@vellumai/assistant 0.4.46 → 0.4.49

package/src/daemon/handlers/config-telegram.ts

@@ -8,6 +8,12 @@ import {
   registerCallbackRoute,
   shouldUsePlatformCallbacks,
 } from "../../inbound/platform-callback-registration.js";
+import {
+  ensureManualTokenConnection,
+  removeManualTokenConnection,
+} from "../../oauth/manual-token-connection.js";
+import { getConnectionByProvider } from "../../oauth/oauth-store.js";
+import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
   getSecureKey,
@@ -60,14 +66,18 @@ export type TelegramConfigResult = Omit<TelegramConfigResponse, "type">;
 // -- Extracted business logic functions --
 
 export function getTelegramConfig(): TelegramConfigResult {
-  const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
-  const hasWebhookSecret = !!getSecureKey("credential:telegram:webhook_secret");
+  const hasBotToken = !!getSecureKey(credentialKey("telegram", "bot_token"));
+  const hasWebhookSecret = !!getSecureKey(
+    credentialKey("telegram", "webhook_secret"),
+  );
+  const conn = getConnectionByProvider("telegram");
+  const connected = !!(conn && conn.status === "active");
   const botUsername = getTelegramBotUsername();
   return {
     success: true,
     hasBotToken,
     botUsername,
-    connected: hasBotToken && hasWebhookSecret,
+    connected: connected && hasBotToken && hasWebhookSecret,
     hasWebhookSecret,
   };
 }
@@ -79,7 +89,7 @@ export async function setTelegramConfig(
   // Track provenance so we only rollback tokens that were freshly provided.
   const isNewToken = !!botToken;
   const resolvedToken =
-    botToken || getSecureKey("credential:telegram:bot_token");
+    botToken || getSecureKey(credentialKey("telegram", "bot_token"));
   if (!resolvedToken) {
     return {
       success: false,
@@ -133,7 +143,7 @@ export async function setTelegramConfig(
 
   // Store bot token securely (async — writes broker + encrypted store)
   const stored = await setSecureKeyAsync(
-    "credential:telegram:bot_token",
+    credentialKey("telegram", "bot_token"),
     resolvedToken,
   );
   if (!stored) {
@@ -156,12 +166,14 @@ export async function setTelegramConfig(
   invalidateConfigCache();
 
   // Ensure webhook secret exists (generate if missing)
-  let hasWebhookSecret = !!getSecureKey("credential:telegram:webhook_secret");
+  let hasWebhookSecret = !!getSecureKey(
+    credentialKey("telegram", "webhook_secret"),
+  );
   if (!hasWebhookSecret) {
     const { randomUUID } = await import("node:crypto");
     const webhookSecret = randomUUID();
     const secretStored = await setSecureKeyAsync(
-      "credential:telegram:webhook_secret",
+      credentialKey("telegram", "webhook_secret"),
       webhookSecret,
     );
     if (secretStored) {
@@ -172,7 +184,7 @@ export async function setTelegramConfig(
       // When the token came from secure storage it was already valid
       // configuration; deleting it would destroy working state.
       if (isNewToken) {
-        await deleteSecureKeyAsync("credential:telegram:bot_token");
+        await deleteSecureKeyAsync(credentialKey("telegram", "bot_token"));
         deleteCredentialMetadata("telegram", "bot_token");
       }
       // Always revert the config write — the botUsername was written
@@ -195,6 +207,13 @@ export async function setTelegramConfig(
     upsertCredentialMetadata("telegram", "webhook_secret", {});
   }
 
+  // Sync oauth_connection record so getConnectionByProvider("telegram")
+  // reflects the current credential state.
+  await ensureManualTokenConnection(
+    "telegram",
+    botUsername ? `@${botUsername}` : undefined,
+  );
+
   const result: TelegramConfigResult = {
     success: true,
     hasBotToken: true,
@@ -222,7 +241,7 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
   // The gateway reconcile short-circuits when credentials are absent,
   // so we must call the Telegram API directly while the token is still
   // available.
-  const botToken = getSecureKey("credential:telegram:bot_token");
+  const botToken = getSecureKey(credentialKey("telegram", "bot_token"));
   if (botToken) {
     try {
       await fetch(`https://api.telegram.org/bot${botToken}/deleteWebhook`);
@@ -234,13 +253,16 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
     }
   }
 
