@vellumai/assistant 0.5.11 → 0.5.13

package/src/oauth/oauth-store.ts

@@ -45,12 +45,17 @@ export type OAuthConnectionRow = typeof oauthConnections.$inferSelect;
  * Seed well-known provider profiles into the database. Uses INSERT … ON
  * CONFLICT DO UPDATE so that implementation fields (authUrl, tokenUrl,
  * tokenEndpointAuthMethod, userinfoUrl, extraParams, callbackTransport,
- * pingUrl, pingMethod, pingHeaders, pingBody, managedServiceConfigKey)
+ * pingUrl, pingMethod, pingHeaders, pingBody, managedServiceConfigKey,
+ * loopbackPort, injectionTemplates, appType, setupNotes,
+ * identityUrl, identityMethod, identityHeaders, identityBody,
+ * identityResponsePaths, identityFormat, identityOkField)
  * and display metadata (displayName, description, dashboardUrl,
  * clientIdPlaceholder, requiresClientSecret) propagate to existing
  * installations on every startup, while user-customizable fields
- * (defaultScopes, scopePolicy, baseUrl) are only written on the
- * initial insert.
+ * (defaultScopes, scopePolicy) are only written on the
+ * initial insert. baseUrl is backfilled from seed data when null
+ * (e.g. legacy rows created before the column existed) but preserved
+ * if the user has set a custom value.
  */
 export function seedProviders(
   profiles: Array<{
@@ -74,6 +79,22 @@ export function seedProviders(
     dashboardUrl?: string | null;
     clientIdPlaceholder?: string | null;
     requiresClientSecret?: boolean;
+    loopbackPort?: number;
+    injectionTemplates?: Array<{
+      hostPattern: string;
+      injectionType: string;
+      headerName: string;
+      valuePrefix: string;
+    }>;
+    appType?: string;
+    setupNotes?: string[];
+    identityUrl?: string;
+    identityMethod?: string;
+    identityHeaders?: Record<string, string>;
+    identityBody?: unknown;
+    identityResponsePaths?: string[];
+    identityFormat?: string;
+    identityOkField?: string;
   }>,
 ): void {
   const db = getDb();
@@ -99,6 +120,24 @@ export function seedProviders(
     const dashboardUrl = p.dashboardUrl ?? null;
     const clientIdPlaceholder = p.clientIdPlaceholder ?? null;
     const requiresClientSecret = p.requiresClientSecret !== false ? 1 : 0;
+    const loopbackPort = p.loopbackPort ?? null;
+    const injectionTemplates = p.injectionTemplates
+      ? JSON.stringify(p.injectionTemplates)
+      : null;
+    const appType = p.appType ?? null;
+    const setupNotes = p.setupNotes ? JSON.stringify(p.setupNotes) : null;
+    const identityUrl = p.identityUrl ?? null;
+    const identityMethod = p.identityMethod ?? null;
+    const identityHeaders = p.identityHeaders
+      ? JSON.stringify(p.identityHeaders)
+      : null;
+    const identityBody =
+      p.identityBody !== undefined ? JSON.stringify(p.identityBody) : null;
+    const identityResponsePaths = p.identityResponsePaths
+      ? JSON.stringify(p.identityResponsePaths)
+      : null;
+    const identityFormat = p.identityFormat ?? null;
+    const identityOkField = p.identityOkField ?? null;
 
