@vellumai/assistant 0.4.49 → 0.4.51

package/src/__tests__/skills-install-extract.test.ts

@@ -0,0 +1,93 @@
+import { existsSync, mkdirSync, readFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+
+import { extractTarToDir } from "../skills/catalog-install.js";
+
+let tempDir: string;
+
+function makeTarEntry(name: string, content: string): Buffer {
+  const header = Buffer.alloc(512, 0);
+  const nameBuffer = Buffer.from(name, "utf-8");
+  nameBuffer.copy(header, 0, 0, Math.min(nameBuffer.length, 100));
+
+  const mode = Buffer.from("0000644\0", "ascii");
+  mode.copy(header, 100);
+  Buffer.from("0000000\0", "ascii").copy(header, 108); // uid
+  Buffer.from("0000000\0", "ascii").copy(header, 116); // gid
+
+  const sizeOct = content.length.toString(8).padStart(11, "0") + "\0";
+  Buffer.from(sizeOct, "ascii").copy(header, 124);
+
+  Buffer.from("00000000000\0", "ascii").copy(header, 136); // mtime
+  Buffer.from("        ", "ascii").copy(header, 148); // checksum placeholder
+  header[156] = "0".charCodeAt(0);
+  Buffer.from("ustar\0", "ascii").copy(header, 257);
+  Buffer.from("00", "ascii").copy(header, 263);
+
+  let sum = 0;
+  for (let i = 0; i < 512; i += 1) sum += header[i] ?? 0;
+  const checksum = sum.toString(8).padStart(6, "0");
+  Buffer.from(`${checksum}\0 `, "ascii").copy(header, 148);
+
+  const data = Buffer.from(content, "utf-8");
+  const paddedSize = Math.ceil(data.length / 512) * 512;
+  const padded = Buffer.alloc(paddedSize, 0);
+  data.copy(padded);
+
+  return Buffer.concat([header, padded]);
+}
+
+function makeTar(entries: Array<{ name: string; content: string }>): Buffer {
+  const body = entries.map((entry) => makeTarEntry(entry.name, entry.content));
+  return Buffer.concat([...body, Buffer.alloc(1024, 0)]);
+}
+
+beforeEach(() => {
+  tempDir = join(
+    tmpdir(),
+    `skills-extract-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+  );
+  mkdirSync(tempDir, { recursive: true });
+});
+
+afterEach(() => {
+  rmSync(tempDir, { recursive: true, force: true });
+});
+
+describe("extractTarToDir", () => {
+  test("extracts valid files and detects SKILL.md", () => {
+    const tar = makeTar([
+      { name: "SKILL.md", content: "# demo\n" },
+      { name: "scripts/run.sh", content: "echo ok\n" },
+    ]);
+
+    const foundSkillMd = extractTarToDir(tar, tempDir);
+
+    expect(foundSkillMd).toBe(true);
+    expect(readFileSync(join(tempDir, "SKILL.md"), "utf-8")).toBe("# demo\n");
+    expect(readFileSync(join(tempDir, "scripts", "run.sh"), "utf-8")).toBe(
+      "echo ok\n",
+    );
+  });
+
+  test("rejects traversal and absolute archive paths", () => {
+    const tar = makeTar([
+      { name: "SKILL.md", content: "# demo\n" },
+      { name: "../../escape.txt", content: "nope\n" },
+      { name: "..\\..\\win-escape.txt", content: "nope\n" },
+      { name: "/absolute.txt", content: "nope\n" },
+      { name: "C:/windows.txt", content: "nope\n" },
+    ]);
+
+    const foundSkillMd = extractTarToDir(tar, tempDir);
+
+    expect(foundSkillMd).toBe(true);
+    expect(existsSync(join(tempDir, "escape.txt"))).toBe(false);
+    expect(existsSync(join(tempDir, "win-escape.txt"))).toBe(false);
+    expect(existsSync(join(tempDir, "absolute.txt"))).toBe(false);
+    expect(existsSync(join(tempDir, "windows.txt"))).toBe(false);
+    expect(readFileSync(join(tempDir, "SKILL.md"), "utf-8")).toBe("# demo\n");
+  });
+});

package/src/__tests__/skills.test.ts

@@ -674,13 +674,13 @@ describe("ingress-dependent setup skills declare public-ingress", () => {
     expect(includes).toContain("public-ingress");
   });
 
