@vellumai/assistant 0.5.11 → 0.5.13

package/src/__tests__/oauth-cli.test.ts

@@ -37,7 +37,7 @@ let mockUpsertAppCalls: Array<{
 }> = [];
 let mockUpsertAppResult: Record<string, unknown> = {
   id: "app-upsert-1",
-  providerKey: "integration:test",
+  providerKey: "test",
   clientId: "test-client-id",
   createdAt: 1700000000000,
   updatedAt: 1700000000000,
@@ -53,7 +53,7 @@ let mockUpsertAppImpl:
     ) => Promise<Record<string, unknown>>)
   | undefined;
 
-// Transitive mock state (connect-orchestrator, provider-behaviors, etc.)
+// Transitive mock state (connect-orchestrator, etc.)
 let mockOrchestrateOAuthConnect: (
   opts: Record<string, unknown>,
 ) => Promise<Record<string, unknown>>;
@@ -67,9 +67,6 @@ let mockGetMostRecentAppByProvider: (
 let mockGetProvider: (
   providerKey: string,
 ) => Record<string, unknown> | undefined = () => undefined;
-let mockGetProviderBehavior: (
-  providerKey: string,
-) => Record<string, unknown> | undefined = () => undefined;
 let mockGetSecureKey: (account: string) => string | undefined = () => undefined;
 let mockResolveOAuthConnection: (
   providerKey: string,
@@ -153,6 +150,8 @@ mock.module("../oauth/oauth-store.js", () => ({
   getProvider: (providerKey: string) => mockGetProvider(providerKey),
   listProviders: () => mockListProviders(),
   registerProvider: () => ({}),
+  updateProvider: () => undefined,
+  deleteProvider: () => false,
   seedProviders: () => {},
   getActiveConnection: () => undefined,
   listActiveConnectionsByProvider: () => [],
@@ -208,14 +207,16 @@ mock.module("../oauth/connect-orchestrator.js", () => ({
     mockOrchestrateOAuthConnect(opts),
 }));
 
-// ---------------------------------------------------------------------------
-// Mock provider-behaviors
-// ---------------------------------------------------------------------------
-
-mock.module("../oauth/provider-behaviors.js", () => ({
-  resolveService: (service: string) => service,
-  getProviderBehavior: (providerKey: string) =>
-    mockGetProviderBehavior(providerKey),
+mock.module("../oauth/seed-providers.js", () => ({
+  SEEDED_PROVIDER_KEYS: new Set([
+    "google",
+    "slack",
+    "github",
+    "notion",
+    "twitter",
+    "linear",
+  ]),
+  seedOAuthProviders: () => {},
 }));
 
 // ---------------------------------------------------------------------------
@@ -315,17 +316,13 @@ describe("assistant oauth token <provider-key>", () => {
   });
 
   test("prints bare token in human mode", async () => {
-    const { exitCode, stdout } = await runCli(["token", "integration:twitter"]);
+    const { exitCode, stdout } = await runCli(["token", "twitter"]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("mock-access-token-xyz\n");
   });
 
   test("prints JSON in --json mode", async () => {
-    const { exitCode, stdout } = await runCli([
-      "token",
-      "integration:twitter",
-      "--json",
-    ]);
+    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
     expect(exitCode).toBe(0);
     const parsed = JSON.parse(stdout);
     expect(parsed).toEqual({ ok: true, token: "mock-access-token-xyz" });
@@ -338,8 +335,8 @@ describe("assistant oauth token <provider-key>", () => {
       return cb("tok");
     };
 
-    await runCli(["token", "integration:twitter"]);
-    expect(capturedService).toBe("integration:twitter");
+    await runCli(["token", "twitter"]);
+    expect(capturedService).toBe("twitter");
   });
 
   test("works with other provider keys", async () => {
@@ -349,24 +346,20 @@ describe("assistant oauth token <provider-key>", () => {
       return cb("gmail-token");
     };
 
