@vellumai/assistant 0.4.2 → 0.4.4

package/src/__tests__/conversation-routes-guardian-reply.test.ts

@@ -0,0 +1,256 @@
+import { beforeEach, describe, expect, mock, test } from 'bun:test';
+
+const routeGuardianReplyMock = mock(async () => ({
+  consumed: false,
+  decisionApplied: false,
+  type: 'not_consumed' as const,
+})) as any;
+const listPendingByDestinationMock = mock((_conversationId: string, _sourceChannel?: string) => [] as Array<{ id: string; kind?: string }>);
+const listCanonicalMock = mock((_filters?: Record<string, unknown>) => [] as Array<{ id: string }>);
+const addMessageMock = mock(async (_conversationId: string, role: string, _content?: string, _metadata?: Record<string, unknown>) => ({
+  id: role === 'user' ? 'persisted-user-id' : 'persisted-assistant-id',
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+
+mock.module('../memory/conversation-key-store.js', () => ({
+  getOrCreateConversation: () => ({ conversationId: 'conv-canonical-reply' }),
+  getConversationByKey: () => null,
+}));
+
+mock.module('../memory/attachments-store.js', () => ({
+  getAttachmentsByIds: () => [],
+}));
+
+mock.module('../runtime/guardian-reply-router.js', () => ({
+  routeGuardianReply: routeGuardianReplyMock,
+}));
+
+mock.module('../memory/canonical-guardian-store.js', () => ({
+  createCanonicalGuardianRequest: () => ({ id: 'canonical-id', requestCode: 'ABC123' }),
+  generateCanonicalRequestCode: () => 'ABC123',
+  listPendingCanonicalGuardianRequestsByDestinationConversation: (
+    conversationId: string,
+    sourceChannel?: string,
+  ) => listPendingByDestinationMock(conversationId, sourceChannel),
+  listCanonicalGuardianRequests: (filters?: Record<string, unknown>) =>
+    listCanonicalMock(filters),
+}));
+
+mock.module('../runtime/confirmation-request-guardian-bridge.js', () => ({
+  bridgeConfirmationRequestToGuardian: async () => undefined,
+}));
+
+mock.module('../memory/conversation-store.js', () => ({
+  addMessage: (
+    conversationId: string,
+    role: string,
+    content: string,
+    metadata?: Record<string, unknown>,
+  ) => addMessageMock(conversationId, role, content, metadata),
+}));
+
+mock.module('../runtime/local-actor-identity.js', () => ({
+  resolveLocalIpcGuardianContext: () => ({ trustClass: 'guardian', sourceChannel: 'vellum' }),
+}));
+
+import { handleSendMessage } from '../runtime/routes/conversation-routes.js';
+
+const testServer = {
+  requestIP: () => ({ address: '127.0.0.1' }),
+} as unknown as import('../runtime/middleware/actor-token.js').ServerWithRequestIP;
+
+describe('handleSendMessage canonical guardian reply interception', () => {
+  beforeEach(() => {
+    routeGuardianReplyMock.mockClear();
+    listPendingByDestinationMock.mockClear();
+    listCanonicalMock.mockClear();
+    addMessageMock.mockClear();
+  });
+
+  test('consumes access-request code replies on desktop HTTP path without pending confirmations', async () => {
+    listPendingByDestinationMock.mockReturnValue([{ id: 'access-req-1' }]);
+    listCanonicalMock.mockReturnValue([]);
+    routeGuardianReplyMock.mockResolvedValue({
+      consumed: true,
+      decisionApplied: true,
+      type: 'canonical_decision_applied',
+      requestId: 'access-req-1',
+      replyText: 'Access approved. Verification code: 123456.',
+    });
+
+    const persistUserMessage = mock(async () => 'should-not-be-called');
+    const runAgentLoop = mock(async () => undefined);
+    const session = {
+      setGuardianContext: () => {},
+      setStateSignalListener: () => {},
+      emitConfirmationStateChanged: () => {},
+      emitActivityState: () => {},
+      setTurnChannelContext: () => {},
+      setTurnInterfaceContext: () => {},
+      isProcessing: () => false,
+      hasAnyPendingConfirmation: () => false,
+      denyAllPendingConfirmations: () => {},
+      enqueueMessage: () => ({ queued: true, requestId: 'queued-id' }),
+      persistUserMessage,
+      runAgentLoop,
+      getMessages: () => [] as unknown[],
+      assistantId: 'self',
+      guardianContext: undefined,
+      hasPendingConfirmation: () => false,
+    } as unknown as import('../daemon/session.js').Session;
+
+    const req = new Request('http://localhost/v1/messages', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        conversationKey: 'guardian-thread-key',
+        content: '05BECB approve',
+        sourceChannel: 'vellum',
+        interface: 'macos',
+      }),
+    });
+
+    const res = await handleSendMessage(req, {
+      sendMessageDeps: {
+        getOrCreateSession: async () => session,
+        assistantEventHub: { publish: async () => {} } as any,
+        resolveAttachments: () => [],
+      },
+    }, testServer);
+
+    expect(res.status).toBe(202);
+    const body = await res.json() as { accepted: boolean; messageId?: string };
+    expect(body.accepted).toBe(true);
+    expect(body.messageId).toBe('persisted-user-id');
