@vellumai/assistant 0.3.19 → 0.3.21

package/src/__tests__/guardian-control-plane-policy.test.ts

@@ -484,15 +484,15 @@ describe('ToolExecutor guardian-only policy gate', () => {
     expect(result.content).toBe('ok');
   });
 
-  test('non-guardian invocation of unrelated endpoint is unaffected', async () => {
+  test('non-guardian invocation of unrelated bash command is blocked by guardian approval gate', async () => {
     const executor = new ToolExecutor(makePrompter());
     const result = await executor.execute(
       'bash',
       { command: 'curl http://localhost:3000/v1/messages' },
       makeContext({ guardianActorRole: 'non-guardian' }),
     );
-    expect(result.isError).toBe(false);
-    expect(result.content).toBe('ok');
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('requires guardian approval');
   });
 
   test('non-guardian invocation of unrelated tool is unaffected', async () => {
@@ -579,4 +579,37 @@ describe('ToolExecutor guardian-only policy gate', () => {
       expect(result.content).toContain('restricted to guardian users');
     }
   });
+
+  test('non-guardian actor is blocked from host read tools (host execution)', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      'host_file_read',
+      { path: '/Users/noaflaherty/.ssh/config' },
+      makeContext({ guardianActorRole: 'non-guardian' }),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('requires guardian approval');
+  });
+
+  test('unverified channel actor is blocked from side-effect tools', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      'reminder_create',
+      { fire_at: '2026-02-27T12:00:00-05:00', label: 'test', message: 'hello' },
+      makeContext({ guardianActorRole: 'unverified_channel' }),
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('verified channel identity');
+  });
+
+  test('guardian actor can execute side-effect tools', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      'reminder_create',
+      { fire_at: '2026-02-27T12:00:00-05:00', label: 'test', message: 'hello' },
+      makeContext({ guardianActorRole: 'guardian' }),
+    );
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+  });
 });

package/src/__tests__/guardian-dispatch.test.ts

@@ -515,4 +515,128 @@ describe('guardian-dispatch', () => {
     const secondPayload = (emitCalls[0] as Record<string, unknown>).contextPayload as Record<string, unknown>;
     expect(secondPayload.activeGuardianRequestCount).toBe(2);
   });
+
+  test('second guardian question in same call session passes conversationAffinityHint with first conversation ID', async () => {
+    const convId = 'conv-dispatch-affinity-1';
+    ensureConversation(convId);
+
+    const sharedConversationId = 'conv-affinity-guardian';
+
+    const session = createCallSession({
+      conversationId: convId,
+      provider: 'twilio',
+      fromNumber: '+15550001111',
+      toNumber: '+15550002222',
+    });
+
+    // First dispatch — no affinity hint expected (no prior delivery exists)
+    const pq1 = createPendingQuestion(session.id, 'First question');
+    mockEmitResult = {
+      signalId: 'sig-affinity-1',
+      deduplicated: false,
+      dispatched: true,
+      reason: 'ok',
+      deliveryResults: [
+        {
+          channel: 'vellum',
+          destination: 'vellum',
+          status: 'sent',
+          conversationId: sharedConversationId,
+        },
+      ],
+    };
+
+    await dispatchGuardianQuestion({
+      callSessionId: session.id,
+      conversationId: convId,
+      assistantId: 'self',
+      pendingQuestion: pq1,
+    });
+
+    const firstParams = emitCalls[0] as Record<string, unknown>;
+    // First dispatch should not have an affinity hint
+    expect(firstParams.conversationAffinityHint).toBeUndefined();
+
+    // Second dispatch — should carry the affinity hint from the first delivery
+    emitCalls.length = 0;
+    const pq2 = createPendingQuestion(session.id, 'Second question');
+    mockEmitResult = {
+      signalId: 'sig-affinity-2',
+      deduplicated: false,
+      dispatched: true,
+      reason: 'ok',
+      deliveryResults: [
+        {
+          channel: 'vellum',
+          destination: 'vellum',
+          status: 'sent',
+          conversationId: sharedConversationId,
+        },
+      ],
+    };
+
+    await dispatchGuardianQuestion({
+      callSessionId: session.id,
+      conversationId: convId,
+      assistantId: 'self',
+      pendingQuestion: pq2,
+    });
+
+    const secondParams = emitCalls[0] as Record<string, unknown>;
+    expect(secondParams.conversationAffinityHint).toEqual({
+      vellum: sharedConversationId,
+    });
+  });
+
+  test('third guardian question in same call session also carries affinity hint', async () => {
+    const convId = 'conv-dispatch-affinity-2';
+    ensureConversation(convId);
+
+    const sharedConversationId = 'conv-affinity-triple';
+
+    const session = createCallSession({
+      conversationId: convId,
+      provider: 'twilio',
+      fromNumber: '+15550001111',
+      toNumber: '+15550002222',
+    });
+
+    // Dispatch three guardian questions in the same call session
+    for (let i = 0; i < 3; i++) {
+      emitCalls.length = 0;
+      const pq = createPendingQuestion(session.id, `Question ${i + 1}`);
+      mockEmitResult = {
+        signalId: `sig-triple-${i}`,
+        deduplicated: false,
+        dispatched: true,
+        reason: 'ok',
+        deliveryResults: [
+          {
+            channel: 'vellum',
+            destination: 'vellum',
+            status: 'sent',
+            conversationId: sharedConversationId,
+          },
+        ],
+      };
+
+      await dispatchGuardianQuestion({
+        callSessionId: session.id,
+        conversationId: convId,
+        assistantId: 'self',
+        pendingQuestion: pq,
+      });
+
+      const params = emitCalls[0] as Record<string, unknown>;
+      if (i === 0) {
+        // First dispatch — no affinity hint
+        expect(params.conversationAffinityHint).toBeUndefined();
+      } else {
+        // Subsequent dispatches — affinity hint points to the shared conversation
+        expect(params.conversationAffinityHint).toEqual({
+          vellum: sharedConversationId,
+        });
+      }
+    }
+  });
 });

