@vellumai/credential-executor 0.7.0 → 0.7.2

package/node_modules/@vellumai/service-contracts/package.json

@@ -7,6 +7,8 @@
   "exports": {
     ".": "./src/index.ts",
     "./credential-rpc": "./src/credential-rpc.ts",
+    "./ingress": "./src/ingress.ts",
+    "./twilio-ingress": "./src/twilio-ingress.ts",
     "./trust-rules": "./src/trust-rules.ts",
     "./handles": "./src/handles.ts",
     "./grants": "./src/grants.ts",

package/node_modules/@vellumai/service-contracts/src/__tests__/contracts.test.ts

@@ -33,6 +33,8 @@ describe("package independence", () => {
     "../transport.ts",
     "../credential-rpc.ts",
     "../trust-rules.ts",
+    "../ingress.ts",
+    "../twilio-ingress.ts",
     "../error.ts",
   ];
 
@@ -219,6 +221,7 @@ describe("ToolResponseBaseSchema", () => {
       result: { html: "<html></html>" },
     });
     expect(result.success).toBe(true);
+    if (!result.success) throw new Error("Expected successful response");
     expect(result.result).toEqual({ html: "<html></html>" });
   });
 
@@ -238,6 +241,7 @@ describe("ToolResponseBaseSchema", () => {
       },
     });
     expect(result.success).toBe(false);
+    if (result.success) throw new Error("Expected failed response");
     expect(result.error.code).toBe("TOOL_FAILED");
   });
 

package/node_modules/@vellumai/service-contracts/src/__tests__/ingress.test.ts

@@ -0,0 +1,107 @@
+import { describe, expect, test } from "bun:test";
+
+import {
+  normalizeHttpPublicBaseUrl,
+  normalizePublicBaseUrl,
+} from "../ingress.js";
+import {
+  buildTwilioConnectActionUrl,
+  buildTwilioMediaStreamUrl,
+  buildTwilioPhoneNumberWebhookUrls,
+  buildTwilioRelayUrl,
+  buildTwilioVoiceWebhookUrl,
+  resolveTwilioPublicBaseUrl,
+} from "../twilio-ingress.js";
+
+describe("normalizePublicBaseUrl", () => {
+  test("trims whitespace and trailing slashes", () => {
+    expect(normalizePublicBaseUrl(" https://example.test/path/// ")).toBe(
+      "https://example.test/path",
+    );
+  });
+
+  test("rejects non-string and empty values", () => {
+    expect(normalizePublicBaseUrl(undefined)).toBeUndefined();
+    expect(normalizePublicBaseUrl("   ")).toBeUndefined();
+  });
+});
+
+describe("normalizeHttpPublicBaseUrl", () => {
+  test("normalizes valid HTTP and HTTPS URLs", () => {
+    expect(normalizeHttpPublicBaseUrl(" HTTPS://EXAMPLE.TEST/twilio ")).toBe(
+      "https://example.test/twilio",
+    );
+    expect(normalizeHttpPublicBaseUrl("https://example.test/twilio///")).toBe(
+      "https://example.test/twilio",
+    );
+    expect(normalizeHttpPublicBaseUrl("https://example.test")).toBe(
+      "https://example.test/",
+    );
+  });
+
+  test("rejects non-HTTP URLs and malformed values", () => {
+    expect(normalizeHttpPublicBaseUrl("ftp://example.test")).toBeUndefined();
+    expect(normalizeHttpPublicBaseUrl("notaurl")).toBeUndefined();
+    expect(normalizeHttpPublicBaseUrl("")).toBeUndefined();
+  });
+
+  test("rejects query strings and fragments instead of mutating them", () => {
+    expect(
+      normalizeHttpPublicBaseUrl("https://example.test/twilio?token=abc/"),
+    ).toBeUndefined();
+    expect(
+      normalizeHttpPublicBaseUrl("https://example.test/twilio#section/"),
+    ).toBeUndefined();
+    expect(
+      normalizeHttpPublicBaseUrl("https://example.test/twilio?"),
+    ).toBeUndefined();
+    expect(
+      normalizeHttpPublicBaseUrl("https://example.test/twilio#"),
+    ).toBeUndefined();
+  });
+});
+
+describe("Twilio ingress helpers", () => {
+  test("resolves public base URL with fallback", () => {
+    expect(
+      resolveTwilioPublicBaseUrl({
+        publicBaseUrl: " https://twilio.example.test/twilio/ ",
+      }),
+    ).toBe("https://twilio.example.test/twilio");
+    expect(
+      resolveTwilioPublicBaseUrl({
+        publicBaseUrl: " ",
+      }),
+    ).toBeUndefined();
+    expect(
+      resolveTwilioPublicBaseUrl({
+        publicBaseUrl: " ",
+      }, "https://fallback.example.test/"),
+    ).toBe("https://fallback.example.test");
+    expect(
+      resolveTwilioPublicBaseUrl({}, "https://fallback.example.test/"),
+    ).toBe("https://fallback.example.test");
+  });
+
+  test("builds Twilio webhook and WebSocket URLs from one base URL", () => {
+    expect(buildTwilioVoiceWebhookUrl("https://example.test")).toBe(
+      "https://example.test/webhooks/twilio/voice",
+    );
+    expect(buildTwilioVoiceWebhookUrl("https://example.test", "call-123")).toBe(
+      "https://example.test/webhooks/twilio/voice?callSessionId=call-123",
+    );
+    expect(buildTwilioConnectActionUrl("https://example.test")).toBe(
+      "https://example.test/webhooks/twilio/connect-action",
+    );
+    expect(buildTwilioRelayUrl("https://example.test")).toBe(
+      "wss://example.test/webhooks/twilio/relay",
+    );
+    expect(buildTwilioMediaStreamUrl("http://example.test")).toBe(
+      "ws://example.test/webhooks/twilio/media-stream",
+    );
+    expect(buildTwilioPhoneNumberWebhookUrls("https://example.test")).toEqual({
+      statusCallbackUrl: "https://example.test/webhooks/twilio/status",
+      voiceUrl: "https://example.test/webhooks/twilio/voice",
+    });
+  });
+});

