npm - @vellumai/assistant - Versions diffs - 0.6.1 → 0.6.3 - Mend

@vellumai/assistant 0.6.1 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (463) hide show

package/bun.lock +40 -40
package/bunfig.toml +3 -0
package/docker-entrypoint.sh +12 -2
package/docs/architecture/memory.md +1 -1
package/node_modules/@vellumai/ces-contracts/src/handles.ts +7 -9
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +42 -0
package/openapi.yaml +184 -69
package/package.json +41 -41
package/scripts/generate-openapi.ts +1 -2
package/src/__tests__/acp-session.test.ts +43 -0
package/src/__tests__/app-builder-tool-scripts.test.ts +1 -0
package/src/__tests__/app-executors.test.ts +1 -0
package/src/__tests__/app-source-watcher.test.ts +37 -11
package/src/__tests__/approval-routes-http.test.ts +178 -1
package/src/__tests__/assistant-event-hub.test.ts +30 -0
package/src/__tests__/browser-fill-credential.test.ts +229 -94
package/src/__tests__/browser-manager.test.ts +40 -27
package/src/__tests__/catalog-files.test.ts +862 -0
package/src/__tests__/channel-approvals.test.ts +53 -0
package/src/__tests__/checker.test.ts +104 -170
package/src/__tests__/cli-command-risk-guard.test.ts +1 -1
package/src/__tests__/config-managed-gemini-defaults.test.ts +326 -0
package/src/__tests__/config-schema-cmd.test.ts +2 -2
package/src/__tests__/config-schema.test.ts +125 -48
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +23 -0
package/src/__tests__/context-overflow-approval.test.ts +21 -6
package/src/__tests__/conversation-agent-loop-overflow.test.ts +1 -1
package/src/__tests__/conversation-agent-loop.test.ts +1 -1
package/src/__tests__/conversation-analysis-routes.test.ts +169 -0
package/src/__tests__/conversation-attachments.test.ts +80 -4
package/src/__tests__/conversation-confirmation-signals.test.ts +155 -0
package/src/__tests__/conversation-directories-parse.test.ts +105 -0
package/src/__tests__/conversation-fork-crud.test.ts +17 -0
package/src/__tests__/conversation-history-web-search.test.ts +1 -0
package/src/__tests__/conversation-host-access-routes.test.ts +229 -0
package/src/__tests__/conversation-inject-context.test.ts +103 -0
package/src/__tests__/conversation-queue.test.ts +45 -2
package/src/__tests__/conversation-routes-disk-view.test.ts +5 -0
package/src/__tests__/conversation-routes-guardian-reply.test.ts +16 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/conversation-runtime-assembly.test.ts +269 -46
package/src/__tests__/conversation-starter-routes.test.ts +126 -0
package/src/__tests__/conversation-starters-cadence.test.ts +161 -0
package/src/__tests__/conversation-store.test.ts +195 -0
package/src/__tests__/conversation-workspace-cache-state.test.ts +193 -0
package/src/__tests__/credential-execution-approval-bridge.test.ts +32 -3
package/src/__tests__/credential-security-invariants.test.ts +1 -0
package/src/__tests__/credential-vault-unit.test.ts +4 -4
package/src/__tests__/credential-vault.test.ts +152 -13
package/src/__tests__/credentials-cli.test.ts +2 -2
package/src/__tests__/date-context.test.ts +4 -4
package/src/__tests__/embedding-managed-proxy-selection.test.ts +256 -0
package/src/__tests__/extension-id-sync-guard.test.ts +155 -0
package/src/__tests__/fixtures/mock-chrome-extension.ts +375 -0
package/src/__tests__/gateway-only-guard.test.ts +3 -0
package/src/__tests__/gemini-provider.test.ts +2 -2
package/src/__tests__/guardian-routing-invariants.test.ts +70 -2
package/src/__tests__/headless-browser-interactions.test.ts +707 -371
package/src/__tests__/headless-browser-navigate.test.ts +389 -47
package/src/__tests__/headless-browser-read-tools.test.ts +266 -103
package/src/__tests__/headless-browser-snapshot.test.ts +240 -77
package/src/__tests__/host-bash-proxy.test.ts +150 -1
package/src/__tests__/host-browser-e2e-cloud.test.ts +462 -0
package/src/__tests__/host-browser-e2e-self-hosted-capability.test.ts +286 -0
package/src/__tests__/host-browser-e2e-self-hosted.test.ts +374 -0
package/src/__tests__/host-browser-event-routes.test.ts +350 -0
package/src/__tests__/host-browser-proxy.test.ts +444 -0
package/src/__tests__/host-browser-routes.test.ts +198 -0
package/src/__tests__/host-browser-ws-events-e2e.test.ts +320 -0
package/src/__tests__/host-cu-proxy.test.ts +171 -1
package/src/__tests__/host-file-proxy.test.ts +185 -1
package/src/__tests__/host-file-read-tool.test.ts +52 -0
package/src/__tests__/host-proxy-interface.test.ts +165 -0
package/src/__tests__/host-shell-tool.test.ts +1 -11
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/init-feature-flag-overrides.test.ts +167 -0
package/src/__tests__/inline-command-runner.test.ts +7 -5
package/src/__tests__/integration-status.test.ts +6 -7
package/src/__tests__/list-messages-tool-merge.test.ts +37 -12
package/src/__tests__/log-export-workspace.test.ts +190 -0
package/src/__tests__/managed-credential-catalog-cli.test.ts +12 -14
package/src/__tests__/mcp-client-auth.test.ts +40 -4
package/src/__tests__/mcp-health-check.test.ts +10 -3
package/src/__tests__/migration-cross-version-compatibility.test.ts +3 -1
package/src/__tests__/migration-export-http.test.ts +61 -2
package/src/__tests__/migration-export-streaming.test.ts +66 -0
package/src/__tests__/migration-import-commit-http.test.ts +101 -1
package/src/__tests__/native-host-marker-sync-guard.test.ts +157 -0
package/src/__tests__/navigate-settings-tab.test.ts +14 -1
package/src/__tests__/notification-broadcaster.test.ts +65 -0
package/src/__tests__/oauth-apps-routes.test.ts +17 -12
package/src/__tests__/oauth-cli.test.ts +707 -60
package/src/__tests__/oauth-connect-orchestrator.test.ts +116 -24
package/src/__tests__/oauth-provider-seed-logos.test.ts +23 -0
package/src/__tests__/oauth-provider-serializer.test.ts +146 -10
package/src/__tests__/oauth-provider-visibility.test.ts +19 -21
package/src/__tests__/oauth-providers-routes.test.ts +50 -14
package/src/__tests__/oauth-store.test.ts +1386 -182
package/src/__tests__/oauth2-gateway-transport.test.ts +211 -20
package/src/__tests__/onboarding-template-contract.test.ts +74 -55
package/src/__tests__/openai-provider.test.ts +2 -2
package/src/__tests__/outlook-categories.test.ts +1 -1
package/src/__tests__/outlook-client-automation.test.ts +1 -1
package/src/__tests__/outlook-compose-tools.test.ts +1 -1
package/src/__tests__/outlook-email-watcher.test.ts +1 -1
package/src/__tests__/outlook-follow-up.test.ts +1 -1
package/src/__tests__/outlook-messaging-provider.test.ts +2 -2
package/src/__tests__/outlook-trash.test.ts +1 -1
package/src/__tests__/outlook-unsubscribe.test.ts +1 -1
