npm - @vellumai/assistant - Versions diffs - 0.4.48 → 0.4.50 - Mend

@vellumai/assistant 0.4.48 → 0.4.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (423) hide show

package/ARCHITECTURE.md +26 -35
package/README.md +5 -26
package/docs/architecture/integrations.md +45 -41
package/docs/architecture/keychain-broker.md +3 -3
package/docs/architecture/memory.md +180 -119
package/docs/runbook-trusted-contacts.md +3 -8
package/hook-templates/debug-prompt-logger/hook.json +1 -1
package/hook-templates/debug-prompt-logger/run.sh +1 -3
package/package.json +2 -2
package/src/__tests__/actor-token-service.test.ts +0 -1
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +249 -2
package/src/__tests__/approval-cascade.test.ts +796 -0
package/src/__tests__/approval-primitive.test.ts +0 -1
package/src/__tests__/approval-routes-http.test.ts +4 -0
package/src/__tests__/assistant-attachments.test.ts +12 -34
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +76 -0
package/src/__tests__/assistant-feature-flags-integration.test.ts +0 -1
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +2 -2
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/channel-guardian.test.ts +0 -2
package/src/__tests__/channel-readiness-routes.test.ts +15 -6
package/src/__tests__/channel-readiness-service.test.ts +10 -9
package/src/__tests__/checker.test.ts +13 -20
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +1 -1
package/src/__tests__/computer-use-tools.test.ts +2 -19
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/config-watcher.test.ts +0 -1
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +0 -1
package/src/__tests__/context-image-dimensions.test.ts +332 -0
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/context-token-estimator.test.ts +196 -13
package/src/__tests__/conversation-attention-store.test.ts +0 -1
package/src/__tests__/conversation-attention-telegram.test.ts +0 -1
package/src/__tests__/conversation-routes-guardian-reply.test.ts +152 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +2 -0
package/src/__tests__/credential-metadata-store.test.ts +64 -73
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-security-invariants.test.ts +13 -7
package/src/__tests__/credential-vault-unit.test.ts +284 -49
package/src/__tests__/credential-vault.test.ts +150 -16
package/src/__tests__/credentials-cli.test.ts +71 -0
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +0 -1
package/src/__tests__/ephemeral-permissions.test.ts +3 -3
package/src/__tests__/gateway-only-guard.test.ts +0 -1
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +0 -1
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +0 -1
package/src/__tests__/guardian-routing-invariants.test.ts +93 -1
package/src/__tests__/guardian-verification-voice-binding.test.ts +0 -1
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +0 -39
package/src/__tests__/heartbeat-service.test.ts +0 -1
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +791 -0
package/src/__tests__/host-shell-tool.test.ts +27 -15
package/src/__tests__/http-user-message-parity.test.ts +2 -0
package/src/__tests__/ingress-url-consistency.test.ts +14 -21
package/src/__tests__/integration-status.test.ts +32 -51
package/src/__tests__/intent-routing.test.ts +0 -1
package/src/__tests__/invite-redemption-service.test.ts +65 -1
package/src/__tests__/invite-routes-http.test.ts +10 -9
package/src/__tests__/keychain-broker-client.test.ts +14 -46
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/notification-routing-intent.test.ts +0 -1
package/src/__tests__/oauth-cli.test.ts +941 -15
package/src/__tests__/oauth-provider-profiles.test.ts +9 -9
package/src/__tests__/oauth-scope-policy.test.ts +4 -6
package/src/__tests__/oauth-store.test.ts +870 -0
package/src/__tests__/onboarding-starter-tasks.test.ts +0 -1
package/src/__tests__/provider-error-scenarios.test.ts +0 -1
package/src/__tests__/provider-streaming.benchmark.test.ts +0 -1
package/src/__tests__/public-ingress-urls.test.ts +15 -21
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/recording-handler.test.ts +3 -4
package/src/__tests__/registry.test.ts +2 -3
package/src/__tests__/relay-server.test.ts +46 -1
package/src/__tests__/runtime-events-sse.test.ts +55 -7
package/src/__tests__/schedule-store.test.ts +0 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/scheduler-recurrence.test.ts +0 -1
package/src/__tests__/scoped-approval-grants.test.ts +0 -1
package/src/__tests__/scoped-grant-security-matrix.test.ts +0 -1
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-ingress-handler.test.ts +0 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secure-keys.test.ts +7 -2
package/src/__tests__/send-endpoint-busy.test.ts +24 -6
package/src/__tests__/sequence-store.test.ts +0 -1
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-init.benchmark.test.ts +4 -5
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skill-include-graph.test.ts +66 -0
package/src/__tests__/skill-load-feature-flag.test.ts +0 -1
package/src/__tests__/skill-load-tool.test.ts +149 -1
package/src/__tests__/skill-projection-feature-flag.test.ts +0 -1
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skills-uninstall.test.ts +1 -1
