npm - @vellumai/assistant - Versions diffs - 0.5.11 → 0.5.13 - Mend

@vellumai/assistant 0.5.11 → 0.5.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/Dockerfile +42 -9
package/docs/architecture/integrations.md +34 -32
package/node_modules/@vellumai/ces-contracts/src/__tests__/grants.test.ts +7 -7
package/node_modules/@vellumai/ces-contracts/src/handles.ts +5 -4
package/node_modules/@vellumai/ces-contracts/src/index.ts +7 -0
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +5 -0
package/node_modules/@vellumai/credential-storage/src/index.ts +1 -1
package/openapi.yaml +87 -9
package/package.json +1 -1
package/src/__tests__/catalog-cache.test.ts +164 -0
package/src/__tests__/catalog-search.test.ts +61 -0
package/src/__tests__/cli-command-risk-guard.test.ts +181 -6
package/src/__tests__/conversation-delete-schedule-cleanup.test.ts +396 -0
package/src/__tests__/conversation-error.test.ts +3 -2
package/src/__tests__/credential-security-invariants.test.ts +9 -15
package/src/__tests__/credential-vault-unit.test.ts +32 -34
package/src/__tests__/credential-vault.test.ts +25 -33
package/src/__tests__/credentials-cli.test.ts +3 -3
package/src/__tests__/daemon-credential-client.test.ts +2 -2
package/src/__tests__/first-greeting.test.ts +7 -0
package/src/__tests__/host-bash-proxy.test.ts +79 -0
package/src/__tests__/host-cu-proxy.test.ts +90 -0
package/src/__tests__/host-file-proxy.test.ts +89 -0
package/src/__tests__/integration-status.test.ts +5 -5
package/src/__tests__/list-messages-attachments.test.ts +171 -0
package/src/__tests__/mcp-abort-signal.test.ts +205 -0
package/src/__tests__/messaging-send-tool.test.ts +5 -5
package/src/__tests__/navigate-settings-tab.test.ts +6 -2
package/src/__tests__/notification-telegram-adapter.test.ts +125 -0
package/src/__tests__/oauth-cli.test.ts +126 -119
package/src/__tests__/oauth-provider-profiles.test.ts +55 -20
package/src/__tests__/oauth-scope-policy.test.ts +4 -6
package/src/__tests__/onboarding-template-contract.test.ts +2 -2
package/src/__tests__/platform.test.ts +3 -168
package/src/__tests__/secret-routes-managed-proxy.test.ts +78 -0
package/src/__tests__/secure-keys-managed-failover.test.ts +73 -0
package/src/__tests__/skill-feature-flags.test.ts +8 -0
package/src/__tests__/skill-secret-handling-guard.test.ts +212 -0
package/src/__tests__/skills-uninstall.test.ts +2 -2
package/src/__tests__/slack-messaging-token-resolution.test.ts +22 -24
package/src/__tests__/slack-share-routes.test.ts +5 -5
package/src/__tests__/system-prompt.test.ts +39 -0
package/src/__tests__/token-estimator-accuracy.benchmark.test.ts +1 -1
package/src/__tests__/workspace-migration-backfill-installation-id.test.ts +5 -4
package/src/cli/AGENTS.md +47 -7
package/src/cli/commands/browser-relay.ts +2 -17
package/src/cli/commands/contacts.ts +6 -4
package/src/cli/commands/conversations.ts +13 -1
package/src/cli/commands/credential-execution.ts +16 -1
package/src/cli/commands/credentials.ts +2 -8
package/src/cli/commands/oauth/__tests__/connect.test.ts +29 -108
package/src/cli/commands/oauth/__tests__/disconnect.test.ts +13 -87
package/src/cli/commands/oauth/__tests__/mode.test.ts +22 -69
package/src/cli/commands/oauth/__tests__/ping.test.ts +20 -79
package/src/cli/commands/oauth/__tests__/providers-delete.test.ts +574 -0
package/src/cli/commands/oauth/__tests__/providers-update.test.ts +416 -0
package/src/cli/commands/oauth/__tests__/status.test.ts +12 -40
package/src/cli/commands/oauth/__tests__/token.test.ts +3 -50
package/src/cli/commands/oauth/apps.ts +63 -44
package/src/cli/commands/oauth/connect.ts +187 -155
package/src/cli/commands/oauth/disconnect.ts +27 -75
package/src/cli/commands/oauth/index.ts +36 -46
package/src/cli/commands/oauth/mode.ts +22 -34
package/src/cli/commands/oauth/ping.ts +19 -45
package/src/cli/commands/oauth/providers.ts +569 -62
