npm - @vellumai/assistant - Versions diffs - 0.4.49 → 0.4.51 - Mend

@vellumai/assistant 0.4.49 → 0.4.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (353) hide show

package/ARCHITECTURE.md +24 -33
package/README.md +3 -3
package/docs/architecture/integrations.md +2 -2
package/docs/architecture/keychain-broker.md +6 -6
package/docs/architecture/memory.md +180 -119
package/knip.json +32 -0
package/package.json +3 -2
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +114 -23
package/src/__tests__/approval-cascade.test.ts +1 -15
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/btw-routes.test.ts +61 -5
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/checker.test.ts +13 -0
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/config-watcher.test.ts +8 -0
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/conversation-routes-guardian-reply.test.ts +8 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-security-invariants.test.ts +8 -7
package/src/__tests__/credential-vault-unit.test.ts +23 -18
package/src/__tests__/credential-vault.test.ts +30 -18
package/src/__tests__/credentials-cli.test.ts +257 -82
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/guardian-routing-invariants.test.ts +93 -0
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +165 -3
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/inbound-invite-redemption.test.ts +36 -7
package/src/__tests__/integration-status.test.ts +31 -30
package/src/__tests__/invite-redemption-service.test.ts +166 -13
package/src/__tests__/invite-routes-http.test.ts +166 -5
package/src/__tests__/keychain-broker-client.test.ts +4 -4
package/src/__tests__/list-messages-attachments.test.ts +193 -0
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/oauth-cli.test.ts +824 -31
package/src/__tests__/oauth-provider-profiles.test.ts +1 -1
package/src/__tests__/oauth-store.test.ts +363 -17
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/registry.test.ts +0 -1
package/src/__tests__/relay-server.test.ts +55 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secret-routes-managed-proxy.test.ts +183 -0
package/src/__tests__/secure-keys.test.ts +78 -18
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/server-history-render.test.ts +2 -2
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skills.test.ts +2 -2
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/slack-channel-config.test.ts +10 -8
package/src/__tests__/trust-store.test.ts +15 -0
package/src/__tests__/twilio-config.test.ts +11 -10
package/src/__tests__/twilio-provider.test.ts +9 -4
package/src/__tests__/voice-invite-redemption.test.ts +85 -5
package/src/agent/ax-tree-compaction.test.ts +51 -0
package/src/agent/loop.ts +39 -12
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +134 -3
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +44 -6
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +5 -4
package/src/calls/twilio-provider.ts +14 -9
package/src/calls/twilio-rest.ts +10 -7
package/src/calls/types.ts +3 -1
package/src/cli/commands/config.ts +14 -9
package/src/cli/commands/contacts.ts +3 -0
package/src/cli/commands/credentials.ts +170 -174
package/src/cli/commands/doctor.ts +11 -8
package/src/cli/commands/keys.ts +9 -9
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +68 -10
package/src/cli/commands/oauth/connections.ts +475 -105
package/src/cli/commands/oauth/index.ts +3 -3
package/src/cli/commands/oauth/providers.ts +18 -4
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +173 -1
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +5 -6
package/src/cli.ts +20 -22
package/src/config/__tests__/feature-flag-registry-bundled.test.ts +39 -0
package/src/config/bundled-skills/computer-use/TOOLS.json +1 -1
package/src/config/bundled-skills/computer-use/tools/computer-use-observe.ts +12 -0
package/src/config/bundled-skills/contacts/SKILL.md +35 -11
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +1 -1
package/src/config/bundled-skills/gmail/SKILL.md +1 -1
package/src/config/bundled-skills/gmail/TOOLS.json +52 -0
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +13 -3
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +9 -2
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +5 -1
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +5 -1