package/src/__tests__/skills.test.ts +3 -3
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/slack-channel-config.test.ts +67 -3
package/src/__tests__/slack-share-routes.test.ts +17 -19
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/telegram-invite-adapter.test.ts +18 -22
package/src/__tests__/terminal-tools.test.ts +4 -3
package/src/__tests__/test-support/computer-use-skill-harness.ts +3 -2
package/src/__tests__/tool-approval-handler.test.ts +0 -1
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +0 -1
package/src/__tests__/tool-executor-shell-integration.test.ts +0 -1
package/src/__tests__/tool-executor.test.ts +0 -1
package/src/__tests__/tool-grant-request-escalation.test.ts +0 -1
package/src/__tests__/trust-store-pattern-matches.test.ts +29 -0
package/src/__tests__/trust-store.test.ts +7 -13
package/src/__tests__/trusted-contact-approval-notifier.test.ts +0 -1
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +0 -1
package/src/__tests__/twilio-routes.test.ts +0 -16
package/src/__tests__/verification-control-plane-policy.test.ts +0 -1
package/src/__tests__/voice-invite-redemption.test.ts +32 -1
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -1
package/src/agent/ax-tree-compaction.test.ts +286 -0
package/src/agent/loop.ts +104 -131
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +133 -6
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +52 -18
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +3 -8
package/src/calls/twilio-routes.ts +1 -2
package/src/calls/types.ts +3 -1
package/src/calls/voice-ingress-preflight.ts +1 -1
package/src/cli/commands/browser-relay.ts +18 -12
package/src/cli/commands/completions.ts +0 -3
package/src/cli/commands/credentials.ts +101 -15
package/src/cli/commands/doctor.ts +4 -3
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +284 -0
package/src/cli/commands/oauth/connections.ts +633 -0
package/src/cli/commands/oauth/index.ts +52 -0
package/src/cli/commands/oauth/providers.ts +256 -0
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +177 -339
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +6 -11
package/src/cli/reference.ts +1 -3
package/src/cli.ts +4 -10
package/src/config/assistant-feature-flags.ts +0 -3
package/src/config/bundled-skills/_shared/CLI_RETRIEVAL_PATTERN.md +1 -1
package/src/config/bundled-skills/computer-use/SKILL.md +3 -6
package/src/config/bundled-skills/computer-use/TOOLS.json +23 -5
package/src/config/bundled-skills/computer-use/tools/{computer-use-request-control.ts → computer-use-observe.ts} +1 -5
package/src/config/bundled-skills/google-calendar/calendar-client.ts +21 -16
package/src/config/bundled-skills/messaging/tools/shared.ts +1 -4
package/src/config/bundled-skills/settings/SKILL.md +1 -1
package/src/config/bundled-skills/settings/TOOLS.json +2 -8
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +5 -33
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/env-registry.ts +14 -83
package/src/config/env.ts +11 -50
package/src/config/feature-flag-registry.json +16 -16
package/src/config/loader.ts +0 -6
package/src/config/schema.ts +4 -13
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/skills.ts +21 -2
package/src/config/types.ts +0 -4
package/src/context/image-dimensions.ts +229 -0
package/src/context/token-estimator.ts +75 -12
package/src/context/window-manager.ts +53 -11
package/src/daemon/assistant-attachments.ts +1 -13
package/src/daemon/config-watcher.ts +61 -3
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/config-ingress.ts +8 -33
package/src/daemon/handlers/config-slack-channel.ts +49 -46
package/src/daemon/handlers/config-telegram.ts +32 -16
package/src/daemon/handlers/sessions.ts +27 -36
package/src/daemon/handlers/shared.ts +0 -130
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +430 -0
package/src/daemon/lifecycle.ts +67 -71
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-protocol.ts +3 -0
package/src/daemon/message-types/computer-use.ts +1 -129
package/src/daemon/message-types/host-cu.ts +19 -0
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +4 -0
package/src/daemon/message-types/sessions.ts +4 -0
package/src/daemon/server.ts +25 -21
package/src/daemon/session-agent-loop-handlers.ts +40 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-attachments.ts +1 -2
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-slash.ts +1 -1
package/src/daemon/session-surfaces.ts +43 -28
package/src/daemon/session-tool-setup.ts +9 -10
package/src/daemon/session.ts +150 -17
package/src/daemon/tool-side-effects.ts +2 -8
package/src/daemon/watch-handler.ts +2 -2
package/src/events/tool-metrics-listener.ts +2 -2
package/src/hooks/manager.ts +1 -4
package/src/inbound/public-ingress-urls.ts +7 -7
package/src/instrument.ts +61 -1
package/src/logfire.ts +16 -5
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-key-store.ts +21 -0
package/src/memory/conversation-queries.ts +22 -3
package/src/memory/db-init.ts +32 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +62 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/index.ts +8 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/index.ts +1 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +67 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/provider.ts +4 -4