-  test("slack-oauth-setup includes browser", () => {
+  test("slack-oauth-setup includes collaborative-oauth-flow", () => {
     const includes = readSkillIncludes(
       FIRST_PARTY_SKILLS_DIR,
       "slack-oauth-setup",
     );
     expect(includes).toBeDefined();
-    expect(includes).toContain("browser");
+    expect(includes).toContain("collaborative-oauth-flow");
   });
 });
 

package/src/__tests__/skillssh-registry.test.ts

@@ -0,0 +1,451 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import type {
+  AuditResponse,
+  SkillAuditData,
+  SkillsShSearchResult,
+} from "../skills/skillssh-registry.js";
+import {
+  fetchSkillAudits,
+  fetchSkillFromGitHub,
+  formatAuditBadges,
+  providerDisplayName,
+  resolveSkillSource,
+  riskToDisplay,
+  searchSkillsRegistry,
+  validateSkillSlug,
+} from "../skills/skillssh-registry.js";
+
+// ─── Fetch mock helpers ──────────────────────────────────────────────────────
+
+const originalFetch = globalThis.fetch;
+
+let mockFetchImpl: (url: string | URL | Request) => Promise<Response>;
+
+beforeEach(() => {
+  mockFetchImpl = () =>
+    Promise.resolve(new Response("not mocked", { status: 500 }));
+  globalThis.fetch = mock((input: string | URL | Request) =>
+    mockFetchImpl(typeof input === "string" ? input : input.toString()),
+  ) as unknown as typeof fetch;
+});
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+
+// ─── searchSkillsRegistry ────────────────────────────────────────────────────
+
+describe("searchSkillsRegistry", () => {
+  test("sends correct query parameters and returns results", async () => {
+    const mockResults: SkillsShSearchResult[] = [
+      {
+        id: "vercel-labs/agent-skills/vercel-react-best-practices",
+        skillId: "vercel-react-best-practices",
+        name: "Vercel React Best Practices",
+        installs: 1200,
+        source: "vercel-labs/agent-skills",
+      },
+    ];
+
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).toContain("skills.sh/api/search");
+      expect(urlStr).toContain("q=react");
+      expect(urlStr).toContain("limit=5");
+      return Promise.resolve(
+        new Response(JSON.stringify({ skills: mockResults }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+
+    const results = await searchSkillsRegistry("react", 5);
+    expect(results).toEqual(mockResults);
+  });
+
+  test("omits limit parameter when not provided", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).not.toContain("limit=");
+      return Promise.resolve(
+        new Response(JSON.stringify({ skills: [] }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+
+    const results = await searchSkillsRegistry("test");
+    expect(results).toEqual([]);
+  });
+
+  test("throws on non-OK response", async () => {
+    mockFetchImpl = () =>
+      Promise.resolve(new Response("Not Found", { status: 404 }));
+
+    await expect(searchSkillsRegistry("bad-query")).rejects.toThrow(
+      "skills.sh search failed: HTTP 404",
+    );
+  });
+});
+
+// ─── fetchSkillAudits ────────────────────────────────────────────────────────
+
+describe("fetchSkillAudits", () => {
+  test("sends correct parameters and returns audit data", async () => {
+    const mockAudits: AuditResponse = {
+      "vercel-react-best-practices": {
+        ath: {
+          risk: "safe",
+          alerts: 0,
+          score: 100,
+          analyzedAt: "2025-01-15T00:00:00Z",
+        },
+        socket: {
+          risk: "low",
+          alerts: 1,
+          score: 95,
+          analyzedAt: "2025-01-15T00:00:00Z",
+        },
+      },
+    };
+
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).toContain("add-skill.vercel.sh/audit");
+      expect(urlStr).toContain("source=vercel-labs%2Fagent-skills");
+      expect(urlStr).toContain(
+        "skills=vercel-react-best-practices%2Canother-skill",
+      );
+      return Promise.resolve(
+        new Response(JSON.stringify(mockAudits), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+
+    const audits = await fetchSkillAudits("vercel-labs/agent-skills", [
+      "vercel-react-best-practices",
+      "another-skill",
+    ]);
+    expect(audits).toEqual(mockAudits);
+  });
+
+  test("returns empty object for empty slugs list", async () => {
+    const audits = await fetchSkillAudits("some/source", []);
+    expect(audits).toEqual({});
+    // fetch should not have been called
+    expect(globalThis.fetch).not.toHaveBeenCalled();
+  });
+
+  test("throws on non-OK response", async () => {
+    mockFetchImpl = () =>
+      Promise.resolve(new Response("Internal Server Error", { status: 500 }));
+
