@vellumai/assistant 0.5.8 → 0.5.10

package/src/__tests__/stt-hints.test.ts

@@ -6,8 +6,8 @@ import type { ContactWithChannels } from "../contacts/types.js";
 // Mock state for resolveCallHints tests
 // ---------------------------------------------------------------------------
 
-let mockAssistantName: string | null = "Velissa";
-let mockGuardianName: string = "Sidd";
+let mockAssistantName: string | null = "Nova";
+let mockGuardianName: string = "Alex";
 let mockTargetContact: ContactWithChannels | null = null;
 let mockRecentContacts: ContactWithChannels[] = [];
 let mockFindContactByAddressThrows = false;
@@ -93,14 +93,14 @@ describe("buildSttHints", () => {
 
   test("assistant name included", () => {
     const input = emptyInput();
-    input.assistantName = "Velissa";
-    expect(buildSttHints(input)).toBe("Velissa");
+    input.assistantName = "Nova";
+    expect(buildSttHints(input)).toBe("Nova");
   });
 
   test("guardian name included", () => {
     const input = emptyInput();
-    input.guardianName = "Sidd";
-    expect(buildSttHints(input)).toBe("Sidd");
+    input.guardianName = "Alex";
+    expect(buildSttHints(input)).toBe("Alex");
   });
 
   test('default guardian name "my human" excluded', () => {
@@ -214,8 +214,8 @@ describe("buildSttHints", () => {
   test("all sources combined in correct order", () => {
     const input: SttHintsInput = {
       staticHints: ["StaticOne"],
-      assistantName: "Velissa",
-      guardianName: "Sidd",
+      assistantName: "Nova",
+      guardianName: "Alex",
       taskDescription: "Call John at Acme",
       targetContactName: "Target",
       callerContactName: "Caller",
@@ -227,8 +227,8 @@ describe("buildSttHints", () => {
     const parts = result.split(",");
     // Verify all expected hints are present
     expect(parts).toContain("StaticOne");
-    expect(parts).toContain("Velissa");
-    expect(parts).toContain("Sidd");
+    expect(parts).toContain("Nova");
+    expect(parts).toContain("Alex");
     expect(parts).toContain("John");
     expect(parts).toContain("Acme");
     expect(parts).toContain("Target");
@@ -308,8 +308,8 @@ function makeContact(displayName: string): ContactWithChannels {
 
 describe("resolveCallHints", () => {
   beforeEach(() => {
-    mockAssistantName = "Velissa";
-    mockGuardianName = "Sidd";
+    mockAssistantName = "Nova";
+    mockGuardianName = "Alex";
     mockTargetContact = null;
     mockRecentContacts = [];
     mockFindContactByAddressThrows = false;
@@ -334,8 +334,8 @@ describe("resolveCallHints", () => {
     const parts = result.split(",");
 
     expect(parts).toContain("StaticHint");
-    expect(parts).toContain("Velissa");
-    expect(parts).toContain("Sidd");
+    expect(parts).toContain("Nova");
+    expect(parts).toContain("Alex");
     expect(parts).toContain("Alice");
     expect(parts).toContain("Dave");
     expect(parts).toContain("Eve");
@@ -365,8 +365,8 @@ describe("resolveCallHints", () => {
 
     // Target contact should be absent (lookup failed)
     // But other sources should still work
-    expect(parts).toContain("Velissa");
-    expect(parts).toContain("Sidd");
+    expect(parts).toContain("Nova");
+    expect(parts).toContain("Alex");
     expect(parts).toContain("Bob");
     expect(logWarnFn).toHaveBeenCalled();
   });
@@ -390,8 +390,8 @@ describe("resolveCallHints", () => {
 
     // Recent contacts should be absent (listing failed)
     // But other sources should still work
-    expect(parts).toContain("Velissa");
-    expect(parts).toContain("Sidd");
+    expect(parts).toContain("Nova");
+    expect(parts).toContain("Alex");
     expect(parts).toContain("Alice");
     expect(logWarnFn).toHaveBeenCalled();
   });
@@ -414,8 +414,8 @@ describe("resolveCallHints", () => {
 
