npm - @vellumai/assistant - Versions diffs - 0.4.48 → 0.4.49 - Mend

@vellumai/assistant 0.4.48 → 0.4.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/ARCHITECTURE.md +2 -2
package/README.md +2 -23
package/docs/architecture/integrations.md +45 -41
package/docs/architecture/keychain-broker.md +3 -3
package/docs/runbook-trusted-contacts.md +3 -8
package/hook-templates/debug-prompt-logger/hook.json +1 -1
package/hook-templates/debug-prompt-logger/run.sh +1 -3
package/package.json +1 -1
package/src/__tests__/actor-token-service.test.ts +0 -1
package/src/__tests__/anthropic-provider.test.ts +156 -0
package/src/__tests__/approval-cascade.test.ts +810 -0
package/src/__tests__/approval-primitive.test.ts +0 -1
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-attachments.test.ts +12 -34
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +76 -0
package/src/__tests__/assistant-feature-flags-integration.test.ts +0 -1
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +2 -2
package/src/__tests__/channel-guardian.test.ts +0 -2
package/src/__tests__/channel-readiness-routes.test.ts +15 -6
package/src/__tests__/channel-readiness-service.test.ts +10 -9
package/src/__tests__/checker.test.ts +9 -29
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +1 -1
package/src/__tests__/computer-use-tools.test.ts +2 -19
package/src/__tests__/config-watcher.test.ts +0 -1
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +0 -1
package/src/__tests__/context-image-dimensions.test.ts +332 -0
package/src/__tests__/context-token-estimator.test.ts +196 -13
package/src/__tests__/conversation-attention-store.test.ts +0 -1
package/src/__tests__/conversation-attention-telegram.test.ts +0 -1
package/src/__tests__/conversation-routes-guardian-reply.test.ts +144 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-metadata-store.test.ts +64 -73
package/src/__tests__/credential-security-invariants.test.ts +13 -7
package/src/__tests__/credential-vault-unit.test.ts +280 -49
package/src/__tests__/credential-vault.test.ts +138 -16
package/src/__tests__/credentials-cli.test.ts +71 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +0 -1
package/src/__tests__/ephemeral-permissions.test.ts +3 -3
package/src/__tests__/gateway-only-guard.test.ts +0 -1
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +0 -1
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +0 -1
package/src/__tests__/guardian-routing-invariants.test.ts +0 -1
package/src/__tests__/guardian-verification-voice-binding.test.ts +0 -1
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +0 -39
package/src/__tests__/heartbeat-service.test.ts +0 -1
package/src/__tests__/host-cu-proxy.test.ts +629 -0
package/src/__tests__/host-shell-tool.test.ts +27 -15
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/ingress-url-consistency.test.ts +14 -21
package/src/__tests__/integration-status.test.ts +32 -51
package/src/__tests__/intent-routing.test.ts +0 -1
package/src/__tests__/invite-routes-http.test.ts +10 -9
package/src/__tests__/keychain-broker-client.test.ts +11 -43
package/src/__tests__/notification-routing-intent.test.ts +0 -1
package/src/__tests__/oauth-cli.test.ts +373 -14
package/src/__tests__/oauth-provider-profiles.test.ts +9 -9
package/src/__tests__/oauth-scope-policy.test.ts +4 -6
package/src/__tests__/oauth-store.test.ts +756 -0
package/src/__tests__/onboarding-starter-tasks.test.ts +0 -1
package/src/__tests__/provider-error-scenarios.test.ts +0 -1
package/src/__tests__/provider-streaming.benchmark.test.ts +0 -1
package/src/__tests__/public-ingress-urls.test.ts +15 -21
package/src/__tests__/recording-handler.test.ts +3 -4
package/src/__tests__/registry.test.ts +2 -2
package/src/__tests__/runtime-events-sse.test.ts +55 -7
package/src/__tests__/schedule-store.test.ts +0 -1
package/src/__tests__/scheduler-recurrence.test.ts +0 -1
