@vellumai/assistant 0.4.48 → 0.4.50

package/src/__tests__/host-shell-tool.test.ts

@@ -501,8 +501,8 @@ describe("host_bash — environment setup", () => {
   });
 
   test("injects INTERNAL_GATEWAY_BASE_URL for host_bash commands", async () => {
-    const originalGatewayBase = process.env.GATEWAY_INTERNAL_BASE_URL;
-    process.env.GATEWAY_INTERNAL_BASE_URL = "http://gateway.internal:9000/";
+    const originalGatewayPort = process.env.GATEWAY_PORT;
+    process.env.GATEWAY_PORT = "9000";
     try {
       const result = await hostShellTool.execute(
         {
@@ -511,12 +511,12 @@ describe("host_bash — environment setup", () => {
         makeContext(),
       );
       expect(result.isError).toBe(false);
-      expect(result.content.trim()).toBe("http://gateway.internal:9000");
+      expect(result.content.trim()).toBe("http://127.0.0.1:9000");
     } finally {
-      if (originalGatewayBase === undefined) {
-        delete process.env.GATEWAY_INTERNAL_BASE_URL;
+      if (originalGatewayPort === undefined) {
+        delete process.env.GATEWAY_PORT;
       } else {
-        process.env.GATEWAY_INTERNAL_BASE_URL = originalGatewayBase;
+        process.env.GATEWAY_PORT = originalGatewayPort;
       }
     }
   });
@@ -695,7 +695,11 @@ describe("host_bash — spawn error handling", () => {
 describe("host_bash — proxy delegation", () => {
   function makeMockProxy(result: ToolExecutionResult) {
     const calls: Array<{
-      input: { command: string; working_dir?: string; timeout_seconds?: number };
+      input: {
+        command: string;
+        working_dir?: string;
+        timeout_seconds?: number;
+      };
       sessionId: string;
     }> = [];
 
@@ -703,7 +707,11 @@ describe("host_bash — proxy delegation", () => {
       proxy: {
         isAvailable: () => true,
         request: async (
-          input: { command: string; working_dir?: string; timeout_seconds?: number },
+          input: {
+            command: string;
+            working_dir?: string;
+            timeout_seconds?: number;
+          },
           sessionId: string,
           _signal?: AbortSignal,
         ) => {
@@ -748,7 +756,10 @@ describe("host_bash — proxy delegation", () => {
   });
 
   test("still validates input before proxying (null bytes in command)", async () => {
-    const proxyResult: ToolExecutionResult = { content: "proxied", isError: false };
+    const proxyResult: ToolExecutionResult = {
+      content: "proxied",
+      isError: false,
+    };
     const { proxy, calls } = makeMockProxy(proxyResult);
 
     const ctx: ToolContext = {
@@ -756,10 +767,7 @@ describe("host_bash — proxy delegation", () => {
       hostBashProxy: proxy as unknown as ToolContext["hostBashProxy"],
     };
 
-    const result = await hostShellTool.execute(
-      { command: "echo \0evil" },
-      ctx,
-    );
+    const result = await hostShellTool.execute({ command: "echo \0evil" }, ctx);
 
     expect(result.isError).toBe(true);
     expect(result.content).toContain("null bytes");
@@ -768,7 +776,10 @@ describe("host_bash — proxy delegation", () => {
   });
 
   test("still validates input before proxying (relative working_dir)", async () => {
-    const proxyResult: ToolExecutionResult = { content: "proxied", isError: false };
+    const proxyResult: ToolExecutionResult = {
+      content: "proxied",
+      isError: false,
+    };
     const { proxy, calls } = makeMockProxy(proxyResult);
 
     const ctx: ToolContext = {
@@ -803,7 +814,8 @@ describe("host_bash — proxy delegation", () => {
 
     const ctx: ToolContext = {
       ...makeContext(),
-      hostBashProxy: unavailableProxy as unknown as ToolContext["hostBashProxy"],
+      hostBashProxy:
+        unavailableProxy as unknown as ToolContext["hostBashProxy"],
     };
 
     spawnCalls.length = 0;

package/src/__tests__/http-user-message-parity.test.ts

@@ -169,6 +169,8 @@ function makeSession(overrides: Record<string, unknown> = {}) {
     updateClient: () => {},
     setHostBashProxy: () => {},
     setHostFileProxy: () => {},
+    setHostCuProxy: () => {},
+    addPreactivatedSkillId: () => {},
     emitConfirmationStateChanged: () => {},
     emitActivityState: () => {},
     setTurnChannelContext: () => {},

package/src/__tests__/ingress-url-consistency.test.ts

@@ -26,6 +26,7 @@ mock.module("../util/logger.js", () => ({
   getLogger: () => makeLoggerStub(),
 }));
 