-    const { exitCode, stdout } = await runCli(["token", "integration:google"]);
+    const { exitCode, stdout } = await runCli(["token", "google"]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("gmail-token\n");
-    expect(capturedService).toBe("integration:google");
+    expect(capturedService).toBe("google");
   });
 
   test("exits 1 when no token exists", async () => {
     mockWithValidToken = async () => {
       throw new Error(
-        'No access token found for "integration:twitter". Authorization required.',
+        'No access token found for "twitter". Authorization required.',
       );
     };
 
-    const { exitCode, stdout } = await runCli([
-      "token",
-      "integration:twitter",
-      "--json",
-    ]);
+    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -375,16 +368,10 @@ describe("assistant oauth token <provider-key>", () => {
 
   test("exits 1 when refresh fails", async () => {
     mockWithValidToken = async () => {
-      throw new Error(
-        'Token refresh failed for "integration:twitter": invalid_grant.',
-      );
+      throw new Error('Token refresh failed for "twitter": invalid_grant.');
     };
 
-    const { exitCode, stdout } = await runCli([
-      "token",
-      "integration:twitter",
-      "--json",
-    ]);
+    const { exitCode, stdout } = await runCli(["token", "twitter", "--json"]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -395,7 +382,7 @@ describe("assistant oauth token <provider-key>", () => {
     // Simulate withValidToken refreshing and returning a new token
     mockWithValidToken = async (_service, cb) => cb("refreshed-new-token");
 
-    const { exitCode, stdout } = await runCli(["token", "integration:twitter"]);
+    const { exitCode, stdout } = await runCli(["token", "twitter"]);
     expect(exitCode).toBe(0);
     expect(stdout).toBe("refreshed-new-token\n");
   });
@@ -413,7 +400,7 @@ describe("assistant oauth token <provider-key>", () => {
 describe("assistant oauth providers list", () => {
   const fakeProviders = [
     {
-      providerKey: "integration:google",
+      providerKey: "google",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
@@ -423,7 +410,7 @@ describe("assistant oauth providers list", () => {
       updatedAt: "2025-01-01T00:00:00.000Z",
     },
     {
-      providerKey: "integration:google-calendar",
+      providerKey: "google-calendar",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
@@ -433,7 +420,7 @@ describe("assistant oauth providers list", () => {
       updatedAt: "2025-01-01T00:00:00.000Z",
     },
     {
-      providerKey: "integration:slack",
+      providerKey: "slack",
       authUrl: "https://slack.com/oauth/v2/authorize",
       tokenUrl: "https://slack.com/api/oauth.v2.access",
       defaultScopes: "[]",
@@ -443,7 +430,7 @@ describe("assistant oauth providers list", () => {
       updatedAt: "2025-01-01T00:00:00.000Z",
     },
     {
-      providerKey: "integration:twitter",
+      providerKey: "twitter",
       authUrl: "https://twitter.com/i/oauth2/authorize",
       tokenUrl: "https://api.twitter.com/2/oauth2/token",
       defaultScopes: "[]",
@@ -465,10 +452,10 @@ describe("assistant oauth providers list", () => {
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(4);
     const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
-    expect(keys).toContain("integration:google");
-    expect(keys).toContain("integration:google-calendar");
-    expect(keys).toContain("integration:slack");
-    expect(keys).toContain("integration:twitter");
+    expect(keys).toContain("google");
+    expect(keys).toContain("google-calendar");
+    expect(keys).toContain("slack");
+    expect(keys).toContain("twitter");
   });
 
   test("filters by single --provider-key value", async () => {
@@ -482,7 +469,7 @@ describe("assistant oauth providers list", () => {
     expect(exitCode).toBe(0);
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(1);
-    expect(parsed[0].providerKey).toBe("integration:slack");
+    expect(parsed[0].providerKey).toBe("slack");
   });
 