package/src/config/bundled-skills/google-calendar/TOOLS.json +20 -0
package/src/config/bundled-skills/google-calendar/tools/calendar-check-availability.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-create-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-get-event.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-list-events.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/calendar-rsvp.ts +2 -1
package/src/config/bundled-skills/google-calendar/tools/shared.ts +8 -2
package/src/config/bundled-skills/messaging/SKILL.md +1 -1
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-auth-test.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-list-conversations.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-mark-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-read.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-search.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +2 -2
package/src/config/bundled-skills/messaging/tools/messaging-sender-digest.ts +2 -2
package/src/config/bundled-skills/messaging/tools/shared.ts +7 -5
package/src/config/bundled-skills/slack/tools/shared.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-add-reaction.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-channel-details.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-delete-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-edit-message.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-leave-channel.ts +1 -1
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +1 -1
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/loader.ts +6 -42
package/src/config/schema.ts +1 -12
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/types.ts +0 -4
package/src/contacts/contact-store.ts +39 -2
package/src/contacts/contacts-write.ts +9 -0
package/src/context/window-manager.ts +4 -1
package/src/daemon/config-watcher.ts +55 -2
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/config-ingress.ts +2 -2
package/src/daemon/handlers/config-slack-channel.ts +59 -39
package/src/daemon/handlers/config-telegram.ts +23 -14
package/src/daemon/handlers/session-history.ts +1 -358
package/src/daemon/handlers/sessions.ts +18 -13
package/src/daemon/handlers/shared.ts +3 -17
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +55 -26
package/src/daemon/lifecycle.ts +39 -4
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-types/computer-use.ts +1 -12
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +1 -0
package/src/daemon/message-types/sessions.ts +4 -42
package/src/daemon/server.ts +6 -1
package/src/daemon/session-agent-loop-handlers.ts +38 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-slash.ts +3 -5
package/src/daemon/session-surfaces.ts +4 -1
package/src/daemon/session-tool-setup.ts +7 -1
package/src/daemon/session.ts +12 -2
package/src/email/providers/index.ts +2 -2
package/src/instrument.ts +61 -1
package/src/media/avatar-router.ts +1 -1
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-queries.ts +25 -83
package/src/memory/db-init.ts +32 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/invite-store.ts +19 -0
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +2 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/157-invite-contact-id.ts +104 -0
package/src/memory/migrations/index.ts +8 -0
package/src/memory/migrations/registry.ts +6 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +2 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/provider.ts +1 -1
package/src/messaging/providers/gmail/adapter.ts +1 -1
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/messaging/providers/telegram-bot/adapter.ts +17 -8
package/src/messaging/providers/whatsapp/adapter.ts +13 -9
package/src/messaging/registry.ts +9 -5
package/src/oauth/byo-connection.test.ts +40 -25
package/src/oauth/connect-orchestrator.ts +4 -10
package/src/oauth/connection-resolver.ts +20 -6
package/src/oauth/manual-token-connection.ts +5 -5
package/src/oauth/oauth-store.ts +183 -31
package/src/oauth/platform-connection.test.ts +1 -1
package/src/oauth/provider-behaviors.ts +503 -4
package/src/oauth/seed-providers.ts +214 -8
package/src/oauth/token-persistence.ts +31 -16
package/src/permissions/defaults.ts +1 -0
package/src/permissions/trust-store.ts +23 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/system-prompt.ts +18 -2
