@vellumai/credential-executor 0.5.7 → 0.5.9

package/node_modules/@vellumai/ces-contracts/src/error.ts

@@ -3,7 +3,7 @@
  * dependencies between index.ts and rpc.ts.
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 
 export const RpcErrorSchema = z.object({
   code: z.string(),

package/node_modules/@vellumai/ces-contracts/src/grants.ts

@@ -9,7 +9,7 @@
  * - Audit record summaries (materialization events)
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 
 // ---------------------------------------------------------------------------
 // Grant proposal types

package/node_modules/@vellumai/ces-contracts/src/handles.ts

@@ -20,7 +20,7 @@
  *    is the platform-assigned connection identifier.
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 
 // ---------------------------------------------------------------------------
 // Handle type discriminator

package/node_modules/@vellumai/ces-contracts/src/index.ts

@@ -7,7 +7,7 @@
  * module so that both sides can depend on it without circular references.
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 import { RpcErrorSchema } from "./error.js";
 
 // ---------------------------------------------------------------------------

package/node_modules/@vellumai/ces-contracts/src/rpc.ts

@@ -33,7 +33,7 @@
  * - `list_credentials` — List all credential account names
  */
 
-import { z } from "zod/v4";
+import { z } from "zod";
 import {
   AuditRecordSummarySchema,
   GrantProposalSchema,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/credential-executor",
-  "version": "0.5.7",
+  "version": "0.5.9",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/managed-integration.test.ts

@@ -29,6 +29,10 @@ import {
   CesRpcMethod,
   type HandshakeAck,
   type ListGrantsResponse,
+  type GetCredentialResponse,
+  type SetCredentialResponse,
+  type DeleteCredentialResponse,
+  type ListCredentialsResponse,
   type RpcEnvelope,
 } from "@vellumai/ces-contracts";
 
@@ -40,6 +44,7 @@ import {
   createListAuditRecordsHandler,
 } from "../grants/rpc-handlers.js";
 import { CesRpcServer, type RpcHandlerRegistry, type SessionIdRef } from "../server.js";
+import { createLocalSecureKeyBackend } from "../materializers/local-secure-key-backend.js";
 
 // ---------------------------------------------------------------------------
 // Environment setup
@@ -52,6 +57,7 @@ const SAVED_ENV_KEYS = [
   "CES_BOOTSTRAP_SOCKET",
   "CES_HEALTH_PORT",
   "CES_MODE",
+  "CREDENTIAL_SECURITY_DIR",
 ] as const;
 
 type SavedEnv = Record<string, string | undefined>;
@@ -107,6 +113,39 @@ function buildMinimalHandlers(dataDir: string): RpcHandlerRegistry {
   return handlers;
 }
 
