@vellumai/assistant 0.5.9 → 0.5.10

package/src/__tests__/workspace-migration-016-migrate-credentials-from-keychain.test.ts

@@ -1,220 +1,19 @@
-import { beforeEach, describe, expect, mock, test } from "bun:test";
+import { describe, expect, test } from "bun:test";
 
-// ---------------------------------------------------------------------------
-// Mock state
-// ---------------------------------------------------------------------------
-
-const isAvailableFn = mock((): boolean => true);
-const brokerGetFn = mock(
-  async (
-    _account: string,
-  ): Promise<{ found: boolean; value?: string } | null> => ({
-    found: true,
-    value: "secret",
-  }),
-);
-const brokerDelFn = mock(async (_account: string): Promise<boolean> => true);
-const brokerListFn = mock(async (): Promise<string[]> => []);
-const createBrokerClientFn = mock(() => ({
-  isAvailable: isAvailableFn,
-  get: brokerGetFn,
-  del: brokerDelFn,
-  list: brokerListFn,
-}));
-
-const setKeyFn = mock(
-  (_account: string, _value: string): boolean => true,
-);
-
-// ---------------------------------------------------------------------------
-// Mock modules — before importing module under test
-//
-// The logger is mocked with a silent Proxy to suppress pino output in tests.
-// The broker client and encrypted store are mocked to control migration
-// behavior without touching real keychain or filesystem state.
-// ---------------------------------------------------------------------------
-
-mock.module("../util/logger.js", () => ({
-  getLogger: () =>
-    new Proxy({} as Record<string, unknown>, {
-      get: () => () => {},
-    }),
-}));
-
-mock.module("../security/keychain-broker-client.js", () => ({
-  createBrokerClient: createBrokerClientFn,
-}));
-
-mock.module("../security/encrypted-store.js", () => ({
-  setKey: setKeyFn,
-}));
-
-// Import after mocking
 import { migrateCredentialsFromKeychainMigration } from "../workspace/migrations/016-migrate-credentials-from-keychain.js";
 
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-const WORKSPACE_DIR = "/mock-home/.vellum/workspace";
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
 describe("016-migrate-credentials-from-keychain migration", () => {
-  beforeEach(() => {
-    isAvailableFn.mockClear();
-    brokerGetFn.mockClear();
-    brokerDelFn.mockClear();
-    brokerListFn.mockClear();
-    createBrokerClientFn.mockClear();
-    setKeyFn.mockClear();
-
-    // Defaults: mac production build
-    process.env.VELLUM_DESKTOP_APP = "1";
-    delete process.env.VELLUM_DEV;
-
-    isAvailableFn.mockReturnValue(true);
-    brokerGetFn.mockResolvedValue({ found: true, value: "secret" });
-    brokerDelFn.mockResolvedValue(true);
-    brokerListFn.mockResolvedValue([]);
-    setKeyFn.mockReturnValue(true);
-  });
-
   test("has correct migration id", () => {
     expect(migrateCredentialsFromKeychainMigration.id).toBe(
       "016-migrate-credentials-from-keychain",
     );
   });
 
-  test("skips when VELLUM_DESKTOP_APP is not set", async () => {
-    delete process.env.VELLUM_DESKTOP_APP;
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-    expect(brokerListFn).not.toHaveBeenCalled();
-  });
-
-  test("skips when VELLUM_DESKTOP_APP is not '1'", async () => {
-    process.env.VELLUM_DESKTOP_APP = "0";
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-  });
-
-  test("skips when VELLUM_DEV=1", async () => {
-    process.env.VELLUM_DEV = "1";
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-    expect(brokerListFn).not.toHaveBeenCalled();
+  test("run is a no-op", async () => {
+    await migrateCredentialsFromKeychainMigration.run("/fake");
   });
 
