npm - @vellumai/assistant - Versions diffs - 0.10.1 → 0.10.2-dev.202606241651.2d2b40d - Mend

@vellumai/assistant 0.10.1 → 0.10.2-dev.202606241651.2d2b40d

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (367) hide show

package/src/agent/loop-exclusive-tool.test.ts ADDED Viewed

@@ -0,0 +1,150 @@
+/**
+ * Verifies the agent loop's exclusive-tool dispatch: when a tool the loop is
+ * told is exclusive (e.g. the advisor) appears in a multi-call turn, only that
+ * tool runs and the siblings are deferred un-run with a benign result — so the
+ * model incorporates the exclusive tool's output before acting on anything
+ * else. Drives the REAL loop, mocking only the provider boundary.
+ */
+import { describe, expect, test } from "bun:test";
+import { createMockProvider } from "../__tests__/helpers/mock-provider.js";
+import type { ContentBlock, ProviderResponse } from "../providers/types.js";
+import { AgentLoop } from "./loop.js";
+const endTurn = (text: string): ProviderResponse => ({
+  content: [{ type: "text", text }],
+  model: "mock-model",
+  usage: { inputTokens: 1, outputTokens: 1 },
+  stopReason: "end_turn",
+});
+const toolUseTurn = (
+  blocks: Array<{ id: string; name: string }>,
+): ProviderResponse => ({
+  content: [
+    { type: "text", text: "working" },
+    ...blocks.map((b) => ({
+      type: "tool_use" as const,
+      id: b.id,
+      name: b.name,
+      input: {},
+    })),
+  ],
+  model: "mock-model",
+  usage: { inputTokens: 1, outputTokens: 1 },
+  stopReason: "tool_use",
+});
+function toolResults(history: { content: ContentBlock[] }[]) {
+  return history
+    .flatMap((m) => m.content)
+    .filter(
+      (b): b is Extract<ContentBlock, { type: "tool_result" }> =>
+        b.type === "tool_result",
+    );
+}
+const baseRun = {
+  requestId: "req-excl",
+  onEvent: () => {},
+  callSite: "mainAgent" as const,
+  trust: { sourceChannel: "vellum" as const, trustClass: "unknown" as const },
+};
+describe("AgentLoop — exclusive tool deferral", () => {
+  test("runs the exclusive tool alone and defers sibling calls un-run", async () => {
+    const { provider } = createMockProvider([
+      toolUseTurn([
+        { id: "call-advisor", name: "advisor" },
+        { id: "call-edit", name: "write_file" },
+      ]),
+      endTurn("done"),
+    ]);
+    const executed: string[] = [];
+    const loop = new AgentLoop({
+      provider,
+      systemPrompt: "sys",
+      conversationId: "excl-1",
+      tools: [
+        { name: "advisor", description: "", input_schema: { type: "object" } },
+        {
+          name: "write_file",
+          description: "",
+          input_schema: { type: "object" },
+        },
+      ],
+      toolExecutor: async (name) => {
+        executed.push(name);
+        return { content: `ran ${name}`, isError: false };
+      },
+      isExclusiveTool: (name) => name === "advisor",
+    });
+    const { history } = await loop.run({
+      ...baseRun,
+      messages: [{ role: "user", content: [{ type: "text", text: "do it" }] }],
+    });
+    // Only the exclusive tool actually executed.
+    expect(executed).toEqual(["advisor"]);
+    const results = toolResults(history);
+    const advisorResult = results.find(
+      (b) => b.tool_use_id === "call-advisor",
+    )!;
+    const editResult = results.find((b) => b.tool_use_id === "call-edit")!;
+    // The advisor ran; the sibling came back un-run (not an error) so the model
+    // can re-issue it after reading the guidance.
+    expect(advisorResult.content).toBe("ran advisor");
+    expect(editResult.content).toContain("not run");
+    expect(editResult.content).toContain("advisor");
+    expect(editResult.is_error).toBe(false);
+  });
+  test("runs sibling tools normally when no exclusive tool is present", async () => {
+    const { provider } = createMockProvider([
+      toolUseTurn([
+        { id: "call-read", name: "read_file" },
+        { id: "call-write", name: "write_file" },
+      ]),
+      endTurn("done"),
+    ]);
+    const executed: string[] = [];
+    const loop = new AgentLoop({
+      provider,
+      systemPrompt: "sys",
+      conversationId: "excl-2",
+      tools: [
+        {
+          name: "read_file",
+          description: "",
+          input_schema: { type: "object" },
+        },
+        {
+          name: "write_file",
+          description: "",
+          input_schema: { type: "object" },
+        },
+      ],
+      toolExecutor: async (name) => {
+        executed.push(name);
+        return { content: `ran ${name}`, isError: false };
+      },
+      isExclusiveTool: (name) => name === "advisor",
+    });
+    const { history } = await loop.run({
+      ...baseRun,
+      messages: [{ role: "user", content: [{ type: "text", text: "do it" }] }],
+    });
+    // Both non-exclusive tools ran; nothing was deferred.
+    expect(executed.sort()).toEqual(["read_file", "write_file"]);
+    for (const result of toolResults(history)) {
+      expect(result.content).not.toContain("not run");
+    }
+  });
+});

