@vellumai/assistant 0.3.16 → 0.3.19

package/src/__tests__/checker.test.ts

@@ -272,8 +272,8 @@ describe('Permission Checker', () => {
         expect(await classifyRisk('bash', { command: 'some_custom_tool' })).toBe(RiskLevel.Medium);
       });
 
-      test('rm (without -r) is medium risk', async () => {
-        expect(await classifyRisk('bash', { command: 'rm file.txt' })).toBe(RiskLevel.Medium);
+      test('rm (without -r) is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'rm file.txt' })).toBe(RiskLevel.High);
       });
 
       test('chmod is medium risk', async () => {
@@ -354,6 +354,66 @@ describe('Permission Checker', () => {
       test('env injection is high risk', async () => {
         expect(await classifyRisk('bash', { command: 'LD_PRELOAD=evil.so cmd' })).toBe(RiskLevel.High);
       });
+
+      test('wrapped rm via env is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'env rm -rf /tmp/x' })).toBe(RiskLevel.High);
+      });
+
+      test('wrapped rm via time is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'time rm file.txt' })).toBe(RiskLevel.High);
+      });
+
+      test('wrapped kill via env is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'env kill -9 1234' })).toBe(RiskLevel.High);
+      });
+
+      test('wrapped sudo via env is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'env sudo apt-get install foo' })).toBe(RiskLevel.High);
+      });
+
+      test('wrapped reboot via nice is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'nice reboot' })).toBe(RiskLevel.High);
+      });
+
+      test('wrapped pkill via nohup is high risk', async () => {
+        expect(await classifyRisk('bash', { command: 'nohup pkill node' })).toBe(RiskLevel.High);
+      });
+
+      test('command -v is low risk (read-only lookup)', async () => {
+        expect(await classifyRisk('bash', { command: 'command -v rm' })).toBe(RiskLevel.Low);
+      });
+
+      test('command -V is low risk (read-only lookup)', async () => {
+        expect(await classifyRisk('bash', { command: 'command -V sudo' })).toBe(RiskLevel.Low);
+      });
+
+      test('command without -v/-V flag escalates wrapped program', async () => {
+        expect(await classifyRisk('bash', { command: 'command rm file.txt' })).toBe(RiskLevel.High);
+      });
+
+      test('rm BOOTSTRAP.md (bare safe file) is medium risk', async () => {
+        expect(await classifyRisk('bash', { command: 'rm BOOTSTRAP.md' })).toBe(RiskLevel.Medium);
+      });
+
+      test('rm UPDATES.md (bare safe file) is medium risk', async () => {
+        expect(await classifyRisk('bash', { command: 'rm UPDATES.md' })).toBe(RiskLevel.Medium);
+      });
+
+      test('rm -rf BOOTSTRAP.md is still high risk (flags present)', async () => {
+        expect(await classifyRisk('bash', { command: 'rm -rf BOOTSTRAP.md' })).toBe(RiskLevel.High);
+      });
+
+      test('rm /path/to/BOOTSTRAP.md is still high risk (path separator)', async () => {
+        expect(await classifyRisk('bash', { command: 'rm /path/to/BOOTSTRAP.md' })).toBe(RiskLevel.High);
+      });
+
+      test('rm BOOTSTRAP.md other.txt is still high risk (multiple targets)', async () => {
+        expect(await classifyRisk('bash', { command: 'rm BOOTSTRAP.md other.txt' })).toBe(RiskLevel.High);
+      });
+
+      test('rm somefile.md is still high risk (not a known safe file)', async () => {
+        expect(await classifyRisk('bash', { command: 'rm somefile.md' })).toBe(RiskLevel.High);
+      });
     });
 
     // unknown tool
@@ -374,7 +434,7 @@ describe('Permission Checker', () => {
       expect(high.matchedRule?.id).toBe('default:allow-bash-global');
 
       // Medium risk
-      const med = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      const med = await check('bash', { command: 'curl https://example.com' }, '/tmp');
       expect(med.decision).toBe('allow');
       expect(med.matchedRule?.id).toBe('default:allow-bash-global');
 
@@ -391,7 +451,7 @@ describe('Permission Checker', () => {
         const high = await check('bash', { command: 'sudo rm -rf /' }, '/tmp');
         expect(high.decision).toBe('prompt');
 
