npm - @vellumai/assistant - Versions diffs - 0.3.18 → 0.3.20 - Mend

@vellumai/assistant 0.3.18 → 0.3.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (202) hide show

package/ARCHITECTURE.md +155 -15
package/Dockerfile +1 -0
package/README.md +40 -4
package/docs/architecture/integrations.md +7 -11
package/docs/architecture/security.md +80 -0
package/package.json +1 -1
package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap +58 -0
package/src/__tests__/approval-primitive.test.ts +540 -0
package/src/__tests__/assistant-feature-flag-guard.test.ts +206 -0
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +198 -0
package/src/__tests__/assistant-feature-flags-integration.test.ts +272 -0
package/src/__tests__/call-controller.test.ts +605 -104
package/src/__tests__/channel-invite-transport.test.ts +264 -0
package/src/__tests__/checker.test.ts +60 -0
package/src/__tests__/cli.test.ts +42 -1
package/src/__tests__/config-schema.test.ts +11 -127
package/src/__tests__/config-watcher.test.ts +0 -8
package/src/__tests__/daemon-lifecycle.test.ts +1 -0
package/src/__tests__/daemon-server-session-init.test.ts +8 -2
package/src/__tests__/diff.test.ts +22 -0
package/src/__tests__/guardian-action-copy-generator.test.ts +5 -0
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +779 -0
package/src/__tests__/guardian-action-late-reply.test.ts +546 -1
package/src/__tests__/guardian-actions-endpoint.test.ts +774 -0
package/src/__tests__/guardian-control-plane-policy.test.ts +36 -3
package/src/__tests__/guardian-dispatch.test.ts +185 -1
package/src/__tests__/guardian-grant-minting.test.ts +532 -0
package/src/__tests__/inbound-invite-redemption.test.ts +367 -0
package/src/__tests__/invite-redemption-service.test.ts +306 -0
package/src/__tests__/ipc-snapshot.test.ts +58 -0
package/src/__tests__/notification-decision-fallback.test.ts +88 -0
package/src/__tests__/remote-skill-policy.test.ts +215 -0
package/src/__tests__/sandbox-diagnostics.test.ts +6 -249
package/src/__tests__/sandbox-host-parity.test.ts +6 -13
package/src/__tests__/scoped-approval-grants.test.ts +521 -0
package/src/__tests__/scoped-grant-security-matrix.test.ts +444 -0
package/src/__tests__/script-proxy-session-manager.test.ts +1 -19
package/src/__tests__/session-load-history-repair.test.ts +169 -2
package/src/__tests__/session-runtime-assembly.test.ts +33 -5
package/src/__tests__/skill-feature-flags-integration.test.ts +171 -0
package/src/__tests__/skill-feature-flags.test.ts +188 -0
package/src/__tests__/skill-load-feature-flag.test.ts +141 -0
package/src/__tests__/skill-mirror-parity.test.ts +1 -0
package/src/__tests__/skill-projection-feature-flag.test.ts +363 -0
package/src/__tests__/system-prompt.test.ts +1 -1
package/src/__tests__/terminal-sandbox.test.ts +142 -9
package/src/__tests__/terminal-tools.test.ts +2 -93
package/src/__tests__/thread-seed-composer.test.ts +18 -0
package/src/__tests__/tool-approval-handler.test.ts +350 -0
package/src/__tests__/trust-store.test.ts +2 -0
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +8 -10
package/src/__tests__/voice-scoped-grant-consumer.test.ts +533 -0
package/src/agent/loop.ts +36 -1
package/src/approvals/approval-primitive.ts +381 -0
package/src/approvals/guardian-decision-primitive.ts +191 -0
package/src/calls/call-controller.ts +276 -212
package/src/calls/call-domain.ts +56 -6
package/src/calls/guardian-dispatch.ts +56 -0
package/src/calls/relay-server.ts +13 -0
package/src/calls/types.ts +1 -1
package/src/calls/voice-session-bridge.ts +59 -4
package/src/cli/core-commands.ts +0 -4
package/src/cli.ts +76 -34
package/src/config/__tests__/feature-flag-registry-guard.test.ts +179 -0
