@vellumai/assistant 0.4.52 → 0.4.53

package/src/__tests__/credential-security-invariants.test.ts

@@ -237,6 +237,20 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "cli/commands/oauth/connections.ts", // CLI OAuth connection delete (legacy credential cleanup)
       "oauth/manual-token-connection.ts", // manual-token provider backfill (keychain credential existence check)
       "cli/commands/doctor.ts", // CLI diagnostic API key verification via secure storage
+      "swarm/backend-claude-code.ts", // Claude Code swarm backend API key lookup
+      "workspace/provider-commit-message-generator.ts", // commit message generation provider key lookup
+      "config/bundled-skills/transcribe/tools/transcribe-media.ts", // transcription tool API key lookup
+      "config/bundled-skills/image-studio/tools/media-generate-image.ts", // image generation tool API key lookup
+      "config/bundled-skills/media-processing/tools/analyze-keyframes.ts", // keyframe analysis tool API key lookup
+      "config/bundled-skills/media-processing/tools/extract-keyframes.ts", // keyframe extraction tool API key lookup
+      "providers/registry.ts", // provider registry API key lookup for initialization
+      "media/app-icon-generator.ts", // app icon generation API key lookup
+      "media/avatar-router.ts", // avatar generation API key lookup
+      "memory/embedding-backend.ts", // embedding backend API key lookup
+      "daemon/handlers/config-model.ts", // model config handler API key lookup
+      "daemon/session-slash.ts", // session slash command API key lookup
+      "daemon/session-process.ts", // session process API key lookup
+      "tools/claude-code/claude-code.ts", // Claude Code tool API key lookup
     ]);
 
     const thisDir = dirname(fileURLToPath(import.meta.url));

package/src/__tests__/credential-vault-unit.test.ts

@@ -1113,7 +1113,7 @@ describe("CredentialBroker — serverUseById edge cases", () => {
     _resetBackend();
   });
 
-  test("serverUseById with multiple injection templates returns all", () => {
+  test("serverUseById with multiple injection templates returns all", async () => {
     const meta = upsertCredentialMetadata("multi", "api_key", {
       allowedTools: ["proxy"],
       injectionTemplates: [
@@ -1132,7 +1132,7 @@ describe("CredentialBroker — serverUseById edge cases", () => {
     });
     setSecureKey(credentialKey("multi", "api_key"), "multi-secret");
 
-    const result = broker.serverUseById({
+    const result = await broker.serverUseById({
       credentialId: meta.credentialId,
       requestingTool: "proxy",
     });
@@ -1146,13 +1146,13 @@ describe("CredentialBroker — serverUseById edge cases", () => {
     expect(JSON.stringify(result)).not.toContain("multi-secret");
   });
 
-  test("serverUseById verifies secret exists in storage (fail-closed)", () => {
+  test("serverUseById verifies secret exists in storage (fail-closed)", async () => {
     const meta = upsertCredentialMetadata("fal", "api_key", {
       allowedTools: ["proxy"],
     });
     // No setSecureKey — metadata exists but value doesn't
 
-    const result = broker.serverUseById({
+    const result = await broker.serverUseById({
       credentialId: meta.credentialId,
       requestingTool: "proxy",
     });

package/src/__tests__/error-handler-friendly-messages.test.ts

@@ -15,11 +15,10 @@ describe("withErrorHandling – friendly error messages", () => {
     };
     expect(body.error.code).toBe("UNPROCESSABLE_ENTITY");
     expect(body.error.message).toContain("No API key configured");
-    expect(body.error.message).toContain("ANTHROPIC_API_KEY");
-    expect(body.error.message).toContain("vellum hatch");
+    expect(body.error.message).toContain("keys set anthropic");
   });
 
