@vellumai/assistant 0.4.46 → 0.4.49

package/src/messaging/providers/slack/client.ts

@@ -1,10 +1,16 @@
 /**
  * Low-level Slack Web API wrapper.
  *
- * All methods take a user OAuth token and throw SlackApiError on failures.
- * Throws with status: 401 on auth errors for withValidToken compatibility.
+ * All methods accept either an OAuthConnection or a raw token string.
+ * Throws SlackApiError on failures, with status: 401 on auth errors
+ * for withValidToken compatibility.
+ *
+ * String overloads are retained for non-OAuth callers (e.g. slack/share.ts)
+ * that pass raw bot tokens via resolveSlackToken(). These bypass the
+ * OAuthConnection model by design.
  */
 
+import type { OAuthConnection } from "../../../oauth/connection.js";
 import type {
   SlackApiResponse,
   SlackAuthTestResponse,
@@ -46,7 +52,159 @@ function sleepMs(ms: number): Promise<void> {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
-async function request<T extends SlackApiResponse>(
+/**
+ * Check a Slack API response envelope for errors and map to SlackApiError.
+ * Returns the data if ok, throws otherwise.
+ */
+function checkSlackEnvelope<T extends SlackApiResponse>(data: T): T {
+  if (!data.ok) {
+    const slackError = data.error ?? "unknown_error";
+    const status = [
+      "invalid_auth",
+      "token_expired",
+      "token_revoked",
+      "not_authed",
+    ].includes(slackError)
+      ? 401
+      : 400;
+    throw new SlackApiError(
+      status,
+      slackError,
+      `Slack API error: ${slackError}`,
+    );
+  }
+  return data;
+}
+
+/**
+ * Build a Slack API request using a raw token (for retry via `connection.withToken`).
+ */
+async function rawSlackRequest<T extends SlackApiResponse>(
+  token: string,
+  method: string,
+  query: Record<string, string> | undefined,
+  body: Record<string, unknown> | undefined,
+): Promise<T> {
+  let url = `${SLACK_API_BASE}/${method}`;
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${token}`,
+  };
+
+  let init: RequestInit;
+  if (body) {
+    headers["Content-Type"] = "application/json; charset=utf-8";
+    init = { method: "POST", headers, body: JSON.stringify(body) };
+  } else {
+    if (query && Object.keys(query).length > 0) {
+      url += `?${new URLSearchParams(query)}`;
+    }
+    init = { method: "GET", headers };
+  }
+
+  const resp = await fetch(url, init);
+  if (resp.status === 429) {
+    throw new SlackApiError(429, "rate_limited", "Slack API rate limited");
+  }
+  if (!resp.ok) {
+    throw new SlackApiError(
+      resp.status,
+      `http_${resp.status}`,
+      `Slack API HTTP ${resp.status}`,
+    );
+  }
+  return checkSlackEnvelope((await resp.json()) as T);
+}
+
+/**
+ * Execute a Slack API request via OAuthConnection with rate-limit retry.
+ *
+ * Slack returns HTTP 200 with `{ ok: false, error: "invalid_auth" }` for
+ * auth errors. Because `connection.request()` delegates to `withValidToken`
+ * which only retries on HTTP-level 401s, we catch Slack envelope auth
+ * errors (mapped to SlackApiError with status 401) and perform a single
+ * retry via `connection.withToken()` which forces a token refresh before
+ * giving us the new token.
+ */
+async function requestViaConnection<T extends SlackApiResponse>(
+  connection: OAuthConnection,
+  method: string,
+  params?: Record<string, string | undefined>,
+  body?: Record<string, unknown>,
+): Promise<T> {
+  const query: Record<string, string> | undefined = params
+    ? Object.fromEntries(
+        Object.entries(params).filter(
+          (entry): entry is [string, string] => entry[1] !== undefined,
+        ),
+      )
+    : undefined;
+
+  for (let attempt = 0; attempt <= MAX_RATE_LIMIT_RETRIES; attempt++) {
+    const resp = await connection.request({
+      method: body ? "POST" : "GET",
+      path: `/${method}`,
+      query: query && Object.keys(query).length > 0 ? query : undefined,
+      body,
+    });
+
+    // Handle 429 rate limits with Retry-After backoff
+    if (resp.status === 429) {
+      if (attempt >= MAX_RATE_LIMIT_RETRIES) {
+        throw new SlackApiError(429, "rate_limited", "Slack API rate limited");
+      }
+      const retryAfter =
+        parseInt(
+          resp.headers["retry-after"] ?? resp.headers["Retry-After"] ?? "",
+          10,
+        ) || DEFAULT_RETRY_AFTER_S;
+      await sleepMs(retryAfter * 1000);
+      continue;
+    }
+
+    if (resp.status >= 400) {
+      throw new SlackApiError(
+        resp.status,
+        `http_${resp.status}`,
+        `Slack API HTTP ${resp.status}`,
+      );
+    }
+
+    const data = resp.body as T;
+
+    // Handle rate_limited error in response body (some Slack APIs return 200 with error)
+    if (
+      !data.ok &&
+      data.error === "rate_limited" &&
+      attempt < MAX_RATE_LIMIT_RETRIES
+    ) {
+      await sleepMs(DEFAULT_RETRY_AFTER_S * 1000);
+      continue;
+    }
+
+    try {
+      return checkSlackEnvelope(data);
+    } catch (err) {
+      // Slack envelope auth errors (invalid_auth, token_expired, etc.) come
+      // back as HTTP 200, so they escape withValidToken's retry scope inside
+      // connection.request(). Catch them here and retry once with a freshly-
+      // refreshed token via connection.withToken().
+      if (err instanceof SlackApiError && err.status === 401) {
+        return connection.withToken((freshToken) =>
+          rawSlackRequest<T>(freshToken, method, query, body),
+        );
+      }
+      throw err;
+    }
+  }
+
+  // Unreachable, but TypeScript needs this
+  throw new SlackApiError(429, "rate_limited", "Slack API rate limited");
+}
+
+/**
+ * Execute a Slack API request via raw token with rate-limit retry.
+ */
+async function requestViaToken<T extends SlackApiResponse>(
   token: string,
   method: string,
   params?: Record<string, string | undefined>,
@@ -96,68 +254,76 @@ async function request<T extends SlackApiResponse>(
     }
 
