npm - @vellumai/assistant - Versions diffs - 0.4.46 → 0.4.49 - Mend

@vellumai/assistant 0.4.46 → 0.4.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (382) hide show

package/ARCHITECTURE.md +7 -7
package/README.md +2 -23
package/docs/architecture/integrations.md +45 -41
package/docs/architecture/keychain-broker.md +3 -3
package/docs/architecture/security.md +5 -5
package/docs/runbook-trusted-contacts.md +3 -8
package/hook-templates/debug-prompt-logger/hook.json +1 -1
package/hook-templates/debug-prompt-logger/run.sh +1 -3
package/package.json +1 -1
package/src/__tests__/actor-token-service.test.ts +0 -1
package/src/__tests__/anthropic-provider.test.ts +156 -0
package/src/__tests__/approval-cascade.test.ts +810 -0
package/src/__tests__/approval-primitive.test.ts +0 -1
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-attachments.test.ts +12 -34
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +76 -0
package/src/__tests__/assistant-feature-flags-integration.test.ts +0 -1
package/src/__tests__/browser-fill-credential.test.ts +5 -2
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +2 -2
package/src/__tests__/bundled-skill-retrieval-guard.test.ts +2 -1
package/src/__tests__/channel-guardian.test.ts +0 -2
package/src/__tests__/channel-readiness-routes.test.ts +35 -25
package/src/__tests__/channel-readiness-service.test.ts +10 -9
package/src/__tests__/checker.test.ts +9 -29
package/src/__tests__/cli.test.ts +23 -0
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +1 -1
package/src/__tests__/computer-use-tools.test.ts +2 -19
package/src/__tests__/config-watcher.test.ts +0 -1
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +0 -1
package/src/__tests__/context-image-dimensions.test.ts +332 -0
package/src/__tests__/context-token-estimator.test.ts +196 -13
package/src/__tests__/conversation-attention-store.test.ts +0 -1
package/src/__tests__/conversation-attention-telegram.test.ts +0 -1
package/src/__tests__/conversation-routes-guardian-reply.test.ts +144 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-broker-browser-fill.test.ts +23 -22
package/src/__tests__/credential-broker-server-use.test.ts +22 -21
package/src/__tests__/credential-broker.test.ts +2 -1
package/src/__tests__/credential-metadata-store.test.ts +239 -26
package/src/__tests__/credential-resolve.test.ts +5 -4
package/src/__tests__/credential-security-e2e.test.ts +8 -8
package/src/__tests__/credential-security-invariants.test.ts +111 -7
package/src/__tests__/credential-vault-unit.test.ts +287 -54
package/src/__tests__/credential-vault.test.ts +406 -12
package/src/__tests__/credentials-cli.test.ts +82 -6
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +0 -1
package/src/__tests__/ephemeral-permissions.test.ts +3 -3
package/src/__tests__/gateway-only-enforcement.test.ts +4 -2
package/src/__tests__/gateway-only-guard.test.ts +0 -1
package/src/__tests__/gemini-image-service.test.ts +75 -45
package/src/__tests__/gemini-provider.test.ts +9 -6
package/src/__tests__/guardian-action-conversation-turn.test.ts +1 -33
package/src/__tests__/guardian-action-copy-generator.test.ts +0 -20
package/src/__tests__/guardian-action-followup-executor.test.ts +1 -28
package/src/__tests__/guardian-action-followup-store.test.ts +1 -1
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +0 -1
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +0 -1
package/src/__tests__/guardian-grant-minting.test.ts +35 -0
package/src/__tests__/guardian-routing-invariants.test.ts +0 -1
package/src/__tests__/guardian-verification-voice-binding.test.ts +0 -1
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +0 -39
package/src/__tests__/heartbeat-service.test.ts +0 -1
package/src/__tests__/host-cu-proxy.test.ts +629 -0
package/src/__tests__/host-shell-tool.test.ts +27 -15
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/ingress-url-consistency.test.ts +14 -21
package/src/__tests__/integration-status.test.ts +38 -25
package/src/__tests__/intent-routing.test.ts +0 -1
package/src/__tests__/invite-routes-http.test.ts +10 -9
package/src/__tests__/keychain-broker-client.test.ts +11 -43
package/src/__tests__/managed-proxy-context.test.ts +5 -3
package/src/__tests__/media-generate-image.test.ts +63 -2
package/src/__tests__/media-reuse-story.e2e.test.ts +7 -3
package/src/__tests__/messaging-send-tool.test.ts +4 -6
package/src/__tests__/notification-routing-intent.test.ts +0 -1
package/src/__tests__/oauth-cli.test.ts +373 -14
package/src/__tests__/oauth-provider-profiles.test.ts +9 -9
package/src/__tests__/oauth-scope-policy.test.ts +4 -6
package/src/__tests__/oauth-store.test.ts +756 -0
package/src/__tests__/onboarding-starter-tasks.test.ts +0 -1
package/src/__tests__/provider-error-scenarios.test.ts +0 -1
package/src/__tests__/provider-fail-open-selection.test.ts +3 -1
package/src/__tests__/provider-managed-proxy-integration.test.ts +70 -6
package/src/__tests__/provider-streaming.benchmark.test.ts +0 -1
package/src/__tests__/public-ingress-urls.test.ts +15 -21
package/src/__tests__/recording-handler.test.ts +3 -4
package/src/__tests__/registry.test.ts +2 -2
package/src/__tests__/runtime-events-sse.test.ts +55 -7
package/src/__tests__/schedule-store.test.ts +0 -1
package/src/__tests__/scheduler-recurrence.test.ts +0 -1
package/src/__tests__/schema-transforms.test.ts +226 -0
package/src/__tests__/scoped-approval-grants.test.ts +0 -1
