@vellumai/assistant 0.5.15 → 0.6.0

package/src/runtime/routes/oauth-apps.ts

@@ -253,7 +253,10 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           );
         }
 
-        let body: { scopes?: string[] } = {};
+        let body: {
+          scopes?: string[];
+          callback_transport?: "loopback" | "gateway";
+        } = {};
         try {
           const text = await req.text();
           if (text) {
@@ -263,6 +266,19 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           // No body or invalid JSON — use defaults
         }
 
+        // Validate callback_transport if present
+        if (
+          body.callback_transport !== undefined &&
+          body.callback_transport !== "loopback" &&
+          body.callback_transport !== "gateway"
+        ) {
+          return httpError(
+            "BAD_REQUEST",
+            'callback_transport must be "loopback" or "gateway"',
+            400,
+          );
+        }
+
         const clientSecret = await getAppClientSecret(app);
 
         const result = await orchestrateOAuthConnect({
@@ -270,6 +286,7 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           clientId: app.clientId,
           clientSecret,
           requestedScopes: body.scopes,
+          callbackTransport: body.callback_transport ?? "loopback",
           isInteractive: false,
         });
 

package/src/runtime/routes/oauth-providers.ts

@@ -6,8 +6,10 @@
  * runtime auth middleware.
  */
 
+import { loadConfig } from "../../config/loader.js";
 import { getProvider, listProviders } from "../../oauth/oauth-store.js";
 import { serializeProviderSummary } from "../../oauth/provider-serializer.js";
+import { isProviderVisible } from "../../oauth/provider-visibility.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 
@@ -22,7 +24,9 @@ export function oauthProvidersRouteDefinitions(): RouteDefinition[] {
       method: "GET",
       handler: ({ url }) => {
         const rows = listProviders();
-        let serialized = rows
+        const config = loadConfig();
+        const visibleRows = rows.filter((r) => isProviderVisible(r, config));
+        let serialized = visibleRows
           .map((row) => serializeProviderSummary(row))
           .filter((s): s is NonNullable<typeof s> => s !== null);
 
@@ -53,6 +57,14 @@ export function oauthProvidersRouteDefinitions(): RouteDefinition[] {
           );
         }
 
+        if (!isProviderVisible(row, loadConfig())) {
+          return httpError(
+            "NOT_FOUND",
+            `No OAuth provider registered for "${params.providerKey}"`,
+            404,
+          );
+        }
+
         return Response.json({ provider: serializeProviderSummary(row) });
       },
     },

package/src/runtime/routes/schedule-routes.ts

@@ -229,6 +229,7 @@ async function handleRunScheduleNow(
       );
       const fallbackConversation = bootstrapConversation({
         source: "schedule",
+        groupId: "system:scheduled",
         origin: "schedule",
         systemHint: `Schedule (manual): ${schedule.name}`,
       });
@@ -241,6 +242,7 @@ async function handleRunScheduleNow(
   // Regular message-based schedule
   const conversation = bootstrapConversation({
     source: "schedule",
+    groupId: "system:scheduled",
     origin: "schedule",
     systemHint: `Schedule (manual): ${schedule.name}`,
   });

package/src/runtime/routes/settings-routes.ts

@@ -223,6 +223,7 @@ async function handleOAuthConnectStart(body: {
       requestedScopes: body.requestedScopes,
       clientId,
       clientSecret,
+      callbackTransport: "loopback",
       isInteractive: true,
       openUrl: (url: string) => {
         authUrl = url;

package/src/runtime/routes/skills-routes.ts

@@ -39,6 +39,85 @@ export interface SkillRouteDeps {
   getSkillContext: () => SkillOperationContext;
 }
 
