalizeOpenAiRequestPayload(input.requestPayload),

package/src/runtime/routes/mcp-auth-routes.ts

@@ -21,18 +21,10 @@ import { reloadMcpServers } from "../../daemon/mcp-reload-service.js";
 import { McpClient } from "../../mcp/client.js";
 import { orchestrateMcpOAuthConnect } from "../../mcp/mcp-auth-orchestrator.js";
 import { getMcpAuthState } from "../../mcp/mcp-auth-state.js";
-import {
-  deleteMcpHeaders,
-  getMcpHeaders,
-  setMcpHeaders,
-} from "../../mcp/mcp-header-store.js";
-import {
-  deleteMcpOAuthCredentials,
-  hasMcpOAuthTokens,
-} from "../../mcp/mcp-oauth-provider.js";
+import { deleteMcpOAuthCredentials } from "../../mcp/mcp-oauth-provider.js";
 import { getMcpToolsByServer } from "../../tools/registry.js";
 import { getLogger } from "../../util/logger.js";
-import { ACTOR_PRINCIPALS } from "../auth/route-policy.js";
+import { ACTOR_PRINCIPALS, GATEWAY_PRINCIPALS } from "../auth/route-policy.js";
 import { BadRequestError, InternalError, NotFoundError } from "./errors.js";
 import type { RouteDefinition } from "./types.js";
 
@@ -178,23 +170,13 @@ async function checkMachineReadableHealth(
 interface McpServerEntry {
   id: string;
   status: string;
-  transport: Omit<McpServerConfig["transport"], "headers"> & { type: string };
+  transport: McpServerConfig["transport"];
   enabled: boolean;
   defaultRiskLevel: string;
-  hasOAuth: boolean;
-  hasStaticAuth: boolean;
-  authType: "none" | "bearer" | "api-key";
-  authHeaderName?: string;
   allowedTools?: string[];
   blockedTools?: string[];
 }
 
-function detectAuthType(headers: Record<string, string>): "bearer" | "api-key" {
-  const authValue = headers["Authorization"] ?? headers["authorization"];
-  if (authValue?.startsWith("Bearer ")) return "bearer";
-  return "api-key";
-}
-
 async function handleMcpList(_args: {
   body?: Record<string, unknown>;
 }): Promise<{ servers: McpServerEntry[] }> {
@@ -214,45 +196,12 @@ async function handleMcpList(_args: {
         } else {
           status = await checkMachineReadableHealth(id, config);
         }
-        const hasOAuth =
-          config.transport.type !== "stdio"
-            ? await hasMcpOAuthTokens(id)
-            : false;
-
-        // Check credential store for stored static auth headers
-        const storedHeaders = await getMcpHeaders(id);
-        // Also check legacy config-level headers
-        const configHeaders =
-          config.transport.type !== "stdio"
-            ? config.transport.headers
-            : undefined;
-        const effectiveHeaders = storedHeaders ?? configHeaders;
-        const hasStaticAuth =
-          !!effectiveHeaders && Object.keys(effectiveHeaders).length > 0;
-        const authType: "none" | "bearer" | "api-key" = hasStaticAuth
-          ? detectAuthType(effectiveHeaders!)
-          : "none";
-        const authHeaderName =
-          authType === "api-key" && effectiveHeaders
-            ? Object.keys(effectiveHeaders).find(
-                (k) => k.toLowerCase() !== "authorization",
-              )
-            : undefined;
-
-        // Strip headers from transport — never return secrets
-        const { headers: _stripped, ...safeTransport } =
-          config.transport as Record<string, unknown>;
-
         return {
           id,
           status,
-          transport: safeTransport as McpServerEntry["transport"],
+          transport: config.transport,
           enabled,
           defaultRiskLevel: config.defaultRiskLevel ?? "high",
-          hasOAuth,
-          hasStaticAuth,
-          authType,
-          ...(authHeaderName && { authHeaderName }),
           ...(config.allowedTools && { allowedTools: config.allowedTools }),
           ...(config.blockedTools && { blockedTools: config.blockedTools }),
         };
@@ -332,7 +281,6 @@ async function handleMcpUpdate({
     maxTools,
     allowedTools,
     blockedTools,
-    headers,
   } = body as {
     name: string;
     enabled?: boolean;
@@ -340,7 +288,6 @@ async function handleMcpUpdate({
     maxTools?: number;
     allowedTools?: string[] | null;
     blockedTools?: string[] | null;
-    headers?: Record<string, string> | null;
   };
 
