@vellumai/assistant 0.4.22 → 0.4.25

package/src/__tests__/conversation-routes-guardian-reply.test.ts

@@ -84,7 +84,10 @@ mock.module("../runtime/guardian-context-resolver.js", () => ({
     trustClass: "guardian",
     sourceChannel: "vellum",
   }),
-  toGuardianRuntimeContext: (ctx: unknown) => ctx,
+  toGuardianRuntimeContext: (sourceChannel: unknown, ctx: unknown) => ({
+    ...(ctx as Record<string, unknown>),
+    sourceChannel,
+  }),
 }));
 
 import type { AuthContext } from "../runtime/auth/types.js";

package/src/__tests__/credential-security-invariants.test.ts

@@ -226,7 +226,6 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "tools/network/script-proxy/session-manager.ts", // proxy credential injection at runtime
       "messaging/registry.ts", // checks stored credentials for connected providers
       "calls/call-domain.ts", // caller identity resolution (user phone number lookup)
-      "calls/elevenlabs-config.ts", // ElevenLabs voice quality API key lookup
       "calls/twilio-config.ts", // call infrastructure credential lookup
       "calls/twilio-provider.ts", // call infrastructure credential lookup
       "calls/twilio-rest.ts", // Twilio REST API credential lookup
@@ -234,7 +233,6 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "runtime/http-server.ts", // HTTP server credential lookup
       "daemon/handlers/twitter-auth.ts", // Twitter OAuth token storage
       "twitter/oauth-client.ts", // Twitter OAuth API client (reads access token for API calls)
-      "calls/elevenlabs-config.ts", // ElevenLabs credential lookup
       "cli/config-commands.ts", // CLI config management
       "messaging/providers/telegram-bot/adapter.ts", // Telegram bot token lookup for connectivity check
       "messaging/providers/sms/adapter.ts", // Twilio credential lookup for SMS connectivity check

package/src/__tests__/guardian-verify-setup-skill-regression.test.ts

@@ -119,13 +119,13 @@ describe("guardian-verify-setup skill — voice auto-followup", () => {
     expect(pollingSection).toContain("Non-rebind flows");
   });
 
-  test("polling is voice-only — does not apply to SMS or Telegram", () => {
+  test("polling is voice-only — does not apply to Telegram", () => {
     const pollingSection =
       skillContent
         .split("## Voice Auto-Check Polling")[1]
         ?.split("## Step 6")[0] ?? "";
     expect(pollingSection).toContain("voice-only");
-    expect(pollingSection).toContain("Do NOT poll for SMS or Telegram");
+    expect(pollingSection).toContain("Do NOT poll for Telegram");
   });
 
   test('no instruction requires waiting for user to ask "did it work?"', () => {

package/src/__tests__/headless-browser-interactions.test.ts

@@ -64,10 +64,6 @@ mock.module("../tools/browser/browser-screencast.js", () => ({
   stopBrowserScreencast: async () => {},
   stopAllScreencasts: async () => {},
   ensureScreencast: async () => {},
-  updateBrowserStatus: () => {},
-  updatePagesList: async () => {},
-  getElementBounds: async () => null,
-  updateHighlights: () => {},
 }));
 
