npm - @vellumai/assistant - Versions diffs - 0.5.11 → 0.5.13 - Mend

@vellumai/assistant 0.5.11 → 0.5.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/Dockerfile +42 -9
package/docs/architecture/integrations.md +34 -32
package/node_modules/@vellumai/ces-contracts/src/__tests__/grants.test.ts +7 -7
package/node_modules/@vellumai/ces-contracts/src/handles.ts +5 -4
package/node_modules/@vellumai/ces-contracts/src/index.ts +7 -0
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +5 -0
package/node_modules/@vellumai/credential-storage/src/index.ts +1 -1
package/openapi.yaml +87 -9
package/package.json +1 -1
package/src/__tests__/catalog-cache.test.ts +164 -0
package/src/__tests__/catalog-search.test.ts +61 -0
package/src/__tests__/cli-command-risk-guard.test.ts +181 -6
package/src/__tests__/conversation-delete-schedule-cleanup.test.ts +396 -0
package/src/__tests__/conversation-error.test.ts +3 -2
package/src/__tests__/credential-security-invariants.test.ts +9 -15
package/src/__tests__/credential-vault-unit.test.ts +32 -34
package/src/__tests__/credential-vault.test.ts +25 -33
package/src/__tests__/credentials-cli.test.ts +3 -3
package/src/__tests__/daemon-credential-client.test.ts +2 -2
package/src/__tests__/first-greeting.test.ts +7 -0
package/src/__tests__/host-bash-proxy.test.ts +79 -0
package/src/__tests__/host-cu-proxy.test.ts +90 -0
package/src/__tests__/host-file-proxy.test.ts +89 -0
package/src/__tests__/integration-status.test.ts +5 -5
package/src/__tests__/list-messages-attachments.test.ts +171 -0
package/src/__tests__/mcp-abort-signal.test.ts +205 -0
package/src/__tests__/messaging-send-tool.test.ts +5 -5
package/src/__tests__/navigate-settings-tab.test.ts +6 -2
package/src/__tests__/notification-telegram-adapter.test.ts +125 -0
package/src/__tests__/oauth-cli.test.ts +126 -119
package/src/__tests__/oauth-provider-profiles.test.ts +55 -20
package/src/__tests__/oauth-scope-policy.test.ts +4 -6
package/src/__tests__/onboarding-template-contract.test.ts +2 -2
package/src/__tests__/platform.test.ts +3 -168
package/src/__tests__/secret-routes-managed-proxy.test.ts +78 -0
package/src/__tests__/secure-keys-managed-failover.test.ts +73 -0
package/src/__tests__/skill-feature-flags.test.ts +8 -0
package/src/__tests__/skill-secret-handling-guard.test.ts +212 -0
package/src/__tests__/skills-uninstall.test.ts +2 -2
package/src/__tests__/slack-messaging-token-resolution.test.ts +22 -24
package/src/__tests__/slack-share-routes.test.ts +5 -5
package/src/__tests__/system-prompt.test.ts +39 -0
package/src/__tests__/token-estimator-accuracy.benchmark.test.ts +1 -1
package/src/__tests__/workspace-migration-backfill-installation-id.test.ts +5 -4
package/src/cli/AGENTS.md +47 -7
package/src/cli/commands/browser-relay.ts +2 -17
package/src/cli/commands/contacts.ts +6 -4
package/src/cli/commands/conversations.ts +13 -1
package/src/cli/commands/credential-execution.ts +16 -1
package/src/cli/commands/credentials.ts +2 -8
package/src/cli/commands/oauth/__tests__/connect.test.ts +29 -108
package/src/cli/commands/oauth/__tests__/disconnect.test.ts +13 -87
package/src/cli/commands/oauth/__tests__/mode.test.ts +22 -69
package/src/cli/commands/oauth/__tests__/ping.test.ts +20 -79
package/src/cli/commands/oauth/__tests__/providers-delete.test.ts +574 -0
package/src/cli/commands/oauth/__tests__/providers-update.test.ts +416 -0
package/src/cli/commands/oauth/__tests__/status.test.ts +12 -40
package/src/cli/commands/oauth/__tests__/token.test.ts +3 -50
package/src/cli/commands/oauth/apps.ts +63 -44
package/src/cli/commands/oauth/connect.ts +187 -155
package/src/cli/commands/oauth/disconnect.ts +27 -75
package/src/cli/commands/oauth/index.ts +36 -46
package/src/cli/commands/oauth/mode.ts +22 -34
package/src/cli/commands/oauth/ping.ts +19 -45
package/src/cli/commands/oauth/providers.ts +569 -62
package/src/cli/commands/oauth/request.ts +36 -48
package/src/cli/commands/oauth/shared.ts +1 -19
package/src/cli/commands/oauth/status.ts +14 -25
package/src/cli/commands/oauth/token.ts +25 -34
package/src/cli/commands/platform/__tests__/connect.test.ts +224 -0
package/src/cli/commands/platform/__tests__/disconnect.test.ts +237 -0
package/src/cli/commands/platform/__tests__/status.test.ts +246 -0
