npm - @vellumai/assistant - Versions diffs - 0.4.16 → 0.4.18 - Mend

@vellumai/assistant 0.4.16 → 0.4.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (536) hide show

package/Dockerfile +6 -6
package/README.md +1 -2
package/eslint.config.mjs +2 -2
package/package.json +1 -1
package/src/__tests__/access-request-decision.test.ts +128 -120
package/src/__tests__/account-registry.test.ts +121 -110
package/src/__tests__/active-skill-tools.test.ts +200 -172
package/src/__tests__/actor-token-service.test.ts +341 -274
package/src/__tests__/agent-loop-thinking.test.ts +28 -19
package/src/__tests__/agent-loop.test.ts +798 -378
package/src/__tests__/anthropic-provider.test.ts +405 -247
package/src/__tests__/app-builder-tool-scripts.test.ts +97 -97
package/src/__tests__/app-bundler.test.ts +112 -79
package/src/__tests__/app-executors.test.ts +205 -178
package/src/__tests__/app-git-history.test.ts +90 -73
package/src/__tests__/app-git-service.test.ts +67 -53
package/src/__tests__/app-open-proxy.test.ts +29 -25
package/src/__tests__/approval-conversation-turn.test.ts +100 -81
package/src/__tests__/approval-hardcoded-copy-guard.test.ts +45 -17
package/src/__tests__/approval-message-composer.test.ts +119 -119
package/src/__tests__/approval-primitive.test.ts +264 -233
package/src/__tests__/approval-routes-http.test.ts +4 -3
package/src/__tests__/asset-materialize-tool.test.ts +250 -178
package/src/__tests__/asset-search-tool.test.ts +251 -191
package/src/__tests__/assistant-attachment-directive.test.ts +187 -142
package/src/__tests__/assistant-attachments.test.ts +254 -186
package/src/__tests__/assistant-event-hub.test.ts +105 -63
package/src/__tests__/assistant-event.test.ts +66 -58
package/src/__tests__/assistant-events-sse-hardening.test.ts +113 -73
package/src/__tests__/assistant-feature-flag-guard.test.ts +78 -52
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +48 -45
package/src/__tests__/assistant-feature-flags-integration.test.ts +118 -77
package/src/__tests__/assistant-id-boundary-guard.test.ts +158 -104
package/src/__tests__/attachments-store.test.ts +240 -183
package/src/__tests__/attachments.test.ts +70 -62
package/src/__tests__/audit-log-rotation.test.ts +50 -35
package/src/__tests__/browser-fill-credential.test.ts +169 -101
package/src/__tests__/browser-manager.test.ts +97 -75
package/src/__tests__/browser-runtime-check.test.ts +16 -15
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +12 -10
package/src/__tests__/browser-skill-endstate.test.ts +97 -72
package/src/__tests__/bundle-scanner.test.ts +47 -22
package/src/__tests__/bundled-asset.test.ts +74 -47
package/src/__tests__/call-constants.test.ts +19 -19
package/src/__tests__/call-controller.test.ts +1073 -751
package/src/__tests__/call-conversation-messages.test.ts +90 -65
package/src/__tests__/call-domain.test.ts +149 -121
package/src/__tests__/call-pointer-message-composer.test.ts +113 -83
package/src/__tests__/call-pointer-messages.test.ts +213 -154
package/src/__tests__/call-pointer-no-hardcoded-copy.guard.test.ts +9 -10
package/src/__tests__/call-recovery.test.ts +232 -212
package/src/__tests__/call-routes-http.test.ts +328 -279
package/src/__tests__/call-start-guardian-guard.test.ts +32 -30
package/src/__tests__/call-state-machine.test.ts +62 -51
package/src/__tests__/call-state.test.ts +89 -75
package/src/__tests__/call-store.test.ts +387 -316
package/src/__tests__/callback-handoff-copy.test.ts +84 -82
package/src/__tests__/canonical-guardian-store.test.ts +331 -280
package/src/__tests__/channel-approval-routes.test.ts +1643 -1126
package/src/__tests__/channel-approval.test.ts +139 -137
package/src/__tests__/channel-approvals.test.ts +226 -182
package/src/__tests__/channel-delivery-store.test.ts +232 -194
package/src/__tests__/channel-guardian.test.ts +6 -3
package/src/__tests__/channel-invite-transport.test.ts +107 -92
package/src/__tests__/channel-policy.test.ts +42 -38
package/src/__tests__/channel-readiness-service.test.ts +119 -102
package/src/__tests__/channel-reply-delivery.test.ts +147 -118
package/src/__tests__/channel-retry-sweep.test.ts +153 -110
package/src/__tests__/checker.test.ts +3309 -1850
package/src/__tests__/clarification-resolver.test.ts +91 -79
package/src/__tests__/classifier.test.ts +64 -54
package/src/__tests__/claude-code-skill-regression.test.ts +42 -37
package/src/__tests__/claude-code-tool-profiles.test.ts +31 -29
package/src/__tests__/clawhub.test.ts +92 -82
package/src/__tests__/cli.test.ts +30 -30
package/src/__tests__/clipboard.test.ts +53 -46
package/src/__tests__/commit-guarantee.test.ts +59 -52
package/src/__tests__/commit-message-enrichment-service.test.ts +203 -75
package/src/__tests__/compaction.benchmark.test.ts +33 -31
package/src/__tests__/computer-use-session-compaction.test.ts +60 -50
package/src/__tests__/computer-use-session-lifecycle.test.ts +145 -117
package/src/__tests__/computer-use-session-working-dir.test.ts +62 -48
package/src/__tests__/computer-use-skill-baseline.test.ts +22 -19
package/src/__tests__/computer-use-skill-endstate.test.ts +45 -31
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +121 -88
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +65 -42
package/src/__tests__/computer-use-skill-proxy-bridge.test.ts +33 -18
package/src/__tests__/computer-use-tools.test.ts +121 -98
package/src/__tests__/config-schema.test.ts +443 -347
package/src/__tests__/config-watcher.test.ts +96 -81
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +148 -133
package/src/__tests__/conflict-intent-tokenization.test.ts +96 -78
package/src/__tests__/conflict-policy.test.ts +151 -80
package/src/__tests__/conflict-store.test.ts +203 -157
package/src/__tests__/connection-policy.test.ts +89 -59
package/src/__tests__/contacts-tools.test.ts +247 -178
package/src/__tests__/context-memory-e2e.test.ts +306 -214
package/src/__tests__/context-token-estimator.test.ts +114 -74
