@vellumai/assistant 0.4.37 → 0.4.41

package/src/__tests__/managed-avatar-client.test.ts

@@ -0,0 +1,280 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+// ---------------------------------------------------------------------------
+// Mock dependencies — must be before importing the module under test
+// ---------------------------------------------------------------------------
+
+let mockApiKey: string | undefined = "test-api-key-123";
+let mockBaseUrl = "https://platform.vellum.ai";
+let mockPlatformEnvUrl = "https://env.vellum.ai";
+
+mock.module("../security/secure-keys.js", () => ({
+  getSecureKey: (account: string) => {
+    if (account === "credential:vellum:assistant_api_key") return mockApiKey;
+    return undefined;
+  },
+}));
+
+mock.module("../config/loader.js", () => ({
+  getConfig: () => ({
+    platform: { baseUrl: mockBaseUrl },
+  }),
+}));
+
+mock.module("../config/env.js", () => ({
+  getPlatformBaseUrl: () => mockPlatformEnvUrl,
+}));
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () => ({
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+  }),
+}));
+
+// Mock global fetch
+let lastFetchArgs: [string, RequestInit] | null = null;
+let fetchResponse: { ok: boolean; status: number; json: () => Promise<unknown> } = {
+  ok: true,
+  status: 200,
+  json: async () => ({}),
+};
+
+const originalFetch = globalThis.fetch;
+globalThis.fetch = (async (url: string, init: RequestInit) => {
+  lastFetchArgs = [url, init];
+  return fetchResponse;
+}) as typeof globalThis.fetch;
+
+// Import after mocking
+import {
+  isManagedAvailable,
+  generateManagedAvatar,
+  getAssistantApiKey,
+} from "../media/managed-avatar-client.js";
+import {
+  ManagedAvatarError,
+  AVATAR_PROMPT_MAX_LENGTH,
+  AVATAR_MAX_DECODED_BYTES,
+} from "../media/avatar-types.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function successResponse() {
+  return {
+    image: {
+      mime_type: "image/png",
+      data_base64: "iVBORw0KGgo=",
+      bytes: 1024,
+      sha256: "abc123",
+    },
+    usage: { billable: true, class_name: "avatar" },
+    generation_source: "managed",
+    profile: "default",
+    correlation_id: "test-corr-id",
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+beforeEach(() => {
+  mockApiKey = "test-api-key-123";
+  mockBaseUrl = "https://platform.vellum.ai";
+  mockPlatformEnvUrl = "https://env.vellum.ai";
+  lastFetchArgs = null;
+  fetchResponse = {
+    ok: true,
+    status: 200,
+    json: async () => successResponse(),
+  };
+});
+
+describe("generateManagedAvatar", () => {
+  test("successful generation returns parsed response", async () => {
+    const result = await generateManagedAvatar("a friendly robot avatar");
+
+    expect(result.image.mime_type).toBe("image/png");
+    expect(result.image.data_base64).toBe("iVBORw0KGgo=");
+    expect(result.image.bytes).toBe(1024);
+    expect(result.generation_source).toBe("managed");
+  });
+
+  test("prompt exceeding max length throws ManagedAvatarError with code validation_error", async () => {
+    const longPrompt = "x".repeat(AVATAR_PROMPT_MAX_LENGTH + 1);
+
+    try {
+      await generateManagedAvatar(longPrompt);
+      expect(true).toBe(false); // should not reach here
+    } catch (err) {
+      expect(err).toBeInstanceOf(ManagedAvatarError);
+      const avatarErr = err as ManagedAvatarError;
+      expect(avatarErr.code).toBe("validation_error");
+      expect(avatarErr.subcode).toBe("prompt_too_long");
+    }
+  });
+
+  test("HTTP 429 response throws ManagedAvatarError with retryable true", async () => {
+    fetchResponse = {
+      ok: false,
+      status: 429,
+      json: async () => ({
+        code: "rate_limit",
+        subcode: "too_many_requests",
+        detail: "Rate limit exceeded",
+        retryable: true,
+        correlation_id: "corr-429",
+      }),
+    };
+
+    try {
+      await generateManagedAvatar("test prompt");
+      expect(true).toBe(false);
+    } catch (err) {
+      expect(err).toBeInstanceOf(ManagedAvatarError);
+      const avatarErr = err as ManagedAvatarError;
+      expect(avatarErr.retryable).toBe(true);
+      expect(avatarErr.statusCode).toBe(429);
+    }
+  });
+
+  test("HTTP 500 response throws ManagedAvatarError with upstream error details", async () => {
+    fetchResponse = {
+      ok: false,
+      status: 500,
+      json: async () => ({
+        code: "internal_error",
