@vellumai/assistant 0.5.16 → 0.6.1

package/src/__tests__/permission-mode.test.ts

@@ -0,0 +1,101 @@
+import { describe, expect, test } from "bun:test";
+
+import { PermissionsConfigSchema } from "../config/schemas/security.js";
+import {
+  DEFAULT_PERMISSION_MODE,
+  PermissionModeSchema,
+} from "../permissions/permission-mode.js";
+
+// ---------------------------------------------------------------------------
+// Tests: PermissionModeSchema
+// ---------------------------------------------------------------------------
+
+describe("PermissionModeSchema", () => {
+  test("parses empty object with correct defaults", () => {
+    const result = PermissionModeSchema.parse({});
+    expect(result.askBeforeActing).toBe(true);
+    expect(result.hostAccess).toBe(false);
+  });
+
+  test("DEFAULT_PERMISSION_MODE matches schema defaults", () => {
+    const parsed = PermissionModeSchema.parse({});
+    expect(parsed).toEqual(DEFAULT_PERMISSION_MODE);
+  });
+
+  test("accepts explicit true/true", () => {
+    const result = PermissionModeSchema.parse({
+      askBeforeActing: true,
+      hostAccess: true,
+    });
+    expect(result.askBeforeActing).toBe(true);
+    expect(result.hostAccess).toBe(true);
+  });
+
+  test("accepts explicit false/false", () => {
+    const result = PermissionModeSchema.parse({
+      askBeforeActing: false,
+      hostAccess: false,
+    });
+    expect(result.askBeforeActing).toBe(false);
+    expect(result.hostAccess).toBe(false);
+  });
+
+  test("round-trips through JSON serialization", () => {
+    const original = { askBeforeActing: false, hostAccess: true };
+    const json = JSON.stringify(original);
+    const parsed = PermissionModeSchema.parse(JSON.parse(json));
+    expect(parsed).toEqual(original);
+  });
+
+  test("rejects non-boolean askBeforeActing", () => {
+    expect(() =>
+      PermissionModeSchema.parse({ askBeforeActing: "yes" }),
+    ).toThrow();
+  });
+
+  test("rejects non-boolean hostAccess", () => {
+    expect(() => PermissionModeSchema.parse({ hostAccess: "no" })).toThrow();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Tests: PermissionsConfigSchema (permissionMode fields)
+// ---------------------------------------------------------------------------
+
+describe("PermissionsConfigSchema permissionMode fields", () => {
+  test("defaults askBeforeActing to true and hostAccess to false", () => {
+    const result = PermissionsConfigSchema.parse({});
+    expect(result.askBeforeActing).toBe(true);
+    expect(result.hostAccess).toBe(false);
+  });
+
+  test("preserves existing mode field alongside new fields", () => {
+    const result = PermissionsConfigSchema.parse({ mode: "strict" });
+    expect(result.mode).toBe("strict");
+    expect(result.askBeforeActing).toBe(true);
+    expect(result.hostAccess).toBe(false);
+  });
+
+  test("accepts overridden values for new fields", () => {
+    const result = PermissionsConfigSchema.parse({
+      mode: "workspace",
+      askBeforeActing: false,
+      hostAccess: true,
+    });
+    expect(result.mode).toBe("workspace");
+    expect(result.askBeforeActing).toBe(false);
+    expect(result.hostAccess).toBe(true);
+  });
+
+  test("round-trips new fields through JSON serialization", () => {
+    const input = {
+      mode: "workspace" as const,
+      askBeforeActing: false,
+      hostAccess: true,
+    };
+    const json = JSON.stringify(input);
+    const parsed = PermissionsConfigSchema.parse(JSON.parse(json));
+    expect(parsed.askBeforeActing).toBe(false);
+    expect(parsed.hostAccess).toBe(true);
+  });
+});