package/src/agent/loop.ts CHANGED Viewed

@@ -625,6 +625,20 @@ export type LoopToolExecutor = (
   activityMetadata?: ToolActivityMetadata;
 }>;
+/**
+ * The benign result returned for a sibling tool call that was deferred because
+ * an exclusive tool ran in the same turn. Phrased so the model treats it as a
+ * "not run yet" signal — read the exclusive tool's output, then re-issue this
+ * call if it is still the right next step.
+ */
+function deferredForExclusiveMessage(exclusiveToolName: string): string {
+  return (
+    `(not run: \`${exclusiveToolName}\` was called this turn and runs first, on its own, ` +
+    `so the rest of your tool calls were held back. Read its output, then call this tool ` +
+    `again if it is still the right next step.)`
+  );
+}
 export interface AgentLoopConstructorOptions {
   /** LLM provider the loop issues every call through. */
   provider: Provider;
@@ -634,6 +648,14 @@ export interface AgentLoopConstructorOptions {
   tools?: ToolDefinition[];
   toolExecutor?: LoopToolExecutor;
   resolveTools?: (history: Message[]) => ToolDefinition[];
+  /**
+   * Decide whether a tool runs exclusively in its turn (see
+   * {@link ToolDefinition.exclusive}). When it returns true for a tool present
+   * in a multi-call turn, the loop runs only that tool and defers the siblings
+   * un-run. Injected by the conversation wiring, which can read the tool
+   * registry; lightweight loops that omit it never defer.
+   */
+  isExclusiveTool?: (toolName: string) => boolean;
   /**
    * Conversation this loop drives. Scopes the loop-held compaction circuit
    * breaker and is the source of truth the loop's pipeline contexts and
@@ -659,6 +681,7 @@ export class AgentLoop {
   private tools: ToolDefinition[];
   private resolveTools: ((history: Message[]) => ToolDefinition[]) | null;
   private toolExecutor: LoopToolExecutor | null;
+  private isExclusiveTool: ((toolName: string) => boolean) | null;
   /**
    * Conversation this loop drives. Source of truth for the `conversationId`
@@ -688,6 +711,7 @@ export class AgentLoop {
       tools,
       toolExecutor,
       resolveTools,
+      isExclusiveTool,
       conversationId,
       resolveConversationDir,
     } = options;
@@ -697,6 +721,7 @@ export class AgentLoop {
     this.tools = tools ?? [];
     this.resolveTools = resolveTools ?? null;
     this.toolExecutor = toolExecutor ?? null;
+    this.isExclusiveTool = isExclusiveTool ?? null;
     this.conversationId = conversationId;
     this.resolveConversationDir = resolveConversationDir ?? null;
     this.compactionCircuit = new CompactionCircuit(this.conversationId);
@@ -1883,8 +1908,39 @@ export class AgentLoop {
           "Tool execution start",
         );
+        // When an exclusive tool (e.g. the advisor) is among this turn's calls,
+        // it must run alone: the model should incorporate its output before
+        // acting on anything else. Run only the first exclusive call and defer
+        // the siblings with a benign, un-run result so the model re-issues them
+        // next turn if still needed. Every tool_use still gets a matching
+        // tool_result, so history stays well-formed.
+        const exclusiveBlock = this.isExclusiveTool
+          ? toolUseBlocks.find((block) => this.isExclusiveTool!(block.name))
+          : undefined;
+        const deferSiblings =
+          exclusiveBlock !== undefined && toolUseBlocks.length > 1;
+        if (deferSiblings) {
+          rlog.info(
+            {
+              turn: toolUseTurns,
+              exclusiveTool: exclusiveBlock!.name,
+              deferred: toolUseBlocks
+                .filter((block) => block !== exclusiveBlock)
+                .map((block) => block.name),
+            },
+            "Exclusive tool present — running it alone and deferring sibling tool calls this turn",
+          );
+        }
         const toolExecutionPromise = Promise.all(
           toolUseBlocks.map(async (toolUse) => {
+            if (deferSiblings && toolUse !== exclusiveBlock) {
+              const result: Awaited<ReturnType<LoopToolExecutor>> = {
+                content: deferredForExclusiveMessage(exclusiveBlock!.name),
+                isError: false,
+              };
+              return { toolUse, result };
+            }
             const result = await this.toolExecutor!(
               toolUse.name,
               toolUse.input,