package/src/__tests__/permission-checker-host-gate.test.ts +74 -14
package/src/__tests__/permission-mode.test.ts +28 -56
package/src/__tests__/pkb-autoinject.test.ts +96 -0
package/src/__tests__/platform-callback-registration.test.ts +19 -0
package/src/__tests__/post-turn-tool-result-truncation.test.ts +296 -0
package/src/__tests__/proxy-approval-callback.test.ts +18 -0
package/src/__tests__/require-fresh-approval.test.ts +40 -3
package/src/__tests__/sandbox-diagnostics.test.ts +1 -32
package/src/__tests__/sanitize-config-for-transfer.test.ts +132 -0
package/src/__tests__/schedule-routes.test.ts +162 -0
package/src/__tests__/secret-detection-handler.test.ts +84 -0
package/src/__tests__/secret-ingress-http.test.ts +1 -0
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/set-permission-mode.test.ts +13 -250
package/src/__tests__/skills-file-content-endpoint.test.ts +670 -0
package/src/__tests__/skills-files-catalog-fallback.test.ts +450 -0
package/src/__tests__/slack-channel-config.test.ts +12 -15
package/src/__tests__/subagent-detail.test.ts +44 -2
package/src/__tests__/subagent-disposal.test.ts +1 -0
package/src/__tests__/subagent-fork-notifications.test.ts +291 -0
package/src/__tests__/subagent-fork-spawn.test.ts +384 -0
package/src/__tests__/subagent-manager-notify.test.ts +1 -0
package/src/__tests__/subagent-notify-parent.test.ts +1 -0
package/src/__tests__/subagent-spawn-tool-fork.test.ts +411 -0
package/src/__tests__/subagent-tools.test.ts +1 -0
package/src/__tests__/subagent-types.test.ts +1 -0
package/src/__tests__/system-prompt-ask-mode.test.ts +27 -71
package/src/__tests__/system-prompt.test.ts +72 -1
package/src/__tests__/task-scheduler.test.ts +32 -6
package/src/__tests__/telegram-config.test.ts +10 -13
package/src/__tests__/terminal-sandbox.test.ts +1 -1
package/src/__tests__/terminal-tools.test.ts +11 -5
package/src/__tests__/test-preload.ts +14 -0
package/src/__tests__/tool-approval-handler.test.ts +73 -0
package/src/__tests__/tool-domain-event-publisher.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +1 -8
package/src/__tests__/tool-executor.test.ts +0 -1
package/src/__tests__/tool-side-effects-slack-dm.test.ts +22 -0
package/src/__tests__/top-level-renderer.test.ts +73 -1
package/src/__tests__/transport-hints-queue.test.ts +62 -0
package/src/__tests__/trust-store.test.ts +4 -4
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +109 -0
package/src/__tests__/v2-consent-policy.test.ts +103 -0
package/src/__tests__/workspace-migration-030-seed-pkb-autoinject.test.ts +168 -0
package/src/__tests__/workspace-policy.test.ts +2 -7
package/src/acp/client-handler.ts +30 -4
package/src/agent/loop.ts +12 -35
package/src/approvals/guardian-request-resolvers.ts +21 -15
package/src/browser-session/__tests__/manager.test.ts +297 -0
package/src/browser-session/backends/cdp-inspect.ts +30 -0
package/src/browser-session/backends/extension.ts +26 -0
package/src/browser-session/backends/local.ts +24 -0
package/src/browser-session/events.ts +164 -0
package/src/browser-session/index.ts +27 -0
package/src/browser-session/manager.ts +159 -0
package/src/browser-session/types.ts +28 -0
package/src/channels/__tests__/types.test.ts +134 -0
package/src/channels/types.ts +55 -0
package/src/cli/__tests__/run-assistant-command.ts +34 -7
package/src/cli/__tests__/unknown-command.test.ts +33 -0
package/src/cli/commands/browser-relay.ts +339 -409
package/src/cli/commands/credentials.ts +3 -3
package/src/cli/commands/default-action.ts +68 -1
package/src/cli/commands/email.ts +18 -13
package/src/cli/commands/mcp.ts +16 -4
package/src/cli/commands/oauth/__tests__/connect.test.ts +68 -41
package/src/cli/commands/oauth/__tests__/disconnect.test.ts +21 -21
package/src/cli/commands/oauth/__tests__/mode.test.ts +17 -17
package/src/cli/commands/oauth/__tests__/ping.test.ts +16 -16
package/src/cli/commands/oauth/__tests__/providers-delete.test.ts +31 -33
package/src/cli/commands/oauth/__tests__/providers-register.test.ts +329 -0
package/src/cli/commands/oauth/__tests__/providers-update.test.ts +116 -12
package/src/cli/commands/oauth/__tests__/status.test.ts +10 -10
package/src/cli/commands/oauth/__tests__/token.test.ts +7 -7
package/src/cli/commands/oauth/apps.ts +7 -4
package/src/cli/commands/oauth/connect.ts +16 -2
package/src/cli/commands/oauth/disconnect.ts +1 -1
package/src/cli/commands/oauth/providers.ts +200 -36
package/src/cli/commands/oauth/shared.ts +5 -5
package/src/cli/commands/platform/__tests__/callback-routes-list.test.ts +259 -0
package/src/cli/commands/platform/__tests__/connect.test.ts +1 -1
package/src/cli/commands/platform/__tests__/disconnect.test.ts +1 -1
package/src/cli/commands/platform/__tests__/status.test.ts +1 -1
package/src/cli/commands/platform/index.ts +107 -10
package/src/cli/commands/usage.ts +10 -9
package/src/cli/lib/daemon-credential-client.ts +4 -0
package/src/cli/program.ts +10 -3
package/src/config/assistant-feature-flags.ts +59 -55
package/src/config/bundled-skills/app-builder/SKILL.md +33 -173
package/src/config/bundled-skills/app-builder/references/CUSTOM_ROUTES.md +105 -0
package/src/config/bundled-skills/app-builder/references/INTERACTION_HOOKS.md +56 -0
package/src/config/bundled-skills/app-builder/references/WIDGETS.md +125 -0
package/src/config/bundled-skills/contacts/SKILL.md +3 -0
package/src/config/bundled-skills/document/SKILL.md +4 -0
package/src/config/bundled-skills/gmail/SKILL.md +12 -7
package/src/config/bundled-skills/gmail/TOOLS.json +1 -1
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +2 -1
package/src/config/bundled-skills/outlook/SKILL.md +7 -0
package/src/config/bundled-skills/settings/TOOLS.json +1 -1
package/src/config/bundled-skills/settings/tools/navigate-settings-tab.ts +8 -3
package/src/config/bundled-skills/subagent/SKILL.md +21 -0
package/src/config/bundled-skills/subagent/TOOLS.json +8 -4
package/src/config/bundled-skills/tasks/SKILL.md +5 -0
package/src/config/env-registry.ts +14 -0
package/src/config/env.ts +21 -0
package/src/config/feature-flag-registry.json +46 -7
package/src/config/loader.ts +56 -1
package/src/config/sanitize-for-transfer.ts +47 -0
package/src/config/schema.ts +46 -5
package/src/config/schemas/host-browser.ts +66 -0
package/src/config/schemas/memory-lifecycle.ts +1 -1
package/src/config/schemas/memory-retrieval.ts +103 -0
package/src/config/schemas/security.ts +0 -6
package/src/config/schemas/services.ts +16 -0
package/src/config/types.ts +0 -1
package/src/context/post-turn-tool-result-truncation.ts +176 -0
package/src/context/window-manager.ts +19 -1
