@vellumai/assistant 0.4.48 → 0.4.49

package/src/messaging/providers/gmail/client.ts

@@ -83,6 +83,20 @@ function extractNonAuthHeaders(
   return Object.keys(result).length > 0 ? result : undefined;
 }
 
+/**
+ * Convert URLSearchParams to a query record, collapsing multi-valued keys into arrays.
+ */
+function paramsToQuery(
+  params: URLSearchParams,
+): Record<string, string | string[]> {
+  const result: Record<string, string | string[]> = {};
+  for (const key of new Set(params.keys())) {
+    const values = params.getAll(key);
+    result[key] = values.length === 1 ? values[0] : values;
+  }
+  return result;
+}
+
 /**
  * Extract the JSON body from request options for use with OAuthConnection.
  */
@@ -102,6 +116,7 @@ async function request<T>(
   connection: OAuthConnection,
   path: string,
   options?: GmailRequestOptions,
+  query?: Record<string, string | string[]>,
 ): Promise<T> {
   const canRetry = options?.retryable ?? isIdempotent(options);
   const method = (options?.method ?? "GET").toUpperCase();
@@ -112,6 +127,7 @@ async function request<T>(
       resp = await connection.request({
         method,
         path,
+        query,
         headers: {
           "Content-Type": "application/json",
           ...extractNonAuthHeaders(options),
@@ -171,7 +187,12 @@ export async function listMessages(
   if (labelIds) {
     for (const id of labelIds) params.append("labelIds", id);
   }
-  return request<GmailMessageListResponse>(connection, `/messages?${params}`);
+  return request<GmailMessageListResponse>(
+    connection,
+    "/messages",
+    undefined,
+    paramsToQuery(params),
+  );
 }
 
 /** Get a single message by ID. */
@@ -187,7 +208,12 @@ export async function getMessage(
     for (const h of metadataHeaders) params.append("metadataHeaders", h);
   }
   if (fields) params.set("fields", fields);
-  return request<GmailMessage>(connection, `/messages/${messageId}?${params}`);
+  return request<GmailMessage>(
+    connection,
+    `/messages/${messageId}`,
+    undefined,
+    paramsToQuery(params),
+  );
 }
 
 /**
@@ -332,10 +358,44 @@ async function executeBatchCall(
   return connection.withToken(doBatchFetch);
 }
 
+/** Max concurrent individual getMessage requests (matches batch concurrency) */
+const INDIVIDUAL_CONCURRENCY = BATCH_CONCURRENCY;
+
+/**
+ * Fetch all messages individually using getMessage (no batch endpoint).
+ * Used as a fallback when the batch API is unavailable (e.g. platform connections
+ * that cannot expose raw tokens for the multipart batch endpoint).
+ *
+ * Processes messages in waves of INDIVIDUAL_CONCURRENCY to avoid unbounded
+ * parallelism that would trigger 429s on high-volume paths like senderDigest.
+ */
+async function fetchMessagesIndividually(
+  connection: OAuthConnection,
+  messageIds: string[],
+  format: GmailMessageFormat,
+  metadataHeaders?: string[],
+  fields?: string,
+): Promise<GmailMessage[]> {
+  const results: GmailMessage[] = [];
+  for (let i = 0; i < messageIds.length; i += INDIVIDUAL_CONCURRENCY) {
+    const wave = messageIds.slice(i, i + INDIVIDUAL_CONCURRENCY);
+    const waveResults = await Promise.all(
+      wave.map((id) =>
+        getMessage(connection, id, format, metadataHeaders, fields),
+      ),
+    );
+    results.push(...waveResults);
+  }
+  return results;
+}
+
 /**
  * Get multiple messages using Gmail's batch HTTP endpoint.
  * Packs up to 100 sub-requests per HTTP call and runs up to BATCH_CONCURRENCY calls in parallel.
  * Falls back to individual getMessage for any sub-requests that fail within a batch.
+ *
+ * For connections that do not support raw token access (e.g. platform-managed connections),
+ * falls back to fetching each message individually via connection.request().
  */
 export async function batchGetMessages(
   connection: OAuthConnection,
@@ -359,6 +419,26 @@ export async function batchGetMessages(
     ];
   }
 
