@vellumai/credential-executor 0.6.1 → 0.6.3

package/bun.lock

@@ -8,12 +8,12 @@
         "@vellumai/ces-contracts": "file:../packages/ces-contracts",
         "@vellumai/credential-storage": "file:../packages/credential-storage",
         "@vellumai/egress-proxy": "file:../packages/egress-proxy",
-        "pino": "^9.6.0",
-        "pino-pretty": "^13.1.3",
+        "pino": "9.14.0",
+        "pino-pretty": "13.1.3",
       },
       "devDependencies": {
-        "@types/bun": "^1.2.4",
-        "typescript": "^5.7.3",
+        "@types/bun": "1.3.10",
+        "typescript": "5.9.3",
       },
     },
   },

package/node_modules/@vellumai/ces-contracts/src/handles.ts

@@ -146,14 +146,12 @@ export function parseHandle(raw: string): ParseHandleResult {
     }
 
     case HandleType.LocalOAuth: {
-      // providerKey is typically a bare name (e.g. "google"), but legacy handles
-      // may contain a colon (e.g. "integration:google"), so we split on the
-      // *last* "/" to separate providerKey from connectionId.
-      const lastSlashIdx = rest.lastIndexOf("/");
+      // Split providerKey from connectionId.
+      const slashIdx = rest.indexOf("/");
       if (
-        lastSlashIdx === -1 ||
-        lastSlashIdx === 0 ||
-        lastSlashIdx === rest.length - 1
+        slashIdx === -1 ||
+        slashIdx === 0 ||
+        slashIdx === rest.length - 1
       ) {
         return {
           ok: false,
@@ -164,8 +162,8 @@ export function parseHandle(raw: string): ParseHandleResult {
         ok: true,
         handle: {
           type: HandleType.LocalOAuth,
-          providerKey: rest.slice(0, lastSlashIdx),
-          connectionId: rest.slice(lastSlashIdx + 1),
+          providerKey: rest.slice(0, slashIdx),
+          connectionId: rest.slice(slashIdx + 1),
           raw,
         },
       };

package/node_modules/@vellumai/ces-contracts/src/rpc.ts

@@ -65,6 +65,8 @@ export const CesRpcMethod = {
   DeleteCredential: "delete_credential",
   /** List all credential account names. */
   ListCredentials: "list_credentials",
+  /** Bulk-import credentials (set multiple at once). */
+  BulkSetCredentials: "bulk_set_credentials",
 } as const;
 
 export type CesRpcMethod =
@@ -513,6 +515,38 @@ export type ListCredentialsResponse = z.infer<
   typeof ListCredentialsResponseSchema
 >;
 
+// ---------------------------------------------------------------------------
+// bulk_set_credentials
+// ---------------------------------------------------------------------------
+
+export const BulkSetCredentialsSchema = z.object({
+  /** Array of credentials to set in bulk. */
+  credentials: z.array(
+    z.object({
+      /** The account name to store the credential under. */
+      account: z.string(),
+      /** The credential value to store. */
+      value: z.string(),
+    }),
+  ),
+});
+export type BulkSetCredentials = z.infer<typeof BulkSetCredentialsSchema>;
+
+export const BulkSetCredentialsResponseSchema = z.object({
+  /** Per-credential results indicating success or failure. */
+  results: z.array(
+    z.object({
+      /** The account name that was set. */
+      account: z.string(),
+      /** Whether the credential was successfully stored. */
+      ok: z.boolean(),
+    }),
+  ),
+});
+export type BulkSetCredentialsResponse = z.infer<
+  typeof BulkSetCredentialsResponseSchema
+>;
+
 // ---------------------------------------------------------------------------
 // Full RPC contract type map
 // ---------------------------------------------------------------------------
@@ -574,6 +608,10 @@ export interface CesRpcContract {
     request: ListCredentials;
     response: ListCredentialsResponse;
   };
+  [CesRpcMethod.BulkSetCredentials]: {
+    request: BulkSetCredentials;
+    response: BulkSetCredentialsResponse;
+  };
 }
 
