@vellumai/assistant 0.6.2 → 0.6.3

package/src/memory/graph/store.ts

@@ -2,10 +2,11 @@
 // Memory Graph — Data access layer
 // ---------------------------------------------------------------------------
 
-import { and, desc, eq, inArray, sql } from "drizzle-orm";
+import { and, desc, eq, inArray, or, sql } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
 import { getDb } from "../db.js";
+import { enqueueMemoryJob } from "../jobs-store.js";
 import {
   memoryGraphEdges,
   memoryGraphNodeEdits,
@@ -270,7 +271,14 @@ export function updateNode(
 
 export function deleteNode(id: string): void {
   const db = getDb();
-  db.delete(memoryGraphNodes).where(eq(memoryGraphNodes.id, id)).run();
+  db.update(memoryGraphNodes)
+    .set({ fidelity: "gone", lastAccessed: Date.now() })
+    .where(eq(memoryGraphNodes.id, id))
+    .run();
+  enqueueMemoryJob("delete_qdrant_vectors", {
+    targetType: "graph_node",
+    targetId: id,
+  });
 }
 
 // ---------------------------------------------------------------------------
@@ -343,7 +351,7 @@ export function queryNodes(filters: NodeQueryFilters): MemoryNode[] {
     .where(conditions.length > 0 ? and(...conditions) : undefined)
     .orderBy(sql`${memoryGraphNodes.significance} DESC`);
 
-  if (filters.limit) {
+  if (filters.limit != null) {
     query = query.limit(filters.limit) as typeof query;
   }
 
@@ -396,12 +404,19 @@ export function getEdgesForNode(
   direction?: "incoming" | "outgoing",
 ): MemoryEdge[] {
   const db = getDb();
-  const condition =
+  const dirCondition =
     direction === "outgoing"
       ? eq(memoryGraphEdges.sourceNodeId, nodeId)
       : direction === "incoming"
         ? eq(memoryGraphEdges.targetNodeId, nodeId)
-        : sql`${memoryGraphEdges.sourceNodeId} = ${nodeId} OR ${memoryGraphEdges.targetNodeId} = ${nodeId}`;
+        : or(eq(memoryGraphEdges.sourceNodeId, nodeId), eq(memoryGraphEdges.targetNodeId, nodeId));
+
+  // Exclude edges where either endpoint has fidelity='gone' (soft-deleted)
+  const condition = and(
+    dirCondition,
+    sql`NOT EXISTS (SELECT 1 FROM ${memoryGraphNodes} WHERE ${memoryGraphNodes.id} = ${memoryGraphEdges.sourceNodeId} AND ${memoryGraphNodes.fidelity} = 'gone')`,
+    sql`NOT EXISTS (SELECT 1 FROM ${memoryGraphNodes} WHERE ${memoryGraphNodes.id} = ${memoryGraphEdges.targetNodeId} AND ${memoryGraphNodes.fidelity} = 'gone')`,
+  );
 
   return db
     .select()
@@ -512,12 +527,23 @@ export function getActiveTriggersByType(
     return rows.map((r) => rowToTrigger(r.trigger));
   }
 
-  return db
-    .select()
+  const rows = db
+    .select({
+      trigger: memoryGraphTriggers,
+    })
     .from(memoryGraphTriggers)
-    .where(and(...conditions))
-    .all()
-    .map(rowToTrigger);
+    .innerJoin(
+      memoryGraphNodes,
+      eq(memoryGraphTriggers.nodeId, memoryGraphNodes.id),
+    )
+    .where(
+      and(
+        ...conditions,
+        sql`${memoryGraphNodes.fidelity} != 'gone'`,
+      ),
+    )
+    .all();
+  return rows.map((r) => rowToTrigger(r.trigger));
 }
 
