@vellumai/assistant 0.3.19 → 0.3.21

package/src/__tests__/sandbox-diagnostics.test.ts

@@ -3,14 +3,10 @@ import * as realChildProcess from 'node:child_process';
 import { beforeEach, describe, expect, mock, test } from 'bun:test';
 
 const execSyncMock = mock((_command: string, _opts?: unknown): unknown => undefined);
-const execFileSyncMock = mock(
-  (_file: string, _args?: readonly string[], _opts?: unknown): unknown => undefined,
-);
 
 mock.module('node:child_process', () => ({
   ...realChildProcess,
   execSync: execSyncMock,
-  execFileSync: execFileSyncMock,
 }));
 
 // Mock platform detection — default to macOS
@@ -36,18 +32,8 @@ mock.module('../util/platform.js', () => ({
 // Mock config loader — return a config with sandbox settings
 let mockSandboxConfig: {
   enabled: boolean;
-  backend: 'native' | 'docker';
-  docker: { image: string; cpus: number; memoryMb: number; pidsLimit: number; network: 'none' | 'bridge' };
 } = {
   enabled: true,
-  backend: 'native',
-  docker: {
-    image: 'vellum-sandbox:latest',
-    cpus: 1,
-    memoryMb: 512,
-    pidsLimit: 256,
-    network: 'none',
-  },
 };
 
 mock.module('../config/loader.js', () => ({
@@ -72,24 +58,13 @@ const { runSandboxDiagnostics } = await import(
 
 beforeEach(() => {
   execSyncMock.mockReset();
-  execFileSyncMock.mockReset();
   mockIsMacOS = true;
   mockIsLinux = false;
   mockSandboxConfig = {
     enabled: true,
-    backend: 'native',
-    docker: {
-      image: 'vellum-sandbox:latest',
-      cpus: 1,
-      memoryMb: 512,
-      pidsLimit: 256,
-      network: 'none',
-    },
   };
-  // Default: all commands succeed. execSync with encoding returns a string,
-  // so we must return a string to avoid .trim() throwing on undefined.
-  execSyncMock.mockImplementation(() => 'Docker version 24.0.7, build afdd53b');
-  execFileSyncMock.mockImplementation(() => 'ok\n');
+  // Default: all commands succeed.
+  execSyncMock.mockImplementation(() => undefined);
 });
 
 describe('runSandboxDiagnostics — config reporting', () => {
@@ -103,22 +78,6 @@ describe('runSandboxDiagnostics — config reporting', () => {
     const result = runSandboxDiagnostics();
     expect(result.config.enabled).toBe(false);
   });
-
-  test('reports configured backend', () => {
-    const result = runSandboxDiagnostics();
-    expect(result.config.backend).toBe('native');
-  });
-
-  test('reports docker backend when configured', () => {
-    mockSandboxConfig.backend = 'docker';
-    const result = runSandboxDiagnostics();
-    expect(result.config.backend).toBe('docker');
-  });
-
-  test('reports docker image', () => {
-    const result = runSandboxDiagnostics();
-    expect(result.config.dockerImage).toBe('vellum-sandbox:latest');
-  });
 });
 
 describe('runSandboxDiagnostics — active backend reason', () => {
@@ -127,12 +86,6 @@ describe('runSandboxDiagnostics — active backend reason', () => {
     expect(result.activeBackendReason).toContain('Native backend');
   });
 
-  test('explains docker backend selection', () => {
-    mockSandboxConfig.backend = 'docker';
-    const result = runSandboxDiagnostics();
-    expect(result.activeBackendReason).toContain('Docker backend');
-  });
-
   test('explains when sandbox is disabled', () => {
     mockSandboxConfig.enabled = false;
     const result = runSandboxDiagnostics();
@@ -203,207 +156,11 @@ describe('runSandboxDiagnostics — native backend check (unsupported OS)', () =
   });
 });
 
