@vellumai/assistant 0.3.18 → 0.3.19

package/src/__tests__/guardian-action-grant-mint-consume.test.ts

@@ -0,0 +1,511 @@
+/**
+ * Integration test: guardian-action answer resolution mints a scoped grant
+ * that the voice consumer can consume exactly once.
+ *
+ * Exercises the original voice bug scenario end-to-end:
+ *   1. Voice ASK_GUARDIAN fires -> guardian action request created with tool metadata
+ *   2. Guardian answers via desktop/Telegram -> request resolved
+ *   3. tryMintGuardianActionGrant mints a tool_signature grant
+ *   4. Voice consumer can consume the grant for the same tool+input
+ *   5. Second consume attempt is denied (one-time use)
+ *   6. Grant for a different assistantId is not consumable
+ */
+
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+
+const testDir = mkdtempSync(join(tmpdir(), 'guardian-action-grant-e2e-'));
+
+// ── Platform + logger mocks ─────────────────────────────────────────
+
+mock.module('../util/platform.js', () => ({
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+  migrateToDataLayout: () => {},
+  migrateToWorkspaceLayout: () => {},
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+  isDebug: () => false,
+  truncateForLog: (value: string) => value,
+}));
+
+// ── Imports (after mocks) ───────────────────────────────────────────
+
+import {
+  createGuardianActionRequest,
+  resolveGuardianActionRequest,
+} from '../memory/guardian-action-store.js';
+import {
+  consumeScopedApprovalGrantByToolSignature,
+  type CreateScopedApprovalGrantParams,
+  createScopedApprovalGrant,
+} from '../memory/scoped-approval-grants.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { conversations, scopedApprovalGrants } from '../memory/schema.js';
+import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
+import { tryMintGuardianActionGrant } from '../runtime/guardian-action-grant-minter.js';
+import { createCallSession, createPendingQuestion } from '../calls/call-store.js';
+
+initializeDb();
+
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    /* best effort */
+  }
+});
+
+// ── Constants ───────────────────────────────────────────────────────
+
+const ASSISTANT_ID = 'self';
+const TOOL_NAME = 'execute_shell';
+const TOOL_INPUT = { command: 'rm -rf /tmp/test' };
+const CONVERSATION_ID = 'conv-e2e';
+
+// Mutable references populated by ensureFkParents()
+let CALL_SESSION_ID = '';
+let PENDING_QUESTION_IDS: string[] = [];
+let pqIndex = 0;
+
+function ensureConversation(id: string): void {
+  const db = getDb();
+  const now = Date.now();
+  db.insert(conversations).values({
+    id,
+    title: `Conversation ${id}`,
+    createdAt: now,
+    updatedAt: now,
+  }).run();
+}
+
+/** Create the FK parent rows required by guardian_action_requests. */
+function ensureFkParents(): void {
+  ensureConversation(CONVERSATION_ID);
+  const session = createCallSession({
+    conversationId: CONVERSATION_ID,
+    provider: 'twilio',
+    fromNumber: '+15550001111',
+    toNumber: '+15550002222',
+  });
+  CALL_SESSION_ID = session.id;
+
+  // Pre-create enough pending questions for all tests in a suite run
+  PENDING_QUESTION_IDS = [];
+  pqIndex = 0;
+  for (let i = 0; i < 10; i++) {
+    const pq = createPendingQuestion(session.id, `Question ${i}`);
+    PENDING_QUESTION_IDS.push(pq.id);
+  }
+}
+
+function nextPendingQuestionId(): string {
+  return PENDING_QUESTION_IDS[pqIndex++];
+}
+
+function clearTables(): void {
+  const db = getDb();
+  try {
+    db.run('DELETE FROM scoped_approval_grants');
+  } catch {
+    /* table may not exist */
+  }
+  try {
+    db.run('DELETE FROM guardian_action_deliveries');
+  } catch {
+    /* table may not exist */
+  }
+  try {
+    db.run('DELETE FROM guardian_action_requests');
+  } catch {
+    /* table may not exist */
+  }
+  try {
+    db.run('DELETE FROM call_pending_questions');
+  } catch {
+    /* table may not exist */
+  }
+  try {
+    db.run('DELETE FROM call_events');
+  } catch {
+    /* table may not exist */
+  }
+  try {
+    db.run('DELETE FROM call_sessions');
+  } catch {
+    /* table may not exist */
+  }
+  try {
+    db.run('DELETE FROM conversations');
+  } catch {
