@vellumai/assistant 0.4.46 → 0.4.49

package/src/oauth/platform-connection.ts

@@ -0,0 +1,111 @@
+import { BackendError } from "../util/errors.js";
+import type {
+  OAuthConnection,
+  OAuthConnectionRequest,
+  OAuthConnectionResponse,
+} from "./connection.js";
+
+export class CredentialRequiredError extends BackendError {
+  constructor(message = "Connection not set up on platform") {
+    super(message);
+    this.name = "CredentialRequiredError";
+  }
+}
+
+export class ProviderUnreachableError extends BackendError {
+  constructor(message = "Provider is unreachable") {
+    super(message);
+    this.name = "ProviderUnreachableError";
+  }
+}
+
+export interface PlatformOAuthConnectionOptions {
+  id: string;
+  providerKey: string;
+  externalId: string;
+  accountInfo: string | null;
+  grantedScopes: string[];
+  assistantId: string;
+  platformBaseUrl: string;
+  apiKey: string;
+}
+
+export class PlatformOAuthConnection implements OAuthConnection {
+  readonly id: string;
+  readonly providerKey: string;
+  readonly externalId: string;
+  readonly accountInfo: string | null;
+  readonly grantedScopes: string[];
+
+  private readonly assistantId: string;
+  private readonly platformBaseUrl: string;
+  private readonly apiKey: string;
+
+  constructor(options: PlatformOAuthConnectionOptions) {
+    this.id = options.id;
+    this.providerKey = options.providerKey;
+    this.externalId = options.externalId;
+    this.accountInfo = options.accountInfo;
+    this.grantedScopes = options.grantedScopes;
+    this.assistantId = options.assistantId;
+    this.platformBaseUrl = options.platformBaseUrl.replace(/\/+$/, "");
+    this.apiKey = options.apiKey;
+  }
+
+  async request(req: OAuthConnectionRequest): Promise<OAuthConnectionResponse> {
+    const providerSlug = this.providerKey.replace(/^integration:/, "");
+    const proxyUrl = `${this.platformBaseUrl}/v1/assistants/${this.assistantId}/external-provider-proxy/${providerSlug}/`;
+
+    const body: Record<string, unknown> = {
+      request: {
+        method: req.method,
+        path: req.path,
+        query: req.query ?? {},
+        headers: req.headers ?? {},
+        body: req.body ?? null,
+        ...(req.baseUrl ? { baseUrl: req.baseUrl } : {}),
+      },
+    };
+
+    const response = await fetch(proxyUrl, {
+      method: "POST",
+      headers: {
+        Authorization: `Api-Key ${this.apiKey}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(body),
+    });
+
+    if (response.status === 424) {
+      throw new CredentialRequiredError();
+    }
+
+    if (response.status === 502) {
+      throw new ProviderUnreachableError();
+    }
+
+    if (!response.ok) {
+      throw new BackendError(
+        `Platform proxy returned unexpected status ${response.status}`,
+      );
+    }
+
+    const json = (await response.json()) as {
+      status: number;
+      headers: Record<string, string>;
+      body: unknown;
+    };
+
+    return {
+      status: json.status,
+      headers: json.headers,
+      body: json.body,
+    };
+  }
+
+  async withToken<T>(_fn: (token: string) => Promise<T>): Promise<T> {
+    throw new BackendError(
+      "Raw token access is not supported for platform-managed connections. Use connection.request() instead.",
+    );
+  }
+}

