@vellumai/assistant 0.4.31 → 0.4.32

package/ARCHITECTURE.md

@@ -883,7 +883,7 @@ graph LR
         C5["user_message<br/>text, attachments"]
         C6["confirmation_response<br/>decision"]
         C7["cancel / undo"]
-        C8["model_get / model_set<br/>sandbox_set (deprecated no-op)"]
+        C8["model_get / model_set"]
         C9["ping"]
         C10["ipc_blob_probe<br/>probeId, nonceSha256"]
         C11["work_items_list / work_item_get<br/>work_item_create / work_item_update<br/>work_item_complete / work_item_run_task<br/>(planned)"]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.31",
+  "version": "0.4.32",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"

package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap

@@ -145,13 +145,6 @@ exports[`IPC message snapshots ClientMessage types usage_request serializes to e
 }
 `;
 
-exports[`IPC message snapshots ClientMessage types sandbox_set serializes to expected JSON 1`] = `
-{
-  "enabled": true,
-  "type": "sandbox_set",
-}
-`;
-
 exports[`IPC message snapshots ClientMessage types cu_session_create serializes to expected JSON 1`] = `
 {
   "screenHeight": 1080,

package/src/__tests__/anthropic-provider.test.ts

@@ -8,6 +8,7 @@ import type { Message, ToolDefinition } from "../providers/types.js";
 
 let lastStreamParams: Record<string, unknown> | null = null;
 let _lastStreamOptions: Record<string, unknown> | null = null;
+let lastConstructorArgs: Record<string, unknown> | null = null;
 
 const fakeResponse = {
   content: [{ type: "text", text: "Hello" }],
@@ -33,7 +34,9 @@ class FakeAPIError extends Error {
 mock.module("@anthropic-ai/sdk", () => ({
   default: class MockAnthropic {
     static APIError = FakeAPIError;
-    constructor() {}
+    constructor(args: Record<string, unknown>) {
+      lastConstructorArgs = { ...args };
+    }
     messages = {
       stream: (
         params: Record<string, unknown>,
@@ -127,6 +130,7 @@ describe("AnthropicProvider — Cache-Control Characterization", () => {
   beforeEach(() => {
     lastStreamParams = null;
     _lastStreamOptions = null;
+    lastConstructorArgs = null;
     provider = new AnthropicProvider("sk-ant-test", "claude-sonnet-4-6");
   });
 
@@ -935,3 +939,84 @@ describe("AnthropicProvider — Cache-Control Characterization", () => {
     expect(userMsgs[2].content[1].cache_control).toEqual({ type: "ephemeral" });
   });
 });
+
+// ---------------------------------------------------------------------------
+// Tests — Managed Proxy Fallback
+// ---------------------------------------------------------------------------
+
+describe("AnthropicProvider — Managed Proxy Fallback", () => {
+  beforeEach(() => {
+    lastStreamParams = null;
+    _lastStreamOptions = null;
+    lastConstructorArgs = null;
+  });
+
+  test("constructor passes baseURL to Anthropic SDK when provided", () => {
+    new AnthropicProvider("managed-key", "claude-sonnet-4-6", {
+      baseURL: "https://platform.example.com/v1/runtime-proxy/anthropic",
+    });
+
+    expect(lastConstructorArgs).not.toBeNull();
+    expect(lastConstructorArgs!.apiKey).toBe("managed-key");
+    expect(lastConstructorArgs!.baseURL).toBe(
+      "https://platform.example.com/v1/runtime-proxy/anthropic",
+    );
+  });
+
+  test("constructor does not set baseURL when option is omitted", () => {
+    new AnthropicProvider("sk-ant-user-key", "claude-sonnet-4-6");
+
+    expect(lastConstructorArgs).not.toBeNull();
+    expect(lastConstructorArgs!.apiKey).toBe("sk-ant-user-key");
+    expect(lastConstructorArgs!.baseURL).toBeUndefined();
+  });
+
+  test("managed mode provider preserves tool-pairing behavior", async () => {
+    const provider = new AnthropicProvider("managed-key", "claude-sonnet-4-6", {
+      baseURL: "https://platform.example.com/v1/runtime-proxy/anthropic",
+    });
+
+    const messages: Message[] = [
+      userMsg("Read file"),
+      toolUseMsg("tu_1", "file_read"),
+      toolResultMsg("tu_1", "file contents"),
+    ];
+    await provider.sendMessage(messages);
+
+    const sent = lastStreamParams!.messages as Array<{
+      role: string;
+      content: Array<{ type: string; tool_use_id?: string }>;
+    }>;
+
+    expect(sent).toHaveLength(3);
+    const toolResults = sent[2].content.filter((b) => b.type === "tool_result");
+    expect(toolResults).toHaveLength(1);
+    expect(toolResults[0].tool_use_id).toBe("tu_1");
+  });
+
+  test("managed mode provider preserves cache-control behavior", async () => {
+    const provider = new AnthropicProvider("managed-key", "claude-sonnet-4-6", {
+      baseURL: "https://platform.example.com/v1/runtime-proxy/anthropic",
+    });
+
+    await provider.sendMessage(
+      [userMsg("Hi")],
+      sampleTools,
+      "You are helpful.",
+    );
+
+    // System prompt cache control
+    const system = lastStreamParams!.system as Array<{
+      cache_control?: { type: string };
+    }>;
+    expect(system[0].cache_control).toEqual({ type: "ephemeral" });
+
+    // Last tool cache control
+    const tools = lastStreamParams!.tools as Array<{
+      cache_control?: { type: string };
+    }>;
+    expect(tools[tools.length - 1].cache_control).toEqual({
+      type: "ephemeral",
+    });
+  });
+});

