@vellumai/assistant 0.3.15 → 0.3.18

package/src/__tests__/channel-approval-routes.test.ts

@@ -881,7 +881,7 @@ describe('SMS channel approval decisions', () => {
 // ═══════════════════════════════════════════════════════════════════════════
 
 describe('SMS guardian verify intercept', () => {
-  test('/guardian_verify command works with sourceChannel sms', async () => {
+  test('verification code reply works with sourceChannel sms', async () => {
     const { createVerificationChallenge } = await import('../runtime/channel-guardian-service.js');
     const { secret } = createVerificationChallenge('self', 'sms');
 
@@ -898,7 +898,7 @@ describe('SMS guardian verify intercept', () => {
         interface: 'sms',
         externalChatId: 'sms-chat-verify',
         externalMessageId: `msg-${Date.now()}-${Math.random()}`,
-        content: `/guardian_verify ${secret}`,
+        content: secret,
         senderExternalUserId: 'sms-user-42',
         replyCallbackUrl: 'https://gateway.test/deliver',
       }),
@@ -921,7 +921,11 @@ describe('SMS guardian verify intercept', () => {
     deliverSpy.mockRestore();
   });
 
-  test('/guardian_verify with invalid token returns failed via SMS', async () => {
+  test('invalid verification code returns failed via SMS', async () => {
+    const { createVerificationChallenge } = await import('../runtime/channel-guardian-service.js');
+    // Ensure there is a pending challenge so bare-code verification is intercepted.
+    createVerificationChallenge('self', 'sms');
+
     const deliverSpy = spyOn(gatewayClient, 'deliverChannelReply').mockResolvedValue(undefined);
 
     const req = new Request('http://localhost/channels/inbound', {
@@ -935,7 +939,7 @@ describe('SMS guardian verify intercept', () => {
         interface: 'sms',
         externalChatId: 'sms-chat-verify-fail',
         externalMessageId: `msg-${Date.now()}-${Math.random()}`,
-        content: '/guardian_verify invalid-token-here',
+        content: '000000',
         senderExternalUserId: 'sms-user-43',
         replyCallbackUrl: 'https://gateway.test/deliver',
       }),
@@ -956,6 +960,51 @@ describe('SMS guardian verify intercept', () => {
 
     deliverSpy.mockRestore();
   });
+
+  test('64-char hex verification codes are intercepted when a pending challenge exists', async () => {
+    const { createHash, randomBytes } = await import('node:crypto');
+    const { createChallenge } = await import('../memory/channel-guardian-store.js');
+
+    const secret = randomBytes(32).toString('hex');
+    const challengeHash = createHash('sha256').update(secret).digest('hex');
+    createChallenge({
+      id: `challenge-hex-${Date.now()}`,
+      assistantId: 'self',
+      channel: 'sms',
+      challengeHash,
+      expiresAt: Date.now() + 600_000,
+    });
+
+    let processMessageCalled = false;
+    const processMessage = async () => {
+      processMessageCalled = true;
+      return { messageId: 'msg-hex-not-verify' };
+    };
+
+    const req = new Request('http://localhost/channels/inbound', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Gateway-Origin': TEST_BEARER_TOKEN,
+      },
+      body: JSON.stringify({
+        sourceChannel: 'sms',
+        interface: 'sms',
+        externalChatId: 'sms-chat-hex-message',
+        externalMessageId: `msg-${Date.now()}-${Math.random()}`,
+        content: secret,
+        senderExternalUserId: 'sms-user-hex',
+        replyCallbackUrl: 'https://gateway.test/deliver',
+      }),
+    });
+
+    const res = await handleChannelInbound(req, processMessage, TEST_BEARER_TOKEN);
+    const body = await res.json() as Record<string, unknown>;
+
+    expect(body.accepted).toBe(true);
+    expect(body.guardianVerification).toBe('verified');
+    expect(processMessageCalled).toBe(false);
+  });
 });
 