+import { setIngressPublicBaseUrl } from "../config/env.js";
 import {
   getPublicBaseUrl,
   getTwilioStatusCallbackUrl,
@@ -78,19 +79,12 @@ function computeTwilioSignature(
 // ---------------------------------------------------------------------------
 
 describe("Ingress URL consistency between assistant and gateway", () => {
-  let savedIngressEnv: string | undefined;
-
   beforeEach(() => {
-    savedIngressEnv = process.env.INGRESS_PUBLIC_BASE_URL;
-    delete process.env.INGRESS_PUBLIC_BASE_URL;
+    setIngressPublicBaseUrl(undefined);
   });
 
   afterEach(() => {
-    if (savedIngressEnv !== undefined) {
-      process.env.INGRESS_PUBLIC_BASE_URL = savedIngressEnv;
-    } else {
-      delete process.env.INGRESS_PUBLIC_BASE_URL;
-    }
+    setIngressPublicBaseUrl(undefined);
   });
 
   test("assistant callback URL and gateway signature reconstruction use same base when config is set", () => {
@@ -104,9 +98,8 @@ describe("Ingress URL consistency between assistant and gateway", () => {
       "session-abc",
     );
 
-    // Simulate: when hatch.ts spawns the gateway, it reads config.ingress.publicBaseUrl
-    // and passes it as INGRESS_PUBLIC_BASE_URL. The gateway stores this as
-    // config.ingressPublicBaseUrl.
+    // The gateway reads config.ingress.publicBaseUrl from the workspace config
+    // file via ConfigFileCache.
     const gatewayIngressPublicBaseUrl = getPublicBaseUrl(config);
 
     // When Twilio calls the gateway, the gateway reconstructs the canonical URL
@@ -147,7 +140,7 @@ describe("Ingress URL consistency between assistant and gateway", () => {
     const localRequestUrl = "http://127.0.0.1:7830/webhooks/twilio/status";
 
     // Gateway reconstructs the canonical URL using its configured base
-    // (which was passed from the assistant's config via INGRESS_PUBLIC_BASE_URL)
+    // (which was read from the workspace config file via ConfigFileCache)
     const gatewayIngressPublicBaseUrl = getPublicBaseUrl(config);
     const canonicalUrl = reconstructGatewayCanonicalUrl(
       gatewayIngressPublicBaseUrl,
@@ -208,20 +201,20 @@ describe("Ingress URL consistency between assistant and gateway", () => {
     expect(recomputedWith).toBe(twilioSignature);
   });
 
-  test("env var fallback produces consistent URLs across assistant and gateway", () => {
-    // When no config.ingress.publicBaseUrl is set, both assistant and gateway
-    // fall back to the INGRESS_PUBLIC_BASE_URL env var.
-    process.env.INGRESS_PUBLIC_BASE_URL = "https://env-tunnel.example.com";
+  test("module-level state fallback produces consistent URLs across assistant and gateway", () => {
+    // When no config.ingress.publicBaseUrl is set, the assistant falls back
+    // to the module-level ingress state.
+    setIngressPublicBaseUrl("https://env-tunnel.example.com");
 
     const config: IngressConfig = {};
 
-    // Assistant resolves the base URL from env
+    // Assistant resolves the base URL from module state
     const assistantBase = getPublicBaseUrl(config);
     expect(assistantBase).toBe("https://env-tunnel.example.com");
 
-    // Gateway would also read the same env var (process.env.INGRESS_PUBLIC_BASE_URL)
-    // and store it as config.ingressPublicBaseUrl.
-    const gatewayIngressPublicBaseUrl = process.env.INGRESS_PUBLIC_BASE_URL;
+    // Gateway would read the same value from the workspace config file
+    // via ConfigFileCache.getString("ingress", "publicBaseUrl").
+    const gatewayIngressPublicBaseUrl = "https://env-tunnel.example.com";
 