-  test(
-    "throws when broker is not available (skips checkpoint for retry)",
-    async () => {
-      isAvailableFn.mockReturnValue(false);
-
-      // Throwing skips the checkpoint so the migration retries on next startup
-      await expect(
-        migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR),
-      ).rejects.toThrow("Keychain broker not available after waiting");
-
-      // Should not proceed to list or migrate keys
-      expect(brokerListFn).not.toHaveBeenCalled();
-      expect(setKeyFn).not.toHaveBeenCalled();
-    },
-    { timeout: 10_000 },
-  );
-
-  test("no-ops when keychain has no accounts", async () => {
-    brokerListFn.mockResolvedValue([]);
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(setKeyFn).not.toHaveBeenCalled();
-    expect(brokerDelFn).not.toHaveBeenCalled();
-  });
-
-  test("copies credentials from keychain to encrypted store and deletes from keychain", async () => {
-    brokerListFn.mockResolvedValue(["account-a", "account-b"]);
-    brokerGetFn.mockImplementation(async (account: string) => {
-      if (account === "account-a") return { found: true, value: "secret-a" };
-      if (account === "account-b") return { found: true, value: "secret-b" };
-      return null;
-    });
-    setKeyFn.mockReturnValue(true);
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    // Should have written each key to encrypted store
-    expect(setKeyFn).toHaveBeenCalledTimes(2);
-    expect(setKeyFn).toHaveBeenCalledWith("account-a", "secret-a");
-    expect(setKeyFn).toHaveBeenCalledWith("account-b", "secret-b");
-
-    // Should have deleted each key from keychain after successful migration
-    expect(brokerDelFn).toHaveBeenCalledTimes(2);
-    expect(brokerDelFn).toHaveBeenCalledWith("account-a");
-    expect(brokerDelFn).toHaveBeenCalledWith("account-b");
-  });
-
-  test("skips key when broker.get returns null", async () => {
-    brokerListFn.mockResolvedValue(["ghost-key", "real-key"]);
-    brokerGetFn.mockImplementation(async (account: string) => {
-      if (account === "ghost-key") return null;
-      if (account === "real-key") return { found: true, value: "real-secret" };
-      return null;
-    });
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    // ghost-key should not be written or deleted
-    expect(setKeyFn).not.toHaveBeenCalledWith(
-      "ghost-key",
-      expect.anything(),
-    );
-    expect(brokerDelFn).not.toHaveBeenCalledWith("ghost-key");
-
-    // real-key should be migrated
-    expect(setKeyFn).toHaveBeenCalledWith("real-key", "real-secret");
-    expect(brokerDelFn).toHaveBeenCalledWith("real-key");
-  });
-
-  test("skips key when broker.get returns not found", async () => {
-    brokerListFn.mockResolvedValue(["missing-key"]);
-    brokerGetFn.mockResolvedValue({ found: false });
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(setKeyFn).not.toHaveBeenCalled();
-    expect(brokerDelFn).not.toHaveBeenCalled();
-  });
-
-  test("skips key when setKey fails and does not delete from keychain", async () => {
-    brokerListFn.mockResolvedValue(["fail-key", "ok-key"]);
-    brokerGetFn.mockImplementation(async (account: string) => {
-      if (account === "fail-key")
-        return { found: true, value: "fail-secret" };
-      if (account === "ok-key") return { found: true, value: "ok-secret" };
-      return null;
-    });
-    setKeyFn.mockImplementation((account: string) => {
-      if (account === "fail-key") return false;
-      return true;
-    });
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    // fail-key should NOT have been deleted from keychain (setKey failed)
-    expect(brokerDelFn).not.toHaveBeenCalledWith("fail-key");
-
-    // ok-key should have been migrated and deleted
-    expect(setKeyFn).toHaveBeenCalledWith("ok-key", "ok-secret");
-    expect(brokerDelFn).toHaveBeenCalledWith("ok-key");
-    expect(brokerDelFn).toHaveBeenCalledTimes(1);
+  test("down is a no-op", async () => {
+    await migrateCredentialsFromKeychainMigration.down("/fake");
   });
 });

package/src/__tests__/workspace-migrations-runner.test.ts

@@ -130,16 +130,16 @@ describe("runWorkspaceMigrations", () => {
       throw new Error("migration 002 failed");
     });
 
