@vellumai/assistant 0.4.46 → 0.4.49

package/src/runtime/routes/settings-routes.ts

@@ -14,9 +14,15 @@ import { loadSkillCatalog } from "../../config/skills.js";
 import { normalizeActivationKey } from "../../daemon/handlers/config-voice.js";
 import { orchestrateOAuthConnect } from "../../oauth/connect-orchestrator.js";
 import {
-  getProviderProfile,
+  getApp,
+  getConnectionByProvider,
+  getMostRecentAppByProvider,
+  getProvider,
+} from "../../oauth/oauth-store.js";
+import {
+  getProviderBehavior,
   resolveService,
-} from "../../oauth/provider-profiles.js";
+} from "../../oauth/provider-behaviors.js";
 import {
   check,
   classifyRisk,
@@ -25,17 +31,23 @@ import {
 } from "../../permissions/checker.js";
 import { getSecureKey } from "../../security/secure-keys.js";
 import { parseToolManifestFile } from "../../skills/tool-manifest.js";
-import { assertMetadataWritable } from "../../tools/credentials/metadata-store.js";
 import {
   type ManifestOverride,
   resolveExecutionTarget,
 } from "../../tools/execution-target.js";
 import { getAllTools, getTool } from "../../tools/registry.js";
+import {
+  injectReasonField,
+  REASON_SKIP_SET,
+} from "../../tools/schema-transforms.js";
 import { isSideEffectTool } from "../../tools/side-effects.js";
 import { setAvatarTool } from "../../tools/system/avatar-generator.js";
 import { pathExists } from "../../util/fs.js";
 import { getLogger } from "../../util/logger.js";
 import { getWorkspaceDir } from "../../util/platform.js";
+import { buildAssistantEvent } from "../assistant-event.js";
+import { assistantEventHub } from "../assistant-event-hub.js";
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 import { resolveWorkspacePath } from "./workspace-utils.js";
@@ -128,43 +140,39 @@ function sanitizeOAuthError(message: string): string {
   return "OAuth authentication failed. Please try again.";
 }
 
-/** Resolve client_secret from the keychain, checking canonical then alias service name. */
-function getClientSecret(
-  resolvedService: string,
-  rawService: string,
-): string | undefined {
-  return (
-    getSecureKey(`credential:${resolvedService}:client_secret`) ??
-    (resolvedService !== rawService
-      ? getSecureKey(`credential:${rawService}:client_secret`)
-      : undefined) ??
-    undefined
-  );
-}
-
 async function handleOAuthConnectStart(body: {
   service?: string;
   requestedScopes?: string[];
 }): Promise<Response> {
-  try {
-    assertMetadataWritable();
-  } catch {
-    return httpError(
-      "UNPROCESSABLE_ENTITY",
-      "Credential metadata file has an unrecognized version. Cannot store OAuth credentials.",
-      422,
-    );
-  }
-
   if (!body.service) {
     return httpError("BAD_REQUEST", "Missing required field: service", 400);
   }
 
   const resolvedService = resolveService(body.service);
 
-  let clientId = getSecureKey(`credential:${resolvedService}:client_id`);
-  if (!clientId && resolvedService !== body.service) {
-    clientId = getSecureKey(`credential:${body.service}:client_id`);
+  // Resolve client_id and client_secret from oauth-store.
+  let clientId: string | undefined;
+  let clientSecret: string | undefined;
+
+  // Try existing connection first (re-auth flow)
+  const conn = getConnectionByProvider(resolvedService);
+  if (conn) {
+    const app = getApp(conn.oauthAppId);
+    if (app) {
+      clientId = app.clientId;
+      clientSecret = getSecureKey(`oauth_app/${app.id}/client_secret`);
+    }
+  }
+
+  // Fall back to most recent app for this provider (first-time connect with stored app)
+  if (!clientId) {
+    const dbApp = getMostRecentAppByProvider(resolvedService);
+    if (dbApp) {
+      clientId = dbApp.clientId;
+      if (!clientSecret) {
+        clientSecret = getSecureKey(`oauth_app/${dbApp.id}/client_secret`);
+      }
+    }
   }
 
   if (!clientId) {
@@ -175,12 +183,11 @@ async function handleOAuthConnectStart(body: {
     );
   }
 
