@vellumai/assistant 0.4.48 → 0.4.49

package/src/runtime/routes/settings-routes.ts

@@ -14,22 +14,23 @@ import { loadSkillCatalog } from "../../config/skills.js";
 import { normalizeActivationKey } from "../../daemon/handlers/config-voice.js";
 import { orchestrateOAuthConnect } from "../../oauth/connect-orchestrator.js";
 import {
-  getProviderProfile,
+  getApp,
+  getConnectionByProvider,
+  getMostRecentAppByProvider,
+  getProvider,
+} from "../../oauth/oauth-store.js";
+import {
+  getProviderBehavior,
   resolveService,
-} from "../../oauth/provider-profiles.js";
+} from "../../oauth/provider-behaviors.js";
 import {
   check,
   classifyRisk,
   generateAllowlistOptions,
   generateScopeOptions,
 } from "../../permissions/checker.js";
-import { credentialKey } from "../../security/credential-key.js";
 import { getSecureKey } from "../../security/secure-keys.js";
 import { parseToolManifestFile } from "../../skills/tool-manifest.js";
-import {
-  assertMetadataWritable,
-  getCredentialMetadata,
-} from "../../tools/credentials/metadata-store.js";
 import {
   type ManifestOverride,
   resolveExecutionTarget,
@@ -139,50 +140,39 @@ function sanitizeOAuthError(message: string): string {
   return "OAuth authentication failed. Please try again.";
 }
 
-/** Resolve client_secret from the keychain, checking canonical then alias service name. */
-function getClientSecret(
-  resolvedService: string,
-  rawService: string,
-): string | undefined {
-  return (
-    getSecureKey(credentialKey(resolvedService, "client_secret")) ??
-    (resolvedService !== rawService
-      ? getSecureKey(credentialKey(rawService, "client_secret"))
-      : undefined) ??
-    undefined
-  );
-}
-
 async function handleOAuthConnectStart(body: {
   service?: string;
   requestedScopes?: string[];
 }): Promise<Response> {
-  try {
-    assertMetadataWritable();
-  } catch {
-    return httpError(
-      "UNPROCESSABLE_ENTITY",
-      "Credential metadata file has an unrecognized version. Cannot store OAuth credentials.",
-      422,
-    );
-  }
-
   if (!body.service) {
     return httpError("BAD_REQUEST", "Missing required field: service", 400);
   }
 
   const resolvedService = resolveService(body.service);
 
-  // client_id is stored in metadata (oauth2ClientId), not the secure store.
-  let clientId = getCredentialMetadata(
-    resolvedService,
-    "access_token",
-  )?.oauth2ClientId;
-  if (!clientId && resolvedService !== body.service) {
-    clientId = getCredentialMetadata(
-      body.service,
-      "access_token",
-    )?.oauth2ClientId;
+  // Resolve client_id and client_secret from oauth-store.
+  let clientId: string | undefined;
+  let clientSecret: string | undefined;
+
+  // Try existing connection first (re-auth flow)
+  const conn = getConnectionByProvider(resolvedService);
+  if (conn) {
+    const app = getApp(conn.oauthAppId);
+    if (app) {
+      clientId = app.clientId;
+      clientSecret = getSecureKey(`oauth_app/${app.id}/client_secret`);
+    }
+  }
+
+  // Fall back to most recent app for this provider (first-time connect with stored app)
+  if (!clientId) {
+    const dbApp = getMostRecentAppByProvider(resolvedService);
+    if (dbApp) {
+      clientId = dbApp.clientId;
+      if (!clientSecret) {
+        clientSecret = getSecureKey(`oauth_app/${dbApp.id}/client_secret`);
+      }
+    }
   }
 
   if (!clientId) {
@@ -193,12 +183,11 @@ async function handleOAuthConnectStart(body: {
     );
   }
 
