npm - @vellumai/assistant - Versions diffs - 0.6.2 → 0.6.3 - Mend

@vellumai/assistant 0.6.2 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/bun.lock +40 -40
package/bunfig.toml +3 -0
package/docs/architecture/memory.md +1 -1
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +42 -0
package/openapi.yaml +184 -69
package/package.json +41 -41
package/scripts/generate-openapi.ts +1 -2
package/src/__tests__/acp-session.test.ts +43 -0
package/src/__tests__/app-builder-tool-scripts.test.ts +1 -0
package/src/__tests__/app-executors.test.ts +1 -0
package/src/__tests__/app-source-watcher.test.ts +37 -11
package/src/__tests__/approval-routes-http.test.ts +178 -1
package/src/__tests__/browser-fill-credential.test.ts +229 -94
package/src/__tests__/browser-manager.test.ts +40 -27
package/src/__tests__/catalog-files.test.ts +862 -0
package/src/__tests__/channel-approvals.test.ts +53 -0
package/src/__tests__/config-managed-gemini-defaults.test.ts +326 -0
package/src/__tests__/config-schema-cmd.test.ts +2 -2
package/src/__tests__/config-schema.test.ts +125 -48
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +23 -0
package/src/__tests__/context-overflow-approval.test.ts +16 -1
package/src/__tests__/conversation-agent-loop-overflow.test.ts +1 -1
package/src/__tests__/conversation-agent-loop.test.ts +1 -1
package/src/__tests__/conversation-analysis-routes.test.ts +2 -2
package/src/__tests__/conversation-attachments.test.ts +80 -4
package/src/__tests__/conversation-confirmation-signals.test.ts +155 -0
package/src/__tests__/conversation-fork-crud.test.ts +17 -0
package/src/__tests__/conversation-history-web-search.test.ts +1 -0
package/src/__tests__/conversation-host-access-routes.test.ts +229 -0
package/src/__tests__/conversation-inject-context.test.ts +103 -0
package/src/__tests__/conversation-queue.test.ts +45 -2
package/src/__tests__/conversation-routes-disk-view.test.ts +5 -0
package/src/__tests__/conversation-routes-guardian-reply.test.ts +16 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/conversation-runtime-assembly.test.ts +269 -46
package/src/__tests__/conversation-starter-routes.test.ts +126 -0
package/src/__tests__/conversation-starters-cadence.test.ts +161 -0
package/src/__tests__/conversation-store.test.ts +195 -0
package/src/__tests__/conversation-workspace-cache-state.test.ts +193 -0
package/src/__tests__/credential-execution-approval-bridge.test.ts +32 -1
package/src/__tests__/credential-security-invariants.test.ts +1 -0
package/src/__tests__/credential-vault-unit.test.ts +4 -4
package/src/__tests__/credential-vault.test.ts +152 -13
package/src/__tests__/credentials-cli.test.ts +2 -2
package/src/__tests__/date-context.test.ts +4 -4
package/src/__tests__/embedding-managed-proxy-selection.test.ts +256 -0
package/src/__tests__/extension-id-sync-guard.test.ts +155 -0
package/src/__tests__/fixtures/mock-chrome-extension.ts +375 -0
package/src/__tests__/gateway-only-guard.test.ts +3 -0
package/src/__tests__/gemini-provider.test.ts +2 -2
package/src/__tests__/guardian-routing-invariants.test.ts +70 -2
package/src/__tests__/headless-browser-interactions.test.ts +707 -371
package/src/__tests__/headless-browser-navigate.test.ts +389 -47
package/src/__tests__/headless-browser-read-tools.test.ts +266 -103
package/src/__tests__/headless-browser-snapshot.test.ts +240 -77
package/src/__tests__/host-bash-proxy.test.ts +150 -1
package/src/__tests__/host-browser-e2e-cloud.test.ts +462 -0
package/src/__tests__/host-browser-e2e-self-hosted-capability.test.ts +286 -0
package/src/__tests__/host-browser-e2e-self-hosted.test.ts +374 -0
package/src/__tests__/host-browser-event-routes.test.ts +350 -0
package/src/__tests__/host-browser-proxy.test.ts +444 -0
package/src/__tests__/host-browser-routes.test.ts +198 -0
package/src/__tests__/host-browser-ws-events-e2e.test.ts +320 -0
package/src/__tests__/host-cu-proxy.test.ts +171 -1
package/src/__tests__/host-file-proxy.test.ts +185 -1
package/src/__tests__/host-file-read-tool.test.ts +52 -0
package/src/__tests__/host-proxy-interface.test.ts +165 -0
package/src/__tests__/host-shell-tool.test.ts +1 -11
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/integration-status.test.ts +6 -7
package/src/__tests__/list-messages-tool-merge.test.ts +37 -12
package/src/__tests__/mcp-client-auth.test.ts +40 -4
package/src/__tests__/mcp-health-check.test.ts +10 -3
package/src/__tests__/migration-cross-version-compatibility.test.ts +3 -1
package/src/__tests__/migration-export-http.test.ts +61 -2
package/src/__tests__/migration-export-streaming.test.ts +66 -0
package/src/__tests__/migration-import-commit-http.test.ts +101 -1
package/src/__tests__/native-host-marker-sync-guard.test.ts +157 -0
package/src/__tests__/oauth-apps-routes.test.ts +17 -12
package/src/__tests__/oauth-cli.test.ts +707 -60
package/src/__tests__/oauth-connect-orchestrator.test.ts +116 -24
package/src/__tests__/oauth-provider-seed-logos.test.ts +23 -0
package/src/__tests__/oauth-provider-serializer.test.ts +146 -10
package/src/__tests__/oauth-provider-visibility.test.ts +19 -21
package/src/__tests__/oauth-providers-routes.test.ts +50 -14
package/src/__tests__/oauth-store.test.ts +1386 -182
package/src/__tests__/oauth2-gateway-transport.test.ts +211 -20
package/src/__tests__/onboarding-template-contract.test.ts +75 -57
package/src/__tests__/openai-provider.test.ts +2 -2
package/src/__tests__/outlook-categories.test.ts +1 -1
package/src/__tests__/outlook-client-automation.test.ts +1 -1
package/src/__tests__/outlook-compose-tools.test.ts +1 -1
