@vellumai/assistant 0.4.46 → 0.4.49

package/src/__tests__/media-generate-image.test.ts

@@ -17,6 +17,7 @@ let mockGenerateResult = {
   resolvedModel: "gemini-2.5-flash-image",
 };
 let mockGenerateError: Error | null = null;
+let lastGenerateCredentials: unknown = null;
 
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
@@ -27,7 +28,11 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../media/gemini-image-service.js", () => ({
-  generateImage: async (_apiKey: string, _request: Record<string, unknown>) => {
+  generateImage: async (
+    credentials: unknown,
+    _request: Record<string, unknown>,
+  ) => {
+    lastGenerateCredentials = credentials;
     if (mockGenerateError) throw mockGenerateError;
     return mockGenerateResult;
   },
@@ -37,6 +42,18 @@ mock.module("../media/gemini-image-service.js", () => ({
   },
 }));
 
+let mockManagedBaseUrl: string | undefined;
+let mockManagedProxyContext = {
+  enabled: false,
+  platformBaseUrl: "",
+  assistantApiKey: "",
+};
+
+mock.module("../providers/managed-proxy/context.js", () => ({
+  buildManagedBaseUrl: () => mockManagedBaseUrl,
+  resolveManagedProxyContext: () => mockManagedProxyContext,
+}));
+
 let mockAttachments: Array<{
   id: string;
   assistantId: string;
@@ -138,6 +155,13 @@ beforeEach(() => {
   };
   mockGenerateError = null;
   mockAttachments = [];
+  lastGenerateCredentials = null;
+  mockManagedBaseUrl = undefined;
+  mockManagedProxyContext = {
+    enabled: false,
+    platformBaseUrl: "",
+    assistantApiKey: "",
+  };
 });
 
 const fakeContext = {
@@ -153,7 +177,7 @@ describe("image-studio skill script wrapper", () => {
     expect(getTool("media_generate_image")).toBeUndefined();
   });
 
-  test("returns error when no API key is configured", async () => {
+  test("returns error when no API key and no managed proxy", async () => {
     mockApiKey = undefined;
 
     const result = await run({ prompt: "a cat" }, fakeContext);
@@ -162,6 +186,43 @@ describe("image-studio skill script wrapper", () => {
     expect(result.content).toContain("No Gemini API key");
   });
 
+  test("falls back to managed proxy when no API key is configured", async () => {
+    mockApiKey = undefined;
+    mockManagedBaseUrl = "https://platform.example.com/v1/runtime-proxy/vertex";
+    mockManagedProxyContext = {
+      enabled: true,
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "managed-key-123",
+    };
+
+    const result = await run({ prompt: "a hippo" }, fakeContext);
+
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Generated 1 image");
+    expect(lastGenerateCredentials).toEqual({
+      type: "managed-proxy",
+      assistantApiKey: "managed-key-123",
+      baseUrl: "https://platform.example.com/v1/runtime-proxy/vertex",
+    });
+  });
+
+  test("prefers direct API key over managed proxy", async () => {
+    mockApiKey = "direct-key";
+    mockManagedBaseUrl = "https://platform.example.com/v1/runtime-proxy/vertex";
+    mockManagedProxyContext = {
+      enabled: true,
+      platformBaseUrl: "https://platform.example.com",
+      assistantApiKey: "managed-key-123",
+    };
+
+    await run({ prompt: "a cat" }, fakeContext);
+
+    expect(lastGenerateCredentials).toEqual({
+      type: "direct",
+      apiKey: "direct-key",
+    });
+  });
+
   test("returns generated image with contentBlocks", async () => {
     const result = await run({ prompt: "a sunset" }, fakeContext);
 

package/src/__tests__/media-reuse-story.e2e.test.ts

@@ -62,6 +62,7 @@ mock.module("../config/loader.js", () => ({
 
 // Credential resolver and secure key mocks — must be set up before
 // session-manager is imported so the proxy uses our test data.
+import { credentialKey } from "../security/credential-key.js";
 import type { ResolvedCredential } from "../tools/credentials/resolve.js";
 
 let resolveByIdResults = new Map<string, ResolvedCredential | undefined>();
@@ -154,7 +155,7 @@ function makeResolved(
     credentialId,
     service,
     field,
-    storageKey: `credential:${service}:${field}`,
+    storageKey: credentialKey(service, field),
     injectionTemplates: templates,
     metadata: {
       credentialId,
@@ -357,7 +358,10 @@ describe("Story E2E: selfie yesterday -> generated image today", () => {
       };
       const resolved = makeResolved("cred-story", [tpl]);
       resolveByIdResults.set("cred-story", resolved);
-      secureKeyValues.set("credential:test-service:api-key", "fal_test_secret");
+      secureKeyValues.set(
+        credentialKey("test-service", "api-key"),
+        "fal_test_secret",
+      );
 