 // ═══════════════════════════════════════════════════════════════════════════
@@ -1242,14 +1291,14 @@ describe('deliver-once idempotency guard', () => {
 // ═══════════════════════════════════════════════════════════════════════════
 
 describe('assistant-scoped guardian verification via handleChannelInbound', () => {
-  test('/guardian_verify uses the threaded assistantId (default: self)', async () => {
+  test('verification code uses the threaded assistantId (default: self)', async () => {
     const { createVerificationChallenge } = await import('../runtime/channel-guardian-service.js');
     const { secret } = createVerificationChallenge('self', 'telegram');
 
     const deliverSpy = spyOn(gatewayClient, 'deliverChannelReply').mockResolvedValue(undefined);
 
     const req = makeInboundRequest({
-      content: `/guardian_verify ${secret}`,
+      content: secret,
       senderExternalUserId: 'user-default-asst',
     });
 
@@ -1262,7 +1311,7 @@ describe('assistant-scoped guardian verification via handleChannelInbound', () =
     deliverSpy.mockRestore();
   });
 
-  test('/guardian_verify with explicit assistantId resolves against that assistant', async () => {
+  test('verification code with explicit assistantId resolves against that assistant', async () => {
     const { createVerificationChallenge } = await import('../runtime/channel-guardian-service.js');
     const { getGuardianBinding } = await import('../runtime/channel-guardian-service.js');
 
@@ -1271,7 +1320,7 @@ describe('assistant-scoped guardian verification via handleChannelInbound', () =
     const deliverSpy = spyOn(gatewayClient, 'deliverChannelReply').mockResolvedValue(undefined);
 
     const req = makeInboundRequest({
-      content: `/guardian_verify ${secret}`,
+      content: secret,
       senderExternalUserId: 'user-for-asst-x',
     });
 
@@ -1288,7 +1337,7 @@ describe('assistant-scoped guardian verification via handleChannelInbound', () =
     deliverSpy.mockRestore();
   });
 
-  test('cross-assistant challenge verification fails', async () => {
+  test('cross-assistant challenge code does not verify against a different assistant scope', async () => {
     const { createVerificationChallenge } = await import('../runtime/channel-guardian-service.js');
 
     const { secret } = createVerificationChallenge('asst-A-cross', 'telegram');
@@ -1296,7 +1345,7 @@ describe('assistant-scoped guardian verification via handleChannelInbound', () =
     const deliverSpy = spyOn(gatewayClient, 'deliverChannelReply').mockResolvedValue(undefined);
 
     const req = makeInboundRequest({
-      content: `/guardian_verify ${secret}`,
+      content: secret,
       senderExternalUserId: 'user-cross-test',
     });
 
@@ -1304,7 +1353,7 @@ describe('assistant-scoped guardian verification via handleChannelInbound', () =
     const body = await res.json() as Record<string, unknown>;
 
     expect(body.accepted).toBe(true);
-    expect(body.guardianVerification).toBe('failed');
+    expect(body.guardianVerification).toBeUndefined();
 
     deliverSpy.mockRestore();
   });
@@ -2506,7 +2555,15 @@ describe('non-decision status reply for different channels', () => {
 // ═══════════════════════════════════════════════════════════════════════════
 
 describe('background channel processing approval prompts', () => {
-  test('marks channel turns interactive and delivers approval prompt when confirmation is pending', async () => {
+  test('marks guardian channel turns interactive and delivers approval prompt when confirmation is pending', async () => {
+    // Set up a guardian binding so the sender is recognized as a guardian
+    createBinding({
+      assistantId: 'self',
+      channel: 'telegram',
+      guardianExternalUserId: 'telegram-user-default',
+      guardianDeliveryChatId: 'chat-123',
+    });
+
     const deliverPromptSpy = spyOn(gatewayClient, 'deliverApprovalPrompt').mockResolvedValue(undefined);
     const processCalls: Array<{ options?: Record<string, unknown> }> = [];
 
@@ -2549,4 +2606,43 @@ describe('background channel processing approval prompts', () => {
 
