@vellumai/assistant 0.5.13 → 0.5.14

package/src/__tests__/scheduler-recurrence.test.ts

@@ -1,6 +1,3 @@
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import {
   afterAll,
   beforeAll,
@@ -11,19 +8,6 @@ import {
   test,
 } from "bun:test";
 
-const testDir = mkdtempSync(join(tmpdir(), "scheduler-recurrence-test-"));
-
-mock.module("../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -59,11 +43,6 @@ function forceScheduleDue(scheduleId: string): void {
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 // Build an RRULE expression anchored at the given start date, recurring every minute.

package/src/__tests__/scoped-approval-grants.test.ts

@@ -1,21 +1,5 @@
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
-const testDir = mkdtempSync(join(tmpdir(), "scoped-grants-test-"));
-
-mock.module("../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -52,11 +36,6 @@ function clearTables(): void {
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/scoped-grant-security-matrix.test.ts

@@ -23,24 +23,8 @@
  *  11. Guardian identity mismatch cannot mint grant — guardian-grant-minting.test.ts
  */
 
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
-const testDir = mkdtempSync(join(tmpdir(), "scoped-grant-security-matrix-"));
-
-mock.module("../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -69,11 +53,6 @@ function clearTables(): void {
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/secret-allowlist.test.ts

@@ -14,7 +14,7 @@ mock.module("../util/logger.js", () => ({
 }));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
 }));
 

package/src/__tests__/secret-ingress-channel.test.ts

@@ -24,11 +24,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => "/tmp/vellum-test-secret-ingress-channel",
-  getWorkspaceDir: () => "/tmp/vellum-test-secret-ingress-channel/workspace",
-}));
-
 const storePayloadMock = mock((_eventId: string, _payload: unknown) => {});
 const clearPayloadMock = mock((_eventId: string) => {});
 

package/src/__tests__/secret-ingress-cli.test.ts

@@ -24,12 +24,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => "/tmp/vellum-test-secret-ingress-cli",
-  getWorkspaceDir: () => "/tmp/vellum-test-secret-ingress-cli/workspace",
-  getSignalsDir: () => "/tmp/vellum-test-secret-ingress-cli/signals",
-}));
-
 // ---------------------------------------------------------------------------
 // Test: CLI signal path uses registerUserMessageCallback which calls
 // checkIngressForSecrets before calling persistAndProcessMessage.

package/src/__tests__/secret-ingress-http.test.ts

@@ -32,11 +32,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => "/tmp/vellum-test-secret-ingress-http",
-  getWorkspaceDir: () => "/tmp/vellum-test-secret-ingress-http/workspace",
-}));
-
 mock.module("../memory/conversation-key-store.js", () => ({
   getOrCreateConversation: () => ({ conversationId: "conv-test" }),
   getConversationByKey: () => null,

package/src/__tests__/secret-ingress.test.ts

@@ -32,11 +32,6 @@ mock.module("../util/logger.js", () => ({
   }),
 }));
 
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => "/tmp/vellum-test-ingress",
-  getWorkspaceDir: () => "/tmp/vellum-test-ingress/workspace",
-}));
-
 import { resetAllowlist } from "../security/secret-allowlist.js";
 import { checkIngressForSecrets } from "../security/secret-ingress.js";
 

package/src/__tests__/send-endpoint-busy.test.ts

@@ -6,9 +6,6 @@
  * - Messages are queued (202, queued: true) when the conversation is busy, not 409.
  * - SSE subscribers receive events from messages sent via this endpoint.
  */
-import { mkdtempSync, realpathSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
 mock.module("../config/env.js", () => ({ isHttpAuthDisabled: () => true }));
@@ -22,22 +19,6 @@ import {
 } from "../memory/canonical-guardian-store.js";
 import { getOrCreateConversation } from "../memory/conversation-key-store.js";
 
-const testDir = realpathSync(
-  mkdtempSync(join(tmpdir(), "send-endpoint-busy-test-")),
-);
-
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -337,11 +318,6 @@ describe("POST /v1/messages — queue-if-busy and hub publishing", () => {
 
   afterAll(() => {
     resetDb();
-    try {
-      rmSync(testDir, { recursive: true, force: true });
-    } catch {
-      /* best effort */
-    }
   });
 
   async function startServer(

package/src/__tests__/sequence-store.test.ts

@@ -1,22 +1,6 @@
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, beforeEach, describe, expect, test } from "bun:test";
 import { mock } from "bun:test";
 
