npm - @vellumai/assistant - Versions diffs - 0.5.6 → 0.5.8 - Mend

@vellumai/assistant 0.5.6 → 0.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (442) hide show

package/.env.example +16 -2
package/ARCHITECTURE.md +6 -75
package/Dockerfile +3 -2
package/README.md +0 -2
package/bun.lock +0 -414
package/docker-entrypoint.sh +9 -0
package/docs/architecture/keychain-broker.md +45 -240
package/docs/architecture/memory.md +13 -11
package/docs/architecture/security.md +0 -17
package/docs/credential-execution-service.md +2 -2
package/node_modules/@vellumai/ces-contracts/package.json +1 -0
package/node_modules/@vellumai/ces-contracts/src/error.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/grants.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/handles.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/index.ts +1 -1
package/node_modules/@vellumai/ces-contracts/src/rpc.ts +120 -1
package/node_modules/@vellumai/credential-storage/package.json +1 -0
package/node_modules/@vellumai/egress-proxy/package.json +1 -0
package/package.json +2 -3
package/src/__tests__/actor-token-service.test.ts +0 -114
package/src/__tests__/approval-cascade.test.ts +0 -1
package/src/__tests__/assistant-feature-flags-integration.test.ts +30 -29
package/src/__tests__/browser-fill-credential.test.ts +1 -1
package/src/__tests__/browser-skill-endstate.test.ts +6 -5
package/src/__tests__/btw-routes.test.ts +0 -39
package/src/__tests__/call-controller.test.ts +0 -1
package/src/__tests__/call-domain.test.ts +0 -128
package/src/__tests__/ces-rpc-credential-backend.test.ts +199 -0
package/src/__tests__/ces-startup-timeout.test.ts +40 -0
package/src/__tests__/channel-approval-routes.test.ts +0 -5
package/src/__tests__/channel-readiness-service.test.ts +1 -60
package/src/__tests__/checker.test.ts +4 -2
package/src/__tests__/cli-command-risk-guard.test.ts +112 -0
package/src/__tests__/config-schema-cmd.test.ts +0 -2
package/src/__tests__/config-schema.test.ts +3 -1
package/src/__tests__/conversation-abort-tool-results.test.ts +0 -1
package/src/__tests__/conversation-agent-loop-overflow.test.ts +0 -2
package/src/__tests__/conversation-agent-loop.test.ts +2 -4
package/src/__tests__/conversation-attention-telegram.test.ts +0 -5
package/src/__tests__/conversation-confirmation-signals.test.ts +0 -1
package/src/__tests__/conversation-error.test.ts +15 -1
package/src/__tests__/conversation-init.benchmark.test.ts +0 -2
package/src/__tests__/conversation-messaging-secret-redirect.test.ts +1 -1
package/src/__tests__/conversation-pre-run-repair.test.ts +0 -1
package/src/__tests__/conversation-provider-retry-repair.test.ts +0 -1
package/src/__tests__/conversation-queue.test.ts +0 -1
package/src/__tests__/conversation-skill-tools.test.ts +0 -54
package/src/__tests__/conversation-slash-queue.test.ts +0 -1
package/src/__tests__/conversation-slash-unknown.test.ts +0 -1
package/src/__tests__/conversation-title-service.test.ts +87 -0
package/src/__tests__/conversation-workspace-injection.test.ts +0 -1
package/src/__tests__/conversation-workspace-tool-tracking.test.ts +0 -1
package/src/__tests__/credential-execution-client.test.ts +5 -2
package/src/__tests__/credential-execution-feature-gates.test.ts +59 -30
package/src/__tests__/credential-execution-managed-contract.test.ts +35 -20
package/src/__tests__/credential-security-e2e.test.ts +1 -67
package/src/__tests__/credential-security-invariants.test.ts +6 -50
package/src/__tests__/credentials-cli.test.ts +82 -3
package/src/__tests__/daemon-credential-client.test.ts +123 -0
package/src/__tests__/db-migration-rollback.test.ts +2015 -1
package/src/__tests__/deterministic-verification-control-plane.test.ts +1 -0
package/src/__tests__/docker-signing-key-bootstrap.test.ts +34 -143
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +6 -4
package/src/__tests__/gateway-client-managed-outbound.test.ts +79 -1
package/src/__tests__/guardian-routing-state.test.ts +0 -5
package/src/__tests__/host-shell-tool.test.ts +6 -7
package/src/__tests__/http-user-message-parity.test.ts +3 -103
package/src/__tests__/inbound-invite-redemption.test.ts +0 -4
package/src/__tests__/inline-skill-load-permissions.test.ts +6 -8
package/src/__tests__/intent-routing.test.ts +0 -13
package/src/__tests__/jobs-store-qdrant-breaker.test.ts +178 -0
package/src/__tests__/journal-context.test.ts +335 -0
package/src/__tests__/keychain-broker-client.test.ts +161 -22
package/src/__tests__/memory-context-benchmark.benchmark.test.ts +0 -3
package/src/__tests__/memory-jobs-worker-backoff.test.ts +150 -0
package/src/__tests__/memory-lifecycle-e2e.test.ts +70 -25
package/src/__tests__/memory-recall-quality.test.ts +48 -17
package/src/__tests__/memory-regressions.test.ts +408 -363
package/src/__tests__/memory-retrieval.benchmark.test.ts +0 -3
package/src/__tests__/migration-export-http.test.ts +2 -2
package/src/__tests__/migration-import-commit-http.test.ts +2 -2
package/src/__tests__/migration-import-preflight-http.test.ts +2 -2
package/src/__tests__/migration-validate-http.test.ts +2 -2
package/src/__tests__/non-member-access-request.test.ts +2 -7
package/src/__tests__/notification-decision-fallback.test.ts +4 -0
package/src/__tests__/notification-decision-identity.test.ts +4 -0
package/src/__tests__/notification-decision-strategy.test.ts +71 -0
package/src/__tests__/oauth-cli.test.ts +5 -1
package/src/__tests__/permission-types.test.ts +1 -0
package/src/__tests__/provider-commit-message-generator.test.ts +0 -37
package/src/__tests__/provider-error-scenarios.test.ts +0 -267
package/src/__tests__/provider-managed-proxy-integration.test.ts +5 -6
package/src/__tests__/provider-streaming.benchmark.test.ts +2 -81
package/src/__tests__/qdrant-manager.test.ts +28 -2
package/src/__tests__/registry.test.ts +0 -6
package/src/__tests__/relay-server.test.ts +1 -2
package/src/__tests__/runtime-attachment-metadata.test.ts +0 -4
package/src/__tests__/script-proxy-injection-runtime.test.ts +1 -1
package/src/__tests__/secret-onetime-send.test.ts +1 -1
package/src/__tests__/secret-routes-managed-proxy.test.ts +0 -4
package/src/__tests__/secure-keys.test.ts +95 -272
package/src/__tests__/shell-identity.test.ts +96 -6
package/src/__tests__/skill-feature-flags-integration.test.ts +22 -14
