@vellumai/assistant 0.4.53 → 0.4.55

package/src/__tests__/session-confirmation-signals.test.ts

@@ -56,7 +56,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/session-messaging-secret-redirect.test.ts

@@ -25,17 +25,11 @@ const metadataByKey = new Map<
 >();
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: () => undefined,
-  setSecureKey: setSecureKeyMock,
   setSecureKeyAsync: async (key?: string, value?: string) =>
     setSecureKeyMock(key, value),
-  deleteSecureKey: () => "deleted",
   deleteSecureKeyAsync: async () => "deleted" as const,
-  listSecureKeys: () => [],
-  getBackendType: () => null,
-  isDowngradedFromKeychain: () => false,
+  listSecureKeysAsync: async () => [],
   _resetBackend: () => {},
-  _setBackend: () => {},
 }));
 
 mock.module("../tools/credentials/metadata-store.js", () => ({

package/src/__tests__/session-pre-run-repair.test.ts

@@ -15,7 +15,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/session-provider-retry-repair.test.ts

@@ -15,7 +15,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/session-queue.test.ts

@@ -39,7 +39,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));
@@ -621,8 +620,7 @@ describe("Session message queue", () => {
     const sessionErr = events.find((e) => e.type === "session_error");
     expect(sessionErr).toBeDefined();
 
-    // Should also emit generic error for backward compatibility
-    // (callers rely on error events to detect failures)
+    // Should also emit generic error (callers rely on error events to detect failures)
     const genericErr = events.find((e) => e.type === "error");
     expect(genericErr).toBeDefined();
   });
@@ -1674,7 +1672,7 @@ describe("Regression: cancel semantics and error channel split", () => {
     const sessionErr = allEvents.find((e) => e.type === "session_error");
     expect(sessionErr).toBeDefined();
 
-    // Should also get generic error for backward compatibility
+    // Should also get generic error
     const genericErr = allEvents.find((e) => e.type === "error");
     expect(genericErr).toBeDefined();
   });

package/src/__tests__/session-slash-known.test.ts

@@ -22,7 +22,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/session-slash-queue.test.ts

@@ -22,7 +22,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/session-slash-unknown.test.ts

@@ -22,7 +22,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/session-workspace-injection.test.ts

@@ -25,7 +25,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/session-workspace-tool-tracking.test.ts

@@ -23,7 +23,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));

package/src/__tests__/skill-projection-feature-flag.test.ts

@@ -54,7 +54,6 @@ mock.module("../config/assistant-feature-flags.js", () => ({
   },
   loadDefaultsRegistry: () => ({}),
   getAssistantFeatureFlagDefaults: () => ({}),
-  _resetDefaultsCache: () => {},
 }));
 
 mock.module("../config/skill-state.js", () => ({

package/src/__tests__/slack-channel-config.test.ts

@@ -100,19 +100,13 @@ mock.module("../security/secure-keys.js", () => {
     return "not-found" as const;
   };
   return {
-    getSecureKey: (account: string) => secureKeyStore[account] ?? undefined,
     getSecureKeyAsync: async (account: string) =>
       secureKeyStore[account] ?? undefined,
-    setSecureKey: syncSet,
-    deleteSecureKey: syncDelete,
     setSecureKeyAsync: async (account: string, value: string) =>
       syncSet(account, value),
     deleteSecureKeyAsync: async (account: string) => syncDelete(account),
-    listSecureKeys: () => Object.keys(secureKeyStore),
-    getBackendType: () => "encrypted",
-    isDowngradedFromKeychain: () => false,
+    listSecureKeysAsync: async () => Object.keys(secureKeyStore),
     _resetBackend: () => {},
-    _setBackend: () => {},
   };
 });
 

package/src/__tests__/swarm-recursion.test.ts

@@ -68,7 +68,6 @@ const mockProvider = {
 };
 mock.module("../security/secure-keys.js", () => ({
   getSecureKeyAsync: async () => "test-api-key",
-  getSecureKey: () => "test-api-key",
 }));
 
 mock.module("../providers/registry.js", () => ({

package/src/__tests__/swarm-session-integration.test.ts

@@ -57,7 +57,6 @@ const mockTestProvider = {
 let mockAnthropicKey: string | undefined = "test-api-key";
 mock.module("../security/secure-keys.js", () => ({
   getSecureKeyAsync: async () => mockAnthropicKey,
-  getSecureKey: () => mockAnthropicKey,
 }));
 