     // Callback URL generated by assistant
     const callbackUrl = getTwilioVoiceWebhookUrl(config, "session-xyz");

package/src/__tests__/integration-status.test.ts

@@ -5,6 +5,9 @@ import { credentialKey } from "../security/credential-key.js";
 const secureKeyValues = new Map<string, string>();
 let mockTwilioAccountSid: string | undefined;
 
+/** Set of providers that should report as connected via isProviderConnected(). */
+const connectedProviders = new Set<string>();
+
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: (account: string) => secureKeyValues.get(account),
 }));
@@ -17,12 +20,27 @@ mock.module("../config/loader.js", () => ({
   }),
 }));
 
+mock.module("../oauth/oauth-store.js", () => ({
+  isProviderConnected: (providerKey: string) =>
+    connectedProviders.has(providerKey),
+  getConnectionByProvider: (providerKey: string) =>
+    connectedProviders.has(providerKey)
+      ? { id: `conn-${providerKey}`, status: "active" }
+      : undefined,
+}));
+
+/** Mark a provider as fully connected (active row + access token). */
+function setOAuthConnected(providerKey: string): void {
+  connectedProviders.add(providerKey);
+}
+
 const { getIntegrationSummary, formatIntegrationSummary, hasCapability } =
   await import("../schedule/integration-status.js");
 
 describe("integration-status", () => {
   beforeEach(() => {
     secureKeyValues.clear();
+    connectedProviders.clear();
     mockTwilioAccountSid = undefined;
   });
 
@@ -38,21 +56,11 @@ describe("integration-status", () => {
     });
 
     test("returns all connected when all keys are set", () => {
-      secureKeyValues.set(
-        credentialKey("integration:gmail", "access_token"),
-        "tok",
-      );
-      secureKeyValues.set(
-        credentialKey("integration:slack", "access_token"),
-        "tok",
-      );
+      setOAuthConnected("integration:gmail");
+      setOAuthConnected("integration:slack");
       mockTwilioAccountSid = "sid";
       secureKeyValues.set(credentialKey("twilio", "auth_token"), "auth");
-      secureKeyValues.set(credentialKey("telegram", "bot_token"), "tok");
-      secureKeyValues.set(
-        credentialKey("telegram", "webhook_secret"),
-        "secret",
-      );
+      setOAuthConnected("telegram");
 
       const summary = getIntegrationSummary();
       expect(summary.every((s: { connected: boolean }) => s.connected)).toBe(
@@ -63,11 +71,7 @@ describe("integration-status", () => {
     test("returns mixed status", () => {
       mockTwilioAccountSid = "sid";
       secureKeyValues.set(credentialKey("twilio", "auth_token"), "auth");
-      secureKeyValues.set(credentialKey("telegram", "bot_token"), "tok");
-      secureKeyValues.set(
-        credentialKey("telegram", "webhook_secret"),
-        "secret",
-      );
+      setOAuthConnected("telegram");
 
       const summary = getIntegrationSummary();
       const connected = summary.filter(
@@ -95,9 +99,8 @@ describe("integration-status", () => {
       expect(twilio?.connected).toBe(false);
     });
 
-    test("Telegram disconnected when only bot_token is set (missing webhook_secret)", () => {
-      secureKeyValues.set(credentialKey("telegram", "bot_token"), "tok");
-
+    test("Telegram disconnected when no connection record exists", () => {
+      // No oauth_connection record for telegram — should be disconnected
       const summary = getIntegrationSummary();
       const telegram = summary.find(
         (s: { name: string }) => s.name === "Telegram",
@@ -110,11 +113,7 @@ describe("integration-status", () => {
     test("shows checkmarks and crosses", () => {
       mockTwilioAccountSid = "sid";
       secureKeyValues.set(credentialKey("twilio", "auth_token"), "auth");
-      secureKeyValues.set(credentialKey("telegram", "bot_token"), "tok");
-      secureKeyValues.set(
-        credentialKey("telegram", "webhook_secret"),
-        "secret",
-      );
+      setOAuthConnected("telegram");
 
       const result = formatIntegrationSummary();
       expect(result).toBe(
@@ -130,21 +129,11 @@ describe("integration-status", () => {
     });
 