package/src/__tests__/skill-feature-flags.test.ts +46 -45
package/src/__tests__/skill-load-feature-flag.test.ts +7 -10
package/src/__tests__/skill-load-inline-command.test.ts +8 -12
package/src/__tests__/skill-load-inline-includes.test.ts +6 -10
package/src/__tests__/skill-load-tool.test.ts +0 -2
package/src/__tests__/skill-memory.test.ts +17 -3
package/src/__tests__/skill-projection-feature-flag.test.ts +33 -29
package/src/__tests__/skills.test.ts +0 -2
package/src/__tests__/slack-inbound-verification.test.ts +0 -4
package/src/__tests__/stale-approval-dedup.test.ts +171 -0
package/src/__tests__/stt-hints.test.ts +437 -0
package/src/__tests__/suggestion-routes.test.ts +1 -32
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/task-memory-cleanup.test.ts +14 -0
package/src/__tests__/tool-executor-shell-integration.test.ts +5 -3
package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts +0 -5
package/src/__tests__/trusted-contact-multichannel.test.ts +0 -4
package/src/__tests__/twilio-routes-twiml.test.ts +139 -1
package/src/__tests__/update-bulletin.test.ts +0 -2
package/src/__tests__/vellum-self-knowledge-inline-command.test.ts +6 -9
package/src/__tests__/voice-quality.test.ts +58 -0
package/src/__tests__/voice-scoped-grant-consumer.test.ts +0 -7
package/src/__tests__/workspace-migration-015-migrate-credentials-to-keychain.test.ts +252 -0
package/src/__tests__/workspace-migration-016-migrate-credentials-from-keychain.test.ts +220 -0
package/src/__tests__/workspace-migration-down-functions.test.ts +1009 -0
package/src/__tests__/workspace-migrations-runner.test.ts +114 -0
package/src/acp/agent-process.ts +9 -1
package/src/agent/loop.ts +1 -1
package/src/approvals/guardian-request-resolvers.ts +164 -38
package/src/calls/__tests__/tts-text-sanitizer.test.ts +254 -0
package/src/calls/audio-store.test.ts +97 -0
package/src/calls/audio-store.ts +205 -0
package/src/calls/call-controller.ts +90 -8
package/src/calls/call-domain.ts +3 -0
package/src/calls/call-store.ts +10 -3
package/src/calls/fish-audio-client.ts +129 -0
package/src/calls/relay-server.ts +27 -0
package/src/calls/stt-hints.ts +189 -0
package/src/calls/tts-text-sanitizer.ts +61 -0
package/src/calls/twilio-routes.ts +34 -5
package/src/calls/types.ts +1 -0
package/src/calls/voice-ingress-preflight.ts +0 -42
package/src/calls/voice-quality.ts +38 -5
package/src/calls/voice-session-bridge.ts +7 -12
package/src/cli/commands/avatar.ts +2 -2
package/src/cli/commands/config.ts +1 -4
package/src/cli/commands/credentials.ts +128 -82
package/src/cli/commands/doctor.ts +2 -2
package/src/cli/commands/keys.ts +7 -7
package/src/cli/commands/memory.ts +1 -1
package/src/cli/commands/oauth/connections.ts +11 -29
package/src/cli/commands/oauth/index.ts +7 -0
package/src/cli/commands/oauth/platform.ts +525 -0
package/src/cli/commands/platform.ts +3 -3
package/src/cli/lib/daemon-credential-client.ts +284 -0
package/src/cli.ts +1 -1
package/src/config/assistant-feature-flags.ts +186 -5
package/src/config/bundled-skills/AGENTS.md +34 -0
package/src/config/bundled-skills/acp/SKILL.md +10 -0
package/src/config/bundled-skills/app-builder/SKILL.md +0 -4
package/src/config/bundled-skills/messaging/SKILL.md +5 -5
package/src/config/bundled-skills/messaging/tools/messaging-analyze-style.ts +2 -2
package/src/config/bundled-skills/phone-calls/TOOLS.json +4 -0
package/src/config/bundled-skills/playbooks/tools/playbook-create.ts +1 -0
package/src/config/bundled-skills/playbooks/tools/playbook-update.ts +1 -0
package/src/config/bundled-skills/settings/SKILL.md +15 -2
package/src/config/bundled-skills/settings/TOOLS.json +47 -2
package/src/config/bundled-skills/settings/tools/avatar-remove.ts +59 -0
package/src/config/bundled-skills/settings/tools/avatar-update.ts +80 -0
package/src/config/bundled-skills/settings/tools/voice-config-update.ts +42 -0
package/src/config/bundled-skills/slack/SKILL.md +1 -1
package/src/config/bundled-tool-registry.ts +5 -11
package/src/config/defaults.ts +0 -2
package/src/config/env-registry.ts +5 -5
package/src/config/env.ts +21 -14
package/src/config/feature-flag-registry.json +49 -9
package/src/config/loader.ts +106 -42
package/src/config/schema.ts +9 -29
package/src/config/schemas/calls.ts +30 -0
package/src/config/schemas/fish-audio.ts +39 -0
package/src/config/schemas/inference.ts +2 -2
package/src/config/schemas/journal.ts +16 -0
package/src/config/schemas/memory-processing.ts +2 -2
package/src/config/schemas/security.ts +0 -4
package/src/config/types.ts +1 -1
package/src/contacts/contact-store.ts +39 -0
package/src/contacts/types.ts +2 -0
package/src/credential-execution/approval-bridge.ts +1 -0
package/src/credential-execution/executable-discovery.ts +28 -4
package/src/credential-execution/feature-gates.ts +16 -0
package/src/credential-execution/process-manager.ts +38 -0
package/src/credential-execution/startup-timeout.ts +36 -0
package/src/daemon/approval-generators.ts +3 -9
package/src/daemon/assistant-attachments.ts +9 -0
package/src/daemon/config-watcher.ts +5 -0
package/src/daemon/conversation-error.ts +13 -1
package/src/daemon/conversation-memory.ts +1 -2
package/src/daemon/conversation-process.ts +18 -1
package/src/daemon/conversation-surfaces.ts +30 -1
package/src/daemon/conversation-tool-setup.ts +0 -105
package/src/daemon/conversation.ts +21 -1
package/src/daemon/guardian-action-generators.ts +3 -9
package/src/daemon/handlers/config-vercel.ts +92 -0
package/src/daemon/handlers/skills.ts +2 -15
package/src/daemon/install-symlink.ts +195 -0
package/src/daemon/lifecycle.ts +234 -51
package/src/daemon/message-types/conversations.ts +4 -4
package/src/daemon/message-types/diagnostics.ts +3 -22
package/src/daemon/message-types/messages.ts +0 -2
package/src/daemon/message-types/upgrades.ts +8 -0
package/src/daemon/server.ts +32 -95
package/src/events/domain-events.ts +2 -1
package/src/inbound/platform-callback-registration.ts +3 -3
package/src/instrument.ts +8 -5
package/src/memory/app-store.ts +31 -0
package/src/memory/conversation-title-service.ts +50 -1
package/src/memory/db-init.ts +16 -0
package/src/memory/indexer.ts +19 -10
package/src/memory/items-extractor.ts +328 -321
package/src/memory/job-handlers/conversation-starters.ts +4 -1
package/src/memory/job-handlers/summarization.ts +26 -16