package/src/__tests__/platform-bash-auto-approve.test.ts

@@ -0,0 +1,359 @@
+/**
+ * Tests for platform-hosted bash auto-approval.
+ *
+ * Verifies that bash and host_bash tools are auto-approved without prompting
+ * when running in platform-hosted mode (IS_PLATFORM=true) for guardian actors.
+ * Also verifies that deny rules, non-guardian actors, requireFreshApproval,
+ * and non-bash tools are unaffected by this auto-approval path.
+ */
+
+import {
+  afterAll,
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  mock,
+  test,
+} from "bun:test";
+
+import type { ScopeOption } from "../permissions/types.js";
+import type { ToolExecutionResult } from "../tools/types.js";
+
+// ---------------------------------------------------------------------------
+// Mock setup — mirrors require-fresh-approval.test.ts patterns
+// ---------------------------------------------------------------------------
+
+const mockConfig = {
+  provider: "anthropic",
+  model: "test",
+  maxTokens: 4096,
+  dataDir: "/tmp",
+  timeouts: {
+    shellDefaultTimeoutSec: 120,
+    shellMaxTimeoutSec: 600,
+    permissionTimeoutSec: 300,
+  },
+  sandbox: {
+    enabled: false,
+    backend: "native" as const,
+    docker: {
+      image: "vellum-sandbox:latest",
+      cpus: 1,
+      memoryMb: 512,
+      pidsLimit: 256,
+      network: "none" as const,
+    },
+  },
+  rateLimit: { maxRequestsPerMinute: 0 },
+  secretDetection: {
+    enabled: false,
+    action: "warn" as const,
+    entropyThreshold: 4.0,
+  },
+  permissions: {
+    mode: "workspace" as const,
+  },
+};
+
+let fakeToolResult: ToolExecutionResult = { content: "ok", isError: false };
+
+/** Override the check() result for specific tests. */
+let checkResultOverride: { decision: string; reason: string } | undefined;
+
+/** Override the risk level returned by classifyRisk(). Defaults to "medium". */
+let riskOverride: string = "medium";
+
+/** Scope options override. */
+let scopeOptionsOverride: ScopeOption[] | undefined;
+
+mock.module("../config/loader.js", () => ({
+  getConfig: () => mockConfig,
+  loadConfig: () => mockConfig,
+  invalidateConfigCache: () => {},
+  saveConfig: () => {},
+  loadRawConfig: () => ({}),
+  saveRawConfig: () => {},
+  getNestedValue: () => undefined,
+  setNestedValue: () => {},
+}));
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+  truncateForLog: (value: string) => value,
+}));
+
+mock.module("../permissions/checker.js", () => ({
+  classifyRisk: async () => riskOverride,
+  check: async () => {
+    if (checkResultOverride) return checkResultOverride;
+    return { decision: "allow", reason: "allowed" };
+  },
+  generateAllowlistOptions: () => [
+    { label: "exact", description: "exact", pattern: "exact" },
+  ],
+  generateScopeOptions: () =>
+    scopeOptionsOverride ?? [{ label: "/tmp", scope: "/tmp" }],
+}));
+
+mock.module("../memory/tool-usage-store.js", () => ({
+  recordToolInvocation: () => {},
+}));
+
+mock.module("../tools/registry.js", () => ({
+  getTool: (name: string) => {
+    if (name === "unknown_tool") return undefined;
+    return {
+      name,
+      description: "test tool",
+      category: "shell",
+      defaultRiskLevel: "medium",
+      getDefinition: () => ({}),
+      execute: async () => fakeToolResult,
+    };
+  },
+  getAllTools: () => [],
+}));
+
+mock.module("../tools/shared/filesystem/path-policy.js", () => ({
+  sandboxPolicy: () => ({ ok: false }),
+  hostPolicy: () => ({ ok: false }),
+}));
+
+mock.module("../tools/terminal/sandbox.js", () => ({
+  wrapCommand: () => ({ command: "", sandboxed: false }),
+}));
+
+mock.module("../approvals/approval-primitive.js", () => ({
+  consumeGrantForInvocation: async () => ({ ok: false, reason: "no_grant" }),
+}));
+
+import { PermissionPrompter } from "../permissions/prompter.js";
+import { clearAll as clearAllOverrides } from "../runtime/conversation-approval-overrides.js";
+import { ToolExecutor } from "../tools/executor.js";
+import type { ToolContext as TC } from "../tools/types.js";
+
+function makeContext(overrides?: Partial<TC>): TC {
+  return {
+    workingDir: "/tmp/project",
+    conversationId: "conversation-1",
+    trustClass: "guardian",
+    isInteractive: true,
+    ...overrides,
+  };
+}
+
+function makePrompter(): PermissionPrompter {
+  return {
+    prompt: async () => ({ decision: "allow" as const }),
+    resolveConfirmation: () => {},
+    updateSender: () => {},
+    dispose: () => {},
+  } as unknown as PermissionPrompter;
+}
+
+afterAll(() => {
+  mock.restore();
+});
+
+// ---------------------------------------------------------------------------
+// Platform-hosted bash auto-approval
+// ---------------------------------------------------------------------------
+
+describe("platform-hosted bash auto-approval", () => {
+  beforeEach(() => {
+    fakeToolResult = { content: "ok", isError: false };
+    checkResultOverride = undefined;
+    scopeOptionsOverride = undefined;
+    riskOverride = "medium";
+    clearAllOverrides();
+  });
+
+  afterEach(() => {
+    clearAllOverrides();
+  });
+
+  test("bash auto-approved in platform-hosted mode", async () => {
+    checkResultOverride = { decision: "prompt", reason: "Needs approval" };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: "allow" as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    const result = await executor.execute(
+      "bash",
+      { command: "echo hello" },
+      makeContext({ isPlatformHosted: true, trustClass: "guardian" }),
+    );
+
+    expect(promptCalled).toBe(false);
+    expect(result.isError).toBe(false);
+  });
+
+  test("host_bash NOT auto-approved in platform-hosted mode", async () => {
+    checkResultOverride = { decision: "prompt", reason: "Needs approval" };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: "allow" as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    await executor.execute(
+      "host_bash",
+      { command: "echo hello" },
+      makeContext({ isPlatformHosted: true, trustClass: "guardian" }),
+    );
+
+    expect(promptCalled).toBe(true);
+  });
+
+  test("bash NOT auto-approved when not platform-hosted", async () => {
+    checkResultOverride = { decision: "prompt", reason: "Needs approval" };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: "allow" as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    await executor.execute(
+      "bash",
+      { command: "echo hello" },
+      makeContext({ isPlatformHosted: false, trustClass: "guardian" }),
+    );
+
+    expect(promptCalled).toBe(true);
+  });
+
+  test("bash NOT auto-approved for non-guardian actors", async () => {
+    checkResultOverride = { decision: "prompt", reason: "Needs approval" };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "bash",
+      { command: "echo hello" },
+      makeContext({ isPlatformHosted: true, trustClass: "trusted_contact" }),
+    );
+
+    // Non-guardian actors are blocked by the pre-execution guardian approval
+    // gate before reaching the permission checker. The tool must NOT succeed
+    // via platform auto-approve.
+    expect(result.isError).toBe(true);
+  });
+
+  test("bash NOT auto-approved when requireFreshApproval is set", async () => {
+    checkResultOverride = { decision: "prompt", reason: "Needs approval" };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: "allow" as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    await executor.execute(
+      "bash",
+      { command: "echo hello" },
+      makeContext({
+        isPlatformHosted: true,
+        trustClass: "guardian",
+        requireFreshApproval: true,
+      }),
+    );
+
+    expect(promptCalled).toBe(true);
+  });
+
+  test("deny rules still respected in platform-hosted mode", async () => {
+    checkResultOverride = { decision: "deny", reason: "Explicitly denied" };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "bash",
+      { command: "rm -rf /" },
+      makeContext({ isPlatformHosted: true, trustClass: "guardian" }),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("Explicitly denied");
+  });
+
+  test("high-risk bash auto-approved in platform-hosted mode", async () => {
+    riskOverride = "high";
+    checkResultOverride = { decision: "prompt", reason: "High risk command" };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: "allow" as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    const result = await executor.execute(
+      "bash",
+      { command: "rm -rf /tmp/stuff" },
+      makeContext({ isPlatformHosted: true, trustClass: "guardian" }),
+    );
+
+    expect(promptCalled).toBe(false);
+    expect(result.isError).toBe(false);
+  });
+
+  test("non-bash tools NOT auto-approved in platform-hosted mode", async () => {
+    checkResultOverride = { decision: "prompt", reason: "Needs approval" };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: "allow" as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    await executor.execute(
+      "file_write",
+      { path: "/tmp/test.txt", content: "hello" },
+      makeContext({ isPlatformHosted: true, trustClass: "guardian" }),
+    );
+
+    expect(promptCalled).toBe(true);
+  });
+});