package/src/config/assistant-feature-flags.ts +162 -0
package/src/config/bundled-skills/api-mapping/icon.svg +18 -0
package/src/config/bundled-skills/messaging/TOOLS.json +30 -0
package/src/config/bundled-skills/messaging/tools/slack-delete-message.ts +24 -0
package/src/config/bundled-skills/notifications/SKILL.md +18 -0
package/src/config/bundled-skills/reminder/SKILL.md +49 -2
package/src/config/bundled-skills/time-based-actions/SKILL.md +49 -2
package/src/config/bundled-skills/voice-setup/SKILL.md +122 -0
package/src/config/core-schema.ts +1 -1
package/src/config/env-registry.ts +10 -0
package/src/config/feature-flag-registry.json +61 -0
package/src/config/loader.ts +22 -1
package/src/config/sandbox-schema.ts +0 -39
package/src/config/schema.ts +12 -2
package/src/config/skill-state.ts +34 -0
package/src/config/skills-schema.ts +26 -0
package/src/config/skills.ts +9 -0
package/src/config/system-prompt.ts +110 -46
package/src/config/templates/SOUL.md +1 -1
package/src/config/types.ts +19 -1
package/src/config/vellum-skills/catalog.json +1 -1
package/src/config/vellum-skills/guardian-verify-setup/SKILL.md +1 -0
package/src/config/vellum-skills/sms-setup/SKILL.md +1 -1
package/src/config/vellum-skills/telegram-setup/SKILL.md +1 -1
package/src/config/vellum-skills/trusted-contacts/SKILL.md +104 -3
package/src/config/vellum-skills/twilio-setup/SKILL.md +1 -1
package/src/daemon/config-watcher.ts +0 -1
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/guardian-invite-intent.ts +124 -0
package/src/daemon/handlers/avatar.ts +68 -0
package/src/daemon/handlers/browser.ts +2 -2
package/src/daemon/handlers/config-channels.ts +18 -0
package/src/daemon/handlers/guardian-actions.ts +120 -0
package/src/daemon/handlers/index.ts +4 -0
package/src/daemon/handlers/sessions.ts +19 -0
package/src/daemon/handlers/shared.ts +3 -1
package/src/daemon/handlers/skills.ts +45 -2
package/src/daemon/install-cli-launchers.ts +58 -13
package/src/daemon/ipc-contract/guardian-actions.ts +53 -0
package/src/daemon/ipc-contract/sessions.ts +8 -2
package/src/daemon/ipc-contract/settings.ts +25 -2
package/src/daemon/ipc-contract/skills.ts +1 -0
package/src/daemon/ipc-contract-inventory.json +10 -0
package/src/daemon/ipc-contract.ts +4 -0
package/src/daemon/lifecycle.ts +6 -2
package/src/daemon/main.ts +1 -0
package/src/daemon/server.ts +1 -0
package/src/daemon/session-lifecycle.ts +52 -7
package/src/daemon/session-memory.ts +45 -0
package/src/daemon/session-process.ts +260 -422
package/src/daemon/session-runtime-assembly.ts +12 -0
package/src/daemon/session-skill-tools.ts +14 -1
package/src/daemon/session-tool-setup.ts +5 -0
package/src/daemon/session.ts +11 -0
package/src/daemon/tool-side-effects.ts +35 -9
package/src/index.ts +0 -2
package/src/memory/conversation-display-order-migration.ts +44 -0
package/src/memory/conversation-queries.ts +2 -0
package/src/memory/conversation-store.ts +91 -0
package/src/memory/db-init.ts +13 -1
package/src/memory/embedding-local.ts +22 -8
package/src/memory/guardian-action-store.ts +133 -2
package/src/memory/guardian-verification.ts +1 -1
package/src/memory/ingress-invite-store.ts +95 -1
package/src/memory/migrations/033-scoped-approval-grants.ts +51 -0
package/src/memory/migrations/034-guardian-action-tool-metadata.ts +12 -0
package/src/memory/migrations/035-guardian-action-supersession.ts +23 -0
package/src/memory/migrations/index.ts +3 -0
package/src/memory/schema.ts +35 -1
package/src/memory/scoped-approval-grants.ts +518 -0
package/src/messaging/providers/slack/client.ts +12 -0
package/src/messaging/providers/slack/types.ts +5 -0
package/src/notifications/decision-engine.ts +49 -12