package/src/providers/anthropic/client.ts +56 -126
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -3
package/src/runtime/channel-readiness-service.ts +48 -40
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +2 -2
package/src/runtime/http-types.ts +2 -0
package/src/runtime/invite-redemption-service.ts +72 -12
package/src/runtime/invite-service.ts +43 -0
package/src/runtime/middleware/twilio-validation.ts +1 -1
package/src/runtime/pending-interactions.ts +2 -2
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/btw-routes.ts +10 -5
package/src/runtime/routes/conversation-routes.ts +56 -11
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/integrations/slack/channel.ts +2 -2
package/src/runtime/routes/integrations/telegram.ts +2 -2
package/src/runtime/routes/integrations/twilio.ts +17 -17
package/src/runtime/routes/invite-routes.ts +29 -4
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/secret-routes.ts +17 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +3 -3
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/workspace-routes.ts +9 -4
package/src/runtime/routes/workspace-utils.ts +8 -2
package/src/schedule/integration-status.ts +26 -19
package/src/security/keychain-broker-client.ts +17 -4
package/src/security/oauth2.ts +6 -7
package/src/security/secure-keys.ts +44 -19
package/src/security/token-manager.ts +46 -39
package/src/services/vercel-deploy.ts +0 -24
package/src/signals/confirm.ts +78 -0
package/src/signals/mcp-reload.ts +18 -0
package/src/skills/catalog-install.ts +74 -18
package/src/skills/skillssh-registry.ts +503 -0
package/src/tools/assets/search.ts +5 -1
package/src/tools/computer-use/definitions.ts +0 -10
package/src/tools/computer-use/registry.ts +1 -1
package/src/tools/credentials/vault.ts +22 -7
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/network/script-proxy/session-manager.ts +8 -8
package/src/tools/schedule/create.ts +10 -3
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +25 -2
package/src/watcher/provider-types.ts +1 -1
package/src/watcher/providers/github.ts +1 -1
package/src/watcher/providers/gmail.ts +3 -3
package/src/watcher/providers/google-calendar.ts +3 -3
package/src/watcher/providers/linear.ts +1 -1
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/runtime/routes/mcp-routes.ts +0 -20

package/src/cli/commands/oauth/connections.ts CHANGED Viewed

@@ -1,18 +1,30 @@
 import type { Command } from "commander";
+import { orchestrateOAuthConnect } from "../../../oauth/connect-orchestrator.js";
 import {
   disconnectOAuthProvider,
+  getAppByProviderAndClientId,
   getConnection,
   getConnectionByProvider,
+  getMostRecentAppByProvider,
+  getProvider,
   listConnections,
 } from "../../../oauth/oauth-store.js";
+import {
+  getProviderBehavior,
+  resolveService,
+} from "../../../oauth/provider-behaviors.js";
 import { credentialKey } from "../../../security/credential-key.js";
-import { deleteSecureKeyAsync } from "../../../security/secure-keys.js";
+import {
+  deleteSecureKeyAsync,
+  getSecureKey,
+} from "../../../security/secure-keys.js";
 import { withValidToken } from "../../../security/token-manager.js";
 import {
   assertMetadataWritable,
   deleteCredentialMetadata,
 } from "../../../tools/credentials/metadata-store.js";
+import { isLinux, isMacOS } from "../../../util/platform.js";
 import { getCliLogger } from "../../logger.js";
 import { shouldOutputJson, writeOutput } from "../../output.js";
@@ -35,7 +47,13 @@ function redactMetadata(obj: Record<string, unknown>): Record<string, unknown> {
   for (const [key, value] of Object.entries(obj)) {
     if (REDACTED_METADATA_KEYS.has(key)) {
       result[key] = "[REDACTED]";
-    } else if (value && typeof value === "object" && !Array.isArray(value)) {
+    } else if (Array.isArray(value)) {
+      result[key] = value.map((item) =>
+        item && typeof item === "object" && !Array.isArray(item)
+          ? redactMetadata(item as Record<string, unknown>)
+          : item,
+      );
+    } else if (value && typeof value === "object") {
       result[key] = redactMetadata(value as Record<string, unknown>);
     } else {
       result[key] = value;
@@ -73,10 +91,16 @@ token expiry, refresh token availability, account info, and status.
