npm - machinaos - Versions diffs - 0.0.76 → 0.0.78 - Mend

machinaos 0.0.76 → 0.0.78

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (393) hide show

package/README.md +143 -107
package/client/dist/assets/ActionBar-Du2MSFSz.js +1 -0
package/client/dist/assets/ApiKeyInput-k2LBmBjb.js +1 -0
package/client/dist/assets/ApiKeyPanel-C_bV9U0X.js +1 -0
package/client/dist/assets/ApiUsageSection-CmVfwZzL.js +1 -0
package/client/dist/assets/EmailPanel-CeKIMGu-.js +1 -0
package/client/dist/assets/OAuthPanel-KA3t3Q2K.js +1 -0
package/client/dist/assets/QrPairingPanel-NgNpJNuk.js +1 -0
package/client/dist/assets/RateLimitSection-Du5YNVIA.js +1 -0
package/client/dist/assets/StatusCard-DNLyayXc.js +1 -0
package/client/dist/assets/index-DQ0nwhec.js +257 -0
package/client/dist/assets/index-DxmbVskS.css +1 -0
package/client/dist/assets/vendor-flow-CZmBvHRo.js +1 -0
package/client/dist/assets/vendor-icons-CVrPjN2Q.js +22 -0
package/client/dist/assets/vendor-markdown-CRou3yQ5.js +62 -0
package/client/dist/assets/vendor-misc-C4VxKHs5.js +1 -0
package/client/dist/assets/vendor-query-SzWcOU0G.js +1 -0
package/client/dist/assets/vendor-radix-Dnos29jG.js +56 -0
package/client/dist/assets/vendor-react-DvWIbVx0.js +1 -0
package/client/dist/index.html +37 -3
package/client/index.html +28 -1
package/client/package.json +44 -40
package/client/src/App.tsx +2 -0
package/client/src/Dashboard.tsx +157 -45
package/client/src/ParameterPanel.tsx +3 -5
package/client/src/adapters/nodeSpecToDescription.ts +1 -0
package/client/src/assets/icons/NodeIcon.tsx +32 -0
package/client/src/assets/icons/index.ts +4 -0
package/client/src/assets/icons/stripe.svg +1 -0
package/client/src/assets/icons/themedGlyphs.ts +404 -0
package/client/src/components/AIAgentNode.tsx +77 -53
package/client/src/components/GenericNode.tsx +34 -52
package/client/src/components/OutputPanel.tsx +64 -147
package/client/src/components/ParameterRenderer.tsx +5 -3
package/client/src/components/SkillEditorModal.tsx +9 -18
package/client/src/components/SquareNode.tsx +97 -115
package/client/src/components/StartNode.tsx +32 -42
package/client/src/components/SvgFilterDefs.tsx +54 -0
package/client/src/components/TeamMonitorNode.tsx +12 -14
package/client/src/components/ToolkitNode.tsx +35 -60
package/client/src/components/TriggerNode.tsx +43 -77
package/client/src/components/__tests__/CredentialsModal.test.tsx +49 -45
package/client/src/components/credentials/CredentialsModal.tsx +98 -30
package/client/src/components/credentials/CredentialsPalette.tsx +73 -5
package/client/src/components/credentials/catalogueAdapter.ts +17 -1
package/client/src/components/credentials/panels/ApiKeyPanel.tsx +102 -37
package/client/src/components/credentials/panels/EmailPanel.tsx +7 -19
package/client/src/components/credentials/panels/OAuthPanel.tsx +5 -1
package/client/src/components/credentials/panels/QrPairingPanel.tsx +1 -3
package/client/src/components/credentials/primitives/ActionBar.tsx +7 -11
package/client/src/components/credentials/primitives/OAuthConnect.tsx +19 -28
package/client/src/components/credentials/sections/ProviderDefaultsSection.tsx +24 -3
package/client/src/components/credentials/types.ts +12 -2
package/client/src/components/credentials/useCredentialPanel.ts +43 -19
package/client/src/components/icons/AIProviderIcons.tsx +16 -0
package/client/src/components/onboarding/OnboardingWizard.tsx +23 -63
package/client/src/components/onboarding/nodeRoleClasses.ts +23 -0
package/client/src/components/onboarding/steps/CanvasStep.tsx +15 -21
package/client/src/components/onboarding/steps/ConceptsStep.tsx +2 -11
package/client/src/components/onboarding/steps/GetStartedStep.tsx +2 -10
package/client/src/components/parameterPanel/InputSection.tsx +9 -7
package/client/src/components/parameterPanel/MasterSkillEditor.tsx +84 -198
package/client/src/components/parameterPanel/MiddleSection.tsx +57 -80
package/client/src/components/parameterPanel/ToolSchemaEditor.tsx +31 -25
package/client/src/components/parameterPanel/__tests__/InputSection.test.tsx +7 -2
package/client/src/components/ui/AIResultModal.tsx +1 -1
package/client/src/components/ui/CollapsibleSection.tsx +9 -5
package/client/src/components/ui/CommandPalette.tsx +147 -0
package/client/src/components/ui/CommandPaletteHost.tsx +189 -0
package/client/src/components/ui/ComponentItem.tsx +13 -7
package/client/src/components/ui/ComponentPalette.tsx +24 -13
package/client/src/components/ui/ConsolePanel.tsx +19 -11
package/client/src/components/ui/DropCap.tsx +28 -0
package/client/src/components/ui/EditableNodeLabel.tsx +10 -2
package/client/src/components/ui/InputNodesPanel.tsx +1 -1
package/client/src/components/ui/Modal.tsx +38 -6
package/client/src/components/ui/OutputDisplayPanel.tsx +1 -1
package/client/src/components/ui/SettingsPanel.tsx +42 -13
package/client/src/components/ui/StatusBar.tsx +108 -0
package/client/src/components/ui/ThemeSwitcher.tsx +109 -0
package/client/src/components/ui/TopToolbar.tsx +42 -25
package/client/src/components/ui/WorkflowSidebar.tsx +32 -16
package/client/src/components/ui/action-button.tsx +40 -15
package/client/src/components/ui/button.tsx +24 -1
package/client/src/components/ui/dropdown-menu.tsx +24 -2
package/client/src/components/ui/input.tsx +19 -2
package/client/src/components/ui/select.tsx +15 -0
package/client/src/components/ui/textarea.tsx +15 -2
