@vellumai/assistant 0.3.4 → 0.3.6

package/src/tools/browser/browser-manager.ts

@@ -5,9 +5,18 @@ import { getLogger } from '../../util/logger.js';
 import { checkBrowserRuntime } from './runtime-check.js';
 import { authSessionCache } from './auth-cache.js';
 import type { ExtractedCredential } from './network-recording-types.js';
+import { silentlyWithLog } from '../../util/silently.js';
 
 const log = getLogger('browser-manager');
 
+function getDownloadsDir(): string {
+  const dir = join(getDataDir(), 'browser-downloads');
+  mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
+export type DownloadInfo = { path: string; filename: string };
+
 type BrowserContext = {
   newPage(): Promise<Page>;
   close(): Promise<void>;
@@ -51,7 +60,7 @@ export type Page = {
     move(x: number, y: number): Promise<void>;
     wheel(deltaX: number, deltaY: number): Promise<void>;
   };
-  bringToFront(): Promise<void>;
+  on(event: string, handler: (...args: unknown[]) => void): void;
 };
 
 type ScreencastFrameMetadata = {
@@ -108,6 +117,8 @@ class BrowserManager {
   private interactiveModeSessions = new Set<string>();
   private handoffResolvers = new Map<string, () => void>();
   private sessionSenders = new Map<string, (msg: { type: string; sessionId: string }) => void>();
+  private downloads = new Map<string, DownloadInfo[]>();
+  private pendingDownloads = new Map<string, { resolve: (info: DownloadInfo) => void; reject: (err: Error) => void }[]>();
 
   get browserMode(): 'headless' | 'cdp' {
     return this._browserMode;
@@ -193,7 +204,7 @@ class BrowserManager {
     this.contextCreating = (async () => {
       // Deterministic test mode: when launch is injected via setLaunchFn,
       // bypass ambient CDP probing/negotiation and use the injected launcher.
-      const hasInjectedLaunchFn = launchPersistentContext !== null;
+      const hasInjectedLaunchFn = launchPersistentContext != null;
 
       if (!hasInjectedLaunchFn) {
         // Try to detect or negotiate CDP before falling back to headless.
@@ -339,6 +350,11 @@ class BrowserManager {
           this.cdpSessions.clear();
           this.screencastCallbacks.clear();
           this.snapshotMaps.clear();
+          this.downloads.clear();
+          for (const pending of this.pendingDownloads.values()) {
+            for (const waiter of pending) waiter.reject(new Error('Browser closed'));
+          }
+          this.pendingDownloads.clear();
         };
         rawCtx.on('close', this.contextCloseHandler);
       }
@@ -365,6 +381,9 @@ class BrowserManager {
     this.pages.set(sessionId, page);
     this.rawPages.set(sessionId, page);
 
+    // Track downloads for this page
+    this.setupDownloadTracking(sessionId, page);
+
     // In CDP mode, keep the window minimized unless we're in an active handoff.
     if (this._browserMode === 'cdp' && !this.interactiveModeSessions.has(sessionId)) {
       await this.moveWindowOffscreen();
@@ -390,6 +409,13 @@ class BrowserManager {
     this.pages.delete(sessionId);
     this.rawPages.delete(sessionId);
     this.snapshotMaps.delete(sessionId);
+    this.downloads.delete(sessionId);
+    // Reject any pending download waiters
+    const pending = this.pendingDownloads.get(sessionId);
+    if (pending) {
+      for (const waiter of pending) waiter.reject(new Error('Session closed'));
+      this.pendingDownloads.delete(sessionId);
+    }
     log.debug({ sessionId }, 'Session page closed');
   }
 
@@ -415,6 +441,11 @@ class BrowserManager {
     this.pages.clear();
     this.rawPages.clear();
     this.snapshotMaps.clear();
+    this.downloads.clear();
+    for (const pending of this.pendingDownloads.values()) {
+      for (const waiter of pending) waiter.reject(new Error('Browser closed'));
+    }
+    this.pendingDownloads.clear();
 
     if (this.context) {
       // Remove the close listener before intentional close to avoid
@@ -477,7 +508,7 @@ class BrowserManager {
 
     cdp.on('Page.screencastFrame', (params) => {
       onFrame({ data: params.data as string, metadata: params.metadata as ScreencastFrameMetadata });
-      cdp.send('Page.screencastFrameAck', { sessionId: params.sessionId }).catch(() => {});
+      silentlyWithLog(cdp.send('Page.screencastFrameAck', { sessionId: params.sessionId }), 'screencast frame ack');
     });
 
     await cdp.send('Page.startScreencast', {
@@ -709,8 +740,92 @@ class BrowserManager {
     }
   }
 