 // ---------------------------------------------------------------------------
@@ -614,9 +640,18 @@ export function applyDiff(
   };
 
   db.transaction((tx) => {
-    // Delete nodes first (cascades edges + triggers)
+    // Soft-delete nodes (set fidelity='gone' and enqueue Qdrant cleanup)
     for (const id of diff.deleteNodeIds) {
-      tx.delete(memoryGraphNodes).where(eq(memoryGraphNodes.id, id)).run();
+      tx.update(memoryGraphNodes)
+        .set({ fidelity: "gone", lastAccessed: Date.now() })
+        .where(eq(memoryGraphNodes.id, id))
+        .run();
+      enqueueMemoryJob(
+        "delete_qdrant_vectors",
+        { targetType: "graph_node", targetId: id },
+        Date.now(),
+        tx,
+      );
       result.nodesDeleted++;
     }
 

package/src/memory/llm-usage-store.ts

@@ -301,7 +301,7 @@ export function getUsageHourBuckets(range: UsageTimeRange): UsageDayBucket[] {
   }));
 }
 
-type GroupByDimension = "actor" | "provider" | "model";
+type GroupByDimension = "actor" | "provider" | "model" | "conversation";
 
 /**
  * Return grouped breakdowns across the given time range, ordered by total
@@ -312,10 +312,51 @@ export function getUsageGroupBreakdown(
   groupBy: GroupByDimension,
 ): UsageGroupBreakdown[] {
   // Runtime allowlist — defense-in-depth against SQL injection via type assertions.
-  const ALLOWED_COLUMNS = new Set<string>(["actor", "provider", "model"]);
-  if (!ALLOWED_COLUMNS.has(groupBy)) {
-    throw new Error(`Invalid groupBy column: ${groupBy}`);
+  const ALLOWED_DIMENSIONS = new Set<string>([
+    "actor",
+    "provider",
+    "model",
+    "conversation",
+  ]);
+  if (!ALLOWED_DIMENSIONS.has(groupBy)) {
+    throw new Error(`Invalid groupBy dimension: ${groupBy}`);
   }
+
+  // Conversation grouping requires a JOIN with conversations to resolve titles.
+  if (groupBy === "conversation") {
+    const rows = rawAll<GroupRow>(
+      /*sql*/ `
+      SELECT
+        CASE WHEN e.conversation_id IS NULL THEN 'Other'
+             ELSE COALESCE(c.title, 'Untitled')
+        END AS group_key,
+        COALESCE(SUM(e.input_tokens), 0)                 AS total_input_tokens,
+        COALESCE(SUM(e.output_tokens), 0)                AS total_output_tokens,
+        COALESCE(SUM(e.cache_creation_input_tokens), 0)  AS total_cache_creation_tokens,
+        COALESCE(SUM(e.cache_read_input_tokens), 0)      AS total_cache_read_tokens,
+        COALESCE(SUM(e.estimated_cost_usd), 0)           AS total_estimated_cost_usd,
+        COALESCE(SUM(COALESCE(e.llm_call_count, 1)), 0)  AS event_count
+      FROM llm_usage_events e
+      LEFT JOIN conversations c ON e.conversation_id = c.id
+      WHERE e.created_at >= ?1 AND e.created_at <= ?2
+      GROUP BY e.conversation_id
+      ORDER BY total_estimated_cost_usd DESC
+      LIMIT 50
+      `,
+      range.from,
+      range.to,
+    );
+    return rows.map((r) => ({
+      group: r.group_key,
+      totalInputTokens: r.total_input_tokens,
+      totalOutputTokens: r.total_output_tokens,
+      totalCacheCreationTokens: r.total_cache_creation_tokens,
+      totalCacheReadTokens: r.total_cache_read_tokens,
+      totalEstimatedCostUsd: r.total_estimated_cost_usd ?? 0,
+      eventCount: r.event_count,
+    }));
+  }
+
   const column = groupBy;
   const rows = rawAll<GroupRow>(
     /*sql*/ `

package/src/memory/migrations/213-oauth-providers-scope-separator.ts

@@ -0,0 +1,13 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+
+export function migrateOAuthProvidersScopeSeparator(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+  try {
+    raw.exec(
+      `ALTER TABLE oauth_providers ADD COLUMN scope_separator TEXT NOT NULL DEFAULT ' '`,
+    );
+  } catch {
+    // Column already exists — nothing to do.
+  }
+}

