@vellumai/assistant 0.4.49 → 0.4.51

package/src/oauth/seed-providers.ts

@@ -4,10 +4,15 @@ import { seedProviders } from "./oauth-store.js";
  * Protocol-level seed data for each well-known OAuth provider.
  *
  * These values are upserted into the `oauth_providers` SQLite table on
- * every startup so that corrections (e.g. a fixed baseUrl) propagate to
- * existing installations. Code-side behavioral fields (identityVerifier,
- * injectionTemplates, setup, etc.) live in `provider-behaviors.ts` and
- * are never persisted to the DB.
+ * every startup. Only Vellum implementation fields (authUrl, tokenUrl,
+ * tokenEndpointAuthMethod, extraParams, callbackTransport, loopbackPort,
+ * pingUrl) are overwritten on subsequent startups — user-customizable
+ * fields (defaultScopes, scopePolicy, userinfoUrl, baseUrl) are only
+ * written on initial insert and preserved across restarts.
+ *
+ * Code-side behavioral fields (identityVerifier, injectionTemplates,
+ * setup, etc.) live in `provider-behaviors.ts` and are never persisted
+ * to the DB.
  */
 const PROVIDER_SEED_DATA: Record<
   string,
@@ -17,6 +22,7 @@ const PROVIDER_SEED_DATA: Record<
     tokenUrl: string;
     tokenEndpointAuthMethod?: string;
     userinfoUrl?: string;
+    pingUrl?: string;
     baseUrl?: string;
     defaultScopes: string[];
     scopePolicy: {
@@ -29,11 +35,12 @@ const PROVIDER_SEED_DATA: Record<
     loopbackPort?: number;
   }
 > = {
-  "integration:gmail": {
-    providerKey: "integration:gmail",
+  "integration:google": {
+    providerKey: "integration:google",
     authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
     tokenUrl: "https://oauth2.googleapis.com/token",
     userinfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+    pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
     baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
     defaultScopes: [
       "https://www.googleapis.com/auth/gmail.readonly",
@@ -45,8 +52,11 @@ const PROVIDER_SEED_DATA: Record<
       "https://www.googleapis.com/auth/contacts.readonly",
     ],
     scopePolicy: {
-      allowAdditionalScopes: false,
-      allowedOptionalScopes: [],
+      allowAdditionalScopes: true,
+      allowedOptionalScopes: [
+        "https://www.googleapis.com/auth/drive.readonly",
+        "https://www.googleapis.com/auth/drive.file",
+      ],
       forbiddenScopes: [],
     },
     extraParams: { access_type: "offline", prompt: "consent" },
@@ -57,6 +67,7 @@ const PROVIDER_SEED_DATA: Record<
     providerKey: "integration:slack",
     authUrl: "https://slack.com/oauth/v2/authorize",
     tokenUrl: "https://slack.com/api/oauth.v2.access",
+    pingUrl: "https://slack.com/api/auth.test",
     baseUrl: "https://slack.com/api",
     defaultScopes: [
       "channels:read",
@@ -90,6 +101,7 @@ const PROVIDER_SEED_DATA: Record<
     providerKey: "integration:notion",
     authUrl: "https://api.notion.com/v1/oauth/authorize",
     tokenUrl: "https://api.notion.com/v1/oauth/token",
+    pingUrl: "https://api.notion.com/v1/users/me",
     baseUrl: "https://api.notion.com",
     defaultScopes: [],
     scopePolicy: {
@@ -99,12 +111,14 @@ const PROVIDER_SEED_DATA: Record<
     },
     extraParams: { owner: "user" },
     tokenEndpointAuthMethod: "client_secret_basic",
+    callbackTransport: "gateway",
   },
 
