@vellumai/cli 0.8.0 → 0.8.2

package/src/__tests__/provider-secrets.test.ts

@@ -0,0 +1,290 @@
+import { describe, expect, test } from "bun:test";
+import { EventEmitter } from "node:events";
+
+import {
+  ensureProviderApiKey,
+  injectGatewayApiKey,
+  promptSecret,
+  readGatewayApiKey,
+  type ProviderSecretFetch,
+} from "../lib/provider-secrets.js";
+
+interface RecordedFetchCall {
+  url: string;
+  init?: RequestInit;
+  body: unknown;
+}
+
+function jsonResponse(body: unknown, status = 200): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+function makeFetch(responses: Response[]): {
+  calls: RecordedFetchCall[];
+  fetchImpl: ProviderSecretFetch;
+} {
+  const calls: RecordedFetchCall[] = [];
+  const fetchImpl: ProviderSecretFetch = async (input, init) => {
+    calls.push({
+      url: String(input),
+      init,
+      body: typeof init?.body === "string" ? JSON.parse(init.body) : init?.body,
+    });
+    const response = responses.shift();
+    if (!response) {
+      throw new Error("Unexpected fetch call.");
+    }
+    return response;
+  };
+
+  return { calls, fetchImpl };
+}
+
+class FakePromptInput extends EventEmitter {
+  isTTY = true;
+  isRaw = false;
+  private paused = false;
+  pauseCount = 0;
+  rawModes: boolean[] = [];
+
+  isPaused(): boolean {
+    return this.paused;
+  }
+
+  resume(): this {
+    this.paused = false;
+    return this;
+  }
+
+  pause(): this {
+    this.paused = true;
+    this.pauseCount += 1;
+    return this;
+  }
+
+  setRawMode(value: boolean): this {
+    this.isRaw = value;
+    this.rawModes.push(value);
+    return this;
+  }
+}
+
+describe("provider secret helpers", () => {
+  test("reads provider keys from the api_key namespace", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ found: true })]);
+
+    await readGatewayApiKey(
+      "http://127.0.0.1:3000/",
+      "anthropic",
+      "guardian-token",
+      fetchImpl,
+    );
+
+    expect(calls).toHaveLength(1);
+    expect(calls[0].url).toBe("http://127.0.0.1:3000/v1/secrets/read");
+    expect(calls[0].init?.method).toBe("POST");
+    expect(calls[0].init?.headers).toMatchObject({
+      Authorization: "Bearer guardian-token",
+      "Content-Type": "application/json",
+    });
+    expect(calls[0].body).toEqual({
+      type: "api_key",
+      name: "anthropic",
+      reveal: false,
+    });
+  });
+
+  test("explains a missing secret route as a wrong active assistant URL", async () => {
+    const { fetchImpl } = makeFetch([
+      jsonResponse(
+        {
+          error: {
+            code: "not_found",
+            message: "Not found",
+            path: "/v1/secrets/read",
+          },
+        },
+        404,
+      ),
+    ]);
+
+    await expect(
+      readGatewayApiKey(
+        "https://platform.vellum.ai",
+        "anthropic",
+        undefined,
+        fetchImpl,
+      ),
+    ).rejects.toThrow("does not expose /v1/secrets/read");
+  });
+
+  test("injects provider keys into the api_key namespace", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ success: true })]);
+
+    await injectGatewayApiKey(
+      "http://127.0.0.1:3000",
+      "openai",
+      "test-provider-key",
+      "guardian-token",
+      fetchImpl,
+    );
+
+    expect(calls).toHaveLength(1);
+    expect(calls[0].url).toBe("http://127.0.0.1:3000/v1/secrets");
+    expect(calls[0].body).toEqual({
+      type: "api_key",
+      name: "openai",
+      value: "test-provider-key",
+    });
+  });
+
+  test("does not prompt or rewrite an existing provider key", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ found: true })]);
+    let prompted = false;
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: { ANTHROPIC_API_KEY: "test-provider-key" },
+      fetchImpl,
+      prompt: async () => {
+        prompted = true;
+        return "unused";
+      },
+    });
+
+    expect(result).toEqual({
+      status: "already_configured",
+      provider: "anthropic",
+    });
+    expect(prompted).toBe(false);
+    expect(calls).toHaveLength(1);
+  });
+
