@vellumai/assistant 0.4.48 → 0.4.49

package/src/__tests__/credential-vault-unit.test.ts

@@ -44,6 +44,62 @@ mock.module("../tools/registry.js", () => ({
   registerTool: () => {},
 }));
 
+// ---------------------------------------------------------------------------
+// Mock oauth-store to avoid SQLite dependency in unit tests
+// ---------------------------------------------------------------------------
+
+let mockGetMostRecentAppByProvider: ReturnType<
+  typeof mock<(key: string) => unknown>
+>;
+let mockGetAppByProviderAndClientId: ReturnType<
+  typeof mock<(key: string, clientId: string) => unknown>
+>;
+let mockGetProvider: ReturnType<typeof mock<(key: string) => unknown>>;
+
+mock.module("../oauth/oauth-store.js", () => {
+  mockGetMostRecentAppByProvider = mock(() => undefined);
+  mockGetAppByProviderAndClientId = mock(() => undefined);
+  mockGetProvider = mock(() => undefined);
+  return {
+    getMostRecentAppByProvider: mockGetMostRecentAppByProvider,
+    getAppByProviderAndClientId: mockGetAppByProviderAndClientId,
+    getProvider: mockGetProvider,
+    listConnections: mock(() => []),
+    seedProviders: mock(() => {}),
+    disconnectOAuthProvider: mock(async () => "not-found" as const),
+  };
+});
+
+// ---------------------------------------------------------------------------
+// Mock public ingress URL — not available in unit tests. The connect
+// orchestrator dynamically imports this for non-interactive flows.
+// ---------------------------------------------------------------------------
+
+mock.module("../inbound/public-ingress-urls.js", () => ({
+  getPublicBaseUrl: () => {
+    throw new Error("No public ingress URL configured");
+  },
+}));
+
+// ---------------------------------------------------------------------------
+// Mock prepareOAuth2Flow — unit tests should not start real loopback HTTP
+// servers. The connect orchestrator still runs its own validation logic
+// (scope policy, non-interactive ingress checks, etc.) but the actual
+// OAuth flow setup is stubbed.
+// ---------------------------------------------------------------------------
+
+mock.module("../security/oauth2.js", () => ({
+  prepareOAuth2Flow: mock(async () => ({
+    authUrl: "https://mock-auth-url.example.com/authorize",
+    state: "mock-state",
+    completion: new Promise(() => {}),
+  })),
+  startOAuth2Flow: mock(async () => ({
+    grantedScopes: [],
+    tokens: { access_token: "mock-token" },
+  })),
+}));
+
 // ---------------------------------------------------------------------------
 // Imports under test
 // ---------------------------------------------------------------------------
@@ -473,18 +529,50 @@ describe("credential_store tool — prompt action", () => {
 // ---------------------------------------------------------------------------
 
 describe("credential_store tool — oauth2_connect error paths", () => {
+  /** Well-known provider rows returned by the mocked getProvider */
+  const wellKnownProviders: Record<string, object> = {
+    "integration:gmail": {
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    },
+    "integration:slack": {
+      key: "integration:slack",
+      authUrl: "https://slack.com/oauth/v2/authorize",
+      tokenUrl: "https://slack.com/api/oauth.v2.access",
+      defaultScopes: JSON.stringify(["channels:read"]),
+      scopePolicy: JSON.stringify({}),
+    },
+  };
+
   beforeEach(() => {
     if (existsSync(TEST_DIR)) rmSync(TEST_DIR, { recursive: true });
     mkdirSync(TEST_DIR, { recursive: true });
     _setStorePath(STORE_PATH);
     _resetBackend();
     _setMetadataPath(join(TEST_DIR, "metadata.json"));
+    // Return well-known provider rows so vault.ts knows gmail/slack are
+    // registered, and custom providers return undefined.
+    mockGetProvider.mockImplementation(
+      (key: string) => wellKnownProviders[key] ?? undefined,
+    );
+    mockGetMostRecentAppByProvider.mockClear();
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetAppByProviderAndClientId.mockClear();
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
   });
 
   afterEach(() => {
     _setMetadataPath(null);
     _setStorePath(null);
     _resetBackend();
+    mockGetProvider.mockImplementation(() => undefined);
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
   });
 
   test("requires service parameter", async () => {
@@ -496,55 +584,38 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("service is required");
   });
 