-  test("ProviderNotConfiguredError tailors env var to requested provider", async () => {
+  test("ProviderNotConfiguredError tailors keys set command to requested provider", async () => {
     const response = await withErrorHandling("test", async () => {
       throw new ProviderNotConfiguredError("openai", []);
     });
@@ -28,8 +27,8 @@ describe("withErrorHandling – friendly error messages", () => {
     const body = (await response.json()) as {
       error: { code: string; message: string };
     };
-    expect(body.error.message).toContain("OPENAI_API_KEY");
-    expect(body.error.message).not.toContain("ANTHROPIC_API_KEY");
+    expect(body.error.message).toContain("keys set openai");
+    expect(body.error.message).not.toContain("keys set anthropic");
   });
 
   test("generic ConfigError still returns its own message", async () => {

package/src/__tests__/gateway-only-enforcement.test.ts

@@ -57,7 +57,6 @@ mock.module("../config/loader.js", () => ({
   loadConfig: () => ({
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     secretDetection: { enabled: false },
@@ -80,7 +79,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     secretDetection: { enabled: false },

package/src/__tests__/host-shell-tool.test.ts

@@ -22,7 +22,6 @@ mock.module("node:child_process", () => ({
 const mockConfig = {
   provider: "anthropic",
   model: "test",
-  apiKeys: {},
   maxTokens: 4096,
   dataDir: "/tmp",
   timeouts: {

package/src/__tests__/http-user-message-parity.test.ts

@@ -349,6 +349,25 @@ describe("HTTP POST /v1/messages does not intercept recording intents (by design
     expect(runAgentLoop).toHaveBeenCalledTimes(1);
   });
 
+  test("structured commandIntent recording actions are ignored by HTTP path", async () => {
+    // Even when the request includes a structured commandIntent for recording,
+    // the HTTP path does not parse or act on it — handleSendMessage only reads
+    // content, conversationKey, attachmentIds, sourceChannel, and interface.
+    // This ensures a future regression that starts parsing commandIntent would
+    // be caught.
+    const persistUserMessage = mock(async () => "persisted-msg-id");
+    const runAgentLoop = mock(async () => undefined);
+    const session = makeSession({ persistUserMessage, runAgentLoop });
+
+    const res = await sendMessage("start screen recording", session, {
+      commandIntent: { type: "start_recording", payload: "screen" },
+    });
+
+    expect(res.status).toBe(202);
+    expect(persistUserMessage).toHaveBeenCalledTimes(1);
+    expect(runAgentLoop).toHaveBeenCalledTimes(1);
+  });
+
   test("stop recording commands pass through to the agent loop", async () => {
     const persistUserMessage = mock(async () => "persisted-msg-id");
     const runAgentLoop = mock(async () => undefined);

package/src/__tests__/list-messages-attachments.test.ts

@@ -38,7 +38,6 @@ mock.module("../config/loader.js", () => ({
     ui: {},
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
   }),

