npm - @vellumai/assistant - Versions diffs - 0.4.49 → 0.4.50 - Mend

@vellumai/assistant 0.4.49 → 0.4.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

package/ARCHITECTURE.md +24 -33
package/README.md +3 -3
package/docs/architecture/memory.md +180 -119
package/package.json +2 -2
package/src/__tests__/agent-loop.test.ts +3 -1
package/src/__tests__/anthropic-provider.test.ts +114 -23
package/src/__tests__/approval-cascade.test.ts +1 -15
package/src/__tests__/approval-routes-http.test.ts +2 -0
package/src/__tests__/assistant-feature-flag-guard.test.ts +0 -23
package/src/__tests__/canonical-guardian-store.test.ts +95 -0
package/src/__tests__/checker.test.ts +13 -0
package/src/__tests__/config-schema.test.ts +1 -68
package/src/__tests__/context-memory-e2e.test.ts +11 -100
package/src/__tests__/conversation-routes-guardian-reply.test.ts +8 -0
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/credential-security-e2e.test.ts +1 -0
package/src/__tests__/credential-vault-unit.test.ts +4 -0
package/src/__tests__/credential-vault.test.ts +13 -1
package/src/__tests__/cu-unified-flow.test.ts +532 -0
package/src/__tests__/date-context.test.ts +93 -77
package/src/__tests__/deterministic-verification-control-plane.test.ts +64 -0
package/src/__tests__/guardian-routing-invariants.test.ts +93 -0
package/src/__tests__/history-repair.test.ts +245 -0
package/src/__tests__/host-cu-proxy.test.ts +165 -3
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/invite-redemption-service.test.ts +65 -1
package/src/__tests__/keychain-broker-client.test.ts +4 -4
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +56 -18
package/src/__tests__/memory-lifecycle-e2e.test.ts +244 -387
package/src/__tests__/memory-recall-quality.test.ts +244 -407
package/src/__tests__/memory-regressions.experimental.test.ts +126 -101
package/src/__tests__/memory-regressions.test.ts +477 -2841
package/src/__tests__/memory-retrieval.benchmark.test.ts +33 -150
package/src/__tests__/memory-upsert-concurrency.test.ts +5 -244
package/src/__tests__/mime-builder.test.ts +28 -0
package/src/__tests__/native-web-search.test.ts +1 -0
package/src/__tests__/oauth-cli.test.ts +572 -5
package/src/__tests__/oauth-store.test.ts +120 -6
package/src/__tests__/qdrant-collection-migration.test.ts +53 -8
package/src/__tests__/registry.test.ts +0 -1
package/src/__tests__/relay-server.test.ts +46 -1
package/src/__tests__/schedule-tools.test.ts +32 -0
package/src/__tests__/script-proxy-certs.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -0
package/src/__tests__/secure-keys.test.ts +7 -2
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/session-abort-tool-results.test.ts +1 -14
package/src/__tests__/session-agent-loop-overflow.test.ts +1583 -0
package/src/__tests__/session-agent-loop.test.ts +19 -15
package/src/__tests__/session-confirmation-signals.test.ts +1 -15
package/src/__tests__/session-error.test.ts +124 -2
package/src/__tests__/session-history-web-search.test.ts +918 -0
package/src/__tests__/session-pre-run-repair.test.ts +1 -14
package/src/__tests__/session-provider-retry-repair.test.ts +25 -28
package/src/__tests__/session-queue.test.ts +37 -27
package/src/__tests__/session-runtime-assembly.test.ts +54 -0
package/src/__tests__/session-slash-known.test.ts +1 -15
package/src/__tests__/session-slash-queue.test.ts +1 -15
package/src/__tests__/session-slash-unknown.test.ts +1 -15
package/src/__tests__/session-workspace-cache-state.test.ts +3 -33
package/src/__tests__/session-workspace-injection.test.ts +3 -37
package/src/__tests__/session-workspace-tool-tracking.test.ts +3 -37
package/src/__tests__/skills-install-extract.test.ts +93 -0
package/src/__tests__/skillssh-registry.test.ts +451 -0
package/src/__tests__/trust-store.test.ts +15 -0
package/src/__tests__/voice-invite-redemption.test.ts +32 -1
package/src/agent/ax-tree-compaction.test.ts +51 -0
package/src/agent/loop.ts +39 -12
package/src/approvals/AGENTS.md +1 -1
package/src/approvals/guardian-request-resolvers.ts +14 -2
package/src/bundler/compiler-tools.ts +66 -2
package/src/calls/call-domain.ts +132 -0
package/src/calls/call-store.ts +6 -0
package/src/calls/relay-server.ts +43 -5
package/src/calls/relay-setup-router.ts +17 -1
package/src/calls/twilio-config.ts +1 -1
