@vellumai/assistant 0.5.13 → 0.5.14

package/src/signals/emit-event.ts

@@ -0,0 +1,42 @@
+/**
+ * Handle generic event signals from the CLI.
+ *
+ * When the CLI writes a JSON-encoded {@link ServerMessage} to
+ * `signals/emit-event`, the daemon's ConfigWatcher detects the file
+ * change and invokes {@link handleEmitEventSignal}, which reads the
+ * payload and publishes it to connected clients via the in-process
+ * {@link assistantEventHub}.
+ *
+ * This provides a general-purpose CLI→daemon event bridge so that any
+ * CLI command can place arbitrary events onto the hub without needing
+ * a dedicated signal handler per event type.
+ */
+
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+
+import type { ServerMessage } from "../daemon/message-protocol.js";
+import { buildAssistantEvent } from "../runtime/assistant-event.js";
+import { assistantEventHub } from "../runtime/assistant-event-hub.js";
+import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
+import { getLogger } from "../util/logger.js";
+import { getSignalsDir } from "../util/platform.js";
+
+const log = getLogger("signal:emit-event");
+
+export function handleEmitEventSignal(): void {
+  try {
+    const content = readFileSync(join(getSignalsDir(), "emit-event"), "utf-8");
+    const message = JSON.parse(content) as ServerMessage;
+
+    assistantEventHub
+      .publish(buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, message))
+      .catch((err: unknown) => {
+        log.error({ err }, "Failed to publish event from signal");
+      });
+
+    log.info({ type: message.type }, "Emit-event signal handled");
+  } catch (err) {
+    log.error({ err }, "Failed to handle emit-event signal");
+  }
+}

package/src/signals/user-message.ts

@@ -23,6 +23,18 @@ import { getSignalsDir } from "../util/platform.js";
 
 const log = getLogger("signal:user-message");
 
+// ── Attachment descriptor ───────────────────────────────────────────
+
+/** A file-backed attachment included in a signal payload. */
+export interface SignalAttachment {
+  /** Absolute path to the file on disk. */
+  path: string;
+  /** Display filename (e.g. "f_0001.jpg"). */
+  filename: string;
+  /** MIME type (e.g. "image/jpeg"). */
+  mimeType: string;
+}
+
 // ── Daemon callback registry ─────────────────────────────────────────
 
 type UserMessageCallback = (params: {
@@ -31,6 +43,7 @@ type UserMessageCallback = (params: {
   sourceChannel: string;
   sourceInterface: string;
   bypassSecretCheck?: boolean;
+  attachments?: SignalAttachment[];
 }) => Promise<{ accepted: boolean; error?: string; message?: string }>;
 
 let _sendUserMessage: UserMessageCallback | null = null;
@@ -99,6 +112,11 @@ export async function handleUserMessageSignal(filename: string): Promise<void> {
       interface?: string;
       requestId?: string;
       bypassSecretCheck?: boolean;
+      attachments?: Array<{
+        path?: string;
+        filename?: string;
+        mimeType?: string;
+      }>;
     };
     const { requestId } = parsed;
     parsedRequestId = requestId;
@@ -131,12 +149,31 @@ export async function handleUserMessageSignal(filename: string): Promise<void> {
       return;
     }
 
+    // Validate and normalize attachments
+    const attachments: SignalAttachment[] = [];
+    if (Array.isArray(parsed.attachments)) {
+      for (const a of parsed.attachments) {
+        if (
+          typeof a.path === "string" &&
+          typeof a.filename === "string" &&
+          typeof a.mimeType === "string"
+        ) {
+          attachments.push({
+            path: a.path,
+            filename: a.filename,
+            mimeType: a.mimeType,
+          });
+        }
+      }
+    }
+
     const result = await _sendUserMessage({
       conversationKey: parsed.conversationKey,
       content: parsed.content,
       sourceChannel: parsed.sourceChannel ?? "vellum",
       sourceInterface: parsed.interface ?? "cli",
       bypassSecretCheck: parsed.bypassSecretCheck === true,
+      ...(attachments.length > 0 ? { attachments } : {}),
     });
 
     log.info(

package/src/telemetry/usage-telemetry-reporter.test.ts

@@ -49,17 +49,15 @@ mock.module("../platform/client.js", () => ({
   },
 }));
 
