@vellumai/assistant 0.5.4 → 0.5.6

package/src/oauth/connection-resolver.ts

@@ -1,13 +1,15 @@
-import { getPlatformAssistantId } from "../config/env.js";
 import { getConfig } from "../config/loader.js";
 import { type Services, ServicesSchema } from "../config/schemas/services.js";
-import { resolveManagedProxyContext } from "../providers/managed-proxy/context.js";
+import { VellumPlatformClient } from "../platform/client.js";
 import { getSecureKeyAsync } from "../security/secure-keys.js";
+import { getLogger } from "../util/logger.js";
 import { BYOOAuthConnection } from "./byo-connection.js";
 import type { OAuthConnection } from "./connection.js";
 import { getActiveConnection, getProvider } from "./oauth-store.js";
 import { PlatformOAuthConnection } from "./platform-connection.js";
 
+const log = getLogger("connection-resolver");
+
 export interface ResolveOAuthConnectionOptions {
   /** OAuth app client ID — narrows to a specific app when multiple BYO apps
    *  exist for the same provider. */
@@ -46,16 +48,32 @@ export async function resolveOAuthConnection(
   if (managedKey && managedKey in ServicesSchema.shape) {
     const services: Services = getConfig().services;
     if (services[managedKey as keyof Services].mode === "managed") {
-      const ctx = await resolveManagedProxyContext();
-      const assistantId = getPlatformAssistantId();
+      const client = await VellumPlatformClient.create();
+      if (!client || !client.platformAssistantId) {
+        const detail = !client
+          ? "missing platform prerequisites"
+          : "missing assistant ID";
+        throw new Error(
+          `Platform-managed connection for "${providerKey}" cannot be created: ${detail}. ` +
+            `Log in to the Vellum platform or switch to using your own OAuth app.`,
+        );
+      }
+
+      const providerSlug = providerKey.replace(/^integration:/, "");
+
+      const connectionId = await resolvePlatformConnectionId({
+        client,
+        provider: providerSlug,
+        account,
+      });
+
       return new PlatformOAuthConnection({
         id: providerKey,
         providerKey,
         externalId: providerKey,
         accountInfo: account ?? null,
-        assistantId,
-        platformBaseUrl: ctx.platformBaseUrl,
-        apiKey: ctx.assistantApiKey,
+        client,
+        connectionId,
       });
     }
   }
@@ -98,3 +116,70 @@ export async function resolveOAuthConnection(
     accountInfo: conn.accountInfo,
   });
 }
+
+// ---------------------------------------------------------------------------
+// Platform connection ID resolution
+// ---------------------------------------------------------------------------
+
+interface ResolvePlatformConnectionIdOptions {
+  client: VellumPlatformClient;
+  provider: string;
+  account?: string;
+}
+
+/**
+ * Fetch the platform-side connection ID for a managed provider by calling
+ * the List Connections endpoint.
+ */
+async function resolvePlatformConnectionId(
+  options: ResolvePlatformConnectionIdOptions,
+): Promise<string> {
+  const { client, provider, account } = options;
+
+  const params = new URLSearchParams();
+  params.set("provider", provider);
+  params.set("status", "ACTIVE");
+  if (account) {
+    params.set("account_identifier", account);
+  }
+
+  const path = `/v1/assistants/${client.platformAssistantId}/oauth/connections/?${params.toString()}`;
+  const response = await client.fetch(path);
+
+  if (!response.ok) {
+    log.error(
+      { status: response.status, provider },
+      "Failed to list platform OAuth connections",
+    );
+    throw new Error(
+      `Failed to resolve platform connection for "${provider}": HTTP ${response.status}`,
+    );
+  }
+
+  const body = (await response.json()) as {
+    results?: Array<{ id: string; account_label?: string }>;
+  };
+  const connections = body.results ?? [];
+
+  if (connections.length === 0) {
+    throw new Error(
+      `No active platform OAuth connection found for provider "${provider}"` +
+        (account ? ` with account "${account}"` : "") +
+        ". Connect the service on the Vellum platform first.",
+    );
+  }
+
+  if (connections.length > 1 && !account) {
+    log.warn(
+      {
+        provider,
+        count: connections.length,
+        selectedId: connections[0].id,
+      },
+      "Multiple active platform connections found; using the most recently created. " +
+        "Pass an account option to select a specific connection.",
+    );
+  }
+
+  return connections[0].id;
+}

package/src/oauth/platform-connection.test.ts

@@ -1,5 +1,6 @@
-import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import { describe, expect, mock, test } from "bun:test";
 
