@vellumai/assistant 0.6.1 → 0.6.3

package/src/memory/migrations/index.ts

@@ -154,6 +154,12 @@ export { migrateStripThinkingFromConsolidated } from "./209-strip-thinking-from-
 export { migrateScheduleReuseConversation } from "./210-schedule-reuse-conversation.js";
 export { migrateMemoryRecallLogsQueryContext } from "./211-memory-recall-logs-query-context.js";
 export { migrateLlmRequestLogsCreatedAtIndex } from "./212-llm-request-logs-created-at-index.js";
+export { migrateOAuthProvidersScopeSeparator } from "./213-oauth-providers-scope-separator.js";
+export { migrateOAuthProvidersRefreshUrl } from "./214-oauth-providers-refresh-url.js";
+export { migrateOAuthProvidersRevoke } from "./215-oauth-providers-revoke.js";
+export { migrateOAuthProvidersTokenAuthMethodDefault } from "./216-oauth-providers-token-auth-method.js";
+export { migrateConversationHostAccess } from "./217-conversation-host-access.js";
+export { migrateOAuthProvidersLogoUrl } from "./218-oauth-providers-logo-url.js";
 export {
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,

package/src/memory/migrations/registry.ts

@@ -41,6 +41,7 @@ import { migrateAddSourceTypeColumnsDown } from "./193-add-source-type-columns.j
 import { migrateStripIntegrationPrefixFromProviderKeysDown } from "./196-strip-integration-prefix-from-provider-keys.js";
 import { migrateRenameMemoryGraphTypeValuesDown } from "./204-rename-memory-graph-type-values.js";
 import { migrateScrubCorruptedImageAttachmentsDown } from "./206-scrub-corrupted-image-attachments.js";
+import { downConversationHostAccess } from "./217-conversation-host-access.js";
 
 export interface MigrationRegistryEntry {
   /** The checkpoint key written to memory_checkpoints on completion. */
@@ -357,6 +358,13 @@ export const MIGRATION_REGISTRY: MigrationRegistryEntry[] = [
       "Remove image attachments containing HTML error pages instead of image data",
     down: migrateScrubCorruptedImageAttachmentsDown,
   },
+  {
+    key: "migration_conversation_host_access_v1",
+    version: 41,
+    description:
+      "Add a host_access column to conversations so computer access is persisted per conversation with a safe default of disabled",
+    down: downConversationHostAccess,
+  },
 ];
 
 export function getMaxMigrationVersion(): number {

package/src/memory/schema/conversations.ts

@@ -28,6 +28,7 @@ export const conversations = sqliteTable(
     originInterface: text("origin_interface"),
     forkParentConversationId: text("fork_parent_conversation_id"),
     forkParentMessageId: text("fork_parent_message_id"),
+    hostAccess: integer("host_access").notNull().default(0),
     isAutoTitle: integer("is_auto_title").notNull().default(1),
     scheduleJobId: text("schedule_job_id"),
     lastMessageAt: integer("last_message_at"),

package/src/memory/schema/oauth.ts

@@ -7,24 +7,31 @@ import {
 } from "drizzle-orm/sqlite-core";
 
