@vellumai/assistant 0.6.1 → 0.6.3

package/src/runtime/routes/workspace-routes.test.ts

@@ -190,6 +190,28 @@ describe("isTextMimeType", () => {
     // A binary plist has a specific MIME type — extension should not override it
     expect(isTextMimeType("application/x-plist", "Info.plist")).toBe(false);
   });
+
+  test("application/octet-stream with .jsonl filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "messages.jsonl")).toBe(
+      true,
+    );
+  });
+
+  test("application/octet-stream with .ndjson filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "events.ndjson")).toBe(
+      true,
+    );
+  });
+
+  test("application/octet-stream with .JSONL uppercase is text", () => {
+    expect(isTextMimeType("application/octet-stream", "DATA.JSONL")).toBe(true);
+  });
+
+  test("application/octet-stream with .NDJSON uppercase is text", () => {
+    expect(isTextMimeType("application/octet-stream", "DATA.NDJSON")).toBe(
+      true,
+    );
+  });
 });
 
 // ===========================================================================

package/src/runtime/routes/workspace-routes.ts

@@ -120,7 +120,14 @@ function handleWorkspaceFile(ctx: RouteContext): Response {
   }
 
   const mimeType = Bun.file(resolved).type;
-  const isText = isTextMimeType(mimeType, basename(resolved));
+  // Empty files with unknown MIME type default to text — there is no binary
+  // content to protect, and files created via the UI "New File" action are
+  // always 0 bytes. Without this override, extensionless files (e.g. "Test")
+  // would be classified as binary and rendered in a non-editable fallback view.
+  const isText =
+    stat.size === 0 && mimeType === "application/octet-stream"
+      ? true
+      : isTextMimeType(mimeType, basename(resolved));
   const isBinary = !isText;
 
   let content: string | undefined = undefined;

package/src/runtime/routes/workspace-utils.ts

@@ -159,6 +159,8 @@ const TEXT_FILE_EXTENSIONS = new Set([
   "patch",
   "log",
   "lock",
+  "jsonl",
+  "ndjson",
 ]);
 
 export function isTextMimeType(mimeType: string, fileName?: string): boolean {

package/src/schedule/scheduler.ts

@@ -23,6 +23,7 @@ const log = getLogger("scheduler");
 
 export interface ScheduleMessageOptions {
   trustClass?: "guardian" | "trusted_contact" | "unknown";
+  taskRunId?: string;
 }
 
 export type ScheduleMessageProcessor = (
@@ -196,11 +197,12 @@ async function runScheduleOnce(
             source: "schedule",
             scheduleJobId: job.id,
           },
-          processMessage as (
-            conversationId: string,
-            message: string,
-            taskRunId: string,
-          ) => Promise<void>,
+          async (conversationId, message, taskRunId) => {
+            await processMessage(conversationId, message, {
+              trustClass: "guardian",
+              taskRunId,
+            });
+          },
         );
 
         onScheduleConversationCreated?.({

package/src/security/ces-credential-client.ts

@@ -190,6 +190,26 @@ export class CesCredentialBackend implements CredentialBackend {
     }
   }
 
+  async bulkSet(
+    credentials: Array<{ account: string; value: string }>,
+  ): Promise<Array<{ account: string; ok: boolean }>> {
+    try {
+      const res = await cesRequest("POST", "/v1/credentials/bulk", {
+        credentials,
+      });
+      if (!res?.ok) {
+        return credentials.map((c) => ({ account: c.account, ok: false }));
+      }
+      const data = (await res.json()) as {
+        results: Array<{ account: string; ok: boolean }>;
+      };
+      return data.results;
+    } catch (err) {
+      log.warn({ err }, "CES credential bulk set threw unexpectedly");
+      return credentials.map((c) => ({ account: c.account, ok: false }));
+    }
+  }
+
   async list(): Promise<CredentialListResult> {
     try {
       const res = await cesRequest("GET", "/v1/credentials");

package/src/security/ces-rpc-credential-backend.ts

@@ -86,4 +86,21 @@ export class CesRpcCredentialBackend implements CredentialBackend {
       return { accounts: [], unreachable: true };
     }
   }
+
+  async bulkSet(
+    credentials: Array<{ account: string; value: string }>,
+  ): Promise<Array<{ account: string; ok: boolean }>> {
+    if (!this.isAvailable()) {
+      return credentials.map((c) => ({ account: c.account, ok: false }));
+    }
+    try {
+      const result = await this.client.call(CesRpcMethod.BulkSetCredentials, {
+        credentials,
+      });
+      return result.results;
+    } catch (err) {
+      log.warn({ err }, "CES RPC bulk credential set failed");
+      return credentials.map((c) => ({ account: c.account, ok: false }));
+    }
+  }
 }

