@vellumai/assistant 0.4.45 → 0.4.48

package/src/__tests__/managed-avatar-client.test.ts

@@ -1,337 +0,0 @@
-import { beforeEach, describe, expect, mock, test } from "bun:test";
-
-import { createHash } from "crypto";
-
-// ---------------------------------------------------------------------------
-// Mock dependencies — must be before importing the module under test
-// ---------------------------------------------------------------------------
-
-let mockApiKey: string | undefined = "test-api-key-123";
-let mockBaseUrl = "https://platform.vellum.ai";
-let mockPlatformEnvUrl = "https://env.vellum.ai";
-
-mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (account: string) => {
-    if (account === "credential:vellum:assistant_api_key") return mockApiKey;
-    return undefined;
-  },
-}));
-
-mock.module("../config/loader.js", () => ({
-  getConfig: () => ({
-    platform: { baseUrl: mockBaseUrl },
-  }),
-}));
-
-mock.module("../config/env.js", () => ({
-  getPlatformBaseUrl: () => mockPlatformEnvUrl,
-}));
-
-mock.module("../util/logger.js", () => ({
-  getLogger: () => ({
-    debug: () => {},
-    info: () => {},
-    warn: () => {},
-    error: () => {},
-  }),
-}));
-
-// Mock global fetch
-let lastFetchArgs: [string, RequestInit] | null = null;
-let fetchResponse: {
-  ok: boolean;
-  status: number;
-  json: () => Promise<unknown>;
-  text: () => Promise<string>;
-} = {
-  ok: true,
-  status: 200,
-  json: async () => ({}),
-  text: async () => "",
-};
-
-globalThis.fetch = (async (url: string, init: RequestInit) => {
-  lastFetchArgs = [url, init];
-  return fetchResponse;
-}) as typeof globalThis.fetch;
-
-// Import after mocking
-import {
-  AVATAR_MAX_DECODED_BYTES,
-  AVATAR_PROMPT_MAX_LENGTH,
-  ManagedAvatarError,
-  VERTEX_IMAGE_DEFAULT_MODEL,
-} from "../media/avatar-types.js";
-import {
-  generateManagedAvatar,
-  isManagedAvailable,
-} from "../media/managed-avatar-client.js";
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-const SMALL_PNG_BASE64 = "iVBORw0KGgo=";
-
-function successResponse() {
-  return {
-    predictions: [
-      {
-        bytesBase64Encoded: SMALL_PNG_BASE64,
-        mimeType: "image/png",
-      },
-    ],
-  };
-}
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
-beforeEach(() => {
-  mockApiKey = "test-api-key-123";
-  mockBaseUrl = "https://platform.vellum.ai";
-  mockPlatformEnvUrl = "https://env.vellum.ai";
-  lastFetchArgs = null;
-  fetchResponse = {
-    ok: true,
-    status: 200,
-    json: async () => successResponse(),
-    text: async () => JSON.stringify(successResponse()),
-  };
-});
-
-describe("generateManagedAvatar", () => {
-  test("successful generation returns parsed response", async () => {
-    const result = await generateManagedAvatar("a friendly robot avatar");
-
-    expect(result.image.mime_type).toBe("image/png");
-    expect(result.image.data_base64).toBe(SMALL_PNG_BASE64);
-    // bytes is computed from base64 length, not from the server response
-    const padding = SMALL_PNG_BASE64.endsWith("==")
-      ? 2
-      : SMALL_PNG_BASE64.endsWith("=")
-        ? 1
-        : 0;
-    const expectedBytes =
-      Math.ceil((SMALL_PNG_BASE64.length * 3) / 4) - padding;
-    expect(result.image.bytes).toBe(expectedBytes);
-    const expectedSha256 = createHash("sha256")
-      .update(Buffer.from(SMALL_PNG_BASE64, "base64"))
-      .digest("hex");
-    expect(result.image.sha256).toBe(expectedSha256);
-    expect(result.correlation_id).toBeDefined();
-  });
-
-  test("fetch URL matches runtime proxy Vertex endpoint with default model", async () => {
-    await generateManagedAvatar("test prompt");
-
-    expect(lastFetchArgs).not.toBeNull();