+
+    expect(routeGuardianReplyMock).toHaveBeenCalledTimes(1);
+    const routerCall = (routeGuardianReplyMock as any).mock.calls[0][0] as Record<string, unknown>;
+    expect(routerCall.messageText).toBe('05BECB approve');
+    expect(routerCall.pendingRequestIds).toEqual(['access-req-1']);
+    expect(addMessageMock).toHaveBeenCalledTimes(2);
+    expect(persistUserMessage).toHaveBeenCalledTimes(0);
+    expect(runAgentLoop).toHaveBeenCalledTimes(0);
+  });
+
+  test('passes undefined pendingRequestIds when no canonical hints are found', async () => {
+    listPendingByDestinationMock.mockReturnValue([]);
+    listCanonicalMock.mockReturnValue([]);
+    routeGuardianReplyMock.mockResolvedValue({
+      consumed: false,
+      decisionApplied: false,
+      type: 'not_consumed',
+    });
+
+    const persistUserMessage = mock(async () => 'persisted-user-id');
+    const runAgentLoop = mock(async () => undefined);
+    const session = {
+      setGuardianContext: () => {},
+      setStateSignalListener: () => {},
+      emitConfirmationStateChanged: () => {},
+      emitActivityState: () => {},
+      setTurnChannelContext: () => {},
+      setTurnInterfaceContext: () => {},
+      isProcessing: () => false,
+      hasAnyPendingConfirmation: () => false,
+      denyAllPendingConfirmations: () => {},
+      enqueueMessage: () => ({ queued: true, requestId: 'queued-id' }),
+      persistUserMessage,
+      runAgentLoop,
+      getMessages: () => [] as unknown[],
+      assistantId: 'self',
+      guardianContext: undefined,
+      hasPendingConfirmation: () => false,
+    } as unknown as import('../daemon/session.js').Session;
+
+    const req = new Request('http://localhost/v1/messages', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        conversationKey: 'guardian-thread-key',
+        content: 'hello there',
+        sourceChannel: 'vellum',
+        interface: 'macos',
+      }),
+    });
+
+    const res = await handleSendMessage(req, {
+      sendMessageDeps: {
+        getOrCreateSession: async () => session,
+        assistantEventHub: { publish: async () => {} } as any,
+        resolveAttachments: () => [],
+      },
+    }, testServer);
+
+    expect(res.status).toBe(202);
+    expect(routeGuardianReplyMock).toHaveBeenCalledTimes(1);
+    const routerCall = (routeGuardianReplyMock as any).mock.calls[0][0] as Record<string, unknown>;
+    expect(routerCall.pendingRequestIds).toBeUndefined();
+    expect(persistUserMessage).toHaveBeenCalledTimes(1);
+    expect(runAgentLoop).toHaveBeenCalledTimes(1);
+  });
+
+  test('excludes stale tool_approval hints without a live pending confirmation', async () => {
+    listPendingByDestinationMock.mockReturnValue([
+      { id: 'tool-approval-live', kind: 'tool_approval' },
+      { id: 'tool-approval-stale', kind: 'tool_approval' },
+      { id: 'access-req-1', kind: 'access_request' },
+    ]);
+    listCanonicalMock.mockReturnValue([]);
+    routeGuardianReplyMock.mockResolvedValue({
+      consumed: false,
+      decisionApplied: false,
+      type: 'not_consumed',
+    });
+
+    const persistUserMessage = mock(async () => 'persisted-user-id');
+    const runAgentLoop = mock(async () => undefined);
+    const session = {
+      setGuardianContext: () => {},
+      setStateSignalListener: () => {},
+      emitConfirmationStateChanged: () => {},
+      emitActivityState: () => {},
+      setTurnChannelContext: () => {},
+      setTurnInterfaceContext: () => {},
+      isProcessing: () => false,
+      hasAnyPendingConfirmation: () => true,
+      denyAllPendingConfirmations: () => {},
+      enqueueMessage: () => ({ queued: true, requestId: 'queued-id' }),
+      persistUserMessage,
+      runAgentLoop,
+      getMessages: () => [] as unknown[],
+      assistantId: 'self',
+      guardianContext: undefined,
+      hasPendingConfirmation: (requestId: string) => requestId === 'tool-approval-live',
+    } as unknown as import('../daemon/session.js').Session;
+
+    const req = new Request('http://localhost/v1/messages', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        conversationKey: 'guardian-thread-key',
+        content: 'approve',
+        sourceChannel: 'vellum',
+        interface: 'macos',
+      }),
+    });
+
+    const res = await handleSendMessage(req, {
+      sendMessageDeps: {
+        getOrCreateSession: async () => session,
+        assistantEventHub: { publish: async () => {} } as any,
+        resolveAttachments: () => [],
+      },
+    }, testServer);
+
+    expect(res.status).toBe(202);
+    expect(routeGuardianReplyMock).toHaveBeenCalledTimes(1);
+    const routerCall = (routeGuardianReplyMock as any).mock.calls[0][0] as Record<string, unknown>;
+    expect(routerCall.pendingRequestIds).toEqual(['tool-approval-live', 'access-req-1']);
+    expect((routerCall.pendingRequestIds as string[]).includes('tool-approval-stale')).toBe(false);
+  });
+});

