@vellumai/assistant 0.5.11 → 0.5.13

package/src/cli/commands/platform/__tests__/status.test.ts

@@ -0,0 +1,246 @@
+import { mkdtempSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+const testDir = mkdtempSync(join(tmpdir(), "platform-status-test-"));
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+let mockGetSecureKeyViaDaemon: (
+  account: string,
+) => Promise<string | undefined> = async () => undefined;
+
+let mockResolvePlatformCallbackRegistrationContext: () => Promise<
+  Record<string, unknown>
+> = async () => ({
+  containerized: false,
+  platformBaseUrl: "",
+  assistantId: "",
+  hasInternalApiKey: false,
+  hasAssistantApiKey: false,
+  authHeader: null,
+  enabled: false,
+});
+
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+
+mock.module("../../../../inbound/platform-callback-registration.js", () => ({
+  resolvePlatformCallbackRegistrationContext: () =>
+    mockResolvePlatformCallbackRegistrationContext(),
+  registerCallbackRoute: async () => "",
+  shouldUsePlatformCallbacks: () => false,
+  resolveCallbackUrl: async () => "",
+}));
+
+mock.module("../../../lib/daemon-credential-client.js", () => ({
+  getSecureKeyViaDaemon: (account: string) =>
+    mockGetSecureKeyViaDaemon(account),
+  deleteSecureKeyViaDaemon: async () => "not-found" as const,
+  setSecureKeyViaDaemon: async () => false,
+  getProviderKeyViaDaemon: async () => undefined,
+  getSecureKeyResultViaDaemon: async () => ({
+    value: undefined,
+    unreachable: false,
+  }),
+}));
+
+mock.module("../../../../util/logger.js", () => ({
+  getLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+  getCliLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+  initLogger: () => {},
+  truncateForLog: (value: string, maxLen = 500) =>
+    value.length > maxLen ? value.slice(0, maxLen) + "..." : value,
+  pruneOldLogFiles: () => 0,
+}));
+
+mock.module("../../../../util/platform.js", () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => join(testDir, "data"),
+  getWorkspaceSkillsDir: () => join(testDir, "skills"),
+  getWorkspaceDir: () => join(testDir, "workspace"),
+  getWorkspaceHooksDir: () => join(testDir, "workspace", "hooks"),
+  getWorkspaceConfigPath: () => join(testDir, "workspace", "config.json"),
+  getHooksDir: () => join(testDir, "hooks"),
+  getSignalsDir: () => join(testDir, "signals"),
+  getConversationsDir: () => join(testDir, "conversations"),
+  getEmbeddingModelsDir: () => join(testDir, "models"),
+  getSandboxRootDir: () => join(testDir, "sandbox"),
+  getSandboxWorkingDir: () => join(testDir, "sandbox", "work"),
+  getInterfacesDir: () => join(testDir, "interfaces"),
+  getSoundsDir: () => join(testDir, "sounds"),
+  getHistoryPath: () => join(testDir, "history"),
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPlatformName: () => "linux",
+  getClipboardCommand: () => null,
+  resolveInstanceDataDir: () => undefined,
+  normalizeAssistantId: (id: string) => id,
+  getTCPPort: () => 0,
+  isTCPEnabled: () => false,
+  getTCPHost: () => "127.0.0.1",
+  isIOSPairingEnabled: () => false,
+  getPlatformTokenPath: () => join(testDir, "token"),
+  readPlatformToken: () => null,
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => join(testDir, "test.db"),
+  getLogPath: () => join(testDir, "test.log"),
+  getWorkspaceDirDisplay: () => testDir,
+  getWorkspacePromptPath: (file: string) => join(testDir, file),
+  ensureDataDir: () => {},
+}));
+
+mock.module("../../../../config/loader.js", () => ({
+  API_KEY_PROVIDERS: [] as const,
+  getConfig: () => ({
+    permissions: { mode: "workspace" },
+    skills: { load: { extraDirs: [] } },
+    sandbox: { enabled: true },
+  }),
+  loadConfig: () => ({}),
+  invalidateConfigCache: () => {},
+  saveConfig: () => {},
+  loadRawConfig: () => ({}),
+  saveRawConfig: () => {},
+  getNestedValue: () => undefined,
+  setNestedValue: () => {},
+  applyNestedDefaults: (config: unknown) => config,
+  deepMergeMissing: () => false,
+  deepMergeOverwrite: () => {},
+  mergeDefaultWorkspaceConfig: () => {},
+}));
+