 import {

package/src/__tests__/ipc-snapshot.test.ts

@@ -476,39 +476,6 @@ const clientMessages: Record<ClientMessageType, ClientMessage> = {
     service: "gmail",
     requestedScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
   },
-  browser_cdp_response: {
-    type: "browser_cdp_response",
-    sessionId: "test-session",
-    success: true,
-  },
-  browser_user_click: {
-    type: "browser_user_click",
-    sessionId: "test-session",
-    surfaceId: "test-surface",
-    x: 100,
-    y: 200,
-  },
-  browser_user_scroll: {
-    type: "browser_user_scroll",
-    sessionId: "test-session",
-    surfaceId: "test-surface",
-    deltaX: 0,
-    deltaY: -100,
-    x: 100,
-    y: 200,
-  },
-  browser_user_keypress: {
-    type: "browser_user_keypress",
-    sessionId: "test-session",
-    surfaceId: "test-surface",
-    key: "Enter",
-  },
-  browser_interactive_mode: {
-    type: "browser_interactive_mode",
-    sessionId: "test-session",
-    surfaceId: "test-surface",
-    enabled: true,
-  },
   work_items_list: {
     type: "work_items_list",
     status: "queued",
@@ -1590,19 +1557,6 @@ const serverMessages: Record<ServerMessageType, ServerMessage> = {
     type: "app_files_changed",
     appId: "app-001",
   },
-  browser_frame: {
-    type: "browser_frame",
-    sessionId: "sess-001",
-    surfaceId: "surface-001",
-    frame: "base64-jpeg-data",
-    metadata: {
-      offsetTop: 0,
-      pageScaleFactor: 1,
-      scrollOffsetX: 0,
-      scrollOffsetY: 0,
-      timestamp: 1700000000,
-    },
-  },
   diagnostics_export_response: {
     type: "diagnostics_export_response",
     success: true,
@@ -1633,23 +1587,6 @@ const serverMessages: Record<ServerMessageType, ServerMessage> = {
     grantedScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
     accountInfo: "user@example.com",
   },
-  browser_cdp_request: {
-    type: "browser_cdp_request",
-    sessionId: "test-session",
-  },
-  browser_interactive_mode_changed: {
-    type: "browser_interactive_mode_changed",
-    sessionId: "test-session",
-    surfaceId: "test-surface",
-    enabled: true,
-  },
-  browser_handoff_request: {
-    type: "browser_handoff_request",
-    sessionId: "test-session",
-    surfaceId: "test-surface",
-    reason: "auth" as const,
-    message: "Login required",
-  },
   document_editor_show: {
     type: "document_editor_show",
     sessionId: "sess-001",

package/src/__tests__/onboarding-template-contract.test.ts

@@ -14,11 +14,11 @@ describe("onboarding template contracts", () => {
       expect(lower).toContain("who am i");
     });
 
-    test("infers personality indirectly instead of asking directly", () => {
+    test("infers personality organically instead of asking directly", () => {
       const lower = bootstrap.toLowerCase();
-      // Personality step must instruct indirect/organic discovery
+      // Personality step must instruct organic discovery via conversation
       expect(lower).toContain("personality");
-      expect(lower).toContain("indirectly");
+      expect(lower).toContain("emerge");
       expect(lower).toContain("vibe");
     });
 
@@ -41,15 +41,15 @@ describe("onboarding template contracts", () => {
       const lower = bootstrap.toLowerCase();
       // The template must prompt the assistant to ask about names.
       expect(lower).toContain("name");
-      // The first step should be about locking in the assistant's name
-      expect(lower).toContain("lock in your name");
+      // The first step should be about the assistant's name
+      expect(lower).toContain("your name");
       // The conversation sequence must include identity/naming
       expect(lower).toContain("who am i");
     });
 
     test("asks user name AFTER assistant identity is established", () => {
-      // Step 1 is locking in the assistant's name, step 3 is asking the user's name
-      const assistantNameIdx = bootstrap.indexOf("Lock in your name.");
+      // Step 1 is the assistant's name, step 4 is asking the user's name
+      const assistantNameIdx = bootstrap.indexOf("Your name:");
       const userNameIdx = bootstrap.indexOf("who am I talking to?");
       expect(assistantNameIdx).toBeGreaterThan(-1);
       expect(userNameIdx).toBeGreaterThan(-1);
@@ -87,10 +87,8 @@ describe("onboarding template contracts", () => {
       expect(lower).toContain("home base");
     });
 
-    test("contains privacy/refusal policy", () => {
+    test("contains refusal policy", () => {
       const lower = bootstrap.toLowerCase();
-      // Must have a privacy section
-      expect(lower).toContain("privacy");
       // Assistant name is hard-required, user details are best-effort
       expect(lower).toContain("hard-required");
       expect(lower).toContain("best-effort");
@@ -107,16 +105,8 @@ describe("onboarding template contracts", () => {
       expect(lower).toContain("declined");
     });
 
-    test("preserves no em dashes instruction", () => {
-      const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("em dashes");
-    });
-
-    test("preserves no technical jargon instruction", () => {
-      const lower = bootstrap.toLowerCase();
-      expect(lower).toContain("technical jargon");
-      expect(lower).toContain("system internals");
-    });
+    // em-dash and technical jargon instructions are now hardcoded in the system
+    // prompt builder (buildSystemPrompt) rather than in the BOOTSTRAP.md template.
 
