@vellumai/assistant 0.10.3 → 0.10.4-staging.1

package/src/calls/__tests__/relay-setup-router.test.ts

@@ -47,9 +47,8 @@ let nextTrust: ActorTrustContext;
 const resolveActorTrustMock = mock(() => nextTrust);
 // Override only `resolveActorTrust`; the real `trust-verdict-consumer` imports
 // `toTrustContext` from this module, so the rest must pass through untouched.
-const actorTrustResolverModule = await import(
-  "../../runtime/actor-trust-resolver.js"
-);
+const actorTrustResolverModule =
+  await import("../../runtime/actor-trust-resolver.js");
 mock.module("../../runtime/actor-trust-resolver.js", () => ({
   ...actorTrustResolverModule,
   resolveActorTrust: resolveActorTrustMock,
@@ -92,13 +91,7 @@ function makeChannel(overrides: Partial<ContactChannel> = {}): ContactChannel {
     address: "+12025550142",
     isPrimary: true,
     externalChatId: null,
-    status: "active",
-    policy: "allow",
-    verifiedAt: null,
-    verifiedVia: null,
     inviteId: null,
-    revokedReason: null,
-    blockedReason: null,
     lastSeenAt: null,
     interactionCount: 0,
     lastInteraction: null,
@@ -115,13 +108,12 @@ function makeContact(
     id: "ct_1",
     displayName: "Test Caller",
     notes: null,
+    role: "contact",
     lastInteraction: null,
     interactionCount: 0,
     createdAt: 0,
     updatedAt: 0,
-    role: "contact",
     contactType: "human",
-    principalId: null,
     userFile: null,
     channels: [],
     ...overrides,
@@ -138,11 +130,11 @@ function makeTrust(
 ): ActorTrustContext {
   const memberRecord = channel
     ? {
-        contact: makeContact({ role: channel.role ?? "contact" }),
-        channel: makeChannel({
-          status: channel.status,
-          policy: channel.policy ?? "allow",
-        }),
+        contact: makeContact(),
+        channel: makeChannel(),
+        status: channel.status,
+        policy: channel.policy ?? "allow",
+        role: channel.role ?? "contact",
       }
     : null;
   return {
@@ -404,8 +396,8 @@ function makeVerdict(overrides: Partial<TrustVerdict> = {}): TrustVerdict {
 }
 
 // A verdict carrying a fully-resolvable member ACL (contactId/channelId + valid
-// known status·policy enums). The REAL `resolvedMemberFromVerdict` synthesizes
-// a memberRecord from these, so the verdict path enforces blocked/revoked/deny.
+// known status·policy enums). The verdict path builds a memberRecord from
+// these, so it enforces blocked/revoked/deny.
 function makeMemberVerdict(
   trustClass: TrustVerdict["trustClass"],
   channel: { status: string; policy?: string },

package/src/calls/guardian-dispatch.ts

@@ -7,7 +7,10 @@
  * 3. Records guardian_action_delivery rows from pipeline delivery results
  */
 
-import { findGuardianForChannel } from "../contacts/contact-store.js";
+import {
+  getGuardianDelivery,
+  guardianForChannel,
+} from "../contacts/guardian-delivery-reader.js";
 import {
   createCanonicalGuardianRequest,
   listCanonicalGuardianDeliveries,
@@ -86,16 +89,16 @@ async function dispatchGuardianQuestionInner(
   try {
     const expiresAt = Date.now() + getUserConsultationTimeoutMs();
 
-    // Resolve the request principal from the same local source as the
-    // submitting actor (guardian-action-routes / actor-trust-resolver both read
-    // findGuardianForChannel("vellum")?.contact.principalId), so they cannot
-    // diverge. applyCanonicalGuardianDecision requires strict equality with
-    // request.guardianPrincipalId; sharing this local source guarantees the
-    // stamped principal == the submitting principal even when the gateway and
-    // local bindings drift during migration. This pair converts to the gateway
-    // together with the actor-trust path.
-    const guardianPrincipalId =
-      findGuardianForChannel("vellum")?.contact.principalId ?? undefined;
+    // Resolve the request principal from the gateway guardian delivery — the
+    // same source the submitting actor (guardian-action-routes /
+    // actor-trust-resolver) resolves, so they cannot diverge.
+    // applyCanonicalGuardianDecision requires strict equality with
+    // request.guardianPrincipalId; sharing this gateway source guarantees the
+    // stamped principal == the submitting principal.
+    const guardians = await getGuardianDelivery({ channelTypes: ["vellum"] });
+    const guardianPrincipalId = guardians
+      ? (guardianForChannel(guardians, "vellum")?.principalId ?? undefined)
+      : undefined;
 