package/src/cli/commands/oauth/request.ts +36 -48
package/src/cli/commands/oauth/shared.ts +1 -19
package/src/cli/commands/oauth/status.ts +14 -25
package/src/cli/commands/oauth/token.ts +25 -34
package/src/cli/commands/platform/__tests__/connect.test.ts +224 -0
package/src/cli/commands/platform/__tests__/disconnect.test.ts +237 -0
package/src/cli/commands/platform/__tests__/status.test.ts +246 -0
package/src/cli/commands/platform/connect.ts +104 -0
package/src/cli/commands/platform/disconnect.ts +118 -0
package/src/cli/commands/{platform.ts → platform/index.ts} +108 -38
package/src/cli/commands/sequence.ts +5 -4
package/src/cli/commands/shotgun.ts +16 -0
package/src/cli/commands/skills.ts +173 -41
package/src/cli/commands/usage.ts +5 -11
package/src/cli/lib/daemon-credential-client.ts +22 -38
package/src/cli/program.ts +1 -1
package/src/config/assistant-feature-flags.ts +3 -7
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +1 -1
package/src/config/bundled-skills/conversations/SKILL.md +20 -0
package/src/config/bundled-skills/conversations/TOOLS.json +23 -0
package/src/config/bundled-skills/conversations/tools/rename-conversation.ts +66 -0
package/src/config/bundled-skills/gmail/SKILL.md +13 -13
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +3 -3
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +2 -2
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +2 -2
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +1 -1
package/src/config/bundled-skills/google-calendar/SKILL.md +10 -4
package/src/config/bundled-skills/google-calendar/tools/shared.ts +1 -1
package/src/config/bundled-skills/messaging/SKILL.md +7 -7
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +5 -2
package/src/config/bundled-skills/messaging/tools/shared.ts +5 -6
package/src/config/bundled-skills/settings/TOOLS.json +5 -3
package/src/config/bundled-skills/settings/tools/navigate-settings-tab.ts +4 -2
package/src/config/bundled-tool-registry.ts +5 -0
package/src/config/feature-flag-registry.json +2 -2
package/src/credential-execution/client.ts +15 -3
package/src/daemon/conversation-agent-loop.ts +2 -0
package/src/daemon/conversation-error.ts +36 -6
package/src/daemon/conversation-messaging.ts +9 -0
package/src/daemon/conversation-runtime-assembly.ts +33 -0
package/src/daemon/conversation-surfaces.ts +120 -14
package/src/daemon/conversation.ts +5 -0
package/src/daemon/first-greeting.ts +6 -1
package/src/daemon/handlers/skills.ts +148 -3
package/src/daemon/host-bash-proxy.ts +16 -0
package/src/daemon/host-cu-proxy.ts +16 -0
package/src/daemon/host-file-proxy.ts +16 -0
package/src/daemon/lifecycle.ts +56 -5
package/src/daemon/message-types/conversations.ts +1 -0
package/src/daemon/message-types/guardian-actions.ts +2 -0
package/src/daemon/message-types/host-bash.ts +6 -1
package/src/daemon/message-types/host-cu.ts +6 -1
package/src/daemon/message-types/host-file.ts +6 -1
package/src/daemon/message-types/integrations.ts +0 -1
package/src/daemon/server.ts +29 -2
package/src/hooks/cli.ts +74 -0
package/src/inbound/platform-callback-registration.ts +7 -12
package/src/index.ts +0 -12
package/src/mcp/client.ts +6 -1
package/src/mcp/manager.ts +2 -1
package/src/memory/conversation-crud.ts +92 -3
package/src/memory/conversation-key-store.ts +26 -0
package/src/memory/conversation-queries.ts +6 -6
package/src/memory/db-init.ts +16 -0
package/src/memory/journal-memory.ts +8 -2
package/src/memory/migrations/196-messages-conversation-created-at-index.ts +9 -0
package/src/memory/migrations/196-strip-integration-prefix-from-provider-keys.ts +186 -0
package/src/memory/migrations/197-oauth-providers-behavior-columns.ts +29 -0
package/src/memory/migrations/198-drop-setup-skill-id-column.ts +11 -0
package/src/memory/migrations/index.ts +4 -0
package/src/memory/migrations/registry.ts +8 -0