+    /* table may not exist */
+  }
+}
+
+// ── Tests ───────────────────────────────────────────────────────────
+
+describe('guardian-action grant mint -> voice consume integration', () => {
+  beforeEach(() => {
+    clearTables();
+    ensureFkParents();
+  });
+
+  test('full flow: resolve guardian action with tool metadata -> mint grant -> voice consume succeeds once', () => {
+    const inputDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+
+    // Step 1: Create a guardian action request with tool metadata
+    // (simulates the voice ASK_GUARDIAN path)
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'Can I run rm -rf /tmp/test?',
+      expiresAt: Date.now() + 60_000,
+      toolName: TOOL_NAME,
+      inputDigest,
+    });
+
+    expect(request.toolName).toBe(TOOL_NAME);
+    expect(request.inputDigest).toBe(inputDigest);
+    expect(request.status).toBe('pending');
+
+    // Step 2: Guardian answers -> resolve the request
+    const resolved = resolveGuardianActionRequest(
+      request.id,
+      'yes',
+      'telegram',
+      'guardian-user-123',
+    );
+    expect(resolved).not.toBeNull();
+    expect(resolved!.status).toBe('answered');
+
+    // Step 3: Mint a scoped grant from the resolved request
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: 'yes',
+      decisionChannel: 'telegram',
+      guardianExternalUserId: 'guardian-user-123',
+    });
+
+    // Verify the grant was created
+    const db = getDb();
+    const grants = db
+      .select()
+      .from(scopedApprovalGrants)
+      .all();
+    expect(grants.length).toBe(1);
+    expect(grants[0].toolName).toBe(TOOL_NAME);
+    expect(grants[0].inputDigest).toBe(inputDigest);
+    expect(grants[0].scopeMode).toBe('tool_signature');
+    expect(grants[0].status).toBe('active');
+    expect(grants[0].assistantId).toBe(ASSISTANT_ID);
+    expect(grants[0].callSessionId).toBe(CALL_SESSION_ID);
+
+    // Step 4: Voice consumer consumes the grant
+    const consumeResult = consumeScopedApprovalGrantByToolSignature({
+      toolName: TOOL_NAME,
+      inputDigest,
+      consumingRequestId: 'voice-req-1',
+      assistantId: ASSISTANT_ID,
+      executionChannel: 'voice',
+      callSessionId: CALL_SESSION_ID,
+      conversationId: CONVERSATION_ID,
+    });
+    expect(consumeResult.ok).toBe(true);
+    expect(consumeResult.grant).not.toBeNull();
+    expect(consumeResult.grant!.status).toBe('consumed');
+    expect(consumeResult.grant!.consumedByRequestId).toBe('voice-req-1');
+
+    // Step 5: Second consume attempt fails (one-time use)
+    const secondConsume = consumeScopedApprovalGrantByToolSignature({
+      toolName: TOOL_NAME,
+      inputDigest,
+      consumingRequestId: 'voice-req-2',
+      assistantId: ASSISTANT_ID,
+      executionChannel: 'voice',
+      callSessionId: CALL_SESSION_ID,
+      conversationId: CONVERSATION_ID,
+    });
+    expect(secondConsume.ok).toBe(false);
+    expect(secondConsume.grant).toBeNull();
+  });
+
+  test('grant minted for one assistantId cannot be consumed by another', () => {
+    const inputDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'Can I run the command?',
+      expiresAt: Date.now() + 60_000,
+      toolName: TOOL_NAME,
+      inputDigest,
+    });
+
+    const resolved = resolveGuardianActionRequest(request.id, 'Yes', 'telegram');
+    expect(resolved).not.toBeNull();
+
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: 'Yes',
+      decisionChannel: 'telegram',
+    });
+
+    // Attempt to consume with a different assistantId
+    const wrongAssistant = consumeScopedApprovalGrantByToolSignature({
+      toolName: TOOL_NAME,
+      inputDigest,
+      consumingRequestId: 'voice-req-wrong',
+      assistantId: 'other-assistant',
+      executionChannel: 'voice',
+      callSessionId: CALL_SESSION_ID,
+      conversationId: CONVERSATION_ID,
+    });
+    expect(wrongAssistant.ok).toBe(false);
+
+    // Correct assistantId succeeds
+    const correctAssistant = consumeScopedApprovalGrantByToolSignature({
+      toolName: TOOL_NAME,
+      inputDigest,
+      consumingRequestId: 'voice-req-correct',
+      assistantId: ASSISTANT_ID,
+      executionChannel: 'voice',
