@vellumai/assistant 0.4.29 → 0.4.31

package/src/__tests__/conflict-store.test.ts

@@ -33,7 +33,6 @@ import {
   getPendingConflictByPair,
   listPendingConflictDetails,
   listPendingConflicts,
-  markConflictAsked,
   resolveConflict,
 } from "../memory/conflict-store.js";
 import { getDb, initializeDb, resetDb } from "../memory/db.js";
@@ -60,6 +59,10 @@ function resetTables() {
 function insertItemPair(
   suffix: string,
   scopeId = "default",
+  opts?: {
+    existingVerificationState?: string;
+    candidateVerificationState?: string;
+  },
 ): { existingItemId: string; candidateItemId: string } {
   const db = getDb();
   const now = Date.now();
@@ -76,7 +79,8 @@ function insertItemPair(
         confidence: 0.8,
         importance: 0.5,
         fingerprint: `fp-existing-${suffix}`,
-        verificationState: "assistant_inferred",
+        verificationState:
+          opts?.existingVerificationState ?? "assistant_inferred",
         scopeId,
         firstSeenAt: now,
         lastSeenAt: now,
@@ -90,7 +94,8 @@ function insertItemPair(
         confidence: 0.8,
         importance: 0.5,
         fingerprint: `fp-candidate-${suffix}`,
-        verificationState: "assistant_inferred",
+        verificationState:
+          opts?.candidateVerificationState ?? "assistant_inferred",
         scopeId,
         firstSeenAt: now,
         lastSeenAt: now,
@@ -218,24 +223,11 @@ describe("conflict-store", () => {
     expect(pendingDefault[0].status).toBe("pending_clarification");
   });
 
-  test("markConflictAsked updates lastAskedAt", () => {
-    const pair = insertItemPair("asked");
-    const conflict = createOrUpdatePendingConflict({
-      scopeId: "default",
-      existingItemId: pair.existingItemId,
-      candidateItemId: pair.candidateItemId,
-      relationship: "ambiguous_contradiction",
+  test("listPendingConflictDetails joins current statements and verification states", () => {
+    const pair = insertItemPair("details", "workspace-a", {
+      existingVerificationState: "user_confirmed",
+      candidateVerificationState: "assistant_inferred",
     });
-
-    const askedAt = 1_734_000_000_000;
-    expect(markConflictAsked(conflict.id, askedAt)).toBe(true);
-    const updated = getConflictById(conflict.id);
-    expect(updated?.lastAskedAt).toBe(askedAt);
-    expect(updated?.updatedAt).toBe(askedAt);
-  });
-
-  test("listPendingConflictDetails joins current statements", () => {
-    const pair = insertItemPair("details", "workspace-a");
     createOrUpdatePendingConflict({
       scopeId: "workspace-a",
       existingItemId: pair.existingItemId,
@@ -250,6 +242,8 @@ describe("conflict-store", () => {
     expect(details[0].candidateStatement).toBe("Candidate statement details");
     expect(details[0].existingKind).toBe("fact");
     expect(details[0].candidateKind).toBe("fact");
+    expect(details[0].existingVerificationState).toBe("user_confirmed");
+    expect(details[0].candidateVerificationState).toBe("assistant_inferred");
   });
 
   test("applyConflictResolution keeps candidate and resolves conflict row", () => {

package/src/__tests__/contacts-tools.test.ts

@@ -140,17 +140,14 @@ describe("contact_upsert tool", () => {
     expect(result.isError).toBe(false);
     expect(result.content).toContain("Created contact");
     expect(result.content).toContain("Alice");
-    expect(result.content).toContain("Importance: 0.50");
   });
 
   test("creates a contact with all fields", async () => {
     const result = await executeContactUpsert(
       {
         display_name: "Bob",
-        relationship: "colleague",
-        importance: 0.8,
-        response_expectation: "within_hours",
-        preferred_tone: "professional",
+        notes:
+          "Colleague at Acme Corp, prefers professional tone, responds within hours",
         channels: [
           { type: "email", address: "bob@example.com", is_primary: true },
           { type: "slack", address: "@bob" },
@@ -161,10 +158,7 @@ describe("contact_upsert tool", () => {
 
