npm - @vellumai/assistant - Versions diffs - 0.4.46 → 0.4.49 - Mend

@vellumai/assistant 0.4.46 → 0.4.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (382) hide show

package/ARCHITECTURE.md +7 -7
package/README.md +2 -23
package/docs/architecture/integrations.md +45 -41
package/docs/architecture/keychain-broker.md +3 -3
package/docs/architecture/security.md +5 -5
package/docs/runbook-trusted-contacts.md +3 -8
package/hook-templates/debug-prompt-logger/hook.json +1 -1
package/hook-templates/debug-prompt-logger/run.sh +1 -3
package/package.json +1 -1
package/src/__tests__/actor-token-service.test.ts +0 -1
package/src/__tests__/anthropic-provider.test.ts +156 -0
package/src/__tests__/approval-cascade.test.ts +810 -0
package/src/__tests__/approval-primitive.test.ts +0 -1
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-attachments.test.ts +12 -34
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +76 -0
package/src/__tests__/assistant-feature-flags-integration.test.ts +0 -1
package/src/__tests__/browser-fill-credential.test.ts +5 -2
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +2 -2
package/src/__tests__/bundled-skill-retrieval-guard.test.ts +2 -1
package/src/__tests__/channel-guardian.test.ts +0 -2
package/src/__tests__/channel-readiness-routes.test.ts +35 -25
package/src/__tests__/channel-readiness-service.test.ts +10 -9
package/src/__tests__/checker.test.ts +9 -29
package/src/__tests__/cli.test.ts +23 -0
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +1 -1
package/src/__tests__/computer-use-tools.test.ts +2 -19
package/src/__tests__/config-watcher.test.ts +0 -1
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +0 -1
package/src/__tests__/context-image-dimensions.test.ts +332 -0
package/src/__tests__/context-token-estimator.test.ts +196 -13
package/src/__tests__/conversation-attention-store.test.ts +0 -1
package/src/__tests__/conversation-attention-telegram.test.ts +0 -1
package/src/__tests__/conversation-routes-guardian-reply.test.ts +144 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-broker-browser-fill.test.ts +23 -22
package/src/__tests__/credential-broker-server-use.test.ts +22 -21
package/src/__tests__/credential-broker.test.ts +2 -1
package/src/__tests__/credential-metadata-store.test.ts +239 -26
package/src/__tests__/credential-resolve.test.ts +5 -4
package/src/__tests__/credential-security-e2e.test.ts +8 -8
package/src/__tests__/credential-security-invariants.test.ts +111 -7
package/src/__tests__/credential-vault-unit.test.ts +287 -54
package/src/__tests__/credential-vault.test.ts +406 -12
package/src/__tests__/credentials-cli.test.ts +82 -6
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +0 -1
package/src/__tests__/ephemeral-permissions.test.ts +3 -3
package/src/__tests__/gateway-only-enforcement.test.ts +4 -2
package/src/__tests__/gateway-only-guard.test.ts +0 -1
package/src/__tests__/gemini-image-service.test.ts +75 -45
package/src/__tests__/gemini-provider.test.ts +9 -6
package/src/__tests__/guardian-action-conversation-turn.test.ts +1 -33
package/src/__tests__/guardian-action-copy-generator.test.ts +0 -20
package/src/__tests__/guardian-action-followup-executor.test.ts +1 -28
package/src/__tests__/guardian-action-followup-store.test.ts +1 -1
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +0 -1
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +0 -1
package/src/__tests__/guardian-grant-minting.test.ts +35 -0
package/src/__tests__/guardian-routing-invariants.test.ts +0 -1
package/src/__tests__/guardian-verification-voice-binding.test.ts +0 -1
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +0 -39
package/src/__tests__/heartbeat-service.test.ts +0 -1
package/src/__tests__/host-cu-proxy.test.ts +629 -0
package/src/__tests__/host-shell-tool.test.ts +27 -15
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/ingress-url-consistency.test.ts +14 -21
package/src/__tests__/integration-status.test.ts +38 -25
package/src/__tests__/intent-routing.test.ts +0 -1
package/src/__tests__/invite-routes-http.test.ts +10 -9
package/src/__tests__/keychain-broker-client.test.ts +11 -43
package/src/__tests__/managed-proxy-context.test.ts +5 -3
package/src/__tests__/media-generate-image.test.ts +63 -2
package/src/__tests__/media-reuse-story.e2e.test.ts +7 -3
package/src/__tests__/messaging-send-tool.test.ts +4 -6