-    const url = lastFetchArgs![0];
-    expect(url).toBe(
-      `https://platform.vellum.ai/v1/runtime-proxy/vertex/v1/models/${VERTEX_IMAGE_DEFAULT_MODEL}:predict`,
-    );
-  });
-
-  test("custom model is used in the URL path", async () => {
-    const customModel = "imagen-3.0-fast-generate-001";
-    await generateManagedAvatar("test prompt", { model: customModel });
-
-    expect(lastFetchArgs).not.toBeNull();
-    const url = lastFetchArgs![0];
-    expect(url).toBe(
-      `https://platform.vellum.ai/v1/runtime-proxy/vertex/v1/models/${customModel}:predict`,
-    );
-  });
-
-  test("request body uses Vertex Imagen format", async () => {
-    await generateManagedAvatar("a cool robot");
-
-    expect(lastFetchArgs).not.toBeNull();
-    const body = JSON.parse(lastFetchArgs![1].body as string);
-    expect(body).toEqual({
-      instances: [{ prompt: "a cool robot" }],
-      parameters: {
-        sampleCount: 1,
-        aspectRatio: "1:1",
-        outputOptions: { mimeType: "image/png" },
-      },
-    });
-  });
-
-  test("prompt exceeding max length throws ManagedAvatarError with code validation_error", async () => {
-    const longPrompt = "x".repeat(AVATAR_PROMPT_MAX_LENGTH + 1);
-
-    try {
-      await generateManagedAvatar(longPrompt);
-      expect(true).toBe(false); // should not reach here
-    } catch (err) {
-      expect(err).toBeInstanceOf(ManagedAvatarError);
-      const avatarErr = err as ManagedAvatarError;
-      expect(avatarErr.code).toBe("validation_error");
-      expect(avatarErr.subcode).toBe("prompt_too_long");
-    }
-  });
-
-  test("HTTP 429 response throws ManagedAvatarError with retryable true", async () => {
-    fetchResponse = {
-      ok: false,
-      status: 429,
-      json: async () => ({}),
-      text: async () => "Rate limit exceeded",
-    };
-
-    try {
-      await generateManagedAvatar("test prompt");
-      expect(true).toBe(false);
-    } catch (err) {
-      expect(err).toBeInstanceOf(ManagedAvatarError);
-      const avatarErr = err as ManagedAvatarError;
-      expect(avatarErr.retryable).toBe(true);
-      expect(avatarErr.statusCode).toBe(429);
-      expect(avatarErr.code).toBe("upstream_error");
-      expect(avatarErr.subcode).toBe("http_error");
-    }
-  });
-
-  test("HTTP 500 response throws retryable ManagedAvatarError", async () => {
-    fetchResponse = {
-      ok: false,
-      status: 500,
-      json: async () => ({}),
-      text: async () => "Internal server error",
-    };
-
-    try {
-      await generateManagedAvatar("test prompt");
-      expect(true).toBe(false);
-    } catch (err) {
-      expect(err).toBeInstanceOf(ManagedAvatarError);
-      const avatarErr = err as ManagedAvatarError;
-      expect(avatarErr.code).toBe("upstream_error");
-      expect(avatarErr.subcode).toBe("http_error");
-      expect(avatarErr.statusCode).toBe(500);
-      expect(avatarErr.retryable).toBe(true);
-    }
-  });
-
-  test("HTTP 400 response throws non-retryable ManagedAvatarError", async () => {
-    fetchResponse = {
-      ok: false,
-      status: 400,
-      json: async () => ({}),
-      text: async () => "Model not allowed on this platform",
-    };
-
-    try {
-      await generateManagedAvatar("test prompt");
-      expect(true).toBe(false);
-    } catch (err) {
-      expect(err).toBeInstanceOf(ManagedAvatarError);
-      const avatarErr = err as ManagedAvatarError;
-      expect(avatarErr.code).toBe("upstream_error");
-      expect(avatarErr.subcode).toBe("http_error");
-      expect(avatarErr.statusCode).toBe(400);
-      expect(avatarErr.retryable).toBe(false);
-    }
-  });
-