     const data = (await resp.json()) as T;
-    if (!data.ok) {
-      const slackError = data.error ?? "unknown_error";
 
-      // Handle rate_limited error in response body (some Slack APIs return 200 with error)
-      if (slackError === "rate_limited" && attempt < MAX_RATE_LIMIT_RETRIES) {
-        await sleepMs(DEFAULT_RETRY_AFTER_S * 1000);
-        continue;
-      }
-
-      // Map auth errors to 401 for token-manager retry
-      const status = [
-        "invalid_auth",
-        "token_expired",
-        "token_revoked",
-        "not_authed",
-      ].includes(slackError)
-        ? 401
-        : 400;
-      throw new SlackApiError(
-        status,
-        slackError,
-        `Slack API error: ${slackError}`,
-      );
+    // Handle rate_limited error in response body (some Slack APIs return 200 with error)
+    if (
+      !data.ok &&
+      data.error === "rate_limited" &&
+      attempt < MAX_RATE_LIMIT_RETRIES
+    ) {
+      await sleepMs(DEFAULT_RETRY_AFTER_S * 1000);
+      continue;
     }
 
-    return data;
+    return checkSlackEnvelope(data);
   }
 
   // Unreachable, but TypeScript needs this
   throw new SlackApiError(429, "rate_limited", "Slack API rate limited");
 }
 
-export async function authTest(token: string): Promise<SlackAuthTestResponse> {
-  return request<SlackAuthTestResponse>(token, "auth.test");
+async function request<T extends SlackApiResponse>(
+  connectionOrToken: OAuthConnection | string,
+  method: string,
+  params?: Record<string, string | undefined>,
+  body?: Record<string, unknown>,
+): Promise<T> {
+  if (typeof connectionOrToken === "string") {
+    return requestViaToken<T>(connectionOrToken, method, params, body);
+  }
+  return requestViaConnection<T>(connectionOrToken, method, params, body);
+}
+
+export async function authTest(
+  connectionOrToken: OAuthConnection | string,
+): Promise<SlackAuthTestResponse> {
+  return request<SlackAuthTestResponse>(connectionOrToken, "auth.test");
 }
 