package/src/__tests__/notification-routing-intent.test.ts +0 -1
package/src/__tests__/oauth-cli.test.ts +373 -14
package/src/__tests__/oauth-provider-profiles.test.ts +9 -9
package/src/__tests__/oauth-scope-policy.test.ts +4 -6
package/src/__tests__/oauth-store.test.ts +756 -0
package/src/__tests__/onboarding-starter-tasks.test.ts +0 -1
package/src/__tests__/provider-error-scenarios.test.ts +0 -1
package/src/__tests__/provider-fail-open-selection.test.ts +3 -1
package/src/__tests__/provider-managed-proxy-integration.test.ts +70 -6
package/src/__tests__/provider-streaming.benchmark.test.ts +0 -1
package/src/__tests__/public-ingress-urls.test.ts +15 -21
package/src/__tests__/recording-handler.test.ts +3 -4
package/src/__tests__/registry.test.ts +2 -2
package/src/__tests__/runtime-events-sse.test.ts +55 -7
package/src/__tests__/schedule-store.test.ts +0 -1
package/src/__tests__/scheduler-recurrence.test.ts +0 -1
package/src/__tests__/schema-transforms.test.ts +226 -0
package/src/__tests__/scoped-approval-grants.test.ts +0 -1
package/src/__tests__/scoped-grant-security-matrix.test.ts +0 -1
package/src/__tests__/script-proxy-injection-runtime.test.ts +23 -13
package/src/__tests__/script-proxy-policy-runtime.test.ts +1 -1
package/src/__tests__/script-proxy-session-manager.test.ts +1 -1
package/src/__tests__/secret-ingress-handler.test.ts +0 -1
package/src/__tests__/secret-onetime-send.test.ts +5 -3
package/src/__tests__/send-endpoint-busy.test.ts +21 -6
package/src/__tests__/sequence-store.test.ts +0 -1
package/src/__tests__/session-init.benchmark.test.ts +4 -5
package/src/__tests__/session-messaging-secret-redirect.test.ts +5 -4
package/src/__tests__/skill-include-graph.test.ts +66 -0
package/src/__tests__/skill-load-feature-flag.test.ts +0 -1
package/src/__tests__/skill-load-tool.test.ts +149 -1
package/src/__tests__/skill-projection-feature-flag.test.ts +0 -1
package/src/__tests__/skills-uninstall.test.ts +3 -3
package/src/__tests__/skills.test.ts +3 -12
package/src/__tests__/slack-channel-config.test.ts +76 -11
package/src/__tests__/slack-share-routes.test.ts +17 -14
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/telegram-bot-username-resolution.test.ts +3 -0
package/src/__tests__/telegram-invite-adapter.test.ts +18 -22
package/src/__tests__/terminal-tools.test.ts +4 -3
package/src/__tests__/test-support/computer-use-skill-harness.ts +3 -2
package/src/__tests__/tool-approval-handler.test.ts +0 -1
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +0 -1
package/src/__tests__/tool-executor-shell-integration.test.ts +0 -1
package/src/__tests__/tool-executor.test.ts +0 -1
package/src/__tests__/tool-grant-request-escalation.test.ts +0 -1
package/src/__tests__/trust-store-pattern-matches.test.ts +29 -0
package/src/__tests__/trust-store.test.ts +1 -22
package/src/__tests__/trusted-contact-approval-notifier.test.ts +0 -1
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +0 -1
package/src/__tests__/twilio-config.test.ts +2 -1
package/src/__tests__/twilio-provider.test.ts +4 -2
package/src/__tests__/twilio-routes.test.ts +5 -20
package/src/__tests__/verification-control-plane-policy.test.ts +0 -1
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -1
package/src/agent/ax-tree-compaction.test.ts +235 -0
package/src/agent/loop.ts +76 -130
package/src/calls/call-domain.ts +8 -10
package/src/calls/relay-server.ts +9 -13
package/src/calls/twilio-config.ts +4 -8
package/src/calls/twilio-provider.ts +2 -1
package/src/calls/twilio-rest.ts +2 -1
package/src/calls/twilio-routes.ts +1 -2
package/src/calls/voice-ingress-preflight.ts +1 -1
package/src/cli/commands/browser-relay.ts +46 -15
package/src/cli/commands/completions.ts +0 -3
package/src/cli/commands/credentials.ts +110 -23
package/src/cli/commands/oauth/apps.ts +255 -0
package/src/cli/commands/oauth/connections.ts +299 -0
package/src/cli/commands/oauth/index.ts +52 -0
package/src/cli/commands/oauth/providers.ts +242 -0
package/src/cli/commands/skills.ts +4 -338
package/src/cli/program.ts +1 -5
package/src/cli/reference.ts +1 -3
package/src/cli.ts +3 -2
package/src/config/assistant-feature-flags.ts +0 -3
package/src/config/bundled-skills/_shared/CLI_RETRIEVAL_PATTERN.md +1 -1
package/src/config/bundled-skills/claude-code/TOOLS.json +0 -4
