@vellumai/assistant 0.4.48 → 0.4.50

package/src/__tests__/skillssh-registry.test.ts

@@ -0,0 +1,451 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import type {
+  AuditResponse,
+  SkillAuditData,
+  SkillsShSearchResult,
+} from "../skills/skillssh-registry.js";
+import {
+  fetchSkillAudits,
+  fetchSkillFromGitHub,
+  formatAuditBadges,
+  providerDisplayName,
+  resolveSkillSource,
+  riskToDisplay,
+  searchSkillsRegistry,
+  validateSkillSlug,
+} from "../skills/skillssh-registry.js";
+
+// ─── Fetch mock helpers ──────────────────────────────────────────────────────
+
+const originalFetch = globalThis.fetch;
+
+let mockFetchImpl: (url: string | URL | Request) => Promise<Response>;
+
+beforeEach(() => {
+  mockFetchImpl = () =>
+    Promise.resolve(new Response("not mocked", { status: 500 }));
+  globalThis.fetch = mock((input: string | URL | Request) =>
+    mockFetchImpl(typeof input === "string" ? input : input.toString()),
+  ) as unknown as typeof fetch;
+});
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+
+// ─── searchSkillsRegistry ────────────────────────────────────────────────────
+
+describe("searchSkillsRegistry", () => {
+  test("sends correct query parameters and returns results", async () => {
+    const mockResults: SkillsShSearchResult[] = [
+      {
+        id: "vercel-labs/agent-skills/vercel-react-best-practices",
+        skillId: "vercel-react-best-practices",
+        name: "Vercel React Best Practices",
+        installs: 1200,
+        source: "vercel-labs/agent-skills",
+      },
+    ];
+
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).toContain("skills.sh/api/search");
+      expect(urlStr).toContain("q=react");
+      expect(urlStr).toContain("limit=5");
+      return Promise.resolve(
+        new Response(JSON.stringify({ skills: mockResults }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+
+    const results = await searchSkillsRegistry("react", 5);
+    expect(results).toEqual(mockResults);
+  });
+
+  test("omits limit parameter when not provided", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).not.toContain("limit=");
+      return Promise.resolve(
+        new Response(JSON.stringify({ skills: [] }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+
+    const results = await searchSkillsRegistry("test");
+    expect(results).toEqual([]);
+  });
+
+  test("throws on non-OK response", async () => {
+    mockFetchImpl = () =>
+      Promise.resolve(new Response("Not Found", { status: 404 }));
+
+    await expect(searchSkillsRegistry("bad-query")).rejects.toThrow(
+      "skills.sh search failed: HTTP 404",
+    );
+  });
+});
+
+// ─── fetchSkillAudits ────────────────────────────────────────────────────────
+
+describe("fetchSkillAudits", () => {
+  test("sends correct parameters and returns audit data", async () => {
+    const mockAudits: AuditResponse = {
+      "vercel-react-best-practices": {
+        ath: {
+          risk: "safe",
+          alerts: 0,
+          score: 100,
+          analyzedAt: "2025-01-15T00:00:00Z",
+        },
+        socket: {
+          risk: "low",
+          alerts: 1,
+          score: 95,
+          analyzedAt: "2025-01-15T00:00:00Z",
+        },
+      },
+    };
+
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).toContain("add-skill.vercel.sh/audit");
+      expect(urlStr).toContain("source=vercel-labs%2Fagent-skills");
+      expect(urlStr).toContain(
+        "skills=vercel-react-best-practices%2Canother-skill",
+      );
+      return Promise.resolve(
+        new Response(JSON.stringify(mockAudits), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+
+    const audits = await fetchSkillAudits("vercel-labs/agent-skills", [
+      "vercel-react-best-practices",
+      "another-skill",
+    ]);
+    expect(audits).toEqual(mockAudits);
+  });
+
+  test("returns empty object for empty slugs list", async () => {
+    const audits = await fetchSkillAudits("some/source", []);
+    expect(audits).toEqual({});
+    // fetch should not have been called
+    expect(globalThis.fetch).not.toHaveBeenCalled();
+  });
+
+  test("throws on non-OK response", async () => {
+    mockFetchImpl = () =>
+      Promise.resolve(new Response("Internal Server Error", { status: 500 }));
+
+    await expect(fetchSkillAudits("some/source", ["slug"])).rejects.toThrow(
+      "Audit fetch failed: HTTP 500",
+    );
+  });
+});
+
+// ─── Display helpers ─────────────────────────────────────────────────────────
+