-        const med = await check('bash', { command: 'rm file.txt' }, '/tmp');
+        const med = await check('bash', { command: 'curl https://example.com' }, '/tmp');
         expect(med.decision).toBe('prompt');
 
         // Low risk still auto-allows via the normal risk-based fallback
@@ -409,17 +469,31 @@ describe('Permission Checker', () => {
       expect(result.decision).toBe('prompt');
     });
 
-    test('host_bash medium risk with no matching rule → prompt', async () => {
+    test('host_bash rm is always high risk → prompt', async () => {
       const result = await check('host_bash', { command: 'rm file.txt' }, '/tmp');
       expect(result.decision).toBe('prompt');
+      expect(result.reason).toContain('High risk');
     });
 
-    test('medium risk with matching trust rule → allow', async () => {
+    test('plain rm (without -rf) is high risk and prompts despite default allow rule', async () => {
+      // Validates that ALL rm commands are escalated to High risk, not just rm -rf.
+      // The default allow rule for host_bash auto-approves Low/Medium risk but
+      // High risk always prompts.
+      const result = await check('host_bash', { command: 'rm single-file.txt' }, '/tmp');
+      expect(result.decision).toBe('prompt');
+      expect(result.reason).toContain('High risk');
+
+      // Also verify rm -rf still prompts
+      const rfResult = await check('host_bash', { command: 'rm -rf /tmp/dir' }, '/tmp');
+      expect(rfResult.decision).toBe('prompt');
+      expect(rfResult.reason).toContain('High risk');
+    });
+
+    test('rm is high risk even with matching trust rule → prompt', async () => {
       addRule('bash', 'rm *', '/tmp');
       const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
-      expect(result.decision).toBe('allow');
-      expect(result.reason).toContain('Matched trust rule');
-      expect(result.matchedRule).toBeDefined();
+      expect(result.decision).toBe('prompt');
+      expect(result.reason).toContain('High risk');
     });
 
     test('file_read → auto-allow', async () => {
@@ -489,11 +563,11 @@ describe('Permission Checker', () => {
       expect(result.matchedRule?.id).toBe('default:ask-host_file_edit-global');
     });
 
-    test('host_bash prompts by default via host ask rule', async () => {
+    test('host_bash auto-allows low risk via default allow rule', async () => {
       const result = await check('host_bash', { command: 'ls' }, '/tmp');
-      expect(result.decision).toBe('prompt');
-      expect(result.reason).toContain('ask rule');
-      expect(result.matchedRule?.id).toBe('default:ask-host_bash-global');
+      expect(result.decision).toBe('allow');
+      expect(result.reason).toContain('Matched trust rule');
+      expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
     });
 
     test('scaffold_managed_skill prompts by default via managed skill ask rule', async () => {
@@ -597,7 +671,7 @@ describe('Permission Checker', () => {
     });
 
     // Deny rule tests
-    test('deny rule blocks medium-risk command', async () => {
+    test('deny rule blocks high-risk command', async () => {
       addRule('bash', 'rm *', '/tmp', 'deny');
       const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
       expect(result.decision).toBe('deny');
@@ -764,16 +838,16 @@ describe('Permission Checker', () => {
 
     // Priority-based rule resolution
     test('higher-priority allow rule overrides lower-priority deny rule', async () => {
-      addRule('bash', 'rm *', '/tmp', 'deny', 0);
-      addRule('bash', 'rm *', '/tmp', 'allow', 100);
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'deny', 0);
+      addRule('bash', 'chmod *', '/tmp', 'allow', 100);
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('allow');
     });
 
     test('higher-priority deny rule overrides lower-priority allow rule', async () => {
-      addRule('bash', 'rm *', '/tmp', 'allow', 0);
-      addRule('bash', 'rm *', '/tmp', 'deny', 100);
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'allow', 0);
+      addRule('bash', 'chmod *', '/tmp', 'deny', 100);
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('deny');
     });
 
@@ -1465,13 +1539,14 @@ describe('Permission Checker', () => {
       expect(result.matchedRule?.id).toBe('default:allow-bash-global');
     });
 
