npm - @vellumai/assistant - Versions diffs - 0.5.6 → 0.5.8 - Mend

@vellumai/assistant 0.5.6 → 0.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (442) hide show

package/.env.example +16 -2
package/ARCHITECTURE.md +6 -75
package/Dockerfile +3 -2
package/README.md +0 -2
package/bun.lock +0 -414
package/docker-entrypoint.sh +9 -0
package/docs/architecture/keychain-broker.md +45 -240
package/docs/architecture/memory.md +13 -11
package/docs/architecture/security.md +0 -17
package/docs/credential-execution-service.md +2 -2
package/node_modules/@vellumai/ces-contracts/package.json +1 -0
package/node_modules/@vellumai/ces-contracts/src/error.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/grants.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/handles.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/index.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +120 -1
package/node_modules/@vellumai/credential-storage/package.json +1 -0
package/node_modules/@vellumai/egress-proxy/package.json +1 -0
package/package.json +2 -3
package/src/__tests__/actor-token-service.test.ts +0 -114
package/src/__tests__/approval-cascade.test.ts +0 -1
package/src/__tests__/assistant-feature-flags-integration.test.ts +30 -29
package/src/__tests__/browser-fill-credential.test.ts +1 -1
package/src/__tests__/browser-skill-endstate.test.ts +6 -5
package/src/__tests__/btw-routes.test.ts +0 -39
package/src/__tests__/call-controller.test.ts +0 -1
package/src/__tests__/call-domain.test.ts +0 -128
package/src/__tests__/ces-rpc-credential-backend.test.ts +199 -0
package/src/__tests__/ces-startup-timeout.test.ts +40 -0
package/src/__tests__/channel-approval-routes.test.ts +0 -5
package/src/__tests__/channel-readiness-service.test.ts +1 -60
package/src/__tests__/checker.test.ts +4 -2
package/src/__tests__/cli-command-risk-guard.test.ts +112 -0
package/src/__tests__/config-schema-cmd.test.ts +0 -2
package/src/__tests__/config-schema.test.ts +3 -1
package/src/__tests__/conversation-abort-tool-results.test.ts +0 -1
package/src/__tests__/conversation-agent-loop-overflow.test.ts +0 -2
package/src/__tests__/conversation-agent-loop.test.ts +2 -4
package/src/__tests__/conversation-attention-telegram.test.ts +0 -5
package/src/__tests__/conversation-confirmation-signals.test.ts +0 -1
package/src/__tests__/conversation-error.test.ts +15 -1
package/src/__tests__/conversation-init.benchmark.test.ts +0 -2
package/src/__tests__/conversation-messaging-secret-redirect.test.ts +1 -1
package/src/__tests__/conversation-pre-run-repair.test.ts +0 -1
package/src/__tests__/conversation-provider-retry-repair.test.ts +0 -1
package/src/__tests__/conversation-queue.test.ts +0 -1
package/src/__tests__/conversation-skill-tools.test.ts +0 -54
package/src/__tests__/conversation-slash-queue.test.ts +0 -1
package/src/__tests__/conversation-slash-unknown.test.ts +0 -1
package/src/__tests__/conversation-title-service.test.ts +87 -0
package/src/__tests__/conversation-workspace-injection.test.ts +0 -1
package/src/__tests__/conversation-workspace-tool-tracking.test.ts +0 -1
package/src/__tests__/credential-execution-client.test.ts +5 -2
package/src/__tests__/credential-execution-feature-gates.test.ts +59 -30
package/src/__tests__/credential-execution-managed-contract.test.ts +35 -20
package/src/__tests__/credential-security-e2e.test.ts +1 -67
package/src/__tests__/credential-security-invariants.test.ts +6 -50
package/src/__tests__/credentials-cli.test.ts +82 -3
package/src/__tests__/daemon-credential-client.test.ts +123 -0
package/src/__tests__/db-migration-rollback.test.ts +2015 -1
package/src/__tests__/deterministic-verification-control-plane.test.ts +1 -0
package/src/__tests__/docker-signing-key-bootstrap.test.ts +34 -143
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +6 -4
package/src/__tests__/gateway-client-managed-outbound.test.ts +79 -1
package/src/__tests__/guardian-routing-state.test.ts +0 -5
package/src/__tests__/host-shell-tool.test.ts +6 -7
package/src/__tests__/http-user-message-parity.test.ts +3 -103
package/src/__tests__/inbound-invite-redemption.test.ts +0 -4
package/src/__tests__/inline-skill-load-permissions.test.ts +6 -8
package/src/__tests__/intent-routing.test.ts +0 -13
package/src/__tests__/jobs-store-qdrant-breaker.test.ts +178 -0
package/src/__tests__/journal-context.test.ts +335 -0
package/src/__tests__/keychain-broker-client.test.ts +161 -22
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +0 -3
package/src/__tests__/memory-jobs-worker-backoff.test.ts +150 -0
package/src/__tests__/memory-lifecycle-e2e.test.ts +70 -25
package/src/__tests__/memory-recall-quality.test.ts +48 -17
package/src/__tests__/memory-regressions.test.ts +408 -363
package/src/__tests__/memory-retrieval.benchmark.test.ts +0 -3
package/src/__tests__/migration-export-http.test.ts +2 -2
package/src/__tests__/migration-import-commit-http.test.ts +2 -2
package/src/__tests__/migration-import-preflight-http.test.ts +2 -2
package/src/__tests__/migration-validate-http.test.ts +2 -2
package/src/__tests__/non-member-access-request.test.ts +2 -7
package/src/__tests__/notification-decision-fallback.test.ts +4 -0
package/src/__tests__/notification-decision-identity.test.ts +4 -0
package/src/__tests__/notification-decision-strategy.test.ts +71 -0
package/src/__tests__/oauth-cli.test.ts +5 -1
package/src/__tests__/permission-types.test.ts +1 -0
package/src/__tests__/provider-commit-message-generator.test.ts +0 -37
package/src/__tests__/provider-error-scenarios.test.ts +0 -267
package/src/__tests__/provider-managed-proxy-integration.test.ts +5 -6
package/src/__tests__/provider-streaming.benchmark.test.ts +2 -81
package/src/__tests__/qdrant-manager.test.ts +28 -2
package/src/__tests__/registry.test.ts +0 -6
package/src/__tests__/relay-server.test.ts +1 -2
package/src/__tests__/runtime-attachment-metadata.test.ts +0 -4
package/src/__tests__/script-proxy-injection-runtime.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -1
package/src/__tests__/secret-routes-managed-proxy.test.ts +0 -4
package/src/__tests__/secure-keys.test.ts +95 -272
package/src/__tests__/shell-identity.test.ts +96 -6
package/src/__tests__/skill-feature-flags-integration.test.ts +22 -14