package/src/__tests__/context-window-manager.test.ts +269 -167
package/src/__tests__/contradiction-checker.test.ts +161 -135
package/src/__tests__/conversation-attention-store.test.ts +350 -290
package/src/__tests__/conversation-attention-telegram.test.ts +156 -114
package/src/__tests__/conversation-pairing.test.ts +220 -113
package/src/__tests__/conversation-routes-guardian-reply.test.ts +164 -104
package/src/__tests__/conversation-routes.test.ts +71 -41
package/src/__tests__/conversation-store.test.ts +390 -235
package/src/__tests__/credential-broker-browser-fill.test.ts +325 -250
package/src/__tests__/credential-broker-server-use.test.ts +283 -243
package/src/__tests__/credential-broker.test.ts +128 -74
package/src/__tests__/credential-host-pattern-match.test.ts +64 -44
package/src/__tests__/credential-metadata-store.test.ts +360 -311
package/src/__tests__/credential-policy-validate.test.ts +81 -65
package/src/__tests__/credential-resolve.test.ts +212 -145
package/src/__tests__/credential-security-e2e.test.ts +144 -103
package/src/__tests__/credential-security-invariants.test.ts +253 -208
package/src/__tests__/credential-selection.test.ts +254 -146
package/src/__tests__/credential-vault-unit.test.ts +531 -341
package/src/__tests__/credential-vault.test.ts +761 -484
package/src/__tests__/daemon-assistant-events.test.ts +91 -66
package/src/__tests__/daemon-lifecycle.test.ts +258 -190
package/src/__tests__/daemon-server-session-init.test.ts +257 -191
package/src/__tests__/date-context.test.ts +314 -249
package/src/__tests__/db-migration-rollback.test.ts +259 -130
package/src/__tests__/db-schedule-syntax-migration.test.ts +78 -41
package/src/__tests__/delete-managed-skill-tool.test.ts +77 -53
package/src/__tests__/deterministic-verification-control-plane.test.ts +183 -135
package/src/__tests__/dictation-mode-detection.test.ts +77 -55
package/src/__tests__/dictation-profile-store.test.ts +70 -56
package/src/__tests__/dictation-text-processing.test.ts +53 -35
package/src/__tests__/diff.test.ts +102 -98
package/src/__tests__/domain-normalize.test.ts +54 -54
package/src/__tests__/domain-policy.test.ts +71 -55
package/src/__tests__/dynamic-page-surface.test.ts +31 -33
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +69 -69
package/src/__tests__/edit-engine.test.ts +56 -56
package/src/__tests__/elevenlabs-client.test.ts +117 -91
package/src/__tests__/elevenlabs-config.test.ts +32 -31
package/src/__tests__/email-classifier.test.ts +15 -12
package/src/__tests__/email-cli.test.ts +121 -108
package/src/__tests__/emit-signal-routing-intent.test.ts +76 -69
package/src/__tests__/encrypted-store.test.ts +180 -154
package/src/__tests__/entity-extractor.test.ts +108 -87
package/src/__tests__/entity-search.test.ts +664 -258
package/src/__tests__/ephemeral-permissions.test.ts +224 -188
package/src/__tests__/event-bus.test.ts +81 -77
package/src/__tests__/extract-email.test.ts +51 -0
package/src/__tests__/file-edit-tool.test.ts +62 -44
package/src/__tests__/file-ops-service.test.ts +131 -114
package/src/__tests__/file-read-tool.test.ts +48 -31
package/src/__tests__/file-write-tool.test.ts +43 -37
package/src/__tests__/filesystem-tools.test.ts +238 -209
package/src/__tests__/followup-tools.test.ts +237 -162
package/src/__tests__/forbidden-legacy-symbols.test.ts +19 -20
package/src/__tests__/frontmatter.test.ts +96 -81
package/src/__tests__/fuzzy-match-property.test.ts +75 -81
package/src/__tests__/fuzzy-match.test.ts +71 -65
package/src/__tests__/gateway-client-managed-outbound.test.ts +76 -57
package/src/__tests__/gateway-only-enforcement.test.ts +467 -369
package/src/__tests__/gateway-only-guard.test.ts +54 -56
package/src/__tests__/gemini-image-service.test.ts +113 -100
package/src/__tests__/gemini-provider.test.ts +297 -220
package/src/__tests__/get-weather.test.ts +188 -114
package/src/__tests__/gmail-integration.test.ts +47 -46
package/src/__tests__/guardian-action-conversation-turn.test.ts +226 -171
package/src/__tests__/guardian-action-copy-generator.test.ts +111 -93
package/src/__tests__/guardian-action-followup-executor.test.ts +215 -151
package/src/__tests__/guardian-action-followup-store.test.ts +199 -167
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +297 -250
package/src/__tests__/guardian-action-late-reply.test.ts +462 -316
package/src/__tests__/guardian-action-no-hardcoded-copy.test.ts +23 -18
package/src/__tests__/guardian-action-store.test.ts +158 -109
package/src/__tests__/guardian-action-sweep.test.ts +114 -100
package/src/__tests__/guardian-actions-endpoint.test.ts +440 -256
package/src/__tests__/guardian-control-plane-policy.test.ts +497 -331
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +217 -215
package/src/__tests__/guardian-dispatch.test.ts +316 -256
package/src/__tests__/guardian-grant-minting.test.ts +247 -178
package/src/__tests__/guardian-outbound-http.test.ts +337 -209
package/src/__tests__/guardian-principal-id-roundtrip.test.ts +99 -96
package/src/__tests__/guardian-question-copy.test.ts +17 -17
package/src/__tests__/guardian-question-mode.test.ts +134 -100
package/src/__tests__/guardian-routing-invariants.test.ts +679 -613
package/src/__tests__/guardian-routing-state.test.ts +256 -209
package/src/__tests__/guardian-verification-intent-routing.test.ts +94 -88
package/src/__tests__/guardian-verification-voice-binding.test.ts +47 -41
package/src/__tests__/guardian-verify-setup-skill-regression.test.ts +0 -1
package/src/__tests__/handle-user-message-secret-resume.test.ts +43 -21
package/src/__tests__/handlers-add-trust-rule-metadata.test.ts +92 -76
package/src/__tests__/handlers-cu-observation-blob.test.ts +103 -70
package/src/__tests__/handlers-ipc-blob-probe.test.ts +77 -51
package/src/__tests__/handlers-slack-config.test.ts +63 -54
package/src/__tests__/handlers-task-submit-slash.test.ts +18 -18
package/src/__tests__/handlers-telegram-config.test.ts +662 -329
package/src/__tests__/handlers-twitter-config.test.ts +525 -298