-    test('host_bash with no user rule returns prompt in strict mode', async () => {
+    test('host_bash auto-allows low risk in strict mode (default allow rule is a matching rule)', async () => {
       testConfig.permissions.mode = 'strict';
       const result = await check('host_bash', { command: 'ls' }, '/tmp');
-      expect(result.decision).toBe('prompt');
+      expect(result.decision).toBe('allow');
+      expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
     });
 
-    test('medium-risk host_bash with no matching rule returns prompt in strict mode', async () => {
+    test('high-risk host_bash (rm) with no matching rule returns prompt in strict mode', async () => {
       testConfig.permissions.mode = 'strict';
       const result = await check('host_bash', { command: 'rm file.txt' }, '/tmp');
       expect(result.decision).toBe('prompt');
@@ -1568,8 +1643,8 @@ describe('Permission Checker', () => {
     });
 
     test('medium-risk tool with allow rule is NOT affected by allowHighRisk', async () => {
-      addRule('bash', 'rm *', '/tmp', 'allow', 100);
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'allow', 100);
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('allow');
       expect(result.reason).toContain('Matched trust rule');
       // No mention of high-risk in the reason
@@ -1639,8 +1714,8 @@ describe('Permission Checker', () => {
 
     test('strict mode: medium-risk with matching allow rule auto-allows', async () => {
       testConfig.permissions.mode = 'strict';
-      addRule('bash', 'rm *', '/tmp', 'allow');
-      const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      addRule('bash', 'chmod *', '/tmp', 'allow');
+      const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(result.decision).toBe('allow');
       expect(result.reason).toContain('Matched trust rule');
     });
@@ -2416,10 +2491,11 @@ describe('Permission Checker', () => {
         expect(result.matchedRule?.id).toBe('default:allow-bash-global');
       });
 
-      test('low-risk host_bash with no user rule prompts in strict mode', async () => {
+      test('low-risk host_bash auto-allows in strict mode (default allow rule is a matching rule)', async () => {
         testConfig.permissions.mode = 'strict';
         const result = await check('host_bash', { command: 'echo hello' }, '/tmp');
-        expect(result.decision).toBe('prompt');
+        expect(result.decision).toBe('allow');
+        expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
       });
 
       test('low-risk file_read with no rule prompts in strict mode', async () => {
@@ -2481,10 +2557,10 @@ describe('Permission Checker', () => {
     //    target-scoped. ───────────────────────────────────────────────
 
     describe('Invariant 4: host execution approvals are explicit and target-scoped', () => {
-      test('host_bash prompts by default (no implicit allow)', async () => {
+      test('host_bash auto-allows low risk via default allow rule', async () => {
         const result = await check('host_bash', { command: 'ls' }, '/tmp');
-        expect(result.decision).toBe('prompt');
-        expect(result.matchedRule?.id).toBe('default:ask-host_bash-global');
+        expect(result.decision).toBe('allow');
+        expect(result.matchedRule?.id).toBe('default:allow-host_bash-global');
       });
 
       test('host_file_read prompts by default (no implicit allow)', async () => {
@@ -2531,11 +2607,11 @@ describe('Permission Checker', () => {
         expect(matchResult.matchedRule?.id).toBe('inv4-target-scoped');
 
         // Different target — the target-scoped rule should NOT match;
-        // falls back to the default host_bash ask rule (prompt)
+        // falls back to the default host_bash allow rule (auto-allows medium risk)
         const noMatchResult = await check('host_bash', { command: 'run script.js' }, '/tmp', {
           executionTarget: '/usr/local/bin/bun',
         });
-        expect(noMatchResult.decision).toBe('prompt');
+        expect(noMatchResult.decision).toBe('allow');
         expect(noMatchResult.matchedRule?.id).not.toBe('inv4-target-scoped');
       });
     });
@@ -2605,7 +2681,7 @@ describe('Permission Checker', () => {
       test('wildcard allow rule matches any command in legacy mode', async () => {
         testConfig.permissions.mode = 'legacy';
         addRule('bash', '*', 'everywhere');
-        const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+        const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
         expect(result.decision).toBe('allow');
         expect(result.matchedRule).toBeDefined();
       });
@@ -2613,7 +2689,7 @@ describe('Permission Checker', () => {
       test('wildcard allow rule matches any command in strict mode', async () => {
         testConfig.permissions.mode = 'strict';
         addRule('bash', '*', 'everywhere');
-        const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+        const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
         expect(result.decision).toBe('allow');
         expect(result.matchedRule).toBeDefined();
       });
@@ -2724,12 +2800,27 @@ describe('Permission Checker', () => {
     );
 
