@vellumai/assistant 0.3.4 → 0.3.6

package/src/schedule/schedule-store.ts

@@ -2,6 +2,7 @@ import { and, asc, desc, eq, lte } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 import { Cron } from 'croner';
 import { getDb } from '../memory/db.js';
+import { rawChanges } from '../memory/raw-query.js';
 import { scheduleJobs, scheduleRuns } from '../memory/schema.js';
 import { computeNextRunAt as computeNextRunAtEngine, isValidScheduleExpression } from './recurrence-engine.js';
 import { getLogger } from '../util/logger.js';
@@ -189,8 +190,8 @@ export function updateSchedule(
 
 export function deleteSchedule(id: string): boolean {
   const db = getDb();
-  const result = db.delete(scheduleJobs).where(eq(scheduleJobs.id, id)).run() as unknown as { changes?: number };
-  return (result.changes ?? 0) > 0;
+  db.delete(scheduleJobs).where(eq(scheduleJobs.id, id)).run();
+  return rawChanges() > 0;
 }
 
 /**
@@ -244,13 +245,13 @@ export function claimDueSchedules(now: number): ScheduleJob[] {
       updates.nextRunAt = newNextRunAt!;
     }
 
-    const result = db
+    db
       .update(scheduleJobs)
       .set(updates)
       .where(and(eq(scheduleJobs.id, row.id), eq(scheduleJobs.nextRunAt, row.nextRunAt)))
-      .run() as unknown as { changes?: number };
+      .run();
 
-    if ((result.changes ?? 0) === 0) continue;
+    if (rawChanges() === 0) continue;
 
     claimed.push(parseJobRow({
       ...row,
@@ -359,7 +360,14 @@ export function formatLocalDate(timestamp: number): string {
 export function describeCronExpression(expr: string): string {
   try {
     const cron = new Cron(expr, { maxRuns: 0 });
-    const p = (cron as unknown as { _states: { pattern: {
+    // Access Croner internal state to extract the parsed cron pattern.
+    // This is fragile but necessary — Croner doesn't expose a public API for this.
+    const cronInternal = cron as unknown as Record<string, unknown>;
+    const states = cronInternal._states;
+    if (!states || typeof states !== 'object') return expr;
+    const p = (states as Record<string, unknown>).pattern;
+    if (!p || typeof p !== 'object') return expr;
+    const pattern = p as {
       minute: number[];
       hour: number[];
       day: number[];
@@ -367,20 +375,28 @@ export function describeCronExpression(expr: string): string {
       dayOfWeek: number[];
       starDOM: boolean;
       starDOW: boolean;
-    } } })._states.pattern;
+    };
 
-    const activeMinutes = p.minute.reduce<number[]>((acc, v, i) => { if (v) acc.push(i); return acc; }, []);
-    const activeHours = p.hour.reduce<number[]>((acc, v, i) => { if (v) acc.push(i); return acc; }, []);
-    const activeDays = p.day.reduce<number[]>((acc, v, i) => { if (v) acc.push(i + 1); return acc; }, []);
-    const activeDOW = p.dayOfWeek.reduce<number[]>((acc, v, i) => { if (v) acc.push(i); return acc; }, []);
-    const activeMonths = p.month.reduce<number[]>((acc, v, i) => { if (v) acc.push(i + 1); return acc; }, []);
+    const activeMinutes = pattern.minute.reduce<number[]>((acc, v, i) => { if (v) acc.push(i); return acc; }, []);
+    const activeHours = pattern.hour.reduce<number[]>((acc, v, i) => { if (v) acc.push(i); return acc; }, []);
+    const activeDays = pattern.day.reduce<number[]>((acc, v, i) => { if (v) acc.push(i + 1); return acc; }, []);
+    const activeDOW = pattern.dayOfWeek.reduce<number[]>((acc, v, i) => { if (v) acc.push(i); return acc; }, []);
+    const activeMonths = pattern.month.reduce<number[]>((acc, v, i) => { if (v) acc.push(i + 1); return acc; }, []);
 
     const allMinutes = activeMinutes.length === 60;
     const allHours = activeHours.length === 24;
-    const allDays = p.starDOM;
-    const allDOW = p.starDOW;
+    const allDays = pattern.starDOM;
+    const allDOW = pattern.starDOW;
     const allMonths = activeMonths.length === 12;
 
