@vellumai/credential-executor 0.6.2 → 0.6.4

package/bun.lock

@@ -8,12 +8,12 @@
         "@vellumai/ces-contracts": "file:../packages/ces-contracts",
         "@vellumai/credential-storage": "file:../packages/credential-storage",
         "@vellumai/egress-proxy": "file:../packages/egress-proxy",
-        "pino": "^9.6.0",
-        "pino-pretty": "^13.1.3",
+        "pino": "9.14.0",
+        "pino-pretty": "13.1.3",
       },
       "devDependencies": {
-        "@types/bun": "^1.2.4",
-        "typescript": "^5.7.3",
+        "@types/bun": "1.3.10",
+        "typescript": "5.9.3",
       },
     },
   },

package/node_modules/@vellumai/ces-contracts/bun.lock

@@ -5,22 +5,24 @@
     "": {
       "name": "@vellumai/ces-contracts",
       "dependencies": {
-        "zod": "^4.3.6",
+        "zod": "4.3.6",
       },
       "devDependencies": {
-        "@types/bun": "^1.2.4",
-        "typescript": "^5.7.3",
+        "@types/bun": "1.2.4",
+        "typescript": "5.7.3",
       },
     },
   },
   "packages": {
-    "@types/bun": ["@types/bun@1.3.10", "", { "dependencies": { "bun-types": "1.3.10" } }, "sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ=="],
+    "@types/bun": ["@types/bun@1.2.4", "", { "dependencies": { "bun-types": "1.2.4" } }, "sha512-QtuV5OMR8/rdKJs213iwXDpfVvnskPXY/S0ZiFbsTjQZycuqPbMW8Gf/XhLfwE5njW8sxI2WjISURXPlHypMFA=="],
 
     "@types/node": ["@types/node@25.5.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw=="],
 
-    "bun-types": ["bun-types@1.3.10", "", { "dependencies": { "@types/node": "*" } }, "sha512-tcpfCCl6XWo6nCVnpcVrxQ+9AYN1iqMIzgrSKYMB/fjLtV2eyAVEg7AxQJuCq/26R6HpKWykQXuSOq/21RYcbg=="],
+    "@types/ws": ["@types/ws@8.5.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-bd/YFLW+URhBzMXurx7lWByOu+xzU9+kb3RboOteXYDfW+tr+JZa99OyNmPINEGB/ahzKrEuc8rcv4gnpJmxTw=="],
 
-    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+    "bun-types": ["bun-types@1.2.4", "", { "dependencies": { "@types/node": "*", "@types/ws": "~8.5.10" } }, "sha512-nDPymR207ZZEoWD4AavvEaa/KZe/qlrbMSchqpQwovPZCKc7pwMoENjEtHgMKaAjJhy+x6vfqSBA1QU3bJgs0Q=="],
+
+    "typescript": ["typescript@5.7.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw=="],
 
     "undici-types": ["undici-types@7.18.2", "", {}, "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w=="],
 

package/node_modules/@vellumai/ces-contracts/package.json

@@ -16,10 +16,10 @@
     "test": "bun test src/"
   },
   "dependencies": {
-    "zod": "^4.3.6"
+    "zod": "4.3.6"
   },
   "devDependencies": {
-    "@types/bun": "^1.2.4",
-    "typescript": "^5.7.3"
+    "@types/bun": "1.2.4",
+    "typescript": "5.7.3"
   }
 }

package/node_modules/@vellumai/ces-contracts/src/rpc.ts

@@ -65,6 +65,8 @@ export const CesRpcMethod = {
   DeleteCredential: "delete_credential",
   /** List all credential account names. */
   ListCredentials: "list_credentials",
+  /** Bulk-import credentials (set multiple at once). */
+  BulkSetCredentials: "bulk_set_credentials",
 } as const;
 
 export type CesRpcMethod =
@@ -513,6 +515,38 @@ export type ListCredentialsResponse = z.infer<
   typeof ListCredentialsResponseSchema
 >;
 