package/src/__tests__/outlook-email-watcher.test.ts +1 -1
package/src/__tests__/outlook-follow-up.test.ts +1 -1
package/src/__tests__/outlook-messaging-provider.test.ts +2 -2
package/src/__tests__/outlook-trash.test.ts +1 -1
package/src/__tests__/outlook-unsubscribe.test.ts +1 -1
package/src/__tests__/permission-checker-host-gate.test.ts +74 -14
package/src/__tests__/permission-mode.test.ts +28 -56
package/src/__tests__/platform-callback-registration.test.ts +19 -0
package/src/__tests__/post-turn-tool-result-truncation.test.ts +296 -0
package/src/__tests__/proxy-approval-callback.test.ts +18 -0
package/src/__tests__/require-fresh-approval.test.ts +40 -1
package/src/__tests__/sanitize-config-for-transfer.test.ts +132 -0
package/src/__tests__/schedule-routes.test.ts +162 -0
package/src/__tests__/secret-detection-handler.test.ts +84 -0
package/src/__tests__/secret-ingress-http.test.ts +1 -0
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/set-permission-mode.test.ts +13 -250
package/src/__tests__/skills-file-content-endpoint.test.ts +670 -0
package/src/__tests__/skills-files-catalog-fallback.test.ts +450 -0
package/src/__tests__/slack-channel-config.test.ts +12 -15
package/src/__tests__/subagent-detail.test.ts +44 -2
package/src/__tests__/subagent-disposal.test.ts +1 -0
package/src/__tests__/subagent-fork-notifications.test.ts +291 -0
package/src/__tests__/subagent-fork-spawn.test.ts +384 -0
package/src/__tests__/subagent-manager-notify.test.ts +1 -0
package/src/__tests__/subagent-notify-parent.test.ts +1 -0
package/src/__tests__/subagent-spawn-tool-fork.test.ts +411 -0
package/src/__tests__/subagent-tools.test.ts +1 -0
package/src/__tests__/subagent-types.test.ts +1 -0
package/src/__tests__/system-prompt-ask-mode.test.ts +27 -71
package/src/__tests__/system-prompt.test.ts +72 -1
package/src/__tests__/task-scheduler.test.ts +32 -6
package/src/__tests__/telegram-config.test.ts +10 -13
package/src/__tests__/terminal-tools.test.ts +9 -0
package/src/__tests__/tool-approval-handler.test.ts +73 -0
package/src/__tests__/tool-side-effects-slack-dm.test.ts +22 -0
package/src/__tests__/top-level-renderer.test.ts +73 -1
package/src/__tests__/transport-hints-queue.test.ts +14 -29
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +109 -0
package/src/__tests__/v2-consent-policy.test.ts +103 -0
package/src/acp/client-handler.ts +30 -4
package/src/agent/loop.ts +12 -6
package/src/approvals/guardian-request-resolvers.ts +21 -15
package/src/browser-session/__tests__/manager.test.ts +297 -0
package/src/browser-session/backends/cdp-inspect.ts +30 -0
package/src/browser-session/backends/extension.ts +26 -0
package/src/browser-session/backends/local.ts +24 -0
package/src/browser-session/events.ts +164 -0
package/src/browser-session/index.ts +27 -0
package/src/browser-session/manager.ts +159 -0
package/src/browser-session/types.ts +28 -0
package/src/channels/__tests__/types.test.ts +134 -0
package/src/channels/types.ts +53 -3
package/src/cli/commands/browser-relay.ts +339 -409
package/src/cli/commands/credentials.ts +3 -3
package/src/cli/commands/email.ts +18 -13
package/src/cli/commands/mcp.ts +16 -4
package/src/cli/commands/oauth/__tests__/connect.test.ts +44 -44
package/src/cli/commands/oauth/__tests__/disconnect.test.ts +21 -21
package/src/cli/commands/oauth/__tests__/mode.test.ts +17 -17
package/src/cli/commands/oauth/__tests__/ping.test.ts +16 -16
package/src/cli/commands/oauth/__tests__/providers-delete.test.ts +31 -33
package/src/cli/commands/oauth/__tests__/providers-register.test.ts +329 -0
package/src/cli/commands/oauth/__tests__/providers-update.test.ts +116 -12
package/src/cli/commands/oauth/__tests__/status.test.ts +10 -10
package/src/cli/commands/oauth/__tests__/token.test.ts +7 -7
package/src/cli/commands/oauth/apps.ts +7 -4
package/src/cli/commands/oauth/connect.ts +6 -3
package/src/cli/commands/oauth/disconnect.ts +1 -1
package/src/cli/commands/oauth/providers.ts +200 -36
package/src/cli/commands/oauth/shared.ts +5 -5
package/src/cli/commands/platform/__tests__/callback-routes-list.test.ts +259 -0
package/src/cli/commands/platform/index.ts +107 -10
package/src/cli/commands/usage.ts +10 -9
package/src/cli/lib/daemon-credential-client.ts +4 -0
package/src/cli/program.ts +1 -1
package/src/config/bundled-skills/app-builder/SKILL.md +26 -249
package/src/config/bundled-skills/app-builder/references/CUSTOM_ROUTES.md +105 -0
package/src/config/bundled-skills/app-builder/references/INTERACTION_HOOKS.md +56 -0
package/src/config/bundled-skills/app-builder/references/WIDGETS.md +125 -0
package/src/config/bundled-skills/contacts/SKILL.md +3 -0
package/src/config/bundled-skills/document/SKILL.md +4 -0
package/src/config/bundled-skills/gmail/SKILL.md +1 -1
package/src/config/bundled-skills/outlook/SKILL.md +7 -0
package/src/config/bundled-skills/subagent/SKILL.md +21 -0
package/src/config/bundled-skills/subagent/TOOLS.json +8 -4
package/src/config/bundled-skills/tasks/SKILL.md +5 -0
package/src/config/env-registry.ts +14 -0
package/src/config/env.ts +21 -0
package/src/config/feature-flag-registry.json +44 -5
package/src/config/loader.ts +56 -1
package/src/config/sanitize-for-transfer.ts +47 -0
package/src/config/schema.ts +46 -5
package/src/config/schemas/host-browser.ts +66 -0
package/src/config/schemas/memory-lifecycle.ts +1 -1
package/src/config/schemas/memory-retrieval.ts +103 -0
package/src/config/schemas/security.ts +0 -6
package/src/config/schemas/services.ts +8 -0
package/src/config/types.ts +0 -1
