@botcord/daemon 0.2.78 → 0.2.79

package/dist/provision.js

@@ -20,6 +20,7 @@ import { discoverAgentCredentials } from "./agent-discovery.js";
 import { resolveMemoryDir } from "./working-memory.js";
 import { discoverRuntimeModelCatalog } from "./runtime-models.js";
 import { buildRuntimeSelectionExtraArgs, mergeRuntimeExtraArgs, } from "./runtime-route-options.js";
+import { handleCloudGatewayRuntimeInbound } from "./cloud-gateway-runtime.js";
 /**
  * Build a dispatcher function that routes a `ControlFrame` to the right
  * handler. Returned function signature matches
@@ -41,7 +42,7 @@ export function createProvisioner(opts) {
                 return { ok: true, result: { pong: true, ts: Date.now() } };
             case CONTROL_FRAME_TYPES.HELLO: {
                 const params = (frame.params ?? {});
-                const result = applyHelloIdentitySnapshot(params.agents);
+                const result = applyHelloIdentitySnapshot(params.agents, { gateway });
                 daemonLog.debug("hello: identity snapshot applied", {
                     frameId: frame.id,
                     received: params.agents?.length ?? 0,
@@ -62,12 +63,19 @@ export function createProvisioner(opts) {
                     displayName: params.displayName,
                     bio: params.bio,
                 });
+                const runtimeResult = applyAgentRuntimeSnapshot(params, { gateway });
+                const combined = {
+                    changed: result.changed || runtimeResult.changed,
+                    identity: result,
+                    runtime: runtimeResult,
+                };
                 daemonLog.info("update_agent applied", {
                     agentId: params.agentId,
-                    changed: result.changed,
-                    skipped: result.skipped ?? null,
+                    changed: combined.changed,
+                    identitySkipped: result.skipped ?? null,
+                    runtimeSkipped: runtimeResult.skipped ?? null,
                 });
-                return { ok: true, result };
+                return { ok: true, result: combined };
             }
             case CONTROL_FRAME_TYPES.PROVISION_AGENT: {
                 const params = (frame.params ?? {});
@@ -266,6 +274,30 @@ export function createProvisioner(opts) {
                     return v.ack;
                 return gatewayControl.handleSend(v.params);
             }
+            case "cloud_gateway_runtime_inbound": {
+                const params = (frame.params ?? {});
+                const runtimeFrame = params.frame;
+                if (!runtimeFrame || typeof runtimeFrame !== "object") {
+                    return {
+                        ok: false,
+                        error: {
+                            code: "bad_params",
+                            message: "cloud_gateway_runtime_inbound requires params.frame",
+                        },
+                    };
+                }
+                const result = await handleCloudGatewayRuntimeInbound(gateway, runtimeFrame);
+                return result.accepted
+                    ? { ok: true, result }
+                    : {
+                        ok: false,
+                        result,
+                        error: result.error ?? {
+                            code: "runtime_inbound_rejected",
+                            message: "cloud gateway runtime inbound was rejected",
+                        },
+                    };
+            }
             case "list_agent_files": {
                 const params = (frame.params ?? {});
                 if (!params.agentId) {
@@ -1998,10 +2030,84 @@ function openclawBindingIndex() {
     }
     return out;
 }
+function hasOwnField(obj, key) {
+    return Object.prototype.hasOwnProperty.call(obj, key);
+}
+function cleanNullableString(value) {
+    if (typeof value !== "string")