     if (!guardianPrincipalId) {
       log.error(

package/src/calls/inbound-trust-reader.ts

@@ -17,6 +17,7 @@ import {
 
 import type { ChannelId } from "../channels/types.js";
 import { ipcCall } from "../ipc/gateway-client.js";
+import { setMemberVerdict } from "../runtime/member-verdict-cache.js";
 
 // Short IPC timeout so the read resolves promptly rather than stalling call
 // setup on a gateway that accepts the socket but hangs.
@@ -36,7 +37,12 @@ export async function getInboundTrustVerdict(input: {
     if (!result) return null;
 
     const parsed = TrustVerdictSchema.safeParse(result.verdict);
-    return parsed.success ? parsed.data : null;
+    if (!parsed.success) return null;
+
+    // Single choke point: warm the member-verdict cache so the sync trust
+    // fallback resolves the member without a local ACL read.
+    setMemberVerdict(input.channelType, input.actorExternalId, parsed.data);
+    return parsed.data;
   } catch {
     return null;
   }

package/src/calls/relay-access-wait.ts

@@ -9,6 +9,7 @@
 import { findContactChannel } from "../contacts/contact-store.js";
 import { getCanonicalGuardianRequest } from "../memory/canonical-guardian-store.js";
 import { emitNotificationSignal } from "../notifications/emit-signal.js";
+import { getCachedMemberAcl } from "../runtime/member-verdict-cache.js";
 import { getLogger } from "../util/logger.js";
 import {
   getGuardianWaitUpdateInitialIntervalMs,
@@ -252,12 +253,11 @@ export function emitAccessRequestCallbackHandoff(
         address: fromNumber,
         externalChatId: fromNumber,
       });
-      if (
-        contactResult &&
-        contactResult.channel.status === "active" &&
-        contactResult.channel.policy === "allow"
-      ) {
-        requesterMemberId = contactResult.channel.id;
+      if (contactResult) {
+        const acl = getCachedMemberAcl("phone", fromNumber);
+        if (acl?.status === "active" && acl.policy === "allow") {
+          requesterMemberId = contactResult.channel.id;
+        }
       }
     } catch (err) {
       log.warn(

package/src/calls/relay-server.ts

@@ -13,6 +13,7 @@ import type { ServerWebSocket } from "bun";
 
 import {
   getGuardianDelivery,
+  getGuardianDeliveryFresh,
   voiceGuardianDisplayName,
 } from "../contacts/guardian-delivery-reader.js";
 import { getAssistantName } from "../daemon/identity-helpers.js";
@@ -601,7 +602,19 @@ export class RelayConnection {
     const session = getCallSession(this.callSessionId);
     this.recordSetupBookkeeping(session, msg);
 
-    await this.primeGuardianDisplayName();
+    // Prime the guardian displayName and warm the phone-channel guardian-
+    // delivery cache before routeSetup's SYNC resolveActorTrust fallback. That
+    // fallback reads the IO-free cache snapshot keyed per channel-filter; daemon
+    // startup warms only `vellum`, so a cold-process phone call would otherwise
+    // misclassify a guardian during a gateway verdict blip. Read fresh: gateway-
+    // side binding writes don't invalidate the daemon cache, so a stale empty
+    // snapshot from an earlier setup would survive the TTL otherwise. Both are
+    // independent IPC reads on different cache keys, so run them concurrently
+    // off the sync resolver's hot path.
+    await Promise.all([
+      this.primeGuardianDisplayName(),
+      getGuardianDeliveryFresh({ channelTypes: ["phone"] }),
+    ]);
 
     // Resolve the phone channel's inbound admission floor. The reader fails
     // open to `null` by contract, so a transport hiccup admits the caller.
@@ -811,7 +824,7 @@ export class RelayConnection {
       from,
       trustClass: resolved.actorTrust.trustClass,
       channelId: resolved.actorTrust.memberRecord?.channel.id,
-      memberPolicy: resolved.actorTrust.memberRecord?.channel.policy,
+      memberPolicy: resolved.actorTrust.memberRecord?.policy,
     });
     this.connectionState = "disconnecting";
     updateCallSession(this.callSessionId, {
@@ -940,6 +953,13 @@ export class RelayConnection {
       });
     }
 
