npm - @vellumai/assistant - Versions diffs - 0.4.53 → 0.4.55 - Mend

@vellumai/assistant 0.4.53 → 0.4.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/bun.lock +62 -349
package/docs/architecture/integrations.md +1 -1
package/docs/architecture/keychain-broker.md +94 -29
package/docs/architecture/security.md +2 -2
package/knip.json +7 -29
package/package.json +2 -9
package/src/__tests__/agent-loop.test.ts +1 -1
package/src/__tests__/app-git-history.test.ts +0 -2
package/src/__tests__/app-git-service.test.ts +1 -6
package/src/__tests__/approval-cascade.test.ts +0 -1
package/src/__tests__/avatar-e2e.test.ts +0 -1
package/src/__tests__/browser-fill-credential.test.ts +1 -6
package/src/__tests__/call-domain.test.ts +0 -1
package/src/__tests__/call-routes-http.test.ts +0 -1
package/src/__tests__/channel-guardian.test.ts +4 -4
package/src/__tests__/channel-readiness-routes.test.ts +0 -1
package/src/__tests__/channel-readiness-service.test.ts +0 -1
package/src/__tests__/checker.test.ts +13 -11
package/src/__tests__/claude-code-skill-regression.test.ts +0 -1
package/src/__tests__/claude-code-tool-profiles.test.ts +1 -2
package/src/__tests__/config-loader-backfill.test.ts +0 -3
package/src/__tests__/config-schema.test.ts +3 -9
package/src/__tests__/config-watcher.test.ts +11 -3
package/src/__tests__/credential-broker-browser-fill.test.ts +27 -24
package/src/__tests__/credential-broker-server-use.test.ts +60 -24
package/src/__tests__/credential-security-e2e.test.ts +1 -6
package/src/__tests__/credential-security-invariants.test.ts +13 -8
package/src/__tests__/credential-vault-unit.test.ts +28 -12
package/src/__tests__/credential-vault.test.ts +40 -28
package/src/__tests__/credentials-cli.test.ts +1 -21
package/src/__tests__/email-invite-adapter.test.ts +0 -1
package/src/__tests__/fixtures/credential-security-fixtures.ts +3 -3
package/src/__tests__/fixtures/media-reuse-fixtures.ts +3 -79
package/src/__tests__/gateway-only-enforcement.test.ts +1 -21
package/src/__tests__/guardian-action-conversation-turn.test.ts +8 -8
package/src/__tests__/guardian-action-late-reply.test.ts +13 -14
package/src/__tests__/guardian-action-store.test.ts +0 -57
package/src/__tests__/guardian-outbound-http.test.ts +1 -1
package/src/__tests__/guardian-verification-voice-binding.test.ts +1 -3
package/src/__tests__/hooks-blocking.test.ts +1 -1
package/src/__tests__/hooks-config.test.ts +5 -29
package/src/__tests__/hooks-discovery.test.ts +1 -1
package/src/__tests__/hooks-integration.test.ts +1 -1
package/src/__tests__/hooks-manager.test.ts +1 -1
package/src/__tests__/hooks-runner.test.ts +1 -23
package/src/__tests__/hooks-settings.test.ts +1 -1
package/src/__tests__/hooks-templates.test.ts +1 -1
package/src/__tests__/integration-status.test.ts +0 -1
package/src/__tests__/invite-routes-http.test.ts +0 -3
package/src/__tests__/list-messages-attachments.test.ts +4 -4
package/src/__tests__/llm-usage-store.test.ts +50 -0
package/src/__tests__/managed-proxy-context.test.ts +41 -41
package/src/__tests__/media-generate-image.test.ts +2 -2
package/src/__tests__/media-reuse-story.e2e.test.ts +1 -6
package/src/__tests__/memory-regressions.experimental.test.ts +4 -4
package/src/__tests__/memory-regressions.test.ts +27 -27
package/src/__tests__/memory-retrieval.benchmark.test.ts +1 -1
package/src/__tests__/memory-upsert-concurrency.test.ts +4 -4
package/src/__tests__/notification-decision-fallback.test.ts +1 -1
package/src/__tests__/oauth-cli.test.ts +1 -4
package/src/__tests__/oauth-store.test.ts +1 -3
package/src/__tests__/openai-provider.test.ts +7 -7
package/src/__tests__/platform.test.ts +14 -4
package/src/__tests__/pricing.test.ts +0 -223
package/src/__tests__/provider-commit-message-generator.test.ts +1 -4
package/src/__tests__/provider-fail-open-selection.test.ts +58 -54
package/src/__tests__/provider-managed-proxy-integration.test.ts +63 -63
package/src/__tests__/provider-registry-ollama.test.ts +3 -3
package/src/__tests__/public-ingress-urls.test.ts +1 -1
package/src/__tests__/registry.test.ts +3 -103
package/src/__tests__/script-proxy-injection-runtime.test.ts +2 -7
package/src/__tests__/secret-onetime-send.test.ts +1 -6
package/src/__tests__/secret-routes-managed-proxy.test.ts +6 -13
package/src/__tests__/secure-keys.test.ts +241 -229
package/src/__tests__/session-abort-tool-results.test.ts +0 -1