-  const clientSecret = getClientSecret(resolvedService, body.service);
-
-  const profile = getProviderProfile(resolvedService);
+  const behavior = getProviderBehavior(resolvedService);
+  const providerRow = getProvider(resolvedService);
   const requiresSecret =
-    profile?.setup?.requiresClientSecret ??
-    !!(profile?.tokenEndpointAuthMethod || profile?.extraParams);
+    behavior?.setup?.requiresClientSecret ??
+    !!(providerRow?.tokenEndpointAuthMethod || providerRow?.extraParams);
   if (requiresSecret && !clientSecret) {
     return httpError(
       "BAD_REQUEST",
@@ -203,6 +210,45 @@ async function handleOAuthConnectStart(body: {
       openUrl: (url: string) => {
         authUrl = url;
       },
+      onDeferredComplete: (deferredResult) => {
+        // Prefer accountInfo from oauth-store when available.
+        let accountInfo = deferredResult.accountInfo;
+        try {
+          const conn = getConnectionByProvider(resolvedService);
+          if (conn?.accountInfo) accountInfo = conn.accountInfo;
+        } catch {
+          // DB not ready — use orchestrator value
+        }
+
+        // Emit oauth_connect_result to all connected SSE clients so the
+        // UI can update immediately when the deferred browser flow completes.
+        assistantEventHub
+          .publish(
+            buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, {
+              type: "oauth_connect_result",
+              success: deferredResult.success,
+              service: deferredResult.service,
+              accountInfo,
+              error: deferredResult.error,
+            }),
+          )
+          .catch((err) => {
+            log.warn(
+              { err, service: deferredResult.service },
+              "Failed to publish oauth_connect_result event",
+            );
+          });
+
+        if (!deferredResult.success) {
+          log.warn(
+            {
+              service: deferredResult.service,
+              err: deferredResult.error,
+            },
+            "Deferred OAuth connect failed",
+          );
+        }
+      },
     });
 
     if (!result.success) {
@@ -225,10 +271,19 @@ async function handleOAuthConnectStart(body: {
       });
     }
 
+    // Prefer accountInfo from oauth-store when available.
+    let responseAccountInfo = result.accountInfo;
+    try {
+      const conn = getConnectionByProvider(resolvedService);
+      if (conn?.accountInfo) responseAccountInfo = conn.accountInfo;
+    } catch {
+      // DB not ready — use orchestrator value
+    }
+
     return Response.json({
       ok: true,
       grantedScopes: result.grantedScopes,
-      accountInfo: result.accountInfo,
+      accountInfo: responseAccountInfo,
       ...(authUrl ? { authUrl } : {}),
     });
   } catch (err) {
@@ -309,23 +364,34 @@ function resolveManifestOverride(
 function handleToolNamesList(): Response {
   const tools = getAllTools();
   const nameSet = new Set(tools.map((t) => t.name));
-  const schemas: Record<
-    string,
-    {
-      type: string;
-      properties?: Record<string, unknown>;
-      required?: string[];
-    }
-  > = {};
+  type SchemaShape = {
+    type: string;
+    properties?: Record<string, unknown>;
+    required?: string[];
+  };
+  const schemas: Record<string, SchemaShape> = {};
+
+  // Collect raw definitions from the registry so we can transform them.
+  const rawDefs: import("../../providers/types.js").ToolDefinition[] = [];
   for (const tool of tools) {
     try {
-      const def = tool.getDefinition();
-      schemas[tool.name] = def.input_schema as (typeof schemas)[string];
+      rawDefs.push(tool.getDefinition());
     } catch {
       // Skip tools whose definitions can't be resolved
     }
   }
 
+  // Apply reason injection so settings/debug schemas match runtime behavior.
+  const transformedDefs = injectReasonField(rawDefs, REASON_SKIP_SET);
+  for (const def of transformedDefs) {
+    schemas[def.name] = def.input_schema as SchemaShape;
+  }
+
+  // Skill manifest schemas are served raw (untransformed). Unlike runtime tool
+  // schemas which have `reason` injected via injectReasonField(), skill manifests
+  // reflect the original TOOLS.json content. This is intentional: skill tools are
+  // invoked through skill_execute (which has its own reason field), so their
+  // individual schemas are never sent to the LLM directly.
   try {
     const catalog = loadSkillCatalog();
     for (const skill of catalog) {
@@ -337,8 +403,7 @@ function handleToolNamesList(): Response {
         for (const entry of manifest.tools) {
           if (nameSet.has(entry.name)) continue;
           nameSet.add(entry.name);
-          schemas[entry.name] =
-            entry.input_schema as unknown as (typeof schemas)[string];
+          schemas[entry.name] = entry.input_schema as unknown as SchemaShape;
         }
       } catch {
         // Skip skills whose manifests can't be parsed

package/src/runtime/routes/surface-action-routes.ts

@@ -10,7 +10,7 @@ import type { RouteDefinition } from "../http-router.js";
 
 const log = getLogger("surface-action-routes");
 