     test("all connected", () => {
-      secureKeyValues.set(
-        credentialKey("integration:gmail", "access_token"),
-        "tok",
-      );
-      secureKeyValues.set(
-        credentialKey("integration:slack", "access_token"),
-        "tok",
-      );
+      setOAuthConnected("integration:gmail");
+      setOAuthConnected("integration:slack");
       mockTwilioAccountSid = "sid";
       secureKeyValues.set(credentialKey("twilio", "auth_token"), "auth");
-      secureKeyValues.set(credentialKey("telegram", "bot_token"), "tok");
-      secureKeyValues.set(
-        credentialKey("telegram", "webhook_secret"),
-        "secret",
-      );
+      setOAuthConnected("telegram");
 
       const result = formatIntegrationSummary();
       expect(result).toBe(
@@ -160,17 +149,12 @@ describe("integration-status", () => {
     });
 
     test("returns true when any integration in category is connected", () => {
-      secureKeyValues.set(credentialKey("telegram", "bot_token"), "tok");
-      secureKeyValues.set(
-        credentialKey("telegram", "webhook_secret"),
-        "secret",
-      );
+      setOAuthConnected("telegram");
       expect(hasCapability("messaging")).toBe(true);
     });
 
-    test("returns false when only partial credentials exist for category integrations", () => {
-      secureKeyValues.set(credentialKey("telegram", "bot_token"), "tok");
-      // Missing webhook_secret — Telegram should not count as connected
+    test("returns false when no connection record exists for category integrations", () => {
+      // No oauth_connection record for telegram — should not count as connected
       expect(hasCapability("messaging")).toBe(false);
     });
 
@@ -179,10 +163,7 @@ describe("integration-status", () => {
     });
 
     test("email category checks Gmail", () => {
-      secureKeyValues.set(
-        credentialKey("integration:gmail", "access_token"),
-        "tok",
-      );
+      setOAuthConnected("integration:gmail");
       expect(hasCapability("email")).toBe(true);
     });
   });

package/src/__tests__/intent-routing.test.ts

@@ -45,7 +45,6 @@ mock.module("../util/logger.js", () => ({
   ...realLogger,
   getLogger: () => noopLogger,
   getCliLogger: () => noopLogger,
-  isDebug: () => false,
   truncateForLog: (v: string) => v,
   initLogger: () => {},
   pruneOldLogFiles: () => 0,

package/src/__tests__/invite-redemption-service.test.ts

@@ -23,7 +23,10 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-import { findContactChannel } from "../contacts/contact-store.js";
+import {
+  findContactChannel,
+  upsertContact,
+} from "../contacts/contact-store.js";
 import { upsertContactChannel } from "../contacts/contacts-write.js";
 import { getSqlite, initializeDb, resetDb } from "../memory/db.js";
 import {
@@ -278,6 +281,67 @@ describe("invite-redemption-service", () => {
     expect(outcome).toEqual({ ok: false, reason: "invalid_token" });
   });
 
+  test("returns invalid_token for a revoked guardian to prevent invite-based reactivation", () => {
+    const { rawToken } = createInvite({
+      sourceChannel: "telegram",
+      maxUses: 5,
+    });
+
+    // Pre-create a guardian contact with a revoked telegram channel
+    upsertContact({
+      displayName: "Guardian",
+      role: "guardian",
+      channels: [
+        {
+          type: "telegram",
+          address: "guardian-tg-id",
+          externalUserId: "guardian-tg-id",
+          status: "revoked",
+        },
+      ],
+    });
+
+    const outcome = redeemInvite({
+      rawToken,
+      sourceChannel: "telegram",
+      externalUserId: "guardian-tg-id",
+    });
+
+    // Must reject — guardian channels are managed via the binding flow, not invites
+    expect(outcome).toEqual({ ok: false, reason: "invalid_token" });
+  });
+
+  test("returns invalid_token for a revoked guardian via 6-digit invite code", () => {
+    const code = "123456";
+    const inviteCodeHash = hashVoiceCode(code);
+    createInvite({
+      sourceChannel: "telegram",
+      maxUses: 5,
+      inviteCodeHash,
+    });
+
+    upsertContact({
+      displayName: "Guardian",
+      role: "guardian",
+      channels: [
+        {
+          type: "telegram",
+          address: "guardian-code-id",
+          externalUserId: "guardian-code-id",
+          status: "revoked",
+        },
+      ],
+    });
+
+    const outcome = redeemInviteByCode({
+      code,
+      sourceChannel: "telegram",
+      externalUserId: "guardian-code-id",
+    });
+
+    expect(outcome).toEqual({ ok: false, reason: "invalid_token" });
+  });
+
   test("does not return already_member for a revoked member", () => {
     const { rawToken } = createInvite({
       sourceChannel: "telegram",

package/src/__tests__/invite-routes-http.test.ts

@@ -24,8 +24,7 @@ mock.module("../util/logger.js", () => ({
 }));
 