+/**
+ * Build an RPC handler registry with credential CRUD handlers backed by
+ * a real SecureKeyBackend using a temp directory for credential storage.
+ *
+ * Mirrors the handler registration in managed-main.ts.
+ */
+function buildCredentialHandlers(vellumRoot: string): RpcHandlerRegistry {
+  const secureKeyBackend = createLocalSecureKeyBackend(vellumRoot);
+  const handlers: RpcHandlerRegistry = {};
+
+  handlers[CesRpcMethod.GetCredential] = (async (req: { account: string }) => {
+    const value = await secureKeyBackend.get(req.account);
+    return { found: value !== undefined, value };
+  }) as typeof handlers[string];
+
+  handlers[CesRpcMethod.SetCredential] = (async (req: { account: string; value: string }) => {
+    const ok = await secureKeyBackend.set(req.account, req.value);
+    return { ok };
+  }) as typeof handlers[string];
+
+  handlers[CesRpcMethod.DeleteCredential] = (async (req: { account: string }) => {
+    const result = await secureKeyBackend.delete(req.account);
+    return { result };
+  }) as typeof handlers[string];
+
+  handlers[CesRpcMethod.ListCredentials] = (async () => {
+    const accounts = await secureKeyBackend.list();
+    return { accounts };
+  }) as typeof handlers[string];
+
+  return handlers;
+}
+
 /**
  * Accept a single connection on a Unix socket and return
  * readable/writable streams plus cleanup helpers.
@@ -629,3 +668,277 @@ describe("managed CES integration (real Unix socket)", () => {
     controller.abort();
   });
 });
+
+// ---------------------------------------------------------------------------
+// Credential CRUD RPC tests
+// ---------------------------------------------------------------------------
+
+describe("credential CRUD RPC", () => {
+  /**
+   * Helper: set up a Unix socket server with credential CRUD handlers,
+   * connect a client, and complete the handshake. Returns the client
+   * socket and a serve promise for cleanup.
+   */
+  async function setupCredentialRpc(): Promise<{
+    clientSock: Socket;
+    servePromise: Promise<void>;
+  }> {
+    savedEnv = saveEnv();
+    tmpDir = mkdtempSync(join(tmpdir(), "ces-cred-integ-"));
+    const dataDir = join(tmpDir, "ces-data");
+    const securityDir = join(tmpDir, "security");
+    const socketDir = join(tmpDir, "bootstrap");
+    const socketPath = join(socketDir, "ces.sock");
+    mkdirSync(dataDir, { recursive: true });
+    mkdirSync(securityDir, { recursive: true });
+    mkdirSync(socketDir, { recursive: true });
+
+    process.env["CES_DATA_DIR"] = dataDir;
+    process.env["CES_MODE"] = "managed";
+    process.env["CREDENTIAL_SECURITY_DIR"] = securityDir;
+
+    controller = new AbortController();
+
+    const connectionPromise = acceptOneConnection(socketPath, controller.signal);
+    clientSocket = await connectToSocket(socketPath);
+    const conn = await connectionPromise;
+
+    // vellumRoot is unused when CREDENTIAL_SECURITY_DIR is set,
+    // but we pass dataDir for consistency with the backend API.
+    const handlers = buildCredentialHandlers(dataDir);
+
+    serverRpcServer = new CesRpcServer({
+      input: conn.readable,
+      output: conn.writable,
+      handlers,
+      logger: { log: () => {}, warn: () => {}, error: () => {} },
+      signal: controller.signal,
+    });
+
+    const servePromise = serverRpcServer.serve();
+
+    // Complete the handshake
+    sendMessage(clientSocket, {
+      type: "handshake_request",
+      protocolVersion: CES_PROTOCOL_VERSION,
+      sessionId: `cred-integ-${Date.now()}`,
+    });
+    const hsMessages = await readMessages(clientSocket, 1);
+    const ack = hsMessages[0] as HandshakeAck;
+    expect(ack.type).toBe("handshake_ack");
+    expect(ack.accepted).toBe(true);
+
+    return { clientSock: clientSocket, servePromise };
+  }
+
+  test("set + get round-trip", async () => {
+    const { clientSock, servePromise } = await setupCredentialRpc();
+
+    // Set credential
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-set-1",
+      kind: "request",
+      method: CesRpcMethod.SetCredential,
+      payload: { account: "test-key", value: "secret-value" },
+      timestamp: new Date().toISOString(),
+    });
+
+    const setMessages = await readMessages(clientSock, 1);
+    expect(setMessages.length).toBe(1);
+    const setResp = setMessages[0] as RpcEnvelope & { type: "rpc" };
+    expect(setResp.id).toBe("cred-set-1");
+    expect(setResp.kind).toBe("response");
+    expect(setResp.method).toBe(CesRpcMethod.SetCredential);
+    const setPayload = setResp.payload as SetCredentialResponse;
+    expect(setPayload.ok).toBe(true);
+
+    // Get credential
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-get-1",
+      kind: "request",
+      method: CesRpcMethod.GetCredential,
+      payload: { account: "test-key" },
+      timestamp: new Date().toISOString(),
+    });
+
+    const getMessages = await readMessages(clientSock, 1);
+    expect(getMessages.length).toBe(1);
+    const getResp = getMessages[0] as RpcEnvelope & { type: "rpc" };
+    expect(getResp.id).toBe("cred-get-1");
+    expect(getResp.kind).toBe("response");
+    expect(getResp.method).toBe(CesRpcMethod.GetCredential);
+    const getPayload = getResp.payload as GetCredentialResponse;
+    expect(getPayload).toEqual({ found: true, value: "secret-value" });
+
+    clientSock.end();
+    controller.abort();
+    await servePromise;
