@vellumai/assistant 0.5.6 → 0.5.7

package/src/__tests__/ces-rpc-credential-backend.test.ts

@@ -0,0 +1,199 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { CesRpcMethod } from "@vellumai/ces-contracts";
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+const callFn = mock(
+  async (_method: string, _request: unknown): Promise<unknown> => ({}),
+);
+
+const isReadyFn = mock((): boolean => true);
+
+// ---------------------------------------------------------------------------
+// Mock modules — before importing module under test
+// ---------------------------------------------------------------------------
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+// Import after mocking
+import type { CesClient } from "../credential-execution/client.js";
+import { CesRpcCredentialBackend } from "../security/ces-rpc-credential-backend.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function createMockClient(): CesClient {
+  return {
+    handshake: mock(async () => ({ accepted: true })),
+    call: callFn as CesClient["call"],
+    updateAssistantApiKey: mock(async () => ({ updated: true })),
+    isReady: isReadyFn,
+    close: mock(() => {}),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("CesRpcCredentialBackend", () => {
+  let client: CesClient;
+  let backend: CesRpcCredentialBackend;
+
+  beforeEach(() => {
+    callFn.mockClear();
+    isReadyFn.mockClear();
+
+    isReadyFn.mockReturnValue(true);
+
+    client = createMockClient();
+    backend = new CesRpcCredentialBackend(client);
+  });
+
+  test("has name 'ces-rpc'", () => {
+    expect(backend.name).toBe("ces-rpc");
+  });
+
+  // -------------------------------------------------------------------------
+  // isAvailable
+  // -------------------------------------------------------------------------
+
+  describe("isAvailable", () => {
+    test("returns true when client is ready", () => {
+      isReadyFn.mockReturnValue(true);
+      expect(backend.isAvailable()).toBe(true);
+    });
+
+    test("returns false when client is not ready", () => {
+      isReadyFn.mockReturnValue(false);
+      expect(backend.isAvailable()).toBe(false);
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // get
+  // -------------------------------------------------------------------------
+
+  describe("get", () => {
+    test("delegates to CesRpcMethod.GetCredential and returns value when found", async () => {
+      callFn.mockResolvedValue({ found: true, value: "my-secret" });
+
+      const result = await backend.get("test-account");
+
+      expect(callFn).toHaveBeenCalledWith(CesRpcMethod.GetCredential, {
+        account: "test-account",
+      });
+      expect(result).toEqual({ value: "my-secret", unreachable: false });
+    });
+
+    test("returns undefined value when credential not found", async () => {
+      callFn.mockResolvedValue({ found: false });
+
+      const result = await backend.get("missing-account");
+
+      expect(callFn).toHaveBeenCalledWith(CesRpcMethod.GetCredential, {
+        account: "missing-account",
+      });
+      expect(result).toEqual({ value: undefined, unreachable: false });
+    });
+
+    test("returns unreachable when RPC call throws", async () => {
+      callFn.mockRejectedValue(new Error("transport error"));
+
+      const result = await backend.get("broken-account");
+
+      expect(result).toEqual({ value: undefined, unreachable: true });
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // set
+  // -------------------------------------------------------------------------
+
+  describe("set", () => {
+    test("delegates to CesRpcMethod.SetCredential and returns true on success", async () => {
+      callFn.mockResolvedValue({ ok: true });
+
+      const result = await backend.set("test-account", "new-secret");
+
+      expect(callFn).toHaveBeenCalledWith(CesRpcMethod.SetCredential, {
+        account: "test-account",
+        value: "new-secret",
+      });
+      expect(result).toBe(true);
+    });
+
+    test("returns false when RPC call throws", async () => {
+      callFn.mockRejectedValue(new Error("transport error"));
+
+      const result = await backend.set("test-account", "new-secret");
+
+      expect(result).toBe(false);
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // delete
+  // -------------------------------------------------------------------------
+
+  describe("delete", () => {
+    test("delegates to CesRpcMethod.DeleteCredential and returns the result", async () => {
+      callFn.mockResolvedValue({ result: "deleted" });
+
+      const result = await backend.delete("test-account");
+
+      expect(callFn).toHaveBeenCalledWith(CesRpcMethod.DeleteCredential, {
+        account: "test-account",
+      });
+      expect(result).toBe("deleted");
+    });
+
+    test("returns not-found result from CES", async () => {
+      callFn.mockResolvedValue({ result: "not-found" });
+
+      const result = await backend.delete("nonexistent-account");
+
+      expect(result).toBe("not-found");
+    });
+
+    test("returns 'error' when RPC call throws", async () => {
+      callFn.mockRejectedValue(new Error("transport error"));
+
+      const result = await backend.delete("test-account");
+
+      expect(result).toBe("error");
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // list
+  // -------------------------------------------------------------------------
+
+  describe("list", () => {
+    test("delegates to CesRpcMethod.ListCredentials and returns accounts", async () => {
+      callFn.mockResolvedValue({ accounts: ["account-a", "account-b"] });
+
+      const result = await backend.list();
+
+      expect(callFn).toHaveBeenCalledWith(CesRpcMethod.ListCredentials, {});
+      expect(result).toEqual(["account-a", "account-b"]);
+    });
+
+    test("returns empty array when RPC call throws", async () => {
+      callFn.mockRejectedValue(new Error("transport error"));
+
+      const result = await backend.list();
+
+      expect(result).toEqual([]);
+    });
+  });
+});

