@vellumai/assistant 0.6.1 → 0.6.3

package/src/runtime/auth/__tests__/middleware.test.ts

@@ -34,7 +34,15 @@ mock.module("../../../config/env.js", () => ({
 }));
 
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../../assistant-scope.js";
-import { authenticateRequest } from "../middleware.js";
+import {
+  mintHostBrowserCapability,
+  resetCapabilityTokenSecretForTests,
+  setCapabilityTokenSecretForTests,
+} from "../../capability-tokens.js";
+import {
+  authenticateHostBrowserResultRequest,
+  authenticateRequest,
+} from "../middleware.js";
 import { initAuthSigningKey, mintToken } from "../token-service.js";
 import type { ScopeProfile, TokenAudience } from "../types.js";
 
@@ -262,3 +270,110 @@ describe("authenticateRequest", () => {
     }
   });
 });
+
+// ---------------------------------------------------------------------------
+// authenticateHostBrowserResultRequest — capability-token-aware auth for the
+// /v1/host-browser-result POST route. Verifies that both the capability-token
+// and JWT paths are accepted, and that a garbage bearer falls through to the
+// JWT path and emits a 401 like any other invalid token.
+// ---------------------------------------------------------------------------
+
+describe("authenticateHostBrowserResultRequest", () => {
+  const CAPABILITY_SECRET = Buffer.alloc(32, 7);
+
+  beforeEach(() => {
+    // Pin the capability-token HMAC secret so mint/verify agree across
+    // the test run. The module-level secret cache is reset between
+    // tests so dev-bypass flipping doesn't leak stale state.
+    setCapabilityTokenSecretForTests(CAPABILITY_SECRET);
+  });
+
+  afterAll(() => {
+    resetCapabilityTokenSecretForTests();
+  });
+
+  test("accepts a valid capability token and synthesizes an actor AuthContext", () => {
+    const { token } = mintHostBrowserCapability("guardian-cap-happy");
+    const req = new Request("http://localhost/v1/host-browser-result", {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}` },
+    });
+
+    const result = authenticateHostBrowserResultRequest(req);
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.context.principalType).toBe("actor");
+      expect(result.context.assistantId).toBe(DAEMON_INTERNAL_ASSISTANT_ID);
+      expect(result.context.actorPrincipalId).toBe("guardian-cap-happy");
+      expect(result.context.scopeProfile).toBe("actor_client_v1");
+      // The synthetic context must carry the scopes the route policy
+      // requires — otherwise the router would 403 the POST even though
+      // auth succeeded.
+      expect(result.context.scopes.has("approval.write")).toBe(true);
+    }
+  });
+
+  test("accepts a valid daemon-audience JWT (regression for the legacy path)", () => {
+    const token = mintValidToken({ sub: "actor:self:jwt-principal" });
+    const req = new Request("http://localhost/v1/host-browser-result", {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}` },
+    });
+
+    const result = authenticateHostBrowserResultRequest(req);
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.context.principalType).toBe("actor");
+      expect(result.context.actorPrincipalId).toBe("jwt-principal");
+      expect(result.context.scopes.has("approval.write")).toBe(true);
+    }
+  });
+
+  test("returns 401 when the Authorization header is missing entirely", () => {
+    const req = new Request("http://localhost/v1/host-browser-result", {
+      method: "POST",
+    });
+
+    const result = authenticateHostBrowserResultRequest(req);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.response.status).toBe(401);
+    }
+  });
+
+  test("malformed bearer falls through to JWT path and 401s", () => {
+    // A bearer that is neither a valid capability token (bad HMAC) nor a
+    // parseable JWT must fail the JWT path and return 401. This is the
+    // primary regression guard against someone accidentally making the
+    // capability-token branch "allow-anything" by swallowing
+    // verification failures.
+    const req = new Request("http://localhost/v1/host-browser-result", {
+      method: "POST",
+      headers: { Authorization: "Bearer not-a-token.xxxxxxxxxxxxx" },
+    });
+
+    const result = authenticateHostBrowserResultRequest(req);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.response.status).toBe(401);
+    }
+  });
+
+  test("dev bypass returns synthetic AuthContext without Authorization header", () => {
+    authDisabled = true;
+
+    const req = new Request("http://localhost/v1/host-browser-result", {
+      method: "POST",
+    });
+
+    const result = authenticateHostBrowserResultRequest(req);
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      // Same synthetic context shape as authenticateRequest's dev
+      // bypass — the tests share the same invariant because a single
+      // helper builds both.
+      expect(result.context.principalType).toBe("actor");
+      expect(result.context.actorPrincipalId).toBe("dev-bypass");
+    }
+  });
+});