+    await expect(fetchSkillAudits("some/source", ["slug"])).rejects.toThrow(
+      "Audit fetch failed: HTTP 500",
+    );
+  });
+});
+
+// ─── Display helpers ─────────────────────────────────────────────────────────
+
+describe("riskToDisplay", () => {
+  test("maps risk levels correctly", () => {
+    expect(riskToDisplay("safe")).toBe("PASS");
+    expect(riskToDisplay("low")).toBe("PASS");
+    expect(riskToDisplay("medium")).toBe("WARN");
+    expect(riskToDisplay("high")).toBe("FAIL");
+    expect(riskToDisplay("critical")).toBe("FAIL");
+    expect(riskToDisplay("unknown")).toBe("?");
+  });
+});
+
+describe("providerDisplayName", () => {
+  test("maps known providers", () => {
+    expect(providerDisplayName("ath")).toBe("ATH");
+    expect(providerDisplayName("socket")).toBe("Socket");
+    expect(providerDisplayName("snyk")).toBe("Snyk");
+  });
+
+  test("returns raw name for unknown providers", () => {
+    expect(providerDisplayName("custom-auditor")).toBe("custom-auditor");
+  });
+});
+
+describe("formatAuditBadges", () => {
+  test("formats multiple providers as badges", () => {
+    const auditData: SkillAuditData = {
+      ath: { risk: "safe", analyzedAt: "2025-01-15T00:00:00Z" },
+      socket: { risk: "safe", analyzedAt: "2025-01-15T00:00:00Z" },
+      snyk: { risk: "medium", analyzedAt: "2025-01-15T00:00:00Z" },
+    };
+    expect(formatAuditBadges(auditData)).toBe(
+      "Security: [ATH:PASS] [Socket:PASS] [Snyk:WARN]",
+    );
+  });
+
+  test("returns fallback message when no providers present", () => {
+    expect(formatAuditBadges({})).toBe("Security: no audit data");
+  });
+
+  test("handles single provider", () => {
+    const auditData: SkillAuditData = {
+      ath: { risk: "critical", analyzedAt: "2025-01-15T00:00:00Z" },
+    };
+    expect(formatAuditBadges(auditData)).toBe("Security: [ATH:FAIL]");
+  });
+});
+
+// ─── resolveSkillSource ─────────────────────────────────────────────────────
+
+describe("resolveSkillSource", () => {
+  test("parses owner/repo@skill-name format", () => {
+    const result = resolveSkillSource("vercel-labs/skills@find-skills");
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+    });
+  });
+
+  test("parses owner/repo/skill-name format", () => {
+    const result = resolveSkillSource("vercel-labs/skills/find-skills");
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+    });
+  });
+
+  test("parses full GitHub URL with main branch", () => {
+    const result = resolveSkillSource(
+      "https://github.com/vercel-labs/skills/tree/main/skills/find-skills",
+    );
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+      ref: "main",
+    });
+  });
+
+  test("parses full GitHub URL with non-main branch", () => {
+    const result = resolveSkillSource(
+      "https://github.com/some-org/repo/tree/develop/skills/my-skill",
+    );
+    expect(result).toEqual({
+      owner: "some-org",
+      repo: "repo",
+      skillSlug: "my-skill",
+      ref: "develop",
+    });
+  });
+
+  test("parses GitHub URL with trailing slash", () => {
+    const result = resolveSkillSource(
+      "https://github.com/owner/repo/tree/main/skills/skill-name/",
+    );
+    expect(result).toEqual({
+      owner: "owner",
+      repo: "repo",
+      skillSlug: "skill-name",
+      ref: "main",
+    });
+  });
+
+  test("throws on bare skill name (no owner/repo)", () => {
+    expect(() => resolveSkillSource("find-skills")).toThrow(
+      'Invalid skill source "find-skills"',
+    );
+  });
+
+  test("throws on empty string", () => {
+    expect(() => resolveSkillSource("")).toThrow('Invalid skill source ""');
+  });
+
+  test("throws on owner-only format", () => {
+    expect(() => resolveSkillSource("vercel-labs")).toThrow(
+      'Invalid skill source "vercel-labs"',
+    );
+  });
+
+  test("throws on owner/repo without skill", () => {
+    expect(() => resolveSkillSource("vercel-labs/skills")).toThrow(
+      'Invalid skill source "vercel-labs/skills"',
+    );
+  });
+
+  test("rejects path traversal in @ format slug", () => {
+    expect(() => resolveSkillSource("owner/repo@../../malicious")).toThrow(
+      'Invalid skill source "owner/repo@../../malicious"',
+    );
+  });
+
+  test("rejects uppercase slug in @ format", () => {
+    expect(() => resolveSkillSource("owner/repo@BadSlug")).toThrow(
+      'Invalid skill source "owner/repo@BadSlug"',
+    );
+  });
+});
+
+// ─── validateSkillSlug ──────────────────────────────────────────────────────
+
+describe("validateSkillSlug", () => {
+  test("accepts valid slugs", () => {
+    expect(() => validateSkillSlug("my-skill")).not.toThrow();
