@vellumai/assistant 0.6.2 → 0.6.3

package/src/__tests__/conversation-starters-cadence.test.ts

@@ -0,0 +1,161 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { v4 as uuid } from "uuid";
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+import { maybeEnqueueConversationStartersJob } from "../memory/conversation-starters-cadence.js";
+import { getSqlite, initializeDb } from "../memory/db.js";
+
+initializeDb();
+
+function clearTables() {
+  getSqlite().run("DELETE FROM memory_graph_nodes");
+  getSqlite().run("DELETE FROM memory_jobs");
+  getSqlite().run("DELETE FROM memory_checkpoints");
+}
+
+function insertMemoryNode(scopeId = "default") {
+  const now = Date.now();
+  getSqlite().run(
+    `INSERT INTO memory_graph_nodes (
+      id, content, type, created, last_accessed, last_consolidated,
+      emotional_charge, fidelity, confidence, significance,
+      stability, reinforcement_count, last_reinforced,
+      source_conversations, source_type, scope_id
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, 'vivid', 0.8, 0.5, 14, 0, ?, '[]', 'inferred', ?)`,
+    [
+      uuid(),
+      "test statement",
+      "semantic",
+      now,
+      now,
+      now,
+      '{"valence":0,"intensity":0.1,"decayCurve":"linear","decayRate":0.05,"originalIntensity":0.1}',
+      now,
+      scopeId,
+    ],
+  );
+}
+
+function setCheckpoint(key: string, value: string) {
+  getSqlite().run(
+    `INSERT OR REPLACE INTO memory_checkpoints (key, value, updated_at) VALUES (?, ?, ?)`,
+    [key, value, Date.now()],
+  );
+}
+
+function getPendingJobs(): Array<{ type: string }> {
+  return getSqlite()
+    .prepare(
+      `SELECT type FROM memory_jobs WHERE type = 'generate_conversation_starters' AND status = 'pending'`,
+    )
+    .all() as Array<{ type: string }>;
+}
+
+beforeEach(() => {
+  clearTables();
+});
+
+describe("maybeEnqueueConversationStartersJob", () => {
+  test("no-op when zero memory nodes", () => {
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(0);
+  });
+
+  test("enqueues when threshold exceeded (<=10 nodes, threshold=1)", () => {
+    insertMemoryNode();
+    insertMemoryNode();
+
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(1);
+  });
+
+  test("no-op when delta below threshold", () => {
+    for (let i = 0; i < 5; i++) insertMemoryNode();
+
+    // Set checkpoint to current count — no new items since last gen
+    setCheckpoint("conversation_starters:item_count_at_last_gen:default", "5");
+
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(0);
+  });
+
+  test("uses higher threshold for larger memory counts (>50 nodes, threshold=10)", () => {
+    for (let i = 0; i < 55; i++) insertMemoryNode();
+
+    // Set checkpoint so delta is only 4 (below threshold of 10)
+    setCheckpoint(
+      "conversation_starters:item_count_at_last_gen:default",
+      "51",
+    );
+
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(0);
+
+    // Add more to exceed threshold
+    for (let i = 0; i < 6; i++) insertMemoryNode();
+
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(1);
+  });
+
+  test("dedup prevents double-enqueue", () => {
+    insertMemoryNode();
+    insertMemoryNode();
+
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(1);
+
+    // Call again — should not create a second job
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(1);
+  });
+
+  test("enqueues when active memory count drops below the last-generation checkpoint", () => {
+    // Start with 5 nodes and set checkpoint to 5
+    for (let i = 0; i < 5; i++) insertMemoryNode();
+    setCheckpoint("conversation_starters:item_count_at_last_gen:default", "5");
+
+    // Simulate pruning: mark 3 nodes as gone (reducing totalActive to 2)
+    const ids = (
+      getSqlite()
+        .prepare(`SELECT id FROM memory_graph_nodes LIMIT 3`)
+        .all() as Array<{ id: string }>
+    ).map((r) => r.id);
+    for (const id of ids) {
+      getSqlite().run(
+        `UPDATE memory_graph_nodes SET fidelity = 'gone' WHERE id = ?`,
+        [id],
+      );
+    }
+
+    // The checkpoint is now ahead of the active memory count. This should
+    // enqueue a refresh immediately so stale starters can recover.
+    maybeEnqueueConversationStartersJob("default");
+    expect(getPendingJobs()).toHaveLength(1);
+  });
+
+  test("scopes are independent", () => {
+    insertMemoryNode("scope-a");
+    insertMemoryNode("scope-b");
+
+    maybeEnqueueConversationStartersJob("scope-a");
+    maybeEnqueueConversationStartersJob("scope-b");
+
+    const jobs = getSqlite()
+      .prepare(
+        `SELECT payload FROM memory_jobs WHERE type = 'generate_conversation_starters' AND status = 'pending'`,
+      )
+      .all() as Array<{ payload: string }>;
+
+    expect(jobs).toHaveLength(2);
+    const payloads = jobs.map((j) => JSON.parse(j.payload).scopeId).sort();
+    expect(payloads).toEqual(["scope-a", "scope-b"]);
+  });
+});