package/src/memory/migrations/214-oauth-providers-refresh-url.ts

@@ -0,0 +1,11 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+
+export function migrateOAuthProvidersRefreshUrl(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+  try {
+    raw.exec(`ALTER TABLE oauth_providers ADD COLUMN refresh_url TEXT`);
+  } catch {
+    // Column already exists — nothing to do.
+  }
+}

package/src/memory/migrations/215-oauth-providers-revoke.ts

@@ -0,0 +1,14 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+
+export function migrateOAuthProvidersRevoke(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+  const columns = ["revoke_url TEXT", "revoke_body_template TEXT"];
+  for (const col of columns) {
+    try {
+      raw.exec(`ALTER TABLE oauth_providers ADD COLUMN ${col}`);
+    } catch {
+      // Column already exists — nothing to do.
+    }
+  }
+}

package/src/memory/migrations/216-oauth-providers-token-auth-method.ts

@@ -0,0 +1,30 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+
+/**
+ * Backfill `oauth_providers.token_endpoint_auth_method` for any rows where
+ * the value is NULL or empty string, setting them to the new default
+ * "client_secret_post". This brings existing rows in line with the
+ * Drizzle schema's new `.notNull().default("client_secret_post")`
+ * constraint, which is enforced at write time via the TypeScript layer.
+ *
+ * SQLite cannot retroactively add a NOT NULL constraint to an existing
+ * column without a full table rebuild, so the underlying column remains
+ * nullable at the SQLite level. All writes go through Drizzle, which
+ * applies the default for any insert that omits the field.
+ *
+ * The UPDATE is inherently idempotent and safe to re-run. Errors are
+ * allowed to propagate to the migration runner in `db-init.ts`, which
+ * records the failure, logs it, and continues to the next migration.
+ */
+export function migrateOAuthProvidersTokenAuthMethodDefault(
+  database: DrizzleDb,
+): void {
+  const raw = getSqliteFrom(database);
+  raw.exec(
+    `UPDATE oauth_providers
+     SET token_endpoint_auth_method = 'client_secret_post'
+     WHERE token_endpoint_auth_method IS NULL
+        OR token_endpoint_auth_method = ''`,
+  );
+}

package/src/memory/migrations/217-conversation-host-access.ts

@@ -0,0 +1,40 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+import { withCrashRecovery } from "./validate-migration-state.js";
+
+const CHECKPOINT_KEY = "migration_conversation_host_access_v1";
+
+/**
+ * Add conversation-scoped host access state with a safe default of disabled.
+ *
+ * Idempotent: ALTER TABLE is guarded and the backfill only touches NULL rows.
+ */
+export function migrateConversationHostAccess(database: DrizzleDb): void {
+  withCrashRecovery(database, CHECKPOINT_KEY, () => {
+    const raw = getSqliteFrom(database);
+
+    try {
+      raw.exec(
+        `ALTER TABLE conversations ADD COLUMN host_access INTEGER NOT NULL DEFAULT 0`,
+      );
+    } catch {
+      // Column already exists.
+    }
+
+    raw.exec(`
+      UPDATE conversations
+      SET host_access = 0
+      WHERE host_access IS NULL
+    `);
+  });
+}
+
+/**
+ * Reverse: no-op.
+ *
+ * The forward migration is additive and SQLite cannot drop one column without
+ * rebuilding the table.
+ */
+export function downConversationHostAccess(_database: DrizzleDb): void {
+  // Intentionally empty.
+}

package/src/memory/migrations/218-oauth-providers-logo-url.ts

@@ -0,0 +1,11 @@
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
+
+export function migrateOAuthProvidersLogoUrl(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+  try {
+    raw.exec(`ALTER TABLE oauth_providers ADD COLUMN logo_url TEXT`);
+  } catch {
+    // Column already exists — nothing to do.
+  }
+}