package/src/__tests__/scoped-approval-grants.test.ts +0 -1
package/src/__tests__/scoped-grant-security-matrix.test.ts +0 -1
package/src/__tests__/secret-ingress-handler.test.ts +0 -1
package/src/__tests__/send-endpoint-busy.test.ts +21 -6
package/src/__tests__/sequence-store.test.ts +0 -1
package/src/__tests__/session-init.benchmark.test.ts +4 -5
package/src/__tests__/skill-include-graph.test.ts +66 -0
package/src/__tests__/skill-load-feature-flag.test.ts +0 -1
package/src/__tests__/skill-load-tool.test.ts +149 -1
package/src/__tests__/skill-projection-feature-flag.test.ts +0 -1
package/src/__tests__/skills-uninstall.test.ts +1 -1
package/src/__tests__/skills.test.ts +3 -3
package/src/__tests__/slack-channel-config.test.ts +67 -3
package/src/__tests__/slack-share-routes.test.ts +17 -19
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/telegram-invite-adapter.test.ts +18 -22
package/src/__tests__/terminal-tools.test.ts +4 -3
package/src/__tests__/test-support/computer-use-skill-harness.ts +3 -2
package/src/__tests__/tool-approval-handler.test.ts +0 -1
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +0 -1
package/src/__tests__/tool-executor-shell-integration.test.ts +0 -1
package/src/__tests__/tool-executor.test.ts +0 -1
package/src/__tests__/tool-grant-request-escalation.test.ts +0 -1
package/src/__tests__/trust-store-pattern-matches.test.ts +29 -0
package/src/__tests__/trust-store.test.ts +1 -22
package/src/__tests__/trusted-contact-approval-notifier.test.ts +0 -1
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +0 -1
package/src/__tests__/twilio-routes.test.ts +0 -16
package/src/__tests__/verification-control-plane-policy.test.ts +0 -1
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -1
package/src/agent/ax-tree-compaction.test.ts +235 -0
package/src/agent/loop.ts +76 -130
package/src/calls/call-domain.ts +1 -6
package/src/calls/relay-server.ts +9 -13
package/src/calls/twilio-config.ts +2 -7
package/src/calls/twilio-routes.ts +1 -2
package/src/calls/voice-ingress-preflight.ts +1 -1
package/src/cli/commands/browser-relay.ts +18 -12
package/src/cli/commands/completions.ts +0 -3
package/src/cli/commands/credentials.ts +101 -15
package/src/cli/commands/oauth/apps.ts +255 -0
package/src/cli/commands/oauth/connections.ts +299 -0
package/src/cli/commands/oauth/index.ts +52 -0
package/src/cli/commands/oauth/providers.ts +242 -0
package/src/cli/commands/skills.ts +4 -338
package/src/cli/program.ts +1 -5
package/src/cli/reference.ts +1 -3
package/src/config/assistant-feature-flags.ts +0 -3
package/src/config/bundled-skills/_shared/CLI_RETRIEVAL_PATTERN.md +1 -1
package/src/config/bundled-skills/computer-use/SKILL.md +3 -6
package/src/config/bundled-skills/computer-use/TOOLS.json +22 -4
package/src/config/bundled-skills/google-calendar/calendar-client.ts +21 -16
package/src/config/bundled-skills/messaging/tools/shared.ts +1 -4
package/src/config/bundled-skills/settings/SKILL.md +1 -1
package/src/config/bundled-skills/settings/TOOLS.json +2 -8
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +5 -33
package/src/config/env-registry.ts +14 -83
package/src/config/env.ts +11 -50
package/src/config/feature-flag-registry.json +16 -16
package/src/config/loader.ts +0 -6
package/src/config/schema.ts +3 -1
package/src/config/skills.ts +21 -2
package/src/context/image-dimensions.ts +229 -0
package/src/context/token-estimator.ts +75 -12
package/src/context/window-manager.ts +49 -10
package/src/daemon/assistant-attachments.ts +1 -13
package/src/daemon/handlers/config-ingress.ts +8 -33
package/src/daemon/handlers/config-slack-channel.ts +49 -46
package/src/daemon/handlers/config-telegram.ts +32 -16
package/src/daemon/handlers/sessions.ts +10 -24
package/src/daemon/handlers/shared.ts +0 -130
package/src/daemon/host-cu-proxy.ts +401 -0
package/src/daemon/lifecycle.ts +36 -68