   const raw = loadRawConfig();
@@ -379,33 +326,6 @@ async function handleMcpUpdate({
       server.blockedTools = blockedTools;
     }
   }
-  if (headers !== undefined) {
-    const transport = server.transport as Record<string, unknown> | undefined;
-    if (
-      transport &&
-      (transport.type === "sse" || transport.type === "streamable-http")
-    ) {
-      // Migrate any legacy config-level headers away
-      delete transport.headers;
-
-      // Store in credential store (or delete if clearing)
-      if (headers === null || Object.keys(headers).length === 0) {
-        const ok = await deleteMcpHeaders(name);
-        if (!ok) {
-          throw new InternalError(
-            "Failed to clear auth headers from credential store",
-          );
-        }
-      } else {
-        const ok = await setMcpHeaders(name, headers);
-        if (!ok) {
-          throw new InternalError(
-            "Failed to persist auth headers to credential store",
-          );
-        }
-      }
-    }
-  }
 
   saveRawConfig(raw);
   triggerReload("internal_mcp_update");
@@ -422,17 +342,15 @@ async function handleMcpAdd({
 }: {
   body?: Record<string, unknown>;
 }): Promise<{ added: true }> {
-  const { name, transportType, url, command, args, risk, disabled, headers } =
-    body as {
-      name: string;
-      transportType: string;
-      url?: string;
-      command?: string;
-      args?: string[];
-      risk?: string;
-      disabled?: boolean;
-      headers?: Record<string, string>;
-    };
+  const { name, transportType, url, command, args, risk, disabled } = body as {
+    name: string;
+    transportType: string;
+    url?: string;
+    command?: string;
+    args?: string[];
+    risk?: string;
+    disabled?: boolean;
+  };
 
   const riskLevel = risk ?? "high";
   if (!["low", "medium", "high"].includes(riskLevel)) {
@@ -482,60 +400,12 @@ async function handleMcpAdd({
     defaultRiskLevel: riskLevel,
   };
 
-  // Store auth headers in credential store, not config
-  if (headers && Object.keys(headers).length > 0) {
-    const ok = await setMcpHeaders(name, headers);
-    if (!ok) {
-      throw new InternalError(
-        "Failed to persist auth headers to credential store",
-      );
-    }
-  }
-
   saveRawConfig(raw);
   triggerReload("internal_mcp_add");
 
   return { added: true };
 }
 
-// ---------------------------------------------------------------------------
-// Revoke OAuth
-// ---------------------------------------------------------------------------
-
-async function handleMcpAuthRevoke({
-  body,
-}: {
-  body?: Record<string, unknown>;
-}): Promise<{ revoked: true }> {
-  const { serverId } = body as { serverId: string };
-
-  const raw = loadRawConfig();
-  const servers = (raw.mcp as Partial<McpConfig> | undefined)?.servers ?? {};
-  const serverConfig = servers[serverId];
-
-  if (!serverConfig) {
-    throw new NotFoundError(`MCP server "${serverId}" not found`);
-  }
-
-  let result: { ok: boolean; failedKeys: string[] };
-  try {
-    result = await deleteMcpOAuthCredentials(serverId);
-  } catch (err) {
-    throw new InternalError(
-      `Failed to revoke OAuth credentials: ${err instanceof Error ? err.message : String(err)}`,
-    );
-  }
-
-  if (!result.ok) {
-    throw new InternalError(
-      `Failed to delete OAuth credentials for keys: ${result.failedKeys.join(", ")}`,
-    );
-  }
-
-  triggerReload("internal_mcp_auth_revoke");
-  return { revoked: true };
-}
-
 // ---------------------------------------------------------------------------
 // Remove
 // ---------------------------------------------------------------------------
@@ -555,17 +425,14 @@ async function handleMcpRemove({
     throw new NotFoundError(`MCP server "${name}" not found.`);
   }
 