package/src/memory/migrations/index.ts

@@ -154,6 +154,12 @@ export { migrateStripThinkingFromConsolidated } from "./209-strip-thinking-from-
 export { migrateScheduleReuseConversation } from "./210-schedule-reuse-conversation.js";
 export { migrateMemoryRecallLogsQueryContext } from "./211-memory-recall-logs-query-context.js";
 export { migrateLlmRequestLogsCreatedAtIndex } from "./212-llm-request-logs-created-at-index.js";
+export { migrateOAuthProvidersScopeSeparator } from "./213-oauth-providers-scope-separator.js";
+export { migrateOAuthProvidersRefreshUrl } from "./214-oauth-providers-refresh-url.js";
+export { migrateOAuthProvidersRevoke } from "./215-oauth-providers-revoke.js";
+export { migrateOAuthProvidersTokenAuthMethodDefault } from "./216-oauth-providers-token-auth-method.js";
+export { migrateConversationHostAccess } from "./217-conversation-host-access.js";
+export { migrateOAuthProvidersLogoUrl } from "./218-oauth-providers-logo-url.js";
 export {
   MIGRATION_REGISTRY,
   type MigrationRegistryEntry,

package/src/memory/migrations/registry.ts

@@ -41,6 +41,7 @@ import { migrateAddSourceTypeColumnsDown } from "./193-add-source-type-columns.j
 import { migrateStripIntegrationPrefixFromProviderKeysDown } from "./196-strip-integration-prefix-from-provider-keys.js";
 import { migrateRenameMemoryGraphTypeValuesDown } from "./204-rename-memory-graph-type-values.js";
 import { migrateScrubCorruptedImageAttachmentsDown } from "./206-scrub-corrupted-image-attachments.js";
+import { downConversationHostAccess } from "./217-conversation-host-access.js";
 
 export interface MigrationRegistryEntry {
   /** The checkpoint key written to memory_checkpoints on completion. */
@@ -357,6 +358,13 @@ export const MIGRATION_REGISTRY: MigrationRegistryEntry[] = [
       "Remove image attachments containing HTML error pages instead of image data",
     down: migrateScrubCorruptedImageAttachmentsDown,
   },
+  {
+    key: "migration_conversation_host_access_v1",
+    version: 41,
+    description:
+      "Add a host_access column to conversations so computer access is persisted per conversation with a safe default of disabled",
+    down: downConversationHostAccess,
+  },
 ];
 
 export function getMaxMigrationVersion(): number {

package/src/memory/schema/conversations.ts

@@ -28,6 +28,7 @@ export const conversations = sqliteTable(
     originInterface: text("origin_interface"),
     forkParentConversationId: text("fork_parent_conversation_id"),
     forkParentMessageId: text("fork_parent_message_id"),
+    hostAccess: integer("host_access").notNull().default(0),
     isAutoTitle: integer("is_auto_title").notNull().default(1),
     scheduleJobId: text("schedule_job_id"),
     lastMessageAt: integer("last_message_at"),

package/src/memory/schema/oauth.ts

@@ -7,24 +7,31 @@ import {
 } from "drizzle-orm/sqlite-core";
 