package/src/__tests__/conversation-routes.test.ts

@@ -17,8 +17,17 @@ mock.module('../memory/attachments-store.js', () => ({
   getAttachmentsByIds: () => [],
 }));
 
+mock.module('../runtime/local-actor-identity.js', () => ({
+  resolveLocalIpcGuardianContext: (sourceChannel: string) => ({ trustClass: 'guardian', sourceChannel }),
+}));
+
+import type { ServerWithRequestIP } from '../runtime/middleware/actor-token.js';
 import { handleSendMessage } from '../runtime/routes/conversation-routes.js';
 
+const mockLoopbackServer: ServerWithRequestIP = {
+  requestIP: () => ({ address: '127.0.0.1', family: 'IPv4', port: 0 }),
+};
+
 describe('handleSendMessage', () => {
   test('legacy fallback passes guardian context to processor', async () => {
     let capturedOptions: RuntimeMessageSessionOptions | undefined;
@@ -41,16 +50,16 @@ describe('handleSendMessage', () => {
         capturedSourceChannel = sourceChannel;
         return { messageId: 'msg-legacy-fallback' };
       },
-    });
+    }, mockLoopbackServer);
 
     const body = await res.json() as { accepted: boolean; messageId: string };
     expect(res.status).toBe(202);
     expect(body.accepted).toBe(true);
     expect(body.messageId).toBe('msg-legacy-fallback');
     expect(capturedSourceChannel).toBe('telegram');
-    expect(capturedOptions?.guardianContext).toEqual({
+    expect(capturedOptions?.guardianContext).toEqual(expect.objectContaining({
       trustClass: 'guardian',
       sourceChannel: 'telegram',
-    });
+    }));
   });
 });

package/src/__tests__/credential-security-invariants.test.ts

@@ -196,8 +196,8 @@ describe('Invariant 2: no generic plaintext secret read API', () => {
       'daemon/handlers.ts',            // Vercel API token + integration OAuth
       'daemon/handlers/config-integrations.ts', // Vercel API token + Twitter integration OAuth
       'daemon/handlers/config-telegram.ts',     // Telegram bot token management
-      'daemon/handlers/config-twilio.ts',       // Twilio credential management
       'daemon/handlers/config-ingress.ts',      // Ingress config (reads Twilio credentials for webhook sync)
+      'runtime/routes/twilio-routes.ts',        // Twilio credential management (HTTP control-plane)
       'security/token-manager.ts',     // OAuth token refresh flow
       'email/providers/index.ts',      // email provider API key lookup
       'tools/network/script-proxy/session-manager.ts', // proxy credential injection at runtime

package/src/__tests__/daemon-server-session-init.test.ts

@@ -299,6 +299,10 @@ mock.module('../memory/conversation-store.js', () => ({
   getDisplayMetaForConversations: () => new Map(),
 }));
 