+const slimSkillBase = {
+  id: z.string(),
+  name: z.string(),
+  description: z.string(),
+  emoji: z.string().optional(),
+  kind: z.enum(["bundled", "installed", "catalog"]),
+  status: z.enum(["enabled", "disabled", "available"]),
+};
+
+const slimSkillSchema = z.discriminatedUnion("origin", [
+  z.object({ ...slimSkillBase, origin: z.literal("vellum") }),
+  z.object({
+    ...slimSkillBase,
+    origin: z.literal("clawhub"),
+    slug: z.string(),
+    author: z.string(),
+    stars: z.number(),
+    installs: z.number(),
+    reports: z.number(),
+    publishedAt: z.string().optional(),
+  }),
+  z.object({
+    ...slimSkillBase,
+    origin: z.literal("skillssh"),
+    slug: z.string(),
+    sourceRepo: z.string(),
+    installs: z.number(),
+  }),
+  z.object({ ...slimSkillBase, origin: z.literal("custom") }),
+]);
+
+const skillDetailSchema = z.discriminatedUnion("origin", [
+  z.object({ ...slimSkillBase, origin: z.literal("vellum") }),
+  z.object({
+    ...slimSkillBase,
+    origin: z.literal("clawhub"),
+    slug: z.string(),
+    author: z.string(),
+    stars: z.number(),
+    installs: z.number(),
+    reports: z.number(),
+    publishedAt: z.string().optional(),
+    owner: z
+      .object({
+        handle: z.string(),
+        displayName: z.string(),
+        image: z.string().optional(),
+      })
+      .nullable()
+      .optional(),
+    stats: z
+      .object({
+        stars: z.number(),
+        installs: z.number(),
+        downloads: z.number(),
+        versions: z.number(),
+      })
+      .nullable()
+      .optional(),
+    latestVersion: z
+      .object({
+        version: z.string(),
+        changelog: z.string().optional(),
+      })
+      .nullable()
+      .optional(),
+    createdAt: z.number().nullable().optional(),
+    updatedAt: z.number().nullable().optional(),
+  }),
+  z.object({
+    ...slimSkillBase,
+    origin: z.literal("skillssh"),
+    slug: z.string(),
+    sourceRepo: z.string(),
+    installs: z.number(),
+  }),
+  z.object({ ...slimSkillBase, origin: z.literal("custom") }),
+]);
+
 export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
   const ctx = () => deps.getSkillContext();
 
@@ -60,34 +139,7 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
         },
       ],
       responseBody: z.object({
-        skills: z
-          .array(
-            z.object({
-              id: z.string(),
-              name: z.string(),
-              description: z.string(),
-              emoji: z.string().optional(),
-              homepage: z.string().optional(),
-              source: z.enum([
-                "bundled",
-                "managed",
-                "workspace",
-                "clawhub",
-                "extra",
-                "catalog",
-              ]),
-              state: z.enum(["enabled", "disabled"]),
-              installStatus: z.enum(["bundled", "installed", "available"]),
-              updateAvailable: z.boolean(),
-              provenance: z.object({
-                kind: z.enum(["first-party", "third-party", "local"]),
-                provider: z.string().optional(),
-                originId: z.string().optional(),
-                sourceUrl: z.string().optional(),
-              }),
-            }),
-          )
-          .describe("Skill objects"),
+        skills: z.array(slimSkillSchema).describe("Skill objects"),
       }),
       handler: async ({ url }) => {
         const include = url.searchParams.get("include");
@@ -201,16 +253,23 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
         url: z.string().describe("Skill URL"),
         spec: z.string().describe("Skill spec"),
         version: z.string(),
+        origin: z
+          .enum(["clawhub", "skillssh"])
+          .optional()
+          .describe(
+            "Which registry to install from. When omitted, the install flow auto-detects based on slug format.",
+          ),
       }),
       responseBody: z.object({
         ok: z.boolean(),
       }),
-      handler: async ({ req }) => {
+      handler: async ({ req, authContext }) => {
         const body = (await req.json()) as {
           slug?: string;
           url?: string;
           spec?: string;
           version?: string;
+          origin?: "clawhub" | "skillssh";
         };
         const slug = body.slug ?? body.url ?? body.spec;
         if (!slug || typeof slug !== "string") {
@@ -220,8 +279,9 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
             400,
           );
         }
+        const contactId = authContext.actorPrincipalId ?? undefined;
         const result = await installSkill(
-          { slug, version: body.version },
+          { slug, version: body.version, origin: body.origin, contactId },
           ctx(),
         );
         if (!result.success) {
@@ -265,7 +325,9 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
         },
       ],
       responseBody: z.object({
-        data: z.object({}).passthrough().describe("Search results"),
+        skills: z
+          .array(slimSkillSchema)
+          .describe("Skill objects matching the search query"),
       }),
       handler: async ({ url }) => {
         const query = url.searchParams.get("q") ?? "";
@@ -276,7 +338,7 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
         if (!result.success) {
           return httpError("INTERNAL_ERROR", result.error, 500);
         }
-        return Response.json({ data: result.data });
+        return Response.json({ skills: result.skills });
       },
     },
 