package/src/notifications/emit-signal.ts +7 -0
package/src/notifications/signal.ts +7 -0
package/src/notifications/thread-seed-composer.ts +2 -1
package/src/permissions/checker.ts +27 -0
package/src/runtime/channel-approval-types.ts +16 -6
package/src/runtime/channel-approvals.ts +19 -15
package/src/runtime/channel-invite-transport.ts +85 -0
package/src/runtime/channel-invite-transports/telegram.ts +105 -0
package/src/runtime/guardian-action-grant-minter.ts +154 -0
package/src/runtime/guardian-action-message-composer.ts +30 -0
package/src/runtime/guardian-decision-types.ts +91 -0
package/src/runtime/http-server.ts +23 -1
package/src/runtime/ingress-service.ts +22 -0
package/src/runtime/invite-redemption-service.ts +181 -0
package/src/runtime/invite-redemption-templates.ts +39 -0
package/src/runtime/routes/call-routes.ts +2 -1
package/src/runtime/routes/guardian-action-routes.ts +206 -0
package/src/runtime/routes/guardian-approval-interception.ts +66 -74
package/src/runtime/routes/inbound-message-handler.ts +568 -409
package/src/runtime/routes/pairing-routes.ts +4 -0
package/src/security/encrypted-store.ts +31 -17
package/src/security/keychain.ts +176 -2
package/src/security/secure-keys.ts +97 -0
package/src/security/tool-approval-digest.ts +67 -0
package/src/skills/remote-skill-policy.ts +131 -0
package/src/tools/browser/browser-execution.ts +2 -2
package/src/tools/browser/browser-manager.ts +46 -32
package/src/tools/browser/browser-screencast.ts +2 -2
package/src/tools/calls/call-start.ts +1 -1
package/src/tools/executor.ts +22 -17
package/src/tools/network/script-proxy/session-manager.ts +1 -5
package/src/tools/skills/load.ts +22 -8
package/src/tools/system/avatar-generator.ts +119 -0
package/src/tools/system/navigate-settings.ts +65 -0
package/src/tools/system/open-system-settings.ts +75 -0
package/src/tools/system/voice-config.ts +121 -32
package/src/tools/terminal/backends/native.ts +40 -19
package/src/tools/terminal/backends/types.ts +3 -3
package/src/tools/terminal/parser.ts +1 -1
package/src/tools/terminal/sandbox-diagnostics.ts +6 -87
package/src/tools/terminal/sandbox.ts +1 -12
package/src/tools/terminal/shell.ts +3 -31
package/src/tools/tool-approval-handler.ts +141 -3
package/src/tools/tool-manifest.ts +6 -0
package/src/tools/types.ts +6 -0
package/src/util/diff.ts +36 -13
package/Dockerfile.sandbox +0 -5
package/src/__tests__/doordash-client.test.ts +0 -187
package/src/__tests__/doordash-session.test.ts +0 -154
package/src/__tests__/signup-e2e.test.ts +0 -354
package/src/__tests__/terminal-sandbox-docker.test.ts +0 -1065
package/src/__tests__/terminal-sandbox.integration.test.ts +0 -180
package/src/cli/doordash.ts +0 -1057
package/src/config/bundled-skills/doordash/SKILL.md +0 -163
package/src/config/templates/LOOKS.md +0 -25
package/src/doordash/cart-queries.ts +0 -787
package/src/doordash/client.ts +0 -1016
package/src/doordash/order-queries.ts +0 -85
package/src/doordash/queries.ts +0 -13
package/src/doordash/query-extractor.ts +0 -94
package/src/doordash/search-queries.ts +0 -203
package/src/doordash/session.ts +0 -84
package/src/doordash/store-queries.ts +0 -246
package/src/doordash/types.ts +0 -367
package/src/tools/terminal/backends/docker.ts +0 -379

package/src/__tests__/guardian-grant-minting.test.ts ADDED Viewed

@@ -0,0 +1,532 @@
+/**
+ * Tests for M3: scoped grant minting on guardian tool-approval decisions.
+ *
+ * When a guardian approves a tool-approval request (one with toolName + input),
+ * the approval interception flow should mint a `tool_signature` scoped grant.
+ * Non-tool-approval requests and rejections must NOT mint grants.
