@vellumai/assistant 0.6.1 → 0.6.3

package/src/cli/commands/oauth/connect.ts

@@ -336,6 +336,17 @@ Examples:
             // BYO PATH
             // =============================================================
 
+            // Manual-token providers (slack_channel, telegram) don't use
+            // OAuth2 browser flows — credentials are configured via
+            // `assistant credentials` or chat setup instead.
+            if (providerRow.authorizeUrl === "urn:manual-token") {
+              writeError(
+                `"${provider}" uses manual token configuration, not an OAuth browser flow. ` +
+                  `Set the token with: assistant credentials set <token_value> --service ${provider} --field <field_name>`,
+              );
+              return;
+            }
+
             // a. Resolve client credentials from the DB
             const dbApp = opts.clientId
               ? getAppByProviderAndClientId(provider, opts.clientId)
@@ -403,12 +414,15 @@ Examples:
                 writeOutput(cmd, {
                   ok: true,
                   deferred: true,
-                  authUrl: result.authUrl,
+                  // Wire key stays `authUrl` for backward compatibility with
+                  // existing CLI script consumers; the internal field on
+                  // `result` is `authorizeUrl`.
+                  authUrl: result.authorizeUrl,
                   service: result.service,
                 });
               } else {
                 process.stdout.write(
-                  `\nAuthorize with ${provider}:\n\n${result.authUrl}\n\nThe connection will complete automatically once you authorize.\n`,
+                  `\nAuthorize with ${provider}:\n\n${result.authorizeUrl}\n\nThe connection will complete automatically once you authorize.\n`,
                 );
               }
               return;

package/src/cli/commands/oauth/disconnect.ts

@@ -212,7 +212,7 @@ Examples:
               accountLabel = conn.accountInfo ?? undefined;
             } else if (opts.connectionId) {
               const conn = getConnection(opts.connectionId);
-              if (!conn || conn.providerKey !== provider) {
+              if (!conn || conn.provider !== provider) {
                 writeError(
                   `Connection "${opts.connectionId}" is not an active ${provider} connection.\n\n` +
                     `Run 'assistant oauth status ${provider}' to see active connections.`,

package/src/cli/commands/oauth/providers.ts

@@ -23,6 +23,41 @@ const log = getCliLogger("cli");
 
 const LOOPBACK_CALLBACK_PATH = "/oauth/callback";
 
+/**
+ * Resolve a logo URL from CLI flags, enforcing mutual exclusion between
+ * --logo-url and --logo-simpleicons-slug. Returns:
+ *   - `undefined` when neither flag is set (caller should leave the field unchanged)
+ *   - `null` when `--logo-url ""` is passed (clear the stored value)
+ *   - a non-empty string URL otherwise
+ * Throws when both flags are set simultaneously.
+ */
+function resolveLogoUrlFromFlags(opts: {
+  logoUrl?: string;
+  logoSimpleiconsSlug?: string;
+}): string | null | undefined {
+  if (opts.logoUrl !== undefined && opts.logoSimpleiconsSlug !== undefined) {
+    throw new Error(
+      "--logo-url and --logo-simpleicons-slug are mutually exclusive. Provide at most one.",
+    );
+  }
+  if (opts.logoSimpleiconsSlug !== undefined) {
+    const slug = opts.logoSimpleiconsSlug.trim();
+    if (!slug) {
+      throw new Error("--logo-simpleicons-slug cannot be empty.");
+    }
+    return `https://cdn.simpleicons.org/${encodeURIComponent(slug)}`;
+  }
+  if (opts.logoUrl !== undefined) {
+    // Trim whitespace so copy-paste-padded URLs don't fail to parse on the
+    // client. Empty string (after trimming) clears the stored value
+    // (matches --revoke-url semantics documented in the `update` command
+    // help text).
+    const trimmed = opts.logoUrl.trim();
+    return trimmed === "" ? null : trimmed;
+  }
+  return undefined;
+}
+
 /**
  * Resolve the redirect URI for a provider based on its loopback port.
  *
@@ -171,14 +206,14 @@ Examples:
   $ assistant oauth providers get google
   $ assistant oauth providers get twitter --json`,
     )
-    .action((providerKey: string, _opts: unknown, cmd: Command) => {
+    .action((provider: string, _opts: unknown, cmd: Command) => {
       try {
-        const row = getProvider(providerKey);
+        const row = getProvider(provider);
 
