@vellumai/assistant 0.5.2 → 0.5.3

package/ARCHITECTURE.md

@@ -1261,6 +1261,115 @@ graph TB
     TRUST -->|"Deny rule matches"| DENY["Blocked"]
 ```
 
+### Inline Skill Command Expansion
+
+Skills can embed dynamic shell output in their SKILL.md body using `!`command``tokens. When`skill_load` processes a skill containing these tokens, the commands are executed at load time through a sandboxed runner and their output is substituted inline. This enables externally authored skills to include project-specific context (e.g., directory listings, config values) without requiring manual edits.
+
+**Feature flag:** `feature_flags.inline-skill-commands.enabled` (default: enabled). When disabled, loading a skill that contains `!`command`` tokens fails closed with an error rather than leaving raw tokens in the prompt.
+
+#### Syntax and Parsing
+
+The `!`command``syntax is parsed by`parseInlineCommandExpansions()` from the SKILL.md body after frontmatter extraction. The parser:
+
+- Extracts all `!`command`` tokens outside fenced code blocks (documentation examples in fenced blocks are ignored)
+- Assigns each token a stable `placeholderId` (0-indexed encounter order)
+- Rejects malformed tokens fail-closed: empty commands, nested backticks, and unmatched opening backticks produce `InlineCommandExpansionError` entries rather than best-effort expansions
+
+#### Transitive Version Hash
+
+When a skill contains inline command expansions, the permission system computes a **transitive version hash** (`tv1:<sha256>`) that covers the root skill and all its included children (DFS pre-order). The hash folds:
+
+1. Each visited skill ID (graph structure)
+2. Each visited skill's directory content hash (file changes)
+
+Editing any file in the root skill or any included child invalidates the transitive hash, which forces re-approval. The hash is computed by `computeTransitiveSkillVersionHash()` and fails closed (`TransitiveHashError`) on missing children or cycles in the include graph.
+
+#### Permission Gating (`skill_load_dynamic:*`)
+
+Skills containing inline command expansions use a separate permission candidate namespace (`skill_load_dynamic:*`) instead of the normal `skill_load:*` namespace. This prevents them from falling through to the permissive default `skill_load:*` allow rule. The permission checker emits candidates in specificity order:
+
+1. `skill_load_dynamic:<skill-id>@<transitive-hash>` — version-pinned approval (most specific)
+2. `skill_load_dynamic:<skill-id>` — any-version approval
+
+A default ask rule at priority 200 (`default:ask-skill_load_dynamic-global`) catches these candidates, ensuring the guardian is always prompted before inline commands execute. The user can create a pinned trust rule for a specific transitive hash to auto-approve known-good versions. Non-interactive sessions (no human present) deny dynamic skill loads rather than silently auto-approving.
+
+```mermaid
+graph TB
+    LOAD["skill_load(selector)"] --> PARSE["Parse SKILL.md body"]
+    PARSE --> CHECK{"Has !\x60command\x60<br/>tokens?"}
+    CHECK -->|"No"| NORMAL["Normal skill_load:* candidate<br/>(auto-allowed)"]
+    CHECK -->|"Yes"| FLAG{"inline-skill-commands<br/>flag enabled?"}
+    FLAG -->|"No"| FAIL_FLAG["Fail closed:<br/>error returned"]
+    FLAG -->|"Yes"| SOURCE{"Eligible source?<br/>(bundled/managed/workspace)"}
+    SOURCE -->|"No (extra)"| FAIL_SOURCE["Fail closed:<br/>source not eligible"]
+    SOURCE -->|"Yes"| HASH["Compute transitive hash"]
+    HASH --> DYN["skill_load_dynamic:id@hash<br/>candidate emitted"]
+    DYN --> PERM["PermissionChecker"]
+    PERM --> RULE{"Trust rule?"}
+    RULE -->|"Pinned allow"| RENDER["Execute + render"]
+    RULE -->|"No rule"| PROMPT["Prompt guardian"]
+    RULE -->|"Deny"| DENY["Blocked"]
+```
+
+#### Sandbox-Only Execution
+
+Inline commands are executed through `runInlineCommand()`, a purpose-built sandbox runner with strict security constraints:
+
+- **Sandbox enforced**: The sandbox is always enabled with `networkMode: "off"` — no outbound network connections
+- **Sanitized environment**: Uses `buildSanitizedEnv()` — no API keys, tokens, credentials, gateway URLs, or workspace paths in the environment
+- **No host fallback**: Unlike the general `bash` tool, there is no fallback to host execution when the sandbox is unavailable
+- **No credential proxy**: No CES client, no credential materialization
+- **Timeout**: 10-second wall-clock limit (killed with SIGKILL on timeout)
+- **Output cap**: 20,000 characters maximum (truncated with `[output truncated]` marker)
+- **Binary rejection**: Output with >10% non-printable characters (after ANSI stripping) is rejected
+- **Stdout only**: stderr is discarded; ANSI escape sequences are stripped from stdout
+
+The runner returns a deterministic `InlineCommandResult` with machine-readable failure reasons (`timeout`, `non_zero_exit`, `binary_output`, `spawn_failure`) — raw stderr is never surfaced.
