@vellumai/assistant 0.4.46 → 0.4.49

package/src/__tests__/conversation-routes-guardian-reply.test.ts

@@ -171,6 +171,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       hasPendingConfirmation: () => false,
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
     } as unknown as import("../daemon/session.js").Session;
 
     const req = new Request("http://localhost/v1/messages", {
@@ -246,6 +247,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       hasPendingConfirmation: () => false,
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
     } as unknown as import("../daemon/session.js").Session;
 
     const req = new Request("http://localhost/v1/messages", {
@@ -317,6 +319,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
         requestId === "tool-approval-live",
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
     } as unknown as import("../daemon/session.js").Session;
 
     const req = new Request("http://localhost/v1/messages", {
@@ -392,6 +395,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       hasPendingConfirmation: (id: string) => id === "tool-req-code-1",
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
     } as unknown as import("../daemon/session.js").Session;
 
     const req = new Request("http://localhost/v1/messages", {
@@ -463,6 +467,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       hasPendingConfirmation: (id: string) => id === "pending-reject-1",
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
     } as unknown as import("../daemon/session.js").Session;
 
     const req = new Request("http://localhost/v1/messages", {
@@ -528,6 +533,7 @@ describe("handleSendMessage canonical guardian reply interception", () => {
       hasPendingConfirmation: (id: string) => id === "pending-1",
       setHostBashProxy: () => {},
       setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
     } as unknown as import("../daemon/session.js").Session;
 
     const req = new Request("http://localhost/v1/messages", {
@@ -559,4 +565,142 @@ describe("handleSendMessage canonical guardian reply interception", () => {
     expect(persistUserMessage).toHaveBeenCalledTimes(1);
     expect(runAgentLoop).toHaveBeenCalledTimes(1);
   });
+
+  test("desktop sessions do not pass approvalConversationGenerator to routeGuardianReply", async () => {
+    listPendingByDestinationMock.mockReturnValue([
+      { id: "pending-1", kind: "access_request" },
+    ]);
+    listCanonicalMock.mockReturnValue([]);
+    routeGuardianReplyMock.mockResolvedValue({
+      consumed: false,
+      decisionApplied: false,
+      type: "not_consumed",
+    });
+
+    const mockGenerator = mock(async () => ({}));
+    const persistUserMessage = mock(async () => "persisted-user-id");
+    const runAgentLoop = mock(async () => undefined);
+    const session = {
+      setTrustContext: () => {},
+      updateClient: () => {},
+      emitConfirmationStateChanged: () => {},
+      emitActivityState: () => {},
+      setTurnChannelContext: () => {},
+      setTurnInterfaceContext: () => {},
+      ensureActorScopedHistory: async () => {},
+      usageStats: { inputTokens: 0, outputTokens: 0, estimatedCost: 0 },
+      isProcessing: () => false,
+      hasAnyPendingConfirmation: () => false,
+      denyAllPendingConfirmations: () => {},
+      enqueueMessage: () => ({ queued: true, requestId: "queued-id" }),
+      persistUserMessage,
+      runAgentLoop,
+      getMessages: () => [] as unknown[],
+      assistantId: "self",
+      trustContext: undefined,
+      hasPendingConfirmation: () => false,
+      setHostBashProxy: () => {},
+      setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
+    } as unknown as import("../daemon/session.js").Session;
+
+    const req = new Request("http://localhost/v1/messages", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        conversationKey: "guardian-thread-key",
+        content: "no sorry, beats 0 and 3 should be new threads",
+        sourceChannel: "vellum",
+        interface: "macos",
+      }),
+    });
+
+    await handleSendMessage(
+      req,
+      {
+        sendMessageDeps: {
+          getOrCreateSession: async () => session,
+          assistantEventHub: { publish: async () => {} } as any,
+          resolveAttachments: () => [],
+        },
+        approvalConversationGenerator: mockGenerator as any,
+      },
+      testAuthContext,
+    );
+
+    expect(routeGuardianReplyMock).toHaveBeenCalledTimes(1);
+    const routerCall = (routeGuardianReplyMock as any).mock
+      .calls[0][0] as Record<string, unknown>;
+    // Desktop (vellum) should suppress the NL engine
+    expect(routerCall.approvalConversationGenerator).toBeUndefined();
+  });
+
+  test("channel sessions pass approvalConversationGenerator to routeGuardianReply", async () => {
+    listPendingByDestinationMock.mockReturnValue([
+      { id: "pending-1", kind: "access_request" },
+    ]);
+    listCanonicalMock.mockReturnValue([]);
+    routeGuardianReplyMock.mockResolvedValue({
+      consumed: false,
+      decisionApplied: false,
+      type: "not_consumed",
+    });
+
+    const mockGenerator = mock(async () => ({}));
+    const persistUserMessage = mock(async () => "persisted-user-id");
+    const runAgentLoop = mock(async () => undefined);
+    const session = {
+      setTrustContext: () => {},
+      updateClient: () => {},
+      emitConfirmationStateChanged: () => {},
+      emitActivityState: () => {},
+      setTurnChannelContext: () => {},
+      setTurnInterfaceContext: () => {},
+      ensureActorScopedHistory: async () => {},
+      usageStats: { inputTokens: 0, outputTokens: 0, estimatedCost: 0 },
+      isProcessing: () => false,
+      hasAnyPendingConfirmation: () => false,
+      denyAllPendingConfirmations: () => {},
+      enqueueMessage: () => ({ queued: true, requestId: "queued-id" }),
+      persistUserMessage,
+      runAgentLoop,
+      getMessages: () => [] as unknown[],
+      assistantId: "self",
+      trustContext: undefined,
+      hasPendingConfirmation: () => false,
+      setHostBashProxy: () => {},
+      setHostFileProxy: () => {},
+      setHostCuProxy: () => {},
+    } as unknown as import("../daemon/session.js").Session;
+
+    const req = new Request("http://localhost/v1/messages", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        conversationKey: "guardian-thread-key",
+        content: "no sorry, beats 0 and 3 should be new threads",
+        sourceChannel: "telegram",
+        interface: "telegram",
+      }),
+    });
+
+    await handleSendMessage(
+      req,
+      {
+        sendMessageDeps: {
+          getOrCreateSession: async () => session,
+          assistantEventHub: { publish: async () => {} } as any,
+          resolveAttachments: () => [],
+        },
+        approvalConversationGenerator: mockGenerator as any,
+      },
+      testAuthContext,
+    );
+
+    expect(routeGuardianReplyMock).toHaveBeenCalledTimes(1);
+    const routerCall = (routeGuardianReplyMock as any).mock
+      .calls[0][0] as Record<string, unknown>;
+    // Channel sessions should receive the NL engine
+    expect(routerCall.approvalConversationGenerator).toBe(mockGenerator);
+  });
 });