       // Drive the proxy step through the bash tool — the actual integration path.
       // -x "$HTTP_PROXY" forces curl to use the proxy explicitly (macOS curl
@@ -381,7 +385,7 @@ describe("Story E2E: selfie yesterday -> generated image today", () => {
 
       await stopAllSessions();
       resolveByIdResults.delete("cred-story");
-      secureKeyValues.delete("credential:test-service:api-key");
+      secureKeyValues.delete(credentialKey("test-service", "api-key"));
     } finally {
       echo.server.close();
     }

package/src/__tests__/messaging-send-tool.test.ts

@@ -2,6 +2,7 @@ import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 import type { MessagingProvider } from "../messaging/provider.js";
 import type { SendOptions } from "../messaging/provider-types.js";
+import type { OAuthConnection } from "../oauth/connection.js";
 
 const sendMessageMock = mock(async (..._args: unknown[]) => ({
   id: "msg-1",
@@ -23,19 +24,16 @@ const provider: MessagingProvider = {
   getHistory: async () => [],
   search: async () => ({ total: 0, messages: [], hasMore: false }),
   sendMessage: (
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     options?: SendOptions,
-  ) => sendMessageMock(token, conversationId, text, options),
+  ) => sendMessageMock(connectionOrToken, conversationId, text, options),
 };
 
 mock.module("../config/bundled-skills/messaging/tools/shared.js", () => ({
   resolveProvider: () => provider,
-  withProviderToken: async (
-    _provider: MessagingProvider,
-    fn: (token: string) => Promise<unknown>,
-  ) => fn("provider-token"),
+  getProviderConnection: () => "provider-token",
   ok: (content: string) => ({ content, isError: false }),
   err: (content: string) => ({ content, isError: true }),
   extractHeader: () => "",

package/src/__tests__/notification-routing-intent.test.ts

@@ -13,7 +13,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
 }));
 

package/src/__tests__/oauth-cli.test.ts

@@ -2,6 +2,8 @@ import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 import { Command } from "commander";
 
+import { credentialKey } from "../security/credential-key.js";
+
 // ---------------------------------------------------------------------------
 // Mock state
 // ---------------------------------------------------------------------------
@@ -11,6 +13,28 @@ let mockWithValidToken: <T>(
   cb: (token: string) => Promise<T>,
 ) => Promise<T>;
 
+// Disconnect mock state
+let mockListProviders: () => Array<Record<string, unknown>> = () => [];
+let secureKeyStore = new Map<string, string>();
+let metadataStore: Array<{
+  credentialId: string;
+  service: string;
+  field: string;
+  allowedTools: string[];
+  allowedDomains: string[];
+  createdAt: number;
+  updatedAt: number;
+}> = [];
+let disconnectOAuthProviderCalls: string[] = [];
+let disconnectOAuthProviderResult: "disconnected" | "not-found" | "error" =
+  "not-found";
+let idCounter = 0;
+
+function nextUUID(): string {
+  idCounter += 1;
+  return `00000000-0000-0000-0000-${String(idCounter).padStart(12, "0")}`;
+}
+
 // ---------------------------------------------------------------------------
 // Mock token-manager
 // ---------------------------------------------------------------------------
@@ -32,19 +56,77 @@ mock.module("../security/token-manager.js", () => ({
   },
 }));
 