+    const fixedMinute = activeMinutes.length === 1;
+    const fixedHour = activeHours.length === 1;
+    const fixedTime = fixedMinute && fixedHour;
+    const steppedMinutes = !allMinutes && activeMinutes.length > 1;
+    const steppedHours = !allHours && activeHours.length > 1;
+    const anyDay = allDays && allDOW;
+    const anyDayAndMonth = anyDay && allMonths;
+
     // Format time as 12-hour clock
     function formatTime(hour: number, minute: number): string {
       const period = hour >= 12 ? 'PM' : 'AM';
@@ -396,14 +412,11 @@ export function describeCronExpression(expr: string): string {
       return n + (s[(v - 20) % 10] || s[v] || s[0]);
     }
 
-    // Every minute: all fields are wildcard
-    if (allMinutes && allHours && allDays && allDOW && allMonths) {
+    if (allMinutes && allHours && anyDayAndMonth) {
       return 'Every minute';
     }
 
-    // Every N minutes: multiple minutes, all hours, all days
-    if (!allMinutes && activeMinutes.length > 1 && allHours && allDays && allDOW && allMonths) {
-      // Check if it's a regular step pattern (e.g. */5)
+    if (steppedMinutes && allHours && anyDayAndMonth) {
       if (activeMinutes.length >= 2 && activeMinutes[0] === 0) {
         const step = activeMinutes[1] - activeMinutes[0];
         const isRegularStep = activeMinutes.every((v, i) => v === i * step);
@@ -413,16 +426,14 @@ export function describeCronExpression(expr: string): string {
       }
     }
 
-    // Every hour: minute is fixed at one value, all hours, all days
-    if (activeMinutes.length === 1 && allHours && allDays && allDOW && allMonths) {
+    if (fixedMinute && allHours && anyDayAndMonth) {
       if (activeMinutes[0] === 0) {
         return 'Every hour';
       }
       return `Every hour at minute ${activeMinutes[0]}`;
     }
 
-    // Every N hours: minute is fixed, multiple hours with regular stepping, all days
-    if (activeMinutes.length === 1 && !allHours && activeHours.length > 1 && allDays && allDOW && allMonths) {
+    if (fixedMinute && steppedHours && anyDayAndMonth) {
       if (activeHours.length >= 2 && activeHours[0] === 0) {
         const step = activeHours[1] - activeHours[0];
         const isRegularStep = activeHours.every((v, i) => v === i * step);
@@ -432,33 +443,26 @@ export function describeCronExpression(expr: string): string {
       }
     }
 
-    // Specific time patterns: single hour and single minute
-    if (activeMinutes.length === 1 && activeHours.length === 1 && allMonths) {
+    if (fixedTime && allMonths) {
       const timeStr = formatTime(activeHours[0], activeMinutes[0]);
 
-      // Check day-of-week constraints
       if (allDays && !allDOW) {
-        // Weekdays: Mon-Fri (1-5)
         if (activeDOW.length === 5 && activeDOW.every((d) => d >= 1 && d <= 5)) {
           return `Every weekday at ${timeStr}`;
         }
-        // Weekends: Sat, Sun (0, 6)
         if (activeDOW.length === 2 && activeDOW.includes(0) && activeDOW.includes(6)) {
           return `Every weekend at ${timeStr}`;
         }
-        // Specific days of week
         const dayNames = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];
         const names = activeDOW.map((d) => dayNames[d]);
         return `Every ${names.join(', ')} at ${timeStr}`;
       }
 
-      // Specific day of month
       if (!allDays && allDOW && activeDays.length === 1) {
         return `On the ${ordinal(activeDays[0])} of every month at ${timeStr}`;
       }
 
