@vellumai/assistant 0.4.56 → 0.5.0

package/src/__tests__/drop-capability-card-state-migration.test.ts

@@ -0,0 +1,169 @@
+import { Database } from "bun:sqlite";
+import { describe, expect, test } from "bun:test";
+
+import { drizzle } from "drizzle-orm/bun-sqlite";
+
+import { migrateDropCapabilityCardState } from "../memory/migrations/176-drop-capability-card-state.js";
+import * as schema from "../memory/schema.js";
+
+function createTestDb() {
+  const sqlite = new Database(":memory:");
+  sqlite.exec("PRAGMA journal_mode=WAL");
+  sqlite.exec("PRAGMA foreign_keys = ON");
+  return drizzle(sqlite, { schema });
+}
+
+type TestDb = ReturnType<typeof createTestDb>;
+
+function getRawSqlite(db: TestDb): Database {
+  return (db as unknown as { $client: Database }).$client;
+}
+
+function createLegacyCapabilityCardTables(raw: Database) {
+  raw.exec(/*sql*/ `
+    CREATE TABLE memory_checkpoints (
+      key TEXT PRIMARY KEY,
+      value TEXT NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  raw.exec(/*sql*/ `
+    CREATE TABLE memory_jobs (
+      id TEXT PRIMARY KEY,
+      type TEXT NOT NULL,
+      payload TEXT NOT NULL,
+      status TEXT NOT NULL,
+      attempts INTEGER NOT NULL DEFAULT 0,
+      deferrals INTEGER NOT NULL DEFAULT 0,
+      run_after INTEGER NOT NULL,
+      last_error TEXT,
+      started_at INTEGER,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  raw.exec(/*sql*/ `
+    CREATE TABLE conversation_starters (
+      id TEXT PRIMARY KEY,
+      label TEXT NOT NULL,
+      prompt TEXT NOT NULL,
+      generation_batch INTEGER NOT NULL,
+      scope_id TEXT NOT NULL DEFAULT 'default',
+      card_type TEXT NOT NULL DEFAULT 'chip',
+      created_at INTEGER NOT NULL
+    )
+  `);
+
+  raw.exec(/*sql*/ `
+    CREATE TABLE capability_card_categories (
+      scope_id TEXT NOT NULL,
+      category TEXT NOT NULL,
+      relevance REAL NOT NULL,
+      generation_batch INTEGER NOT NULL,
+      created_at INTEGER NOT NULL,
+      PRIMARY KEY (scope_id, category)
+    )
+  `);
+}
+
+describe("migrateDropCapabilityCardState", () => {
+  test("removes legacy capability-card rows, jobs, checkpoints, and table", () => {
+    const db = createTestDb();
+    const raw = getRawSqlite(db);
+    const now = Date.now();
+
+    createLegacyCapabilityCardTables(raw);
+
+    raw.exec(/*sql*/ `
+      INSERT INTO conversation_starters (id, label, prompt, generation_batch, scope_id, card_type, created_at)
+      VALUES
+        ('chip-1', 'Prep tomorrow', 'Prep tomorrow', 1, 'default', 'chip', ${now}),
+        ('card-1', 'Do this first', 'Do this first', 1, 'default', 'card', ${now})
+    `);
+    raw.exec(/*sql*/ `
+      INSERT INTO memory_jobs (id, type, payload, status, attempts, deferrals, run_after, created_at, updated_at)
+      VALUES
+        ('job-chip', 'generate_conversation_starters', '{}', 'pending', 0, 0, ${now}, ${now}, ${now}),
+        ('job-card', 'generate_capability_cards', '{}', 'pending', 0, 0, ${now}, ${now}, ${now})
+    `);
+    raw.exec(/*sql*/ `
+      INSERT INTO memory_checkpoints (key, value, updated_at)
+      VALUES
+        ('capability_cards:generation_batch', '7', ${now}),
+        ('other_checkpoint', '1', ${now})
+    `);
+    raw.exec(/*sql*/ `
+      INSERT INTO capability_card_categories (scope_id, category, relevance, generation_batch, created_at)
+      VALUES ('default', 'communication', 0.9, 1, ${now})
+    `);
+
+    migrateDropCapabilityCardState(db);
+
+    const starterRows = raw
+      .query(`SELECT id, card_type FROM conversation_starters ORDER BY id`)
+      .all() as Array<{ id: string; card_type: string }>;
+    expect(starterRows).toEqual([{ id: "chip-1", card_type: "chip" }]);
+
+    const jobTypes = raw
+      .query(`SELECT type FROM memory_jobs ORDER BY id`)
+      .all() as Array<{
+      type: string;
+    }>;
+    expect(jobTypes).toEqual([{ type: "generate_conversation_starters" }]);
+
+    const checkpointKeys = raw
+      .query(`SELECT key FROM memory_checkpoints ORDER BY key`)
+      .all() as Array<{ key: string }>;
+    expect(checkpointKeys.map((row) => row.key)).toEqual([
+      "migration_drop_capability_card_state_v1",
+      "other_checkpoint",
+    ]);
+
+    const migrationCheckpoint = raw
+      .query(
+        `SELECT value FROM memory_checkpoints WHERE key = 'migration_drop_capability_card_state_v1'`,
+      )
+      .get() as { value: string } | null;
+    expect(migrationCheckpoint?.value).toBe("1");
+
+    const legacyTable = raw
+      .query(
+        `SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'capability_card_categories'`,
+      )
+      .get();
+    expect(legacyTable).toBeNull();
+  });
+
+  test("is idempotent when run more than once", () => {
+    const db = createTestDb();
+    const raw = getRawSqlite(db);
+    const now = Date.now();
+
+    createLegacyCapabilityCardTables(raw);
+    raw.exec(/*sql*/ `
+      INSERT INTO conversation_starters (id, label, prompt, generation_batch, scope_id, card_type, created_at)
+      VALUES ('card-1', 'Do this first', 'Do this first', 1, 'default', 'card', ${now})
+    `);
+    raw.exec(/*sql*/ `
+      INSERT INTO memory_jobs (id, type, payload, status, attempts, deferrals, run_after, created_at, updated_at)
+      VALUES ('job-card', 'generate_capability_cards', '{}', 'pending', 0, 0, ${now}, ${now}, ${now})
+    `);
+
+    migrateDropCapabilityCardState(db);
+    migrateDropCapabilityCardState(db);
+
+    const starterCount = raw
+      .query(`SELECT COUNT(*) AS count FROM conversation_starters`)
+      .get() as { count: number };
+    expect(starterCount.count).toBe(0);
+
+    const jobCount = raw
+      .query(
+        `SELECT COUNT(*) AS count FROM memory_jobs WHERE type = 'generate_capability_cards'`,
+      )
+      .get() as { count: number };
+    expect(jobCount.count).toBe(0);
+  });
+});