 export const oauthProviders = sqliteTable("oauth_providers", {
-  providerKey: text("provider_key").primaryKey(),
-  authUrl: text("auth_url").notNull(),
-  tokenUrl: text("token_url").notNull(),
-  tokenEndpointAuthMethod: text("token_endpoint_auth_method"),
+  provider: text("provider_key").primaryKey(),
+  authorizeUrl: text("auth_url").notNull(),
+  tokenExchangeUrl: text("token_url").notNull(),
+  refreshUrl: text("refresh_url"),
+  tokenEndpointAuthMethod: text("token_endpoint_auth_method")
+    .notNull()
+    .default("client_secret_post"),
   userinfoUrl: text("userinfo_url"),
   baseUrl: text("base_url"),
   defaultScopes: text("default_scopes").notNull().default("[]"),
   scopePolicy: text("scope_policy").notNull().default("{}"),
-  extraParams: text("extra_params"),
+  scopeSeparator: text("scope_separator").notNull().default(" "),
+  authorizeParams: text("extra_params"),
   pingUrl: text("ping_url"),
   pingMethod: text("ping_method"),
   pingHeaders: text("ping_headers"),
   pingBody: text("ping_body"),
+  revokeUrl: text("revoke_url"),
+  revokeBodyTemplate: text("revoke_body_template"),
   managedServiceConfigKey: text("managed_service_config_key"),
-  displayName: text("display_name"),
+  displayLabel: text("display_name"),
   description: text("description"),
   dashboardUrl: text("dashboard_url"),
   clientIdPlaceholder: text("client_id_placeholder"),
+  logoUrl: text("logo_url"),
   requiresClientSecret: integer("requires_client_secret").notNull().default(1),
   loopbackPort: integer("loopback_port"),
   injectionTemplates: text("injection_templates"),
@@ -46,9 +53,9 @@ export const oauthApps = sqliteTable(
   "oauth_apps",
   {
     id: text("id").primaryKey(),
-    providerKey: text("provider_key")
+    provider: text("provider_key")
       .notNull()
-      .references(() => oauthProviders.providerKey),
+      .references(() => oauthProviders.provider),
     clientId: text("client_id").notNull(),
     clientSecretCredentialPath: text("client_secret_credential_path").notNull(),
     createdAt: integer("created_at").notNull(),
@@ -56,7 +63,7 @@ export const oauthApps = sqliteTable(
   },
   (table) => [
     uniqueIndex("idx_oauth_apps_provider_client").on(
-      table.providerKey,
+      table.provider,
       table.clientId,
     ),
   ],
@@ -69,7 +76,7 @@ export const oauthConnections = sqliteTable(
     oauthAppId: text("oauth_app_id")
       .notNull()
       .references(() => oauthApps.id),
-    providerKey: text("provider_key").notNull(),
+    provider: text("provider_key").notNull(),
     accountInfo: text("account_info"),
     grantedScopes: text("granted_scopes").notNull().default("[]"),
     expiresAt: integer("expires_at"),
@@ -80,7 +87,5 @@ export const oauthConnections = sqliteTable(
     createdAt: integer("created_at").notNull(),
     updatedAt: integer("updated_at").notNull(),
   },
-  (table) => [
-    index("idx_oauth_connections_provider_key").on(table.providerKey),
-  ],
+  (table) => [index("idx_oauth_connections_provider_key").on(table.provider)],
 );

package/src/messaging/provider.ts

@@ -25,7 +25,7 @@ export interface MessagingProvider {
   id: string;
   /** Human-readable name (e.g. 'Slack', 'Gmail'). */
   displayName: string;
-  /** Credential service name for token-manager (e.g. 'integration:slack'). */
+  /** Credential service name for token-manager (e.g. 'slack'). */
   credentialService: string;
 
   // ── Universal operations (every platform must implement) ──────────

package/src/notifications/broadcaster.ts

@@ -41,6 +41,10 @@ export interface ConversationCreatedInfo {
   sourceEventName: string;
   /** Present when the conversation is for a guardian-sensitive notification. */
   targetGuardianPrincipalId?: string;
+  /** Conversation group identifier from the signal producer (e.g. "system:scheduled"). */
+  groupId?: string;
+  /** Semantic source from the signal producer (e.g. "schedule", "reminder"). */
+  source?: string;
 }
 export type OnConversationCreatedFn = (info: ConversationCreatedInfo) => void;
 export interface BroadcastDecisionOptions {
@@ -238,6 +242,8 @@ export class NotificationBroadcaster {
           title: conversationTitle,
           sourceEventName: signal.sourceEventName,
           targetGuardianPrincipalId,
+          groupId: signal.conversationMetadata?.groupId,
+          source: signal.conversationMetadata?.source,
         };
 
         // The per-dispatch onConversationCreated callback fires whenever a vellum

package/src/notifications/conversation-pairing.ts

@@ -130,7 +130,9 @@ export async function pairDeliveryWithConversation(
       const targetId = conversationAction.conversationId;
       const existing = getConversation(targetId);
 