package/src/cli/commands/platform/connect.ts +104 -0
package/src/cli/commands/platform/disconnect.ts +118 -0
package/src/cli/commands/{platform.ts → platform/index.ts} +108 -38
package/src/cli/commands/sequence.ts +5 -4
package/src/cli/commands/shotgun.ts +16 -0
package/src/cli/commands/skills.ts +173 -41
package/src/cli/commands/usage.ts +5 -11
package/src/cli/lib/daemon-credential-client.ts +22 -38
package/src/cli/program.ts +1 -1
package/src/config/assistant-feature-flags.ts +3 -7
package/src/config/bundled-skills/contacts/tools/google-contacts.ts +1 -1
package/src/config/bundled-skills/conversations/SKILL.md +20 -0
package/src/config/bundled-skills/conversations/TOOLS.json +23 -0
package/src/config/bundled-skills/conversations/tools/rename-conversation.ts +66 -0
package/src/config/bundled-skills/gmail/SKILL.md +13 -13
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +3 -3
package/src/config/bundled-skills/gmail/tools/gmail-attachments.ts +2 -2
package/src/config/bundled-skills/gmail/tools/gmail-draft.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-filters.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-follow-up.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-forward.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-label.ts +2 -2
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-send-draft.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-trash.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-vacation.ts +1 -1
package/src/config/bundled-skills/google-calendar/SKILL.md +10 -4
package/src/config/bundled-skills/google-calendar/tools/shared.ts +1 -1
package/src/config/bundled-skills/messaging/SKILL.md +7 -7
package/src/config/bundled-skills/messaging/tools/messaging-send.ts +5 -2
package/src/config/bundled-skills/messaging/tools/shared.ts +5 -6
package/src/config/bundled-skills/settings/TOOLS.json +5 -3
package/src/config/bundled-skills/settings/tools/navigate-settings-tab.ts +4 -2
package/src/config/bundled-tool-registry.ts +5 -0
package/src/config/feature-flag-registry.json +2 -2
package/src/credential-execution/client.ts +15 -3
package/src/daemon/conversation-agent-loop.ts +2 -0
package/src/daemon/conversation-error.ts +36 -6
package/src/daemon/conversation-messaging.ts +9 -0
package/src/daemon/conversation-runtime-assembly.ts +33 -0
package/src/daemon/conversation-surfaces.ts +120 -14
package/src/daemon/conversation.ts +5 -0
package/src/daemon/first-greeting.ts +6 -1
package/src/daemon/handlers/skills.ts +148 -3
package/src/daemon/host-bash-proxy.ts +16 -0
package/src/daemon/host-cu-proxy.ts +16 -0
package/src/daemon/host-file-proxy.ts +16 -0
package/src/daemon/lifecycle.ts +56 -5
package/src/daemon/message-types/conversations.ts +1 -0
package/src/daemon/message-types/guardian-actions.ts +2 -0
package/src/daemon/message-types/host-bash.ts +6 -1
package/src/daemon/message-types/host-cu.ts +6 -1
package/src/daemon/message-types/host-file.ts +6 -1
package/src/daemon/message-types/integrations.ts +0 -1
package/src/daemon/server.ts +29 -2
package/src/hooks/cli.ts +74 -0
package/src/inbound/platform-callback-registration.ts +7 -12
package/src/index.ts +0 -12
package/src/mcp/client.ts +6 -1
package/src/mcp/manager.ts +2 -1
package/src/memory/conversation-crud.ts +92 -3
package/src/memory/conversation-key-store.ts +26 -0
package/src/memory/conversation-queries.ts +6 -6
package/src/memory/db-init.ts +16 -0
package/src/memory/journal-memory.ts +8 -2
package/src/memory/migrations/196-messages-conversation-created-at-index.ts +9 -0
package/src/memory/migrations/196-strip-integration-prefix-from-provider-keys.ts +186 -0
package/src/memory/migrations/197-oauth-providers-behavior-columns.ts +29 -0
package/src/memory/migrations/198-drop-setup-skill-id-column.ts +11 -0
package/src/memory/migrations/index.ts +4 -0
package/src/memory/migrations/registry.ts +8 -0
package/src/memory/schema/oauth.ts +11 -0
package/src/messaging/provider.ts +13 -12
package/src/messaging/providers/gmail/adapter.ts +44 -35
package/src/messaging/providers/slack/adapter.ts +63 -33
package/src/messaging/providers/telegram-bot/adapter.ts +6 -8
package/src/messaging/providers/whatsapp/adapter.ts +6 -8
package/src/notifications/adapters/telegram.ts +78 -2