package/src/__tests__/session-confirmation-signals.test.ts +0 -1
package/src/__tests__/session-messaging-secret-redirect.test.ts +1 -7
package/src/__tests__/session-pre-run-repair.test.ts +0 -1
package/src/__tests__/session-provider-retry-repair.test.ts +0 -1
package/src/__tests__/session-queue.test.ts +2 -4
package/src/__tests__/session-slash-known.test.ts +0 -1
package/src/__tests__/session-slash-queue.test.ts +0 -1
package/src/__tests__/session-slash-unknown.test.ts +0 -1
package/src/__tests__/session-workspace-injection.test.ts +0 -1
package/src/__tests__/session-workspace-tool-tracking.test.ts +0 -1
package/src/__tests__/skill-projection-feature-flag.test.ts +0 -1
package/src/__tests__/slack-channel-config.test.ts +1 -7
package/src/__tests__/swarm-recursion.test.ts +0 -1
package/src/__tests__/swarm-session-integration.test.ts +0 -1
package/src/__tests__/swarm-tool.test.ts +0 -1
package/src/__tests__/task-compiler.test.ts +1 -1
package/src/__tests__/test-support/browser-skill-harness.ts +0 -18
package/src/__tests__/test-support/computer-use-skill-harness.ts +0 -23
package/src/__tests__/tool-executor.test.ts +1 -1
package/src/__tests__/trust-store.test.ts +3 -82
package/src/__tests__/twilio-config.test.ts +0 -1
package/src/__tests__/twilio-provider.test.ts +0 -5
package/src/__tests__/twilio-routes.test.ts +0 -1
package/src/__tests__/usage-cache-backfill-migration.test.ts +10 -10
package/src/calls/guardian-question-copy.ts +1 -1
package/src/cli/commands/bash.ts +3 -0
package/src/cli/commands/doctor.ts +10 -34
package/src/cli/commands/memory.ts +3 -5
package/src/cli/commands/sessions.ts +1 -1
package/src/cli/commands/usage.ts +359 -0
package/src/cli/http-client.ts +22 -12
package/src/cli/program.ts +2 -0
package/src/cli/reference.ts +1 -0
package/src/cli.ts +251 -181
package/src/config/assistant-feature-flags.ts +0 -7
package/src/config/bundled-skills/chatgpt-import/tools/chatgpt-import.ts +1 -1
package/src/config/bundled-skills/claude-code/SKILL.md +1 -1
package/src/config/bundled-skills/claude-code/TOOLS.json +1 -1
package/src/config/bundled-skills/gmail/SKILL.md +0 -1
package/src/config/bundled-skills/image-studio/tools/media-generate-image.ts +2 -2
package/src/config/bundled-skills/media-processing/services/reduce.ts +1 -1
package/src/config/bundled-skills/messaging/SKILL.md +0 -1
package/src/config/bundled-skills/sequences/SKILL.md +0 -1
package/src/config/env.ts +13 -0
package/src/config/feature-flag-registry.json +9 -41
package/src/config/schemas/security.ts +1 -2
package/src/config/skills.ts +1 -1
package/src/contacts/contact-store.ts +0 -50
package/src/daemon/approved-devices-store.ts +0 -44
package/src/daemon/classifier.ts +1 -1
package/src/daemon/config-watcher.ts +14 -8
package/src/daemon/handlers/config-model.ts +1 -1
package/src/daemon/handlers/sessions.ts +4 -116
package/src/daemon/handlers/skills.ts +1 -1
package/src/daemon/lifecycle.ts +13 -15
package/src/daemon/providers-setup.ts +1 -1
package/src/daemon/server.ts +20 -3
package/src/daemon/session-slash.ts +2 -2
package/src/daemon/shutdown-handlers.ts +15 -0
package/src/daemon/watch-handler.ts +2 -2
package/src/email/guardrails.ts +1 -1
package/src/email/service.ts +0 -5
package/src/hooks/templates.ts +1 -1
package/src/media/app-icon-generator.ts +2 -2
package/src/media/avatar-router.ts +2 -2
package/src/media/gemini-image-service.ts +5 -5
package/src/memory/admin.ts +2 -2
package/src/memory/app-git-service.ts +0 -7
package/src/memory/conversation-crud.ts +1 -1
package/src/memory/conversation-title-service.ts +2 -2
package/src/memory/embedding-backend.ts +30 -26
package/src/memory/external-conversation-store.ts +0 -30
package/src/memory/guardian-action-store.ts +0 -31
package/src/memory/guardian-approvals.ts +1 -56
package/src/memory/indexer.ts +4 -3
package/src/memory/items-extractor.ts +1 -1
package/src/memory/job-handlers/backfill.ts +5 -2
package/src/memory/job-handlers/index-maintenance.ts +2 -2
package/src/memory/job-handlers/media-processing.ts +2 -2
package/src/memory/job-handlers/summarization.ts +1 -1
package/src/memory/job-utils.ts +1 -2
package/src/memory/jobs-worker.ts +2 -2
package/src/memory/llm-usage-store.ts +57 -11
package/src/memory/media-store.ts +4 -535
package/src/memory/migrations/032-guardian-delivery-conversation-index.ts +2 -2
package/src/memory/migrations/110-channel-guardian.ts +0 -1
package/src/memory/published-pages-store.ts +0 -83
