npm - @vellumai/assistant - Versions diffs - 0.4.34 → 0.4.36 - Mend

@vellumai/assistant 0.4.34 → 0.4.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (251) hide show

package/AGENTS.md +1 -1
package/ARCHITECTURE.md +44 -49
package/README.md +32 -20
package/docs/architecture/keychain-broker.md +186 -0
package/docs/architecture/security.md +110 -116
package/docs/runbook-trusted-contacts.md +2 -2
package/docs/skills.md +25 -25
package/package.json +4 -1
package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap +11 -2
package/src/__tests__/actor-token-service.test.ts +1 -0
package/src/__tests__/amazon-cdp-integration.test.ts +74 -0
package/src/__tests__/assistant-feature-flags-integration.test.ts +38 -9
package/src/__tests__/assistant-id-boundary-guard.test.ts +91 -43
package/src/__tests__/browser-fill-credential.test.ts +1 -1
package/src/__tests__/bundle-scanner.test.ts +1 -1
package/src/__tests__/channel-guardian.test.ts +102 -102
package/src/__tests__/channel-invite-transport.test.ts +155 -256
package/src/__tests__/channel-readiness-routes.test.ts +336 -0
package/src/__tests__/checker.test.ts +6 -6
package/src/__tests__/chrome-cdp.test.ts +350 -0
package/src/__tests__/computer-use-session-lifecycle.test.ts +3 -3
package/src/__tests__/computer-use-session-working-dir.test.ts +86 -52
package/src/__tests__/computer-use-skill-lifecycle-cleanup.test.ts +1 -1
package/src/__tests__/config-loader-migration.test.ts +85 -0
package/src/__tests__/conversation-pairing.test.ts +370 -5
package/src/__tests__/credential-broker-browser-fill.test.ts +1 -10
package/src/__tests__/credential-broker-server-use.test.ts +1 -10
package/src/__tests__/credential-security-e2e.test.ts +7 -1
package/src/__tests__/credential-security-invariants.test.ts +14 -20
package/src/__tests__/credential-vault-unit.test.ts +1 -11
package/src/__tests__/credential-vault.test.ts +5 -19
package/src/__tests__/credentials-cli.test.ts +806 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +23 -4
package/src/__tests__/email-invite-adapter.test.ts +78 -0
package/src/__tests__/email-service-config-fallback.test.ts +102 -0
package/src/__tests__/encrypted-store.test.ts +6 -6
package/src/__tests__/ephemeral-permissions.test.ts +3 -3
package/src/__tests__/gateway-only-enforcement.test.ts +5 -1
package/src/__tests__/guardian-actions-endpoint.test.ts +70 -12
package/src/__tests__/guardian-outbound-http.test.ts +53 -47
package/src/__tests__/handle-user-message-secret-resume.test.ts +23 -0
package/src/__tests__/handlers-add-trust-rule-metadata.test.ts +32 -23
package/src/__tests__/handlers-telegram-config.test.ts +8 -2
package/src/__tests__/handlers-twitter-config.test.ts +2 -2
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +108 -7
package/src/__tests__/ingress-reconcile.test.ts +6 -0
package/src/__tests__/intent-routing.test.ts +23 -4
package/src/__tests__/invite-routes-http.test.ts +12 -0
package/src/__tests__/ipc-snapshot.test.ts +8 -2
package/src/__tests__/keychain-broker-client.test.ts +543 -0
package/src/__tests__/llm-usage-store.test.ts +344 -0
package/src/__tests__/mcp-client-auth.test.ts +2 -2
package/src/__tests__/media-reuse-story.e2e.test.ts +1 -1
package/src/__tests__/migration-transport.test.ts +49 -0
package/src/__tests__/notification-broadcaster.test.ts +205 -5
package/src/__tests__/notification-deep-link.test.ts +365 -1
package/src/__tests__/oauth-connect-handler.test.ts +2 -2
package/src/__tests__/onboarding-starter-tasks.test.ts +17 -4