+        subcode: "server_fault",
+        detail: "Internal server error",
+        retryable: true,
+        correlation_id: "corr-500",
+      }),
+    };
+
+    try {
+      await generateManagedAvatar("test prompt");
+      expect(true).toBe(false);
+    } catch (err) {
+      expect(err).toBeInstanceOf(ManagedAvatarError);
+      const avatarErr = err as ManagedAvatarError;
+      expect(avatarErr.code).toBe("internal_error");
+      expect(avatarErr.subcode).toBe("server_fault");
+      expect(avatarErr.statusCode).toBe(500);
+    }
+  });
+
+  test("response with disallowed MIME type throws validation error", async () => {
+    fetchResponse = {
+      ok: true,
+      status: 200,
+      json: async () => ({
+        ...successResponse(),
+        image: { ...successResponse().image, mime_type: "image/gif" },
+      }),
+    };
+
+    try {
+      await generateManagedAvatar("test prompt");
+      expect(true).toBe(false);
+    } catch (err) {
+      expect(err).toBeInstanceOf(ManagedAvatarError);
+      const avatarErr = err as ManagedAvatarError;
+      expect(avatarErr.code).toBe("validation_error");
+      expect(avatarErr.subcode).toBe("disallowed_mime_type");
+    }
+  });
+
+  test("response with oversized bytes throws validation error", async () => {
+    fetchResponse = {
+      ok: true,
+      status: 200,
+      json: async () => ({
+        ...successResponse(),
+        image: { ...successResponse().image, bytes: AVATAR_MAX_DECODED_BYTES + 1 },
+      }),
+    };
+
+    try {
+      await generateManagedAvatar("test prompt");
+      expect(true).toBe(false);
+    } catch (err) {
+      expect(err).toBeInstanceOf(ManagedAvatarError);
+      const avatarErr = err as ManagedAvatarError;
+      expect(avatarErr.code).toBe("validation_error");
+      expect(avatarErr.subcode).toBe("oversized_image");
+    }
+  });
+
+  test("response with oversized base64 estimated decoded size throws validation error", async () => {
+    // Create a base64 string whose estimated decoded size exceeds the limit,
+    // even though the server-reported bytes field is under the limit
+    const oversizedBase64 = "A".repeat(Math.ceil((AVATAR_MAX_DECODED_BYTES + 100) * 4 / 3));
+    fetchResponse = {
+      ok: true,
+      status: 200,
+      json: async () => ({
+        ...successResponse(),
+        image: { ...successResponse().image, data_base64: oversizedBase64, bytes: 1024 },
+      }),
+    };
+
+    try {
+      await generateManagedAvatar("test prompt");
+      expect(true).toBe(false);
+    } catch (err) {
+      expect(err).toBeInstanceOf(ManagedAvatarError);
+      const avatarErr = err as ManagedAvatarError;
+      expect(avatarErr.code).toBe("validation_error");
+      expect(avatarErr.subcode).toBe("oversized_image");
+    }
+  });
+
+  test("Authorization header uses Api-Key prefix", async () => {
+    await generateManagedAvatar("test prompt");
+
+    expect(lastFetchArgs).not.toBeNull();
+    const headers = lastFetchArgs![1].headers as Record<string, string>;
+    expect(headers.Authorization).toBe("Api-Key test-api-key-123");
+    expect(headers.Authorization).not.toContain("Bearer");
+  });
+
+  test("Idempotency-Key header is present on every request", async () => {
+    await generateManagedAvatar("test prompt");
+
+    expect(lastFetchArgs).not.toBeNull();
+    const headers = lastFetchArgs![1].headers as Record<string, string>;
+    expect(headers["Idempotency-Key"]).toBeDefined();
+    expect(headers["Idempotency-Key"].length).toBeGreaterThan(0);
+  });
+
+  test("caller-provided idempotencyKey is used in the request header", async () => {
+    const customKey = "my-custom-idempotency-key-123";
+    await generateManagedAvatar("test prompt", { idempotencyKey: customKey });
+
+    expect(lastFetchArgs).not.toBeNull();
+    const headers = lastFetchArgs![1].headers as Record<string, string>;
+    expect(headers["Idempotency-Key"]).toBe(customKey);
+  });
+});
+
+describe("isManagedAvailable", () => {
+  test("returns false when API key is missing", () => {
+    mockApiKey = undefined;
+    expect(isManagedAvailable()).toBe(false);
+  });
+
+  test("returns false when base URL is missing", () => {
+    mockBaseUrl = "";
+    mockPlatformEnvUrl = "";
+    expect(isManagedAvailable()).toBe(false);
+  });
+
+  test("returns true when both API key and base URL are present", () => {
+    expect(isManagedAvailable()).toBe(true);
+  });
+});