+  // Try batch API first; fall back to individual fetches if withToken is unavailable
+  // (e.g. platform-managed connections where raw tokens cannot be exposed).
+  let useBatch = true;
+  try {
+    // Probe withToken availability with a no-op call
+    await connection.withToken(async (token) => token);
+  } catch {
+    useBatch = false;
+  }
+
+  if (!useBatch) {
+    return fetchMessagesIndividually(
+      connection,
+      messageIds,
+      format,
+      metadataHeaders,
+      fields,
+    );
+  }
+
   const results = new Array<GmailMessage | undefined>(messageIds.length).fill(
     undefined,
   );

package/src/messaging/providers/gmail/people-client.ts

@@ -4,7 +4,8 @@
  */
 
 import type { OAuthConnection } from "../../../oauth/connection.js";
-import { GOOGLE_PEOPLE_BASE_URL } from "../../../oauth/provider-base-urls.js";
+
+const GOOGLE_PEOPLE_BASE_URL = "https://people.googleapis.com/v1";
 import { GmailApiError } from "./client.js";
 import type {
   PeopleConnectionsResponse,
@@ -16,10 +17,12 @@ const PERSON_FIELDS = "names,emailAddresses,phoneNumbers,organizations";
 async function request<T>(
   connection: OAuthConnection,
   path: string,
+  query?: Record<string, string | string[]>,
 ): Promise<T> {
   const resp = await connection.request({
     method: "GET",
     path,
+    query,
     baseUrl: GOOGLE_PEOPLE_BASE_URL,
   });
 
@@ -44,14 +47,15 @@ export async function listContacts(
   pageSize = 50,
   pageToken?: string,
 ): Promise<PeopleConnectionsResponse> {
-  const params = new URLSearchParams({
+  const query: Record<string, string> = {
     personFields: PERSON_FIELDS,
     pageSize: String(pageSize),
-  });
-  if (pageToken) params.set("pageToken", pageToken);
+  };
+  if (pageToken) query.pageToken = pageToken;
   return request<PeopleConnectionsResponse>(
     connection,
-    `/people/me/connections?${params}`,
+    "/people/me/connections",
+    query,
   );
 }
 
@@ -60,12 +64,8 @@ export async function searchContacts(
   connection: OAuthConnection,
   query: string,
 ): Promise<PeopleSearchResponse> {
-  const params = new URLSearchParams({
+  return request<PeopleSearchResponse>(connection, "/people:searchContacts", {
     query,
     readMask: PERSON_FIELDS,
   });
-  return request<PeopleSearchResponse>(
-    connection,
-    `/people:searchContacts?${params}`,
-  );
 }

package/src/messaging/providers/telegram-bot/adapter.ts

@@ -6,14 +6,16 @@
  * with OAuth tokens, Telegram delivery is proxied through the gateway which
  * owns the bot token and handles Telegram API retries.
  *
- * The `token` parameter in MessagingProvider methods is unused for Telegram
- * because delivery is authenticated via the gateway's bearer token, not
- * a per-user OAuth token.
+ * The `connectionOrToken` parameter in MessagingProvider methods is unused
+ * for Telegram because delivery is authenticated via the gateway's bearer
+ * token, not a per-user OAuth token.
  */
 
 import { getGatewayInternalBaseUrl } from "../../../config/env.js";
 import { getOrCreateConversation } from "../../../memory/conversation-key-store.js";
 import * as externalConversationStore from "../../../memory/external-conversation-store.js";
+import type { OAuthConnection } from "../../../oauth/connection.js";
+import { getConnectionByProvider } from "../../../oauth/oauth-store.js";
 import { mintDaemonDeliveryToken } from "../../../runtime/auth/token-service.js";
 import { credentialKey } from "../../../security/credential-key.js";
 import { getSecureKey } from "../../../security/secure-keys.js";
@@ -31,7 +33,7 @@ import type {
 } from "../../provider-types.js";
 import * as telegram from "./client.js";
 