@@ -323,7 +385,7 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
       responseBody: z.object({
         ok: z.boolean(),
       }),
-      handler: async ({ req }) => {
+      handler: async ({ req, authContext }) => {
         const body = (await req.json()) as CreateSkillParams;
         if (
           !body.skillId ||
@@ -337,7 +399,8 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
             400,
           );
         }
-        const result = await createSkill(body, ctx());
+        const contactId = authContext.actorPrincipalId ?? undefined;
+        const result = await createSkill({ ...body, contactId }, ctx());
         if (!result.success) {
           return httpError("INTERNAL_ERROR", result.error, 500);
         }
@@ -395,10 +458,13 @@ export function skillRouteDefinitions(deps: SkillRouteDeps): RouteDefinition[] {
       method: "GET",
       policyKey: "skills",
       summary: "Get skill",
-      description: "Return a single skill by ID.",
+      description: "Return a single skill by ID with enriched detail fields.",
       tags: ["skills"],
-      handler: ({ params }) => {
-        const result = getSkill(params.id, ctx());
+      responseBody: z.object({
+        skill: skillDetailSchema.describe("Skill detail object"),
+      }),
+      handler: async ({ params }) => {
+        const result = await getSkill(params.id, ctx());
         if ("error" in result) {
           if (result.status === 404) {
             return httpError("NOT_FOUND", result.error, 404);

package/src/runtime/routes/usage-routes.ts

@@ -11,6 +11,7 @@ import { z } from "zod";
 import {
   getUsageDayBuckets,
   getUsageGroupBreakdown,
+  getUsageHourBuckets,
   getUsageTotals,
 } from "../../memory/llm-usage-store.js";
 import { httpError } from "../http-errors.js";
@@ -104,14 +105,30 @@ export function usageRouteDefinitions(): RouteDefinition[] {
           schema: { type: "integer" },
           description: "End epoch millis (required)",
         },
+        {
+          name: "granularity",
+          schema: { type: "string", enum: ["daily", "hourly"] },
+          description: 'Bucket granularity: "daily" (default) or "hourly"',
+        },
       ],
       responseBody: z.object({
-        buckets: z.array(z.unknown()).describe("Daily usage bucket objects"),
+        buckets: z.array(z.unknown()).describe("Usage bucket objects"),
       }),
       handler: ({ url }) => {
         const range = parseTimeRange(url);
         if (range instanceof Response) return range;
-        const buckets = getUsageDayBuckets(range);
+        const granularity = url.searchParams.get("granularity") ?? "daily";
+        if (granularity !== "daily" && granularity !== "hourly") {
+          return httpError(
+            "BAD_REQUEST",
+            `Invalid "granularity" value: "${granularity}". Must be one of: daily, hourly`,
+            400,
+          );
+        }
+        const buckets =
+          granularity === "hourly"
+            ? getUsageHourBuckets(range)
+            : getUsageDayBuckets(range);
         return Response.json({ buckets });
       },
     },

