@vellumai/assistant 0.4.1 → 0.4.3

package/src/__tests__/assistant-id-boundary-guard.test.ts

@@ -0,0 +1,290 @@
+import { execFileSync } from 'node:child_process';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+import { describe, expect, test } from 'bun:test';
+
+import { DAEMON_INTERNAL_ASSISTANT_ID } from '../runtime/assistant-scope.js';
+
+/**
+ * Guard tests for the assistant identity boundary.
+ *
+ * The daemon uses a fixed internal scope constant (`DAEMON_INTERNAL_ASSISTANT_ID`)
+ * for all assistant-scoped storage. Public assistant IDs are an edge concern
+ * handled by the gateway/platform layer — they must not leak into daemon
+ * scoping logic.
+ *
+ * These tests prevent regressions by scanning source files for banned patterns:
+ *  - No `normalizeAssistantId` usage in daemon/runtime scoping modules
+ *  - No assistant-scoped route handlers in the daemon HTTP server
+ *  - No hardcoded `'self'` string for assistant scoping (use the constant)
+ *  - The constant itself equals `'self'`
+ */
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Resolve repo root (tests run from assistant/). */
+function getRepoRoot(): string {
+  return join(process.cwd(), '..');
+}
+
+/**
+ * Directories containing daemon/runtime source files that must not reference
+ * `normalizeAssistantId` or hardcode assistant scope strings.
+ *
+ * Each directory gets both a `*.ts` glob (top-level files) and a `**\/*.ts`
+ * glob (nested files) so that `git grep` matches at all directory depths.
+ */
+const SCANNED_DIRS = [
+  'assistant/src/runtime',
+  'assistant/src/daemon',
+  'assistant/src/memory',
+  'assistant/src/approvals',
+  'assistant/src/calls',
+  'assistant/src/tools',
+];
+
+const SCANNED_DIR_GLOBS = SCANNED_DIRS.flatMap((dir) => [`${dir}/*.ts`, `${dir}/**/*.ts`]);
+
+function isTestFile(filePath: string): boolean {
+  return (
+    filePath.includes('/__tests__/') ||
+    filePath.endsWith('.test.ts') ||
+    filePath.endsWith('.test.js') ||
+    filePath.endsWith('.spec.ts') ||
+    filePath.endsWith('.spec.js')
+  );
+}
+
+function isMigrationFile(filePath: string): boolean {
+  return filePath.includes('/migrations/');
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('assistant ID boundary', () => {
+  // -------------------------------------------------------------------------
+  // Rule (d): The DAEMON_INTERNAL_ASSISTANT_ID constant equals 'self'
+  // -------------------------------------------------------------------------
+
+  test('DAEMON_INTERNAL_ASSISTANT_ID equals "self"', () => {
+    expect(DAEMON_INTERNAL_ASSISTANT_ID).toBe('self');
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (a): No normalizeAssistantId in daemon scoping paths — spot check
+  // -------------------------------------------------------------------------
+
+  test('no normalizeAssistantId imports in daemon scoping paths', () => {
+    // Key daemon/runtime files that previously used normalizeAssistantId
+    // should now use DAEMON_INTERNAL_ASSISTANT_ID instead.
+    const daemonScopingFiles = [
+      'runtime/actor-trust-resolver.ts',
+      'runtime/guardian-outbound-actions.ts',
+      'daemon/handlers/config-channels.ts',
+      'runtime/routes/channel-route-shared.ts',
+      'calls/relay-server.ts',
+    ];
+
+    const srcDir = join(import.meta.dir, '..');
+    for (const relPath of daemonScopingFiles) {
+      const content = readFileSync(join(srcDir, relPath), 'utf-8');
+      expect(content).not.toContain("import { normalizeAssistantId }");
+      expect(content).not.toContain("import { normalizeAssistantId,");
+      expect(content).not.toContain("normalizeAssistantId(");
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (a): No normalizeAssistantId in daemon/runtime directories — broad scan
+  // -------------------------------------------------------------------------