-describe('runSandboxDiagnostics — Docker CLI check', () => {
-  test('passes when docker CLI is available', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd === 'docker --version') {
-        return 'Docker version 24.0.7, build afdd53b';
-      }
-      return undefined;
-    });
-    const result = runSandboxDiagnostics();
-    const cliCheck = result.checks.find((c) => c.label === 'Docker CLI installed');
-    expect(cliCheck).toBeDefined();
-    expect(cliCheck!.ok).toBe(true);
-    expect(cliCheck!.detail).toContain('Docker version');
-  });
-
-  test('fails when docker CLI is not found', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd === 'docker --version') {
-        throw new Error('command not found: docker');
-      }
-      return undefined;
-    });
-    const result = runSandboxDiagnostics();
-    const cliCheck = result.checks.find((c) => c.label === 'Docker CLI installed');
-    expect(cliCheck).toBeDefined();
-    expect(cliCheck!.ok).toBe(false);
-    expect(cliCheck!.detail).toContain('not found');
-  });
-});
-
-describe('runSandboxDiagnostics — Docker daemon check', () => {
-  test('passes when daemon is reachable', () => {
-    const result = runSandboxDiagnostics();
-    const daemonCheck = result.checks.find((c) => c.label === 'Docker daemon running');
-    expect(daemonCheck).toBeDefined();
-    expect(daemonCheck!.ok).toBe(true);
-  });
-
-  test('fails when daemon is not running', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd === 'docker info') {
-        throw new Error('Cannot connect to the Docker daemon');
-      }
-      return 'Docker version 24.0.7';
-    });
-    const result = runSandboxDiagnostics();
-    const daemonCheck = result.checks.find((c) => c.label === 'Docker daemon running');
-    expect(daemonCheck).toBeDefined();
-    expect(daemonCheck!.ok).toBe(false);
-  });
-
-  test('skipped when CLI is not available', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd.includes('docker')) {
-        throw new Error('command not found');
-      }
-      return undefined;
-    });
-    const result = runSandboxDiagnostics();
-    const daemonCheck = result.checks.find((c) => c.label === 'Docker daemon running');
-    expect(daemonCheck).toBeUndefined();
-  });
-});
-
-describe('runSandboxDiagnostics — Docker image check', () => {
-  test('passes when image is available locally', () => {
-    const result = runSandboxDiagnostics();
-    const imageCheck = result.checks.find((c) => c.label.includes('Docker image available'));
-    expect(imageCheck).toBeDefined();
-    expect(imageCheck!.ok).toBe(true);
-  });
-
-  test('fails when image is not available', () => {
-    execFileSyncMock.mockImplementation(
-      (file: string, args?: readonly string[]) => {
-        if (file === 'docker' && Array.isArray(args) && args.includes('inspect')) {
-          throw new Error('No such image');
-        }
-        return 'ok\n';
-      },
-    );
-    const result = runSandboxDiagnostics();
-    const imageCheck = result.checks.find((c) => c.label.includes('Docker image available'));
-    expect(imageCheck).toBeDefined();
-    expect(imageCheck!.ok).toBe(false);
-    expect(imageCheck!.detail).toContain('docker build');
-  });
-
-  test('includes configured image name in label', () => {
-    mockSandboxConfig.docker.image = 'alpine:3.19';
-    const result = runSandboxDiagnostics();
-    const imageCheck = result.checks.find((c) => c.label.includes('Docker image available'));
-    expect(imageCheck).toBeDefined();
-    expect(imageCheck!.label).toContain('alpine:3.19');
-  });
-
-  test('skipped when daemon is not running', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd === 'docker info') {
-        throw new Error('Cannot connect');
-      }
-      return 'Docker version 24.0.7';
-    });
-    const result = runSandboxDiagnostics();
-    const imageCheck = result.checks.find((c) => c.label.includes('Docker image available'));
-    expect(imageCheck).toBeUndefined();
-  });
-});
-
-describe('runSandboxDiagnostics — Docker mount writable check', () => {
-  test('passes when mount probe succeeds', () => {
-    const result = runSandboxDiagnostics();
-    const mountCheck = result.checks.find((c) => c.label === 'Docker mount writable');
-    expect(mountCheck).toBeDefined();
-    expect(mountCheck!.ok).toBe(true);
-  });
-
-  test('uses configured image and sandbox working dir for mount probe', () => {
-    mockSandboxConfig.docker.image = 'alpine:3.19';
-    runSandboxDiagnostics();
-    const runCall = execFileSyncMock.mock.calls.find(
-      (call: unknown[]) => call[0] === 'docker' && Array.isArray(call[1]) && call[1].includes('run'),
-    );
-    expect(runCall).toBeDefined();
-    const args = runCall![1] as string[];
-    expect(args).toContain('alpine:3.19');
-    // Mount source should be the sandbox working dir (getSandboxWorkingDir)
-    const mountArg = args.find((a: string) => a.startsWith('type=bind'));
-    expect(mountArg).toContain('/tmp/vellum-test/workspace');
-    // Probe command should be 'test -w /workspace' matching runtime preflight
-    expect(args).toContain('test');
-    expect(args).toContain('-w');
-    expect(args).toContain('/workspace');
-  });
-
-  test('fails when mount probe errors', () => {
-    execFileSyncMock.mockImplementation(
-      (file: string, args?: readonly string[]) => {
-        if (file === 'docker' && Array.isArray(args) && args.includes('run')) {
-          throw new Error('mount failed');
-        }
-        return undefined;
-      },
-    );
-    const result = runSandboxDiagnostics();
-    const mountCheck = result.checks.find((c) => c.label === 'Docker mount writable');
-    expect(mountCheck).toBeDefined();
-    expect(mountCheck!.ok).toBe(false);
-    expect(mountCheck!.detail).toContain('File Sharing');
-  });
-
-  test('skipped when daemon is not running', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd === 'docker info') {
-        throw new Error('Cannot connect');
-      }
-      return 'Docker version 24.0.7';
-    });
-    const result = runSandboxDiagnostics();
-    const mountCheck = result.checks.find((c) => c.label === 'Docker mount writable');
-    expect(mountCheck).toBeUndefined();
-  });
-});
-
-describe('runSandboxDiagnostics — check cascade', () => {
-  test('Docker daemon, image, and run checks are skipped when CLI is missing', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd.includes('docker')) {
-        throw new Error('not found');
-      }
-      return undefined;
-    });
-    const result = runSandboxDiagnostics();
-    const labels = result.checks.map((c) => c.label);
-    expect(labels).toContain('Docker CLI installed');
-    expect(labels).not.toContain('Docker daemon running');
-    expect(labels.find((l) => l.includes('Docker image'))).toBeUndefined();
-    expect(labels).not.toContain('Docker mount writable');
-  });
-
-  test('image and run checks are skipped when daemon is down', () => {
-    execSyncMock.mockImplementation((cmd: string) => {
-      if (typeof cmd === 'string' && cmd === 'docker info') {
-        throw new Error('Cannot connect');
-      }
-      return 'Docker version 24.0.7';
-    });
-    const result = runSandboxDiagnostics();
-    const labels = result.checks.map((c) => c.label);
-    expect(labels).toContain('Docker CLI installed');
-    expect(labels).toContain('Docker daemon running');
-    expect(labels.find((l) => l.includes('Docker image'))).toBeUndefined();
-    expect(labels).not.toContain('Docker mount writable');
-  });
-
-  test('all Docker checks run when everything works', () => {
+describe('runSandboxDiagnostics — only native checks', () => {
+  test('only includes native backend check', () => {
     const result = runSandboxDiagnostics();
     const labels = result.checks.map((c) => c.label);
-    expect(labels).toContain('Docker CLI installed');
-    expect(labels).toContain('Docker daemon running');
-    expect(labels.find((l) => l.includes('Docker image'))).toBeDefined();
-    expect(labels).toContain('Docker mount writable');
+    expect(labels).toHaveLength(1);
+    expect(labels[0]).toContain('Native sandbox');
   });
 });