package/src/oauth/__tests__/identity-verifier.test.ts +464 -0
package/src/oauth/byo-connection.test.ts +22 -24
package/src/oauth/connect-orchestrator.ts +37 -76
package/src/oauth/connect-types.ts +7 -65
package/src/oauth/connection-resolver.test.ts +13 -13
package/src/oauth/connection-resolver.ts +3 -4
package/src/oauth/identity-verifier.ts +177 -0
package/src/oauth/oauth-store.ts +228 -3
package/src/oauth/platform-connection.test.ts +56 -6
package/src/oauth/platform-connection.ts +8 -1
package/src/oauth/seed-providers.ts +247 -34
package/src/permissions/checker.ts +127 -1
package/src/prompts/journal-context.ts +4 -1
package/src/prompts/system-prompt.ts +54 -9
package/src/prompts/templates/BOOTSTRAP.md +16 -5
package/src/providers/anthropic/client.ts +2 -33
package/src/runtime/guardian-action-service.ts +7 -2
package/src/runtime/http-server.ts +12 -18
package/src/runtime/http-types.ts +8 -1
package/src/runtime/migrations/rebind-secrets-screen.ts +2 -2
package/src/runtime/routes/conversation-management-routes.ts +31 -0
package/src/runtime/routes/conversation-routes.ts +79 -4
package/src/runtime/routes/guardian-action-routes.ts +15 -2
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -8
package/src/runtime/routes/integrations/slack/share.ts +1 -1
package/src/runtime/routes/oauth-apps.ts +2 -1
package/src/runtime/routes/secret-routes.ts +45 -15
package/src/runtime/routes/settings-routes.ts +12 -19
package/src/runtime/routes/skills-routes.ts +45 -4
package/src/schedule/integration-status.ts +2 -2
package/src/security/ces-rpc-credential-backend.ts +19 -16
package/src/security/oauth-completion-page.ts +153 -0
package/src/security/oauth2.ts +3 -17
package/src/security/secure-keys.ts +207 -7
package/src/security/token-manager.ts +3 -6
package/src/signals/bash.ts +6 -1
package/src/skills/catalog-cache.ts +44 -0
package/src/skills/catalog-search.ts +18 -0
package/src/tools/browser/browser-manager.ts +2 -2
package/src/tools/credentials/post-connect-hooks.ts +1 -1
package/src/tools/credentials/vault.ts +34 -45
package/src/tools/host-terminal/host-shell.ts +16 -3
package/src/tools/mcp/mcp-tool-factory.ts +2 -1
package/src/tools/skills/sandbox-runner.ts +16 -3
package/src/tools/terminal/shell.ts +16 -3
package/src/util/logger.ts +11 -1
package/src/util/platform.ts +1 -91
package/src/util/sentry-log-stream.ts +51 -0
package/src/watcher/providers/github.ts +2 -2
package/src/watcher/providers/gmail.ts +1 -1
package/src/watcher/providers/google-calendar.ts +1 -1
package/src/watcher/providers/linear.ts +2 -2
package/src/workspace/migrations/011-backfill-installation-id.ts +5 -3
package/src/workspace/migrations/020-rename-oauth-skill-dirs.ts +119 -0
package/src/workspace/migrations/registry.ts +2 -0
package/src/cli/commands/oauth/connections.ts +0 -255
package/src/oauth/provider-behaviors.ts +0 -634

package/src/cli/commands/oauth/disconnect.ts CHANGED Viewed

@@ -7,16 +7,12 @@ import {
   getProvider,
   listActiveConnectionsByProvider,
 } from "../../../oauth/oauth-store.js";
-import { deleteCredentialMetadata } from "../../../tools/credentials/metadata-store.js";
-import { deleteSecureKeyViaDaemon } from "../../lib/daemon-credential-client.js";
 import { getCliLogger } from "../../logger.js";
 import { shouldOutputJson, writeOutput } from "../../output.js";
 import {
   fetchActiveConnections,
   isManagedMode,
   requirePlatformClient,
-  resolveService,
-  toBareProvider,
 } from "./shared.js";
 const log = getCliLogger("cli");
@@ -29,7 +25,7 @@ export function registerDisconnectCommand(oauth: Command): void {
   oauth
     .command("disconnect <provider>")
     .description(
-      "Disconnect an OAuth provider and remove associated credentials (auto-detects managed vs BYO mode)",
+      "Disconnect an OAuth provider and remove associated credentials",
     )
     .option(
       "--account <identifier>",
@@ -40,25 +36,14 @@ export function registerDisconnectCommand(oauth: Command): void {
       "after",
       `
 Arguments:
-  provider   Provider name or key (e.g. google, integration:google, gmail).
+  provider   Provider name (e.g. google, slack, notion).
              Run 'assistant oauth providers list' to see available providers.
-Options:
-  --account          Recommended way to specify which connection to disconnect.
-                     Works for both managed and BYO modes. Use the account
-                     identifier shown by 'assistant oauth status <provider>'
-                     (e.g. an email address for Google).
-  --connection-id    Exact match on the connection ID shown by
-                     'assistant oauth status <provider>'. Useful when account
-                     labels are ambiguous or absent.
+At most one of --account or --connection-id may be specified. Use the values
+shown by 'assistant oauth status <provider>' to find the right identifier.
-  At most one of --account or --connection-id may be specified.
-Disambiguation:
-  When a provider has multiple active connections and neither --account nor
-  --connection-id is given, the command errors with a list of connections
-  (id + account label) and a hint to use --account or --connection-id.
-  Run 'assistant oauth status <provider>' to discover available values.
+When a provider has multiple active connections and neither flag is given,
+the command errors with a list of connections and a hint to disambiguate.
 Examples:
   $ assistant oauth disconnect google
@@ -84,11 +69,9 @@ Examples:
         try {
           // -------------------------------------------------------------------
-          // 1. Resolve + validate provider
+          // 1. Validate provider
           // -------------------------------------------------------------------
-          const providerKey = resolveService(provider);
-          const providerRow = getProvider(providerKey);
+          const providerRow = getProvider(provider);
           if (!providerRow) {
             writeError(
               `Unknown provider "${provider}".\n\n` +
@@ -112,7 +95,7 @@ Examples:
           // -------------------------------------------------------------------
           // 3. Detect mode
           // -------------------------------------------------------------------
-          const managed = isManagedMode(providerKey);
+          const managed = isManagedMode(provider);
           if (managed) {
             // -----------------------------------------------------------------
@@ -121,11 +104,7 @@ Examples:
             const client = await requirePlatformClient(cmd);
             if (!client) return;
-            const entries = await fetchActiveConnections(
-              client,
-              providerKey,
-              cmd,
-            );
+            const entries = await fetchActiveConnections(client, provider, cmd);
             if (!entries) return;
             let connectionId: string | undefined;
@@ -138,7 +117,7 @@ Examples:
               );
               if (matching.length === 0) {
                 writeError(
-                  `No active connection found for "${toBareProvider(providerKey)}" with account "${opts.account}".\n\n` +
+                  `No active connection found for "${provider}" with account "${opts.account}".\n\n` +
                     `Run 'assistant oauth status ${provider}' to see connected accounts.`,
                 );
                 return;
@@ -150,7 +129,7 @@ Examples:
               const match = entries.find((c) => c.id === opts.connectionId);
               if (!match) {
                 writeError(
-                  `Connection "${opts.connectionId}" is not an active ${toBareProvider(providerKey)} connection.\n\n` +
+                  `Connection "${opts.connectionId}" is not an active ${provider} connection.\n\n` +
                     `Run 'assistant oauth status ${provider}' to see active connections.`,
                 );
                 return;
@@ -161,7 +140,7 @@ Examples:
               // Neither specified — auto-resolve
               if (entries.length === 0) {
                 writeError(
-                  `No active connections found for "${toBareProvider(providerKey)}".\n\n` +
+                  `No active connections found for "${provider}".\n\n` +
                     `Run 'assistant oauth status ${provider}' to check connection status.`,
                 );
                 return;
@@ -173,7 +152,7 @@ Examples:
                   account: c.account_label ?? null,
                 }));