package/src/__tests__/dynamic-skill-workflow-prompt.test.ts

@@ -53,7 +53,6 @@ mock.module("../util/logger.js", () => ({
 
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
-    sandbox: { enabled: false, backend: "native" },
     assistantFeatureFlagValues: {
       "feature_flags.browser.enabled": true,
     },
@@ -66,9 +65,9 @@ mock.module("../config/loader.js", () => ({
       "image-generation": {
         mode: "your-own",
         provider: "gemini",
-        model: "gemini-2.5-flash-image",
+        model: "gemini-3.1-flash-image-preview",
       },
-      "web-search": { mode: "your-own", provider: "anthropic-native" },
+      "web-search": { mode: "your-own", provider: "inference-provider-native" },
     },
   }),
   loadConfig: () => ({}),
@@ -83,7 +82,7 @@ mock.module("../config/loader.js", () => ({
 
 const { buildSystemPrompt } = await import("../prompts/system-prompt.js");
 
-describe("Dynamic Skill Authoring Workflow prompt section", () => {
+describe("Dynamic Skill Authoring Workflow moved to tool descriptions", () => {
   beforeEach(() => {
     mkdirSync(TEST_DIR, { recursive: true });
   });
@@ -94,36 +93,11 @@ describe("Dynamic Skill Authoring Workflow prompt section", () => {
     }
   });
 
-  test("buildSystemPrompt includes dynamic skill workflow section", () => {
+  test("system prompt no longer contains Dynamic Skill Authoring section", () => {
     writeFileSync(join(TEST_DIR, "IDENTITY.md"), "I am Vellum.");
     const result = buildSystemPrompt();
-    expect(result).toContain("## Dynamic Skill Authoring Workflow");
-  });
-
-  test("workflow section mentions scaffold and delete tools and bun run workflow", () => {
-    writeFileSync(join(TEST_DIR, "IDENTITY.md"), "I am Vellum.");
-    const result = buildSystemPrompt();
-    expect(result).toContain("bun run /tmp/vellum-eval/snippet.ts");
-    expect(result).toContain("scaffold_managed_skill");
-    expect(result).toContain("delete_managed_skill");
-  });
-
-  test("workflow section includes user confirmation warning", () => {
-    writeFileSync(join(TEST_DIR, "IDENTITY.md"), "I am Vellum.");
-    const result = buildSystemPrompt();
-    expect(result).toContain("explicit user confirmation");
-  });
-
-  test("workflow section includes retry limit guidance", () => {
-    writeFileSync(join(TEST_DIR, "IDENTITY.md"), "I am Vellum.");
-    const result = buildSystemPrompt();
-    expect(result).toContain("3 attempts");
-  });
-
-  test("workflow section includes conversation eviction note", () => {
-    writeFileSync(join(TEST_DIR, "IDENTITY.md"), "I am Vellum.");
-    const result = buildSystemPrompt();
-    expect(result).toContain("recreated session");
+    expect(result).not.toContain("## Dynamic Skill Authoring Workflow");
+    expect(result).not.toContain("### Community Skills Discovery");
   });
 
   test("prompt still includes available skills catalog when skills exist", () => {
@@ -138,8 +112,7 @@ describe("Dynamic Skill Authoring Workflow prompt section", () => {
 
     const result = buildSystemPrompt();
     expect(result).toContain("## Available Skills");
-    expect(result).toContain('id="test-skill"');
-    expect(result).toContain("## Dynamic Skill Authoring Workflow");
+    expect(result).toContain("**test-skill**");
   });
 
   test("prompt is additive with IDENTITY/SOUL/USER files", () => {
@@ -151,21 +124,14 @@ describe("Dynamic Skill Authoring Workflow prompt section", () => {
     expect(result).toContain("Identity here");
     expect(result).toContain("Soul here");
     expect(result).toContain("User here");
-    expect(result).toContain("## Dynamic Skill Authoring Workflow");
-  });
-
-  test("workflow section includes skill_load instruction", () => {
-    writeFileSync(join(TEST_DIR, "IDENTITY.md"), "I am Vellum.");
-    const result = buildSystemPrompt();
-    expect(result).toContain("skill_load");
   });
 
