@vellumai/assistant 0.4.45 → 0.4.48

package/src/__tests__/media-generate-image.test.ts

@@ -17,6 +17,7 @@ let mockGenerateResult = {
   resolvedModel: "gemini-2.5-flash-image",
 };
 let mockGenerateError: Error | null = null;
+let lastGenerateCredentials: unknown = null;
 
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
@@ -27,7 +28,11 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../media/gemini-image-service.js", () => ({
-  generateImage: async (_apiKey: string, _request: Record<string, unknown>) => {
+  generateImage: async (
+    credentials: unknown,
+    _request: Record<string, unknown>,
+  ) => {
+    lastGenerateCredentials = credentials;
     if (mockGenerateError) throw mockGenerateError;
     return mockGenerateResult;
   },
@@ -37,6 +42,18 @@ mock.module("../media/gemini-image-service.js", () => ({
   },
 }));
 
+let mockManagedBaseUrl: string | undefined;
+let mockManagedProxyContext = {
+  enabled: false,
+  platformBaseUrl: "",
+  assistantApiKey: "",
+};
+
+mock.module("../providers/managed-proxy/context.js", () => ({
+  buildManagedBaseUrl: () => mockManagedBaseUrl,
+  resolveManagedProxyContext: () => mockManagedProxyContext,
+}));
+
 let mockAttachments: Array<{
   id: string;
   assistantId: string;
@@ -138,6 +155,13 @@ beforeEach(() => {
   };
   mockGenerateError = null;
   mockAttachments = [];
+  lastGenerateCredentials = null;
+  mockManagedBaseUrl = undefined;
+  mockManagedProxyContext = {
+    enabled: false,
+    platformBaseUrl: "",
+    assistantApiKey: "",
+  };
 });
 
 const fakeContext = {
@@ -153,7 +177,7 @@ describe("image-studio skill script wrapper", () => {
     expect(getTool("media_generate_image")).toBeUndefined();
   });
 
-  test("returns error when no API key is configured", async () => {
+  test("returns error when no API key and no managed proxy", async () => {
     mockApiKey = undefined;
 
     const result = await run({ prompt: "a cat" }, fakeContext);
@@ -162,6 +186,43 @@ describe("image-studio skill script wrapper", () => {
     expect(result.content).toContain("No Gemini API key");
   });
 
+  test("falls back to managed proxy when no API key is configured", async () => {
+    mockApiKey = undefined;
+    mockManagedBaseUrl = "https://platform.example.com/v1/runtime-proxy/vertex";
+    mockManagedProxyContext = {
+      enabled: true,
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "managed-key-123",
+    };
+
+    const result = await run({ prompt: "a hippo" }, fakeContext);
+
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Generated 1 image");
+    expect(lastGenerateCredentials).toEqual({
+      type: "managed-proxy",
+      assistantApiKey: "managed-key-123",
+      baseUrl: "https://platform.example.com/v1/runtime-proxy/vertex",
+    });
+  });
+
+  test("prefers direct API key over managed proxy", async () => {
+    mockApiKey = "direct-key";
+    mockManagedBaseUrl = "https://platform.example.com/v1/runtime-proxy/vertex";
+    mockManagedProxyContext = {
+      enabled: true,
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "managed-key-123",
+    };
+
+    await run({ prompt: "a cat" }, fakeContext);
+
+    expect(lastGenerateCredentials).toEqual({
+      type: "direct",
+      apiKey: "direct-key",
+    });
+  });
+
   test("returns generated image with contentBlocks", async () => {
     const result = await run({ prompt: "a sunset" }, fakeContext);
 

package/src/__tests__/media-reuse-story.e2e.test.ts

@@ -62,6 +62,7 @@ mock.module("../config/loader.js", () => ({
 
 // Credential resolver and secure key mocks — must be set up before
 // session-manager is imported so the proxy uses our test data.
+import { credentialKey } from "../security/credential-key.js";
 import type { ResolvedCredential } from "../tools/credentials/resolve.js";
 
 let resolveByIdResults = new Map<string, ResolvedCredential | undefined>();
@@ -154,7 +155,7 @@ function makeResolved(
     credentialId,
     service,
     field,
-    storageKey: `credential:${service}:${field}`,
+    storageKey: credentialKey(service, field),
     injectionTemplates: templates,
     metadata: {
       credentialId,
@@ -357,7 +358,10 @@ describe("Story E2E: selfie yesterday -> generated image today", () => {
       };
       const resolved = makeResolved("cred-story", [tpl]);
       resolveByIdResults.set("cred-story", resolved);
-      secureKeyValues.set("credential:test-service:api-key", "fal_test_secret");
+      secureKeyValues.set(
+        credentialKey("test-service", "api-key"),
+        "fal_test_secret",
+      );
 
