@vellumai/assistant 0.4.46 → 0.4.49

package/src/memory/migrations/149-oauth-tables.ts

@@ -0,0 +1,60 @@
+import type { DrizzleDb } from "../db-connection.js";
+
+/**
+ * OAuth provider, app, and connection tables.
+ * Creates tables in FK-dependency order: providers → apps → connections.
+ */
+export function createOAuthTables(database: DrizzleDb): void {
+  database.run(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS oauth_providers (
+      provider_key TEXT PRIMARY KEY,
+      auth_url TEXT NOT NULL,
+      token_url TEXT NOT NULL,
+      token_endpoint_auth_method TEXT,
+      userinfo_url TEXT,
+      base_url TEXT,
+      default_scopes TEXT NOT NULL DEFAULT '[]',
+      scope_policy TEXT NOT NULL DEFAULT '{}',
+      extra_params TEXT,
+      callback_transport TEXT,
+      loopback_port INTEGER,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  database.run(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS oauth_apps (
+      id TEXT PRIMARY KEY,
+      provider_key TEXT NOT NULL REFERENCES oauth_providers(provider_key),
+      client_id TEXT NOT NULL,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  database.run(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS oauth_connections (
+      id TEXT PRIMARY KEY,
+      oauth_app_id TEXT NOT NULL REFERENCES oauth_apps(id),
+      provider_key TEXT NOT NULL,
+      account_info TEXT,
+      granted_scopes TEXT NOT NULL DEFAULT '[]',
+      expires_at INTEGER,
+      has_refresh_token INTEGER NOT NULL DEFAULT 0,
+      status TEXT NOT NULL DEFAULT 'active',
+      label TEXT,
+      metadata TEXT,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  database.run(
+    /*sql*/ `CREATE UNIQUE INDEX IF NOT EXISTS idx_oauth_apps_provider_client ON oauth_apps(provider_key, client_id)`,
+  );
+
+  database.run(
+    /*sql*/ `CREATE INDEX IF NOT EXISTS idx_oauth_connections_provider_key ON oauth_connections(provider_key)`,
+  );
+}

package/src/memory/migrations/index.ts

@@ -90,6 +90,7 @@ export { migrateDropAccountsTable } from "./145-drop-accounts-table.js";
 export { migrateScheduleOneShotRouting } from "./146-schedule-oneshot-routing.js";
 export { migrateRemindersToSchedules } from "./147-migrate-reminders-to-schedules.js";
 export { migrateDropRemindersTable } from "./148-drop-reminders-table.js";
+export { createOAuthTables } from "./149-oauth-tables.js";
 export {
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,

package/src/memory/schema/guardian.ts

@@ -27,7 +27,7 @@ export const guardianActionRequests = sqliteTable(
     followupState: text("followup_state").notNull().default("none"), // none | awaiting_guardian_choice | dispatching | completed | declined | failed
     lateAnswerText: text("late_answer_text"),
     lateAnsweredAt: integer("late_answered_at"),
-    followupAction: text("followup_action"), // call_back | message_back | decline
+    followupAction: text("followup_action"), // call_back | decline
     followupCompletedAt: integer("followup_completed_at"),
     toolName: text("tool_name"), // tool identity for tool-approval requests
     inputDigest: text("input_digest"), // canonical SHA-256 digest of tool input

package/src/memory/schema/index.ts

@@ -5,4 +5,5 @@ export * from "./guardian.js";
 export * from "./infrastructure.js";
 export * from "./memory-core.js";
 export * from "./notifications.js";
+export * from "./oauth.js";
 export * from "./tasks.js";

package/src/memory/schema/oauth.ts

@@ -0,0 +1,65 @@
+import {
+  index,
+  integer,
+  sqliteTable,
+  text,
+  uniqueIndex,
+} from "drizzle-orm/sqlite-core";
+
+export const oauthProviders = sqliteTable("oauth_providers", {
+  providerKey: text("provider_key").primaryKey(),
+  authUrl: text("auth_url").notNull(),
+  tokenUrl: text("token_url").notNull(),
+  tokenEndpointAuthMethod: text("token_endpoint_auth_method"),
+  userinfoUrl: text("userinfo_url"),
+  baseUrl: text("base_url"),
+  defaultScopes: text("default_scopes").notNull().default("[]"),
+  scopePolicy: text("scope_policy").notNull().default("{}"),
+  extraParams: text("extra_params"),
+  callbackTransport: text("callback_transport"),
+  loopbackPort: integer("loopback_port"),
+  createdAt: integer("created_at").notNull(),
+  updatedAt: integer("updated_at").notNull(),
+});
+
+export const oauthApps = sqliteTable(
+  "oauth_apps",
+  {
+    id: text("id").primaryKey(),
+    providerKey: text("provider_key")
+      .notNull()
+      .references(() => oauthProviders.providerKey),
+    clientId: text("client_id").notNull(),
+    createdAt: integer("created_at").notNull(),
+    updatedAt: integer("updated_at").notNull(),
+  },
+  (table) => [
+    uniqueIndex("idx_oauth_apps_provider_client").on(
+      table.providerKey,
+      table.clientId,
+    ),
+  ],
+);
+
+export const oauthConnections = sqliteTable(
+  "oauth_connections",
+  {
+    id: text("id").primaryKey(),
+    oauthAppId: text("oauth_app_id")
+      .notNull()
+      .references(() => oauthApps.id),
+    providerKey: text("provider_key").notNull(),
+    accountInfo: text("account_info"),
+    grantedScopes: text("granted_scopes").notNull().default("[]"),
+    expiresAt: integer("expires_at"),
+    hasRefreshToken: integer("has_refresh_token").notNull().default(0),
+    status: text("status").notNull().default("active"),
+    label: text("label"),
+    metadata: text("metadata"),
+    createdAt: integer("created_at").notNull(),
+    updatedAt: integer("updated_at").notNull(),
+  },
+  (table) => [
+    index("idx_oauth_connections_provider_key").on(table.providerKey),
+  ],
+);

