npm - @vellumai/assistant - Versions diffs - 0.4.48 → 0.4.50 - Mend

@vellumai/assistant 0.4.48 → 0.4.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (423) hide show

package/ARCHITECTURE.md +26 -35
package/README.md +5 -26
package/docs/architecture/integrations.md +45 -41
package/docs/architecture/keychain-broker.md +3 -3
package/docs/architecture/memory.md +180 -119
package/docs/runbook-trusted-contacts.md +3 -8
package/hook-templates/debug-prompt-logger/hook.json +1 -1
package/hook-templates/debug-prompt-logger/run.sh +1 -3
package/package.json +2 -2
package/src/__tests__/actor-token-service.test.ts +0 -1
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +249 -2
package/src/__tests__/approval-cascade.test.ts +796 -0
package/src/__tests__/approval-primitive.test.ts +0 -1
package/src/__tests__/approval-routes-http.test.ts +4 -0
package/src/__tests__/assistant-attachments.test.ts +12 -34
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +76 -0
package/src/__tests__/assistant-feature-flags-integration.test.ts +0 -1
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +2 -2
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/channel-guardian.test.ts +0 -2
package/src/__tests__/channel-readiness-routes.test.ts +15 -6
package/src/__tests__/channel-readiness-service.test.ts +10 -9
package/src/__tests__/checker.test.ts +13 -20
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +1 -1
package/src/__tests__/computer-use-tools.test.ts +2 -19
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/config-watcher.test.ts +0 -1
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +0 -1
package/src/__tests__/context-image-dimensions.test.ts +332 -0
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/context-token-estimator.test.ts +196 -13
package/src/__tests__/conversation-attention-store.test.ts +0 -1
package/src/__tests__/conversation-attention-telegram.test.ts +0 -1
package/src/__tests__/conversation-routes-guardian-reply.test.ts +152 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +2 -0
package/src/__tests__/credential-metadata-store.test.ts +64 -73
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-security-invariants.test.ts +13 -7
package/src/__tests__/credential-vault-unit.test.ts +284 -49
package/src/__tests__/credential-vault.test.ts +150 -16
package/src/__tests__/credentials-cli.test.ts +71 -0
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +0 -1
package/src/__tests__/ephemeral-permissions.test.ts +3 -3
package/src/__tests__/gateway-only-guard.test.ts +0 -1
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +0 -1
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +0 -1
package/src/__tests__/guardian-routing-invariants.test.ts +93 -1
package/src/__tests__/guardian-verification-voice-binding.test.ts +0 -1
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +0 -39
package/src/__tests__/heartbeat-service.test.ts +0 -1
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +791 -0
package/src/__tests__/host-shell-tool.test.ts +27 -15
package/src/__tests__/http-user-message-parity.test.ts +2 -0
package/src/__tests__/ingress-url-consistency.test.ts +14 -21
package/src/__tests__/integration-status.test.ts +32 -51
package/src/__tests__/intent-routing.test.ts +0 -1
package/src/__tests__/invite-redemption-service.test.ts +65 -1
package/src/__tests__/invite-routes-http.test.ts +10 -9
package/src/__tests__/keychain-broker-client.test.ts +14 -46
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/notification-routing-intent.test.ts +0 -1
package/src/__tests__/oauth-cli.test.ts +941 -15
package/src/__tests__/oauth-provider-profiles.test.ts +9 -9
package/src/__tests__/oauth-scope-policy.test.ts +4 -6
package/src/__tests__/oauth-store.test.ts +870 -0
package/src/__tests__/onboarding-starter-tasks.test.ts +0 -1
package/src/__tests__/provider-error-scenarios.test.ts +0 -1
package/src/__tests__/provider-streaming.benchmark.test.ts +0 -1
package/src/__tests__/public-ingress-urls.test.ts +15 -21
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/recording-handler.test.ts +3 -4
package/src/__tests__/registry.test.ts +2 -3
package/src/__tests__/relay-server.test.ts +46 -1
package/src/__tests__/runtime-events-sse.test.ts +55 -7
package/src/__tests__/schedule-store.test.ts +0 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/scheduler-recurrence.test.ts +0 -1
package/src/__tests__/scoped-approval-grants.test.ts +0 -1
