@vellumai/credential-executor 0.7.0 → 0.7.2

package/src/__tests__/transport.test.ts

@@ -393,16 +393,25 @@ describe("CES data paths", () => {
   });
 
   test("getBootstrapSocketPath respects CES_BOOTSTRAP_SOCKET env var", () => {
-    const saved = process.env["CES_BOOTSTRAP_SOCKET"];
+    const savedSocket = process.env["CES_BOOTSTRAP_SOCKET"];
+    const savedDir = process.env["CES_BOOTSTRAP_SOCKET_DIR"];
+    // CES_BOOTSTRAP_SOCKET_DIR takes precedence; clear it so the
+    // CES_BOOTSTRAP_SOCKET fallback is actually exercised.
+    delete process.env["CES_BOOTSTRAP_SOCKET_DIR"];
     process.env["CES_BOOTSTRAP_SOCKET"] = "/tmp/test-ces.sock";
     try {
       expect(getBootstrapSocketPath()).toBe("/tmp/test-ces.sock");
     } finally {
-      if (saved !== undefined) {
-        process.env["CES_BOOTSTRAP_SOCKET"] = saved;
+      if (savedSocket !== undefined) {
+        process.env["CES_BOOTSTRAP_SOCKET"] = savedSocket;
       } else {
         delete process.env["CES_BOOTSTRAP_SOCKET"];
       }
+      if (savedDir !== undefined) {
+        process.env["CES_BOOTSTRAP_SOCKET_DIR"] = savedDir;
+      } else {
+        delete process.env["CES_BOOTSTRAP_SOCKET_DIR"];
+      }
     }
   });
 });

