@vellumai/assistant 0.5.11 → 0.5.13

package/src/cli/commands/oauth/apps.ts

@@ -9,10 +9,33 @@ import {
   upsertApp,
 } from "../../../oauth/oauth-store.js";
 import { credentialKey } from "../../../security/credential-key.js";
-import { getCredentialMetadata } from "../../../tools/credentials/metadata-store.js";
 import { getCliLogger } from "../../logger.js";
 import { shouldOutputJson, writeOutput } from "../../output.js";
 
+/**
+ * Resolve a credential path input to its full internal format.
+ *
+ * The primary input format is `service:field` (e.g. `google:client_secret`),
+ * which is split on the **last** colon and expanded to `credential/{service}/{field}`.
+ *
+ * Full internal paths (`credential/…` or `oauth_app/…`) are also accepted
+ * and returned as-is for backwards compatibility.
+ */
+function resolveCredentialPath(input: string): string {
+  if (input.startsWith("credential/") || input.startsWith("oauth_app/")) {
+    return input;
+  }
+
+  const lastColon = input.lastIndexOf(":");
+  if (lastColon < 1 || lastColon === input.length - 1) {
+    return input;
+  }
+
+  const service = input.slice(0, lastColon);
+  const field = input.slice(lastColon + 1);
+  return credentialKey(service, field);
+}
+
 const log = getCliLogger("cli");
 
 /** Format an app row for output, converting timestamps to ISO strings. */
@@ -35,20 +58,22 @@ function formatAppRow(row: {
 export function registerAppCommands(oauth: Command): void {
   const apps = oauth
     .command("apps")
-    .description("Manage OAuth app registrations (client IDs and secrets)");
+    .description("Manage custom OAuth app registrations");
 
   apps.addHelpText(
     "after",
     `
-Apps represent OAuth client registrations — a client_id and optional
+Apps represent custom OAuth client registrations — a client_id and optional
 client_secret linked to a provider. Each provider can have multiple apps
-(e.g. different client IDs for different environments).
+(e.g. different client IDs for different environments). Only needed if using
+a provider with a mode of "your-own" set.
 
 Examples:
   $ assistant oauth apps list
+  $ assistant oauth apps list --provider-key google
   $ assistant oauth apps get --id <uuid>
-  $ assistant oauth apps get --provider integration:google
-  $ assistant oauth apps upsert --provider integration:google --client-id abc123
+  $ assistant oauth apps get --provider google
+  $ assistant oauth apps upsert --provider google --client-id abc123
   $ assistant oauth apps delete <id>`,
   );
 
@@ -59,22 +84,34 @@ Examples:
   apps
     .command("list")
     .description("List all OAuth app registrations")
+    .option(
+      "--provider-key <key>",
+      "Filter by provider key (exact match). Only apps associated with this provider are returned. Run 'assistant oauth providers list' to see available keys.",
+    )
     .addHelpText(
       "after",
       `
-Returns all registered OAuth apps with their provider key, client ID, and
+Returns registered OAuth apps with their provider key, client ID, and
 timestamps. Output is an array of app objects.
 
+When --provider-key is specified, only apps whose providerKey exactly matches
+the given value are returned. Without the flag, all apps are listed.
+
 In JSON mode (--json), returns the array directly. In human mode, logs a
 summary count and prints the formatted list.
 
 Examples:
   $ assistant oauth apps list
-  $ assistant oauth apps list --json`,
+  $ assistant oauth apps list --provider-key google
+  $ assistant oauth apps list --provider-key slack --json`,
     )
-    .action((_opts: unknown, cmd: Command) => {
+    .action((opts: { providerKey?: string }, cmd: Command) => {
       try {
-        const rows = listApps().map(formatAppRow);
+        let rows = listApps().map(formatAppRow);
+
+        if (opts.providerKey) {
+          rows = rows.filter((r) => r.providerKey === opts.providerKey);
+        }
 
         if (!shouldOutputJson(cmd)) {
           log.info(`Found ${rows.length} app(s)`);
@@ -100,7 +137,7 @@ Examples:
     .option("--id <id>", "App ID (UUID) from 'assistant oauth apps list'")
     .option(
       "--provider <key>",
-      "Provider key (e.g. integration:google) from 'assistant oauth providers list'",
+      "Provider key (e.g. google) from 'assistant oauth providers list'",
     )
     .option(
       "--client-id <id>",
@@ -115,10 +152,10 @@ Three lookup modes are supported:
      $ assistant oauth apps get --id <uuid>
 