     deliverPromptSpy.mockRestore();
   });
+
+  test('non-guardian channel turns are not interactive to prevent self-approval', async () => {
+    // Set up a guardian binding for a DIFFERENT user so the sender is non-guardian
+    createBinding({
+      assistantId: 'self',
+      channel: 'telegram',
+      guardianExternalUserId: 'guardian-user-other',
+      guardianDeliveryChatId: 'guardian-chat-other',
+    });
+
+    const processCalls: Array<{ options?: Record<string, unknown> }> = [];
+
+    const processMessage = mock(async (
+      _conversationId: string,
+      _content: string,
+      _attachmentIds?: string[],
+      options?: Record<string, unknown>,
+    ) => {
+      processCalls.push({ options });
+      await new Promise((resolve) => setTimeout(resolve, 50));
+      return { messageId: 'msg-ng-1' };
+    });
+
+    const req = makeInboundRequest({
+      content: 'run something',
+      sourceChannel: 'telegram',
+      replyCallbackUrl: 'https://gateway.test/deliver/telegram',
+      externalMessageId: 'msg-ng-1',
+    });
+
+    const res = await handleChannelInbound(req, processMessage as unknown as typeof noopProcessMessage, 'token');
+    const body = await res.json() as Record<string, unknown>;
+    expect(body.accepted).toBe(true);
+
+    await new Promise((resolve) => setTimeout(resolve, 300));
+
+    expect(processCalls.length).toBeGreaterThan(0);
+    expect(processCalls[0].options?.isInteractive).toBe(false);
+  });
 });

package/src/__tests__/channel-guardian.test.ts

@@ -426,7 +426,7 @@ describe('guardian service challenge validation', () => {
     );
 
     expect(result.success).toBe(true);
-    if (result.success) {
+    if (result.success && result.verificationType === 'guardian') {
       expect(result.bindingId).toBeDefined();
     }
   });
@@ -528,7 +528,7 @@ describe('guardian service challenge validation', () => {
     );
 
     expect(result.success).toBe(true);
-    if (result.success) {
+    if (result.success && result.verificationType === 'guardian') {
       expect(result.bindingId).toBeDefined();
     }
 
@@ -1616,7 +1616,7 @@ describe('voice guardian challenge validation', () => {
     );
 
     expect(result.success).toBe(true);
-    if (result.success) {
+    if (result.success && result.verificationType === 'guardian') {
       expect(result.bindingId).toBeDefined();
     }
   });
@@ -2261,7 +2261,7 @@ describe('outbound verification sessions', () => {
     );
 
     expect(result.success).toBe(true);
-    if (result.success) {
+    if (result.success && result.verificationType === 'guardian') {
       expect(result.bindingId).toBeDefined();
     }
   });
@@ -2740,7 +2740,12 @@ describe('outbound SMS verification', () => {
 
     expect(result.success).toBe(true);
     if (result.success) {
-      expect(result.bindingId).toBeDefined();
+      // Guardian outbound sessions (no verificationPurpose override) create
+      // guardian bindings on success
+      expect(result.verificationType).toBe('guardian');
+      if (result.verificationType === 'guardian') {
+        expect(result.bindingId).toBeDefined();
+      }
     }
   });
 
@@ -3166,7 +3171,7 @@ describe('outbound Telegram verification', () => {
     expect(result.success).toBe(false);
   });
 
-  test('backward compat: inbound-only /guardian_verify Telegram flow still works', () => {
+  test('inbound-only Telegram verification flow still works with bare code', () => {
     // Create an inbound-only challenge (no outbound session, no expected identity)
     const challengeResult = createVerificationChallenge('self', 'telegram');
 
@@ -3274,23 +3279,22 @@ describe('outbound Telegram verification', () => {
     expect(revoked).toBeNull();
   });
 
-  test('telegram template includes verification code in message', () => {
+  test('telegram template does not include verification code in message', () => {
     const msg = composeVerificationTelegram(
       GUARDIAN_VERIFY_TEMPLATE_KEYS.TELEGRAM_CHALLENGE_REQUEST,
       { code: 'abc123', expiresInMinutes: 10 },
     );
-    // Code must be visible in-channel for bootstrap flows where the app cannot display it
-    expect(msg).toContain('abc123');
-    expect(msg).toContain('/guardian_verify abc123');
+    expect(msg).not.toContain('abc123');
+    expect(msg).not.toContain('guardian_verify');
   });
 
-  test('telegram resend template includes code and (resent) suffix', () => {
+  test('telegram resend template does not include code and includes (resent) suffix', () => {
     const msg = composeVerificationTelegram(
       GUARDIAN_VERIFY_TEMPLATE_KEYS.TELEGRAM_RESEND,
       { code: 'xyz789', expiresInMinutes: 5 },
     );
-    expect(msg).toContain('xyz789');
-    expect(msg).toContain('/guardian_verify xyz789');
+    expect(msg).not.toContain('xyz789');
+    expect(msg).not.toContain('guardian_verify');
     expect(msg).toContain('(resent)');
   });
 