package/src/cli.ts

@@ -0,0 +1,158 @@
+#!/usr/bin/env bun
+/**
+ * CES CLI — lightweight credential CRUD for the CES container.
+ *
+ * Operates directly on the encrypted key store (`keys.enc` + `store.key`)
+ * without requiring the RPC server, HTTP routes, or a running assistant.
+ *
+ * Usage:
+ *   ces list
+ *   ces get <account>
+ *   ces set <account> <value>
+ *   ces delete <account>
+ *
+ * Account format: `credential/<service>/<field>` (e.g. `credential/vellum/platform_organization_id`)
+ *
+ * Environment variables:
+ *   CREDENTIAL_SECURITY_DIR — directory containing `keys.enc` + `store.key`
+ *   CES_ASSISTANT_DATA_MOUNT — fallback root for `<mount>/.vellum/protected/`
+ *
+ * When neither is set, defaults to `~/.vellum/protected/` (local mode).
+ */
+
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { createLocalSecureKeyBackend } from "./materializers/local-secure-key-backend.js";
+
+// ---------------------------------------------------------------------------
+// Path resolution (mirrors managed-main.ts)
+// ---------------------------------------------------------------------------
+
+function resolveVellumRoot(): string {
+  const secDir = process.env["CREDENTIAL_SECURITY_DIR"]?.trim();
+  if (secDir) {
+    // CREDENTIAL_SECURITY_DIR points directly at the dir containing
+    // keys.enc, but createLocalSecureKeyBackend wants the parent
+    // (.vellum root) and appends /protected/ itself — unless
+    // CREDENTIAL_SECURITY_DIR is set, in which case the backend reads
+    // from that dir directly. So we pass dirname(secDir) as vellumRoot.
+    // Actually, looking at resolveSecurityDir(): if CREDENTIAL_SECURITY_DIR
+    // is set it uses that directly, ignoring vellumRoot. So vellumRoot
+    // can be anything — the env var takes precedence.
+    return join(secDir, "..");
+  }
+
+  const mount = process.env["CES_ASSISTANT_DATA_MOUNT"]?.trim();
+  if (mount) {
+    return join(mount, ".vellum");
+  }
+
+  return join(homedir(), ".vellum");
+}
+
+// ---------------------------------------------------------------------------
+// CLI
+// ---------------------------------------------------------------------------
+
+async function main(): Promise<void> {
+  const [command, ...args] = process.argv.slice(2);
+
+  if (!command || command === "--help" || command === "-h") {
+    printUsage();
+    process.exit(0);
+  }
+
+  const vellumRoot = resolveVellumRoot();
+  const backend = createLocalSecureKeyBackend(vellumRoot);
+
+  switch (command) {
+    case "list": {
+      const accounts = await backend.list();
+      if (accounts.length === 0) {
+        console.log("(no credentials stored)");
+      } else {
+        for (const account of accounts.sort()) {
+          console.log(account);
+        }
+      }
+      break;
+    }
+
+    case "get": {
+      const account = args[0];
+      if (!account) {
+        console.error("Usage: ces get <account>");
+        process.exit(1);
+      }
+      const value = await backend.get(account);
+      if (value === undefined) {
+        console.error(`Not found: ${account}`);
+        process.exit(1);
+      }
+      // Write raw value to stdout (no trailing newline for piping)
+      process.stdout.write(value);
+      break;
+    }
+
+    case "set": {
+      const account = args[0];
+      const value = args[1];
+      if (!account || value === undefined) {
+        console.error("Usage: ces set <account> <value>");
+        process.exit(1);
+      }
+      const ok = await backend.set(account, value);
+      if (ok) {
+        console.log(`Set: ${account}`);
+      } else {
+        console.error(`Failed to set: ${account}`);
+        process.exit(1);
+      }
+      break;
+    }
+
+    case "delete": {
+      const account = args[0];
+      if (!account) {
+        console.error("Usage: ces delete <account>");
+        process.exit(1);
+      }
+      const result = await backend.delete(account);
+      if (result === "deleted") {
+        console.log(`Deleted: ${account}`);
+      } else {
+        console.error(`Not found: ${account}`);
+        process.exit(1);
+      }
+      break;
+    }
+
+    default:
+      console.error(`Unknown command: ${command}`);
+      printUsage();
+      process.exit(1);
+  }
+}
+
+function printUsage(): void {
+  console.log(`CES CLI — credential CRUD for the encrypted key store
+
+Usage:
+  ces list                     List all credential accounts
+  ces get <account>            Get a credential value
+  ces set <account> <value>    Set a credential value
+  ces delete <account>         Delete a credential
+
+Account format:
+  credential/<service>/<field>
+  Example: credential/vellum/platform_organization_id
+
+Environment:
+  CREDENTIAL_SECURITY_DIR    Directory containing keys.enc + store.key
+  CES_ASSISTANT_DATA_MOUNT   Fallback: <mount>/.vellum/protected/`);
+}
+
+main().catch((err) => {
+  console.error(`Fatal: ${err instanceof Error ? err.message : err}`);
+  process.exit(1);
+});

