@vellumai/assistant 0.5.1 → 0.5.3

package/src/runtime/routes/log-export-routes.ts

@@ -444,6 +444,7 @@ const WORKSPACE_SKIP_DIRS = new Set([
   "embedding-models",
   "data/qdrant",
   "data/attachments",
+  "conversations",
 ]);
 
 /** Files at the workspace root to skip (already covered by sanitized fields). */
@@ -513,6 +514,8 @@ function collectWorkspaceFiles(): Record<string, string> {
 
         // SQLite DB handling: dump as SQL text, then enforce size cap
         if (entry.endsWith(".db")) {
+          // Skip the dump entirely if the budget is already exhausted
+          if (totalBytes >= MAX_WORKSPACE_PAYLOAD_BYTES) continue;
           try {
             const proc = spawnSync("sqlite3", [fullPath, ".dump"], {
               timeout: 10_000,

package/src/runtime/routes/memory-item-routes.test.ts

@@ -347,6 +347,40 @@ describe("Memory Item Routes", () => {
       expect(body.items[1].id).toBe("i1");
     });
 
+    test("supports sort by accessCount descending", async () => {
+      insertItem({
+        id: "i1",
+        kind: "preference",
+        subject: "s1",
+        statement: "st1",
+      });
+      insertItem({
+        id: "i2",
+        kind: "preference",
+        subject: "s2",
+        statement: "st2",
+      });
+
+      getDb()
+        .update(memoryItems)
+        .set({ accessCount: 2 })
+        .where(eq(memoryItems.id, "i1"))
+        .run();
+      getDb()
+        .update(memoryItems)
+        .set({ accessCount: 7 })
+        .where(eq(memoryItems.id, "i2"))
+        .run();
+
+      const ctx = makeCtx({ sort: "accessCount", order: "desc" });
+      const res = await handler(ctx);
+      const body = (await res.json()) as {
+        items: Array<{ id: string }>;
+      };
+      expect(body.items[0].id).toBe("i2");
+      expect(body.items[1].id).toBe("i1");
+    });
+
     test("rejects invalid kind filter", async () => {
       const ctx = makeCtx({ kind: "bogus" });
       const res = await handler(ctx);

package/src/runtime/routes/memory-item-routes.ts

@@ -8,13 +8,17 @@
  * DELETE /v1/memory-items/:id    — delete a memory item and its embeddings
  */
 
-import { and, asc, count, desc, eq, like, ne, or } from "drizzle-orm";
+import { and, asc, count, desc, eq, inArray, like, ne, or } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
 import { getDb } from "../../memory/db.js";
 import { computeMemoryFingerprint } from "../../memory/fingerprint.js";
 import { enqueueMemoryJob } from "../../memory/jobs-store.js";
-import { memoryEmbeddings, memoryItems } from "../../memory/schema.js";
+import {
+  conversations,
+  memoryEmbeddings,
+  memoryItems,
+} from "../../memory/schema.js";
 import { truncate } from "../../util/truncate.js";
 import { httpError } from "../http-errors.js";
 import type { RouteContext, RouteDefinition } from "../http-router.js";
@@ -37,6 +41,7 @@ type MemoryItemKind = (typeof VALID_KINDS)[number];
 const VALID_SORT_FIELDS = [
   "lastSeenAt",
   "importance",
+  "accessCount",
   "kind",
   "firstSeenAt",
 ] as const;
@@ -46,6 +51,7 @@ type SortField = (typeof VALID_SORT_FIELDS)[number];
 const SORT_COLUMN_MAP = {
   lastSeenAt: memoryItems.lastSeenAt,
   importance: memoryItems.importance,
+  accessCount: memoryItems.accessCount,
   kind: memoryItems.kind,
   firstSeenAt: memoryItems.firstSeenAt,
 } as const;
@@ -62,6 +68,54 @@ function isValidSortField(value: string): value is SortField {
   return (VALID_SORT_FIELDS as readonly string[]).includes(value);
 }
 