         if (!row) {
           writeOutput(cmd, {
             ok: false,
-            error: `Provider not found: "${providerKey}". Run 'assistant oauth providers list' to see all registered providers. To register a custom provider, run 'assistant oauth providers register --help'.`,
+            error: `Provider not found: "${provider}". Run 'assistant oauth providers list' to see all registered providers. To register a custom provider, run 'assistant oauth providers register --help'.`,
           });
           process.exitCode = 1;
           return;
@@ -187,7 +222,7 @@ Examples:
         if (!isProviderVisible(row, loadConfig())) {
           writeOutput(cmd, {
             ok: false,
-            error: `Provider not found: "${providerKey}". Run 'assistant oauth providers list' to see all registered providers. To register a custom provider, run 'assistant oauth providers register --help'.`,
+            error: `Provider not found: "${provider}". Run 'assistant oauth providers list' to see all registered providers. To register a custom provider, run 'assistant oauth providers register --help'.`,
           });
           process.exitCode = 1;
           return;
@@ -220,12 +255,20 @@ Examples:
       "--token-url <url>",
       "OAuth token endpoint URL (e.g. https://oauth2.example.com/token)",
     )
+    .option(
+      "--refresh-url <url>",
+      "OAuth token refresh endpoint URL. Defaults to --token-url when omitted. Set this when the provider uses a different endpoint for the refresh_token grant than for the authorization_code grant.",
+    )
     .option("--base-url <url>", "API base URL for the service")
     .option("--userinfo-url <url>", "OpenID Connect userinfo endpoint URL")
     .option(
       "--scopes <scopes>",
       'Comma-separated default scopes (e.g. "read,write,profile")',
     )
+    .option(
+      "--scope-separator <sep>",
+      'Separator used to join scopes in the authorize URL (default: " "). Use "," for providers like Linear that expect comma-separated scopes.',
+    )
     .option(
       "--token-auth-method <method>",
       'How the client authenticates at the token endpoint: "client_secret_post" or "client_secret_basic"',
@@ -246,6 +289,14 @@ Examples:
       "--ping-body <json>",
       'JSON body to send with the ping request (e.g. \'{"query":"{ viewer { id } }"}\')',
     )
+    .option(
+      "--revoke-url <url>",
+      'OAuth token revocation endpoint URL. Called best-effort during disconnect to invalidate the access token upstream (e.g. "https://oauth2.googleapis.com/revoke"). When omitted, disconnect is local-only — the upstream token is left valid until it naturally expires.',
+    )
+    .option(
+      "--revoke-body-template <json>",
+      'JSON object body template for the revoke request, supporting {access_token} and {client_id} substitution (e.g. \'{"token":"{access_token}","client_id":"{client_id}"}\'). The body is form-encoded and POSTed to --revoke-url.',
+    )
     .option(
       "--display-name <name>",
       "Human-readable display name for the provider",
@@ -255,6 +306,14 @@ Examples:
       "--dashboard-url <url>",
       "URL to the provider's developer console / dashboard",
     )
+    .option(
+      "--logo-url <url>",
+      "URL to the provider's logo image (SVG or PNG). Mutually exclusive with --logo-simpleicons-slug.",
+    )
+    .option(
+      "--logo-simpleicons-slug <slug>",
+      'Simple Icons slug (e.g. "notion", "linear"). Resolves to https://cdn.simpleicons.org/<slug>. Mutually exclusive with --logo-url.',
+    )
     .option(
       "--client-id-placeholder <text>",
       "Placeholder text shown in the client ID input field",
@@ -340,6 +399,17 @@ Examples:
       --ping-url https://example.com/graphql \\
       --ping-method POST \\
       --ping-body '{"query":"{ viewer { id } }"}'
+  $ assistant oauth providers register \\
+      --provider-key linear-custom \\
+      --auth-url https://linear.app/oauth/authorize \\
+      --token-url https://api.linear.app/oauth/token \\
+      --scopes read,write \\
+      --scope-separator ","
+  $ assistant oauth providers register \\
+      --provider-key split-grants \\
+      --auth-url https://example.com/oauth/authorize \\
+      --token-url https://example.com/oauth/token \\
+      --refresh-url https://example.com/oauth/refresh
   $ assistant oauth providers register \\
       --provider-key my-api \\
       --auth-url https://example.com/auth \\
@@ -347,7 +417,18 @@ Examples:
       --loopback-port 17400 \\
       --injection-templates '[{"hostPattern":"api.example.com","injectionType":"header","headerName":"Authorization","valuePrefix":"Bearer "}]' \\
       --identity-url https://api.example.com/me \\
-      --identity-response-paths email,name`,
+      --identity-response-paths email,name
+  $ assistant oauth providers register \\
+      --provider-key custom-revokable \\
+      --auth-url https://example.com/oauth/authorize \\
+      --token-url https://example.com/oauth/token \\
+      --revoke-url https://example.com/oauth/revoke \\
+      --revoke-body-template '{"token":"{access_token}","client_id":"{client_id}"}'
+  $ assistant oauth providers register \\
+      --provider-key notion-custom \\
+      --auth-url https://api.notion.com/v1/oauth/authorize \\
+      --token-url https://api.notion.com/v1/oauth/token \\
+      --logo-simpleicons-slug notion`,
     )
     .action(
       (
@@ -355,17 +436,23 @@ Examples:
           providerKey: string;
           authUrl: string;
           tokenUrl: string;
+          refreshUrl?: string;
           baseUrl?: string;
           userinfoUrl?: string;
           scopes?: string;
+          scopeSeparator?: string;
           tokenAuthMethod?: string;
           pingUrl?: string;
           pingMethod?: string;
           pingHeaders?: string;
           pingBody?: string;
+          revokeUrl?: string;
+          revokeBodyTemplate?: string;
           displayName?: string;
           description?: string;
           dashboardUrl?: string;
+          logoUrl?: string;
+          logoSimpleiconsSlug?: string;
           clientIdPlaceholder?: string;
           clientSecret: boolean;
           loopbackPort?: string;
@@ -383,14 +470,23 @@ Examples:
         cmd: Command,
       ) => {
         try {
+          const resolvedLogoUrl = resolveLogoUrlFromFlags(opts);
+          if (resolvedLogoUrl === null) {
+            throw new Error(
+              "Cannot clear logo_url with empty --logo-url during registration. Omit the flag instead.",
+            );
+          }
+
           const row = registerProvider({
-            providerKey: opts.providerKey,
-            authUrl: opts.authUrl,
-            tokenUrl: opts.tokenUrl,
+            provider: opts.providerKey,