package/src/__tests__/scoped-grant-security-matrix.test.ts +0 -1
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-ingress-handler.test.ts +0 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secure-keys.test.ts +7 -2
package/src/__tests__/send-endpoint-busy.test.ts +24 -6
package/src/__tests__/sequence-store.test.ts +0 -1
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-init.benchmark.test.ts +4 -5
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skill-include-graph.test.ts +66 -0
package/src/__tests__/skill-load-feature-flag.test.ts +0 -1
package/src/__tests__/skill-load-tool.test.ts +149 -1
package/src/__tests__/skill-projection-feature-flag.test.ts +0 -1
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skills-uninstall.test.ts +1 -1
package/src/__tests__/skills.test.ts +3 -3
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/slack-channel-config.test.ts +67 -3
package/src/__tests__/slack-share-routes.test.ts +17 -19
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/telegram-invite-adapter.test.ts +18 -22
package/src/__tests__/terminal-tools.test.ts +4 -3
package/src/__tests__/test-support/computer-use-skill-harness.ts +3 -2
package/src/__tests__/tool-approval-handler.test.ts +0 -1
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +0 -1
package/src/__tests__/tool-executor-shell-integration.test.ts +0 -1
package/src/__tests__/tool-executor.test.ts +0 -1
package/src/__tests__/tool-grant-request-escalation.test.ts +0 -1
package/src/__tests__/trust-store-pattern-matches.test.ts +29 -0
package/src/__tests__/trust-store.test.ts +7 -13
package/src/__tests__/trusted-contact-approval-notifier.test.ts +0 -1
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +0 -1
package/src/__tests__/twilio-routes.test.ts +0 -16
package/src/__tests__/verification-control-plane-policy.test.ts +0 -1
package/src/__tests__/voice-invite-redemption.test.ts +32 -1
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -1
package/src/agent/ax-tree-compaction.test.ts +286 -0
package/src/agent/loop.ts +104 -131
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +133 -6
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +52 -18
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +3 -8
package/src/calls/twilio-routes.ts +1 -2
package/src/calls/types.ts +3 -1
package/src/calls/voice-ingress-preflight.ts +1 -1
package/src/cli/commands/browser-relay.ts +18 -12
package/src/cli/commands/completions.ts +0 -3
package/src/cli/commands/credentials.ts +101 -15
package/src/cli/commands/doctor.ts +4 -3
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +284 -0
package/src/cli/commands/oauth/connections.ts +633 -0
package/src/cli/commands/oauth/index.ts +52 -0
package/src/cli/commands/oauth/providers.ts +256 -0
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +177 -339
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +6 -11
package/src/cli/reference.ts +1 -3
package/src/cli.ts +4 -10
package/src/config/assistant-feature-flags.ts +0 -3
package/src/config/bundled-skills/_shared/CLI_RETRIEVAL_PATTERN.md +1 -1
package/src/config/bundled-skills/computer-use/SKILL.md +3 -6
package/src/config/bundled-skills/computer-use/TOOLS.json +23 -5
package/src/config/bundled-skills/computer-use/tools/{computer-use-request-control.ts → computer-use-observe.ts} +1 -5
package/src/config/bundled-skills/google-calendar/calendar-client.ts +21 -16
package/src/config/bundled-skills/messaging/tools/shared.ts +1 -4
package/src/config/bundled-skills/settings/SKILL.md +1 -1
package/src/config/bundled-skills/settings/TOOLS.json +2 -8
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +5 -33
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/env-registry.ts +14 -83
package/src/config/env.ts +11 -50
package/src/config/feature-flag-registry.json +16 -16
package/src/config/loader.ts +0 -6
package/src/config/schema.ts +4 -13
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/skills.ts +21 -2
package/src/config/types.ts +0 -4
package/src/context/image-dimensions.ts +229 -0
package/src/context/token-estimator.ts +75 -12
package/src/context/window-manager.ts +53 -11
package/src/daemon/assistant-attachments.ts +1 -13
package/src/daemon/config-watcher.ts +61 -3
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/config-ingress.ts +8 -33
package/src/daemon/handlers/config-slack-channel.ts +49 -46
package/src/daemon/handlers/config-telegram.ts +32 -16