package/src/credential-execution/approval-bridge.ts +49 -16
package/src/credential-execution/managed-catalog.ts +3 -7
package/src/daemon/__tests__/conversation-tool-setup.test.ts +186 -0
package/src/daemon/app-source-watcher.ts +35 -0
package/src/daemon/config-watcher.ts +6 -2
package/src/daemon/context-overflow-approval.ts +5 -1
package/src/daemon/conversation-agent-loop-handlers.ts +17 -2
package/src/daemon/conversation-agent-loop.ts +74 -19
package/src/daemon/conversation-attachments.ts +40 -1
package/src/daemon/conversation-messaging.ts +3 -0
package/src/daemon/conversation-process.ts +66 -3
package/src/daemon/conversation-queue-manager.ts +8 -0
package/src/daemon/conversation-runtime-assembly.ts +159 -20
package/src/daemon/conversation-surfaces.ts +78 -12
package/src/daemon/conversation-tool-setup.ts +74 -11
package/src/daemon/conversation-workspace.ts +12 -0
package/src/daemon/conversation.ts +227 -11
package/src/daemon/date-context.ts +10 -10
package/src/daemon/first-greeting.ts +3 -2
package/src/daemon/handlers/conversations.ts +9 -139
package/src/daemon/handlers/shared.ts +65 -0
package/src/daemon/handlers/skills.ts +232 -37
package/src/daemon/host-bash-proxy.ts +48 -13
package/src/daemon/host-browser-proxy.ts +191 -0
package/src/daemon/host-cu-proxy.ts +36 -11
package/src/daemon/host-file-proxy.ts +57 -9
package/src/daemon/lifecycle.ts +86 -12
package/src/daemon/message-protocol.ts +7 -0
package/src/daemon/message-types/conversations.ts +59 -13
package/src/daemon/message-types/host-browser.ts +100 -0
package/src/daemon/message-types/messages.ts +5 -6
package/src/daemon/message-types/notifications.ts +12 -0
package/src/daemon/message-types/settings.ts +12 -0
package/src/daemon/message-types/skills.ts +10 -0
package/src/daemon/message-types/subagents.ts +2 -0
package/src/daemon/server.ts +112 -35
package/src/daemon/tool-side-effects.ts +6 -0
package/src/daemon/transport-hints.ts +14 -0
package/src/inbound/platform-callback-registration.ts +18 -17
package/src/index.ts +1 -1
package/src/mcp/client.ts +59 -24
package/src/memory/app-store.ts +31 -1
package/src/memory/conversation-crud.ts +38 -10
package/src/memory/conversation-directories.ts +39 -0
package/src/memory/conversation-group-migration.ts +65 -5
package/src/memory/conversation-starters-cadence.ts +76 -0
package/src/memory/conversation-title-service.ts +5 -2
package/src/memory/db-init.ts +12 -0
package/src/memory/embedding-backend.test.ts +75 -0
package/src/memory/embedding-backend.ts +131 -5
package/src/memory/embedding-gemini.test.ts +54 -0
package/src/memory/embedding-gemini.ts +20 -9
package/src/memory/embedding-local.ts +177 -18
package/src/memory/graph/capability-seed.ts +3 -5
package/src/memory/graph/consolidation.ts +10 -23
package/src/memory/graph/extraction-job.ts +15 -0
package/src/memory/graph/retriever.ts +40 -22
package/src/memory/graph/store.test.ts +7 -3
package/src/memory/graph/store.ts +47 -12
package/src/memory/group-crud.ts +25 -9
package/src/memory/llm-usage-store.ts +45 -4
package/src/memory/migrations/213-oauth-providers-scope-separator.ts +13 -0
package/src/memory/migrations/214-oauth-providers-refresh-url.ts +11 -0
package/src/memory/migrations/215-oauth-providers-revoke.ts +14 -0
package/src/memory/migrations/216-oauth-providers-token-auth-method.ts +30 -0
package/src/memory/migrations/217-conversation-host-access.ts +40 -0
package/src/memory/migrations/218-oauth-providers-logo-url.ts +11 -0
package/src/memory/migrations/index.ts +6 -0
package/src/memory/migrations/registry.ts +8 -0
package/src/memory/schema/conversations.ts +1 -0
package/src/memory/schema/oauth.ts +18 -13
package/src/messaging/provider.ts +1 -1
package/src/notifications/broadcaster.ts +6 -0
package/src/notifications/conversation-pairing.ts +12 -4
package/src/notifications/emit-signal.ts +14 -0
package/src/notifications/signal.ts +11 -0
package/src/oauth/AGENTS.md +76 -0
package/src/oauth/__tests__/identity-verifier.test.ts +24 -19
package/src/oauth/__tests__/seed-providers-managed.test.ts +32 -0
package/src/oauth/byo-connection.test.ts +8 -8
package/src/oauth/byo-connection.ts +7 -7
package/src/oauth/connect-orchestrator.ts +23 -21
package/src/oauth/connect-types.ts +3 -3
package/src/oauth/connection-resolver.test.ts +17 -4
package/src/oauth/connection-resolver.ts +16 -16
package/src/oauth/connection.ts +1 -1
package/src/oauth/manual-token-connection.ts +13 -13
package/src/oauth/oauth-store.ts +214 -100
package/src/oauth/platform-connection.test.ts +5 -5
package/src/oauth/platform-connection.ts +4 -4
package/src/oauth/provider-serializer.ts +31 -5
package/src/oauth/revoke.ts +76 -0
package/src/oauth/seed-providers.ts +127 -87
package/src/oauth/token-persistence.ts +1 -1
package/src/permissions/checker.ts +3 -3
package/src/permissions/defaults.ts +7 -8
package/src/permissions/permission-mode.ts +4 -11
package/src/permissions/prompter.ts +13 -3
package/src/permissions/v2-consent-policy.ts +87 -0
package/src/platform/client.ts +1 -1
package/src/prompts/system-prompt.ts +18 -21
package/src/prompts/templates/BOOTSTRAP-REFERENCE.md +3 -65
package/src/prompts/templates/BOOTSTRAP.md +59 -96
package/src/prompts/templates/SOUL.md +11 -11
package/src/providers/anthropic/client.ts +1 -0
package/src/providers/types.ts +1 -1
package/src/runtime/AGENTS.md +23 -0
package/src/runtime/__tests__/browser-extension-pair-routes.test.ts +715 -0
package/src/runtime/__tests__/capability-tokens.test.ts +258 -0
package/src/runtime/__tests__/chrome-extension-registry.test.ts +518 -0
package/src/runtime/assistant-event-hub.ts +24 -2
package/src/runtime/auth/__tests__/guard-tests.test.ts +1 -0
package/src/runtime/auth/__tests__/middleware.test.ts +116 -1
package/src/runtime/auth/__tests__/route-policy.test.ts +8 -0
package/src/runtime/auth/middleware.ts +98 -0
package/src/runtime/auth/route-policy.ts +6 -7
package/src/runtime/auth/token-service.ts +8 -0
package/src/runtime/capability-tokens.ts +414 -0
package/src/runtime/channel-approvals.ts +18 -5
package/src/runtime/chrome-extension-registry.ts +332 -0
package/src/runtime/confirmation-request-guardian-bridge.ts +6 -0
package/src/runtime/guardian-decision-types.ts +7 -0
package/src/runtime/http-server.ts +425 -70
package/src/runtime/migrations/__tests__/rebind-secrets-credentials.test.ts +172 -0
package/src/runtime/migrations/__tests__/vbundle-builder-credentials.test.ts +276 -0
package/src/runtime/migrations/__tests__/vbundle-import-credentials.test.ts +162 -0
package/src/runtime/migrations/migration-transport.ts +6 -0
package/src/runtime/migrations/migration-wizard.ts +22 -2
