@vellumai/assistant 0.4.34 → 0.4.36

package/src/__tests__/script-proxy-injection-runtime.test.ts

@@ -9,11 +9,16 @@ import type { ResolvedCredential } from "../tools/credentials/resolve.js";
 
 // Track resolveById return values per credential ID
 let resolveByIdResults = new Map<string, ResolvedCredential | undefined>();
+let resolveByServiceFieldResults = new Map<
+  string,
+  ResolvedCredential | undefined
+>();
 let credentialMetadataList: CredentialMetadata[] = [];
 
 mock.module("../tools/credentials/resolve.js", () => ({
   resolveById: (credentialId: string) => resolveByIdResults.get(credentialId),
-  resolveByServiceField: () => undefined,
+  resolveByServiceField: (service: string, field: string) =>
+    resolveByServiceFieldResults.get(`${service}:${field}`),
   resolveForDomain: () => [],
 }));
 
@@ -27,7 +32,7 @@ let secureKeyValues = new Map<string, string | undefined>();
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (account: string) => secureKeyValues.get(account),
   setSecureKey: () => true,
-  deleteSecureKey: () => true,
+  deleteSecureKey: () => "deleted",
   listSecureKeys: () => [],
   getBackendType: () => "encrypted",
   _resetBackend: () => {},
@@ -54,6 +59,7 @@ import {
 afterEach(async () => {
   await stopAllSessions();
   resolveByIdResults = new Map();
+  resolveByServiceFieldResults = new Map();
   secureKeyValues = new Map();
   credentialMetadataList = [];
 });
@@ -427,3 +433,294 @@ describe("injected header values never appear in sanitized log entries", () => {
     expect(sanitized["x-custom-key"]).toBe("[REDACTED]");
   });
 });
+
+// ---------------------------------------------------------------------------
+// composeWith injection — multi-value credential composition and transforms
+// ---------------------------------------------------------------------------
+
+describe("composeWith injection", () => {
+  const CONV_ID = "conv-compose-test";
+  const DATA_DIR = "/tmp/vellum-compose-test";
+
+  test("composes two credential values with separator via policyCallback", async () => {
+    let receivedHeaders: http.IncomingHttpHeaders = {};
+    const echo = http.createServer((req, res) => {
+      receivedHeaders = req.headers;
+      res.writeHead(200);
+      res.end("ok");
+    });
+    await new Promise<void>((resolve) => echo.listen(0, "127.0.0.1", resolve));
+    const echoPort = (echo.address() as { port: number }).port;
+
+    try {
+      const tpl: CredentialInjectionTemplate = {
+        hostPattern: "127.0.0.1",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Basic ",
+        valueTransform: "base64",
+        composeWith: { service: "twilio", field: "auth_token", separator: ":" },
+      };
+
+      const primaryResolved = makeResolved(
+        "cred-primary",
+        [tpl],
+        "twilio",
+        "account_sid",
+      );
+      resolveByIdResults.set("cred-primary", primaryResolved);
+      credentialMetadataList.push(primaryResolved.metadata);
+
+      const composedResolved = makeResolved(
+        "cred-composed",
+        [],
+        "twilio",
+        "auth_token",
+      );
+      resolveByServiceFieldResults.set("twilio:auth_token", composedResolved);
+
+      secureKeyValues.set("credential:twilio:account_sid", "ACtest123");
+      secureKeyValues.set("credential:twilio:auth_token", "secret456");
+
+      const session = createSession(
+        CONV_ID,
+        ["cred-primary"],
+        undefined,
+        DATA_DIR,
+      );
+      const started = await startSession(session.id);
+      expect(started.status).toBe("active");
+
+      const status = await proxyRequest(
+        started.port!,
+        `http://127.0.0.1:${echoPort}/test`,
+      );
+
+      expect(status).toBe(200);
+      const expectedValue =
+        "Basic " + Buffer.from("ACtest123:secret456").toString("base64");
+      expect(receivedHeaders["authorization"]).toBe(expectedValue);
+    } finally {
+      echo.close();
