@vellumai/assistant 0.6.2 → 0.6.3

package/src/__tests__/oauth2-gateway-transport.test.ts

@@ -138,10 +138,11 @@ globalThis.fetch = (async (input: RequestInfo | URL, init?: RequestInit) => {
 import { type OAuth2Config, startOAuth2Flow } from "../security/oauth2.js";
 
 const BASE_OAUTH_CONFIG: OAuth2Config = {
-  authUrl: "https://provider.example.com/authorize",
-  tokenUrl: "https://provider.example.com/token",
+  authorizeUrl: "https://provider.example.com/authorize",
+  tokenExchangeUrl: "https://provider.example.com/token",
   scopes: ["read", "write"],
   clientId: "test-client-id",
+  scopeSeparator: " ",
 };
 
 beforeEach(() => {
@@ -219,9 +220,9 @@ describe("OAuth2 gateway transport", () => {
       expect(capturedAuthUrl).toContain(encodeURIComponent("/oauth/callback"));
 
       // Extract the redirect_uri and simulate the callback
-      const authUrl = new URL(capturedAuthUrl);
-      const redirectUri = authUrl.searchParams.get("redirect_uri")!;
-      const state = authUrl.searchParams.get("state")!;
+      const authorizeUrl = new URL(capturedAuthUrl);
+      const redirectUri = authorizeUrl.searchParams.get("redirect_uri")!;
+      const state = authorizeUrl.searchParams.get("state")!;
 
       // Make a request to the loopback server with the auth code
       const callbackUrl = `${redirectUri}?code=loopback-auth-code&state=${state}`;
@@ -282,9 +283,9 @@ describe("OAuth2 gateway transport", () => {
       expect(capturedAuthUrl).not.toContain("gw.example.com");
 
       // Simulate callback to loopback server
-      const authUrl = new URL(capturedAuthUrl);
-      const redirectUri = authUrl.searchParams.get("redirect_uri")!;
-      const state = authUrl.searchParams.get("state")!;
+      const authorizeUrl = new URL(capturedAuthUrl);
+      const redirectUri = authorizeUrl.searchParams.get("redirect_uri")!;
+      const state = authorizeUrl.searchParams.get("state")!;
       await fetch(`${redirectUri}?code=explicit-loopback-code&state=${state}`);
 
       const result = await flowPromise;
@@ -405,9 +406,9 @@ describe("OAuth2 gateway transport", () => {
       expect(capturedAuthUrl).toContain("code_challenge=");
       expect(capturedAuthUrl).toContain("code_challenge_method=S256");
 
-      const authUrl = new URL(capturedAuthUrl);
-      const redirectUri = authUrl.searchParams.get("redirect_uri")!;
-      const state = authUrl.searchParams.get("state")!;
+      const authorizeUrl = new URL(capturedAuthUrl);
+      const redirectUri = authorizeUrl.searchParams.get("redirect_uri")!;
+      const state = authorizeUrl.searchParams.get("state")!;
 
       const resp = await fetch(
         `${redirectUri}?code=loopback-code&state=${state}`,
@@ -440,9 +441,9 @@ describe("OAuth2 gateway transport", () => {
 
       await urlReadyPromise;
 
-      const authUrl = new URL(capturedAuthUrl);
-      const redirectUri = authUrl.searchParams.get("redirect_uri")!;
-      const state = authUrl.searchParams.get("state")!;
+      const authorizeUrl = new URL(capturedAuthUrl);
+      const redirectUri = authorizeUrl.searchParams.get("redirect_uri")!;
+      const state = authorizeUrl.searchParams.get("state")!;
 
       // Fire callback without awaiting — immediately check flowPromise rejection
       fetch(`${redirectUri}?error=access_denied&state=${state}`).catch(
@@ -473,8 +474,8 @@ describe("OAuth2 gateway transport", () => {
 
       await urlReadyPromise;
 
