npm - @vellumai/vellum-gateway - Versions diffs - 0.4.17 → 0.4.19 - Mend

@vellumai/vellum-gateway 0.4.17 → 0.4.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +1 -1
package/package.json +1 -1
package/src/__tests__/credential-reader.test.ts +75 -5
package/src/__tests__/credential-watcher.test.ts +2 -13
package/src/auth/scopes.ts +3 -0
package/src/auth/types.ts +2 -1
package/src/credential-reader.ts +4 -10

package/README.md CHANGED Viewed

@@ -412,7 +412,7 @@ See [`benchmarking/gateway/README.md`](../benchmarking/gateway/README.md) for lo
 | "No route configured" replies | Add a routing entry or set `GATEWAY_UNMAPPED_POLICY=default` with a default assistant |
 | Runtime errors | Is `ASSISTANT_RUNTIME_BASE_URL` reachable? Check runtime logs. |
 | No reply from assistant | Is the assistant runtime processing messages? Check for `RUNTIME_HTTP_PORT` env var. |
-| 403 on channel inbound | The runtime rejected the request because JWT authentication failed. Ensure the gateway and runtime share the same signing key (`RUNTIME_BEARER_TOKEN` / `~/.vellum/http-token`). |
+| 403 on channel inbound | The runtime rejected the request because JWT authentication failed. Ensure the gateway and runtime share the same signing key (`~/.vellum/protected/actor-token-signing-key`). |
 ### Guardian-Specific Troubleshooting

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/vellum-gateway",
-  "version": "0.4.17",
+  "version": "0.4.19",
   "type": "module",
   "exports": {
     "./twilio/verify": "./src/twilio/verify.ts",

package/src/__tests__/credential-reader.test.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { describe, test, expect, beforeEach, afterEach, mock } from "bun:test";
 import { mkdirSync, writeFileSync, rmSync } from "node:fs";
 import { join } from "node:path";
-import { tmpdir } from "node:os";
-import { randomBytes } from "node:crypto";
+import { hostname, tmpdir, userInfo } from "node:os";
+import { createCipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
 // ---------------------------------------------------------------------------
 // Mock logger — capture log calls to verify no secrets leak
@@ -54,6 +54,69 @@ function writeMetadata(credentials: { service: string; field: string }[]): void
   writeFileSync(join(dir, "metadata.json"), JSON.stringify({ credentials }));
 }
+const ALGORITHM = "aes-256-gcm";
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+const PBKDF2_ITERATIONS = 100_000;
+function getMachineEntropy(): string {
+  const parts: string[] = [];
+  try {
+    parts.push(hostname());
+  } catch {
+    parts.push("unknown-host");
+  }
+  try {
+    parts.push(userInfo().username);
+  } catch {
+    parts.push("unknown-user");
+  }
+  // Must match assistant/src/util/platform.ts#getPlatformName.
+  parts.push(process.platform);
+  parts.push(process.arch);
+  try {
+    parts.push(userInfo().homedir);
+  } catch {
+    parts.push("/tmp");
+  }
+  return parts.join(":");
+}
+function writeEncryptedStore(entries: Record<string, string>): void {
+  const storePath = join(testDir, ".vellum", "protected", "keys.enc");
+  mkdirSync(join(testDir, ".vellum", "protected"), { recursive: true });
+  const salt = randomBytes(16);
+  const key = pbkdf2Sync(
+    getMachineEntropy(),
+    salt,
+    PBKDF2_ITERATIONS,
+    KEY_LENGTH,
+    "sha512",
+  );
+  const encryptedEntries: Record<string, { iv: string; tag: string; data: string }> = {};
+  for (const [account, value] of Object.entries(entries)) {
+    const iv = randomBytes(12);
+    const cipher = createCipheriv(ALGORITHM, key, iv, {
+      authTagLength: AUTH_TAG_LENGTH,
+    });
+    const encrypted = Buffer.concat([cipher.update(value, "utf-8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    encryptedEntries[account] = {
+      iv: iv.toString("hex"),
+      tag: tag.toString("hex"),
+      data: encrypted.toString("hex"),
+    };
+  }
+  const store = {
+    version: 1,
+    salt: salt.toString("hex"),
+    entries: encryptedEntries,
+  };
+  writeFileSync(storePath, JSON.stringify(store));
+}
 const originalPlatform = process.platform;
 beforeEach(() => {
@@ -161,10 +224,17 @@ describe("readTelegramCredentials: keychain on macOS", () => {
       { service: "telegram", field: "webhook_secret" },
     ]);
-    // Keychain throws (credential not found) — fall through to encrypted store
-    // Encrypted store also has nothing, so result should be null
+    // Keychain throws (credential not found) — fall through to encrypted store.
+    writeEncryptedStore({
+      "credential:telegram:bot_token": "enc-bot-token",
+      "credential:telegram:webhook_secret": "enc-webhook-secret",
+    });
     const result = readTelegramCredentials();
-    expect(result).toBeNull();
+    expect(result).toEqual({
+      botToken: "enc-bot-token",
+      webhookSecret: "enc-webhook-secret",
+    });
   });
 });

package/src/__tests__/credential-watcher.test.ts CHANGED Viewed

@@ -53,19 +53,8 @@ function getMachineEntropy(): string {
   } catch {
     parts.push("unknown-user");
   }
-  switch (process.platform) {
-    case "darwin":
-      parts.push("macOS");
-      break;
-    case "win32":
-      parts.push("Windows");
-      break;
-    case "linux":
-      parts.push("Linux");
-      break;
-    default:
-      parts.push(process.platform);
-  }
+  // Must mirror assistant/src/util/platform.ts#getPlatformName (raw platform).
+  parts.push(process.platform);
   parts.push(process.arch);
   try {
     parts.push(userInfo().homedir);

package/src/auth/scopes.ts CHANGED Viewed

@@ -42,6 +42,9 @@ const PROFILE_SCOPES: Record<ScopeProfile, ReadonlySet<Scope>> = {
   ipc_v1: new Set<Scope>([
     'ipc.all',
   ]),
+  ui_page_v1: new Set<Scope>([
+    'settings.read',
+  ]),
 };
 // ---------------------------------------------------------------------------

package/src/auth/types.ts CHANGED Viewed

@@ -13,7 +13,8 @@ export type ScopeProfile =
   | 'actor_client_v1'
   | 'gateway_ingress_v1'
   | 'gateway_service_v1'
-  | 'ipc_v1';
+  | 'ipc_v1'
+  | 'ui_page_v1';
 // ---------------------------------------------------------------------------
 // Individual scope strings

package/src/credential-reader.ts CHANGED Viewed

@@ -39,16 +39,10 @@ interface StoreFile {
 }
 function getPlatformName(): string {
-  switch (process.platform) {
-    case "darwin":
-      return "macOS";
-    case "win32":
-      return "Windows";
-    case "linux":
-      return "Linux";
-    default:
-      return process.platform;
-  }
+  // Must match assistant/src/util/platform.ts#getPlatformName exactly.
+  // Using user-friendly labels like "macOS" here changes PBKDF2 entropy and
+  // makes gateway unable to decrypt credentials written by the daemon.
+  return process.platform;
 }
 function getMachineEntropy(): string {