@vellumai/assistant 0.4.43 → 0.4.44

package/src/cli/commands/twitter/oauth-client.ts

@@ -2,42 +2,17 @@
  * OAuth-backed Twitter API client.
  *
  * Accepts an OAuth2 Bearer token as a parameter and uses it to execute
- * Twitter API v2 operations directly, without requiring a browser session.
- * Currently supports post and reply; all other operations fall back to the
- * browser-based CDP client.
+ * Twitter API v2 operations directly (post and reply).
  */
 
 const TWITTER_API_BASE = "https://api.x.com/2";
 
-/** Operations that the OAuth client can handle natively. */
-const SUPPORTED_OPERATIONS = new Set(["post", "reply"]);
-
 export interface OAuthPostResult {
   tweetId: string;
   text: string;
   url?: string;
 }
 
-export interface OAuthOperationError {
-  message: string;
-  suggestFallback: boolean;
-  fallbackPath: "browser";
-  operation: string;
-}
-
-export class UnsupportedOAuthOperationError extends Error {
-  public readonly suggestFallback = true;
-  public readonly fallbackPath = "browser" as const;
-  public readonly operation: string;
-  constructor(operation: string) {
-    super(
-      `The "${operation}" operation is not available via the OAuth API. Use the browser path instead.`,
-    );
-    this.name = "UnsupportedOAuthOperationError";
-    this.operation = operation;
-  }
-}
-
 /**
  * Post a tweet (or reply) using OAuth2 Bearer token authentication.
  *
@@ -83,12 +58,3 @@ export async function oauthPostTweet(
 export function oauthIsAvailable(oauthToken: string | undefined): boolean {
   return oauthToken != null && oauthToken.length > 0;
 }
-
-/**
- * Check whether a given operation is supported via the OAuth API path.
- * Only `post` and `reply` are currently supported; everything else
- * (timeline, search, bookmarks, etc.) requires the browser path.
- */
-export function oauthSupportsOperation(operation: string): boolean {
-  return SUPPORTED_OPERATIONS.has(operation);
-}

package/src/cli/commands/twitter/router.ts

@@ -1,6 +1,6 @@
 /**
- * Strategy router for Twitter operations.
- * Selects managed proxy, OAuth, or browser path based on the caller-provided strategy.
+ * Mode router for Twitter operations.
+ * Selects managed proxy or OAuth path based on the caller-provided integration mode.
  */
 
 import {
@@ -11,47 +11,27 @@ import {
   searchRecentTweets as managedSearchRecentTweets,
   TwitterProxyError,
 } from "../../../twitter/platform-proxy-client.js";
-import type { PostTweetResult, TweetEntry, UserInfo } from "./client.js";
-import {
-  getTweetDetail as browserGetTweetDetail,
-  getUserByScreenName as browserGetUserByScreenName,
-  getUserTweets as browserGetUserTweets,
-  postTweet as browserPostTweet,
-  searchTweets as browserSearchTweets,
-  SessionExpiredError,
-} from "./client.js";
-import {
-  oauthIsAvailable,
-  oauthPostTweet,
-  oauthSupportsOperation,
-} from "./oauth-client.js";
+import { oauthIsAvailable, oauthPostTweet } from "./oauth-client.js";
+import type { PostTweetResult, TweetEntry, UserInfo } from "./types.js";
 
-export type TwitterStrategy = "oauth" | "browser" | "auto" | "managed";
+export type TwitterMode = "oauth" | "managed";
 
 export interface RoutedResult<T> {
   result: T;
-  pathUsed: TwitterStrategy;
-}
-
-export interface RoutedError {
-  message: string;
-  pathUsed: TwitterStrategy;
-  suggestAlternative?: TwitterStrategy;
-  alternativeSetupHint?: string;
+  pathUsed: TwitterMode;
 }
 
 export async function routedPostTweet(
   text: string,
   opts: {
     inReplyToTweetId?: string;
-    strategy: TwitterStrategy;
+    mode: TwitterMode;
     oauthToken?: string;
   },
 ): Promise<RoutedResult<PostTweetResult>> {
-  const strategy = opts.strategy;
-  const operation = opts.inReplyToTweetId ? "reply" : "post";
+  const mode = opts.mode;
 
