@vellumai/assistant 0.8.0 → 0.8.1

package/src/providers/inference/backfill.ts

@@ -0,0 +1,196 @@
+/**
+ * Boot-time backfill: migrates existing config.json from the legacy
+ * `provider` + `source` model to the new `provider_connection` model.
+ *
+ * Walks three locations in `llm.*` on every boot:
+ *   - `llm.default`           — the base profile every dispatch falls back on
+ *   - `llm.profiles.*`        — named alternate profiles (fast/balanced/...)
+ *   - `llm.callSites.*`       — per-call-site overrides with bare `provider`
+ *
+ * Idempotent: any object that already has `provider_connection` is skipped.
+ * Only modifies config.json when at least one location needs updating.
+ *
+ * The `default` and `callSites` walks were added alongside Phase 1.1 of the
+ * post-v1 inference-providers cleanup: dispatch now throws on missing
+ * `provider_connection` instead of silently falling back to legacy
+ * `getProvider(name)`, so existing configs need an explicit field on the
+ * default profile and on any legacy bare-`provider` callsite override.
+ */
+
+import { loadRawConfig, saveRawConfig } from "../../config/loader.js";
+import type { DrizzleDb } from "../../memory/db-connection.js";
+import { credentialKey } from "../../security/credential-key.js";
+import { getLogger } from "../../util/logger.js";
+import { createConnection, getConnection, seedCanonicalConnections } from "./connections.js";
+
+const log = getLogger("provider-connections-backfill");
+
+// Providers that support the managed (platform) auth type.
+const MANAGED_PROVIDERS = new Set(["anthropic", "openai", "gemini"]);
+
+/**
+ * Seed canonical provider_connections and backfill any legacy config locations
+ * that pre-date the connection field.
+ *
+ * Runs on every daemon boot — both halves are idempotent and cheap
+ * (O(profiles + callSites), typically ≤20 entries total). Designed to:
+ *   - propagate new canonical connections as they're added in future versions
+ *   - self-heal manual config.json edits that drop the connection field
+ *
+ * Steps:
+ *   1. Upsert canonical connections.
+ *   2. Walk `llm.default`, `llm.profiles.*`, `llm.callSites.*` in config.json.
+ *   3. For each entry without `provider_connection`, derive one from the
+ *      entry's `provider` field + the global inference mode and write it back.
+ *   4. Save config.json if any entry was updated.
+ */
+export function runProviderConnectionsBackfill(db: DrizzleDb): void {
+  try {
+    seedCanonicalConnections(db);
+    backfillConfigProfiles(db);
+  } catch (err) {
+    log.error({ err }, "provider_connections backfill failed — will retry on next boot");
+  }
+}
+
+function backfillConfigProfiles(db: DrizzleDb): void {
+  const raw = loadRawConfig();
+  const llm = raw.llm as Record<string, unknown> | undefined;
+  if (!llm) return;
+
+  const isPlatform =
+    process.env.IS_PLATFORM === "true" || process.env.IS_PLATFORM === "1";
+  const globalMode = isPlatform ? "managed" : "your-own";
+
+  let changed = false;
+
+  // 1. The default profile — every dispatch path's terminal fallback.
+  const defaultProfile = llm.default as Record<string, unknown> | undefined;
+  if (defaultProfile && typeof defaultProfile === "object") {
+    if (ensureProviderConnection(defaultProfile, "<llm.default>", db, globalMode)) {
+      llm.default = defaultProfile;
+      changed = true;
+    }
+  }
+
+  // 2. Named alternate profiles.
+  const profiles = llm.profiles as Record<string, unknown> | undefined;
+  if (profiles && typeof profiles === "object") {
+    for (const [profileName, profileVal] of Object.entries(profiles)) {
+      const profile = profileVal as Record<string, unknown>;
+      if (!profile || typeof profile !== "object") continue;
+      if (ensureProviderConnection(profile, profileName, db, globalMode)) {
+        profiles[profileName] = profile;
+        changed = true;
+      }
+    }
+    if (changed) llm.profiles = profiles;
+  }
+
+  // 3. Per-call-site overrides. Only legacy entries with a bare `provider`
+  //    field need backfill — entries that just point at a `profile` already
+  //    inherit `provider_connection` from there.
+  const callSites = llm.callSites as Record<string, unknown> | undefined;
+  if (callSites && typeof callSites === "object") {
+    for (const [callSiteName, callSiteVal] of Object.entries(callSites)) {
+      const callSite = callSiteVal as Record<string, unknown>;
+      if (!callSite || typeof callSite !== "object") continue;
+      // Only touch overrides that explicitly set `provider` — the typical
+      // case is `{profile: "fast"}`, which has no provider and inherits
+      // through `resolveCallSiteConfig` deep-merge.
