npm - @vellumai/assistant - Versions diffs - 0.4.49 → 0.4.51 - Mend

@vellumai/assistant 0.4.49 → 0.4.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (353) hide show

package/ARCHITECTURE.md +24 -33
package/README.md +3 -3
package/docs/architecture/integrations.md +2 -2
package/docs/architecture/keychain-broker.md +6 -6
package/docs/architecture/memory.md +180 -119
package/knip.json +32 -0
package/package.json +3 -2
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +114 -23
package/src/__tests__/approval-cascade.test.ts +1 -15
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/btw-routes.test.ts +61 -5
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/checker.test.ts +13 -0
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/config-watcher.test.ts +8 -0
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/conversation-routes-guardian-reply.test.ts +8 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-security-invariants.test.ts +8 -7
package/src/__tests__/credential-vault-unit.test.ts +23 -18
package/src/__tests__/credential-vault.test.ts +30 -18
package/src/__tests__/credentials-cli.test.ts +257 -82
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/guardian-routing-invariants.test.ts +93 -0
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +165 -3
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/inbound-invite-redemption.test.ts +36 -7
package/src/__tests__/integration-status.test.ts +31 -30
package/src/__tests__/invite-redemption-service.test.ts +166 -13
package/src/__tests__/invite-routes-http.test.ts +166 -5
package/src/__tests__/keychain-broker-client.test.ts +4 -4
package/src/__tests__/list-messages-attachments.test.ts +193 -0
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/oauth-cli.test.ts +824 -31
package/src/__tests__/oauth-provider-profiles.test.ts +1 -1
package/src/__tests__/oauth-store.test.ts +363 -17
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/registry.test.ts +0 -1
package/src/__tests__/relay-server.test.ts +55 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secret-routes-managed-proxy.test.ts +183 -0
package/src/__tests__/secure-keys.test.ts +78 -18
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/server-history-render.test.ts +2 -2
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skills.test.ts +2 -2
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/slack-channel-config.test.ts +10 -8
package/src/__tests__/trust-store.test.ts +15 -0
package/src/__tests__/twilio-config.test.ts +11 -10
package/src/__tests__/twilio-provider.test.ts +9 -4
package/src/__tests__/voice-invite-redemption.test.ts +85 -5
package/src/agent/ax-tree-compaction.test.ts +51 -0
package/src/agent/loop.ts +39 -12
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +134 -3
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +44 -6
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +5 -4
package/src/calls/twilio-provider.ts +14 -9
package/src/calls/twilio-rest.ts +10 -7
package/src/calls/types.ts +3 -1
package/src/cli/commands/config.ts +14 -9
package/src/cli/commands/contacts.ts +3 -0
package/src/cli/commands/credentials.ts +170 -174
package/src/cli/commands/doctor.ts +11 -8
package/src/cli/commands/keys.ts +9 -9
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +68 -10
package/src/cli/commands/oauth/connections.ts +475 -105
package/src/cli/commands/oauth/index.ts +3 -3
package/src/cli/commands/oauth/providers.ts +18 -4
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +173 -1
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +5 -6
package/src/cli.ts +20 -22
package/src/config/__tests__/feature-flag-registry-bundled.test.ts +39 -0
package/src/config/bundled-skills/computer-use/TOOLS.json +1 -1
package/src/config/bundled-skills/computer-use/tools/computer-use-observe.ts +12 -0
package/src/config/bundled-skills/contacts/SKILL.md +35 -11
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +1 -1
package/src/config/bundled-skills/gmail/SKILL.md +1 -1
package/src/config/bundled-skills/gmail/TOOLS.json +52 -0
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +13 -3
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +5 -1
package/src/config/bundled-skills/google-calendar/TOOLS.json +20 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/shared.ts +8 -2
package/src/config/bundled-skills/messaging/SKILL.md +1 -1
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +2 -2
package/src/config/bundled-skills/messaging/tools/shared.ts +7 -5
package/src/config/bundled-skills/slack/tools/shared.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +1 -1
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/loader.ts +6 -42
package/src/config/schema.ts +1 -12
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/types.ts +0 -4
package/src/contacts/contact-store.ts +39 -2
package/src/contacts/contacts-write.ts +9 -0