package/src/config/bundled-skills/computer-use/SKILL.md +3 -6
package/src/config/bundled-skills/computer-use/TOOLS.json +22 -4
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +29 -32
package/src/config/bundled-skills/gmail/SKILL.md +4 -4
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +54 -61
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +25 -28
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +14 -17
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +39 -44
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +61 -58
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +50 -49
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +11 -13
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +148 -146
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +4 -7
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +175 -173
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +4 -7
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +71 -76
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +32 -38
package/src/config/bundled-skills/google-calendar/SKILL.md +2 -2
package/src/config/bundled-skills/google-calendar/calendar-client.ts +90 -44
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +9 -10
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +5 -6
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +4 -5
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +14 -15
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +37 -37
package/src/config/bundled-skills/google-calendar/tools/shared.ts +4 -9
package/src/config/bundled-skills/image-studio/tools/media-generate-image.ts +24 -3
package/src/config/bundled-skills/messaging/SKILL.md +6 -6
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +62 -63
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +15 -16
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +6 -7
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +14 -15
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +128 -128
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +33 -34
package/src/config/bundled-skills/messaging/tools/shared.ts +12 -15
package/src/config/bundled-skills/settings/SKILL.md +1 -1
package/src/config/bundled-skills/settings/TOOLS.json +2 -8
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +5 -33
package/src/config/bundled-skills/slack/tools/shared.ts +4 -10
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +15 -16
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +95 -92
package/src/config/env-registry.ts +14 -83
package/src/config/env.ts +11 -50
package/src/config/feature-flag-registry.json +16 -16
package/src/config/schema.ts +3 -1
package/src/config/skills.ts +21 -2
package/src/context/image-dimensions.ts +229 -0
package/src/context/token-estimator.ts +75 -12
package/src/context/window-manager.ts +49 -10
package/src/daemon/assistant-attachments.ts +1 -13
package/src/daemon/guardian-action-generators.ts +4 -5
package/src/daemon/handlers/config-ingress.ts +8 -33
package/src/daemon/handlers/config-slack-channel.ts +76 -56
package/src/daemon/handlers/config-telegram.ts +53 -24
package/src/daemon/handlers/sessions.ts +10 -24
package/src/daemon/handlers/shared.ts +0 -130
package/src/daemon/host-cu-proxy.ts +401 -0
package/src/daemon/lifecycle.ts +39 -63
package/src/daemon/message-protocol.ts +3 -0
package/src/daemon/message-types/computer-use.ts +2 -119
package/src/daemon/message-types/host-cu.ts +19 -0
package/src/daemon/message-types/integrations.ts +1 -0
package/src/daemon/message-types/messages.ts +3 -0
package/src/daemon/server.ts +14 -21
package/src/daemon/session-agent-loop-handlers.ts +2 -0
package/src/daemon/session-attachments.ts +1 -2
package/src/daemon/session-messaging.ts +3 -1
package/src/daemon/session-slash.ts +1 -1
package/src/daemon/session-surfaces.ts +40 -28
package/src/daemon/session-tool-setup.ts +20 -11
package/src/daemon/session.ts +139 -16
package/src/daemon/tool-side-effects.ts +2 -8
package/src/daemon/watch-handler.ts +2 -2
package/src/email/providers/index.ts +2 -1
package/src/events/tool-metrics-listener.ts +2 -2
package/src/hooks/manager.ts +1 -4
package/src/inbound/public-ingress-urls.ts +7 -7
package/src/instrument.ts +15 -1
package/src/logfire.ts +16 -5
package/src/media/app-icon-generator.ts +30 -4
package/src/media/avatar-router.ts +26 -3