-  // Best-effort cleanup of credentials stored for this server
+  // Best-effort cleanup of any OAuth credentials stored for this server
   const serverConfig = serverMap[name] as Record<string, unknown>;
   const transport = serverConfig?.transport as
     | Record<string, unknown>
     | undefined;
   if (transport?.type === "sse" || transport?.type === "streamable-http") {
     try {
-      await Promise.all([
-        deleteMcpOAuthCredentials(name),
-        deleteMcpHeaders(name),
-      ]);
+      await deleteMcpOAuthCredentials(name);
     } catch {
       // Ignore — credentials may not exist
     }
@@ -588,8 +455,8 @@ export const ROUTES: RouteDefinition[] = [
     endpoint: "internal/mcp/auth/start",
     method: "POST",
     policy: {
-      requiredScopes: ["settings.write"],
-      allowedPrincipalTypes: ACTOR_PRINCIPALS,
+      requiredScopes: ["internal.write"],
+      allowedPrincipalTypes: GATEWAY_PRINCIPALS,
     },
     summary: "Start MCP OAuth flow",
     description:
@@ -603,8 +470,8 @@ export const ROUTES: RouteDefinition[] = [
     endpoint: "internal/mcp/auth/status/:serverId",
     method: "GET",
     policy: {
-      requiredScopes: ["settings.read"],
-      allowedPrincipalTypes: ACTOR_PRINCIPALS,
+      requiredScopes: ["internal.write"],
+      allowedPrincipalTypes: GATEWAY_PRINCIPALS,
     },
     summary: "Poll MCP OAuth flow status",
     description:
@@ -654,7 +521,6 @@ export const ROUTES: RouteDefinition[] = [
             .passthrough(),
           enabled: z.boolean(),
           defaultRiskLevel: z.string(),
-          hasOAuth: z.boolean(),
           allowedTools: z.array(z.string()).optional(),
           blockedTools: z.array(z.string()).optional(),
         }),
@@ -713,7 +579,6 @@ export const ROUTES: RouteDefinition[] = [
       maxTools: z.number().optional(),
       allowedTools: z.array(z.string()).nullable().optional(),
       blockedTools: z.array(z.string()).nullable().optional(),
-      headers: z.record(z.string(), z.string()).nullable().optional(),
     }),
     handler: handleMcpUpdate,
   },
@@ -737,26 +602,9 @@ export const ROUTES: RouteDefinition[] = [
       args: z.array(z.string()).optional(),
       risk: z.string().optional(),
       disabled: z.boolean().optional(),
-      headers: z.record(z.string(), z.string()).optional(),
     }),
     handler: handleMcpAdd,
   },
-  {
-    operationId: "internal_mcp_auth_revoke",
-    endpoint: "internal/mcp/auth/revoke",
-    method: "POST",
-    policy: {
-      requiredScopes: ["settings.write"],
-      allowedPrincipalTypes: ACTOR_PRINCIPALS,
-    },
-    summary: "Revoke MCP OAuth credentials",
-    description:
-      "Deletes stored OAuth tokens for an MCP server and triggers a reload.",
-    tags: ["internal"],
-    requestBody: z.object({ serverId: z.string() }),
-    responseBody: z.object({ revoked: z.boolean() }),
-    handler: handleMcpAuthRevoke,
-  },
   {
     operationId: "internal_mcp_remove",
     endpoint: "internal/mcp/remove",

package/src/runtime/routes/migration-rollback-routes.ts

@@ -10,9 +10,8 @@
 import { z } from "zod";
 
