@vellumai/assistant 0.4.49 → 0.4.50

package/src/__tests__/memory-retrieval.benchmark.test.ts

@@ -4,6 +4,13 @@
  * Measures end-to-end memory recall time with varying database sizes.
  * Validates latency stays within acceptable bounds and token budget
  * enforcement works correctly.
+ *
+ * The new pipeline uses hybrid search (Qdrant) + recency search.
+ * With Qdrant mocked and semanticSearch returning empty, only recency
+ * search provides candidates. These recency-only candidates have
+ * low finalScore (< 0.6) and are filtered out by tier classification,
+ * so injectedText is empty. The tests verify pipeline completion,
+ * latency bounds, and correct handling of recency hits.
  */
 import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
@@ -38,8 +45,7 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-// Counter for semantic search invocations — used to verify early termination
-// skips the call entirely rather than relying on flaky wall-clock comparisons.
+// Counter for semantic search invocations
 let semanticSearchCallCount = 0;
 
 mock.module("../memory/search/semantic.js", () => ({
@@ -63,6 +69,8 @@ mock.module("../memory/embedding-backend.js", () => ({
     model: "mock-embedding",
     vectors: [new Array(1536).fill(0)],
   }),
+  generateSparseEmbedding: () => ({ indices: [], values: [] }),
+  logMemoryEmbeddingWarning: () => {},
 }));
 
 import { DEFAULT_CONFIG } from "../config/defaults.js";
@@ -135,13 +143,7 @@ function makeConfig(overrides?: { maxInjectTokens?: number }): AssistantConfig {
       },
       retrieval: {
         ...DEFAULT_CONFIG.memory.retrieval,
-        lexicalTopK: 50,
-        semanticTopK: 20,
         maxInjectTokens: overrides?.maxInjectTokens ?? 750,
-        reranking: {
-          ...DEFAULT_CONFIG.memory.retrieval.reranking,
-          enabled: false,
-        },
         dynamicBudget: {
           enabled: false,
           minInjectTokens: 160,
@@ -161,13 +163,9 @@ describe("Memory retrieval benchmark", () => {
   beforeEach(() => {
     const db = getDb();
     db.run("DELETE FROM memory_item_sources");
-    db.run("DELETE FROM memory_item_entities");
-    db.run("DELETE FROM memory_entity_relations");
-    db.run("DELETE FROM memory_entities");
     db.run("DELETE FROM memory_embeddings");
-    db.run("DELETE FROM memory_summaries");
     db.run("DELETE FROM memory_items");
-    db.run("DELETE FROM memory_segment_fts");
+
     db.run("DELETE FROM memory_segments");
     db.run("DELETE FROM messages");
     db.run("DELETE FROM conversations");
@@ -198,8 +196,8 @@ describe("Memory retrieval benchmark", () => {
 
     expect(recall.enabled).toBe(true);
     expect(recall.degraded).toBe(false);
-    expect(recall.lexicalHits).toBeGreaterThan(0);
-    expect(recall.selectedCount).toBeGreaterThan(0);
+    // Recency search finds conversation-scoped segments
+    expect(recall.recencyHits).toBeGreaterThan(0);
     // Relaxed threshold — guards against severe regressions, not precise benchmarking
     expect(recall.latencyMs).toBeLessThan(500);
   });
@@ -218,8 +216,7 @@ describe("Memory retrieval benchmark", () => {
 
     expect(recall.enabled).toBe(true);
     expect(recall.degraded).toBe(false);
-    expect(recall.lexicalHits).toBeGreaterThan(0);
-    expect(recall.selectedCount).toBeGreaterThan(0);
+    expect(recall.recencyHits).toBeGreaterThan(0);
     expect(recall.latencyMs).toBeLessThan(1000);
   });
 
@@ -237,8 +234,7 @@ describe("Memory retrieval benchmark", () => {
 
     expect(recall.enabled).toBe(true);
     expect(recall.degraded).toBe(false);
-    expect(recall.lexicalHits).toBeGreaterThan(0);
-    expect(recall.selectedCount).toBeGreaterThan(0);
+    expect(recall.recencyHits).toBeGreaterThan(0);
     expect(recall.latencyMs).toBeLessThan(2000);
   });
 
