@vellumai/assistant 0.5.10 → 0.5.12

package/src/cli/commands/oauth/connect.ts

@@ -0,0 +1,405 @@
+import { createServer, type Server } from "node:http";
+
+import type { Command } from "commander";
+
+import { orchestrateOAuthConnect } from "../../../oauth/connect-orchestrator.js";
+import {
+  getAppByProviderAndClientId,
+  getMostRecentAppByProvider,
+  getProvider,
+} from "../../../oauth/oauth-store.js";
+import { renderOAuthCompletionPage } from "../../../security/oauth-completion-page.js";
+import { openInBrowser } from "../../../util/browser.js";
+import { getSecureKeyViaDaemon } from "../../lib/daemon-credential-client.js";
+import { getCliLogger } from "../../logger.js";
+import { shouldOutputJson, writeOutput } from "../../output.js";
+import {
+  fetchActiveConnections,
+  isManagedMode,
+  requirePlatformClient,
+} from "./shared.js";
+
+const log = getCliLogger("cli");
+
+/**
+ * Start a temporary loopback server to serve a nice completion page after the
+ * platform redirects the user's browser following a managed OAuth flow.
+ * Returns the base URL and a cleanup function.
+ */
+function startManagedRedirectServer(provider: string): Promise<{
+  redirectUrl: string;
+  cleanup: () => void;
+}> {
+  return new Promise((resolve, reject) => {
+    const server: Server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", "http://127.0.0.1");
+      const error = url.searchParams.get("error");
+      const errorDesc = url.searchParams.get("error_description");
+      const providerHint = url.searchParams.get("provider") ?? provider;
+
+      if (error) {
+        const message = errorDesc ?? error;
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(renderOAuthCompletionPage(message, false, providerHint));
+      } else {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(
+          renderOAuthCompletionPage(
+            "You can close this tab and return to your assistant.",
+            true,
+            providerHint,
+          ),
+        );
+      }
+    });
+
+    server.listen(0, "localhost", () => {
+      const addr = server.address() as { port: number };
+      const redirectUrl = `http://localhost:${addr.port}/oauth/complete`;
+      resolve({
+        redirectUrl,
+        cleanup: () => server.close(),
+      });
+    });
+
+    server.on("error", (err) => {
+      reject(new Error(`Failed to start redirect server: ${err.message}`));
+    });
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Command registration
+// ---------------------------------------------------------------------------
+
+export function registerConnectCommand(oauth: Command): void {
+  oauth
+    .command("connect <provider>")
+    .description(
+      "Initiate an OAuth authorization flow for a specified provider",
+    )
+    .option("--scopes <scopes...>", "Scopes to request for the authorization")
+    .option(
+      "--open-browser",
+      "Open the auth URL in the browser and wait for completion",
+    )
+    .option("--client-id <id>", "BYO app client ID disambiguation")
+    .addHelpText(
+      "after",
+      `
+Arguments:
+  provider   Provider name (e.g. google, slack, notion).
+             Run 'assistant oauth providers list' to see available providers.
+
+In managed mode, --scopes must be in the provider's allowed set (use full
+scope URLs). In BYO mode, --scopes are appended to the provider's defaults.
+The --open-browser flag polls for a platform connection (managed) or starts
+a local callback server (BYO).
