@vellumai/assistant 0.5.12 → 0.5.14

package/src/__tests__/skill-secret-handling-guard.test.ts

@@ -0,0 +1,212 @@
+import { execSync } from "node:child_process";
+import { describe, expect, test } from "bun:test";
+
+/**
+ * Guard test: SKILL.md files must never instruct the assistant to accept
+ * secrets (passwords, API keys, tokens, etc.) pasted directly in chat.
+ *
+ * Secrets must always be collected via `credential_store prompt`, which
+ * presents a secure native UI that keeps the value out of conversation
+ * history and LLM context.
+ *
+ * This guard prevents regressions like the gmail/messaging bundled skill
+ * violation where SKILL.md contained "Include client_secret too if they
+ * provide one" — directing the assistant to accept a secret value from
+ * the chat stream.
+ */
+
+/** SKILL.md files permitted to contain otherwise-violating patterns. */
+const ALLOWLIST = new Set<string>([
+  // Add paths here only if there is a genuine, documented exception.
+]);
+
+/**
+ * Words that indicate the line is about a secret/credential value.
+ */
+const SECRET_WORDS =
+  "secret|password|api[_\\s-]?key|auth[_\\s-]?token|private[_\\s-]?key|access[_\\s-]?token|client[_\\s-]?secret|signing[_\\s-]?key|bearer[_\\s-]?token";
+
+/**
+ * Patterns that indicate the assistant is being told to accept a secret
+ * value directly in chat, rather than via credential_store prompt.
+ */
+const VIOLATION_PATTERNS: RegExp[] = [
+  // "accept <secret> in/via/from chat/plaintext/the conversation"
+  new RegExp(
+    `accept\\s+.*(?:${SECRET_WORDS}).*\\b(?:in|via|from)\\s+(?:chat|plaintext|the\\s+conversation)`,
+    "i",
+  ),
+  new RegExp(
+    `accept\\s+.*\\b(?:in|via|from)\\s+(?:chat|plaintext|the\\s+conversation).*(?:${SECRET_WORDS})`,
+    "i",
+  ),
+  // "ask (the user|them) (for|to share/send/paste/type/provide) <secret>" where destination is chat
+  // Must have "the user" or "them" as the object to avoid matching third-party descriptions
+  // like "Discord will ask for a 2FA code before revealing the secret"
+  new RegExp(
+    `ask\\s+(?:the\\s+user|them)\\s+(?:for|to\\s+(?:share|send|paste|type|provide))\\s+(?:the\\s+|their\\s+|a\\s+)?(?:${SECRET_WORDS})`,
+    "i",
+  ),
+  // "Include <secret> too if they provide one" — the original gmail violation pattern
+  new RegExp(
+    `include\\s+(?:the\\s+)?(?:${SECRET_WORDS})\\s+(?:too|as\\s+well|also)\\s+if\\s+they\\s+provide`,
+    "i",
+  ),
+  // "<secret> pasted/typed/sent in chat/conversation/plaintext"
+  new RegExp(
+    `(?:${SECRET_WORDS})\\s+(?:pasted|typed|sent|provided|shared)\\s+(?:in|via|through)\\s+(?:chat|conversation|plaintext)`,
+    "i",
+  ),
+  // "paste/type/send <secret> in chat/here/the conversation"
+  new RegExp(
+    `(?:paste|type|send|share|provide)\\s+(?:the\\s+|your\\s+|their\\s+)?(?:${SECRET_WORDS})\\s+(?:in\\s+(?:chat|the\\s+conversation)|here)`,
+    "i",
+  ),
+];
+
+/**
+ * Lines containing these negation words are typically instructing the
+ * assistant NOT to do something — these are not violations.
+ */
+const NEGATION_PATTERNS =
+  /\b(?:never|do\s+not|don['']t|must\s+not|should\s+not|shouldn['']t)\b|\bNOT\b/;
+
+/**
+ * Lines that are YAML-style field values within a credential_store prompt
+ * block (label, description, placeholder). These contain secret-related
+ * words but are secure UI text, not chat instructions.
+ */
+const CREDENTIAL_STORE_UI_FIELD =
+  /^\s*(?:[-*]\s+)?(?:label|description|placeholder)\s*[:=]\s*/i;
+
+interface Violation {
+  file: string;
+  line: number;
+  text: string;
+}
+
+function findViolations(): Violation[] {
+  const repoRoot = process.cwd() + "/..";
+
+  // Find all SKILL.md files tracked by git
+  let skillFiles: string[];
+  try {
