@vellumai/assistant 0.4.48 → 0.4.49

package/src/__tests__/skill-load-tool.test.ts

@@ -60,10 +60,16 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (s: unknown) => String(s),
 }));
 
+// Mock autoInstallFromCatalog — default returns false (not found in catalog).
+// Tests can override via `mockAutoInstall.mockImplementation(...)`.
+const mockAutoInstall = mock((_skillId: string) => Promise.resolve(false));
+mock.module("../skills/catalog-install.js", () => ({
+  autoInstallFromCatalog: (skillId: string) => mockAutoInstall(skillId),
+}));
+
 await import("../tools/skills/load.js");
 const { getTool } = await import("../tools/registry.js");
 
@@ -145,6 +151,10 @@ async function executeSkillLoad(
 describe("skill_load tool", () => {
   beforeEach(() => {
     mkdirSync(join(TEST_DIR, "skills"), { recursive: true });
+    mockAutoInstall.mockReset();
+    mockAutoInstall.mockImplementation((_skillId: string) =>
+      Promise.resolve(false),
+    );
   });
 
   afterEach(() => {
@@ -850,4 +860,142 @@ describe("skill_load tool", () => {
       "Use `skill_execute` to call these tools.",
     );
   });
+
+  test("auto-installs missing includes from catalog", async () => {
+    // Parent includes "dep-a" which is not initially in the catalog
+    writeSkillWithIncludes(
+      "auto-parent",
+      "Auto Parent",
+      "Has auto-installable dep",
+      "Parent body",
+      ["dep-a"],
+    );
+    writeFileSync(join(TEST_DIR, "skills", "SKILLS.md"), "- auto-parent\n");
+
+    // Mock autoInstallFromCatalog to succeed and write the skill to disk
+    mockAutoInstall.mockImplementation((skillId: string) => {
+      if (skillId === "dep-a") {
+        writeSkill("dep-a", "Dep A", "A dependency", "Dep A body");
+        // Add to SKILLS.md so catalog reload finds it
+        writeFileSync(
+          join(TEST_DIR, "skills", "SKILLS.md"),
+          "- auto-parent\n- dep-a\n",
+        );
+        return Promise.resolve(true);
+      }
+      return Promise.resolve(false);
+    });
+
+    const result = await executeSkillLoad({ skill: "auto-parent" });
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Skill: Auto Parent");
+    expect(result.content).toContain("<loaded_skill");
+    expect(mockAutoInstall).toHaveBeenCalledWith("dep-a");
+  });
+
+  test("auto-installs transitive missing includes across rounds", async () => {
+    // Skill A includes B, B includes C. Neither B nor C in initial catalog.
+    writeSkillWithIncludes("trans-a", "Trans A", "Top level", "Body A", [
+      "trans-b",
+    ]);
+    writeFileSync(join(TEST_DIR, "skills", "SKILLS.md"), "- trans-a\n");
+
+    let round = 0;
+    mockAutoInstall.mockImplementation((skillId: string) => {
+      if (skillId === "trans-b" && round === 0) {
+        // First round: install B (which includes C)
+        writeSkillWithIncludes("trans-b", "Trans B", "Mid level", "Body B", [
+          "trans-c",
+        ]);
+        writeFileSync(
+          join(TEST_DIR, "skills", "SKILLS.md"),
+          "- trans-a\n- trans-b\n",
+        );
+        round++;
+        return Promise.resolve(true);
+      }
+      if (skillId === "trans-c") {
+        // Second round: install C
+        writeSkill("trans-c", "Trans C", "Leaf", "Body C");
+        writeFileSync(
+          join(TEST_DIR, "skills", "SKILLS.md"),
+          "- trans-a\n- trans-b\n- trans-c\n",
+        );
+        return Promise.resolve(true);
+      }
+      return Promise.resolve(false);
+    });
+
+    const result = await executeSkillLoad({ skill: "trans-a" });
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Skill: Trans A");
+    expect(result.content).toContain("<loaded_skill");
+    expect(mockAutoInstall).toHaveBeenCalledWith("trans-b");
+    expect(mockAutoInstall).toHaveBeenCalledWith("trans-c");
+  });
+
+  test("returns error when auto-install of missing include fails", async () => {
+    writeSkillWithIncludes(
+      "fail-parent",
+      "Fail Parent",
+      "Has failing dep",
+      "Body",
+      ["dep-x"],
+    );
+    writeFileSync(join(TEST_DIR, "skills", "SKILLS.md"), "- fail-parent\n");
+
+    // autoInstallFromCatalog throws an error
+    mockAutoInstall.mockImplementation((skillId: string) => {
+      if (skillId === "dep-x") {
+        return Promise.reject(new Error("Network error"));
+      }
+      return Promise.resolve(false);
+    });
+
+    const result = await executeSkillLoad({ skill: "fail-parent" });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("dep-x");
+    expect(result.content).toContain("not found");
+    expect(result.content).not.toContain("<loaded_skill");
+  });
+
+  test("stops after MAX_INSTALL_ROUNDS", async () => {
+    // Pathological case: each install round reveals a new missing dep
+    writeSkillWithIncludes("loop-root", "Loop Root", "Infinite deps", "Body", [
+      "loop-dep-0",
+    ]);
+    writeFileSync(join(TEST_DIR, "skills", "SKILLS.md"), "- loop-root\n");
+
+    let installCount = 0;
+    mockAutoInstall.mockImplementation((skillId: string) => {
+      const id = skillId;
+      if (id.startsWith("loop-dep-")) {
+        installCount++;
+        const nextDepId = `loop-dep-${installCount}`;
+        // Install the requested dep, but it includes yet another missing dep
+        writeSkillWithIncludes(
+          id,
+          `Loop Dep ${installCount}`,
+          "Generated dep",
+          "Body",
+          [nextDepId],
+        );
+        // Update SKILLS.md to include all installed deps so far
+        const entries = ["- loop-root\n"];
+        for (let i = 0; i < installCount; i++) {
+          entries.push(`- loop-dep-${i}\n`);
+        }
+        writeFileSync(join(TEST_DIR, "skills", "SKILLS.md"), entries.join(""));
+        return Promise.resolve(true);
+      }
+      return Promise.resolve(false);
+    });
+
+    const result = await executeSkillLoad({ skill: "loop-root" });
+    // Should terminate with an error (the final dep is still missing)
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("not found");
+    // Should have terminated — installCount should be bounded by MAX_INSTALL_ROUNDS (5)
+    expect(installCount).toBeLessThanOrEqual(5);
+  });
 });