+// ---------------------------------------------------------------------------
+// bulk_set_credentials
+// ---------------------------------------------------------------------------
+
+export const BulkSetCredentialsSchema = z.object({
+  /** Array of credentials to set in bulk. */
+  credentials: z.array(
+    z.object({
+      /** The account name to store the credential under. */
+      account: z.string(),
+      /** The credential value to store. */
+      value: z.string(),
+    }),
+  ),
+});
+export type BulkSetCredentials = z.infer<typeof BulkSetCredentialsSchema>;
+
+export const BulkSetCredentialsResponseSchema = z.object({
+  /** Per-credential results indicating success or failure. */
+  results: z.array(
+    z.object({
+      /** The account name that was set. */
+      account: z.string(),
+      /** Whether the credential was successfully stored. */
+      ok: z.boolean(),
+    }),
+  ),
+});
+export type BulkSetCredentialsResponse = z.infer<
+  typeof BulkSetCredentialsResponseSchema
+>;
+
 // ---------------------------------------------------------------------------
 // Full RPC contract type map
 // ---------------------------------------------------------------------------
@@ -574,6 +608,10 @@ export interface CesRpcContract {
     request: ListCredentials;
     response: ListCredentialsResponse;
   };
+  [CesRpcMethod.BulkSetCredentials]: {
+    request: BulkSetCredentials;
+    response: BulkSetCredentialsResponse;
+  };
 }
 
 /**
@@ -632,4 +670,8 @@ export const CesRpcSchemas = {
     request: ListCredentialsSchema,
     response: ListCredentialsResponseSchema,
   },
+  [CesRpcMethod.BulkSetCredentials]: {
+    request: BulkSetCredentialsSchema,
+    response: BulkSetCredentialsResponseSchema,
+  },
 } as const;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/credential-executor",
-  "version": "0.6.2",
+  "version": "0.6.4",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -21,8 +21,8 @@
     "@vellumai/ces-contracts": "file:../packages/ces-contracts",
     "@vellumai/credential-storage": "file:../packages/credential-storage",
     "@vellumai/egress-proxy": "file:../packages/egress-proxy",
-    "pino": "^9.6.0",
-    "pino-pretty": "^13.1.3"
+    "pino": "9.14.0",
+    "pino-pretty": "13.1.3"
   },
   "bundledDependencies": [
     "@vellumai/ces-contracts",
@@ -30,7 +30,7 @@
     "@vellumai/egress-proxy"
   ],
   "devDependencies": {
-    "@types/bun": "^1.2.4",
-    "typescript": "^5.7.3"
+    "@types/bun": "1.3.10",
+    "typescript": "5.9.3"
   }
 }

