@vellumai/assistant 0.4.37 → 0.4.41

package/src/__tests__/twitter-auth-handler.test.ts

@@ -10,17 +10,30 @@ const testDir = mkdtempSync(join(tmpdir(), "handlers-twitter-auth-test-"));
 let rawConfigStore: Record<string, unknown> = {};
 let mockIngressPublicBaseUrl: string | undefined = "https://test.example.com";
 
+function getNestedValue(obj: Record<string, unknown>, path: string): unknown {
+  const keys = path.split(".");
+  let current: unknown = obj;
+  for (const key of keys) {
+    if (current == null || typeof current !== "object") {
+      return undefined;
+    }
+    current = (current as Record<string, unknown>)[key];
+  }
+  return current;
+}
+
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     ui: {},
   }),
   loadConfig: () => ({ ingress: { publicBaseUrl: mockIngressPublicBaseUrl } }),
-  loadRawConfig: () => ({ ...rawConfigStore }),
+  loadRawConfig: () => structuredClone(rawConfigStore),
   saveRawConfig: (cfg: Record<string, unknown>) => {
-    rawConfigStore = { ...cfg };
+    rawConfigStore = structuredClone(cfg);
   },
   saveConfig: () => {},
   invalidateConfigCache: () => {},
+  getNestedValue,
 }));
 
 mock.module("../inbound/public-ingress-urls.js", () => ({
@@ -207,7 +220,7 @@ describe("Twitter auth handler", () => {
 
   describe("twitter_auth_start", () => {
     test("fails if mode is not local_byo", async () => {
-      rawConfigStore = { twitterIntegrationMode: "managed" };
+      rawConfigStore = { twitter: { integrationMode: "managed" } };
 
       const msg: TwitterAuthStartRequest = { type: "twitter_auth_start" };
       const { ctx, sent } = createTestContext();
@@ -228,7 +241,7 @@ describe("Twitter auth handler", () => {
     });
 
     test("fails if no client credentials configured", async () => {
-      rawConfigStore = { twitterIntegrationMode: "local_byo" };
+      rawConfigStore = { twitter: { integrationMode: "local_byo" } };
       // No client ID in secure storage
 
       const msg: TwitterAuthStartRequest = { type: "twitter_auth_start" };
@@ -249,7 +262,7 @@ describe("Twitter auth handler", () => {
     });
 
     test("succeeds with valid config (mock orchestrator)", async () => {
-      rawConfigStore = { twitterIntegrationMode: "local_byo" };
+      rawConfigStore = { twitter: { integrationMode: "local_byo" } };
       secureKeyStore["credential:integration:twitter:oauth_client_id"] =
         "test-client-id";
       secureKeyStore["credential:integration:twitter:oauth_client_secret"] =
@@ -283,7 +296,7 @@ describe("Twitter auth handler", () => {
     });
 
     test("delegates to orchestrateOAuthConnect with correct options", async () => {
-      rawConfigStore = { twitterIntegrationMode: "local_byo" };
+      rawConfigStore = { twitter: { integrationMode: "local_byo" } };
       secureKeyStore["credential:integration:twitter:oauth_client_id"] =
         "test-client-id";
       secureKeyStore["credential:integration:twitter:oauth_client_secret"] =
@@ -312,7 +325,7 @@ describe("Twitter auth handler", () => {
     });
 
     test("fails fast with actionable error when no ingress URL is configured", async () => {
-      rawConfigStore = { twitterIntegrationMode: "local_byo" };
+      rawConfigStore = { twitter: { integrationMode: "local_byo" } };
       secureKeyStore["credential:integration:twitter:oauth_client_id"] =
         "test-client-id";
       mockIngressPublicBaseUrl = undefined;
@@ -349,7 +362,7 @@ describe("Twitter auth handler", () => {
     });
 
     test("maps orchestrator error result to twitter_auth_result", async () => {
-      rawConfigStore = { twitterIntegrationMode: "local_byo" };
+      rawConfigStore = { twitter: { integrationMode: "local_byo" } };
       secureKeyStore["credential:integration:twitter:oauth_client_id"] =
         "test-client-id";
 