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +270 -195
package/src/__tests__/headless-browser-interactions.test.ts +444 -280
package/src/__tests__/headless-browser-navigate.test.ts +116 -79
package/src/__tests__/headless-browser-read-tools.test.ts +123 -86
package/src/__tests__/headless-browser-snapshot.test.ts +71 -56
package/src/__tests__/heartbeat-service.test.ts +76 -58
package/src/__tests__/history-repair-observability.test.ts +14 -14
package/src/__tests__/history-repair.test.ts +171 -167
package/src/__tests__/home-base-bootstrap.test.ts +30 -27
package/src/__tests__/hooks-blocking.test.ts +86 -37
package/src/__tests__/hooks-cli.test.ts +104 -68
package/src/__tests__/hooks-config.test.ts +81 -43
package/src/__tests__/hooks-discovery.test.ts +106 -96
package/src/__tests__/hooks-integration.test.ts +78 -72
package/src/__tests__/hooks-manager.test.ts +99 -61
package/src/__tests__/hooks-runner.test.ts +94 -71
package/src/__tests__/hooks-settings.test.ts +69 -64
package/src/__tests__/hooks-templates.test.ts +85 -54
package/src/__tests__/hooks-ts-runner.test.ts +82 -45
package/src/__tests__/hooks-watch.test.ts +32 -22
package/src/__tests__/host-file-edit-tool.test.ts +190 -148
package/src/__tests__/host-file-read-tool.test.ts +86 -63
package/src/__tests__/host-file-write-tool.test.ts +98 -64
package/src/__tests__/host-shell-tool.test.ts +342 -233
package/src/__tests__/inbound-invite-redemption.test.ts +194 -152
package/src/__tests__/ingress-member-store.test.ts +163 -159
package/src/__tests__/ingress-reconcile.test.ts +183 -142
package/src/__tests__/ingress-routes-http.test.ts +441 -356
package/src/__tests__/ingress-url-consistency.test.ts +125 -64
package/src/__tests__/integration-status.test.ts +93 -73
package/src/__tests__/intent-routing.test.ts +148 -118
package/src/__tests__/invite-redemption-service.test.ts +163 -121
package/src/__tests__/ipc-blob-store.test.ts +104 -91
package/src/__tests__/ipc-contract-inventory.test.ts +27 -15
package/src/__tests__/ipc-contract.test.ts +24 -23
package/src/__tests__/ipc-protocol.test.ts +52 -46
package/src/__tests__/ipc-roundtrip.benchmark.test.ts +61 -50
package/src/__tests__/ipc-snapshot.test.ts +1135 -1056
package/src/__tests__/ipc-validate.test.ts +240 -179
package/src/__tests__/key-migration.test.ts +123 -90
package/src/__tests__/keychain.test.ts +150 -123
package/src/__tests__/lifecycle-docs-guard.test.ts +65 -64
package/src/__tests__/llm-usage-store.test.ts +112 -87
package/src/__tests__/managed-skill-lifecycle.test.ts +147 -108
package/src/__tests__/managed-store.test.ts +411 -360
package/src/__tests__/mcp-cli.test.ts +189 -123
package/src/__tests__/mcp-health-check.test.ts +26 -21
package/src/__tests__/media-generate-image.test.ts +122 -99
package/src/__tests__/media-reuse-story.e2e.test.ts +282 -214
package/src/__tests__/media-visibility-policy.test.ts +86 -38
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +146 -100
package/src/__tests__/memory-lifecycle-e2e.test.ts +385 -297
package/src/__tests__/memory-query-builder.test.ts +32 -33
package/src/__tests__/memory-recall-quality.test.ts +761 -407
package/src/__tests__/memory-regressions.experimental.test.ts +443 -380
package/src/__tests__/memory-regressions.test.ts +3725 -2642
package/src/__tests__/memory-retrieval-budget.test.ts +7 -8
package/src/__tests__/memory-retrieval.benchmark.test.ts +144 -109
package/src/__tests__/memory-upsert-concurrency.test.ts +292 -201
package/src/__tests__/messaging-send-tool.test.ts +36 -29
package/src/__tests__/migration-cli-flows.test.ts +69 -53
package/src/__tests__/migration-ordering.test.ts +103 -86
package/src/__tests__/mime-builder.test.ts +55 -32
package/src/__tests__/mock-signup-server.test.ts +384 -246
package/src/__tests__/model-intents.test.ts +61 -37
package/src/__tests__/no-direct-anthropic-sdk-imports.test.ts +9 -12
package/src/__tests__/no-is-trusted-guard.test.ts +24 -21
package/src/__tests__/non-member-access-request.test.ts +294 -249
package/src/__tests__/notification-broadcaster.test.ts +99 -81
package/src/__tests__/notification-decision-fallback.test.ts +223 -178
package/src/__tests__/notification-decision-strategy.test.ts +375 -337
package/src/__tests__/notification-deep-link.test.ts +67 -61
package/src/__tests__/notification-guardian-path.test.ts +248 -206
package/src/__tests__/notification-routing-intent.test.ts +166 -93
package/src/__tests__/notification-telegram-adapter.test.ts +60 -46
package/src/__tests__/notification-thread-candidate-validation.test.ts +78 -75
package/src/__tests__/notification-thread-candidates.test.ts +64 -61
package/src/__tests__/oauth-callback-registry.test.ts +40 -30
package/src/__tests__/oauth-connect-handler.test.ts +109 -89
package/src/__tests__/oauth-scope-policy.test.ts +63 -55
package/src/__tests__/oauth2-gateway-transport.test.ts +252 -174
package/src/__tests__/onboarding-starter-tasks.test.ts +93 -89
package/src/__tests__/onboarding-template-contract.test.ts +93 -94
package/src/__tests__/openai-provider.test.ts +366 -274
package/src/__tests__/pairing-concurrent.test.ts +18 -12
package/src/__tests__/pairing-routes.test.ts +45 -41
package/src/__tests__/parallel-tool.benchmark.test.ts +108 -58
package/src/__tests__/parser.test.ts +316 -226
package/src/__tests__/path-classifier.test.ts +24 -25
package/src/__tests__/path-policy.test.ts +187 -147
package/src/__tests__/phone.test.ts +36 -36
package/src/__tests__/platform-move-helper.test.ts +48 -40
package/src/__tests__/platform-socket-path.test.ts +23 -24
package/src/__tests__/platform-workspace-migration.test.ts +464 -414
package/src/__tests__/platform.test.ts +61 -53
package/src/__tests__/playbook-execution.test.ts +397 -265
package/src/__tests__/playbook-tools.test.ts +267 -196
package/src/__tests__/prebuilt-home-base-seed.test.ts +30 -27
package/src/__tests__/pricing.test.ts +316 -136
package/src/__tests__/profile-compiler.test.ts +206 -188
