@vellumai/assistant 0.3.15 → 0.3.16

package/src/__tests__/access-request-decision.test.ts

@@ -0,0 +1,331 @@
+/**
+ * Tests for the access request decision flow.
+ *
+ * When a guardian approves or denies an `ingress_access_request`:
+ * - Approve: creates a verification session, delivers code to guardian,
+ *   notifies requester to expect a code.
+ * - Deny: sends refusal reply to requester.
+ * - Stale: handles already-resolved requests gracefully.
+ * - Idempotent: approving same request twice does not create duplicate sessions.
+ */
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+
+// ---------------------------------------------------------------------------
+// Test isolation: in-memory SQLite via temp directory
+// ---------------------------------------------------------------------------
+
+const testDir = mkdtempSync(join(tmpdir(), 'access-request-decision-test-'));
+
+mock.module('../util/platform.js', () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
+  readHttpToken: () => 'test-bearer-token',
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+
+// Track deliverChannelReply calls and allow injecting failures
+const deliverReplyCalls: Array<{ url: string; payload: Record<string, unknown> }> = [];
+let deliverReplyError: Error | null = null;
+mock.module('../runtime/gateway-client.js', () => ({
+  deliverChannelReply: async (url: string, payload: Record<string, unknown>) => {
+    if (deliverReplyError) {
+      throw deliverReplyError;
+    }
+    deliverReplyCalls.push({ url, payload });
+  },
+}));
+
+import {
+  createApprovalRequest,
+  createBinding,
+  getApprovalRequestById,
+  findPendingAccessRequestForRequester,
+} from '../memory/channel-guardian-store.js';
+import {
+  findActiveSession,
+} from '../runtime/channel-guardian-service.js';
+import { initializeDb, resetDb } from '../memory/db.js';
+import {
+  handleAccessRequestDecision,
+  deliverVerificationCodeToGuardian,
+  notifyRequesterOfApproval,
+  notifyRequesterOfDenial,
+  notifyRequesterOfDeliveryFailure,
+} from '../runtime/routes/access-request-decision.js';
+
+initializeDb();
+
+afterAll(() => {
+  resetDb();
+  try { rmSync(testDir, { recursive: true }); } catch { /* best effort */ }
+});
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const GUARDIAN_APPROVAL_TTL_MS = 5 * 60 * 1000;
+
+function resetState(): void {
+  const { getDb } = require('../memory/db.js');
+  const db = getDb();
+  db.run('DELETE FROM channel_guardian_approval_requests');
+  db.run('DELETE FROM channel_guardian_bindings');
+  db.run('DELETE FROM channel_guardian_verification_challenges');
+  deliverReplyCalls.length = 0;
+}
+
+function createTestApproval(overrides: Record<string, unknown> = {}) {
+  return createApprovalRequest({
+    runId: `ingress-access-request-${Date.now()}`,
+    conversationId: `access-req-telegram-user-unknown-456`,
+    assistantId: 'self',
+    channel: 'telegram',
+    requesterExternalUserId: 'user-unknown-456',
+    requesterChatId: 'chat-123',
+    guardianExternalUserId: 'guardian-user-789',
+    guardianChatId: 'guardian-chat-789',
+    toolName: 'ingress_access_request',
+    riskLevel: 'access_request',
+    reason: 'Alice Unknown is requesting access to the assistant',
+    expiresAt: Date.now() + GUARDIAN_APPROVAL_TTL_MS,
+    ...overrides,
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('access request decision handler', () => {
+  beforeEach(() => {
+    resetState();
+  });
+
+  test('guardian approve creates a verification session', () => {
+    const approval = createTestApproval();