+// ---------------------------------------------------------------------------
+// Import module under test (after mocks are registered)
+// ---------------------------------------------------------------------------
+
+const { buildCliProgram } = await import("../../../program.js");
+
+// ---------------------------------------------------------------------------
+// Test helper
+// ---------------------------------------------------------------------------
+
+async function runCommand(
+  args: string[],
+): Promise<{ stdout: string; exitCode: number }> {
+  const originalStdoutWrite = process.stdout.write.bind(process.stdout);
+  const originalStderrWrite = process.stderr.write.bind(process.stderr);
+  const stdoutChunks: string[] = [];
+
+  process.stdout.write = ((chunk: unknown) => {
+    stdoutChunks.push(typeof chunk === "string" ? chunk : String(chunk));
+    return true;
+  }) as typeof process.stdout.write;
+
+  process.stderr.write = (() => true) as typeof process.stderr.write;
+
+  process.exitCode = 0;
+
+  try {
+    const program = buildCliProgram();
+    program.exitOverride();
+    program.configureOutput({
+      writeErr: () => {},
+      writeOut: (str: string) => stdoutChunks.push(str),
+    });
+    await program.parseAsync(["node", "assistant", ...args]);
+  } catch {
+    if (process.exitCode === 0) process.exitCode = 1;
+  } finally {
+    process.stdout.write = originalStdoutWrite;
+    process.stderr.write = originalStderrWrite;
+  }
+
+  const exitCode = process.exitCode ?? 0;
+  process.exitCode = 0;
+
+  return { exitCode, stdout: stdoutChunks.join("") };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("assistant platform status", () => {
+  beforeEach(() => {
+    mockGetSecureKeyViaDaemon = async () => undefined;
+    mockResolvePlatformCallbackRegistrationContext = async () => ({
+      containerized: false,
+      platformBaseUrl: "",
+      assistantId: "",
+      hasInternalApiKey: false,
+      hasAssistantApiKey: false,
+      authHeader: null,
+      enabled: false,
+    });
+    process.exitCode = 0;
+  });
+
+  test("connected platform returns full status with stored credentials", async () => {
+    /**
+     * When the assistant has stored platform credentials and a valid
+     * registration context, the status command should report connected
+     * with all context fields populated.
+     */
+
+    // GIVEN a containerized environment with platform configuration
+    mockResolvePlatformCallbackRegistrationContext = async () => ({
+      containerized: true,
+      platformBaseUrl: "https://platform.vellum.ai",
+      assistantId: "asst-abc-123",
+      hasInternalApiKey: true,
+      hasAssistantApiKey: true,
+      authHeader: "Bearer internal-key",
+      enabled: true,
+    });
+
+    // AND stored platform credentials exist
+    mockGetSecureKeyViaDaemon = async (account: string) => {
+      if (account === "credential/vellum/platform_base_url")
+        return "https://platform.vellum.ai";
+      if (account === "credential/vellum/assistant_api_key")
+        return "sk-test-key";
+      if (account === "credential/vellum/platform_organization_id")
+        return "org-456";
+      if (account === "credential/vellum/platform_user_id") return "user-789";
+      return undefined;
+    };
+
+    // WHEN the status command is run with --json
+    const { exitCode, stdout } = await runCommand([
+      "platform",
+      "status",
+      "--json",
+    ]);
+
+    // THEN the command succeeds
+    expect(exitCode).toBe(0);
+
+    // AND the output contains the expected status fields
+    const parsed = JSON.parse(stdout);
+    expect(parsed.containerized).toBe(true);
+    expect(parsed.baseUrl).toBe("https://platform.vellum.ai");
+    expect(parsed.assistantId).toBe("asst-abc-123");
+    expect(parsed.hasInternalApiKey).toBe(true);
+    expect(parsed.hasAssistantApiKey).toBe(true);
+    expect(parsed.available).toBe(true);
+    expect(parsed.connected).toBe(true);
+    expect(parsed.organizationId).toBe("org-456");
+    expect(parsed.userId).toBe("user-789");
+  });
+});