package/src/memory/qdrant-circuit-breaker.ts +0 -8
package/src/memory/retriever.ts +1 -1
package/src/memory/schema/calls.ts +0 -67
package/src/memory/search/semantic.ts +1 -8
package/src/memory/shared-app-links-store.ts +0 -15
package/src/messaging/registry.ts +0 -5
package/src/messaging/style-analyzer.ts +1 -1
package/src/notifications/copy-composer.ts +5 -13
package/src/notifications/decision-engine.ts +2 -2
package/src/notifications/deliveries-store.ts +0 -39
package/src/notifications/guardian-question-mode.ts +6 -10
package/src/notifications/preference-extractor.ts +1 -1
package/src/oauth/byo-connection.test.ts +29 -20
package/src/oauth/provider-behaviors.ts +1 -1
package/src/permissions/checker.ts +1 -1
package/src/permissions/shell-identity.ts +0 -5
package/src/permissions/trust-store.ts +0 -37
package/src/prompts/system-prompt.ts +4 -4
package/src/prompts/templates/SOUL.md +1 -1
package/src/providers/managed-proxy/constants.ts +8 -10
package/src/providers/managed-proxy/context.ts +14 -9
package/src/providers/provider-send-message.ts +4 -52
package/src/providers/registry.ts +16 -50
package/src/runtime/actor-token-store.ts +0 -23
package/src/runtime/auth/__tests__/guard-tests.test.ts +64 -0
package/src/runtime/http-router.ts +5 -1
package/src/runtime/http-server.ts +101 -4
package/src/runtime/invite-instruction-generator.ts +25 -51
package/src/runtime/invite-service.ts +0 -20
package/src/runtime/routes/attachment-routes.ts +1 -1
package/src/runtime/routes/brain-graph-routes.ts +1 -1
package/src/runtime/routes/call-routes.ts +1 -1
package/src/runtime/routes/conversation-routes.ts +32 -11
package/src/runtime/routes/debug-routes.ts +1 -1
package/src/runtime/routes/diagnostics-routes.ts +2 -2
package/src/runtime/routes/documents-routes.ts +3 -3
package/src/runtime/routes/global-search-routes.ts +1 -1
package/src/runtime/routes/guardian-bootstrap-routes.ts +0 -20
package/src/runtime/routes/guardian-refresh-routes.ts +0 -20
package/src/runtime/routes/secret-routes.ts +4 -4
package/src/runtime/routes/session-management-routes.ts +27 -0
package/src/runtime/routes/trust-rules-routes.ts +1 -1
package/src/security/credential-backend.ts +148 -0
package/src/security/oauth2.ts +1 -1
package/src/security/secret-allowlist.ts +1 -1
package/src/security/secure-keys.ts +98 -160
package/src/security/token-manager.ts +0 -7
package/src/sequence/guardrails.ts +0 -4
package/src/sequence/store.ts +1 -20
package/src/sequence/types.ts +1 -36
package/src/signals/bash.ts +33 -0
package/src/signals/cancel.ts +69 -0
package/src/signals/conversation-undo.ts +127 -0
package/src/signals/trust-rule.ts +174 -0
package/src/skills/clawhub.ts +5 -5
package/src/skills/managed-store.ts +4 -4
package/src/subagent/manager.ts +8 -1
package/src/telemetry/usage-telemetry-reporter.test.ts +366 -0
package/src/telemetry/usage-telemetry-reporter.ts +181 -0
package/src/tools/claude-code/claude-code.ts +2 -2
package/src/tools/credentials/vault.ts +8 -4
package/src/tools/memory/handlers.test.ts +24 -26
package/src/tools/memory/handlers.ts +1 -13
package/src/tools/registry.ts +5 -100
package/src/tools/terminal/parser.ts +34 -4
package/src/tools/tool-manifest.ts +0 -10
package/src/usage/actors.ts +0 -12
package/src/util/canonicalize-identity.ts +0 -9
package/src/util/errors.ts +0 -3
package/src/util/platform.ts +24 -7
package/src/util/pricing.ts +0 -38
package/src/watcher/constants.ts +0 -7
package/src/watcher/providers/linear.ts +1 -1
package/src/work-items/work-item-store.ts +4 -4
package/src/workspace/commit-message-provider.ts +1 -1
package/src/workspace/git-service.ts +44 -1
package/src/workspace/provider-commit-message-generator.ts +1 -1
package/src/__tests__/fixtures/proxy-fixtures.ts +0 -147
package/src/browser-extension-relay/client.ts +0 -155
package/src/contacts/index.ts +0 -18
package/src/daemon/tls-certs.ts +0 -270
package/src/errors.ts +0 -41
package/src/events/index.ts +0 -18
package/src/followups/index.ts +0 -10
package/src/playbooks/index.ts +0 -10
package/src/runtime/auth/index.ts +0 -44
package/src/tasks/candidate-store.ts +0 -95
package/src/tools/browser/api-map.ts +0 -313
package/src/tools/browser/auto-navigate.ts +0 -469
package/src/tools/browser/headless-browser.ts +0 -590
package/src/tools/browser/recording-store.ts +0 -75
package/src/tools/computer-use/registry.ts +0 -21
package/src/tools/tasks/index.ts +0 -27

