@vellumai/assistant 0.3.16 → 0.3.18

package/src/__tests__/notification-thread-candidate-validation.test.ts

@@ -0,0 +1,215 @@
+/**
+ * Focused tests for thread candidate validation in the notification decision
+ * engine. Validates that:
+ * - Valid reuse targets pass validation
+ * - Invalid reuse targets are rejected and downgraded to start_new
+ * - Candidate context is structurally correct and auditable
+ */
+
+import { describe, expect, test } from 'bun:test';
+
+import { validateThreadActions } from '../notifications/decision-engine.js';
+import type {
+  ThreadCandidate,
+  ThreadCandidateSet,
+} from '../notifications/thread-candidates.js';
+import type {
+  NotificationChannel,
+  ThreadAction,
+} from '../notifications/types.js';
+
+// -- Helpers -----------------------------------------------------------------
+
+function makeCandidate(overrides?: Partial<ThreadCandidate>): ThreadCandidate {
+  return {
+    conversationId: 'conv-default',
+    title: 'Test Thread',
+    updatedAt: Date.now(),
+    latestSourceEventName: 'test.event',
+    channel: 'vellum' as NotificationChannel,
+    ...overrides,
+  };
+}
+
+/**
+ * Simple candidate ID check equivalent to the removed isValidCandidateId.
+ * Used in tests to verify candidate matching semantics.
+ */
+function isCandidateIdPresent(id: string, candidates: ThreadCandidate[]): boolean {
+  return candidates.some((c) => c.conversationId === id);
+}
+
+// -- Tests -------------------------------------------------------------------
+
+describe('thread candidate validation', () => {
+  describe('candidate ID matching', () => {
+    test('returns true when conversationId matches a candidate', () => {
+      const candidates = [
+        makeCandidate({ conversationId: 'conv-001' }),
+        makeCandidate({ conversationId: 'conv-002' }),
+      ];
+
+      expect(isCandidateIdPresent('conv-001', candidates)).toBe(true);
+      expect(isCandidateIdPresent('conv-002', candidates)).toBe(true);
+    });
+
+    test('returns false when conversationId does not match any candidate', () => {
+      const candidates = [
+        makeCandidate({ conversationId: 'conv-001' }),
+      ];
+
+      expect(isCandidateIdPresent('conv-999', candidates)).toBe(false);
+    });
+
+    test('returns false for empty candidate list', () => {
+      expect(isCandidateIdPresent('conv-001', [])).toBe(false);
+    });
+
+    test('returns false for empty string conversationId', () => {
+      const candidates = [
+        makeCandidate({ conversationId: 'conv-001' }),
+      ];
+
+      expect(isCandidateIdPresent('', candidates)).toBe(false);
+    });
+
+    test('matching is exact (no substring or prefix matching)', () => {
+      const candidates = [
+        makeCandidate({ conversationId: 'conv-001' }),
+      ];
+
+      expect(isCandidateIdPresent('conv-00', candidates)).toBe(false);
+      expect(isCandidateIdPresent('conv-0011', candidates)).toBe(false);
+      expect(isCandidateIdPresent('CONV-001', candidates)).toBe(false);
+    });
+  });
+
+  describe('candidate metadata structure', () => {
+    test('candidate without guardian context has no optional fields', () => {
+      const candidate = makeCandidate();
+
+      expect(candidate.guardianContext).toBeUndefined();
+    });
+
+    test('candidate with guardian context includes pending counts', () => {
+      const candidate = makeCandidate({
+        guardianContext: { pendingUnresolvedRequestCount: 3 },
+      });
+
+      expect(candidate.guardianContext?.pendingUnresolvedRequestCount).toBe(3);
+    });
+
+    test('candidate with null title is valid', () => {
+      const candidate = makeCandidate({ title: null });
+      expect(candidate.title).toBeNull();
+    });
+
+    test('candidate with null latestSourceEventName is valid', () => {
+      const candidate = makeCandidate({ latestSourceEventName: null });