-  if (strategy === "managed") {
+  if (mode === "managed") {
     // Route through platform proxy — the platform holds the OAuth credentials
     try {
       const response = await managedPostTweet(text, {
@@ -91,16 +71,15 @@ export async function routedPostTweet(
     }
   }
 
-  if (strategy === "oauth") {
+  if (mode === "oauth") {
     // User explicitly wants OAuth
     if (!oauthIsAvailable(opts.oauthToken)) {
       throw Object.assign(
         new Error(
-          "OAuth is not configured. Provide your X developer credentials here in the chat to set up OAuth, or switch to browser strategy: `assistant config set twitter.operationStrategy browser`.",
+          "OAuth is not configured. Connect your X developer credentials to set up OAuth.",
         ),
         {
           pathUsed: "oauth" as const,
-          suggestAlternative: "browser" as const,
         },
       );
     }
@@ -118,68 +97,9 @@ export async function routedPostTweet(
     };
   }
 
-  if (strategy === "browser") {
-    // User explicitly wants browser
-    try {
-      const result = await browserPostTweet(text, {
-        inReplyToTweetId: opts.inReplyToTweetId,
-      });
-      return { result, pathUsed: "browser" };
-    } catch (err) {
-      if (err instanceof SessionExpiredError) {
-        throw Object.assign(err, {
-          pathUsed: "browser" as const,
-          suggestAlternative: "oauth" as const,
-        });
-      }
-      throw err;
-    }
-  }
-
-  // auto strategy: try OAuth first if available and supported, fallback to browser
-  let oauthError: Error | undefined;
-  if (oauthIsAvailable(opts.oauthToken) && oauthSupportsOperation(operation)) {
-    try {
-      const result = await oauthPostTweet(text, {
-        inReplyToTweetId: opts.inReplyToTweetId,
-        oauthToken: opts.oauthToken!,
-      });
-      return {
-        result: {
-          tweetId: result.tweetId,
-          text: result.text,
-          url: result.url ?? `https://x.com/i/status/${result.tweetId}`,
-        },
-        pathUsed: "oauth",
-      };
-    } catch (err) {
-      oauthError = err instanceof Error ? err : new Error(String(err));
-      // Fall through to browser
-    }
-  }
-
-  // Fallback to browser
-  try {
-    const result = await browserPostTweet(text, {
-      inReplyToTweetId: opts.inReplyToTweetId,
-    });
-    return { result, pathUsed: "browser" };
-  } catch (err) {
-    if (err instanceof SessionExpiredError) {
-      throw Object.assign(err, {
-        pathUsed: "auto" as const,
-        oauthError: oauthError?.message,
-      });
-    }
-    if (oauthError) {
-      const browserError = err instanceof Error ? err : new Error(String(err));
-      throw Object.assign(browserError, {
-        pathUsed: "auto" as const,
-        oauthError: oauthError.message,
-      });
-    }
-    throw err;
-  }
+  // Exhaustive check — should never reach here
+  const _exhaustive: never = mode;
+  throw new Error(`Unknown mode: ${_exhaustive}`);
 }
 
 // ---------------------------------------------------------------------------
@@ -188,13 +108,13 @@ export async function routedPostTweet(
 
 /**
  * Look up a user by screen name.
- * Managed mode uses GET /2/users/by/username/:username; browser mode uses GraphQL.
+ * Managed mode uses GET /2/users/by/username/:username.
  */
 export async function routedGetUserByScreenName(
   screenName: string,
-  opts: { strategy: TwitterStrategy },
+  opts: { mode: TwitterMode },
 ): Promise<RoutedResult<UserInfo>> {
-  if (opts.strategy === "managed") {
+  if (opts.mode === "managed") {
     try {
       const response = await managedGetUserByUsername(screenName, {
         "user.fields": "id,name,username",
@@ -228,21 +148,29 @@ export async function routedGetUserByScreenName(
     }
   }
 
