npm - vellum - Versions diffs - 0.2.11 → 0.2.13 - Mend

vellum 0.2.11 → 0.2.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/bun.lock +6 -2
package/package.json +2 -2
package/src/__tests__/call-orchestrator.test.ts +58 -0
package/src/__tests__/config-schema.test.ts +278 -0
package/src/__tests__/elevenlabs-client.test.ts +209 -0
package/src/__tests__/gateway-only-enforcement.test.ts +9 -35
package/src/__tests__/oauth2-gateway-transport.test.ts +14 -33
package/src/__tests__/skills.test.ts +2 -2
package/src/__tests__/trust-store.test.ts +1 -0
package/src/__tests__/twilio-routes-twiml.test.ts +127 -0
package/src/__tests__/twilio-routes.test.ts +78 -153
package/src/__tests__/twitter-auth-handler.test.ts +1 -1
package/src/calls/call-orchestrator.ts +3 -1
package/src/calls/elevenlabs-client.ts +89 -0
package/src/calls/elevenlabs-config.ts +29 -0
package/src/calls/twilio-routes.ts +55 -6
package/src/calls/voice-quality.ts +92 -0
package/src/cli/main-screen.tsx +15 -117
package/src/config/bundled-skills/macos-automation/SKILL.md +66 -0
package/src/config/bundled-skills/phone-calls/SKILL.md +414 -0
package/src/config/defaults.ts +18 -0
package/src/config/schema.ts +110 -0
package/src/config/system-prompt.ts +9 -59
package/src/config/types.ts +2 -0
package/src/daemon/lifecycle.ts +20 -7
package/src/memory/db.ts +36 -0
package/src/permissions/defaults.ts +11 -0
package/src/runtime/routes/conversation-routes.ts +12 -5
package/src/security/oauth2.ts +8 -8
package/src/util/logger.ts +4 -4

package/src/__tests__/gateway-only-enforcement.test.ts CHANGED Viewed

@@ -8,8 +8,8 @@
  * - Relay WebSocket upgrade allowed from private network peers/origins
  * - Startup warning when RUNTIME_HTTP_HOST is not loopback
  */
-import { describe, test, expect, beforeEach, afterEach, mock, spyOn } from 'bun:test';
-import { mkdtempSync, rmSync, realpathSync } from 'node:fs';
+import { describe, test, expect, beforeEach, afterEach, mock } from 'bun:test';
+import { mkdtempSync, realpathSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
@@ -176,7 +176,7 @@ describe('gateway-only ingress enforcement', () => {
       expect(res.status).toBe(410);
       const body = await res.json() as { error: string; code: string };
       expect(body.code).toBe('GATEWAY_ONLY');
-      expect(body.error).toContain('gateway-only mode');
+      expect(body.error).toContain('Direct webhook access disabled');
     });
     test('POST /webhooks/twilio/status returns 410', async () => {
@@ -297,7 +297,7 @@ describe('gateway-only ingress enforcement', () => {
       expect(res.status).toBe(403);
       const body = await res.json() as { error: string; code: string };
       expect(body.code).toBe('GATEWAY_ONLY');
-      expect(body.error).toContain('gateway-only mode');
+      expect(body.error).toContain('Direct relay access disabled');
     });
     test('allows request with no origin header (private network peer)', async () => {
@@ -410,52 +410,26 @@ describe('gateway-only ingress enforcement', () => {
   // ── Startup warning for non-loopback host ──────────────────────────
-  describe('startup guard — non-loopback host warning', () => {
-    test('logs warning when hostname is not loopback', async () => {
-      logMessages.length = 0;
+  describe('startup guard — non-loopback host', () => {
+    test('server starts successfully when hostname is not loopback', async () => {
       const warnServer = new RuntimeHttpServer({
         port: 0,
         hostname: '0.0.0.0',
         bearerToken: TEST_TOKEN,
       });
       await warnServer.start();
-      const infoMsg = logMessages.find(
-        m => m.level === 'info' && m.msg.includes('gateway-only ingress mode'),
-      );
-      expect(infoMsg).toBeDefined();
-      const warnMsg = logMessages.find(
-        m => m.level === 'warn' && m.msg.includes('not bound to loopback'),
-      );
-      expect(warnMsg).toBeDefined();
+      expect(warnServer.actualPort).toBeGreaterThan(0);
       await warnServer.stop();
     });
-    test('does NOT log warning when hostname is loopback', async () => {
-      logMessages.length = 0;
-      // The main test server already uses 127.0.0.1, so restart with
-      // a fresh server and capture logs
+    test('server starts successfully when hostname is loopback', async () => {
       const loopbackServer = new RuntimeHttpServer({
         port: 0,
         hostname: '127.0.0.1',
         bearerToken: TEST_TOKEN,
       });
       await loopbackServer.start();
-      const infoMsg = logMessages.find(
-        m => m.level === 'info' && m.msg.includes('gateway-only ingress mode'),
-      );
-      expect(infoMsg).toBeDefined();
-      const warnMsg = logMessages.find(
-        m => m.level === 'warn' && m.msg.includes('not bound to loopback'),
-      );
-      expect(warnMsg).toBeUndefined();
+      expect(loopbackServer.actualPort).toBeGreaterThan(0);
       await loopbackServer.stop();
     });
   });