+  });
+
+  test("list includes set key", async () => {
+    const { clientSock, servePromise } = await setupCredentialRpc();
+
+    // Set a credential first
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-set-2",
+      kind: "request",
+      method: CesRpcMethod.SetCredential,
+      payload: { account: "test-key", value: "secret-value" },
+      timestamp: new Date().toISOString(),
+    });
+    await readMessages(clientSock, 1);
+
+    // List credentials
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-list-1",
+      kind: "request",
+      method: CesRpcMethod.ListCredentials,
+      payload: {},
+      timestamp: new Date().toISOString(),
+    });
+
+    const listMessages = await readMessages(clientSock, 1);
+    expect(listMessages.length).toBe(1);
+    const listResp = listMessages[0] as RpcEnvelope & { type: "rpc" };
+    expect(listResp.id).toBe("cred-list-1");
+    expect(listResp.kind).toBe("response");
+    expect(listResp.method).toBe(CesRpcMethod.ListCredentials);
+    const listPayload = listResp.payload as ListCredentialsResponse;
+    expect(listPayload.accounts).toContain("test-key");
+
+    clientSock.end();
+    controller.abort();
+    await servePromise;
+  });
+
+  test("delete credential", async () => {
+    const { clientSock, servePromise } = await setupCredentialRpc();
+
+    // Set a credential first
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-set-3",
+      kind: "request",
+      method: CesRpcMethod.SetCredential,
+      payload: { account: "test-key", value: "secret-value" },
+      timestamp: new Date().toISOString(),
+    });
+    await readMessages(clientSock, 1);
+
+    // Delete credential
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-del-1",
+      kind: "request",
+      method: CesRpcMethod.DeleteCredential,
+      payload: { account: "test-key" },
+      timestamp: new Date().toISOString(),
+    });
+
+    const delMessages = await readMessages(clientSock, 1);
+    expect(delMessages.length).toBe(1);
+    const delResp = delMessages[0] as RpcEnvelope & { type: "rpc" };
+    expect(delResp.id).toBe("cred-del-1");
+    expect(delResp.kind).toBe("response");
+    expect(delResp.method).toBe(CesRpcMethod.DeleteCredential);
+    const delPayload = delResp.payload as DeleteCredentialResponse;
+    expect(delPayload).toEqual({ result: "deleted" });
+
+    clientSock.end();
+    controller.abort();
+    await servePromise;
+  });
+
+  test("get after delete returns not found", async () => {
+    const { clientSock, servePromise } = await setupCredentialRpc();
+
+    // Set a credential
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-set-4",
+      kind: "request",
+      method: CesRpcMethod.SetCredential,
+      payload: { account: "test-key", value: "secret-value" },
+      timestamp: new Date().toISOString(),
+    });
+    await readMessages(clientSock, 1);
+
+    // Delete it
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-del-2",
+      kind: "request",
+      method: CesRpcMethod.DeleteCredential,
+      payload: { account: "test-key" },
+      timestamp: new Date().toISOString(),
+    });
+    await readMessages(clientSock, 1);
+
+    // Get after delete
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-get-2",
+      kind: "request",
+      method: CesRpcMethod.GetCredential,
+      payload: { account: "test-key" },
+      timestamp: new Date().toISOString(),
+    });
+
+    const getMessages = await readMessages(clientSock, 1);
+    expect(getMessages.length).toBe(1);
+    const getResp = getMessages[0] as RpcEnvelope & { type: "rpc" };
+    expect(getResp.id).toBe("cred-get-2");
+    expect(getResp.kind).toBe("response");
+    expect(getResp.method).toBe(CesRpcMethod.GetCredential);
+    const getPayload = getResp.payload as GetCredentialResponse;
+    expect(getPayload).toEqual({ found: false });
+
+    clientSock.end();
+    controller.abort();
+    await servePromise;
+  });
+
+  test("delete non-existent credential returns not-found", async () => {
+    const { clientSock, servePromise } = await setupCredentialRpc();
+
+    // Set a credential first to initialize the store file on disk.
+    // Without a store file, delete returns "error" (no store) rather
+    // than "not-found" (store exists, key absent).
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-set-init",
+      kind: "request",
+      method: CesRpcMethod.SetCredential,
+      payload: { account: "init-key", value: "init-value" },
+      timestamp: new Date().toISOString(),
+    });
+    await readMessages(clientSock, 1);
+
+    // Delete a credential that was never set
+    sendMessage(clientSock, {
+      type: "rpc",
+      id: "cred-del-3",
+      kind: "request",
+      method: CesRpcMethod.DeleteCredential,
+      payload: { account: "nonexistent" },
+      timestamp: new Date().toISOString(),
+    });
+
+    const delMessages = await readMessages(clientSock, 1);
+    expect(delMessages.length).toBe(1);
+    const delResp = delMessages[0] as RpcEnvelope & { type: "rpc" };
+    expect(delResp.id).toBe("cred-del-3");
+    expect(delResp.kind).toBe("response");
+    expect(delResp.method).toBe(CesRpcMethod.DeleteCredential);
+    const delPayload = delResp.payload as DeleteCredentialResponse;
+    expect(delPayload).toEqual({ result: "not-found" });
+
+    clientSock.end();
+    controller.abort();
+    await servePromise;
+  });
+});