package/src/api/constants/sse-replay.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * Maximum number of events the daemon's per-process SSE replay ring
+ * retains for `Last-Event-ID` resume. This is the ring's count bound; the
+ * ring is also bounded by total bytes and entry age (whichever limit is
+ * hit first wins), so the live ring can hold *fewer* than this many
+ * events, never more. The daemon-side definition and eviction live in
+ * `assistant/src/runtime/assistant-stream-state.ts`.
+ *
+ * Exposed on the API surface so the web client's SSE consumer can size
+ * its seq-gap tolerance against the same number the daemon buffers
+ * against, instead of hard-coding a duplicate.
+ *
+ * A live seq gap smaller than this is benign: the global per-assistant
+ * `seq` counter is stamped before fanout, but the hub deliberately
+ * withholds some events from a given subscriber — self-echo-suppressed
+ * `sync_changed` (a client's own mutation echo) and capability-targeted
+ * host-proxy events — so a subscriber legitimately sees its cursor skip a
+ * few seqs it was never going to receive. Such a hole is not data loss
+ * and must not trigger a destructive authoritative snapshot heal. Only a
+ * gap that meets or exceeds this count proves the live suffix fell
+ * outside the ring entirely and is genuinely non-contiguous.
+ */
+export const SSE_REPLAY_RING_COUNT_LIMIT = 200;
+/**
+ * Maximum age (in milliseconds) an event may reach in the daemon's SSE
+ * replay ring before it is evicted, regardless of count or byte usage.
+ * The daemon-side definition and eviction live in
+ * `assistant/src/runtime/assistant-stream-state.ts`.
+ *
+ * Exposed alongside the count bound so the web client can reason about
+ * the age dimension of the ring too. A small live seq gap is only safe to
+ * treat as benign when the client has been continuously receiving events
+ * — live delivery is concurrent with stamping, so a connected subscriber
+ * never relies on the ring. Once the connection has been quiet for longer
+ * than this window (a disconnect/resume), events the client missed may
+ * have aged out of the ring and become unrecoverable by replay, so even a
+ * small seq gap must trigger an authoritative reconcile rather than be
+ * waved through.
+ */
+export const SSE_REPLAY_RING_AGE_LIMIT_MS = 30_000;

package/src/api/index.ts CHANGED Viewed

@@ -61,6 +61,10 @@ export {
   CALL_SITE_COMPACTION_AGENT,
   CALL_SITE_SYNTHETIC_AGENT_ERROR_MESSAGE,
 } from "./constants/call-sites.js";
+export {
+  SSE_REPLAY_RING_AGE_LIMIT_MS,
+  SSE_REPLAY_RING_COUNT_LIMIT,
+} from "./constants/sse-replay.js";
 export { DEFAULT_TOOL_EXECUTION_TIMEOUT_SEC } from "./constants/tool-execution.js";
 export {
   type AssistantActivityAnchor,
@@ -430,6 +434,8 @@ export {
   LlmContextResponseSchema,
 } from "./responses/llm-context-response.js";
 export {
+  type LLMCallError,
+  LLMCallErrorSchema,
   type LLMCallSummary,
   LLMCallSummarySchema,
   type LLMContextSection,