@@ -3300,7 +3304,7 @@ describe('outbound Telegram verification', () => {
       { code: '999999', expiresInMinutes: 10, assistantName: 'MyBot' },
     );
     expect(msg).toContain('Vellum assistant');
-    expect(msg).toContain('999999');
+    expect(msg).not.toContain('999999');
   });
 
   test('start_outbound for telegram with missing destination fails', () => {
@@ -3703,13 +3707,13 @@ describe('M1–M4 hardening coverage', () => {
   // ── M2: bootstrap sessions use high-entropy hex secrets ──
 
   test('bootstrap (pending_bootstrap) sessions use high-entropy hex secrets, identity-bound use 6-digit numeric', () => {
-    // Pending bootstrap: high-entropy hex (32 bytes = 64 hex chars)
     const bootstrapResult = createOutboundSession({
       assistantId: 'asst-entropy',
       channel: 'telegram',
       identityBindingStatus: 'pending_bootstrap',
       destinationAddress: '@testuser',
     });
+    // Pending bootstrap: high-entropy hex (32 bytes = 64 hex chars)
     expect(bootstrapResult.secret.length).toBe(64);
     expect(bootstrapResult.secret).toMatch(/^[a-f0-9]{64}$/);
 

package/src/__tests__/checker.test.ts

@@ -272,8 +272,8 @@ describe('Permission Checker', () => {
         expect(await classifyRisk('bash', { command: 'some_custom_tool' })).toBe(RiskLevel.Medium);
       });
 
-      test('rm (without -r) is medium risk', async () => {
-        expect(await classifyRisk('bash', { command: 'rm file.txt' })).toBe(RiskLevel.Medium);
+      test('rm (without -r) is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'rm file.txt' })).toBe(RiskLevel.High);
       });
 
       test('chmod is medium risk', async () => {
@@ -374,7 +374,7 @@ describe('Permission Checker', () => {
       expect(high.matchedRule?.id).toBe('default:allow-bash-global');
 
       // Medium risk
-      const med = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      const med = await check('bash', { command: 'curl https://example.com' }, '/tmp');
       expect(med.decision).toBe('allow');
       expect(med.matchedRule?.id).toBe('default:allow-bash-global');
 
@@ -391,7 +391,7 @@ describe('Permission Checker', () => {
         const high = await check('bash', { command: 'sudo rm -rf /' }, '/tmp');
         expect(high.decision).toBe('prompt');
 
-        const med = await check('bash', { command: 'rm file.txt' }, '/tmp');
+        const med = await check('bash', { command: 'curl https://example.com' }, '/tmp');
         expect(med.decision).toBe('prompt');
 
         // Low risk still auto-allows via the normal risk-based fallback
@@ -409,17 +409,31 @@ describe('Permission Checker', () => {
       expect(result.decision).toBe('prompt');
     });
 
-    test('host_bash medium risk with no matching rule → prompt', async () => {
+    test('host_bash rm is always high risk → prompt', async () => {
       const result = await check('host_bash', { command: 'rm file.txt' }, '/tmp');
       expect(result.decision).toBe('prompt');
+      expect(result.reason).toContain('High risk');
     });
 
-    test('medium risk with matching trust rule → allow', async () => {
+    test('plain rm (without -rf) is high risk and prompts despite default allow rule', async () => {
+      // Validates that ALL rm commands are escalated to High risk, not just rm -rf.
+      // The default allow rule for host_bash auto-approves Low/Medium risk but
+      // High risk always prompts.
+      const result = await check('host_bash', { command: 'rm single-file.txt' }, '/tmp');
+      expect(result.decision).toBe('prompt');
+      expect(result.reason).toContain('High risk');
+
+      // Also verify rm -rf still prompts
+      const rfResult = await check('host_bash', { command: 'rm -rf /tmp/dir' }, '/tmp');
+      expect(rfResult.decision).toBe('prompt');
+      expect(rfResult.reason).toContain('High risk');
+    });
+
+    test('rm is high risk even with matching trust rule → prompt', async () => {
       addRule('bash', 'rm *', '/tmp');
       const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
-      expect(result.decision).toBe('allow');
-      expect(result.reason).toContain('Matched trust rule');
-      expect(result.matchedRule).toBeDefined();
+      expect(result.decision).toBe('prompt');
+      expect(result.reason).toContain('High risk');
     });
 
     test('file_read → auto-allow', async () => {
@@ -489,11 +503,11 @@ describe('Permission Checker', () => {
       expect(result.matchedRule?.id).toBe('default:ask-host_file_edit-global');
     });
 
