npm - @vellumai/assistant - Versions diffs - 0.6.2 → 0.6.4 - Mend

@vellumai/assistant 0.6.2 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (895) hide show

package/ARCHITECTURE.md +273 -10
package/Dockerfile +2 -3
package/bun.lock +41 -49
package/bunfig.toml +3 -0
package/docs/architecture/memory.md +1 -1
package/docs/backup-troubleshooting.md +52 -0
package/docs/browser-use-architecture-phase2.md +174 -0
package/docs/stt-provider-onboarding.md +120 -0
package/knip.json +12 -2
package/node_modules/@vellumai/ces-contracts/bun.lock +8 -6
package/node_modules/@vellumai/ces-contracts/package.json +3 -3
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +42 -0
package/openapi.yaml +1111 -86
package/package.json +40 -42
package/scripts/generate-openapi.ts +0 -2
package/scripts/test.sh +73 -18
package/src/__tests__/acp-session.test.ts +43 -0
package/src/__tests__/agent-image-optimize.test.ts +28 -0
package/src/__tests__/agent-loop.test.ts +123 -0
package/src/__tests__/anthropic-provider.test.ts +263 -10
package/src/__tests__/app-builder-tool-scripts.test.ts +1 -0
package/src/__tests__/app-executors.test.ts +1 -0
package/src/__tests__/app-source-watcher.test.ts +37 -11
package/src/__tests__/approval-routes-http.test.ts +178 -1
package/src/__tests__/auto-analysis-end-to-end.test.ts +550 -0
package/src/__tests__/auto-analysis-prompt.test.ts +50 -0
package/src/__tests__/browser-fill-credential.test.ts +240 -94
package/src/__tests__/browser-manager.test.ts +40 -27
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +2 -2
package/src/__tests__/browser-skill-endstate.test.ts +31 -7
package/src/__tests__/btw-routes.test.ts +7 -0
package/src/__tests__/call-controller.test.ts +581 -20
package/src/__tests__/catalog-files.test.ts +1000 -0
package/src/__tests__/channel-approvals.test.ts +53 -0
package/src/__tests__/channel-invite-transport.test.ts +2 -2
package/src/__tests__/channel-readiness-routes.test.ts +16 -20
package/src/__tests__/channel-readiness-service.test.ts +12 -7
package/src/__tests__/checker.test.ts +157 -10
package/src/__tests__/clawhub-files.test.ts +347 -0
package/src/__tests__/commit-message-enrichment-service.test.ts +36 -19
package/src/__tests__/config-analysis.test.ts +100 -0
package/src/__tests__/config-managed-gemini-defaults.test.ts +326 -0
package/src/__tests__/config-schema-cmd.test.ts +2 -2
package/src/__tests__/config-schema.test.ts +1248 -224
package/src/__tests__/config-watcher-cleanup-throttle.test.ts +339 -0
package/src/__tests__/config-watcher.test.ts +43 -8
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +23 -0
package/src/__tests__/contact-store-user-file.test.ts +512 -0
package/src/__tests__/contacts-write.test.ts +197 -0
package/src/__tests__/context-overflow-approval.test.ts +16 -1
package/src/__tests__/context-window-manager.test.ts +88 -0
package/src/__tests__/conversation-abort-tool-results.test.ts +2 -0
package/src/__tests__/conversation-agent-loop-overflow.test.ts +2 -1
package/src/__tests__/conversation-agent-loop.test.ts +99 -3
package/src/__tests__/conversation-analysis-routes.test.ts +2 -2
package/src/__tests__/conversation-attachments.test.ts +80 -4
package/src/__tests__/conversation-confirmation-signals.test.ts +290 -0
package/src/__tests__/conversation-error.test.ts +70 -0
package/src/__tests__/conversation-fork-crud.test.ts +17 -0
package/src/__tests__/conversation-history-web-search.test.ts +12 -4
package/src/__tests__/conversation-host-access-routes.test.ts +229 -0
package/src/__tests__/conversation-init.benchmark.test.ts +6 -1
package/src/__tests__/conversation-inject-context.test.ts +103 -0
package/src/__tests__/conversation-launcher-skill-regression.test.ts +51 -0
package/src/__tests__/conversation-list-source.test.ts +145 -0
package/src/__tests__/conversation-pre-run-repair.test.ts +2 -0
package/src/__tests__/conversation-provider-retry-repair.test.ts +2 -0
package/src/__tests__/conversation-queue.test.ts +946 -62
package/src/__tests__/conversation-routes-disk-view.test.ts +275 -0
package/src/__tests__/conversation-routes-guardian-reply.test.ts +16 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/conversation-runtime-assembly.test.ts +324 -46
package/src/__tests__/conversation-skill-tools.test.ts +7 -4
package/src/__tests__/conversation-slash-commands.test.ts +33 -0
package/src/__tests__/conversation-slash-queue.test.ts +89 -18
package/src/__tests__/conversation-slash-unknown.test.ts +2 -0
package/src/__tests__/conversation-starter-routes.test.ts +126 -0
package/src/__tests__/conversation-starters-cadence.test.ts +161 -0
package/src/__tests__/conversation-store.test.ts +195 -0
package/src/__tests__/conversation-tool-setup-batch-authorized.test.ts +226 -0
package/src/__tests__/conversation-workspace-cache-state.test.ts +193 -0
package/src/__tests__/conversation-workspace-injection.test.ts +2 -0
package/src/__tests__/conversation-workspace-tool-tracking.test.ts +2 -0
package/src/__tests__/credential-execution-approval-bridge.test.ts +32 -1
package/src/__tests__/credential-health-service.test.ts +352 -0
package/src/__tests__/credential-security-invariants.test.ts +6 -3
package/src/__tests__/credential-vault-unit.test.ts +383 -7
package/src/__tests__/credential-vault.test.ts +152 -13
package/src/__tests__/credentials-cli.test.ts +42 -18
package/src/__tests__/cross-provider-web-search.test.ts +146 -35
package/src/__tests__/date-context.test.ts +4 -4
package/src/__tests__/deterministic-verification-control-plane.test.ts +10 -1
package/src/__tests__/device-id.test.ts +112 -0
package/src/__tests__/docker-signing-key-bootstrap.test.ts +167 -4
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +1 -3
package/src/__tests__/email-html-renderer.test.ts +71 -0
package/src/__tests__/email-invite-adapter.test.ts +36 -32
package/src/__tests__/embedding-managed-proxy-selection.test.ts +256 -0
package/src/__tests__/emit-event-signal.test.ts +71 -0
package/src/__tests__/extension-id-sync-guard.test.ts +222 -0
package/src/__tests__/fixtures/mock-chrome-extension.ts +386 -0
package/src/__tests__/gateway-only-enforcement.test.ts +206 -1
package/src/__tests__/gateway-only-guard.test.ts +2 -0
package/src/__tests__/gemini-provider.test.ts +66 -2
package/src/__tests__/get-skill-detail-audit.test.ts +325 -0
package/src/__tests__/gmail-archive-fallback.test.ts +193 -0
package/src/__tests__/gmail-archive-gate.test.ts +246 -0
package/src/__tests__/gmail-preferences.test.ts +117 -0
package/src/__tests__/guardian-routing-invariants.test.ts +70 -2
package/src/__tests__/headless-browser-interactions.test.ts +738 -359
package/src/__tests__/headless-browser-mode.test.ts +614 -0
package/src/__tests__/headless-browser-navigate.test.ts +528 -49
package/src/__tests__/headless-browser-read-tools.test.ts +274 -100
package/src/__tests__/headless-browser-snapshot.test.ts +250 -77
package/src/__tests__/heartbeat-service.test.ts +70 -17
package/src/__tests__/home-state-routes.test.ts +162 -0
package/src/__tests__/host-bash-proxy.test.ts +145 -1
package/src/__tests__/host-browser-e2e-cloud.test.ts +596 -0
package/src/__tests__/host-browser-e2e-self-hosted-capability.test.ts +286 -0
package/src/__tests__/host-browser-e2e-self-hosted.test.ts +374 -0
package/src/__tests__/host-browser-event-routes.test.ts +350 -0
package/src/__tests__/host-browser-proxy.test.ts +444 -0
package/src/__tests__/host-browser-routes.test.ts +198 -0
package/src/__tests__/host-browser-ws-events-e2e.test.ts +423 -0
package/src/__tests__/host-cu-proxy.test.ts +166 -1
package/src/__tests__/host-file-proxy.test.ts +185 -1
package/src/__tests__/host-file-read-tool.test.ts +52 -0
package/src/__tests__/host-proxy-interface.test.ts +165 -0
package/src/__tests__/host-shell-tool.test.ts +1 -11
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/identity-intro-cache.test.ts +40 -10
package/src/__tests__/init-feature-flag-overrides.test.ts +38 -112
package/src/__tests__/integration-status.test.ts +6 -7
package/src/__tests__/jobs-store-upsert-debounced.test.ts +141 -0
package/src/__tests__/list-messages-tool-merge.test.ts +37 -12
package/src/__tests__/llm-context-normalization.test.ts +488 -0
package/src/__tests__/llm-context-route-provider.test.ts +86 -5
package/src/__tests__/llm-usage-store.test.ts +363 -0
package/src/__tests__/mcp-client-auth.test.ts +40 -4
package/src/__tests__/mcp-health-check.test.ts +10 -3
package/src/__tests__/media-stream-output.test.ts +555 -0
package/src/__tests__/media-stream-parser.test.ts +374 -0
package/src/__tests__/media-stream-server-integration.test.ts +1234 -0
package/src/__tests__/media-stream-stt-session.test.ts +588 -0
package/src/__tests__/media-turn-detector.test.ts +440 -0
package/src/__tests__/message-queue.test.ts +125 -0
package/src/__tests__/migration-cross-version-compatibility.test.ts +3 -1
package/src/__tests__/migration-export-http.test.ts +67 -8
package/src/__tests__/migration-export-streaming.test.ts +66 -0
package/src/__tests__/migration-import-commit-http.test.ts +109 -7
package/src/__tests__/migration-import-preflight-http.test.ts +6 -5
package/src/__tests__/migration-validate-http.test.ts +3 -3
package/src/__tests__/mock-gateway-ipc.ts +151 -0
package/src/__tests__/model-intents.test.ts +2 -2
package/src/__tests__/native-host-marker-sync-guard.test.ts +157 -0
package/src/__tests__/oauth-apps-routes.test.ts +18 -12
package/src/__tests__/oauth-cli.test.ts +709 -60
package/src/__tests__/oauth-connect-orchestrator.test.ts +118 -24
package/src/__tests__/oauth-provider-seed-logos.test.ts +23 -0
package/src/__tests__/oauth-provider-serializer.test.ts +147 -10
package/src/__tests__/oauth-provider-visibility.test.ts +19 -21
package/src/__tests__/oauth-providers-routes.test.ts +52 -14
package/src/__tests__/oauth-store.test.ts +1465 -176
package/src/__tests__/oauth2-gateway-transport.test.ts +460 -26
package/src/__tests__/onboarding-template-contract.test.ts +81 -70
package/src/__tests__/openai-provider.test.ts +178 -2
package/src/__tests__/openai-responses-cutover-guard.test.ts +184 -0
package/src/__tests__/openai-responses-provider.test.ts +1105 -0
package/src/__tests__/openrouter-token-estimation.test.ts +100 -0
package/src/__tests__/outlook-categories.test.ts +1 -1
package/src/__tests__/outlook-client-automation.test.ts +1 -1
package/src/__tests__/outlook-compose-tools.test.ts +1 -1
package/src/__tests__/outlook-email-watcher.test.ts +1 -1
package/src/__tests__/outlook-follow-up.test.ts +1 -1
package/src/__tests__/outlook-messaging-provider.test.ts +2 -2
package/src/__tests__/outlook-trash.test.ts +1 -1
package/src/__tests__/outlook-unsubscribe.test.ts +32 -3
package/src/__tests__/permission-checker-host-gate.test.ts +74 -14
package/src/__tests__/permission-mode.test.ts +28 -56
package/src/__tests__/persona-resolver.test.ts +251 -0
package/src/__tests__/platform-bash-auto-approve.test.ts +4 -0
package/src/__tests__/platform-callback-registration.test.ts +19 -0
package/src/__tests__/platform.test.ts +92 -1
package/src/__tests__/post-turn-tool-result-truncation.test.ts +343 -0
package/src/__tests__/prechat-onboarding-contract.test.ts +267 -0
package/src/__tests__/pricing.test.ts +174 -0
package/src/__tests__/proxy-approval-callback.test.ts +18 -0
package/src/__tests__/qdrant-manager.test.ts +29 -8
package/src/__tests__/regenerate-fire-and-forget-trace.test.ts +194 -0
package/src/__tests__/relationship-state-contract.test.ts +175 -0
package/src/__tests__/relay-server.test.ts +423 -5
package/src/__tests__/require-fresh-approval.test.ts +40 -1
package/src/__tests__/sanitize-config-for-transfer.test.ts +132 -0
package/src/__tests__/schedule-routes.test.ts +162 -0
package/src/__tests__/search-skills-unified.test.ts +118 -0
package/src/__tests__/secret-detection-handler.test.ts +84 -0
package/src/__tests__/secret-ingress-http.test.ts +1 -0
package/src/__tests__/secret-scanner-executor.test.ts +4 -0
package/src/__tests__/secure-keys.test.ts +107 -0
package/src/__tests__/send-endpoint-busy.test.ts +8 -1
package/src/__tests__/sequence-store.test.ts +1 -1
package/src/__tests__/server-history-render.test.ts +49 -0
package/src/__tests__/set-permission-mode.test.ts +13 -250
package/src/__tests__/settings-routes.test.ts +201 -0
package/src/__tests__/skill-load-feature-flag.test.ts +1 -0
package/src/__tests__/skills-file-content-endpoint.test.ts +801 -0
package/src/__tests__/skills-files-catalog-fallback.test.ts +738 -0
package/src/__tests__/skills.test.ts +5 -2
package/src/__tests__/skillssh-files.test.ts +446 -0
package/src/__tests__/slack-block-formatting.test.ts +110 -0
package/src/__tests__/slack-channel-config.test.ts +576 -16
package/src/__tests__/stt-catalog-parity.test.ts +282 -0
package/src/__tests__/stt-stream-session.test.ts +535 -0
package/src/__tests__/subagent-detail.test.ts +44 -2
package/src/__tests__/subagent-disposal.test.ts +1 -0
package/src/__tests__/subagent-fork-notifications.test.ts +291 -0
package/src/__tests__/subagent-fork-spawn.test.ts +384 -0
package/src/__tests__/subagent-manager-notify.test.ts +1 -0
package/src/__tests__/subagent-notify-parent.test.ts +1 -0
package/src/__tests__/subagent-spawn-tool-fork.test.ts +411 -0
package/src/__tests__/subagent-tools.test.ts +1 -0
