@vellumai/assistant 0.6.2 → 0.6.3

package/src/security/secure-keys.ts

@@ -86,6 +86,15 @@ let _cesHttpUnreachable = false;
 /** Minimum interval between CES reconnection attempts. */
 const RECONNECT_COOLDOWN_MS = 3_000;
 
+/**
+ * Hard timeout for each public credential operation (resolve + backend call).
+ * Prevents indefinite blocking when CES reconnection or backend operations hang.
+ *
+ * Set to 45s to comfortably cover the CES HTTP set worst case (~34s:
+ * 3 fetch attempts × 10s REQUEST_TIMEOUT_MS + 2 × 2s SET_RETRY_DELAY_MS).
+ */
+const CREDENTIAL_OP_TIMEOUT_MS = 45_000;
+
 /** Inject a CES RPC client for credential routing. Resets the resolved backend. */
 export function setCesClient(client: CesClient | undefined): void {
   _cesClient = client;
@@ -308,16 +317,58 @@ function updateCesHttpReachability(
   }
 }
 
+// ---------------------------------------------------------------------------
+// Timeout helper
+// ---------------------------------------------------------------------------
+
+const CREDENTIAL_TIMEOUT_MSG = "Credential operation timed out";
+
+/**
+ * Race a credential operation against a hard deadline. If the operation
+ * does not settle within `CREDENTIAL_OP_TIMEOUT_MS`, return the supplied
+ * fallback value so callers degrade gracefully instead of hanging.
+ *
+ * Non-timeout errors from `op()` are propagated to callers rather than
+ * silently swallowed — only genuine timeouts return the fallback.
+ */
+async function withCredentialTimeout<T>(
+  op: () => Promise<T>,
+  fallback: T,
+): Promise<T> {
+  return new Promise<T>((resolve, reject) => {
+    const timer = setTimeout(() => {
+      log.warn(CREDENTIAL_TIMEOUT_MSG + " — returning fallback");
+      resolve(fallback);
+    }, CREDENTIAL_OP_TIMEOUT_MS);
+
+    op().then(
+      (val) => {
+        clearTimeout(timer);
+        resolve(val);
+      },
+      (err) => {
+        clearTimeout(timer);
+        reject(err);
+      },
+    );
+  });
+}
+
 /**
  * List all account names from the resolved backend (async).
  *
  * Queries exactly one backend — no cross-store merge.
  */
 export async function listSecureKeysAsync(): Promise<CredentialListResult> {
-  const backend = await resolveBackendAsync();
-  const result = await backend.list();
-  updateCesHttpReachability(backend, result.unreachable);
-  return result;
+  return withCredentialTimeout(
+    async () => {
+      const backend = await resolveBackendAsync();
+      const result = await backend.list();
+      updateCesHttpReachability(backend, result.unreachable);
+      return result;
+    },
+    { accounts: [], unreachable: true },
+  );
 }
 
 // ---------------------------------------------------------------------------
@@ -336,13 +387,18 @@ export async function listSecureKeysAsync(): Promise<CredentialListResult> {
 export async function getSecureKeyResultAsync(
   account: string,
 ): Promise<SecureKeyResult> {
-  const backend = await resolveBackendAsync();
-  const result = await backend.get(account);
-  updateCesHttpReachability(backend, result.unreachable);
-  if (result.value != null) {
-    return { value: result.value, unreachable: false };
-  }
-  return { value: undefined, unreachable: result.unreachable };
+  return withCredentialTimeout(
+    async () => {
+      const backend = await resolveBackendAsync();
+      const result = await backend.get(account);
+      updateCesHttpReachability(backend, result.unreachable);
+      if (result.value != null) {
+        return { value: result.value, unreachable: false };
+      }
+      return { value: undefined, unreachable: result.unreachable };
+    },
+    { value: undefined, unreachable: true },
+  );
 }
 
 /**
@@ -364,16 +420,18 @@ export async function setSecureKeyAsync(
   account: string,
   value: string,
 ): Promise<boolean> {
-  const backend = await resolveBackendAsync();
-  const ok = await backend.set(account, value);
-  if (!ok) {
-    log.warn(
-      { account, backend: backend.name },
-      "Credential backend set failed",
-    );
-  }
-  updateCesHttpReachability(backend, !ok);
-  return ok;
+  return withCredentialTimeout(async () => {
+    const backend = await resolveBackendAsync();
+    const ok = await backend.set(account, value);
+    if (!ok) {
+      log.warn(
+        { account, backend: backend.name },
+        "Credential backend set failed",
+      );
+    }
+    updateCesHttpReachability(backend, !ok);
+    return ok;
+  }, false);
 }
 