     test("preserves comment line format instruction", () => {
       // The template must start with the comment format explanation

package/src/__tests__/relay-server.test.ts

@@ -2276,7 +2276,7 @@ describe("relay-server", () => {
         .map((raw) => JSON.parse(raw) as { type: string; token?: string })
         .filter((m) => m.type === "text");
       const promptText = textMessages.map((m) => m.token ?? "").join("");
-      expect(promptText).toContain("Hi, this is my guardian's assistant.");
+      expect(promptText).toContain("Hi, this is my human's assistant.");
       expect(promptText).not.toContain("Vellum");
       expect(promptText).toContain("don't recognize this number");
       expect(promptText).toContain("Can I get your name");
@@ -2326,13 +2326,13 @@ describe("relay-server", () => {
     // Should have transitioned to awaiting guardian decision
     expect(relay.getConnectionState()).toBe("awaiting_guardian_decision");
 
-    // Should have sent the hold message (guardian label defaults to "my guardian")
+    // Should have sent the hold message (guardian label defaults to "my human")
     const textMessages = ws.sentMessages
       .map((raw) => JSON.parse(raw) as { type: string; token?: string })
       .filter((m) => m.type === "text");
     expect(
       textMessages.some((m) =>
-        (m.token ?? "").includes("I've let my guardian know"),
+        (m.token ?? "").includes("I've let my human know"),
       ),
     ).toBe(true);
     expect(

package/src/__tests__/resolve-guardian-trust-class.test.ts

@@ -0,0 +1,61 @@
+import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import type { GuardianRuntimeContext } from "../daemon/session-runtime-assembly.js";
+
+// ── Module mocks ─────────────────────────────────────────────────────
+
+let fakeHttpAuthDisabled = false;
+
+mock.module("../config/env.js", () => ({
+  isHttpAuthDisabled: () => fakeHttpAuthDisabled,
+  hasUngatedHttpAuthDisabled: () => false,
+}));
+
+// ── Real imports (after mocks) ───────────────────────────────────────
+
+import { resolveGuardianTrustClass } from "../daemon/session-tool-setup.js";
+
+afterAll(() => {
+  mock.restore();
+});
+
+// ── Tests ────────────────────────────────────────────────────────────
+
+describe("resolveGuardianTrustClass", () => {
+  beforeEach(() => {
+    fakeHttpAuthDisabled = false;
+  });
+
+  test("returns guardian context trust class when auth is enabled", () => {
+    const ctx: Pick<GuardianRuntimeContext, "trustClass"> = {
+      trustClass: "trusted_contact",
+    };
+    expect(resolveGuardianTrustClass(ctx as GuardianRuntimeContext)).toBe(
+      "trusted_contact",
+    );
+  });
+
+  test("defaults to guardian when no guardian context and auth is enabled", () => {
+    expect(resolveGuardianTrustClass(undefined)).toBe("guardian");
+  });
+
+  test("forces guardian when HTTP auth is disabled, regardless of context trust class", () => {
+    fakeHttpAuthDisabled = true;
+    const ctx: Pick<GuardianRuntimeContext, "trustClass"> = {
+      trustClass: "trusted_contact",
+    };
+    expect(resolveGuardianTrustClass(ctx as GuardianRuntimeContext)).toBe(
+      "guardian",
+    );
+  });
+
+  test("forces guardian for unknown trust class when HTTP auth is disabled", () => {
+    fakeHttpAuthDisabled = true;
+    const ctx: Pick<GuardianRuntimeContext, "trustClass"> = {
+      trustClass: "unknown",
+    };
+    expect(resolveGuardianTrustClass(ctx as GuardianRuntimeContext)).toBe(
+      "guardian",
+    );
+  });
+});

package/src/__tests__/runtime-events-sse-parity.test.ts

@@ -106,6 +106,11 @@ async function publishAndReadFrame(
   await assistantEventHub.publish(event);
 
   const reader = response.body!.getReader();
+
+  // The first chunk is the immediate heartbeat comment enqueued in start().
+  await reader.read();
+
+  // The second chunk is the actual assistant event.
   const { value } = await reader.read();
   ac.abort();
 
@@ -366,6 +371,11 @@ describe("SSE IPC parity — streaming/delta message types", () => {
     await assistantEventHub.publish(published);
 
     const reader = response.body!.getReader();
+
+    // The first chunk is the immediate heartbeat comment enqueued in start().
+    await reader.read();
+
+    // The second chunk is the actual assistant event.
     const { value } = await reader.read();
     ac.abort();
 

package/src/__tests__/runtime-events-sse.test.ts

@@ -168,6 +168,13 @@ describe("SSE assistant-events endpoint", () => {
 
     // Read the first frame directly from the response body stream.
     const reader = response.body!.getReader();
+
+    // The first chunk is the immediate heartbeat comment enqueued in start().
+    const initial = await reader.read();
+    expect(initial.done).toBe(false);
+    expect(new TextDecoder().decode(initial.value)).toBe(": heartbeat\n\n");
+
+    // The second chunk is the actual assistant event.
     const { value, done } = await reader.read();
     ac.abort();
 