package/src/__tests__/scoped-grant-security-matrix.test.ts +0 -1
package/src/__tests__/script-proxy-injection-runtime.test.ts +23 -13
package/src/__tests__/script-proxy-policy-runtime.test.ts +1 -1
package/src/__tests__/script-proxy-session-manager.test.ts +1 -1
package/src/__tests__/secret-ingress-handler.test.ts +0 -1
package/src/__tests__/secret-onetime-send.test.ts +5 -3
package/src/__tests__/send-endpoint-busy.test.ts +21 -6
package/src/__tests__/sequence-store.test.ts +0 -1
package/src/__tests__/session-init.benchmark.test.ts +4 -5
package/src/__tests__/session-messaging-secret-redirect.test.ts +5 -4
package/src/__tests__/skill-include-graph.test.ts +66 -0
package/src/__tests__/skill-load-feature-flag.test.ts +0 -1
package/src/__tests__/skill-load-tool.test.ts +149 -1
package/src/__tests__/skill-projection-feature-flag.test.ts +0 -1
package/src/__tests__/skills-uninstall.test.ts +3 -3
package/src/__tests__/skills.test.ts +3 -12
package/src/__tests__/slack-channel-config.test.ts +76 -11
package/src/__tests__/slack-share-routes.test.ts +17 -14
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/telegram-bot-username-resolution.test.ts +3 -0
package/src/__tests__/telegram-invite-adapter.test.ts +18 -22
package/src/__tests__/terminal-tools.test.ts +4 -3
package/src/__tests__/test-support/computer-use-skill-harness.ts +3 -2
package/src/__tests__/tool-approval-handler.test.ts +0 -1
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +0 -1
package/src/__tests__/tool-executor-shell-integration.test.ts +0 -1
package/src/__tests__/tool-executor.test.ts +0 -1
package/src/__tests__/tool-grant-request-escalation.test.ts +0 -1
package/src/__tests__/trust-store-pattern-matches.test.ts +29 -0
package/src/__tests__/trust-store.test.ts +1 -22
package/src/__tests__/trusted-contact-approval-notifier.test.ts +0 -1
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +0 -1
package/src/__tests__/twilio-config.test.ts +2 -1
package/src/__tests__/twilio-provider.test.ts +4 -2
package/src/__tests__/twilio-routes.test.ts +5 -20
package/src/__tests__/verification-control-plane-policy.test.ts +0 -1
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -1
package/src/agent/ax-tree-compaction.test.ts +235 -0
package/src/agent/loop.ts +76 -130
package/src/calls/call-domain.ts +8 -10
package/src/calls/relay-server.ts +9 -13
package/src/calls/twilio-config.ts +4 -8
package/src/calls/twilio-provider.ts +2 -1
package/src/calls/twilio-rest.ts +2 -1
package/src/calls/twilio-routes.ts +1 -2
package/src/calls/voice-ingress-preflight.ts +1 -1
package/src/cli/commands/browser-relay.ts +46 -15
package/src/cli/commands/completions.ts +0 -3
package/src/cli/commands/credentials.ts +110 -23
package/src/cli/commands/oauth/apps.ts +255 -0
package/src/cli/commands/oauth/connections.ts +299 -0
package/src/cli/commands/oauth/index.ts +52 -0
package/src/cli/commands/oauth/providers.ts +242 -0
package/src/cli/commands/skills.ts +4 -338
package/src/cli/program.ts +1 -5
package/src/cli/reference.ts +1 -3
package/src/cli.ts +3 -2
package/src/config/assistant-feature-flags.ts +0 -3
package/src/config/bundled-skills/_shared/CLI_RETRIEVAL_PATTERN.md +1 -1
package/src/config/bundled-skills/claude-code/TOOLS.json +0 -4
package/src/config/bundled-skills/computer-use/SKILL.md +3 -6
package/src/config/bundled-skills/computer-use/TOOLS.json +22 -4
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +29 -32
package/src/config/bundled-skills/gmail/SKILL.md +4 -4
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +54 -61
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +25 -28
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +14 -17
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +39 -44
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +61 -58
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +50 -49
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +11 -13
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +148 -146
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +4 -7
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +175 -173
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +4 -7
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +71 -76
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +32 -38
package/src/config/bundled-skills/google-calendar/SKILL.md +2 -2
package/src/config/bundled-skills/google-calendar/calendar-client.ts +90 -44
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +9 -10
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +5 -6
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +4 -5
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +14 -15
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +37 -37
package/src/config/bundled-skills/google-calendar/tools/shared.ts +4 -9
package/src/config/bundled-skills/image-studio/tools/media-generate-image.ts +24 -3
package/src/config/bundled-skills/messaging/SKILL.md +6 -6
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +62 -63
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +15 -16
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +6 -7
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +14 -15
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +4 -5
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +128 -128
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +33 -34
package/src/config/bundled-skills/messaging/tools/shared.ts +12 -15