   test("filters by comma-separated OR values", async () => {
@@ -497,9 +484,9 @@ describe("assistant oauth providers list", () => {
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(3);
     const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
-    expect(keys).toContain("integration:google");
-    expect(keys).toContain("integration:google-calendar");
-    expect(keys).toContain("integration:slack");
+    expect(keys).toContain("google");
+    expect(keys).toContain("google-calendar");
+    expect(keys).toContain("slack");
   });
 
   test("returns empty array when comma-separated filter has no matches", async () => {
@@ -527,9 +514,9 @@ describe("assistant oauth providers list", () => {
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(3);
     const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
-    expect(keys).toContain("integration:google");
-    expect(keys).toContain("integration:google-calendar");
-    expect(keys).toContain("integration:slack");
+    expect(keys).toContain("google");
+    expect(keys).toContain("google-calendar");
+    expect(keys).toContain("slack");
   });
 
   test("ignores empty segments from extra commas in --provider-key", async () => {
@@ -544,9 +531,9 @@ describe("assistant oauth providers list", () => {
     const parsed = JSON.parse(stdout);
     expect(parsed).toHaveLength(3);
     const keys = parsed.map((p: { providerKey: string }) => p.providerKey);
-    expect(keys).toContain("integration:google");
-    expect(keys).toContain("integration:google-calendar");
-    expect(keys).toContain("integration:slack");
+    expect(keys).toContain("google");
+    expect(keys).toContain("google-calendar");
+    expect(keys).toContain("slack");
   });
 });
 
@@ -560,7 +547,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
     mockUpsertAppCalls = [];
     mockUpsertAppResult = {
       id: "app-upsert-1",
-      providerKey: "integration:google",
+      providerKey: "google",
       clientId: "abc123",
       createdAt: 1700000000000,
       updatedAt: 1700000000000,
@@ -573,18 +560,20 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
     mockGetAppByProviderAndClientId = () => undefined;
     mockGetMostRecentAppByProvider = () => undefined;
     mockGetProvider = () => undefined;
-    mockGetProviderBehavior = () => undefined;
     mockGetSecureKey = () => undefined;
     mockGetCredentialMetadata = () => undefined;
     mockUpsertAppImpl = undefined;
   });
 
   test("upsert with --client-secret-credential-path passes path to upsertApp", async () => {
+    // "custom/path" has no colon and no credential/ or oauth_app/ prefix.
+    // resolveCredentialPath passes it through unchanged since it doesn't
+    // match the service:field shorthand pattern.
     const { exitCode, stdout } = await runCli([
       "apps",
       "upsert",
       "--provider",
-      "integration:google",
+      "google",
       "--client-id",
       "abc123",
       "--client-secret-credential-path",
@@ -594,7 +583,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
     expect(exitCode).toBe(0);
     expect(mockUpsertAppCalls).toHaveLength(1);
     expect(mockUpsertAppCalls[0]).toEqual({
-      provider: "integration:google",
+      provider: "google",
       clientId: "abc123",
       clientSecretOpts: { clientSecretCredentialPath: "custom/path" },
     });
@@ -607,7 +596,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
       "apps",
       "upsert",
       "--provider",
-      "integration:google",
+      "google",
       "--client-id",
       "abc123",
       "--client-secret",
@@ -631,7 +620,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
       "apps",
       "upsert",
       "--provider",
-      "integration:google",
+      "google",
       "--client-id",
       "abc123",
       "--client-secret",
@@ -641,7 +630,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
     expect(exitCode).toBe(0);
     expect(mockUpsertAppCalls).toHaveLength(1);
     expect(mockUpsertAppCalls[0]).toEqual({
-      provider: "integration:google",
+      provider: "google",
       clientId: "abc123",
       clientSecretOpts: { clientSecretValue: "s3cret" },
     });
@@ -652,7 +641,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
       "apps",
       "upsert",
       "--provider",
-      "integration:google",
+      "google",
       "--client-id",
       "abc123",
       "--json",
@@ -660,48 +649,57 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
     expect(exitCode).toBe(0);
     expect(mockUpsertAppCalls).toHaveLength(1);
     expect(mockUpsertAppCalls[0]).toEqual({
-      provider: "integration:google",
+      provider: "google",
       clientId: "abc123",
       clientSecretOpts: undefined,
     });
   });
 