package/src/__tests__/proxy-approval-callback.test.ts +1 -1
package/src/__tests__/recording-handler.test.ts +1 -1
package/src/__tests__/recording-intent-handler.test.ts +6 -1
package/src/__tests__/recording-state-machine.test.ts +1 -1
package/src/__tests__/relay-server.test.ts +9 -1
package/src/__tests__/ride-shotgun-handler.test.ts +499 -0
package/src/__tests__/runtime-attachment-metadata.test.ts +160 -1
package/src/__tests__/script-proxy-injection-runtime.test.ts +299 -2
package/src/__tests__/script-proxy-profile-template-fallback.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +8 -2
package/src/__tests__/secure-keys.test.ts +175 -216
package/src/__tests__/session-confirmation-signals.test.ts +1 -1
package/src/__tests__/session-messaging-secret-redirect.test.ts +1 -1
package/src/__tests__/session-queue.test.ts +2 -1
package/src/__tests__/session-tool-setup-app-refresh.test.ts +2 -2
package/src/__tests__/skill-feature-flags-integration.test.ts +29 -4
package/src/__tests__/skill-feature-flags.test.ts +12 -9
package/src/__tests__/skill-load-feature-flag.test.ts +26 -5
package/src/__tests__/skill-projection.benchmark.test.ts +0 -1
package/src/__tests__/skills.test.ts +34 -4
package/src/__tests__/slack-channel-config.test.ts +2 -2
package/src/__tests__/system-prompt.test.ts +26 -4
package/src/__tests__/telegram-bot-username-resolution.test.ts +212 -0
package/src/__tests__/telegram-invite-adapter.test.ts +164 -0
package/src/__tests__/tool-execution-pipeline.benchmark.test.ts +1 -1
package/src/__tests__/tool-permission-simulate-handler.test.ts +8 -2
package/src/__tests__/trusted-contact-approval-notifier.test.ts +9 -1
package/src/__tests__/twitter-auth-handler.test.ts +2 -2
package/src/__tests__/twitter-oauth-client.test.ts +1 -1
package/src/__tests__/usage-routes.test.ts +339 -0
package/src/__tests__/whatsapp-invite-adapter.test.ts +94 -0
package/src/agent/loop.ts +3 -0
package/src/amazon/checkout.ts +0 -1
package/src/approvals/guardian-request-resolvers.ts +9 -1
package/src/bundler/app-bundler.ts +28 -12
package/src/bundler/bundle-scanner.ts +1 -1
package/src/bundler/bundle-signer.ts +3 -3
package/src/bundler/manifest.ts +1 -1
package/src/bundler/signature-verifier.ts +3 -3
package/src/channels/config.ts +1 -1
package/src/cli/AGENTS.md +63 -0
package/src/cli/__tests__/notifications.test.ts +470 -0
package/src/cli/amazon.ts +344 -167
package/src/cli/audit.ts +85 -0
package/src/cli/autonomy.ts +369 -0
package/src/cli/channels.ts +51 -0
package/src/cli/completions.ts +208 -0
package/src/cli/config.ts +220 -0
package/src/cli/contacts.ts +471 -0
package/src/cli/credentials.ts +564 -0
package/src/cli/default-action.ts +14 -0
package/src/cli/dev.ts +131 -0
package/src/cli/doctor.ts +398 -0
package/src/cli/email.ts +491 -0
package/src/cli/influencer.ts +72 -0
package/src/cli/integrations.ts +248 -57
package/src/cli/keys.ts +114 -0
package/src/cli/map.ts +46 -54
package/src/cli/mcp.ts +111 -3
package/src/cli/{config-commands.ts → memory.ts} +133 -242
package/src/cli/notifications.ts +407 -0
package/src/cli/program.ts +65 -0
package/src/cli/reference.ts +48 -0
package/src/cli/sequence.ts +154 -0
package/src/cli/sessions.ts +262 -0
package/src/cli/trust.ts +177 -0
package/src/cli/twitter.ts +323 -106
package/src/config/__tests__/build-cli-reference-section.test.ts +49 -0
package/src/config/bundled-skills/amazon/SKILL.md +2 -2
package/src/config/bundled-skills/app-builder/TOOLS.json +26 -0