package/src/config/bundled-skills/settings/SKILL.md +1 -1
package/src/config/bundled-skills/settings/TOOLS.json +2 -8
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +5 -33
package/src/config/bundled-skills/slack/tools/shared.ts +4 -10
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +15 -16
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +4 -5
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +95 -92
package/src/config/env-registry.ts +14 -83
package/src/config/env.ts +11 -50
package/src/config/feature-flag-registry.json +16 -16
package/src/config/schema.ts +3 -1
package/src/config/skills.ts +21 -2
package/src/context/image-dimensions.ts +229 -0
package/src/context/token-estimator.ts +75 -12
package/src/context/window-manager.ts +49 -10
package/src/daemon/assistant-attachments.ts +1 -13
package/src/daemon/guardian-action-generators.ts +4 -5
package/src/daemon/handlers/config-ingress.ts +8 -33
package/src/daemon/handlers/config-slack-channel.ts +76 -56
package/src/daemon/handlers/config-telegram.ts +53 -24
package/src/daemon/handlers/sessions.ts +10 -24
package/src/daemon/handlers/shared.ts +0 -130
package/src/daemon/host-cu-proxy.ts +401 -0
package/src/daemon/lifecycle.ts +39 -63
package/src/daemon/message-protocol.ts +3 -0
package/src/daemon/message-types/computer-use.ts +2 -119
package/src/daemon/message-types/host-cu.ts +19 -0
package/src/daemon/message-types/integrations.ts +1 -0
package/src/daemon/message-types/messages.ts +3 -0
package/src/daemon/server.ts +14 -21
package/src/daemon/session-agent-loop-handlers.ts +2 -0
package/src/daemon/session-attachments.ts +1 -2
package/src/daemon/session-messaging.ts +3 -1
package/src/daemon/session-slash.ts +1 -1
package/src/daemon/session-surfaces.ts +40 -28
package/src/daemon/session-tool-setup.ts +20 -11
package/src/daemon/session.ts +139 -16
package/src/daemon/tool-side-effects.ts +2 -8
package/src/daemon/watch-handler.ts +2 -2
package/src/email/providers/index.ts +2 -1
package/src/events/tool-metrics-listener.ts +2 -2
package/src/hooks/manager.ts +1 -4
package/src/inbound/public-ingress-urls.ts +7 -7
package/src/instrument.ts +15 -1
package/src/logfire.ts +16 -5
package/src/media/app-icon-generator.ts +30 -4
package/src/media/avatar-router.ts +26 -3
package/src/media/gemini-image-service.ts +28 -2
package/src/memory/conversation-key-store.ts +21 -0
package/src/memory/db-init.ts +4 -0
package/src/memory/guardian-action-store.ts +1 -1
package/src/memory/migrations/149-oauth-tables.ts +60 -0
package/src/memory/migrations/index.ts +1 -0
package/src/memory/schema/guardian.ts +1 -1
package/src/memory/schema/index.ts +1 -0
package/src/memory/schema/oauth.ts +65 -0
package/src/messaging/provider.ts +19 -13
package/src/messaging/providers/gmail/adapter.ts +40 -23
package/src/messaging/providers/gmail/client.ts +283 -122
package/src/messaging/providers/gmail/people-client.ts +32 -24
package/src/messaging/providers/slack/adapter.ts +29 -19
package/src/messaging/providers/slack/client.ts +265 -78
package/src/messaging/providers/telegram-bot/adapter.ts +19 -18
package/src/messaging/providers/whatsapp/adapter.ts +17 -11
package/src/messaging/registry.ts +2 -31
package/src/notifications/copy-composer.ts +0 -5
package/src/notifications/signal.ts +4 -5
package/src/oauth/byo-connection.test.ts +537 -0
package/src/oauth/byo-connection.ts +128 -0
package/src/oauth/connect-orchestrator.ts +139 -56
package/src/oauth/connect-types.ts +17 -23
package/src/oauth/connection-resolver.ts +58 -0
package/src/oauth/connection.ts +38 -0
package/src/oauth/manual-token-connection.ts +104 -0
package/src/oauth/oauth-store.ts +496 -0
package/src/oauth/platform-connection.test.ts +192 -0
package/src/oauth/platform-connection.ts +111 -0
package/src/oauth/provider-behaviors.ts +124 -0
package/src/oauth/scope-policy.ts +9 -2
package/src/oauth/seed-providers.ts +161 -0
package/src/oauth/token-persistence.ts +74 -78
package/src/permissions/checker.ts +8 -4
package/src/permissions/defaults.ts +0 -1
package/src/permissions/prompter.ts +10 -1
package/src/permissions/trust-store.ts +13 -0
package/src/prompts/__tests__/build-cli-reference-section.test.ts +3 -1
package/src/prompts/system-prompt.ts +70 -45
package/src/providers/anthropic/client.ts +133 -24
package/src/providers/gemini/client.ts +15 -6
package/src/providers/managed-proxy/constants.ts +2 -2
package/src/providers/managed-proxy/context.ts +5 -1
package/src/providers/ratelimit.ts +17 -0
package/src/providers/registry.ts +2 -2
package/src/providers/retry.ts +1 -27
package/src/runtime/AGENTS.md +17 -0
package/src/runtime/auth/route-policy.ts +0 -3
package/src/runtime/channel-invite-transports/telegram.ts +2 -1
package/src/runtime/channel-readiness-service.ts +168 -195
package/src/runtime/channel-readiness-types.ts +4 -0
package/src/runtime/channel-reply-delivery.ts +0 -40
package/src/runtime/gateway-client.ts +0 -7
package/src/runtime/guardian-action-conversation-turn.ts +1 -3
package/src/runtime/guardian-action-followup-executor.ts +1 -1
package/src/runtime/guardian-action-message-composer.ts +3 -23
package/src/runtime/http-server.ts +17 -10
package/src/runtime/http-types.ts +2 -3
package/src/runtime/middleware/rate-limiter.ts +74 -20
package/src/runtime/middleware/twilio-validation.ts +1 -11
package/src/runtime/pending-interactions.ts +14 -12
package/src/runtime/routes/channel-delivery-routes.ts +0 -1