+
+    const result = handleAccessRequestDecision(
+      approval,
+      'approve',
+      'guardian-user-789',
+    );
+
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('approved');
+    expect(result.verificationSessionId).toBeDefined();
+    expect(result.verificationCode).toBeDefined();
+    // Verification code should be a 6-digit numeric string
+    expect(result.verificationCode).toMatch(/^\d{6}$/);
+
+    // Approval record should be updated to 'approved'
+    const updated = getApprovalRequestById(approval.id);
+    expect(updated).not.toBeNull();
+    expect(updated!.status).toBe('approved');
+    expect(updated!.decidedByExternalUserId).toBe('guardian-user-789');
+  });
+
+  test('verification session is identity-bound to the requester', () => {
+    const approval = createTestApproval();
+
+    const result = handleAccessRequestDecision(
+      approval,
+      'approve',
+      'guardian-user-789',
+    );
+
+    expect(result.type).toBe('approved');
+
+    // There should be an active session for this channel
+    const session = findActiveSession('self', 'telegram');
+    expect(session).not.toBeNull();
+    expect(session!.expectedExternalUserId).toBe('user-unknown-456');
+    expect(session!.expectedChatId).toBe('chat-123');
+    expect(session!.identityBindingStatus).toBe('bound');
+    expect(session!.status).toBe('awaiting_response');
+  });
+
+  test('guardian deny marks approval as denied', () => {
+    const approval = createTestApproval();
+
+    const result = handleAccessRequestDecision(
+      approval,
+      'deny',
+      'guardian-user-789',
+    );
+
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('denied');
+    expect(result.verificationSessionId).toBeUndefined();
+    expect(result.verificationCode).toBeUndefined();
+
+    // Approval record should be updated to 'denied'
+    const updated = getApprovalRequestById(approval.id);
+    expect(updated).not.toBeNull();
+    expect(updated!.status).toBe('denied');
+    expect(updated!.decidedByExternalUserId).toBe('guardian-user-789');
+
+    // No verification session should be created
+    const session = findActiveSession('self', 'telegram');
+    expect(session).toBeNull();
+  });
+
+  test('stale decision (already resolved) returns stale', () => {
+    const approval = createTestApproval();
+
+    // Approve first
+    handleAccessRequestDecision(approval, 'approve', 'guardian-user-789');
+
+    // Try to deny the same approval — should be stale
+    const result = handleAccessRequestDecision(
+      approval,
+      'deny',
+      'guardian-user-789',
+    );
+
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('stale');
+  });
+
+  test('idempotent approval does not create duplicate verification sessions', () => {
+    const approval = createTestApproval();
+
+    // Approve first
+    const result1 = handleAccessRequestDecision(
+      approval,
+      'approve',
+      'guardian-user-789',
+    );
+    expect(result1.type).toBe('approved');
+    const sessionId1 = result1.verificationSessionId;
+
+    // Approve again — should be idempotent (already resolved with same decision)
+    const result2 = handleAccessRequestDecision(
+      approval,
+      'approve',
+      'guardian-user-789',
+    );
+
+    // resolveApprovalRequest returns the existing record for same-decision idempotency,
+    // but since the approval is no longer 'pending', a second createOutboundSession
+    // will still be called. However, createOutboundSession auto-revokes prior sessions,