package/src/__tests__/skill-feature-flags.test.ts +46 -45
package/src/__tests__/skill-load-feature-flag.test.ts +7 -10
package/src/__tests__/skill-load-inline-command.test.ts +8 -12
package/src/__tests__/skill-load-inline-includes.test.ts +6 -10
package/src/__tests__/skill-load-tool.test.ts +0 -2
package/src/__tests__/skill-memory.test.ts +17 -3
package/src/__tests__/skill-projection-feature-flag.test.ts +33 -29
package/src/__tests__/skills.test.ts +0 -2
package/src/__tests__/slack-inbound-verification.test.ts +0 -4
package/src/__tests__/stale-approval-dedup.test.ts +171 -0
package/src/__tests__/stt-hints.test.ts +437 -0
package/src/__tests__/suggestion-routes.test.ts +1 -32
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/task-memory-cleanup.test.ts +14 -0
package/src/__tests__/tool-executor-shell-integration.test.ts +5 -3
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +0 -5
package/src/__tests__/trusted-contact-multichannel.test.ts +0 -4
package/src/__tests__/twilio-routes-twiml.test.ts +139 -1
package/src/__tests__/update-bulletin.test.ts +0 -2
package/src/__tests__/vellum-self-knowledge-inline-command.test.ts +6 -9
package/src/__tests__/voice-quality.test.ts +58 -0
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -7
package/src/__tests__/workspace-migration-015-migrate-credentials-to-keychain.test.ts +252 -0
package/src/__tests__/workspace-migration-016-migrate-credentials-from-keychain.test.ts +220 -0
package/src/__tests__/workspace-migration-down-functions.test.ts +1009 -0
package/src/__tests__/workspace-migrations-runner.test.ts +114 -0
package/src/acp/agent-process.ts +9 -1
package/src/agent/loop.ts +1 -1
package/src/approvals/guardian-request-resolvers.ts +164 -38
package/src/calls/__tests__/tts-text-sanitizer.test.ts +254 -0
package/src/calls/audio-store.test.ts +97 -0
package/src/calls/audio-store.ts +205 -0
package/src/calls/call-controller.ts +90 -8
package/src/calls/call-domain.ts +3 -0
package/src/calls/call-store.ts +10 -3
package/src/calls/fish-audio-client.ts +129 -0
package/src/calls/relay-server.ts +27 -0
package/src/calls/stt-hints.ts +189 -0
package/src/calls/tts-text-sanitizer.ts +61 -0
package/src/calls/twilio-routes.ts +34 -5
package/src/calls/types.ts +1 -0
package/src/calls/voice-ingress-preflight.ts +0 -42
package/src/calls/voice-quality.ts +38 -5
package/src/calls/voice-session-bridge.ts +7 -12
package/src/cli/commands/avatar.ts +2 -2
package/src/cli/commands/config.ts +1 -4
package/src/cli/commands/credentials.ts +128 -82
package/src/cli/commands/doctor.ts +2 -2
package/src/cli/commands/keys.ts +7 -7
package/src/cli/commands/memory.ts +1 -1
package/src/cli/commands/oauth/connections.ts +11 -29
package/src/cli/commands/oauth/index.ts +7 -0
package/src/cli/commands/oauth/platform.ts +525 -0
package/src/cli/commands/platform.ts +3 -3
package/src/cli/lib/daemon-credential-client.ts +284 -0
package/src/cli.ts +1 -1
package/src/config/assistant-feature-flags.ts +186 -5
package/src/config/bundled-skills/AGENTS.md +34 -0
package/src/config/bundled-skills/acp/SKILL.md +10 -0
package/src/config/bundled-skills/app-builder/SKILL.md +0 -4
package/src/config/bundled-skills/messaging/SKILL.md +5 -5
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +2 -2
package/src/config/bundled-skills/phone-calls/TOOLS.json +4 -0
package/src/config/bundled-skills/playbooks/tools/playbook-create.ts +1 -0
package/src/config/bundled-skills/playbooks/tools/playbook-update.ts +1 -0
package/src/config/bundled-skills/settings/SKILL.md +15 -2
package/src/config/bundled-skills/settings/TOOLS.json +47 -2
package/src/config/bundled-skills/settings/tools/avatar-remove.ts +59 -0
package/src/config/bundled-skills/settings/tools/avatar-update.ts +80 -0
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +42 -0
package/src/config/bundled-skills/slack/SKILL.md +1 -1
package/src/config/bundled-tool-registry.ts +5 -11
package/src/config/defaults.ts +0 -2
package/src/config/env-registry.ts +5 -5
package/src/config/env.ts +21 -14
package/src/config/feature-flag-registry.json +49 -9
package/src/config/loader.ts +106 -42
package/src/config/schema.ts +9 -29
package/src/config/schemas/calls.ts +30 -0
package/src/config/schemas/fish-audio.ts +39 -0
package/src/config/schemas/inference.ts +2 -2
package/src/config/schemas/journal.ts +16 -0
package/src/config/schemas/memory-processing.ts +2 -2
package/src/config/schemas/security.ts +0 -4
package/src/config/types.ts +1 -1
package/src/contacts/contact-store.ts +39 -0
package/src/contacts/types.ts +2 -0
package/src/credential-execution/approval-bridge.ts +1 -0
package/src/credential-execution/executable-discovery.ts +28 -4
package/src/credential-execution/feature-gates.ts +16 -0
package/src/credential-execution/process-manager.ts +38 -0
package/src/credential-execution/startup-timeout.ts +36 -0
package/src/daemon/approval-generators.ts +3 -9
package/src/daemon/assistant-attachments.ts +9 -0
package/src/daemon/config-watcher.ts +5 -0
package/src/daemon/conversation-error.ts +13 -1
package/src/daemon/conversation-memory.ts +1 -2
package/src/daemon/conversation-process.ts +18 -1
package/src/daemon/conversation-surfaces.ts +30 -1
package/src/daemon/conversation-tool-setup.ts +0 -105
package/src/daemon/conversation.ts +21 -1
package/src/daemon/guardian-action-generators.ts +3 -9
package/src/daemon/handlers/config-vercel.ts +92 -0
package/src/daemon/handlers/skills.ts +2 -15
package/src/daemon/install-symlink.ts +195 -0
package/src/daemon/lifecycle.ts +234 -51
package/src/daemon/message-types/conversations.ts +4 -4
package/src/daemon/message-types/diagnostics.ts +3 -22
package/src/daemon/message-types/messages.ts +0 -2
package/src/daemon/message-types/upgrades.ts +8 -0
package/src/daemon/server.ts +32 -95
package/src/events/domain-events.ts +2 -1
package/src/inbound/platform-callback-registration.ts +3 -3
package/src/instrument.ts +8 -5
package/src/memory/app-store.ts +31 -0
package/src/memory/conversation-title-service.ts +50 -1
package/src/memory/db-init.ts +16 -0
package/src/memory/indexer.ts +19 -10
package/src/memory/items-extractor.ts +328 -321
package/src/memory/job-handlers/conversation-starters.ts +4 -1
package/src/memory/job-handlers/summarization.ts +26 -16
package/src/memory/jobs-store.ts +63 -6