package/src/__tests__/provider-commit-message-generator.test.ts +114 -106
package/src/__tests__/provider-error-scenarios.test.ts +212 -158
package/src/__tests__/provider-fail-open-selection.test.ts +51 -44
package/src/__tests__/provider-registry-ollama.test.ts +13 -9
package/src/__tests__/provider-streaming.benchmark.test.ts +232 -183
package/src/__tests__/proxy-approval-callback.test.ts +180 -119
package/src/__tests__/public-ingress-urls.test.ts +112 -94
package/src/__tests__/qdrant-manager.test.ts +147 -98
package/src/__tests__/ratelimit.test.ts +152 -82
package/src/__tests__/recording-handler.test.ts +273 -151
package/src/__tests__/recording-intent-fallback.test.ts +94 -75
package/src/__tests__/recording-intent-handler.test.ts +422 -292
package/src/__tests__/recording-intent.test.ts +578 -379
package/src/__tests__/recording-state-machine.test.ts +530 -316
package/src/__tests__/recurrence-engine-rruleset.test.ts +150 -92
package/src/__tests__/recurrence-engine.test.ts +81 -41
package/src/__tests__/recurrence-types.test.ts +63 -44
package/src/__tests__/relay-server.test.ts +2131 -1602
package/src/__tests__/reminder-store.test.ts +158 -80
package/src/__tests__/reminder.test.ts +113 -109
package/src/__tests__/remote-skill-policy.test.ts +96 -72
package/src/__tests__/request-file-tool.test.ts +74 -67
package/src/__tests__/response-tier.test.ts +131 -74
package/src/__tests__/runtime-attachment-metadata.test.ts +107 -70
package/src/__tests__/runtime-events-sse-parity.test.ts +167 -145
package/src/__tests__/runtime-events-sse.test.ts +67 -51
package/src/__tests__/sandbox-diagnostics.test.ts +66 -56
package/src/__tests__/sandbox-host-parity.test.ts +377 -301
package/src/__tests__/scaffold-managed-skill-tool.test.ts +213 -161
package/src/__tests__/schedule-store.test.ts +268 -205
package/src/__tests__/schedule-tools.test.ts +702 -524
package/src/__tests__/scheduler-recurrence.test.ts +240 -130
package/src/__tests__/scoped-approval-grants.test.ts +258 -168
package/src/__tests__/scoped-grant-security-matrix.test.ts +160 -146
package/src/__tests__/script-proxy-certs.test.ts +38 -35
package/src/__tests__/script-proxy-connect-tunnel.test.ts +71 -46
package/src/__tests__/script-proxy-decision-trace.test.ts +161 -84
package/src/__tests__/script-proxy-http-forwarder.test.ts +146 -129
package/src/__tests__/script-proxy-injection-runtime.test.ts +139 -113
package/src/__tests__/script-proxy-mitm-handler.test.ts +226 -142
package/src/__tests__/script-proxy-policy-runtime.test.ts +126 -86
package/src/__tests__/script-proxy-policy.test.ts +308 -153
package/src/__tests__/script-proxy-rewrite-specificity.test.ts +74 -62
package/src/__tests__/script-proxy-router.test.ts +111 -77
package/src/__tests__/script-proxy-session-manager.test.ts +156 -113
package/src/__tests__/script-proxy-session-runtime.test.ts +28 -24
package/src/__tests__/secret-allowlist.test.ts +105 -90
package/src/__tests__/secret-ingress-handler.test.ts +41 -30
package/src/__tests__/secret-onetime-send.test.ts +67 -50
package/src/__tests__/secret-prompt-log-hygiene.test.ts +35 -31
package/src/__tests__/secret-response-routing.test.ts +50 -41
package/src/__tests__/secret-scanner-executor.test.ts +152 -111
package/src/__tests__/secret-scanner.test.ts +495 -413
package/src/__tests__/secure-keys.test.ts +132 -121
package/src/__tests__/send-endpoint-busy.test.ts +313 -232
package/src/__tests__/send-notification-tool.test.ts +43 -42
package/src/__tests__/sensitive-output-placeholders.test.ts +72 -64
package/src/__tests__/sequence-store.test.ts +335 -167
package/src/__tests__/server-history-render.test.ts +341 -202
package/src/__tests__/session-abort-tool-results.test.ts +133 -70
package/src/__tests__/session-approval-overrides.test.ts +93 -91
package/src/__tests__/session-confirmation-signals.test.ts +252 -160
package/src/__tests__/session-conflict-gate.test.ts +775 -585
package/src/__tests__/session-error.test.ts +222 -191
package/src/__tests__/session-evictor.test.ts +79 -62
package/src/__tests__/session-init.benchmark.test.ts +170 -108
package/src/__tests__/session-load-history-repair.test.ts +273 -139
package/src/__tests__/session-messaging-secret-redirect.test.ts +130 -90
package/src/__tests__/session-pre-run-repair.test.ts +106 -59
package/src/__tests__/session-profile-injection.test.ts +198 -130
package/src/__tests__/session-provider-retry-repair.test.ts +223 -141
package/src/__tests__/session-queue.test.ts +624 -321
package/src/__tests__/session-runtime-assembly.test.ts +425 -329
package/src/__tests__/session-runtime-workspace.test.ts +69 -61
package/src/__tests__/session-skill-tools.test.ts +973 -678
package/src/__tests__/session-slash-known.test.ts +185 -133
package/src/__tests__/session-slash-queue.test.ts +147 -81
package/src/__tests__/session-slash-unknown.test.ts +135 -90
package/src/__tests__/session-surfaces-task-progress.test.ts +122 -87
package/src/__tests__/session-tool-setup-app-refresh.test.ts +338 -177
package/src/__tests__/session-tool-setup-memory-scope.test.ts +63 -40
package/src/__tests__/session-tool-setup-side-effect-flag.test.ts +60 -37
package/src/__tests__/session-tool-setup-tools-disabled.test.ts +28 -26
package/src/__tests__/session-undo.test.ts +43 -30
package/src/__tests__/session-workspace-cache-state.test.ts +108 -67
package/src/__tests__/session-workspace-injection.test.ts +245 -117
package/src/__tests__/session-workspace-tool-tracking.test.ts +260 -93
package/src/__tests__/shared-filesystem-errors.test.ts +47 -47
package/src/__tests__/shell-credential-ref.test.ts +126 -90
package/src/__tests__/shell-identity.test.ts +134 -111
package/src/__tests__/shell-parser-fuzz.test.ts +263 -179
package/src/__tests__/shell-parser-property.test.ts +435 -288
package/src/__tests__/shell-tool-proxy-mode.test.ts +142 -70
package/src/__tests__/size-guard.test.ts +42 -44
package/src/__tests__/skill-feature-flags-integration.test.ts +79 -52
