@vellumai/assistant 0.7.2 → 0.8.0

package/src/notifications/copy-composer.ts

@@ -32,6 +32,51 @@ export function nonEmpty(value: string | undefined): string | undefined {
   return trimmed.length > 0 ? trimmed : undefined;
 }
 
+export function looksLikeIntermediaryInstruction(text: string): boolean {
+  const normalized = text.replace(/\s+/g, " ").trim();
+  const intermediaryAction =
+    "(?:tell|telling|ask|asking|remind|reminding|nudge|nudging|prompt|prompting|notify|notifying|encourage|encouraging|prime|priming|brief|briefing|coach|coaching)";
+  const target = "(?:the\\s+)?(?:guardian|recipient|user)";
+  return (
+    /\b(?:assistant|agent|system|model|watcher)\s+(?:should|needs?\s+to|must|can|could)\b/i.test(
+      normalized,
+    ) ||
+    new RegExp(
+      `\\b(?:consider|try|please)\\s+${intermediaryAction}\\s+${target}\\b`,
+      "i",
+    ).test(normalized) ||
+    new RegExp(
+      `\\b${intermediaryAction}\\s+${target}\\s+(?:to|that|about|with)\\b`,
+      "i",
+    ).test(normalized) ||
+    new RegExp(
+      `\\b${target}\\s+(?:should|needs?\\s+to|must|might\\s+want\\s+to)\\b`,
+      "i",
+    ).test(normalized) ||
+    new RegExp(`\\b(?:for|to)\\s+${target}\\s+to\\b`, "i").test(normalized)
+  );
+}
+
+function buildHeartbeatAlertCopy(
+  payload: Record<string, unknown>,
+): RenderedChannelCopy {
+  const summary = str(
+    payload.summary,
+    str(payload.body, "Your assistant found something worth your attention."),
+  ).trim();
+  const safePopupBody = looksLikeIntermediaryInstruction(summary)
+    ? "I found something worth your attention in a heartbeat check. Open the conversation for details."
+    : summary;
+
+  return {
+    title: str(payload.title, "Heartbeat Alert"),
+    body: safePopupBody,
+    deliveryText: safePopupBody,
+    conversationTitle: str(payload.conversationTitle, "Heartbeat"),
+    conversationSeedMessage: summary,
+  };
+}
+
 // ── Access-request copy contract ─────────────────────────────────────────────
 //
 // Deterministic helpers for building guardian-facing access-request copy.
@@ -505,6 +550,8 @@ const TEMPLATES: Partial<Record<NotificationSourceEventName, CopyTemplate>> = {
     body: str(payload.body, "A watcher event requires your attention"),
   }),
 
+  "heartbeat.alert": buildHeartbeatAlertCopy,
+
   "tool_confirmation.required_action": (payload) => ({
     title: "Tool Confirmation",
     body: str(payload.toolName, "A tool") + " requires your confirmation",

package/src/notifications/decision-engine.ts

@@ -35,6 +35,7 @@ import {
   composeFallbackCopy,
   hasAccessRequestInstructions,
   hasInviteFlowDirective,
+  looksLikeIntermediaryInstruction,
 } from "./copy-composer.js";
 import { createDecision } from "./decisions-store.js";
 import {
@@ -127,11 +128,13 @@ function buildSystemPrompt(
     ``,
     `Copy guidelines (three distinct outputs):`,
     `- \`title\` and \`body\` are for native notification popups (e.g. vellum desktop/mobile) — keep them short and glanceable (title ≤ 8 words, body ≤ 2 sentences).`,
+    `  - Write popup copy as final copy for the guardian or recipient. Do not write instructions for the assistant or another intermediary.`,
     `- \`deliveryText\` is the channel-native message for chat channels (e.g. telegram). It must read naturally as a standalone message.`,
     `  - Do not prepend mechanical labels like "Conversation:".`,
     `  - Do not mention channel or transport names (e.g. Telegram, Slack, email) unless the event context explicitly requires it.`,
     `  - Do not repeat title/body verbatim unless that repetition is truly necessary.`,
     `  - Avoid meta-send phrasing (e.g. "I'd like to send a notification", "May I go ahead with that?"). Write the recipient-facing message directly.`,
+    `  - Avoid intermediary-instruction phrasing like "consider telling the guardian", "ask the recipient to", or "the assistant should remind them". Rewrite it as final copy the recipient can act on directly.`,
     `  - For telegram: 1-2 concise sentences.`,
     `- \`conversationSeedMessage\` is the opening message in the internal notification conversation — it can be richer and more contextual.`,
     `  - For vellum (desktop): 2-4 short sentences with useful context and clear next step if action is required.`,
@@ -664,6 +667,47 @@ function enforceAccessRequestInstructions(
   };
 }
 