-      const authUrl = new URL(capturedAuthUrl);
-      const redirectUri = authUrl.searchParams.get("redirect_uri")!;
+      const authorizeUrl = new URL(capturedAuthUrl);
+      const redirectUri = authorizeUrl.searchParams.get("redirect_uri")!;
 
       // Send callback with wrong state
       const resp = await fetch(
@@ -484,7 +485,7 @@ describe("OAuth2 gateway transport", () => {
 
       // The flow should still be waiting (not resolved)
       // Send the correct callback to clean up
-      const state = authUrl.searchParams.get("state")!;
+      const state = authorizeUrl.searchParams.get("state")!;
       await fetch(`${redirectUri}?code=correct-code&state=${state}`);
 
       const result = await flowPromise;
@@ -516,9 +517,9 @@ describe("OAuth2 gateway transport", () => {
 
       await urlReadyPromise;
 
-      const authUrl = new URL(capturedAuthUrl);
-      const redirectUri = authUrl.searchParams.get("redirect_uri")!;
-      const state = authUrl.searchParams.get("state")!;
+      const authorizeUrl = new URL(capturedAuthUrl);
+      const redirectUri = authorizeUrl.searchParams.get("redirect_uri")!;
+      const state = authorizeUrl.searchParams.get("state")!;
 