package/src/daemon/message-protocol.ts +3 -0
package/src/daemon/message-types/computer-use.ts +2 -119
package/src/daemon/message-types/host-cu.ts +19 -0
package/src/daemon/message-types/messages.ts +3 -0
package/src/daemon/server.ts +14 -21
package/src/daemon/session-agent-loop-handlers.ts +2 -0
package/src/daemon/session-attachments.ts +1 -2
package/src/daemon/session-slash.ts +1 -1
package/src/daemon/session-surfaces.ts +40 -28
package/src/daemon/session-tool-setup.ts +2 -9
package/src/daemon/session.ts +138 -15
package/src/daemon/tool-side-effects.ts +2 -8
package/src/daemon/watch-handler.ts +2 -2
package/src/events/tool-metrics-listener.ts +2 -2
package/src/hooks/manager.ts +1 -4
package/src/inbound/public-ingress-urls.ts +7 -7
package/src/logfire.ts +16 -5
package/src/memory/conversation-key-store.ts +21 -0
package/src/memory/db-init.ts +4 -0
package/src/memory/migrations/149-oauth-tables.ts +60 -0
package/src/memory/migrations/index.ts +1 -0
package/src/memory/schema/index.ts +1 -0
package/src/memory/schema/oauth.ts +65 -0
package/src/messaging/provider.ts +4 -4
package/src/messaging/providers/gmail/client.ts +82 -2
package/src/messaging/providers/gmail/people-client.ts +10 -10
package/src/messaging/providers/telegram-bot/adapter.ts +17 -17
package/src/messaging/providers/whatsapp/adapter.ts +11 -8
package/src/messaging/registry.ts +2 -32
package/src/notifications/copy-composer.ts +0 -5
package/src/notifications/signal.ts +4 -5
package/src/oauth/byo-connection.test.ts +126 -25
package/src/oauth/byo-connection.ts +22 -6
package/src/oauth/connect-orchestrator.ts +113 -57
package/src/oauth/connect-types.ts +17 -23
package/src/oauth/connection-resolver.ts +35 -11
package/src/oauth/connection.ts +1 -1
package/src/oauth/manual-token-connection.ts +104 -0
package/src/oauth/oauth-store.ts +496 -0
package/src/oauth/platform-connection.test.ts +29 -0
package/src/oauth/platform-connection.ts +6 -5
package/src/oauth/provider-behaviors.ts +124 -0
package/src/oauth/scope-policy.ts +9 -2
package/src/oauth/seed-providers.ts +161 -0
package/src/oauth/token-persistence.ts +74 -78
package/src/permissions/checker.ts +3 -3
package/src/permissions/defaults.ts +0 -1
package/src/permissions/prompter.ts +10 -1
package/src/permissions/trust-store.ts +13 -0
package/src/prompts/__tests__/build-cli-reference-section.test.ts +3 -1
package/src/prompts/system-prompt.ts +28 -40
package/src/providers/anthropic/client.ts +133 -24
package/src/providers/retry.ts +1 -27
package/src/runtime/auth/route-policy.ts +0 -3
package/src/runtime/channel-reply-delivery.ts +0 -40
package/src/runtime/gateway-client.ts +0 -7
package/src/runtime/http-server.ts +8 -6
package/src/runtime/http-types.ts +2 -2
package/src/runtime/middleware/twilio-validation.ts +1 -11
package/src/runtime/pending-interactions.ts +14 -12
package/src/runtime/routes/channel-delivery-routes.ts +0 -1
package/src/runtime/routes/conversation-routes.ts +73 -19
package/src/runtime/routes/events-routes.ts +21 -11
package/src/runtime/routes/host-cu-routes.ts +97 -0
package/src/runtime/routes/inbound-stages/background-dispatch.ts +12 -111
package/src/runtime/routes/integrations/slack/share.ts +6 -7
package/src/runtime/routes/log-export-routes.ts +126 -8
package/src/runtime/routes/settings-routes.ts +55 -48
package/src/runtime/routes/surface-action-routes.ts +1 -1
package/src/runtime/routes/watch-routes.ts +128 -0
package/src/schedule/integration-status.ts +10 -9
package/src/security/credential-key.ts +0 -156
package/src/security/keychain-broker-client.ts +5 -6
package/src/security/oauth2.ts +1 -1
package/src/security/token-manager.ts +119 -46
package/src/skills/catalog-install.ts +358 -0
package/src/skills/include-graph.ts +32 -0
package/src/telegram/bot-username.ts +2 -3
package/src/tools/browser/network-recorder.ts +1 -1
package/src/tools/browser/network-recording-types.ts +1 -1