-  test("requires auth_url for unknown service", async () => {
-    const result = await credentialStoreTool.execute(
-      {
-        action: "oauth2_connect",
-        service: "custom-svc",
-        token_url: "https://t",
-        scopes: ["read"],
-      },
-      _ctx,
-    );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("auth_url is required");
-  });
-
-  test("requires token_url for unknown service", async () => {
-    const result = await credentialStoreTool.execute(
-      {
-        action: "oauth2_connect",
-        service: "custom-svc",
-        auth_url: "https://a",
-        scopes: ["read"],
-      },
-      _ctx,
-    );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("token_url is required");
-  });
-
-  test("requires scopes for unknown service", async () => {
+  test("rejects unknown service without registered provider", async () => {
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
         service: "custom-svc",
         auth_url: "https://a",
         token_url: "https://t",
+        scopes: ["read"],
       },
       _ctx,
     );
     expect(result.isError).toBe(true);
-    expect(result.content).toContain("scopes is required");
+    expect(result.content).toContain("no OAuth provider registered");
   });
 
   test("requires client_id", async () => {
+    mockGetProvider.mockImplementation((key: string) => {
+      if (key === "custom-svc") {
+        return {
+          key: "custom-svc",
+          authUrl: "https://auth.example.com",
+          tokenUrl: "https://token.example.com",
+          defaultScopes: JSON.stringify(["read"]),
+          scopePolicy: JSON.stringify({}),
+        };
+      }
+      return wellKnownProviders[key] ?? undefined;
+    });
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
         service: "custom-svc",
-        auth_url: "https://auth.example.com",
-        token_url: "https://token.example.com",
         scopes: ["read"],
       },
       _ctx,
@@ -554,6 +625,21 @@ describe("credential_store tool — oauth2_connect error paths", () => {
   });
 
   test("requires interactive context", async () => {
+    // Register custom-svc as a provider so the orchestrator finds it
+    // and reaches the non-interactive check (gateway transport).
+    mockGetProvider.mockImplementation((key: string) => {
+      if (key === "custom-svc") {
+        return {
+          key: "custom-svc",
+          authUrl: "https://auth.example.com",
+          tokenUrl: "https://token.example.com",
+          defaultScopes: JSON.stringify(["read"]),
+          scopePolicy: JSON.stringify({}),
+        };
+      }
+      return wellKnownProviders[key] ?? undefined;
+    });
+
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
@@ -596,18 +682,25 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("client_id is required");
   });
 
-  test("uses stored client_id from metadata", async () => {
-    // Store client_id in metadata (the canonical source) and client_secret
-    // in the secure store — the requiresClientSecret guardrail will
-    // short-circuit if client_secret is missing, so we need both to
-    // validate that stored client_id is resolved correctly.
-    upsertCredentialMetadata("integration:gmail", "access_token", {
-      oauth2ClientId: "stored-client-id-123",
-    });
-    setSecureKey(
-      credentialKey("integration:gmail", "client_secret"),
-      "test-secret",
-    );
+  test("uses stored client_id from oauth-store DB", async () => {
+    // Mock getMostRecentAppByProvider to return an app with a client_id
+    // and store client_secret in the secure store.
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "test-app-id",
+      providerKey: "integration:gmail",
+      clientId: "stored-client-id-123",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/test-app-id/client_secret", "test-secret");
 