-/** Any object that can handle a surface action (Session or ComputerUseSession). */
+/** Any object that can handle a surface action. */
 interface SurfaceActionTarget {
   handleSurfaceAction(
     surfaceId: string,

package/src/runtime/routes/watch-routes.ts

@@ -0,0 +1,128 @@
+/**
+ * HTTP route handler for watch (ambient observation) functionality.
+ *
+ * Decoupled from computer-use routes so that the watch endpoint has
+ * zero dependency on CU session state.
+ */
+
+import { getLogger } from "../../util/logger.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+const log = getLogger("watch-routes");
+
+// ---------------------------------------------------------------------------
+// Dependency injection interface
+// ---------------------------------------------------------------------------
+
+/**
+ * Minimal interface for watch observation handling.
+ * The daemon wires a concrete implementation at startup.
+ */
+export interface WatchDeps {
+  /** Handle a watch observation. */
+  handleWatchObservation: (params: {
+    watchId: string;
+    sessionId: string;
+    ocrText: string;
+    appName?: string;
+    windowTitle?: string;
+    bundleIdentifier?: string;
+    timestamp: number;
+    captureIndex: number;
+    totalExpected: number;
+  }) => Promise<void>;
+}
+
+// ---------------------------------------------------------------------------
+// Route handler
+// ---------------------------------------------------------------------------
+
+/**
+ * POST /v1/computer-use/watch — send a watch observation.
+ *
+ * Body: { watchId, sessionId, ocrText, appName?, windowTitle?,
+ *         bundleIdentifier?, timestamp, captureIndex, totalExpected }
+ */
+async function handleWatchObservationRoute(
+  req: Request,
+  deps: WatchDeps,
+): Promise<Response> {
+  const body = (await req.json()) as {
+    watchId?: string;
+    sessionId?: string;
+    ocrText?: string;
+    appName?: string;
+    windowTitle?: string;
+    bundleIdentifier?: string;
+    timestamp?: number;
+    captureIndex?: number;
+    totalExpected?: number;
+  };
+
+  if (!body.watchId || typeof body.watchId !== "string") {
+    return httpError("BAD_REQUEST", "watchId is required", 400);
+  }
+  if (!body.sessionId || typeof body.sessionId !== "string") {
+    return httpError("BAD_REQUEST", "sessionId is required", 400);
+  }
+  if (!body.ocrText || typeof body.ocrText !== "string") {
+    return httpError("BAD_REQUEST", "ocrText is required", 400);
+  }
+  if (typeof body.timestamp !== "number") {
+    return httpError("BAD_REQUEST", "timestamp is required", 400);
+  }
+  if (typeof body.captureIndex !== "number") {
+    return httpError("BAD_REQUEST", "captureIndex is required", 400);
+  }
+  if (typeof body.totalExpected !== "number") {
+    return httpError("BAD_REQUEST", "totalExpected is required", 400);
+  }
+
+  try {
+    await deps.handleWatchObservation({
+      watchId: body.watchId,
+      sessionId: body.sessionId,
+      ocrText: body.ocrText,
+      appName: body.appName,
+      windowTitle: body.windowTitle,
+      bundleIdentifier: body.bundleIdentifier,
+      timestamp: body.timestamp,
+      captureIndex: body.captureIndex,
+      totalExpected: body.totalExpected,
+    });
+
+    return Response.json({ ok: true });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error(
+      { err, watchId: body.watchId },
+      "Failed to handle watch observation via HTTP",
+    );
+    return httpError("INTERNAL_ERROR", message, 500);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function watchRouteDefinitions(deps: {
+  getWatchDeps?: () => WatchDeps;
+}): RouteDefinition[] {
+  const getDeps = (): WatchDeps => {
+    if (!deps.getWatchDeps) {
+      throw new Error("Watch deps not available");
+    }
+    return deps.getWatchDeps();
+  };
+
+  return [
+    {
+      endpoint: "computer-use/watch",
+      method: "POST",
+      policyKey: "computer-use/watch",
+      handler: async ({ req }) => handleWatchObservationRoute(req, getDeps()),
+    },
+  ];
+}