+
+#### Rendering Flow
+
+The `renderInlineCommands()` function processes expansions sequentially (not in parallel) to maintain deterministic order. Each `!`command`` token is replaced with an XML-wrapped result:
+
+- **Success**: `<inline_skill_command index="N">...output...</inline_skill_command>`
+- **Failure**: `<inline_skill_command index="N">[inline command unavailable: <reason>]</inline_skill_command>`
+
+Rendering applies at two levels during `skill_load`:
+
+1. **Root skill**: If the loaded skill has inline expansions, they are rendered before the skill body is emitted. A root skill with inline commands that fail the feature-flag or source-eligibility check returns an error (fail closed, no `<loaded_skill>` marker).
+2. **Included children**: Each included child skill's body is rendered independently. A render failure in one child does not prevent sibling rendering — the failed child's body falls back to raw (unexpanded) text with a warning log.
+
+#### v1 Source Restriction
+
+In the initial release, only skills from **bundled**, **managed**, and **workspace** sources are eligible for inline command expansion. Skills from **extra** (third-party) roots are explicitly rejected with an error message. The `INLINE_COMMAND_ELIGIBLE_SOURCES` set in `load.ts` enforces this restriction. Unknown or future source types also fail closed.
+
+#### Fail-Closed Behavior Summary
+
+Every layer in the pipeline defaults to rejection rather than silent degradation:
+
+| Layer            | Failure mode                                         | Behavior                                               |
+| ---------------- | ---------------------------------------------------- | ------------------------------------------------------ |
+| Parser           | Malformed token (empty, nested backtick, unmatched)  | Logged as error, not expanded                          |
+| Feature flag     | Flag disabled                                        | `skill_load` returns error, no `<loaded_skill>` marker |
+| Source check     | `extra` or unknown source                            | `skill_load` returns error, no `<loaded_skill>` marker |
+| Transitive hash  | Missing child or cycle in include graph              | `TransitiveHashError` thrown, permission check fails   |
+| Permission       | No trust rule and non-interactive                    | Denied (never silently auto-approved)                  |
+| Sandbox runner   | Timeout, non-zero exit, binary output, spawn failure | Deterministic stub rendered, no raw stderr             |
+| Renderer (root)  | Feature flag off or ineligible source                | Error returned from `skill_load`                       |
+| Renderer (child) | Exception during render                              | Raw body used, sibling rendering continues             |
+
+#### Key Source Files
+
+| File                                                | Role                                                                             |
+| --------------------------------------------------- | -------------------------------------------------------------------------------- |
+| `assistant/src/skills/inline-command-expansions.ts` | `parseInlineCommandExpansions()` — parser for `!`command`` tokens                |
+| `assistant/src/skills/inline-command-runner.ts`     | `runInlineCommand()` — sandbox-only command executor                             |
+| `assistant/src/skills/inline-command-render.ts`     | `renderInlineCommands()` — token replacement and XML wrapping                    |
+| `assistant/src/skills/transitive-version-hash.ts`   | `computeTransitiveSkillVersionHash()` — hash covering root + included children   |
+| `assistant/src/tools/skills/load.ts`                | `skill_load` execute path — feature flag check, source check, render integration |
+| `assistant/src/permissions/checker.ts`              | `skill_load_dynamic:*` candidate emission and allowlist options                  |
+| `assistant/src/permissions/defaults.ts`             | `default:ask-skill_load_dynamic-global` rule (priority 200)                      |
+| `meta/feature-flags/feature-flag-registry.json`     | `inline-skill-commands` flag definition                                          |
+
 ### Key Source Files
 
 | File                                                | Role                                                                                       |

package/docs/skills.md

@@ -156,3 +156,103 @@ Trust rules are stored in `~/.vellum/protected/trust.json`. You can inspect this
 ### "A skill tool keeps prompting even though I approved it."
 
 Check whether the rule has the correct `executionTarget` — a rule scoped to `sandbox` will not match a tool running on `host`.