-/** Resolve the gateway base URL, preferring GATEWAY_INTERNAL_BASE_URL if set. */
+/** Resolve the gateway base URL. */
 function getGatewayUrl(): string {
   return getGatewayInternalBaseUrl();
 }
@@ -53,23 +55,21 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   capabilities: new Set(["send"]),
 
   /**
-   * Custom connectivity check. The standard registry check looks for
-   * credential/telegram/access_token, but the Telegram bot token is
-   * stored as credential/telegram/bot_token. This method lets the
-   * registry detect that Telegram credentials exist.
+   * Custom connectivity check using the oauth_connection record as the
+   * single source of truth, consistent with integration-status.ts.
    *
    * Both bot_token and webhook_secret are required — the gateway's
    * /deliver/telegram endpoint rejects requests without the webhook
    * secret, so partial credentials would cause every send to fail.
    */
   isConnected(): boolean {
-    return (
-      getBotToken() !== undefined &&
-      !!getSecureKey(credentialKey("telegram", "webhook_secret"))
-    );
+    const conn = getConnectionByProvider("telegram");
+    return !!(conn && conn.status === "active");
   },
 
-  async testConnection(_token: string): Promise<ConnectionInfo> {
+  async testConnection(
+    _connectionOrToken: OAuthConnection | string,
+  ): Promise<ConnectionInfo> {
     const botToken = getBotToken();
     if (!botToken) {
       return {
@@ -114,7 +114,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     _options?: SendOptions,
@@ -152,7 +152,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   // interact with chats where users have initiated contact or the bot
   // has been added to a group.
   async listConversations(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _options?: ListOptions,
   ): Promise<Conversation[]> {
     return [];
@@ -160,7 +160,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
 
   // Telegram Bot API does not provide message history retrieval.
   async getHistory(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _conversationId: string,
     _options?: HistoryOptions,
   ): Promise<Message[]> {
@@ -169,7 +169,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
 
   // Telegram Bot API does not support message search.
   async search(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _query: string,
     _options?: SearchOptions,
   ): Promise<SearchResult> {

package/src/messaging/providers/whatsapp/adapter.ts

@@ -5,14 +5,15 @@
  * endpoint. Delivery is proxied through the gateway which owns the Meta Cloud API
  * credentials (phone_number_id + access_token).
  *
- * The `token` parameter in MessagingProvider methods is unused for WhatsApp
- * because delivery is authenticated via the gateway's bearer token, not
- * a per-user OAuth token.
+ * The `connectionOrToken` parameter in MessagingProvider methods is unused
+ * for WhatsApp because delivery is authenticated via the gateway's bearer
+ * token, not a per-user OAuth token.
  */
 
 import { getGatewayInternalBaseUrl } from "../../../config/env.js";
 import { getOrCreateConversation } from "../../../memory/conversation-key-store.js";
 import * as externalConversationStore from "../../../memory/external-conversation-store.js";
+import type { OAuthConnection } from "../../../oauth/connection.js";
 import { mintDaemonDeliveryToken } from "../../../runtime/auth/token-service.js";
 import { credentialKey } from "../../../security/credential-key.js";
 import { getSecureKey } from "../../../security/secure-keys.js";
@@ -61,7 +62,9 @@ export const whatsappMessagingProvider: MessagingProvider = {
     return hasWhatsAppCredentials();
   },
 