package/src/__tests__/oauth2-gateway-transport.test.ts CHANGED Viewed

@@ -36,7 +36,7 @@ mock.module('../util/logger.js', () => ({
 }));
 // Track registerPendingCallback calls
-let pendingCallbacks: Map<string, { resolve: (code: string) => void; reject: (error: Error) => void }> = new Map();
+const pendingCallbacks: Map<string, { resolve: (code: string) => void; reject: (error: Error) => void }> = new Map();
 mock.module('../security/oauth-callback-registry.js', () => ({
   registerPendingCallback: (state: string, resolve: (code: string) => void, reject: (error: Error) => void) => {
@@ -153,32 +153,13 @@ describe('OAuth2 gateway transport', () => {
       expect(result.tokens.accessToken).toBe('test-access-token');
     });
-    test('selects loopback transport when ingress.publicBaseUrl is empty', async () => {
+    test('throws when ingress.publicBaseUrl is not configured', async () => {
       mockPublicBaseUrl = '';
-      let capturedAuthUrl = '';
-      const flowPromise = startOAuth2Flow(BASE_OAUTH_CONFIG, {
-        openUrl: (url) => { capturedAuthUrl = url; },
-      });
-      // Give the flow a tick
-      await new Promise((r) => setTimeout(r, 10));
-      // The auth URL should contain a loopback redirect_uri
-      expect(capturedAuthUrl).toContain('redirect_uri=');
-      expect(capturedAuthUrl).toContain('127.0.0.1');
-      // Extract the redirect_uri to send the callback
-      const authUrlParsed = new URL(capturedAuthUrl);
-      const redirectUri = authUrlParsed.searchParams.get('redirect_uri')!;
-      const stateParam = authUrlParsed.searchParams.get('state')!;
-      // Simulate the OAuth provider callback to the loopback server
-      const callbackUrl = `${redirectUri}?code=loopback-code&state=${stateParam}`;
-      await fetch(callbackUrl);
-      const result = await flowPromise;
-      expect(result.tokens.accessToken).toBe('test-access-token');
+      // Without a public base URL, the flow should reject immediately
+      await expect(
+        startOAuth2Flow(BASE_OAUTH_CONFIG, { openUrl: () => {} }),
+      ).rejects.toThrow('OAuth requires a public ingress URL');
     });
   });
@@ -206,8 +187,8 @@ describe('OAuth2 gateway transport', () => {
       expect(result.tokens.accessToken).toBe('test-access-token');
     });
-    test('uses loopback transport when explicitly specified', async () => {
-      // Even with publicBaseUrl configured, explicit loopback should work
+    test('ignores loopback transport option and uses gateway', async () => {
+      // Loopback transport was removed — gateway is always used
       mockPublicBaseUrl = 'https://gw.example.com';
       let capturedAuthUrl = '';
@@ -219,13 +200,13 @@ describe('OAuth2 gateway transport', () => {
       await new Promise((r) => setTimeout(r, 10));
-      expect(capturedAuthUrl).toContain('127.0.0.1');
-      const authUrlParsed = new URL(capturedAuthUrl);
-      const redirectUri = authUrlParsed.searchParams.get('redirect_uri')!;
-      const stateParam = authUrlParsed.searchParams.get('state')!;
+      // Should use gateway redirect, not loopback
+      expect(capturedAuthUrl).toContain(encodeURIComponent('https://gw.example.com'));
+      expect(capturedAuthUrl).not.toContain('127.0.0.1');
-      await fetch(`${redirectUri}?code=loopback-code&state=${stateParam}`);
+      const entries = Array.from(pendingCallbacks.entries());
+      expect(entries.length).toBe(1);
+      entries[0][1].resolve('gateway-code-despite-loopback-option');
       const result = await flowPromise;
       expect(result.tokens.accessToken).toBe('test-access-token');