package/client/src/contexts/AuthContext.tsx +148 -109
package/client/src/contexts/ThemeContext.tsx +93 -17
package/client/src/contexts/WebSocketContext.tsx +373 -206
package/client/src/contexts/__tests__/AuthContext.test.tsx +221 -0
package/client/src/hooks/__tests__/useDragVariable.test.ts +7 -1
package/client/src/hooks/__tests__/useWorkflowOpsListener.test.ts +142 -0
package/client/src/hooks/useAppTheme.ts +209 -7
package/client/src/hooks/useAutoSkillEdges.ts +7 -2
package/client/src/hooks/useCatalogueQuery.ts +67 -1
package/client/src/hooks/useDragVariable.ts +1 -1
package/client/src/hooks/useNodeAllowlist.ts +115 -8
package/client/src/hooks/useOnboarding.ts +20 -8
package/client/src/hooks/useParameterPanel.ts +2 -1
package/client/src/hooks/useReactFlowNodes.ts +2 -1
package/client/src/hooks/useSound.ts +185 -0
package/client/src/hooks/useWorkflowManagement.ts +6 -8
package/client/src/hooks/useWorkflowOpsListener.ts +90 -0
package/client/src/index.css +65 -3
package/client/src/lib/__tests__/connectionConfig.test.ts +91 -0
package/client/src/lib/aiModelProviders.ts +8 -0
package/client/src/lib/connectionConfig.ts +107 -0
package/client/src/lib/queryPersist.ts +13 -5
package/client/src/lib/sound.ts +393 -0
package/client/src/main.tsx +20 -0
package/client/src/store/useAppStore.ts +26 -0
package/client/src/styles/canvasAnimations.ts +37 -36
package/client/src/styles/theme.ts +36 -20
package/client/src/test/setup.ts +1 -0
package/client/src/themes/atomic.css +253 -0
package/client/src/themes/base.css +373 -0
package/client/src/themes/cyber.css +890 -0
package/client/src/themes/dark.css +70 -0
package/client/src/themes/edo.css +246 -0
package/client/src/themes/greek.css +293 -0
package/client/src/themes/light.css +78 -0
package/client/src/themes/plague.css +253 -0
package/client/src/themes/renaissance.css +727 -0
package/client/src/themes/rot.css +249 -0
package/client/src/themes/steampunk.css +272 -0
package/client/src/themes/surveillance.css +289 -0
package/client/src/themes/wasteland.css +250 -0
package/client/src/types/INodeProperties.ts +5 -0
package/client/src/types/NodeTypes.ts +11 -1
package/client/src/types/__tests__/cloudEvents.test.ts +99 -0
package/client/src/types/cloudEvents.ts +78 -0
package/client/src/vite-env.d.ts +7 -0
package/client/tsconfig.json +1 -1
package/client/vite.config.js +62 -2
package/install.ps1 +1 -1
package/install.sh +1 -1
package/machina/commands/build.py +51 -7
package/machina/pyproject.toml +4 -0
package/machina/supervisor.py +12 -2
package/machina/tree.py +71 -21
package/package.json +4 -4
package/scripts/install.js +16 -1
package/server/config/ai_cli_providers.json +54 -0
package/server/config/credential_providers.json +109 -2
package/server/config/llm_defaults.json +24 -0
package/server/config/model_registry.json +338 -499
package/server/config/node_allowlist.json +16 -1
package/server/config/pricing.json +8 -0
package/server/constants.py +38 -15
package/server/core/container.py +2 -2
package/server/core/credentials_database.py +35 -2
package/server/core/logging.py +4 -3
package/server/main.py +99 -13
package/server/models/node_metadata.py +1 -0
package/server/nodejs/package.json +8 -6
package/server/nodejs/src/index.ts +22 -5
package/server/nodes/README.md +31 -4
package/server/nodes/agent/_inline.py +2 -0
package/server/nodes/agent/_specialized.py +6 -3
package/server/nodes/agent/ai_agent.py +13 -3
package/server/nodes/agent/chat_agent.py +6 -3
package/server/nodes/agent/claude_code_agent.py +287 -75
package/server/nodes/agent/codex_agent.py +239 -0
package/server/nodes/agent/deep_agent.py +3 -3
package/server/nodes/agent/rlm_agent.py +3 -3
package/server/nodes/android/__init__.py +31 -1
package/server/nodes/android/_base.py +9 -5
package/server/{services/android_service.py → nodes/android/_dispatcher.py} +2 -2
package/server/nodes/android/_handlers.py +154 -0
package/server/nodes/android/_option_loaders.py +44 -0
package/server/nodes/android/_refresh.py +127 -0
package/server/{services/android → nodes/android/_relay}/client.py +4 -4
package/server/{routers/android.py → nodes/android/_router.py} +27 -8
package/server/nodes/browser/browser.py +2 -2
package/server/nodes/code/_base.py +6 -2
package/server/nodes/code/_claude_code.py +134 -0
package/server/nodes/document/embedding_generator.py +3 -3
package/server/nodes/document/http_scraper.py +3 -3
package/server/nodes/document/vector_store.py +5 -5
package/server/nodes/email/__init__.py +11 -1
package/server/nodes/email/_filters.py +21 -0
package/server/{services/himalaya_service.py → nodes/email/_himalaya.py} +6 -10
package/server/{services/email_service.py → nodes/email/_service.py} +9 -13
package/server/nodes/email/email_read.py +1 -1
package/server/nodes/email/email_receive.py +54 -5
package/server/nodes/email/email_send.py +1 -1
package/server/nodes/filesystem/shell.py +24 -1
package/server/nodes/google/__init__.py +55 -1
package/server/{services/handlers/google_auth.py → nodes/google/_auth_helper.py} +8 -5
package/server/nodes/google/_base.py +2 -2
package/server/nodes/google/_credentials.py +5 -5
package/server/nodes/google/_filters.py +25 -0
package/server/nodes/google/_handlers.py +57 -0
package/server/{services/google_oauth.py → nodes/google/_oauth.py} +195 -162
package/server/nodes/google/_option_loaders.py +107 -0
