@vellumai/assistant 0.5.5 → 0.5.7

package/src/__tests__/skill-projection-feature-flag.test.ts

@@ -3,7 +3,7 @@
  * tools, even when conversation history contains old markers for those skills.
  */
 import * as realFs from "node:fs";
-import { beforeEach, describe, expect, mock, test } from "bun:test";
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 
 import type { SkillSummary, SkillToolManifest } from "../config/skills.js";
 import { RiskLevel } from "../permissions/types.js";
@@ -38,23 +38,6 @@ mock.module("../config/loader.js", () => ({
   invalidateConfigCache: () => {},
 }));
 
-mock.module("../config/assistant-feature-flags.js", () => ({
-  isAssistantFeatureFlagEnabled: (
-    key: string,
-    config: Record<string, unknown>,
-  ) => {
-    const vals = (
-      config as {
-        assistantFeatureFlagValues?: Record<string, boolean>;
-      }
-    ).assistantFeatureFlagValues;
-    if (vals && typeof vals[key] === "boolean") return vals[key];
-    return true; // default enabled
-  },
-  loadDefaultsRegistry: () => ({}),
-  getAssistantFeatureFlagDefaults: () => ({}),
-}));
-
 mock.module("../config/skill-state.js", () => ({
   skillFlagKey: (skill: { featureFlag?: string }) =>
     skill.featureFlag
@@ -62,6 +45,24 @@ mock.module("../config/skill-state.js", () => ({
       : undefined,
 }));
 
+// Mock assistant-feature-flags to avoid loading the real module (which
+// triggers file I/O and env-registry imports that hang in test context).
+let _mockOverrides: Record<string, boolean> = {};
+mock.module("../config/assistant-feature-flags.js", () => ({
+  isAssistantFeatureFlagEnabled: (key: string, _config: unknown): boolean => {
+    const explicit = _mockOverrides[key];
+    if (typeof explicit === "boolean") return explicit;
+    return true; // undeclared flags default to enabled
+  },
+  clearFeatureFlagOverridesCache: () => {
+    _mockOverrides = {};
+  },
+  _setOverridesForTesting: (overrides: Record<string, boolean>) => {
+    _mockOverrides = { ...overrides };
+  },
+  getAssistantFeatureFlagDefaults: () => ({}),
+}));
+
 mock.module("../skills/active-skill-tools.js", () => {
   const parseMarkers = (messages: Message[]) => {
     const skillLoadUseIds = new Set<string>();
@@ -216,6 +217,10 @@ mock.module("../util/logger.js", () => ({
 
 const { projectSkillTools, resetSkillToolProjection } =
   await import("../daemon/conversation-skill-tools.js");
+const { _setOverridesForTesting } =
+  (await import("../config/assistant-feature-flags.js")) as {
+    _setOverridesForTesting: (o: Record<string, boolean>) => void;
+  };
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -289,9 +294,14 @@ describe("projectSkillTools feature flag enforcement", () => {
     mockUnregisteredSkillIds = [];
     mockSkillRefCount = new Map();
     currentConfig = {};
+    _setOverridesForTesting({});
     resetSkillToolProjection();
   });
 
+  afterEach(() => {
+    _setOverridesForTesting({});
+  });
+
   test("no skill tools projected for flag OFF skill even with old markers", () => {
     mockCatalog = [makeSkill(DECLARED_SKILL_ID, DECLARED_SKILL_ID)];
     mockManifests = {
@@ -302,10 +312,8 @@ describe("projectSkillTools feature flag enforcement", () => {
     const history = buildHistoryWithMarker(DECLARED_SKILL_ID);
     const prevActive = new Map<string, string>();
 
-    // Feature flag is OFF
-    currentConfig = {
-      assistantFeatureFlagValues: { [DECLARED_FLAG_KEY]: false },
-    };
+    // Feature flag is OFF — use protected directory override
+    _setOverridesForTesting({ [DECLARED_FLAG_KEY]: false });
 
     const result = projectSkillTools(history, {
       previouslyActiveSkillIds: prevActive,
@@ -325,10 +333,8 @@ describe("projectSkillTools feature flag enforcement", () => {
     const history = buildHistoryWithMarker(DECLARED_SKILL_ID);
     const prevActive = new Map<string, string>();
 