-  test("browser skill has activation hints in available_skills XML instead of dedicated section", () => {
+  test("browser skill has activation hints in skills catalog instead of dedicated section", () => {
     writeFileSync(join(TEST_DIR, "IDENTITY.md"), "I am Vellum.");
     const result = buildSystemPrompt();
-    // Browser routing moved from dedicated section to frontmatter hints
+    // Browser routing moved from dedicated section to inline hints in catalog bullet
     expect(result).not.toContain("Browser Skill Prerequisite");
-    expect(result).toContain('id="browser"');
-    expect(result).toContain("hints=");
+    expect(result).toContain("**browser**");
+    expect(result).toContain("Load first if you need browser_* tools");
   });
 });

package/src/__tests__/emit-signal-routing-intent.test.ts

@@ -116,7 +116,7 @@ describe("emitNotificationSignal routing intent re-persistence", () => {
     const result = await emitNotificationSignal({
       sourceEventName: "schedule.notify",
       sourceChannel: "scheduler",
-      sourceSessionId: "rem-1",
+      sourceContextId: "rem-1",
       attentionHints: {
         requiresAction: true,
         urgency: "high",
@@ -162,7 +162,7 @@ describe("emitNotificationSignal routing intent re-persistence", () => {
     await emitNotificationSignal({
       sourceEventName: "schedule.notify",
       sourceChannel: "scheduler",
-      sourceSessionId: "rem-2",
+      sourceContextId: "rem-2",
       attentionHints: {
         requiresAction: false,
         urgency: "medium",
@@ -198,7 +198,7 @@ describe("emitNotificationSignal routing intent re-persistence", () => {
     await emitNotificationSignal({
       sourceEventName: "schedule.notify",
       sourceChannel: "scheduler",
-      sourceSessionId: "rem-3",
+      sourceContextId: "rem-3",
       attentionHints: {
         requiresAction: false,
         urgency: "medium",

package/src/__tests__/encrypted-store.test.ts

@@ -1,4 +1,4 @@
-import { randomBytes } from "node:crypto";
+import { createCipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
 import {
   chmodSync,
   existsSync,
@@ -7,9 +7,10 @@ import {
   readFileSync,
   rmSync,
   statSync,
+  unlinkSync,
   writeFileSync,
 } from "node:fs";
-import { tmpdir } from "node:os";
+import { hostname, tmpdir, userInfo } from "node:os";
 import { join } from "node:path";
 import {
   afterAll,
@@ -23,7 +24,7 @@ import {
 } from "bun:test";
 
 // ---------------------------------------------------------------------------
-// Mock only the logger (not platform — we use _setStorePath instead)
+// Mock only the logger (not platform -- we use _setStorePath instead)
 // ---------------------------------------------------------------------------
 
 mock.module("../util/logger.js", () => ({
@@ -34,6 +35,7 @@ mock.module("../util/logger.js", () => ({
 }));
 
 import {
+  _setStoreKeyPath,
   _setStorePath,
   deleteKey,
   getKey,
@@ -50,6 +52,80 @@ const TEST_DIR = join(
   `vellum-enc-test-${randomBytes(4).toString("hex")}`,
 );
 const STORE_PATH = join(TEST_DIR, "keys.enc");
+const STORE_KEY_PATH = join(TEST_DIR, "store.key");
+
+// ---------------------------------------------------------------------------
+// Legacy v1 helpers (for migration tests)
+// ---------------------------------------------------------------------------
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+const PBKDF2_ITERATIONS = process.env.BUN_TEST === "1" ? 1 : 100_000;
+const SALT_LENGTH = 32;
+
+/** Local copy of the legacy machine entropy derivation (the export was removed). */
+function legacyMachineEntropy(): string {
+  const parts: string[] = [];
+  try {
+    parts.push(hostname());
+  } catch {
+    parts.push("unknown-host");
+  }
+  try {
+    parts.push(userInfo().username);
+  } catch {
+    parts.push("unknown-user");
+  }
+  parts.push(process.platform);
+  parts.push(process.arch);
+  try {
+    parts.push(userInfo().homedir);
+  } catch {
+    parts.push("/tmp");
+  }
+  return parts.join(":");
+}
+
+function legacyDeriveKey(salt: Buffer): Buffer {
+  const entropy = legacyMachineEntropy();
+  return pbkdf2Sync(entropy, salt, PBKDF2_ITERATIONS, KEY_LENGTH, "sha512");
+}
+
+function legacyEncrypt(
+  plaintext: string,
+  key: Buffer,
+): { iv: string; tag: string; data: string } {
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf-8"),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: iv.toString("hex"),
+    tag: tag.toString("hex"),
+    data: encrypted.toString("hex"),
+  };
+}
+
+/** Write a v1 store file directly (bypassing the module's writeStore). */
+function writeV1Store(
+  path: string,
+  salt: Buffer,
+  entries: Record<string, { iv: string; tag: string; data: string }>,
+): void {
+  const store = {
+    version: 1,
+    salt: salt.toString("hex"),
+    entries,
+  };
+  writeFileSync(path, JSON.stringify(store, null, 2), { mode: 0o600 });
+}
 
