@vellumai/assistant 0.3.28 → 0.4.1

package/src/__tests__/call-routes-http.test.ts

@@ -47,6 +47,8 @@ const mockCallsConfig = {
 
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     model: 'test',
     provider: 'test',
     apiKeys: {},
@@ -227,8 +229,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('conversationId');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('conversationId');
 
     await stopServer();
   });
@@ -269,8 +271,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('E.164');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('E.164');
 
     await stopServer();
   });
@@ -285,8 +287,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('Invalid JSON');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('Invalid JSON');
 
     await stopServer();
   });
@@ -309,8 +311,8 @@ describe('runtime call routes — HTTP layer', () => {
     // user_number mode requires a configured user phone number;
     // since we haven't set one, this should return a 400 explaining why
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('user_number');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('user_number');
 
     await stopServer();
   });
@@ -364,11 +366,11 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('Invalid callerIdentityMode');
-    expect(body.error).toContain('bogus');
-    expect(body.error).toContain('assistant_number');
-    expect(body.error).toContain('user_number');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('Invalid callerIdentityMode');
+    expect(body.error.message).toContain('bogus');
+    expect(body.error.message).toContain('assistant_number');
+    expect(body.error.message).toContain('user_number');
 
     await stopServer();
   });
@@ -510,8 +512,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('Invalid JSON');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('Invalid JSON');
 
     await stopServer();
   });
@@ -533,9 +535,9 @@ describe('runtime call routes — HTTP layer', () => {
       body: JSON.stringify({ answer: 'Yes, please' }),
     });
 
-    expect(res.status).toBe(404);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('pending question');
+    expect(res.status).toBe(409);
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('No active controller');
 
     await stopServer();
   });
@@ -583,8 +585,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(409);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('orchestrator');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('No active controller');
 
     await stopServer();
   });
@@ -609,8 +611,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('Invalid JSON');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('Invalid JSON');
 
     await stopServer();
   });
@@ -633,8 +635,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('instructionText');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('instructionText');
 
     await stopServer();
   });
@@ -657,8 +659,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(400);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('instructionText');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('instructionText');
 
     await stopServer();
   });
@@ -673,8 +675,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(404);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('No call session found');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('No call session found');
 
     await stopServer();
   });
@@ -699,8 +701,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(409);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('not active');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('not active');
 
     await stopServer();
   });
@@ -723,8 +725,8 @@ describe('runtime call routes — HTTP layer', () => {
     });
 
     expect(res.status).toBe(409);
-    const body = await res.json() as { error: string };
-    expect(body.error).toContain('orchestrator');
+    const body = await res.json() as { error: { message: string; code?: string } };
+    expect(body.error.message).toContain('No active controller');
 
     await stopServer();
   });

package/src/__tests__/call-start-guardian-guard.test.ts

@@ -11,6 +11,8 @@ let activeVoiceSession: {
 
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     calls: { enabled: callsEnabled },
   }),
 }));

package/src/__tests__/channel-invite-transport.test.ts

@@ -71,7 +71,7 @@ describe('channel-invite-transport', () => {
 
   describe('telegram buildShareableInvite', () => {
     test('produces a valid Telegram deep link', () => {
-      const result = telegramInviteTransport.buildShareableInvite({
+      const result = telegramInviteTransport.buildShareableInvite!({
         rawToken: 'abc123_test-token',
         sourceChannel: 'telegram',
       });
@@ -81,15 +81,15 @@ describe('channel-invite-transport', () => {
     });
 
     test('deep link is deterministic for the same token', () => {
-      const a = telegramInviteTransport.buildShareableInvite({ rawToken: 'tok1', sourceChannel: 'telegram' });
-      const b = telegramInviteTransport.buildShareableInvite({ rawToken: 'tok1', sourceChannel: 'telegram' });
+      const a = telegramInviteTransport.buildShareableInvite!({ rawToken: 'tok1', sourceChannel: 'telegram' });
+      const b = telegramInviteTransport.buildShareableInvite!({ rawToken: 'tok1', sourceChannel: 'telegram' });
       expect(a.url).toBe(b.url);
       expect(a.displayText).toBe(b.displayText);
     });
 