       // Fire callback without awaiting — immediately check flowPromise rejection
       fetch(`${redirectUri}?code=code-that-fails&state=${state}`).catch(
@@ -653,4 +654,194 @@ describe("OAuth2 gateway transport", () => {
       expect(lastTokenRequestBody!.has("client_secret")).toBe(false);
     });
   });
+
+  describe("scope separator", () => {
+    test("authorize URL joins scopes with space when scopeSeparator is ' '", async () => {
+      mockPublicBaseUrl = "https://gw.example.com";
+
+      let capturedAuthUrl = "";
+      const flowPromise = startOAuth2Flow(
+        BASE_OAUTH_CONFIG,
+        {
+          openUrl: (url) => {
+            capturedAuthUrl = url;
+          },
+        },
+        { callbackTransport: "gateway" },
+      );
+
+      await new Promise((r) => setTimeout(r, 10));
+
+      // URLSearchParams encodes spaces as '+' in query strings (application/x-www-form-urlencoded)
+      expect(capturedAuthUrl).toContain("scope=read+write");
+
+      const entries = Array.from(pendingCallbacks.entries());
+      entries[0][1].resolve("space-separator-code");
+      await flowPromise;
+    });
+
+    test("authorize URL joins scopes with comma when scopeSeparator is ','", async () => {
+      mockPublicBaseUrl = "https://gw.example.com";
+
+      const commaConfig: OAuth2Config = {
+        ...BASE_OAUTH_CONFIG,
+        scopeSeparator: ",",
+      };
+
+      let capturedAuthUrl = "";
+      const flowPromise = startOAuth2Flow(
+        commaConfig,
+        {
+          openUrl: (url) => {
+            capturedAuthUrl = url;
+          },
+        },
+        { callbackTransport: "gateway" },
+      );
+
+      await new Promise((r) => setTimeout(r, 10));
+
+      // Comma-encoded scopes
+      expect(capturedAuthUrl).toContain("scope=read%2Cwrite");
+
+      const entries = Array.from(pendingCallbacks.entries());
+      entries[0][1].resolve("comma-separator-code");
+      await flowPromise;
+    });
+
+    test("token response with comma-separated scope splits into individual scopes when scopeSeparator is ','", async () => {
+      mockPublicBaseUrl = "https://gw.example.com";
+      mockTokenResponse = {
+        ok: true,
+        status: 200,
+        body: {
+          access_token: "test-access-token",
+          refresh_token: "test-refresh-token",
+          expires_in: 3600,
+          scope: "read,write,issues:create",
+          token_type: "Bearer",
+        },
+      };
+
+      const commaConfig: OAuth2Config = {
+        ...BASE_OAUTH_CONFIG,
+        scopeSeparator: ",",
+      };
+
+      const flowPromise = startOAuth2Flow(
+        commaConfig,
+        { openUrl: () => {} },
+        { callbackTransport: "gateway" },
+      );
+
+      await new Promise((r) => setTimeout(r, 10));
+
+      const entries = Array.from(pendingCallbacks.entries());
+      entries[0][1].resolve("comma-token-code");
+
+      const result = await flowPromise;
+      expect(result.grantedScopes).toEqual(["read", "write", "issues:create"]);
+    });
+
+    test("token response with whitespace around comma separators is trimmed", async () => {
+      mockPublicBaseUrl = "https://gw.example.com";
+      mockTokenResponse = {
+        ok: true,
+        status: 200,
+        body: {
+          access_token: "test-access-token",
+          refresh_token: "test-refresh-token",
+          expires_in: 3600,
+          scope: " read , write ",
+          token_type: "Bearer",
+        },
+      };
+
+      const commaConfig: OAuth2Config = {
+        ...BASE_OAUTH_CONFIG,
+        scopeSeparator: ",",
+      };
+
+      const flowPromise = startOAuth2Flow(
+        commaConfig,
+        { openUrl: () => {} },
+        { callbackTransport: "gateway" },
+      );
+
+      await new Promise((r) => setTimeout(r, 10));
+
+      const entries = Array.from(pendingCallbacks.entries());
+      entries[0][1].resolve("comma-whitespace-code");
+
+      const result = await flowPromise;
+      expect(result.grantedScopes).toEqual(["read", "write"]);
+    });
+
+    test("default-space provider still parses comma-separated token response scopes (GitHub/Slack compat)", async () => {
+      // Providers like GitHub and Slack use space as their authorize-URL
+      // separator but return comma-separated scopes in token responses.
+      // The defensive split MUST tolerate that without requiring providers
+      // to opt into scopeSeparator: ",".
+      mockPublicBaseUrl = "https://gw.example.com";
+      mockTokenResponse = {
+        ok: true,
+        status: 200,
+        body: {
+          access_token: "test-access-token",
+          refresh_token: "test-refresh-token",
+          expires_in: 3600,
+          scope: "repo,read:user,notifications",
+          token_type: "Bearer",
+        },
+      };
+
+      // BASE_OAUTH_CONFIG uses the default " " separator.
+      const flowPromise = startOAuth2Flow(
+        BASE_OAUTH_CONFIG,
+        { openUrl: () => {} },
+        { callbackTransport: "gateway" },
+      );
+
+      await new Promise((r) => setTimeout(r, 10));
+
+      const entries = Array.from(pendingCallbacks.entries());
+      entries[0][1].resolve("github-style-code");
+
+      const result = await flowPromise;
+      expect(result.grantedScopes).toEqual([
+        "repo",
+        "read:user",
+        "notifications",
+      ]);
+    });
+
+    test("default-space provider parses space-separated token response scopes", async () => {
+      mockPublicBaseUrl = "https://gw.example.com";
+      mockTokenResponse = {
+        ok: true,
+        status: 200,
+        body: {
+          access_token: "test-access-token",
+          refresh_token: "test-refresh-token",
+          expires_in: 3600,
+          scope: "read write admin",
+          token_type: "Bearer",
+        },
+      };
+
+      const flowPromise = startOAuth2Flow(
+        BASE_OAUTH_CONFIG,
+        { openUrl: () => {} },
+        { callbackTransport: "gateway" },
+      );
+
+      await new Promise((r) => setTimeout(r, 10));
+
+      const entries = Array.from(pendingCallbacks.entries());
+      entries[0][1].resolve("space-token-code");
+
+      const result = await flowPromise;
+      expect(result.grantedScopes).toEqual(["read", "write", "admin"]);
+    });
+  });
 });

package/src/__tests__/onboarding-template-contract.test.ts

@@ -19,48 +19,17 @@ describe("onboarding template contracts", () => {
 
     test("contains identity discovery prompts", () => {
       const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("your name");
-      expect(lower).toContain("personality");
+      expect(lower).toContain("identity");
+      expect(lower).toContain("infer");
     });
 