package/src/__tests__/platform-callback-registration.test.ts

@@ -2,14 +2,14 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
 import { credentialKey } from "../security/credential-key.js";
 
-let mockIsContainerized = true;
+let mockIsPlatform = true;
 let mockPlatformBaseUrl = "";
 let mockPlatformAssistantId = "";
 let mockPlatformInternalApiKey = "";
 let mockSecureKeys: Record<string, string> = {};
 
 mock.module("../config/env-registry.js", () => ({
-  getIsContainerized: () => mockIsContainerized,
+  getIsPlatform: () => mockIsPlatform,
 }));
 
 mock.module("../config/env.js", () => ({
@@ -38,7 +38,7 @@ const { registerCallbackRoute, resolvePlatformCallbackRegistrationContext } =
 
 describe("platform callback registration", () => {
   beforeEach(() => {
-    mockIsContainerized = true;
+    mockIsPlatform = true;
     mockPlatformBaseUrl = "";
     mockPlatformAssistantId = "";
     mockPlatformInternalApiKey = "";
@@ -61,7 +61,7 @@ describe("platform callback registration", () => {
     const context = await resolvePlatformCallbackRegistrationContext();
 
     expect(context.enabled).toBe(true);
-    expect(context.containerized).toBe(true);
+    expect(context.isPlatform).toBe(true);
     expect(context.platformBaseUrl).toBe("https://platform.example.com");
     expect(context.assistantId).toBe("11111111-2222-4333-8444-555555555555");
     expect(context.hasInternalApiKey).toBe(false);