@vellumai/assistant 0.5.14 → 0.5.16

package/src/runtime/auth/__tests__/token-service.test.ts

@@ -1,22 +1,4 @@
-import { mkdtempSync, realpathSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
-
-const testDir = realpathSync(mkdtempSync(join(tmpdir(), "auth-token-test-")));
-
-mock.module("../../../util/platform.js", () => ({
-  getRootDir: () => testDir,
-  getDataDir: () => testDir,
-  getDbPath: () => join(testDir, "test.db"),
-  normalizeAssistantId: (id: string) => (id === "self" ? "self" : id),
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
+import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 mock.module("../../../util/logger.js", () => ({
   getLogger: () =>
@@ -39,12 +21,6 @@ beforeEach(() => {
   initAuthSigningKey(TEST_KEY);
 });
 
-afterAll(() => {
-  try {
-    rmSync(testDir, { recursive: true, force: true });
-  } catch {}
-});
-
 describe("mintToken / verifyToken round-trip", () => {
   test("mint + verify succeeds for valid token targeting vellum-daemon", () => {
     const token = mintToken({

package/src/runtime/auth/route-policy.ts

@@ -349,10 +349,6 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "config/embeddings:GET", scopes: ["settings.read"] },
   { endpoint: "config/embeddings:PUT", scopes: ["settings.write"] },
 
-  // Permissions config
-  { endpoint: "config/permissions/skip:GET", scopes: ["settings.read"] },
-  { endpoint: "config/permissions/skip:PUT", scopes: ["settings.write"] },
-
   // Generic config read/patch
   { endpoint: "config:GET", scopes: ["settings.read"] },
   { endpoint: "config:PATCH", scopes: ["settings.write"] },

package/src/runtime/guardian-reply-router.ts

@@ -155,8 +155,11 @@ function parseRequestCode(
   text: string,
   scopeConversationId?: string,
 ): CodeParseResult | null {
+  // Strip common channel formatting delimiters (backticks, bold, italic,
+  // strikethrough) that messaging platforms wrap around inline code.
+  const cleaned = text.replace(/^[`*_~]+/, "").replace(/[`*_~]+$/, "").trim();
   // Request codes are 6 hex chars (A-F, 0-9), uppercase
-  const upper = text.toUpperCase();
+  const upper = cleaned.toUpperCase();
   const match = upper.match(/^([A-F0-9]{6})(?:\s|$)/);
   if (!match) return null;
 
@@ -185,7 +188,7 @@ function parseRequestCode(
     return null;
   }
 
-  const remainingText = text.slice(code.length).trim();
+  const remainingText = cleaned.slice(code.length).trim();
   return { request, remainingText };
 }
 
@@ -754,6 +757,7 @@ const EXPLICIT_REJECT_PHRASES: ReadonlySet<string> = new Set([
 
 function normalizeDecisionPhrase(text: string): string {
   return text
+    .replace(/[`*_~]/g, "")
     .trim()
     .toLowerCase()
     .replace(/[.!?]+$/g, "")

package/src/runtime/routes/conversation-query-routes.ts

@@ -1,6 +1,6 @@
 /**
  * HTTP route definitions for model configuration, embedding configuration,
- * permissions configuration, conversation search, message content, LLM
+ * conversation search, message content, LLM
  * context inspection, and queued message deletion.
  *
  * These routes expose conversation query functionality over the HTTP API.
@@ -10,8 +10,6 @@
  * PUT    /v1/model/image-gen            — set image-gen model
  * GET    /v1/config/embeddings          — current embedding config
  * PUT    /v1/config/embeddings          — set embedding provider/model
- * GET    /v1/config/permissions/skip    — dangerouslySkipPermissions status
- * PUT    /v1/config/permissions/skip    — toggle dangerouslySkipPermissions
  * GET    /v1/config                     — full raw workspace config
  * PATCH  /v1/config                     — deep-merge partial config
  * GET    /v1/conversations/search       — search conversations
@@ -24,7 +22,6 @@ import { z } from "zod";
 
 import {
   deepMergeOverwrite,
-  getConfig,
   loadRawConfig,
   saveRawConfig,
 } from "../../config/loader.js";
@@ -113,9 +110,7 @@ function applyStoredProviderToLlmContextResult(
   const mergedSummary = normalized.summary
     ? { ...normalized.summary, provider }
     : { provider };
-  const summary = attachEstimatedCost(
-    mergedSummary as LlmContextSummary,
-  );
+  const summary = attachEstimatedCost(mergedSummary as LlmContextSummary);
   return { ...normalized, summary };
 }
 