+    const output = execSync(`git grep -l "" -- '*/SKILL.md'`, {
+      encoding: "utf-8",
+      cwd: repoRoot,
+    }).trim();
+    skillFiles = output.split("\n").filter((f) => f.length > 0);
+  } catch (err) {
+    if ((err as { status?: number }).status === 1) {
+      return []; // no SKILL.md files found
+    }
+    throw err;
+  }
+
+  // Filter to skills/ and assistant/src/config/bundled-skills/ directories
+  skillFiles = skillFiles.filter(
+    (f) =>
+      f.startsWith("skills/") ||
+      f.startsWith("assistant/src/config/bundled-skills/"),
+  );
+
+  const violations: Violation[] = [];
+
+  for (const filePath of skillFiles) {
+    if (ALLOWLIST.has(filePath)) continue;
+
+    let content: string;
+    try {
+      content = execSync(`git show HEAD:${filePath}`, {
+        encoding: "utf-8",
+        cwd: repoRoot,
+      });
+    } catch {
+      continue;
+    }
+
+    const lines = content.split("\n");
+
+    // Track whether we're inside a credential_store prompt block
+    // (indented YAML-like content after a credential_store mention)
+    let inCredentialStoreBlock = false;
+    let blockIndent = 0;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Track credential_store prompt blocks
+      if (/credential_store\s+prompt/i.test(line)) {
+        inCredentialStoreBlock = true;
+        blockIndent = line.search(/\S/);
+        continue;
+      }
+
+      // Exit credential_store block when indentation returns to same or lesser level
+      if (inCredentialStoreBlock) {
+        const currentIndent = line.search(/\S/);
+        if (
+          currentIndent !== -1 &&
+          currentIndent <= blockIndent &&
+          line.trim().length > 0
+        ) {
+          inCredentialStoreBlock = false;
+        }
+      }
+
+      // Skip empty lines
+      if (line.trim().length === 0) continue;
+
+      // Skip negation lines — these instruct NOT to do something
+      if (NEGATION_PATTERNS.test(line)) continue;
+
+      // Skip credential_store UI field lines (label:, description:, placeholder:)
+      if (inCredentialStoreBlock && CREDENTIAL_STORE_UI_FIELD.test(line))
+        continue;
+
+      // Strip markdown backticks before pattern matching so that
+      // violations like `client_secret` are caught the same as bare words.
+      const stripped = line.replace(/`/g, "");
+
+      // Check against violation patterns
+      for (const pattern of VIOLATION_PATTERNS) {
+        if (pattern.test(stripped)) {
+          violations.push({
+            file: filePath,
+            line: lineNumber,
+            text: line.trim(),
+          });
+          break; // one violation per line is enough
+        }
+      }
+    }
+  }
+
+  return violations;
+}
+
+describe("SKILL.md secret handling guard", () => {
+  test("no SKILL.md files instruct accepting secrets in chat", () => {
+    const violations = findViolations();
+
+    if (violations.length > 0) {
+      const message = [
+        "Found SKILL.md files that instruct accepting secrets directly in chat.",
+        "Secrets must always be collected via `credential_store prompt`, which",
+        "presents a secure native UI that keeps values out of conversation history.",
+        "",
+        "Violations:",
+        ...violations.map((v) => `  - ${v.file}:${v.line}: ${v.text}`),
+        "",
+        "To fix: replace chat-based secret collection with a `credential_store prompt` call.",
+        "See any *-setup skill (e.g. skills/slack-app-setup/SKILL.md) for the correct pattern.",
+        "",
+        "If this is a genuine exception, add the file path to the ALLOWLIST in",
+        "skill-secret-handling-guard.test.ts.",
+      ].join("\n");
+
+      expect(violations, message).toEqual([]);
+    }
+  });
+});