package/src/oauth/provider-behaviors.ts

@@ -0,0 +1,124 @@
+/**
+ * OAuth provider behavior registry.
+ *
+ * Contains code-side behavioral configuration for well-known OAuth
+ * providers. Protocol-level fields (authUrl, tokenUrl, scopes, etc.)
+ * are stored in the `oauth_providers` SQLite table and seeded by
+ * `seed-providers.ts`. This module contains only fields that require
+ * code references (functions, templates, skill IDs) and cannot be
+ * serialised to a DB row.
+ */
+
+import type { OAuthProviderBehavior } from "./connect-types.js";
+
+// ---------------------------------------------------------------------------
+// Provider behaviors
+// ---------------------------------------------------------------------------
+
+export const PROVIDER_BEHAVIORS: Record<string, OAuthProviderBehavior> = {
+  "integration:gmail": {
+    service: "integration:gmail",
+    // Google APIs for Gmail/Calendar/Contacts span multiple hosts; register
+    // all of them so proxied bash can inject the OAuth bearer token reliably.
+    injectionTemplates: [
+      {
+        hostPattern: "gmail.googleapis.com",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Bearer ",
+      },
+      {
+        hostPattern: "www.googleapis.com",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Bearer ",
+      },
+      {
+        hostPattern: "people.googleapis.com",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Bearer ",
+      },
+    ],
+    setupSkillId: "google-oauth-applescript",
+    setup: {
+      displayName: "Google (Gmail & Calendar)",
+      dashboardUrl: "https://console.cloud.google.com/apis/credentials",
+      appType: "Desktop app",
+      requiresClientSecret: true,
+    },
+  },
+
+  "integration:slack": {
+    service: "integration:slack",
+  },
+
+  "integration:notion": {
+    service: "integration:notion",
+    injectionTemplates: [
+      {
+        hostPattern: "api.notion.com",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Bearer ",
+      },
+    ],
+  },
+
+  "integration:twitter": {
+    service: "integration:twitter",
+    setup: {
+      displayName: "Twitter / X",
+      dashboardUrl: "https://developer.x.com/en/portal/dashboard",
+      appType: "App",
+      requiresClientSecret: false,
+    },
+    identityVerifier: async (
+      accessToken: string,
+    ): Promise<string | undefined> => {
+      try {
+        const resp = await fetch("https://api.x.com/2/users/me", {
+          headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        if (resp.ok) {
+          const body = (await resp.json()) as { data?: { username?: string } };
+          return body.data?.username ? `@${body.data.username}` : undefined;
+        }
+      } catch {
+        // Non-fatal — identity verification is best-effort
+      }
+      return undefined;
+    },
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Aliases & resolution
+// ---------------------------------------------------------------------------
+
+/** Map shorthand aliases to canonical service names. */
+export const SERVICE_ALIASES: Record<string, string> = {
+  gmail: "integration:gmail",
+  slack: "integration:slack",
+  notion: "integration:notion",
+  twitter: "integration:twitter",
+};
+
+/**
+ * Resolve a service name through aliases, then fall back to `integration:`
+ * prefix for providers registered in PROVIDER_BEHAVIORS without a
+ * SERVICE_ALIASES entry.
+ */
+export function resolveService(service: string): string {
+  if (SERVICE_ALIASES[service]) return SERVICE_ALIASES[service];
+  if (!service.includes(":") && PROVIDER_BEHAVIORS[`integration:${service}`])
+    return `integration:${service}`;
+  return service;
+}
+
+/** Look up a provider behavior by canonical service name. */
+export function getProviderBehavior(
+  service: string,
+): OAuthProviderBehavior | undefined {
+  return PROVIDER_BEHAVIORS[service];
+}

package/src/oauth/scope-policy.ts

@@ -5,7 +5,7 @@
  * scopes for an OAuth flow based on the provider profile's scope policy.
  */
 
-import type { OAuthProviderProfile } from "./connect-types.js";
+import type { OAuthScopePolicy } from "./connect-types.js";
 
 // ---------------------------------------------------------------------------
 // Result types
@@ -28,8 +28,15 @@ export type ScopeResolutionResult =
  *   requested scope against the provider's `scopePolicy`.
  * - Returns a deduplicated union of default + approved requested scopes.
  */
+/** Minimal shape needed by the scope resolver. */
+export interface ScopeResolverInput {
+  service: string;
+  defaultScopes: string[];
+  scopePolicy: OAuthScopePolicy;
+}
+
 export function resolveScopes(
-  profile: OAuthProviderProfile,
+  profile: ScopeResolverInput,
   requestedScopes?: string[],
 ): ScopeResolutionResult {
   const { defaultScopes, scopePolicy, service } = profile;

