@vellumai/assistant 0.6.2 → 0.6.3

package/src/runtime/migrations/__tests__/rebind-secrets-credentials.test.ts

@@ -0,0 +1,172 @@
+/**
+ * Tests for credential-aware rebind-secrets screen behavior.
+ *
+ * Covers:
+ * - All credentials imported successfully -> re-enter-secrets auto-completed
+ * - Partial import failure -> targeted list of failed credentials
+ * - Legacy bundles without credentials -> original rebind-secrets behavior
+ */
+
+import { describe, expect, test } from "bun:test";
+
+import type { MigrationWizardState } from "../migration-wizard.js";
+import { createWizardState } from "../migration-wizard.js";
+import {
+  createTaskCompletionState,
+  deriveRebindSecretsScreenState,
+} from "../rebind-secrets-screen.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Create a wizard state that has progressed to the rebind-secrets step.
+ */
+function wizardAtRebindSecrets(
+  credentialsImported?: MigrationWizardState["credentialsImported"],
+): MigrationWizardState {
+  const base = createWizardState();
+  return {
+    ...base,
+    currentStep: "rebind-secrets",
+    direction: "managed-to-self-hosted",
+    steps: {
+      ...base.steps,
+      "select-direction": { status: "success" },
+      "upload-bundle": { status: "success" },
+      validate: { status: "success" },
+      "preflight-review": { status: "success" },
+      transfer: { status: "success" },
+      "rebind-secrets": { status: "idle" },
+      complete: { status: "idle" },
+    },
+    hasBundleData: true,
+    credentialsImported,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("rebind-secrets-screen credential awareness", () => {
+  test("all credentials imported successfully -> re-enter-secrets is auto-completed", () => {
+    const wizard = wizardAtRebindSecrets({
+      total: 3,
+      succeeded: 3,
+      failed: 0,
+      failedAccounts: [],
+    });
+    const completion = createTaskCompletionState();
+    const screen = deriveRebindSecretsScreenState(wizard, completion);
+
+    expect(screen.phase).toBe("active");
+    if (screen.phase !== "active") return;
+
+    const secretsTask = screen.tasks.find((t) => t.id === "re-enter-secrets");
+    expect(secretsTask).toBeDefined();
+    expect(secretsTask!.status).toBe("complete");
+    expect(secretsTask!.title).toBe("API keys and secrets transferred");
+    expect(secretsTask!.description).toContain("3 credential(s)");
+    expect(secretsTask!.description).toContain("automatically imported");
+  });
+
+  test("partial import failure -> shows only failed credentials", () => {
+    const wizard = wizardAtRebindSecrets({
+      total: 3,
+      succeeded: 2,
+      failed: 1,
+      failedAccounts: ["openai-key"],
+    });
+    const completion = createTaskCompletionState();
+    const screen = deriveRebindSecretsScreenState(wizard, completion);
+
+    expect(screen.phase).toBe("active");
+    if (screen.phase !== "active") return;
+
+    const secretsTask = screen.tasks.find((t) => t.id === "re-enter-secrets");
+    expect(secretsTask).toBeDefined();
+    expect(secretsTask!.status).toBe("pending");
+    expect(secretsTask!.title).toBe("Re-enter failed credentials");