package/src/__tests__/mcp-cli.test.ts

@@ -131,7 +131,7 @@ async function runMcpRemove(name: string) {
 
 // ── Tests ─────────────────────────────────────────────────────────────
 
-describe("vellum mcp list", () => {
+describe("assistant mcp list", () => {
   beforeAll(() => {
     testDataDir = join(
       tmpdir(),
@@ -258,7 +258,7 @@ describe("vellum mcp list", () => {
   });
 });
 
-describe("vellum mcp add", () => {
+describe("assistant mcp add", () => {
   beforeAll(() => {
     testDataDir = join(
       tmpdir(),
@@ -396,7 +396,7 @@ describe("vellum mcp add", () => {
   });
 });
 
-describe("vellum mcp remove", () => {
+describe("assistant mcp remove", () => {
   beforeAll(() => {
     testDataDir = join(
       tmpdir(),

package/src/__tests__/oauth-cli.test.ts

@@ -0,0 +1,203 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { Command } from "commander";
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+let mockWithValidToken: <T>(
+  service: string,
+  cb: (token: string) => Promise<T>,
+) => Promise<T>;
+
+// ---------------------------------------------------------------------------
+// Mock token-manager
+// ---------------------------------------------------------------------------
+
+mock.module("../security/token-manager.js", () => ({
+  withValidToken: <T>(
+    service: string,
+    cb: (token: string) => Promise<T>,
+  ): Promise<T> => mockWithValidToken(service, cb),
+  // Stubs for any transitive imports that reference other exports:
+  TokenExpiredError: class TokenExpiredError extends Error {
+    constructor(
+      public readonly service: string,
+      message?: string,
+    ) {
+      super(message ?? `Token expired for "${service}".`);
+      this.name = "TokenExpiredError";
+    }
+  },
+}));
+
+// Stub out transitive dependencies that token-manager would normally pull in
+mock.module("../security/secure-keys.js", () => ({
+  getSecureKey: () => undefined,
+  setSecureKey: () => true,
+  getSecureKeyAsync: async () => undefined,
+  setSecureKeyAsync: async () => true,
+  deleteSecureKey: () => "not-found",
+}));
+
+mock.module("../tools/credentials/metadata-store.js", () => ({
+  getCredentialMetadata: () => undefined,
+  upsertCredentialMetadata: () => ({}),
+  listCredentialMetadata: () => [],
+}));
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+  getCliLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+}));
+
+// ---------------------------------------------------------------------------
+// Import the module under test (after mocks are registered)
+// ---------------------------------------------------------------------------
+
+const { registerOAuthCommand } = await import("../cli/oauth.js");
+
+// ---------------------------------------------------------------------------
+// Test helper
+// ---------------------------------------------------------------------------
+
+async function runCli(
+  args: string[],
+): Promise<{ exitCode: number; stdout: string }> {
+  const originalStdoutWrite = process.stdout.write.bind(process.stdout);
+  const originalStderrWrite = process.stderr.write.bind(process.stderr);
+  const stdoutChunks: string[] = [];
+
+  process.stdout.write = ((chunk: unknown) => {
+    stdoutChunks.push(typeof chunk === "string" ? chunk : String(chunk));
+    return true;
+  }) as typeof process.stdout.write;
+
+  process.stderr.write = (() => true) as typeof process.stderr.write;
+
+  process.exitCode = 0;
+
+  try {
+    const program = new Command();
+    program.exitOverride();
+    program.configureOutput({
+      writeErr: () => {},
+      writeOut: (str: string) => stdoutChunks.push(str),
+    });
+    registerOAuthCommand(program);
+    await program.parseAsync(["node", "assistant", "oauth", ...args]);
+  } catch {
+    if (process.exitCode === 0) process.exitCode = 1;
+  } finally {
+    process.stdout.write = originalStdoutWrite;
+    process.stderr.write = originalStderrWrite;
+  }
+
+  const exitCode = process.exitCode ?? 0;
+  process.exitCode = 0;
+
+  return {
+    exitCode,
+    stdout: stdoutChunks.join(""),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("assistant oauth token", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+  });
+
+  test("prints bare token in human mode", async () => {
+    const { exitCode, stdout } = await runCli(["token", "twitter"]);
+    expect(exitCode).toBe(0);
+    expect(stdout).toBe("mock-access-token-xyz\n");
+  });
+
+  test("prints JSON in --json mode", async () => {
+    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toEqual({ ok: true, token: "mock-access-token-xyz" });
+  });
+
+  test("qualifies service name with integration: prefix", async () => {
+    let capturedService: string | undefined;
+    mockWithValidToken = async (service, cb) => {
+      capturedService = service;
+      return cb("tok");
+    };
+
+    await runCli(["token", "twitter"]);
+    expect(capturedService).toBe("integration:twitter");
+  });
+
+  test("works with other service names", async () => {
+    let capturedService: string | undefined;
+    mockWithValidToken = async (service, cb) => {
+      capturedService = service;
+      return cb("gmail-token");
+    };
+
+    const { exitCode, stdout } = await runCli(["token", "gmail"]);
+    expect(exitCode).toBe(0);
+    expect(stdout).toBe("gmail-token\n");
+    expect(capturedService).toBe("integration:gmail");
+  });
+
+  test("exits 1 when no token exists", async () => {
+    mockWithValidToken = async () => {
+      throw new Error(
+        'No access token found for "integration:twitter". Authorization required.',
+      );
+    };
+
+    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("No access token found");
+  });
+
+  test("exits 1 when refresh fails", async () => {
+    mockWithValidToken = async () => {
+      throw new Error(
+        'Token refresh failed for "integration:twitter": invalid_grant.',
+      );
+    };
+
+    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("Token refresh failed");
+  });
+
+  test("returns refreshed token transparently", async () => {
+    // Simulate withValidToken refreshing and returning a new token
+    mockWithValidToken = async (_service, cb) => cb("refreshed-new-token");
+
+    const { exitCode, stdout } = await runCli(["token", "twitter"]);
+    expect(exitCode).toBe(0);
+    expect(stdout).toBe("refreshed-new-token\n");
+  });
+
+  test("missing service argument exits non-zero", async () => {
+    const { exitCode } = await runCli(["token"]);
+    expect(exitCode).not.toBe(0);
+  });
+});