 /**
@@ -384,10 +442,45 @@ export async function setSecureKeyAsync(
 export async function deleteSecureKeyAsync(
   account: string,
 ): Promise<DeleteResult> {
-  const backend = await resolveBackendAsync();
-  const result = await backend.delete(account);
-  updateCesHttpReachability(backend, result === "error");
-  return result;
+  return withCredentialTimeout(async () => {
+    const backend = await resolveBackendAsync();
+    const result = await backend.delete(account);
+    updateCesHttpReachability(backend, result === "error");
+    return result;
+  }, "error");
+}
+
+/**
+ * Bulk-set multiple credentials in a single operation.
+ *
+ * Uses the backend's native `bulkSet` when available (CES RPC / HTTP),
+ * otherwise falls back to individual `set` calls.
+ */
+export async function bulkSetSecureKeysAsync(
+  credentials: Array<{ account: string; value: string }>,
+): Promise<Array<{ account: string; ok: boolean }>> {
+  return withCredentialTimeout(
+    async () => {
+      const backend = await resolveBackendAsync();
+      if (backend.bulkSet) {
+        const results = await backend.bulkSet(credentials);
+        const anyFailed = results.some((r) => !r.ok);
+        updateCesHttpReachability(backend, anyFailed);
+        return results;
+      }
+      // Fallback: loop individual sets
+      const results = [];
+      let anyFailed = false;
+      for (const { account, value } of credentials) {
+        const ok = await backend.set(account, value);
+        if (!ok) anyFailed = true;
+        results.push({ account, ok });
+      }
+      updateCesHttpReachability(backend, anyFailed);
+      return results;
+    },
+    credentials.map((c) => ({ account: c.account, ok: false })),
+  );
 }
 
 // ---------------------------------------------------------------------------

package/src/security/token-manager.ts

@@ -1,7 +1,7 @@
 /**
  * Token manager for OAuth2 credentials.
  *
- * Reads refresh configuration (tokenUrl, clientId, authMethod) exclusively
+ * Reads refresh configuration (refreshUrl with fallback to tokenExchangeUrl, clientId, authMethod) exclusively
  * from the SQLite oauth-store (provider + app + connection rows). After a
  * successful refresh, writes tokens to new-format secure key paths and
  * updates the oauth_connection row.
@@ -90,7 +90,12 @@ const secureKeyBackend: SecureKeyBackend = {
 
 /** Shared shape for resolved refresh configuration. */
 interface RefreshConfig {
-  tokenUrl: string;
+  /**
+   * Token endpoint used for the refresh grant. Resolved from
+   * `provider.refreshUrl` when set to a non-empty string, otherwise
+   * `provider.tokenExchangeUrl` (matching platform's Python `or` semantics).
+   */
+  tokenExchangeUrl: string;
   clientId: string;
   /** OAuth client secret (optional — PKCE flows may omit it). */
   secret?: string;
@@ -102,8 +107,9 @@ interface RefreshConfig {
 /**
  * Resolve refresh configuration from the SQLite oauth-store.
  *
- * Looks up connection -> app -> provider to read tokenUrl, clientId, and
- * authMethod. Throws `TokenExpiredError` if the connection is not found
+ * Looks up connection -> app -> provider to read the refresh endpoint (preferring
+ * `provider.refreshUrl`, falling back to `provider.tokenExchangeUrl`), clientId,
+ * and authMethod. Throws `TokenExpiredError` if the connection is not found
  * or incomplete.
  */
 async function resolveRefreshConfig(
@@ -126,7 +132,7 @@ async function resolveRefreshConfig(
     );
   }
 
-  const provider = getProvider(conn.providerKey);
+  const provider = getProvider(conn.provider);
   if (!provider) {
     throw new TokenExpiredError(
       service,
@@ -134,9 +140,16 @@ async function resolveRefreshConfig(
     );
   }
 
-  const tokenUrl = provider.tokenUrl;
+  // Prefer provider.refreshUrl when set; fall back to tokenExchangeUrl.
+  // This mirrors platform's `oauth_app.refresh_url or oauth_app.token_exchange_url`
+  // in `token_service.py:112`, so both repos resolve the refresh endpoint
+  // identically for managed and BYO flows. We use `||` (not `??`) so empty
+  // strings fall back to tokenExchangeUrl — matching Python's `or` semantics
+  // and preventing a malformed provider row with `refreshUrl: ""` from
+  // resolving to an empty endpoint.
+  const tokenExchangeUrl = provider.refreshUrl || provider.tokenExchangeUrl;
   const resolvedClientId = app.clientId;
-  if (!tokenUrl || !resolvedClientId) {
+  if (!tokenExchangeUrl || !resolvedClientId) {
     throw new TokenExpiredError(
       service,
       `Missing OAuth2 refresh config for "${service}".${recoveryHint(service)}`,
@@ -155,7 +168,7 @@ async function resolveRefreshConfig(
 
   return {
     connId: conn.id,
-    tokenUrl,
+    tokenExchangeUrl,
     clientId: resolvedClientId,
     secret,
     refreshToken,
@@ -175,7 +188,7 @@ async function resolveRefreshConfig(
 async function doRefresh(service: string, connId: string): Promise<string> {
   const refreshConfig = await resolveRefreshConfig(service, connId);
   const {
-    tokenUrl,
+    tokenExchangeUrl,
     clientId: resolvedClientId,
     secret,
     authMethod,
@@ -204,7 +217,7 @@ async function doRefresh(service: string, connId: string): Promise<string> {
   let result;
   try {
     result = await refreshOAuth2Token(
-      tokenUrl,
+      tokenExchangeUrl,
       resolvedClientId,
       refreshToken,
       secret,