@@ -379,7 +392,7 @@ describe("Twitter auth handler", () => {
 
     describe("auth hardening", () => {
       test("OAuth cancel path returns sanitized failure", async () => {
-        rawConfigStore = { twitterIntegrationMode: "local_byo" };
+        rawConfigStore = { twitter: { integrationMode: "local_byo" } };
         secureKeyStore["credential:integration:twitter:oauth_client_id"] =
           "test-client-id";
 
@@ -404,7 +417,7 @@ describe("Twitter auth handler", () => {
       });
 
       test("OAuth timeout path returns sanitized failure", async () => {
-        rawConfigStore = { twitterIntegrationMode: "local_byo" };
+        rawConfigStore = { twitter: { integrationMode: "local_byo" } };
         secureKeyStore["credential:integration:twitter:oauth_client_id"] =
           "test-client-id";
 
@@ -431,7 +444,7 @@ describe("Twitter auth handler", () => {
       });
 
       test("error payload never includes secrets or raw provider bodies", async () => {
-        rawConfigStore = { twitterIntegrationMode: "local_byo" };
+        rawConfigStore = { twitter: { integrationMode: "local_byo" } };
         secureKeyStore["credential:integration:twitter:oauth_client_id"] =
           "test-client-id";
 
@@ -466,7 +479,7 @@ describe("Twitter auth handler", () => {
       });
 
       test("succeeds even when identity verification returns no accountInfo", async () => {
-        rawConfigStore = { twitterIntegrationMode: "local_byo" };
+        rawConfigStore = { twitter: { integrationMode: "local_byo" } };
         secureKeyStore["credential:integration:twitter:oauth_client_id"] =
           "test-client-id";
 
@@ -499,7 +512,7 @@ describe("Twitter auth handler", () => {
 
   describe("twitter_auth_status", () => {
     test("returns disconnected when no token exists", () => {
-      rawConfigStore = { twitterIntegrationMode: "local_byo" };
+      rawConfigStore = { twitter: { integrationMode: "local_byo" } };
 
       const msg: TwitterAuthStatusRequest = { type: "twitter_auth_status" };
       const { ctx, sent } = createTestContext();
@@ -519,7 +532,7 @@ describe("Twitter auth handler", () => {
     });
 
     test("returns connected with account info when token exists", () => {
-      rawConfigStore = { twitterIntegrationMode: "local_byo" };
+      rawConfigStore = { twitter: { integrationMode: "local_byo" } };
       secureKeyStore["credential:integration:twitter:access_token"] =
         "test-access-token";
       credentialMetadataStore.push({

package/src/__tests__/twitter-cli-error-shaping.test.ts

@@ -19,7 +19,7 @@ import { SessionExpiredError } from "../twitter/client.js";
 
 const SESSION_EXPIRED_MSG =
   "Your Twitter session has expired. Please sign in to Twitter in Chrome — " +
-  "run `vellum twitter refresh` to capture your session automatically.";
+  "run `assistant twitter refresh` to capture your session automatically.";
 
 /**
  * Replicates the error-to-payload logic from `run()` in twitter.ts.

package/src/__tests__/twitter-cli-routing.test.ts

@@ -2,8 +2,6 @@ import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 // --- Mocks (must be declared before importing the module under test) ---
 
-let mockStrategy: string | undefined = undefined;
-let mockOauthAvailable = false;
 let mockOauthPostResult: {
   tweetId: string;
   text: string;
@@ -17,33 +15,13 @@ let mockBrowserPostResult: {
 } | null = null;
 let mockBrowserPostError: Error | null = null;
 