-    await expect(
-      runWorkspaceMigrations(WORKSPACE_DIR, [m1, m2]),
-    ).rejects.toThrow("migration 002 failed");
+    // Runner no longer throws — it marks failed migrations and continues
+    await runWorkspaceMigrations(WORKSPACE_DIR, [m1, m2]);
 
-    // m1 ran successfully before the error
+    // m1 ran successfully, m2 was attempted
     expect(m1.run).toHaveBeenCalledTimes(1);
+    expect(m2.run).toHaveBeenCalledTimes(1);
 
-    // Checkpoints saved: started m1, completed m1, started m2 = 3 writes
-    expect(writeFileSyncFn).toHaveBeenCalledTimes(3);
-    expect(renameSyncFn).toHaveBeenCalledTimes(3);
+    // Checkpoints saved: started m1, completed m1, started m2, failed m2 = 4 writes
+    expect(writeFileSyncFn).toHaveBeenCalledTimes(4);
+    expect(renameSyncFn).toHaveBeenCalledTimes(4);
 
     // Verify the completed checkpoint contains m1
     // The second write is the "completed" marker for m1
@@ -149,6 +149,14 @@ describe("runWorkspaceMigrations", () => {
     const parsed = JSON.parse(completedWrite);
     expect(parsed.applied["001"]).toBeDefined();
     expect(parsed.applied["001"].status).toBe("completed");
+
+    // Verify m2 is marked as failed
+    const failedWrite = (
+      writeFileSyncFn.mock.calls[3] as unknown[]
+    )[1] as string;
+    const failedParsed = JSON.parse(failedWrite);
+    expect(failedParsed.applied["002"]).toBeDefined();
+    expect(failedParsed.applied["002"].status).toBe("failed");
   });
 
   test("idempotent on re-run", async () => {

package/src/cli/commands/credentials.ts

@@ -635,7 +635,7 @@ Examples:
             if (unreachable) {
               writeError(
                 cmd,
-                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+                "Credential store is unreachable — ensure the assistant is running",
               );
             } else {
               writeError(cmd, "Credential not found");
@@ -676,7 +676,7 @@ Examples:
           const output = buildCredentialOutput(metadata, secret, connection);
 
           if (unreachable && (secret == null || secret.length === 0)) {
-            output.scrubbedValue = "(broker unreachable)";
+            output.scrubbedValue = "(credential store unreachable)";
             output.brokerUnreachable = true;
           }
 
@@ -686,7 +686,7 @@ Examples:
             printCredentialHuman(output);
             if (unreachable && (secret == null || secret.length === 0)) {
               log.info(
-                "    \u26A0 Keychain broker unreachable — restart the Vellum app and accept the macOS Keychain prompt to access credentials",
+                "    \u26A0 Credential store is unreachable — ensure the assistant is running",
               );
             }
           }
@@ -770,7 +770,7 @@ Examples:
             if (unreachable) {
               writeError(
                 cmd,
-                "Keychain broker is unreachable — restart the Vellum app and accept the macOS Keychain prompt",
+                "Credential store is unreachable — ensure the assistant is running",
               );
             } else {
               writeError(cmd, "Credential not found");

package/src/cli/commands/oauth/apps.ts

@@ -168,7 +168,7 @@ At least --id or --provider must be specified.`,
     .requiredOption("--client-id <id>", "OAuth client ID")
     .option(
       "--client-secret <secret>",
-      "OAuth client secret (stored in secure keychain)",
+      "OAuth client secret (stored in credential store)",
     )
     .option(
       "--client-secret-credential-path <path>",
@@ -179,7 +179,7 @@ At least --id or --provider must be specified.`,
       `
 Creates a new app registration or returns the existing one if an app with the
 same provider and client ID already exists. The client secret, if provided, is
-stored in the secure system keychain — not in the database.
+stored in the secure credential store — not in the database.
 
