@vellumai/assistant 0.4.49 → 0.4.51

package/src/schedule/integration-status.ts

@@ -7,7 +7,7 @@ import {
 interface IntegrationProbe {
   name: string;
   category: string;
-  isConnected: () => boolean;
+  isConnected: () => Promise<boolean>;
 }
 
 // Registry — add new integrations here:
@@ -15,7 +15,7 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
   {
     name: "Gmail",
     category: "email",
-    isConnected: () => isProviderConnected("integration:gmail"),
+    isConnected: () => isProviderConnected("integration:google"),
   },
   {
     name: "Slack",
@@ -25,39 +25,46 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
   {
     name: "Twilio",
     category: "telephony",
-    isConnected: () => hasTwilioCredentials(),
+    isConnected: async () => hasTwilioCredentials(),
   },
   {
     name: "Telegram",
     category: "messaging",
-    isConnected: () => {
+    isConnected: async () => {
       const conn = getConnectionByProvider("telegram");
       return !!(conn && conn.status === "active");
     },
   },
 ];
 
-export function getIntegrationSummary(): Array<{
-  name: string;
-  category: string;
-  connected: boolean;
-}> {
-  return INTEGRATION_PROBES.map((probe) => ({
-    name: probe.name,
-    category: probe.category,
-    connected: probe.isConnected(),
-  }));
+export async function getIntegrationSummary(): Promise<
+  Array<{
+    name: string;
+    category: string;
+    connected: boolean;
+  }>
+> {
+  return Promise.all(
+    INTEGRATION_PROBES.map(async (probe) => ({
+      name: probe.name,
+      category: probe.category,
+      connected: await probe.isConnected(),
+    })),
+  );
 }
 
-export function formatIntegrationSummary(): string {
-  const summary = getIntegrationSummary();
+export async function formatIntegrationSummary(): Promise<string> {
+  const summary = await getIntegrationSummary();
   return summary
     .map((s) => `${s.name} ${s.connected ? "\u2713" : "\u2717"}`)
     .join(" | ");
 }
 
-export function hasCapability(category: string): boolean {
-  return INTEGRATION_PROBES.some(
-    (probe) => probe.category === category && probe.isConnected(),
+export async function hasCapability(category: string): Promise<boolean> {
+  const results = await Promise.all(
+    INTEGRATION_PROBES.filter((probe) => probe.category === category).map(
+      (probe) => probe.isConnected(),
+    ),
   );
+  return results.some(Boolean);
 }

package/src/security/keychain-broker-client.ts

@@ -33,11 +33,18 @@ const REQUEST_TIMEOUT_MS = 5_000;
  *  back); `{ found: false }` means the key doesn't exist in the keychain. */
 export type BrokerGetResult = { found: boolean; value?: string } | null;
 
+/** Result of a `set()` call — distinguishes broker-unreachable from an active
+ *  rejection so callers can log meaningful diagnostics. */
+export type BrokerSetResult =
+  | { status: "ok" }
+  | { status: "unreachable" }
+  | { status: "rejected"; code: string; message: string };
+
 export interface KeychainBrokerClient {
   isAvailable(): boolean;
   ping(): Promise<{ pong: boolean } | null>;
   get(account: string): Promise<BrokerGetResult>;
-  set(account: string, value: string): Promise<boolean>;
+  set(account: string, value: string): Promise<BrokerSetResult>;
   del(account: string): Promise<boolean>;
   list(): Promise<string[]>;
 }
@@ -360,12 +367,18 @@ export function createBrokerClient(): KeychainBrokerClient {
       }
     },
 
-    async set(account: string, value: string): Promise<boolean> {
+    async set(account: string, value: string): Promise<BrokerSetResult> {
       try {
         const response = await doRequest("key.set", { account, value });
-        return response?.ok === true;
+        if (!response) return { status: "unreachable" };
+        if (response.ok) return { status: "ok" };
+        return {
+          status: "rejected",
+          code: response.error?.code ?? "UNKNOWN",
+          message: response.error?.message ?? "unknown error",
+        };
       } catch {
-        return false;
+        return { status: "unreachable" };
       }
     },
 