+function enforceHeartbeatAlertCopy(
+  decision: NotificationDecision,
+  signal: NotificationSignal,
+): NotificationDecision {
+  if (signal.sourceEventName !== "heartbeat.alert") return decision;
+  if (!decision.shouldNotify || decision.selectedChannels.length === 0)
+    return decision;
+
+  const fallbackCopy = composeFallbackCopy(signal, decision.selectedChannels);
+  const nextCopy: Partial<Record<NotificationChannel, RenderedChannelCopy>> = {
+    ...decision.renderedCopy,
+  };
+
+  for (const channel of decision.selectedChannels) {
+    const currentCopy = nextCopy[channel];
+    if (
+      currentCopy &&
+      !heartbeatCopyLooksLikeIntermediaryInstruction(currentCopy)
+    ) {
+      continue;
+    }
+    const safeCopy = fallbackCopy[channel];
+    if (!safeCopy) continue;
+    nextCopy[channel] = safeCopy;
+  }
+
+  return {
+    ...decision,
+    renderedCopy: nextCopy,
+  };
+}
+
+function heartbeatCopyLooksLikeIntermediaryInstruction(
+  copy: RenderedChannelCopy,
+): boolean {
+  return [copy.title, copy.body, copy.deliveryText].some(
+    (value) =>
+      typeof value === "string" && looksLikeIntermediaryInstruction(value),
+  );
+}
+
 function ensureAccessRequestInstructionsInCopy(
   copy: RenderedChannelCopy,
   requestCode: string,
@@ -754,6 +798,7 @@ export async function evaluateSignal(
     let decision = buildFallbackDecision(signal, availableChannels);
     decision = enforceGuardianRequestCode(decision, signal);
     decision = enforceAccessRequestInstructions(decision, signal);
+    decision = enforceHeartbeatAlertCopy(decision, signal);
     decision = enforceGuardianCallConversationAffinity(decision, signal);
     decision = enforceConversationAffinity(
       decision,
@@ -783,6 +828,7 @@ export async function evaluateSignal(
 
   decision = enforceGuardianRequestCode(decision, signal);
   decision = enforceAccessRequestInstructions(decision, signal);
+  decision = enforceHeartbeatAlertCopy(decision, signal);
   decision = enforceGuardianCallConversationAffinity(decision, signal);
   decision = enforceConversationAffinity(
     decision,

package/src/notifications/signal.ts

@@ -101,6 +101,10 @@ export const NOTIFICATION_SOURCE_EVENT_NAMES = [
     description:
       "OAuth credential health issue detected (expired, revoked, missing scopes)",
   },
+  {
+    id: "heartbeat.alert",
+    description: "Heartbeat found something worth surfacing to the guardian",
+  },
 ] as const;
 
 export type NotificationSourceEventName =

package/src/oauth/AGENTS.md

@@ -54,7 +54,9 @@ Most existing logos come from [Simple Icons](https://simpleicons.org) (CC0-licen
 
 If the service is not on Simple Icons, source or create an SVG and convert it the same way. The result must be a true vector PDF (not a rasterized image wrapped in PDF) so it scales cleanly.
 