package/src/memory/jobs-worker.ts +31 -7
package/src/memory/journal-memory.ts +214 -0
package/src/memory/migrations/001-job-deferrals.ts +19 -0
package/src/memory/migrations/004-entity-relation-dedup.ts +10 -0
package/src/memory/migrations/005-fingerprint-scope-unique.ts +76 -0
package/src/memory/migrations/006-scope-salted-fingerprints.ts +50 -0
package/src/memory/migrations/007-assistant-id-to-self.ts +10 -0
package/src/memory/migrations/008-remove-assistant-id-columns.ts +34 -0
package/src/memory/migrations/009-llm-usage-events-drop-assistant-id.ts +26 -0
package/src/memory/migrations/014-backfill-inbox-thread-state.ts +10 -0
package/src/memory/migrations/015-drop-active-search-index.ts +17 -0
package/src/memory/migrations/019-notification-tables-schema-migration.ts +12 -0
package/src/memory/migrations/020-rename-macos-ios-channel-to-vellum.ts +121 -0
package/src/memory/migrations/024-embedding-vector-blob.ts +74 -0
package/src/memory/migrations/026a-embeddings-nullable-vector-json.ts +82 -0
package/src/memory/migrations/036-normalize-phone-identities.ts +11 -0
package/src/memory/migrations/116-messages-fts.ts +106 -1
package/src/memory/migrations/126-backfill-guardian-principal-id.ts +52 -0
package/src/memory/migrations/127-guardian-principal-id-not-null.ts +77 -0
package/src/memory/migrations/134-contacts-notes-column.ts +13 -0
package/src/memory/migrations/135-backfill-contact-interaction-stats.ts +20 -0
package/src/memory/migrations/136-drop-assistant-id-columns.ts +52 -0
package/src/memory/migrations/140-backfill-usage-cache-accounting.ts +13 -0
package/src/memory/migrations/141-rename-verification-table.ts +54 -0
package/src/memory/migrations/142-rename-verification-session-id-column.ts +25 -0
package/src/memory/migrations/143-rename-guardian-verification-values.ts +35 -0
package/src/memory/migrations/144-rename-voice-to-phone.ts +136 -0
package/src/memory/migrations/145-drop-accounts-table.ts +32 -0
package/src/memory/migrations/147-migrate-reminders-to-schedules.ts +14 -1
package/src/memory/migrations/148-drop-reminders-table.ts +35 -1
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +69 -1
package/src/memory/migrations/162-guardian-timestamps-epoch-ms.ts +290 -0
package/src/memory/migrations/169-rename-gmail-provider-key-to-google.ts +51 -1
package/src/memory/migrations/174-rename-thread-starters-table.ts +47 -1
package/src/memory/migrations/176-drop-capability-card-state.ts +13 -0
package/src/memory/migrations/180-backfill-inline-attachments-to-disk.ts +16 -0
package/src/memory/migrations/181-rename-thread-starters-checkpoints.ts +28 -1
package/src/memory/migrations/190-call-session-skip-disclosure.ts +15 -0
package/src/memory/migrations/191-backfill-audio-attachment-mime-types.ts +64 -0
package/src/memory/migrations/192-contacts-user-file-column.ts +15 -0
package/src/memory/migrations/193-add-source-type-columns.ts +81 -0
package/src/memory/migrations/index.ts +5 -0
package/src/memory/migrations/registry.ts +98 -0
package/src/memory/migrations/validate-migration-state.ts +137 -11
package/src/memory/qdrant-circuit-breaker.ts +9 -0
package/src/memory/qdrant-manager.ts +64 -7
package/src/memory/retriever.test.ts +37 -25
package/src/memory/retriever.ts +24 -49
package/src/memory/schema/calls.ts +1 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/memory-core.ts +2 -0
package/src/memory/search/formatting.ts +7 -44
package/src/memory/search/staleness.ts +4 -0
package/src/memory/search/tier-classifier.ts +10 -2
package/src/memory/search/types.ts +2 -5
package/src/memory/task-memory-cleanup.ts +4 -3
package/src/notifications/adapters/slack.ts +168 -6
package/src/notifications/broadcaster.ts +1 -0
package/src/notifications/copy-composer.ts +59 -2
package/src/notifications/decision-engine.ts +4 -1
package/src/notifications/signal.ts +2 -0
package/src/notifications/types.ts +2 -0
package/src/oauth/connection-resolver.ts +6 -4
package/src/permissions/checker.ts +0 -38
package/src/permissions/shell-identity.ts +76 -22
package/src/permissions/types.ts +4 -2
package/src/platform/client.ts +35 -7
package/src/prompts/journal-context.ts +133 -0
package/src/prompts/persona-resolver.ts +194 -0
package/src/prompts/system-prompt.ts +44 -4
package/src/prompts/templates/SOUL.md +10 -0
package/src/prompts/templates/users/default.md +1 -0
package/src/providers/provider-send-message.ts +3 -32
package/src/providers/registry.ts +29 -179
package/src/providers/types.ts +1 -1
package/src/runtime/access-request-helper.ts +4 -0
package/src/runtime/auth/__tests__/credential-service.test.ts +0 -1
package/src/runtime/auth/__tests__/external-assistant-id.test.ts +13 -68
package/src/runtime/auth/__tests__/guard-tests.test.ts +9 -50
package/src/runtime/auth/external-assistant-id.ts +13 -59
package/src/runtime/auth/route-policy.ts +17 -1
package/src/runtime/auth/token-service.ts +43 -138
package/src/runtime/channel-readiness-service.ts +1 -16
package/src/runtime/gateway-client.ts +47 -4
package/src/runtime/guardian-decision-types.ts +45 -4
package/src/runtime/http-server.ts +31 -3
package/src/runtime/middleware/error-handler.ts +1 -9
package/src/runtime/routes/access-request-decision.ts +2 -2
package/src/runtime/routes/app-management-routes.ts +2 -1
package/src/runtime/routes/approval-strategies/guardian-callback-strategy.ts +219 -30
package/src/runtime/routes/approval-strategies/guardian-text-engine-strategy.ts +37 -14
package/src/runtime/routes/audio-routes.ts +40 -0
package/src/runtime/routes/btw-routes.ts +0 -17
package/src/runtime/routes/channel-readiness-routes.ts +9 -4
package/src/runtime/routes/conversation-query-routes.ts +63 -1
package/src/runtime/routes/conversation-routes.ts +4 -44
package/src/runtime/routes/debug-routes.ts +12 -9
package/src/runtime/routes/diagnostics-routes.ts +1 -477
package/src/runtime/routes/guardian-approval-interception.ts +168 -11
package/src/runtime/routes/guardian-approval-prompt.ts +6 -1
package/src/runtime/routes/guardian-approval-reply-helpers.ts +103 -21
package/src/runtime/routes/identity-routes.ts +19 -30
package/src/runtime/routes/inbound-message-handler.ts +31 -1
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +64 -5
package/src/runtime/routes/inbound-stages/background-dispatch.ts +52 -40