+
+  test('no normalizeAssistantId usage across daemon/runtime source directories', () => {
+    const repoRoot = getRepoRoot();
+
+    // Scan all daemon/runtime source directories for any reference to
+    // normalizeAssistantId. The function is defined in util/platform.ts for
+    // gateway use — it must not appear in daemon scoping modules.
+    let grepOutput = '';
+    try {
+      grepOutput = execFileSync(
+        'git',
+        ['grep', '-lE', 'normalizeAssistantId', '--', ...SCANNED_DIR_GLOBS],
+        { encoding: 'utf-8', cwd: repoRoot },
+      ).trim();
+    } catch (err) {
+      // Exit code 1 means no matches — happy path
+      if ((err as { status?: number }).status === 1) {
+        return;
+      }
+      throw err;
+    }
+
+    const files = grepOutput.split('\n').filter((f) => f.length > 0);
+    const violations = files.filter((f) => !isTestFile(f));
+
+    if (violations.length > 0) {
+      const message = [
+        'Found daemon/runtime source files that reference `normalizeAssistantId`.',
+        'Daemon code should use the `DAEMON_INTERNAL_ASSISTANT_ID` constant instead.',
+        'The `normalizeAssistantId` function is for gateway/platform use only (defined in util/platform.ts).',
+        '',
+        'Violations:',
+        ...violations.map((f) => `  - ${f}`),
+      ].join('\n');
+
+      expect(violations, message).toEqual([]);
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (b): No assistant-scoped route registration in daemon HTTP server
+  // -------------------------------------------------------------------------
+
+  test('no /v1/assistants/:assistantId/ route handler registration in daemon HTTP server', () => {
+    const httpServerPath = join(import.meta.dir, '..', 'runtime', 'http-server.ts');
+    const content = readFileSync(httpServerPath, 'utf-8');
+
+    // The daemon HTTP server must not contain any assistant-scoped route
+    // patterns. All routes use flat /v1/<endpoint> paths; the gateway handles
+    // legacy assistant-scoped URL rewriting in its runtime proxy layer.
+
+    // Check that there's no regex extracting assistantId from a /v1/assistants/ path.
+    // Match both literal slashes (/v1/assistants/([) and escaped slashes in regex
+    // literals (\/v1\/assistants\/([) so we catch patterns like:
+    //   endpoint.match(/^\/v1\/assistants\/([^/]+)\/(.+)$/)
+    const routeHandlerRegex = /\\?\/v1\\?\/assistants\\?\/\(\[/;
+    const match = content.match(routeHandlerRegex);
+    expect(
+      match,
+      'Found a route pattern matching /v1/assistants/([^/]+)/... that extracts an assistantId. ' +
+        'The daemon HTTP server should not have assistant-scoped route handlers — ' +
+        'use flat /v1/<endpoint> paths instead.',
+    ).toBeNull();
+
+    // Scan the entire file for assistant-scoped path literals. No references
+    // to /v1/assistants/ should exist — the daemon uses flat paths only.
+    const lines = content.split('\n');
+    const violations: string[] = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      // Match both literal /v1/assistants/ and escaped \/v1\/assistants\/
+      if (line.includes('/v1/assistants/') || line.includes('\\/v1\\/assistants\\/')) {
+        violations.push(`  line ${i + 1}: ${line.trim()}`);
+      }
+    }
+
+    expect(
+      violations,
+      'Found /v1/assistants/ references in the daemon HTTP server — ' +
+        'the daemon should not have assistant-scoped path literals.\n' +
+        violations.join('\n'),
+    ).toEqual([]);
+
+    // Guard against prefix-less assistants/ route patterns that extract an
+    // assistantId.  dispatchEndpoint receives the endpoint *after* the /v1/
+    // prefix has been stripped, so a regex like `assistants\/([^/]+)` would
+    // capture an external assistant ID from the path — violating the