                 writeError(
-                  `Multiple active connections for "${toBareProvider(providerKey)}". ` +
+                  `Multiple active connections for "${provider}". ` +
                     `Specify which one to disconnect with --account or --connection-id.\n\n` +
                     `Run 'assistant oauth status ${provider}' to see connected accounts and IDs.`,
                   { connections: connectionList },
@@ -202,16 +181,14 @@ Examples:
             const result: Record<string, unknown> = {
               ok: true,
-              provider: providerKey,
+              provider: provider,
               connectionId,
             };
             if (accountLabel) result.account = accountLabel;
             writeOutput(cmd, result);
             if (!jsonMode) {
-              log.info(
-                `Disconnected ${providerKey} connection ${connectionId}`,
-              );
+              log.info(`Disconnected ${provider} connection ${connectionId}`);
             }
           } else {
             // -----------------------------------------------------------------
@@ -221,12 +198,12 @@ Examples:
             let accountLabel: string | undefined;
             if (opts.account) {
-              const conn = getActiveConnection(providerKey, {
+              const conn = getActiveConnection(provider, {
                 account: opts.account,
               });
               if (!conn) {
                 writeError(
-                  `No active connection found for "${providerKey}" with account "${opts.account}".\n\n` +
+                  `No active connection found for "${provider}" with account "${opts.account}".\n\n` +
                     `Run 'assistant oauth status ${provider}' to see connected accounts.`,
                 );
                 return;
@@ -235,9 +212,9 @@ Examples:
               accountLabel = conn.accountInfo ?? undefined;
             } else if (opts.connectionId) {
               const conn = getConnection(opts.connectionId);
-              if (!conn || conn.providerKey !== providerKey) {
+              if (!conn || conn.providerKey !== provider) {
                 writeError(
-                  `Connection "${opts.connectionId}" is not an active ${providerKey} connection.\n\n` +
+                  `Connection "${opts.connectionId}" is not an active ${provider} connection.\n\n` +
                     `Run 'assistant oauth status ${provider}' to see active connections.`,
                 );
                 return;
@@ -246,11 +223,11 @@ Examples:
               accountLabel = conn.accountInfo ?? undefined;
             } else {
               // Neither specified — auto-resolve
-              const active = listActiveConnectionsByProvider(providerKey);
+              const active = listActiveConnectionsByProvider(provider);
               if (active.length === 0) {
                 writeError(
-                  `No active connections found for "${providerKey}".\n\n` +
+                  `No active connections found for "${provider}".\n\n` +
                     `Run 'assistant oauth status ${provider}' to check connection status.`,
                 );
                 return;
@@ -262,7 +239,7 @@ Examples:
                   account: c.accountInfo ?? null,
                 }));
                 writeError(
-                  `Multiple active connections for "${providerKey}". ` +
+                  `Multiple active connections for "${provider}". ` +
                     `Specify which one to disconnect with --account or --connection-id.\n\n` +
                     `Run 'assistant oauth status ${provider}' to see connected accounts and IDs.`,
                   { connections: connectionList },
@@ -276,52 +253,27 @@ Examples:
             // Disconnect the OAuth connection (tokens + connection row)
             const oauthResult = await disconnectOAuthProvider(
-              providerKey,
+              provider,
               undefined,
               connectionId,
             );
             if (oauthResult === "error") {
               writeError(
-                `Failed to disconnect OAuth provider "${providerKey}" — please try again.`,
+                `Failed to disconnect OAuth provider "${provider}" — please try again.`,