package/src/memory/schema/oauth.ts +11 -0
package/src/messaging/provider.ts +13 -12
package/src/messaging/providers/gmail/adapter.ts +44 -35
package/src/messaging/providers/slack/adapter.ts +63 -33
package/src/messaging/providers/telegram-bot/adapter.ts +6 -8
package/src/messaging/providers/whatsapp/adapter.ts +6 -8
package/src/notifications/adapters/telegram.ts +78 -2
package/src/oauth/__tests__/identity-verifier.test.ts +464 -0
package/src/oauth/byo-connection.test.ts +22 -24
package/src/oauth/connect-orchestrator.ts +37 -76
package/src/oauth/connect-types.ts +7 -65
package/src/oauth/connection-resolver.test.ts +13 -13
package/src/oauth/connection-resolver.ts +3 -4
package/src/oauth/identity-verifier.ts +177 -0
package/src/oauth/oauth-store.ts +228 -3
package/src/oauth/platform-connection.test.ts +56 -6
package/src/oauth/platform-connection.ts +8 -1
package/src/oauth/seed-providers.ts +247 -34
package/src/permissions/checker.ts +127 -1
package/src/prompts/journal-context.ts +4 -1
package/src/prompts/system-prompt.ts +54 -9
package/src/prompts/templates/BOOTSTRAP.md +16 -5
package/src/providers/anthropic/client.ts +2 -33
package/src/runtime/guardian-action-service.ts +7 -2
package/src/runtime/http-server.ts +12 -18
package/src/runtime/http-types.ts +8 -1
package/src/runtime/migrations/rebind-secrets-screen.ts +2 -2
package/src/runtime/routes/conversation-management-routes.ts +31 -0
package/src/runtime/routes/conversation-routes.ts +79 -4
package/src/runtime/routes/guardian-action-routes.ts +15 -2
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -8
package/src/runtime/routes/integrations/slack/share.ts +1 -1
package/src/runtime/routes/oauth-apps.ts +2 -1
package/src/runtime/routes/secret-routes.ts +45 -15
package/src/runtime/routes/settings-routes.ts +12 -19
package/src/runtime/routes/skills-routes.ts +45 -4
package/src/schedule/integration-status.ts +2 -2
package/src/security/ces-rpc-credential-backend.ts +19 -16
package/src/security/oauth-completion-page.ts +153 -0
package/src/security/oauth2.ts +3 -17
package/src/security/secure-keys.ts +207 -7
package/src/security/token-manager.ts +3 -6
package/src/signals/bash.ts +6 -1
package/src/skills/catalog-cache.ts +44 -0
package/src/skills/catalog-search.ts +18 -0
package/src/tools/browser/browser-manager.ts +2 -2
package/src/tools/credentials/post-connect-hooks.ts +1 -1
package/src/tools/credentials/vault.ts +34 -45
package/src/tools/host-terminal/host-shell.ts +16 -3
package/src/tools/mcp/mcp-tool-factory.ts +2 -1
package/src/tools/skills/sandbox-runner.ts +16 -3
package/src/tools/terminal/shell.ts +16 -3
package/src/util/logger.ts +11 -1
package/src/util/platform.ts +1 -91
package/src/util/sentry-log-stream.ts +51 -0
package/src/watcher/providers/github.ts +2 -2
package/src/watcher/providers/gmail.ts +1 -1
package/src/watcher/providers/google-calendar.ts +1 -1
package/src/watcher/providers/linear.ts +2 -2
package/src/workspace/migrations/011-backfill-installation-id.ts +5 -3
package/src/workspace/migrations/020-rename-oauth-skill-dirs.ts +119 -0
package/src/workspace/migrations/registry.ts +2 -0
package/src/cli/commands/oauth/connections.ts +0 -255
package/src/oauth/provider-behaviors.ts +0 -634

package/src/cli/commands/oauth/__tests__/providers-delete.test.ts ADDED Viewed

@@ -0,0 +1,574 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+import { Command } from "commander";
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+let mockGetProvider: (
+  key: string,
+) => Record<string, unknown> | undefined = () => undefined;
+let mockDeleteProviderResult = false;
+let mockListAppsResult: Array<Record<string, unknown>> = [];
+let mockListConnectionsResult: Array<Record<string, unknown>> = [];
+let mockDeleteAppCalls: string[] = [];
+let mockDeleteAppResult = true;
+let mockDisconnectCalls: Array<{
+  providerKey: string;