package/src/__tests__/subagent-types.test.ts +1 -0
package/src/__tests__/system-prompt-ask-mode.test.ts +27 -71
package/src/__tests__/system-prompt.test.ts +184 -27
package/src/__tests__/task-scheduler.test.ts +32 -6
package/src/__tests__/telegram-config.test.ts +10 -13
package/src/__tests__/telephony-stt-routing.test.ts +329 -0
package/src/__tests__/terminal-tools.test.ts +25 -5
package/src/__tests__/test-preload.ts +18 -0
package/src/__tests__/test-support/browser-skill-harness.ts +4 -1
package/src/__tests__/tool-approval-handler.test.ts +73 -0
package/src/__tests__/tool-executor-lifecycle-events.test.ts +9 -5
package/src/__tests__/tool-executor-shell-integration.test.ts +4 -0
package/src/__tests__/tool-executor.test.ts +33 -24
package/src/__tests__/tool-result-truncation.test.ts +36 -0
package/src/__tests__/tool-side-effects-slack-dm.test.ts +22 -0
package/src/__tests__/top-level-renderer.test.ts +73 -1
package/src/__tests__/transport-hints-queue.test.ts +14 -29
package/src/__tests__/trust-store.test.ts +7 -1
package/src/__tests__/trusted-contact-approval-notifier.test.ts +1 -1
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +109 -0
package/src/__tests__/tts-catalog-parity.test.ts +345 -0
package/src/__tests__/twilio-routes-twiml.test.ts +512 -114
package/src/__tests__/twilio-routes.test.ts +376 -0
package/src/__tests__/unicode.test.ts +293 -0
package/src/__tests__/update-bulletin-format.test.ts +59 -0
package/src/__tests__/update-bulletin.test.ts +206 -5
package/src/__tests__/usage-routes.test.ts +25 -4
package/src/__tests__/user-reference.test.ts +46 -61
package/src/__tests__/v2-consent-policy.test.ts +103 -0
package/src/__tests__/verification-control-plane-policy.test.ts +4 -0
package/src/__tests__/voice-config-update.test.ts +403 -0
package/src/__tests__/voice-quality.test.ts +434 -19
package/src/__tests__/workspace-heartbeat-service.test.ts +7 -0
package/src/__tests__/workspace-migration-033-stt-service-explicit-config.test.ts +547 -0
package/src/__tests__/workspace-migration-034-remove-calls-voice-transcription-provider.test.ts +596 -0
package/src/__tests__/workspace-migration-drop-user-md.test.ts +368 -0
package/src/__tests__/workspace-migration-meets.test.ts +244 -0
package/src/__tests__/workspace-migration-seed-device-id.test.ts +14 -20
package/src/__tests__/workspace-policy.test.ts +2 -0
package/src/acp/client-handler.ts +30 -4
package/src/agent/image-optimize.ts +24 -12
package/src/agent/loop.ts +55 -9
package/src/approvals/guardian-request-resolvers.ts +21 -15
package/src/backup/__tests__/backup-key.test.ts +152 -0
package/src/backup/__tests__/backup-worker.test.ts +767 -0
package/src/backup/__tests__/list-snapshots.test.ts +87 -0
package/src/backup/__tests__/local-writer.test.ts +218 -0
package/src/backup/__tests__/offsite-writer.test.ts +641 -0
package/src/backup/__tests__/paths.test.ts +300 -0
package/src/backup/__tests__/restore.test.ts +498 -0
package/src/backup/__tests__/snapshot-lock.test.ts +352 -0
package/src/backup/__tests__/stream-crypt.test.ts +228 -0
package/src/backup/backup-key.ts +137 -0
package/src/backup/backup-worker.ts +459 -0
package/src/backup/list-snapshots.ts +147 -0
package/src/backup/local-writer.ts +133 -0
package/src/backup/offsite-writer.ts +222 -0
package/src/backup/paths.ts +226 -0
package/src/backup/restore.ts +322 -0
package/src/backup/snapshot-lock.ts +431 -0
package/src/backup/stream-crypt.ts +263 -0
package/src/browser-session/__tests__/manager.test.ts +297 -0
package/src/browser-session/backends/cdp-inspect.ts +30 -0
package/src/browser-session/backends/extension.ts +26 -0
package/src/browser-session/backends/local.ts +24 -0
package/src/browser-session/events.ts +164 -0
package/src/browser-session/index.ts +27 -0
package/src/browser-session/manager.ts +159 -0
package/src/browser-session/types.ts +28 -0
package/src/bundler/package-resolver.ts +4 -0
package/src/calls/audio-store.ts +11 -5
package/src/calls/call-controller.ts +226 -71
package/src/calls/call-domain.ts +9 -0
package/src/calls/call-speech-output.ts +190 -0
package/src/calls/call-transport.ts +77 -0
package/src/calls/media-stream-audio-transcode.ts +173 -0
package/src/calls/media-stream-output.ts +660 -0
package/src/calls/media-stream-parser.ts +300 -0
package/src/calls/media-stream-protocol.ts +166 -0
package/src/calls/media-stream-server.ts +592 -0
package/src/calls/media-stream-stt-session.ts +460 -0
package/src/calls/media-turn-detector.ts +230 -0
package/src/calls/relay-server.ts +90 -75
package/src/calls/resolve-call-tts-provider.ts +136 -0
package/src/calls/telephony-stt-routing.ts +145 -0
package/src/calls/tts-call-strategy.ts +161 -0
package/src/calls/tts-text-sanitizer.ts +32 -16
package/src/calls/twilio-routes.ts +281 -17
package/src/calls/voice-quality.ts +78 -35
package/src/calls/voice-session-bridge.ts +8 -1
package/src/channels/__tests__/types.test.ts +134 -0
package/src/channels/types.ts +69 -3
package/src/cli/__tests__/run-assistant-command.ts +11 -1
package/src/cli/commands/__tests__/backup.test.ts +1165 -0
package/src/cli/commands/__tests__/domain-register.test.ts +234 -0
package/src/cli/commands/__tests__/domain-status.test.ts +132 -0
package/src/cli/commands/__tests__/email-attachment.test.ts +422 -0
package/src/cli/commands/__tests__/email-download.test.ts +16 -1
package/src/cli/commands/__tests__/email-list.test.ts +22 -4
package/src/cli/commands/__tests__/email-register.test.ts +4 -4
package/src/cli/commands/__tests__/email-send.test.ts +37 -4
package/src/cli/commands/__tests__/email-status.test.ts +5 -1
package/src/cli/commands/__tests__/email-unregister.test.ts +34 -5
package/src/cli/commands/backup.ts +993 -0
package/src/cli/commands/conversations.ts +77 -0
package/src/cli/commands/credentials.ts +3 -4
package/src/cli/commands/domain.ts +210 -0
package/src/cli/commands/email.ts +273 -16
package/src/cli/commands/mcp.ts +16 -4
package/src/cli/commands/oauth/__tests__/connect.test.ts +56 -44
package/src/cli/commands/oauth/__tests__/disconnect.test.ts +21 -21
package/src/cli/commands/oauth/__tests__/mode.test.ts +17 -17
package/src/cli/commands/oauth/__tests__/ping.test.ts +16 -16
package/src/cli/commands/oauth/__tests__/providers-delete.test.ts +32 -33
package/src/cli/commands/oauth/__tests__/providers-register.test.ts +330 -0
package/src/cli/commands/oauth/__tests__/providers-update.test.ts +117 -12
package/src/cli/commands/oauth/__tests__/status.test.ts +10 -10
package/src/cli/commands/oauth/__tests__/token.test.ts +7 -7
package/src/cli/commands/oauth/apps.ts +7 -4
package/src/cli/commands/oauth/connect.ts +6 -3
package/src/cli/commands/oauth/disconnect.ts +1 -1
package/src/cli/commands/oauth/mode.ts +12 -3
package/src/cli/commands/oauth/providers.ts +215 -36
package/src/cli/commands/oauth/shared.ts +7 -6
package/src/cli/commands/platform/__tests__/callback-routes-list.test.ts +254 -0
package/src/cli/commands/platform/__tests__/connect.test.ts +6 -0
package/src/cli/commands/platform/__tests__/disconnect.test.ts +7 -1
package/src/cli/commands/platform/__tests__/status.test.ts +6 -0
package/src/cli/commands/platform/index.ts +107 -10
package/src/cli/commands/usage.ts +10 -9
package/src/cli/lib/daemon-credential-client.ts +4 -0
package/src/cli/program.ts +30 -4
package/src/config/__tests__/backup-schema.test.ts +134 -0
package/src/config/assistant-feature-flags.ts +61 -62
package/src/config/bundled-skills/app-builder/SKILL.md +26 -249
package/src/config/bundled-skills/app-builder/references/CUSTOM_ROUTES.md +141 -0
package/src/config/bundled-skills/app-builder/references/INTERACTION_HOOKS.md +56 -0
package/src/config/bundled-skills/app-builder/references/WIDGETS.md +125 -0
package/src/config/bundled-skills/browser/SKILL.md +30 -5
package/src/config/bundled-skills/browser/TOOLS.json +123 -0
package/src/config/bundled-skills/browser/tools/browser-attach.ts +12 -0
package/src/config/bundled-skills/browser/tools/browser-detach.ts +12 -0
package/src/config/bundled-skills/browser/tools/browser-status.ts +12 -0
package/src/config/bundled-skills/browser/tools/browser-wait-for-download.ts +17 -0
package/src/config/bundled-skills/contacts/SKILL.md +5 -2
package/src/config/bundled-skills/document/SKILL.md +4 -0
package/src/config/bundled-skills/gmail/SKILL.md +54 -8
package/src/config/bundled-skills/gmail/TOOLS.json +33 -3
package/src/config/bundled-skills/gmail/tools/gmail-archive.ts +116 -9
package/src/config/bundled-skills/gmail/tools/gmail-outreach-scan.ts +138 -11
package/src/config/bundled-skills/gmail/tools/gmail-preferences-tool.ts +59 -0
package/src/config/bundled-skills/gmail/tools/gmail-preferences.ts +82 -0
package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts +113 -17
package/src/config/bundled-skills/gmail/tools/gmail-unsubscribe.ts +2 -2
package/src/config/bundled-skills/media-processing/SKILL.md +3 -9
package/src/config/bundled-skills/media-processing/TOOLS.json +1 -6
package/src/config/bundled-skills/media-processing/__tests__/audio-transcribe.test.ts +125 -0
package/src/config/bundled-skills/media-processing/__tests__/extract-keyframes.test.ts +181 -0
package/src/config/bundled-skills/media-processing/__tests__/preprocess-audio.test.ts +141 -0
package/src/config/bundled-skills/media-processing/services/audio-transcribe.ts +32 -87
package/src/config/bundled-skills/media-processing/services/preprocess.ts +8 -4
package/src/config/bundled-skills/media-processing/tools/extract-keyframes.ts +0 -10
package/src/config/bundled-skills/messaging/SKILL.md +3 -3
package/src/config/bundled-skills/messaging/tools/messaging-archive-by-sender.ts +2 -2
package/src/config/bundled-skills/outlook/SKILL.md +9 -2
package/src/config/bundled-skills/outlook/tools/outlook-unsubscribe.ts +2 -2
package/src/config/bundled-skills/phone-calls/SKILL.md +2 -2
package/src/config/bundled-skills/phone-calls/references/CONFIG.md +27 -18
package/src/config/bundled-skills/phone-calls/references/TROUBLESHOOTING.md +3 -3
package/src/config/bundled-skills/settings/TOOLS.json +3 -3
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +26 -22
package/src/config/bundled-skills/slack/SKILL.md +1 -0
package/src/config/bundled-skills/subagent/SKILL.md +21 -0
package/src/config/bundled-skills/subagent/TOOLS.json +8 -4
package/src/config/bundled-skills/tasks/SKILL.md +5 -0
package/src/config/bundled-skills/transcribe/SKILL.md +9 -14
package/src/config/bundled-skills/transcribe/TOOLS.json +2 -7
package/src/config/bundled-skills/transcribe/tools/transcribe-media.test.ts +256 -0
package/src/config/bundled-skills/transcribe/tools/transcribe-media.ts +38 -188
package/src/config/bundled-tool-registry.ts +8 -0
package/src/config/env-registry.ts +38 -0
package/src/config/env.ts +49 -4
package/src/config/feature-flag-registry.json +85 -14
package/src/config/loader.ts +82 -13
package/src/config/sanitize-for-transfer.ts +47 -0
package/src/config/schema.ts +81 -15
package/src/config/schemas/__tests__/stt.test.ts +43 -0
package/src/config/schemas/analysis.ts +51 -0
package/src/config/schemas/backup.ts +72 -0
package/src/config/schemas/calls.ts +1 -26
package/src/config/schemas/elevenlabs.ts +0 -59
package/src/config/schemas/filing.ts +47 -7
package/src/config/schemas/heartbeat.ts +27 -5
package/src/config/schemas/host-browser.ts +112 -0
package/src/config/schemas/inference.ts +1 -1
package/src/config/schemas/memory-lifecycle.ts +14 -2
package/src/config/schemas/memory-retrieval.ts +103 -0
package/src/config/schemas/security.ts +0 -6
package/src/config/schemas/services.ts +52 -0
package/src/config/schemas/stt.ts +59 -0
package/src/config/schemas/tts.ts +230 -0
package/src/config/schemas/updates.ts +14 -0
package/src/config/skills.ts +4 -0
package/src/config/types.ts +4 -1
package/src/contacts/contact-store.ts +56 -11
package/src/contacts/contacts-write.ts +38 -1
package/src/context/post-turn-tool-result-truncation.ts +177 -0
package/src/context/tool-result-truncation.ts +2 -1
package/src/context/window-manager.ts +61 -10
package/src/credential-execution/approval-bridge.ts +49 -15
package/src/credential-execution/executable-discovery.ts +12 -2
package/src/credential-execution/process-manager.ts +33 -2
package/src/credential-health/credential-health-service.ts +366 -0
package/src/daemon/__tests__/conversation-lifecycle-auto-analyze.test.ts +324 -0
package/src/daemon/__tests__/conversation-surfaces-launch.test.ts +497 -0
package/src/daemon/__tests__/conversation-tool-setup.test.ts +195 -0
package/src/daemon/__tests__/lifecycle-startup-ordering.test.ts +127 -0
package/src/daemon/app-source-watcher.ts +35 -0
package/src/daemon/config-watcher.ts +99 -5
package/src/daemon/context-overflow-approval.ts +5 -0
package/src/daemon/conversation-agent-loop-handlers.ts +23 -2
package/src/daemon/conversation-agent-loop.ts +153 -42
package/src/daemon/conversation-attachments.ts +40 -0
package/src/daemon/conversation-error.ts +11 -0
package/src/daemon/conversation-history.ts +40 -6
package/src/daemon/conversation-launch.ts +220 -0
package/src/daemon/conversation-lifecycle.ts +59 -9
package/src/daemon/conversation-messaging.ts +37 -3
package/src/daemon/conversation-notifiers.ts +5 -0