package/src/__tests__/conversation-store.test.ts

@@ -1,5 +1,8 @@
+import { Database } from "bun:sqlite";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
+import { drizzle } from "drizzle-orm/bun-sqlite";
+
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -19,16 +22,28 @@ import {
   createConversation,
   deleteLastExchange,
   getConversation,
+  getConversationHostAccess,
   getConversationMemoryScopeId,
   getConversationType,
   getMessages,
+  updateConversationHostAccess,
 } from "../memory/conversation-crud.js";
 import { isLastUserMessageToolResult } from "../memory/conversation-queries.js";
 import { getDb, initializeDb } from "../memory/db.js";
+import { getSqliteFrom } from "../memory/db-connection.js";
+import { migrateConversationHostAccess } from "../memory/migrations/217-conversation-host-access.js";
+import * as schema from "../memory/schema.js";
 
 // Initialize db once before all tests
 initializeDb();
 
+function createMigrationTestDb() {
+  const sqlite = new Database(":memory:");
+  sqlite.exec("PRAGMA journal_mode=WAL");
+  sqlite.exec("PRAGMA foreign_keys = ON");
+  return drizzle(sqlite, { schema });
+}
+
 describe("deleteLastExchange", () => {
   beforeEach(() => {
     // Reset database between tests by dropping and recreating tables
@@ -406,6 +421,7 @@ describe("conversation metadata defaults", () => {
     expect(loaded).not.toBeNull();
     expect(loaded!.conversationType).toBe("standard");
     expect(loaded!.memoryScopeId).toBe("default");
+    expect(loaded!.hostAccess).toBe(0);
   });
 
   test("existing conversations without explicit values get defaults via migration", () => {
@@ -422,6 +438,7 @@ describe("conversation metadata defaults", () => {
     expect(loaded).not.toBeNull();
     expect(loaded!.conversationType).toBe("standard");
     expect(loaded!.memoryScopeId).toBe("default");
+    expect(loaded!.hostAccess).toBe(0);
   });
 });
 