package/src/calls/types.ts +3 -1
package/src/cli/commands/doctor.ts +4 -3
package/src/cli/commands/mcp.ts +46 -59
package/src/cli/commands/memory.ts +16 -165
package/src/cli/commands/oauth/apps.ts +31 -2
package/src/cli/commands/oauth/connections.ts +431 -97
package/src/cli/commands/oauth/providers.ts +15 -1
package/src/cli/commands/sessions.ts +5 -2
package/src/cli/commands/skills.ts +173 -1
package/src/cli/http-client.ts +0 -20
package/src/cli/main-screen.tsx +2 -2
package/src/cli/program.ts +5 -6
package/src/cli.ts +4 -10
package/src/config/bundled-skills/computer-use/TOOLS.json +1 -1
package/src/config/bundled-skills/computer-use/tools/computer-use-observe.ts +12 -0
package/src/config/bundled-tool-registry.ts +2 -5
package/src/config/schema.ts +1 -12
package/src/config/schemas/memory-lifecycle.ts +0 -9
package/src/config/schemas/memory-processing.ts +0 -180
package/src/config/schemas/memory-retrieval.ts +32 -104
package/src/config/schemas/memory.ts +0 -10
package/src/config/types.ts +0 -4
package/src/context/window-manager.ts +4 -1
package/src/daemon/config-watcher.ts +61 -3
package/src/daemon/daemon-control.ts +1 -1
package/src/daemon/date-context.ts +114 -31
package/src/daemon/handlers/sessions.ts +18 -13
package/src/daemon/handlers/skills.ts +20 -1
package/src/daemon/history-repair.ts +72 -8
package/src/daemon/host-cu-proxy.ts +55 -26
package/src/daemon/lifecycle.ts +31 -3
package/src/daemon/mcp-reload-service.ts +2 -2
package/src/daemon/message-types/computer-use.ts +1 -12
package/src/daemon/message-types/memory.ts +4 -16
package/src/daemon/message-types/messages.ts +1 -0
package/src/daemon/message-types/sessions.ts +4 -0
package/src/daemon/server.ts +12 -1
package/src/daemon/session-agent-loop-handlers.ts +38 -0
package/src/daemon/session-agent-loop.ts +334 -48
package/src/daemon/session-error.ts +89 -6
package/src/daemon/session-history.ts +17 -7
package/src/daemon/session-media-retry.ts +6 -2
package/src/daemon/session-memory.ts +69 -149
package/src/daemon/session-process.ts +10 -1
package/src/daemon/session-runtime-assembly.ts +49 -19
package/src/daemon/session-surfaces.ts +4 -1
package/src/daemon/session-tool-setup.ts +7 -1
package/src/daemon/session.ts +12 -2
package/src/instrument.ts +61 -1
package/src/memory/admin.ts +2 -191
package/src/memory/canonical-guardian-store.ts +38 -2
package/src/memory/conversation-crud.ts +0 -33
package/src/memory/conversation-queries.ts +22 -3
package/src/memory/db-init.ts +28 -0
package/src/memory/embedding-backend.ts +84 -8
package/src/memory/embedding-types.ts +9 -1
package/src/memory/indexer.ts +7 -46
package/src/memory/items-extractor.ts +274 -76
package/src/memory/job-handlers/backfill.ts +2 -127
package/src/memory/job-handlers/cleanup.ts +2 -16
package/src/memory/job-handlers/extraction.ts +2 -138
package/src/memory/job-handlers/index-maintenance.ts +1 -6
package/src/memory/job-handlers/summarization.ts +3 -148
package/src/memory/job-utils.ts +21 -59
package/src/memory/jobs-store.ts +1 -159
package/src/memory/jobs-worker.ts +9 -52
package/src/memory/migrations/104-core-indexes.ts +3 -3
package/src/memory/migrations/149-oauth-tables.ts +2 -0
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +98 -0
package/src/memory/migrations/151-oauth-providers-ping-url.ts +11 -0
package/src/memory/migrations/152-memory-item-supersession.ts +44 -0
package/src/memory/migrations/153-drop-entity-tables.ts +15 -0
package/src/memory/migrations/154-drop-fts.ts +20 -0
package/src/memory/migrations/155-drop-conflicts.ts +7 -0
package/src/memory/migrations/156-call-session-invite-metadata.ts +24 -0
package/src/memory/migrations/index.ts +7 -0
package/src/memory/qdrant-client.ts +148 -51
package/src/memory/raw-query.ts +1 -1
package/src/memory/retriever.test.ts +294 -273
package/src/memory/retriever.ts +421 -645
package/src/memory/schema/calls.ts +2 -0
package/src/memory/schema/memory-core.ts +3 -48
package/src/memory/schema/oauth.ts +2 -0
package/src/memory/search/formatting.ts +263 -176
package/src/memory/search/lexical.ts +1 -254
package/src/memory/search/ranking.ts +0 -455
package/src/memory/search/semantic.ts +100 -14
package/src/memory/search/staleness.ts +47 -0
package/src/memory/search/tier-classifier.ts +21 -0