-      // Every day at specific time
-      if (allDays && allDOW) {
+      if (anyDay) {
         return `Every day at ${timeStr}`;
       }
     }

package/src/schedule/scheduler.ts

@@ -103,14 +103,14 @@ async function runScheduleOnce(
         const message = err instanceof Error ? err.message : String(err);
         log.warn({ err, jobId: job.id, name: job.name, taskId, syntax: job.syntax, expression: job.expression, isRruleSet }, 'Scheduled task execution failed');
         // Create a fallback conversation for the schedule run record
-        const fallbackConversation = createConversation(`Schedule: ${job.name}`);
+        const fallbackConversation = createConversation({ title: `Schedule: ${job.name}`, source: 'schedule' });
         const runId = createScheduleRun(job.id, fallbackConversation.id);
         completeScheduleRun(runId, { status: 'error', error: message });
       }
       continue;
     }
 
-    const conversation = createConversation(`Schedule: ${job.name}`);
+    const conversation = createConversation({ title: `Schedule: ${job.name}`, source: 'schedule' });
     const runId = createScheduleRun(job.id, conversation.id);
     const isRruleSetMsg = job.syntax === 'rrule' && hasSetConstructs(job.expression);
 
@@ -131,7 +131,7 @@ async function runScheduleOnce(
   const dueReminders = claimDueReminders(now);
   for (const reminder of dueReminders) {
     if (reminder.mode === 'execute') {
-      const conversation = createConversation(`Reminder: ${reminder.label}`);
+      const conversation = createConversation({ title: `Reminder: ${reminder.label}`, source: 'reminder' });
       setReminderConversationId(reminder.id, conversation.id);
       try {
         log.info({ reminderId: reminder.id, label: reminder.label, conversationId: conversation.id }, 'Executing reminder');

package/src/security/encrypted-store.ts

@@ -17,8 +17,9 @@ import {
   createCipheriv,
   createDecipheriv,
 } from 'node:crypto';
-import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from 'node:fs';
+import { readFileSync, writeFileSync, chmodSync } from 'node:fs';
 import { join, dirname } from 'node:path';
+import { pathExists, ensureDir } from '../util/fs.js';
 import { hostname, userInfo } from 'node:os';
 import { getRootDir, getPlatformName } from '../util/platform.js';
 import { getLogger } from '../util/logger.js';
@@ -98,7 +99,7 @@ function deriveKey(salt: Buffer): Buffer {
  */
 function readStore(): StoreFile | null {
   const path = getStorePath();
-  if (!existsSync(path)) return null;
+  if (!pathExists(path)) return null;
 
   const raw = readFileSync(path, 'utf-8');
   const parsed = JSON.parse(raw);
@@ -114,10 +115,7 @@ function readStore(): StoreFile | null {
 
 function writeStore(store: StoreFile): void {
   const path = getStorePath();
-  const dir = dirname(path);
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true });
-  }
+  ensureDir(dirname(path));
   writeFileSync(path, JSON.stringify(store, null, 2), { mode: 0o600 });
   // Enforce 0600 even if the file already existed with permissive bits
   chmodSync(path, 0o600);
@@ -125,7 +123,7 @@ function writeStore(store: StoreFile): void {
 
 function getOrCreateStore(): StoreFile {
   const path = getStorePath();
-  if (existsSync(path)) {
+  if (pathExists(path)) {
     // File exists — must be parseable, otherwise fail to prevent data loss
     return readStore()!;
   }

package/src/security/oauth2.ts

@@ -18,16 +18,25 @@ const log = getLogger('oauth2');
 // Types
 // ---------------------------------------------------------------------------
 
+export type TokenEndpointAuthMethod = 'client_secret_basic' | 'client_secret_post';
+
 export interface OAuth2Config {
   authUrl: string;
   tokenUrl: string;
   scopes: string[];
   clientId: string;
-  /** Client secret for providers that require it (e.g. Slack). If omitted, PKCE is used. */
+  /** Client secret for providers that require it (e.g. Slack). PKCE is always used regardless. */
   clientSecret?: string;
   extraParams?: Record<string, string>;
   /** URL to fetch user identity info after OAuth. If omitted, account info is not fetched. */
   userinfoUrl?: string;
+  /**
+   * How the client authenticates at the token endpoint when a clientSecret is present.
+   * - `client_secret_post`: Send client_id and client_secret in the POST body (default).
+   * - `client_secret_basic`: Send an HTTP Basic Auth header with base64(client_id:client_secret).
+   * Defaults to `client_secret_post` for backward compatibility.
+   */
+  tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
 }
 