package/src/runtime/migrations/rebind-secrets-screen.ts +76 -15
package/src/runtime/migrations/vbundle-builder.ts +145 -38
package/src/runtime/migrations/vbundle-import-analyzer.ts +19 -0
package/src/runtime/migrations/vbundle-importer.ts +55 -5
package/src/runtime/pending-interactions.ts +29 -13
package/src/runtime/routes/approval-routes.ts +90 -16
package/src/runtime/routes/browser-cdp-routes.ts +229 -0
package/src/runtime/routes/browser-extension-pair-routes.ts +497 -0
package/src/runtime/routes/conversation-analysis-routes.ts +18 -5
package/src/runtime/routes/conversation-management-routes.ts +108 -0
package/src/runtime/routes/conversation-routes.ts +308 -28
package/src/runtime/routes/conversation-starter-routes.ts +78 -16
package/src/runtime/routes/group-routes.ts +22 -8
package/src/runtime/routes/guardian-action-routes.ts +24 -13
package/src/runtime/routes/host-browser-routes.ts +279 -0
package/src/runtime/routes/host-file-routes.ts +9 -1
package/src/runtime/routes/identity-routes.ts +259 -16
package/src/runtime/routes/log-export/AGENTS.md +104 -0
package/src/runtime/routes/log-export/__tests__/workspace-allowlist-error-contract.test.ts +103 -0
package/src/runtime/routes/log-export/__tests__/workspace-allowlist.test.ts +716 -0
package/src/runtime/routes/log-export/workspace-allowlist.ts +458 -0
package/src/runtime/routes/log-export-routes.ts +60 -25
package/src/runtime/routes/memory-item-routes.ts +1 -7
package/src/runtime/routes/migration-routes.ts +87 -2
package/src/runtime/routes/oauth-apps.ts +15 -17
package/src/runtime/routes/oauth-providers.ts +4 -0
package/src/runtime/routes/schedule-routes.ts +24 -11
package/src/runtime/routes/settings-routes.ts +9 -97
package/src/runtime/routes/skills-routes.ts +52 -2
package/src/runtime/routes/subagents-routes.ts +14 -10
package/src/runtime/routes/usage-routes.ts +8 -7
package/src/runtime/routes/workspace-routes.test.ts +22 -0
package/src/runtime/routes/workspace-routes.ts +8 -1
package/src/runtime/routes/workspace-utils.ts +2 -0
package/src/schedule/scheduler.ts +7 -5
package/src/security/ces-credential-client.ts +20 -0
package/src/security/ces-rpc-credential-backend.ts +17 -0
package/src/security/credential-backend.ts +5 -0
package/src/security/oauth2.ts +42 -25
package/src/security/secure-keys.ts +118 -25
package/src/security/token-manager.ts +23 -10
package/src/skills/catalog-files.ts +492 -0
package/src/skills/inline-command-runner.ts +12 -14
package/src/subagent/manager.ts +131 -26
package/src/subagent/types.ts +19 -0
package/src/tools/apps/executors.ts +11 -2
package/src/tools/browser/__tests__/auth-detector.test.ts +202 -108
package/src/tools/browser/auth-detector.ts +43 -12
package/src/tools/browser/browser-execution.ts +645 -340
package/src/tools/browser/browser-manager.ts +36 -12
package/src/tools/browser/cdp-client/__tests__/accessibility-snapshot.test.ts +318 -0
package/src/tools/browser/cdp-client/__tests__/cdp-dom-helpers.test.ts +1175 -0
package/src/tools/browser/cdp-client/__tests__/cdp-inspect-client.test.ts +870 -0
package/src/tools/browser/cdp-client/__tests__/extension-cdp-client.test.ts +330 -0
package/src/tools/browser/cdp-client/__tests__/factory.test.ts +377 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-nested-frames.json +64 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-simple.json +69 -0
package/src/tools/browser/cdp-client/__tests__/local-cdp-client.test.ts +310 -0
package/src/tools/browser/cdp-client/__tests__/types.test.ts +96 -0
package/src/tools/browser/cdp-client/accessibility-snapshot.ts +387 -0
package/src/tools/browser/cdp-client/cdp-dom-helpers.ts +695 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/discovery.test.ts +743 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/ws-transport.test.ts +580 -0
package/src/tools/browser/cdp-client/cdp-inspect/discovery.ts +578 -0
package/src/tools/browser/cdp-client/cdp-inspect/ws-transport.ts +579 -0
package/src/tools/browser/cdp-client/cdp-inspect-client.ts +635 -0
package/src/tools/browser/cdp-client/errors.ts +34 -0
package/src/tools/browser/cdp-client/extension-cdp-client.ts +125 -0
package/src/tools/browser/cdp-client/factory.ts +204 -0
package/src/tools/browser/cdp-client/index.ts +14 -0
package/src/tools/browser/cdp-client/local-cdp-client.ts +187 -0
package/src/tools/browser/cdp-client/types.ts +52 -0
package/src/tools/filesystem/edit.ts +1 -1
package/src/tools/filesystem/list.ts +1 -1
package/src/tools/filesystem/read.ts +1 -1
package/src/tools/filesystem/write.ts +2 -1
package/src/tools/host-filesystem/edit.ts +1 -1
package/src/tools/host-filesystem/read.ts +12 -15
package/src/tools/host-filesystem/write.ts +1 -1
package/src/tools/host-terminal/host-shell.ts +21 -16
package/src/tools/permission-checker.ts +77 -100
package/src/tools/registry.ts +0 -2
package/src/tools/secret-detection-handler.ts +34 -1
package/src/tools/shared/filesystem/image-read.ts +61 -40
package/src/tools/skills/sandbox-runner.ts +3 -6
package/src/tools/subagent/spawn.ts +47 -3
package/src/tools/subagent/status.ts +2 -0
package/src/tools/system/register.ts +2 -16
package/src/tools/terminal/safe-env.ts +7 -0
package/src/tools/terminal/sandbox-diagnostics.ts +4 -4
package/src/tools/terminal/sandbox.ts +4 -1
package/src/tools/terminal/shell.ts +24 -21
package/src/tools/tool-approval-handler.ts +48 -2
package/src/tools/types.ts +2 -3
package/src/util/platform.ts +14 -19
package/src/watcher/provider-types.ts +1 -1
package/src/workspace/migrations/029-seed-pkb.ts +1 -0
package/src/workspace/migrations/030-seed-pkb-autoinject.ts +73 -0
package/src/workspace/migrations/registry.ts +2 -0
package/src/workspace/top-level-renderer.ts +19 -1
package/src/__tests__/chrome-cdp.test.ts +0 -419
package/src/__tests__/permission-mode-sse.test.ts +0 -418
package/src/__tests__/permission-mode-store.test.ts +0 -277
package/src/browser-extension-relay/protocol.ts +0 -63
package/src/browser-extension-relay/server.ts +0 -203
package/src/config/schemas/sandbox.ts +0 -14
package/src/permissions/permission-mode-store.ts +0 -180
package/src/tools/browser/chrome-cdp.ts +0 -239
package/src/tools/system/set-permission-mode.ts +0 -103

package/src/__tests__/oauth-cli.test.ts CHANGED Viewed

@@ -26,6 +26,11 @@ const disconnectOAuthProviderCalls: string[] = [];
 const disconnectOAuthProviderResult: "disconnected" | "not-found" | "error" =
   "not-found";
+// In-memory provider store used by registerProvider/updateProvider/getProvider
+// mocks below. Tests that exercise the providers register/update/get commands
+// can read and write through this map directly.