package/src/memory/search/types.ts +15 -77
package/src/memory/task-memory-cleanup.ts +4 -6
package/src/messaging/providers/gmail/mime-builder.ts +17 -7
package/src/oauth/byo-connection.test.ts +8 -1
package/src/oauth/oauth-store.ts +113 -27
package/src/oauth/seed-providers.ts +6 -0
package/src/oauth/token-persistence.ts +11 -3
package/src/permissions/defaults.ts +1 -0
package/src/permissions/trust-store.ts +23 -1
package/src/playbooks/playbook-compiler.ts +1 -1
package/src/prompts/system-prompt.ts +18 -2
package/src/providers/anthropic/client.ts +56 -126
package/src/providers/types.ts +7 -1
package/src/runtime/AGENTS.md +9 -0
package/src/runtime/auth/route-policy.ts +6 -3
package/src/runtime/guardian-reply-router.ts +24 -22
package/src/runtime/http-server.ts +2 -2
package/src/runtime/invite-redemption-service.ts +19 -1
package/src/runtime/invite-service.ts +25 -0
package/src/runtime/pending-interactions.ts +2 -2
package/src/runtime/routes/brain-graph-routes.ts +10 -90
package/src/runtime/routes/conversation-routes.ts +9 -1
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +21 -12
package/src/runtime/routes/memory-item-routes.test.ts +754 -0
package/src/runtime/routes/memory-item-routes.ts +503 -0
package/src/runtime/routes/session-management-routes.ts +3 -3
package/src/runtime/routes/settings-routes.ts +2 -2
package/src/runtime/routes/trust-rules-routes.ts +14 -0
package/src/runtime/routes/workspace-routes.ts +2 -1
package/src/security/keychain-broker-client.ts +17 -4
package/src/security/secure-keys.ts +25 -3
package/src/security/token-manager.ts +36 -36
package/src/skills/catalog-install.ts +74 -18
package/src/skills/skillssh-registry.ts +503 -0
package/src/tools/assets/search.ts +5 -1
package/src/tools/computer-use/definitions.ts +0 -10
package/src/tools/computer-use/registry.ts +1 -1
package/src/tools/credentials/vault.ts +1 -3
package/src/tools/memory/definitions.ts +4 -13
package/src/tools/memory/handlers.test.ts +83 -103
package/src/tools/memory/handlers.ts +50 -85
package/src/tools/schedule/create.ts +8 -1
package/src/tools/schedule/update.ts +8 -1
package/src/tools/skills/load.ts +25 -2
package/src/__tests__/clarification-resolver.test.ts +0 -193
package/src/__tests__/conflict-intent-tokenization.test.ts +0 -160
package/src/__tests__/conflict-policy.test.ts +0 -269
package/src/__tests__/conflict-store.test.ts +0 -372
package/src/__tests__/contradiction-checker.test.ts +0 -361
package/src/__tests__/entity-extractor.test.ts +0 -211
package/src/__tests__/entity-search.test.ts +0 -1117
package/src/__tests__/profile-compiler.test.ts +0 -392
package/src/__tests__/session-conflict-gate.test.ts +0 -1228
package/src/__tests__/session-profile-injection.test.ts +0 -557
package/src/config/bundled-skills/knowledge-graph/SKILL.md +0 -25
package/src/config/bundled-skills/knowledge-graph/TOOLS.json +0 -66
package/src/config/bundled-skills/knowledge-graph/tools/graph-query.ts +0 -211
package/src/daemon/session-conflict-gate.ts +0 -167
package/src/daemon/session-dynamic-profile.ts +0 -77
package/src/memory/clarification-resolver.ts +0 -417
package/src/memory/conflict-intent.ts +0 -205
package/src/memory/conflict-policy.ts +0 -127
package/src/memory/conflict-store.ts +0 -410
package/src/memory/contradiction-checker.ts +0 -508
package/src/memory/entity-extractor.ts +0 -535
package/src/memory/format-recall.ts +0 -47
package/src/memory/fts-reconciler.ts +0 -165
package/src/memory/job-handlers/conflict.ts +0 -200
package/src/memory/profile-compiler.ts +0 -195
package/src/memory/recall-cache.ts +0 -117
package/src/memory/search/entity.ts +0 -535
package/src/memory/search/query-expansion.test.ts +0 -70
package/src/memory/search/query-expansion.ts +0 -118
package/src/runtime/routes/mcp-routes.ts +0 -20

package/src/__tests__/skills-install-extract.test.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { existsSync, mkdirSync, readFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { extractTarToDir } from "../skills/catalog-install.js";
+let tempDir: string;
+function makeTarEntry(name: string, content: string): Buffer {
+  const header = Buffer.alloc(512, 0);
+  const nameBuffer = Buffer.from(name, "utf-8");
+  nameBuffer.copy(header, 0, 0, Math.min(nameBuffer.length, 100));