-  const r1 = await deleteSecureKeyAsync("credential:telegram:bot_token");
-  const r2 = await deleteSecureKeyAsync("credential:telegram:webhook_secret");
+  const r1 = await deleteSecureKeyAsync(credentialKey("telegram", "bot_token"));
+  const r2 = await deleteSecureKeyAsync(
+    credentialKey("telegram", "webhook_secret"),
+  );
 
   if (r1 === "error" || r2 === "error") {
-    const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
+    // Check each key individually so partial deletions report accurate status.
+    const hasBotToken = !!getSecureKey(credentialKey("telegram", "bot_token"));
     const hasWebhookSecret = !!getSecureKey(
-      "credential:telegram:webhook_secret",
+      credentialKey("telegram", "webhook_secret"),
     );
     return {
       success: false,
@@ -254,6 +276,9 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
   deleteCredentialMetadata("telegram", "bot_token");
   deleteCredentialMetadata("telegram", "webhook_secret");
 
+  // Remove the oauth_connection row so getConnectionByProvider returns undefined.
+  removeManualTokenConnection("telegram");
+
   // Clear bot username from config so getTelegramBotUsername() doesn't
   // return a stale value after disconnect.
   const raw = loadRawConfig();
@@ -272,7 +297,7 @@ export async function clearTelegramConfig(): Promise<TelegramConfigResult> {
 export async function setTelegramCommands(
   commands?: Array<{ command: string; description: string }>,
 ): Promise<TelegramConfigResult> {
-  const storedToken = getSecureKey("credential:telegram:bot_token");
+  const storedToken = getSecureKey(credentialKey("telegram", "bot_token"));
   if (!storedToken) {
     return {
       success: false,
@@ -299,32 +324,36 @@ export async function setTelegramCommands(
     );
     if (!res.ok) {
       const body = await res.text();
+      const cmdConn = getConnectionByProvider("telegram");
+      const cmdConnected = !!(cmdConn && cmdConn.status === "active");
       return {
         success: false,
         hasBotToken: true,
-        connected: !!getSecureKey("credential:telegram:webhook_secret"),
-        hasWebhookSecret: !!getSecureKey("credential:telegram:webhook_secret"),
+        connected: cmdConnected,
+        hasWebhookSecret: cmdConnected,
         error: `Failed to set bot commands: ${body}`,
       };
     }
   } catch (err) {
     const message = summarizeTelegramError(err);
+    const cmdConn = getConnectionByProvider("telegram");
+    const cmdConnected = !!(cmdConn && cmdConn.status === "active");
     return {
       success: false,
       hasBotToken: true,
-      connected: !!getSecureKey("credential:telegram:webhook_secret"),
-      hasWebhookSecret: !!getSecureKey("credential:telegram:webhook_secret"),
+      connected: cmdConnected,
+      hasWebhookSecret: cmdConnected,
       error: `Failed to set bot commands: ${message}`,
     };
   }
 
-  const hasBotToken = !!getSecureKey("credential:telegram:bot_token");
-  const hasWebhookSecret = !!getSecureKey("credential:telegram:webhook_secret");
+  const cmdConn = getConnectionByProvider("telegram");
+  const cmdConnected = !!(cmdConn && cmdConn.status === "active");
   return {
     success: true,
-    hasBotToken,
-    connected: hasBotToken && hasWebhookSecret,
-    hasWebhookSecret,
+    hasBotToken: true,
+    connected: cmdConnected,
+    hasWebhookSecret: cmdConnected,
     commandsRegistered: resolvedCommands.map((c) => c.command),
   };
 }
@@ -401,4 +430,4 @@ export async function handleTelegramConfig(
       error: message,
     });
   }
-}
+}

package/src/daemon/handlers/sessions.ts

@@ -35,6 +35,7 @@ import * as pendingInteractions from "../../runtime/pending-interactions.js";
 import { getSubagentManager } from "../../subagent/index.js";
 import { truncate } from "../../util/truncate.js";
 import { HostBashProxy } from "../host-bash-proxy.js";
+import { HostCuProxy } from "../host-cu-proxy.js";
 import { HostFileProxy } from "../host-file-proxy.js";
 import type {
   CancelRequest,
@@ -60,7 +61,6 @@ import {
   type HandlerContext,
   log,
   pendingStandaloneSecrets,
-  wireEscalationHandler,
 } from "./shared.js";
 