package/src/context/window-manager.ts +4 -1
package/src/daemon/config-watcher.ts +55 -2
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/config-ingress.ts +2 -2
package/src/daemon/handlers/config-slack-channel.ts +59 -39
package/src/daemon/handlers/config-telegram.ts +23 -14
package/src/daemon/handlers/session-history.ts +1 -358
package/src/daemon/handlers/sessions.ts +18 -13
package/src/daemon/handlers/shared.ts +3 -17
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +55 -26
package/src/daemon/lifecycle.ts +39 -4
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-types/computer-use.ts +1 -12
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +1 -0
package/src/daemon/message-types/sessions.ts +4 -42
package/src/daemon/server.ts +6 -1
package/src/daemon/session-agent-loop-handlers.ts +38 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-slash.ts +3 -5
package/src/daemon/session-surfaces.ts +4 -1
package/src/daemon/session-tool-setup.ts +7 -1
package/src/daemon/session.ts +12 -2
package/src/email/providers/index.ts +2 -2
package/src/instrument.ts +61 -1
package/src/media/avatar-router.ts +1 -1
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-queries.ts +25 -83
package/src/memory/db-init.ts +32 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/invite-store.ts +19 -0
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +2 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/157-invite-contact-id.ts +104 -0
package/src/memory/migrations/index.ts +8 -0
package/src/memory/migrations/registry.ts +6 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +2 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/provider.ts +1 -1
package/src/messaging/providers/gmail/adapter.ts +1 -1
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/messaging/providers/telegram-bot/adapter.ts +17 -8
package/src/messaging/providers/whatsapp/adapter.ts +13 -9
package/src/messaging/registry.ts +9 -5
package/src/oauth/byo-connection.test.ts +40 -25
package/src/oauth/connect-orchestrator.ts +4 -10
package/src/oauth/connection-resolver.ts +20 -6
package/src/oauth/manual-token-connection.ts +5 -5
package/src/oauth/oauth-store.ts +183 -31
package/src/oauth/platform-connection.test.ts +1 -1
package/src/oauth/provider-behaviors.ts +503 -4
package/src/oauth/seed-providers.ts +214 -8
package/src/oauth/token-persistence.ts +31 -16
package/src/permissions/defaults.ts +1 -0
package/src/permissions/trust-store.ts +23 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/system-prompt.ts +18 -2
package/src/providers/anthropic/client.ts +56 -126
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -3
package/src/runtime/channel-readiness-service.ts +48 -40
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +2 -2
package/src/runtime/http-types.ts +2 -0
package/src/runtime/invite-redemption-service.ts +72 -12
package/src/runtime/invite-service.ts +43 -0
package/src/runtime/middleware/twilio-validation.ts +1 -1
package/src/runtime/pending-interactions.ts +2 -2
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/btw-routes.ts +10 -5
package/src/runtime/routes/conversation-routes.ts +56 -11
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/integrations/slack/channel.ts +2 -2
package/src/runtime/routes/integrations/telegram.ts +2 -2
package/src/runtime/routes/integrations/twilio.ts +17 -17
package/src/runtime/routes/invite-routes.ts +29 -4
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/secret-routes.ts +17 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +3 -3
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/workspace-routes.ts +9 -4
package/src/runtime/routes/workspace-utils.ts +8 -2
package/src/schedule/integration-status.ts +26 -19
package/src/security/keychain-broker-client.ts +17 -4
package/src/security/oauth2.ts +6 -7
package/src/security/secure-keys.ts +44 -19
package/src/security/token-manager.ts +46 -39
package/src/services/vercel-deploy.ts +0 -24
package/src/signals/confirm.ts +78 -0
package/src/signals/mcp-reload.ts +18 -0
package/src/skills/catalog-install.ts +74 -18
package/src/skills/skillssh-registry.ts +503 -0
package/src/tools/assets/search.ts +5 -1
package/src/tools/computer-use/definitions.ts +0 -10
package/src/tools/computer-use/registry.ts +1 -1
package/src/tools/credentials/vault.ts +22 -7
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/network/script-proxy/session-manager.ts +8 -8
package/src/tools/schedule/create.ts +10 -3
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +25 -2
package/src/watcher/provider-types.ts +1 -1
package/src/watcher/providers/github.ts +1 -1
package/src/watcher/providers/gmail.ts +3 -3
package/src/watcher/providers/google-calendar.ts +3 -3
package/src/watcher/providers/linear.ts +1 -1
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/runtime/routes/mcp-routes.ts +0 -20