package/src/__tests__/bulk-set-credentials.test.ts

@@ -0,0 +1,130 @@
+/**
+ * Tests for the BulkSetCredentials RPC handler.
+ *
+ * Validates that the handler stores each credential independently and
+ * returns per-credential success/failure status.
+ */
+
+import { describe, expect, test } from "bun:test";
+
+import { CesRpcMethod } from "@vellumai/ces-contracts";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a minimal BulkSetCredentials handler using the same logic as
+ * main.ts / managed-main.ts, backed by the given SecureKeyBackend.
+ */
+function buildBulkSetHandler(secureKeyBackend: SecureKeyBackend) {
+  return async (req: { credentials: Array<{ account: string; value: string }> }) => {
+    const results = [];
+    for (const { account, value } of req.credentials) {
+      const ok = await secureKeyBackend.set(account, value);
+      results.push({ account, ok });
+    }
+    return { results };
+  };
+}
+
+/**
+ * Create an in-memory SecureKeyBackend for testing.
+ * Optionally accepts a set of accounts that should fail on set().
+ */
+function createMockBackend(failingAccounts: Set<string> = new Set()): SecureKeyBackend & { store: Map<string, string> } {
+  const store = new Map<string, string>();
+  return {
+    store,
+    async get(key: string) {
+      return store.get(key);
+    },
+    async set(key: string, value: string) {
+      if (failingAccounts.has(key)) {
+        return false;
+      }
+      store.set(key, value);
+      return true;
+    },
+    async delete(key: string) {
+      if (store.has(key)) {
+        store.delete(key);
+        return "deleted";
+      }
+      return "not-found";
+    },
+    async list() {
+      return Array.from(store.keys());
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("BulkSetCredentials handler", () => {
+  test("stores multiple credentials and returns ok: true for each", async () => {
+    const backend = createMockBackend();
+    const handler = buildBulkSetHandler(backend);
+
+    const result = await handler({
+      credentials: [
+        { account: "acct-1", value: "secret-1" },
+        { account: "acct-2", value: "secret-2" },
+        { account: "acct-3", value: "secret-3" },
+      ],
+    });
+
+    expect(result.results).toEqual([
+      { account: "acct-1", ok: true },
+      { account: "acct-2", ok: true },
+      { account: "acct-3", ok: true },
+    ]);
+
+    // Verify all credentials were actually stored
+    expect(await backend.get("acct-1")).toBe("secret-1");
+    expect(await backend.get("acct-2")).toBe("secret-2");
+    expect(await backend.get("acct-3")).toBe("secret-3");
+  });
+
+  test("partial failure returns mixed results without aborting the rest", async () => {
+    const failingAccounts = new Set(["acct-2"]);
+    const backend = createMockBackend(failingAccounts);
+    const handler = buildBulkSetHandler(backend);
+
+    const result = await handler({
+      credentials: [
+        { account: "acct-1", value: "secret-1" },
+        { account: "acct-2", value: "secret-2" },
+        { account: "acct-3", value: "secret-3" },
+      ],
+    });
+
+    expect(result.results).toEqual([
+      { account: "acct-1", ok: true },
+      { account: "acct-2", ok: false },
+      { account: "acct-3", ok: true },
+    ]);
+
+    // acct-1 and acct-3 should be stored; acct-2 should not
+    expect(await backend.get("acct-1")).toBe("secret-1");
+    expect(await backend.get("acct-2")).toBeUndefined();
+    expect(await backend.get("acct-3")).toBe("secret-3");
+  });
+
+  test("empty credentials array returns empty results array", async () => {
+    const backend = createMockBackend();
+    const handler = buildBulkSetHandler(backend);
+
+    const result = await handler({ credentials: [] });
+
+    expect(result.results).toEqual([]);
+  });
+
+  test("handler is registered under the correct RPC method key", () => {
+    // Verify the enum value matches what we register against
+    expect(CesRpcMethod.BulkSetCredentials).toBe("bulk_set_credentials");
+  });
+});