package/src/context/post-turn-tool-result-truncation.ts +176 -0
package/src/context/window-manager.ts +19 -1
package/src/credential-execution/approval-bridge.ts +49 -15
package/src/daemon/__tests__/conversation-tool-setup.test.ts +186 -0
package/src/daemon/app-source-watcher.ts +35 -0
package/src/daemon/context-overflow-approval.ts +5 -0
package/src/daemon/conversation-agent-loop-handlers.ts +17 -2
package/src/daemon/conversation-agent-loop.ts +58 -24
package/src/daemon/conversation-attachments.ts +40 -0
package/src/daemon/conversation-process.ts +48 -1
package/src/daemon/conversation-runtime-assembly.ts +118 -36
package/src/daemon/conversation-surfaces.ts +37 -36
package/src/daemon/conversation-tool-setup.ts +74 -8
package/src/daemon/conversation-workspace.ts +12 -0
package/src/daemon/conversation.ts +226 -8
package/src/daemon/date-context.ts +10 -10
package/src/daemon/first-greeting.ts +3 -2
package/src/daemon/handlers/conversations.ts +9 -140
package/src/daemon/handlers/shared.ts +58 -0
package/src/daemon/handlers/skills.ts +232 -37
package/src/daemon/host-bash-proxy.ts +48 -13
package/src/daemon/host-browser-proxy.ts +191 -0
package/src/daemon/host-cu-proxy.ts +36 -11
package/src/daemon/host-file-proxy.ts +57 -9
package/src/daemon/lifecycle.ts +65 -11
package/src/daemon/message-protocol.ts +7 -0
package/src/daemon/message-types/conversations.ts +55 -13
package/src/daemon/message-types/host-browser.ts +100 -0
package/src/daemon/message-types/messages.ts +5 -5
package/src/daemon/message-types/skills.ts +10 -0
package/src/daemon/message-types/subagents.ts +2 -0
package/src/daemon/server.ts +92 -12
package/src/daemon/tool-side-effects.ts +6 -0
package/src/daemon/transport-hints.ts +5 -24
package/src/inbound/platform-callback-registration.ts +18 -17
package/src/mcp/client.ts +59 -24
package/src/memory/app-store.ts +31 -1
package/src/memory/conversation-crud.ts +23 -0
package/src/memory/conversation-starters-cadence.ts +76 -0
package/src/memory/conversation-title-service.ts +5 -2
package/src/memory/db-init.ts +12 -0
package/src/memory/embedding-backend.test.ts +75 -0
package/src/memory/embedding-backend.ts +131 -5
package/src/memory/embedding-gemini.test.ts +54 -0
package/src/memory/embedding-gemini.ts +20 -9
package/src/memory/embedding-local.ts +176 -17
package/src/memory/graph/consolidation.ts +10 -23
package/src/memory/graph/extraction-job.ts +15 -0
package/src/memory/graph/retriever.ts +40 -22
package/src/memory/graph/store.test.ts +7 -3
package/src/memory/graph/store.ts +47 -12
package/src/memory/llm-usage-store.ts +45 -4
package/src/memory/migrations/213-oauth-providers-scope-separator.ts +13 -0
package/src/memory/migrations/214-oauth-providers-refresh-url.ts +11 -0
package/src/memory/migrations/215-oauth-providers-revoke.ts +14 -0
package/src/memory/migrations/216-oauth-providers-token-auth-method.ts +30 -0
package/src/memory/migrations/217-conversation-host-access.ts +40 -0
package/src/memory/migrations/218-oauth-providers-logo-url.ts +11 -0
package/src/memory/migrations/index.ts +6 -0
package/src/memory/migrations/registry.ts +8 -0
package/src/memory/schema/conversations.ts +1 -0
package/src/memory/schema/oauth.ts +18 -13
package/src/oauth/AGENTS.md +76 -0
package/src/oauth/__tests__/identity-verifier.test.ts +24 -19
package/src/oauth/__tests__/seed-providers-managed.test.ts +32 -0
package/src/oauth/byo-connection.test.ts +8 -8
package/src/oauth/byo-connection.ts +7 -7
package/src/oauth/connect-orchestrator.ts +23 -21
package/src/oauth/connect-types.ts +3 -3
package/src/oauth/connection-resolver.test.ts +17 -4
package/src/oauth/connection-resolver.ts +16 -16
package/src/oauth/connection.ts +1 -1
package/src/oauth/manual-token-connection.ts +13 -13
package/src/oauth/oauth-store.ts +214 -100
package/src/oauth/platform-connection.test.ts +3 -3
package/src/oauth/platform-connection.ts +4 -4
package/src/oauth/provider-serializer.ts +31 -5
package/src/oauth/revoke.ts +76 -0
package/src/oauth/seed-providers.ts +126 -87
package/src/oauth/token-persistence.ts +1 -1
package/src/permissions/permission-mode.ts +4 -11
package/src/permissions/prompter.ts +13 -1
package/src/permissions/v2-consent-policy.ts +87 -0
package/src/prompts/system-prompt.ts +18 -21
package/src/prompts/templates/BOOTSTRAP-REFERENCE.md +3 -65
package/src/prompts/templates/BOOTSTRAP.md +59 -105
package/src/providers/anthropic/client.ts +1 -0
package/src/providers/types.ts +1 -1
package/src/runtime/AGENTS.md +23 -0
package/src/runtime/__tests__/browser-extension-pair-routes.test.ts +715 -0
package/src/runtime/__tests__/capability-tokens.test.ts +258 -0
package/src/runtime/__tests__/chrome-extension-registry.test.ts +518 -0
package/src/runtime/assistant-event-hub.ts +2 -2
package/src/runtime/auth/__tests__/guard-tests.test.ts +1 -0
package/src/runtime/auth/__tests__/middleware.test.ts +116 -1
package/src/runtime/auth/__tests__/route-policy.test.ts +8 -0
package/src/runtime/auth/middleware.ts +98 -0
package/src/runtime/auth/route-policy.ts +6 -7
package/src/runtime/capability-tokens.ts +414 -0
package/src/runtime/channel-approvals.ts +18 -5
package/src/runtime/chrome-extension-registry.ts +332 -0
package/src/runtime/confirmation-request-guardian-bridge.ts +6 -0
package/src/runtime/guardian-decision-types.ts +7 -0
package/src/runtime/http-server.ts +425 -70
package/src/runtime/migrations/__tests__/rebind-secrets-credentials.test.ts +172 -0
package/src/runtime/migrations/__tests__/vbundle-builder-credentials.test.ts +276 -0
package/src/runtime/migrations/__tests__/vbundle-import-credentials.test.ts +162 -0