-  // Browser path (used for browser, oauth, auto — read operations always go through browser)
-  const result = await browserGetUserByScreenName(screenName);
-  return { result, pathUsed: "browser" };
+  if (opts.mode === "oauth") {
+    throw Object.assign(
+      new Error(
+        "Read operations are not supported via OAuth. Use managed mode for read access.",
+      ),
+      { pathUsed: "oauth" as const },
+    );
+  }
+
+  const _exhaustive: never = opts.mode;
+  throw new Error(`Unknown mode: ${_exhaustive}`);
 }
 
 /**
  * Fetch a user's recent tweets.
- * Managed mode uses GET /2/users/:id/tweets; browser mode uses GraphQL.
+ * Managed mode uses GET /2/users/:id/tweets.
  */
 export async function routedGetUserTweets(
   userId: string,
   count: number,
-  opts: { strategy: TwitterStrategy },
+  opts: { mode: TwitterMode },
 ): Promise<RoutedResult<TweetEntry[]>> {
-  if (opts.strategy === "managed") {
+  if (opts.mode === "managed") {
     try {
       const response = await managedGetUserTweets(userId, {
         max_results: String(Math.min(count, 100)),
@@ -269,19 +197,28 @@ export async function routedGetUserTweets(
     }
   }
 
-  const result = await browserGetUserTweets(userId, count);
-  return { result, pathUsed: "browser" };
+  if (opts.mode === "oauth") {
+    throw Object.assign(
+      new Error(
+        "Read operations are not supported via OAuth. Use managed mode for read access.",
+      ),
+      { pathUsed: "oauth" as const },
+    );
+  }
+
+  const _exhaustive: never = opts.mode;
+  throw new Error(`Unknown mode: ${_exhaustive}`);
 }
 
 /**
  * Fetch a single tweet by ID.
- * Managed mode uses GET /2/tweets/:id; browser mode uses GraphQL TweetDetail.
+ * Managed mode uses GET /2/tweets/:id.
  */
 export async function routedGetTweetDetail(
   tweetId: string,
-  opts: { strategy: TwitterStrategy },
+  opts: { mode: TwitterMode },
 ): Promise<RoutedResult<TweetEntry[]>> {
-  if (opts.strategy === "managed") {
+  if (opts.mode === "managed") {
     try {
       const response = await managedGetTweet(tweetId, {
         "tweet.fields": "id,text,created_at,author_id,conversation_id",
@@ -340,20 +277,29 @@ export async function routedGetTweetDetail(
     }
   }
 
-  const result = await browserGetTweetDetail(tweetId);
-  return { result, pathUsed: "browser" };
+  if (opts.mode === "oauth") {
+    throw Object.assign(
+      new Error(
+        "Read operations are not supported via OAuth. Use managed mode for read access.",
+      ),
+      { pathUsed: "oauth" as const },
+    );
+  }
+
+  const _exhaustive: never = opts.mode;
+  throw new Error(`Unknown mode: ${_exhaustive}`);
 }
 
 /**
  * Search tweets.
- * Managed mode uses GET /2/tweets/search/recent; browser mode uses GraphQL SearchTimeline.
+ * Managed mode uses GET /2/tweets/search/recent.
  */
 export async function routedSearchTweets(
   query: string,
   product: "Top" | "Latest" | "People" | "Media",
-  opts: { strategy: TwitterStrategy },
+  opts: { mode: TwitterMode },
 ): Promise<RoutedResult<TweetEntry[]>> {
-  if (opts.strategy === "managed") {
+  if (opts.mode === "managed") {
     if (product === "People" || product === "Media") {
       throw Object.assign(
         new Error(
@@ -391,6 +337,15 @@ export async function routedSearchTweets(
     }
   }
 