 mock.module("../providers/registry.js", () => ({

package/src/__tests__/swarm-tool.test.ts

@@ -63,7 +63,6 @@ const mockProvider = {
 };
 mock.module("../security/secure-keys.js", () => ({
   getSecureKeyAsync: async () => "test-api-key",
-  getSecureKey: () => "test-api-key",
 }));
 
 mock.module("../providers/registry.js", () => ({

package/src/__tests__/task-compiler.test.ts

@@ -32,7 +32,7 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("./indexer.js", () => ({
-  indexMessageNow: () => {},
+  indexMessageNow: async () => ({ indexedSegments: 0, enqueuedJobs: 0 }),
 }));
 
 import type { Database } from "bun:sqlite";

package/src/__tests__/test-support/browser-skill-harness.ts

@@ -61,24 +61,6 @@ export function buildSkillLoadHistory(
   ];
 }
 
-/**
- * Assert that a set of tool names is exactly the expected set (order-independent).
- */
-export function expectToolNamesEqual(
-  actual: string[],
-  expected: readonly string[],
-): void {
-  const sorted = [...actual].sort();
-  const expectedSorted = [...expected].sort();
-  if (JSON.stringify(sorted) !== JSON.stringify(expectedSorted)) {
-    throw new Error(
-      `Tool names mismatch.\nExpected: ${JSON.stringify(
-        expectedSorted,
-      )}\nActual: ${JSON.stringify(sorted)}`,
-    );
-  }
-}
-
 /**
  * Assert that all browser tool names are present in a given set.
  */

package/src/__tests__/test-support/computer-use-skill-harness.ts

@@ -17,28 +17,5 @@ export const COMPUTER_USE_TOOL_NAMES = [
   "computer_use_respond",
 ] as const;
 
-/** The skill ID for the bundled computer-use skill (used in later PRs). */
-export const COMPUTER_USE_SKILL_ID = "computer-use";
-
 /** Number of computer_use_* tools. */
 export const COMPUTER_USE_TOOL_COUNT = COMPUTER_USE_TOOL_NAMES.length; // 11
-
-import { expect } from "bun:test";
-
-/**
- * Assert that every COMPUTER_USE_TOOL_NAMES entry is present in `names`.
- */
-export function assertComputerUseToolsPresent(names: string[]): void {
-  for (const name of COMPUTER_USE_TOOL_NAMES) {
-    expect(names).toContain(name);
-  }
-}
-
-/**
- * Assert that no COMPUTER_USE_TOOL_NAMES entry is present in `names`.
- */
-export function assertComputerUseToolsAbsent(names: string[]): void {
-  for (const name of COMPUTER_USE_TOOL_NAMES) {
-    expect(names).not.toContain(name);
-  }
-}

package/src/__tests__/tool-executor.test.ts

@@ -196,7 +196,7 @@ describe("ToolExecutor allowedToolNames gating", () => {
     }
   });
 
-  test("executes normally when allowedToolNames is not set (backward compat)", async () => {
+  test("executes normally when allowedToolNames is not set", async () => {
     const executor = new ToolExecutor(makePrompter());
     const result = await executor.execute(
       "file_read",

package/src/__tests__/trust-store.test.ts

@@ -57,7 +57,6 @@ import {
 } from "../permissions/trust-store.js";
 
 const trustPath = join(testDir, "protected", "trust.json");
-const legacyTrustPath = join(testDir, "trust.json");
 const DEFAULT_TEMPLATES = getDefaultRuleTemplates();
 const NUM_DEFAULTS = DEFAULT_TEMPLATES.length;
 const DEFAULT_PRIORITY_BY_ID = new Map(
@@ -73,11 +72,6 @@ describe("Trust Store", () => {
     } catch {
       /* may not exist */
     }
-    try {
-      rmSync(legacyTrustPath);
-    } catch {
-      /* may not exist */
-    }
   });
 