+    // assistant-scoping boundary.
+    const prefixLessViolations: string[] = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      // Match regex patterns like assistants\/([^/]+) that capture the ID
+      // segment.  We look for the escaped-slash form used inside JS regex
+      // literals (e.g. /^assistants\/([^/]+)\//).
+      if (/assistants\\\/\(\[/.test(line)) {
+        prefixLessViolations.push(`  line ${i + 1}: ${line.trim()}`);
+      }
+    }
+
+    expect(
+      prefixLessViolations,
+      'Found prefix-less assistants/([^/]+) route pattern that extracts an assistantId. ' +
+        'The daemon should not parse assistant IDs from URL paths — use ' +
+        'DAEMON_INTERNAL_ASSISTANT_ID instead.\n' +
+        prefixLessViolations.join('\n'),
+    ).toEqual([]);
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (c): No hardcoded 'self' for assistant scoping in daemon files
+  // -------------------------------------------------------------------------
+
+  test('no hardcoded \'self\' string for assistant scoping in daemon source files', () => {
+    const repoRoot = getRepoRoot();
+
+    // Search for patterns where 'self' is used as an assistant ID value.
+    // We look for assignment / default / comparison patterns that suggest
+    // using the raw string instead of the DAEMON_INTERNAL_ASSISTANT_ID constant.
+    //
+    // Patterns matched:
+    //   assistantId: 'self'
+    //   assistantId = 'self'
+    //   assistantId ?? 'self'
+    //   ?? 'self'   (fallback to self)
+    //   || 'self'   (fallback to self)
+    //
+    // Excluded:
+    //   - Test files (they may legitimately assert against the value)
+    //   - Migration files (SQL literals like DEFAULT 'self' are fine)
+    //   - IPC contract files (comments documenting default values are fine)
+    //   - CSP headers ('self' in Content-Security-Policy has nothing to do with assistant IDs)
+    const pattern = `(assistantId|assistant_id).*['"]self['"]`;
+
+    let grepOutput = '';
+    try {
+      grepOutput = execFileSync(
+        'git',
+        ['grep', '-nE', pattern, '--', ...SCANNED_DIR_GLOBS],
+        { encoding: 'utf-8', cwd: repoRoot },
+      ).trim();
+    } catch (err) {
+      // Exit code 1 means no matches — happy path
+      if ((err as { status?: number }).status === 1) {
+        return;
+      }
+      throw err;
+    }
+
+    const lines = grepOutput.split('\n').filter((l) => l.length > 0);
+    const violations = lines.filter((line) => {
+      const filePath = line.split(':')[0];
+      if (isTestFile(filePath)) return false;
+      if (isMigrationFile(filePath)) return false;
+
+      // Allow comments (lines where the code portion starts with //)
+      const parts = line.split(':');
+      // parts[0] = file, parts[1] = line number, rest = content
+      const content = parts.slice(2).join(':').trim();
+      if (content.startsWith('//') || content.startsWith('*') || content.startsWith('/*')) {
+        return false;
+      }
+
+      return true;
+    });
+
+    if (violations.length > 0) {
+      const message = [
+        "Found daemon/runtime source files with hardcoded 'self' for assistant scoping.",
+        'Use the `DAEMON_INTERNAL_ASSISTANT_ID` constant from `runtime/assistant-scope.ts` instead.',
+        '',
+        'Violations:',
+        ...violations.map((v) => `  - ${v}`),
+      ].join('\n');
+
+      expect(violations, message).toEqual([]);
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Rule (d): Daemon storage keys don't contain external assistant IDs
+  // (verified by the constant value test above — if the constant is 'self',
+  // all daemon storage keyed by DAEMON_INTERNAL_ASSISTANT_ID uses the fixed
+  // internal value rather than externally-provided IDs).
+  // -------------------------------------------------------------------------
+});

