@vellumai/assistant 0.4.48 → 0.4.49

package/src/__tests__/oauth-cli.test.ts

@@ -2,6 +2,8 @@ import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 import { Command } from "commander";
 
+import { credentialKey } from "../security/credential-key.js";
+
 // ---------------------------------------------------------------------------
 // Mock state
 // ---------------------------------------------------------------------------
@@ -11,6 +13,28 @@ let mockWithValidToken: <T>(
   cb: (token: string) => Promise<T>,
 ) => Promise<T>;
 
+// Disconnect mock state
+let mockListProviders: () => Array<Record<string, unknown>> = () => [];
+let secureKeyStore = new Map<string, string>();
+let metadataStore: Array<{
+  credentialId: string;
+  service: string;
+  field: string;
+  allowedTools: string[];
+  allowedDomains: string[];
+  createdAt: number;
+  updatedAt: number;
+}> = [];
+let disconnectOAuthProviderCalls: string[] = [];
+let disconnectOAuthProviderResult: "disconnected" | "not-found" | "error" =
+  "not-found";
+let idCounter = 0;
+
+function nextUUID(): string {
+  idCounter += 1;
+  return `00000000-0000-0000-0000-${String(idCounter).padStart(12, "0")}`;
+}
+
 // ---------------------------------------------------------------------------
 // Mock token-manager
 // ---------------------------------------------------------------------------
@@ -32,19 +56,77 @@ mock.module("../security/token-manager.js", () => ({
   },
 }));
 
+// ---------------------------------------------------------------------------
+// Mock oauth-store (stateful for disconnect tests)
+// ---------------------------------------------------------------------------
+
+mock.module("../oauth/oauth-store.js", () => ({
+  disconnectOAuthProvider: async (
+    providerKey: string,
+  ): Promise<"disconnected" | "not-found" | "error"> => {
+    disconnectOAuthProviderCalls.push(providerKey);
+    return disconnectOAuthProviderResult;
+  },
+  getConnection: () => undefined,
+  getConnectionByProvider: () => undefined,
+  listConnections: () => [],
+  deleteConnection: () => false,
+  // Stubs required by apps.ts and providers.ts (transitively loaded via oauth/index.ts)
+  upsertApp: async () => ({}),
+  getApp: () => undefined,
+  getAppByProviderAndClientId: () => undefined,
+  getMostRecentAppByProvider: () => undefined,
+  listApps: () => [],
+  deleteApp: async () => false,
+  getProvider: () => undefined,
+  listProviders: () => mockListProviders(),
+  registerProvider: () => ({}),
+  seedProviders: () => {},
+  createConnection: () => ({}),
+  isProviderConnected: () => false,
+  updateConnection: () => ({}),
+}));
+
 // Stub out transitive dependencies that token-manager would normally pull in
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: () => undefined,
   setSecureKey: () => true,
   getSecureKeyAsync: async () => undefined,
   setSecureKeyAsync: async () => true,
-  deleteSecureKey: () => "not-found",
+  deleteSecureKey: (account: string) => {
+    if (secureKeyStore.has(account)) {
+      secureKeyStore.delete(account);
+      return "deleted" as const;
+    }
+    return "not-found" as const;
+  },
+  deleteSecureKeyAsync: async (account: string) => {
+    if (secureKeyStore.has(account)) {
+      secureKeyStore.delete(account);
+      return "deleted" as const;
+    }
+    return "not-found" as const;
+  },
+  listSecureKeys: () => [...secureKeyStore.keys()],
+  getBackendType: () => "encrypted",
+  isDowngradedFromKeychain: () => false,
+  _resetBackend: () => {},
+  _setBackend: () => {},
 }));
 
 mock.module("../tools/credentials/metadata-store.js", () => ({
+  assertMetadataWritable: () => {},
   getCredentialMetadata: () => undefined,
   upsertCredentialMetadata: () => ({}),
   listCredentialMetadata: () => [],
+  deleteCredentialMetadata: (service: string, field: string): boolean => {
+    const idx = metadataStore.findIndex(
+      (c) => c.service === service && c.field === field,
+    );
+    if (idx === -1) return false;
+    metadataStore.splice(idx, 1);
+    return true;
+  },
 }));
 
 mock.module("../util/logger.js", () => ({
@@ -66,7 +148,7 @@ mock.module("../util/logger.js", () => ({
 // Import the module under test (after mocks are registered)
 // ---------------------------------------------------------------------------
 
-const { registerOAuthCommand } = await import("../cli/commands/oauth.js");
+const { registerOAuthCommand } = await import("../cli/commands/oauth/index.js");
 