package/src/memory/jobs-store.ts +63 -6
package/src/memory/jobs-worker.ts +31 -7
package/src/memory/journal-memory.ts +214 -0
package/src/memory/migrations/001-job-deferrals.ts +19 -0
package/src/memory/migrations/004-entity-relation-dedup.ts +10 -0
package/src/memory/migrations/005-fingerprint-scope-unique.ts +76 -0
package/src/memory/migrations/006-scope-salted-fingerprints.ts +50 -0
package/src/memory/migrations/007-assistant-id-to-self.ts +10 -0
package/src/memory/migrations/008-remove-assistant-id-columns.ts +34 -0
package/src/memory/migrations/009-llm-usage-events-drop-assistant-id.ts +26 -0
package/src/memory/migrations/014-backfill-inbox-thread-state.ts +10 -0
package/src/memory/migrations/015-drop-active-search-index.ts +17 -0
package/src/memory/migrations/019-notification-tables-schema-migration.ts +12 -0
package/src/memory/migrations/020-rename-macos-ios-channel-to-vellum.ts +121 -0
package/src/memory/migrations/024-embedding-vector-blob.ts +74 -0
package/src/memory/migrations/026a-embeddings-nullable-vector-json.ts +82 -0
package/src/memory/migrations/036-normalize-phone-identities.ts +11 -0
package/src/memory/migrations/116-messages-fts.ts +106 -1
package/src/memory/migrations/126-backfill-guardian-principal-id.ts +52 -0
package/src/memory/migrations/127-guardian-principal-id-not-null.ts +77 -0
package/src/memory/migrations/134-contacts-notes-column.ts +13 -0
package/src/memory/migrations/135-backfill-contact-interaction-stats.ts +20 -0
package/src/memory/migrations/136-drop-assistant-id-columns.ts +52 -0
package/src/memory/migrations/140-backfill-usage-cache-accounting.ts +13 -0
package/src/memory/migrations/141-rename-verification-table.ts +54 -0
package/src/memory/migrations/142-rename-verification-session-id-column.ts +25 -0
package/src/memory/migrations/143-rename-guardian-verification-values.ts +35 -0
package/src/memory/migrations/144-rename-voice-to-phone.ts +136 -0
package/src/memory/migrations/145-drop-accounts-table.ts +32 -0
package/src/memory/migrations/147-migrate-reminders-to-schedules.ts +14 -1
package/src/memory/migrations/148-drop-reminders-table.ts +35 -1
package/src/memory/migrations/150-oauth-apps-client-secret-path.ts +69 -1
package/src/memory/migrations/162-guardian-timestamps-epoch-ms.ts +290 -0
package/src/memory/migrations/169-rename-gmail-provider-key-to-google.ts +51 -1
package/src/memory/migrations/174-rename-thread-starters-table.ts +47 -1
package/src/memory/migrations/176-drop-capability-card-state.ts +13 -0
package/src/memory/migrations/180-backfill-inline-attachments-to-disk.ts +16 -0
package/src/memory/migrations/181-rename-thread-starters-checkpoints.ts +28 -1
package/src/memory/migrations/190-call-session-skip-disclosure.ts +15 -0
package/src/memory/migrations/191-backfill-audio-attachment-mime-types.ts +64 -0
package/src/memory/migrations/192-contacts-user-file-column.ts +15 -0
package/src/memory/migrations/193-add-source-type-columns.ts +81 -0
package/src/memory/migrations/index.ts +5 -0
package/src/memory/migrations/registry.ts +98 -0
package/src/memory/migrations/validate-migration-state.ts +137 -11
package/src/memory/qdrant-circuit-breaker.ts +9 -0
package/src/memory/qdrant-manager.ts +64 -7
package/src/memory/retriever.test.ts +37 -25
package/src/memory/retriever.ts +24 -49
package/src/memory/schema/calls.ts +1 -0
package/src/memory/schema/contacts.ts +1 -0
package/src/memory/schema/memory-core.ts +2 -0
package/src/memory/search/formatting.ts +7 -44
package/src/memory/search/staleness.ts +4 -0
package/src/memory/search/tier-classifier.ts +10 -2
package/src/memory/search/types.ts +2 -5
package/src/memory/task-memory-cleanup.ts +4 -3
package/src/notifications/adapters/slack.ts +168 -6
package/src/notifications/broadcaster.ts +1 -0
package/src/notifications/copy-composer.ts +59 -2
package/src/notifications/decision-engine.ts +4 -1
package/src/notifications/signal.ts +2 -0
package/src/notifications/types.ts +2 -0
package/src/oauth/connection-resolver.ts +6 -4
package/src/permissions/checker.ts +0 -38
package/src/permissions/shell-identity.ts +76 -22
package/src/permissions/types.ts +4 -2
package/src/platform/client.ts +35 -7
package/src/prompts/journal-context.ts +133 -0
package/src/prompts/persona-resolver.ts +194 -0
package/src/prompts/system-prompt.ts +44 -4
package/src/prompts/templates/SOUL.md +10 -0
package/src/prompts/templates/users/default.md +1 -0
package/src/providers/provider-send-message.ts +3 -32
package/src/providers/registry.ts +29 -179
package/src/providers/types.ts +1 -1
package/src/runtime/access-request-helper.ts +4 -0
package/src/runtime/auth/__tests__/credential-service.test.ts +0 -1
package/src/runtime/auth/__tests__/external-assistant-id.test.ts +13 -68
package/src/runtime/auth/__tests__/guard-tests.test.ts +9 -50
package/src/runtime/auth/external-assistant-id.ts +13 -59
package/src/runtime/auth/route-policy.ts +17 -1
package/src/runtime/auth/token-service.ts +43 -138
package/src/runtime/channel-readiness-service.ts +1 -16
package/src/runtime/gateway-client.ts +47 -4
package/src/runtime/guardian-decision-types.ts +45 -4
package/src/runtime/http-server.ts +31 -3
package/src/runtime/middleware/error-handler.ts +1 -9
package/src/runtime/routes/access-request-decision.ts +2 -2
package/src/runtime/routes/app-management-routes.ts +2 -1
package/src/runtime/routes/approval-strategies/guardian-callback-strategy.ts +219 -30
package/src/runtime/routes/approval-strategies/guardian-text-engine-strategy.ts +37 -14
package/src/runtime/routes/audio-routes.ts +40 -0
package/src/runtime/routes/btw-routes.ts +0 -17
package/src/runtime/routes/channel-readiness-routes.ts +9 -4
package/src/runtime/routes/conversation-query-routes.ts +63 -1
package/src/runtime/routes/conversation-routes.ts +4 -44
package/src/runtime/routes/debug-routes.ts +12 -9
package/src/runtime/routes/diagnostics-routes.ts +1 -477
package/src/runtime/routes/guardian-approval-interception.ts +168 -11
package/src/runtime/routes/guardian-approval-prompt.ts +6 -1
package/src/runtime/routes/guardian-approval-reply-helpers.ts +103 -21
package/src/runtime/routes/identity-routes.ts +19 -30
package/src/runtime/routes/inbound-message-handler.ts +31 -1
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +64 -5