       // Drive the proxy step through the bash tool — the actual integration path.
       // -x "$HTTP_PROXY" forces curl to use the proxy explicitly (macOS curl
@@ -381,7 +385,7 @@ describe("Story E2E: selfie yesterday -> generated image today", () => {
 
       await stopAllSessions();
       resolveByIdResults.delete("cred-story");
-      secureKeyValues.delete("credential:test-service:api-key");
+      secureKeyValues.delete(credentialKey("test-service", "api-key"));
     } finally {
       echo.server.close();
     }

package/src/__tests__/messaging-send-tool.test.ts

@@ -2,6 +2,7 @@ import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 import type { MessagingProvider } from "../messaging/provider.js";
 import type { SendOptions } from "../messaging/provider-types.js";
+import type { OAuthConnection } from "../oauth/connection.js";
 
 const sendMessageMock = mock(async (..._args: unknown[]) => ({
   id: "msg-1",
@@ -23,19 +24,16 @@ const provider: MessagingProvider = {
   getHistory: async () => [],
   search: async () => ({ total: 0, messages: [], hasMore: false }),
   sendMessage: (
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     options?: SendOptions,
-  ) => sendMessageMock(token, conversationId, text, options),
+  ) => sendMessageMock(connectionOrToken, conversationId, text, options),
 };
 
 mock.module("../config/bundled-skills/messaging/tools/shared.js", () => ({
   resolveProvider: () => provider,
-  withProviderToken: async (
-    _provider: MessagingProvider,
-    fn: (token: string) => Promise<unknown>,
-  ) => fn("provider-token"),
+  getProviderConnection: () => "provider-token",
   ok: (content: string) => ({ content, isError: false }),
   err: (content: string) => ({ content, isError: true }),
   extractHeader: () => "",

package/src/__tests__/provider-fail-open-selection.test.ts

@@ -1,5 +1,7 @@
 import { describe, expect, mock, test } from "bun:test";
 
+import { credentialKey } from "../security/credential-key.js";
+
 // ---------------------------------------------------------------------------
 // Mock the underlying dependencies of managed-proxy/context.js rather than
 // the context module itself. This avoids global mock bleed: other test files
@@ -19,7 +21,7 @@ const actualSecureKeys = await import("../security/secure-keys.js");
 mock.module("../security/secure-keys.js", () => ({
   ...actualSecureKeys,
   getSecureKey: (key: string) => {
-    if (key === "credential:vellum:assistant_api_key") {
+    if (key === credentialKey("vellum", "assistant_api_key")) {
       return mockAssistantApiKey || null;
     }
     return null;

package/src/__tests__/provider-managed-proxy-integration.test.ts

@@ -1,6 +1,36 @@
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 import { MANAGED_PROVIDER_META } from "../providers/managed-proxy/constants.js";
+import { credentialKey } from "../security/credential-key.js";
+
+// ---------------------------------------------------------------------------
+// Mock @google/genai to capture constructor arguments for Gemini base URL
+// assertions. Must be before importing the registry.
+// ---------------------------------------------------------------------------
+let lastGeminiConstructorOpts: Record<string, unknown> | null = null;
+
+mock.module("@google/genai", () => ({
+  GoogleGenAI: class MockGoogleGenAI {
+    constructor(opts: Record<string, unknown>) {
+      lastGeminiConstructorOpts = opts;
+    }
+    models = {
+      generateContentStream: async () => ({
+        [Symbol.asyncIterator]: async function* () {
+          /* no chunks */
+        },
+      }),
+    };
+  },
+  ApiError: class FakeApiError extends Error {
+    status: number;
+    constructor(status: number, message: string) {
+      super(message);
+      this.status = status;
+      this.name = "ApiError";
+    }
+  },
+}));
 
 // ---------------------------------------------------------------------------
 // Mock the underlying dependencies that the real context module relies on.
@@ -16,7 +46,7 @@ mock.module("../config/env.js", () => ({
 