package/src/__tests__/call-routes-http.test.ts

@@ -177,10 +177,6 @@ describe('runtime call routes — HTTP layer', () => {
     return `http://127.0.0.1:${port}/v1/calls${path}`;
   }
 
-  function assistantCallsUrl(assistantId: string, path = ''): string {
-    return `http://127.0.0.1:${port}/v1/assistants/${assistantId}/calls${path}`;
-  }
-
   // ── POST /v1/calls/start ────────────────────────────────────────────
 
   test('POST /v1/calls/start returns 201 with call session', async () => {
@@ -235,27 +231,6 @@ describe('runtime call routes — HTTP layer', () => {
     await stopServer();
   });
 
-  test('POST /v1/assistants/:assistantId/calls/start uses assistant-scoped caller number', async () => {
-    await startServer();
-    ensureConversation('conv-start-scoped-1');
-
-    const res = await fetch(assistantCallsUrl('asst-alpha', '/start'), {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', ...AUTH_HEADERS },
-      body: JSON.stringify({
-        phoneNumber: '+15559997777',
-        task: 'Check order status',
-        conversationId: 'conv-start-scoped-1',
-      }),
-    });
-
-    expect(res.status).toBe(201);
-    const body = await res.json() as { fromNumber: string };
-    expect(body.fromNumber).toBe('+15550009999');
-
-    await stopServer();
-  });
-
   test('POST /v1/calls/start returns 400 for invalid phone number', async () => {
     await startServer();
     ensureConversation('conv-start-2');

package/src/__tests__/channel-approval-routes.test.ts

@@ -2615,6 +2615,56 @@ describe('background channel processing approval prompts', () => {
     deliverPromptSpy.mockRestore();
   });
 
+  test('guardian prompt delivery still works when binding ID formatting differs from sender ID', async () => {
+    // Guardian binding includes extra whitespace; trust resolution canonicalizes
+    // identity and prompt delivery should still treat this sender as the guardian.
+    createBinding({
+      assistantId: 'self',
+      channel: 'telegram',
+      guardianExternalUserId: '  telegram-user-default  ',
+      guardianDeliveryChatId: 'chat-123',
+    });
+
+    const deliverPromptSpy = spyOn(gatewayClient, 'deliverApprovalPrompt').mockResolvedValue(undefined);
+    const processCalls: Array<{ options?: Record<string, unknown> }> = [];
+
+    const processMessage = mock(async (
+      conversationId: string,
+      _content: string,
+      _attachmentIds?: string[],
+      options?: Record<string, unknown>,
+    ) => {
+      processCalls.push({ options });
+
+      registerPendingInteraction('req-bg-format-1', conversationId, 'host_bash', {
+        input: { command: 'ls -la' },
+        riskLevel: 'medium',
+      });
+
+      await new Promise((resolve) => setTimeout(resolve, 350));
+      return { messageId: 'msg-bg-format-1' };
+    });
+
+    const req = makeInboundRequest({
+      content: 'run ls',
+      sourceChannel: 'telegram',
+      replyCallbackUrl: 'https://gateway.test/deliver/telegram',
+      externalMessageId: 'msg-bg-format-1',
+    });
+
+    const res = await handleChannelInbound(req, processMessage as unknown as typeof noopProcessMessage, 'token');
+    const body = await res.json() as Record<string, unknown>;
+    expect(body.accepted).toBe(true);
+
+    await new Promise((resolve) => setTimeout(resolve, 700));
+
+    expect(processCalls.length).toBeGreaterThan(0);
+    expect(processCalls[0].options?.isInteractive).toBe(true);
+    expect(deliverPromptSpy).toHaveBeenCalled();
+
+    deliverPromptSpy.mockRestore();
+  });
+
   test('non-guardian channel turns are not interactive to prevent self-approval', async () => {
     // Set up a guardian binding for a DIFFERENT user so the sender is non-guardian
     createBinding({
@@ -2709,8 +2759,8 @@ describe('NL approval routing via destination-scoped canonical requests', () =>
     noopProcessMessage.mockClear();
   });
 
-  test('guardian plain-text "yes" resolves a pending_question with no guardianExternalUserId via delivery-scoped hint', async () => {
-    // Simulate a voice-originated pending_question without guardianExternalUserId
+  test('guardian plain-text "yes" fails closed for tool_approval with no guardianExternalUserId', async () => {
+    // Simulate a voice-originated tool approval without guardianExternalUserId
     const guardianChatId = 'guardian-chat-nl-1';
     const guardianUserId = 'guardian-user-nl-1';
 
@@ -2759,12 +2809,12 @@ describe('NL approval routing via destination-scoped canonical requests', () =>
     const body = await res.json() as Record<string, unknown>;
 
     expect(body.accepted).toBe(true);
-    expect(body.canonicalRouter).toBe('canonical_decision_applied');
+    expect(body.canonicalRouter).toBe('canonical_decision_stale');
 
-    // Verify the request was resolved
+    // Verify the request remains pending (identity-bound fail-closed).
     const resolved = getCanonicalGuardianRequest(canonicalReq.id);
     expect(resolved).not.toBeNull();
-    expect(resolved!.status).toBe('approved');
+    expect(resolved!.status).toBe('pending');
   });
 
   test('inbound from different chat ID does not auto-match delivery-scoped canonical request', async () => {

package/src/__tests__/channel-guardian.test.ts

@@ -22,7 +22,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 
@@ -1458,9 +1457,11 @@ describe('IPC handler channel-aware guardian status', () => {
     expect(resp!.channel).toBe('sms');
   });
 