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed || undefined;
+}
+function applyAgentRuntimeSnapshot(snapshot, ctx = {}) {
+    const hasRuntimeFields = (hasOwnField(snapshot, "runtime") ||
+        hasOwnField(snapshot, "runtimeModel") ||
+        hasOwnField(snapshot, "reasoningEffort") ||
+        hasOwnField(snapshot, "thinking"));
+    if (!hasRuntimeFields)
+        return { changed: false, skipped: "no_runtime_fields" };
+    const credentialsFile = defaultCredentialsFile(snapshot.agentId);
+    if (!existsSync(credentialsFile)) {
+        return { changed: false, skipped: "credentials_missing" };
+    }
+    const credentials = loadStoredCredentials(credentialsFile);
+    let changed = false;
+    if (hasOwnField(snapshot, "runtime")) {
+        const runtime = cleanNullableString(snapshot.runtime);
+        if (runtime !== credentials.runtime) {
+            if (runtime)
+                credentials.runtime = runtime;
+            else
+                delete credentials.runtime;
+            changed = true;
+        }
+    }
+    if (hasOwnField(snapshot, "runtimeModel")) {
+        const runtimeModel = cleanNullableString(snapshot.runtimeModel);
+        if (runtimeModel !== credentials.runtimeModel) {
+            if (runtimeModel)
+                credentials.runtimeModel = runtimeModel;
+            else
+                delete credentials.runtimeModel;
+            changed = true;
+        }
+    }
+    if (hasOwnField(snapshot, "reasoningEffort")) {
+        const reasoningEffort = cleanNullableString(snapshot.reasoningEffort);
+        if (reasoningEffort !== credentials.reasoningEffort) {
+            if (reasoningEffort)
+                credentials.reasoningEffort = reasoningEffort;
+            else
+                delete credentials.reasoningEffort;
+            changed = true;
+        }
+    }
+    if (hasOwnField(snapshot, "thinking")) {
+        if (typeof snapshot.thinking === "boolean") {
+            if (credentials.thinking !== snapshot.thinking) {
+                credentials.thinking = snapshot.thinking;
+                changed = true;
+            }
+        }
+        else if (typeof credentials.thinking === "boolean") {
+            delete credentials.thinking;
+            changed = true;
+        }
+    }
+    if (!changed)
+        return { changed: false };
+    writeCredentialsFile(credentialsFile, credentials);
+    if (ctx.gateway) {
+        upsertManagedRouteForCredentials(credentials, loadConfig(), ctx.gateway);
+        return { changed: true, routeUpdated: true };
+    }
+    return { changed: true };
+}
 /**
  * Reconcile every agent identity carried by the `hello.agents` snapshot
- * against the on-disk `identity.md`. Best-effort: a malformed entry or a
- * file-system error for one agent never aborts the rest.
+ * against the on-disk `identity.md` and credentials runtime selectors.
+ * Best-effort: a malformed entry or a file-system error for one agent never
+ * aborts the rest.
  *
  * Identity-snapshot semantics intentionally only touch the metadata
  * line + Bio body — Role/Boundaries paragraphs the user authored locally
@@ -2009,7 +2115,7 @@ function openclawBindingIndex() {
  * (agent provisioned on a different daemon, or workspace cleared) are
  * silently skipped.
  */
-export function applyHelloIdentitySnapshot(snapshot) {
+export function applyHelloIdentitySnapshot(snapshot, ctx = {}) {
     const out = { updated: 0, skipped: 0 };
     if (!Array.isArray(snapshot))
         return out;
@@ -2023,7 +2129,8 @@ export function applyHelloIdentitySnapshot(snapshot) {
                 displayName: entry.displayName,
                 bio: entry.bio,
             });
-            if (result.changed)
+            const runtimeResult = applyAgentRuntimeSnapshot(entry, ctx);
+            if (result.changed || runtimeResult.changed)
                 out.updated += 1;
             else
                 out.skipped += 1;

