npm - vellum - Versions diffs - 0.2.8 → 0.2.9 - Mend

vellum 0.2.8 → 0.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/bun.lock +2 -2
package/package.json +3 -2
package/src/__tests__/config-schema.test.ts +0 -6
package/src/__tests__/forbidden-legacy-symbols.test.ts +69 -0
package/src/__tests__/gateway-only-enforcement.test.ts +91 -11
package/src/__tests__/ingress-url-consistency.test.ts +214 -0
package/src/__tests__/ipc-snapshot.test.ts +17 -16
package/src/__tests__/oauth2-gateway-transport.test.ts +7 -1
package/src/__tests__/public-ingress-urls.test.ts +50 -34
package/src/__tests__/runtime-events-sse-parity.test.ts +343 -0
package/src/__tests__/runtime-events-sse.test.ts +162 -0
package/src/__tests__/twilio-provider.test.ts +1 -1
package/src/__tests__/twilio-routes.test.ts +4 -4
package/src/__tests__/twitter-auth-handler.test.ts +87 -2
package/src/calls/call-domain.ts +8 -6
package/src/calls/twilio-config.ts +2 -3
package/src/config/bundled-skills/tasks/TOOLS.json +25 -0
package/src/config/bundled-skills/tasks/tools/task-queue-run.ts +9 -0
package/src/config/bundled-skills/transcribe/SKILL.md +25 -0
package/src/config/bundled-skills/transcribe/TOOLS.json +32 -0
package/src/config/bundled-skills/transcribe/tools/transcribe-media.ts +370 -0
package/src/config/defaults.ts +1 -2
package/src/config/schema.ts +2 -6
package/src/config/vellum-skills/google-oauth-setup/SKILL.md +5 -4
package/src/config/vellum-skills/slack-oauth-setup/SKILL.md +4 -2
package/src/config/vellum-skills/telegram-setup/SKILL.md +3 -3
package/src/daemon/handlers/config.ts +33 -50
package/src/daemon/handlers/shared.ts +1 -0
package/src/daemon/handlers/subagents.ts +85 -2
package/src/daemon/handlers/twitter-auth.ts +31 -2
package/src/daemon/ipc-contract-inventory.json +4 -4
package/src/daemon/ipc-contract.ts +25 -21
package/src/daemon/lifecycle.ts +9 -4
package/src/daemon/server.ts +7 -0
package/src/daemon/session-tool-setup.ts +1 -1
package/src/inbound/public-ingress-urls.ts +36 -30
package/src/memory/db.ts +132 -5
package/src/memory/llm-usage-store.ts +0 -1
package/src/memory/runs-store.ts +51 -3
package/src/memory/schema.ts +2 -2
package/src/runtime/gateway-client.ts +7 -1
package/src/runtime/http-server.ts +95 -10
package/src/runtime/routes/channel-routes.ts +7 -2
package/src/runtime/routes/events-routes.ts +79 -0
package/src/runtime/routes/run-routes.ts +43 -0
package/src/runtime/run-orchestrator.ts +64 -7
package/src/security/oauth-callback-registry.ts +10 -0
package/src/security/oauth2.ts +41 -7
package/src/subagent/manager.ts +3 -1
package/src/tools/tasks/work-item-run.ts +78 -0
package/src/util/platform.ts +1 -1
package/src/work-items/work-item-runner.ts +171 -0
package/src/__tests__/handlers-twilio-config.test.ts +0 -221
package/src/calls/__tests__/twilio-webhook-urls.test.ts +0 -162
package/src/calls/twilio-webhook-urls.ts +0 -47

package/src/__tests__/public-ingress-urls.test.ts CHANGED Viewed

@@ -23,6 +23,7 @@ import {
   getTwilioConnectActionUrl,
   getTwilioRelayUrl,
   getOAuthCallbackUrl,
+  getTelegramWebhookUrl,
 } from '../inbound/public-ingress-urls.js';
 // ---------------------------------------------------------------------------
@@ -30,63 +31,45 @@ import {
 // ---------------------------------------------------------------------------
 describe('getPublicBaseUrl', () => {
-  let savedEnv: string | undefined;
+  let savedIngressEnv: string | undefined;
   beforeEach(() => {
-    savedEnv = process.env.TWILIO_WEBHOOK_BASE_URL;