+  test("stores a provider key from the matching environment variable", async () => {
+    const { calls, fetchImpl } = makeFetch([
+      jsonResponse({ found: false }),
+      jsonResponse({ success: true }),
+    ]);
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: { ANTHROPIC_API_KEY: " test-provider-key " },
+      fetchImpl,
+      stdinIsTTY: false,
+    });
+
+    expect(result).toEqual({
+      status: "configured",
+      provider: "anthropic",
+      source: "env",
+    });
+    expect(calls).toHaveLength(2);
+    expect(calls[1].body).toEqual({
+      type: "api_key",
+      name: "anthropic",
+      value: "test-provider-key",
+    });
+  });
+
+  test("prompts when no matching provider key is in the environment", async () => {
+    const { calls, fetchImpl } = makeFetch([
+      jsonResponse({ found: false }),
+      jsonResponse({ success: true }),
+    ]);
+    let promptText = "";
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "openai",
+      env: {},
+      fetchImpl,
+      prompt: async (prompt) => {
+        promptText = prompt;
+        return "test-openai-key";
+      },
+    });
+
+    expect(result).toEqual({
+      status: "configured",
+      provider: "openai",
+      source: "prompt",
+    });
+    expect(promptText).toContain("OpenAI");
+    expect(promptText).toContain("OPENAI_API_KEY");
+    expect(calls[1].body).toEqual({
+      type: "api_key",
+      name: "openai",
+      value: "test-openai-key",
+    });
+  });
+
+  test("pauses prompt input after reading a secret", async () => {
+    const input = new FakePromptInput();
+    let outputText = "";
+    const output = {
+      write: (text: string) => {
+        outputText += text;
+        return true;
+      },
+    };
+
+    const resultPromise = promptSecret("Enter key: ", {
+      input: input as unknown as NodeJS.ReadStream,
+      output: output as unknown as NodeJS.WriteStream,
+    });
+    input.emit("data", Buffer.from("test-provider-key\n"));
+
+    await expect(resultPromise).resolves.toBe("test-provider-key");
+    expect(input.pauseCount).toBe(1);
+    expect(input.listenerCount("data")).toBe(0);
+    expect(input.rawModes).toEqual([true, false]);
+    expect(outputText).toBe("Enter key: \n");
+  });
+
+  test("returns a missing-key result in non-interactive shells", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ found: false })]);
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: {},
+      fetchImpl,
+      stdinIsTTY: false,
+    });
+
+    expect(result).toEqual({
+      status: "missing",
+      provider: "anthropic",
+      message:
+        "Missing ANTHROPIC_API_KEY. Set it in the environment or run vellum setup from an interactive terminal.",
+    });
+    expect(calls).toHaveLength(1);
+  });
+
+  test("reports an unavailable credential store without prompting", async () => {
+    const { calls, fetchImpl } = makeFetch([
+      jsonResponse({ found: false, unreachable: true }),
+    ]);
+    let prompted = false;
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: {},
+      fetchImpl,
+      prompt: async () => {
+        prompted = true;
+        return "unused";
+      },
+    });
+
+    expect(result.status).toBe("failed");
+    expect(prompted).toBe(false);
+    expect(calls).toHaveLength(1);
+  });
+});

package/src/__tests__/ps-platform-status.test.ts

@@ -0,0 +1,182 @@
+import { afterAll, afterEach, beforeEach, describe, expect, spyOn, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+// ---------------------------------------------------------------------------
+// Temp directory for lockfile isolation
+// ---------------------------------------------------------------------------
+
+const testDir = mkdtempSync(join(tmpdir(), "cli-ps-platform-status-test-"));
+process.env.VELLUM_LOCKFILE_DIR = testDir;
+
+// ---------------------------------------------------------------------------
+// Mocks — set up before importing the command under test. All spies are
+// restored in afterAll so we don't leak module state to neighbouring suites.