@@ -506,6 +523,184 @@ describe("conversation metadata read helpers", () => {
   test("getConversationMemoryScopeId returns default for missing conversation", () => {
     expect(getConversationMemoryScopeId("nonexistent-id")).toBe("default");
   });
+
+  test("getConversationHostAccess returns false by default", () => {
+    const conv = createConversation("test");
+    expect(getConversationHostAccess(conv.id)).toBe(false);
+  });
+
+  test("getConversationHostAccess returns false for missing conversation", () => {
+    expect(getConversationHostAccess("nonexistent-id")).toBe(false);
+  });
+});
+
+describe("conversation host access persistence", () => {
+  beforeEach(() => {
+    const db = getDb();
+    db.run(`DELETE FROM messages`);
+    db.run(`DELETE FROM conversations`);
+  });
+
+  test("new conversations default host access to disabled", () => {
+    const conv = createConversation("test");
+    const loaded = getConversation(conv.id);
+
+    expect(conv.hostAccess).toBe(0);
+    expect(loaded).not.toBeNull();
+    expect(loaded!.hostAccess).toBe(0);
+    expect(getConversationHostAccess(conv.id)).toBe(false);
+  });
+
+  test("updateConversationHostAccess persists mutations", () => {
+    const conv = createConversation("test");
+
+    updateConversationHostAccess(conv.id, true);
+    expect(getConversationHostAccess(conv.id)).toBe(true);
+    expect(getConversation(conv.id)?.hostAccess).toBe(1);
+
+    updateConversationHostAccess(conv.id, false);
+    expect(getConversationHostAccess(conv.id)).toBe(false);
+    expect(getConversation(conv.id)?.hostAccess).toBe(0);
+  });
+});
+
+describe("conversation host access migration", () => {
+  function bootstrapPreHostAccessConversations(raw: Database): void {
+    raw.exec(/*sql*/ `
+      CREATE TABLE memory_checkpoints (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL,
+        updated_at INTEGER NOT NULL
+      )
+    `);
+
+    raw.exec(/*sql*/ `
+      CREATE TABLE conversations (
+        id TEXT PRIMARY KEY,
+        title TEXT,
+        created_at INTEGER NOT NULL,
+        updated_at INTEGER NOT NULL,
+        total_input_tokens INTEGER NOT NULL DEFAULT 0,
+        total_output_tokens INTEGER NOT NULL DEFAULT 0,
+        total_estimated_cost REAL NOT NULL DEFAULT 0,
+        context_summary TEXT,
+        context_compacted_message_count INTEGER NOT NULL DEFAULT 0,
+        context_compacted_at INTEGER,
+        conversation_type TEXT NOT NULL DEFAULT 'standard',
+        source TEXT NOT NULL DEFAULT 'user',
+        memory_scope_id TEXT NOT NULL DEFAULT 'default',
+        origin_channel TEXT,
+        origin_interface TEXT,
+        fork_parent_conversation_id TEXT,
+        fork_parent_message_id TEXT,
+        is_auto_title INTEGER NOT NULL DEFAULT 1,
+        schedule_job_id TEXT,
+        last_message_at INTEGER
+      )
+    `);
+  }
+
+  test("migration adds host access with disabled default for existing rows", () => {
+    const db = createMigrationTestDb();
+    const raw = getSqliteFrom(db);
+    const now = Date.now();
+
+    bootstrapPreHostAccessConversations(raw);
+    raw.exec(/*sql*/ `
+      INSERT INTO conversations (
+        id,
+        title,
+        created_at,
+        updated_at,
+        conversation_type,
+        source,
+        memory_scope_id,
+        is_auto_title
+      ) VALUES (
+        'conv-upgrade',
+        'Existing conversation',
+        ${now},
+        ${now},
+        'standard',
+        'user',
+        'default',
+        1
+      )
+    `);
+
+    migrateConversationHostAccess(db);
+
+    const row = raw
+      .query(
+        `SELECT id, title, host_access FROM conversations WHERE id = 'conv-upgrade'`,
+      )
+      .get() as {
+      id: string;
+      title: string | null;
+      host_access: number;
+    } | null;
+
+    expect(row).toEqual({
+      id: "conv-upgrade",
+      title: "Existing conversation",
+      host_access: 0,
+    });
+
+    const checkpoint = raw
+      .query(
+        `SELECT value FROM memory_checkpoints WHERE key = 'migration_conversation_host_access_v1'`,
+      )
+      .get() as { value: string } | null;
+    expect(checkpoint?.value).toBe("1");
+  });
+
+  test("re-running the migration preserves existing host access values", () => {
+    const db = createMigrationTestDb();
+    const raw = getSqliteFrom(db);
+    const now = Date.now();
+
+    bootstrapPreHostAccessConversations(raw);
+    raw.exec(/*sql*/ `
+      INSERT INTO conversations (
+        id,
+        title,
+        created_at,
+        updated_at,
+        conversation_type,
+        source,
+        memory_scope_id,
+        is_auto_title
+      ) VALUES (
+        'conv-rerun',
+        'Existing conversation',
+        ${now},
+        ${now},
+        'standard',
+        'user',
+        'default',
+        1
+      )
+    `);
+
+    migrateConversationHostAccess(db);
+    raw.exec(
+      `UPDATE conversations SET host_access = 1 WHERE id = 'conv-rerun'`,
+    );
+
+    expect(() => migrateConversationHostAccess(db)).not.toThrow();
+
+    const row = raw
+      .query(`SELECT host_access FROM conversations WHERE id = 'conv-rerun'`)
+      .get() as { host_access: number } | null;
+    const checkpoint = raw
+      .query(
+        `SELECT value FROM memory_checkpoints WHERE key = 'migration_conversation_host_access_v1'`,
+      )
+      .get() as { value: string } | null;
+
+    expect(row).toEqual({ host_access: 1 });
+    expect(checkpoint?.value).toBe("1");
+  });
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/conversation-workspace-cache-state.test.ts

