@vellumai/assistant 0.6.1 → 0.6.3

package/src/oauth/connect-orchestrator.ts

@@ -23,10 +23,7 @@
 import type { TokenEndpointAuthMethod } from "../security/oauth2.js";
 import { prepareOAuth2Flow, startOAuth2Flow } from "../security/oauth2.js";
 import { getLogger } from "../util/logger.js";
-import type {
-  OAuthConnectResult,
-  OAuthScopePolicy,
-} from "./connect-types.js";
+import type { OAuthConnectResult, OAuthScopePolicy } from "./connect-types.js";
 import { verifyIdentity } from "./identity-verifier.js";
 import { getProvider } from "./oauth-store.js";
 import { resolveScopes } from "./scope-policy.js";
@@ -98,7 +95,7 @@ export interface OAuthConnectOptions {
  *
  * Returns a discriminated result:
  * - Interactive success: `{ success: true, deferred: false, grantedScopes, accountInfo }`
- * - Deferred success:    `{ success: true, deferred: true, authUrl, state, service }`
+ * - Deferred success:    `{ success: true, deferred: true, authorizeUrl, state, service }`
  * - Error:               `{ success: false, error }`
  */
 export async function orchestrateOAuthConnect(
@@ -137,15 +134,15 @@ export async function orchestrateOAuthConnect(
       forbiddenScopes: [],
     },
   );
-  const dbExtraParams = safeJsonParse<Record<string, string> | undefined>(
-    providerRow.extraParams,
+  const dbAuthorizeParams = safeJsonParse<Record<string, string> | undefined>(
+    providerRow.authorizeParams,
     undefined,
   );
 
   // Resolve all protocol-level config from the DB
-  const authUrl = providerRow.authUrl;
-  const tokenUrl = providerRow.tokenUrl;
-  const extraParams = dbExtraParams;
+  const authorizeUrl = providerRow.authorizeUrl;
+  const tokenExchangeUrl = providerRow.tokenExchangeUrl;
+  const authorizeParams = dbAuthorizeParams;
   const userinfoUrl = providerRow.userinfoUrl ?? undefined;
   const tokenEndpointAuthMethod = providerRow.tokenEndpointAuthMethod as
     | TokenEndpointAuthMethod
@@ -173,14 +170,14 @@ export async function orchestrateOAuthConnect(
   }
   const finalScopes = scopeResult.scopes;
 
-  if (!authUrl) {
+  if (!authorizeUrl) {
     return {
       success: false,
       error: "auth_url is required (no well-known config for this service)",
       safeError: true,
     };
   }
-  if (!tokenUrl) {
+  if (!tokenExchangeUrl) {
     return {
       success: false,
       error: "token_url is required (no well-known config for this service)",
@@ -191,24 +188,25 @@ export async function orchestrateOAuthConnect(
   log.info(
     {
       service: options.service,
-      authUrl,
-      tokenUrl,
+      authorizeUrl,
+      tokenExchangeUrl,
       scopeCount: finalScopes.length,
       callbackTransport,
       loopbackPort,
-      hasClientSecret: !!options.clientSecret,
+      hasSecret: !!options.clientSecret,
       clientIdPrefix: options.clientId.substring(0, 12) + "…",
     },
     "orchestrateOAuthConnect: resolved provider config",
   );
 
   const oauthConfig = {
-    authUrl,
-    tokenUrl,
+    authorizeUrl,
+    tokenExchangeUrl,
     scopes: finalScopes,
+    scopeSeparator: providerRow.scopeSeparator,
     clientId: options.clientId,
     clientSecret: options.clientSecret,
-    extraParams,
+    authorizeParams,
     userinfoUrl,
     tokenEndpointAuthMethod,
   };
@@ -308,7 +306,7 @@ export async function orchestrateOAuthConnect(
       return {
         success: true,
         deferred: true,
-        authUrl: prepared.authUrl,
+        authorizeUrl: prepared.authorizeUrl,
         state: prepared.state,
         service: options.service,
       };
@@ -344,14 +342,18 @@ export async function orchestrateOAuthConnect(
             log.info("orchestrateOAuthConnect: using options.openUrl");
             options.openUrl(url);
           } else if (options.sendToClient) {
-            log.info("orchestrateOAuthConnect: using sendToClient with open_url event");
+            log.info(
+              "orchestrateOAuthConnect: using sendToClient with open_url event",
+            );
             options.sendToClient({
               type: "open_url",
               url,
               title: `Connect ${options.service}`,
             });
           } else {
-            log.warn("orchestrateOAuthConnect: no openUrl or sendToClient available — auth URL will not reach the user");
+            log.warn(
+              "orchestrateOAuthConnect: no openUrl or sendToClient available — auth URL will not reach the user",
+            );
           }
         },
       },

