@vellumai/assistant 0.4.29 → 0.4.30

package/src/__tests__/dynamic-skill-workflow-prompt.test.ts

@@ -46,6 +46,15 @@ mock.module("../util/logger.js", () => ({
   truncateForLog: (v: string) => v,
 }));
 
+mock.module("../config/loader.js", () => ({
+  getConfig: () => ({
+    sandbox: { enabled: false, backend: "native" },
+    assistantFeatureFlagValues: {
+      "feature_flags.browser.enabled": true,
+    },
+  }),
+}));
+
 const { buildSystemPrompt } = await import("../config/system-prompt.js");
 
 describe("Dynamic Skill Authoring Workflow prompt section", () => {

package/src/__tests__/gateway-only-guard.test.ts

@@ -32,6 +32,7 @@ const ALLOWLIST = new Set([
 
   // --- Documentation and comments that mention the port for explanatory purposes ---
   "AGENTS.md", // documents the gateway-only rule itself
+  "assistant/docs/runbook-trusted-contacts.md", // operator runbook targeting runtime-only /v1/contacts endpoints
   "assistant/src/runtime/middleware/twilio-validation.ts", // comment explaining proxy URL rewriting
 ]);
 

package/src/__tests__/gemini-image-service.test.ts

@@ -137,8 +137,8 @@ describe("generateImage", () => {
       .contents as Array<Record<string, unknown>>;
     const parts = contents[0].parts as Array<Record<string, unknown>>;
 
-    // First part is the text prompt
-    expect(parts[0]).toEqual({ text: "remove background" });
+    // First part is the text prompt (with appended title instruction)
+    expect((parts[0] as { text: string }).text).toContain("remove background");
     // Second part is the source image
     expect(parts[1]).toEqual({
       inlineData: { mimeType: "image/jpeg", data: "srcdata" },

package/src/__tests__/guardian-grant-minting.test.ts

@@ -189,9 +189,9 @@ describe("guardian grant minting on tool-approval decisions", () => {
 
   beforeEach(() => {
     resetTables();
-    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue(
-      undefined,
-    );
+    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue({
+      ok: true,
+    });
     composeSpy = spyOn(
       approvalMessageComposer,
       "composeApprovalMessageGenerative",
@@ -593,9 +593,9 @@ describe("approval interception trust-class regression coverage", () => {
 
   beforeEach(() => {
     resetTables();
-    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue(
-      undefined,
-    );
+    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue({
+      ok: true,
+    });
     composeSpy = spyOn(
       approvalMessageComposer,
       "composeApprovalMessageGenerative",

package/src/__tests__/guardian-routing-invariants.test.ts

@@ -169,22 +169,45 @@ function registerPendingToolApprovalInteraction(
 describe("routing invariant: all decision paths reference applyCanonicalGuardianDecision", () => {
   const srcRoot = resolve(__dirname, "..");
 
-  // The files that constitute decision entrypoints. Each must import
-  // `applyCanonicalGuardianDecision` from the guardian-decision-primitive.
-  const DECISION_ENTRYPOINTS = [
+  // The files that constitute decision entrypoints. Each must reference
+  // `applyCanonicalGuardianDecision` (directly) or `processGuardianDecision`
+  // (shared wrapper that calls applyCanonicalGuardianDecision internally).
+  const DECISION_ENTRYPOINTS: Array<{
+    path: string;
+    symbols: string[];
+  }> = [
     // Inbound channel router (Telegram/SMS/WhatsApp)
-    "runtime/guardian-reply-router.ts",
-    // HTTP API route handler (desktop and API clients)
-    "runtime/routes/guardian-action-routes.ts",
-    // IPC handler (desktop socket clients)
-    "daemon/handlers/guardian-actions.ts",
+    {
+      path: "runtime/guardian-reply-router.ts",
+      symbols: ["applyCanonicalGuardianDecision"],
+    },
+    // HTTP API route handler (desktop and API clients) — uses processGuardianDecision
+    // which is a shared wrapper around applyCanonicalGuardianDecision
+    {
+      path: "runtime/routes/guardian-action-routes.ts",
+      symbols: ["processGuardianDecision"],
+    },
+    // IPC handler (desktop socket clients) — uses processGuardianDecision
+    // which is a shared wrapper around applyCanonicalGuardianDecision
+    {
+      path: "daemon/handlers/guardian-actions.ts",
+      symbols: ["processGuardianDecision"],
+    },
+    // Shared service where processGuardianDecision is defined — must route
+    // through the canonical primitive to complete the chain:
+    // entrypoint → processGuardianDecision → applyCanonicalGuardianDecision
+    {
+      path: "runtime/guardian-action-service.ts",
+      symbols: ["applyCanonicalGuardianDecision"],
+    },
   ];
 