     test('getDefaultRuleTemplates has no extra rules when extraDirs is empty', () => {
-      // Default testConfig has no skills property → getConfig returns default
-      // with extraDirs: []
       const templates = getDefaultRuleTemplates();
       const extraRules = templates.filter((t) => t.id.includes('extra-'));
       expect(extraRules.length).toBe(0);
     });
+
+    test('getDefaultRuleTemplates tolerates partial config mocks', () => {
+      const originalSkills = testConfig.skills;
+      const originalSandbox = testConfig.sandbox;
+      try {
+        testConfig.skills = {} as any;
+        testConfig.sandbox = {} as any;
+
+        const templates = getDefaultRuleTemplates();
+        expect(Array.isArray(templates)).toBe(true);
+        expect(templates.some((t) => t.id.includes('extra-'))).toBe(false);
+        expect(templates.some((t) => t.id === 'default:allow-bash-global')).toBe(true);
+      } finally {
+        testConfig.skills = originalSkills;
+        testConfig.sandbox = originalSandbox;
+      }
+    });
   });
 
   // ── backslash normalization gated to Windows (PR 3558 follow-up) ──
@@ -2952,8 +3043,8 @@ describe('bash network_mode=proxied force prompt', () => {
   });
 
   test('non-proxied bash with trust rule follows normal flow', async () => {
-    addRule('bash', 'rm *', '/tmp');
-    const result = await check('bash', { command: 'rm file.txt' }, '/tmp');
+    addRule('bash', 'chmod *', '/tmp');
+    const result = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
     expect(result.decision).toBe('allow');
     expect(result.reason).not.toContain('Proxied network mode');
   });
@@ -3245,10 +3336,10 @@ describe('workspace mode — auto-allow workspace-scoped operations', () => {
     expect(result.reason).toContain('ask rule');
   });
 
-  test('host_bash → prompt (default ask rule matches)', async () => {
+  test('host_bash → allow (default allow rule matches)', async () => {
     const result = await check('host_bash', { command: 'ls' }, workspaceDir);
-    expect(result.decision).toBe('prompt');
-    expect(result.reason).toContain('ask rule');
+    expect(result.decision).toBe('allow');
+    expect(result.reason).toContain('Matched trust rule');
   });
 
   // ── explicit rules still take precedence in workspace mode ──
@@ -3428,20 +3519,20 @@ describe('integration regressions (PR 11)', () => {
   });
 
   test('raw legacy rule still works alongside new action key system', async () => {
-    // Use medium-risk commands (rm) so they aren't auto-allowed by low-risk classification.
+    // Use medium-risk commands (chmod) so they aren't auto-allowed by low-risk classification.
     // Disable sandbox so the catch-all "**" rule doesn't interfere.
     testConfig.sandbox.enabled = false;
     try { rmSync(join(checkerTestDir, 'protected', 'trust.json')); } catch { /* may not exist */ }
     clearCache();
     try {
-      addRule('bash', 'rm file.txt', 'everywhere');
+      addRule('bash', 'chmod 644 file.txt', 'everywhere');
 
       // Exact match still works
-      const r1 = await check('bash', { command: 'rm file.txt' }, '/tmp');
+      const r1 = await check('bash', { command: 'chmod 644 file.txt' }, '/tmp');
       expect(r1.decision).toBe('allow');
 
-      // Different rm argument should not match this exact raw rule
-      const r2 = await check('bash', { command: 'rm other.txt' }, '/tmp');
+      // Different chmod argument should not match this exact raw rule
+      const r2 = await check('bash', { command: 'chmod 755 other.txt' }, '/tmp');
       expect(r2.decision).not.toBe('allow');
     } finally {
       testConfig.sandbox.enabled = true;

package/src/__tests__/config-watcher.test.ts

@@ -73,6 +73,7 @@ const fakeWatcher = {
 };
 
 mock.module('node:fs', () => {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
   const actual = require('node:fs');
   return {
     ...actual,
@@ -93,10 +94,6 @@ mock.module('node:fs', () => {
   };
 });
 