+    // so there will be exactly one active session at the end.
+    // The important thing is that the result indicates approval was handled.
+    expect(result2.handled).toBe(true);
+    // Either 'approved' (creates a new session) or something else is acceptable,
+    // but it should not crash.
+  });
+});
+
+describe('access request notification delivery', () => {
+  beforeEach(() => {
+    deliverReplyCalls.length = 0;
+    deliverReplyError = null;
+  });
+
+  test('delivers verification code to guardian and returns ok', async () => {
+    const result = await deliverVerificationCodeToGuardian({
+      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
+      guardianChatId: 'guardian-chat-789',
+      requesterIdentifier: 'user-unknown-456',
+      verificationCode: '123456',
+      assistantId: 'self',
+      bearerToken: 'test-token',
+    });
+
+    expect(result.ok).toBe(true);
+    expect(deliverReplyCalls.length).toBe(1);
+    const call = deliverReplyCalls[0];
+    expect(call.payload.chatId).toBe('guardian-chat-789');
+    const text = call.payload.text as string;
+    expect(text).toContain('123456');
+    expect(text).toContain('user-unknown-456');
+    expect(text).toContain('10 minutes');
+  });
+
+  test('returns failure result when guardian code delivery fails', async () => {
+    deliverReplyError = new Error('Gateway timeout');
+
+    const result = await deliverVerificationCodeToGuardian({
+      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
+      guardianChatId: 'guardian-chat-789',
+      requesterIdentifier: 'user-unknown-456',
+      verificationCode: '123456',
+      assistantId: 'self',
+      bearerToken: 'test-token',
+    });
+
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toBe('Gateway timeout');
+    }
+    // No calls should have been recorded (error thrown before push)
+    expect(deliverReplyCalls.length).toBe(0);
+  });
+
+  test('notifies requester of approval', async () => {
+    await notifyRequesterOfApproval({
+      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
+      requesterChatId: 'chat-123',
+      assistantId: 'self',
+      bearerToken: 'test-token',
+    });
+
+    expect(deliverReplyCalls.length).toBe(1);
+    const call = deliverReplyCalls[0];
+    expect(call.payload.chatId).toBe('chat-123');
+    const text = call.payload.text as string;
+    expect(text).toContain('approved');
+    expect(text).toContain('verification code');
+  });
+
+  test('notifies requester of denial', async () => {
+    await notifyRequesterOfDenial({
+      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
+      requesterChatId: 'chat-123',
+      assistantId: 'self',
+      bearerToken: 'test-token',
+    });
+
+    expect(deliverReplyCalls.length).toBe(1);
+    const call = deliverReplyCalls[0];
+    expect(call.payload.chatId).toBe('chat-123');
+    const text = call.payload.text as string;
+    expect(text).toContain('denied');
+  });
+
+  test('notifies requester of delivery failure', async () => {
+    await notifyRequesterOfDeliveryFailure({
+      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
+      requesterChatId: 'chat-123',
+      assistantId: 'self',
+      bearerToken: 'test-token',
+    });
+
+    expect(deliverReplyCalls.length).toBe(1);
+    const call = deliverReplyCalls[0];
+    expect(call.payload.chatId).toBe('chat-123');
+    const text = call.payload.text as string;
+    expect(text).toContain('approved');
+    expect(text).toContain('unable to deliver');
+    expect(text).toContain('try again');
+  });
+});

