@vellumai/assistant 0.5.1 → 0.5.2

package/src/runtime/routes/log-export-routes.ts

@@ -444,6 +444,7 @@ const WORKSPACE_SKIP_DIRS = new Set([
   "embedding-models",
   "data/qdrant",
   "data/attachments",
+  "conversations",
 ]);
 
 /** Files at the workspace root to skip (already covered by sanitized fields). */
@@ -513,6 +514,8 @@ function collectWorkspaceFiles(): Record<string, string> {
 
         // SQLite DB handling: dump as SQL text, then enforce size cap
         if (entry.endsWith(".db")) {
+          // Skip the dump entirely if the budget is already exhausted
+          if (totalBytes >= MAX_WORKSPACE_PAYLOAD_BYTES) continue;
           try {
             const proc = spawnSync("sqlite3", [fullPath, ".dump"], {
               timeout: 10_000,

package/src/runtime/routes/memory-item-routes.test.ts

@@ -347,6 +347,40 @@ describe("Memory Item Routes", () => {
       expect(body.items[1].id).toBe("i1");
     });
 
+    test("supports sort by accessCount descending", async () => {
+      insertItem({
+        id: "i1",
+        kind: "preference",
+        subject: "s1",
+        statement: "st1",
+      });
+      insertItem({
+        id: "i2",
+        kind: "preference",
+        subject: "s2",
+        statement: "st2",
+      });
+
+      getDb()
+        .update(memoryItems)
+        .set({ accessCount: 2 })
+        .where(eq(memoryItems.id, "i1"))
+        .run();
+      getDb()
+        .update(memoryItems)
+        .set({ accessCount: 7 })
+        .where(eq(memoryItems.id, "i2"))
+        .run();
+
+      const ctx = makeCtx({ sort: "accessCount", order: "desc" });
+      const res = await handler(ctx);
+      const body = (await res.json()) as {
+        items: Array<{ id: string }>;
+      };
+      expect(body.items[0].id).toBe("i2");
+      expect(body.items[1].id).toBe("i1");
+    });
+
     test("rejects invalid kind filter", async () => {
       const ctx = makeCtx({ kind: "bogus" });
       const res = await handler(ctx);

package/src/runtime/routes/memory-item-routes.ts

@@ -37,6 +37,7 @@ type MemoryItemKind = (typeof VALID_KINDS)[number];
 const VALID_SORT_FIELDS = [
   "lastSeenAt",
   "importance",
+  "accessCount",
   "kind",
   "firstSeenAt",
 ] as const;
@@ -46,6 +47,7 @@ type SortField = (typeof VALID_SORT_FIELDS)[number];
 const SORT_COLUMN_MAP = {
   lastSeenAt: memoryItems.lastSeenAt,
   importance: memoryItems.importance,
+  accessCount: memoryItems.accessCount,
   kind: memoryItems.kind,
   firstSeenAt: memoryItems.firstSeenAt,
 } as const;
@@ -103,6 +105,8 @@ export function handleListMemoryItems(url: URL): Response {
 
   // Build WHERE conditions
   const conditions = [];
+  // Hide system-managed capability memories (skill announcements) from the UI
+  conditions.push(ne(memoryItems.kind, "capability"));
   if (statusParam && statusParam !== "all") {
     conditions.push(eq(memoryItems.status, statusParam));
   }

package/src/runtime/routes/migration-routes.ts

@@ -160,7 +160,10 @@ export async function handleMigrationExport(req: Request): Promise<Response> {
           // Best-effort: if the DB can't be checkpointed (e.g. not a valid
           // SQLite file, missing WAL, etc.) we still proceed with the export
           // using whatever is on disk.
-          log.warn({ err }, "WAL checkpoint failed — exporting without checkpoint");
+          log.warn(
+            { err },
+            "WAL checkpoint failed — exporting without checkpoint",
+          );
         }
       },
     });

