@vellumai/assistant 0.4.46 → 0.4.49

package/src/__tests__/skills.test.ts

@@ -60,7 +60,6 @@ mock.module("../util/logger.js", () => ({
   ...realLogger,
   getLogger: () => noopLogger,
   getCliLogger: () => noopLogger,
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
   initLogger: () => {},
   pruneOldLogFiles: () => 0,
@@ -675,15 +674,6 @@ describe("ingress-dependent setup skills declare public-ingress", () => {
     expect(includes).toContain("public-ingress");
   });
 
-  test("google-oauth-setup includes public-ingress", () => {
-    const includes = readSkillIncludes(
-      FIRST_PARTY_SKILLS_DIR,
-      "google-oauth-setup",
-    );
-    expect(includes).toBeDefined();
-    expect(includes).toContain("public-ingress");
-  });
-
   test("slack-oauth-setup includes browser", () => {
     const includes = readSkillIncludes(
       FIRST_PARTY_SKILLS_DIR,
@@ -728,15 +718,16 @@ describe("bundled computer-use skill", () => {
     expect(cuSkill!.disableModelInvocation).toBe(true);
   });
 
-  test("computer-use skill has a valid tool manifest with 12 tools", () => {
+  test("computer-use skill has a valid tool manifest with 11 tools", () => {
     const catalog = loadSkillCatalog();
     const cuSkill = catalog.find((s) => s.id === "computer-use");
     expect(cuSkill).toBeDefined();
     expect(cuSkill!.toolManifest).toBeDefined();
     expect(cuSkill!.toolManifest!.present).toBe(true);
     expect(cuSkill!.toolManifest!.valid).toBe(true);
-    expect(cuSkill!.toolManifest!.toolCount).toBe(10);
+    expect(cuSkill!.toolManifest!.toolCount).toBe(11);
     expect(cuSkill!.toolManifest!.toolNames).toEqual([
+      "computer_use_observe",
       "computer_use_click",
       "computer_use_type_text",
       "computer_use_key",

package/src/__tests__/slack-channel-config.test.ts

@@ -75,13 +75,11 @@ mock.module("../util/logger.js", () => ({
     debug: () => {},
     trace: () => {},
     fatal: () => {},
-    isDebug: () => false,
     child: () => ({
       info: () => {},
       warn: () => {},
       error: () => {},
       debug: () => {},
-      isDebug: () => false,
     }),
   }),
 }));
@@ -116,6 +114,46 @@ mock.module("../security/secure-keys.js", () => {
   };
 });
 
+// Mock oauth-store (getConnectionByProvider)
+let oauthConnectionStore: Record<
+  string,
+  { id: string; status: string; accountInfo?: string | null }
+> = {};
+
+mock.module("../oauth/oauth-store.js", () => ({
+  getConnectionByProvider: (providerKey: string) =>
+    oauthConnectionStore[providerKey] ?? undefined,
+  createConnection: () => ({ id: "test-conn-id" }),
+  updateConnection: () => true,
+  deleteConnection: (id: string) => {
+    for (const [key, conn] of Object.entries(oauthConnectionStore)) {
+      if (conn.id === id) {
+        delete oauthConnectionStore[key];
+        return true;
+      }
+    }
+    return false;
+  },
+  upsertApp: async () => ({ id: "test-app-id" }),
+}));
+
+// Mock manual-token-connection
+mock.module("../oauth/manual-token-connection.js", () => ({
+  ensureManualTokenConnection: async (
+    providerKey: string,
+    accountInfo?: string,
+  ) => {
+    oauthConnectionStore[providerKey] = {
+      id: `conn-${providerKey}`,
+      status: "active",
+      accountInfo: accountInfo ?? null,
+    };
+  },
+  removeManualTokenConnection: (providerKey: string) => {
+    delete oauthConnectionStore[providerKey];
+  },
+}));
+
 // Mock credential metadata store
 let credentialMetadataStore: Array<{
   service: string;
@@ -172,6 +210,7 @@ import {
   getSlackChannelConfig,
   setSlackChannelConfig,
 } from "../daemon/handlers/config-slack-channel.js";
+import { credentialKey } from "../security/credential-key.js";
 