     const result = await credentialStoreTool.execute(
       {
@@ -624,14 +717,148 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("To connect gmail, open this link");
     expect(result.content).not.toContain("client_id is required");
     expect(result.content).not.toContain("client_secret is required");
+
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+
+  test("uses getAppByProviderAndClientId when client_id is provided without client_secret", async () => {
+    // When client_id is supplied but client_secret is not, the vault should
+    // look up the matching app via getAppByProviderAndClientId (not the
+    // most-recent-app heuristic) so the secret comes from the correct app.
+    mockGetAppByProviderAndClientId.mockImplementation(
+      (providerKey: string, cId: string) => {
+        if (
+          providerKey === "integration:gmail" &&
+          cId === "caller-supplied-client-id"
+        ) {
+          return {
+            id: "matched-app-id",
+            providerKey: "integration:gmail",
+            clientId: "caller-supplied-client-id",
+            createdAt: Date.now(),
+          };
+        }
+        return undefined;
+      },
+    );
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/matched-app-id/client_secret", "matched-secret");
+
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+        client_id: "caller-supplied-client-id",
+      },
+      { ..._ctx, isInteractive: false },
+    );
+
+    // Should succeed — client_secret resolved from the matched app
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("To connect gmail, open this link");
+    // getMostRecentAppByProvider should NOT have been called since client_id was known
+    expect(mockGetMostRecentAppByProvider).not.toHaveBeenCalled();
+
+    // Reset mocks
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+
+  test("falls back to getMostRecentAppByProvider when client_id is not provided", async () => {
+    // When neither client_id nor client_secret is provided, the vault should
+    // use getMostRecentAppByProvider (the fallback heuristic).
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "recent-app-id",
+      providerKey: "integration:gmail",
+      clientId: "recent-client-id",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/recent-app-id/client_secret", "recent-secret");
+
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+      },
+      { ..._ctx, isInteractive: false },
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("To connect gmail, open this link");
+    // getAppByProviderAndClientId should NOT have been called since client_id was unknown
+    expect(mockGetAppByProviderAndClientId).not.toHaveBeenCalled();
+
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+
+  test("getAppByProviderAndClientId returning undefined leaves client_secret unresolved", async () => {
+    // When client_id is provided but getAppByProviderAndClientId returns no
+    // matching app, client_secret remains unresolved and the vault should
+    // report the missing secret error.
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+    }));
+
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+        client_id: "unknown-client-id",
+      },
+      _ctx,
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("client_secret is required for gmail");
+    // getMostRecentAppByProvider should NOT have been called
+    expect(mockGetMostRecentAppByProvider).not.toHaveBeenCalled();
+
+    // Reset mocks
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
   });
 
   test("rejects when client_secret is missing for service that requires it", async () => {
-    // Store only client_id in metadata — client_secret is intentionally
-    // absent to validate the requiresClientSecret guardrail.
-    upsertCredentialMetadata("integration:gmail", "access_token", {
-      oauth2ClientId: "stored-client-id-456",
-    });
+    // Mock getMostRecentAppByProvider to return an app with client_id but
+    // no client_secret in secure storage — validates the requiresClientSecret
+    // guardrail.
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "test-app-id-no-secret",
+      providerKey: "integration:gmail",
+      clientId: "stored-client-id-456",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+    }));
 
     const result = await credentialStoreTool.execute(
       {
@@ -643,6 +870,10 @@ describe("credential_store tool — oauth2_connect error paths", () => {
 
     expect(result.isError).toBe(true);
     expect(result.content).toContain("client_secret is required for gmail");
+
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
   });
 });
 

package/src/__tests__/credential-vault.test.ts

@@ -65,6 +65,58 @@ mock.module("../security/oauth2.js", () => {
   };
 });
 