package/src/__tests__/oauth-cli.test.ts CHANGED Viewed

@@ -30,6 +30,56 @@ let disconnectOAuthProviderResult: "disconnected" | "not-found" | "error" =
   "not-found";
 let idCounter = 0;
+// App upsert mock state
+let mockUpsertAppCalls: Array<{
+  provider: string;
+  clientId: string;
+  clientSecretOpts?: {
+    clientSecretValue?: string;
+    clientSecretCredentialPath?: string;
+  };
+}> = [];
+let mockUpsertAppResult: Record<string, unknown> = {
+  id: "app-upsert-1",
+  providerKey: "integration:test",
+  clientId: "test-client-id",
+  createdAt: 1700000000000,
+  updatedAt: 1700000000000,
+};
+let mockUpsertAppImpl:
+  | ((
+      provider: string,
+      clientId: string,
+      clientSecretOpts?: {
+        clientSecretValue?: string;
+        clientSecretCredentialPath?: string;
+      },
+    ) => Promise<Record<string, unknown>>)
+  | undefined;
+// Connect mock state
+let mockOrchestrateOAuthConnect: (
+  opts: Record<string, unknown>,
+) => Promise<Record<string, unknown>>;
+let mockGetAppByProviderAndClientId: (
+  providerKey: string,
+  clientId: string,
+) => Record<string, unknown> | undefined = () => undefined;
+let mockGetMostRecentAppByProvider: (
+  providerKey: string,
+) => Record<string, unknown> | undefined = () => undefined;
+let mockGetProvider: (
+  providerKey: string,
+) => Record<string, unknown> | undefined = () => undefined;
+let mockGetProviderBehavior: (
+  providerKey: string,
+) => Record<string, unknown> | undefined = () => undefined;
+let mockGetSecureKey: (account: string) => string | undefined = () => undefined;
+let mockGetCredentialMetadata: (
+  service: string,
+  field: string,
+) => Record<string, unknown> | undefined = () => undefined;
 function nextUUID(): string {
   idCounter += 1;
   return `00000000-0000-0000-0000-${String(idCounter).padStart(12, "0")}`;
@@ -72,13 +122,28 @@ mock.module("../oauth/oauth-store.js", () => ({
   listConnections: () => [],
   deleteConnection: () => false,
   // Stubs required by apps.ts and providers.ts (transitively loaded via oauth/index.ts)
-  upsertApp: async () => ({}),
+  upsertApp: async (
+    provider: string,
+    clientId: string,
+    clientSecretOpts?: {
+      clientSecretValue?: string;
+      clientSecretCredentialPath?: string;
+    },
+  ) => {
+    if (mockUpsertAppImpl) {
+      return mockUpsertAppImpl(provider, clientId, clientSecretOpts);
+    }
+    mockUpsertAppCalls.push({ provider, clientId, clientSecretOpts });
+    return mockUpsertAppResult;
+  },
   getApp: () => undefined,
-  getAppByProviderAndClientId: () => undefined,
-  getMostRecentAppByProvider: () => undefined,
+  getAppByProviderAndClientId: (providerKey: string, clientId: string) =>
+    mockGetAppByProviderAndClientId(providerKey, clientId),
+  getMostRecentAppByProvider: (providerKey: string) =>
+    mockGetMostRecentAppByProvider(providerKey),
   listApps: () => [],
   deleteApp: async () => false,
-  getProvider: () => undefined,
+  getProvider: (providerKey: string) => mockGetProvider(providerKey),
   listProviders: () => mockListProviders(),
   registerProvider: () => ({}),
   seedProviders: () => {},
@@ -89,7 +154,7 @@ mock.module("../oauth/oauth-store.js", () => ({
 // Stub out transitive dependencies that token-manager would normally pull in
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: () => undefined,
+  getSecureKey: (account: string) => mockGetSecureKey(account),
   setSecureKey: () => true,
   getSecureKeyAsync: async () => undefined,
   setSecureKeyAsync: async () => true,
@@ -116,7 +181,8 @@ mock.module("../security/secure-keys.js", () => ({
 mock.module("../tools/credentials/metadata-store.js", () => ({
   assertMetadataWritable: () => {},
-  getCredentialMetadata: () => undefined,
+  getCredentialMetadata: (service: string, field: string) =>
+    mockGetCredentialMetadata(service, field),
   upsertCredentialMetadata: () => ({}),
   listCredentialMetadata: () => [],
   deleteCredentialMetadata: (service: string, field: string): boolean => {
@@ -129,6 +195,25 @@ mock.module("../tools/credentials/metadata-store.js", () => ({
   },
 }));
+// ---------------------------------------------------------------------------
+// Mock connect-orchestrator
+// ---------------------------------------------------------------------------
+mock.module("../oauth/connect-orchestrator.js", () => ({
+  orchestrateOAuthConnect: (opts: Record<string, unknown>) =>
+    mockOrchestrateOAuthConnect(opts),
+}));
+// ---------------------------------------------------------------------------
+// Mock provider-behaviors
+// ---------------------------------------------------------------------------
+mock.module("../oauth/provider-behaviors.js", () => ({
+  resolveService: (service: string) => service,
+  getProviderBehavior: (providerKey: string) =>
+    mockGetProviderBehavior(providerKey),