+/**
+ * Resolve a `scopeLabel` for a memory item based on its `scopeId`.
+ *
+ * - `"default"` → `null`
+ * - `"private:<conversationId>"` → `"Private · <title>"` when the conversation
+ *   has a title, or `"Private"` when it doesn't (or the conversation was deleted).
+ */
+function resolveScopeLabel(
+  scopeId: string,
+  titleMap: Map<string, string | null>,
+): string | null {
+  if (scopeId === "default") return null;
+  if (scopeId.startsWith("private:")) {
+    const conversationId = scopeId.slice("private:".length);
+    const title = titleMap.get(conversationId);
+    return title ? `Private · ${title}` : "Private";
+  }
+  return null;
+}
+
+/**
+ * Batch-fetch conversation titles for a set of private-scoped memory items.
+ * Returns a Map from conversation ID → title (or null).
+ */
+function buildConversationTitleMap(
+  db: ReturnType<typeof getDb>,
+  scopeIds: string[],
+): Map<string, string | null> {
+  const conversationIds = scopeIds
+    .filter((s) => s.startsWith("private:"))
+    .map((s) => s.slice("private:".length));
+
+  const uniqueIds = [...new Set(conversationIds)];
+  if (uniqueIds.length === 0) return new Map();
+
+  const rows = db
+    .select({ id: conversations.id, title: conversations.title })
+    .from(conversations)
+    .where(inArray(conversations.id, uniqueIds))
+    .all();
+
+  const map = new Map<string, string | null>();
+  for (const row of rows) {
+    map.set(row.id, row.title);
+  }
+  return map;
+}
+
 // ---------------------------------------------------------------------------
 // GET /v1/memory-items
 // ---------------------------------------------------------------------------
@@ -103,6 +157,8 @@ export function handleListMemoryItems(url: URL): Response {
 
   // Build WHERE conditions
   const conditions = [];
+  // Hide system-managed capability memories (skill announcements) from the UI
+  conditions.push(ne(memoryItems.kind, "capability"));
   if (statusParam && statusParam !== "all") {
     conditions.push(eq(memoryItems.status, statusParam));
   }
@@ -141,7 +197,17 @@ export function handleListMemoryItems(url: URL): Response {
     .offset(offsetParam)
     .all();
 
-  return Response.json({ items, total });
+  // Resolve scope labels for private-scoped items
+  const titleMap = buildConversationTitleMap(
+    db,
+    items.map((i) => i.scopeId),
+  );
+  const enrichedItems = items.map((item) => ({
+    ...item,
+    scopeLabel: resolveScopeLabel(item.scopeId, titleMap),
+  }));
+
+  return Response.json({ items: enrichedItems, total });
 }
 
 // ---------------------------------------------------------------------------
@@ -183,9 +249,14 @@ export function handleGetMemoryItem(ctx: RouteContext): Response {
     supersededBySubject = superseding?.subject;
   }
 
+  // Resolve scope label
+  const titleMap = buildConversationTitleMap(db, [item.scopeId]);
+  const scopeLabel = resolveScopeLabel(item.scopeId, titleMap);
+
   return Response.json({
     item: {
       ...item,
+      scopeLabel,
       ...(supersedesSubject !== undefined ? { supersedesSubject } : {}),
       ...(supersededBySubject !== undefined ? { supersededBySubject } : {}),
     },
@@ -299,7 +370,14 @@ export async function handleCreateMemoryItem(
     .where(eq(memoryItems.id, id))
     .get();
 
-  return Response.json({ item: insertedRow }, { status: 201 });
+  // Enrich with scopeLabel for API consistency
+  const titleMap = buildConversationTitleMap(db, [scopeId]);
+  const scopeLabel = resolveScopeLabel(scopeId, titleMap);
+
+  return Response.json(
+    { item: { ...insertedRow, scopeLabel } },
+    { status: 201 },
+  );
 }
 
 // ---------------------------------------------------------------------------
@@ -426,7 +504,18 @@ export async function handleUpdateMemoryItem(
     .where(eq(memoryItems.id, id))
     .get();
 