-  async testConnection(_token: string): Promise<ConnectionInfo> {
+  async testConnection(
+    _connectionOrToken: OAuthConnection | string,
+  ): Promise<ConnectionInfo> {
     if (!hasWhatsAppCredentials()) {
       return {
         connected: false,
@@ -89,7 +92,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     conversationId: string,
     text: string,
     options?: SendOptions,
@@ -133,7 +136,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not support listing conversations via this provider.
   async listConversations(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _options?: ListOptions,
   ): Promise<Conversation[]> {
     return [];
@@ -141,7 +144,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not provide message history retrieval via the gateway.
   async getHistory(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _conversationId: string,
     _options?: HistoryOptions,
   ): Promise<Message[]> {
@@ -150,7 +153,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not support message search.
   async search(
-    _token: string,
+    _connectionOrToken: OAuthConnection | string,
     _query: string,
     _options?: SearchOptions,
   ): Promise<SearchResult> {

package/src/messaging/registry.ts

@@ -2,21 +2,9 @@
  * Messaging provider registry — register/lookup providers by platform ID.
  */
 
-import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
-import { getConfig } from "../config/loader.js";
-import { credentialKey } from "../security/credential-key.js";
-import { getSecureKey } from "../security/secure-keys.js";
+import { isProviderConnected } from "../oauth/oauth-store.js";
 import type { MessagingProvider } from "./provider.js";
 
-/**
- * Per-platform feature flag keys. Platforms not listed here are allowed
- * by default (undeclared keys resolve to `true`).
- */
-const PLATFORM_FLAG_KEYS: Record<string, string> = {
-  gmail: "feature_flags.messaging.gmail.enabled",
-  telegram: "feature_flags.messaging.telegram.enabled",
-};
-
 const providers = new Map<string, MessagingProvider>();
 
 export function registerMessagingProvider(provider: MessagingProvider): void {
@@ -31,32 +19,14 @@ export function getMessagingProvider(id: string): MessagingProvider {
       `Messaging provider "${id}" not found. Available: ${available}`,
     );
   }
-  assertPlatformEnabled(id);
   return provider;
 }
 
-export function isPlatformEnabled(platformId: string): boolean {
-  const flagKey = PLATFORM_FLAG_KEYS[platformId];
-  if (!flagKey) return true;
-  return isAssistantFeatureFlagEnabled(flagKey, getConfig());
-}
-
-function assertPlatformEnabled(platformId: string): void {
-  if (!isPlatformEnabled(platformId)) {
-    throw new Error(
-      `The ${platformId} platform is not enabled. Enable it in Settings > Features.`,
-    );
-  }
-}
-
 /** Return all registered providers that have stored credentials. */
 export function getConnectedProviders(): MessagingProvider[] {
   return Array.from(providers.values()).filter((p) => {
     if (p.isConnected) return p.isConnected();
-    const token = getSecureKey(
-      credentialKey(p.credentialService, "access_token"),
-    );
-    return token !== undefined;
+    return isProviderConnected(p.credentialService);
   });
 }
 

package/src/notifications/copy-composer.ts

@@ -351,11 +351,6 @@ const TEMPLATES: Partial<Record<NotificationSourceEventName, CopyTemplate>> = {
     title: "Voice Response",
     body: str(payload.preview, "A voice response is ready"),
   }),
-
-  "ride_shotgun.invitation": (payload) => ({
-    title: "Ride Shotgun",
-    body: str(payload.message, "You have been invited to ride shotgun"),
-  }),
 };
 
 /**

package/src/notifications/signal.ts

@@ -37,7 +37,10 @@ export const NOTIFICATION_SOURCE_EVENT_NAMES = [
     id: "user.send_notification",
     description: "User-initiated notification via assistant tool",
   },
-  { id: "schedule.notify", description: "Scheduled notification triggered (one-shot or recurring)" },
+  {
+    id: "schedule.notify",
+    description: "Scheduled notification triggered (one-shot or recurring)",
+  },
   { id: "schedule.complete", description: "Scheduled task finished running" },
   {
     id: "guardian.question",
@@ -89,10 +92,6 @@ export const NOTIFICATION_SOURCE_EVENT_NAMES = [
     id: "voice.response_ready",
     description: "Voice response ready for playback",
   },
-  {
-    id: "ride_shotgun.invitation",
-    description: "Invitation to ride shotgun on a session",
-  },
 ] as const;
 
 export type NotificationSourceEventName =

package/src/oauth/byo-connection.test.ts

@@ -63,14 +63,49 @@ mock.module("../security/oauth2.js", () => {
   };
 });
 