+            authorizeUrl: opts.authUrl,
+            tokenExchangeUrl: opts.tokenUrl,
+            refreshUrl: opts.refreshUrl,
             baseUrl: opts.baseUrl,
             userinfoUrl: opts.userinfoUrl,
             defaultScopes: opts.scopes ? opts.scopes.split(",") : [],
             scopePolicy: {},
+            scopeSeparator: opts.scopeSeparator,
             tokenEndpointAuthMethod: opts.tokenAuthMethod,
             pingUrl: opts.pingUrl,
             pingMethod: opts.pingMethod,
@@ -398,9 +494,14 @@ Examples:
               ? JSON.parse(opts.pingHeaders)
               : undefined,
             pingBody: opts.pingBody ? JSON.parse(opts.pingBody) : undefined,
-            displayName: opts.displayName,
+            revokeUrl: opts.revokeUrl,
+            revokeBodyTemplate: opts.revokeBodyTemplate
+              ? JSON.parse(opts.revokeBodyTemplate)
+              : undefined,
+            displayLabel: opts.displayName,
             description: opts.description,
             dashboardUrl: opts.dashboardUrl,
+            logoUrl: resolvedLogoUrl,
             clientIdPlaceholder: opts.clientIdPlaceholder,
             requiresClientSecret: opts.clientSecret ? 1 : 0,
             loopbackPort: opts.loopbackPort
@@ -455,12 +556,20 @@ Examples:
       "--token-url <url>",
       "OAuth token endpoint URL (e.g. https://oauth2.example.com/token)",
     )
+    .option(
+      "--refresh-url <url>",
+      "OAuth token refresh endpoint URL. Defaults to --token-url when omitted. Set this when the provider uses a different endpoint for the refresh_token grant than for the authorization_code grant.",
+    )
     .option("--base-url <url>", "API base URL for the service")
     .option("--userinfo-url <url>", "OpenID Connect userinfo endpoint URL")
     .option(
       "--scopes <scopes>",
       'Comma-separated default scopes (e.g. "read,write,profile")',
     )
+    .option(
+      "--scope-separator <sep>",
+      'Separator used to join scopes in the authorize URL (default: " "). Use "," for providers like Linear that expect comma-separated scopes.',
+    )
     .option(
       "--token-auth-method <method>",
       'How the client authenticates at the token endpoint: "client_secret_post" or "client_secret_basic"',
@@ -481,6 +590,14 @@ Examples:
       "--ping-body <json>",
       'JSON body to send with the ping request (e.g. \'{"query":"{ viewer { id } }"}\')',
     )
+    .option(
+      "--revoke-url <url>",
+      "OAuth token revocation endpoint URL. Called best-effort during disconnect to invalidate the access token upstream. Pass an empty string to clear.",
+    )
+    .option(
+      "--revoke-body-template <json>",
+      "JSON object body template for the revoke request, supporting {access_token} and {client_id} substitution. Pass an empty string to clear.",
+    )
     .option(
       "--display-name <name>",
       "Human-readable display name for the provider",
@@ -490,6 +607,14 @@ Examples:
       "--dashboard-url <url>",
       "URL to the provider's developer console / dashboard",
     )
+    .option(
+      "--logo-url <url>",
+      "URL to the provider's logo image (SVG or PNG). Mutually exclusive with --logo-simpleicons-slug.",
+    )
+    .option(
+      "--logo-simpleicons-slug <slug>",
+      'Simple Icons slug (e.g. "notion", "linear"). Resolves to https://cdn.simpleicons.org/<slug>. Mutually exclusive with --logo-url.',
+    )
     .option(
       "--client-id-placeholder <text>",
       "Placeholder text shown in the client ID input field",
@@ -562,29 +687,42 @@ Examples:
   $ assistant oauth providers update custom-api --display-name "My Custom API"
   $ assistant oauth providers update custom-api --scopes read,write --auth-url https://new.example.com/auth
   $ assistant oauth providers update custom-api --ping-url https://api.example.com/me --json
+  $ assistant oauth providers update custom-api --scope-separator ","
+  $ assistant oauth providers update custom-api --refresh-url https://example.com/oauth/refresh
   $ assistant oauth providers update custom-api \\
       --identity-url https://api.example.com/me \\
       --identity-response-paths email,name
   $ assistant oauth providers update custom-api \\
-      --injection-templates '[{"hostPattern":"api.example.com","injectionType":"header","headerName":"Authorization","valuePrefix":"Bearer "}]'`,
+      --injection-templates '[{"hostPattern":"api.example.com","injectionType":"header","headerName":"Authorization","valuePrefix":"Bearer "}]'
+  $ assistant oauth providers update custom-api \\
+      --revoke-url https://api.example.com/oauth/revoke \\
+      --revoke-body-template '{"token":"{access_token}"}'
+  $ assistant oauth providers update custom-api --logo-simpleicons-slug notion
+  $ assistant oauth providers update custom-api --logo-url ""`,
     )
     .action(
       (
-        providerKey: string,
+        provider: string,
         opts: {
           authUrl?: string;
           tokenUrl?: string;
+          refreshUrl?: string;
           baseUrl?: string;
           userinfoUrl?: string;
           scopes?: string;
+          scopeSeparator?: string;
           tokenAuthMethod?: string;
           pingUrl?: string;
           pingMethod?: string;
           pingHeaders?: string;
           pingBody?: string;
+          revokeUrl?: string;
+          revokeBodyTemplate?: string;
           displayName?: string;
           description?: string;
           dashboardUrl?: string;
+          logoUrl?: string;
+          logoSimpleiconsSlug?: string;
           clientIdPlaceholder?: string;
           clientSecret: boolean;
           loopbackPort?: string;
@@ -603,11 +741,11 @@ Examples:
       ) => {
         try {
           // Verify provider exists
-          const existing = getProvider(providerKey);
+          const existing = getProvider(provider);
           if (!existing) {
             writeOutput(cmd, {
               ok: false,
-              error: `Provider "${providerKey}" not found. Run 'assistant oauth providers list' to see all registered providers.`,
+              error: `Provider "${provider}" not found. Run 'assistant oauth providers list' to see all registered providers.`,
             });
             process.exitCode = 1;
             return;
@@ -616,17 +754,17 @@ Examples:
           if (!isProviderVisible(existing, loadConfig())) {
             writeOutput(cmd, {
               ok: false,
-              error: `Provider "${providerKey}" not found. Run 'assistant oauth providers list' to see all registered providers.`,
+              error: `Provider "${provider}" not found. Run 'assistant oauth providers list' to see all registered providers.`,
             });
             process.exitCode = 1;
             return;
           }
 