package/src/runtime/routes/oauth-apps.ts

@@ -0,0 +1,291 @@
+/**
+ * Route handlers for OAuth app and connection CRUD.
+ *
+ * Provides endpoints for managing user-supplied OAuth apps (e.g. "your own"
+ * Google client credentials) and their connections. All endpoints are
+ * bearer-token authenticated via the standard runtime auth middleware.
+ */
+
+import { orchestrateOAuthConnect } from "../../oauth/connect-orchestrator.js";
+import {
+  deleteApp,
+  disconnectOAuthProvider,
+  getApp,
+  getAppClientSecret,
+  getConnection,
+  getProvider,
+  listApps,
+  listConnections,
+  upsertApp,
+} from "../../oauth/oauth-store.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+function parseGrantedScopes(grantedScopes: string | string[] | null | undefined): string[] {
+  if (Array.isArray(grantedScopes)) {
+    return grantedScopes.filter((scope): scope is string => typeof scope === "string");
+  }
+
+  if (typeof grantedScopes !== "string" || grantedScopes.trim() === "") {
+    return [];
+  }
+
+  try {
+    const parsed = JSON.parse(grantedScopes) as unknown;
+    if (!Array.isArray(parsed)) return [];
+    return parsed.filter((scope): scope is string => typeof scope === "string");
+  } catch {
+    return [];
+  }
+}
+
+function normalizeHasRefreshToken(
+  hasRefreshToken: boolean | number | null | undefined,
+): boolean {
+  return hasRefreshToken === true || hasRefreshToken === 1;
+}
+
+/**
+ * Build route definitions for OAuth app and connection CRUD endpoints.
+ */
+export function oauthAppsRouteDefinitions(): RouteDefinition[] {
+  return [
+    // GET /v1/oauth/apps — List apps filtered by provider_key query param.
+    {
+      endpoint: "oauth/apps",
+      method: "GET",
+      handler: ({ url }) => {
+        const providerKey = url.searchParams.get("provider_key");
+        if (!providerKey) {
+          return httpError(
+            "BAD_REQUEST",
+            "provider_key query parameter is required",
+            400,
+          );
+        }
+
+        const allApps = listApps();
+        const filtered = allApps.filter(
+          (row) => row.providerKey === providerKey,
+        );
+
+        const providerRow = getProvider(providerKey);
+        const provider = providerRow
+          ? {
+              provider_key: providerRow.providerKey,
+              display_name: providerRow.displayName ?? null,
+              description: providerRow.description ?? null,
+              dashboard_url: providerRow.dashboardUrl ?? null,
+              client_id_placeholder: providerRow.clientIdPlaceholder ?? null,
+              requires_client_secret: providerRow.requiresClientSecret ?? 1,
+            }
+          : null;
+
+        return Response.json({
+          provider,
+          apps: filtered.map((row) => ({
+            id: row.id,
+            provider_key: row.providerKey,
+            client_id: row.clientId,
+            created_at: row.createdAt,
+            updated_at: row.updatedAt,
+          })),
+        });
+      },
+    },
+
+    // POST /v1/oauth/apps — Create an OAuth app.
+    {
+      endpoint: "oauth/apps",
+      method: "POST",
+      policyKey: "oauth/apps.create",
+      handler: async ({ req }) => {
+        const body = (await req.json()) as {
+          provider_key?: string;
+          client_id?: string;
+          client_secret?: string;
+        };
+
+        const { provider_key, client_id, client_secret } = body;
+
+        if (
+          !provider_key ||
+          typeof provider_key !== "string" ||
+          !client_id ||
+          typeof client_id !== "string" ||
+          !client_secret ||
+          typeof client_secret !== "string"
+        ) {
+          return httpError(
+            "BAD_REQUEST",
+            "provider_key, client_id, and client_secret are required non-empty strings",
+            400,
+          );
+        }
+
+        const provider = getProvider(provider_key);
+        if (!provider) {
+          return httpError(
+            "NOT_FOUND",
+            `No OAuth provider registered for "${provider_key}"`,
+            404,
+          );
+        }
+
+        const app = await upsertApp(provider_key, client_id, {
+          clientSecretValue: client_secret,
+        });
+
+        return Response.json(
+          {
+            app: {
+              id: app.id,