               );
               return;
             }
-            // Clean up legacy credential keys
-            const legacyFields = [
-              "access_token",
-              "refresh_token",
-              "client_id",
-              "client_secret",
-            ];
-            for (const field of legacyFields) {
-              try {
-                await deleteSecureKeyViaDaemon(
-                  "credential",
-                  `${providerKey}:${field}`,
-                );
-              } catch {
-                // Best-effort cleanup — ignore failures
-              }
-              try {
-                deleteCredentialMetadata(providerKey, field);
-              } catch {
-                // Best-effort cleanup — ignore failures
-              }
-            }
             const result: Record<string, unknown> = {
               ok: true,
-              provider: providerKey,
+              provider: provider,
               connectionId,
             };
             if (accountLabel) result.account = accountLabel;
             writeOutput(cmd, result);
             if (!jsonMode) {
-              log.info(
-                `Disconnected ${providerKey} connection ${connectionId}`,
-              );
+              log.info(`Disconnected ${provider} connection ${connectionId}`);
             }
           }
         } catch (err) {

package/src/cli/commands/oauth/index.ts CHANGED Viewed

@@ -2,7 +2,6 @@ import type { Command } from "commander";
 import { registerAppCommands } from "./apps.js";
 import { registerConnectCommand } from "./connect.js";
-import { registerConnectionCommands } from "./connections.js";
 import { registerDisconnectCommand } from "./disconnect.js";
 import { registerModeCommand } from "./mode.js";
 import { registerPingCommand } from "./ping.js";
@@ -14,39 +13,36 @@ import { registerTokenCommand } from "./token.js";
 export function registerOAuthCommand(program: Command): void {
   const oauth = program
     .command("oauth")
-    .description("Manage OAuth providers, apps, connections, and tokens")
+    .description(
+      "Manage the full OAuth lifecycle — registering providers, creating apps, connecting accounts, and making authenticated requests",
+    )
     .option("--json", "Machine-readable compact JSON output");
   oauth.addHelpText(
     "after",
     `
-The oauth command group manages the full OAuth lifecycle:
-  connect     Initiate an OAuth flow for a provider (managed or BYO)
-  disconnect  Disconnect an OAuth provider
-  status      Show OAuth connection status for a provider
-  mode        Get or set OAuth mode (managed vs your-own) for a provider
-  token       Print a valid OAuth access token (BYO providers only)
-  ping        Verify an OAuth token is valid by hitting the provider's health-check endpoint
-  request     Make authenticated HTTP requests (curl-like interface)
-  providers   Protocol-level configurations (auth URLs, scopes, endpoints)
-  apps        Client credentials (client ID / secret pairs)
-  connections Active token grants per provider (list, get)
-Providers are seeded on startup for built-in integrations. Apps and connections
-are created during the OAuth authorization flow or can be managed manually via
-their respective subcommands.
+OAuth providers may support up to two modes – "managed" and "your-own".
+  managed:
+    Requires a Vellum Platform account. For providers that support it, managed mode offloads the burden of needing to create and register an oauth app.
+    Vellum Platform manages oauth token management and refresh and proxies requests to the provier.
+  you-own:
+    Provides ultimate control and removes dependency on Vellum Platform, but requires that you set up your own oauth app and register it
+    via \`assistant oauth apps upsert\`.
+All commands are intended to work regardless of the provider's mode. Check and set the mode for a given provider with \`assistant oauth mode\`.
+You can define entirely new oauth providers to integrate with even if they do not show up using \`assistant oauth providers list\` using
+\`assistant oauth providers register\`. Custom-registered providers only support "your-own" mode.