-// Mock the config loader to return a controllable strategy
-mock.module("../config/loader.js", () => ({
-  loadRawConfig: () => {
-    if (mockStrategy !== undefined) {
-      return { twitterOperationStrategy: mockStrategy };
-    }
-    return {};
-  },
-  loadConfig: () => ({}),
-  saveConfig: () => {},
-  saveRawConfig: () => {},
-  getConfig: () => ({
-    ui: {},
-  }),
-  invalidateConfigCache: () => {},
-  getNestedValue: () => undefined,
-  setNestedValue: () => {},
-  API_KEY_PROVIDERS: [],
-}));
-
 // Mock the OAuth client
 mock.module("../twitter/oauth-client.js", () => ({
-  oauthIsAvailable: () => mockOauthAvailable,
+  oauthIsAvailable: (token?: string) => token != null && token.length > 0,
   oauthSupportsOperation: (op: string) => op === "post" || op === "reply",
   oauthPostTweet: async (
     _text: string,
-    _opts?: { inReplyToTweetId?: string },
+    _opts: { inReplyToTweetId?: string; oauthToken: string },
   ) => {
     if (mockOauthPostError) throw mockOauthPostError;
     if (mockOauthPostResult) return mockOauthPostResult;
@@ -100,8 +78,6 @@ mock.module("../util/logger.js", () => ({
 import { routedPostTweet } from "../twitter/router.js";
 
 beforeEach(() => {
-  mockStrategy = undefined;
-  mockOauthAvailable = false;
   mockOauthPostResult = null;
   mockOauthPostError = null;
   mockBrowserPostResult = null;
@@ -111,14 +87,16 @@ beforeEach(() => {
 describe("Twitter strategy router", () => {
   describe("auto strategy", () => {
     test("uses OAuth when available and supported", async () => {
-      mockOauthAvailable = true;
       mockOauthPostResult = {
         tweetId: "111",
         text: "hello",
         url: "https://x.com/u/status/111",
       };
 
-      const { result, pathUsed } = await routedPostTweet("hello");
+      const { result, pathUsed } = await routedPostTweet("hello", {
+        strategy: "auto",
+        oauthToken: "test-token",
+      });
 
       expect(pathUsed).toBe("oauth");
       expect(result.tweetId).toBe("111");
@@ -127,21 +105,21 @@ describe("Twitter strategy router", () => {
     });
 
     test("falls back to browser when OAuth is unavailable", async () => {
-      mockOauthAvailable = false;
       mockBrowserPostResult = {
         tweetId: "222",
         text: "hello",
         url: "https://x.com/u/status/222",
       };
 
-      const { result, pathUsed } = await routedPostTweet("hello");
+      const { result, pathUsed } = await routedPostTweet("hello", {
+        strategy: "auto",
+      });
 
       expect(pathUsed).toBe("browser");
       expect(result.tweetId).toBe("222");
     });
 
     test("falls back to browser when OAuth fails", async () => {
-      mockOauthAvailable = true;
       mockOauthPostError = new Error("OAuth token expired");
       mockBrowserPostResult = {
         tweetId: "333",
@@ -149,31 +127,38 @@ describe("Twitter strategy router", () => {
         url: "https://x.com/u/status/333",
       };
 
-      const { result, pathUsed } = await routedPostTweet("hello");
+      const { result, pathUsed } = await routedPostTweet("hello", {
+        strategy: "auto",
+        oauthToken: "test-token",
+      });
 
       expect(pathUsed).toBe("browser");
       expect(result.tweetId).toBe("333");
     });
 
     test("constructs URL from tweetId when OAuth result has no url", async () => {
-      mockOauthAvailable = true;
       mockOauthPostResult = { tweetId: "444", text: "no url" };
 