package/node_modules/@vellumai/service-contracts/src/index.ts

@@ -6,9 +6,11 @@
  *
  *   - `@vellumai/service-contracts/credential-rpc`  — transport, RPC, handles, grants, rendering, error
  *   - `@vellumai/service-contracts/trust-rules`     — trust-rule types and parsing helpers
+ *   - `@vellumai/service-contracts/twilio-ingress`  — shared Twilio ingress config constants
+ *   - `@vellumai/service-contracts/ingress`         — shared public ingress URL helpers
  *
  * Fine-grained subpaths are also available for low-friction migration:
- *   `./rpc`, `./handles`, `./grants`, `./rendering`, `./error`, `./trust-rules`
+ *   `./rpc`, `./handles`, `./grants`, `./rendering`, `./error`, `./trust-rules`, `./ingress`, `./twilio-ingress`
  *
  * Neutral wire-protocol contracts for communication between the assistant
  * daemon and the Credential Execution Service (CES). This package is
@@ -23,3 +25,5 @@ export * from "./grants.js";
 export * from "./rpc.js";
 export * from "./rendering.js";
 export * from "./trust-rules.js";
+export * from "./ingress.js";
+export * from "./twilio-ingress.js";

package/node_modules/@vellumai/service-contracts/src/ingress.ts

@@ -0,0 +1,24 @@
+export function normalizePublicBaseUrl(value: unknown): string | undefined {
+  if (typeof value !== "string") return undefined;
+  const normalized = value.trim().replace(/\/+$/, "");
+  return normalized.length > 0 ? normalized : undefined;
+}
+
+export function normalizeHttpPublicBaseUrl(value: unknown): string | undefined {
+  if (typeof value !== "string") return undefined;
+  const trimmed = value.trim();
+  if (trimmed.length === 0) return undefined;
+  if (/[?#]/.test(trimmed)) return undefined;
+
+  try {
+    const url = new URL(trimmed);
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      return undefined;
+    }
+    if (!url.hostname) return undefined;
+    url.pathname = url.pathname.replace(/\/+$/, "") || "/";
+    return url.toString();
+  } catch {
+    return undefined;
+  }
+}