 /**
@@ -632,4 +670,8 @@ export const CesRpcSchemas = {
     request: ListCredentialsSchema,
     response: ListCredentialsResponseSchema,
   },
+  [CesRpcMethod.BulkSetCredentials]: {
+    request: BulkSetCredentialsSchema,
+    response: BulkSetCredentialsResponseSchema,
+  },
 } as const;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/credential-executor",
-  "version": "0.6.1",
+  "version": "0.6.3",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -21,8 +21,8 @@
     "@vellumai/ces-contracts": "file:../packages/ces-contracts",
     "@vellumai/credential-storage": "file:../packages/credential-storage",
     "@vellumai/egress-proxy": "file:../packages/egress-proxy",
-    "pino": "^9.6.0",
-    "pino-pretty": "^13.1.3"
+    "pino": "9.14.0",
+    "pino-pretty": "13.1.3"
   },
   "bundledDependencies": [
     "@vellumai/ces-contracts",
@@ -30,7 +30,7 @@
     "@vellumai/egress-proxy"
   ],
   "devDependencies": {
-    "@types/bun": "^1.2.4",
-    "typescript": "^5.7.3"
+    "@types/bun": "1.3.10",
+    "typescript": "5.9.3"
   }
 }

package/src/__tests__/bulk-set-credentials.test.ts

@@ -0,0 +1,130 @@
+/**
+ * Tests for the BulkSetCredentials RPC handler.
+ *
+ * Validates that the handler stores each credential independently and
+ * returns per-credential success/failure status.
+ */
+
+import { describe, expect, test } from "bun:test";
+
+import { CesRpcMethod } from "@vellumai/ces-contracts";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a minimal BulkSetCredentials handler using the same logic as
+ * main.ts / managed-main.ts, backed by the given SecureKeyBackend.
+ */
+function buildBulkSetHandler(secureKeyBackend: SecureKeyBackend) {
+  return async (req: { credentials: Array<{ account: string; value: string }> }) => {
+    const results = [];
+    for (const { account, value } of req.credentials) {
+      const ok = await secureKeyBackend.set(account, value);
+      results.push({ account, ok });
+    }
+    return { results };
+  };
+}
+
+/**
+ * Create an in-memory SecureKeyBackend for testing.
+ * Optionally accepts a set of accounts that should fail on set().
+ */
+function createMockBackend(failingAccounts: Set<string> = new Set()): SecureKeyBackend & { store: Map<string, string> } {
+  const store = new Map<string, string>();
+  return {
+    store,
+    async get(key: string) {
+      return store.get(key);
+    },
+    async set(key: string, value: string) {
+      if (failingAccounts.has(key)) {
+        return false;
+      }
+      store.set(key, value);
+      return true;
+    },
+    async delete(key: string) {
+      if (store.has(key)) {
+        store.delete(key);
+        return "deleted";
+      }
+      return "not-found";
+    },
+    async list() {
+      return Array.from(store.keys());
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("BulkSetCredentials handler", () => {
+  test("stores multiple credentials and returns ok: true for each", async () => {
+    const backend = createMockBackend();
+    const handler = buildBulkSetHandler(backend);
+
+    const result = await handler({
+      credentials: [
+        { account: "acct-1", value: "secret-1" },
+        { account: "acct-2", value: "secret-2" },
+        { account: "acct-3", value: "secret-3" },
+      ],
+    });
+
+    expect(result.results).toEqual([
+      { account: "acct-1", ok: true },
+      { account: "acct-2", ok: true },
+      { account: "acct-3", ok: true },
+    ]);
+
+    // Verify all credentials were actually stored
+    expect(await backend.get("acct-1")).toBe("secret-1");
+    expect(await backend.get("acct-2")).toBe("secret-2");
+    expect(await backend.get("acct-3")).toBe("secret-3");
+  });
+
+  test("partial failure returns mixed results without aborting the rest", async () => {
+    const failingAccounts = new Set(["acct-2"]);
+    const backend = createMockBackend(failingAccounts);
+    const handler = buildBulkSetHandler(backend);
+
+    const result = await handler({
+      credentials: [
+        { account: "acct-1", value: "secret-1" },
+        { account: "acct-2", value: "secret-2" },
+        { account: "acct-3", value: "secret-3" },
+      ],
+    });
+
+    expect(result.results).toEqual([
+      { account: "acct-1", ok: true },
+      { account: "acct-2", ok: false },
+      { account: "acct-3", ok: true },
+    ]);
+
+    // acct-1 and acct-3 should be stored; acct-2 should not
+    expect(await backend.get("acct-1")).toBe("secret-1");
+    expect(await backend.get("acct-2")).toBeUndefined();
+    expect(await backend.get("acct-3")).toBe("secret-3");
+  });
+
+  test("empty credentials array returns empty results array", async () => {
+    const backend = createMockBackend();
+    const handler = buildBulkSetHandler(backend);
+
+    const result = await handler({ credentials: [] });
+
+    expect(result.results).toEqual([]);
+  });
+
+  test("handler is registered under the correct RPC method key", () => {
+    // Verify the enum value matches what we register against
+    expect(CesRpcMethod.BulkSetCredentials).toBe("bulk_set_credentials");
+  });
+});