-  const clientSecret = getClientSecret(resolvedService, body.service);
-
-  const profile = getProviderProfile(resolvedService);
+  const behavior = getProviderBehavior(resolvedService);
+  const providerRow = getProvider(resolvedService);
   const requiresSecret =
-    profile?.setup?.requiresClientSecret ??
-    !!(profile?.tokenEndpointAuthMethod || profile?.extraParams);
+    behavior?.setup?.requiresClientSecret ??
+    !!(providerRow?.tokenEndpointAuthMethod || providerRow?.extraParams);
   if (requiresSecret && !clientSecret) {
     return httpError(
       "BAD_REQUEST",
@@ -222,6 +211,15 @@ async function handleOAuthConnectStart(body: {
         authUrl = url;
       },
       onDeferredComplete: (deferredResult) => {
+        // Prefer accountInfo from oauth-store when available.
+        let accountInfo = deferredResult.accountInfo;
+        try {
+          const conn = getConnectionByProvider(resolvedService);
+          if (conn?.accountInfo) accountInfo = conn.accountInfo;
+        } catch {
+          // DB not ready — use orchestrator value
+        }
+
         // Emit oauth_connect_result to all connected SSE clients so the
         // UI can update immediately when the deferred browser flow completes.
         assistantEventHub
@@ -230,7 +228,7 @@ async function handleOAuthConnectStart(body: {
               type: "oauth_connect_result",
               success: deferredResult.success,
               service: deferredResult.service,
-              accountInfo: deferredResult.accountInfo,
+              accountInfo,
               error: deferredResult.error,
             }),
           )
@@ -273,10 +271,19 @@ async function handleOAuthConnectStart(body: {
       });
     }
 
+    // Prefer accountInfo from oauth-store when available.
+    let responseAccountInfo = result.accountInfo;
+    try {
+      const conn = getConnectionByProvider(resolvedService);
+      if (conn?.accountInfo) responseAccountInfo = conn.accountInfo;
+    } catch {
+      // DB not ready — use orchestrator value
+    }
+
     return Response.json({
       ok: true,
       grantedScopes: result.grantedScopes,
-      accountInfo: result.accountInfo,
+      accountInfo: responseAccountInfo,
       ...(authUrl ? { authUrl } : {}),
     });
   } catch (err) {

package/src/runtime/routes/surface-action-routes.ts

@@ -10,7 +10,7 @@ import type { RouteDefinition } from "../http-router.js";
 
 const log = getLogger("surface-action-routes");
 
-/** Any object that can handle a surface action (Session or ComputerUseSession). */
+/** Any object that can handle a surface action. */
 interface SurfaceActionTarget {
   handleSurfaceAction(
     surfaceId: string,