+    // Warm the phone-channel guardian-delivery cache before the SYNC
+    // resolveActorTrust fallback, which reads the IO-free per-channel snapshot
+    // that daemon startup leaves cold for `phone`. Read fresh: gateway-side
+    // binding writes don't invalidate the daemon cache, so a stale empty
+    // snapshot would otherwise survive the TTL and misclassify the guardian.
+    await getGuardianDeliveryFresh({ channelTypes: ["phone"] });
+
     return toTrustContext(
       resolveActorTrust({
         assistantId,

package/src/calls/relay-setup-router.ts

@@ -246,7 +246,7 @@ export function routeSetup(ctx: SetupContext): {
     ? enforceAdmissionPolicy({
         sourceChannel: "phone",
         trustClass: actorTrust.trustClass,
-        memberStatus: actorTrust.memberRecord?.channel.status,
+        memberStatus: actorTrust.memberRecord?.status,
         policy: ctx.admissionPolicy!,
       })
     : ({ admitted: true } as const);
@@ -283,7 +283,7 @@ export function routeSetup(ctx: SetupContext): {
     !pendingChallenge
   ) {
     // Check for blocked caller
-    if (actorTrust.memberRecord?.channel.status === "blocked") {
+    if (actorTrust.memberRecord?.status === "blocked") {
       log.info(
         {
           callSessionId: ctx.callSessionId,
@@ -366,14 +366,14 @@ export function routeSetup(ctx: SetupContext): {
     // gateway and assistant DBs) still get useful guidance instead of
     // the "I don't recognize this number" name-capture script.
     const unverifiedStatuses = new Set(["unverified", "pending"]);
-    const memberChannel = actorTrust.memberRecord?.channel;
-    if (memberChannel && unverifiedStatuses.has(memberChannel.status)) {
+    const member = actorTrust.memberRecord;
+    if (member && unverifiedStatuses.has(member.status)) {
       log.info(
         {
           callSessionId: ctx.callSessionId,
           from: ctx.from,
-          channelId: memberChannel.id,
-          channelStatus: memberChannel.status,
+          channelId: member.channel.id,
+          channelStatus: member.status,
         },
         "Inbound voice ACL: known but unverified caller — returning verification guidance",
       );
@@ -382,8 +382,8 @@ export function routeSetup(ctx: SetupContext): {
           action: "unverified_caller",
           assistantId,
           fromNumber: ctx.from,
-          displayName: actorTrust.memberRecord!.contact.displayName,
-          isGuardian: actorTrust.memberRecord!.contact.role === "guardian",
+          displayName: member.contact.displayName,
+          isGuardian: member.role === "guardian",
         },
         resolved,
       };
@@ -409,7 +409,7 @@ export function routeSetup(ctx: SetupContext): {
   }
 
   // Members with policy: 'deny'
-  if (actorTrust.memberRecord?.channel.policy === "deny") {
+  if (actorTrust.memberRecord?.policy === "deny") {
     log.info(
       {
         callSessionId: ctx.callSessionId,
@@ -430,7 +430,7 @@ export function routeSetup(ctx: SetupContext): {
   }
 
   // Members with policy: 'escalate' — live calls can't wait for approval
-  if (actorTrust.memberRecord?.channel.policy === "escalate") {
+  if (actorTrust.memberRecord?.policy === "escalate") {
     log.info(
       {
         callSessionId: ctx.callSessionId,

package/src/cli/commands/__tests__/conversations-slack.test.ts

@@ -142,6 +142,7 @@ mock.module("../../../util/logger.js", () => ({
   truncateForLog: (value: string) => value,
   pruneOldLogFiles: () => 0,
   LOG_FILE_PATTERN: /^assistant-(\d{4}-\d{2}-\d{2})\.log$/,
+  getCurrentLogFilePath: () => "/tmp/test-assistant.log",
 }));
 
 const { registerConversationsCommand } = await import("../conversations.js");

package/src/cli/commands/contacts.ts

@@ -8,13 +8,16 @@ import { shouldOutputJson, writeOutput } from "../output.js";
 // IPC response shapes
 // ---------------------------------------------------------------------------
 