package/src/__tests__/guardian-grant-minting.test.ts

@@ -37,24 +37,23 @@ mock.module('../util/logger.js', () => ({
   }),
 }));
 
+import { GRANT_TTL_MS } from '../approvals/guardian-decision-primitive.js';
 import type { Session } from '../daemon/session.js';
 import {
   createApprovalRequest,
-  createBinding,
-  getAllPendingApprovalsByGuardianChat,
   type GuardianApprovalRequest,
 } from '../memory/channel-guardian-store.js';
-import { initializeDb, resetDb } from '../memory/db.js';
-import * as scopedGrantStore from '../memory/scoped-approval-grants.js';
-import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
 import * as approvalMessageComposer from '../runtime/approval-message-composer.js';
 import * as gatewayClient from '../runtime/gateway-client.js';
 import * as pendingInteractions from '../runtime/pending-interactions.js';
+import type { GuardianContext } from '../runtime/routes/channel-route-shared.js';
 import {
   handleApprovalInterception,
-  GRANT_TTL_MS,
 } from '../runtime/routes/guardian-approval-interception.js';
-import type { GuardianContext } from '../runtime/routes/channel-route-shared.js';
+import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
+
+import '../memory/scoped-approval-grants.js';
 
 initializeDb();
 
@@ -78,7 +77,6 @@ const TOOL_INPUT = { command: 'rm -rf /tmp/test' };
 
 function resetTables(): void {
   try {
-    const { getDb } = require('../memory/db.js');
     const db = getDb();
     db.run('DELETE FROM channel_guardian_approval_requests');
     db.run('DELETE FROM scoped_approval_grants');
@@ -144,16 +142,8 @@ function makeGuardianContext(): GuardianContext {
   };
 }
 