   "integration:twitter": {
     providerKey: "integration:twitter",
     authUrl: "https://twitter.com/i/oauth2/authorize",
     tokenUrl: "https://api.x.com/2/oauth2/token",
+    pingUrl: "https://api.x.com/2/users/me",
     baseUrl: "https://api.x.com",
     defaultScopes: [
       "tweet.read",
@@ -121,6 +135,197 @@ const PROVIDER_SEED_DATA: Record<
     callbackTransport: "gateway",
   },
 
+  "integration:github": {
+    providerKey: "integration:github",
+    authUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    pingUrl: "https://api.github.com/user",
+    baseUrl: "https://api.github.com",
+    defaultScopes: ["repo", "read:user", "notifications"],
+    scopePolicy: {
+      allowAdditionalScopes: true,
+      allowedOptionalScopes: [
+        "read:org",
+        "write:discussion",
+        "gist",
+        "project",
+      ],
+      forbiddenScopes: ["delete_repo", "admin:org"],
+    },
+    callbackTransport: "loopback",
+  },
+
+  "integration:linear": {
+    providerKey: "integration:linear",
+    authUrl: "https://linear.app/oauth/authorize",
+    tokenUrl: "https://api.linear.app/oauth/token",
+    pingUrl: "https://api.linear.app/graphql",
+    baseUrl: "https://api.linear.app",
+    defaultScopes: ["read", "write", "issues:create"],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    extraParams: { prompt: "consent" },
+    callbackTransport: "loopback",
+  },
+
+  "integration:spotify": {
+    providerKey: "integration:spotify",
+    authUrl: "https://accounts.spotify.com/authorize",
+    tokenUrl: "https://accounts.spotify.com/api/token",
+    pingUrl: "https://api.spotify.com/v1/me",
+    baseUrl: "https://api.spotify.com/v1",
+    defaultScopes: [
+      "user-read-playback-state",
+      "user-modify-playback-state",
+      "user-read-currently-playing",
+      "user-read-recently-played",
+      "playlist-read-private",
+      "playlist-modify-public",
+      "playlist-modify-private",
+      "user-library-read",
+      "user-library-modify",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    callbackTransport: "loopback",
+  },
+
+  "integration:todoist": {
+    providerKey: "integration:todoist",
+    authUrl: "https://todoist.com/oauth/authorize",
+    tokenUrl: "https://todoist.com/oauth/access_token",
+    pingUrl: "https://api.todoist.com/rest/v2/projects",
+    baseUrl: "https://api.todoist.com/rest/v2",
+    defaultScopes: ["data:read_write"],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: ["data:delete"],
+    },
+    callbackTransport: "loopback",
+  },
+
+  "integration:discord": {
+    providerKey: "integration:discord",
+    authUrl: "https://discord.com/oauth2/authorize",
+    tokenUrl: "https://discord.com/api/v10/oauth2/token",
+    pingUrl: "https://discord.com/api/v10/users/@me",
+    baseUrl: "https://discord.com/api/v10",
+    defaultScopes: [
+      "identify",
+      "guilds",
+      "guilds.members.read",
+      "messages.read",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: ["bot"],
+      forbiddenScopes: [],
+    },
+    callbackTransport: "loopback",
+  },
+
+  "integration:dropbox": {
+    providerKey: "integration:dropbox",
+    authUrl: "https://www.dropbox.com/oauth2/authorize",
+    tokenUrl: "https://api.dropboxapi.com/oauth2/token",
+    pingUrl: "https://api.dropboxapi.com/2/users/get_current_account",
+    baseUrl: "https://api.dropboxapi.com/2",
+    defaultScopes: [
+      "files.metadata.read",
+      "files.content.read",
+      "files.content.write",
+      "sharing.read",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    extraParams: { token_access_type: "offline" },
+    callbackTransport: "loopback",
+  },
+
+  "integration:asana": {
+    providerKey: "integration:asana",
+    authUrl: "https://app.asana.com/-/oauth_authorize",
+    tokenUrl: "https://app.asana.com/-/oauth_token",
+    pingUrl: "https://app.asana.com/api/1.0/users/me",
+    baseUrl: "https://app.asana.com/api/1.0",
+    defaultScopes: ["default"],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    callbackTransport: "loopback",
+  },
+
+  "integration:airtable": {
+    providerKey: "integration:airtable",
+    authUrl: "https://airtable.com/oauth2/v1/authorize",
+    tokenUrl: "https://airtable.com/oauth2/v1/token",
+    pingUrl: "https://api.airtable.com/v0/meta/whoami",
+    baseUrl: "https://api.airtable.com/v0",
+    defaultScopes: [
+      "data.records:read",
+      "data.records:write",
+      "schema.bases:read",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    tokenEndpointAuthMethod: "client_secret_post",
+    callbackTransport: "loopback",
+  },
+
+  "integration:hubspot": {
+    providerKey: "integration:hubspot",
+    authUrl: "https://app.hubspot.com/oauth/authorize",
+    tokenUrl: "https://api.hubapi.com/oauth/v1/token",
+    pingUrl: "https://api.hubapi.com/crm/v3/objects/contacts?limit=1",
+    baseUrl: "https://api.hubapi.com",
+    defaultScopes: [
+      "crm.objects.contacts.read",
+      "crm.objects.contacts.write",
+      "crm.objects.deals.read",
+      "crm.objects.deals.write",
+      "crm.objects.companies.read",
+    ],
+    scopePolicy: {
+      allowAdditionalScopes: true,
+      allowedOptionalScopes: [
+        "crm.objects.companies.write",
+        "crm.objects.owners.read",
+      ],
+      forbiddenScopes: [],
+    },
+    callbackTransport: "loopback",
+  },
+
+  "integration:figma": {
+    providerKey: "integration:figma",
+    authUrl: "https://www.figma.com/oauth",
+    tokenUrl: "https://api.figma.com/v1/oauth/token",
+    pingUrl: "https://api.figma.com/v1/me",
+    baseUrl: "https://api.figma.com/v1",
+    defaultScopes: ["files:read", "file_comments:write"],
+    scopePolicy: {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+    callbackTransport: "loopback",
+  },
+
   // Manual-token providers: these don't use OAuth2 flows but need provider
   // rows so that oauth_app and oauth_connection FK chains can reference them.
   // The authUrl/tokenUrl values are placeholders — never used at runtime.
@@ -128,6 +333,7 @@ const PROVIDER_SEED_DATA: Record<
     providerKey: "slack_channel",
     authUrl: "urn:manual-token",
     tokenUrl: "urn:manual-token",
+    pingUrl: "https://slack.com/api/auth.test",
     baseUrl: "https://slack.com/api",
     defaultScopes: [],
     scopePolicy: {