+}));
 mock.module("../util/logger.js", () => ({
   getLogger: () => ({
     info: () => {},
@@ -252,11 +337,11 @@ describe("assistant oauth connections token <provider-key>", () => {
     const { exitCode, stdout } = await runCli([
       "connections",
       "token",
-      "integration:gmail",
+      "integration:google",
     ]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("gmail-token\n");
-    expect(capturedService).toBe("integration:gmail");
+    expect(capturedService).toBe("integration:google");
   });
   test("exits 1 when no token exists", async () => {
@@ -336,30 +421,30 @@ describe("assistant oauth connections disconnect <provider-key>", () => {
     const result = await runCli([
       "connections",
       "disconnect",
-      "integration:gmail",
+      "integration:google",
       "--json",
     ]);
     expect(result.exitCode).toBe(0);
     const parsed = JSON.parse(result.stdout);
     expect(parsed.ok).toBe(true);
-    expect(parsed.service).toBe("integration:gmail");
+    expect(parsed.service).toBe("integration:google");
     // disconnectOAuthProvider should have been called with the full provider key
-    expect(disconnectOAuthProviderCalls).toEqual(["integration:gmail"]);
+    expect(disconnectOAuthProviderCalls).toEqual(["integration:google"]);
   });
   test("reports not-found when nothing exists", async () => {
     const result = await runCli([
       "connections",
       "disconnect",
-      "integration:gmail",
+      "integration:google",
       "--json",
     ]);
     expect(result.exitCode).toBe(1);
     const parsed = JSON.parse(result.stdout);
     expect(parsed.ok).toBe(false);
     expect(parsed.error).toContain("No OAuth connection or credentials");
-    expect(parsed.error).toContain("integration:gmail");
+    expect(parsed.error).toContain("integration:google");
   });
   test("cleans up legacy credential keys if present", async () => {
@@ -372,12 +457,12 @@ describe("assistant oauth connections disconnect <provider-key>", () => {
     ];
     for (const field of legacyFields) {
       secureKeyStore.set(
-        credentialKey("integration:gmail", field),
+        credentialKey("integration:google", field),
         `legacy_${field}_value`,
       );
       metadataStore.push({
         credentialId: nextUUID(),
-        service: "integration:gmail",
+        service: "integration:google",
         field,
         allowedTools: [],
         allowedDomains: [],
@@ -389,22 +474,22 @@ describe("assistant oauth connections disconnect <provider-key>", () => {
     const result = await runCli([
       "connections",
       "disconnect",
-      "integration:gmail",
+      "integration:google",
       "--json",
     ]);
     expect(result.exitCode).toBe(0);
     const parsed = JSON.parse(result.stdout);
     expect(parsed.ok).toBe(true);
-    expect(parsed.service).toBe("integration:gmail");
+    expect(parsed.service).toBe("integration:google");
     // All legacy keys should be removed
     for (const field of legacyFields) {
       expect(
-        secureKeyStore.has(credentialKey("integration:gmail", field)),
+        secureKeyStore.has(credentialKey("integration:google", field)),
       ).toBe(false);
       expect(
         metadataStore.find(
-          (m) => m.service === "integration:gmail" && m.field === field,
+          (m) => m.service === "integration:google" && m.field === field,
         ),
       ).toBeUndefined();
     }
@@ -416,12 +501,12 @@ describe("assistant oauth connections disconnect <provider-key>", () => {
     // Seed a legacy credential key
     secureKeyStore.set(
-      credentialKey("integration:gmail", "access_token"),
+      credentialKey("integration:google", "access_token"),
       "legacy_token",
     );
     metadataStore.push({
       credentialId: nextUUID(),
-      service: "integration:gmail",
+      service: "integration:google",
       field: "access_token",
       allowedTools: [],
       allowedDomains: [],
@@ -432,7 +517,7 @@ describe("assistant oauth connections disconnect <provider-key>", () => {
     const result = await runCli([
       "connections",
       "disconnect",
-      "integration:gmail",
+      "integration:google",
       "--json",
     ]);
     expect(result.exitCode).toBe(0);
@@ -440,9 +525,9 @@ describe("assistant oauth connections disconnect <provider-key>", () => {
     expect(parsed.ok).toBe(true);
     // Both should be cleaned up
-    expect(disconnectOAuthProviderCalls).toEqual(["integration:gmail"]);
+    expect(disconnectOAuthProviderCalls).toEqual(["integration:google"]);
     expect(
-      secureKeyStore.has(credentialKey("integration:gmail", "access_token")),
+      secureKeyStore.has(credentialKey("integration:google", "access_token")),
     ).toBe(false);
   });
 });
@@ -454,7 +539,7 @@ describe("assistant oauth connections disconnect <provider-key>", () => {