package/src/runtime/routes/inbound-stages/background-dispatch.ts +52 -40
package/src/runtime/routes/inbound-stages/secret-ingress-check.ts +4 -33
package/src/runtime/routes/inbound-stages/transcribe-audio.test.ts +1 -1
package/src/runtime/routes/integrations/twilio.ts +52 -10
package/src/runtime/routes/integrations/vercel.ts +89 -0
package/src/runtime/routes/log-export-routes.ts +5 -0
package/src/runtime/routes/memory-item-routes.test.ts +3 -3
package/src/runtime/routes/memory-item-routes.ts +46 -14
package/src/runtime/routes/migration-rollback-routes.ts +209 -0
package/src/runtime/routes/migration-routes.ts +17 -1
package/src/runtime/routes/notification-routes.ts +58 -0
package/src/runtime/routes/schedule-routes.ts +65 -0
package/src/runtime/routes/secret-routes.ts +141 -10
package/src/runtime/routes/settings-routes.ts +41 -1
package/src/runtime/routes/tts-routes.ts +96 -0
package/src/runtime/routes/upgrade-broadcast-routes.ts +26 -2
package/src/runtime/routes/workspace-commit-routes.ts +62 -0
package/src/runtime/routes/workspace-routes.test.ts +22 -1
package/src/runtime/routes/workspace-routes.ts +1 -1
package/src/runtime/routes/workspace-utils.ts +86 -2
package/src/security/ces-credential-client.ts +75 -29
package/src/security/ces-rpc-credential-backend.ts +86 -0
package/src/security/credential-backend.ts +22 -92
package/src/security/keychain-broker-client.ts +10 -2
package/src/security/secure-keys.ts +113 -115
package/src/skills/catalog-install.ts +6 -32
package/src/skills/skill-memory.ts +1 -0
package/src/subagent/manager.ts +2 -5
package/src/telemetry/usage-telemetry-reporter.ts +4 -2
package/src/tools/acp/spawn.ts +78 -1
package/src/tools/calls/call-start.ts +1 -0
package/src/tools/credentials/vault.ts +5 -3
package/src/tools/executor.ts +0 -4
package/src/tools/memory/definitions.ts +3 -2
package/src/tools/memory/handlers.ts +10 -7
package/src/tools/network/script-proxy/session-manager.ts +19 -4
package/src/tools/network/web-fetch.ts +3 -1
package/src/tools/skills/execute.ts +1 -1
package/src/tools/terminal/safe-env.ts +1 -0
package/src/tools/types.ts +0 -8
package/src/util/browser.ts +15 -0
package/src/util/errors.ts +0 -12
package/src/util/platform.ts +4 -51
package/src/workspace/git-service.ts +5 -2
package/src/workspace/migrations/001-avatar-rename.ts +15 -0
package/src/workspace/migrations/003-seed-device-id.ts +17 -1
package/src/workspace/migrations/004-extract-collect-usage-data.ts +33 -0
package/src/workspace/migrations/005-add-send-diagnostics.ts +3 -0
package/src/workspace/migrations/006-services-config.ts +49 -0
package/src/workspace/migrations/007-web-search-provider-rename.ts +27 -0
package/src/workspace/migrations/008-voice-timeout-and-max-steps.ts +3 -0
package/src/workspace/migrations/009-backfill-conversation-disk-view.ts +4 -0
package/src/workspace/migrations/010-app-dir-rename.ts +78 -0
package/src/workspace/migrations/011-backfill-installation-id.ts +11 -0
package/src/workspace/migrations/012-rename-conversation-disk-view-dirs.ts +44 -0
package/src/workspace/migrations/013-repair-conversation-disk-view.ts +5 -0
package/src/workspace/migrations/015-migrate-credentials-to-keychain.ts +153 -0
package/src/workspace/migrations/016-extract-feature-flags-to-protected.ts +156 -0
package/src/workspace/migrations/016-migrate-credentials-from-keychain.ts +150 -0
package/src/workspace/migrations/017-seed-persona-dirs.ts +96 -0
package/src/workspace/migrations/018-rekey-compound-credential-keys.ts +184 -0
package/src/workspace/migrations/019-scope-journal-to-guardian.ts +103 -0
package/src/workspace/migrations/migrate-to-workspace-volume.ts +27 -5
package/src/workspace/migrations/registry.ts +12 -0
package/src/workspace/migrations/runner.ts +106 -2
package/src/workspace/migrations/types.ts +4 -0
package/src/workspace/provider-commit-message-generator.ts +12 -21
package/src/__tests__/claude-code-skill-regression.test.ts +0 -206
package/src/__tests__/claude-code-tool-profiles.test.ts +0 -99
package/src/__tests__/diagnostics-export.test.ts +0 -288
package/src/__tests__/local-gateway-health.test.ts +0 -209
package/src/__tests__/provider-fail-open-selection.test.ts +0 -271
package/src/__tests__/provider-failover-actual-provider.test.ts +0 -66
package/src/__tests__/secret-ingress-handler.test.ts +0 -120
package/src/__tests__/swarm-conversation-integration.test.ts +0 -358
package/src/__tests__/swarm-dag-pathological.test.ts +0 -547
package/src/__tests__/swarm-orchestrator.test.ts +0 -463
package/src/__tests__/swarm-plan-validator.test.ts +0 -384
package/src/__tests__/swarm-recursion.test.ts +0 -197
package/src/__tests__/swarm-router-planner.test.ts +0 -234
package/src/__tests__/swarm-tool.test.ts +0 -185
package/src/__tests__/swarm-worker-backend.test.ts +0 -144
package/src/__tests__/swarm-worker-runner.test.ts +0 -288
package/src/commands/__tests__/cc-command-registry.test.ts +0 -396
package/src/commands/cc-command-registry.ts +0 -248
package/src/config/bundled-skills/claude-code/SKILL.md +0 -53
package/src/config/bundled-skills/claude-code/TOOLS.json +0 -47
package/src/config/bundled-skills/claude-code/tools/claude-code.ts +0 -12
package/src/config/bundled-skills/orchestration/SKILL.md +0 -33
package/src/config/bundled-skills/orchestration/TOOLS.json +0 -35
package/src/config/bundled-skills/orchestration/tools/swarm-delegate.ts +0 -12
package/src/config/schemas/swarm.ts +0 -82
package/src/logfire.ts +0 -135
package/src/memory/search/lexical.ts +0 -48
package/src/providers/failover.ts +0 -186
package/src/runtime/local-gateway-health.ts +0 -275
package/src/security/secret-ingress.ts +0 -68
package/src/swarm/backend-claude-code.ts +0 -225
package/src/swarm/checkpoint.ts +0 -137
package/src/swarm/graph-utils.ts +0 -53
package/src/swarm/index.ts +0 -55
package/src/swarm/limits.ts +0 -66
package/src/swarm/orchestrator.ts +0 -424
package/src/swarm/plan-validator.ts +0 -117
package/src/swarm/router-planner.ts +0 -162
package/src/swarm/router-prompts.ts +0 -39
package/src/swarm/synthesizer.ts +0 -81
package/src/swarm/types.ts +0 -72
package/src/swarm/worker-backend.ts +0 -131
package/src/swarm/worker-prompts.ts +0 -80
package/src/swarm/worker-runner.ts +0 -170
package/src/tools/claude-code/claude-code.ts +0 -610
package/src/tools/swarm/delegate.ts +0 -205