package/node_modules/@vellumai/service-contracts/src/twilio-ingress.ts

@@ -0,0 +1,84 @@
+import { normalizePublicBaseUrl } from "./ingress.js";
+
+export const TWILIO_VOICE_WEBHOOK_PATH = "/webhooks/twilio/voice";
+export const TWILIO_STATUS_WEBHOOK_PATH = "/webhooks/twilio/status";
+export const TWILIO_CONNECT_ACTION_WEBHOOK_PATH =
+  "/webhooks/twilio/connect-action";
+export const TWILIO_RELAY_WEBHOOK_PATH = "/webhooks/twilio/relay";
+export const TWILIO_MEDIA_STREAM_WEBHOOK_PATH = "/webhooks/twilio/media-stream";
+
+/**
+ * Sentinel placeholder embedded in TwiML by the assistant where the real
+ * public base URL should go. The gateway replaces `wss://__VELLUM_PUBLIC_BASE_URL__/…`
+ * with the actual public URL (from Velay registration, config, or the
+ * `X-Vellum-Ingress-URL` header) before returning TwiML to Twilio.
+ *
+ * The placeholder uses `https://` so that `buildTwilioRelayUrl` /
+ * `buildTwilioMediaStreamUrl` can apply the standard `http→ws` scheme
+ * conversion, producing `wss://__VELLUM_PUBLIC_BASE_URL__/…` in the output.
+ */
+export const TWILIO_PUBLIC_BASE_URL_PLACEHOLDER =
+  "https://__VELLUM_PUBLIC_BASE_URL__";
+
+/**
+ * The WebSocket-scheme form of the placeholder that appears in TwiML after
+ * the `http→ws` scheme conversion applied by the URL builders.
+ */
+export const TWILIO_PUBLIC_BASE_WSS_PLACEHOLDER =
+  "wss://__VELLUM_PUBLIC_BASE_URL__";
+
+export { normalizePublicBaseUrl } from "./ingress.js";
+
+export type TwilioPhoneNumberWebhookUrls = {
+  statusCallbackUrl: string;
+  voiceUrl: string;
+};
+
+export function resolveTwilioPublicBaseUrl(
+  ingress: { publicBaseUrl?: unknown } | undefined,
+  fallbackPublicBaseUrl?: unknown,
+): string | undefined {
+  const publicBaseUrl = normalizePublicBaseUrl(ingress?.publicBaseUrl);
+  if (publicBaseUrl) return publicBaseUrl;
+
+  return normalizePublicBaseUrl(fallbackPublicBaseUrl);
+}
+
+export function buildTwilioVoiceWebhookUrl(
+  baseUrl: string,
+  callSessionId?: string,
+): string {
+  if (callSessionId) {
+    return `${baseUrl}${TWILIO_VOICE_WEBHOOK_PATH}?callSessionId=${callSessionId}`;
+  }
+  return `${baseUrl}${TWILIO_VOICE_WEBHOOK_PATH}`;
+}
+
+export function buildTwilioStatusWebhookUrl(baseUrl: string): string {
+  return `${baseUrl}${TWILIO_STATUS_WEBHOOK_PATH}`;
+}
+
+export function buildTwilioConnectActionUrl(baseUrl: string): string {
+  return `${baseUrl}${TWILIO_CONNECT_ACTION_WEBHOOK_PATH}`;
+}
+
+export function buildTwilioRelayUrl(baseUrl: string): string {
+  return `${toTwilioWebSocketBaseUrl(baseUrl)}${TWILIO_RELAY_WEBHOOK_PATH}`;
+}
+
+export function buildTwilioMediaStreamUrl(baseUrl: string): string {
+  return `${toTwilioWebSocketBaseUrl(baseUrl)}${TWILIO_MEDIA_STREAM_WEBHOOK_PATH}`;
+}
+
+export function buildTwilioPhoneNumberWebhookUrls(
+  baseUrl: string,
+): TwilioPhoneNumberWebhookUrls {
+  return {
+    statusCallbackUrl: buildTwilioStatusWebhookUrl(baseUrl),
+    voiceUrl: buildTwilioVoiceWebhookUrl(baseUrl),
+  };
+}
+
+function toTwilioWebSocketBaseUrl(baseUrl: string): string {
+  return baseUrl.replace(/^http(s?)/, "ws$1");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/credential-executor",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -8,7 +8,8 @@
   },
   "bin": {
     "credential-executor": "./src/main.ts",
-    "credential-executor-managed": "./src/managed-main.ts"
+    "credential-executor-managed": "./src/managed-main.ts",
+    "ces": "./src/cli.ts"
   },
   "scripts": {
     "dev": "bun run src/main.ts",