     // For inbound, the contact found via fromNumber should appear as caller, not target
     expect(parts).toContain("Alice");
-    expect(parts).toContain("Velissa");
-    expect(parts).toContain("Sidd");
+    expect(parts).toContain("Nova");
+    expect(parts).toContain("Alex");
     expect(parts).toContain("Bob");
     expect(logWarnFn).not.toHaveBeenCalled();
   });
@@ -427,8 +427,8 @@ describe("resolveCallHints", () => {
     const parts = result.split(",");
 
     expect(parts).toContain("Static");
-    expect(parts).toContain("Velissa");
-    expect(parts).toContain("Sidd");
+    expect(parts).toContain("Nova");
+    expect(parts).toContain("Alex");
     expect(parts).toContain("RecentOne");
     expect(parts).toContain("RecentTwo");
     // No target contact lookup should have been attempted (no session)

package/src/__tests__/voice-quality.test.ts

@@ -175,11 +175,11 @@ describe("resolveVoiceQualityProfile", () => {
         voice: {
           language: "en-US",
           transcriptionProvider: "Deepgram",
-          hints: ["Vellum", "Velissa", "AI assistant"],
+          hints: ["Vellum", "Nova", "AI assistant"],
         },
       },
     };
     const profile = resolveVoiceQualityProfile();
-    expect(profile.hints).toEqual(["Vellum", "Velissa", "AI assistant"]);
+    expect(profile.hints).toEqual(["Vellum", "Nova", "AI assistant"]);
   });
 });

package/src/__tests__/workspace-migration-015-migrate-credentials-to-keychain.test.ts

@@ -1,252 +1,19 @@
-import { beforeEach, describe, expect, mock, test } from "bun:test";
+import { describe, expect, test } from "bun:test";
 
-// ---------------------------------------------------------------------------
-// Mock state
-// ---------------------------------------------------------------------------
-
-const isAvailableFn = mock((): boolean => true);
-const brokerSetFn = mock(
-  async (
-    _account: string,
-    _value: string,
-  ): Promise<{ status: string; code?: string; message?: string }> => ({
-    status: "ok",
-  }),
-);
-const createBrokerClientFn = mock(() => ({
-  isAvailable: isAvailableFn,
-  set: brokerSetFn,
-}));
-
-const listKeysFn = mock((): string[] => []);
-const getKeyFn = mock((_account: string): string | undefined => undefined);
-const deleteKeyFn = mock(
-  (_account: string): "deleted" | "not-found" | "error" => "deleted",
-);
-
-// ---------------------------------------------------------------------------
-// Mock modules — before importing module under test
-//
-// The logger is mocked with a silent Proxy to suppress pino output in tests.
-// The broker client and encrypted store are mocked to control migration
-// behavior without touching real keychain or filesystem state.
-// ---------------------------------------------------------------------------
-
-mock.module("../util/logger.js", () => ({
-  getLogger: () =>
-    new Proxy({} as Record<string, unknown>, {
-      get: () => () => {},
-    }),
-}));
-
-mock.module("../security/keychain-broker-client.js", () => ({
-  createBrokerClient: createBrokerClientFn,
-}));
-
-mock.module("../security/encrypted-store.js", () => ({
-  listKeys: listKeysFn,
-  getKey: getKeyFn,
-  deleteKey: deleteKeyFn,
-}));
-
-// Import after mocking
 import { migrateCredentialsToKeychainMigration } from "../workspace/migrations/015-migrate-credentials-to-keychain.js";
 
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-const WORKSPACE_DIR = "/mock-home/.vellum/workspace";
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
 describe("015-migrate-credentials-to-keychain migration", () => {
-  beforeEach(() => {
-    isAvailableFn.mockClear();
-    brokerSetFn.mockClear();
-    createBrokerClientFn.mockClear();
-    listKeysFn.mockClear();
-    getKeyFn.mockClear();
-    deleteKeyFn.mockClear();
-
-    // Defaults: mac production build
-    process.env.VELLUM_DESKTOP_APP = "1";
-    delete process.env.VELLUM_DEV;
-
-    isAvailableFn.mockReturnValue(true);
-    brokerSetFn.mockResolvedValue({ status: "ok" });
-    listKeysFn.mockReturnValue([]);
-    getKeyFn.mockReturnValue(undefined);
-    deleteKeyFn.mockReturnValue("deleted");
-  });
-
   test("has correct migration id", () => {
     expect(migrateCredentialsToKeychainMigration.id).toBe(
       "015-migrate-credentials-to-keychain",
     );
   });
 
-  test("skips when VELLUM_DESKTOP_APP is not set", async () => {
-    delete process.env.VELLUM_DESKTOP_APP;
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-    expect(listKeysFn).not.toHaveBeenCalled();
-  });
-
-  test("skips when VELLUM_DESKTOP_APP is not '1'", async () => {
-    process.env.VELLUM_DESKTOP_APP = "0";
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-  });
-
-  test("skips when VELLUM_DEV=1", async () => {
-    process.env.VELLUM_DEV = "1";
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-    expect(listKeysFn).not.toHaveBeenCalled();
+  test("run is a no-op", async () => {
+    await migrateCredentialsToKeychainMigration.run("/fake");
   });
 