package/src/daemon/conversation-process.ts +622 -13
package/src/daemon/conversation-queue-manager.ts +24 -0
package/src/daemon/conversation-runtime-assembly.ts +128 -36
package/src/daemon/conversation-slash.ts +36 -0
package/src/daemon/conversation-surfaces.ts +131 -40
package/src/daemon/conversation-tool-setup.ts +99 -8
package/src/daemon/conversation-usage.ts +7 -4
package/src/daemon/conversation-workspace.ts +12 -0
package/src/daemon/conversation.ts +292 -16
package/src/daemon/date-context.ts +10 -10
package/src/daemon/first-greeting.ts +3 -2
package/src/daemon/handlers/config-slack-channel.ts +269 -94
package/src/daemon/handlers/conversations.ts +13 -141
package/src/daemon/handlers/shared.ts +80 -0
package/src/daemon/handlers/skills.ts +483 -44
package/src/daemon/host-bash-proxy.ts +48 -13
package/src/daemon/host-browser-proxy.ts +192 -0
package/src/daemon/host-cu-proxy.ts +36 -11
package/src/daemon/host-file-proxy.ts +57 -9
package/src/daemon/lifecycle.ts +179 -28
package/src/daemon/message-protocol.ts +13 -0
package/src/daemon/message-types/conversations.ts +89 -14
package/src/daemon/message-types/home.ts +40 -0
package/src/daemon/message-types/host-browser.ts +100 -0
package/src/daemon/message-types/meet.ts +143 -0
package/src/daemon/message-types/messages.ts +19 -5
package/src/daemon/message-types/schedules.ts +34 -2
package/src/daemon/message-types/skills.ts +26 -0
package/src/daemon/message-types/subagents.ts +2 -0
package/src/daemon/message-types/surfaces.ts +2 -0
package/src/daemon/server.ts +439 -14
package/src/daemon/shutdown-handlers.ts +32 -4
package/src/daemon/shutdown-registry.ts +40 -0
package/src/daemon/tool-side-effects.ts +15 -0
package/src/daemon/transport-hints.ts +5 -24
package/src/email/html-renderer.ts +76 -0
package/src/heartbeat/heartbeat-service.ts +93 -7
package/src/home/__tests__/assistant-feed-authoring.test.ts +156 -0
package/src/home/__tests__/emit-feed-event.test.ts +169 -0
package/src/home/__tests__/feed-scheduler.test.ts +194 -0
package/src/home/__tests__/feed-types.test.ts +275 -0
package/src/home/__tests__/feed-writer.test.ts +688 -0
package/src/home/__tests__/phase5-exit-criteria.test.ts +212 -0
package/src/home/__tests__/platform-gmail-digest.test.ts +222 -0
package/src/home/__tests__/progress-formula.test.ts +213 -0
package/src/home/__tests__/relationship-state-writer.test.ts +740 -0
package/src/home/__tests__/rollup-producer.test.ts +398 -0
package/src/home/assistant-feed-authoring.ts +124 -0
package/src/home/emit-feed-event.ts +158 -0
package/src/home/feed-scheduler.ts +247 -0
package/src/home/feed-types.ts +181 -0
package/src/home/feed-writer.ts +469 -0
package/src/home/platform-gmail-digest.ts +163 -0
package/src/home/progress-formula.ts +86 -0
package/src/home/relationship-state-writer.ts +824 -0
package/src/home/relationship-state.ts +143 -0
package/src/home/rollup-producer.ts +384 -0
package/src/hooks/runner.ts +7 -0
package/src/inbound/platform-callback-registration.ts +30 -20
package/src/inbound/public-ingress-urls.ts +12 -0
package/src/instrument.ts +1 -1
package/src/ipc/__tests__/cli-ipc.test.ts +200 -0
package/src/ipc/cli-client.ts +151 -0
package/src/ipc/cli-server.ts +234 -0
package/src/ipc/gateway-client.ts +180 -0
package/src/ipc/routes/index.ts +5 -0
package/src/ipc/routes/wake-conversation.ts +19 -0
package/src/mcp/client.ts +59 -24
package/src/memory/__tests__/auto-analysis-enqueue.test.ts +356 -0
package/src/memory/__tests__/auto-analysis-guard.test.ts +57 -0
package/src/memory/__tests__/conversation-analyze-job.test.ts +232 -0
package/src/memory/__tests__/find-analysis-conversation.test.ts +196 -0
package/src/memory/app-store.ts +31 -1
package/src/memory/attachments-store.ts +70 -0
package/src/memory/auto-analysis-enqueue.ts +127 -0
package/src/memory/auto-analysis-guard.ts +27 -0
package/src/memory/cleanup-schedule-state.ts +37 -0
package/src/memory/conversation-analyze-job.ts +73 -0
package/src/memory/conversation-crud.ts +122 -0
package/src/memory/conversation-disk-view.ts +7 -0
package/src/memory/conversation-group-migration.ts +34 -2
package/src/memory/conversation-queries.ts +6 -5
package/src/memory/conversation-starters-cadence.ts +76 -0
package/src/memory/conversation-title-service.ts +5 -2
package/src/memory/db-init.ts +18 -0
package/src/memory/db-maintenance.ts +108 -0
package/src/memory/db.ts +1 -0
package/src/memory/embedding-backend.test.ts +75 -0
package/src/memory/embedding-backend.ts +131 -5
package/src/memory/embedding-gemini.test.ts +54 -0
package/src/memory/embedding-gemini.ts +20 -9
package/src/memory/embedding-local.ts +176 -17
package/src/memory/graph/consolidation.ts +10 -23
package/src/memory/graph/conversation-graph-memory.ts +15 -0
package/src/memory/graph/extraction-job.ts +15 -0
package/src/memory/graph/extraction.test.ts +23 -0
package/src/memory/graph/extraction.ts +8 -0
package/src/memory/graph/retriever.ts +67 -40
package/src/memory/graph/scoring.test.ts +186 -0
package/src/memory/graph/scoring.ts +31 -1
package/src/memory/graph/store.test.ts +7 -3
package/src/memory/graph/store.ts +47 -12
package/src/memory/graph/tools.ts +1 -1
package/src/memory/group-crud.ts +6 -1
package/src/memory/indexer.ts +95 -16
package/src/memory/job-handlers/cleanup.ts +11 -8
package/src/memory/job-handlers/conversation-starters.ts +16 -10
package/src/memory/jobs-store.ts +64 -4
package/src/memory/jobs-worker.ts +22 -9
package/src/memory/llm-usage-store.ts +137 -60
package/src/memory/migrations/213-oauth-providers-scope-separator.ts +13 -0
package/src/memory/migrations/214-oauth-providers-refresh-url.ts +11 -0
package/src/memory/migrations/215-oauth-providers-revoke.ts +14 -0
package/src/memory/migrations/216-oauth-providers-token-auth-method.ts +30 -0
package/src/memory/migrations/217-conversation-host-access.ts +40 -0
package/src/memory/migrations/218-oauth-providers-logo-url.ts +11 -0
package/src/memory/migrations/219-oauth-providers-token-exchange-body-format.ts +15 -0
package/src/memory/migrations/220-normalize-user-file-by-principal.ts +190 -0
package/src/memory/migrations/221-conversations-archived-at.ts +16 -0
package/src/memory/migrations/index.ts +12 -0
package/src/memory/migrations/registry.ts +16 -0
package/src/memory/qdrant-manager.ts +43 -16
package/src/memory/schema/conversations.ts +3 -0
package/src/memory/schema/oauth.ts +21 -13
package/src/memory/usage-buckets.ts +396 -0
package/src/messaging/providers/gmail/client.ts +57 -6
package/src/messaging/providers/slack/__tests__/adapter-token-routing.test.ts +282 -0
package/src/messaging/providers/slack/adapter.ts +143 -38
package/src/messaging/providers/slack/client.ts +16 -0
package/src/messaging/providers/slack/types.ts +4 -0
package/src/notifications/decision-engine.ts +3 -3
package/src/notifications/signal.ts +5 -0
package/src/oauth/AGENTS.md +76 -0
package/src/oauth/__tests__/identity-verifier.test.ts +25 -19
package/src/oauth/__tests__/seed-providers-managed.test.ts +32 -0
package/src/oauth/byo-connection.test.ts +26 -9
package/src/oauth/byo-connection.ts +10 -8
package/src/oauth/connect-orchestrator.ts +25 -21
package/src/oauth/connect-types.ts +3 -3
package/src/oauth/connection-resolver.test.ts +17 -4
package/src/oauth/connection-resolver.ts +22 -18
package/src/oauth/connection.ts +3 -1
package/src/oauth/manual-token-connection.ts +13 -13
package/src/oauth/oauth-store.ts +223 -100
package/src/oauth/platform-connection.test.ts +101 -3
package/src/oauth/platform-connection.ts +56 -35
package/src/oauth/provider-serializer.ts +31 -5
package/src/oauth/revoke.ts +76 -0
package/src/oauth/seed-providers.ts +133 -87
package/src/oauth/token-persistence.ts +1 -1
package/src/permissions/checker.ts +16 -6
package/src/permissions/defaults.ts +49 -1
package/src/permissions/permission-mode.ts +4 -11
package/src/permissions/prompter.ts +13 -1
package/src/permissions/trust-store.ts +3 -3
package/src/permissions/v2-consent-policy.ts +87 -0
package/src/permissions/workspace-policy.ts +3 -0
package/src/platform/client.test.ts +10 -0
package/src/platform/sync-identity.ts +129 -0
package/src/prompts/persona-resolver.ts +126 -2
package/src/prompts/system-prompt.ts +76 -38
package/src/prompts/templates/BOOTSTRAP-REFERENCE.md +3 -65
package/src/prompts/templates/BOOTSTRAP.md +59 -105
package/src/prompts/templates/SOUL.md +3 -1
package/src/prompts/templates/UPDATES.md +12 -0
package/src/prompts/templates/channels/slack.md +20 -0
package/src/prompts/update-bulletin-format.ts +26 -9
package/src/prompts/update-bulletin.ts +34 -23
package/src/prompts/user-reference.ts +20 -17
package/src/providers/__tests__/provider-secret-catalog.test.ts +42 -0
package/src/providers/anthropic/client.ts +157 -60
package/src/providers/fireworks/client.ts +2 -2
package/src/providers/gemini/client.ts +9 -1
package/src/providers/model-catalog.ts +6 -0
package/src/providers/model-intents.ts +4 -4
package/src/providers/ollama/client.ts +2 -2
package/src/providers/openai/chat-completions-provider.ts +474 -0
package/src/providers/openai/client.ts +25 -440
package/src/providers/openai/responses-provider.ts +502 -0
package/src/providers/openrouter/client.ts +101 -4
package/src/providers/provider-secret-catalog.ts +139 -0
package/src/providers/registry.ts +2 -2
package/src/providers/retry.ts +14 -3
package/src/providers/speech-to-text/__tests__/provider-catalog.test.ts +251 -0
package/src/providers/speech-to-text/__tests__/resolve.test.ts +828 -0
package/src/providers/speech-to-text/deepgram-realtime.test.ts +980 -0
package/src/providers/speech-to-text/deepgram-realtime.ts +767 -0
package/src/providers/speech-to-text/deepgram.test.ts +332 -0
package/src/providers/speech-to-text/deepgram.ts +115 -0
package/src/providers/speech-to-text/google-gemini-live-stream.test.ts +743 -0
package/src/providers/speech-to-text/google-gemini-live-stream.ts +625 -0
package/src/providers/speech-to-text/google-gemini.test.ts +226 -0
package/src/providers/speech-to-text/google-gemini.ts +101 -0
package/src/providers/speech-to-text/openai-whisper-stream.test.ts +564 -0
package/src/providers/speech-to-text/openai-whisper-stream.ts +381 -0
package/src/providers/speech-to-text/openai-whisper.test.ts +1 -37
package/src/providers/speech-to-text/openai-whisper.ts +63 -33
package/src/providers/speech-to-text/provider-catalog.ts +306 -0
package/src/providers/speech-to-text/resolve.ts +386 -6
package/src/providers/types.ts +10 -1
package/src/runtime/AGENTS.md +65 -0
package/src/runtime/__tests__/agent-wake.test.ts +831 -0
package/src/runtime/__tests__/browser-extension-pair-routes.test.ts +715 -0
package/src/runtime/__tests__/capability-tokens.test.ts +258 -0
package/src/runtime/__tests__/chrome-extension-registry.test.ts +518 -0
package/src/runtime/__tests__/runtime-mode.test.ts +62 -0
package/src/runtime/__tests__/slack-block-formatting.test.ts +481 -0
package/src/runtime/agent-wake.ts +512 -0
package/src/runtime/assistant-event-hub.ts +2 -2
package/src/runtime/auth/__tests__/guard-tests.test.ts +1 -0
package/src/runtime/auth/__tests__/middleware.test.ts +116 -1
package/src/runtime/auth/__tests__/route-policy.test.ts +48 -0
package/src/runtime/auth/middleware.ts +98 -0
package/src/runtime/auth/route-policy.ts +33 -9
package/src/runtime/auth/token-service.ts +56 -1
package/src/runtime/btw-sidechain.ts +2 -0
package/src/runtime/capability-tokens.ts +414 -0
package/src/runtime/channel-approvals.ts +18 -5
package/src/runtime/channel-invite-transport.ts +1 -1
package/src/runtime/channel-invite-transports/email.ts +14 -6
package/src/runtime/channel-readiness-service.ts +12 -22
package/src/runtime/chrome-extension-registry.ts +368 -0
package/src/runtime/confirmation-request-guardian-bridge.ts +6 -0
package/src/runtime/guardian-decision-types.ts +7 -0
package/src/runtime/http-server.ts +815 -75
package/src/runtime/http-types.ts +6 -2
package/src/runtime/migrations/__tests__/rebind-secrets-credentials.test.ts +172 -0
package/src/runtime/migrations/__tests__/vbundle-builder-credentials.test.ts +276 -0
package/src/runtime/migrations/__tests__/vbundle-import-credentials.test.ts +198 -0
package/src/runtime/migrations/__tests__/vbundle-legacy-user-md.test.ts +360 -0
package/src/runtime/migrations/migration-transport.ts +7 -0
package/src/runtime/migrations/migration-wizard.ts +23 -2
package/src/runtime/migrations/rebind-secrets-screen.ts +76 -15
package/src/runtime/migrations/vbundle-builder.ts +145 -38
package/src/runtime/migrations/vbundle-import-analyzer.ts +96 -1
package/src/runtime/migrations/vbundle-importer.ts +89 -5
package/src/runtime/pending-interactions.ts +18 -13
package/src/runtime/routes/__tests__/backup-routes.test.ts +967 -0
package/src/runtime/routes/__tests__/home-feed-routes.test.ts +507 -0
package/src/runtime/routes/__tests__/migration-import-credential-filter.test.ts +208 -0
package/src/runtime/routes/__tests__/stt-routes.test.ts +406 -0
package/src/runtime/routes/__tests__/tts-routes.test.ts +474 -0
package/src/runtime/routes/__tests__/user-route-dispatcher.test.ts +148 -17
package/src/runtime/routes/app-management-routes.ts +12 -18
package/src/runtime/routes/approval-routes.ts +90 -16
package/src/runtime/routes/attachment-routes.test.ts +9 -3