package/src/__tests__/credential-vault-unit.test.ts CHANGED Viewed

@@ -105,7 +105,10 @@ mock.module("../security/oauth2.js", () => ({
 // ---------------------------------------------------------------------------
 import { credentialKey } from "../security/credential-key.js";
-import { getSecureKey, setSecureKey } from "../security/secure-keys.js";
+import {
+  getSecureKeyAsync,
+  setSecureKeyAsync,
+} from "../security/secure-keys.js";
 import { CredentialBroker } from "../tools/credentials/broker.js";
 import {
   _setMetadataPath,
@@ -205,7 +208,7 @@ describe("CredentialBroker transient credentials", () => {
     upsertCredentialMetadata("github", "token", {
       allowedTools: ["browser_fill_credential"],
     });
-    setSecureKey(credentialKey("github", "token"), "stored-value");
+    await setSecureKeyAsync(credentialKey("github", "token"), "stored-value");
     broker.injectTransient("github", "token", "transient-value");
     // First fill uses transient
@@ -468,9 +471,9 @@ describe("credential_store tool — prompt action", () => {
     expect(result.content).not.toContain("prompt-secret-val");
     // Verify stored
-    expect(getSecureKey(credentialKey("test-prompt", "api_key"))).toBe(
-      "prompt-secret-val",
-    );
+    expect(
+      await getSecureKeyAsync(credentialKey("test-prompt", "api_key")),
+    ).toBe("prompt-secret-val");
   });
   test("prompt with policy fields persists metadata", async () => {
@@ -702,7 +705,10 @@ describe("credential_store tool — oauth2_connect error paths", () => {
       callbackTransport: "loopback",
       loopbackPort: 8756,
     }));
-    setSecureKey("oauth_app/test-app-id/client_secret", "test-secret");
+    await setSecureKeyAsync(
+      "oauth_app/test-app-id/client_secret",
+      "test-secret",
+    );
     const result = await credentialStoreTool.execute(
       {
@@ -756,7 +762,10 @@ describe("credential_store tool — oauth2_connect error paths", () => {
       callbackTransport: "loopback",
       loopbackPort: 8756,
     }));
-    setSecureKey("oauth_app/matched-app-id/client_secret", "matched-secret");
+    await setSecureKeyAsync(
+      "oauth_app/matched-app-id/client_secret",
+      "matched-secret",
+    );
     const result = await credentialStoreTool.execute(
       {
@@ -797,7 +806,10 @@ describe("credential_store tool — oauth2_connect error paths", () => {
       callbackTransport: "loopback",
       loopbackPort: 8756,
     }));
-    setSecureKey("oauth_app/recent-app-id/client_secret", "recent-secret");
+    await setSecureKeyAsync(
+      "oauth_app/recent-app-id/client_secret",
+      "recent-secret",
+    );
     const result = await credentialStoreTool.execute(
       {
@@ -1024,7 +1036,9 @@ describe("credential_store tool — store validation edge cases", () => {
     );
     // Verify stored
-    expect(getSecureKey(credentialKey("del-test", "key"))).toBe("secret");
+    expect(await getSecureKeyAsync(credentialKey("del-test", "key"))).toBe(
+      "secret",
+    );
     const { getCredentialMetadata } =
       await import("../tools/credentials/metadata-store.js");
     expect(getCredentialMetadata("del-test", "key")).toBeDefined();
@@ -1041,7 +1055,9 @@ describe("credential_store tool — store validation edge cases", () => {
     expect(result.isError).toBe(false);
     // Both should be gone
-    expect(getSecureKey(credentialKey("del-test", "key"))).toBeUndefined();
+    expect(
+      await getSecureKeyAsync(credentialKey("del-test", "key")),
+    ).toBeUndefined();
     expect(getCredentialMetadata("del-test", "key")).toBeUndefined();
   });
 });
@@ -1130,7 +1146,7 @@ describe("CredentialBroker — serverUseById edge cases", () => {
         },
       ],
     });
-    setSecureKey(credentialKey("multi", "api_key"), "multi-secret");
+    await setSecureKeyAsync(credentialKey("multi", "api_key"), "multi-secret");
     const result = await broker.serverUseById({
       credentialId: meta.credentialId,
@@ -1150,7 +1166,7 @@ describe("CredentialBroker — serverUseById edge cases", () => {
     const meta = upsertCredentialMetadata("fal", "api_key", {
       allowedTools: ["proxy"],
     });
-    // No setSecureKey — metadata exists but value doesn't
+    // No setSecureKeyAsync — metadata exists but value doesn't
     const result = await broker.serverUseById({
       credentialId: meta.credentialId,