package/src/daemon/handlers/sessions.ts +27 -36
package/src/daemon/handlers/shared.ts +0 -130
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +430 -0
package/src/daemon/lifecycle.ts +67 -71
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-protocol.ts +3 -0
package/src/daemon/message-types/computer-use.ts +1 -129
package/src/daemon/message-types/host-cu.ts +19 -0
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +4 -0
package/src/daemon/message-types/sessions.ts +4 -0
package/src/daemon/server.ts +25 -21
package/src/daemon/session-agent-loop-handlers.ts +40 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-attachments.ts +1 -2
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-slash.ts +1 -1
package/src/daemon/session-surfaces.ts +43 -28
package/src/daemon/session-tool-setup.ts +9 -10
package/src/daemon/session.ts +150 -17
package/src/daemon/tool-side-effects.ts +2 -8
package/src/daemon/watch-handler.ts +2 -2
package/src/events/tool-metrics-listener.ts +2 -2
package/src/hooks/manager.ts +1 -4
package/src/inbound/public-ingress-urls.ts +7 -7
package/src/instrument.ts +61 -1
package/src/logfire.ts +16 -5
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-key-store.ts +21 -0
package/src/memory/conversation-queries.ts +22 -3
package/src/memory/db-init.ts +32 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +62 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/index.ts +8 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/index.ts +1 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +67 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/provider.ts +4 -4
package/src/messaging/providers/gmail/client.ts +82 -2
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/messaging/providers/gmail/people-client.ts +10 -10
package/src/messaging/providers/telegram-bot/adapter.ts +17 -17
package/src/messaging/providers/whatsapp/adapter.ts +11 -8
package/src/messaging/registry.ts +2 -32
package/src/notifications/copy-composer.ts +0 -5
package/src/notifications/signal.ts +4 -5
package/src/oauth/byo-connection.test.ts +133 -25
package/src/oauth/byo-connection.ts +22 -6
package/src/oauth/connect-orchestrator.ts +113 -57
package/src/oauth/connect-types.ts +17 -23
package/src/oauth/connection-resolver.ts +35 -11
package/src/oauth/connection.ts +1 -1
package/src/oauth/manual-token-connection.ts +104 -0
package/src/oauth/oauth-store.ts +582 -0
package/src/oauth/platform-connection.test.ts +29 -0
package/src/oauth/platform-connection.ts +6 -5
package/src/oauth/provider-behaviors.ts +124 -0
package/src/oauth/scope-policy.ts +9 -2
package/src/oauth/seed-providers.ts +167 -0
package/src/oauth/token-persistence.ts +81 -77
package/src/permissions/checker.ts +3 -3
package/src/permissions/defaults.ts +1 -1
package/src/permissions/prompter.ts +10 -1
package/src/permissions/trust-store.ts +36 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/__tests__/build-cli-reference-section.test.ts +3 -1
package/src/prompts/system-prompt.ts +46 -42
package/src/providers/anthropic/client.ts +59 -20
package/src/providers/retry.ts +1 -27
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -6
package/src/runtime/channel-reply-delivery.ts +0 -40
package/src/runtime/gateway-client.ts +0 -7
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +10 -8
package/src/runtime/http-types.ts +2 -2
package/src/runtime/invite-redemption-service.ts +19 -1
package/src/runtime/invite-service.ts +25 -0
package/src/runtime/middleware/twilio-validation.ts +1 -11
package/src/runtime/pending-interactions.ts +14 -12
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/channel-delivery-routes.ts +0 -1
package/src/runtime/routes/conversation-routes.ts +81 -19
package/src/runtime/routes/events-routes.ts +21 -11
package/src/runtime/routes/host-cu-routes.ts +97 -0
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/inbound-stages/background-dispatch.ts +12 -111
package/src/runtime/routes/integrations/slack/share.ts +6 -7
package/src/runtime/routes/log-export-routes.ts +126 -8
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +55 -48
package/src/runtime/routes/surface-action-routes.ts +1 -1
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/watch-routes.ts +128 -0
package/src/runtime/routes/workspace-routes.ts +2 -1
package/src/schedule/integration-status.ts +10 -9
package/src/security/credential-key.ts +0 -156