-The `logoUrl` field in `seed-providers.ts` still serves as the remote fallback (typically a Simple Icons CDN URL like `https://cdn.simpleicons.org/acme`). The client renders the local PDF first, then falls back to `logoUrl`, then to an initials avatar.
+The `logoUrl` field in `seed-providers.ts` serves as the remote fallback (most providers use a Simple Icons CDN URL like `https://cdn.simpleicons.org/acme`). The client renders the local PDF first, then falls back to `logoUrl`, then to an initials avatar.
+
+For brands Simple Icons doesn't host (e.g. Salesforce, which Simple Icons removed for trademark reasons), use the same `glincker/thesvg` source via jsDelivr — `https://cdn.jsdelivr.net/gh/glincker/thesvg@main/public/icons/<key>/default.svg`. The recognised `logoUrl` prefixes are enforced by `oauth-provider-seed-logos.test.ts`; if you need a third source, extend that allowlist alongside the manifest in `clients/shared/Resources/integration-logos-manifest.json`.
 
 ### 5. Secret patterns (if applicable) — `../security/secret-patterns.ts`
 

package/src/oauth/__tests__/oauth-connect-state.test.ts

@@ -0,0 +1,137 @@
+import { beforeEach, describe, expect, test } from "bun:test";
+
+import {
+  _clearAllOAuthConnectStates,
+  clearExpiredOAuthConnectStates,
+  getOAuthConnectState,
+  setOAuthConnectComplete,
+  setOAuthConnectError,
+  setOAuthConnectPending,
+} from "../oauth-connect-state.js";
+
+describe("oauth-connect-state", () => {
+  beforeEach(() => {
+    _clearAllOAuthConnectStates();
+  });
+
+  test("setOAuthConnectPending → getOAuthConnectState returns pending", () => {
+    setOAuthConnectPending("state-1", "google");
+    const result = getOAuthConnectState("state-1");
+    expect(result).toMatchObject({ status: "pending", service: "google" });
+  });
+
+  test("setOAuthConnectComplete without accountInfo → returns complete", () => {
+    setOAuthConnectComplete("state-1", "google");
+    const result = getOAuthConnectState("state-1");
+    expect(result).toMatchObject({ status: "complete", service: "google" });
+  });
+
+  test("setOAuthConnectComplete with accountInfo → returns complete with accountInfo", () => {
+    setOAuthConnectComplete("state-1", "google", "user@example.com");
+    const result = getOAuthConnectState("state-1");
+    expect(result).toMatchObject({
+      status: "complete",
+      service: "google",
+      accountInfo: "user@example.com",
+    });
+  });
+
+  test("setOAuthConnectComplete with grantedScopes → returns complete with grantedScopes", () => {
+    setOAuthConnectComplete("state-1", "google", "user@example.com", ["scope:read", "scope:write"]);
+    const result = getOAuthConnectState("state-1");
+    expect(result).toMatchObject({
+      status: "complete",
+      service: "google",
+      accountInfo: "user@example.com",
+      grantedScopes: ["scope:read", "scope:write"],
+    });
+  });
+
+  test("setOAuthConnectError → returns error with message", () => {
+    setOAuthConnectError("state-1", "google", "token exchange failed");
+    const result = getOAuthConnectState("state-1");
+    expect(result).toMatchObject({
+      status: "error",
+      service: "google",
+      error: "token exchange failed",
+    });
+  });
+
+  test("re-setting same state token overwrites previous", () => {
+    setOAuthConnectPending("state-1", "google");