-  test(
-    "throws when broker is not available after max retry attempts",
-    async () => {
-      isAvailableFn.mockReturnValue(false);
-
-      await expect(
-        migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR),
-      ).rejects.toThrow(
-        "Keychain broker not available after waiting — credential migration will be retried on next startup",
-      );
-
-      // Should have retried isAvailable multiple times
-      expect(isAvailableFn.mock.calls.length).toBeGreaterThan(1);
-
-      // Should not proceed to list or migrate keys
-      expect(listKeysFn).not.toHaveBeenCalled();
-      expect(brokerSetFn).not.toHaveBeenCalled();
-    },
-    { timeout: 10_000 },
-  );
-
-  test("succeeds when broker becomes available after retry", async () => {
-    // Broker unavailable for first 3 calls, then available
-    let callCount = 0;
-    isAvailableFn.mockImplementation(() => {
-      callCount++;
-      return callCount > 3;
-    });
-    listKeysFn.mockReturnValue(["retry-key"]);
-    getKeyFn.mockReturnValue("retry-secret");
-    brokerSetFn.mockResolvedValue({ status: "ok" });
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    // Should have called isAvailable 4 times (3 false + 1 true)
-    expect(isAvailableFn).toHaveBeenCalledTimes(4);
-
-    // Should have proceeded with migration
-    expect(brokerSetFn).toHaveBeenCalledWith("retry-key", "retry-secret");
-    expect(deleteKeyFn).toHaveBeenCalledWith("retry-key");
-  });
-
-  test("no-ops when encrypted store has no keys", async () => {
-    listKeysFn.mockReturnValue([]);
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(brokerSetFn).not.toHaveBeenCalled();
-    expect(deleteKeyFn).not.toHaveBeenCalled();
-  });
-
-  test("successfully migrates keys from encrypted store to keychain", async () => {
-    listKeysFn.mockReturnValue(["account-a", "account-b"]);
-    getKeyFn.mockImplementation((account: string) => {
-      if (account === "account-a") return "secret-a";
-      if (account === "account-b") return "secret-b";
-      return undefined;
-    });
-    brokerSetFn.mockResolvedValue({ status: "ok" });
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    // Should have called broker.set for each key
-    expect(brokerSetFn).toHaveBeenCalledTimes(2);
-    expect(brokerSetFn).toHaveBeenCalledWith("account-a", "secret-a");
-    expect(brokerSetFn).toHaveBeenCalledWith("account-b", "secret-b");
-
-    // Should have deleted each key from encrypted store after successful migration
-    expect(deleteKeyFn).toHaveBeenCalledTimes(2);
-    expect(deleteKeyFn).toHaveBeenCalledWith("account-a");
-    expect(deleteKeyFn).toHaveBeenCalledWith("account-b");
-  });
-
-  test("continues on individual key failure and migrates others", async () => {
-    listKeysFn.mockReturnValue(["fail-key", "ok-key"]);
-    getKeyFn.mockImplementation((account: string) => {
-      if (account === "fail-key") return "fail-secret";
-      if (account === "ok-key") return "ok-secret";
-      return undefined;
-    });
-    brokerSetFn.mockImplementation(async (account: string) => {
-      if (account === "fail-key") {
-        return {
-          status: "rejected" as const,
-          code: "UNKNOWN",
-          message: "broker rejected",
-        };
-      }
-      return { status: "ok" as const };
-    });
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    // fail-key should NOT have been deleted (broker rejected it)
-    expect(deleteKeyFn).not.toHaveBeenCalledWith("fail-key");
-
-    // ok-key should have been migrated and deleted
-    expect(brokerSetFn).toHaveBeenCalledWith("ok-key", "ok-secret");
-    expect(deleteKeyFn).toHaveBeenCalledWith("ok-key");
-    expect(deleteKeyFn).toHaveBeenCalledTimes(1);
-  });
-
-  test("handles getKey returning undefined for a listed key", async () => {
-    listKeysFn.mockReturnValue(["ghost-key", "real-key"]);
-    getKeyFn.mockImplementation((account: string) => {
-      if (account === "ghost-key") return undefined;
-      if (account === "real-key") return "real-secret";
-      return undefined;
-    });
-    brokerSetFn.mockResolvedValue({ status: "ok" });
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    // ghost-key should not be sent to broker or deleted
-    expect(brokerSetFn).not.toHaveBeenCalledWith(
-      "ghost-key",
-      expect.anything(),
-    );
-    expect(deleteKeyFn).not.toHaveBeenCalledWith("ghost-key");
-
-    // real-key should be migrated
-    expect(brokerSetFn).toHaveBeenCalledWith("real-key", "real-secret");
-    expect(deleteKeyFn).toHaveBeenCalledWith("real-key");
-  });
-
-  test("handles broker unreachable status for individual keys", async () => {
-    listKeysFn.mockReturnValue(["key-1"]);
-    getKeyFn.mockReturnValue("secret-1");
-    brokerSetFn.mockResolvedValue({ status: "unreachable" });
-
-    await migrateCredentialsToKeychainMigration.run(WORKSPACE_DIR);
-
-    // Should not delete when broker is unreachable
-    expect(deleteKeyFn).not.toHaveBeenCalled();
+  test("down is a no-op", async () => {
+    await migrateCredentialsToKeychainMigration.down("/fake");
   });
 });