package/src/security/keychain-broker-client.ts +22 -10
package/src/security/oauth2.ts +1 -1
package/src/security/secure-keys.ts +25 -3
package/src/security/token-manager.ts +137 -64
package/src/skills/catalog-install.ts +414 -0
package/src/skills/include-graph.ts +32 -0
package/src/skills/skillssh-registry.ts +503 -0
package/src/telegram/bot-username.ts +2 -3
package/src/tools/assets/search.ts +5 -1
package/src/tools/browser/network-recorder.ts +1 -1
package/src/tools/browser/network-recording-types.ts +1 -1
package/src/tools/computer-use/definitions.ts +36 -11
package/src/tools/computer-use/registry.ts +5 -6
package/src/tools/credentials/broker.ts +1 -2
package/src/tools/credentials/metadata-store.ts +17 -121
package/src/tools/credentials/vault.ts +92 -167
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/registry.ts +2 -7
package/src/tools/schedule/create.ts +8 -1
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +85 -3
package/src/tools/watch/watch-state.ts +0 -12
package/src/util/logger.ts +7 -41
package/src/util/platform.ts +9 -28
package/src/watcher/providers/google-calendar.ts +2 -1
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/computer-use-session-compaction.test.ts +0 -143
package/src/__tests__/computer-use-session-lifecycle.test.ts +0 -322
package/src/__tests__/computer-use-session-working-dir.test.ts +0 -166
package/src/__tests__/computer-use-skill-baseline.test.ts +0 -78
package/src/__tests__/computer-use-skill-endstate.test.ts +0 -105
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +0 -249
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/ride-shotgun-handler.test.ts +0 -452
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/cli/commands/dev.ts +0 -129
package/src/cli/commands/map.ts +0 -391
package/src/cli/commands/oauth.ts +0 -77
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/computer-use-session.ts +0 -1026
package/src/daemon/ride-shotgun-handler.ts +0 -569
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/oauth/provider-base-urls.ts +0 -21
package/src/oauth/provider-profiles.ts +0 -192
package/src/prompts/computer-use-prompt.ts +0 -98
package/src/runtime/routes/computer-use-routes.ts +0 -641
package/src/runtime/routes/mcp-routes.ts +0 -20
package/src/runtime/telegram-streaming-delivery.test.ts +0 -729
package/src/runtime/telegram-streaming-delivery.ts +0 -393
package/src/tools/computer-use/request-computer-control.ts +0 -56

package/src/__tests__/credential-vault-unit.test.ts CHANGED Viewed

@@ -44,6 +44,62 @@ mock.module("../tools/registry.js", () => ({
   registerTool: () => {},
 }));
+// ---------------------------------------------------------------------------
+// Mock oauth-store to avoid SQLite dependency in unit tests
+// ---------------------------------------------------------------------------
+let mockGetMostRecentAppByProvider: ReturnType<
+  typeof mock<(key: string) => unknown>
+>;
+let mockGetAppByProviderAndClientId: ReturnType<
+  typeof mock<(key: string, clientId: string) => unknown>
+>;
+let mockGetProvider: ReturnType<typeof mock<(key: string) => unknown>>;
+mock.module("../oauth/oauth-store.js", () => {
+  mockGetMostRecentAppByProvider = mock(() => undefined);
+  mockGetAppByProviderAndClientId = mock(() => undefined);
+  mockGetProvider = mock(() => undefined);
+  return {
+    getMostRecentAppByProvider: mockGetMostRecentAppByProvider,
+    getAppByProviderAndClientId: mockGetAppByProviderAndClientId,
+    getProvider: mockGetProvider,
+    listConnections: mock(() => []),
+    seedProviders: mock(() => {}),
+    disconnectOAuthProvider: mock(async () => "not-found" as const),
+  };
+});
+// ---------------------------------------------------------------------------
+// Mock public ingress URL — not available in unit tests. The connect
+// orchestrator dynamically imports this for non-interactive flows.
+// ---------------------------------------------------------------------------
+mock.module("../inbound/public-ingress-urls.js", () => ({
+  getPublicBaseUrl: () => {
+    throw new Error("No public ingress URL configured");
+  },
+}));
+// ---------------------------------------------------------------------------
+// Mock prepareOAuth2Flow — unit tests should not start real loopback HTTP
+// servers. The connect orchestrator still runs its own validation logic
+// (scope policy, non-interactive ingress checks, etc.) but the actual
+// OAuth flow setup is stubbed.