@@ -269,6 +269,199 @@ describe("Conversation workspace cache state", () => {
     expect(conversation.isWorkspaceTopLevelDirty()).toBe(false);
   });
 
+  test("renders client-reported host env when set on the conversation", () => {
+    conversation.hostHomeDir = "/Users/alice";
+    conversation.hostUsername = "alice";
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+
+    const block = conversation.getWorkspaceTopLevelContext();
+    expect(block).not.toBeNull();
+    expect(block!).toContain("Host home directory: /Users/alice");
+    expect(block!).toContain("Host username: alice");
+  });
+
+  test("falls back to daemon os info when client host env is absent", async () => {
+    const { homedir, userInfo } = await import("node:os");
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+
+    const block = conversation.getWorkspaceTopLevelContext();
+    expect(block).not.toBeNull();
+    expect(block!).toContain(`Host home directory: ${homedir()}`);
+    expect(block!).toContain(`Host username: ${userInfo().username}`);
+  });
+
+  test("re-renders with updated host env after marking dirty", () => {
+    conversation.hostHomeDir = "/Users/alice";
+    conversation.hostUsername = "alice";
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+    expect(conversation.getWorkspaceTopLevelContext()!).toContain(
+      "Host home directory: /Users/alice",
+    );
+
+    conversation.hostHomeDir = "/Users/bob";
+    conversation.hostUsername = "bob";
+    conversation.markWorkspaceTopLevelDirty();
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+
+    const block = conversation.getWorkspaceTopLevelContext();
+    expect(block).not.toBeNull();
+    expect(block!).toContain("Host home directory: /Users/bob");
+    expect(block!).toContain("Host username: bob");
+    expect(block!).not.toContain("Host home directory: /Users/alice");
+    expect(block!).not.toContain("Host username: alice");
+  });
+
+  test("falls back to os info after clearing macOS host env (cross-interface reuse)", async () => {
+    const { homedir, userInfo } = await import("node:os");
+
+    // Simulate a macOS turn populating host env.
+    conversation.hostHomeDir = "/Users/alice";
+    conversation.hostUsername = "alice";
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+    expect(conversation.getWorkspaceTopLevelContext()!).toContain(
+      "Host home directory: /Users/alice",
+    );
+
+    // Simulate a subsequent non-macOS turn (iOS, CLI, channel) on the same
+    // conversation clearing the host env — without the clear, the stale
+    // macOS paths would leak into the next render.
+    conversation.hostHomeDir = undefined;
+    conversation.hostUsername = undefined;
+    conversation.markWorkspaceTopLevelDirty();
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+
+    const block = conversation.getWorkspaceTopLevelContext();
+    expect(block).not.toBeNull();
+    expect(block!).toContain(`Host home directory: ${homedir()}`);
+    expect(block!).toContain(`Host username: ${userInfo().username}`);
+    expect(block!).not.toContain("Host home directory: /Users/alice");
+    expect(block!).not.toContain("Host username: alice");
+  });
+
+  // -------------------------------------------------------------------------
+  // applyHostEnvFromTransport — capability-gated setter
+  // -------------------------------------------------------------------------
+
+  test("applyHostEnvFromTransport populates fields for host-proxy transports", () => {
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+