package/dist/room-recovery-context.d.ts

@@ -0,0 +1,11 @@
+import type { GatewayInboundMessage } from "./gateway/index.js";
+export interface RecentRoomMessagesRecoveryOptions {
+    credentialPathByAgentId: Map<string, string>;
+    defaultCredentialsPath?: string;
+    hubBaseUrl?: string;
+    limit?: number;
+    log?: {
+        warn: (msg: string, meta?: Record<string, unknown>) => void;
+    };
+}
+export declare function createRecentRoomMessagesRecoveryBuilder(opts: RecentRoomMessagesRecoveryOptions): (message: GatewayInboundMessage) => Promise<string | null>;

package/dist/room-recovery-context.js

@@ -0,0 +1,97 @@
+/**
+ * Build a compact, deterministic recovery block from recent Hub room messages.
+ * Used when a runtime-native session is discarded and the same turn is retried
+ * in a fresh session.
+ */
+import { BotCordClient, loadStoredCredentials } from "@botcord/protocol-core";
+import { sanitizeUntrustedContent } from "./gateway/index.js";
+const DEFAULT_RECENT_LIMIT = 20;
+const MAX_MESSAGE_TEXT_CHARS = 1200;
+function stripNewlines(s) {
+    return s.replace(/[\r\n]+/g, " ");
+}
+function messageLabel(m) {
+    const name = typeof m.from_name === "string" && m.from_name.trim()
+        ? m.from_name
+        : typeof m.from === "string" && m.from.trim()
+            ? m.from
+            : "unknown";
+    return sanitizeUntrustedContent(stripNewlines(name));
+}
+function formatRecentMessages(messages) {
+    if (messages.length === 0)
+        return "[Recent Room Messages]\n(none)";
+    const chronological = [...messages].reverse();
+    const lines = ["[Recent Room Messages]"];
+    for (const m of chronological) {
+        const text = typeof m.text === "string" ? m.text.trim() : "";
+        if (!text)
+            continue;
+        const ts = typeof m.ts === "string" ? m.ts : "";
+        const topic = typeof m.topic_title === "string" && m.topic_title.trim()
+            ? ` topic=${sanitizeUntrustedContent(stripNewlines(m.topic_title))}`
+            : typeof m.topic_id === "string" && m.topic_id
+                ? ` topic=${sanitizeUntrustedContent(stripNewlines(m.topic_id))}`
+                : "";
+        const safeText = sanitizeUntrustedContent(text.length > MAX_MESSAGE_TEXT_CHARS
+            ? `${text.slice(0, MAX_MESSAGE_TEXT_CHARS)}...`
+            : text);
+        lines.push(`- ${ts ? `${ts} ` : ""}${messageLabel(m)}${topic}: ${safeText}`);
+    }
+    return lines.join("\n");
+}
+export function createRecentRoomMessagesRecoveryBuilder(opts) {
+    const clients = new Map();
+    const limit = opts.limit ?? DEFAULT_RECENT_LIMIT;
+    function getClient(accountId) {
+        const existing = clients.get(accountId);
+        if (existing)
+            return existing.client;
+        const credsPath = opts.credentialPathByAgentId.get(accountId) ?? opts.defaultCredentialsPath;
+        if (!credsPath) {
+            opts.log?.warn("daemon.recovery-context.no-credentials", { accountId });
+            return null;
+        }
+        try {
+            const creds = loadStoredCredentials(credsPath);
+            const client = new BotCordClient({
+                hubUrl: opts.hubBaseUrl ?? creds.hubUrl,
+                agentId: creds.agentId,
+                keyId: creds.keyId,
+                privateKey: creds.privateKey,
+                ...(creds.token ? { token: creds.token } : {}),
+                ...(creds.tokenExpiresAt !== undefined
+                    ? { tokenExpiresAt: creds.tokenExpiresAt }
+                    : {}),
+            });
+            clients.set(accountId, { client, credentialsPath: credsPath });
+            return client;
+        }
+        catch (err) {
+            opts.log?.warn("daemon.recovery-context.client-init-failed", {
+                accountId,
+                credsPath,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            return null;
+        }
+    }
+    return async (message) => {
+        const client = getClient(message.accountId);
+        if (!client)
+            return null;
+        try {
+            const body = await client.roomMessages(message.conversation.id, { limit });
+            const messages = Array.isArray(body?.messages) ? body.messages : [];
+            return formatRecentMessages(messages);
+        }
+        catch (err) {
+            opts.log?.warn("daemon.recovery-context.fetch-failed", {
+                accountId: message.accountId,
+                roomId: message.conversation.id,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            return null;
+        }
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/daemon",
-  "version": "0.2.78",
+  "version": "0.2.79",
   "description": "BotCord local daemon — bridges Hub inbox push to local Claude Code / Codex / Gemini CLIs",
   "type": "module",
   "bin": {
@@ -28,7 +28,7 @@
   },
   "dependencies": {
     "@botcord/cli": "^0.1.7",
-    "@botcord/protocol-core": "^0.2.9",
+    "@botcord/protocol-core": "^0.2.10",
     "@larksuiteoapi/node-sdk": "^1.63.1",
     "ws": "^8.20.1"
   },

