@vellumai/cli 0.8.12-staging.2 → 0.9.0-dev.202606162156.4bad3e5

package/src/__tests__/tunnel.test.ts

@@ -0,0 +1,164 @@
+import {
+  afterAll,
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  mock,
+  test,
+} from "bun:test";
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import * as cloudflareTunnel from "../lib/cloudflare-tunnel.js";
+import * as ngrok from "../lib/ngrok.js";
+import type { AssistantEntry } from "../lib/assistant-config.js";
+
+const realCloudflareTunnel = { ...cloudflareTunnel };
+const realNgrok = { ...ngrok };
+
+const runCloudflareTunnelMock = mock<
+  typeof cloudflareTunnel.runCloudflareTunnel
+>(async () => {});
+mock.module("../lib/cloudflare-tunnel.js", () => ({
+  ...realCloudflareTunnel,
+  runCloudflareTunnel: runCloudflareTunnelMock,
+}));
+
+const runNgrokTunnelMock = mock<typeof ngrok.runNgrokTunnel>(async () => {});
+mock.module("../lib/ngrok", () => ({
+  ...realNgrok,
+  runNgrokTunnel: runNgrokTunnelMock,
+}));
+
+const { tunnel } = await import("../commands/tunnel.js");
+
+const originalArgv = [...process.argv];
+const originalFetch = globalThis.fetch;
+const originalLockfileDir = process.env.VELLUM_LOCKFILE_DIR;
+const tempDirs: string[] = [];
+
+function makeLocalEntry(): AssistantEntry {
+  const instanceDir = mkdtempSync(join(tmpdir(), "vellum-tunnel-test-"));
+  tempDirs.push(instanceDir);
+  return {
+    assistantId: "assistant-1",
+    runtimeUrl: "http://127.0.0.1:7830",
+    cloud: "local",
+    resources: {
+      instanceDir,
+      daemonPort: 7821,
+      gatewayPort: 7830,
+      qdrantPort: 6333,
+      cesPort: 7822,
+    },
+  };
+}
+
+function writeLockfile(entry: AssistantEntry): void {
+  const lockfileDir = mkdtempSync(join(tmpdir(), "vellum-tunnel-lockfile-"));
+  tempDirs.push(lockfileDir);
+  process.env.VELLUM_LOCKFILE_DIR = lockfileDir;
+  mkdirSync(lockfileDir, { recursive: true });
+  writeFileSync(
+    join(lockfileDir, ".vellum.lock.json"),
+    JSON.stringify(
+      {
+        activeAssistant: entry.assistantId,
+        assistants: [entry],
+      },
+      null,
+      2,
+    ),
+  );
+}
+
+function mockEnabledFlagFetch() {
+  const fetchMock = mock(async (_input: string, _init?: RequestInit) => {
+    return new Response(
+      JSON.stringify({
+        flags: [{ key: "web-remote-ingress", enabled: true }],
+      }),
+      { status: 200, headers: { "Content-Type": "application/json" } },
+    );
+  });
+  globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+  return fetchMock;
+}
+
+describe("tunnel nginx ingress feature flag", () => {
+  beforeEach(() => {
+    process.argv = ["bun", "vellum", "tunnel"];
+    writeLockfile(makeLocalEntry());
+    globalThis.fetch = (async () => {
+      throw new Error("gateway unavailable");
+    }) as unknown as typeof globalThis.fetch;
+    runCloudflareTunnelMock.mockReset();
+    runCloudflareTunnelMock.mockResolvedValue(undefined);
+    runNgrokTunnelMock.mockReset();
+    runNgrokTunnelMock.mockResolvedValue(undefined);
+  });
+
+  afterEach(() => {
+    process.argv = originalArgv;
+    globalThis.fetch = originalFetch;
+    if (originalLockfileDir === undefined) {
+      delete process.env.VELLUM_LOCKFILE_DIR;
+    } else {
+      process.env.VELLUM_LOCKFILE_DIR = originalLockfileDir;
+    }
+    for (const dir of tempDirs.splice(0)) {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  afterAll(() => {
+    mock.module("../lib/cloudflare-tunnel.js", () => realCloudflareTunnel);
+    mock.module("../lib/ngrok", () => realNgrok);
+  });
+
+  test("does not start ngrok when the flag lookup fails", async () => {
+    process.argv = ["bun", "vellum", "tunnel", "--provider", "ngrok"];
+
+    await expect(tunnel()).rejects.toThrow(
+      "Could not verify the `web-remote-ingress` feature flag",
+    );
+
+    expect(runNgrokTunnelMock).not.toHaveBeenCalled();
+    expect(runCloudflareTunnelMock).not.toHaveBeenCalled();
+  });
+
+  test("checks the nginx flag through the local gateway for ngrok", async () => {
+    const entry = makeLocalEntry();
+    entry.runtimeUrl = "https://stale-tunnel.ngrok-free.dev";
+    writeLockfile(entry);
+    process.argv = ["bun", "vellum", "tunnel", "--provider", "ngrok"];
+    const fetchMock = mockEnabledFlagFetch();
+
+    await tunnel();
+
+    const [url, init] = fetchMock.mock.calls[0];
+    expect(url).toBe(
+      "http://127.0.0.1:7830/v1/assistants/assistant-1/feature-flags",
+    );
+    expect(init?.method).toBe("GET");
+    expect(runNgrokTunnelMock).toHaveBeenCalledWith({
+      port: 7830,
+      workspaceDir: join(entry.resources!.instanceDir, ".vellum", "workspace"),
+      preferNginxIngress: true,
+    });
+    expect(runCloudflareTunnelMock).not.toHaveBeenCalled();
+  });
+
+  test("does not start cloudflared when the flag lookup fails", async () => {
+    process.argv = ["bun", "vellum", "tunnel", "--provider", "cloudflare"];
+
+    await expect(tunnel()).rejects.toThrow(
+      "Could not verify the `web-remote-ingress` feature flag",
+    );
+
+    expect(runNgrokTunnelMock).not.toHaveBeenCalled();
+    expect(runCloudflareTunnelMock).not.toHaveBeenCalled();
+  });
+});