-const mockGetTelemetryPlatformUrl = mock(() => "https://platform.vellum.ai");
-const mockGetTelemetryAppToken = mock(() => "");
+const mockGetPlatformBaseUrl = mock(() => "https://platform.vellum.ai");
 
 const mockGetPlatformOrganizationId = mock(() => "");
 const mockGetPlatformUserId = mock(() => "");
 
 mock.module("../config/env.js", () => ({
+  getPlatformBaseUrl: mockGetPlatformBaseUrl,
   getPlatformOrganizationId: mockGetPlatformOrganizationId,
   getPlatformUserId: mockGetPlatformUserId,
-  getTelemetryPlatformUrl: mockGetTelemetryPlatformUrl,
-  getTelemetryAppToken: mockGetTelemetryAppToken,
   // Re-export anything else the module might import transitively
   str: () => undefined,
   num: () => undefined,
@@ -91,6 +89,20 @@ mock.module("../version.js", () => ({
   APP_VERSION: "1.2.3-test",
 }));
 
+let mockCollectUsageData = true;
+
+mock.module("../config/loader.js", () => ({
+  getConfig: () => ({ collectUsageData: mockCollectUsageData }),
+}));
+
+const mockQueryUnreportedLifecycleEvents = mock(
+  () => [] as { id: string; eventName: string; createdAt: number }[],
+);
+
+mock.module("../memory/lifecycle-events-store.js", () => ({
+  queryUnreportedLifecycleEvents: mockQueryUnreportedLifecycleEvents,
+}));
+
 // ---------------------------------------------------------------------------
 // Production import (after mocks)
 // ---------------------------------------------------------------------------
@@ -135,14 +147,16 @@ let mockFetch: ReturnType<typeof mock>;
 
 beforeEach(() => {
   eventIdCounter = 0;
+  mockCollectUsageData = true;
   mockGetMemoryCheckpoint.mockReset();
   mockSetMemoryCheckpoint.mockReset();
   mockQueryUnreportedUsageEvents.mockReset();
   mockQueryUnreportedTurnEvents.mockReset();
   mockQueryUnreportedTurnEvents.mockReturnValue([]);
+  mockQueryUnreportedLifecycleEvents.mockReset();
+  mockQueryUnreportedLifecycleEvents.mockReturnValue([]);
   mockPlatformClient = null;
-  mockGetTelemetryPlatformUrl.mockReset();
-  mockGetTelemetryAppToken.mockReset();
+  mockGetPlatformBaseUrl.mockReset();
   mockGetDeviceId.mockReset();
   mockGetDeviceId.mockReturnValue("test-device-id");
   mockGetExternalAssistantId.mockReset();
@@ -154,8 +168,7 @@ beforeEach(() => {
 
   // Defaults
   mockGetMemoryCheckpoint.mockReturnValue(null);
-  mockGetTelemetryPlatformUrl.mockReturnValue("https://platform.vellum.ai");
-  mockGetTelemetryAppToken.mockReturnValue("default-test-token");
+  mockGetPlatformBaseUrl.mockReturnValue("https://platform.vellum.ai");
 
   mockFetch = mock(() =>
     Promise.resolve(new Response('{"accepted":0}', { status: 200 })),
@@ -195,10 +208,9 @@ describe("UsageTelemetryReporter", () => {
     expect(mockFetch).not.toHaveBeenCalled();
   });
 