+// ACL fields (role, status, policy) are gateway-owned and not hydrated by the
+// daemon-native filtered reads (`--query`/`--channel-address`/`--channel-type`),
+// so they are optional here. The unfiltered default read carries them.
 interface ContactChannel {
   id: string;
   contactId: string;
   type: string;
   address: string;
-  status: string;
-  policy: string;
+  status?: string;
+  policy?: string;
   isPrimary?: boolean;
   revokedReason?: string | null;
   blockedReason?: string | null;
@@ -23,7 +26,7 @@ interface ContactChannel {
 interface ContactWithChannels {
   id: string;
   displayName: string;
-  role: string;
+  role?: string;
   contactType: string;
   notes?: string;
   principalId?: string;
@@ -56,7 +59,7 @@ function formatContactTable(contacts: ContactWithChannels[]): string {
   const rows = contacts.map((c) => [
     c.id,
     c.displayName,
-    `${c.role}/${c.contactType}`,
+    `${c.role ?? "—"}/${c.contactType}`,
     String(c.channels.length),
   ]);
 
@@ -81,8 +84,8 @@ function formatChannelTable(channels: ContactChannel[]): string {
   const rows = channels.map((ch) => {
     const flags = [
       ch.isPrimary ? "primary" : null,
-      ch.status !== "active" ? ch.status : null,
-      ch.policy !== "allow" ? ch.policy : null,
+      ch.status && ch.status !== "active" ? ch.status : null,
+      ch.policy && ch.policy !== "allow" ? ch.policy : null,
     ]
       .filter(Boolean)
       .join(", ");
@@ -124,7 +127,7 @@ function formatContactDetail(
   const lines: string[] = [];
   lines.push(`ID:           ${c.id}`);
   lines.push(`Display Name: ${c.displayName}`);
-  lines.push(`Role:         ${c.role}`);
+  if (c.role) lines.push(`Role:         ${c.role}`);
   lines.push(`Type:         ${c.contactType}`);
   if (c.notes) lines.push(`Notes:        ${c.notes}`);
   if (c.principalId) lines.push(`Principal:    ${c.principalId}`);

package/src/cli/commands/memory/__tests__/worker.test.ts

@@ -3,10 +3,11 @@
  *
  * Validates:
  *   - Subcommand registration (start, stop, status) under `memory worker`.
- *   - `status` reports running/not_running via PID-file liveness.
- *   - `stop` sends SIGTERM to a live worker and errors when none is running.
- *   - `start` refuses to spawn when a worker is already running, and reports
- *     the PID once the spawned process writes its PID file.
+ *   - `status` reports the worker process state, `memory.worker.enabled`, and
+ *     the synchronous in-process runner via PID/marker-file liveness.
+ *   - `stop` sends SIGTERM to a live worker and disables the config flag, and
+ *     still disables the flag (success) when no worker is running.
+ *   - `start` spawns/reuses the worker process and enables the config flag.
  */
 
 import { existsSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
@@ -22,17 +23,51 @@ import { Command } from "commander";
 
 let tmpDir: string;
 let pidPath: string;
+let markerPath: string;
 let logOutput: string[] = [];
 
+/** In-memory stand-in for the on-disk raw config the CLI reads/writes. */
+let rawConfig: Record<string, unknown> = {};
+
 /** Records (pid, signal) pairs passed to the mocked process.kill. */
 let killCalls: Array<{ pid: number; signal: string | number }> = [];
 
+function workerEnabledFromRaw(): boolean {
+  const memory = rawConfig.memory as { worker?: { enabled?: unknown } };
+  return memory?.worker?.enabled === true;
+}
+
 // ---------------------------------------------------------------------------
 // Mocks
 // ---------------------------------------------------------------------------
 
