npm - @vellumai/assistant - Versions diffs - 0.4.17 → 0.4.19 - Mend

@vellumai/assistant 0.4.17 → 0.4.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (528) hide show

package/docs/runbook-trusted-contacts.md +5 -3
package/eslint.config.mjs +2 -2
package/package.json +1 -1
package/src/__tests__/access-request-decision.test.ts +128 -120
package/src/__tests__/account-registry.test.ts +121 -110
package/src/__tests__/active-skill-tools.test.ts +200 -172
package/src/__tests__/actor-token-service.test.ts +341 -274
package/src/__tests__/agent-loop-thinking.test.ts +28 -19
package/src/__tests__/agent-loop.test.ts +798 -378
package/src/__tests__/anthropic-provider.test.ts +405 -247
package/src/__tests__/app-builder-tool-scripts.test.ts +97 -97
package/src/__tests__/app-bundler.test.ts +112 -79
package/src/__tests__/app-executors.test.ts +205 -178
package/src/__tests__/app-git-history.test.ts +90 -73
package/src/__tests__/app-git-service.test.ts +67 -53
package/src/__tests__/app-open-proxy.test.ts +29 -25
package/src/__tests__/approval-conversation-turn.test.ts +100 -81
package/src/__tests__/approval-hardcoded-copy-guard.test.ts +45 -17
package/src/__tests__/approval-message-composer.test.ts +119 -119
package/src/__tests__/approval-primitive.test.ts +264 -233
package/src/__tests__/approval-routes-http.test.ts +4 -3
package/src/__tests__/asset-materialize-tool.test.ts +250 -178
package/src/__tests__/asset-search-tool.test.ts +251 -191
package/src/__tests__/assistant-attachment-directive.test.ts +187 -142
package/src/__tests__/assistant-attachments.test.ts +254 -186
package/src/__tests__/assistant-event-hub.test.ts +105 -63
package/src/__tests__/assistant-event.test.ts +66 -58
package/src/__tests__/assistant-events-sse-hardening.test.ts +113 -73
package/src/__tests__/assistant-feature-flag-guard.test.ts +78 -52
package/src/__tests__/assistant-feature-flag-guardrails.test.ts +48 -45
package/src/__tests__/assistant-feature-flags-integration.test.ts +118 -77
package/src/__tests__/assistant-id-boundary-guard.test.ts +158 -104
package/src/__tests__/attachments-store.test.ts +240 -183
package/src/__tests__/attachments.test.ts +70 -62
package/src/__tests__/audit-log-rotation.test.ts +50 -35
package/src/__tests__/browser-fill-credential.test.ts +169 -101
package/src/__tests__/browser-manager.test.ts +97 -75
package/src/__tests__/browser-runtime-check.test.ts +16 -15
package/src/__tests__/browser-skill-baseline-tool-payload.test.ts +12 -10
package/src/__tests__/browser-skill-endstate.test.ts +97 -72
package/src/__tests__/bundle-scanner.test.ts +47 -22
package/src/__tests__/bundled-asset.test.ts +74 -47
package/src/__tests__/call-constants.test.ts +19 -19
package/src/__tests__/call-controller.test.ts +0 -1
package/src/__tests__/call-conversation-messages.test.ts +90 -65
package/src/__tests__/call-domain.test.ts +149 -121
package/src/__tests__/call-pointer-message-composer.test.ts +113 -83
package/src/__tests__/call-pointer-messages.test.ts +213 -154
package/src/__tests__/call-pointer-no-hardcoded-copy.guard.test.ts +9 -10
package/src/__tests__/call-recovery.test.ts +232 -212
package/src/__tests__/call-routes-http.test.ts +0 -1
package/src/__tests__/call-start-guardian-guard.test.ts +32 -30
package/src/__tests__/call-state-machine.test.ts +62 -51
package/src/__tests__/call-state.test.ts +89 -75
package/src/__tests__/call-store.test.ts +387 -316
package/src/__tests__/callback-handoff-copy.test.ts +84 -82
package/src/__tests__/canonical-guardian-store.test.ts +331 -280
package/src/__tests__/channel-approval-routes.test.ts +1643 -1115
package/src/__tests__/channel-approval.test.ts +139 -137
package/src/__tests__/channel-approvals.test.ts +7 -2
package/src/__tests__/channel-delivery-store.test.ts +232 -194
package/src/__tests__/channel-guardian.test.ts +5 -3
package/src/__tests__/channel-invite-transport.test.ts +107 -92
package/src/__tests__/channel-policy.test.ts +42 -38
package/src/__tests__/channel-readiness-service.test.ts +119 -102
package/src/__tests__/channel-reply-delivery.test.ts +147 -118
package/src/__tests__/channel-retry-sweep.test.ts +153 -110
package/src/__tests__/checker.test.ts +3309 -1850
package/src/__tests__/clarification-resolver.test.ts +91 -79
package/src/__tests__/classifier.test.ts +64 -54
package/src/__tests__/claude-code-skill-regression.test.ts +42 -37
package/src/__tests__/claude-code-tool-profiles.test.ts +31 -29
package/src/__tests__/clawhub.test.ts +92 -82
package/src/__tests__/cli.test.ts +30 -30
package/src/__tests__/clipboard.test.ts +53 -46
package/src/__tests__/commit-guarantee.test.ts +59 -52
package/src/__tests__/commit-message-enrichment-service.test.ts +203 -75
package/src/__tests__/compaction.benchmark.test.ts +33 -31
package/src/__tests__/computer-use-session-compaction.test.ts +60 -50
package/src/__tests__/computer-use-session-lifecycle.test.ts +145 -117
package/src/__tests__/computer-use-session-working-dir.test.ts +62 -48
package/src/__tests__/computer-use-skill-baseline.test.ts +22 -19
package/src/__tests__/computer-use-skill-endstate.test.ts +45 -31
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +121 -88
package/src/__tests__/computer-use-skill-manifest-regression.test.ts +65 -42
package/src/__tests__/computer-use-skill-proxy-bridge.test.ts +33 -18
package/src/__tests__/computer-use-tools.test.ts +121 -98
package/src/__tests__/config-schema.test.ts +443 -347
package/src/__tests__/config-watcher.test.ts +96 -81
package/src/__tests__/confirmation-request-guardian-bridge.test.ts +148 -133
package/src/__tests__/conflict-intent-tokenization.test.ts +96 -78
package/src/__tests__/conflict-policy.test.ts +151 -80
package/src/__tests__/conflict-store.test.ts +203 -157
package/src/__tests__/connection-policy.test.ts +89 -59
package/src/__tests__/contacts-tools.test.ts +247 -178
package/src/__tests__/context-memory-e2e.test.ts +306 -214
package/src/__tests__/context-token-estimator.test.ts +114 -74
package/src/__tests__/context-window-manager.test.ts +269 -167
package/src/__tests__/contradiction-checker.test.ts +161 -135
package/src/__tests__/conversation-attention-store.test.ts +350 -290
package/src/__tests__/conversation-attention-telegram.test.ts +0 -1
package/src/__tests__/conversation-pairing.test.ts +220 -113
package/src/__tests__/conversation-routes-guardian-reply.test.ts +8 -0
package/src/__tests__/conversation-store.test.ts +390 -235
package/src/__tests__/credential-broker-browser-fill.test.ts +325 -250
package/src/__tests__/credential-broker-server-use.test.ts +283 -243
package/src/__tests__/credential-broker.test.ts +128 -74
package/src/__tests__/credential-host-pattern-match.test.ts +64 -44
package/src/__tests__/credential-metadata-store.test.ts +360 -311
package/src/__tests__/credential-policy-validate.test.ts +81 -65