package/src/config/bundled-skills/app-builder/tools/app-generate-icon.ts +13 -0
package/src/config/bundled-skills/contacts/SKILL.md +178 -10
package/src/config/bundled-skills/doordash/doordash-cli.ts +23 -168
package/src/config/bundled-skills/google-oauth-setup/SKILL.md +175 -145
package/src/config/bundled-skills/messaging/tools/shared.ts +4 -1
package/src/config/bundled-skills/twilio-setup/SKILL.md +70 -17
package/src/config/bundled-tool-registry.ts +2 -0
package/src/config/core-schema.ts +7 -0
package/src/config/feature-flag-registry.json +16 -0
package/src/config/loader.ts +26 -0
package/src/config/schema.ts +4 -0
package/src/config/skill-state.ts +0 -13
package/src/config/system-prompt.ts +27 -0
package/src/contacts/contact-store.ts +25 -0
package/src/daemon/computer-use-session.ts +1 -1
package/src/daemon/handlers/apps.ts +1 -0
package/src/daemon/handlers/config-channels.ts +3 -3
package/src/daemon/handlers/config-dispatch.ts +29 -0
package/src/daemon/handlers/config-inbox.ts +4 -3
package/src/daemon/handlers/config.ts +3 -43
package/src/daemon/handlers/contacts.ts +34 -0
package/src/daemon/handlers/index.ts +17 -3
package/src/daemon/handlers/session-user-message.ts +7 -0
package/src/daemon/handlers/sessions.ts +21 -2
package/src/daemon/handlers/shared.ts +17 -0
package/src/daemon/ipc-contract/apps.ts +2 -0
package/src/daemon/ipc-contract/computer-use.ts +9 -0
package/src/daemon/ipc-contract/contacts.ts +3 -3
package/src/daemon/ipc-contract/inbox.ts +2 -0
package/src/daemon/ipc-contract/messages.ts +4 -0
package/src/daemon/ipc-contract/sessions.ts +8 -0
package/src/daemon/ipc-contract-inventory.json +1 -0
package/src/daemon/lifecycle.ts +0 -5
package/src/daemon/ride-shotgun-handler.ts +139 -25
package/src/daemon/session-agent-loop-handlers.ts +100 -0
package/src/daemon/session-agent-loop.ts +72 -0
package/src/daemon/session-tool-setup.ts +7 -0
package/src/daemon/session.ts +23 -1
package/src/daemon/tool-side-effects.ts +39 -1
package/src/email/service.ts +59 -2
package/src/index.ts +2 -60
package/src/mcp/mcp-oauth-provider.ts +90 -8
package/src/media/app-icon-generator.ts +86 -0
package/src/memory/db-init.ts +12 -1
package/src/memory/llm-usage-store.ts +186 -0
package/src/memory/migrations/026-guardian-verification-sessions.ts +28 -9
package/src/memory/migrations/027a-guardian-bootstrap-token.ts +16 -3
package/src/memory/migrations/038-actor-token-records.ts +8 -1
package/src/memory/migrations/039-actor-refresh-token-records.ts +11 -2
package/src/memory/migrations/110-channel-guardian.ts +27 -6
package/src/memory/migrations/112-assistant-inbox.ts +39 -15
package/src/memory/migrations/114-notifications.ts +37 -15
package/src/memory/migrations/117-conversation-attention.ts +33 -9
package/src/memory/migrations/137-usage-dashboard-indexes.ts +26 -0
package/src/memory/migrations/139-drop-usage-composite-indexes.ts +30 -0
package/src/memory/migrations/index.ts +2 -0
package/src/memory/migrations/schema-introspection.ts +18 -0
package/src/memory/schema-migration.ts +1 -0
package/src/memory/shared-app-links-store.ts +1 -1
package/src/messaging/registry.ts +27 -0
package/src/notifications/README.md +79 -70
package/src/notifications/broadcaster.ts +2 -1
package/src/notifications/conversation-pairing.ts +147 -13
package/src/notifications/copy-composer.ts +7 -3
package/src/notifications/destination-resolver.ts +14 -1
package/src/notifications/emit-signal.ts +3 -2