-  const result = await browserSearchTweets(query, product);
-  return { result, pathUsed: "browser" };
+  if (opts.mode === "oauth") {
+    throw Object.assign(
+      new Error(
+        "Read operations are not supported via OAuth. Use managed mode for read access.",
+      ),
+      { pathUsed: "oauth" as const },
+    );
+  }
+
+  const _exhaustive: never = opts.mode;
+  throw new Error(`Unknown mode: ${_exhaustive}`);
 }

package/src/cli/commands/twitter/types.ts

@@ -0,0 +1,30 @@
+/**
+ * Public types shared across the Twitter CLI module.
+ * Extracted from the former browser CDP client.
+ */
+
+export interface PostTweetResult {
+  tweetId: string;
+  text: string;
+  url: string;
+}
+
+export interface UserInfo {
+  userId: string;
+  screenName: string;
+  name: string;
+}
+
+export interface TweetEntry {
+  tweetId: string;
+  text: string;
+  url: string;
+  createdAt: string;
+}
+
+export interface NotificationEntry {
+  id: string;
+  message: string;
+  timestamp: string;
+  url?: string;
+}

package/src/cli/reference.ts

@@ -24,7 +24,7 @@ Commands:
   email [options]                          Email operations (provider-agnostic)
   contacts [options]                       Manage and query the contact graph
   channel-verification-sessions [options]  Manage channel verification sessions
-  amazon [options]                         Shop on Amazon and Amazon Fresh. Requires a session imported from a Ride Shotgun recording.
+  amazon [options]                         Shop on Amazon and Amazon Fresh. Requires an active session (use "refresh" to authenticate).
   autonomy [options]                       View and configure autonomy tiers
   completions <shell>                      Generate shell completion script (e.g. assistant completions bash >> ~/.bashrc)
   notifications [options]                  Send and inspect notifications through the unified notification router
@@ -32,7 +32,7 @@ Commands:
   oauth [options]                          Manage OAuth tokens for connected integrations
   skills                                   Browse and install skills from the Vellum catalog
   browser                                  Browser automation, extension relay, and Chrome CDP management
-  x|twitter [options]                      Post on X and manage connections. Supports OAuth (official API) and browser session paths.
+  x|twitter [options]                      Post on X and manage connections. Supports managed (platform proxy) and OAuth (official API) paths.
   map [options] <domain>                   Auto-navigate a domain and produce a deduplicated API map. Launches Chrome with CDP, starts a Ride Shotgun learn session, then analyzes captured network traffic.
   sequence [options]                       Manage email sequences
 `;

package/src/config/bundled-skills/amazon/SKILL.md

@@ -86,7 +86,6 @@ Session capture (`assistant amazon refresh`) and session checks (`assistant amaz
 ```
 assistant amazon status --json                     # Check if logged in
 assistant amazon refresh --json                    # Capture fresh session via Ride Shotgun
-assistant amazon login --recording <path>          # Import session from a recording file
 assistant amazon logout                            # Clear session
 
 assistant amazon search "<query>" [--fresh] [--limit <n>] --json

package/src/config/bundled-skills/app-builder/SKILL.md

@@ -533,12 +533,6 @@ When the user wants to triage or bulk-act on items, generate an interactive UI w
 4. Execute tools, update UI with `ui_update`, show feedback via `widgets.toast()`
 5. Use `window.vellum.confirm()` for destructive actions
 
-## Home Base
-
-Home Base starts from a prebuilt scaffold. When updating, preserve required task-lane anchors and apply changes through `app_file_edit` or `app_file_write`.
-
-Home Base buttons send prefilled natural-language prompts through `vellum.sendAction`. Treat these as normal user messages.
-
 ## External Links
 
 Use `vellum.openLink(url, metadata)` to make items clickable. Construct deep-link URLs when possible. Include `metadata.provider` and `metadata.type` for context.

package/src/config/bundled-skills/app-builder/TOOLS.json

@@ -36,10 +36,6 @@
             "type": "boolean",
             "description": "When true (default), an inline preview card is shown in chat after creation. The app is NOT automatically opened in a workspace panel \u2014 users can open it explicitly via the 'Open App' button on the inline card."
           },
-          "set_as_home_base": {
-            "type": "boolean",
-            "description": "Link this app as the user's Home Base dashboard. Defaults to false. When true, this app becomes the default Home Base shown on launch."
-          },
           "preview": {
             "type": "object",
             "description": "Inline preview card shown in chat after creation. Always include this so users see a compact summary of what was built. Required fields: title.",

package/src/config/bundled-skills/doordash/SKILL.md

@@ -125,7 +125,6 @@ doordash cart add --store-id <id> --menu-id <id> --item-id <id> --item-name "Lat
 ```
 doordash status --json              # Check if logged in
 doordash refresh --json             # Capture fresh session via Ride Shotgun (auto-stops after login)
-doordash login --recording <path>   # Import session from a recording file manually
 doordash logout --json              # Clear session
 doordash search "<query>" --json    # Search restaurants
 doordash menu <storeId> --json      # Get store menu (auto-detects retail stores)