package/src/__tests__/wake.test.ts

@@ -272,12 +272,23 @@ describe("vellum wake", () => {
     expect(leaseGuardianTokenMock).not.toHaveBeenCalled();
   });
 
-  test("skips re-provision when a guardian token already exists", async () => {
+  test("re-provisions even when a guardian token already exists", async () => {
+    // A connect can 401 off a token whose local state looks healthy
+    // (revoked, mis-seeded, wrong principal). The user explicitly confirmed
+    // the destructive repair, so the flag forces a re-lease instead of
+    // guessing from local token state and recreating the no-op loop.
     process.argv = ["bun", "vellum", "wake", "--repair-guardian", "local-assistant"];
-    // loadGuardianToken returns a token by default — recovery must not run.
+    // loadGuardianToken returns a healthy-looking token by default.
     await wake();
 
-    expect(resetGuardianBootstrapMock).not.toHaveBeenCalled();
-    expect(leaseGuardianTokenMock).not.toHaveBeenCalled();
+    expect(resetGuardianBootstrapMock).toHaveBeenCalledWith(
+      "http://127.0.0.1:7830",
+      "generated-bootstrap-secret",
+    );
+    expect(leaseGuardianTokenMock).toHaveBeenCalledWith(
+      "http://127.0.0.1:7830",
+      "local-assistant",
+      "generated-bootstrap-secret",
+    );
   });
 });