package/src/__tests__/conversation-routes-slash-commands.test.ts

@@ -203,6 +203,7 @@ function makeSession() {
     hasPendingConfirmation: () => false,
     setHostBashProxy: () => {},
     setHostFileProxy: () => {},
+    setHostCuProxy: () => {},
     usageStats: {
       inputTokens: 1000,
       outputTokens: 500,

package/src/__tests__/credential-broker-browser-fill.test.ts

@@ -49,6 +49,7 @@ mock.module("../tools/registry.js", () => ({
 // Imports under test
 // ---------------------------------------------------------------------------
 
+import { credentialKey } from "../security/credential-key.js";
 import { setSecureKey } from "../security/secure-keys.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
@@ -92,7 +93,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     let filledValue: string | undefined;
     const result = await broker.browserFill({
@@ -114,7 +115,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -167,7 +168,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -193,8 +194,8 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "password", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:username", "octocat");
-    setSecureKey("credential:github:password", "hunter2");
+    setSecureKey(credentialKey("github", "username"), "octocat");
+    setSecureKey(credentialKey("github", "password"), "hunter2");
 
     const filled: Record<string, string> = {};
 
@@ -227,7 +228,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -245,7 +246,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -263,7 +264,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -286,7 +287,7 @@ describe("CredentialBroker.browserFill", () => {
       allowedTools: ["browser_fill_credential"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -305,7 +306,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     // No domain provided and no allowedDomains policy — should succeed
     const result = await broker.browserFill({
@@ -322,7 +323,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["other_tool"],
     });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     let fillCalled = false;
     const result = await broker.browserFill({
@@ -343,7 +344,7 @@ describe("CredentialBroker.browserFill", () => {
 
   test("denies fill when allowedTools is empty (fail-closed)", async () => {
     upsertCredentialMetadata("github", "token", { allowedTools: [] });
-    setSecureKey("credential:github:token", "ghp_secret123");
+    setSecureKey(credentialKey("github", "token"), "ghp_secret123");
 
     const result = await broker.browserFill({
       service: "github",
@@ -362,7 +363,7 @@ describe("CredentialBroker.browserFill", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey("credential:github:token", "ghp_supersecret");
+    setSecureKey(credentialKey("github", "token"), "ghp_supersecret");
 