+  private setupDownloadTracking(sessionId: string, page: Page): void {
+    page.on('download', async (download: unknown) => {
+      const dl = download as {
+        suggestedFilename(): string;
+        path(): Promise<string | null>;
+        saveAs(path: string): Promise<void>;
+        failure(): Promise<string | null>;
+      };
+      try {
+        const filename = dl.suggestedFilename();
+        const destPath = join(getDownloadsDir(), `${Date.now()}-${filename}`);
+        await dl.saveAs(destPath);
+        const info: DownloadInfo = { path: destPath, filename };
+
+        // Resolve a pending waiter if one exists, otherwise store for later retrieval
+        const pending = this.pendingDownloads.get(sessionId);
+        if (pending && pending.length > 0) {
+          const waiter = pending.shift()!;
+          waiter.resolve(info);
+          if (pending.length === 0) this.pendingDownloads.delete(sessionId);
+        } else {
+          const list = this.downloads.get(sessionId) ?? [];
+          list.push(info);
+          this.downloads.set(sessionId, list);
+        }
+
+        log.info({ sessionId, filename, path: destPath }, 'Download completed');
+      } catch (err) {
+        const failure = await dl.failure();
+        log.warn({ err, failure, sessionId }, 'Download failed');
+
+        // Reject any pending waiters
+        const pending = this.pendingDownloads.get(sessionId);
+        if (pending && pending.length > 0) {
+          const waiter = pending.shift()!;
+          waiter.reject(new Error(`Download failed: ${failure ?? String(err)}`));
+          if (pending.length === 0) this.pendingDownloads.delete(sessionId);
+        }
+      }
+    });
+  }
+
+  getLastDownload(sessionId: string): DownloadInfo | null {
+    const list = this.downloads.get(sessionId);
+    if (!list || list.length === 0) return null;
+    return list[list.length - 1];
+  }
+
+  waitForDownload(sessionId: string, timeoutMs: number = 30_000): Promise<DownloadInfo> {
+    // Check if an unconsumed download already completed for this session
+    const existing = this.downloads.get(sessionId);
+    if (existing && existing.length > 0) {
+      const info = existing.pop()!;
+      if (existing.length === 0) this.downloads.delete(sessionId);
+      return Promise.resolve(info);
+    }
+
+    return new Promise<DownloadInfo>((resolve, reject) => {
+      const timer = setTimeout(() => {
+        // Remove this waiter from the pending list
+        const pending = this.pendingDownloads.get(sessionId);
+        if (pending) {
+          const idx = pending.findIndex(w => w.resolve === wrappedResolve);
+          if (idx >= 0) pending.splice(idx, 1);
+          if (pending.length === 0) this.pendingDownloads.delete(sessionId);
+        }
+        reject(new Error(`Download timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+
+      const wrappedResolve = (info: DownloadInfo) => {
+        clearTimeout(timer);
+        resolve(info);
+      };
+      const wrappedReject = (err: Error) => {
+        clearTimeout(timer);
+        reject(err);
+      };
+
+      const pending = this.pendingDownloads.get(sessionId) ?? [];
+      pending.push({ resolve: wrappedResolve, reject: wrappedReject });
+      this.pendingDownloads.set(sessionId, pending);
+    });
+  }
+
   hasContext(): boolean {
-    return this.context !== null;
+    return this.context != null;
   }
 }
 

package/src/tools/browser/network-recorder.ts

@@ -106,6 +106,11 @@ export class NetworkRecorder {
   /** URL patterns that indicate a successful login (checked via `includes`). */
   loginSignals: string[] = [];
 