 export interface OAuth2TokenResult {
@@ -80,24 +89,32 @@ async function exchangeCodeForTokens(
   redirectUri: string,
   codeVerifier: string,
 ): Promise<OAuth2FlowResult> {
-  const usePKCE = !config.clientSecret;
+  const authMethod = config.tokenEndpointAuthMethod ?? 'client_secret_post';
 
   const tokenBody: Record<string, string> = {
     grant_type: 'authorization_code',
     code,
     redirect_uri: redirectUri,
-    client_id: config.clientId,
+    code_verifier: codeVerifier,
   };
-  if (usePKCE) {
-    tokenBody.code_verifier = codeVerifier;
-  }
-  if (config.clientSecret) {
-    tokenBody.client_secret = config.clientSecret;
+
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/x-www-form-urlencoded',
+  };
+
+  if (config.clientSecret && authMethod === 'client_secret_basic') {
+    const credentials = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64');
+    headers['Authorization'] = `Basic ${credentials}`;
+  } else {
+    tokenBody.client_id = config.clientId;
+    if (config.clientSecret) {
+      tokenBody.client_secret = config.clientSecret;
+    }
   }
 
   const tokenResp = await fetch(config.tokenUrl, {
     method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    headers,
     body: new URLSearchParams(tokenBody),
   });
 
@@ -160,7 +177,6 @@ async function runGatewayFlow(
     registerPendingCallback(state, resolve, reject);
   });
 
-  const usePKCE = !config.clientSecret;
   const authParams = new URLSearchParams({
     ...config.extraParams,
     client_id: config.clientId,
@@ -168,7 +184,8 @@ async function runGatewayFlow(
     response_type: 'code',
     scope: config.scopes.join(' '),
     state,
-    ...(usePKCE ? { code_challenge: codeChallenge, code_challenge_method: 'S256' } : {}),
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
   });
 
   const authUrl = `${config.authUrl}?${authParams}`;
@@ -230,19 +247,32 @@ export async function refreshOAuth2Token(
   clientId: string,
   refreshToken: string,
   clientSecret?: string,
+  tokenEndpointAuthMethod?: TokenEndpointAuthMethod,
 ): Promise<OAuth2TokenResult> {
+  const authMethod = tokenEndpointAuthMethod ?? 'client_secret_post';
+
   const body: Record<string, string> = {
     grant_type: 'refresh_token',
     refresh_token: refreshToken,
-    client_id: clientId,
   };
-  if (clientSecret) {
-    body.client_secret = clientSecret;
+
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/x-www-form-urlencoded',
+  };
+
+  if (clientSecret && authMethod === 'client_secret_basic') {
+    const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+    headers['Authorization'] = `Basic ${credentials}`;
+  } else {
+    body.client_id = clientId;
+    if (clientSecret) {
+      body.client_secret = clientSecret;
+    }
   }
 
   const resp = await fetch(tokenUrl, {
     method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    headers,
     body: new URLSearchParams(body),
   });
 