package/src/runtime/migrations/migration-transport.ts +6 -0
package/src/runtime/migrations/migration-wizard.ts +22 -2
package/src/runtime/migrations/rebind-secrets-screen.ts +76 -15
package/src/runtime/migrations/vbundle-builder.ts +145 -38
package/src/runtime/migrations/vbundle-import-analyzer.ts +19 -0
package/src/runtime/migrations/vbundle-importer.ts +55 -5
package/src/runtime/pending-interactions.ts +29 -13
package/src/runtime/routes/approval-routes.ts +90 -16
package/src/runtime/routes/browser-cdp-routes.ts +229 -0
package/src/runtime/routes/browser-extension-pair-routes.ts +497 -0
package/src/runtime/routes/conversation-analysis-routes.ts +2 -1
package/src/runtime/routes/conversation-management-routes.ts +108 -0
package/src/runtime/routes/conversation-routes.ts +301 -27
package/src/runtime/routes/conversation-starter-routes.ts +78 -16
package/src/runtime/routes/guardian-action-routes.ts +24 -13
package/src/runtime/routes/host-browser-routes.ts +279 -0
package/src/runtime/routes/host-file-routes.ts +9 -1
package/src/runtime/routes/identity-routes.ts +259 -16
package/src/runtime/routes/log-export-routes.ts +42 -22
package/src/runtime/routes/memory-item-routes.ts +1 -7
package/src/runtime/routes/migration-routes.ts +87 -2
package/src/runtime/routes/oauth-apps.ts +15 -17
package/src/runtime/routes/oauth-providers.ts +4 -0
package/src/runtime/routes/schedule-routes.ts +24 -11
package/src/runtime/routes/settings-routes.ts +9 -97
package/src/runtime/routes/skills-routes.ts +52 -2
package/src/runtime/routes/subagents-routes.ts +14 -10
package/src/runtime/routes/usage-routes.ts +8 -7
package/src/runtime/routes/workspace-routes.test.ts +22 -0
package/src/runtime/routes/workspace-routes.ts +8 -1
package/src/runtime/routes/workspace-utils.ts +2 -0
package/src/schedule/scheduler.ts +7 -5
package/src/security/ces-credential-client.ts +20 -0
package/src/security/ces-rpc-credential-backend.ts +17 -0
package/src/security/credential-backend.ts +5 -0
package/src/security/oauth2.ts +42 -25
package/src/security/secure-keys.ts +118 -25
package/src/security/token-manager.ts +23 -10
package/src/skills/catalog-files.ts +492 -0
package/src/subagent/manager.ts +131 -26
package/src/subagent/types.ts +19 -0
package/src/tools/apps/executors.ts +11 -2
package/src/tools/browser/__tests__/auth-detector.test.ts +202 -108
package/src/tools/browser/auth-detector.ts +43 -12
package/src/tools/browser/browser-execution.ts +645 -340
package/src/tools/browser/browser-manager.ts +36 -12
package/src/tools/browser/cdp-client/__tests__/accessibility-snapshot.test.ts +318 -0
package/src/tools/browser/cdp-client/__tests__/cdp-dom-helpers.test.ts +1175 -0
package/src/tools/browser/cdp-client/__tests__/cdp-inspect-client.test.ts +870 -0
package/src/tools/browser/cdp-client/__tests__/extension-cdp-client.test.ts +330 -0
package/src/tools/browser/cdp-client/__tests__/factory.test.ts +377 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-nested-frames.json +64 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-simple.json +69 -0
package/src/tools/browser/cdp-client/__tests__/local-cdp-client.test.ts +310 -0
package/src/tools/browser/cdp-client/__tests__/types.test.ts +96 -0
package/src/tools/browser/cdp-client/accessibility-snapshot.ts +387 -0
package/src/tools/browser/cdp-client/cdp-dom-helpers.ts +695 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/discovery.test.ts +743 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/ws-transport.test.ts +580 -0
package/src/tools/browser/cdp-client/cdp-inspect/discovery.ts +578 -0
package/src/tools/browser/cdp-client/cdp-inspect/ws-transport.ts +579 -0
package/src/tools/browser/cdp-client/cdp-inspect-client.ts +635 -0
package/src/tools/browser/cdp-client/errors.ts +34 -0
package/src/tools/browser/cdp-client/extension-cdp-client.ts +125 -0
package/src/tools/browser/cdp-client/factory.ts +204 -0
package/src/tools/browser/cdp-client/index.ts +14 -0
package/src/tools/browser/cdp-client/local-cdp-client.ts +187 -0
package/src/tools/browser/cdp-client/types.ts +52 -0
package/src/tools/filesystem/edit.ts +1 -1
package/src/tools/filesystem/list.ts +1 -1
package/src/tools/filesystem/read.ts +1 -1
package/src/tools/filesystem/write.ts +2 -1
package/src/tools/host-filesystem/edit.ts +1 -1
package/src/tools/host-filesystem/read.ts +12 -15
package/src/tools/host-filesystem/write.ts +1 -1
package/src/tools/host-terminal/host-shell.ts +21 -16
package/src/tools/permission-checker.ts +77 -82
package/src/tools/registry.ts +0 -2
package/src/tools/secret-detection-handler.ts +34 -0
package/src/tools/shared/filesystem/image-read.ts +61 -40
package/src/tools/subagent/spawn.ts +47 -3
package/src/tools/subagent/status.ts +2 -0
package/src/tools/system/register.ts +2 -16
package/src/tools/terminal/safe-env.ts +7 -0
package/src/tools/terminal/shell.ts +21 -16
package/src/tools/tool-approval-handler.ts +48 -2
package/src/tools/types.ts +2 -0
package/src/util/platform.ts +14 -19
package/src/workspace/top-level-renderer.ts +19 -1
package/src/__tests__/chrome-cdp.test.ts +0 -419
package/src/__tests__/permission-mode-sse.test.ts +0 -418
package/src/__tests__/permission-mode-store.test.ts +0 -277
package/src/browser-extension-relay/protocol.ts +0 -63
package/src/browser-extension-relay/server.ts +0 -203
package/src/config/schemas/sandbox.ts +0 -14
package/src/permissions/permission-mode-store.ts +0 -180
package/src/tools/browser/chrome-cdp.ts +0 -239
package/src/tools/system/set-permission-mode.ts +0 -103