package/src/__tests__/relay-server.test.ts

@@ -192,7 +192,7 @@ import {
 import { setVoiceBridgeDeps } from "../calls/voice-session-bridge.js";
 import {
   createGuardianBinding,
-  upsertMember,
+  upsertContactChannel,
 } from "../contacts/contacts-write.js";
 import {
   listCanonicalGuardianRequests,
@@ -291,7 +291,7 @@ function resetTables() {
 }
 
 function addTrustedVoiceContact(phoneNumber: string): void {
-  upsertMember({
+  upsertContactChannel({
     sourceChannel: "voice",
     externalUserId: phoneNumber,
     externalChatId: phoneNumber,
@@ -2452,7 +2452,7 @@ describe("relay-server", () => {
     });
 
     // Create a blocked member
-    upsertMember({
+    upsertContactChannel({
       sourceChannel: "voice",
       externalUserId: "+15558881111",
       externalChatId: "+15558881111",

package/src/__tests__/secret-onetime-send.test.ts

@@ -29,23 +29,30 @@ mock.module("../util/logger.js", () => ({
 
 // Track keychain writes
 const storedKeys = new Map<string, string>();
-mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (key: string) => storedKeys.get(key) ?? null,
-  setSecureKey: (key: string, value: string) => {
+mock.module("../security/secure-keys.js", () => {
+  const syncSet = (key: string, value: string) => {
     storedKeys.set(key, value);
     return true;
-  },
-  deleteSecureKey: (key: string) => {
+  };
+  const syncDelete = (key: string) => {
     if (storedKeys.has(key)) {
       storedKeys.delete(key);
-      return "deleted";
+      return "deleted" as const;
     }
-    return "not-found";
-  },
-  listSecureKeys: () => [],
-  getBackendType: () => "encrypted",
-  isDowngradedFromKeychain: () => false,
-}));
+    return "not-found" as const;
+  };
+  return {
+    getSecureKey: (key: string) => storedKeys.get(key) ?? null,
+    setSecureKey: syncSet,
+    setSecureKeyAsync: async (key: string, value: string) =>
+      syncSet(key, value),
+    deleteSecureKey: syncDelete,
+    deleteSecureKeyAsync: async (key: string) => syncDelete(key),
+    listSecureKeys: () => [],
+    getBackendType: () => "encrypted",
+    isDowngradedFromKeychain: () => false,
+  };
+});
 
 mock.module("./metadata-store.js", () => ({
   upsertCredentialMetadata: () => {},

package/src/__tests__/secure-keys.test.ts

@@ -302,6 +302,84 @@ describe("secure-keys", () => {
     });
   });
 