 // ---------------------------------------------------------------------------
 // Test helper
@@ -117,43 +199,61 @@ async function runCli(
 // Tests
 // ---------------------------------------------------------------------------
 
-describe("assistant oauth token", () => {
+describe("assistant oauth connections token <provider-key>", () => {
   beforeEach(() => {
     mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
   });
 
   test("prints bare token in human mode", async () => {
-    const { exitCode, stdout } = await runCli(["token", "twitter"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+    ]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("mock-access-token-xyz\n");
   });
 
   test("prints JSON in --json mode", async () => {
-    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+      "--json",
+    ]);
     expect(exitCode).toBe(0);
     const parsed = JSON.parse(stdout);
     expect(parsed).toEqual({ ok: true, token: "mock-access-token-xyz" });
   });
 
-  test("qualifies service name with integration: prefix", async () => {
+  test("passes provider key directly to withValidToken", async () => {
     let capturedService: string | undefined;
     mockWithValidToken = async (service, cb) => {
       capturedService = service;
       return cb("tok");
     };
 
-    await runCli(["token", "twitter"]);
+    await runCli(["connections", "token", "integration:twitter"]);
     expect(capturedService).toBe("integration:twitter");
   });
 
-  test("works with other service names", async () => {
+  test("works with other provider keys", async () => {
     let capturedService: string | undefined;
     mockWithValidToken = async (service, cb) => {
       capturedService = service;
       return cb("gmail-token");
     };
 
-    const { exitCode, stdout } = await runCli(["token", "gmail"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:gmail",
+    ]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("gmail-token\n");
     expect(capturedService).toBe("integration:gmail");
@@ -166,7 +266,12 @@ describe("assistant oauth token", () => {
       );
     };
 
-    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+      "--json",
+    ]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -180,7 +285,12 @@ describe("assistant oauth token", () => {
       );
     };
 
-    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+      "--json",
+    ]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -191,13 +301,262 @@ describe("assistant oauth token", () => {
     // Simulate withValidToken refreshing and returning a new token
     mockWithValidToken = async (_service, cb) => cb("refreshed-new-token");
 
-    const { exitCode, stdout } = await runCli(["token", "twitter"]);
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "token",
+      "integration:twitter",
+    ]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("refreshed-new-token\n");
   });
 
-  test("missing service argument exits non-zero", async () => {
-    const { exitCode } = await runCli(["token"]);
+  test("missing provider-key argument exits non-zero", async () => {
+    const { exitCode } = await runCli(["connections", "token"]);
     expect(exitCode).not.toBe(0);
   });
 });
+
+// ---------------------------------------------------------------------------
+// disconnect
+// ---------------------------------------------------------------------------
+
+describe("assistant oauth connections disconnect <provider-key>", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
+  });
+
+  test("succeeds when an OAuth connection exists", async () => {
+    disconnectOAuthProviderResult = "disconnected";
+
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(0);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.service).toBe("integration:gmail");
+
+    // disconnectOAuthProvider should have been called with the full provider key
+    expect(disconnectOAuthProviderCalls).toEqual(["integration:gmail"]);
+  });
+
+  test("reports not-found when nothing exists", async () => {
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(1);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("No OAuth connection or credentials");
+    expect(parsed.error).toContain("integration:gmail");
+  });
+
+  test("cleans up legacy credential keys if present", async () => {
+    // Seed legacy credential keys (no OAuth connection)
+    const legacyFields = [
+      "access_token",
+      "refresh_token",
+      "client_id",
+      "client_secret",
+    ];
+    for (const field of legacyFields) {
+      secureKeyStore.set(
+        credentialKey("integration:gmail", field),
+        `legacy_${field}_value`,
+      );
+      metadataStore.push({
+        credentialId: nextUUID(),
+        service: "integration:gmail",
+        field,
+        allowedTools: [],
+        allowedDomains: [],
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      });
+    }
+
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(0);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.service).toBe("integration:gmail");
+
+    // All legacy keys should be removed
+    for (const field of legacyFields) {
+      expect(
+        secureKeyStore.has(credentialKey("integration:gmail", field)),
+      ).toBe(false);
+      expect(
+        metadataStore.find(
+          (m) => m.service === "integration:gmail" && m.field === field,
+        ),
+      ).toBeUndefined();
+    }
+  });
+
+  test("cleans up both OAuth connection and legacy keys when both exist", async () => {
+    // Seed OAuth connection
+    disconnectOAuthProviderResult = "disconnected";
+
+    // Seed a legacy credential key
+    secureKeyStore.set(
+      credentialKey("integration:gmail", "access_token"),
+      "legacy_token",
+    );
+    metadataStore.push({
+      credentialId: nextUUID(),
+      service: "integration:gmail",
+      field: "access_token",
+      allowedTools: [],
+      allowedDomains: [],
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+
+    const result = await runCli([
+      "connections",
+      "disconnect",
+      "integration:gmail",
+      "--json",
+    ]);
+    expect(result.exitCode).toBe(0);
+    const parsed = JSON.parse(result.stdout);
+    expect(parsed.ok).toBe(true);
+
+    // Both should be cleaned up
+    expect(disconnectOAuthProviderCalls).toEqual(["integration:gmail"]);
+    expect(
+      secureKeyStore.has(credentialKey("integration:gmail", "access_token")),
+    ).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// providers list
+// ---------------------------------------------------------------------------
+
+describe("assistant oauth providers list", () => {
+  const fakeProviders = [
+    {
+      providerKey: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+    {
+      providerKey: "integration:google-calendar",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+    {
+      providerKey: "integration:slack",
+      authUrl: "https://slack.com/oauth/v2/authorize",
+      tokenUrl: "https://slack.com/api/oauth.v2.access",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+    {
+      providerKey: "integration:twitter",
+      authUrl: "https://twitter.com/i/oauth2/authorize",
+      tokenUrl: "https://api.twitter.com/2/oauth2/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: "2025-01-01T00:00:00.000Z",
+      updatedAt: "2025-01-01T00:00:00.000Z",
+    },
+  ];
+
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    mockListProviders = () => fakeProviders;
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
+  });
+
+  test("returns all providers when no --provider-key is given", async () => {
+    const { exitCode, stdout } = await runCli(["providers", "list", "--json"]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(4);
+    const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
+    expect(keys).toContain("integration:gmail");
+    expect(keys).toContain("integration:google-calendar");
+    expect(keys).toContain("integration:slack");
+    expect(keys).toContain("integration:twitter");
+  });
+
+  test("filters by single --provider-key value", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "gmail",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(1);
+    expect(parsed[0].providerKey).toBe("integration:gmail");
+  });
+
+  test("filters by comma-separated OR values", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "gmail,google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(2);
+    const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
+    expect(keys).toContain("integration:gmail");
+    expect(keys).toContain("integration:google-calendar");
+  });
+
+  test("returns empty array when comma-separated filter has no matches", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "notion,linear",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(0);
+  });
+});