-    delete process.env.TWILIO_WEBHOOK_BASE_URL;
+    savedIngressEnv = process.env.INGRESS_PUBLIC_BASE_URL;
+    delete process.env.INGRESS_PUBLIC_BASE_URL;
   });
   afterEach(() => {
-    if (savedEnv !== undefined) {
-      process.env.TWILIO_WEBHOOK_BASE_URL = savedEnv;
+    if (savedIngressEnv !== undefined) {
+      process.env.INGRESS_PUBLIC_BASE_URL = savedIngressEnv;
     } else {
-      delete process.env.TWILIO_WEBHOOK_BASE_URL;
+      delete process.env.INGRESS_PUBLIC_BASE_URL;
     }
   });
-  test('prefers ingress.publicBaseUrl when set', () => {
+  test('returns ingress.publicBaseUrl when set', () => {
     const result = getPublicBaseUrl({
       ingress: { publicBaseUrl: 'https://ingress.example.com/' },
-      calls: { webhookBaseUrl: 'https://calls.example.com' },
     });
     expect(result).toBe('https://ingress.example.com');
   });
-  test('falls back to calls.webhookBaseUrl when ingress.publicBaseUrl is empty', () => {
+  test('falls back to INGRESS_PUBLIC_BASE_URL env var when ingress.publicBaseUrl is empty', () => {
+    process.env.INGRESS_PUBLIC_BASE_URL = 'https://ingress-env.example.com/';
     const result = getPublicBaseUrl({
       ingress: { publicBaseUrl: '' },
-      calls: { webhookBaseUrl: 'https://calls.example.com/' },
     });
-    expect(result).toBe('https://calls.example.com');
+    expect(result).toBe('https://ingress-env.example.com');
   });
-  test('falls back to calls.webhookBaseUrl when ingress is undefined', () => {
-    const result = getPublicBaseUrl({
-      calls: { webhookBaseUrl: 'https://calls.example.com' },
-    });
-    expect(result).toBe('https://calls.example.com');
-  });
-  test('falls back to TWILIO_WEBHOOK_BASE_URL env var when both config fields are empty', () => {
-    process.env.TWILIO_WEBHOOK_BASE_URL = 'https://env.example.com/';
-    const result = getPublicBaseUrl({
-      ingress: { publicBaseUrl: '' },
-      calls: { webhookBaseUrl: '' },
-    });
-    expect(result).toBe('https://env.example.com');
-  });
-  test('falls back to env var when config fields are undefined', () => {
-    process.env.TWILIO_WEBHOOK_BASE_URL = 'https://env.example.com';
+  test('falls back to INGRESS_PUBLIC_BASE_URL env var when config is empty', () => {
+    process.env.INGRESS_PUBLIC_BASE_URL = 'https://ingress-env.example.com';
     const result = getPublicBaseUrl({});
-    expect(result).toBe('https://env.example.com');
+    expect(result).toBe('https://ingress-env.example.com');
   });
   test('throws when no source provides a value', () => {
     expect(() => getPublicBaseUrl({
       ingress: { publicBaseUrl: '' },
-      calls: { webhookBaseUrl: '' },
     })).toThrow(/No public base URL configured/);
   });
@@ -108,12 +91,24 @@ describe('getPublicBaseUrl', () => {
     expect(result).toBe('https://example.com');
   });
-  test('skips whitespace-only ingress.publicBaseUrl and falls through', () => {
+  test('skips whitespace-only ingress.publicBaseUrl and falls through to env', () => {
+    process.env.INGRESS_PUBLIC_BASE_URL = 'https://ingress-env.example.com';
     const result = getPublicBaseUrl({
       ingress: { publicBaseUrl: '   ' },
-      calls: { webhookBaseUrl: 'https://calls.example.com' },
     });
-    expect(result).toBe('https://calls.example.com');
+    expect(result).toBe('https://ingress-env.example.com');
+  });
+  test('normalizes trailing slashes from INGRESS_PUBLIC_BASE_URL', () => {