@@ -324,57 +319,6 @@ export function conversationQueryRouteDefinitions(
       },
     },
 
-    // ── Permissions config ─────────────────────────────────────────────
-    {
-      endpoint: "config/permissions/skip",
-      method: "GET",
-      policyKey: "config/permissions/skip",
-      summary: "Get permission-skip flag",
-      description: "Return whether dangerouslySkipPermissions is enabled.",
-      tags: ["config"],
-      responseBody: z.object({
-        enabled: z.boolean(),
-      }),
-      handler: () => {
-        const config = getConfig();
-        return Response.json({
-          enabled: config.permissions.dangerouslySkipPermissions,
-        });
-      },
-    },
-    {
-      endpoint: "config/permissions/skip",
-      method: "PUT",
-      policyKey: "config/permissions/skip",
-      summary: "Set permission-skip flag",
-      description: "Enable or disable dangerouslySkipPermissions.",
-      tags: ["config"],
-      requestBody: z.object({
-        enabled: z.boolean(),
-      }),
-      handler: async ({ req }) => {
-        const body = (await req.json()) as { enabled?: unknown };
-        if (typeof body.enabled !== "boolean") {
-          return httpError(
-            "BAD_REQUEST",
-            "Missing or invalid field: enabled (boolean)",
-            400,
-          );
-        }
-        const raw = loadRawConfig();
-        const permissions: Record<string, unknown> =
-          raw.permissions != null &&
-          typeof raw.permissions === "object" &&
-          !Array.isArray(raw.permissions)
-            ? (raw.permissions as Record<string, unknown>)
-            : {};
-        permissions.dangerouslySkipPermissions = body.enabled;
-        raw.permissions = permissions;
-        saveRawConfig(raw);
-        return Response.json({ enabled: body.enabled });
-      },
-    },
-
     // ── Full config read ─────────────────────────────────────────────
     {
       endpoint: "config",

package/src/runtime/routes/inbound-stages/background-dispatch.ts

@@ -15,6 +15,7 @@ import * as deliveryCrud from "../../../memory/delivery-crud.js";
 import * as deliveryStatus from "../../../memory/delivery-status.js";
 import {
   extractChannelFromCallbackUrl,
+  extractMessageTsFromCallbackUrl,
   extractThreadTsFromCallbackUrl,
   setThreadTs,
 } from "../../../memory/slack-thread-store.js";
@@ -328,9 +329,49 @@ export function setSlackThinkingStatus(
   // the correct thread for the Assistants API status.
   const threadTs = extractThreadTsFromCallbackUrl(callbackUrl);
 
-  // If there's no thread context, we can't set a thread status — bail.
+  // For non-threaded DMs, fall back to emoji reaction on the original message.
   if (!threadTs) {
-    return () => {};
+    const messageTs = extractMessageTsFromCallbackUrl(callbackUrl);
+    if (!messageTs) return () => {};
+
+    const addPromise = deliverChannelReply(
+      callbackUrl,
+      {
+        chatId,
+        assistantId,
+        reaction: { action: "add", name: "eyes", messageTs },
+      },
+      mintBearerToken(),
+    ).catch((err) => {
+      log.debug({ err, chatId, messageTs }, "Failed to add Slack eyes reaction");
+    });
+
+    const clearReaction = () => {
+      if (cleared) return;
+      cleared = true;
+      clearTimeout(safetyTimer);
+      void addPromise.then(() =>
+        deliverChannelReply(
+          callbackUrl,
+          {
+            chatId,
+            assistantId,
+            reaction: { action: "remove", name: "eyes", messageTs },
+          },
+          mintBearerToken(),
+        ).catch((err) => {
+          log.debug(
+            { err, chatId, messageTs },
+            "Failed to remove Slack eyes reaction",
+          );
+        }),
+      );
+    };
+
+    const safetyTimer = setTimeout(clearReaction, SLACK_THINKING_MAX_DURATION_MS);
+    (safetyTimer as { unref?: () => void }).unref?.();
+
+    return clearReaction;
   }
 