-function makeNonGuardianContext(): GuardianContext {
-  return {
-    actorRole: 'non-guardian',
-    denialReason: undefined,
-  };
-}
-
 function countGrants(): number {
   try {
-    const { getDb } = require('../memory/db.js');
     const db = getDb();
     const row = db.$client.prepare('SELECT count(*) as cnt FROM scoped_approval_grants').get() as { cnt: number };
     return row.cnt;
@@ -164,7 +154,6 @@ function countGrants(): number {
 
 function getLatestGrant(): Record<string, unknown> | null {
   try {
-    const { getDb } = require('../memory/db.js');
     const db = getDb();
     const row = db.$client.prepare('SELECT * FROM scoped_approval_grants ORDER BY created_at DESC LIMIT 1').get();
     return (row as Record<string, unknown>) ?? null;

package/src/__tests__/inbound-invite-redemption.test.ts

@@ -0,0 +1,367 @@
+/**
+ * Integration tests for the inbound invite redemption intercept.
+ *
+ * Validates that non-members with valid `/start iv_<token>` payloads are
+ * granted access without guardian approval, and that invalid/expired/revoked
+ * tokens produce the correct deterministic refusal messages.
+ */
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+
+// ---------------------------------------------------------------------------
+// Test isolation: in-memory SQLite via temp directory
+// ---------------------------------------------------------------------------
+
+const testDir = mkdtempSync(join(tmpdir(), 'inbound-invite-redemption-test-'));
+
+mock.module('../util/platform.js', () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
+  readHttpToken: () => 'test-bearer-token',
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+
+mock.module('../security/secret-ingress.js', () => ({
+  checkIngressForSecrets: () => ({ blocked: false }),
+}));
+
+mock.module('../config/env.js', () => ({
+  getGatewayInternalBaseUrl: () => 'http://127.0.0.1:7830',
+}));
+
+// Mock the credential metadata store so the Telegram transport adapter
+// resolves without touching the filesystem.
+mock.module('../tools/credentials/metadata-store.js', () => ({
+  getCredentialMetadata: () => undefined,
+  upsertCredentialMetadata: () => {},
+  deleteCredentialMetadata: () => {},
+  listCredentialMetadata: () => [],
+}));
+
+const emitSignalCalls: Array<Record<string, unknown>> = [];
+mock.module('../notifications/emit-signal.js', () => ({
+  emitNotificationSignal: async (params: Record<string, unknown>) => {
+    emitSignalCalls.push(params);
+    return {
+      signalId: 'mock-signal-id',
+      deduplicated: false,
+      dispatched: true,
+      reason: 'mock',
+      deliveryResults: [],
+    };
+  },
+}));
+
+const deliverReplyCalls: Array<{ url: string; payload: Record<string, unknown> }> = [];
+mock.module('../runtime/gateway-client.js', () => ({
+  deliverChannelReply: async (url: string, payload: Record<string, unknown>) => {
+    deliverReplyCalls.push({ url, payload });
+  },
+}));
+
+mock.module('../runtime/approval-message-composer.js', () => ({
+  composeApprovalMessage: () => 'mock approval message',
+  composeApprovalMessageGenerative: async () => 'mock generative message',
+}));
+
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { createInvite, revokeInvite } from '../memory/ingress-invite-store.js';
+import { findMember, upsertMember } from '../memory/ingress-member-store.js';
+import { handleChannelInbound } from '../runtime/routes/channel-routes.js';
+
+initializeDb();
+
+afterAll(() => {
+  resetDb();
+  try { rmSync(testDir, { recursive: true }); } catch { /* best effort */ }
+});
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const TEST_BEARER_TOKEN = 'test-token';
+let msgCounter = 0;
+
+function resetState(): void {
+  const db = getDb();
+  db.run('DELETE FROM assistant_ingress_members');
+  db.run('DELETE FROM assistant_ingress_invites');
+  db.run('DELETE FROM channel_inbound_events');
+  db.run('DELETE FROM conversations');
+  db.run('DELETE FROM channel_guardian_approval_requests');
+  db.run('DELETE FROM channel_guardian_bindings');
+  db.run('DELETE FROM notification_events');
+  emitSignalCalls.length = 0;
+  deliverReplyCalls.length = 0;
+  msgCounter = 0;
+}
+
+function buildInboundRequest(overrides: Record<string, unknown> = {}): Request {
+  msgCounter++;
+  const body: Record<string, unknown> = {
+    sourceChannel: 'telegram',