+const mockProviderStore = new Map<string, Record<string, unknown>>();
 // App upsert mock state
 let mockUpsertAppCalls: Array<{
   provider: string;
@@ -37,7 +42,7 @@ let mockUpsertAppCalls: Array<{
 }> = [];
 let mockUpsertAppResult: Record<string, unknown> = {
   id: "app-upsert-1",
-  providerKey: "test",
+  provider: "test",
   clientId: "test-client-id",
   createdAt: 1700000000000,
   updatedAt: 1700000000000,
@@ -58,18 +63,18 @@ let mockOrchestrateOAuthConnect: (
   opts: Record<string, unknown>,
 ) => Promise<Record<string, unknown>>;
 let mockGetAppByProviderAndClientId: (
-  providerKey: string,
+  provider: string,
   clientId: string,
 ) => Record<string, unknown> | undefined = () => undefined;
 let mockGetMostRecentAppByProvider: (
-  providerKey: string,
+  provider: string,
 ) => Record<string, unknown> | undefined = () => undefined;
 let mockGetProvider: (
-  providerKey: string,
+  provider: string,
 ) => Record<string, unknown> | undefined = () => undefined;
 let mockGetSecureKey: (account: string) => string | undefined = () => undefined;
 let mockResolveOAuthConnection: (
-  providerKey: string,
+  provider: string,
   options?: Record<string, unknown>,
 ) => Promise<{
   request: (req: Record<string, unknown>) => Promise<{
@@ -79,7 +84,7 @@ let mockResolveOAuthConnection: (
   }>;
   withToken: <T>(fn: (token: string) => Promise<T>) => Promise<T>;
   id: string;
-  providerKey: string;
+  provider: string;
   accountInfo: string | null;
 }> = async () => {
   throw new Error("resolveOAuthConnection not configured in test");
@@ -120,9 +125,9 @@ mock.module("../security/token-manager.js", () => ({
 mock.module("../oauth/oauth-store.js", () => ({
   disconnectOAuthProvider: async (
-    providerKey: string,
+    provider: string,
   ): Promise<"disconnected" | "not-found" | "error"> => {
-    disconnectOAuthProviderCalls.push(providerKey);
+    disconnectOAuthProviderCalls.push(provider);
     return disconnectOAuthProviderResult;
   },
   getConnection: () => undefined,
@@ -145,16 +150,120 @@ mock.module("../oauth/oauth-store.js", () => ({
     return mockUpsertAppResult;
   },
   getApp: () => undefined,
-  getAppByProviderAndClientId: (providerKey: string, clientId: string) =>
-    mockGetAppByProviderAndClientId(providerKey, clientId),
-  getMostRecentAppByProvider: (providerKey: string) =>
-    mockGetMostRecentAppByProvider(providerKey),
+  getAppByProviderAndClientId: (provider: string, clientId: string) =>
+    mockGetAppByProviderAndClientId(provider, clientId),
+  getMostRecentAppByProvider: (provider: string) =>
+    mockGetMostRecentAppByProvider(provider),
   listApps: () => [],
   deleteApp: async () => false,
-  getProvider: (providerKey: string) => mockGetProvider(providerKey),
+  getProvider: (provider: string) => {
+    // If the test has plugged in a custom mockGetProvider, prefer that.
+    const custom = mockGetProvider(provider);
+    if (custom !== undefined) return custom;
+    return mockProviderStore.get(provider);
+  },
   listProviders: () => mockListProviders(),
-  registerProvider: () => ({}),
-  updateProvider: () => undefined,
+  registerProvider: (params: Record<string, unknown>) => {
+    const now = Date.now();
+    const row: Record<string, unknown> = {
+      provider: params.provider,
+      authorizeUrl: params.authorizeUrl,
+      tokenExchangeUrl: params.tokenExchangeUrl,
+      refreshUrl: (params.refreshUrl as string | undefined) ?? null,
+      tokenEndpointAuthMethod:
+        (params.tokenEndpointAuthMethod as string | undefined) ||
+        "client_secret_post",
+      userinfoUrl: params.userinfoUrl ?? null,
+      baseUrl: params.baseUrl ?? null,
+      defaultScopes: JSON.stringify(params.defaultScopes ?? []),
+      scopePolicy: JSON.stringify(params.scopePolicy ?? {}),
+      scopeSeparator: (params.scopeSeparator as string | undefined) ?? " ",
+      authorizeParams: params.authorizeParams
+        ? JSON.stringify(params.authorizeParams)
+        : null,
+      pingUrl: params.pingUrl ?? null,
+      pingMethod: params.pingMethod ?? null,
+      pingHeaders: params.pingHeaders
+        ? JSON.stringify(params.pingHeaders)
+        : null,
+      pingBody:
+        params.pingBody !== undefined ? JSON.stringify(params.pingBody) : null,
+      revokeUrl: (params.revokeUrl as string | undefined) ?? null,
+      revokeBodyTemplate: params.revokeBodyTemplate
+        ? JSON.stringify(params.revokeBodyTemplate)
+        : null,
+      managedServiceConfigKey: params.managedServiceConfigKey ?? null,
+      displayLabel: params.displayLabel ?? null,
+      description: params.description ?? null,
+      dashboardUrl: params.dashboardUrl ?? null,
+      logoUrl: params.logoUrl ?? null,
+      clientIdPlaceholder: params.clientIdPlaceholder ?? null,
+      requiresClientSecret: params.requiresClientSecret ?? 1,
+      loopbackPort: params.loopbackPort ?? null,
+      injectionTemplates: params.injectionTemplates
+        ? JSON.stringify(params.injectionTemplates)
+        : null,
+      appType: params.appType ?? null,
+      setupNotes: params.setupNotes ? JSON.stringify(params.setupNotes) : null,
+      identityUrl: params.identityUrl ?? null,
+      identityMethod: params.identityMethod ?? null,
+      identityHeaders: params.identityHeaders
+        ? JSON.stringify(params.identityHeaders)
+        : null,
+      identityBody:
+        params.identityBody !== undefined
+          ? JSON.stringify(params.identityBody)
+          : null,
+      identityResponsePaths: params.identityResponsePaths
+        ? JSON.stringify(params.identityResponsePaths)
+        : null,
+      identityFormat: params.identityFormat ?? null,
+      identityOkField: params.identityOkField ?? null,
+      featureFlag: params.featureFlag ?? null,
+      createdAt: now,
+      updatedAt: now,
+    };
+    mockProviderStore.set(params.provider as string, row);
+    return row;
+  },
+  updateProvider: (provider: string, params: Record<string, unknown>) => {
+    const existing = mockProviderStore.get(provider);
+    if (!existing) return undefined;
+    const updated: Record<string, unknown> = { ...existing };
+    if (params.scopeSeparator !== undefined) {
+      updated.scopeSeparator = params.scopeSeparator;
+    }
+    if (params.authorizeUrl !== undefined) {
+      updated.authorizeUrl = params.authorizeUrl;
+    }
+    if (params.tokenExchangeUrl !== undefined) {
+      updated.tokenExchangeUrl = params.tokenExchangeUrl;
+    }
+    if (params.refreshUrl !== undefined) {
+      updated.refreshUrl = params.refreshUrl;
+    }
+    if (params.revokeUrl !== undefined) {
+      updated.revokeUrl = params.revokeUrl;
+    }