+    expect(() => validateSkillSlug("skill123")).not.toThrow();
+    expect(() => validateSkillSlug("my.skill")).not.toThrow();
+    expect(() => validateSkillSlug("my_skill")).not.toThrow();
+  });
+
+  test("rejects path traversal characters", () => {
+    expect(() => validateSkillSlug("../../malicious")).toThrow(
+      "path traversal",
+    );
+    expect(() => validateSkillSlug("foo/bar")).toThrow("path traversal");
+    expect(() => validateSkillSlug("foo\\bar")).toThrow("path traversal");
+  });
+
+  test("rejects slugs starting with special chars", () => {
+    expect(() => validateSkillSlug(".hidden")).toThrow();
+    expect(() => validateSkillSlug("-dash")).toThrow();
+  });
+
+  test("rejects empty input", () => {
+    expect(() => validateSkillSlug("")).toThrow("Skill slug is required");
+  });
+});
+
+// ─── fetchSkillFromGitHub ───────────────────────────────────────────────────
+
+describe("fetchSkillFromGitHub", () => {
+  test("fetches from conventional skills/<slug>/ path", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      // Probe request for skills/my-skill
+      if (urlStr.includes("/contents/skills/my-skill")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "SKILL.md",
+                type: "file",
+                download_url: "https://raw.example.com/SKILL.md",
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // File download
+      if (urlStr.includes("raw.example.com/SKILL.md")) {
+        return Promise.resolve(new Response("# My Skill", { status: 200 }));
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+
+    const files = await fetchSkillFromGitHub("owner", "repo", "my-skill");
+    expect(files["SKILL.md"]).toBe("# My Skill");
+  });
+
+  test("falls back to tree search when skills/<slug>/ returns 404", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      // Probe for conventional path returns 404
+      if (urlStr.includes("/contents/skills/csv")) {
+        return Promise.resolve(new Response("Not Found", { status: 404 }));
+      }
+      // Tree search returns the skill at a non-standard path
+      if (urlStr.includes("/git/trees/")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({
+              tree: [
+                { path: "examples/skills/csv/SKILL.md", type: "blob" },
+                { path: "examples/skills/csv/scripts/filter.sh", type: "blob" },
+                { path: "README.md", type: "blob" },
+              ],
+            }),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // Subdirectory listing (must precede parent path check — both use
+      // .includes() and the parent path is a prefix of this one)
+      if (urlStr.includes("/contents/examples/skills/csv/scripts")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "filter.sh",
+                type: "file",
+                download_url: "https://raw.example.com/filter.sh",
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // Contents API for the discovered path
+      if (urlStr.includes("/contents/examples/skills/csv")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "SKILL.md",
+                type: "file",
+                download_url: "https://raw.example.com/SKILL.md",
+              },
+              {
+                name: "scripts",
+                type: "dir",
+                download_url: null,
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // File downloads
+      if (urlStr.includes("raw.example.com/SKILL.md")) {
+        return Promise.resolve(new Response("# CSV Skill", { status: 200 }));
+      }
+      if (urlStr.includes("raw.example.com/filter.sh")) {
+        return Promise.resolve(
+          new Response("#!/bin/bash\necho filter", { status: 200 }),
+        );
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+
+    const files = await fetchSkillFromGitHub("vercel-labs", "bash-tool", "csv");
+    expect(files["SKILL.md"]).toBe("# CSV Skill");
+    expect(files["scripts/filter.sh"]).toBe("#!/bin/bash\necho filter");
+  });
+
+  test("throws when skill not found in tree either", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      if (urlStr.includes("/contents/skills/missing")) {
+        return Promise.resolve(new Response("Not Found", { status: 404 }));
+      }
+      if (urlStr.includes("/git/trees/")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({ tree: [{ path: "README.md", type: "blob" }] }),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+
+    await expect(
+      fetchSkillFromGitHub("owner", "repo", "missing"),
+    ).rejects.toThrow("Searched skills/missing/ and the full repo tree");
+  });
+});