package/src/runtime/routes/channel-readiness-routes.ts +2 -0
package/src/runtime/routes/conversation-routes.ts +73 -19
package/src/runtime/routes/diagnostics-routes.ts +11 -9
package/src/runtime/routes/events-routes.ts +21 -11
package/src/runtime/routes/guardian-approval-interception.ts +20 -5
package/src/runtime/routes/host-cu-routes.ts +97 -0
package/src/runtime/routes/inbound-stages/background-dispatch.ts +12 -111
package/src/runtime/routes/integrations/slack/share.ts +6 -6
package/src/runtime/routes/integrations/twilio.ts +6 -5
package/src/runtime/routes/log-export-routes.ts +126 -8
package/src/runtime/routes/secret-routes.ts +3 -2
package/src/runtime/routes/settings-routes.ts +113 -48
package/src/runtime/routes/surface-action-routes.ts +1 -1
package/src/runtime/routes/watch-routes.ts +128 -0
package/src/schedule/integration-status.ts +10 -8
package/src/security/credential-key.ts +14 -0
package/src/security/keychain-broker-client.ts +5 -6
package/src/security/oauth2.ts +1 -1
package/src/security/token-manager.ts +145 -43
package/src/skills/catalog-install.ts +358 -0
package/src/skills/include-graph.ts +32 -0
package/src/telegram/bot-username.ts +2 -3
package/src/tools/apps/definitions.ts +0 -5
package/src/tools/assets/materialize.ts +0 -5
package/src/tools/assets/search.ts +0 -5
package/src/tools/browser/headless-browser.ts +1 -67
package/src/tools/browser/network-recorder.ts +1 -1
package/src/tools/browser/network-recording-types.ts +1 -1
package/src/tools/claude-code/claude-code.ts +0 -5
package/src/tools/computer-use/definitions.ts +46 -11
package/src/tools/computer-use/registry.ts +4 -5
package/src/tools/credentials/broker.ts +5 -4
package/src/tools/credentials/metadata-store.ts +22 -74
package/src/tools/credentials/resolve.ts +2 -1
package/src/tools/credentials/vault.ts +139 -151
package/src/tools/filesystem/edit.ts +1 -6
package/src/tools/filesystem/read.ts +0 -5
package/src/tools/filesystem/write.ts +1 -6
package/src/tools/host-filesystem/edit.ts +1 -6
package/src/tools/host-filesystem/read.ts +1 -6
package/src/tools/host-filesystem/write.ts +1 -6
package/src/tools/mcp/mcp-tool-factory.ts +18 -1
package/src/tools/memory/definitions.ts +0 -5
package/src/tools/network/web-fetch.ts +0 -5
package/src/tools/network/web-search.ts +0 -5
package/src/tools/registry.ts +2 -7
package/src/tools/schema-transforms.ts +99 -0
package/src/tools/skills/load.ts +62 -8
package/src/tools/swarm/delegate.ts +0 -5
package/src/tools/system/avatar-generator.ts +0 -5
package/src/tools/ui-surface/definitions.ts +0 -15
package/src/tools/watch/screen-watch.ts +0 -5
package/src/tools/watch/watch-state.ts +0 -12
package/src/util/logger.ts +7 -41
package/src/util/platform.ts +9 -28
package/src/version.ts +10 -0
package/src/watcher/providers/github.ts +51 -52
package/src/watcher/providers/gmail.ts +88 -80
package/src/watcher/providers/google-calendar.ts +94 -86
package/src/watcher/providers/linear.ts +87 -93
package/src/__tests__/computer-use-session-compaction.test.ts +0 -143
package/src/__tests__/computer-use-session-lifecycle.test.ts +0 -322
package/src/__tests__/computer-use-session-working-dir.test.ts +0 -166
package/src/__tests__/computer-use-skill-baseline.test.ts +0 -78
package/src/__tests__/computer-use-skill-endstate.test.ts +0 -105
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +0 -249
package/src/__tests__/ride-shotgun-handler.test.ts +0 -452
package/src/cli/commands/dev.ts +0 -129
package/src/cli/commands/map.ts +0 -391
package/src/cli/commands/oauth.ts +0 -77
package/src/config/bundled-skills/computer-use/tools/computer-use-request-control.ts +0 -16
package/src/daemon/computer-use-session.ts +0 -1020
package/src/daemon/ride-shotgun-handler.ts +0 -567
package/src/oauth/provider-profiles.ts +0 -192
package/src/prompts/computer-use-prompt.ts +0 -98
package/src/runtime/routes/computer-use-routes.ts +0 -641
package/src/runtime/telegram-streaming-delivery.test.ts +0 -597
package/src/runtime/telegram-streaming-delivery.ts +0 -383
package/src/tools/computer-use/request-computer-control.ts +0 -61

package/src/__tests__/credential-vault.test.ts CHANGED Viewed

@@ -45,17 +45,95 @@ mock.module("../tools/registry.js", () => ({
   registerTool: () => {},
 }));
+// ---------------------------------------------------------------------------
+// Mock OAuth2 token refresh for token-manager deduplication tests
+// ---------------------------------------------------------------------------
+let mockRefreshOAuth2Token: ReturnType<
+  typeof mock<() => Promise<{ accessToken: string; expiresIn: number }>>
+>;
+mock.module("../security/oauth2.js", () => {
+  mockRefreshOAuth2Token = mock(() =>
+    Promise.resolve({
+      accessToken: "refreshed-access-token",
+      expiresIn: 3600,
+    }),
+  );
+  return {
+    refreshOAuth2Token: mockRefreshOAuth2Token,
+  };
+});
+// ---------------------------------------------------------------------------
+// Mock oauth-store — token-manager reads refresh config from SQLite
+// ---------------------------------------------------------------------------
+/** Mutable per-test map of provider connections for getConnectionByProvider */
+const mockConnections = new Map<
+  string,
+  {
+    id: string;
+    providerKey: string;
+    oauthAppId: string;
+    expiresAt: number | null;
+  }
+>();
+const mockApps = new Map<
+  string,
+  { id: string; providerKey: string; clientId: string }