+    if (params.revokeBodyTemplate !== undefined) {
+      updated.revokeBodyTemplate =
+        params.revokeBodyTemplate === null
+          ? null
+          : JSON.stringify(params.revokeBodyTemplate);
+    }
+    if (params.defaultScopes !== undefined) {
+      updated.defaultScopes = JSON.stringify(params.defaultScopes);
+    }
+    if (params.displayLabel !== undefined) {
+      updated.displayLabel = params.displayLabel;
+    }
+    if (params.logoUrl !== undefined) {
+      updated.logoUrl = params.logoUrl;
+    }
+    updated.updatedAt = Date.now();
+    mockProviderStore.set(provider, updated);
+    return updated;
+  },
   deleteProvider: () => false,
   seedProviders: () => {},
   getActiveConnection: () => undefined,
@@ -229,9 +338,9 @@ mock.module("../oauth/seed-providers.js", () => ({
 mock.module("../oauth/connection-resolver.js", () => ({
   resolveOAuthConnection: (
-    providerKey: string,
+    provider: string,
     options?: Record<string, unknown>,
-  ) => mockResolveOAuthConnection(providerKey, options),
+  ) => mockResolveOAuthConnection(provider, options),
 }));
 // ---------------------------------------------------------------------------
@@ -439,45 +548,45 @@ describe("assistant oauth token <provider-key>", () => {
 describe("assistant oauth providers list", () => {
   const fakeProviders = [
     {
-      providerKey: "google",
-      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-      tokenUrl: "https://oauth2.googleapis.com/token",
+      provider: "google",
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenExchangeUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       managedServiceConfigKey: "google-oauth",
       createdAt: "2025-01-01T00:00:00.000Z",
       updatedAt: "2025-01-01T00:00:00.000Z",
     },
     {
-      providerKey: "google-calendar",
-      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-      tokenUrl: "https://oauth2.googleapis.com/token",
+      provider: "google-calendar",
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenExchangeUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       managedServiceConfigKey: "google-calendar-oauth",
       createdAt: "2025-01-01T00:00:00.000Z",
       updatedAt: "2025-01-01T00:00:00.000Z",
     },
     {
-      providerKey: "slack",
-      authUrl: "https://slack.com/oauth/v2/authorize",
-      tokenUrl: "https://slack.com/api/oauth.v2.access",
+      provider: "slack",
+      authorizeUrl: "https://slack.com/oauth/v2/authorize",
+      tokenExchangeUrl: "https://slack.com/api/oauth.v2.access",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       managedServiceConfigKey: null,
       createdAt: "2025-01-01T00:00:00.000Z",
       updatedAt: "2025-01-01T00:00:00.000Z",
     },
     {
-      providerKey: "twitter",
-      authUrl: "https://twitter.com/i/oauth2/authorize",
-      tokenUrl: "https://api.twitter.com/2/oauth2/token",
+      provider: "twitter",
+      authorizeUrl: "https://twitter.com/i/oauth2/authorize",
+      tokenExchangeUrl: "https://api.twitter.com/2/oauth2/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       managedServiceConfigKey: null,
       createdAt: "2025-01-01T00:00:00.000Z",
       updatedAt: "2025-01-01T00:00:00.000Z",
@@ -638,7 +747,7 @@ describe("assistant oauth apps upsert --client-secret-credential-path", () => {
     mockUpsertAppCalls = [];
     mockUpsertAppResult = {
       id: "app-upsert-1",
-      providerKey: "google",
+      provider: "google",
       clientId: "abc123",
       createdAt: 1700000000000,
       updatedAt: 1700000000000,
@@ -890,19 +999,19 @@ describe("assistant oauth ping <provider-key>", () => {
   test("returns ok when ping endpoint returns 200", async () => {
     mockGetProvider = () => ({
-      providerKey: "google",
+      provider: "google",
       pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
-      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-      tokenUrl: "https://oauth2.googleapis.com/token",
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenExchangeUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       createdAt: Date.now(),
       updatedAt: Date.now(),
     });
     mockResolveOAuthConnection = async () => ({
       id: "conn-1",
-      providerKey: "google",
+      provider: "google",
       accountInfo: null,
       request: async () => ({ status: 200, headers: {}, body: {} }),
       withToken: async (fn) => fn("mock-access-token-xyz"),
@@ -925,13 +1034,13 @@ describe("assistant oauth ping <provider-key>", () => {
   test("exits 1 when no ping URL configured", async () => {
     mockGetProvider = () => ({
-      providerKey: "telegram",
+      provider: "telegram",
       pingUrl: null,
-      authUrl: "urn:manual-token",
-      tokenUrl: "urn:manual-token",
+      authorizeUrl: "urn:manual-token",
+      tokenExchangeUrl: "urn:manual-token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       createdAt: Date.now(),
       updatedAt: Date.now(),
     });
@@ -944,19 +1053,19 @@ describe("assistant oauth ping <provider-key>", () => {
   test("exits 1 when ping endpoint returns non-2xx", async () => {
     mockGetProvider = () => ({
-      providerKey: "google",
+      provider: "google",
       pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
-      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-      tokenUrl: "https://oauth2.googleapis.com/token",
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenExchangeUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       createdAt: Date.now(),
       updatedAt: Date.now(),
     });
     mockResolveOAuthConnection = async () => ({
       id: "conn-1",
-      providerKey: "google",
+      provider: "google",
       accountInfo: null,
       request: async () => ({ status: 403, headers: {}, body: "Forbidden" }),
       withToken: async (fn) => fn("mock-access-token-xyz"),
@@ -970,13 +1079,13 @@ describe("assistant oauth ping <provider-key>", () => {
   test("exits 1 when no connection can be resolved", async () => {
     mockGetProvider = () => ({
-      providerKey: "google",
+      provider: "google",
       pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
-      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-      tokenUrl: "https://oauth2.googleapis.com/token",
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenExchangeUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       createdAt: Date.now(),
       updatedAt: Date.now(),
     });
@@ -1023,12 +1132,12 @@ describe("assistant oauth connect managed mode — platform 401/403 errors", ()
     // Set up managed mode: provider has managedServiceConfigKey, config
     // returns the matching service with mode "managed".