package/src/media/gemini-image-service.ts +28 -2
package/src/memory/conversation-key-store.ts +21 -0
package/src/memory/db-init.ts +4 -0
package/src/memory/guardian-action-store.ts +1 -1
package/src/memory/migrations/149-oauth-tables.ts +60 -0
package/src/memory/migrations/index.ts +1 -0
package/src/memory/schema/guardian.ts +1 -1
package/src/memory/schema/index.ts +1 -0
package/src/memory/schema/oauth.ts +65 -0
package/src/messaging/provider.ts +19 -13
package/src/messaging/providers/gmail/adapter.ts +40 -23
package/src/messaging/providers/gmail/client.ts +283 -122
package/src/messaging/providers/gmail/people-client.ts +32 -24
package/src/messaging/providers/slack/adapter.ts +29 -19
package/src/messaging/providers/slack/client.ts +265 -78
package/src/messaging/providers/telegram-bot/adapter.ts +19 -18
package/src/messaging/providers/whatsapp/adapter.ts +17 -11
package/src/messaging/registry.ts +2 -31
package/src/notifications/copy-composer.ts +0 -5
package/src/notifications/signal.ts +4 -5
package/src/oauth/byo-connection.test.ts +537 -0
package/src/oauth/byo-connection.ts +128 -0
package/src/oauth/connect-orchestrator.ts +139 -56
package/src/oauth/connect-types.ts +17 -23
package/src/oauth/connection-resolver.ts +58 -0
package/src/oauth/connection.ts +38 -0
package/src/oauth/manual-token-connection.ts +104 -0
package/src/oauth/oauth-store.ts +496 -0
package/src/oauth/platform-connection.test.ts +192 -0
package/src/oauth/platform-connection.ts +111 -0
package/src/oauth/provider-behaviors.ts +124 -0
package/src/oauth/scope-policy.ts +9 -2
package/src/oauth/seed-providers.ts +161 -0
package/src/oauth/token-persistence.ts +74 -78
package/src/permissions/checker.ts +8 -4
package/src/permissions/defaults.ts +0 -1
package/src/permissions/prompter.ts +10 -1
package/src/permissions/trust-store.ts +13 -0
package/src/prompts/__tests__/build-cli-reference-section.test.ts +3 -1
package/src/prompts/system-prompt.ts +70 -45
package/src/providers/anthropic/client.ts +133 -24
package/src/providers/gemini/client.ts +15 -6
package/src/providers/managed-proxy/constants.ts +2 -2
package/src/providers/managed-proxy/context.ts +5 -1
package/src/providers/ratelimit.ts +17 -0
package/src/providers/registry.ts +2 -2
package/src/providers/retry.ts +1 -27
package/src/runtime/AGENTS.md +17 -0
package/src/runtime/auth/route-policy.ts +0 -3
package/src/runtime/channel-invite-transports/telegram.ts +2 -1
package/src/runtime/channel-readiness-service.ts +168 -195
package/src/runtime/channel-readiness-types.ts +4 -0
package/src/runtime/channel-reply-delivery.ts +0 -40
package/src/runtime/gateway-client.ts +0 -7
package/src/runtime/guardian-action-conversation-turn.ts +1 -3
package/src/runtime/guardian-action-followup-executor.ts +1 -1
package/src/runtime/guardian-action-message-composer.ts +3 -23
package/src/runtime/http-server.ts +17 -10
package/src/runtime/http-types.ts +2 -3
package/src/runtime/middleware/rate-limiter.ts +74 -20
package/src/runtime/middleware/twilio-validation.ts +1 -11
package/src/runtime/pending-interactions.ts +14 -12
package/src/runtime/routes/channel-delivery-routes.ts +0 -1
package/src/runtime/routes/channel-readiness-routes.ts +2 -0
package/src/runtime/routes/conversation-routes.ts +73 -19
package/src/runtime/routes/diagnostics-routes.ts +11 -9
package/src/runtime/routes/events-routes.ts +21 -11
package/src/runtime/routes/guardian-approval-interception.ts +20 -5
package/src/runtime/routes/host-cu-routes.ts +97 -0
package/src/runtime/routes/inbound-stages/background-dispatch.ts +12 -111
package/src/runtime/routes/integrations/slack/share.ts +6 -6
package/src/runtime/routes/integrations/twilio.ts +6 -5
package/src/runtime/routes/log-export-routes.ts +126 -8
package/src/runtime/routes/secret-routes.ts +3 -2
package/src/runtime/routes/settings-routes.ts +113 -48
package/src/runtime/routes/surface-action-routes.ts +1 -1
package/src/runtime/routes/watch-routes.ts +128 -0
package/src/schedule/integration-status.ts +10 -8
package/src/security/credential-key.ts +14 -0
package/src/security/keychain-broker-client.ts +5 -6
package/src/security/oauth2.ts +1 -1
package/src/security/token-manager.ts +145 -43
package/src/skills/catalog-install.ts +358 -0
package/src/skills/include-graph.ts +32 -0
package/src/telegram/bot-username.ts +2 -3