package/src/runtime/routes/work-items-routes.test.ts

@@ -5,23 +5,7 @@
  * item falls back to the task-level required tools instead of silently
  * skipping permission checks.
  */
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { afterAll, describe, expect, mock, test } from "bun:test";
-
-const testDir = mkdtempSync(join(tmpdir(), "work-items-routes-test-"));
-
-mock.module("../../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
+import { describe, expect, mock, test } from "bun:test";
 
 mock.module("../../util/logger.js", () => ({
   getLogger: () =>
@@ -35,7 +19,7 @@ mock.module("../../permissions/checker.js", () => ({
   classifyRisk: async () => "high",
 }));
 
-import { initializeDb, resetDb } from "../../memory/db.js";
+import { initializeDb } from "../../memory/db.js";
 import { createTask } from "../../tasks/task-store.js";
 import { createWorkItem } from "../../work-items/work-item-store.js";
 import type { RouteContext } from "../http-router.js";
@@ -46,15 +30,6 @@ import {
 
 initializeDb();
 
-afterAll(() => {
-  resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
-});
-
 describe("empty required_tools snapshot bypass", () => {
   test("falls back to task required tools when snapshot requiredTools is empty", async () => {
     const task = createTask({

package/src/runtime/routes/workspace-routes.test.ts

@@ -4,37 +4,17 @@
  * Covers path resolution (traversal prevention), MIME type detection,
  * directory listing, file metadata, and raw content serving with range support.
  */
-import {
-  existsSync,
-  mkdirSync,
-  mkdtempSync,
-  readFileSync,
-  realpathSync,
-  rmSync,
-  writeFileSync,
-} from "node:fs";
-import { tmpdir } from "node:os";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
-import { afterAll, beforeAll, describe, expect, mock, test } from "bun:test";
+import { beforeAll, describe, expect, test } from "bun:test";
 
 // ---------------------------------------------------------------------------
 // Create a temp workspace directory for isolation
 // ---------------------------------------------------------------------------
 
-const testWorkspaceDir = realpathSync(
-  mkdtempSync(join(tmpdir(), "workspace-routes-test-")),
-);
+const testWorkspaceDir = process.env.VELLUM_WORKSPACE_DIR!;
 
 // Mock platform module so getWorkspaceDir returns our temp dir
-mock.module("../../util/platform.js", () => ({
-  getWorkspaceDir: () => testWorkspaceDir,
-  getRootDir: () => testWorkspaceDir,
-  getDataDir: () => testWorkspaceDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-}));
-
 import { workspaceRouteDefinitions } from "./workspace-routes.js";
 import { isTextMimeType, resolveWorkspacePath } from "./workspace-utils.js";
 
@@ -65,10 +45,6 @@ beforeAll(() => {
   writeFileSync(binaryFile, pngSignature);
 });
 
-afterAll(() => {
-  rmSync(testWorkspaceDir, { recursive: true, force: true });
-});
-
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------

package/src/schedule/scheduler.ts

@@ -188,7 +188,12 @@ async function runScheduleOnce(
         );
         const { runTask } = await import("../tasks/task-runner.js");
         const result = await runTask(
-          { taskId, workingDir: process.cwd(), source: "schedule", scheduleJobId: job.id },
+          {
+            taskId,
+            workingDir: process.cwd(),
+            source: "schedule",
+            scheduleJobId: job.id,
+          },
           processMessage as (
             conversationId: string,
             message: string,
@@ -237,6 +242,7 @@ async function runScheduleOnce(
         const fallbackConversation = bootstrapConversation({
           source: "schedule",
           scheduleJobId: job.id,
+          groupId: "system:scheduled",
           origin: "schedule",
           systemHint: `Schedule: ${job.name}`,
         });
@@ -255,6 +261,7 @@ async function runScheduleOnce(
     const conversation = bootstrapConversation({
       source: "schedule",
       scheduleJobId: job.id,
+      groupId: "system:scheduled",
       origin: "schedule",
       systemHint: isOneShot ? `Reminder: ${job.name}` : `Schedule: ${job.name}`,
     });