package/src/security/credential-backend.ts

@@ -47,6 +47,11 @@ export interface CredentialBackend {
 
   /** List all account names. */
   list(): Promise<CredentialListResult>;
+
+  /** Bulk-set multiple credentials. Optional — backends without native bulk support omit this. */
+  bulkSet?(
+    credentials: Array<{ account: string; value: string }>,
+  ): Promise<Array<{ account: string; ok: boolean }>>;
 }
 
 // ---------------------------------------------------------------------------

package/src/security/oauth2.ts

@@ -33,13 +33,13 @@ export type TokenEndpointAuthMethod =
   | "client_secret_post";
 
 export interface OAuth2Config {
-  authUrl: string;
-  tokenUrl: string;
+  authorizeUrl: string;
+  tokenExchangeUrl: string;
   scopes: string[];
   clientId: string;
   /** Client secret for providers that require it (e.g. Slack). PKCE is always used regardless. */
   clientSecret?: string;
-  extraParams?: Record<string, string>;
+  authorizeParams?: Record<string, string>;
   /** URL to fetch user identity info after OAuth. If omitted, account info is not fetched. */
   userinfoUrl?: string;
   /**
@@ -49,6 +49,13 @@ export interface OAuth2Config {
    * Defaults to `client_secret_post`.
    */
   tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
+  /**
+   * Separator used to join scopes in the authorize URL and split the
+   * granted-scope string returned by the token endpoint. Defaults to
+   * `" "` (space) per the OAuth 2.0 spec, but providers like Linear
+   * use `","` (comma).
+   */
+  scopeSeparator: string;
 }
 
 export interface OAuth2TokenResult {
@@ -130,7 +137,7 @@ async function exchangeCodeForTokens(
     }
   }
 
-  const tokenResp = await fetch(config.tokenUrl, {
+  const tokenResp = await fetch(config.tokenExchangeUrl, {
     method: "POST",
     headers,
     body: new URLSearchParams(tokenBody),
@@ -187,9 +194,19 @@ async function exchangeCodeForTokens(
       (tokenData.token_type as string | undefined),
   };
 
+  // Defensive split: providers (e.g. GitHub, Slack) may return comma-separated
+  // scopes in token responses regardless of the scope_separator used to join
+  // outbound authorize URLs, so we tolerate both spaces and commas here. When
+  // a provider explicitly configures a non-default separator (e.g. Linear uses
+  // ","), we honor that to keep symmetric round-tripping of configured scopes.
+  const splitPattern =
+    config.scopeSeparator === " " ? /[ ,]/ : config.scopeSeparator;
   const grantedScopes =
     typeof tokens.scope === "string"
-      ? tokens.scope.split(/[ ,]/).filter(Boolean)
+      ? tokens.scope
+          .split(splitPattern)
+          .map((s) => s.trim())
+          .filter(Boolean)
       : [...config.scopes];
 
   return { tokens, grantedScopes, rawTokenResponse: tokenData };
@@ -228,18 +245,18 @@ async function runGatewayFlow(
   });
 
   const authParams = new URLSearchParams({
-    ...config.extraParams,
+    ...config.authorizeParams,
     client_id: config.clientId,
     redirect_uri: redirectUri,
     response_type: "code",
-    scope: config.scopes.join(" "),
+    scope: config.scopes.join(config.scopeSeparator),
     state,
     code_challenge: codeChallenge,
     code_challenge_method: "S256",
   });
 
-  const authUrl = `${config.authUrl}?${authParams}`;
-  callbacks.openUrl(authUrl);
+  const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
+  callbacks.openUrl(authorizeUrl);
 
   const code = await codePromise;
 
@@ -401,22 +418,22 @@ function startLoopbackServerAndWaitForCode(
       );
 
       const authParams = new URLSearchParams({
-        ...config.extraParams,
+        ...config.authorizeParams,
         client_id: config.clientId,
         redirect_uri: boundRedirectUri,
         response_type: "code",
-        scope: config.scopes.join(" "),
+        scope: config.scopes.join(config.scopeSeparator),
         state,
         code_challenge: codeChallenge,
         code_challenge_method: "S256",
       });
 