package/src/__tests__/credential-resolve.test.ts +212 -145
package/src/__tests__/credential-security-e2e.test.ts +144 -103
package/src/__tests__/credential-security-invariants.test.ts +253 -208
package/src/__tests__/credential-selection.test.ts +254 -146
package/src/__tests__/credential-vault-unit.test.ts +531 -341
package/src/__tests__/credential-vault.test.ts +761 -484
package/src/__tests__/daemon-assistant-events.test.ts +91 -66
package/src/__tests__/daemon-lifecycle.test.ts +258 -190
package/src/__tests__/daemon-server-session-init.test.ts +2 -1
package/src/__tests__/date-context.test.ts +314 -249
package/src/__tests__/db-migration-rollback.test.ts +259 -130
package/src/__tests__/db-schedule-syntax-migration.test.ts +78 -41
package/src/__tests__/delete-managed-skill-tool.test.ts +77 -53
package/src/__tests__/deterministic-verification-control-plane.test.ts +0 -1
package/src/__tests__/dictation-mode-detection.test.ts +77 -55
package/src/__tests__/dictation-profile-store.test.ts +70 -56
package/src/__tests__/dictation-text-processing.test.ts +53 -35
package/src/__tests__/diff.test.ts +102 -98
package/src/__tests__/domain-normalize.test.ts +54 -54
package/src/__tests__/domain-policy.test.ts +71 -55
package/src/__tests__/dynamic-page-surface.test.ts +31 -33
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +69 -69
package/src/__tests__/edit-engine.test.ts +56 -56
package/src/__tests__/elevenlabs-client.test.ts +117 -91
package/src/__tests__/elevenlabs-config.test.ts +32 -31
package/src/__tests__/email-classifier.test.ts +15 -12
package/src/__tests__/email-cli.test.ts +121 -108
package/src/__tests__/emit-signal-routing-intent.test.ts +76 -69
package/src/__tests__/encrypted-store.test.ts +180 -154
package/src/__tests__/entity-extractor.test.ts +108 -87
package/src/__tests__/entity-search.test.ts +664 -258
package/src/__tests__/ephemeral-permissions.test.ts +224 -188
package/src/__tests__/event-bus.test.ts +81 -77
package/src/__tests__/extract-email.test.ts +29 -20
package/src/__tests__/file-edit-tool.test.ts +62 -44
package/src/__tests__/file-ops-service.test.ts +131 -114
package/src/__tests__/file-read-tool.test.ts +48 -31
package/src/__tests__/file-write-tool.test.ts +43 -37
package/src/__tests__/filesystem-tools.test.ts +238 -209
package/src/__tests__/followup-tools.test.ts +237 -162
package/src/__tests__/forbidden-legacy-symbols.test.ts +19 -20
package/src/__tests__/frontmatter.test.ts +96 -81
package/src/__tests__/fuzzy-match-property.test.ts +75 -81
package/src/__tests__/fuzzy-match.test.ts +71 -65
package/src/__tests__/gateway-client-managed-outbound.test.ts +76 -57
package/src/__tests__/gateway-only-enforcement.test.ts +0 -1
package/src/__tests__/gateway-only-guard.test.ts +0 -1
package/src/__tests__/gemini-image-service.test.ts +113 -100
package/src/__tests__/gemini-provider.test.ts +297 -220
package/src/__tests__/get-weather.test.ts +188 -114
package/src/__tests__/gmail-integration.test.ts +13 -5
package/src/__tests__/guardian-action-conversation-turn.test.ts +226 -171
package/src/__tests__/guardian-action-copy-generator.test.ts +111 -93
package/src/__tests__/guardian-action-followup-executor.test.ts +0 -1
package/src/__tests__/guardian-action-followup-store.test.ts +199 -167
package/src/__tests__/guardian-action-grant-mint-consume.test.ts +297 -250
package/src/__tests__/guardian-action-late-reply.test.ts +462 -316
package/src/__tests__/guardian-action-no-hardcoded-copy.test.ts +23 -18
package/src/__tests__/guardian-action-store.test.ts +158 -109
package/src/__tests__/guardian-action-sweep.test.ts +114 -100
package/src/__tests__/guardian-actions-endpoint.test.ts +440 -256
package/src/__tests__/guardian-control-plane-policy.test.ts +497 -331
package/src/__tests__/guardian-decision-primitive-canonical.test.ts +217 -215
package/src/__tests__/guardian-dispatch.test.ts +316 -256
package/src/__tests__/guardian-grant-minting.test.ts +247 -178
package/src/__tests__/guardian-outbound-http.test.ts +5 -3
package/src/__tests__/guardian-principal-id-roundtrip.test.ts +99 -96
package/src/__tests__/guardian-question-copy.test.ts +17 -17
package/src/__tests__/guardian-question-mode.test.ts +134 -100
package/src/__tests__/guardian-routing-invariants.test.ts +0 -1
package/src/__tests__/guardian-routing-state.test.ts +0 -1
package/src/__tests__/guardian-verification-intent-routing.test.ts +94 -88
package/src/__tests__/guardian-verification-voice-binding.test.ts +0 -1
package/src/__tests__/guardian-verify-setup-skill-regression.test.ts +0 -1
package/src/__tests__/handle-user-message-secret-resume.test.ts +7 -2
package/src/__tests__/handlers-add-trust-rule-metadata.test.ts +92 -76
package/src/__tests__/handlers-cu-observation-blob.test.ts +103 -70
package/src/__tests__/handlers-ipc-blob-probe.test.ts +77 -51
package/src/__tests__/handlers-slack-config.test.ts +63 -54
package/src/__tests__/handlers-task-submit-slash.test.ts +18 -18
package/src/__tests__/handlers-telegram-config.test.ts +662 -329
package/src/__tests__/handlers-twitter-config.test.ts +525 -298
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +5 -2
package/src/__tests__/headless-browser-interactions.test.ts +444 -280
package/src/__tests__/headless-browser-navigate.test.ts +116 -79
package/src/__tests__/headless-browser-read-tools.test.ts +123 -86
package/src/__tests__/headless-browser-snapshot.test.ts +71 -56
package/src/__tests__/heartbeat-service.test.ts +76 -58
package/src/__tests__/history-repair-observability.test.ts +14 -14
package/src/__tests__/history-repair.test.ts +171 -167
package/src/__tests__/home-base-bootstrap.test.ts +30 -27
package/src/__tests__/hooks-blocking.test.ts +86 -37
package/src/__tests__/hooks-cli.test.ts +104 -68
package/src/__tests__/hooks-config.test.ts +81 -43
package/src/__tests__/hooks-discovery.test.ts +106 -96
package/src/__tests__/hooks-integration.test.ts +78 -72
package/src/__tests__/hooks-manager.test.ts +99 -61
package/src/__tests__/hooks-runner.test.ts +94 -71
package/src/__tests__/hooks-settings.test.ts +69 -64
package/src/__tests__/hooks-templates.test.ts +85 -54
package/src/__tests__/hooks-ts-runner.test.ts +82 -45
package/src/__tests__/hooks-watch.test.ts +32 -22
package/src/__tests__/host-file-edit-tool.test.ts +190 -148
package/src/__tests__/host-file-read-tool.test.ts +86 -63
package/src/__tests__/host-file-write-tool.test.ts +98 -64
package/src/__tests__/host-shell-tool.test.ts +342 -233
package/src/__tests__/inbound-invite-redemption.test.ts +0 -1
package/src/__tests__/ingress-member-store.test.ts +163 -159
package/src/__tests__/ingress-reconcile.test.ts +13 -6
package/src/__tests__/ingress-routes-http.test.ts +441 -356
package/src/__tests__/ingress-url-consistency.test.ts +125 -64