+describe("riskToDisplay", () => {
+  test("maps risk levels correctly", () => {
+    expect(riskToDisplay("safe")).toBe("PASS");
+    expect(riskToDisplay("low")).toBe("PASS");
+    expect(riskToDisplay("medium")).toBe("WARN");
+    expect(riskToDisplay("high")).toBe("FAIL");
+    expect(riskToDisplay("critical")).toBe("FAIL");
+    expect(riskToDisplay("unknown")).toBe("?");
+  });
+});
+
+describe("providerDisplayName", () => {
+  test("maps known providers", () => {
+    expect(providerDisplayName("ath")).toBe("ATH");
+    expect(providerDisplayName("socket")).toBe("Socket");
+    expect(providerDisplayName("snyk")).toBe("Snyk");
+  });
+
+  test("returns raw name for unknown providers", () => {
+    expect(providerDisplayName("custom-auditor")).toBe("custom-auditor");
+  });
+});
+
+describe("formatAuditBadges", () => {
+  test("formats multiple providers as badges", () => {
+    const auditData: SkillAuditData = {
+      ath: { risk: "safe", analyzedAt: "2025-01-15T00:00:00Z" },
+      socket: { risk: "safe", analyzedAt: "2025-01-15T00:00:00Z" },
+      snyk: { risk: "medium", analyzedAt: "2025-01-15T00:00:00Z" },
+    };
+    expect(formatAuditBadges(auditData)).toBe(
+      "Security: [ATH:PASS] [Socket:PASS] [Snyk:WARN]",
+    );
+  });
+
+  test("returns fallback message when no providers present", () => {
+    expect(formatAuditBadges({})).toBe("Security: no audit data");
+  });
+
+  test("handles single provider", () => {
+    const auditData: SkillAuditData = {
+      ath: { risk: "critical", analyzedAt: "2025-01-15T00:00:00Z" },
+    };
+    expect(formatAuditBadges(auditData)).toBe("Security: [ATH:FAIL]");
+  });
+});
+
+// ─── resolveSkillSource ─────────────────────────────────────────────────────
+
+describe("resolveSkillSource", () => {
+  test("parses owner/repo@skill-name format", () => {
+    const result = resolveSkillSource("vercel-labs/skills@find-skills");
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+    });
+  });
+
+  test("parses owner/repo/skill-name format", () => {
+    const result = resolveSkillSource("vercel-labs/skills/find-skills");
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+    });
+  });
+
+  test("parses full GitHub URL with main branch", () => {
+    const result = resolveSkillSource(
+      "https://github.com/vercel-labs/skills/tree/main/skills/find-skills",
+    );
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+      ref: "main",
+    });
+  });
+
+  test("parses full GitHub URL with non-main branch", () => {
+    const result = resolveSkillSource(
+      "https://github.com/some-org/repo/tree/develop/skills/my-skill",
+    );
+    expect(result).toEqual({
+      owner: "some-org",
+      repo: "repo",
+      skillSlug: "my-skill",
+      ref: "develop",
+    });
+  });
+
+  test("parses GitHub URL with trailing slash", () => {
+    const result = resolveSkillSource(
+      "https://github.com/owner/repo/tree/main/skills/skill-name/",
+    );
+    expect(result).toEqual({
+      owner: "owner",
+      repo: "repo",
+      skillSlug: "skill-name",
+      ref: "main",
+    });
+  });
+
+  test("throws on bare skill name (no owner/repo)", () => {
+    expect(() => resolveSkillSource("find-skills")).toThrow(
+      'Invalid skill source "find-skills"',
+    );
+  });
+
+  test("throws on empty string", () => {
+    expect(() => resolveSkillSource("")).toThrow('Invalid skill source ""');
+  });
+
+  test("throws on owner-only format", () => {
+    expect(() => resolveSkillSource("vercel-labs")).toThrow(
+      'Invalid skill source "vercel-labs"',
+    );
+  });
+
+  test("throws on owner/repo without skill", () => {
+    expect(() => resolveSkillSource("vercel-labs/skills")).toThrow(
+      'Invalid skill source "vercel-labs/skills"',
+    );
+  });
+
+  test("rejects path traversal in @ format slug", () => {
+    expect(() => resolveSkillSource("owner/repo@../../malicious")).toThrow(
+      'Invalid skill source "owner/repo@../../malicious"',
+    );
+  });
+
+  test("rejects uppercase slug in @ format", () => {
+    expect(() => resolveSkillSource("owner/repo@BadSlug")).toThrow(
+      'Invalid skill source "owner/repo@BadSlug"',
+    );
+  });
+});
+
+// ─── validateSkillSlug ──────────────────────────────────────────────────────
+
+describe("validateSkillSlug", () => {
+  test("accepts valid slugs", () => {
+    expect(() => validateSkillSlug("my-skill")).not.toThrow();
+    expect(() => validateSkillSlug("skill123")).not.toThrow();