+// ---------------------------------------------------------------------------
+// Mock oauth-store — token-manager reads refresh config from SQLite
+// ---------------------------------------------------------------------------
+
+/** Mutable per-test map of provider connections for getConnectionByProvider */
+const mockConnections = new Map<
+  string,
+  {
+    id: string;
+    providerKey: string;
+    oauthAppId: string;
+    expiresAt: number | null;
+    grantedScopes?: string;
+    accountInfo?: string | null;
+  }
+>();
+const mockApps = new Map<
+  string,
+  { id: string; providerKey: string; clientId: string }
+>();
+const mockProviders = new Map<
+  string,
+  {
+    key: string;
+    tokenUrl: string;
+    tokenEndpointAuthMethod?: string;
+    baseUrl?: string;
+  }
+>();
+
+mock.module("./oauth-store.js", () => ({
+  getConnectionByProvider: (service: string) => mockConnections.get(service),
+  getApp: (id: string) => mockApps.get(id),
+  getProvider: (key: string) => mockProviders.get(key),
+  updateConnection: () => {},
+  getMostRecentAppByProvider: () => undefined,
+  listConnections: () => [],
+}));
+
 // ---------------------------------------------------------------------------
 // Imports (after mocks)
 // ---------------------------------------------------------------------------
 
-import {
-  _resetMigrationFlag,
-  credentialKey,
-} from "../security/credential-key.js";
 import { setSecureKey } from "../security/secure-keys.js";
 import {
   _resetInflightRefreshes,
@@ -88,7 +123,6 @@ import { resolveOAuthConnection } from "./connection-resolver.js";
 // ---------------------------------------------------------------------------
 
 const originalFetch = globalThis.fetch;
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
 let mockFetch: ReturnType<typeof mock<any>>;
 
 // ---------------------------------------------------------------------------
@@ -110,7 +144,10 @@ beforeEach(() => {
   _resetBackend();
   _resetRefreshBreakers();
   _resetInflightRefreshes();
-  _resetMigrationFlag();
+  // Clear mock oauth-store maps
+  mockConnections.clear();
+  mockApps.clear();
+  mockProviders.clear();
 
   // Default mock fetch returning 200 JSON
   mockFetch = mock(() =>
@@ -139,16 +176,40 @@ function setupCredential(
   service: string,
   opts?: { expiresAt?: number; grantedScopes?: string[] },
 ) {
-  setSecureKey(credentialKey(service, "access_token"), "test-access-token");
-  setSecureKey(credentialKey(service, "refresh_token"), "test-refresh-token");
-  setSecureKey(credentialKey(service, "client_secret"), "test-client-secret");
-  upsertCredentialMetadata(service, "access_token", {
+  // Seed mock oauth-store maps so token-manager can resolve refresh config
+  const appId = `app-${service}`;
+  const connId = `conn-${service}`;
+  mockProviders.set(service, {
+    key: service,
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    // Only well-known providers (gmail) have a baseUrl; custom services don't
+    baseUrl:
+      service === "integration:gmail"
+        ? "https://gmail.googleapis.com/gmail/v1/users/me"
+        : undefined,
+  });
+  mockApps.set(appId, {
+    id: appId,
+    providerKey: service,
+    clientId: "test-client-id",
+  });
+  mockConnections.set(service, {
+    id: connId,
+    providerKey: service,
+    oauthAppId: appId,
     expiresAt: opts?.expiresAt ?? Date.now() + 3600 * 1000,
-    grantedScopes: opts?.grantedScopes ?? ["read", "write"],
-    oauth2TokenUrl: "https://oauth2.googleapis.com/token",
-    oauth2ClientId: "test-client-id",
-    hasRefreshToken: true,
+    grantedScopes: JSON.stringify(opts?.grantedScopes ?? ["read", "write"]),
+    accountInfo: null,
   });
+  // Store access token in oauth-store key format
+  setSecureKey(`oauth_connection/${connId}/access_token`, "test-access-token");
+  // Store refresh token and client_secret in secure keys (token-manager reads them)
+  setSecureKey(
+    `oauth_connection/${connId}/refresh_token`,
+    "test-refresh-token",
+  );
+  setSecureKey(`oauth_app/${appId}/client_secret`, "test-client-secret");
+  upsertCredentialMetadata(service, "access_token", {});
 }
 