package/src/runtime/auth/__tests__/route-policy.test.ts

@@ -168,6 +168,14 @@ describe("enforcePolicy", () => {
     expect(policy!.requiredScopes).toContain("approval.write");
   });
 
+  test("conversation host-access write requires approval.write scope", () => {
+    authDisabled = false;
+    const policy = getPolicy("conversations/host-access");
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toContain("approval.write");
+    expect(policy!.requiredScopes).not.toContain("chat.write");
+  });
+
   test("events endpoint requires chat.read scope", () => {
     authDisabled = false;
     const policy = getPolicy("events");

package/src/runtime/auth/middleware.ts

@@ -25,6 +25,7 @@
 import { isHttpAuthDisabled } from "../../config/env.js";
 import { getLogger } from "../../util/logger.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
+import { verifyHostBrowserCapability } from "../capability-tokens.js";
 import { extractBearerToken } from "../middleware/auth.js";
 import { buildAuthContext } from "./context.js";
 import { resolveScopeProfile } from "./scopes.js";
@@ -186,3 +187,100 @@ export function authenticateRequest(req: Request): AuthenticateResult {
 
   return { ok: true, context: contextResult.context };
 }
+
+// ---------------------------------------------------------------------------
+// Capability-token-aware auth for /v1/host-browser-result
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a synthetic AuthContext from a verified host_browser capability
+ * claim. The resulting context is shaped to look like an
+ * `actor_client_v1` actor so downstream route policy (which requires
+ * `approval.write`) and `requireBoundGuardian` (which compares
+ * `actorPrincipalId` against the bound guardian) both accept it.
+ *
+ * The capability token already carries its own HMAC-checked expiry, so
+ * there is no policy-epoch gate to apply here — we pin `policyEpoch` to
+ * `Number.MAX_SAFE_INTEGER` the same way the dev-bypass context does.
+ */
+function buildCapabilityAuthContext(guardianId: string): AuthContext {
+  return {
+    subject: `actor:${DAEMON_INTERNAL_ASSISTANT_ID}:${guardianId}`,
+    principalType: "actor",
+    assistantId: DAEMON_INTERNAL_ASSISTANT_ID,
+    actorPrincipalId: guardianId,
+    scopeProfile: "actor_client_v1",
+    scopes: resolveScopeProfile("actor_client_v1"),
+    policyEpoch: Number.MAX_SAFE_INTEGER,
+  };
+}
+
+/**
+ * Authenticate a request that is allowed to present either a JWT or a
+ * host_browser capability token. This is the auth entry point for
+ * `/v1/host-browser-result` POST specifically — the chrome extension
+ * stores a capability token (minted by the
+ * `/v1/browser-extension-pair` flow) rather than a daemon JWT, so the
+ * POST fallback used when the `/v1/browser-relay` WebSocket is
+ * unavailable would otherwise 401 through the JWT-only
+ * `authenticateRequest` path.
+ *
+ * Order of operations (mirrors `handleBrowserRelayUpgrade`):
+ *   1. Extract the bearer token. Missing header → 401.
+ *   2. Try `verifyHostBrowserCapability(token)` first. If it succeeds,
+ *      derive `guardianId` from the capability claims and synthesize an
+ *      AuthContext.
+ *   3. Otherwise fall through to the standard JWT path so daemon-minted
+ *      JWTs (gateway-proxied or direct) continue to work as a
+ *      regression-safe compatibility path.
+ *
+ * Dev bypass (`isHttpAuthDisabled()`) is honored the same way as
+ * `authenticateRequest` — we delegate to it directly to pick up the
+ * shared synthetic dev-bypass context.
+ */
+export function authenticateHostBrowserResultRequest(
+  req: Request,
+): AuthenticateResult {
+  if (isHttpAuthDisabled()) {
+    return { ok: true, context: buildDevBypassContext() };
+  }
+
+  const rawToken = extractBearerToken(req);
+  if (!rawToken) {
+    log.warn(
+      { reason: "missing_token", path: "/v1/host-browser-result" },
+      "Host browser result auth denied: missing Authorization header",
+    );
+    return {
+      ok: false,
+      response: Response.json(
+        {
+          error: {
+            code: "UNAUTHORIZED",
+            message: "Missing Authorization header",
+          },
+        },
+        { status: 401 },
+      ),
+    };
+  }
+
+  // 1) Capability-token path (self-hosted default). The chrome
+  //    extension presents the token it received from the native
+  //    messaging pair flow. We derive `actorPrincipalId` from the
+  //    capability claims directly — the claims are HMAC-signed by the
+  //    same daemon so there is no cross-tenant risk.
+  const capabilityClaims = verifyHostBrowserCapability(rawToken);
+  if (capabilityClaims) {
+    return {
+      ok: true,
+      context: buildCapabilityAuthContext(capabilityClaims.guardianId),
+    };
+  }
+
+  // 2) JWT compatibility path. Fall back to the existing daemon/gateway
+  //    JWT verification so cloud callers and any legacy self-hosted
+  //    clients still holding a daemon JWT continue to work. Any 401
+  //    emitted here already includes the JWT-specific reason.
+  return authenticateRequest(req);
+}