+  clientId: string | undefined;
+  connectionId: string | undefined;
+}> = [];
+let mockDisconnectResult: "disconnected" | "not-found" | "error" =
+  "disconnected";
+let mockDeleteConnectionCalls: Array<string | number> = [];
+let mockSeededProviderKeys = new Set<string>(["google", "slack", "github"]);
+let mockLogInfoCalls: string[] = [];
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+mock.module("../../../../config/loader.js", () => ({
+  getConfig: () => ({ services: {} }),
+  loadConfig: () => ({ services: {} }),
+  API_KEY_PROVIDERS: [],
+}));
+mock.module("../../../../oauth/oauth-store.js", () => ({
+  getProvider: (key: string) => mockGetProvider(key),
+  deleteProvider: () => mockDeleteProviderResult,
+  listApps: () => mockListAppsResult,
+  listConnections: (providerKey?: string) => {
+    if (providerKey) {
+      return mockListConnectionsResult.filter(
+        (c) => c.providerKey === providerKey,
+      );
+    }
+    return mockListConnectionsResult;
+  },
+  deleteApp: async (id: string) => {
+    mockDeleteAppCalls.push(id);
+    return mockDeleteAppResult;
+  },
+  disconnectOAuthProvider: async (
+    providerKey: string,
+    clientId?: string,
+    connectionId?: string,
+  ) => {
+    mockDisconnectCalls.push({ providerKey, clientId, connectionId });
+    return mockDisconnectResult;
+  },
+  listProviders: () => [],
+  registerProvider: () => ({}),
+  seedProviders: () => {},
+  upsertApp: async () => ({}),
+  getApp: () => undefined,
+  getAppByProviderAndClientId: () => undefined,
+  getMostRecentAppByProvider: () => undefined,
+  createConnection: () => ({}),
+  updateConnection: () => ({}),
+  getConnection: () => undefined,
+  getActiveConnection: () => undefined,
+  getConnectionByProvider: () => undefined,
+  listActiveConnectionsByProvider: () => [],
+  isProviderConnected: () => false,
+  deleteConnection: (id: string | number) => {
+    mockDeleteConnectionCalls.push(id);
+    return true;
+  },
+}));
+mock.module("../../../../oauth/seed-providers.js", () => ({
+  SEEDED_PROVIDER_KEYS: mockSeededProviderKeys,
+  seedOAuthProviders: () => {},
+}));
+mock.module("../../../../inbound/public-ingress-urls.js", () => ({
+  getOAuthCallbackUrl: () => null,
+}));
+mock.module("../../../../util/logger.js", () => ({
+  getLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+  getCliLogger: () => ({
+    info: (msg: string) => {
+      mockLogInfoCalls.push(msg);
+    },
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+}));
+// ---------------------------------------------------------------------------
+// Import module under test (after mocks are registered)
+// ---------------------------------------------------------------------------
+const { registerProviderCommands } = await import("../providers.js");
+// ---------------------------------------------------------------------------
+// Test helper
+// ---------------------------------------------------------------------------
+async function runCommand(
+  args: string[],
+): Promise<{ stdout: string; exitCode: number }> {
+  const originalStdoutWrite = process.stdout.write.bind(process.stdout);
+  const originalStderrWrite = process.stderr.write.bind(process.stderr);
+  const stdoutChunks: string[] = [];
+  process.stdout.write = ((chunk: unknown) => {
+    stdoutChunks.push(typeof chunk === "string" ? chunk : String(chunk));
+    return true;
+  }) as typeof process.stdout.write;
+  process.stderr.write = (() => true) as typeof process.stderr.write;
+  process.exitCode = 0;
+  try {
+    const program = new Command();
+    program.exitOverride();
+    program.option("--json", "JSON output");
+    program.configureOutput({
+      writeErr: () => {},
+      writeOut: (str: string) => stdoutChunks.push(str),
+    });
+    registerProviderCommands(program);