+      if (callSite.provider == null) continue;
+      if (
+        ensureProviderConnection(
+          callSite,
+          `<llm.callSites.${callSiteName}>`,
+          db,
+          globalMode,
+        )
+      ) {
+        callSites[callSiteName] = callSite;
+        changed = true;
+      }
+    }
+    if (changed) llm.callSites = callSites;
+  }
+
+  if (changed) {
+    raw.llm = llm;
+    saveRawConfig(raw);
+    log.info("Saved config.json after provider_connection backfill");
+  }
+}
+
+/**
+ * Ensure a profile-shaped config object has `provider_connection` set.
+ *
+ * Mutates `entry` in place when it has `provider` but no `provider_connection`,
+ * deriving the canonical connection name from the global auth mode. If a
+ * `*-personal` connection is needed and doesn't yet exist in the DB, this
+ * also creates it (lazy bootstrap of user-mode credential rows).
+ *
+ * Returns `true` if the entry was changed, `false` otherwise.
+ */
+function ensureProviderConnection(
+  entry: Record<string, unknown>,
+  entryLabel: string,
+  db: DrizzleDb,
+  globalMode: string,
+): boolean {
+  // Treat empty/whitespace strings the same as missing — `resolveDefaultProvider`
+  // (and friends) use a falsy check on the field, so a manually cleared
+  // `provider_connection: ""` would otherwise skip backfill and then hard-throw
+  // at runtime. Self-heal those alongside null/undefined.
+  const existing = entry.provider_connection;
+  const hasValid =
+    typeof existing === "string" && existing.trim() !== "";
+  if (hasValid) return false;
+
+  const provider = entry.provider as string | undefined;
+  if (!provider) return false;
+
+  let connectionName: string;
+
+  if (globalMode === "managed" && MANAGED_PROVIDERS.has(provider)) {
+    connectionName = `${provider}-managed`;
+  } else {
+    // "your-own" path (or provider not managed-supported): ensure a
+    // personal connection exists. Ollama is keyless, so it gets
+    // `auth: { type: "none" }`; everything else gets an api_key
+    // pointing at the conventional credential slot.
+    connectionName = `${provider}-personal`;
+    if (!getConnection(db, connectionName)) {
+      const isKeyless = provider === "ollama";
+      const credName = credentialKey(provider, "api_key");
+      const result = createConnection(db, {
+        name: connectionName,
+        provider,
+        auth: isKeyless
+          ? { type: "none" }
+          : { type: "api_key", credential: credName },
+      });
+      if (!result.ok) {
+        log.warn(
+          { entry: entryLabel, provider, error: result.error },
+          "Failed to create personal connection during backfill; skipping entry",
+        );
+        return false;
+      }
+      log.info(
+        {
+          connectionName,
+          provider,
+          credential: isKeyless ? null : credName,
+        },
+        "Created personal connection during backfill",
+      );
+    }
+  }
+
+  entry.provider_connection = connectionName;
+  log.info(
+    { entry: entryLabel, connectionName },
+    "Backfilled provider_connection",
+  );
+  return true;
+}

package/src/providers/inference/connections.ts

@@ -0,0 +1,356 @@
+import { and, eq, isNull } from "drizzle-orm";
+
+import type { DrizzleDb } from "../../memory/db-connection.js";
+import { providerConnections } from "../../memory/schema/inference.js";
+import { clearConnectionProviderCache } from "../registry.js";
+import {
+  type Auth,
+  AuthSchema,
+  type ConnectionProvider,
+  ConnectionProviderSchema,
+  type ConnectionStatus,
+  ConnectionStatusSchema,
+  type ProviderConnection,
+  VALID_CONNECTION_PROVIDERS,
+} from "./auth.js";
+
+// ---------------------------------------------------------------------------
+// Read
+// ---------------------------------------------------------------------------
+
+export function listConnections(
+  db: DrizzleDb,
+  filter?: { provider?: string },
+): ProviderConnection[] {
+  const rows = filter?.provider
+    ? db.select().from(providerConnections).where(eq(providerConnections.provider, filter.provider)).all()
+    : db.select().from(providerConnections).all();
+
+  return rows.flatMap((row) => {
+    const auth = AuthSchema.safeParse(JSON.parse(row.auth));
+    if (!auth.success) return [];
+    const provider = ConnectionProviderSchema.safeParse(row.provider);
+    if (!provider.success) return [];
+    const statusResult = ConnectionStatusSchema.safeParse(row.status);
