@vellumai/cli 0.8.1 → 0.8.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.8.1",
+  "version": "0.8.2",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {

package/src/__tests__/backup.test.ts

@@ -81,12 +81,20 @@ const localRuntimePollJobStatusMock = spyOn(
 
 // Mode 1 (runtime-direct local backup) uses guardian tokens. Don't exercise
 // it here, but the spies need to exist so the module under test can import
-// them without surprises.
-spyOn(guardianToken, "loadGuardianToken").mockReturnValue({
+// them without surprises. Saved to variables so afterAll can restore them —
+// otherwise the spied loadGuardianToken leaks into guardian-token.test.ts and
+// setup.test.ts when they run later in the same `bun test` invocation.
+const loadGuardianTokenSpy = spyOn(
+  guardianToken,
+  "loadGuardianToken",
+).mockReturnValue({
   accessToken: "local-token",
   accessTokenExpiresAt: new Date(Date.now() + 60_000).toISOString(),
 } as unknown as ReturnType<typeof guardianToken.loadGuardianToken>);
-spyOn(guardianToken, "leaseGuardianToken").mockResolvedValue({
+const leaseGuardianTokenSpy = spyOn(
+  guardianToken,
+  "leaseGuardianToken",
+).mockResolvedValue({
   accessToken: "leased-token",
   accessTokenExpiresAt: new Date(Date.now() + 60_000).toISOString(),
 } as unknown as Awaited<ReturnType<typeof guardianToken.leaseGuardianToken>>);
@@ -177,6 +185,8 @@ afterAll(() => {
   getBackupsDirMock.mockRestore();
   mkdirSyncMock.mockRestore();
   writeFileSyncMock.mockRestore();
+  loadGuardianTokenSpy.mockRestore();
+  leaseGuardianTokenSpy.mockRestore();
   rmSync(testDir, { recursive: true, force: true });
 });
 

package/src/__tests__/input-history.test.ts

@@ -0,0 +1,102 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import {
+  existsSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+} from "node:fs";
+import { homedir, tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { getInputHistoryPath } from "../lib/environments/paths.js";
+import { appendHistory, loadHistory } from "../lib/input-history.js";
+
+describe("input-history XDG paths", () => {
+  let tempDir: string;
+  let savedState: string | undefined;
+
+  beforeEach(() => {
+    savedState = process.env.XDG_STATE_HOME;
+    tempDir = mkdtempSync(join(tmpdir(), "cli-input-history-test-"));
+    process.env.XDG_STATE_HOME = join(tempDir, ".local", "state");
+  });
+
+  afterEach(() => {
+    if (savedState === undefined) {
+      delete process.env.XDG_STATE_HOME;
+    } else {
+      process.env.XDG_STATE_HOME = savedState;
+    }
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  test("appendHistory writes to $XDG_STATE_HOME/vellum/input-history", () => {
+    appendHistory("hello world");
+
+    const canonical = getInputHistoryPath();
+    expect(canonical).toBe(
+      join(tempDir, ".local", "state", "vellum", "input-history"),
+    );
+    expect(existsSync(canonical)).toBe(true);
+    expect(readFileSync(canonical, "utf-8")).toBe("hello world\n");
+  });
+
+  test("appendHistory does NOT touch ~/.vellum/", () => {
+    // Crucially: the CLI must not create or write to ~/.vellum/ per the
+    // "No `.vellum/` directory access" boundary in cli/AGENTS.md. We snapshot
+    // the legacy path's existence before the call (some test machines already
+    // have a ~/.vellum/ for unrelated daemon state) and assert the file at
+    // that path is unchanged afterwards.
+    const legacyPath = join(homedir(), ".vellum", "input-history");
+    const existedBefore = existsSync(legacyPath);
+    const contentBefore: string = existedBefore
+      ? readFileSync(legacyPath, "utf-8")
+      : "";
+
+    appendHistory("hello");
+
+    expect(existsSync(legacyPath)).toBe(existedBefore);
+    if (existedBefore) {
+      expect(readFileSync(legacyPath, "utf-8")).toBe(contentBefore);
+    }
+  });
+
+  test("XDG_STATE_HOME default is ~/.local/state when unset", () => {
+    delete process.env.XDG_STATE_HOME;
+
+    // os.homedir() is cached at process start by Bun and ignores
+    // process.env.HOME mutations, so compute the expected path from the same
+    // source the production helper uses.
+    expect(getInputHistoryPath()).toBe(
+      join(homedir(), ".local", "state", "vellum", "input-history"),
+    );
+  });
+
+  test("appendHistory skips empty and slash-command entries", () => {
+    appendHistory("");
+    appendHistory("   ");
+    appendHistory("/help");
+    appendHistory("real entry");
+
+    expect(loadHistory()).toEqual(["real entry"]);
+  });
+
+  test("appendHistory deduplicates by moving to most recent", () => {
+    appendHistory("a");
+    appendHistory("b");
+    appendHistory("a");
+
+    expect(loadHistory()).toEqual(["b", "a"]);
+  });
+
+  test("appendHistory caps history at MAX_ENTRIES (1000)", () => {
+    for (let i = 0; i < 1100; i++) {
+      appendHistory(`entry-${i}`);
+    }
+
+    const history = loadHistory();
+    expect(history.length).toBe(1000);
+    expect(history[0]).toBe("entry-100");
+    expect(history[999]).toBe("entry-1099");
+  });
+});