-  test("response with disallowed MIME type throws validation error", async () => {
-    fetchResponse = {
-      ok: true,
-      status: 200,
-      json: async () => ({
-        predictions: [
-          {
-            bytesBase64Encoded: SMALL_PNG_BASE64,
-            mimeType: "image/gif",
-          },
-        ],
-      }),
-      text: async () => "",
-    };
-
-    try {
-      await generateManagedAvatar("test prompt");
-      expect(true).toBe(false);
-    } catch (err) {
-      expect(err).toBeInstanceOf(ManagedAvatarError);
-      const avatarErr = err as ManagedAvatarError;
-      expect(avatarErr.code).toBe("validation_error");
-      expect(avatarErr.subcode).toBe("disallowed_mime_type");
-    }
-  });
-
-  test("response with oversized image throws validation error", async () => {
-    const oversizedBase64 = "A".repeat(
-      Math.ceil(((AVATAR_MAX_DECODED_BYTES + 100) * 4) / 3),
-    );
-    fetchResponse = {
-      ok: true,
-      status: 200,
-      json: async () => ({
-        predictions: [
-          {
-            bytesBase64Encoded: oversizedBase64,
-            mimeType: "image/png",
-          },
-        ],
-      }),
-      text: async () => "",
-    };
-
-    try {
-      await generateManagedAvatar("test prompt");
-      expect(true).toBe(false);
-    } catch (err) {
-      expect(err).toBeInstanceOf(ManagedAvatarError);
-      const avatarErr = err as ManagedAvatarError;
-      expect(avatarErr.code).toBe("validation_error");
-      expect(avatarErr.subcode).toBe("oversized_image");
-    }
-  });
-
-  test("Authorization header uses Api-Key prefix", async () => {
-    await generateManagedAvatar("test prompt");
-
-    expect(lastFetchArgs).not.toBeNull();
-    const headers = lastFetchArgs![1].headers as Record<string, string>;
-    expect(headers.Authorization).toBe("Api-Key test-api-key-123");
-    expect(headers.Authorization).not.toContain("Bearer");
-  });
-
-  test("Idempotency-Key header is present on every request", async () => {
-    await generateManagedAvatar("test prompt");
-
-    expect(lastFetchArgs).not.toBeNull();
-    const headers = lastFetchArgs![1].headers as Record<string, string>;
-    expect(headers["Idempotency-Key"]).toBeDefined();
-    expect(headers["Idempotency-Key"].length).toBeGreaterThan(0);
-  });
-
-  test("caller-provided idempotencyKey is used in the request header", async () => {
-    const customKey = "my-custom-idempotency-key-123";
-    await generateManagedAvatar("test prompt", { idempotencyKey: customKey });
-
-    expect(lastFetchArgs).not.toBeNull();
-    const headers = lastFetchArgs![1].headers as Record<string, string>;
-    expect(headers["Idempotency-Key"]).toBe(customKey);
-  });
-});
-
-describe("isManagedAvailable", () => {
-  test("returns false when API key is missing", () => {
-    mockApiKey = undefined;
-    expect(isManagedAvailable()).toBe(false);
-  });
-
-  test("returns false when base URL is missing", () => {
-    mockBaseUrl = "";
-    mockPlatformEnvUrl = "";
-    expect(isManagedAvailable()).toBe(false);
-  });
-
-  test("returns true when both API key and base URL are present", () => {
-    expect(isManagedAvailable()).toBe(true);
-  });
-});

package/src/config/bundled-skills/doordash/SKILL.md

@@ -1,170 +0,0 @@
----
-name: doordash
-description: Order food, groceries, and convenience items from DoorDash using the built-in CLI integration
-compatibility: "Designed for Vellum personal assistants"
-metadata:
-  emoji: "🍕"
-  vellum:
-    display-name: "DoorDash"
-    user-invocable: true
-    cli:
-      command: "doordash"
-      entry: "doordash-entry.ts"
----
-
-You can order food from DoorDash for the user using the `doordash` CLI.