package/src/__tests__/channel-approval-routes.test.ts

@@ -38,11 +38,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-// Mock security check to always pass
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
-
 // Mock render to return the raw content as text
 mock.module("../daemon/handlers/shared.js", () => ({
   renderHistoryContent: (content: unknown) => ({

package/src/__tests__/channel-readiness-service.test.ts

@@ -1,15 +1,9 @@
-import { beforeEach, describe, expect, mock, spyOn, test } from "bun:test";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 let mockTwilioPhoneNumber: string | undefined;
 let mockRawConfig: Record<string, unknown> | undefined;
 let mockSecureKeys: Record<string, string>;
 let mockHasTwilioCredentials: boolean;
-let mockGatewayHealth = {
-  target: "http://127.0.0.1:7830",
-  healthy: true,
-  localDeployment: true,
-  error: undefined as string | undefined,
-};
 
 mock.module("../calls/twilio-rest.js", () => ({
   getPhoneNumberSid: async () => null,
@@ -57,14 +51,12 @@ mock.module("../runtime/channel-invite-transports/whatsapp.js", () => ({
 import type { ChannelId } from "../channels/types.js";
 import {
   ChannelReadinessService,
-  createReadinessService,
   REMOTE_TTL_MS,
 } from "../runtime/channel-readiness-service.js";
 import type {
   ChannelProbe,
   ReadinessCheckResult,
 } from "../runtime/channel-readiness-types.js";
-import * as localGatewayHealth from "../runtime/local-gateway-health.js";
 
 // ── Test helpers ────────────────────────────────────────────────────────────
 
@@ -104,12 +96,6 @@ describe("ChannelReadinessService", () => {
     mockRawConfig = undefined;
     mockSecureKeys = {};
     mockHasTwilioCredentials = false;
-    mockGatewayHealth = {
-      target: "http://127.0.0.1:7830",
-      healthy: true,
-      localDeployment: true,
-      error: undefined,
-    };
   });
 
   test("local checks run on every call (no caching of local results)", async () => {
@@ -403,49 +389,4 @@ describe("ChannelReadinessService", () => {
 
     expect(probe.remoteCallCount).toBe(1);
   });
-
-  test("voice readiness includes gateway_health when ingress is configured", async () => {
-    mockHasTwilioCredentials = true;
-    mockTwilioPhoneNumber = "+15550001111";
-    mockRawConfig = {
-      ingress: {
-        enabled: true,
-        publicBaseUrl: "https://voice.example.com",
-      },
-    };
-    mockGatewayHealth = {
-      target: "http://127.0.0.1:7830",
-      healthy: false,
-      localDeployment: true,
-      error: "connect ECONNREFUSED 127.0.0.1:7830",
-    };
-
-    const probeLocalGatewayHealthSpy = spyOn(
-      localGatewayHealth,
-      "probeLocalGatewayHealth",
-    ).mockImplementation(async () => ({
-      ...mockGatewayHealth,
-    }));
-
-    let snapshot: Awaited<
-      ReturnType<ChannelReadinessService["getReadiness"]>
-    >[number];
-    try {
-      const readinessService = createReadinessService();
-      [snapshot] = await readinessService.getReadiness("phone");
-    } finally {
-      probeLocalGatewayHealthSpy.mockRestore();
-    }
-
-    const gatewayHealthCheck = snapshot.localChecks.find(
-      (check) => check.name === "gateway_health",
-    );
-    expect(gatewayHealthCheck).toBeDefined();
-    expect(gatewayHealthCheck?.passed).toBe(false);
-    expect(snapshot.reasons).toContainEqual({
-      code: "gateway_health",
-      text: "Local gateway is not serving requests at http://127.0.0.1:7830: connect ECONNREFUSED 127.0.0.1:7830",
-    });
-    expect(snapshot.ready).toBe(false);
-  });
 });