package/src/mcp/client.ts CHANGED Viewed

@@ -35,6 +35,12 @@ export class McpClient {
     | null = null;
   private connected = false;
   private oauthProvider: McpOAuthProvider | null = null;
+  private _lastError: Error | null = null;
+  /** The last connection error, if any. Null when connected or not yet attempted. */
+  get lastError(): Error | null {
+    return this._lastError;
+  }
   get isConnected(): boolean {
     return this.connected;
@@ -46,6 +52,16 @@ export class McpClient {
       name: "vellum-assistant",
       version: "1.0.0",
     });
+    // Prevent SDK-internal transport errors (e.g. SSE reconnection auth
+    // failures) from surfacing as unhandled rejections that crash the daemon
+    // via the global unhandledRejection → shutdown handler.
+    this.client.onerror = (error) => {
+      log.warn(
+        { serverId: this.serverId, err: error },
+        "MCP SDK transport error (non-fatal)",
+      );
+    };
   }
   async connect(transportConfig: McpTransport): Promise<void> {
@@ -102,34 +118,24 @@ export class McpClient {
       }
       this.transport = null;
-      if (isHttpTransport) {
-        const isAuthError =
-          err instanceof UnauthorizedError ||
-          (err instanceof Error &&
-            /\b(401|403|unauthorized|forbidden)\b/i.test(err.message)) ||
-          (err != null &&
-            typeof err === "object" &&
-            "code" in err &&
-            (err.code === 401 || err.code === 403));
-        if (isAuthError) {
-          // Auth-related — user can run `assistant mcp auth <name>` to authenticate.
-          log.info(
-            { serverId: this.serverId, err },
-            "MCP server requires authentication",
-          );
-          return;
-        }
-        // Non-auth error (DNS, TLS, timeout, etc.) — log and re-throw
-        log.error(
+      if (isHttpTransport && isAuthRelatedError(err)) {
+        // Auth-related — user can run `assistant mcp auth <name>` to authenticate.
+        log.info(
           { serverId: this.serverId, err },
-          "MCP server connection failed",
+          "MCP server requires authentication",
         );
-        throw err;
+        return;
       }
-      throw err;
+      // Non-auth error (DNS, TLS, timeout, etc.) — log but never propagate
+      // an MCP connection failure to the caller.  The daemon must keep
+      // running even when individual MCP servers are unreachable.
+      this._lastError = err instanceof Error ? err : new Error(String(err));
+      log.error(
+        { serverId: this.serverId, err },
+        "MCP server connection failed",
+      );
+      return;
     }
     this.connected = true;
@@ -258,3 +264,32 @@ export class McpClient {
     }
   }
 }
+/**
+ * Returns true when `err` looks like an authentication / authorization failure
+ * from the MCP SDK or the remote server.  Used to distinguish "needs auth"
+ * from genuine transport failures so we can log guidance instead of crashing.
+ */
+function isAuthRelatedError(err: unknown): boolean {
+  if (err instanceof UnauthorizedError) return true;
+  if (
+    err instanceof Error &&
+    /\b(401|403|unauthorized|forbidden|authorizationCode is required|prepareTokenRequest)\b/i.test(
+      err.message,
+    )
+  ) {
+    return true;
+  }
+  if (
+    err != null &&
+    typeof err === "object" &&
+    "code" in err &&
+    (err.code === 401 || err.code === 403)
+  ) {
+    return true;
+  }
+  return false;
+}

package/src/memory/app-store.ts CHANGED Viewed

@@ -64,6 +64,23 @@ export function isMultifileApp(app: AppDefinition): boolean {
   return app.formatVersion === 2;
 }
+/**
+ * Resolve the effective HTML for an app. For single-file apps this is
+ * `htmlDefinition` (the root index.html). For multifile apps it reads the
+ * compiled `dist/index.html` and inlines JS/CSS assets so the result is a
+ * self-contained HTML string suitable for `loadHTMLString`.
+ */
+export function resolveEffectiveAppHtml(app: AppDefinition): string {
+  if (!isMultifileApp(app)) return app.htmlDefinition;
+  const appDir = getAppDirPath(app.id);
+  const distIndex = join(appDir, "dist", "index.html");
+  if (existsSync(distIndex)) {
+    return inlineDistAssets(appDir, readFileSync(distIndex, "utf-8"));
+  }
+  return app.htmlDefinition;
+}
 /**
  * Inline dist assets (main.js, main.css) into the compiled HTML so it can be
  * delivered as a self-contained string via loadHTMLString/SSE without needing
@@ -75,7 +92,10 @@ export function inlineDistAssets(appDir: string, html: string): string {
   // Inline main.js
   const jsPath = join(distDir, "main.js");
   if (existsSync(jsPath)) {
-    const js = readFileSync(jsPath, "utf-8").replace(/<\/script>/g, "<\\/script>");
+    const js = readFileSync(jsPath, "utf-8").replace(
+      /<\/script>/g,
+      "<\\/script>",
+    );
     html = html.replace(
       /<script\s+type="module"\s+src="main\.js"\s*><\/script>/,
       () => `<script type="module">${js}</script>`,
@@ -818,6 +838,16 @@ export function listAppFiles(appId: string): string[] {
   return results.sort();
 }
+/**
+ * Check whether a file exists in the app directory.
+ * Path is validated to prevent traversal.
+ */
+export function appFileExists(appId: string, path: string): boolean {
+  validateId(appId);
+  const resolved = validateFilePath(appId, path);
+  return existsSync(resolved);
+}
 /**
  * Read a file from the app directory.
  * Path is validated to prevent traversal.