package/src/__tests__/workspace-migration-016-migrate-credentials-from-keychain.test.ts

@@ -1,220 +1,19 @@
-import { beforeEach, describe, expect, mock, test } from "bun:test";
+import { describe, expect, test } from "bun:test";
 
-// ---------------------------------------------------------------------------
-// Mock state
-// ---------------------------------------------------------------------------
-
-const isAvailableFn = mock((): boolean => true);
-const brokerGetFn = mock(
-  async (
-    _account: string,
-  ): Promise<{ found: boolean; value?: string } | null> => ({
-    found: true,
-    value: "secret",
-  }),
-);
-const brokerDelFn = mock(async (_account: string): Promise<boolean> => true);
-const brokerListFn = mock(async (): Promise<string[]> => []);
-const createBrokerClientFn = mock(() => ({
-  isAvailable: isAvailableFn,
-  get: brokerGetFn,
-  del: brokerDelFn,
-  list: brokerListFn,
-}));
-
-const setKeyFn = mock(
-  (_account: string, _value: string): boolean => true,
-);
-
-// ---------------------------------------------------------------------------
-// Mock modules — before importing module under test
-//
-// The logger is mocked with a silent Proxy to suppress pino output in tests.
-// The broker client and encrypted store are mocked to control migration
-// behavior without touching real keychain or filesystem state.
-// ---------------------------------------------------------------------------
-
-mock.module("../util/logger.js", () => ({
-  getLogger: () =>
-    new Proxy({} as Record<string, unknown>, {
-      get: () => () => {},
-    }),
-}));
-
-mock.module("../security/keychain-broker-client.js", () => ({
-  createBrokerClient: createBrokerClientFn,
-}));
-
-mock.module("../security/encrypted-store.js", () => ({
-  setKey: setKeyFn,
-}));
-
-// Import after mocking
 import { migrateCredentialsFromKeychainMigration } from "../workspace/migrations/016-migrate-credentials-from-keychain.js";
 
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-const WORKSPACE_DIR = "/mock-home/.vellum/workspace";
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
 describe("016-migrate-credentials-from-keychain migration", () => {
-  beforeEach(() => {
-    isAvailableFn.mockClear();
-    brokerGetFn.mockClear();
-    brokerDelFn.mockClear();
-    brokerListFn.mockClear();
-    createBrokerClientFn.mockClear();
-    setKeyFn.mockClear();
-
-    // Defaults: mac production build
-    process.env.VELLUM_DESKTOP_APP = "1";
-    delete process.env.VELLUM_DEV;
-
-    isAvailableFn.mockReturnValue(true);
-    brokerGetFn.mockResolvedValue({ found: true, value: "secret" });
-    brokerDelFn.mockResolvedValue(true);
-    brokerListFn.mockResolvedValue([]);
-    setKeyFn.mockReturnValue(true);
-  });
-
   test("has correct migration id", () => {
     expect(migrateCredentialsFromKeychainMigration.id).toBe(
       "016-migrate-credentials-from-keychain",
     );
   });
 
-  test("skips when VELLUM_DESKTOP_APP is not set", async () => {
-    delete process.env.VELLUM_DESKTOP_APP;
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-    expect(brokerListFn).not.toHaveBeenCalled();
-  });
-
-  test("skips when VELLUM_DESKTOP_APP is not '1'", async () => {
-    process.env.VELLUM_DESKTOP_APP = "0";
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-  });
-
-  test("skips when VELLUM_DEV=1", async () => {
-    process.env.VELLUM_DEV = "1";
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(createBrokerClientFn).not.toHaveBeenCalled();
-    expect(brokerListFn).not.toHaveBeenCalled();
+  test("run is a no-op", async () => {
+    await migrateCredentialsFromKeychainMigration.run("/fake");
   });
 