package/src/security/oauth2.ts

@@ -61,7 +61,7 @@ export interface OAuth2TokenResult {
 
 export interface OAuth2FlowCallbacks {
   /** Open a URL in the user's browser (e.g. via `open_url` message). */
-  openUrl: (url: string) => void;
+  openUrl: (url: string) => void | Promise<void>;
 }
 
 export interface OAuth2FlowOptions {

package/src/security/secret-allowlist.ts

@@ -1,7 +1,7 @@
 /**
  * User-defined allowlist for suppressing secret scanner false positives.
  *
- * Reads `~/.vellum/secret-allowlist.json` (if present) and provides
+ * Reads `~/.vellum/workspace/data/secret-allowlist.json` (if present) and provides
  * `isAllowlisted(value)` to check whether a matched value should be
  * suppressed.
  *
@@ -18,7 +18,7 @@ import { join } from "node:path";
 
 import { pathExists } from "../util/fs.js";
 import { getLogger } from "../util/logger.js";
-import { getProtectedDir } from "../util/platform.js";
+import { getDataDir } from "../util/platform.js";
 
 const log = getLogger("secret-allowlist");
 
@@ -45,7 +45,7 @@ let allowedRegexes: RegExp[] = [];
 export function loadAllowlist(): void {
   if (loaded || fileChecked) return;
 
-  const filePath = join(getProtectedDir(), "secret-allowlist.json");
+  const filePath = join(getDataDir(), "secret-allowlist.json");
   if (!pathExists(filePath)) {
     fileChecked = true;
     return;
@@ -169,7 +169,7 @@ function validateAllowlist(
  * Returns validation errors, or null if the file doesn't exist.
  */
 export function validateAllowlistFile(): AllowlistValidationError[] | null {
-  const filePath = join(getProtectedDir(), "secret-allowlist.json");
+  const filePath = join(getDataDir(), "secret-allowlist.json");
   if (!pathExists(filePath)) return null;
 
   const raw = readFileSync(filePath, "utf-8");

package/src/security/secure-keys.ts

@@ -22,9 +22,9 @@ import type {
   SecureKeyDeleteResult,
 } from "@vellumai/credential-storage";
 
-import providerEnvVarsRegistry from "../../../meta/provider-env-vars.json" with { type: "json" };
 import { getIsContainerized } from "../config/env-registry.js";
 import type { CesClient } from "../credential-execution/client.js";
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 import { getLogger } from "../util/logger.js";
 import { createCesCredentialBackend } from "./ces-credential-client.js";
 import { CesRpcCredentialBackend } from "./ces-rpc-credential-backend.js";
@@ -395,14 +395,10 @@ export async function deleteSecureKeyAsync(
 // ---------------------------------------------------------------------------
 
 /**
- * Env var names keyed by provider. Loaded from the shared registry at
- * `meta/provider-env-vars.json` — the single source of truth also consumed
- * by the CLI and the macOS client.
- * Ollama is intentionally omitted from the registry — it doesn't require
- * an API key.
+ * Env var names keyed by provider.
+ * Ollama is intentionally omitted — it doesn't require an API key.
  */
-const PROVIDER_ENV_VARS: Record<string, string> =
-  providerEnvVarsRegistry.providers;
+const PROVIDER_ENV_VARS: Record<string, string> = PROVIDER_ENV_VAR_NAMES;
 