package/src/runtime/routes/attachment-routes.ts +216 -17
package/src/runtime/routes/backup-routes.ts +519 -0
package/src/runtime/routes/browser-extension-pair-routes.ts +556 -0
package/src/runtime/routes/btw-routes.ts +8 -6
package/src/runtime/routes/contact-routes.test.ts +298 -0
package/src/runtime/routes/contact-routes.ts +132 -5
package/src/runtime/routes/conversation-analysis-routes.ts +22 -141
package/src/runtime/routes/conversation-management-routes.ts +223 -0
package/src/runtime/routes/conversation-routes.ts +598 -103
package/src/runtime/routes/conversation-starter-routes.ts +78 -16
package/src/runtime/routes/filing-routes.ts +93 -0
package/src/runtime/routes/guardian-action-routes.ts +24 -13
package/src/runtime/routes/home-feed-routes.ts +334 -0
package/src/runtime/routes/home-state-routes.ts +138 -0
package/src/runtime/routes/host-browser-routes.ts +268 -0
package/src/runtime/routes/host-file-routes.ts +9 -1
package/src/runtime/routes/identity-intro-cache.ts +7 -3
package/src/runtime/routes/identity-routes.ts +262 -33
package/src/runtime/routes/inbound-stages/transcribe-audio.test.ts +46 -39
package/src/runtime/routes/inbound-stages/transcribe-audio.ts +15 -15
package/src/runtime/routes/integrations/slack/__tests__/channel.test.ts +137 -0
package/src/runtime/routes/integrations/slack/__tests__/share.test.ts +179 -0
package/src/runtime/routes/integrations/slack/channel.ts +11 -3
package/src/runtime/routes/integrations/slack/share.ts +45 -7
package/src/runtime/routes/llm-context-normalization.ts +303 -0
package/src/runtime/routes/log-export-routes.ts +42 -22
package/src/runtime/routes/memory-item-routes.test.ts +3 -2
package/src/runtime/routes/memory-item-routes.ts +1 -7
package/src/runtime/routes/migration-routes.ts +122 -2
package/src/runtime/routes/oauth-apps.ts +15 -17
package/src/runtime/routes/oauth-providers.ts +4 -0
package/src/runtime/routes/schedule-routes.ts +24 -11
package/src/runtime/routes/settings-routes.ts +31 -102
package/src/runtime/routes/skills-routes.ts +128 -9
package/src/runtime/routes/stt-routes.ts +233 -0
package/src/runtime/routes/subagents-routes.ts +14 -10
package/src/runtime/routes/surface-action-routes.ts +41 -2
package/src/runtime/routes/tts-routes.ts +108 -24
package/src/runtime/routes/usage-routes.ts +38 -9
package/src/runtime/routes/user-route-dispatcher.ts +50 -5
package/src/runtime/routes/user-routes.ts +13 -1
package/src/runtime/routes/work-items-routes.ts +8 -1
package/src/runtime/routes/workspace-routes.test.ts +22 -0
package/src/runtime/routes/workspace-routes.ts +8 -1
package/src/runtime/routes/workspace-utils.ts +2 -0
package/src/runtime/runtime-mode.ts +33 -0
package/src/runtime/services/__tests__/analyze-conversation.test.ts +444 -0
package/src/runtime/services/__tests__/analyze-deps-singleton.test.ts +67 -0
package/src/runtime/services/__tests__/auto-analysis-prompt.test.ts +53 -0
package/src/runtime/services/__tests__/manual-analysis-prompt.test.ts +41 -0
package/src/runtime/services/analyze-conversation.ts +344 -0
package/src/runtime/services/analyze-deps-singleton.ts +32 -0
package/src/runtime/services/auto-analysis-prompt.ts +55 -0
package/src/runtime/skill-route-registry.ts +49 -0
package/src/runtime/slack-block-formatting.ts +437 -10
package/src/schedule/scheduler.ts +57 -5
package/src/security/ces-credential-client.ts +20 -0
package/src/security/ces-rpc-credential-backend.ts +17 -0
package/src/security/credential-backend.ts +5 -0
package/src/security/oauth2.ts +68 -29
package/src/security/secure-keys.ts +143 -27
package/src/security/token-manager.ts +31 -10
package/src/sequence/engine.ts +23 -0
package/src/sequence/types.ts +1 -1
package/src/skills/catalog-files.ts +554 -0
package/src/skills/category-inference.ts +122 -0
package/src/skills/clawhub-files.ts +213 -0
package/src/skills/clawhub.ts +84 -23
package/src/skills/skill-file-provider.ts +40 -0
package/src/skills/skillssh-files.ts +395 -0
package/src/skills/skillssh-registry.ts +4 -4
package/src/stt/__tests__/daemon-batch-transcriber.test.ts +392 -0
package/src/stt/__tests__/types.test.ts +89 -0
package/src/stt/daemon-batch-transcriber.ts +195 -0
package/src/stt/stt-stream-session.ts +499 -0
package/src/stt/types.ts +330 -0
package/src/stt/wav-encoder.test.ts +373 -0
package/src/stt/wav-encoder.ts +175 -0
package/src/subagent/manager.ts +169 -40
package/src/subagent/types.ts +19 -0
package/src/tools/apps/executors.ts +11 -2
package/src/tools/browser/__tests__/auth-detector.test.ts +202 -108
package/src/tools/browser/__tests__/browser-mode.test.ts +119 -0
package/src/tools/browser/__tests__/browser-status.test.ts +123 -0
package/src/tools/browser/auth-detector.ts +43 -12
package/src/tools/browser/browser-execution.ts +1787 -342
package/src/tools/browser/browser-manager.ts +81 -12
package/src/tools/browser/browser-mode-constants.ts +12 -0
package/src/tools/browser/browser-mode.ts +92 -0
package/src/tools/browser/browser-status-constants.ts +33 -0
package/src/tools/browser/cdp-client/__tests__/accessibility-snapshot.test.ts +318 -0
package/src/tools/browser/cdp-client/__tests__/cdp-dom-helpers.test.ts +1175 -0
package/src/tools/browser/cdp-client/__tests__/cdp-inspect-client.test.ts +1263 -0
package/src/tools/browser/cdp-client/__tests__/extension-cdp-client.test.ts +359 -0
package/src/tools/browser/cdp-client/__tests__/factory.test.ts +1993 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-nested-frames.json +64 -0
package/src/tools/browser/cdp-client/__tests__/fixtures/ax-tree-simple.json +69 -0
package/src/tools/browser/cdp-client/__tests__/local-cdp-client.test.ts +310 -0
package/src/tools/browser/cdp-client/__tests__/types.test.ts +96 -0
package/src/tools/browser/cdp-client/accessibility-snapshot.ts +387 -0
package/src/tools/browser/cdp-client/cdp-dom-helpers.ts +695 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/discovery.test.ts +1007 -0
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/ws-transport.test.ts +580 -0
package/src/tools/browser/cdp-client/cdp-inspect/discovery.ts +744 -0
package/src/tools/browser/cdp-client/cdp-inspect/ws-transport.ts +579 -0
package/src/tools/browser/cdp-client/cdp-inspect-client.ts +868 -0
package/src/tools/browser/cdp-client/errors.ts +49 -0
package/src/tools/browser/cdp-client/extension-cdp-client.ts +148 -0
package/src/tools/browser/cdp-client/factory.ts +914 -0
package/src/tools/browser/cdp-client/index.ts +28 -0
package/src/tools/browser/cdp-client/local-cdp-client.ts +187 -0
package/src/tools/browser/cdp-client/types.ts +120 -0
package/src/tools/credentials/vault.ts +35 -6
package/src/tools/filesystem/edit.ts +1 -1
package/src/tools/filesystem/list.ts +1 -1
package/src/tools/filesystem/read.ts +1 -1
package/src/tools/filesystem/write.ts +2 -1
package/src/tools/host-filesystem/edit.ts +1 -1
package/src/tools/host-filesystem/read.ts +12 -15
package/src/tools/host-filesystem/write.ts +1 -1
package/src/tools/host-terminal/host-shell.ts +21 -16
package/src/tools/network/web-fetch.ts +5 -2
package/src/tools/network/web-search.ts +5 -2
package/src/tools/permission-checker.ts +77 -82
package/src/tools/registry.ts +0 -2
package/src/tools/secret-detection-handler.ts +34 -0
package/src/tools/shared/filesystem/image-read.ts +61 -40
package/src/tools/shared/shell-output.ts +3 -1
package/src/tools/side-effects.ts +2 -0
package/src/tools/skills/sandbox-runner.ts +3 -2
package/src/tools/subagent/spawn.ts +47 -3
package/src/tools/subagent/status.ts +2 -0
package/src/tools/system/register.ts +2 -16
package/src/tools/terminal/safe-env.ts +15 -0
package/src/tools/terminal/shell.ts +36 -20
package/src/tools/tool-approval-handler.ts +48 -2
package/src/tools/tool-manifest.ts +21 -0
package/src/tools/types.ts +19 -0
package/src/tools/ui-surface/definitions.ts +6 -1
package/src/tts/__tests__/provider-adapters.test.ts +834 -0
package/src/tts/__tests__/provider-catalog-consistency.test.ts +196 -0
package/src/tts/__tests__/provider-catalog.test.ts +183 -0
package/src/tts/__tests__/provider-registry.test.ts +90 -0
package/src/tts/provider-catalog.ts +201 -0
package/src/tts/provider-registry.ts +73 -0
package/src/tts/providers/deepgram-provider.ts +219 -0
package/src/tts/providers/elevenlabs-provider.ts +211 -0
package/src/tts/providers/fish-audio-provider.ts +183 -0
package/src/tts/providers/index.ts +42 -0
package/src/tts/providers/register-builtins.ts +130 -0
package/src/tts/synthesize-text.ts +110 -0
package/src/tts/tts-config-resolver.ts +78 -0
package/src/tts/types.ts +153 -0
package/src/types/onboarding-context.ts +7 -0
package/src/util/abort-reasons.ts +58 -0
package/src/util/device-id.ts +32 -16
package/src/util/errors.ts +9 -1
package/src/util/platform.ts +63 -24
package/src/util/pricing.ts +66 -3
package/src/util/spawn.ts +1 -1
package/src/util/truncate.ts +4 -2
package/src/util/unicode.ts +201 -0
package/src/version.ts +19 -24
package/src/watcher/engine.ts +23 -0
package/src/watcher/watcher-store.ts +31 -0
package/src/workspace/migrations/003-seed-device-id.ts +9 -3
package/src/workspace/migrations/017-seed-persona-dirs.ts +68 -4
package/src/workspace/migrations/029-seed-pkb.ts +1 -1
package/src/workspace/migrations/031-drop-user-md.ts +317 -0
package/src/workspace/migrations/031-llm-log-retention-zero-to-null.ts +73 -0
package/src/workspace/migrations/032-tts-provider-unification.ts +227 -0
package/src/workspace/migrations/033-stt-service-explicit-config.ts +122 -0
package/src/workspace/migrations/034-remove-calls-voice-transcription-provider.ts +215 -0
package/src/workspace/migrations/035-seed-slack-channel-persona.ts +50 -0
package/src/workspace/migrations/036-update-pkb-index-bar.ts +37 -0
package/src/workspace/migrations/037-create-meets-dir.ts +61 -0
package/src/workspace/migrations/registry.ts +16 -0
package/src/workspace/top-level-renderer.ts +31 -1
package/src/workspace/turn-commit.ts +31 -0
package/src/__tests__/chrome-cdp.test.ts +0 -419
package/src/__tests__/email-cli.test.ts +0 -297
package/src/__tests__/email-service-config-fallback.test.ts +0 -102
package/src/__tests__/permission-mode-sse.test.ts +0 -418
package/src/__tests__/permission-mode-store.test.ts +0 -277
package/src/browser-extension-relay/protocol.ts +0 -63
package/src/browser-extension-relay/server.ts +0 -203
package/src/cli/commands/browser-relay.ts +0 -536
package/src/config/schemas/sandbox.ts +0 -14
package/src/email/guardrails.ts +0 -221
package/src/email/provider.ts +0 -117
package/src/email/providers/agentmail.ts +0 -361
package/src/email/providers/index.ts +0 -65
package/src/email/service.ts +0 -384
package/src/email/types.ts +0 -126
package/src/permissions/permission-mode-store.ts +0 -180
package/src/prompts/templates/USER.md +0 -13
package/src/providers/speech-to-text/types.ts +0 -17
package/src/tools/browser/chrome-cdp.ts +0 -239
package/src/tools/system/set-permission-mode.ts +0 -103

package/src/__tests__/oauth-store.test.ts CHANGED Viewed

@@ -24,6 +24,8 @@ mock.module("../security/secure-keys.js", () => ({
 import { eq } from "drizzle-orm";
 import { getDb, initializeDb, resetDb, resetTestTables } from "../memory/db.js";
+import { getSqliteFrom } from "../memory/db-connection.js";
+import { migrateOAuthProvidersTokenAuthMethodDefault } from "../memory/migrations/216-oauth-providers-token-auth-method.js";
 import { oauthProviders } from "../memory/schema/oauth.js";
 import {
   createConnection,
@@ -43,18 +45,21 @@ import {
   registerProvider,
   seedProviders,
   updateConnection,
+  updateProvider,
   upsertApp,
 } from "../oauth/oauth-store.js";
+import { seedOAuthProviders } from "../oauth/seed-providers.js";
+import { getMockFetchCalls, mockFetch, resetMockFetch } from "./mock-fetch.js";
 initializeDb();
 /** Seed a minimal provider row for FK satisfaction. */
-function seedTestProvider(providerKey = "github"): void {
+function seedTestProvider(provider = "github"): void {
   seedProviders([
     {
-      providerKey,
-      authUrl: `https://${providerKey}.example.com/authorize`,
-      tokenUrl: `https://${providerKey}.example.com/token`,
+      provider,
+      authorizeUrl: `https://${provider}.example.com/authorize`,
+      tokenExchangeUrl: `https://${provider}.example.com/token`,
       defaultScopes: ["read"],
       scopePolicy: {},
     },
@@ -62,9 +67,9 @@ function seedTestProvider(providerKey = "github"): void {
 }
 /** Create an app linked to the given provider. Returns the app row. */
-async function createTestApp(providerKey = "github", clientId = "client-1") {
-  seedTestProvider(providerKey);
-  return await upsertApp(providerKey, clientId);
+async function createTestApp(provider = "github", clientId = "client-1") {
+  seedTestProvider(provider);
+  return await upsertApp(provider, clientId);
 }
 beforeEach(() => {
@@ -74,6 +79,7 @@ beforeEach(() => {
   mockDeleteSecureKeyAsync.mockClear();
   mockSetSecureKeyAsync.mockClear();
   secureKeyValues.clear();
+  resetMockFetch();
 });
 afterAll(() => {
@@ -89,34 +95,36 @@ describe("provider operations", () => {
     test("creates rows for new providers", () => {
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/login/oauth/authorize",
-          tokenUrl: "https://github.com/login/oauth/access_token",