-  test("upsert resolves non-prefixed credential path via metadata store", async () => {
-    // The resolution logic splits on the LAST colon, so
-    // "integration:google:client_secret" → service="integration:google", field="client_secret"
-    mockGetCredentialMetadata = (service, field) =>
-      service === "integration:google" && field === "client_secret"
-        ? {
-            credentialId: "cred-1",
-            service: "integration:google",
-            field: "client_secret",
-            allowedTools: [],
-            allowedDomains: [],
-            createdAt: Date.now(),
-            updatedAt: Date.now(),
-          }
-        : undefined;
-
+  test("upsert resolves service:field shorthand to full credential path", async () => {
+    // The service:field shorthand is resolved to credential/{service}/{field}
     const { exitCode, stdout } = await runCli([
       "apps",
       "upsert",
       "--provider",
-      "integration:google",
+      "google",
       "--client-id",
       "abc",
       "--client-secret-credential-path",
-      "integration:google:client_secret",
+      "google:client_secret",
       "--json",
     ]);
     expect(exitCode).toBe(0);
     expect(mockUpsertAppCalls).toHaveLength(1);
-    // The non-prefixed path should have been resolved to the full credential key
     expect(mockUpsertAppCalls[0]).toEqual({
-      provider: "integration:google",
+      provider: "google",
       clientId: "abc",
       clientSecretOpts: {
-        clientSecretCredentialPath:
-          "credential/integration:google/client_secret",
+        clientSecretCredentialPath: "credential/google/client_secret",
+      },
+    });
+    const parsed = JSON.parse(stdout);
+    expect(parsed.id).toBe("app-upsert-1");
+  });
+
+  test("upsert resolves slack:client_secret shorthand to full credential path", async () => {
+    const { exitCode, stdout } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "slack",
+      "--client-id",
+      "slack-abc",
+      "--client-secret-credential-path",
+      "slack:client_secret",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockUpsertAppCalls).toHaveLength(1);
+    expect(mockUpsertAppCalls[0]).toEqual({
+      provider: "slack",
+      clientId: "slack-abc",
+      clientSecretOpts: {
+        clientSecretCredentialPath: "credential/slack/client_secret",
       },
     });
     const parsed = JSON.parse(stdout);
@@ -713,22 +711,47 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
       "apps",
       "upsert",
       "--provider",
-      "integration:google",
+      "google",
       "--client-id",
       "abc",
       "--client-secret-credential-path",
-      "credential/integration:google/client_secret",
+      "credential/google/client_secret",
       "--json",
     ]);
     expect(exitCode).toBe(0);
     expect(mockUpsertAppCalls).toHaveLength(1);
     // Already-prefixed path should be passed through as-is
     expect(mockUpsertAppCalls[0]).toEqual({
-      provider: "integration:google",
+      provider: "google",
+      clientId: "abc",
+      clientSecretOpts: {
+        clientSecretCredentialPath: "credential/google/client_secret",
+      },
+    });
+    const parsed = JSON.parse(stdout);
+    expect(parsed.id).toBe("app-upsert-1");
+  });
+
+  test("upsert passes oauth_app/ prefixed credential path through unchanged", async () => {
+    const { exitCode, stdout } = await runCli([
+      "apps",
+      "upsert",
+      "--provider",
+      "google",
+      "--client-id",
+      "abc",
+      "--client-secret-credential-path",
+      "oauth_app/some-id/client_secret",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockUpsertAppCalls).toHaveLength(1);
+    // oauth_app/ prefixed path should be passed through as-is
+    expect(mockUpsertAppCalls[0]).toEqual({
+      provider: "google",
       clientId: "abc",
       clientSecretOpts: {
-        clientSecretCredentialPath:
-          "credential/integration:google/client_secret",
+        clientSecretCredentialPath: "oauth_app/some-id/client_secret",
       },
     });
     const parsed = JSON.parse(stdout);
@@ -747,7 +770,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
       "apps",
       "upsert",
       "--provider",
-      "integration:google",
+      "google",
       "--client-id",
       "abc",
       "--client-secret-credential-path",
@@ -776,7 +799,7 @@ describe("assistant oauth ping <provider-key>", () => {
 