-      if (existing && existing.source === "notification") {
+      const effectiveSource =
+        signal.conversationMetadata?.source ?? "notification";
+      if (existing && existing.source === effectiveSource) {
         // Append the seed message to the existing conversation
         const message = await addMessage(
           existing.id,
@@ -186,7 +188,9 @@ export async function pairDeliveryWithConversation(
       const conversation = createConversation({
         title,
         conversationType,
-        source: "notification",
+        source: signal.conversationMetadata?.source ?? "notification",
+        groupId: signal.conversationMetadata?.groupId,
+        scheduleJobId: signal.conversationMetadata?.scheduleJobId,
       });
 
       const message = await addMessage(
@@ -241,7 +245,9 @@ export async function pairDeliveryWithConversation(
           existingBinding.conversationId,
         );
 
-        if (boundConversation && boundConversation.source === "notification") {
+        const effectiveSource =
+          signal.conversationMetadata?.source ?? "notification";
+        if (boundConversation && boundConversation.source === effectiveSource) {
           const message = await addMessage(
             boundConversation.id,
             "assistant",
@@ -299,7 +305,9 @@ export async function pairDeliveryWithConversation(
     const conversation = createConversation({
       title,
       conversationType,
-      source: "notification",
+      source: signal.conversationMetadata?.source ?? "notification",
+      groupId: signal.conversationMetadata?.groupId,
+      scheduleJobId: signal.conversationMetadata?.scheduleJobId,
     });
 
     // Skip memory indexing — notification audit messages are not conversational

package/src/notifications/emit-signal.ts

@@ -79,6 +79,8 @@ function getBroadcaster(): NotificationBroadcaster {
           title: info.title,
           sourceEventName: info.sourceEventName,
           targetGuardianPrincipalId: info.targetGuardianPrincipalId,
+          groupId: info.groupId,
+          source: info.source,
         });
         log.info(
           {
@@ -176,6 +178,17 @@ export interface EmitSignalParams<TEventName extends string = string> {
    * Useful for direct user-invoked actions that must fail closed.
    */
   throwOnError?: boolean;
+  /**
+   * Optional metadata propagated to the conversation created by the notification
+   * pipeline. Allows signal producers (e.g. the scheduler) to set groupId,
+   * scheduleJobId, or override the default "notification" source on the
+   * resulting conversation so it appears in the correct folder on clients.
+   */
+  conversationMetadata?: {
+    groupId?: string;
+    scheduleJobId?: string;
+    source?: string;
+  };
 }
 
 export interface EmitSignalResult {
@@ -210,6 +223,7 @@ export async function emitNotificationSignal<TEventName extends string>(
     routingIntent: params.routingIntent,
     routingHints: params.routingHints,
     conversationAffinityHint: params.conversationAffinityHint,
+    conversationMetadata: params.conversationMetadata,
   };
 
   try {

package/src/notifications/signal.ts

@@ -200,4 +200,15 @@ export interface NotificationSignal<TEventName extends string = string> {
    * affinity within a call session.
    */
   conversationAffinityHint?: Partial<Record<string, string>>;
+  /**
+   * Optional metadata propagated to the conversation created by the notification
+   * pipeline. Allows signal producers (e.g. the scheduler) to set groupId,
+   * scheduleJobId, or override the default "notification" source on the
+   * resulting conversation so it appears in the correct folder on clients.
+   */
+  conversationMetadata?: {
+    groupId?: string;
+    scheduleJobId?: string;
+    source?: string;
+  };
 }