-  test('status action with custom assistantId returns correct value', () => {
+  test('status action with custom assistantId is ignored (daemon uses internal scope)', () => {
+    // Create binding under the internal scope constant — the handler always
+    // uses DAEMON_INTERNAL_ASSISTANT_ID regardless of what the caller passes.
     createBinding({
-      assistantId: 'asst-custom',
+      assistantId: 'self',
       channel: 'telegram',
       guardianExternalUserId: 'user-77',
       guardianDeliveryChatId: 'chat-77',
@@ -1471,7 +1472,7 @@ describe('IPC handler channel-aware guardian status', () => {
       type: 'guardian_verification',
       action: 'status',
       channel: 'telegram',
-      assistantId: 'asst-custom',
+      assistantId: 'asst-custom',  // ignored by handler
     };
 
     handleGuardianVerification(msg, mockSocket, ctx);
@@ -1480,7 +1481,7 @@ describe('IPC handler channel-aware guardian status', () => {
     expect(resp).not.toBeNull();
     expect(resp!.success).toBe(true);
     expect(resp!.bound).toBe(true);
-    expect(resp!.assistantId).toBe('asst-custom');
+    expect(resp!.assistantId).toBe('self');
     expect(resp!.channel).toBe('telegram');
     expect(resp!.guardianExternalUserId).toBe('user-77');
     expect(resp!.guardianDeliveryChatId).toBe('chat-77');

package/src/__tests__/config-schema.test.ts

@@ -581,6 +581,8 @@ describe('AssistantConfigSchema', () => {
       provider: 'twilio',
       maxDurationSeconds: 3600,
       userConsultTimeoutSeconds: 120,
+      ttsPlaybackDelayMs: 3000,
+      accessRequestPollIntervalMs: 500,
       disclosure: {
         enabled: true,
         text: 'At the very beginning of the call, introduce yourself as an assistant calling on behalf of the person you represent. Do not say "AI assistant".',

package/src/__tests__/daemon-server-session-init.test.ts

@@ -36,6 +36,7 @@ let lastCreateConversationArgs: unknown;
 // field declarations create own-properties that mask prototype assignments.
 let mockConfirmationToEmitDuringLoop: Record<string, unknown> | undefined;
 let mockMidLoopCallback: ((session: MockSession) => void) | undefined;
+let lastCanonicalGuardianCreateParams: Record<string, unknown> | undefined;
 
 class MockSession {
   public readonly conversationId: string;
@@ -253,7 +254,10 @@ mock.module('../memory/conversation-attention-store.js', () => ({
 
 mock.module('../memory/canonical-guardian-store.js', () => ({
   generateCanonicalRequestCode: () => 'mock-code-0000',
-  createCanonicalGuardianRequest: () => ({ requestCode: 'mock-code-0000', status: 'pending' }),
+  createCanonicalGuardianRequest: (params: Record<string, unknown>) => {
+    lastCanonicalGuardianCreateParams = params;
+    return { requestCode: 'mock-code-0000', status: 'pending' };
+  },
   submitCanonicalRequest: () => ({ requestCode: 'mock-code-0000', status: 'pending' }),
   getCanonicalRequest: () => null,
   resolveCanonicalRequest: () => false,
@@ -342,6 +346,7 @@ describe('DaemonServer initial session hydration', () => {
     lastCreatedWorkingDir = undefined;
     lastCreatedMemoryPolicy = undefined;
     lastCreateConversationArgs = undefined;
+    lastCanonicalGuardianCreateParams = undefined;
     mockConfirmationToEmitDuringLoop = undefined;
     mockMidLoopCallback = undefined;
     pendingInteractions.clear();
@@ -686,6 +691,54 @@ describe('DaemonServer initial session hydration', () => {
     expect(interaction?.conversationId).toBe(conversation.id);
   });
 