package/src/__tests__/checker.test.ts

@@ -1606,13 +1606,15 @@ describe("Permission Checker", () => {
       expect(options[0].description).toContain("compound");
     });
 
-    test("compound command via pipeline yields exact-only allowlist option", async () => {
+    test("compound command via pipeline yields exact + action-key allowlist options", async () => {
       const options = await generateAllowlistOptions("bash", {
         command: "git log | grep fix",
       });
-      expect(options).toHaveLength(1);
+      expect(options.length).toBeGreaterThanOrEqual(2);
       expect(options[0].description).toContain("compound");
       expect(options[0].pattern).toBe("git log | grep fix");
+      // Pipeline action keys should be offered as broader options
+      expect(options.some((o) => o.pattern.startsWith("action:"))).toBe(true);
     });
 
     test("compound command via && yields exact-only allowlist option", async () => {

package/src/__tests__/cli-command-risk-guard.test.ts

@@ -0,0 +1,112 @@
+// Guard test: assistant CLI commands must always classify as Low risk.
+//
+// The assistant uses its own CLI tools during normal operation. If these
+// commands require user approval, it blocks autonomous assistant workflows.
+// See #18982 / #18998 for the regression that motivated this guard.
+
+import { mkdtempSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { describe, expect, mock, test } from "bun:test";
+
+const guardTestDir = mkdtempSync(join(tmpdir(), "cli-risk-guard-test-"));
+
+mock.module("../util/platform.js", () => ({
+  getRootDir: () => guardTestDir,
+  getDataDir: () => join(guardTestDir, "data"),
+  getWorkspaceSkillsDir: () => join(guardTestDir, "skills"),
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPidPath: () => join(guardTestDir, "test.pid"),
+  getDbPath: () => join(guardTestDir, "test.db"),
+  getLogPath: () => join(guardTestDir, "test.log"),
+  ensureDataDir: () => {},
+}));
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: (_target: Record<string, unknown>, _prop: string) => {
+        return () => {};
+      },
+    }),
+}));
+
+mock.module("../config/loader.js", () => ({
+  getConfig: () => ({
+    permissions: { mode: "workspace" },
+    skills: { load: { extraDirs: [] } },
+    sandbox: { enabled: true },
+  }),
+  loadConfig: () => ({}),
+  invalidateConfigCache: () => {},
+  saveConfig: () => {},
+  loadRawConfig: () => ({}),
+  saveRawConfig: () => {},
+  getNestedValue: () => undefined,
+  setNestedValue: () => {},
+}));
+
+import { buildCliProgram } from "../cli/program.js";
+import { classifyRisk } from "../permissions/checker.js";
+import { RiskLevel } from "../permissions/types.js";
+
+/**
+ * Assert that a command classifies as Low risk, with a descriptive failure
+ * message that guides developers toward the correct fix.
+ */
+function expectLowRisk(command: string, actual: RiskLevel): void {
+  if (actual !== RiskLevel.Low) {
+    throw new Error(
+      `"${command}" classified as ${actual} instead of Low. ` +
+        `assistant CLI commands must always be Low risk — the assistant ` +
+        `uses its own CLI during normal operation. If you need risk ` +
+        `escalation for specific subcommands, add them to an allowlist ` +
+        `in this guard test with justification.`,
+    );
+  }
+  expect(actual).toBe(RiskLevel.Low);
+}
+
+// Dynamically extract subcommand names from the CLI program definition.
+// This ensures new commands added to program.ts are automatically covered
+// by this guard test without manual list maintenance.
+const program = buildCliProgram();
+const ASSISTANT_SUBCOMMANDS = program.commands.map((c) => c.name());
+
+describe("CLI command risk guard: assistant commands", () => {
+  test("subcommand discovery found a reasonable number of commands", () => {
+    // Sanity check: if mocking breaks and no commands are registered,
+    // the risk guard would vacuously pass. Require a minimum count to
+    // catch that failure mode. Update this threshold when commands are
+    // removed (but it should only grow).
+    expect(ASSISTANT_SUBCOMMANDS.length).toBeGreaterThanOrEqual(20);
+  });
+
+  test("all assistant CLI subcommands classify as Low risk", async () => {
+    for (const subcommand of ASSISTANT_SUBCOMMANDS) {
+      const command = `assistant ${subcommand}`;
+      const risk = await classifyRisk("bash", { command });
+      expectLowRisk(command, risk);
+    }
+  });
+
+  test("bare assistant command classifies as Low risk", async () => {
+    const risk = await classifyRisk("bash", { command: "assistant" });
+    expectLowRisk("assistant", risk);
+  });
+
+  test("assistant with flags classifies as Low risk", async () => {
+    const flagCommands = [
+      "assistant --version",
+      "assistant --help",
+      "assistant doctor --verbose",
+    ];
+
+    for (const command of flagCommands) {
+      const risk = await classifyRisk("bash", { command });
+      expectLowRisk(command, risk);
+    }
+  });
+});