 export async function listConversations(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   types = "public_channel,private_channel,mpim,im",
   excludeArchived = true,
   limit = 200,
   cursor?: string,
 ): Promise<SlackConversationsListResponse> {
-  return request<SlackConversationsListResponse>(token, "conversations.list", {
-    types,
-    exclude_archived: String(excludeArchived),
-    limit: String(limit),
-    cursor,
-  });
+  return request<SlackConversationsListResponse>(
+    connectionOrToken,
+    "conversations.list",
+    {
+      types,
+      exclude_archived: String(excludeArchived),
+      limit: String(limit),
+      cursor,
+    },
+  );
 }
 
 export async function conversationInfo(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
 ): Promise<SlackConversationInfoResponse> {
-  return request<SlackConversationInfoResponse>(token, "conversations.info", {
-    channel,
-  });
+  return request<SlackConversationInfoResponse>(
+    connectionOrToken,
+    "conversations.info",
+    {
+      channel,
+    },
+  );
 }
 
 export async function conversationHistory(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   limit = 50,
   latest?: string,
@@ -165,7 +331,7 @@ export async function conversationHistory(
   cursor?: string,
 ): Promise<SlackConversationHistoryResponse> {
   return request<SlackConversationHistoryResponse>(
-    token,
+    connectionOrToken,
     "conversations.history",
     {
       channel,
@@ -178,13 +344,13 @@ export async function conversationHistory(
 }
 
 export async function conversationReplies(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   ts: string,
   limit = 50,
 ): Promise<SlackConversationRepliesResponse> {
   return request<SlackConversationRepliesResponse>(
-    token,
+    connectionOrToken,
     "conversations.replies",
     {
       channel,
@@ -195,12 +361,12 @@ export async function conversationReplies(
 }
 
 export async function conversationMark(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   ts: string,
 ): Promise<SlackConversationMarkResponse> {
   return request<SlackConversationMarkResponse>(
-    token,
+    connectionOrToken,
     "conversations.mark",
     undefined,
     {
@@ -211,11 +377,11 @@ export async function conversationMark(
 }
 
 export async function conversationsOpen(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   userId: string,
 ): Promise<SlackConversationsOpenResponse> {
   return request<SlackConversationsOpenResponse>(
-    token,
+    connectionOrToken,
     "conversations.open",
     undefined,
     {
@@ -225,10 +391,12 @@ export async function conversationsOpen(
 }
 
 export async function userInfo(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   userId: string,
 ): Promise<SlackUserInfoResponse> {
-  return request<SlackUserInfoResponse>(token, "users.info", { user: userId });
+  return request<SlackUserInfoResponse>(connectionOrToken, "users.info", {
+    user: userId,
+  });
 }
 
 export interface PostMessageOptions {
@@ -237,7 +405,7 @@ export interface PostMessageOptions {
 }
 
 export async function postMessage(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   text: string,
   optionsOrThreadTs?: PostMessageOptions | string,
@@ -250,7 +418,7 @@ export async function postMessage(
   if (opts.threadTs) body.thread_ts = opts.threadTs;
   if (opts.blocks) body.blocks = opts.blocks;
   return request<SlackPostMessageResponse>(
-    token,
+    connectionOrToken,
     "chat.postMessage",
     undefined,
     body,
@@ -264,7 +432,7 @@ export async function postMessage(
  * after posting, and they disappear when the user reloads the Slack client.
  */
 export async function postEphemeral(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   user: string,
   text: string,
@@ -273,7 +441,7 @@ export async function postEphemeral(
   const body: Record<string, unknown> = { channel, user, text };
   if (threadTs) body.thread_ts = threadTs;
   return request<SlackPostEphemeralResponse>(
-    token,
+    connectionOrToken,
     "chat.postEphemeral",
     undefined,
     body,
@@ -281,61 +449,80 @@ export async function postEphemeral(
 }
 
 export async function searchMessages(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   query: string,
   count = 20,
   page = 1,
 ): Promise<SlackSearchMessagesResponse> {
-  return request<SlackSearchMessagesResponse>(token, "search.messages", {
-    query,
-    count: String(count),
-    page: String(page),
-  });
+  return request<SlackSearchMessagesResponse>(
+    connectionOrToken,
+    "search.messages",
+    {
+      query,
+      count: String(count),
+      page: String(page),
+    },
+  );
 }
 