     expect(result.isError).toBe(false);
     expect(result.content).toContain("Bob");
-    expect(result.content).toContain("colleague");
-    expect(result.content).toContain("0.80");
-    expect(result.content).toContain("within_hours");
-    expect(result.content).toContain("professional");
+    expect(result.content).toContain("Notes: Colleague at Acme Corp");
     expect(result.content).toContain("email: bob@example.com");
     expect(result.content).toContain("slack: @bob");
   });
@@ -185,7 +179,7 @@ describe("contact_upsert tool", () => {
       {
         id: contactId,
         display_name: "Charlie Updated",
-        importance: 0.9,
+        notes: "Updated notes for Charlie",
       },
       ctx,
     );
@@ -193,7 +187,7 @@ describe("contact_upsert tool", () => {
     expect(updateResult.isError).toBe(false);
     expect(updateResult.content).toContain("Updated contact");
     expect(updateResult.content).toContain("Charlie Updated");
-    expect(updateResult.content).toContain("0.90");
+    expect(updateResult.content).toContain("Notes: Updated notes for Charlie");
   });
 
   test("auto-matches by channel address on create", async () => {
@@ -239,36 +233,6 @@ describe("contact_upsert tool", () => {
     expect(result.isError).toBe(true);
     expect(result.content).toContain("display_name is required");
   });
-
-  test("rejects importance out of range", async () => {
-    const result = await executeContactUpsert(
-      {
-        display_name: "Test",
-        importance: 1.5,
-      },
-      ctx,
-    );
-
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain(
-      "importance must be a number between 0 and 1",
-    );
-  });
-
-  test("rejects negative importance", async () => {
-    const result = await executeContactUpsert(
-      {
-        display_name: "Test",
-        importance: -0.1,
-      },
-      ctx,
-    );
-
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain(
-      "importance must be a number between 0 and 1",
-    );
-  });
 });
 
 // ── contact_search ──────────────────────────────────────────────────
@@ -305,23 +269,6 @@ describe("contact_search tool", () => {
     expect(result.content).toContain("Charlie");
   });
 
-  test("searches by relationship", async () => {
-    await executeContactUpsert(
-      { display_name: "Diana", relationship: "friend" },
-      ctx,
-    );
-    await executeContactUpsert(
-      { display_name: "Eve", relationship: "colleague" },
-      ctx,
-    );
-
-    const result = await executeContactSearch({ relationship: "friend" }, ctx);
-
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Diana");
-    expect(result.content).not.toContain("Eve");
-  });
-
   test("returns no results message when nothing matches", async () => {
     await executeContactUpsert({ display_name: "Existing" }, ctx);
 
@@ -380,7 +327,7 @@ describe("contact_merge tool", () => {
     const r1 = await executeContactUpsert(
       {
         display_name: "Alice (Email)",
-        importance: 0.7,
+        notes: "Prefers email",
         channels: [{ type: "email", address: "alice@example.com" }],
       },
       ctx,
@@ -388,7 +335,7 @@ describe("contact_merge tool", () => {
     const r2 = await executeContactUpsert(
       {
         display_name: "Alice (Slack)",
-        importance: 0.9,
+        notes: "Active on Slack",
         channels: [{ type: "slack", address: "@alice" }],
       },
       ctx,
@@ -407,7 +354,7 @@ describe("contact_merge tool", () => {
 
     expect(result.isError).toBe(false);
     expect(result.content).toContain("Merged");
-    expect(result.content).toContain("Importance: 0.90"); // takes higher importance
+    expect(result.content).toContain("Notes: Prefers email\nActive on Slack"); // concatenated notes
     expect(result.content).toContain("email: alice@example.com");
     expect(result.content).toContain("slack: @alice");
 

package/src/__tests__/contradiction-checker.test.ts

@@ -201,7 +201,11 @@ describe("checkContradictions", () => {
     expect(conflicts[0].existingItemId).toBe("item-existing-ambiguous");
     expect(conflicts[0].candidateItemId).toBe("item-candidate-ambiguous");
     expect(conflicts[0].relationship).toBe("ambiguous_contradiction");
-    expect(conflicts[0].clarificationQuestion).toContain(
+    expect(conflicts[0].clarificationQuestion).toContain("Pending conflict:");
+    expect(conflicts[0].clarificationQuestion).not.toContain(
+      "I have conflicting notes",
+    );
+    expect(conflicts[0].clarificationQuestion).not.toContain(
       "Which one is correct?",
     );
   });

package/src/__tests__/dynamic-skill-workflow-prompt.test.ts

@@ -46,6 +46,15 @@ mock.module("../util/logger.js", () => ({
   truncateForLog: (v: string) => v,
 }));
 