+    expect(secretsTask!.description).toContain("2 of 3");
+    expect(secretsTask!.description).toContain('"openai-key"');
+    expect(secretsTask!.description).toContain("manual re-entry");
+  });
+
+  test("legacy bundle without credentials -> original rebind-secrets behavior", () => {
+    const wizard = wizardAtRebindSecrets(undefined);
+    const completion = createTaskCompletionState();
+    const screen = deriveRebindSecretsScreenState(wizard, completion);
+
+    expect(screen.phase).toBe("active");
+    if (screen.phase !== "active") return;
+
+    const secretsTask = screen.tasks.find((t) => t.id === "re-enter-secrets");
+    expect(secretsTask).toBeDefined();
+    expect(secretsTask!.status).toBe("pending");
+    expect(secretsTask!.title).toBe("Re-enter API keys and secrets");
+    expect(secretsTask!.description).toContain("redacted in export bundles");
+  });
+
+  test("all credentials imported -> allRequiredComplete reflects auto-completion", () => {
+    const wizard = wizardAtRebindSecrets({
+      total: 2,
+      succeeded: 2,
+      failed: 0,
+      failedAccounts: [],
+    });
+    // Mark all other required tasks as complete
+    let completion = createTaskCompletionState();
+    completion = {
+      ...completion,
+      "rebind-channels": true,
+      "reconfigure-auth": true,
+    };
+    const screen = deriveRebindSecretsScreenState(wizard, completion);
+
+    expect(screen.phase).toBe("active");
+    if (screen.phase !== "active") return;
+
+    // re-enter-secrets is auto-completed, rebind-channels and reconfigure-auth are manually done
+    expect(screen.allRequiredComplete).toBe(true);
+  });
+
+  test("partial failure -> allRequiredComplete is false when failed creds not manually acknowledged", () => {
+    const wizard = wizardAtRebindSecrets({
+      total: 3,
+      succeeded: 2,
+      failed: 1,
+      failedAccounts: ["anthropic-key"],
+    });
+    const completion = createTaskCompletionState();
+    const screen = deriveRebindSecretsScreenState(wizard, completion);
+
+    expect(screen.phase).toBe("active");
+    if (screen.phase !== "active") return;
+
+    // re-enter-secrets is still pending (partial failure), so not all required complete
+    expect(screen.allRequiredComplete).toBe(false);
+  });
+
+  test("multiple failed credentials are listed in description", () => {
+    const wizard = wizardAtRebindSecrets({
+      total: 4,
+      succeeded: 1,
+      failed: 3,
+      failedAccounts: ["openai-key", "anthropic-key", "github-token"],
+    });
+    const completion = createTaskCompletionState();
+    const screen = deriveRebindSecretsScreenState(wizard, completion);
+
+    expect(screen.phase).toBe("active");
+    if (screen.phase !== "active") return;
+
+    const secretsTask = screen.tasks.find((t) => t.id === "re-enter-secrets");
+    expect(secretsTask).toBeDefined();
+    expect(secretsTask!.description).toContain('"openai-key"');
+    expect(secretsTask!.description).toContain('"anthropic-key"');
+    expect(secretsTask!.description).toContain('"github-token"');
+    expect(secretsTask!.description).toContain("1 of 4");
+  });
+});