-
-## CLI Setup
-
-**IMPORTANT: Always use `host_bash` (not `bash`) for all `doordash` commands.** The DoorDash CLI needs host access for Chrome CDP, session cookies, and the CLI binary — none of which are available inside the sandbox.
-
-`doordash` is a standalone CLI tool installed at `~/.vellum/bin/doordash`. It should already be on your PATH. If `doordash` is not found, prepend `PATH="$HOME/.vellum/bin:$PATH"` to the command. Do NOT search for the binary, inspect wrapper scripts, or try to discover how the CLI works. Just run the commands as documented below.
-
-## Task Progress Widget
-
-A task progress card is shown automatically when you run your first `doordash` command. Its surface ID is `doordash-progress`. As each step completes, call `ui_update` with surface ID `doordash-progress` to update step statuses. Update `data.templateData.steps` — set completed steps to `"status": "completed"` with a `"detail"` string, the current step to `"status": "in_progress"`, and future steps to `"status": "pending"`. Adapt the steps to the actual flow (e.g. skip "Search restaurants" if the user named a specific store).
-
-## Typical Flow
-
-When the user asks you to order food (e.g. "Order pizza from Andiamo's"):
-
-1. **Check session** — run `doordash status --json`. If `loggedIn` is false or the session is expired, tell the user: "A Chrome window will open to the DoorDash login page. Please sign in there — I'll detect your login automatically and minimize the window." Then run `doordash refresh --json`. This starts a Ride Shotgun learn session that records your login and auto-stops once it detects you've signed in. The session is imported automatically. **This command blocks until login is complete — just wait for it.**
-
-   Keep the DoorDash Chrome window open in the background — it's needed for API requests.
-
-2. **Search** — run `doordash search "<query>" --json` to find matching restaurants. Present the top results to the user with name, rating, and delivery info. If the user named a specific restaurant, pick the best match. If ambiguous, ask.
-
-3. **Browse menu** — run `doordash menu <storeId> --json` to get the menu. Show the user the categories and items with prices. If the user already said what they want (e.g. "pepperoni pizza"), find the matching item(s). **For convenience/pharmacy stores** (CVS, Duane Reade, Walgreens etc.), the response will have `isRetail: true` and empty items — use `store-search` instead (see step 3b).
-
-3b. **Search within a retail store** — for convenience/pharmacy stores, run `doordash store-search <storeId> "<query>" --json` to find specific products. This returns items with IDs, prices, and menuIds that can be added to cart directly.
-
-4. **Get item details** (if needed) — run `doordash item <storeId> <itemId> --json` to see options/customizations. The response includes:
-   - `options`: each option group has `minSelections`/`maxSelections` indicating how many choices are required
-   - Each choice has `unitAmount` (price impact in cents), `defaultQuantity`, and possibly `nestedOptions` (sub-choices like milk type within a size selection)
-   - `specialInstructionsConfig`: whether special instructions are accepted, max length, and placeholder text
-
-   If the item has required options (like size or toppings), construct the `nestedOptions` JSON from the option/choice IDs and pass it via `--options`. Ask the user for preferences or pick sensible defaults.
-
-5. **Add to cart** — run `doordash cart add --store-id <id> --menu-id <id> --item-id <id> --item-name "<name>" --unit-price <cents> [--options '<json>'] [--special-instructions "<text>"] --json`. For subsequent items at the same store, pass `--cart-id <id>` from the first add response. Use `--special-instructions` for requests like "extra hot", "no ice", etc. Use `--options` to pass customization choices (see Customization Options below).
-
-6. **Review cart** — run `doordash cart view <cartId> --json` and show the user what's in their cart with prices. Ask if they want to add anything else or proceed.
-
-7. **Checkout** — run `doordash checkout <cartId> --json` to get delivery options. Present them to the user.
-
-8. **Payment methods** — run `doordash payment-methods --json` to see saved cards. Show the user which card will be used (the default one).