+          provider: "github",
+          authorizeUrl: "https://github.com/login/oauth/authorize",
+          tokenExchangeUrl: "https://github.com/login/oauth/access_token",
           defaultScopes: ["repo", "user"],
           scopePolicy: { required: ["repo"] },
         },
         {
-          providerKey: "google",
-          authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-          tokenUrl: "https://oauth2.googleapis.com/token",
+          provider: "google",
+          authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+          tokenExchangeUrl: "https://oauth2.googleapis.com/token",
           defaultScopes: ["openid", "email"],
           scopePolicy: {},
-          extraParams: { access_type: "offline" },
+          authorizeParams: { access_type: "offline" },
         },
       ]);
       const gh = getProvider("github");
       expect(gh).toBeDefined();
-      expect(gh!.providerKey).toBe("github");
-      expect(gh!.authUrl).toBe("https://github.com/login/oauth/authorize");
-      expect(gh!.tokenUrl).toBe("https://github.com/login/oauth/access_token");
+      expect(gh!.provider).toBe("github");
+      expect(gh!.authorizeUrl).toBe("https://github.com/login/oauth/authorize");
+      expect(gh!.tokenExchangeUrl).toBe(
+        "https://github.com/login/oauth/access_token",
+      );
       expect(JSON.parse(gh!.defaultScopes)).toEqual(["repo", "user"]);
       expect(JSON.parse(gh!.scopePolicy)).toEqual({ required: ["repo"] });
       const goog = getProvider("google");
       expect(goog).toBeDefined();
-      expect(goog!.providerKey).toBe("google");
-      expect(JSON.parse(goog!.extraParams!)).toEqual({
+      expect(goog!.provider).toBe("google");
+      expect(JSON.parse(goog!.authorizeParams!)).toEqual({
         access_type: "offline",
       });
     });
@@ -124,9 +132,9 @@ describe("provider operations", () => {
     test("updates implementation fields while preserving user-customizable fields on re-seed", () => {
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/login/oauth/authorize",
-          tokenUrl: "https://github.com/login/oauth/access_token",
+          provider: "github",
+          authorizeUrl: "https://github.com/login/oauth/authorize",
+          tokenExchangeUrl: "https://github.com/login/oauth/access_token",
           defaultScopes: ["repo"],
           scopePolicy: {},
           baseUrl: "https://api.github.com",
@@ -141,9 +149,9 @@ describe("provider operations", () => {
       // Re-seed with corrected values (simulates a code fix deployed on upgrade)
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/login/oauth/authorize-v2",
-          tokenUrl: "https://github.com/login/oauth/access_token-v2",
+          provider: "github",
+          authorizeUrl: "https://github.com/login/oauth/authorize-v2",
+          tokenExchangeUrl: "https://github.com/login/oauth/access_token-v2",
           defaultScopes: ["repo", "user"],
           scopePolicy: { required: ["repo"] },
           baseUrl: "https://api.github.com/v2",
@@ -153,8 +161,10 @@ describe("provider operations", () => {
       const row = getProvider("github");
       expect(row).toBeDefined();
       // Implementation fields should be overwritten by the re-seed
-      expect(row!.authUrl).toBe("https://github.com/login/oauth/authorize-v2");
-      expect(row!.tokenUrl).toBe(
+      expect(row!.authorizeUrl).toBe(
+        "https://github.com/login/oauth/authorize-v2",
+      );
+      expect(row!.tokenExchangeUrl).toBe(
         "https://github.com/login/oauth/access_token-v2",
       );
       // User-customizable fields (baseUrl, defaultScopes, scopePolicy) are
@@ -166,172 +176,1069 @@ describe("provider operations", () => {
       expect(row!.createdAt).toBe(originalCreatedAt);
     });
-    test("persists pingUrl when provided", () => {
+    test("persists pingUrl when provided", () => {
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          pingUrl: "https://api.github.com/user",
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row!.pingUrl).toBe("https://api.github.com/user");
+    });
+    test("pingUrl defaults to null when omitted", () => {
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row!.pingUrl).toBeNull();
+    });
+    test("preserves user-customizable fields while overwriting implementation fields on re-seed", () => {
+      // Initial seed with all fields
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          tokenEndpointAuthMethod: "client_secret_post",
+          defaultScopes: ["repo"],
+          scopePolicy: { required: ["repo"] },
+          userinfoUrl: "https://api.github.com/user",
+          baseUrl: "https://api.github.com",
+          authorizeParams: { prompt: "consent" },
+          pingUrl: "https://api.github.com/user",
+        },
+      ]);
+      // Manually update user-customizable fields to simulate user edits
+      const db = getDb();
+      db.update(oauthProviders)
+        .set({
+          defaultScopes: JSON.stringify(["repo", "user", "gist"]),
+          scopePolicy: JSON.stringify({
+            required: ["repo"],
+            allowAdditionalScopes: true,
+          }),
+          baseUrl: "https://custom.github.com/api",
+        })
+        .where(eq(oauthProviders.provider, "github"))
+        .run();
+      // Verify the manual updates took effect
+      const beforeReseed = getProvider("github");
+      expect(JSON.parse(beforeReseed!.defaultScopes)).toEqual([
+        "repo",
+        "user",
+        "gist",
+      ]);
+      expect(beforeReseed!.baseUrl).toBe("https://custom.github.com/api");
+      // Re-seed with updated implementation fields
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize-v2",
+          tokenExchangeUrl: "https://github.com/token-v2",
+          tokenEndpointAuthMethod: "client_secret_basic",
+          defaultScopes: ["repo-only"],
+          scopePolicy: {},
+          userinfoUrl: "https://api.github.com/user-v2",
+          baseUrl: "https://api.github.com/v2",
+          authorizeParams: { prompt: "login" },
+          pingUrl: "https://api.github.com/user-v2",
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row).toBeDefined();
+      // User-customizable fields should retain their manual values
+      expect(JSON.parse(row!.defaultScopes)).toEqual(["repo", "user", "gist"]);
+      expect(JSON.parse(row!.scopePolicy)).toEqual({
+        required: ["repo"],
+        allowAdditionalScopes: true,
+      });
+      expect(row!.baseUrl).toBe("https://custom.github.com/api");
+      // Implementation fields should be overwritten from the seed data
+      expect(row!.authorizeUrl).toBe("https://github.com/authorize-v2");
+      expect(row!.tokenExchangeUrl).toBe("https://github.com/token-v2");
+      expect(row!.tokenEndpointAuthMethod).toBe("client_secret_basic");
+      expect(row!.userinfoUrl).toBe("https://api.github.com/user-v2");
+      expect(JSON.parse(row!.authorizeParams!)).toEqual({ prompt: "login" });
+      expect(row!.pingUrl).toBe("https://api.github.com/user-v2");
+    });
+    test("persists custom scopeSeparator when provided", () => {
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          defaultScopes: ["read", "write"],
+          scopePolicy: {},
+          scopeSeparator: ",",
+        },
+      ]);
+      const row = getProvider("test-provider");
+      expect(row).toBeDefined();
+      expect(row!.scopeSeparator).toBe(",");
+    });
+    test("scopeSeparator defaults to ' ' when omitted", () => {
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row).toBeDefined();
+      expect(row!.scopeSeparator).toBe(" ");
+    });
+    test("re-seeding with a changed scopeSeparator overwrites the stored value", () => {
+      seedProviders([
+        {
+          provider: "linear",
+          authorizeUrl: "https://linear.app/oauth/authorize",
+          tokenExchangeUrl: "https://api.linear.app/oauth/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+          scopeSeparator: " ",
+        },
+      ]);
+      const first = getProvider("linear");
+      expect(first!.scopeSeparator).toBe(" ");
+      // Re-seed with a different separator — it should be overwritten,
+      // proving scopeSeparator is in the onConflictDoUpdate set clause.
+      seedProviders([
+        {
+          provider: "linear",
+          authorizeUrl: "https://linear.app/oauth/authorize",
+          tokenExchangeUrl: "https://api.linear.app/oauth/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+          scopeSeparator: ",",
+        },
+      ]);
+      const row = getProvider("linear");
+      expect(row!.scopeSeparator).toBe(",");
+    });
+    test("persists refreshUrl when provided", () => {
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          refreshUrl: "https://refresh.example.com/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("test-provider");
+      expect(row).toBeDefined();
+      expect(row!.refreshUrl).toBe("https://refresh.example.com/token");
+    });
+    test("refreshUrl defaults to null when omitted", () => {
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("test-provider");
+      expect(row).toBeDefined();
+      expect(row!.refreshUrl).toBeNull();
+    });
+    test("re-seeding with a changed refreshUrl overwrites the stored value", () => {
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          refreshUrl: "https://refresh.example.com/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const first = getProvider("test-provider");
+      expect(first!.refreshUrl).toBe("https://refresh.example.com/token");
+      // Re-seed with a different refreshUrl — it should be overwritten,
+      // proving refreshUrl is in the onConflictDoUpdate set clause (not
+      // preserved like defaultScopes).
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          refreshUrl: "https://refresh-v2.example.com/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("test-provider");
+      expect(row!.refreshUrl).toBe("https://refresh-v2.example.com/token");
+    });
+    test("persists revokeUrl and revokeBodyTemplate when provided", () => {
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          revokeUrl: "https://revoke.example.com",
+          revokeBodyTemplate: { token: "{access_token}" },
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("test-provider");
+      expect(row).toBeDefined();
+      expect(row!.revokeUrl).toBe("https://revoke.example.com");
+      expect(JSON.parse(row!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+      });
+    });
+    test("revokeUrl and revokeBodyTemplate default to null when omitted", () => {
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("test-provider");
+      expect(row).toBeDefined();
+      expect(row!.revokeUrl).toBeNull();
+      expect(row!.revokeBodyTemplate).toBeNull();
+    });
+    test("writes logoUrl on insert", () => {
+      seedProviders([
+        {
+          provider: "google",
+          authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+          tokenExchangeUrl: "https://oauth2.googleapis.com/token",
+          defaultScopes: ["openid"],
+          scopePolicy: {},
+          logoUrl: "https://cdn.simpleicons.org/google",
+        },
+      ]);
+      const row = getProvider("google");
+      expect(row).toBeDefined();
+      expect(row!.logoUrl).toBe("https://cdn.simpleicons.org/google");
+    });
+    test("overwrites logoUrl on conflict", () => {
+      seedProviders([
+        {
+          provider: "google",
+          authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+          tokenExchangeUrl: "https://oauth2.googleapis.com/token",
+          defaultScopes: ["openid"],
+          scopePolicy: {},
+          logoUrl: "https://cdn.simpleicons.org/google",
+        },
+      ]);
+      expect(getProvider("google")!.logoUrl).toBe(
+        "https://cdn.simpleicons.org/google",
+      );
+      // Re-seed with a different logoUrl — it should be overwritten,
+      // proving logoUrl is in the onConflictDoUpdate set clause alongside
+      // the other display-metadata fields.
+      seedProviders([
+        {
+          provider: "google",
+          authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+          tokenExchangeUrl: "https://oauth2.googleapis.com/token",
+          defaultScopes: ["openid"],
+          scopePolicy: {},
+          logoUrl: "https://cdn.simpleicons.org/google-v2",
+        },
+      ]);
+      const row = getProvider("google");
+      expect(row!.logoUrl).toBe("https://cdn.simpleicons.org/google-v2");
+    });
+    test("re-seeding with a changed revokeUrl overwrites the stored value", () => {
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          revokeUrl: "https://revoke.example.com",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const first = getProvider("test-provider");
+      expect(first!.revokeUrl).toBe("https://revoke.example.com");
+      // Re-seed with a different revokeUrl — it should be overwritten,
+      // proving revokeUrl is in the onConflictDoUpdate set clause (not
+      // preserved like defaultScopes).