package/src/__tests__/sandbox-host-parity.test.ts

@@ -50,7 +50,6 @@ import { formatShellOutput, MAX_OUTPUT_LENGTH } from '../tools/shared/shell-outp
 
 // Dynamically import modules that depend on the mocked logger
 const { NativeBackend } = await import('../tools/terminal/backends/native.js');
-const { DockerBackend, _resetDockerChecks } = await import('../tools/terminal/backends/docker.js');
 const { wrapCommand } = await import('../tools/terminal/sandbox.js');
 const { ToolError } = await import('../util/errors.js');
 
@@ -589,7 +588,7 @@ describe('SandboxResult shape consistency across backends', () => {
   });
 
   test('wrapCommand disabled returns bash with sandboxed=false', () => {
-    const result = wrapCommand('echo hi', '/tmp', { enabled: false, backend: 'native', docker: { image: 'vellum-sandbox:latest', shell: 'bash', cpus: 1, memoryMb: 512, pidsLimit: 256, network: 'none' } });
+    const result = wrapCommand('echo hi', '/tmp', { enabled: false });
 
     expect(result.command).toBe('bash');
     expect(result.args).toEqual(['-c', '--', 'echo hi']);
@@ -597,7 +596,7 @@ describe('SandboxResult shape consistency across backends', () => {
   });
 
   test('wrapCommand disabled result has same shape as enabled result', () => {
-    const disabled = wrapCommand('echo hi', '/tmp', { enabled: false, backend: 'native', docker: { image: 'vellum-sandbox:latest', shell: 'bash', cpus: 1, memoryMb: 512, pidsLimit: 256, network: 'none' } });
+    const disabled = wrapCommand('echo hi', '/tmp', { enabled: false });
 