package/src/__tests__/workos-pkce.test.ts

@@ -0,0 +1,314 @@
+import { afterEach, describe, expect, mock, test } from "bun:test";
+
+import {
+  buildAuthorizeUrl,
+  exchangeAccessTokenForSession,
+  exchangeCodeWithWorkos,
+  fetchWorkosClientId,
+  generatePkcePair,
+  selectWorkosClientId,
+} from "../lib/workos-pkce.js";
+
+const originalFetch = globalThis.fetch;
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+
+/**
+ * Route fetch responses by URL substring so each WorkOS/platform call can be
+ * inspected. The module talks to remote hosts via loopbackSafeFetch, which
+ * delegates to globalThis.fetch.
+ */
+function mockFetchByUrl(responses: Record<string, () => Response>) {
+  const calls: Array<{ url: string; init?: RequestInit }> = [];
+  globalThis.fetch = mock(
+    async (input: RequestInfo | URL, init?: RequestInit) => {
+      const url = String(input);
+      calls.push({ url, init });
+      const match = Object.entries(responses).find(([prefix]) =>
+        url.includes(prefix),
+      );
+      if (!match) throw new Error(`Unexpected fetch: ${url}`);
+      return match[1]();
+    },
+  ) as unknown as typeof globalThis.fetch;
+  return calls;
+}
+
+describe("generatePkcePair", () => {
+  test("challenge is the base64url sha256 of the verifier", async () => {
+    const { verifier, challenge } = generatePkcePair();
+    const digest = await crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode(verifier),
+    );
+    const expected = Buffer.from(digest).toString("base64url");
+    expect(challenge).toBe(expected);
+  });
+
+  test("verifiers are unique", () => {
+    expect(generatePkcePair().verifier).not.toBe(generatePkcePair().verifier);
+  });
+});
+
+describe("buildAuthorizeUrl", () => {
+  const base = {
+    clientId: "client_123",
+    redirectUri: "http://127.0.0.1:4242/auth/callback",
+    challenge: "chal",
+    state: "st",
+  };
+
+  test("targets user_management/authorize with PKCE and authkit defaults", () => {
+    const url = new URL(buildAuthorizeUrl(base));
+    expect(url.origin).toBe("https://api.workos.com");
+    expect(url.pathname).toBe("/user_management/authorize");
+    expect(url.searchParams.get("client_id")).toBe("client_123");
+    expect(url.searchParams.get("redirect_uri")).toBe(base.redirectUri);
+    expect(url.searchParams.get("response_type")).toBe("code");
+    expect(url.searchParams.get("scope")).toBe("openid profile email");
+    expect(url.searchParams.get("code_challenge")).toBe("chal");
+    expect(url.searchParams.get("code_challenge_method")).toBe("S256");
+    expect(url.searchParams.get("state")).toBe("st");
+    expect(url.searchParams.get("provider")).toBe("authkit");
+    // Session reuse: never force a fresh IdP login.
+    expect(url.searchParams.has("prompt")).toBe(false);
+  });
+
+  test("provider hint replaces authkit", () => {
+    const url = new URL(
+      buildAuthorizeUrl({ ...base, providerHint: "GoogleOAuth" }),
+    );
+    expect(url.searchParams.get("provider")).toBe("GoogleOAuth");
+  });
+
+  test("login hint is forwarded", () => {
+    const url = new URL(
+      buildAuthorizeUrl({ ...base, loginHint: "user@example.com" }),
+    );
+    expect(url.searchParams.get("login_hint")).toBe("user@example.com");
+
+    const noHint = new URL(buildAuthorizeUrl(base));
+    expect(noHint.searchParams.has("login_hint")).toBe(false);
+  });
+});
+
+describe("selectWorkosClientId", () => {
+  // During coexistence the platform lists two providers that share the
+  // "workos-oidc" id; only the OAuth2 one (no discovery URL) is usable.
+  const legacy = {
+    id: "workos-oidc",
+    name: "WorkOS OIDC",
+    client_id: "client_connect",
+    flows: ["provider_redirect", "provider_token"],
+    openid_configuration_url:
+      "https://x.authkit.app/.well-known/openid-configuration",
+  };
+  const modern = {
+    id: "workos-oidc",
+    name: "WorkOS",
+    client_id: "client_um",
+    flows: ["provider_redirect", "provider_token"],
+  };
+
+  test("picks the OAuth2 entry during coexistence", () => {
+    expect(selectWorkosClientId([legacy, modern])).toBe("client_um");
+    expect(selectWorkosClientId([modern, legacy])).toBe("client_um");
+  });
+
+  test("returns null when the platform lacks token auth", () => {
+    const preTokenAuth = { ...modern, flows: ["provider_redirect"] };
+    expect(selectWorkosClientId([legacy, preTokenAuth])).toBeNull();
+    expect(selectWorkosClientId([])).toBeNull();
+  });
+
+  test("ignores an entry missing client_id", () => {
+    const noClientId = { id: "workos-oidc", flows: ["provider_token"] };
+    expect(selectWorkosClientId([noClientId])).toBeNull();
+  });
+});
+
+describe("fetchWorkosClientId", () => {
+  test("resolves the client id from the headless config", async () => {
+    const calls = mockFetchByUrl({
+      "/_allauth/app/v1/config": () =>
+        new Response(
+          JSON.stringify({
+            data: {
+              socialaccount: {
+                providers: [
+                  {
+                    id: "workos-oidc",
+                    client_id: "client_um",
+                    flows: ["provider_token"],
+                  },
+                ],
+              },
+            },
+          }),
+          { status: 200 },
+        ),
+    });
+
+    expect(await fetchWorkosClientId("https://platform.example")).toBe(
+      "client_um",
+    );
+    expect(calls[0]!.url).toBe(
+      "https://platform.example/_allauth/app/v1/config",
+    );
+  });
+
+  test("derives the config URL from the origin, ignoring any path", async () => {
+    const calls = mockFetchByUrl({
+      "/_allauth/app/v1/config": () =>
+        new Response(
+          JSON.stringify({
+            data: {
+              socialaccount: {
+                providers: [
+                  { client_id: "client_um", flows: ["provider_token"] },
+                ],
+              },
+            },
+          }),
+          { status: 200 },
+        ),
+    });
+
+    await fetchWorkosClientId("https://platform.example/some/path");
+    expect(calls[0]!.url).toBe(
+      "https://platform.example/_allauth/app/v1/config",
+    );
+  });
+
+  test("throws a clear error when no token-auth provider is advertised", async () => {
+    mockFetchByUrl({
+      "/_allauth/app/v1/config": () =>
+        new Response(
+          JSON.stringify({ data: { socialaccount: { providers: [] } } }),
+          { status: 200 },
+        ),
+    });
+
+    await expect(
+      fetchWorkosClientId("https://platform.example"),
+    ).rejects.toThrow(/does not advertise/);
+  });
+
+  test("throws on a non-OK config response", async () => {
+    mockFetchByUrl({
+      "/_allauth/app/v1/config": () => new Response("nope", { status: 500 }),
+    });
+
+    await expect(
+      fetchWorkosClientId("https://platform.example"),
+    ).rejects.toThrow(/500/);
+  });
+});
+
+describe("exchangeCodeWithWorkos", () => {
+  test("posts a public-client PKCE exchange and returns the access token", async () => {
+    const calls = mockFetchByUrl({
+      "/user_management/authenticate": () =>
+        new Response(JSON.stringify({ access_token: "at_1", user: {} }), {
+          status: 200,
+        }),
+    });
+
+    const token = await exchangeCodeWithWorkos({
+      clientId: "client_um",
+      code: "c",
+      verifier: "v",
+    });
+
+    expect(token).toBe("at_1");
+    expect(calls[0]!.url).toBe(
+      "https://api.workos.com/user_management/authenticate",
+    );
+    const body = JSON.parse(String(calls[0]!.init?.body));