package/src/tools/computer-use/definitions.ts +46 -11
package/src/tools/computer-use/registry.ts +4 -5
package/src/tools/credentials/broker.ts +1 -2
package/src/tools/credentials/metadata-store.ts +17 -121
package/src/tools/credentials/vault.ts +94 -167
package/src/tools/registry.ts +2 -7
package/src/tools/skills/load.ts +62 -3
package/src/tools/watch/watch-state.ts +0 -12
package/src/util/logger.ts +7 -41
package/src/util/platform.ts +9 -28
package/src/watcher/providers/google-calendar.ts +2 -1
package/src/__tests__/computer-use-session-compaction.test.ts +0 -143
package/src/__tests__/computer-use-session-lifecycle.test.ts +0 -322
package/src/__tests__/computer-use-session-working-dir.test.ts +0 -166
package/src/__tests__/computer-use-skill-baseline.test.ts +0 -78
package/src/__tests__/computer-use-skill-endstate.test.ts +0 -105
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +0 -249
package/src/__tests__/ride-shotgun-handler.test.ts +0 -452
package/src/cli/commands/dev.ts +0 -129
package/src/cli/commands/map.ts +0 -391
package/src/cli/commands/oauth.ts +0 -77
package/src/config/bundled-skills/computer-use/tools/computer-use-request-control.ts +0 -16
package/src/daemon/computer-use-session.ts +0 -1026
package/src/daemon/ride-shotgun-handler.ts +0 -569
package/src/oauth/provider-base-urls.ts +0 -21
package/src/oauth/provider-profiles.ts +0 -192
package/src/prompts/computer-use-prompt.ts +0 -98
package/src/runtime/routes/computer-use-routes.ts +0 -641
package/src/runtime/telegram-streaming-delivery.test.ts +0 -729
package/src/runtime/telegram-streaming-delivery.ts +0 -393
package/src/tools/computer-use/request-computer-control.ts +0 -56

package/src/__tests__/oauth-store.test.ts ADDED Viewed

@@ -0,0 +1,756 @@
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
+const testDir = mkdtempSync(join(tmpdir(), "oauth-store-test-"));
+mock.module("../util/platform.js", () => ({
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => ":memory:",
+  getLogPath: () => join(testDir, "test.log"),
+  ensureDataDir: () => {},
+}));
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+const mockDeleteSecureKeyAsync = mock(
+  (): Promise<"deleted" | "not-found" | "error"> =>
+    Promise.resolve("deleted" as const),
+);
+const mockSetSecureKeyAsync = mock(() => Promise.resolve(true));
+/** Simulated secure key store for getSecureKey lookups. */
+const secureKeyValues = new Map<string, string>();
+mock.module("../security/secure-keys.js", () => ({
+  deleteSecureKeyAsync: mockDeleteSecureKeyAsync,
+  setSecureKeyAsync: mockSetSecureKeyAsync,
+  getSecureKey: (account: string) => secureKeyValues.get(account),
+}));
+import { initializeDb, resetDb, resetTestTables } from "../memory/db.js";
+import {
+  createConnection,
+  deleteApp,
+  deleteConnection,
+  disconnectOAuthProvider,
+  getApp,
+  getAppByProviderAndClientId,
+  getConnection,
+  getConnectionByProvider,
+  getProvider,
+  isProviderConnected,
+  listConnections,
+  registerProvider,
+  seedProviders,
+  updateConnection,
+  upsertApp,
+} from "../oauth/oauth-store.js";
+initializeDb();
+/** Seed a minimal provider row for FK satisfaction. */
+function seedTestProvider(providerKey = "github"): void {
+  seedProviders([
+    {
+      providerKey,
+      authUrl: `https://${providerKey}.example.com/authorize`,
+      tokenUrl: `https://${providerKey}.example.com/token`,
+      defaultScopes: ["read"],
+      scopePolicy: {},
+    },
+  ]);
+}
+/** Create an app linked to the given provider. Returns the app row. */
+async function createTestApp(providerKey = "github", clientId = "client-1") {
+  seedTestProvider(providerKey);
+  return await upsertApp(providerKey, clientId);
+}
+beforeEach(() => {
+  resetDb();
+  initializeDb();
+  // Explicitly clear all OAuth tables to prevent cross-test state pollution.