 Examples:
-  $ assistant oauth connect google --open-browser
-  $ assistant oauth status google
-  $ assistant oauth ping google
-  $ assistant oauth disconnect google
-  $ assistant oauth request --provider integration:google /gmail/v1/users/me/messages
-  $ assistant oauth request --provider integration:twitter -X POST -d '{"text":"Hello"}' https://api.x.com/2/tweets
-  $ assistant oauth token integration:twitter
-  $ assistant oauth providers list
-  $ assistant oauth providers get integration:google`,
+  assistant oauth providers list
+  assistant oauth providers get google
+  assistant oauth mode google --set=managed
+  assistant oauth connect google --open-browser
+  assistant oauth status google
+  assistant oauth ping google
+  assistant oauth request --provider google /gmail/v1/users/me/messages
+  assistant oauth disconnect google`,
   );
   // ---------------------------------------------------------------------------
@@ -56,22 +52,16 @@ Examples:
   registerProviderCommands(oauth);
   // ---------------------------------------------------------------------------
-  // apps — subcommand group
-  // ---------------------------------------------------------------------------
-  registerAppCommands(oauth);
-  // ---------------------------------------------------------------------------
-  // connections — subcommand group (list, get)
+  // mode — get or set OAuth mode (managed vs your-own) for a provider
   // ---------------------------------------------------------------------------
-  registerConnectionCommands(oauth);
+  registerModeCommand(oauth);
   // ---------------------------------------------------------------------------
-  // request — curl-like authenticated request command
+  // apps — subcommand group
   // ---------------------------------------------------------------------------
-  registerRequestCommand(oauth);
+  registerAppCommands(oauth);
   // ---------------------------------------------------------------------------
   // connect — unified connect command (auto-detects managed vs BYO)
@@ -80,31 +70,31 @@ Examples:
   registerConnectCommand(oauth);
   // ---------------------------------------------------------------------------
-  // disconnect — unified disconnect with auto-detected managed/BYO routing
+  // status — unified connection status
   // ---------------------------------------------------------------------------
-  registerDisconnectCommand(oauth);
+  registerStatusCommand(oauth);
   // ---------------------------------------------------------------------------
-  // status — unified connection status (auto-detects managed vs BYO)
+  // ping — ping to see if a provider is connected and healthy
   // ---------------------------------------------------------------------------
-  registerStatusCommand(oauth);
+  registerPingCommand(oauth);
   // ---------------------------------------------------------------------------
-  // mode — get or set OAuth mode (managed vs your-own) for a provider
+  // request — curl-like authenticated request command
   // ---------------------------------------------------------------------------
-  registerModeCommand(oauth);
+  registerRequestCommand(oauth);
   // ---------------------------------------------------------------------------
-  // ping — unified ping command (auto-detects managed vs BYO)
+  // disconnect — unified disconnect with auto-detected managed/BYO routing
   // ---------------------------------------------------------------------------
-  registerPingCommand(oauth);
+  registerDisconnectCommand(oauth);
   // ---------------------------------------------------------------------------
-  // token — unified token retrieval (BYO only, managed-mode guard)
+  // token — retrieve a valid oauth token (your-own mode only)
   // ---------------------------------------------------------------------------
   registerTokenCommand(oauth);

package/src/cli/commands/oauth/mode.ts CHANGED Viewed

@@ -17,8 +17,6 @@ import { shouldOutputJson, writeOutput } from "../../output.js";
 import {
   fetchActiveConnections,
   getManagedServiceConfigKey,
-  resolveService,
-  toBareProvider,
 } from "./shared.js";
 /**
@@ -30,13 +28,13 @@ import {
  * command output or set a non-zero exit code.
  */
 async function countManagedConnections(
-  providerKey: string,
+  provider: string,
   cmd: Command,
 ): Promise<number> {
   try {
     const client = await VellumPlatformClient.create();
     if (!client || !client.platformAssistantId) return 0;
-    const entries = await fetchActiveConnections(client, providerKey, cmd, {
+    const entries = await fetchActiveConnections(client, provider, cmd, {
       silent: true,
     });
     return entries?.length ?? 0;
@@ -63,14 +61,9 @@ export function registerModeCommand(oauth: Command): void {
       "after",
       `
 Arguments:
-  provider   Provider key, alias, or ID (e.g. google, integration:google).
+  provider   Provider name (e.g. google, slack).
              Run "assistant oauth providers list" to see available providers.
-Options:
-  --set <mode>   Set the mode to "managed" (platform-handled credentials) or
-                 "your-own" (bring-your-own client ID and secret). Omit to
-                 show the current mode.
 Modes:
   managed    OAuth credentials are managed by the Vellum platform. The
              assistant connects via a platform-hosted authorization flow.