-  return Response.json({ item: updatedRow });
+  // Enrich with scopeLabel for API consistency
+  const patchTitleMap = buildConversationTitleMap(db, [
+    updatedRow?.scopeId ?? existing.scopeId,
+  ]);
+  const patchScopeLabel = resolveScopeLabel(
+    updatedRow?.scopeId ?? existing.scopeId,
+    patchTitleMap,
+  );
+
+  return Response.json({
+    item: { ...updatedRow, scopeLabel: patchScopeLabel },
+  });
 }
 
 // ---------------------------------------------------------------------------

package/src/runtime/routes/migration-routes.ts

@@ -160,7 +160,10 @@ export async function handleMigrationExport(req: Request): Promise<Response> {
           // Best-effort: if the DB can't be checkpointed (e.g. not a valid
           // SQLite file, missing WAL, etc.) we still proceed with the export
           // using whatever is on disk.
-          log.warn({ err }, "WAL checkpoint failed — exporting without checkpoint");
+          log.warn(
+            { err },
+            "WAL checkpoint failed — exporting without checkpoint",
+          );
         }
       },
     });

package/src/runtime/routes/oauth-apps.ts

@@ -0,0 +1,291 @@
+/**
+ * Route handlers for OAuth app and connection CRUD.
+ *
+ * Provides endpoints for managing user-supplied OAuth apps (e.g. "your own"
+ * Google client credentials) and their connections. All endpoints are
+ * bearer-token authenticated via the standard runtime auth middleware.
+ */
+
+import { orchestrateOAuthConnect } from "../../oauth/connect-orchestrator.js";
+import {
+  deleteApp,
+  disconnectOAuthProvider,
+  getApp,
+  getAppClientSecret,
+  getConnection,
+  getProvider,
+  listApps,
+  listConnections,
+  upsertApp,
+} from "../../oauth/oauth-store.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+function parseGrantedScopes(grantedScopes: string | string[] | null | undefined): string[] {
+  if (Array.isArray(grantedScopes)) {
+    return grantedScopes.filter((scope): scope is string => typeof scope === "string");
+  }
+
+  if (typeof grantedScopes !== "string" || grantedScopes.trim() === "") {
+    return [];
+  }
+
+  try {
+    const parsed = JSON.parse(grantedScopes) as unknown;
+    if (!Array.isArray(parsed)) return [];
+    return parsed.filter((scope): scope is string => typeof scope === "string");
+  } catch {
+    return [];
+  }
+}
+
+function normalizeHasRefreshToken(
+  hasRefreshToken: boolean | number | null | undefined,
+): boolean {
+  return hasRefreshToken === true || hasRefreshToken === 1;
+}
+
+/**
+ * Build route definitions for OAuth app and connection CRUD endpoints.
+ */
+export function oauthAppsRouteDefinitions(): RouteDefinition[] {
+  return [
+    // GET /v1/oauth/apps — List apps filtered by provider_key query param.
+    {
+      endpoint: "oauth/apps",
+      method: "GET",
+      handler: ({ url }) => {
+        const providerKey = url.searchParams.get("provider_key");
+        if (!providerKey) {
+          return httpError(
+            "BAD_REQUEST",
+            "provider_key query parameter is required",
+            400,
+          );
+        }
+
+        const allApps = listApps();
+        const filtered = allApps.filter(
+          (row) => row.providerKey === providerKey,
+        );
+
+        const providerRow = getProvider(providerKey);
+        const provider = providerRow
+          ? {
+              provider_key: providerRow.providerKey,
+              display_name: providerRow.displayName ?? null,
+              description: providerRow.description ?? null,
+              dashboard_url: providerRow.dashboardUrl ?? null,
+              client_id_placeholder: providerRow.clientIdPlaceholder ?? null,
+              requires_client_secret: providerRow.requiresClientSecret ?? 1,
+            }
+          : null;
+
+        return Response.json({
+          provider,
+          apps: filtered.map((row) => ({
+            id: row.id,
+            provider_key: row.providerKey,
+            client_id: row.clientId,
+            created_at: row.createdAt,
+            updated_at: row.updatedAt,
+          })),
+        });
+      },
+    },
+
+    // POST /v1/oauth/apps — Create an OAuth app.
+    {
+      endpoint: "oauth/apps",
+      method: "POST",
+      policyKey: "oauth/apps.create",
+      handler: async ({ req }) => {
+        const body = (await req.json()) as {
+          provider_key?: string;
+          client_id?: string;
+          client_secret?: string;
+        };
+
+        const { provider_key, client_id, client_secret } = body;
+
+        if (
+          !provider_key ||
+          typeof provider_key !== "string" ||
+          !client_id ||
+          typeof client_id !== "string" ||
+          !client_secret ||
+          typeof client_secret !== "string"
+        ) {
+          return httpError(
+            "BAD_REQUEST",
+            "provider_key, client_id, and client_secret are required non-empty strings",