+  // -----------------------------------------------------------------------
+  // Stale-value prevention — broker-first reads after credential updates
+  // -----------------------------------------------------------------------
+  describe("stale-value prevention", () => {
+    test("setSecureKeyAsync updates broker so broker-first read returns new value", async () => {
+      mockBrokerAvailable = true;
+      // Simulate broker holding an old value
+      mockBrokerStore.set("api-key", "old-broker-value");
+      setSecureKey("api-key", "old-encrypted-value");
+
+      // Update via async path (writes both broker + encrypted)
+      const ok = await setSecureKeyAsync("api-key", "new-value");
+      expect(ok).toBe(true);
+
+      // Broker-first read should return the new value, not stale old value
+      const value = await getSecureKeyAsync("api-key");
+      expect(value).toBe("new-value");
+      // Both stores should agree
+      expect(mockBrokerStore.get("api-key")).toBe("new-value");
+      expect(getSecureKey("api-key")).toBe("new-value");
+    });
+
+    test("deleteSecureKeyAsync removes from broker so broker-first read falls through", async () => {
+      mockBrokerAvailable = true;
+      mockBrokerStore.set("api-key", "old-broker-value");
+      setSecureKey("api-key", "old-encrypted-value");
+
+      // Delete via async path (deletes from both broker + encrypted)
+      const result = await deleteSecureKeyAsync("api-key");
+      expect(result).toBe("deleted");
+
+      // Broker-first read should not find the key in either store
+      const value = await getSecureKeyAsync("api-key");
+      expect(value).toBeUndefined();
+    });
+
+    test("sync setSecureKey does NOT update broker — stale read demonstrates the problem", async () => {
+      mockBrokerAvailable = true;
+      mockBrokerStore.set("api-key", "old-broker-value");
+
+      // Sync write only updates encrypted store, NOT broker
+      setSecureKey("api-key", "new-encrypted-value");
+
+      // Broker-first read still returns the stale broker value
+      const value = await getSecureKeyAsync("api-key");
+      expect(value).toBe("old-broker-value");
+      // This is the exact bug that async migration fixes
+    });
+
+    test("setSecureKeyAsync failure leaves both stores unchanged", async () => {
+      mockBrokerAvailable = true;
+      mockBrokerSetError = true;
+      mockBrokerStore.set("api-key", "original-value");
+      setSecureKey("api-key", "original-value");
+
+      const ok = await setSecureKeyAsync("api-key", "new-value");
+      expect(ok).toBe(false);
+
+      // Both stores should retain original value — no partial update
+      expect(mockBrokerStore.get("api-key")).toBe("original-value");
+      expect(getSecureKey("api-key")).toBe("original-value");
+    });
+
+    test("deleteSecureKeyAsync failure leaves both stores unchanged", async () => {
+      mockBrokerAvailable = true;
+      mockBrokerDelError = true;
+      mockBrokerStore.set("api-key", "value");
+      setSecureKey("api-key", "value");
+
+      const result = await deleteSecureKeyAsync("api-key");
+      expect(result).toBe("error");
+
+      // Both stores should retain the key — no partial deletion
+      expect(mockBrokerStore.has("api-key")).toBe(true);
+      expect(getSecureKey("api-key")).toBe("value");
+    });
+  });
+
   // -----------------------------------------------------------------------
   // _setBackend / _resetBackend (no-ops kept for test compat)
   // -----------------------------------------------------------------------

package/src/__tests__/session-messaging-secret-redirect.test.ts

@@ -26,7 +26,10 @@ const metadataByKey = new Map<
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: () => undefined,
   setSecureKey: setSecureKeyMock,
+  setSecureKeyAsync: async (key?: string, value?: string) =>
+    setSecureKeyMock(key, value),
   deleteSecureKey: () => "deleted",
+  deleteSecureKeyAsync: async () => "deleted" as const,
   listSecureKeys: () => [],
   getBackendType: () => null,
   isDowngradedFromKeychain: () => false,