+      seedProviders([
+        {
+          provider: "test-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          revokeUrl: "https://revoke-v2.example.com",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("test-provider");
+      expect(row!.revokeUrl).toBe("https://revoke-v2.example.com");
+    });
+    test("seedOAuthProviders seeds Google, Twitter, and Linear with revoke config and leaves other providers null", () => {
+      seedOAuthProviders();
+      const google = getProvider("google");
+      expect(google).toBeDefined();
+      expect(google!.revokeUrl).toBe("https://oauth2.googleapis.com/revoke");
+      expect(JSON.parse(google!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+      });
+      const twitter = getProvider("twitter");
+      expect(twitter).toBeDefined();
+      expect(twitter!.revokeUrl).toBe("https://api.x.com/2/oauth2/revoke");
+      expect(JSON.parse(twitter!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+        token_type_hint: "access_token",
+        client_id: "{client_id}",
+      });
+      const linear = getProvider("linear");
+      expect(linear).toBeDefined();
+      expect(linear!.revokeUrl).toBe("https://api.linear.app/oauth/revoke");
+      expect(JSON.parse(linear!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+      });
+      const slack = getProvider("slack");
+      expect(slack).toBeDefined();
+      expect(slack!.revokeUrl).toBeNull();
+      expect(slack!.revokeBodyTemplate).toBeNull();
+      const github = getProvider("github");
+      expect(github).toBeDefined();
+      expect(github!.revokeUrl).toBeNull();
+      const outlook = getProvider("outlook");
+      expect(outlook).toBeDefined();
+      expect(outlook!.revokeUrl).toBeNull();
+    });
+    test("applies client_secret_post default when tokenEndpointAuthMethod is omitted from seed", () => {
+      seedProviders([
+        {
+          provider: "no-auth-method-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          defaultScopes: [],
+          scopePolicy: {},
+          // Note: tokenEndpointAuthMethod intentionally omitted
+        },
+      ]);
+      const row = getProvider("no-auth-method-provider");
+      expect(row).toBeDefined();
+      expect(row!.tokenEndpointAuthMethod).toBe("client_secret_post");
+    });
+    test("defaults tokenExchangeBodyFormat to 'form' when omitted from seed", () => {
+      seedProviders([
+        {
+          provider: "no-body-format-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          defaultScopes: [],
+          scopePolicy: {},
+          // Note: tokenExchangeBodyFormat intentionally omitted
+        },
+      ]);
+      const row = getProvider("no-body-format-provider");
+      expect(row).toBeDefined();
+      expect(row!.tokenExchangeBodyFormat).toBe("form");
+    });
+    test("persists explicit tokenExchangeBodyFormat value on seed", () => {
+      seedProviders([
+        {
+          provider: "json-body-format-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          defaultScopes: [],
+          scopePolicy: {},
+          tokenExchangeBodyFormat: "json",
+        },
+      ]);
+      const row = getProvider("json-body-format-provider");
+      expect(row).toBeDefined();
+      expect(row!.tokenExchangeBodyFormat).toBe("json");
+    });
+    test("migration 216 backfills NULL token_endpoint_auth_method to client_secret_post", () => {
+      // Use raw SQLite to bypass Drizzle's NOT NULL enforcement and insert
+      // a legacy-shaped row with NULL token_endpoint_auth_method.
+      const db = getDb();
+      const raw = getSqliteFrom(db);
+      raw.exec(`
+        INSERT INTO oauth_providers (
+          provider_key, auth_url, token_url, token_endpoint_auth_method,
+          default_scopes, scope_policy, scope_separator, requires_client_secret,
+          created_at, updated_at
+        ) VALUES (
+          'legacy-null-provider',
+          'https://example.com/authorize',
+          'https://example.com/token',
+          NULL,
+          '[]',
+          '{}',
+          ' ',
+          1,
+          ${Date.now()},
+          ${Date.now()}
+        )
+      `);
+      // Run the migration directly
+      migrateOAuthProvidersTokenAuthMethodDefault(db);
+      // Verify the row was backfilled
+      const row = raw
+        .prepare(
+          `SELECT token_endpoint_auth_method FROM oauth_providers WHERE provider_key = 'legacy-null-provider'`,
+        )
+        .get() as { token_endpoint_auth_method: string };
+      expect(row.token_endpoint_auth_method).toBe("client_secret_post");
+    });
+    test("migration 216 is idempotent — running twice on backfilled rows is a no-op", () => {
+      seedProviders([
+        {
+          provider: "already-set-provider",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          tokenEndpointAuthMethod: "client_secret_basic",
+          defaultScopes: [],
+          scopePolicy: {},
+        },
+      ]);
+      const db = getDb();
+      migrateOAuthProvidersTokenAuthMethodDefault(db);
+      migrateOAuthProvidersTokenAuthMethodDefault(db);
+      const row = getProvider("already-set-provider");
+      expect(row!.tokenEndpointAuthMethod).toBe("client_secret_basic");
+    });
+  });
+  describe("getProvider", () => {
+    test("returns the correct row", () => {
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      const row = getProvider("github");
+      expect(row).toBeDefined();
+      expect(row!.provider).toBe("github");
+    });
+    test("returns undefined for unknown keys", () => {
+      expect(getProvider("nonexistent")).toBeUndefined();
+    });
+  });
+  describe("registerProvider", () => {
+    test("creates a new row", () => {
+      const row = registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      expect(row.provider).toBe("linear");
+      expect(row.authorizeUrl).toBe("https://linear.app/oauth/authorize");
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.provider).toBe("linear");
+    });
+    test("throws for duplicate provider_key", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      expect(() =>
+        registerProvider({
+          provider: "linear",
+          authorizeUrl: "https://linear.app/oauth/authorize",
+          tokenExchangeUrl: "https://api.linear.app/oauth/token",
+          defaultScopes: ["read"],
+          scopePolicy: {},
+        }),
+      ).toThrow(/already exists.*linear/);
+    });
+    test("persists scopeSeparator and round-trips via getProvider", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+        scopeSeparator: ";",
+      });
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.scopeSeparator).toBe(";");
+    });
+    test("scopeSeparator defaults to ' ' when omitted", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.scopeSeparator).toBe(" ");
+    });
+    test("persists refreshUrl and round-trips via getProvider", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        refreshUrl: "https://api.linear.app/oauth/refresh",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.refreshUrl).toBe("https://api.linear.app/oauth/refresh");
+    });
+    test("refreshUrl defaults to null when omitted", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.refreshUrl).toBeNull();
+    });
+    test("persists revokeUrl and revokeBodyTemplate and round-trips via getProvider", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        revokeUrl: "https://api.linear.app/oauth/revoke",
+        revokeBodyTemplate: { token: "{access_token}" },
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.revokeUrl).toBe("https://api.linear.app/oauth/revoke");
+      expect(JSON.parse(fetched!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+      });
+    });
+    test("applies client_secret_post default when tokenEndpointAuthMethod is omitted", () => {
+      const row = registerProvider({
+        provider: "custom-default-test",
+        authorizeUrl: "https://example.com/authorize",
+        tokenExchangeUrl: "https://example.com/token",
+        defaultScopes: [],
+        scopePolicy: {},
+        // Note: tokenEndpointAuthMethod intentionally omitted
+      });
+      expect(row.tokenEndpointAuthMethod).toBe("client_secret_post");
+      const fetched = getProvider("custom-default-test");
+      expect(fetched!.tokenEndpointAuthMethod).toBe("client_secret_post");
+    });
+    test("preserves explicit client_secret_basic when registering a provider", () => {
+      const row = registerProvider({
+        provider: "custom-basic-test",
+        authorizeUrl: "https://example.com/authorize",
+        tokenExchangeUrl: "https://example.com/token",
+        defaultScopes: [],
+        scopePolicy: {},
+        tokenEndpointAuthMethod: "client_secret_basic",
+      });
+      expect(row.tokenEndpointAuthMethod).toBe("client_secret_basic");
+    });
+    test("defaults tokenExchangeBodyFormat to 'form' when omitted", () => {
+      const row = registerProvider({
+        provider: "no-body-format-test",
+        authorizeUrl: "https://example.com/authorize",
+        tokenExchangeUrl: "https://example.com/token",
+        defaultScopes: [],
+        scopePolicy: {},
+        // Note: tokenExchangeBodyFormat intentionally omitted
+      });
+      expect(row.tokenExchangeBodyFormat).toBe("form");
+      const fetched = getProvider("no-body-format-test");
+      expect(fetched!.tokenExchangeBodyFormat).toBe("form");
+    });
+    test("persists explicit tokenExchangeBodyFormat 'json' when registering a provider", () => {
+      const row = registerProvider({
+        provider: "json-body-format-test",
+        authorizeUrl: "https://example.com/authorize",
+        tokenExchangeUrl: "https://example.com/token",
+        defaultScopes: [],
+        scopePolicy: {},
+        tokenExchangeBodyFormat: "json",
+      });
+      expect(row.tokenExchangeBodyFormat).toBe("json");
+    });
+    test("stores logoUrl when provided", () => {
+      registerProvider({
+        provider: "notion",
+        authorizeUrl: "https://api.notion.com/v1/oauth/authorize",
+        tokenExchangeUrl: "https://api.notion.com/v1/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+        logoUrl: "https://cdn.simpleicons.org/notion",
+      });
+      const fetched = getProvider("notion");
+      expect(fetched).toBeDefined();
+      expect(fetched!.logoUrl).toBe("https://cdn.simpleicons.org/notion");
+    });
+    test("defaults logoUrl to null when omitted", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+      });
+      const fetched = getProvider("linear");
+      expect(fetched).toBeDefined();
+      expect(fetched!.logoUrl).toBeNull();
+    });
+  });
+  describe("updateProvider", () => {
+    test("updates scopeSeparator on an existing row", () => {
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      const before = getProvider("github");
+      expect(before!.scopeSeparator).toBe(" ");
+      const updated = updateProvider("github", { scopeSeparator: "," });
+      expect(updated).toBeDefined();
+      expect(updated!.scopeSeparator).toBe(",");
+      const fetched = getProvider("github");
+      expect(fetched!.scopeSeparator).toBe(",");
+    });
+    test("coerces empty-string scopeSeparator to default ' '", () => {
+      // An empty separator would join scopes into a single concatenated token
+      // (e.g. ["read","write"].join("") === "readwrite") which is never a
+      // valid OAuth authorize URL value. Coerce to the default.
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+          scopeSeparator: ",",
+        },
+      ]);
+      expect(getProvider("github")!.scopeSeparator).toBe(",");
+      const updated = updateProvider("github", { scopeSeparator: "" });
+      expect(updated).toBeDefined();
+      expect(updated!.scopeSeparator).toBe(" ");
+      expect(getProvider("github")!.scopeSeparator).toBe(" ");
+    });
+    test("sets refreshUrl on an existing row where it was previously null", () => {
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      const before = getProvider("github");
+      expect(before!.refreshUrl).toBeNull();
+      const updated = updateProvider("github", {
+        refreshUrl: "https://github.com/login/oauth/refresh",
+      });
+      expect(updated).toBeDefined();
+      expect(updated!.refreshUrl).toBe(
+        "https://github.com/login/oauth/refresh",
+      );
+      const fetched = getProvider("github");
+      expect(fetched!.refreshUrl).toBe(
+        "https://github.com/login/oauth/refresh",
+      );
+    });
+    test("leaves refreshUrl unchanged when not passed to updateProvider", () => {
+      seedProviders([
+        {
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          refreshUrl: "https://github.com/login/oauth/refresh",
+          defaultScopes: ["repo"],
+          scopePolicy: {},
+        },
+      ]);
+      expect(getProvider("github")!.refreshUrl).toBe(
+        "https://github.com/login/oauth/refresh",
+      );
+      // Update a different field — refreshUrl should be left alone.
+      const updated = updateProvider("github", {
+        displayLabel: "GitHub (updated)",
+      });
+      expect(updated).toBeDefined();
+      expect(updated!.refreshUrl).toBe(
+        "https://github.com/login/oauth/refresh",
+      );
+      expect(updated!.displayLabel).toBe("GitHub (updated)");
+    });
+    test("sets revokeUrl on an existing row where it was previously null", () => {
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/authorize",
-          tokenUrl: "https://github.com/token",
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
           defaultScopes: ["repo"],
           scopePolicy: {},
-          pingUrl: "https://api.github.com/user",
         },
       ]);
-      const row = getProvider("github");
-      expect(row!.pingUrl).toBe("https://api.github.com/user");
+      const before = getProvider("github");
+      expect(before!.revokeUrl).toBeNull();
+      const updated = updateProvider("github", {
+        revokeUrl: "https://github.com/login/oauth/revoke",
+      });
+      expect(updated).toBeDefined();
+      expect(updated!.revokeUrl).toBe("https://github.com/login/oauth/revoke");
+      const fetched = getProvider("github");
+      expect(fetched!.revokeUrl).toBe("https://github.com/login/oauth/revoke");
     });
-    test("pingUrl defaults to null when omitted", () => {
+    test("sets revokeBodyTemplate on an existing row and JSON round-trips", () => {
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/authorize",
-          tokenUrl: "https://github.com/token",
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
           defaultScopes: ["repo"],
           scopePolicy: {},
         },
       ]);
-      const row = getProvider("github");
-      expect(row!.pingUrl).toBeNull();
+      const before = getProvider("github");
+      expect(before!.revokeBodyTemplate).toBeNull();
+      const updated = updateProvider("github", {
+        revokeBodyTemplate: {
+          token: "{access_token}",
+          client_id: "{client_id}",
+        },
+      });
+      expect(updated).toBeDefined();
+      expect(JSON.parse(updated!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+        client_id: "{client_id}",
+      });
+      const fetched = getProvider("github");
+      expect(JSON.parse(fetched!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+        client_id: "{client_id}",
+      });
     });
-    test("preserves user-customizable fields while overwriting implementation fields on re-seed", () => {
-      // Initial seed with all fields
+    test("leaves revokeUrl and revokeBodyTemplate unchanged when not passed to updateProvider", () => {
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/authorize",
-          tokenUrl: "https://github.com/token",
-          tokenEndpointAuthMethod: "client_secret_post",
+          provider: "github",
+          authorizeUrl: "https://github.com/authorize",
+          tokenExchangeUrl: "https://github.com/token",
+          revokeUrl: "https://github.com/login/oauth/revoke",
+          revokeBodyTemplate: { token: "{access_token}" },
           defaultScopes: ["repo"],
-          scopePolicy: { required: ["repo"] },
-          userinfoUrl: "https://api.github.com/user",
-          baseUrl: "https://api.github.com",
-          extraParams: { prompt: "consent" },
-          pingUrl: "https://api.github.com/user",
+          scopePolicy: {},
         },
       ]);
-      // Manually update user-customizable fields to simulate user edits
-      const db = getDb();
-      db.update(oauthProviders)
-        .set({
-          defaultScopes: JSON.stringify(["repo", "user", "gist"]),
-          scopePolicy: JSON.stringify({
-            required: ["repo"],
-            allowAdditionalScopes: true,
-          }),
-          baseUrl: "https://custom.github.com/api",
-        })
-        .where(eq(oauthProviders.providerKey, "github"))
-        .run();
+      expect(getProvider("github")!.revokeUrl).toBe(
+        "https://github.com/login/oauth/revoke",
+      );
+      expect(JSON.parse(getProvider("github")!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+      });
-      // Verify the manual updates took effect
-      const beforeReseed = getProvider("github");
-      expect(JSON.parse(beforeReseed!.defaultScopes)).toEqual([
-        "repo",
-        "user",
-        "gist",
-      ]);
-      expect(beforeReseed!.baseUrl).toBe("https://custom.github.com/api");
+      // Update a different field — revoke fields should be left alone.