package/src/http/__tests__/credential-routes-normalization.test.ts

@@ -0,0 +1,202 @@
+/**
+ * Tests for credential account key normalization in the HTTP routes.
+ *
+ * Verifies that colon-separated account names (e.g. `vellum:platform_organization_id`)
+ * are transparently normalized to the internal slash-separated format
+ * (e.g. `credential/vellum/platform_organization_id`) so that credentials
+ * stored via direct HTTP are findable by the gateway and assistant.
+ */
+
+import { describe, it, expect } from "bun:test";
+
+import { handleCredentialRoute } from "../credential-routes.js";
+import type { CredentialRouteDeps } from "../credential-routes.js";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const SERVICE_TOKEN = "test-token-normalization";
+
+function makeDeps(): { deps: CredentialRouteDeps; store: Map<string, string> } {
+  const store = new Map<string, string>();
+  const backend: SecureKeyBackend = {
+    get: async (account: string) => store.get(account),
+    set: async (account: string, value: string) => {
+      store.set(account, value);
+      return true;
+    },
+    delete: async (account: string) => {
+      if (!store.has(account)) return "not-found";
+      store.delete(account);
+      return "deleted";
+    },
+    list: async () => [...store.keys()],
+  };
+  return { deps: { backend, serviceToken: SERVICE_TOKEN }, store };
+}
+
+function makeRequest(
+  method: string,
+  path: string,
+  body?: unknown,
+): Request {
+  const url = `http://localhost:8090${path}`;
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${SERVICE_TOKEN}`,
+  };
+  const init: RequestInit = { method, headers };
+  if (body !== undefined) {
+    init.body = JSON.stringify(body);
+  }
+  return new Request(url, init);
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("credential route key normalization", () => {
+  it("normalizes colon-separated key on POST (set)", async () => {
+    const { deps, store } = makeDeps();
+
+    const req = makeRequest(
+      "POST",
+      "/v1/credentials/vellum%3Aplatform_organization_id",
+      { value: "org-uuid-123" },
+    );
+    const res = await handleCredentialRoute(req, deps);
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+    const body = await res!.json();
+    expect(body.ok).toBe(true);
+    expect(body.account).toBe("credential/vellum/platform_organization_id");
+
+    // Verify it was stored under the normalized key
+    expect(store.get("credential/vellum/platform_organization_id")).toBe("org-uuid-123");
+    expect(store.has("vellum:platform_organization_id")).toBe(false);
+  });
+
+  it("normalizes colon-separated key on GET", async () => {
+    const { deps, store } = makeDeps();
+    store.set("credential/vellum/platform_user_id", "user-uuid-456");
+
+    const req = makeRequest(
+      "GET",
+      "/v1/credentials/vellum%3Aplatform_user_id",
+    );
+    const res = await handleCredentialRoute(req, deps);
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+    const body = await res!.json();
+    expect(body.value).toBe("user-uuid-456");
+  });
+
+  it("normalizes colon-separated key on DELETE", async () => {
+    const { deps, store } = makeDeps();
+    store.set("credential/vellum/temp_cred", "temp-value");
+
+    const req = makeRequest(
+      "DELETE",
+      "/v1/credentials/vellum%3Atemp_cred",
+    );
+    const res = await handleCredentialRoute(req, deps);
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+    expect(store.has("credential/vellum/temp_cred")).toBe(false);
+  });
+
+  it("passes through keys already in credential/ format", async () => {
+    const { deps, store } = makeDeps();
+
+    const req = makeRequest(
+      "POST",
+      "/v1/credentials/credential%2Fvellum%2Fassistant_api_key",
+      { value: "api-key-789" },
+    );
+    const res = await handleCredentialRoute(req, deps);
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+    expect(store.get("credential/vellum/assistant_api_key")).toBe("api-key-789");
+  });
+
+  it("passes through oauth/ prefixed keys", async () => {
+    const { deps, store } = makeDeps();
+
+    const req = makeRequest(
+      "POST",
+      "/v1/credentials/oauth%2Fconnection%2Faccess_token",
+      { value: "token-abc" },
+    );
+    const res = await handleCredentialRoute(req, deps);
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+    expect(store.get("oauth/connection/access_token")).toBe("token-abc");
+  });
+
+  it("normalizes colon-separated keys in bulk set", async () => {
+    const { deps, store } = makeDeps();
+
+    const req = makeRequest("POST", "/v1/credentials/bulk", {
+      credentials: [
+        { account: "vellum:platform_organization_id", value: "org-1" },
+        { account: "vellum:platform_user_id", value: "user-1" },
+        { account: "credential/vellum/assistant_api_key", value: "key-1" },
+      ],
+    });
+    const res = await handleCredentialRoute(req, deps);
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+    const body = await res!.json();
+
+    expect(body.results).toHaveLength(3);
+    expect(body.results[0].account).toBe("credential/vellum/platform_organization_id");
+    expect(body.results[1].account).toBe("credential/vellum/platform_user_id");
+    expect(body.results[2].account).toBe("credential/vellum/assistant_api_key");
+
+    expect(store.get("credential/vellum/platform_organization_id")).toBe("org-1");
+    expect(store.get("credential/vellum/platform_user_id")).toBe("user-1");
+    expect(store.get("credential/vellum/assistant_api_key")).toBe("key-1");
+  });
+
+  it("splits multi-colon keys at the last colon", async () => {
+    const { deps, store } = makeDeps();
+
+    const req = makeRequest(
+      "POST",
+      "/v1/credentials/integration%3Agoogle%3Aaccess_token",
+      { value: "google-token" },
+    );
+    const res = await handleCredentialRoute(req, deps);
+
+    expect(res).not.toBeNull();
+    expect(res!.status).toBe(200);
+    const body = await res!.json();
+    // "integration:google:access_token" splits at last colon →
+    // service="integration:google", field="access_token"
+    expect(body.account).toBe("credential/integration:google/access_token");
+    expect(store.get("credential/integration:google/access_token")).toBe("google-token");
+  });
+
+  it("returns normalized key in response body", async () => {
+    const { deps } = makeDeps();
+
+    const req = makeRequest(
+      "POST",
+      "/v1/credentials/slack_channel%3Abot_token",
+      { value: "xoxb-test" },
+    );
+    const res = await handleCredentialRoute(req, deps);
+
+    const body = await res!.json();
+    expect(body.account).toBe("credential/slack_channel/bot_token");
+  });
+});