 describe("assistant oauth providers list", () => {
   const fakeProviders = [
     {
-      providerKey: "integration:gmail",
+      providerKey: "integration:google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
@@ -511,7 +596,7 @@ describe("assistant oauth providers list", () => {
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(4);
     const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
-    expect(keys).toContain("integration:gmail");
+    expect(keys).toContain("integration:google");
     expect(keys).toContain("integration:google-calendar");
     expect(keys).toContain("integration:slack");
     expect(keys).toContain("integration:twitter");
@@ -522,13 +607,13 @@ describe("assistant oauth providers list", () => {
       "providers",
       "list",
       "--provider-key",
-      "gmail",
+      "slack",
       "--json",
     ]);
     expect(exitCode).toBe(0);
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(1);
-    expect(parsed[0].providerKey).toBe("integration:gmail");
+    expect(parsed[0].providerKey).toBe("integration:slack");
   });
   test("filters by comma-separated OR values", async () => {
@@ -536,15 +621,16 @@ describe("assistant oauth providers list", () => {
       "providers",
       "list",
       "--provider-key",
-      "gmail,google",
+      "slack,google",
       "--json",
     ]);
     expect(exitCode).toBe(0);
     const parsed = JSON.parse(stdout);
-    expect(parsed).toHaveLength(2);
+    expect(parsed).toHaveLength(3);
     const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
-    expect(keys).toContain("integration:gmail");
+    expect(keys).toContain("integration:google");
     expect(keys).toContain("integration:google-calendar");
+    expect(keys).toContain("integration:slack");
   });
   test("returns empty array when comma-separated filter has no matches", async () => {
@@ -559,4 +645,711 @@ describe("assistant oauth providers list", () => {
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(0);
   });
+  test("trims whitespace around commas in --provider-key", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "slack, google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(3);
+    const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
+    expect(keys).toContain("integration:google");
+    expect(keys).toContain("integration:google-calendar");
+    expect(keys).toContain("integration:slack");
+  });
+  test("ignores empty segments from extra commas in --provider-key", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "list",
+      "--provider-key",
+      "slack,,google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toHaveLength(3);
+    const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
+    expect(keys).toContain("integration:google");
+    expect(keys).toContain("integration:google-calendar");
+    expect(keys).toContain("integration:slack");
+  });
+});
+// ---------------------------------------------------------------------------
+// connect
+// ---------------------------------------------------------------------------
+describe("assistant oauth connections connect <provider-key>", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
+    mockOrchestrateOAuthConnect = async () => ({
+      success: true,
+      deferred: false,
+      grantedScopes: [],
+    });
+    mockGetAppByProviderAndClientId = () => undefined;
+    mockGetMostRecentAppByProvider = () => undefined;
+    mockGetProvider = () => undefined;
+    mockGetProviderBehavior = () => undefined;
+    mockGetSecureKey = () => undefined;
+  });
+  test("completes interactive flow and prints success (human mode)", async () => {
+    mockGetAppByProviderAndClientId = () => ({
+      id: "app-1",
+      clientId: "test-id",
+      clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+      providerKey: "integration:google",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    mockOrchestrateOAuthConnect = async () => ({
+      success: true,
+      deferred: false,
+      grantedScopes: ["read"],
+      accountInfo: "user@example.com",
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:google",
+      "--client-id",
+      "test-id",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain("Connected");
+  });
+  test("completes interactive flow and returns JSON with --json flag", async () => {
+    mockGetAppByProviderAndClientId = () => ({
+      id: "app-1",
+      clientId: "test-id",
+      clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+      providerKey: "integration:google",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    mockOrchestrateOAuthConnect = async () => ({
+      success: true,
+      deferred: false,
+      grantedScopes: ["read"],
+      accountInfo: "user@example.com",
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:google",