package/src/memory/conversation-crud.ts CHANGED Viewed

@@ -170,6 +170,7 @@ export interface ConversationRow {
   originInterface: string | null;
   forkParentConversationId: string | null;
   forkParentMessageId: string | null;
+  hostAccess: number;
   isAutoTitle: number;
   scheduleJobId: string | null;
   lastMessageAt: number | null;
@@ -196,6 +197,7 @@ export const parseConversation = createRowMapper<
   originInterface: "originInterface",
   forkParentConversationId: "forkParentConversationId",
   forkParentMessageId: "forkParentMessageId",
+  hostAccess: "hostAccess",
   isAutoTitle: "isAutoTitle",
   scheduleJobId: "scheduleJobId",
   lastMessageAt: "lastMessageAt",
@@ -245,6 +247,7 @@ export function createConversation(
         source?: string;
         scheduleJobId?: string;
         groupId?: string;
+        hostAccess?: boolean;
       },
 ) {
   const db = getDb();
@@ -276,6 +279,7 @@ export function createConversation(
     contextSummary: null as string | null,
     contextCompactedMessageCount: 0,
     contextCompactedAt: null as number | null,
+    hostAccess: opts.hostAccess ? 1 : 0,
     conversationType,
     source,
     memoryScopeId,
@@ -388,6 +392,11 @@ export function getConversationMemoryScopeId(conversationId: string): string {
   return conv?.memoryScopeId ?? "default";
 }
+export function getConversationHostAccess(conversationId: string): boolean {
+  const conv = getConversation(conversationId);
+  return conv?.hostAccess === 1;
+}
 /**
  * Fetch group_id for a conversation via raw SQL. group_id is NOT in the
  * Drizzle schema (raw-query-only pattern), so ConversationRow doesn't
@@ -1123,6 +1132,20 @@ export function updateConversationContextWindow(
     .run();
 }
+export function updateConversationHostAccess(
+  id: string,
+  hostAccess: boolean,
+): void {
+  const db = getDb();
+  db.update(conversations)
+    .set({
+      hostAccess: hostAccess ? 1 : 0,
+      updatedAt: Date.now(),
+    })
+    .where(eq(conversations.id, id))
+    .run();
+}
 /**
  * Delete all conversations, messages, and related data (tool invocations,
  * memory segments, etc.) from the daemon database.

package/src/memory/conversation-starters-cadence.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * Cadence logic for conversation starters generation.
+ *
+ * Decides whether a new generation job should be enqueued based on how many
+ * active memory items have accumulated since the last generation.
+ */
+import { and, eq, inArray, sql } from "drizzle-orm";
+import { getLogger } from "../util/logger.js";
+import { getDb } from "./db.js";
+import { enqueueMemoryJob } from "./jobs-store.js";
+import { rawGet } from "./raw-query.js";
+import { memoryCheckpoints, memoryJobs } from "./schema.js";
+const log = getLogger("conversation-starters-cadence");
+/**
+ * Check whether enough new memory items have accumulated to justify
+ * generating a fresh batch of conversation starters.
+ */
+export function maybeEnqueueConversationStartersJob(scopeId: string): void {
+  const db = getDb();
+  // Count total active memory items
+  const countRow = rawGet<{ c: number }>(
+    `SELECT COUNT(*) AS c FROM memory_graph_nodes WHERE fidelity != 'gone' AND scope_id = ?`,
+    scopeId,
+  );
+  const totalActive = countRow?.c ?? 0;
+  if (totalActive === 0) return;
+  // Read checkpoint: item count at last generation (scoped so each scope tracks independently)
+  const checkpointKey = `conversation_starters:item_count_at_last_gen:${scopeId}`;
+  const checkpoint = db
+    .select({ value: memoryCheckpoints.value })
+    .from(memoryCheckpoints)
+    .where(eq(memoryCheckpoints.key, checkpointKey))
+    .get();
+  const parsedLastCount = checkpoint ? parseInt(checkpoint.value, 10) : 0;
+  const lastCount = Number.isFinite(parsedLastCount) ? parsedLastCount : 0;
+  // Cadence formula
+  let threshold: number;
+  if (totalActive <= 10) {
+    threshold = 1;
+  } else if (totalActive <= 50) {
+    threshold = 5;
+  } else {
+    threshold = 10;
+  }
+  const checkpointAhead = totalActive < lastCount;
+  const delta = Math.max(0, totalActive - lastCount);
+  if (!checkpointAhead && delta < threshold) return;
+  // Dedup: don't enqueue if a pending/running job for this scope already exists
+  const existing = db
+    .select({ id: memoryJobs.id })
+    .from(memoryJobs)
+    .where(
+      and(
+        eq(memoryJobs.type, "generate_conversation_starters"),
+        inArray(memoryJobs.status, ["pending", "running"]),
+        sql`json_extract(${memoryJobs.payload}, '$.scopeId') = ${scopeId}`,
+      ),
+    )
+    .get();
+  if (existing) return;
+  enqueueMemoryJob("generate_conversation_starters", { scopeId });
+  log.info(
+    { totalActive, lastCount, delta, threshold, scopeId, checkpointAhead },
+    "Enqueued conversation starters generation job",
+  );
+}

package/src/memory/conversation-title-service.ts CHANGED Viewed

@@ -284,10 +284,13 @@ export function queueRegenerateConversationTitle(
  */
 function buildTitleSystemPrompt(): string {
   return [
-    "You generate short conversation titles. Output ONLY the title text — no explanation, no quotes, no markdown, no preamble.",
+    "You generate ultra-concise conversation titles. Output ONLY the title text — no explanation, no quotes, no markdown, no preamble.",
     "",
     "Rules:",
-    "- Summarize the TOPIC the user is asking about",
+    "- 2–6 words. Titles longer than 6 words are unacceptable — ruthlessly compress",
+    "- Summarize the TOPIC, not the request or instructions",
+    "- Noun phrases are ideal (e.g. 'Auth Middleware Rewrite', 'Docker Volume Mounts')",
+    "- Do NOT echo back what the user asked you to do",
     "- Do NOT respond to the conversation content",
     "- Do NOT assess feasibility or comment on capabilities",
   ].join("\n");

package/src/memory/db-init.ts CHANGED Viewed

@@ -58,6 +58,7 @@ import {
   migrateContactsRolePrincipal,
   migrateContactsUserFileColumn,
   migrateConversationForkLineage,
+  migrateConversationHostAccess,
   migrateConversationsLastMessageAt,
   migrateConversationsThreadTypeIndex,
   migrateCreateConversationGraphMemoryState,
@@ -110,9 +111,14 @@ import {
   migrateOAuthProvidersBehaviorColumns,
   migrateOAuthProvidersDisplayMetadata,
   migrateOAuthProvidersFeatureFlag,
+  migrateOAuthProvidersLogoUrl,
   migrateOAuthProvidersManagedServiceConfigKey,
   migrateOAuthProvidersPingConfig,
   migrateOAuthProvidersPingUrl,
+  migrateOAuthProvidersRefreshUrl,
+  migrateOAuthProvidersRevoke,
+  migrateOAuthProvidersScopeSeparator,
+  migrateOAuthProvidersTokenAuthMethodDefault,
   migrateReminderRoutingIntent,
   migrateRemindersToSchedules,
   migrateRenameConversationTypeColumn,
@@ -352,6 +358,12 @@ export function initializeDb(): void {
     migrateScheduleReuseConversation,
     migrateMemoryRecallLogsQueryContext,
     migrateLlmRequestLogsCreatedAtIndex,
+    migrateOAuthProvidersScopeSeparator,
+    migrateOAuthProvidersRefreshUrl,
+    migrateOAuthProvidersRevoke,
+    migrateOAuthProvidersTokenAuthMethodDefault,
+    migrateConversationHostAccess,
+    migrateOAuthProvidersLogoUrl,
   ];
   // Run each migration step, catching and logging individual failures so one