+    setOAuthConnectComplete("state-1", "google", "user@example.com");
+    const result = getOAuthConnectState("state-1");
+    expect(result?.status).toBe("complete");
+  });
+
+  test("getOAuthConnectState returns null for unknown state", () => {
+    expect(getOAuthConnectState("nonexistent")).toBeNull();
+  });
+
+  test("_clearAllOAuthConnectStates removes all entries", () => {
+    setOAuthConnectPending("state-1", "google");
+    setOAuthConnectPending("state-2", "github");
+    _clearAllOAuthConnectStates();
+    expect(getOAuthConnectState("state-1")).toBeNull();
+    expect(getOAuthConnectState("state-2")).toBeNull();
+  });
+
+  test("clearExpiredOAuthConnectStates removes expired pending entries", () => {
+    setOAuthConnectPending("state-1", "google");
+    // Advance Date.now by 6 minutes past PENDING_TTL_MS (5 min)
+    const originalNow = Date.now;
+    Date.now = () => originalNow() + 6 * 60 * 1000;
+    clearExpiredOAuthConnectStates();
+    Date.now = originalNow;
+    expect(getOAuthConnectState("state-1")).toBeNull();
+  });
+
+  test("clearExpiredOAuthConnectStates removes expired complete entries (past 60s grace)", () => {
+    setOAuthConnectComplete("state-1", "google");
+    const originalNow = Date.now;
+    Date.now = () => originalNow() + 2 * 60 * 1000; // advance 2 minutes past 60s grace
+    clearExpiredOAuthConnectStates();
+    Date.now = originalNow;
+    expect(getOAuthConnectState("state-1")).toBeNull();
+  });
+
+  test("clearExpiredOAuthConnectStates removes expired error entries (past 60s grace)", () => {
+    setOAuthConnectError("state-1", "google", "token exchange failed");
+    const originalNow = Date.now;
+    Date.now = () => originalNow() + 2 * 60 * 1000; // advance 2 minutes past 60s grace
+    clearExpiredOAuthConnectStates();
+    Date.now = originalNow;
+    expect(getOAuthConnectState("state-1")).toBeNull();
+  });
+
+  test("clearExpiredOAuthConnectStates does not remove non-expired pending entries", () => {
+    setOAuthConnectPending("state-1", "google");
+    clearExpiredOAuthConnectStates(); // called without advancing time
+    expect(getOAuthConnectState("state-1")).not.toBeNull();
+  });
+
+  test("sweep-on-insert: setOAuthConnectPending purges expired entries before inserting new one", () => {
+    // 1. Add an entry that will expire
+    setOAuthConnectPending("expired-state", "google");
+
+    // 2. Advance Date.now past the PENDING_TTL_MS (5 min)
+    const originalNow = Date.now;
+    Date.now = () => originalNow() + 6 * 60 * 1000;
+
+    // 3. Insert a new entry — this should trigger clearExpiredOAuthConnectStates() internally
+    setOAuthConnectPending("new-state", "github");
+
+    // 4. Restore Date.now before assertions (getOAuthConnectState also calls clearExpiredOAuthConnectStates)
+    Date.now = originalNow;
+
+    // The expired entry must have been swept out during the insert
+    // Use the map directly via getOAuthConnectState — expired-state is gone
+    // We call _clearAllOAuthConnectStates in beforeEach so we know the map started empty.
+    // After the insert the map should only contain "new-state".
+    const expiredResult = getOAuthConnectState("expired-state");
+    expect(expiredResult).toBeNull();
+
+    const newResult = getOAuthConnectState("new-state");
+    expect(newResult).toMatchObject({ status: "pending", service: "github" });
+  });
+});