package/src/__tests__/session-init.benchmark.test.ts

@@ -277,11 +277,7 @@ mock.module("../tools/browser/browser-screencast.js", () => ({
   registerSessionSender: () => {},
   unregisterSessionSender: () => {},
   ensureScreencast: () => Promise.resolve(),
-  updateBrowserStatus: () => {},
-  updatePagesList: () => Promise.resolve(),
   stopBrowserScreencast: () => Promise.resolve(),
-  getElementBounds: () => Promise.resolve(null),
-  updateHighlights: () => {},
   stopAllScreencasts: () => Promise.resolve(),
   isScreencastActive: () => false,
   getSender: () => undefined,

package/src/__tests__/session-runtime-assembly.test.ts

@@ -44,6 +44,14 @@ describe("resolveChannelCapabilities", () => {
     expect(caps.supportsVoiceInput).toBe(true);
   });
 
+  test("vellum channel with vellum interface supports dynamic UI", () => {
+    const caps = resolveChannelCapabilities("vellum", "vellum");
+    expect(caps.channel).toBe("vellum");
+    expect(caps.dashboardCapable).toBe(false);
+    expect(caps.supportsDynamicUi).toBe(true);
+    expect(caps.supportsVoiceInput).toBe(false);
+  });
+
   test("defaults to vellum for null source channel", () => {
     const caps = resolveChannelCapabilities(null);
     expect(caps.channel).toBe("vellum");
@@ -407,6 +415,24 @@ describe("trust-gating via channel capabilities", () => {
     expect(injected).toContain("Present information as well-formatted text");
     expect(injected).toContain("desktop app");
   });
+
+  test("vellum web interface allows dynamic UI but constrains dashboard references", () => {
+    const caps = resolveChannelCapabilities("vellum", "vellum");
+    const message: Message = {
+      role: "user",
+      content: [{ type: "text", text: "Show me a form" }],
+    };
+
+    const result = injectChannelCapabilityContext(message, caps);
+    const injected = (result.content[0] as { type: "text"; text: string }).text;
+
+    expect(injected).toContain("CHANNEL CONSTRAINTS");
+    expect(injected).toContain("Do NOT reference the dashboard UI");
+    expect(injected).not.toContain("Do NOT use ui_show");
+    expect(injected).not.toContain("Present information as well-formatted text");
+    expect(injected).toContain("supports_dynamic_ui: true");
+    expect(injected).toContain("dashboard_capable: false");
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -994,12 +1020,12 @@ describe("sanitizePttActivationKey", () => {
     expect(sanitizePttActivationKey("none")).toBe("none");
   });
 
-  test('returns "unknown" for invalid keys', () => {
-    expect(sanitizePttActivationKey("malicious\nprompt injection")).toBe(
-      "unknown",
-    );
-    expect(sanitizePttActivationKey("arbitrary_value")).toBe("unknown");
-    expect(sanitizePttActivationKey("")).toBe("unknown");
+  test("returns undefined for invalid keys", () => {
+    expect(
+      sanitizePttActivationKey("malicious\nprompt injection"),
+    ).toBeUndefined();
+    expect(sanitizePttActivationKey("arbitrary_value")).toBeUndefined();
+    expect(sanitizePttActivationKey("")).toBeUndefined();
   });
 });
 
@@ -1015,11 +1041,11 @@ describe("resolveChannelCapabilities with PTT metadata", () => {
     expect(caps.pttActivationKey).toBe("fn");
   });
 
-  test("sanitizes invalid pttActivationKey to unknown", () => {
+  test("sanitizes invalid pttActivationKey to undefined", () => {
     const caps = resolveChannelCapabilities("macos", "macos", {
       pttActivationKey: "evil\nprompt",
     });
-    expect(caps.pttActivationKey).toBe("unknown");
+    expect(caps.pttActivationKey).toBeUndefined();
   });
 
   test("passes through microphonePermissionGranted", () => {

package/src/__tests__/system-prompt.test.ts

@@ -75,9 +75,15 @@ const {
   buildPhoneCallsRoutingSection,
 } = await import("../config/system-prompt.js");
 