+// ---------------------------------------------------------------------------
+// Mock oauth-store (stateful for disconnect tests)
+// ---------------------------------------------------------------------------
+
+mock.module("../oauth/oauth-store.js", () => ({
+  disconnectOAuthProvider: async (
+    providerKey: string,
+  ): Promise<"disconnected" | "not-found" | "error"> => {
+    disconnectOAuthProviderCalls.push(providerKey);
+    return disconnectOAuthProviderResult;
+  },
+  getConnection: () => undefined,
+  getConnectionByProvider: () => undefined,
+  listConnections: () => [],
+  deleteConnection: () => false,
+  // Stubs required by apps.ts and providers.ts (transitively loaded via oauth/index.ts)
+  upsertApp: async () => ({}),
+  getApp: () => undefined,
+  getAppByProviderAndClientId: () => undefined,
+  getMostRecentAppByProvider: () => undefined,
+  listApps: () => [],
+  deleteApp: async () => false,
+  getProvider: () => undefined,
+  listProviders: () => mockListProviders(),
+  registerProvider: () => ({}),
+  seedProviders: () => {},
+  createConnection: () => ({}),
+  isProviderConnected: () => false,
+  updateConnection: () => ({}),
+}));
+
 // Stub out transitive dependencies that token-manager would normally pull in
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: () => undefined,
   setSecureKey: () => true,
   getSecureKeyAsync: async () => undefined,
   setSecureKeyAsync: async () => true,
-  deleteSecureKey: () => "not-found",
+  deleteSecureKey: (account: string) => {
+    if (secureKeyStore.has(account)) {
+      secureKeyStore.delete(account);
+      return "deleted" as const;
+    }
+    return "not-found" as const;
+  },
+  deleteSecureKeyAsync: async (account: string) => {
+    if (secureKeyStore.has(account)) {
+      secureKeyStore.delete(account);
+      return "deleted" as const;
+    }
+    return "not-found" as const;
+  },
+  listSecureKeys: () => [...secureKeyStore.keys()],
+  getBackendType: () => "encrypted",
+  isDowngradedFromKeychain: () => false,
+  _resetBackend: () => {},
+  _setBackend: () => {},
 }));
 
 mock.module("../tools/credentials/metadata-store.js", () => ({
+  assertMetadataWritable: () => {},
   getCredentialMetadata: () => undefined,
   upsertCredentialMetadata: () => ({}),
   listCredentialMetadata: () => [],
+  deleteCredentialMetadata: (service: string, field: string): boolean => {
+    const idx = metadataStore.findIndex(
+      (c) => c.service === service && c.field === field,
+    );
+    if (idx === -1) return false;
+    metadataStore.splice(idx, 1);
+    return true;
+  },
 }));
 
 mock.module("../util/logger.js", () => ({
@@ -66,7 +148,7 @@ mock.module("../util/logger.js", () => ({
 // Import the module under test (after mocks are registered)
 // ---------------------------------------------------------------------------
 
-const { registerOAuthCommand } = await import("../cli/commands/oauth.js");
+const { registerOAuthCommand } = await import("../cli/commands/oauth/index.js");
 
 // ---------------------------------------------------------------------------
 // Test helper
@@ -117,43 +199,61 @@ async function runCli(
 // Tests
 // ---------------------------------------------------------------------------
 
-describe("assistant oauth token", () => {
+describe("assistant oauth connections token <provider-key>", () => {
   beforeEach(() => {
     mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
   });
 
   test("prints bare token in human mode", async () => {
-    const { exitCode, stdout } = await runCli(["token", "twitter"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+    ]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("mock-access-token-xyz\n");
   });
 
   test("prints JSON in --json mode", async () => {
-    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+      "--json",
+    ]);
     expect(exitCode).toBe(0);
     const parsed = JSON.parse(stdout);
     expect(parsed).toEqual({ ok: true, token: "mock-access-token-xyz" });
   });
 
-  test("qualifies service name with integration: prefix", async () => {
+  test("passes provider key directly to withValidToken", async () => {
     let capturedService: string | undefined;
     mockWithValidToken = async (service, cb) => {
       capturedService = service;
       return cb("tok");
     };
 
-    await runCli(["token", "twitter"]);
+    await runCli(["connections", "token", "integration:twitter"]);
     expect(capturedService).toBe("integration:twitter");
   });
 
-  test("works with other service names", async () => {
+  test("works with other provider keys", async () => {
     let capturedService: string | undefined;
     mockWithValidToken = async (service, cb) => {
       capturedService = service;
       return cb("gmail-token");
     };
 
-    const { exitCode, stdout } = await runCli(["token", "gmail"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:gmail",
+    ]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("gmail-token\n");
     expect(capturedService).toBe("integration:gmail");
@@ -166,7 +266,12 @@ describe("assistant oauth token", () => {
       );
     };
 
-    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+      "--json",
+    ]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -180,7 +285,12 @@ describe("assistant oauth token", () => {
       );
     };
 
-    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+      "--json",
+    ]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -191,13 +301,262 @@ describe("assistant oauth token", () => {
     // Simulate withValidToken refreshing and returning a new token
     mockWithValidToken = async (_service, cb) => cb("refreshed-new-token");
 