+    expect(() => validateSkillSlug("my.skill")).not.toThrow();
+    expect(() => validateSkillSlug("my_skill")).not.toThrow();
+  });
+
+  test("rejects path traversal characters", () => {
+    expect(() => validateSkillSlug("../../malicious")).toThrow(
+      "path traversal",
+    );
+    expect(() => validateSkillSlug("foo/bar")).toThrow("path traversal");
+    expect(() => validateSkillSlug("foo\\bar")).toThrow("path traversal");
+  });
+
+  test("rejects slugs starting with special chars", () => {
+    expect(() => validateSkillSlug(".hidden")).toThrow();
+    expect(() => validateSkillSlug("-dash")).toThrow();
+  });
+
+  test("rejects empty input", () => {
+    expect(() => validateSkillSlug("")).toThrow("Skill slug is required");
+  });
+});
+
+// ─── fetchSkillFromGitHub ───────────────────────────────────────────────────
+
+describe("fetchSkillFromGitHub", () => {
+  test("fetches from conventional skills/<slug>/ path", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      // Probe request for skills/my-skill
+      if (urlStr.includes("/contents/skills/my-skill")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "SKILL.md",
+                type: "file",
+                download_url: "https://raw.example.com/SKILL.md",
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // File download
+      if (urlStr.includes("raw.example.com/SKILL.md")) {
+        return Promise.resolve(new Response("# My Skill", { status: 200 }));
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+
+    const files = await fetchSkillFromGitHub("owner", "repo", "my-skill");
+    expect(files["SKILL.md"]).toBe("# My Skill");
+  });
+
+  test("falls back to tree search when skills/<slug>/ returns 404", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      // Probe for conventional path returns 404
+      if (urlStr.includes("/contents/skills/csv")) {
+        return Promise.resolve(new Response("Not Found", { status: 404 }));
+      }
+      // Tree search returns the skill at a non-standard path
+      if (urlStr.includes("/git/trees/")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({
+              tree: [
+                { path: "examples/skills/csv/SKILL.md", type: "blob" },
+                { path: "examples/skills/csv/scripts/filter.sh", type: "blob" },
+                { path: "README.md", type: "blob" },
+              ],
+            }),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // Subdirectory listing (must precede parent path check — both use
+      // .includes() and the parent path is a prefix of this one)
+      if (urlStr.includes("/contents/examples/skills/csv/scripts")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "filter.sh",
+                type: "file",
+                download_url: "https://raw.example.com/filter.sh",
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // Contents API for the discovered path
+      if (urlStr.includes("/contents/examples/skills/csv")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "SKILL.md",
+                type: "file",
+                download_url: "https://raw.example.com/SKILL.md",
+              },
+              {
+                name: "scripts",
+                type: "dir",
+                download_url: null,
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // File downloads
+      if (urlStr.includes("raw.example.com/SKILL.md")) {
+        return Promise.resolve(new Response("# CSV Skill", { status: 200 }));
+      }
+      if (urlStr.includes("raw.example.com/filter.sh")) {
+        return Promise.resolve(
+          new Response("#!/bin/bash\necho filter", { status: 200 }),
+        );
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+
+    const files = await fetchSkillFromGitHub("vercel-labs", "bash-tool", "csv");
+    expect(files["SKILL.md"]).toBe("# CSV Skill");
+    expect(files["scripts/filter.sh"]).toBe("#!/bin/bash\necho filter");
+  });
+
+  test("throws when skill not found in tree either", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      if (urlStr.includes("/contents/skills/missing")) {
+        return Promise.resolve(new Response("Not Found", { status: 404 }));
+      }
+      if (urlStr.includes("/git/trees/")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({ tree: [{ path: "README.md", type: "blob" }] }),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+
+    await expect(
+      fetchSkillFromGitHub("owner", "repo", "missing"),
+    ).rejects.toThrow("Searched skills/missing/ and the full repo tree");
+  });
+});