@@ -256,10 +252,11 @@ describe("Memory retrieval benchmark", () => {
     );
 
     expect(recall.enabled).toBe(true);
+    // With Qdrant mocked empty and recency-only candidates below tier threshold,
+    // injectedTokens is 0. Verify the budget cap is still respected.
     expect(recall.injectedTokens).toBeLessThanOrEqual(smallBudget);
-    expect(recall.injectedTokens).toBeGreaterThan(0);
 
-    // Compare against a larger budget to verify the cap actually constrains
+    // Compare against a larger budget
     const largeBudget = 2000;
     const largeConfig = makeConfig({ maxInjectTokens: largeBudget });
     const largeRecall = await buildMemoryRecall(
@@ -275,137 +272,20 @@ describe("Memory retrieval benchmark", () => {
     );
   });
 
-  test("early termination reduces latency when applicable", async () => {
-    const conversationId = "conv-bench-et";
-    const now = 1_700_500_000_000;
-    // Seed enough items that early termination can trigger
-    seedMemoryItems(conversationId, 500, now);
-
-    // Config with early termination enabled and low thresholds to trigger it
-    const etConfig: AssistantConfig = {
-      ...DEFAULT_CONFIG,
-      memory: {
-        ...DEFAULT_CONFIG.memory,
-        embeddings: {
-          ...DEFAULT_CONFIG.memory.embeddings,
-          provider: "local" as const,
-          required: false,
-        },
-        retrieval: {
-          ...DEFAULT_CONFIG.memory.retrieval,
-          lexicalTopK: 50,
-          semanticTopK: 20,
-          maxInjectTokens: 750,
-          reranking: {
-            ...DEFAULT_CONFIG.memory.retrieval.reranking,
-            enabled: false,
-          },
-          dynamicBudget: {
-            enabled: false,
-            minInjectTokens: 160,
-            maxInjectTokens: 750,
-            targetHeadroomTokens: 900,
-          },
-          earlyTermination: {
-            enabled: true,
-            minCandidates: 5,
-            minHighConfidence: 3,
-            confidenceThreshold: 0.3,
-          },
-        },
-      },
-    };
-
-    const recall = await buildMemoryRecall(
-      "What do we know about topic-5 and keyword-3?",
-      conversationId,
-      etConfig,
-    );
-
-    expect(recall.enabled).toBe(true);
-    expect(recall.earlyTerminated).toBe(true);
-    // Semantic search should be skipped when early termination fires
-    expect(recall.semanticHits).toBe(0);
-    expect(recall.selectedCount).toBeGreaterThan(0);
-  });
-
-  test("early termination skips semantic search entirely", async () => {
-    const conversationId = "conv-bench-et-skip";
+  test("semantic search is invoked when not early terminated", async () => {
+    const conversationId = "conv-bench-semantic";
     const now = 1_700_500_000_000;
-    seedMemoryItems(conversationId, 500, now);
+    seedMemoryItems(conversationId, 100, now);
 
     const query = "What do we know about topic-5 and keyword-3?";
 