+    process.env.INGRESS_PUBLIC_BASE_URL = 'https://ingress-env.example.com///';
+    const result = getPublicBaseUrl({});
+    expect(result).toBe('https://ingress-env.example.com');
+  });
+  test('trims whitespace from INGRESS_PUBLIC_BASE_URL', () => {
+    process.env.INGRESS_PUBLIC_BASE_URL = '  https://ingress-env.example.com  ';
+    const result = getPublicBaseUrl({});
+    expect(result).toBe('https://ingress-env.example.com');
   });
 });
@@ -204,3 +199,24 @@ describe('getOAuthCallbackUrl', () => {
     expect(url).toBe('https://example.com/webhooks/oauth/callback');
   });
 });
+// ---------------------------------------------------------------------------
+// getTelegramWebhookUrl
+// ---------------------------------------------------------------------------
+describe('getTelegramWebhookUrl', () => {
+  test('builds correct URL', () => {
+    const url = getTelegramWebhookUrl({
+      ingress: { publicBaseUrl: 'https://example.com' },
+    });
+    expect(url).toBe('https://example.com/webhooks/telegram');
+  });
+  test('normalizes trailing slash before composing', () => {
+    const url = getTelegramWebhookUrl({
+      ingress: { publicBaseUrl: 'https://example.com/' },
+    });
+    expect(url).toBe('https://example.com/webhooks/telegram');
+  });
+});

package/src/__tests__/runtime-events-sse-parity.test.ts ADDED Viewed

@@ -0,0 +1,343 @@
+/**
+ * IPC parity tests for the SSE assistant-events endpoint.
+ *
+ * Asserts that every streaming/delta IPC ServerMessage type is preserved
+ * exactly — field-for-field — when delivered through the SSE route.
+ *
+ * Message types covered:
+ *   - assistant_text_delta
+ *   - assistant_thinking_delta
+ *   - tool_input_delta
+ *   - tool_output_chunk
+ *   - tool_result
+ *   - message_complete   (terminal)
+ *   - generation_handoff (terminal)
+ *   - generation_cancelled (terminal)
+ */
+import { describe, test, expect, beforeEach, afterAll, mock } from 'bun:test';
+import { mkdtempSync, rmSync, realpathSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+const testDir = realpathSync(mkdtempSync(join(tmpdir(), 'runtime-events-sse-parity-')));
+mock.module('../util/platform.js', () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+}));
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+mock.module('../config/loader.js', () => ({
+  getConfig: () => ({
+    model: 'test',
+    provider: 'test',
+    apiKeys: {},
+    memory: { enabled: false },
+    rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
+    secretDetection: { enabled: false },
+  }),
+}));
+import { initializeDb, getDb, resetDb } from '../memory/db.js';
+import { assistantEventHub } from '../runtime/assistant-event-hub.js';
+import { buildAssistantEvent } from '../runtime/assistant-event.js';
+import { getOrCreateConversation } from '../memory/conversation-key-store.js';
+import type { AssistantEvent } from '../runtime/assistant-event.js';
+import type { ServerMessage } from '../daemon/ipc-protocol.js';
+initializeDb();
+afterAll(() => {
+  resetDb();
+  try { rmSync(testDir, { recursive: true, force: true }); } catch { /* best effort */ }
+});
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Subscribe to the SSE endpoint for a given conversationKey, publish one
+ * event, read the first SSE frame, and return the parsed AssistantEvent.
+ *
+ * Uses handleSubscribeAssistantEvents directly (bypassing HTTP) to avoid
+ * chunked-transfer buffering in Bun's loopback implementation.