package/src/__tests__/skills-uninstall.test.ts

@@ -12,10 +12,10 @@ import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 import { uninstallSkillLocally } from "../skills/catalog-install.js";
 
 let tempDir: string;
-let originalBaseDataDir: string | undefined;
+let originalWorkspaceDir: string | undefined;
 
 function getSkillsDir(): string {
-  return join(tempDir, ".vellum", "workspace", "skills");
+  return join(tempDir, "skills");
 }
 
 function getSkillsIndexPath(): string {
@@ -38,15 +38,17 @@ beforeEach(() => {
     tmpdir(),
     `skills-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
   );
-  mkdirSync(join(tempDir, ".vellum", "workspace", "skills"), {
-    recursive: true,
-  });
-  originalBaseDataDir = process.env.BASE_DATA_DIR;
-  process.env.BASE_DATA_DIR = tempDir;
+  mkdirSync(join(tempDir, "skills"), { recursive: true });
+  originalWorkspaceDir = process.env.VELLUM_WORKSPACE_DIR;
+  process.env.VELLUM_WORKSPACE_DIR = tempDir;
 });
 
 afterEach(() => {
-  process.env.BASE_DATA_DIR = originalBaseDataDir;
+  if (originalWorkspaceDir === undefined) {
+    delete process.env.VELLUM_WORKSPACE_DIR;
+  } else {
+    process.env.VELLUM_WORKSPACE_DIR = originalWorkspaceDir;
+  }
   rmSync(tempDir, { recursive: true, force: true });
 });
 

package/src/__tests__/skills.test.ts

@@ -16,7 +16,7 @@ const TEST_DIR = join(tmpdir(), `vellum-skills-test-${crypto.randomUUID()}`);
 const realPlatform = require("../util/platform.js");
 mock.module("../util/platform.js", () => ({
   ...realPlatform,
-  getRootDir: () => TEST_DIR,
+  getProtectedDir: () => join(TEST_DIR, "protected"),
   getDataDir: () => TEST_DIR,
 
   getSandboxRootDir: () => join(TEST_DIR, "sandbox"),

package/src/__tests__/slack-channel-config.test.ts

@@ -60,7 +60,7 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
 
   isMacOS: () => process.platform === "darwin",

package/src/__tests__/slack-inbound-verification.test.ts

@@ -8,29 +8,12 @@
  * 4. Notify the guardian of the access attempt
  * 5. When the user replies with the code in the DM, verify and activate
  */
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
 // ---------------------------------------------------------------------------
 // Test isolation: in-memory SQLite via temp directory
 // ---------------------------------------------------------------------------
 
-const testDir = mkdtempSync(join(tmpdir(), "slack-inbound-verification-test-"));
-
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -81,11 +64,6 @@ initializeDb();
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/starter-bundle.test.ts

@@ -14,9 +14,12 @@ const TRUST_PATH = join(TEST_ROOT, "protected", "trust.json");
 // We need to mock getRootDir before importing trust-store
 import { mock } from "bun:test";
 
+// Point the file-based trust backend at the test temp dir.
+process.env.GATEWAY_SECURITY_DIR = join(TEST_ROOT, "protected");
+
 // Mock the platform module to use our test root
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => TEST_ROOT,
+  getProtectedDir: () => join(TEST_ROOT, "protected"),
 }));
 