package/src/api/responses/llm-request-log-entry.ts CHANGED Viewed

@@ -67,6 +67,30 @@ export const LLMContextSectionSchema = z.object({
 export type LLMContextSection = z.infer<typeof LLMContextSectionSchema>;
+/**
+ * Structured provider/transport error recorded when an LLM call was
+ * rejected before producing a response. Mirrors the on-disk
+ * `responsePayload.error` shape written by
+ * `buildProviderErrorResponsePayload` — the inspector branches on the
+ * presence of this field to render a failed call distinctly (failure
+ * banner in the Response tab, $0.00 cost in the rail, etc.) instead of
+ * the generic "section rendering unavailable" fallback.
+ *
+ * Every field is optional because the serializer degrades a plain
+ * `Error` down to just `{ name, message }`; only the wrapper object is
+ * guaranteed.
+ */
+export const LLMCallErrorSchema = z.object({
+  name: z.string().nullish(),
+  message: z.string().nullish(),
+  code: z.string().nullish(),
+  provider: z.string().nullish(),
+  statusCode: z.number().nullish(),
+  retryAfterMs: z.number().nullish(),
+});
+export type LLMCallError = z.infer<typeof LLMCallErrorSchema>;
 /**
  * One LLM request log row.
  *
@@ -88,6 +112,7 @@ export const LLMRequestLogEntrySchema = z.object({
   responseSections: z.array(LLMContextSectionSchema).nullish(),
   agentLoopExitReason: z.string().nullish(),
   callSite: z.string().nullish(),
+  error: LLMCallErrorSchema.nullish(),
 });
 export type LLMRequestLogEntry = z.infer<typeof LLMRequestLogEntrySchema>;

package/src/api/responses/subagent-detail.ts CHANGED Viewed

@@ -31,6 +31,23 @@ export const SubagentDetailEventSchema = z.object({
   toolName: z.string().optional(),
   isError: z.boolean().optional(),
   messageId: z.string().optional(),
+  /**
+   * Tool-call id — the `tool_use.id` on a tool-call event and the referencing
+   * `tool_use_id` on its tool-result event, in the daemon's canonical
+   * content-block format. That format is provider-agnostic: every provider
+   * (Anthropic, OpenAI, Gemini, …) normalizes its native tool calls into these
+   * `tool_use`/`tool_result` blocks (see `providers/types.ts`), so this id is
+   * present regardless of which model produced the call. Lets the web client
+   * pair a result with its call and key the nested tool-detail view, so tool
+   * pills on reloaded/history subagents are clickable (not just live ones).
+   */
+  toolUseId: z.string().optional(),
+  /**
+   * Raw tool input object on tool-call events. (`content` also carries a
+   * JSON-stringified copy for back-compat / label derivation.) Surfaced in the
+   * tool-detail view's input section.
+   */
+  input: z.record(z.string(), z.unknown()).optional(),
 });
 export type SubagentDetailEvent = z.infer<typeof SubagentDetailEventSchema>;