package/src/__tests__/attention-policy-fetcher.test.ts

@@ -0,0 +1,67 @@
+import { mkdtempSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { generateKeypair } from "@botcord/protocol-core";
+import { createAttentionPolicyFetcher } from "../attention-policy-fetcher.js";
+
+function writeCredentials(agentId: string): string {
+  const dir = mkdtempSync(path.join(tmpdir(), "botcord-policy-"));
+  const file = path.join(dir, `${agentId}.json`);
+  const keys = generateKeypair();
+  writeFileSync(
+    file,
+    JSON.stringify({
+      version: 1,
+      hubUrl: "https://hub.test",
+      agentId,
+      keyId: "key_1",
+      privateKey: keys.privateKey,
+      publicKey: keys.publicKey,
+      savedAt: new Date().toISOString(),
+      token: "jwt",
+      tokenExpiresAt: Math.floor(Date.now() / 1000) + 3600,
+    }),
+  );
+  return file;
+}
+
+describe("createAttentionPolicyFetcher", () => {
+  afterEach(() => {
+    vi.unstubAllGlobals();
+  });
+
+  it("fetches effective room attention policy with agent credentials", async () => {
+    const credentialsPath = writeCredentials("ag_policy");
+    const fetchMock = vi.fn(async (url: string | URL | Request, init?: RequestInit) => {
+      expect(String(url)).toBe(
+        "https://hub.test/hub/attention-policy?room_id=rm_1",
+      );
+      expect((init?.headers as Record<string, string>).Authorization).toBe(
+        "Bearer jwt",
+      );
+      return new Response(
+        JSON.stringify({
+          mode: "mention_only",
+          keywords: [],
+          allowedSenderIds: [],
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    });
+    vi.stubGlobal("fetch", fetchMock);
+
+    const fetchPolicy = createAttentionPolicyFetcher({
+      credentialPathByAgentId: new Map([["ag_policy", credentialsPath]]),
+    });
+
+    await expect(
+      fetchPolicy({ agentId: "ag_policy", roomId: "rm_1" }),
+    ).resolves.toEqual({
+      mode: "mention_only",
+      keywords: [],
+      allowedSenderIds: [],
+    });
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+});