package/src/__tests__/preload.ts

@@ -10,7 +10,7 @@
 import { mkdtempSync, realpathSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { afterAll } from "bun:test";
+import { afterAll, mock } from "bun:test";
 
 const testDir = realpathSync(
   mkdtempSync(join(tmpdir(), "vellum-cli-test-workspace-")),
@@ -24,4 +24,8 @@ afterAll(() => {
   } catch {
     /* best-effort cleanup */
   }
+
+  // Reset all module mocks so mock.module() calls in one test file
+  // don't leak into the next file in the same bun test run.
+  mock.restore();
 });

package/src/__tests__/provider-secrets.test.ts

@@ -0,0 +1,290 @@
+import { describe, expect, test } from "bun:test";
+import { EventEmitter } from "node:events";
+
+import {
+  ensureProviderApiKey,
+  injectGatewayApiKey,
+  promptSecret,
+  readGatewayApiKey,
+  type ProviderSecretFetch,
+} from "../lib/provider-secrets.js";
+
+interface RecordedFetchCall {
+  url: string;
+  init?: RequestInit;
+  body: unknown;
+}
+
+function jsonResponse(body: unknown, status = 200): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+function makeFetch(responses: Response[]): {
+  calls: RecordedFetchCall[];
+  fetchImpl: ProviderSecretFetch;
+} {
+  const calls: RecordedFetchCall[] = [];
+  const fetchImpl: ProviderSecretFetch = async (input, init) => {
+    calls.push({
+      url: String(input),
+      init,
+      body: typeof init?.body === "string" ? JSON.parse(init.body) : init?.body,
+    });
+    const response = responses.shift();
+    if (!response) {
+      throw new Error("Unexpected fetch call.");
+    }
+    return response;
+  };
+
+  return { calls, fetchImpl };
+}
+
+class FakePromptInput extends EventEmitter {
+  isTTY = true;
+  isRaw = false;
+  private paused = false;
+  pauseCount = 0;
+  rawModes: boolean[] = [];
+
+  isPaused(): boolean {
+    return this.paused;
+  }
+
+  resume(): this {
+    this.paused = false;
+    return this;
+  }
+
+  pause(): this {
+    this.paused = true;
+    this.pauseCount += 1;
+    return this;
+  }
+
+  setRawMode(value: boolean): this {
+    this.isRaw = value;
+    this.rawModes.push(value);
+    return this;
+  }
+}
+
+describe("provider secret helpers", () => {
+  test("reads provider keys from the api_key namespace", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ found: true })]);
+
+    await readGatewayApiKey(
+      "http://127.0.0.1:3000/",
+      "anthropic",
+      "guardian-token",
+      fetchImpl,
+    );
+
+    expect(calls).toHaveLength(1);
+    expect(calls[0].url).toBe("http://127.0.0.1:3000/v1/secrets/read");
+    expect(calls[0].init?.method).toBe("POST");
+    expect(calls[0].init?.headers).toMatchObject({
+      Authorization: "Bearer guardian-token",
+      "Content-Type": "application/json",
+    });
+    expect(calls[0].body).toEqual({
+      type: "api_key",
+      name: "anthropic",
+      reveal: false,
+    });
+  });
+
+  test("explains a missing secret route as a wrong active assistant URL", async () => {
+    const { fetchImpl } = makeFetch([
+      jsonResponse(
+        {
+          error: {
+            code: "not_found",
+            message: "Not found",
+            path: "/v1/secrets/read",
+          },
+        },
+        404,
+      ),
+    ]);
+
+    await expect(
+      readGatewayApiKey(
+        "https://platform.vellum.ai",
+        "anthropic",
+        undefined,
+        fetchImpl,
+      ),
+    ).rejects.toThrow("does not expose /v1/secrets/read");
+  });
+
+  test("injects provider keys into the api_key namespace", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ success: true })]);
+
+    await injectGatewayApiKey(
+      "http://127.0.0.1:3000",
+      "openai",
+      "test-provider-key",
+      "guardian-token",
+      fetchImpl,
+    );
+
+    expect(calls).toHaveLength(1);
+    expect(calls[0].url).toBe("http://127.0.0.1:3000/v1/secrets");
+    expect(calls[0].body).toEqual({
+      type: "api_key",
+      name: "openai",
+      value: "test-provider-key",