 // Prevent ensureTelegramBotUsernameResolved() from reading real credentials
-// and calling the Telegram API, which would populate credential metadata
-// with the real bot username and shadow the env var override in tests.
+// and calling the Telegram API.
 mock.module("../security/secure-keys.js", () => ({
   getSecureKey: () => undefined,
   setSecureKey: () => {},
@@ -35,6 +34,13 @@ mock.module("../security/secure-keys.js", () => ({
   deleteSecureKeyAsync: async () => {},
 }));
 
+// Mock getTelegramBotUsername — the env var fallback was removed so we
+// control the return value directly via a mutable variable.
+let mockTelegramBotUsername: string | undefined;
+mock.module("../telegram/bot-username.js", () => ({
+  getTelegramBotUsername: () => mockTelegramBotUsername,
+}));
+
 import { getSqlite, initializeDb, resetDb } from "../memory/db.js";
 import {
   handleCreateInvite,
@@ -94,8 +100,7 @@ describe("ingress invite HTTP routes", () => {
   });
 
   test("POST /v1/contacts/invites — includes canonical share URL when bot username is configured", async () => {
-    const prevBotUsername = process.env.TELEGRAM_BOT_USERNAME;
-    process.env.TELEGRAM_BOT_USERNAME = "test_invite_bot";
+    mockTelegramBotUsername = "test_invite_bot";
 
     try {
       const req = new Request("http://localhost/v1/contacts/invites", {
@@ -121,11 +126,7 @@ describe("ingress invite HTTP routes", () => {
       expect(share.url).toBe(`https://t.me/test_invite_bot?start=iv_${token}`);
       expect(typeof share.displayText).toBe("string");
     } finally {
-      if (prevBotUsername === undefined) {
-        delete process.env.TELEGRAM_BOT_USERNAME;
-      } else {
-        process.env.TELEGRAM_BOT_USERNAME = prevBotUsername;
-      }
+      mockTelegramBotUsername = undefined;
     }
   });
 

package/src/__tests__/keychain-broker-client.test.ts

@@ -36,7 +36,7 @@ const TEST_DIR = join(
 );
 const TOKEN_DIR = join(TEST_DIR, ".vellum", "protected");
 const TOKEN_PATH = join(TOKEN_DIR, "keychain-broker.token");
-const SOCKET_PATH = join(TEST_DIR, "broker.sock");
+const SOCKET_PATH = join(TEST_DIR, ".vellum", "keychain-broker.sock");
 const TEST_TOKEN = "test-auth-token-abc123";
 
 // ---------------------------------------------------------------------------
@@ -106,14 +106,11 @@ function createMockBroker(): {
 // Setup / teardown
 // ---------------------------------------------------------------------------
 
-let originalEnv: string | undefined;
-
 beforeAll(() => {
   mkdirSync(TOKEN_DIR, { recursive: true });
 });
 
 beforeEach(() => {
-  originalEnv = process.env.VELLUM_KEYCHAIN_BROKER_SOCKET;
   // Clean up socket file from prior test
   try {
     rmSync(SOCKET_PATH, { force: true });
@@ -122,14 +119,6 @@ beforeEach(() => {
   }
 });
 
-afterEach(() => {
-  if (originalEnv === undefined) {
-    delete process.env.VELLUM_KEYCHAIN_BROKER_SOCKET;
-  } else {
-    process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = originalEnv;
-  }
-});
-
 afterAll(() => {
   rmSync(TEST_DIR, { recursive: true, force: true });
 });
@@ -157,15 +146,15 @@ describe("keychain-broker-client", () => {
   // isAvailable()
   // -----------------------------------------------------------------------
   describe("isAvailable", () => {
-    test("returns false when env var is unset", () => {
-      delete process.env.VELLUM_KEYCHAIN_BROKER_SOCKET;
+    test("returns false when socket file does not exist", () => {
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       const client = createBrokerClient();
       expect(client.isAvailable()).toBe(false);
     });
 
     test("returns false when token file does not exist", () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
+      // Create the socket file so that check passes
+      writeFileSync(SOCKET_PATH, "");
       try {
         rmSync(TOKEN_PATH, { force: true });
       } catch {
@@ -175,8 +164,8 @@ describe("keychain-broker-client", () => {
       expect(client.isAvailable()).toBe(false);
     });
 