+
+Examples:
+  $ assistant oauth connect google
+  $ assistant oauth connect google --open-browser
+  $ assistant oauth connect google --scopes https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events
+  $ assistant oauth connect google --client-id abc123 --open-browser`,
+    )
+    .action(
+      async (
+        provider: string,
+        opts: {
+          scopes?: string[];
+          openBrowser?: boolean;
+          clientId?: string;
+        },
+        cmd: Command,
+      ) => {
+        const jsonMode = shouldOutputJson(cmd);
+
+        // Helper: write an error and set exit code
+        const writeError = (error: string): void => {
+          writeOutput(cmd, { ok: false, error });
+          process.exitCode = 1;
+        };
+
+        try {
+          // ---------------------------------------------------------------
+          // 1. Validate provider exists
+          // ---------------------------------------------------------------
+          const providerRow = getProvider(provider);
+          if (!providerRow) {
+            writeError(
+              `Unknown provider "${provider}". ` +
+                `Run 'assistant oauth providers list' to see available providers.`,
+            );
+            return;
+          }
+
+          // ---------------------------------------------------------------
+          // 3. Detect mode
+          // ---------------------------------------------------------------
+          const managed = isManagedMode(provider);
+
+          if (managed) {
+            // =============================================================
+            // MANAGED PATH
+            // =============================================================
+
+            // Warn about --client-id being ignored in managed mode
+            if (opts.clientId) {
+              log.info(
+                `Warning: --client-id is ignored for platform-managed providers. The platform manages OAuth apps for "${provider}".`,
+              );
+            }
+
+            const client = await requirePlatformClient(cmd);
+            if (!client) return;
+
+            // Call the platform's OAuth start endpoint
+            const startPath = `/v1/assistants/${encodeURIComponent(client.platformAssistantId)}/oauth/${encodeURIComponent(provider)}/start/`;
+
+            const body: Record<string, unknown> = {};
+            if (opts.scopes && opts.scopes.length > 0) {
+              body.requested_scopes = opts.scopes;
+            }
+
+            // When opening the browser, start a local server to show a nice
+            // completion page instead of redirecting to the platform website.
+            let redirectServer:
+              | { redirectUrl: string; cleanup: () => void }
+              | undefined;
+            if (opts.openBrowser) {
+              try {
+                redirectServer = await startManagedRedirectServer(provider);
+                body.redirect_after_connect = redirectServer.redirectUrl;
+              } catch {
+                // Non-fatal — fall back to platform default redirect
+              }
+            }
+
+            try {
+              const response = await client.fetch(startPath, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(body),
+              });
+
+              if (!response.ok) {
+                const errorText = await response.text().catch(() => "");
+                writeError(
+                  `Platform returned HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`,
+                );
+                return;
+              }
+
+              const result = (await response.json()) as {
+                connect_url?: string;
+              };
+
+              if (!result.connect_url) {
+                writeError(
+                  "Platform did not return a connect URL — the OAuth flow could not be started",
+                );
+                return;
+              }
+
+              if (opts.openBrowser) {
+                // Snapshot existing connection IDs before opening browser
+                const snapshotEntries = await fetchActiveConnections(
+                  client,
+                  provider,
+                  cmd,
+                );
+                if (!snapshotEntries) {
+                  // fetchActiveConnections already wrote the error output
+                  return;
+                }
+                const snapshotIds = new Set(snapshotEntries.map((e) => e.id));
+
+                openInBrowser(result.connect_url);
+
+                if (!jsonMode) {
+                  log.info(
+                    `Opening browser to connect ${provider}. Waiting for authorization...`,
+                  );
+                }
+
+                // Poll for a new connection every 2s for up to 5 minutes
+                const pollIntervalMs = 2000;
+                const timeoutMs = 5 * 60 * 1000;
+                const deadline = Date.now() + timeoutMs;
+                let newConnection: {
+                  id: string;
+                  account_label?: string;
+                  scopes_granted?: string[];
+                } | null = null;
+
+                while (Date.now() < deadline) {
+                  await new Promise((r) => setTimeout(r, pollIntervalMs));
+
+                  const currentEntries = await fetchActiveConnections(
+                    client,
+                    provider,
+                    cmd,
+                    { silent: true },
+                  );
+                  if (!currentEntries) continue;
+
+                  const found = currentEntries.find(
+                    (e) => !snapshotIds.has(e.id),
+                  );
+                  if (found) {
+                    newConnection = found;
+                    break;
+                  }
+                }
+
+                if (newConnection) {
+                  // Success — new connection found
+                  if (jsonMode) {
+                    writeOutput(cmd, {
+                      ok: true,
+                      provider: provider,
+                      connectionId: newConnection.id,
+                      accountLabel: newConnection.account_label ?? null,
+                      scopesGranted: newConnection.scopes_granted ?? [],
+                    });
+                  } else {
+                    const label = newConnection.account_label
+                      ? ` as ${newConnection.account_label}`