-  for (const relPath of DECISION_ENTRYPOINTS) {
-    test(`${relPath} imports applyCanonicalGuardianDecision`, () => {
+  for (const { path: relPath, symbols } of DECISION_ENTRYPOINTS) {
+    test(`${relPath} imports ${symbols.join(" or ")}`, () => {
       const fullPath = join(srcRoot, relPath);
       const source = readFileSync(fullPath, "utf-8");
-      expect(source).toContain("applyCanonicalGuardianDecision");
+      const found = symbols.some((s) => source.includes(s));
+      expect(found).toBe(true);
     });
   }
 

package/src/__tests__/guardian-verify-setup-skill-regression.test.ts

@@ -107,14 +107,12 @@ describe("guardian-verify-setup skill — voice auto-followup", () => {
         ?.split("## Step 6")[0] ?? "";
     // Must mention rebind guard concept
     expect(pollingSection).toContain("Rebind guard");
-    // Must instruct not to trust the first bound: true in a rebind flow
+    // Must instruct not to trust bound: true alone in a rebind flow
     expect(pollingSection).toContain(
-      "do NOT treat the first `bound: true` poll result as success",
+      "do NOT treat `bound: true` alone as success",
     );
-    // Must reference bound_at timestamp comparison as the primary mechanism
-    expect(pollingSection).toContain("bound_at");
-    // Must have a fallback for when bound_at is unavailable
-    expect(pollingSection).toContain("second poll onward");
+    // Must reference verificationSessionId as the mechanism to detect fresh binding
+    expect(pollingSection).toContain("verificationSessionId");
     // Must clarify non-rebind flows are unaffected
     expect(pollingSection).toContain("Non-rebind flows");
   });

package/src/__tests__/inbound-invite-redemption.test.ts

@@ -90,7 +90,7 @@ mock.module("../runtime/approval-message-composer.js", () => ({
 import { findContactChannel } from "../contacts/contact-store.js";
 import { upsertMember } from "../contacts/contacts-write.js";
 import { getDb, initializeDb, resetDb } from "../memory/db.js";
-import { createInvite, revokeInvite } from "../memory/ingress-invite-store.js";
+import { createInvite, revokeInvite } from "../memory/invite-store.js";
 import { handleChannelInbound } from "../runtime/routes/channel-routes.js";
 
 initializeDb();

package/src/__tests__/integrations-cli.test.ts

@@ -108,7 +108,6 @@ describe("vellum integrations CLI", () => {
 
   afterEach(() => {
     delete process.env.GATEWAY_AUTH_TOKEN;
-    delete process.env.INTERNAL_GATEWAY_BASE_URL;
     process.exitCode = 0;
   });
 
@@ -141,8 +140,8 @@ describe("vellum integrations CLI", () => {
     expect(mintCalls).toBe(1);
   });
 
-  test("prefers INTERNAL_GATEWAY_BASE_URL when it is injected", async () => {
-    process.env.INTERNAL_GATEWAY_BASE_URL = "http://gateway.internal:9900/";
+  test("uses configured gateway base for requests", async () => {
+    gatewayBase = "http://gateway.internal:9900";
     const result = await runCli(["--json", "twilio", "config"], {
       success: true,
     });
@@ -163,28 +162,6 @@ describe("vellum integrations CLI", () => {
     );
   });
 
-  test("passes filters for ingress members (now calls /v1/contacts)", async () => {
-    const result = await runCli(
-      ["--json", "ingress", "members", "--role", "contact", "--limit", "20"],
-      { ok: true, contacts: [] },
-    );
-    expect(result.exitCode).toBe(0);
-    expect(result.fetchCalls[0]?.url).toBe(
-      "http://gateway.test/v1/contacts?role=contact&limit=20",
-    );
-  });
-
-  test("ingress members defaults role to contact", async () => {
-    const result = await runCli(["--json", "ingress", "members"], {
-      ok: true,
-      contacts: [],
-    });
-    expect(result.exitCode).toBe(0);
-    expect(result.fetchCalls[0]?.url).toBe(
-      "http://gateway.test/v1/contacts?role=contact",
-    );
-  });
-
   test("reads ingress config without gateway fetch", async () => {
     rawConfig = {
       ingress: {
@@ -192,7 +169,6 @@ describe("vellum integrations CLI", () => {
         publicBaseUrl: "https://public.example.com",
       },
     };
-    process.env.INTERNAL_GATEWAY_BASE_URL = "http://gateway.internal:9900/";
     const result = await runCli(["--json", "ingress", "config"], { ok: true });
 
     expect(result.exitCode).toBe(0);
@@ -201,7 +177,7 @@ describe("vellum integrations CLI", () => {
       success: true,
       enabled: true,
       publicBaseUrl: "https://public.example.com",
-      localGatewayTarget: "http://gateway.internal:9900",
+      localGatewayTarget: "http://gateway.test",
     });
   });
 

package/src/__tests__/intent-routing.test.ts

@@ -50,6 +50,9 @@ mock.module("../config/loader.js", () => ({
     ui: {},
 
     sandbox: { enabled: false, backend: "local" },
+    assistantFeatureFlagValues: {
+      "feature_flags.guardian-verify-setup.enabled": true,
+    },
   }),
 }));
 

package/src/__tests__/invite-redemption-service.test.ts

@@ -29,7 +29,7 @@ import { getSqlite, initializeDb, resetDb } from "../memory/db.js";
 import {
   createInvite,
   revokeInvite as revokeStoreFn,
-} from "../memory/ingress-invite-store.js";
+} from "../memory/invite-store.js";
 import {
   type InviteRedemptionOutcome,
   redeemInvite,