package/src/oauth/AGENTS.md

@@ -0,0 +1,76 @@
+# OAuth — Agent Instructions
+
+## Adding a New First-Class Provider
+
+When introducing a new built-in OAuth integration (one that appears in `seed-providers.ts`), touch each of the following areas. Items marked _(managed only)_ apply only when the provider supports platform-provided credentials.
+
+### 1. Seed the provider — `seed-providers.ts`
+
+Add an entry to `PROVIDER_SEED_DATA`. Required fields: `provider`, `authorizeUrl`, `tokenExchangeUrl`, `defaultScopes`, `scopePolicy`, `displayLabel`, `description`, `dashboardUrl`, `clientIdPlaceholder`, `logoUrl`, and `injectionTemplates`. See existing entries for the full shape. The `provider` key must be snake_case and is used as the canonical identifier everywhere else.
+
+If the provider will support managed mode, set `managedServiceConfigKey` to a slug matching the key you will add to `ServicesSchema` (e.g. `"acme-oauth"`).
+
+### 2. _(managed only)_ Add a service schema — `../config/schemas/services.ts`
+
+Create a schema and export its type:
+
+```ts
+export const AcmeOAuthServiceSchema = BaseServiceSchema.extend({
+  mode: ServiceModeSchema.default("your-own"),
+});
+export type AcmeOAuthService = z.infer<typeof AcmeOAuthServiceSchema>;
+```
+
+Then add the key to `ServicesSchema`:
+
+```ts
+"acme-oauth": AcmeOAuthServiceSchema.default(AcmeOAuthServiceSchema.parse({})),
+```
+
+The key here **must** match the `managedServiceConfigKey` in `seed-providers.ts`. The cross-repo invariant test in `__tests__/seed-providers-managed.test.ts` will fail if they drift.
+
+### 3. _(managed only)_ Enable by default during onboarding — `clients/macos/.../HatchingStepView.swift`
+
+In `buildOnboardingConfigValues()`, add a line so managed-sign-in users get the integration pre-enabled:
+
+```swift
+configValues["services.acme-oauth.mode"] = "managed"
+```
+
+### 4. Add a cached logo — `clients/shared/Resources/IntegrationLogos/`
+
+Drop a **vector PDF** named `{provider_key}.pdf` (e.g. `acme.pdf`) into the `IntegrationLogos/` directory. The file is automatically bundled via `.copy()` in `clients/Package.swift` and looked up at runtime by `IntegrationLogoBundle` using the provider key — no code changes needed.
+
+Most existing logos come from [Simple Icons](https://simpleicons.org) (CC0-licensed). To get a PDF from Simple Icons:
+
+1. Find the icon slug on https://simpleicons.org (e.g. `slack`, `linear`).
+2. Download the SVG: `curl -o acme.svg https://raw.githubusercontent.com/simple-icons/simple-icons/develop/icons/acme.svg`
+3. Convert to PDF using `rsvg-convert` (same tool used by `clients/scripts/sync-lucide-icons.sh`):
+   ```bash
+   # Install if needed: brew install librsvg
+   rsvg-convert -f pdf -o clients/shared/Resources/IntegrationLogos/acme.pdf acme.svg
+   ```
+4. Add the provider key to `clients/shared/Resources/integration-logos-manifest.json`.
+
+If the service is not on Simple Icons, source or create an SVG and convert it the same way. The result must be a true vector PDF (not a rasterized image wrapped in PDF) so it scales cleanly.
+
+The `logoUrl` field in `seed-providers.ts` still serves as the remote fallback (typically a Simple Icons CDN URL like `https://cdn.simpleicons.org/acme`). The client renders the local PDF first, then falls back to `logoUrl`, then to an initials avatar.
+
+### 5. Secret patterns (if applicable) — `../security/secret-patterns.ts`
+
+If the provider issues API keys with a recognizable prefix (e.g. `acme_sk_`), add a `PREFIX_PATTERNS` entry. OAuth-only services with opaque access tokens do not need one. See `../security/AGENTS.md` for details.
+
+### 6. Feature-flag gating (optional) — `seed-providers.ts`
+
+Set `featureFlag: "acme-oauth"` in the seed entry and register the flag in `meta/feature-flags/feature-flag-registry.json` to hide the provider until the flag is enabled. Omit `featureFlag` to make the provider visible immediately.
+
+### What you do NOT need to change
+
+The following are wired automatically once `PROVIDER_SEED_DATA` has an entry:
+
+- **Connection resolver** (`connection-resolver.ts`) — routes managed vs. BYO based on config.
+- **CLI commands** (`../cli/commands/oauth/`) — `providers list`, `providers get`, `connect`, `disconnect`, etc.
+- **Runtime API** (`../runtime/routes/oauth-providers.ts`) — `GET /v1/oauth/providers` and related endpoints.
+- **Gateway proxy** (`gateway/src/http/routes/oauth-providers-proxy.ts`) — forwards to the runtime.
+- **OAuth store** (`oauth-store.ts`) — seeding uses upsert; schema already supports arbitrary providers.
+- **Provider serialization** (`provider-serializer.ts`) — generic over all providers.