+  const mode = Buffer.from("0000644\0", "ascii");
+  mode.copy(header, 100);
+  Buffer.from("0000000\0", "ascii").copy(header, 108); // uid
+  Buffer.from("0000000\0", "ascii").copy(header, 116); // gid
+  const sizeOct = content.length.toString(8).padStart(11, "0") + "\0";
+  Buffer.from(sizeOct, "ascii").copy(header, 124);
+  Buffer.from("00000000000\0", "ascii").copy(header, 136); // mtime
+  Buffer.from("        ", "ascii").copy(header, 148); // checksum placeholder
+  header[156] = "0".charCodeAt(0);
+  Buffer.from("ustar\0", "ascii").copy(header, 257);
+  Buffer.from("00", "ascii").copy(header, 263);
+  let sum = 0;
+  for (let i = 0; i < 512; i += 1) sum += header[i] ?? 0;
+  const checksum = sum.toString(8).padStart(6, "0");
+  Buffer.from(`${checksum}\0 `, "ascii").copy(header, 148);
+  const data = Buffer.from(content, "utf-8");
+  const paddedSize = Math.ceil(data.length / 512) * 512;
+  const padded = Buffer.alloc(paddedSize, 0);
+  data.copy(padded);
+  return Buffer.concat([header, padded]);
+}
+function makeTar(entries: Array<{ name: string; content: string }>): Buffer {
+  const body = entries.map((entry) => makeTarEntry(entry.name, entry.content));
+  return Buffer.concat([...body, Buffer.alloc(1024, 0)]);
+}
+beforeEach(() => {
+  tempDir = join(
+    tmpdir(),
+    `skills-extract-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+  );
+  mkdirSync(tempDir, { recursive: true });
+});
+afterEach(() => {
+  rmSync(tempDir, { recursive: true, force: true });
+});
+describe("extractTarToDir", () => {
+  test("extracts valid files and detects SKILL.md", () => {
+    const tar = makeTar([
+      { name: "SKILL.md", content: "# demo\n" },
+      { name: "scripts/run.sh", content: "echo ok\n" },
+    ]);
+    const foundSkillMd = extractTarToDir(tar, tempDir);
+    expect(foundSkillMd).toBe(true);
+    expect(readFileSync(join(tempDir, "SKILL.md"), "utf-8")).toBe("# demo\n");
+    expect(readFileSync(join(tempDir, "scripts", "run.sh"), "utf-8")).toBe(
+      "echo ok\n",
+    );
+  });
+  test("rejects traversal and absolute archive paths", () => {
+    const tar = makeTar([
+      { name: "SKILL.md", content: "# demo\n" },
+      { name: "../../escape.txt", content: "nope\n" },
+      { name: "..\\..\\win-escape.txt", content: "nope\n" },
+      { name: "/absolute.txt", content: "nope\n" },
+      { name: "C:/windows.txt", content: "nope\n" },
+    ]);
+    const foundSkillMd = extractTarToDir(tar, tempDir);
+    expect(foundSkillMd).toBe(true);
+    expect(existsSync(join(tempDir, "escape.txt"))).toBe(false);
+    expect(existsSync(join(tempDir, "win-escape.txt"))).toBe(false);
+    expect(existsSync(join(tempDir, "absolute.txt"))).toBe(false);
+    expect(existsSync(join(tempDir, "windows.txt"))).toBe(false);
+    expect(readFileSync(join(tempDir, "SKILL.md"), "utf-8")).toBe("# demo\n");
+  });
+});

package/src/__tests__/skillssh-registry.test.ts ADDED Viewed

@@ -0,0 +1,451 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import type {
+  AuditResponse,
+  SkillAuditData,
+  SkillsShSearchResult,
+} from "../skills/skillssh-registry.js";
+import {
+  fetchSkillAudits,
+  fetchSkillFromGitHub,
+  formatAuditBadges,
+  providerDisplayName,
+  resolveSkillSource,
+  riskToDisplay,
+  searchSkillsRegistry,
+  validateSkillSlug,
+} from "../skills/skillssh-registry.js";
+// ─── Fetch mock helpers ──────────────────────────────────────────────────────
+const originalFetch = globalThis.fetch;
+let mockFetchImpl: (url: string | URL | Request) => Promise<Response>;
+beforeEach(() => {
+  mockFetchImpl = () =>
+    Promise.resolve(new Response("not mocked", { status: 500 }));
+  globalThis.fetch = mock((input: string | URL | Request) =>
+    mockFetchImpl(typeof input === "string" ? input : input.toString()),
+  ) as unknown as typeof fetch;
+});
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+// ─── searchSkillsRegistry ────────────────────────────────────────────────────
+describe("searchSkillsRegistry", () => {
+  test("sends correct query parameters and returns results", async () => {
+    const mockResults: SkillsShSearchResult[] = [
+      {
+        id: "vercel-labs/agent-skills/vercel-react-best-practices",
+        skillId: "vercel-react-best-practices",