package/server/nodes/google/_refresh.py +66 -0
package/server/nodes/google/_router.py +131 -0
package/server/nodes/google/gmail_receive.py +41 -4
package/server/nodes/groups.py +1 -0
package/server/nodes/location/_credentials.py +45 -1
package/server/{services/maps.py → nodes/location/_service.py} +18 -3
package/server/nodes/location/gmaps_create.py +4 -4
package/server/nodes/location/gmaps_locations.py +4 -4
package/server/nodes/location/gmaps_nearby_places.py +4 -4
package/server/nodes/model/_base.py +8 -3
package/server/nodes/model/_credentials.py +96 -8
package/server/nodes/model/_local_validator.py +345 -0
package/server/nodes/model/lmstudio_chat_model.py +23 -0
package/server/nodes/model/ollama_chat_model.py +25 -0
package/server/nodes/proxy/_usage.py +2 -2
package/server/nodes/proxy/proxy_config.py +14 -14
package/server/nodes/proxy/proxy_request.py +4 -4
package/server/nodes/scraper/_credentials.py +29 -1
package/server/nodes/scraper/apify_actor.py +9 -9
package/server/nodes/scraper/crawlee_scraper.py +5 -5
package/server/nodes/search/brave_search.py +4 -0
package/server/nodes/search/perplexity_search.py +9 -0
package/server/nodes/search/serper_search.py +3 -0
package/server/nodes/skill/simple_memory.py +12 -0
package/server/nodes/social/_base.py +2 -2
package/server/nodes/stripe/__init__.py +46 -0
package/server/nodes/stripe/_credentials.py +33 -0
package/server/nodes/stripe/_handlers.py +270 -0
package/server/nodes/stripe/_install.py +127 -0
package/server/nodes/stripe/_source.py +174 -0
package/server/nodes/stripe/stripe_action.py +81 -0
package/server/nodes/stripe/stripe_receive.py +92 -0
package/server/nodes/telegram/_credentials.py +52 -1
package/server/nodes/telegram/_handlers.py +19 -18
package/server/nodes/telegram/_service.py +134 -32
package/server/nodes/telegram/telegram_send.py +5 -6
package/server/nodes/text/file_handler.py +2 -2
package/server/nodes/text/text_generator.py +2 -2
package/server/nodes/tool/agent_builder.py +630 -0
package/server/nodes/tool/task_manager.py +144 -2
package/server/nodes/twitter/__init__.py +38 -1
package/server/nodes/twitter/_base.py +7 -7
package/server/nodes/twitter/_credentials.py +1 -1
package/server/nodes/twitter/_filters.py +37 -0
package/server/nodes/twitter/_handlers.py +77 -0
package/server/nodes/twitter/_oauth.py +124 -0
package/server/nodes/twitter/_refresh.py +78 -0
package/server/nodes/twitter/_router.py +29 -0
package/server/nodes/twitter/twitter_receive.py +4 -0
package/server/nodes/visuals.json +64 -19
package/server/nodes/whatsapp/__init__.py +45 -5
package/server/nodes/whatsapp/_base.py +3 -3
package/server/nodes/whatsapp/_filters.py +137 -0
package/server/nodes/whatsapp/_handlers.py +167 -0
package/server/nodes/whatsapp/_option_loaders.py +68 -0
package/server/nodes/whatsapp/_refresh.py +62 -0
package/server/nodes/whatsapp/_runtime.py +1 -1
package/server/pyproject.toml +29 -7
package/server/routers/schemas.py +2 -2
package/server/routers/webhook.py +26 -9
package/server/routers/websocket.py +149 -810
package/server/services/ai.py +89 -8
package/server/services/auth.py +220 -43
package/server/services/claude_oauth.py +126 -100
package/server/services/cli_agent/__init__.py +78 -0
package/server/services/cli_agent/_handlers.py +237 -0
package/server/services/cli_agent/config.py +112 -0
package/server/services/cli_agent/factory.py +48 -0
package/server/services/cli_agent/lockfile.py +141 -0
package/server/services/cli_agent/mcp_server.py +482 -0
package/server/services/cli_agent/protocol.py +173 -0
package/server/services/cli_agent/providers/__init__.py +9 -0
package/server/services/cli_agent/providers/anthropic_claude.py +419 -0
package/server/services/cli_agent/providers/google_gemini.py +80 -0
package/server/services/cli_agent/providers/openai_codex.py +310 -0
package/server/services/cli_agent/service.py +607 -0
package/server/services/cli_agent/session.py +618 -0
package/server/services/cli_agent/types.py +227 -0
package/server/services/cli_agent/workflow_tools.py +233 -0
package/server/services/credential_registry.py +26 -1
package/server/services/deployment/manager.py +26 -145
package/server/services/deployment/poll_registry.py +59 -0
package/server/services/event_waiter.py +76 -246
package/server/services/events/__init__.py +54 -0
package/server/services/events/cli.py +78 -0
package/server/services/events/daemon.py +163 -0
package/server/services/events/envelope.py +281 -0
package/server/services/events/lifecycle.py +99 -0
package/server/services/events/oauth_lifecycle.py +534 -0
package/server/services/events/polling.py +60 -0
package/server/services/events/push.py +36 -0
package/server/services/events/source.py +63 -0
package/server/services/events/triggers.py +118 -0
package/server/services/events/verifiers/__init__.py +25 -0
package/server/services/events/verifiers/base.py +28 -0
package/server/services/events/verifiers/github.py +25 -0
package/server/services/events/verifiers/hmac_basic.py +32 -0
package/server/services/events/verifiers/standard_webhooks.py +47 -0
package/server/services/events/verifiers/stripe.py +42 -0
package/server/services/events/webhook.py +105 -0
package/server/services/handlers/tools.py +28 -186
package/server/services/llm/config.py +7 -0
package/server/services/llm/factory.py +8 -2
package/server/services/memory/__init__.py +52 -0