+  /** Number of network entries recorded so far. */
+  get entryCount(): number {
+    return this.entries.size;
+  }
+
   constructor(targetDomain?: string) {
     this.targetDomain = targetDomain;
   }

package/src/tools/calls/call-start.ts

@@ -54,6 +54,7 @@ class CallStartTool implements Tool {
       task: input.task as string,
       context: input.context as string | undefined,
       conversationId: context.conversationId,
+      assistantId: context.assistantId,
       callerIdentityMode: input.caller_identity_mode as 'assistant_number' | 'user_number' | undefined,
     });
 

package/src/tools/credentials/broker.ts

@@ -20,6 +20,9 @@ import { getLogger } from '../../util/logger.js';
 
 const log = getLogger('credential-broker');
 
+/** Tokens expire after 5 minutes to limit the window for using stale/revoked credentials. */
+const TOKEN_TTL_MS = 5 * 60 * 1000;
+
 /**
  * Credential broker that issues single-use tokens for policy-checked credential access.
  *
@@ -101,6 +104,11 @@ export class CredentialBroker {
     if (token.consumed) {
       return { success: false, reason: 'Token already consumed' };
     }
+    if (Date.now() - token.createdAt > TOKEN_TTL_MS) {
+      this.tokens.delete(tokenId);
+      log.info({ tokenId }, 'Token expired (TTL exceeded)');
+      return { success: false, reason: 'Token expired' };
+    }
 
     token.consumed = true;
     const storageKey = `credential:${token.service}:${token.field}`;
@@ -358,11 +366,12 @@ export class CredentialBroker {
     };
   }
 
-  /** Return the number of active (non-consumed, non-revoked) tokens. */
+  /** Return the number of active (non-consumed, non-revoked, non-expired) tokens. */
   get activeTokenCount(): number {
+    const now = Date.now();
     let count = 0;
     for (const token of this.tokens.values()) {
-      if (!token.consumed) count++;
+      if (!token.consumed && now - token.createdAt <= TOKEN_TTL_MS) count++;
     }
     return count;
   }

package/src/tools/credentials/metadata-store.ts

@@ -6,9 +6,10 @@
  * in the secure key backend only.
  */
 
-import { readFileSync, writeFileSync, mkdirSync, existsSync, renameSync } from 'node:fs';
+import { writeFileSync, renameSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { getDataDir } from '../../util/platform.js';
+import { ensureDir, readTextFileSync } from '../../util/fs.js';
 import { randomUUID } from 'node:crypto';
 import type { CredentialInjectionTemplate } from './policy-types.js';
 
@@ -28,6 +29,8 @@ export interface CredentialMetadata {
   oauth2ClientId?: string;
   /** OAuth2 client secret — for providers that require it (e.g. Slack). Stored in metadata for autonomous refresh. */
   oauth2ClientSecret?: string;
+  /** How the client authenticates at the token endpoint (client_secret_basic or client_secret_post). */
+  oauth2TokenEndpointAuthMethod?: string;
   /** Human-friendly name for this credential (e.g. "fal-primary"). */
   alias?: string;
   /** Templates describing how to inject this credential into proxied requests. */
@@ -71,7 +74,7 @@ function isUnknownVersion(r: LoadResult): r is UnknownVersionResult {
  * Filters out corrupted or incomplete entries during migration.
  */
 function isValidCredentialRecord(record: unknown): record is Record<string, unknown> {
-  if (typeof record !== 'object' || record === null) return false;
+  if (typeof record !== 'object' || record == null) return false;
   const r = record as Record<string, unknown>;
   return (
     typeof r.credentialId === 'string' &&
@@ -99,6 +102,7 @@ function migrateRecordV1toV2(record: Record<string, unknown>): CredentialMetadat
     oauth2TokenUrl: typeof record.oauth2TokenUrl === 'string' ? record.oauth2TokenUrl : undefined,
     oauth2ClientId: typeof record.oauth2ClientId === 'string' ? record.oauth2ClientId : undefined,
     oauth2ClientSecret: typeof record.oauth2ClientSecret === 'string' ? record.oauth2ClientSecret : undefined,
+    oauth2TokenEndpointAuthMethod: typeof record.oauth2TokenEndpointAuthMethod === 'string' ? record.oauth2TokenEndpointAuthMethod : undefined,
     alias: typeof record.alias === 'string' ? record.alias : undefined,
     injectionTemplates: Array.isArray(record.injectionTemplates)
       ? (record.injectionTemplates as CredentialInjectionTemplate[])
@@ -109,14 +113,13 @@ function migrateRecordV1toV2(record: Record<string, unknown>): CredentialMetadat
 }
 