package/src/__tests__/skill-feature-flags.test.ts +75 -47
package/src/__tests__/skill-include-graph.test.ts +143 -148
package/src/__tests__/skill-load-feature-flag.test.ts +94 -59
package/src/__tests__/skill-load-tool.test.ts +371 -199
package/src/__tests__/skill-projection-feature-flag.test.ts +131 -88
package/src/__tests__/skill-projection.benchmark.test.ts +93 -65
package/src/__tests__/skill-script-runner-host.test.ts +460 -250
package/src/__tests__/skill-script-runner-sandbox.test.ts +168 -108
package/src/__tests__/skill-script-runner.test.ts +115 -74
package/src/__tests__/skill-tool-factory.test.ts +140 -96
package/src/__tests__/skill-tool-manifest.test.ts +306 -210
package/src/__tests__/skill-version-hash.test.ts +70 -56
package/src/__tests__/skills.test.ts +0 -1
package/src/__tests__/slack-channel-config.test.ts +127 -84
package/src/__tests__/slack-skill.test.ts +60 -47
package/src/__tests__/slash-commands-catalog.test.ts +37 -31
package/src/__tests__/slash-commands-parser.test.ts +71 -64
package/src/__tests__/slash-commands-resolver.test.ts +143 -107
package/src/__tests__/slash-commands-rewrite.test.ts +22 -22
package/src/__tests__/sms-messaging-provider.test.ts +74 -47
package/src/__tests__/speaker-identification.test.ts +28 -25
package/src/__tests__/starter-bundle.test.ts +27 -23
package/src/__tests__/starter-task-flow.test.ts +67 -52
package/src/__tests__/subagent-manager-notify.test.ts +154 -108
package/src/__tests__/subagent-tools.test.ts +311 -270
package/src/__tests__/subagent-types.test.ts +40 -40
package/src/__tests__/surface-mutex-cleanup.test.ts +42 -30
package/src/__tests__/swarm-dag-pathological.test.ts +122 -111
package/src/__tests__/swarm-orchestrator.test.ts +135 -101
package/src/__tests__/swarm-plan-validator.test.ts +125 -73
package/src/__tests__/swarm-recursion.test.ts +58 -46
package/src/__tests__/swarm-router-planner.test.ts +99 -74
package/src/__tests__/swarm-session-integration.test.ts +148 -91
package/src/__tests__/swarm-tool.test.ts +65 -45
package/src/__tests__/swarm-worker-backend.test.ts +59 -45
package/src/__tests__/swarm-worker-runner.test.ts +133 -118
package/src/__tests__/system-prompt.test.ts +290 -256
package/src/__tests__/task-compiler.test.ts +176 -120
package/src/__tests__/task-management-tools.test.ts +561 -456
package/src/__tests__/task-memory-cleanup.test.ts +627 -362
package/src/__tests__/task-runner.test.ts +117 -94
package/src/__tests__/task-scheduler.test.ts +113 -84
package/src/__tests__/task-tools.test.ts +349 -264
package/src/__tests__/terminal-sandbox.test.ts +138 -108
package/src/__tests__/terminal-tools.test.ts +350 -305
package/src/__tests__/thread-seed-composer.test.ts +307 -180
package/src/__tests__/tool-approval-handler.test.ts +238 -137
package/src/__tests__/tool-audit-listener.test.ts +69 -69
package/src/__tests__/tool-domain-event-publisher.test.ts +142 -132
package/src/__tests__/tool-execution-abort-cleanup.test.ts +153 -146
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +136 -105
package/src/__tests__/tool-executor-lifecycle-events.test.ts +355 -239
package/src/__tests__/tool-executor-redaction.test.ts +112 -109
package/src/__tests__/tool-executor-shell-integration.test.ts +130 -79
package/src/__tests__/tool-executor.test.ts +1274 -674
package/src/__tests__/tool-grant-request-escalation.test.ts +401 -283
package/src/__tests__/tool-metrics-listener.test.ts +97 -85
package/src/__tests__/tool-notification-listener.test.ts +42 -25
package/src/__tests__/tool-permission-simulate-handler.test.ts +137 -113
package/src/__tests__/tool-policy.test.ts +44 -25
package/src/__tests__/tool-profiling-listener.test.ts +99 -93
package/src/__tests__/tool-result-truncation.test.ts +5 -4
package/src/__tests__/tool-trace-listener.test.ts +131 -111
package/src/__tests__/top-level-renderer.test.ts +62 -58
package/src/__tests__/top-level-scanner.test.ts +68 -64
package/src/__tests__/trace-emitter.test.ts +56 -56
package/src/__tests__/trust-context-guards.test.ts +65 -65
package/src/__tests__/trust-store.test.ts +1239 -806
package/src/__tests__/trusted-contact-approval-notifier.test.ts +339 -275
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +484 -373
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +264 -241
package/src/__tests__/trusted-contact-multichannel.test.ts +182 -142
package/src/__tests__/trusted-contact-verification.test.ts +251 -231
package/src/__tests__/turn-commit.test.ts +259 -200
package/src/__tests__/twilio-config.test.ts +49 -41
package/src/__tests__/twilio-provider.test.ts +140 -126
package/src/__tests__/twilio-rest.test.ts +22 -18
package/src/__tests__/twilio-routes-elevenlabs.test.ts +188 -162
package/src/__tests__/twilio-routes-twiml.test.ts +55 -55
package/src/__tests__/twilio-routes.test.ts +389 -281
package/src/__tests__/twitter-auth-handler.test.ts +184 -139
package/src/__tests__/twitter-cli-error-shaping.test.ts +88 -73
package/src/__tests__/twitter-cli-routing.test.ts +146 -99
package/src/__tests__/twitter-oauth-client.test.ts +82 -65
package/src/__tests__/update-bulletin-format.test.ts +69 -66
package/src/__tests__/update-bulletin-state.test.ts +66 -60
package/src/__tests__/update-bulletin.test.ts +150 -114
package/src/__tests__/update-template-contract.test.ts +15 -10
package/src/__tests__/url-safety.test.ts +288 -265
package/src/__tests__/user-reference.test.ts +32 -32
package/src/__tests__/view-image-tool.test.ts +118 -96
package/src/__tests__/voice-invite-redemption.test.ts +111 -106
package/src/__tests__/voice-quality.test.ts +117 -102
package/src/__tests__/voice-scoped-grant-consumer.test.ts +204 -146
package/src/__tests__/voice-session-bridge.test.ts +351 -216
package/src/__tests__/weather-skill-regression.test.ts +170 -120
package/src/__tests__/web-fetch.test.ts +664 -526
package/src/__tests__/web-search.test.ts +379 -213
package/src/__tests__/work-item-output.test.ts +90 -53