     test('uses the configured bot username', () => {
       mockBotUsername = 'my_custom_bot';
-      const result = telegramInviteTransport.buildShareableInvite({
+      const result = telegramInviteTransport.buildShareableInvite!({
         rawToken: 'token',
         sourceChannel: 'telegram',
       });
@@ -103,7 +103,7 @@ describe('channel-invite-transport', () => {
       delete process.env.TELEGRAM_BOT_USERNAME;
       try {
         expect(() =>
-          telegramInviteTransport.buildShareableInvite({
+          telegramInviteTransport.buildShareableInvite!({
             rawToken: 'token',
             sourceChannel: 'telegram',
           }),
@@ -118,7 +118,7 @@ describe('channel-invite-transport', () => {
       const prev = process.env.TELEGRAM_BOT_USERNAME;
       process.env.TELEGRAM_BOT_USERNAME = 'env_bot';
       try {
-        const result = telegramInviteTransport.buildShareableInvite({
+        const result = telegramInviteTransport.buildShareableInvite!({
           rawToken: 'token',
           sourceChannel: 'telegram',
         });

package/src/__tests__/channel-reply-delivery.test.ts

@@ -50,6 +50,25 @@ mock.module('../runtime/gateway-client.js', () => ({
 }));
 
 mock.module('../memory/conversation-store.js', () => ({
+  getConversationThreadType: () => 'default',
+  setConversationOriginChannelIfUnset: () => {},
+  updateConversationContextWindow: () => {},
+  deleteMessageById: () => {},
+  updateConversationTitle: () => {},
+  updateConversationUsage: () => {},
+  addMessage: () => ({ id: 'mock-msg-id' }),
+  getConversation: () => ({
+    id: 'conv-1',
+    contextSummary: null,
+    contextCompactedMessageCount: 0,
+    totalInputTokens: 0,
+    totalOutputTokens: 0,
+    totalEstimatedCost: 0,
+    title: null,
+  }),
+  provenanceFromGuardianContext: () => ({ source: 'user', guardianContext: undefined }),
+  getConversationOriginInterface: () => null,
+  getConversationOriginChannel: () => null,
   getMessages: () => conversationMessages,
 }));
 

package/src/__tests__/channel-retry-sweep.test.ts

@@ -0,0 +1,130 @@
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+import { eq } from 'drizzle-orm';
+
+const testDir = mkdtempSync(join(tmpdir(), 'channel-retry-sweep-test-'));
+
+mock.module('../util/platform.js', () => ({
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+
+import * as channelDeliveryStore from '../memory/channel-delivery-store.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { channelInboundEvents, messages } from '../memory/schema.js';
+import { sweepFailedEvents } from '../runtime/channel-retry-sweep.js';
+
+initializeDb();
+
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    // Best effort cleanup
+  }
+});
+
+function resetTables(): void {
+  const db = getDb();
+  db.run('DELETE FROM channel_inbound_events');
+  db.run('DELETE FROM conversation_keys');
+  db.run('DELETE FROM messages');
+  db.run('DELETE FROM conversations');
+}
+
+function seedFailedLegacyEvent(actorRole: 'guardian' | 'non-guardian' | 'unverified_channel'): string {
+  const inbound = channelDeliveryStore.recordInbound('telegram', 'chat-legacy', `msg-${actorRole}`);
+  channelDeliveryStore.storePayload(inbound.eventId, {
+    content: 'retry me',
+    sourceChannel: 'telegram',
+    interface: 'telegram',
+    guardianCtx: {
+      actorRole,
+      sourceChannel: 'telegram',
+      requesterExternalUserId: 'legacy-user',
+      requesterChatId: 'chat-legacy',
+    },
+  });
+
+  const db = getDb();
+  db.update(channelInboundEvents)
+    .set({
+      processingStatus: 'failed',
+      processingAttempts: 1,
+      retryAfter: Date.now() - 1,
+    })
+    .where(eq(channelInboundEvents.id, inbound.eventId))
+    .run();
+
+  return inbound.eventId;
+}
+
+describe('channel-retry-sweep', () => {
+  beforeEach(() => {
+    resetTables();
+  });
+
+  test('replays legacy guardianCtx.actorRole with preserved trust semantics', async () => {
+    const cases: Array<{
+      actorRole: 'guardian' | 'non-guardian' | 'unverified_channel';
+      expectedTrustClass: 'guardian' | 'trusted_contact' | 'unknown';
+      expectedInteractive: boolean;
+    }> = [
+      { actorRole: 'guardian', expectedTrustClass: 'guardian', expectedInteractive: true },
+      { actorRole: 'non-guardian', expectedTrustClass: 'trusted_contact', expectedInteractive: false },
+      { actorRole: 'unverified_channel', expectedTrustClass: 'unknown', expectedInteractive: false },
+    ];
+
+    for (const c of cases) {
+      const eventId = seedFailedLegacyEvent(c.actorRole);
+      let capturedOptions: {
+        guardianContext?: { trustClass?: string };
+        isInteractive?: boolean;
+      } | undefined;
+
+      await sweepFailedEvents(
+        async (conversationId, _content, _attachmentIds, options) => {
+          capturedOptions = options as {
+            guardianContext?: { trustClass?: string };
+            isInteractive?: boolean;
+          };
+          const messageId = `message-${c.actorRole}`;
+          const db = getDb();
+          db.insert(messages).values({
+            id: messageId,
+            conversationId,
+            role: 'user',
+            content: JSON.stringify([{ type: 'text', text: 'retry me' }]),
+            createdAt: Date.now(),
+          }).run();
+          return { messageId };
+        },
+        undefined,
+      );
+
+      expect(capturedOptions?.guardianContext?.trustClass).toBe(c.expectedTrustClass);
+      expect(capturedOptions?.isInteractive).toBe(c.expectedInteractive);
+
+      const db = getDb();
+      const row = db.select().from(channelInboundEvents).where(eq(channelInboundEvents.id, eventId)).get();
+      expect(row?.processingStatus).toBe('processed');
+    }
+  });
+});

