npm - @vellumai/assistant - Versions diffs - 0.6.2 → 0.6.3 - Mend

@vellumai/assistant 0.6.2 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/bun.lock +40 -40
package/bunfig.toml +3 -0
package/docs/architecture/memory.md +1 -1
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +42 -0
package/openapi.yaml +184 -69
package/package.json +41 -41
package/scripts/generate-openapi.ts +1 -2
package/src/__tests__/acp-session.test.ts +43 -0
package/src/__tests__/app-builder-tool-scripts.test.ts +1 -0
package/src/__tests__/app-executors.test.ts +1 -0
package/src/__tests__/app-source-watcher.test.ts +37 -11
package/src/__tests__/approval-routes-http.test.ts +178 -1
package/src/__tests__/browser-fill-credential.test.ts +229 -94
package/src/__tests__/browser-manager.test.ts +40 -27
package/src/__tests__/catalog-files.test.ts +862 -0
package/src/__tests__/channel-approvals.test.ts +53 -0
package/src/__tests__/config-managed-gemini-defaults.test.ts +326 -0
package/src/__tests__/config-schema-cmd.test.ts +2 -2
package/src/__tests__/config-schema.test.ts +125 -48
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +23 -0
package/src/__tests__/context-overflow-approval.test.ts +16 -1
package/src/__tests__/conversation-agent-loop-overflow.test.ts +1 -1
package/src/__tests__/conversation-agent-loop.test.ts +1 -1
package/src/__tests__/conversation-analysis-routes.test.ts +2 -2
package/src/__tests__/conversation-attachments.test.ts +80 -4
package/src/__tests__/conversation-confirmation-signals.test.ts +155 -0
package/src/__tests__/conversation-fork-crud.test.ts +17 -0
package/src/__tests__/conversation-history-web-search.test.ts +1 -0
package/src/__tests__/conversation-host-access-routes.test.ts +229 -0
package/src/__tests__/conversation-inject-context.test.ts +103 -0
package/src/__tests__/conversation-queue.test.ts +45 -2
package/src/__tests__/conversation-routes-disk-view.test.ts +5 -0
package/src/__tests__/conversation-routes-guardian-reply.test.ts +16 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/conversation-runtime-assembly.test.ts +269 -46
package/src/__tests__/conversation-starter-routes.test.ts +126 -0
package/src/__tests__/conversation-starters-cadence.test.ts +161 -0
package/src/__tests__/conversation-store.test.ts +195 -0
package/src/__tests__/conversation-workspace-cache-state.test.ts +193 -0
package/src/__tests__/credential-execution-approval-bridge.test.ts +32 -1
package/src/__tests__/credential-security-invariants.test.ts +1 -0
package/src/__tests__/credential-vault-unit.test.ts +4 -4
package/src/__tests__/credential-vault.test.ts +152 -13
package/src/__tests__/credentials-cli.test.ts +2 -2
package/src/__tests__/date-context.test.ts +4 -4
package/src/__tests__/embedding-managed-proxy-selection.test.ts +256 -0
package/src/__tests__/extension-id-sync-guard.test.ts +155 -0
package/src/__tests__/fixtures/mock-chrome-extension.ts +375 -0
package/src/__tests__/gateway-only-guard.test.ts +3 -0
package/src/__tests__/gemini-provider.test.ts +2 -2
package/src/__tests__/guardian-routing-invariants.test.ts +70 -2
package/src/__tests__/headless-browser-interactions.test.ts +707 -371
package/src/__tests__/headless-browser-navigate.test.ts +389 -47
package/src/__tests__/headless-browser-read-tools.test.ts +266 -103
package/src/__tests__/headless-browser-snapshot.test.ts +240 -77
package/src/__tests__/host-bash-proxy.test.ts +150 -1
package/src/__tests__/host-browser-e2e-cloud.test.ts +462 -0
package/src/__tests__/host-browser-e2e-self-hosted-capability.test.ts +286 -0
package/src/__tests__/host-browser-e2e-self-hosted.test.ts +374 -0
package/src/__tests__/host-browser-event-routes.test.ts +350 -0
package/src/__tests__/host-browser-proxy.test.ts +444 -0
package/src/__tests__/host-browser-routes.test.ts +198 -0
package/src/__tests__/host-browser-ws-events-e2e.test.ts +320 -0
package/src/__tests__/host-cu-proxy.test.ts +171 -1
package/src/__tests__/host-file-proxy.test.ts +185 -1
package/src/__tests__/host-file-read-tool.test.ts +52 -0
package/src/__tests__/host-proxy-interface.test.ts +165 -0
package/src/__tests__/host-shell-tool.test.ts +1 -11
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/integration-status.test.ts +6 -7
package/src/__tests__/list-messages-tool-merge.test.ts +37 -12
package/src/__tests__/mcp-client-auth.test.ts +40 -4
package/src/__tests__/mcp-health-check.test.ts +10 -3
package/src/__tests__/migration-cross-version-compatibility.test.ts +3 -1
package/src/__tests__/migration-export-http.test.ts +61 -2
package/src/__tests__/migration-export-streaming.test.ts +66 -0
package/src/__tests__/migration-import-commit-http.test.ts +101 -1
package/src/__tests__/native-host-marker-sync-guard.test.ts +157 -0
package/src/__tests__/oauth-apps-routes.test.ts +17 -12
package/src/__tests__/oauth-cli.test.ts +707 -60
package/src/__tests__/oauth-connect-orchestrator.test.ts +116 -24
package/src/__tests__/oauth-provider-seed-logos.test.ts +23 -0
package/src/__tests__/oauth-provider-serializer.test.ts +146 -10
package/src/__tests__/oauth-provider-visibility.test.ts +19 -21
package/src/__tests__/oauth-providers-routes.test.ts +50 -14
package/src/__tests__/oauth-store.test.ts +1386 -182
package/src/__tests__/oauth2-gateway-transport.test.ts +211 -20
package/src/__tests__/onboarding-template-contract.test.ts +75 -57
package/src/__tests__/openai-provider.test.ts +2 -2
package/src/__tests__/outlook-categories.test.ts +1 -1
package/src/__tests__/outlook-client-automation.test.ts +1 -1
package/src/__tests__/outlook-compose-tools.test.ts +1 -1
package/src/__tests__/outlook-email-watcher.test.ts +1 -1
package/src/__tests__/outlook-follow-up.test.ts +1 -1
package/src/__tests__/outlook-messaging-provider.test.ts +2 -2
package/src/__tests__/outlook-trash.test.ts +1 -1
package/src/__tests__/outlook-unsubscribe.test.ts +1 -1
package/src/__tests__/permission-checker-host-gate.test.ts +74 -14
package/src/__tests__/permission-mode.test.ts +28 -56
package/src/__tests__/platform-callback-registration.test.ts +19 -0
package/src/__tests__/post-turn-tool-result-truncation.test.ts +296 -0
package/src/__tests__/proxy-approval-callback.test.ts +18 -0
package/src/__tests__/require-fresh-approval.test.ts +40 -1
package/src/__tests__/sanitize-config-for-transfer.test.ts +132 -0
package/src/__tests__/schedule-routes.test.ts +162 -0
package/src/__tests__/secret-detection-handler.test.ts +84 -0
package/src/__tests__/secret-ingress-http.test.ts +1 -0
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/set-permission-mode.test.ts +13 -250
package/src/__tests__/skills-file-content-endpoint.test.ts +670 -0
package/src/__tests__/skills-files-catalog-fallback.test.ts +450 -0
package/src/__tests__/slack-channel-config.test.ts +12 -15
package/src/__tests__/subagent-detail.test.ts +44 -2
package/src/__tests__/subagent-disposal.test.ts +1 -0
package/src/__tests__/subagent-fork-notifications.test.ts +291 -0
package/src/__tests__/subagent-fork-spawn.test.ts +384 -0
package/src/__tests__/subagent-manager-notify.test.ts +1 -0
package/src/__tests__/subagent-notify-parent.test.ts +1 -0
package/src/__tests__/subagent-spawn-tool-fork.test.ts +411 -0
package/src/__tests__/subagent-tools.test.ts +1 -0
package/src/__tests__/subagent-types.test.ts +1 -0
package/src/__tests__/system-prompt-ask-mode.test.ts +27 -71
package/src/__tests__/system-prompt.test.ts +72 -1