package/src/__tests__/deterministic-verification-control-plane.test.ts CHANGED Viewed

@@ -128,6 +128,7 @@ describe("TwiML parameter propagation", () => {
     transcriptionProvider: "deepgram",
     ttsProvider: "google",
     voice: "en-US-Standard-A",
+    interruptSensitivity: "low",
   };
   test("includes verificationSessionId as Parameter when provided", () => {

package/src/__tests__/docker-signing-key-bootstrap.test.ts CHANGED Viewed

@@ -1,31 +1,20 @@
 /**
- * Integration tests for resolveSigningKey() covering the Docker bootstrap
- * lifecycle: fresh fetch from gateway, daemon restart (load from disk),
- * and local mode (file-based load/create).
+ * Tests for resolveSigningKey() covering env var injection (Docker)
+ * and file-based load/create (local mode).
  */
-import { mkdtempSync, readFileSync, realpathSync, rmSync } from "node:fs";
+import { mkdirSync, mkdtempSync, realpathSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterAll, afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
-// ---------------------------------------------------------------------------
-// Temp directory for signing key persistence
-// ---------------------------------------------------------------------------
-const testDir = realpathSync(mkdtempSync(join(tmpdir(), "docker-signing-key-test-")));
-// ---------------------------------------------------------------------------
-// Mock platform to redirect signing key file to our temp directory
-// ---------------------------------------------------------------------------
+const testDir = realpathSync(mkdtempSync(join(tmpdir(), "signing-key-test-")));
 mock.module("../util/platform.js", () => ({
   getRootDir: () => testDir,
   getDataDir: () => testDir,
   getDbPath: () => join(testDir, "test.db"),
   normalizeAssistantId: (id: string) => (id === "self" ? "self" : id),
-  readLockfile: () => null,
-  writeLockfile: () => {},
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",
   isWindows: () => process.platform === "win32",
@@ -41,53 +30,23 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
-// ---------------------------------------------------------------------------
-// Import the functions under test (after mocks are installed)
-// ---------------------------------------------------------------------------
-const {
-  resolveSigningKey,
-  loadOrCreateSigningKey: _loadOrCreateSigningKey,
-  BootstrapAlreadyCompleted: _BootstrapAlreadyCompleted,
-} = await import("../runtime/auth/token-service.js");
-// ---------------------------------------------------------------------------
-// Test constants
-// ---------------------------------------------------------------------------
+const { resolveSigningKey } = await import("../runtime/auth/token-service.js");
-const VALID_32_BYTE_KEY = "ab".repeat(32); // 64 hex chars = 32 bytes
-const SIGNING_KEY_PATH = join(testDir, "protected", "actor-token-signing-key");
+const VALID_HEX_KEY = "ab".repeat(32); // 64 hex chars = 32 bytes
-// ---------------------------------------------------------------------------
-// Environment & fetch state management
-// ---------------------------------------------------------------------------
-const originalFetch = globalThis.fetch;
 const savedEnv: Record<string, string | undefined> = {};
-function saveEnv(...keys: string[]) {
-  for (const key of keys) {
-    savedEnv[key] = process.env[key];
-  }
-}
-function restoreEnv() {
-  for (const [key, val] of Object.entries(savedEnv)) {
-    if (val === undefined) {
-      delete process.env[key];
-    } else {
-      process.env[key] = val;
-    }
-  }
-}
 beforeEach(() => {
-  saveEnv("IS_CONTAINERIZED", "GATEWAY_INTERNAL_URL");
+  savedEnv.ACTOR_TOKEN_SIGNING_KEY = process.env.ACTOR_TOKEN_SIGNING_KEY;
+  mkdirSync(join(testDir, "protected"), { recursive: true });
 });
 afterEach(() => {
-  globalThis.fetch = originalFetch;
-  restoreEnv();
+  if (savedEnv.ACTOR_TOKEN_SIGNING_KEY === undefined) {
+    delete process.env.ACTOR_TOKEN_SIGNING_KEY;
+  } else {
+    process.env.ACTOR_TOKEN_SIGNING_KEY = savedEnv.ACTOR_TOKEN_SIGNING_KEY;
+  }
 });
 afterAll(() => {
@@ -96,112 +55,44 @@ afterAll(() => {
   } catch {}
 });
-// ---------------------------------------------------------------------------
-// Docker mode tests — resolveSigningKey() bootstrap lifecycle
-// ---------------------------------------------------------------------------
-describe("resolveSigningKey — Docker bootstrap lifecycle", () => {
-  test("fresh bootstrap: fetches key from gateway and persists to disk", async () => {
-    process.env.IS_CONTAINERIZED = "true";
-    process.env.GATEWAY_INTERNAL_URL = "http://localhost:19876";
+describe("resolveSigningKey", () => {
+  test("reads key from ACTOR_TOKEN_SIGNING_KEY env var", () => {
+    process.env.ACTOR_TOKEN_SIGNING_KEY = VALID_HEX_KEY;
-    // Mock fetch to return a known 32-byte key on first call.
-    globalThis.fetch = (async () =>
-      new Response(JSON.stringify({ key: VALID_32_BYTE_KEY }), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      })) as unknown as typeof fetch;
+    const key = resolveSigningKey();
-    const key = await resolveSigningKey();
-    // Verify the returned key is a 32-byte buffer with the expected content.
     expect(key).toBeInstanceOf(Buffer);