package/src/http/__tests__/credential-routes-bulk.test.ts

@@ -0,0 +1,250 @@
+/**
+ * Tests for the POST /v1/credentials/bulk endpoint.
+ *
+ * Verifies:
+ * - Successful bulk set with multiple credentials
+ * - Validation failure (missing fields, non-array body)
+ * - Auth requirement (401 without token)
+ */
+
+import { describe, it, expect } from "bun:test";
+
+import { handleCredentialRoute } from "../credential-routes.js";
+import type { CredentialRouteDeps } from "../credential-routes.js";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const SERVICE_TOKEN = "test-ces-service-token-12345";
+
+function makeDeps(
+  overrides: Partial<SecureKeyBackend> = {},
+): CredentialRouteDeps {
+  const store = new Map<string, string>();
+  const backend: SecureKeyBackend = {
+    get: async (account: string) => store.get(account),
+    set: async (account: string, value: string) => {
+      store.set(account, value);
+      return true;
+    },
+    delete: async (account: string) => {
+      if (!store.has(account)) return "not-found";
+      store.delete(account);
+      return "deleted";
+    },
+    list: async () => [...store.keys()],
+    ...overrides,
+  };
+  return { backend, serviceToken: SERVICE_TOKEN };
+}
+
+function makeRequest(
+  opts: {
+    body?: unknown;
+    token?: string | null;
+    method?: string;
+  } = {},
+): Request {
+  const url = "http://localhost:8090/v1/credentials/bulk";
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+  };
+  if (opts.token !== null) {
+    headers["Authorization"] = `Bearer ${opts.token ?? SERVICE_TOKEN}`;
+  }
+
+  return new Request(url, {
+    method: opts.method ?? "POST",
+    headers,
+    body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("POST /v1/credentials/bulk", () => {
+  it("sets multiple credentials and returns per-credential results", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [
+            { account: "openai", value: "sk-abc" },
+            { account: "anthropic", value: "sk-xyz" },
+          ],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+
+    const body = await res!.json();
+    expect(body.results).toEqual([
+      { account: "openai", ok: true },
+      { account: "anthropic", ok: true },
+    ]);
+
+    // Verify credentials were actually stored
+    expect(await deps.backend.get("openai")).toBe("sk-abc");
+    expect(await deps.backend.get("anthropic")).toBe("sk-xyz");
+  });
+
+  it("reports per-credential failure when backend.set returns false", async () => {
+    let callCount = 0;
+    const deps = makeDeps({
+      set: async () => {
+        callCount++;
+        // Fail on the second call
+        return callCount !== 2;
+      },
+    });
+
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [
+            { account: "a", value: "1" },
+            { account: "b", value: "2" },
+            { account: "c", value: "3" },
+          ],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+
+    const body = await res!.json();
+    expect(body.results).toEqual([
+      { account: "a", ok: true },
+      { account: "b", ok: false },
+      { account: "c", ok: true },
+    ]);
+  });
+
+  it("returns 400 when credentials field is not an array", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ body: { credentials: "not-an-array" } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/credentials.*array/i);
+  });
+
+  it("returns 400 when credentials field is missing", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ body: {} }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/credentials.*array/i);
+  });
+
+  it("returns 400 when an entry is missing account field", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [{ value: "sk-abc" }],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/account.*value/i);
+  });
+
+  it("returns 400 when an entry is missing value field", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [{ account: "openai" }],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/account.*value/i);
+  });
+
+  it("returns 401 without Authorization header", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ token: null, body: { credentials: [] } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(401);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/Missing Authorization/i);
+  });
+
+  it("returns 403 with wrong service token", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ token: "wrong-token", body: { credentials: [] } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(403);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/Invalid service token/i);
+  });
+
+  it("non-POST methods fall through to single-account handler (bulk treated as account name)", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ method: "GET", body: undefined }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    // "bulk" is interpreted as an account name by the :account handler;
+    // no such credential exists, so we get 404.
+    expect(res!.status).toBe(404);
+  });
+
+  it("handles empty credentials array", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ body: { credentials: [] } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+
+    const body = await res!.json();
+    expect(body.results).toEqual([]);
+  });
+});