package/src/__tests__/ces-migrations-002-api-keys.test.ts

@@ -0,0 +1,185 @@
+import { describe, expect, test } from "bun:test";
+
+import { apiKeyToCredentialsMigration } from "../migrations/002-api-keys-to-credentials.js";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Creates an in-memory SecureKeyBackend backed by a Map<string, string>.
+ * Allows us to assert state before/after migration without relying on mocked
+ * function call tracking.
+ */
+function makeMapBackend(
+  initial: Record<string, string> = {},
+): SecureKeyBackend & { store: Map<string, string> } {
+  const store = new Map<string, string>(Object.entries(initial));
+  return {
+    store,
+    get: (_key: string) => Promise.resolve(store.get(_key)),
+    set: (_key: string, value: string) => {
+      store.set(_key, value);
+      return Promise.resolve(true);
+    },
+    delete: (_key: string) => {
+      const existed = store.has(_key);
+      store.delete(_key);
+      return Promise.resolve({ deleted: existed });
+    },
+    list: () => Promise.resolve([...store.keys()]),
+  } as unknown as SecureKeyBackend & { store: Map<string, string> };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("apiKeyToCredentialsMigration (002)", () => {
+  // -------------------------------------------------------------------------
+  // run()
+  // -------------------------------------------------------------------------
+
+  describe("run()", () => {
+    test("bare key present — writes credential key and deletes bare key", async () => {
+      const backend = makeMapBackend({ anthropic: "sk-ant-123" });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      expect(backend.store.get("credential/anthropic/api_key")).toBe(
+        "sk-ant-123",
+      );
+      expect(backend.store.has("anthropic")).toBe(false);
+    });
+
+    test("idempotent — credential key already exists: bare key deleted, credential value unchanged", async () => {
+      const backend = makeMapBackend({
+        anthropic: "sk-ant-new",
+        "credential/anthropic/api_key": "sk-ant-existing",
+      });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // Credential key must NOT be overwritten
+      expect(backend.store.get("credential/anthropic/api_key")).toBe(
+        "sk-ant-existing",
+      );
+      // Bare key must be removed
+      expect(backend.store.has("anthropic")).toBe(false);
+    });
+
+    test("no bare key for provider — no write and no delete for that provider", async () => {
+      // Store only has a key for openai; anthropic has nothing
+      const backend = makeMapBackend({ openai: "sk-openai-abc" });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // openai should be migrated
+      expect(backend.store.get("credential/openai/api_key")).toBe(
+        "sk-openai-abc",
+      );
+      expect(backend.store.has("openai")).toBe(false);
+
+      // anthropic: credential key should NOT exist (no accidental write)
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+
+    test("multiple providers — each handled independently", async () => {
+      const backend = makeMapBackend({
+        anthropic: "sk-ant-multi",
+        openai: "sk-openai-multi",
+        gemini: "gemini-key",
+        brave: "brave-key",
+      });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // All bare keys gone
+      for (const provider of ["anthropic", "openai", "gemini", "brave"]) {
+        expect(backend.store.has(provider)).toBe(false);
+      }
+
+      // All credential keys present
+      expect(backend.store.get("credential/anthropic/api_key")).toBe(
+        "sk-ant-multi",
+      );
+      expect(backend.store.get("credential/openai/api_key")).toBe(
+        "sk-openai-multi",
+      );
+      expect(backend.store.get("credential/gemini/api_key")).toBe("gemini-key");
+      expect(backend.store.get("credential/brave/api_key")).toBe("brave-key");
+
+      // Providers that had no bare key should have no credential key
+      for (const provider of [
+        "ollama",
+        "fireworks",
+        "openrouter",
+        "perplexity",
+        "deepgram",
+        "xai",
+      ]) {
+        expect(backend.store.has(`credential/${provider}/api_key`)).toBe(false);
+      }
+    });
+
+    test("set() failure — bare key preserved, credential key absent", async () => {
+      const backend = makeMapBackend({ anthropic: "sk-ant-123" });
+      // Simulate a write failure
+      backend.set = (_key: string, _value: string) => Promise.resolve(false);
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // Bare key must survive — it was not deleted because set() failed
+      expect(backend.store.get("anthropic")).toBe("sk-ant-123");
+      // Credential key must not exist
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+
+    test("run() is idempotent — running twice leaves store in same state as once", async () => {
+      const backend = makeMapBackend({
+        anthropic: "sk-ant-idem",
+        openai: "sk-openai-idem",
+      });
+
+      await apiKeyToCredentialsMigration.run(backend);
+      // Capture state after first run
+      const afterFirst = new Map(backend.store);
+
+      await apiKeyToCredentialsMigration.run(backend);
+      // State after second run must match first run
+      expect(backend.store).toEqual(afterFirst);
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // down()
+  // -------------------------------------------------------------------------
+
+  describe("down()", () => {
+    test("reverses a migrated key back to bare name", async () => {
+      const backend = makeMapBackend({
+        "credential/anthropic/api_key": "sk-ant-rev",
+      });
+
+      await apiKeyToCredentialsMigration.down(backend);
+
+      expect(backend.store.get("anthropic")).toBe("sk-ant-rev");
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+
+    test("idempotent — bare key already exists: credential key deleted, bare key value unchanged", async () => {
+      const backend = makeMapBackend({
+        "credential/anthropic/api_key": "sk-ant-cred",
+        anthropic: "sk-ant-original",
+      });
+
+      await apiKeyToCredentialsMigration.down(backend);
+
+      // Bare key value must NOT be overwritten
+      expect(backend.store.get("anthropic")).toBe("sk-ant-original");
+      // Credential key must be removed
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+  });
+});