package/src/runtime/routes/inbound-stages/secret-ingress-check.ts +4 -33
package/src/runtime/routes/inbound-stages/transcribe-audio.test.ts +1 -1
package/src/runtime/routes/integrations/twilio.ts +52 -10
package/src/runtime/routes/integrations/vercel.ts +89 -0
package/src/runtime/routes/log-export-routes.ts +5 -0
package/src/runtime/routes/memory-item-routes.test.ts +3 -3
package/src/runtime/routes/memory-item-routes.ts +46 -14
package/src/runtime/routes/migration-rollback-routes.ts +209 -0
package/src/runtime/routes/migration-routes.ts +17 -1
package/src/runtime/routes/notification-routes.ts +58 -0
package/src/runtime/routes/schedule-routes.ts +65 -0
package/src/runtime/routes/secret-routes.ts +141 -10
package/src/runtime/routes/settings-routes.ts +41 -1
package/src/runtime/routes/tts-routes.ts +96 -0
package/src/runtime/routes/upgrade-broadcast-routes.ts +26 -2
package/src/runtime/routes/workspace-commit-routes.ts +62 -0
package/src/runtime/routes/workspace-routes.test.ts +22 -1
package/src/runtime/routes/workspace-routes.ts +1 -1
package/src/runtime/routes/workspace-utils.ts +86 -2
package/src/security/ces-credential-client.ts +75 -29
package/src/security/ces-rpc-credential-backend.ts +86 -0
package/src/security/credential-backend.ts +22 -92
package/src/security/keychain-broker-client.ts +10 -2
package/src/security/secure-keys.ts +113 -115
package/src/skills/catalog-install.ts +6 -32
package/src/skills/skill-memory.ts +1 -0
package/src/subagent/manager.ts +2 -5
package/src/telemetry/usage-telemetry-reporter.ts +4 -2
package/src/tools/acp/spawn.ts +78 -1
package/src/tools/calls/call-start.ts +1 -0
package/src/tools/credentials/vault.ts +5 -3
package/src/tools/executor.ts +0 -4
package/src/tools/memory/definitions.ts +3 -2
package/src/tools/memory/handlers.ts +10 -7
package/src/tools/network/script-proxy/session-manager.ts +19 -4
package/src/tools/network/web-fetch.ts +3 -1
package/src/tools/skills/execute.ts +1 -1
package/src/tools/terminal/safe-env.ts +1 -0
package/src/tools/types.ts +0 -8
package/src/util/browser.ts +15 -0
package/src/util/errors.ts +0 -12
package/src/util/platform.ts +4 -51
package/src/workspace/git-service.ts +5 -2
package/src/workspace/migrations/001-avatar-rename.ts +15 -0
package/src/workspace/migrations/003-seed-device-id.ts +17 -1
package/src/workspace/migrations/004-extract-collect-usage-data.ts +33 -0
package/src/workspace/migrations/005-add-send-diagnostics.ts +3 -0
package/src/workspace/migrations/006-services-config.ts +49 -0
package/src/workspace/migrations/007-web-search-provider-rename.ts +27 -0
package/src/workspace/migrations/008-voice-timeout-and-max-steps.ts +3 -0
package/src/workspace/migrations/009-backfill-conversation-disk-view.ts +4 -0
package/src/workspace/migrations/010-app-dir-rename.ts +78 -0
package/src/workspace/migrations/011-backfill-installation-id.ts +11 -0
package/src/workspace/migrations/012-rename-conversation-disk-view-dirs.ts +44 -0
package/src/workspace/migrations/013-repair-conversation-disk-view.ts +5 -0
package/src/workspace/migrations/015-migrate-credentials-to-keychain.ts +153 -0
package/src/workspace/migrations/016-extract-feature-flags-to-protected.ts +156 -0
package/src/workspace/migrations/016-migrate-credentials-from-keychain.ts +150 -0
package/src/workspace/migrations/017-seed-persona-dirs.ts +96 -0
package/src/workspace/migrations/018-rekey-compound-credential-keys.ts +184 -0
package/src/workspace/migrations/019-scope-journal-to-guardian.ts +103 -0
package/src/workspace/migrations/migrate-to-workspace-volume.ts +27 -5
package/src/workspace/migrations/registry.ts +12 -0
package/src/workspace/migrations/runner.ts +106 -2
package/src/workspace/migrations/types.ts +4 -0
package/src/workspace/provider-commit-message-generator.ts +12 -21
package/src/__tests__/claude-code-skill-regression.test.ts +0 -206
package/src/__tests__/claude-code-tool-profiles.test.ts +0 -99
package/src/__tests__/diagnostics-export.test.ts +0 -288
package/src/__tests__/local-gateway-health.test.ts +0 -209
package/src/__tests__/provider-fail-open-selection.test.ts +0 -271
package/src/__tests__/provider-failover-actual-provider.test.ts +0 -66
package/src/__tests__/secret-ingress-handler.test.ts +0 -120
package/src/__tests__/swarm-conversation-integration.test.ts +0 -358
package/src/__tests__/swarm-dag-pathological.test.ts +0 -547
package/src/__tests__/swarm-orchestrator.test.ts +0 -463
package/src/__tests__/swarm-plan-validator.test.ts +0 -384
package/src/__tests__/swarm-recursion.test.ts +0 -197
package/src/__tests__/swarm-router-planner.test.ts +0 -234
package/src/__tests__/swarm-tool.test.ts +0 -185
package/src/__tests__/swarm-worker-backend.test.ts +0 -144
package/src/__tests__/swarm-worker-runner.test.ts +0 -288
package/src/commands/__tests__/cc-command-registry.test.ts +0 -396
package/src/commands/cc-command-registry.ts +0 -248
package/src/config/bundled-skills/claude-code/SKILL.md +0 -53
package/src/config/bundled-skills/claude-code/TOOLS.json +0 -47
package/src/config/bundled-skills/claude-code/tools/claude-code.ts +0 -12
package/src/config/bundled-skills/orchestration/SKILL.md +0 -33
package/src/config/bundled-skills/orchestration/TOOLS.json +0 -35
package/src/config/bundled-skills/orchestration/tools/swarm-delegate.ts +0 -12
package/src/config/schemas/swarm.ts +0 -82
package/src/logfire.ts +0 -135
package/src/memory/search/lexical.ts +0 -48
package/src/providers/failover.ts +0 -186
package/src/runtime/local-gateway-health.ts +0 -275
package/src/security/secret-ingress.ts +0 -68
package/src/swarm/backend-claude-code.ts +0 -225
package/src/swarm/checkpoint.ts +0 -137
package/src/swarm/graph-utils.ts +0 -53
package/src/swarm/index.ts +0 -55
package/src/swarm/limits.ts +0 -66
package/src/swarm/orchestrator.ts +0 -424
package/src/swarm/plan-validator.ts +0 -117
package/src/swarm/router-planner.ts +0 -162
package/src/swarm/router-prompts.ts +0 -39
package/src/swarm/synthesizer.ts +0 -81
package/src/swarm/types.ts +0 -72
package/src/swarm/worker-backend.ts +0 -131
package/src/swarm/worker-prompts.ts +0 -80
package/src/swarm/worker-runner.ts +0 -170
package/src/tools/claude-code/claude-code.ts +0 -610
package/src/tools/swarm/delegate.ts +0 -205