-    const etConfig: AssistantConfig = {
-      ...DEFAULT_CONFIG,
-      memory: {
-        ...DEFAULT_CONFIG.memory,
-        embeddings: {
-          ...DEFAULT_CONFIG.memory.embeddings,
-          provider: "local" as const,
-          required: false,
-        },
-        retrieval: {
-          ...DEFAULT_CONFIG.memory.retrieval,
-          lexicalTopK: 50,
-          semanticTopK: 20,
-          maxInjectTokens: 750,
-          reranking: {
-            ...DEFAULT_CONFIG.memory.retrieval.reranking,
-            enabled: false,
-          },
-          dynamicBudget: {
-            enabled: false,
-            minInjectTokens: 160,
-            maxInjectTokens: 750,
-            targetHeadroomTokens: 900,
-          },
-          earlyTermination: {
-            enabled: true,
-            minCandidates: 5,
-            minHighConfidence: 3,
-            confidenceThreshold: 0.3,
-          },
-        },
-      },
-    };
-
-    const noEtConfig: AssistantConfig = {
-      ...etConfig,
-      memory: {
-        ...etConfig.memory,
-        retrieval: {
-          ...etConfig.memory.retrieval,
-          earlyTermination: {
-            enabled: false,
-            minCandidates: 5,
-            minHighConfidence: 3,
-            confidenceThreshold: 0.3,
-          },
-        },
-      },
-    };
-
-    // Run with ET enabled — semantic search should be skipped
-    semanticSearchCallCount = 0;
-    const etRecall = await buildMemoryRecall(query, conversationId, etConfig);
-    const etCalls = semanticSearchCallCount;
-
-    expect(etRecall.earlyTerminated).toBe(true);
-    expect(etRecall.semanticHits).toBe(0);
-    expect(etCalls).toBe(0);
-
-    // Run without ET — semantic search should be invoked
+    // earlyTermination is always false in the new pipeline, so semantic
+    // search should always be invoked when a query vector is available.
     semanticSearchCallCount = 0;
-    const baselineRecall = await buildMemoryRecall(
-      query,
-      conversationId,
-      noEtConfig,
-    );
-    const baselineCalls = semanticSearchCallCount;
+    const config = makeConfig();
+    await buildMemoryRecall(query, conversationId, config);
 
-    expect(baselineRecall.earlyTerminated).toBe(false);
-    expect(baselineCalls).toBeGreaterThan(0);
+    expect(semanticSearchCallCount).toBeGreaterThan(0);
   });
 
   test("recall.latencyMs tracks wall-clock within 50% tolerance", async () => {
@@ -427,14 +307,17 @@ describe("Memory retrieval benchmark", () => {
     const wallMs = Date.now() - wallStart;
 
     expect(recall.enabled).toBe(true);
-    expect(recall.latencyMs).toBeGreaterThan(0);
+    // latencyMs may be 0 when the pipeline runs very fast (< 1ms granularity)
+    expect(recall.latencyMs).toBeGreaterThanOrEqual(0);
 
     // Self-reported latencyMs should agree with wall-clock within 50%.
     // Tolerance is wide because both sides use Date.now() (integer ms),
     // so on fast runs the quantization error can be large relative to
     // total elapsed time.
-    const ratio = recall.latencyMs / Math.max(wallMs, 1);
-    expect(ratio).toBeGreaterThanOrEqual(0.5);
-    expect(ratio).toBeLessThanOrEqual(1.5);
+    if (wallMs > 0) {
+      const ratio = recall.latencyMs / wallMs;
+      expect(ratio).toBeGreaterThanOrEqual(0.5);
+      expect(ratio).toBeLessThanOrEqual(1.5);
+    }
   });
 });

package/src/__tests__/memory-upsert-concurrency.test.ts

@@ -1,11 +1,10 @@
 /**
  * Atomicity tests for memory UPSERT paths.
  *
- * SQLite is single-writer, and indexMessageNow / createOrUpdatePendingConflict
- * are synchronous functions.  Because every call runs to completion before the
- * next microtask starts, the Promise.all / Promise.resolve().then() pattern
- * used here does NOT create true concurrent execution — calls still run
- * sequentially.
+ * SQLite is single-writer, and indexMessageNow is a synchronous function.
+ * Because every call runs to completion before the next microtask starts, the
+ * Promise.all / Promise.resolve().then() pattern used here does NOT create
+ * true concurrent execution — calls still run sequentially.
  *
  * What these tests DO verify is the correctness of the ON CONFLICT /
  * IMMEDIATE-transaction logic when the same logical operation is repeated many
@@ -47,6 +46,7 @@ mock.module("../util/logger.js", () => ({
 mock.module("../memory/qdrant-client.js", () => ({
   getQdrantClient: () => ({
     searchWithFilter: async () => [],
+    hybridSearch: async () => [],
     upsertPoints: async () => {},
     deletePoints: async () => {},
   }),
@@ -75,10 +75,6 @@ mock.module("../config/loader.js", () => ({
   invalidateConfigCache: () => {},
 }));
 