+    await program.parseAsync(["node", "assistant", ...args]);
+  } catch {
+    if (process.exitCode === 0) process.exitCode = 1;
+  } finally {
+    process.stdout.write = originalStdoutWrite;
+    process.stderr.write = originalStderrWrite;
+  }
+  const exitCode = process.exitCode ?? 0;
+  process.exitCode = 0;
+  return { exitCode, stdout: stdoutChunks.join("") };
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("assistant oauth providers delete", () => {
+  beforeEach(() => {
+    mockGetProvider = () => undefined;
+    mockDeleteProviderResult = true;
+    mockListAppsResult = [];
+    mockListConnectionsResult = [];
+    mockDeleteAppCalls = [];
+    mockDeleteAppResult = true;
+    mockDisconnectCalls = [];
+    mockDisconnectResult = "disconnected";
+    mockDeleteConnectionCalls = [];
+    mockSeededProviderKeys = new Set(["google", "slack", "github"]);
+    mockLogInfoCalls = [];
+    process.exitCode = 0;
+  });
+  // -------------------------------------------------------------------------
+  // Provider not found
+  // -------------------------------------------------------------------------
+  test("provider not found returns exit code 1 with actionable error", async () => {
+    mockGetProvider = () => undefined;
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "nonexistent",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("not found");
+    expect(parsed.error).toContain("nonexistent");
+    expect(parsed.error).toContain("providers list");
+  });
+  // -------------------------------------------------------------------------
+  // Provider with dependents, no --force
+  // -------------------------------------------------------------------------
+  test("provider with dependents and no --force returns exit code 1 with counts", async () => {
+    mockGetProvider = (key) =>
+      key === "custom-api"
+        ? { providerKey: "custom-api", authUrl: "https://example.com/auth" }
+        : undefined;
+    mockListAppsResult = [
+      {
+        id: "app-1",
+        providerKey: "custom-api",
+        clientId: "c1",
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      },
+      {
+        id: "app-2",
+        providerKey: "custom-api",
+        clientId: "c2",
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      },
+    ];
+    mockListConnectionsResult = [
+      {
+        id: "conn-1",
+        providerKey: "custom-api",
+        oauthAppId: "app-1",
+        status: "active",
+      },
+      {
+        id: "conn-2",
+        providerKey: "custom-api",
+        oauthAppId: "app-1",
+        status: "active",
+      },
+      {
+        id: "conn-3",
+        providerKey: "custom-api",
+        oauthAppId: "app-2",
+        status: "active",
+      },
+    ];
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "custom-api",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("2 app(s)");
+    expect(parsed.error).toContain("3 connection(s)");
+    expect(parsed.error).toContain("--force");
+  });
+  // -------------------------------------------------------------------------
+  // Provider with dependents, --force
+  // -------------------------------------------------------------------------
+  test("provider with dependents and --force cascades deletion and returns summary", async () => {
+    mockGetProvider = (key) =>
+      key === "custom-api"
+        ? { providerKey: "custom-api", authUrl: "https://example.com/auth" }
+        : undefined;
+    mockListAppsResult = [
+      {
+        id: "app-1",
+        providerKey: "custom-api",
+        clientId: "c1",
+        clientSecretCredentialPath: "cred/app-1",
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      },
+      {
+        id: "app-other",
+        providerKey: "other-provider",
+        clientId: "c3",
+        clientSecretCredentialPath: "cred/app-other",