-// Track refreshConfigFromSources calls
-let refreshConfigCalled = false;
-let refreshConfigReturn = false;
-
 // Mock config/loader and other dependencies that ConfigWatcher imports
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({}),
@@ -107,16 +104,18 @@ mock.module('../memory/embedding-backend.js', () => ({
   clearEmbeddingBackendCache: () => {},
 }));
 
+let trustClearCacheCallCount = 0;
 mock.module('../permissions/trust-store.js', () => ({
-  clearCache: () => {},
+  clearCache: () => { trustClearCacheCallCount++; },
 }));
 
 mock.module('../providers/registry.js', () => ({
   initializeProviders: () => {},
 }));
 
+let resetAllowlistCallCount = 0;
 mock.module('../security/secret-allowlist.js', () => ({
-  resetAllowlist: () => {},
+  resetAllowlist: () => { resetAllowlistCallCount++; },
   validateAllowlistFile: () => [],
 }));
 
@@ -159,6 +158,8 @@ const onSessionEvict = () => { evictCallCount++; };
 beforeEach(() => {
   capturedWatchers.length = 0;
   evictCallCount = 0;
+  trustClearCacheCallCount = 0;
+  resetAllowlistCallCount = 0;
   watcher = new ConfigWatcher();
 });
 
@@ -209,8 +210,6 @@ describe('ConfigWatcher workspace file handlers', () => {
   });
 
   test('config.json change calls refreshConfigFromSources', async () => {
-    // Spy on refreshConfigFromSources to verify it is called
-    const originalRefresh = watcher.refreshConfigFromSources.bind(watcher);
     let refreshCalled = false;
     watcher.refreshConfigFromSources = () => {
       refreshCalled = true;
@@ -273,11 +272,6 @@ describe('ConfigWatcher workspace file handlers', () => {
 
 describe('ConfigWatcher protected directory handlers', () => {
   test('trust.json change calls clearTrustCache', async () => {
-    let trustCacheClearCalled = false;
-
-    // Re-mock trust-store to track calls
-    const { clearCache } = await import('../permissions/trust-store.js');
-
     watcher.start(onSessionEvict);
     const protectedWatcher = findWatcher(PROTECTED_DIR);
     expect(protectedWatcher).toBeDefined();
@@ -286,6 +280,8 @@ describe('ConfigWatcher protected directory handlers', () => {
     await new Promise((r) => setTimeout(r, 300));
     // trust.json should NOT trigger session eviction
     expect(evictCallCount).toBe(0);
+    // but clearCache should have been called
+    expect(trustClearCacheCallCount).toBe(1);
   });
 
   test('secret-allowlist.json change calls resetAllowlist', async () => {
@@ -297,6 +293,8 @@ describe('ConfigWatcher protected directory handlers', () => {
     await new Promise((r) => setTimeout(r, 300));
     // secret-allowlist.json should NOT trigger session eviction
     expect(evictCallCount).toBe(0);
+    // but resetAllowlist should have been called
+    expect(resetAllowlistCallCount).toBe(1);
   });
 });
 

package/src/__tests__/conversation-pairing.test.ts

@@ -2,8 +2,9 @@
  * Regression tests for notification conversation pairing.
  *
  * Validates that pairDeliveryWithConversation materializes conversations
- * and messages according to the channel's conversation strategy, and that
- * errors in pairing never break the notification pipeline.
+ * and messages according to the channel's conversation strategy, handles
+ * thread reuse decisions, and that errors in pairing never break the
+ * notification pipeline.
  */
 
 import { beforeEach, describe, expect, mock, test } from 'bun:test';
@@ -22,6 +23,9 @@ let mockMessageId = 'msg-001';
 let createConversationShouldThrow = false;
 let addMessageShouldThrow = false;
 
+/** Simulated existing conversations for getConversation mock. */
+let mockExistingConversations: Record<string, { id: string; source: string; title: string | null }> = {};
+
 const createConversationMock = mock((_opts?: unknown) => {
   if (createConversationShouldThrow) throw new Error('DB write failed');
   return { id: mockConversationId };
@@ -40,14 +44,19 @@ const addMessageMock = mock(
   },
 );
 