+    }
+  });
+
+  test("composeWith with missing composed credential blocks request", async () => {
+    const echo = http.createServer((_req, res) => {
+      res.writeHead(200);
+      res.end("ok");
+    });
+    await new Promise<void>((resolve) => echo.listen(0, "127.0.0.1", resolve));
+    const echoPort = (echo.address() as { port: number }).port;
+
+    try {
+      const tpl: CredentialInjectionTemplate = {
+        hostPattern: "127.0.0.1",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Basic ",
+        valueTransform: "base64",
+        composeWith: { service: "twilio", field: "auth_token", separator: ":" },
+      };
+
+      const primaryResolved = makeResolved(
+        "cred-primary",
+        [tpl],
+        "twilio",
+        "account_sid",
+      );
+      resolveByIdResults.set("cred-primary", primaryResolved);
+      credentialMetadataList.push(primaryResolved.metadata);
+      secureKeyValues.set("credential:twilio:account_sid", "ACtest123");
+
+      // Do NOT register the composed credential in resolveByServiceFieldResults
+
+      const session = createSession(
+        CONV_ID,
+        ["cred-primary"],
+        undefined,
+        DATA_DIR,
+      );
+      const started = await startSession(session.id);
+      expect(started.status).toBe("active");
+
+      const status = await proxyRequest(
+        started.port!,
+        `http://127.0.0.1:${echoPort}/test`,
+      );
+
+      // Missing composeWith credential blocks the request (fail-closed)
+      expect(status).toBe(403);
+    } finally {
+      echo.close();
+    }
+  });
+
+  test("valueTransform base64 without composeWith", async () => {
+    let receivedHeaders: http.IncomingHttpHeaders = {};
+    const echo = http.createServer((req, res) => {
+      receivedHeaders = req.headers;
+      res.writeHead(200);
+      res.end("ok");
+    });
+    await new Promise<void>((resolve) => echo.listen(0, "127.0.0.1", resolve));
+    const echoPort = (echo.address() as { port: number }).port;
+
+    try {
+      const tpl: CredentialInjectionTemplate = {
+        hostPattern: "127.0.0.1",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Token ",
+        valueTransform: "base64",
+      };
+
+      const resolved = makeResolved("cred-b64", [tpl]);
+      resolveByIdResults.set("cred-b64", resolved);
+      credentialMetadataList.push(resolved.metadata);
+      secureKeyValues.set("credential:test-service:api-key", "plaintext");
+
+      const session = createSession(CONV_ID, ["cred-b64"], undefined, DATA_DIR);
+      const started = await startSession(session.id);
+      expect(started.status).toBe("active");
+
+      const status = await proxyRequest(
+        started.port!,
+        `http://127.0.0.1:${echoPort}/test`,
+      );
+
+      expect(status).toBe(200);
+      const expectedValue =
+        "Token " + Buffer.from("plaintext").toString("base64");
+      expect(receivedHeaders["authorization"]).toBe(expectedValue);
+    } finally {
+      echo.close();
+    }
+  });
+
+  test("composeWith blocks when composed credential resolves but secret value is missing", async () => {
+    const echo = http.createServer((_req, res) => {
+      res.writeHead(200);
+      res.end("ok");
+    });
+    await new Promise<void>((resolve) => echo.listen(0, "127.0.0.1", resolve));
+    const echoPort = (echo.address() as { port: number }).port;
+
+    try {
+      const tpl: CredentialInjectionTemplate = {
+        hostPattern: "127.0.0.1",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Basic ",
+        valueTransform: "base64",
+        composeWith: { service: "twilio", field: "auth_token", separator: ":" },
+      };
+
+      const primaryResolved = makeResolved(
+        "cred-primary",
+        [tpl],
+        "twilio",
+        "account_sid",
+      );
+      resolveByIdResults.set("cred-primary", primaryResolved);
+      credentialMetadataList.push(primaryResolved.metadata);