package/src/__tests__/skills.test.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { describe, test, expect, beforeEach, afterEach, mock } from 'bun:test';
-import { existsSync, mkdirSync, rmSync, symlinkSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, rmSync, symlinkSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { tmpdir } from 'node:os';
@@ -585,7 +585,7 @@ describe('ingress-dependent setup skills declare public-ingress', () => {
   const VELLUM_SKILLS_DIR = join(import.meta.dir, '..', 'config', 'vellum-skills');
   function readVellumSkillIncludes(skillId: string): string[] | undefined {
-    const content = require('node:fs').readFileSync(join(VELLUM_SKILLS_DIR, skillId, 'SKILL.md'), 'utf-8');
+    const content = readFileSync(join(VELLUM_SKILLS_DIR, skillId, 'SKILL.md'), 'utf-8');
     const match = content.match(FRONTMATTER_REGEX);
     if (!match) return undefined;
     for (const line of match[1].split(/\r?\n/)) {

package/src/__tests__/trust-store.test.ts CHANGED Viewed

@@ -741,6 +741,7 @@ describe('Trust Store', () => {
         'host_file_edit',
         'host_file_read',
         'host_file_write',
+        'memory_search',
         'scaffold_managed_skill',
         'skill_load',
         'ui_dismiss',

package/src/__tests__/twilio-routes-twiml.test.ts ADDED Viewed

@@ -0,0 +1,127 @@
+/**
+ * Unit tests for TwiML generation with voice quality profiles.
+ *
+ * Tests that generateTwiML correctly uses profile values for
+ * ttsProvider, voice, language, and transcriptionProvider.
+ */
+import { describe, test, expect, mock } from 'bun:test';
+mock.module('../util/logger.js', () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+import { generateTwiML } from '../calls/twilio-routes.js';
+describe('generateTwiML with voice quality profile', () => {
+  const callSessionId = 'test-session-123';
+  const relayUrl = 'wss://test.example.com/v1/calls/relay';
+  const welcomeGreeting = 'Hello, how can I help?';
+  test('TwiML includes ttsProvider="Google" when profile specifies Google', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Deepgram',
+      ttsProvider: 'Google',
+      voice: 'Google.en-US-Journey-O',
+    });
+    expect(twiml).toContain('ttsProvider="Google"');
+    expect(twiml).toContain('voice="Google.en-US-Journey-O"');
+    expect(twiml).toContain('language="en-US"');
+    expect(twiml).toContain('transcriptionProvider="Deepgram"');
+  });
+  test('TwiML includes ttsProvider="ElevenLabs" when profile specifies ElevenLabs', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Deepgram',
+      ttsProvider: 'ElevenLabs',
+      voice: 'voice123-turbo_v2_5-0.5_0.75_0',
+    });
+    expect(twiml).toContain('ttsProvider="ElevenLabs"');
+    expect(twiml).toContain('voice="voice123-turbo_v2_5-0.5_0.75_0"');
+  });
+  test('voice attribute reflects configured voice for twilio_standard mode', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Deepgram',
+      ttsProvider: 'Google',
+      voice: 'Google.en-US-Journey-O',
+    });
+    expect(twiml).toContain('voice="Google.en-US-Journey-O"');
+  });
+  test('voice attribute reflects configured voice for twilio_elevenlabs_tts mode', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Deepgram',
+      ttsProvider: 'ElevenLabs',
+      voice: 'abc123-turbo_v2_5-0.5_0.75_0',
+    });
+    expect(twiml).toContain('voice="abc123-turbo_v2_5-0.5_0.75_0"');
+  });
+  test('language attribute reflects configured language', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'es-MX',
+      transcriptionProvider: 'Google',
+      ttsProvider: 'Google',
+      voice: 'Google.es-MX-Standard-A',
+    });
+    expect(twiml).toContain('language="es-MX"');
+  });
+  test('transcriptionProvider reflects configured value', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Google',
+      ttsProvider: 'Google',
+      voice: 'Google.en-US-Journey-O',
+    });
+    expect(twiml).toContain('transcriptionProvider="Google"');
+  });
+  test('TwiML properly escapes XML characters in profile values', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Deepgram',
+      ttsProvider: 'Google',
+      voice: 'voice<>&"test',
+    });
+    expect(twiml).toContain('voice="voice&lt;&gt;&amp;&quot;test"');
+    expect(twiml).not.toContain('voice="voice<>&"test"');
+  });
+  test('TwiML includes callSessionId in relay URL', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Deepgram',
+      ttsProvider: 'Google',
+      voice: 'Google.en-US-Journey-O',
+    });
+    expect(twiml).toContain(`callSessionId=${callSessionId}`);
+  });
+  test('TwiML includes interruptible and dtmfDetection attributes', () => {
+    const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
+      language: 'en-US',
+      transcriptionProvider: 'Deepgram',
+      ttsProvider: 'Google',
+      voice: 'Google.en-US-Journey-O',
+    });
+    expect(twiml).toContain('interruptible="true"');
+    expect(twiml).toContain('dtmfDetection="true"');
+  });
+});