@vellumai/assistant 0.4.49 → 0.4.50

package/src/__tests__/oauth-store.test.ts

@@ -34,6 +34,8 @@ mock.module("../security/secure-keys.js", () => ({
   deleteSecureKeyAsync: mockDeleteSecureKeyAsync,
   setSecureKeyAsync: mockSetSecureKeyAsync,
   getSecureKey: (account: string) => secureKeyValues.get(account),
+  getSecureKeyAsync: (account: string) =>
+    Promise.resolve(secureKeyValues.get(account)),
 }));
 
 import { initializeDb, resetDb, resetTestTables } from "../memory/db.js";
@@ -179,6 +181,35 @@ describe("provider operations", () => {
       // createdAt should be preserved from the original insert
       expect(row!.createdAt).toBe(originalCreatedAt);
     });
+
+    test("persists pingUrl when provided", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/authorize",
+          tokenUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          pingUrl: "https://api.github.com/user",
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row!.pingUrl).toBe("https://api.github.com/user");
+    });
+
+    test("pingUrl defaults to null when omitted", () => {
+      seedProviders([
+        {
+          providerKey: "github",
+          authUrl: "https://github.com/authorize",
+          tokenUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row!.pingUrl).toBeNull();
+    });
   });
 
   describe("getProvider", () => {
@@ -279,13 +310,18 @@ describe("app operations", () => {
 
     test("stores clientSecret in secure storage on new app creation", async () => {
       seedTestProvider("github");
-      const app = await upsertApp("github", "client-abc", "my-secret");
+      const app = await upsertApp("github", "client-abc", {
+        clientSecretValue: "my-secret",
+      });
 
       expect(mockSetSecureKeyAsync).toHaveBeenCalledTimes(1);
       expect(mockSetSecureKeyAsync).toHaveBeenCalledWith(
         `oauth_app/${app.id}/client_secret`,
         "my-secret",
       );
+      expect(app.clientSecretCredentialPath).toBe(
+        `oauth_app/${app.id}/client_secret`,
+      );
     });
 
     test("stores clientSecret in secure storage when upserting an existing app", async () => {
@@ -293,11 +329,13 @@ describe("app operations", () => {
       const first = await upsertApp("github", "client-abc");
       mockSetSecureKeyAsync.mockClear();
 
-      await upsertApp("github", "client-abc", "updated-secret");
+      await upsertApp("github", "client-abc", {
+        clientSecretValue: "updated-secret",
+      });
 
       expect(mockSetSecureKeyAsync).toHaveBeenCalledTimes(1);
       expect(mockSetSecureKeyAsync).toHaveBeenCalledWith(
-        `oauth_app/${first.id}/client_secret`,
+        first.clientSecretCredentialPath,
         "updated-secret",
       );
     });
@@ -307,9 +345,70 @@ describe("app operations", () => {
       mockSetSecureKeyAsync.mockResolvedValueOnce(false);
 