package/src/__tests__/asset-materialize-tool.test.ts

@@ -311,7 +311,7 @@ describe('AssetMaterializeTool visibility policy', () => {
     const standardConv = createConversation({ title: 'standard-conv' });
     const base64Content = Buffer.from('standard content').toString('base64');
     const attachment = uploadAttachment('public.txt', 'text/plain', base64Content);
-    const msg = addMessage(standardConv.id, 'user', 'standard message');
+    const msg = await addMessage(standardConv.id, 'user', 'standard message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Materialize from a different standard conversation
@@ -334,7 +334,7 @@ describe('AssetMaterializeTool visibility policy', () => {
     const privateConv = createConversation({ title: 'private-conv', threadType: 'private' });
     const base64Content = Buffer.from('private content').toString('base64');
     const attachment = uploadAttachment('secret.txt', 'text/plain', base64Content);
-    const msg = addMessage(privateConv.id, 'user', 'private message');
+    const msg = await addMessage(privateConv.id, 'user', 'private message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Materialize from the same private conversation
@@ -356,7 +356,7 @@ describe('AssetMaterializeTool visibility policy', () => {
     const privateConv = createConversation({ title: 'private-conv', threadType: 'private' });
     const base64Content = Buffer.from('private content').toString('base64');
     const attachment = uploadAttachment('secret.txt', 'text/plain', base64Content);
-    const msg = addMessage(privateConv.id, 'user', 'private message');
+    const msg = await addMessage(privateConv.id, 'user', 'private message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Attempt to materialize from a different conversation
@@ -380,7 +380,7 @@ describe('AssetMaterializeTool visibility policy', () => {
     const privateConv = createConversation({ title: 'private-conv', threadType: 'private' });
     const base64Content = Buffer.from('private content').toString('base64');
     const attachment = uploadAttachment('confidential.pdf', 'application/pdf', base64Content);
-    const msg = addMessage(privateConv.id, 'user', 'private message');
+    const msg = await addMessage(privateConv.id, 'user', 'private message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // From a standard conversation
@@ -406,7 +406,7 @@ describe('AssetMaterializeTool visibility policy', () => {
     const privateConv1 = createConversation({ title: 'private-conv-1', threadType: 'private' });
     const base64Content = Buffer.from('private content').toString('base64');
     const attachment = uploadAttachment('secret.txt', 'text/plain', base64Content);
-    const msg = addMessage(privateConv1.id, 'user', 'private message');
+    const msg = await addMessage(privateConv1.id, 'user', 'private message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Attempt from a different private conversation
@@ -431,8 +431,8 @@ describe('AssetMaterializeTool visibility policy', () => {
     const base64Content = Buffer.from('shared content').toString('base64');
     const attachment = uploadAttachment('shared.txt', 'text/plain', base64Content);
 
-    const msg1 = addMessage(privateConv.id, 'user', 'private message');
-    const msg2 = addMessage(standardConv.id, 'user', 'standard message');
+    const msg1 = await addMessage(privateConv.id, 'user', 'private message');
+    const msg2 = await addMessage(standardConv.id, 'user', 'standard message');
     linkAttachmentToMessage(msg1.id, attachment.id, 0);
     linkAttachmentToMessage(msg2.id, attachment.id, 0);
 

package/src/__tests__/asset-search-tool.test.ts

@@ -219,14 +219,14 @@ describe('searchAttachments', () => {
 describe('searchAttachments with conversation_id', () => {
   beforeEach(resetTables);
 
-  test('returns only attachments linked to the specified conversation', () => {
+  test('returns only attachments linked to the specified conversation', async () => {
     const png1 = uploadAttachment('in-conv.png', 'image/png', 'AAAA');
     const png2 = uploadAttachment('other-conv.png', 'image/png', 'BBBB');
 
     const conv1 = createConversation();
     const conv2 = createConversation();
-    const msg1 = addMessage(conv1.id, 'user', 'First conv');
-    const msg2 = addMessage(conv2.id, 'user', 'Second conv');
+    const msg1 = await addMessage(conv1.id, 'user', 'First conv');
+    const msg2 = await addMessage(conv2.id, 'user', 'Second conv');
 
     linkAttachmentToMessage(msg1.id, png1.id, 0);
     linkAttachmentToMessage(msg2.id, png2.id, 0);
@@ -236,10 +236,10 @@ describe('searchAttachments with conversation_id', () => {
     expect(results[0].id).toBe(png1.id);
   });
 
-  test('returns empty when conversation has no attachments', () => {
+  test('returns empty when conversation has no attachments', async () => {
     uploadAttachment('orphan.png', 'image/png', 'AAAA');
     const conv = createConversation();
-    addMessage(conv.id, 'user', 'No attachments here');
+    await addMessage(conv.id, 'user', 'No attachments here');
 
     const results = searchAttachments({ conversation_id: conv.id });
     expect(results.length).toBe(0);
@@ -251,12 +251,12 @@ describe('searchAttachments with conversation_id', () => {
     expect(results.length).toBe(0);
   });
 