+ */
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { afterAll, beforeEach, describe, expect, mock, spyOn, test } from 'bun:test';
+// ---------------------------------------------------------------------------
+// Test isolation: in-memory SQLite via temp directory
+// ---------------------------------------------------------------------------
+const testDir = mkdtempSync(join(tmpdir(), 'guardian-grant-minting-test-'));
+mock.module('../util/platform.js', () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+}));
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+import { GRANT_TTL_MS } from '../approvals/guardian-decision-primitive.js';
+import type { Session } from '../daemon/session.js';
+import {
+  createApprovalRequest,
+  type GuardianApprovalRequest,
+} from '../memory/channel-guardian-store.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import * as approvalMessageComposer from '../runtime/approval-message-composer.js';
+import * as gatewayClient from '../runtime/gateway-client.js';
+import * as pendingInteractions from '../runtime/pending-interactions.js';
+import type { GuardianContext } from '../runtime/routes/channel-route-shared.js';
+import {
+  handleApprovalInterception,
+} from '../runtime/routes/guardian-approval-interception.js';
+import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
+import '../memory/scoped-approval-grants.js';
+initializeDb();
+afterAll(() => {
+  resetDb();
+  try { rmSync(testDir, { recursive: true }); } catch { /* best effort */ }
+});
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const ASSISTANT_ID = 'self';
+const GUARDIAN_USER = 'guardian-user-1';
+const GUARDIAN_CHAT = 'guardian-chat-1';
+const REQUESTER_USER = 'requester-user-1';
+const REQUESTER_CHAT = 'requester-chat-1';
+const CONVERSATION_ID = 'conv-1';
+const TOOL_NAME = 'execute_shell';
+const TOOL_INPUT = { command: 'rm -rf /tmp/test' };
+function resetTables(): void {
+  try {
+    const db = getDb();
+    db.run('DELETE FROM channel_guardian_approval_requests');
+    db.run('DELETE FROM scoped_approval_grants');
+  } catch { /* tables may not exist yet */ }
+  pendingInteractions.clear();
+}
+function createTestGuardianApproval(
+  requestId: string,
+  overrides: Partial<Parameters<typeof createApprovalRequest>[0]> = {},
+): GuardianApprovalRequest {
+  return createApprovalRequest({
+    runId: `run-${requestId}`,
+    requestId,
+    conversationId: CONVERSATION_ID,
+    assistantId: ASSISTANT_ID,
+    channel: 'telegram',
+    requesterExternalUserId: REQUESTER_USER,
+    requesterChatId: REQUESTER_CHAT,
+    guardianExternalUserId: GUARDIAN_USER,
+    guardianChatId: GUARDIAN_CHAT,
+    toolName: TOOL_NAME,
+    expiresAt: Date.now() + 300_000,
+    ...overrides,
+  });
+}
+function registerPendingInteraction(
+  requestId: string,
+  conversationId: string,
+  toolName: string,
+  input: Record<string, unknown> = TOOL_INPUT,
+): ReturnType<typeof mock> {
+  const handleConfirmationResponse = mock(() => {});
+  const mockSession = {
+    handleConfirmationResponse,
+  } as unknown as Session;
+  pendingInteractions.register(requestId, {
+    session: mockSession,
+    conversationId,
+    kind: 'confirmation',
+    confirmationDetails: {
+      toolName,
+      input,
+      riskLevel: 'high',
+      allowlistOptions: [
+        { label: 'test', description: 'test', pattern: 'test' },
+      ],
+      scopeOptions: [
+        { label: 'everywhere', scope: 'everywhere' },
+      ],
+    },
+  });
+  return handleConfirmationResponse;
+}
+function makeGuardianContext(): GuardianContext {
+  return {
+    actorRole: 'guardian',
+    denialReason: undefined,
+  };
+}
+function countGrants(): number {
+  try {
+    const db = getDb();
+    const row = db.$client.prepare('SELECT count(*) as cnt FROM scoped_approval_grants').get() as { cnt: number };
+    return row.cnt;
+  } catch {
+    return 0;
+  }
+}
+function getLatestGrant(): Record<string, unknown> | null {
+  try {
+    const db = getDb();
+    const row = db.$client.prepare('SELECT * FROM scoped_approval_grants ORDER BY created_at DESC LIMIT 1').get();
+    return (row as Record<string, unknown>) ?? null;
+  } catch {
+    return null;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════
+// Tests
+// ═══════════════════════════════════════════════════════════════════════════
+describe('guardian grant minting on tool-approval decisions', () => {
+  let deliverSpy: ReturnType<typeof spyOn>;
+  let composeSpy: ReturnType<typeof spyOn>;
+  beforeEach(() => {
+    resetTables();
+    deliverSpy = spyOn(gatewayClient, 'deliverChannelReply').mockResolvedValue(undefined);
+    composeSpy = spyOn(approvalMessageComposer, 'composeApprovalMessageGenerative')
+      .mockResolvedValue('test message');
+  });
+  // ── 1. approve_once via callback mints a grant ──