package/src/oauth/__tests__/identity-verifier.test.ts

@@ -24,29 +24,34 @@ afterEach(() => {
 // ---------------------------------------------------------------------------
 
 function makeProviderRow(
-  overrides: Partial<OAuthProviderRow> & { providerKey: string },
+  overrides: Partial<OAuthProviderRow> & { provider: string },
 ): OAuthProviderRow {
   const now = Date.now();
-  const { providerKey, ...rest } = overrides;
+  const { provider, ...rest } = overrides;
   return {
-    providerKey,
-    authUrl: "https://example.com/auth",
-    tokenUrl: "https://example.com/token",
-    tokenEndpointAuthMethod: null,
+    provider,
+    authorizeUrl: "https://example.com/auth",
+    tokenExchangeUrl: "https://example.com/token",
+    refreshUrl: null,
+    tokenEndpointAuthMethod: "client_secret_post",
     userinfoUrl: null,
     baseUrl: null,
     defaultScopes: "[]",
     scopePolicy: "{}",
-    extraParams: null,
+    scopeSeparator: " ",
+    authorizeParams: null,
     pingUrl: null,
     pingMethod: null,
     pingHeaders: null,
     pingBody: null,
+    revokeUrl: null,
+    revokeBodyTemplate: null,
     managedServiceConfigKey: null,
-    displayName: null,
+    displayLabel: null,
     description: null,
     dashboardUrl: null,
     clientIdPlaceholder: null,
+    logoUrl: null,
     requiresClientSecret: 1,
     loopbackPort: null,
     injectionTemplates: null,
@@ -82,7 +87,7 @@ describe("verifyIdentity", () => {
   // Missing identity URL
   // -----------------------------------------------------------------------
   test("returns undefined when identityUrl is null", async () => {
-    const row = makeProviderRow({ providerKey: "custom" });
+    const row = makeProviderRow({ provider: "custom" });
     const result = await verifyIdentity(row, "token-abc");
     expect(result).toBeUndefined();
     expect(mockFetch).not.toHaveBeenCalled();
@@ -93,7 +98,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Google pattern", () => {
     const googleRow = makeProviderRow({
-      providerKey: "google",
+      provider: "google",
       identityUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
       identityResponsePaths: JSON.stringify(["email"]),
     });
@@ -127,7 +132,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Slack pattern", () => {
     const slackRow = makeProviderRow({
-      providerKey: "slack",
+      provider: "slack",
       identityUrl: "https://slack.com/api/auth.test",
       identityOkField: "ok",
       identityResponsePaths: JSON.stringify(["user", "team"]),
@@ -176,7 +181,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("HubSpot pattern", () => {
     const hubspotRow = makeProviderRow({
-      providerKey: "hubspot",
+      provider: "hubspot",
       identityUrl:
         "https://api.hubapi.com/oauth/v1/access-tokens/${accessToken}",
       identityResponsePaths: JSON.stringify(["user", "hub_domain"]),
@@ -219,7 +224,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Linear pattern", () => {
     const linearRow = makeProviderRow({
-      providerKey: "linear",
+      provider: "linear",
       identityUrl: "https://api.linear.app/graphql",
       identityMethod: "POST",
       identityHeaders: JSON.stringify({ "Content-Type": "application/json" }),
@@ -272,7 +277,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Todoist pattern", () => {
     const todoistRow = makeProviderRow({
-      providerKey: "todoist",
+      provider: "todoist",
       identityUrl: "https://api.todoist.com/sync/v9/sync",
       identityMethod: "POST",
       identityHeaders: JSON.stringify({
@@ -317,7 +322,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Twitter pattern", () => {
     const twitterRow = makeProviderRow({
-      providerKey: "twitter",
+      provider: "twitter",
       identityUrl: "https://api.x.com/2/users/me",
       identityResponsePaths: JSON.stringify(["data.username"]),
       identityFormat: "@${data.username}",
@@ -338,7 +343,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("GitHub pattern", () => {
     const githubRow = makeProviderRow({
-      providerKey: "github",
+      provider: "github",
       identityUrl: "https://api.github.com/user",
       identityResponsePaths: JSON.stringify(["login"]),
       identityFormat: "@${login}",
@@ -357,7 +362,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Notion pattern", () => {
     const notionRow = makeProviderRow({
-      providerKey: "notion",
+      provider: "notion",
       identityUrl: "https://api.notion.com/v1/users/me",
       identityHeaders: JSON.stringify({ "Notion-Version": "2022-06-28" }),
       identityResponsePaths: JSON.stringify(["name", "person.email"]),
@@ -392,7 +397,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("error handling", () => {
     const googleRow = makeProviderRow({
-      providerKey: "google",
+      provider: "google",
       identityUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
       identityResponsePaths: JSON.stringify(["email"]),
     });
@@ -431,7 +436,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Dropbox pattern", () => {
     const dropboxRow = makeProviderRow({
-      providerKey: "dropbox",
+      provider: "dropbox",
       identityUrl: "https://api.dropboxapi.com/2/users/get_current_account",
       identityMethod: "POST",
       identityResponsePaths: JSON.stringify(["name.display_name", "email"]),