+      expect(candidate.latestSourceEventName).toBeNull();
+    });
+  });
+
+  describe('thread action downgrade semantics', () => {
+    test('start_new action does not require a conversationId', () => {
+      const action: ThreadAction = { action: 'start_new' };
+      expect(action.action).toBe('start_new');
+      expect('conversationId' in action).toBe(false);
+    });
+
+    test('reuse_existing with valid candidate is accepted via validateThreadActions', () => {
+      const candidateSet: ThreadCandidateSet = {
+        vellum: [makeCandidate({ conversationId: 'conv-valid' })],
+      };
+
+      const result = validateThreadActions(
+        { vellum: { action: 'reuse_existing', conversationId: 'conv-valid' } },
+        ['vellum'] as NotificationChannel[],
+        candidateSet,
+      );
+
+      expect(result.vellum?.action).toBe('reuse_existing');
+      if (result.vellum?.action === 'reuse_existing') {
+        expect(result.vellum.conversationId).toBe('conv-valid');
+      }
+    });
+
+    test('reuse_existing with invalid candidate is downgraded to start_new', () => {
+      const candidateSet: ThreadCandidateSet = {
+        vellum: [makeCandidate({ conversationId: 'conv-valid' })],
+      };
+
+      const result = validateThreadActions(
+        { vellum: { action: 'reuse_existing', conversationId: 'conv-hacked' } },
+        ['vellum'] as NotificationChannel[],
+        candidateSet,
+      );
+
+      expect(result.vellum?.action).toBe('start_new');
+    });
+
+    test('reuse_existing with empty candidate set is downgraded to start_new', () => {
+      const result = validateThreadActions(
+        { vellum: { action: 'reuse_existing', conversationId: 'conv-any' } },
+        ['vellum'] as NotificationChannel[],
+        undefined,
+      );
+
+      expect(result.vellum?.action).toBe('start_new');
+    });
+  });
+
+  describe('candidate set per channel', () => {
+    test('channels without candidates result in empty map entries', () => {
+      const candidateMap: ThreadCandidateSet = {};
+
+      // When no candidates exist for vellum, the map has no entry
+      expect(candidateMap.vellum).toBeUndefined();
+    });
+
+    test('candidate set preserves channel association via validateThreadActions', () => {
+      const vellumCandidates = [
+        makeCandidate({ conversationId: 'conv-v1', channel: 'vellum' as NotificationChannel }),
+      ];
+      const telegramCandidates = [
+        makeCandidate({ conversationId: 'conv-t1', channel: 'telegram' as NotificationChannel }),
+      ];
+
+      const candidateSet: ThreadCandidateSet = {
+        vellum: vellumCandidates,
+        telegram: telegramCandidates,
+      };
+
+      // Vellum candidate should not be valid for telegram and vice versa
+      const validChannels: NotificationChannel[] = ['vellum', 'telegram'];
+
+      const result1 = validateThreadActions(
+        { vellum: { action: 'reuse_existing', conversationId: 'conv-v1' } },
+        validChannels,
+        candidateSet,
+      );
+      expect(result1.vellum?.action).toBe('reuse_existing');
+
+      const result2 = validateThreadActions(
+        { vellum: { action: 'reuse_existing', conversationId: 'conv-t1' } },
+        validChannels,
+        candidateSet,
+      );
+      expect(result2.vellum?.action).toBe('start_new');
+
+      const result3 = validateThreadActions(
+        { telegram: { action: 'reuse_existing', conversationId: 'conv-t1' } },
+        validChannels,
+        candidateSet,
+      );
+      expect(result3.telegram?.action).toBe('reuse_existing');
+
+      const result4 = validateThreadActions(
+        { telegram: { action: 'reuse_existing', conversationId: 'conv-v1' } },
+        validChannels,
+        candidateSet,
+      );
+      expect(result4.telegram?.action).toBe('start_new');
+    });
+  });
+});