+              provider_key: app.providerKey,
+              client_id: app.clientId,
+              created_at: app.createdAt,
+              updated_at: app.updatedAt,
+            },
+          },
+          { status: 201 },
+        );
+      },
+    },
+
+    // DELETE /v1/oauth/apps/:id — Delete an OAuth app.
+    {
+      endpoint: "oauth/apps/:id",
+      method: "DELETE",
+      policyKey: "oauth/apps.delete",
+      handler: async ({ params }) => {
+        const app = getApp(params.id);
+        if (!app) {
+          return httpError("NOT_FOUND", `OAuth app not found: ${params.id}`, 404);
+        }
+
+        // Disconnect all connections for this app first to clean up tokens.
+        const connections = listConnections(app.providerKey, app.clientId);
+        for (const conn of connections) {
+          await disconnectOAuthProvider(app.providerKey, app.clientId, conn.id);
+        }
+
+        await deleteApp(params.id);
+
+        return Response.json({ ok: true });
+      },
+    },
+
+    // GET /v1/oauth/apps/:appId/connections — List connections for an app.
+    {
+      endpoint: "oauth/apps/:appId/connections",
+      method: "GET",
+      handler: ({ params }) => {
+        const app = getApp(params.appId);
+        if (!app) {
+          return httpError(
+            "NOT_FOUND",
+            `OAuth app not found: ${params.appId}`,
+            404,
+          );
+        }
+
+        const connections = listConnections(app.providerKey, app.clientId);
+
+        return Response.json({
+          connections: connections.map((row) => ({
+            id: row.id,
+            provider_key: row.providerKey,
+            account_info: row.accountInfo,
+            granted_scopes: parseGrantedScopes(row.grantedScopes),
+            status: row.status,
+            has_refresh_token: normalizeHasRefreshToken(row.hasRefreshToken),
+            expires_at: row.expiresAt,
+            created_at: row.createdAt,
+            updated_at: row.updatedAt,
+          })),
+        });
+      },
+    },
+
+    // DELETE /v1/oauth/connections/:id — Disconnect a single connection.
+    {
+      endpoint: "oauth/connections/:id",
+      method: "DELETE",
+      handler: async ({ params }) => {
+        const conn = getConnection(params.id);
+        if (!conn) {
+          return httpError(
+            "NOT_FOUND",
+            `OAuth connection not found: ${params.id}`,
+            404,
+          );
+        }
+
+        const result = await disconnectOAuthProvider(
+          conn.providerKey,
+          undefined,
+          conn.id,
+        );
+        if (result === "error") {
+          return httpError(
+            "INTERNAL_ERROR",
+            "Failed to clean up connection tokens. The connection was not removed.",
+            500,
+          );
+        }
+
+        return Response.json({ ok: true });
+      },
+    },
+
+    // POST /v1/oauth/apps/:appId/connect — Start OAuth connect flow.
+    {
+      endpoint: "oauth/apps/:appId/connect",
+      method: "POST",
+      handler: async ({ req, params }) => {
+        const app = getApp(params.appId);
+        if (!app) {
+          return httpError(
+            "NOT_FOUND",
+            `OAuth app not found: ${params.appId}`,
+            404,
+          );
+        }
+
+        let body: { scopes?: string[] } = {};
+        try {
+          const text = await req.text();
+          if (text) {
+            body = JSON.parse(text);
+          }
+        } catch {
+          // No body or invalid JSON — use defaults
+        }
+
+        const clientSecret = await getAppClientSecret(app);
+
+        const result = await orchestrateOAuthConnect({
+          service: app.providerKey,
+          clientId: app.clientId,
+          clientSecret,
+          requestedScopes: body.scopes,
+          isInteractive: false,
+        });
+
+        if (result.success && result.deferred) {
+          return Response.json({
+            auth_url: result.authUrl,
+            state: result.state,
+          });
+        }
+
+        if (!result.success) {
+          return Response.json({ error: result.error }, { status: 500 });
+        }
+
+        // Interactive success (shouldn't happen with isInteractive: false,
+        // but handle gracefully)
+        return Response.json({ ok: true });
+      },
+    },
+  ];
+}