package/src/notifications/signal.ts +105 -1
package/src/notifications/types.ts +16 -0
package/src/permissions/checker.ts +29 -3
package/src/permissions/prompter.ts +11 -3
package/src/runtime/access-request-helper.ts +2 -1
package/src/runtime/auth/route-policy.ts +7 -1
package/src/runtime/channel-invite-transport.ts +40 -63
package/src/runtime/channel-invite-transports/email.ts +13 -39
package/src/runtime/channel-invite-transports/slack.ts +5 -34
package/src/runtime/channel-invite-transports/sms.ts +8 -29
package/src/runtime/channel-invite-transports/telegram.ts +69 -28
package/src/runtime/channel-invite-transports/voice.ts +0 -7
package/src/runtime/channel-invite-transports/whatsapp.ts +43 -0
package/src/runtime/channel-readiness-service.ts +202 -45
package/src/runtime/confirmation-request-guardian-bridge.ts +2 -1
package/src/runtime/guardian-outbound-actions.ts +8 -5
package/src/runtime/http-server.ts +5 -9
package/src/runtime/http-types.ts +13 -1
package/src/runtime/invite-instruction-generator.ts +178 -0
package/src/runtime/invite-service.ts +22 -25
package/src/runtime/migrations/migration-transport.ts +13 -0
package/src/runtime/routes/app-routes.ts +1 -1
package/src/runtime/routes/approval-strategies/guardian-callback-strategy.ts +8 -7
package/src/runtime/routes/channel-readiness-routes.ts +30 -11
package/src/runtime/routes/contact-routes.ts +54 -26
package/src/runtime/routes/guardian-bootstrap-routes.ts +1 -1
package/src/runtime/routes/inbound-stages/bootstrap-intercept.ts +1 -1
package/src/runtime/routes/inbound-stages/escalation-intercept.ts +2 -1
package/src/runtime/routes/inbound-stages/verification-intercept.ts +2 -1
package/src/runtime/routes/integration-routes.ts +1 -1
package/src/runtime/routes/invite-routes.ts +1 -1
package/src/runtime/routes/secret-routes.ts +31 -7
package/src/runtime/routes/surface-content-routes.ts +104 -0
package/src/runtime/routes/twilio-routes.ts +32 -1
package/src/runtime/routes/usage-routes.ts +114 -0
package/src/runtime/tool-grant-request-helper.ts +2 -1
package/src/security/encrypted-store.ts +9 -5
package/src/security/keychain-broker-client.ts +393 -0
package/src/security/secure-keys.ts +106 -321
package/src/tools/apps/executors.ts +73 -0
package/src/tools/browser/auto-navigate.ts +15 -6
package/src/tools/browser/chrome-cdp.ts +211 -0
package/src/tools/browser/network-recorder.test.ts +83 -0
package/src/tools/browser/network-recorder.ts +8 -7
package/src/tools/browser/x-auto-navigate.ts +12 -6
package/src/tools/credentials/policy-types.ts +24 -0
package/src/tools/credentials/vault.ts +22 -27
package/src/tools/network/script-proxy/session-manager.ts +47 -3
package/src/tools/permission-checker.ts +1 -0
package/src/tools/types.ts +2 -0
package/src/tools/ui-surface/definitions.ts +1 -2
package/src/tools/watch/watch-state.ts +2 -0
package/src/__tests__/key-migration.test.ts +0 -240
package/src/__tests__/keychain.test.ts +0 -286
package/src/cli/core-commands.ts +0 -899
package/src/security/keychain-to-encrypted-migration.ts +0 -66
package/src/security/keychain.ts +0 -490

package/src/__tests__/channel-readiness-routes.test.ts ADDED Viewed

@@ -0,0 +1,336 @@
+/**
+ * Tests that the channel readiness service returns real readiness snapshots
+ * for email and WhatsApp channels (not unsupported placeholders).
+ *
+ * Uses the same mock approach as channel-readiness-service.test.ts but
+ * exercises the createReadinessService factory to verify probe registration.