 // ---------------------------------------------------------------------------
 // Tests
@@ -66,10 +142,12 @@ describe("encrypted-store", () => {
       rmSync(join(TEST_DIR, entry), { recursive: true, force: true });
     }
     _setStorePath(STORE_PATH);
+    _setStoreKeyPath(STORE_KEY_PATH);
   });
 
   afterEach(() => {
     _setStorePath(null);
+    _setStoreKeyPath(null);
   });
 
   afterAll(() => {
@@ -173,16 +251,15 @@ describe("encrypted-store", () => {
   });
 
   // -----------------------------------------------------------------------
-  // Store format
+  // Store format (v2)
   // -----------------------------------------------------------------------
   describe("store format", () => {
-    test("store file is valid JSON with version, salt, and entries", () => {
+    test("store file is valid JSON with version 2 and entries (no salt)", () => {
       setKey("test", "value");
       const raw = readFileSync(STORE_PATH, "utf-8");
       const parsed = JSON.parse(raw);
-      expect(parsed.version).toBe(1);
-      expect(typeof parsed.salt).toBe("string");
-      expect(parsed.salt.length).toBe(64); // 32 bytes = 64 hex chars
+      expect(parsed.version).toBe(2);
+      expect(parsed.salt).toBeUndefined();
       expect(typeof parsed.entries).toBe("object");
       expect(parsed.entries.test).toBeDefined();
     });
@@ -223,6 +300,163 @@ describe("encrypted-store", () => {
     });
   });
 