+
+## Inline Command Expansions
+
+Skills can embed dynamic content by using the **inline command expansion** syntax. When a skill containing these tokens is loaded, each token is executed and replaced with its output before the skill body is delivered to the model. The syntax is shown in the fenced block below.
+
+This syntax is intentionally compatible with the convention established by [inline skill commands](https://x.com) for portable cross-agent skill authoring. Vellum adopts the exact same token format so that externally authored skills load without rewriting — but applies stricter execution constraints.
+
+### Syntax
+
+The canonical syntax is:
+
+```
+!`command`
+```
+
+Where `command` is any shell command string. The exclamation mark immediately precedes the opening backtick with no whitespace in between. Examples:
+
+```markdown
+Current branch: !`git branch --show-current`
+Recent changes: !`git log --oneline -5`
+Project info: !`cat package.json | jq '.name, .version'`
+```
+
+Tokens inside fenced code blocks (` ``` ` or `~~~`) are **not** expanded — they are treated as documentation examples. This allows skills to safely include syntax examples without triggering execution.
+
+### Parsing rules
+
+The parser (`parseInlineCommandExpansions`) enforces fail-closed semantics:
+
+| Condition                                         | Behavior               |
+| ------------------------------------------------- | ---------------------- |
+| Well-formed token outside fenced code             | Parsed as an expansion |
+| Token inside a fenced code block                  | Skipped (not expanded) |
+| Empty command text (no content between backticks) | Rejected as malformed  |
+| Whitespace-only command text                      | Rejected as malformed  |
+| Unmatched opening (no closing backtick found)     | Rejected as malformed  |
+| Nested backticks inside command text              | Rejected as malformed  |
+
+Malformed tokens do not silently pass through — they are collected as errors and logged. If a skill body contains any malformed tokens, the valid tokens are still expanded, but the errors are reported for diagnostics.
+
+### Feature flag
+
+Inline command expansion is gated by the `inline-skill-commands` feature flag (key: `feature_flags.inline-skill-commands.enabled`). The flag defaults to **enabled**.
+
+When the flag is disabled and a skill contains inline command expansion tokens, `skill_load` returns an error rather than delivering unexpanded tokens to the model. This fail-closed behavior prevents the LLM from seeing raw expansion tokens and attempting to interpret them.
+
+### Approval model
+
+Skills with inline command expansions use a separate permission namespace: `skill_load_dynamic:*`. This ensures they do not silently inherit the permissive default `skill_load:*` allow rule.
+
+When a user is prompted to approve a dynamic skill load, the allowlist options are:
+
+| Option         | Pattern                                     | Behavior                                                                                            |
+| -------------- | ------------------------------------------- | --------------------------------------------------------------------------------------------------- |
+| Version-pinned | `skill_load_dynamic:<id>@<transitive-hash>` | Approved for this exact version only. Any change to the skill or its includes invalidates the rule. |
+| Any-version    | `skill_load_dynamic:<id>`                   | Approved for all versions of this skill.                                                            |
+
+The transitive hash covers the skill's own content plus all included skills, so a change anywhere in the dependency graph triggers re-approval for version-pinned rules.
+
+### v1 execution limits
+
+In the initial implementation, inline command execution enforces these constraints:
+
+| Constraint       | Value                                                   |
+| ---------------- | ------------------------------------------------------- |
+| Execution target | Sandbox only (no host fallback)                         |
+| Network access   | Off (no outbound connections)                           |
+| Environment      | Sanitized (no API keys, tokens, or credentials)         |
+| Timeout          | 10 seconds per command                                  |
+| Output cap       | 20,000 characters (truncated with `[output truncated]`) |
+| Binary output    | Rejected if >10% non-printable characters               |
+| ANSI sequences   | Stripped before output processing                       |
+| stderr           | Discarded (only stdout is captured)                     |
+
+Commands that fail (timeout, non-zero exit, spawn failure, binary output) produce a deterministic stub in the rendered body rather than leaking raw error output:
+
+```
+<inline_skill_command index="0">[inline command unavailable: command timed out]</inline_skill_command>
+```
+
+### Eligible skill sources
+
+Only **bundled**, **managed**, and **workspace** skills may use inline command expansions. Third-party **extra** skill sources are explicitly rejected — `skill_load` returns an error if an extra-source skill contains inline expansion tokens.