package/src/__tests__/integration-status.test.ts +93 -73
package/src/__tests__/intent-routing.test.ts +148 -118
package/src/__tests__/invite-redemption-service.test.ts +163 -121
package/src/__tests__/ipc-blob-store.test.ts +104 -91
package/src/__tests__/ipc-contract-inventory.test.ts +27 -15
package/src/__tests__/ipc-contract.test.ts +24 -23
package/src/__tests__/ipc-protocol.test.ts +52 -46
package/src/__tests__/ipc-roundtrip.benchmark.test.ts +61 -50
package/src/__tests__/ipc-snapshot.test.ts +1135 -1056
package/src/__tests__/ipc-validate.test.ts +240 -179
package/src/__tests__/key-migration.test.ts +123 -90
package/src/__tests__/keychain.test.ts +150 -123
package/src/__tests__/lifecycle-docs-guard.test.ts +65 -64
package/src/__tests__/llm-usage-store.test.ts +112 -87
package/src/__tests__/managed-skill-lifecycle.test.ts +147 -108
package/src/__tests__/managed-store.test.ts +411 -360
package/src/__tests__/mcp-cli.test.ts +190 -124
package/src/__tests__/mcp-health-check.test.ts +26 -21
package/src/__tests__/media-generate-image.test.ts +122 -99
package/src/__tests__/media-reuse-story.e2e.test.ts +282 -214
package/src/__tests__/media-visibility-policy.test.ts +86 -38
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +146 -100
package/src/__tests__/memory-lifecycle-e2e.test.ts +385 -297
package/src/__tests__/memory-query-builder.test.ts +32 -33
package/src/__tests__/memory-recall-quality.test.ts +761 -407
package/src/__tests__/memory-regressions.experimental.test.ts +443 -380
package/src/__tests__/memory-regressions.test.ts +3725 -2642
package/src/__tests__/memory-retrieval-budget.test.ts +7 -8
package/src/__tests__/memory-retrieval.benchmark.test.ts +144 -109
package/src/__tests__/memory-upsert-concurrency.test.ts +292 -201
package/src/__tests__/messaging-send-tool.test.ts +36 -29
package/src/__tests__/migration-cli-flows.test.ts +69 -53
package/src/__tests__/migration-ordering.test.ts +103 -86
package/src/__tests__/mime-builder.test.ts +55 -32
package/src/__tests__/mock-signup-server.test.ts +384 -246
package/src/__tests__/model-intents.test.ts +61 -37
package/src/__tests__/no-direct-anthropic-sdk-imports.test.ts +9 -12
package/src/__tests__/no-is-trusted-guard.test.ts +24 -21
package/src/__tests__/non-member-access-request.test.ts +3 -2
package/src/__tests__/notification-broadcaster.test.ts +99 -81
package/src/__tests__/notification-decision-fallback.test.ts +223 -178
package/src/__tests__/notification-decision-strategy.test.ts +375 -337
package/src/__tests__/notification-deep-link.test.ts +67 -61
package/src/__tests__/notification-guardian-path.test.ts +248 -206
package/src/__tests__/notification-routing-intent.test.ts +166 -93
package/src/__tests__/notification-thread-candidate-validation.test.ts +78 -75
package/src/__tests__/notification-thread-candidates.test.ts +64 -61
package/src/__tests__/oauth-callback-registry.test.ts +40 -30
package/src/__tests__/oauth-connect-handler.test.ts +109 -89
package/src/__tests__/oauth-scope-policy.test.ts +63 -55
package/src/__tests__/oauth2-gateway-transport.test.ts +252 -174
package/src/__tests__/onboarding-starter-tasks.test.ts +93 -89
package/src/__tests__/onboarding-template-contract.test.ts +93 -94
package/src/__tests__/openai-provider.test.ts +366 -274
package/src/__tests__/pairing-concurrent.test.ts +18 -12
package/src/__tests__/pairing-routes.test.ts +45 -41
package/src/__tests__/parallel-tool.benchmark.test.ts +108 -58
package/src/__tests__/parser.test.ts +316 -226
package/src/__tests__/path-classifier.test.ts +24 -25
package/src/__tests__/path-policy.test.ts +187 -147
package/src/__tests__/phone.test.ts +36 -36
package/src/__tests__/platform-move-helper.test.ts +48 -40
package/src/__tests__/platform-socket-path.test.ts +23 -24
package/src/__tests__/platform-workspace-migration.test.ts +464 -414
package/src/__tests__/platform.test.ts +61 -53
package/src/__tests__/playbook-execution.test.ts +397 -265
package/src/__tests__/playbook-tools.test.ts +267 -196
package/src/__tests__/prebuilt-home-base-seed.test.ts +30 -27
package/src/__tests__/pricing.test.ts +316 -136
package/src/__tests__/profile-compiler.test.ts +206 -188
package/src/__tests__/provider-commit-message-generator.test.ts +114 -106
package/src/__tests__/provider-error-scenarios.test.ts +212 -158
package/src/__tests__/provider-fail-open-selection.test.ts +51 -44
package/src/__tests__/provider-registry-ollama.test.ts +13 -9
package/src/__tests__/provider-streaming.benchmark.test.ts +232 -183
package/src/__tests__/proxy-approval-callback.test.ts +180 -119
package/src/__tests__/public-ingress-urls.test.ts +112 -94
package/src/__tests__/qdrant-manager.test.ts +147 -98
package/src/__tests__/ratelimit.test.ts +152 -82
package/src/__tests__/recording-handler.test.ts +273 -151
package/src/__tests__/recording-intent-fallback.test.ts +94 -75
package/src/__tests__/recording-intent-handler.test.ts +9 -2
package/src/__tests__/recording-intent.test.ts +578 -379
package/src/__tests__/recording-state-machine.test.ts +530 -316
package/src/__tests__/recurrence-engine-rruleset.test.ts +150 -92
package/src/__tests__/recurrence-engine.test.ts +81 -41
package/src/__tests__/recurrence-types.test.ts +63 -44
package/src/__tests__/relay-server.test.ts +2131 -1602
package/src/__tests__/reminder-store.test.ts +158 -80
package/src/__tests__/reminder.test.ts +113 -109
package/src/__tests__/remote-skill-policy.test.ts +96 -72
package/src/__tests__/request-file-tool.test.ts +74 -67
package/src/__tests__/response-tier.test.ts +131 -74
package/src/__tests__/runtime-attachment-metadata.test.ts +0 -1
package/src/__tests__/runtime-events-sse-parity.test.ts +167 -145
package/src/__tests__/runtime-events-sse.test.ts +0 -1
package/src/__tests__/sandbox-diagnostics.test.ts +66 -56
package/src/__tests__/sandbox-host-parity.test.ts +377 -301
package/src/__tests__/scaffold-managed-skill-tool.test.ts +213 -161
package/src/__tests__/schedule-store.test.ts +268 -205
package/src/__tests__/schedule-tools.test.ts +702 -524
package/src/__tests__/scheduler-recurrence.test.ts +240 -130
package/src/__tests__/scoped-approval-grants.test.ts +258 -168
package/src/__tests__/scoped-grant-security-matrix.test.ts +160 -146
package/src/__tests__/script-proxy-certs.test.ts +38 -35
package/src/__tests__/script-proxy-connect-tunnel.test.ts +71 -46
package/src/__tests__/script-proxy-decision-trace.test.ts +161 -84
package/src/__tests__/script-proxy-http-forwarder.test.ts +146 -129
package/src/__tests__/script-proxy-injection-runtime.test.ts +139 -113
package/src/__tests__/script-proxy-mitm-handler.test.ts +226 -142
package/src/__tests__/script-proxy-policy-runtime.test.ts +126 -86
package/src/__tests__/script-proxy-policy.test.ts +308 -153
package/src/__tests__/script-proxy-rewrite-specificity.test.ts +74 -62