package/src/__tests__/credential-vault.test.ts CHANGED Viewed

@@ -132,13 +132,13 @@ mock.module("../oauth/oauth-store.js", () => {
 // Import the module under test
 // ---------------------------------------------------------------------------
-// getCredentialValue is no longer exported (sealed in PR 17) — use getSecureKey directly
+// getCredentialValue is no longer exported (sealed in PR 17) — use getSecureKeyAsync directly
 import { credentialKey } from "../security/credential-key.js";
 import {
-  deleteSecureKey,
-  getSecureKey,
-  setSecureKey,
+  deleteSecureKeyAsync,
+  getSecureKeyAsync,
+  setSecureKeyAsync,
 } from "../security/secure-keys.js";
 import {
   _resetInflightRefreshes,
@@ -210,7 +210,7 @@ async function executeVault(
       }
       const key = credentialKey(service, field);
-      const ok = setSecureKey(key, value);
+      const ok = await setSecureKeyAsync(key, value);
       if (!ok) {
         return { content: "Error: failed to store credential", isError: true };
       }
@@ -241,7 +241,7 @@ async function executeVault(
       }
       const key = credentialKey(service, field);
-      const result = deleteSecureKey(key);
+      const result = await deleteSecureKeyAsync(key);
       if (result !== "deleted") {
         return {
           content: `Error: credential ${service}/${field} not found`,
@@ -645,7 +645,7 @@ describe("credential_store tool", () => {
       // Delete the secret directly without going through the tool (simulates
       // a divergence where metadata write failed after secret deletion)
-      deleteSecureKey(credentialKey("svc-a", "key"));
+      await deleteSecureKeyAsync(credentialKey("svc-a", "key"));
       const result = await credentialStoreTool.execute(
         { action: "list" },
@@ -688,7 +688,7 @@ describe("credential_store tool", () => {
   // -----------------------------------------------------------------------
   describe("delete action", () => {
     test("deletes a stored credential", async () => {
-      setSecureKey(credentialKey("gmail", "password"), "secret");
+      await setSecureKeyAsync(credentialKey("gmail", "password"), "secret");
       const result = await executeVault({
         action: "delete",
@@ -699,7 +699,9 @@ describe("credential_store tool", () => {
       expect(result.content).toBe("Deleted credential for gmail/password.");
       // Verify it's actually gone
-      expect(getSecureKey(credentialKey("gmail", "password"))).toBeUndefined();
+      expect(
+        await getSecureKeyAsync(credentialKey("gmail", "password")),
+      ).toBeUndefined();
     });
     test("returns error for non-existent credential", async () => {
@@ -773,14 +775,16 @@ describe("credential_store tool", () => {
   // Credential value access (sealed — only via secure-keys internally)
   // -----------------------------------------------------------------------
   describe("credential value access", () => {
-    test("credential values are stored via secure keys", () => {
-      setSecureKey(credentialKey("github", "token"), "ghp_abc123");
-      expect(getSecureKey(credentialKey("github", "token"))).toBe("ghp_abc123");
+    test("credential values are stored via secure keys", async () => {
+      await setSecureKeyAsync(credentialKey("github", "token"), "ghp_abc123");
+      expect(await getSecureKeyAsync(credentialKey("github", "token"))).toBe(
+        "ghp_abc123",
+      );
     });
-    test("returns undefined for non-existent credential", () => {
+    test("returns undefined for non-existent credential", async () => {
       expect(
-        getSecureKey(credentialKey("nonexistent", "field")),
+        await getSecureKeyAsync(credentialKey("nonexistent", "field")),
       ).toBeUndefined();
     });
   });
@@ -1226,10 +1230,10 @@ describe("credential_store tool", () => {
         value: "github-pass",
       });
-      expect(getSecureKey(credentialKey("gmail", "password"))).toBe(
+      expect(await getSecureKeyAsync(credentialKey("gmail", "password"))).toBe(
         "gmail-pass",
       );
-      expect(getSecureKey(credentialKey("github", "password"))).toBe(
+      expect(await getSecureKeyAsync(credentialKey("github", "password"))).toBe(
         "github-pass",
       );
     });
@@ -1248,10 +1252,12 @@ describe("credential_store tool", () => {
         value: "backup@example.com",
       });
-      expect(getSecureKey(credentialKey("gmail", "password"))).toBe("pass123");
-      expect(getSecureKey(credentialKey("gmail", "recovery_email"))).toBe(
-        "backup@example.com",
+      expect(await getSecureKeyAsync(credentialKey("gmail", "password"))).toBe(
+        "pass123",
       );
+      expect(
+        await getSecureKeyAsync(credentialKey("gmail", "recovery_email")),
+      ).toBe("backup@example.com");
     });
   });
 });
@@ -1303,7 +1309,7 @@ describe("withValidToken refresh deduplication", () => {
    * OAuth-specific fields (tokenUrl, clientId, expiresAt) are now stored
    * in the SQLite oauth-store. The mock maps simulate the DB layer.
    */
-  function setupService(
+  async function setupService(
     service: string,
     opts?: { expired?: boolean; accessToken?: string },
   ) {
@@ -1315,7 +1321,10 @@ describe("withValidToken refresh deduplication", () => {
     // Store access token under the oauth_connection key path that
     // withValidToken reads (not the legacy credentialKey path).
-    setSecureKey(`oauth_connection/${connId}/access_token`, accessToken);
+    await setSecureKeyAsync(
+      `oauth_connection/${connId}/access_token`,
+      accessToken,
+    );
     mockProviders.set(service, {
       key: service,
       tokenUrl: "https://oauth.example.com/token",
@@ -1335,15 +1344,18 @@ describe("withValidToken refresh deduplication", () => {
         : Date.now() + 3600_000, // expires in 1 hour
     });
     // Store refresh token and client_secret in secure keys (token-manager reads them)
-    setSecureKey(
+    await setSecureKeyAsync(
       `oauth_connection/${connId}/refresh_token`,
       "valid-refresh-token",
     );
-    setSecureKey(`oauth_app/${appId}/client_secret`, "test-client-secret");
+    await setSecureKeyAsync(
+      `oauth_app/${appId}/client_secret`,
+      "test-client-secret",
+    );
   }
   test("3 concurrent 401 refreshes for the same service call doRefresh exactly once", async () => {
-    setupService("integration:google");
+    await setupService("integration:google");
     let resolveRefresh!: (value: {
       accessToken: string;
@@ -1391,8 +1403,8 @@ describe("withValidToken refresh deduplication", () => {
   });
   test("concurrent refreshes for different services proceed independently", async () => {
-    setupService("integration:google");
-    setupService("integration:slack");
+    await setupService("integration:google");
+    await setupService("integration:slack");
     let resolveGmail!: (value: {
       accessToken: string;
@@ -1455,7 +1467,7 @@ describe("withValidToken refresh deduplication", () => {
   });
   test("deduplication cleans up after refresh completes, allowing subsequent refreshes", async () => {
-    setupService("integration:google");
+    await setupService("integration:google");
     let refreshCount = 0;
     mockRefreshOAuth2Token.mockImplementation(() => {
@@ -1495,7 +1507,7 @@ describe("withValidToken refresh deduplication", () => {
   });
   test("deduplication propagates refresh errors to all waiting callers", async () => {
-    setupService("integration:google");
+    await setupService("integration:google");
     mockRefreshOAuth2Token.mockImplementation(() =>
       Promise.reject(