+// ---------------------------------------------------------------------------
+mock.module("../security/oauth2.js", () => ({
+  prepareOAuth2Flow: mock(async () => ({
+    authUrl: "https://mock-auth-url.example.com/authorize",
+    state: "mock-state",
+    completion: new Promise(() => {}),
+  })),
+  startOAuth2Flow: mock(async () => ({
+    grantedScopes: [],
+    tokens: { access_token: "mock-token" },
+  })),
+}));
 // ---------------------------------------------------------------------------
 // Imports under test
 // ---------------------------------------------------------------------------
@@ -473,18 +529,50 @@ describe("credential_store tool — prompt action", () => {
 // ---------------------------------------------------------------------------
 describe("credential_store tool — oauth2_connect error paths", () => {
+  /** Well-known provider rows returned by the mocked getProvider */
+  const wellKnownProviders: Record<string, object> = {
+    "integration:gmail": {
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    },
+    "integration:slack": {
+      key: "integration:slack",
+      authUrl: "https://slack.com/oauth/v2/authorize",
+      tokenUrl: "https://slack.com/api/oauth.v2.access",
+      defaultScopes: JSON.stringify(["channels:read"]),
+      scopePolicy: JSON.stringify({}),
+    },
+  };
   beforeEach(() => {
     if (existsSync(TEST_DIR)) rmSync(TEST_DIR, { recursive: true });
     mkdirSync(TEST_DIR, { recursive: true });
     _setStorePath(STORE_PATH);
     _resetBackend();
     _setMetadataPath(join(TEST_DIR, "metadata.json"));
+    // Return well-known provider rows so vault.ts knows gmail/slack are
+    // registered, and custom providers return undefined.
+    mockGetProvider.mockImplementation(
+      (key: string) => wellKnownProviders[key] ?? undefined,
+    );
+    mockGetMostRecentAppByProvider.mockClear();
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetAppByProviderAndClientId.mockClear();
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
   });
   afterEach(() => {
     _setMetadataPath(null);
     _setStorePath(null);
     _resetBackend();
+    mockGetProvider.mockImplementation(() => undefined);
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
   });
   test("requires service parameter", async () => {
@@ -496,55 +584,38 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("service is required");
   });
-  test("requires auth_url for unknown service", async () => {
-    const result = await credentialStoreTool.execute(
-      {
-        action: "oauth2_connect",
-        service: "custom-svc",
-        token_url: "https://t",
-        scopes: ["read"],
-      },
-      _ctx,
-    );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("auth_url is required");
-  });
-  test("requires token_url for unknown service", async () => {
-    const result = await credentialStoreTool.execute(
-      {
-        action: "oauth2_connect",
-        service: "custom-svc",
-        auth_url: "https://a",
-        scopes: ["read"],
-      },
-      _ctx,
-    );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("token_url is required");
-  });
-  test("requires scopes for unknown service", async () => {
+  test("rejects unknown service without registered provider", async () => {
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
         service: "custom-svc",
         auth_url: "https://a",
         token_url: "https://t",
+        scopes: ["read"],
       },
       _ctx,
     );
     expect(result.isError).toBe(true);
-    expect(result.content).toContain("scopes is required");
+    expect(result.content).toContain("no OAuth provider registered");
   });
   test("requires client_id", async () => {
+    mockGetProvider.mockImplementation((key: string) => {
+      if (key === "custom-svc") {
+        return {
+          key: "custom-svc",
+          authUrl: "https://auth.example.com",
+          tokenUrl: "https://token.example.com",
+          defaultScopes: JSON.stringify(["read"]),
+          scopePolicy: JSON.stringify({}),
+        };
+      }
+      return wellKnownProviders[key] ?? undefined;
+    });
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
         service: "custom-svc",
-        auth_url: "https://auth.example.com",
-        token_url: "https://token.example.com",
         scopes: ["read"],
       },
       _ctx,
@@ -554,6 +625,21 @@ describe("credential_store tool — oauth2_connect error paths", () => {
   });
   test("requires interactive context", async () => {
+    // Register custom-svc as a provider so the orchestrator finds it
+    // and reaches the non-interactive check (gateway transport).
+    mockGetProvider.mockImplementation((key: string) => {
+      if (key === "custom-svc") {
+        return {
+          key: "custom-svc",
+          authUrl: "https://auth.example.com",
+          tokenUrl: "https://token.example.com",
+          defaultScopes: JSON.stringify(["read"]),
+          scopePolicy: JSON.stringify({}),
+        };
+      }
+      return wellKnownProviders[key] ?? undefined;
+    });
     const result = await credentialStoreTool.execute(
       {
         action: "oauth2_connect",
@@ -596,18 +682,26 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("client_id is required");
   });
-  test("uses stored client_id from metadata", async () => {
-    // Store client_id in metadata (the canonical source) and client_secret
-    // in the secure store — the requiresClientSecret guardrail will
-    // short-circuit if client_secret is missing, so we need both to
-    // validate that stored client_id is resolved correctly.
-    upsertCredentialMetadata("integration:gmail", "access_token", {
-      oauth2ClientId: "stored-client-id-123",
-    });
-    setSecureKey(
-      credentialKey("integration:gmail", "client_secret"),
-      "test-secret",
-    );
+  test("uses stored client_id from oauth-store DB", async () => {
+    // Mock getMostRecentAppByProvider to return an app with a client_id
+    // and store client_secret in the secure store.