     // Both must have: command (string), args (string[]), sandboxed (boolean)
     expect(typeof disabled.command).toBe('string');
@@ -859,26 +858,20 @@ describe('Regression: edge cases in shared FileSystemOps', () => {
 });
 
 // ===========================================================================
-// 9. Docker backend shape parity with native backend
+// 9. NativeBackend shape verification
 // ===========================================================================
 
-describe('DockerBackend vs NativeBackend: SandboxResult shape parity', () => {
-  test('both backends produce results with command, args, sandboxed fields', () => {
-    // Verify both classes have a wrap method that returns SandboxResult
+describe('NativeBackend: SandboxResult shape', () => {
+  test('NativeBackend has a wrap method', () => {
     const native = new NativeBackend();
     expect(typeof native.wrap).toBe('function');
-
-    _resetDockerChecks();
-    // DockerBackend requires a real sandbox root for construction
-    const docker = new DockerBackend(realpathSync('/tmp'), undefined, 1000, 1000);
-    expect(typeof docker.wrap).toBe('function');
   });
 
   test('disabled sandbox returns consistent bash -c -- invocation', () => {
     // Various commands should all be wrapped consistently when disabled
     const commands = ['echo hello', 'ls -la', 'cat /etc/hosts', 'true && false'];
     for (const cmd of commands) {
-      const result = wrapCommand(cmd, '/tmp', { enabled: false, backend: 'native', docker: { image: 'vellum-sandbox:latest', shell: 'bash', cpus: 1, memoryMb: 512, pidsLimit: 256, network: 'none' } });
+      const result = wrapCommand(cmd, '/tmp', { enabled: false });
       expect(result.command).toBe('bash');
       expect(result.args[0]).toBe('-c');
       expect(result.args[1]).toBe('--');

package/src/__tests__/scoped-approval-grants.test.ts

@@ -29,16 +29,16 @@ mock.module('../util/logger.js', () => ({
   truncateForLog: (value: string) => value,
 }));
 
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { scopedApprovalGrants } from '../memory/schema.js';
 import {
+  _internal,
   type CreateScopedApprovalGrantParams,
-  consumeScopedApprovalGrantByRequestId,
-  consumeScopedApprovalGrantByToolSignature,
-  createScopedApprovalGrant,
   expireScopedApprovalGrants,
   revokeScopedApprovalGrantsForContext,
 } from '../memory/scoped-approval-grants.js';
-import { getDb, initializeDb, resetDb } from '../memory/db.js';
-import { scopedApprovalGrants } from '../memory/schema.js';
+
+const { consumeScopedApprovalGrantByRequestId, consumeScopedApprovalGrantByToolSignature, createScopedApprovalGrant } = _internal;
 import {
   canonicalJsonSerialize,
   computeToolApprovalDigest,
@@ -389,7 +389,7 @@ describe('scoped-approval-grants / expiry', () => {
   });
 
   test('already-consumed grants are not affected by expiry sweep', () => {
-    const pastExpiry = new Date(Date.now() - 1_000).toISOString();
+    const _pastExpiry = new Date(Date.now() - 1_000).toISOString();
     createScopedApprovalGrant(
       grantParams({ scopeMode: 'request_id', requestId: 'req-consumed', expiresAt: new Date(Date.now() + 60_000).toISOString() }),
     );

package/src/__tests__/scoped-grant-security-matrix.test.ts

@@ -54,13 +54,14 @@ mock.module('../util/logger.js', () => ({
   truncateForLog: (value: string) => value,
 }));
 
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { scopedApprovalGrants } from '../memory/schema.js';
 import {
+  _internal,
   type CreateScopedApprovalGrantParams,
-  consumeScopedApprovalGrantByToolSignature,
-  createScopedApprovalGrant,
 } from '../memory/scoped-approval-grants.js';
-import { getDb, initializeDb, resetDb } from '../memory/db.js';
-import { scopedApprovalGrants } from '../memory/schema.js';
+
+const { consumeScopedApprovalGrantByToolSignature, createScopedApprovalGrant } = _internal;
 import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
 
 initializeDb();

package/src/__tests__/script-proxy-session-manager.test.ts

@@ -169,25 +169,7 @@ describe('session-manager', () => {
       expect(() => getSessionEnv(session.id)).toThrow(/not active/);
     });
 