package/src/messaging/providers/gmail/client.ts +82 -2
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/messaging/providers/gmail/people-client.ts +10 -10
package/src/messaging/providers/telegram-bot/adapter.ts +17 -17
package/src/messaging/providers/whatsapp/adapter.ts +11 -8
package/src/messaging/registry.ts +2 -32
package/src/notifications/copy-composer.ts +0 -5
package/src/notifications/signal.ts +4 -5
package/src/oauth/byo-connection.test.ts +133 -25
package/src/oauth/byo-connection.ts +22 -6
package/src/oauth/connect-orchestrator.ts +113 -57
package/src/oauth/connect-types.ts +17 -23
package/src/oauth/connection-resolver.ts +35 -11
package/src/oauth/connection.ts +1 -1
package/src/oauth/manual-token-connection.ts +104 -0
package/src/oauth/oauth-store.ts +582 -0
package/src/oauth/platform-connection.test.ts +29 -0
package/src/oauth/platform-connection.ts +6 -5
package/src/oauth/provider-behaviors.ts +124 -0
package/src/oauth/scope-policy.ts +9 -2
package/src/oauth/seed-providers.ts +167 -0
package/src/oauth/token-persistence.ts +81 -77
package/src/permissions/checker.ts +3 -3
package/src/permissions/defaults.ts +1 -1
package/src/permissions/prompter.ts +10 -1
package/src/permissions/trust-store.ts +36 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/__tests__/build-cli-reference-section.test.ts +3 -1
package/src/prompts/system-prompt.ts +46 -42
package/src/providers/anthropic/client.ts +59 -20
package/src/providers/retry.ts +1 -27
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -6
package/src/runtime/channel-reply-delivery.ts +0 -40
package/src/runtime/gateway-client.ts +0 -7
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +10 -8
package/src/runtime/http-types.ts +2 -2
package/src/runtime/invite-redemption-service.ts +19 -1
package/src/runtime/invite-service.ts +25 -0
package/src/runtime/middleware/twilio-validation.ts +1 -11
package/src/runtime/pending-interactions.ts +14 -12
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/channel-delivery-routes.ts +0 -1
package/src/runtime/routes/conversation-routes.ts +81 -19
package/src/runtime/routes/events-routes.ts +21 -11
package/src/runtime/routes/host-cu-routes.ts +97 -0
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/inbound-stages/background-dispatch.ts +12 -111
package/src/runtime/routes/integrations/slack/share.ts +6 -7
package/src/runtime/routes/log-export-routes.ts +126 -8
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +55 -48
package/src/runtime/routes/surface-action-routes.ts +1 -1
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/watch-routes.ts +128 -0
package/src/runtime/routes/workspace-routes.ts +2 -1
package/src/schedule/integration-status.ts +10 -9
package/src/security/credential-key.ts +0 -156
package/src/security/keychain-broker-client.ts +22 -10
package/src/security/oauth2.ts +1 -1
package/src/security/secure-keys.ts +25 -3
package/src/security/token-manager.ts +137 -64
package/src/skills/catalog-install.ts +414 -0
package/src/skills/include-graph.ts +32 -0
package/src/skills/skillssh-registry.ts +503 -0
package/src/telegram/bot-username.ts +2 -3
package/src/tools/assets/search.ts +5 -1
package/src/tools/browser/network-recorder.ts +1 -1
package/src/tools/browser/network-recording-types.ts +1 -1
package/src/tools/computer-use/definitions.ts +36 -11
package/src/tools/computer-use/registry.ts +5 -6
package/src/tools/credentials/broker.ts +1 -2
package/src/tools/credentials/metadata-store.ts +17 -121
package/src/tools/credentials/vault.ts +92 -167
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/registry.ts +2 -7
package/src/tools/schedule/create.ts +8 -1
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +85 -3
package/src/tools/watch/watch-state.ts +0 -12
package/src/util/logger.ts +7 -41
package/src/util/platform.ts +9 -28
package/src/watcher/providers/google-calendar.ts +2 -1
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/computer-use-session-compaction.test.ts +0 -143
package/src/__tests__/computer-use-session-lifecycle.test.ts +0 -322
package/src/__tests__/computer-use-session-working-dir.test.ts +0 -166
package/src/__tests__/computer-use-skill-baseline.test.ts +0 -78
package/src/__tests__/computer-use-skill-endstate.test.ts +0 -105
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +0 -249
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/ride-shotgun-handler.test.ts +0 -452
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/cli/commands/dev.ts +0 -129
package/src/cli/commands/map.ts +0 -391
package/src/cli/commands/oauth.ts +0 -77
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/computer-use-session.ts +0 -1026
package/src/daemon/ride-shotgun-handler.ts +0 -569
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/oauth/provider-base-urls.ts +0 -21
package/src/oauth/provider-profiles.ts +0 -192
package/src/prompts/computer-use-prompt.ts +0 -98
package/src/runtime/routes/computer-use-routes.ts +0 -641
package/src/runtime/routes/mcp-routes.ts +0 -20
package/src/runtime/telegram-streaming-delivery.test.ts +0 -729