package/src/oauth/connect-orchestrator.ts

@@ -81,6 +81,7 @@ export interface OAuthConnectOptions {
     success: boolean;
     service: string;
     accountInfo?: string;
+    grantedScopes?: string[];
     error?: string;
   }) => void;
 }
@@ -256,6 +257,7 @@ export async function orchestrateOAuthConnect(
               success: true,
               service: options.service,
               accountInfo: stored.accountInfo ?? parsedAccountIdentifier,
+              grantedScopes: result.grantedScopes,
             });
           } catch (err) {
             log.error(

package/src/oauth/connection-resolver.test.ts

@@ -62,7 +62,10 @@ mock.module("../platform/client.js", () => ({
 // ---------------------------------------------------------------------------
 
 import { BYOOAuthConnection } from "./byo-connection.js";
-import { resolveOAuthConnection } from "./connection-resolver.js";
+import {
+  resolveEffectiveBaseUrl,
+  resolveOAuthConnection,
+} from "./connection-resolver.js";
 import { PlatformOAuthConnection } from "./platform-connection.js";
 
 // ---------------------------------------------------------------------------
@@ -214,3 +217,65 @@ describe("resolveOAuthConnection", () => {
     ).rejects.toThrow(/No active OAuth connection found/);
   });
 });
+
+describe("resolveEffectiveBaseUrl", () => {
+  const fallback = "https://login.salesforce.com";
+
+  test("uses instance_url from JSON-string metadata for Salesforce", () => {
+    const metadata = JSON.stringify({
+      instance_url: "https://acme.my.salesforce.com",
+      issued_at: "1714000000000",
+    });
+    expect(resolveEffectiveBaseUrl("salesforce", fallback, metadata)).toBe(
+      "https://acme.my.salesforce.com",
+    );
+  });
+
+  test("uses instance_url from already-parsed object metadata", () => {
+    const metadata = { instance_url: "https://na162.salesforce.com" };
+    expect(resolveEffectiveBaseUrl("salesforce", fallback, metadata)).toBe(
+      "https://na162.salesforce.com",
+    );
+  });
+
+  test("falls back to seed baseUrl when metadata is null", () => {
+    expect(resolveEffectiveBaseUrl("salesforce", fallback, null)).toBe(
+      fallback,
+    );
+  });
+
+  test("falls back to seed baseUrl when instance_url is empty string", () => {
+    const metadata = JSON.stringify({ instance_url: "" });
+    expect(resolveEffectiveBaseUrl("salesforce", fallback, metadata)).toBe(
+      fallback,
+    );
+  });
+
+  test("falls back to seed baseUrl when metadata is unparseable JSON", () => {
+    expect(
+      resolveEffectiveBaseUrl("salesforce", fallback, "{ not valid json"),
+    ).toBe(fallback);
+  });
+
+  test("falls back to seed baseUrl when instance_url is the wrong type", () => {
+    const metadata = JSON.stringify({ instance_url: 12345 });
+    expect(resolveEffectiveBaseUrl("salesforce", fallback, metadata)).toBe(
+      fallback,
+    );
+  });
+
+  test("ignores instance_url for non-Salesforce providers", () => {
+    // A different provider whose token response happens to include an
+    // instance_url-shaped field MUST NOT have its baseUrl rewritten.
+    const metadata = JSON.stringify({
+      instance_url: "https://attacker.example.com",
+    });
+    expect(
+      resolveEffectiveBaseUrl(
+        "google",
+        "https://gmail.googleapis.com/gmail/v1/users/me",
+        metadata,
+      ),
+    ).toBe("https://gmail.googleapis.com/gmail/v1/users/me");
+  });
+});

package/src/oauth/connection-resolver.ts

@@ -116,11 +116,65 @@ export async function resolveOAuthConnection(
   return new BYOOAuthConnection({
     id: conn.id,
     provider: conn.provider,
-    baseUrl,
+    baseUrl: resolveEffectiveBaseUrl(conn.provider, baseUrl, conn.metadata),
     accountInfo: conn.accountInfo,
   });
 }
 
+/**
+ * Resolve the effective API base URL for a connection, preferring per-tenant
+ * values stored on the connection's `metadata` over the provider's static
+ * seed value when applicable.
+ *
+ * Salesforce is the only provider that needs this: every org has its own
+ * API instance host (``acme.my.salesforce.com``, ``na162.salesforce.com``)
+ * which is returned in the OAuth token response as ``instance_url`` and
+ * captured into ``oauth_connection.metadata`` by ``storeOAuth2Tokens``.
+ * The seed's ``baseUrl`` for Salesforce is the login domain
+ * (``https://login.salesforce.com``) — correct for the OAuth handshake but
+ * wrong for REST API calls. Pulling the per-connection ``instance_url``
+ * here avoids forcing every caller to override ``baseUrl`` per-request.
+ *
+ * For all other providers the seed value is correct (single API domain),
+ * so we return it unchanged.
+ *
+ * If a future provider needs the same treatment, generalize via a
+ * declarative ``baseUrlMetadataKey`` field on the seed entry rather than
+ * adding more provider-name branches here.
+ */
+export function resolveEffectiveBaseUrl(
+  provider: string,
+  fallbackBaseUrl: string,
+  rawMetadata: unknown,
+): string {
+  if (provider !== "salesforce") return fallbackBaseUrl;
+
+  const metadata = parseConnectionMetadata(rawMetadata);
+  const instanceUrl = metadata?.instance_url;
+  if (typeof instanceUrl === "string" && instanceUrl.length > 0) {
+    return instanceUrl;
+  }
+  return fallbackBaseUrl;
+}
+
+function parseConnectionMetadata(
+  raw: unknown,
+): Record<string, unknown> | undefined {
+  if (raw == null) return undefined;
+  if (typeof raw === "object") {
+    return raw as Record<string, unknown>;
+  }
+  if (typeof raw !== "string") return undefined;
+  try {
+    const parsed = JSON.parse(raw);
+    return typeof parsed === "object" && parsed !== null
+      ? (parsed as Record<string, unknown>)
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Platform connection ID resolution
 // ---------------------------------------------------------------------------