package/server/services/memory/jsonl.py +80 -0
package/server/services/memory/markdown.py +65 -0
package/server/services/memory/state.py +112 -0
package/server/services/memory/vector_store.py +40 -0
package/server/services/model_registry.py +76 -0
package/server/services/node_allowlist.py +71 -15
package/server/services/node_executor.py +2 -2
package/server/services/node_output_schemas.py +21 -10
package/server/services/node_spec.py +1 -1
package/server/services/oauth_utils.py +1 -1
package/server/services/plugin/__init__.py +2 -0
package/server/services/plugin/base.py +44 -2
package/server/services/plugin/credential.py +288 -1
package/server/services/plugin/deps.py +105 -0
package/server/services/plugin/edge_walker.py +12 -4
package/server/services/plugin/oauth.py +381 -0
package/server/services/plugin/polling.py +247 -0
package/server/services/plugin/registry.py +145 -0
package/server/services/plugin/singleton.py +65 -0
package/server/services/plugin/ws.py +81 -0
package/server/services/process_service.py +31 -2
package/server/services/status_broadcaster.py +155 -238
package/server/services/temporal/workflow.py +7 -7
package/server/services/workflow.py +21 -3
package/server/services/ws_handler_registry.py +111 -28
package/server/skills/GUIDE.md +16 -1
package/server/skills/assistant/agent-builder-skill/SKILL.md +166 -0
package/server/skills/payments_agent/stripe-skill/SKILL.md +306 -0
package/server/tests/credentials/test_auth_service.py +16 -9
package/server/tests/credentials/test_credential_broadcasts.py +219 -0
package/server/tests/credentials/test_google_oauth.py +6 -6
package/server/tests/credentials/test_oauth_utils.py +1 -1
package/server/tests/credentials/test_twitter_oauth.py +2 -2
package/server/tests/credentials/test_websocket_handlers.py +44 -20
package/server/tests/llm/test_factory.py +1 -0
package/server/tests/llm/test_wiring.py +5 -1
package/server/tests/nodes/_compat.py +24 -24
package/server/tests/nodes/test_agent_builder.py +439 -0
package/server/tests/nodes/test_ai_tools.py +18 -14
package/server/tests/nodes/test_code_fs_process.py +17 -8
package/server/tests/nodes/test_email.py +10 -9
package/server/tests/nodes/test_google_workspace.py +2 -2
package/server/tests/nodes/test_specialized_agents.py +100 -53
package/server/tests/nodes/test_stripe_plugin.py +293 -0
package/server/tests/nodes/test_telegram_social.py +4 -4
package/server/tests/nodes/test_twitter.py +1 -1
package/server/tests/nodes/test_web_automation.py +2 -2
package/server/tests/nodes/test_whatsapp.py +9 -9
package/server/tests/services/cli_agent/__init__.py +0 -0
package/server/tests/services/cli_agent/test_mcp_server.py +432 -0
package/server/tests/services/cli_agent/test_providers.py +358 -0
package/server/tests/services/cli_agent/test_service.py +298 -0
package/server/tests/services/memory/__init__.py +0 -0
package/server/tests/services/memory/test_jsonl.py +188 -0
package/server/tests/services/test_events.py +333 -0
package/server/tests/test_node_spec.py +56 -16
package/server/tests/test_plugin_helpers.py +116 -0
package/server/tests/test_plugin_self_containment.py +486 -0
package/server/tests/test_status_broadcasts.py +425 -0
package/workflows/{AI Assistant_workflow-1777421105154-0m4snkzjf.json → AI Assistant_workflow-1778504793388-ou1m1tz2x.json } +70 -266
package/workflows/{AI Employee_workflow-1777720598005-u4cm858dv.json → AI Employee_example_workflow-1777720598005-u4cm858dv.json } +112 -112
package/workflows/Claude Assistant_workflow-1778380124051-mdibn807c.json +709 -0
package/client/dist/assets/ActionBar-vzPpSR77.js +0 -1
package/client/dist/assets/ApiKeyInput-Ds7AKFe8.js +0 -1
package/client/dist/assets/ApiKeyPanel-gfblELep.js +0 -1
package/client/dist/assets/ApiUsageSection-BMNWTe2r.js +0 -1
package/client/dist/assets/EmailPanel-B1Om64p5.js +0 -1
package/client/dist/assets/OAuthPanel-CXyQYGBz.js +0 -1
package/client/dist/assets/QrPairingPanel-BgNuI1we.js +0 -1
package/client/dist/assets/RateLimitSection-YYK8sx1T.js +0 -1
package/client/dist/assets/StatusCard-DuYA5hJR.js +0 -1
package/client/dist/assets/index-D9tZfgvi.js +0 -363
package/client/dist/assets/index-al7snTkG.css +0 -1
package/client/src/components/credentials/providers.tsx +0 -177
package/server/routers/google.py +0 -277
package/server/routers/maps.py +0 -142
package/server/routers/twitter.py +0 -365
package/server/services/claude_code_service.py +0 -106
package/server/services/memory.py +0 -159
package/server/services/node_option_loaders/__init__.py +0 -77
package/server/services/node_option_loaders/android_loaders.py +0 -55
package/server/services/node_option_loaders/google_loaders.py +0 -97
package/server/services/node_option_loaders/whatsapp_loaders.py +0 -69
package/server/services/twitter_oauth.py +0 -411
package/server/services/websocket_client.py +0 -29
/package/server/{services/android → nodes/android/_relay}/__init__.py +0 -0
/package/server/{services/android → nodes/android/_relay}/broadcaster.py +0 -0
/package/server/{services/android → nodes/android/_relay}/manager.py +0 -0
/package/server/{services/android → nodes/android/_relay}/protocol.py +0 -0
/package/server/{services/browser_service.py → nodes/browser/_service.py} +0 -0
/package/server/{services/whatsapp_service.py → nodes/whatsapp/_service.py} +0 -0
/package/server/skills/{task_agent → assistant}/write-todos-skill/SKILL.md +0 -0