package/src/__tests__/conversation-skill-tools.test.ts CHANGED Viewed

@@ -209,11 +209,9 @@ mock.module("../util/logger.js", () => ({
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     skills: { entries: {}, allowBundled: null },
-    assistantFeatureFlagValues: {},
   }),
   loadConfig: () => ({
     skills: { entries: {}, allowBundled: null },
-    assistantFeatureFlagValues: {},
   }),
   invalidateConfigCache: () => {},
 }));
@@ -1721,58 +1719,6 @@ describe("bundled skill: gmail", () => {
   });
 });
-describe("bundled skill: claude-code", () => {
-  let sessionState: Map<string, string>;
-  beforeEach(() => {
-    mockCatalog = [];
-    mockManifests = {};
-    mockRegisteredTools = new Map();
-    mockUnregisteredSkillIds = [];
-    mockSkillRefCount = new Map();
-    mockSkillRefCount = new Map();
-    mockVersionHashes = {};
-    mockVersionHashErrors = new Set();
-    sessionState = new Map<string, string>();
-  });
-  test("claude-code skill activation registers claude_code in allowedToolNames", () => {
-    mockCatalog = [
-      makeSkill("claude-code", "/path/to/bundled-skills/claude-code"),
-    ];
-    mockManifests = { "claude-code": makeManifest(["claude_code"]) };
-    const history: Message[] = [
-      ...skillLoadMessages('<loaded_skill id="claude-code" />'),
-    ];
-    const result = projectSkillTools(history, {
-      previouslyActiveSkillIds: sessionState,
-    });
-    expect(result.toolDefinitions).toEqual([]);
-    expect(result.allowedToolNames).toEqual(new Set(["claude_code"]));
-  });
-  test("claude_code tool is absent when claude-code skill is not active", () => {
-    mockCatalog = [
-      makeSkill("claude-code", "/path/to/bundled-skills/claude-code"),
-    ];
-    mockManifests = { "claude-code": makeManifest(["claude_code"]) };
-    const history: Message[] = [
-      { role: "user", content: [{ type: "text", text: "Hello" }] },
-    ];
-    const result = projectSkillTools(history, {
-      previouslyActiveSkillIds: sessionState,
-    });
-    expect(result.toolDefinitions).toHaveLength(0);
-    expect(result.allowedToolNames.has("claude_code")).toBe(false);
-  });
-});
 // ---------------------------------------------------------------------------
 // Bundled skill: app-builder
 // ---------------------------------------------------------------------------

package/src/__tests__/conversation-slash-queue.test.ts CHANGED Viewed

@@ -130,7 +130,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-slash-unknown.test.ts CHANGED Viewed

@@ -137,7 +137,6 @@ mock.module("../memory/retriever.js", () => ({
     injectedText: "",
     semanticHits: 0,
-    recencyHits: 0,
     injectedTokens: 0,
     latencyMs: 0,
   }),

package/src/__tests__/conversation-title-service.test.ts CHANGED Viewed

@@ -107,6 +107,93 @@ describe("conversation-title-service", () => {
     );
   });
+  test("regeneration extracts text from JSON content blocks", async () => {
+    mockGetMessages.mockReturnValueOnce([
+      {
+        role: "user",
+        content: JSON.stringify([
+          { type: "text", text: "Help me plan the kickoff" },
+        ]),
+      },
+      {
+        role: "assistant",
+        content: JSON.stringify([
+          { type: "text", text: "Sure, here's a plan" },
+          { type: "tool_use", id: "toolu_1", name: "web_search", input: {} },
+        ]),
+      },
+      {
+        role: "user",
+        content: JSON.stringify([{ type: "text", text: "Looks good" }]),
+      },
+    ]);
+    const provider = {
+      name: "test-provider",
+      sendMessage: mock(async () => {
+        throw new Error("should not call directly");
+      }),
+    };
+    await regenerateConversationTitle({ conversationId: "conv-1", provider });
+    // The prompt sent to the sidechain should contain plain text, not raw JSON
+    const prompt = (mockRunBtwSidechain.mock.calls[0] as any)?.[0]
+      ?.content as string;
+    expect(prompt).not.toContain('"type":"text"');
+    expect(prompt).not.toContain('"type":"tool_use"');
+    // Tool metadata should NOT appear in the title prompt
+    expect(prompt).not.toContain("Tool use");
+    expect(prompt).not.toContain("web_search");
+    expect(prompt).toContain("Help me plan the kickoff");
+    expect(prompt).toContain("Sure, here's a plan");
+    expect(prompt).toContain("Looks good");
+  });
+  test("regeneration extracts text from tool_result content blocks", async () => {
+    mockGetMessages.mockReturnValueOnce([
+      {
+        role: "user",
+        content: JSON.stringify([
+          { type: "text", text: "Search for restaurants" },
+        ]),
+      },
+      {
+        role: "assistant",
+        content: JSON.stringify([
+          { type: "tool_use", id: "toolu_1", name: "web_search", input: {} },
+        ]),
+      },
+      {
+        role: "user",
+        content: JSON.stringify([
+          {
+            type: "tool_result",
+            tool_use_id: "toolu_1",
+            content: "Found 3 restaurants nearby",
+          },
+        ]),
+      },
+    ]);
+    const provider = {
+      name: "test-provider",
+      sendMessage: mock(async () => {
+        throw new Error("should not call directly");
+      }),
+    };
+    await regenerateConversationTitle({ conversationId: "conv-1", provider });
+    const prompt = (mockRunBtwSidechain.mock.calls[0] as any)?.[0]
+      ?.content as string;
+    expect(prompt).not.toContain('"type":"tool_result"');
+    // Tool-only assistant message should be skipped entirely
+    expect(prompt).not.toContain("Tool use");
+    expect(prompt).toContain("Search for restaurants");
+    expect(prompt).toContain("Found 3 restaurants nearby");
+  });
   test("uses the BTW side-chain helper for title regeneration", async () => {
     const provider = {
       name: "test-provider",