package/src/__tests__/clarification-resolver.test.ts

@@ -57,6 +57,8 @@ mock.module('../providers/provider-send-message.js', () => ({
 
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     apiKeys: {
       anthropic: 'test-key',
     },

package/src/__tests__/claude-code-skill-regression.test.ts

@@ -23,6 +23,8 @@ mock.module('../util/logger.js', () => ({
 
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     apiKeys: { anthropic: 'test-key' },
   }),
 }));

package/src/__tests__/claude-code-tool-profiles.test.ts

@@ -31,6 +31,8 @@ mock.module('../util/logger.js', () => ({
 // Mock config
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     apiKeys: { anthropic: 'test-key' },
   }),
 }));

package/src/__tests__/commit-message-enrichment-service.test.ts

@@ -3,11 +3,12 @@ import { existsSync,mkdirSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 
-import { afterEach,beforeEach, describe, expect, test } from 'bun:test';
+import { afterAll, afterEach, beforeEach, describe, expect, test } from 'bun:test';
 
 import {
   _resetEnrichmentService,
   CommitEnrichmentService,
+  getEnrichmentService,
 } from '../workspace/commit-message-enrichment-service.js';
 import type { CommitContext } from '../workspace/commit-message-provider.js';
 import { _resetGitServiceRegistry,WorkspaceGitService } from '../workspace/git-service.js';
@@ -27,11 +28,18 @@ describe('CommitEnrichmentService', () => {
   });
 
   afterEach(async () => {
+    try { await getEnrichmentService().shutdown(); } catch { /* ignore */ }
+    _resetEnrichmentService();
     if (existsSync(testDir)) {
       rmSync(testDir, { recursive: true, force: true });
     }
   });
 
+  afterAll(async () => {
+    try { await getEnrichmentService().shutdown(); } catch { /* ignore */ }
+    _resetEnrichmentService();
+  });
+
   function makeContext(overrides?: Partial<CommitContext>): CommitContext {
     return {
       workspaceDir: testDir,

package/src/__tests__/computer-use-session-lifecycle.test.ts

@@ -5,6 +5,8 @@ import { describe, expect, mock,test } from 'bun:test';
 // (which have no trust rules in test) don't trigger approval prompts.
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     provider: 'mock-provider',
     permissions: { mode: 'legacy' },
     apiKeys: {},

package/src/__tests__/computer-use-session-working-dir.test.ts

@@ -47,6 +47,7 @@ mock.module('../util/platform.js', () => ({
   isLinux: () => true,
   isWindows: () => false,
   readHttpToken: () => null,
+  normalizeAssistantId: (id: string) => id,
 }));
 
 mock.module('../tools/executor.js', () => ({

package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts

@@ -3,6 +3,8 @@ import { beforeAll, describe, expect, mock,test } from 'bun:test';
 // Mock config before importing modules that depend on it.
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     provider: 'mock-provider',
     permissions: { mode: 'legacy' },
     apiKeys: {},