-    test("leads with personality-first emotional arc", () => {
-      const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("personality");
-      expect(lower).toContain("vibe");
-      // Personality arc should come before usefulness arc
-      const personalityIdx = lower.indexOf("oh, this has personality");
-      const usefulIdx = lower.indexOf("oh, this is useful");
-      expect(personalityIdx).toBeGreaterThan(-1);
-      expect(usefulIdx).toBeGreaterThan(-1);
-      expect(personalityIdx).toBeLessThan(usefulIdx);
-    });
-
-    test("contains name selection with change-later instruction", () => {
-      const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("what they want to call you");
-      expect(lower).toContain("change it later");
-    });
-
-    test("name exchange happens before personality quiz", () => {
-      const nameIdx = bootstrap.indexOf("Step 1: Name Exchange");
-      const quizIdx = bootstrap.indexOf("Step 2: Personality Quiz");
-      expect(nameIdx).toBeGreaterThan(-1);
-      expect(quizIdx).toBeGreaterThan(-1);
-      expect(nameIdx).toBeLessThan(quizIdx);
-    });
-
-    test("gathers user context: work role, hobbies, daily tools", () => {
+    test("gathers user context", () => {
       const lower = bootstrap.toLowerCase();
       expect(lower).toContain("work role");
-      expect(lower).toContain("hobbies");
+      expect(lower).toContain("goals");
       expect(lower).toContain("tools");
     });
 
-    test("references ui_show payloads from BOOTSTRAP-REFERENCE.md", () => {
-      expect(bootstrap).toContain("ui_show");
-      expect(bootstrap).toContain("BOOTSTRAP-REFERENCE.md");
-    });
-
     test("contains wrapping-up criteria with deletion instructions", () => {
       const lower = bootstrap.toLowerCase();
       expect(lower).toContain("wrapping up");
@@ -70,15 +39,12 @@ describe("onboarding template contracts", () => {
 
     test("contains refusal policy", () => {
       const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("hard-required");
-      expect(lower).toContain("best-effort");
       expect(lower).toContain("declined");
-      expect(lower).toContain("not interrogation");
+      expect(lower).toContain("constraints");
     });
 
-    test("defines resolved as provided, inferred, or declined", () => {
+    test("defines field states as inferred or declined", () => {
       const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("resolved");
       expect(lower).toContain("inferred");
       expect(lower).toContain("declined");
     });
@@ -91,6 +57,7 @@ describe("onboarding template contracts", () => {
     });
 
     test("includes budget constraint", () => {
+      expect(bootstrap).toContain("$2");
       expect(bootstrap).toContain("$5");
     });
 
@@ -98,30 +65,73 @@ describe("onboarding template contracts", () => {
       expect(bootstrap).toContain("new colleague");
     });
 
-    test("instructs checking Connected Services for email task variant", () => {
-      expect(bootstrap).toContain("Connected Services");
-      expect(bootstrap).toContain("Connect my email");
-      expect(bootstrap).toContain("Check my email");
+    test("contains numbered goals", () => {
+      const lower = bootstrap.toLowerCase();
+      expect(lower).toContain("establish mutual identity");
+      expect(lower).toContain("prove value fast");
+      expect(lower).toContain("infer, don't interrogate");
+      expect(lower).toContain("surface what you learned");
+      expect(lower).toContain("offer the next level");
+      expect(lower).toContain("write everything immediately");
+      expect(lower).toContain("clean up");
+    });
+
+    test("contains constraints section", () => {
+      expect(bootstrap).toContain("## Constraints");
+      expect(bootstrap).toContain("$2");
+      expect(bootstrap).toContain("2 questions");
+      expect(bootstrap.toLowerCase()).toContain("don't block on setup");
+      expect(bootstrap).toContain("One-shot");
     });
 