package/src/security/oauth2.ts

@@ -420,18 +420,17 @@ export interface OAuth2PreparedFlow {
  * URL directly in chat and the callback arrives asynchronously via the gateway.
  *
  * Supports two transports:
- * - **gateway** (default): routes callbacks through the public ingress URL.
- *   Requires `ingress.publicBaseUrl` to be configured.
- * - **loopback**: starts a temporary localhost server to receive the callback.
- *   Used for services like Slack that require pre-registered localhost redirect
- *   URIs. The daemon is always local, so this works even in non-interactive
- *   (channel) sessions.
+ * - **loopback** (default): starts a temporary localhost server to receive the
+ *   callback. Works without any public URL or tunnel.
+ * - **gateway**: routes callbacks through the public ingress URL.
+ *   Requires `ingress.publicBaseUrl` to be configured. Used for providers that
+ *   don't support localhost redirects (e.g. Twitter, Notion).
  */
 export async function prepareOAuth2Flow(
   config: OAuth2Config,
   options?: OAuth2FlowOptions,
 ): Promise<OAuth2PreparedFlow> {
-  const transport = options?.callbackTransport ?? "gateway";
+  const transport = options?.callbackTransport ?? "loopback";
 
   if (transport === "loopback") {
     return prepareLoopbackFlow(config, options?.loopbackPort);

package/src/security/secure-keys.ts

@@ -3,14 +3,17 @@
  * available (macOS app embedded), with transparent fallback to the
  * encrypted-at-rest file store.
  *
- * Async variants try the broker first; sync variants always use the
+ * Async variants try the encrypted store first; sync variants always use the
  * encrypted store (startup code paths cannot do async I/O).
  */
 
+import { getLogger } from "../util/logger.js";
 import * as encryptedStore from "./encrypted-store.js";
 import type { KeychainBrokerClient } from "./keychain-broker-client.js";
 import { createBrokerClient } from "./keychain-broker-client.js";
 
+const log = getLogger("secure-keys");
+
 let _broker: KeychainBrokerClient | undefined;
 
 function getBroker(): KeychainBrokerClient {
@@ -79,30 +82,33 @@ export function isDowngradedFromKeychain(): boolean {
 }
 
 // ---------------------------------------------------------------------------
-// Async variants — try broker first, fall back to encrypted store
+// Async variants — try encrypted store first, fall back to broker
 // ---------------------------------------------------------------------------
 
 /**
- * Async version of `getSecureKey`. When the broker is available it is
- * queried first. A `null` return from the broker means error (fall back
- * to encrypted store). A `{ found: false }` also falls back to the
- * encrypted store — keys may exist only in `keys.enc` (e.g. written
- * while the broker was unavailable or via sync `setSecureKey`).
+ * Async version of `getSecureKey`. Checks the encrypted store first
+ * (instant) since `setSecureKeyAsync` always writes to both stores.
+ * Falls back to the broker for keys that may exist only in the macOS
+ * Keychain. Returns `undefined` if the key is not found in either store.
  */
 export async function getSecureKeyAsync(
   account: string,
 ): Promise<string | undefined> {
+  // Check encrypted store first (sync, instant). Since setSecureKeyAsync
+  // always writes to both broker and encrypted store, a hit here is
+  // authoritative and avoids the broker IPC round-trip.
+  const encResult = encryptedStore.getKey(account);
+  if (encResult != null && encResult.length > 0) return encResult;
+
+  // Not in encrypted store — try broker as fallback for keys that may
+  // exist only in the macOS Keychain (e.g. written by the app directly).
   const broker = getBroker();
   if (broker.isAvailable()) {
     const result = await broker.get(account);
-    // null = broker error, fall back to encrypted store
-    if (result == null) return encryptedStore.getKey(account);
-    // Broker found the key — use it
-    if (result.found) return result.value;
-    // Broker says not found — check encrypted store as fallback
-    return encryptedStore.getKey(account);
+    if (result?.found) return result.value;
   }
-  return encryptedStore.getKey(account);
+
+  return undefined;
 }
 