+      const updated = updateProvider("github", {
+        displayLabel: "GitHub (updated)",
+      });
+      expect(updated).toBeDefined();
+      expect(updated!.revokeUrl).toBe("https://github.com/login/oauth/revoke");
+      expect(JSON.parse(updated!.revokeBodyTemplate!)).toEqual({
+        token: "{access_token}",
+      });
+      expect(updated!.displayLabel).toBe("GitHub (updated)");
+    });
-      // Re-seed with updated implementation fields
+    test("coerces empty string tokenEndpointAuthMethod to client_secret_post", () => {
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/authorize-v2",
-          tokenUrl: "https://github.com/token-v2",
+          provider: "update-empty-test",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
           tokenEndpointAuthMethod: "client_secret_basic",
-          defaultScopes: ["repo-only"],
+          defaultScopes: [],
           scopePolicy: {},
-          userinfoUrl: "https://api.github.com/user-v2",
-          baseUrl: "https://api.github.com/v2",
-          extraParams: { prompt: "login" },
-          pingUrl: "https://api.github.com/user-v2",
         },
       ]);
-      const row = getProvider("github");
-      expect(row).toBeDefined();
+      expect(getProvider("update-empty-test")!.tokenEndpointAuthMethod).toBe(
+        "client_secret_basic",
+      );
-      // User-customizable fields should retain their manual values
-      expect(JSON.parse(row!.defaultScopes)).toEqual(["repo", "user", "gist"]);
-      expect(JSON.parse(row!.scopePolicy)).toEqual({
-        required: ["repo"],
-        allowAdditionalScopes: true,
+      const updated = updateProvider("update-empty-test", {
+        tokenEndpointAuthMethod: "",
       });
-      expect(row!.baseUrl).toBe("https://custom.github.com/api");
+      expect(updated).toBeDefined();
+      expect(updated!.tokenEndpointAuthMethod).toBe("client_secret_post");
-      // Implementation fields should be overwritten from the seed data
-      expect(row!.authUrl).toBe("https://github.com/authorize-v2");
-      expect(row!.tokenUrl).toBe("https://github.com/token-v2");
-      expect(row!.tokenEndpointAuthMethod).toBe("client_secret_basic");
-      expect(row!.userinfoUrl).toBe("https://api.github.com/user-v2");
-      expect(JSON.parse(row!.extraParams!)).toEqual({ prompt: "login" });
-      expect(row!.pingUrl).toBe("https://api.github.com/user-v2");
+      const row = getProvider("update-empty-test");
+      expect(row!.tokenEndpointAuthMethod).toBe("client_secret_post");
     });
-  });
-  describe("getProvider", () => {
-    test("returns the correct row", () => {
+    test("coerces empty string tokenExchangeBodyFormat to 'form'", () => {
       seedProviders([
         {
-          providerKey: "github",
-          authUrl: "https://github.com/authorize",
-          tokenUrl: "https://github.com/token",
-          defaultScopes: ["repo"],
+          provider: "update-empty-body-format-test",
+          authorizeUrl: "https://example.com/authorize",
+          tokenExchangeUrl: "https://example.com/token",
+          tokenExchangeBodyFormat: "json",
+          defaultScopes: [],
           scopePolicy: {},
         },
       ]);
-      const row = getProvider("github");
-      expect(row).toBeDefined();
-      expect(row!.providerKey).toBe("github");
-    });
+      expect(
+        getProvider("update-empty-body-format-test")!.tokenExchangeBodyFormat,
+      ).toBe("json");
-    test("returns undefined for unknown keys", () => {
-      expect(getProvider("nonexistent")).toBeUndefined();
+      const updated = updateProvider("update-empty-body-format-test", {
+        tokenExchangeBodyFormat: "",
+      });
+      expect(updated).toBeDefined();
+      expect(updated!.tokenExchangeBodyFormat).toBe("form");
+      const row = getProvider("update-empty-body-format-test");
+      expect(row!.tokenExchangeBodyFormat).toBe("form");
     });
-  });
-  describe("registerProvider", () => {
-    test("creates a new row", () => {
-      const row = registerProvider({
-        providerKey: "linear",
-        authUrl: "https://linear.app/oauth/authorize",
-        tokenUrl: "https://api.linear.app/oauth/token",
+    test("sets logoUrl on an existing row where it was previously null", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
         defaultScopes: ["read"],
         scopePolicy: {},
       });
-      expect(row.providerKey).toBe("linear");
-      expect(row.authUrl).toBe("https://linear.app/oauth/authorize");
+      expect(getProvider("linear")!.logoUrl).toBeNull();
+      const updated = updateProvider("linear", {
+        logoUrl: "https://cdn.simpleicons.org/linear",
+      });
+      expect(updated).toBeDefined();
+      expect(updated!.logoUrl).toBe("https://cdn.simpleicons.org/linear");
       const fetched = getProvider("linear");
-      expect(fetched).toBeDefined();
-      expect(fetched!.providerKey).toBe("linear");
+      expect(fetched!.logoUrl).toBe("https://cdn.simpleicons.org/linear");
     });
-    test("throws for duplicate provider_key", () => {
+    test("clears logoUrl when passed null", () => {
       registerProvider({
-        providerKey: "linear",
-        authUrl: "https://linear.app/oauth/authorize",
-        tokenUrl: "https://api.linear.app/oauth/token",
+        provider: "notion",
+        authorizeUrl: "https://api.notion.com/v1/oauth/authorize",
+        tokenExchangeUrl: "https://api.notion.com/v1/oauth/token",
         defaultScopes: ["read"],
         scopePolicy: {},
+        logoUrl: "https://cdn.simpleicons.org/notion",
       });
-      expect(() =>
-        registerProvider({
-          providerKey: "linear",
-          authUrl: "https://linear.app/oauth/authorize",
-          tokenUrl: "https://api.linear.app/oauth/token",
+      expect(getProvider("notion")!.logoUrl).toBe(
+        "https://cdn.simpleicons.org/notion",
+      );
+      const updated = updateProvider("notion", { logoUrl: null });
+      expect(updated).toBeDefined();
+      expect(updated!.logoUrl).toBeNull();
+      expect(getProvider("notion")!.logoUrl).toBeNull();
+    });
+    test("leaves logoUrl unchanged when not passed to updateProvider", () => {
+      registerProvider({
+        provider: "notion",
+        authorizeUrl: "https://api.notion.com/v1/oauth/authorize",
+        tokenExchangeUrl: "https://api.notion.com/v1/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+        logoUrl: "https://cdn.simpleicons.org/notion",
+      });
+      expect(getProvider("notion")!.logoUrl).toBe(
+        "https://cdn.simpleicons.org/notion",
+      );
+      // Update a different field — logoUrl should be left alone.
+      const updated = updateProvider("notion", {
+        displayLabel: "Notion (updated)",
+      });
+      expect(updated).toBeDefined();
+      expect(updated!.logoUrl).toBe("https://cdn.simpleicons.org/notion");
+      expect(updated!.displayLabel).toBe("Notion (updated)");
+    });
+  });
+  describe("scopeSeparator empty-string coercion", () => {
+    test("seedProviders coerces empty-string scopeSeparator to ' '", () => {
+      seedProviders([
+        {
+          provider: "linear",
+          authorizeUrl: "https://linear.app/oauth/authorize",
+          tokenExchangeUrl: "https://api.linear.app/oauth/token",
           defaultScopes: ["read"],
           scopePolicy: {},
-        }),
-      ).toThrow(/already exists.*linear/);
+          scopeSeparator: "",
+        },
+      ]);
+      const row = getProvider("linear");
+      expect(row!.scopeSeparator).toBe(" ");
+    });
+    test("registerProvider coerces empty-string scopeSeparator to ' '", () => {
+      registerProvider({
+        provider: "linear",
+        authorizeUrl: "https://linear.app/oauth/authorize",
+        tokenExchangeUrl: "https://api.linear.app/oauth/token",
+        defaultScopes: ["read"],
+        scopePolicy: {},
+        scopeSeparator: "",
+      });
+      const row = getProvider("linear");
+      expect(row!.scopeSeparator).toBe(" ");
     });
   });
 });
@@ -351,13 +1258,13 @@ describe("app operations", () => {
       expect(app.id).toMatch(
         /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/,
       );
-      expect(app.providerKey).toBe("github");
+      expect(app.provider).toBe("github");
       expect(app.clientId).toBe("client-abc");
       expect(app.createdAt).toBeGreaterThan(0);
       expect(app.updatedAt).toBeGreaterThan(0);
     });
-    test("returns the existing app when called again with same (providerKey, clientId)", async () => {
+    test("returns the existing app when called again with same (provider, clientId)", async () => {
       seedTestProvider("github");
       const first = await upsertApp("github", "client-abc");
       const second = await upsertApp("github", "client-abc");
@@ -476,7 +1383,7 @@ describe("app operations", () => {
       expect(fetched).toBeDefined();
       expect(fetched!.id).toBe(app.id);
-      expect(fetched!.providerKey).toBe("github");
+      expect(fetched!.provider).toBe("github");
       expect(fetched!.clientId).toBe("client-1");
     });
@@ -564,7 +1471,7 @@ describe("connection operations", () => {
       const app = await createTestApp("github", "client-1");
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo", "user"],
         hasRefreshToken: true,
         accountInfo: "user@example.com",
@@ -574,7 +1481,7 @@ describe("connection operations", () => {
       expect(conn.id).toBeTruthy();
       expect(conn.oauthAppId).toBe(app.id);
-      expect(conn.providerKey).toBe("github");
+      expect(conn.provider).toBe("github");
       expect(conn.status).toBe("active");
       expect(JSON.parse(conn.grantedScopes)).toEqual(["repo", "user"]);
       expect(conn.hasRefreshToken).toBe(1);
@@ -590,7 +1497,7 @@ describe("connection operations", () => {
       const app = await createTestApp("github", "client-1");
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -598,7 +1505,7 @@ describe("connection operations", () => {
       const fetched = getConnection(conn.id);
       expect(fetched).toBeDefined();
       expect(fetched!.id).toBe(conn.id);
-      expect(fetched!.providerKey).toBe("github");
+      expect(fetched!.provider).toBe("github");
     });
     test("returns undefined for unknown id", () => {
@@ -612,7 +1519,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
         createdAt: 1000,
@@ -620,7 +1527,7 @@ describe("connection operations", () => {
       const conn2 = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo", "user"],
         hasRefreshToken: true,
         createdAt: 2000,
@@ -636,7 +1543,7 @@ describe("connection operations", () => {
       const conn1 = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user1@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -645,7 +1552,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user2@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -665,7 +1572,7 @@ describe("connection operations", () => {
       const conn1 = createConnection({
         oauthAppId: app1.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
         createdAt: 1000,
@@ -673,7 +1580,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app2.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
         createdAt: 2000,
@@ -689,7 +1596,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -705,7 +1612,7 @@ describe("connection operations", () => {
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -727,7 +1634,7 @@ describe("connection operations", () => {
       // Create two connections with explicit timestamps so ordering is deterministic
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
         createdAt: 1000,
@@ -735,7 +1642,7 @@ describe("connection operations", () => {
       const conn2 = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo", "user"],
         hasRefreshToken: true,
         createdAt: 2000,
@@ -751,14 +1658,14 @@ describe("connection operations", () => {
       const conn1 = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
       const conn2 = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo", "user"],
         hasRefreshToken: true,
       });
@@ -776,7 +1683,7 @@ describe("connection operations", () => {
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -798,7 +1705,7 @@ describe("connection operations", () => {
       const conn1 = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user1@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -807,7 +1714,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user2@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -827,7 +1734,7 @@ describe("connection operations", () => {
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -843,7 +1750,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -861,7 +1768,7 @@ describe("connection operations", () => {
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -882,7 +1789,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user1@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -890,7 +1797,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user2@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -905,7 +1812,7 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user1@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -913,7 +1820,7 @@ describe("connection operations", () => {
       const conn2 = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         accountInfo: "user2@example.com",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
@@ -936,7 +1843,7 @@ describe("connection operations", () => {
       const app = await createTestApp("github", "client-1");
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -950,7 +1857,7 @@ describe("connection operations", () => {
       const app = await createTestApp("github", "client-1");
       createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -967,7 +1874,7 @@ describe("connection operations", () => {
       const app = await createTestApp("github", "client-1");
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -984,7 +1891,7 @@ describe("connection operations", () => {
       const app = await createTestApp("github", "client-1");
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -1021,7 +1928,7 @@ describe("connection operations", () => {
       const conn = createConnection({
         oauthAppId: app1.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -1051,13 +1958,13 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: ghApp.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
       createConnection({
         oauthAppId: googApp.id,
-        providerKey: "google",
+        provider: "google",
         grantedScopes: ["email"],
         hasRefreshToken: true,
       });
@@ -1073,24 +1980,24 @@ describe("connection operations", () => {
       createConnection({
         oauthAppId: ghApp.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
       createConnection({
         oauthAppId: googApp.id,
-        providerKey: "google",
+        provider: "google",
         grantedScopes: ["email"],
         hasRefreshToken: true,
       });
       const ghConns = listConnections("github");
       expect(ghConns).toHaveLength(1);
-      expect(ghConns[0].providerKey).toBe("github");
+      expect(ghConns[0].provider).toBe("github");
       const googConns = listConnections("google");
       expect(googConns).toHaveLength(1);
-      expect(googConns[0].providerKey).toBe("google");
+      expect(googConns[0].provider).toBe("google");
     });
     test("returns empty array when no connections exist", () => {
@@ -1103,7 +2010,7 @@ describe("connection operations", () => {
       const app = await createTestApp("github", "client-1");
       const conn = createConnection({
         oauthAppId: app.id,
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       });
@@ -1124,17 +2031,40 @@ describe("connection operations", () => {
 // ---------------------------------------------------------------------------
 describe("disconnectOAuthProvider", () => {
+  /**
+   * Seed a provider with revokeUrl and (optionally) a revokeBodyTemplate.