-      const { result, pathUsed } = await routedPostTweet("no url");
+      const { result, pathUsed } = await routedPostTweet("no url", {
+        strategy: "auto",
+        oauthToken: "test-token",
+      });
 
       expect(pathUsed).toBe("oauth");
       expect(result.url).toBe("https://x.com/i/status/444");
     });
 
     test("throws combined error when both OAuth and browser fail with SessionExpiredError", async () => {
-      mockOauthAvailable = true;
       mockOauthPostError = new Error("OAuth failed");
       mockBrowserPostError = new MockSessionExpiredError(
         "Browser session expired",
       );
 
       try {
-        await routedPostTweet("will fail");
+        await routedPostTweet("will fail", {
+          strategy: "auto",
+          oauthToken: "test-token",
+        });
         expect(true).toBe(false); // should not reach
       } catch (err) {
         const e = err as Error & { pathUsed: string; oauthError?: string };
@@ -187,11 +172,8 @@ describe("Twitter strategy router", () => {
 
   describe("explicit oauth strategy", () => {
     test("fails with helpful error when OAuth is not configured", async () => {
-      mockStrategy = "oauth";
-      mockOauthAvailable = false;
-
       try {
-        await routedPostTweet("hello");
+        await routedPostTweet("hello", { strategy: "oauth" });
         expect(true).toBe(false); // should not reach
       } catch (err) {
         const e = err as Error & {
@@ -199,18 +181,21 @@ describe("Twitter strategy router", () => {
           suggestAlternative: string;
         };
         expect(e.message).toContain("OAuth is not configured");
-        expect(e.message).toContain("vellum x strategy set browser");
+        expect(e.message).toContain(
+          "assistant config set twitter.operationStrategy browser",
+        );
         expect(e.pathUsed).toBe("oauth");
         expect(e.suggestAlternative).toBe("browser");
       }
     });
 
     test("uses OAuth when available", async () => {
-      mockStrategy = "oauth";
-      mockOauthAvailable = true;
       mockOauthPostResult = { tweetId: "555", text: "oauth post" };
 
-      const { result, pathUsed } = await routedPostTweet("oauth post");
+      const { result, pathUsed } = await routedPostTweet("oauth post", {
+        strategy: "oauth",
+        oauthToken: "test-token",
+      });
 
       expect(pathUsed).toBe("oauth");
       expect(result.tweetId).toBe("555");
@@ -219,26 +204,26 @@ describe("Twitter strategy router", () => {
 
   describe("explicit browser strategy", () => {
     test("uses browser directly, ignoring OAuth availability", async () => {
-      mockStrategy = "browser";
-      mockOauthAvailable = true; // available but should be ignored
       mockBrowserPostResult = {
         tweetId: "666",
         text: "browser post",
         url: "https://x.com/u/status/666",
       };
 
-      const { result, pathUsed } = await routedPostTweet("browser post");
+      const { result, pathUsed } = await routedPostTweet("browser post", {
+        strategy: "browser",
+        oauthToken: "test-token", // available but should be ignored
+      });
 
       expect(pathUsed).toBe("browser");
       expect(result.tweetId).toBe("666");
     });
 
     test("preserves SessionExpiredError type with router metadata", async () => {
-      mockStrategy = "browser";
       mockBrowserPostError = new MockSessionExpiredError("Session expired");
 
       try {
-        await routedPostTweet("will fail");
+        await routedPostTweet("will fail", { strategy: "browser" });
         expect(true).toBe(false); // should not reach
       } catch (err) {
         const e = err as Error & {
@@ -253,11 +238,10 @@ describe("Twitter strategy router", () => {
     });
 
     test("re-throws non-session errors without wrapping", async () => {
-      mockStrategy = "browser";
       mockBrowserPostError = new Error("Network failure");
 
       try {
-        await routedPostTweet("will fail");
+        await routedPostTweet("will fail", { strategy: "browser" });
         expect(true).toBe(false); // should not reach
       } catch (err) {
         expect((err as Error).message).toBe("Network failure");
@@ -267,7 +251,6 @@ describe("Twitter strategy router", () => {
 