 /**
@@ -112,7 +118,7 @@ export async function getSecureKeyAsync(
  *
  * If the broker is available but `broker.set()` fails we return `false`
  * immediately — falling through to an encrypted-store-only write would
- * leave the broker with stale data that async readers would still see.
+ * leave the two stores out of sync.
  */
 export async function setSecureKeyAsync(
   account: string,
@@ -120,13 +126,32 @@ export async function setSecureKeyAsync(
 ): Promise<boolean> {
   const broker = getBroker();
   if (broker.isAvailable()) {
-    const brokerOk = await broker.set(account, value);
-    if (!brokerOk) return false;
+    const result = await broker.set(account, value);
+    if (result.status !== "ok") {
+      log.warn(
+        {
+          account,
+          brokerStatus: result.status,
+          ...(result.status === "rejected"
+            ? { brokerCode: result.code, brokerMessage: result.message }
+            : {}),
+        },
+        "Broker set failed for secure key",
+      );
+      return false;
+    }
     // Broker succeeded — also persist to encrypted store for sync callers.
     const encOk = encryptedStore.setKey(account, value);
+    if (!encOk) {
+      log.warn({ account }, "Encrypted store set failed after broker success");
+    }
     return encOk;
   }
-  return encryptedStore.setKey(account, value);
+  const encOk = encryptedStore.setKey(account, value);
+  if (!encOk) {
+    log.warn({ account }, "Encrypted store set failed (broker unavailable)");
+  }
+  return encOk;
 }
 
 /**
@@ -139,7 +164,7 @@ export async function setSecureKeyAsync(
  *
  * If the broker is available but `broker.del()` fails we return `"error"`
  * immediately — falling through to an encrypted-store-only delete would
- * leave the broker with the key, and async readers would still see it.
+ * leave the broker with the key, causing stale reads on broker fallback.
  */
 export async function deleteSecureKeyAsync(
   account: string,

package/src/security/token-manager.ts

@@ -9,17 +9,22 @@
 
 import {
   getApp,
+  getConnection,
   getConnectionByProvider,
   getProvider,
   updateConnection,
 } from "../oauth/oauth-store.js";
 import { getLogger } from "../util/logger.js";
 import { refreshOAuth2Token, type TokenEndpointAuthMethod } from "./oauth2.js";
-import { getSecureKey, setSecureKeyAsync } from "./secure-keys.js";
+import {
+  getSecureKey,
+  getSecureKeyAsync,
+  setSecureKeyAsync,
+} from "./secure-keys.js";
 
 const log = getLogger("token-manager");
 
-const MESSAGING_SERVICES = new Set(["integration:gmail", "integration:slack"]);
+const MESSAGING_SERVICES = new Set(["integration:google", "integration:slack"]);
 
 function recoveryHint(service: string): string {
   const shortName = service.startsWith("integration:")
@@ -116,14 +121,14 @@ function recordRefreshFailure(service: string): void {
 
 const inflightRefreshes = new Map<string, Promise<string>>();
 
-function deduplicatedRefresh(service: string): Promise<string> {
-  const existing = inflightRefreshes.get(service);
+function deduplicatedRefresh(service: string, connId: string): Promise<string> {
+  const existing = inflightRefreshes.get(connId);
   if (existing) return existing;
 
-  const promise = doRefresh(service).finally(() => {
-    inflightRefreshes.delete(service);
+  const promise = doRefresh(service, connId).finally(() => {
+    inflightRefreshes.delete(connId);
   });
-  inflightRefreshes.set(service, promise);
+  inflightRefreshes.set(connId, promise);
   return promise;
 }
 
@@ -157,18 +162,11 @@ export class TokenExpiredError extends Error {
 }
 
 /**
- * Check whether the access token for a service is expired or will expire
- * within the buffer window, based on the `expiresAt` field in the
- * oauth_connection row.
+ * Check whether a token is expired or will expire within the buffer window.
  */
-function isTokenExpired(service: string): boolean {
-  try {
-    const conn = getConnectionByProvider(service);
-    if (!conn?.expiresAt) return false;
-    return Date.now() >= conn.expiresAt - EXPIRY_BUFFER_MS;
-  } catch {
-    return false;
-  }
+function isTokenExpired(expiresAt: number | null): boolean {
+  if (!expiresAt) return false;
+  return Date.now() >= expiresAt - EXPIRY_BUFFER_MS;
 }
 