package/src/__tests__/local-token-refresh.test.ts

@@ -0,0 +1,334 @@
+/**
+ * Tests for CES local-token-refresh `refresh_url` support.
+ *
+ * Verifies that `createLocalTokenRefreshFn`:
+ * 1. Uses `refresh_url` when it is set on the provider.
+ * 2. Falls back to `token_url` when `refresh_url` is null or empty.
+ * 3. Preserves existing `token_exchange_body_format` and `token_endpoint_auth_method` behaviour.
+ */
+
+import Database from "bun:sqlite";
+import { mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import type {
+  SecureKeyBackend,
+  SecureKeyDeleteResult,
+} from "@vellumai/credential-storage";
+
+import { createLocalTokenRefreshFn } from "../materializers/local-token-refresh.js";
+
+// ---------------------------------------------------------------------------
+// Test helpers
+// ---------------------------------------------------------------------------
+
+function createMemoryBackend(
+  initial: Record<string, string> = {},
+): SecureKeyBackend {
+  const store = new Map<string, string>(Object.entries(initial));
+  return {
+    async get(key: string): Promise<string | undefined> {
+      return store.get(key);
+    },
+    async set(key: string, value: string): Promise<boolean> {
+      store.set(key, value);
+      return true;
+    },
+    async delete(key: string): Promise<SecureKeyDeleteResult> {
+      if (store.has(key)) {
+        store.delete(key);
+        return "deleted";
+      }
+      return "not-found";
+    },
+    async list(): Promise<string[]> {
+      return Array.from(store.keys());
+    },
+  };
+}
+
+/** Unique temp root for each test run. */
+let tmpRoot: string;
+
+function setupTestDb(opts: {
+  providerKey?: string;
+  tokenUrl?: string;
+  refreshUrl?: string | null;
+  tokenEndpointAuthMethod?: string | null;
+  tokenExchangeBodyFormat?: string | null;
+}): string {
+  const providerKey = opts.providerKey ?? "test-provider";
+  const tokenUrl = opts.tokenUrl ?? "https://provider.example.com/token";
+  const refreshUrl = opts.refreshUrl ?? null;
+  const authMethod = opts.tokenEndpointAuthMethod ?? "client_secret_post";
+  const bodyFormat = opts.tokenExchangeBodyFormat ?? "form";
+
+  tmpRoot = join(
+    "/tmp",
+    `ces-token-refresh-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+  );
+  const dbDir = join(tmpRoot, "workspace", "data", "db");
+  mkdirSync(dbDir, { recursive: true });
+
+  const dbPath = join(dbDir, "assistant.db");
+  const db = new Database(dbPath);
+
+  // Create minimal schema matching the assistant's tables
+  db.exec(/*sql*/ `
+    CREATE TABLE oauth_providers (
+      provider_key TEXT PRIMARY KEY,
+      auth_url TEXT NOT NULL,
+      token_url TEXT NOT NULL,
+      refresh_url TEXT,
+      token_endpoint_auth_method TEXT,
+      token_exchange_body_format TEXT,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  db.exec(/*sql*/ `
+    CREATE TABLE oauth_apps (
+      id TEXT PRIMARY KEY,
+      provider_key TEXT NOT NULL REFERENCES oauth_providers(provider_key),
+      client_id TEXT NOT NULL,
+      client_secret_credential_path TEXT NOT NULL,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  db.exec(/*sql*/ `
+    CREATE TABLE oauth_connections (
+      id TEXT PRIMARY KEY,
+      oauth_app_id TEXT NOT NULL REFERENCES oauth_apps(id),
+      provider_key TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'active',
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  const now = Date.now();
+
+  db.exec(/*sql*/ `
+    INSERT INTO oauth_providers (provider_key, auth_url, token_url, refresh_url, token_endpoint_auth_method, token_exchange_body_format, created_at, updated_at)
+    VALUES ('${providerKey}', 'https://provider.example.com/authorize', '${tokenUrl}', ${refreshUrl === null ? "NULL" : `'${refreshUrl}'`}, ${authMethod === null ? "NULL" : `'${authMethod}'`}, ${bodyFormat === null ? "NULL" : `'${bodyFormat}'`}, ${now}, ${now})
+  `);
+
+  db.exec(/*sql*/ `
+    INSERT INTO oauth_apps (id, provider_key, client_id, client_secret_credential_path, created_at, updated_at)
+    VALUES ('app-1', '${providerKey}', 'test-client-id', 'oauth_app/app-1/client_secret', ${now}, ${now})
+  `);
+
+  db.exec(/*sql*/ `
+    INSERT INTO oauth_connections (id, oauth_app_id, provider_key, status, created_at, updated_at)
+    VALUES ('conn-1', 'app-1', '${providerKey}', 'active', ${now}, ${now})
+  `);
+
+  db.close();
+  return tmpRoot;
+}
+
+// ---------------------------------------------------------------------------
+// Mock fetch
+// ---------------------------------------------------------------------------
+
+const originalFetch = globalThis.fetch;
+
+function mockFetch(capturedUrls: string[]): void {
+  globalThis.fetch = mock(async (input: string | URL | Request) => {
+    const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+    capturedUrls.push(url);
+    return new Response(
+      JSON.stringify({
+        access_token: "new-access-token",
+        refresh_token: "new-refresh-token",
+        expires_in: 3600,
+      }),
+      { status: 200, headers: { "Content-Type": "application/json" } },
+    );
+  }) as unknown as typeof globalThis.fetch;
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("createLocalTokenRefreshFn – refresh_url support", () => {
+  const capturedUrls: string[] = [];
+
+  beforeEach(() => {
+    capturedUrls.length = 0;
+    mockFetch(capturedUrls);
+  });
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+    if (tmpRoot) {
+      rmSync(tmpRoot, { recursive: true, force: true });
+    }
+  });
+
+  test("uses refresh_url when set on the provider", async () => {
+    const root = setupTestDb({
+      tokenUrl: "https://provider.example.com/token",