package/src/__tests__/task-scheduler.test.ts +32 -6
package/src/__tests__/telegram-config.test.ts +10 -13
package/src/__tests__/terminal-tools.test.ts +9 -0
package/src/__tests__/tool-approval-handler.test.ts +73 -0
package/src/__tests__/tool-side-effects-slack-dm.test.ts +22 -0
package/src/__tests__/top-level-renderer.test.ts +73 -1
package/src/__tests__/transport-hints-queue.test.ts +14 -29
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +109 -0
package/src/__tests__/v2-consent-policy.test.ts +103 -0
package/src/acp/client-handler.ts +30 -4
package/src/agent/loop.ts +12 -6
package/src/approvals/guardian-request-resolvers.ts +21 -15
package/src/browser-session/__tests__/manager.test.ts +297 -0
package/src/browser-session/backends/cdp-inspect.ts +30 -0
package/src/browser-session/backends/extension.ts +26 -0
package/src/browser-session/backends/local.ts +24 -0
package/src/browser-session/events.ts +164 -0
package/src/browser-session/index.ts +27 -0
package/src/browser-session/manager.ts +159 -0
package/src/browser-session/types.ts +28 -0
package/src/channels/__tests__/types.test.ts +134 -0
package/src/channels/types.ts +53 -3
package/src/cli/commands/browser-relay.ts +339 -409
package/src/cli/commands/credentials.ts +3 -3
package/src/cli/commands/email.ts +18 -13
package/src/cli/commands/mcp.ts +16 -4
package/src/cli/commands/oauth/__tests__/connect.test.ts +44 -44
package/src/cli/commands/oauth/__tests__/disconnect.test.ts +21 -21
package/src/cli/commands/oauth/__tests__/mode.test.ts +17 -17
package/src/cli/commands/oauth/__tests__/ping.test.ts +16 -16
package/src/cli/commands/oauth/__tests__/providers-delete.test.ts +31 -33
package/src/cli/commands/oauth/__tests__/providers-register.test.ts +329 -0
package/src/cli/commands/oauth/__tests__/providers-update.test.ts +116 -12
package/src/cli/commands/oauth/__tests__/status.test.ts +10 -10
package/src/cli/commands/oauth/__tests__/token.test.ts +7 -7
package/src/cli/commands/oauth/apps.ts +7 -4
package/src/cli/commands/oauth/connect.ts +6 -3
package/src/cli/commands/oauth/disconnect.ts +1 -1
package/src/cli/commands/oauth/providers.ts +200 -36
package/src/cli/commands/oauth/shared.ts +5 -5
package/src/cli/commands/platform/__tests__/callback-routes-list.test.ts +259 -0
package/src/cli/commands/platform/index.ts +107 -10
package/src/cli/commands/usage.ts +10 -9
package/src/cli/lib/daemon-credential-client.ts +4 -0
package/src/cli/program.ts +1 -1
package/src/config/bundled-skills/app-builder/SKILL.md +26 -249
package/src/config/bundled-skills/app-builder/references/CUSTOM_ROUTES.md +105 -0
package/src/config/bundled-skills/app-builder/references/INTERACTION_HOOKS.md +56 -0
package/src/config/bundled-skills/app-builder/references/WIDGETS.md +125 -0
package/src/config/bundled-skills/contacts/SKILL.md +3 -0
package/src/config/bundled-skills/document/SKILL.md +4 -0
package/src/config/bundled-skills/gmail/SKILL.md +1 -1
package/src/config/bundled-skills/outlook/SKILL.md +7 -0
package/src/config/bundled-skills/subagent/SKILL.md +21 -0
package/src/config/bundled-skills/subagent/TOOLS.json +8 -4
package/src/config/bundled-skills/tasks/SKILL.md +5 -0
package/src/config/env-registry.ts +14 -0
package/src/config/env.ts +21 -0
package/src/config/feature-flag-registry.json +44 -5
package/src/config/loader.ts +56 -1
package/src/config/sanitize-for-transfer.ts +47 -0
package/src/config/schema.ts +46 -5
package/src/config/schemas/host-browser.ts +66 -0
package/src/config/schemas/memory-lifecycle.ts +1 -1
package/src/config/schemas/memory-retrieval.ts +103 -0
package/src/config/schemas/security.ts +0 -6
package/src/config/schemas/services.ts +8 -0
package/src/config/types.ts +0 -1
package/src/context/post-turn-tool-result-truncation.ts +176 -0
package/src/context/window-manager.ts +19 -1
package/src/credential-execution/approval-bridge.ts +49 -15
package/src/daemon/__tests__/conversation-tool-setup.test.ts +186 -0
package/src/daemon/app-source-watcher.ts +35 -0
package/src/daemon/context-overflow-approval.ts +5 -0
package/src/daemon/conversation-agent-loop-handlers.ts +17 -2
package/src/daemon/conversation-agent-loop.ts +58 -24
package/src/daemon/conversation-attachments.ts +40 -0
package/src/daemon/conversation-process.ts +48 -1
package/src/daemon/conversation-runtime-assembly.ts +118 -36
package/src/daemon/conversation-surfaces.ts +37 -36
package/src/daemon/conversation-tool-setup.ts +74 -8
package/src/daemon/conversation-workspace.ts +12 -0
package/src/daemon/conversation.ts +226 -8
package/src/daemon/date-context.ts +10 -10
package/src/daemon/first-greeting.ts +3 -2
package/src/daemon/handlers/conversations.ts +9 -140
package/src/daemon/handlers/shared.ts +58 -0
package/src/daemon/handlers/skills.ts +232 -37
package/src/daemon/host-bash-proxy.ts +48 -13
package/src/daemon/host-browser-proxy.ts +191 -0
package/src/daemon/host-cu-proxy.ts +36 -11
package/src/daemon/host-file-proxy.ts +57 -9
package/src/daemon/lifecycle.ts +65 -11
package/src/daemon/message-protocol.ts +7 -0
package/src/daemon/message-types/conversations.ts +55 -13
package/src/daemon/message-types/host-browser.ts +100 -0
package/src/daemon/message-types/messages.ts +5 -5
package/src/daemon/message-types/skills.ts +10 -0
package/src/daemon/message-types/subagents.ts +2 -0
package/src/daemon/server.ts +92 -12
package/src/daemon/tool-side-effects.ts +6 -0
package/src/daemon/transport-hints.ts +5 -24
package/src/inbound/platform-callback-registration.ts +18 -17
package/src/mcp/client.ts +59 -24
package/src/memory/app-store.ts +31 -1
package/src/memory/conversation-crud.ts +23 -0
package/src/memory/conversation-starters-cadence.ts +76 -0
package/src/memory/conversation-title-service.ts +5 -2
package/src/memory/db-init.ts +12 -0
package/src/memory/embedding-backend.test.ts +75 -0
package/src/memory/embedding-backend.ts +131 -5
package/src/memory/embedding-gemini.test.ts +54 -0
package/src/memory/embedding-gemini.ts +20 -9
package/src/memory/embedding-local.ts +176 -17
package/src/memory/graph/consolidation.ts +10 -23
package/src/memory/graph/extraction-job.ts +15 -0
package/src/memory/graph/retriever.ts +40 -22
package/src/memory/graph/store.test.ts +7 -3
package/src/memory/graph/store.ts +47 -12
package/src/memory/llm-usage-store.ts +45 -4
package/src/memory/migrations/213-oauth-providers-scope-separator.ts +13 -0
package/src/memory/migrations/214-oauth-providers-refresh-url.ts +11 -0
package/src/memory/migrations/215-oauth-providers-revoke.ts +14 -0
package/src/memory/migrations/216-oauth-providers-token-auth-method.ts +30 -0
package/src/memory/migrations/217-conversation-host-access.ts +40 -0
package/src/memory/migrations/218-oauth-providers-logo-url.ts +11 -0
package/src/memory/migrations/index.ts +6 -0
package/src/memory/migrations/registry.ts +8 -0
package/src/memory/schema/conversations.ts +1 -0
package/src/memory/schema/oauth.ts +18 -13
package/src/oauth/AGENTS.md +76 -0
package/src/oauth/__tests__/identity-verifier.test.ts +24 -19
package/src/oauth/__tests__/seed-providers-managed.test.ts +32 -0
package/src/oauth/byo-connection.test.ts +8 -8
package/src/oauth/byo-connection.ts +7 -7
package/src/oauth/connect-orchestrator.ts +23 -21
package/src/oauth/connect-types.ts +3 -3
package/src/oauth/connection-resolver.test.ts +17 -4
package/src/oauth/connection-resolver.ts +16 -16
package/src/oauth/connection.ts +1 -1