package/src/__tests__/script-proxy-router.test.ts +111 -77
package/src/__tests__/script-proxy-session-manager.test.ts +156 -113
package/src/__tests__/script-proxy-session-runtime.test.ts +28 -24
package/src/__tests__/secret-allowlist.test.ts +105 -90
package/src/__tests__/secret-ingress-handler.test.ts +41 -30
package/src/__tests__/secret-onetime-send.test.ts +67 -50
package/src/__tests__/secret-prompt-log-hygiene.test.ts +35 -31
package/src/__tests__/secret-response-routing.test.ts +50 -41
package/src/__tests__/secret-scanner-executor.test.ts +152 -111
package/src/__tests__/secret-scanner.test.ts +495 -413
package/src/__tests__/secure-keys.test.ts +132 -121
package/src/__tests__/send-endpoint-busy.test.ts +8 -3
package/src/__tests__/send-notification-tool.test.ts +43 -42
package/src/__tests__/sensitive-output-placeholders.test.ts +72 -64
package/src/__tests__/sequence-store.test.ts +335 -167
package/src/__tests__/server-history-render.test.ts +341 -202
package/src/__tests__/session-abort-tool-results.test.ts +133 -70
package/src/__tests__/session-confirmation-signals.test.ts +252 -160
package/src/__tests__/session-conflict-gate.test.ts +775 -585
package/src/__tests__/session-error.test.ts +222 -191
package/src/__tests__/session-evictor.test.ts +79 -62
package/src/__tests__/session-init.benchmark.test.ts +170 -108
package/src/__tests__/session-load-history-repair.test.ts +273 -139
package/src/__tests__/session-messaging-secret-redirect.test.ts +130 -90
package/src/__tests__/session-pre-run-repair.test.ts +106 -59
package/src/__tests__/session-profile-injection.test.ts +198 -130
package/src/__tests__/session-provider-retry-repair.test.ts +223 -141
package/src/__tests__/session-queue.test.ts +624 -321
package/src/__tests__/session-runtime-assembly.test.ts +425 -329
package/src/__tests__/session-runtime-workspace.test.ts +69 -61
package/src/__tests__/session-skill-tools.test.ts +973 -678
package/src/__tests__/session-slash-known.test.ts +185 -133
package/src/__tests__/session-slash-queue.test.ts +147 -81
package/src/__tests__/session-slash-unknown.test.ts +135 -90
package/src/__tests__/session-surfaces-task-progress.test.ts +122 -87
package/src/__tests__/session-tool-setup-app-refresh.test.ts +338 -177
package/src/__tests__/session-tool-setup-memory-scope.test.ts +63 -40
package/src/__tests__/session-tool-setup-side-effect-flag.test.ts +60 -37
package/src/__tests__/session-tool-setup-tools-disabled.test.ts +28 -26
package/src/__tests__/session-undo.test.ts +43 -30
package/src/__tests__/session-workspace-cache-state.test.ts +108 -67
package/src/__tests__/session-workspace-injection.test.ts +245 -117
package/src/__tests__/session-workspace-tool-tracking.test.ts +260 -93
package/src/__tests__/shared-filesystem-errors.test.ts +47 -47
package/src/__tests__/shell-credential-ref.test.ts +126 -90
package/src/__tests__/shell-identity.test.ts +134 -111
package/src/__tests__/shell-parser-fuzz.test.ts +263 -179
package/src/__tests__/shell-parser-property.test.ts +435 -288
package/src/__tests__/shell-tool-proxy-mode.test.ts +142 -70
package/src/__tests__/size-guard.test.ts +42 -44
package/src/__tests__/skill-feature-flags-integration.test.ts +79 -52
package/src/__tests__/skill-feature-flags.test.ts +75 -47
package/src/__tests__/skill-include-graph.test.ts +143 -148
package/src/__tests__/skill-load-feature-flag.test.ts +94 -59
package/src/__tests__/skill-load-tool.test.ts +371 -199
package/src/__tests__/skill-projection-feature-flag.test.ts +131 -88
package/src/__tests__/skill-projection.benchmark.test.ts +93 -65
package/src/__tests__/skill-script-runner-host.test.ts +460 -250
package/src/__tests__/skill-script-runner-sandbox.test.ts +168 -108
package/src/__tests__/skill-script-runner.test.ts +115 -74
package/src/__tests__/skill-tool-factory.test.ts +140 -96
package/src/__tests__/skill-tool-manifest.test.ts +306 -210
package/src/__tests__/skill-version-hash.test.ts +70 -56
package/src/__tests__/skills.test.ts +0 -1
package/src/__tests__/slack-channel-config.test.ts +127 -84
package/src/__tests__/slack-skill.test.ts +60 -47
package/src/__tests__/slash-commands-catalog.test.ts +37 -31
package/src/__tests__/slash-commands-parser.test.ts +71 -64
package/src/__tests__/slash-commands-resolver.test.ts +143 -107
package/src/__tests__/slash-commands-rewrite.test.ts +22 -22
package/src/__tests__/sms-messaging-provider.test.ts +4 -0
package/src/__tests__/speaker-identification.test.ts +28 -25
package/src/__tests__/starter-bundle.test.ts +27 -23
package/src/__tests__/starter-task-flow.test.ts +67 -52
package/src/__tests__/subagent-manager-notify.test.ts +154 -108
package/src/__tests__/subagent-tools.test.ts +311 -270
package/src/__tests__/subagent-types.test.ts +40 -40
package/src/__tests__/surface-mutex-cleanup.test.ts +42 -30
package/src/__tests__/swarm-dag-pathological.test.ts +122 -111
package/src/__tests__/swarm-orchestrator.test.ts +135 -101
package/src/__tests__/swarm-plan-validator.test.ts +125 -73
package/src/__tests__/swarm-recursion.test.ts +58 -46
package/src/__tests__/swarm-router-planner.test.ts +99 -74
package/src/__tests__/swarm-session-integration.test.ts +148 -91
package/src/__tests__/swarm-tool.test.ts +65 -45
package/src/__tests__/swarm-worker-backend.test.ts +59 -45
package/src/__tests__/swarm-worker-runner.test.ts +133 -118
package/src/__tests__/system-prompt.test.ts +311 -256
package/src/__tests__/task-compiler.test.ts +176 -120
package/src/__tests__/task-management-tools.test.ts +561 -456
package/src/__tests__/task-memory-cleanup.test.ts +627 -362
package/src/__tests__/task-runner.test.ts +117 -94
package/src/__tests__/task-scheduler.test.ts +113 -84
package/src/__tests__/task-tools.test.ts +349 -264
package/src/__tests__/terminal-sandbox.test.ts +138 -108
package/src/__tests__/terminal-tools.test.ts +350 -305
package/src/__tests__/thread-seed-composer.test.ts +307 -180
package/src/__tests__/tool-approval-handler.test.ts +238 -137
package/src/__tests__/tool-audit-listener.test.ts +69 -69
package/src/__tests__/tool-domain-event-publisher.test.ts +142 -132
package/src/__tests__/tool-execution-abort-cleanup.test.ts +155 -146
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +136 -105
package/src/__tests__/tool-executor-lifecycle-events.test.ts +355 -239
package/src/__tests__/tool-executor-redaction.test.ts +112 -109
package/src/__tests__/tool-executor-shell-integration.test.ts +130 -79
package/src/__tests__/tool-executor.test.ts +1274 -674
package/src/__tests__/tool-grant-request-escalation.test.ts +401 -283
package/src/__tests__/tool-metrics-listener.test.ts +97 -85
package/src/__tests__/tool-notification-listener.test.ts +42 -25
package/src/__tests__/tool-permission-simulate-handler.test.ts +137 -113
package/src/__tests__/tool-policy.test.ts +44 -25