+const getConversationMock = mock((id: string) => {
+  return mockExistingConversations[id] ?? null;
+});
+
 mock.module('../memory/conversation-store.js', () => ({
   createConversation: createConversationMock,
   addMessage: addMessageMock,
+  getConversation: getConversationMock,
 }));
 
 import { pairDeliveryWithConversation } from '../notifications/conversation-pairing.js';
 import type { NotificationSignal } from '../notifications/signal.js';
-import type { NotificationChannel, RenderedChannelCopy } from '../notifications/types.js';
+import type { NotificationChannel, RenderedChannelCopy, ThreadAction } from '../notifications/types.js';
 
 // ── Test helpers ────────────────────────────────────────────────────────
 
@@ -82,10 +91,12 @@ describe('pairDeliveryWithConversation', () => {
   beforeEach(() => {
     createConversationMock.mockClear();
     addMessageMock.mockClear();
+    getConversationMock.mockClear();
     mockConversationId = 'conv-001';
     mockMessageId = 'msg-001';
     createConversationShouldThrow = false;
     addMessageShouldThrow = false;
+    mockExistingConversations = {};
   });
 
   // ── start_new_conversation (vellum) ─────────────────────────────────
@@ -99,6 +110,8 @@ describe('pairDeliveryWithConversation', () => {
     expect(result.conversationId).toBe('conv-001');
     expect(result.messageId).toBe('msg-001');
     expect(result.strategy).toBe('start_new_conversation');
+    expect(result.createdNewConversation).toBe(true);
+    expect(result.threadDecisionFallbackUsed).toBe(false);
     expect(createConversationMock).toHaveBeenCalledTimes(1);
     expect(addMessageMock).toHaveBeenCalledTimes(1);
     const callArgs = createConversationMock.mock.calls[0]![0] as Record<string, unknown>;
@@ -195,6 +208,7 @@ describe('pairDeliveryWithConversation', () => {
     expect(result.conversationId).toBe('conv-001');
     expect(result.messageId).toBe('msg-001');
     expect(result.strategy).toBe('continue_existing_conversation');
+    expect(result.createdNewConversation).toBe(true);
     expect(createConversationMock).toHaveBeenCalledTimes(1);
     const callArgs = createConversationMock.mock.calls[0]![0] as Record<string, unknown>;
     expect(callArgs.threadType).toBe('background');
@@ -218,10 +232,95 @@ describe('pairDeliveryWithConversation', () => {
     expect(result.conversationId).toBeNull();
     expect(result.messageId).toBeNull();
     expect(result.strategy).toBe('not_deliverable');
+    expect(result.createdNewConversation).toBe(false);
     expect(createConversationMock).not.toHaveBeenCalled();
     expect(addMessageMock).not.toHaveBeenCalled();
   });
 