package/src/__tests__/slack-channel-config.test.ts

@@ -105,9 +105,9 @@ mock.module('../tools/credentials/metadata-store.js', () => ({
 const originalFetch = globalThis.fetch;
 
 import {
+  clearSlackChannelConfig,
   getSlackChannelConfig,
   setSlackChannelConfig,
-  clearSlackChannelConfig,
 } from '../daemon/handlers/config-slack-channel.js';
 
 afterAll(() => {
@@ -186,7 +186,7 @@ describe('Slack channel config handler', () => {
         status: 200,
         headers: { 'content-type': 'application/json' },
       });
-    }) as typeof globalThis.fetch;
+    }) as unknown as typeof globalThis.fetch;
 
     const result = await setSlackChannelConfig('xoxb-valid-bot-token');
     expect(result.success).toBe(true);
@@ -204,7 +204,7 @@ describe('Slack channel config handler', () => {
         status: 200,
         headers: { 'content-type': 'application/json' },
       });
-    }) as typeof globalThis.fetch;
+    }) as unknown as typeof globalThis.fetch;
 
     const result = await setSlackChannelConfig('xoxb-bad-token');
     expect(result.success).toBe(false);

package/src/__tests__/trust-store.test.ts

@@ -297,15 +297,15 @@ describe('Trust Store', () => {
     });
 
     test('returns null when tool does not match', () => {
-      addRule('file_write', 'git *', '/tmp');
-      // host_bash default is 'ask' so findMatchingRule (allow-only) won't find it
-      const match = findMatchingRule('host_bash', 'git push', '/tmp');
+      addRule('file_write', 'file_write:/tmp/*', '/tmp');
+      // host_file_read default is 'ask' so findMatchingRule (allow-only) won't find it
+      const match = findMatchingRule('host_file_read', 'host_file_read:/etc/hosts', '/tmp');
       expect(match).toBeNull();
     });
 
     test('returns null when pattern does not match', () => {
-      addRule('host_bash', 'git *', '/tmp');
-      const match = findMatchingRule('host_bash', 'npm install', '/tmp');
+      addRule('host_file_read', 'host_file_read:/etc/hosts', '/tmp');
+      const match = findMatchingRule('host_file_read', 'host_file_read:/var/log/syslog', '/tmp');
       expect(match).toBeNull();
     });
 
@@ -324,8 +324,8 @@ describe('Trust Store', () => {
       });
 
       test('does not match when scope is outside rule scope', () => {
-        addRule('host_bash', 'npm *', '/home/user/project');
-        const match = findMatchingRule('host_bash', 'npm install', '/home/other');
+        addRule('host_file_read', 'host_file_read:/home/user/project/*', '/home/user/project');
+        const match = findMatchingRule('host_file_read', 'host_file_read:/home/user/project/file.txt', '/home/other');
         expect(match).toBeNull();
       });
 
@@ -342,8 +342,8 @@ describe('Trust Store', () => {
       });
 
       test('does not match sibling path with shared prefix', () => {
-        addRule('host_bash', 'npm *', '/home/user/project');
-        const match = findMatchingRule('host_bash', 'npm install', '/home/user/project-evil');
+        addRule('host_file_read', 'host_file_read:/home/user/project/*', '/home/user/project');
+        const match = findMatchingRule('host_file_read', 'host_file_read:/home/user/project/file.txt', '/home/user/project-evil');
         expect(match).toBeNull();
       });
 
@@ -360,8 +360,8 @@ describe('Trust Store', () => {
       });
 
       test('does not match sibling with glob-suffixed scope', () => {
-        addRule('host_bash', 'npm *', '/home/user/project*');
-        const match = findMatchingRule('host_bash', 'npm install', '/home/user/project-evil');
+        addRule('host_file_read', 'host_file_read:/home/user/project/*', '/home/user/project*');
+        const match = findMatchingRule('host_file_read', 'host_file_read:/home/user/project/file.txt', '/home/user/project-evil');
         expect(match).toBeNull();
       });
     });
@@ -375,9 +375,9 @@ describe('Trust Store', () => {
       });
 
       test('matches exact string', () => {
-        addRule('host_bash', 'git status', '/tmp');
-        expect(findMatchingRule('host_bash', 'git status', '/tmp')).not.toBeNull();
-        expect(findMatchingRule('host_bash', 'git push', '/tmp')).toBeNull();
+        addRule('host_file_read', 'host_file_read:/etc/hosts', '/tmp');
+        expect(findMatchingRule('host_file_read', 'host_file_read:/etc/hosts', '/tmp')).not.toBeNull();
+        expect(findMatchingRule('host_file_read', 'host_file_read:/etc/passwd', '/tmp')).toBeNull();
       });
 
       test('matches file path pattern', () => {
@@ -545,9 +545,9 @@ describe('Trust Store', () => {
     });
 
     test('findMatchingRule ignores deny rules', () => {
-      // Use host_bash — bash has a default allow rule that would match.
-      addRule('host_bash', 'rm *', '/tmp', 'deny');
-      const match = findMatchingRule('host_bash', 'rm file.txt', '/tmp');
+      // Use host_file_read — it has an 'ask' default so findMatchingRule (allow-only) won't find it.
+      addRule('host_file_read', 'host_file_read:/etc/*', '/tmp', 'deny');
+      const match = findMatchingRule('host_file_read', 'host_file_read:/etc/hosts', '/tmp');
       expect(match).toBeNull();
     });
 