package/src/schedule/integration-status.ts

@@ -1,5 +1,8 @@
 import { hasTwilioCredentials } from "../calls/twilio-rest.js";
-import { getSecureKey } from "../security/secure-keys.js";
+import {
+  getConnectionByProvider,
+  isProviderConnected,
+} from "../oauth/oauth-store.js";
 
 interface IntegrationProbe {
   name: string;
@@ -12,14 +15,12 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
   {
     name: "Gmail",
     category: "email",
-    isConnected: () =>
-      !!getSecureKey("credential:integration:gmail:access_token"),
+    isConnected: () => isProviderConnected("integration:gmail"),
   },
   {
     name: "Slack",
     category: "messaging",
-    isConnected: () =>
-      !!getSecureKey("credential:integration:slack:access_token"),
+    isConnected: () => isProviderConnected("integration:slack"),
   },
   {
     name: "Twilio",
@@ -29,9 +30,10 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
   {
     name: "Telegram",
     category: "messaging",
-    isConnected: () =>
-      !!getSecureKey("credential:telegram:bot_token") &&
-      !!getSecureKey("credential:telegram:webhook_secret"),
+    isConnected: () => {
+      const conn = getConnectionByProvider("telegram");
+      return !!(conn && conn.status === "active");
+    },
   },
 ];
 

package/src/security/credential-key.ts

@@ -0,0 +1,14 @@
+/**
+ * Single source of truth for credential key format in the secure store.
+ *
+ * Keys follow the pattern: credential/{service}/{field}
+ */
+
+/**
+ * Build a credential key for the secure store.
+ *
+ * @returns A key of the form `credential/{service}/{field}`
+ */
+export function credentialKey(service: string, field: string): string {
+  return `credential/${service}/${field}`;
+}

package/src/security/keychain-broker-client.ts

@@ -6,7 +6,7 @@
  * provides a graceful-fallback interface: every public method returns a
  * safe default on failure and never throws.
  *
- * Socket path: read from VELLUM_KEYCHAIN_BROKER_SOCKET env var.
+ * Socket path: derived from getRootDir() as `~/.vellum/keychain-broker.sock`.
  * Auth token: read from ~/.vellum/protected/keychain-broker.token on first
  * connection, cached for process lifetime.
  */
@@ -70,8 +70,8 @@ function getTokenPath(): string {
   return join(getRootDir(), "protected", "keychain-broker.token");
 }
 
-function getSocketPath(): string | undefined {
-  return process.env.VELLUM_KEYCHAIN_BROKER_SOCKET;
+function getSocketPath(): string {
+  return join(getRootDir(), "keychain-broker.sock");
 }
 
 // ---------------------------------------------------------------------------
@@ -172,7 +172,7 @@ export function createBrokerClient(): KeychainBrokerClient {
   function connect(): Promise<Socket> {
     return new Promise((resolve, reject) => {
       const socketPath = getSocketPath();
-      if (!socketPath) {
+      if (!pathExists(socketPath)) {
         reject(new Error("No socket path"));
         return;
       }
@@ -328,8 +328,7 @@ export function createBrokerClient(): KeychainBrokerClient {
   return {
     isAvailable(): boolean {
       if (permanentlyUnavailable) return false;
-      const socketPath = getSocketPath();
-      if (!socketPath) return false;
+      if (!pathExists(getSocketPath())) return false;
       return pathExists(getTokenPath());
     },
 

package/src/security/oauth2.ts

@@ -691,7 +691,7 @@ export async function startOAuth2Flow(
   if (transport === "gateway") {
     if (!hasPublicUrl) {
       throw new Error(
-        "Gateway transport requires a public ingress URL. Set ingress.publicBaseUrl or INGRESS_PUBLIC_BASE_URL, or use loopback transport.",
+        "Gateway transport requires a public ingress URL. Set ingress.publicBaseUrl, or use loopback transport.",
       );
     }
     log.debug({ transport: "gateway" }, "OAuth2 flow starting");