package/src/tools/apps/definitions.ts +0 -5
package/src/tools/assets/materialize.ts +0 -5
package/src/tools/assets/search.ts +0 -5
package/src/tools/browser/headless-browser.ts +1 -67
package/src/tools/browser/network-recorder.ts +1 -1
package/src/tools/browser/network-recording-types.ts +1 -1
package/src/tools/claude-code/claude-code.ts +0 -5
package/src/tools/computer-use/definitions.ts +46 -11
package/src/tools/computer-use/registry.ts +4 -5
package/src/tools/credentials/broker.ts +5 -4
package/src/tools/credentials/metadata-store.ts +22 -74
package/src/tools/credentials/resolve.ts +2 -1
package/src/tools/credentials/vault.ts +139 -151
package/src/tools/filesystem/edit.ts +1 -6
package/src/tools/filesystem/read.ts +0 -5
package/src/tools/filesystem/write.ts +1 -6
package/src/tools/host-filesystem/edit.ts +1 -6
package/src/tools/host-filesystem/read.ts +1 -6
package/src/tools/host-filesystem/write.ts +1 -6
package/src/tools/mcp/mcp-tool-factory.ts +18 -1
package/src/tools/memory/definitions.ts +0 -5
package/src/tools/network/web-fetch.ts +0 -5
package/src/tools/network/web-search.ts +0 -5
package/src/tools/registry.ts +2 -7
package/src/tools/schema-transforms.ts +99 -0
package/src/tools/skills/load.ts +62 -8
package/src/tools/swarm/delegate.ts +0 -5
package/src/tools/system/avatar-generator.ts +0 -5
package/src/tools/ui-surface/definitions.ts +0 -15
package/src/tools/watch/screen-watch.ts +0 -5
package/src/tools/watch/watch-state.ts +0 -12
package/src/util/logger.ts +7 -41
package/src/util/platform.ts +9 -28
package/src/version.ts +10 -0
package/src/watcher/providers/github.ts +51 -52
package/src/watcher/providers/gmail.ts +88 -80
package/src/watcher/providers/google-calendar.ts +94 -86
package/src/watcher/providers/linear.ts +87 -93
package/src/__tests__/computer-use-session-compaction.test.ts +0 -143
package/src/__tests__/computer-use-session-lifecycle.test.ts +0 -322
package/src/__tests__/computer-use-session-working-dir.test.ts +0 -166
package/src/__tests__/computer-use-skill-baseline.test.ts +0 -78
package/src/__tests__/computer-use-skill-endstate.test.ts +0 -105
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +0 -249
package/src/__tests__/ride-shotgun-handler.test.ts +0 -452
package/src/cli/commands/dev.ts +0 -129
package/src/cli/commands/map.ts +0 -391
package/src/cli/commands/oauth.ts +0 -77
package/src/config/bundled-skills/computer-use/tools/computer-use-request-control.ts +0 -16
package/src/daemon/computer-use-session.ts +0 -1020
package/src/daemon/ride-shotgun-handler.ts +0 -567
package/src/oauth/provider-profiles.ts +0 -192
package/src/prompts/computer-use-prompt.ts +0 -98
package/src/runtime/routes/computer-use-routes.ts +0 -641
package/src/runtime/telegram-streaming-delivery.test.ts +0 -597
package/src/runtime/telegram-streaming-delivery.ts +0 -383
package/src/tools/computer-use/request-computer-control.ts +0 -61

package/src/__tests__/credential-vault-unit.test.ts CHANGED Viewed

@@ -44,10 +44,67 @@ mock.module("../tools/registry.js", () => ({
   registerTool: () => {},
 }));
+// ---------------------------------------------------------------------------
+// Mock oauth-store to avoid SQLite dependency in unit tests
+// ---------------------------------------------------------------------------
+let mockGetMostRecentAppByProvider: ReturnType<
+  typeof mock<(key: string) => unknown>
+>;
+let mockGetAppByProviderAndClientId: ReturnType<
+  typeof mock<(key: string, clientId: string) => unknown>
+>;
+let mockGetProvider: ReturnType<typeof mock<(key: string) => unknown>>;
+mock.module("../oauth/oauth-store.js", () => {
+  mockGetMostRecentAppByProvider = mock(() => undefined);
+  mockGetAppByProviderAndClientId = mock(() => undefined);
+  mockGetProvider = mock(() => undefined);
+  return {
+    getMostRecentAppByProvider: mockGetMostRecentAppByProvider,
+    getAppByProviderAndClientId: mockGetAppByProviderAndClientId,
+    getProvider: mockGetProvider,
+    listConnections: mock(() => []),
+    seedProviders: mock(() => {}),
+    disconnectOAuthProvider: mock(async () => "not-found" as const),
+  };
+});
+// ---------------------------------------------------------------------------
+// Mock public ingress URL — not available in unit tests. The connect
+// orchestrator dynamically imports this for non-interactive flows.