 mock.module("../../../../util/platform.js", () => ({
   getMemoryWorkerPidPath: () => pidPath,
+  getMemorySyncRunnerMarkerPath: () => markerPath,
+}));
+
+mock.module("../../../../config/loader.js", () => ({
+  loadRawConfig: () => structuredClone(rawConfig),
+  saveRawConfig: (config: Record<string, unknown>) => {
+    rawConfig = structuredClone(config);
+  },
+  getConfigReadOnly: () => ({
+    memory: { worker: { enabled: workerEnabledFromRaw() } },
+  }),
+  setNestedValue: (
+    obj: Record<string, unknown>,
+    path: string,
+    value: unknown,
+  ) => {
+    const keys = path.split(".");
+    let cur = obj;
+    for (let i = 0; i < keys.length - 1; i++) {
+      const k = keys[i];
+      if (cur[k] == null || typeof cur[k] !== "object") cur[k] = {};
+      cur = cur[k] as Record<string, unknown>;
+    }
+    cur[keys[keys.length - 1]] = value;
+  },
 }));
 
 const capture = (...args: unknown[]) => {
@@ -47,6 +82,7 @@ const fakeLogger = {
 mock.module("../../../../util/logger.js", () => ({
   getLogger: () => fakeLogger,
   getCliLogger: () => fakeLogger,
+  getCurrentLogFilePath: () => `${tmpDir}/assistant-test-mock.log`,
 }));
 
 // ---------------------------------------------------------------------------
@@ -134,8 +170,10 @@ function stubProcessKill(livePids: Set<number>): () => void {
 beforeEach(() => {
   tmpDir = mkdtempSync(join(tmpdir(), "memory-worker-test-"));
   pidPath = join(tmpDir, "memory-worker.pid");
+  markerPath = join(tmpDir, "memory-sync-runner.pid");
   logOutput = [];
   killCalls = [];
+  rawConfig = {};
   process.exitCode = 0;
 });
 
@@ -164,7 +202,7 @@ describe("subcommand registration", () => {
 // ---------------------------------------------------------------------------
 
 describe("memory worker status", () => {
-  test("reports not_running when no PID file exists", async () => {
+  test("reports not_running with workerEnabled and syncRunner when nothing is running", async () => {
     const { exitCode, stdout } = await runCommand([
       "memory",
       "worker",
@@ -172,7 +210,11 @@ describe("memory worker status", () => {
       "--json",
     ]);
     expect(exitCode).toBe(0);
-    expect(JSON.parse(stdout)).toEqual({ status: "not_running" });
+    expect(JSON.parse(stdout)).toEqual({
+      status: "not_running",
+      workerEnabled: false,
+      syncRunner: { status: "not_running" },
+    });
   });
 
   test("reports running when PID file points at a live process", async () => {
@@ -189,6 +231,45 @@ describe("memory worker status", () => {
       expect(JSON.parse(stdout)).toEqual({
         status: "running",
         pid: process.pid,
+        workerEnabled: false,
+        syncRunner: { status: "not_running" },
+      });
+    } finally {
+      restore();
+    }
+  });
+
+  test("reflects memory.worker.enabled from config", async () => {
+    rawConfig = { memory: { worker: { enabled: true } } };
+    const restore = stubProcessKill(new Set());
+    try {
+      const { exitCode, stdout } = await runCommand([
+        "memory",
+        "worker",
+        "status",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      expect(JSON.parse(stdout)).toMatchObject({ workerEnabled: true });
+    } finally {
+      restore();
+    }
+  });
+
+  test("reports the synchronous runner as running when its marker is live", async () => {
+    writeFileSync(markerPath, String(process.pid));
+    const restore = stubProcessKill(new Set([process.pid]));
+    try {
+      const { exitCode, stdout } = await runCommand([
+        "memory",
+        "worker",
+        "status",
+        "--json",
+      ]);
+      expect(exitCode).toBe(0);
+      expect(JSON.parse(stdout)).toMatchObject({
+        status: "not_running",
+        syncRunner: { status: "running", pid: process.pid },
       });
     } finally {
       restore();
@@ -206,7 +287,11 @@ describe("memory worker status", () => {
         "--json",
       ]);
       expect(exitCode).toBe(0);
-      expect(JSON.parse(stdout)).toEqual({ status: "not_running" });
+      expect(JSON.parse(stdout)).toEqual({
+        status: "not_running",
+        workerEnabled: false,
+        syncRunner: { status: "not_running" },
+      });
       expect(existsSync(pidPath)).toBe(false);
     } finally {
       restore();
@@ -219,18 +304,25 @@ describe("memory worker status", () => {
 // ---------------------------------------------------------------------------
 