-    test('host_bash prompts by default via host ask rule', async () => {
+    test('host_bash auto-allows low risk via default allow rule', async () => {
       const result = await check('host_bash', { command: 'ls' }, '/tmp');
-      expect(result.decision).toBe('prompt');
-      expect(result.reason).toContain('ask rule');
-      expect(result.matchedRule?.id).toBe('default:ask-host_bash-global');
+      expect(result.decision).toBe('allow');
+      expect(result.reason).toContain('Matched trust rule');
+      expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
     });
 
     test('scaffold_managed_skill prompts by default via managed skill ask rule', async () => {
@@ -597,7 +611,7 @@ describe('Permission Checker', () => {
     });
 
     // Deny rule tests
-    test('deny rule blocks medium-risk command', async () => {
+    test('deny rule blocks high-risk command', async () => {
       addRule('bash', 'rm *', '/tmp', 'deny');
       const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
       expect(result.decision).toBe('deny');
@@ -764,16 +778,16 @@ describe('Permission Checker', () => {
 
     // Priority-based rule resolution
     test('higher-priority allow rule overrides lower-priority deny rule', async () => {
-      addRule('bash', 'rm *', '/tmp', 'deny', 0);
-      addRule('bash', 'rm *', '/tmp', 'allow', 100);
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'deny', 0);
+      addRule('bash', 'chmod *', '/tmp', 'allow', 100);
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('allow');
     });
 
     test('higher-priority deny rule overrides lower-priority allow rule', async () => {
-      addRule('bash', 'rm *', '/tmp', 'allow', 0);
-      addRule('bash', 'rm *', '/tmp', 'deny', 100);
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'allow', 0);
+      addRule('bash', 'chmod *', '/tmp', 'deny', 100);
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('deny');
     });
 
@@ -927,6 +941,30 @@ describe('Permission Checker', () => {
       expect(result.matchedRule!.id).toBe('default:allow-file_write-bootstrap');
     });
 
+    test('file_read of workspace UPDATES.md is auto-allowed', async () => {
+      const updatesPath = join(checkerTestDir, 'workspace', 'UPDATES.md');
+      const result = await check('file_read', { path: updatesPath }, '/tmp');
+      expect(result.decision).toBe('allow');
+      expect(result.matchedRule).toBeDefined();
+      expect(result.matchedRule!.id).toBe('default:allow-file_read-updates');
+    });
+
+    test('file_write of workspace UPDATES.md is auto-allowed', async () => {
+      const updatesPath = join(checkerTestDir, 'workspace', 'UPDATES.md');
+      const result = await check('file_write', { path: updatesPath }, '/tmp');
+      expect(result.decision).toBe('allow');
+      expect(result.matchedRule).toBeDefined();
+      expect(result.matchedRule!.id).toBe('default:allow-file_write-updates');
+    });
+
+    test('file_edit of workspace UPDATES.md is auto-allowed', async () => {
+      const updatesPath = join(checkerTestDir, 'workspace', 'UPDATES.md');
+      const result = await check('file_edit', { path: updatesPath }, '/tmp');
+      expect(result.decision).toBe('allow');
+      expect(result.matchedRule).toBeDefined();
+      expect(result.matchedRule!.id).toBe('default:allow-file_edit-updates');
+    });
+
     test('file_write of non-workspace file is not auto-allowed', async () => {
       const otherPath = join(checkerTestDir, 'workspace', 'OTHER.md');
       const result = await check('file_write', { path: otherPath }, '/tmp');
@@ -1441,13 +1479,14 @@ describe('Permission Checker', () => {
       expect(result.matchedRule?.id).toBe('default:allow-bash-global');
     });
 