package/src/__tests__/assistant-feature-flags-integration.test.ts

@@ -241,8 +241,8 @@ describe("buildSystemPrompt assistant feature flag filtering", () => {
 
     const result = buildSystemPrompt();
 
-    // browser is declared in the registry with defaultEnabled: false
-    expect(result).not.toContain('id="browser"');
+    // browser is declared in the registry with defaultEnabled: true
+    expect(result).toContain('id="browser"');
   });
 });
 

package/src/__tests__/checker.test.ts

@@ -55,16 +55,16 @@ mock.module("../util/logger.js", () => ({
 }));
 
 // Mutable config object so tests can switch permissions.mode between
-// 'legacy', 'strict', and 'workspace' without re-registering the mock.
+// 'strict' and 'workspace' without re-registering the mock.
 interface TestConfig {
-  permissions: { mode: "legacy" | "strict" | "workspace" };
+  permissions: { mode: "strict" | "workspace" };
   skills: { load: { extraDirs: string[] } };
   sandbox: { enabled: boolean };
   [key: string]: unknown;
 }
 
 const testConfig: TestConfig = {
-  permissions: { mode: "legacy" },
+  permissions: { mode: "workspace" },
   skills: { load: { extraDirs: [] } },
   sandbox: { enabled: true },
 };
@@ -81,7 +81,6 @@ mock.module("../config/loader.js", () => ({
 }));
 
 import {
-  _resetLegacyDeprecationWarning,
   check,
   classifyRisk,
   generateAllowlistOptions,
@@ -169,11 +168,9 @@ describe("Permission Checker", () => {
   beforeEach(() => {
     // Reset trust-store state between tests
     clearCache();
-    // Reset permissions mode to legacy so existing tests are not affected
-    testConfig.permissions = { mode: "legacy" };
+    // Reset permissions mode to workspace (default) so existing tests are not affected
+    testConfig.permissions = { mode: "workspace" };
     testConfig.skills = { load: { extraDirs: [] } };
-    // Reset the one-time legacy deprecation warning flag and captured log calls
-    _resetLegacyDeprecationWarning();
     loggerWarnCalls.length = 0;
     try {
       rmSync(join(checkerTestDir, "protected", "trust.json"));
@@ -684,12 +681,22 @@ describe("Permission Checker", () => {
       expect(result.decision).toBe("allow");
     });
 
-    test("file_write with no rule → prompt", async () => {
+    test("file_write within workspace with no rule → auto-allowed in workspace mode", async () => {
       const result = await check(
         "file_write",
         { path: "/tmp/file.txt" },
         "/tmp",
       );
+      expect(result.decision).toBe("allow");
+      expect(result.reason).toContain("workspace-scoped");
+    });
+
+    test("file_write outside workspace with no rule → prompt", async () => {
+      const result = await check(
+        "file_write",
+        { path: "/etc/some-file.txt" },
+        "/tmp",
+      );
       expect(result.decision).toBe("prompt");
     });
 