   test("returns ok when ping endpoint returns 200", async () => {
     mockGetProvider = () => ({
-      providerKey: "integration:google",
+      providerKey: "google",
       pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
@@ -788,16 +811,12 @@ describe("assistant oauth ping <provider-key>", () => {
     });
     mockResolveOAuthConnection = async () => ({
       id: "conn-1",
-      providerKey: "integration:google",
+      providerKey: "google",
       accountInfo: null,
       request: async () => ({ status: 200, headers: {}, body: {} }),
       withToken: async (fn) => fn("mock-access-token-xyz"),
     });
-    const { exitCode, stdout } = await runCli([
-      "ping",
-      "integration:google",
-      "--json",
-    ]);
+    const { exitCode, stdout } = await runCli(["ping", "google", "--json"]);
     expect(exitCode).toBe(0);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(true);
@@ -806,11 +825,7 @@ describe("assistant oauth ping <provider-key>", () => {
 
   test("exits 1 when provider not found", async () => {
     mockGetProvider = () => undefined;
-    const { exitCode, stdout } = await runCli([
-      "ping",
-      "integration:unknown",
-      "--json",
-    ]);
+    const { exitCode, stdout } = await runCli(["ping", "unknown", "--json"]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -838,7 +853,7 @@ describe("assistant oauth ping <provider-key>", () => {
 
   test("exits 1 when ping endpoint returns non-2xx", async () => {
     mockGetProvider = () => ({
-      providerKey: "integration:google",
+      providerKey: "google",
       pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
@@ -850,16 +865,12 @@ describe("assistant oauth ping <provider-key>", () => {
     });
     mockResolveOAuthConnection = async () => ({
       id: "conn-1",
-      providerKey: "integration:google",
+      providerKey: "google",
       accountInfo: null,
       request: async () => ({ status: 403, headers: {}, body: "Forbidden" }),
       withToken: async (fn) => fn("mock-access-token-xyz"),
     });
-    const { exitCode, stdout } = await runCli([
-      "ping",
-      "integration:google",
-      "--json",
-    ]);
+    const { exitCode, stdout } = await runCli(["ping", "google", "--json"]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);
@@ -868,7 +879,7 @@ describe("assistant oauth ping <provider-key>", () => {
 
   test("exits 1 when no connection can be resolved", async () => {
     mockGetProvider = () => ({
-      providerKey: "integration:google",
+      providerKey: "google",
       pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
       authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
@@ -879,13 +890,9 @@ describe("assistant oauth ping <provider-key>", () => {
       updatedAt: Date.now(),
     });
     mockResolveOAuthConnection = async () => {
-      throw new Error('No access token found for "integration:google".');
+      throw new Error('No access token found for "google".');
     };
-    const { exitCode, stdout } = await runCli([
-      "ping",
-      "integration:google",
-      "--json",
-    ]);
+    const { exitCode, stdout } = await runCli(["ping", "google", "--json"]);
     expect(exitCode).toBe(1);
     const parsed = JSON.parse(stdout);
     expect(parsed.ok).toBe(false);