package/src/__tests__/slack-channel-config.test.ts

@@ -75,13 +75,11 @@ mock.module("../util/logger.js", () => ({
     debug: () => {},
     trace: () => {},
     fatal: () => {},
-    isDebug: () => false,
     child: () => ({
       info: () => {},
       warn: () => {},
       error: () => {},
       debug: () => {},
-      isDebug: () => false,
     }),
   }),
 }));
@@ -116,6 +114,46 @@ mock.module("../security/secure-keys.js", () => {
   };
 });
 
+// Mock oauth-store (getConnectionByProvider)
+let oauthConnectionStore: Record<
+  string,
+  { id: string; status: string; accountInfo?: string | null }
+> = {};
+
+mock.module("../oauth/oauth-store.js", () => ({
+  getConnectionByProvider: (providerKey: string) =>
+    oauthConnectionStore[providerKey] ?? undefined,
+  createConnection: () => ({ id: "test-conn-id" }),
+  updateConnection: () => true,
+  deleteConnection: (id: string) => {
+    for (const [key, conn] of Object.entries(oauthConnectionStore)) {
+      if (conn.id === id) {
+        delete oauthConnectionStore[key];
+        return true;
+      }
+    }
+    return false;
+  },
+  upsertApp: async () => ({ id: "test-app-id" }),
+}));
+
+// Mock manual-token-connection
+mock.module("../oauth/manual-token-connection.js", () => ({
+  ensureManualTokenConnection: async (
+    providerKey: string,
+    accountInfo?: string,
+  ) => {
+    oauthConnectionStore[providerKey] = {
+      id: `conn-${providerKey}`,
+      status: "active",
+      accountInfo: accountInfo ?? null,
+    };
+  },
+  removeManualTokenConnection: (providerKey: string) => {
+    delete oauthConnectionStore[providerKey];
+  },
+}));
+
 // Mock credential metadata store
 let credentialMetadataStore: Array<{
   service: string;
@@ -187,6 +225,7 @@ describe("Slack channel config handler", () => {
   beforeEach(() => {
     secureKeyStore = {};
     credentialMetadataStore = [];
+    oauthConnectionStore = {};
     configStore = {};
     globalThis.fetch = originalFetch;
   });
@@ -199,7 +238,11 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(false);
   });
 
-  test("GET returns connected: true when both tokens are set", () => {
+  test("GET returns connected: true when oauth_connection is active and both keys exist", () => {
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
     secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
     secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
 
@@ -210,8 +253,29 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(true);
   });
 
+  test("GET reports per-field token presence independently of connection row", () => {
+    // Only bot_token in keychain, no app_token, but connection row exists
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+
+    const result = getSlackChannelConfig();
+    expect(result.success).toBe(true);
+    expect(result.hasBotToken).toBe(true);
+    expect(result.hasAppToken).toBe(false);
+    // connected requires both keys AND connection row
+    expect(result.connected).toBe(false);
+  });
+
   test("GET returns metadata from config when available", () => {
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
     secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
     configStore = {
       slack: {
         teamId: "T123",

package/src/__tests__/slack-share-routes.test.ts

@@ -1,7 +1,5 @@
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-import { credentialKey } from "../security/credential-key.js";
-
 // ---------------------------------------------------------------------------
 // Mocks — must be declared before any imports that pull in mocked modules
 // ---------------------------------------------------------------------------
@@ -12,6 +10,12 @@ mock.module("../security/secure-keys.js", () => ({
   setSecureKeyAsync: async () => {},
 }));
 
+let connectionByProvider: Record<string, unknown> = {};
+mock.module("../oauth/oauth-store.js", () => ({
+  getConnectionByProvider: (key: string) =>
+    connectionByProvider[key] ?? undefined,
+}));
+
 let listConversationsResult: unknown = { ok: true, channels: [] };
 let postMessageResult: unknown = {
   ok: true,
@@ -86,6 +90,7 @@ function makeRequest(body: unknown): Request {
 
 beforeEach(() => {
   secureKeyValues.clear();
+  connectionByProvider = {};
   listConversationsResult = { ok: true, channels: [] };
   userInfoResults = new Map();
   appStoreResult = null;
@@ -106,8 +111,9 @@ describe("handleListSlackChannels", () => {
   });
 
   test("returns channels sorted by type then name", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
 
@@ -176,18 +182,6 @@ describe("handleListSlackChannels", () => {
       isPrivate: true,
     });
   });
-
-  test("falls back to legacy bot token", async () => {
-    secureKeyValues.set(
-      credentialKey("slack_channel", "bot_token"),
-      "xoxb-legacy",
-    );
-
-    listConversationsResult = { ok: true, channels: [] };
-
-    const res = await handleListSlackChannels();
-    expect(res.status).toBe(200);
-  });
 });
 
 describe("handleShareToSlackChannel", () => {
@@ -198,8 +192,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 for malformed JSON", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     const req = new Request("http://localhost/v1/slack/share", {
@@ -212,8 +207,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 when missing required fields", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     const req = makeRequest({ appId: "app1" });
@@ -224,8 +220,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 404 when app not found", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     appStoreResult = null;
@@ -235,8 +232,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("posts message and returns success", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     appStoreResult = {

package/src/__tests__/system-prompt.test.ts

@@ -53,7 +53,6 @@ mock.module("../util/logger.js", () => ({
   ...realLogger,
   getLogger: () => noopLogger,
   getCliLogger: () => noopLogger,
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
   initLogger: () => {},
   pruneOldLogFiles: () => 0,