@@ -1354,12 +1361,10 @@ describe("Permission Checker", () => {
     });
 
     test("core tool (no origin) still follows risk-based fallback", async () => {
-      // file_read is a core tool with Low risk → should auto-allow as before
-      const result = await check(
-        "file_read",
-        { path: "/tmp/test.txt" },
-        "/tmp",
-      );
+      // file_read is a core tool with Low risk — in workspace mode,
+      // workspace-scoped invocations are auto-allowed before risk fallback.
+      // Use a path outside the workspace to test the risk-based fallback.
+      const result = await check("file_read", { path: "/etc/hosts" }, "/tmp");
       expect(result.decision).toBe("allow");
       expect(result.reason).toContain("Low risk");
     });
@@ -1488,7 +1493,8 @@ describe("Permission Checker", () => {
 
     test("file_write of non-workspace file is not auto-allowed", async () => {
       const otherPath = join(checkerTestDir, "workspace", "OTHER.md");
-      const result = await check("file_write", { path: otherPath }, "/tmp");
+      // Use a workingDir that doesn't contain the path so it's not workspace-scoped
+      const result = await check("file_write", { path: otherPath }, "/home");
       // Medium risk with no matching allow rule → prompt
       expect(result.decision).toBe("prompt");
     });
@@ -2565,7 +2571,7 @@ describe("Permission Checker", () => {
       });
 
       test("legacy mode: file_write to skill source still prompts as High risk", async () => {
-        testConfig.permissions.mode = "legacy";
+        testConfig.permissions.mode = "workspace";
         ensureSkillsDir();
         const skillPath = join(
           checkerTestDir,
@@ -3327,7 +3333,7 @@ describe("Permission Checker", () => {
     });
 
     test("skill_load auto-allows in legacy mode (backward compat)", async () => {
-      testConfig.permissions.mode = "legacy";
+      testConfig.permissions.mode = "workspace";
       const result = await check("skill_load", { skill: "any-skill" }, "/tmp");
       expect(result.decision).toBe("allow");
       // The default allow rule matches before the Low risk fallback
@@ -3850,7 +3856,7 @@ describe("Permission Checker", () => {
 
     describe("Invariant 6: user can set broad rules if they choose", () => {
       test("wildcard allow rule matches any command in legacy mode", async () => {
-        testConfig.permissions.mode = "legacy";
+        testConfig.permissions.mode = "workspace";
         addRule("bash", "*", "everywhere");
         const result = await check(
           "bash",
@@ -4203,7 +4209,7 @@ describe("Permission Checker", () => {
     }
 
     test("browser tools are auto-allowed in legacy mode", async () => {
-      testConfig.permissions = { mode: "legacy" };
+      testConfig.permissions = { mode: "workspace" };
       for (const toolName of browserToolNames) {
         const result = await check(toolName, {}, "/tmp");
         expect(result.decision).toBe("allow");
@@ -4218,7 +4224,7 @@ describe("Permission Checker", () => {
           expect(result.decision).toBe("allow");
         }
       } finally {
-        testConfig.permissions = { mode: "legacy" };
+        testConfig.permissions = { mode: "workspace" };
       }
     });
   });
@@ -4295,7 +4301,7 @@ describe("Permission Checker", () => {
 describe("bash network_mode=proxied — no special-casing", () => {
   beforeEach(() => {
     clearCache();
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
     testConfig.skills = { load: { extraDirs: [] } };
   });
 
@@ -4416,7 +4422,7 @@ describe("computer-use tool permission defaults", () => {
 describe("scope matching behavior", () => {
   beforeEach(() => {
     clearCache();
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
     try {
       rmSync(join(checkerTestDir, "protected", "trust.json"));
     } catch {
@@ -4456,6 +4462,8 @@ describe("scope matching behavior", () => {
   });
 
   test("project-scoped rule does NOT match invocations from sibling directory", async () => {
+    // Use strict mode to test rule-matching isolation without workspace auto-allow
+    testConfig.permissions.mode = "strict";
     const projectDir = "/home/user/my-project";
     // Use a broad pattern that matches any file, scoped to the project
     addRule("file_write", "file_write:*", projectDir);
@@ -4470,6 +4478,8 @@ describe("scope matching behavior", () => {
   });
 
   test("project-scoped rule does NOT match invocations from parent directory", async () => {
+    // Use strict mode to test rule-matching isolation without workspace auto-allow
+    testConfig.permissions.mode = "strict";
     const projectDir = "/home/user/my-project";
     addRule("file_write", "file_write:*", projectDir);
 