+    expect(conversation.hostHomeDir).toBe("/Users/alice");
+    expect(conversation.hostUsername).toBe("alice");
+    expect(conversation.isWorkspaceTopLevelDirty()).toBe(true);
+
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+    const block = conversation.getWorkspaceTopLevelContext();
+    expect(block!).toContain("Host home directory: /Users/alice");
+    expect(block!).toContain("Host username: alice");
+  });
+
+  test("applyHostEnvFromTransport clears fields for non-host-proxy transports", () => {
+    // Seed with a host-proxy turn.
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+    expect(conversation.hostHomeDir).toBe("/Users/alice");
+
+    // Apply a non-host-proxy transport — should clear the stored values so
+    // the next render doesn't leak them from a cross-interface reuse.
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "ios",
+    });
+
+    expect(conversation.hostHomeDir).toBeUndefined();
+    expect(conversation.hostUsername).toBeUndefined();
+    expect(conversation.isWorkspaceTopLevelDirty()).toBe(true);
+  });
+
+  test("applyHostEnvFromTransport clears fields for chrome-extension (browser-only)", () => {
+    // chrome-extension supports only host_browser — the no-arg supportsHostProxy
+    // returns false for it, so the gate treats it as a non-host-proxy transport
+    // for the purposes of host env (no local filesystem to address).
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "chrome-extension",
+    });
+
+    expect(conversation.hostHomeDir).toBeUndefined();
+    expect(conversation.hostUsername).toBeUndefined();
+  });
+
+  test("applyHostEnvFromTransport handles transport with no interfaceId", () => {
+    // Seed and then apply a transport without an interfaceId (legacy/channel
+    // paths may omit it). The gate should clear any stored host env.
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+    });
+
+    expect(conversation.hostHomeDir).toBeUndefined();
+    expect(conversation.hostUsername).toBeUndefined();
+  });
+
+  test("applyHostEnvFromTransport does not mark dirty when values are unchanged", () => {
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+    // Render once so the dirty flag clears.
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+    expect(conversation.isWorkspaceTopLevelDirty()).toBe(false);
+
+    // Re-apply the same values — dirty flag should remain false so we don't
+    // thrash the cached workspace block on every message.
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+    expect(conversation.isWorkspaceTopLevelDirty()).toBe(false);
+  });
+
+  test("applyHostEnvFromTransport marks dirty when macOS values change", () => {
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/alice",
+      hostUsername: "alice",
+    });
+    conversation.refreshWorkspaceTopLevelContextIfNeeded();
+    expect(conversation.isWorkspaceTopLevelDirty()).toBe(false);
+
+    // New values — should mark dirty so the next render picks them up.
+    conversation.applyHostEnvFromTransport({
+      channelId: "vellum",
+      interfaceId: "macos",
+      hostHomeDir: "/Users/bob",
+      hostUsername: "bob",
+    });
+    expect(conversation.isWorkspaceTopLevelDirty()).toBe(true);
+  });
+
   test("workspace hints follow the resolved legacy directory when canonical is absent", () => {
     const workspaceRoot = mkdtempSync(
       join(tmpdir(), "conversation-workspace-cache-state-"),

package/src/__tests__/credential-execution-approval-bridge.test.ts

@@ -12,7 +12,7 @@
  * 7. Error handling: record_grant RPC failure returns error outcome.
  */
 