package/src/runtime/telegram-streaming-delivery.ts +0 -393
package/src/tools/computer-use/request-computer-control.ts +0 -56

package/src/__tests__/oauth-store.test.ts ADDED Viewed

@@ -0,0 +1,870 @@
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
+const testDir = mkdtempSync(join(tmpdir(), "oauth-store-test-"));
+mock.module("../util/platform.js", () => ({
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => ":memory:",
+  getLogPath: () => join(testDir, "test.log"),
+  ensureDataDir: () => {},
+}));
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+const mockDeleteSecureKeyAsync = mock(
+  (): Promise<"deleted" | "not-found" | "error"> =>
+    Promise.resolve("deleted" as const),
+);
+const mockSetSecureKeyAsync = mock(() => Promise.resolve(true));
+/** Simulated secure key store for getSecureKey lookups. */
+const secureKeyValues = new Map<string, string>();
+mock.module("../security/secure-keys.js", () => ({
+  deleteSecureKeyAsync: mockDeleteSecureKeyAsync,
+  setSecureKeyAsync: mockSetSecureKeyAsync,
+  getSecureKey: (account: string) => secureKeyValues.get(account),
+  getSecureKeyAsync: (account: string) =>
+    Promise.resolve(secureKeyValues.get(account)),
+}));
+import { initializeDb, resetDb, resetTestTables } from "../memory/db.js";
+import {
+  createConnection,
+  deleteApp,
+  deleteConnection,
+  disconnectOAuthProvider,
+  getApp,
+  getAppByProviderAndClientId,
+  getConnection,
+  getConnectionByProvider,
+  getProvider,
+  isProviderConnected,
+  listConnections,
+  registerProvider,
+  seedProviders,
+  updateConnection,
+  upsertApp,
+} from "../oauth/oauth-store.js";
+initializeDb();
+/** Seed a minimal provider row for FK satisfaction. */
+function seedTestProvider(providerKey = "github"): void {
+  seedProviders([
+    {
+      providerKey,
+      authUrl: `https://${providerKey}.example.com/authorize`,
+      tokenUrl: `https://${providerKey}.example.com/token`,
+      defaultScopes: ["read"],
+      scopePolicy: {},
+    },
+  ]);
+}
+/** Create an app linked to the given provider. Returns the app row. */
+async function createTestApp(providerKey = "github", clientId = "client-1") {
+  seedTestProvider(providerKey);
+  return await upsertApp(providerKey, clientId);
+}
+beforeEach(() => {
+  resetDb();
+  initializeDb();
+  // Explicitly clear all OAuth tables to prevent cross-test state pollution.
+  // Delete in FK-dependency order: connections → apps → providers.
+  resetTestTables("oauth_connections", "oauth_apps", "oauth_providers");
+  mockDeleteSecureKeyAsync.mockClear();
+  mockSetSecureKeyAsync.mockClear();
+  secureKeyValues.clear();
+});
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    // best-effort cleanup
+  }
+});
+// ---------------------------------------------------------------------------
+// Provider operations
+// ---------------------------------------------------------------------------
+describe("provider operations", () => {
+  describe("seedProviders", () => {
+    test("creates rows for new providers", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/login/oauth/authorize",
+          tokenUrl: "https://github.com/login/oauth/access_token",
+          defaultScopes: ["repo", "user"],
+          scopePolicy: { required: ["repo"] },
+        },
+        {
+          providerKey: "google",
+          authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+          tokenUrl: "https://oauth2.googleapis.com/token",
+          defaultScopes: ["openid", "email"],
+          scopePolicy: {},
+          extraParams: { access_type: "offline" },
+        },
+      ]);
+      const gh = getProvider("github");
+      expect(gh).toBeDefined();
+      expect(gh!.providerKey).toBe("github");
+      expect(gh!.authUrl).toBe("https://github.com/login/oauth/authorize");
+      expect(gh!.tokenUrl).toBe("https://github.com/login/oauth/access_token");
+      expect(JSON.parse(gh!.defaultScopes)).toEqual(["repo", "user"]);
+      expect(JSON.parse(gh!.scopePolicy)).toEqual({ required: ["repo"] });
+      const goog = getProvider("google");
+      expect(goog).toBeDefined();
+      expect(goog!.providerKey).toBe("google");
+      expect(JSON.parse(goog!.extraParams!)).toEqual({
+        access_type: "offline",
+      });
+    });
+    test("updates existing provider rows with corrected seed data", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/login/oauth/authorize",
+          tokenUrl: "https://github.com/login/oauth/access_token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          baseUrl: "https://api.github.com",
+        },
+      ]);
+      const original = getProvider("github");
+      expect(original).toBeDefined();
+      expect(original!.baseUrl).toBe("https://api.github.com");
+      const originalCreatedAt = original!.createdAt;
+      // Re-seed with corrected values (simulates a code fix deployed on upgrade)
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/login/oauth/authorize-v2",
+          tokenUrl: "https://github.com/login/oauth/access_token-v2",
+          defaultScopes: ["repo", "user"],
+          scopePolicy: { required: ["repo"] },
+          baseUrl: "https://api.github.com/v2",