package/src/oauth/token-persistence.ts

@@ -10,19 +10,17 @@
  * `oauth_connection/{id}/...`).
  */
 
-import type {
-  OAuth2FlowResult,
-  TokenEndpointAuthMethod,
-} from "../security/oauth2.js";
+import type { OAuth2FlowResult } from "../security/oauth2.js";
 import {
   deleteSecureKeyAsync,
   setSecureKeyAsync,
 } from "../security/secure-keys.js";
-import type { CredentialInjectionTemplate } from "../tools/credentials/policy-types.js";
 import { runPostConnectHook } from "../tools/credentials/post-connect-hooks.js";
 import {
   createConnection,
+  getApp,
   getConnectionByProvider,
+  getConnectionByProviderAndAccount,
   updateConnection,
   upsertApp,
 } from "./oauth-store.js";
@@ -38,11 +36,7 @@ export interface StoreOAuth2TokensParams {
   rawTokenResponse: Record<string, unknown>;
   clientId: string;
   clientSecret?: string;
-  tokenUrl: string;
-  tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
   userinfoUrl?: string;
-  allowedTools?: string[];
-  wellKnownInjectionTemplates?: CredentialInjectionTemplate[];
   /** Fallback account info from an identity verifier (e.g. @username, email). */
   identityAccountInfo?: string;
   /** Pre-resolved oauth_app ID — skips the upsertApp() call if provided. */
@@ -101,13 +95,20 @@ export async function storeOAuth2Tokens(
 