package/src/cli/commands/platform/connect.ts

@@ -0,0 +1,104 @@
+import type { Command } from "commander";
+
+import { credentialKey } from "../../../security/credential-key.js";
+import { getSecureKeyViaDaemon } from "../../lib/daemon-credential-client.js";
+import { getCliLogger } from "../../logger.js";
+import { shouldOutputJson, writeOutput } from "../../output.js";
+
+const log = getCliLogger("cli");
+
+// ---------------------------------------------------------------------------
+// Credential store keys
+// ---------------------------------------------------------------------------
+
+const CREDENTIAL_KEYS = {
+  baseUrl: { service: "vellum", field: "platform_base_url" },
+  apiKey: { service: "vellum", field: "assistant_api_key" },
+  assistantId: { service: "vellum", field: "platform_assistant_id" },
+  organizationId: { service: "vellum", field: "platform_organization_id" },
+  userId: { service: "vellum", field: "platform_user_id" },
+} as const;
+
+// ---------------------------------------------------------------------------
+// Command registration
+// ---------------------------------------------------------------------------
+
+export function registerPlatformConnectCommand(platform: Command): void {
+  platform
+    .command("connect")
+    .description(
+      "Connect this assistant to the Vellum Platform by storing credentials",
+    )
+    .addHelpText(
+      "after",
+      `
+Initiates a platform connection flow. Credentials are collected via a secure
+UI component rendered by the assistant client.
+
+Use 'assistant platform status' to check the current connection state and
+'assistant platform disconnect' to remove stored credentials.
+
+Examples:
+  $ assistant platform connect
+  $ assistant platform connect --json`,
+    )
+    .action(async (_opts: Record<string, unknown>, cmd: Command) => {
+      const jsonMode = shouldOutputJson(cmd);
+
+      const writeError = (error: string): void => {
+        writeOutput(cmd, { ok: false, error });
+        process.exitCode = 1;
+      };
+
+      try {
+        // Check if already connected
+        const existingUrl = await getSecureKeyViaDaemon(
+          credentialKey(
+            CREDENTIAL_KEYS.baseUrl.service,
+            CREDENTIAL_KEYS.baseUrl.field,
+          ),
+        );
+        const existingApiKey = await getSecureKeyViaDaemon(
+          credentialKey(
+            CREDENTIAL_KEYS.apiKey.service,
+            CREDENTIAL_KEYS.apiKey.field,
+          ),
+        );
+
+        const alreadyConnected = !!existingUrl && !!existingApiKey;
+
+        if (alreadyConnected) {
+          writeOutput(cmd, {
+            ok: true,
+            alreadyConnected: true,
+            baseUrl: existingUrl,
+          });
+
+          if (!jsonMode) {
+            log.info(
+              `Already connected to platform at ${existingUrl}. ` +
+                `Run 'assistant platform disconnect' first to reconnect.`,
+            );
+          }
+          return;
+        }
+
+        // TODO: Send a UI component to collect credentials from the user
+        writeError(
+          "Platform connect UI component not yet implemented. " +
+            "Credentials will be collected via a secure client-side flow.",
+        );
+
+        if (!jsonMode) {
+          log.info(
+            "Platform connect will be available once the client-side credential flow is implemented.",
+          );
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        writeError(message);
+      }
+    });
+}
+
+export { CREDENTIAL_KEYS };

package/src/cli/commands/platform/disconnect.ts

@@ -0,0 +1,118 @@
+import type { Command } from "commander";
+
+import { credentialKey } from "../../../security/credential-key.js";
+import {
+  deleteSecureKeyViaDaemon,
+  getSecureKeyViaDaemon,
+} from "../../lib/daemon-credential-client.js";
+import { getCliLogger } from "../../logger.js";
+import { shouldOutputJson, writeOutput } from "../../output.js";
+import { CREDENTIAL_KEYS } from "./connect.js";
+
+const log = getCliLogger("cli");
+
+// ---------------------------------------------------------------------------
+// Command registration
+// ---------------------------------------------------------------------------
+
+export function registerPlatformDisconnectCommand(platform: Command): void {
+  platform
+    .command("disconnect")
+    .description(
+      "Disconnect from the Vellum Platform by removing stored credentials",
+    )
+    .addHelpText(
+      "after",
+      `
+Removes all stored platform credentials from the assistant's secure
+credential store. After disconnecting, platform-managed features (managed
+proxy, managed OAuth, callback routing) will no longer be available until
+you reconnect with 'assistant platform connect'.
+
+Use 'assistant platform status' to check the current connection state
+before disconnecting.
+
+Examples:
+  $ assistant platform disconnect
+  $ assistant platform disconnect --json`,
+    )
+    .action(async (_opts: Record<string, unknown>, cmd: Command) => {
+      const jsonMode = shouldOutputJson(cmd);
+
+      const writeError = (error: string): void => {
+        writeOutput(cmd, { ok: false, error });
+        process.exitCode = 1;
+      };
+
+      try {
+        // ---------------------------------------------------------------
+        // 1. Check if connected
+        // ---------------------------------------------------------------
+        const baseUrl = await getSecureKeyViaDaemon(
+          credentialKey(
+            CREDENTIAL_KEYS.baseUrl.service,
+            CREDENTIAL_KEYS.baseUrl.field,
+          ),
+        );
+        const apiKey = await getSecureKeyViaDaemon(
+          credentialKey(
+            CREDENTIAL_KEYS.apiKey.service,
+            CREDENTIAL_KEYS.apiKey.field,
+          ),
+        );
+
+        if (!baseUrl && !apiKey) {
+          writeError(
+            "Not connected to a platform. Nothing to disconnect.\n\n" +
+              "Run 'assistant platform status' to check connection state.",
+          );
+          return;
+        }
+
+        // ---------------------------------------------------------------
+        // 2. Delete all platform credentials
+        // ---------------------------------------------------------------
+        const keysToDelete = [
+          CREDENTIAL_KEYS.baseUrl,
+          CREDENTIAL_KEYS.apiKey,
+          CREDENTIAL_KEYS.assistantId,
+          CREDENTIAL_KEYS.organizationId,
+          CREDENTIAL_KEYS.userId,
+        ] as const;
+
+        const failedKeys: string[] = [];
+        for (const key of keysToDelete) {
+          const result = await deleteSecureKeyViaDaemon(
+            "credential",
+            `${key.service}:${key.field}`,
+          );
+          if (result === "error") {
+            failedKeys.push(`${key.service}:${key.field}`);
+          }
+        }
+
+        if (failedKeys.length > 0) {
+          writeError(`Failed to delete credentials: ${failedKeys.join(", ")}`);
+          return;
+        }
+
+        // ---------------------------------------------------------------
+        // 3. Output result
+        // ---------------------------------------------------------------
+        writeOutput(cmd, {
+          ok: true,
+          disconnected: true,
+          previousBaseUrl: baseUrl ?? null,
+        });
+
+        if (!jsonMode) {
+          log.info(
+            `Disconnected from platform${baseUrl ? ` at ${baseUrl}` : ""}`,
+          );
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        writeError(message);
+      }
+    });
+}