+   */
+  function seedProviderWithRevoke(
+    provider: string,
+    revokeUrl: string | null,
+    revokeBodyTemplate?: Record<string, string>,
+  ): void {
+    seedProviders([
+      {
+        provider,
+        authorizeUrl: `https://${provider}.example.com/authorize`,
+        tokenExchangeUrl: `https://${provider}.example.com/token`,
+        defaultScopes: ["read"],
+        scopePolicy: {},
+        ...(revokeUrl ? { revokeUrl } : {}),
+        ...(revokeBodyTemplate ? { revokeBodyTemplate } : {}),
+      },
+    ]);
+  }
   test("returns 'not-found' when no connection exists for the provider", async () => {
     const result = await disconnectOAuthProvider("github");
     expect(result).toBe("not-found");
     expect(mockDeleteSecureKeyAsync).not.toHaveBeenCalled();
+    // No upstream call should be made when there is no connection at all.
+    expect(getMockFetchCalls().length).toBe(0);
   });
   test("returns 'disconnected' and deletes connection row and secure keys when connection exists", async () => {
     const app = await createTestApp("github", "client-1");
     const conn = createConnection({
       oauthAppId: app.id,
-      providerKey: "github",
+      provider: "github",
       grantedScopes: ["repo"],
       hasRefreshToken: true,
     });
@@ -1154,6 +2084,365 @@ describe("disconnectOAuthProvider", () => {
     // Verify connection row was deleted
     expect(getConnection(conn.id)).toBeUndefined();
   });
+  test("calls upstream revoke when provider has revokeUrl and access token exists", async () => {
+    seedProviderWithRevoke("google", "https://oauth2.googleapis.com/revoke", {
+      token: "{access_token}",
+      client_id: "{client_id}",
+    });
+    const app = await upsertApp("google", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: true,
+    });
+    secureKeyValues.set(
+      `oauth_connection/${conn.id}/access_token`,
+      "fake-token-xyz",
+    );
+    mockFetch(
+      "https://oauth2.googleapis.com/revoke",
+      { method: "POST" },
+      { status: 200, body: {} },
+    );
+    const result = await disconnectOAuthProvider("google");
+    expect(result).toBe("disconnected");
+    const calls = getMockFetchCalls();
+    expect(calls.length).toBe(1);
+    expect(calls[0]!.path).toContain("https://oauth2.googleapis.com/revoke");
+    const body = String(calls[0]!.init.body ?? "");
+    const params = new URLSearchParams(body);
+    expect(params.get("token")).toBe("fake-token-xyz");
+    expect(params.get("client_id")).toBe("client-1");
+  });
+  test("skips upstream revoke when provider has no revokeUrl", async () => {
+    // GitHub seeded by createTestApp via seedTestProvider — no revokeUrl.
+    const app = await createTestApp("github", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "github",
+      grantedScopes: ["repo"],
+      hasRefreshToken: false,
+    });
+    secureKeyValues.set(
+      `oauth_connection/${conn.id}/access_token`,
+      "github-token",
+    );
+    const result = await disconnectOAuthProvider("github");
+    expect(result).toBe("disconnected");
+    expect(getMockFetchCalls().length).toBe(0);
+  });
+  test("skips upstream revoke when no access token exists in secure storage", async () => {
+    seedProviderWithRevoke("google", "https://oauth2.googleapis.com/revoke", {
+      token: "{access_token}",
+    });
+    const app = await upsertApp("google", "client-1");
+    createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: false,
+    });
+    // No access token seeded into secureKeyValues.
+    const result = await disconnectOAuthProvider("google");
+    expect(result).toBe("disconnected");
+    expect(getMockFetchCalls().length).toBe(0);
+  });
+  test("continues local cleanup when upstream revoke returns non-2xx", async () => {
+    seedProviderWithRevoke("google", "https://oauth2.googleapis.com/revoke", {
+      token: "{access_token}",
+    });
+    const app = await upsertApp("google", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: true,
+    });
+    secureKeyValues.set(
+      `oauth_connection/${conn.id}/access_token`,
+      "fake-token-xyz",
+    );
+    mockFetch(
+      "https://oauth2.googleapis.com/revoke",
+      { method: "POST" },
+      { status: 400, body: { error: "invalid_token" } },
+    );
+    const result = await disconnectOAuthProvider("google");
+    expect(result).toBe("disconnected");
+    expect(getMockFetchCalls().length).toBe(1);
+    // Local cleanup still happened
+    expect(mockDeleteSecureKeyAsync).toHaveBeenCalledWith(
+      `oauth_connection/${conn.id}/access_token`,
+    );
+    expect(getConnection(conn.id)).toBeUndefined();
+  });
+  test("continues local cleanup when upstream revoke throws (network error)", async () => {
+    seedProviderWithRevoke("google", "https://oauth2.googleapis.com/revoke", {
+      token: "{access_token}",
+    });
+    const app = await upsertApp("google", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: true,
+    });
+    secureKeyValues.set(
+      `oauth_connection/${conn.id}/access_token`,
+      "fake-token-xyz",
+    );
+    // 500 exercises the same swallow path as a network error.
+    mockFetch(
+      "https://oauth2.googleapis.com/revoke",
+      { method: "POST" },
+      { status: 500, body: { error: "server_error" } },
+    );
+    const result = await disconnectOAuthProvider("google");
+    expect(result).toBe("disconnected");
+    expect(getConnection(conn.id)).toBeUndefined();
+  });
+  test("substitutes {access_token} and {client_id} in body template values", async () => {
+    seedProviderWithRevoke("google", "https://oauth2.googleapis.com/revoke", {
+      token: "{access_token}",
+      client_id: "{client_id}",
+      token_type_hint: "access_token",
+    });
+    const app = await upsertApp("google", "client-substitution");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: false,
+    });
+    secureKeyValues.set(
+      `oauth_connection/${conn.id}/access_token`,
+      "tok-substitution",
+    );
+    mockFetch(
+      "https://oauth2.googleapis.com/revoke",
+      { method: "POST" },
+      { status: 200, body: {} },
+    );
+    await disconnectOAuthProvider("google");
+    const calls = getMockFetchCalls();
+    expect(calls.length).toBe(1);
+    const body = String(calls[0]!.init.body ?? "");
+    const params = new URLSearchParams(body);
+    expect(params.get("token")).toBe("tok-substitution");
+    expect(params.get("client_id")).toBe("client-substitution");
+    expect(params.get("token_type_hint")).toBe("access_token");
+  });
+  test("treats $-prefixed patterns in access token as literal text (String.replace gotcha)", async () => {
+    // String.prototype.replace interprets $-prefixed patterns in the
+    // replacement string as special sequences ($& = matched substring,
+    // $' = after match, $` = before match, $$ = literal $). If the access
+    // token contains "$&", a naive `.replace("{access_token}", accessToken)`
+    // would expand it to "{access_token}" (the matched string) instead of
+    // substituting literally. This test guards against that by asserting
+    // the captured body contains the literal "tok$&abc" — which only holds
+    // when we use a function-replacement callback that preserves literal
+    // semantics and mirrors Python's str.replace() behavior.
+    seedProviderWithRevoke("google", "https://revoke.example.com/r", {
+      token: "{access_token}",
+    });
+    const app = await upsertApp("google", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: false,
+    });
+    secureKeyValues.set(`oauth_connection/${conn.id}/access_token`, "tok$&abc");
+    mockFetch(
+      "https://revoke.example.com/r",
+      { method: "POST" },
+      { status: 200, body: {} },
+    );
+    await disconnectOAuthProvider("google");
+    const calls = getMockFetchCalls();
+    expect(calls.length).toBe(1);
+    const body = String(calls[0]!.init.body ?? "");
+    const params = new URLSearchParams(body);
+    // The literal access token — not the $&-expanded version, which would
+    // be "tok{access_token}abc" (where $& matched "{access_token}").
+    expect(params.get("token")).toBe("tok$&abc");
+  });
+  test("replaces all occurrences of {access_token} in body template values (matching Python str.replace)", async () => {
+    // Python's str.replace(old, new) replaces ALL occurrences by default,
+    // whereas JavaScript's String.prototype.replace with a string pattern
+    // only replaces the FIRST occurrence. The platform's try_revoke_token
+    // is implemented in Python, so any template value containing repeated
+    // placeholders must have ALL of them substituted to preserve parity.
+    // This test guards against a regression to .replace(), which would
+    // leave the second {access_token} as a literal placeholder.
+    seedProviderWithRevoke("google", "https://revoke.example.com/r", {
+      token: "token={access_token}&also={access_token}",
+    });
+    const app = await upsertApp("google", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: false,
+    });
+    secureKeyValues.set(`oauth_connection/${conn.id}/access_token`, "fake-abc");
+    mockFetch(
+      "https://revoke.example.com/r",
+      { method: "POST" },
+      { status: 200, body: {} },
+    );
+    await disconnectOAuthProvider("google");
+    const calls = getMockFetchCalls();
+    expect(calls.length).toBe(1);
+    const body = String(calls[0]!.init.body ?? "");
+    const params = new URLSearchParams(body);
+    // Both {access_token} placeholders must be substituted. With the buggy
+    // .replace() (single-occurrence), this would be
+    // "token=fake-abc&also={access_token}" instead.
+    expect(params.get("token")).toBe("token=fake-abc&also=fake-abc");
+  });
+  test("coerces non-string body template values to strings", async () => {
+    // seedProviderWithRevoke restricts to Record<string, string>; bypass it
+    // here by inserting a template with a numeric value via a direct seed.
+    seedProviders([
+      {
+        provider: "google",
+        authorizeUrl: "https://google.example.com/authorize",
+        tokenExchangeUrl: "https://google.example.com/token",
+        defaultScopes: ["email"],
+        scopePolicy: {},
+        revokeUrl: "https://oauth2.googleapis.com/revoke",
+        revokeBodyTemplate: {
+          token: "{access_token}",
+          // expires_in is a number — must be coerced via String(value).
+          expires_in: 3600,
+        } as unknown as Record<string, string>,
+      },
+    ]);
+    const app = await upsertApp("google", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: false,
+    });
+    secureKeyValues.set(
+      `oauth_connection/${conn.id}/access_token`,
+      "fake-token-xyz",
+    );
+    mockFetch(
+      "https://oauth2.googleapis.com/revoke",
+      { method: "POST" },
+      { status: 200, body: {} },
+    );
+    await disconnectOAuthProvider("google");
+    const calls = getMockFetchCalls();
+    expect(calls.length).toBe(1);
+    const body = String(calls[0]!.init.body ?? "");
+    const params = new URLSearchParams(body);
+    expect(params.get("token")).toBe("fake-token-xyz");
+    expect(params.get("expires_in")).toBe("3600");
+  });
+  test("revokes BEFORE deleting tokens from secure storage", async () => {
+    seedProviderWithRevoke("google", "https://oauth2.googleapis.com/revoke", {
+      token: "{access_token}",
+    });
+    const app = await upsertApp("google", "client-1");
+    const conn = createConnection({
+      oauthAppId: app.id,
+      provider: "google",
+      grantedScopes: ["email"],
+      hasRefreshToken: true,
+    });
+    secureKeyValues.set(
+      `oauth_connection/${conn.id}/access_token`,
+      "fake-token-xyz",
+    );
+    const order: string[] = [];
+    // Wrap the mockFetch entry's response handler by registering a fetch
+    // mock that records the call order via the existing mockFetch helper.
+    // The mock fetch records to getMockFetchCalls; we tag ordering by
+    // pushing a marker as soon as the response is constructed below.
+    mockFetch(
+      "https://oauth2.googleapis.com/revoke",
+      { method: "POST" },
+      new Response(JSON.stringify({}), {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      }),
+    );
+    // Wrap delete to record its order. We replace the mock implementation
+    // for the duration of this test only.
+    mockDeleteSecureKeyAsync.mockImplementation(() => {
+      order.push("delete");
+      return Promise.resolve("deleted" as const);
+    });
+    // Wrap fetch one more layer: tap into the actual fetch call to record
+    // ordering. We do this by overriding globalThis.fetch with a wrapper
+    // that calls through to the existing mock and records ordering first.
+    const wrappedFetch = globalThis.fetch;
+    globalThis.fetch = (async (
+      input: RequestInfo | URL,
+      init?: RequestInit,
+    ) => {
+      order.push("fetch");
+      return wrappedFetch(input, init);
+    }) as typeof globalThis.fetch;
+    try {
+      const result = await disconnectOAuthProvider("google");
+      expect(result).toBe("disconnected");
+    } finally {
+      // Restore the wrapper layer; resetMockFetch in beforeEach will reset
+      // the underlying mock for the next test.
+      globalThis.fetch = wrappedFetch;
+      mockDeleteSecureKeyAsync.mockImplementation(
+        (): Promise<"deleted" | "not-found" | "error"> =>
+          Promise.resolve("deleted" as const),
+      );
+    }
+    expect(order[0]).toBe("fetch");
+    expect(order).toContain("delete");
+    expect(order.indexOf("fetch")).toBeLessThan(order.indexOf("delete"));
+  });
 });
 // ---------------------------------------------------------------------------
@@ -1172,7 +2461,7 @@ describe("FK constraints", () => {
     expect(() =>
       createConnection({
         oauthAppId: "nonexistent-app-id",
-        providerKey: "github",
+        provider: "github",
         grantedScopes: ["repo"],
         hasRefreshToken: false,
       }),