-      const authUrl = `${config.authUrl}?${authParams}`;
+      const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
       log.info(
-        { authUrlLength: authUrl.length, state },
+        { authorizeUrlLength: authorizeUrl.length, state },
         "oauth2 loopback: built auth URL, calling openUrl callback",
       );
-      callbacks.openUrl(authUrl);
+      callbacks.openUrl(authorizeUrl);
       log.info("oauth2 loopback: openUrl callback returned");
     });
 
@@ -439,7 +456,7 @@ function startLoopbackServerAndWaitForCode(
 // ---------------------------------------------------------------------------
 
 export interface OAuth2PreparedFlow {
-  authUrl: string;
+  authorizeUrl: string;
   state: string;
   /** Resolves when the user completes authorization and tokens are exchanged. */
   completion: Promise<OAuth2FlowResult>;
@@ -493,17 +510,17 @@ export async function prepareOAuth2Flow(
   });
 
   const authParams = new URLSearchParams({
-    ...config.extraParams,
+    ...config.authorizeParams,
     client_id: config.clientId,
     redirect_uri: redirectUri,
     response_type: "code",
-    scope: config.scopes.join(" "),
+    scope: config.scopes.join(config.scopeSeparator),
     state,
     code_challenge: codeChallenge,
     code_challenge_method: "S256",
   });
 
-  const authUrl = `${config.authUrl}?${authParams}`;
+  const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
 
   const completion = codePromise.then(async (code) => {
     return await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
@@ -511,7 +528,7 @@ export async function prepareOAuth2Flow(
 
   log.debug({ transport: "gateway", state }, "Prepared deferred OAuth2 flow");
 
-  return { authUrl, state, completion };
+  return { authorizeUrl, state, completion };
 }
 
 /**
@@ -533,17 +550,17 @@ async function prepareLoopbackFlow(
   );
 
   const authParams = new URLSearchParams({
-    ...config.extraParams,
+    ...config.authorizeParams,
     client_id: config.clientId,
     redirect_uri: redirectUri,
     response_type: "code",
-    scope: config.scopes.join(" "),
+    scope: config.scopes.join(config.scopeSeparator),
     state,
     code_challenge: codeChallenge,
     code_challenge_method: "S256",
   });
 
-  const authUrl = `${config.authUrl}?${authParams}`;
+  const authorizeUrl = `${config.authorizeUrl}?${authParams}`;
 
   const completion = codePromise.then(async (code) => {
     return await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
@@ -554,7 +571,7 @@ async function prepareLoopbackFlow(
     "Prepared deferred OAuth2 flow (loopback)",
   );
 
-  return { authUrl, state, completion };
+  return { authorizeUrl, state, completion };
 }
 
 /**
@@ -763,7 +780,7 @@ export async function startOAuth2Flow(
  * Supports both PKCE (no secret) and client_secret flows.
  */
 export async function refreshOAuth2Token(
-  tokenUrl: string,
+  tokenExchangeUrl: string,
   clientId: string,
   refreshToken: string,
   clientSecret?: string,
@@ -792,7 +809,7 @@ export async function refreshOAuth2Token(
     }
   }
 
-  const resp = await fetch(tokenUrl, {
+  const resp = await fetch(tokenExchangeUrl, {
     method: "POST",
     headers,
     body: new URLSearchParams(body),

package/src/security/secure-keys.ts

@@ -86,6 +86,15 @@ let _cesHttpUnreachable = false;
 /** Minimum interval between CES reconnection attempts. */
 const RECONNECT_COOLDOWN_MS = 3_000;
 
+/**
+ * Hard timeout for each public credential operation (resolve + backend call).
+ * Prevents indefinite blocking when CES reconnection or backend operations hang.
+ *
+ * Set to 45s to comfortably cover the CES HTTP set worst case (~34s:
+ * 3 fetch attempts × 10s REQUEST_TIMEOUT_MS + 2 × 2s SET_RETRY_DELAY_MS).
+ */
+const CREDENTIAL_OP_TIMEOUT_MS = 45_000;
+
 /** Inject a CES RPC client for credential routing. Resets the resolved backend. */
 export function setCesClient(client: CesClient | undefined): void {
   _cesClient = client;
@@ -308,16 +317,58 @@ function updateCesHttpReachability(
   }
 }
 