 // Mock the skills config module used by defaults.ts

package/src/__tests__/suggestion-routes.test.ts

@@ -81,6 +81,7 @@ mock.module("../daemon/handlers/shared.js", () => ({
         textSegments: [],
         contentOrder: [],
         surfaces: [],
+        thinkingSegments: [],
       };
     }
     return {
@@ -90,6 +91,7 @@ mock.module("../daemon/handlers/shared.js", () => ({
       textSegments: [],
       contentOrder: [],
       surfaces: [],
+      thinkingSegments: [],
     };
   },
 }));

package/src/__tests__/system-prompt.test.ts

@@ -18,7 +18,7 @@ import { mock } from "bun:test";
 const realPlatform = require("../util/platform.js");
 mock.module("../util/platform.js", () => ({
   ...realPlatform,
-  getRootDir: () => TEST_DIR,
+  getProtectedDir: () => join(TEST_DIR, "protected"),
   getDataDir: () => TEST_DIR,
   getWorkspaceDir: () => TEST_DIR,
   getWorkspaceConfigPath: () => join(TEST_DIR, "config.json"),

package/src/__tests__/terminal-tools.test.ts

@@ -19,7 +19,7 @@ mock.module("../util/logger.js", () => ({
 const testTmpDir = mkdtempSync(join(tmpdir(), "terminal-test-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testTmpDir,
+  getProtectedDir: () => join(testTmpDir, "protected"),
   getDataDir: () => join(testTmpDir, "data"),
   getSandboxWorkingDir: () => join(testTmpDir, "sandbox"),
   isMacOS: () => process.platform === "darwin",

package/src/__tests__/test-preload.ts

@@ -0,0 +1,31 @@
+/**
+ * Shared test preload — runs before every test file.
+ *
+ * Creates a per-file temporary directory and sets VELLUM_WORKSPACE_DIR so that
+ * all workspace-derived helpers (getDataDir, getDbPath, getConversationsDir, …)
+ * resolve under the temp dir instead of the real ~/.vellum/workspace.
+ *
+ * Individual test files can retrieve the workspace dir via getWorkspaceDir()
+ * from platform.ts, or directly from process.env.VELLUM_WORKSPACE_DIR.
+ *
+ * Cleanup: the temp dir is removed after all tests in the file complete.
+ */
+
+import { mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll } from "bun:test";
+
+const testDir = realpathSync(
+  mkdtempSync(join(tmpdir(), "vellum-test-workspace-")),
+);
+process.env.VELLUM_WORKSPACE_DIR = testDir;
+
+afterAll(() => {
+  delete process.env.VELLUM_WORKSPACE_DIR;
+  try {
+    rmSync(testDir, { recursive: true, force: true });
+  } catch {
+    /* best-effort cleanup */
+  }
+});

package/src/__tests__/token-estimator-accuracy.benchmark.test.ts

@@ -205,7 +205,7 @@ function makeSystemPrompt(size: "small" | "production" = "small"): string {
     "### OAuth Setup",
     "Most integrations use OAuth for authentication.",
     "Guide the user through the OAuth flow when setting up a new integration:",
-    "1. Navigate to Settings > Integrations",
+    "1. Navigate to Settings > Models & Services",
     "2. Click 'Connect' for the desired service",
     "3. Authorize in the browser popup",
     "4. Confirm the connection is active",

package/src/__tests__/tool-execution-abort-cleanup.test.ts

@@ -76,7 +76,7 @@ mock.module("../tools/network/script-proxy/index.js", () => ({
 }));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => "/tmp",
+  getProtectedDir: () => "/tmp/protected",
   getDataDir: () => "/tmp",
   getWorkspaceDir: () => "/tmp/workspace",
   getConversationsDir: () => "/tmp/workspace/conversations",

package/src/__tests__/tool-execution-pipeline.benchmark.test.ts

@@ -237,7 +237,7 @@ describe("Tool execution pipeline benchmark", () => {
 
     const p50 = percentile(timings, 50);
     expect(p50).toBeLessThan(5);
-    expect(results[0]).toBe(RiskLevel.Medium);
+    expect(results[0]).toBe(RiskLevel.Low);
   });
 
   test("check: full permission check for low-risk tool", async () => {

package/src/__tests__/tool-executor.test.ts

@@ -1209,12 +1209,6 @@ describe("isSideEffectTool", () => {
       );
     });
 