     db.insert(oauthProviders)
       .values({
@@ -122,6 +161,17 @@ export function seedProviders(
         dashboardUrl,
         clientIdPlaceholder,
         requiresClientSecret,
+        loopbackPort,
+        injectionTemplates,
+        appType,
+        setupNotes,
+        identityUrl,
+        identityMethod,
+        identityHeaders,
+        identityBody,
+        identityResponsePaths,
+        identityFormat,
+        identityOkField,
         createdAt: now,
         updatedAt: now,
       })
@@ -132,6 +182,7 @@ export function seedProviders(
           tokenUrl,
           tokenEndpointAuthMethod,
           userinfoUrl,
+          baseUrl: sql`COALESCE(${oauthProviders.baseUrl}, ${baseUrl})`,
           extraParams,
           callbackTransport,
           pingUrl,
@@ -144,6 +195,17 @@ export function seedProviders(
           dashboardUrl,
           clientIdPlaceholder,
           requiresClientSecret,
+          loopbackPort,
+          injectionTemplates,
+          appType,
+          setupNotes,
+          identityUrl,
+          identityMethod,
+          identityHeaders,
+          identityBody,
+          identityResponsePaths,
+          identityFormat,
+          identityOkField,
           updatedAt: now,
         },
       })
@@ -192,6 +254,22 @@ export function registerProvider(params: {
   dashboardUrl?: string;
   clientIdPlaceholder?: string;
   requiresClientSecret?: number;
+  loopbackPort?: number;
+  injectionTemplates?: Array<{
+    hostPattern: string;
+    injectionType: string;
+    headerName: string;
+    valuePrefix: string;
+  }>;
+  appType?: string;
+  setupNotes?: string[];
+  identityUrl?: string;
+  identityMethod?: string;
+  identityHeaders?: Record<string, string>;
+  identityBody?: unknown;
+  identityResponsePaths?: string[];
+  identityFormat?: string;
+  identityOkField?: string;
 }): OAuthProviderRow {
   const db = getDb();
   const now = Date.now();
@@ -223,6 +301,26 @@ export function registerProvider(params: {
     dashboardUrl: params.dashboardUrl ?? null,
     clientIdPlaceholder: params.clientIdPlaceholder ?? null,
     requiresClientSecret: params.requiresClientSecret ?? 1,
+    loopbackPort: params.loopbackPort ?? null,
+    injectionTemplates: params.injectionTemplates
+      ? JSON.stringify(params.injectionTemplates)
+      : null,
+    appType: params.appType ?? null,
+    setupNotes: params.setupNotes ? JSON.stringify(params.setupNotes) : null,
+    identityUrl: params.identityUrl ?? null,
+    identityMethod: params.identityMethod ?? null,
+    identityHeaders: params.identityHeaders
+      ? JSON.stringify(params.identityHeaders)
+      : null,
+    identityBody:
+      params.identityBody !== undefined
+        ? JSON.stringify(params.identityBody)
+        : null,
+    identityResponsePaths: params.identityResponsePaths
+      ? JSON.stringify(params.identityResponsePaths)
+      : null,
+    identityFormat: params.identityFormat ?? null,
+    identityOkField: params.identityOkField ?? null,
     createdAt: now,
     updatedAt: now,
   };
@@ -232,6 +330,133 @@ export function registerProvider(params: {
   return row;
 }
 