+      callSessionId: CALL_SESSION_ID,
+      conversationId: CONVERSATION_ID,
+    });
+    expect(correctAssistant.ok).toBe(true);
+  });
+
+  test('no grant minted when guardian action request lacks tool metadata', () => {
+    // Create a request without toolName/inputDigest (informational consult)
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'What should I tell the caller?',
+      expiresAt: Date.now() + 60_000,
+      // No toolName or inputDigest
+    });
+
+    const resolved = resolveGuardianActionRequest(request.id, 'Tell them to call back', 'vellum');
+    expect(resolved).not.toBeNull();
+
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: 'Tell them to call back',
+      decisionChannel: 'vellum',
+    });
+
+    // No grant should have been created
+    const db = getDb();
+    const grants = db
+      .select()
+      .from(scopedApprovalGrants)
+      .all();
+    expect(grants.length).toBe(0);
+  });
+
+  test('grant minted via desktop/vellum channel also consumable by voice', () => {
+    const inputDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'Permission to execute?',
+      expiresAt: Date.now() + 60_000,
+      toolName: TOOL_NAME,
+      inputDigest,
+    });
+
+    // Guardian answers via desktop (vellum channel)
+    const resolved = resolveGuardianActionRequest(request.id, 'approve', 'vellum');
+    expect(resolved).not.toBeNull();
+
+    // Mint with decisionChannel: 'vellum' (desktop path)
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: 'approve',
+      decisionChannel: 'vellum',
+    });
+
+    // The grant should have executionChannel: null (wildcard), so voice can consume
+    const consumeResult = consumeScopedApprovalGrantByToolSignature({
+      toolName: TOOL_NAME,
+      inputDigest,
+      consumingRequestId: 'voice-req-desktop',
+      assistantId: ASSISTANT_ID,
+      executionChannel: 'voice',
+      callSessionId: CALL_SESSION_ID,
+      conversationId: CONVERSATION_ID,
+    });
+    expect(consumeResult.ok).toBe(true);
+  });
+
+  test('no grant minted when guardian answer is a denial', () => {
+    const inputDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'Can I run rm -rf /tmp/test?',
+      expiresAt: Date.now() + 60_000,
+      toolName: TOOL_NAME,
+      inputDigest,
+    });
+
+    // Guardian explicitly denies the action
+    const resolved = resolveGuardianActionRequest(request.id, 'No', 'telegram', 'guardian-user-456');
+    expect(resolved).not.toBeNull();
+
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: 'No',
+      decisionChannel: 'telegram',
+      guardianExternalUserId: 'guardian-user-456',
+    });
+
+    // No grant should have been created for a denial
+    const db = getDb();
+    const grants = db
+      .select()
+      .from(scopedApprovalGrants)
+      .all();
+    expect(grants.length).toBe(0);
+  });
+
+  test.each(['no', 'reject', 'deny', 'cancel'])('no grant minted for denial keyword: %s', (denialWord) => {
+    const inputDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'Permission to execute?',
+      expiresAt: Date.now() + 60_000,
+      toolName: TOOL_NAME,
+      inputDigest,
+    });
+
+    const resolved = resolveGuardianActionRequest(request.id, denialWord, 'telegram');
+    expect(resolved).not.toBeNull();
+
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: denialWord,
+      decisionChannel: 'telegram',
+    });
+
+    const db = getDb();
+    const grants = db
+      .select()
+      .from(scopedApprovalGrants)
+      .all();
+    expect(grants.length).toBe(0);
+  });
+
+  test('no grant minted for unrecognised free-form answer (fail-closed)', () => {
+    const inputDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'Can I run the command?',
+      expiresAt: Date.now() + 60_000,
+      toolName: TOOL_NAME,
+      inputDigest,
+    });
+
+    // Free-form text that doesn't match a known approval phrase
+    const resolved = resolveGuardianActionRequest(request.id, 'Sure, go ahead and run it', 'telegram');
+    expect(resolved).not.toBeNull();
+
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: 'Sure, go ahead and run it',
+      decisionChannel: 'telegram',