       await expect(
-        upsertApp("github", "client-abc", "bad-secret"),
+        upsertApp("github", "client-abc", { clientSecretValue: "bad-secret" }),
       ).rejects.toThrow("Failed to store client_secret in secure storage");
     });
+
+    test("accepts clientSecretCredentialPath and verifies existence", async () => {
+      seedTestProvider("github");
+      secureKeyValues.set("custom/path", "stored-secret");
+
+      const app = await upsertApp("github", "client-abc", {
+        clientSecretCredentialPath: "custom/path",
+      });
+
+      expect(app.clientSecretCredentialPath).toBe("custom/path");
+      // Should not have called setSecureKeyAsync since we only provided a path
+      expect(mockSetSecureKeyAsync).not.toHaveBeenCalled();
+    });
+
+    test("throws when clientSecretCredentialPath points to nonexistent secret", async () => {
+      seedTestProvider("github");
+
+      await expect(
+        upsertApp("github", "client-abc", {
+          clientSecretCredentialPath: "nonexistent/path",
+        }),
+      ).rejects.toThrow("No secret found at credential path: nonexistent/path");
+    });
+
+    test("throws when both clientSecretValue and clientSecretCredentialPath are provided", async () => {
+      seedTestProvider("github");
+
+      await expect(
+        upsertApp("github", "client-abc", {
+          clientSecretValue: "my-secret",
+          clientSecretCredentialPath: "custom/path",
+        }),
+      ).rejects.toThrow(
+        "Cannot provide both clientSecretValue and clientSecretCredentialPath",
+      );
+    });
+
+    test("records default clientSecretCredentialPath when neither value nor path is provided", async () => {
+      seedTestProvider("github");
+      const app = await upsertApp("github", "client-abc");
+
+      expect(app.clientSecretCredentialPath).toBe(
+        `oauth_app/${app.id}/client_secret`,
+      );
+    });
+
+    test("updates clientSecretCredentialPath on existing row when path is provided", async () => {
+      seedTestProvider("github");
+      const first = await upsertApp("github", "client-abc");
+      expect(first.clientSecretCredentialPath).toBe(
+        `oauth_app/${first.id}/client_secret`,
+      );
+
+      secureKeyValues.set("new/custom/path", "stored-secret");
+      const updated = await upsertApp("github", "client-abc", {
+        clientSecretCredentialPath: "new/custom/path",
+      });
+
+      expect(updated.id).toBe(first.id);
+      expect(updated.clientSecretCredentialPath).toBe("new/custom/path");
+    });
   });
 
   describe("getApp", () => {
@@ -353,14 +452,29 @@ describe("app operations", () => {
       expect(getApp(app.id)).toBeUndefined();
     });
 
-    test("cleans up client_secret from secure storage", async () => {
+    test("cleans up client_secret from secure storage using stored path", async () => {
       const app = await createTestApp("github", "client-1");
       mockDeleteSecureKeyAsync.mockClear();
 
       await deleteApp(app.id);
 
       expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
-        `oauth_app/${app.id}/client_secret`,
+        app.clientSecretCredentialPath,
+      );
+    });
+
+    test("uses custom clientSecretCredentialPath when deleting", async () => {
+      seedTestProvider("github");
+      secureKeyValues.set("custom/secret/path", "the-secret");
+      const app = await upsertApp("github", "client-1", {
+        clientSecretCredentialPath: "custom/secret/path",
+      });
+      mockDeleteSecureKeyAsync.mockClear();
+
+      await deleteApp(app.id);
+
+      expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+        "custom/secret/path",
       );
     });
 

package/src/__tests__/qdrant-collection-migration.test.ts

@@ -21,12 +21,14 @@ interface MockCallLog {
 
 let mockCollectionExists: boolean;
 let mockCollectionSize: number;
+let mockUseNamedVectors: boolean;
 let mockSentinelPayload: Record<string, unknown> | null;
 let callLog: MockCallLog;
 
 function resetMockState() {
   mockCollectionExists = false;
   mockCollectionSize = 384;
+  mockUseNamedVectors = false;
   mockSentinelPayload = null;
   callLog = {
     collectionExists: 0,
@@ -51,7 +53,9 @@ mock.module("@qdrant/js-client-rest", () => ({
       return {
         config: {
           params: {
-            vectors: { size: mockCollectionSize },
+            vectors: mockUseNamedVectors
+              ? { dense: { size: mockCollectionSize } }
+              : { size: mockCollectionSize },
           },
         },
       };
@@ -77,7 +81,12 @@ mock.module("@qdrant/js-client-rest", () => ({
         mockSentinelPayload &&
         opts.ids.includes("00000000-0000-0000-0000-000000000000")
       ) {
-        return [{ id: "00000000-0000-0000-0000-000000000000", payload: mockSentinelPayload }];
+        return [
+          {
+            id: "00000000-0000-0000-0000-000000000000",
+            payload: mockSentinelPayload,
+          },
+        ];
       }
       return [];
     }
@@ -97,6 +106,7 @@ beforeEach(() => {
 describe("Qdrant collection migration", () => {
   test("deletes and recreates collection on dimension mismatch", async () => {
     mockCollectionExists = true;
+    mockUseNamedVectors = true;
     mockCollectionSize = 384; // Current collection has 384-dim vectors
 
     const client = new VellumQdrantClient({
@@ -108,14 +118,16 @@ describe("Qdrant collection migration", () => {
       embeddingModel: "gemini:gemini-embedding-2-preview",
     });
 