-    test("credential_store oauth2_connect is a side-effect", () => {
-      expect(
-        isSideEffectTool("credential_store", { action: "oauth2_connect" }),
-      ).toBe(true);
-    });
-
     test("credential_store list is NOT a side-effect", () => {
       expect(isSideEffectTool("credential_store", { action: "list" })).toBe(
         false,
@@ -1731,20 +1725,6 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     expect(promptCalled).toBe(true);
   });
 
-  test("credential_store oauth2_connect forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "oauth2_connect", provider: "google" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
   test("credential_store list does NOT force prompt in private conversation", async () => {
     checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 

package/src/__tests__/tool-input-summary.test.ts

@@ -0,0 +1,124 @@
+import { describe, expect, test } from "bun:test";
+
+import { summarizeToolInput } from "../tools/tool-input-summary.js";
+
+describe("summarizeToolInput", () => {
+  test("bash with short command returns full command", () => {
+    expect(summarizeToolInput("bash", { command: "ls -la" })).toBe("ls -la");
+  });
+
+  test("bash with long command truncates with ellipsis", () => {
+    const longCmd = "a".repeat(200);
+    const result = summarizeToolInput("bash", { command: longCmd });
+    expect(result.length).toBe(121); // 120 chars + ellipsis
+    expect(result.endsWith("…")).toBe(true);
+    expect(result.startsWith("a".repeat(120))).toBe(true);
+  });
+
+  test("terminal tool behaves like bash", () => {
+    expect(summarizeToolInput("terminal", { command: "echo hello" })).toBe(
+      "echo hello",
+    );
+  });
+
+  test("file_read returns file path", () => {
+    expect(
+      summarizeToolInput("file_read", { file_path: "/src/index.ts" }),
+    ).toBe("/src/index.ts");
+  });
+
+  test("file_write returns file path from path key", () => {
+    expect(summarizeToolInput("file_write", { path: "/src/main.ts" })).toBe(
+      "/src/main.ts",
+    );
+  });
+
+  test("file_edit prefers file_path over path", () => {
+    expect(
+      summarizeToolInput("file_edit", {
+        file_path: "/preferred.ts",
+        path: "/fallback.ts",
+      }),
+    ).toBe("/preferred.ts");
+  });
+
+  test("web_fetch returns URL truncated to 100 chars", () => {
+    const longUrl = `https://example.com/${"x".repeat(200)}`;
+    const result = summarizeToolInput("web_fetch", { url: longUrl });
+    expect(result.length).toBe(101); // 100 chars + ellipsis
+    expect(result.endsWith("…")).toBe(true);
+  });
+
+  test("web_fetch with short URL returns full URL", () => {
+    expect(
+      summarizeToolInput("web_fetch", { url: "https://example.com" }),
+    ).toBe("https://example.com");
+  });
+
+  test("network_request behaves like web_fetch", () => {
+    expect(
+      summarizeToolInput("network_request", { url: "https://api.test.com" }),
+    ).toBe("https://api.test.com");
+  });
+
+  test("empty input returns empty string", () => {
+    expect(summarizeToolInput("bash", {})).toBe("");
+    expect(summarizeToolInput("file_read", {})).toBe("");
+    expect(summarizeToolInput("web_fetch", {})).toBe("");
+    expect(summarizeToolInput("unknown_tool", {})).toBe("");
+  });
+
+  test("unknown tool with string input returns first string value", () => {
+    expect(
+      summarizeToolInput("custom_tool", {
+        query: "search for something",
+        count: 10,
+      }),
+    ).toBe("search for something");
+  });
+
+  test("unknown tool with long string truncates to 80 chars", () => {
+    const longVal = "b".repeat(150);
+    const result = summarizeToolInput("custom_tool", { data: longVal });
+    expect(result.length).toBe(81); // 80 chars + ellipsis
+    expect(result.endsWith("…")).toBe(true);
+  });
+
+  test("input with no string values returns empty string", () => {
+    expect(
+      summarizeToolInput("custom_tool", { count: 42, flag: true, obj: {} }),
+    ).toBe("");
+  });
+
+  test("whitespace-only string values are treated as empty", () => {
+    expect(summarizeToolInput("bash", { command: "   " })).toBe("");
+    expect(summarizeToolInput("custom_tool", { data: "  \n\t  " })).toBe("");
+  });
+
+  test("host_bash behaves like bash", () => {
+    expect(summarizeToolInput("host_bash", { command: "git status" })).toBe(
+      "git status",
+    );
+  });
+
+  test("host_file_read behaves like file_read", () => {
+    expect(
+      summarizeToolInput("host_file_read", { file_path: "/src/index.ts" }),
+    ).toBe("/src/index.ts");
+  });
+
+  test("host_file_write behaves like file_write", () => {
+    expect(
+      summarizeToolInput("host_file_write", { path: "/src/main.ts" }),
+    ).toBe("/src/main.ts");
+  });
+
+  test("host_file_edit behaves like file_edit", () => {
+    expect(
+      summarizeToolInput("host_file_edit", {
+        file_path: "/preferred.ts",
+        path: "/fallback.ts",
+      }),
+    ).toBe("/preferred.ts");
+  });
+});