package/src/http/credential-routes.ts

@@ -21,6 +21,49 @@ import { timingSafeEqual } from "node:crypto";
 
 import type { SecureKeyBackend } from "@vellumai/credential-storage";
 
+// ---------------------------------------------------------------------------
+// Account key normalization
+// ---------------------------------------------------------------------------
+
+/**
+ * Known internal key prefixes. Keys in the encrypted store use slash-separated
+ * paths (e.g. `credential/vellum/platform_organization_id`), but callers
+ * (especially manual `curl` invocations) often use the colon-separated format
+ * visible in the CLI (e.g. `vellum:platform_organization_id`).
+ *
+ * This normalizer transparently converts colon-separated credential names
+ * to the internal format so writes land under the correct key. Without this,
+ * a credential stored as `vellum:platform_organization_id` would silently
+ * succeed but be invisible to the gateway and assistant, which look up
+ * `credential/vellum/platform_organization_id`.
+ */
+const CREDENTIAL_PREFIX = "credential/";
+
+function normalizeAccountKey(account: string): string {
+  // Already in internal format — pass through
+  if (account.startsWith(CREDENTIAL_PREFIX)) {
+    return account;
+  }
+
+  // Other known internal prefixes — pass through as-is
+  if (account.startsWith("oauth/")) {
+    return account;
+  }
+
+  // Convert "service:field" → "credential/service/field"
+  // Use lastIndexOf to match the canonical split in secret-routes.ts
+  // (e.g. "integration:google:access_token" → service="integration:google", field="access_token")
+  const colonIdx = account.lastIndexOf(":");
+  if (colonIdx > 0 && colonIdx < account.length - 1) {
+    const service = account.slice(0, colonIdx);
+    const field = account.slice(colonIdx + 1);
+    return `${CREDENTIAL_PREFIX}${service}/${field}`;
+  }
+
+  // Unrecognized format — return as-is (will likely fail lookup, which is fine)
+  return account;
+}
+
 // ---------------------------------------------------------------------------
 // Auth
 // ---------------------------------------------------------------------------
@@ -136,8 +179,9 @@ export async function handleCredentialRoute(
 
     const results: Array<{ account: string; ok: boolean }> = [];
     for (const entry of body.credentials as Array<{ account: string; value: string }>) {
-      const ok = await backend.set(entry.account, entry.value);
-      results.push({ account: entry.account, ok: !!ok });
+      const normalized = normalizeAccountKey(entry.account);
+      const ok = await backend.set(normalized, entry.value);
+      results.push({ account: normalized, ok: !!ok });
     }
 
     return new Response(
@@ -167,15 +211,17 @@ export async function handleCredentialRoute(
     return null; // Not a credential route
   }
 
-  const account = decodeURIComponent(accountSegment.slice(1));
-  if (!account) {
+  const rawAccount = decodeURIComponent(accountSegment.slice(1));
+  if (!rawAccount) {
     return new Response(
       JSON.stringify({ error: "Account name is required" }),
       { status: 400, headers: { "Content-Type": "application/json" } },
-    );
-  }
+      );
+    }
+
+    const account = normalizeAccountKey(rawAccount);
 
-  switch (req.method) {
+    switch (req.method) {
     // GET /v1/credentials/:account — get credential value
     case "GET": {
       const value = await backend.get(account);