package/src/__tests__/skill-projection-feature-flag.test.ts

@@ -210,7 +210,6 @@ mock.module("../util/logger.js", () => ({
     debug: () => {},
     error: () => {},
   }),
-  isDebug: () => false,
 }));
 
 // ---------------------------------------------------------------------------

package/src/__tests__/skills-uninstall.test.ts

@@ -9,7 +9,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 
-import { uninstallSkillLocally } from "../cli/commands/skills.js";
+import { uninstallSkillLocally } from "../skills/catalog-install.js";
 
 let tempDir: string;
 let originalBaseDataDir: string | undefined;

package/src/__tests__/skills.test.ts

@@ -60,7 +60,6 @@ mock.module("../util/logger.js", () => ({
   ...realLogger,
   getLogger: () => noopLogger,
   getCliLogger: () => noopLogger,
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
   initLogger: () => {},
   pruneOldLogFiles: () => 0,
@@ -719,15 +718,16 @@ describe("bundled computer-use skill", () => {
     expect(cuSkill!.disableModelInvocation).toBe(true);
   });
 
-  test("computer-use skill has a valid tool manifest with 12 tools", () => {
+  test("computer-use skill has a valid tool manifest with 11 tools", () => {
     const catalog = loadSkillCatalog();
     const cuSkill = catalog.find((s) => s.id === "computer-use");
     expect(cuSkill).toBeDefined();
     expect(cuSkill!.toolManifest).toBeDefined();
     expect(cuSkill!.toolManifest!.present).toBe(true);
     expect(cuSkill!.toolManifest!.valid).toBe(true);
-    expect(cuSkill!.toolManifest!.toolCount).toBe(10);
+    expect(cuSkill!.toolManifest!.toolCount).toBe(11);
     expect(cuSkill!.toolManifest!.toolNames).toEqual([
+      "computer_use_observe",
       "computer_use_click",
       "computer_use_type_text",
       "computer_use_key",

package/src/__tests__/slack-channel-config.test.ts

@@ -75,13 +75,11 @@ mock.module("../util/logger.js", () => ({
     debug: () => {},
     trace: () => {},
     fatal: () => {},
-    isDebug: () => false,
     child: () => ({
       info: () => {},
       warn: () => {},
       error: () => {},
       debug: () => {},
-      isDebug: () => false,
     }),
   }),
 }));
@@ -116,6 +114,46 @@ mock.module("../security/secure-keys.js", () => {
   };
 });
 