package/src/runtime/migrations/__tests__/vbundle-builder-credentials.test.ts

@@ -0,0 +1,276 @@
+/**
+ * Tests for credential inclusion in vbundle export.
+ *
+ * Covers:
+ * - buildExportVBundle() with credentials includes credentials/* entries
+ * - Credentials appear in the manifest with correct SHA-256 checksums
+ * - Export with no credentials produces the same archive as before (backward compat)
+ * - Streaming path (streamExportVBundle) includes credential entries
+ */
+
+import { createHash } from "node:crypto";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { gunzipSync } from "node:zlib";
+import { describe, expect, test } from "bun:test";
+
+import { buildExportVBundle, streamExportVBundle } from "../vbundle-builder.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const BLOCK_SIZE = 512;
+
+function sha256Hex(data: Uint8Array | string): string {
+  return createHash("sha256").update(data).digest("hex");
+}
+
+/** Parse a tar archive into its entries (name -> data). */
+function parseTar(tar: Uint8Array): Map<string, Uint8Array> {
+  const entries = new Map<string, Uint8Array>();
+  let offset = 0;
+  let paxPath: string | undefined;
+
+  while (offset + BLOCK_SIZE <= tar.length) {
+    const header = tar.subarray(offset, offset + BLOCK_SIZE);
+
+    // Check for end-of-archive (all zeros)
+    if (header.every((b) => b === 0)) break;
+
+    // Read file name
+    let name = "";
+    for (let i = 0; i < 100 && header[i] !== 0; i++) {
+      name += String.fromCharCode(header[i]);
+    }
+
+    // Read size (octal at offset 124, 12 bytes)
+    let sizeStr = "";
+    for (let i = 124; i < 136 && header[i] !== 0; i++) {
+      sizeStr += String.fromCharCode(header[i]);
+    }
+    const size = parseInt(sizeStr.trim(), 8) || 0;
+
+    // Type flag
+    const typeFlag = String.fromCharCode(header[156]);
+
+    offset += BLOCK_SIZE;
+
+    const data = tar.subarray(offset, offset + size);
+    const paddedSize = Math.ceil(size / BLOCK_SIZE) * BLOCK_SIZE;
+    offset += paddedSize;
+
+    if (typeFlag === "x") {
+      // PAX extended header — extract path
+      const paxStr = new TextDecoder().decode(data);
+      const match = paxStr.match(/\d+ path=(.+)\n/);
+      if (match) {
+        paxPath = match[1];
+      }
+      continue;
+    }
+
+    const entryName = paxPath ?? name;
+    paxPath = undefined;
+    entries.set(entryName, new Uint8Array(data));
+  }
+
+  return entries;
+}
+
+/** Create a minimal workspace directory with a config file for testing. */
+function createTestWorkspace(): { dir: string; cleanup: () => void } {
+  const dir = join(
+    tmpdir(),
+    `vbundle-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+  );
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(join(dir, "config.json"), JSON.stringify({ test: true }));
+  // Create a minimal data/db directory with a fake database file
+  const dbDir = join(dir, "data", "db");
+  mkdirSync(dbDir, { recursive: true });
+  writeFileSync(join(dbDir, "assistant.db"), "fake-db-content");
+  return {
+    dir,
+    cleanup: () => rmSync(dir, { recursive: true, force: true }),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("buildExportVBundle with credentials", () => {
+  test("includes credential entries under credentials/ prefix", () => {
+    const workspace = createTestWorkspace();
+    try {
+      const credentials = [
+        { account: "openai-key", value: "sk-test-123" },
+        { account: "anthropic-key", value: "sk-ant-456" },
+      ];
+
+      const result = buildExportVBundle({
+        workspaceDir: workspace.dir,
+        credentials,
+      });
+
+      const tar = gunzipSync(result.archive);
+      const entries = parseTar(tar);
+
+      expect(entries.has("credentials/openai-key")).toBe(true);
+      expect(entries.has("credentials/anthropic-key")).toBe(true);
+
+      const decoder = new TextDecoder();
+      expect(decoder.decode(entries.get("credentials/openai-key")!)).toBe(
+        "sk-test-123",
+      );
+      expect(decoder.decode(entries.get("credentials/anthropic-key")!)).toBe(
+        "sk-ant-456",
+      );
+    } finally {
+      workspace.cleanup();
+    }
+  });
+
+  test("credentials appear in manifest with correct SHA-256 checksums", () => {