+        name: "Vercel React Best Practices",
+        installs: 1200,
+        source: "vercel-labs/agent-skills",
+      },
+    ];
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).toContain("skills.sh/api/search");
+      expect(urlStr).toContain("q=react");
+      expect(urlStr).toContain("limit=5");
+      return Promise.resolve(
+        new Response(JSON.stringify({ skills: mockResults }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+    const results = await searchSkillsRegistry("react", 5);
+    expect(results).toEqual(mockResults);
+  });
+  test("omits limit parameter when not provided", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).not.toContain("limit=");
+      return Promise.resolve(
+        new Response(JSON.stringify({ skills: [] }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+    const results = await searchSkillsRegistry("test");
+    expect(results).toEqual([]);
+  });
+  test("throws on non-OK response", async () => {
+    mockFetchImpl = () =>
+      Promise.resolve(new Response("Not Found", { status: 404 }));
+    await expect(searchSkillsRegistry("bad-query")).rejects.toThrow(
+      "skills.sh search failed: HTTP 404",
+    );
+  });
+});
+// ─── fetchSkillAudits ────────────────────────────────────────────────────────
+describe("fetchSkillAudits", () => {
+  test("sends correct parameters and returns audit data", async () => {
+    const mockAudits: AuditResponse = {
+      "vercel-react-best-practices": {
+        ath: {
+          risk: "safe",
+          alerts: 0,
+          score: 100,
+          analyzedAt: "2025-01-15T00:00:00Z",
+        },
+        socket: {
+          risk: "low",
+          alerts: 1,
+          score: 95,
+          analyzedAt: "2025-01-15T00:00:00Z",
+        },
+      },
+    };
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      expect(urlStr).toContain("add-skill.vercel.sh/audit");
+      expect(urlStr).toContain("source=vercel-labs%2Fagent-skills");
+      expect(urlStr).toContain(
+        "skills=vercel-react-best-practices%2Canother-skill",
+      );
+      return Promise.resolve(
+        new Response(JSON.stringify(mockAudits), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      );
+    };
+    const audits = await fetchSkillAudits("vercel-labs/agent-skills", [
+      "vercel-react-best-practices",
+      "another-skill",
+    ]);
+    expect(audits).toEqual(mockAudits);
+  });
+  test("returns empty object for empty slugs list", async () => {
+    const audits = await fetchSkillAudits("some/source", []);
+    expect(audits).toEqual({});
+    // fetch should not have been called
+    expect(globalThis.fetch).not.toHaveBeenCalled();
+  });
+  test("throws on non-OK response", async () => {
+    mockFetchImpl = () =>
+      Promise.resolve(new Response("Internal Server Error", { status: 500 }));
+    await expect(fetchSkillAudits("some/source", ["slug"])).rejects.toThrow(
+      "Audit fetch failed: HTTP 500",
+    );
+  });
+});
+// ─── Display helpers ─────────────────────────────────────────────────────────
+describe("riskToDisplay", () => {
+  test("maps risk levels correctly", () => {
+    expect(riskToDisplay("safe")).toBe("PASS");
+    expect(riskToDisplay("low")).toBe("PASS");
+    expect(riskToDisplay("medium")).toBe("WARN");
+    expect(riskToDisplay("high")).toBe("FAIL");
+    expect(riskToDisplay("critical")).toBe("FAIL");
+    expect(riskToDisplay("unknown")).toBe("?");
+  });
+});
+describe("providerDisplayName", () => {
+  test("maps known providers", () => {
+    expect(providerDisplayName("ath")).toBe("ATH");
+    expect(providerDisplayName("socket")).toBe("Socket");
+    expect(providerDisplayName("snyk")).toBe("Snyk");
+  });
+  test("returns raw name for unknown providers", () => {
+    expect(providerDisplayName("custom-auditor")).toBe("custom-auditor");
+  });
+});
+describe("formatAuditBadges", () => {
+  test("formats multiple providers as badges", () => {
+    const auditData: SkillAuditData = {
+      ath: { risk: "safe", analyzedAt: "2025-01-15T00:00:00Z" },
+      socket: { risk: "safe", analyzedAt: "2025-01-15T00:00:00Z" },
+      snyk: { risk: "medium", analyzedAt: "2025-01-15T00:00:00Z" },
+    };
+    expect(formatAuditBadges(auditData)).toBe(