   // Track the set promise so clear waits for it to settle first,

package/src/runtime/routes/memory-item-routes.test.ts

@@ -4,9 +4,6 @@
  * Covers: list with filters, get by ID, create + duplicate rejection,
  * update + fingerprint collision, delete + 404.
  */
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import {
   afterAll,
   beforeAll,
@@ -17,19 +14,6 @@ import {
   test,
 } from "bun:test";
 
-const testDir = mkdtempSync(join(tmpdir(), "memory-item-routes-test-"));
-
-mock.module("../../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -206,7 +190,6 @@ describe("Memory Item Routes", () => {
 
   afterAll(() => {
     resetDb();
-    rmSync(testDir, { recursive: true, force: true });
   });
 
   // =========================================================================

package/src/runtime/routes/memory-item-routes.ts

@@ -129,6 +129,26 @@ function buildConversationTitleMap(
   return map;
 }
 
+// ---------------------------------------------------------------------------
+// Semantic search constants
+// ---------------------------------------------------------------------------
+
+/**
+ * Maximum number of candidate IDs fetched from Qdrant for semantic search.
+ *
+ * Kind-filtering and pagination happen *after* this fetch, so if a broad query
+ * matches more items than this ceiling, results beyond it are silently excluded
+ * — kind-filtered counts may be under-reported and offsets past this value are
+ * unreachable. The limit exists to bound Qdrant query cost and the size of the
+ * subsequent `IN (...)` SQL clauses (SQLite's SQLITE_MAX_VARIABLE_NUMBER is
+ * 32,766 in Bun's bundled build, so 10k stays well within that).
+ *
+ * If this becomes a real bottleneck for large memory stores, consider pushing
+ * kind/status filters into Qdrant payload filtering so the fetch limit only
+ * needs to cover the final result set.
+ */
+const SEMANTIC_SEARCH_FETCH_CEILING = 10_000;
+
 // ---------------------------------------------------------------------------
 // Semantic search helper
 // ---------------------------------------------------------------------------
@@ -239,26 +259,68 @@ export async function handleListMemoryItems(url: URL): Promise<Response> {
   // When a search query is present, try Qdrant hybrid search first.
   // Falls back to SQL LIKE when embeddings / Qdrant are unavailable.
   if (searchParam) {
+    // Search WITHOUT kind filter so we can compute cross-kind counts.
+    // Kind filtering is applied post-hoc while preserving relevance order.
     const semanticResult = await searchItemsSemantic(
       searchParam,
-      limitParam + offsetParam,
-      kindParam,
+      SEMANTIC_SEARCH_FETCH_CEILING,
+      null,
       statusParam,
     );
 
     if (semanticResult && semanticResult.ids.length > 0) {
-      // Slice for pagination
-      const pageIds = semanticResult.ids.slice(
-        offsetParam,
-        offsetParam + limitParam,
-      );
+      // Compute kindCounts from all semantic matches (no kind filter).
+      // Status filter is applied as defense-in-depth against stale Qdrant payloads.
+      const kindCountConditions = [inArray(memoryItems.id, semanticResult.ids)];
+      if (statusParam && statusParam !== "all") {
+        kindCountConditions.push(eq(memoryItems.status, statusParam));
+      }
+      const kindCountRows = db
+        .select({ kind: memoryItems.kind, count: count() })
+        .from(memoryItems)
+        .where(and(...kindCountConditions))
+        .groupBy(memoryItems.kind)
+        .all();
+      const semanticKindCounts: Record<string, number> = {};
+      for (const row of kindCountRows) {
+        semanticKindCounts[row.kind] = row.count;
+      }
+
+      // Apply kind filter while preserving semantic relevance ordering.
+      // Status filter is applied here too for defense-in-depth consistency.
+      let filteredIds = semanticResult.ids;
+      if (kindParam) {
+        const kindFilterConditions = [
+          inArray(memoryItems.id, semanticResult.ids),
+          eq(memoryItems.kind, kindParam),
+        ];
+        if (statusParam && statusParam !== "all") {
+          kindFilterConditions.push(eq(memoryItems.status, statusParam));
+        }
+        const kindIdSet = new Set(
+          db
+            .select({ id: memoryItems.id })
+            .from(memoryItems)
+            .where(and(...kindFilterConditions))
+            .all()
+            .map((r) => r.id),
+        );
+        filteredIds = semanticResult.ids.filter((id) => kindIdSet.has(id));
+      }
+
+      const total = filteredIds.length;
+      const pageIds = filteredIds.slice(offsetParam, offsetParam + limitParam);
 