+    const workspace = createTestWorkspace();
+    try {
+      const credentials = [
+        { account: "my-api-key", value: "secret-value-abc" },
+      ];
+
+      const result = buildExportVBundle({
+        workspaceDir: workspace.dir,
+        credentials,
+      });
+
+      const expectedHash = sha256Hex(
+        new TextEncoder().encode("secret-value-abc"),
+      );
+
+      const credEntry = result.manifest.files.find(
+        (f) => f.path === "credentials/my-api-key",
+      );
+      expect(credEntry).toBeDefined();
+      expect(credEntry!.sha256).toBe(expectedHash);
+      expect(credEntry!.size).toBe(
+        new TextEncoder().encode("secret-value-abc").length,
+      );
+    } finally {
+      workspace.cleanup();
+    }
+  });
+
+  test("export with no credentials produces archive without credentials/ entries", () => {
+    const workspace = createTestWorkspace();
+    try {
+      const result = buildExportVBundle({
+        workspaceDir: workspace.dir,
+      });
+
+      const tar = gunzipSync(result.archive);
+      const entries = parseTar(tar);
+
+      const credentialEntries = [...entries.keys()].filter((k) =>
+        k.startsWith("credentials/"),
+      );
+      expect(credentialEntries).toHaveLength(0);
+
+      // Manifest should have no credential entries
+      const credManifestEntries = result.manifest.files.filter((f) =>
+        f.path.startsWith("credentials/"),
+      );
+      expect(credManifestEntries).toHaveLength(0);
+    } finally {
+      workspace.cleanup();
+    }
+  });
+
+  test("export with empty credentials array produces archive without credentials/ entries", () => {
+    const workspace = createTestWorkspace();
+    try {
+      const result = buildExportVBundle({
+        workspaceDir: workspace.dir,
+        credentials: [],
+      });
+
+      const tar = gunzipSync(result.archive);
+      const entries = parseTar(tar);
+
+      const credentialEntries = [...entries.keys()].filter((k) =>
+        k.startsWith("credentials/"),
+      );
+      expect(credentialEntries).toHaveLength(0);
+    } finally {
+      workspace.cleanup();
+    }
+  });
+});
+
+describe("streamExportVBundle with credentials", () => {
+  test("includes credential entries in the streaming archive", async () => {
+    const workspace = createTestWorkspace();
+    let result: Awaited<ReturnType<typeof streamExportVBundle>> | undefined;
+    try {
+      const credentials = [
+        { account: "stream-key", value: "stream-secret-789" },
+      ];
+
+      result = await streamExportVBundle({
+        workspaceDir: workspace.dir,
+        credentials,
+      });
+
+      // Read the temp file and decompress
+      const archiveData = new Uint8Array(
+        await Bun.file(result.tempPath).arrayBuffer(),
+      );
+      const tar = gunzipSync(archiveData);
+      const entries = parseTar(tar);
+
+      expect(entries.has("credentials/stream-key")).toBe(true);
+
+      const decoder = new TextDecoder();
+      expect(decoder.decode(entries.get("credentials/stream-key")!)).toBe(
+        "stream-secret-789",
+      );
+
+      // Verify manifest entry
+      const credEntry = result.manifest.files.find(
+        (f) => f.path === "credentials/stream-key",
+      );
+      expect(credEntry).toBeDefined();
+      expect(credEntry!.sha256).toBe(
+        sha256Hex(new TextEncoder().encode("stream-secret-789")),
+      );
+    } finally {
+      await result?.cleanup();
+      workspace.cleanup();
+    }
+  });
+
+  test("streaming export without credentials has no credentials/ entries", async () => {
+    const workspace = createTestWorkspace();
+    let result: Awaited<ReturnType<typeof streamExportVBundle>> | undefined;
+    try {
+      result = await streamExportVBundle({
+        workspaceDir: workspace.dir,
+      });
+
+      const archiveData = new Uint8Array(
+        await Bun.file(result.tempPath).arrayBuffer(),
+      );
+      const tar = gunzipSync(archiveData);
+      const entries = parseTar(tar);
+
+      const credentialEntries = [...entries.keys()].filter((k) =>
+        k.startsWith("credentials/"),
+      );
+      expect(credentialEntries).toHaveLength(0);
+    } finally {
+      await result?.cleanup();
+      workspace.cleanup();
+    }
+  });
+});