+ */
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+// ---------------------------------------------------------------------------
+// Mocks — must be set up before importing the service
+// ---------------------------------------------------------------------------
+let mockTwilioPhoneNumberEnv: string | undefined;
+let mockRawConfig: Record<string, unknown> | undefined;
+let mockSecureKeys: Record<string, string>;
+let mockHasTwilioCredentials: boolean;
+let mockPrimaryInboxAddress: string | undefined;
+mock.module("../calls/twilio-rest.js", () => ({
+  hasTwilioCredentials: () => mockHasTwilioCredentials,
+  getPhoneNumberSid: async () => null,
+  getTollFreeVerificationStatus: async () => null,
+}));
+mock.module("../config/env.js", () => ({
+  getTwilioPhoneNumberEnv: () => mockTwilioPhoneNumberEnv,
+}));
+mock.module("../config/loader.js", () => ({
+  loadRawConfig: () => mockRawConfig,
+  getConfig: () => {
+    const raw = mockRawConfig ?? {};
+    const wa = (raw.whatsapp ?? {}) as Record<string, unknown>;
+    return { whatsapp: { phoneNumber: (wa.phoneNumber as string) ?? "" } };
+  },
+  invalidateConfigCache: () => {},
+}));
+mock.module("../security/secure-keys.js", () => ({
+  getSecureKey: (key: string) => mockSecureKeys[key] ?? null,
+}));
+mock.module("../email/service.js", () => ({
+  getEmailService: () => ({
+    getPrimaryInboxAddress: async () => mockPrimaryInboxAddress,
+  }),
+}));
+// ---------------------------------------------------------------------------
+// Import under test
+// ---------------------------------------------------------------------------
+import { createReadinessService } from "../runtime/channel-readiness-service.js";
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("channel readiness routes — email and WhatsApp probes", () => {
+  beforeEach(() => {
+    mockTwilioPhoneNumberEnv = undefined;
+    mockRawConfig = undefined;
+    mockSecureKeys = {};
+    mockHasTwilioCredentials = false;
+    mockPrimaryInboxAddress = undefined;
+  });
+  // -------------------------------------------------------------------------
+  // Email probe
+  // -------------------------------------------------------------------------
+  describe("email", () => {
+    test("returns real readiness snapshot (not unsupported)", async () => {
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("email");
+      expect(snapshot.channel).toBe("email");
+      // Should have real local checks, not the unsupported placeholder
+      expect(snapshot.localChecks.length).toBeGreaterThan(0);
+      expect(
+        snapshot.reasons.some((r) => r.code === "unsupported_channel"),
+      ).toBe(false);
+    });
+    test("reports not ready when AgentMail API key is missing", async () => {
+      mockRawConfig = {};
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("email");
+      expect(snapshot.ready).toBe(false);
+      expect(snapshot.reasons.some((r) => r.code === "agentmail_api_key")).toBe(
+        true,
+      );
+    });
+    test("checks invite policy", async () => {
+      mockSecureKeys = { agentmail: "test-key" };
+      mockRawConfig = {
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("email");
+      const inviteCheck = snapshot.localChecks.find(
+        (c) => c.name === "invite_policy",
+      );
+      expect(inviteCheck).toBeDefined();
+      // Email has codeRedemptionEnabled: true in the channel policy registry
+      expect(inviteCheck!.passed).toBe(true);
+    });
+    test("checks ingress configuration", async () => {
+      mockSecureKeys = { agentmail: "test-key" };
+      mockRawConfig = {};
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("email");
+      const ingressCheck = snapshot.localChecks.find(
+        (c) => c.name === "ingress",
+      );
+      expect(ingressCheck).toBeDefined();
+      expect(ingressCheck!.passed).toBe(false);
+    });
+    test("ready when all prerequisites are met (including inbox)", async () => {
+      mockSecureKeys = { agentmail: "test-key" };
+      mockRawConfig = {
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      mockPrimaryInboxAddress = "hello@example.agentmail.to";
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("email", true);
+      expect(snapshot.ready).toBe(true);
+      expect(snapshot.reasons).toHaveLength(0);
+    });
+    test("not ready when inbox is missing (remote check)", async () => {
+      mockSecureKeys = { agentmail: "test-key" };
+      mockRawConfig = {
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      mockPrimaryInboxAddress = undefined;
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("email", true);