+  // -----------------------------------------------------------------------
+  // v2 format and store.key
+  // -----------------------------------------------------------------------
+  describe("v2 format and store.key", () => {
+    test("fresh store creates v2 format and store.key", () => {
+      setKey("test", "value");
+
+      // Verify keys.enc is v2 with no salt
+      const raw = readFileSync(STORE_PATH, "utf-8");
+      const parsed = JSON.parse(raw);
+      expect(parsed.version).toBe(2);
+      expect(parsed.salt).toBeUndefined();
+
+      // Verify store.key exists with exactly 32 bytes and 0o600 perms
+      expect(existsSync(STORE_KEY_PATH)).toBe(true);
+      const keyBuf = readFileSync(STORE_KEY_PATH);
+      expect(keyBuf.length).toBe(32);
+      const mode = statSync(STORE_KEY_PATH).mode & 0o777;
+      expect(mode).toBe(0o600);
+    });
+
+    test("v2 round-trip", () => {
+      // Set multiple values and read them back
+      setKey("key-a", "value-a");
+      setKey("key-b", "value-b");
+      setKey("key-c", "value-c");
+
+      expect(getKey("key-a")).toBe("value-a");
+      expect(getKey("key-b")).toBe("value-b");
+      expect(getKey("key-c")).toBe("value-c");
+
+      // Delete one and verify others remain
+      deleteKey("key-b");
+      expect(getKey("key-b")).toBeUndefined();
+      expect(getKey("key-a")).toBe("value-a");
+      expect(getKey("key-c")).toBe("value-c");
+    });
+
+    test("v2 store without store.key returns undefined", () => {
+      setKey("test", "value");
+      // Delete store.key
+      unlinkSync(STORE_KEY_PATH);
+      expect(getKey("test")).toBeUndefined();
+    });
+  });
+
+  // -----------------------------------------------------------------------
+  // v1 -> v2 migration
+  // -----------------------------------------------------------------------
+  describe("v1 to v2 migration", () => {
+    test("v1 to v2 migration preserves entries", () => {
+      // Create a v1 store using legacy encryption
+      const salt = randomBytes(SALT_LENGTH);
+      const legacyKey = legacyDeriveKey(salt);
+      const entries: Record<string, { iv: string; tag: string; data: string }> =
+        {};
+      entries["api-key"] = legacyEncrypt("secret-123", legacyKey);
+      entries["other-key"] = legacyEncrypt("secret-456", legacyKey);
+      writeV1Store(STORE_PATH, salt, entries);
+
+      // Access via getKey -- should trigger migration
+      const val1 = getKey("api-key");
+      expect(val1).toBe("secret-123");
+
+      const val2 = getKey("other-key");
+      expect(val2).toBe("secret-456");
+
+      // Store should now be v2
+      const raw = readFileSync(STORE_PATH, "utf-8");
+      const parsed = JSON.parse(raw);
+      expect(parsed.version).toBe(2);
+      expect(parsed.salt).toBeUndefined();
+
+      // store.key should exist
+      expect(existsSync(STORE_KEY_PATH)).toBe(true);
+    });
+
+    test("migration is idempotent", () => {
+      // Create a v1 store
+      const salt = randomBytes(SALT_LENGTH);
+      const legacyKey = legacyDeriveKey(salt);
+      const entries: Record<string, { iv: string; tag: string; data: string }> =
+        {};
+      entries["my-key"] = legacyEncrypt("my-value", legacyKey);
+      writeV1Store(STORE_PATH, salt, entries);
+
+      // First access triggers migration
+      const val1 = getKey("my-key");
+      expect(val1).toBe("my-value");
+
+      // Second access should work the same (already migrated)
+      const val2 = getKey("my-key");
+      expect(val2).toBe("my-value");
+
+      // Should still be v2