           // Block updates to built-in providers
-          if (SEEDED_PROVIDER_KEYS.has(providerKey)) {
+          if (SEEDED_PROVIDER_KEYS.has(provider)) {
             writeOutput(cmd, {
               ok: false,
-              error: `Cannot update built-in provider "${providerKey}". Built-in providers are managed by the system and reset on startup. To create a custom provider with different settings, use 'assistant oauth providers register --provider-key <your-custom-key> ...'`,
+              error: `Cannot update built-in provider "${provider}". Built-in providers are managed by the system and reset on startup. To create a custom provider with different settings, use 'assistant oauth providers register --provider-key <your-custom-key> ...'`,
             });
             process.exitCode = 1;
             return;
@@ -635,13 +773,18 @@ Examples:
           // Build params object from provided options, omitting undefined values
           const params: Record<string, unknown> = {};
 
-          if (opts.authUrl !== undefined) params.authUrl = opts.authUrl;
-          if (opts.tokenUrl !== undefined) params.tokenUrl = opts.tokenUrl;
+          if (opts.authUrl !== undefined) params.authorizeUrl = opts.authUrl;
+          if (opts.tokenUrl !== undefined)
+            params.tokenExchangeUrl = opts.tokenUrl;
+          if (opts.refreshUrl !== undefined)
+            params.refreshUrl = opts.refreshUrl;
           if (opts.baseUrl !== undefined) params.baseUrl = opts.baseUrl;
           if (opts.userinfoUrl !== undefined)
             params.userinfoUrl = opts.userinfoUrl;
           if (opts.scopes !== undefined)
             params.defaultScopes = opts.scopes.split(",");
+          if (opts.scopeSeparator !== undefined)
+            params.scopeSeparator = opts.scopeSeparator;
           if (opts.tokenAuthMethod !== undefined)
             params.tokenEndpointAuthMethod = opts.tokenAuthMethod;
           if (opts.pingUrl !== undefined) params.pingUrl = opts.pingUrl;
@@ -651,8 +794,24 @@ Examples:
             params.pingHeaders = JSON.parse(opts.pingHeaders);
           if (opts.pingBody !== undefined)
             params.pingBody = JSON.parse(opts.pingBody);
+          if (opts.revokeUrl !== undefined) {
+            // Empty string means "clear" — normalize to null so the stored
+            // value matches the "disabled" semantics documented in the help
+            // text. `updateProvider`'s Partial type accepts `string | null`
+            // for this field so drizzle writes `null` to clear the column.
+            params.revokeUrl = opts.revokeUrl === "" ? null : opts.revokeUrl;
+          }
+          if (opts.revokeBodyTemplate !== undefined) {
+            // Empty string means "clear" — normalize to null to match --revoke-url's
+            // empty-string-clear semantics documented in the help text. The
+            // updateProvider type accepts `Record<string, string> | null` for this.
+            params.revokeBodyTemplate =
+              opts.revokeBodyTemplate === ""
+                ? null
+                : JSON.parse(opts.revokeBodyTemplate);
+          }
           if (opts.displayName !== undefined)
-            params.displayName = opts.displayName;
+            params.displayLabel = opts.displayName;
           if (opts.description !== undefined)
             params.description = opts.description;
           if (opts.dashboardUrl !== undefined)
@@ -660,6 +819,11 @@ Examples:
           if (opts.clientIdPlaceholder !== undefined)
             params.clientIdPlaceholder = opts.clientIdPlaceholder;
 