package/src/runtime/auth/route-policy.ts

@@ -133,6 +133,8 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "conversations/analyze", scopes: ["chat.write"] },
   { endpoint: "conversations/switch", scopes: ["chat.write"] },
   { endpoint: "conversations/name", scopes: ["chat.write"] },
+  { endpoint: "conversations/host-access:GET", scopes: ["chat.read"] },
+  { endpoint: "conversations/host-access", scopes: ["approval.write"] },
   { endpoint: "conversations/cancel", scopes: ["chat.write"] },
   { endpoint: "conversations/undo", scopes: ["chat.write"] },
   { endpoint: "conversations/regenerate", scopes: ["chat.write"] },
@@ -148,6 +150,7 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "secret", scopes: ["approval.write"] },
   { endpoint: "trust-rules", scopes: ["approval.write"] },
   { endpoint: "host-bash-result", scopes: ["approval.write"] },
+  { endpoint: "host-browser-result", scopes: ["approval.write"] },
   { endpoint: "host-cu-result", scopes: ["approval.write"] },
   { endpoint: "host-file-result", scopes: ["approval.write"] },
   { endpoint: "pending-interactions", scopes: ["approval.read"] },
@@ -381,10 +384,6 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Queued message deletion
   { endpoint: "messages/queued", scopes: ["chat.write"] },
 
-  // Browser relay
-  { endpoint: "browser-relay/status", scopes: ["settings.read"] },
-  { endpoint: "browser-relay/command", scopes: ["settings.write"] },
-
   // Interfaces
   { endpoint: "interfaces", scopes: ["settings.read"] },
 
@@ -482,9 +481,9 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "tools", scopes: ["settings.read"] },
   { endpoint: "tools/simulate-permission", scopes: ["settings.read"] },
 
-  // Permission mode
-  { endpoint: "permission-mode:GET", scopes: ["settings.read"] },
-  { endpoint: "permission-mode", scopes: ["settings.write"] },
+  // Browser CDP shim — backs the `assistant browser chrome relay` CLI used
+  // by the in-tree Amazon and Influencer skills.
+  { endpoint: "browser-cdp", scopes: ["settings.write"] },
 ];
 
 for (const { endpoint, scopes } of ACTOR_ENDPOINTS) {

package/src/runtime/auth/token-service.ts

@@ -171,6 +171,14 @@ export function isSigningKeyInitialized(): boolean {
   return _authSigningKey !== undefined;
 }
 
+/**
+ * Reset the signing key to undefined. **Test-only** — used to simulate a
+ * fresh CLI subprocess where initAuthSigningKey() was never called.
+ */
+export function _resetSigningKeyForTesting(): void {
+  _authSigningKey = undefined;
+}
+
 /**
  * Returns a short hex fingerprint of the current signing key.
  * Used by assistant_status to let clients detect instance switches.