+// ---------------------------------------------------------------------------
+// Mock oauth-store — token-manager reads refresh config from SQLite
+// ---------------------------------------------------------------------------
+
+/** Mutable per-test map of provider connections for getConnectionByProvider */
+const mockConnections = new Map<
+  string,
+  {
+    id: string;
+    providerKey: string;
+    oauthAppId: string;
+    expiresAt: number | null;
+  }
+>();
+const mockApps = new Map<
+  string,
+  { id: string; providerKey: string; clientId: string }
+>();
+const mockProviders = new Map<
+  string,
+  {
+    key: string;
+    tokenUrl: string;
+    tokenEndpointAuthMethod?: string;
+  }
+>();
+
+let mockDisconnectOAuthProvider: ReturnType<
+  typeof mock<
+    (providerKey: string) => Promise<"disconnected" | "not-found" | "error">
+  >
+>;
+
+mock.module("../oauth/oauth-store.js", () => {
+  mockDisconnectOAuthProvider = mock((providerKey: string) =>
+    Promise.resolve(
+      mockConnections.has(providerKey)
+        ? ("disconnected" as const)
+        : ("not-found" as const),
+    ),
+  );
+  return {
+    disconnectOAuthProvider: mockDisconnectOAuthProvider,
+    getConnectionByProvider: (service: string) => mockConnections.get(service),
+    getApp: (id: string) => mockApps.get(id),
+    getProvider: (key: string) => mockProviders.get(key),
+    updateConnection: () => {},
+    getMostRecentAppByProvider: () => undefined,
+    listConnections: () => [],
+  };
+});
+
 // ---------------------------------------------------------------------------
 // Import the module under test
 // ---------------------------------------------------------------------------
@@ -85,7 +137,6 @@ import {
 import {
   _setMetadataPath,
   getCredentialMetadata,
-  upsertCredentialMetadata,
 } from "../tools/credentials/metadata-store.js";
 import { credentialStoreTool } from "../tools/credentials/vault.js";
 import type { ToolContext } from "../tools/types.js";
@@ -214,12 +265,15 @@ describe("credential_store tool", () => {
     }
     _setStorePath(STORE_PATH);
     _setMetadataPath(join(TEST_DIR, "metadata.json"));
+    mockDisconnectOAuthProvider.mockClear();
+    mockConnections.clear();
   });
 
   afterEach(() => {
     _setMetadataPath(null);
     _setStorePath(null);
     _resetBackend();
+    mockConnections.clear();
   });
 
   afterAll(() => {
@@ -664,6 +718,44 @@ describe("credential_store tool", () => {
       expect(result.isError).toBe(true);
       expect(result.content).toContain("field is required");
     });
+
+    test("delete also disconnects OAuth connection for the service", async () => {
+      // Store a credential via the real tool so metadata exists
+      await credentialStoreTool.execute(
+        {
+          action: "store",
+          service: "integration:gmail",
+          field: "api_key",
+          value: "test-value",
+        },
+        _ctx,
+      );
+
+      // Simulate an active OAuth connection for this service
+      mockConnections.set("integration:gmail", {
+        id: "conn-gmail",
+        providerKey: "integration:gmail",
+        oauthAppId: "app-gmail",
+        expiresAt: Date.now() + 3600_000,
+      });
+
+      const result = await credentialStoreTool.execute(
+        {
+          action: "delete",
+          service: "integration:gmail",
+          field: "api_key",
+        },
+        _ctx,
+      );
+
+      expect(result.isError).toBe(false);
+      expect(result.content).toContain("Deleted credential");
+      // Verify disconnectOAuthProvider was called with the service name
+      expect(mockDisconnectOAuthProvider).toHaveBeenCalledTimes(1);
+      expect(mockDisconnectOAuthProvider).toHaveBeenCalledWith(
+        "integration:gmail",
+      );
+    });
   });
 