+mock.module('../runtime/confirmation-request-guardian-bridge.js', () => ({
+  bridgeConfirmationRequestToGuardian: () => ({ skipped: true, reason: 'not_trusted_contact' }),
+}));
+
 mock.module('../daemon/session.js', () => ({
   Session: MockSession,
   DEFAULT_MEMORY_POLICY: MOCK_DEFAULT_MEMORY_POLICY,

package/src/__tests__/deterministic-verification-control-plane.test.ts

@@ -32,7 +32,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 

package/src/__tests__/guardian-actions-endpoint.test.ts

@@ -58,12 +58,17 @@ import {
 import { initializeDb, resetDb } from '../memory/db.js';
 import { getDb } from '../memory/db.js';
 import { conversations } from '../memory/schema.js';
+import type { ServerWithRequestIP } from '../runtime/middleware/actor-token.js';
 import {
   handleGuardianActionDecision,
   handleGuardianActionsPending,
   listGuardianDecisionPrompts,
 } from '../runtime/routes/guardian-action-routes.js';
 
+const mockLoopbackServer: ServerWithRequestIP = {
+  requestIP: () => ({ address: '127.0.0.1', family: 'IPv4', port: 0 }),
+};
+
 initializeDb();
 
 function ensureConversation(id: string): void {
@@ -145,7 +150,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ action: 'approve_once' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(400);
     const body = await res.json();
     expect(body.error.message).toContain('requestId');
@@ -156,7 +161,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-1' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(400);
     const body = await res.json();
     expect(body.error.message).toContain('action');
@@ -167,7 +172,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-1', action: 'nuke_from_orbit' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(400);
     const body = await res.json();
     expect(body.error.message).toContain('Invalid action');
@@ -180,7 +185,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'nonexistent', action: 'approve_once' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(404);
   });
 
@@ -192,7 +197,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-gd-1', action: 'approve_once' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(200);
     const body = await res.json();
     expect(body.applied).toBe(true);
@@ -207,7 +212,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-scope-1', action: 'approve_once', conversationId: 'conv-wrong' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(404);
     const body = await res.json();
     expect(body.error.message).toContain('No pending guardian action');
@@ -222,7 +227,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-scope-2', action: 'reject', conversationId: 'conv-match' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(200);
     const body = await res.json();
     expect(body.applied).toBe(true);
@@ -236,7 +241,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-scope-3', action: 'approve_once' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(200);
   });
 
@@ -254,7 +259,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-access-1', action: 'approve_once' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     expect(res.status).toBe(200);
     const body = await res.json();
     expect(body.applied).toBe(true);
@@ -262,6 +267,27 @@ describe('HTTP handleGuardianActionDecision', () => {
     expect(mockApplyCanonicalGuardianDecision).toHaveBeenCalledTimes(1);
   });
 
+  test('applies decision for voice access_request kind through canonical primitive', async () => {
+    createTestCanonicalRequest({
+      conversationId: 'conv-voice-access',
+      requestId: 'req-voice-access-1',
+      kind: 'access_request',
+      toolName: 'ingress_access_request',
+      guardianExternalUserId: 'guardian-voice-42',
+    });
+    mockApplyCanonicalGuardianDecision.mockResolvedValueOnce({ applied: true, requestId: 'req-voice-access-1', grantMinted: false });
+
+    const req = new Request('http://localhost/v1/guardian-actions/decision', {
+      method: 'POST',
+      body: JSON.stringify({ requestId: 'req-voice-access-1', action: 'approve_once' }),
+    });
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.applied).toBe(true);
+    expect(mockApplyCanonicalGuardianDecision).toHaveBeenCalledTimes(1);
+  });
+
   test('returns stale reason from canonical decision primitive', async () => {
     createTestCanonicalRequest({ conversationId: 'conv-stale', requestId: 'req-stale-1' });
     mockApplyCanonicalGuardianDecision.mockResolvedValueOnce({ applied: false, reason: 'already_resolved' });
@@ -270,7 +296,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-stale-1', action: 'approve_once' }),
     });
-    const res = await handleGuardianActionDecision(req);
+    const res = await handleGuardianActionDecision(req, mockLoopbackServer);
     const body = await res.json();
     expect(body.applied).toBe(false);
     expect(body.reason).toBe('already_resolved');
@@ -286,7 +312,7 @@ describe('HTTP handleGuardianActionDecision', () => {
       method: 'POST',
       body: JSON.stringify({ requestId: 'req-actor-1', action: 'approve_once' }),
     });
-    await handleGuardianActionDecision(req);
+    await handleGuardianActionDecision(req, mockLoopbackServer);
     const call = mockApplyCanonicalGuardianDecision.mock.calls[0]![0] as Record<string, unknown>;
     const actorContext = call.actorContext as Record<string, unknown>;
     expect(actorContext.externalUserId).toBeUndefined();
@@ -304,7 +330,7 @@ describe('HTTP handleGuardianActionsPending', () => {
 