 describe("memory worker stop", () => {
-  test("errors with exit 1 when no worker is running", async () => {
+  test("disables the config flag and succeeds when no worker is running", async () => {
+    rawConfig = { memory: { worker: { enabled: true } } };
     const { exitCode, stdout } = await runCommand([
       "memory",
       "worker",
       "stop",
       "--json",
     ]);
-    expect(exitCode).toBe(1);
-    expect(JSON.parse(stdout)).toMatchObject({ ok: false });
+    expect(exitCode).toBe(0);
+    expect(JSON.parse(stdout)).toMatchObject({
+      ok: true,
+      workerWasRunning: false,
+      workerEnabled: false,
+    });
+    expect(workerEnabledFromRaw()).toBe(false);
   });
 
-  test("sends SIGTERM to a running worker", async () => {
+  test("sends SIGTERM to a running worker and disables the flag", async () => {
+    rawConfig = { memory: { worker: { enabled: true } } };
     writeFileSync(pidPath, String(process.pid));
     const restore = stubProcessKill(new Set([process.pid]));
     try {
@@ -241,11 +333,16 @@ describe("memory worker stop", () => {
         "--json",
       ]);
       expect(exitCode).toBe(0);
-      expect(JSON.parse(stdout)).toEqual({ ok: true, pid: process.pid });
+      expect(JSON.parse(stdout)).toEqual({
+        ok: true,
+        pid: process.pid,
+        workerEnabled: false,
+      });
       expect(killCalls).toContainEqual({
         pid: process.pid,
         signal: "SIGTERM",
       });
+      expect(workerEnabledFromRaw()).toBe(false);
     } finally {
       restore();
     }
@@ -257,7 +354,7 @@ describe("memory worker stop", () => {
 // ---------------------------------------------------------------------------
 
 describe("memory worker start", () => {
-  test("refuses to start when a worker is already running", async () => {
+  test("reuses an already-running worker and enables the flag", async () => {
     writeFileSync(pidPath, String(process.pid));
     const restore = stubProcessKill(new Set([process.pid]));
     try {
@@ -267,17 +364,20 @@ describe("memory worker start", () => {
         "start",
         "--json",
       ]);
-      expect(exitCode).toBe(1);
+      expect(exitCode).toBe(0);
       expect(JSON.parse(stdout)).toMatchObject({
-        ok: false,
+        ok: true,
         pid: process.pid,
+        alreadyRunning: true,
+        workerEnabled: true,
       });
+      expect(workerEnabledFromRaw()).toBe(true);
     } finally {
       restore();
     }
   });
 
-  test("spawns the worker and reports the PID it writes", async () => {
+  test("spawns the worker, reports its PID, and enables the flag", async () => {
     const restore = stubProcessKill(new Set());
     const originalSpawn = Bun.spawn;
     // Simulate the spawned worker writing its PID file on startup.
@@ -293,7 +393,37 @@ describe("memory worker start", () => {
         "--json",
       ]);
       expect(exitCode).toBe(0);
-      expect(JSON.parse(stdout)).toMatchObject({ ok: true, pid: 424242 });
+      expect(JSON.parse(stdout)).toMatchObject({
+        ok: true,
+        pid: 424242,
+        workerEnabled: true,
+      });
+      expect(workerEnabledFromRaw()).toBe(true);
+    } finally {
+      (Bun as { spawn: typeof Bun.spawn }).spawn = originalSpawn;
+      restore();
+    }
+  });
+
+  test("leaves the config flag untouched when the spawn fails", async () => {
+    const restore = stubProcessKill(new Set());
+    const originalSpawn = Bun.spawn;
+    // Spawn returns but never writes a PID file → spawnMemoryWorkerProcess
+    // throws after its wait loop, so the flag must stay disabled.
+    (Bun as { spawn: typeof Bun.spawn }).spawn = (() => ({
+      unref: () => {},
+      pid: 0,
+    })) as unknown as typeof Bun.spawn;
+    try {
+      const { exitCode, stdout } = await runCommand([
+        "memory",
+        "worker",
+        "start",
+        "--json",
+      ]);
+      expect(exitCode).toBe(1);
+      expect(JSON.parse(stdout)).toMatchObject({ ok: false });
+      expect(workerEnabledFromRaw()).toBe(false);
     } finally {
       (Bun as { spawn: typeof Bun.spawn }).spawn = originalSpawn;
       restore();