package/src/runtime/routes/watch-routes.ts

@@ -0,0 +1,128 @@
+/**
+ * HTTP route handler for watch (ambient observation) functionality.
+ *
+ * Decoupled from computer-use routes so that the watch endpoint has
+ * zero dependency on CU session state.
+ */
+
+import { getLogger } from "../../util/logger.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+const log = getLogger("watch-routes");
+
+// ---------------------------------------------------------------------------
+// Dependency injection interface
+// ---------------------------------------------------------------------------
+
+/**
+ * Minimal interface for watch observation handling.
+ * The daemon wires a concrete implementation at startup.
+ */
+export interface WatchDeps {
+  /** Handle a watch observation. */
+  handleWatchObservation: (params: {
+    watchId: string;
+    sessionId: string;
+    ocrText: string;
+    appName?: string;
+    windowTitle?: string;
+    bundleIdentifier?: string;
+    timestamp: number;
+    captureIndex: number;
+    totalExpected: number;
+  }) => Promise<void>;
+}
+
+// ---------------------------------------------------------------------------
+// Route handler
+// ---------------------------------------------------------------------------
+
+/**
+ * POST /v1/computer-use/watch — send a watch observation.
+ *
+ * Body: { watchId, sessionId, ocrText, appName?, windowTitle?,
+ *         bundleIdentifier?, timestamp, captureIndex, totalExpected }
+ */
+async function handleWatchObservationRoute(
+  req: Request,
+  deps: WatchDeps,
+): Promise<Response> {
+  const body = (await req.json()) as {
+    watchId?: string;
+    sessionId?: string;
+    ocrText?: string;
+    appName?: string;
+    windowTitle?: string;
+    bundleIdentifier?: string;
+    timestamp?: number;
+    captureIndex?: number;
+    totalExpected?: number;
+  };
+
+  if (!body.watchId || typeof body.watchId !== "string") {
+    return httpError("BAD_REQUEST", "watchId is required", 400);
+  }
+  if (!body.sessionId || typeof body.sessionId !== "string") {
+    return httpError("BAD_REQUEST", "sessionId is required", 400);
+  }
+  if (!body.ocrText || typeof body.ocrText !== "string") {
+    return httpError("BAD_REQUEST", "ocrText is required", 400);
+  }
+  if (typeof body.timestamp !== "number") {
+    return httpError("BAD_REQUEST", "timestamp is required", 400);
+  }
+  if (typeof body.captureIndex !== "number") {
+    return httpError("BAD_REQUEST", "captureIndex is required", 400);
+  }
+  if (typeof body.totalExpected !== "number") {
+    return httpError("BAD_REQUEST", "totalExpected is required", 400);
+  }
+
+  try {
+    await deps.handleWatchObservation({
+      watchId: body.watchId,
+      sessionId: body.sessionId,
+      ocrText: body.ocrText,
+      appName: body.appName,
+      windowTitle: body.windowTitle,
+      bundleIdentifier: body.bundleIdentifier,
+      timestamp: body.timestamp,
+      captureIndex: body.captureIndex,
+      totalExpected: body.totalExpected,
+    });
+
+    return Response.json({ ok: true });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error(
+      { err, watchId: body.watchId },
+      "Failed to handle watch observation via HTTP",
+    );
+    return httpError("INTERNAL_ERROR", message, 500);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function watchRouteDefinitions(deps: {
+  getWatchDeps?: () => WatchDeps;
+}): RouteDefinition[] {
+  const getDeps = (): WatchDeps => {
+    if (!deps.getWatchDeps) {
+      throw new Error("Watch deps not available");
+    }
+    return deps.getWatchDeps();
+  };
+
+  return [
+    {
+      endpoint: "computer-use/watch",
+      method: "POST",
+      policyKey: "computer-use/watch",
+      handler: async ({ req }) => handleWatchObservationRoute(req, getDeps()),
+    },
+  ];
+}

package/src/schedule/integration-status.ts

@@ -1,6 +1,8 @@
 import { hasTwilioCredentials } from "../calls/twilio-rest.js";
-import { credentialKey } from "../security/credential-key.js";
-import { getSecureKey } from "../security/secure-keys.js";
+import {
+  getConnectionByProvider,
+  isProviderConnected,
+} from "../oauth/oauth-store.js";
 
 interface IntegrationProbe {
   name: string;
@@ -13,14 +15,12 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
   {
     name: "Gmail",
     category: "email",
-    isConnected: () =>
-      !!getSecureKey(credentialKey("integration:gmail", "access_token")),
+    isConnected: () => isProviderConnected("integration:gmail"),
   },
   {
     name: "Slack",
     category: "messaging",
-    isConnected: () =>
-      !!getSecureKey(credentialKey("integration:slack", "access_token")),
+    isConnected: () => isProviderConnected("integration:slack"),
   },
   {
     name: "Twilio",
@@ -30,9 +30,10 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
   {
     name: "Telegram",
     category: "messaging",
-    isConnected: () =>
-      !!getSecureKey(credentialKey("telegram", "bot_token")) &&
-      !!getSecureKey(credentialKey("telegram", "webhook_secret")),
+    isConnected: () => {
+      const conn = getConnectionByProvider("telegram");
+      return !!(conn && conn.status === "active");
+    },
   },
 ];
 

package/src/security/credential-key.ts

@@ -2,23 +2,8 @@
  * Single source of truth for credential key format in the secure store.
  *
  * Keys follow the pattern: credential/{service}/{field}
- *
- * Previously, keys used colons as delimiters (credential:service:field),
- * which was ambiguous when service names contained colons (e.g.
- * "integration:gmail"). The slash-delimited format avoids this.
  */
 