+// Mock oauth-store (getConnectionByProvider)
+let oauthConnectionStore: Record<
+  string,
+  { id: string; status: string; accountInfo?: string | null }
+> = {};
+
+mock.module("../oauth/oauth-store.js", () => ({
+  getConnectionByProvider: (providerKey: string) =>
+    oauthConnectionStore[providerKey] ?? undefined,
+  createConnection: () => ({ id: "test-conn-id" }),
+  updateConnection: () => true,
+  deleteConnection: (id: string) => {
+    for (const [key, conn] of Object.entries(oauthConnectionStore)) {
+      if (conn.id === id) {
+        delete oauthConnectionStore[key];
+        return true;
+      }
+    }
+    return false;
+  },
+  upsertApp: async () => ({ id: "test-app-id" }),
+}));
+
+// Mock manual-token-connection
+mock.module("../oauth/manual-token-connection.js", () => ({
+  ensureManualTokenConnection: async (
+    providerKey: string,
+    accountInfo?: string,
+  ) => {
+    oauthConnectionStore[providerKey] = {
+      id: `conn-${providerKey}`,
+      status: "active",
+      accountInfo: accountInfo ?? null,
+    };
+  },
+  removeManualTokenConnection: (providerKey: string) => {
+    delete oauthConnectionStore[providerKey];
+  },
+}));
+
 // Mock credential metadata store
 let credentialMetadataStore: Array<{
   service: string;
@@ -187,6 +225,7 @@ describe("Slack channel config handler", () => {
   beforeEach(() => {
     secureKeyStore = {};
     credentialMetadataStore = [];
+    oauthConnectionStore = {};
     configStore = {};
     globalThis.fetch = originalFetch;
   });
@@ -199,7 +238,11 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(false);
   });
 
-  test("GET returns connected: true when both tokens are set", () => {
+  test("GET returns connected: true when oauth_connection is active and both keys exist", () => {
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
     secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
     secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
 
@@ -210,8 +253,29 @@ describe("Slack channel config handler", () => {
     expect(result.connected).toBe(true);
   });
 
+  test("GET reports per-field token presence independently of connection row", () => {
+    // Only bot_token in keychain, no app_token, but connection row exists
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
+    secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+
+    const result = getSlackChannelConfig();
+    expect(result.success).toBe(true);
+    expect(result.hasBotToken).toBe(true);
+    expect(result.hasAppToken).toBe(false);
+    // connected requires both keys AND connection row
+    expect(result.connected).toBe(false);
+  });
+
   test("GET returns metadata from config when available", () => {
+    oauthConnectionStore["slack_channel"] = {
+      id: "conn-slack",
+      status: "active",
+    };
     secureKeyStore[credentialKey("slack_channel", "bot_token")] = "xoxb-test";
+    secureKeyStore[credentialKey("slack_channel", "app_token")] = "xapp-test";
     configStore = {
       slack: {
         teamId: "T123",

package/src/__tests__/slack-share-routes.test.ts

@@ -1,7 +1,5 @@
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-import { credentialKey } from "../security/credential-key.js";
-
 // ---------------------------------------------------------------------------
 // Mocks — must be declared before any imports that pull in mocked modules
 // ---------------------------------------------------------------------------
@@ -12,6 +10,12 @@ mock.module("../security/secure-keys.js", () => ({
   setSecureKeyAsync: async () => {},
 }));
 
+let connectionByProvider: Record<string, unknown> = {};
+mock.module("../oauth/oauth-store.js", () => ({
+  getConnectionByProvider: (key: string) =>
+    connectionByProvider[key] ?? undefined,
+}));
+
 let listConversationsResult: unknown = { ok: true, channels: [] };
 let postMessageResult: unknown = {
   ok: true,
@@ -86,6 +90,7 @@ function makeRequest(body: unknown): Request {
 
 beforeEach(() => {
   secureKeyValues.clear();
+  connectionByProvider = {};
   listConversationsResult = { ok: true, channels: [] };
   userInfoResults = new Map();
   appStoreResult = null;
@@ -106,8 +111,9 @@ describe("handleListSlackChannels", () => {
   });
 
   test("returns channels sorted by type then name", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
 