 afterAll(() => {
   globalThis.fetch = originalFetch;
@@ -186,6 +225,7 @@ describe("Slack channel config handler", () => {
   beforeEach(() => {
     secureKeyStore = {};
     credentialMetadataStore = [];
+    oauthConnectionStore = {};
     configStore = {};
     globalThis.fetch = originalFetch;
   });
@@ -198,9 +238,13 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(false);
   });
 
-  test("GET returns connected: true when both tokens are set", () => {
-    secureKeyStore["credential:slack_channel:bot_token"] = "xoxb-test";
-    secureKeyStore["credential:slack_channel:app_token"] = "xapp-test";
+  test("GET returns connected: true when oauth_connection is active and both keys exist", () => {
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
 
     const result = getSlackChannelConfig();
     expect(result.success).toBe(true);
@@ -209,8 +253,29 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(true);
   });
 
+  test("GET reports per-field token presence independently of connection row", () => {
+    // Only bot_token in keychain, no app_token, but connection row exists
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+
+    const result = getSlackChannelConfig();
+    expect(result.success).toBe(true);
+    expect(result.hasBotToken).toBe(true);
+    expect(result.hasAppToken).toBe(false);
+    // connected requires both keys AND connection row
+    expect(result.connected).toBe(false);
+  });
+
   test("GET returns metadata from config when available", () => {
-    secureKeyStore["credential:slack_channel:bot_token"] = "xoxb-test";
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
     configStore = {
       slack: {
         teamId: "T123",
@@ -240,7 +305,7 @@ describe("Slack channel config handler", () => {
     );
     expect(result.success).toBe(true);
     expect(result.hasAppToken).toBe(true);
-    expect(secureKeyStore["credential:slack_channel:app_token"]).toBe(
+    expect(secureKeyStore[credentialKey("slack_channel", "app_token")]).toBe(
       "xapp-valid-token-123",
     );
   });
@@ -296,8 +361,8 @@ describe("Slack channel config handler", () => {
   });
 
   test("DELETE clears credentials and config", async () => {
-    secureKeyStore["credential:slack_channel:bot_token"] = "xoxb-test";
-    secureKeyStore["credential:slack_channel:app_token"] = "xapp-test";
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
     credentialMetadataStore.push({
       service: "slack_channel",
       field: "bot_token",
@@ -322,10 +387,10 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(false);
 
     expect(
-      secureKeyStore["credential:slack_channel:bot_token"],
+      secureKeyStore[credentialKey("slack_channel", "bot_token")],
     ).toBeUndefined();
     expect(
-      secureKeyStore["credential:slack_channel:app_token"],
+      secureKeyStore[credentialKey("slack_channel", "app_token")],
     ).toBeUndefined();
     expect(credentialMetadataStore).toHaveLength(0);
 

package/src/__tests__/slack-share-routes.test.ts

@@ -10,6 +10,12 @@ mock.module("../security/secure-keys.js", () => ({
   setSecureKeyAsync: async () => {},
 }));
 
+let connectionByProvider: Record<string, unknown> = {};
+mock.module("../oauth/oauth-store.js", () => ({
+  getConnectionByProvider: (key: string) =>
+    connectionByProvider[key] ?? undefined,
+}));
+
 let listConversationsResult: unknown = { ok: true, channels: [] };
 let postMessageResult: unknown = {
   ok: true,
@@ -84,6 +90,7 @@ function makeRequest(body: unknown): Request {
 
 beforeEach(() => {
   secureKeyValues.clear();
+  connectionByProvider = {};
   listConversationsResult = { ok: true, channels: [] };
   userInfoResults = new Map();
   appStoreResult = null;
@@ -104,8 +111,9 @@ describe("handleListSlackChannels", () => {
   });
 
   test("returns channels sorted by type then name", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
 