-    test("keeps momentum by chaining off the first task", () => {
+    test("contains 'what you own' section", () => {
       const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("keep the momentum");
-      expect(lower).toContain("don't pivot to setup");
-      expect(lower).toContain("chain off the task");
-      expect(lower).toContain("while we're at it");
+      expect(lower).toContain("sequencing");
+      expect(lower).toContain("pacing");
     });
-  });
 
-  describe("BOOTSTRAP-REFERENCE.md", () => {
-    test("contains personality form with 4 dropdowns", () => {
-      expect(bootstrapRef).toContain('surface_type: "form"');
-      expect(bootstrapRef).toContain("communication_style");
-      expect(bootstrapRef).toContain("task_style");
-      expect(bootstrapRef).toContain("humor");
-      expect(bootstrapRef).toContain("depth");
+    test("contains technical contract", () => {
+      expect(bootstrap).toContain("Technical Contract");
+      expect(bootstrap).toContain("prescribed");
     });
 
+    test("contains capability unlock pattern", () => {
+      const lower = bootstrap.toLowerCase();
+      expect(lower).toContain("email");
+      expect(lower).toContain("voice");
+      expect(lower).toContain("slack");
+    });
+
+    test("contains tone guidance", () => {
+      expect(bootstrap).toContain("Not servile");
+      expect(bootstrap.toLowerCase()).toContain("match");
+      expect(bootstrap.toLowerCase()).toContain("energy");
+    });
+
+    test("contains pre-chat onboarding context section", () => {
+      const lower = bootstrap.toLowerCase();
+      expect(lower).toContain("onboarding");
+      expect(lower).toContain("json");
+      expect(lower).toContain("context");
+    });
+
+    test("does not contain personality quiz references", () => {
+      // BOOTSTRAP.md says "No personality quiz" as part of goal 3,
+      // but should NOT contain instructions TO USE or SHOW a personality quiz
+      expect(bootstrap).not.toMatch(/show.*personality quiz/i);
+      expect(bootstrap).not.toMatch(/present.*personality quiz/i);
+      // "dropdown" only appears in "No dropdown forms" — that's a prohibition, not an instruction
+      expect(bootstrap).not.toMatch(/show.*dropdown/i);
+    });
+
+    test("does not contain rigid step sequence", () => {
+      expect(bootstrap).not.toMatch(/Step 1:/);
+      expect(bootstrap).not.toMatch(/Step 2:/);
+      expect(bootstrap).not.toMatch(/Step 3:/);
+    });
+  });
+
+  describe("BOOTSTRAP-REFERENCE.md", () => {
     test("contains email-not-connected task card variant", () => {
       expect(bootstrapRef).toContain("Email Not Connected");
       expect(bootstrapRef).toContain("Connect my email");
@@ -132,6 +142,14 @@ describe("onboarding template contracts", () => {
       expect(bootstrapRef).toContain("Email Already Connected");
       expect(bootstrapRef).toContain("Check my email");
     });
+
+    test("does not contain personality form", () => {
+      expect(bootstrapRef).not.toContain('surface_type: "form"');
+      expect(bootstrapRef).not.toContain("communication_style");
+      expect(bootstrapRef).not.toContain("task_style");
+      expect(bootstrapRef).not.toContain("humor");
+      expect(bootstrapRef).not.toContain("depth");
+    });
   });
 
   describe("IDENTITY.md", () => {

package/src/__tests__/openai-provider.test.ts

@@ -653,10 +653,10 @@ describe("OpenAIProvider", () => {
       [{ role: "user", content: [{ type: "text", text: "Hi" }] }],
       undefined,
       undefined,
-      { config: { max_tokens: 32000 } },
+      { config: { max_tokens: 64000 } },
     );
 