+      refreshUrl: "https://provider.example.com/refresh",
+    });
+
+    const backend = createMemoryBackend({
+      "oauth_app/app-1/client_secret": "test-secret",
+    });
+
+    const refreshFn = createLocalTokenRefreshFn(root, backend);
+    const result = await refreshFn("conn-1", "old-refresh-token");
+
+    expect(result.success).toBe(true);
+    expect(capturedUrls).toHaveLength(1);
+    expect(capturedUrls[0]).toBe("https://provider.example.com/refresh");
+  });
+
+  test("falls back to token_url when refresh_url is null", async () => {
+    const root = setupTestDb({
+      tokenUrl: "https://provider.example.com/token",
+      refreshUrl: null,
+    });
+
+    const backend = createMemoryBackend({
+      "oauth_app/app-1/client_secret": "test-secret",
+    });
+
+    const refreshFn = createLocalTokenRefreshFn(root, backend);
+    const result = await refreshFn("conn-1", "old-refresh-token");
+
+    expect(result.success).toBe(true);
+    expect(capturedUrls).toHaveLength(1);
+    expect(capturedUrls[0]).toBe("https://provider.example.com/token");
+  });
+
+  test("falls back to token_url when refresh_url is an empty string", async () => {
+    const root = setupTestDb({
+      tokenUrl: "https://provider.example.com/token",
+      refreshUrl: "",
+    });
+
+    const backend = createMemoryBackend({
+      "oauth_app/app-1/client_secret": "test-secret",
+    });
+
+    const refreshFn = createLocalTokenRefreshFn(root, backend);
+    const result = await refreshFn("conn-1", "old-refresh-token");
+
+    expect(result.success).toBe(true);
+    expect(capturedUrls).toHaveLength(1);
+    expect(capturedUrls[0]).toBe("https://provider.example.com/token");
+  });
+
+  test("preserves token_endpoint_auth_method=client_secret_basic behaviour", async () => {
+    const root = setupTestDb({
+      refreshUrl: "https://provider.example.com/refresh",
+      tokenEndpointAuthMethod: "client_secret_basic",
+    });
+
+    const backend = createMemoryBackend({
+      "oauth_app/app-1/client_secret": "test-secret",
+    });
+
+    // Capture the fetch call to verify Authorization header
+    const capturedHeaders: Record<string, string>[] = [];
+    globalThis.fetch = mock(async (input: string | URL | Request, init?: RequestInit) => {
+      const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+      capturedUrls.push(url);
+      if (init?.headers) {
+        capturedHeaders.push(init.headers as Record<string, string>);
+      }
+      return new Response(
+        JSON.stringify({
+          access_token: "new-access-token",
+          refresh_token: "new-refresh-token",
+          expires_in: 3600,
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    }) as unknown as typeof globalThis.fetch;
+
+    const refreshFn = createLocalTokenRefreshFn(root, backend);
+    const result = await refreshFn("conn-1", "old-refresh-token");
+
+    expect(result.success).toBe(true);
+    expect(capturedUrls).toHaveLength(1);
+    expect(capturedUrls[0]).toBe("https://provider.example.com/refresh");
+
+    // Verify Basic auth header was sent
+    expect(capturedHeaders).toHaveLength(1);
+    const expectedCredentials = Buffer.from("test-client-id:test-secret").toString("base64");
+    expect(capturedHeaders[0]["Authorization"]).toBe(`Basic ${expectedCredentials}`);
+  });
+
+  test("preserves token_exchange_body_format=json behaviour", async () => {
+    const root = setupTestDb({
+      refreshUrl: "https://provider.example.com/refresh",
+      tokenExchangeBodyFormat: "json",
+    });
+
+    const backend = createMemoryBackend({
+      "oauth_app/app-1/client_secret": "test-secret",
+    });
+
+    const capturedContentTypes: string[] = [];
+    const capturedBodies: string[] = [];
+    globalThis.fetch = mock(async (input: string | URL | Request, init?: RequestInit) => {
+      const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+      capturedUrls.push(url);
+      if (init?.headers) {
+        const headers = init.headers as Record<string, string>;
+        capturedContentTypes.push(headers["Content-Type"] ?? "");
+      }
+      if (init?.body) {
+        capturedBodies.push(typeof init.body === "string" ? init.body : String(init.body));
+      }
+      return new Response(
+        JSON.stringify({
+          access_token: "new-access-token",
+          refresh_token: "new-refresh-token",
+          expires_in: 3600,
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    }) as unknown as typeof globalThis.fetch;
+
+    const refreshFn = createLocalTokenRefreshFn(root, backend);
+    const result = await refreshFn("conn-1", "old-refresh-token");
+
+    expect(result.success).toBe(true);
+    expect(capturedContentTypes).toHaveLength(1);
+    expect(capturedContentTypes[0]).toBe("application/json");
+
+    // Verify the body was sent as JSON
+    expect(capturedBodies).toHaveLength(1);
+    const parsed = JSON.parse(capturedBodies[0]);
+    expect(parsed.grant_type).toBe("refresh_token");
+    expect(parsed.refresh_token).toBe("old-refresh-token");
+  });
+
+  test("returns successful token refresh result", async () => {
+    const root = setupTestDb({
+      refreshUrl: "https://provider.example.com/refresh",
+    });
+
+    const backend = createMemoryBackend({
+      "oauth_app/app-1/client_secret": "test-secret",
+    });
+
+    const refreshFn = createLocalTokenRefreshFn(root, backend);
+    const result = await refreshFn("conn-1", "old-refresh-token");
+
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.accessToken).toBe("new-access-token");
+      expect(result.refreshToken).toBe("new-refresh-token");
+      expect(result.expiresAt).toBeTypeOf("number");
+    }
+  });
+});