package/src/__tests__/tool-profiling-listener.test.ts +99 -93
package/src/__tests__/tool-result-truncation.test.ts +5 -4
package/src/__tests__/tool-trace-listener.test.ts +131 -111
package/src/__tests__/top-level-renderer.test.ts +62 -58
package/src/__tests__/top-level-scanner.test.ts +68 -64
package/src/__tests__/trace-emitter.test.ts +56 -56
package/src/__tests__/trust-context-guards.test.ts +65 -65
package/src/__tests__/trust-store.test.ts +1239 -806
package/src/__tests__/trusted-contact-approval-notifier.test.ts +0 -1
package/src/__tests__/trusted-contact-inline-approval-integration.test.ts +0 -1
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +3 -2
package/src/__tests__/trusted-contact-multichannel.test.ts +3 -2
package/src/__tests__/trusted-contact-verification.test.ts +251 -231
package/src/__tests__/turn-commit.test.ts +259 -200
package/src/__tests__/twilio-provider.test.ts +140 -126
package/src/__tests__/twilio-rest.test.ts +22 -18
package/src/__tests__/twilio-routes-elevenlabs.test.ts +0 -1
package/src/__tests__/twilio-routes-twiml.test.ts +55 -55
package/src/__tests__/twilio-routes.test.ts +0 -1
package/src/__tests__/twitter-auth-handler.test.ts +184 -139
package/src/__tests__/twitter-cli-error-shaping.test.ts +88 -73
package/src/__tests__/twitter-cli-routing.test.ts +146 -99
package/src/__tests__/twitter-oauth-client.test.ts +82 -65
package/src/__tests__/update-bulletin-format.test.ts +69 -66
package/src/__tests__/update-bulletin-state.test.ts +66 -60
package/src/__tests__/update-bulletin.test.ts +150 -114
package/src/__tests__/update-template-contract.test.ts +15 -10
package/src/__tests__/url-safety.test.ts +288 -265
package/src/__tests__/user-reference.test.ts +32 -32
package/src/__tests__/view-image-tool.test.ts +118 -96
package/src/__tests__/voice-invite-redemption.test.ts +111 -106
package/src/__tests__/voice-quality.test.ts +117 -102
package/src/__tests__/voice-scoped-grant-consumer.test.ts +204 -146
package/src/__tests__/voice-session-bridge.test.ts +351 -216
package/src/__tests__/weather-skill-regression.test.ts +170 -120
package/src/__tests__/web-fetch.test.ts +664 -526
package/src/__tests__/web-search.test.ts +379 -213
package/src/__tests__/work-item-output.test.ts +90 -53
package/src/__tests__/workspace-git-service.test.ts +437 -356
package/src/__tests__/workspace-heartbeat-service.test.ts +125 -91
package/src/__tests__/workspace-lifecycle.test.ts +98 -64
package/src/__tests__/workspace-policy.test.ts +139 -71
package/src/cli/mcp.ts +81 -28
package/src/commands/__tests__/cc-command-registry.test.ts +142 -134
package/src/config/__tests__/feature-flag-registry-guard.test.ts +48 -39
package/src/config/bundled-skills/chatgpt-import/tools/chatgpt-import.ts +25 -10
package/src/config/bundled-skills/doordash/__tests__/doordash-session.test.ts +0 -1
package/src/config/bundled-skills/guardian-verify-setup/SKILL.md +6 -11
package/src/config/bundled-skills/messaging/SKILL.md +4 -3
package/src/config/bundled-skills/messaging/tools/gmail-outreach-scan.ts +15 -5
package/src/config/bundled-skills/messaging/tools/gmail-sender-digest.ts +16 -5
package/src/config/bundled-skills/phone-calls/SKILL.md +1 -2
package/src/config/bundled-skills/slack/tools/slack-scan-digest.ts +34 -32
package/src/config/bundled-skills/sms-setup/SKILL.md +8 -16
package/src/config/bundled-skills/telegram-setup/SKILL.md +3 -3
package/src/config/bundled-skills/trusted-contacts/SKILL.md +13 -25
package/src/config/bundled-skills/twilio-setup/SKILL.md +13 -23
package/src/config/bundled-tool-registry.ts +2 -0
package/src/config/env.ts +3 -4
package/src/config/system-prompt.ts +32 -0
package/src/mcp/client.ts +2 -7
package/src/memory/db-connection.ts +16 -10
package/src/messaging/providers/gmail/adapter.ts +10 -3
package/src/messaging/providers/gmail/client.ts +280 -72
package/src/runtime/auth/__tests__/context.test.ts +75 -65
package/src/runtime/auth/__tests__/credential-service.test.ts +137 -114
package/src/runtime/auth/__tests__/guard-tests.test.ts +84 -90
package/src/runtime/auth/__tests__/ipc-auth-context.test.ts +40 -40
package/src/runtime/auth/__tests__/middleware.test.ts +80 -74
package/src/runtime/auth/__tests__/policy.test.ts +9 -9
package/src/runtime/auth/__tests__/route-policy.test.ts +76 -65
package/src/runtime/auth/__tests__/scopes.test.ts +68 -60
package/src/runtime/auth/__tests__/subject.test.ts +54 -54
package/src/runtime/auth/__tests__/token-service.test.ts +115 -108
package/src/runtime/auth/scopes.ts +3 -0
package/src/runtime/auth/token-service.ts +4 -1
package/src/runtime/auth/types.ts +2 -1
package/src/runtime/http-server.ts +2 -1
package/src/security/secure-keys.ts +120 -54
package/src/tools/browser/__tests__/auth-cache.test.ts +69 -63
package/src/tools/browser/__tests__/auth-detector.test.ts +218 -157
package/src/tools/browser/__tests__/jit-auth.test.ts +83 -99
package/src/tools/terminal/safe-env.ts +7 -0

package/src/__tests__/credential-selection.test.ts CHANGED Viewed

@@ -1,7 +1,7 @@
-import { describe, expect,test } from 'bun:test';
+import { describe, expect, test } from "bun:test";
-import type { CredentialMetadata } from '../tools/credentials/metadata-store.js';
-import { rankCredentialsForEndpoint } from '../tools/credentials/selection.js';
+import type { CredentialMetadata } from "../tools/credentials/metadata-store.js";
+import { rankCredentialsForEndpoint } from "../tools/credentials/selection.js";
 // Realistic epoch-millisecond timestamps (similar to Date.now())
 const NOW = 1_770_000_000_000;
@@ -9,10 +9,12 @@ const ONE_HOUR_AGO = NOW - 3_600_000;
 const ONE_DAY_AGO = NOW - 86_400_000;
 const ONE_WEEK_AGO = NOW - 604_800_000;
-function makeCred(overrides: Partial<CredentialMetadata> & { credentialId: string }): CredentialMetadata {
+function makeCred(
+  overrides: Partial<CredentialMetadata> & { credentialId: string },
+): CredentialMetadata {
   return {
-    service: 'test',
-    field: 'api_key',
+    service: "test",
+    field: "api_key",
     allowedTools: [],
     allowedDomains: [],
     createdAt: ONE_DAY_AGO,
@@ -21,333 +23,439 @@ function makeCred(overrides: Partial<CredentialMetadata> & { credentialId: strin
   };
 }
-describe('rankCredentialsForEndpoint', () => {
-  test('returns null topChoice for empty credentials list', () => {
-    const result = rankCredentialsForEndpoint([], 'api.example.com');
+describe("rankCredentialsForEndpoint", () => {
+  test("returns null topChoice for empty credentials list", () => {
+    const result = rankCredentialsForEndpoint([], "api.example.com");
     expect(result.topChoice).toBeNull();
     expect(result.candidates).toHaveLength(0);
     expect(result.ambiguous).toBe(false);
   });
-  test('exact host match ranks higher than wildcard', () => {