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (key: string) => {
-    if (key === "credential:vellum:assistant_api_key") {
+    if (key === credentialKey("vellum", "assistant_api_key")) {
       return mockAssistantApiKey;
     }
     return null;
@@ -72,6 +102,7 @@ function userKeysFor(...names: string[]): Record<string, string> {
 
 beforeEach(() => {
   disableManagedProxy();
+  lastGeminiConstructorOpts = null;
 });
 
 describe("managed proxy integration — credential precedence", () => {
@@ -172,6 +203,25 @@ describe("managed proxy integration — credential precedence", () => {
       expect(baseURL).toContain("/v1/runtime-proxy/vertex");
       expect(baseURL).not.toContain("/v1/runtime-proxy/anthropic");
     });
+
+    test("managed gemini uses vertex proxy path instead of gemini proxy path", () => {
+      enableManagedProxy();
+      initializeProviders({
+        apiKeys: {},
+        provider: "anthropic",
+        model: "test-model",
+      });
+
+      // The GoogleGenAI constructor was captured by the mock — verify it
+      // received httpOptions.baseUrl pointing at the vertex proxy path.
+      expect(lastGeminiConstructorOpts).toBeDefined();
+      const httpOptions = lastGeminiConstructorOpts!.httpOptions as
+        | { baseUrl?: string }
+        | undefined;
+      expect(httpOptions).toBeDefined();
+      expect(httpOptions!.baseUrl).toContain("/v1/runtime-proxy/vertex");
+      expect(httpOptions!.baseUrl).not.toContain("/v1/runtime-proxy/gemini");
+    });
   });
 
   describe("neither user keys nor managed context → providers not initialized", () => {
@@ -285,10 +335,24 @@ describe("managed proxy integration — constants integrity", () => {
     }
   });
 
-  test("managed proxy paths are unique across providers", () => {
-    const paths = Object.values(MANAGED_PROVIDER_META)
-      .filter((m) => m.managed && m.proxyPath)
-      .map((m) => m.proxyPath);
-    expect(new Set(paths).size).toBe(paths.length);
+  test("anthropic and gemini route through vertex proxy path", () => {
+    expect(MANAGED_PROVIDER_META.anthropic.proxyPath).toBe(
+      "/v1/runtime-proxy/vertex",
+    );
+    expect(MANAGED_PROVIDER_META.gemini.proxyPath).toBe(
+      "/v1/runtime-proxy/vertex",
+    );
+  });
+
+  test("other providers use their own proxy paths", () => {
+    expect(MANAGED_PROVIDER_META.openai.proxyPath).toBe(
+      "/v1/runtime-proxy/openai",
+    );
+    expect(MANAGED_PROVIDER_META.fireworks.proxyPath).toBe(
+      "/v1/runtime-proxy/fireworks",
+    );
+    expect(MANAGED_PROVIDER_META.openrouter.proxyPath).toBe(
+      "/v1/runtime-proxy/openrouter",
+    );
   });
 });

package/src/__tests__/schedule-store.test.ts

@@ -903,7 +903,7 @@ describe("routing and mode fields", () => {
   });
 
   test("routing hints round-trip through DB raw query", () => {
-    const hints = { target: "sms" };
+    const hints = { target: "telegram" };
     const job = createSchedule({
       name: "Raw round-trip",
       message: "check raw",