+/**
+ * Update mutable fields on an existing provider. Only the fields explicitly
+ * provided (not `undefined`) are written; everything else is left unchanged.
+ * JSON fields (defaultScopes, scopePolicy, extraParams, pingHeaders, pingBody)
+ * are serialized with JSON.stringify before storage.
+ *
+ * Returns the updated provider row, or `undefined` if no provider with the
+ * given key exists.
+ */
+export function updateProvider(
+  providerKey: string,
+  params: Partial<{
+    authUrl: string;
+    tokenUrl: string;
+    tokenEndpointAuthMethod: string;
+    userinfoUrl: string;
+    pingUrl: string;
+    pingMethod: string;
+    pingHeaders: Record<string, string>;
+    pingBody: unknown;
+    baseUrl: string;
+    defaultScopes: string[];
+    scopePolicy: Record<string, unknown>;
+    extraParams: Record<string, string>;
+    callbackTransport: string;
+    displayName: string;
+    description: string;
+    dashboardUrl: string;
+    clientIdPlaceholder: string;
+    requiresClientSecret: boolean;
+    loopbackPort: number;
+    injectionTemplates: Array<{
+      hostPattern: string;
+      injectionType: string;
+      headerName: string;
+      valuePrefix: string;
+    }>;
+    appType: string;
+    setupNotes: string[];
+    identityUrl: string;
+    identityMethod: string;
+    identityHeaders: Record<string, string>;
+    identityBody: unknown;
+    identityResponsePaths: string[];
+    identityFormat: string;
+    identityOkField: string;
+  }>,
+): OAuthProviderRow | undefined {
+  const existing = getProvider(providerKey);
+  if (!existing) return undefined;
+
+  const db = getDb();
+  const set: Record<string, unknown> = { updatedAt: Date.now() };
+
+  if (params.authUrl !== undefined) set.authUrl = params.authUrl;
+  if (params.tokenUrl !== undefined) set.tokenUrl = params.tokenUrl;
+  if (params.tokenEndpointAuthMethod !== undefined)
+    set.tokenEndpointAuthMethod = params.tokenEndpointAuthMethod;
+  if (params.userinfoUrl !== undefined) set.userinfoUrl = params.userinfoUrl;
+  if (params.pingUrl !== undefined) set.pingUrl = params.pingUrl;
+  if (params.pingMethod !== undefined) set.pingMethod = params.pingMethod;
+  if (params.pingHeaders !== undefined)
+    set.pingHeaders = JSON.stringify(params.pingHeaders);
+  if (params.pingBody !== undefined)
+    set.pingBody = JSON.stringify(params.pingBody);
+  if (params.baseUrl !== undefined) set.baseUrl = params.baseUrl;
+  if (params.defaultScopes !== undefined)
+    set.defaultScopes = JSON.stringify(params.defaultScopes);
+  if (params.scopePolicy !== undefined)
+    set.scopePolicy = JSON.stringify(params.scopePolicy);
+  if (params.extraParams !== undefined)
+    set.extraParams = JSON.stringify(params.extraParams);
+  if (params.callbackTransport !== undefined)
+    set.callbackTransport = params.callbackTransport;
+  if (params.displayName !== undefined) set.displayName = params.displayName;
+  if (params.description !== undefined) set.description = params.description;
+  if (params.dashboardUrl !== undefined) set.dashboardUrl = params.dashboardUrl;
+  if (params.clientIdPlaceholder !== undefined)
+    set.clientIdPlaceholder = params.clientIdPlaceholder;
+  if (params.requiresClientSecret !== undefined)
+    set.requiresClientSecret = params.requiresClientSecret ? 1 : 0;
+  if (params.loopbackPort !== undefined) set.loopbackPort = params.loopbackPort;
+  if (params.injectionTemplates !== undefined)
+    set.injectionTemplates = JSON.stringify(params.injectionTemplates);
+  if (params.appType !== undefined) set.appType = params.appType;
+  if (params.setupNotes !== undefined)
+    set.setupNotes = JSON.stringify(params.setupNotes);
+  if (params.identityUrl !== undefined) set.identityUrl = params.identityUrl;
+  if (params.identityMethod !== undefined)
+    set.identityMethod = params.identityMethod;
+  if (params.identityHeaders !== undefined)
+    set.identityHeaders = JSON.stringify(params.identityHeaders);
+  if (params.identityBody !== undefined)
+    set.identityBody = JSON.stringify(params.identityBody);
+  if (params.identityResponsePaths !== undefined)
+    set.identityResponsePaths = JSON.stringify(params.identityResponsePaths);
+  if (params.identityFormat !== undefined)
+    set.identityFormat = params.identityFormat;
+  if (params.identityOkField !== undefined)
+    set.identityOkField = params.identityOkField;
+
+  db.update(oauthProviders)
+    .set(set)
+    .where(eq(oauthProviders.providerKey, providerKey))
+    .run();
+
+  return getProvider(providerKey);
+}
+
+/**
+ * Delete a provider by its key. Returns `true` if a row was deleted,
+ * `false` if no provider with that key existed.
+ *
+ * Note: SQLite enforces the foreign-key constraint from `oauth_apps.provider_key`,
+ * so deleting a provider that has existing apps will throw.
+ */
+export function deleteProvider(providerKey: string): boolean {
+  const existing = getProvider(providerKey);
+  if (!existing) return false;
+
+  const db = getDb();
+  db.delete(oauthProviders)
+    .where(eq(oauthProviders.providerKey, providerKey))
+    .run();
+  return rawChanges() > 0;
+}
+
 // ---------------------------------------------------------------------------
 // App operations
 // ---------------------------------------------------------------------------

package/src/oauth/platform-connection.test.ts

@@ -35,7 +35,7 @@ function makeMockClient(
 
 const DEFAULT_OPTIONS = {
   id: "conn-1",
-  providerKey: "integration:google",
+  providerKey: "google",
   externalId: "ext-123",
   accountInfo: "user@example.com",
   client: makeMockClient(),
@@ -93,11 +93,11 @@ describe("PlatformOAuthConnection", () => {
     expect(result.body).toEqual(upstreamBody);
   });
 
-  test("forwards baseUrl when provided", async () => {
+  test("forwards per-request baseUrl when provided", async () => {
     const client = makeMockClient(
       mock(async (_url: string | URL | Request, init?: RequestInit) => {
         const parsed = JSON.parse(init?.body as string);
-        expect(parsed.request.baseUrl).toBe(
+        expect(parsed.request.base_url).toBe(
           "https://www.googleapis.com/calendar/v3",
         );
 