+  test('approve_once via callback for tool-approval request mints a scoped grant', async () => {
+    const requestId = 'req-grant-cb-1';
+    createTestGuardianApproval(requestId);
+    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME, TOOL_INPUT);
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-1',
+      callbackData: `apr:${requestId}:approve_once`,
+      content: '',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('guardian_decision_applied');
+    // Verify a grant was minted
+    expect(countGrants()).toBe(1);
+    const grant = getLatestGrant();
+    expect(grant).not.toBeNull();
+    expect(grant!.scope_mode).toBe('tool_signature');
+    expect(grant!.tool_name).toBe(TOOL_NAME);
+    expect(grant!.status).toBe('active');
+    expect(grant!.request_channel).toBe('telegram');
+    expect(grant!.decision_channel).toBe('telegram');
+    expect(grant!.guardian_external_user_id).toBe(GUARDIAN_USER);
+    expect(grant!.requester_external_user_id).toBe(REQUESTER_USER);
+    expect(grant!.conversation_id).toBe(CONVERSATION_ID);
+    expect(grant!.execution_channel).toBeNull();
+    expect(grant!.call_session_id).toBeNull();
+    // Verify the input digest matches what computeToolApprovalDigest produces
+    const expectedDigest = computeToolApprovalDigest(TOOL_NAME, TOOL_INPUT);
+    expect(grant!.input_digest).toBe(expectedDigest);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 2. approve_once for non-tool-approval does NOT mint a grant ──
+  test('approve_once for informational request (no toolName) does NOT mint a grant', async () => {
+    const requestId = 'req-no-grant-1';
+    // Informational requests have no meaningful tool name — the empty string
+    // signals that this is not a tool-approval request.
+    createTestGuardianApproval(requestId, { toolName: '' });
+    registerPendingInteraction(requestId, CONVERSATION_ID, '', {});
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-2',
+      callbackData: `apr:${requestId}:approve_once`,
+      content: '',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('guardian_decision_applied');
+    // No grant should have been minted
+    expect(countGrants()).toBe(0);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 2b. approve_once for zero-argument tool call DOES mint a grant ──
+  test('approve_once for zero-argument tool call mints a scoped grant', async () => {
+    const requestId = 'req-grant-zero-arg';
+    const zeroArgTool = 'get_system_status';
+    createTestGuardianApproval(requestId, { toolName: zeroArgTool });
+    // Register with empty input object to simulate a zero-argument tool call
+    registerPendingInteraction(requestId, CONVERSATION_ID, zeroArgTool, {});
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-2b',
+      callbackData: `apr:${requestId}:approve_once`,
+      content: '',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('guardian_decision_applied');
+    // A grant MUST be minted even though input is {}
+    expect(countGrants()).toBe(1);
+    const grant = getLatestGrant();
+    expect(grant).not.toBeNull();
+    expect(grant!.scope_mode).toBe('tool_signature');
+    expect(grant!.tool_name).toBe(zeroArgTool);
+    expect(grant!.status).toBe('active');
+    // Verify the input digest matches what computeToolApprovalDigest produces for empty input
+    const expectedDigest = computeToolApprovalDigest(zeroArgTool, {});
+    expect(grant!.input_digest).toBe(expectedDigest);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 3. reject does NOT mint a grant ──
+  test('reject decision does NOT mint a scoped grant', async () => {
+    const requestId = 'req-no-grant-rej';
+    createTestGuardianApproval(requestId);
+    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME, TOOL_INPUT);
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-3',
+      callbackData: `apr:${requestId}:reject`,
+      content: '',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('guardian_decision_applied');
+    // No grant should have been minted
+    expect(countGrants()).toBe(0);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 4. Identity mismatch remains fail-closed (no grant minted) ──
+  test('identity mismatch does NOT mint a grant and fails closed', async () => {
+    const requestId = 'req-mismatch-1';
+    createTestGuardianApproval(requestId);
+    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME, TOOL_INPUT);
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-4',
+      callbackData: `apr:${requestId}:approve_once`,
+      content: '',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: 'wrong-guardian-user',
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.handled).toBe(true);
+    // Identity mismatch results in guardian_decision_applied (fail-closed, no actual decision applied)
+    expect(result.type).toBe('guardian_decision_applied');
+    // No grant should have been minted