package/src/cli/commands/{platform.ts → platform/index.ts}

@@ -3,9 +3,13 @@ import type { Command } from "commander";
 import {
   registerCallbackRoute,
   resolvePlatformCallbackRegistrationContext,
-} from "../../inbound/platform-callback-registration.js";
-import { log } from "../logger.js";
-import { shouldOutputJson, writeOutput } from "../output.js";
+} from "../../../inbound/platform-callback-registration.js";
+import { credentialKey } from "../../../security/credential-key.js";
+import { getSecureKeyViaDaemon } from "../../lib/daemon-credential-client.js";
+import { log } from "../../logger.js";
+import { shouldOutputJson, writeOutput } from "../../output.js";
+import { CREDENTIAL_KEYS, registerPlatformConnectCommand } from "./connect.js";
+import { registerPlatformDisconnectCommand } from "./disconnect.js";
 
 export function registerPlatformCommand(program: Command): void {
   const platform = program
@@ -16,32 +20,42 @@ export function registerPlatformCommand(program: Command): void {
   platform.addHelpText(
     "after",
     `
-The platform subsystem manages callback routing, containerized deployment
-context, and webhook forwarding for assistants running inside platform
-containers. When IS_CONTAINERIZED=true with a configured VELLUM_PLATFORM_URL
+The platform subsystem manages the connection to Vellum Platform, callback
+routing, containerized deployment context, and webhook forwarding for
+assistants. Use 'connect', 'status', and 'disconnect' to manage platform
+credentials. When IS_CONTAINERIZED=true with a configured VELLUM_PLATFORM_URL
 and PLATFORM_ASSISTANT_ID, external service callbacks (Telegram webhooks,
 Twilio webhooks, OAuth redirects) route through the platform's gateway proxy
 instead of hitting the assistant directly.
 
 Examples:
   $ assistant platform status --json
-  $ assistant platform callback-routes register --path webhooks/telegram --type telegram --json
-  $ assistant platform status`,
+  $ assistant platform connect
+  $ assistant platform disconnect
+  $ assistant platform callback-routes register --path webhooks/telegram --type telegram --json`,
   );
 
   // ---------------------------------------------------------------------------
-  // status
+  // connect — store platform credentials and validate the connection
+  // ---------------------------------------------------------------------------
+
+  registerPlatformConnectCommand(platform);
+
+  // ---------------------------------------------------------------------------
+  // status — deployment context and connection status combined
   // ---------------------------------------------------------------------------
 
   platform
     .command("status")
-    .description("Show current platform deployment context")
+    .description(
+      "Show current platform deployment context and connection status",
+    )
     .addHelpText(
       "after",
       `
-Reads platform-related environment variables and returns the current
-containerized deployment context. Does not require the assistant to be
-running.
+Reads platform-related environment variables and stored credentials to report
+the current containerized deployment context and connection state. Does not
+require the assistant to be running.
 