package/src/__tests__/schema-transforms.test.ts

@@ -0,0 +1,226 @@
+import { describe, expect, test } from "bun:test";
+
+import type { ToolDefinition } from "../providers/types.js";
+import {
+  injectReasonField,
+  REASON_SKIP_SET,
+  schemaDefinesProperty,
+} from "../tools/schema-transforms.js";
+
+function makeDef(
+  name: string,
+  schema: object = { type: "object", properties: {}, required: [] },
+): ToolDefinition {
+  return { name, description: `Tool ${name}`, input_schema: schema };
+}
+
+describe("REASON_SKIP_SET", () => {
+  test("contains expected tool names", () => {
+    expect(REASON_SKIP_SET.has("skill_execute")).toBe(true);
+    expect(REASON_SKIP_SET.has("bash")).toBe(true);
+    expect(REASON_SKIP_SET.has("host_bash")).toBe(true);
+    expect(REASON_SKIP_SET.has("request_system_permission")).toBe(true);
+    expect(REASON_SKIP_SET.size).toBe(4);
+  });
+});
+
+describe("injectReasonField", () => {
+  test("injects reason on a tool without it", () => {
+    const defs = [makeDef("my_tool")];
+    const result = injectReasonField(defs);
+    const schema = result[0].input_schema as Record<string, unknown>;
+    const props = schema.properties as Record<string, unknown>;
+    expect(props.reason).toEqual({ type: "string" });
+  });
+
+  test("adds reason to required array", () => {
+    const defs = [
+      makeDef("my_tool", {
+        type: "object",
+        properties: { foo: { type: "string" } },
+        required: ["foo"],
+      }),
+    ];
+    const result = injectReasonField(defs);
+    const schema = result[0].input_schema as Record<string, unknown>;
+    expect(schema.required).toEqual(["foo", "reason"]);
+  });
+
+  test("creates required array if missing", () => {
+    const defs = [
+      makeDef("my_tool", {
+        type: "object",
+        properties: { foo: { type: "string" } },
+      }),
+    ];
+    const result = injectReasonField(defs);
+    const schema = result[0].input_schema as Record<string, unknown>;
+    expect(schema.required).toEqual(["reason"]);
+  });
+
+  test("skips tools in skip set (returns unchanged)", () => {
+    const defs = [makeDef("bash"), makeDef("host_bash")];
+    const result = injectReasonField(defs);
+    // Should be the exact same object references
+    expect(Object.is(result[0], defs[0])).toBe(true);
+    expect(Object.is(result[1], defs[1])).toBe(true);
+    // No reason injected
+    const schema0 = result[0].input_schema as Record<string, unknown>;
+    const props0 = schema0.properties as Record<string, unknown>;
+    expect("reason" in props0).toBe(false);
+  });
+
+  test("skips tools that already have reason in properties", () => {
+    const defs = [
+      makeDef("my_tool", {
+        type: "object",
+        properties: { reason: { type: "number" } },
+        required: [],
+      }),
+    ];
+    const result = injectReasonField(defs);
+    // Should be the exact same object reference (no clone needed)
+    expect(Object.is(result[0], defs[0])).toBe(true);
+    const schema = result[0].input_schema as Record<string, unknown>;
+    const props = schema.properties as Record<string, unknown>;
+    // Original reason type preserved
+    expect(props.reason).toEqual({ type: "number" });
+  });
+
+  test("does NOT mutate original definition objects", () => {
+    const originalProps = { foo: { type: "string" } };
+    const originalRequired = ["foo"];
+    const originalSchema = {
+      type: "object",
+      properties: originalProps,
+      required: originalRequired,
+    };
+    const defs = [makeDef("my_tool", originalSchema)];
+
+    const result = injectReasonField(defs);
+
+    // Original properties object is untouched
+    expect("reason" in originalProps).toBe(false);
+    // Original required array is untouched
+    expect(originalRequired).toEqual(["foo"]);
+    // Original schema properties ref is the same object
+    expect(Object.is(originalSchema.properties, originalProps)).toBe(true);
+
+    // Result has different object refs
+    const resultSchema = result[0].input_schema as Record<string, unknown>;
+    expect(Object.is(resultSchema, originalSchema)).toBe(false);
+    expect(Object.is(resultSchema.properties, originalProps)).toBe(false);
+    expect(Object.is(resultSchema.required, originalRequired)).toBe(false);
+  });
+
+  test("passes through non-object schemas unchanged", () => {
+    const defs = [makeDef("my_tool", { type: "string" })];
+    const result = injectReasonField(defs);
+    expect(Object.is(result[0], defs[0])).toBe(true);
+  });
+
+  test("passes through schemas without properties unchanged", () => {
+    const defs = [makeDef("my_tool", { type: "object" })];
+    const result = injectReasonField(defs);
+    expect(Object.is(result[0], defs[0])).toBe(true);
+  });
+
+  test("skips tools with reason defined inside allOf member (composite schema)", () => {
+    const defs = [
+      makeDef("my_tool", {
+        type: "object",
+        properties: { foo: { type: "string" } },
+        allOf: [
+          {
+            properties: { reason: { type: "string" } },
+          },
+        ],
+        required: [],
+      }),
+    ];
+    const result = injectReasonField(defs);
+    // Should be the exact same object reference (no injection)
+    expect(Object.is(result[0], defs[0])).toBe(true);
+    const schema = result[0].input_schema as Record<string, unknown>;
+    const props = schema.properties as Record<string, unknown>;
+    // Top-level properties should NOT have reason injected
+    expect("reason" in props).toBe(false);
+  });
+
+  test("handles empty definitions array", () => {
+    const result = injectReasonField([]);
+    expect(result).toEqual([]);
+  });
+});
+
+describe("schemaDefinesProperty", () => {
+  test("returns true for direct properties match", () => {
+    const schema = {
+      type: "object",
+      properties: { reason: { type: "string" } },
+    };
+    expect(schemaDefinesProperty(schema, "reason")).toBe(true);
+  });
+
+  test("returns true for property in allOf member", () => {
+    const schema = {
+      allOf: [{ properties: { reason: { type: "string" } } }],
+    };
+    expect(schemaDefinesProperty(schema, "reason")).toBe(true);
+  });
+
+  test("returns true for property in oneOf member", () => {
+    const schema = {
+      oneOf: [
+        { properties: { foo: { type: "string" } } },
+        { properties: { reason: { type: "string" } } },
+      ],
+    };
+    expect(schemaDefinesProperty(schema, "reason")).toBe(true);
+  });
+
+  test("returns true for property in anyOf member", () => {
+    const schema = {
+      anyOf: [{ properties: { reason: { type: "string" } } }],
+    };
+    expect(schemaDefinesProperty(schema, "reason")).toBe(true);
+  });
+
+  test("returns true for nested allOf within oneOf", () => {
+    const schema = {
+      oneOf: [
+        {
+          allOf: [{ properties: { reason: { type: "string" } } }],
+        },
+      ],
+    };
+    expect(schemaDefinesProperty(schema, "reason")).toBe(true);
+  });
+
+  test("returns false when property not defined", () => {
+    const schema = {
+      type: "object",
+      properties: { foo: { type: "string" } },
+    };
+    expect(schemaDefinesProperty(schema, "reason")).toBe(false);
+  });
+
+  test("returns false for $ref (fail-closed)", () => {
+    const schema = { $ref: "#/definitions/Foo" };
+    expect(schemaDefinesProperty(schema, "reason")).toBe(false);
+  });
+
+  test("returns false for null schema", () => {
+    expect(schemaDefinesProperty(null, "reason")).toBe(false);
+  });
+
+  test("returns false for undefined schema", () => {
+    expect(schemaDefinesProperty(undefined, "reason")).toBe(false);
+  });
+
+  test("returns false for non-object schema", () => {
+    expect(schemaDefinesProperty("not-an-object", "reason")).toBe(false);
+    expect(schemaDefinesProperty(42, "reason")).toBe(false);
+    expect(schemaDefinesProperty(true, "reason")).toBe(false);
+  });
+});