+  // Delete in FK-dependency order: connections → apps → providers.
+  resetTestTables("oauth_connections", "oauth_apps", "oauth_providers");
+  mockDeleteSecureKeyAsync.mockClear();
+  mockSetSecureKeyAsync.mockClear();
+  secureKeyValues.clear();
+});
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    // best-effort cleanup
+  }
+});
+// ---------------------------------------------------------------------------
+// Provider operations
+// ---------------------------------------------------------------------------
+describe("provider operations", () => {
+  describe("seedProviders", () => {
+    test("creates rows for new providers", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/login/oauth/authorize",
+          tokenUrl: "https://github.com/login/oauth/access_token",
+          defaultScopes: ["repo", "user"],
+          scopePolicy: { required: ["repo"] },
+        },
+        {
+          providerKey: "google",
+          authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+          tokenUrl: "https://oauth2.googleapis.com/token",
+          defaultScopes: ["openid", "email"],
+          scopePolicy: {},
+          extraParams: { access_type: "offline" },
+        },
+      ]);
+      const gh = getProvider("github");
+      expect(gh).toBeDefined();
+      expect(gh!.providerKey).toBe("github");
+      expect(gh!.authUrl).toBe("https://github.com/login/oauth/authorize");
+      expect(gh!.tokenUrl).toBe("https://github.com/login/oauth/access_token");
+      expect(JSON.parse(gh!.defaultScopes)).toEqual(["repo", "user"]);
+      expect(JSON.parse(gh!.scopePolicy)).toEqual({ required: ["repo"] });
+      const goog = getProvider("google");
+      expect(goog).toBeDefined();
+      expect(goog!.providerKey).toBe("google");
+      expect(JSON.parse(goog!.extraParams!)).toEqual({
+        access_type: "offline",
+      });
+    });
+    test("updates existing provider rows with corrected seed data", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/login/oauth/authorize",
+          tokenUrl: "https://github.com/login/oauth/access_token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          baseUrl: "https://api.github.com",
+        },
+      ]);
+      const original = getProvider("github");
+      expect(original).toBeDefined();
+      expect(original!.baseUrl).toBe("https://api.github.com");
+      const originalCreatedAt = original!.createdAt;
+      // Re-seed with corrected values (simulates a code fix deployed on upgrade)
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/login/oauth/authorize-v2",
+          tokenUrl: "https://github.com/login/oauth/access_token-v2",
+          defaultScopes: ["repo", "user"],
+          scopePolicy: { required: ["repo"] },
+          baseUrl: "https://api.github.com/v2",
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row).toBeDefined();
+      // Seed data should overwrite the existing row
+      expect(row!.authUrl).toBe("https://github.com/login/oauth/authorize-v2");
+      expect(row!.tokenUrl).toBe(
+        "https://github.com/login/oauth/access_token-v2",
+      );
+      expect(row!.baseUrl).toBe("https://api.github.com/v2");
+      expect(JSON.parse(row!.defaultScopes)).toEqual(["repo", "user"]);
+      expect(JSON.parse(row!.scopePolicy)).toEqual({ required: ["repo"] });
+      // createdAt should be preserved from the original insert
+      expect(row!.createdAt).toBe(originalCreatedAt);
+    });
+  });
+  describe("getProvider", () => {
+    test("returns the correct row", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/authorize",
+          tokenUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          callbackTransport: "loopback",
+          loopbackPort: 8765,
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row).toBeDefined();
+      expect(row!.providerKey).toBe("github");
+      expect(row!.callbackTransport).toBe("loopback");
+      expect(row!.loopbackPort).toBe(8765);
+    });
+    test("returns undefined for unknown keys", () => {
+      expect(getProvider("nonexistent")).toBeUndefined();
+    });
+  });
+  describe("registerProvider", () => {
+    test("creates a new row", () => {
+      const row = registerProvider({
+        providerKey: "linear",
+        authUrl: "https://linear.app/oauth/authorize",
+        tokenUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      expect(row.providerKey).toBe("linear");
+      expect(row.authUrl).toBe("https://linear.app/oauth/authorize");
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.providerKey).toBe("linear");
+    });
+    test("throws for duplicate provider_key", () => {
+      registerProvider({
+        providerKey: "linear",
+        authUrl: "https://linear.app/oauth/authorize",
+        tokenUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      expect(() =>
+        registerProvider({
+          providerKey: "linear",