+
+| Source      | Eligible | Reason                                 |
+| ----------- | -------- | -------------------------------------- |
+| `bundled`   | Yes      | Shipped with the application, trusted  |
+| `managed`   | Yes      | User-installed, subject to approval    |
+| `workspace` | Yes      | Project-local, subject to approval     |
+| `extra`     | No       | Third-party roots, out of scope for v1 |
+
+### Fail-closed summary
+
+The system fails closed at every layer:
+
+1. **Flag off** — skill_load returns an error, tokens never reach the model.
+2. **Malformed syntax** — rejected by the parser, logged as errors.
+3. **Unsupported source** — skill_load returns an error for extra-source skills.
+4. **Command failure** — deterministic stub replaces the token, no raw stderr.
+5. **No permission** — `skill_load_dynamic:*` namespace requires explicit approval.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.5.2",
+  "version": "0.5.3",
   "type": "module",
   "exports": {
     ".": "./src/index.ts"

package/src/__tests__/conversation-agent-loop-overflow.test.ts

@@ -332,6 +332,13 @@ mock.module("../memory/llm-request-log-store.js", () => ({
   backfillMessageIdOnLogs: () => {},
 }));
 
+mock.module("../memory/archive-store.js", () => ({
+  insertCompactionEpisode: () => ({
+    episodeId: "mock-episode-id",
+    jobId: "mock-job-id",
+  }),
+}));
+
 // ── Imports (after mocks) ────────────────────────────────────────────
 
 import {

package/src/__tests__/conversation-agent-loop.test.ts

@@ -315,6 +315,13 @@ mock.module("../agent/message-types.js", () => ({
   }),
 }));
 
+mock.module("../memory/archive-store.js", () => ({
+  insertCompactionEpisode: () => ({
+    episodeId: "mock-episode-id",
+    jobId: "mock-job-id",
+  }),
+}));
+
 mock.module("../memory/llm-request-log-store.js", () => ({
   recordRequestLog: recordRequestLogMock,
   backfillMessageIdOnLogs: () => {},

package/src/__tests__/conversation-memory-dirty-tail.test.ts

@@ -0,0 +1,150 @@
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
+
+const testDir = mkdtempSync(join(tmpdir(), "conv-dirty-tail-test-"));
+
+mock.module("../util/platform.js", () => ({
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => join(testDir, "test.db"),
+  getLogPath: () => join(testDir, "test.log"),
+  ensureDataDir: () => {},
+}));
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+import {
+  addMessage,
+  createConversation,
+  getConversation,
+  getMessages,
+  markConversationMemoryDirty,
+} from "../memory/conversation-crud.js";
+import { getDb, initializeDb, resetDb } from "../memory/db.js";
+
+initializeDb();
+
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    /* best effort */
+  }
+});
+
+describe("markConversationMemoryDirty", () => {
+  beforeEach(() => {
+    const db = getDb();
+    db.run(`DELETE FROM messages`);
+    db.run(`DELETE FROM conversations`);
+  });
+
+  test("first message marks the conversation dirty with its message ID", async () => {
+    const conv = createConversation("test");
+    const msg = await addMessage(conv.id, "user", "hello world", undefined, {
+      skipIndexing: true,
+    });
+
+    const updated = getConversation(conv.id);
+    expect(updated).not.toBeNull();
+    expect(updated!.memoryDirtyTailSinceMessageId).toBe(msg.id);
+  });
+
+  test("repeated messages preserve the original dirty boundary", async () => {
+    const conv = createConversation("test");
+    const msg1 = await addMessage(conv.id, "user", "first message", undefined, {
+      skipIndexing: true,
+    });
+    const msg2 = await addMessage(
+      conv.id,
+      "assistant",
+      "second message",
+      undefined,
+      { skipIndexing: true },
+    );
+
+    const updated = getConversation(conv.id);
+    expect(updated).not.toBeNull();
+    // The dirty tail should still point to msg1, not msg2.