+      "Security: [ATH:PASS] [Socket:PASS] [Snyk:WARN]",
+    );
+  });
+  test("returns fallback message when no providers present", () => {
+    expect(formatAuditBadges({})).toBe("Security: no audit data");
+  });
+  test("handles single provider", () => {
+    const auditData: SkillAuditData = {
+      ath: { risk: "critical", analyzedAt: "2025-01-15T00:00:00Z" },
+    };
+    expect(formatAuditBadges(auditData)).toBe("Security: [ATH:FAIL]");
+  });
+});
+// ─── resolveSkillSource ─────────────────────────────────────────────────────
+describe("resolveSkillSource", () => {
+  test("parses owner/repo@skill-name format", () => {
+    const result = resolveSkillSource("vercel-labs/skills@find-skills");
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+    });
+  });
+  test("parses owner/repo/skill-name format", () => {
+    const result = resolveSkillSource("vercel-labs/skills/find-skills");
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+    });
+  });
+  test("parses full GitHub URL with main branch", () => {
+    const result = resolveSkillSource(
+      "https://github.com/vercel-labs/skills/tree/main/skills/find-skills",
+    );
+    expect(result).toEqual({
+      owner: "vercel-labs",
+      repo: "skills",
+      skillSlug: "find-skills",
+      ref: "main",
+    });
+  });
+  test("parses full GitHub URL with non-main branch", () => {
+    const result = resolveSkillSource(
+      "https://github.com/some-org/repo/tree/develop/skills/my-skill",
+    );
+    expect(result).toEqual({
+      owner: "some-org",
+      repo: "repo",
+      skillSlug: "my-skill",
+      ref: "develop",
+    });
+  });
+  test("parses GitHub URL with trailing slash", () => {
+    const result = resolveSkillSource(
+      "https://github.com/owner/repo/tree/main/skills/skill-name/",
+    );
+    expect(result).toEqual({
+      owner: "owner",
+      repo: "repo",
+      skillSlug: "skill-name",
+      ref: "main",
+    });
+  });
+  test("throws on bare skill name (no owner/repo)", () => {
+    expect(() => resolveSkillSource("find-skills")).toThrow(
+      'Invalid skill source "find-skills"',
+    );
+  });
+  test("throws on empty string", () => {
+    expect(() => resolveSkillSource("")).toThrow('Invalid skill source ""');
+  });
+  test("throws on owner-only format", () => {
+    expect(() => resolveSkillSource("vercel-labs")).toThrow(
+      'Invalid skill source "vercel-labs"',
+    );
+  });
+  test("throws on owner/repo without skill", () => {
+    expect(() => resolveSkillSource("vercel-labs/skills")).toThrow(
+      'Invalid skill source "vercel-labs/skills"',
+    );
+  });
+  test("rejects path traversal in @ format slug", () => {
+    expect(() => resolveSkillSource("owner/repo@../../malicious")).toThrow(
+      'Invalid skill source "owner/repo@../../malicious"',
+    );
+  });
+  test("rejects uppercase slug in @ format", () => {
+    expect(() => resolveSkillSource("owner/repo@BadSlug")).toThrow(
+      'Invalid skill source "owner/repo@BadSlug"',
+    );
+  });
+});
+// ─── validateSkillSlug ──────────────────────────────────────────────────────
+describe("validateSkillSlug", () => {
+  test("accepts valid slugs", () => {
+    expect(() => validateSkillSlug("my-skill")).not.toThrow();
+    expect(() => validateSkillSlug("skill123")).not.toThrow();
+    expect(() => validateSkillSlug("my.skill")).not.toThrow();
+    expect(() => validateSkillSlug("my_skill")).not.toThrow();
+  });
+  test("rejects path traversal characters", () => {
+    expect(() => validateSkillSlug("../../malicious")).toThrow(
+      "path traversal",
+    );
+    expect(() => validateSkillSlug("foo/bar")).toThrow("path traversal");
+    expect(() => validateSkillSlug("foo\\bar")).toThrow("path traversal");
+  });
+  test("rejects slugs starting with special chars", () => {
+    expect(() => validateSkillSlug(".hidden")).toThrow();
+    expect(() => validateSkillSlug("-dash")).toThrow();
+  });
+  test("rejects empty input", () => {
+    expect(() => validateSkillSlug("")).toThrow("Skill slug is required");
+  });
+});
+// ─── fetchSkillFromGitHub ───────────────────────────────────────────────────
+describe("fetchSkillFromGitHub", () => {