+// ---------------------------------------------------------------------------
+// Timeout helper
+// ---------------------------------------------------------------------------
+
+const CREDENTIAL_TIMEOUT_MSG = "Credential operation timed out";
+
+/**
+ * Race a credential operation against a hard deadline. If the operation
+ * does not settle within `CREDENTIAL_OP_TIMEOUT_MS`, return the supplied
+ * fallback value so callers degrade gracefully instead of hanging.
+ *
+ * Non-timeout errors from `op()` are propagated to callers rather than
+ * silently swallowed — only genuine timeouts return the fallback.
+ */
+async function withCredentialTimeout<T>(
+  op: () => Promise<T>,
+  fallback: T,
+): Promise<T> {
+  return new Promise<T>((resolve, reject) => {
+    const timer = setTimeout(() => {
+      log.warn(CREDENTIAL_TIMEOUT_MSG + " — returning fallback");
+      resolve(fallback);
+    }, CREDENTIAL_OP_TIMEOUT_MS);
+
+    op().then(
+      (val) => {
+        clearTimeout(timer);
+        resolve(val);
+      },
+      (err) => {
+        clearTimeout(timer);
+        reject(err);
+      },
+    );
+  });
+}
+
 /**
  * List all account names from the resolved backend (async).
  *
  * Queries exactly one backend — no cross-store merge.
  */
 export async function listSecureKeysAsync(): Promise<CredentialListResult> {
-  const backend = await resolveBackendAsync();
-  const result = await backend.list();
-  updateCesHttpReachability(backend, result.unreachable);
-  return result;
+  return withCredentialTimeout(
+    async () => {
+      const backend = await resolveBackendAsync();
+      const result = await backend.list();
+      updateCesHttpReachability(backend, result.unreachable);
+      return result;
+    },
+    { accounts: [], unreachable: true },
+  );
 }
 
 // ---------------------------------------------------------------------------
@@ -336,13 +387,18 @@ export async function listSecureKeysAsync(): Promise<CredentialListResult> {
 export async function getSecureKeyResultAsync(
   account: string,
 ): Promise<SecureKeyResult> {
-  const backend = await resolveBackendAsync();
-  const result = await backend.get(account);
-  updateCesHttpReachability(backend, result.unreachable);
-  if (result.value != null) {
-    return { value: result.value, unreachable: false };
-  }
-  return { value: undefined, unreachable: result.unreachable };
+  return withCredentialTimeout(
+    async () => {
+      const backend = await resolveBackendAsync();
+      const result = await backend.get(account);
+      updateCesHttpReachability(backend, result.unreachable);
+      if (result.value != null) {
+        return { value: result.value, unreachable: false };
+      }
+      return { value: undefined, unreachable: result.unreachable };
+    },
+    { value: undefined, unreachable: true },
+  );
 }
 
 /**
@@ -364,16 +420,18 @@ export async function setSecureKeyAsync(
   account: string,
   value: string,
 ): Promise<boolean> {
-  const backend = await resolveBackendAsync();
-  const ok = await backend.set(account, value);
-  if (!ok) {
-    log.warn(
-      { account, backend: backend.name },
-      "Credential backend set failed",
-    );
-  }
-  updateCesHttpReachability(backend, !ok);
-  return ok;
+  return withCredentialTimeout(async () => {
+    const backend = await resolveBackendAsync();
+    const ok = await backend.set(account, value);
+    if (!ok) {
+      log.warn(
+        { account, backend: backend.name },
+        "Credential backend set failed",
+      );
+    }
+    updateCesHttpReachability(backend, !ok);
+    return ok;
+  }, false);
 }
 
 /**
@@ -384,10 +442,45 @@ export async function setSecureKeyAsync(
 export async function deleteSecureKeyAsync(
   account: string,
 ): Promise<DeleteResult> {
-  const backend = await resolveBackendAsync();
-  const result = await backend.delete(account);
-  updateCesHttpReachability(backend, result === "error");
-  return result;
+  return withCredentialTimeout(async () => {
+    const backend = await resolveBackendAsync();
+    const result = await backend.delete(account);
+    updateCesHttpReachability(backend, result === "error");
+    return result;
+  }, "error");
+}
+
+/**
+ * Bulk-set multiple credentials in a single operation.
+ *
+ * Uses the backend's native `bulkSet` when available (CES RPC / HTTP),
+ * otherwise falls back to individual `set` calls.
+ */
+export async function bulkSetSecureKeysAsync(
+  credentials: Array<{ account: string; value: string }>,
+): Promise<Array<{ account: string; ok: boolean }>> {
+  return withCredentialTimeout(
+    async () => {
+      const backend = await resolveBackendAsync();
+      if (backend.bulkSet) {
+        const results = await backend.bulkSet(credentials);
+        const anyFailed = results.some((r) => !r.ok);
+        updateCesHttpReachability(backend, anyFailed);
+        return results;
+      }
+      // Fallback: loop individual sets
+      const results = [];
+      let anyFailed = false;
+      for (const { account, value } of credentials) {
+        const ok = await backend.set(account, value);
+        if (!ok) anyFailed = true;
+        results.push({ account, ok });
+      }
+      updateCesHttpReachability(backend, anyFailed);
+      return results;
+    },
+    credentials.map((c) => ({ account: c.account, ok: false })),
+  );
 }
 