     mockGetProvider = () => ({
-      providerKey: "google",
-      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-      tokenUrl: "https://oauth2.googleapis.com/token",
+      provider: "google",
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenExchangeUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       managedServiceConfigKey: "google-oauth",
       createdAt: Date.now(),
       updatedAt: Date.now(),
@@ -1249,12 +1358,12 @@ describe("assistant oauth mode", () => {
   beforeEach(() => {
     mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
     mockGetProvider = () => ({
-      providerKey: "google",
-      authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-      tokenUrl: "https://oauth2.googleapis.com/token",
+      provider: "google",
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenExchangeUrl: "https://oauth2.googleapis.com/token",
       defaultScopes: "[]",
       scopePolicy: "{}",
-      extraParams: null,
+      authorizeParams: null,
       managedServiceConfigKey: "google-oauth",
       createdAt: Date.now(),
       updatedAt: Date.now(),
@@ -1313,3 +1422,541 @@ describe("assistant oauth mode", () => {
     expect(parsed.mode).toBe("your-own");
   });
 });
+// ---------------------------------------------------------------------------
+// providers register / update / get — --scope-separator wiring
+// ---------------------------------------------------------------------------
+describe("assistant oauth providers --scope-separator", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    mockProviderStore.clear();
+    // Default getProvider falls through to mockProviderStore via the
+    // oauth-store mock module. Tests in this describe block don't need
+    // a per-test mockGetProvider override.
+    mockGetProvider = () => undefined;
+    mockGetConfig = () => ({ services: {} });
+  });
+  afterEach(() => {
+    mockProviderStore.clear();
+    mockGetProvider = () => undefined;
+  });
+  test("providers register --scope-separator , stores ',' on the provider row", async () => {
+    const { exitCode } = await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-linear",
+      "--auth-url",
+      "https://linear.app/oauth/authorize",
+      "--token-url",
+      "https://api.linear.app/oauth/token",
+      "--scopes",
+      "read,write",
+      "--scope-separator",
+      ",",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const stored = mockProviderStore.get("custom-linear");
+    expect(stored).toBeDefined();
+    expect(stored?.scopeSeparator).toBe(",");
+  });
+  test("providers register without --scope-separator stores the default ' '", async () => {
+    const { exitCode } = await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-default-sep",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--scopes",
+      "read,write",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const stored = mockProviderStore.get("custom-default-sep");
+    expect(stored).toBeDefined();
+    expect(stored?.scopeSeparator).toBe(" ");
+  });
+  test("providers update --scope-separator , updates an existing custom provider", async () => {
+    // Seed the store with an existing custom provider that uses the default
+    // " " separator.
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-update-target",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--scopes",
+      "read",
+      "--json",
+    ]);
+    expect(mockProviderStore.get("custom-update-target")?.scopeSeparator).toBe(
+      " ",
+    );
+    const { exitCode } = await runCli([
+      "providers",
+      "update",
+      "custom-update-target",
+      "--scope-separator",
+      ",",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockProviderStore.get("custom-update-target")?.scopeSeparator).toBe(
+      ",",
+    );
+  });
+  test("providers get <key> --json includes scopeSeparator from the serialized output", async () => {
+    // Seed the store with a custom provider that uses ',' as the separator.
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-get-target",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--scopes",
+      "read,write",
+      "--scope-separator",
+      ",",
+      "--json",
+    ]);
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "get",
+      "custom-get-target",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.scopeSeparator).toBe(",");
+  });
+});
+// ---------------------------------------------------------------------------
+// providers register / update / get — --refresh-url wiring
+// ---------------------------------------------------------------------------
+describe("assistant oauth providers --refresh-url", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    mockProviderStore.clear();
+    // Default getProvider falls through to mockProviderStore via the
+    // oauth-store mock module.
+    mockGetProvider = () => undefined;
+    mockGetConfig = () => ({ services: {} });
+  });
+  afterEach(() => {
+    mockProviderStore.clear();
+    mockGetProvider = () => undefined;
+  });
+  test("providers register --refresh-url stores the URL on the provider row", async () => {
+    const { exitCode } = await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-refresh-url",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--refresh-url",
+      "https://refresh.example.com/token",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const stored = mockProviderStore.get("custom-refresh-url");
+    expect(stored).toBeDefined();
+    expect(stored?.refreshUrl).toBe("https://refresh.example.com/token");
+  });
+  test("providers register without --refresh-url stores null", async () => {
+    const { exitCode } = await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-no-refresh-url",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const stored = mockProviderStore.get("custom-no-refresh-url");
+    expect(stored).toBeDefined();
+    expect(stored?.refreshUrl).toBeNull();
+  });
+  test("providers update --refresh-url updates an existing custom provider", async () => {
+    // Seed the store with an existing custom provider that has no refresh URL.
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-update-refresh",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--json",
+    ]);
+    expect(
+      mockProviderStore.get("custom-update-refresh")?.refreshUrl,
+    ).toBeNull();
+    const { exitCode } = await runCli([
+      "providers",
+      "update",
+      "custom-update-refresh",
+      "--refresh-url",
+      "https://new-refresh.example.com/token",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockProviderStore.get("custom-update-refresh")?.refreshUrl).toBe(
+      "https://new-refresh.example.com/token",
+    );
+  });
+  test("providers get <key> --json includes refreshUrl from the serialized output", async () => {
+    // Seed the store with a custom provider that has a refresh URL set.
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-get-refresh",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--refresh-url",
+      "https://refresh.example.com/token",
+      "--json",
+    ]);
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "get",
+      "custom-get-refresh",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.refreshUrl).toBe("https://refresh.example.com/token");
+  });
+});
+// ---------------------------------------------------------------------------
+// providers register / update / get — --revoke-url and --revoke-body-template wiring
+// ---------------------------------------------------------------------------
+describe("assistant oauth providers --revoke-url and --revoke-body-template", () => {
+  beforeEach(() => {
+    mockWithValidToken = async (_service, cb) => cb("mock-access-token-xyz");
+    mockProviderStore.clear();
+    mockGetProvider = () => undefined;
+    mockGetConfig = () => ({ services: {} });
+  });
+  afterEach(() => {
+    mockProviderStore.clear();
+    mockGetProvider = () => undefined;
+  });
+  test("providers register --revoke-url and --revoke-body-template stores both fields", async () => {
+    const { exitCode } = await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-revoke-roundtrip",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--revoke-url",
+      "https://revoke.example.com",
+      "--revoke-body-template",
+      '{"token":"{access_token}"}',
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const stored = mockProviderStore.get("custom-revoke-roundtrip");
+    expect(stored).toBeDefined();
+    expect(stored?.revokeUrl).toBe("https://revoke.example.com");
+    // revokeBodyTemplate is JSON-stringified at the storage layer.