package/src/__tests__/workspace-git-service.test.ts +437 -356
package/src/__tests__/workspace-heartbeat-service.test.ts +125 -91
package/src/__tests__/workspace-lifecycle.test.ts +98 -64
package/src/__tests__/workspace-policy.test.ts +139 -71
package/src/commands/__tests__/cc-command-registry.test.ts +142 -134
package/src/config/__tests__/feature-flag-registry-guard.test.ts +48 -39
package/src/config/bundled-skills/chatgpt-import/tools/chatgpt-import.ts +44 -4
package/src/config/bundled-skills/doordash/__tests__/doordash-session.test.ts +0 -1
package/src/config/bundled-skills/messaging/SKILL.md +9 -7
package/src/config/bundled-skills/messaging/tools/gmail-outreach-scan.ts +15 -5
package/src/config/bundled-skills/messaging/tools/gmail-sender-digest.ts +16 -5
package/src/config/bundled-skills/messaging/tools/messaging-reply.ts +11 -7
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +34 -32
package/src/config/bundled-tool-registry.ts +2 -0
package/src/config/env.ts +38 -29
package/src/daemon/handlers/skills.ts +18 -10
package/src/daemon/ipc-contract/messages.ts +1 -0
package/src/daemon/ipc-contract/surfaces.ts +7 -1
package/src/daemon/session-agent-loop-handlers.ts +5 -0
package/src/daemon/session-agent-loop.ts +1 -1
package/src/daemon/session-process.ts +1 -1
package/src/daemon/session-surfaces.ts +42 -2
package/src/memory/db-connection.ts +16 -10
package/src/messaging/providers/gmail/adapter.ts +10 -3
package/src/messaging/providers/gmail/client.ts +280 -72
package/src/runtime/auth/__tests__/context.test.ts +75 -65
package/src/runtime/auth/__tests__/credential-service.test.ts +137 -114
package/src/runtime/auth/__tests__/guard-tests.test.ts +84 -90
package/src/runtime/auth/__tests__/ipc-auth-context.test.ts +40 -40
package/src/runtime/auth/__tests__/middleware.test.ts +80 -74
package/src/runtime/auth/__tests__/policy.test.ts +9 -9
package/src/runtime/auth/__tests__/route-policy.test.ts +76 -65
package/src/runtime/auth/__tests__/scopes.test.ts +68 -60
package/src/runtime/auth/__tests__/subject.test.ts +54 -54
package/src/runtime/auth/__tests__/token-service.test.ts +115 -108
package/src/runtime/auth/scopes.ts +3 -0
package/src/runtime/auth/token-service.ts +78 -48
package/src/runtime/auth/types.ts +2 -1
package/src/runtime/http-server.ts +2 -1
package/src/security/secure-keys.ts +103 -53
package/src/sequence/reply-matcher.ts +10 -6
package/src/skills/frontmatter.ts +9 -6
package/src/tools/browser/__tests__/auth-cache.test.ts +69 -63
package/src/tools/browser/__tests__/auth-detector.test.ts +218 -157
package/src/tools/browser/__tests__/jit-auth.test.ts +83 -99
package/src/tools/ui-surface/definitions.ts +2 -1
package/src/util/platform.ts +0 -12
package/docs/architecture/http-token-refresh.md +0 -274

package/Dockerfile CHANGED Viewed

@@ -22,9 +22,6 @@ COPY package.json bun.lock ./
 # Install dependencies
 RUN bun install --frozen-lockfile
-# Copy source
-COPY . .
 # Final stage
 FROM debian:trixie@sha256:3615a749858a1cba49b408fb49c37093db813321355a9ab7c1f9f4836341e9db AS runner
@@ -55,9 +52,6 @@ RUN groupadd --system --gid 1001 assistant && \
     useradd --system --uid 1001 --gid assistant --create-home --shell /bin/bash assistant && \
     echo "assistant ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
-# Copy from builder
-COPY --from=builder /app /app
 # Set up data directory
 RUN mkdir -p /home/assistant/.vellum /data && \
     chown -R assistant:assistant /home/assistant/.vellum /data && \
@@ -98,5 +92,11 @@ ENV VELLUM_DAEMON_SOCKET=/home/assistant/.vellum/vellum.sock
 ENV BASE_DATA_DIR=/data
 ENV IS_CONTAINERIZED=true
+# Copy from builder
+COPY --from=builder /app /app
+# Copy source
+COPY . .
 # Run the daemon + http server
 CMD ["bun", "run", "src/daemon/main.ts"]

package/README.md CHANGED Viewed

@@ -47,7 +47,6 @@ cp .env.example .env
 | `OLLAMA_API_KEY` | No | — | API key for authenticated Ollama deployments |
 | `OLLAMA_BASE_URL` | No | `http://127.0.0.1:11434/v1` | Ollama base URL |
 | `RUNTIME_HTTP_PORT` | No | — | Enable the HTTP server (required for gateway/web) |
-| `RUNTIME_GATEWAY_ORIGIN_SECRET` | No | — | **Deprecated.** Gateway origin is now proven by JWT principal type (`svc_gateway`), not a separate header. |
 | `VELLUM_DAEMON_SOCKET` | No | `~/.vellum/vellum.sock` | Override the daemon socket path |
 ## Update Bulletin
@@ -228,7 +227,7 @@ The runtime exposes a RESTful HTTP API for Twilio configuration, credential mana
 | POST | `/v1/integrations/twilio/sms/test` | Sends a test SMS and polls for delivery status |
 | POST | `/v1/integrations/twilio/sms/doctor` | Runs comprehensive SMS health diagnostics |
-All endpoints are bearer-authenticated via the runtime HTTP token. Skills and clients should call the gateway URL (default `http://localhost:7830`) rather than the runtime port directly, as the gateway proxies all `/v1/integrations/twilio/*` routes.
+All endpoints are JWT-authenticated (require a valid JWT with appropriate scopes). Skills and clients should call the gateway URL (default `http://localhost:7830`) rather than the runtime port directly, as the gateway proxies all `/v1/integrations/twilio/*` routes.
 ### Ingress Webhook Reconciliation

package/eslint.config.mjs CHANGED Viewed

@@ -14,8 +14,8 @@ const eslintConfig = defineConfig([
         "error",
         {
           groups: [
-            // Node.js builtins
-            ["^node:"],
+            // Runtime builtins (Node.js and Bun)
+            ["^node:", "^bun:"],
             // External packages
             ["^@?\\w"],
             // Internal/relative imports

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.16",
+  "version": "0.4.18",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"

package/src/__tests__/access-request-decision.test.ts CHANGED Viewed

@@ -8,43 +8,49 @@
  * - Stale: handles already-resolved requests gracefully.
  * - Idempotent: approving same request twice does not create duplicate sessions.