 export const oauthProviders = sqliteTable("oauth_providers", {
-  providerKey: text("provider_key").primaryKey(),
-  authUrl: text("auth_url").notNull(),
-  tokenUrl: text("token_url").notNull(),
-  tokenEndpointAuthMethod: text("token_endpoint_auth_method"),
+  provider: text("provider_key").primaryKey(),
+  authorizeUrl: text("auth_url").notNull(),
+  tokenExchangeUrl: text("token_url").notNull(),
+  refreshUrl: text("refresh_url"),
+  tokenEndpointAuthMethod: text("token_endpoint_auth_method")
+    .notNull()
+    .default("client_secret_post"),
   userinfoUrl: text("userinfo_url"),
   baseUrl: text("base_url"),
   defaultScopes: text("default_scopes").notNull().default("[]"),
   scopePolicy: text("scope_policy").notNull().default("{}"),
-  extraParams: text("extra_params"),
+  scopeSeparator: text("scope_separator").notNull().default(" "),
+  authorizeParams: text("extra_params"),
   pingUrl: text("ping_url"),
   pingMethod: text("ping_method"),
   pingHeaders: text("ping_headers"),
   pingBody: text("ping_body"),
+  revokeUrl: text("revoke_url"),
+  revokeBodyTemplate: text("revoke_body_template"),
   managedServiceConfigKey: text("managed_service_config_key"),
-  displayName: text("display_name"),
+  displayLabel: text("display_name"),
   description: text("description"),
   dashboardUrl: text("dashboard_url"),
   clientIdPlaceholder: text("client_id_placeholder"),
+  logoUrl: text("logo_url"),
   requiresClientSecret: integer("requires_client_secret").notNull().default(1),
   loopbackPort: integer("loopback_port"),
   injectionTemplates: text("injection_templates"),
@@ -46,9 +53,9 @@ export const oauthApps = sqliteTable(
   "oauth_apps",
   {
     id: text("id").primaryKey(),
-    providerKey: text("provider_key")
+    provider: text("provider_key")
       .notNull()
-      .references(() => oauthProviders.providerKey),
+      .references(() => oauthProviders.provider),
     clientId: text("client_id").notNull(),
     clientSecretCredentialPath: text("client_secret_credential_path").notNull(),
     createdAt: integer("created_at").notNull(),
@@ -56,7 +63,7 @@ export const oauthApps = sqliteTable(
   },
   (table) => [
     uniqueIndex("idx_oauth_apps_provider_client").on(
-      table.providerKey,
+      table.provider,
       table.clientId,
     ),
   ],
@@ -69,7 +76,7 @@ export const oauthConnections = sqliteTable(
     oauthAppId: text("oauth_app_id")
       .notNull()
       .references(() => oauthApps.id),
-    providerKey: text("provider_key").notNull(),
+    provider: text("provider_key").notNull(),
     accountInfo: text("account_info"),
     grantedScopes: text("granted_scopes").notNull().default("[]"),
     expiresAt: integer("expires_at"),
@@ -80,7 +87,5 @@ export const oauthConnections = sqliteTable(
     createdAt: integer("created_at").notNull(),
     updatedAt: integer("updated_at").notNull(),
   },
-  (table) => [
-    index("idx_oauth_connections_provider_key").on(table.providerKey),
-  ],
+  (table) => [index("idx_oauth_connections_provider_key").on(table.provider)],
 );