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "test-app-id",
+      providerKey: "integration:gmail",
+      clientId: "stored-client-id-123",
+      clientSecretCredentialPath: "oauth_app/test-app-id/client_secret",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/test-app-id/client_secret", "test-secret");
     const result = await credentialStoreTool.execute(
       {
@@ -624,14 +718,151 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.content).toContain("To connect gmail, open this link");
     expect(result.content).not.toContain("client_id is required");
     expect(result.content).not.toContain("client_secret is required");
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+  test("uses getAppByProviderAndClientId when client_id is provided without client_secret", async () => {
+    // When client_id is supplied but client_secret is not, the vault should
+    // look up the matching app via getAppByProviderAndClientId (not the
+    // most-recent-app heuristic) so the secret comes from the correct app.
+    mockGetAppByProviderAndClientId.mockImplementation(
+      (providerKey: string, cId: string) => {
+        if (
+          providerKey === "integration:gmail" &&
+          cId === "caller-supplied-client-id"
+        ) {
+          return {
+            id: "matched-app-id",
+            providerKey: "integration:gmail",
+            clientId: "caller-supplied-client-id",
+            clientSecretCredentialPath:
+              "oauth_app/matched-app-id/client_secret",
+            createdAt: Date.now(),
+          };
+        }
+        return undefined;
+      },
+    );
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/matched-app-id/client_secret", "matched-secret");
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+        client_id: "caller-supplied-client-id",
+      },
+      { ..._ctx, isInteractive: false },
+    );
+    // Should succeed — client_secret resolved from the matched app
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("To connect gmail, open this link");
+    // getMostRecentAppByProvider should NOT have been called since client_id was known
+    expect(mockGetMostRecentAppByProvider).not.toHaveBeenCalled();
+    // Reset mocks
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+  test("falls back to getMostRecentAppByProvider when client_id is not provided", async () => {
+    // When neither client_id nor client_secret is provided, the vault should
+    // use getMostRecentAppByProvider (the fallback heuristic).
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "recent-app-id",
+      providerKey: "integration:gmail",
+      clientId: "recent-client-id",
+      clientSecretCredentialPath: "oauth_app/recent-app-id/client_secret",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+      scopePolicy: JSON.stringify({}),
+      callbackTransport: "loopback",
+      loopbackPort: 8756,
+    }));
+    setSecureKey("oauth_app/recent-app-id/client_secret", "recent-secret");
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+      },
+      { ..._ctx, isInteractive: false },
+    );
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("To connect gmail, open this link");
+    // getAppByProviderAndClientId should NOT have been called since client_id was unknown
+    expect(mockGetAppByProviderAndClientId).not.toHaveBeenCalled();
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
+  });
+  test("getAppByProviderAndClientId returning undefined leaves client_secret unresolved", async () => {
+    // When client_id is provided but getAppByProviderAndClientId returns no
+    // matching app, client_secret remains unresolved and the vault should
+    // report the missing secret error.
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+    }));
+    const result = await credentialStoreTool.execute(
+      {
+        action: "oauth2_connect",
+        service: "gmail",
+        client_id: "unknown-client-id",
+      },
+      _ctx,
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("client_secret is required for gmail");
+    // getMostRecentAppByProvider should NOT have been called
+    expect(mockGetMostRecentAppByProvider).not.toHaveBeenCalled();
+    // Reset mocks
+    mockGetAppByProviderAndClientId.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
   });
   test("rejects when client_secret is missing for service that requires it", async () => {
-    // Store only client_id in metadata — client_secret is intentionally
-    // absent to validate the requiresClientSecret guardrail.
-    upsertCredentialMetadata("integration:gmail", "access_token", {
-      oauth2ClientId: "stored-client-id-456",
-    });
+    // Mock getMostRecentAppByProvider to return an app with client_id but
+    // no client_secret in secure storage — validates the requiresClientSecret
+    // guardrail.