-    test('returns host.docker.internal URL when dockerMode is true', async () => {
-      const session = createSession(CONV_ID, CRED_IDS);
-      const started = await startSession(session.id);
-      const env = getSessionEnv(session.id, { dockerMode: true });
-
-      expect(env.HTTP_PROXY).toBe(`http://host.docker.internal:${started.port}`);
-      expect(env.HTTPS_PROXY).toBe(`http://host.docker.internal:${started.port}`);
-    });
-
-    test('returns 127.0.0.1 URL when dockerMode is false', async () => {
-      const session = createSession(CONV_ID, CRED_IDS);
-      const started = await startSession(session.id);
-      const env = getSessionEnv(session.id, { dockerMode: false });
-
-      expect(env.HTTP_PROXY).toBe(`http://127.0.0.1:${started.port}`);
-      expect(env.HTTPS_PROXY).toBe(`http://127.0.0.1:${started.port}`);
-    });
-
-    test('returns 127.0.0.1 URL when no options are passed', async () => {
+    test('returns 127.0.0.1 URL for active session', async () => {
       const session = createSession(CONV_ID, CRED_IDS);
       const started = await startSession(session.id);
       const env = getSessionEnv(session.id);

package/src/__tests__/session-load-history-repair.test.ts

@@ -1,4 +1,4 @@
-import { describe, expect, mock, test } from 'bun:test';
+import { beforeEach, describe, expect, mock, test } from 'bun:test';
 
 import type { Message } from '../providers/types.js';
 
@@ -49,14 +49,27 @@ mock.module('../security/secret-allowlist.js', () => ({
 }));
 
 // Mutable store so each test can configure its own messages
-let mockDbMessages: Array<{ id: string; role: string; content: string }> = [];
+let mockDbMessages: Array<{ id: string; role: string; content: string; metadata?: string | null }> = [];
 let mockConversation: Record<string, unknown> | null = null;
+let nextMockMessageId = 1;
 
 mock.module('../memory/conversation-store.js', () => ({
   getMessages: () => mockDbMessages,
   getConversation: () => mockConversation,
   createConversation: () => ({ id: 'conv-1' }),
   listConversations: () => [],
+  addMessage: async (_conversationId: string, role: string, content: string, metadata?: Record<string, unknown>) => {
+    const id = `persisted-${nextMockMessageId++}`;
+    mockDbMessages.push({
+      id,
+      role,
+      content,
+      metadata: metadata ? JSON.stringify(metadata) : null,
+    });
+    return { id };
+  },
+  setConversationOriginChannelIfUnset: () => {},
+  setConversationOriginInterfaceIfUnset: () => {},
 }));
 
 import { Session } from '../daemon/session.js';
@@ -67,6 +80,10 @@ function makeSession(): Session {
 }
 