+  test("exact host match ranks higher than wildcard", () => {
     const creds = [
       makeCred({
-        credentialId: 'wildcard',
-        injectionTemplates: [{ hostPattern: '*.fal.ai', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "wildcard",
+        injectionTemplates: [
+          {
+            hostPattern: "*.fal.ai",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: NOW,
       }),
       makeCred({
-        credentialId: 'exact',
-        injectionTemplates: [{ hostPattern: 'queue.fal.ai', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "exact",
+        injectionTemplates: [
+          {
+            hostPattern: "queue.fal.ai",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_WEEK_AGO,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'queue.fal.ai');
-    expect(result.topChoice?.credentialId).toBe('exact');
-    expect(result.topChoice?.confidence).toBe('high');
+    const result = rankCredentialsForEndpoint(creds, "queue.fal.ai");
+    expect(result.topChoice?.credentialId).toBe("exact");
+    expect(result.topChoice?.confidence).toBe("high");
     expect(result.ambiguous).toBe(false);
   });
-  test('wildcard match ranks higher than no template match', () => {
+  test("wildcard match ranks higher than no template match", () => {
     const creds = [
-      makeCred({ credentialId: 'no-template', updatedAt: NOW }),
+      makeCred({ credentialId: "no-template", updatedAt: NOW }),
       makeCred({
-        credentialId: 'wildcard',
-        injectionTemplates: [{ hostPattern: '*.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "wildcard",
+        injectionTemplates: [
+          {
+            hostPattern: "*.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_WEEK_AGO,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.openai.com');
-    expect(result.topChoice?.credentialId).toBe('wildcard');
-    expect(result.topChoice?.confidence).toBe('medium');
+    const result = rankCredentialsForEndpoint(creds, "api.openai.com");
+    expect(result.topChoice?.credentialId).toBe("wildcard");
+    expect(result.topChoice?.confidence).toBe("medium");
   });
-  test('wildcard *.example.com also matches bare example.com', () => {
+  test("wildcard *.example.com also matches bare example.com", () => {
     const creds = [
       makeCred({
-        credentialId: 'wild',
-        injectionTemplates: [{ hostPattern: '*.example.com', injectionType: 'header' }],
+        credentialId: "wild",
+        injectionTemplates: [
+          { hostPattern: "*.example.com", injectionType: "header" },
+        ],
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'example.com');
-    expect(result.topChoice?.credentialId).toBe('wild');
-    expect(result.topChoice?.confidence).toBe('medium');
+    const result = rankCredentialsForEndpoint(creds, "example.com");
+    expect(result.topChoice?.credentialId).toBe("wild");
+    expect(result.topChoice?.confidence).toBe("medium");
   });
-  test('alias set boosts score', () => {
+  test("alias set boosts score", () => {
     const creds = [
-      makeCred({ credentialId: 'no-alias', updatedAt: NOW }),
-      makeCred({ credentialId: 'with-alias', alias: 'primary-key', updatedAt: ONE_WEEK_AGO }),
+      makeCred({ credentialId: "no-alias", updatedAt: NOW }),
+      makeCred({
+        credentialId: "with-alias",
+        alias: "primary-key",
+        updatedAt: ONE_WEEK_AGO,
+      }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.example.com');
-    expect(result.topChoice?.credentialId).toBe('with-alias');
+    const result = rankCredentialsForEndpoint(creds, "api.example.com");
+    expect(result.topChoice?.credentialId).toBe("with-alias");
   });
-  test('recency breaks ties when host specificity and alias are equal', () => {
+  test("recency breaks ties when host specificity and alias are equal", () => {
     const creds = [
-      makeCred({ credentialId: 'older', updatedAt: ONE_DAY_AGO }),
-      makeCred({ credentialId: 'newer', updatedAt: NOW }),
+      makeCred({ credentialId: "older", updatedAt: ONE_DAY_AGO }),
+      makeCred({ credentialId: "newer", updatedAt: NOW }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.example.com');
-    expect(result.topChoice?.credentialId).toBe('newer');
+    const result = rankCredentialsForEndpoint(creds, "api.example.com");
+    expect(result.topChoice?.credentialId).toBe("newer");
   });
-  test('filters out credentials with non-matching allowedDomains', () => {
+  test("filters out credentials with non-matching allowedDomains", () => {
     const creds = [
       makeCred({
-        credentialId: 'restricted',
-        allowedDomains: ['other.com'],
+        credentialId: "restricted",
+        allowedDomains: ["other.com"],
       }),
       makeCred({
-        credentialId: 'unrestricted',
+        credentialId: "unrestricted",
         // empty allowedDomains = no restriction
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.example.com');
+    const result = rankCredentialsForEndpoint(creds, "api.example.com");
     expect(result.candidates).toHaveLength(1);
-    expect(result.topChoice?.credentialId).toBe('unrestricted');
+    expect(result.topChoice?.credentialId).toBe("unrestricted");
   });
-  test('allowedDomains with registrable-domain match allows subdomains', () => {
+  test("allowedDomains with registrable-domain match allows subdomains", () => {
     const creds = [
       makeCred({
-        credentialId: 'domain-match',
-        allowedDomains: ['fal.ai'],
-        injectionTemplates: [{ hostPattern: '*.fal.ai', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "domain-match",
+        allowedDomains: ["fal.ai"],
+        injectionTemplates: [
+          {
+            hostPattern: "*.fal.ai",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'queue.fal.ai');
+    const result = rankCredentialsForEndpoint(creds, "queue.fal.ai");
     expect(result.candidates).toHaveLength(1);
-    expect(result.topChoice?.credentialId).toBe('domain-match');
+    expect(result.topChoice?.credentialId).toBe("domain-match");
   });
-  test('ambiguous is true when top two candidates are in the same scoring tier', () => {
+  test("ambiguous is true when top two candidates are in the same scoring tier", () => {
     const creds = [
       makeCred({
-        credentialId: 'a',
-        injectionTemplates: [{ hostPattern: '*.api.com', injectionType: 'header' }],
+        credentialId: "a",
+        injectionTemplates: [
+          { hostPattern: "*.api.com", injectionType: "header" },
+        ],
         updatedAt: NOW,
       }),
       makeCred({
-        credentialId: 'b',
-        injectionTemplates: [{ hostPattern: '*.api.com', injectionType: 'header' }],
+        credentialId: "b",
+        injectionTemplates: [