package/src/__tests__/log-export-workspace.test.ts

@@ -0,0 +1,233 @@
+/**
+ * Tests for workspace file collection in the log export route handler.
+ *
+ * Validates that `POST /v1/export` includes workspace files with correct
+ * filtering: text files included, SQLite DB files dumped as SQL, excluded
+ * directories (embedding-models/, data/qdrant/) absent, binary files skipped.
+ */
+
+import {
+  mkdirSync,
+  mkdtempSync,
+  realpathSync,
+  rmSync,
+  symlinkSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll, describe, expect, mock, test } from "bun:test";
+
+// Set up temp directories before mocking
+const testDir = realpathSync(
+  mkdtempSync(join(tmpdir(), "log-export-workspace-test-")),
+);
+const testWorkspaceDir = join(testDir, "workspace");
+const testDbDir = join(testDir, "db");
+const testDbPath = join(testDbDir, "assistant.db");
+
+mkdirSync(testWorkspaceDir, { recursive: true });
+mkdirSync(testDbDir, { recursive: true });
+
+mock.module("../util/platform.js", () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  getWorkspaceDir: () => testWorkspaceDir,
+  getWorkspaceConfigPath: () => join(testWorkspaceDir, "config.json"),
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => testDbPath,
+  getLogPath: () => join(testDir, "test.log"),
+  ensureDataDir: () => {},
+}));
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+// Mock getSecureKeyAsync to avoid keychain access during tests
+mock.module("../util/secure-keys.js", () => ({
+  getSecureKeyAsync: async () => undefined,
+}));
+
+import { initializeDb, resetDb } from "../memory/db.js";
+import { logExportRouteDefinitions } from "../runtime/routes/log-export-routes.js";
+
+initializeDb();
+
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    /* best effort */
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const routes = logExportRouteDefinitions();
+const exportRoute = routes.find((r) => r.endpoint === "export")!;
+
+async function callExport(): Promise<Response> {
+  const req = new Request("http://localhost/v1/export", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({}),
+  });
+  const url = new URL(req.url);
+  return exportRoute.handler({
+    req,
+    url,
+    server: null as never,
+    authContext: {} as never,
+    params: {},
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Seed workspace files
+// ---------------------------------------------------------------------------
+
+// Text files — should be included
+writeFileSync(join(testWorkspaceDir, "IDENTITY.md"), "# My Identity\nHello");
+mkdirSync(join(testWorkspaceDir, "notes"), { recursive: true });
+writeFileSync(join(testWorkspaceDir, "notes", "daily.txt"), "Some daily notes");
+
+// SQLite DB file — should be dumped as .sql
+mkdirSync(join(testWorkspaceDir, "data", "db"), { recursive: true });
+// Create a real sqlite db with a table
+import { Database } from "bun:sqlite";
+const wsDbPath = join(testWorkspaceDir, "data", "db", "assistant.db");
+const wsDb = new Database(wsDbPath);
+wsDb.run("CREATE TABLE test_table (id INTEGER PRIMARY KEY, name TEXT)");
+wsDb.run("INSERT INTO test_table (name) VALUES ('hello')");
+wsDb.close();
+
+// Excluded directory: embedding-models/
+mkdirSync(join(testWorkspaceDir, "embedding-models"), { recursive: true });
+writeFileSync(
+  join(testWorkspaceDir, "embedding-models", "model.bin"),
+  "large binary model data",
+);
+
+// Excluded directory: data/qdrant/
+mkdirSync(join(testWorkspaceDir, "data", "qdrant"), { recursive: true });
+writeFileSync(
+  join(testWorkspaceDir, "data", "qdrant", "index.bin"),
+  "vector index data",
+);
+
+// Binary file — should be skipped
+writeFileSync(
+  join(testWorkspaceDir, "binary-file.dat"),
+  Buffer.from([0x48, 0x65, 0x6c, 0x00, 0x6f]), // contains null byte
+);
+
+// config.json at workspace root — should be skipped (already in configSnapshot)
+writeFileSync(
+  join(testWorkspaceDir, "config.json"),
+  JSON.stringify({ provider: "anthropic" }),
+);
+
+// Symlink pointing outside workspace — should be skipped
+const outsideFile = join(testDir, "outside-secret.txt");
+writeFileSync(outsideFile, "sensitive data outside workspace");
+try {
+  symlinkSync(outsideFile, join(testWorkspaceDir, "sneaky-link.txt"));
+} catch {
+  // Symlink creation may fail on some platforms; tests will still pass
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("POST /v1/export — workspace files", () => {
+  test("includes text files in workspaceFiles", async () => {
+    const res = await callExport();
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      workspaceFiles: Record<string, string>;
+    };
+    expect(body.workspaceFiles["IDENTITY.md"]).toBe("# My Identity\nHello");
+    expect(body.workspaceFiles["notes/daily.txt"]).toBe("Some daily notes");
+  });
+
+  test("dumps SQLite DB files as .sql text", async () => {
+    const res = await callExport();
+    const body = (await res.json()) as {
+      workspaceFiles: Record<string, string>;
+    };
+    const sqlKey = "data/db/assistant.db.sql";
+    expect(body.workspaceFiles[sqlKey]).toBeDefined();
+    expect(body.workspaceFiles[sqlKey]).toContain("CREATE TABLE");
+    expect(body.workspaceFiles[sqlKey]).toContain("test_table");
+    // The raw .db file should NOT be present
+    expect(body.workspaceFiles["data/db/assistant.db"]).toBeUndefined();
+  });
+
+  test("excludes embedding-models/ directory", async () => {
+    const res = await callExport();
+    const body = (await res.json()) as {
+      workspaceFiles: Record<string, string>;
+    };
+    const embeddingKeys = Object.keys(body.workspaceFiles).filter((k) =>
+      k.startsWith("embedding-models/"),
+    );
+    expect(embeddingKeys).toHaveLength(0);
+  });
+
+  test("excludes data/qdrant/ directory", async () => {
+    const res = await callExport();
+    const body = (await res.json()) as {
+      workspaceFiles: Record<string, string>;
+    };
+    const qdrantKeys = Object.keys(body.workspaceFiles).filter((k) =>
+      k.startsWith("data/qdrant/"),
+    );
+    expect(qdrantKeys).toHaveLength(0);
+  });
+
+  test("skips binary files containing null bytes", async () => {
+    const res = await callExport();
+    const body = (await res.json()) as {
+      workspaceFiles: Record<string, string>;
+    };
+    expect(body.workspaceFiles["binary-file.dat"]).toBeUndefined();
+  });
+
+  test("excludes config.json at workspace root", async () => {
+    const res = await callExport();
+    const body = (await res.json()) as {
+      workspaceFiles: Record<string, string>;
+    };
+    expect(body.workspaceFiles["config.json"]).toBeUndefined();
+  });
+
+  test("skips symlinks", async () => {
+    const res = await callExport();
+    const body = (await res.json()) as {
+      workspaceFiles: Record<string, string>;
+    };
+    expect(body.workspaceFiles["sneaky-link.txt"]).toBeUndefined();
+  });
+
+  test("response includes workspaceFiles field", async () => {
+    const res = await callExport();
+    const body = (await res.json()) as {
+      success: boolean;
+      workspaceFiles: Record<string, string>;
+    };
+    expect(body.success).toBe(true);
+    expect(body.workspaceFiles).toBeDefined();
+    expect(typeof body.workspaceFiles).toBe("object");
+  });
+});