package/src/runtime/routes/secret-routes.ts

@@ -13,6 +13,8 @@ import type { CesClient } from "../../credential-execution/client.js";
 import { setSentryOrganizationId } from "../../instrument.js";
 import { syncManualTokenConnection } from "../../oauth/manual-token-connection.js";
 import { validateAnthropicApiKey } from "../../providers/anthropic/client.js";
+import { validateGeminiApiKey } from "../../providers/gemini/client.js";
+import { validateOpenAIApiKey } from "../../providers/openai/client.js";
 import { initializeProviders } from "../../providers/registry.js";
 import { credentialKey } from "../../security/credential-key.js";
 import {
@@ -131,7 +133,7 @@ export async function handleAddSecret(
           400,
         );
       }
-      // Validate Anthropic API keys before storing
+      // Validate API keys before storing (Anthropic, OpenAI, Gemini)
       if (name === "anthropic") {
         const validation = await validateAnthropicApiKey(value);
         if (!validation.valid) {
@@ -144,7 +146,32 @@ export async function handleAddSecret(
             { status: 422 },
           );
         }
+      } else if (name === "openai") {
+        const validation = await validateOpenAIApiKey(value);
+        if (!validation.valid) {
+          log.warn(
+            { provider: name, reason: validation.reason },
+            "API key validation failed",
+          );
+          return Response.json(
+            { success: false, error: validation.reason },
+            { status: 422 },
+          );
+        }
+      } else if (name === "gemini") {
+        const validation = await validateGeminiApiKey(value);
+        if (!validation.valid) {
+          log.warn(
+            { provider: name, reason: validation.reason },
+            "API key validation failed",
+          );
+          return Response.json(
+            { success: false, error: validation.reason },
+            { status: 422 },
+          );
+        }
       }
+      // fireworks, openrouter, ollama — no validation (allow storage)
 
       const stored = await setSecureKeyAsync(name, value);
       if (!stored) {

package/src/runtime/routes/settings-routes.ts

@@ -644,6 +644,20 @@ export function settingsRouteDefinitions(): RouteDefinition[] {
     },
 
     // OAuth connect
+    {
+      endpoint: "oauth/start",
+      method: "POST",
+      policyKey: "oauth/start",
+      handler: async ({ req }) => {
+        const body = (await req.json()) as {
+          service?: string;
+          requestedScopes?: string[];
+        };
+        return handleOAuthConnectStart(body);
+      },
+    },
+    // Legacy alias for oauth/start (kept for backwards compatibility with
+    // older clients and platform proxy routes)
     {
       endpoint: "integrations/oauth/start",
       method: "POST",

package/src/runtime/routes/trace-event-routes.ts

@@ -42,7 +42,10 @@ export function traceEventRouteDefinitions(): RouteDefinition[] {
         const afterSequence = afterSequenceParam
           ? parseInt(afterSequenceParam, 10)
           : undefined;
-        if (afterSequenceParam && (isNaN(afterSequence!) || afterSequence! < 0)) {
+        if (
+          afterSequenceParam &&
+          (isNaN(afterSequence!) || afterSequence! < 0)
+        ) {
           return httpError(
             "BAD_REQUEST",
             "afterSequence must be a non-negative integer",

package/src/schedule/schedule-store.ts

@@ -15,10 +15,7 @@ import type { ScheduleSyntax } from "./recurrence-types.js";
 const logger = getLogger("schedule-store");
 
 export type ScheduleMode = "notify" | "execute";
-export type RoutingIntent =
-  | "single_channel"
-  | "multi_channel"
-  | "all_channels";
+export type RoutingIntent = "single_channel" | "multi_channel" | "all_channels";
 export type ScheduleStatus = "active" | "firing" | "fired" | "cancelled";
 