 // ── Refresh config resolution ─────────────────────────────────────────
@@ -191,8 +189,11 @@ interface RefreshConfig {
  * authMethod. Throws `TokenExpiredError` if the connection is not found
  * or incomplete.
  */
-function resolveRefreshConfig(service: string): RefreshConfig {
-  const conn = getConnectionByProvider(service);
+async function resolveRefreshConfig(
+  service: string,
+  connId: string,
+): Promise<RefreshConfig> {
+  const conn = getConnection(connId);
   if (!conn) {
     throw new TokenExpiredError(
       service,
@@ -217,17 +218,17 @@ function resolveRefreshConfig(service: string): RefreshConfig {
   }
 
   const tokenUrl = provider.tokenUrl;
-  const clientId = app.clientId;
-  if (!tokenUrl || !clientId) {
+  const resolvedClientId = app.clientId;
+  if (!tokenUrl || !resolvedClientId) {
     throw new TokenExpiredError(
       service,
       `Missing OAuth2 refresh config for "${service}".${recoveryHint(service)}`,
     );
   }
 
-  const secret = getSecureKey(`oauth_app/${app.id}/client_secret`);
+  const secret = await getSecureKeyAsync(app.clientSecretCredentialPath);
 
-  const refreshToken = getSecureKey(
+  const refreshToken = await getSecureKeyAsync(
     `oauth_connection/${conn.id}/refresh_token`,
   );
 
@@ -238,7 +239,7 @@ function resolveRefreshConfig(service: string): RefreshConfig {
   return {
     connId: conn.id,
     tokenUrl,
-    clientId,
+    clientId: resolvedClientId,
     secret,
     refreshToken,
     authMethod,
@@ -254,10 +255,15 @@ function resolveRefreshConfig(service: string): RefreshConfig {
  * Returns the new access token on success.
  * Throws `TokenExpiredError` if refresh is not possible.
  */
-async function doRefresh(service: string): Promise<string> {
-  const refreshConfig = resolveRefreshConfig(service);
-  const { tokenUrl, clientId, secret, authMethod, connId, refreshToken } =
-    refreshConfig;
+async function doRefresh(service: string, connId: string): Promise<string> {
+  const refreshConfig = await resolveRefreshConfig(service, connId);
+  const {
+    tokenUrl,
+    clientId: resolvedClientId,
+    secret,
+    authMethod,
+    refreshToken,
+  } = refreshConfig;
 
   if (!refreshToken) {
     throw new TokenExpiredError(
@@ -266,8 +272,8 @@ async function doRefresh(service: string): Promise<string> {
     );
   }
 
-  if (isRefreshBreakerOpen(service)) {
-    const state = refreshBreakers.get(service)!;
+  if (isRefreshBreakerOpen(connId)) {
+    const state = refreshBreakers.get(connId)!;
     const remainingMs = state.cooldownMs - (Date.now() - state.openedAt);
     throw new TokenExpiredError(
       service,
@@ -282,13 +288,13 @@ async function doRefresh(service: string): Promise<string> {
   try {
     result = await refreshOAuth2Token(
       tokenUrl,
-      clientId,
+      resolvedClientId,
       refreshToken,
       secret,
       authMethod,
     );
   } catch (err) {
-    recordRefreshFailure(service);
+    recordRefreshFailure(connId);
     if (isCredentialError(err)) {
       const msg = err instanceof Error ? err.message : String(err);
       throw new TokenExpiredError(
@@ -349,7 +355,7 @@ async function doRefresh(service: string): Promise<string> {
     );
   }
 
-  recordRefreshSuccess(service);
+  recordRefreshSuccess(connId);
   log.info({ service }, "OAuth2 access token refreshed successfully");
   return result.accessToken;
 }
@@ -368,12 +374,13 @@ async function doRefresh(service: string): Promise<string> {
 export async function withValidToken<T>(
   service: string,
   callback: (token: string) => Promise<T>,
+  clientId?: string,
 ): Promise<T> {
-  const conn = getConnectionByProvider(service);
+  const conn = getConnectionByProvider(service, clientId);
   let token = conn
     ? getSecureKey(`oauth_connection/${conn.id}/access_token`)
     : undefined;
-  if (!token) {
+  if (!token || !conn) {
     throw new TokenExpiredError(
       service,
       `No access token found for "${service}". Authorization required.${recoveryHint(service)}`,
@@ -381,15 +388,15 @@ export async function withValidToken<T>(
   }
 