+      const raw = readFileSync(STORE_PATH, "utf-8");
+      expect(JSON.parse(raw).version).toBe(2);
+    });
+
+    test("migration skips corrupt entries", () => {
+      // Create a v1 store with one good entry and one tampered entry
+      const salt = randomBytes(SALT_LENGTH);
+      const legacyKey = legacyDeriveKey(salt);
+      const entries: Record<string, { iv: string; tag: string; data: string }> =
+        {};
+      entries["good"] = legacyEncrypt("good-value", legacyKey);
+      entries["bad"] = legacyEncrypt("bad-value", legacyKey);
+      // Tamper with the bad entry
+      const badData = entries["bad"].data;
+      entries["bad"].data =
+        badData[0] === "0" ? "1" + badData.slice(1) : "0" + badData.slice(1);
+      writeV1Store(STORE_PATH, salt, entries);
+
+      // Trigger migration via getKey
+      const goodVal = getKey("good");
+      expect(goodVal).toBe("good-value");
+
+      // Bad entry should be gone (not migrated)
+      const badVal = getKey("bad");
+      expect(badVal).toBeUndefined();
+
+      // Store should be v2
+      const raw = readFileSync(STORE_PATH, "utf-8");
+      const parsed = JSON.parse(raw);
+      expect(parsed.version).toBe(2);
+      expect(parsed.entries["good"]).toBeDefined();
+      expect(parsed.entries["bad"]).toBeUndefined();
+    });
+
+    test("partial migration recovery", () => {
+      // Simulate crash between store.key write and store rewrite:
+      // write v1 store + store.key but leave store as v1
+      const salt = randomBytes(SALT_LENGTH);
+      const legacyKey = legacyDeriveKey(salt);
+      const entries: Record<string, { iv: string; tag: string; data: string }> =
+        {};
+      entries["test-key"] = legacyEncrypt("test-value", legacyKey);
+      writeV1Store(STORE_PATH, salt, entries);
+
+      // Pre-write store.key (simulating partial migration)
+      const preKey = randomBytes(32);
+      writeFileSync(STORE_KEY_PATH, preKey, { mode: 0o600 });
+
+      // Migration should complete using the existing store.key
+      const val = getKey("test-key");
+      expect(val).toBe("test-value");
+
+      // Verify the store.key was reused (not regenerated)
+      const afterKey = readFileSync(STORE_KEY_PATH);
+      expect(afterKey.equals(preKey)).toBe(true);
+
+      // Store should now be v2
+      const raw = readFileSync(STORE_PATH, "utf-8");
+      expect(JSON.parse(raw).version).toBe(2);
+    });
+  });
+
   // -----------------------------------------------------------------------
   // Error handling
   // -----------------------------------------------------------------------
@@ -273,7 +507,9 @@ describe("encrypted-store", () => {
     test("setKey creates directory if missing", () => {
       // Point to a path in a non-existent subdirectory
       const nestedPath = join(TEST_DIR, "sub", "dir", "keys.enc");
+      const nestedKeyPath = join(TEST_DIR, "sub", "dir", "store.key");
       _setStorePath(nestedPath);
+      _setStoreKeyPath(nestedKeyPath);
       const result = setKey("test", "value");
       expect(result).toBe(true);
       expect(getKey("test")).toBe("value");
@@ -311,7 +547,7 @@ describe("encrypted-store", () => {
       setKey("test", "value");
       // Loosen permissions
       chmodSync(STORE_PATH, 0o644);
-      // Write again — should re-enforce 0600
+      // Write again -- should re-enforce 0600
       setKey("test2", "value2");
       const mode = statSync(STORE_PATH).mode & 0o777;
       expect(mode).toBe(0o600);
@@ -352,16 +588,14 @@ describe("encrypted-store", () => {
       expect(getKey("__proto__")).toBeUndefined();
     });
 