package/src/oauth/manual-token-connection.ts +13 -13
package/src/oauth/oauth-store.ts +214 -100
package/src/oauth/platform-connection.test.ts +3 -3
package/src/oauth/platform-connection.ts +4 -4
package/src/oauth/provider-serializer.ts +31 -5
package/src/oauth/revoke.ts +76 -0
package/src/oauth/seed-providers.ts +126 -87
package/src/oauth/token-persistence.ts +1 -1
package/src/permissions/permission-mode.ts +4 -11
package/src/permissions/prompter.ts +13 -1
package/src/permissions/v2-consent-policy.ts +87 -0
package/src/prompts/system-prompt.ts +18 -21
package/src/prompts/templates/BOOTSTRAP-REFERENCE.md +3 -65
package/src/prompts/templates/BOOTSTRAP.md +59 -105
package/src/providers/anthropic/client.ts +1 -0
package/src/providers/types.ts +1 -1
package/src/runtime/AGENTS.md +23 -0
package/src/runtime/__tests__/browser-extension-pair-routes.test.ts +715 -0
package/src/runtime/__tests__/capability-tokens.test.ts +258 -0
package/src/runtime/__tests__/chrome-extension-registry.test.ts +518 -0
package/src/runtime/assistant-event-hub.ts +2 -2
package/src/runtime/auth/__tests__/guard-tests.test.ts +1 -0
package/src/runtime/auth/__tests__/middleware.test.ts +116 -1
package/src/runtime/auth/__tests__/route-policy.test.ts +8 -0
package/src/runtime/auth/middleware.ts +98 -0
package/src/runtime/auth/route-policy.ts +6 -7
package/src/runtime/capability-tokens.ts +414 -0
package/src/runtime/channel-approvals.ts +18 -5
package/src/runtime/chrome-extension-registry.ts +332 -0
package/src/runtime/confirmation-request-guardian-bridge.ts +6 -0
package/src/runtime/guardian-decision-types.ts +7 -0
package/src/runtime/http-server.ts +425 -70
package/src/runtime/migrations/__tests__/rebind-secrets-credentials.test.ts +172 -0
package/src/runtime/migrations/__tests__/vbundle-builder-credentials.test.ts +276 -0
package/src/runtime/migrations/__tests__/vbundle-import-credentials.test.ts +162 -0
package/src/runtime/migrations/migration-transport.ts +6 -0
package/src/runtime/migrations/migration-wizard.ts +22 -2
package/src/runtime/migrations/rebind-secrets-screen.ts +76 -15
package/src/runtime/migrations/vbundle-builder.ts +145 -38
package/src/runtime/migrations/vbundle-import-analyzer.ts +19 -0
package/src/runtime/migrations/vbundle-importer.ts +55 -5
package/src/runtime/pending-interactions.ts +29 -13
package/src/runtime/routes/approval-routes.ts +90 -16
package/src/runtime/routes/browser-cdp-routes.ts +229 -0
package/src/runtime/routes/browser-extension-pair-routes.ts +497 -0
package/src/runtime/routes/conversation-analysis-routes.ts +2 -1
package/src/runtime/routes/conversation-management-routes.ts +108 -0
package/src/runtime/routes/conversation-routes.ts +301 -27
package/src/runtime/routes/conversation-starter-routes.ts +78 -16
package/src/runtime/routes/guardian-action-routes.ts +24 -13
package/src/runtime/routes/host-browser-routes.ts +279 -0
package/src/runtime/routes/host-file-routes.ts +9 -1
package/src/runtime/routes/identity-routes.ts +259 -16
package/src/runtime/routes/log-export-routes.ts +42 -22
package/src/runtime/routes/memory-item-routes.ts +1 -7
package/src/runtime/routes/migration-routes.ts +87 -2
package/src/runtime/routes/oauth-apps.ts +15 -17
package/src/runtime/routes/oauth-providers.ts +4 -0
package/src/runtime/routes/schedule-routes.ts +24 -11
package/src/runtime/routes/settings-routes.ts +9 -97
package/src/runtime/routes/skills-routes.ts +52 -2
package/src/runtime/routes/subagents-routes.ts +14 -10
package/src/runtime/routes/usage-routes.ts +8 -7
package/src/runtime/routes/workspace-routes.test.ts +22 -0
package/src/runtime/routes/workspace-routes.ts +8 -1
package/src/runtime/routes/workspace-utils.ts +2 -0
package/src/schedule/scheduler.ts +7 -5
package/src/security/ces-credential-client.ts +20 -0
package/src/security/ces-rpc-credential-backend.ts +17 -0
package/src/security/credential-backend.ts +5 -0
package/src/security/oauth2.ts +42 -25
package/src/security/secure-keys.ts +118 -25
package/src/security/token-manager.ts +23 -10
package/src/skills/catalog-files.ts +492 -0
package/src/subagent/manager.ts +131 -26
package/src/subagent/types.ts +19 -0
package/src/tools/apps/executors.ts +11 -2
package/src/tools/browser/__tests__/auth-detector.test.ts +202 -108
package/src/tools/browser/auth-detector.ts +43 -12
package/src/tools/browser/browser-execution.ts +645 -340
package/src/tools/browser/browser-manager.ts +36 -12
package/src/tools/browser/cdp-client/__tests__/accessibility-snapshot.test.ts +318 -0
package/src/tools/browser/cdp-client/__tests__/cdp-dom-helpers.test.ts +1175 -0
package/src/tools/browser/cdp-client/__tests__/cdp-inspect-client.test.ts +870 -0
package/src/tools/browser/cdp-client/__tests__/extension-cdp-client.test.ts +330 -0
package/src/tools/browser/cdp-client/__tests__/factory.test.ts +377 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-nested-frames.json +64 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-simple.json +69 -0
package/src/tools/browser/cdp-client/__tests__/local-cdp-client.test.ts +310 -0
package/src/tools/browser/cdp-client/__tests__/types.test.ts +96 -0
package/src/tools/browser/cdp-client/accessibility-snapshot.ts +387 -0
package/src/tools/browser/cdp-client/cdp-dom-helpers.ts +695 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/discovery.test.ts +743 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/ws-transport.test.ts +580 -0
package/src/tools/browser/cdp-client/cdp-inspect/discovery.ts +578 -0
package/src/tools/browser/cdp-client/cdp-inspect/ws-transport.ts +579 -0
package/src/tools/browser/cdp-client/cdp-inspect-client.ts +635 -0
package/src/tools/browser/cdp-client/errors.ts +34 -0
package/src/tools/browser/cdp-client/extension-cdp-client.ts +125 -0
package/src/tools/browser/cdp-client/factory.ts +204 -0
package/src/tools/browser/cdp-client/index.ts +14 -0
package/src/tools/browser/cdp-client/local-cdp-client.ts +187 -0
package/src/tools/browser/cdp-client/types.ts +52 -0
package/src/tools/filesystem/edit.ts +1 -1
package/src/tools/filesystem/list.ts +1 -1
package/src/tools/filesystem/read.ts +1 -1
package/src/tools/filesystem/write.ts +2 -1
package/src/tools/host-filesystem/edit.ts +1 -1
package/src/tools/host-filesystem/read.ts +12 -15
package/src/tools/host-filesystem/write.ts +1 -1
package/src/tools/host-terminal/host-shell.ts +21 -16
package/src/tools/permission-checker.ts +77 -82
package/src/tools/registry.ts +0 -2
package/src/tools/secret-detection-handler.ts +34 -0
package/src/tools/shared/filesystem/image-read.ts +61 -40
package/src/tools/subagent/spawn.ts +47 -3
package/src/tools/subagent/status.ts +2 -0
package/src/tools/system/register.ts +2 -16
package/src/tools/terminal/safe-env.ts +7 -0
package/src/tools/terminal/shell.ts +21 -16
package/src/tools/tool-approval-handler.ts +48 -2
package/src/tools/types.ts +2 -0
package/src/util/platform.ts +14 -19
package/src/workspace/top-level-renderer.ts +19 -1
package/src/__tests__/chrome-cdp.test.ts +0 -419
package/src/__tests__/permission-mode-sse.test.ts +0 -418
package/src/__tests__/permission-mode-store.test.ts +0 -277
package/src/browser-extension-relay/protocol.ts +0 -63
package/src/browser-extension-relay/server.ts +0 -203
package/src/config/schemas/sandbox.ts +0 -14
package/src/permissions/permission-mode-store.ts +0 -180
package/src/tools/browser/chrome-cdp.ts +0 -239
package/src/tools/system/set-permission-mode.ts +0 -103