   test('returns 400 when conversationId is missing', () => {
     const req = new Request('http://localhost/v1/guardian-actions/pending');
-    const res = handleGuardianActionsPending(req);
+    const res = handleGuardianActionsPending(req, mockLoopbackServer);
     expect(res.status).toBe(400);
   });
 
@@ -316,7 +342,7 @@ describe('HTTP handleGuardianActionsPending', () => {
     });
 
     const req = new Request('http://localhost/v1/guardian-actions/pending?conversationId=conv-list');
-    const res = handleGuardianActionsPending(req);
+    const res = handleGuardianActionsPending(req, mockLoopbackServer);
     expect(res.status).toBe(200);
 
     // Verify the prompts directly via the shared helper

package/src/__tests__/guardian-dispatch.test.ts

@@ -367,6 +367,11 @@ describe('guardian-dispatch', () => {
     expect(request).toBeDefined();
     expect(request!.tool_name).toBe('send_email');
     expect(request!.input_digest).toBe('abc123def456');
+
+    const signalParams = emitCalls[0] as Record<string, unknown>;
+    const payload = signalParams.contextPayload as Record<string, unknown>;
+    expect(payload.requestKind).toBe('pending_question');
+    expect(payload.toolName).toBe('send_email');
   });
 
   test('omitting toolName and inputDigest stores null for informational ASK_GUARDIAN dispatches', async () => {
@@ -422,6 +427,9 @@ describe('guardian-dispatch', () => {
     // The request was just created so there is 1 pending request for this session
     expect(payload.activeGuardianRequestCount).toBe(1);
     expect(payload.callSessionId).toBe(session.id);
+    expect(payload.requestKind).toBe('pending_question');
+    expect(payload.toolName).toBeUndefined();
+    expect(payload.pendingQuestionId).toBeUndefined();
   });
 
   test('repeated guardian questions in the same call each create per-request delivery rows even when sharing a conversation', async () => {

package/src/__tests__/guardian-outbound-http.test.ts

@@ -35,7 +35,6 @@ mock.module('../util/platform.js', () => ({
   getDbPath: () => join(testDir, 'test.db'),
   getLogPath: () => join(testDir, 'test.log'),
   ensureDataDir: () => {},
-  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
   readHttpToken: () => 'test-bearer-token',
 }));
 
@@ -269,7 +268,7 @@ describe('startOutbound', () => {
 
 describe('resendOutbound', () => {
   test('returns no_active_session when no session exists', () => {
-    const result = resendOutbound({ channel: 'sms', assistantId: 'no-such-assistant' });
+    const result = resendOutbound({ channel: 'sms' });
     expect(result.success).toBe(false);
     expect(result.error).toBe('no_active_session');
   });
@@ -340,7 +339,7 @@ describe('resendOutbound', () => {
 
 describe('cancelOutbound', () => {
   test('returns no_active_session when no session exists', () => {
-    const result = cancelOutbound({ channel: 'sms', assistantId: 'no-such-assistant-cancel' });
+    const result = cancelOutbound({ channel: 'sms' });
     expect(result.success).toBe(false);
     expect(result.error).toBe('no_active_session');
   });
@@ -398,7 +397,7 @@ describe('HTTP route: handleResendOutbound', () => {
   });
 
   test('returns 400 for no_active_session', async () => {
-    const req = jsonRequest({ channel: 'sms', assistantId: 'resend-no-session' });
+    const req = jsonRequest({ channel: 'sms' });
     const resp = await handleResendOutbound(req);
     expect(resp.status).toBe(400);
     const body = await resp.json() as { error?: string };
@@ -440,7 +439,7 @@ describe('HTTP route: handleCancelOutbound', () => {
   });
 
   test('returns 400 for no_active_session', async () => {
-    const req = jsonRequest({ channel: 'sms', assistantId: 'cancel-no-session' });
+    const req = jsonRequest({ channel: 'sms' });
     const resp = await handleCancelOutbound(req);
     expect(resp.status).toBe(400);
     const body = await resp.json() as { error?: string };