 export interface ScheduleJob {
@@ -193,9 +190,7 @@ export function listSchedules(options?: {
     conditions.push(isNull(scheduleJobs.cronExpression));
   }
   if (options?.recurringOnly) {
-    conditions.push(
-      sql`${scheduleJobs.cronExpression} IS NOT NULL`,
-    );
+    conditions.push(sql`${scheduleJobs.cronExpression} IS NOT NULL`);
   }
   const where = conditions.length > 0 ? and(...conditions) : undefined;
   const rows = db
@@ -415,10 +410,7 @@ export function claimDueSchedules(now: number): ScheduleJob[] {
         updatedAt: now,
       })
       .where(
-        and(
-          eq(scheduleJobs.id, row.id),
-          eq(scheduleJobs.status, "active"),
-        ),
+        and(eq(scheduleJobs.id, row.id), eq(scheduleJobs.status, "active")),
       )
       .run();
 
@@ -450,9 +442,7 @@ export function completeOneShot(id: string): void {
       enabled: false,
       updatedAt: now,
     })
-    .where(
-      and(eq(scheduleJobs.id, id), eq(scheduleJobs.status, "firing")),
-    )
+    .where(and(eq(scheduleJobs.id, id), eq(scheduleJobs.status, "firing")))
     .run();
 }
 
@@ -468,9 +458,7 @@ export function failOneShot(id: string): void {
       status: "active",
       updatedAt: now,
     })
-    .where(
-      and(eq(scheduleJobs.id, id), eq(scheduleJobs.status, "firing")),
-    )
+    .where(and(eq(scheduleJobs.id, id), eq(scheduleJobs.status, "firing")))
     .run();
 }
 
@@ -487,9 +475,7 @@ export function cancelSchedule(id: string): boolean {
       enabled: false,
       updatedAt: now,
     })
-    .where(
-      and(eq(scheduleJobs.id, id), eq(scheduleJobs.status, "active")),
-    )
+    .where(and(eq(scheduleJobs.id, id), eq(scheduleJobs.status, "active")))
     .run();
   return rawChanges() > 0;
 }
@@ -770,7 +756,9 @@ function parseJobRow(row: typeof scheduleJobs.$inferSelect): ScheduleJob {
   };
 }
 
-function safeParseJson(json: string | null | undefined): Record<string, unknown> {
+function safeParseJson(
+  json: string | null | undefined,
+): Record<string, unknown> {
   if (!json) return {};
   try {
     return JSON.parse(json) as Record<string, unknown>;

package/src/security/secure-keys.ts

@@ -193,6 +193,27 @@ export async function getProviderKeyAsync(
   return envVar ? process.env[envVar] : undefined;
 }
 
+// ---------------------------------------------------------------------------
+// Masked provider key — for safe display in client UIs
+// ---------------------------------------------------------------------------
+
+/**
+ * Retrieve a provider API key and return a masked version suitable for
+ * display. Shows the first 10 characters and last 4, with `...` in between,
+ * always hiding at least 3 characters. Returns `null` if no key is stored.
+ */
+export async function getMaskedProviderKey(
+  provider: string,
+): Promise<string | null> {
+  const key = await getProviderKeyAsync(provider);
+  if (!key || key.length === 0) return null;
+  const minHidden = 3;
+  const maxVisible = Math.max(1, key.length - minHidden);
+  const prefixLen = Math.min(10, maxVisible);
+  const suffixLen = Math.min(4, Math.max(0, maxVisible - prefixLen));
+  return `${key.slice(0, prefixLen)}...${suffixLen > 0 ? key.slice(-suffixLen) : ""}`;
+}
+
 // ---------------------------------------------------------------------------
 // Test helpers
 // ---------------------------------------------------------------------------

package/src/signals/bash.ts

@@ -80,7 +80,7 @@ export function handleBashSignal(filename: string): void {
         exitCode: null,
         timedOut: false,
         error:
-          "Bash signals are disabled. The running assistant process must have been started with VELLUM_DEBUG=1 (setting it on the CLI command alone is not enough). Restart the assistant with: VELLUM_DEBUG=1 assistant start",
+          "Bash signals are disabled. The running assistant process must have been started with VELLUM_DEBUG=1 (setting it on the CLI command alone is not enough). Restart the assistant with: vellum sleep && VELLUM_DEBUG=1 vellum wake",
       });
     }
     return;