+    mockGetMostRecentAppByProvider.mockImplementation(() => ({
+      id: "test-app-id-no-secret",
+      providerKey: "integration:gmail",
+      clientId: "stored-client-id-456",
+      createdAt: Date.now(),
+    }));
+    mockGetProvider.mockImplementation(() => ({
+      key: "integration:gmail",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: JSON.stringify(["https://mail.google.com/"]),
+    }));
     const result = await credentialStoreTool.execute(
       {
@@ -643,6 +874,10 @@ describe("credential_store tool — oauth2_connect error paths", () => {
     expect(result.isError).toBe(true);
     expect(result.content).toContain("client_secret is required for gmail");
+    // Reset mocks
+    mockGetMostRecentAppByProvider.mockImplementation(() => undefined);
+    mockGetProvider.mockImplementation(() => undefined);
   });
 });

package/src/__tests__/credential-vault.test.ts CHANGED Viewed

@@ -65,6 +65,69 @@ mock.module("../security/oauth2.js", () => {
   };
 });
+// ---------------------------------------------------------------------------
+// Mock oauth-store — token-manager reads refresh config from SQLite
+// ---------------------------------------------------------------------------
+/** Mutable per-test map of provider connections for getConnectionByProvider */
+const mockConnections = new Map<
+  string,
+  {
+    id: string;
+    providerKey: string;
+    oauthAppId: string;
+    expiresAt: number | null;
+  }
+>();
+const mockApps = new Map<
+  string,
+  {
+    id: string;
+    providerKey: string;
+    clientId: string;
+    clientSecretCredentialPath: string;
+  }
+>();
+const mockProviders = new Map<
+  string,
+  {
+    key: string;
+    tokenUrl: string;
+    tokenEndpointAuthMethod?: string;
+  }
+>();
+let mockDisconnectOAuthProvider: ReturnType<
+  typeof mock<
+    (providerKey: string) => Promise<"disconnected" | "not-found" | "error">
+  >
+>;
+mock.module("../oauth/oauth-store.js", () => {
+  mockDisconnectOAuthProvider = mock((providerKey: string) =>
+    Promise.resolve(
+      mockConnections.has(providerKey)
+        ? ("disconnected" as const)
+        : ("not-found" as const),
+    ),
+  );
+  return {
+    disconnectOAuthProvider: mockDisconnectOAuthProvider,
+    getConnectionByProvider: (service: string) => mockConnections.get(service),
+    getConnection: (id: string) => {
+      for (const conn of mockConnections.values()) {
+        if (conn.id === id) return conn;
+      }
+      return undefined;
+    },
+    getApp: (id: string) => mockApps.get(id),
+    getProvider: (key: string) => mockProviders.get(key),
+    updateConnection: () => {},
+    getMostRecentAppByProvider: () => undefined,
+    listConnections: () => [],
+  };
+});
 // ---------------------------------------------------------------------------
 // Import the module under test
 // ---------------------------------------------------------------------------
@@ -85,7 +148,6 @@ import {
 import {
   _setMetadataPath,
   getCredentialMetadata,
-  upsertCredentialMetadata,
 } from "../tools/credentials/metadata-store.js";
 import { credentialStoreTool } from "../tools/credentials/vault.js";
 import type { ToolContext } from "../tools/types.js";
@@ -214,12 +276,15 @@ describe("credential_store tool", () => {
     }
     _setStorePath(STORE_PATH);
     _setMetadataPath(join(TEST_DIR, "metadata.json"));
+    mockDisconnectOAuthProvider.mockClear();
+    mockConnections.clear();
   });
   afterEach(() => {
     _setMetadataPath(null);
     _setStorePath(null);
     _resetBackend();
+    mockConnections.clear();
   });
   afterAll(() => {
@@ -664,6 +729,44 @@ describe("credential_store tool", () => {
       expect(result.isError).toBe(true);
       expect(result.content).toContain("field is required");
     });
+    test("delete also disconnects OAuth connection for the service", async () => {
+      // Store a credential via the real tool so metadata exists
+      await credentialStoreTool.execute(
+        {
+          action: "store",
+          service: "integration:gmail",
+          field: "api_key",
+          value: "test-value",
+        },
+        _ctx,
+      );
+      // Simulate an active OAuth connection for this service
+      mockConnections.set("integration:gmail", {
+        id: "conn-gmail",
+        providerKey: "integration:gmail",
+        oauthAppId: "app-gmail",
+        expiresAt: Date.now() + 3600_000,
+      });
+      const result = await credentialStoreTool.execute(
+        {
+          action: "delete",
+          service: "integration:gmail",
+          field: "api_key",
+        },
+        _ctx,
+      );
+      expect(result.isError).toBe(false);
+      expect(result.content).toContain("Deleted credential");
+      // Verify disconnectOAuthProvider was called with the service name
+      expect(mockDisconnectOAuthProvider).toHaveBeenCalledTimes(1);
+      expect(mockDisconnectOAuthProvider).toHaveBeenCalledWith(
+        "integration:gmail",
+      );
+    });
   });
   // -----------------------------------------------------------------------
@@ -1172,6 +1275,10 @@ describe("withValidToken refresh deduplication", () => {
     _resetRefreshBreakers();
     _resetInflightRefreshes();
     mockRefreshOAuth2Token.mockClear();
+    // Clear mock oauth-store maps
+    mockConnections.clear();
+    mockApps.clear();
+    mockProviders.clear();
   });
   afterEach(() => {
@@ -1180,6 +1287,9 @@ describe("withValidToken refresh deduplication", () => {
     _resetBackend();
     _resetRefreshBreakers();
     _resetInflightRefreshes();
+    mockConnections.clear();
+    mockApps.clear();
+    mockProviders.clear();
   });
   afterAll(() => {
@@ -1187,26 +1297,49 @@ describe("withValidToken refresh deduplication", () => {
   });
   /**
-   * Helper: set up a service with an access token, refresh token, and OAuth2
-   * metadata so that token refresh can proceed through doRefresh().