@@ -174,15 +182,6 @@ describe("handleListSlackChannels", () => {
       isPrivate: true,
     });
   });
-
-  test("falls back to legacy bot token", async () => {
-    secureKeyValues.set("credential:slack_channel:bot_token", "xoxb-legacy");
-
-    listConversationsResult = { ok: true, channels: [] };
-
-    const res = await handleListSlackChannels();
-    expect(res.status).toBe(200);
-  });
 });
 
 describe("handleShareToSlackChannel", () => {
@@ -193,8 +192,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 for malformed JSON", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     const req = new Request("http://localhost/v1/slack/share", {
@@ -207,8 +207,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 when missing required fields", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     const req = makeRequest({ appId: "app1" });
@@ -219,8 +220,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 404 when app not found", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     appStoreResult = null;
@@ -230,8 +232,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("posts message and returns success", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      "credential:integration:slack:access_token",
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     appStoreResult = {

package/src/__tests__/system-prompt.test.ts

@@ -53,7 +53,6 @@ mock.module("../util/logger.js", () => ({
   ...realLogger,
   getLogger: () => noopLogger,
   getCliLogger: () => noopLogger,
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
   initLogger: () => {},
   pruneOldLogFiles: () => 0,

package/src/__tests__/telegram-bot-username-resolution.test.ts

@@ -38,6 +38,9 @@ mock.module("../config/loader.js", () => ({
 
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (_keyId: string) => mockSecureKey,
+  setSecureKey: (_account: string, _value: string) => true,
+  deleteSecureKey: (_account: string) => "deleted" as const,
+  listSecureKeys: () => [] as string[],
 }));
 
 // Suppress logger output during tests

package/src/__tests__/telegram-invite-adapter.test.ts

@@ -7,44 +7,42 @@
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
 import type { ChannelId } from "../channels/types.js";
-import { telegramInviteAdapter } from "../runtime/channel-invite-transports/telegram.js";
 
 // Mock credential metadata so tests don't depend on local persisted state.
 mock.module("../tools/credentials/metadata-store.js", () => ({
   getCredentialMetadata: () => undefined,
 }));
 
+// Mock getTelegramBotUsername — the env var fallback was removed so we
+// control the return value directly via a mutable variable.
+let mockBotUsername: string | undefined;
+mock.module("../telegram/bot-username.js", () => ({
+  getTelegramBotUsername: () => mockBotUsername,
+}));
+
+import { telegramInviteAdapter } from "../runtime/channel-invite-transports/telegram.js";
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 
 const CHANNEL: ChannelId = "telegram" as ChannelId;
 
-function setEnv(key: string, value: string | undefined) {
-  if (value === undefined) {
-    delete process.env[key];
-  } else {
-    process.env[key] = value;
-  }
-}
-
 // ---------------------------------------------------------------------------
 // buildShareLink
 // ---------------------------------------------------------------------------
 
 describe("telegramInviteAdapter.buildShareLink", () => {
-  let originalBotUsername: string | undefined;
-
   beforeEach(() => {
-    originalBotUsername = process.env.TELEGRAM_BOT_USERNAME;
+    mockBotUsername = undefined;
   });
 
   afterEach(() => {
-    setEnv("TELEGRAM_BOT_USERNAME", originalBotUsername);
+    mockBotUsername = undefined;
   });
 
   test("builds a deep link with iv_ prefix", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", "TestBot");
+    mockBotUsername = "TestBot";
 
     const link = telegramInviteAdapter.buildShareLink!({
       rawToken: "abc123",
@@ -56,7 +54,7 @@ describe("telegramInviteAdapter.buildShareLink", () => {
   });
 
   test("throws when bot username is not configured", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", undefined);
+    mockBotUsername = undefined;
 
     expect(() =>
       telegramInviteAdapter.buildShareLink!({
@@ -138,25 +136,23 @@ describe("telegramInviteAdapter.extractInboundToken", () => {
 // ---------------------------------------------------------------------------
 
 describe("telegramInviteAdapter.resolveChannelHandle", () => {
-  let originalBotUsername: string | undefined;
-
   beforeEach(() => {
-    originalBotUsername = process.env.TELEGRAM_BOT_USERNAME;
+    mockBotUsername = undefined;
   });
 
   afterEach(() => {
-    setEnv("TELEGRAM_BOT_USERNAME", originalBotUsername);
+    mockBotUsername = undefined;
   });
 