package/src/managed-main.ts

@@ -57,6 +57,7 @@ import { materializeManagedToken } from "./materializers/managed-platform.js";
 import { HandleType, parseHandle } from "@vellumai/ces-contracts";
 import { buildLazyGetters, type ApiKeyRef } from "./managed-lazy-getters.js";
 import { MANAGED_LOCAL_STATIC_REJECTION_ERROR } from "./managed-errors.js";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
 import { createLocalSecureKeyBackend } from "./materializers/local-secure-key-backend.js";
 import { handleCredentialRoute, type CredentialRouteDeps } from "./http/credential-routes.js";
 
@@ -90,7 +91,7 @@ function ensureDataDirs(): void {
 // Build RPC handler registry (managed mode)
 // ---------------------------------------------------------------------------
 
-function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef): RpcHandlerRegistry {
+function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef, secureKeyBackend: SecureKeyBackend): RpcHandlerRegistry {
   // -- Grant stores ----------------------------------------------------------
   const persistentGrantStore = new PersistentGrantStore(
     getCesGrantsDir("managed"),
@@ -129,10 +130,9 @@ function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef): RpcHan
   }
 
   // -- Workspace root for command execution cwd ------------------------------
-  // Prefer WORKSPACE_DIR when set (new Docker layout mounts workspace at
-  // /workspace). Fall back to the legacy path derived from the assistant
-  // data mount for backwards compatibility.
-  const defaultWorkspaceDir = process.env["WORKSPACE_DIR"] ?? (() => {
+  // Use VELLUM_WORKSPACE_DIR when set, otherwise fall back to the legacy
+  // path derived from the assistant data mount.
+  const defaultWorkspaceDir = process.env["VELLUM_WORKSPACE_DIR"] ?? (() => {
     const assistantDataMount =
       process.env["CES_ASSISTANT_DATA_MOUNT"] ?? "/assistant-data-ro";
     return join(join(assistantDataMount, ".vellum"), "workspace");
@@ -322,6 +322,27 @@ function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef): RpcHan
     auditStore,
   }) as typeof handlers[string];
 
+  // Register credential CRUD handlers
+  handlers[CesRpcMethod.GetCredential] = (async (req: { account: string }) => {
+    const value = await secureKeyBackend.get(req.account);
+    return { found: value !== undefined, value };
+  }) as typeof handlers[string];
+
+  handlers[CesRpcMethod.SetCredential] = (async (req: { account: string; value: string }) => {
+    const ok = await secureKeyBackend.set(req.account, req.value);
+    return { ok };
+  }) as typeof handlers[string];
+
+  handlers[CesRpcMethod.DeleteCredential] = (async (req: { account: string }) => {
+    const result = await secureKeyBackend.delete(req.account);
+    return { result };
+  }) as typeof handlers[string];
+
+  handlers[CesRpcMethod.ListCredentials] = (async () => {
+    const accounts = await secureKeyBackend.list();
+    return { accounts };
+  }) as typeof handlers[string];
+
   return handlers;
 }
 
@@ -498,6 +519,14 @@ async function main(): Promise<void> {
   process.on("SIGTERM", shutdown);
   process.on("SIGINT", shutdown);
 
+  // Create the secure key backend unconditionally — it's needed by both
+  // HTTP credential routes (when CES_SERVICE_TOKEN is set) and RPC
+  // credential CRUD handlers (always available).
+  const assistantDataMount =
+    process.env["CES_ASSISTANT_DATA_MOUNT"] ?? "/assistant-data-ro";
+  const vellumRoot = join(assistantDataMount, ".vellum");
+  const secureKeyBackend = createLocalSecureKeyBackend(vellumRoot);
+
   // Set up credential CRUD routes if a service token is configured.
   // The assistant and gateway use CES_SERVICE_TOKEN to authenticate
   // credential management requests over HTTP.
@@ -505,11 +534,7 @@ async function main(): Promise<void> {
   let credentialDeps: CredentialRouteDeps | null = null;
 
   if (serviceToken) {
-    const assistantDataMount =
-      process.env["CES_ASSISTANT_DATA_MOUNT"] ?? "/assistant-data-ro";
-    const vellumRoot = join(assistantDataMount, ".vellum");
-    const backend = createLocalSecureKeyBackend(vellumRoot);
-    credentialDeps = { backend, serviceToken };
+    credentialDeps = { backend: secureKeyBackend, serviceToken };
     log("Credential CRUD routes enabled (CES_SERVICE_TOKEN configured)");
   } else {
     warn(
@@ -545,7 +570,7 @@ async function main(): Promise<void> {
   // are available to handlers at call time (after the handshake completes).
   const sessionIdRef: SessionIdRef = { current: `ces-managed-${Date.now()}` };
   const apiKeyRef: ApiKeyRef = { current: "" };
-  const handlers = buildHandlers(sessionIdRef, apiKeyRef);
+  const handlers = buildHandlers(sessionIdRef, apiKeyRef, secureKeyBackend);
 
   const server = new CesRpcServer({
     input: connection.readable,