  */
-import { mkdtempSync, rmSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 // ---------------------------------------------------------------------------
 // Test isolation: in-memory SQLite via temp directory
 // ---------------------------------------------------------------------------
-const testDir = mkdtempSync(join(tmpdir(), 'access-request-decision-test-'));
+const testDir = mkdtempSync(join(tmpdir(), "access-request-decision-test-"));
-mock.module('../util/platform.js', () => ({
+mock.module("../util/platform.js", () => ({
   getRootDir: () => testDir,
   getDataDir: () => testDir,
-  isMacOS: () => process.platform === 'darwin',
-  isLinux: () => process.platform === 'linux',
-  isWindows: () => process.platform === 'win32',
-  getSocketPath: () => join(testDir, 'test.sock'),
-  getPidPath: () => join(testDir, 'test.pid'),
-  getDbPath: () => join(testDir, 'test.db'),
-  getLogPath: () => join(testDir, 'test.log'),
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getSocketPath: () => join(testDir, "test.sock"),
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => join(testDir, "test.db"),
+  getLogPath: () => join(testDir, "test.log"),
   ensureDataDir: () => {},
-  readHttpToken: () => 'test-bearer-token',
+  readHttpToken: () => "test-bearer-token",
 }));
-mock.module('../util/logger.js', () => ({
-  getLogger: () => new Proxy({} as Record<string, unknown>, {
-    get: () => () => {},
-  }),
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
 }));
 // Track deliverChannelReply calls and allow injecting failures
-const deliverReplyCalls: Array<{ url: string; payload: Record<string, unknown> }> = [];
+const deliverReplyCalls: Array<{
+  url: string;
+  payload: Record<string, unknown>;
+}> = [];
 let deliverReplyError: Error | null = null;
-mock.module('../runtime/gateway-client.js', () => ({
-  deliverChannelReply: async (url: string, payload: Record<string, unknown>) => {
+mock.module("../runtime/gateway-client.js", () => ({
+  deliverChannelReply: async (
+    url: string,
+    payload: Record<string, unknown>,
+  ) => {
     if (deliverReplyError) {
       throw deliverReplyError;
     }
@@ -55,24 +61,26 @@ mock.module('../runtime/gateway-client.js', () => ({
 import {
   createApprovalRequest,
   getApprovalRequestById,
-} from '../memory/channel-guardian-store.js';
-import { getDb, initializeDb, resetDb } from '../memory/db.js';
-import {
-  findActiveSession,
-} from '../runtime/channel-guardian-service.js';
+} from "../memory/channel-guardian-store.js";
+import { getDb, initializeDb, resetDb } from "../memory/db.js";
+import { findActiveSession } from "../runtime/channel-guardian-service.js";
 import {
   deliverVerificationCodeToGuardian,
   handleAccessRequestDecision,
   notifyRequesterOfApproval,
   notifyRequesterOfDeliveryFailure,
   notifyRequesterOfDenial,
-} from '../runtime/routes/access-request-decision.js';
+} from "../runtime/routes/access-request-decision.js";
 initializeDb();
 afterAll(() => {
   resetDb();
-  try { rmSync(testDir, { recursive: true }); } catch { /* best effort */ }
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    /* best effort */
+  }
 });
 // ---------------------------------------------------------------------------
@@ -83,9 +91,9 @@ const GUARDIAN_APPROVAL_TTL_MS = 5 * 60 * 1000;
 function resetState(): void {
   const db = getDb();
-  db.run('DELETE FROM channel_guardian_approval_requests');
-  db.run('DELETE FROM channel_guardian_bindings');
-  db.run('DELETE FROM channel_guardian_verification_challenges');
+  db.run("DELETE FROM channel_guardian_approval_requests");
+  db.run("DELETE FROM channel_guardian_bindings");
+  db.run("DELETE FROM channel_guardian_verification_challenges");
   deliverReplyCalls.length = 0;
 }
@@ -93,15 +101,15 @@ function createTestApproval(overrides: Record<string, unknown> = {}) {
   return createApprovalRequest({
     runId: `ingress-access-request-${Date.now()}`,
     conversationId: `access-req-telegram-user-unknown-456`,
-    assistantId: 'self',
-    channel: 'telegram',
-    requesterExternalUserId: 'user-unknown-456',
-    requesterChatId: 'chat-123',
-    guardianExternalUserId: 'guardian-user-789',
-    guardianChatId: 'guardian-chat-789',
-    toolName: 'ingress_access_request',
-    riskLevel: 'access_request',
-    reason: 'Alice Unknown is requesting access to the assistant',
+    assistantId: "self",
+    channel: "telegram",
+    requesterExternalUserId: "user-unknown-456",
+    requesterChatId: "chat-123",
+    guardianExternalUserId: "guardian-user-789",
+    guardianChatId: "guardian-chat-789",
+    toolName: "ingress_access_request",
+    riskLevel: "access_request",
+    reason: "Alice Unknown is requesting access to the assistant",
     expiresAt: Date.now() + GUARDIAN_APPROVAL_TTL_MS,
     ...overrides,
   });
@@ -111,22 +119,22 @@ function createTestApproval(overrides: Record<string, unknown> = {}) {
 // Tests
 // ---------------------------------------------------------------------------
-describe('access request decision handler', () => {
+describe("access request decision handler", () => {
   beforeEach(() => {
     resetState();
   });
-  test('guardian approve creates a verification session', () => {
+  test("guardian approve creates a verification session", () => {
     const approval = createTestApproval();
     const result = handleAccessRequestDecision(
       approval,
-      'approve',
-      'guardian-user-789',
+      "approve",
+      "guardian-user-789",
     );
     expect(result.handled).toBe(true);
-    expect(result.type).toBe('approved');
+    expect(result.type).toBe("approved");
     expect(result.verificationSessionId).toBeDefined();
     expect(result.verificationCode).toBeDefined();
     // Verification code should be a 6-digit numeric string
@@ -135,89 +143,89 @@ describe('access request decision handler', () => {
     // Approval record should be updated to 'approved'
     const updated = getApprovalRequestById(approval.id);
     expect(updated).not.toBeNull();
-    expect(updated!.status).toBe('approved');
-    expect(updated!.decidedByExternalUserId).toBe('guardian-user-789');
+    expect(updated!.status).toBe("approved");
+    expect(updated!.decidedByExternalUserId).toBe("guardian-user-789");
   });
-  test('verification session is identity-bound to the requester', () => {
+  test("verification session is identity-bound to the requester", () => {
     const approval = createTestApproval();
     const result = handleAccessRequestDecision(
       approval,
-      'approve',
-      'guardian-user-789',
+      "approve",
+      "guardian-user-789",
     );
-    expect(result.type).toBe('approved');
+    expect(result.type).toBe("approved");
     // There should be an active session for this channel
-    const session = findActiveSession('self', 'telegram');
+    const session = findActiveSession("self", "telegram");
     expect(session).not.toBeNull();
-    expect(session!.expectedExternalUserId).toBe('user-unknown-456');
-    expect(session!.expectedChatId).toBe('chat-123');
-    expect(session!.identityBindingStatus).toBe('bound');
-    expect(session!.status).toBe('awaiting_response');
+    expect(session!.expectedExternalUserId).toBe("user-unknown-456");
+    expect(session!.expectedChatId).toBe("chat-123");
+    expect(session!.identityBindingStatus).toBe("bound");
+    expect(session!.status).toBe("awaiting_response");
   });
-  test('guardian deny marks approval as denied', () => {
+  test("guardian deny marks approval as denied", () => {
     const approval = createTestApproval();
     const result = handleAccessRequestDecision(
       approval,
-      'deny',
-      'guardian-user-789',
+      "deny",
+      "guardian-user-789",
     );
     expect(result.handled).toBe(true);
-    expect(result.type).toBe('denied');