package/src/__tests__/conversation-workspace-injection.test.ts CHANGED Viewed

@@ -149,7 +149,6 @@ mock.module("../memory/retriever.js", () => ({
     model: "mock",
     injectedText: "",
     semanticHits: 0,
-    recencyHits: 0,
     mergedCount: 0,
     selectedCount: 0,
     injectedTokens: 0,

package/src/__tests__/conversation-workspace-tool-tracking.test.ts CHANGED Viewed

@@ -145,7 +145,6 @@ mock.module("../memory/retriever.js", () => ({
     model: "mock",
     injectedText: "",
     semanticHits: 0,
-    recencyHits: 0,
     mergedCount: 0,
     selectedCount: 0,
     injectedTokens: 0,

package/src/__tests__/credential-execution-client.test.ts CHANGED Viewed

@@ -84,6 +84,9 @@ describe("local CES discovery", () => {
     if (result.mode === "unavailable") {
       expect(result.reason).toContain("CES executable not found");
       expect(result.mode).toBe("unavailable");
+    } else if (result.mode === "local-source") {
+      // Source entry point exists in the monorepo — verify the success shape.
+      expect(result.sourcePath).toBeTruthy();
     } else {
       // Binary exists in this environment — verify the success shape.
       expect(result.mode).toBe("local");
@@ -95,9 +98,9 @@ describe("local CES discovery", () => {
   test("never returns a fallback or in-process mode", () => {
     const result = discoverLocalCes();
-    // The result must be either "local" (with a valid path) or "unavailable".
+    // The result must be "local", "local-source", or "unavailable".
     // There must never be a fallback mode like "in-process" or "degraded".
-    expect(["local", "unavailable"]).toContain(result.mode);
+    expect(["local", "local-source", "unavailable"]).toContain(result.mode);
   });
 });