 function loadFile(): LoadResult {
-  const path = getMetadataPath();
-  if (!existsSync(path)) {
+  const raw = readTextFileSync(getMetadataPath());
+  if (raw == null) {
     return { version: CURRENT_VERSION, credentials: [] };
   }
   try {
-    const raw = readFileSync(path, 'utf-8');
     const data = JSON.parse(raw);
-    if (typeof data !== 'object' || data === null) {
+    if (typeof data !== 'object' || data == null) {
       return { version: CURRENT_VERSION, credentials: [] };
     }
     const fileVersion = typeof data.version === 'number' ? data.version : 1;
@@ -146,9 +149,7 @@ function loadFile(): LoadResult {
 function saveFile(data: MetadataFile): void {
   const path = getMetadataPath();
   const dir = dirname(path);
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true });
-  }
+  ensureDir(dir);
   const tmpPath = join(dir, `.tmp-${randomUUID()}`);
   writeFileSync(tmpPath, JSON.stringify(data, null, 2), 'utf-8');
   renameSync(tmpPath, path);
@@ -186,6 +187,7 @@ export function upsertCredentialMetadata(
     oauth2ClientId?: string;
     /** Pass `null` to explicitly clear a previously-set client secret. */
     oauth2ClientSecret?: string | null;
+    oauth2TokenEndpointAuthMethod?: string;
     /** Pass `null` to explicitly clear a previously-set alias. */
     alias?: string | null;
     /** Pass `null` to explicitly clear injection templates. */
@@ -208,7 +210,7 @@ export function upsertCredentialMetadata(
     if (policy?.allowedDomains !== undefined) existing.allowedDomains = policy.allowedDomains;
     if (policy?.usageDescription !== undefined) existing.usageDescription = policy.usageDescription;
     if (policy?.expiresAt !== undefined) {
-      if (policy.expiresAt === null) {
+      if (policy.expiresAt == null) {
         delete existing.expiresAt;
       } else {
         existing.expiresAt = policy.expiresAt;
@@ -216,7 +218,7 @@ export function upsertCredentialMetadata(
     }
     if (policy?.grantedScopes !== undefined) existing.grantedScopes = policy.grantedScopes;
     if (policy?.accountInfo !== undefined) {
-      if (policy.accountInfo === null) {
+      if (policy.accountInfo == null) {
         delete existing.accountInfo;
       } else {
         existing.accountInfo = policy.accountInfo;
@@ -225,21 +227,22 @@ export function upsertCredentialMetadata(
     if (policy?.oauth2TokenUrl !== undefined) existing.oauth2TokenUrl = policy.oauth2TokenUrl;
     if (policy?.oauth2ClientId !== undefined) existing.oauth2ClientId = policy.oauth2ClientId;
     if (policy?.oauth2ClientSecret !== undefined) {
-      if (policy.oauth2ClientSecret === null) {
+      if (policy.oauth2ClientSecret == null) {
         delete existing.oauth2ClientSecret;
       } else {
         existing.oauth2ClientSecret = policy.oauth2ClientSecret;
       }
     }
+    if (policy?.oauth2TokenEndpointAuthMethod !== undefined) existing.oauth2TokenEndpointAuthMethod = policy.oauth2TokenEndpointAuthMethod;
     if (policy?.alias !== undefined) {
-      if (policy.alias === null) {
+      if (policy.alias == null) {
         delete existing.alias;
       } else {
         existing.alias = policy.alias;
       }
     }
     if (policy?.injectionTemplates !== undefined) {
-      if (policy.injectionTemplates === null) {
+      if (policy.injectionTemplates == null) {
         delete existing.injectionTemplates;
       } else {
         existing.injectionTemplates = policy.injectionTemplates;
@@ -263,6 +266,7 @@ export function upsertCredentialMetadata(
     oauth2TokenUrl: policy?.oauth2TokenUrl,
     oauth2ClientId: policy?.oauth2ClientId,
     oauth2ClientSecret: policy?.oauth2ClientSecret ?? undefined,
+    oauth2TokenEndpointAuthMethod: policy?.oauth2TokenEndpointAuthMethod,
     alias: policy?.alias ?? undefined,
     injectionTemplates: policy?.injectionTemplates ?? undefined,
     createdAt: now,