+    interface: 'telegram',
+    externalChatId: 'chat-invite-test',
+    externalMessageId: `msg-invite-${Date.now()}-${msgCounter}`,
+    content: '/start iv_sometoken',
+    senderExternalUserId: 'user-invite-123',
+    senderName: 'Invite User',
+    senderUsername: 'invite_user',
+    replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
+    sourceMetadata: {
+      commandIntent: { type: 'start', payload: 'iv_sometoken' },
+    },
+    ...overrides,
+  };
+
+  return new Request('http://localhost:8080/channels/inbound', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-Gateway-Origin': TEST_BEARER_TOKEN,
+    },
+    body: JSON.stringify(body),
+  });
+}
+
+/**
+ * Build a request with a specific invite token, using the structured
+ * commandIntent that the gateway produces for `/start <payload>`.
+ */
+function buildInviteRequest(rawToken: string, overrides: Record<string, unknown> = {}): Request {
+  return buildInboundRequest({
+    content: `/start iv_${rawToken}`,
+    sourceMetadata: {
+      commandIntent: { type: 'start', payload: `iv_${rawToken}` },
+    },
+    ...overrides,
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('inbound invite redemption intercept', () => {
+  beforeEach(resetState);
+
+  test('non-member with valid invite token becomes active member without guardian approval', async () => {
+    const { rawToken } = createInvite({ sourceChannel: 'telegram', maxUses: 5 });
+
+    const req = buildInviteRequest(rawToken);
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    expect(json.accepted).toBe(true);
+    expect(json.inviteRedemption).toBe('redeemed');
+    expect(json.memberId).toEqual(expect.any(String));
+    expect(json.denied).toBeUndefined();
+
+    // Verify the user is now an active member
+    const member = findMember({
+      assistantId: 'self',
+      sourceChannel: 'telegram',
+      externalUserId: 'user-invite-123',
+    });
+    expect(member).not.toBeNull();
+    expect(member!.status).toBe('active');
+
+    // Verify a welcome reply was delivered
+    expect(deliverReplyCalls.length).toBe(1);
+    const replyText = (deliverReplyCalls[0].payload as Record<string, unknown>).text;
+    expect(replyText).toContain("Welcome! You've been granted access via invite link.");
+  });
+
+  test('non-member with invalid token gets refusal text', async () => {
+    const req = buildInviteRequest('completely-bogus-token-xyz');
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    expect(json.accepted).toBe(true);
+    expect(json.denied).toBe(true);
+    expect(json.inviteRedemption).toBe('invalid_token');
+
+    // Verify refusal reply was delivered
+    expect(deliverReplyCalls.length).toBe(1);
+    const replyText = (deliverReplyCalls[0].payload as Record<string, unknown>).text;
+    expect(replyText).toContain('no longer valid');
+
+    // Verify the user was NOT made a member
+    const member = findMember({
+      assistantId: 'self',
+      sourceChannel: 'telegram',
+      externalUserId: 'user-invite-123',
+    });
+    expect(member).toBeNull();
+  });
+
+  test('non-member with expired token gets appropriate message', async () => {
+    const { rawToken } = createInvite({
+      sourceChannel: 'telegram',
+      maxUses: 1,
+      expiresInMs: -1, // already expired
+    });
+
+    const req = buildInviteRequest(rawToken);
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    expect(json.accepted).toBe(true);
+    expect(json.denied).toBe(true);
+    expect(json.inviteRedemption).toBe('expired');
+
+    expect(deliverReplyCalls.length).toBe(1);
+    const replyText = (deliverReplyCalls[0].payload as Record<string, unknown>).text;
+    expect(replyText).toContain('no longer valid');
+  });
+
+  test('non-member with revoked token gets refusal text', async () => {
+    const { rawToken, invite } = createInvite({
+      sourceChannel: 'telegram',
+      maxUses: 5,
+    });
+    revokeInvite(invite.id);
+
+    const req = buildInviteRequest(rawToken);
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    expect(json.accepted).toBe(true);
+    expect(json.denied).toBe(true);
+    expect(json.inviteRedemption).toBe('revoked');
+
+    expect(deliverReplyCalls.length).toBe(1);
+    const replyText = (deliverReplyCalls[0].payload as Record<string, unknown>).text;
+    expect(replyText).toContain('no longer valid');