+import type { VellumPlatformClient } from "../platform/client.js";
 import { BackendError, VellumError } from "../util/errors.js";
 import {
   CredentialRequiredError,
@@ -7,40 +8,53 @@ import {
   ProviderUnreachableError,
 } from "./platform-connection.js";
 
+function makeMockClient(
+  fetchImpl?: typeof globalThis.fetch,
+): VellumPlatformClient {
+  const mockFetchFn =
+    fetchImpl ??
+    (mock(async () => {
+      return new Response(
+        JSON.stringify({ status: 200, headers: {}, body: null }),
+        { status: 200 },
+      );
+    }) as unknown as typeof globalThis.fetch);
+
+  return {
+    baseUrl: "https://platform.example.com",
+    assistantApiKey: "test-api-key",
+    platformAssistantId: "asst-abc",
+    fetch: mock(async (path: string, init?: RequestInit) => {
+      const url = `https://platform.example.com${path}`;
+      const headers = new Headers(init?.headers);
+      headers.set("Authorization", "Api-Key test-api-key");
+      return mockFetchFn(url, { ...init, headers });
+    }),
+  } as unknown as VellumPlatformClient;
+}
+
 const DEFAULT_OPTIONS = {
   id: "conn-1",
   providerKey: "integration:google",
   externalId: "ext-123",
   accountInfo: "user@example.com",
-  assistantId: "asst-abc",
-  platformBaseUrl: "https://platform.example.com",
-  apiKey: "test-api-key",
+  client: makeMockClient(),
+  connectionId: "platform-conn-123",
 };
 
 describe("PlatformOAuthConnection", () => {
-  let originalFetch: typeof globalThis.fetch;
-
-  beforeEach(() => {
-    originalFetch = globalThis.fetch;
-  });
-
-  afterEach(() => {
-    globalThis.fetch = originalFetch;
-  });
-
   test("successful proxied request", async () => {
     const upstreamBody = { messages: [{ id: "msg-1", snippet: "Hello" }] };
 
-    globalThis.fetch = mock(
-      async (url: string | URL | Request, init?: RequestInit) => {
-        expect(url).toBe(
-          "https://platform.example.com/v1/assistants/asst-abc/external-provider-proxy/google/",
+    const client = makeMockClient(
+      mock(async (url: string | URL | Request, init?: RequestInit) => {
+        expect(String(url)).toBe(
+          "https://platform.example.com/v1/assistants/asst-abc/external-provider-proxy/platform-conn-123/",
         );
         expect(init?.method).toBe("POST");
-        expect(init?.headers).toEqual({
-          Authorization: "Api-Key test-api-key",
-          "Content-Type": "application/json",
-        });
+        const headers = new Headers(init?.headers);
+        expect(headers.get("Authorization")).toBe("Api-Key test-api-key");
+        expect(headers.get("Content-Type")).toBe("application/json");
 
         const parsed = JSON.parse(init?.body as string);
         expect(parsed).toEqual({
@@ -61,10 +75,13 @@ describe("PlatformOAuthConnection", () => {
           }),
           { status: 200 },
         );
-      },
-    ) as unknown as typeof globalThis.fetch;
+      }) as unknown as typeof globalThis.fetch,
+    );
 
-    const conn = new PlatformOAuthConnection(DEFAULT_OPTIONS);
+    const conn = new PlatformOAuthConnection({
+      ...DEFAULT_OPTIONS,
+      client,
+    });
     const result = await conn.request({
       method: "GET",
       path: "/gmail/v1/users/me/messages",
@@ -77,8 +94,8 @@ describe("PlatformOAuthConnection", () => {
   });
 
   test("forwards baseUrl when provided", async () => {
-    globalThis.fetch = mock(
-      async (_url: string | URL | Request, init?: RequestInit) => {
+    const client = makeMockClient(
+      mock(async (_url: string | URL | Request, init?: RequestInit) => {
         const parsed = JSON.parse(init?.body as string);
         expect(parsed.request.baseUrl).toBe(
           "https://www.googleapis.com/calendar/v3",
@@ -88,10 +105,10 @@ describe("PlatformOAuthConnection", () => {
           JSON.stringify({ status: 200, headers: {}, body: {} }),
           { status: 200 },
         );
-      },
-    ) as unknown as typeof globalThis.fetch;
+      }) as unknown as typeof globalThis.fetch,
+    );
 