-import { listCredentialMetadata } from "../tools/credentials/metadata-store.js";
-import { getLogger } from "../util/logger.js";
-import {
-  deleteSecureKey,
-  getSecureKey,
-  listSecureKeys,
-  setSecureKey,
-} from "./secure-keys.js";
-
-const log = getLogger("credential-key");
-
 /**
  * Build a credential key for the secure store.
  *
@@ -27,144 +12,3 @@ const log = getLogger("credential-key");
 export function credentialKey(service: string, field: string): string {
   return `credential/${service}/${field}`;
 }
-
-// ---------------------------------------------------------------------------
-// Migration from colon-delimited keys
-// ---------------------------------------------------------------------------
-
-let migrated = false;
-
-/**
- * Migrate any legacy colon-delimited credential keys to the new
- * slash-delimited format. Idempotent: skips keys that already exist
- * under the new format, and only runs once per process (guarded by a
- * module-level flag).
- *
- * Legacy key format: `credential:<service>:<field>`
- * New key format:    `credential/<service>/<field>`
- *
- * The old colon-delimited format is ambiguous when either the service
- * or field name contains colons — for `credential:A:B:C:D`, you can't
- * tell where the service ends and the field begins without external
- * context.
- *
- * To resolve this, the function first consults the credential metadata
- * store to find which (service, field) pair matches a valid split.
- * If no metadata match is found, it falls back to splitting on the
- * **first** colon after the prefix — this handles the common case
- * where service names are simple (e.g. "doordash.com") and field
- * names may contain colons (e.g. "session:cookies").
- */
-export function migrateKeys(): void {
-  if (migrated) return;
-  migrated = true;
-
-  let allKeys: string[];
-  try {
-    allKeys = listSecureKeys();
-  } catch (err) {
-    log.warn({ err }, "Failed to list secure keys during migration");
-    return;
-  }
-
-  const colonKeys = allKeys.filter(
-    (k) => k.startsWith("credential:") && !k.startsWith("credential/"),
-  );
-  if (colonKeys.length === 0) return;
-
-  log.info(
-    { count: colonKeys.length },
-    "Migrating colon-delimited credential keys to slash-delimited format",
-  );
-
-  // Build a set of known (service, field) pairs from credential metadata
-  // to disambiguate colon-delimited keys.
-  const knownPairs = new Set<string>();
-  try {
-    for (const meta of listCredentialMetadata()) {
-      knownPairs.add(`${meta.service}\0${meta.field}`);
-    }
-  } catch {
-    // If metadata is unavailable, we'll rely on the first-colon fallback.
-  }
-
-  for (const oldKey of colonKeys) {
-    // Strip the "credential:" prefix — `rest` is "service:field" with
-    // potential colons in either part.
-    const rest = oldKey.slice("credential:".length);
-
-    const parsed = parseServiceField(rest, knownPairs);
-    if (parsed === undefined) {
-      log.warn({ key: oldKey }, "Skipping malformed credential key");
-      continue;
-    }
-
-    const { service, field } = parsed;
-    const newKey = credentialKey(service, field);
-
-    // Skip if the new key already exists (idempotent)
-    if (getSecureKey(newKey) !== undefined) {
-      // Clean up old key
-      deleteSecureKey(oldKey);
-      continue;
-    }
-
-    const value = getSecureKey(oldKey);
-    if (value === undefined) {
-      continue;
-    }
-
-    const ok = setSecureKey(newKey, value);
-    if (ok) {
-      deleteSecureKey(oldKey);
-    } else {
-      log.warn(
-        { oldKey, newKey },
-        "Failed to write migrated key; keeping old key",
-      );
-    }
-  }
-}
-
-/**
- * Parse a "service:field" string, using known metadata pairs to
- * disambiguate when colons appear in either part.
- *
- * Strategy:
- * 1. Try every possible split position and check against metadata.
- * 2. If no metadata match, fall back to splitting on the first colon
- *    (field names with colons are more common than service names with colons).
- *
- * Returns undefined for malformed keys that have no colon.
- */
-function parseServiceField(
-  rest: string,
-  knownPairs: Set<string>,
-): { service: string; field: string } | undefined {
-  const firstColon = rest.indexOf(":");
-  if (firstColon <= 0) return undefined;
-
-  // Try each possible split position against metadata
-  if (knownPairs.size > 0) {
-    for (let i = firstColon; i < rest.length; i++) {
-      if (rest[i] !== ":") continue;
-      const service = rest.slice(0, i);
-      const field = rest.slice(i + 1);
-      if (field.length > 0 && knownPairs.has(`${service}\0${field}`)) {
-        return { service, field };
-      }
-    }
-  }
-
-  // Fallback: split on first colon — handles simple services with
-  // compound field names (e.g. "doordash.com:session:cookies").
-  return {
-    service: rest.slice(0, firstColon),
-    field: rest.slice(firstColon + 1),
-  };
-}
-
-/** @internal Test-only: reset the migration guard so migrateKeys() runs again. */
-export function _resetMigrationFlag(): void {
-  migrated = false;
-}