+  });
+
+  test('existing /start gv_<token> guardian bootstrap flow is unaffected', async () => {
+    // Send a /start gv_ command — should not be intercepted by the invite flow.
+    // Without a valid bootstrap session, it should be denied at the ACL gate.
+    const req = buildInboundRequest({
+      content: '/start gv_some_bootstrap_token',
+      sourceMetadata: {
+        commandIntent: { type: 'start', payload: 'gv_some_bootstrap_token' },
+      },
+    });
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    // Should be denied as a non-member (bootstrap token is invalid/no session)
+    expect(json.denied).toBe(true);
+    expect(json.reason).toBe('not_a_member');
+    // Should NOT have invite redemption fields
+    expect(json.inviteRedemption).toBeUndefined();
+  });
+
+  test('duplicate Telegram webhook deliveries do not double-redeem', async () => {
+    const { rawToken } = createInvite({ sourceChannel: 'telegram', maxUses: 5 });
+
+    const sharedMessageId = `msg-dedup-${Date.now()}`;
+    const makeReq = () => buildInviteRequest(rawToken, {
+      externalMessageId: sharedMessageId,
+    });
+
+    // First delivery
+    const resp1 = await handleChannelInbound(makeReq(), undefined, TEST_BEARER_TOKEN);
+    const json1 = await resp1.json() as Record<string, unknown>;
+    expect(json1.inviteRedemption).toBe('redeemed');
+
+    // Second delivery (duplicate webhook)
+    const resp2 = await handleChannelInbound(makeReq(), undefined, TEST_BEARER_TOKEN);
+    const json2 = await resp2.json() as Record<string, unknown>;
+    // Dedup kicks in — the message is treated as a duplicate and no second
+    // redemption attempt occurs.
+    expect(json2.duplicate).toBe(true);
+
+    // Only one welcome reply was delivered
+    expect(deliverReplyCalls.length).toBe(1);
+  });
+
+  test('existing active member sending normal message is unaffected', async () => {
+    // Pre-create an active member
+    upsertMember({
+      assistantId: 'self',
+      sourceChannel: 'telegram',
+      externalUserId: 'user-active-member',
+      externalChatId: 'chat-active',
+      status: 'active',
+      policy: 'allow',
+    });
+
+    // Active member sends a normal message (no invite token)
+    const req = buildInboundRequest({
+      content: 'Hello, just a normal message!',
+      senderExternalUserId: 'user-active-member',
+      externalChatId: 'chat-active',
+      sourceMetadata: {},
+    });
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    // Should be accepted normally, not denied, not invite-redeemed
+    expect(json.accepted).toBe(true);
+    expect(json.denied).toBeUndefined();
+    expect(json.inviteRedemption).toBeUndefined();
+  });
+
+  test('channel mismatch returns appropriate message', async () => {
+    // Create an invite for SMS, but try to redeem via Telegram
+    const { rawToken } = createInvite({ sourceChannel: 'sms', maxUses: 5 });
+
+    const req = buildInviteRequest(rawToken);
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    expect(json.accepted).toBe(true);
+    expect(json.denied).toBe(true);
+    expect(json.inviteRedemption).toBe('channel_mismatch');
+
+    expect(deliverReplyCalls.length).toBe(1);
+    const replyText = (deliverReplyCalls[0].payload as Record<string, unknown>).text;
+    expect(replyText).toContain('not valid for this channel');
+  });
+
+  test('already-active member with invite token gets acknowledgement', async () => {
+    const { rawToken } = createInvite({ sourceChannel: 'telegram', maxUses: 5 });
+
+    // Pre-create an active member that will click the invite link
+    upsertMember({
+      assistantId: 'self',
+      sourceChannel: 'telegram',
+      externalUserId: 'user-already-active',
+      externalChatId: 'chat-invite-test',
+      status: 'active',
+      policy: 'allow',
+    });
+
+    const req = buildInviteRequest(rawToken, {
+      senderExternalUserId: 'user-already-active',
+    });
+    const resp = await handleChannelInbound(req, undefined, TEST_BEARER_TOKEN);
+    const json = await resp.json() as Record<string, unknown>;
+
+    // Active members pass through the ACL gate, so the invite intercept
+    // does not fire. The message proceeds to normal processing.
+    expect(json.accepted).toBe(true);
+    expect(json.denied).toBeUndefined();
+  });
+});