package/src/__tests__/cloud-gateway-runtime.test.ts

@@ -0,0 +1,127 @@
+import { mkdtempSync, rmSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { RUNTIME_FRAME_TYPES, type GatewayInboundFrame } from "@botcord/protocol-core";
+
+import { handleCloudGatewayRuntimeInbound } from "../cloud-gateway-runtime.js";
+import { Gateway, type ChannelAdapter } from "../gateway/index.js";
+
+describe("cloud gateway runtime inbound", () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(path.join(os.tmpdir(), "cloud-gateway-runtime-"));
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it("injects a gateway_inbound frame and captures the runtime reply", async () => {
+    const gateway = new Gateway({
+      config: {
+        channels: [],
+        defaultRoute: { runtime: "fake", cwd: tmpDir },
+      },
+      sessionStorePath: path.join(tmpDir, "sessions.json"),
+      createChannel: (cfg) => stubChannel(cfg.id, cfg.type, cfg.accountId),
+      createRuntime: () => ({
+        id: "fake",
+        async run() {
+          return { text: "hello from runtime", newSessionId: "sess_1" };
+        },
+      }),
+      transcriptEnabled: false,
+    });
+    await gateway.start();
+
+    const frame: GatewayInboundFrame = {
+      type: RUNTIME_FRAME_TYPES.GATEWAY_INBOUND,
+      event_id: "evt_1",
+      gateway_id: "gw_tg_1",
+      agent_id: "ag_1",
+      provider: "telegram",
+      message: {
+        id: "telegram:1:2",
+        channel: "gw_tg_1",
+        accountId: "ag_1",
+        conversation: { id: "telegram:user:1", kind: "direct" },
+        sender: { id: "telegram:user:1", kind: "user" },
+        text: "hi",
+        replyTo: null,
+        mentioned: true,
+        receivedAt: Date.now(),
+        trace: { id: "telegram:1:2", streamable: false },
+      },
+    };
+
+    const result = await handleCloudGatewayRuntimeInbound(gateway, frame);
+    await gateway.stop("test");
+
+    expect(result.accepted).toBe(true);
+    expect(result.eventId).toBe("evt_1");
+    expect(result.gatewayId).toBe("gw_tg_1");
+    expect(result.conversationId).toBe("telegram:user:1");
+    expect(result.outbound?.finalText).toBe("hello from runtime");
+  });
+
+  it("rejects frames outside the token scope", async () => {
+    const gateway = new Gateway({
+      config: {
+        channels: [],
+        defaultRoute: { runtime: "fake", cwd: tmpDir },
+      },
+      sessionStorePath: path.join(tmpDir, "sessions.json"),
+      createChannel: (cfg) => stubChannel(cfg.id, cfg.type, cfg.accountId),
+      createRuntime: () => ({
+        id: "fake",
+        async run() {
+          return { text: "unused", newSessionId: "sess_1" };
+        },
+      }),
+      transcriptEnabled: false,
+    });
+
+    const result = await handleCloudGatewayRuntimeInbound(gateway, {
+      type: RUNTIME_FRAME_TYPES.GATEWAY_INBOUND,
+      event_id: "evt_bad",
+      gateway_id: "gw_tg_1",
+      agent_id: "ag_1",
+      provider: "telegram",
+      message: {
+        id: "telegram:1:2",
+        channel: "gw_other",
+        accountId: "ag_1",
+        conversation: { id: "telegram:user:1", kind: "direct" },
+        sender: { id: "telegram:user:1", kind: "user" },
+        text: "hi",
+        replyTo: null,
+        mentioned: true,
+        receivedAt: Date.now(),
+      },
+    });
+
+    expect(result.accepted).toBe(false);
+    expect(result.error?.code).toBe("channel_mismatch");
+  });
+});
+
+function stubChannel(id: string, type: string, accountId: string): ChannelAdapter {
+  return {
+    id,
+    type,
+    async start() {
+      return undefined;
+    },
+    async stop() {
+      return undefined;
+    },
+    async send() {
+      return {};
+    },
+    status() {
+      return { channel: id, accountId, running: true };
+    },
+  };
+}