package/src/swarm/backend-claude-code.ts

@@ -7,7 +7,7 @@
 
 import { resolveModelIntent } from "../providers/model-intents.js";
 import type { ModelIntent } from "../providers/types.js";
-import { getSecureKeyAsync } from "../security/secure-keys.js";
+import { getProviderKeyAsync } from "../security/secure-keys.js";
 import { getLogger } from "../util/logger.js";
 import type {
   SwarmWorkerBackend,
@@ -29,8 +29,7 @@ export function createClaudeCodeBackend(): SwarmWorkerBackend {
     name: "claude_code",
 
     async isAvailable(): Promise<boolean> {
-      const apiKey =
-        (await getSecureKeyAsync("anthropic")) ?? process.env.ANTHROPIC_API_KEY;
+      const apiKey = await getProviderKeyAsync("anthropic");
       return !!apiKey;
     },
 
@@ -39,9 +38,7 @@ export function createClaudeCodeBackend(): SwarmWorkerBackend {
       const stderrLines: string[] = [];
       try {
         const { query } = await import("@anthropic-ai/claude-agent-sdk");
-        const apiKey =
-          (await getSecureKeyAsync("anthropic")) ??
-          process.env.ANTHROPIC_API_KEY;
+        const apiKey = await getProviderKeyAsync("anthropic");
         if (!apiKey) {
           return {
             success: false,

package/src/telemetry/usage-telemetry-reporter.test.ts

@@ -97,6 +97,7 @@ mock.module("../version.js", () => ({
 // Production import (after mocks)
 // ---------------------------------------------------------------------------
 
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
 import type { UsageEvent } from "../usage/types.js";
 import { UsageTelemetryReporter } from "./usage-telemetry-reporter.js";
 
@@ -434,7 +435,7 @@ describe("UsageTelemetryReporter", () => {
     expect(body.user_id).toBeUndefined();
   });
 
-  test("assistant_id falls back to 'self' when getExternalAssistantId returns undefined", async () => {
+  test("assistant_id falls back to DAEMON_INTERNAL_ASSISTANT_ID when getExternalAssistantId returns undefined", async () => {
     mockGetExternalAssistantId.mockReturnValue(undefined);
     const events = [makeUsageEvent()];
     mockQueryUnreportedUsageEvents.mockReturnValue(events);
@@ -450,7 +451,7 @@ describe("UsageTelemetryReporter", () => {
       (mockFetch.mock.calls[0] as [string, RequestInit])[1].body as string,
     );
     expect(body.installation_id).toBe("test-device-id");
-    expect(body.assistant_id).toBe("self");
+    expect(body.assistant_id).toBe(DAEMON_INTERNAL_ASSISTANT_ID);
   });
 
   test("turn events are included in the events array with type discriminator", async () => {

package/src/telemetry/usage-telemetry-reporter.ts

@@ -23,6 +23,7 @@ import { queryUnreportedLifecycleEvents } from "../memory/lifecycle-events-store
 import { queryUnreportedUsageEvents } from "../memory/llm-usage-store.js";
 import { queryUnreportedTurnEvents } from "../memory/turn-events-store.js";
 import { resolveManagedProxyContext } from "../providers/managed-proxy/context.js";
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
 import { getExternalAssistantId } from "../runtime/auth/external-assistant-id.js";
 import { getDeviceId } from "../util/device-id.js";
 import { getLogger } from "../util/logger.js";
@@ -187,7 +188,8 @@ export class UsageTelemetryReporter {
         ),
       ];
 
-      const assistantId = getExternalAssistantId() ?? "self";
+      const assistantId =
+        getExternalAssistantId() ?? DAEMON_INTERNAL_ASSISTANT_ID;
       const organizationId = getPlatformOrganizationId() || undefined;
       const userId = getPlatformUserId() || undefined;
       const payload = {