+mock.module("../config/loader.js", () => ({
+  getConfig: () => ({
+    sandbox: { enabled: false, backend: "native" },
+    assistantFeatureFlagValues: {
+      "feature_flags.browser.enabled": true,
+    },
+  }),
+}));
+
 const { buildSystemPrompt } = await import("../config/system-prompt.js");
 
 describe("Dynamic Skill Authoring Workflow prompt section", () => {

package/src/__tests__/gateway-only-guard.test.ts

@@ -32,6 +32,7 @@ const ALLOWLIST = new Set([
 
   // --- Documentation and comments that mention the port for explanatory purposes ---
   "AGENTS.md", // documents the gateway-only rule itself
+  "assistant/docs/runbook-trusted-contacts.md", // operator runbook targeting runtime-only /v1/contacts endpoints
   "assistant/src/runtime/middleware/twilio-validation.ts", // comment explaining proxy URL rewriting
 ]);
 

package/src/__tests__/gemini-image-service.test.ts

@@ -137,8 +137,8 @@ describe("generateImage", () => {
       .contents as Array<Record<string, unknown>>;
     const parts = contents[0].parts as Array<Record<string, unknown>>;
 
-    // First part is the text prompt
-    expect(parts[0]).toEqual({ text: "remove background" });
+    // First part is the text prompt (with appended title instruction)
+    expect((parts[0] as { text: string }).text).toContain("remove background");
     // Second part is the source image
     expect(parts[1]).toEqual({
       inlineData: { mimeType: "image/jpeg", data: "srcdata" },

package/src/__tests__/guardian-decision-primitive-canonical.test.ts

@@ -71,7 +71,8 @@ const TEST_PRINCIPAL_ID = "test-principal-id";
 
 function guardianActor(overrides: Partial<ActorContext> = {}): ActorContext {
   return {
-    externalUserId: "guardian-1",
+    actorPrincipalId: TEST_PRINCIPAL_ID,
+    actorExternalUserId: "guardian-1",
     channel: "telegram",
     guardianPrincipalId: TEST_PRINCIPAL_ID,
     ...overrides,
@@ -80,7 +81,8 @@ function guardianActor(overrides: Partial<ActorContext> = {}): ActorContext {
 
 function trustedActor(overrides: Partial<ActorContext> = {}): ActorContext {
   return {
-    externalUserId: undefined,
+    actorPrincipalId: TEST_PRINCIPAL_ID,
+    actorExternalUserId: undefined,
     channel: "desktop",
     guardianPrincipalId: TEST_PRINCIPAL_ID,
     ...overrides,
@@ -254,7 +256,7 @@ describe("applyCanonicalGuardianDecision", () => {
 
     expect(result.applied).toBe(true);
     if (!result.applied) return;
-    // No grant minted because trusted actor has no externalUserId
+    // No grant minted because trusted actor has no actorExternalUserId
     expect(result.grantMinted).toBe(false);
   });
 

package/src/__tests__/guardian-grant-minting.test.ts

@@ -189,9 +189,9 @@ describe("guardian grant minting on tool-approval decisions", () => {
 
   beforeEach(() => {
     resetTables();
-    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue(
-      undefined,
-    );
+    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue({
+      ok: true,
+    });
     composeSpy = spyOn(
       approvalMessageComposer,
       "composeApprovalMessageGenerative",
@@ -593,9 +593,9 @@ describe("approval interception trust-class regression coverage", () => {
 
   beforeEach(() => {
     resetTables();
-    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue(
-      undefined,
-    );
+    deliverSpy = spyOn(gatewayClient, "deliverChannelReply").mockResolvedValue({
+      ok: true,
+    });
     composeSpy = spyOn(
       approvalMessageComposer,
       "composeApprovalMessageGenerative",

package/src/__tests__/guardian-routing-invariants.test.ts

@@ -94,7 +94,8 @@ const TEST_PRINCIPAL_ID = "test-principal-id";
 
 function guardianActor(overrides: Partial<ActorContext> = {}): ActorContext {
   return {
-    externalUserId: "guardian-1",
+    actorPrincipalId: TEST_PRINCIPAL_ID,
+    actorExternalUserId: "guardian-1",
     channel: "telegram",
     guardianPrincipalId: TEST_PRINCIPAL_ID,
     ...overrides,
@@ -103,7 +104,8 @@ function guardianActor(overrides: Partial<ActorContext> = {}): ActorContext {
 
 function trustedActor(overrides: Partial<ActorContext> = {}): ActorContext {
   return {
-    externalUserId: undefined,
+    actorPrincipalId: TEST_PRINCIPAL_ID,
+    actorExternalUserId: undefined,
     channel: "desktop",
     guardianPrincipalId: TEST_PRINCIPAL_ID,
     ...overrides,
@@ -169,22 +171,45 @@ function registerPendingToolApprovalInteraction(
 describe("routing invariant: all decision paths reference applyCanonicalGuardianDecision", () => {
   const srcRoot = resolve(__dirname, "..");
 
