@vellumai/assistant 0.7.2 → 0.7.3

package/src/cli/commands/oauth/__tests__/connect.test.ts

@@ -42,6 +42,20 @@ let mockPlatformFetchCallIndex = 0;
 
 let mockIsManagedMode: (key: string) => boolean = () => false;
 
+// Configurable logger mock: by default no-ops; individual tests can override
+// mockLogInfo to write to process.stdout so the JSON-mode suppression guard is
+// exercised (the real CLI logger writes log lines to stdout).
+let mockLogInfo: (msg: string) => void = () => {};
+
+let mockCliIpcCallFn: (
+  method: string,
+  params?: Record<string, unknown>,
+  opts?: { timeoutMs?: number },
+) => Promise<{ ok: boolean; result?: unknown; error?: string; statusCode?: number }> = async () => ({
+  ok: false,
+  error: "IPC unavailable (default mock — forces fallback)",
+});
+
 // ---------------------------------------------------------------------------
 // Mocks
 // ---------------------------------------------------------------------------
@@ -101,7 +115,7 @@ mock.module("../../../../util/logger.js", () => ({
     debug: () => {},
   }),
   getCliLogger: () => ({
-    info: () => {},
+    info: (msg: string) => mockLogInfo(msg),
     warn: () => {},
     error: () => {},
     debug: () => {},
@@ -127,6 +141,14 @@ mock.module("../../../../security/secure-keys.js", () => ({
   _resetBackend: () => {},
 }));
 
+mock.module("../../../../ipc/cli-client.js", () => ({
+  cliIpcCall: (
+    method: string,
+    params?: Record<string, unknown>,
+    opts?: { timeoutMs?: number },
+  ) => mockCliIpcCallFn(method, params, opts),
+}));
+
 mock.module("../../../lib/daemon-credential-client.js", () => ({
   deleteSecureKeyViaDaemon: async () => "not-found" as const,
   setSecureKeyViaDaemon: async () => false,
@@ -254,6 +276,8 @@ describe("assistant oauth connect", () => {
     mockPlatformFetchResults = [];
     mockPlatformFetchCallIndex = 0;
     mockIsManagedMode = () => false;
+    mockCliIpcCallFn = async () => ({ ok: false, error: "IPC unavailable" });
+    mockLogInfo = () => {};
     process.exitCode = 0;
   });
 
@@ -724,6 +748,418 @@ describe("assistant oauth connect", () => {
     expect(parsed.error).toContain("--field");
   });
 