     expect(key.length).toBe(32);
-    expect(key.toString("hex")).toBe(VALID_32_BYTE_KEY);
-    // Verify the key was persisted to disk.
-    const persisted = readFileSync(SIGNING_KEY_PATH);
-    expect(persisted.length).toBe(32);
-    expect(Buffer.from(persisted).equals(key)).toBe(true);
+    expect(key.toString("hex")).toBe(VALID_HEX_KEY);
   });
-  test("daemon restart: gateway returns 403, loads persisted key from disk", async () => {
-    process.env.IS_CONTAINERIZED = "true";
-    process.env.GATEWAY_INTERNAL_URL = "http://localhost:19876";
+  test("rejects invalid ACTOR_TOKEN_SIGNING_KEY", () => {
+    process.env.ACTOR_TOKEN_SIGNING_KEY = "tooshort";
-    // The previous test persisted the key. Simulate a daemon restart where
-    // the gateway returns 403 (bootstrap already completed).
-    globalThis.fetch = (async () =>
-      new Response(JSON.stringify({ error: "Bootstrap already completed" }), {
-        status: 403,
-      })) as unknown as typeof fetch;
-    const key = await resolveSigningKey();
-    // Should have loaded the previously persisted key from disk.
-    expect(key).toBeInstanceOf(Buffer);
-    expect(key.length).toBe(32);
-    expect(key.toString("hex")).toBe(VALID_32_BYTE_KEY);
-  });
-});
-// ---------------------------------------------------------------------------
-// Local mode tests — resolveSigningKey() file-based path
-// ---------------------------------------------------------------------------
-describe("resolveSigningKey — local mode", () => {
-  test("uses file-based loadOrCreateSigningKey without calling fetch", async () => {
-    // Ensure Docker env vars are unset.
-    delete process.env.IS_CONTAINERIZED;
-    delete process.env.GATEWAY_INTERNAL_URL;
-    let fetchCalled = false;
-    globalThis.fetch = (async () => {
-      fetchCalled = true;
-      return new Response("should not be called", { status: 500 });
-    }) as unknown as typeof fetch;
-    const key = await resolveSigningKey();
-    // Should return a valid 32-byte key (loaded from disk or newly created).
-    expect(key).toBeInstanceOf(Buffer);
-    expect(key.length).toBe(32);
-    // Crucially, fetch should NOT have been called.
-    expect(fetchCalled).toBe(false);
+    expect(() => resolveSigningKey()).toThrow("Invalid ACTOR_TOKEN_SIGNING_KEY");
   });
-  test("IS_CONTAINERIZED=false does not trigger gateway fetch", async () => {
-    process.env.IS_CONTAINERIZED = "false";
-    process.env.GATEWAY_INTERNAL_URL = "http://localhost:19876";
+  test("falls back to file-based load/create when env var is not set", () => {
+    delete process.env.ACTOR_TOKEN_SIGNING_KEY;
-    let fetchCalled = false;
-    globalThis.fetch = (async () => {
-      fetchCalled = true;
-      return new Response("should not be called", { status: 500 });
-    }) as unknown as typeof fetch;
-    const key = await resolveSigningKey();
+    const key = resolveSigningKey();
     expect(key).toBeInstanceOf(Buffer);
     expect(key.length).toBe(32);
-    expect(fetchCalled).toBe(false);
   });
-  test("IS_CONTAINERIZED=true without GATEWAY_INTERNAL_URL uses local path", async () => {
-    process.env.IS_CONTAINERIZED = "true";
-    delete process.env.GATEWAY_INTERNAL_URL;
+  test("env var takes priority over file on disk", () => {
+    process.env.ACTOR_TOKEN_SIGNING_KEY = VALID_HEX_KEY;
-    let fetchCalled = false;
-    globalThis.fetch = (async () => {
-      fetchCalled = true;
-      return new Response("should not be called", { status: 500 });
-    }) as unknown as typeof fetch;
+    // First call creates a file-based key
+    delete process.env.ACTOR_TOKEN_SIGNING_KEY;
+    const fileKey = resolveSigningKey();
-    const key = await resolveSigningKey();
+    // Second call with env var should use the env var, not the file
+    process.env.ACTOR_TOKEN_SIGNING_KEY = "cd".repeat(32);
+    const envKey = resolveSigningKey();
-    expect(key).toBeInstanceOf(Buffer);
-    expect(key.length).toBe(32);
-    expect(fetchCalled).toBe(false);
+    expect(envKey.toString("hex")).toBe("cd".repeat(32));
+    expect(envKey.toString("hex")).not.toBe(fileKey.toString("hex"));
   });
 });

package/src/__tests__/dynamic-skill-workflow-prompt.test.ts CHANGED Viewed

@@ -53,9 +53,6 @@ mock.module("../util/logger.js", () => ({
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
-    assistantFeatureFlagValues: {
-      "feature_flags.browser.enabled": true,
-    },
     services: {
       inference: {
         mode: "your-own",
@@ -77,17 +74,22 @@ mock.module("../config/loader.js", () => ({
   invalidateConfigCache: () => {},
   getNestedValue: () => undefined,
   setNestedValue: () => {},
-  syncConfigToLockfile: () => {},
 }));
 const { buildSystemPrompt } = await import("../prompts/system-prompt.js");
+const { _setOverridesForTesting } =
+  await import("../config/assistant-feature-flags.js");
 describe("Dynamic Skill Authoring Workflow moved to tool descriptions", () => {
   beforeEach(() => {
     mkdirSync(TEST_DIR, { recursive: true });
+    _setOverridesForTesting({
+      "feature_flags.browser.enabled": true,
+    });
   });
   afterEach(() => {
+    _setOverridesForTesting({});
     if (existsSync(TEST_DIR)) {
       rmSync(TEST_DIR, { recursive: true, force: true });
     }