 When an existing app is matched and a --client-secret is provided, the stored
 secret is updated. The app row itself is returned as-is.
@@ -277,7 +277,7 @@ Arguments:
   id   The app UUID to delete (as returned by "apps list" or "apps get")
 
 Permanently removes the app registration and its stored client secret from
-the keychain. Any OAuth connections that reference this app will no longer be
+the credential store. Any OAuth connections that reference this app will no longer be
 able to refresh tokens.
 
 Exits with code 1 if the app ID is not found.

package/src/daemon/lifecycle.ts

@@ -285,9 +285,8 @@ export async function runDaemon(): Promise<void> {
     // Slack channel) that already have keychain credentials from before the
     // oauth_connection migration. Safe to call on every startup.
     //
-    // Must run AFTER workspace migrations so that migration 015 (which copies
-    // encrypted-store credentials to the keychain) has already executed.
-    // Otherwise syncManualTokenConnection sees no keychain credentials and
+    // Must run AFTER workspace migrations.
+    // Otherwise syncManualTokenConnection sees no stored credentials and
     // incorrectly removes existing connection rows.
     try {
       await backfillManualTokenConnections();

package/src/memory/migrations/validate-migration-state.ts

@@ -98,7 +98,20 @@ export function withCrashRecovery(
     )
     .run(checkpointKey, Date.now());
 
-  migrationFn();
+  try {
+    migrationFn();
+  } catch (error) {
+    log.error(
+      { checkpointKey, error },
+      `Memory migration failed: ${checkpointKey} — marking as failed and continuing`,
+    );
+    raw
+      .query(
+        `UPDATE memory_checkpoints SET value = 'failed', updated_at = ? WHERE key = ?`,
+      )
+      .run(Date.now(), checkpointKey);
+    return;
+  }
 
   raw
     .query(

package/src/runtime/routes/settings-routes.ts

@@ -213,7 +213,7 @@ async function handleOAuthConnectStart(body: {
   if (requiresSecret && !clientSecret) {
     return httpError(
       "BAD_REQUEST",
-      `client_secret is required for "${body.service}" but not found in the keychain. Store it first via the credential vault.`,
+      `client_secret is required for "${body.service}" but not found in the credential store. Store it first via the credential vault.`,
       400,
     );
   }

package/src/workspace/migrations/015-migrate-credentials-to-keychain.ts

@@ -1,153 +1,18 @@
-import { getLogger } from "../../util/logger.js";
 import type { WorkspaceMigration } from "./types.js";
 