+  test('confirmation_request canonical records include bound guardian identity context', async () => {
+    const server = new DaemonServer();
+
+    mockConfirmationToEmitDuringLoop = {
+      type: 'confirmation_request',
+      requestId: 'req-bound-1',
+      toolName: 'host_bash',
+      input: { command: 'ls' },
+      riskLevel: 'high',
+      allowlistOptions: [{ label: 'host_bash:*', description: 'host_bash:*', pattern: 'host_bash:*' }],
+      scopeOptions: [{ label: 'everywhere', scope: 'everywhere' }],
+      persistentDecisionsAllowed: true,
+    };
+
+    await server.processMessage(
+      conversation.id,
+      'run ls',
+      undefined,
+      {
+        isInteractive: false,
+        guardianContext: {
+          sourceChannel: 'telegram',
+          trustClass: 'trusted_contact',
+          guardianExternalUserId: 'guardian-123',
+          requesterExternalUserId: 'trusted-456',
+          requesterChatId: 'chat-789',
+        },
+      },
+      'telegram',
+      'telegram',
+    );
+
+    expect(lastCanonicalGuardianCreateParams).toBeDefined();
+    expect(lastCanonicalGuardianCreateParams).toMatchObject({
+      id: 'req-bound-1',
+      kind: 'tool_approval',
+      sourceType: 'channel',
+      sourceChannel: 'telegram',
+      conversationId: conversation.id,
+      guardianExternalUserId: 'guardian-123',
+      requesterExternalUserId: 'trusted-456',
+      requesterChatId: 'chat-789',
+      toolName: 'host_bash',
+      status: 'pending',
+      requestCode: 'mock-code-0000',
+    });
+  });
+
   test('finally block does not overwrite IPC client that connected during interactive agent loop (processMessage)', async () => {
     const server = new DaemonServer();
     const internal = asDaemonServerTestAccess(server);

package/src/__tests__/deterministic-verification-control-plane.test.ts

@@ -32,7 +32,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 

package/src/__tests__/guardian-actions-endpoint.test.ts

@@ -262,6 +262,27 @@ describe('HTTP handleGuardianActionDecision', () => {
     expect(mockApplyCanonicalGuardianDecision).toHaveBeenCalledTimes(1);
   });
 
+  test('applies decision for voice access_request kind through canonical primitive', async () => {
+    createTestCanonicalRequest({
+      conversationId: 'conv-voice-access',
+      requestId: 'req-voice-access-1',
+      kind: 'access_request',
+      toolName: 'ingress_access_request',
+      guardianExternalUserId: 'guardian-voice-42',
+    });
+    mockApplyCanonicalGuardianDecision.mockResolvedValueOnce({ applied: true, requestId: 'req-voice-access-1', grantMinted: false });
+
+    const req = new Request('http://localhost/v1/guardian-actions/decision', {
+      method: 'POST',
+      body: JSON.stringify({ requestId: 'req-voice-access-1', action: 'approve_once' }),
+    });
+    const res = await handleGuardianActionDecision(req);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.applied).toBe(true);
+    expect(mockApplyCanonicalGuardianDecision).toHaveBeenCalledTimes(1);
+  });
+
   test('returns stale reason from canonical decision primitive', async () => {
     createTestCanonicalRequest({ conversationId: 'conv-stale', requestId: 'req-stale-1' });
     mockApplyCanonicalGuardianDecision.mockResolvedValueOnce({ applied: false, reason: 'already_resolved' });

package/src/__tests__/guardian-decision-primitive-canonical.test.ts

@@ -248,7 +248,7 @@ describe('applyCanonicalGuardianDecision', () => {
     expect(result.grantMinted).toBe(false);
   });
 
-  test('allows decision when request has no guardian binding', async () => {
+  test('rejects non-trusted decision when tool approval has no guardian binding', async () => {
     const req = createCanonicalGuardianRequest({
       kind: 'tool_approval',
       sourceType: 'channel',
@@ -263,7 +263,9 @@ describe('applyCanonicalGuardianDecision', () => {
       actorContext: guardianActor({ externalUserId: 'anyone' }),
     });
 
-    expect(result.applied).toBe(true);
+    expect(result.applied).toBe(false);
+    if (result.applied) return;
+    expect(result.reason).toBe('identity_mismatch');
   });
 
   // ── Stale / already-resolved (race condition) ──────────────────────

package/src/__tests__/guardian-outbound-http.test.ts

@@ -35,7 +35,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));