-  test("anonymous flush uses X-Telemetry-Token and default URL", async () => {
+  test("anonymous flush sends request without auth headers", async () => {
     mockPlatformClient = null;
-    mockGetTelemetryPlatformUrl.mockReturnValue("https://platform.test.ai");
-    mockGetTelemetryAppToken.mockReturnValue("anon-token");
+    mockGetPlatformBaseUrl.mockReturnValue("https://platform.test.ai");
 
     const events = [makeUsageEvent()];
     mockQueryUnreportedUsageEvents.mockReturnValue(events);
@@ -213,9 +225,9 @@ describe("UsageTelemetryReporter", () => {
     const [url, opts] = mockFetch.mock.calls[0] as [string, RequestInit];
     expect(url).toStartWith("https://platform.test.ai");
     expect(url).toEndWith("/telemetry/ingest/");
-    expect((opts.headers as Record<string, string>)["X-Telemetry-Token"]).toBe(
-      "anon-token",
-    );
+    const headers = opts.headers as Record<string, string>;
+    expect(headers["Content-Type"]).toBe("application/json");
+    expect(headers["X-Telemetry-Token"]).toBeUndefined();
   });
 
   test("watermark advances on successful upload", async () => {
@@ -279,7 +291,7 @@ describe("UsageTelemetryReporter", () => {
     const body1 = JSON.parse(
       (mockFetch.mock.calls[0] as [string, RequestInit])[1].body as string,
     );
-    expect(body1.installation_id).toBe("test-device-id");
+    expect(body1.device_id).toBe("test-device-id");
 
     // Second flush — should use the same value
     mockQueryUnreportedUsageEvents.mockReturnValue([makeUsageEvent()]);
@@ -288,7 +300,7 @@ describe("UsageTelemetryReporter", () => {
     const body2 = JSON.parse(
       (mockFetch.mock.calls[1] as [string, RequestInit])[1].body as string,
     );
-    expect(body2.installation_id).toBe("test-device-id");
+    expect(body2.device_id).toBe("test-device-id");
   });
 
   test("empty batch makes no HTTP call", async () => {
@@ -362,8 +374,8 @@ describe("UsageTelemetryReporter", () => {
       (mockFetch.mock.calls[0] as [string, RequestInit])[1].body as string,
     );
 
-    // Top-level: installation_id, assistant_version, and events array (no turn_events key)
-    expect(body.installation_id).toBe("test-device-id");
+    // Top-level: device_id, assistant_version, and events array (no turn_events key)
+    expect(body.device_id).toBe("test-device-id");
     expect(body.assistant_version).toBe("1.2.3-test");
     expect(Array.isArray(body.events)).toBe(true);
     expect(body.events.length).toBe(1);
@@ -437,7 +449,7 @@ describe("UsageTelemetryReporter", () => {
     const body = JSON.parse(
       (mockFetch.mock.calls[0] as [string, RequestInit])[1].body as string,
     );
-    expect(body.installation_id).toBe("test-device-id");
+    expect(body.device_id).toBe("test-device-id");
     expect(body.assistant_id).toBe(DAEMON_INTERNAL_ASSISTANT_ID);
   });
 