+ */
+async function publishAndReadFrame(
+  conversationKey: string,
+  message: ServerMessage,
+): Promise<AssistantEvent> {
+  const { conversationId } = getOrCreateConversation(conversationKey);
+  const ac = new AbortController();
+  const req = new Request(
+    `http://localhost/v1/events?conversationKey=${conversationKey}`,
+    { signal: ac.signal },
+  );
+  const { handleSubscribeAssistantEvents } = await import('../runtime/routes/events-routes.js');
+  const response = handleSubscribeAssistantEvents(req, new URL(req.url));
+  const event = buildAssistantEvent('self', message, conversationId);
+  await assistantEventHub.publish(event);
+  const reader = response.body!.getReader();
+  const { value } = await reader.read();
+  ac.abort();
+  const frame = new TextDecoder().decode(value);
+  // SSE frame: "event: assistant_event\nid: <id>\ndata: <json>\n\n"
+  const dataLine = frame.split('\n').find(l => l.startsWith('data: '));
+  if (!dataLine) throw new Error(`No data line in SSE frame:\n${frame}`);
+  return JSON.parse(dataLine.slice('data: '.length)) as AssistantEvent;
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe('SSE IPC parity — streaming/delta message types', () => {
+  beforeEach(() => {
+    const db = getDb();
+    db.run('DELETE FROM conversation_keys');
+    db.run('DELETE FROM conversations');
+  });
+  // ── assistant_text_delta ─────────────────────────────────────────────────
+  test('preserves assistant_text_delta payload', async () => {
+    const msg = {
+      type: 'assistant_text_delta' as const,
+      text: 'Hello, world!',
+      sessionId: 'conv-text-delta',
+    };
+    const event = await publishAndReadFrame('parity-text-delta', msg);
+    expect(event.message.type).toBe('assistant_text_delta');
+    const m = event.message as typeof msg;
+    expect(m.text).toBe('Hello, world!');
+    expect(m.sessionId).toBe('conv-text-delta');
+  });
+  test('preserves assistant_text_delta without optional sessionId', async () => {
+    const msg = {
+      type: 'assistant_text_delta' as const,
+      text: 'No session here',
+    };
+    const event = await publishAndReadFrame('parity-text-delta-nosession', msg);
+    const m = event.message as typeof msg;
+    expect(m.type).toBe('assistant_text_delta');
+    expect(m.text).toBe('No session here');
+    expect((m as Record<string, unknown>).sessionId).toBeUndefined();
+  });
+  // ── assistant_thinking_delta ─────────────────────────────────────────────
+  test('preserves assistant_thinking_delta payload', async () => {
+    const msg = {
+      type: 'assistant_thinking_delta' as const,
+      thinking: 'Let me reason through this...',
+    };
+    const event = await publishAndReadFrame('parity-thinking-delta', msg);
+    expect(event.message.type).toBe('assistant_thinking_delta');
+    const m = event.message as typeof msg;
+    expect(m.thinking).toBe('Let me reason through this...');
+  });
+  // ── tool_input_delta ─────────────────────────────────────────────────────
+  test('preserves tool_input_delta payload', async () => {
+    const msg = {
+      type: 'tool_input_delta' as const,
+      toolName: 'bash',
+      content: '{"command": "ls -la"}',
+      sessionId: 'conv-tool-input',
+    };
+    const event = await publishAndReadFrame('parity-tool-input-delta', msg);
+    expect(event.message.type).toBe('tool_input_delta');
+    const m = event.message as typeof msg;
+    expect(m.toolName).toBe('bash');
+    expect(m.content).toBe('{"command": "ls -la"}');
+    expect(m.sessionId).toBe('conv-tool-input');
+  });
+  // ── tool_output_chunk ────────────────────────────────────────────────────
+  test('preserves tool_output_chunk payload', async () => {
+    const msg = {
+      type: 'tool_output_chunk' as const,
+      chunk: 'total 42\n-rw-r--r-- 1 user group 1234 Jan 1 00:00 file.ts',
+      sessionId: 'conv-tool-output',
+      subType: 'tool_complete' as const,
+      subToolName: 'bash',
+      subToolInput: 'ls -la',
+      subToolIsError: false,
+      subToolId: 'tool-abc-123',
+    };
+    const event = await publishAndReadFrame('parity-tool-output-chunk', msg);
+    expect(event.message.type).toBe('tool_output_chunk');
+    const m = event.message as typeof msg;
+    expect(m.chunk).toBe(msg.chunk);
+    expect(m.sessionId).toBe('conv-tool-output');
+    expect(m.subType).toBe('tool_complete');
+    expect(m.subToolName).toBe('bash');
+    expect(m.subToolInput).toBe('ls -la');
+    expect(m.subToolIsError).toBe(false);