-    // Feature flag is ON
-    currentConfig = {
-      assistantFeatureFlagValues: { [DECLARED_FLAG_KEY]: true },
-    };
+    // Feature flag is ON — use protected directory override
+    _setOverridesForTesting({ [DECLARED_FLAG_KEY]: true });
 
     const result = projectSkillTools(history, {
       previouslyActiveSkillIds: prevActive,
@@ -419,9 +425,7 @@ describe("projectSkillTools feature flag enforcement", () => {
     const prevActive = new Map<string, string>();
 
     // Declared skill is OFF, plain-skill is undeclared with no persisted override so remains ON.
-    currentConfig = {
-      assistantFeatureFlagValues: { [DECLARED_FLAG_KEY]: false },
-    };
+    _setOverridesForTesting({ [DECLARED_FLAG_KEY]: false });
 
     const result = projectSkillTools(history, {
       previouslyActiveSkillIds: prevActive,

package/src/__tests__/skills.test.ts

@@ -40,8 +40,6 @@ mock.module("../util/platform.js", () => ({
   getWorkspacePromptPath: (file: string) => join(TEST_DIR, file),
   readSessionToken: () => null,
   normalizeAssistantId: (id: string) => id,
-  readLockfile: () => null,
-  writeLockfile: () => {},
 }));
 
 const noopLogger = {

package/src/__tests__/slack-inbound-verification.test.ts

@@ -38,10 +38,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
-
 mock.module("../config/env.js", () => ({
   isHttpAuthDisabled: () => true,
   getGatewayInternalBaseUrl: () => "http://127.0.0.1:7830",

package/src/__tests__/suggestion-routes.test.ts

@@ -2,8 +2,7 @@
  * Unit tests for the GET /v1/suggestion endpoint (handleGetSuggestion).
  *
  * Validates happy path, all null-return paths, caching, staleness check,
- * quote stripping, word-boundary truncation, empty response rejection,
- * and modelIntent verification.
+ * quote stripping, empty response rejection, and modelIntent verification.
  */
 
 import { describe, expect, mock, test } from "bun:test";
@@ -293,36 +292,6 @@ describe("GET /v1/suggestion", () => {
     expect(body.suggestion).toBe("Sure, let's go!");
   });
 
-  test("truncates long suggestions at word boundary", async () => {
-    // A 60-char string that will exceed the 50-char limit
-    const longText =
-      "This is a really long suggestion that goes well beyond fifty chars";
-    const provider = makeMockProvider(longText);
-    mockGetConfiguredProvider.mockImplementation(async () => provider);
-    mockGetConversationByKey.mockImplementation(() => ({
-      conversationId: "conv-test",
-    }));
-    mockGetMessages.mockImplementation(() => [
-      {
-        id: "msg-asst-1",
-        conversationId: "conv-test",
-        role: "assistant",
-        content: JSON.stringify([{ type: "text", text: "Hello there" }]),
-        createdAt: Date.now(),
-        metadata: null,
-      },
-    ]);
-
-    const url = makeUrl({ conversationKey: "test-key" });
-    const deps = makeDeps();
-    const res = await handleGetSuggestion(url, deps);
-    const body = (await res.json()) as { suggestion: string };
-
-    expect(body.suggestion.length).toBeLessThanOrEqual(50);
-    // Should end at a word boundary (no partial words)
-    expect(body.suggestion).not.toMatch(/\s$/);
-  });
-
   test("rejects empty LLM response", async () => {
     const provider = makeMockProvider("");
     mockGetConfiguredProvider.mockImplementation(async () => provider);

package/src/__tests__/system-prompt.test.ts

@@ -86,7 +86,6 @@ mock.module("../config/loader.js", () => ({
   invalidateConfigCache: () => {},
   getNestedValue: () => undefined,
   setNestedValue: () => {},
-  syncConfigToLockfile: () => {},
 }));
 
 // eslint-disable-next-line @typescript-eslint/no-require-imports

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -32,6 +32,10 @@ const mockConfig = {
     action: "warn" as const,
     entropyThreshold: 4.0,
   },
+  permissions: {
+    mode: "workspace" as const,
+    dangerouslySkipPermissions: false,
+  },
 };
 
 let checkerDecision: "allow" | "prompt" | "deny" = "allow";

package/src/__tests__/tool-executor-shell-integration.test.ts

@@ -330,7 +330,7 @@ describe("ToolExecutor → real shell allowlist integration", () => {
     expect(patterns).toContain("action:git");
   });
 
-  test("pipeline command produces only exact option", async () => {
+  test("pipeline command produces exact + action-key options", async () => {
     const { prompter, getAllowlist } = makeCapturingPrompter();
     const executor = new ToolExecutor(prompter);
 
