@vellumai/vellum-gateway 0.5.12 → 0.5.13

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/vellum-gateway",
-  "version": "0.5.12",
+  "version": "0.5.13",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/feature-flag-registry.json

@@ -47,7 +47,7 @@
       "key": "app-builder-multifile",
       "label": "App Builder Multi-file",
       "description": "Enable multi-file TSX app creation with esbuild compilation instead of single-HTML apps",
-      "defaultEnabled": false
+      "defaultEnabled": true
     },
     {
       "id": "mobile-pairing",

package/src/http/middleware/auth.ts

@@ -4,8 +4,11 @@ import { validateEdgeToken } from "../../auth/token-exchange.js";
 import { resolveScopeProfile } from "../../auth/scopes.js";
 import type { Scope } from "../../auth/types.js";
 import type { AuthRateLimiter } from "../../auth-rate-limiter.js";
+import { getLogger } from "../../logger.js";
 import { isLoopbackPeer } from "../routes/browser-relay-websocket.js";
 
+const log = getLogger("auth");
+
 type GetClientIp = () => string;
 
 /**
@@ -34,11 +37,19 @@ export function createAuthMiddleware(
     const token = extractBearerToken(req);
     if (!token) {
       authRateLimiter.recordFailure(getClientIp());
+      log.warn(
+        { path: new URL(req.url).pathname },
+        "Edge auth rejected: missing or malformed Authorization header",
+      );
       return Response.json({ error: "Unauthorized" }, { status: 401 });
     }
     const result = validateEdgeToken(token);
     if (!result.ok) {
       authRateLimiter.recordFailure(getClientIp());
+      log.warn(
+        { path: new URL(req.url).pathname, reason: result.reason },
+        "Edge auth rejected: token validation failed",
+      );
       return Response.json({ error: "Unauthorized" }, { status: 401 });
     }
     return null;
@@ -60,11 +71,19 @@ export function createAuthMiddleware(
     const token = extractBearerToken(req);
     if (!token) {
       authRateLimiter.recordFailure(getClientIp());
+      log.warn(
+        { path: new URL(req.url).pathname, scope },
+        "Scoped edge auth rejected: missing or malformed Authorization header",
+      );
       return Response.json({ error: "Unauthorized" }, { status: 401 });
     }
     const result = validateEdgeToken(token);
     if (!result.ok) {
       authRateLimiter.recordFailure(getClientIp());
+      log.warn(
+        { path: new URL(req.url).pathname, scope, reason: result.reason },
+        "Scoped edge auth rejected: token validation failed",
+      );
       return Response.json({ error: "Unauthorized" }, { status: 401 });
     }
     const scopes = resolveScopeProfile(result.claims.scope_profile);

package/src/http/middleware/deliver-auth.ts

@@ -1,4 +1,7 @@
 import { verifyToken } from "../../auth/token-service.js";
+import { getLogger } from "../../logger.js";
+
+const log = getLogger("deliver-auth");
 
 /**
  * Creates a fail-closed auth check for delivery routes.
@@ -21,12 +24,20 @@ export function checkDeliverAuth(
 
   const authHeader = req.headers.get("authorization");
   if (!authHeader || !authHeader.toLowerCase().startsWith("bearer ")) {
+    log.warn(
+      { path: new URL(req.url).pathname },
+      "Deliver auth rejected: missing or malformed Authorization header",
+    );
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 
   const token = authHeader.slice(7);
   const result = verifyToken(token, "vellum-daemon");
   if (!result.ok) {
+    log.warn(
+      { path: new URL(req.url).pathname, reason: result.reason },
+      "Deliver auth rejected: token validation failed",
+    );
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 

package/src/http/routes/runtime-proxy.ts

@@ -44,12 +44,19 @@ export function createRuntimeProxyHandler(config: GatewayConfig) {
     if (config.runtimeProxyRequireAuth && req.method !== "OPTIONS") {
       const authHeader = req.headers.get("authorization");
       if (!authHeader || !authHeader.toLowerCase().startsWith("bearer ")) {
+        log.warn(
+          { method: req.method, path: url.pathname },
+          "Runtime proxy auth rejected: missing or malformed Authorization header",
+        );
         return Response.json({ error: "Unauthorized" }, { status: 401 });
       }
       const edgeJwt = authHeader.slice(7);
       const result = validateEdgeToken(edgeJwt);
       if (!result.ok) {
-        log.debug({ reason: result.reason }, "Edge token validation failed");
+        log.warn(
+          { method: req.method, path: url.pathname, reason: result.reason },
+          "Runtime proxy auth rejected: edge token validation failed",
+        );
         return Response.json({ error: "Unauthorized" }, { status: 401 });
       }
       exchangeToken = mintExchangeToken(

package/src/index.ts

@@ -629,12 +629,20 @@ async function main() {
         const authHeader = req.headers.get("authorization");
         if (!authHeader || !authHeader.toLowerCase().startsWith("bearer ")) {
           authRateLimiter.recordFailure(getClientIp());
+          log.warn(
+            { path: new URL(req.url).pathname },
+            "Guardian refresh auth rejected: missing or malformed Authorization header",
+          );
           return Response.json({ error: "Unauthorized" }, { status: 401 });
         }
         const token = authHeader.slice(7);
         const result = validateEdgeToken(token, { allowExpired: true });
         if (!result.ok) {
           authRateLimiter.recordFailure(getClientIp());
+          log.warn(
+            { path: new URL(req.url).pathname, reason: result.reason },
+            "Guardian refresh auth rejected: token validation failed",
+          );
           return Response.json({ error: "Unauthorized" }, { status: 401 });
         }
         return channelVerificationSessionProxy.handleGuardianRefresh(req);