@@ -806,12 +806,12 @@ describe('Trust Store', () => {
       expect(match!.priority).toBe(DEFAULT_PRIORITY_BY_ID.get('default:ask-host_file_edit-global')!);
     });
 
-    test('findHighestPriorityRule matches default ask for host_bash', () => {
+    test('findHighestPriorityRule matches default allow for host_bash', () => {
       const match = findHighestPriorityRule('host_bash', ['ls'], '/tmp');
       expect(match).not.toBeNull();
-      expect(match!.id).toBe('default:ask-host_bash-global');
-      expect(match!.decision).toBe('ask');
-      expect(match!.priority).toBe(DEFAULT_PRIORITY_BY_ID.get('default:ask-host_bash-global')!);
+      expect(match!.id).toBe('default:allow-host_bash-global');
+      expect(match!.decision).toBe('allow');
+      expect(match!.priority).toBe(DEFAULT_PRIORITY_BY_ID.get('default:allow-host_bash-global')!);
     });
 
     test('findHighestPriorityRule matches default ask for computer_use_click', () => {

package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts

@@ -85,14 +85,12 @@ mock.module('../runtime/approval-message-composer.js', () => ({
 import {
   createApprovalRequest,
   createBinding,
-  findPendingAccessRequestForRequester,
-  getAllPendingApprovalsByGuardianChat,
 } from '../memory/channel-guardian-store.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { findMember, upsertMember } from '../memory/ingress-member-store.js';
 import {
   createOutboundSession,
 } from '../runtime/channel-guardian-service.js';
-import { findMember, upsertMember } from '../memory/ingress-member-store.js';
-import { initializeDb, resetDb } from '../memory/db.js';
 import { handleChannelInbound } from '../runtime/routes/channel-routes.js';
 
 initializeDb();
@@ -110,7 +108,6 @@ const TEST_BEARER_TOKEN = 'test-token';
 const GUARDIAN_APPROVAL_TTL_MS = 5 * 60 * 1000;
 
 function resetState(): void {
-  const { getDb } = require('../memory/db.js');
   const db = getDb();
   db.run('DELETE FROM channel_guardian_approval_requests');
   db.run('DELETE FROM channel_guardian_bindings');
@@ -177,7 +174,7 @@ describe('trusted contact lifecycle notification signals', () => {
     const testRequestId = `req-deny-${Date.now()}`;
 
     // Create a pending access request approval
-    const approval = createApprovalRequest({
+    const _approval = createApprovalRequest({
       runId: `ingress-access-request-${Date.now()}`,
       requestId: testRequestId,
       conversationId: 'access-req-telegram-requester-user-456',
@@ -252,7 +249,7 @@ describe('trusted contact lifecycle notification signals', () => {
     const testRequestId = `req-approve-${Date.now()}`;
 
     // Create a pending access request approval
-    const approval = createApprovalRequest({
+    const _approval = createApprovalRequest({
       runId: `ingress-access-request-${Date.now()}`,
       requestId: testRequestId,
       conversationId: 'access-req-telegram-requester-user-456',
@@ -426,6 +423,7 @@ describe('trusted contact activated notification signal', () => {
 
   test('guardian verification does NOT emit activated signal', async () => {
     // Create an inbound challenge (guardian flow, not trusted contact)
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
     const { createVerificationChallenge } = require('../runtime/channel-guardian-service.js');
     const { secret } = createVerificationChallenge('self', 'telegram');
 

package/src/__tests__/trusted-contact-multichannel.test.ts

@@ -77,16 +77,13 @@ import {
   createBinding,
   findPendingAccessRequestForRequester,
 } from '../memory/channel-guardian-store.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { findMember, upsertMember } from '../memory/ingress-member-store.js';
 import {
   createOutboundSession,
   validateAndConsumeChallenge,
 } from '../runtime/channel-guardian-service.js';
-import { findMember, upsertMember } from '../memory/ingress-member-store.js';
-import { initializeDb, resetDb } from '../memory/db.js';
 import { handleChannelInbound } from '../runtime/routes/channel-routes.js';
-import {
-  handleAccessRequestDecision,
-} from '../runtime/routes/access-request-decision.js';
 
 initializeDb();
 