+    expect(m.subToolId).toBe('tool-abc-123');
+  });
+  test('preserves minimal tool_output_chunk (chunk only)', async () => {
+    const msg = {
+      type: 'tool_output_chunk' as const,
+      chunk: 'stdout line 1\n',
+    };
+    const event = await publishAndReadFrame('parity-tool-output-chunk-minimal', msg);
+    const m = event.message as typeof msg;
+    expect(m.type).toBe('tool_output_chunk');
+    expect(m.chunk).toBe('stdout line 1\n');
+  });
+  // ── tool_result ──────────────────────────────────────────────────────────
+  test('preserves tool_result payload', async () => {
+    const msg = {
+      type: 'tool_result' as const,
+      toolName: 'read_file',
+      result: 'File contents here',
+      isError: false,
+      sessionId: 'conv-tool-result',
+      status: 'success',
+    };
+    const event = await publishAndReadFrame('parity-tool-result', msg);
+    expect(event.message.type).toBe('tool_result');
+    const m = event.message as typeof msg;
+    expect(m.toolName).toBe('read_file');
+    expect(m.result).toBe('File contents here');
+    expect(m.isError).toBe(false);
+    expect(m.sessionId).toBe('conv-tool-result');
+    expect(m.status).toBe('success');
+  });
+  test('preserves tool_result with error flag', async () => {
+    const msg = {
+      type: 'tool_result' as const,
+      toolName: 'bash',
+      result: 'Command not found: foobar',
+      isError: true,
+    };
+    const event = await publishAndReadFrame('parity-tool-result-error', msg);
+    const m = event.message as typeof msg;
+    expect(m.type).toBe('tool_result');
+    expect(m.isError).toBe(true);
+    expect(m.result).toBe('Command not found: foobar');
+  });
+  // ── message_complete (terminal) ──────────────────────────────────────────
+  test('preserves message_complete payload', async () => {
+    const msg = {
+      type: 'message_complete' as const,
+      sessionId: 'conv-msg-complete',
+    };
+    const event = await publishAndReadFrame('parity-message-complete', msg);
+    expect(event.message.type).toBe('message_complete');
+    const m = event.message as typeof msg;
+    expect(m.sessionId).toBe('conv-msg-complete');
+  });
+  test('preserves message_complete without sessionId', async () => {
+    const msg = { type: 'message_complete' as const };
+    const event = await publishAndReadFrame('parity-message-complete-nosession', msg);
+    expect(event.message.type).toBe('message_complete');
+  });
+  // ── generation_handoff (terminal) ────────────────────────────────────────
+  test('preserves generation_handoff payload', async () => {
+    const msg = {
+      type: 'generation_handoff' as const,
+      sessionId: 'conv-handoff',
+      requestId: 'req-xyz-789',
+      queuedCount: 2,
+    };
+    const event = await publishAndReadFrame('parity-generation-handoff', msg);
+    expect(event.message.type).toBe('generation_handoff');
+    const m = event.message as typeof msg;
+    expect(m.sessionId).toBe('conv-handoff');
+    expect(m.requestId).toBe('req-xyz-789');
+    expect(m.queuedCount).toBe(2);
+  });
+  // ── generation_cancelled (terminal) ─────────────────────────────────────
+  test('preserves generation_cancelled payload', async () => {
+    const msg = {
+      type: 'generation_cancelled' as const,
+      sessionId: 'conv-cancelled',
+    };
+    const event = await publishAndReadFrame('parity-generation-cancelled', msg);
+    expect(event.message.type).toBe('generation_cancelled');
+    const m = event.message as typeof msg;
+    expect(m.sessionId).toBe('conv-cancelled');
+  });
+  // ── Envelope integrity ───────────────────────────────────────────────────
+  test('SSE envelope preserves assistantId and sessionId across all event types', async () => {
+    const conversationKey = 'parity-envelope-check';
+    const { conversationId } = getOrCreateConversation(conversationKey);
+    const ac = new AbortController();
+    const req = new Request(
+      `http://localhost/v1/events?conversationKey=${conversationKey}`,
+      { signal: ac.signal },
+    );
+    const { handleSubscribeAssistantEvents } = await import('../runtime/routes/events-routes.js');
+    const response = handleSubscribeAssistantEvents(req, new URL(req.url));
+    const msg: ServerMessage = { type: 'assistant_text_delta' as const, text: 'envelope test' };
+    const published = buildAssistantEvent('self', msg, conversationId);
+    await assistantEventHub.publish(published);
+    const reader = response.body!.getReader();