-const log = getLogger("workspace-migrations");
-
-const BROKER_WAIT_INTERVAL_MS = 500;
-const BROKER_WAIT_MAX_ATTEMPTS = 10; // 5 seconds total
-
+/**
+ * Originally migrated credentials from encrypted store to macOS Keychain.
+ * No-op'd because: (1) the keychain broker was deleted, (2) inline security
+ * CLI calls trigger macOS permission prompts on every daemon startup even for
+ * users who never had keychain credentials, (3) migration 016 reverses this
+ * migration anyway, so the net effect is a round-trip.
+ *
+ * Users who had credentials stranded in the macOS Keychain from a brief
+ * intermediate release will need to re-enter their API keys.
+ */
 export const migrateCredentialsToKeychainMigration: WorkspaceMigration = {
   id: "015-migrate-credentials-to-keychain",
-  description:
-    "Copy encrypted store credentials to keychain for single-backend migration",
-
-  async down(_workspaceDir: string): Promise<void> {
-    // Reverse: copy credentials from keychain back to encrypted store.
-    // Mirrors the forward logic of 016-migrate-credentials-from-keychain.
-    if (
-      process.env.VELLUM_DESKTOP_APP !== "1" ||
-      process.env.VELLUM_DEV === "1"
-    ) {
-      return;
-    }
-
-    const { createBrokerClient } =
-      await import("../../security/keychain-broker-client.js");
-    const client = createBrokerClient();
-
-    let brokerAvailable = false;
-    for (let i = 0; i < BROKER_WAIT_MAX_ATTEMPTS; i++) {
-      if (client.isAvailable()) {
-        brokerAvailable = true;
-        break;
-      }
-      await new Promise((r) => setTimeout(r, BROKER_WAIT_INTERVAL_MS));
-    }
-
-    if (!brokerAvailable) {
-      throw new Error(
-        "Keychain broker not available after waiting — credential rollback " +
-          "will be retried on next startup",
-      );
-    }
-
-    const { setKey } = await import("../../security/encrypted-store.js");
-
-    const accounts = await client.list();
-    if (accounts.length === 0) return;
-
-    let rolledBackCount = 0;
-    let failedCount = 0;
-
-    for (const account of accounts) {
-      const result = await client.get(account);
-      if (!result || !result.found || result.value === undefined) {
-        log.warn(
-          { account },
-          "Failed to read key from keychain during rollback — skipping",
-        );
-        failedCount++;
-        continue;
-      }
-
-      const written = setKey(account, result.value);
-      if (written) {
-        await client.del(account);
-        rolledBackCount++;
-      } else {
-        log.warn(
-          { account },
-          "Failed to write key to encrypted store during rollback — skipping",
-        );
-        failedCount++;
-      }
-    }
-
-    log.info(
-      { rolledBackCount, failedCount },
-      "Credential rollback from keychain to encrypted store complete",
-    );
-  },
-
-  async run(_workspaceDir: string): Promise<void> {
-    // Only run on mac production builds (desktop app, non-dev).
-    if (
-      process.env.VELLUM_DESKTOP_APP !== "1" ||
-      process.env.VELLUM_DEV === "1"
-    ) {
-      return;
-    }
-
-    const { createBrokerClient } =
-      await import("../../security/keychain-broker-client.js");
-    const client = createBrokerClient();
-
-    // Wait for the broker to become available (up to 5 seconds), matching
-    // the retry strategy in secure-keys.ts waitForBrokerAvailability().
-    let brokerAvailable = false;
-    for (let i = 0; i < BROKER_WAIT_MAX_ATTEMPTS; i++) {
-      if (client.isAvailable()) {
-        brokerAvailable = true;
-        break;
-      }
-      await new Promise((r) => setTimeout(r, BROKER_WAIT_INTERVAL_MS));
-    }
-
-    if (!brokerAvailable) {
-      throw new Error(
-        "Keychain broker not available after waiting — credential migration " +
-          "will be retried on next startup",
-      );
-    }
-
-    const { listKeys, getKey, deleteKey } =
-      await import("../../security/encrypted-store.js");
-
-    const accounts = listKeys();
-    if (accounts.length === 0) {
-      return;
-    }
-
-    let migratedCount = 0;
-    let failedCount = 0;
-
-    for (const account of accounts) {
-      const value = getKey(account);
-      if (value === undefined) {
-        log.warn(
-          { account },
-          "Failed to read key from encrypted store — skipping",
-        );
-        failedCount++;
-        continue;
-      }
-
-      const result = await client.set(account, value);
-      if (result.status === "ok") {
-        deleteKey(account);
-        migratedCount++;
-      } else {
-        log.warn(
-          { account, status: result.status },
-          "Failed to write key to keychain — skipping",
-        );
-        failedCount++;
-      }
-    }
-
-    log.info(
-      { migratedCount, failedCount },
-      "Credential migration to keychain complete",
-    );
-  },
+  description: "No-op (keychain migration removed)",
+  async run(): Promise<void> {},
+  async down(): Promise<void> {},
 };