+                      : "";
+                    process.stdout.write(`Connected to ${provider}${label}\n`);
+                  }
+                } else {
+                  // Timeout — authorization may still be in progress
+                  if (jsonMode) {
+                    writeOutput(cmd, {
+                      ok: true,
+                      deferred: true,
+                      provider: provider,
+                      connectUrl: result.connect_url,
+                      message:
+                        "Authorization may still be in progress. Check with 'assistant oauth status <provider>'.",
+                    });
+                  } else {
+                    process.stdout.write(
+                      `Timed out waiting for authorization. It may still be in progress.\n` +
+                        `Check with: assistant oauth status ${provider}\n`,
+                    );
+                  }
+                }
+              } else {
+                // No --open-browser: output the connect URL
+                if (jsonMode) {
+                  writeOutput(cmd, {
+                    ok: true,
+                    deferred: true,
+                    connectUrl: result.connect_url,
+                    provider: provider,
+                  });
+                } else {
+                  process.stdout.write(result.connect_url + "\n");
+                }
+              }
+            } finally {
+              redirectServer?.cleanup();
+            }
+          } else {
+            // =============================================================
+            // BYO PATH
+            // =============================================================
+
+            // a. Resolve client credentials from the DB
+            const dbApp = opts.clientId
+              ? getAppByProviderAndClientId(provider, opts.clientId)
+              : getMostRecentAppByProvider(provider);
+
+            let clientId = opts.clientId;
+            let clientSecret: string | undefined;
+
+            if (dbApp) {
+              if (!clientId) clientId = dbApp.clientId;
+              const storedSecret = await getSecureKeyViaDaemon(
+                dbApp.clientSecretCredentialPath,
+              );
+              if (storedSecret) clientSecret = storedSecret;
+            } else if (opts.clientId) {
+              // --client-id was explicitly provided but no matching app exists
+              writeError(
+                `No registered app found for "${provider}" with client ID "${opts.clientId}". ` +
+                  `Register one with 'assistant oauth apps upsert'.`,
+              );
+              return;
+            }
+
+            // c. Validate client_id exists
+            if (!clientId) {
+              writeError(
+                `No client_id found for "${provider}". ` +
+                  `Register one with 'assistant oauth apps upsert'.`,
+              );
+              return;
+            }
+
+            // d. Check if client_secret is required but missing
+            if (clientSecret === undefined) {
+              const requiresSecret = !!providerRow?.requiresClientSecret;
+
+              if (requiresSecret) {
+                writeError(
+                  `client_secret is required for ${provider} but not found. ` +
+                    `Store it with 'assistant oauth apps upsert --client-secret'.`,
+                );
+                return;
+              }
+            }
+
+            // e. Call the orchestrator
+            const result = await orchestrateOAuthConnect({
+              service: provider,
+              clientId,
+              clientSecret,
+              isInteractive: !!opts.openBrowser,
+              openUrl: opts.openBrowser ? openInBrowser : undefined,
+              ...(opts.scopes ? { requestedScopes: opts.scopes } : {}),
+            });
+
+            // f. Handle results
+            if (!result.success) {
+              writeError(result.error ?? "OAuth connect failed");
+              return;
+            }
+
+            if (result.deferred) {
+              if (jsonMode) {
+                writeOutput(cmd, {
+                  ok: true,
+                  deferred: true,
+                  authUrl: result.authUrl,
+                  service: result.service,
+                });
+              } else {
+                process.stdout.write(
+                  `\nAuthorize with ${provider}:\n\n${result.authUrl}\n\nThe connection will complete automatically once you authorize.\n`,
+                );
+              }
+              return;
+            }
+
+            // Interactive mode completed
+            if (jsonMode) {
+              writeOutput(cmd, {
+                ok: true,
+                grantedScopes: result.grantedScopes,
+                accountInfo: result.accountInfo,
+              });
+            } else {
+              const msg = `Connected to ${provider}${result.accountInfo ? ` as ${result.accountInfo}` : ""}`;
+              process.stdout.write(msg + "\n");
+            }
+          }
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeError(message);
+        }
+      },
+    );
+}

package/src/cli/commands/oauth/disconnect.ts

@@ -0,0 +1,285 @@
+import type { Command } from "commander";
+
+import {
+  disconnectOAuthProvider,
+  getActiveConnection,
+  getConnection,
+  getProvider,
+  listActiveConnectionsByProvider,
+} from "../../../oauth/oauth-store.js";
+import { getCliLogger } from "../../logger.js";
+import { shouldOutputJson, writeOutput } from "../../output.js";
+import {
+  fetchActiveConnections,
+  isManagedMode,
+  requirePlatformClient,
+} from "./shared.js";
+
+const log = getCliLogger("cli");
+
+// ---------------------------------------------------------------------------
+// Command registration
+// ---------------------------------------------------------------------------
+
+export function registerDisconnectCommand(oauth: Command): void {
+  oauth
+    .command("disconnect <provider>")
+    .description(
+      "Disconnect an OAuth provider and remove associated credentials",
+    )
+    .option(
+      "--account <identifier>",
+      "Account identifier to disconnect (e.g. email address)",
+    )
+    .option("--connection-id <id>", "Exact connection ID to disconnect")
+    .addHelpText(
+      "after",
+      `
+Arguments:
+  provider   Provider name (e.g. google, slack, notion).