   // -----------------------------------------------------------------------
@@ -1172,6 +1264,10 @@ describe("withValidToken refresh deduplication", () => {
     _resetRefreshBreakers();
     _resetInflightRefreshes();
     mockRefreshOAuth2Token.mockClear();
+    // Clear mock oauth-store maps
+    mockConnections.clear();
+    mockApps.clear();
+    mockProviders.clear();
   });
 
   afterEach(() => {
@@ -1180,6 +1276,9 @@ describe("withValidToken refresh deduplication", () => {
     _resetBackend();
     _resetRefreshBreakers();
     _resetInflightRefreshes();
+    mockConnections.clear();
+    mockApps.clear();
+    mockProviders.clear();
   });
 
   afterAll(() => {
@@ -1187,26 +1286,48 @@ describe("withValidToken refresh deduplication", () => {
   });
 
   /**
-   * Helper: set up a service with an access token, refresh token, and OAuth2
-   * metadata so that token refresh can proceed through doRefresh().
+   * Helper: set up a service with an access token, refresh token, and
+   * mock DB data so that token refresh can proceed through doRefresh().
+   *
+   * OAuth-specific fields (tokenUrl, clientId, expiresAt) are now stored
+   * in the SQLite oauth-store. The mock maps simulate the DB layer.
    */
   function setupService(
     service: string,
     opts?: { expired?: boolean; accessToken?: string },
   ) {
     const accessToken = opts?.accessToken ?? "old-access-token";
-    setSecureKey(credentialKey(service, "access_token"), accessToken);
+
+    // Seed mock oauth-store maps so token-manager can resolve refresh config
+    const appId = `app-${service}`;
+    const connId = `conn-${service}`;
+
+    // Store access token under the oauth_connection key path that
+    // withValidToken reads (not the legacy credentialKey path).
+    setSecureKey(`oauth_connection/${connId}/access_token`, accessToken);
+    mockProviders.set(service, {
+      key: service,
+      tokenUrl: "https://oauth.example.com/token",
+    });
+    mockApps.set(appId, {
+      id: appId,
+      providerKey: service,
+      clientId: "test-client-id",
+    });
+    mockConnections.set(service, {
+      id: connId,
+      providerKey: service,
+      oauthAppId: appId,
+      expiresAt: opts?.expired
+        ? Date.now() - 60_000 // expired 1 minute ago
+        : Date.now() + 3600_000, // expires in 1 hour
+    });
+    // Store refresh token and client_secret in secure keys (token-manager reads them)
     setSecureKey(
-      credentialKey(service, "refresh_token"),
+      `oauth_connection/${connId}/refresh_token`,
       "valid-refresh-token",
     );
-    upsertCredentialMetadata(service, "access_token", {
-      oauth2TokenUrl: "https://oauth.example.com/token",
-      oauth2ClientId: "test-client-id",
-      ...(opts?.expired
-        ? { expiresAt: Date.now() - 60_000 } // expired 1 minute ago
-        : { expiresAt: Date.now() + 3600_000 }), // expires in 1 hour
-    });
+    setSecureKey(`oauth_app/${appId}/client_secret`, "test-client-secret");
   }
 
   test("3 concurrent 401 refreshes for the same service call doRefresh exactly once", async () => {
@@ -1335,22 +1456,23 @@ describe("withValidToken refresh deduplication", () => {
 
     const err401 = Object.assign(new Error("Unauthorized"), { status: 401 });
 
-    // First call triggers a refresh
+    // First call triggers a refresh (old token → 401 → refresh → token-1)
     const r1 = await withValidToken(
       "integration:gmail",
       async (token: string) => {
-        if (token === "old-access-token") throw err401;
+        if (token !== "token-1") throw err401;
         return token;
       },
     );
     expect(r1).toBe("token-1");
     expect(refreshCount).toBe(1);
 
-    // Set up so the next call will also get a 401 (token-1 stored from first refresh)
+    // Second call also triggers a 401 to verify dedup state was cleaned up
+    // and a new refresh is allowed (not deduplicated with the first).
     const r2 = await withValidToken(
       "integration:gmail",
       async (token: string) => {
-        if (token === "token-1") throw err401;
+        if (token !== "token-2") throw err401;
         return token;
       },
     );