+            400,
+          );
+        }
+
+        const provider = getProvider(provider_key);
+        if (!provider) {
+          return httpError(
+            "NOT_FOUND",
+            `No OAuth provider registered for "${provider_key}"`,
+            404,
+          );
+        }
+
+        const app = await upsertApp(provider_key, client_id, {
+          clientSecretValue: client_secret,
+        });
+
+        return Response.json(
+          {
+            app: {
+              id: app.id,
+              provider_key: app.providerKey,
+              client_id: app.clientId,
+              created_at: app.createdAt,
+              updated_at: app.updatedAt,
+            },
+          },
+          { status: 201 },
+        );
+      },
+    },
+
+    // DELETE /v1/oauth/apps/:id — Delete an OAuth app.
+    {
+      endpoint: "oauth/apps/:id",
+      method: "DELETE",
+      policyKey: "oauth/apps.delete",
+      handler: async ({ params }) => {
+        const app = getApp(params.id);
+        if (!app) {
+          return httpError("NOT_FOUND", `OAuth app not found: ${params.id}`, 404);
+        }
+
+        // Disconnect all connections for this app first to clean up tokens.
+        const connections = listConnections(app.providerKey, app.clientId);
+        for (const conn of connections) {
+          await disconnectOAuthProvider(app.providerKey, app.clientId, conn.id);
+        }
+
+        await deleteApp(params.id);
+
+        return Response.json({ ok: true });
+      },
+    },
+
+    // GET /v1/oauth/apps/:appId/connections — List connections for an app.
+    {
+      endpoint: "oauth/apps/:appId/connections",
+      method: "GET",
+      handler: ({ params }) => {
+        const app = getApp(params.appId);
+        if (!app) {
+          return httpError(
+            "NOT_FOUND",
+            `OAuth app not found: ${params.appId}`,
+            404,
+          );
+        }
+
+        const connections = listConnections(app.providerKey, app.clientId);
+
+        return Response.json({
+          connections: connections.map((row) => ({
+            id: row.id,
+            provider_key: row.providerKey,
+            account_info: row.accountInfo,
+            granted_scopes: parseGrantedScopes(row.grantedScopes),
+            status: row.status,
+            has_refresh_token: normalizeHasRefreshToken(row.hasRefreshToken),
+            expires_at: row.expiresAt,
+            created_at: row.createdAt,
+            updated_at: row.updatedAt,
+          })),
+        });
+      },
+    },
+
+    // DELETE /v1/oauth/connections/:id — Disconnect a single connection.
+    {
+      endpoint: "oauth/connections/:id",
+      method: "DELETE",
+      handler: async ({ params }) => {
+        const conn = getConnection(params.id);
+        if (!conn) {
+          return httpError(
+            "NOT_FOUND",
+            `OAuth connection not found: ${params.id}`,
+            404,
+          );
+        }
+
+        const result = await disconnectOAuthProvider(
+          conn.providerKey,
+          undefined,
+          conn.id,
+        );
+        if (result === "error") {
+          return httpError(
+            "INTERNAL_ERROR",
+            "Failed to clean up connection tokens. The connection was not removed.",
+            500,
+          );
+        }
+
+        return Response.json({ ok: true });
+      },
+    },
+
+    // POST /v1/oauth/apps/:appId/connect — Start OAuth connect flow.
+    {
+      endpoint: "oauth/apps/:appId/connect",
+      method: "POST",
+      handler: async ({ req, params }) => {
+        const app = getApp(params.appId);
+        if (!app) {
+          return httpError(
+            "NOT_FOUND",
+            `OAuth app not found: ${params.appId}`,
+            404,
+          );
+        }
+
+        let body: { scopes?: string[] } = {};
+        try {
+          const text = await req.text();
+          if (text) {
+            body = JSON.parse(text);
+          }
+        } catch {
+          // No body or invalid JSON — use defaults
+        }
+
+        const clientSecret = await getAppClientSecret(app);
+
+        const result = await orchestrateOAuthConnect({
+          service: app.providerKey,
+          clientId: app.clientId,
+          clientSecret,
+          requestedScopes: body.scopes,
+          isInteractive: false,
+        });
+
+        if (result.success && result.deferred) {
+          return Response.json({
+            auth_url: result.authUrl,
+            state: result.state,
+          });
+        }
+
+        if (!result.success) {
+          return Response.json({ error: result.error }, { status: 500 });
+        }
+
+        // Interactive success (shouldn't happen with isInteractive: false,
+        // but handle gracefully)
+        return Response.json({ ok: true });
+      },
+    },
+  ];
+}