   describe("reply routing", () => {
     test("auto strategy routes reply through OAuth when available", async () => {
-      mockOauthAvailable = true;
       mockOauthPostResult = {
         tweetId: "777",
         text: "reply text",
@@ -276,6 +259,8 @@ describe("Twitter strategy router", () => {
 
       const { result, pathUsed } = await routedPostTweet("reply text", {
         inReplyToTweetId: "100",
+        strategy: "auto",
+        oauthToken: "test-token",
       });
 
       expect(pathUsed).toBe("oauth");
@@ -283,7 +268,6 @@ describe("Twitter strategy router", () => {
     });
 
     test("browser strategy routes reply through browser", async () => {
-      mockStrategy = "browser";
       mockBrowserPostResult = {
         tweetId: "888",
         text: "reply text",
@@ -292,6 +276,7 @@ describe("Twitter strategy router", () => {
 
       const { result, pathUsed } = await routedPostTweet("reply text", {
         inReplyToTweetId: "200",
+        strategy: "browser",
       });
 
       expect(pathUsed).toBe("browser");

package/src/__tests__/twitter-oauth-client.test.ts

@@ -2,39 +2,6 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
 // --- Mocks (must be declared before importing the module under test) ---
 
-let secureKeyStore: Record<string, string> = {};
-
-mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (account: string) => secureKeyStore[account] ?? undefined,
-  setSecureKey: (account: string, value: string) => {
-    secureKeyStore[account] = value;
-    return true;
-  },
-  deleteSecureKey: () => "deleted",
-  listSecureKeys: () => Object.keys(secureKeyStore),
-  getBackendType: () => "encrypted",
-  isDowngradedFromKeychain: () => false,
-  _resetBackend: () => {},
-  _setBackend: () => {},
-}));
-
-// withValidToken: call the callback directly with a fake token.
-mock.module("../security/token-manager.js", () => ({
-  withValidToken: async (
-    _service: string,
-    cb: (token: string) => Promise<unknown>,
-  ) => cb("fake-oauth-token"),
-  TokenExpiredError: class TokenExpiredError extends Error {
-    constructor(
-      public readonly service: string,
-      message?: string,
-    ) {
-      super(message ?? `Token expired for "${service}".`);
-      this.name = "TokenExpiredError";
-    }
-  },
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () => ({
     info: () => {},
@@ -65,7 +32,6 @@ const originalFetch = globalThis.fetch;
 let _fetchMock: ReturnType<typeof mock> | null = null;
 
 beforeEach(() => {
-  secureKeyStore = {};
   _fetchMock = null;
 });
 
@@ -101,7 +67,9 @@ describe("Twitter OAuth client", () => {
         json: { data: { id: "12345", text: "Hello world" } },
       });
 
-      const result = await oauthPostTweet("Hello world");
+      const result = await oauthPostTweet("Hello world", {
+        oauthToken: "fake-oauth-token",
+      });
 
       expect(result.tweetId).toBe("12345");
       expect(result.text).toBe("Hello world");
@@ -132,6 +100,7 @@ describe("Twitter OAuth client", () => {
 
       const result = await oauthPostTweet("My reply", {
         inReplyToTweetId: "11111",
+        oauthToken: "fake-oauth-token",
       });
 
       expect(result.tweetId).toBe("67890");
@@ -150,12 +119,12 @@ describe("Twitter OAuth client", () => {
         text: "Rate limit exceeded",
       });
 
-      await expect(oauthPostTweet("will fail")).rejects.toThrow(
-        /Twitter API error \(429\)/,
-      );
+      await expect(
+        oauthPostTweet("will fail", { oauthToken: "fake-oauth-token" }),
+      ).rejects.toThrow(/Twitter API error \(429\)/);
     });
 
