@vellumai/assistant 0.6.1 → 0.6.3

package/src/oauth/platform-connection.test.ts

@@ -27,7 +27,7 @@ function makeMockClient(
     fetch: mock(async (path: string, init?: RequestInit) => {
       const url = `https://platform.example.com${path}`;
       const headers = new Headers(init?.headers);
-      headers.set("Authorization", "Api-Key test-api-key");
+      headers.set("Authorization", "Bearer test-api-key");
       return mockFetchFn(url, { ...init, headers });
     }),
   } as unknown as VellumPlatformClient;
@@ -35,7 +35,7 @@ function makeMockClient(
 
 const DEFAULT_OPTIONS = {
   id: "conn-1",
-  providerKey: "google",
+  provider: "google",
   externalId: "ext-123",
   accountInfo: "user@example.com",
   client: makeMockClient(),
@@ -53,7 +53,7 @@ describe("PlatformOAuthConnection", () => {
         );
         expect(init?.method).toBe("POST");
         const headers = new Headers(init?.headers);
-        expect(headers.get("Authorization")).toBe("Api-Key test-api-key");
+        expect(headers.get("Authorization")).toBe("Bearer test-api-key");
         expect(headers.get("Content-Type")).toBe("application/json");
 
         const parsed = JSON.parse(init?.body as string);
@@ -226,7 +226,7 @@ describe("PlatformOAuthConnection", () => {
     );
   });
 
-  test("uses connectionId in proxy URL regardless of providerKey format", async () => {
+  test("uses connectionId in proxy URL regardless of provider format", async () => {
     const client = makeMockClient(
       mock(async (url: string | URL | Request) => {
         expect(String(url)).toContain(
@@ -242,7 +242,7 @@ describe("PlatformOAuthConnection", () => {
     const conn = new PlatformOAuthConnection({
       ...DEFAULT_OPTIONS,
       client,
-      providerKey: "slack",
+      provider: "slack",
       connectionId: "slack-conn-456",
     });
     await conn.request({ method: "GET", path: "/test" });

package/src/oauth/platform-connection.ts

@@ -22,7 +22,7 @@ export class ProviderUnreachableError extends BackendError {
 
 export interface PlatformOAuthConnectionOptions {
   id: string;
-  providerKey: string;
+  provider: string;
   externalId: string;
   accountInfo: string | null;
   client: VellumPlatformClient;
@@ -35,7 +35,7 @@ export interface PlatformOAuthConnectionOptions {
 
 export class PlatformOAuthConnection implements OAuthConnection {
   readonly id: string;
-  readonly providerKey: string;
+  readonly provider: string;
   readonly externalId: string;
   readonly accountInfo: string | null;
 
@@ -46,13 +46,13 @@ export class PlatformOAuthConnection implements OAuthConnection {
   constructor(options: PlatformOAuthConnectionOptions) {
     if (!options.connectionId) {
       throw new BackendError(
-        `Platform-managed connection for "${options.providerKey}" cannot be created: missing connection ID. ` +
+        `Platform-managed connection for "${options.provider}" cannot be created: missing connection ID. ` +
           `Log in to the Vellum platform or switch to using your own OAuth app.`,
       );
     }
 
     this.id = options.id;
-    this.providerKey = options.providerKey;
+    this.provider = options.provider;
     this.externalId = options.externalId;
     this.accountInfo = options.accountInfo;
     this.client = options.client;