+    const status: ConnectionStatus = statusResult.success ? statusResult.data : "active";
+    return [{
+      ...row,
+      auth: auth.data,
+      provider: provider.data,
+      status,
+      label: row.label ?? null,
+      isManaged: MANAGED_CONNECTION_NAMES.has(row.name),
+    }];
+  });
+}
+
+export function getConnection(
+  db: DrizzleDb,
+  name: string,
+): ProviderConnection | null {
+  const row = db
+    .select()
+    .from(providerConnections)
+    .where(eq(providerConnections.name, name))
+    .get();
+
+  if (!row) return null;
+  const auth = AuthSchema.safeParse(JSON.parse(row.auth));
+  if (!auth.success) return null;
+  const provider = ConnectionProviderSchema.safeParse(row.provider);
+  if (!provider.success) return null;
+  const statusResult = ConnectionStatusSchema.safeParse(row.status);
+  const status: ConnectionStatus = statusResult.success ? statusResult.data : "active";
+  return {
+    ...row,
+    auth: auth.data,
+    provider: provider.data,
+    status,
+    label: row.label ?? null,
+    isManaged: MANAGED_CONNECTION_NAMES.has(row.name),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Write
+// ---------------------------------------------------------------------------
+
+export type CreateConnectionInput = {
+  name: string;
+  provider: string;
+  auth: Auth;
+  status?: ConnectionStatus;
+  label?: string | null;
+};
+
+export type UpdateConnectionInput = {
+  auth: Auth;
+  status?: ConnectionStatus;
+  label?: string | null;
+};
+
+export type ConnectionCreateError =
+  | { code: "already_exists" }
+  | { code: "invalid_provider"; provider: string }
+  | { code: "invalid_auth" };
+
+export type ConnectionUpdateError =
+  | { code: "not_found" }
+  | { code: "invalid_auth" };
+
+export type ConnectionDeleteError =
+  | { code: "not_found" }
+  | { code: "has_references"; count: number };
+
+export function createConnection(
+  db: DrizzleDb,
+  input: CreateConnectionInput,
+): { ok: true; connection: ProviderConnection } | { ok: false; error: ConnectionCreateError } {
+  if (!VALID_CONNECTION_PROVIDERS.includes(input.provider as never)) {
+    return { ok: false, error: { code: "invalid_provider", provider: input.provider } };
+  }
+  // Safe cast: VALID_CONNECTION_PROVIDERS.includes() guards above.
+  const provider = input.provider as ConnectionProvider;
+
+  const authResult = AuthSchema.safeParse(input.auth);
+  if (!authResult.success) {
+    return { ok: false, error: { code: "invalid_auth" } };
+  }
+
+  const existing = db
+    .select({ name: providerConnections.name })
+    .from(providerConnections)
+    .where(eq(providerConnections.name, input.name))
+    .get();
+  if (existing) {
+    return { ok: false, error: { code: "already_exists" } };
+  }
+
+  const status = input.status ?? "active";
+  const label = input.label ?? null;
+
+  const now = Date.now();
+  db.insert(providerConnections).values({
+    name: input.name,
+    provider,
+    auth: JSON.stringify(authResult.data),
+    status,
+    label,
+    createdAt: now,
+    updatedAt: now,
+  }).run();
+
+  // Invalidate per-connection adapter cache so subsequent dispatch
+  // resolves the freshly-inserted row's auth.
+  clearConnectionProviderCache();
+
+  return {
+    ok: true,
+    connection: {
+      name: input.name,
+      provider,
+      auth: authResult.data,
+      status,
+      label,
+      createdAt: now,
+      updatedAt: now,
+      isManaged: MANAGED_CONNECTION_NAMES.has(input.name),
+    },
+  };
+}
+
+export function updateConnection(
+  db: DrizzleDb,
+  name: string,
+  input: UpdateConnectionInput,
+): { ok: true; connection: ProviderConnection } | { ok: false; error: ConnectionUpdateError } {
+  const existing = getConnection(db, name);
+  if (!existing) {
+    return { ok: false, error: { code: "not_found" } };
+  }
+
+  const authResult = AuthSchema.safeParse(input.auth);
+  if (!authResult.success) {
+    return { ok: false, error: { code: "invalid_auth" } };
+  }
+
+  const now = Date.now();
+  const setClause: {
+    auth: string;
+    updatedAt: number;
+    status?: string;
+    label?: string | null;
+  } = { auth: JSON.stringify(authResult.data), updatedAt: now };
+  if (input.status !== undefined) setClause.status = input.status;
+  if (input.label !== undefined) setClause.label = input.label;
+
+  db.update(providerConnections)
+    .set(setClause)
+    .where(eq(providerConnections.name, name))
+    .run();
+
+  // Drop cached adapter built against the previous auth config.