   // 1. Upsert the oauth_app row (or use the pre-resolved ID).
   const app = params.oauthAppId
-    ? { id: params.oauthAppId }
-    : await upsertApp(service, clientId, clientSecret);
+    ? (getApp(params.oauthAppId) ?? {
+        id: params.oauthAppId,
+        clientSecretCredentialPath: `oauth_app/${params.oauthAppId}/client_secret`,
+      })
+    : await upsertApp(
+        service,
+        clientId,
+        clientSecret ? { clientSecretValue: clientSecret } : undefined,
+      );
 
   // When oauthAppId is pre-resolved, still persist clientSecret if provided.
   if (params.oauthAppId && clientSecret) {
     const stored = await setSecureKeyAsync(
-      `oauth_app/${params.oauthAppId}/client_secret`,
+      app.clientSecretCredentialPath,
       clientSecret,
     );
     if (!stored) {
@@ -115,14 +116,28 @@ export async function storeOAuth2Tokens(
     }
   }
 
-  // 2. Upsert oauth_connection — reuse existing active connection for this
-  //    provider, or create a new one.
-  const existingConn = getConnectionByProvider(service);
+  // 2. Upsert oauth_connection — reuse existing active connection for the
+  //    same account, or create a new one for a different account.
+  //    First try to match by account info (email); fall back to provider-only
+  //    lookup so that re-auth without userinfo still updates the right row.
+  const existingConn = resolvedAccountInfo
+    ? getConnectionByProviderAndAccount(service, resolvedAccountInfo)
+    : getConnectionByProvider(service);
   let connId: string;
 
   const hasRefreshToken = !!tokens.refreshToken;
 
-  if (existingConn) {
+  // Only reuse the existing connection if it's the same account (or we can't
+  // tell). When the user connects a different account for the same service,
+  // create a separate connection so we don't overwrite the first account's
+  // tokens.
+  const isNewAccount =
+    existingConn &&
+    resolvedAccountInfo !== undefined &&
+    existingConn.accountInfo !== undefined &&
+    resolvedAccountInfo !== existingConn.accountInfo;
+
+  if (existingConn && !isNewAccount) {
     connId = existingConn.id;
     updateConnection(connId, {
       oauthAppId: app.id,

package/src/permissions/defaults.ts

@@ -20,6 +20,7 @@ const HOST_FILE_TOOLS = [
   "host_file_edit",
 ] as const;
 const COMPUTER_USE_TOOLS = [
+  "computer_use_observe",
   "computer_use_click",
   "computer_use_type_text",
   "computer_use_key",

package/src/permissions/trust-store.ts

@@ -283,12 +283,28 @@ function loadFromDisk(): TrustRule[] {
       // Restore persisted starter bundle flag
       cachedStarterBundleAccepted = data.starterBundleAccepted === true;
 