package/src/oauth/connect-types.ts

@@ -4,8 +4,8 @@
  * These types are consumed by the token persistence module and the
  * credential vault orchestrator.
  *
- * All provider configuration — protocol-level OAuth config (authUrl,
- * tokenUrl, scopes, etc.) as well as behavioral config (identity
+ * All provider configuration — protocol-level OAuth config (authorizeUrl,
+ * tokenExchangeUrl, scopes, etc.) as well as behavioral config (identity
  * verification, injection templates, setup metadata) — is now stored
  * exclusively in the `oauth_providers` SQLite table and seeded on
  * startup via `seed-providers.ts`.
@@ -47,7 +47,7 @@ export interface OAuthConnectInteractiveResult {
 export interface OAuthConnectDeferredResult {
   success: true;
   deferred: true;
-  authUrl: string;
+  authorizeUrl: string;
   state: string;
   service: string;
 }

package/src/oauth/connection-resolver.test.ts

@@ -79,13 +79,13 @@ function makeMockClient() {
 
 function setupDefaults(): void {
   mockProvider = {
-    providerKey: "google",
+    provider: "google",
     baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
     managedServiceConfigKey: null,
   };
   mockConnection = {
     id: "conn-1",
-    providerKey: "google",
+    provider: "google",
     oauthAppId: "app-1",
     accountInfo: "user@example.com",
     grantedScopes: JSON.stringify(["scope-a", "scope-b"]),
@@ -125,7 +125,7 @@ describe("resolveOAuthConnection", () => {
     const result = await resolveOAuthConnection("google");
     expect(result).toBeInstanceOf(BYOOAuthConnection);
     expect(result.id).toBe("conn-1");
-    expect(result.providerKey).toBe("google");
+    expect(result.provider).toBe("google");
   });
 
   test("returns PlatformOAuthConnection when managed mode is active", async () => {
@@ -134,7 +134,7 @@ describe("resolveOAuthConnection", () => {
     const result = await resolveOAuthConnection("google");
     expect(result).toBeInstanceOf(PlatformOAuthConnection);
     expect(result.id).toBe("google");
-    expect(result.providerKey).toBe("google");
+    expect(result.provider).toBe("google");
     expect(result.accountInfo).toBeNull();
   });
 
@@ -148,6 +148,19 @@ describe("resolveOAuthConnection", () => {
     expect(result.accountInfo).toBe("user@example.com");
   });
 
+  test("returns PlatformOAuthConnection when GitHub is in managed mode", async () => {
+    mockProvider!.provider = "github";
+    mockProvider!.managedServiceConfigKey = "github-oauth";
+    (mockConfig.services as Record<string, unknown>)["github-oauth"] = {
+      mode: "managed",
+    };
+
+    const result = await resolveOAuthConnection("github");
+    expect(result).toBeInstanceOf(PlatformOAuthConnection);
+    expect(result.id).toBe("github");
+    expect(result.provider).toBe("github");
+  });
+
   test("returns BYOOAuthConnection when service config mode is your-own", async () => {
     mockProvider!.managedServiceConfigKey = "google-oauth";
     (mockConfig.services as Record<string, unknown>)["google-oauth"] = {

package/src/oauth/connection-resolver.ts

@@ -29,7 +29,7 @@ export interface ResolveOAuthConnectionOptions {
  * BYO providers resolve from the local SQLite oauth-store and require an
  * active connection row and a stored access token.
  *
- * @param providerKey - Provider identifier (e.g. "google").
+ * @param provider - Provider identifier (e.g. "google").
  *   Maps to the `provider_key` primary key in the `oauth_providers` table.
  * @param options.clientId - Optional OAuth app client ID. When multiple BYO
  *   apps exist for the same provider, narrows the connection lookup to the
@@ -38,12 +38,12 @@ export interface ResolveOAuthConnectionOptions {
  *   multi-account connections.
  */
 export async function resolveOAuthConnection(
-  providerKey: string,
+  provider: string,
   options?: ResolveOAuthConnectionOptions,
 ): Promise<OAuthConnection> {
   const { clientId, account } = options ?? {};
-  const provider = getProvider(providerKey);
-  const managedKey = provider?.managedServiceConfigKey;
+  const providerRow = getProvider(provider);
+  const managedKey = providerRow?.managedServiceConfigKey;
 
   if (managedKey && managedKey in ServicesSchema.shape) {
     const services: Services = getConfig().services;
@@ -54,31 +54,31 @@ export async function resolveOAuthConnection(
           ? "missing platform prerequisites"
           : "missing assistant ID";
         throw new Error(
-          `Platform-managed connection for "${providerKey}" cannot be created: ${detail}. ` +
+          `Platform-managed connection for "${provider}" cannot be created: ${detail}. ` +
             `Log in to the Vellum platform or switch to using your own OAuth app.`,
         );
       }
 
       const connectionId = await resolvePlatformConnectionId({
         client,
-        provider: providerKey,
+        provider,
         account,
       });
 
       return new PlatformOAuthConnection({
-        id: providerKey,
-        providerKey,
-        externalId: providerKey,
+        id: provider,
+        provider,
+        externalId: provider,
         accountInfo: account ?? null,
         client,
         connectionId,
-        baseUrl: provider?.baseUrl ?? undefined,
+        baseUrl: providerRow?.baseUrl ?? undefined,
       });
     }
   }
 