package/src/__tests__/config-schema.test.ts

@@ -79,7 +79,7 @@ describe('AssistantConfigSchema', () => {
     expect(result.thinking).toEqual({ enabled: false, budgetTokens: 10000, streamThinking: false });
     expect(result.contextWindow).toEqual({
       enabled: true,
-      maxInputTokens: 180000,
+      maxInputTokens: 200000,
       targetInputTokens: 110000,
       compactThreshold: 0.8,
       preserveRecentUserTurns: 8,
@@ -1098,7 +1098,7 @@ describe('loadConfig with schema validation', () => {
     expect(config.thinking).toEqual({ enabled: false, budgetTokens: 10000, streamThinking: false });
     expect(config.contextWindow).toEqual({
       enabled: true,
-      maxInputTokens: 180000,
+      maxInputTokens: 200000,
       targetInputTokens: 110000,
       compactThreshold: 0.8,
       preserveRecentUserTurns: 8,
@@ -1188,7 +1188,7 @@ describe('loadConfig with schema validation', () => {
   test('falls back for invalid contextWindow relationship', () => {
     writeConfig({ contextWindow: { maxInputTokens: 1000, targetInputTokens: 1000 } });
     const config = loadConfig();
-    expect(config.contextWindow.maxInputTokens).toBe(180000);
+    expect(config.contextWindow.maxInputTokens).toBe(200000);
     expect(config.contextWindow.targetInputTokens).toBe(110000);
   });
 
@@ -1348,7 +1348,7 @@ describe('Call entrypoint gating', () => {
     const response = await handleStartCall(req);
     expect(response.status).toBe(403);
 
-    const body = await response.json() as { error: string };
-    expect(body.error).toContain('disabled');
+    const body = await response.json() as { error: { message: string } };
+    expect(body.error.message).toContain('disabled');
   });
 });

package/src/__tests__/config-watcher.test.ts

@@ -96,7 +96,9 @@ mock.module('node:fs', () => {
 
 // Mock config/loader and other dependencies that ConfigWatcher imports
 mock.module('../config/loader.js', () => ({
-  getConfig: () => ({}),
+  getConfig: () => ({
+    ui: {},
+    }),
   invalidateConfigCache: () => {},
 }));
 

package/src/__tests__/connection-policy.test.ts

@@ -41,21 +41,30 @@ describe('hasNoAuthOverride', () => {
     expect(hasNoAuthOverride({ VELLUM_DAEMON_NOAUTH: 'false' })).toBe(false);
   });
 
-  test('returns true when VELLUM_DAEMON_NOAUTH is 1', () => {
-    expect(hasNoAuthOverride({ VELLUM_DAEMON_NOAUTH: '1' })).toBe(true);
+  test('returns true when VELLUM_DAEMON_NOAUTH is 1 with safety gate', () => {
+    expect(hasNoAuthOverride({ VELLUM_DAEMON_NOAUTH: '1', VELLUM_UNSAFE_AUTH_BYPASS: '1' })).toBe(true);
   });
 
-  test('returns true when VELLUM_DAEMON_NOAUTH is true', () => {
-    expect(hasNoAuthOverride({ VELLUM_DAEMON_NOAUTH: 'true' })).toBe(true);
+  test('returns false when VELLUM_DAEMON_NOAUTH is 1 without safety gate', () => {
+    expect(hasNoAuthOverride({ VELLUM_DAEMON_NOAUTH: '1' })).toBe(false);
+  });
+
+  test('returns true when VELLUM_DAEMON_NOAUTH is true with safety gate', () => {
+    expect(hasNoAuthOverride({ VELLUM_DAEMON_NOAUTH: 'true', VELLUM_UNSAFE_AUTH_BYPASS: '1' })).toBe(true);
+  });
+
+  test('returns false when VELLUM_DAEMON_NOAUTH is true without safety gate', () => {
+    expect(hasNoAuthOverride({ VELLUM_DAEMON_NOAUTH: 'true' })).toBe(false);
   });
 
   test('is independent of VELLUM_DAEMON_SOCKET', () => {
     // Socket override alone does NOT enable no-auth
     expect(hasNoAuthOverride({ VELLUM_DAEMON_SOCKET: '/tmp/custom.sock' })).toBe(false);
-    // No-auth requires its own explicit flag
+    // No-auth requires its own explicit flag plus safety gate
     expect(hasNoAuthOverride({
       VELLUM_DAEMON_SOCKET: '/tmp/custom.sock',
       VELLUM_DAEMON_NOAUTH: '1',
+      VELLUM_UNSAFE_AUTH_BYPASS: '1',
     })).toBe(true);
   });
 });

package/src/__tests__/contacts-tools.test.ts

@@ -27,7 +27,9 @@ mock.module('../util/logger.js', () => ({
 }));
 