+>();
+const mockProviders = new Map<
+  string,
+  {
+    key: string;
+    tokenUrl: string;
+    tokenEndpointAuthMethod?: string;
+  }
+>();
+let mockDisconnectOAuthProvider: ReturnType<
+  typeof mock<
+    (providerKey: string) => Promise<"disconnected" | "not-found" | "error">
+  >
+>;
+mock.module("../oauth/oauth-store.js", () => {
+  mockDisconnectOAuthProvider = mock((providerKey: string) =>
+    Promise.resolve(
+      mockConnections.has(providerKey)
+        ? ("disconnected" as const)
+        : ("not-found" as const),
+    ),
+  );
+  return {
+    disconnectOAuthProvider: mockDisconnectOAuthProvider,
+    getConnectionByProvider: (service: string) => mockConnections.get(service),
+    getApp: (id: string) => mockApps.get(id),
+    getProvider: (key: string) => mockProviders.get(key),
+    updateConnection: () => {},
+    getMostRecentAppByProvider: () => undefined,
+    listConnections: () => [],
+  };
+});
 // ---------------------------------------------------------------------------
 // Import the module under test
 // ---------------------------------------------------------------------------
 // getCredentialValue is no longer exported (sealed in PR 17) — use getSecureKey directly
+import { credentialKey } from "../security/credential-key.js";
 import {
   deleteSecureKey,
   getSecureKey,
   setSecureKey,
 } from "../security/secure-keys.js";
+import {
+  _resetInflightRefreshes,
+  _resetRefreshBreakers,
+  withValidToken,
+} from "../security/token-manager.js";
 import {
   _setMetadataPath,
   getCredentialMetadata,
@@ -120,7 +198,7 @@ async function executeVault(
         };
       }
-      const key = `credential:${service}:${field}`;
+      const key = credentialKey(service, field);
       const ok = setSecureKey(key, value);
       if (!ok) {
         return { content: "Error: failed to store credential", isError: true };
@@ -151,7 +229,7 @@ async function executeVault(
         };
       }
-      const key = `credential:${service}:${field}`;
+      const key = credentialKey(service, field);
       const result = deleteSecureKey(key);
       if (result !== "deleted") {
         return {
@@ -187,12 +265,15 @@ describe("credential_store tool", () => {
     }
     _setStorePath(STORE_PATH);
     _setMetadataPath(join(TEST_DIR, "metadata.json"));
+    mockDisconnectOAuthProvider.mockClear();
+    mockConnections.clear();
   });
   afterEach(() => {
     _setMetadataPath(null);
     _setStorePath(null);
     _resetBackend();
+    mockConnections.clear();
   });
   afterAll(() => {
@@ -553,7 +634,7 @@ describe("credential_store tool", () => {
       // Delete the secret directly without going through the tool (simulates
       // a divergence where metadata write failed after secret deletion)
-      deleteSecureKey("credential:svc-a:key");
+      deleteSecureKey(credentialKey("svc-a", "key"));
       const result = await credentialStoreTool.execute(
         { action: "list" },
@@ -596,7 +677,7 @@ describe("credential_store tool", () => {
   // -----------------------------------------------------------------------
   describe("delete action", () => {
     test("deletes a stored credential", async () => {
-      setSecureKey("credential:gmail:password", "secret");
+      setSecureKey(credentialKey("gmail", "password"), "secret");
       const result = await executeVault({
         action: "delete",
@@ -607,7 +688,7 @@ describe("credential_store tool", () => {
       expect(result.content).toBe("Deleted credential for gmail/password.");
       // Verify it's actually gone
-      expect(getSecureKey("credential:gmail:password")).toBeUndefined();
+      expect(getSecureKey(credentialKey("gmail", "password"))).toBeUndefined();
     });
     test("returns error for non-existent credential", async () => {
@@ -637,6 +718,44 @@ describe("credential_store tool", () => {
       expect(result.isError).toBe(true);
       expect(result.content).toContain("field is required");
     });
+    test("delete also disconnects OAuth connection for the service", async () => {
+      // Store a credential via the real tool so metadata exists
+      await credentialStoreTool.execute(
+        {
+          action: "store",
+          service: "integration:gmail",
+          field: "api_key",
+          value: "test-value",
+        },
+        _ctx,
+      );
+      // Simulate an active OAuth connection for this service
+      mockConnections.set("integration:gmail", {
+        id: "conn-gmail",
+        providerKey: "integration:gmail",
+        oauthAppId: "app-gmail",
+        expiresAt: Date.now() + 3600_000,
+      });
+      const result = await credentialStoreTool.execute(
+        {
+          action: "delete",
+          service: "integration:gmail",
+          field: "api_key",
+        },
+        _ctx,
+      );
+      expect(result.isError).toBe(false);
+      expect(result.content).toContain("Deleted credential");
+      // Verify disconnectOAuthProvider was called with the service name
+      expect(mockDisconnectOAuthProvider).toHaveBeenCalledTimes(1);
+      expect(mockDisconnectOAuthProvider).toHaveBeenCalledWith(
+        "integration:gmail",
+      );
+    });
   });
   // -----------------------------------------------------------------------
@@ -644,12 +763,14 @@ describe("credential_store tool", () => {