package/src/__tests__/slack-channel-config.test.ts

@@ -101,6 +101,8 @@ mock.module("../security/secure-keys.js", () => {
   };
   return {
     getSecureKey: (account: string) => secureKeyStore[account] ?? undefined,
+    getSecureKeyAsync: async (account: string) =>
+      secureKeyStore[account] ?? undefined,
     setSecureKey: syncSet,
     deleteSecureKey: syncDelete,
     setSecureKeyAsync: async (account: string, value: string) =>
@@ -230,15 +232,15 @@ describe("Slack channel config handler", () => {
     globalThis.fetch = originalFetch;
   });
 
-  test("GET returns correct shape when not configured", () => {
-    const result = getSlackChannelConfig();
+  test("GET returns correct shape when not configured", async () => {
+    const result = await getSlackChannelConfig();
     expect(result.success).toBe(true);
     expect(result.hasBotToken).toBe(false);
     expect(result.hasAppToken).toBe(false);
     expect(result.connected).toBe(false);
   });
 
-  test("GET returns connected: true when oauth_connection is active and both keys exist", () => {
+  test("GET returns connected: true when oauth_connection is active and both keys exist", async () => {
     oauthConnectionStore["slack_channel"] = {
       id: "conn-slack",
       status: "active",
@@ -246,14 +248,14 @@ describe("Slack channel config handler", () => {
     secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
     secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
 
-    const result = getSlackChannelConfig();
+    const result = await getSlackChannelConfig();
     expect(result.success).toBe(true);
     expect(result.hasBotToken).toBe(true);
     expect(result.hasAppToken).toBe(true);
     expect(result.connected).toBe(true);
   });
 
-  test("GET reports per-field token presence independently of connection row", () => {
+  test("GET reports per-field token presence independently of connection row", async () => {
     // Only bot_token in keychain, no app_token, but connection row exists
     oauthConnectionStore["slack_channel"] = {
       id: "conn-slack",
@@ -261,7 +263,7 @@ describe("Slack channel config handler", () => {
     };
     secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
 
-    const result = getSlackChannelConfig();
+    const result = await getSlackChannelConfig();
     expect(result.success).toBe(true);
     expect(result.hasBotToken).toBe(true);
     expect(result.hasAppToken).toBe(false);
@@ -269,7 +271,7 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(false);
   });
 
-  test("GET returns metadata from config when available", () => {
+  test("GET returns metadata from config when available", async () => {
     oauthConnectionStore["slack_channel"] = {
       id: "conn-slack",
       status: "active",
@@ -285,7 +287,7 @@ describe("Slack channel config handler", () => {
       },
     };
 
-    const result = getSlackChannelConfig();
+    const result = await getSlackChannelConfig();
     expect(result.teamId).toBe("T123");
     expect(result.teamName).toBe("TestTeam");
     expect(result.botUserId).toBe("U_BOT");

package/src/__tests__/trust-store.test.ts

@@ -777,6 +777,7 @@ describe("Trust Store", () => {
         "computer_use_click",
         "computer_use_drag",
         "computer_use_key",
+        "computer_use_observe",
         "computer_use_open_app",
         "computer_use_run_applescript",
         "computer_use_scroll",
@@ -900,6 +901,20 @@ describe("Trust Store", () => {
       );
     });
 
+    test("findHighestPriorityRule matches default ask for computer_use_observe", () => {
+      const match = findHighestPriorityRule(
+        "computer_use_observe",
+        ["computer_use_observe:"],
+        "/tmp",
+      );
+      expect(match).not.toBeNull();
+      expect(match!.id).toBe("default:ask-computer_use_observe-global");
+      expect(match!.decision).toBe("ask");
+      expect(match!.priority).toBe(
+        DEFAULT_PRIORITY_BY_ID.get("default:ask-computer_use_observe-global")!,
+      );
+    });
+
     test("bootstrap delete rule matches only when workingDir is the workspace dir", () => {
       const workspaceDir = join(testDir, "workspace");
       // Should match when workingDir is the workspace directory — the bootstrap