 mock.module('../config/loader.js', () => ({
-  getConfig: () => ({ memory: {} }),
+  getConfig: () => ({
+    ui: {},
+     memory: {} }),
 }));
 
 import type { Database } from 'bun:sqlite';

package/src/__tests__/contradiction-checker.test.ts

@@ -73,6 +73,8 @@ let mockConflictableKinds: string[] = [
 
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
+    ui: {},
+    
     apiKeys: { anthropic: 'test-key' },
     memory: {
       conflicts: {

package/src/__tests__/conversation-pairing.test.ts

@@ -49,6 +49,16 @@ const getConversationMock = mock((id: string) => {
 });
 
 mock.module('../memory/conversation-store.js', () => ({
+  getConversationThreadType: () => 'default',
+  setConversationOriginChannelIfUnset: () => {},
+  updateConversationContextWindow: () => {},
+  deleteMessageById: () => {},
+  updateConversationTitle: () => {},
+  updateConversationUsage: () => {},
+  getMessages: () => [],
+  provenanceFromGuardianContext: () => ({ source: 'user', guardianContext: undefined }),
+  getConversationOriginInterface: () => null,
+  getConversationOriginChannel: () => null,
   createConversation: createConversationMock,
   addMessage: addMessageMock,
   getConversation: getConversationMock,

package/src/__tests__/conversation-routes.test.ts

@@ -49,7 +49,7 @@ describe('handleSendMessage', () => {
     expect(body.messageId).toBe('msg-legacy-fallback');
     expect(capturedSourceChannel).toBe('telegram');
     expect(capturedOptions?.guardianContext).toEqual({
-      actorRole: 'guardian',
+      trustClass: 'guardian',
       sourceChannel: 'telegram',
     });
   });

package/src/__tests__/credential-security-invariants.test.ts

@@ -61,6 +61,7 @@ mock.module('../tools/registry.js', () => ({
 // Imports under test
 // ---------------------------------------------------------------------------
 
+import { DEFAULT_CONFIG } from '../config/defaults.js';
 import { redactSensitiveFields } from '../security/redaction.js';
 import { setSecureKey } from '../security/secure-keys.js';
 import { CredentialBroker } from '../tools/credentials/broker.js';
@@ -125,7 +126,18 @@ describe('Invariant 1: secrets never enter LLM context', () => {
   test('user message containing secret is blocked from entering history', () => {
     // Mock config to enable block mode
     mock.module('../config/loader.js', () => ({
+      applyNestedDefaults: (config: unknown) => config,
       getConfig: () => ({
+        ui: {},
+        secretDetection: {
+          enabled: true,
+          action: 'block',
+          blockIngress: true,
+        },
+      }),
+      invalidateConfigCache: () => {},
+      loadConfig: () => ({
+        ui: {},
         secretDetection: {
           enabled: true,
           action: 'block',
@@ -204,6 +216,10 @@ describe('Invariant 2: no generic plaintext secret read API', () => {
       'messaging/providers/telegram-bot/adapter.ts', // Telegram bot token lookup for connectivity check
       'messaging/providers/sms/adapter.ts', // Twilio credential lookup for SMS connectivity check
       'runtime/channel-readiness-service.ts', // channel readiness probes for SMS/Telegram connectivity
+      'messaging/providers/whatsapp/adapter.ts', // WhatsApp credential lookup for connectivity check
+      'schedule/integration-status.ts',          // integration status checks for scheduled reports
+      'daemon/handlers/oauth-connect.ts',        // OAuth connect handler for integration setup
+      'daemon/handlers/config-slack-channel.ts', // Slack channel config credential management
     ]);
 
     const thisDir = dirname(fileURLToPath(import.meta.url));
@@ -436,20 +452,14 @@ describe('One-time send override', () => {
   });
 
   test('allowOneTimeSend defaults to false in config', () => {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { DEFAULT_CONFIG } = require('../config/defaults.js');
     expect(DEFAULT_CONFIG.secretDetection.allowOneTimeSend).toBe(false);
   });
 
   test('default secretDetection.action is redact', () => {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { DEFAULT_CONFIG } = require('../config/defaults.js');
     expect(DEFAULT_CONFIG.secretDetection.action).toBe('redact');
   });
 
   test('default secretDetection.blockIngress is true', () => {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { DEFAULT_CONFIG } = require('../config/defaults.js');
     expect(DEFAULT_CONFIG.secretDetection.blockIngress).toBe(true);
   });
 });