   // Intentionally do not remove `testDir` in afterAll.
@@ -1227,79 +1221,6 @@ describe("Trust Store", () => {
   // ── loadFromDisk resilience (misc) ──────────────────────────────
 
   describe("loadFromDisk resilience (misc)", () => {
-    test("migrates legacy root trust file to protected path", () => {
-      mkdirSync(dirname(legacyTrustPath), { recursive: true });
-      writeFileSync(
-        legacyTrustPath,
-        JSON.stringify({
-          version: 3,
-          rules: [
-            {
-              id: "legacy-deny",
-              tool: "host_bash",
-              pattern: "rm -rf *",
-              scope: "everywhere",
-              decision: "deny",
-              priority: 200,
-              createdAt: 123,
-            },
-          ],
-        }),
-      );
-
-      clearCache();
-      const rules = getAllRules();
-
-      expect(rules.find((r) => r.id === "legacy-deny")).toBeDefined();
-      expect(readFileSync(trustPath, "utf-8")).toContain("legacy-deny");
-      expect(() => readFileSync(legacyTrustPath, "utf-8")).toThrow();
-    });
-
-    test("prefers protected trust file when both protected and legacy files exist", () => {
-      mkdirSync(dirname(trustPath), { recursive: true });
-      writeFileSync(
-        trustPath,
-        JSON.stringify({
-          version: 3,
-          rules: [
-            {
-              id: "protected-rule",
-              tool: "bash",
-              pattern: "protected *",
-              scope: "/tmp",
-              decision: "allow",
-              priority: 100,
-              createdAt: 1,
-            },
-          ],
-        }),
-      );
-      writeFileSync(
-        legacyTrustPath,
-        JSON.stringify({
-          version: 3,
-          rules: [
-            {
-              id: "legacy-rule",
-              tool: "bash",
-              pattern: "legacy *",
-              scope: "/tmp",
-              decision: "deny",
-              priority: 200,
-              createdAt: 2,
-            },
-          ],
-        }),
-      );
-
-      clearCache();
-      const rules = getAllRules();
-
-      expect(rules.find((r) => r.id === "protected-rule")).toBeDefined();
-      expect(rules.find((r) => r.id === "legacy-rule")).toBeUndefined();
-      expect(readFileSync(legacyTrustPath, "utf-8")).toContain("legacy-rule");
-    });
-
     test("malformed file (valid JSON but null) is handled gracefully", () => {
       mkdirSync(dirname(trustPath), { recursive: true });
       writeFileSync(trustPath, "null");
@@ -1540,10 +1461,10 @@ describe("Trust Store", () => {
       });
     });
 
-    // ── backward compatibility ────────────────────────────────────
+    // ── optional ctx parameter ────────────────────────────────────
 
-    describe("backward compatibility", () => {
-      test("existing callers without ctx parameter still work", () => {
+    describe("optional ctx parameter", () => {
+      test("callers without ctx parameter still work", () => {
         addRule("bash", "git *", "/tmp", "allow", 200);
         // Calling without the 4th argument — must still match
         const match = findHighestPriorityRule("bash", ["git status"], "/tmp");

package/src/__tests__/twilio-config.test.ts

@@ -13,7 +13,6 @@ mock.module("../util/logger.js", () => ({
 }));
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (key: string) => mockSecureKeys[key] ?? null,
   getSecureKeyAsync: async (key: string) => mockSecureKeys[key] ?? null,
 }));
 

package/src/__tests__/twilio-provider.test.ts

@@ -41,11 +41,6 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (key: string) => {
-    if (key === credentialKey("twilio", "auth_token")) return mockAuthToken;
-    if (key === credentialKey("twilio", "account_sid")) return mockAccountSid;
-    return undefined;
-  },
   getSecureKeyAsync: async (key: string) => {
     if (key === credentialKey("twilio", "auth_token")) return mockAuthToken;
     if (key === credentialKey("twilio", "account_sid")) return mockAccountSid;

package/src/__tests__/twilio-routes.test.ts

@@ -143,7 +143,6 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (key: string) => mockSecureKeyStore[key],
   setSecureKeyAsync: async (key: string, value: string) => {
     mockSecureKeyStore[key] = value;
     return true;

package/src/__tests__/usage-cache-backfill-migration.test.ts

@@ -46,7 +46,7 @@ import {
 import { migrateBackfillUsageCacheAccounting } from "../memory/migrations/140-backfill-usage-cache-accounting.js";
 import type { PricingUsage } from "../usage/types.js";
 import {
-  estimateCost,
+  resolvePricing,
   resolvePricingForUsageWithOverrides,
 } from "../util/pricing.js";
 