-    const conn = new PlatformOAuthConnection(DEFAULT_OPTIONS);
+    const conn = new PlatformOAuthConnection({ ...DEFAULT_OPTIONS, client });
     await conn.request({
       method: "GET",
       path: "/calendars/primary/events",
@@ -100,8 +117,8 @@ describe("PlatformOAuthConnection", () => {
   });
 
   test("omits baseUrl from envelope when not provided", async () => {
-    globalThis.fetch = mock(
-      async (_url: string | URL | Request, init?: RequestInit) => {
+    const client = makeMockClient(
+      mock(async (_url: string | URL | Request, init?: RequestInit) => {
         const parsed = JSON.parse(init?.body as string);
         expect("baseUrl" in parsed.request).toBe(false);
 
@@ -109,10 +126,10 @@ describe("PlatformOAuthConnection", () => {
           JSON.stringify({ status: 200, headers: {}, body: null }),
           { status: 200 },
         );
-      },
-    ) as unknown as typeof globalThis.fetch;
+      }) as unknown as typeof globalThis.fetch,
+    );
 
-    const conn = new PlatformOAuthConnection(DEFAULT_OPTIONS);
+    const conn = new PlatformOAuthConnection({ ...DEFAULT_OPTIONS, client });
     await conn.request({ method: "GET", path: "/some/path" });
   });
 
@@ -127,22 +144,26 @@ describe("PlatformOAuthConnection", () => {
   });
 
   test("424 response throws CredentialRequiredError", async () => {
-    globalThis.fetch = mock(async () => {
-      return new Response("", { status: 424 });
-    }) as unknown as typeof globalThis.fetch;
+    const client = makeMockClient(
+      mock(
+        async () => new Response("", { status: 424 }),
+      ) as unknown as typeof globalThis.fetch,
+    );
 
-    const conn = new PlatformOAuthConnection(DEFAULT_OPTIONS);
+    const conn = new PlatformOAuthConnection({ ...DEFAULT_OPTIONS, client });
     await expect(
       conn.request({ method: "GET", path: "/test" }),
     ).rejects.toThrow(CredentialRequiredError);
   });
 
   test("502 response throws ProviderUnreachableError", async () => {
-    globalThis.fetch = mock(async () => {
-      return new Response("", { status: 502 });
-    }) as unknown as typeof globalThis.fetch;
+    const client = makeMockClient(
+      mock(
+        async () => new Response("", { status: 502 }),
+      ) as unknown as typeof globalThis.fetch,
+    );
 
-    const conn = new PlatformOAuthConnection(DEFAULT_OPTIONS);
+    const conn = new PlatformOAuthConnection({ ...DEFAULT_OPTIONS, client });
     await expect(
       conn.request({ method: "GET", path: "/test" }),
     ).rejects.toThrow(ProviderUnreachableError);
@@ -155,36 +176,24 @@ describe("PlatformOAuthConnection", () => {
     );
   });
 
-  test("strips trailing slash from platformBaseUrl to avoid double slashes", async () => {
-    globalThis.fetch = mock(async (url: string | URL | Request) => {
-      expect(String(url)).toBe(
-        "https://platform.example.com/v1/assistants/asst-abc/external-provider-proxy/google/",
-      );
-      return new Response(
-        JSON.stringify({ status: 200, headers: {}, body: null }),
-        { status: 200 },
-      );
-    }) as unknown as typeof globalThis.fetch;
-
-    const conn = new PlatformOAuthConnection({
-      ...DEFAULT_OPTIONS,
-      platformBaseUrl: "https://platform.example.com/",
-    });
-    await conn.request({ method: "GET", path: "/test" });
-  });
-
-  test("strips integration: prefix from providerKey for slug", async () => {
-    globalThis.fetch = mock(async (url: string | URL | Request) => {
-      expect(String(url)).toContain("/external-provider-proxy/slack/");
-      return new Response(
-        JSON.stringify({ status: 200, headers: {}, body: null }),
-        { status: 200 },
-      );
-    }) as unknown as typeof globalThis.fetch;
+  test("uses connectionId in proxy URL regardless of providerKey format", async () => {
+    const client = makeMockClient(
+      mock(async (url: string | URL | Request) => {
+        expect(String(url)).toContain(
+          "/external-provider-proxy/slack-conn-456/",
+        );
+        return new Response(
+          JSON.stringify({ status: 200, headers: {}, body: null }),
+          { status: 200 },
+        );
+      }) as unknown as typeof globalThis.fetch,
+    );
 
     const conn = new PlatformOAuthConnection({
       ...DEFAULT_OPTIONS,
+      client,
       providerKey: "integration:slack",
+      connectionId: "slack-conn-456",
     });
     await conn.request({ method: "GET", path: "/test" });
   });