     const result = await broker.browserFill({
       service: "github",
@@ -388,7 +389,7 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["s3_upload", "cloudfront_invalidate"],
         allowedDomains: [],
       });
-      setSecureKey("credential:aws:access_key", "AKIA_test");
+      setSecureKey(credentialKey("aws", "access_key"), "AKIA_test");
 
       let fillCalled = false;
       const result = await broker.browserFill({
@@ -413,7 +414,7 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["browser_fill_credential"],
         allowedDomains: ["github.com"],
       });
-      setSecureKey("credential:github:pat", "ghp_fill_test");
+      setSecureKey(credentialKey("github", "pat"), "ghp_fill_test");
 
       let fillCalled = false;
       const result = await broker.browserFill({
@@ -437,7 +438,7 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["slack_post"],
         allowedDomains: ["slack.com"],
       });
-      setSecureKey("credential:slack:bot_token", "xoxb-test");
+      setSecureKey(credentialKey("slack", "bot_token"), "xoxb-test");
 
       const result = await broker.browserFill({
         service: "slack",
@@ -460,7 +461,7 @@ describe("CredentialBroker.browserFill", () => {
       upsertCredentialMetadata("custom", "key", {
         allowedTools: [],
       });
-      setSecureKey("credential:custom:key", "secret");
+      setSecureKey(credentialKey("custom", "key"), "secret");
 
       const result = await broker.browserFill({
         service: "custom",
@@ -490,7 +491,7 @@ describe("CredentialBroker.browserFill", () => {
       upsertCredentialMetadata("github", "token", {
         allowedTools: ["browser_fill_credential"],
       });
-      setSecureKey("credential:github:token", "ghp_updated");
+      setSecureKey(credentialKey("github", "token"), "ghp_updated");
 
       let filledValue: string | undefined;
       const result = await broker.browserFill({
@@ -514,8 +515,8 @@ describe("CredentialBroker.browserFill", () => {
       upsertCredentialMetadata("github", "password", {
         allowedTools: ["other_tool"],
       });
-      setSecureKey("credential:github:username", "octocat");
-      setSecureKey("credential:github:password", "hunter2");
+      setSecureKey(credentialKey("github", "username"), "octocat");
+      setSecureKey(credentialKey("github", "password"), "hunter2");
 
       // username allows browser_fill_credential
       const r1 = await broker.browserFill({
@@ -548,8 +549,8 @@ describe("CredentialBroker.browserFill", () => {
         allowedTools: ["browser_fill_credential"],
         allowedDomains: ["gitlab.com"],
       });
-      setSecureKey("credential:github:token", "gh_tok");
-      setSecureKey("credential:gitlab:token", "gl_tok");
+      setSecureKey(credentialKey("github", "token"), "gh_tok");
+      setSecureKey(credentialKey("gitlab", "token"), "gl_tok");
 
       // github credential on github.com succeeds
       let filled1 = "";

package/src/__tests__/credential-broker-server-use.test.ts

@@ -48,6 +48,7 @@ mock.module("../tools/registry.js", () => ({
 // Imports under test
 // ---------------------------------------------------------------------------
 
+import { credentialKey } from "../security/credential-key.js";
 import { setSecureKey } from "../security/secure-keys.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
@@ -85,7 +86,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -109,7 +110,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -161,7 +162,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -182,7 +183,7 @@ describe("CredentialBroker.serverUse", () => {
     upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["publish_page"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -201,7 +202,7 @@ describe("CredentialBroker.serverUse", () => {
       allowedTools: ["publish_page"],
       allowedDomains: ["vercel.com"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -222,7 +223,7 @@ describe("CredentialBroker.serverUse", () => {
       allowedTools: ["publish_page"],
       allowedDomains: [],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = await broker.serverUse({
       service: "vercel",
@@ -247,7 +248,7 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("aws", "access_key", {
         allowedTools: ["deploy_lambda", "s3_upload"],
       });
-      setSecureKey("credential:aws:access_key", "AKIA_test");
+      setSecureKey(credentialKey("aws", "access_key"), "AKIA_test");
 
       const result = await broker.serverUse({
         service: "aws",
@@ -270,7 +271,7 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("stripe", "secret_key", {
         allowedTools: [],
       });
-      setSecureKey("credential:stripe:secret_key", "sk_test_xyz");
+      setSecureKey(credentialKey("stripe", "secret_key"), "sk_test_xyz");
 