package/src/tools/credentials/post-connect-hooks.ts

@@ -0,0 +1,61 @@
+/**
+ * Post-connect hooks for OAuth2 services.
+ *
+ * This module decouples provider-specific post-connection side effects
+ * (e.g. sending a welcome DM after Slack OAuth) from the generic vault
+ * OAuth2 flow. Each hook is keyed by canonical service name and receives
+ * the raw token response so it can perform provider-specific actions.
+ */
+
+import { authTest, conversationsOpen, postMessage } from '../../messaging/providers/slack/client.js';
+import { getLogger } from '../../util/logger.js';
+
+const log = getLogger('post-connect-hooks');
+
+export interface PostConnectHookContext {
+  service: string;
+  rawTokenResponse: Record<string, unknown>;
+}
+
+type PostConnectHook = (ctx: PostConnectHookContext) => Promise<void>;
+
+// ---------------------------------------------------------------------------
+// Provider-specific hooks
+// ---------------------------------------------------------------------------
+
+async function slackWelcomeDM(ctx: PostConnectHookContext): Promise<void> {
+  const botToken = ctx.rawTokenResponse.access_token as string | undefined;
+  const authedUser = ctx.rawTokenResponse.authed_user as Record<string, unknown> | undefined;
+  const installingUserId = authedUser?.id as string | undefined;
+  if (!botToken || !installingUserId) return;
+
+  const identity = await authTest(botToken);
+  const dmChannel = await conversationsOpen(botToken, installingUserId);
+  const welcomeMsg =
+    `You have installed ${identity.user}, an AI Assistant, on ${identity.team}. ` +
+    `You can manage the assistant experience for this workspace by chatting with the assistant or from the Settings page.`;
+  await postMessage(botToken, dmChannel.channel.id, welcomeMsg);
+}
+
+// ---------------------------------------------------------------------------
+// Registry
+// ---------------------------------------------------------------------------
+
+const POST_CONNECT_HOOKS: Record<string, PostConnectHook> = {
+  'integration:slack': slackWelcomeDM,
+};
+
+/**
+ * Run the post-connect hook for a service, if one is registered.
+ * Failures are logged but never propagated -- they must not break the OAuth flow.
+ */
+export async function runPostConnectHook(ctx: PostConnectHookContext): Promise<void> {
+  const hook = POST_CONNECT_HOOKS[ctx.service];
+  if (!hook) return;
+
+  try {
+    await hook(ctx);
+  } catch (err) {
+    log.warn({ err, service: ctx.service }, 'Post-connect hook failed (non-fatal)');
+  }
+}

package/src/tools/credentials/vault.ts

@@ -13,8 +13,8 @@ import { upsertCredentialMetadata, deleteCredentialMetadata, getCredentialMetada
 import { validatePolicyInput, toPolicyFromInput } from './policy-validate.js';
 import type { CredentialPolicyInput, CredentialInjectionTemplate } from './policy-types.js';
 import { credentialBroker } from './broker.js';
-import { startOAuth2Flow } from '../../security/oauth2.js';
-import { authTest, conversationsOpen, postMessage } from '../../messaging/providers/slack/client.js';
+import { startOAuth2Flow, type TokenEndpointAuthMethod } from '../../security/oauth2.js';
+import { runPostConnectHook } from './post-connect-hooks.js';
 import { getConfig } from '../../config/loader.js';
 import { getLogger } from '../../util/logger.js';
 