-    test("salt is preserved across set operations", () => {
+    test("store.key is reused across set operations", () => {
       setKey("key1", "val1");
-      const raw1 = readFileSync(STORE_PATH, "utf-8");
-      const salt1 = JSON.parse(raw1).salt;
+      const key1 = readFileSync(STORE_KEY_PATH);
 
       setKey("key2", "val2");
-      const raw2 = readFileSync(STORE_PATH, "utf-8");
-      const salt2 = JSON.parse(raw2).salt;
+      const key2 = readFileSync(STORE_KEY_PATH);
 
-      expect(salt1).toBe(salt2);
+      expect(key1.equals(key2)).toBe(true);
     });
   });
 });

package/src/__tests__/ephemeral-permissions.test.ts

@@ -328,20 +328,19 @@ describe("ephemeral-permissions", () => {
       testConfig.permissions.mode = "workspace";
     });
 
-    test("workspace mode prompts for workspace-scoped file_write (medium risk)", async () => {
+    test("workspace mode auto-allows workspace-scoped file_write (low risk)", async () => {
       const filePath = join(testDir, "workspace-test-file.txt");
       const result = await check("file_write", { path: filePath }, testDir);
-      expect(result.decision).toBe("prompt");
-      expect(result.reason).toContain("medium risk");
+      expect(result.decision).toBe("allow");
     });
 
-    test("workspace mode still prompts for file_write outside workspace", async () => {
+    test("workspace mode auto-allows file_write outside workspace (low risk)", async () => {
       const result = await check(
         "file_write",
         { path: "/etc/config" },
         testDir,
       );
-      expect(result.decision).toBe("prompt");
+      expect(result.decision).toBe("allow");
     });
 
     test("explicit deny rule overrides workspace mode auto-allow", async () => {