+      // Defense-in-depth: strip any __internal: prefixed rules that may have
+      // been hand-edited into trust.json.
+      const sanitizedRules = rawRules.filter((r) => {
+        if (typeof r.tool === "string" && r.tool.startsWith("__internal:")) {
+          log.warn(
+            { ruleId: r.id, tool: r.tool },
+            "Stripping __internal: rule from trust file on load",
+          );
+          return false;
+        }
+        return true;
+      });
+
       if (
         data.version === TRUST_FILE_VERSION ||
         data.version === 1 ||
         data.version === 2
       ) {
-        rules = rawRules;
+        rules = sanitizedRules;
+        if (sanitizedRules.length < rawRules.length) {
+          needsSave = true;
+        }
         if (data.version !== TRUST_FILE_VERSION) {
           needsSave = true;
           log.info(
@@ -395,6 +411,8 @@ export function addRule(
     executionTarget?: string;
   },
 ): TrustRule {
+  if (tool.startsWith("__internal:"))
+    throw new Error(`Cannot create internal pseudo-rule via addRule: ${tool}`);
   // Re-read from disk to avoid lost updates if another call modified rules
   // between our last read and now (e.g. two rapid trust rule additions).
   cachedRules = null;
@@ -437,6 +455,10 @@ export function updateRule(
   const defaultIds = new Set(getDefaultRuleTemplates().map((t) => t.id));
   if (defaultIds.has(id))
     throw new Error(`Cannot modify default trust rule: ${id}`);
+  if (updates.tool?.startsWith("__internal:"))
+    throw new Error(
+      `Cannot update tool to internal pseudo-rule: ${updates.tool}`,
+    );
 
   // Re-read from disk to avoid lost updates from concurrent modifications.
   cachedRules = null;

package/src/playbooks/playbook-compiler.ts

@@ -1,7 +1,7 @@
 /**
  * Compile all active playbook memory items into a triage context block
  * that can be injected into the system prompt alongside the contact
- * graph and dynamic profile.
+ * graph.
  */
 
 import { and, desc, eq, isNull } from "drizzle-orm";

package/src/prompts/system-prompt.ts

@@ -690,7 +690,7 @@ function buildMemoryRecallSection(): string {
     "- The auto-injected memory context doesn't contain what you need",
     "- The user references something from a previous session",
     "",
-    "The tool searches across semantic, lexical, entity graph, and recency sources. Be specific in your query for best results.",
+    "The tool uses hybrid search (dense and sparse vectors) supplemented by recency. Be specific in your query for best results.",
   ].join("\n");
 }
 
@@ -845,7 +845,7 @@ export function buildCliReferenceSection(): string {
   return [
     "## Assistant CLI",
     "",
-    "The `assistant` CLI is installed on the user's machine and available via `bash`.",
+    "The `assistant` CLI is available in the sandbox. Always use the `bash` tool (never `host_bash`) when running `assistant` commands.",
     "For account and authentication work, prefer real `assistant` CLI workflows over any legacy account-record abstraction.",
     "- Use `assistant credentials ...` for stored secrets and credential metadata.",
     "- Use `assistant oauth connections token <provider-key>` for connected integration tokens.",
@@ -960,6 +960,22 @@ function buildDynamicSkillWorkflowSection(
     );
   }
 
+  lines.push(
+    "",
+    "### Community Skills Discovery",
+    "",
+    "When no built-in skill satisfies a request, search the community skills.sh registry:",
+    "1. Run `assistant skills search <query>` to find community skills. Results include install counts and security audit badges (ATH, Socket, Snyk).",
+    "2. Present the search results to the user, highlighting the security audit status. ATH is Gen Agent Trust Hub. Audits show PASS (safe/low risk), WARN (medium risk), or FAIL (high/critical risk) for each provider.",
+    "3. Check the skill's **source owner** to determine the trust level:",
+    "   - **Vellum-owned** (source starts with `vellum-ai/`): These are first-party skills published by the Vellum team. Install them directly without prompting — they are vetted and trusted.",
+    "   - **Third-party** (any other owner): Ask the user for permission before installing. Say something like: \"I found a community skill that could help with this, but it's published by a third party — we haven't vetted it. Want to install it anyway?\" Share the skill name, source, audit results, and install count.",
+    "4. Install with `assistant skills add <owner>/<repo>@<skill-name>` (e.g., `assistant skills add vercel-labs/skills@find-skills`).",
+    "5. After installation, load the skill with `skill_load` as usual.",
+    "",
+    "**Never install third-party community skills without explicit user confirmation.** Vellum-owned skills (`vellum-ai/*`) can be installed automatically.",
+  );
+
   return lines.join("\n");
 }