 export async function addReaction(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   timestamp: string,
   name: string,
 ): Promise<SlackReactionAddResponse> {
-  return request<SlackReactionAddResponse>(token, "reactions.add", undefined, {
-    channel,
-    timestamp,
-    name,
-  });
+  return request<SlackReactionAddResponse>(
+    connectionOrToken,
+    "reactions.add",
+    undefined,
+    {
+      channel,
+      timestamp,
+      name,
+    },
+  );
 }
 
 export async function updateMessage(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   ts: string,
   text: string,
 ): Promise<SlackChatUpdateResponse> {
-  return request<SlackChatUpdateResponse>(token, "chat.update", undefined, {
-    channel,
-    ts,
-    text,
-  });
+  return request<SlackChatUpdateResponse>(
+    connectionOrToken,
+    "chat.update",
+    undefined,
+    {
+      channel,
+      ts,
+      text,
+    },
+  );
 }
 
 export async function deleteMessage(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
   ts: string,
 ): Promise<SlackChatDeleteResponse> {
-  return request<SlackChatDeleteResponse>(token, "chat.delete", undefined, {
-    channel,
-    ts,
-  });
+  return request<SlackChatDeleteResponse>(
+    connectionOrToken,
+    "chat.delete",
+    undefined,
+    {
+      channel,
+      ts,
+    },
+  );
 }
 
 export async function leaveConversation(
-  token: string,
+  connectionOrToken: OAuthConnection | string,
   channel: string,
 ): Promise<SlackConversationLeaveResponse> {
   return request<SlackConversationLeaveResponse>(
-    token,
+    connectionOrToken,
     "conversations.leave",
     undefined,
     {

package/src/messaging/providers/telegram-bot/adapter.ts

@@ -6,15 +6,18 @@
  * with OAuth tokens, Telegram delivery is proxied through the gateway which
  * owns the bot token and handles Telegram API retries.
  *
- * The `token` parameter in MessagingProvider methods is unused for Telegram
- * because delivery is authenticated via the gateway's bearer token, not
- * a per-user OAuth token.
+ * The `connectionOrToken` parameter in MessagingProvider methods is unused
+ * for Telegram because delivery is authenticated via the gateway's bearer
+ * token, not a per-user OAuth token.
  */
 
 import { getGatewayInternalBaseUrl } from "../../../config/env.js";
 import { getOrCreateConversation } from "../../../memory/conversation-key-store.js";
 import * as externalConversationStore from "../../../memory/external-conversation-store.js";
+import type { OAuthConnection } from "../../../oauth/connection.js";
+import { getConnectionByProvider } from "../../../oauth/oauth-store.js";
 import { mintDaemonDeliveryToken } from "../../../runtime/auth/token-service.js";
+import { credentialKey } from "../../../security/credential-key.js";
 import { getSecureKey } from "../../../security/secure-keys.js";
 import type { MessagingProvider } from "../../provider.js";
 import type {
@@ -30,7 +33,7 @@ import type {
 } from "../../provider-types.js";
 import * as telegram from "./client.js";
 
-/** Resolve the gateway base URL, preferring GATEWAY_INTERNAL_BASE_URL if set. */
+/** Resolve the gateway base URL. */
 function getGatewayUrl(): string {
   return getGatewayInternalBaseUrl();
 }
@@ -42,7 +45,7 @@ function getBearerToken(): string {
 
 /** Read the Telegram bot token from the credential vault. */
 function getBotToken(): string | undefined {
-  return getSecureKey("credential:telegram:bot_token");
+  return getSecureKey(credentialKey("telegram", "bot_token"));
 }
 
 export const telegramBotMessagingProvider: MessagingProvider = {
@@ -52,23 +55,21 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   capabilities: new Set(["send"]),
 
   /**
-   * Custom connectivity check. The standard registry check looks for
-   * credential:telegram:access_token, but the Telegram bot token is
-   * stored as credential:telegram:bot_token. This method lets the
-   * registry detect that Telegram credentials exist.
+   * Custom connectivity check using the oauth_connection record as the
+   * single source of truth, consistent with integration-status.ts.
    *
    * Both bot_token and webhook_secret are required — the gateway's
    * /deliver/telegram endpoint rejects requests without the webhook
    * secret, so partial credentials would cause every send to fail.
    */
   isConnected(): boolean {
-    return (
-      getBotToken() !== undefined &&
-      !!getSecureKey("credential:telegram:webhook_secret")
-    );
+    const conn = getConnectionByProvider("telegram");
+    return !!(conn && conn.status === "active");
   },
 