package/src/security/keychain-broker-client.ts

@@ -6,7 +6,7 @@
  * provides a graceful-fallback interface: every public method returns a
  * safe default on failure and never throws.
  *
- * Socket path: read from VELLUM_KEYCHAIN_BROKER_SOCKET env var.
+ * Socket path: derived from getRootDir() as `~/.vellum/keychain-broker.sock`.
  * Auth token: read from ~/.vellum/protected/keychain-broker.token on first
  * connection, cached for process lifetime.
  */
@@ -70,8 +70,8 @@ function getTokenPath(): string {
   return join(getRootDir(), "protected", "keychain-broker.token");
 }
 
-function getSocketPath(): string | undefined {
-  return process.env.VELLUM_KEYCHAIN_BROKER_SOCKET;
+function getSocketPath(): string {
+  return join(getRootDir(), "keychain-broker.sock");
 }
 
 // ---------------------------------------------------------------------------
@@ -172,7 +172,7 @@ export function createBrokerClient(): KeychainBrokerClient {
   function connect(): Promise<Socket> {
     return new Promise((resolve, reject) => {
       const socketPath = getSocketPath();
-      if (!socketPath) {
+      if (!pathExists(socketPath)) {
         reject(new Error("No socket path"));
         return;
       }
@@ -328,8 +328,7 @@ export function createBrokerClient(): KeychainBrokerClient {
   return {
     isAvailable(): boolean {
       if (permanentlyUnavailable) return false;
-      const socketPath = getSocketPath();
-      if (!socketPath) return false;
+      if (!pathExists(getSocketPath())) return false;
       return pathExists(getTokenPath());
     },
 

package/src/security/oauth2.ts

@@ -691,7 +691,7 @@ export async function startOAuth2Flow(
   if (transport === "gateway") {
     if (!hasPublicUrl) {
       throw new Error(
-        "Gateway transport requires a public ingress URL. Set ingress.publicBaseUrl or INGRESS_PUBLIC_BASE_URL, or use loopback transport.",
+        "Gateway transport requires a public ingress URL. Set ingress.publicBaseUrl, or use loopback transport.",
       );
     }
     log.debug({ transport: "gateway" }, "OAuth2 flow starting");