 /**
@@ -165,6 +165,12 @@ export function makeEventSender(params: {
         conversationId,
         kind: "host_file",
       });
+    } else if (event.type === "host_cu_request") {
+      pendingInteractions.register(event.requestId, {
+        session,
+        conversationId,
+        kind: "host_cu",
+      });
     }
 
     ctx.send(event);
@@ -195,21 +201,6 @@ export function handleConfirmationResponse(
     }
   }
 
-  // Also check computer-use sessions — they have their own PermissionPrompter
-  for (const [, cuSession] of ctx.cuSessions) {
-    if (cuSession.hasPendingConfirmation(msg.requestId)) {
-      cuSession.handleConfirmationResponse(
-        msg.requestId,
-        msg.decision,
-        msg.selectedPattern,
-        msg.selectedScope,
-      );
-      syncCanonicalStatusFromConfirmationDecision(msg.requestId, msg.decision);
-      pendingInteractions.resolve(msg.requestId);
-      return;
-    }
-  }
-
   log.warn(
     { requestId: msg.requestId },
     "No session found with pending confirmation for requestId",
@@ -362,7 +353,6 @@ export async function handleSessionCreate(
     maxResponseTokens: msg.maxResponseTokens,
     transport: msg.transport,
   });
-  wireEscalationHandler(session, ctx);
 
   // Pre-activate skills before sending session_info so they're available
   // for the initial message processing.
@@ -431,6 +421,8 @@ export async function handleSessionCreate(
         pendingInteractions.resolve(requestId);
       });
       session.setHostFileProxy(fileProxy);
+      const cuProxy = new HostCuProxy(sendEvent);
+      session.setHostCuProxy(cuProxy);
     }
     session.updateClient(sendEvent, false);
     session
@@ -492,13 +484,7 @@ export async function switchSession(
     // Load the session without rebinding the client — the session stays headless
     await ctx.getOrCreateSession(sessionId);
   } else {
-    const session = await ctx.getOrCreateSession(sessionId);
-    // Only wire the escalation handler if one isn't already set — handleTaskSubmit
-    // sets a handler with the client's actual screen dimensions, and overwriting it
-    // here would replace those dimensions with the daemon's defaults.
-    if (!session.hasEscalationHandler()) {
-      wireEscalationHandler(session, ctx);
-    }
+    await ctx.getOrCreateSession(sessionId);
   }
 
   return {

package/src/daemon/handlers/shared.ts

@@ -1,17 +1,12 @@
-import { execSync } from "node:child_process";
-
 import { v4 as uuid } from "uuid";
 
 import { getConfig } from "../../config/loader.js";
 import type { HeartbeatService } from "../../heartbeat/heartbeat-service.js";
 import type { SecretPromptResult } from "../../permissions/secret-prompter.js";
-import { RateLimitProvider } from "../../providers/ratelimit.js";
-import { getFailoverProvider } from "../../providers/registry.js";
 import type { AuthContext } from "../../runtime/auth/types.js";
 import type { DebouncerMap } from "../../util/debounce.js";
 import { getLogger } from "../../util/logger.js";
 import { estimateBase64Bytes } from "../assistant-attachments.js";
-import { ComputerUseSession } from "../computer-use-session.js";
 import type {
   ServerMessage,
   SessionTransportMetadata,
@@ -28,9 +23,6 @@ export const CONFIG_RELOAD_DEBOUNCE_MS = 300;
 
 const HISTORY_ATTACHMENT_TEXT_LIMIT = 500;
 
-export const FALLBACK_SCREEN = { width: 1920, height: 1080 };
-let cachedScreenDims: { width: number; height: number } | null = null;
-
 // Module-level map for non-session secret prompts (e.g. publish_page)
 export const pendingStandaloneSecrets = new Map<
   string,
@@ -150,8 +142,6 @@ export interface SessionCreateOptions {
  */
 export interface HandlerContext {
   sessions: Map<string, Session>;
-  cuSessions: Map<string, ComputerUseSession>;
-  cuObservationParseSequence: Map<string, number>;
   sharedRequestTimestamps: number[];
   debounceTimers: DebouncerMap;
   suppressConfigReload: boolean;
@@ -170,126 +160,6 @@ export interface HandlerContext {
   heartbeatService?: HeartbeatService;
 }
 