+  // -------------------------------------------------------------------------
+  // IPC-first path (daemon-orchestrated)
+  // -------------------------------------------------------------------------
+
+  describe("IPC-first path (BYO mode via daemon)", () => {
+    beforeEach(() => {
+      // Set up a valid BYO provider and app for all IPC tests
+      mockGetProvider = () => ({
+        provider: "google",
+        authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+        tokenExchangeUrl: "https://oauth2.googleapis.com/token",
+        tokenExchangeBodyFormat: "form",
+        managedServiceConfigKey: null,
+      });
+      mockIsManagedMode = () => false;
+      mockGetMostRecentAppByProvider = () => ({
+        id: "app-1",
+        clientId: "ipc-client-id",
+        clientSecretCredentialPath: "oauth_app/app-1/client_secret",
+        provider: "google",
+        createdAt: 0,
+        updatedAt: 0,
+      });
+    });
+
+    test("IPC start succeeds + polling returns complete → exits 0 with success output", async () => {
+      let pollCallCount = 0;
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=ipc-state",
+              state: "ipc-state",
+            },
+          };
+        }
+        if (method === "internal_oauth_connect_status") {
+          pollCallCount++;
+          return {
+            ok: true,
+            result: {
+              status: "complete",
+              service: "google",
+              account_info: "user@example.com",
+            },
+          };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.accountInfo).toBe("user@example.com");
+      expect(mockOpenInBrowserCalls.length).toBe(1);
+      expect(mockOpenInBrowserCalls[0]).toBe(
+        "https://accounts.google.com/o/oauth2/auth?state=ipc-state",
+      );
+      expect(pollCallCount).toBeGreaterThanOrEqual(1);
+    });
+
+    test("IPC start succeeds + polling returns error → exits 1 with error message", async () => {
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=ipc-state",
+              state: "ipc-state",
+            },
+          };
+        }
+        if (method === "internal_oauth_connect_status") {
+          return {
+            ok: true,
+            result: {
+              status: "error",
+              service: "google",
+              error: "exchange failed",
+            },
+          };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(1);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.error).toBe("exchange failed");
+    });
+
+    test("IPC start + --no-browser + json → returns deferred JSON without polling status", async () => {
+      let statusCallCount = 0;
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=ipc-state",
+              state: "ipc-state",
+            },
+          };
+        }
+        if (method === "internal_oauth_connect_status") {
+          statusCallCount++;
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--no-browser",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.deferred).toBe(true);
+      expect(parsed.authUrl).toBe("https://accounts.google.com/o/oauth2/auth?state=ipc-state");
+      expect(parsed.state).toBe("ipc-state");
+      expect(parsed.service).toBe("google");
+      // Should NOT poll status when --no-browser is set
+      expect(statusCallCount).toBe(0);
+      // Should NOT open browser
+      expect(mockOpenInBrowserCalls.length).toBe(0);
+    });
+
+    test("IPC start + --no-browser without json → prints URL to stdout", async () => {
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=ipc-state",
+              state: "ipc-state",
+            },
+          };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--no-browser",
+      ]);
+      expect(exitCode).toBe(0);
+      expect(stdout).toContain("https://accounts.google.com/o/oauth2/auth?state=ipc-state");
+      expect(mockOpenInBrowserCalls.length).toBe(0);
+    });
+
+    test("IPC returns ok:false → falls back to in-process orchestrateOAuthConnect", async () => {
+      // Default mockCliIpcCallFn already returns ok: false
+      let orchestratorCalled = false;
+      mockOrchestrateOAuthConnect = async () => {
+        orchestratorCalled = true;
+        return {
+          success: true,
+          deferred: false,
+          grantedScopes: ["email"],
+          accountInfo: "fallback@example.com",
+        };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      expect(orchestratorCalled).toBe(true);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.accountInfo).toBe("fallback@example.com");
+    });
+
+    test("IPC returns ok:false with statusCode → surfaces daemon error, does NOT fall back", async () => {
+      // Daemon was reachable but returned an error (e.g. 500)
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return { ok: false, statusCode: 500, error: "internal server error" };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+      let orchestratorCalled = false;
+      mockOrchestrateOAuthConnect = async () => {
+        orchestratorCalled = true;
+        return { success: true, deferred: false, grantedScopes: [] };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(1);
+      // Must NOT fall back to the in-process orchestrator
+      expect(orchestratorCalled).toBe(false);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.error).toBe("internal server error");
+    });
+
+    test("IPC poll returns ok:false with statusCode → breaks early with error, does NOT wait for timeout", async () => {
+      // Fix 1: daemon was reachable during status poll but errored — should surface the
+      // error immediately instead of waiting out the full 5-minute timeout.
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=poll-err-state",
+              state: "poll-err-state",
+            },
+          };
+        }
+        if (method === "internal_oauth_connect_status") {