package/src/__tests__/script-proxy-injection-runtime.test.ts

@@ -1,6 +1,7 @@
 import * as http from "node:http";
 import { afterEach, describe, expect, mock, test } from "bun:test";
 
+import { credentialKey } from "../security/credential-key.js";
 import type { CredentialMetadata } from "../tools/credentials/metadata-store.js";
 import type { CredentialInjectionTemplate } from "../tools/credentials/policy-types.js";
 import type { ResolvedCredential } from "../tools/credentials/resolve.js";
@@ -82,7 +83,7 @@ function makeResolved(
     credentialId,
     service,
     field,
-    storageKey: `credential:${service}:${field}`,
+    storageKey: credentialKey(service, field),
     injectionTemplates: templates,
     metadata: {
       credentialId,
@@ -154,7 +155,7 @@ describe("policyCallback credential injection", () => {
       resolveByIdResults.set("cred-local", resolved);
       credentialMetadataList.push(resolved.metadata);
       secureKeyValues.set(
-        "credential:test-service:api-key",
+        credentialKey("test-service", "api-key"),
         "fal_secretvalue123",
       );
 
@@ -194,7 +195,10 @@ describe("policyCallback credential injection", () => {
       const resolved = makeResolved("cred-bearer", [tpl]);
       resolveByIdResults.set("cred-bearer", resolved);
       credentialMetadataList.push(resolved.metadata);
-      secureKeyValues.set("credential:test-service:api-key", "tok_abc123");
+      secureKeyValues.set(
+        credentialKey("test-service", "api-key"),
+        "tok_abc123",
+      );
 
       const session = createSession(
         CONV_ID,
@@ -311,7 +315,7 @@ describe("MITM rewriteCallback credential injection", () => {
     const tpl = makeTemplate("*.fal.ai", "authorization", "Key ");
     const resolved = makeResolved("cred-fal", [tpl]);
     resolveByIdResults.set("cred-fal", resolved);
-    secureKeyValues.set("credential:test-service:api-key", "fal_secret");
+    secureKeyValues.set(credentialKey("test-service", "api-key"), "fal_secret");
 