-import {
-  createOrUpdatePendingConflict,
-  listPendingConflicts,
-} from "../memory/conflict-store.js";
 import { getDb, initializeDb, resetDb } from "../memory/db.js";
 import { indexMessageNow } from "../memory/indexer.js";
 import {
@@ -102,15 +98,9 @@ afterAll(() => {
 
 function resetTables() {
   const db = getDb();
-  db.run("DELETE FROM memory_item_conflicts");
-  db.run("DELETE FROM memory_item_entities");
-  db.run("DELETE FROM memory_entity_relations");
-  db.run("DELETE FROM memory_entities");
   db.run("DELETE FROM memory_item_sources");
   db.run("DELETE FROM memory_embeddings");
-  db.run("DELETE FROM memory_summaries");
   db.run("DELETE FROM memory_items");
-  db.run("DELETE FROM memory_segment_fts");
   db.run("DELETE FROM memory_segments");
   db.run("DELETE FROM memory_jobs");
   db.run("DELETE FROM messages");
@@ -151,50 +141,6 @@ function seedConversationAndMessage(
     .run();
 }
 
-/** Insert a pair of memory items that can serve as conflict participants. */
-function seedItemPair(
-  suffix: string,
-  scopeId = "default",
-): { existingItemId: string; candidateItemId: string } {
-  const db = getDb();
-  const now = Date.now();
-  const existingItemId = `existing-${suffix}`;
-  const candidateItemId = `candidate-${suffix}`;
-  db.insert(memoryItems)
-    .values([
-      {
-        id: existingItemId,
-        kind: "preference",
-        subject: "framework preference",
-        statement: `Existing statement ${suffix}`,
-        status: "active",
-        confidence: 0.8,
-        importance: 0.7,
-        fingerprint: `fp-existing-${suffix}`,
-        verificationState: "assistant_inferred",
-        scopeId,
-        firstSeenAt: now,
-        lastSeenAt: now,
-      },
-      {
-        id: candidateItemId,
-        kind: "preference",
-        subject: "framework preference",
-        statement: `Candidate statement ${suffix}`,
-        status: "pending_clarification",
-        confidence: 0.8,
-        importance: 0.7,
-        fingerprint: `fp-candidate-${suffix}`,
-        verificationState: "assistant_inferred",
-        scopeId,
-        firstSeenAt: now,
-        lastSeenAt: now,
-      },
-    ])
-    .run();
-  return { existingItemId, candidateItemId };
-}
-
 // ─────────────────────────────────────────────────────────────────────────────
 // Test suite: segment UPSERT atomicity under parallel indexer load
 // ─────────────────────────────────────────────────────────────────────────────
@@ -484,191 +430,6 @@ describe("segment UPSERT atomicity under repeated indexer invocations", () => {
   });
 });
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Test suite: conflict creation UPSERT atomicity
-// ─────────────────────────────────────────────────────────────────────────────
-
-describe("conflict creation UPSERT atomicity", () => {
-  beforeEach(() => {
-    resetTables();
-  });
-
-  test("repeated createOrUpdatePendingConflict calls for the same pair produce exactly one conflict row", async () => {
-    // Critical UPSERT path: the same conflict pair inserted multiple times
-    // (e.g. duplicate worker dispatches, retries).  The IMMEDIATE transaction
-    // guard in createOrUpdatePendingConflict must ensure only one row exists.
-    const pair = seedItemPair("parallel-create");
-
-    // Call createOrUpdatePendingConflict N times for the same pair.  Calls run
-    // sequentially (synchronous); the test verifies that repeated calls produce
-    // exactly one conflict row — the IMMEDIATE transaction deduplication path.
-    const WORKERS = 10;
-    const results = await Promise.all(
-      Array.from({ length: WORKERS }, (_, i) =>
-        Promise.resolve().then(() =>
-          createOrUpdatePendingConflict({
-            scopeId: "default",
-            existingItemId: pair.existingItemId,
-            candidateItemId: pair.candidateItemId,
-            relationship: "ambiguous_contradiction",
-            clarificationQuestion: `Worker ${i} discovered a contradiction`,
-          }),
-        ),
-      ),
-    );
-
-    // All callers must receive the same conflict ID — the deduplication path
-    // returns the existing row on the second and subsequent calls.
-    const firstId = results[0].id;
-    for (const result of results) {
-      expect(result.id).toBe(firstId);
-    }
-
-    // Exactly one pending conflict row in the DB.
-    const pending = listPendingConflicts("default");
-    expect(pending).toHaveLength(1);
-    expect(pending[0].id).toBe(firstId);
-  });
-
-  test("conflict creation for different pairs produces distinct rows without cross-contamination", async () => {
-    // Each unique item pair must get its own conflict row — deduplication must
-    // be scoped to the pair, not global.  Also exercises the idempotent
-    // insert-then-update path within each pair.
-    const PAIR_COUNT = 6;
-    const pairs = Array.from({ length: PAIR_COUNT }, (_, i) =>
-      seedItemPair(`multi-pair-${i}`),
-    );
-
-    // For each pair, make two calls: one insert and one update.  All calls run
-    // sequentially.  The test verifies that each pair ends up with exactly one