-    await client.ensureCollection();
+    const result = await client.ensureCollection();
 
     expect(callLog.deleteCollection).toBe(1);
     expect(callLog.createCollection).toBe(1);
+    expect(result.migrated).toBe(true);
   });
 
   test("deletes and recreates collection on model-only mismatch", async () => {
     mockCollectionExists = true;
+    mockUseNamedVectors = true;
     mockCollectionSize = 768; // Same dimension
     mockSentinelPayload = {
       _meta: true,
@@ -131,16 +143,18 @@ describe("Qdrant collection migration", () => {
       embeddingModel: "gemini:gemini-embedding-2-preview", // New model
     });
 
-    await client.ensureCollection();
+    const result = await client.ensureCollection();
 
     expect(callLog.deleteCollection).toBe(1);
     expect(callLog.createCollection).toBe(1);
     // Sentinel should be written for the new model
     expect(callLog.upsert).toBe(1);
+    expect(result.migrated).toBe(true);
   });
 
   test("leaves collection untouched when dimensions and model match", async () => {
     mockCollectionExists = true;
+    mockUseNamedVectors = true;
     mockCollectionSize = 768;
     mockSentinelPayload = {
       _meta: true,
@@ -156,14 +170,16 @@ describe("Qdrant collection migration", () => {
       embeddingModel: "gemini:gemini-embedding-2-preview",
     });
 
-    await client.ensureCollection();
+    const result = await client.ensureCollection();
 
     expect(callLog.deleteCollection).toBe(0);
     expect(callLog.createCollection).toBe(0);
+    expect(result.migrated).toBe(false);
   });
 
   test("does not rebuild pre-existing collection without sentinel (graceful upgrade)", async () => {
     mockCollectionExists = true;
+    mockUseNamedVectors = true;
     mockCollectionSize = 768;
     mockSentinelPayload = null; // No sentinel — pre-existing collection
 
@@ -176,11 +192,12 @@ describe("Qdrant collection migration", () => {
       embeddingModel: "gemini:gemini-embedding-2-preview",
     });
 
-    await client.ensureCollection();
+    const result = await client.ensureCollection();
 
     // No sentinel found → no model mismatch → collection kept
     expect(callLog.deleteCollection).toBe(0);
     expect(callLog.createCollection).toBe(0);
+    expect(result.migrated).toBe(false);
   });
 
   test("writes sentinel point when creating a new collection", async () => {
@@ -195,11 +212,37 @@ describe("Qdrant collection migration", () => {
       embeddingModel: "gemini:gemini-embedding-2-preview",
     });
 
-    await client.ensureCollection();
+    const result = await client.ensureCollection();
 
     expect(callLog.createCollection).toBe(1);
     // Sentinel upsert should be called
     expect(callLog.upsert).toBe(1);
+    // Fresh collection, not a migration
+    expect(result.migrated).toBe(false);
+  });
+
+  test("deletes and recreates collection when migrating from unnamed to named vectors", async () => {
+    mockCollectionExists = true;
+    mockUseNamedVectors = false; // Legacy unnamed vectors
+    mockCollectionSize = 768;
+
+    const client = new VellumQdrantClient({
+      url: "http://localhost:6333",
+      collection: "memory",
+      vectorSize: 768, // Same dimension
+      onDisk: false,
+      quantization: "none",
+      embeddingModel: "gemini:gemini-embedding-2-preview",
+    });
+
+    const result = await client.ensureCollection();
+
+    // Unnamed vectors should trigger delete + recreate with named vectors
+    expect(callLog.deleteCollection).toBe(1);
+    expect(callLog.createCollection).toBe(1);
+    // Sentinel should be written for the new collection
+    expect(callLog.upsert).toBe(1);
+    expect(result.migrated).toBe(true);
   });
 
   test("does not write sentinel when embeddingModel is not provided", async () => {
@@ -214,10 +257,12 @@ describe("Qdrant collection migration", () => {
       // No embeddingModel
     });
 