       const result = await broker.serverUse({
         service: "stripe",
@@ -291,7 +292,7 @@ describe("CredentialBroker.serverUse", () => {
         allowedTools: ["git_push"],
         allowedDomains: ["github.com"],
       });
-      setSecureKey("credential:github:oauth_token", "gho_test");
+      setSecureKey(credentialKey("github", "oauth_token"), "gho_test");
 
       const result = await broker.serverUse({
         service: "github",
@@ -322,7 +323,7 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("vercel", "api_token", {
         allowedTools: ["publish_page", "unpublish_page"],
       });
-      setSecureKey("credential:vercel:api_token", "tok_updated");
+      setSecureKey(credentialKey("vercel", "api_token"), "tok_updated");
 
       const result = await broker.serverUse({
         service: "vercel",
@@ -342,8 +343,8 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("vercel", "deploy_hook", {
         allowedTools: ["trigger_deploy"],
       });
-      setSecureKey("credential:vercel:api_token", "tok_api");
-      setSecureKey("credential:vercel:deploy_hook", "hook_secret");
+      setSecureKey(credentialKey("vercel", "api_token"), "tok_api");
+      setSecureKey(credentialKey("vercel", "deploy_hook"), "hook_secret");
 
       // api_token should deny trigger_deploy
       const r1 = await broker.serverUse({
@@ -377,8 +378,8 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("gitlab", "api_token", {
         allowedTools: ["gitlab_api"],
       });
-      setSecureKey("credential:github:api_token", "gh_tok");
-      setSecureKey("credential:gitlab:api_token", "gl_tok");
+      setSecureKey(credentialKey("github", "api_token"), "gh_tok");
+      setSecureKey(credentialKey("gitlab", "api_token"), "gl_tok");
 
       // github credential should not serve gitlab tool
       const r1 = broker.serverUseById({
@@ -395,8 +396,8 @@ describe("CredentialBroker.serverUse", () => {
       upsertCredentialMetadata("gitlab", "api_token", {
         allowedTools: ["gitlab_api"],
       });
-      setSecureKey("credential:github:api_token", "gh_tok");
-      setSecureKey("credential:gitlab:api_token", "gl_tok");
+      setSecureKey(credentialKey("github", "api_token"), "gh_tok");
+      setSecureKey(credentialKey("gitlab", "api_token"), "gl_tok");
 
       // github credential should not serve gitlab tool
       const r1 = await broker.serverUse({
@@ -458,7 +459,7 @@ describe("CredentialBroker.serverUseById", () => {
         },
       ],
     });
-    setSecureKey("credential:fal:api_key", "fal-secret-key");
+    setSecureKey(credentialKey("fal", "api_key"), "fal-secret-key");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -483,7 +484,7 @@ describe("CredentialBroker.serverUseById", () => {
     const meta = upsertCredentialMetadata("fal", "api_key", {
       allowedTools: ["media_proxy"],
     });
-    setSecureKey("credential:fal:api_key", "fal-secret-key");
+    setSecureKey(credentialKey("fal", "api_key"), "fal-secret-key");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -514,7 +515,7 @@ describe("CredentialBroker.serverUseById", () => {
       allowedTools: ["media_proxy"],
       allowedDomains: ["github.com"],
     });
-    setSecureKey("credential:github:oauth_token", "gho_test");
+    setSecureKey(credentialKey("github", "oauth_token"), "gho_test");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -531,7 +532,7 @@ describe("CredentialBroker.serverUseById", () => {
     const meta = upsertCredentialMetadata("vercel", "api_token", {
       allowedTools: ["media_proxy"],
     });
-    setSecureKey("credential:vercel:api_token", "test-vercel-token");
+    setSecureKey(credentialKey("vercel", "api_token"), "test-vercel-token");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,
@@ -547,7 +548,7 @@ describe("CredentialBroker.serverUseById", () => {
     const meta = upsertCredentialMetadata("stripe", "secret_key", {
       allowedTools: [],
     });
-    setSecureKey("credential:stripe:secret_key", "sk_test_xyz");
+    setSecureKey(credentialKey("stripe", "secret_key"), "sk_test_xyz");
 
     const result = broker.serverUseById({
       credentialId: meta.credentialId,

package/src/__tests__/credential-broker.test.ts

@@ -3,6 +3,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 
+import { credentialKey } from "../security/credential-key.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
   _setMetadataPath,
@@ -125,7 +126,7 @@ describe("CredentialBroker", () => {
 
       const result = broker.consume(auth.token.tokenId);
       expect(result.success).toBe(true);
-      expect(result.storageKey).toBe("credential:github:token");
+      expect(result.storageKey).toBe(credentialKey("github", "token"));
     });
 
     test("rejects double consumption", () => {