+      expect(snapshot.ready).toBe(false);
+      expect(snapshot.reasons.some((r) => r.code === "inbox_configured")).toBe(
+        true,
+      );
+    });
+    test("local-only readiness still passes without inbox check", async () => {
+      mockSecureKeys = { agentmail: "test-key" };
+      mockRawConfig = {
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      // No inbox configured — explicitly opt out of remote checks
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("email", false);
+      // Local checks pass — remote inbox check is not included
+      expect(snapshot.ready).toBe(true);
+    });
+  });
+  // -------------------------------------------------------------------------
+  // WhatsApp probe — Meta WhatsApp Business API credentials
+  // -------------------------------------------------------------------------
+  describe("whatsapp", () => {
+    test("returns real readiness snapshot (not unsupported)", async () => {
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("whatsapp");
+      expect(snapshot.channel).toBe("whatsapp");
+      expect(snapshot.localChecks.length).toBeGreaterThan(0);
+      expect(
+        snapshot.reasons.some((r) => r.code === "unsupported_channel"),
+      ).toBe(false);
+    });
+    test("reports not ready when Meta credentials are missing", async () => {
+      mockRawConfig = {};
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("whatsapp");
+      expect(snapshot.ready).toBe(false);
+      expect(
+        snapshot.reasons.some((r) => r.code === "whatsapp_phone_number_id"),
+      ).toBe(true);
+      expect(
+        snapshot.reasons.some((r) => r.code === "whatsapp_access_token"),
+      ).toBe(true);
+    });
+    test("reports ready when all Meta credentials and display number are configured", async () => {
+      mockSecureKeys = {
+        "credential:whatsapp:phone_number_id": "123456789",
+        "credential:whatsapp:access_token": "EAAxxxxxx",
+        "credential:whatsapp:app_secret": "abc123",
+        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+      };
+      mockRawConfig = {
+        whatsapp: { phoneNumber: "+15551234567" },
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("whatsapp");
+      expect(snapshot.ready).toBe(true);
+      expect(snapshot.reasons).toHaveLength(0);
+    });
+    test("reports not ready when display phone number is missing", async () => {
+      mockSecureKeys = {
+        "credential:whatsapp:phone_number_id": "123456789",
+        "credential:whatsapp:access_token": "EAAxxxxxx",
+        "credential:whatsapp:app_secret": "abc123",
+        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+      };
+      mockRawConfig = {
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("whatsapp");
+      expect(snapshot.ready).toBe(false);
+      expect(
+        snapshot.reasons.some(
+          (r) => r.code === "whatsapp_display_phone_number",
+        ),
+      ).toBe(true);
+    });
+    test("checks each Meta credential individually", async () => {
+      mockSecureKeys = {
+        "credential:whatsapp:phone_number_id": "123456789",
+        // access_token missing
+        "credential:whatsapp:app_secret": "abc123",
+        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+      };
+      mockRawConfig = {
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("whatsapp");
+      expect(snapshot.ready).toBe(false);
+      const phoneIdCheck = snapshot.localChecks.find(
+        (c) => c.name === "whatsapp_phone_number_id",
+      );
+      expect(phoneIdCheck!.passed).toBe(true);
+      const accessTokenCheck = snapshot.localChecks.find(
+        (c) => c.name === "whatsapp_access_token",
+      );
+      expect(accessTokenCheck!.passed).toBe(false);
+      const appSecretCheck = snapshot.localChecks.find(
+        (c) => c.name === "whatsapp_app_secret",
+      );
+      expect(appSecretCheck!.passed).toBe(true);
+      const webhookCheck = snapshot.localChecks.find(
+        (c) => c.name === "whatsapp_webhook_verify_token",
+      );
+      expect(webhookCheck!.passed).toBe(true);
+    });
+    test("checks invite policy", async () => {
+      mockSecureKeys = {
+        "credential:whatsapp:phone_number_id": "123456789",
+        "credential:whatsapp:access_token": "EAAxxxxxx",
+        "credential:whatsapp:app_secret": "abc123",
+        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+      };
+      mockRawConfig = {
+        whatsapp: { phoneNumber: "+15551234567" },
+        ingress: { publicBaseUrl: "https://example.com", enabled: true },
+      };
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("whatsapp");