package/src/runtime/migrations/__tests__/vbundle-import-credentials.test.ts

@@ -0,0 +1,162 @@
+/**
+ * Tests for credential import from vbundle archives.
+ *
+ * Covers:
+ * - extractCredentialsFromBundle() correctly extracts credential entries
+ * - DefaultPathResolver skips credentials/ paths (not written to disk)
+ * - Empty and missing credential entries are handled gracefully
+ */
+
+import { describe, expect, test } from "bun:test";
+
+import { DefaultPathResolver } from "../vbundle-import-analyzer.js";
+import { extractCredentialsFromBundle } from "../vbundle-importer.js";
+import type { ManifestType, VBundleTarEntry } from "../vbundle-validator.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeTarEntry(data: string): VBundleTarEntry {
+  const encoded = new TextEncoder().encode(data);
+  return { name: "", data: encoded, size: encoded.length };
+}
+
+function makeManifest(paths: string[]): ManifestType {
+  return {
+    schema_version: "1.0.0",
+    created_at: new Date().toISOString(),
+    source: "test",
+    manifest_sha256: "test",
+    files: paths.map((path) => ({
+      path,
+      size: 0,
+      sha256: "test",
+    })),
+  } as ManifestType;
+}
+
+// ---------------------------------------------------------------------------
+// extractCredentialsFromBundle
+// ---------------------------------------------------------------------------
+
+describe("extractCredentialsFromBundle", () => {
+  test("extracts credential entries from tar entries map", () => {
+    const entries = new Map<string, VBundleTarEntry>();
+    entries.set("credentials/openai-key", makeTarEntry("sk-test-123"));
+    entries.set("credentials/anthropic-key", makeTarEntry("sk-ant-456"));
+    entries.set("workspace/config.json", makeTarEntry('{"test": true}'));
+    entries.set("manifest.json", makeTarEntry("{}"));
+
+    const manifest = makeManifest([
+      "credentials/openai-key",
+      "credentials/anthropic-key",
+      "workspace/config.json",
+    ]);
+    const credentials = extractCredentialsFromBundle(entries, manifest);
+
+    expect(credentials).toHaveLength(2);
+    expect(credentials).toContainEqual({
+      account: "openai-key",
+      value: "sk-test-123",
+    });
+    expect(credentials).toContainEqual({
+      account: "anthropic-key",
+      value: "sk-ant-456",
+    });
+  });
+
+  test("returns empty array when no credential entries exist", () => {
+    const entries = new Map<string, VBundleTarEntry>();
+    entries.set("workspace/config.json", makeTarEntry('{"test": true}'));
+    entries.set("manifest.json", makeTarEntry("{}"));
+
+    const manifest = makeManifest(["workspace/config.json"]);
+    const credentials = extractCredentialsFromBundle(entries, manifest);
+
+    expect(credentials).toHaveLength(0);
+  });
+
+  test("returns empty array for empty entries map", () => {
+    const entries = new Map<string, VBundleTarEntry>();
+
+    const manifest = makeManifest([]);
+    const credentials = extractCredentialsFromBundle(entries, manifest);
+
+    expect(credentials).toHaveLength(0);
+  });
+
+  test("skips bare credentials/ path with no account name", () => {
+    const entries = new Map<string, VBundleTarEntry>();
+    entries.set("credentials/", makeTarEntry("some-value"));
+    entries.set("credentials/valid-key", makeTarEntry("valid-secret"));
+
+    const manifest = makeManifest(["credentials/", "credentials/valid-key"]);
+    const credentials = extractCredentialsFromBundle(entries, manifest);
+
+    expect(credentials).toHaveLength(1);
+    expect(credentials[0]).toEqual({
+      account: "valid-key",
+      value: "valid-secret",
+    });
+  });
+
+  test("ignores credential entries not declared in manifest", () => {
+    const entries = new Map<string, VBundleTarEntry>();
+    entries.set("credentials/declared-key", makeTarEntry("declared-secret"));
+    entries.set(
+      "credentials/undeclared-key",
+      makeTarEntry("undeclared-secret"),
+    );
+
+    const manifest = makeManifest(["credentials/declared-key"]);
+    const credentials = extractCredentialsFromBundle(entries, manifest);
+
+    expect(credentials).toHaveLength(1);
+    expect(credentials[0]).toEqual({
+      account: "declared-key",
+      value: "declared-secret",
+    });
+  });
+
+  test("handles credential values with special characters", () => {
+    const entries = new Map<string, VBundleTarEntry>();
+    entries.set(
+      "credentials/complex-key",
+      makeTarEntry("value with spaces & special=chars!"),
+    );
+
+    const manifest = makeManifest(["credentials/complex-key"]);
+    const credentials = extractCredentialsFromBundle(entries, manifest);
+
+    expect(credentials).toHaveLength(1);
+    expect(credentials[0]).toEqual({
+      account: "complex-key",
+      value: "value with spaces & special=chars!",
+    });
+  });
+});
+
+// ---------------------------------------------------------------------------
+// DefaultPathResolver — credential path skipping
+// ---------------------------------------------------------------------------
+
+describe("DefaultPathResolver skips credential paths", () => {
+  test("resolve() returns null for credentials/ paths", () => {
+    const resolver = new DefaultPathResolver("/tmp/workspace", "/tmp/hooks");
+
+    expect(resolver.resolve("credentials/openai-key")).toBeNull();
+    expect(resolver.resolve("credentials/anthropic-key")).toBeNull();
+    expect(resolver.resolve("credentials/")).toBeNull();
+  });
+
+  test("resolve() still resolves non-credential paths normally", () => {
+    const resolver = new DefaultPathResolver("/tmp/workspace", "/tmp/hooks");
+
+    // workspace/ paths should resolve
+    expect(resolver.resolve("workspace/config.json")).not.toBeNull();
+
+    // data/db should resolve
+    expect(resolver.resolve("data/db/assistant.db")).not.toBeNull();
+  });
+});