@@ -102,7 +99,6 @@ afterAll(() => {
 const TEST_BEARER_TOKEN = 'test-token';
 
 function resetState(): void {
-  const { getDb } = require('../memory/db.js');
   const db = getDb();
   db.run('DELETE FROM channel_guardian_approval_requests');
   db.run('DELETE FROM channel_guardian_bindings');

package/src/__tests__/trusted-contact-verification.test.ts

@@ -42,20 +42,20 @@ mock.module('../util/logger.js', () => ({
   }),
 }));
 
-import { initializeDb, resetDb } from '../memory/db.js';
 import {
-  createOutboundSession,
-  validateAndConsumeChallenge,
-} from '../runtime/channel-guardian-service.js';
+  createBinding,
+  getActiveBinding,
+} from '../memory/channel-guardian-store.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
 import {
   findMember,
-  upsertMember,
   revokeMember,
+  upsertMember,
 } from '../memory/ingress-member-store.js';
 import {
-  getActiveBinding,
-  createBinding,
-} from '../memory/channel-guardian-store.js';
+  createOutboundSession,
+  validateAndConsumeChallenge,
+} from '../runtime/channel-guardian-service.js';
 
 initializeDb();
 
@@ -69,7 +69,6 @@ afterAll(() => {
 // ---------------------------------------------------------------------------
 
 function resetTables(): void {
-  const { getDb } = require('../memory/db.js');
   const db = getDb();
   db.run('DELETE FROM channel_guardian_verification_challenges');
   db.run('DELETE FROM channel_guardian_bindings');
@@ -339,6 +338,7 @@ describe('trusted contact verification → member activation', () => {
 
   test('guardian inbound verification still creates binding (backward compat)', () => {
     // Create an inbound challenge (no expected identity — guardian flow)
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
     const { createVerificationChallenge } = require('../runtime/channel-guardian-service.js');
     const { secret } = createVerificationChallenge('self', 'telegram');
 

package/src/__tests__/update-bulletin-state.test.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, beforeEach, mock } from 'bun:test';
+import { beforeEach, describe, expect, it, mock } from 'bun:test';
 
 const store = new Map<string, string>();
 

package/src/__tests__/update-bulletin.test.ts

@@ -1,7 +1,9 @@
-import { describe, it, expect, beforeEach, afterEach, mock } from 'bun:test';
-import { existsSync, mkdirSync, readFileSync, readdirSync, rmSync, writeFileSync } from 'node:fs';
-import { join } from 'node:path';
+import * as fs from 'node:fs';
+import { existsSync, mkdirSync, readdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:test';
 
 // --- In-memory checkpoint store ---
 const store = new Map<string, string>();
@@ -14,6 +16,12 @@ mock.module('../memory/checkpoints.js', () => ({
 // --- Temp directory for workspace paths ---
 let tempDir: string;
 
+// --- Temp directory for template files ---
+// Avoids mutating the real source-controlled UPDATES.md template, preventing
+// race conditions with parallel test execution and working tree corruption
+// if the test process crashes.
+let tempTemplateDir: string;
+
 // Mock platform to avoid env-registry transitive imports.
 // All needed exports are stubbed; getWorkspacePromptPath is the only one
 // exercised by update-bulletin.ts.
@@ -92,17 +100,31 @@ mock.module('../version.js', () => ({
   APP_VERSION: '1.0.0',
 }));
 
+// Mock the template path module so tests read from a temp directory instead
+// of the real source-controlled template file.
+mock.module('../config/update-bulletin-template-path.js', () => ({
+  getTemplatePath: () => join(tempTemplateDir, 'UPDATES.md'),
+}));
+
 const { syncUpdateBulletinOnStartup } = await import('../config/update-bulletin.js');
 