-    // conflict row (no cross-pair contamination, idempotent update path works).
-    await Promise.all(
-      pairs.flatMap((pair) => [
-        // First call: insert with 'contradiction'.
-        Promise.resolve().then(() =>
-          createOrUpdatePendingConflict({
-            scopeId: "default",
-            existingItemId: pair.existingItemId,
-            candidateItemId: pair.candidateItemId,
-            relationship: "contradiction",
-          }),
-        ),
-        // Second call: update to 'ambiguous_contradiction' — tests the idempotent update path.
-        Promise.resolve().then(() =>
-          createOrUpdatePendingConflict({
-            scopeId: "default",
-            existingItemId: pair.existingItemId,
-            candidateItemId: pair.candidateItemId,
-            relationship: "ambiguous_contradiction",
-          }),
-        ),
-      ]),
-    );
-
-    // Each pair must have produced exactly one pending conflict.
-    const pending = listPendingConflicts("default");
-    expect(pending).toHaveLength(PAIR_COUNT);
-
-    // All conflict IDs must be unique.
-    const ids = pending.map((c) => c.id);
-    expect(new Set(ids).size).toBe(PAIR_COUNT);
-
-    // Each returned conflict must reference the correct item pair.
-    for (let i = 0; i < PAIR_COUNT; i++) {
-      const pair = pairs[i];
-      const found = pending.find(
-        (c) =>
-          c.existingItemId === pair.existingItemId &&
-          c.candidateItemId === pair.candidateItemId,
-      );
-      expect(found).toBeDefined();
-      // The update call ran after the insert, so relationship is ambiguous_contradiction.
-      expect(found!.relationship).toBe("ambiguous_contradiction");
-    }
-  });
-
-  test("repeated updates to the same conflict row converge to a consistent state", async () => {
-    // Multiple update calls for the same conflict (e.g. repeated worker runs).
-    // All updates must succeed (last writer wins is acceptable) and the row
-    // must remain internally consistent.
-    const pair = seedItemPair("concurrent-update");
-    const first = createOrUpdatePendingConflict({
-      scopeId: "default",
-      existingItemId: pair.existingItemId,
-      candidateItemId: pair.candidateItemId,
-      relationship: "contradiction",
-      clarificationQuestion: "Initial question",
-    });
-
-    // Call createOrUpdatePendingConflict N times against the same existing row.
-    // Calls are sequential; the test verifies the row stays consistent (one row,
-    // valid status/relationship) after repeated updates — last writer wins.
-    const UPDATES = 8;
-    const results = await Promise.all(
-      Array.from({ length: UPDATES }, (_, i) =>
-        Promise.resolve().then(() =>
-          createOrUpdatePendingConflict({
-            scopeId: "default",
-            existingItemId: pair.existingItemId,
-            candidateItemId: pair.candidateItemId,
-            relationship: "ambiguous_contradiction",
-            clarificationQuestion: `Updated question from worker ${i}`,
-          }),
-        ),
-      ),
-    );
-
-    // All calls must return the same conflict ID.
-    for (const result of results) {
-      expect(result.id).toBe(first.id);
-    }
-
-    // Still exactly one row in the DB.
-    const pending = listPendingConflicts("default");
-    expect(pending).toHaveLength(1);
-
-    // The row must be consistent: valid status, valid relationship.
-    const conflict = pending[0];
-    expect(conflict.status).toBe("pending_clarification");
-    expect(conflict.relationship).toBe("ambiguous_contradiction");
-  });
-
-  test("scope isolation ensures conflicts in different scopes do not interfere", async () => {
-    // Conflicts created in different scopes must not cross-contaminate each
-    // other's conflict sets — scopeId must be part of the deduplication key.
-    const SCOPES = ["scope-alpha", "scope-beta", "scope-gamma"];
-    const scopePairs = SCOPES.map((scope) => ({
-      scope,
-      pair: seedItemPair(`scope-${scope}`, scope),
-    }));
-
-    // Make 3 calls per scope for all scopes.  Calls run sequentially; the test
-    // verifies that each scope produces exactly one conflict row and that there
-    // is no cross-scope contamination from repeated same-scope calls.
-    await Promise.all(
-      scopePairs.flatMap(({ scope, pair }) =>
-        Array.from({ length: 3 }, () =>
-          Promise.resolve().then(() =>
-            createOrUpdatePendingConflict({
-              scopeId: scope,
-              existingItemId: pair.existingItemId,
-              candidateItemId: pair.candidateItemId,
-              relationship: "contradiction",
-            }),
-          ),
-        ),
-      ),
-    );
-
-    for (const scope of SCOPES) {
-      const pending = listPendingConflicts(scope);
-      // Exactly one conflict per scope, no cross-scope leakage.
-      expect(pending).toHaveLength(1);
-      expect(pending[0].scopeId).toBe(scope);
-    }
-  });
-});
-
 // ─────────────────────────────────────────────────────────────────────────────
 // Test suite: memory segment job atomicity
 // ─────────────────────────────────────────────────────────────────────────────