       if (pageIds.length === 0) {
-        return Response.json({ items: [], total: semanticResult.total });
+        return Response.json({
+          items: [],
+          total,
+          kindCounts: semanticKindCounts,
+        });
       }
 
-      // Re-apply the same DB-side filters used in the SQL path as defense-
-      // in-depth against stale Qdrant payloads leaking deleted/mismatched rows.
+      // Re-apply DB-side filters as defense-in-depth against stale Qdrant
+      // payloads leaking deleted/mismatched rows.
       const hydrationConditions = [inArray(memoryItems.id, pageIds)];
       if (statusParam && statusParam !== "all") {
         hydrationConditions.push(eq(memoryItems.status, statusParam));
@@ -288,12 +350,41 @@ export async function handleListMemoryItems(url: URL): Promise<Response> {
 
       return Response.json({
         items: enrichedItems,
-        total: semanticResult.total,
+        total,
+        kindCounts: semanticKindCounts,
       });
     }
     // semanticResult was null (Qdrant unavailable) or empty — fall through to SQL
   }
 
+  // ── Kind counts for SQL path ───────────────────────────────────────
+  // Respects status/search filters but NOT kind filter, so the sidebar
+  // can show totals for every kind simultaneously.
+  const kindCountConditions = [];
+  if (statusParam && statusParam !== "all") {
+    kindCountConditions.push(eq(memoryItems.status, statusParam));
+  }
+  if (searchParam) {
+    kindCountConditions.push(
+      or(
+        like(memoryItems.subject, `%${searchParam}%`),
+        like(memoryItems.statement, `%${searchParam}%`),
+      )!,
+    );
+  }
+  const kindCountWhere =
+    kindCountConditions.length > 0 ? and(...kindCountConditions) : undefined;
+  const sqlKindCountRows = db
+    .select({ kind: memoryItems.kind, count: count() })
+    .from(memoryItems)
+    .where(kindCountWhere)
+    .groupBy(memoryItems.kind)
+    .all();
+  const kindCounts: Record<string, number> = {};
+  for (const row of sqlKindCountRows) {
+    kindCounts[row.kind] = row.count;
+  }
+
   // ── SQL path (default or fallback) ──────────────────────────────────
   const conditions = [];
   if (statusParam && statusParam !== "all") {
@@ -344,7 +435,7 @@ export async function handleListMemoryItems(url: URL): Promise<Response> {
     scopeLabel: resolveScopeLabel(item.scopeId, titleMap),
   }));
 
-  return Response.json({ items: enrichedItems, total });
+  return Response.json({ items: enrichedItems, total, kindCounts });
 }
 
 // ---------------------------------------------------------------------------

package/src/runtime/routes/oauth-apps.ts

@@ -253,7 +253,10 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           );
         }
 
-        let body: { scopes?: string[] } = {};
+        let body: {
+          scopes?: string[];
+          callback_transport?: "loopback" | "gateway";
+        } = {};
         try {
           const text = await req.text();
           if (text) {
@@ -263,6 +266,19 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           // No body or invalid JSON — use defaults
         }
 