package/server/tests/credentials/test_auth_service.py CHANGED Viewed

@@ -3,7 +3,9 @@
 Locks in invariants 7 and 8 from docs-internal/credentials_panel.md:
   - store_api_key requires models=[]
   - Memory cache hit path does not query DB on every call
-  - clear_cache wipes _memory_cache, _models_cache, _oauth_cache
+  - clear_cache wipes _api_key_cache, _oauth_cache (one merged cache
+    per RFC 9700 + post-Wave-12 dedup; previously the API-key half was
+    split across _memory_cache + _models_cache).
 """
 from __future__ import annotations
@@ -91,8 +93,7 @@ class TestMemoryCache:
         await auth_service.store_api_key("openai", "sk-foo", models=[])
         # Wipe memory cache to simulate fresh process
-        auth_service._memory_cache.clear()
-        auth_service._models_cache.clear()
+        auth_service._api_key_cache.clear()
         call_count = {"n": 0}
         original = auth_service.credentials_db.get_api_key
@@ -111,19 +112,17 @@ class TestMemoryCache:
         assert await auth_service.get_api_key("openai") == "sk-foo"
         assert call_count["n"] == 1
-    async def test_clear_cache_wipes_all_three_caches(self, auth_service):
+    async def test_clear_cache_wipes_both_caches(self, auth_service):
         await auth_service.store_api_key("openai", "sk-foo", models=["gpt-4"])
         await auth_service.store_oauth_tokens("google", "a", "r", email="u@x.com")
         # Sanity: caches populated
-        assert auth_service._memory_cache
-        assert auth_service._models_cache
+        assert auth_service._api_key_cache
         assert auth_service._oauth_cache
         auth_service.clear_cache()
-        assert auth_service._memory_cache == {}
-        assert auth_service._models_cache == {}
+        assert auth_service._api_key_cache == {}
         assert auth_service._oauth_cache == {}
     async def test_clear_cache_does_not_delete_db_data(self, auth_service):
@@ -149,10 +148,18 @@ class TestOAuthOps:
         tokens = await auth_service.get_oauth_tokens("google")
         assert tokens is not None
         assert tokens["access_token"] == "access-1"
-        assert tokens["refresh_token"] == "refresh-1"
+        # Per RFC 9700 the refresh token is NOT returned by
+        # get_oauth_tokens — read via get_oauth_refresh_token() instead.
+        assert "refresh_token" not in tokens
         assert tokens["email"] == "u@example.com"
         assert tokens["scopes"] == "openid email"
+        # The refresh token is reachable through the dedicated helper
+        # that always reads from the encrypted DB (no in-memory cache).
+        assert (
+            await auth_service.get_oauth_refresh_token("google") == "refresh-1"
+        )
     async def test_remove_oauth_tokens(self, auth_service):
         await auth_service.store_oauth_tokens("google", "a", "r")
         ok = await auth_service.remove_oauth_tokens("google")