@@ -86,10 +79,9 @@ Examples:
     .action(async (provider: string, opts: { set?: string }, cmd: Command) => {
       try {
         // -----------------------------------------------------------------
-        // Resolve + validate provider
+        // Validate provider
         // -----------------------------------------------------------------
-        const providerKey = resolveService(provider);
-        const providerRow = getProvider(providerKey);
+        const providerRow = getProvider(provider);
         if (!providerRow) {
           writeOutput(cmd, {
@@ -102,7 +94,7 @@ Examples:
           return;
         }
-        const managedKey = getManagedServiceConfigKey(providerKey);
+        const managedKey = getManagedServiceConfigKey(provider);
         // -----------------------------------------------------------------
         // GET mode (no --set flag)
@@ -113,13 +105,13 @@ Examples:
             if (shouldOutputJson(cmd)) {
               writeOutput(cmd, {
                 ok: true,
-                provider: providerKey,
+                provider: provider,
                 mode: "your-own",
                 managedModeSupported: false,
               });
             } else {
               log.info(
-                `${providerKey} mode: your-own (managed mode not available for this provider)`,
+                `${provider} mode: your-own (managed mode not available for this provider)`,
               );
             }
             return;
@@ -132,12 +124,12 @@ Examples:
           if (shouldOutputJson(cmd)) {
             writeOutput(cmd, {
               ok: true,
-              provider: providerKey,
+              provider: provider,
               mode: currentMode,
               managedModeSupported: true,
             });
           } else {
-            log.info(`${providerKey} mode: ${currentMode}`);
+            log.info(`${provider} mode: ${currentMode}`);
           }
           return;
         }
@@ -164,14 +156,14 @@ Examples:
             if (shouldOutputJson(cmd)) {
               writeOutput(cmd, {
                 ok: true,
-                provider: providerKey,
+                provider: provider,
                 mode: "your-own",
                 changed: false,
                 managedModeSupported: false,
               });
             } else {
               log.info(
-                `${providerKey} is already set to your-own (managed mode not available for this provider)`,
+                `${provider} is already set to your-own (managed mode not available for this provider)`,
               );
             }
             return;
@@ -181,7 +173,7 @@ Examples:
           writeOutput(cmd, {
             ok: false,
             error:
-              `Managed mode is not available for ${providerKey}. ` +
+              `Managed mode is not available for ${provider}. ` +
               `Only providers with platform-managed OAuth support can be switched to managed mode.`,
           });
           process.exitCode = 1;
@@ -197,13 +189,13 @@ Examples:
           if (shouldOutputJson(cmd)) {
             writeOutput(cmd, {
               ok: true,
-              provider: providerKey,
+              provider: provider,
               mode: newMode,
               changed: false,
               managedModeSupported: true,
             });
           } else {
-            log.info(`${providerKey} is already set to ${newMode}`);
+            log.info(`${provider} is already set to ${newMode}`);
           }
           return;
         }
@@ -216,32 +208,28 @@ Examples:
         // Best-effort check for active connections on old and new modes
         let oldModeConnections = 0;
         let newModeConnections = 0;
-        const bareProvider = toBareProvider(providerKey);
         if (currentMode === "managed") {
           // Old mode was managed — check platform connections
-          oldModeConnections = await countManagedConnections(providerKey, cmd);
+          oldModeConnections = await countManagedConnections(provider, cmd);
           // New mode is your-own — check local connections
-          newModeConnections =
-            listActiveConnectionsByProvider(providerKey).length;
+          newModeConnections = listActiveConnectionsByProvider(provider).length;
         } else {
           // Old mode was your-own — check local connections
-          oldModeConnections =
-            listActiveConnectionsByProvider(providerKey).length;
+          oldModeConnections = listActiveConnectionsByProvider(provider).length;
           // New mode is managed — check platform connections
-          newModeConnections = await countManagedConnections(providerKey, cmd);
+          newModeConnections = await countManagedConnections(provider, cmd);
         }
         // Build hint if there are connections on the old mode but none on the new
         let hint: string | undefined;
         if (oldModeConnections > 0 && newModeConnections === 0) {
-          hint = `No active connections in ${newMode} mode. Run 'assistant oauth connect ${bareProvider}' to connect.`;
+          hint = `No active connections in ${newMode} mode. Run 'assistant oauth connect ${provider}' to connect.`;
         }
         if (shouldOutputJson(cmd)) {
           const result: Record<string, unknown> = {
             ok: true,
-            provider: providerKey,
+            provider: provider,
             mode: newMode,
             changed: true,
             managedModeSupported: true,
@@ -249,7 +237,7 @@ Examples:
           if (hint) result.hint = hint;
           writeOutput(cmd, result);
         } else {
-          log.info(`${providerKey} mode changed to ${newMode}`);
+          log.info(`${provider} mode changed to ${newMode}`);
           if (hint) {
             process.stderr.write(hint + "\n");
           }