package/src/oauth/__tests__/seed-providers-managed.test.ts

@@ -0,0 +1,32 @@
+import { describe, expect, test } from "bun:test";
+
+import { ServicesSchema } from "../../config/schemas/services.js";
+import { PROVIDER_SEED_DATA } from "../seed-providers.js";
+
+describe("PROVIDER_SEED_DATA managed mode wiring", () => {
+  test("github provider is wired up for managed mode", () => {
+    const github = PROVIDER_SEED_DATA.github;
+    expect(github).toBeDefined();
+    expect(github.managedServiceConfigKey).toBe("github-oauth");
+    expect("github-oauth" in ServicesSchema.shape).toBe(true);
+  });
+
+  test("every managedServiceConfigKey resolves to a ServicesSchema key", () => {
+    // Cross-repo invariant: a provider with managedServiceConfigKey but no
+    // matching ServicesSchema entry silently falls back to BYO mode in
+    // connection-resolver.ts. This test guards against that drift.
+    const offenders: Array<{ provider: string; key: string }> = [];
+    for (const [provider, seed] of Object.entries(PROVIDER_SEED_DATA)) {
+      const key = seed.managedServiceConfigKey;
+      if (key && !(key in ServicesSchema.shape)) {
+        offenders.push({ provider, key });
+      }
+    }
+    expect(offenders).toEqual([]);
+  });
+
+  test("github managed service schema defaults to your-own", () => {
+    const parsed = ServicesSchema.shape["github-oauth"].parse({});
+    expect(parsed.mode).toBe("your-own");
+  });
+});