+  clearConnectionProviderCache();
+
+  return {
+    ok: true,
+    connection: {
+      ...existing,
+      auth: authResult.data,
+      status: input.status !== undefined ? input.status : existing.status,
+      label: input.label !== undefined ? input.label : existing.label,
+      updatedAt: now,
+    },
+  };
+}
+
+/**
+ * Delete a connection.
+ *
+ * `force`: when true, delete even if profiles reference it.
+ * When false, rejects if any profile in the provided profile names list
+ * references this connection.
+ */
+export function deleteConnection(
+  db: DrizzleDb,
+  name: string,
+  opts: { force?: boolean; referencingProfiles?: string[] } = {},
+): { ok: true } | { ok: false; error: ConnectionDeleteError } {
+  const existing = db
+    .select({ name: providerConnections.name })
+    .from(providerConnections)
+    .where(eq(providerConnections.name, name))
+    .get();
+
+  if (!existing) {
+    return { ok: false, error: { code: "not_found" } };
+  }
+
+  if (!opts.force && opts.referencingProfiles && opts.referencingProfiles.length > 0) {
+    return {
+      ok: false,
+      error: { code: "has_references", count: opts.referencingProfiles.length },
+    };
+  }
+
+  db.delete(providerConnections).where(eq(providerConnections.name, name)).run();
+
+  // Evict cached adapter for the deleted connection name.
+  clearConnectionProviderCache();
+
+  return { ok: true };
+}
+
+// ---------------------------------------------------------------------------
+// Seed canonical connections (upsert, used at boot time)
+// ---------------------------------------------------------------------------
+
+const CANONICAL_CONNECTIONS: Array<{
+  name: string;
+  provider: string;
+  auth: Auth;
+  label: string;
+}> = [
+  { name: "anthropic-managed", provider: "anthropic", auth: { type: "platform" }, label: "Anthropic" },
+  { name: "openai-managed",    provider: "openai",    auth: { type: "platform" }, label: "OpenAI" },
+  { name: "gemini-managed",    provider: "gemini",    auth: { type: "platform" }, label: "Google Gemini" },
+];
+
+/**
+ * Names of the canonical Vellum-managed connections. These are seeded on every
+ * daemon boot via `seedCanonicalConnections` and represent the platform-managed
+ * inference route. They are write-protected at the route layer:
+ *   - DELETE is blocked outright (would resurrect on next boot anyway, but
+ *     blocking prevents a confusing delete → re-appear loop).
+ *   - PATCH that changes `auth` is blocked (auth is locked to `{type:"platform"}`
+ *     so any other value would be reverted on the next boot upsert).
+ *   - PATCH that changes `label` and/or `status` is allowed — users may legitimately
+ *     disable or relabel the managed connection. `status` is never touched by the
+ *     boot upsert. `label` is seeded on initial INSERT and backfilled when null
+ *     on subsequent boots so pre-seed installs pick up the default; a non-null
+ *     user-customized label is preserved (see `seedCanonicalConnections`).
+ *
+ * Mirrors `MANAGED_PROFILE_NAMES` (config/seed-inference-profiles.ts).
+ */
+export const MANAGED_CONNECTION_NAMES: ReadonlySet<string> = new Set(
+  CANONICAL_CONNECTIONS.map((c) => c.name),
+);
+
+/**
+ * Upsert the three canonical connections on every boot. Existing rows are
+ * updated to the latest provider/auth values so Vellum can push connection
+ * changes to customers in new releases.
+ *
+ * Label handling: the default label is seeded on initial INSERT so new
+ * installs render a human-friendly name in the connections list. The boot
+ * upsert deliberately leaves `label` alone on existing rows so user
+ * customization is preserved; the separate backfill step below assigns the
+ * default only when the existing row has `label IS NULL`, covering installs
+ * that pre-date the label seed.
+ *
+ * Status handling: the upsert never touches `status` so user customization
+ * is preserved across reboots. New rows default to `status: "active"` via the
+ * column default. Off-platform installs flip the three canonical rows to
+ * `status: "disabled"` ONCE at hatch time via
+ * `disableManagedConnectionsForByokHatch` (called from `seedInferenceProfiles`
+ * when `isHatch && !isPlatform`); subsequent boots leave whatever the user
+ * has chosen alone, so a post-hatch re-enable persists.