 /**
  * Retrieve a provider API key, checking secure storage first and falling

package/src/shared/provider-env-vars.ts

@@ -0,0 +1,19 @@
+/**
+ * Provider API key environment variable names, keyed by provider ID.
+ *
+ * Keep in sync with:
+ *   - cli/src/shared/provider-env-vars.ts
+ *   - meta/provider-env-vars.json  (consumed by the macOS client build)
+ *
+ * Once a consolidated shared package exists in packages/, all three
+ * copies can be replaced by a single import.
+ */
+export const PROVIDER_ENV_VAR_NAMES: Record<string, string> = {
+  anthropic: "ANTHROPIC_API_KEY",
+  openai: "OPENAI_API_KEY",
+  gemini: "GEMINI_API_KEY",
+  fireworks: "FIREWORKS_API_KEY",
+  openrouter: "OPENROUTER_API_KEY",
+  brave: "BRAVE_API_KEY",
+  perplexity: "PERPLEXITY_API_KEY",
+};

package/src/skills/catalog-cache.ts

@@ -37,6 +37,11 @@ export async function getCatalog(): Promise<CatalogSkill[]> {
   return catalog;
 }
 
+/** Return the cached catalog synchronously, or [] if no cache exists yet. */
+export function getCachedCatalogSync(): CatalogSkill[] {
+  return cachedCatalog ?? [];
+}
+
 /** Invalidate the cache (for testing or forced refresh). */
 export function invalidateCatalogCache(): void {
   cachedCatalog = null;

package/src/skills/catalog-install.ts

@@ -16,6 +16,7 @@ import { gunzipSync } from "node:zlib";
 import { getPlatformBaseUrl } from "../config/env.js";
 import { getLogger } from "../util/logger.js";
 import { getWorkspaceSkillsDir, readPlatformToken } from "../util/platform.js";
+import { computeSkillHash, writeInstallMeta } from "./install-meta.js";
 import { deleteSkillCapabilityMemory } from "./skill-memory.js";
 
 const log = getLogger("catalog-install");
@@ -270,6 +271,7 @@ export async function installSkillLocally(
   skillId: string,
   catalogEntry: CatalogSkill,
   overwrite: boolean,
+  contactId?: string,
 ): Promise<void> {
   const skillDir = join(getWorkspaceSkillsDir(), skillId);
   const skillFilePath = join(skillDir, "SKILL.md");
@@ -294,19 +296,18 @@ export async function installSkillLocally(
     await fetchAndExtractSkill(skillId, skillDir);
   }
 
-  // Write version metadata
-  if (catalogEntry.version) {
-    const meta = {
-      version: catalogEntry.version,
-      installedAt: new Date().toISOString(),
-    };
-    atomicWriteFile(
-      join(skillDir, "version.json"),
-      JSON.stringify(meta, null, 2) + "\n",
-    );
-  }
+  // Write install metadata
+  writeInstallMeta(skillDir, {
+    origin: "vellum",
+    installedAt: new Date().toISOString(),
+    ...(catalogEntry.version ? { version: catalogEntry.version } : {}),
+    ...(contactId ? { installedBy: contactId } : {}),
+    contentHash: computeSkillHash(skillDir) ?? undefined,
+  });
 
-  // Install npm dependencies if the skill has a package.json
+  // Post-install: install dependencies first, then index the skill.
+  // Running bun install before upsertSkillsIndex ensures we don't index a
+  // skill whose dependencies failed to install.
   if (existsSync(join(skillDir, "package.json"))) {
     const bunPath = `${homedir()}/.bun/bin`;
     execSync("bun install", {
@@ -315,8 +316,6 @@ export async function installSkillLocally(
       env: { ...process.env, PATH: `${bunPath}:${process.env.PATH}` },
     });
   }
-
-  // Register in SKILLS.md only after all steps succeed
   upsertSkillsIndex(skillId);
 }
 
@@ -393,6 +392,8 @@ export async function autoInstallFromCatalog(
     return false;
   }
 
+  // installSkillLocally handles dependency installation and SKILLS.md indexing.
   await installSkillLocally(skillId, entry, false);
+
   return true;
 }