+          authUrl: "https://linear.app/oauth/authorize",
+          tokenUrl: "https://api.linear.app/oauth/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        }),
+      ).toThrow(/already exists.*linear/);
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// App operations
+// ---------------------------------------------------------------------------
+describe("app operations", () => {
+  describe("upsertApp", () => {
+    test("creates a new app and returns it with a UUID", async () => {
+      seedTestProvider("github");
+      const app = await upsertApp("github", "client-abc");
+      expect(app.id).toBeTruthy();
+      // UUID v4 format check
+      expect(app.id).toMatch(
+        /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/,
+      );
+      expect(app.providerKey).toBe("github");
+      expect(app.clientId).toBe("client-abc");
+      expect(app.createdAt).toBeGreaterThan(0);
+      expect(app.updatedAt).toBeGreaterThan(0);
+    });
+    test("returns the existing app when called again with same (providerKey, clientId)", async () => {
+      seedTestProvider("github");
+      const first = await upsertApp("github", "client-abc");
+      const second = await upsertApp("github", "client-abc");
+      expect(second.id).toBe(first.id);
+      expect(second.createdAt).toBe(first.createdAt);
+    });
+    test("stores clientSecret in secure storage on new app creation", async () => {
+      seedTestProvider("github");
+      const app = await upsertApp("github", "client-abc", "my-secret");
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledTimes(1);
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledWith(
+        `oauth_app/${app.id}/client_secret`,
+        "my-secret",
+      );
+    });
+    test("stores clientSecret in secure storage when upserting an existing app", async () => {
+      seedTestProvider("github");
+      const first = await upsertApp("github", "client-abc");
+      mockSetSecureKeyAsync.mockClear();
+      await upsertApp("github", "client-abc", "updated-secret");
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledTimes(1);
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledWith(
+        `oauth_app/${first.id}/client_secret`,
+        "updated-secret",
+      );
+    });
+    test("throws when setSecureKeyAsync returns false", async () => {
+      seedTestProvider("github");
+      mockSetSecureKeyAsync.mockResolvedValueOnce(false);
+      await expect(
+        upsertApp("github", "client-abc", "bad-secret"),
+      ).rejects.toThrow("Failed to store client_secret in secure storage");
+    });
+  });
+  describe("getApp", () => {
+    test("returns the correct row by id", async () => {
+      const app = await createTestApp("github", "client-1");
+      const fetched = getApp(app.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.id).toBe(app.id);
+      expect(fetched!.providerKey).toBe("github");
+      expect(fetched!.clientId).toBe("client-1");
+    });
+    test("returns undefined for unknown id", () => {
+      expect(getApp("nonexistent-id")).toBeUndefined();
+    });
+  });
+  describe("getAppByProviderAndClientId", () => {
+    test("returns the correct row", async () => {
+      const app = await createTestApp("github", "client-1");
+      const fetched = getAppByProviderAndClientId("github", "client-1");
+      expect(fetched).toBeDefined();
+      expect(fetched!.id).toBe(app.id);
+    });
+    test("returns undefined for unknown combination", () => {
+      expect(
+        getAppByProviderAndClientId("github", "nonexistent"),
+      ).toBeUndefined();
+    });
+  });
+  describe("deleteApp", () => {
+    test("removes the row and returns true", async () => {
+      const app = await createTestApp("github", "client-1");
+      const deleted = await deleteApp(app.id);
+      expect(deleted).toBe(true);
+      expect(getApp(app.id)).toBeUndefined();
+    });
+    test("cleans up client_secret from secure storage", async () => {
+      const app = await createTestApp("github", "client-1");
+      mockDeleteSecureKeyAsync.mockClear();
+      await deleteApp(app.id);
+      expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+        `oauth_app/${app.id}/client_secret`,
+      );
+    });
+    test("returns false for nonexistent id", async () => {
+      expect(await deleteApp("nonexistent-id")).toBe(false);
+    });
+    test("throws when deleteSecureKeyAsync returns error", async () => {
+      const app = await createTestApp("github", "client-1");
+      mockDeleteSecureKeyAsync.mockResolvedValueOnce("error");
+      await expect(deleteApp(app.id)).rejects.toThrow(
+        /failed to remove client_secret from secure storage/i,
+      );
+      // DB row should already be deleted (delete happens before secure key cleanup)
+      expect(getApp(app.id)).toBeUndefined();
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// Connection operations
