@vellumai/credential-executor 0.5.5 → 0.5.6

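--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@vellumai/credential-executor",
- "version": "0.5.5",
+ "version": "0.5.6",
  "type": "module",
  "exports": {
  ".": "./src/index.ts"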
@@ -16,6 +16,8 @@
16
16
  * via the environment.
17
17
  */
18
18
 
19
+ import { timingSafeEqual } from "node:crypto";
20
+
19
21
  import type { SecureKeyBackend } from "@vellumai/credential-storage";
20
22
 
21
23
  // ---------------------------------------------------------------------------
@@ -43,7 +45,9 @@ function checkAuth(req: Request, serviceToken: string): Response | null {
43
45
  );
44
46
  }
45
47
 
46
- if (parts[1] !== serviceToken) {
48
+ const provided = Buffer.from(parts[1]!);
49
+ const expected = Buffer.from(serviceToken);
50
+ if (provided.length !== expected.length || !timingSafeEqual(provided, expected)) {
47
51
  return new Response(
48
52
  JSON.stringify({ error: "Invalid service token" }),
49
53
  { status: 403, headers: { "Content-Type": "application/json" } },
@@ -230,9 +230,9 @@ function readStore(storePath: string): StoreFile | null {
230
230
  /**
231
231
  * Create a SecureKeyBackend backed by the assistant's encrypted key store.
232
232
  *
233
- * Supports `get` and `set` operations. `set` is needed for persisting
234
- * refreshed OAuth tokens. `delete` remains unsupported (returns "error")
235
- * because CES never needs to remove keys.
233
+ * Supports `get`, `set`, and `delete` operations. `set` is needed for
234
+ * persisting refreshed OAuth tokens. `delete` removes a key from the
235
+ * encrypted store.
236
236
  *
237
237
  * @param vellumRoot - The Vellum root directory (e.g. `~/.vellum`).
238
238
  * @param options.entropyOverride - If provided, used instead of local
@@ -310,9 +310,19 @@ export function createLocalSecureKeyBackend(
310
310
  }
311
311
  },
312
312
 
313
- // CES never deletes keys — only reads and writes (for token refresh).
314
- async delete(_key: string): Promise<SecureKeyDeleteResult> {
315
- return "error";
313
+ async delete(key: string): Promise<SecureKeyDeleteResult> {
314
+ try {
315
+ const store = readStore(storePath);
316
+ if (!store) return "error";
317
+
318
+ if (!(key in store.entries)) return "not-found";
319
+
320
+ delete store.entries[key];
321
+ writeStore(store, storePath);
322
+ return "deleted";
323
+ } catch {
324
+ return "error";
325
+ }
316
326
  },
317
327
 
318
328
  async list(): Promise<string[]> {
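Review bot: In the new `delete` method, `key in store.entries` also matches inherited properties, so on a plain object a key such as `toString` passes the check, the `delete` statement removes nothing, and the method still rewrites the store and reports "deleted". An own-property test fits better: `if (!Object.prototype.hasOwnProperty.call(store.entries, key)) return "not-found";` (the shape of `store.entries` comes from `readStore`, outside this hunk, so confirm it is a plain object). The read-modify-write through `readStore`/`writeStore` has no visible locking, so a `delete` racing a `set` for a refreshed token may drop one of the two writes; worth confirming how `writeStore` handles that. The bare `catch` returns "error" with no log line, which leaves a failed credential removal without an audit trail; a comment such as `// best-effort: caller only sees "error"` or a log call would make the intent explicit. The body of `createLocalSecureKeyBackend` starts before and continues past this hunk; separately, in the `checkAuth` hunk the early `provided.length !== expected.length` exit still exposes the token length through timing, which comparing fixed-length digests of both values would avoid.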