-  test("returns @-prefixed bot username from env", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", "MyBot");
+  test("returns @-prefixed bot username from config", () => {
+    mockBotUsername = "MyBot";
 
     const handle = telegramInviteAdapter.resolveChannelHandle!();
     expect(handle).toBe("@MyBot");
   });
 
   test("returns undefined when bot username is not configured", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", undefined);
+    mockBotUsername = undefined;
 
     const handle = telegramInviteAdapter.resolveChannelHandle!();
     expect(handle).toBeUndefined();

package/src/__tests__/terminal-tools.test.ts

@@ -457,10 +457,10 @@ describe("buildSanitizedEnv", () => {
   });
 
   test("injects INTERNAL_GATEWAY_BASE_URL from gateway config", () => {
-    process.env.GATEWAY_INTERNAL_BASE_URL = "http://gateway.internal:9000/";
+    process.env.GATEWAY_PORT = "9000";
     const env = buildSanitizedEnv();
-    expect(env.INTERNAL_GATEWAY_BASE_URL).toBe("http://gateway.internal:9000");
-    delete process.env.GATEWAY_INTERNAL_BASE_URL;
+    expect(env.INTERNAL_GATEWAY_BASE_URL).toBe("http://127.0.0.1:9000");
+    delete process.env.GATEWAY_PORT;
   });
 
   test("result is a plain object with no prototype-inherited secrets", () => {
@@ -485,6 +485,7 @@ describe("buildSanitizedEnv", () => {
       "SSH_AGENT_PID",
       "GPG_TTY",
       "GNUPGHOME",
+      "VELLUM_DEV",
       "INTERNAL_GATEWAY_BASE_URL",
       "VELLUM_DATA_DIR",
     ];

package/src/__tests__/test-support/computer-use-skill-harness.ts

@@ -2,8 +2,9 @@
  * Reusable constants and helpers for the computer-use skill migration test suite.
  */
 
-/** The 10 computer_use_* action tool names provided by the bundled computer-use skill. */
+/** The 11 computer_use_* action tool names provided by the bundled computer-use skill. */
 export const COMPUTER_USE_TOOL_NAMES = [
+  "computer_use_observe",
   "computer_use_click",
   "computer_use_type_text",
   "computer_use_key",
@@ -20,7 +21,7 @@ export const COMPUTER_USE_TOOL_NAMES = [
 export const COMPUTER_USE_SKILL_ID = "computer-use";
 
 /** Number of computer_use_* tools. */
-export const COMPUTER_USE_TOOL_COUNT = COMPUTER_USE_TOOL_NAMES.length; // 10
+export const COMPUTER_USE_TOOL_COUNT = COMPUTER_USE_TOOL_NAMES.length; // 11
 
 import { expect } from "bun:test";
 

package/src/__tests__/tool-approval-handler.test.ts

@@ -21,7 +21,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-execution-pipeline.benchmark.test.ts

@@ -44,7 +44,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
 }));
 
 // Allow toggling between no-rule and matched-rule paths

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -59,7 +59,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-executor-shell-integration.test.ts

@@ -68,7 +68,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-executor.test.ts

@@ -103,7 +103,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-grant-request-escalation.test.ts

@@ -31,7 +31,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/trust-store-pattern-matches.test.ts