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      },
+    ];
+    mockListConnectionsResult = [
+      {
+        id: "conn-1",
+        providerKey: "custom-api",
+        oauthAppId: "app-1",
+        status: "active",
+      },
+      {
+        id: "conn-2",
+        providerKey: "custom-api",
+        oauthAppId: "app-1",
+        status: "active",
+      },
+    ];
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "custom-api",
+      "--force",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.deleted.provider).toBe(1);
+    expect(parsed.deleted.apps).toBe(1); // Only custom-api apps, not other-provider
+    expect(parsed.deleted.connections).toBe(2);
+    // Verify disconnectOAuthProvider was called for each connection
+    expect(mockDisconnectCalls).toEqual([
+      {
+        providerKey: "custom-api",
+        clientId: undefined,
+        connectionId: "conn-1",
+      },
+      {
+        providerKey: "custom-api",
+        clientId: undefined,
+        connectionId: "conn-2",
+      },
+    ]);
+    // Verify only matching apps were deleted (not app-other)
+    expect(mockDeleteAppCalls).toEqual(["app-1"]);
+  });
+  // -------------------------------------------------------------------------
+  // Provider with no dependents, no --force
+  // -------------------------------------------------------------------------
+  test("provider with no dependents and no --force deletes cleanly", async () => {
+    mockGetProvider = (key) =>
+      key === "custom-api"
+        ? { providerKey: "custom-api", authUrl: "https://example.com/auth" }
+        : undefined;
+    mockListAppsResult = [];
+    mockListConnectionsResult = [];
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "custom-api",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.deleted.provider).toBe(1);
+    expect(parsed.deleted.apps).toBe(0);
+    expect(parsed.deleted.connections).toBe(0);
+    // No cascade deletes should have happened
+    expect(mockDisconnectCalls).toHaveLength(0);
+    expect(mockDeleteAppCalls).toHaveLength(0);
+  });
+  // -------------------------------------------------------------------------
+  // Built-in provider with --force logs warning
+  // -------------------------------------------------------------------------
+  test("built-in provider with --force succeeds and logs warning about re-creation", async () => {
+    mockGetProvider = (key) =>
+      key === "google"
+        ? { providerKey: "google", authUrl: "https://accounts.google.com" }
+        : undefined;
+    mockListAppsResult = [
+      {
+        id: "app-g",
+        providerKey: "google",
+        clientId: "goog-client",
+        clientSecretCredentialPath: "cred/app-g",
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      },
+    ];
+    mockListConnectionsResult = [
+      {
+        id: "conn-g",
+        providerKey: "google",
+        oauthAppId: "app-g",
+        status: "active",
+      },
+    ];
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "google",
+      "--force",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.deleted.provider).toBe(1);
+    expect(parsed.deleted.apps).toBe(1);
+    expect(parsed.deleted.connections).toBe(1);
+    // Should have logged a warning about re-creation
+    const warningLogged = mockLogInfoCalls.some(
+      (msg) => msg.includes("built-in") && msg.includes("re-created"),
+    );
+    expect(warningLogged).toBe(true);
+  });
+  // -------------------------------------------------------------------------
+  // Built-in provider without --force and no dependents logs warning
+  // -------------------------------------------------------------------------
+  test("built-in provider without --force and no dependents logs warning and deletes", async () => {
+    mockGetProvider = (key) =>
+      key === "google"