+          return { ok: false, statusCode: 500, error: "poll error" };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(1);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(false);
+      // The daemon error should be surfaced, not a timeout sentinel
+      expect(parsed.error).toBe("poll error");
+    });
+
+    test("IPC start returns ok:true with no auth_url → surfaces error, does NOT call in-process orchestrator", async () => {
+      // Fix 2: daemon returns { ok: true } but without an auth_url — malformed response
+      // should be an error, not a silent fallback to in-process (which has heap-split bug).
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return { ok: true, result: {} };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+      let orchestratorCalled = false;
+      mockOrchestrateOAuthConnect = async () => {
+        orchestratorCalled = true;
+        return { success: true, deferred: false, grantedScopes: [] };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(1);
+      // Must NOT fall back to the in-process orchestrator
+      expect(orchestratorCalled).toBe(false);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(false);
+      expect(parsed.error).toContain("assistant returned unexpected response");
+    });
+
+    test("IPC poll: transient ok:false with no statusCode does not abort the flow (continues to next poll)", async () => {
+      // Verifies intentional behavior: a single IPC status call returning { ok: false }
+      // with NO statusCode (socket error / timeout) is treated as a transient failure and
+      // silently retried. Only ok:false WITH a statusCode (i.e., the daemon was reachable
+      // and returned an HTTP error) causes an early abort.
+      let statusCallCount = 0;
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=transient-state",
+              state: "transient-state",
+            },
+          };
+        }
+        if (method === "internal_oauth_connect_status") {
+          statusCallCount++;
+          if (statusCallCount === 1) {
+            // First poll: transient IPC failure (no statusCode — socket error/timeout)
+            return { ok: false };
+          }
+          // Second poll: succeeds
+          return {
+            ok: true,
+            result: {
+              status: "complete",
+              service: "google",
+              account_info: "user@example.com",
+            },
+          };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.accountInfo).toBe("user@example.com");
+      // Both poll calls were made — the transient failure did not abort the loop
+      expect(statusCallCount).toBeGreaterThanOrEqual(2);
+    });
+
+    test("IPC success path with --json: stdout does NOT contain 'Waiting for authorization' text", async () => {
+      // Regression guard for P1: the browser-wait log.info must be suppressed in JSON mode
+      // so that machine consumers parsing stdout as JSON don't see corrupted non-JSON output.
+      //
+      // We configure the logger mock to write to process.stdout (matching the real CLI logger's
+      // behavior) so this test would FAIL if the `if (!jsonMode)` guard were removed from connect.ts.
+      mockLogInfo = (msg: string) => {
+        process.stdout.write(msg + "\n");
+      };
+
+      mockCliIpcCallFn = async (method) => {
+        if (method === "internal_oauth_connect_start") {
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=json-mode-state",
+              state: "json-mode-state",
+            },
+          };
+        }
+        if (method === "internal_oauth_connect_status") {
+          return {
+            ok: true,
+            result: {
+              status: "complete",
+              service: "google",
+              account_info: "user@example.com",
+            },
+          };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      // The suppressed log line must not appear anywhere in stdout
+      expect(stdout).not.toContain("Waiting for authorization");
+      // stdout must be valid JSON — no plain-text lines mixed in
+      expect(() => JSON.parse(stdout)).not.toThrow();
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(true);
+    });
+
+    test("IPC start with --callback-transport=gateway passes callbackTransport in body", async () => {
+      let capturedParams: Record<string, unknown> | undefined;
+      mockCliIpcCallFn = async (method, params) => {
+        if (method === "internal_oauth_connect_start") {
+          capturedParams = params;
+          return {
+            ok: true,
+            result: {
+              auth_url: "https://accounts.google.com/o/oauth2/auth?state=gw-state",
+              state: "gw-state",
+            },
+          };
+        }
+        if (method === "internal_oauth_connect_status") {
+          return {
+            ok: true,
+            result: {
+              status: "complete",
+              service: "google",
+              account_info: "gw-user@example.com",
+            },
+          };
+        }
+        return { ok: false, error: "unexpected method" };
+      };
+
+      const { exitCode, stdout } = await runCommand([
+        "connect",
+        "google",
+        "--callback-transport",
+        "gateway",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      // Verify callbackTransport was forwarded in the IPC body
+      expect(capturedParams).toBeDefined();
+      expect((capturedParams!.body as Record<string, unknown>).callbackTransport).toBe("gateway");
+      const parsed = JSON.parse(stdout);
+      expect(parsed.ok).toBe(true);
+      expect(parsed.accountInfo).toBe("gw-user@example.com");
+    });
+  });
+
   // -------------------------------------------------------------------------
   // Orchestrator error propagation
   // -------------------------------------------------------------------------