+// ---------------------------------------------------------------------------
+describe("connection operations", () => {
+  describe("createConnection", () => {
+    test("creates a row with status='active'", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo", "user"],
+        hasRefreshToken: true,
+        accountInfo: "user@example.com",
+        label: "Primary GitHub",
+        metadata: { login: "octocat" },
+      });
+      expect(conn.id).toBeTruthy();
+      expect(conn.oauthAppId).toBe(app.id);
+      expect(conn.providerKey).toBe("github");
+      expect(conn.status).toBe("active");
+      expect(JSON.parse(conn.grantedScopes)).toEqual(["repo", "user"]);
+      expect(conn.hasRefreshToken).toBe(1);
+      expect(conn.accountInfo).toBe("user@example.com");
+      expect(conn.label).toBe("Primary GitHub");
+      expect(JSON.parse(conn.metadata!)).toEqual({ login: "octocat" });
+      expect(conn.createdAt).toBeGreaterThan(0);
+    });
+  });
+  describe("getConnection", () => {
+    test("returns the correct row", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const fetched = getConnection(conn.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.id).toBe(conn.id);
+      expect(fetched!.providerKey).toBe("github");
+    });
+    test("returns undefined for unknown id", () => {
+      expect(getConnection("nonexistent-id")).toBeUndefined();
+    });
+  });
+  describe("getConnectionByProvider", () => {
+    test("returns the most recent active connection", async () => {
+      const app = await createTestApp("github", "client-1");
+      // Create two connections with explicit timestamps so ordering is deterministic
+      createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+        createdAt: 1000,
+      });
+      const conn2 = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo", "user"],
+        hasRefreshToken: true,
+        createdAt: 2000,
+      });
+      const result = getConnectionByProvider("github");
+      expect(result).toBeDefined();
+      expect(result!.id).toBe(conn2.id);
+    });
+    test("skips connections with status='revoked'", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn1 = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const conn2 = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo", "user"],
+        hasRefreshToken: true,
+      });
+      // Revoke the most recent connection
+      updateConnection(conn2.id, { status: "revoked" });
+      const result = getConnectionByProvider("github");
+      expect(result).toBeDefined();
+      expect(result!.id).toBe(conn1.id);
+    });
+    test("skips connections with status='expired'", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      updateConnection(conn.id, { status: "expired" });
+      const result = getConnectionByProvider("github");
+      expect(result).toBeUndefined();
+    });
+    test("returns undefined when no active connections exist", () => {
+      expect(getConnectionByProvider("github")).toBeUndefined();
+    });
+  });
+  describe("isProviderConnected", () => {
+    test("returns true when active connection has an access token in secure storage", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      secureKeyValues.set(`oauth_connection/${conn.id}/access_token`, "tok");
+      expect(isProviderConnected("github")).toBe(true);
+    });
+    test("returns false when active connection exists but access token is missing", async () => {
+      const app = await createTestApp("github", "client-1");
+      createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      // No secure key set — simulates failed token write
+      expect(isProviderConnected("github")).toBe(false);
+    });
+    test("returns false when no connection exists", () => {
+      expect(isProviderConnected("github")).toBe(false);
+    });
+    test("returns false when connection is revoked even with token in store", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      updateConnection(conn.id, { status: "revoked" });
+      secureKeyValues.set(`oauth_connection/${conn.id}/access_token`, "tok");
+      expect(isProviderConnected("github")).toBe(false);
+    });
+  });
+  describe("updateConnection", () => {
+    test("modifies specific fields", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const updated = updateConnection(conn.id, {
+        status: "revoked",
+        label: "Revoked account",
+        grantedScopes: ["repo", "user", "gist"],
+        hasRefreshToken: true,
+        metadata: { reason: "user-requested" },
+      });
+      expect(updated).toBe(true);
+      const fetched = getConnection(conn.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.status).toBe("revoked");
+      expect(fetched!.label).toBe("Revoked account");
+      expect(JSON.parse(fetched!.grantedScopes)).toEqual([
+        "repo",
+        "user",
+        "gist",
+      ]);
+      expect(fetched!.hasRefreshToken).toBe(1);