@@ -187,7 +187,8 @@ describe("migrateBackfillUsageCacheAccounting", () => {
       model,
       inputTokens: 700,
       outputTokens: 70,
-      estimatedCostUsd: estimateCost(700, 70, model, "anthropic"),
+      estimatedCostUsd:
+        resolvePricing("anthropic", model, 700, 70).estimatedCostUsd ?? 0,
     });
     insertRequestLog({
       id: "log-prev",
@@ -201,12 +202,9 @@ describe("migrateBackfillUsageCacheAccounting", () => {
       }),
     });
 
-    const flattenedHistoricalCost = estimateCost(
-      3_420_218,
-      11_768,
-      model,
-      "anthropic",
-    );
+    const flattenedHistoricalCost =
+      resolvePricing("anthropic", model, 3_420_218, 11_768).estimatedCostUsd ??
+      0;
     insertUsageEvent({
       id: "usage-target",
       conversationId: "conv-usage-1",
@@ -245,7 +243,8 @@ describe("migrateBackfillUsageCacheAccounting", () => {
       }),
     });
 
-    const noLogCost = estimateCost(1_234, 56, model, "anthropic");
+    const noLogCost =
+      resolvePricing("anthropic", model, 1_234, 56).estimatedCostUsd ?? 0;
     insertUsageEvent({
       id: "usage-no-logs",
       conversationId: "conv-usage-2",
@@ -346,7 +345,8 @@ describe("migrateBackfillUsageCacheAccounting", () => {
       model,
       inputTokens: 1_200,
       outputTokens: 80,
-      estimatedCostUsd: estimateCost(1_200, 80, model, "anthropic"),
+      estimatedCostUsd:
+        resolvePricing("anthropic", model, 1_200, 80).estimatedCostUsd ?? 0,
     });
     insertRequestLog({
       id: "log-target",

package/src/calls/guardian-question-copy.ts

@@ -52,7 +52,7 @@ export async function generateGuardianCopy(
   const fallback = buildFallbackCopy(questionText);
 
   // If no provider is configured, return fallback immediately
-  const resolved = resolveConfiguredProvider();
+  const resolved = await resolveConfiguredProvider();
   if (!resolved) {
     log.debug(
       "No provider available for guardian copy generation, using fallback",

package/src/cli/commands/bash.ts

@@ -47,6 +47,9 @@ This is a developer debugging tool for inspecting how the assistant invokes and
 observes shell commands. The command runs with the assistant's environment, working
 directory, and process context — not the caller's shell.
 
+Requires the assistant to be running with VELLUM_DEBUG=1. When debug mode is off
+(the default), the assistant ignores bash signal files and returns an error.
+
 The CLI writes the command to signals/bash.<requestId> and polls
 signals/bash.<requestId>.result for the output. The assistant must be running
 for this to work.

package/src/cli/commands/doctor.ts

@@ -10,10 +10,10 @@ import { isHttpHealthy } from "../../daemon/daemon-control.js";
 import { getSecureKeyAsync } from "../../security/secure-keys.js";
 import {
   getDbPath,
+  getHooksDir,
   getLogPath,
   getRootDir,
   getWorkspaceDir,
-  getWorkspaceHooksDir,
   getWorkspaceSkillsDir,
 } from "../../util/platform.js";
 import { log } from "../logger.js";
@@ -42,11 +42,10 @@ Diagnostic checks performed:
   6.  Disk space                 Ensures at least 100MB free on the data partition
   7.  Log file size              Warns if the log file exceeds 50MB
   8.  Database integrity         Runs SQLite PRAGMA integrity_check
-  9.  HTTP token permissions     Verifies the http-token file has 0600 or 0700 mode
-  10. Trust rule syntax          Validates trust.json structure and rule fields
-  11. WASM files                 Checks that tree-sitter WASM binaries are present
-  12. Browser runtime            Verifies Playwright and Chromium availability
-  13. Sandbox diagnostics        Reports sandbox backend status and configuration
+  9.  Trust rule syntax          Validates trust.json structure and rule fields
+  10. WASM files                 Checks that tree-sitter WASM binaries are present
+  11. Browser runtime            Verifies Playwright and Chromium availability
+  12. Sandbox diagnostics        Reports sandbox backend status and configuration
 