package/src/http/__tests__/credential-routes-bulk.test.ts

@@ -0,0 +1,250 @@
+/**
+ * Tests for the POST /v1/credentials/bulk endpoint.
+ *
+ * Verifies:
+ * - Successful bulk set with multiple credentials
+ * - Validation failure (missing fields, non-array body)
+ * - Auth requirement (401 without token)
+ */
+
+import { describe, it, expect } from "bun:test";
+
+import { handleCredentialRoute } from "../credential-routes.js";
+import type { CredentialRouteDeps } from "../credential-routes.js";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const SERVICE_TOKEN = "test-ces-service-token-12345";
+
+function makeDeps(
+  overrides: Partial<SecureKeyBackend> = {},
+): CredentialRouteDeps {
+  const store = new Map<string, string>();
+  const backend: SecureKeyBackend = {
+    get: async (account: string) => store.get(account),
+    set: async (account: string, value: string) => {
+      store.set(account, value);
+      return true;
+    },
+    delete: async (account: string) => {
+      if (!store.has(account)) return "not-found";
+      store.delete(account);
+      return "deleted";
+    },
+    list: async () => [...store.keys()],
+    ...overrides,
+  };
+  return { backend, serviceToken: SERVICE_TOKEN };
+}
+
+function makeRequest(
+  opts: {
+    body?: unknown;
+    token?: string | null;
+    method?: string;
+  } = {},
+): Request {
+  const url = "http://localhost:8090/v1/credentials/bulk";
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+  };
+  if (opts.token !== null) {
+    headers["Authorization"] = `Bearer ${opts.token ?? SERVICE_TOKEN}`;
+  }
+
+  return new Request(url, {
+    method: opts.method ?? "POST",
+    headers,
+    body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("POST /v1/credentials/bulk", () => {
+  it("sets multiple credentials and returns per-credential results", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [
+            { account: "openai", value: "sk-abc" },
+            { account: "anthropic", value: "sk-xyz" },
+          ],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+
+    const body = await res!.json();
+    expect(body.results).toEqual([
+      { account: "openai", ok: true },
+      { account: "anthropic", ok: true },
+    ]);
+
+    // Verify credentials were actually stored
+    expect(await deps.backend.get("openai")).toBe("sk-abc");
+    expect(await deps.backend.get("anthropic")).toBe("sk-xyz");
+  });
+
+  it("reports per-credential failure when backend.set returns false", async () => {
+    let callCount = 0;
+    const deps = makeDeps({
+      set: async () => {
+        callCount++;
+        // Fail on the second call
+        return callCount !== 2;
+      },
+    });
+
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [
+            { account: "a", value: "1" },
+            { account: "b", value: "2" },
+            { account: "c", value: "3" },
+          ],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+
+    const body = await res!.json();
+    expect(body.results).toEqual([
+      { account: "a", ok: true },
+      { account: "b", ok: false },
+      { account: "c", ok: true },
+    ]);
+  });
+
+  it("returns 400 when credentials field is not an array", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ body: { credentials: "not-an-array" } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/credentials.*array/i);
+  });
+
+  it("returns 400 when credentials field is missing", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ body: {} }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/credentials.*array/i);
+  });
+
+  it("returns 400 when an entry is missing account field", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [{ value: "sk-abc" }],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/account.*value/i);
+  });
+
+  it("returns 400 when an entry is missing value field", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({
+        body: {
+          credentials: [{ account: "openai" }],
+        },
+      }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(400);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/account.*value/i);
+  });
+
+  it("returns 401 without Authorization header", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ token: null, body: { credentials: [] } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(401);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/Missing Authorization/i);
+  });
+
+  it("returns 403 with wrong service token", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ token: "wrong-token", body: { credentials: [] } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(403);
+
+    const body = await res!.json();
+    expect(body.error).toMatch(/Invalid service token/i);
+  });
+
+  it("non-POST methods fall through to single-account handler (bulk treated as account name)", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ method: "GET", body: undefined }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    // "bulk" is interpreted as an account name by the :account handler;
+    // no such credential exists, so we get 404.
+    expect(res!.status).toBe(404);
+  });
+
+  it("handles empty credentials array", async () => {
+    const deps = makeDeps();
+    const res = await handleCredentialRoute(
+      makeRequest({ body: { credentials: [] } }),
+      deps,
+    );
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+
+    const body = await res!.json();
+    expect(body.results).toEqual([]);
+  });
+});