+    const { value } = await reader.read();
+    ac.abort();
+    const frame = new TextDecoder().decode(value);
+    const dataLine = frame.split('\n').find(l => l.startsWith('data: '))!;
+    const received = JSON.parse(dataLine.slice('data: '.length)) as AssistantEvent;
+    // Envelope fields
+    expect(received.id).toBe(published.id);
+    expect(received.assistantId).toBe('self');
+    expect(received.sessionId).toBe(conversationId);
+    expect(received.emittedAt).toBe(published.emittedAt);
+    // SSE frame fields
+    expect(frame).toContain('event: assistant_event');
+    expect(frame).toContain(`id: ${published.id}`);
+  });
+});

package/src/__tests__/runtime-events-sse.test.ts ADDED Viewed

@@ -0,0 +1,162 @@
+/**
+ * HTTP-layer integration tests for GET /v1/events (SSE assistant-events endpoint).
+ *
+ * Tests:
+ *   - 401 unauthorized (missing bearer token)
+ *   - 400 when conversationKey is absent
+ *   - Happy path: stream receives a published AssistantEvent
+ */
+import { describe, test, expect, beforeEach, afterAll, mock } from 'bun:test';
+import { mkdtempSync, rmSync, realpathSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+const testDir = realpathSync(mkdtempSync(join(tmpdir(), 'runtime-events-sse-test-')));
+mock.module('../util/platform.js', () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+}));
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+mock.module('../config/loader.js', () => ({
+  getConfig: () => ({
+    model: 'test',
+    provider: 'test',
+    apiKeys: {},
+    memory: { enabled: false },
+    rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
+    secretDetection: { enabled: false },
+  }),
+}));
+import { initializeDb, getDb, resetDb } from '../memory/db.js';
+import { RuntimeHttpServer } from '../runtime/http-server.js';
+import { assistantEventHub } from '../runtime/assistant-event-hub.js';
+import { buildAssistantEvent } from '../runtime/assistant-event.js';
+import { getOrCreateConversation } from '../memory/conversation-key-store.js';
+initializeDb();
+const TEST_TOKEN = 'test-bearer-token-events-sse';
+const AUTH_HEADERS = { Authorization: `Bearer ${TEST_TOKEN}` };
+describe('SSE assistant-events endpoint', () => {
+  let server: RuntimeHttpServer;
+  let port: number;
+  beforeEach(() => {
+    const db = getDb();
+    db.run('DELETE FROM conversation_keys');
+    db.run('DELETE FROM conversations');
+  });
+  afterAll(() => {
+    resetDb();
+    try { rmSync(testDir, { recursive: true, force: true }); } catch { /* best effort */ }
+  });
+  async function startServer(): Promise<void> {
+    port = 19500 + Math.floor(Math.random() * 500);
+    server = new RuntimeHttpServer({ port, bearerToken: TEST_TOKEN });
+    await server.start();
+  }
+  async function stopServer(): Promise<void> {
+    await server?.stop();
+  }
+  function eventsUrl(params = ''): string {
+    return `http://127.0.0.1:${port}/v1/events${params ? `?${params}` : ''}`;
+  }
+  // ── Auth ──────────────────────────────────────────────────────────────────
+  test('401 when bearer token is missing', async () => {
+    await startServer();
+    const res = await fetch(eventsUrl('conversationKey=test-noauth'));
+    expect(res.status).toBe(401);
+    // Consume body to prevent resource leak
+    await res.body?.cancel();
+    await stopServer();
+  });
+  test('401 when bearer token is wrong', async () => {
+    await startServer();
+    const res = await fetch(eventsUrl('conversationKey=test-badauth'), {
+      headers: { Authorization: 'Bearer wrong-token' },
+    });
+    expect(res.status).toBe(401);
+    await res.body?.cancel();
+    await stopServer();
+  });
+  // ── Validation ────────────────────────────────────────────────────────────
+  test('400 when conversationKey is missing', async () => {
+    await startServer();
+    const res = await fetch(eventsUrl(), { headers: AUTH_HEADERS });
+    expect(res.status).toBe(400);
+    const body = await res.json() as { error: string };
+    expect(body.error).toContain('conversationKey');
+    await stopServer();
+  });
+  // ── Happy path ────────────────────────────────────────────────────────────
+  test('stream receives a published assistant event', async () => {
+    // Test the handler directly (bypassing HTTP) to avoid chunked-transfer
+    // buffering in Bun's loopback SSE implementation. The HTTP auth and
+    // routing are already covered by other test files; here we focus on the
+    // SSE subscription logic and frame delivery.