+             Run 'assistant oauth providers list' to see available providers.
+
+At most one of --account or --connection-id may be specified. Use the values
+shown by 'assistant oauth status <provider>' to find the right identifier.
+
+When a provider has multiple active connections and neither flag is given,
+the command errors with a list of connections and a hint to disambiguate.
+
+Examples:
+  $ assistant oauth disconnect google
+  $ assistant oauth disconnect google --account user@gmail.com
+  $ assistant oauth disconnect google --connection-id conn_abc123`,
+    )
+    .action(
+      async (
+        provider: string,
+        opts: { account?: string; connectionId?: string },
+        cmd: Command,
+      ) => {
+        const jsonMode = shouldOutputJson(cmd);
+
+        // Helper: write an error and set exit code
+        const writeError = (
+          error: string,
+          extra?: Record<string, unknown>,
+        ): void => {
+          writeOutput(cmd, { ok: false, error, ...extra });
+          process.exitCode = 1;
+        };
+
+        try {
+          // -------------------------------------------------------------------
+          // 1. Validate provider
+          // -------------------------------------------------------------------
+          const providerRow = getProvider(provider);
+          if (!providerRow) {
+            writeError(
+              `Unknown provider "${provider}".\n\n` +
+                `Run 'assistant oauth providers list' to see available providers.\n` +
+                `If this is a custom provider, register it first with 'assistant oauth providers register --help'.`,
+            );
+            return;
+          }
+
+          // -------------------------------------------------------------------
+          // 2. Validate mutual exclusivity
+          // -------------------------------------------------------------------
+          if (opts.account && opts.connectionId) {
+            writeError(
+              `Cannot specify both --account and --connection-id. Use one or the other.\n\n` +
+                `Run 'assistant oauth status ${provider}' to see connected accounts and IDs.`,
+            );
+            return;
+          }
+
+          // -------------------------------------------------------------------
+          // 3. Detect mode
+          // -------------------------------------------------------------------
+          const managed = isManagedMode(provider);
+
+          if (managed) {
+            // -----------------------------------------------------------------
+            // Managed path
+            // -----------------------------------------------------------------
+            const client = await requirePlatformClient(cmd);
+            if (!client) return;
+
+            const entries = await fetchActiveConnections(client, provider, cmd);
+            if (!entries) return;
+
+            let connectionId: string | undefined;
+            let accountLabel: string | undefined;
+
+            if (opts.account) {
+              // Filter connections by account_label matching the account value
+              const matching = entries.filter(
+                (c) => c.account_label === opts.account,
+              );
+              if (matching.length === 0) {
+                writeError(
+                  `No active connection found for "${provider}" with account "${opts.account}".\n\n` +
+                    `Run 'assistant oauth status ${provider}' to see connected accounts.`,
+                );
+                return;
+              }
+              connectionId = matching[0].id;
+              accountLabel = matching[0].account_label;
+            } else if (opts.connectionId) {
+              // Verify the supplied ID belongs to this provider
+              const match = entries.find((c) => c.id === opts.connectionId);
+              if (!match) {
+                writeError(
+                  `Connection "${opts.connectionId}" is not an active ${provider} connection.\n\n` +
+                    `Run 'assistant oauth status ${provider}' to see active connections.`,
+                );
+                return;
+              }
+              connectionId = match.id;
+              accountLabel = match.account_label;
+            } else {
+              // Neither specified — auto-resolve
+              if (entries.length === 0) {
+                writeError(
+                  `No active connections found for "${provider}".\n\n` +
+                    `Run 'assistant oauth status ${provider}' to check connection status.`,
+                );
+                return;
+              }
+
+              if (entries.length > 1) {
+                const connectionList = entries.map((c) => ({
+                  id: c.id,
+                  account: c.account_label ?? null,
+                }));
+                writeError(
+                  `Multiple active connections for "${provider}". ` +
+                    `Specify which one to disconnect with --account or --connection-id.\n\n` +