-  test('combines conversation_id with mime_type filter', () => {
+  test('combines conversation_id with mime_type filter', async () => {
     const png = uploadAttachment('image.png', 'image/png', 'AAAA');
     const pdf = uploadAttachment('doc.pdf', 'application/pdf', 'BBBB');
 
     const conv = createConversation();
-    const msg = addMessage(conv.id, 'user', 'Both types');
+    const msg = await addMessage(conv.id, 'user', 'Both types');
 
     linkAttachmentToMessage(msg.id, png.id, 0);
     linkAttachmentToMessage(msg.id, pdf.id, 1);
@@ -266,12 +266,12 @@ describe('searchAttachments with conversation_id', () => {
     expect(results[0].mimeType).toBe('image/png');
   });
 
-  test('combines conversation_id with filename filter', () => {
+  test('combines conversation_id with filename filter', async () => {
     const a = uploadAttachment('target.png', 'image/png', 'AAAA');
     const b = uploadAttachment('other.png', 'image/png', 'BBBB');
 
     const conv = createConversation();
-    const msg = addMessage(conv.id, 'user', 'Both');
+    const msg = await addMessage(conv.id, 'user', 'Both');
 
     linkAttachmentToMessage(msg.id, a.id, 0);
     linkAttachmentToMessage(msg.id, b.id, 1);
@@ -367,7 +367,7 @@ describe('AssetSearchTool visibility policy', () => {
   test('attachments from standard threads are visible from any context', async () => {
     const standardConv = createConversation({ title: 'standard-conv' });
     const attachment = uploadAttachment('public.png', 'image/png', 'AAAA');
-    const msg = addMessage(standardConv.id, 'user', 'standard message');
+    const msg = await addMessage(standardConv.id, 'user', 'standard message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Search from a different standard conversation
@@ -386,7 +386,7 @@ describe('AssetSearchTool visibility policy', () => {
   test('attachments from private threads are visible within the same private thread', async () => {
     const privateConv = createConversation({ title: 'private-conv', threadType: 'private' });
     const attachment = uploadAttachment('secret.png', 'image/png', 'AAAA');
-    const msg = addMessage(privateConv.id, 'user', 'private message');
+    const msg = await addMessage(privateConv.id, 'user', 'private message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Search from the same private conversation
@@ -404,7 +404,7 @@ describe('AssetSearchTool visibility policy', () => {
   test('attachments from private threads are NOT visible from a different conversation', async () => {
     const privateConv = createConversation({ title: 'private-conv', threadType: 'private' });
     const attachment = uploadAttachment('secret.png', 'image/png', 'AAAA');
-    const msg = addMessage(privateConv.id, 'user', 'private message');
+    const msg = await addMessage(privateConv.id, 'user', 'private message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Search from a different private conversation
@@ -423,7 +423,7 @@ describe('AssetSearchTool visibility policy', () => {
   test('attachments from private threads are NOT visible from standard threads', async () => {
     const privateConv = createConversation({ title: 'private-conv', threadType: 'private' });
     const attachment = uploadAttachment('secret.png', 'image/png', 'AAAA');
-    const msg = addMessage(privateConv.id, 'user', 'private message');
+    const msg = await addMessage(privateConv.id, 'user', 'private message');
     linkAttachmentToMessage(msg.id, attachment.id, 0);
 
     // Search from a standard conversation
@@ -444,8 +444,8 @@ describe('AssetSearchTool visibility policy', () => {
     const standardConv = createConversation({ title: 'standard-conv' });
     const attachment = uploadAttachment('shared.png', 'image/png', 'AAAA');
 
-    const msg1 = addMessage(privateConv.id, 'user', 'private message');
-    const msg2 = addMessage(standardConv.id, 'user', 'standard message');
+    const msg1 = await addMessage(privateConv.id, 'user', 'private message');
+    const msg2 = await addMessage(standardConv.id, 'user', 'standard message');
     linkAttachmentToMessage(msg1.id, attachment.id, 0);
     linkAttachmentToMessage(msg2.id, attachment.id, 0);
 

package/src/__tests__/attachments-store.test.ts

@@ -206,10 +206,10 @@ describe('deleteAttachment', () => {
     expect(result).toBe('not_found');
   });
 