 Examples:
   $ assistant oauth connections list
-  $ assistant oauth connections list --provider integration:gmail
+  $ assistant oauth connections list --provider integration:google
+  $ assistant oauth connections list --client-id abc123
   $ assistant oauth connections get --id <uuid>
-  $ assistant oauth connections get --provider integration:gmail
-  $ assistant oauth connections token integration:twitter`,
+  $ assistant oauth connections get --provider integration:google
+  $ assistant oauth connections get --provider integration:google --client-id abc123
+  $ assistant oauth connections token integration:twitter
+  $ assistant oauth connections ping integration:google
+  $ assistant oauth connections connect integration:google
+  $ assistant oauth connections connect integration:google --open-browser
+  $ assistant oauth connections disconnect integration:google`,
   );
   // ---------------------------------------------------------------------------
@@ -88,23 +112,27 @@ Examples:
     .description("List all OAuth connections")
     .option(
       "--provider <key>",
-      "Filter by provider key (e.g. integration:gmail)",
+      "Filter by provider key (e.g. integration:google)",
     )
+    .option("--client-id <id>", "Filter by OAuth client ID")
     .addHelpText(
       "after",
       `
-Lists all OAuth connections, optionally filtered by provider key.
+Lists all OAuth connections, optionally filtered by provider key and/or client ID.
 Each connection shows its ID, provider, account info, granted scopes, token
 expiry, refresh token availability, and status.
 Examples:
   $ assistant oauth connections list
-  $ assistant oauth connections list --provider integration:gmail`,
+  $ assistant oauth connections list --provider integration:google
+  $ assistant oauth connections list --client-id abc123`,
     )
-    .action((opts: { provider?: string }, cmd: Command) => {
+    .action((opts: { provider?: string; clientId?: string }, cmd: Command) => {
       try {
-        const rows = listConnections(opts.provider).map(formatConnectionRow);
+        const rows = listConnections(opts.provider, opts.clientId).map(
+          formatConnectionRow,
+        );
         if (!shouldOutputJson(cmd)) {
           log.info(`Found ${rows.length} connection(s)`);
@@ -130,6 +158,10 @@ Examples:
       "--provider <key>",
       "Provider key (returns most recent active connection)",
     )
+    .option(
+      "--client-id <id>",
+      "Filter by OAuth client ID (used with --provider)",
+    )
     .addHelpText(
       "after",
       `
@@ -139,40 +171,46 @@ Two lookup modes are supported:
      $ assistant oauth connections get --id <uuid>
   2. By provider (returns the most recent active connection):
-     $ assistant oauth connections get --provider integration:gmail
+     $ assistant oauth connections get --provider integration:google
+     $ assistant oauth connections get --provider integration:google --client-id abc123
 At least --id or --provider must be specified.`,
     )
-    .action((opts: { id?: string; provider?: string }, cmd: Command) => {
-      try {
-        let row;
-        if (opts.id) {
-          row = getConnection(opts.id);
-        } else if (opts.provider) {
-          row = getConnectionByProvider(opts.provider);
-        } else {
-          writeOutput(cmd, {
-            ok: false,
-            error: "Provide --id or --provider",
-          });
+    .action(
+      (
+        opts: { id?: string; provider?: string; clientId?: string },
+        cmd: Command,
+      ) => {
+        try {
+          let row;
+          if (opts.id) {
+            row = getConnection(opts.id);
+          } else if (opts.provider) {
+            row = getConnectionByProvider(opts.provider, opts.clientId);
+          } else {
+            writeOutput(cmd, {
+              ok: false,
+              error: "Provide --id or --provider",
+            });
+            process.exitCode = 1;
+            return;
+          }
+          if (!row) {
+            writeOutput(cmd, { ok: false, error: "Connection not found" });
+            process.exitCode = 1;
+            return;
+          }
+          writeOutput(cmd, formatConnectionRow(row));
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeOutput(cmd, { ok: false, error: message });
           process.exitCode = 1;
-          return;
         }
-        if (!row) {
-          writeOutput(cmd, { ok: false, error: "Connection not found" });
-          process.exitCode = 1;
-          return;
-        }
-        writeOutput(cmd, formatConnectionRow(row));
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
-        process.exitCode = 1;
-      }
-    });
+      },
+    );
   // ---------------------------------------------------------------------------
   // connections token <provider-key>
@@ -183,11 +221,15 @@ At least --id or --provider must be specified.`,
     .description(
       "Print a valid OAuth access token for a provider, refreshing if expired",
     )
+    .option(
+      "--client-id <id>",
+      "Filter by OAuth client ID when multiple apps exist for the provider",
+    )
     .addHelpText(
       "after",
       `
 Arguments:
-  provider-key   Provider key (e.g. integration:gmail, integration:twitter)
+  provider-key   Provider key (e.g. integration:google, integration:twitter)
 Returns a valid OAuth access token for the given provider. If the stored token
 is expired or near-expiry, it is refreshed automatically before being returned.