package/src/messaging/provider.ts

@@ -5,6 +5,7 @@
  * implementing one adapter file + an OAuth setup skill.
  */
 
+import type { OAuthConnection } from "../oauth/connection.js";
 import type {
   ArchiveResult,
   ConnectionInfo,
@@ -29,23 +30,25 @@ export interface MessagingProvider {
 
   // ── Universal operations (every platform must implement) ──────────
 
-  testConnection(token: string): Promise<ConnectionInfo>;
+  testConnection(
+    connectionOrToken: OAuthConnection | string,
+  ): Promise<ConnectionInfo>;
   listConversations(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     options?: ListOptions,
   ): Promise<Conversation[]>;
   getHistory(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     options?: HistoryOptions,
   ): Promise<Message[]>;
   search(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     query: string,
     options?: SearchOptions,
   ): Promise<SearchResult>;
   sendMessage(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     options?: SendOptions,
@@ -54,32 +57,35 @@ export interface MessagingProvider {
   // ── Optional operations (platforms implement what they support) ───
 
   getThreadReplies?(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     threadId: string,
     options?: HistoryOptions,
   ): Promise<Message[]>;
   markRead?(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     messageId?: string,
   ): Promise<void>;
 
   /** Scan messages and group by sender for bulk cleanup (e.g. newsletter decluttering). */
   senderDigest?(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     query: string,
     options?: { maxMessages?: number; maxSenders?: number; pageToken?: string },
   ): Promise<SenderDigestResult>;
   /** Archive messages matching a search query. */
-  archiveByQuery?(token: string, query: string): Promise<ArchiveResult>;
+  archiveByQuery?(
+    connectionOrToken: OAuthConnection | string,
+    query: string,
+  ): Promise<ArchiveResult>;
 
   /**
    * Override the default credential check used by getConnectedProviders().
-   * When present, the registry calls this instead of looking for
-   * credential:${credentialService}:access_token. Useful for providers
-   * that don't use OAuth (e.g. Telegram bot tokens stored under a
-   * non-standard key).
+   * When present, the registry calls this instead of checking for an
+   * active oauth-store connection via isProviderConnected(). Useful
+   * for providers that don't use OAuth (e.g. Telegram bot tokens stored
+   * under a non-standard key).
    */
   isConnected?(): boolean;
 

package/src/messaging/providers/gmail/adapter.ts

@@ -5,6 +5,7 @@
  * and implements the MessagingProvider interface.
  */
 
+import type { OAuthConnection } from "../../../oauth/connection.js";
 import type { MessagingProvider } from "../../provider.js";
 import type {
   ArchiveResult,
@@ -94,8 +95,11 @@ export const gmailMessagingProvider: MessagingProvider = {
     "unsubscribe",
   ]),
 
-  async testConnection(token: string): Promise<ConnectionInfo> {
-    const profile = await gmail.getProfile(token);
+  async testConnection(
+    connectionOrToken: OAuthConnection | string,
+  ): Promise<ConnectionInfo> {
+    const connection = connectionOrToken as OAuthConnection;
+    const profile = await gmail.getProfile(connection);
     return {
       connected: true,
       user: profile.emailAddress,
@@ -108,11 +112,12 @@ export const gmailMessagingProvider: MessagingProvider = {
   },
 
   async listConversations(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     _options?: ListOptions,
   ): Promise<Conversation[]> {
+    const connection = connectionOrToken as OAuthConnection;
     // Gmail "conversations" are modeled as labels with unread counts
-    const labels = await gmail.listLabels(token);
+    const labels = await gmail.listLabels(connection);
     const conversations: Conversation[] = [];
 
     for (const label of labels) {
@@ -151,14 +156,15 @@ export const gmailMessagingProvider: MessagingProvider = {
   },
 
   async getHistory(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     options?: HistoryOptions,
   ): Promise<Message[]> {
+    const connection = connectionOrToken as OAuthConnection;
     // conversationId is a label ID — list messages in that label
     const limit = options?.limit ?? 50;
     const listResult = await gmail.listMessages(
-      token,
+      connection,
       undefined,
       limit,
       undefined,
@@ -168,7 +174,7 @@ export const gmailMessagingProvider: MessagingProvider = {
     if (!listResult.messages?.length) return [];
 