+// ---------------------------------------------------------------------------
+mock.module("../inbound/public-ingress-urls.js", () => ({
+  getPublicBaseUrl: () => {
+    throw new Error("No public ingress URL configured");
+  },
+}));
+// ---------------------------------------------------------------------------
+// Mock prepareOAuth2Flow — unit tests should not start real loopback HTTP
+// servers. The connect orchestrator still runs its own validation logic
+// (scope policy, non-interactive ingress checks, etc.) but the actual
+// OAuth flow setup is stubbed.
+// ---------------------------------------------------------------------------
+mock.module("../security/oauth2.js", () => ({
+  prepareOAuth2Flow: mock(async () => ({
+    authUrl: "https://mock-auth-url.example.com/authorize",
+    state: "mock-state",
+    completion: new Promise(() => {}),
+  })),
+  startOAuth2Flow: mock(async () => ({
+    grantedScopes: [],
+    tokens: { access_token: "mock-token" },
+  })),
+}));
 // ---------------------------------------------------------------------------
 // Imports under test
 // ---------------------------------------------------------------------------
+import { credentialKey } from "../security/credential-key.js";
 import { getSecureKey, setSecureKey } from "../security/secure-keys.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
@@ -108,7 +165,7 @@ describe("CredentialBroker transient credentials", () => {
     const result = broker.consume(auth.token.tokenId);
     expect(result.success).toBe(true);
     expect(result.value).toBe("one-time-secret");
-    expect(result.storageKey).toBe("credential:svc:key");
+    expect(result.storageKey).toBe(credentialKey("svc", "key"));
     // Second authorize + consume should NOT have the transient value
     const auth2 = broker.authorize({
@@ -148,7 +205,7 @@ describe("CredentialBroker transient credentials", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "stored-value");
+    setSecureKey(credentialKey("github", "token"), "stored-value");
     broker.injectTransient("github", "token", "transient-value");
     // First fill uses transient
@@ -411,7 +468,7 @@ describe("credential_store tool — prompt action", () => {
     expect(result.content).not.toContain("prompt-secret-val");
     // Verify stored
-    expect(getSecureKey("credential:test-prompt:api_key")).toBe(
+    expect(getSecureKey(credentialKey("test-prompt", "api_key"))).toBe(
       "prompt-secret-val",
     );
   });
@@ -472,18 +529,50 @@ describe("credential_store tool — prompt action", () => {
 // ---------------------------------------------------------------------------
 describe("credential_store tool — oauth2_connect error paths", () => {
+  /** Well-known provider rows returned by the mocked getProvider */
+  const wellKnownProviders: Record<string, object> = {
+    "integration:gmail": {
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    },
+    "integration:slack": {
+      key: "integration:slack",
+      authUrl: "https://slack.com/oauth/v2/authorize",
+      tokenUrl: "https://slack.com/api/oauth.v2.access",
+      defaultScopes: JSON.stringify(["channels:read"]),
+      scopePolicy: JSON.stringify({}),
+    },
+  };
   beforeEach(() => {
     if (existsSync(TEST_DIR)) rmSync(TEST_DIR, { recursive: true });
     mkdirSync(TEST_DIR, { recursive: true });
     _setStorePath(STORE_PATH);
     _resetBackend();
     _setMetadataPath(join(TEST_DIR, "metadata.json"));
+    // Return well-known provider rows so vault.ts knows gmail/slack are
+    // registered, and custom providers return undefined.