package/src/oauth/seed-providers.ts

@@ -0,0 +1,161 @@
+import { seedProviders } from "./oauth-store.js";
+
+/**
+ * Protocol-level seed data for each well-known OAuth provider.
+ *
+ * These values are upserted into the `oauth_providers` SQLite table on
+ * every startup so that corrections (e.g. a fixed baseUrl) propagate to
+ * existing installations. Code-side behavioral fields (identityVerifier,
+ * injectionTemplates, setup, etc.) live in `provider-behaviors.ts` and
+ * are never persisted to the DB.
+ */
+const PROVIDER_SEED_DATA: Record<
+  string,
+  {
+    providerKey: string;
+    authUrl: string;
+    tokenUrl: string;
+    tokenEndpointAuthMethod?: string;
+    userinfoUrl?: string;
+    baseUrl?: string;
+    defaultScopes: string[];
+    scopePolicy: {
+      allowAdditionalScopes: boolean;
+      allowedOptionalScopes: string[];
+      forbiddenScopes: string[];
+    };
+    extraParams?: Record<string, string>;
+    callbackTransport?: string;
+    loopbackPort?: number;
+  }
+> = {
+  "integration:gmail": {
+    providerKey: "integration:gmail",
+    authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    userinfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+    baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
+    defaultScopes: [
+      "https://www.googleapis.com/auth/gmail.readonly",
+      "https://www.googleapis.com/auth/gmail.modify",
+      "https://www.googleapis.com/auth/gmail.send",
+      "https://www.googleapis.com/auth/calendar.readonly",
+      "https://www.googleapis.com/auth/calendar.events",
+      "https://www.googleapis.com/auth/userinfo.email",
+      "https://www.googleapis.com/auth/contacts.readonly",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    extraParams: { access_type: "offline", prompt: "consent" },
+    callbackTransport: "loopback",
+  },
+
+  "integration:slack": {
+    providerKey: "integration:slack",
+    authUrl: "https://slack.com/oauth/v2/authorize",
+    tokenUrl: "https://slack.com/api/oauth.v2.access",
+    baseUrl: "https://slack.com/api",
+    defaultScopes: [
+      "channels:read",
+      "channels:history",
+      "groups:read",
+      "groups:history",
+      "im:read",
+      "im:history",
+      "im:write",
+      "mpim:read",
+      "mpim:history",
+      "users:read",
+      "chat:write",
+      "search:read",
+      "reactions:write",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    extraParams: {
+      user_scope:
+        "channels:read,channels:history,groups:read,groups:history,im:read,im:history,im:write,mpim:read,mpim:history,users:read,chat:write,search:read,reactions:write",
+    },
+    callbackTransport: "loopback",
+    loopbackPort: 17322,
+  },
+
+  "integration:notion": {
+    providerKey: "integration:notion",
+    authUrl: "https://api.notion.com/v1/oauth/authorize",
+    tokenUrl: "https://api.notion.com/v1/oauth/token",
+    baseUrl: "https://api.notion.com",
+    defaultScopes: [],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    extraParams: { owner: "user" },
+    tokenEndpointAuthMethod: "client_secret_basic",
+  },
+
+  "integration:twitter": {
+    providerKey: "integration:twitter",
+    authUrl: "https://twitter.com/i/oauth2/authorize",
+    tokenUrl: "https://api.x.com/2/oauth2/token",
+    baseUrl: "https://api.x.com",
+    defaultScopes: [
+      "tweet.read",
+      "tweet.write",
+      "users.read",
+      "offline.access",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    tokenEndpointAuthMethod: "client_secret_basic",
+    callbackTransport: "gateway",
+  },
+
+  // Manual-token providers: these don't use OAuth2 flows but need provider
+  // rows so that oauth_app and oauth_connection FK chains can reference them.
+  // The authUrl/tokenUrl values are placeholders — never used at runtime.
+  slack_channel: {
+    providerKey: "slack_channel",
+    authUrl: "urn:manual-token",
+    tokenUrl: "urn:manual-token",
+    baseUrl: "https://slack.com/api",
+    defaultScopes: [],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+  },
+
+  telegram: {
+    providerKey: "telegram",
+    authUrl: "urn:manual-token",
+    tokenUrl: "urn:manual-token",
+    baseUrl: "https://api.telegram.org",
+    defaultScopes: [],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+  },
+};
+
+/**
+ * Seed the oauth_providers table with well-known provider configurations.
+ * Uses INSERT … ON CONFLICT DO UPDATE so seed-data corrections propagate
+ * to existing installations. Safe to call on every startup.
+ */
+export function seedOAuthProviders(): void {
+  seedProviders(Object.values(PROVIDER_SEED_DATA));
+}

package/src/oauth/token-persistence.ts

@@ -2,8 +2,12 @@
  * OAuth2 token persistence helper.
  *
  * Extracted from vault.ts so it can be reused by both the credential
- * vault tool (interactive and deferred paths) and the future OAuth
+ * vault tool (interactive and deferred paths) and the OAuth
  * orchestrator without duplicating storage logic.
+ *
+ * Writes exclusively to the SQLite tables (oauth_app, oauth_connection)
+ * and new-format secure keys (`oauth_app/{id}/...`,
+ * `oauth_connection/{id}/...`).
  */
 