+      const inviteCheck = snapshot.localChecks.find(
+        (c) => c.name === "invite_policy",
+      );
+      expect(inviteCheck).toBeDefined();
+      expect(inviteCheck!.passed).toBe(true);
+    });
+    test("checks ingress configuration", async () => {
+      mockSecureKeys = {
+        "credential:whatsapp:phone_number_id": "123456789",
+        "credential:whatsapp:access_token": "EAAxxxxxx",
+        "credential:whatsapp:app_secret": "abc123",
+        "credential:whatsapp:webhook_verify_token": "my-verify-token",
+      };
+      mockRawConfig = {
+        whatsapp: { phoneNumber: "+15551234567" },
+      };
+      const service = createReadinessService();
+      const [snapshot] = await service.getReadiness("whatsapp");
+      const ingressCheck = snapshot.localChecks.find(
+        (c) => c.name === "ingress",
+      );
+      expect(ingressCheck).toBeDefined();
+      expect(ingressCheck!.passed).toBe(false);
+    });
+  });
+  // -------------------------------------------------------------------------
+  // Factory coverage — all channels registered
+  // -------------------------------------------------------------------------
+  describe("createReadinessService factory", () => {
+    test("registers probes for all deliverable channels including email and whatsapp", async () => {
+      const service = createReadinessService();
+      const snapshots = await service.getReadiness();
+      const channels = snapshots.map((s) => s.channel).sort();
+      expect(channels).toContain("email");
+      expect(channels).toContain("whatsapp");
+      // None should be unsupported placeholders
+      for (const s of snapshots) {
+        expect(s.reasons.some((r) => r.code === "unsupported_channel")).toBe(
+          false,
+        );
+      }
+    });
+  });
+});

package/src/__tests__/checker.test.ts CHANGED Viewed

@@ -2570,7 +2570,7 @@ describe("Permission Checker", () => {
         expect(result.reason).toContain("Strict mode");
       });
-      test("legacy mode: file_write to skill source still prompts as High risk", async () => {
+      test("workspace mode: file_write to skill source still prompts as High risk", async () => {
         testConfig.permissions.mode = "workspace";
         ensureSkillsDir();
         const skillPath = join(
@@ -2996,7 +2996,7 @@ describe("Permission Checker", () => {
       ensureSkillsDir();
       writeSkill("test-hash-skill", "Test Hash Skill");
-      // skill_load is Low risk, so with no trust rule in legacy mode it
+      // skill_load is Low risk, so with no trust rule in workspace mode it
       // auto-allows. We set strict mode and add specific rules to verify
       // the correct candidates are generated.
       testConfig.permissions.mode = "strict";
@@ -3332,7 +3332,7 @@ describe("Permission Checker", () => {
       expect(result.matchedRule!.pattern).toBe("skill_load:pr34-bare-id");
     });
-    test("skill_load auto-allows in legacy mode (backward compat)", async () => {
+    test("skill_load auto-allows in workspace mode", async () => {
       testConfig.permissions.mode = "workspace";
       const result = await check("skill_load", { skill: "any-skill" }, "/tmp");
       expect(result.decision).toBe("allow");
@@ -3855,7 +3855,7 @@ describe("Permission Checker", () => {
     //    high-risk allow) if they choose. ────────────────────────────
     describe("Invariant 6: user can set broad rules if they choose", () => {
-      test("wildcard allow rule matches any command in legacy mode", async () => {
+      test("wildcard allow rule matches any command in workspace mode", async () => {
         testConfig.permissions.mode = "workspace";
         addRule("bash", "*", "everywhere");
         const result = await check(
@@ -4208,7 +4208,7 @@ describe("Permission Checker", () => {
       });
     }
-    test("browser tools are auto-allowed in legacy mode", async () => {
+    test("browser tools are auto-allowed in workspace mode", async () => {
       testConfig.permissions = { mode: "workspace" };
       for (const toolName of browserToolNames) {
         const result = await check(toolName, {}, "/tmp");
@@ -4404,7 +4404,7 @@ describe("computer-use tool permission defaults", () => {
     for (const name of cuToolNames) {
       const risk = await classifyRisk(name, {});
       // CU tools are proxy tools with RiskLevel.Low, but classifyRisk looks them up
-      // in the registry. In legacy mode, Low risk tools are auto-allowed.
+      // in the registry. In workspace mode, Low risk tools are auto-allowed.
       expect(risk).toBe(RiskLevel.Low);
     }
   });