-  // The files that constitute decision entrypoints. Each must import
-  // `applyCanonicalGuardianDecision` from the guardian-decision-primitive.
-  const DECISION_ENTRYPOINTS = [
+  // The files that constitute decision entrypoints. Each must reference
+  // `applyCanonicalGuardianDecision` (directly) or `processGuardianDecision`
+  // (shared wrapper that calls applyCanonicalGuardianDecision internally).
+  const DECISION_ENTRYPOINTS: Array<{
+    path: string;
+    symbols: string[];
+  }> = [
     // Inbound channel router (Telegram/SMS/WhatsApp)
-    "runtime/guardian-reply-router.ts",
-    // HTTP API route handler (desktop and API clients)
-    "runtime/routes/guardian-action-routes.ts",
-    // IPC handler (desktop socket clients)
-    "daemon/handlers/guardian-actions.ts",
+    {
+      path: "runtime/guardian-reply-router.ts",
+      symbols: ["applyCanonicalGuardianDecision"],
+    },
+    // HTTP API route handler (desktop and API clients) — uses processGuardianDecision
+    // which is a shared wrapper around applyCanonicalGuardianDecision
+    {
+      path: "runtime/routes/guardian-action-routes.ts",
+      symbols: ["processGuardianDecision"],
+    },
+    // IPC handler (desktop socket clients) — uses processGuardianDecision
+    // which is a shared wrapper around applyCanonicalGuardianDecision
+    {
+      path: "daemon/handlers/guardian-actions.ts",
+      symbols: ["processGuardianDecision"],
+    },
+    // Shared service where processGuardianDecision is defined — must route
+    // through the canonical primitive to complete the chain:
+    // entrypoint → processGuardianDecision → applyCanonicalGuardianDecision
+    {
+      path: "runtime/guardian-action-service.ts",
+      symbols: ["applyCanonicalGuardianDecision"],
+    },
   ];
 
-  for (const relPath of DECISION_ENTRYPOINTS) {
-    test(`${relPath} imports applyCanonicalGuardianDecision`, () => {
+  for (const { path: relPath, symbols } of DECISION_ENTRYPOINTS) {
+    test(`${relPath} imports ${symbols.join(" or ")}`, () => {
       const fullPath = join(srcRoot, relPath);
       const source = readFileSync(fullPath, "utf-8");
-      expect(source).toContain("applyCanonicalGuardianDecision");
+      const found = symbols.some((s) => source.includes(s));
+      expect(found).toBe(true);
     });
   }
 
@@ -1189,13 +1214,13 @@ describe("routing invariant: destination hints do not bypass tool_approval princ
     });
 
     // No pendingRequestIds passed — identity-based fallback uses
-    // actor.externalUserId which does not match any request's
+    // actor.actorExternalUserId which does not match any request's
     // guardianExternalUserId (since it's null).
     const result = await routeGuardianReply(
       replyCtx({
         messageText: "approve",
         channel: "telegram",
-        actor: guardianActor({ externalUserId: "guardian-tg-user" }),
+        actor: guardianActor({ actorExternalUserId: "guardian-tg-user" }),
         conversationId: "conv-guardian-chat",
         // pendingRequestIds: undefined — no delivery hints
         approvalConversationGenerator: undefined,

package/src/__tests__/guardian-verify-setup-skill-regression.test.ts

@@ -107,14 +107,12 @@ describe("guardian-verify-setup skill — voice auto-followup", () => {
         ?.split("## Step 6")[0] ?? "";
     // Must mention rebind guard concept
     expect(pollingSection).toContain("Rebind guard");
-    // Must instruct not to trust the first bound: true in a rebind flow
+    // Must instruct not to trust bound: true alone in a rebind flow
     expect(pollingSection).toContain(
-      "do NOT treat the first `bound: true` poll result as success",
+      "do NOT treat `bound: true` alone as success",
     );
-    // Must reference bound_at timestamp comparison as the primary mechanism
-    expect(pollingSection).toContain("bound_at");
-    // Must have a fallback for when bound_at is unavailable
-    expect(pollingSection).toContain("second poll onward");
+    // Must reference verificationSessionId as the mechanism to detect fresh binding
+    expect(pollingSection).toContain("verificationSessionId");
     // Must clarify non-rebind flows are unaffected
     expect(pollingSection).toContain("Non-rebind flows");
   });