@@ -477,4 +489,56 @@ describe("UsageTelemetryReporter", () => {
     expect(turnEvent.daemon_event_id).toBe("evt-mixed-turn");
     expect(turnEvent.recorded_at).toBe(1700000050000);
   });
+
+  test("flush is skipped and watermarks advanced when collectUsageData is false", async () => {
+    mockCollectUsageData = false;
+    const events = [makeUsageEvent()];
+    mockQueryUnreportedUsageEvents.mockReturnValue(events);
+    mockFetch.mockImplementation(() =>
+      Promise.resolve(new Response('{"accepted":1}', { status: 200 })),
+    );
+
+    const reporter = new UsageTelemetryReporter();
+    await reporter.flush();
+
+    // No HTTP call should have been made
+    expect(mockFetch).not.toHaveBeenCalled();
+
+    // All 6 watermarks should have been advanced (3 timestamps + 3 IDs)
+    expect(mockSetMemoryCheckpoint).toHaveBeenCalledTimes(6);
+
+    const calls = mockSetMemoryCheckpoint.mock.calls;
+    const keys = calls.map((c) => c[0]);
+    expect(keys).toContain("telemetry:usage:last_reported_at");
+    expect(keys).toContain("telemetry:usage:last_reported_id");
+    expect(keys).toContain("telemetry:turns:last_reported_at");
+    expect(keys).toContain("telemetry:turns:last_reported_id");
+    expect(keys).toContain("telemetry:lifecycle:last_reported_at");
+    expect(keys).toContain("telemetry:lifecycle:last_reported_id");
+  });
+
+  test("events sent normally after re-enabling collectUsageData", async () => {
+    // First flush with opt-out — watermarks advance, nothing sent
+    mockCollectUsageData = false;
+    const reporter = new UsageTelemetryReporter();
+    await reporter.flush();
+    expect(mockFetch).not.toHaveBeenCalled();
+    mockSetMemoryCheckpoint.mockReset();
+
+    // Re-enable and flush with new events
+    mockCollectUsageData = true;
+    const events = [makeUsageEvent({ id: "evt-after-reenable" })];
+    mockQueryUnreportedUsageEvents.mockReturnValue(events);
+    mockFetch.mockImplementation(() =>
+      Promise.resolve(new Response('{"accepted":1}', { status: 200 })),
+    );
+
+    await reporter.flush();
+
+    expect(mockFetch).toHaveBeenCalledTimes(1);
+    const body = JSON.parse(
+      (mockFetch.mock.calls[0] as [string, RequestInit])[1].body as string,
+    );
+    expect(body.events[0].daemon_event_id).toBe("evt-after-reenable");
+  });
 });

package/src/telemetry/usage-telemetry-reporter.ts

@@ -6,15 +6,15 @@
  *
  * Two auth modes:
  * - Authenticated: Api-Key header via managed proxy context
- * - Anonymous: X-Telemetry-Token static token from env
+ * - Anonymous: unauthenticated POST (telemetry endpoints are public)
  */
 
 import {
+  getPlatformBaseUrl,
   getPlatformOrganizationId,
   getPlatformUserId,
-  getTelemetryAppToken,
-  getTelemetryPlatformUrl,
 } from "../config/env.js";
+import { getConfig } from "../config/loader.js";
 import {
   getMemoryCheckpoint,
   setMemoryCheckpoint,
@@ -93,6 +93,22 @@ export class UsageTelemetryReporter {
     try {
       if (batchCount >= MAX_CONSECUTIVE_BATCHES) return;
 
+      // Respect runtime opt-out: if the user has disabled usage data collection,
+      // skip the flush and advance watermarks so events recorded during the
+      // opt-out window are never sent retroactively.
+      if (!getConfig().collectUsageData) {
+        // Advance only the timestamp watermarks. Leave the ID watermarks
+        // untouched so the compound-cursor branch stays active — setting them
+        // to "" would make the truthy check fail, falling back to a
+        // timestamp-only `gt(createdAt, watermark)` query that silently drops
+        // events created in the same millisecond as the opt-out watermark.
+        const now = String(Date.now());
+        setMemoryCheckpoint(CHECKPOINT_KEY_WATERMARK, now);
+        setMemoryCheckpoint(CHECKPOINT_KEY_TURN_WATERMARK, now);
+        setMemoryCheckpoint(CHECKPOINT_KEY_LIFECYCLE_WATERMARK, now);
+        return;
+      }
+
       // Read usage watermark (compound cursor: createdAt + id)
       const watermark = Number(
         getMemoryCheckpoint(CHECKPOINT_KEY_WATERMARK) ?? "0",
@@ -138,11 +154,9 @@ export class UsageTelemetryReporter {
       )
         return;
 
-      // Resolve auth context — skip flush when neither auth mode is viable
+      // Resolve auth context — authenticated path uses client, anonymous path
+      // sends unauthenticated (telemetry endpoints are public).
       const client = await VellumPlatformClient.create();
-      if (!client && (!getTelemetryAppToken() || !getTelemetryPlatformUrl())) {
-        return;
-      }
 