@@ -199,22 +241,156 @@ Exits with code 1 if no access token exists or refresh fails.
 Examples:
   $ assistant oauth connections token integration:twitter
-  $ assistant oauth connections token integration:gmail --json`,
+  $ assistant oauth connections token integration:google --json
+  $ assistant oauth connections token integration:google --client-id abc123`,
     )
-    .action(async (providerKey: string, _opts: unknown, cmd: Command) => {
-      try {
-        const token = await withValidToken(providerKey, async (t) => t);
-        if (shouldOutputJson(cmd)) {
-          writeOutput(cmd, { ok: true, token });
-        } else {
-          process.stdout.write(token + "\n");
+    .action(
+      async (
+        providerKey: string,
+        opts: { clientId?: string },
+        cmd: Command,
+      ) => {
+        try {
+          const token = await withValidToken(
+            providerKey,
+            async (t) => t,
+            opts.clientId,
+          );
+          if (shouldOutputJson(cmd)) {
+            writeOutput(cmd, { ok: true, token });
+          } else {
+            process.stdout.write(token + "\n");
+          }
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeOutput(cmd, { ok: false, error: message });
+          process.exitCode = 1;
         }
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
-        process.exitCode = 1;
-      }
-    });
+      },
+    );
+  // ---------------------------------------------------------------------------
+  // connections ping <provider-key>
+  // ---------------------------------------------------------------------------
+  connections
+    .command("ping <provider-key>")
+    .description(
+      "Verify that a stored OAuth token is still valid by hitting the provider's health-check endpoint",
+    )
+    .option(
+      "--client-id <id>",
+      "Filter by OAuth client ID when multiple apps exist for the provider",
+    )
+    .addHelpText(
+      "after",
+      `
+Arguments:
+  provider-key   Provider key (e.g. integration:google, integration:twitter)
+Fetches a valid access token (refreshing if needed) and sends a GET request
+to the provider's configured ping URL. Reports success (HTTP 2xx) or failure.
+The ping URL is set per-provider in seed data or via "providers register --ping-url".
+If no ping URL is configured for the provider, exits with an error.