@@ -343,9 +343,11 @@ describe("ToolExecutor → real shell allowlist integration", () => {
     const allowlist = getAllowlist();
     expect(allowlist).toBeDefined();
 
-    // Pipelines are complex commands — only exact option, no action keys
-    expect(allowlist!.length).toBe(1);
+    // Pipelines now produce exact option + action key options
+    expect(allowlist!.length).toBeGreaterThanOrEqual(2);
     expect(allowlist![0].pattern).toBe("cat file.txt | grep error");
     expect(allowlist![0].description).toContain("compound");
+    // Action keys from the first segment before the pipe
+    expect(allowlist!.some((o) => o.pattern.startsWith("action:"))).toBe(true);
   });
 });

package/src/__tests__/tool-executor.test.ts

@@ -50,6 +50,10 @@ const mockConfig = {
     action: "warn" as const,
     entropyThreshold: 4.0,
   },
+  permissions: {
+    mode: "workspace" as const,
+    dangerouslySkipPermissions: false,
+  },
 };
 
 let fakeToolResult: ToolExecutionResult = { content: "ok", isError: false };

package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts

@@ -41,11 +41,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-// Mock security check to always pass
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
-
 mock.module("../config/env.js", () => ({
   isHttpAuthDisabled: () => true,
   getGatewayInternalBaseUrl: () => "http://127.0.0.1:7830",

package/src/__tests__/trusted-contact-multichannel.test.ts

@@ -36,10 +36,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
-
 mock.module("../config/env.js", () => ({
   isHttpAuthDisabled: () => true,
   getGatewayInternalBaseUrl: () => "http://127.0.0.1:7830",

package/src/__tests__/update-bulletin.test.ts

@@ -66,8 +66,6 @@ mock.module("../util/platform.js", () => ({
   getSandboxWorkingDir: () => "",
   getInterfacesDir: () => "",
   getClipboardCommand: () => null,
-  readLockfile: () => null,
-  writeLockfile: () => {},
   readPlatformToken: () => null,
   readSessionToken: () => null,
   getTCPPort: () => 8765,

package/src/__tests__/vellum-self-knowledge-inline-command.test.ts

@@ -61,9 +61,7 @@ const platformOverrides: Record<string, (...args: unknown[]) => unknown> = {
   getSessionTokenPath: () => join(TEST_DIR, "session-token"),
   readSessionToken: () => null,
   getClipboardCommand: () => null,
-  readLockfile: () => null,
   normalizeAssistantId: (id: unknown) => String(id),
-  writeLockfile: () => {},
   getEmbeddingModelsDir: () => join(TEST_DIR, "embedding-models"),
   getTCPPort: () => 8765,
   isTCPEnabled: () => false,
@@ -141,7 +139,6 @@ interface TestConfig {
   permissions: { mode: "strict" | "workspace" };
   skills: { load: { extraDirs: string[] } };
   sandbox: { enabled: boolean };
-  assistantFeatureFlagValues?: Record<string, boolean>;
   [key: string]: unknown;
 }
 
@@ -149,9 +146,6 @@ const testConfig: TestConfig = {
   permissions: { mode: "workspace" },
   skills: { load: { extraDirs: [] } },
   sandbox: { enabled: true },
-  assistantFeatureFlagValues: {
-    "feature_flags.inline-skill-commands.enabled": true,
-  },
 };
 
 mock.module("../config/loader.js", () => ({
@@ -169,6 +163,8 @@ mock.module("../config/loader.js", () => ({
 
 await import("../tools/skills/load.js");
 const { getTool } = await import("../tools/registry.js");
+const { _setOverridesForTesting } =
+  await import("../config/assistant-feature-flags.js");
 
 // ── Helpers ──────────────────────────────────────────────────────────────
 
@@ -228,16 +224,17 @@ describe("vellum-self-knowledge inline command expansion", () => {
       ) => mockRunInlineCommand(command, workingDir),
     }));
 
-    // Enable the feature flag
-    testConfig.assistantFeatureFlagValues = {
+    // Enable the feature flag via protected directory override
+    _setOverridesForTesting({
       "feature_flags.inline-skill-commands.enabled": true,
-    };
+    });
     testConfig.skills = { load: { extraDirs: [] } };
 
     installSelfKnowledgeSkill();
   });
 
   afterEach(() => {
+    _setOverridesForTesting({});
     if (existsSync(TEST_DIR)) {
       rmSync(TEST_DIR, { recursive: true, force: true });
     }

package/src/__tests__/voice-scoped-grant-consumer.test.ts

@@ -70,12 +70,6 @@ mock.module("../config/loader.js", () => ({
   }),
 }));
 