package/src/__tests__/mime-builder.test.ts

@@ -81,4 +81,32 @@ describe("buildMultipartMime", () => {
     expect(decoded).toContain('filename="b.png"');
     expect(decoded).toContain("Content-Type: image/png");
   });
+
+  test("sanitizes CRLF from header values to prevent header injection", () => {
+    const result = buildMultipartMime({
+      to: "victim@example.com\r\nBcc: attacker@example.com",
+      subject: "Fwd: Hello\r\nCc: attacker@example.com",
+      body: "Body",
+      cc: "team@example.com\nX-Injected: yes",
+      bcc: "audit@example.com\r\nX-Another: value",
+      inReplyTo: "<id@example.com>\nReferences: <evil@example.com>",
+      attachments: [],
+    });
+
+    const decoded = Buffer.from(
+      result.replace(/-/g, "+").replace(/_/g, "/"),
+      "base64",
+    ).toString("utf-8");
+
+    expect(decoded).toContain("To: victim@example.com Bcc: attacker@example.com");
+    expect(decoded).toContain("Subject: Fwd: Hello Cc: attacker@example.com");
+    expect(decoded).toContain("Cc: team@example.com X-Injected: yes");
+    expect(decoded).toContain("Bcc: audit@example.com X-Another: value");
+    expect(decoded).toContain(
+      "In-Reply-To: <id@example.com> References: <evil@example.com>",
+    );
+    expect(decoded).not.toContain("\r\nBcc: attacker@example.com");
+    expect(decoded).not.toContain("\r\nCc: attacker@example.com");
+  });
+
 });

package/src/__tests__/native-web-search.test.ts

@@ -431,6 +431,7 @@ describe("Native Web Search — Streaming Events", () => {
       type: "server_tool_start",
       name: "web_search",
       toolUseId: "stu_stream123",
+      input: {},
     });
   });