package/src/http/credential-routes.ts

@@ -7,6 +7,7 @@
  *
  * Endpoints:
  * - `GET  /v1/credentials`           — list credential account names
+ * - `POST /v1/credentials/bulk`      — bulk set credentials
  * - `GET  /v1/credentials/:account`  — get a credential value
  * - `POST /v1/credentials/:account`  — set a credential value
  * - `DELETE /v1/credentials/:account` — delete a credential
@@ -96,6 +97,55 @@ export async function handleCredentialRoute(
   // Extract account from path: /v1/credentials/:account
   const accountSegment = pathname.slice(CREDENTIAL_PATH_PREFIX.length);
 
+  // POST /v1/credentials/bulk — bulk set credentials
+  // Only intercept POST; other methods (GET, DELETE) fall through to the
+  // :account handler so a credential literally named "bulk" stays accessible.
+  if (accountSegment === "/bulk" && req.method === "POST") {
+    let body: { credentials?: unknown };
+    try {
+      body = await req.json();
+    } catch {
+      return new Response(
+        JSON.stringify({ error: "Invalid JSON body" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    if (!Array.isArray(body.credentials)) {
+      return new Response(
+        JSON.stringify({ error: "Body must contain a 'credentials' array field" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    for (const entry of body.credentials) {
+      if (
+        typeof entry !== "object" ||
+        entry === null ||
+        typeof entry.account !== "string" ||
+        typeof entry.value !== "string"
+      ) {
+        return new Response(
+          JSON.stringify({
+            error: "Each credential entry must have string 'account' and 'value' fields",
+          }),
+          { status: 400, headers: { "Content-Type": "application/json" } },
+        );
+      }
+    }
+
+    const results: Array<{ account: string; ok: boolean }> = [];
+    for (const entry of body.credentials as Array<{ account: string; value: string }>) {
+      const ok = await backend.set(entry.account, entry.value);
+      results.push({ account: entry.account, ok: !!ok });
+    }
+
+    return new Response(
+      JSON.stringify({ results }),
+      { status: 200, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
   // GET /v1/credentials — list all credential account names
   if (accountSegment === "" || accountSegment === "/") {
     if (req.method !== "GET") {

package/src/main.ts

@@ -284,6 +284,15 @@ function buildHandlers(sessionIdRef: SessionIdRef): RpcHandlerRegistry {
     return { accounts };
   }) as typeof handlers[string];
 