     const messages = await gmail.batchGetMessages(
-      token,
+      connection,
       listResult.messages.map((m) => m.id),
       "full",
     );
@@ -177,19 +183,20 @@ export const gmailMessagingProvider: MessagingProvider = {
   },
 
   async search(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     query: string,
     options?: SearchOptions,
   ): Promise<SearchResult> {
+    const connection = connectionOrToken as OAuthConnection;
     const count = options?.count ?? 20;
-    const listResult = await gmail.listMessages(token, query, count);
+    const listResult = await gmail.listMessages(connection, query, count);
 
     if (!listResult.messages?.length) {
       return { total: 0, messages: [], hasMore: false };
     }
 
     const messages = await gmail.batchGetMessages(
-      token,
+      connection,
       listResult.messages.map((m) => m.id),
       "full",
     );
@@ -203,16 +210,17 @@ export const gmailMessagingProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     options?: SendOptions,
   ): Promise<SendResult> {
+    const connection = connectionOrToken as OAuthConnection;
     // conversationId is the recipient email for Gmail
     const to = conversationId;
     const subject = options?.subject ?? "";
     const msg = await gmail.sendMessage(
-      token,
+      connection,
       to,
       subject,
       text,
@@ -228,15 +236,16 @@ export const gmailMessagingProvider: MessagingProvider = {
   },
 
   async getThreadReplies(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     _conversationId: string,
     threadId: string,
     options?: HistoryOptions,
   ): Promise<Message[]> {
+    const connection = connectionOrToken as OAuthConnection;
     // Get all messages in a Gmail thread
     const limit = options?.limit ?? 50;
     const listResult = await gmail.listMessages(
-      token,
+      connection,
       `thread:${threadId}`,
       limit,
     );
@@ -244,7 +253,7 @@ export const gmailMessagingProvider: MessagingProvider = {
     if (!listResult.messages?.length) return [];
 
     const messages = await gmail.batchGetMessages(
-      token,
+      connection,
       listResult.messages.map((m) => m.id),
       "full",
     );
@@ -253,19 +262,23 @@ export const gmailMessagingProvider: MessagingProvider = {
   },
 
   async markRead(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     _conversationId: string,
     messageId?: string,
   ): Promise<void> {
+    const connection = connectionOrToken as OAuthConnection;
     if (!messageId) return;
-    await gmail.modifyMessage(token, messageId, { removeLabelIds: ["UNREAD"] });
+    await gmail.modifyMessage(connection, messageId, {
+      removeLabelIds: ["UNREAD"],
+    });
   },
 
   async senderDigest(
-    token: string,
+    connectionOrToken: OAuthConnection | string,
     query: string,
     options?: { maxMessages?: number; maxSenders?: number; pageToken?: string },
   ): Promise<SenderDigestResult> {
+    const connection = connectionOrToken as OAuthConnection;
     const maxMessages = Math.min(options?.maxMessages ?? 5000, 5000);
     const maxSenders = options?.maxSenders ?? 30;
     const maxIdsPerSender = 5000;
@@ -285,7 +298,7 @@ export const gmailMessagingProvider: MessagingProvider = {
       }
       const pageSize = Math.min(100, maxMessages - allMessageIds.length);
       const listResp = await gmail.listMessages(
-        token,
+        connection,
         query,
         pageSize,
         pageToken,
@@ -295,7 +308,7 @@ export const gmailMessagingProvider: MessagingProvider = {
       allMessageIds.push(...ids);
       fetchPromises.push(
         gmail.batchGetMessages(
-          token,
+          connection,
           ids,
           "metadata",
           metadataHeaders,
@@ -409,7 +422,11 @@ export const gmailMessagingProvider: MessagingProvider = {
     };
   },
 
-  async archiveByQuery(token: string, query: string): Promise<ArchiveResult> {
+  async archiveByQuery(
+    connectionOrToken: OAuthConnection | string,
+    query: string,
+  ): Promise<ArchiveResult> {
+    const connection = connectionOrToken as OAuthConnection;
     const maxMessages = 5000;
     const batchModifyLimit = 1000;
 
@@ -419,7 +436,7 @@ export const gmailMessagingProvider: MessagingProvider = {
 
     while (allMessageIds.length < maxMessages) {
       const listResp = await gmail.listMessages(
-        token,
+        connection,
         query,
         Math.min(500, maxMessages - allMessageIds.length),
         pageToken,
@@ -441,7 +458,7 @@ export const gmailMessagingProvider: MessagingProvider = {
 
     for (let i = 0; i < allMessageIds.length; i += batchModifyLimit) {
       const chunk = allMessageIds.slice(i, i + batchModifyLimit);
-      await gmail.batchModifyMessages(token, chunk, {
+      await gmail.batchModifyMessages(connection, chunk, {
         removeLabelIds: ["INBOX"],
       });
     }