+        // Validate callback_transport if present
+        if (
+          body.callback_transport !== undefined &&
+          body.callback_transport !== "loopback" &&
+          body.callback_transport !== "gateway"
+        ) {
+          return httpError(
+            "BAD_REQUEST",
+            'callback_transport must be "loopback" or "gateway"',
+            400,
+          );
+        }
+
         const clientSecret = await getAppClientSecret(app);
 
         const result = await orchestrateOAuthConnect({
@@ -270,6 +286,7 @@ export function oauthAppsRouteDefinitions(): RouteDefinition[] {
           clientId: app.clientId,
           clientSecret,
           requestedScopes: body.scopes,
+          callbackTransport: body.callback_transport ?? "loopback",
           isInteractive: false,
         });
 

package/src/runtime/routes/oauth-providers.ts

@@ -6,8 +6,10 @@
  * runtime auth middleware.
  */
 
+import { loadConfig } from "../../config/loader.js";
 import { getProvider, listProviders } from "../../oauth/oauth-store.js";
 import { serializeProviderSummary } from "../../oauth/provider-serializer.js";
+import { isProviderVisible } from "../../oauth/provider-visibility.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
 
@@ -22,7 +24,9 @@ export function oauthProvidersRouteDefinitions(): RouteDefinition[] {
       method: "GET",
       handler: ({ url }) => {
         const rows = listProviders();
-        let serialized = rows
+        const config = loadConfig();
+        const visibleRows = rows.filter((r) => isProviderVisible(r, config));
+        let serialized = visibleRows
           .map((row) => serializeProviderSummary(row))
           .filter((s): s is NonNullable<typeof s> => s !== null);
 
@@ -53,6 +57,14 @@ export function oauthProvidersRouteDefinitions(): RouteDefinition[] {
           );
         }
 
+        if (!isProviderVisible(row, loadConfig())) {
+          return httpError(
+            "NOT_FOUND",
+            `No OAuth provider registered for "${params.providerKey}"`,
+            404,
+          );
+        }
+
         return Response.json({ provider: serializeProviderSummary(row) });
       },
     },

package/src/runtime/routes/settings-routes.ts

@@ -223,6 +223,7 @@ async function handleOAuthConnectStart(body: {
       requestedScopes: body.requestedScopes,
       clientId,
       clientSecret,
+      callbackTransport: "loopback",
       isInteractive: true,
       openUrl: (url: string) => {
         authUrl = url;

package/src/runtime/routes/usage-routes.ts

@@ -11,6 +11,7 @@ import { z } from "zod";
 import {
   getUsageDayBuckets,
   getUsageGroupBreakdown,
+  getUsageHourBuckets,
   getUsageTotals,
 } from "../../memory/llm-usage-store.js";
 import { httpError } from "../http-errors.js";
@@ -104,14 +105,30 @@ export function usageRouteDefinitions(): RouteDefinition[] {
           schema: { type: "integer" },
           description: "End epoch millis (required)",
         },
+        {
+          name: "granularity",
+          schema: { type: "string", enum: ["daily", "hourly"] },
+          description: 'Bucket granularity: "daily" (default) or "hourly"',
+        },
       ],
       responseBody: z.object({
-        buckets: z.array(z.unknown()).describe("Daily usage bucket objects"),
+        buckets: z.array(z.unknown()).describe("Usage bucket objects"),
       }),
       handler: ({ url }) => {
         const range = parseTimeRange(url);
         if (range instanceof Response) return range;
-        const buckets = getUsageDayBuckets(range);
+        const granularity = url.searchParams.get("granularity") ?? "daily";
+        if (granularity !== "daily" && granularity !== "hourly") {
+          return httpError(
+            "BAD_REQUEST",
+            `Invalid "granularity" value: "${granularity}". Must be one of: daily, hourly`,
+            400,
+          );
+        }
+        const buckets =
+          granularity === "hourly"
+            ? getUsageHourBuckets(range)
+            : getUsageDayBuckets(range);
         return Response.json({ buckets });
       },
     },

package/src/runtime/routes/work-items-routes.test.ts

@@ -5,24 +5,8 @@
  * item falls back to the task-level required tools instead of silently
  * skipping permission checks.
  */
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
 import { afterAll, describe, expect, mock, test } from "bun:test";
 