-  test('returns still_referenced when messages reference the attachment', () => {
+  test('returns still_referenced when messages reference the attachment', async () => {
     const conv = createConversation();
-    const msg1 = addMessage(conv.id, 'user', 'First upload');
-    const msg2 = addMessage(conv.id, 'user', 'Duplicate upload');
+    const msg1 = await addMessage(conv.id, 'user', 'First upload');
+    const msg2 = await addMessage(conv.id, 'user', 'Duplicate upload');
 
     // Dedup: both uploads return the same attachment row
     const first = uploadAttachment('photo.png', 'image/png', 'SHAREDCONTENT1');
@@ -304,9 +304,9 @@ describe('getAttachmentById', () => {
 describe('linkAttachmentToMessage + getAttachmentsForMessage', () => {
   beforeEach(resetTables);
 
-  test('links attachment and retrieves it by message', () => {
+  test('links attachment and retrieves it by message', async () => {
     const conv = createConversation();
-    const msg = addMessage(conv.id, 'assistant', 'Here is a chart');
+    const msg = await addMessage(conv.id, 'assistant', 'Here is a chart');
     const stored = uploadAttachment('chart.png', 'image/png', 'iVBORw0K');
 
     linkAttachmentToMessage(msg.id, stored.id, 0);
@@ -318,9 +318,9 @@ describe('linkAttachmentToMessage + getAttachmentsForMessage', () => {
     expect(linked[0].dataBase64).toBe('iVBORw0K');
   });
 
-  test('returns attachments in position order', () => {
+  test('returns attachments in position order', async () => {
     const conv = createConversation();
-    const msg = addMessage(conv.id, 'assistant', 'Multiple files');
+    const msg = await addMessage(conv.id, 'assistant', 'Multiple files');
     const a = uploadAttachment('first.txt', 'text/plain', 'AAAA');
     const b = uploadAttachment('second.txt', 'text/plain', 'BBBB');
 
@@ -334,9 +334,9 @@ describe('linkAttachmentToMessage + getAttachmentsForMessage', () => {
     expect(linked[1].originalFilename).toBe('second.txt');
   });
 
-  test('returns empty for message with no attachments', () => {
+  test('returns empty for message with no attachments', async () => {
     const conv = createConversation();
-    const msg = addMessage(conv.id, 'assistant', 'No attachments');
+    const msg = await addMessage(conv.id, 'assistant', 'No attachments');
 
     const linked = getAttachmentsForMessage(msg.id);
     expect(linked).toHaveLength(0);
@@ -357,9 +357,9 @@ describe('deleteOrphanAttachments', () => {
     expect(removed).toBe(1);
   });
 
-  test('preserves attachments that are still linked', () => {
+  test('preserves attachments that are still linked', async () => {
     const conv = createConversation();
-    const msg = addMessage(conv.id, 'assistant', 'With attachment');
+    const msg = await addMessage(conv.id, 'assistant', 'With attachment');
     const stored = uploadAttachment('linked.txt', 'text/plain', 'ZGF0YQ==');
     linkAttachmentToMessage(msg.id, stored.id, 0);
 
@@ -370,9 +370,9 @@ describe('deleteOrphanAttachments', () => {
     expect(fetched).not.toBeNull();
   });
 
-  test('removes only orphans when mixed candidates provided', () => {
+  test('removes only orphans when mixed candidates provided', async () => {
     const conv = createConversation();
-    const msg = addMessage(conv.id, 'assistant', 'Mixed');
+    const msg = await addMessage(conv.id, 'assistant', 'Mixed');
     const linked = uploadAttachment('linked.txt', 'text/plain', 'AAAA');
     const orphan = uploadAttachment('orphan.txt', 'text/plain', 'BBBB');
     linkAttachmentToMessage(msg.id, linked.id, 0);