package/src/cli/commands/oauth/connect.ts

@@ -3,6 +3,7 @@ import { createServer, type Server } from "node:http";
 import type { Command } from "commander";
 
 import { getIsContainerized } from "../../../config/env-registry.js";
+import { cliIpcCall } from "../../../ipc/cli-client.js";
 import { orchestrateOAuthConnect } from "../../../oauth/connect-orchestrator.js";
 import {
   getAppByProviderAndClientId,
@@ -69,6 +70,39 @@ function startManagedRedirectServer(provider: string): Promise<{
   });
 }
 
+// ---------------------------------------------------------------------------
+// IPC polling helpers
+// ---------------------------------------------------------------------------
+
+type OAuthConnectStatusResponse =
+  | { status: "pending"; service: string }
+  | { status: "complete"; service: string; account_info?: string; granted_scopes?: string[] }
+  | { status: "error"; service: string; error?: string };
+
+async function pollOAuthConnectStatus(
+  state: string,
+  opts: { intervalMs: number; timeoutMs: number },
+): Promise<OAuthConnectStatusResponse> {
+  const deadline = Date.now() + opts.timeoutMs;
+  while (Date.now() < deadline) {
+    const r = await cliIpcCall<OAuthConnectStatusResponse>(
+      "internal_oauth_connect_status",
+      { pathParams: { state } },
+    );
+    if (r.ok && r.result) {
+      const { status } = r.result;
+      if (status === "complete" || status === "error") {
+        return r.result;
+      }
+    }
+    if (!r.ok && r.statusCode !== undefined) {
+      return { status: "error", service: "?", error: r.error ?? "assistant error during OAuth status poll" };
+    }
+    await new Promise<void>((res) => setTimeout(res, opts.intervalMs));
+  }
+  return { status: "error", service: "?", error: "Timed out waiting for OAuth callback" };
+}
+
 // ---------------------------------------------------------------------------
 // Command registration
 // ---------------------------------------------------------------------------
@@ -392,7 +426,99 @@ Examples:
               }
             }
 
-            // e. Call the orchestrator
+            // e. Try daemon-orchestrated path first (fixes heap-split for gateway transport).
+            const startResult = await cliIpcCall<{ auth_url: string; state: string }>(
+              "internal_oauth_connect_start",
+              {
+                body: {
+                  service: provider,
+                  clientId,
+                  ...(clientSecret !== undefined ? { clientSecret } : {}),
+                  callbackTransport: opts.callbackTransport,
+                  ...(opts.scopes ? { requestedScopes: opts.scopes } : {}),
+                },
+              },
+            );
+
+            if (startResult.ok && startResult.result?.auth_url) {
+              const { auth_url, state } = startResult.result;
+
+              if (opts.browser !== false) {
+                await openInHostBrowser(auth_url);
+
+                if (!jsonMode) {
+                  log.info("Waiting for authorization in browser... (press Ctrl+C to cancel)");
+                }
+                const final = await pollOAuthConnectStatus(state, {
+                  intervalMs: 2000,
+                  timeoutMs: 5 * 60 * 1000, // match LOOPBACK_TIMEOUT_MS in oauth2.ts (5 min)
+                });
+
+                if (final.status === "complete") {
+                  if (jsonMode) {
+                    writeOutput(cmd, {
+                      ok: true,
+                      grantedScopes: final.granted_scopes ?? [],
+                      accountInfo: final.account_info,
+                    });
+                  } else {
+                    process.stdout.write(
+                      `Connected to ${provider}${final.account_info ? ` as ${final.account_info}` : ""}\n`,
+                    );
+                  }
+                  return;
+                }
+
+                if (final.status === "error") {
+                  // Includes the timeout sentinel emitted by pollOAuthConnectStatus.
+                  writeError(final.error ?? "OAuth connect failed");
+                  return;
+                }
+
+                // Defensive: pollOAuthConnectStatus should never return pending,
+                // but TS narrowing requires us to handle it.
+                writeError("OAuth connect ended in an unexpected pending state");
+                return;
+              } else {
+                // --no-browser: return the URL immediately, matching existing deferred behavior.
+                if (jsonMode) {
+                  writeOutput(cmd, {
+                    ok: true,
+                    deferred: true,
+                    authUrl: auth_url,
+                    state,
+                    service: provider,
+                  });
+                } else {
+                  process.stdout.write(
+                    `\nAuthorize with ${provider}:\n\n${auth_url}\n\nThe connection will complete automatically once you authorize.\n`,
+                  );
+                }
+                return;
+              }
+            }
+
+            // ok:true but no auth_url means a malformed daemon response — surface an error rather
+            // than falling back to in-process (which would re-introduce the heap-split bug for
+            // gateway transport).
+            if (startResult.ok && !startResult.result?.auth_url) {
+              writeError("assistant returned unexpected response for OAuth connect start");
+              return;
+            }
+
+            // If the daemon was reachable but returned an error, surface it rather than
+            // falling back to in-process (which would re-introduce the heap-split bug for
+            // gateway transport).
+            if (!startResult.ok && startResult.statusCode !== undefined) {
+              writeError(startResult.error ?? "OAuth connect failed (assistant error)");
+              return;
+            }
+
+            // IPC unavailable (daemon unreachable, older daemon without this route, socket missing).
+            // Fall through to the existing in-process flow. This still carries the heap-split bug
+            // for gateway transport, but if the daemon is unreachable we have a worse problem;
+            // the fallback preserves existing behavior as a regression guard.
+            // e. Call the orchestrator (in-process fallback)
             const result = await orchestrateOAuthConnect({
               service: provider,
               clientId,