package/server/tests/credentials/test_credential_broadcasts.py ADDED Viewed

@@ -0,0 +1,219 @@
+"""Pytest invariant: every credential-mutation handler MUST broadcast.
+The frontend's `useCatalogueQuery` cache + `apiKeyStatuses` map both go
+stale unless the backend explicitly invalidates via:
+- ``broadcaster.update_api_key_status(...)`` — per-provider validation
+  state change (carries the validation result payload).
+- ``broadcaster.broadcast_credential_event("credential.*", ...)`` —
+  CloudEvents-typed mutation (refetch signal). Wraps ``WorkflowEvent``
+  from ``services.events.envelope``.
+Cross-tab visibility breaks the moment a handler omits both. This test
+locks the contract by reading each handler's source via
+``inspect.getsource`` and asserting it contains at least one of the two
+broadcast call patterns. New credential mutations that forget to
+broadcast fail CI before they ship.
+Companion: ``test_auth_service.py`` locks the DB-write-then-cache-update
+ordering inside AuthService.
+"""
+from __future__ import annotations
+import inspect
+import re
+import pytest
+pytestmark = pytest.mark.credentials
+# Match either:
+#   broadcaster.update_api_key_status(...)
+#   broadcaster.broadcast_credential_event("credential.<anything>", ...)
+# Anchor on `.update_api_key_status(` or `.broadcast_credential_event(`
+# so renames force a test update (intentional).
+_BROADCAST_PATTERN = re.compile(
+    r"\.(?:update_api_key_status|broadcast_credential_event)\s*\("
+)
+def _handler_source(handler) -> str:
+    """Return the unwrapped source of a handler decorated by `@ws_handler`."""
+    fn = handler
+    while hasattr(fn, "__wrapped__"):
+        fn = fn.__wrapped__
+    return inspect.getsource(fn)
+class TestCredentialMutationHandlersBroadcast:
+    """Every handler that mutates credential state MUST broadcast.
+    Failing this test means a frontend cache will go stale across tabs
+    after the mutation; users will see the wrong stored / connected
+    state until they manually refresh.
+    """
+    def test_validate_api_key_broadcasts(self):
+        """Validation broadcasts come from ``Credential.validate`` now.
+        ``handle_validate_api_key`` is a pure dispatcher that calls
+        ``CREDENTIAL_REGISTRY[provider].validate(...)``. The broadcast
+        happens inside ``Credential.validate`` (the shared scaffold in
+        ``services/plugin/credential.py``). This test checks the
+        invariant at the point where it actually lives.
+        """
+        from services.plugin.credential import Credential
+        src = inspect.getsource(Credential.validate)
+        assert _BROADCAST_PATTERN.search(src), (
+            "Credential.validate must broadcast via update_api_key_status — "
+            "every credential mutation must surface to connected clients."
+        )
+    def test_save_api_key_broadcasts(self):
+        from routers import websocket as ws_module
+        src = _handler_source(ws_module.handle_save_api_key)
+        assert _BROADCAST_PATTERN.search(src), (
+            "handle_save_api_key must broadcast credential.api_key.saved "
+            "via broadcast_credential_event so the catalogue's stored "
+            "flag flips on every connected client"
+        )
+    def test_delete_api_key_broadcasts(self):
+        from routers import websocket as ws_module
+        src = _handler_source(ws_module.handle_delete_api_key)
+        # Delete must trigger BOTH broadcasts: api_key_status (clears
+        # apiKeyStatuses) + credential.api_key.deleted (catalogue refetch).
+        matches = _BROADCAST_PATTERN.findall(src)
+        assert len(matches) >= 2, (
+            "handle_delete_api_key must broadcast both update_api_key_status "
+            "(clears apiKeyStatuses[provider]) AND broadcast_credential_event "
+            "('credential.api_key.deleted') (catalogue refetch). "
+            f"Found {len(matches)} broadcast call(s)."
+        )
+    def test_twitter_logout_broadcasts(self):
+        # Twitter handler moved to ``nodes/twitter/_handlers.py`` as
+        # part of the plugin-extraction migration. The invariant now
+        # asserts on the plugin-owned source.
+        from nodes.twitter._handlers import handle_twitter_logout
+        src = _handler_source(handle_twitter_logout)
+        assert _BROADCAST_PATTERN.search(src), (
+            "handle_twitter_logout must broadcast credential.oauth.disconnected"
+        )
+    def test_google_logout_broadcasts(self):
+        from nodes.google._handlers import handle_google_logout
+        src = _handler_source(handle_google_logout)
+        assert _BROADCAST_PATTERN.search(src), (
+            "handle_google_logout must broadcast credential.oauth.disconnected"
+        )
+class TestCredentialEventCloudEventsShape:
+    """The credential broadcast helper wraps `WorkflowEvent` so the
+    on-the-wire body is a CloudEvents v1.0 envelope. Locks the spec
+    fields so future refactors don't quietly drop required keys.
+    """
+    @pytest.fixture
+    def envelope(self):
+        from services.events.envelope import WorkflowEvent
+        event = WorkflowEvent(
+            source="machinaos://services/credentials",
+            type="credential.api_key.saved",
+            subject="openai",
+            data={"provider": "openai"},
+        )
+        return event.model_dump(mode="json")
+    def test_specversion_pinned_to_1(self, envelope):
+        assert envelope["specversion"] == "1.0"
+    def test_required_fields_present(self, envelope):
+        # CloudEvents 1.0 mandatory: id, source, specversion, type
+        for field in ("id", "source", "specversion", "type"):
+            assert envelope.get(field), f"missing required field: {field}"
+    def test_credential_subject_is_provider(self, envelope):
+        assert envelope["subject"] == "openai"
+    def test_event_type_namespaced(self, envelope):
+        # Convention: credential.<area>.<action>
+        assert envelope["type"].startswith("credential."), envelope["type"]
+class TestAuthServiceDbCanonicalInvariant:
+    """AuthService.store_*/remove_* must do the DB call before touching
+    the in-memory cache. Reverse order leaves a stale-cache window.
+    Static-source check; doesn't run the methods.
+    """
+    @pytest.fixture
+    def auth_source(self):
+        from services import auth as auth_module
+        return inspect.getsource(auth_module.AuthService)
+    @pytest.mark.parametrize(
+        "method_name,db_call",
+        [
+            ("store_api_key", "credentials_db.save_api_key"),
+            ("remove_api_key", "credentials_db.delete_api_key"),
+            ("store_oauth_tokens", "credentials_db.save_oauth_tokens"),
+            ("remove_oauth_tokens", "credentials_db.delete_oauth_tokens"),
+        ],
+    )
+    def test_method_calls_db(self, auth_source, method_name, db_call):
+        """Every store_*/remove_* method must call the canonical DB
+        method. Invariant breaks if a refactor accidentally bypasses
+        the DB and only updates the cache."""
+        # Find the method body in the AuthService source. Anchor end on
+        # the next method/class start OR end-of-string (the last method
+        # in the class has no trailing sibling).
+        method_re = re.compile(
+            rf"async def {method_name}\b.*?(?=\n    async def |\n    def |\nclass |\Z)",
+            re.DOTALL,
+        )
+        match = method_re.search(auth_source)
+        assert match, f"AuthService.{method_name} not found in source"
+        body = match.group(0)
+        assert db_call in body, (
+            f"AuthService.{method_name} must call self.{db_call}() "
+            f"before touching the in-memory cache (DB is canonical "
+            f"source of truth)"
+        )
+    def test_oauth_cache_does_not_carry_refresh_token(self, auth_source):
+        """Per RFC 9700, refresh tokens must not live in process memory.
+        store_oauth_tokens caches only the access token + display fields.
+        """
+        match = re.search(
+            r"async def store_oauth_tokens\b.*?(?=\n    async def |\n    def |\nclass )",
+            auth_source,
+            re.DOTALL,
+        )
+        assert match, "AuthService.store_oauth_tokens not found"
+        body = match.group(0)
+        # Find the cache-write block. It assigns to self._oauth_cache[...].
+        cache_block = re.search(
+            r"self\._oauth_cache\[\w+\]\s*=\s*\{[^}]+\}", body, re.DOTALL
+        )
+        assert cache_block, (
+            "AuthService.store_oauth_tokens must populate _oauth_cache"
+        )
+        assert '"refresh_token"' not in cache_block.group(0), (
+            "RFC 9700 violation: _oauth_cache entry must not carry "
+            "refresh_token. Use get_oauth_refresh_token() helper that "
+            "always reads from the encrypted DB."
+        )

package/server/tests/credentials/test_google_oauth.py CHANGED Viewed

@@ -11,8 +11,8 @@ from urllib.parse import parse_qs, urlparse
 import pytest
-from services import google_oauth
-from services.google_oauth import GoogleOAuth, get_callback_paths
+from nodes.google import _oauth as google_oauth
+from nodes.google._oauth import GoogleOAuth, get_callback_paths
 pytestmark = pytest.mark.credentials
@@ -88,18 +88,18 @@ class TestAuthorizationUrl:
 class TestExchangeCode:
-    def test_unknown_state_fails(self, oauth):
+    async def test_unknown_state_fails(self, oauth):
         # Don't even register a state -- exchange must fail without hitting Google.
-        result = oauth.exchange_code("code", "never-generated-state")
+        result = await oauth.exchange_code("code", "never-generated-state")
         assert result["success"] is False
         assert "state" in result["error"].lower()
-    def test_state_consumed_on_failure(self, oauth):
+    async def test_state_consumed_on_failure(self, oauth):
         """Even if the token exchange fails, the state must be popped (single use)."""
         auth = oauth.generate_authorization_url()
         state = auth["state"]
         # Exchange will fail because we haven't mocked Google -- network error
-        oauth.exchange_code("invalid-code", state)
+        await oauth.exchange_code("invalid-code", state)
         # State must be gone regardless of success
         assert state not in google_oauth._oauth_states