package/src/memory/embedding-backend.test.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import { afterEach, describe, expect, mock, test } from "bun:test";
+import type { AssistantConfig } from "../config/types.js";
+import {
+  clearEmbeddingBackendCache,
+  resetLocalEmbeddingFailureState,
+  selectEmbeddingBackend,
+} from "./embedding-backend.js";
+const LOCAL_CONFIG = {
+  memory: {
+    embeddings: {
+      provider: "local",
+      localModel: "BAAI/bge-small-en-v1.5",
+    },
+  },
+} as unknown as AssistantConfig;
+describe("embedding backend cache invalidation", () => {
+  afterEach(() => {
+    clearEmbeddingBackendCache();
+  });
+  test("clearEmbeddingBackendCache disposes cached backends before clearing", async () => {
+    const firstSelection = await selectEmbeddingBackend(LOCAL_CONFIG);
+    expect(firstSelection.backend).not.toBeNull();
+    const dispose = mock();
+    (firstSelection.backend as { dispose?: () => void }).dispose = dispose;
+    clearEmbeddingBackendCache();
+    expect(dispose).toHaveBeenCalledTimes(1);
+    const secondSelection = await selectEmbeddingBackend(LOCAL_CONFIG);
+    expect(secondSelection.backend).not.toBe(firstSelection.backend);
+  });
+  test("resetLocalEmbeddingFailureState preserves live cached backends", async () => {
+    const firstSelection = await selectEmbeddingBackend(LOCAL_CONFIG);
+    expect(firstSelection.backend).not.toBeNull();
+    const dispose = mock();
+    (firstSelection.backend as { dispose?: () => void }).dispose = dispose;
+    resetLocalEmbeddingFailureState();
+    expect(dispose).not.toHaveBeenCalled();
+    const secondSelection = await selectEmbeddingBackend(LOCAL_CONFIG);
+    expect(secondSelection.backend).toBe(firstSelection.backend);
+  });
+  test("resetLocalEmbeddingFailureState clears poisoned local backend retry state", async () => {
+    const firstSelection = await selectEmbeddingBackend(LOCAL_CONFIG);
+    expect(firstSelection.backend).not.toBeNull();
+    const poisonedInitPromise = Promise.reject(new Error("poisoned"));
+    poisonedInitPromise.catch(() => {});
+    const backend = firstSelection.backend as unknown as {
+      delegate: unknown;
+      initPromise: Promise<unknown> | null;
+    };
+    backend.delegate = null;
+    backend.initPromise = poisonedInitPromise;
+    resetLocalEmbeddingFailureState();
+    expect(backend.initPromise).toBeNull();
+    const secondSelection = await selectEmbeddingBackend(LOCAL_CONFIG);
+    expect(secondSelection.backend).toBe(firstSelection.backend);
+  });
+});