+    mockGetProvider.mockImplementation(
+      (key: string) => wellKnownProviders[key] ?? undefined,
+    );
+    mockGetMostRecentAppByProvider.mockClear();
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetAppByProviderAndClientId.mockClear();
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
   });
   afterEach(() => {
     _setMetadataPath(null);
     _setStorePath(null);
     _resetBackend();
+    mockGetProvider.mockImplementation(() => undefined);
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
   });
   test("requires service parameter", async () => {
@@ -495,55 +584,38 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("service is required");
   });
-  test("requires auth_url for unknown service", async () => {
-    const result = await credentialStoreTool.execute(
-      {
-        action: "oauth2_connect",
-        service: "custom-svc",
-        token_url: "https://t",
-        scopes: ["read"],
-      },
-      _ctx,
-    );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("auth_url is required");
-  });
-  test("requires token_url for unknown service", async () => {
-    const result = await credentialStoreTool.execute(
-      {
-        action: "oauth2_connect",
-        service: "custom-svc",
-        auth_url: "https://a",
-        scopes: ["read"],
-      },
-      _ctx,
-    );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("token_url is required");
-  });
-  test("requires scopes for unknown service", async () => {
+  test("rejects unknown service without registered provider", async () => {
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
         service: "custom-svc",
         auth_url: "https://a",
         token_url: "https://t",
+        scopes: ["read"],
       },
       _ctx,
     );
     expect(result.isError).toBe(true);
-    expect(result.content).toContain("scopes is required");
+    expect(result.content).toContain("no OAuth provider registered");
   });
   test("requires client_id", async () => {
+    mockGetProvider.mockImplementation((key: string) => {
+      if (key === "custom-svc") {
+        return {
+          key: "custom-svc",
+          authUrl: "https://auth.example.com",
+          tokenUrl: "https://token.example.com",
+          defaultScopes: JSON.stringify(["read"]),
+          scopePolicy: JSON.stringify({}),
+        };
+      }
+      return wellKnownProviders[key] ?? undefined;
+    });
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
         service: "custom-svc",
-        auth_url: "https://auth.example.com",
-        token_url: "https://token.example.com",
         scopes: ["read"],
       },
       _ctx,
@@ -553,6 +625,21 @@ describe("credential_store tool — oauth2_connect error paths", () => {
   });
   test("requires interactive context", async () => {
+    // Register custom-svc as a provider so the orchestrator finds it
+    // and reaches the non-interactive check (gateway transport).
+    mockGetProvider.mockImplementation((key: string) => {
+      if (key === "custom-svc") {
+        return {
+          key: "custom-svc",
+          authUrl: "https://auth.example.com",
+          tokenUrl: "https://token.example.com",
+          defaultScopes: JSON.stringify(["read"]),
+          scopePolicy: JSON.stringify({}),
+        };
+      }
+      return wellKnownProviders[key] ?? undefined;
+    });
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
@@ -595,16 +682,25 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("client_id is required");
   });
-  test("uses stored client_id from secure storage", async () => {
-    // Store both client_id and client_secret for the service — the
-    // requiresClientSecret guardrail will short-circuit if client_secret
-    // is missing, so we need both to validate that stored client_id
-    // is resolved correctly.
-    setSecureKey(
-      "credential:integration:gmail:client_id",
-      "stored-client-id-123",
-    );
-    setSecureKey("credential:integration:gmail:client_secret", "test-secret");
+  test("uses stored client_id from oauth-store DB", async () => {
+    // Mock getMostRecentAppByProvider to return an app with a client_id
+    // and store client_secret in the secure store.
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "test-app-id",
+      providerKey: "integration:gmail",
+      clientId: "stored-client-id-123",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/test-app-id/client_secret", "test-secret");
     const result = await credentialStoreTool.execute(
       {
@@ -621,26 +717,163 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("To connect gmail, open this link");
     expect(result.content).not.toContain("client_id is required");
     expect(result.content).not.toContain("client_secret is required");
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
   });
-  test("rejects when client_secret is missing for service that requires it", async () => {
-    // Store only client_id — client_secret is intentionally absent to
-    // validate the requiresClientSecret guardrail.