package/src/oauth/__tests__/seed-providers-managed.test.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { describe, expect, test } from "bun:test";
+import { ServicesSchema } from "../../config/schemas/services.js";
+import { PROVIDER_SEED_DATA } from "../seed-providers.js";
+describe("PROVIDER_SEED_DATA managed mode wiring", () => {
+  test("github provider is wired up for managed mode", () => {
+    const github = PROVIDER_SEED_DATA.github;
+    expect(github).toBeDefined();
+    expect(github.managedServiceConfigKey).toBe("github-oauth");
+    expect("github-oauth" in ServicesSchema.shape).toBe(true);
+  });
+  test("every managedServiceConfigKey resolves to a ServicesSchema key", () => {
+    // Cross-repo invariant: a provider with managedServiceConfigKey but no
+    // matching ServicesSchema entry silently falls back to BYO mode in
+    // connection-resolver.ts. This test guards against that drift.
+    const offenders: Array<{ provider: string; key: string }> = [];
+    for (const [provider, seed] of Object.entries(PROVIDER_SEED_DATA)) {
+      const key = seed.managedServiceConfigKey;
+      if (key && !(key in ServicesSchema.shape)) {
+        offenders.push({ provider, key });
+      }
+    }
+    expect(offenders).toEqual([]);
+  });
+  test("github managed service schema defaults to your-own", () => {
+    const parsed = ServicesSchema.shape["github-oauth"].parse({});
+    expect(parsed.mode).toBe("your-own");
+  });
+});