-const testDir = mkdtempSync(join(tmpdir(), "work-items-routes-test-"));
-
-mock.module("../../util/platform.js", () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-  getPidPath: () => join(testDir, "test.pid"),
-  getDbPath: () => join(testDir, "test.db"),
-  getLogPath: () => join(testDir, "test.log"),
-  ensureDataDir: () => {},
-}));
-
 mock.module("../../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {
@@ -48,11 +32,6 @@ initializeDb();
 
 afterAll(() => {
   resetDb();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
 });
 
 describe("empty required_tools snapshot bypass", () => {

package/src/runtime/routes/workspace-routes.test.ts

@@ -4,37 +4,17 @@
  * Covers path resolution (traversal prevention), MIME type detection,
  * directory listing, file metadata, and raw content serving with range support.
  */
-import {
-  existsSync,
-  mkdirSync,
-  mkdtempSync,
-  readFileSync,
-  realpathSync,
-  rmSync,
-  writeFileSync,
-} from "node:fs";
-import { tmpdir } from "node:os";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
-import { afterAll, beforeAll, describe, expect, mock, test } from "bun:test";
+import { beforeAll, describe, expect, test } from "bun:test";
 
 // ---------------------------------------------------------------------------
 // Create a temp workspace directory for isolation
 // ---------------------------------------------------------------------------
 
-const testWorkspaceDir = realpathSync(
-  mkdtempSync(join(tmpdir(), "workspace-routes-test-")),
-);
+const testWorkspaceDir = process.env.VELLUM_WORKSPACE_DIR!;
 
 // Mock platform module so getWorkspaceDir returns our temp dir
-mock.module("../../util/platform.js", () => ({
-  getWorkspaceDir: () => testWorkspaceDir,
-  getRootDir: () => testWorkspaceDir,
-  getDataDir: () => testWorkspaceDir,
-  isMacOS: () => process.platform === "darwin",
-  isLinux: () => process.platform === "linux",
-  isWindows: () => process.platform === "win32",
-}));
-
 import { workspaceRouteDefinitions } from "./workspace-routes.js";
 import { isTextMimeType, resolveWorkspacePath } from "./workspace-utils.js";
 
@@ -65,10 +45,6 @@ beforeAll(() => {
   writeFileSync(binaryFile, pngSignature);
 });
 
-afterAll(() => {
-  rmSync(testWorkspaceDir, { recursive: true, force: true });
-});
-
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------

package/src/security/secret-allowlist.ts

@@ -1,7 +1,7 @@
 /**
  * User-defined allowlist for suppressing secret scanner false positives.
  *
- * Reads `~/.vellum/secret-allowlist.json` (if present) and provides
+ * Reads `~/.vellum/workspace/data/secret-allowlist.json` (if present) and provides
  * `isAllowlisted(value)` to check whether a matched value should be
  * suppressed.
  *
@@ -18,7 +18,7 @@ import { join } from "node:path";
 
 import { pathExists } from "../util/fs.js";
 import { getLogger } from "../util/logger.js";
-import { getProtectedDir } from "../util/platform.js";
+import { getDataDir } from "../util/platform.js";
 
 const log = getLogger("secret-allowlist");
 
@@ -45,7 +45,7 @@ let allowedRegexes: RegExp[] = [];
 export function loadAllowlist(): void {
   if (loaded || fileChecked) return;
 
-  const filePath = join(getProtectedDir(), "secret-allowlist.json");
+  const filePath = join(getDataDir(), "secret-allowlist.json");
   if (!pathExists(filePath)) {
     fileChecked = true;
     return;
@@ -169,7 +169,7 @@ function validateAllowlist(
  * Returns validation errors, or null if the file doesn't exist.
  */
 export function validateAllowlistFile(): AllowlistValidationError[] | null {
-  const filePath = join(getProtectedDir(), "secret-allowlist.json");
+  const filePath = join(getDataDir(), "secret-allowlist.json");
   if (!pathExists(filePath)) return null;
 
   const raw = readFileSync(filePath, "utf-8");