+      "--client-id",
+      "test-id",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed).toEqual({
+      ok: true,
+      grantedScopes: ["read"],
+      accountInfo: "user@example.com",
+    });
+  });
+  test("returns auth URL in default (non-interactive) mode (JSON)", async () => {
+    mockGetAppByProviderAndClientId = () => ({
+      id: "app-1",
+      clientId: "test-id",
+      clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+      providerKey: "integration:google",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    mockOrchestrateOAuthConnect = async () => ({
+      success: true,
+      deferred: true,
+      authUrl: "https://example.com/auth",
+      state: "abc",
+      service: "integration:google",
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:google",
+      "--client-id",
+      "test-id",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.deferred).toBe(true);
+    expect(parsed.authUrl).toBe("https://example.com/auth");
+  });
+  test("fails when no client_id available", async () => {
+    mockGetMostRecentAppByProvider = () => undefined;
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("client_id");
+  });
+  test("resolves client_id from DB when not provided", async () => {
+    mockGetMostRecentAppByProvider = () => ({
+      id: "app-1",
+      clientId: "db-client-id",
+      clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+      providerKey: "integration:google",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    let capturedClientId: string | undefined;
+    mockOrchestrateOAuthConnect = async (opts) => {
+      capturedClientId = opts.clientId as string;
+      return {
+        success: true,
+        deferred: false,
+        grantedScopes: [],
+      };
+    };
+    await runCli(["connections", "connect", "integration:google"]);
+    expect(capturedClientId).toBe("db-client-id");
+  });
+  test("resolves client_secret from secure store when not provided", async () => {
+    mockGetMostRecentAppByProvider = () => ({
+      id: "app-1",
+      clientId: "db-client-id",
+      clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+      providerKey: "integration:google",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    mockGetSecureKey = (account: string) =>
+      account === "oauth_app/app-1/client_secret" ? "db-secret" : undefined;
+    let capturedOpts: Record<string, unknown> | undefined;
+    mockOrchestrateOAuthConnect = async (opts) => {
+      capturedOpts = opts;
+      return {
+        success: true,
+        deferred: false,
+        grantedScopes: [],
+      };
+    };
+    await runCli(["connections", "connect", "integration:google"]);
+    expect(capturedOpts).toBeDefined();
+    expect(capturedOpts!.clientId).toBe("db-client-id");
+    expect(capturedOpts!.clientSecret).toBe("db-secret");
+  });
+  test("outputs error from orchestrator", async () => {
+    mockGetAppByProviderAndClientId = () => ({
+      id: "app-1",
+      clientId: "x",
+      clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+      providerKey: "integration:google",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    mockOrchestrateOAuthConnect = async () => ({
+      success: false,
+      error: "Something went wrong",
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:google",
+      "--client-id",
+      "x",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toBe("Something went wrong");
+  });
+  test("succeeds when callbackTransport is null (loopback default)", async () => {
+    // Provider row has callbackTransport: null — orchestrator should default
+    // to loopback and not require a public ingress URL.
+    mockGetMostRecentAppByProvider = () => ({
+      id: "app-loopback",
+      clientId: "loopback-client",
+      clientSecretCredentialPath: "oauth_app/app-loopback/client_secret",
+      providerKey: "integration:test-loopback",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    let capturedOpts: Record<string, unknown> | undefined;
+    mockOrchestrateOAuthConnect = async (opts) => {
+      capturedOpts = opts;
+      return {
+        success: true,
+        deferred: true,
+        authUrl: "https://example.com/auth?loopback",
+        state: "state-loopback",
+        service: "integration:test-loopback",
+      };
+    };
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:test-loopback",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.deferred).toBe(true);
+    expect(capturedOpts).toBeDefined();
+    expect(capturedOpts!.clientId).toBe("loopback-client");
+  });
+  test("returns ingress URL error when callbackTransport is explicitly gateway", async () => {
+    // Provider row has callbackTransport: "gateway" — orchestrator should
+    // require a public ingress URL, which is not configured in the test env.