+  handlers[CesRpcMethod.BulkSetCredentials] = (async (req: { credentials: Array<{ account: string; value: string }> }) => {
+    const results = [];
+    for (const { account, value } of req.credentials) {
+      const ok = await secureKeyBackend.set(account, value);
+      results.push({ account, ok });
+    }
+    return { results };
+  }) as typeof handlers[string];
+
   return handlers;
 }
 

package/src/managed-main.ts

@@ -344,6 +344,15 @@ function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef, assista
     return { accounts };
   }) as typeof handlers[string];
 
+  handlers[CesRpcMethod.BulkSetCredentials] = (async (req: { credentials: Array<{ account: string; value: string }> }) => {
+    const results = [];
+    for (const { account, value } of req.credentials) {
+      const ok = await secureKeyBackend.set(account, value);
+      results.push({ account, ok });
+    }
+    return { results };
+  }) as typeof handlers[string];
+
   return handlers;
 }
 

package/src/materializers/local-token-refresh.ts

@@ -46,7 +46,9 @@ interface OAuthAppRow {
 interface OAuthProviderRow {
   provider_key: string;
   token_url: string;
+  refresh_url: string | null;
   token_endpoint_auth_method: string | null;
+  token_exchange_body_format: string | null;
 }
 
 // ---------------------------------------------------------------------------
@@ -64,6 +66,7 @@ interface RefreshConfig {
   clientId: string;
   clientSecret?: string;
   authMethod: TokenEndpointAuthMethod;
+  bodyFormat: "form" | "json";
 }
 
 /**
@@ -108,7 +111,7 @@ async function resolveRefreshConfig(
     // 3. Look up the provider to get token_url and auth method
     const provider = db
       .query<OAuthProviderRow, [string]>(
-        `SELECT provider_key, token_url, token_endpoint_auth_method FROM oauth_providers WHERE provider_key = ? LIMIT 1`,
+        `SELECT provider_key, token_url, refresh_url, token_endpoint_auth_method, token_exchange_body_format FROM oauth_providers WHERE provider_key = ? LIMIT 1`,
       )
       .get(conn.provider_key);
 
@@ -116,7 +119,10 @@ async function resolveRefreshConfig(
       return { error: `No OAuth provider found for "${conn.provider_key}"` };
     }
 
-    if (!provider.token_url || !app.client_id) {
+    // Resolve the effective token URL: prefer refresh_url, fall back to token_url
+    const tokenUrl = provider.refresh_url || provider.token_url;
+
+    if (!tokenUrl || !app.client_id) {
       return { error: `Missing OAuth2 refresh config for "${conn.provider_key}"` };
     }
 
@@ -126,12 +132,14 @@ async function resolveRefreshConfig(
     );
 
     const authMethod = (provider.token_endpoint_auth_method as TokenEndpointAuthMethod | null) ?? "client_secret_post";
+    const bodyFormat = (provider.token_exchange_body_format as "form" | "json" | null) ?? "form";
 
     return {
-      tokenUrl: provider.token_url,
+      tokenUrl,
       clientId: app.client_id,
       clientSecret,
       authMethod,
+      bodyFormat,
     };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -161,7 +169,10 @@ async function performTokenRefresh(
   };
 
   const headers: Record<string, string> = {
-    "Content-Type": "application/x-www-form-urlencoded",
+    "Content-Type":
+      config.bodyFormat === "json"
+        ? "application/json"
+        : "application/x-www-form-urlencoded",
   };
 
   if (config.clientSecret && config.authMethod === "client_secret_basic") {
@@ -179,7 +190,10 @@ async function performTokenRefresh(
   const resp = await fetch(config.tokenUrl, {
     method: "POST",
     headers,
-    body: new URLSearchParams(body),
+    body:
+      config.bodyFormat === "json"
+        ? JSON.stringify(body)
+        : new URLSearchParams(body),
   });
 
   if (!resp.ok) {