package/src/config/bundled-skills/doordash/__tests__/doordash-session.test.ts

@@ -1,20 +1,11 @@
-import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { afterEach, beforeEach, describe, expect, it } from "bun:test";
+import { describe, expect, it } from "bun:test";
 
 import {
   type DoorDashSession,
   getCookieHeader,
   getCsrfToken,
-  importFromRecording,
 } from "../lib/session.js";
 
-// Override VELLUM_DATA_DIR to use a temp directory during tests.
-// session.ts reads process.env.VELLUM_DATA_DIR directly.
-const TEST_DIR = join(tmpdir(), `vellum-dd-test-${process.pid}`);
-let originalDataDir: string | undefined;
-
 function makeCookie(
   name: string,
   value: string,
@@ -81,75 +72,3 @@ describe("DoorDash session helpers", () => {
     });
   });
 });
-
-describe("DoorDash session persistence", () => {
-  // These tests exercise the real loadSession/saveSession/clearSession
-  // by pointing VELLUM_DATA_DIR at a temp directory and testing via
-  // importFromRecording which exercises save+load.
-
-  beforeEach(() => {
-    originalDataDir = process.env.VELLUM_DATA_DIR;
-    process.env.VELLUM_DATA_DIR = TEST_DIR;
-    mkdirSync(TEST_DIR, { recursive: true });
-  });
-
-  afterEach(() => {
-    if (originalDataDir === undefined) {
-      delete process.env.VELLUM_DATA_DIR;
-    } else {
-      process.env.VELLUM_DATA_DIR = originalDataDir;
-    }
-    if (existsSync(TEST_DIR)) {
-      rmSync(TEST_DIR, { recursive: true, force: true });
-    }
-  });
-
-  describe("importFromRecording", () => {
-    it("throws when the recording file does not exist", () => {
-      expect(() => importFromRecording("/nonexistent/recording.json")).toThrow(
-        "Recording not found",
-      );
-    });
-
-    it("throws when the recording contains no cookies", () => {
-      const recordingPath = join(TEST_DIR, "empty-recording.json");
-      writeFileSync(
-        recordingPath,
-        JSON.stringify({
-          id: "rec-empty",
-          startedAt: 0,
-          endedAt: 1,
-          targetDomain: "doordash.com",
-          networkEntries: [],
-          cookies: [],
-          observations: [],
-        }),
-      );
-      expect(() => importFromRecording(recordingPath)).toThrow(
-        "Recording contains no cookies",
-      );
-    });
-
-    it("successfully imports a recording with cookies", () => {
-      const recordingPath = join(TEST_DIR, "valid-recording.json");
-      writeFileSync(
-        recordingPath,
-        JSON.stringify({
-          id: "rec-valid",
-          startedAt: 0,
-          endedAt: 1,
-          targetDomain: "doordash.com",
-          networkEntries: [],
-          cookies: [makeCookie("session_id", "xyz")],
-          observations: [],
-        }),
-      );
-      const session = importFromRecording(recordingPath);
-      expect(session.cookies).toHaveLength(1);
-      expect(session.cookies[0].name).toBe("session_id");
-      expect(session.cookies[0].value).toBe("xyz");
-      expect(session.recordingId).toBe("rec-valid");
-      expect(session.importedAt).toBeTruthy();
-    });
-  });
-});