+// ---------------------------------------------------------------------------
+
+import * as assistantConfig from "../lib/assistant-config.js";
+import * as orphanDetection from "../lib/orphan-detection.js";
+import * as platformClient from "../lib/platform-client.js";
+
+const loadAllAssistantsMock = spyOn(
+  assistantConfig,
+  "loadAllAssistants",
+).mockReturnValue([]);
+const getActiveAssistantMock = spyOn(
+  assistantConfig,
+  "getActiveAssistant",
+).mockReturnValue(null);
+const detectOrphanedProcessesMock = spyOn(
+  orphanDetection,
+  "detectOrphanedProcesses",
+).mockResolvedValue([]);
+const getPlatformUrlMock = spyOn(
+  platformClient,
+  "getPlatformUrl",
+).mockReturnValue("http://platform.test");
+
+// Per-test toggle for `readPlatformToken`.
+const readPlatformTokenMock = spyOn(
+  platformClient,
+  "readPlatformToken",
+).mockReturnValue(null);
+
+// `fetchCurrentUser` + `fetchPlatformAssistants` are spied so we can assert
+// they're never invoked on the no-token path, and re-shaped per-test for the
+// token-but-unreachable path.
+const fetchCurrentUserMock = spyOn(
+  platformClient,
+  "fetchCurrentUser",
+).mockResolvedValue({
+  id: "u1",
+  email: "test@example.com",
+  display: "Test",
+});
+const fetchPlatformAssistantsMock = spyOn(
+  platformClient,
+  "fetchPlatformAssistants",
+).mockResolvedValue([]);
+
+// ---------------------------------------------------------------------------
+// stdout / stderr capture
+// ---------------------------------------------------------------------------
+
+let stdout: string[];
+let stderr: string[];
+let originalLog: typeof console.log;
+let originalError: typeof console.error;
+
+beforeEach(() => {
+  stdout = [];
+  stderr = [];
+  originalLog = console.log;
+  originalError = console.error;
+  console.log = ((...args: unknown[]) => {
+    stdout.push(args.map((a) => String(a)).join(" "));
+  }) as typeof console.log;
+  console.error = ((...args: unknown[]) => {
+    stderr.push(args.map((a) => String(a)).join(" "));
+  }) as typeof console.error;
+});
+
+afterEach(() => {
+  console.log = originalLog;
+  console.error = originalError;
+  readPlatformTokenMock.mockReturnValue(null);
+  fetchCurrentUserMock.mockReset();
+  fetchCurrentUserMock.mockResolvedValue({
+    id: "u1",
+    email: "test@example.com",
+    display: "Test",
+  });
+  fetchPlatformAssistantsMock.mockReset();
+  fetchPlatformAssistantsMock.mockResolvedValue([]);
+});
+
+afterAll(() => {
+  loadAllAssistantsMock.mockRestore();
+  getActiveAssistantMock.mockRestore();
+  detectOrphanedProcessesMock.mockRestore();
+  getPlatformUrlMock.mockRestore();
+  readPlatformTokenMock.mockRestore();
+  fetchCurrentUserMock.mockRestore();
+  fetchPlatformAssistantsMock.mockRestore();
+  rmSync(testDir, { recursive: true, force: true });
+});
+
+// ---------------------------------------------------------------------------
+// Import the command under test AFTER mocks are wired up
+// ---------------------------------------------------------------------------
+
+import { listAllAssistants } from "../commands/ps.js";
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("vellum ps — platform status line", () => {
+  test("no local token: prints 'Platform: not logged in' and skips ALL network fetches", async () => {
+    readPlatformTokenMock.mockReturnValue(null);
+
+    await listAllAssistants(false);
+
+    // The status line is present, exactly once, with no redundant error log.
+    expect(stdout.filter((l) => l.startsWith("Platform:"))).toEqual([
+      "Platform: not logged in",
+    ]);
+    expect(
+      stderr.some((l) => l.includes("Failed to fetch organization")),
+    ).toBe(false);
+    expect(
+      stdout.some((l) => l.includes("Failed to fetch organization")),
+    ).toBe(false);
+
+    // Structural guarantee: we never even tried to talk to the platform.