package/src/oauth/oauth-connect-state.ts

@@ -0,0 +1,77 @@
+/**
+ * In-memory OAuth connect flow status map.
+ *
+ * Tracks the current state of daemon-owned OAuth connect flows so the CLI
+ * can poll for completion via the IPC route.
+ */
+type OAuthConnectState =
+  | { status: "pending"; service: string; expiresAt: number }
+  | { status: "complete"; service: string; accountInfo?: string; grantedScopes?: string[]; completedAt: number }
+  | { status: "error"; service: string; error: string; failedAt: number };
+
+const activeOAuthConnectFlows = new Map<string, OAuthConnectState>();
+
+const PENDING_TTL_MS = 5 * 60 * 1000; // 5 min — matches oauth-callback-registry.ts:14
+const COMPLETION_GRACE_MS = 60 * 1000; // 60s so the polling CLI gets one final read
+
+export function setOAuthConnectPending(state: string, service: string): void {
+  clearExpiredOAuthConnectStates();
+  activeOAuthConnectFlows.set(state, {
+    status: "pending",
+    service,
+    expiresAt: Date.now() + PENDING_TTL_MS,
+  });
+}
+
+export function setOAuthConnectComplete(
+  state: string,
+  service: string,
+  accountInfo?: string,
+  grantedScopes?: string[],
+): void {
+  clearExpiredOAuthConnectStates();
+  activeOAuthConnectFlows.set(state, {
+    status: "complete",
+    service,
+    accountInfo,
+    grantedScopes,
+    completedAt: Date.now(),
+  });
+}
+
+export function setOAuthConnectError(
+  state: string,
+  service: string,
+  error: string,
+): void {
+  clearExpiredOAuthConnectStates();
+  activeOAuthConnectFlows.set(state, {
+    status: "error",
+    service,
+    error,
+    failedAt: Date.now(),
+  });
+}
+
+export function getOAuthConnectState(state: string): OAuthConnectState | null {
+  clearExpiredOAuthConnectStates();
+  return activeOAuthConnectFlows.get(state) ?? null;
+}
+
+export function clearExpiredOAuthConnectStates(): void {
+  const now = Date.now();
+  for (const [key, state] of activeOAuthConnectFlows) {
+    if (state.status === "pending" && now > state.expiresAt) {
+      activeOAuthConnectFlows.delete(key);
+    } else if (state.status === "complete" && now > state.completedAt + COMPLETION_GRACE_MS) {
+      activeOAuthConnectFlows.delete(key);
+    } else if (state.status === "error" && now > state.failedAt + COMPLETION_GRACE_MS) {
+      activeOAuthConnectFlows.delete(key);
+    }
+  }
+}
+
+/** Test-only helper — clears all state for test isolation. */
+export function _clearAllOAuthConnectStates(): void {
+  activeOAuthConnectFlows.clear();
+}