+  test("fetches from conventional skills/<slug>/ path", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      // Probe request for skills/my-skill
+      if (urlStr.includes("/contents/skills/my-skill")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "SKILL.md",
+                type: "file",
+                download_url: "https://raw.example.com/SKILL.md",
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // File download
+      if (urlStr.includes("raw.example.com/SKILL.md")) {
+        return Promise.resolve(new Response("# My Skill", { status: 200 }));
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+    const files = await fetchSkillFromGitHub("owner", "repo", "my-skill");
+    expect(files["SKILL.md"]).toBe("# My Skill");
+  });
+  test("falls back to tree search when skills/<slug>/ returns 404", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      // Probe for conventional path returns 404
+      if (urlStr.includes("/contents/skills/csv")) {
+        return Promise.resolve(new Response("Not Found", { status: 404 }));
+      }
+      // Tree search returns the skill at a non-standard path
+      if (urlStr.includes("/git/trees/")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({
+              tree: [
+                { path: "examples/skills/csv/SKILL.md", type: "blob" },
+                { path: "examples/skills/csv/scripts/filter.sh", type: "blob" },
+                { path: "README.md", type: "blob" },
+              ],
+            }),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // Subdirectory listing (must precede parent path check — both use
+      // .includes() and the parent path is a prefix of this one)
+      if (urlStr.includes("/contents/examples/skills/csv/scripts")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "filter.sh",
+                type: "file",
+                download_url: "https://raw.example.com/filter.sh",
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // Contents API for the discovered path
+      if (urlStr.includes("/contents/examples/skills/csv")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify([
+              {
+                name: "SKILL.md",
+                type: "file",
+                download_url: "https://raw.example.com/SKILL.md",
+              },
+              {
+                name: "scripts",
+                type: "dir",
+                download_url: null,
+              },
+            ]),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      // File downloads
+      if (urlStr.includes("raw.example.com/SKILL.md")) {
+        return Promise.resolve(new Response("# CSV Skill", { status: 200 }));
+      }
+      if (urlStr.includes("raw.example.com/filter.sh")) {
+        return Promise.resolve(
+          new Response("#!/bin/bash\necho filter", { status: 200 }),
+        );
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+    const files = await fetchSkillFromGitHub("vercel-labs", "bash-tool", "csv");
+    expect(files["SKILL.md"]).toBe("# CSV Skill");
+    expect(files["scripts/filter.sh"]).toBe("#!/bin/bash\necho filter");
+  });
+  test("throws when skill not found in tree either", async () => {
+    mockFetchImpl = (url: string | URL | Request) => {
+      const urlStr = url.toString();
+      if (urlStr.includes("/contents/skills/missing")) {
+        return Promise.resolve(new Response("Not Found", { status: 404 }));
+      }
+      if (urlStr.includes("/git/trees/")) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({ tree: [{ path: "README.md", type: "blob" }] }),
+            { status: 200, headers: { "Content-Type": "application/json" } },
+          ),
+        );
+      }
+      return Promise.resolve(new Response("not found", { status: 404 }));
+    };
+    await expect(
+      fetchSkillFromGitHub("owner", "repo", "missing"),
+    ).rejects.toThrow("Searched skills/missing/ and the full repo tree");
+  });
+});

package/src/__tests__/trust-store.test.ts CHANGED Viewed

@@ -777,6 +777,7 @@ describe("Trust Store", () => {
         "computer_use_click",
         "computer_use_drag",
         "computer_use_key",
+        "computer_use_observe",
         "computer_use_open_app",
         "computer_use_run_applescript",
         "computer_use_scroll",
@@ -900,6 +901,20 @@ describe("Trust Store", () => {