 Examples:
   $ assistant doctor`,
@@ -134,7 +133,7 @@ Examples:
         `${dataDir}/db`,
         `${dataDir}/logs`,
         getWorkspaceSkillsDir(),
-        getWorkspaceHooksDir(),
+        getHooksDir(),
         `${rootDir}/protected`,
       ];
       const missing = requiredDirs.filter((d) => !existsSync(d));
@@ -216,30 +215,7 @@ Examples:
         fail("Database integrity check", "database file not found");
       }
 
-      // 9. HTTP token
-      const tokenPath = `${rootDir}/http-token`;
-      if (existsSync(tokenPath)) {
-        try {
-          const tokenStat = statSync(tokenPath);
-          const mode = tokenStat.mode & 0o777;
-          if (mode === 0o600 || mode === 0o700) {
-            pass(
-              `HTTP token permissions (${mode.toString(8).padStart(4, "0")})`,
-            );
-          } else {
-            fail(
-              "HTTP token permissions",
-              `expected 0600 or 0700, got 0${mode.toString(8)}`,
-            );
-          }
-        } catch {
-          fail("HTTP token permissions", "could not stat http-token file");
-        }
-      } else {
-        pass("HTTP token (not present — assistant not running)");
-      }
-
-      // 10. Trust rule syntax
+      // 9. Trust rule syntax
       const trustPath = `${rootDir}/protected/trust.json`;
       if (existsSync(trustPath)) {
         try {
@@ -279,7 +255,7 @@ Examples:
         pass("Trust rule syntax (no trust.json yet)");
       }
 
-      // 11. WASM files
+      // 10. WASM files
       const wasmFiles = [
         { pkg: "web-tree-sitter", file: "web-tree-sitter.wasm" },
         { pkg: "tree-sitter-bash", file: "tree-sitter-bash.wasm" },
@@ -321,7 +297,7 @@ Examples:
         fail("WASM files", missingWasm.join(", "));
       }
 
-      // 12. Browser runtime (Playwright + Chromium)
+      // 11. Browser runtime (Playwright + Chromium)
       const { checkBrowserRuntime } =
         await import("../../tools/browser/runtime-check.js");
       const browserStatus = await checkBrowserRuntime();
@@ -339,7 +315,7 @@ Examples:
         );
       }
 
-      // 13. Sandbox backend diagnostics
+      // 12. Sandbox backend diagnostics
       const { runSandboxDiagnostics } =
         await import("../../tools/terminal/sandbox-diagnostics.js");
       const sandbox = runSandboxDiagnostics();

package/src/cli/commands/memory.ts

@@ -58,9 +58,9 @@ Fields shown:
 Examples:
   $ assistant memory status`,
     )
-    .action(() => {
+    .action(async () => {
       initializeDb();
-      const status = getMemorySystemStatus();
+      const status = await getMemorySystemStatus();
       log.info(`Memory enabled: ${status.enabled ? "yes" : "no"}`);
       log.info(`Memory degraded: ${status.degraded ? "yes" : "no"}`);
       if (status.reason) log.info(`Reason: ${status.reason}`);
@@ -112,9 +112,7 @@ Examples:
 
   memory
     .command("cleanup")
-    .description(
-      "Queue cleanup jobs for stale superseded items",
-    )
+    .description("Queue cleanup jobs for stale superseded items")
     .option(
       "--retention-ms <ms>",
       "Optional retention threshold in milliseconds",

package/src/cli/commands/sessions.ts

@@ -227,7 +227,7 @@ Examples:
 
       const config = getConfig();
       const qdrantUrl = getQdrantUrlEnv() || config.memory.qdrant.url;
-      const embeddingSelection = selectEmbeddingBackend(config);
+      const embeddingSelection = await selectEmbeddingBackend(config);
       const embeddingModel = embeddingSelection.backend
         ? `${embeddingSelection.backend.provider}:${embeddingSelection.backend.model}:sparse-v${SPARSE_EMBEDDING_VERSION}`
         : undefined;