+          const resolvedLogoUrl = resolveLogoUrlFromFlags(opts);
+          if (resolvedLogoUrl !== undefined) {
+            params.logoUrl = resolvedLogoUrl;
+          }
+
           // Handle the negated --no-client-* flag: Commander defaults
           // opts.clientSecret to true; the negated form sets it to false.
           // Use getOptionValueSource to detect explicit user intent.
@@ -701,7 +865,7 @@ Examples:
             return;
           }
 
-          const row = updateProvider(providerKey, params);
+          const row = updateProvider(provider, params);
 
           writeOutput(cmd, parseProviderRow(row));
         } catch (err) {
@@ -747,53 +911,53 @@ Examples:
   $ assistant oauth providers delete custom-api --force --json`,
     )
     .action(
-      async (providerKey: string, opts: { force?: boolean }, cmd: Command) => {
+      async (provider: string, opts: { force?: boolean }, cmd: Command) => {
         try {
-          const provider = getProvider(providerKey);
-          if (!provider) {
+          const providerRow = getProvider(provider);
+          if (!providerRow) {
             writeOutput(cmd, {
               ok: false,
-              error: `Provider not found: "${providerKey}". Run 'assistant oauth providers list' to see all registered providers.`,
+              error: `Provider not found: "${provider}". Run 'assistant oauth providers list' to see all registered providers.`,
             });
             process.exitCode = 1;
             return;
           }
 