       );
     });
+    test("findHighestPriorityRule matches default ask for computer_use_observe", () => {
+      const match = findHighestPriorityRule(
+        "computer_use_observe",
+        ["computer_use_observe:"],
+        "/tmp",
+      );
+      expect(match).not.toBeNull();
+      expect(match!.id).toBe("default:ask-computer_use_observe-global");
+      expect(match!.decision).toBe("ask");
+      expect(match!.priority).toBe(
+        DEFAULT_PRIORITY_BY_ID.get("default:ask-computer_use_observe-global")!,
+      );
+    });
     test("bootstrap delete rule matches only when workingDir is the workspace dir", () => {
       const workspaceDir = join(testDir, "workspace");
       // Should match when workingDir is the workspace directory — the bootstrap

package/src/__tests__/voice-invite-redemption.test.ts CHANGED Viewed

@@ -23,7 +23,10 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
-import { findContactChannel } from "../contacts/contact-store.js";
+import {
+  findContactChannel,
+  upsertContact,
+} from "../contacts/contact-store.js";
 import { upsertContactChannel } from "../contacts/contacts-write.js";
 import { getSqlite, initializeDb, resetDb } from "../memory/db.js";
 import { createInvite, revokeInvite } from "../memory/invite-store.js";
@@ -354,4 +357,32 @@ describe("redeemVoiceInviteCode", () => {
     expect(result).toEqual({ ok: false, reason: "invalid_or_expired" });
   });
+  test("returns invalid_or_expired for a revoked guardian to prevent invite-based reactivation", () => {
+    const phone = "+15559998888";
+    const { code } = createVoiceInvite({ callerPhone: phone });
+    // Pre-create a guardian contact with a revoked phone channel
+    upsertContact({
+      displayName: "Guardian",
+      role: "guardian",
+      channels: [
+        {
+          type: "phone",
+          address: phone,
+          externalUserId: phone,
+          status: "revoked",
+        },
+      ],
+    });
+    const result = redeemVoiceInviteCode({
+      callerExternalUserId: phone,
+      sourceChannel: "phone",
+      code,
+    });
+    // Must reject — guardian channels are managed via the binding flow, not invites
+    expect(result).toEqual({ ok: false, reason: "invalid_or_expired" });
+  });
 });

package/src/agent/ax-tree-compaction.test.ts CHANGED Viewed

@@ -182,6 +182,57 @@ describe("compactAxTreeHistory", () => {
     expect(result).toEqual([]);
   });
+  test("counts AX trees per block, not per message", () => {
+    // One message has two AX tree blocks — they should count as 2 trees
+    const messages: Message[] = [
+      {
+        role: "user",
+        content: [
+          {
+            type: "tool_result",
+            tool_use_id: "t1a",
+            content: "<ax-tree>\ntree-1a\n</ax-tree>",
+            is_error: false,
+          },
+          {
+            type: "tool_result",
+            tool_use_id: "t1b",
+            content: "<ax-tree>\ntree-1b\n</ax-tree>",
+            is_error: false,
+          },
+        ],
+      },
+      assistantText("ok"),
+      axTreeToolResult("t2", "tree-2"),
+    ];
+    const result = compactAxTreeHistory(messages);
+    // 3 total AX tree blocks, keep last 2 → strip only first block (t1a)
+    const msg0 = result[0];
+    const block0 = msg0.content[0];
+    expect(block0.type).toBe("tool_result");
+    if (block0.type === "tool_result") {
+      expect(block0.content).toContain("<ax_tree_omitted />");
+      expect(block0.content).not.toContain("<ax-tree>");
+    }
+    // Second block in same message (t1b) should be kept
+    const block1 = msg0.content[1];
+    expect(block1.type).toBe("tool_result");
+    if (block1.type === "tool_result") {
+      expect(block1.content).toContain("<ax-tree>");
+      expect(block1.content).not.toContain("<ax_tree_omitted />");
+    }
+    // Last message (t2) should also be kept
+    const lastBlock = result[2].content[0];
+    expect(lastBlock.type).toBe("tool_result");
+    if (lastBlock.type === "tool_result") {
+      expect(lastBlock.content).toContain("<ax-tree>");
+    }
+  });
   test("is pure — does not mutate input messages", () => {
     const messages: Message[] = [
       axTreeToolResult("t1", "tree-1"),