-    await client.ensureCollection();
+    const result = await client.ensureCollection();
 
     expect(callLog.createCollection).toBe(1);
     // No sentinel should be written
     expect(callLog.upsert).toBe(0);
+    // Fresh collection, not a migration
+    expect(result.migrated).toBe(false);
   });
 });

package/src/__tests__/registry.test.ts

@@ -524,6 +524,5 @@ describe("computer-use registration split", () => {
     expect(registered.every((t) => t.name.startsWith("computer_use_"))).toBe(
       true,
     );
-    expect(getTool("computer_use_request_control")).toBeUndefined();
   });
 });

package/src/__tests__/relay-server.test.ts

@@ -4055,7 +4055,7 @@ describe("relay-server", () => {
       .filter((m) => m.type === "text");
     expect(
       textMessages.some((m) =>
-        (m.token ?? "").includes("said I can speak with you"),
+        (m.token ?? "").includes("verified that you are Eve"),
       ),
     ).toBe(true);
 
@@ -4079,6 +4079,51 @@ describe("relay-server", () => {
     relay.destroy();
   });
 
+  test("outbound invite prompt uses assistant introduction", async () => {
+    ensureConversation("conv-outbound-invite-origin");
+    ensureConversation("conv-outbound-invite");
+    const session = createCallSession({
+      conversationId: "conv-outbound-invite",
+      provider: "twilio",
+      fromNumber: "+15551111111",
+      toNumber: "+15558887777",
+      callMode: "invite",
+      inviteFriendName: "Grace",
+      inviteGuardianName: "Hank",
+      initiatedFromConversationId: "conv-outbound-invite-origin",
+    });
+
+    mockAssistantName = "Vellum";
+
+    const { ws, relay } = createMockWs(session.id);
+
+    await relay.handleMessage(
+      JSON.stringify({
+        type: "setup",
+        callSid: "CA_outbound_invite",
+        from: "+15551111111",
+        to: "+15558887777",
+      }),
+    );
+
+    // Should be in verification-pending for invite redemption
+    expect(relay.getConnectionState()).toBe("verification_pending");
+
+    // The prompt should use the outbound assistant introduction
+    const textMessages = ws.sentMessages
+      .map((raw) => JSON.parse(raw) as { type: string; token?: string })
+      .filter((m) => m.type === "text");
+    expect(
+      textMessages.some(
+        (m) =>
+          (m.token ?? "").includes("this is Vellum") &&
+          (m.token ?? "").includes("Hank's assistant"),
+      ),
+    ).toBe(true);
+
+    relay.destroy();
+  });
+
   // ── resolveGuardianLabel resolution priority ─────────────────────────
 
   test("guardian label: USER.md name takes precedence over Contact.displayName", async () => {

package/src/__tests__/schedule-tools.test.ts

@@ -61,6 +61,11 @@ const ctx: ToolContext = {
   trustClass: "guardian",
 };
 
+const trustedCtx: ToolContext = {
+  ...ctx,
+  trustClass: "trusted_contact",
+};
+
 // ── schedule_create ─────────────────────────────────────────────────
 
 describe("schedule_create tool", () => {
@@ -169,6 +174,20 @@ describe("schedule_create tool", () => {
     expect(result.isError).toBe(true);
     expect(result.content).toContain("Invalid cron expression");
   });
+
+  test("rejects non-guardian actors", async () => {
+    const result = await executeScheduleCreate(
+      {
+        name: "Blocked schedule",
+        expression: "0 9 * * *",
+        message: "test",
+      },
+      trustedCtx,
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("restricted to guardian actors");
+  });
 });
 
 // ── schedule_create with fire_at (one-shot) ──────────────────────────
@@ -680,6 +699,19 @@ describe("schedule_update tool", () => {
     expect(result.isError).toBe(true);
     expect(result.content).toContain("Invalid cron expression");
   });
+
+  test("rejects non-guardian actors", async () => {
+    const result = await executeScheduleUpdate(
+      {
+        job_id: "nonexistent-id",
+        message: "injected",
+      },
+      trustedCtx,
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("restricted to guardian actors");
+  });
 });
 