package/src/__tests__/config-schema-cmd.test.ts

@@ -88,7 +88,6 @@ mock.module("../config/loader.js", () => ({
   invalidateConfigCache: () => {},
   getNestedValue: () => undefined,
   setNestedValue: () => {},
-  syncConfigToLockfile: () => {},
 }));
 
 import { Command } from "commander";

package/src/__tests__/config-schema.test.ts

@@ -137,7 +137,6 @@ describe("AssistantConfigSchema", () => {
       action: "redact",
       entropyThreshold: 4.0,
       allowOneTimeSend: false,
-      blockIngress: true,
     });
     expect(result.auditLog).toEqual({ retentionDays: 0 });
   });
@@ -638,6 +637,7 @@ describe("AssistantConfigSchema", () => {
       voice: {
         language: "en-US",
         transcriptionProvider: "Deepgram",
+        ttsProvider: "elevenlabs",
       },
       callerIdentity: {
         allowPerCallOverride: true,

package/src/__tests__/conversation-attention-telegram.test.ts

@@ -31,11 +31,6 @@ mock.module("../util/logger.js", () => ({
   truncateForLog: (value: string) => value,
 }));
 
-// Mock security check to always pass
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
-
 // Mock render to return the raw content as text
 mock.module("../daemon/handlers/shared.js", () => ({
   renderHistoryContent: (content: unknown) => ({

package/src/__tests__/conversation-init.benchmark.test.ts

@@ -111,10 +111,8 @@ mock.module("../util/platform.js", () => ({
   getTCPPort: () => 8765,
   isIOSPairingEnabled: () => false,
   isTCPEnabled: () => false,
-  readLockfile: () => null,
   readPlatformToken: () => null,
   readSessionToken: () => null,
-  writeLockfile: () => {},
   ensureDataDir: () => {},
 }));
 

package/src/__tests__/conversation-skill-tools.test.ts

@@ -209,11 +209,9 @@ mock.module("../util/logger.js", () => ({
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     skills: { entries: {}, allowBundled: null },
-    assistantFeatureFlagValues: {},
   }),
   loadConfig: () => ({
     skills: { entries: {}, allowBundled: null },
-    assistantFeatureFlagValues: {},
   }),
   invalidateConfigCache: () => {},
 }));
@@ -1721,58 +1719,6 @@ describe("bundled skill: gmail", () => {
   });
 });
 