 import type {
@@ -14,12 +18,14 @@ import {
   deleteSecureKeyAsync,
   setSecureKeyAsync,
 } from "../security/secure-keys.js";
-import {
-  deleteCredentialMetadata,
-  upsertCredentialMetadata,
-} from "../tools/credentials/metadata-store.js";
 import type { CredentialInjectionTemplate } from "../tools/credentials/policy-types.js";
 import { runPostConnectHook } from "../tools/credentials/post-connect-hooks.js";
+import {
+  createConnection,
+  getConnectionByProvider,
+  updateConnection,
+  upsertApp,
+} from "./oauth-store.js";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -39,6 +45,8 @@ export interface StoreOAuth2TokensParams {
   wellKnownInjectionTemplates?: CredentialInjectionTemplate[];
   /** Fallback account info from an identity verifier (e.g. @username, email). */
   identityAccountInfo?: string;
+  /** Pre-resolved oauth_app ID — skips the upsertApp() call if provided. */
+  oauthAppId?: string;
 }
 
 // ---------------------------------------------------------------------------
@@ -49,9 +57,9 @@ export interface StoreOAuth2TokensParams {
  * Store OAuth2 tokens and associated metadata after a successful flow.
  *
  * Persists the access token, optional refresh token, client credentials,
- * and metadata (scopes, expiry, account info) into the secure key store
- * and credential metadata file. Runs any registered post-connect hook
- * for the service.
+ * and metadata (scopes, expiry, account info) into the SQLite oauth_app /
+ * oauth_connection tables with new-format secure keys. Runs any registered
+ * post-connect hook for the service.
  */
 export async function storeOAuth2Tokens(
   params: StoreOAuth2TokensParams,
@@ -63,21 +71,9 @@ export async function storeOAuth2Tokens(
     rawTokenResponse,
     clientId,
     clientSecret,
-    tokenUrl,
-    tokenEndpointAuthMethod,
     userinfoUrl,
-    allowedTools,
-    wellKnownInjectionTemplates,
   } = params;
 
-  const tokenStored = await setSecureKeyAsync(
-    `credential:${service}:access_token`,
-    tokens.accessToken,
-  );
-  if (!tokenStored) {
-    throw new Error("Failed to store access token in secure storage");
-  }
-
   const expiresAt = tokens.expiresIn
     ? Date.now() + tokens.expiresIn * 1000
     : null;
@@ -97,82 +93,82 @@ export async function storeOAuth2Tokens(
     }
   }
 
-  // Persist client credentials in keychain for defense in depth
-  const clientIdStored = await setSecureKeyAsync(
-    `credential:${service}:client_id`,
-    clientId,
-  );
-  if (!clientIdStored) {
-    throw new Error("Failed to store client_id in secure storage");
-  }
-  if (clientSecret) {
-    const clientSecretStored = await setSecureKeyAsync(
-      `credential:${service}:client_secret`,
+  const resolvedAccountInfo = accountInfo ?? params.identityAccountInfo;
+
+  // -------------------------------------------------------------------
+  // SQLite oauth_app + oauth_connection + new-format secure keys
+  // -------------------------------------------------------------------
+
+  // 1. Upsert the oauth_app row (or use the pre-resolved ID).
+  const app = params.oauthAppId
+    ? { id: params.oauthAppId }
+    : await upsertApp(service, clientId, clientSecret);
+
+  // When oauthAppId is pre-resolved, still persist clientSecret if provided.
+  if (params.oauthAppId && clientSecret) {
+    const stored = await setSecureKeyAsync(
+      `oauth_app/${params.oauthAppId}/client_secret`,
       clientSecret,
     );
-    if (!clientSecretStored) {
+    if (!stored) {
       throw new Error("Failed to store client_secret in secure storage");
     }
   }
 