 // ---------------------------------------------------------------------------

package/src/security/token-manager.ts

@@ -1,7 +1,7 @@
 /**
  * Token manager for OAuth2 credentials.
  *
- * Reads refresh configuration (tokenUrl, clientId, authMethod) exclusively
+ * Reads refresh configuration (refreshUrl with fallback to tokenExchangeUrl, clientId, authMethod) exclusively
  * from the SQLite oauth-store (provider + app + connection rows). After a
  * successful refresh, writes tokens to new-format secure key paths and
  * updates the oauth_connection row.
@@ -90,7 +90,12 @@ const secureKeyBackend: SecureKeyBackend = {
 
 /** Shared shape for resolved refresh configuration. */
 interface RefreshConfig {
-  tokenUrl: string;
+  /**
+   * Token endpoint used for the refresh grant. Resolved from
+   * `provider.refreshUrl` when set to a non-empty string, otherwise
+   * `provider.tokenExchangeUrl` (matching platform's Python `or` semantics).
+   */
+  tokenExchangeUrl: string;
   clientId: string;
   /** OAuth client secret (optional — PKCE flows may omit it). */
   secret?: string;
@@ -102,8 +107,9 @@ interface RefreshConfig {
 /**
  * Resolve refresh configuration from the SQLite oauth-store.
  *
- * Looks up connection -> app -> provider to read tokenUrl, clientId, and
- * authMethod. Throws `TokenExpiredError` if the connection is not found
+ * Looks up connection -> app -> provider to read the refresh endpoint (preferring
+ * `provider.refreshUrl`, falling back to `provider.tokenExchangeUrl`), clientId,
+ * and authMethod. Throws `TokenExpiredError` if the connection is not found
  * or incomplete.
  */
 async function resolveRefreshConfig(
@@ -126,7 +132,7 @@ async function resolveRefreshConfig(
     );
   }
 
-  const provider = getProvider(conn.providerKey);
+  const provider = getProvider(conn.provider);
   if (!provider) {
     throw new TokenExpiredError(
       service,
@@ -134,9 +140,16 @@ async function resolveRefreshConfig(
     );
   }
 
-  const tokenUrl = provider.tokenUrl;
+  // Prefer provider.refreshUrl when set; fall back to tokenExchangeUrl.
+  // This mirrors platform's `oauth_app.refresh_url or oauth_app.token_exchange_url`
+  // in `token_service.py:112`, so both repos resolve the refresh endpoint
+  // identically for managed and BYO flows. We use `||` (not `??`) so empty
+  // strings fall back to tokenExchangeUrl — matching Python's `or` semantics
+  // and preventing a malformed provider row with `refreshUrl: ""` from
+  // resolving to an empty endpoint.
+  const tokenExchangeUrl = provider.refreshUrl || provider.tokenExchangeUrl;
   const resolvedClientId = app.clientId;
-  if (!tokenUrl || !resolvedClientId) {
+  if (!tokenExchangeUrl || !resolvedClientId) {
     throw new TokenExpiredError(
       service,
       `Missing OAuth2 refresh config for "${service}".${recoveryHint(service)}`,
@@ -155,7 +168,7 @@ async function resolveRefreshConfig(
 
   return {
     connId: conn.id,
-    tokenUrl,
+    tokenExchangeUrl,
     clientId: resolvedClientId,
     secret,
     refreshToken,
@@ -175,7 +188,7 @@ async function resolveRefreshConfig(
 async function doRefresh(service: string, connId: string): Promise<string> {
   const refreshConfig = await resolveRefreshConfig(service, connId);
   const {
-    tokenUrl,
+    tokenExchangeUrl,
     clientId: resolvedClientId,
     secret,
     authMethod,
@@ -204,7 +217,7 @@ async function doRefresh(service: string, connId: string): Promise<string> {
   let result;
   try {
     result = await refreshOAuth2Token(
-      tokenUrl,
+      tokenExchangeUrl,
       resolvedClientId,
       refreshToken,
       secret,