-    expect(lastCreateParams!.max_completion_tokens).toBe(32000);
+    expect(lastCreateParams!.max_completion_tokens).toBe(64000);
   });
 
   // -----------------------------------------------------------------------

package/src/__tests__/outlook-categories.test.ts

@@ -15,7 +15,7 @@ const mockListMasterCategories = mock(() =>
   }),
 );
 const mockResolveOAuthConnection = mock(() =>
-  Promise.resolve({ id: "conn-1", providerKey: "outlook" }),
+  Promise.resolve({ id: "conn-1", provider: "outlook" }),
 );
 
 mock.module("../messaging/providers/outlook/client.js", () => ({

package/src/__tests__/outlook-client-automation.test.ts

@@ -25,7 +25,7 @@ function createMockConnection(
 ): OAuthConnection {
   return {
     id: "outlook-conn-1",
-    providerKey: "outlook",
+    provider: "outlook",
     accountInfo: "test@outlook.com",
     request: mock(() =>
       Promise.resolve({ status, headers: {}, body: responseBody }),

package/src/__tests__/outlook-compose-tools.test.ts

@@ -56,7 +56,7 @@ const createForwardDraftMock = mock(
 
 const fakeConnection = {
   id: "conn-1",
-  providerKey: "microsoft",
+  provider: "microsoft",
   accountInfo: "user@outlook.com",
 } as unknown as OAuthConnection;
 

package/src/__tests__/outlook-email-watcher.test.ts

@@ -40,7 +40,7 @@ mock.module("../messaging/providers/outlook/client.js", () => ({
 }));
 
 const mockResolveOAuthConnection =
-  mock<(providerKey: string) => Promise<unknown>>();
+  mock<(provider: string) => Promise<unknown>>();
 
 mock.module("../oauth/connection-resolver.js", () => ({
   resolveOAuthConnection: mockResolveOAuthConnection,

package/src/__tests__/outlook-follow-up.test.ts

@@ -24,7 +24,7 @@ const mockListMessages = mock(() =>
   }),
 );
 const mockResolveOAuthConnection = mock(() =>
-  Promise.resolve({ id: "conn-1", providerKey: "outlook" }),
+  Promise.resolve({ id: "conn-1", provider: "outlook" }),
 );
 
 mock.module("../messaging/providers/outlook/client.js", () => ({

package/src/__tests__/outlook-messaging-provider.test.ts

@@ -164,7 +164,7 @@ import {
 function createMockConnection(): OAuthConnection {
   return {
     id: "outlook-conn-1",
-    providerKey: "outlook",
+    provider: "outlook",
     accountInfo: "test@outlook.com",
     request: mock(() =>
       Promise.resolve({ status: 200, headers: {}, body: {} }),
@@ -884,7 +884,7 @@ describe("Outlook client functions", () => {
   ): OAuthConnection {
     return {
       id: "outlook-conn-1",
-      providerKey: "outlook",
+      provider: "outlook",
       accountInfo: "test@outlook.com",
       request: mock(() =>
         Promise.resolve({ status, headers: {}, body: responseBody }),

package/src/__tests__/outlook-trash.test.ts

@@ -4,7 +4,7 @@ import { describe, expect, mock, test } from "bun:test";
 
 const mockTrashMessage = mock(() => Promise.resolve({}));
 const mockResolveOAuthConnection = mock(() =>
-  Promise.resolve({ id: "conn-1", providerKey: "outlook" }),
+  Promise.resolve({ id: "conn-1", provider: "outlook" }),
 );
 
 mock.module("../messaging/providers/outlook/client.js", () => ({

package/src/__tests__/outlook-unsubscribe.test.ts

@@ -57,7 +57,7 @@ const { run } =
 
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
-const fakeConnection = { id: "outlook-conn-1", providerKey: "outlook" };
+const fakeConnection = { id: "outlook-conn-1", provider: "outlook" };
 
 function makeContext(overrides: Partial<ToolContext> = {}): ToolContext {
   return {