package/src/__tests__/oauth-provider-profiles.test.ts

@@ -1,22 +1,22 @@
 import { describe, expect, test } from "bun:test";
 
 import {
-  getProviderProfile,
+  getProviderBehavior,
   resolveService,
-} from "../oauth/provider-profiles.js";
+} from "../oauth/provider-behaviors.js";
 
-describe("oauth provider profiles", () => {
-  test("gmail profile defines bearer injection templates for Google API hosts", () => {
+describe("oauth provider behaviors", () => {
+  test("gmail behavior defines bearer injection templates for Google API hosts", () => {
     const service = resolveService("gmail");
-    const profile = getProviderProfile(service);
+    const behavior = getProviderBehavior(service);
 
     expect(service).toBe("integration:gmail");
-    expect(profile).toBeDefined();
-    expect(profile?.injectionTemplates).toBeDefined();
-    expect(profile?.injectionTemplates).toHaveLength(3);
+    expect(behavior).toBeDefined();
+    expect(behavior?.injectionTemplates).toBeDefined();
+    expect(behavior?.injectionTemplates).toHaveLength(3);
 
     const byHost = new Map(
-      (profile?.injectionTemplates ?? []).map((t) => [t.hostPattern, t]),
+      (behavior?.injectionTemplates ?? []).map((t) => [t.hostPattern, t]),
     );
 
     for (const host of [

package/src/__tests__/oauth-scope-policy.test.ts

@@ -1,20 +1,18 @@
 import { describe, expect, it } from "bun:test";
 
-import type { OAuthProviderProfile } from "../oauth/connect-types.js";
+import type { ScopeResolverInput } from "../oauth/scope-policy.js";
 import { resolveScopes } from "../oauth/scope-policy.js";
 
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 
-/** Build a minimal profile for testing scope resolution. */
+/** Build a minimal scope resolver input for testing scope resolution. */
 function makeProfile(
-  overrides: Partial<OAuthProviderProfile> = {},
-): OAuthProviderProfile {
+  overrides: Partial<ScopeResolverInput> = {},
+): ScopeResolverInput {
   return {
     service: "integration:test-service",
-    authUrl: "https://auth.example.com/authorize",
-    tokenUrl: "https://auth.example.com/token",
     defaultScopes: ["read", "write"],
     scopePolicy: {
       allowAdditionalScopes: false,