+      secureKeyValues.set("credential:twilio:account_sid", "ACtest123");
+
+      // Composed credential metadata resolves, but no secret value stored
+      const composedResolved = makeResolved(
+        "cred-composed",
+        [],
+        "twilio",
+        "auth_token",
+      );
+      resolveByServiceFieldResults.set("twilio:auth_token", composedResolved);
+      // Do NOT set secureKeyValues for "credential:twilio:auth_token"
+
+      const session = createSession(
+        CONV_ID,
+        ["cred-primary"],
+        undefined,
+        DATA_DIR,
+      );
+      const started = await startSession(session.id);
+      expect(started.status).toBe("active");
+
+      const status = await proxyRequest(
+        started.port!,
+        `http://127.0.0.1:${echoPort}/test`,
+      );
+
+      // Missing secret value for composed credential blocks the request
+      expect(status).toBe(403);
+    } finally {
+      echo.close();
+    }
+  });
+
+  test("composeWith without valueTransform concatenates raw", async () => {
+    let receivedHeaders: http.IncomingHttpHeaders = {};
+    const echo = http.createServer((req, res) => {
+      receivedHeaders = req.headers;
+      res.writeHead(200);
+      res.end("ok");
+    });
+    await new Promise<void>((resolve) => echo.listen(0, "127.0.0.1", resolve));
+    const echoPort = (echo.address() as { port: number }).port;
+
+    try {
+      const tpl: CredentialInjectionTemplate = {
+        hostPattern: "127.0.0.1",
+        injectionType: "header",
+        headerName: "X-Composed",
+        valuePrefix: "Raw ",
+        composeWith: {
+          service: "my-service",
+          field: "secondary-key",
+          separator: ":",
+        },
+      };
+
+      const primaryResolved = makeResolved(
+        "cred-raw-primary",
+        [tpl],
+        "my-service",
+        "primary-key",
+      );
+      resolveByIdResults.set("cred-raw-primary", primaryResolved);
+      credentialMetadataList.push(primaryResolved.metadata);
+
+      const composedResolved = makeResolved(
+        "cred-raw-composed",
+        [],
+        "my-service",
+        "secondary-key",
+      );
+      resolveByServiceFieldResults.set(
+        "my-service:secondary-key",
+        composedResolved,
+      );
+
+      secureKeyValues.set("credential:my-service:primary-key", "value1");
+      secureKeyValues.set("credential:my-service:secondary-key", "value2");
+
+      const session = createSession(
+        CONV_ID,
+        ["cred-raw-primary"],
+        undefined,
+        DATA_DIR,
+      );
+      const started = await startSession(session.id);
+      expect(started.status).toBe("active");
+
+      const status = await proxyRequest(
+        started.port!,
+        `http://127.0.0.1:${echoPort}/test`,
+      );
+
+      expect(status).toBe(200);
+      expect(receivedHeaders["x-composed"]).toBe("Raw value1:value2");
+    } finally {
+      echo.close();
+    }
+  });
+});

package/src/__tests__/script-proxy-profile-template-fallback.test.ts

@@ -23,7 +23,7 @@ mock.module("../tools/credentials/metadata-store.js", () => ({
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (account: string) => secureKeyValues.get(account),
   setSecureKey: () => true,
-  deleteSecureKey: () => true,
+  deleteSecureKey: () => "deleted",
   listSecureKeys: () => [],
   getBackendType: () => "encrypted",
   _resetBackend: () => {},

package/src/__tests__/secret-onetime-send.test.ts

@@ -35,9 +35,15 @@ mock.module("../security/secure-keys.js", () => ({
     storedKeys.set(key, value);
     return true;
   },
-  deleteSecureKey: (key: string) => storedKeys.delete(key),
+  deleteSecureKey: (key: string) => {
+    if (storedKeys.has(key)) {
+      storedKeys.delete(key);
+      return "deleted";
+    }
+    return "not-found";
+  },
   listSecureKeys: () => [],
-  getBackendType: () => "keychain",
+  getBackendType: () => "encrypted",
   isDowngradedFromKeychain: () => false,
 }));