package/src/oauth/AGENTS.md

@@ -0,0 +1,76 @@
+# OAuth — Agent Instructions
+
+## Adding a New First-Class Provider
+
+When introducing a new built-in OAuth integration (one that appears in `seed-providers.ts`), touch each of the following areas. Items marked _(managed only)_ apply only when the provider supports platform-provided credentials.
+
+### 1. Seed the provider — `seed-providers.ts`
+
+Add an entry to `PROVIDER_SEED_DATA`. Required fields: `provider`, `authorizeUrl`, `tokenExchangeUrl`, `defaultScopes`, `scopePolicy`, `displayLabel`, `description`, `dashboardUrl`, `clientIdPlaceholder`, `logoUrl`, and `injectionTemplates`. See existing entries for the full shape. The `provider` key must be snake_case and is used as the canonical identifier everywhere else.
+
+If the provider will support managed mode, set `managedServiceConfigKey` to a slug matching the key you will add to `ServicesSchema` (e.g. `"acme-oauth"`).
+
+### 2. _(managed only)_ Add a service schema — `../config/schemas/services.ts`
+
+Create a schema and export its type:
+
+```ts
+export const AcmeOAuthServiceSchema = BaseServiceSchema.extend({
+  mode: ServiceModeSchema.default("your-own"),
+});
+export type AcmeOAuthService = z.infer<typeof AcmeOAuthServiceSchema>;
+```
+
+Then add the key to `ServicesSchema`:
+
+```ts
+"acme-oauth": AcmeOAuthServiceSchema.default(AcmeOAuthServiceSchema.parse({})),
+```
+
+The key here **must** match the `managedServiceConfigKey` in `seed-providers.ts`. The cross-repo invariant test in `__tests__/seed-providers-managed.test.ts` will fail if they drift.
+
+### 3. _(managed only)_ Enable by default during onboarding — `clients/macos/.../HatchingStepView.swift`
+
+In `buildOnboardingConfigValues()`, add a line so managed-sign-in users get the integration pre-enabled:
+
+```swift
+configValues["services.acme-oauth.mode"] = "managed"
+```
+
+### 4. Add a cached logo — `clients/shared/Resources/IntegrationLogos/`
+
+Drop a **vector PDF** named `{provider_key}.pdf` (e.g. `acme.pdf`) into the `IntegrationLogos/` directory. The file is automatically bundled via `.copy()` in `clients/Package.swift` and looked up at runtime by `IntegrationLogoBundle` using the provider key — no code changes needed.
+
+Most existing logos come from [Simple Icons](https://simpleicons.org) (CC0-licensed). To get a PDF from Simple Icons:
+
+1. Find the icon slug on https://simpleicons.org (e.g. `slack`, `linear`).
+2. Download the SVG: `curl -o acme.svg https://raw.githubusercontent.com/simple-icons/simple-icons/develop/icons/acme.svg`
+3. Convert to PDF using `rsvg-convert` (same tool used by `clients/scripts/sync-lucide-icons.sh`):
+   ```bash
+   # Install if needed: brew install librsvg
+   rsvg-convert -f pdf -o clients/shared/Resources/IntegrationLogos/acme.pdf acme.svg
+   ```
+4. Add the provider key to `clients/shared/Resources/integration-logos-manifest.json`.
+
+If the service is not on Simple Icons, source or create an SVG and convert it the same way. The result must be a true vector PDF (not a rasterized image wrapped in PDF) so it scales cleanly.
+
+The `logoUrl` field in `seed-providers.ts` still serves as the remote fallback (typically a Simple Icons CDN URL like `https://cdn.simpleicons.org/acme`). The client renders the local PDF first, then falls back to `logoUrl`, then to an initials avatar.
+
+### 5. Secret patterns (if applicable) — `../security/secret-patterns.ts`
+
+If the provider issues API keys with a recognizable prefix (e.g. `acme_sk_`), add a `PREFIX_PATTERNS` entry. OAuth-only services with opaque access tokens do not need one. See `../security/AGENTS.md` for details.
+
+### 6. Feature-flag gating (optional) — `seed-providers.ts`
+
+Set `featureFlag: "acme-oauth"` in the seed entry and register the flag in `meta/feature-flags/feature-flag-registry.json` to hide the provider until the flag is enabled. Omit `featureFlag` to make the provider visible immediately.
+
+### What you do NOT need to change
+
+The following are wired automatically once `PROVIDER_SEED_DATA` has an entry:
+
+- **Connection resolver** (`connection-resolver.ts`) — routes managed vs. BYO based on config.
+- **CLI commands** (`../cli/commands/oauth/`) — `providers list`, `providers get`, `connect`, `disconnect`, etc.
+- **Runtime API** (`../runtime/routes/oauth-providers.ts`) — `GET /v1/oauth/providers` and related endpoints.
+- **Gateway proxy** (`gateway/src/http/routes/oauth-providers-proxy.ts`) — forwards to the runtime.
+- **OAuth store** (`oauth-store.ts`) — seeding uses upsert; schema already supports arbitrary providers.
+- **Provider serialization** (`provider-serializer.ts`) — generic over all providers.

package/src/oauth/__tests__/identity-verifier.test.ts

@@ -24,29 +24,34 @@ afterEach(() => {
 // ---------------------------------------------------------------------------
 