package/src/security/parental-control-store.ts

@@ -0,0 +1,183 @@
+/**
+ * Parental control settings and PIN management.
+ *
+ * Non-secret settings (enabled state, content restrictions, blocked tool
+ * categories) are persisted to `~/.vellum/parental-control.json`.
+ *
+ * The PIN hash and salt are stored in the encrypted key store under the
+ * account `parental:pin` as the hex string `"<salt>:<hash>"`.
+ *
+ * PIN hashing uses SHA-256 with a random 16-byte salt to prevent offline
+ * dictionary attacks. Comparison uses timingSafeEqual to avoid timing leaks.
+ */
+
+import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { pathExists, ensureDir } from '../util/fs.js';
+import { getRootDir } from '../util/platform.js';
+import { getKey, setKey, deleteKey } from './encrypted-store.js';
+import { getLogger } from '../util/logger.js';
+import type { ParentalContentTopic, ParentalToolCategory } from '../daemon/ipc-contract/parental-control.js';
+
+const log = getLogger('parental-control');
+
+const PIN_ACCOUNT = 'parental:pin';
+
+export type { ParentalContentTopic, ParentalToolCategory };
+
+export interface ParentalControlSettings {
+  enabled: boolean;
+  contentRestrictions: ParentalContentTopic[];
+  blockedToolCategories: ParentalToolCategory[];
+}
+
+const DEFAULT_SETTINGS: ParentalControlSettings = {
+  enabled: false,
+  contentRestrictions: [],
+  blockedToolCategories: [],
+};
+
+function getSettingsPath(): string {
+  return join(getRootDir(), 'parental-control.json');
+}
+
+// ---------------------------------------------------------------------------
+// Settings I/O
+// ---------------------------------------------------------------------------
+
+export function getParentalControlSettings(): ParentalControlSettings {
+  try {
+    const file = getSettingsPath();
+    if (!pathExists(file)) return { ...DEFAULT_SETTINGS };
+    const raw = readFileSync(file, 'utf-8');
+    const parsed = JSON.parse(raw) as Partial<ParentalControlSettings>;
+    return {
+      enabled: typeof parsed.enabled === 'boolean' ? parsed.enabled : false,
+      contentRestrictions: Array.isArray(parsed.contentRestrictions) ? parsed.contentRestrictions : [],
+      blockedToolCategories: Array.isArray(parsed.blockedToolCategories) ? parsed.blockedToolCategories : [],
+    };
+  } catch {
+    return { ...DEFAULT_SETTINGS };
+  }
+}
+
+function saveSettings(settings: ParentalControlSettings): void {
+  const file = getSettingsPath();
+  ensureDir(dirname(file));
+  writeFileSync(file, JSON.stringify(settings, null, 2), { encoding: 'utf-8' });
+}
+
+export function updateParentalControlSettings(
+  patch: Partial<ParentalControlSettings>,
+): ParentalControlSettings {
+  const current = getParentalControlSettings();
+  const next: ParentalControlSettings = {
+    enabled: patch.enabled !== undefined ? patch.enabled : current.enabled,
+    contentRestrictions: patch.contentRestrictions !== undefined
+      ? patch.contentRestrictions
+      : current.contentRestrictions,
+    blockedToolCategories: patch.blockedToolCategories !== undefined
+      ? patch.blockedToolCategories
+      : current.blockedToolCategories,
+  };
+  saveSettings(next);
+  return next;
+}
+
+// ---------------------------------------------------------------------------
+// PIN management
+// ---------------------------------------------------------------------------
+
+/** Returns true if a parental control PIN has been configured. */
+export function hasPIN(): boolean {
+  return getKey(PIN_ACCOUNT) !== undefined;
+}
+
+function hashPIN(pin: string, salt: Buffer): Buffer {
+  return createHash('sha256').update(salt).update(pin).digest();
+}
+
+/**
+ * Set a new PIN. Rejects if `pin` is not exactly 6 ASCII digits.
+ * Throws if the store write fails.
+ */
+export function setPIN(pin: string): void {
+  if (!/^\d{6}$/.test(pin)) {
+    throw new Error('PIN must be exactly 6 digits');
+  }
+  const salt = randomBytes(16);
+  const hash = hashPIN(pin, salt);
+  const stored = `${salt.toString('hex')}:${hash.toString('hex')}`;
+  if (!setKey(PIN_ACCOUNT, stored)) {
+    throw new Error('Failed to persist PIN — encrypted store write error');
+  }
+  log.info('Parental control PIN set');
+}
+
+/**
+ * Verify a PIN attempt. Returns true on match, false on mismatch or if no
+ * PIN has been configured. Uses constant-time comparison to prevent timing
+ * attacks.
+ */
+export function verifyPIN(pin: string): boolean {
+  if (!/^\d{6}$/.test(pin)) return false;
+  const stored = getKey(PIN_ACCOUNT);
+  if (!stored) return false;
+
+  const colonIdx = stored.indexOf(':');
+  if (colonIdx === -1) return false;
+
+  try {
+    const salt = Buffer.from(stored.slice(0, colonIdx), 'hex');
+    const expectedHash = Buffer.from(stored.slice(colonIdx + 1), 'hex');
+    const actualHash = hashPIN(pin, salt);
+    if (actualHash.length !== expectedHash.length) return false;
+    return timingSafeEqual(actualHash, expectedHash);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Remove the PIN. The caller is responsible for requiring PIN verification
+ * before calling this.
+ */
+export function clearPIN(): void {
+  deleteKey(PIN_ACCOUNT);
+  log.info('Parental control PIN cleared');
+}
+
+// ---------------------------------------------------------------------------
+// Tool category → tool name mapping
+// ---------------------------------------------------------------------------
+
+/**
+ * Tool name prefixes that belong to each blocked category.
+ * A tool is considered blocked if its name starts with any of the listed
+ * prefixes (case-sensitive).
+ */
+export const TOOL_CATEGORY_PREFIXES: Record<ParentalToolCategory, string[]> = {
+  computer_use: ['cu_', 'computer_use', 'screenshot', 'accessibility_'],
+  network: ['web_fetch', 'web_search', 'browser_'],
+  shell: ['bash', 'terminal', 'host_shell'],
+  file_write: ['file_write', 'file_edit', 'multi_edit', 'file_delete', 'git'],
+};
+
+/**
+ * Returns true if the given tool name falls within any of the currently
+ * blocked tool categories.
+ */
+export function isToolBlocked(toolName: string): boolean {
+  const { enabled, blockedToolCategories } = getParentalControlSettings();
+  if (!enabled || blockedToolCategories.length === 0) return false;
+
+  for (const category of blockedToolCategories) {
+    const prefixes = TOOL_CATEGORY_PREFIXES[category];
+    // Guard against unknown categories that may appear after deserialization of
+    // settings written by a newer client version — skip rather than throw.
+    if (!prefixes) continue;
+    if (prefixes.some((p) => toolName.startsWith(p))) return true;
+  }
+  return false;
+}