package/src/oauth/byo-connection.test.ts CHANGED Viewed

@@ -72,7 +72,7 @@ const mockConnections = new Map<
   string,
   {
     id: string;
-    providerKey: string;
+    provider: string;
     oauthAppId: string;
     expiresAt: number | null;
     grantedScopes?: string;
@@ -83,7 +83,7 @@ const mockApps = new Map<
   string,
   {
     id: string;
-    providerKey: string;
+    provider: string;
     clientId: string;
     clientSecretCredentialPath: string;
   }
@@ -92,7 +92,7 @@ const mockProviders = new Map<
   string,
   {
     key: string;
-    tokenUrl: string;
+    tokenExchangeUrl: string;
     tokenEndpointAuthMethod?: string;
     baseUrl?: string;
   }
@@ -192,7 +192,7 @@ async function setupCredential(
   const connId = `conn-${service}`;
   mockProviders.set(service, {
     key: service,
-    tokenUrl: "https://oauth2.googleapis.com/token",
+    tokenExchangeUrl: "https://oauth2.googleapis.com/token",
     // Only well-known providers (gmail) have a baseUrl; custom services don't
     baseUrl:
       service === "google"
@@ -201,13 +201,13 @@ async function setupCredential(
   });
   mockApps.set(appId, {
     id: appId,
-    providerKey: service,
+    provider: service,
     clientId: "test-client-id",
     clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
   });
   mockConnections.set(service, {
     id: connId,
-    providerKey: service,
+    provider: service,
     oauthAppId: appId,
     expiresAt: opts?.expiresAt ?? Date.now() + 3600 * 1000,
     grantedScopes: JSON.stringify(opts?.grantedScopes ?? ["read", "write"]),
@@ -233,7 +233,7 @@ async function setupCredential(
 function createConnection(service = "google"): BYOOAuthConnection {
   return new BYOOAuthConnection({
     id: `conn-${service}`,
-    providerKey: service,
+    provider: service,
     baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
     accountInfo: null,
   });
@@ -497,7 +497,7 @@ describe("resolveOAuthConnection", () => {
     const conn = await resolveOAuthConnection("google");
     expect(conn).toBeInstanceOf(BYOOAuthConnection);
-    expect(conn.providerKey).toBe("google");
+    expect(conn.provider).toBe("google");
   });
   test("throws when no credential metadata exists", async () => {