   // Proactively refresh if expired or about to expire.
-  if (isTokenExpired(service)) {
-    token = await deduplicatedRefresh(service);
+  if (isTokenExpired(conn.expiresAt)) {
+    token = await deduplicatedRefresh(service, conn.id);
   }
 
   try {
     return await callback(token);
   } catch (err: unknown) {
     if (is401Error(err)) {
-      token = await deduplicatedRefresh(service);
+      token = await deduplicatedRefresh(service, conn.id);
       return callback(token);
     }
     throw err;

package/src/services/vercel-deploy.ts

@@ -55,27 +55,3 @@ export async function deployHtmlToVercel(opts: {
 
   return { url: publicUrl, deploymentId: data.id };
 }
-
-export async function deleteVercelDeployment(
-  deploymentId: string,
-  token: string,
-): Promise<void> {
-  const response = await fetch(
-    `https://api.vercel.com/v13/deployments/${deploymentId}`,
-    {
-      method: "DELETE",
-      headers: {
-        Authorization: `Bearer ${token}`,
-      },
-    },
-  );
-
-  if (!response.ok) {
-    const text = await response.text();
-    throw new ProviderError(
-      `Vercel delete deployment failed (${response.status}): ${text}`,
-      "vercel",
-      response.status,
-    );
-  }
-}

package/src/signals/confirm.ts

@@ -0,0 +1,78 @@
+/**
+ * Handle confirmation decisions delivered via signal files from the CLI.
+ *
+ * The built-in CLI writes JSON to `signals/confirm` instead of making an
+ * HTTP POST to `/v1/confirm`. The daemon's ConfigWatcher detects the file
+ * change and invokes {@link handleConfirmationSignal}, which reads the
+ * payload and resolves the pending interaction in-process.
+ */
+
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+
+import type { UserDecision } from "../permissions/types.js";
+import * as pendingInteractions from "../runtime/pending-interactions.js";
+import { getLogger } from "../util/logger.js";
+import { getWorkspaceDir } from "../util/platform.js";
+
+const log = getLogger("signal:confirm");
+
+const VALID_DECISIONS: ReadonlySet<string> = new Set<string>([
+  "allow",
+  "allow_10m",
+  "allow_thread",
+  "always_allow",
+  "always_allow_high_risk",
+  "deny",
+  "always_deny",
+  "temporary_override",
+]);
+
+function isUserDecision(value: string): value is UserDecision {
+  return VALID_DECISIONS.has(value);
+}
+
+/**
+ * Read the `signals/confirm` file and resolve the pending interaction.
+ * Called by ConfigWatcher when the signal file is written or modified.
+ */
+export function handleConfirmationSignal(): void {
+  try {
+    const content = readFileSync(
+      join(getWorkspaceDir(), "signals", "confirm"),
+      "utf-8",
+    );
+    const parsed = JSON.parse(content) as {
+      requestId?: string;
+      decision?: string;
+    };
+    const { requestId, decision } = parsed;
+
+    if (!requestId || typeof requestId !== "string") {
+      log.warn("Confirmation signal missing requestId");
+      return;
+    }
+    if (!decision || !isUserDecision(decision)) {
+      log.warn({ decision }, "Confirmation signal has invalid decision");
+      return;
+    }
+
+    const interaction = pendingInteractions.resolve(requestId);
+    if (!interaction) {
+      log.warn({ requestId }, "No pending interaction for confirmation signal");
+      return;
+    }
+
+    interaction.session.handleConfirmationResponse(
+      requestId,
+      decision,
+      undefined,
+      undefined,
+      undefined,
+      { source: "button" },
+    );
+    log.info({ requestId, decision }, "Confirmation resolved via signal file");
+  } catch (err) {
+    log.error({ err }, "Failed to handle confirmation signal");
+  }
+}

package/src/signals/mcp-reload.ts

@@ -0,0 +1,18 @@
+/**
+ * Handle MCP reload signals from the CLI.
+ *
+ * When the CLI writes to `signals/mcp-reload`, the daemon's ConfigWatcher
+ * detects the file change and invokes {@link handleMcpReloadSignal} to
+ * restart MCP servers with the latest configuration.
+ */
+
+import { reloadMcpServers } from "../daemon/mcp-reload-service.js";
+import { getLogger } from "../util/logger.js";
+
+const log = getLogger("signal:mcp-reload");
+
+export function handleMcpReloadSignal(): void {
+  reloadMcpServers().catch((err: unknown) => {
+    log.error({ err }, "MCP reload triggered by signal file failed");
+  });
+}