package/src/__tests__/credential-execution-feature-gates.test.ts CHANGED Viewed

@@ -2,15 +2,18 @@
  * Tests for CES (Credential Execution Service) feature gates.
  *
  * Verifies:
- * - All CES flags default to disabled (safe dark-launch).
- * - Each flag can be enabled independently via config overrides.
+ * - Each CES flag defaults to its registry-declared value.
+ * - Each flag can be toggled independently via config overrides.
  * - Enabling CES flags does not implicitly change unrelated approval
  *   behavior or existing feature flags.
  */
-import { describe, expect, test } from "bun:test";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
-import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
+import {
+  _setOverridesForTesting,
+  isAssistantFeatureFlagEnabled,
+} from "../config/assistant-feature-flags.js";
 import type { AssistantConfig } from "../config/schema.js";
 import {
   CES_GRANT_AUDIT_FLAG_KEY,
@@ -25,15 +28,21 @@ import {
   isCesToolsEnabled,
 } from "../credential-execution/feature-gates.js";
+beforeEach(() => {
+  _setOverridesForTesting({});
+});
+afterEach(() => {
+  _setOverridesForTesting({});
+});
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
-/** Create a minimal AssistantConfig with optional feature flag values. */
-function makeConfig(flagOverrides?: Record<string, boolean>): AssistantConfig {
-  return {
-    ...(flagOverrides ? { assistantFeatureFlagValues: flagOverrides } : {}),
-  } as AssistantConfig;
+/** Create a minimal AssistantConfig (flag overrides are now set via _setOverridesForTesting). */
+function makeConfig(): AssistantConfig {
+  return {} as AssistantConfig;
 }
 /** All CES flag keys for iteration. */
@@ -45,28 +54,37 @@ const ALL_CES_FLAG_KEYS = [
   CES_MANAGED_SIDECAR_FLAG_KEY,
 ] as const;
-/** All CES predicate functions paired with their flag keys. */
+/** All CES predicate functions paired with their flag keys and expected defaults. */
 const ALL_CES_PREDICATES = [
-  { name: "isCesToolsEnabled", fn: isCesToolsEnabled, key: CES_TOOLS_FLAG_KEY },
+  {
+    name: "isCesToolsEnabled",
+    fn: isCesToolsEnabled,
+    key: CES_TOOLS_FLAG_KEY,
+    defaultEnabled: false,
+  },
   {
     name: "isCesShellLockdownEnabled",
     fn: isCesShellLockdownEnabled,
     key: CES_SHELL_LOCKDOWN_FLAG_KEY,
+    defaultEnabled: false,
   },
   {
     name: "isCesSecureInstallEnabled",
     fn: isCesSecureInstallEnabled,
     key: CES_SECURE_INSTALL_FLAG_KEY,
+    defaultEnabled: false,
   },
   {
     name: "isCesGrantAuditEnabled",
     fn: isCesGrantAuditEnabled,
     key: CES_GRANT_AUDIT_FLAG_KEY,
+    defaultEnabled: false,
   },
   {
     name: "isCesManagedSidecarEnabled",
     fn: isCesManagedSidecarEnabled,
     key: CES_MANAGED_SIDECAR_FLAG_KEY,
+    defaultEnabled: true,
   },
 ] as const;
@@ -83,21 +101,23 @@ describe("CES flag key format", () => {
 });
 // ---------------------------------------------------------------------------
-// Default-safe: all CES flags disabled by default
+// Defaults: each CES flag matches its registry-declared default
 // ---------------------------------------------------------------------------
-describe("CES flags default safely (all disabled)", () => {
-  const config = makeConfig();
-  for (const { name, fn } of ALL_CES_PREDICATES) {
-    test(`${name} returns false with no config overrides`, () => {
-      expect(fn(config)).toBe(false);
+describe("CES flags match registry defaults", () => {
+  for (const { name, fn, defaultEnabled } of ALL_CES_PREDICATES) {
+    test(`${name} returns ${defaultEnabled} with no config overrides`, () => {
+      const config = makeConfig();
+      expect(fn(config)).toBe(defaultEnabled);
     });
   }
-  for (const key of ALL_CES_FLAG_KEYS) {
-    test(`isAssistantFeatureFlagEnabled('${key}') returns false with no overrides`, () => {
-      expect(isAssistantFeatureFlagEnabled(key, config)).toBe(false);
+  for (const pred of ALL_CES_PREDICATES) {
+    test(`isAssistantFeatureFlagEnabled('${pred.key}') returns ${pred.defaultEnabled} with no overrides`, () => {
+      const config = makeConfig();
+      expect(isAssistantFeatureFlagEnabled(pred.key, config)).toBe(
+        pred.defaultEnabled,
+      );
     });
   }
 });
@@ -106,18 +126,24 @@ describe("CES flags default safely (all disabled)", () => {
 // Independent enablement: each flag can be enabled without affecting others
 // ---------------------------------------------------------------------------
-describe("CES flags can be enabled independently", () => {
+describe("CES flags can be toggled independently", () => {
   for (const { name, fn, key } of ALL_CES_PREDICATES) {
     test(`enabling ${key} makes ${name} return true`, () => {
-      const config = makeConfig({ [key]: true });
+      _setOverridesForTesting({ [key]: true });
+      const config = makeConfig();
       expect(fn(config)).toBe(true);
     });
-    test(`enabling ${key} does not enable other CES flags`, () => {
-      const config = makeConfig({ [key]: true });
-      for (const { fn: otherFn, key: otherKey } of ALL_CES_PREDICATES) {
+    test(`enabling ${key} does not change other CES flags from their defaults`, () => {
+      _setOverridesForTesting({ [key]: true });
+      const config = makeConfig();
+      for (const {
+        fn: otherFn,
+        key: otherKey,
+        defaultEnabled,
+      } of ALL_CES_PREDICATES) {
         if (otherKey === key) continue;
-        expect(otherFn(config)).toBe(false);
+        expect(otherFn(config)).toBe(defaultEnabled);
       }
     });
   }
@@ -130,7 +156,8 @@ describe("CES flags can be enabled independently", () => {
 describe("CES flags respect explicit false overrides", () => {
   for (const { name, fn, key } of ALL_CES_PREDICATES) {
     test(`${name} returns false when explicitly set to false`, () => {
-      const config = makeConfig({ [key]: false });
+      _setOverridesForTesting({ [key]: false });
+      const config = makeConfig();
       expect(fn(config)).toBe(false);
     });
   }
@@ -146,7 +173,8 @@ describe("CES flags do not affect unrelated flags", () => {
     for (const key of ALL_CES_FLAG_KEYS) {
       overrides[key] = true;
     }
-    const config = makeConfig(overrides);
+    _setOverridesForTesting(overrides);
+    const config = makeConfig();
     // browser defaults to true in the registry and should stay true
     expect(
@@ -159,7 +187,8 @@ describe("CES flags do not affect unrelated flags", () => {
     for (const key of ALL_CES_FLAG_KEYS) {
       overrides[key] = true;
     }
-    const config = makeConfig(overrides);
+    _setOverridesForTesting(overrides);
+    const config = makeConfig();
     // contacts defaults to true in the registry and should stay true
     expect(

package/src/__tests__/credential-execution-managed-contract.test.ts CHANGED Viewed

@@ -26,7 +26,17 @@
  * contracts — no real CES process or socket dependencies are needed.
  */
-import { describe, expect, test } from "bun:test";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
+beforeEach(() => {
+  _setOverridesForTesting({});
+});
+afterEach(() => {
+  _setOverridesForTesting({});
+});
 import {
   CES_PROTOCOL_VERSION,
@@ -58,11 +68,9 @@ import {
 // Helpers
 // ---------------------------------------------------------------------------
-/** Create a minimal AssistantConfig with optional feature flag values. */
-function makeConfig(flagOverrides?: Record<string, boolean>): AssistantConfig {
-  return {
-    ...(flagOverrides ? { assistantFeatureFlagValues: flagOverrides } : {}),
-  } as AssistantConfig;
+/** Create a minimal AssistantConfig (flag overrides are now set via _setOverridesForTesting). */
+function makeConfig(): AssistantConfig {
+  return {} as AssistantConfig;
 }
 // ---------------------------------------------------------------------------
@@ -438,38 +446,42 @@ describe("managed OAuth materialization through CES sidecar", () => {
 // ---------------------------------------------------------------------------
 describe("feature-flag rollback safety", () => {
-  test("managed sidecar flag defaults to false (safe dark-launch)", () => {
+  test("managed sidecar flag defaults to true (enabled by default)", () => {
     const config = makeConfig();
-    expect(isCesManagedSidecarEnabled(config)).toBe(false);
+    expect(isCesManagedSidecarEnabled(config)).toBe(true);
   });
   test("managed sidecar flag can be explicitly enabled", () => {
-    const config = makeConfig({
+    _setOverridesForTesting({
       "feature_flags.ces-managed-sidecar.enabled": true,
     });
+    const config = makeConfig();
     expect(isCesManagedSidecarEnabled(config)).toBe(true);
   });
   test("managed sidecar flag can be explicitly disabled", () => {
-    const config = makeConfig({
+    _setOverridesForTesting({
       "feature_flags.ces-managed-sidecar.enabled": false,
     });
+    const config = makeConfig();
     expect(isCesManagedSidecarEnabled(config)).toBe(false);
   });
   test("enabling managed sidecar does not enable CES tools", () => {
-    const config = makeConfig({
+    _setOverridesForTesting({
       "feature_flags.ces-managed-sidecar.enabled": true,
     });
+    const config = makeConfig();
     // CES tools flag should remain independently controlled
     expect(isCesToolsEnabled(config)).toBe(false);
   });
   test("disabling managed sidecar does not affect other CES flags", () => {
-    const config = makeConfig({
+    _setOverridesForTesting({
       "feature_flags.ces-managed-sidecar.enabled": false,
       "feature_flags.ces-tools.enabled": true,
     });
+    const config = makeConfig();
     expect(isCesToolsEnabled(config)).toBe(true);
   });
 });
@@ -480,10 +492,11 @@ describe("feature-flag rollback safety", () => {
 describe("process manager config wiring", () => {
   test("CesProcessManagerConfig accepts assistantConfig for flag gating", () => {
+    _setOverridesForTesting({
+      "feature_flags.ces-managed-sidecar.enabled": true,
+    });
     const config: CesProcessManagerConfig = {
-      assistantConfig: makeConfig({
-        "feature_flags.ces-managed-sidecar.enabled": true,
-      }),
+      assistantConfig: makeConfig(),
     };
     expect(config.assistantConfig).toBeDefined();
     expect(isCesManagedSidecarEnabled(config.assistantConfig!)).toBe(true);
@@ -491,16 +504,17 @@ describe("process manager config wiring", () => {
   test("CesProcessManagerConfig requires assistantConfig for feature-flag gate", () => {
     const config: CesProcessManagerConfig = {
-      assistantConfig: makeConfig({}),
+      assistantConfig: makeConfig(),
     };
     expect(config.assistantConfig).toBeDefined();
   });
   test("when flag is off, managed discovery is skipped", () => {
+    _setOverridesForTesting({
+      "feature_flags.ces-managed-sidecar.enabled": false,
+    });
     const config: CesProcessManagerConfig = {
-      assistantConfig: makeConfig({
-        "feature_flags.ces-managed-sidecar.enabled": false,
-      }),
+      assistantConfig: makeConfig(),
     };
     // The managed path should be gated
     expect(isCesManagedSidecarEnabled(config.assistantConfig!)).toBe(false);
@@ -513,9 +527,10 @@ describe("process manager config wiring", () => {
 describe("non-CES internal consumers intact when flag is off", () => {
   test("existing non-agent flows are unaffected by managed sidecar flag", () => {
-    const config = makeConfig({
+    _setOverridesForTesting({
       "feature_flags.ces-managed-sidecar.enabled": false,
     });
+    const config = makeConfig();
     expect(isCesManagedSidecarEnabled(config)).toBe(false);
   });