package/src/__tests__/oauth-provider-profiles.test.ts

@@ -1,23 +1,58 @@
-import { describe, expect, test } from "bun:test";
-
-import {
-  getProviderBehavior,
-  resolveService,
-} from "../oauth/provider-behaviors.js";
-
-describe("oauth provider behaviors", () => {
-  test("gmail behavior defines bearer injection templates for Google API hosts", () => {
-    const service = resolveService("gmail");
-    const behavior = getProviderBehavior(service);
-
-    expect(service).toBe("integration:google");
-    expect(behavior).toBeDefined();
-    expect(behavior?.injectionTemplates).toBeDefined();
-    expect(behavior?.injectionTemplates).toHaveLength(3);
-
-    const byHost = new Map(
-      (behavior?.injectionTemplates ?? []).map((t) => [t.hostPattern, t]),
-    );
+import { mkdtempSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { describe, expect, mock, test } from "bun:test";
+
+const testDir = mkdtempSync(join(tmpdir(), "oauth-provider-profiles-test-"));
+
+mock.module("../util/platform.js", () => ({
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => ":memory:",
+  getLogPath: () => join(testDir, "test.log"),
+  ensureDataDir: () => {},
+}));
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+mock.module("../security/secure-keys.js", () => ({
+  deleteSecureKeyAsync: async () => "deleted" as const,
+  setSecureKeyAsync: async () => true,
+  getSecureKeyAsync: async () => undefined,
+}));
+
+import { initializeDb } from "../memory/db.js";
+import { getProvider } from "../oauth/oauth-store.js";
+import { seedOAuthProviders } from "../oauth/seed-providers.js";
+
+initializeDb();
+seedOAuthProviders();
+
+describe("oauth provider profiles (DB-seeded)", () => {
+  test("google provider row contains bearer injection templates for 3 Google API hosts", () => {
+    const provider = getProvider("google");
+
+    expect(provider).toBeDefined();
+    expect(provider?.injectionTemplates).toBeDefined();
+
+    const templates = JSON.parse(provider!.injectionTemplates!) as Array<{
+      hostPattern: string;
+      injectionType: string;
+      headerName: string;
+      valuePrefix: string;
+    }>;
+
+    expect(templates).toHaveLength(3);
+
+    const byHost = new Map(templates.map((t) => [t.hostPattern, t]));
 
     for (const host of [
       "gmail.googleapis.com",

package/src/__tests__/oauth-scope-policy.test.ts

@@ -12,7 +12,7 @@ function makeProfile(
   overrides: Partial<ScopeResolverInput> = {},
 ): ScopeResolverInput {
   return {
-    service: "integration:test-service",
+    service: "test-service",
     defaultScopes: ["read", "write"],
     scopePolicy: {
       allowAdditionalScopes: false,
@@ -57,9 +57,7 @@ describe("resolveScopes", () => {
     const result = resolveScopes(profile, ["delete"]);
     expect(result.ok).toBe(false);
     if (!result.ok) {
-      expect(result.error).toBe(
-        "Scope 'delete' is forbidden for integration:test-service",
-      );
+      expect(result.error).toBe("Scope 'delete' is forbidden for test-service");
     }
   });
 
@@ -76,7 +74,7 @@ describe("resolveScopes", () => {
     expect(result.ok).toBe(false);
     if (!result.ok) {
       expect(result.error).toContain(
-        "Additional scopes are not allowed for integration:test-service",
+        "Additional scopes are not allowed for test-service",
       );
       expect(result.allowedScopes).toEqual(["read", "write"]);
     }
@@ -95,7 +93,7 @@ describe("resolveScopes", () => {
     expect(result.ok).toBe(false);
     if (!result.ok) {
       expect(result.error).toBe(
-        "Scope 'admin' is not in the allowed optional scopes for integration:test-service",
+        "Scope 'admin' is not in the allowed optional scopes for test-service",
       );
       expect(result.allowedScopes).toEqual(["read", "write"]);
     }