 // ── schedule_update with mode and routing ────────────────────────────

package/src/__tests__/script-proxy-certs.test.ts

@@ -84,7 +84,7 @@ describe("issueLeafCert", () => {
 
     expect(certA.cert).not.toBe(certB.cert);
     expect(certA.key).not.toBe(certB.key);
-  });
+  }, 15_000);
 });
 
 describe("getCAPath", () => {

package/src/__tests__/secret-onetime-send.test.ts

@@ -43,6 +43,7 @@ mock.module("../security/secure-keys.js", () => {
   };
   return {
     getSecureKey: (key: string) => storedKeys.get(key) ?? null,
+    getSecureKeyAsync: async (key: string) => storedKeys.get(key) ?? undefined,
     setSecureKey: syncSet,
     setSecureKeyAsync: async (key: string, value: string) =>
       syncSet(key, value),

package/src/__tests__/secure-keys.test.ts

@@ -46,9 +46,14 @@ mock.module("../security/keychain-broker-client.js", () => ({
       return { found: false };
     },
     set: async (account: string, value: string) => {
-      if (mockBrokerSetError) return false;
+      if (mockBrokerSetError)
+        return {
+          status: "rejected" as const,
+          code: "KEYCHAIN_ERROR",
+          message: "mock error",
+        };
       mockBrokerStore.set(account, value);
-      return true;
+      return { status: "ok" as const };
     },
     del: async (account: string) => {
       if (mockBrokerDelError) return false;

package/src/__tests__/send-endpoint-busy.test.ts

@@ -118,6 +118,7 @@ function makeCompletingSession(): Session {
     setHostBashProxy: () => {},
     setHostFileProxy: () => {},
     setHostCuProxy: () => {},
+    addPreactivatedSkillId: () => {},
     hasAnyPendingConfirmation: () => false,
     hasPendingConfirmation: () => false,
     denyAllPendingConfirmations: () => {},
@@ -175,6 +176,7 @@ function makeHangingSession(): Session {
     setHostBashProxy: () => {},
     setHostFileProxy: () => {},
     setHostCuProxy: () => {},
+    addPreactivatedSkillId: () => {},
     hasAnyPendingConfirmation: () => false,
     hasPendingConfirmation: () => false,
     denyAllPendingConfirmations: () => {},
@@ -260,6 +262,7 @@ function makePendingApprovalSession(
     setHostBashProxy: () => {},
     setHostFileProxy: () => {},
     setHostCuProxy: () => {},
+    addPreactivatedSkillId: () => {},
     hasAnyPendingConfirmation: () => pending.size > 0,
     hasPendingConfirmation: (candidateRequestId: string) =>
       pending.has(candidateRequestId),

package/src/__tests__/session-abort-tool-results.test.ts

@@ -75,18 +75,6 @@ mock.module("../security/secret-allowlist.js", () => ({
   resetAllowlist: () => {},
 }));
 
-mock.module("../memory/admin.js", () => ({
-  getMemoryConflictAndCleanupStats: () => ({
-    conflicts: { pending: 0, resolved: 0, oldestPendingAgeMs: null },
-    cleanup: {
-      resolvedBacklog: 0,
-      supersededBacklog: 0,
-      resolvedCompleted24h: 0,
-      supersededCompleted24h: 0,
-    },
-  }),
-}));
-
 // Track all messages persisted to DB
 let persistedMessages: Array<{ role: string; content: string }> = [];
 
@@ -128,13 +116,12 @@ mock.module("../memory/retriever.js", () => ({
     enabled: false,
     degraded: false,
     injectedText: "",
-    lexicalHits: 0,
+
     semanticHits: 0,
     recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),
-  injectMemoryRecallIntoUserMessage: (msg: Message) => msg,
   stripMemoryRecallMessages: (msgs: Message[]) => msgs,
 }));