   // BYO path — requires a local connection row, access token, and base URL.
-  const conn = getActiveConnection(providerKey, { clientId, account });
+  const conn = getActiveConnection(provider, { clientId, account });
   if (!conn) {
     const filters = [
       account && `account "${account}"`,
@@ -88,7 +88,7 @@ export async function resolveOAuthConnection(
       ? ` matching ${filters.join(" and ")}`
       : "";
     throw new Error(
-      `No active OAuth connection found for "${providerKey}"${qualifier}. Connect the service first with \`assistant oauth connect ${providerKey}\`.`,
+      `No active OAuth connection found for "${provider}"${qualifier}. Connect the service first with \`assistant oauth connect ${provider}\`.`,
     );
   }
 
@@ -97,20 +97,20 @@ export async function resolveOAuthConnection(
   );
   if (!accessToken) {
     throw new Error(
-      `OAuth connection for "${providerKey}" exists but has no access token. Re-authorize with \`assistant oauth connect ${providerKey}\`.`,
+      `OAuth connection for "${provider}" exists but has no access token. Re-authorize with \`assistant oauth connect ${provider}\`.`,
     );
   }
 
-  const baseUrl = provider?.baseUrl;
+  const baseUrl = providerRow?.baseUrl;
   if (!baseUrl) {
     throw new Error(
-      `OAuth provider "${providerKey}" has no base URL configured. Check provider setup.`,
+      `OAuth provider "${provider}" has no base URL configured. Check provider setup.`,
     );
   }
 
   return new BYOOAuthConnection({
     id: conn.id,
-    providerKey: conn.providerKey,
+    provider: conn.provider,
     baseUrl,
     accountInfo: conn.accountInfo,
   });

package/src/oauth/connection.ts

@@ -32,6 +32,6 @@ export interface OAuthConnection {
   withToken<T>(fn: (token: string) => Promise<T>): Promise<T>;
 
   readonly id: string;
-  readonly providerKey: string;
+  readonly provider: string;
   readonly accountInfo: string | null;
 }

package/src/oauth/manual-token-connection.ts

@@ -25,14 +25,14 @@ const MANUAL_TOKEN_CLIENT_ID = "manual-config";
  * Ensure an active oauth_connection row exists for the given manual-token
  * provider. Creates the synthetic oauth_app row on first use.
  *
- * @param providerKey - The provider key (e.g. "slack_channel", "telegram")
+ * @param provider - The provider key (e.g. "slack_channel", "telegram")
  * @param accountInfo - Optional account info to store (e.g. team name, bot username)
  */
 export async function ensureManualTokenConnection(
-  providerKey: string,
+  provider: string,
   accountInfo?: string,
 ): Promise<void> {
-  const existing = getConnectionByProvider(providerKey);
+  const existing = getConnectionByProvider(provider);
   if (existing) {
     // Update account info if provided
     if (accountInfo !== undefined) {
@@ -42,11 +42,11 @@ export async function ensureManualTokenConnection(
   }
 
   // Create synthetic app + connection
-  const app = await upsertApp(providerKey, MANUAL_TOKEN_CLIENT_ID);
+  const app = await upsertApp(provider, MANUAL_TOKEN_CLIENT_ID);
 
   createConnection({
     oauthAppId: app.id,
-    providerKey,
+    provider,
     accountInfo,
     grantedScopes: [],
     hasRefreshToken: false,
@@ -59,8 +59,8 @@ export async function ensureManualTokenConnection(
  * Note: This only removes the oauth_connection row. The caller is still
  * responsible for deleting the stored credentials separately.
  */
-export function removeManualTokenConnection(providerKey: string): void {
-  const conn = getConnectionByProvider(providerKey);
+export function removeManualTokenConnection(provider: string): void {
+  const conn = getConnectionByProvider(provider);
   if (!conn) return;
   deleteConnection(conn.id);
 }
@@ -73,10 +73,10 @@ export function removeManualTokenConnection(providerKey: string): void {
  * keep connection status in sync without duplicating per-provider rules.
  */
 export async function syncManualTokenConnection(
-  providerKey: string,
+  provider: string,
   accountInfo?: string,
 ): Promise<void> {
-  switch (providerKey) {
+  switch (provider) {
     case "telegram": {
       const hasBotToken = !!(await getSecureKeyAsync(
         credentialKey("telegram", "bot_token"),
@@ -85,9 +85,9 @@ export async function syncManualTokenConnection(
         credentialKey("telegram", "webhook_secret"),
       ));
       if (hasBotToken && hasWebhookSecret) {
-        await ensureManualTokenConnection(providerKey, accountInfo);
+        await ensureManualTokenConnection(provider, accountInfo);
       } else {
-        removeManualTokenConnection(providerKey);
+        removeManualTokenConnection(provider);
       }
       return;
     }
@@ -100,9 +100,9 @@ export async function syncManualTokenConnection(
         credentialKey("slack_channel", "app_token"),
       ));
       if (hasBotToken && hasAppToken) {
-        await ensureManualTokenConnection(providerKey, accountInfo);
+        await ensureManualTokenConnection(provider, accountInfo);
       } else {
-        removeManualTokenConnection(providerKey);
+        removeManualTokenConnection(provider);
       }
       return;
     }