   2. By provider + client ID (exact match):
-     $ assistant oauth apps get --provider integration:google --client-id abc123
+     $ assistant oauth apps get --provider google --client-id abc123
 
   3. By provider only (returns the most recently created app):
-     $ assistant oauth apps get --provider integration:google
+     $ assistant oauth apps get --provider google
 
 At least --id or --provider must be specified.`,
     )
@@ -178,7 +215,7 @@ At least --id or --provider must be specified.`,
     .description("Create or return an existing OAuth app registration")
     .requiredOption(
       "--provider <key>",
-      "Provider key (e.g. integration:google) from 'assistant oauth providers list'",
+      "Provider key (e.g. google) from 'assistant oauth providers list'",
     )
     .requiredOption(
       "--client-id <id>",
@@ -190,7 +227,7 @@ At least --id or --provider must be specified.`,
     )
     .option(
       "--client-secret-credential-path <path>",
-      "Path to an existing client secret in the credential store (mutually exclusive with --client-secret)",
+      "Credential reference in service:field format (e.g. google:client_secret). Mutually exclusive with --client-secret.",
     )
     .addHelpText(
       "after",
@@ -206,17 +243,14 @@ You can supply the client secret directly via --client-secret, or reference an
 existing credential in the store via --client-secret-credential-path. These two
 options are mutually exclusive — providing both is an error.
 
-The --client-secret-credential-path accepts two formats:
-  1. Full credential path: "credential/integration:google/client_secret"
-  2. Short name (service:field): "integration:google:client_secret"
-     Resolved via the metadata store by splitting on the last colon.
+The --client-secret-credential-path takes a \`service:field\` reference
+(e.g. \`google:client_secret\`).
 
 Examples:
-  $ assistant oauth apps upsert --provider integration:google --client-id abc123
-  $ assistant oauth apps upsert --provider integration:slack --client-id def456 --client-secret s3cret
-  $ assistant oauth apps upsert --provider integration:slack --client-id def456 --client-secret-credential-path "credential/integration:slack/client_secret"
-  $ assistant oauth apps upsert --provider integration:slack --client-id def456 --client-secret-credential-path "integration:slack:client_secret"
-  $ assistant oauth apps upsert --provider integration:google --client-id abc123 --json`,
+  $ assistant oauth apps upsert --provider google --client-id abc123
+  $ assistant oauth apps upsert --provider slack --client-id def456 --client-secret s3cret
+  $ assistant oauth apps upsert --provider slack --client-id def456 --client-secret-credential-path "slack:client_secret"
+  $ assistant oauth apps upsert --provider google --client-id abc123 --json`,
     )
     .action(
       async (
@@ -239,28 +273,13 @@ Examples:
             return;
           }
 
-          let resolvedCredentialPath = opts.clientSecretCredentialPath;
-          if (
-            resolvedCredentialPath &&
-            !resolvedCredentialPath.startsWith("credential/")
-          ) {
-            // Attempt to interpret as a credential key — split on the LAST colon to get service/field
-            const lastColon = resolvedCredentialPath.lastIndexOf(":");
-            if (lastColon > 0) {
-              const asService = resolvedCredentialPath.slice(0, lastColon);
-              const asField = resolvedCredentialPath.slice(lastColon + 1);
-              // If a credential exists in metadata with these coordinates, resolve it
-              const meta = getCredentialMetadata(asService, asField);
-              if (meta) {
-                resolvedCredentialPath = credentialKey(asService, asField);
-              }
-            }
-          }
-
+          const resolvedPath = opts.clientSecretCredentialPath
+            ? resolveCredentialPath(opts.clientSecretCredentialPath)
+            : undefined;
           const clientSecretOpts = opts.clientSecret
             ? { clientSecretValue: opts.clientSecret }
-            : resolvedCredentialPath
-              ? { clientSecretCredentialPath: resolvedCredentialPath }
+            : resolvedPath
+              ? { clientSecretCredentialPath: resolvedPath }
               : undefined;
           const row = await upsertApp(
             opts.provider,