@@ -176,18 +182,6 @@ describe("handleListSlackChannels", () => {
       isPrivate: true,
     });
   });
-
-  test("falls back to legacy bot token", async () => {
-    secureKeyValues.set(
-      credentialKey("slack_channel", "bot_token"),
-      "xoxb-legacy",
-    );
-
-    listConversationsResult = { ok: true, channels: [] };
-
-    const res = await handleListSlackChannels();
-    expect(res.status).toBe(200);
-  });
 });
 
 describe("handleShareToSlackChannel", () => {
@@ -198,8 +192,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 for malformed JSON", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     const req = new Request("http://localhost/v1/slack/share", {
@@ -212,8 +207,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 400 when missing required fields", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     const req = makeRequest({ appId: "app1" });
@@ -224,8 +220,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("returns 404 when app not found", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     appStoreResult = null;
@@ -235,8 +232,9 @@ describe("handleShareToSlackChannel", () => {
   });
 
   test("posts message and returns success", async () => {
+    connectionByProvider["integration:slack"] = { id: "conn-slack-1" };
     secureKeyValues.set(
-      credentialKey("integration:slack", "access_token"),
+      "oauth_connection/conn-slack-1/access_token",
       "xoxb-test",
     );
     appStoreResult = {

package/src/__tests__/system-prompt.test.ts

@@ -53,7 +53,6 @@ mock.module("../util/logger.js", () => ({
   ...realLogger,
   getLogger: () => noopLogger,
   getCliLogger: () => noopLogger,
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
   initLogger: () => {},
   pruneOldLogFiles: () => 0,

package/src/__tests__/telegram-invite-adapter.test.ts

@@ -7,44 +7,42 @@
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
 import type { ChannelId } from "../channels/types.js";
-import { telegramInviteAdapter } from "../runtime/channel-invite-transports/telegram.js";
 
 // Mock credential metadata so tests don't depend on local persisted state.
 mock.module("../tools/credentials/metadata-store.js", () => ({
   getCredentialMetadata: () => undefined,
 }));
 
+// Mock getTelegramBotUsername — the env var fallback was removed so we
+// control the return value directly via a mutable variable.
+let mockBotUsername: string | undefined;
+mock.module("../telegram/bot-username.js", () => ({
+  getTelegramBotUsername: () => mockBotUsername,
+}));
+
+import { telegramInviteAdapter } from "../runtime/channel-invite-transports/telegram.js";
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 
 const CHANNEL: ChannelId = "telegram" as ChannelId;
 
-function setEnv(key: string, value: string | undefined) {
-  if (value === undefined) {
-    delete process.env[key];
-  } else {
-    process.env[key] = value;
-  }
-}
-
 // ---------------------------------------------------------------------------
 // buildShareLink
 // ---------------------------------------------------------------------------
 
 describe("telegramInviteAdapter.buildShareLink", () => {
-  let originalBotUsername: string | undefined;
-
   beforeEach(() => {
-    originalBotUsername = process.env.TELEGRAM_BOT_USERNAME;
+    mockBotUsername = undefined;
   });
 
   afterEach(() => {
-    setEnv("TELEGRAM_BOT_USERNAME", originalBotUsername);
+    mockBotUsername = undefined;
   });
 
   test("builds a deep link with iv_ prefix", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", "TestBot");
+    mockBotUsername = "TestBot";
 
     const link = telegramInviteAdapter.buildShareLink!({
       rawToken: "abc123",
@@ -56,7 +54,7 @@ describe("telegramInviteAdapter.buildShareLink", () => {
   });
 
   test("throws when bot username is not configured", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", undefined);
+    mockBotUsername = undefined;
 
     expect(() =>
       telegramInviteAdapter.buildShareLink!({
@@ -138,25 +136,23 @@ describe("telegramInviteAdapter.extractInboundToken", () => {
 // ---------------------------------------------------------------------------
 
 describe("telegramInviteAdapter.resolveChannelHandle", () => {
-  let originalBotUsername: string | undefined;
-
   beforeEach(() => {
-    originalBotUsername = process.env.TELEGRAM_BOT_USERNAME;
+    mockBotUsername = undefined;
   });
 
   afterEach(() => {
-    setEnv("TELEGRAM_BOT_USERNAME", originalBotUsername);
+    mockBotUsername = undefined;
   });
 