package/src/__tests__/tool-preview-lifecycle.test.ts

@@ -8,12 +8,13 @@
  * - handleToolResult includes toolUseId in emitted tool_result
  * - Event ordering: tool_use_preview_start → input_json_delta → tool_use
  */
+import { join } from "node:path";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 // ── Mock platform (must precede imports that read it) ─────────────────────────
 mock.module("../util/platform.js", () => ({
   getSessionTokenPath: () => "/tmp/test-token",
-  getRootDir: () => "/tmp/test",
+  getProtectedDir: () => join("/tmp/test", "protected"),
   getDataDir: () => "/tmp/test",
   getWorkspaceDir: () => "/tmp/test/workspace",
   getWorkspaceSkillsDir: () => "/tmp/test/skills",

package/src/__tests__/trust-store.test.ts

@@ -12,9 +12,15 @@ import { beforeEach, describe, expect, mock, test } from "bun:test";
 // Create a temp directory for the trust file
 const testDir = mkdtempSync(join(tmpdir(), "trust-store-test-"));
 
+// Point the file-based trust backend at the test temp dir so
+// getGatewaySecurityDir() (which checks this env var first) writes
+// trust.json under the test directory instead of ~/.vellum/protected.
+process.env.GATEWAY_SECURITY_DIR = join(testDir, "protected");
+
 // Mock platform module so trust-store writes to temp dir instead of ~/.vellum
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
+  getWorkspaceDir: () => join(testDir, "workspace"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/trusted-contact-inline-approval-integration.test.ts

@@ -30,7 +30,7 @@ const testDir = mkdtempSync(join(tmpdir(), "tc-inline-approval-integration-"));
 
 mock.module("../util/platform.js", () => ({
   getDataDir: () => testDir,
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",
   isWindows: () => process.platform === "win32",

package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts

@@ -23,7 +23,7 @@ import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 const testDir = mkdtempSync(join(tmpdir(), "trusted-contact-lifecycle-notif-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/trusted-contact-multichannel.test.ts

@@ -18,7 +18,7 @@ import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 const testDir = mkdtempSync(join(tmpdir(), "trusted-contact-multichannel-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/trusted-contact-verification.test.ts

@@ -21,7 +21,7 @@ import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 const testDir = mkdtempSync(join(tmpdir(), "trusted-contact-verify-test-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/turn-boundary-resolution.test.ts

@@ -10,7 +10,7 @@ const workspaceDir = join(testDir, ".vellum", "workspace");
 const conversationsDir = join(workspaceDir, "conversations");
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => join(testDir, ".vellum"),
+  getProtectedDir: () => join(join(testDir, ".vellum"), "protected"),
   getDataDir: () => join(workspaceDir, "data"),
   getWorkspaceDir: () => workspaceDir,
   getConversationsDir: () => conversationsDir,