-    setSecureKey(
-      "credential:integration:gmail:client_id",
-      "stored-client-id-456",
+  test("uses getAppByProviderAndClientId when client_id is provided without client_secret", async () => {
+    // When client_id is supplied but client_secret is not, the vault should
+    // look up the matching app via getAppByProviderAndClientId (not the
+    // most-recent-app heuristic) so the secret comes from the correct app.
+    mockGetAppByProviderAndClientId.mockImplementation(
+      (providerKey: string, cId: string) => {
+        if (
+          providerKey === "integration:gmail" &&
+          cId === "caller-supplied-client-id"
+        ) {
+          return {
+            id: "matched-app-id",
+            providerKey: "integration:gmail",
+            clientId: "caller-supplied-client-id",
+            createdAt: Date.now(),
+          };
+        }
+        return undefined;
+      },
+    );
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/matched-app-id/client_secret", "matched-secret");
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+        client_id: "caller-supplied-client-id",
+      },
+      { ..._ctx, isInteractive: false },
     );
+    // Should succeed — client_secret resolved from the matched app
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("To connect gmail, open this link");
+    // getMostRecentAppByProvider should NOT have been called since client_id was known
+    expect(mockGetMostRecentAppByProvider).not.toHaveBeenCalled();
+    // Reset mocks
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+  test("falls back to getMostRecentAppByProvider when client_id is not provided", async () => {
+    // When neither client_id nor client_secret is provided, the vault should
+    // use getMostRecentAppByProvider (the fallback heuristic).
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "recent-app-id",
+      providerKey: "integration:gmail",
+      clientId: "recent-client-id",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/recent-app-id/client_secret", "recent-secret");
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
         service: "gmail",
       },
+      { ..._ctx, isInteractive: false },
+    );
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("To connect gmail, open this link");
+    // getAppByProviderAndClientId should NOT have been called since client_id was unknown
+    expect(mockGetAppByProviderAndClientId).not.toHaveBeenCalled();
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+  test("getAppByProviderAndClientId returning undefined leaves client_secret unresolved", async () => {
+    // When client_id is provided but getAppByProviderAndClientId returns no
+    // matching app, client_secret remains unresolved and the vault should
+    // report the missing secret error.
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+    }));
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+        client_id: "unknown-client-id",
+      },
       _ctx,
     );
     expect(result.isError).toBe(true);
     expect(result.content).toContain("client_secret is required for gmail");
+    // getMostRecentAppByProvider should NOT have been called
+    expect(mockGetMostRecentAppByProvider).not.toHaveBeenCalled();
+    // Reset mocks
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+  test("rejects when client_secret is missing for service that requires it", async () => {
+    // Mock getMostRecentAppByProvider to return an app with client_id but
+    // no client_secret in secure storage — validates the requiresClientSecret
+    // guardrail.
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "test-app-id-no-secret",
+      providerKey: "integration:gmail",
+      clientId: "stored-client-id-456",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+    }));
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+      },
+      _ctx,
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("client_secret is required for gmail");
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
   });
 });
@@ -786,7 +1019,7 @@ describe("credential_store tool — store validation edge cases", () => {
     );
     // Verify stored
-    expect(getSecureKey("credential:del-test:key")).toBe("secret");
+    expect(getSecureKey(credentialKey("del-test", "key"))).toBe("secret");
     const { getCredentialMetadata } =
       await import("../tools/credentials/metadata-store.js");
     expect(getCredentialMetadata("del-test", "key")).toBeDefined();
@@ -803,7 +1036,7 @@ describe("credential_store tool — store validation edge cases", () => {
     expect(result.isError).toBe(false);
     // Both should be gone
-    expect(getSecureKey("credential:del-test:key")).toBeUndefined();
+    expect(getSecureKey(credentialKey("del-test", "key"))).toBeUndefined();
     expect(getCredentialMetadata("del-test", "key")).toBeUndefined();
   });
 });
@@ -892,7 +1125,7 @@ describe("CredentialBroker — serverUseById edge cases", () => {
         },
       ],
     });
-    setSecureKey("credential:multi:api_key", "multi-secret");
+    setSecureKey(credentialKey("multi", "api_key"), "multi-secret");
     const result = broker.serverUseById({
       credentialId: meta.credentialId,