   // -----------------------------------------------------------------------
   describe("credential value access", () => {
     test("credential values are stored via secure keys", () => {
-      setSecureKey("credential:github:token", "ghp_abc123");
-      expect(getSecureKey("credential:github:token")).toBe("ghp_abc123");
+      setSecureKey(credentialKey("github", "token"), "ghp_abc123");
+      expect(getSecureKey(credentialKey("github", "token"))).toBe("ghp_abc123");
     });
     test("returns undefined for non-existent credential", () => {
-      expect(getSecureKey("credential:nonexistent:field")).toBeUndefined();
+      expect(
+        getSecureKey(credentialKey("nonexistent", "field")),
+      ).toBeUndefined();
     });
   });
@@ -1094,8 +1215,12 @@ describe("credential_store tool", () => {
         value: "github-pass",
       });
-      expect(getSecureKey("credential:gmail:password")).toBe("gmail-pass");
-      expect(getSecureKey("credential:github:password")).toBe("github-pass");
+      expect(getSecureKey(credentialKey("gmail", "password"))).toBe(
+        "gmail-pass",
+      );
+      expect(getSecureKey(credentialKey("github", "password"))).toBe(
+        "github-pass",
+      );
     });
     test("same service with different fields do not collide", async () => {
@@ -1112,10 +1237,279 @@ describe("credential_store tool", () => {
         value: "backup@example.com",
       });
-      expect(getSecureKey("credential:gmail:password")).toBe("pass123");
-      expect(getSecureKey("credential:gmail:recovery_email")).toBe(
+      expect(getSecureKey(credentialKey("gmail", "password"))).toBe("pass123");
+      expect(getSecureKey(credentialKey("gmail", "recovery_email"))).toBe(
         "backup@example.com",
       );
     });
   });
 });
+// ---------------------------------------------------------------------------
+// Token refresh deduplication tests
+// ---------------------------------------------------------------------------
+describe("withValidToken refresh deduplication", () => {
+  beforeAll(() => {
+    mkdirSync(TEST_DIR, { recursive: true });
+  });
+  beforeEach(() => {
+    _resetBackend();
+    for (const entry of readdirSync(TEST_DIR)) {
+      rmSync(join(TEST_DIR, entry), { recursive: true, force: true });
+    }
+    _setStorePath(STORE_PATH);
+    _setMetadataPath(join(TEST_DIR, "metadata.json"));
+    _resetRefreshBreakers();
+    _resetInflightRefreshes();
+    mockRefreshOAuth2Token.mockClear();
+    // Clear mock oauth-store maps
+    mockConnections.clear();
+    mockApps.clear();
+    mockProviders.clear();
+  });
+  afterEach(() => {
+    _setMetadataPath(null);
+    _setStorePath(null);
+    _resetBackend();
+    _resetRefreshBreakers();
+    _resetInflightRefreshes();
+    mockConnections.clear();
+    mockApps.clear();
+    mockProviders.clear();
+  });
+  afterAll(() => {
+    rmSync(TEST_DIR, { recursive: true, force: true });
+  });
+  /**
+   * Helper: set up a service with an access token, refresh token, and
+   * mock DB data so that token refresh can proceed through doRefresh().
+   *
+   * OAuth-specific fields (tokenUrl, clientId, expiresAt) are now stored
+   * in the SQLite oauth-store. The mock maps simulate the DB layer.
+   */
+  function setupService(
+    service: string,
+    opts?: { expired?: boolean; accessToken?: string },
+  ) {
+    const accessToken = opts?.accessToken ?? "old-access-token";
+    // Seed mock oauth-store maps so token-manager can resolve refresh config
+    const appId = `app-${service}`;
+    const connId = `conn-${service}`;
+    // Store access token under the oauth_connection key path that
+    // withValidToken reads (not the legacy credentialKey path).
+    setSecureKey(`oauth_connection/${connId}/access_token`, accessToken);
+    mockProviders.set(service, {
+      key: service,
+      tokenUrl: "https://oauth.example.com/token",
+    });
+    mockApps.set(appId, {
+      id: appId,
+      providerKey: service,
+      clientId: "test-client-id",
+    });
+    mockConnections.set(service, {
+      id: connId,
+      providerKey: service,
+      oauthAppId: appId,
+      expiresAt: opts?.expired
+        ? Date.now() - 60_000 // expired 1 minute ago
+        : Date.now() + 3600_000, // expires in 1 hour
+    });
+    // Store refresh token and client_secret in secure keys (token-manager reads them)
+    setSecureKey(
+      `oauth_connection/${connId}/refresh_token`,
+      "valid-refresh-token",
+    );
+    setSecureKey(`oauth_app/${appId}/client_secret`, "test-client-secret");
+  }
+  test("3 concurrent 401 refreshes for the same service call doRefresh exactly once", async () => {
+    setupService("integration:gmail");
+    let resolveRefresh!: (value: {
+      accessToken: string;
+      expiresIn: number;
+    }) => void;
+    const refreshPromise = new Promise<{
+      accessToken: string;
+      expiresIn: number;
+    }>((resolve) => {
+      resolveRefresh = resolve;
+    });
+    mockRefreshOAuth2Token.mockImplementation(() => refreshPromise);
+    const err401 = Object.assign(new Error("Unauthorized"), { status: 401 });
+    const callback = async (token: string) => {
+      if (token === "old-access-token") throw err401;
+      return `result-with-${token}`;
+    };
+    // Launch 3 concurrent withValidToken calls — all will get a non-expired
+    // token first, call the callback, get a 401, and then try to refresh.