@@ -0,0 +1,29 @@
+import { describe, expect, test } from "bun:test";
+
+import { patternMatchesCandidate } from "../permissions/trust-store.js";
+
+describe("patternMatchesCandidate", () => {
+  test("exact match", () => {
+    expect(patternMatchesCandidate("bash:git commit", "bash:git commit")).toBe(
+      true,
+    );
+  });
+
+  test("glob match", () => {
+    expect(patternMatchesCandidate("bash:git *", "bash:git commit")).toBe(true);
+  });
+
+  test("no match", () => {
+    expect(patternMatchesCandidate("bash:git *", "file_write:/foo")).toBe(
+      false,
+    );
+  });
+
+  test("globstar matches anything", () => {
+    expect(patternMatchesCandidate("**", "bash:anything")).toBe(true);
+  });
+
+  test("invalid pattern returns false", () => {
+    expect(patternMatchesCandidate("[", "bash:anything")).toBe(false);
+  });
+});

package/src/__tests__/trust-store.test.ts

@@ -778,7 +778,6 @@ describe("Trust Store", () => {
         "computer_use_drag",
         "computer_use_key",
         "computer_use_open_app",
-        "computer_use_request_control",
         "computer_use_run_applescript",
         "computer_use_scroll",
         "computer_use_type_text",
@@ -901,22 +900,6 @@ describe("Trust Store", () => {
       );
     });
 
-    test("findHighestPriorityRule matches default ask for computer_use_request_control", () => {
-      const match = findHighestPriorityRule(
-        "computer_use_request_control",
-        ["computer_use_request_control:"],
-        "/tmp",
-      );
-      expect(match).not.toBeNull();
-      expect(match!.id).toBe("default:ask-computer_use_request_control-global");
-      expect(match!.decision).toBe("ask");
-      expect(match!.priority).toBe(
-        DEFAULT_PRIORITY_BY_ID.get(
-          "default:ask-computer_use_request_control-global",
-        )!,
-      );
-    });
-
     test("bootstrap delete rule matches only when workingDir is the workspace dir", () => {
       const workspaceDir = join(testDir, "workspace");
       // Should match when workingDir is the workspace directory — the bootstrap
@@ -1755,11 +1738,7 @@ describe("computer-use tool trust rule matching", () => {
   test("actionable CU tools have default ask trust rules", () => {
     // Actionable CU tools (those that perform screen interactions) should
     // have default "ask" rules so strict mode prompts before use.
-    const actionableCuTools = [
-      "computer_use_click",
-      "computer_use_type_text",
-      "computer_use_request_control",
-    ];
+    const actionableCuTools = ["computer_use_click", "computer_use_type_text"];
 
     for (const name of actionableCuTools) {
       const rule = findHighestPriorityRule(name, [name], "/tmp/test");

package/src/__tests__/trusted-contact-approval-notifier.test.ts

@@ -42,7 +42,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/trusted-contact-inline-approval-integration.test.ts

@@ -45,7 +45,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/twilio-config.test.ts

@@ -26,11 +26,12 @@ mock.module("../inbound/public-ingress-urls.js", () => ({
 }));
 
 import { getTwilioConfig } from "../calls/twilio-config.js";
+import { credentialKey } from "../security/credential-key.js";
 
 describe("twilio-config", () => {
   beforeEach(() => {
     mockSecureKeys = {
-      "credential:twilio:auth_token": "test_auth_token",
+      [credentialKey("twilio", "auth_token")]: "test_auth_token",
     };
     mockLoadConfigResult = {
       twilio: {

package/src/__tests__/twilio-provider.test.ts

@@ -8,6 +8,8 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
+import { credentialKey } from "../security/credential-key.js";
+
 const testDir = mkdtempSync(join(tmpdir(), "twilio-provider-test-"));
 
 mock.module("../util/platform.js", () => ({
@@ -40,8 +42,8 @@ mock.module("../config/loader.js", () => ({
 
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (key: string) => {
-    if (key === "credential:twilio:auth_token") return mockAuthToken;
-    if (key === "credential:twilio:account_sid") return mockAccountSid;
+    if (key === credentialKey("twilio", "auth_token")) return mockAuthToken;
+    if (key === credentialKey("twilio", "account_sid")) return mockAccountSid;
     return undefined;
   },
 }));