@@ -4483,6 +4493,8 @@ describe("scope matching behavior", () => {
   });
 
   test("project-scoped rule does NOT match directory with shared prefix", async () => {
+    // Use strict mode to test rule-matching isolation without workspace auto-allow
+    testConfig.permissions.mode = "strict";
     // A rule for /home/user/project should NOT match /home/user/project-evil
     // (directory-boundary enforcement in matchesScope)
     const projectDir = "/home/user/project";
@@ -4562,7 +4574,7 @@ describe("workspace mode — auto-allow workspace-scoped operations", () => {
   });
 
   afterEach(() => {
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
   });
 
   // ── workspace-scoped file operations auto-allow ──────────────────
@@ -4771,79 +4783,6 @@ describe("workspace mode — auto-allow workspace-scoped operations", () => {
   });
 });
 
-// ── legacy mode deprecation warning ─────────────────────────────────────
-
-describe("legacy mode — deprecation warning", () => {
-  beforeEach(() => {
-    clearCache();
-    _resetLegacyDeprecationWarning();
-    loggerWarnCalls.length = 0;
-    testConfig.permissions = { mode: "legacy" };
-    testConfig.skills = { load: { extraDirs: [] } };
-    try {
-      rmSync(join(checkerTestDir, "protected", "trust.json"));
-    } catch {
-      /* may not exist */
-    }
-  });
-
-  afterEach(() => {
-    testConfig.permissions = { mode: "legacy" };
-  });
-
-  test("emits deprecation warning on first check() call in legacy mode", async () => {
-    await check("file_read", { file_path: "/tmp/test.txt" }, "/tmp");
-    expect(loggerWarnCalls.some((m) => m.includes("deprecated"))).toBe(true);
-    expect(loggerWarnCalls.some((m) => m.includes("legacy"))).toBe(true);
-  });
-
-  test("deprecation warning fires only once per process", async () => {
-    await check("file_read", { file_path: "/tmp/a.txt" }, "/tmp");
-    const firstCount = loggerWarnCalls.filter((m) =>
-      m.includes("deprecated"),
-    ).length;
-    expect(firstCount).toBe(1);
-
-    await check("file_read", { file_path: "/tmp/b.txt" }, "/tmp");
-    const secondCount = loggerWarnCalls.filter((m) =>
-      m.includes("deprecated"),
-    ).length;
-    expect(secondCount).toBe(1);
-  });
-
-  test("no deprecation warning in workspace mode", async () => {
-    testConfig.permissions = { mode: "workspace" };
-    await check("file_read", { file_path: "/tmp/test.txt" }, "/tmp");
-    expect(loggerWarnCalls.some((m) => m.includes("deprecated"))).toBe(false);
-  });
-
-  test("no deprecation warning in strict mode", async () => {
-    testConfig.permissions = { mode: "strict" };
-    await check("file_read", { file_path: "/tmp/test.txt" }, "/tmp");
-    expect(loggerWarnCalls.some((m) => m.includes("deprecated"))).toBe(false);
-  });
-
-  test("legacy mode still produces correct decisions (low risk auto-allowed)", async () => {
-    const result = await check(
-      "file_read",
-      { file_path: "/tmp/test.txt" },
-      "/tmp",
-    );
-    expect(result.decision).toBe("allow");
-    expect(result.reason).toContain("Low risk");
-  });
-
-  test("legacy mode still prompts for medium risk", async () => {
-    const result = await check(
-      "file_write",
-      { file_path: "/tmp/test.txt" },
-      "/tmp",
-    );
-    expect(result.decision).toBe("prompt");
-    expect(result.reason).toContain("risk");
-  });
-});
-
 describe("shell command candidates wiring (PR 04)", () => {
   test("existing raw shell rule still matches", async () => {
     clearCache();
@@ -4896,7 +4835,7 @@ describe("integration regressions (PR 11)", () => {
       /* may not exist */
     }
     clearCache();
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
     testConfig.sandbox = { enabled: true };
   });
 

package/src/__tests__/commit-message-enrichment-service.test.ts

@@ -51,6 +51,14 @@ describe("CommitEnrichmentService", () => {
       /* ignore */
     }
     _resetEnrichmentService();
+
+    // Remove stale index.lock left by async enrichment jobs that ran git
+    // commands concurrently. Without this, the next test's createCommit()
+    // can fail with "Unable to create index.lock: File exists".
+    const lockFile = join(testDir, ".git", "index.lock");
+    if (existsSync(lockFile)) {
+      rmSync(lockFile, { force: true });
+    }
   });
 