package/src/oauth/byo-connection.ts CHANGED Viewed

@@ -22,28 +22,28 @@ const REQUEST_TIMEOUT_MS = 30_000;
 export interface BYOOAuthConnectionOptions {
   id: string;
-  providerKey: string;
+  provider: string;
   baseUrl: string;
   accountInfo: string | null;
 }
 export class BYOOAuthConnection implements OAuthConnection {
   readonly id: string;
-  readonly providerKey: string;
+  readonly provider: string;
   readonly accountInfo: string | null;
   private readonly baseUrl: string;
   constructor(opts: BYOOAuthConnectionOptions) {
     this.id = opts.id;
-    this.providerKey = opts.providerKey;
+    this.provider = opts.provider;
     this.baseUrl = opts.baseUrl;
     this.accountInfo = opts.accountInfo;
   }
   async request(req: OAuthConnectionRequest): Promise<OAuthConnectionResponse> {
     return withValidToken(
-      this.providerKey,
+      this.provider,
       async (token) => {
         const effectiveBaseUrl = req.baseUrl ?? this.baseUrl;
         let fullUrl = `${effectiveBaseUrl}${req.path}`;
@@ -61,7 +61,7 @@ export class BYOOAuthConnection implements OAuthConnection {
         }
         log.debug(
-          { method: req.method, url: fullUrl, provider: this.providerKey },
+          { method: req.method, url: fullUrl, provider: this.provider },
           "Making authenticated request",
         );
@@ -88,7 +88,7 @@ export class BYOOAuthConnection implements OAuthConnection {
         if (resp.status === 401) {
           // Throw with a status property so withValidToken detects the 401
           // and triggers its refresh-and-retry logic.
-          const err = new Error(`HTTP 401 from ${this.providerKey}`);
+          const err = new Error(`HTTP 401 from ${this.provider}`);
           (err as Error & { status: number }).status = 401;
           throw err;
         }
@@ -100,7 +100,7 @@ export class BYOOAuthConnection implements OAuthConnection {
   }
   async withToken<T>(fn: (token: string) => Promise<T>): Promise<T> {
-    return withValidToken(this.providerKey, fn, {
+    return withValidToken(this.provider, fn, {
       connectionId: this.id,
     });
   }

package/src/oauth/connect-orchestrator.ts CHANGED Viewed

@@ -23,10 +23,7 @@
 import type { TokenEndpointAuthMethod } from "../security/oauth2.js";
 import { prepareOAuth2Flow, startOAuth2Flow } from "../security/oauth2.js";
 import { getLogger } from "../util/logger.js";
-import type {
-  OAuthConnectResult,
-  OAuthScopePolicy,
-} from "./connect-types.js";
+import type { OAuthConnectResult, OAuthScopePolicy } from "./connect-types.js";
 import { verifyIdentity } from "./identity-verifier.js";
 import { getProvider } from "./oauth-store.js";
 import { resolveScopes } from "./scope-policy.js";
@@ -98,7 +95,7 @@ export interface OAuthConnectOptions {
  *
  * Returns a discriminated result:
  * - Interactive success: `{ success: true, deferred: false, grantedScopes, accountInfo }`
- * - Deferred success:    `{ success: true, deferred: true, authUrl, state, service }`
+ * - Deferred success:    `{ success: true, deferred: true, authorizeUrl, state, service }`
  * - Error:               `{ success: false, error }`
  */
 export async function orchestrateOAuthConnect(
@@ -137,15 +134,15 @@ export async function orchestrateOAuthConnect(
       forbiddenScopes: [],
     },
   );
-  const dbExtraParams = safeJsonParse<Record<string, string> | undefined>(
-    providerRow.extraParams,
+  const dbAuthorizeParams = safeJsonParse<Record<string, string> | undefined>(
+    providerRow.authorizeParams,
     undefined,
   );
   // Resolve all protocol-level config from the DB
-  const authUrl = providerRow.authUrl;
-  const tokenUrl = providerRow.tokenUrl;
-  const extraParams = dbExtraParams;
+  const authorizeUrl = providerRow.authorizeUrl;
+  const tokenExchangeUrl = providerRow.tokenExchangeUrl;
+  const authorizeParams = dbAuthorizeParams;
   const userinfoUrl = providerRow.userinfoUrl ?? undefined;
   const tokenEndpointAuthMethod = providerRow.tokenEndpointAuthMethod as
     | TokenEndpointAuthMethod
@@ -173,14 +170,14 @@ export async function orchestrateOAuthConnect(
   }
   const finalScopes = scopeResult.scopes;
-  if (!authUrl) {
+  if (!authorizeUrl) {
     return {
       success: false,
       error: "auth_url is required (no well-known config for this service)",
       safeError: true,
     };
   }
-  if (!tokenUrl) {
+  if (!tokenExchangeUrl) {
     return {
       success: false,
       error: "token_url is required (no well-known config for this service)",
@@ -191,24 +188,25 @@ export async function orchestrateOAuthConnect(
   log.info(
     {
       service: options.service,
-      authUrl,
-      tokenUrl,
+      authorizeUrl,
+      tokenExchangeUrl,
       scopeCount: finalScopes.length,
       callbackTransport,
       loopbackPort,
-      hasClientSecret: !!options.clientSecret,
+      hasSecret: !!options.clientSecret,
       clientIdPrefix: options.clientId.substring(0, 12) + "…",
     },
     "orchestrateOAuthConnect: resolved provider config",
   );
   const oauthConfig = {
-    authUrl,
-    tokenUrl,
+    authorizeUrl,
+    tokenExchangeUrl,
     scopes: finalScopes,
+    scopeSeparator: providerRow.scopeSeparator,
     clientId: options.clientId,
     clientSecret: options.clientSecret,
-    extraParams,
+    authorizeParams,
     userinfoUrl,
     tokenEndpointAuthMethod,
   };
@@ -308,7 +306,7 @@ export async function orchestrateOAuthConnect(
       return {
         success: true,
         deferred: true,
-        authUrl: prepared.authUrl,
+        authorizeUrl: prepared.authorizeUrl,
         state: prepared.state,
         service: options.service,
       };
@@ -344,14 +342,18 @@ export async function orchestrateOAuthConnect(
             log.info("orchestrateOAuthConnect: using options.openUrl");
             options.openUrl(url);
           } else if (options.sendToClient) {
-            log.info("orchestrateOAuthConnect: using sendToClient with open_url event");
+            log.info(
+              "orchestrateOAuthConnect: using sendToClient with open_url event",
+            );
             options.sendToClient({
               type: "open_url",
               url,
               title: `Connect ${options.service}`,
             });
           } else {
-            log.warn("orchestrateOAuthConnect: no openUrl or sendToClient available — auth URL will not reach the user");
+            log.warn(
+              "orchestrateOAuthConnect: no openUrl or sendToClient available — auth URL will not reach the user",
+            );
           }
         },
       },