-    test("attaches status to thrown error for token manager retry", async () => {
+    test("throws with status in error message on 401", async () => {
       mockFetch({
         ok: false,
         status: 401,
@@ -163,23 +132,25 @@ describe("Twitter OAuth client", () => {
       });
 
       try {
-        await oauthPostTweet("will fail");
+        await oauthPostTweet("will fail", { oauthToken: "fake-oauth-token" });
         expect(true).toBe(false); // should not reach
       } catch (err) {
-        expect((err as Error & { status: number }).status).toBe(401);
+        expect((err as Error).message).toContain("401");
       }
     });
   });
 
   describe("oauthIsAvailable", () => {
-    test("returns true when access token exists", () => {
-      secureKeyStore["credential:integration:twitter:access_token"] =
-        "some-token";
-      expect(oauthIsAvailable()).toBe(true);
+    test("returns true when token is provided", () => {
+      expect(oauthIsAvailable("some-token")).toBe(true);
+    });
+
+    test("returns false when token is undefined", () => {
+      expect(oauthIsAvailable(undefined)).toBe(false);
     });
 
-    test("returns false when no access token", () => {
-      expect(oauthIsAvailable()).toBe(false);
+    test("returns false when token is empty string", () => {
+      expect(oauthIsAvailable("")).toBe(false);
     });
   });
 

package/src/__tests__/voice-invite-redemption.test.ts

@@ -24,7 +24,8 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-import { upsertMember } from "../contacts/contacts-write.js";
+import { findContactChannel } from "../contacts/contact-store.js";
+import { upsertContactChannel } from "../contacts/contacts-write.js";
 import { getSqlite, initializeDb, resetDb } from "../memory/db.js";
 import { createInvite, revokeInvite } from "../memory/invite-store.js";
 import { redeemVoiceInviteCode } from "../runtime/invite-redemption-service.js";
@@ -177,6 +178,29 @@ describe("redeemVoiceInviteCode", () => {
     });
   });
 
+  test("marks channel as verified via invite on voice redemption", () => {
+    const phone = "+15551234567";
+    const { code } = createVoiceInvite({ callerPhone: phone });
+
+    const result = redeemVoiceInviteCode({
+      callerExternalUserId: phone,
+      sourceChannel: "voice",
+      code,
+    });
+
+    expect(result.ok).toBe(true);
+
+    const channelResult = findContactChannel({
+      channelType: "voice",
+      externalUserId: phone,
+    });
+
+    expect(channelResult).not.toBeNull();
+    expect(channelResult!.channel.verifiedAt).toBeGreaterThan(0);
+    expect(channelResult!.channel.verifiedVia).toBe("invite");
+    expect(channelResult!.channel.status).toBe("active");
+  });
+
   test("wrong caller identity fails with generic error", () => {
     const { code } = createVoiceInvite({ callerPhone: "+15551234567" });
 
@@ -281,7 +305,7 @@ describe("redeemVoiceInviteCode", () => {
     const { code } = createVoiceInvite({ callerPhone: phone });
 
     // Pre-create an active member for this phone on voice channel
-    upsertMember({
+    upsertContactChannel({
       sourceChannel: "voice",
       externalUserId: phone,
       status: "active",
@@ -306,7 +330,7 @@ describe("redeemVoiceInviteCode", () => {
     const phone = "+15551234567";
     const { code } = createVoiceInvite({ callerPhone: phone });
 
-    upsertMember({
+    upsertContactChannel({
       sourceChannel: "voice",
       externalUserId: phone,
       status: "blocked",

package/src/amazon/cart.ts

@@ -321,7 +321,7 @@ export async function addToCart(opts: {
                       __error: true,
                       __message: 'Add-to-cart failed: ASIN ' + ${JSON.stringify(
                         opts.asin,
-                      )} + ' was not found in the Fresh cart after adding. The item may be unavailable or the session cookies may be stale. Try running vellum amazon refresh.'
+                      )} + ' was not found in the Fresh cart after adding. The item may be unavailable or the session cookies may be stale. Try running assistant amazon refresh.'
                     });
                   }
                   items = allFreshItems.map(function(item) {