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row).toBeDefined();
+      // Seed data should overwrite the existing row
+      expect(row!.authUrl).toBe("https://github.com/login/oauth/authorize-v2");
+      expect(row!.tokenUrl).toBe(
+        "https://github.com/login/oauth/access_token-v2",
+      );
+      expect(row!.baseUrl).toBe("https://api.github.com/v2");
+      expect(JSON.parse(row!.defaultScopes)).toEqual(["repo", "user"]);
+      expect(JSON.parse(row!.scopePolicy)).toEqual({ required: ["repo"] });
+      // createdAt should be preserved from the original insert
+      expect(row!.createdAt).toBe(originalCreatedAt);
+    });
+    test("persists pingUrl when provided", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/authorize",
+          tokenUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          pingUrl: "https://api.github.com/user",
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row!.pingUrl).toBe("https://api.github.com/user");
+    });
+    test("pingUrl defaults to null when omitted", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/authorize",
+          tokenUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row!.pingUrl).toBeNull();
+    });
+  });
+  describe("getProvider", () => {
+    test("returns the correct row", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/authorize",
+          tokenUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          callbackTransport: "loopback",
+          loopbackPort: 8765,
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row).toBeDefined();
+      expect(row!.providerKey).toBe("github");
+      expect(row!.callbackTransport).toBe("loopback");
+      expect(row!.loopbackPort).toBe(8765);
+    });
+    test("returns undefined for unknown keys", () => {
+      expect(getProvider("nonexistent")).toBeUndefined();
+    });
+  });
+  describe("registerProvider", () => {
+    test("creates a new row", () => {
+      const row = registerProvider({
+        providerKey: "linear",
+        authUrl: "https://linear.app/oauth/authorize",
+        tokenUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      expect(row.providerKey).toBe("linear");
+      expect(row.authUrl).toBe("https://linear.app/oauth/authorize");
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.providerKey).toBe("linear");
+    });
+    test("throws for duplicate provider_key", () => {
+      registerProvider({
+        providerKey: "linear",
+        authUrl: "https://linear.app/oauth/authorize",
+        tokenUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      expect(() =>
+        registerProvider({
+          providerKey: "linear",
+          authUrl: "https://linear.app/oauth/authorize",
+          tokenUrl: "https://api.linear.app/oauth/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        }),
+      ).toThrow(/already exists.*linear/);
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// App operations
+// ---------------------------------------------------------------------------
+describe("app operations", () => {
+  describe("upsertApp", () => {
+    test("creates a new app and returns it with a UUID", async () => {
+      seedTestProvider("github");
+      const app = await upsertApp("github", "client-abc");
+      expect(app.id).toBeTruthy();
+      // UUID v4 format check
+      expect(app.id).toMatch(
+        /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/,
+      );
+      expect(app.providerKey).toBe("github");
+      expect(app.clientId).toBe("client-abc");
+      expect(app.createdAt).toBeGreaterThan(0);
+      expect(app.updatedAt).toBeGreaterThan(0);
+    });
+    test("returns the existing app when called again with same (providerKey, clientId)", async () => {
+      seedTestProvider("github");
+      const first = await upsertApp("github", "client-abc");
+      const second = await upsertApp("github", "client-abc");
+      expect(second.id).toBe(first.id);
+      expect(second.createdAt).toBe(first.createdAt);
+    });
+    test("stores clientSecret in secure storage on new app creation", async () => {
+      seedTestProvider("github");
+      const app = await upsertApp("github", "client-abc", {
+        clientSecretValue: "my-secret",
+      });
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledTimes(1);
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledWith(
+        `oauth_app/${app.id}/client_secret`,
+        "my-secret",
+      );
+      expect(app.clientSecretCredentialPath).toBe(
+        `oauth_app/${app.id}/client_secret`,
+      );
+    });
+    test("stores clientSecret in secure storage when upserting an existing app", async () => {
+      seedTestProvider("github");
+      const first = await upsertApp("github", "client-abc");
+      mockSetSecureKeyAsync.mockClear();
+      await upsertApp("github", "client-abc", {
+        clientSecretValue: "updated-secret",
+      });
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledTimes(1);
+      expect(mockSetSecureKeyAsync).toHaveBeenCalledWith(
+        first.clientSecretCredentialPath,
+        "updated-secret",
+      );
+    });
+    test("throws when setSecureKeyAsync returns false", async () => {