   afterAll(async () => {
@@ -78,6 +86,13 @@ describe("CommitEnrichmentService", () => {
   }
 
   async function createCommit(): Promise<string> {
+    // Remove stale index.lock left by async enrichment jobs that ran git
+    // commands concurrently in a previous test. Without this, git add -A
+    // can fail with "Unable to create index.lock: File exists".
+    const lockFile = join(testDir, ".git", "index.lock");
+    if (existsSync(lockFile)) {
+      rmSync(lockFile, { force: true });
+    }
     writeFileSync(join(testDir, `file-${Date.now()}.txt`), "content");
     await gitService.commitChanges("test commit");
     return await gitService.getHeadHash();

package/src/__tests__/config-schema.test.ts

@@ -527,11 +527,12 @@ describe("AssistantConfigSchema", () => {
     expect(result.permissions.mode).toBe("strict");
   });
 
-  test("accepts explicit permissions.mode legacy", () => {
-    const result = AssistantConfigSchema.parse({
-      permissions: { mode: "legacy" },
-    });
-    expect(result.permissions.mode).toBe("legacy");
+  test("rejects permissions.mode legacy", () => {
+    expect(() =>
+      AssistantConfigSchema.parse({
+        permissions: { mode: "legacy" },
+      }),
+    ).toThrow();
   });
 
   test("accepts explicit permissions.mode workspace", () => {

package/src/__tests__/credential-security-invariants.test.ts

@@ -241,6 +241,7 @@ describe("Invariant 2: no generic plaintext secret read API", () => {
       "schedule/integration-status.ts", // integration status checks for scheduled reports
       "daemon/handlers/oauth-connect.ts", // OAuth connect handler for integration setup
       "daemon/handlers/config-slack-channel.ts", // Slack channel config credential management
+      "providers/managed-proxy/context.ts", // managed proxy API key lookup for provider initialization
     ]);
 
     const thisDir = dirname(fileURLToPath(import.meta.url));

package/src/__tests__/daemon-server-session-init.test.ts

@@ -52,7 +52,6 @@ class MockSession {
     | { skipPreMessageRollback?: boolean; isInteractive?: boolean }
     | undefined;
   public updateClientHistory: Array<{ hasNoClient: boolean }> = [];
-  public setSandboxOverrideCalls = 0;
   private stale = false;
   private processing = false;
   public trustContext: Record<string, unknown> | null = null;
@@ -95,9 +94,7 @@ class MockSession {
     return this._currentSender;
   }
 
-  setSandboxOverride(): void {
-    this.setSandboxOverrideCalls += 1;
-  }
+  setSandboxOverride(): void {}
 
   isProcessing(): boolean {
     return this.processing;
@@ -433,21 +430,6 @@ describe("DaemonServer initial session hydration", () => {
     expect(lastCreatedWorkingDir).toBe("/tmp/workspace");
   });
 
-  test("ignores deprecated sandbox_set runtime override messages", async () => {
-    const server = new DaemonServer();
-    const internal = asDaemonServerTestAccess(server);
-    const { socket } = createFakeSocket();
-
-    await internal.sendInitialSession(socket);
-    const session = internal.sessions.get(conversation.id);
-    expect(session).toBeDefined();
-    expect(session!.setSandboxOverrideCalls).toBe(0);
-
-    internal.dispatchMessage({ type: "sandbox_set", enabled: false }, socket);
-
-    expect(session!.setSandboxOverrideCalls).toBe(0);
-  });
-
   test("sendInitialSession includes threadType in session_info", async () => {
     conversation.threadType = "private";
     const server = new DaemonServer();

package/src/__tests__/followup-tools.test.ts

@@ -122,36 +122,6 @@ describe("followup_create tool", () => {
     expect(result.content).toContain("Reminder schedule: sched-abc");
   });
 