-import { describe, expect, test } from "bun:test";
+import { beforeEach, describe, expect, test } from "bun:test";
 
 import type {
   ApprovalRequired,
@@ -22,6 +22,7 @@ import type {
   RecordGrantResponse,
 } from "@vellumai/ces-contracts";
 
+import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
 import { bridgeCesApproval } from "../credential-execution/approval-bridge.js";
 import type { CesClient } from "../credential-execution/client.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
@@ -166,6 +167,36 @@ function makeCesClient(
 // ---------------------------------------------------------------------------
 
 describe("CES approval bridge", () => {
+  beforeEach(() => {
+    _setOverridesForTesting({});
+  });
+
+  test("suppresses deterministic CES approval prompts and auto-allows under v2", async () => {
+    _setOverridesForTesting({ "permission-controls-v2": true });
+
+    const prompter = makePrompter("allow");
+    const cesClient = makeCesClient();
+
+    const result = await bridgeCesApproval(
+      makeApprovalRequired(),
+      prompter,
+      cesClient,
+      { isInteractive: true, conversationId: "session-1" },
+    );
+
+    expect(result.outcome).toBe("approved");
+    if (result.outcome === "approved") {
+      expect(result.userDecision).toBe("allow");
+      expect(result.grantId).toBe("grant-001");
+    }
+    expect(prompter.promptCalls).toHaveLength(0);
+    expect(cesClient.recordGrantCalls).toHaveLength(1);
+    expect(cesClient.recordGrantCalls[0]?.decision.decision).toBe("approved");
+    expect(cesClient.recordGrantCalls[0]?.decision.grantType).toBe(
+      "allow_once",
+    );
+  });
+
   describe("single-use approval", () => {
     test("allow decision commits grant to CES and returns grantId", async () => {
       const prompter = makePrompter("allow");

package/src/__tests__/credential-security-invariants.test.ts

@@ -194,6 +194,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "oauth/token-persistence.ts", // OAuth token persistence (set/delete tokens)
       "oauth/connection-resolver.ts", // resolve OAuthConnection from oauth-store (access_token lookup)
       "runtime/routes/secret-routes.ts", // HTTP secret management routes (set/delete secrets)
+      "runtime/routes/migration-routes.ts", // migration import credential restore
       "daemon/conversation-messaging.ts", // credential storage during session messaging
       "runtime/routes/settings-routes.ts", // settings routes OAuth credential lookup (client_secret)
       "oauth/oauth-store.ts", // OAuth provider disconnect (delete stored tokens)

package/src/__tests__/credential-vault-unit.test.ts

@@ -60,11 +60,11 @@ let slackChannelConfigCalls: Array<{
 }> = [];
 
 mock.module("../oauth/manual-token-connection.js", () => ({
-  syncManualTokenConnection: async (providerKey: string) => {
+  syncManualTokenConnection: async (provider: string) => {
     const { credentialKey } = await import("../security/credential-key.js");
     const { getSecureKeyAsync } = await import("../security/secure-keys.js");
 
-    if (providerKey === "slack_channel") {
+    if (provider === "slack_channel") {
       const hasBotToken = !!(await getSecureKeyAsync(
         credentialKey("slack_channel", "bot_token"),
       ));
@@ -72,9 +72,9 @@ mock.module("../oauth/manual-token-connection.js", () => ({
         credentialKey("slack_channel", "app_token"),
       ));
       if (hasBotToken && hasAppToken) {
-        manualConnectionStore[providerKey] = "active";
+        manualConnectionStore[provider] = "active";
       } else {
-        delete manualConnectionStore[providerKey];
+        delete manualConnectionStore[provider];
       }
     }
   },