+          { hostPattern: "*.api.com", injectionType: "header" },
+        ],
         updatedAt: ONE_HOUR_AGO,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'v1.api.com');
+    const result = rankCredentialsForEndpoint(creds, "v1.api.com");
     expect(result.ambiguous).toBe(true);
-    expect(result.topChoice?.confidence).toBe('low');
+    expect(result.topChoice?.confidence).toBe("low");
   });
-  test('ambiguous is false when top candidate is in a strictly higher tier', () => {
+  test("ambiguous is false when top candidate is in a strictly higher tier", () => {
     const creds = [
       makeCred({
-        credentialId: 'exact',
-        injectionTemplates: [{ hostPattern: 'api.example.com', injectionType: 'header' }],
+        credentialId: "exact",
+        injectionTemplates: [
+          { hostPattern: "api.example.com", injectionType: "header" },
+        ],
         updatedAt: ONE_WEEK_AGO,
       }),
       makeCred({
-        credentialId: 'wildcard',
-        injectionTemplates: [{ hostPattern: '*.example.com', injectionType: 'header' }],
+        credentialId: "wildcard",
+        injectionTemplates: [
+          { hostPattern: "*.example.com", injectionType: "header" },
+        ],
         updatedAt: NOW,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.example.com');
+    const result = rankCredentialsForEndpoint(creds, "api.example.com");
     expect(result.ambiguous).toBe(false);
-    expect(result.topChoice?.credentialId).toBe('exact');
+    expect(result.topChoice?.credentialId).toBe("exact");
   });
-  test('candidates are sorted descending by score', () => {
+  test("candidates are sorted descending by score", () => {
     const creds = [
-      makeCred({ credentialId: 'low', updatedAt: NOW }),
+      makeCred({ credentialId: "low", updatedAt: NOW }),
       makeCred({
-        credentialId: 'high',
-        injectionTemplates: [{ hostPattern: 'api.test.com', injectionType: 'header' }],
-        alias: 'primary',
+        credentialId: "high",
+        injectionTemplates: [
+          { hostPattern: "api.test.com", injectionType: "header" },
+        ],
+        alias: "primary",
         updatedAt: ONE_WEEK_AGO,
       }),
       makeCred({
-        credentialId: 'mid',
-        injectionTemplates: [{ hostPattern: '*.test.com', injectionType: 'header' }],
+        credentialId: "mid",
+        injectionTemplates: [
+          { hostPattern: "*.test.com", injectionType: "header" },
+        ],
         updatedAt: ONE_DAY_AGO,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.test.com');
-    expect(result.candidates.map((c) => c.credentialId)).toEqual(['high', 'mid', 'low']);
+    const result = rankCredentialsForEndpoint(creds, "api.test.com");
+    expect(result.candidates.map((c) => c.credentialId)).toEqual([
+      "high",
+      "mid",
+      "low",
+    ]);
   });
-  test('match reasons reflect actual matching criteria', () => {
+  test("match reasons reflect actual matching criteria", () => {
     const creds = [
       makeCred({
-        credentialId: 'full',
-        injectionTemplates: [{ hostPattern: 'api.test.com', injectionType: 'header' }],
-        alias: 'my-key',
+        credentialId: "full",
+        injectionTemplates: [
+          { hostPattern: "api.test.com", injectionType: "header" },
+        ],
+        alias: "my-key",
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.test.com');
-    expect(result.candidates[0].matchReason).toContain('exact host match');
-    expect(result.candidates[0].matchReason).toContain('alias set');
+    const result = rankCredentialsForEndpoint(creds, "api.test.com");
+    expect(result.candidates[0].matchReason).toContain("exact host match");
+    expect(result.candidates[0].matchReason).toContain("alias set");
   });
-  test('credential with no templates and no alias gets domain allowed reason', () => {
-    const creds = [makeCred({ credentialId: 'basic' })];
-    const result = rankCredentialsForEndpoint(creds, 'api.test.com');
-    expect(result.candidates[0].matchReason).toBe('domain allowed');
+  test("credential with no templates and no alias gets domain allowed reason", () => {
+    const creds = [makeCred({ credentialId: "basic" })];
+    const result = rankCredentialsForEndpoint(creds, "api.test.com");
+    expect(result.candidates[0].matchReason).toBe("domain allowed");
   });
-  test('single credential returns non-ambiguous result', () => {
+  test("single credential returns non-ambiguous result", () => {
     const creds = [
       makeCred({
-        credentialId: 'only',
-        injectionTemplates: [{ hostPattern: '*.example.com', injectionType: 'query', queryParamName: 'key' }],
+        credentialId: "only",
+        injectionTemplates: [
+          {
+            hostPattern: "*.example.com",
+            injectionType: "query",
+            queryParamName: "key",
+          },
+        ],
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.example.com');
+    const result = rankCredentialsForEndpoint(creds, "api.example.com");
     expect(result.ambiguous).toBe(false);
-    expect(result.topChoice?.credentialId).toBe('only');
-    expect(result.topChoice?.confidence).toBe('medium');
+    expect(result.topChoice?.credentialId).toBe("only");
+    expect(result.topChoice?.confidence).toBe("medium");
     expect(result.candidates).toHaveLength(1);
   });
-  test('host matching is case-insensitive', () => {
+  test("host matching is case-insensitive", () => {
     const creds = [
       makeCred({
-        credentialId: 'case',
-        injectionTemplates: [{ hostPattern: 'API.Example.COM', injectionType: 'header' }],
+        credentialId: "case",
+        injectionTemplates: [
+          { hostPattern: "API.Example.COM", injectionType: "header" },
+        ],
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.example.com');
-    expect(result.topChoice?.credentialId).toBe('case');
-    expect(result.topChoice?.confidence).toBe('high');
+    const result = rankCredentialsForEndpoint(creds, "api.example.com");
+    expect(result.topChoice?.credentialId).toBe("case");
+    expect(result.topChoice?.confidence).toBe("high");
   });
-  test('tier score always dominates recency even with real timestamps', () => {
+  test("tier score always dominates recency even with real timestamps", () => {
     const creds = [
       makeCred({
-        credentialId: 'old-exact',
-        injectionTemplates: [{ hostPattern: 'api.example.com', injectionType: 'header' }],
+        credentialId: "old-exact",
+        injectionTemplates: [
+          { hostPattern: "api.example.com", injectionType: "header" },
+        ],
         updatedAt: ONE_WEEK_AGO,
       }),
       makeCred({
-        credentialId: 'new-no-match',