-    test('host_bash with no user rule returns prompt in strict mode', async () => {
+    test('host_bash auto-allows low risk in strict mode (default allow rule is a matching rule)', async () => {
       testConfig.permissions.mode = 'strict';
       const result = await check('host_bash', { command: 'ls' }, '/tmp');
-      expect(result.decision).toBe('prompt');
+      expect(result.decision).toBe('allow');
+      expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
     });
 
-    test('medium-risk host_bash with no matching rule returns prompt in strict mode', async () => {
+    test('high-risk host_bash (rm) with no matching rule returns prompt in strict mode', async () => {
       testConfig.permissions.mode = 'strict';
       const result = await check('host_bash', { command: 'rm file.txt' }, '/tmp');
       expect(result.decision).toBe('prompt');
@@ -1544,8 +1583,8 @@ describe('Permission Checker', () => {
     });
 
     test('medium-risk tool with allow rule is NOT affected by allowHighRisk', async () => {
-      addRule('bash', 'rm *', '/tmp', 'allow', 100);
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'allow', 100);
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('allow');
       expect(result.reason).toContain('Matched trust rule');
       // No mention of high-risk in the reason
@@ -1615,8 +1654,8 @@ describe('Permission Checker', () => {
 
     test('strict mode: medium-risk with matching allow rule auto-allows', async () => {
       testConfig.permissions.mode = 'strict';
-      addRule('bash', 'rm *', '/tmp', 'allow');
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'allow');
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('allow');
       expect(result.reason).toContain('Matched trust rule');
     });
@@ -2392,10 +2431,11 @@ describe('Permission Checker', () => {
         expect(result.matchedRule?.id).toBe('default:allow-bash-global');
       });
 
-      test('low-risk host_bash with no user rule prompts in strict mode', async () => {
+      test('low-risk host_bash auto-allows in strict mode (default allow rule is a matching rule)', async () => {
         testConfig.permissions.mode = 'strict';
         const result = await check('host_bash', { command: 'echo hello' }, '/tmp');
-        expect(result.decision).toBe('prompt');
+        expect(result.decision).toBe('allow');
+        expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
       });
 
       test('low-risk file_read with no rule prompts in strict mode', async () => {
@@ -2457,10 +2497,10 @@ describe('Permission Checker', () => {
     //    target-scoped. ───────────────────────────────────────────────
 
     describe('Invariant 4: host execution approvals are explicit and target-scoped', () => {
-      test('host_bash prompts by default (no implicit allow)', async () => {
+      test('host_bash auto-allows low risk via default allow rule', async () => {
         const result = await check('host_bash', { command: 'ls' }, '/tmp');
-        expect(result.decision).toBe('prompt');
-        expect(result.matchedRule?.id).toBe('default:ask-host_bash-global');
+        expect(result.decision).toBe('allow');
+        expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
       });
 
       test('host_file_read prompts by default (no implicit allow)', async () => {
@@ -2507,11 +2547,11 @@ describe('Permission Checker', () => {
         expect(matchResult.matchedRule?.id).toBe('inv4-target-scoped');
 
         // Different target — the target-scoped rule should NOT match;
-        // falls back to the default host_bash ask rule (prompt)
+        // falls back to the default host_bash allow rule (auto-allows medium risk)
         const noMatchResult = await check('host_bash', { command: 'run script.js' }, '/tmp', {
           executionTarget: '/usr/local/bin/bun',
         });
-        expect(noMatchResult.decision).toBe('prompt');
+        expect(noMatchResult.decision).toBe('allow');
         expect(noMatchResult.matchedRule?.id).not.toBe('inv4-target-scoped');
       });
     });
@@ -2581,7 +2621,7 @@ describe('Permission Checker', () => {
       test('wildcard allow rule matches any command in legacy mode', async () => {
         testConfig.permissions.mode = 'legacy';
         addRule('bash', '*', 'everywhere');
-        const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+        const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
         expect(result.decision).toBe('allow');
         expect(result.matchedRule).toBeDefined();
       });
@@ -2589,7 +2629,7 @@ describe('Permission Checker', () => {
       test('wildcard allow rule matches any command in strict mode', async () => {
         testConfig.permissions.mode = 'strict';
         addRule('bash', '*', 'everywhere');
-        const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+        const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
         expect(result.decision).toBe('allow');
         expect(result.matchedRule).toBeDefined();
       });
@@ -2700,12 +2740,27 @@ describe('Permission Checker', () => {
     );
 