@@ -32,6 +32,10 @@ interface WellKnownOAuthConfig {
   scopes: string[];
   userinfoUrl?: string;
   extraParams?: Record<string, string>;
+  /** How to send client credentials at the token endpoint. Defaults to client_secret_post. */
+  tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
+  /** Injection templates auto-applied to the access_token credential after a successful OAuth2 connect. */
+  injectionTemplates?: CredentialInjectionTemplate[];
 }
 
 const WELL_KNOWN_OAUTH: Record<string, WellKnownOAuthConfig> = {
@@ -64,12 +68,34 @@ const WELL_KNOWN_OAUTH: Record<string, WellKnownOAuthConfig> = {
       user_scope: 'channels:read,channels:history,groups:read,groups:history,im:read,im:history,mpim:read,mpim:history,users:read,chat:write,search:read,reactions:write',
     },
   },
+  // Notion uses a simple OAuth2 flow with client_secret_basic auth at the token endpoint.
+  // The access token is long-lived (no expiry) and scopes are configured per-integration in Notion
+  // (the authorization URL accepts owner=user but there are no traditional scope strings to request).
+  'integration:notion': {
+    authUrl: 'https://api.notion.com/v1/oauth/authorize',
+    tokenUrl: 'https://api.notion.com/v1/oauth/token',
+    scopes: [],
+    extraParams: { owner: 'user' },
+    // Notion requires HTTP Basic Auth (base64 of client_id:client_secret) at the token endpoint,
+    // not the default client_secret_post form-body approach.
+    tokenEndpointAuthMethod: 'client_secret_basic',
+    // Auto-inject the Bearer token for all Notion API calls made through the sandbox proxy.
+    injectionTemplates: [
+      {
+        hostPattern: 'api.notion.com',
+        injectionType: 'header',
+        headerName: 'Authorization',
+        valuePrefix: 'Bearer ',
+      },
+    ],
+  },
 };
 
 /** Map shorthand aliases to canonical service names. */
 const SERVICE_ALIASES: Record<string, string> = {
   gmail: 'integration:gmail',
   slack: 'integration:slack',
+  notion: 'integration:notion',
 };
 
 /** Resolve a service name through aliases. */
@@ -198,6 +224,11 @@ class CredentialStoreTool implements Tool {
             type: 'string',
             description: 'OAuth2 client secret for providers that require it (e.g. Google, Slack). If omitted, looked up from previously stored credentials; if still absent, PKCE-only is used (only for oauth2_connect action)',
           },
+          token_endpoint_auth_method: {
+            type: 'string',
+            enum: ['client_secret_basic', 'client_secret_post'],
+            description: 'How to send client credentials at the token endpoint: "client_secret_post" (default, in POST body) or "client_secret_basic" (HTTP Basic Auth header). Only for oauth2_connect action.',
+          },
           alias: {
             type: 'string',
             description: 'Human-friendly name for this credential (only for store action), e.g. "fal-primary"',
@@ -269,7 +300,7 @@ class CredentialStoreTool implements Tool {
           injectionTemplates = [];
           for (let i = 0; i < rawTemplates.length; i++) {
             const t = rawTemplates[i] as Record<string, unknown>;
-            if (typeof t !== 'object' || t === null) {
+            if (typeof t !== 'object' || t == null) {
               templateErrors.push(`injection_templates[${i}] must be an object`);
               continue;
             }
@@ -540,10 +571,15 @@ class CredentialStoreTool implements Tool {
           ?? findStoredOAuthField(service, ['client_id', 'oauth_client_id']);
         const clientSecret = (input.client_secret as string | undefined)
           ?? findStoredOAuthField(service, ['client_secret', 'oauth_client_secret']);
+        const tokenEndpointAuthMethod = (input.token_endpoint_auth_method as TokenEndpointAuthMethod | undefined)
+          ?? wellKnown?.tokenEndpointAuthMethod;
 
         if (!authUrl) return { content: 'Error: auth_url is required for oauth2_connect action (no well-known config for this service)', isError: true };
         if (!tokenUrl) return { content: 'Error: token_url is required for oauth2_connect action (no well-known config for this service)', isError: true };
-        if (!scopes || scopes.length === 0) return { content: 'Error: scopes is required for oauth2_connect action (no well-known config for this service)', isError: true };
+        // Scopes are optional — some providers (e.g. Notion) configure authorization at the integration
+        // level and don't use traditional scope strings. Reject only when scopes is entirely absent (not
+        // provided and no well-known config), not when it is an empty array.
+        if (!scopes) return { content: 'Error: scopes is required for oauth2_connect action (no well-known config for this service)', isError: true };
         if (!clientId) return { content: 'Error: client_id is required for oauth2_connect action. Provide it directly or store it first with credential_store.', isError: true };
 