package/src/__tests__/credentials-cli.test.ts CHANGED Viewed

@@ -31,15 +31,6 @@ let _getMetadataByIdCalls = 0;
 // ---------------------------------------------------------------------------
 mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (account: string): string | undefined => {
-    _getSecureKeyCalls += 1;
-    return secureKeyStore.get(account);
-  },
-  setSecureKey: (account: string, value: string): boolean => {
-    _setSecureKeyCalls += 1;
-    secureKeyStore.set(account, value);
-    return true;
-  },
   setSecureKeyAsync: async (
     account: string,
     value: string,
@@ -48,14 +39,6 @@ mock.module("../security/secure-keys.js", () => ({
     secureKeyStore.set(account, value);
     return true;
   },
-  deleteSecureKey: (account: string): "deleted" | "not-found" | "error" => {
-    _deleteSecureKeyCalls += 1;
-    if (secureKeyStore.has(account)) {
-      secureKeyStore.delete(account);
-      return "deleted";
-    }
-    return "not-found";
-  },
   deleteSecureKeyAsync: async (
     account: string,
   ): Promise<"deleted" | "not-found" | "error"> => {
@@ -66,17 +49,14 @@ mock.module("../security/secure-keys.js", () => ({
     }
     return "not-found";
   },
-  listSecureKeys: (): string[] => {
+  listSecureKeysAsync: async (): Promise<string[]> => {
     return [...secureKeyStore.keys()];
   },
   getSecureKeyAsync: async (account: string): Promise<string | undefined> => {
     _getSecureKeyCalls += 1;
     return secureKeyStore.get(account);
   },
-  getBackendType: (): "broker" | "encrypted" | null => null,
-  isDowngradedFromKeychain: (): boolean => false,
   _resetBackend: (): void => {},
-  _setBackend: (): void => {},
 }));
 // ---------------------------------------------------------------------------

package/src/__tests__/email-invite-adapter.test.ts CHANGED Viewed

@@ -22,7 +22,6 @@ mock.module("../email/service.js", () => ({
   }),
   // Re-export other symbols that callers might need
   EmailService: class {},
-  _resetEmailService: () => {},
 }));
 // ---------------------------------------------------------------------------

package/src/__tests__/fixtures/credential-security-fixtures.ts CHANGED Viewed

@@ -100,7 +100,7 @@ export const directReadCases: DirectReadCase[] = [
 export interface LogLeakageCase {
   label: string;
   /** Component where logging might leak credentials */
-  component: "daemon_handler" | "prompter" | "tool_executor" | "ipc_decode";
+  component: "daemon_handler" | "prompter" | "tool_executor" | "message_decode";
   /** Description of what log output is checked */
   logCheck: string;
 }
@@ -122,8 +122,8 @@ export const logLeakageCases: LogLeakageCase[] = [
     logCheck: "password/token/value fields masked",
   },
   {
-    label: "IPC decode failure does not dump raw line",
-    component: "ipc_decode",
+    label: "message decode failure does not dump raw line",
+    component: "message_decode",
     logCheck: "malformed line not logged verbatim",
   },
 ];