+    });
+  });
+
+  test("does not prompt or rewrite an existing provider key", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ found: true })]);
+    let prompted = false;
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: { ANTHROPIC_API_KEY: "test-provider-key" },
+      fetchImpl,
+      prompt: async () => {
+        prompted = true;
+        return "unused";
+      },
+    });
+
+    expect(result).toEqual({
+      status: "already_configured",
+      provider: "anthropic",
+    });
+    expect(prompted).toBe(false);
+    expect(calls).toHaveLength(1);
+  });
+
+  test("stores a provider key from the matching environment variable", async () => {
+    const { calls, fetchImpl } = makeFetch([
+      jsonResponse({ found: false }),
+      jsonResponse({ success: true }),
+    ]);
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: { ANTHROPIC_API_KEY: " test-provider-key " },
+      fetchImpl,
+      stdinIsTTY: false,
+    });
+
+    expect(result).toEqual({
+      status: "configured",
+      provider: "anthropic",
+      source: "env",
+    });
+    expect(calls).toHaveLength(2);
+    expect(calls[1].body).toEqual({
+      type: "api_key",
+      name: "anthropic",
+      value: "test-provider-key",
+    });
+  });
+
+  test("prompts when no matching provider key is in the environment", async () => {
+    const { calls, fetchImpl } = makeFetch([
+      jsonResponse({ found: false }),
+      jsonResponse({ success: true }),
+    ]);
+    let promptText = "";
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "openai",
+      env: {},
+      fetchImpl,
+      prompt: async (prompt) => {
+        promptText = prompt;
+        return "test-openai-key";
+      },
+    });
+
+    expect(result).toEqual({
+      status: "configured",
+      provider: "openai",
+      source: "prompt",
+    });
+    expect(promptText).toContain("OpenAI");
+    expect(promptText).toContain("OPENAI_API_KEY");
+    expect(calls[1].body).toEqual({
+      type: "api_key",
+      name: "openai",
+      value: "test-openai-key",
+    });
+  });
+
+  test("pauses prompt input after reading a secret", async () => {
+    const input = new FakePromptInput();
+    let outputText = "";
+    const output = {
+      write: (text: string) => {
+        outputText += text;
+        return true;
+      },
+    };
+
+    const resultPromise = promptSecret("Enter key: ", {
+      input: input as unknown as NodeJS.ReadStream,
+      output: output as unknown as NodeJS.WriteStream,
+    });
+    input.emit("data", Buffer.from("test-provider-key\n"));
+
+    await expect(resultPromise).resolves.toBe("test-provider-key");
+    expect(input.pauseCount).toBe(1);
+    expect(input.listenerCount("data")).toBe(0);
+    expect(input.rawModes).toEqual([true, false]);
+    expect(outputText).toBe("Enter key: \n");
+  });
+
+  test("returns a missing-key result in non-interactive shells", async () => {
+    const { calls, fetchImpl } = makeFetch([jsonResponse({ found: false })]);
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: {},
+      fetchImpl,
+      stdinIsTTY: false,
+    });
+
+    expect(result).toEqual({
+      status: "missing",
+      provider: "anthropic",
+      message:
+        "Missing ANTHROPIC_API_KEY. Set it in the environment or run vellum setup from an interactive terminal.",
+    });
+    expect(calls).toHaveLength(1);
+  });
+
+  test("reports an unavailable credential store without prompting", async () => {
+    const { calls, fetchImpl } = makeFetch([
+      jsonResponse({ found: false, unreachable: true }),
+    ]);
+    let prompted = false;
+
+    const result = await ensureProviderApiKey({
+      gatewayUrl: "http://127.0.0.1:3000",
+      provider: "anthropic",
+      env: {},
+      fetchImpl,
+      prompt: async () => {
+        prompted = true;
+        return "unused";
+      },
+    });
+
+    expect(result.status).toBe("failed");
+    expect(prompted).toBe(false);
+    expect(calls).toHaveLength(1);
+  });
+});