package/src/oauth/byo-connection.test.ts

@@ -72,7 +72,7 @@ const mockConnections = new Map<
   string,
   {
     id: string;
-    providerKey: string;
+    provider: string;
     oauthAppId: string;
     expiresAt: number | null;
     grantedScopes?: string;
@@ -83,7 +83,7 @@ const mockApps = new Map<
   string,
   {
     id: string;
-    providerKey: string;
+    provider: string;
     clientId: string;
     clientSecretCredentialPath: string;
   }
@@ -92,7 +92,7 @@ const mockProviders = new Map<
   string,
   {
     key: string;
-    tokenUrl: string;
+    tokenExchangeUrl: string;
     tokenEndpointAuthMethod?: string;
     baseUrl?: string;
   }
@@ -192,7 +192,7 @@ async function setupCredential(
   const connId = `conn-${service}`;
   mockProviders.set(service, {
     key: service,
-    tokenUrl: "https://oauth2.googleapis.com/token",
+    tokenExchangeUrl: "https://oauth2.googleapis.com/token",
     // Only well-known providers (gmail) have a baseUrl; custom services don't
     baseUrl:
       service === "google"
@@ -201,13 +201,13 @@ async function setupCredential(
   });
   mockApps.set(appId, {
     id: appId,
-    providerKey: service,
+    provider: service,
     clientId: "test-client-id",
     clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
   });
   mockConnections.set(service, {
     id: connId,
-    providerKey: service,
+    provider: service,
     oauthAppId: appId,
     expiresAt: opts?.expiresAt ?? Date.now() + 3600 * 1000,
     grantedScopes: JSON.stringify(opts?.grantedScopes ?? ["read", "write"]),
@@ -233,7 +233,7 @@ async function setupCredential(
 function createConnection(service = "google"): BYOOAuthConnection {
   return new BYOOAuthConnection({
     id: `conn-${service}`,
-    providerKey: service,
+    provider: service,
     baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
     accountInfo: null,
   });
@@ -497,7 +497,7 @@ describe("resolveOAuthConnection", () => {
     const conn = await resolveOAuthConnection("google");
 
     expect(conn).toBeInstanceOf(BYOOAuthConnection);
-    expect(conn.providerKey).toBe("google");
+    expect(conn.provider).toBe("google");
   });
 
   test("throws when no credential metadata exists", async () => {

package/src/oauth/byo-connection.ts

@@ -22,28 +22,28 @@ const REQUEST_TIMEOUT_MS = 30_000;
 
 export interface BYOOAuthConnectionOptions {
   id: string;
-  providerKey: string;
+  provider: string;
   baseUrl: string;
   accountInfo: string | null;
 }
 
 export class BYOOAuthConnection implements OAuthConnection {
   readonly id: string;
-  readonly providerKey: string;
+  readonly provider: string;
   readonly accountInfo: string | null;
 
   private readonly baseUrl: string;
 
   constructor(opts: BYOOAuthConnectionOptions) {
     this.id = opts.id;
-    this.providerKey = opts.providerKey;
+    this.provider = opts.provider;
     this.baseUrl = opts.baseUrl;
     this.accountInfo = opts.accountInfo;
   }
 
   async request(req: OAuthConnectionRequest): Promise<OAuthConnectionResponse> {
     return withValidToken(
-      this.providerKey,
+      this.provider,
       async (token) => {
         const effectiveBaseUrl = req.baseUrl ?? this.baseUrl;
         let fullUrl = `${effectiveBaseUrl}${req.path}`;
@@ -61,7 +61,7 @@ export class BYOOAuthConnection implements OAuthConnection {
         }
 
         log.debug(
-          { method: req.method, url: fullUrl, provider: this.providerKey },
+          { method: req.method, url: fullUrl, provider: this.provider },
           "Making authenticated request",
         );
 
@@ -88,7 +88,7 @@ export class BYOOAuthConnection implements OAuthConnection {
         if (resp.status === 401) {
           // Throw with a status property so withValidToken detects the 401
           // and triggers its refresh-and-retry logic.
-          const err = new Error(`HTTP 401 from ${this.providerKey}`);
+          const err = new Error(`HTTP 401 from ${this.provider}`);
           (err as Error & { status: number }).status = 401;
           throw err;
         }
@@ -100,7 +100,7 @@ export class BYOOAuthConnection implements OAuthConnection {
   }
 
   async withToken<T>(fn: (token: string) => Promise<T>): Promise<T> {
-    return withValidToken(this.providerKey, fn, {
+    return withValidToken(this.provider, fn, {
       connectionId: this.id,
     });
   }