package/src/oauth/platform-connection.ts

@@ -1,3 +1,4 @@
+import type { VellumPlatformClient } from "../platform/client.js";
 import { BackendError } from "../util/errors.js";
 import type {
   OAuthConnection,
@@ -24,9 +25,9 @@ export interface PlatformOAuthConnectionOptions {
   providerKey: string;
   externalId: string;
   accountInfo: string | null;
-  assistantId: string;
-  platformBaseUrl: string;
-  apiKey: string;
+  client: VellumPlatformClient;
+  /** Platform-side connection ID used in the proxy URL path. */
+  connectionId: string;
 }
 
 export class PlatformOAuthConnection implements OAuthConnection {
@@ -35,18 +36,13 @@ export class PlatformOAuthConnection implements OAuthConnection {
   readonly externalId: string;
   readonly accountInfo: string | null;
 
-  private readonly assistantId: string;
-  private readonly platformBaseUrl: string;
-  private readonly apiKey: string;
+  private readonly client: VellumPlatformClient;
+  private readonly connectionId: string;
 
   constructor(options: PlatformOAuthConnectionOptions) {
-    const missing: string[] = [];
-    if (!options.platformBaseUrl) missing.push("platform base URL");
-    if (!options.apiKey) missing.push("assistant API key");
-    if (!options.assistantId) missing.push("assistant ID");
-    if (missing.length > 0) {
+    if (!options.connectionId) {
       throw new BackendError(
-        `Platform-managed connection for "${options.providerKey}" cannot be created: missing ${missing.join(", ")}. ` +
+        `Platform-managed connection for "${options.providerKey}" cannot be created: missing connection ID. ` +
           `Log in to the Vellum platform or switch to using your own OAuth app.`,
       );
     }
@@ -55,14 +51,12 @@ export class PlatformOAuthConnection implements OAuthConnection {
     this.providerKey = options.providerKey;
     this.externalId = options.externalId;
     this.accountInfo = options.accountInfo;
-    this.assistantId = options.assistantId;
-    this.platformBaseUrl = options.platformBaseUrl.replace(/\/+$/, "");
-    this.apiKey = options.apiKey;
+    this.client = options.client;
+    this.connectionId = options.connectionId;
   }
 
   async request(req: OAuthConnectionRequest): Promise<OAuthConnectionResponse> {
-    const providerSlug = this.providerKey.replace(/^integration:/, "");
-    const proxyUrl = `${this.platformBaseUrl}/v1/assistants/${this.assistantId}/external-provider-proxy/${providerSlug}/`;
+    const proxyPath = `/v1/assistants/${this.client.platformAssistantId}/external-provider-proxy/${this.connectionId}/`;
 
     const body: Record<string, unknown> = {
       request: {
@@ -75,10 +69,9 @@ export class PlatformOAuthConnection implements OAuthConnection {
       },
     };
 
-    const response = await fetch(proxyUrl, {
+    const response = await this.client.fetch(proxyPath, {
       method: "POST",
       headers: {
-        Authorization: `Api-Key ${this.apiKey}`,
         "Content-Type": "application/json",
       },
       body: JSON.stringify(body),

package/src/permissions/defaults.ts

@@ -2,7 +2,7 @@ import { join } from "node:path";
 
 import { getConfig } from "../config/loader.js";
 import { getBundledSkillsDir } from "../config/skills.js";
-import { getRootDir } from "../util/platform.js";
+import { getWorkspaceDir } from "../util/platform.js";
 
 export interface DefaultRuleTemplate {
   id: string;
@@ -116,7 +116,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // Workspace prompt files — the agent should always be able to read, edit,
   // and write these without prompting.  Also allow `rm BOOTSTRAP.md` so the
   // agent can delete it at the end of the onboarding ritual.
-  const workspaceDir = join(getRootDir(), "workspace").replaceAll("\\", "/");
+  const workspaceDir = getWorkspaceDir().replaceAll("\\", "/");
   const WORKSPACE_PROMPT_FILES = [
     "IDENTITY.md",
     "USER.md",
@@ -163,7 +163,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // Skill source directories — writing or editing skill source files should
   // require explicit user approval so a compromised agent loop cannot silently
   // modify skill code to escalate privileges.
-  const managedSkillsDir = join(getRootDir(), "workspace", "skills").replaceAll(
+  const managedSkillsDir = join(getWorkspaceDir(), "skills").replaceAll(
     "\\",
     "/",
   );