package/server/tests/credentials/test_oauth_utils.py CHANGED Viewed

@@ -80,7 +80,7 @@ class TestGetRedirectUri:
     def test_paths_loaded_from_config_not_hardcoded(self):
         """Smoke test: the real config must expose google + twitter paths."""
-        from services.google_oauth import get_callback_paths
+        from nodes.google._oauth import get_callback_paths
         paths = get_callback_paths()
         assert "google" in paths

package/server/tests/credentials/test_twitter_oauth.py CHANGED Viewed

@@ -16,8 +16,8 @@ import httpx
 import pytest
 import respx
-from services import twitter_oauth
-from services.twitter_oauth import (
+from nodes.twitter import _oauth as twitter_oauth
+from nodes.twitter._oauth import (
     TwitterOAuth,
     TOKEN_URL,
     REVOKE_URL,

package/server/tests/credentials/test_websocket_handlers.py CHANGED Viewed

@@ -60,6 +60,10 @@ def patched_container(monkeypatch, auth_service):
     # not on services.status_broadcaster (the bound name in the handler module).
     fake_broadcaster = MagicMock()
     fake_broadcaster.update_api_key_status = AsyncMock()
+    # Wave-12 credential broadcast helper used by save / delete /
+    # oauth-logout handlers. Wraps WorkflowEvent (CloudEvents v1.0)
+    # and broadcasts as `credential_catalogue_updated`.
+    fake_broadcaster.broadcast_credential_event = AsyncMock()
     fake_broadcaster.broadcast = AsyncMock()
     fake_broadcaster._status = {}
     monkeypatch.setattr(ws_module, "get_status_broadcaster", lambda: fake_broadcaster)
@@ -110,22 +114,23 @@ class TestValidateApiKey:
         # Broadcaster notified with hasKey + models
         patched_container.broadcaster.update_api_key_status.assert_awaited_once()
-    @patch("services.ai.PROVIDER_CONFIGS", {})
-    @patch.object(ws_module, "_SPECIAL_PROVIDER_VALIDATORS", {})
-    async def test_validate_skips_model_fetch_for_non_llm(
+    async def test_validate_unknown_provider_returns_error(
         self, patched_container, fake_ws
     ):
-        # Pick a provider that's neither in PROVIDER_CONFIGS (LLM) nor in
-        # _SPECIAL_PROVIDER_VALIDATORS (Google Maps / Apify probe). The
-        # handler should fall through to the empty-models path.
+        # ``handle_validate_api_key`` dispatches via
+        # ``CREDENTIAL_REGISTRY``; a provider without a registered
+        # ``Credential`` subclass is an explicit error (no fall-through
+        # to the default LLM probe — every supported provider must own
+        # its credential class).
         result = await _call(
             ws_module.handle_validate_api_key,
             {"provider": "anonymous_provider", "api_key": "any-test"},
             fake_ws,
         )
-        assert result["valid"] is True
-        assert result["models"] == []
+        assert result["success"] is False
+        assert result["valid"] is False
+        assert "anonymous_provider" in result["error"]
         patched_container.ai.fetch_models.assert_not_called()
     async def test_missing_required_fields_returns_error(
@@ -214,14 +219,22 @@ class TestDeleteApiKey:
 class TestTwitterOAuthHandlers:
+    # Twitter handlers moved to ``nodes/twitter/_handlers.py`` as part
+    # of the plugin-extraction migration. The tests now import
+    # directly from the plugin folder; the dispatch contract via
+    # ``register_ws_handlers`` is exercised by
+    # ``test_plugin_self_containment.py``.
     async def test_login_fails_without_client_id(self, patched_container, fake_ws):
-        result = await _call(ws_module.handle_twitter_oauth_login, {}, fake_ws)
+        from nodes.twitter._handlers import handle_twitter_oauth_login
+        result = await _call(handle_twitter_oauth_login, {}, fake_ws)
         assert result["success"] is False
         assert "Client ID" in result["error"]
     async def test_login_returns_authorization_url(
         self, patched_container, fake_ws
     ):
+        from nodes.twitter._handlers import handle_twitter_oauth_login
         await patched_container.auth.store_api_key(
             "twitter_client_id", "ci-test", models=[]
         )
@@ -229,41 +242,51 @@ class TestTwitterOAuthHandlers:
             "twitter_client_secret", "cs-test", models=[]
         )
-        result = await _call(ws_module.handle_twitter_oauth_login, {}, fake_ws)
+        result = await _call(handle_twitter_oauth_login, {}, fake_ws)
         assert result["success"] is True
         assert result["url"].startswith("https://x.com/i/oauth2/authorize")
         assert "state" in result
     async def test_status_when_disconnected(self, patched_container, fake_ws):
-        result = await _call(ws_module.handle_twitter_oauth_status, {}, fake_ws)
+        from nodes.twitter._handlers import handle_twitter_oauth_status
+        result = await _call(handle_twitter_oauth_status, {}, fake_ws)
         assert result["connected"] is False
         assert result["username"] is None
     async def test_logout_clears_oauth_tokens(self, patched_container, fake_ws):
-        # Pre-populate OAuth tokens
+        from nodes.twitter._handlers import handle_twitter_logout
         await patched_container.auth.store_oauth_tokens(
             "twitter", "access", "refresh"
         )
-        # Mock the revoke calls so we don't hit the network
-        with patch("services.twitter_oauth.TwitterOAuth.revoke_token", new=AsyncMock(return_value={"success": True})):
-            result = await _call(ws_module.handle_twitter_logout, {}, fake_ws)
+        with patch(
+            "nodes.twitter._oauth.TwitterOAuth.revoke_token",
+            new=AsyncMock(return_value={"success": True}),
+        ):
+            result = await _call(handle_twitter_logout, {}, fake_ws)
         assert result["success"] is True
         assert await patched_container.auth.get_oauth_tokens("twitter") is None
 class TestGoogleOAuthHandlers:
+    # Google OAuth handlers moved to ``nodes/google/_handlers.py`` as
+    # part of the plugin-extraction migration. Tests now import from
+    # the plugin folder; the dispatch contract is exercised by
+    # ``test_plugin_self_containment.py``.
     async def test_login_fails_without_client_credentials(
         self, patched_container, fake_ws
     ):
-        result = await _call(ws_module.handle_google_oauth_login, {}, fake_ws)
+        from nodes.google._handlers import handle_google_oauth_login
+        result = await _call(handle_google_oauth_login, {}, fake_ws)
         assert result["success"] is False
         assert "Client ID" in result["error"]
     async def test_login_returns_authorization_url(
         self, patched_container, fake_ws
     ):
+        from nodes.google._handlers import handle_google_oauth_login
         await patched_container.auth.store_api_key(
             "google_client_id", "ci.apps.googleusercontent.com", models=[]
         )
@@ -271,7 +294,7 @@ class TestGoogleOAuthHandlers:
             "google_client_secret", "cs-test", models=[]
         )
-        result = await _call(ws_module.handle_google_oauth_login, {}, fake_ws)
+        result = await _call(handle_google_oauth_login, {}, fake_ws)
         assert result["success"] is True
         assert result["url"].startswith("https://accounts.google.com/o/oauth2/auth")
@@ -279,15 +302,16 @@ class TestGoogleOAuthHandlers:
         assert "prompt=consent" in result["url"]
     async def test_status_when_disconnected(self, patched_container, fake_ws):
-        result = await _call(ws_module.handle_google_oauth_status, {}, fake_ws)
-        # success may be auto-injected by the decorator; check connected=False
+        from nodes.google._handlers import handle_google_oauth_status
+        result = await _call(handle_google_oauth_status, {}, fake_ws)
         assert result["connected"] is False
         assert result["email"] is None
     async def test_logout_removes_oauth_tokens(self, patched_container, fake_ws):
+        from nodes.google._handlers import handle_google_logout
         await patched_container.auth.store_oauth_tokens(
             "google", "access", "refresh", email="user@example.com"
         )
-        result = await _call(ws_module.handle_google_logout, {}, fake_ws)
+        result = await _call(handle_google_logout, {}, fake_ws)
         assert result["success"] is True
         assert await patched_container.auth.get_oauth_tokens("google") is None