@@ -116,11 +116,61 @@ describe("PlatformOAuthConnection", () => {
     });
   });
 
-  test("omits baseUrl from envelope when not provided", async () => {
+  test("falls back to connection-level baseUrl when per-request baseUrl is absent", async () => {
     const client = makeMockClient(
       mock(async (_url: string | URL | Request, init?: RequestInit) => {
         const parsed = JSON.parse(init?.body as string);
-        expect("baseUrl" in parsed.request).toBe(false);
+        expect(parsed.request.base_url).toBe(
+          "https://gmail.googleapis.com/gmail/v1/users/me",
+        );
+
+        return new Response(
+          JSON.stringify({ status: 200, headers: {}, body: null }),
+          { status: 200 },
+        );
+      }) as unknown as typeof globalThis.fetch,
+    );
+
+    const conn = new PlatformOAuthConnection({
+      ...DEFAULT_OPTIONS,
+      client,
+      baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
+    });
+    await conn.request({ method: "GET", path: "/messages" });
+  });
+
+  test("per-request baseUrl overrides connection-level baseUrl", async () => {
+    const client = makeMockClient(
+      mock(async (_url: string | URL | Request, init?: RequestInit) => {
+        const parsed = JSON.parse(init?.body as string);
+        expect(parsed.request.base_url).toBe(
+          "https://www.googleapis.com/calendar/v3",
+        );
+
+        return new Response(
+          JSON.stringify({ status: 200, headers: {}, body: {} }),
+          { status: 200 },
+        );
+      }) as unknown as typeof globalThis.fetch,
+    );
+
+    const conn = new PlatformOAuthConnection({
+      ...DEFAULT_OPTIONS,
+      client,
+      baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
+    });
+    await conn.request({
+      method: "GET",
+      path: "/calendars/primary/events",
+      baseUrl: "https://www.googleapis.com/calendar/v3",
+    });
+  });
+
+  test("omits base_url from envelope when neither connection nor request provides one", async () => {
+    const client = makeMockClient(
+      mock(async (_url: string | URL | Request, init?: RequestInit) => {
+        const parsed = JSON.parse(init?.body as string);
+        expect("base_url" in parsed.request).toBe(false);
 
         return new Response(
           JSON.stringify({ status: 200, headers: {}, body: null }),
@@ -192,7 +242,7 @@ describe("PlatformOAuthConnection", () => {
     const conn = new PlatformOAuthConnection({
       ...DEFAULT_OPTIONS,
       client,
-      providerKey: "integration:slack",
+      providerKey: "slack",
       connectionId: "slack-conn-456",
     });
     await conn.request({ method: "GET", path: "/test" });

package/src/oauth/platform-connection.ts

@@ -28,6 +28,9 @@ export interface PlatformOAuthConnectionOptions {
   client: VellumPlatformClient;
   /** Platform-side connection ID used in the proxy URL path. */
   connectionId: string;
+  /** Provider API base URL (e.g. "https://gmail.googleapis.com/gmail/v1/users/me").
+   *  Sent to the proxy so it can construct the full upstream URL. */
+  baseUrl?: string;
 }
 
 export class PlatformOAuthConnection implements OAuthConnection {
@@ -38,6 +41,7 @@ export class PlatformOAuthConnection implements OAuthConnection {
 
   private readonly client: VellumPlatformClient;
   private readonly connectionId: string;
+  private readonly baseUrl: string | undefined;
 
   constructor(options: PlatformOAuthConnectionOptions) {
     if (!options.connectionId) {
@@ -53,6 +57,7 @@ export class PlatformOAuthConnection implements OAuthConnection {
     this.accountInfo = options.accountInfo;
     this.client = options.client;
     this.connectionId = options.connectionId;
+    this.baseUrl = options.baseUrl;
   }
 
   async request(req: OAuthConnectionRequest): Promise<OAuthConnectionResponse> {
@@ -65,7 +70,9 @@ export class PlatformOAuthConnection implements OAuthConnection {
         query: req.query ?? {},
         headers: req.headers ?? {},
         body: req.body ?? null,
-        ...(req.baseUrl ? { baseUrl: req.baseUrl } : {}),
+        ...((req.baseUrl ?? this.baseUrl)
+          ? { base_url: req.baseUrl ?? this.baseUrl }
+          : {}),
       },
     };