-  async testConnection(_token: string): Promise<ConnectionInfo> {
+  async testConnection(
+    _connectionOrToken: OAuthConnection | string,
+  ): Promise<ConnectionInfo> {
     const botToken = getBotToken();
     if (!botToken) {
       return {
@@ -113,7 +114,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     _options?: SendOptions,
@@ -151,7 +152,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   // interact with chats where users have initiated contact or the bot
   // has been added to a group.
   async listConversations(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _options?: ListOptions,
   ): Promise<Conversation[]> {
     return [];
@@ -159,7 +160,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
 
   // Telegram Bot API does not provide message history retrieval.
   async getHistory(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _conversationId: string,
     _options?: HistoryOptions,
   ): Promise<Message[]> {
@@ -168,7 +169,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
 
   // Telegram Bot API does not support message search.
   async search(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _query: string,
     _options?: SearchOptions,
   ): Promise<SearchResult> {

package/src/messaging/providers/whatsapp/adapter.ts

@@ -5,15 +5,17 @@
  * endpoint. Delivery is proxied through the gateway which owns the Meta Cloud API
  * credentials (phone_number_id + access_token).
  *
- * The `token` parameter in MessagingProvider methods is unused for WhatsApp
- * because delivery is authenticated via the gateway's bearer token, not
- * a per-user OAuth token.
+ * The `connectionOrToken` parameter in MessagingProvider methods is unused
+ * for WhatsApp because delivery is authenticated via the gateway's bearer
+ * token, not a per-user OAuth token.
  */
 
 import { getGatewayInternalBaseUrl } from "../../../config/env.js";
 import { getOrCreateConversation } from "../../../memory/conversation-key-store.js";
 import * as externalConversationStore from "../../../memory/external-conversation-store.js";
+import type { OAuthConnection } from "../../../oauth/connection.js";
 import { mintDaemonDeliveryToken } from "../../../runtime/auth/token-service.js";
+import { credentialKey } from "../../../security/credential-key.js";
 import { getSecureKey } from "../../../security/secure-keys.js";
 import type { MessagingProvider } from "../../provider.js";
 import type {
@@ -42,8 +44,8 @@ function getBearerToken(): string {
 /** Check whether WhatsApp credentials are stored. */
 function hasWhatsAppCredentials(): boolean {
   return (
-    !!getSecureKey("credential:whatsapp:phone_number_id") &&
-    !!getSecureKey("credential:whatsapp:access_token")
+    !!getSecureKey(credentialKey("whatsapp", "phone_number_id")) &&
+    !!getSecureKey(credentialKey("whatsapp", "access_token"))
   );
 }
 
@@ -60,7 +62,9 @@ export const whatsappMessagingProvider: MessagingProvider = {
     return hasWhatsAppCredentials();
   },
 
-  async testConnection(_token: string): Promise<ConnectionInfo> {
+  async testConnection(
+    _connectionOrToken: OAuthConnection | string,
+  ): Promise<ConnectionInfo> {
     if (!hasWhatsAppCredentials()) {
       return {
         connected: false,
@@ -73,7 +77,9 @@ export const whatsappMessagingProvider: MessagingProvider = {
       };
     }
 
-    const phoneNumberId = getSecureKey("credential:whatsapp:phone_number_id")!;
+    const phoneNumberId = getSecureKey(
+      credentialKey("whatsapp", "phone_number_id"),
+    )!;
 
     return {
       connected: true,
@@ -86,7 +92,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     options?: SendOptions,
@@ -130,7 +136,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not support listing conversations via this provider.
   async listConversations(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _options?: ListOptions,
   ): Promise<Conversation[]> {
     return [];
@@ -138,7 +144,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not provide message history retrieval via the gateway.
   async getHistory(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _conversationId: string,
     _options?: HistoryOptions,
   ): Promise<Message[]> {
@@ -147,7 +153,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not support message search.
   async search(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _query: string,
     _options?: SearchOptions,
   ): Promise<SearchResult> {