       // Build payload
       const typedEvents: TelemetryEvent[] = [
@@ -203,16 +217,8 @@ export class UsageTelemetryReporter {
       if (client) {
         resp = await client.fetch(TELEMETRY_PATH, fetchInit);
       } else {
-        const platformUrl = getTelemetryPlatformUrl();
-        if (!platformUrl) return;
-        const url = `${platformUrl}${TELEMETRY_PATH}`;
-        resp = await fetch(url, {
-          ...fetchInit,
-          headers: {
-            "Content-Type": "application/json",
-            "X-Telemetry-Token": getTelemetryAppToken(),
-          },
-        });
+        const url = `${getPlatformBaseUrl()}${TELEMETRY_PATH}`;
+        resp = await fetch(url, fetchInit);
       }
 
       if (!resp.ok) {

package/src/tools/browser/runtime-check.ts

@@ -1,7 +1,7 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 
-import { getRootDir } from "../../util/platform.js";
+import { getExternalDir } from "../../util/platform.js";
 
 export interface BrowserRuntimeStatus {
   playwrightAvailable: boolean;
@@ -75,7 +75,7 @@ export async function importPlaywright(): Promise<typeof import("playwright")> {
   // filesystem instead of the compiled module cache.
   // Use the internal assistant root (outside tool sandbox working dir)
   // so untrusted workspace writes cannot plant a forged playwright package.
-  const externalDir = join(getRootDir(), "external");
+  const externalDir = getExternalDir();
   const pwPkg = join(externalDir, "node_modules", "playwright");
 
   if (!existsSync(join(pwPkg, "package.json"))) {

package/src/tools/credentials/vault.ts

@@ -3,25 +3,16 @@ import {
   setSlackChannelConfig,
   type SlackChannelConfigResult,
 } from "../../daemon/handlers/config-slack-channel.js";
-import { orchestrateOAuthConnect } from "../../oauth/connect-orchestrator.js";
 import { syncManualTokenConnection } from "../../oauth/manual-token-connection.js";
 import {
   disconnectOAuthProvider,
   getActiveConnection,
-  getAppByProviderAndClientId,
-  getMostRecentAppByProvider,
-  getProvider,
-  listProviders,
 } from "../../oauth/oauth-store.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
-import { buildAssistantEvent } from "../../runtime/assistant-event.js";
-import { assistantEventHub } from "../../runtime/assistant-event-hub.js";
-import { DAEMON_INTERNAL_ASSISTANT_ID } from "../../runtime/assistant-scope.js";
 import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
-  getSecureKeyAsync,
   listSecureKeysAsync,
   setSecureKeyAsync,
 } from "../../security/secure-keys.js";
@@ -90,16 +81,9 @@ class CredentialStoreTool implements Tool {
         properties: {
           action: {
             type: "string",
-            enum: [
-              "store",
-              "list",
-              "delete",
-              "prompt",
-              "oauth2_connect",
-              "describe",
-            ],
+            enum: ["store", "list", "delete", "prompt"],
             description:
-              'The operation to perform. Use "prompt" to ask the user for a secret via secure UI - the value never enters the conversation. Use "oauth2_connect" to connect an OAuth2 service via browser authorization. Use "describe" to get setup metadata for a well-known OAuth service (dashboard URL, scopes, redirect URI, etc.). For well-known services (google, slack), only the service name is required - endpoints, scopes, and stored client credentials are resolved automatically.',
+              'The operation to perform. Use "prompt" to ask the user for a secret via secure UI - the value never enters the conversation.',
           },
           service: {
             type: "string",
@@ -150,22 +134,6 @@ class CredentialStoreTool implements Tool {
             description:
               'Human-readable description of intended usage (for store/prompt actions), e.g. "GitHub login for pushing changes"',
           },
-          scopes: {
-            type: "array",
-            items: { type: "string" },
-            description:
-              "OAuth2 scopes to request (only for oauth2_connect action). Auto-filled for well-known services (google, slack).",
-          },
-          client_id: {
-            type: "string",
-            description:
-              "OAuth2 client ID (only for oauth2_connect action). If omitted, looked up from previously stored credentials.",
-          },
-          client_secret: {
-            type: "string",
-            description:
-              "OAuth2 client secret for providers that require it (e.g. Google, Slack). If omitted, looked up from previously stored credentials; if still absent, PKCE-only is used (only for oauth2_connect action)",
-          },
           alias: {
             type: "string",
             description:
@@ -817,221 +785,6 @@ class CredentialStoreTool implements Tool {
         };
       }
 