+Examples:
+  $ assistant oauth connections ping integration:google
+  $ assistant oauth connections ping integration:twitter --json
+  $ assistant oauth connections ping integration:google --client-id abc123`,
+    )
+    .action(
+      async (
+        providerKey: string,
+        opts: { clientId?: string },
+        cmd: Command,
+      ) => {
+        try {
+          const provider = getProvider(providerKey);
+          if (!provider) {
+            writeOutput(cmd, {
+              ok: false,
+              error: `Provider not found: ${providerKey}`,
+            });
+            process.exitCode = 1;
+            return;
+          }
+          if (!provider.pingUrl) {
+            writeOutput(cmd, {
+              ok: false,
+              error: `No ping URL configured for "${providerKey}"`,
+            });
+            process.exitCode = 1;
+            return;
+          }
+          const pingUrl = provider.pingUrl;
+          const PING_TIMEOUT_MS = 15_000;
+          const result = await withValidToken(
+            providerKey,
+            async (token) => {
+              const controller = new AbortController();
+              const timer = setTimeout(
+                () => controller.abort(),
+                PING_TIMEOUT_MS,
+              );
+              try {
+                const res = await fetch(pingUrl, {
+                  method: "GET",
+                  headers: { Authorization: `Bearer ${token}` },
+                  signal: controller.signal,
+                });
+                if (res.status === 401) {
+                  const err = new Error(
+                    `Ping returned HTTP 401 from ${pingUrl}`,
+                  );
+                  (err as unknown as { status: number }).status = 401;
+                  throw err;
+                }
+                return { status: res.status, ok: res.ok };
+              } finally {
+                clearTimeout(timer);
+              }
+            },
+            opts.clientId,
+          );
+          if (result.ok) {
+            if (shouldOutputJson(cmd)) {
+              writeOutput(cmd, {
+                ok: true,
+                provider: providerKey,
+                status: result.status,
+              });
+            } else {
+              log.info(`${providerKey}: OK (HTTP ${result.status})`);
+              writeOutput(cmd, {
+                ok: true,
+                provider: providerKey,
+                status: result.status,
+              });
+            }
+          } else {
+            writeOutput(cmd, {
+              ok: false,
+              provider: providerKey,
+              status: result.status,
+              error: `Ping failed with HTTP ${result.status}`,
+            });
+            process.exitCode = 1;
+          }
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeOutput(cmd, { ok: false, error: message });
+          process.exitCode = 1;
+        }
+      },
+    );
   // ---------------------------------------------------------------------------
   // connections disconnect <provider-key>
@@ -225,11 +401,15 @@ Examples:
     .description(
       "Disconnect an OAuth integration and remove all associated credentials",
     )
+    .option(
+      "--client-id <id>",
+      "Filter by OAuth client ID when multiple apps exist for the provider",
+    )
     .addHelpText(
       "after",
       `
 Arguments:
-  provider-key   The full provider key (e.g. integration:gmail, integration:slack)
+  provider-key   The full provider key (e.g. integration:google, integration:slack)
 Removes the OAuth connection, tokens, and any legacy credential metadata for
 the provider. The <provider-key> argument is the full provider key as-is — it
@@ -239,61 +419,251 @@ Legacy credential keys for common fields (access_token, refresh_token,
 client_id, client_secret) are also cleaned up if present.
 Examples:
-  $ assistant oauth connections disconnect integration:gmail
-  $ assistant oauth connections disconnect integration:slack`,
+  $ assistant oauth connections disconnect integration:google
+  $ assistant oauth connections disconnect integration:slack
+  $ assistant oauth connections disconnect integration:google --client-id abc123`,
     )
-    .action(async (providerKey: string, _opts: unknown, cmd: Command) => {
-      try {
-        assertMetadataWritable();
-        let cleanedUp = false;
-        // 1. Disconnect the OAuth connection (new-format keys + connection row)
-        const oauthResult = await disconnectOAuthProvider(providerKey);