package/src/http/credential-routes.ts

@@ -7,6 +7,7 @@
  *
  * Endpoints:
  * - `GET  /v1/credentials`           — list credential account names
+ * - `POST /v1/credentials/bulk`      — bulk set credentials
  * - `GET  /v1/credentials/:account`  — get a credential value
  * - `POST /v1/credentials/:account`  — set a credential value
  * - `DELETE /v1/credentials/:account` — delete a credential
@@ -96,6 +97,55 @@ export async function handleCredentialRoute(
   // Extract account from path: /v1/credentials/:account
   const accountSegment = pathname.slice(CREDENTIAL_PATH_PREFIX.length);
 
+  // POST /v1/credentials/bulk — bulk set credentials
+  // Only intercept POST; other methods (GET, DELETE) fall through to the
+  // :account handler so a credential literally named "bulk" stays accessible.
+  if (accountSegment === "/bulk" && req.method === "POST") {
+    let body: { credentials?: unknown };
+    try {
+      body = await req.json();
+    } catch {
+      return new Response(
+        JSON.stringify({ error: "Invalid JSON body" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    if (!Array.isArray(body.credentials)) {
+      return new Response(
+        JSON.stringify({ error: "Body must contain a 'credentials' array field" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    for (const entry of body.credentials) {
+      if (
+        typeof entry !== "object" ||
+        entry === null ||
+        typeof entry.account !== "string" ||
+        typeof entry.value !== "string"
+      ) {
+        return new Response(
+          JSON.stringify({
+            error: "Each credential entry must have string 'account' and 'value' fields",
+          }),
+          { status: 400, headers: { "Content-Type": "application/json" } },
+        );
+      }
+    }
+
+    const results: Array<{ account: string; ok: boolean }> = [];
+    for (const entry of body.credentials as Array<{ account: string; value: string }>) {
+      const ok = await backend.set(entry.account, entry.value);
+      results.push({ account: entry.account, ok: !!ok });
+    }
+
+    return new Response(
+      JSON.stringify({ results }),
+      { status: 200, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
   // GET /v1/credentials — list all credential account names
   if (accountSegment === "" || accountSegment === "/") {
     if (req.method !== "GET") {

package/src/main.ts

@@ -284,6 +284,15 @@ function buildHandlers(sessionIdRef: SessionIdRef): RpcHandlerRegistry {
     return { accounts };
   }) as typeof handlers[string];
 
+  handlers[CesRpcMethod.BulkSetCredentials] = (async (req: { credentials: Array<{ account: string; value: string }> }) => {
+    const results = [];
+    for (const { account, value } of req.credentials) {
+      const ok = await secureKeyBackend.set(account, value);
+      results.push({ account, ok });
+    }
+    return { results };
+  }) as typeof handlers[string];
+
   return handlers;
 }
 

package/src/managed-main.ts

@@ -344,6 +344,15 @@ function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef, assista
     return { accounts };
   }) as typeof handlers[string];
 
+  handlers[CesRpcMethod.BulkSetCredentials] = (async (req: { credentials: Array<{ account: string; value: string }> }) => {
+    const results = [];
+    for (const { account, value } of req.credentials) {
+      const ok = await secureKeyBackend.set(account, value);
+      results.push({ account, ok });
+    }
+    return { results };
+  }) as typeof handlers[string];
+
   return handlers;
 }