package/src/__tests__/inbound-invite-redemption.test.ts

@@ -90,7 +90,7 @@ mock.module("../runtime/approval-message-composer.js", () => ({
 import { findContactChannel } from "../contacts/contact-store.js";
 import { upsertMember } from "../contacts/contacts-write.js";
 import { getDb, initializeDb, resetDb } from "../memory/db.js";
-import { createInvite, revokeInvite } from "../memory/ingress-invite-store.js";
+import { createInvite, revokeInvite } from "../memory/invite-store.js";
 import { handleChannelInbound } from "../runtime/routes/channel-routes.js";
 
 initializeDb();

package/src/__tests__/integrations-cli.test.ts

@@ -108,7 +108,6 @@ describe("vellum integrations CLI", () => {
 
   afterEach(() => {
     delete process.env.GATEWAY_AUTH_TOKEN;
-    delete process.env.INTERNAL_GATEWAY_BASE_URL;
     process.exitCode = 0;
   });
 
@@ -141,8 +140,8 @@ describe("vellum integrations CLI", () => {
     expect(mintCalls).toBe(1);
   });
 
-  test("prefers INTERNAL_GATEWAY_BASE_URL when it is injected", async () => {
-    process.env.INTERNAL_GATEWAY_BASE_URL = "http://gateway.internal:9900/";
+  test("uses configured gateway base for requests", async () => {
+    gatewayBase = "http://gateway.internal:9900";
     const result = await runCli(["--json", "twilio", "config"], {
       success: true,
     });
@@ -163,28 +162,6 @@ describe("vellum integrations CLI", () => {
     );
   });
 
-  test("passes filters for ingress members (now calls /v1/contacts)", async () => {
-    const result = await runCli(
-      ["--json", "ingress", "members", "--role", "contact", "--limit", "20"],
-      { ok: true, contacts: [] },
-    );
-    expect(result.exitCode).toBe(0);
-    expect(result.fetchCalls[0]?.url).toBe(
-      "http://gateway.test/v1/contacts?role=contact&limit=20",
-    );
-  });
-
-  test("ingress members defaults role to contact", async () => {
-    const result = await runCli(["--json", "ingress", "members"], {
-      ok: true,
-      contacts: [],
-    });
-    expect(result.exitCode).toBe(0);
-    expect(result.fetchCalls[0]?.url).toBe(
-      "http://gateway.test/v1/contacts?role=contact",
-    );
-  });
-
   test("reads ingress config without gateway fetch", async () => {
     rawConfig = {
       ingress: {
@@ -192,7 +169,6 @@ describe("vellum integrations CLI", () => {
         publicBaseUrl: "https://public.example.com",
       },
     };
-    process.env.INTERNAL_GATEWAY_BASE_URL = "http://gateway.internal:9900/";
     const result = await runCli(["--json", "ingress", "config"], { ok: true });
 
     expect(result.exitCode).toBe(0);
@@ -201,7 +177,7 @@ describe("vellum integrations CLI", () => {
       success: true,
       enabled: true,
       publicBaseUrl: "https://public.example.com",
-      localGatewayTarget: "http://gateway.internal:9900",
+      localGatewayTarget: "http://gateway.test",
     });
   });
 

package/src/__tests__/intent-routing.test.ts

@@ -50,6 +50,9 @@ mock.module("../config/loader.js", () => ({
     ui: {},
 
     sandbox: { enabled: false, backend: "local" },
+    assistantFeatureFlagValues: {
+      "feature_flags.guardian-verify-setup.enabled": true,
+    },
   }),
 }));
 

package/src/__tests__/invite-redemption-service.test.ts

@@ -29,7 +29,7 @@ import { getSqlite, initializeDb, resetDb } from "../memory/db.js";
 import {
   createInvite,
   revokeInvite as revokeStoreFn,
-} from "../memory/ingress-invite-store.js";
+} from "../memory/invite-store.js";
 import {
   type InviteRedemptionOutcome,
   redeemInvite,