package/src/runtime/routes/secret-routes.ts

@@ -11,8 +11,11 @@ import {
 } from "../../config/loader.js";
 import type { CesClient } from "../../credential-execution/client.js";
 import { setSentryOrganizationId } from "../../instrument.js";
+import { clearEmbeddingBackendCache } from "../../memory/embedding-backend.js";
 import { syncManualTokenConnection } from "../../oauth/manual-token-connection.js";
 import { validateAnthropicApiKey } from "../../providers/anthropic/client.js";
+import { validateGeminiApiKey } from "../../providers/gemini/client.js";
+import { validateOpenAIApiKey } from "../../providers/openai/client.js";
 import { initializeProviders } from "../../providers/registry.js";
 import { credentialKey } from "../../security/credential-key.js";
 import {
@@ -131,7 +134,7 @@ export async function handleAddSecret(
           400,
         );
       }
-      // Validate Anthropic API keys before storing
+      // Validate API keys before storing (Anthropic, OpenAI, Gemini)
       if (name === "anthropic") {
         const validation = await validateAnthropicApiKey(value);
         if (!validation.valid) {
@@ -144,7 +147,32 @@ export async function handleAddSecret(
             { status: 422 },
           );
         }
+      } else if (name === "openai") {
+        const validation = await validateOpenAIApiKey(value);
+        if (!validation.valid) {
+          log.warn(
+            { provider: name, reason: validation.reason },
+            "API key validation failed",
+          );
+          return Response.json(
+            { success: false, error: validation.reason },
+            { status: 422 },
+          );
+        }
+      } else if (name === "gemini") {
+        const validation = await validateGeminiApiKey(value);
+        if (!validation.valid) {
+          log.warn(
+            { provider: name, reason: validation.reason },
+            "API key validation failed",
+          );
+          return Response.json(
+            { success: false, error: validation.reason },
+            { status: 422 },
+          );
+        }
       }
+      // fireworks, openrouter, ollama — no validation (allow storage)
 
       const stored = await setSecureKeyAsync(name, value);
       if (!stored) {
@@ -319,6 +347,7 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
           500,
         );
       }
+      clearEmbeddingBackendCache();
       invalidateConfigCache();
       await initializeProviders(getConfig());
       log.info({ provider: name }, "API key deleted via HTTP");

package/src/runtime/routes/settings-routes.ts

@@ -644,6 +644,20 @@ export function settingsRouteDefinitions(): RouteDefinition[] {
     },
 
     // OAuth connect
+    {
+      endpoint: "oauth/start",
+      method: "POST",
+      policyKey: "oauth/start",
+      handler: async ({ req }) => {
+        const body = (await req.json()) as {
+          service?: string;
+          requestedScopes?: string[];
+        };
+        return handleOAuthConnectStart(body);
+      },
+    },
+    // Legacy alias for oauth/start (kept for backwards compatibility with
+    // older clients and platform proxy routes)
     {
       endpoint: "integrations/oauth/start",
       method: "POST",