+      seedTestProvider("github");
+      mockSetSecureKeyAsync.mockResolvedValueOnce(false);
+      await expect(
+        upsertApp("github", "client-abc", { clientSecretValue: "bad-secret" }),
+      ).rejects.toThrow("Failed to store client_secret in secure storage");
+    });
+    test("accepts clientSecretCredentialPath and verifies existence", async () => {
+      seedTestProvider("github");
+      secureKeyValues.set("custom/path", "stored-secret");
+      const app = await upsertApp("github", "client-abc", {
+        clientSecretCredentialPath: "custom/path",
+      });
+      expect(app.clientSecretCredentialPath).toBe("custom/path");
+      // Should not have called setSecureKeyAsync since we only provided a path
+      expect(mockSetSecureKeyAsync).not.toHaveBeenCalled();
+    });
+    test("throws when clientSecretCredentialPath points to nonexistent secret", async () => {
+      seedTestProvider("github");
+      await expect(
+        upsertApp("github", "client-abc", {
+          clientSecretCredentialPath: "nonexistent/path",
+        }),
+      ).rejects.toThrow("No secret found at credential path: nonexistent/path");
+    });
+    test("throws when both clientSecretValue and clientSecretCredentialPath are provided", async () => {
+      seedTestProvider("github");
+      await expect(
+        upsertApp("github", "client-abc", {
+          clientSecretValue: "my-secret",
+          clientSecretCredentialPath: "custom/path",
+        }),
+      ).rejects.toThrow(
+        "Cannot provide both clientSecretValue and clientSecretCredentialPath",
+      );
+    });
+    test("records default clientSecretCredentialPath when neither value nor path is provided", async () => {
+      seedTestProvider("github");
+      const app = await upsertApp("github", "client-abc");
+      expect(app.clientSecretCredentialPath).toBe(
+        `oauth_app/${app.id}/client_secret`,
+      );
+    });
+    test("updates clientSecretCredentialPath on existing row when path is provided", async () => {
+      seedTestProvider("github");
+      const first = await upsertApp("github", "client-abc");
+      expect(first.clientSecretCredentialPath).toBe(
+        `oauth_app/${first.id}/client_secret`,
+      );
+      secureKeyValues.set("new/custom/path", "stored-secret");
+      const updated = await upsertApp("github", "client-abc", {
+        clientSecretCredentialPath: "new/custom/path",
+      });
+      expect(updated.id).toBe(first.id);
+      expect(updated.clientSecretCredentialPath).toBe("new/custom/path");
+    });
+  });
+  describe("getApp", () => {
+    test("returns the correct row by id", async () => {
+      const app = await createTestApp("github", "client-1");
+      const fetched = getApp(app.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.id).toBe(app.id);
+      expect(fetched!.providerKey).toBe("github");
+      expect(fetched!.clientId).toBe("client-1");
+    });
+    test("returns undefined for unknown id", () => {
+      expect(getApp("nonexistent-id")).toBeUndefined();
+    });
+  });
+  describe("getAppByProviderAndClientId", () => {
+    test("returns the correct row", async () => {
+      const app = await createTestApp("github", "client-1");
+      const fetched = getAppByProviderAndClientId("github", "client-1");
+      expect(fetched).toBeDefined();
+      expect(fetched!.id).toBe(app.id);
+    });
+    test("returns undefined for unknown combination", () => {
+      expect(
+        getAppByProviderAndClientId("github", "nonexistent"),
+      ).toBeUndefined();
+    });
+  });
+  describe("deleteApp", () => {
+    test("removes the row and returns true", async () => {
+      const app = await createTestApp("github", "client-1");
+      const deleted = await deleteApp(app.id);
+      expect(deleted).toBe(true);
+      expect(getApp(app.id)).toBeUndefined();
+    });
+    test("cleans up client_secret from secure storage using stored path", async () => {
+      const app = await createTestApp("github", "client-1");
+      mockDeleteSecureKeyAsync.mockClear();
+      await deleteApp(app.id);
+      expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+        app.clientSecretCredentialPath,
+      );
+    });
+    test("uses custom clientSecretCredentialPath when deleting", async () => {
+      seedTestProvider("github");
+      secureKeyValues.set("custom/secret/path", "the-secret");
+      const app = await upsertApp("github", "client-1", {
+        clientSecretCredentialPath: "custom/secret/path",
+      });
+      mockDeleteSecureKeyAsync.mockClear();
+      await deleteApp(app.id);
+      expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+        "custom/secret/path",
+      );
+    });
+    test("returns false for nonexistent id", async () => {
+      expect(await deleteApp("nonexistent-id")).toBe(false);
+    });
+    test("throws when deleteSecureKeyAsync returns error", async () => {
+      const app = await createTestApp("github", "client-1");
+      mockDeleteSecureKeyAsync.mockResolvedValueOnce("error");
+      await expect(deleteApp(app.id)).rejects.toThrow(
+        /failed to remove client_secret from secure storage/i,