+        ? { providerKey: "google", authUrl: "https://accounts.google.com" }
+        : undefined;
+    mockListAppsResult = [];
+    mockListConnectionsResult = [];
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.deleted.provider).toBe(1);
+    // Should have logged a warning about re-creation
+    const warningLogged = mockLogInfoCalls.some(
+      (msg) => msg.includes("built-in") && msg.includes("re-created"),
+    );
+    expect(warningLogged).toBe(true);
+  });
+  // -------------------------------------------------------------------------
+  // Token cleanup error is logged but does not abort cascade
+  // -------------------------------------------------------------------------
+  test("token cleanup error logs warning but continues cascade delete", async () => {
+    mockGetProvider = (key) =>
+      key === "custom-api"
+        ? { providerKey: "custom-api", authUrl: "https://example.com/auth" }
+        : undefined;
+    mockListAppsResult = [
+      {
+        id: "app-1",
+        providerKey: "custom-api",
+        clientId: "c1",
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      },
+    ];
+    mockListConnectionsResult = [
+      {
+        id: "conn-1",
+        providerKey: "custom-api",
+        oauthAppId: "app-1",
+        status: "active",
+      },
+    ];
+    // Simulate token cleanup failure
+    mockDisconnectResult = "error";
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "custom-api",
+      "--force",
+      "--json",
+    ]);
+    // Should still succeed despite token cleanup error
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    expect(parsed.deleted.provider).toBe(1);
+    expect(parsed.deleted.connections).toBe(1);
+    // Should have logged a warning about the token cleanup failure
+    const warningLogged = mockLogInfoCalls.some(
+      (msg) =>
+        msg.includes("failed to clean up tokens") && msg.includes("conn-1"),
+    );
+    expect(warningLogged).toBe(true);
+    // Should have called deleteConnection as a fallback
+    expect(mockDeleteConnectionCalls).toEqual(["conn-1"]);
+  });
+  // -------------------------------------------------------------------------
+  // Token cleanup error falls back to deleteConnection
+  // -------------------------------------------------------------------------
+  test("token cleanup error calls deleteConnection as fallback to avoid FK violation", async () => {
+    mockGetProvider = (key) =>
+      key === "custom-api"
+        ? { providerKey: "custom-api", authUrl: "https://example.com/auth" }
+        : undefined;
+    mockListAppsResult = [
+      {
+        id: "app-1",
+        providerKey: "custom-api",
+        clientId: "c1",
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      },
+    ];
+    mockListConnectionsResult = [
+      {
+        id: "conn-1",
+        providerKey: "custom-api",
+        oauthAppId: "app-1",
+        status: "active",
+      },
+      {
+        id: "conn-2",
+        providerKey: "custom-api",
+        oauthAppId: "app-1",
+        status: "active",
+      },
+    ];
+    // Simulate token cleanup failure for all connections
+    mockDisconnectResult = "error";
+    const { exitCode, stdout } = await runCommand([
+      "providers",
+      "delete",
+      "custom-api",
+      "--force",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(true);
+    // Both disconnectOAuthProvider calls should have been made
+    expect(mockDisconnectCalls).toHaveLength(2);
+    expect(mockDisconnectCalls[0]!.connectionId).toBe("conn-1");
+    expect(mockDisconnectCalls[1]!.connectionId).toBe("conn-2");
+    // Both should have fallen back to deleteConnection
+    expect(mockDeleteConnectionCalls).toEqual(["conn-1", "conn-2"]);
+    // Apps should still have been deleted after connections were cleaned up
+    expect(mockDeleteAppCalls).toEqual(["app-1"]);
+  });
+});