-
-9. **Place order** — after the user explicitly confirms, run `doordash order place --cart-id <id> --store-id <id> --total <cents> [--tip <cents>] [--dropoff-option <id>] --json`. The command auto-selects the default payment method if `--payment-uuid` is not provided. The response contains `orderUuid` on success.
-
-## Important Behavior
-
-- **Always confirm before checkout.** Never place an order without explicit user approval.
-- **Be proactive.** If the user says "order pizza from Andiamo's", don't ask clarifying questions upfront — search, find the store, show the menu, and suggest items. Only ask when you need a choice the user hasn't specified.
-- **Handle expired sessions gracefully.** If any command returns `"error": "session_expired"`, run `doordash refresh --json` to re-capture the session.
-- **Show prices.** Always show prices when presenting items or the cart summary.
-- **Use `--json` flag** on all commands for reliable parsing.
-- **Do NOT use the browser skill.** All DoorDash interaction goes through the CLI, not browser automation.
-- **Rate limiting.** DoorDash rate-limits rapid sequential requests. When adding multiple items (e.g. a team order), wait 8–10 seconds between `cart add` calls. If you get a 403 error, wait 15–20 seconds and retry. For large orders (5+ items), consider running `doordash refresh --json` midway through if you hit repeated 403s.
-- **Special instructions are unreliable.** Some merchants disable special instructions entirely. Always prefer `--options` for customizations (size, milk type, etc.). Only use `--special-instructions` for free-text requests that aren't covered by the item's option groups. If the merchant rejects special instructions, drop them and proceed without.
-- **Customization fallback.** If `cart add` with `--options` fails, or if the item details show options that are hard to construct (deeply nested, unusual format), proactively offer to use `cart learn` so the user can customize the item visually in the browser. Don't silently drop customizations — tell the user what happened and offer alternatives.
-- **Always-allow tip.** At the start of an ordering flow, suggest the user enable "always allow" for `doordash` commands: "Tip: You can type 'a' to always allow `doordash` commands for this session so you won't be prompted each time."
-- **Error attribution.** When errors occur, assume it's more likely a bug in our query/parsing than a DoorDash API change. Suggest running `doordash record` to capture fresh queries before assuming the schema changed.
-
-## Customization Options
-
-Many items (especially coffee, boba, sandwiches) have required customization options like size, milk type, or toppings. Here's how to handle them:
-
-### Constructing nestedOptions JSON
-
-1. Run `doordash item <storeId> <itemId> --json` to get the item's option groups
-2. Each option group has `id`, `name`, `required`, `minSelections`, `maxSelections`, and `choices`
-3. Build a JSON array of selections matching the DoorDash format:
-
-```json
-[
-  {
-    "optionId": "<option-group-id>",
-    "optionChoiceId": "<choice-id>",
-    "quantity": 1,
-    "nestedOptions": []
-  }
-]
-```
-
-For choices with nested sub-options (e.g., selecting "Oat Milk" under the "Milk" option within a size), add them to the `nestedOptions` array of the parent choice.
-
-4. Pass the JSON string to `cart add --options '<json>'`
-
-### Special Instructions
-
-Use `--special-instructions` on `cart add` for free-text requests like "extra hot", "no ice", "light foam". The `item` command response includes `specialInstructionsConfig` with the max length and whether instructions are supported.
-
-**Warning:** Some merchants disable special instructions entirely. If `specialInstructionsConfig.isEnabled` is false, or if the add-to-cart call returns an error about special requests, drop the instructions and retry without them. Always prefer `--options` for customizations — special instructions are a last resort for requests not covered by the item's option groups.
-
-### Learning Customizations via Ride Shotgun
-
-For complex items where constructing the JSON manually is difficult, use `cart learn`:
-
-1. Run `doordash cart learn --json`
-2. A Chrome window opens — navigate to the item, customize it visually, and click "Add to Cart"
-3. The command auto-detects the `updateCartItem` operation and extracts the exact `nestedOptions` and `specialInstructions`
-4. Use the extracted options directly with `cart add --options '<json>'`
-
-You can also extract options from an existing recording with `doordash inspect <recordingId> --extract-options --json`.