 import { getDb } from "../../memory/db-connection.js";
-import { getMaxRollbackVersion } from "../../memory/migrations/run-migrations.js";
+import { getMaxMigrationVersion } from "../../memory/migrations/registry.js";
 import { rollbackMemoryMigration } from "../../memory/migrations/validate-migration-state.js";
-import { migrationSteps } from "../../memory/steps.js";
 import { getWorkspaceDir } from "../../util/platform.js";
 import { WORKSPACE_MIGRATIONS } from "../../workspace/migrations/registry.js";
 import {
@@ -44,7 +43,7 @@ async function handleRollbackMigrations({ body = {} }: RouteHandlerArgs) {
 
   if (rollbackToRegistryCeiling === true) {
     if (effectiveDbVersion === undefined)
-      effectiveDbVersion = getMaxRollbackVersion(migrationSteps);
+      effectiveDbVersion = getMaxMigrationVersion();
     if (effectiveWorkspaceMigrationId === undefined)
       effectiveWorkspaceMigrationId =
         getLastWorkspaceMigrationId(WORKSPACE_MIGRATIONS) ?? undefined;
@@ -105,7 +104,7 @@ async function handleRollbackMigrations({ body = {} }: RouteHandlerArgs) {
   // Roll back DB migrations if requested.
   if (effectiveDbVersion !== undefined) {
     try {
-      rolledBack.db = rollbackMemoryMigration(getDb(), effectiveDbVersion, migrationSteps);
+      rolledBack.db = rollbackMemoryMigration(getDb(), effectiveDbVersion);
     } catch (err) {
       const detail = err instanceof Error ? err.message : "Unknown error";
       throw new InternalError(`DB migration rollback failed: ${detail}`);

package/src/runtime/routes/migration-routes.ts

@@ -28,11 +28,9 @@ import {
   getDb,
   getLogsSqlite,
   getMemorySqlite,
-  getTelemetrySqlite,
   resetDb,
 } from "../../memory/db-connection.js";
 import { validateMigrationState } from "../../memory/migrations/validate-migration-state.js";
-import { migrationSteps } from "../../memory/steps.js";
 import { credentialKey } from "../../security/credential-key.js";
 import {
   bulkSetSecureKeysAsync,
@@ -182,7 +180,6 @@ async function checkpointDbsForExport(): Promise<void> {
   for (const [label, sqlite] of [
     ["logs", getLogsSqlite()],
     ["memory", getMemorySqlite()],
-    ["telemetry", getTelemetrySqlite()],
   ] as const) {
     if (!sqlite) {
       log.warn(
@@ -1715,7 +1712,7 @@ function appendNewerMigrationWarningsIfAny(report: ImportCommitReport): void {
     return;
   }
   try {
-    const migrationValidation = validateMigrationState(getDb(), migrationSteps);
+    const migrationValidation = validateMigrationState(getDb());
     if (migrationValidation.unknownCheckpoints.length > 0) {
       report.warnings.push(
         `Imported data contains ${migrationValidation.unknownCheckpoints.length} migration(s) from a newer version. Some data may not be fully compatible.`,

package/src/runtime/routes/subagents-routes.ts

@@ -39,8 +39,6 @@ export interface SubagentDetailResult {
     toolName?: string;
     isError?: boolean;
     messageId?: string;
-    toolUseId?: string;
-    input?: Record<string, unknown>;
   }>;
 }
 
@@ -114,8 +112,6 @@ export function parseSubagentMessages(
           type: "tool_use",
           content: JSON.stringify(input),
           toolName: name,
-          toolUseId: id || undefined,
-          input,
         });
         if (id) pendingTools.set(id, name);
       } else if (
@@ -151,7 +147,6 @@ export function parseSubagentMessages(
           content: resultContent,
           toolName: toolName ?? "unknown",
           isError,
-          toolUseId: toolUseId || undefined,
         });
       }
     }