+        credentialId: "new-no-match",
         updatedAt: NOW,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.example.com');
+    const result = rankCredentialsForEndpoint(creds, "api.example.com");
     // Exact host match must always win over recency
-    expect(result.topChoice?.credentialId).toBe('old-exact');
-    expect(result.topChoice?.confidence).toBe('high');
+    expect(result.topChoice?.credentialId).toBe("old-exact");
+    expect(result.topChoice?.confidence).toBe("high");
   });
 });
-describe('multi-key same-service selection', () => {
-  test('two OpenAI credentials targeting the same endpoint — deterministic chosen credential_id', () => {
+describe("multi-key same-service selection", () => {
+  test("two OpenAI credentials targeting the same endpoint — deterministic chosen credential_id", () => {
     const creds = [
       makeCred({
-        credentialId: 'openai-key-1',
-        service: 'openai',
-        injectionTemplates: [{ hostPattern: 'api.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "openai-key-1",
+        service: "openai",
+        injectionTemplates: [
+          {
+            hostPattern: "api.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_DAY_AGO,
       }),
       makeCred({
-        credentialId: 'openai-key-2',
-        service: 'openai',
-        injectionTemplates: [{ hostPattern: 'api.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "openai-key-2",
+        service: "openai",
+        injectionTemplates: [
+          {
+            hostPattern: "api.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: NOW,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.openai.com');
+    const result = rankCredentialsForEndpoint(creds, "api.openai.com");
     // Both have exact host match (tier score 100) — same tier, so ambiguous
     expect(result.ambiguous).toBe(true);
-    expect(result.topChoice?.confidence).toBe('low');
+    expect(result.topChoice?.confidence).toBe("low");
     // Despite ambiguity, topChoice is deterministic: the more recent key wins.
-    expect(result.topChoice?.credentialId).toBe('openai-key-2');
+    expect(result.topChoice?.credentialId).toBe("openai-key-2");
     expect(result.candidates).toHaveLength(2);
   });
-  test('ambiguity fallback path when two credentials have identical scores', () => {
+  test("ambiguity fallback path when two credentials have identical scores", () => {
     const creds = [
       makeCred({
-        credentialId: 'key-a',
-        service: 'openai',
-        injectionTemplates: [{ hostPattern: '*.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "key-a",
+        service: "openai",
+        injectionTemplates: [
+          {
+            hostPattern: "*.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_DAY_AGO,
       }),
       makeCred({
-        credentialId: 'key-b',
-        service: 'openai',
-        injectionTemplates: [{ hostPattern: '*.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "key-b",
+        service: "openai",
+        injectionTemplates: [
+          {
+            hostPattern: "*.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_DAY_AGO,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.openai.com');
+    const result = rankCredentialsForEndpoint(creds, "api.openai.com");
     expect(result.ambiguous).toBe(true);
-    expect(result.topChoice?.confidence).toBe('low');
+    expect(result.topChoice?.confidence).toBe("low");
     // Both candidates are present
     expect(result.candidates).toHaveLength(2);
   });
-  test('one credential with specific host template wins over one with generic template', () => {
+  test("one credential with specific host template wins over one with generic template", () => {
     const creds = [
       makeCred({
-        credentialId: 'generic-key',
-        service: 'openai',
-        injectionTemplates: [{ hostPattern: '*.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "generic-key",
+        service: "openai",
+        injectionTemplates: [
+          {
+            hostPattern: "*.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: NOW,
       }),
       makeCred({
-        credentialId: 'specific-key',
-        service: 'openai',
-        injectionTemplates: [{ hostPattern: 'api.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "specific-key",
+        service: "openai",
+        injectionTemplates: [
+          {
+            hostPattern: "api.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_WEEK_AGO,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.openai.com');
+    const result = rankCredentialsForEndpoint(creds, "api.openai.com");
     // exact host (100) vs wildcard (50) — not ambiguous, specific key wins even though it's older
-    expect(result.topChoice?.credentialId).toBe('specific-key');
-    expect(result.topChoice?.confidence).toBe('high');
+    expect(result.topChoice?.credentialId).toBe("specific-key");
+    expect(result.topChoice?.confidence).toBe("high");
     expect(result.ambiguous).toBe(false);
   });
-  test('both credentials have aliases — alias alone does not break ties', () => {
+  test("both credentials have aliases — alias alone does not break ties", () => {
     const creds = [
       makeCred({
-        credentialId: 'aliased-1',
-        service: 'openai',
-        alias: 'production-key',
-        injectionTemplates: [{ hostPattern: 'api.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "aliased-1",
+        service: "openai",
+        alias: "production-key",
+        injectionTemplates: [
+          {
+            hostPattern: "api.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_DAY_AGO,
       }),
       makeCred({
-        credentialId: 'aliased-2',
-        service: 'openai',
-        alias: 'staging-key',
-        injectionTemplates: [{ hostPattern: 'api.openai.com', injectionType: 'header', headerName: 'Authorization' }],
+        credentialId: "aliased-2",
+        service: "openai",
+        alias: "staging-key",
+        injectionTemplates: [
+          {
+            hostPattern: "api.openai.com",
+            injectionType: "header",
+            headerName: "Authorization",
+          },
+        ],
         updatedAt: ONE_DAY_AGO,
       }),
     ];
-    const result = rankCredentialsForEndpoint(creds, 'api.openai.com');
+    const result = rankCredentialsForEndpoint(creds, "api.openai.com");
     // Both have exact host (100) + alias (10) = 110 tier score + identical recency
     expect(result.ambiguous).toBe(true);
-    expect(result.topChoice?.confidence).toBe('low');
+    expect(result.topChoice?.confidence).toBe("low");
     expect(result.candidates).toHaveLength(2);
     // Both candidates have same tier score
     expect(result.candidates[0].score).toBe(result.candidates[1].score);