-const testDir = mkdtempSync(join(tmpdir(), "sequence-store-test-"));
-
-mock.module("../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -81,11 +65,6 @@ const testSteps: SequenceStep[] = [
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 describe("sequence-store", () => {

package/src/__tests__/server-history-render.test.ts

@@ -1,24 +1,5 @@
-import { mkdtempSync, realpathSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
-const testDir = realpathSync(
-  mkdtempSync(join(tmpdir(), "history-render-test-")),
-);
-
-mock.module("../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-  getRootDir: () => testDir,
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -39,11 +20,6 @@ initializeDb();
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 describe("renderHistoryContent", () => {

package/src/__tests__/shell-tool-proxy-mode.test.ts

@@ -85,10 +85,6 @@ mock.module("../tools/terminal/sandbox.js", () => ({
   },
 }));
 
-mock.module("../util/platform.js", () => ({
-  getDataDir: () => "/tmp/test-data",
-}));
-
 // --- Proxy session mocks ---
 let mockActiveSession: { id: string; conversationId: string } | undefined;
 let getOrStartSessionCalls: {

package/src/__tests__/skill-load-inline-command.test.ts

@@ -66,6 +66,15 @@ const platformOverrides: Record<string, (...args: unknown[]) => unknown> = {
   getPlatformName: () => process.platform,
   getWorkspaceDirDisplay: () => "~/.vellum/workspace",
   getConversationsDir: () => join(TEST_DIR, "conversations"),
+  getProtectedDir: () => join(TEST_DIR, "protected"),
+  getSignalsDir: () => join(TEST_DIR, "workspace", "signals"),
+  getDaemonStderrLogPath: () => join(TEST_DIR, "logs", "daemon-stderr.log"),
+  getDaemonStartupLockPath: () => join(TEST_DIR, "daemon-startup.lock"),
+  getExternalDir: () => join(TEST_DIR, "external"),
+  getBinDir: () => join(TEST_DIR, "bin"),
+  getDotEnvPath: () => join(TEST_DIR, ".env"),
+  getEmbedWorkerPidPath: () => join(TEST_DIR, "embed-worker.pid"),
+  getSoundsDir: () => join(TEST_DIR, "sounds"),
 };
 mock.module("../util/platform.js", () => platformOverrides);
 

package/src/__tests__/skill-load-inline-includes.test.ts

@@ -68,6 +68,15 @@ const platformOverrides: Record<string, (...args: unknown[]) => unknown> = {
   getPlatformName: () => process.platform,
   getWorkspaceDirDisplay: () => "~/.vellum/workspace",
   getConversationsDir: () => join(TEST_DIR, "conversations"),
+  getProtectedDir: () => join(TEST_DIR, "protected"),
+  getSignalsDir: () => join(TEST_DIR, "workspace", "signals"),
+  getDaemonStderrLogPath: () => join(TEST_DIR, "logs", "daemon-stderr.log"),
+  getDaemonStartupLockPath: () => join(TEST_DIR, "daemon-startup.lock"),
+  getExternalDir: () => join(TEST_DIR, "external"),
+  getBinDir: () => join(TEST_DIR, "bin"),
+  getDotEnvPath: () => join(TEST_DIR, ".env"),
+  getEmbedWorkerPidPath: () => join(TEST_DIR, "embed-worker.pid"),
+  getSoundsDir: () => join(TEST_DIR, "sounds"),
 };
 mock.module("../util/platform.js", () => platformOverrides);
 