-  upsertCredentialMetadata(service, "access_token", {
-    allowedTools: allowedTools ?? [],
-    expiresAt,
-    grantedScopes,
-    oauth2TokenUrl: tokenUrl,
-    oauth2ClientId: clientId,
-    oauth2ClientSecret: clientSecret ?? null,
-    ...(tokenEndpointAuthMethod
-      ? { oauth2TokenEndpointAuthMethod: tokenEndpointAuthMethod }
-      : {}),
-    ...(wellKnownInjectionTemplates
-      ? { injectionTemplates: wellKnownInjectionTemplates }
-      : {}),
-  });
-
-  // Write accountInfo to config using a namespaced key (dynamic import to
-  // avoid circular dependencies — the config loader may transitively depend
-  // on credential modules).
-  const resolvedAccountInfo = accountInfo ?? params.identityAccountInfo;
-  if (resolvedAccountInfo) {
-    try {
-      const {
-        invalidateConfigCache,
-        loadRawConfig,
-        saveRawConfig,
-        setNestedValue,
-      } = await import("../config/loader.js");
-      const raw = loadRawConfig();
-      setNestedValue(
-        raw,
-        `integrations.accountInfo.${service}`,
-        resolvedAccountInfo,
-      );
-      saveRawConfig(raw);
-      invalidateConfigCache();
-    } catch {
-      // Non-fatal — tokens stored even if config write fails
-    }
+  // 2. Upsert oauth_connection — reuse existing active connection for this
+  //    provider, or create a new one.
+  const existingConn = getConnectionByProvider(service);
+  let connId: string;
+
+  const hasRefreshToken = !!tokens.refreshToken;
+
+  if (existingConn) {
+    connId = existingConn.id;
+    updateConnection(connId, {
+      oauthAppId: app.id,
+      accountInfo: resolvedAccountInfo,
+      grantedScopes,
+      expiresAt,
+      hasRefreshToken,
+      metadata: rawTokenResponse,
+    });
+  } else {
+    const conn = createConnection({
+      oauthAppId: app.id,
+      providerKey: service,
+      accountInfo: resolvedAccountInfo,
+      grantedScopes,
+      expiresAt: expiresAt ?? undefined,
+      hasRefreshToken,
+      metadata: rawTokenResponse,
+    });
+    connId = conn.id;
   }
 
+  // 3. Write access_token: oauth_connection/{conn.id}/access_token
+  const tokenStored = await setSecureKeyAsync(
+    `oauth_connection/${connId}/access_token`,
+    tokens.accessToken,
+  );
+  if (!tokenStored) {
+    throw new Error("Failed to store access token in secure storage");
+  }
+
+  // 4. Write or clear refresh_token: oauth_connection/{conn.id}/refresh_token
   if (tokens.refreshToken) {
-    const refreshStored = await setSecureKeyAsync(
-      `credential:${service}:refresh_token`,
+    await setSecureKeyAsync(
+      `oauth_connection/${connId}/refresh_token`,
       tokens.refreshToken,
     );
-    if (refreshStored) {
-      upsertCredentialMetadata(service, "refresh_token", {});
-    }
   } else {
     // Re-auth grants that omit refresh_token must clear any stale stored
     // token — otherwise withValidToken() will attempt refresh with invalid
     // credentials.
-    await deleteSecureKeyAsync(`credential:${service}:refresh_token`);
-    deleteCredentialMetadata(service, "refresh_token");
+    await deleteSecureKeyAsync(`oauth_connection/${connId}/refresh_token`);
   }
 
   // Run any provider-specific post-connect actions (e.g. Slack welcome DM)
   await runPostConnectHook({ service, rawTokenResponse });
 
-  return { accountInfo: accountInfo ?? params.identityAccountInfo };
+  return { accountInfo: resolvedAccountInfo };
 }

package/src/permissions/checker.ts

@@ -48,7 +48,11 @@ function riskCacheKey(
   workingDir?: string,
   manifestOverride?: ManifestOverride,
 ): string {
-  const inputJson = JSON.stringify(input);
+  // Strip `reason` before computing the cache key — it is cosmetic and varies
+  // per invocation even for identical tool operations, causing unnecessary
+  // cache misses.
+  const { reason: _reason, ...cacheableInput } = input;
+  const inputJson = JSON.stringify(cacheableInput);
   const hash = createHash("sha256")
     .update(inputJson)
     .update("\0")
@@ -801,12 +805,12 @@ export async function check(
   }
 
   // Workspace mode: auto-allow workspace-scoped operations that don't have
-  // an explicit rule. Non-workspace operations fall through to risk-based policy.
-  // High-risk operations always require approval regardless of scope.
+  // an explicit rule, but only when risk is Low. Medium and High risk operations
+  // fall through to risk-based policy and always require approval.
   if (
     permissionsMode === "workspace" &&
     !matchedRule &&
-    risk !== RiskLevel.High
+    risk === RiskLevel.Low
   ) {
     // When sandbox is disabled, bash runs on the host — don't auto-allow
     const sandboxEnabled = getConfig().sandbox.enabled;

package/src/permissions/defaults.ts

@@ -28,7 +28,6 @@ const COMPUTER_USE_TOOLS = [
   "computer_use_wait",
   "computer_use_open_app",
   "computer_use_run_applescript",
-  "computer_use_request_control",
   // computer_use_done and computer_use_respond are terminal signal tools
   // (RiskLevel.Low) — they don't perform any computer action, so they
   // should NOT get an 'ask' rule.