         if (!context.isInteractive) {
@@ -560,7 +596,7 @@ class CredentialStoreTool implements Tool {
           const allowedTools = input.allowed_tools as string[] | undefined;
 
           const { tokens, grantedScopes, rawTokenResponse } = await startOAuth2Flow(
-            { authUrl, tokenUrl, scopes, clientId, clientSecret, extraParams, userinfoUrl },
+            { authUrl, tokenUrl, scopes, clientId, clientSecret, extraParams, userinfoUrl, tokenEndpointAuthMethod },
             {
               openUrl: (url) => {
                 context.sendToClient?.({ type: 'open_url', url, title: `Connect ${service}` });
@@ -602,6 +638,10 @@ class CredentialStoreTool implements Tool {
             }
           }
 
+          // Well-known configs may supply injection templates (e.g. auto-inject Bearer header for
+          // api.notion.com) so that bash/network_mode=proxied works without manual setup.
+          const wellKnownInjectionTemplates = wellKnown?.injectionTemplates;
+
           upsertCredentialMetadata(service, 'access_token', {
             allowedTools: allowedTools ?? [],
             expiresAt,
@@ -610,6 +650,8 @@ class CredentialStoreTool implements Tool {
             oauth2TokenUrl: tokenUrl,
             oauth2ClientId: clientId,
             ...(clientSecret ? { oauth2ClientSecret: clientSecret } : {}),
+            ...(tokenEndpointAuthMethod ? { oauth2TokenEndpointAuthMethod: tokenEndpointAuthMethod } : {}),
+            ...(wellKnownInjectionTemplates ? { injectionTemplates: wellKnownInjectionTemplates } : {}),
           });
 
           if (tokens.refreshToken) {
@@ -619,24 +661,8 @@ class CredentialStoreTool implements Tool {
             }
           }
 
-          // Send a welcome DM for Slack connections
-          if (service === 'integration:slack') {
-            try {
-              const botToken = rawTokenResponse.access_token as string | undefined;
-              const authedUser = rawTokenResponse.authed_user as Record<string, unknown> | undefined;
-              const installingUserId = authedUser?.id as string | undefined;
-              if (botToken && installingUserId) {
-                const identity = await authTest(botToken);
-                const dmChannel = await conversationsOpen(botToken, installingUserId);
-                const welcomeMsg =
-                  `You have installed ${identity.user}, an AI Assistant, on ${identity.team}. ` +
-                  `Manage the assistant experience for this workspace in the workspace settings page.`;
-                await postMessage(botToken, dmChannel.channel.id, welcomeMsg);
-              }
-            } catch (err) {
-              log.warn({ err }, 'Failed to send Slack welcome DM (non-fatal)');
-            }
-          }
+          // Run any provider-specific post-connect actions (e.g. Slack welcome DM)
+          await runPostConnectHook({ service, rawTokenResponse });
 
           return {
             content: `Successfully connected "${service}"${accountInfo ? ` as ${accountInfo}` : ''}. The service is now ready to use.`,

package/src/tools/execution-target.ts

@@ -1,7 +1,12 @@
 import type { ExecutionTarget } from './types.js';
 import { getTool } from './registry.js';
 
-export function resolveExecutionTarget(toolName: string): ExecutionTarget {
+export interface ManifestOverride {
+  risk: 'low' | 'medium' | 'high';
+  execution_target: 'host' | 'sandbox';
+}
+
+export function resolveExecutionTarget(toolName: string, manifestOverride?: ManifestOverride): ExecutionTarget {
   const tool = getTool(toolName);
   // Manifest-declared execution target is authoritative — check it first so
   // skill tools with host_/computer_use_ prefixes aren't mis-classified.
@@ -13,6 +18,11 @@ export function resolveExecutionTarget(toolName: string): ExecutionTarget {
   if (tool?.executionMode === 'proxy') {
     return 'host';
   }
+  // Use manifest metadata for unregistered skill tools so the Permission
+  // Simulator shows accurate execution targets instead of defaulting to sandbox.
+  if (!tool && manifestOverride) {
+    return manifestOverride.execution_target;
+  }
   // Prefix heuristics for core tools that don't declare an explicit target.
   if (toolName.startsWith('host_') || toolName.startsWith('computer_use_')) {
     return 'host';