-          if (!isProviderVisible(provider, loadConfig())) {
+          if (!isProviderVisible(providerRow, loadConfig())) {
             writeOutput(cmd, {
               ok: false,
-              error: `Provider not found: "${providerKey}". Run 'assistant oauth providers list' to see all registered providers.`,
+              error: `Provider not found: "${provider}". Run 'assistant oauth providers list' to see all registered providers.`,
             });
             process.exitCode = 1;
             return;
           }
 
-          if (SEEDED_PROVIDER_KEYS.has(providerKey) && !opts.force) {
+          if (SEEDED_PROVIDER_KEYS.has(provider) && !opts.force) {
             log.info(
-              `Note: "${providerKey}" is a built-in provider and will be re-created on next startup.`,
+              `Note: "${provider}" is a built-in provider and will be re-created on next startup.`,
             );
           }
 
           const dependentApps = listApps().filter(
-            (a) => a.providerKey === providerKey,
+            (a) => a.provider === provider,
           );
-          const dependentConnections = listConnections(providerKey);
+          const dependentConnections = listConnections(provider);
           const appCount = dependentApps.length;
           const connCount = dependentConnections.length;
 
           if ((appCount > 0 || connCount > 0) && !opts.force) {
             writeOutput(cmd, {
               ok: false,
-              error: `Cannot delete provider "${providerKey}": ${appCount} app(s) and ${connCount} connection(s) depend on it. Use --force to cascade-delete all dependent apps and connections, or remove them manually first with 'assistant oauth apps delete' and 'assistant oauth disconnect'.`,
+              error: `Cannot delete provider "${provider}": ${appCount} app(s) and ${connCount} connection(s) depend on it. Use --force to cascade-delete all dependent apps and connections, or remove them manually first with 'assistant oauth apps delete' and 'assistant oauth disconnect'.`,
             });
             process.exitCode = 1;
             return;
           }
 
           // Warn about built-in providers when --force is used
-          if (SEEDED_PROVIDER_KEYS.has(providerKey) && opts.force) {
+          if (SEEDED_PROVIDER_KEYS.has(provider) && opts.force) {
             log.info(
-              `Note: "${providerKey}" is a built-in provider and will be re-created on next startup.`,
+              `Note: "${provider}" is a built-in provider and will be re-created on next startup.`,
             );
           }
 
@@ -802,7 +966,7 @@ Examples:
           // storage in addition to deleting the connection DB row.
           for (const conn of dependentConnections) {
             const result = await disconnectOAuthProvider(
-              providerKey,
+              provider,
               undefined,
               conn.id as string,
             );
@@ -816,10 +980,10 @@ Examples:
           for (const app of dependentApps) {
             await deleteApp(app.id);
           }
-          deleteProvider(providerKey);
+          deleteProvider(provider);
 
           if (!shouldOutputJson(cmd)) {
-            log.info(`Deleted provider: ${providerKey}`);
+            log.info(`Deleted provider: ${provider}`);
           }
 
           writeOutput(cmd, {

package/src/cli/commands/oauth/shared.ts

@@ -30,9 +30,9 @@ export interface PlatformConnectionEntry {
  * lookup so that callers (e.g. `isManagedMode`, `mode.ts`) don't duplicate the
  * validation.
  */
-export function getManagedServiceConfigKey(providerKey: string): string | null {
-  const provider = getProvider(providerKey);
-  const managedKey = provider?.managedServiceConfigKey;
+export function getManagedServiceConfigKey(provider: string): string | null {
+  const providerRow = getProvider(provider);
+  const managedKey = providerRow?.managedServiceConfigKey;
   if (!managedKey || !(managedKey in ServicesSchema.shape)) return null;
   return managedKey;
 }
@@ -41,8 +41,8 @@ export function getManagedServiceConfigKey(providerKey: string): string | null {
  * Determine whether a provider is running in platform-managed mode.
  * Returns false if config is unavailable (e.g. in test environments).
  */
-export function isManagedMode(providerKey: string): boolean {
-  const managedKey = getManagedServiceConfigKey(providerKey);
+export function isManagedMode(provider: string): boolean {
+  const managedKey = getManagedServiceConfigKey(provider);
   if (!managedKey) return false;
   try {
     const services: Services = getConfig().services;