+    expect(updated!.memoryDirtyTailSinceMessageId).toBe(msg1.id);
+    // msg2 should still be persisted normally.
+    expect(msg2.id).not.toBe(msg1.id);
+  });
+
+  test("markConversationMemoryDirty is a no-op when already dirty", () => {
+    const conv = createConversation("test");
+    const firstMessageId = "first-msg-id";
+    const secondMessageId = "second-msg-id";
+
+    markConversationMemoryDirty(conv.id, firstMessageId);
+    const after1 = getConversation(conv.id);
+    expect(after1!.memoryDirtyTailSinceMessageId).toBe(firstMessageId);
+
+    markConversationMemoryDirty(conv.id, secondMessageId);
+    const after2 = getConversation(conv.id);
+    // Still points to the first message — boundary preserved.
+    expect(after2!.memoryDirtyTailSinceMessageId).toBe(firstMessageId);
+  });
+
+  test("message ordering and persistence semantics are unchanged", async () => {
+    const conv = createConversation("test");
+    const msg1 = await addMessage(conv.id, "user", "question", undefined, {
+      skipIndexing: true,
+    });
+    const msg2 = await addMessage(conv.id, "assistant", "answer", undefined, {
+      skipIndexing: true,
+    });
+    const msg3 = await addMessage(conv.id, "user", "follow-up", undefined, {
+      skipIndexing: true,
+    });
+
+    const allMessages = getMessages(conv.id);
+    expect(allMessages).toHaveLength(3);
+    // Messages are ordered by createdAt ascending.
+    expect(allMessages[0].id).toBe(msg1.id);
+    expect(allMessages[1].id).toBe(msg2.id);
+    expect(allMessages[2].id).toBe(msg3.id);
+    expect(allMessages[0].content).toBe("question");
+    expect(allMessages[1].content).toBe("answer");
+    expect(allMessages[2].content).toBe("follow-up");
+    // createdAt is monotonically increasing.
+    expect(allMessages[1].createdAt).toBeGreaterThan(allMessages[0].createdAt);
+    expect(allMessages[2].createdAt).toBeGreaterThan(allMessages[1].createdAt);
+  });
+
+  test("every persisted message marks the conversation dirty", async () => {
+    const conv = createConversation("test");
+
+    // Before any messages, the conversation is not dirty.
+    const before = getConversation(conv.id);
+    expect(before!.memoryDirtyTailSinceMessageId).toBeNull();
+
+    // After the first message, it becomes dirty.
+    const msg1 = await addMessage(conv.id, "user", "msg1", undefined, {
+      skipIndexing: true,
+    });
+    const after1 = getConversation(conv.id);
+    expect(after1!.memoryDirtyTailSinceMessageId).toBe(msg1.id);
+
+    // After subsequent messages, the dirty boundary stays on msg1.
+    await addMessage(conv.id, "assistant", "msg2", undefined, {
+      skipIndexing: true,
+    });
+    await addMessage(conv.id, "user", "msg3", undefined, {
+      skipIndexing: true,
+    });
+    const afterAll = getConversation(conv.id);
+    expect(afterAll!.memoryDirtyTailSinceMessageId).toBe(msg1.id);
+  });
+});

package/src/__tests__/conversation-provider-retry-repair.test.ts

@@ -27,6 +27,9 @@ mock.module("../providers/registry.js", () => ({
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     ui: {},
+    daemon: {
+      titleGenerationMaxTokens: 30,
+    },
 
     provider: "mock-provider",
     maxTokens: 4096,
@@ -174,6 +177,10 @@ mock.module("../memory/conversation-queries.js", () => ({
   listConversations: () => [],
 }));
 
+mock.module("../memory/archive-store.js", () => ({
+  insertCompactionEpisode: () => {},
+}));
+
 mock.module("../memory/retriever.js", () => ({
   buildMemoryRecall: async () => ({
     enabled: false,

package/src/__tests__/conversation-wipe.test.ts

@@ -26,6 +26,7 @@ mock.module("../util/logger.js", () => ({
 import {
   addMessage,
   createConversation,
+  deleteConversation,
   getConversation,
   getMessages,
   wipeConversation,
@@ -436,3 +437,228 @@ describe("wipeConversation", () => {