+    const p1 = withValidToken("integration:gmail", callback);
+    const p2 = withValidToken("integration:gmail", callback);
+    const p3 = withValidToken("integration:gmail", callback);
+    // Let the event loop tick so all 3 calls enter the 401 retry path
+    await new Promise((r) => setTimeout(r, 10));
+    // Resolve the single refresh attempt
+    resolveRefresh({ accessToken: "new-token-123", expiresIn: 3600 });
+    const results = await Promise.all([p1, p2, p3]);
+    // All 3 should succeed with the refreshed token
+    expect(results).toEqual([
+      "result-with-new-token-123",
+      "result-with-new-token-123",
+      "result-with-new-token-123",
+    ]);
+    // refreshOAuth2Token should have been called exactly once
+    expect(mockRefreshOAuth2Token).toHaveBeenCalledTimes(1);
+  });
+  test("concurrent refreshes for different services proceed independently", async () => {
+    setupService("integration:gmail");
+    setupService("integration:slack");
+    let resolveGmail!: (value: {
+      accessToken: string;
+      expiresIn: number;
+    }) => void;
+    let resolveSlack!: (value: {
+      accessToken: string;
+      expiresIn: number;
+    }) => void;
+    const gmailPromise = new Promise<{
+      accessToken: string;
+      expiresIn: number;
+    }>((resolve) => {
+      resolveGmail = resolve;
+    });
+    const slackPromise = new Promise<{
+      accessToken: string;
+      expiresIn: number;
+    }>((resolve) => {
+      resolveSlack = resolve;
+    });
+    let refreshCallCount = 0;
+    mockRefreshOAuth2Token.mockImplementation(() => {
+      refreshCallCount++;
+      // Both services use the same tokenUrl in this test, so we track by
+      // call order to return the correct deferred promise.
+      if (refreshCallCount === 1) return gmailPromise;
+      return slackPromise;
+    });
+    const err401 = Object.assign(new Error("Unauthorized"), { status: 401 });
+    const gmailCallback = async (token: string) => {
+      if (token === "old-access-token") throw err401;
+      return `gmail-${token}`;
+    };
+    const slackCallback = async (token: string) => {
+      if (token === "old-access-token") throw err401;
+      return `slack-${token}`;
+    };
+    const p1 = withValidToken("integration:gmail", gmailCallback);
+    const p2 = withValidToken("integration:slack", slackCallback);
+    await new Promise((r) => setTimeout(r, 10));
+    // Resolve both independently
+    resolveGmail({ accessToken: "gmail-new-token", expiresIn: 3600 });
+    resolveSlack({ accessToken: "slack-new-token", expiresIn: 3600 });
+    const [r1, r2] = await Promise.all([p1, p2]);
+    expect(r1).toBe("gmail-gmail-new-token");
+    expect(r2).toBe("slack-slack-new-token");
+    // Both services should have triggered their own refresh
+    expect(mockRefreshOAuth2Token).toHaveBeenCalledTimes(2);
+  });
+  test("deduplication cleans up after refresh completes, allowing subsequent refreshes", async () => {
+    setupService("integration:gmail");
+    let refreshCount = 0;
+    mockRefreshOAuth2Token.mockImplementation(() => {
+      refreshCount++;
+      return Promise.resolve({
+        accessToken: `token-${refreshCount}`,
+        expiresIn: 3600,
+      });
+    });
+    const err401 = Object.assign(new Error("Unauthorized"), { status: 401 });
+    // First call triggers a refresh (old token → 401 → refresh → token-1)
+    const r1 = await withValidToken(
+      "integration:gmail",
+      async (token: string) => {
+        if (token !== "token-1") throw err401;
+        return token;
+      },
+    );
+    expect(r1).toBe("token-1");
+    expect(refreshCount).toBe(1);
+    // Second call also triggers a 401 to verify dedup state was cleaned up
+    // and a new refresh is allowed (not deduplicated with the first).
+    const r2 = await withValidToken(
+      "integration:gmail",
+      async (token: string) => {
+        if (token !== "token-2") throw err401;
+        return token;
+      },
+    );
+    expect(r2).toBe("token-2");
+    // Second refresh should have happened (not deduplicated with the first,
+    // since the first already completed)
+    expect(refreshCount).toBe(2);
+  });
+  test("deduplication propagates refresh errors to all waiting callers", async () => {
+    setupService("integration:gmail");
+    mockRefreshOAuth2Token.mockImplementation(() =>
+      Promise.reject(
+        Object.assign(
+          new Error("OAuth2 token refresh failed (HTTP 401: invalid_grant)"),
+        ),
+      ),
+    );
+    const err401 = Object.assign(new Error("Unauthorized"), { status: 401 });
+    const callback = async (token: string) => {
+      if (token === "old-access-token") throw err401;
+      return "should-not-reach";
+    };
+    // Launch 2 concurrent calls — both should fail with the same error
+    const p1 = withValidToken("integration:gmail", callback);
+    const p2 = withValidToken("integration:gmail", callback);
+    const results = await Promise.allSettled([p1, p2]);
+    expect(results[0].status).toBe("rejected");
+    expect(results[1].status).toBe("rejected");
+    // Only one actual refresh attempt
+    expect(mockRefreshOAuth2Token).toHaveBeenCalledTimes(1);
+  });
+});

package/src/__tests__/credentials-cli.test.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 import { Command } from "commander";
+import { credentialKey } from "../security/credential-key.js";
 import type { CredentialMetadata } from "../tools/credentials/metadata-store.js";
 // ---------------------------------------------------------------------------
@@ -163,6 +164,26 @@ mock.module("../tools/credentials/metadata-store.js", () => ({
   },
 }));
+// ---------------------------------------------------------------------------
+// Mock oauth-store
+// ---------------------------------------------------------------------------
+let disconnectOAuthProviderCalls: string[] = [];
+let disconnectOAuthProviderResult: "disconnected" | "not-found" | "error" =
+  "not-found";
+mock.module("../oauth/oauth-store.js", () => ({
+  disconnectOAuthProvider: async (
+    providerKey: string,
+  ): Promise<"disconnected" | "not-found" | "error"> => {
+    disconnectOAuthProviderCalls.push(providerKey);