-
-### Coffee Order Example
-
-**User**: "Order a large oat milk latte with an extra shot from Blue Bottle"
-
-1. `doordash search "Blue Bottle" --json` -> finds store
-2. `doordash menu <storeId> --json` -> finds "Latte" item
-3. `doordash item <storeId> <latteItemId> --json` -> returns options:
-   - Size (required, min:1, max:1): Small (id:101), Medium (id:102), Large (id:103, +$1.00)
-   - Milk (required, min:1, max:1): Whole (id:201), Oat (id:202, +$0.70), Almond (id:203, +$0.70)
-   - Extras (optional, min:0, max:5): Extra Shot (id:301, +$0.90), Vanilla Syrup (id:302, +$0.60)
-4. Construct options JSON and add to cart:
-
-```
-doordash cart add --store-id <id> --menu-id <id> --item-id <id> --item-name "Latte" --unit-price 550 --options '[{"optionId":"size-group-id","optionChoiceId":"103","quantity":1,"nestedOptions":[]},{"optionId":"milk-group-id","optionChoiceId":"202","quantity":1,"nestedOptions":[]},{"optionId":"extras-group-id","optionChoiceId":"301","quantity":1,"nestedOptions":[]}]' --special-instructions "Extra hot" --json
-```
-
-## Command Reference
-
-```
-doordash status --json              # Check if logged in
-doordash refresh --json             # Capture fresh session via Ride Shotgun (auto-stops after login)
-doordash logout --json              # Clear session
-doordash search "<query>" --json    # Search restaurants
-doordash menu <storeId> --json      # Get store menu (auto-detects retail stores)
-doordash store-search <storeId> "<query>" --json  # Search items within a convenience/pharmacy store
-doordash item <storeId> <itemId> --json  # Get item details + options
-doordash cart add --store-id <id> --menu-id <id> --item-id <id> --item-name "<name>" --unit-price <cents> [--quantity <n>] [--cart-id <id>] [--options '<json>'] [--special-instructions "<text>"] --json
-doordash cart remove --cart-id <id> --item-id <orderItemId> --json
-doordash cart view <cartId> --json
-doordash cart list [--store-id <id>] --json
-doordash cart learn --json                 # Learn customization options by recording browser interaction
-doordash inspect <recordingId> --extract-options --json  # Extract nestedOptions from a recording
-doordash checkout <cartId> [--address-id <id>] --json
-doordash payment-methods --json     # List saved payment methods
-doordash order place --cart-id <id> --store-id <id> --total <cents> [--tip <cents>] [--delivery-option <type>] [--dropoff-option <id>] [--payment-uuid <uuid>] --json
-```
-
-## Example Interaction
-
-**User**: "Order a pepperoni pizza from Andiamo's"
-
-1. `doordash status --json` -> logged in
-2. `doordash search "Andiamo's" --json` -> finds store 22926474
-3. `doordash menu 22926474 --json` -> finds "Pepperoni Pizza Pie" (item 2956709006, $28.00)
-4. Tell user: "I found Pepperoni Pizza Pie at Andiamo's for $28.00. Adding it to your cart."
-5. `doordash cart add --store-id 22926474 --menu-id 12847574 --item-id 2956709006 --item-name "Pepperoni Pizza Pie" --unit-price 2800 --json`
-6. `doordash cart view <cartId> --json` -> show summary
-7. "Your cart has 1x Pepperoni Pizza Pie ($28.00), total $28.00. Ready to check out?"
-
-**User**: "I need Tylenol from CVS"
-
-1. `doordash status --json` -> logged in
-2. `doordash search "CVS" --json` -> finds store 1231787
-3. `doordash menu 1231787 --json` -> isRetail: true, categories but no items
-4. `doordash store-search 1231787 "tylenol" --json` -> finds results
-5. Show top results: "Tylenol Extra Strength Gelcaps (24 ct) - $8.79, Tylenol Extra Strength Caplets (100 ct) - $13.49..."
-6. User picks one -> add to cart with the item's `id`, `menuId`, and `unitAmount`