+    const { conversationId } = getOrCreateConversation('sse-happy-path');
+    const ac = new AbortController();
+    const req = new Request(
+      'http://localhost/v1/events?conversationKey=sse-happy-path',
+      { signal: ac.signal },
+    );
+    const { handleSubscribeAssistantEvents } = await import('../runtime/routes/events-routes.js');
+    const response = handleSubscribeAssistantEvents(req, new URL(req.url));
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toContain('text/event-stream');
+    // start() is called synchronously during ReadableStream construction, so the
+    // hub subscription is already registered before we publish.
+    const event = buildAssistantEvent('self', { type: 'pong' }, conversationId);
+    await assistantEventHub.publish(event);
+    // Read the first frame directly from the response body stream.
+    const reader = response.body!.getReader();
+    const { value, done } = await reader.read();
+    ac.abort();
+    expect(done).toBe(false);
+    const frame = new TextDecoder().decode(value);
+    expect(frame).toContain('event: assistant_event');
+    expect(frame).toContain(`"assistantId":"self"`);
+    expect(frame).toContain(`"sessionId":"${conversationId}"`);
+    expect(frame).toContain('"type":"pong"');
+  });
+});

package/src/__tests__/twilio-provider.test.ts CHANGED Viewed

@@ -33,7 +33,7 @@ let mockAuthToken: string | undefined = 'test-auth-token-secret';
 mock.module('../security/secure-keys.js', () => ({
   getSecureKey: (account: string) => {
-    if (account === 'twilio_auth_token') return mockAuthToken;
+    if (account === 'credential:twilio:auth_token') return mockAuthToken;
     return undefined;
   },
 }));

package/src/__tests__/twilio-routes.test.ts CHANGED Viewed

@@ -52,7 +52,7 @@ let mockAuthToken: string | undefined = 'test-auth-token-for-webhooks';
 mock.module('../security/secure-keys.js', () => ({
   getSecureKey: (account: string) => {
-    if (account === 'twilio_auth_token') return mockAuthToken;
+    if (account === 'credential:twilio:auth_token') return mockAuthToken;
     return undefined;
   },
 }));
@@ -72,7 +72,7 @@ mock.module('../calls/twilio-provider.js', () => {
       readonly name = 'twilio';
       static getAuthToken(): string | null {
-        return getSecureKey('twilio_auth_token') ?? null;
+        return getSecureKey('credential:twilio:auth_token') ?? null;
       }
       static verifyWebhookSignature(
@@ -205,9 +205,9 @@ describe('twilio webhook routes', () => {
   });
   async function startServer(): Promise<void> {
-    port = 20000 + Math.floor(Math.random() * 1000);
-    server = new RuntimeHttpServer({ port, bearerToken: TEST_TOKEN });
+    server = new RuntimeHttpServer({ port: 0, bearerToken: TEST_TOKEN });
     await server.start();
+    port = server.actualPort;
   }
   async function stopServer(): Promise<void> {