+      );
+      // DB row should already be deleted (delete happens before secure key cleanup)
+      expect(getApp(app.id)).toBeUndefined();
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// Connection operations
+// ---------------------------------------------------------------------------
+describe("connection operations", () => {
+  describe("createConnection", () => {
+    test("creates a row with status='active'", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo", "user"],
+        hasRefreshToken: true,
+        accountInfo: "user@example.com",
+        label: "Primary GitHub",
+        metadata: { login: "octocat" },
+      });
+      expect(conn.id).toBeTruthy();
+      expect(conn.oauthAppId).toBe(app.id);
+      expect(conn.providerKey).toBe("github");
+      expect(conn.status).toBe("active");
+      expect(JSON.parse(conn.grantedScopes)).toEqual(["repo", "user"]);
+      expect(conn.hasRefreshToken).toBe(1);
+      expect(conn.accountInfo).toBe("user@example.com");
+      expect(conn.label).toBe("Primary GitHub");
+      expect(JSON.parse(conn.metadata!)).toEqual({ login: "octocat" });
+      expect(conn.createdAt).toBeGreaterThan(0);
+    });
+  });
+  describe("getConnection", () => {
+    test("returns the correct row", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const fetched = getConnection(conn.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.id).toBe(conn.id);
+      expect(fetched!.providerKey).toBe("github");
+    });
+    test("returns undefined for unknown id", () => {
+      expect(getConnection("nonexistent-id")).toBeUndefined();
+    });
+  });
+  describe("getConnectionByProvider", () => {
+    test("returns the most recent active connection", async () => {
+      const app = await createTestApp("github", "client-1");
+      // Create two connections with explicit timestamps so ordering is deterministic
+      createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+        createdAt: 1000,
+      });
+      const conn2 = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo", "user"],
+        hasRefreshToken: true,
+        createdAt: 2000,
+      });
+      const result = getConnectionByProvider("github");
+      expect(result).toBeDefined();
+      expect(result!.id).toBe(conn2.id);
+    });
+    test("skips connections with status='revoked'", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn1 = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const conn2 = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo", "user"],
+        hasRefreshToken: true,
+      });
+      // Revoke the most recent connection
+      updateConnection(conn2.id, { status: "revoked" });
+      const result = getConnectionByProvider("github");
+      expect(result).toBeDefined();
+      expect(result!.id).toBe(conn1.id);
+    });
+    test("skips connections with status='expired'", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      updateConnection(conn.id, { status: "expired" });
+      const result = getConnectionByProvider("github");
+      expect(result).toBeUndefined();
+    });
+    test("returns undefined when no active connections exist", () => {
+      expect(getConnectionByProvider("github")).toBeUndefined();
+    });
+  });
+  describe("isProviderConnected", () => {
+    test("returns true when active connection has an access token in secure storage", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      secureKeyValues.set(`oauth_connection/${conn.id}/access_token`, "tok");
+      expect(isProviderConnected("github")).toBe(true);
+    });
+    test("returns false when active connection exists but access token is missing", async () => {
+      const app = await createTestApp("github", "client-1");
+      createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      // No secure key set — simulates failed token write
+      expect(isProviderConnected("github")).toBe(false);
+    });
+    test("returns false when no connection exists", () => {
+      expect(isProviderConnected("github")).toBe(false);
+    });
+    test("returns false when connection is revoked even with token in store", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      updateConnection(conn.id, { status: "revoked" });
+      secureKeyValues.set(`oauth_connection/${conn.id}/access_token`, "tok");
+      expect(isProviderConnected("github")).toBe(false);
+    });
+  });
+  describe("updateConnection", () => {
+    test("modifies specific fields", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const updated = updateConnection(conn.id, {
+        status: "revoked",
+        label: "Revoked account",
+        grantedScopes: ["repo", "user", "gist"],
+        hasRefreshToken: true,
+        metadata: { reason: "user-requested" },
+      });
+      expect(updated).toBe(true);
+      const fetched = getConnection(conn.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.status).toBe("revoked");
+      expect(fetched!.label).toBe("Revoked account");
+      expect(JSON.parse(fetched!.grantedScopes)).toEqual([
+        "repo",
+        "user",
+        "gist",
+      ]);
+      expect(fetched!.hasRefreshToken).toBe(1);