-        if (oauthResult === "error") {
-          writeOutput(cmd, {
-            ok: false,
-            error: `Failed to disconnect OAuth provider "${providerKey}" — please try again`,
-          });
+    .action(
+      async (
+        providerKey: string,
+        opts: { clientId?: string },
+        cmd: Command,
+      ) => {
+        try {
+          assertMetadataWritable();
+          let cleanedUp = false;
+          // 1. Disconnect the OAuth connection (new-format keys + connection row)
+          const oauthResult = await disconnectOAuthProvider(
+            providerKey,
+            opts.clientId,
+          );
+          if (oauthResult === "error") {
+            writeOutput(cmd, {
+              ok: false,
+              error: `Failed to disconnect OAuth provider "${providerKey}" — please try again`,
+            });
+            process.exitCode = 1;
+            return;
+          }
+          if (oauthResult === "disconnected") cleanedUp = true;
+          // 2. Clean up legacy credential keys for common fields
+          const legacyFields = [
+            "access_token",
+            "refresh_token",
+            "client_id",
+            "client_secret",
+          ];
+          for (const field of legacyFields) {
+            const key = credentialKey(providerKey, field);
+            const result = await deleteSecureKeyAsync(key);
+            if (result === "deleted") cleanedUp = true;
+            const metaDeleted = deleteCredentialMetadata(providerKey, field);
+            if (metaDeleted) cleanedUp = true;
+          }
+          if (!cleanedUp) {
+            writeOutput(cmd, {
+              ok: false,
+              error: `No OAuth connection or credentials found for "${providerKey}"`,
+            });
+            process.exitCode = 1;
+            return;
+          }
+          writeOutput(cmd, { ok: true, service: providerKey });
+          if (!shouldOutputJson(cmd)) {
+            log.info(`Disconnected ${providerKey}`);
+          }
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeOutput(cmd, { ok: false, error: message });
           process.exitCode = 1;
-          return;
-        }
-        if (oauthResult === "disconnected") cleanedUp = true;
-        // 2. Clean up legacy credential keys for common fields
-        const legacyFields = [
-          "access_token",
-          "refresh_token",
-          "client_id",
-          "client_secret",
-        ];
-        for (const field of legacyFields) {
-          const key = credentialKey(providerKey, field);
-          const result = await deleteSecureKeyAsync(key);
-          if (result === "deleted") cleanedUp = true;
-          const metaDeleted = deleteCredentialMetadata(providerKey, field);
-          if (metaDeleted) cleanedUp = true;
         }
+      },
+    );
-        if (!cleanedUp) {
-          writeOutput(cmd, {
-            ok: false,
-            error: `No OAuth connection or credentials found for "${providerKey}"`,
-          });
-          process.exitCode = 1;
-          return;
-        }
+  // ---------------------------------------------------------------------------
+  // connections connect <provider-key>
+  // ---------------------------------------------------------------------------
+  connections
+    .command("connect <provider-key>")
+    .description("Initiate an OAuth2 authorization flow for a provider")
+    .option(
+      "--client-id <id>",
+      "Filter by OAuth client ID when multiple apps exist for the provider",
+    )
+    .option(
+      "--scopes <scopes...>",
+      "Additional scopes beyond the provider's defaults",
+    )
+    .option(
+      "--open-browser",
+      "Open the auth URL in the browser and wait for completion",
+    )
+    .addHelpText(
+      "after",
+      `
+Arguments:
+  provider-key   Provider key (e.g. integration:google) or alias (e.g. gmail)
-        writeOutput(cmd, { ok: true, service: providerKey });
+Initiates an OAuth2 authorization flow for the given provider. By default,
+prints the authorization URL to stdout — useful for headless/remote sessions.
+The token exchange completes in the background when the user authorizes.
-        if (!shouldOutputJson(cmd)) {
-          log.info(`Disconnected ${providerKey}`);
+With --open-browser, opens the authorization URL in your browser and waits
+for completion.
+Client credentials are resolved from the OAuth app store. Use --client-id
+to select a specific app when multiple apps exist for the same provider.