package/src/security/secret-allowlist.ts

@@ -13,9 +13,10 @@
  * }
  */
 
-import { readFileSync, existsSync } from 'node:fs';
+import { readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { getRootDir } from '../util/platform.js';
+import { pathExists } from '../util/fs.js';
 import { getLogger } from '../util/logger.js';
 
 const log = getLogger('secret-allowlist');
@@ -44,7 +45,7 @@ export function loadAllowlist(): void {
   if (loaded || fileChecked) return;
 
   const filePath = join(getRootDir(), 'protected', 'secret-allowlist.json');
-  if (!existsSync(filePath)) {
+  if (!pathExists(filePath)) {
     fileChecked = true;
     return;
   }
@@ -143,7 +144,7 @@ export function validateAllowlist(config: AllowlistConfig): AllowlistValidationE
  */
 export function validateAllowlistFile(): AllowlistValidationError[] | null {
   const filePath = join(getRootDir(), 'protected', 'secret-allowlist.json');
-  if (!existsSync(filePath)) return null;
+  if (!pathExists(filePath)) return null;
 
   const raw = readFileSync(filePath, 'utf-8');
   const config: AllowlistConfig = JSON.parse(raw);

package/src/security/secret-scanner.ts

@@ -393,7 +393,7 @@ function scanEntropy(
   // Scan hex tokens
   HEX_TOKEN_RE.lastIndex = 0;
   let m: RegExpExecArray | null;
-  while ((m = HEX_TOKEN_RE.exec(text)) !== null) {
+  while ((m = HEX_TOKEN_RE.exec(text)) != null) {
     const value = m[1];
     if (value.length < config.minLength) continue;
     const startIndex = m.index;
@@ -424,7 +424,7 @@ function scanEntropy(
 