+                    `Run 'assistant oauth status ${provider}' to see connected accounts and IDs.`,
+                  { connections: connectionList },
+                );
+                return;
+              }
+
+              connectionId = entries[0].id;
+              accountLabel = entries[0].account_label;
+            }
+
+            // Call platform /disconnect/ endpoint
+            const disconnectPath = `/v1/assistants/${encodeURIComponent(client.platformAssistantId)}/oauth/connections/${encodeURIComponent(connectionId)}/disconnect/`;
+            const disconnectResponse = await client.fetch(disconnectPath, {
+              method: "POST",
+              headers: { "Content-Type": "application/json" },
+            });
+
+            if (!disconnectResponse.ok) {
+              const errorText = await disconnectResponse.text().catch(() => "");
+              writeError(
+                `Platform returned HTTP ${disconnectResponse.status}${errorText ? `: ${errorText}` : ""}`,
+              );
+              return;
+            }
+
+            const result: Record<string, unknown> = {
+              ok: true,
+              provider: provider,
+              connectionId,
+            };
+            if (accountLabel) result.account = accountLabel;
+            writeOutput(cmd, result);
+
+            if (!jsonMode) {
+              log.info(`Disconnected ${provider} connection ${connectionId}`);
+            }
+          } else {
+            // -----------------------------------------------------------------
+            // BYO path
+            // -----------------------------------------------------------------
+            let connectionId: string | undefined;
+            let accountLabel: string | undefined;
+
+            if (opts.account) {
+              const conn = getActiveConnection(provider, {
+                account: opts.account,
+              });
+              if (!conn) {
+                writeError(
+                  `No active connection found for "${provider}" with account "${opts.account}".\n\n` +
+                    `Run 'assistant oauth status ${provider}' to see connected accounts.`,
+                );
+                return;
+              }
+              connectionId = conn.id;
+              accountLabel = conn.accountInfo ?? undefined;
+            } else if (opts.connectionId) {
+              const conn = getConnection(opts.connectionId);
+              if (!conn || conn.providerKey !== provider) {
+                writeError(
+                  `Connection "${opts.connectionId}" is not an active ${provider} connection.\n\n` +
+                    `Run 'assistant oauth status ${provider}' to see active connections.`,
+                );
+                return;
+              }
+              connectionId = conn.id;
+              accountLabel = conn.accountInfo ?? undefined;
+            } else {
+              // Neither specified — auto-resolve
+              const active = listActiveConnectionsByProvider(provider);
+
+              if (active.length === 0) {
+                writeError(
+                  `No active connections found for "${provider}".\n\n` +
+                    `Run 'assistant oauth status ${provider}' to check connection status.`,
+                );
+                return;
+              }
+
+              if (active.length > 1) {
+                const connectionList = active.map((c) => ({
+                  id: c.id,
+                  account: c.accountInfo ?? null,
+                }));
+                writeError(
+                  `Multiple active connections for "${provider}". ` +
+                    `Specify which one to disconnect with --account or --connection-id.\n\n` +
+                    `Run 'assistant oauth status ${provider}' to see connected accounts and IDs.`,
+                  { connections: connectionList },
+                );
+                return;
+              }
+
+              connectionId = active[0].id;
+              accountLabel = active[0].accountInfo ?? undefined;
+            }
+
+            // Disconnect the OAuth connection (tokens + connection row)
+            const oauthResult = await disconnectOAuthProvider(
+              provider,
+              undefined,
+              connectionId,
+            );
+            if (oauthResult === "error") {
+              writeError(
+                `Failed to disconnect OAuth provider "${provider}" — please try again.`,
+              );
+              return;
+            }
+
+            const result: Record<string, unknown> = {
+              ok: true,
+              provider: provider,
+              connectionId,
+            };
+            if (accountLabel) result.account = accountLabel;
+            writeOutput(cmd, result);
+
+            if (!jsonMode) {
+              log.info(`Disconnected ${provider} connection ${connectionId}`);
+            }
+          }
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          writeError(message);
+        }
+      },
+    );
+}