 function createConnection(service = "integration:gmail"): BYOOAuthConnection {
@@ -185,10 +246,10 @@ describe("BYOOAuthConnection", () => {
       expect(url).toBe(
         "https://gmail.googleapis.com/gmail/v1/users/me/messages",
       );
-      expect((init as RequestInit).headers).toMatchObject({
-        Authorization: "Bearer test-access-token",
-        "Content-Type": "application/json",
-      });
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("Authorization")).toBe("Bearer test-access-token");
+      // GET requests have no body, so Content-Type should not be set
+      expect(headers.has("Content-Type")).toBe(false);
       expect((init as RequestInit).method).toBe("GET");
     });
 
@@ -237,6 +298,9 @@ describe("BYOOAuthConnection", () => {
         JSON.stringify({ raw: "base64-encoded-email" }),
       );
       expect((init as RequestInit).method).toBe("POST");
+      // POST requests with a body should include Content-Type
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("Content-Type")).toBe("application/json");
     });
 
     test("retries once on 401 response", async () => {
@@ -336,10 +400,9 @@ describe("BYOOAuthConnection", () => {
       });
 
       const [, init] = mockFetch.mock.calls[0];
-      expect((init as RequestInit).headers).toMatchObject({
-        "X-Custom-Header": "custom-value",
-        Authorization: "Bearer test-access-token",
-      });
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("X-Custom-Header")).toBe("custom-value");
+      expect(headers.get("Authorization")).toBe("Bearer test-access-token");
     });
   });
 
@@ -361,9 +424,10 @@ describe("BYOOAuthConnection", () => {
 
       // The request should use the refreshed token
       const [, init] = mockFetch.mock.calls[0];
-      expect((init as RequestInit).headers).toMatchObject({
-        Authorization: "Bearer refreshed-access-token",
-      });
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("Authorization")).toBe(
+        "Bearer refreshed-access-token",
+      );
     });
   });
 
@@ -433,4 +497,41 @@ describe("resolveOAuthConnection", () => {
       /No base URL configured for "integration:custom-service"/,
     );
   });
+
+  test("resolves base URL via app's canonical providerKey for custom credential_service", () => {
+    // Set up a well-known provider with a baseUrl
+    mockProviders.set("github", {
+      key: "github",
+      tokenUrl: "https://github.com/login/oauth/access_token",
+      baseUrl: "https://api.github.com",
+    });
+    // The custom credential service has no provider entry of its own
+    // (getProvider("integration:github-work") returns undefined)
+
+    // App points to the canonical "github" provider
+    const appId = "app-github-work";
+    mockApps.set(appId, {
+      id: appId,
+      providerKey: "github",
+      clientId: "test-client-id",
+    });
+
+    // Connection uses the custom credential service as its providerKey
+    const connId = "conn-github-work";
+    mockConnections.set("integration:github-work", {
+      id: connId,
+      providerKey: "integration:github-work",
+      oauthAppId: appId,
+      expiresAt: Date.now() + 3600 * 1000,
+      grantedScopes: JSON.stringify(["repo"]),
+      accountInfo: null,
+    });
+    setSecureKey(`oauth_connection/${connId}/access_token`, "ghp-test-token");
+
+    const conn = resolveOAuthConnection("integration:github-work");
+
+    expect(conn).toBeInstanceOf(BYOOAuthConnection);
+    expect(conn.providerKey).toBe("integration:github-work");
+    expect(conn.grantedScopes).toEqual(["repo"]);
+  });
 });