package/src/cli/commands/platform/__tests__/callback-routes-list.test.ts

@@ -10,7 +10,6 @@ let mockResolvePlatformCallbackRegistrationContext: () => Promise<
   isPlatform: false,
   platformBaseUrl: "",
   assistantId: "",
-  hasInternalApiKey: false,
   hasAssistantApiKey: false,
   authHeader: null,
   enabled: false,
@@ -93,7 +92,6 @@ function connectedContext(
     isPlatform: false,
     platformBaseUrl: "https://dev-platform.vellum.ai",
     assistantId: "019d6d4f-6dbd-779f-91d3-cb273b9429a5",
-    hasInternalApiKey: false,
     hasAssistantApiKey: true,
     authHeader: "Api-Key vak_test123",
     enabled: false,
@@ -181,7 +179,6 @@ describe("assistant platform callback-routes list", () => {
       isPlatform: false,
       platformBaseUrl: "",
       assistantId: "",
-      hasInternalApiKey: false,
       hasAssistantApiKey: false,
       authHeader: null,
       enabled: false,

package/src/cli/commands/platform/__tests__/connect.test.ts

@@ -32,6 +32,13 @@ mock.module("../../../../security/secure-keys.js", () => ({
   onCesClientChanged: () => ({ unsubscribe: () => {} }),
   setCesReconnect: () => {},
   getActiveBackendName: () => "file",
+  getActiveBackendInfoAsync: async () => ({
+    backend: "encrypted-store",
+    storePath: "/tmp/keys.enc",
+    storeKeyPath: "/tmp/store.key",
+    storeExists: false,
+    storeKeyExists: false,
+  }),
   _resetBackend: () => {},
 }));
 
@@ -45,7 +52,6 @@ mock.module("../../../../inbound/platform-callback-registration.js", () => ({
     isPlatform: false,
     platformBaseUrl: "",
     assistantId: "",
-    hasInternalApiKey: false,
     hasAssistantApiKey: false,
     authHeader: null,
     enabled: false,

package/src/cli/commands/platform/__tests__/disconnect.test.ts

@@ -39,7 +39,6 @@ mock.module("../../../../inbound/platform-callback-registration.js", () => ({
     isPlatform: false,
     platformBaseUrl: "",
     assistantId: "",
-    hasInternalApiKey: false,
     hasAssistantApiKey: false,
     authHeader: null,
     enabled: false,
@@ -64,6 +63,13 @@ mock.module("../../../../security/secure-keys.js", () => ({
   onCesClientChanged: () => ({ unsubscribe: () => {} }),
   setCesReconnect: () => {},
   getActiveBackendName: () => "file",
+  getActiveBackendInfoAsync: async () => ({
+    backend: "encrypted-store",
+    storePath: "/tmp/keys.enc",
+    storeKeyPath: "/tmp/store.key",
+    storeExists: false,
+    storeKeyExists: false,
+  }),
   _resetBackend: () => {},
 }));