package/src/__tests__/credential-security-e2e.test.ts CHANGED Viewed

@@ -10,7 +10,6 @@ const mockConfig = {
     action: "block" as "redact" | "warn" | "block",
     entropyThreshold: 4.0,
     allowOneTimeSend: false,
-    blockIngress: true,
   },
   timeouts: { permissionTimeoutSec: 300 },
 };
@@ -67,7 +66,7 @@ mock.module("../security/secure-keys.js", () => {
     setSecureKeyAsync: async (key: string, value: string) =>
       syncSet(key, value),
     deleteSecureKeyAsync: async (key: string) => syncDelete(key),
-    listSecureKeysAsync: async () => [...storedKeys.keys()],
+    listSecureKeysAsync: async () => ({ accounts: [...storedKeys.keys()], unreachable: false }),
   };
 });
@@ -118,8 +117,6 @@ mock.module("../tools/credentials/policy-validate.js", () => ({
 // Import modules under test
 const { credentialStoreTool } = await import("../tools/credentials/vault.js");
-const { checkIngressForSecrets } =
-  await import("../security/secret-ingress.js");
 const { isToolAllowed } = await import("../tools/credentials/tool-policy.js");
 const { isDomainAllowed } =
   await import("../tools/credentials/domain-policy.js");
@@ -203,61 +200,6 @@ describe("E2E: secure store and list lifecycle", () => {
   });
 });
-// ---------------------------------------------------------------------------
-// E2E Scenario 2 — Secret-in-chat blocked and redirected
-// ---------------------------------------------------------------------------
-describe("E2E: secret ingress blocking", () => {
-  beforeEach(() => {
-    mockConfig.secretDetection.enabled = true;
-    mockConfig.secretDetection.action = "block";
-  });
-  test("blocks message containing AWS access key", () => {
-    const awsKey = ["AKIA", "IOSFODNN7", "REALKEY"].join("");
-    const check = checkIngressForSecrets(`Here is my key: ${awsKey}`);
-    expect(check.blocked).toBe(true);
-    expect(check.detectedTypes.length).toBeGreaterThan(0);
-    // Notice must never contain the actual secret
-    expect(check.userNotice).toBeDefined();
-    expect(check.userNotice).not.toContain(awsKey);
-  });
-  test("blocks message containing GitHub token", () => {
-    const ghToken = ["ghp_", "ABCDEFghijklMN01234567", "89abcdef"].join("");
-    const check = checkIngressForSecrets(`Use this token: ${ghToken}`);
-    expect(check.blocked).toBe(true);
-  });
-  test("allows normal text through", () => {
-    const check = checkIngressForSecrets("Please help me configure my project");
-    expect(check.blocked).toBe(false);
-    expect(check.detectedTypes).toEqual([]);
-  });
-  test("bypasses when detection is disabled", () => {
-    mockConfig.secretDetection.enabled = false;
-    const awsKey = ["AKIA", "IOSFODNN7", "REALKEY"].join("");
-    const check = checkIngressForSecrets(awsKey);
-    expect(check.blocked).toBe(false);
-  });
-  test("bypasses when blockIngress is false", () => {
-    mockConfig.secretDetection.blockIngress = false;
-    const awsKey = ["AKIA", "IOSFODNN7", "REALKEY"].join("");
-    const check = checkIngressForSecrets(awsKey);
-    expect(check.blocked).toBe(false);
-  });
-  test("still blocks when action is warn but blockIngress is true", () => {
-    mockConfig.secretDetection.action = "warn";
-    mockConfig.secretDetection.blockIngress = true;
-    const awsKey = ["AKIA", "IOSFODNN7", "REALKEY"].join("");
-    const check = checkIngressForSecrets(awsKey);
-    expect(check.blocked).toBe(true);
-  });
-});
 // ---------------------------------------------------------------------------
 // E2E Scenario 3 — One-time send override path
 // ---------------------------------------------------------------------------
@@ -411,12 +353,4 @@ describe("E2E: cross-cutting secret leak prevention", () => {
     );
     expect(result.content).not.toContain(secret);
   });
-  test("ingress notice never contains the detected secret", () => {
-    const awsKey = ["AKIA", "IOSFODNN7", "REALKEY"].join("");
-    const check = checkIngressForSecrets(awsKey);
-    expect(check.blocked).toBe(true);
-    expect(check.userNotice).toBeDefined();
-    expect(check.userNotice).not.toContain(awsKey);
-  });
 });