+    expect(result.type).toBe("denied");
     expect(result.verificationSessionId).toBeUndefined();
     expect(result.verificationCode).toBeUndefined();
     // Approval record should be updated to 'denied'
     const updated = getApprovalRequestById(approval.id);
     expect(updated).not.toBeNull();
-    expect(updated!.status).toBe('denied');
-    expect(updated!.decidedByExternalUserId).toBe('guardian-user-789');
+    expect(updated!.status).toBe("denied");
+    expect(updated!.decidedByExternalUserId).toBe("guardian-user-789");
     // No verification session should be created
-    const session = findActiveSession('self', 'telegram');
+    const session = findActiveSession("self", "telegram");
     expect(session).toBeNull();
   });
-  test('stale decision (already resolved) returns stale', () => {
+  test("stale decision (already resolved) returns stale", () => {
     const approval = createTestApproval();
     // Approve first
-    handleAccessRequestDecision(approval, 'approve', 'guardian-user-789');
+    handleAccessRequestDecision(approval, "approve", "guardian-user-789");
     // Try to deny the same approval — should be stale
     const result = handleAccessRequestDecision(
       approval,
-      'deny',
-      'guardian-user-789',
+      "deny",
+      "guardian-user-789",
     );
     expect(result.handled).toBe(true);
-    expect(result.type).toBe('stale');
+    expect(result.type).toBe("stale");
   });
-  test('idempotent approval does not create duplicate verification sessions', () => {
+  test("idempotent approval does not create duplicate verification sessions", () => {
     const approval = createTestApproval();
     // Approve first
     const result1 = handleAccessRequestDecision(
       approval,
-      'approve',
-      'guardian-user-789',
+      "approve",
+      "guardian-user-789",
     );
-    expect(result1.type).toBe('approved');
+    expect(result1.type).toBe("approved");
     const _sessionId1 = result1.verificationSessionId;
     // Approve again — should be idempotent (already resolved with same decision)
     const result2 = handleAccessRequestDecision(
       approval,
-      'approve',
-      'guardian-user-789',
+      "approve",
+      "guardian-user-789",
     );
     // resolveApprovalRequest returns the existing record for same-decision idempotency,
@@ -231,97 +239,97 @@ describe('access request decision handler', () => {
   });
 });
-describe('access request notification delivery', () => {
+describe("access request notification delivery", () => {
   beforeEach(() => {
     deliverReplyCalls.length = 0;
     deliverReplyError = null;
   });
-  test('delivers verification code to guardian and returns ok', async () => {
+  test("delivers verification code to guardian and returns ok", async () => {
     const result = await deliverVerificationCodeToGuardian({
-      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
-      guardianChatId: 'guardian-chat-789',
-      requesterIdentifier: 'user-unknown-456',
-      verificationCode: '123456',
-      assistantId: 'self',
-      bearerToken: 'test-token',
+      replyCallbackUrl: "http://localhost:7830/deliver/telegram",
+      guardianChatId: "guardian-chat-789",
+      requesterIdentifier: "user-unknown-456",
+      verificationCode: "123456",
+      assistantId: "self",
+      bearerToken: "test-token",
     });
     expect(result.ok).toBe(true);
     expect(deliverReplyCalls.length).toBe(1);
     const call = deliverReplyCalls[0];
-    expect(call.payload.chatId).toBe('guardian-chat-789');
+    expect(call.payload.chatId).toBe("guardian-chat-789");
     const text = call.payload.text as string;
-    expect(text).toContain('123456');
-    expect(text).toContain('user-unknown-456');
-    expect(text).toContain('10 minutes');
+    expect(text).toContain("123456");
+    expect(text).toContain("user-unknown-456");
+    expect(text).toContain("10 minutes");
   });
-  test('returns failure result when guardian code delivery fails', async () => {
-    deliverReplyError = new Error('Gateway timeout');
+  test("returns failure result when guardian code delivery fails", async () => {
+    deliverReplyError = new Error("Gateway timeout");
     const result = await deliverVerificationCodeToGuardian({
-      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
-      guardianChatId: 'guardian-chat-789',
-      requesterIdentifier: 'user-unknown-456',
-      verificationCode: '123456',
-      assistantId: 'self',
-      bearerToken: 'test-token',
+      replyCallbackUrl: "http://localhost:7830/deliver/telegram",
+      guardianChatId: "guardian-chat-789",
+      requesterIdentifier: "user-unknown-456",
+      verificationCode: "123456",
+      assistantId: "self",
+      bearerToken: "test-token",
     });
     expect(result.ok).toBe(false);
     if (!result.ok) {
-      expect(result.reason).toBe('Gateway timeout');
+      expect(result.reason).toBe("Gateway timeout");
     }
     // No calls should have been recorded (error thrown before push)
     expect(deliverReplyCalls.length).toBe(0);
   });
-  test('notifies requester of approval', async () => {
+  test("notifies requester of approval", async () => {
     await notifyRequesterOfApproval({
-      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
-      requesterChatId: 'chat-123',
-      assistantId: 'self',
-      bearerToken: 'test-token',
+      replyCallbackUrl: "http://localhost:7830/deliver/telegram",
+      requesterChatId: "chat-123",
+      assistantId: "self",
+      bearerToken: "test-token",
     });
     expect(deliverReplyCalls.length).toBe(1);
     const call = deliverReplyCalls[0];
-    expect(call.payload.chatId).toBe('chat-123');
+    expect(call.payload.chatId).toBe("chat-123");
     const text = call.payload.text as string;
-    expect(text).toContain('approved');
-    expect(text).toContain('verification code');
+    expect(text).toContain("approved");
+    expect(text).toContain("verification code");
   });
-  test('notifies requester of denial', async () => {
+  test("notifies requester of denial", async () => {
     await notifyRequesterOfDenial({
-      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
-      requesterChatId: 'chat-123',
-      assistantId: 'self',
-      bearerToken: 'test-token',
+      replyCallbackUrl: "http://localhost:7830/deliver/telegram",
+      requesterChatId: "chat-123",
+      assistantId: "self",
+      bearerToken: "test-token",
     });
     expect(deliverReplyCalls.length).toBe(1);
     const call = deliverReplyCalls[0];
-    expect(call.payload.chatId).toBe('chat-123');
+    expect(call.payload.chatId).toBe("chat-123");
     const text = call.payload.text as string;
-    expect(text).toContain('denied');
+    expect(text).toContain("denied");
   });
-  test('notifies requester of delivery failure', async () => {
+  test("notifies requester of delivery failure", async () => {
     await notifyRequesterOfDeliveryFailure({
-      replyCallbackUrl: 'http://localhost:7830/deliver/telegram',
-      requesterChatId: 'chat-123',
-      assistantId: 'self',
-      bearerToken: 'test-token',
+      replyCallbackUrl: "http://localhost:7830/deliver/telegram",
+      requesterChatId: "chat-123",
+      assistantId: "self",
+      bearerToken: "test-token",
     });
     expect(deliverReplyCalls.length).toBe(1);
     const call = deliverReplyCalls[0];
-    expect(call.payload.chatId).toBe('chat-123');
+    expect(call.payload.chatId).toBe("chat-123");
     const text = call.payload.text as string;
-    expect(text).toContain('approved');
-    expect(text).toContain('unable to deliver');
-    expect(text).toContain('try again');
+    expect(text).toContain("approved");
+    expect(text).toContain("unable to deliver");
+    expect(text).toContain("try again");
   });
 });