+   * Helper: set up a service with an access token, refresh token, and
+   * mock DB data so that token refresh can proceed through doRefresh().
+   *
+   * OAuth-specific fields (tokenUrl, clientId, expiresAt) are now stored
+   * in the SQLite oauth-store. The mock maps simulate the DB layer.
    */
   function setupService(
     service: string,
     opts?: { expired?: boolean; accessToken?: string },
   ) {
     const accessToken = opts?.accessToken ?? "old-access-token";
-    setSecureKey(credentialKey(service, "access_token"), accessToken);
+    // Seed mock oauth-store maps so token-manager can resolve refresh config
+    const appId = `app-${service}`;
+    const connId = `conn-${service}`;
+    // Store access token under the oauth_connection key path that
+    // withValidToken reads (not the legacy credentialKey path).
+    setSecureKey(`oauth_connection/${connId}/access_token`, accessToken);
+    mockProviders.set(service, {
+      key: service,
+      tokenUrl: "https://oauth.example.com/token",
+    });
+    mockApps.set(appId, {
+      id: appId,
+      providerKey: service,
+      clientId: "test-client-id",
+      clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
+    });
+    mockConnections.set(service, {
+      id: connId,
+      providerKey: service,
+      oauthAppId: appId,
+      expiresAt: opts?.expired
+        ? Date.now() - 60_000 // expired 1 minute ago
+        : Date.now() + 3600_000, // expires in 1 hour
+    });
+    // Store refresh token and client_secret in secure keys (token-manager reads them)
     setSecureKey(
-      credentialKey(service, "refresh_token"),
+      `oauth_connection/${connId}/refresh_token`,
       "valid-refresh-token",
     );
-    upsertCredentialMetadata(service, "access_token", {
-      oauth2TokenUrl: "https://oauth.example.com/token",
-      oauth2ClientId: "test-client-id",
-      ...(opts?.expired
-        ? { expiresAt: Date.now() - 60_000 } // expired 1 minute ago
-        : { expiresAt: Date.now() + 3600_000 }), // expires in 1 hour
-    });
+    setSecureKey(`oauth_app/${appId}/client_secret`, "test-client-secret");
   }
   test("3 concurrent 401 refreshes for the same service call doRefresh exactly once", async () => {
@@ -1335,22 +1468,23 @@ describe("withValidToken refresh deduplication", () => {
     const err401 = Object.assign(new Error("Unauthorized"), { status: 401 });
-    // First call triggers a refresh
+    // First call triggers a refresh (old token → 401 → refresh → token-1)
     const r1 = await withValidToken(
       "integration:gmail",
       async (token: string) => {
-        if (token === "old-access-token") throw err401;
+        if (token !== "token-1") throw err401;
         return token;
       },
     );
     expect(r1).toBe("token-1");
     expect(refreshCount).toBe(1);
-    // Set up so the next call will also get a 401 (token-1 stored from first refresh)
+    // Second call also triggers a 401 to verify dedup state was cleaned up
+    // and a new refresh is allowed (not deduplicated with the first).
     const r2 = await withValidToken(
       "integration:gmail",
       async (token: string) => {
-        if (token === "token-1") throw err401;
+        if (token !== "token-2") throw err401;
         return token;
       },
     );