+    // Public client: no secret, no API key.
+    expect(body).toEqual({
+      client_id: "client_um",
+      grant_type: "authorization_code",
+      code: "c",
+      code_verifier: "v",
+    });
+  });
+
+  test("throws with upstream detail on failure", async () => {
+    mockFetchByUrl({
+      "/user_management/authenticate": () =>
+        new Response(JSON.stringify({ error: "invalid_grant" }), {
+          status: 400,
+        }),
+    });
+
+    await expect(
+      exchangeCodeWithWorkos({ clientId: "c", code: "x", verifier: "v" }),
+    ).rejects.toThrow(/400/);
+  });
+
+  test("throws when the exchange returns no access token", async () => {
+    mockFetchByUrl({
+      "/user_management/authenticate": () =>
+        new Response(JSON.stringify({}), { status: 200 }),
+    });
+
+    await expect(
+      exchangeCodeWithWorkos({ clientId: "c", code: "x", verifier: "v" }),
+    ).rejects.toThrow(/no access token/);
+  });
+});
+
+describe("exchangeAccessTokenForSession", () => {
+  test("posts the headless token payload and returns the session token", async () => {
+    const calls = mockFetchByUrl({
+      "/_allauth/app/v1/auth/provider/token": () =>
+        new Response(JSON.stringify({ meta: { session_token: "sess_1" } }), {
+          status: 200,
+        }),
+    });
+
+    const token = await exchangeAccessTokenForSession(
+      "https://platform.example",
+      "client_um",
+      "at_1",
+    );
+
+    expect(token).toBe("sess_1");
+    expect(calls[0]!.url).toBe(
+      "https://platform.example/_allauth/app/v1/auth/provider/token",
+    );
+    const body = JSON.parse(String(calls[0]!.init?.body));
+    expect(body).toEqual({
+      provider: "workos",
+      process: "login",
+      token: { client_id: "client_um", access_token: "at_1" },
+    });
+  });
+
+  test("throws on a rejected token", async () => {
+    mockFetchByUrl({
+      "/_allauth/app/v1/auth/provider/token": () =>
+        new Response(JSON.stringify({ errors: [{ code: "invalid_token" }] }), {
+          status: 400,
+        }),
+    });
+
+    await expect(
+      exchangeAccessTokenForSession("https://platform.example", "c", "bad"),
+    ).rejects.toThrow(/400/);
+  });
+
+  test("throws when the session exchange returns no session token", async () => {
+    mockFetchByUrl({
+      "/_allauth/app/v1/auth/provider/token": () =>
+        new Response(JSON.stringify({ meta: {} }), { status: 200 }),
+    });
+
+    await expect(
+      exchangeAccessTokenForSession("https://platform.example", "c", "at"),
+    ).rejects.toThrow(/no session token/);
+  });
+});

package/src/commands/flags.ts

@@ -1,3 +1,4 @@
+import { extractAssistantFlag } from "../lib/arg-utils.js";
 import { AssistantClient } from "../lib/assistant-client.js";
 import {
   formatAssistantLookupError,
@@ -199,28 +200,6 @@ async function setFlag(
   console.log(`Flag "${key}" set to ${value}`);
 }
 
-/**
- * Strip `--assistant <name>` from argv and return the captured value.
- *
- * Mutates the input array so positional parsing downstream sees a clean
- * shape (subcommand + key + value). Returns `undefined` if the flag is
- * absent. Error-reports a missing value so the user gets a clear message
- * rather than the flag being silently swallowed as a positional.
- */
-function extractAssistantFlag(args: string[]): string | undefined {
-  for (let i = 0; i < args.length; i++) {
-    if (args[i] !== "--assistant") continue;
-    const value = args[i + 1];
-    if (!value || value.startsWith("-")) {
-      console.error("Missing value for --assistant <name>");
-      process.exit(1);
-    }
-    args.splice(i, 2);
-    return value;
-  }
-  return undefined;
-}
-
 export async function flags(): Promise<void> {
   const args = process.argv.slice(3);