package/src/calls/__tests__/relay-setup-router.test.ts CHANGED Viewed

@@ -15,7 +15,7 @@
 import { beforeEach, describe, expect, mock, test } from "bun:test";
-import type { AdmissionPolicy } from "@vellumai/gateway-client";
+import type { AdmissionPolicy, TrustVerdict } from "@vellumai/gateway-client";
 import type {
   ChannelPolicy,
@@ -38,10 +38,21 @@ mock.module("../../config/loader.js", () => ({
   getConfig: () => ({ calls: { verification: { enabled: false } } }),
 }));
-// Controllable resolved trust context.
+// Controllable resolved trust context. `resolveActorTrust` is a tracked mock
+// so the verdict-source tests can assert the local fallback fires (or not).
+// The verdict path uses the REAL, pure `actorTrustContextFromVerdict` /
+// `verdictMemberUnresolvable` — no module mock — so this file leaks nothing
+// into sibling test files sharing the bun process.
 let nextTrust: ActorTrustContext;
+const resolveActorTrustMock = mock(() => nextTrust);
+// Override only `resolveActorTrust`; the real `trust-verdict-consumer` imports
+// `toTrustContext` from this module, so the rest must pass through untouched.
+const actorTrustResolverModule = await import(
+  "../../runtime/actor-trust-resolver.js"
+);
 mock.module("../../runtime/actor-trust-resolver.js", () => ({
-  resolveActorTrust: () => nextTrust,
+  ...actorTrustResolverModule,
+  resolveActorTrust: resolveActorTrustMock,
 }));
 // Controllable pending verification challenge.
@@ -151,13 +162,17 @@ function makeTrust(
   };
 }
-function route(admissionPolicy?: AdmissionPolicy | null) {
+function route(
+  admissionPolicy?: AdmissionPolicy | null,
+  verdict?: TrustVerdict | null,
+) {
   return routeSetup({
     callSessionId: "cs_1",
     session: null, // inbound
     from: "+12025550142",
     to: "+12025550199",
     admissionPolicy,
+    verdict,
   });
 }
@@ -165,6 +180,7 @@ beforeEach(() => {
   pendingChallenge = null;
   activeInvites = [];
   boundContact = null;
+  resolveActorTrustMock.mockClear();
 });
 // ---------------------------------------------------------------------------
@@ -374,3 +390,245 @@ describe("routeSetup — floor bypasses", () => {
     expect(outcome.action).toBe("verification");
   });
 });
+// ---------------------------------------------------------------------------
+// Caller-trust source: gateway verdict first, local fallback
+// ---------------------------------------------------------------------------
+function makeVerdict(overrides: Partial<TrustVerdict> = {}): TrustVerdict {
+  return {
+    trustClass: "guardian",
+    canonicalSenderId: "+12025550142",
+    ...overrides,
+  };
+}
+// A verdict carrying a fully-resolvable member ACL (contactId/channelId + valid
+// known status·policy enums). The REAL `resolvedMemberFromVerdict` synthesizes
+// a memberRecord from these, so the verdict path enforces blocked/revoked/deny.
+function makeMemberVerdict(
+  trustClass: TrustVerdict["trustClass"],
+  channel: { status: string; policy?: string },
+  overrides: Partial<TrustVerdict> = {},
+): TrustVerdict {
+  return makeVerdict({
+    trustClass,
+    contactId: "ct_1",
+    channelId: "ch_1",
+    status: channel.status,
+    policy: channel.policy ?? "allow",
+    ...overrides,
+  });
+}
+describe("routeSetup — caller-trust source", () => {
+  test("present verdict builds trust from the verdict (no local resolve)", () => {
+    const { resolved, outcome } = route(
+      null,
+      makeMemberVerdict("guardian", { status: "active" }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(resolved.actorTrust.trustClass).toBe("guardian");
+    expect(outcome.action).toBe("normal_call");
+  });
+  test("resolutionFailed verdict falls back to local resolveActorTrust", () => {
+    nextTrust = makeTrust("guardian", { status: "active", role: "guardian" });
+    const { resolved } = route(null, makeVerdict({ resolutionFailed: true }));
+    expect(resolveActorTrustMock).toHaveBeenCalledTimes(1);
+    expect(resolved.actorTrust.trustClass).toBe("guardian");
+  });
+  test("null verdict falls back to local resolveActorTrust", () => {
+    nextTrust = makeTrust("trusted_contact", { status: "active" });
+    const { resolved } = route(null, null);
+    expect(resolveActorTrustMock).toHaveBeenCalledTimes(1);
+    expect(resolved.actorTrust.trustClass).toBe("trusted_contact");
+  });
+  test("absent verdict falls back to local resolveActorTrust", () => {
+    nextTrust = makeTrust("guardian", { status: "active", role: "guardian" });
+    route(null);
+    expect(resolveActorTrustMock).toHaveBeenCalledTimes(1);
+  });
+  test("admission floor still applies on the verdict path (guardian_only denies trusted_contact)", () => {
+    const { outcome } = route(
+      "guardian_only",
+      makeMemberVerdict("trusted_contact", { status: "active" }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("deny");
+  });
+  test("admission floor still applies on the fallback path (guardian_only denies trusted_contact)", () => {
+    nextTrust = makeTrust("trusted_contact", { status: "active" });