+      expect(JSON.parse(fetched!.metadata!)).toEqual({
+        reason: "user-requested",
+      });
+      expect(fetched!.updatedAt).toBeGreaterThanOrEqual(conn.createdAt);
+    });
+    test("updates oauthAppId to a different app", async () => {
+      const app1 = await createTestApp("github", "client-1");
+      const app2 = await upsertApp("github", "client-2");
+      const conn = createConnection({
+        oauthAppId: app1.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      expect(getConnection(conn.id)!.oauthAppId).toBe(app1.id);
+      const updated = updateConnection(conn.id, { oauthAppId: app2.id });
+      expect(updated).toBe(true);
+      const fetched = getConnection(conn.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.oauthAppId).toBe(app2.id);
+    });
+    test("returns false for nonexistent id", () => {
+      expect(updateConnection("nonexistent-id", { status: "revoked" })).toBe(
+        false,
+      );
+    });
+  });
+  describe("listConnections", () => {
+    test("returns all connections when no filter is given", async () => {
+      const ghApp = await createTestApp("github", "client-1");
+      seedTestProvider("google");
+      const googApp = await upsertApp("google", "client-2");
+      createConnection({
+        oauthAppId: ghApp.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      createConnection({
+        oauthAppId: googApp.id,
+        providerKey: "google",
+        grantedScopes: ["email"],
+        hasRefreshToken: true,
+      });
+      const all = listConnections();
+      expect(all).toHaveLength(2);
+    });
+    test("filters by provider key", async () => {
+      const ghApp = await createTestApp("github", "client-1");
+      seedTestProvider("google");
+      const googApp = await upsertApp("google", "client-2");
+      createConnection({
+        oauthAppId: ghApp.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      createConnection({
+        oauthAppId: googApp.id,
+        providerKey: "google",
+        grantedScopes: ["email"],
+        hasRefreshToken: true,
+      });
+      const ghConns = listConnections("github");
+      expect(ghConns).toHaveLength(1);
+      expect(ghConns[0].providerKey).toBe("github");
+      const googConns = listConnections("google");
+      expect(googConns).toHaveLength(1);
+      expect(googConns[0].providerKey).toBe("google");
+    });
+    test("returns empty array when no connections exist", () => {
+      expect(listConnections()).toEqual([]);
+    });
+  });
+  describe("deleteConnection", () => {
+    test("removes the row and returns true", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const deleted = deleteConnection(conn.id);
+      expect(deleted).toBe(true);
+      expect(getConnection(conn.id)).toBeUndefined();
+    });
+    test("returns false for nonexistent id", () => {
+      expect(deleteConnection("nonexistent-id")).toBe(false);
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// disconnectOAuthProvider
+// ---------------------------------------------------------------------------
+describe("disconnectOAuthProvider", () => {
+  test("returns 'not-found' when no connection exists for the provider", async () => {
+    const result = await disconnectOAuthProvider("github");
+    expect(result).toBe("not-found");
+    expect(mockDeleteSecureKeyAsync).not.toHaveBeenCalled();
+  });
+  test("returns 'disconnected' and deletes connection row and secure keys when connection exists", async () => {
+    const app = await createTestApp("github", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      providerKey: "github",
+      grantedScopes: ["repo"],
+      hasRefreshToken: true,
+    });
+    const result = await disconnectOAuthProvider("github");
+    expect(result).toBe("disconnected");
+    // Verify secure keys were deleted
+    expect(mockDeleteSecureKeyAsync).toHaveBeenCalledTimes(2);
+    expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+      `oauth_connection/${conn.id}/access_token`,
+    );
+    expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+      `oauth_connection/${conn.id}/refresh_token`,
+    );
+    // Verify connection row was deleted
+    expect(getConnection(conn.id)).toBeUndefined();
+  });
+});
+// ---------------------------------------------------------------------------
+// FK constraint enforcement
+// ---------------------------------------------------------------------------
+describe("FK constraints", () => {
+  test("creating an app with a nonexistent provider_key fails", async () => {
+    await expect(
+      upsertApp("nonexistent-provider", "client-1"),
+    ).rejects.toThrow();
+  });
+  test("creating a connection with a nonexistent oauth_app_id fails", () => {
+    seedTestProvider("github");
+    expect(() =>
+      createConnection({
+        oauthAppId: "nonexistent-app-id",
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      }),
+    ).toThrow();
+  });
+});