   // Scan base64 tokens
   BASE64_TOKEN_RE.lastIndex = 0;
-  while ((m = BASE64_TOKEN_RE.exec(text)) !== null) {
+  while ((m = BASE64_TOKEN_RE.exec(text)) != null) {
     const value = m[1];
     if (value.length < config.minLength) continue;
     // Must look like base64 (not pure alphanumeric) or pure hex
@@ -603,7 +603,7 @@ function scanEncoded(
     for (const pattern of PATTERNS) {
       pattern.regex.lastIndex = 0;
       let pm: RegExpExecArray | null;
-      while ((pm = pattern.regex.exec(decoded)) !== null) {
+      while ((pm = pattern.regex.exec(decoded)) != null) {
         const value = pm[1] ?? pm[0];
         if (isPlaceholder(value)) continue;
         if (isAllowlisted(value)) continue;
@@ -649,7 +649,7 @@ function scanEncoded(
     if (quickCheck && !quickCheck(text)) continue;
     regex.lastIndex = 0;
     let m: RegExpExecArray | null;
-    while ((m = regex.exec(text)) !== null) {
+    while ((m = regex.exec(text)) != null) {
       const encoded = m[1] ?? m[0];
       if (encoded.length > 1000) continue;
       const startIndex = m.index + (m[0].indexOf(encoded));
@@ -688,7 +688,7 @@ export function scanText(text: string, entropyConfig?: Partial<EntropyConfig>):
     // Reset lastIndex for global regexes
     pattern.regex.lastIndex = 0;
     let m: RegExpExecArray | null;
-    while ((m = pattern.regex.exec(text)) !== null) {
+    while ((m = pattern.regex.exec(text)) != null) {
       // Use first capturing group if present, otherwise full match
       const value = m[1] ?? m[0];
       const startIndex = m.index + (m[0].indexOf(value));

package/src/security/secure-keys.ts

@@ -123,7 +123,7 @@ export function deleteSecureKey(account: string): boolean {
   // backend — saveConfig routinely deletes keys for unset providers.
   // getKey now returns null for "not found" and throws on runtime errors.
   try {
-    if (keychain.getKey(account) === null) {
+    if (keychain.getKey(account) == null) {
       return false;
     }
   } catch {

package/src/security/token-manager.ts

@@ -8,7 +8,7 @@
 
 import { getSecureKey, setSecureKey } from './secure-keys.js';
 import { getCredentialMetadata, upsertCredentialMetadata } from '../tools/credentials/metadata-store.js';
-import { refreshOAuth2Token } from './oauth2.js';
+import { refreshOAuth2Token, type TokenEndpointAuthMethod } from './oauth2.js';
 import { getLogger } from '../util/logger.js';
 
 const log = getLogger('token-manager');
@@ -66,11 +66,12 @@ async function doRefresh(service: string): Promise<string> {
   }
 
   const clientSecret = meta?.oauth2ClientSecret as string | undefined;
+  const authMethod = meta?.oauth2TokenEndpointAuthMethod as TokenEndpointAuthMethod | undefined;
   const resolvedTokenUrl = tokenUrl;
 
   log.info({ service }, 'Refreshing OAuth2 access token');
 
-  const result = await refreshOAuth2Token(resolvedTokenUrl, clientId, refreshToken, clientSecret);
+  const result = await refreshOAuth2Token(resolvedTokenUrl, clientId, refreshToken, clientSecret, authMethod);
 
   if (!setSecureKey(`credential:${service}:access_token`, result.accessToken)) {
     throw new Error(`Failed to store refreshed access token for "${service}"`);

package/src/services/vercel-deploy.ts

@@ -2,6 +2,8 @@
  * Thin wrapper around the Vercel REST API for deploying static HTML pages.
  */
 
+import { ProviderError } from '../util/errors.js';
+
 export async function deployHtmlToVercel(opts: {
   html: string;
   name: string;
@@ -37,7 +39,7 @@ export async function deployHtmlToVercel(opts: {
 
   if (!response.ok) {
     const text = await response.text();
-    throw new Error(`Vercel deploy failed (${response.status}): ${text}`);
+    throw new ProviderError(`Vercel deploy failed (${response.status}): ${text}`, 'vercel', response.status);
   }
 
   const data = (await response.json()) as { url: string; id: string };
@@ -66,8 +68,10 @@ export async function deleteVercelDeployment(
 
   if (!response.ok) {
     const text = await response.text();
-    throw new Error(
+    throw new ProviderError(
       `Vercel delete deployment failed (${response.status}): ${text}`,
+      'vercel',
+      response.status,
     );
   }
 }