+    const { outcome } = route(
+      "guardian_only",
+      makeVerdict({ resolutionFailed: true }),
+    );
+    expect(resolveActorTrustMock).toHaveBeenCalledTimes(1);
+    expect(outcome.action).toBe("deny");
+  });
+});
+// ---------------------------------------------------------------------------
+// Verdict-path ACL: blocked / revoked / deny enforced from the verdict-derived
+// memberRecord (no local fallback). Guards the P1 where a verdict member with
+// no memberRecord bypassed these gates.
+// ---------------------------------------------------------------------------
+describe("routeSetup — verdict path enforces member ACL", () => {
+  test("blocked member via verdict is denied (not normal_call) under permissive floor", () => {
+    const { outcome } = route(
+      "strangers",
+      makeMemberVerdict("unknown", { status: "blocked" }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("deny");
+  });
+  test("revoked member via verdict is denied under permissive floor", () => {
+    const { outcome } = route(
+      "strangers",
+      makeMemberVerdict("unknown", { status: "revoked" }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("deny");
+  });
+  test("policy deny member via verdict is denied (not normal_call)", () => {
+    const { outcome } = route(
+      null,
+      makeMemberVerdict("trusted_contact", {
+        status: "active",
+        policy: "deny",
+      }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("deny");
+  });
+  test("policy escalate member via verdict is denied (live call can't await approval)", () => {
+    const { outcome } = route(
+      null,
+      makeMemberVerdict("trusted_contact", {
+        status: "active",
+        policy: "escalate",
+      }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("deny");
+  });
+  test("trusted/active member via verdict still admits to normal_call", () => {
+    const { outcome } = route(
+      null,
+      makeMemberVerdict("trusted_contact", {
+        status: "active",
+        policy: "allow",
+      }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("normal_call");
+  });
+  test("guardian via verdict still admits to normal_call", () => {
+    const { outcome } = route(
+      null,
+      makeMemberVerdict("guardian", { status: "active" }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("normal_call");
+  });
+});
+// ---------------------------------------------------------------------------
+// Unresolvable member verdict → local fallback (never trust an un-ACL-checkable
+// member). A verdict claiming a member (contactId/channelId) whose ACL can't be
+// reassembled (missing/unknown status·policy) must take the local resolveActorTrust
+// path so the member is ACL-checked locally, not trusted by trustClass.
+// ---------------------------------------------------------------------------
+describe("routeSetup — unresolvable member verdict falls back to local", () => {
+  test("member identity with missing status falls back to local resolveActorTrust", () => {
+    nextTrust = makeTrust("trusted_contact", { status: "active" });
+    const { resolved } = route(
+      null,
+      makeVerdict({
+        trustClass: "trusted_contact",
+        contactId: "ct_1",
+        channelId: "ch_1",
+        policy: "allow",
+        // status absent → unresolvable
+      }),
+    );
+    expect(resolveActorTrustMock).toHaveBeenCalledTimes(1);
+    expect(resolved.actorTrust.trustClass).toBe("trusted_contact");
+  });
+  test("member identity with unknown status falls back to local resolveActorTrust", () => {
+    nextTrust = makeTrust("trusted_contact", { status: "active" });
+    route(
+      null,
+      makeVerdict({
+        trustClass: "trusted_contact",
+        contactId: "ct_1",
+        channelId: "ch_1",
+        status: "bogus",
+        policy: "allow",
+      }),
+    );
+    expect(resolveActorTrustMock).toHaveBeenCalledTimes(1);
+  });
+  test("member identity with unknown policy falls back to local resolveActorTrust", () => {
+    nextTrust = makeTrust("trusted_contact", { status: "active" });
+    route(
+      null,
+      makeVerdict({
+        trustClass: "trusted_contact",
+        contactId: "ct_1",
+        channelId: "ch_1",
+        status: "active",
+        policy: "bogus",
+      }),
+    );
+    expect(resolveActorTrustMock).toHaveBeenCalledTimes(1);
+  });
+  test("real stranger verdict (no member identity) still takes the verdict path", () => {
+    const { resolved } = route(null, makeVerdict({ trustClass: "unknown" }));
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(resolved.actorTrust.trustClass).toBe("unknown");
+  });
+  test("valid member verdict (good status+policy) still takes the verdict path", () => {
+    const { outcome } = route(
+      null,
+      makeMemberVerdict("trusted_contact", {
+        status: "active",
+        policy: "allow",
+      }),
+    );
+    expect(resolveActorTrustMock).not.toHaveBeenCalled();
+    expect(outcome.action).toBe("normal_call");
+  });
+});