-    const { exitCode, stdout } = await runCli(["token", "twitter"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+    ]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("refreshed-new-token\n");
   });
 
-  test("missing service argument exits non-zero", async () => {
-    const { exitCode } = await runCli(["token"]);
+  test("missing provider-key argument exits non-zero", async () => {
+    const { exitCode } = await runCli(["connections", "token"]);
     expect(exitCode).not.toBe(0);
   });
 });
+
+// ---------------------------------------------------------------------------
+// disconnect
+// ---------------------------------------------------------------------------
+
+describe("assistant oauth connections disconnect <provider-key>", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
+  });
+
+  test("succeeds when an OAuth connection exists", async () => {
+    disconnectOAuthProviderResult = "disconnected";
+
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(0);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.service).toBe("integration:gmail");
+
+    // disconnectOAuthProvider should have been called with the full provider key
+    expect(disconnectOAuthProviderCalls).toEqual(["integration:gmail"]);
+  });
+
+  test("reports not-found when nothing exists", async () => {
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(1);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("No OAuth connection or credentials");
+    expect(parsed.error).toContain("integration:gmail");
+  });
+
+  test("cleans up legacy credential keys if present", async () => {
+    // Seed legacy credential keys (no OAuth connection)
+    const legacyFields = [
+      "access_token",
+      "refresh_token",
+      "client_id",
+      "client_secret",
+    ];
+    for (const field of legacyFields) {
+      secureKeyStore.set(
+        credentialKey("integration:gmail", field),
+        `legacy_${field}_value`,
+      );
+      metadataStore.push({
+        credentialId: nextUUID(),
+        service: "integration:gmail",
+        field,
+        allowedTools: [],
+        allowedDomains: [],
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      });
+    }
+
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(0);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.service).toBe("integration:gmail");
+
+    // All legacy keys should be removed
+    for (const field of legacyFields) {
+      expect(
+        secureKeyStore.has(credentialKey("integration:gmail", field)),
+      ).toBe(false);
+      expect(
+        metadataStore.find(
+          (m) => m.service === "integration:gmail" && m.field === field,
+        ),
+      ).toBeUndefined();
+    }
+  });
+
+  test("cleans up both OAuth connection and legacy keys when both exist", async () => {
+    // Seed OAuth connection
+    disconnectOAuthProviderResult = "disconnected";
+
+    // Seed a legacy credential key
+    secureKeyStore.set(
+      credentialKey("integration:gmail", "access_token"),
+      "legacy_token",
+    );
+    metadataStore.push({
+      credentialId: nextUUID(),
+      service: "integration:gmail",
+      field: "access_token",
+      allowedTools: [],
+      allowedDomains: [],
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(0);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(true);
+
+    // Both should be cleaned up
+    expect(disconnectOAuthProviderCalls).toEqual(["integration:gmail"]);
+    expect(
+      secureKeyStore.has(credentialKey("integration:gmail", "access_token")),
+    ).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// providers list
+// ---------------------------------------------------------------------------
+
+describe("assistant oauth providers list", () => {
+  const fakeProviders = [
+    {
+      providerKey: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+    {
+      providerKey: "integration:google-calendar",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+    {
+      providerKey: "integration:slack",
+      authUrl: "https://slack.com/oauth/v2/authorize",
+      tokenUrl: "https://slack.com/api/oauth.v2.access",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+    {
+      providerKey: "integration:twitter",
+      authUrl: "https://twitter.com/i/oauth2/authorize",
+      tokenUrl: "https://api.twitter.com/2/oauth2/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+  ];
+
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    mockListProviders = () => fakeProviders;
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
+  });
+
+  test("returns all providers when no --provider-key is given", async () => {
+    const { exitCode, stdout } = await runCli(["providers", "list", "--json"]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(4);
+    const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
+    expect(keys).toContain("integration:gmail");
+    expect(keys).toContain("integration:google-calendar");
+    expect(keys).toContain("integration:slack");
+    expect(keys).toContain("integration:twitter");
+  });
+
+  test("filters by single --provider-key value", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "gmail",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(1);
+    expect(parsed[0].providerKey).toBe("integration:gmail");
+  });
+
+  test("filters by comma-separated OR values", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "gmail,google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(2);
+    const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
+    expect(keys).toContain("integration:gmail");
+    expect(keys).toContain("integration:google-calendar");
+  });
+
+  test("returns empty array when comma-separated filter has no matches", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "notion,linear",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(0);
+  });
+});