-// ── Secret ingress mock ────────────────────────────────────────────
-
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
-
 // ── Assistant event hub mock ───────────────────────────────────────
 
 mock.module("../runtime/assistant-event-hub.js", () => ({

package/src/__tests__/workspace-migration-015-migrate-credentials-to-keychain.test.ts

@@ -0,0 +1,252 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+const isAvailableFn = mock((): boolean => true);
+const brokerSetFn = mock(
+  async (
+    _account: string,
+    _value: string,
+  ): Promise<{ status: string; code?: string; message?: string }> => ({
+    status: "ok",
+  }),
+);
+const createBrokerClientFn = mock(() => ({
+  isAvailable: isAvailableFn,
+  set: brokerSetFn,
+}));
+
+const listKeysFn = mock((): string[] => []);
+const getKeyFn = mock((_account: string): string | undefined => undefined);
+const deleteKeyFn = mock(
+  (_account: string): "deleted" | "not-found" | "error" => "deleted",
+);
+
+// ---------------------------------------------------------------------------
+// Mock modules — before importing module under test
+//
+// The logger is mocked with a silent Proxy to suppress pino output in tests.
+// The broker client and encrypted store are mocked to control migration
+// behavior without touching real keychain or filesystem state.
+// ---------------------------------------------------------------------------
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+mock.module("../security/keychain-broker-client.js", () => ({
+  createBrokerClient: createBrokerClientFn,
+}));
+
+mock.module("../security/encrypted-store.js", () => ({
+  listKeys: listKeysFn,
+  getKey: getKeyFn,
+  deleteKey: deleteKeyFn,
+}));
+
+// Import after mocking
+import { migrateCredentialsToKeychainMigration } from "../workspace/migrations/015-migrate-credentials-to-keychain.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const WORKSPACE_DIR = "/mock-home/.vellum/workspace";
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("015-migrate-credentials-to-keychain migration", () => {
+  beforeEach(() => {
+    isAvailableFn.mockClear();
+    brokerSetFn.mockClear();
+    createBrokerClientFn.mockClear();
+    listKeysFn.mockClear();
+    getKeyFn.mockClear();
+    deleteKeyFn.mockClear();
+
+    // Defaults: mac production build
+    process.env.VELLUM_DESKTOP_APP = "1";
+    delete process.env.VELLUM_DEV;
+
+    isAvailableFn.mockReturnValue(true);
+    brokerSetFn.mockResolvedValue({ status: "ok" });
+    listKeysFn.mockReturnValue([]);
+    getKeyFn.mockReturnValue(undefined);
+    deleteKeyFn.mockReturnValue("deleted");
+  });
+
+  test("has correct migration id", () => {
+    expect(migrateCredentialsToKeychainMigration.id).toBe(
+      "015-migrate-credentials-to-keychain",
+    );
+  });
+
+  test("skips when VELLUM_DESKTOP_APP is not set", async () => {
+    delete process.env.VELLUM_DESKTOP_APP;
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    expect(createBrokerClientFn).not.toHaveBeenCalled();
+    expect(listKeysFn).not.toHaveBeenCalled();
+  });
+
+  test("skips when VELLUM_DESKTOP_APP is not '1'", async () => {
+    process.env.VELLUM_DESKTOP_APP = "0";
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    expect(createBrokerClientFn).not.toHaveBeenCalled();
+  });
+
+  test("skips when VELLUM_DEV=1", async () => {
+    process.env.VELLUM_DEV = "1";
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    expect(createBrokerClientFn).not.toHaveBeenCalled();
+    expect(listKeysFn).not.toHaveBeenCalled();
+  });
+
+  test(
+    "throws when broker is not available after max retry attempts",
+    async () => {
+      isAvailableFn.mockReturnValue(false);
+
+      await expect(
+        migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR),
+      ).rejects.toThrow(
+        "Keychain broker not available after waiting — credential migration will be retried on next startup",
+      );
+
+      // Should have retried isAvailable multiple times
+      expect(isAvailableFn.mock.calls.length).toBeGreaterThan(1);
+
+      // Should not proceed to list or migrate keys
+      expect(listKeysFn).not.toHaveBeenCalled();
+      expect(brokerSetFn).not.toHaveBeenCalled();
+    },
+    { timeout: 10_000 },
+  );
+