package/src/__tests__/fixtures/media-reuse-fixtures.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 /**
  * Shared fixtures for media-reuse testing.
  *
- * Provides deterministic attachment blobs, message links, and approval
- * response helpers used by the proxy and asset tool test suites.
+ * Provides deterministic attachment blobs and approval response helpers
+ * used by the proxy and asset tool test suites.
  */
 import type { StoredAttachment } from "../../memory/attachments-store.js";
@@ -16,12 +16,6 @@ import type { UserDecision } from "../../permissions/types.js";
 export const TINY_PNG_BASE64 =
   "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/5+hHgAHggJ/PchI7wAAAABJRU5ErkJggg==";
-/** A tiny 1x1 JPEG pixel, base64-encoded. */
-export const TINY_JPEG_BASE64 =
-  "/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMCwsKCwsM" +
-  "CgwMDQwMCwwMDQsLCwwODQoMEAwMEQ4ODwwLDgz/2wBDAQMEBAUEBQkFBQkMCwkLDAwMDAwMDAwMDAwM" +
-  "DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAz/wAARCAABAAEDASIAAhEBAxEB/8QAFAABAAAAAAAAAAAAAAAAAAAACf/EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAUAQEAAAAAAAAAAAAAAAAAAAAA/8QAFBEBAAAAAAAAAAAAAAAAAAAAAP/aAAwDAQACEQMRAD8AKwA//9k=";
 // ---------------------------------------------------------------------------
 // Deterministic attachment records
 // ---------------------------------------------------------------------------
@@ -39,60 +33,11 @@ export const FAKE_SELFIE_ATTACHMENT: StoredAttachment = {
   createdAt: NOW,
 };
-/** A fake document attachment. */
-export const FAKE_DOCUMENT_ATTACHMENT: StoredAttachment = {
-  id: "att-doc-001",
-  originalFilename: "report.pdf",
-  mimeType: "application/pdf",
-  sizeBytes: 4096,
-  kind: "document",
-  thumbnailBase64: null,
-  createdAt: NOW,
-};
-/** A fake JPEG photo attachment. */
-export const FAKE_PHOTO_ATTACHMENT: StoredAttachment = {
-  id: "att-photo-001",
-  originalFilename: "photo.jpg",
-  mimeType: "image/jpeg",
-  sizeBytes: Buffer.from(TINY_JPEG_BASE64, "base64").length,
-  kind: "image",
-  thumbnailBase64: null,
-  createdAt: NOW,
-};
-// ---------------------------------------------------------------------------
-// Message link helpers
-// ---------------------------------------------------------------------------
-export interface FakeMessageLink {
-  messageId: string;
-  attachmentId: string;
-  conversationId: string;
-  position: number;
-}
-/** A deterministic message-attachment link for the selfie. */
-export const FAKE_SELFIE_LINK: FakeMessageLink = {
-  messageId: "msg-001",
-  attachmentId: FAKE_SELFIE_ATTACHMENT.id,
-  conversationId: "conv-001",
-  position: 0,
-};
-/** A second link showing multiple attachments on one message. */
-export const FAKE_DOCUMENT_LINK: FakeMessageLink = {
-  messageId: "msg-001",
-  attachmentId: FAKE_DOCUMENT_ATTACHMENT.id,
-  conversationId: "conv-001",
-  position: 1,
-};
 // ---------------------------------------------------------------------------
 // Approval response helpers
 // ---------------------------------------------------------------------------
-export interface FakeApprovalResponse {
+interface FakeApprovalResponse {
   decision: UserDecision;
   /** Pattern for "always allow" decisions (undefined for one-shot allow/deny). */
   pattern?: string;
@@ -109,24 +54,3 @@ export function fakeAllowOnce(): FakeApprovalResponse {
 export function fakeDeny(): FakeApprovalResponse {
   return { decision: "deny" };
 }
-/** Returns an "always allow" decision with a pattern for the trust rule. */
-export function fakeAlwaysAllow(
-  pattern: string,
-  scope = "/tmp/test-project",
-): FakeApprovalResponse {
-  return { decision: "always_allow", pattern, scope };
-}
-/** Returns an "always allow high risk" decision. */
-export function fakeAlwaysAllowHighRisk(
-  pattern: string,
-  scope = "/tmp/test-project",
-): FakeApprovalResponse {
-  return { decision: "always_allow_high_risk", pattern, scope };
-}
-/** Returns an "always deny" decision. */
-export function fakeAlwaysDeny(): FakeApprovalResponse {
-  return { decision: "always_deny" };
-}

package/src/__tests__/gateway-only-enforcement.test.ts CHANGED Viewed

@@ -110,27 +110,7 @@ mock.module("../calls/twilio-provider.js", () => ({
   },
 }));
-import { credentialKey } from "../security/credential-key.js";
-const secureKeyStore: Record<string, string | undefined> = {
-  [credentialKey("twilio", "account_sid")]: "AC_test",
-  [credentialKey("twilio", "auth_token")]: "test_token",
-};
-mock.module("../security/secure-keys.js", () => ({
-  getSecureKey: (key: string) => secureKeyStore[key] ?? null,
-  setSecureKey: (key: string, value: string) => {
-    secureKeyStore[key] = value;
-    return true;
-  },
-  deleteSecureKey: (key: string) => {
-    if (key in secureKeyStore) {
-      delete secureKeyStore[key];
-      return "deleted";
-    }
-    return "not-found";
-  },
-}));
+mock.module("../security/secure-keys.js", () => ({}));
 // NOTE: Do NOT mock '../inbound/public-ingress-urls.js' here.
 // Those are pure functions that derive URLs from the config object returned by