package/src/__tests__/gateway-control.test.ts

@@ -733,3 +733,139 @@ describe("W4: handleLoginStatus accountId ownership check", () => {
     expect(ack.error?.code).toBe("bad_params");
   });
 });
+
+describe("login_missing vs login_expired", () => {
+  it("wechat upsert with an unknown loginId returns login_missing", async () => {
+    const gw = makeFakeGateway();
+    const { io } = makeConfigIO(baseCfg());
+    const sessions = new LoginSessionStore();
+    const ctrl = createGatewayControl({
+      gateway: gw as any,
+      configIO: io,
+      loginSessions: sessions,
+    });
+
+    const ack = await ctrl.handleUpsert({
+      id: uniqId("wx_missing"),
+      type: "wechat",
+      accountId: "ag_alice",
+      enabled: true,
+      loginId: "wxl_never_created",
+    });
+
+    expect(ack.ok).toBe(false);
+    expect(ack.error?.code).toBe("login_missing");
+    expect(gw.addChannel).not.toHaveBeenCalled();
+  });
+
+  it("feishu upsert with an unknown loginId returns login_missing", async () => {
+    const gw = makeFakeGateway();
+    const { io } = makeConfigIO(baseCfg());
+    const sessions = new LoginSessionStore();
+    const ctrl = createGatewayControl({
+      gateway: gw as any,
+      configIO: io,
+      loginSessions: sessions,
+    });
+
+    const ack = await ctrl.handleUpsert({
+      id: uniqId("fs_missing"),
+      type: "feishu",
+      accountId: "ag_alice",
+      enabled: true,
+      loginId: "fsl_never_created",
+    });
+
+    expect(ack.ok).toBe(false);
+    expect(ack.error?.code).toBe("login_missing");
+    expect(gw.addChannel).not.toHaveBeenCalled();
+  });
+
+  it("recent_senders with an unknown loginId returns login_missing", async () => {
+    const gw = makeFakeGateway();
+    const { io } = makeConfigIO(baseCfg());
+    const sessions = new LoginSessionStore();
+    const ctrl = createGatewayControl({
+      gateway: gw as any,
+      configIO: io,
+      loginSessions: sessions,
+    });
+
+    const ack = await ctrl.handleRecentSenders({
+      provider: "wechat",
+      loginId: "wxl_never_created",
+      accountId: "ag_alice",
+    });
+
+    expect(ack.ok).toBe(false);
+    expect(ack.error?.code).toBe("login_missing");
+  });
+
+  it("wechat upsert with a TTL-expired loginId returns login_expired", async () => {
+    const gw = makeFakeGateway();
+    const { io } = makeConfigIO(baseCfg());
+    let nowMs = 1_000_000;
+    const sessions = new LoginSessionStore({ now: () => nowMs, ttlMs: 60_000 });
+    sessions.create({
+      loginId: "wxl_aged",
+      accountId: "ag_alice",
+      provider: "wechat",
+      qrcode: "QR",
+      baseUrl: "https://ilinkai.weixin.qq.com",
+      botToken: "wechat-bot-token-aged",
+    });
+    nowMs += 120_000;
+
+    const ctrl = createGatewayControl({
+      gateway: gw as any,
+      configIO: io,
+      loginSessions: sessions,
+    });
+
+    const ack = await ctrl.handleUpsert({
+      id: uniqId("wx_expired"),
+      type: "wechat",
+      accountId: "ag_alice",
+      enabled: true,
+      loginId: "wxl_aged",
+    });
+
+    expect(ack.ok).toBe(false);
+    expect(ack.error?.code).toBe("login_expired");
+    // resolve() also evicts — a follow-up call should now report missing.
+    expect(sessions.resolve("wxl_aged").state).toBe("missing");
+  });
+
+  it("feishu upsert with a TTL-expired loginId returns login_expired", async () => {
+    const gw = makeFakeGateway();
+    const { io } = makeConfigIO(baseCfg());
+    let nowMs = 2_000_000;
+    const sessions = new LoginSessionStore({ now: () => nowMs, ttlMs: 60_000 });
+    sessions.create({
+      loginId: "fsl_aged",
+      accountId: "ag_alice",
+      provider: "feishu",
+      appId: "cli_xxx",
+      appSecret: "feishu-secret-aged",
+      domain: "feishu",
+    });
+    nowMs += 120_000;
+
+    const ctrl = createGatewayControl({
+      gateway: gw as any,
+      configIO: io,
+      loginSessions: sessions,
+    });
+
+    const ack = await ctrl.handleUpsert({
+      id: uniqId("fs_expired"),
+      type: "feishu",
+      accountId: "ag_alice",
+      enabled: true,
+      loginId: "fsl_aged",
+    });
+
+    expect(ack.ok).toBe(false);
+    expect(ack.error?.code).toBe("login_expired");
+  });
+});

package/src/__tests__/policy-resolver.test.ts

@@ -65,6 +65,26 @@ describe("PolicyResolver", () => {
     expect(p.mode).toBe("always");
   });
 
+  it.each(["telegram:user:42", "wechat:user:alice", "feishu:user:ou_alice"])(
+    "forces third-party direct chat %s to mode=always",
+    async (conversationId) => {
+      const resolver = new PolicyResolver({ fetchGlobal: async () => undefined });
+      resolver.put("ag_a", null, { mode: "mention_only", keywords: [] });
+      const p = await resolver.resolve("ag_a", conversationId);
+      expect(p.mode).toBe("always");
+    },
+  );
+
+  it.each(["telegram:group:-1001", "feishu:chat:oc_team"])(
+    "does not force third-party group chat %s to mode=always",
+    async (conversationId) => {
+      const resolver = new PolicyResolver({ fetchGlobal: async () => undefined });
+      resolver.put("ag_a", null, { mode: "mention_only", keywords: [] });
+      const p = await resolver.resolve("ag_a", conversationId);
+      expect(p.mode).toBe("mention_only");
+    },
+  );
+
   it("falls back to defaults when fetch throws", async () => {
     const resolver = new PolicyResolver({
       fetchGlobal: async () => {