+  test("succeeds when broker becomes available after retry", async () => {
+    // Broker unavailable for first 3 calls, then available
+    let callCount = 0;
+    isAvailableFn.mockImplementation(() => {
+      callCount++;
+      return callCount > 3;
+    });
+    listKeysFn.mockReturnValue(["retry-key"]);
+    getKeyFn.mockReturnValue("retry-secret");
+    brokerSetFn.mockResolvedValue({ status: "ok" });
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    // Should have called isAvailable 4 times (3 false + 1 true)
+    expect(isAvailableFn).toHaveBeenCalledTimes(4);
+
+    // Should have proceeded with migration
+    expect(brokerSetFn).toHaveBeenCalledWith("retry-key", "retry-secret");
+    expect(deleteKeyFn).toHaveBeenCalledWith("retry-key");
+  });
+
+  test("no-ops when encrypted store has no keys", async () => {
+    listKeysFn.mockReturnValue([]);
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    expect(brokerSetFn).not.toHaveBeenCalled();
+    expect(deleteKeyFn).not.toHaveBeenCalled();
+  });
+
+  test("successfully migrates keys from encrypted store to keychain", async () => {
+    listKeysFn.mockReturnValue(["account-a", "account-b"]);
+    getKeyFn.mockImplementation((account: string) => {
+      if (account === "account-a") return "secret-a";
+      if (account === "account-b") return "secret-b";
+      return undefined;
+    });
+    brokerSetFn.mockResolvedValue({ status: "ok" });
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    // Should have called broker.set for each key
+    expect(brokerSetFn).toHaveBeenCalledTimes(2);
+    expect(brokerSetFn).toHaveBeenCalledWith("account-a", "secret-a");
+    expect(brokerSetFn).toHaveBeenCalledWith("account-b", "secret-b");
+
+    // Should have deleted each key from encrypted store after successful migration
+    expect(deleteKeyFn).toHaveBeenCalledTimes(2);
+    expect(deleteKeyFn).toHaveBeenCalledWith("account-a");
+    expect(deleteKeyFn).toHaveBeenCalledWith("account-b");
+  });
+
+  test("continues on individual key failure and migrates others", async () => {
+    listKeysFn.mockReturnValue(["fail-key", "ok-key"]);
+    getKeyFn.mockImplementation((account: string) => {
+      if (account === "fail-key") return "fail-secret";
+      if (account === "ok-key") return "ok-secret";
+      return undefined;
+    });
+    brokerSetFn.mockImplementation(async (account: string) => {
+      if (account === "fail-key") {
+        return {
+          status: "rejected" as const,
+          code: "UNKNOWN",
+          message: "broker rejected",
+        };
+      }
+      return { status: "ok" as const };
+    });
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    // fail-key should NOT have been deleted (broker rejected it)
+    expect(deleteKeyFn).not.toHaveBeenCalledWith("fail-key");
+
+    // ok-key should have been migrated and deleted
+    expect(brokerSetFn).toHaveBeenCalledWith("ok-key", "ok-secret");
+    expect(deleteKeyFn).toHaveBeenCalledWith("ok-key");
+    expect(deleteKeyFn).toHaveBeenCalledTimes(1);
+  });
+
+  test("handles getKey returning undefined for a listed key", async () => {
+    listKeysFn.mockReturnValue(["ghost-key", "real-key"]);
+    getKeyFn.mockImplementation((account: string) => {
+      if (account === "ghost-key") return undefined;
+      if (account === "real-key") return "real-secret";
+      return undefined;
+    });
+    brokerSetFn.mockResolvedValue({ status: "ok" });
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    // ghost-key should not be sent to broker or deleted
+    expect(brokerSetFn).not.toHaveBeenCalledWith(
+      "ghost-key",
+      expect.anything(),
+    );
+    expect(deleteKeyFn).not.toHaveBeenCalledWith("ghost-key");
+
+    // real-key should be migrated
+    expect(brokerSetFn).toHaveBeenCalledWith("real-key", "real-secret");
+    expect(deleteKeyFn).toHaveBeenCalledWith("real-key");
+  });
+
+  test("handles broker unreachable status for individual keys", async () => {
+    listKeysFn.mockReturnValue(["key-1"]);
+    getKeyFn.mockReturnValue("secret-1");
+    brokerSetFn.mockResolvedValue({ status: "unreachable" });
+
+    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
+
+    // Should not delete when broker is unreachable
+    expect(deleteKeyFn).not.toHaveBeenCalled();
+  });
+});