-      case "oauth2_connect": {
-        const service = input.service as string | undefined;
-        if (!service)
-          return {
-            content: "Error: service is required for oauth2_connect action",
-            isError: true,
-          };
-
-        // Protocol-level config from the DB (authUrl, tokenUrl, scopes, etc.)
-        const providerRow = getProvider(service);
-
-        // Resolve client_id and client_secret.
-        // Priority:
-        //   1. Explicit input from the caller
-        //   2. oauth-store DB - when clientId is already known, look up the
-        //      matching app so the secret comes from the same app. Only fall
-        //      back to the most-recent-app heuristic when clientId is unknown.
-        let clientId = input.client_id as string | undefined;
-        let clientSecret = input.client_secret as string | undefined;
-
-        if (!clientId || !clientSecret) {
-          const dbApp = clientId
-            ? getAppByProviderAndClientId(service, clientId)
-            : getMostRecentAppByProvider(service);
-          if (dbApp) {
-            if (!clientId) clientId = dbApp.clientId;
-            if (!clientSecret) {
-              clientSecret = await getSecureKeyAsync(
-                dbApp.clientSecretCredentialPath,
-              );
-            }
-          }
-        }
-
-        // Early guardrails that stay in vault.ts (credential resolution is vault-specific)
-        const inputScopes = input.scopes as string[] | undefined;
-
-        if (!providerRow) {
-          return {
-            content: `Error: no OAuth provider registered for "${service}". Ensure the provider is seeded in the database.`,
-            isError: true,
-          };
-        }
-
-        if (!clientId)
-          return {
-            content:
-              "Error: client_id is required for oauth2_connect action. Provide it directly or store it first with credential_store.",
-            isError: true,
-          };
-
-        // Fail early when client_secret is required but missing - guide the
-        // agent to collect it from the user rather than letting it improvise
-        // browser-automation workarounds that inevitably fail.
-        const requiresSecret = !!providerRow.requiresClientSecret;
-        if (requiresSecret && !clientSecret) {
-          return {
-            content: `Error: client_secret is required for ${service} but not found in the vault.\n\nUse credential_store with action "prompt" to securely collect the client_secret from the user before calling oauth2_connect again.`,
-            isError: true,
-          };
-        }
-
-        // Delegate to the shared orchestrator - it resolves authUrl, tokenUrl,
-        // extraParams, userinfoUrl, and tokenEndpointAuthMethod from the DB.
-        const result = await orchestrateOAuthConnect({
-          service,
-          clientId,
-          clientSecret,
-          isInteractive: !!context.isInteractive,
-          sendToClient: context.sendToClient,
-          ...(inputScopes ? { requestedScopes: inputScopes } : {}),
-          onDeferredComplete: (deferredResult) => {
-            // Emit oauth_connect_result to all connected SSE clients so the
-            // UI can update immediately when the deferred browser flow completes.
-            assistantEventHub
-              .publish(
-                buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, {
-                  type: "oauth_connect_result",
-                  success: deferredResult.success,
-                  service: deferredResult.service,
-                  accountInfo: deferredResult.accountInfo,
-                  error: deferredResult.error,
-                }),
-              )
-              .catch((err) => {
-                log.warn(
-                  { err, service: deferredResult.service },
-                  "Failed to publish oauth_connect_result event",
-                );
-              });
-
-            if (deferredResult.success) {
-              log.info(
-                {
-                  service: deferredResult.service,
-                  accountInfo: deferredResult.accountInfo,
-                },
-                "Deferred OAuth connect completed successfully",
-              );
-            } else {