package/src/oauth/connect-types.ts CHANGED Viewed

@@ -4,8 +4,8 @@
  * These types are consumed by the token persistence module and the
  * credential vault orchestrator.
  *
- * All provider configuration — protocol-level OAuth config (authUrl,
- * tokenUrl, scopes, etc.) as well as behavioral config (identity
+ * All provider configuration — protocol-level OAuth config (authorizeUrl,
+ * tokenExchangeUrl, scopes, etc.) as well as behavioral config (identity
  * verification, injection templates, setup metadata) — is now stored
  * exclusively in the `oauth_providers` SQLite table and seeded on
  * startup via `seed-providers.ts`.
@@ -47,7 +47,7 @@ export interface OAuthConnectInteractiveResult {
 export interface OAuthConnectDeferredResult {
   success: true;
   deferred: true;
-  authUrl: string;
+  authorizeUrl: string;
   state: string;
   service: string;
 }

package/src/oauth/connection-resolver.test.ts CHANGED Viewed

@@ -79,13 +79,13 @@ function makeMockClient() {
 function setupDefaults(): void {
   mockProvider = {
-    providerKey: "google",
+    provider: "google",
     baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
     managedServiceConfigKey: null,
   };
   mockConnection = {
     id: "conn-1",
-    providerKey: "google",
+    provider: "google",
     oauthAppId: "app-1",
     accountInfo: "user@example.com",
     grantedScopes: JSON.stringify(["scope-a", "scope-b"]),
@@ -125,7 +125,7 @@ describe("resolveOAuthConnection", () => {
     const result = await resolveOAuthConnection("google");
     expect(result).toBeInstanceOf(BYOOAuthConnection);
     expect(result.id).toBe("conn-1");
-    expect(result.providerKey).toBe("google");
+    expect(result.provider).toBe("google");
   });
   test("returns PlatformOAuthConnection when managed mode is active", async () => {
@@ -134,7 +134,7 @@ describe("resolveOAuthConnection", () => {
     const result = await resolveOAuthConnection("google");
     expect(result).toBeInstanceOf(PlatformOAuthConnection);
     expect(result.id).toBe("google");
-    expect(result.providerKey).toBe("google");
+    expect(result.provider).toBe("google");
     expect(result.accountInfo).toBeNull();
   });
@@ -148,6 +148,19 @@ describe("resolveOAuthConnection", () => {
     expect(result.accountInfo).toBe("user@example.com");
   });
+  test("returns PlatformOAuthConnection when GitHub is in managed mode", async () => {
+    mockProvider!.provider = "github";
+    mockProvider!.managedServiceConfigKey = "github-oauth";
+    (mockConfig.services as Record<string, unknown>)["github-oauth"] = {
+      mode: "managed",
+    };
+    const result = await resolveOAuthConnection("github");
+    expect(result).toBeInstanceOf(PlatformOAuthConnection);
+    expect(result.id).toBe("github");
+    expect(result.provider).toBe("github");
+  });
   test("returns BYOOAuthConnection when service config mode is your-own", async () => {
     mockProvider!.managedServiceConfigKey = "google-oauth";
     (mockConfig.services as Record<string, unknown>)["google-oauth"] = {