     expect(itemBRow).not.toBeNull();
   });
 });
+
+describe("deleteConversation — private scope cleanup", () => {
+  beforeEach(() => {
+    const db = getDb();
+    db.run(`DELETE FROM conversation_starters`);
+    db.run(`DELETE FROM memory_item_sources`);
+    db.run(`DELETE FROM memory_segments`);
+    db.run(`DELETE FROM memory_items`);
+    db.run(`DELETE FROM memory_summaries`);
+    db.run(`DELETE FROM memory_embeddings`);
+    db.run(`DELETE FROM memory_jobs`);
+    db.run(`DELETE FROM tool_invocations`);
+    db.run(`DELETE FROM llm_request_logs`);
+    db.run(`DELETE FROM messages`);
+    db.run(`DELETE FROM conversations`);
+  });
+
+  test("sourceless items cleaned up", () => {
+    const conv = createConversation({ conversationType: "private" });
+    const scopeId = conv.memoryScopeId;
+    const now = Date.now();
+
+    const raw = (
+      getDb() as unknown as {
+        $client: import("bun:sqlite").Database;
+      }
+    ).$client;
+
+    // Insert a memory item with matching scopeId but no memory_item_sources
+    raw
+      .query(
+        `INSERT INTO memory_items (id, status, kind, subject, statement, confidence, fingerprint, scope_id, first_seen_at, last_seen_at)
+         VALUES ('priv-item-1', 'active', 'fact', 'test', 'test fact', 0.8, 'fp-priv-1', ?, ?, ?)`,
+      )
+      .run(scopeId, now, now);
+
+    const result = deleteConversation(conv.id);
+
+    // Item should be gone
+    const itemRow = raw
+      .query("SELECT * FROM memory_items WHERE id = 'priv-item-1'")
+      .get();
+    expect(itemRow).toBeNull();
+
+    // Its ID should be in orphanedItemIds
+    expect(result.orphanedItemIds).toContain("priv-item-1");
+  });
+
+  test("summaries cleaned up", () => {
+    const conv = createConversation({ conversationType: "private" });
+    const scopeId = conv.memoryScopeId;
+    const now = Date.now();
+
+    const raw = (
+      getDb() as unknown as {
+        $client: import("bun:sqlite").Database;
+      }
+    ).$client;
+
+    // Insert a memory summary with matching scopeId
+    raw
+      .query(
+        `INSERT INTO memory_summaries (id, scope, scope_key, summary, token_estimate, version, scope_id, start_at, end_at, created_at, updated_at)
+         VALUES ('priv-sum-1', 'global', 'all', 'private summary', 100, 1, ?, ?, ?, ?, ?)`,
+      )
+      .run(scopeId, now, now, now, now);
+
+    const result = deleteConversation(conv.id);
+
+    // Summary should be gone
+    const summaryRow = raw
+      .query("SELECT * FROM memory_summaries WHERE id = 'priv-sum-1'")
+      .get();
+    expect(summaryRow).toBeNull();
+
+    // Its ID should be in deletedSummaryIds
+    expect(result.deletedSummaryIds).toContain("priv-sum-1");
+  });
+
+  test("standard conversations unaffected", async () => {
+    const conv = createConversation("standard test");
+    const now = Date.now();
+
+    const raw = (
+      getDb() as unknown as {
+        $client: import("bun:sqlite").Database;
+      }
+    ).$client;
+
+    // Insert items with scopeId = "default"
+    raw
+      .query(
+        `INSERT INTO memory_items (id, status, kind, subject, statement, confidence, fingerprint, scope_id, first_seen_at, last_seen_at)
+         VALUES ('default-item-1', 'active', 'fact', 'test', 'test fact', 0.8, 'fp-default', 'default', ?, ?)`,
+      )
+      .run(now, now);
+
+    deleteConversation(conv.id);
+
+    // Default-scope items should still exist
+    const itemRow = raw
+      .query("SELECT * FROM memory_items WHERE id = 'default-item-1'")
+      .get();
+    expect(itemRow).not.toBeNull();
+  });
+
+  test("embeddings cleaned up", () => {
+    const conv = createConversation({ conversationType: "private" });
+    const scopeId = conv.memoryScopeId;
+    const now = Date.now();
+
+    const raw = (
+      getDb() as unknown as {
+        $client: import("bun:sqlite").Database;