+    mockGetMostRecentAppByProvider = () => ({
+      id: "app-gateway",
+      clientId: "gateway-client",
+      clientSecretCredentialPath: "oauth_app/app-gateway/client_secret",
+      providerKey: "integration:test-gateway",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    mockOrchestrateOAuthConnect = async () => ({
+      success: false,
+      error:
+        "oauth2_connect from a non-interactive session requires a public ingress URL. Configure ingress.publicBaseUrl first.",
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:test-gateway",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("requires a public ingress URL");
+  });
+  test("fails when client_secret is required but missing", async () => {
+    mockGetAppByProviderAndClientId = () => ({
+      id: "app-1",
+      clientId: "test-id",
+      clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+      providerKey: "integration:google",
+      createdAt: 0,
+      updatedAt: 0,
+    });
+    mockGetProviderBehavior = () => ({
+      setup: {
+        requiresClientSecret: true,
+        displayName: "Test",
+        dashboardUrl: "https://example.com",
+        appType: "app",
+      },
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "connect",
+      "integration:google",
+      "--client-id",
+      "test-id",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("client_secret");
+    expect(parsed.error).toContain("apps upsert");
+  });
+});
+// ---------------------------------------------------------------------------
+// apps upsert --client-secret-credential-path
+// ---------------------------------------------------------------------------
+describe("assistant oauth apps upsert --client-secret-credential-path", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
+    mockUpsertAppCalls = [];
+    mockUpsertAppResult = {
+      id: "app-upsert-1",
+      providerKey: "integration:google",
+      clientId: "abc123",
+      createdAt: 1700000000000,
+      updatedAt: 1700000000000,
+    };
+    mockOrchestrateOAuthConnect = async () => ({
+      success: true,
+      deferred: false,
+      grantedScopes: [],
+    });
+    mockGetAppByProviderAndClientId = () => undefined;
+    mockGetMostRecentAppByProvider = () => undefined;
+    mockGetProvider = () => undefined;
+    mockGetProviderBehavior = () => undefined;
+    mockGetSecureKey = () => undefined;
+    mockGetCredentialMetadata = () => undefined;
+    mockUpsertAppImpl = undefined;
+  });
+  test("upsert with --client-secret-credential-path passes path to upsertApp", async () => {
+    const { exitCode, stdout } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "integration:google",
+      "--client-id",
+      "abc123",
+      "--client-secret-credential-path",
+      "custom/path",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockUpsertAppCalls).toHaveLength(1);
+    expect(mockUpsertAppCalls[0]).toEqual({
+      provider: "integration:google",
+      clientId: "abc123",
+      clientSecretOpts: { clientSecretCredentialPath: "custom/path" },
+    });
+    const parsed = JSON.parse(stdout);
+    expect(parsed.id).toBe("app-upsert-1");
+  });
+  test("upsert with both --client-secret and --client-secret-credential-path returns error", async () => {
+    const { exitCode, stdout } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "integration:google",
+      "--client-id",
+      "abc123",
+      "--client-secret",
+      "s3cret",
+      "--client-secret-credential-path",
+      "custom/path",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain(
+      "Cannot provide both --client-secret and --client-secret-credential-path",
+    );
+    // upsertApp should NOT have been called
+    expect(mockUpsertAppCalls).toHaveLength(0);
+  });
+  test("upsert with --client-secret passes clientSecretValue to upsertApp", async () => {
+    const { exitCode } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "integration:google",
+      "--client-id",
+      "abc123",
+      "--client-secret",
+      "s3cret",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockUpsertAppCalls).toHaveLength(1);
+    expect(mockUpsertAppCalls[0]).toEqual({
+      provider: "integration:google",
+      clientId: "abc123",
+      clientSecretOpts: { clientSecretValue: "s3cret" },
+    });
+  });
+  test("upsert without any secret option passes undefined", async () => {
+    const { exitCode } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "integration:google",
+      "--client-id",
+      "abc123",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockUpsertAppCalls).toHaveLength(1);
+    expect(mockUpsertAppCalls[0]).toEqual({
+      provider: "integration:google",
+      clientId: "abc123",
+      clientSecretOpts: undefined,
+    });
+  });
+  test("upsert resolves non-prefixed credential path via metadata store", async () => {
+    // The resolution logic splits on the LAST colon, so
+    // "integration:google:client_secret" → service="integration:google", field="client_secret"
+    mockGetCredentialMetadata = (service, field) =>
+      service === "integration:google" && field === "client_secret"
+        ? {
+            credentialId: "cred-1",
+            service: "integration:google",
+            field: "client_secret",
+            allowedTools: [],
+            allowedDomains: [],
+            createdAt: Date.now(),
+            updatedAt: Date.now(),