package/src/__tests__/skill-load-tool.test.ts

@@ -50,6 +50,17 @@ const platformOverrides: Record<string, (...args: unknown[]) => unknown> = {
   isLinux: () => process.platform === "linux",
   isWindows: () => process.platform === "win32",
   getPlatformName: () => process.platform,
+  getWorkspaceDirDisplay: () => "~/.vellum/workspace",
+  getConversationsDir: () => join(TEST_DIR, "conversations"),
+  getProtectedDir: () => join(TEST_DIR, "protected"),
+  getSignalsDir: () => join(TEST_DIR, "workspace", "signals"),
+  getDaemonStderrLogPath: () => join(TEST_DIR, "logs", "daemon-stderr.log"),
+  getDaemonStartupLockPath: () => join(TEST_DIR, "daemon-startup.lock"),
+  getExternalDir: () => join(TEST_DIR, "external"),
+  getBinDir: () => join(TEST_DIR, "bin"),
+  getDotEnvPath: () => join(TEST_DIR, ".env"),
+  getEmbedWorkerPidPath: () => join(TEST_DIR, "embed-worker.pid"),
+  getSoundsDir: () => join(TEST_DIR, "sounds"),
 };
 mock.module("../util/platform.js", () => platformOverrides);
 

package/src/__tests__/skills-uninstall.test.ts

@@ -12,10 +12,10 @@ import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 import { uninstallSkillLocally } from "../skills/catalog-install.js";
 
 let tempDir: string;
-let originalBaseDataDir: string | undefined;
+let originalWorkspaceDir: string | undefined;
 
 function getSkillsDir(): string {
-  return join(tempDir, ".vellum", "workspace", "skills");
+  return join(tempDir, "skills");
 }
 
 function getSkillsIndexPath(): string {
@@ -38,15 +38,17 @@ beforeEach(() => {
     tmpdir(),
     `skills-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
   );
-  mkdirSync(join(tempDir, ".vellum", "workspace", "skills"), {
-    recursive: true,
-  });
-  originalBaseDataDir = process.env.BASE_DATA_DIR;
-  process.env.BASE_DATA_DIR = tempDir;
+  mkdirSync(join(tempDir, "skills"), { recursive: true });
+  originalWorkspaceDir = process.env.VELLUM_WORKSPACE_DIR;
+  process.env.VELLUM_WORKSPACE_DIR = tempDir;
 });
 
 afterEach(() => {
-  process.env.BASE_DATA_DIR = originalBaseDataDir;
+  if (originalWorkspaceDir === undefined) {
+    delete process.env.VELLUM_WORKSPACE_DIR;
+  } else {
+    process.env.VELLUM_WORKSPACE_DIR = originalWorkspaceDir;
+  }
   rmSync(tempDir, { recursive: true, force: true });
 });
 

package/src/__tests__/skills.test.ts

@@ -16,7 +16,7 @@ const TEST_DIR = join(tmpdir(), `vellum-skills-test-${crypto.randomUUID()}`);
 const realPlatform = require("../util/platform.js");
 mock.module("../util/platform.js", () => ({
   ...realPlatform,
-  getRootDir: () => TEST_DIR,
+  getProtectedDir: () => join(TEST_DIR, "protected"),
   getDataDir: () => TEST_DIR,
 
   getSandboxRootDir: () => join(TEST_DIR, "sandbox"),

package/src/__tests__/slack-channel-config.test.ts

@@ -60,7 +60,7 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
 
   isMacOS: () => process.platform === "darwin",

package/src/__tests__/slack-inbound-verification.test.ts

@@ -8,29 +8,12 @@
  * 4. Notify the guardian of the access attempt
  * 5. When the user replies with the code in the DM, verify and activate
  */
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
 // ---------------------------------------------------------------------------
 // Test isolation: in-memory SQLite via temp directory
 // ---------------------------------------------------------------------------
 
-const testDir = mkdtempSync(join(tmpdir(), "slack-inbound-verification-test-"));
-
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -81,11 +64,6 @@ initializeDb();
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/starter-bundle.test.ts

@@ -14,9 +14,12 @@ const TRUST_PATH = join(TEST_ROOT, "protected", "trust.json");
 // We need to mock getRootDir before importing trust-store
 import { mock } from "bun:test";
 
+// Point the file-based trust backend at the test temp dir.
+process.env.GATEWAY_SECURITY_DIR = join(TEST_ROOT, "protected");
+
 // Mock the platform module to use our test root
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => TEST_ROOT,
+  getProtectedDir: () => join(TEST_ROOT, "protected"),
 }));
 