package/src/__tests__/guardian-action-conversation-turn.test.ts CHANGED Viewed

@@ -34,8 +34,8 @@ import {
   createGuardianActionDelivery,
   createGuardianActionRequest,
   finalizeFollowup,
+  getFollowupDeliveriesByConversation,
   getFollowupDeliveriesByDestination,
-  getFollowupDeliveryByConversation,
   getGuardianActionRequest,
   markTimedOutWithReason,
   progressFollowupState,
@@ -391,7 +391,7 @@ describe("guardian-action-conversation-turn", () => {
     expect(deliveries).toHaveLength(0);
   });
-  test("getFollowupDeliveryByConversation returns delivery in awaiting_guardian_choice", () => {
+  test("getFollowupDeliveriesByConversation returns delivery in awaiting_guardian_choice", () => {
     const { delivery, deliveryConvId } = createAwaitingChoiceRequest(
       "conv-turn-4",
       {
@@ -399,18 +399,18 @@ describe("guardian-action-conversation-turn", () => {
       },
     );
-    const found = getFollowupDeliveryByConversation(deliveryConvId);
-    expect(found).not.toBeNull();
-    expect(found!.id).toBe(delivery.id);
+    const found = getFollowupDeliveriesByConversation(deliveryConvId);
+    expect(found).toHaveLength(1);
+    expect(found[0].id).toBe(delivery.id);
   });
-  test("getFollowupDeliveryByConversation returns null for non-matching conversation", () => {
+  test("getFollowupDeliveriesByConversation returns empty for non-matching conversation", () => {
     createAwaitingChoiceRequest("conv-turn-5", {
       conversationId: "mac-conv-2",
     });
-    const found = getFollowupDeliveryByConversation("nonexistent-conv");
-    expect(found).toBeNull();
+    const found = getFollowupDeliveriesByConversation("nonexistent-conv");
+    expect(found).toHaveLength(0);
   });
   // ── State transitions from conversation engine results ──────────────

package/src/__tests__/guardian-action-late-reply.test.ts CHANGED Viewed

@@ -41,7 +41,6 @@ import {
   expireGuardianActionRequest,
   getExpiredDeliveriesByConversation,
   getExpiredDeliveriesByDestination,
-  getExpiredDeliveryByConversation,
   getFollowupDeliveriesByConversation,
   getGuardianActionRequest,
   getPendingDeliveriesByConversation,
@@ -180,34 +179,34 @@ describe("guardian-action-late-reply", () => {
     expect(deliveries).toHaveLength(0);
   });
-  // ── getExpiredDeliveryByConversation ───────────────────────────────
+  // ── getExpiredDeliveriesByConversation (singular-to-plural migration) ──
-  test("getExpiredDeliveryByConversation returns expired delivery for mac channel", () => {
+  test("getExpiredDeliveriesByConversation returns expired delivery for mac channel", () => {
     const { delivery, deliveryConvId } = createExpiredRequest("conv-late-4", {
       conversationId: "mac-conv-1",
     });
-    const found = getExpiredDeliveryByConversation(deliveryConvId);
-    expect(found).not.toBeNull();
-    expect(found!.id).toBe(delivery.id);
+    const found = getExpiredDeliveriesByConversation(deliveryConvId);
+    expect(found).toHaveLength(1);
+    expect(found[0].id).toBe(delivery.id);
   });
-  test("getExpiredDeliveryByConversation returns null for non-matching conversation", () => {
+  test("getExpiredDeliveriesByConversation returns empty for non-matching conversation", () => {
     createExpiredRequest("conv-late-5", { conversationId: "mac-conv-2" });
-    const found = getExpiredDeliveryByConversation("nonexistent-conv");
-    expect(found).toBeNull();
+    const found = getExpiredDeliveriesByConversation("nonexistent-conv");
+    expect(found).toHaveLength(0);
   });
-  test("getExpiredDeliveryByConversation returns null when followup already started", () => {
+  test("getExpiredDeliveriesByConversation returns empty when followup already started", () => {
     const { request, deliveryConvId } = createExpiredRequest("conv-late-6", {
       conversationId: "mac-conv-3",
     });
     startFollowupFromExpiredRequest(request.id, "already answered");
-    const found = getExpiredDeliveryByConversation(deliveryConvId);
-    expect(found).toBeNull();
+    const found = getExpiredDeliveriesByConversation(deliveryConvId);
+    expect(found).toHaveLength(0);
   });
   // ── startFollowupFromExpiredRequest ───────────────────────────────
@@ -309,8 +308,8 @@ describe("guardian-action-late-reply", () => {
     );
     expect(expiredByDest).toHaveLength(0);
-    const expiredByConv = getExpiredDeliveryByConversation(answeredConvId);
-    expect(expiredByConv).toBeNull();
+    const expiredByConv = getExpiredDeliveriesByConversation(answeredConvId);
+    expect(expiredByConv).toHaveLength(0);
   });
   // ── Composed follow-up text verification ──────────────────────────