+      expect(JSON.parse(fetched!.metadata!)).toEqual({
+        reason: "user-requested",
+      });
+      expect(fetched!.updatedAt).toBeGreaterThanOrEqual(conn.createdAt);
+    });
+    test("updates oauthAppId to a different app", async () => {
+      const app1 = await createTestApp("github", "client-1");
+      const app2 = await upsertApp("github", "client-2");
+      const conn = createConnection({
+        oauthAppId: app1.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      expect(getConnection(conn.id)!.oauthAppId).toBe(app1.id);
+      const updated = updateConnection(conn.id, { oauthAppId: app2.id });
+      expect(updated).toBe(true);
+      const fetched = getConnection(conn.id);
+      expect(fetched).toBeDefined();
+      expect(fetched!.oauthAppId).toBe(app2.id);
+    });
+    test("returns false for nonexistent id", () => {
+      expect(updateConnection("nonexistent-id", { status: "revoked" })).toBe(
+        false,
+      );
+    });
+  });
+  describe("listConnections", () => {
+    test("returns all connections when no filter is given", async () => {
+      const ghApp = await createTestApp("github", "client-1");
+      seedTestProvider("google");
+      const googApp = await upsertApp("google", "client-2");
+      createConnection({
+        oauthAppId: ghApp.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      createConnection({
+        oauthAppId: googApp.id,
+        providerKey: "google",
+        grantedScopes: ["email"],
+        hasRefreshToken: true,
+      });
+      const all = listConnections();
+      expect(all).toHaveLength(2);
+    });
+    test("filters by provider key", async () => {
+      const ghApp = await createTestApp("github", "client-1");
+      seedTestProvider("google");
+      const googApp = await upsertApp("google", "client-2");
+      createConnection({
+        oauthAppId: ghApp.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      createConnection({
+        oauthAppId: googApp.id,
+        providerKey: "google",
+        grantedScopes: ["email"],
+        hasRefreshToken: true,
+      });
+      const ghConns = listConnections("github");
+      expect(ghConns).toHaveLength(1);
+      expect(ghConns[0].providerKey).toBe("github");
+      const googConns = listConnections("google");
+      expect(googConns).toHaveLength(1);
+      expect(googConns[0].providerKey).toBe("google");
+    });
+    test("returns empty array when no connections exist", () => {
+      expect(listConnections()).toEqual([]);
+    });
+  });
+  describe("deleteConnection", () => {
+    test("removes the row and returns true", async () => {
+      const app = await createTestApp("github", "client-1");
+      const conn = createConnection({
+        oauthAppId: app.id,
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      });
+      const deleted = deleteConnection(conn.id);
+      expect(deleted).toBe(true);
+      expect(getConnection(conn.id)).toBeUndefined();
+    });
+    test("returns false for nonexistent id", () => {
+      expect(deleteConnection("nonexistent-id")).toBe(false);
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// disconnectOAuthProvider
+// ---------------------------------------------------------------------------
+describe("disconnectOAuthProvider", () => {
+  test("returns 'not-found' when no connection exists for the provider", async () => {
+    const result = await disconnectOAuthProvider("github");
+    expect(result).toBe("not-found");
+    expect(mockDeleteSecureKeyAsync).not.toHaveBeenCalled();
+  });
+  test("returns 'disconnected' and deletes connection row and secure keys when connection exists", async () => {
+    const app = await createTestApp("github", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      providerKey: "github",
+      grantedScopes: ["repo"],
+      hasRefreshToken: true,
+    });
+    const result = await disconnectOAuthProvider("github");
+    expect(result).toBe("disconnected");
+    // Verify secure keys were deleted
+    expect(mockDeleteSecureKeyAsync).toHaveBeenCalledTimes(2);
+    expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+      `oauth_connection/${conn.id}/access_token`,
+    );
+    expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+      `oauth_connection/${conn.id}/refresh_token`,
+    );
+    // Verify connection row was deleted
+    expect(getConnection(conn.id)).toBeUndefined();
+  });
+});
+// ---------------------------------------------------------------------------
+// FK constraint enforcement
+// ---------------------------------------------------------------------------
+describe("FK constraints", () => {
+  test("creating an app with a nonexistent provider_key fails", async () => {
+    await expect(
+      upsertApp("nonexistent-provider", "client-1"),
+    ).rejects.toThrow();
+  });
+  test("creating a connection with a nonexistent oauth_app_id fails", () => {
+    seedTestProvider("github");
+    expect(() =>
+      createConnection({
+        oauthAppId: "nonexistent-app-id",
+        providerKey: "github",
+        grantedScopes: ["repo"],
+        hasRefreshToken: false,
+      }),
+    ).toThrow();
+  });
+});