-  test("returns @-prefixed bot username from env", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", "MyBot");
+  test("returns @-prefixed bot username from config", () => {
+    mockBotUsername = "MyBot";
 
     const handle = telegramInviteAdapter.resolveChannelHandle!();
     expect(handle).toBe("@MyBot");
   });
 
   test("returns undefined when bot username is not configured", () => {
-    setEnv("TELEGRAM_BOT_USERNAME", undefined);
+    mockBotUsername = undefined;
 
     const handle = telegramInviteAdapter.resolveChannelHandle!();
     expect(handle).toBeUndefined();

package/src/__tests__/terminal-tools.test.ts

@@ -457,10 +457,10 @@ describe("buildSanitizedEnv", () => {
   });
 
   test("injects INTERNAL_GATEWAY_BASE_URL from gateway config", () => {
-    process.env.GATEWAY_INTERNAL_BASE_URL = "http://gateway.internal:9000/";
+    process.env.GATEWAY_PORT = "9000";
     const env = buildSanitizedEnv();
-    expect(env.INTERNAL_GATEWAY_BASE_URL).toBe("http://gateway.internal:9000");
-    delete process.env.GATEWAY_INTERNAL_BASE_URL;
+    expect(env.INTERNAL_GATEWAY_BASE_URL).toBe("http://127.0.0.1:9000");
+    delete process.env.GATEWAY_PORT;
   });
 
   test("result is a plain object with no prototype-inherited secrets", () => {
@@ -485,6 +485,7 @@ describe("buildSanitizedEnv", () => {
       "SSH_AGENT_PID",
       "GPG_TTY",
       "GNUPGHOME",
+      "VELLUM_DEV",
       "INTERNAL_GATEWAY_BASE_URL",
       "VELLUM_DATA_DIR",
     ];

package/src/__tests__/test-support/computer-use-skill-harness.ts

@@ -2,8 +2,9 @@
  * Reusable constants and helpers for the computer-use skill migration test suite.
  */
 
-/** The 10 computer_use_* action tool names provided by the bundled computer-use skill. */
+/** The 11 computer_use_* action tool names provided by the bundled computer-use skill. */
 export const COMPUTER_USE_TOOL_NAMES = [
+  "computer_use_observe",
   "computer_use_click",
   "computer_use_type_text",
   "computer_use_key",
@@ -20,7 +21,7 @@ export const COMPUTER_USE_TOOL_NAMES = [
 export const COMPUTER_USE_SKILL_ID = "computer-use";
 
 /** Number of computer_use_* tools. */
-export const COMPUTER_USE_TOOL_COUNT = COMPUTER_USE_TOOL_NAMES.length; // 10
+export const COMPUTER_USE_TOOL_COUNT = COMPUTER_USE_TOOL_NAMES.length; // 11
 
 import { expect } from "bun:test";
 

package/src/__tests__/tool-approval-handler.test.ts

@@ -21,7 +21,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-execution-pipeline.benchmark.test.ts

@@ -44,7 +44,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
 }));
 
 // Allow toggling between no-rule and matched-rule paths

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -59,7 +59,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-executor-shell-integration.test.ts

@@ -68,7 +68,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-executor.test.ts

@@ -103,7 +103,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/tool-grant-request-escalation.test.ts

@@ -31,7 +31,6 @@ mock.module("../util/logger.js", () => ({
     new Proxy({} as Record<string, unknown>, {
       get: () => () => {},
     }),
-  isDebug: () => false,
   truncateForLog: (value: string) => value,
 }));
 

package/src/__tests__/trust-store-pattern-matches.test.ts

@@ -0,0 +1,29 @@
+import { describe, expect, test } from "bun:test";
+
+import { patternMatchesCandidate } from "../permissions/trust-store.js";
+
+describe("patternMatchesCandidate", () => {
+  test("exact match", () => {
+    expect(patternMatchesCandidate("bash:git commit", "bash:git commit")).toBe(
+      true,
+    );
+  });
+
+  test("glob match", () => {
+    expect(patternMatchesCandidate("bash:git *", "bash:git commit")).toBe(true);
+  });
+
+  test("no match", () => {
+    expect(patternMatchesCandidate("bash:git *", "file_write:/foo")).toBe(
+      false,
+    );
+  });
+
+  test("globstar matches anything", () => {
+    expect(patternMatchesCandidate("**", "bash:anything")).toBe(true);
+  });
+
+  test("invalid pattern returns false", () => {
+    expect(patternMatchesCandidate("[", "bash:anything")).toBe(false);
+  });
+});