package/src/__tests__/gateway-client-managed-outbound.test.ts CHANGED Viewed

@@ -1,6 +1,9 @@
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
-import { deliverChannelReply } from "../runtime/gateway-client.js";
+import {
+  ChannelDeliveryError,
+  deliverChannelReply,
+} from "../runtime/gateway-client.js";
 type FetchCall = {
   url: string;
@@ -163,4 +166,79 @@ describe("gateway-client managed outbound lane", () => {
       text: "standard gateway callback",
     });
   });
+  test("throws ChannelDeliveryError with userMessage when gateway returns JSON error with userMessage", async () => {
+    globalThis.fetch = mock(async () => {
+      return new Response(
+        JSON.stringify({
+          error: "Permission denied",
+          userMessage:
+            "The bot is not a member of this channel. Please invite it first.",
+        }),
+        { status: 403 },
+      );
+    }) as unknown as typeof globalThis.fetch;
+    let caught: unknown;
+    try {
+      await deliverChannelReply("https://gateway.test/deliver/slack", {
+        chatId: "C123",
+        text: "hello",
+      });
+    } catch (err) {
+      caught = err;
+    }
+    expect(caught).toBeInstanceOf(ChannelDeliveryError);
+    const deliveryError = caught as ChannelDeliveryError;
+    expect(deliveryError.statusCode).toBe(403);
+    expect(deliveryError.userMessage).toBe(
+      "The bot is not a member of this channel. Please invite it first.",
+    );
+    expect(deliveryError.message).toContain("403");
+  });
+  test("throws ChannelDeliveryError without userMessage when gateway returns JSON error without userMessage", async () => {
+    globalThis.fetch = mock(async () => {
+      return new Response(JSON.stringify({ error: "Delivery failed" }), {
+        status: 502,
+      });
+    }) as unknown as typeof globalThis.fetch;
+    let caught: unknown;
+    try {
+      await deliverChannelReply("https://gateway.test/deliver/slack", {
+        chatId: "C123",
+        text: "hello",
+      });
+    } catch (err) {
+      caught = err;
+    }
+    expect(caught).toBeInstanceOf(ChannelDeliveryError);
+    const deliveryError = caught as ChannelDeliveryError;
+    expect(deliveryError.statusCode).toBe(502);
+    expect(deliveryError.userMessage).toBeUndefined();
+  });
+  test("throws ChannelDeliveryError without userMessage when gateway returns non-JSON error", async () => {
+    globalThis.fetch = mock(async () => {
+      return new Response("Internal Server Error", { status: 500 });
+    }) as unknown as typeof globalThis.fetch;
+    let caught: unknown;
+    try {
+      await deliverChannelReply("https://gateway.test/deliver/slack", {
+        chatId: "C123",
+        text: "hello",
+      });
+    } catch (err) {
+      caught = err;
+    }
+    expect(caught).toBeInstanceOf(ChannelDeliveryError);
+    const deliveryError = caught as ChannelDeliveryError;
+    expect(deliveryError.statusCode).toBe(500);
+    expect(deliveryError.userMessage).toBeUndefined();
+  });
 });

package/src/__tests__/guardian-routing-state.test.ts CHANGED Viewed

@@ -31,11 +31,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
-// Mock security check to always pass
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
 import { upsertContact } from "../contacts/contact-store.js";
 import { createGuardianBinding } from "../contacts/contacts-write.js";
 import type { TrustContext } from "../daemon/conversation-runtime-assembly.js";

package/src/__tests__/host-shell-tool.test.ts CHANGED Viewed

@@ -846,12 +846,12 @@ describe("host_bash — proxy delegation", () => {
   });
   test("propagates VELLUM_UNTRUSTED_SHELL env to proxy under CES lockdown", async () => {
-    // Enable CES shell lockdown
-    const origFlags = (mockConfig as Record<string, unknown>)
-      .assistantFeatureFlagValues;
-    (mockConfig as Record<string, unknown>).assistantFeatureFlagValues = {
+    // Enable CES shell lockdown via the override cache
+    const { _setOverridesForTesting } =
+      await import("../config/assistant-feature-flags.js");
+    _setOverridesForTesting({
       "feature_flags.ces-shell-lockdown.enabled": true,
-    };
+    });
     try {
       const proxyResult: ToolExecutionResult = {
@@ -875,8 +875,7 @@ describe("host_bash — proxy delegation", () => {
       expect(calls.length).toBe(1);
       expect(calls[0].input.env).toEqual({ VELLUM_UNTRUSTED_SHELL: "1" });
     } finally {
-      (mockConfig as Record<string, unknown>).assistantFeatureFlagValues =
-        origFlags;
+      _setOverridesForTesting({});
     }
   });