-              log.warn(
-                {
-                  service: deferredResult.service,
-                  err: deferredResult.error,
-                },
-                "Deferred OAuth connect failed",
-              );
-            }
-          },
-        });
-
-        if (!result.success) {
-          return { content: `Error: ${result.error}`, isError: true };
-        }
-
-        if (result.deferred) {
-          return {
-            content: `To connect ${service}, open this link and authorize access:\n\n${result.authUrl}\n\nOnce you authorize, the connection will be set up automatically. You can verify by asking me to check your inbox.`,
-            isError: false,
-          };
-        }
-
-        return {
-          content: `Successfully connected "${service}"${
-            result.accountInfo ? ` as ${result.accountInfo}` : ""
-          }. The service is now ready to use.`,
-          isError: false,
-        };
-      }
-
-      case "describe": {
-        const descService = (input.service as string | undefined) ?? "";
-        if (!descService) {
-          return {
-            content: "Error: service is required for describe action",
-            isError: true,
-          };
-        }
-        const descProviderRow = getProvider(descService);
-        if (!descProviderRow) {
-          const availableServices = listProviders().map((p) => p.providerKey);
-          return {
-            content: `No well-known OAuth config found for "${descService}". Available services: ${availableServices.join(", ")}`,
-            isError: false,
-          };
-        }
-
-        // Compute the redirect URI based on callback transport
-        let redirectUri: string;
-        const transport =
-          (descProviderRow.callbackTransport as
-            | "loopback"
-            | "gateway"
-            | null) ?? "loopback";
-        const loopbackPort = descProviderRow.loopbackPort;
-        if (transport === "loopback" && loopbackPort) {
-          redirectUri = `http://localhost:${loopbackPort}/oauth/callback`;
-        } else if (transport === "loopback") {
-          redirectUri =
-            "(automatic - no redirect URI needed, uses random localhost port)";
-        } else {
-          // Try to compute the actual URL from config/env
-          try {
-            const { loadConfig } = await import("../../config/loader.js");
-            const { getPublicBaseUrl } =
-              await import("../../inbound/public-ingress-urls.js");
-            const baseUrl = getPublicBaseUrl(loadConfig());
-            redirectUri = `${baseUrl}/webhooks/oauth/callback`;
-          } catch {
-            redirectUri =
-              "(requires ingress.publicBaseUrl - not currently configured)";
-          }
-        }
-
-        const requiresClientSecret = !!descProviderRow.requiresClientSecret;
-
-        const descDefaultScopes: string[] = descProviderRow.defaultScopes
-          ? JSON.parse(descProviderRow.defaultScopes)
-          : [];
-
-        const info: Record<string, unknown> = {
-          service: descService,
-          authUrl: descProviderRow.authUrl,
-          tokenUrl: descProviderRow.tokenUrl,
-          scopes: descDefaultScopes,
-          callbackTransport: transport,
-          redirectUri,
-          requiresClientSecret,
-        };
-        if (
-          descProviderRow.displayName &&
-          descProviderRow.dashboardUrl &&
-          descProviderRow.appType
-        ) {
-          info.setup = {
-            displayName: descProviderRow.displayName,
-            dashboardUrl: descProviderRow.dashboardUrl,
-            appType: descProviderRow.appType,
-            requiresClientSecret: !!descProviderRow.requiresClientSecret,
-            ...(descProviderRow.setupNotes
-              ? { notes: JSON.parse(descProviderRow.setupNotes) }
-              : {}),
-          };
-        }
-        if (descProviderRow.extraParams) {
-          try {
-            info.extraParams = JSON.parse(descProviderRow.extraParams);
-          } catch {
-            // Non-fatal
-          }
-        }
-
-        return { content: JSON.stringify(info, null, 2), isError: false };
-      }
-
       default:
         return { content: `Error: unknown action "${action}"`, isError: true };
     }