package/src/oauth/connection-resolver.ts CHANGED Viewed

@@ -29,7 +29,7 @@ export interface ResolveOAuthConnectionOptions {
  * BYO providers resolve from the local SQLite oauth-store and require an
  * active connection row and a stored access token.
  *
- * @param providerKey - Provider identifier (e.g. "google").
+ * @param provider - Provider identifier (e.g. "google").
  *   Maps to the `provider_key` primary key in the `oauth_providers` table.
  * @param options.clientId - Optional OAuth app client ID. When multiple BYO
  *   apps exist for the same provider, narrows the connection lookup to the
@@ -38,12 +38,12 @@ export interface ResolveOAuthConnectionOptions {
  *   multi-account connections.
  */
 export async function resolveOAuthConnection(
-  providerKey: string,
+  provider: string,
   options?: ResolveOAuthConnectionOptions,
 ): Promise<OAuthConnection> {
   const { clientId, account } = options ?? {};
-  const provider = getProvider(providerKey);
-  const managedKey = provider?.managedServiceConfigKey;
+  const providerRow = getProvider(provider);
+  const managedKey = providerRow?.managedServiceConfigKey;
   if (managedKey && managedKey in ServicesSchema.shape) {
     const services: Services = getConfig().services;
@@ -54,31 +54,31 @@ export async function resolveOAuthConnection(
           ? "missing platform prerequisites"
           : "missing assistant ID";
         throw new Error(
-          `Platform-managed connection for "${providerKey}" cannot be created: ${detail}. ` +
+          `Platform-managed connection for "${provider}" cannot be created: ${detail}. ` +
             `Log in to the Vellum platform or switch to using your own OAuth app.`,
         );
       }
       const connectionId = await resolvePlatformConnectionId({
         client,
-        provider: providerKey,
+        provider,
         account,
       });
       return new PlatformOAuthConnection({
-        id: providerKey,
-        providerKey,
-        externalId: providerKey,
+        id: provider,
+        provider,
+        externalId: provider,
         accountInfo: account ?? null,
         client,
         connectionId,
-        baseUrl: provider?.baseUrl ?? undefined,
+        baseUrl: providerRow?.baseUrl ?? undefined,
       });
     }
   }
   // BYO path — requires a local connection row, access token, and base URL.
-  const conn = getActiveConnection(providerKey, { clientId, account });
+  const conn = getActiveConnection(provider, { clientId, account });
   if (!conn) {
     const filters = [
       account && `account "${account}"`,
@@ -88,7 +88,7 @@ export async function resolveOAuthConnection(
       ? ` matching ${filters.join(" and ")}`
       : "";
     throw new Error(
-      `No active OAuth connection found for "${providerKey}"${qualifier}. Connect the service first with \`assistant oauth connect ${providerKey}\`.`,
+      `No active OAuth connection found for "${provider}"${qualifier}. Connect the service first with \`assistant oauth connect ${provider}\`.`,
     );
   }
@@ -97,20 +97,20 @@ export async function resolveOAuthConnection(
   );
   if (!accessToken) {
     throw new Error(
-      `OAuth connection for "${providerKey}" exists but has no access token. Re-authorize with \`assistant oauth connect ${providerKey}\`.`,
+      `OAuth connection for "${provider}" exists but has no access token. Re-authorize with \`assistant oauth connect ${provider}\`.`,
     );
   }
-  const baseUrl = provider?.baseUrl;
+  const baseUrl = providerRow?.baseUrl;
   if (!baseUrl) {
     throw new Error(
-      `OAuth provider "${providerKey}" has no base URL configured. Check provider setup.`,
+      `OAuth provider "${provider}" has no base URL configured. Check provider setup.`,
     );
   }
   return new BYOOAuthConnection({
     id: conn.id,
-    providerKey: conn.providerKey,
+    provider: conn.provider,
     baseUrl,
     accountInfo: conn.accountInfo,
   });

package/src/oauth/connection.ts CHANGED Viewed

@@ -32,6 +32,6 @@ export interface OAuthConnection {
   withToken<T>(fn: (token: string) => Promise<T>): Promise<T>;
   readonly id: string;
-  readonly providerKey: string;
+  readonly provider: string;
   readonly accountInfo: string | null;
 }

package/src/oauth/manual-token-connection.ts CHANGED Viewed

@@ -25,14 +25,14 @@ const MANUAL_TOKEN_CLIENT_ID = "manual-config";
  * Ensure an active oauth_connection row exists for the given manual-token
  * provider. Creates the synthetic oauth_app row on first use.
  *
- * @param providerKey - The provider key (e.g. "slack_channel", "telegram")
+ * @param provider - The provider key (e.g. "slack_channel", "telegram")
  * @param accountInfo - Optional account info to store (e.g. team name, bot username)
  */
 export async function ensureManualTokenConnection(
-  providerKey: string,
+  provider: string,
   accountInfo?: string,
 ): Promise<void> {
-  const existing = getConnectionByProvider(providerKey);
+  const existing = getConnectionByProvider(provider);
   if (existing) {
     // Update account info if provided
     if (accountInfo !== undefined) {
@@ -42,11 +42,11 @@ export async function ensureManualTokenConnection(
   }
   // Create synthetic app + connection
-  const app = await upsertApp(providerKey, MANUAL_TOKEN_CLIENT_ID);
+  const app = await upsertApp(provider, MANUAL_TOKEN_CLIENT_ID);
   createConnection({
     oauthAppId: app.id,
-    providerKey,
+    provider,
     accountInfo,
     grantedScopes: [],
     hasRefreshToken: false,
@@ -59,8 +59,8 @@ export async function ensureManualTokenConnection(
  * Note: This only removes the oauth_connection row. The caller is still
  * responsible for deleting the stored credentials separately.
  */
-export function removeManualTokenConnection(providerKey: string): void {
-  const conn = getConnectionByProvider(providerKey);
+export function removeManualTokenConnection(provider: string): void {
+  const conn = getConnectionByProvider(provider);
   if (!conn) return;
   deleteConnection(conn.id);
 }
@@ -73,10 +73,10 @@ export function removeManualTokenConnection(providerKey: string): void {
  * keep connection status in sync without duplicating per-provider rules.
  */
 export async function syncManualTokenConnection(
-  providerKey: string,
+  provider: string,
   accountInfo?: string,
 ): Promise<void> {
-  switch (providerKey) {
+  switch (provider) {
     case "telegram": {
       const hasBotToken = !!(await getSecureKeyAsync(
         credentialKey("telegram", "bot_token"),
@@ -85,9 +85,9 @@ export async function syncManualTokenConnection(
         credentialKey("telegram", "webhook_secret"),
       ));
       if (hasBotToken && hasWebhookSecret) {
-        await ensureManualTokenConnection(providerKey, accountInfo);
+        await ensureManualTokenConnection(provider, accountInfo);
       } else {
-        removeManualTokenConnection(providerKey);
+        removeManualTokenConnection(provider);
       }
       return;
     }
@@ -100,9 +100,9 @@ export async function syncManualTokenConnection(
         credentialKey("slack_channel", "app_token"),
       ));
       if (hasBotToken && hasAppToken) {
-        await ensureManualTokenConnection(providerKey, accountInfo);
+        await ensureManualTokenConnection(provider, accountInfo);
       } else {
-        removeManualTokenConnection(providerKey);
+        removeManualTokenConnection(provider);
       }
       return;
     }