     const templates = new Map([["cred-fal", [tpl]]]);
     const headers: Record<string, string> = {
@@ -350,7 +354,7 @@ describe("MITM rewriteCallback credential injection", () => {
 
     const tpl = makeTemplate("*.fal.ai", "authorization", "Key ");
     resolveByIdResults.set("cred-fal", makeResolved("cred-fal", [tpl]));
-    secureKeyValues.set("credential:test-service:api-key", "fal_secret");
+    secureKeyValues.set(credentialKey("test-service", "api-key"), "fal_secret");
 
     const templates = new Map([["cred-fal", [tpl]]]);
     const headers: Record<string, string> = {
@@ -479,8 +483,8 @@ describe("composeWith injection", () => {
       );
       resolveByServiceFieldResults.set("twilio:auth_token", composedResolved);
 
-      secureKeyValues.set("credential:twilio:account_sid", "ACtest123");
-      secureKeyValues.set("credential:twilio:auth_token", "secret456");
+      secureKeyValues.set(credentialKey("twilio", "account_sid"), "ACtest123");
+      secureKeyValues.set(credentialKey("twilio", "auth_token"), "secret456");
 
       const session = createSession(
         CONV_ID,
@@ -531,7 +535,7 @@ describe("composeWith injection", () => {
       );
       resolveByIdResults.set("cred-primary", primaryResolved);
       credentialMetadataList.push(primaryResolved.metadata);
-      secureKeyValues.set("credential:twilio:account_sid", "ACtest123");
+      secureKeyValues.set(credentialKey("twilio", "account_sid"), "ACtest123");
 
       // Do NOT register the composed credential in resolveByServiceFieldResults
 
@@ -578,7 +582,10 @@ describe("composeWith injection", () => {
       const resolved = makeResolved("cred-b64", [tpl]);
       resolveByIdResults.set("cred-b64", resolved);
       credentialMetadataList.push(resolved.metadata);
-      secureKeyValues.set("credential:test-service:api-key", "plaintext");
+      secureKeyValues.set(
+        credentialKey("test-service", "api-key"),
+        "plaintext",
+      );
 
       const session = createSession(CONV_ID, ["cred-b64"], undefined, DATA_DIR);
       const started = await startSession(session.id);
@@ -624,7 +631,7 @@ describe("composeWith injection", () => {
       );
       resolveByIdResults.set("cred-primary", primaryResolved);
       credentialMetadataList.push(primaryResolved.metadata);
-      secureKeyValues.set("credential:twilio:account_sid", "ACtest123");
+      secureKeyValues.set(credentialKey("twilio", "account_sid"), "ACtest123");
 
       // Composed credential metadata resolves, but no secret value stored
       const composedResolved = makeResolved(
@@ -634,7 +641,7 @@ describe("composeWith injection", () => {
         "auth_token",
       );
       resolveByServiceFieldResults.set("twilio:auth_token", composedResolved);
-      // Do NOT set secureKeyValues for "credential:twilio:auth_token"
+      // Do NOT set secureKeyValues for credentialKey("twilio", "auth_token")
 
       const session = createSession(
         CONV_ID,
@@ -700,8 +707,11 @@ describe("composeWith injection", () => {
         composedResolved,
       );
 
-      secureKeyValues.set("credential:my-service:primary-key", "value1");
-      secureKeyValues.set("credential:my-service:secondary-key", "value2");
+      secureKeyValues.set(credentialKey("my-service", "primary-key"), "value1");
+      secureKeyValues.set(
+        credentialKey("my-service", "secondary-key"),
+        "value2",
+      );
 
       const session = createSession(
         CONV_ID,

package/src/__tests__/script-proxy-policy-runtime.test.ts

@@ -64,7 +64,7 @@ function makeResolved(
     credentialId,
     service: "test-service",
     field: "api-key",
-    storageKey: `credential:test-service:api-key`,
+    storageKey: `credential/test-service/api-key`,
     injectionTemplates: templates,
     metadata: {
       credentialId,

package/src/__tests__/script-proxy-session-manager.test.ts

@@ -56,7 +56,7 @@ function makeResolved(
     credentialId,
     service: "test-service",
     field: "api-key",
-    storageKey: `credential:test-service:api-key`,
+    storageKey: `credential/test-service/api-key`,
     injectionTemplates: templates,
     metadata: {
       credentialId,