package/src/config/bundled-skills/doordash/doordash-cli.ts

@@ -33,11 +33,16 @@ import {
 import { extractQueries, saveQueries } from "./lib/query-extractor.js";
 import {
   clearSession,
-  importFromRecording,
+  importFromCredentialStore,
   loadSession,
 } from "./lib/session.js";
 import { NetworkRecorder } from "./lib/shared/network-recorder.js";
-import { buildDaemonUrl, getDataDir, getHttpPort, readHttpToken } from "./lib/shared/platform.js";
+import {
+  buildDaemonUrl,
+  getDataDir,
+  getHttpPort,
+  readHttpToken,
+} from "./lib/shared/platform.js";
 import { loadRecording, saveRecording } from "./lib/shared/recording-store.js";
 import type { SessionRecording } from "./lib/shared/recording-types.js";
 
@@ -94,27 +99,10 @@ export function registerDoordashCommand(program: Command): void {
   const dd = program
     .command("doordash")
     .description(
-      "Order food from DoorDash. Requires a session imported from a Ride Shotgun recording.",
+      'Order food from DoorDash. Requires an active session (use "refresh" to authenticate).',
     )
     .option("--json", "Machine-readable JSON output");
 
-  // =========================================================================
-  // login — import session from a recording
-  // =========================================================================
-  dd.command("login")
-    .description("Import a DoorDash session from a Ride Shotgun recording")
-    .requiredOption("--recording <path>", "Path to the recording JSON file")
-    .action(async (opts: { recording: string }, cmd: Command) => {
-      await run(cmd, async () => {
-        const session = importFromRecording(opts.recording);
-        return {
-          message: "Session imported successfully",
-          cookieCount: session.cookies.length,
-          recordingId: session.recordingId,
-        };
-      });
-    });
-
   // =========================================================================
   // logout — clear saved session
   // =========================================================================
@@ -148,13 +136,13 @@ export function registerDoordashCommand(program: Command): void {
         }
 
         const result = await startLearnSession(duration);
-        if (result.recordingPath) {
-          const session = importFromRecording(result.recordingPath);
+        if (result.recordingId) {
+          const session = await importFromCredentialStore("doordash.com");
 
           // Also extract and save captured queries for self-healing
           let queriesCaptured = 0;
           try {
-            const recording = loadRecording(result.recordingId ?? "");
+            const recording = loadRecording(result.recordingId);
             if (recording) {
               const queries = extractQueries(recording);
               if (queries.length > 0) {
@@ -188,7 +176,7 @@ export function registerDoordashCommand(program: Command): void {
           output(
             {
               ok: false,
-              error: "Recording completed but no recording path returned",
+              error: "Recording completed but no recording ID returned",
               recordingId: result.recordingId,
             },
             json,
@@ -1020,7 +1008,10 @@ async function startLearnSession(
       // Poll session status to detect failures early
       try {
         const fetchAbort = AbortSignal.timeout(10_000);
-        const statusRes = await fetch(statusUrl, { headers, signal: fetchAbort });
+        const statusRes = await fetch(statusUrl, {
+          headers,
+          signal: fetchAbort,
+        });
         if (statusRes.ok) {
           const status = (await statusRes.json()) as {
             status: string;
@@ -1073,9 +1064,7 @@ async function startLearnSession(
 
             // Completed but no recordingId — cannot correlate
             reject(
-              new Error(
-                "Learn session completed but no recording was saved.",
-              ),
+              new Error("Learn session completed but no recording was saved."),
             );
             return;
           }