-  test("creates a follow-up with deprecated reminder_cron_id alias", async () => {
-    const result = await executeFollowupCreate(
-      {
-        channel: "email",
-        thread_id: "thread-789",
-        reminder_cron_id: "cron-abc",
-      },
-      ctx,
-    );
-
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Reminder schedule: cron-abc");
-  });
-
-  test("reminder_schedule_id takes precedence over reminder_cron_id", async () => {
-    const result = await executeFollowupCreate(
-      {
-        channel: "email",
-        thread_id: "thread-prio",
-        reminder_schedule_id: "sched-wins",
-        reminder_cron_id: "cron-loses",
-      },
-      ctx,
-    );
-
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Reminder schedule: sched-wins");
-    expect(result.content).not.toContain("cron-loses");
-  });
-
   test("rejects missing channel", async () => {
     const result = await executeFollowupCreate(
       {

package/src/__tests__/gemini-provider.test.ts

@@ -30,6 +30,7 @@ interface FakeChunk {
 
 let fakeChunks: FakeChunk[] = [];
 let lastStreamParams: Record<string, unknown> | null = null;
+let lastConstructorOpts: Record<string, unknown> | null = null;
 let shouldThrow: Error | null = null;
 
 class FakeApiError extends Error {
@@ -43,7 +44,9 @@ class FakeApiError extends Error {
 
 mock.module("@google/genai", () => ({
   GoogleGenAI: class MockGoogleGenAI {
-    constructor(_opts: Record<string, unknown>) {}
+    constructor(opts: Record<string, unknown>) {
+      lastConstructorOpts = opts;
+    }
     models = {
       generateContentStream: async (params: Record<string, unknown>) => {
         lastStreamParams = params;
@@ -108,6 +111,7 @@ describe("GeminiProvider", () => {
     provider = new GeminiProvider("test-api-key", "gemini-3-flash");
     fakeChunks = [];
     lastStreamParams = null;
+    lastConstructorOpts = null;
     shouldThrow = null;
   });
 
@@ -726,4 +730,78 @@ describe("GeminiProvider", () => {
 
     expect(result.usage).toEqual({ inputTokens: 0, outputTokens: 0 });
   });
+
+  // -----------------------------------------------------------------------
+  // Managed transport — constructor configuration
+  // -----------------------------------------------------------------------
+  test("does not set httpOptions when managedBaseUrl is not provided", () => {
+    new GeminiProvider("test-key", "gemini-3-flash");
+    expect(lastConstructorOpts).toEqual({ apiKey: "test-key" });
+  });
+
+  test("sets httpOptions.baseUrl when managedBaseUrl is provided", () => {
+    new GeminiProvider("managed-key", "gemini-3-flash", {
+      managedBaseUrl: "https://platform.example.com/v1/runtime-proxy/gemini",
+    });
+    expect(lastConstructorOpts).toEqual({
+      apiKey: "managed-key",
+      httpOptions: {
+        baseUrl: "https://platform.example.com/v1/runtime-proxy/gemini",
+      },
+    });
+  });
+
+  test("managed transport produces same ProviderResponse shape", async () => {
+    const managedProvider = new GeminiProvider(
+      "managed-key",
+      "gemini-3-flash",
+      {
+        managedBaseUrl: "https://platform.example.com/v1/runtime-proxy/gemini",
+      },
+    );
+
+    fakeChunks = [textChunk("Hello from managed"), finishChunk("STOP", 15, 8)];
+
+    const result = await managedProvider.sendMessage([
+      { role: "user", content: [{ type: "text", text: "Hi" }] },
+    ]);
+
+    expect(result.content).toHaveLength(1);
+    expect(result.content[0]).toEqual({
+      type: "text",
+      text: "Hello from managed",
+    });
+    expect(result.model).toBe("gemini-3-flash-001");
+    expect(result.usage).toEqual({ inputTokens: 15, outputTokens: 8 });
+    expect(result.stopReason).toBe("STOP");
+  });
+
+  test("managed transport handles tool calls correctly", async () => {
+    const managedProvider = new GeminiProvider(
+      "managed-key",
+      "gemini-3-flash",
+      {
+        managedBaseUrl: "https://platform.example.com/v1/runtime-proxy/gemini",
+      },
+    );
+
+    fakeChunks = [
+      functionCallChunk([
+        { id: "call_managed", name: "file_read", args: { path: "/tmp/test" } },
+      ]),
+      finishChunk("STOP", 10, 15),
+    ];
+
+    const result = await managedProvider.sendMessage([
+      { role: "user", content: [{ type: "text", text: "Read /tmp/test" }] },
+    ]);
+
+    expect(result.content).toHaveLength(1);
+    expect(result.content[0]).toEqual({
+      type: "tool_use",
+      id: "call_managed",
+      name: "file_read",
+      input: { path: "/tmp/test" },
+    });
+  });
 });