 describe('loadFromDb history repair', () => {
+  beforeEach(() => {
+    nextMockMessageId = 1;
+  });
+
   test('repairs corrupt persisted history: missing tool_result inserted', async () => {
     mockConversation = {
       id: 'conv-1',
@@ -220,4 +237,154 @@ describe('loadFromDb history repair', () => {
     expect(messages).toHaveLength(2);
     expect(messages[1].content).toEqual([{ type: 'text', text: 'Sure' }]);
   });
+
+  test('untrusted actor load hides guardian-provenance history and context summary', async () => {
+    mockConversation = {
+      id: 'conv-1',
+      contextSummary: 'Sensitive guardian summary',
+      contextCompactedMessageCount: 3,
+      totalInputTokens: 0,
+      totalOutputTokens: 0,
+      totalEstimatedCost: 0,
+    };
+    mockDbMessages = [
+      {
+        id: 'm1',
+        role: 'user',
+        content: JSON.stringify([{ type: 'text', text: 'Guardian secret question' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'guardian', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm2',
+        role: 'assistant',
+        content: JSON.stringify([{ type: 'text', text: 'Guardian-only answer' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'guardian', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm3',
+        role: 'user',
+        content: JSON.stringify([{ type: 'text', text: 'Untrusted follow-up' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'unverified_channel', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm4',
+        role: 'assistant',
+        content: JSON.stringify([{ type: 'text', text: 'Untrusted-safe reply' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'unverified_channel', provenanceSourceChannel: 'telegram' }),
+      },
+    ];
+
+    const session = makeSession();
+    session.setGuardianContext({ actorRole: 'unverified_channel', sourceChannel: 'telegram' });
+    await session.loadFromDb();
+    const messages = session.getMessages();
+
+    expect(messages).toHaveLength(2);
+    expect(messages[0].role).toBe('user');
+    expect(messages[0].content).toEqual([{ type: 'text', text: 'Untrusted follow-up' }]);
+    expect(messages[1].role).toBe('assistant');
+    expect(messages[1].content).toEqual([{ type: 'text', text: 'Untrusted-safe reply' }]);
+  });
+
+  test('ensureActorScopedHistory reloads when actor role changes', async () => {
+    mockConversation = {
+      id: 'conv-1',
+      contextSummary: null,
+      contextCompactedMessageCount: 0,
+      totalInputTokens: 0,
+      totalOutputTokens: 0,
+      totalEstimatedCost: 0,
+    };
+    mockDbMessages = [
+      {
+        id: 'm1',
+        role: 'user',
+        content: JSON.stringify([{ type: 'text', text: 'Guardian question' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'guardian', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm2',
+        role: 'assistant',
+        content: JSON.stringify([{ type: 'text', text: 'Guardian answer' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'guardian', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm3',
+        role: 'user',
+        content: JSON.stringify([{ type: 'text', text: 'Unverified ping' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'unverified_channel', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm4',
+        role: 'assistant',
+        content: JSON.stringify([{ type: 'text', text: 'Unverified reply' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'unverified_channel', provenanceSourceChannel: 'telegram' }),
+      },
+    ];
+
+    const session = makeSession();
+
+    session.setGuardianContext({ actorRole: 'guardian', sourceChannel: 'telegram' });
+    await session.ensureActorScopedHistory();
+    expect(session.getMessages()).toHaveLength(4);
+
+    session.setGuardianContext({ actorRole: 'unverified_channel', sourceChannel: 'telegram' });
+    await session.ensureActorScopedHistory();
+    const downgradedMessages = session.getMessages();
+    expect(downgradedMessages).toHaveLength(2);
+    expect(downgradedMessages[0].content).toEqual([{ type: 'text', text: 'Unverified ping' }]);
+    expect(downgradedMessages[1].content).toEqual([{ type: 'text', text: 'Unverified reply' }]);
+  });
+
+  test('persistUserMessage reloads actor-scoped history before persisting on role switch', async () => {
+    mockConversation = {
+      id: 'conv-1',
+      contextSummary: null,
+      contextCompactedMessageCount: 0,
+      totalInputTokens: 0,
+      totalOutputTokens: 0,
+      totalEstimatedCost: 0,
+    };
+    mockDbMessages = [
+      {
+        id: 'm1',
+        role: 'user',
+        content: JSON.stringify([{ type: 'text', text: 'Guardian-only question' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'guardian', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm2',
+        role: 'assistant',
+        content: JSON.stringify([{ type: 'text', text: 'Guardian-only answer' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'guardian', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm3',
+        role: 'user',
+        content: JSON.stringify([{ type: 'text', text: 'Unverified ping' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'unverified_channel', provenanceSourceChannel: 'telegram' }),
+      },
+      {
+        id: 'm4',
+        role: 'assistant',
+        content: JSON.stringify([{ type: 'text', text: 'Unverified reply' }]),
+        metadata: JSON.stringify({ provenanceActorRole: 'unverified_channel', provenanceSourceChannel: 'telegram' }),
+      },
+    ];
+
+    const session = makeSession();
+
+    session.setGuardianContext({ actorRole: 'unverified_channel', sourceChannel: 'telegram' });
+    await session.ensureActorScopedHistory();
+    expect(session.getMessages()).toHaveLength(2);
+
+    session.setGuardianContext({ actorRole: 'guardian', sourceChannel: 'telegram' });
+    await session.persistUserMessage('Guardian follow-up', []);
+    const messagesAfterPersist = session.getMessages();
+
+    expect(messagesAfterPersist).toHaveLength(5);
+    expect(messagesAfterPersist[0].content).toEqual([{ type: 'text', text: 'Guardian-only question' }]);
+    expect(messagesAfterPersist[1].content).toEqual([{ type: 'text', text: 'Guardian-only answer' }]);
+    expect(messagesAfterPersist[4].content).toEqual([{ type: 'text', text: 'Guardian follow-up' }]);
+  });
 });