+ */
+export function seedCanonicalConnections(db: DrizzleDb): void {
+  const now = Date.now();
+  for (const { name, provider, auth, label } of CANONICAL_CONNECTIONS) {
+    db.insert(providerConnections)
+      .values({
+        name,
+        provider,
+        auth: JSON.stringify(auth),
+        label,
+        createdAt: now,
+        updatedAt: now,
+      })
+      .onConflictDoUpdate({
+        target: providerConnections.name,
+        set: {
+          provider,
+          auth: JSON.stringify(auth),
+          updatedAt: now,
+        },
+      })
+      .run();
+
+    // Backfill the default label on rows that pre-date label seeding so
+    // existing installs pick up the friendly name. Does not overwrite a
+    // user-set label.
+    db.update(providerConnections)
+      .set({ label, updatedAt: now })
+      .where(and(eq(providerConnections.name, name), isNull(providerConnections.label)))
+      .run();
+  }
+}
+
+/**
+ * Flip the three canonical managed connections to `status: "disabled"` at
+ * hatch time on BYOK (off-platform) installs.
+ *
+ * Why hatch-time only: managed connections need platform auth that a fresh
+ * BYOK user doesn't have yet, so surfacing them as enabled in the picker
+ * would let users pick an unusable option on day one. But this is a
+ * first-time-only default — the moment the user explicitly flips one
+ * back to active (e.g. after logging into Vellum), we never want a daemon
+ * restart to revert that. `seedCanonicalConnections` leaves `status` alone
+ * on the UPDATE path, and this helper is invoked ONLY from
+ * `seedInferenceProfiles`'s `isHatch && !isPlatform` branch. Subsequent
+ * non-hatch boots never call it.
+ *
+ * Idempotent: a second hatch (workspace reset) re-disables the rows, which
+ * is the right call — re-hatch means re-onboard.
+ */
+export function disableManagedConnectionsForByokHatch(db: DrizzleDb): void {
+  const now = Date.now();
+  for (const name of MANAGED_CONNECTION_NAMES) {
+    db.update(providerConnections)
+      .set({ status: "disabled", updatedAt: now })
+      .where(eq(providerConnections.name, name))
+      .run();
+  }
+}

package/src/providers/inference/resolve-auth.ts

@@ -0,0 +1,65 @@
+/**
+ * Resolves an `Auth` config into a `ResolvedAuth` that adapters consume.
+ *
+ * Resolution rules:
+ *   - api_key  → fetch credential from vault → inject as bearer header
+ *   - platform → build managed proxy URL and fetch the platform API key
+ *   - none     → pass through with no auth headers
+ *   - oauth_subscription / service_account → reject (v2 not yet shipped)
+ */
+
+import {
+  buildManagedBaseUrl,
+  resolveManagedProxyContext,
+} from "../../providers/managed-proxy/context.js";
+import { getSecureKeyAsync } from "../../security/secure-keys.js";
+import type { Auth, ResolvedAuth } from "./auth.js";
+
+export type ResolveAuthError =
+  | { code: "credential_not_found"; credential: string }
+  | { code: "platform_unavailable" }
+  | { code: "not_implemented"; authType: string };
+
+export async function resolveAuth(
+  auth: Auth,
+  provider: string,
+): Promise<{ ok: true; resolved: ResolvedAuth } | { ok: false; error: ResolveAuthError }> {
+  switch (auth.type) {
+    case "api_key": {
+      const value = await getSecureKeyAsync(auth.credential);
+      if (!value) {
+        return { ok: false, error: { code: "credential_not_found", credential: auth.credential } };
+      }
+      return {
+        ok: true,
+        resolved: { kind: "header", headers: { Authorization: `Bearer ${value}` } },
+      };
+    }
+
+    case "platform": {
+      const managedBaseUrl = await buildManagedBaseUrl(provider);
+      if (!managedBaseUrl) {
+        return { ok: false, error: { code: "platform_unavailable" } };
+      }
+      const ctx = await resolveManagedProxyContext();
+      return {
+        ok: true,
+        resolved: {
+          kind: "header",
+          headers: { Authorization: `Bearer ${ctx.assistantApiKey}` },
+          baseUrl: managedBaseUrl,
+        },
+      };
+    }
+
+    case "none":
+      return { ok: true, resolved: { kind: "none" } };
+
+    case "oauth_subscription":
+    case "service_account":
+      return {
+        ok: false,
+        error: { code: "not_implemented", authType: auth.type },
+      };
+  }
+}