package/src/oauth/provider-serializer.ts

@@ -30,6 +30,7 @@ export interface SerializedProviderSummary {
   dashboard_url: string | null;
   client_id_placeholder: string | null;
   requires_client_secret: boolean;
+  logo_url: string | null;
   supports_managed_mode: boolean;
   feature_flag: string | null;
 }
@@ -58,19 +59,43 @@ function _serializeProvider(
   row: OAuthProviderRow,
   options?: { redirectUri?: string | null },
 ) {
+  // Destructure the renamed Drizzle TS-side fields out of the row so they
+  // do not leak into the spread below. The wire format intentionally keeps
+  // the legacy camelCase keys (`providerKey`, `authUrl`, `tokenUrl`,
+  // `displayName`, `extraParams`) so existing CLI script consumers and any
+  // other clients that parse this output don't break. The renamed fields
+  // are emitted explicitly under their old names instead.
+  const {
+    provider,
+    authorizeUrl,
+    tokenExchangeUrl,
+    displayLabel,
+    authorizeParams,
+    ...rest
+  } = row;
   return {
-    ...row,
-    displayName: row.displayName ?? null,
+    ...rest,
+    providerKey: provider,
+    authUrl: authorizeUrl,
+    tokenUrl: tokenExchangeUrl,
+    refreshUrl: row.refreshUrl ?? null,
+    displayName: displayLabel ?? null,
     description: row.description ?? null,
     dashboardUrl: row.dashboardUrl ?? null,
+    logoUrl: row.logoUrl ?? null,
     clientIdPlaceholder: row.clientIdPlaceholder ?? null,
     requiresClientSecret: !!(row.requiresClientSecret ?? 1),
     supportsManagedMode: !!row.managedServiceConfigKey,
     defaultScopes: row.defaultScopes ? JSON.parse(row.defaultScopes) : [],
     scopePolicy: row.scopePolicy ? JSON.parse(row.scopePolicy) : {},
-    extraParams: row.extraParams ? JSON.parse(row.extraParams) : null,
+    scopeSeparator: row.scopeSeparator,
+    extraParams: authorizeParams ? JSON.parse(authorizeParams) : null,
     pingHeaders: row.pingHeaders ? JSON.parse(row.pingHeaders) : null,
     pingBody: row.pingBody ? JSON.parse(row.pingBody) : null,
+    revokeUrl: row.revokeUrl || null,
+    revokeBodyTemplate: row.revokeBodyTemplate
+      ? JSON.parse(row.revokeBodyTemplate)
+      : null,
     loopbackPort: row.loopbackPort ?? null,
     injectionTemplates: row.injectionTemplates
       ? JSON.parse(row.injectionTemplates)
@@ -107,12 +132,13 @@ export function serializeProviderSummary(
 ): SerializedProviderSummary | null {
   if (!row) return null;
   return {
-    provider_key: row.providerKey,
-    display_name: row.displayName ?? null,
+    provider_key: row.provider,
+    display_name: row.displayLabel ?? null,
     description: row.description ?? null,
     dashboard_url: row.dashboardUrl ?? null,
     client_id_placeholder: row.clientIdPlaceholder ?? null,
     requires_client_secret: !!(row.requiresClientSecret ?? 1),
+    logo_url: row.logoUrl ?? null,
     supports_managed_mode: !!row.managedServiceConfigKey,
     feature_flag: row.featureFlag ?? null,
   };

package/src/oauth/revoke.ts

@@ -0,0 +1,76 @@
+/**
+ * Best-effort upstream OAuth token revocation.
+ *
+ * Mirrors the platform's `try_revoke_token` (django/app/assistant/oauth/providers/base.py).
+ * The HTTP shape is fixed: POST + application/x-www-form-urlencoded body, no auth headers
+ * (credentials are expected to live in the body via {access_token}/{client_id} substitution),
+ * 10 second timeout, all errors swallowed and logged as warnings.
+ *
+ * The body template grammar supports two substitution variables:
+ * - `{access_token}` — replaced with the connection's access token
+ * - `{client_id}` — replaced with the OAuth app's client ID
+ *
+ * Non-string template values are coerced via String(value), matching platform's str(value)
+ * fallback. Substitution replaces ALL occurrences of each placeholder within a value
+ * (matching Python's str.replace default) and preserves literal semantics for replacement
+ * text (no $-pattern expansion). Returns void on every path — callers must NOT depend on
+ * the upstream result.
+ */
+
+import { getLogger } from "../util/logger.js";
+
+const log = getLogger("oauth-revoke");
+
+const REVOKE_TIMEOUT_MS = 10_000;
+
+export async function tryRevokeOAuthToken(params: {
+  provider: string;
+  revokeUrl: string;
+  bodyTemplate: Record<string, unknown> | null;
+  accessToken: string;
+  clientId: string;
+}): Promise<void> {
+  const { provider, revokeUrl, bodyTemplate, accessToken, clientId } = params;
+
+  // Build the substituted body. An empty/null template still produces an empty
+  // body, which is a valid request shape — some revoke endpoints accept an empty
+  // body and rely on the URL alone (we still POST per spec).
+  const body: Record<string, string> = {};
+  if (bodyTemplate) {
+    for (const [key, value] of Object.entries(bodyTemplate)) {
+      if (typeof value === "string") {
+        // Use .replaceAll with function callbacks to:
+        // 1. Replace ALL occurrences (matching Python's str.replace default).
+        // 2. Bypass String.replace's $-pattern expansion (e.g. $&, $', $`, $$),
+        //    so an access token containing "$&" substitutes literally.
+        // This mirrors platform's str.replace() semantics character-for-character.
+        body[key] = value
+          .replaceAll("{access_token}", () => accessToken)
+          .replaceAll("{client_id}", () => clientId);
+      } else {
+        body[key] = String(value);
+      }
+    }
+  }
+
+  try {
+    const resp = await fetch(revokeUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams(body),
+      signal: AbortSignal.timeout(REVOKE_TIMEOUT_MS),
+    });
+    if (!resp.ok) {
+      log.warn(
+        { provider, status: resp.status, revokeUrl },
+        "Upstream OAuth revoke returned non-2xx (best-effort, ignoring)",
+      );
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.warn(
+      { provider, revokeUrl, err: message },
+      "Failed to revoke OAuth token upstream (best-effort, ignoring)",
+    );
+  }
+}