package/src/memory/embedding-backend.ts CHANGED Viewed

@@ -1,7 +1,10 @@
 import { createHash } from "node:crypto";
+import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import { getOllamaBaseUrlEnv } from "../config/env.js";
 import type { AssistantConfig } from "../config/types.js";
+import { MANAGED_PROVIDER_META } from "../providers/managed-proxy/constants.js";
+import { resolveManagedProxyContext } from "../providers/managed-proxy/context.js";
 import { getProviderKeyAsync } from "../security/secure-keys.js";
 import { getLogger } from "../util/logger.js";
 import { GeminiEmbeddingBackend } from "./embedding-gemini.js";
@@ -67,6 +70,16 @@ class LazyLocalEmbeddingBackend implements EmbeddingBackend {
     }
   }
+  dispose(): void {
+    this.delegate?.dispose?.();
+  }
+  resetForRetry(): void {
+    if (!this.delegate) {
+      this.initPromise = null;
+    }
+  }
   private async getDelegate(): Promise<EmbeddingBackend> {
     if (this.delegate) return this.delegate;
     if (!this.initPromise) {
@@ -176,12 +189,32 @@ function putInVectorCache(
 /** Clear cached embedding backends and the in-memory vector cache. */
 export function clearEmbeddingBackendCache(): void {
+  for (const backend of new Set(backendCache.values())) {
+    try {
+      backend.dispose?.();
+    } catch (err) {
+      log.warn(
+        { err, provider: backend.provider, model: backend.model },
+        "Failed to dispose embedding backend during cache clear",
+      );
+    }
+  }
   backendCache.clear();
   vectorCache.clear();
   vectorCacheBytes = 0;
   localBackendBroken = false;
 }
+/** Reset the sticky local-backend failure flag without evicting live backends. */
+export function resetLocalEmbeddingFailureState(): void {
+  localBackendBroken = false;
+  for (const backend of new Set(backendCache.values())) {
+    if (backend instanceof LazyLocalEmbeddingBackend) {
+      backend.resetForRetry();
+    }
+  }
+}
 function cacheKey(provider: string, model: string, extras?: string[]): string {
   if (extras && extras.length > 0) {
     return `${provider}:${model}:${extras.join(":")}`;
@@ -243,6 +276,7 @@ export interface EmbeddingBackend {
     inputs: EmbeddingInput[],
     options?: EmbeddingRequestOptions,
   ): Promise<number[][]>;
+  dispose?(): void;
 }
 export interface EmbeddingBackendSelection {
@@ -280,6 +314,44 @@ export async function selectEmbeddingBackend(
     };
   }
+  // When the managed-gemini-embeddings-enabled flag is on AND managed proxy
+  // prerequisites are satisfied, insert managed-proxy Gemini at the front of
+  // the auto chain so platform assistants use Vellum-managed Gemini embeddings.
+  if (
+    (requested === "auto" || requested === "gemini") &&
+    isAssistantFeatureFlagEnabled("managed-gemini-embeddings-enabled", config)
+  ) {
+    const proxyCtx = await resolveManagedProxyContext();
+    if (proxyCtx.enabled) {
+      const meta = MANAGED_PROVIDER_META["gemini"];
+      if (meta?.managed && meta.proxyPath) {
+        const managedBaseUrl = `${proxyCtx.platformBaseUrl}${meta.proxyPath}`;
+        const managedModel = config.memory.embeddings.geminiModel;
+        const managedDimensions =
+          config.memory.embeddings.geminiDimensions ?? 3072;
+        const extras = geminiCacheExtras(config);
+        return {
+          backend: getCachedOrCreate(
+            "gemini",
+            managedModel,
+            () =>
+              new GeminiEmbeddingBackend(
+                proxyCtx.assistantApiKey,
+                managedModel,
+                {
+                  taskType: config.memory.embeddings.geminiTaskType,
+                  dimensions: managedDimensions,
+                  managedBaseUrl,
+                },
+              ),
+            [...extras, "managed"],
+          ),
+          reason: null,
+        };
+      }
+    }
+  }
   // Auto order: local → openai → gemini → ollama
   const order: EmbeddingProviderName[] =
     requested === "auto"
@@ -329,11 +401,18 @@ export async function selectEmbeddingBackend(
       case "gemini": {
         const geminiKey = await getProviderKeyAsync("gemini");
         if (!geminiKey) {
-          const cached = getCached(
-            "gemini",
-            config.memory.embeddings.geminiModel,
-            geminiCacheExtras(config),
-          );
+          // Check managed cache variant first so a warm managed backend
+          // survives transient proxy-context blips, then non-managed.
+          const cached =
+            getCached("gemini", config.memory.embeddings.geminiModel, [
+              ...geminiCacheExtras(config),
+              "managed",
+            ]) ??
+            getCached(
+              "gemini",
+              config.memory.embeddings.geminiModel,
+              geminiCacheExtras(config),
+            );
           if (cached) return { backend: cached, reason: null };
           continue;
         }
@@ -614,6 +693,53 @@ async function selectFallbackBackends(
               geminiCacheExtras(config),
             ),
           );
+        } else if (
+          isAssistantFeatureFlagEnabled(
+            "managed-gemini-embeddings-enabled",
+            config,
+          )
+        ) {
+          // Try managed proxy Gemini as fallback when no direct key exists.
+          const proxyCtx = await resolveManagedProxyContext();
+          const meta = MANAGED_PROVIDER_META["gemini"];
+          if (proxyCtx.enabled && meta?.managed && meta.proxyPath) {
+            const managedBaseUrl = `${proxyCtx.platformBaseUrl}${meta.proxyPath}`;
+            const managedModel = config.memory.embeddings.geminiModel;
+            const managedDimensions =
+              config.memory.embeddings.geminiDimensions ?? 3072;
+            const extras = geminiCacheExtras(config);
+            backends.push(
+              getCachedOrCreate(
+                "gemini",
+                managedModel,
+                () =>
+                  new GeminiEmbeddingBackend(
+                    proxyCtx.assistantApiKey,
+                    managedModel,
+                    {
+                      taskType: config.memory.embeddings.geminiTaskType,
+                      dimensions: managedDimensions,
+                      managedBaseUrl,
+                    },
+                  ),
+                [...extras, "managed"],
+              ),
+            );
+          } else {
+            // Check managed cache variant first, then non-managed, so a warm
+            // managed backend survives transient proxy-context blips.
+            const cached =
+              getCached("gemini", config.memory.embeddings.geminiModel, [
+                ...geminiCacheExtras(config),
+                "managed",
+              ]) ??
+              getCached(
+                "gemini",
+                config.memory.embeddings.geminiModel,
+                geminiCacheExtras(config),
+              );
+            if (cached) backends.push(cached);
+          }
         } else {
           // Preserve cached backend on transient credential-store failures.
           const cached = getCached(

package/src/memory/embedding-gemini.test.ts CHANGED Viewed

@@ -253,4 +253,58 @@ describe("GeminiEmbeddingBackend", () => {
       expect(result[1]).toEqual([0.2, 0.4]);
     });
   });
+  describe("managed proxy transport", () => {
+    test("routes through managed proxy base URL when managedBaseUrl is set", async () => {
+      const backend = new GeminiEmbeddingBackend(
+        "ast-managed-key",
+        "gemini-embedding-2-preview",
+        {
+          managedBaseUrl:
+            "https://platform.example.com/v1/runtime-proxy/gemini",
+        },
+      );
+      await backend.embed(["hello"]);
+      expect(mockFetch).toHaveBeenCalledTimes(1);
+      const [url, init] = mockFetch.mock.calls[0] as [string, RequestInit];
+      expect(url).toBe(
+        "https://platform.example.com/v1/runtime-proxy/gemini/v1beta/models/gemini-embedding-2-preview:embedContent",
+      );
+      // Should NOT have key= query param
+      expect(url).not.toContain("key=");
+      // Should have Bearer auth header
+      const headers = init.headers as Record<string, string>;
+      expect(headers["Authorization"]).toBe("Bearer ast-managed-key");
+    });
+    test("uses direct Google API URL when managedBaseUrl is not set", async () => {
+      const backend = new GeminiEmbeddingBackend("direct-key", "test-model");
+      await backend.embed(["hello"]);
+      const [url, init] = mockFetch.mock.calls[0] as [string, RequestInit];
+      expect(url).toContain("generativelanguage.googleapis.com");
+      expect(url).toContain("key=direct-key");
+      // Should NOT have Authorization header
+      const headers = init.headers as Record<string, string>;
+      expect(headers["Authorization"]).toBeUndefined();
+    });
+    test("includes outputDimensionality with managed proxy", async () => {
+      const backend = new GeminiEmbeddingBackend(
+        "ast-managed-key",
+        "gemini-embedding-2-preview",
+        {
+          managedBaseUrl:
+            "https://platform.example.com/v1/runtime-proxy/gemini",
+          dimensions: 3072,
+        },
+      );
+      await backend.embed(["hello"]);
+      const [, init] = mockFetch.mock.calls[0] as [string, RequestInit];
+      const body = JSON.parse(init.body as string);
+      expect(body.outputDimensionality).toBe(3072);
+    });
+  });
 });