package/src/oauth/seed-providers.ts

@@ -393,6 +393,7 @@ export const PROVIDER_SEED_DATA: Record<
       { scope: "project:delete", description: "Delete entire projects" },
     ],
     loopbackPort: 17325,
+    managedServiceConfigKey: "todoist-oauth",
     injectionTemplates: [
       {
         hostPattern: "api.todoist.com",
@@ -402,7 +403,7 @@ export const PROVIDER_SEED_DATA: Record<
       },
     ],
     appType: "App",
-    identityUrl: "https://api.todoist.com/sync/v9/sync",
+    identityUrl: "https://api.todoist.com/api/v1/sync",
     identityMethod: "POST",
     identityHeaders: { "Content-Type": "application/x-www-form-urlencoded" },
     identityBody: "sync_token=*&resource_types=[%22user%22]",
@@ -429,6 +430,7 @@ export const PROVIDER_SEED_DATA: Record<
     availableScopes:
       "https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes",
     loopbackPort: 17326,
+    managedServiceConfigKey: "discord-oauth",
     injectionTemplates: [
       {
         hostPattern: "discord.com",
@@ -497,6 +499,7 @@ export const PROVIDER_SEED_DATA: Record<
     defaultScopes: ["default"],
     availableScopes: "https://developers.asana.com/docs/oauth-scopes",
     loopbackPort: 17328,
+    managedServiceConfigKey: "asana-oauth",
     injectionTemplates: [
       {
         hostPattern: "app.asana.com",
@@ -563,6 +566,7 @@ export const PROVIDER_SEED_DATA: Record<
     availableScopes:
       "https://developers.hubspot.com/docs/guides/apps/authentication/scopes",
     loopbackPort: 17330,
+    managedServiceConfigKey: "hubspot-oauth",
     injectionTemplates: [
       {
         hostPattern: "api.hubapi.com",
@@ -576,6 +580,59 @@ export const PROVIDER_SEED_DATA: Record<
     identityResponsePaths: ["user", "hub_domain"],
   },
 
+  salesforce: {
+    provider: "salesforce",
+    authorizeUrl: "https://login.salesforce.com/services/oauth2/authorize",
+    tokenExchangeUrl: "https://login.salesforce.com/services/oauth2/token",
+    refreshUrl: "https://login.salesforce.com/services/oauth2/token",
+    pingUrl: "https://login.salesforce.com/services/oauth2/userinfo",
+    // baseUrl points at the login domain — correct for the OAuth handshake
+    // and for ``/services/oauth2/userinfo``/``revoke`` calls. REST API calls
+    // to ``/services/data/...`` go to the per-org instance host returned in
+    // the token response as ``instance_url`` and stored on
+    // ``oauth_connection.metadata``. ``connection-resolver.ts`` substitutes
+    // that instance URL when constructing the BYO connection so callers
+    // don't need to override ``baseUrl`` per request.
+    baseUrl: "https://login.salesforce.com",
+    displayLabel: "Salesforce",
+    description: "CRM contacts, leads, and opportunities",
+    dashboardUrl:
+      "https://help.salesforce.com/s/articleView?id=sf.connected_app_create.htm&type=5",
+    clientIdPlaceholder: null,
+    logoUrl:
+      "https://cdn.jsdelivr.net/gh/glincker/thesvg@main/public/icons/salesforce/default.svg",
+    defaultScopes: ["api", "refresh_token", "openid", "email", "profile"],
+    availableScopes:
+      "https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm",
+    authorizeParams: { prompt: "consent" },
+    tokenEndpointAuthMethod: "client_secret_post",
+    loopbackPort: 17336,
+    // Salesforce REST traffic goes to per-org instance hosts like
+    // ``acme.my.salesforce.com`` and ``acme.lightning.force.com``.
+    // ``matchHostPattern`` only treats ``*.<domain>`` as a wildcard match —
+    // bare ``salesforce.com`` would only match the apex. Use wildcards so
+    // ``Authorization: Bearer`` injection actually fires on tenant hosts.
+    injectionTemplates: [
+      {
+        hostPattern: "*.salesforce.com",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Bearer ",
+      },
+      {
+        hostPattern: "*.force.com",
+        injectionType: "header",
+        headerName: "Authorization",
+        valuePrefix: "Bearer ",
+      },
+    ],
+    revokeUrl: "https://login.salesforce.com/services/oauth2/revoke",
+    revokeBodyTemplate: { token: "{access_token}" },
+    appType: "Connected App",
+    identityUrl: "https://login.salesforce.com/services/oauth2/userinfo",
+    identityResponsePaths: ["email", "preferred_username"],
+  },
+
   figma: {
     provider: "figma",
     authorizeUrl: "https://www.figma.com/oauth",