 function makeProviderRow(
-  overrides: Partial<OAuthProviderRow> & { providerKey: string },
+  overrides: Partial<OAuthProviderRow> & { provider: string },
 ): OAuthProviderRow {
   const now = Date.now();
-  const { providerKey, ...rest } = overrides;
+  const { provider, ...rest } = overrides;
   return {
-    providerKey,
-    authUrl: "https://example.com/auth",
-    tokenUrl: "https://example.com/token",
-    tokenEndpointAuthMethod: null,
+    provider,
+    authorizeUrl: "https://example.com/auth",
+    tokenExchangeUrl: "https://example.com/token",
+    refreshUrl: null,
+    tokenEndpointAuthMethod: "client_secret_post",
     userinfoUrl: null,
     baseUrl: null,
     defaultScopes: "[]",
     scopePolicy: "{}",
-    extraParams: null,
+    scopeSeparator: " ",
+    authorizeParams: null,
     pingUrl: null,
     pingMethod: null,
     pingHeaders: null,
     pingBody: null,
+    revokeUrl: null,
+    revokeBodyTemplate: null,
     managedServiceConfigKey: null,
-    displayName: null,
+    displayLabel: null,
     description: null,
     dashboardUrl: null,
     clientIdPlaceholder: null,
+    logoUrl: null,
     requiresClientSecret: 1,
     loopbackPort: null,
     injectionTemplates: null,
@@ -82,7 +87,7 @@ describe("verifyIdentity", () => {
   // Missing identity URL
   // -----------------------------------------------------------------------
   test("returns undefined when identityUrl is null", async () => {
-    const row = makeProviderRow({ providerKey: "custom" });
+    const row = makeProviderRow({ provider: "custom" });
     const result = await verifyIdentity(row, "token-abc");
     expect(result).toBeUndefined();
     expect(mockFetch).not.toHaveBeenCalled();
@@ -93,7 +98,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Google pattern", () => {
     const googleRow = makeProviderRow({
-      providerKey: "google",
+      provider: "google",
       identityUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
       identityResponsePaths: JSON.stringify(["email"]),
     });
@@ -127,7 +132,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Slack pattern", () => {
     const slackRow = makeProviderRow({
-      providerKey: "slack",
+      provider: "slack",
       identityUrl: "https://slack.com/api/auth.test",
       identityOkField: "ok",
       identityResponsePaths: JSON.stringify(["user", "team"]),
@@ -176,7 +181,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("HubSpot pattern", () => {
     const hubspotRow = makeProviderRow({
-      providerKey: "hubspot",
+      provider: "hubspot",
       identityUrl:
         "https://api.hubapi.com/oauth/v1/access-tokens/${accessToken}",
       identityResponsePaths: JSON.stringify(["user", "hub_domain"]),
@@ -219,7 +224,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Linear pattern", () => {
     const linearRow = makeProviderRow({
-      providerKey: "linear",
+      provider: "linear",
       identityUrl: "https://api.linear.app/graphql",
       identityMethod: "POST",
       identityHeaders: JSON.stringify({ "Content-Type": "application/json" }),
@@ -272,7 +277,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Todoist pattern", () => {
     const todoistRow = makeProviderRow({
-      providerKey: "todoist",
+      provider: "todoist",
       identityUrl: "https://api.todoist.com/sync/v9/sync",
       identityMethod: "POST",
       identityHeaders: JSON.stringify({
@@ -317,7 +322,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Twitter pattern", () => {
     const twitterRow = makeProviderRow({
-      providerKey: "twitter",
+      provider: "twitter",
       identityUrl: "https://api.x.com/2/users/me",
       identityResponsePaths: JSON.stringify(["data.username"]),
       identityFormat: "@${data.username}",
@@ -338,7 +343,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("GitHub pattern", () => {
     const githubRow = makeProviderRow({
-      providerKey: "github",
+      provider: "github",
       identityUrl: "https://api.github.com/user",
       identityResponsePaths: JSON.stringify(["login"]),
       identityFormat: "@${login}",
@@ -357,7 +362,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Notion pattern", () => {
     const notionRow = makeProviderRow({
-      providerKey: "notion",
+      provider: "notion",
       identityUrl: "https://api.notion.com/v1/users/me",
       identityHeaders: JSON.stringify({ "Notion-Version": "2022-06-28" }),
       identityResponsePaths: JSON.stringify(["name", "person.email"]),
@@ -392,7 +397,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("error handling", () => {
     const googleRow = makeProviderRow({
-      providerKey: "google",
+      provider: "google",
       identityUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
       identityResponsePaths: JSON.stringify(["email"]),
     });
@@ -431,7 +436,7 @@ describe("verifyIdentity", () => {
   // -----------------------------------------------------------------------
   describe("Dropbox pattern", () => {
     const dropboxRow = makeProviderRow({
-      providerKey: "dropbox",
+      provider: "dropbox",
       identityUrl: "https://api.dropboxapi.com/2/users/get_current_account",
       identityMethod: "POST",
       identityResponsePaths: JSON.stringify(["name.display_name", "email"]),