+    expect(countGrants()).toBe(0);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 5. Stale/already-resolved request does NOT mint a grant ──
+  test('stale request (already resolved) does NOT mint a grant', async () => {
+    const requestId = 'req-stale-1';
+    // Create guardian approval but do NOT register a pending interaction
+    // This simulates the pending interaction being already resolved
+    createTestGuardianApproval(requestId);
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-5',
+      callbackData: `apr:${requestId}:approve_once`,
+      content: '',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('stale_ignored');
+    // No grant should have been minted
+    expect(countGrants()).toBe(0);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 6. approve_once via conversation engine mints a grant ──
+  test('approve_once via conversation engine mints a scoped grant', async () => {
+    const requestId = 'req-grant-eng-1';
+    createTestGuardianApproval(requestId);
+    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME, TOOL_INPUT);
+    const mockGenerator = async () => ({
+      disposition: 'approve_once' as const,
+      replyText: 'Approved!',
+      targetRequestId: requestId,
+    });
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-6',
+      content: 'yes, approve it',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+      approvalConversationGenerator: mockGenerator,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('guardian_decision_applied');
+    // Verify a grant was minted
+    expect(countGrants()).toBe(1);
+    const grant = getLatestGrant();
+    expect(grant).not.toBeNull();
+    expect(grant!.scope_mode).toBe('tool_signature');
+    expect(grant!.tool_name).toBe(TOOL_NAME);
+    expect(grant!.status).toBe('active');
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 7. reject via conversation engine does NOT mint a grant ──
+  test('reject via conversation engine does NOT mint a grant', async () => {
+    const requestId = 'req-no-grant-eng-rej';
+    createTestGuardianApproval(requestId);
+    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME, TOOL_INPUT);
+    const mockGenerator = async () => ({
+      disposition: 'reject' as const,
+      replyText: 'Denied.',
+      targetRequestId: requestId,
+    });
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-7',
+      content: 'no, deny it',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+      approvalConversationGenerator: mockGenerator,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('guardian_decision_applied');
+    // No grant should have been minted
+    expect(countGrants()).toBe(0);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 8. approve_once via legacy parser mints a grant ──
+  test('approve_once via legacy parser mints a scoped grant', async () => {
+    const requestId = 'req-grant-leg-1';
+    createTestGuardianApproval(requestId);
+    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME, TOOL_INPUT);
+    // No approvalConversationGenerator => legacy parser path
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-8',
+      content: 'yes',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.handled).toBe(true);
+    expect(result.type).toBe('guardian_decision_applied');
+    // Verify a grant was minted
+    expect(countGrants()).toBe(1);
+    const grant = getLatestGrant();
+    expect(grant).not.toBeNull();
+    expect(grant!.scope_mode).toBe('tool_signature');
+    expect(grant!.tool_name).toBe(TOOL_NAME);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+  // ── 9. Grant TTL is approximately 5 minutes ──
+  test('minted grant has approximately 5-minute TTL', async () => {
+    const requestId = 'req-grant-ttl-1';
+    createTestGuardianApproval(requestId);
+    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME, TOOL_INPUT);
+    const beforeTime = Date.now();
+    const result = await handleApprovalInterception({
+      conversationId: 'guardian-conv-9',
+      callbackData: `apr:${requestId}:approve_once`,
+      content: '',
+      externalChatId: GUARDIAN_CHAT,
+      sourceChannel: 'telegram',
+      senderExternalUserId: GUARDIAN_USER,
+      replyCallbackUrl: 'https://gateway.test/deliver',
+      guardianCtx: makeGuardianContext(),
+      assistantId: ASSISTANT_ID,
+    });
+    expect(result.type).toBe('guardian_decision_applied');
+    const grant = getLatestGrant();
+    expect(grant).not.toBeNull();
+    const expiresAt = new Date(grant!.expires_at as string).getTime();
+    const expectedMin = beforeTime + GRANT_TTL_MS - 1000; // 1s tolerance
+    const expectedMax = beforeTime + GRANT_TTL_MS + 5000;  // 5s tolerance
+    expect(expiresAt).toBeGreaterThanOrEqual(expectedMin);
+    expect(expiresAt).toBeLessThanOrEqual(expectedMax);
+    deliverSpy.mockRestore();
+    composeSpy.mockRestore();
+  });
+});