     test('getDefaultRuleTemplates has no extra rules when extraDirs is empty', () => {
-      // Default testConfig has no skills property → getConfig returns default
-      // with extraDirs: []
       const templates = getDefaultRuleTemplates();
       const extraRules = templates.filter((t) => t.id.includes('extra-'));
       expect(extraRules.length).toBe(0);
     });
+
+    test('getDefaultRuleTemplates tolerates partial config mocks', () => {
+      const originalSkills = testConfig.skills;
+      const originalSandbox = testConfig.sandbox;
+      try {
+        testConfig.skills = {} as any;
+        testConfig.sandbox = {} as any;
+
+        const templates = getDefaultRuleTemplates();
+        expect(Array.isArray(templates)).toBe(true);
+        expect(templates.some((t) => t.id.includes('extra-'))).toBe(false);
+        expect(templates.some((t) => t.id === 'default:allow-bash-global')).toBe(true);
+      } finally {
+        testConfig.skills = originalSkills;
+        testConfig.sandbox = originalSandbox;
+      }
+    });
   });
 
   // ── backslash normalization gated to Windows (PR 3558 follow-up) ──
@@ -2928,8 +2983,8 @@ describe('bash network_mode=proxied force prompt', () => {
   });
 
   test('non-proxied bash with trust rule follows normal flow', async () => {
-    addRule('bash', 'rm *', '/tmp');
-    const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+    addRule('bash', 'chmod *', '/tmp');
+    const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
     expect(result.decision).toBe('allow');
     expect(result.reason).not.toContain('Proxied network mode');
   });
@@ -3221,10 +3276,10 @@ describe('workspace mode — auto-allow workspace-scoped operations', () => {
     expect(result.reason).toContain('ask rule');
   });
 
-  test('host_bash → prompt (default ask rule matches)', async () => {
+  test('host_bash → allow (default allow rule matches)', async () => {
     const result = await check('host_bash', { command: 'ls' }, workspaceDir);
-    expect(result.decision).toBe('prompt');
-    expect(result.reason).toContain('ask rule');
+    expect(result.decision).toBe('allow');
+    expect(result.reason).toContain('Matched trust rule');
   });
 
   // ── explicit rules still take precedence in workspace mode ──
@@ -3404,20 +3459,20 @@ describe('integration regressions (PR 11)', () => {
   });
 
   test('raw legacy rule still works alongside new action key system', async () => {
-    // Use medium-risk commands (rm) so they aren't auto-allowed by low-risk classification.
+    // Use medium-risk commands (chmod) so they aren't auto-allowed by low-risk classification.
     // Disable sandbox so the catch-all "**" rule doesn't interfere.
     testConfig.sandbox.enabled = false;
     try { rmSync(join(checkerTestDir, 'protected', 'trust.json')); } catch { /* may not exist */ }
     clearCache();
     try {
-      addRule('bash', 'rm file.txt', 'everywhere');
+      addRule('bash', 'chmod 644 file.txt', 'everywhere');
 
       // Exact match still works
-      const r1 = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      const r1 = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(r1.decision).toBe('allow');
 
-      // Different rm argument should not match this exact raw rule
-      const r2 = await check('bash', { command: 'rm other.txt' }, '/tmp');
+      // Different chmod argument should not match this exact raw rule
+      const r2 = await check('bash', { command: 'chmod 755 other.txt' }, '/tmp');
       expect(r2.decision).not.toBe('allow');
     } finally {
       testConfig.sandbox.enabled = true;

package/src/__tests__/computer-use-skill-manifest-regression.test.ts

@@ -77,8 +77,8 @@ describe('computer-use skill manifest regression', () => {
     await initializeTools();
 
     // The 12 computer_use_* action tools must NOT be in the global registry
-    // after initializeTools(). If they were, registerSkillTools() would throw
-    // a "collides with core tool" error when the computer-use skill is activated.
+    // after initializeTools(). If they were, registerSkillTools() would skip
+    // them as core tool collisions when the computer-use skill is activated.
     for (const name of COMPUTER_USE_TOOL_NAMES) {
       expect(getTool(name)).toBeUndefined();
     }