package/src/__tests__/managed-proxy-context.test.ts

@@ -110,7 +110,7 @@ describe("buildManagedBaseUrl", () => {
       "https://platform.example.com/v1/runtime-proxy/openai",
     );
     expect(buildManagedBaseUrl("anthropic")).toBe(
-      "https://platform.example.com/v1/runtime-proxy/vertex",
+      "https://platform.example.com/v1/runtime-proxy/anthropic",
     );
     expect(buildManagedBaseUrl("gemini")).toBe(
       "https://platform.example.com/v1/runtime-proxy/vertex",

package/src/__tests__/managed-skill-lifecycle.test.ts

@@ -9,7 +9,6 @@ let TEST_DIR = "";
 const mockConfig = {
   provider: "anthropic",
   model: "test",
-  apiKeys: {},
   maxTokens: 4096,
   dataDir: "/tmp",
   timeouts: {

package/src/__tests__/media-generate-image.test.ts

@@ -22,11 +22,16 @@ let lastGenerateCredentials: unknown = null;
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     ui: {},
-
-    apiKeys: { gemini: mockApiKey },
   }),
 }));
 
+mock.module("../security/secure-keys.js", () => ({
+  getSecureKeyAsync: async (account: string) => {
+    if (account === "gemini") return mockApiKey;
+    return undefined;
+  },
+}));
+
 mock.module("../media/gemini-image-service.js", () => ({
   generateImage: async (
     credentials: unknown,

package/src/__tests__/media-reuse-story.e2e.test.ts

@@ -52,7 +52,6 @@ mock.module("../config/loader.js", () => ({
 
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     timeouts: { shellDefaultTimeoutSec: 30, shellMaxTimeoutSec: 60 },

package/src/__tests__/memory-regressions.test.ts

@@ -935,7 +935,6 @@ describe("Memory regressions", () => {
     const config = {
       ...DEFAULT_CONFIG,
       provider: "anthropic" as const,
-      apiKeys: {},
       memory: {
         ...DEFAULT_CONFIG.memory,
         embeddings: {

package/src/__tests__/migration-cross-version-compatibility.test.ts

@@ -82,7 +82,6 @@ mock.module("../config/loader.js", () => ({
     ui: {},
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     secretDetection: { enabled: false },

package/src/__tests__/migration-export-http.test.ts

@@ -56,7 +56,6 @@ mock.module("../config/loader.js", () => ({
     ui: {},
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     secretDetection: { enabled: false },

package/src/__tests__/migration-import-commit-http.test.ts

@@ -77,7 +77,6 @@ mock.module("../config/loader.js", () => ({
     ui: {},
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     secretDetection: { enabled: false },

package/src/__tests__/migration-import-preflight-http.test.ts

@@ -63,7 +63,6 @@ mock.module("../config/loader.js", () => ({
     ui: {},
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     secretDetection: { enabled: false },

package/src/__tests__/migration-validate-http.test.ts

@@ -52,7 +52,6 @@ mock.module("../config/loader.js", () => ({
     ui: {},
     model: "test",
     provider: "test",
-    apiKeys: {},
     memory: { enabled: false },
     rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
     secretDetection: { enabled: false },