package/src/runtime/migrations/migration-transport.ts

@@ -202,6 +202,12 @@ export interface ImportCommitSuccessResponse {
   files: ImportedFileReport[];
   manifest: Manifest;
   warnings: string[];
+  credentialsImported?: {
+    total: number;
+    succeeded: number;
+    failed: number;
+    failedAccounts: string[];
+  };
 }
 
 export interface ImportCommitFailureResponse {

package/src/runtime/migrations/migration-wizard.ts

@@ -92,6 +92,14 @@ export interface MigrationWizardState {
   /** Import commit result. */
   importResult?: ImportCommitResponse;
 
+  /** Credential import results from the transfer step (if credentials were in the bundle). */
+  credentialsImported?: {
+    total: number;
+    succeeded: number;
+    failed: number;
+    failedAccounts: string[];
+  };
+
   /** Timestamp of last state change (ISO 8601). */
   updatedAt: string;
 
@@ -317,7 +325,11 @@ export function goBackTo(
       ? { preflightResult: undefined }
       : {}),
     ...(targetIdx <= STEP_INDEX.get("transfer")!
-      ? { exportResult: undefined, importResult: undefined }
+      ? {
+          exportResult: undefined,
+          importResult: undefined,
+          credentialsImported: undefined,
+        }
       : {}),
   });
 }
@@ -488,7 +500,14 @@ export async function executeTransferStep(
 
     if (importResult.success) {
       current = setStepStatus(current, "transfer", "success");
-      current = { ...current, currentStep: "rebind-secrets" };
+      // Extract credential import results from the response (if present)
+      current = {
+        ...current,
+        currentStep: "rebind-secrets",
+        ...(importResult.credentialsImported
+          ? { credentialsImported: importResult.credentialsImported }
+          : {}),
+      };
     } else {
       current = setStepStatus(current, "transfer", "error", {
         message:
@@ -639,6 +658,7 @@ export function prepareForResume(
       preflightResult: undefined,
       exportResult: undefined,
       importResult: undefined,
+      credentialsImported: undefined,
     };
   }