+    return disconnectOAuthProviderResult;
+  },
+  getConnectionByProvider: (): undefined => undefined,
+  listConnections: (): never[] => [],
+  deleteConnection: (): boolean => false,
+}));
 // ---------------------------------------------------------------------------
 // Import the module under test (after mocks are registered)
 // ---------------------------------------------------------------------------
@@ -238,7 +259,7 @@ function seedCredential(
     ...extra,
   };
   metadataStore.push(record);
-  secureKeyStore.set(`credential:${service}:${field}`, secret);
+  secureKeyStore.set(credentialKey(service, field), secret);
   return record;
 }
@@ -280,6 +301,8 @@ describe("assistant credentials CLI", () => {
     _listMetadataCalls = 0;
     _getMetadataCalls = 0;
     _getMetadataByIdCalls = 0;
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
     process.exitCode = 0;
   });
@@ -437,7 +460,7 @@ describe("assistant credentials CLI", () => {
       expect(parsed.credentialId).toBeTruthy();
       // Verify secret stored in mock map
-      expect(secureKeyStore.get("credential:twilio:account_sid")).toBe(
+      expect(secureKeyStore.get(credentialKey("twilio", "account_sid"))).toBe(
         "AC1234567890",
       );
@@ -546,7 +569,7 @@ describe("assistant credentials CLI", () => {
       expect(meta2!.updatedAt).toBeGreaterThan(firstUpdatedAt);
       // Verify secret is overwritten
-      expect(secureKeyStore.get("credential:twilio:account_sid")).toBe(
+      expect(secureKeyStore.get(credentialKey("twilio", "account_sid"))).toBe(
         "new_value",
       );
     });
@@ -568,7 +591,9 @@ describe("assistant credentials CLI", () => {
       expect(parsed.field).toBe("auth_token");
       // Verify both removed
-      expect(secureKeyStore.has("credential:twilio:auth_token")).toBe(false);
+      expect(secureKeyStore.has(credentialKey("twilio", "auth_token"))).toBe(
+        false,
+      );
       expect(
         metadataStore.find(
           (m) => m.service === "twilio" && m.field === "auth_token",
@@ -608,6 +633,55 @@ describe("assistant credentials CLI", () => {
         ),
       ).toBeUndefined();
     });
+    test("calls disconnectOAuthProvider for OAuth cleanup", async () => {
+      seedCredential("gmail", "access_token", "ya29.token_value");
+      const result = await runCli(["delete", "gmail:access_token", "--json"]);
+      expect(result.exitCode).toBe(0);
+      const parsed = JSON.parse(result.stdout);
+      expect(parsed.ok).toBe(true);
+      // disconnectOAuthProvider should have been called with the service name
+      expect(disconnectOAuthProviderCalls).toEqual(["gmail"]);
+    });
+    test("succeeds when only OAuth connection exists (no legacy credential)", async () => {
+      // No legacy credential seeded — only the OAuth disconnect finds something
+      disconnectOAuthProviderResult = "disconnected";
+      const result = await runCli(["delete", "gmail:access_token", "--json"]);
+      expect(result.exitCode).toBe(0);
+      const parsed = JSON.parse(result.stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.service).toBe("gmail");
+      expect(parsed.field).toBe("access_token");
+      expect(disconnectOAuthProviderCalls).toEqual(["gmail"]);
+    });
+    test("demonstrates colon-in-service-name parsing limitation with integration:gmail", async () => {
+      // parseCredentialName("integration:gmail:access_token") splits on the
+      // first colon, yielding service="integration" and field="gmail:access_token".
+      // This is incorrect for the intended service "integration:gmail". The fix
+      // for this limitation is addressed by introducing a dedicated `disconnect`
+      // subcommand (PR 5).
+      const result = await runCli([
+        "delete",
+        "integration:gmail:access_token",
+        "--json",
+      ]);
+      // The command parses as service="integration", field="gmail:access_token"
+      // which finds nothing and reports not-found.
+      expect(result.exitCode).toBe(1);
+      const parsed = JSON.parse(result.stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.error).toContain("not found");
+      // disconnectOAuthProvider was called with "integration" (wrong) instead
+      // of "integration:gmail" (intended).
+      expect(disconnectOAuthProviderCalls).toEqual(["integration"]);
+    });
   });
   // =========================================================================
@@ -833,8 +907,10 @@ describe("assistant credentials CLI", () => {
       expect(parsed.value).toBe("instance_secret_abc123");
       // Verify the correct key was looked up in the secure store
-      expect(secureKeyStore.has("credential:twilio:auth_token")).toBe(true);
-      expect(secureKeyStore.get("credential:twilio:auth_token")).toBe(
+      expect(secureKeyStore.has(credentialKey("twilio", "auth_token"))).toBe(
+        true,
+      );
+      expect(secureKeyStore.get(credentialKey("twilio", "auth_token"))).toBe(
         "instance_secret_abc123",
       );
     });

package/src/__tests__/dynamic-skill-workflow-prompt.test.ts CHANGED Viewed

@@ -46,7 +46,6 @@ mock.module("../util/logger.js", () => ({
   ...realLogger,
   getLogger: () => noopLogger,
   getCliLogger: () => noopLogger,
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
   initLogger: () => {},
   pruneOldLogFiles: () => 0,

package/src/__tests__/ephemeral-permissions.test.ts CHANGED Viewed

@@ -328,11 +328,11 @@ describe("ephemeral-permissions", () => {
       testConfig.permissions.mode = "workspace";
     });
-    test("workspace mode auto-allows workspace-scoped file_write (medium risk)", async () => {
+    test("workspace mode prompts for workspace-scoped file_write (medium risk)", async () => {
       const filePath = join(testDir, "workspace-test-file.txt");
       const result = await check("file_write", { path: filePath }, testDir);
-      expect(result.decision).toBe("allow");
-      expect(result.reason).toContain("Workspace mode");
+      expect(result.decision).toBe("prompt");
+      expect(result.reason).toContain("medium risk");
     });
     test("workspace mode still prompts for file_write outside workspace", async () => {