package/src/__tests__/http-user-message-parity.test.ts CHANGED Viewed

@@ -2,10 +2,9 @@
  * Tests for HTTP POST /v1/messages behavior after the legacy handleUserMessage
  * legacy entry point was retired.
  *
- * Secret ingress blocking has been ported to the HTTP path. Recording intent
- * interception has been deliberately retired — the HTTP path has dedicated
- * /v1/recording/* endpoints and the model handles recording-related messages
- * through the agent loop.
+ * Recording intent interception has been deliberately retired — the HTTP path
+ * has dedicated /v1/recording/* endpoints and the model handles
+ * recording-related messages through the agent loop.
  *
  * Approval reply interception has parity and is covered by
  * conversation-routes-guardian-reply.test.ts and send-endpoint-busy.test.ts.
@@ -121,12 +120,10 @@ mock.module("../runtime/trust-context-resolver.js", () => ({
   }),
 }));
-// Mock config to enable secret detection + ingress blocking
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     secretDetection: {
       enabled: true,
-      blockIngress: true,
       customPatterns: [],
       entropyThreshold: 3.5,
     },
@@ -238,103 +235,6 @@ async function sendMessage(
   );
 }
-// ============================================================================
-// SECRET INGRESS BLOCKING — now ported to HTTP path
-// ============================================================================
-describe("HTTP POST /v1/messages blocks secret ingress", () => {
-  beforeEach(() => {
-    routeGuardianReplyMock.mockClear();
-    listPendingByDestinationMock.mockClear();
-    listCanonicalMock.mockClear();
-    addMessageMock.mockClear();
-  });
-  test("handleSendMessage rejects messages containing Telegram bot token patterns", async () => {
-    const secretContent =
-      "Set up Telegram with my bot token 123456789:ABCDefGHIJklmnopQRSTuvwxyz012345678";
-    const persistUserMessage = mock(async () => "persisted-msg-id");
-    const runAgentLoop = mock(async () => undefined);
-    const conversation = makeConversation({ persistUserMessage, runAgentLoop });
-    const res = await sendMessage(secretContent, conversation);
-    expect(res.status).toBe(422);
-    const body = (await res.json()) as {
-      accepted: boolean;
-      error: string;
-      message: string;
-      detectedTypes: string[];
-    };
-    expect(body.accepted).toBe(false);
-    expect(body.error).toBe("secret_blocked");
-    expect(body.detectedTypes.length).toBeGreaterThan(0);
-    // The message should NOT reach the agent loop
-    expect(persistUserMessage).toHaveBeenCalledTimes(0);
-    expect(runAgentLoop).toHaveBeenCalledTimes(0);
-  });
-  test("handleSendMessage rejects messages containing AWS credentials", async () => {
-    const secretContent =
-      "Here is my AWS key AKIAQRSTUVWXYZ123456 and secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
-    const persistUserMessage = mock(async () => "persisted-msg-id");
-    const runAgentLoop = mock(async () => undefined);
-    const conversation = makeConversation({ persistUserMessage, runAgentLoop });
-    const res = await sendMessage(secretContent, conversation);
-    expect(res.status).toBe(422);
-    const body = (await res.json()) as {
-      accepted: boolean;
-      error: string;
-    };
-    expect(body.accepted).toBe(false);
-    expect(body.error).toBe("secret_blocked");
-    // The message should NOT reach the agent loop
-    expect(persistUserMessage).toHaveBeenCalledTimes(0);
-    expect(runAgentLoop).toHaveBeenCalledTimes(0);
-  });
-  test("handleSendMessage rejects messages containing Stripe live API keys", async () => {
-    const secretContent = "My Stripe key is sk_live_4eC39HqLyjWDarjtT1zdp7dc";
-    const persistUserMessage = mock(async () => "persisted-msg-id");
-    const runAgentLoop = mock(async () => undefined);
-    const conversation = makeConversation({ persistUserMessage, runAgentLoop });
-    const res = await sendMessage(secretContent, conversation);
-    expect(res.status).toBe(422);
-    const body = (await res.json()) as {
-      accepted: boolean;
-      error: string;
-    };
-    expect(body.accepted).toBe(false);
-    expect(body.error).toBe("secret_blocked");
-    // The message should NOT reach the agent loop
-    expect(persistUserMessage).toHaveBeenCalledTimes(0);
-    expect(runAgentLoop).toHaveBeenCalledTimes(0);
-  });
-  test("handleSendMessage allows normal messages without secrets", async () => {
-    const normalContent = "What is the weather today?";
-    const persistUserMessage = mock(async () => "persisted-msg-id");
-    const runAgentLoop = mock(async () => undefined);
-    const conversation = makeConversation({ persistUserMessage, runAgentLoop });
-    const res = await sendMessage(normalContent, conversation);
-    expect(res.status).toBe(202);
-    const body = (await res.json()) as { accepted: boolean };
-    expect(body.accepted).toBe(true);
-    // Normal messages proceed to the agent loop
-    expect(persistUserMessage).toHaveBeenCalledTimes(1);
-    expect(runAgentLoop).toHaveBeenCalledTimes(1);
-  });
-});
 // ============================================================================
 // RECORDING INTENT — deliberately NOT intercepted on HTTP path
 // ============================================================================

package/src/__tests__/inbound-invite-redemption.test.ts CHANGED Viewed

@@ -35,10 +35,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
-mock.module("../security/secret-ingress.js", () => ({
-  checkIngressForSecrets: () => ({ blocked: false }),
-}));
 mock.module("../config/env.js", () => ({
   isHttpAuthDisabled: () => true,
   getGatewayInternalBaseUrl: () => "http://127.0.0.1:7830",

package/src/__tests__/inline-skill-load-permissions.test.ts CHANGED Viewed

@@ -18,6 +18,8 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
+import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
 // ── Mock setup (must be before any imports from the project) ──────────────
 const testDir = mkdtempSync(join(tmpdir(), "inline-skill-perm-test-"));
@@ -46,7 +48,6 @@ interface TestConfig {
   permissions: { mode: "strict" | "workspace" };
   skills: { load: { extraDirs: string[] } };
   sandbox: { enabled: boolean };
-  assistantFeatureFlagValues?: Record<string, boolean>;
   [key: string]: unknown;
 }
@@ -54,9 +55,6 @@ const testConfig: TestConfig = {
   permissions: { mode: "workspace" },
   skills: { load: { extraDirs: [] } },
   sandbox: { enabled: true },
-  assistantFeatureFlagValues: {
-    "feature_flags.inline-skill-commands.enabled": true,
-  },
 };
 mock.module("../config/loader.js", () => ({
@@ -118,9 +116,9 @@ describe("inline-command skill_load permissions", () => {
     clearCache();
     testConfig.permissions = { mode: "workspace" };
     testConfig.skills = { load: { extraDirs: [] } };
-    testConfig.assistantFeatureFlagValues = {
+    _setOverridesForTesting({
       "feature_flags.inline-skill-commands.enabled": true,
-    };
+    });
     try {
       rmSync(join(testDir, "protected", "trust.json"));
     } catch {
@@ -352,9 +350,9 @@ describe("inline-command skill_load permissions", () => {
       writeDynamicSkill("dynamic-flag-off", "Dynamic Flag Off Skill");
       // Disable the feature flag
-      testConfig.assistantFeatureFlagValues = {
+      _setOverridesForTesting({
         "feature_flags.inline-skill-commands.enabled": false,
-      };
+      });
       const result = await check(
         "skill_load",

package/src/__tests__/intent-routing.test.ts CHANGED Viewed

@@ -53,8 +53,6 @@ mock.module("../util/logger.js", () => ({
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     ui: {},
-    assistantFeatureFlagValues: {},
     services: {
       inference: {
         mode: "your-own",
@@ -76,7 +74,6 @@ mock.module("../config/loader.js", () => ({
   invalidateConfigCache: () => {},
   getNestedValue: () => undefined,
   setNestedValue: () => {},
-  syncConfigToLockfile: () => {},
 }));
 // ── Import after mocks ───────────────────────────────────────────────
@@ -250,16 +247,6 @@ describe("Activation hints in skills catalog", () => {
     expect(line).toContain("voice-setup");
   });
-  test("orchestration skill includes hints and avoid-when in catalog line", () => {
-    const prompt = buildSystemPrompt();
-    const line = prompt
-      .split("\n")
-      .find((l) => l.includes("**orchestration**"));
-    expect(line).toBeDefined();
-    expect(line).toContain("parallel");
-    expect(line).toContain("Single-focus");
-  });
   test("browser skill includes hints in catalog line", () => {
     const prompt = buildSystemPrompt();
     const line = prompt.split("\n").find((l) => l.includes("**browser**"));