+          }
+        : undefined;
+    const { exitCode, stdout } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "integration:google",
+      "--client-id",
+      "abc",
+      "--client-secret-credential-path",
+      "integration:google:client_secret",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockUpsertAppCalls).toHaveLength(1);
+    // The non-prefixed path should have been resolved to the full credential key
+    expect(mockUpsertAppCalls[0]).toEqual({
+      provider: "integration:google",
+      clientId: "abc",
+      clientSecretOpts: {
+        clientSecretCredentialPath:
+          "credential/integration:google/client_secret",
+      },
+    });
+    const parsed = JSON.parse(stdout);
+    expect(parsed.id).toBe("app-upsert-1");
+  });
+  test("upsert passes prefixed credential path through unchanged", async () => {
+    const { exitCode, stdout } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "integration:google",
+      "--client-id",
+      "abc",
+      "--client-secret-credential-path",
+      "credential/integration:google/client_secret",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockUpsertAppCalls).toHaveLength(1);
+    // Already-prefixed path should be passed through as-is
+    expect(mockUpsertAppCalls[0]).toEqual({
+      provider: "integration:google",
+      clientId: "abc",
+      clientSecretOpts: {
+        clientSecretCredentialPath:
+          "credential/integration:google/client_secret",
+      },
+    });
+    const parsed = JSON.parse(stdout);
+    expect(parsed.id).toBe("app-upsert-1");
+  });
+  test("upsert with invalid credential path returns error when no secret found", async () => {
+    // Override upsertApp to throw when given an unresolvable credential path
+    mockUpsertAppImpl = async (_provider, _clientId, clientSecretOpts) => {
+      throw new Error(
+        `No secret found at credential path: ${clientSecretOpts?.clientSecretCredentialPath}`,
+      );
+    };
+    const { exitCode, stdout } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "integration:google",
+      "--client-id",
+      "abc",
+      "--client-secret-credential-path",
+      "bogus:nonexistent:path",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("No secret found");
+  });
+});
+// ---------------------------------------------------------------------------
+// ping
+// ---------------------------------------------------------------------------
+describe("assistant oauth connections ping <provider-key>", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    secureKeyStore = new Map();
+    metadataStore = [];
+    disconnectOAuthProviderCalls = [];
+    disconnectOAuthProviderResult = "not-found";
+    idCounter = 0;
+  });
+  test("returns ok when ping endpoint returns 200", async () => {
+    mockGetProvider = () => ({
+      providerKey: "integration:google",
+      pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+    const originalFetch = globalThis.fetch;
+    globalThis.fetch = (async () =>
+      new Response("{}", { status: 200 })) as unknown as typeof fetch;
+    try {
+      const { exitCode, stdout } = await runCli([
+        "connections",
+        "ping",
+        "integration:google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.status).toBe(200);
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+  test("exits 1 when provider not found", async () => {
+    mockGetProvider = () => undefined;
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "ping",
+      "integration:unknown",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("Provider not found");
+  });
+  test("exits 1 when no ping URL configured", async () => {
+    mockGetProvider = () => ({
+      providerKey: "telegram",
+      pingUrl: null,
+      authUrl: "urn:manual-token",
+      tokenUrl: "urn:manual-token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "ping",
+      "telegram",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("No ping URL configured");
+  });
+  test("exits 1 when ping endpoint returns non-2xx", async () => {
+    mockGetProvider = () => ({
+      providerKey: "integration:google",
+      pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+    const originalFetch = globalThis.fetch;
+    // Use 403 (not 401) — 401 now throws inside withValidToken for retry
+    globalThis.fetch = (async () =>
+      new Response("Forbidden", { status: 403 })) as unknown as typeof fetch;
+    try {
+      const { exitCode, stdout } = await runCli([
+        "connections",
+        "ping",
+        "integration:google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(1);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.status).toBe(403);
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+  test("exits 1 when no token exists", async () => {
+    mockWithValidToken = async () => {
+      throw new Error('No access token found for "integration:google".');
+    };
+    mockGetProvider = () => ({
+      providerKey: "integration:google",
+      pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      defaultScopes: "[]",
+      scopePolicy: "{}",
+      extraParams: null,
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+    const { exitCode, stdout } = await runCli([
+      "connections",
+      "ping",
+      "integration:google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("No access token");
+  });
 });