+const TEST_TEMPLATE = '## What\'s New\n\nTest release notes.\n';
+const COMMENT_ONLY_TEMPLATE = '_ This is a comment-only template.\n_ No real content here.\n';
+
 describe('syncUpdateBulletinOnStartup', () => {
   beforeEach(() => {
     store.clear();
     tempDir = join(tmpdir(), `update-bulletin-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
     mkdirSync(tempDir, { recursive: true });
+    tempTemplateDir = join(tmpdir(), `update-bulletin-tpl-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(tempTemplateDir, { recursive: true });
+    // Write a test template with real content so materialization proceeds
+    writeFileSync(join(tempTemplateDir, 'UPDATES.md'), TEST_TEMPLATE, 'utf-8');
   });
 
   afterEach(() => {
     rmSync(tempDir, { recursive: true, force: true });
+    rmSync(tempTemplateDir, { recursive: true, force: true });
   });
 
   it('creates workspace file on first eligible run', () => {
@@ -257,4 +279,45 @@ describe('syncUpdateBulletinOnStartup', () => {
     const tmpFiles = entries.filter((e) => e.includes('.tmp.'));
     expect(tmpFiles).toHaveLength(0);
   });
+
+  it('skips materialization when template is comment-only', () => {
+    // Write a comment-only template fixture (no real content after stripping)
+    writeFileSync(join(tempTemplateDir, 'UPDATES.md'), COMMENT_ONLY_TEMPLATE, 'utf-8');
+
+    const workspacePath = join(tempDir, 'UPDATES.md');
+    syncUpdateBulletinOnStartup();
+
+    expect(existsSync(workspacePath)).toBe(false);
+  });
+
+  it('preserves existing file when atomic write fails', () => {
+    const workspacePath = join(tempDir, 'UPDATES.md');
+    const originalContent = '<!-- vellum-update-release:0.9.0 -->\nOriginal content.\n';
+    writeFileSync(workspacePath, originalContent, 'utf-8');
+
+    // Mock writeFileSync to throw when writing the temp file, simulating a
+    // disk-full or permission error deterministically (chmod-based approaches
+    // are unreliable when running as root or with CAP_DAC_OVERRIDE).
+    const originalWriteFileSync = fs.writeFileSync;
+    const spy = spyOn(fs, 'writeFileSync').mockImplementation((...args: Parameters<typeof fs.writeFileSync>) => {
+      if (typeof args[0] === 'string' && args[0].includes('.tmp.')) {
+        throw new Error('Simulated write failure');
+      }
+      return originalWriteFileSync(...args);
+    });
+    try {
+      expect(() => syncUpdateBulletinOnStartup()).toThrow('Simulated write failure');
+    } finally {
+      spy.mockRestore();
+    }
+
+    // Original content should be preserved (atomic write never renamed over it)
+    const content = readFileSync(workspacePath, 'utf-8');
+    expect(content).toBe(originalContent);
+
+    // No temp file leftovers
+    const entries = readdirSync(tempDir);
+    const tmpFiles = entries.filter((e: string) => e.includes('.tmp.'));
+    expect(tmpFiles).toHaveLength(0);
+  });
 });

package/src/__tests__/update-template-contract.test.ts

@@ -1,13 +1,13 @@
 /**
- * Contract test: ensures the bundled UPDATES.md template exists and meets
- * the format expectations that the bulletin system depends on at runtime.
+ * Contract test: ensures the bundled UPDATES.md template exists and is readable.
  *
- * The "## What's New" heading is a structural contract — bulletin rendering
- * logic expects this section to be present in the template.
+ * The template may be comment-only (no real content) for no-op releases —
+ * the bulletin system treats an empty-after-stripping template as a skip signal.
  */
 
 import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
+
 import { describe, expect, test } from 'bun:test';
 
 const TEMPLATE_PATH = join(import.meta.dirname, '..', 'config', 'templates', 'UPDATES.md');
@@ -17,13 +17,8 @@ describe('UPDATES.md template contract', () => {
     expect(existsSync(TEMPLATE_PATH)).toBe(true);
   });
 
-  test('template contains non-whitespace content', () => {
-    const content = readFileSync(TEMPLATE_PATH, 'utf-8');
-    expect(content.trim().length).toBeGreaterThan(0);
-  });
-
-  test('template contains the "## What\'s New" heading', () => {
+  test('template is a readable UTF-8 file', () => {
     const content = readFileSync(TEMPLATE_PATH, 'utf-8');
-    expect(content).toContain("## What's New");
+    expect(typeof content).toBe('string');
   });
 });