 Fields:
   containerized       Whether IS_CONTAINERIZED is set (boolean)
@@ -51,40 +65,96 @@ Fields:
                       value not disclosed)
   hasAssistantApiKey  Whether a stored assistant API key is available
   available           Whether callback registration prerequisites are satisfied
+  connected           Whether platform credentials are stored (boolean)
+  organizationId      The platform organization ID (from stored credentials)
+  userId              The platform user ID (from stored credentials)
 
 Examples:
   $ assistant platform status
   $ assistant platform status --json`,
     )
     .action(async (_opts: Record<string, unknown>, cmd: Command) => {
-      const context = await resolvePlatformCallbackRegistrationContext();
-      const result = {
-        containerized: context.containerized,
-        baseUrl: context.platformBaseUrl,
-        assistantId: context.assistantId,
-        hasInternalApiKey: context.hasInternalApiKey,
-        hasAssistantApiKey: context.hasAssistantApiKey,
-        available: context.enabled,
-      };
-
-      writeOutput(cmd, result);
-
-      if (!shouldOutputJson(cmd)) {
-        log.info(`Containerized: ${result.containerized}`);
-        log.info(`Base URL: ${result.baseUrl || "(not set)"}`);
-        log.info(`Assistant ID: ${result.assistantId || "(not set)"}`);
-        log.info(
-          `Internal API key: ${result.hasInternalApiKey ? "set" : "not set"}`,
-        );
-        log.info(
-          `Assistant API key: ${result.hasAssistantApiKey ? "set" : "not set"}`,
-        );
-        log.info(
-          `Callback registration available: ${result.available ? "yes" : "no"}`,
-        );
+      try {
+        const context = await resolvePlatformCallbackRegistrationContext();
+
+        const storedBaseUrl =
+          (await getSecureKeyViaDaemon(
+            credentialKey(
+              CREDENTIAL_KEYS.baseUrl.service,
+              CREDENTIAL_KEYS.baseUrl.field,
+            ),
+          )) ?? "";
+        const hasStoredApiKey = !!(await getSecureKeyViaDaemon(
+          credentialKey(
+            CREDENTIAL_KEYS.apiKey.service,
+            CREDENTIAL_KEYS.apiKey.field,
+          ),
+        ));
+        const organizationId =
+          (
+            await getSecureKeyViaDaemon(
+              credentialKey(
+                CREDENTIAL_KEYS.organizationId.service,
+                CREDENTIAL_KEYS.organizationId.field,
+              ),
+            )
+          )?.trim() ?? "";
+        const userId =
+          (
+            await getSecureKeyViaDaemon(
+              credentialKey(
+                CREDENTIAL_KEYS.userId.service,
+                CREDENTIAL_KEYS.userId.field,
+              ),
+            )
+          )?.trim() ?? "";
+
+        const connected = !!storedBaseUrl && hasStoredApiKey;
+
+        const result = {
+          containerized: context.containerized,
+          baseUrl: context.platformBaseUrl,
+          assistantId: context.assistantId,
+          hasInternalApiKey: context.hasInternalApiKey,
+          hasAssistantApiKey: context.hasAssistantApiKey,
+          available: context.enabled,
+          connected,
+          organizationId: organizationId || null,
+          userId: userId || null,
+        };
+
+        writeOutput(cmd, result);
+
+        if (!shouldOutputJson(cmd)) {
+          log.info(`Containerized: ${result.containerized}`);
+          log.info(`Base URL: ${result.baseUrl || "(not set)"}`);
+          log.info(`Assistant ID: ${result.assistantId || "(not set)"}`);
+          log.info(
+            `Internal API key: ${result.hasInternalApiKey ? "set" : "not set"}`,
+          );
+          log.info(
+            `Assistant API key: ${result.hasAssistantApiKey ? "set" : "not set"}`,
+          );
+          log.info(
+            `Callback registration available: ${result.available ? "yes" : "no"}`,
+          );
+          log.info(`Connected: ${connected}`);
+          log.info(`Organization ID: ${organizationId || "(not set)"}`);
+          log.info(`User ID: ${userId || "(not set)"}`);
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        writeOutput(cmd, { ok: false, error: message });
+        process.exitCode = 1;
       }
     });
 
+  // ---------------------------------------------------------------------------
+  // disconnect — remove stored platform credentials
+  // ---------------------------------------------------------------------------
+
+  registerPlatformDisconnectCommand(platform);
+
   // ---------------------------------------------------------------------------
   // callback-routes
   // ---------------------------------------------------------------------------