 // Mock the skills config module used by defaults.ts

package/src/__tests__/suggestion-routes.test.ts

@@ -81,6 +81,7 @@ mock.module("../daemon/handlers/shared.js", () => ({
         textSegments: [],
         contentOrder: [],
         surfaces: [],
+        thinkingSegments: [],
       };
     }
     return {
@@ -90,6 +91,7 @@ mock.module("../daemon/handlers/shared.js", () => ({
       textSegments: [],
       contentOrder: [],
       surfaces: [],
+      thinkingSegments: [],
     };
   },
 }));

package/src/__tests__/system-prompt.test.ts

@@ -18,7 +18,7 @@ import { mock } from "bun:test";
 const realPlatform = require("../util/platform.js");
 mock.module("../util/platform.js", () => ({
   ...realPlatform,
-  getRootDir: () => TEST_DIR,
+  getProtectedDir: () => join(TEST_DIR, "protected"),
   getDataDir: () => TEST_DIR,
   getWorkspaceDir: () => TEST_DIR,
   getWorkspaceConfigPath: () => join(TEST_DIR, "config.json"),

package/src/__tests__/terminal-tools.test.ts

@@ -19,7 +19,7 @@ mock.module("../util/logger.js", () => ({
 const testTmpDir = mkdtempSync(join(tmpdir(), "terminal-test-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testTmpDir,
+  getProtectedDir: () => join(testTmpDir, "protected"),
   getDataDir: () => join(testTmpDir, "data"),
   getSandboxWorkingDir: () => join(testTmpDir, "sandbox"),
   isMacOS: () => process.platform === "darwin",

package/src/__tests__/test-preload.ts

@@ -0,0 +1,31 @@
+/**
+ * Shared test preload — runs before every test file.
+ *
+ * Creates a per-file temporary directory and sets VELLUM_WORKSPACE_DIR so that
+ * all workspace-derived helpers (getDataDir, getDbPath, getConversationsDir, …)
+ * resolve under the temp dir instead of the real ~/.vellum/workspace.
+ *
+ * Individual test files can retrieve the workspace dir via getWorkspaceDir()
+ * from platform.ts, or directly from process.env.VELLUM_WORKSPACE_DIR.
+ *
+ * Cleanup: the temp dir is removed after all tests in the file complete.
+ */
+
+import { mkdtempSync, realpathSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll } from "bun:test";
+
+const testDir = realpathSync(
+  mkdtempSync(join(tmpdir(), "vellum-test-workspace-")),
+);
+process.env.VELLUM_WORKSPACE_DIR = testDir;
+
+afterAll(() => {
+  delete process.env.VELLUM_WORKSPACE_DIR;
+  try {
+    rmSync(testDir, { recursive: true, force: true });
+  } catch {
+    /* best-effort cleanup */
+  }
+});

package/src/__tests__/tool-execution-abort-cleanup.test.ts

@@ -76,7 +76,7 @@ mock.module("../tools/network/script-proxy/index.js", () => ({
 }));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => "/tmp",
+  getProtectedDir: () => "/tmp/protected",
   getDataDir: () => "/tmp",
   getWorkspaceDir: () => "/tmp/workspace",
   getConversationsDir: () => "/tmp/workspace/conversations",

package/src/__tests__/tool-execution-pipeline.benchmark.test.ts

@@ -237,7 +237,7 @@ describe("Tool execution pipeline benchmark", () => {
 
     const p50 = percentile(timings, 50);
     expect(p50).toBeLessThan(5);
-    expect(results[0]).toBe(RiskLevel.Medium);
+    expect(results[0]).toBe(RiskLevel.Low);
   });
 
   test("check: full permission check for low-risk tool", async () => {

package/src/__tests__/tool-executor.test.ts

@@ -1209,12 +1209,6 @@ describe("isSideEffectTool", () => {
       );
     });
 
-    test("credential_store oauth2_connect is a side-effect", () => {
-      expect(
-        isSideEffectTool("credential_store", { action: "oauth2_connect" }),
-      ).toBe(true);
-    });
-
     test("credential_store list is NOT a side-effect", () => {
       expect(isSideEffectTool("credential_store", { action: "list" })).toBe(
         false,
@@ -1731,20 +1725,6 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     expect(promptCalled).toBe(true);
   });
 
-  test("credential_store oauth2_connect forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "oauth2_connect", provider: "google" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
   test("credential_store list does NOT force prompt in private conversation", async () => {
     checkResultOverride = { decision: "allow", reason: "Matched trust rule" };