+      }
+    ).$client;
+
+    // Insert a memory item with matching scopeId
+    raw
+      .query(
+        `INSERT INTO memory_items (id, status, kind, subject, statement, confidence, fingerprint, scope_id, first_seen_at, last_seen_at)
+         VALUES ('priv-item-emb', 'active', 'fact', 'test', 'test fact', 0.8, 'fp-priv-emb', ?, ?, ?)`,
+      )
+      .run(scopeId, now, now);
+
+    // Insert a corresponding embedding
+    raw
+      .query(
+        `INSERT INTO memory_embeddings (id, target_type, target_id, provider, model, dimensions, created_at, updated_at)
+         VALUES ('emb-priv-item', 'item', 'priv-item-emb', 'test', 'test', 384, ?, ?)`,
+      )
+      .run(now, now);
+
+    deleteConversation(conv.id);
+
+    // Both item and embedding should be deleted
+    const itemRow = raw
+      .query("SELECT * FROM memory_items WHERE id = 'priv-item-emb'")
+      .get();
+    expect(itemRow).toBeNull();
+
+    const embeddingRow = raw
+      .query("SELECT * FROM memory_embeddings WHERE id = 'emb-priv-item'")
+      .get();
+    expect(embeddingRow).toBeNull();
+  });
+
+  test("conversationStarters cleaned up", () => {
+    const conv = createConversation({ conversationType: "private" });
+    const scopeId = conv.memoryScopeId;
+    const now = Date.now();
+
+    const raw = (
+      getDb() as unknown as {
+        $client: import("bun:sqlite").Database;
+      }
+    ).$client;
+
+    // Insert a conversation_starters row with the private scopeId
+    raw
+      .query(
+        `INSERT INTO conversation_starters (id, label, prompt, generation_batch, scope_id, card_type, created_at)
+         VALUES ('starter-1', 'Test starter', 'Tell me about tests', 1, ?, 'chip', ?)`,
+      )
+      .run(scopeId, now);
+
+    // Also insert a default-scope starter that should NOT be deleted
+    raw
+      .query(
+        `INSERT INTO conversation_starters (id, label, prompt, generation_batch, scope_id, card_type, created_at)
+         VALUES ('starter-default', 'Default starter', 'Hello', 1, 'default', 'chip', ?)`,
+      )
+      .run(now);
+
+    deleteConversation(conv.id);
+
+    // Private-scope starter should be gone
+    const starterRow = raw
+      .query("SELECT * FROM conversation_starters WHERE id = 'starter-1'")
+      .get();
+    expect(starterRow).toBeNull();
+
+    // Default-scope starter should still exist
+    const defaultStarterRow = raw
+      .query("SELECT * FROM conversation_starters WHERE id = 'starter-default'")
+      .get();
+    expect(defaultStarterRow).not.toBeNull();
+  });
+
+  test("no duplicate IDs", async () => {
+    const conv = createConversation({ conversationType: "private" });
+    const scopeId = conv.memoryScopeId;
+    const msg = await addMessage(conv.id, "user", "hello");
+    const now = Date.now();
+
+    const raw = (
+      getDb() as unknown as {
+        $client: import("bun:sqlite").Database;
+      }
+    ).$client;
+
+    // Insert a memory item with the private scopeId AND a source linking to the message
+    raw
+      .query(
+        `INSERT INTO memory_items (id, status, kind, subject, statement, confidence, fingerprint, scope_id, first_seen_at, last_seen_at)
+         VALUES ('priv-item-dup', 'active', 'fact', 'test', 'test fact', 0.8, 'fp-priv-dup', ?, ?, ?)`,
+      )
+      .run(scopeId, now, now);
+
+    raw
+      .query(
+        `INSERT INTO memory_item_sources (memory_item_id, message_id, created_at) VALUES ('priv-item-dup', ?, ?)`,
+      )
+      .run(msg.id, now);
+
+    const result = deleteConversation(conv.id);
+
+    // The item ID should appear exactly once in orphanedItemIds (caught by
+    // source-based cleanup, not double-counted by scope sweep).
+    const count = result.orphanedItemIds.filter(
+      (id) => id === "priv-item-dup",
+    ).length;
+    expect(count).toBe(1);
+  });
+});