-    test("returns true when both env var and token file exist", () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
+    test("returns true when both socket file and token file exist", () => {
+      writeFileSync(SOCKET_PATH, "");
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       const client = createBrokerClient();
       expect(client.isAvailable()).toBe(true);
@@ -190,7 +179,6 @@ describe("keychain-broker-client", () => {
     let broker: ReturnType<typeof createMockBroker>;
 
     beforeEach(async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       broker = createMockBroker();
     });
@@ -276,7 +264,7 @@ describe("keychain-broker-client", () => {
 
       const client = createBrokerClient();
       const result = await client.set("my-key", "new-value");
-      expect(result).toBe(true);
+      expect(result).toEqual({ status: "ok" });
     });
 
     test("del returns true on success", async () => {
@@ -343,7 +331,6 @@ describe("keychain-broker-client", () => {
     let broker: ReturnType<typeof createMockBroker>;
 
     beforeEach(async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       broker = createMockBroker();
     });
@@ -381,7 +368,6 @@ describe("keychain-broker-client", () => {
     let broker: ReturnType<typeof createMockBroker>;
 
     beforeEach(async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
       writeFileSync(TOKEN_PATH, "old-token");
       broker = createMockBroker();
     });
@@ -441,59 +427,42 @@ describe("keychain-broker-client", () => {
   // Graceful degradation
   // -----------------------------------------------------------------------
   describe("graceful degradation", () => {
-    test("get returns null when broker is not running", async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
+    test("get returns null when socket file does not exist", async () => {
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       const client = createBrokerClient();
       const result = await client.get("test-key");
       expect(result).toBeNull();
     });
 
-    test("set returns false when broker is not running", async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
+    test("set returns unreachable when socket file does not exist", async () => {
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       const client = createBrokerClient();
       const result = await client.set("test-key", "value");
-      expect(result).toBe(false);
+      expect(result).toEqual({ status: "unreachable" });
     });
 
-    test("del returns false when broker is not running", async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
+    test("del returns false when socket file does not exist", async () => {
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       const client = createBrokerClient();
       const result = await client.del("test-key");
       expect(result).toBe(false);
     });
 
-    test("list returns empty array when broker is not running", async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
+    test("list returns empty array when socket file does not exist", async () => {
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       const client = createBrokerClient();
       const result = await client.list();
       expect(result).toEqual([]);
     });
 
-    test("ping returns null when broker is not running", async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
+    test("ping returns null when socket file does not exist", async () => {
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       const client = createBrokerClient();
       const result = await client.ping();
       expect(result).toBeNull();
     });
 
-    test("returns fallbacks when socket path env var is unset", async () => {
-      delete process.env.VELLUM_KEYCHAIN_BROKER_SOCKET;
-      writeFileSync(TOKEN_PATH, TEST_TOKEN);
-      const client = createBrokerClient();
-      expect(await client.get("key")).toBeNull();
-      expect(await client.set("key", "val")).toBe(false);
-      expect(await client.del("key")).toBe(false);
-      expect(await client.list()).toEqual([]);
-      expect(await client.ping()).toBeNull();
-    });
-
     test("returns fallbacks when token file is missing", async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
       try {
         rmSync(TOKEN_PATH, { force: true });
       } catch {
@@ -501,7 +470,7 @@ describe("keychain-broker-client", () => {
       }
       const client = createBrokerClient();
       expect(await client.get("key")).toBeNull();
-      expect(await client.set("key", "val")).toBe(false);
+      expect(await client.set("key", "val")).toEqual({ status: "unreachable" });
       expect(await client.del("key")).toBe(false);
       expect(await client.list()).toEqual([]);
       expect(await client.ping()).toBeNull();
@@ -515,7 +484,6 @@ describe("keychain-broker-client", () => {
     let broker: ReturnType<typeof createMockBroker>;
 
     beforeEach(async () => {
-      process.env.VELLUM_KEYCHAIN_BROKER_SOCKET = SOCKET_PATH;
       writeFileSync(TOKEN_PATH, TEST_TOKEN);
       broker = createMockBroker();
     });