+Examples:
+  $ assistant oauth connections connect integration:google
+  $ assistant oauth connections connect gmail --open-browser
+  $ assistant oauth connections connect integration:slack --client-id abc123
+  $ assistant oauth connections connect integration:google --scopes calendar.readonly --json`,
+    )
+    .action(
+      async (
+        providerKey: string,
+        opts: {
+          clientId?: string;
+          scopes?: string[];
+          openBrowser?: boolean;
+        },
+        cmd: Command,
+      ) => {
+        try {
+          // a. Resolve service alias
+          const resolvedServiceKey = resolveService(providerKey);
+          // b. Resolve client credentials from the DB
+          const dbApp = opts.clientId
+            ? getAppByProviderAndClientId(resolvedServiceKey, opts.clientId)
+            : getMostRecentAppByProvider(resolvedServiceKey);
+          let clientId = opts.clientId;
+          let clientSecret: string | undefined;
+          if (dbApp) {
+            if (!clientId) clientId = dbApp.clientId;
+            const storedSecret = getSecureKey(dbApp.clientSecretCredentialPath);
+            if (storedSecret) clientSecret = storedSecret;
+          } else if (opts.clientId) {
+            // --client-id was explicitly provided but no matching app exists
+            writeOutput(cmd, {
+              ok: false,
+              error: `No registered app found for "${resolvedServiceKey}" with client ID "${opts.clientId}". Register it first with 'assistant oauth apps upsert --client-id ${opts.clientId}'.`,
+            });
+            process.exitCode = 1;
+            return;
+          }
+          // c. Validate client_id
+          if (!clientId) {
+            writeOutput(cmd, {
+              ok: false,
+              error:
+                "No client_id found. Provide --client-id or register an app first with 'assistant oauth apps upsert'.",
+            });
+            process.exitCode = 1;
+            return;
+          }
+          // d. Check if client_secret is required but missing
+          if (clientSecret === undefined) {
+            const providerRow = getProvider(resolvedServiceKey);
+            const behavior = getProviderBehavior(resolvedServiceKey);
+            const requiresSecret =
+              behavior?.setup?.requiresClientSecret ??
+              !!(
+                providerRow?.tokenEndpointAuthMethod || providerRow?.extraParams
+              );
+            if (requiresSecret) {
+              writeOutput(cmd, {
+                ok: false,
+                error: `client_secret is required for ${resolvedServiceKey} but not found. Store it first with 'assistant oauth apps upsert --client-secret'.`,
+              });
+              process.exitCode = 1;
+              return;
+            }
+          }
+          // e. Call the orchestrator
+          const result = await orchestrateOAuthConnect({
+            service: providerKey,
+            clientId,
+            clientSecret,
+            isInteractive: !!opts.openBrowser,
+            openUrl: opts.openBrowser
+              ? (url) => {
+                  if (isMacOS()) {
+                    Bun.spawn(["open", url], {
+                      stdout: "ignore",
+                      stderr: "ignore",
+                    });
+                  } else if (isLinux()) {
+                    Bun.spawn(["xdg-open", url], {
+                      stdout: "ignore",
+                      stderr: "ignore",
+                    });
+                  } else {
+                    // Fallback: print URL for manual opening (stderr to keep --json stdout clean)
+                    process.stderr.write(
+                      `Open this URL to authorize:\n\n${url}\n`,
+                    );
+                  }
+                }
+              : undefined,
+            ...(opts.scopes ? { requestedScopes: opts.scopes } : {}),
+          });
+          // f. Handle results
+          if (!result.success) {
+            writeOutput(cmd, { ok: false, error: result.error });
+            process.exitCode = 1;
+            return;
+          }
+          if (result.deferred) {
+            if (shouldOutputJson(cmd)) {
+              writeOutput(cmd, {
+                ok: true,
+                deferred: true,
+                authUrl: result.authUrl,
+                service: result.service,
+              });
+            } else {
+              process.stdout.write(
+                `Open this URL to authorize:\n\n${result.authUrl}\n\nThe connection will complete automatically once you authorize.\n`,
+              );
+            }
+            return;
+          }
+          // Interactive mode completed
+          if (shouldOutputJson(cmd)) {
+            writeOutput(cmd, {
+              ok: true,
+              grantedScopes: result.grantedScopes,
+              accountInfo: result.accountInfo,
+            });
+          } else {
+            const msg = `Connected to ${resolvedServiceKey}${result.accountInfo ? ` as ${result.accountInfo}` : ""}`;
+            process.stdout.write(msg + "\n");
+          }
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeOutput(cmd, { ok: false, error: message });
+          process.exitCode = 1;
         }
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
-        process.exitCode = 1;
-      }
-    });
+      },
+    );
 }