-describe("bundled skill: claude-code", () => {
-  let sessionState: Map<string, string>;
-
-  beforeEach(() => {
-    mockCatalog = [];
-    mockManifests = {};
-    mockRegisteredTools = new Map();
-    mockUnregisteredSkillIds = [];
-    mockSkillRefCount = new Map();
-    mockSkillRefCount = new Map();
-    mockVersionHashes = {};
-    mockVersionHashErrors = new Set();
-    sessionState = new Map<string, string>();
-  });
-
-  test("claude-code skill activation registers claude_code in allowedToolNames", () => {
-    mockCatalog = [
-      makeSkill("claude-code", "/path/to/bundled-skills/claude-code"),
-    ];
-    mockManifests = { "claude-code": makeManifest(["claude_code"]) };
-
-    const history: Message[] = [
-      ...skillLoadMessages('<loaded_skill id="claude-code" />'),
-    ];
-
-    const result = projectSkillTools(history, {
-      previouslyActiveSkillIds: sessionState,
-    });
-
-    expect(result.toolDefinitions).toEqual([]);
-    expect(result.allowedToolNames).toEqual(new Set(["claude_code"]));
-  });
-
-  test("claude_code tool is absent when claude-code skill is not active", () => {
-    mockCatalog = [
-      makeSkill("claude-code", "/path/to/bundled-skills/claude-code"),
-    ];
-    mockManifests = { "claude-code": makeManifest(["claude_code"]) };
-
-    const history: Message[] = [
-      { role: "user", content: [{ type: "text", text: "Hello" }] },
-    ];
-
-    const result = projectSkillTools(history, {
-      previouslyActiveSkillIds: sessionState,
-    });
-
-    expect(result.toolDefinitions).toHaveLength(0);
-    expect(result.allowedToolNames.has("claude_code")).toBe(false);
-  });
-});
-
 // ---------------------------------------------------------------------------
 // Bundled skill: app-builder
 // ---------------------------------------------------------------------------

package/src/__tests__/conversation-title-service.test.ts

@@ -107,6 +107,93 @@ describe("conversation-title-service", () => {
     );
   });
 
+  test("regeneration extracts text from JSON content blocks", async () => {
+    mockGetMessages.mockReturnValueOnce([
+      {
+        role: "user",
+        content: JSON.stringify([
+          { type: "text", text: "Help me plan the kickoff" },
+        ]),
+      },
+      {
+        role: "assistant",
+        content: JSON.stringify([
+          { type: "text", text: "Sure, here's a plan" },
+          { type: "tool_use", id: "toolu_1", name: "web_search", input: {} },
+        ]),
+      },
+      {
+        role: "user",
+        content: JSON.stringify([{ type: "text", text: "Looks good" }]),
+      },
+    ]);
+
+    const provider = {
+      name: "test-provider",
+      sendMessage: mock(async () => {
+        throw new Error("should not call directly");
+      }),
+    };
+
+    await regenerateConversationTitle({ conversationId: "conv-1", provider });
+
+    // The prompt sent to the sidechain should contain plain text, not raw JSON
+    const prompt = (mockRunBtwSidechain.mock.calls[0] as any)?.[0]
+      ?.content as string;
+    expect(prompt).not.toContain('"type":"text"');
+    expect(prompt).not.toContain('"type":"tool_use"');
+    // Tool metadata should NOT appear in the title prompt
+    expect(prompt).not.toContain("Tool use");
+    expect(prompt).not.toContain("web_search");
+    expect(prompt).toContain("Help me plan the kickoff");
+    expect(prompt).toContain("Sure, here's a plan");
+    expect(prompt).toContain("Looks good");
+  });
+
+  test("regeneration extracts text from tool_result content blocks", async () => {
+    mockGetMessages.mockReturnValueOnce([
+      {
+        role: "user",
+        content: JSON.stringify([
+          { type: "text", text: "Search for restaurants" },
+        ]),
+      },
+      {
+        role: "assistant",
+        content: JSON.stringify([
+          { type: "tool_use", id: "toolu_1", name: "web_search", input: {} },
+        ]),
+      },
+      {
+        role: "user",
+        content: JSON.stringify([
+          {
+            type: "tool_result",
+            tool_use_id: "toolu_1",
+            content: "Found 3 restaurants nearby",
+          },
+        ]),
+      },
+    ]);
+
+    const provider = {
+      name: "test-provider",
+      sendMessage: mock(async () => {
+        throw new Error("should not call directly");
+      }),
+    };
+
+    await regenerateConversationTitle({ conversationId: "conv-1", provider });
+
+    const prompt = (mockRunBtwSidechain.mock.calls[0] as any)?.[0]
+      ?.content as string;
+    expect(prompt).not.toContain('"type":"tool_result"');
+    // Tool-only assistant message should be skipped entirely
+    expect(prompt).not.toContain("Tool use");
+    expect(prompt).toContain("Search for restaurants");
+    expect(prompt).toContain("Found 3 restaurants nearby");
+  });
+
   test("uses the BTW side-chain helper for title regeneration", async () => {
     const provider = {
       name: "test-provider",