+    expect(JSON.parse(stored?.revokeBodyTemplate as string)).toEqual({
+      token: "{access_token}",
+    });
+  });
+  test("providers register without --revoke-url or --revoke-body-template stores both as null", async () => {
+    const { exitCode } = await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-no-revoke",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const stored = mockProviderStore.get("custom-no-revoke");
+    expect(stored).toBeDefined();
+    expect(stored?.revokeUrl).toBeNull();
+    expect(stored?.revokeBodyTemplate).toBeNull();
+  });
+  test("providers register with malformed --revoke-body-template fails with a JSON parse error", async () => {
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-bad-revoke",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--revoke-body-template",
+      "not-json{",
+      "--json",
+    ]);
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    // The error message comes from JSON.parse — match permissively.
+    expect(parsed.error).toMatch(/JSON|Unexpected|parse/i);
+    // Provider should not have been written.
+    expect(mockProviderStore.get("custom-bad-revoke")).toBeUndefined();
+  });
+  test("providers update --revoke-url updates only the URL", async () => {
+    // Seed an existing custom provider.
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-update-revoke-url",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--json",
+    ]);
+    expect(
+      mockProviderStore.get("custom-update-revoke-url")?.revokeUrl,
+    ).toBeNull();
+    const { exitCode } = await runCli([
+      "providers",
+      "update",
+      "custom-update-revoke-url",
+      "--revoke-url",
+      "https://new-revoke.example.com",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(mockProviderStore.get("custom-update-revoke-url")?.revokeUrl).toBe(
+      "https://new-revoke.example.com",
+    );
+    // revokeBodyTemplate should still be null (unchanged).
+    expect(
+      mockProviderStore.get("custom-update-revoke-url")?.revokeBodyTemplate,
+    ).toBeNull();
+  });
+  test("providers update --revoke-url with empty string clears the stored URL to null", async () => {
+    // Seed an existing custom provider that already has a non-null revokeUrl.
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-clear-revoke-url",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--revoke-url",
+      "https://revoke.example.com",
+      "--json",
+    ]);
+    expect(mockProviderStore.get("custom-clear-revoke-url")?.revokeUrl).toBe(
+      "https://revoke.example.com",
+    );
+    // Pass an empty string to --revoke-url — the help text promises this
+    // clears the field, so the stored value should end up as null (not "").
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "update",
+      "custom-clear-revoke-url",
+      "--revoke-url",
+      "",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(
+      mockProviderStore.get("custom-clear-revoke-url")?.revokeUrl,
+    ).toBeNull();
+    // The serialized --json output should also reflect null, not "".
+    const parsed = JSON.parse(stdout);
+    expect(parsed.revokeUrl).toBeNull();
+  });
+  test("providers update --revoke-body-template updates only the template (JSON round-trip)", async () => {
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-update-revoke-body",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--json",
+    ]);
+    const { exitCode } = await runCli([
+      "providers",
+      "update",
+      "custom-update-revoke-body",
+      "--revoke-body-template",
+      '{"token":"{access_token}","client_id":"{client_id}"}',
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const stored = mockProviderStore.get("custom-update-revoke-body");
+    expect(stored).toBeDefined();
+    expect(JSON.parse(stored?.revokeBodyTemplate as string)).toEqual({
+      token: "{access_token}",
+      client_id: "{client_id}",
+    });
+    // revokeUrl should still be null (unchanged).
+    expect(stored?.revokeUrl).toBeNull();
+  });
+  test("providers update --revoke-body-template with empty string clears the stored template to null", async () => {
+    // Seed an existing custom provider that already has a non-null
+    // revokeBodyTemplate set via register.
+    await runCli([
+      "providers",
+      "register",
+      "--provider-key",
+      "custom-clear-revoke-body",
+      "--auth-url",
+      "https://example.com/oauth/authorize",
+      "--token-url",
+      "https://example.com/oauth/token",
+      "--revoke-url",
+      "https://revoke.example.com",
+      "--revoke-body-template",
+      '{"token":"{access_token}"}',
+      "--json",
+    ]);
+    const initial = mockProviderStore.get("custom-clear-revoke-body");
+    expect(initial?.revokeBodyTemplate).toBeDefined();
+    expect(JSON.parse(initial?.revokeBodyTemplate as string)).toEqual({
+      token: "{access_token}",
+    });
+    // Pass an empty string to --revoke-body-template — the help text promises
+    // this clears the field, so the stored value should end up as null
+    // (not the string "null" or a JSON.parse crash).
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "update",
+      "custom-clear-revoke-body",
+      "--revoke-body-template",
+      "",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    expect(
+      mockProviderStore.get("custom-clear-revoke-body")?.revokeBodyTemplate,
+    ).toBeNull();
+    // The serialized --json output should also reflect null.
+    const parsed = JSON.parse(stdout);
+    expect(parsed.revokeBodyTemplate).toBeNull();
+  });
+  test("providers get google --json includes both fields populated from PR 1's seed data", async () => {
+    // Simulate the seeded "google" provider row by overriding mockGetProvider
+    // to return a row matching what PR 1's seed inserts.
+    const now = Date.now();
+    mockGetProvider = (provider: string) => {
+      if (provider !== "google") return undefined;
+      return {
+        provider: "google",
+        authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+        tokenExchangeUrl: "https://oauth2.googleapis.com/token",
+        refreshUrl: null,
+        tokenEndpointAuthMethod: "client_secret_post",
+        userinfoUrl: null,
+        baseUrl: null,
+        defaultScopes: "[]",
+        scopePolicy: "{}",
+        scopeSeparator: " ",
+        authorizeParams: null,
+        pingUrl: null,
+        pingMethod: null,
+        pingHeaders: null,
+        pingBody: null,
+        revokeUrl: "https://oauth2.googleapis.com/revoke",
+        revokeBodyTemplate: JSON.stringify({ token: "{access_token}" }),
+        managedServiceConfigKey: null,
+        displayLabel: "Google",
+        description: null,
+        dashboardUrl: null,
+        clientIdPlaceholder: null,
+        requiresClientSecret: 1,
+        loopbackPort: null,
+        injectionTemplates: null,
+        appType: null,
+        setupNotes: null,
+        identityUrl: null,
+        identityMethod: null,
+        identityHeaders: null,
+        identityBody: null,
+        identityResponsePaths: null,
+        identityFormat: null,
+        identityOkField: null,
+        featureFlag: null,
+        createdAt: now,
+        updatedAt: now,
+      };
+    };
+    const { exitCode, stdout } = await runCli([
+      "providers",
+      "get",
+      "google",
+      "--json",
+    ]);
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.revokeUrl).toBe("https://oauth2.googleapis.com/revoke");
+    expect(parsed.revokeBodyTemplate).toEqual({ token: "{access_token}" });
+  });
+});