+    });
+
+    // No grant — unrecognised text is not treated as approval (fail-closed)
+    const db = getDb();
+    const grants = db
+      .select()
+      .from(scopedApprovalGrants)
+      .all();
+    expect(grants.length).toBe(0);
+  });
+
+  test.each(['yes', 'approve', 'approve once', 'allow', 'go ahead'])('grant IS minted for approval keyword: %s', (approveWord) => {
+    const inputDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+
+    const request = createGuardianActionRequest({
+      assistantId: ASSISTANT_ID,
+      kind: 'ask_guardian',
+      sourceChannel: 'voice',
+      sourceConversationId: CONVERSATION_ID,
+      callSessionId: CALL_SESSION_ID,
+      pendingQuestionId: nextPendingQuestionId(),
+      questionText: 'Can I run the command?',
+      expiresAt: Date.now() + 60_000,
+      toolName: TOOL_NAME,
+      inputDigest,
+    });
+
+    const resolved = resolveGuardianActionRequest(request.id, approveWord, 'telegram');
+    expect(resolved).not.toBeNull();
+
+    tryMintGuardianActionGrant({
+      resolvedRequest: resolved!,
+      answerText: approveWord,
+      decisionChannel: 'telegram',
+    });
+
+    const db = getDb();
+    const grants = db
+      .select()
+      .from(scopedApprovalGrants)
+      .all();
+    expect(grants.length).toBe(1);
+    expect(grants[0].toolName).toBe(TOOL_NAME);
+  });
+});

package/src/__tests__/guardian-dispatch.test.ts

@@ -336,10 +336,70 @@ describe('guardian-dispatch', () => {
     expect(vellumDelivery!.destination_conversation_id).toBe('conv-from-thread-created');
   });
 
-  test('includes activeGuardianRequestCount in context payload', async () => {
+  test('persists toolName and inputDigest on guardian action request for tool-approval dispatches', async () => {
     const convId = 'conv-dispatch-5';
     ensureConversation(convId);
 
+    const session = createCallSession({
+      conversationId: convId,
+      provider: 'twilio',
+      fromNumber: '+15550001111',
+      toNumber: '+15550002222',
+    });
+    const pq = createPendingQuestion(session.id, 'Allow send_email to bob@example.com?');
+
+    await dispatchGuardianQuestion({
+      callSessionId: session.id,
+      conversationId: convId,
+      assistantId: 'self',
+      pendingQuestion: pq,
+      toolName: 'send_email',
+      inputDigest: 'abc123def456',
+    });
+
+    const db = getDb();
+    const raw = (db as unknown as { $client: import('bun:sqlite').Database }).$client;
+    const request = raw.query('SELECT * FROM guardian_action_requests WHERE call_session_id = ?').get(session.id) as
+      | { id: string; tool_name: string | null; input_digest: string | null }
+      | undefined;
+    expect(request).toBeDefined();
+    expect(request!.tool_name).toBe('send_email');
+    expect(request!.input_digest).toBe('abc123def456');
+  });
+
+  test('omitting toolName and inputDigest stores null for informational ASK_GUARDIAN dispatches', async () => {
+    const convId = 'conv-dispatch-6';
+    ensureConversation(convId);
+
+    const session = createCallSession({
+      conversationId: convId,
+      provider: 'twilio',
+      fromNumber: '+15550001111',
+      toNumber: '+15550002222',
+    });
+    const pq = createPendingQuestion(session.id, 'What time works?');
+
+    await dispatchGuardianQuestion({
+      callSessionId: session.id,
+      conversationId: convId,
+      assistantId: 'self',
+      pendingQuestion: pq,
+    });
+
+    const db = getDb();
+    const raw = (db as unknown as { $client: import('bun:sqlite').Database }).$client;
+    const request = raw.query('SELECT * FROM guardian_action_requests WHERE call_session_id = ?').get(session.id) as
+      | { id: string; tool_name: string | null; input_digest: string | null }
+      | undefined;
+    expect(request).toBeDefined();
+    expect(request!.tool_name).toBeNull();
+    expect(request!.input_digest).toBeNull();
+  });
+
+  test('includes activeGuardianRequestCount in context payload', async () => {
+    const convId = 'conv-dispatch-7';
+    ensureConversation(convId);
+
     const session = createCallSession({
       conversationId: convId,
       provider: 'twilio',