+    expect(fetchCurrentUserMock).not.toHaveBeenCalled();
+    expect(fetchPlatformAssistantsMock).not.toHaveBeenCalled();
+  });
+
+  test("local token present but platform is unreachable: still shows 'Platform: not logged in' with no leaked org-fetch error", async () => {
+    readPlatformTokenMock.mockReturnValue("session_abc123");
+    // Simulate the exact Bun connect failure the user reported:
+    //   "Unable to connect. Is the computer able to access the url?"
+    const connectError = new Error(
+      "Unable to connect. Is the computer able to access the url?",
+    );
+    fetchCurrentUserMock.mockRejectedValue(connectError);
+    fetchPlatformAssistantsMock.mockRejectedValue(connectError);
+
+    await listAllAssistants(false);
+
+    expect(stdout.filter((l) => l.startsWith("Platform:"))).toEqual([
+      "Platform: not logged in",
+    ]);
+    expect(
+      stderr.some((l) => l.includes("Failed to fetch organization")),
+    ).toBe(false);
+    expect(
+      stdout.some((l) => l.includes("Failed to fetch organization")),
+    ).toBe(false);
+    expect(
+      stderr.some((l) => l.includes("Unable to connect")),
+    ).toBe(false);
+  });
+
+  test("local token present and platform reachable: prints 'Platform: logged in as <email>'", async () => {
+    readPlatformTokenMock.mockReturnValue("session_abc123");
+    fetchCurrentUserMock.mockResolvedValue({
+      id: "u1",
+      email: "vargas@vellum.ai",
+      display: "Vargas",
+    });
+    fetchPlatformAssistantsMock.mockResolvedValue([]);
+
+    await listAllAssistants(false);
+
+    expect(stdout).toContain("Platform: logged in as vargas@vellum.ai");
+    expect(
+      stderr.some((l) => l.includes("Failed to fetch organization")),
+    ).toBe(false);
+  });
+});

package/src/__tests__/search-provider-env-var-parity.test.ts

@@ -0,0 +1,48 @@
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { describe, expect, test } from "bun:test";
+
+import { SEARCH_PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
+
+/**
+ * Drift guard for the CLI-side search provider env-var mirror.
+ *
+ * `cli/src/shared/provider-env-vars.ts` hardcodes the search env-var names so
+ * the CLI doesn't need to import the assistant's
+ * `SEARCH_PROVIDER_CATALOG` (no CLI → assistant cross-package imports exist).
+ * This test pulls the catalog JSON at `meta/web-search-provider-catalog.json`
+ * — which is kept in sync with `SEARCH_PROVIDER_CATALOG` by
+ * `assistant/src/__tests__/web-search-catalog-parity.test.ts` — and asserts
+ * the CLI's mirror matches the catalog's `envVar` entries.
+ *
+ * Mirrors `llm-provider-env-var-parity.test.ts`.
+ */
+
+const REPO_ROOT = join(import.meta.dir, "..", "..", "..");
+
+interface SearchCatalogEntry {
+  id: string;
+  kind: "managed" | "byok";
+  envVar?: string;
+}
+
+interface SearchCatalog {
+  version: number;
+  providers: SearchCatalogEntry[];
+}
+
+function loadSearchCatalog(): SearchCatalog {
+  const path = join(REPO_ROOT, "meta", "web-search-provider-catalog.json");
+  return JSON.parse(readFileSync(path, "utf-8"));
+}
+
+describe("CLI search provider env-var parity", () => {
+  test("SEARCH_PROVIDER_ENV_VAR_NAMES matches meta/web-search-provider-catalog.json entries with envVar", () => {
+    const catalog = loadSearchCatalog();
+    const expected: Record<string, string> = {};
+    for (const provider of catalog.providers) {
+      if (provider.envVar) expected[provider.id] = provider.envVar;
+    }
+    expect(SEARCH_PROVIDER_ENV_VAR_NAMES).toEqual(expected);
+  });
+});