-/** Strip the Configuration and Skills sections so base-prompt tests stay focused. */
+/** Strip the Configuration, Skills, and hardcoded preamble sections so base-prompt tests stay focused. */
 function basePrompt(result: string): string {
   let s = result;
+  // Strip the hardcoded em-dash instruction preamble
+  const emDashLine =
+    "IMPORTANT: Never use em dashes (\u2014) in your messages. Use commas, periods, or just start a new sentence instead.";
+  if (s.startsWith(emDashLine)) {
+    s = s.slice(emDashLine.length).replace(/^\n\n/, "");
+  }
   for (const heading of [
     "## Configuration",
     "## Skills Catalog",

package/src/__tests__/trusted-contact-approval-notifier.test.ts

@@ -120,8 +120,14 @@ mock.module("../config/env.js", () => ({
   getGatewayInternalBaseUrl: () => "http://localhost:3000",
 }));
 
+// ── User reference mock ──
+mock.module("../config/user-reference.js", () => ({
+  resolveUserReference: () => "my human",
+}));
+
 // Import module under test AFTER mocks are set up
 import type { ChannelId } from "../channels/types.js";
+import { resolveUserReference } from "../config/user-reference.js";
 import type { GuardianContext } from "../runtime/guardian-context-resolver.js";
 
 // We need to test the private functions by importing the module.
@@ -220,9 +226,7 @@ async function simulateNotifierPoll(params: {
     }
   }
 
-  const waitingText = guardianName
-    ? `Waiting for ${guardianName}'s approval...`
-    : "Waiting for your guardian's approval...";
+  const waitingText = `Waiting for ${guardianName ?? resolveUserReference()}'s approval...`;
 
   try {
     await deliverChannelReply(
@@ -330,7 +334,7 @@ describe("trusted-contact pending-approval notifier", () => {
     );
   });
 
-  test("uses generic phrasing when no guardian name is available", async () => {
+  test("falls back to user reference when no guardian name is available", async () => {
     mockPendingApprovals = [
       {
         requestId: "req-3",
@@ -359,11 +363,11 @@ describe("trusted-contact pending-approval notifier", () => {
 
     expect(deliveredReplies).toHaveLength(1);
     expect(deliveredReplies[0].payload.text).toBe(
-      "Waiting for your guardian's approval...",
+      "Waiting for my human's approval...",
     );
   });
 
-  test("uses generic phrasing when no guardian binding exists", async () => {
+  test("falls back to user reference when no guardian binding exists", async () => {
     mockPendingApprovals = [
       {
         requestId: "req-4",
@@ -388,7 +392,7 @@ describe("trusted-contact pending-approval notifier", () => {
 
     expect(deliveredReplies).toHaveLength(1);
     expect(deliveredReplies[0].payload.text).toBe(
-      "Waiting for your guardian's approval...",
+      "Waiting for my human's approval...",
     );
   });
 
@@ -736,7 +740,7 @@ describe("trusted-contact pending-approval notifier", () => {
     expect(deliveredReplies).toHaveLength(1);
     // Falls back to generic phrasing
     expect(deliveredReplies[0].payload.text).toBe(
-      "Waiting for your guardian's approval...",
+      "Waiting for my human's approval...",
     );
   });
 });

package/src/__tests__/twilio-routes-twiml.test.ts

@@ -46,7 +46,7 @@ describe("generateTwiML with voice quality profile", () => {
     expect(twiml).toContain('voice="voice123-turbo_v2_5-1_0.5_0.75"');
   });
 
-  test("voice attribute reflects configured voice for twilio_standard mode", () => {
+  test("voice attribute reflects configured Google voice", () => {
     const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
       language: "en-US",
       transcriptionProvider: "Deepgram",
@@ -57,7 +57,7 @@ describe("generateTwiML with voice quality profile", () => {
     expect(twiml).toContain('voice="Google.en-US-Journey-O"');
   });
 
-  test("voice attribute reflects configured voice for twilio_elevenlabs_tts mode", () => {
+  test("voice attribute reflects configured ElevenLabs voice", () => {
     const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting, {
       language: "en-US",
       transcriptionProvider: "Deepgram",

package/src/__tests__/twilio-routes.test.ts

@@ -60,13 +60,12 @@ const mockConfigObj = {
   memory: { enabled: false },
   rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
   secretDetection: { enabled: false },
+  elevenlabs: { voiceId: "21m00Tcm4TlvDq8ikWAM" },
   calls: {
     voice: {
-      mode: "twilio_standard",
       language: "en-US",
       transcriptionProvider: "Deepgram",
-      fallbackToStandardOnError: true,
-      elevenlabs: { voiceId: "" },
+      elevenlabs: {},
     },
   },
 };