package/server/tests/llm/test_factory.py CHANGED Viewed

@@ -11,6 +11,7 @@ def test_native_providers_set():
     assert NATIVE_PROVIDERS == {
         "anthropic", "openai", "gemini", "openrouter", "xai",
         "deepseek", "kimi", "mistral",
+        "ollama", "lmstudio",
     }

package/server/tests/llm/test_wiring.py CHANGED Viewed

@@ -107,7 +107,11 @@ async def test_fetch_models_uses_native_for_anthropic(ai_service):
         models = await ai_service.fetch_models("anthropic", "sk-ant-test")
     assert models == expected_models
-    mock_factory.assert_called_once_with("anthropic", "sk-ant-test")
+    # ai.fetch_models forwards `proxy_url` (defaulting to None) to the native
+    # factory so the Ollama-pattern proxy override path stays uniform with
+    # execute_chat. Asserting the full call signature including the explicit
+    # `None` kwarg ensures the proxy path is not silently dropped.
+    mock_factory.assert_called_once_with("anthropic", "sk-ant-test", proxy_url=None)
 @pytest.mark.asyncio

package/server/tests/nodes/_compat.py CHANGED Viewed

@@ -91,33 +91,33 @@ async def _execute_current_time(
 async def _execute_duckduckgo_search(
     args: Dict[str, Any],
-    node_params: Dict[str, Any] = None,
+    config: Dict[str, Any] = None,
 ) -> Dict[str, Any]:
-    """Shim for deleted services.handlers.tools._execute_duckduckgo_search."""
-    try:
-        # Plugin layout under scaling branch: nodes/search/duckduckgo_search.py
-        from nodes.search.duckduckgo_search import (
-            DuckDuckGoSearchNode,
-            DuckDuckGoSearchParams,
-        )
-    except ImportError:
-        return {"error": "duckduckgo search plugin missing"}
+    """Flat (args, config) -> dict shim for the deleted
+    ``services.handlers.tools._execute_duckduckgo_search``.
-    q = str(args.get("query", "")).strip()
-    if not q:
+    Wave 11.I milestone O moved this here from production code -- it
+    only ever served contract tests that patch ``sys.modules['ddgs']``
+    and assert the flat output shape. Production callers go through
+    :class:`nodes.search.duckduckgo_search.DuckDuckGoSearchNode`.
+    """
+    config = config or {}
+    query = str(args.get("query", "")).strip()
+    if not query:
         return {"error": "No search query provided"}
-    params = DuckDuckGoSearchParams(
-        query=q,
-        max_results=int(args.get("max_results", args.get("maxResults", 5))),
-    )
-    node = DuckDuckGoSearchNode()
-    try:
-        out = await node.search(_DummyContext(), params)
-    except Exception as exc:
-        return {"error": str(exc)}
-    return out.model_dump() if hasattr(out, "model_dump") else dict(out)
+    max_results = int(config.get("max_results", args.get("max_results", 5)))
+    provider = config.get("provider", "duckduckgo")
+    from ddgs import DDGS
+    raw = list(DDGS().text(query, max_results=max_results))
+    results = [
+        {
+            "title": item.get("title", ""),
+            "snippet": item.get("body", ""),
+            "url": item.get("href", ""),
+        }
+        for item in raw
+    ]
+    return {"query": query, "provider": provider, "results": results}
 async def handle_write_todos(