+  // ── Thread reuse (reuse_existing) ─────────────────────────────────
+
+  test('reuses existing conversation when threadAction is reuse_existing and target is valid', async () => {
+    mockExistingConversations['conv-existing'] = {
+      id: 'conv-existing',
+      source: 'notification',
+      title: 'Previous Thread',
+    };
+
+    const signal = makeSignal();
+    const copy = makeCopy({ threadSeedMessage: 'Follow-up notification message content' });
+    const threadAction: ThreadAction = { action: 'reuse_existing', conversationId: 'conv-existing' };
+
+    const result = await pairDeliveryWithConversation(signal, 'vellum' as NotificationChannel, copy, { threadAction });
+
+    expect(result.conversationId).toBe('conv-existing');
+    expect(result.messageId).toBe('msg-001');
+    expect(result.createdNewConversation).toBe(false);
+    expect(result.threadDecisionFallbackUsed).toBe(false);
+    // Should NOT have created a new conversation — only addMessage should be called
+    expect(createConversationMock).not.toHaveBeenCalled();
+    expect(addMessageMock).toHaveBeenCalledTimes(1);
+    // Verify addMessage was called with the existing conversation ID
+    expect(addMessageMock.mock.calls[0]![0]).toBe('conv-existing');
+  });
+
+  test('falls back to new conversation when reuse target does not exist', async () => {
+    // No existing conversations — target is stale/invalid
+    const signal = makeSignal();
+    const copy = makeCopy();
+    const threadAction: ThreadAction = { action: 'reuse_existing', conversationId: 'conv-nonexistent' };
+
+    const result = await pairDeliveryWithConversation(signal, 'vellum' as NotificationChannel, copy, { threadAction });
+
+    expect(result.conversationId).toBe('conv-001');
+    expect(result.messageId).toBe('msg-001');
+    expect(result.createdNewConversation).toBe(true);
+    expect(result.threadDecisionFallbackUsed).toBe(true);
+    expect(createConversationMock).toHaveBeenCalledTimes(1);
+  });
+
+  test('falls back to new conversation when reuse target has wrong source', async () => {
+    // Conversation exists but was created by user, not notification
+    mockExistingConversations['conv-user'] = {
+      id: 'conv-user',
+      source: 'user',
+      title: 'User Thread',
+    };
+
+    const signal = makeSignal();
+    const copy = makeCopy();
+    const threadAction: ThreadAction = { action: 'reuse_existing', conversationId: 'conv-user' };
+
+    const result = await pairDeliveryWithConversation(signal, 'vellum' as NotificationChannel, copy, { threadAction });
+
+    expect(result.conversationId).toBe('conv-001');
+    expect(result.createdNewConversation).toBe(true);
+    expect(result.threadDecisionFallbackUsed).toBe(true);
+  });
+
+  test('creates new conversation when threadAction is start_new', async () => {
+    const signal = makeSignal();
+    const copy = makeCopy();
+    const threadAction: ThreadAction = { action: 'start_new' };
+
+    const result = await pairDeliveryWithConversation(signal, 'vellum' as NotificationChannel, copy, { threadAction });
+
+    expect(result.conversationId).toBe('conv-001');
+    expect(result.createdNewConversation).toBe(true);
+    expect(result.threadDecisionFallbackUsed).toBe(false);
+    expect(createConversationMock).toHaveBeenCalledTimes(1);
+  });
+
+  test('creates new conversation when threadAction is undefined (default)', async () => {
+    const signal = makeSignal();
+    const copy = makeCopy();
+
+    const result = await pairDeliveryWithConversation(signal, 'vellum' as NotificationChannel, copy);
+
+    expect(result.conversationId).toBe('conv-001');
+    expect(result.createdNewConversation).toBe(true);
+    expect(result.threadDecisionFallbackUsed).toBe(false);
+  });
+
   // ── Error resilience ──────────────────────────────────────────────
 
   test('catches createConversation errors and returns null IDs without throwing', async () => {
@@ -236,6 +335,7 @@ describe('pairDeliveryWithConversation', () => {
     expect(result.messageId).toBeNull();
     // Strategy should still be resolved from the policy registry
     expect(result.strategy).toBe('start_new_conversation');
+    expect(result.createdNewConversation).toBe(false);
   });
 
   test('catches addMessage errors and returns null IDs without throwing', async () => {

package/src/__tests__/guardian-action-conversation-turn.test.ts

@@ -39,13 +39,13 @@ import {
   startFollowupFromExpiredRequest,
   updateDeliveryStatus,
 } from '../memory/guardian-action-store.js';
+import { conversations } from '../memory/schema.js';
 import { processGuardianFollowUpTurn } from '../runtime/guardian-action-conversation-turn.js';
 import type {
   GuardianFollowUpConversationContext,
   GuardianFollowUpConversationGenerator,
   GuardianFollowUpTurnResult,
 } from '../runtime/http-types.js';
-import { conversations } from '../memory/schema.js';
 
 initializeDb();
 

package/src/__tests__/guardian-action-followup-executor.test.ts

@@ -71,9 +71,9 @@ import {
   startFollowupFromExpiredRequest,
   updateDeliveryStatus,
 } from '../memory/guardian-action-store.js';
+import { conversations } from '../memory/schema.js';
 import { executeFollowupAction } from '../runtime/guardian-action-followup-executor.js';
 import { resolveCounterparty } from '../runtime/guardian-action-followup-executor.js';
-import { conversations } from '../memory/schema.js';
 
 initializeDb();