-/**
- * Query the main display dimensions via CoreGraphics.
- * Cached after the first successful call; falls back to 1920x1080.
- */
-export function getScreenDimensions(): { width: number; height: number } {
-  if (cachedScreenDims) return cachedScreenDims;
-  if (process.platform !== "darwin") return FALLBACK_SCREEN;
-  try {
-    // Use osascript (JXA) instead of `swift` to avoid the
-    // "Install Command Line Developer Tools" popup on fresh macOS installs.
-    const out = execSync(
-      `osascript -l JavaScript -e 'ObjC.import("AppKit"); var f = $.NSScreen.mainScreen.frame; Math.round(f.size.width) + "x" + Math.round(f.size.height)'`,
-      { timeout: 10_000, encoding: "utf-8" },
-    ).trim();
-    const [w, h] = out.split("x").map(Number);
-    if (w > 0 && h > 0) {
-      cachedScreenDims = { width: w, height: h };
-      return cachedScreenDims;
-    }
-  } catch (err) {
-    log.debug({ err }, "Failed to query screen dimensions, using fallback");
-  }
-  return FALLBACK_SCREEN;
-}
-
-/**
- * Wire the escalation handler on a text_qa session so that invoking
- * `computer_use_request_control` creates a CU session and notifies the client.
- *
- * In the HTTP-only world, the escalation handler broadcasts events via
- * `ctx.broadcast` instead of targeting a specific socket.
- */
-export function wireEscalationHandler(
-  session: Session,
-  ctx: HandlerContext,
-  explicitWidth?: number,
-  explicitHeight?: number,
-): void {
-  const dims =
-    explicitWidth && explicitHeight
-      ? { width: explicitWidth, height: explicitHeight }
-      : getScreenDimensions();
-  const screenWidth = dims.width;
-  const screenHeight = dims.height;
-  session.setEscalationHandler(
-    (task: string, sourceSessionId: string): boolean => {
-      const cuSessionId = uuid();
-
-      // Inline CU session creation (previously delegated to deleted handlers/computer-use.ts)
-      const existingSession = ctx.cuSessions.get(cuSessionId);
-      if (existingSession) {
-        existingSession.abort();
-        ctx.cuSessions.delete(cuSessionId);
-        ctx.cuObservationParseSequence.delete(cuSessionId);
-      }
-
-      const config = getConfig();
-      let provider = getFailoverProvider(config.provider, config.providerOrder);
-      const { rateLimit } = config;
-      if (
-        rateLimit.maxRequestsPerMinute > 0 ||
-        rateLimit.maxTokensPerSession > 0
-      ) {
-        provider = new RateLimitProvider(
-          provider,
-          rateLimit,
-          ctx.sharedRequestTimestamps,
-        );
-      }
-
-      const sendToClient = (serverMsg: ServerMessage) => {
-        ctx.send(serverMsg);
-      };
-
-      const sessionRef: { current?: ComputerUseSession } = {};
-      const onTerminal = (sid: string) => {
-        const current = ctx.cuSessions.get(sid);
-        if (sessionRef.current && current && current !== sessionRef.current) {
-          return;
-        }
-        ctx.cuSessions.delete(sid);
-        ctx.cuObservationParseSequence.delete(sid);
-        log.info(
-          { sessionId: sid },
-          "Computer-use session cleaned up after terminal state",
-        );
-      };
-
-      const cuSession = new ComputerUseSession(
-        cuSessionId,
-        task,
-        screenWidth,
-        screenHeight,
-        provider,
-        sendToClient,
-        "computer_use",
-        onTerminal,
-      );
-      sessionRef.current = cuSession;
-
-      ctx.cuSessions.set(cuSessionId, cuSession);
-
-      log.info(
-        { sessionId: cuSessionId, taskLength: task.length },
-        "Computer-use session created via escalation",
-      );
-
-      ctx.broadcast({
-        type: "task_routed",
-        sessionId: cuSessionId,
-        interactionType: "computer_use",
-        task,
-        escalatedFrom: sourceSessionId,
-      });
-
-      return true;
-    },
-  );
-}
-
 export function isRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === "object" && value != null;
 }