-  test(
-    "throws when broker is not available (skips checkpoint for retry)",
-    async () => {
-      isAvailableFn.mockReturnValue(false);
-
-      // Throwing skips the checkpoint so the migration retries on next startup
-      await expect(
-        migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR),
-      ).rejects.toThrow("Keychain broker not available after waiting");
-
-      // Should not proceed to list or migrate keys
-      expect(brokerListFn).not.toHaveBeenCalled();
-      expect(setKeyFn).not.toHaveBeenCalled();
-    },
-    { timeout: 10_000 },
-  );
-
-  test("no-ops when keychain has no accounts", async () => {
-    brokerListFn.mockResolvedValue([]);
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(setKeyFn).not.toHaveBeenCalled();
-    expect(brokerDelFn).not.toHaveBeenCalled();
-  });
-
-  test("copies credentials from keychain to encrypted store and deletes from keychain", async () => {
-    brokerListFn.mockResolvedValue(["account-a", "account-b"]);
-    brokerGetFn.mockImplementation(async (account: string) => {
-      if (account === "account-a") return { found: true, value: "secret-a" };
-      if (account === "account-b") return { found: true, value: "secret-b" };
-      return null;
-    });
-    setKeyFn.mockReturnValue(true);
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    // Should have written each key to encrypted store
-    expect(setKeyFn).toHaveBeenCalledTimes(2);
-    expect(setKeyFn).toHaveBeenCalledWith("account-a", "secret-a");
-    expect(setKeyFn).toHaveBeenCalledWith("account-b", "secret-b");
-
-    // Should have deleted each key from keychain after successful migration
-    expect(brokerDelFn).toHaveBeenCalledTimes(2);
-    expect(brokerDelFn).toHaveBeenCalledWith("account-a");
-    expect(brokerDelFn).toHaveBeenCalledWith("account-b");
-  });
-
-  test("skips key when broker.get returns null", async () => {
-    brokerListFn.mockResolvedValue(["ghost-key", "real-key"]);
-    brokerGetFn.mockImplementation(async (account: string) => {
-      if (account === "ghost-key") return null;
-      if (account === "real-key") return { found: true, value: "real-secret" };
-      return null;
-    });
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    // ghost-key should not be written or deleted
-    expect(setKeyFn).not.toHaveBeenCalledWith(
-      "ghost-key",
-      expect.anything(),
-    );
-    expect(brokerDelFn).not.toHaveBeenCalledWith("ghost-key");
-
-    // real-key should be migrated
-    expect(setKeyFn).toHaveBeenCalledWith("real-key", "real-secret");
-    expect(brokerDelFn).toHaveBeenCalledWith("real-key");
-  });
-
-  test("skips key when broker.get returns not found", async () => {
-    brokerListFn.mockResolvedValue(["missing-key"]);
-    brokerGetFn.mockResolvedValue({ found: false });
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    expect(setKeyFn).not.toHaveBeenCalled();
-    expect(brokerDelFn).not.toHaveBeenCalled();
-  });
-
-  test("skips key when setKey fails and does not delete from keychain", async () => {
-    brokerListFn.mockResolvedValue(["fail-key", "ok-key"]);
-    brokerGetFn.mockImplementation(async (account: string) => {
-      if (account === "fail-key")
-        return { found: true, value: "fail-secret" };
-      if (account === "ok-key") return { found: true, value: "ok-secret" };
-      return null;
-    });
-    setKeyFn.mockImplementation((account: string) => {
-      if (account === "fail-key") return false;
-      return true;
-    });
-
-    await migrateCredentialsFromKeychainMigration.run(WORKSPACE_DIR);
-
-    // fail-key should NOT have been deleted from keychain (setKey failed)
-    expect(brokerDelFn).not.toHaveBeenCalledWith("fail-key");
-
-    // ok-key should have been migrated and deleted
-    expect(setKeyFn).toHaveBeenCalledWith("ok-key", "ok-secret");
-    expect(brokerDelFn).toHaveBeenCalledWith("ok-key");
-    expect(brokerDelFn).toHaveBeenCalledTimes(1);
+  test("down is a no-op", async () => {
+    await migrateCredentialsFromKeychainMigration.down("/fake");
   });
 });

package/src/__tests__/workspace-migrations-runner.test.ts

@@ -130,16 +130,16 @@ describe("runWorkspaceMigrations", () => {
       throw new Error("migration 002 failed");
     });
 
-    await expect(
-      runWorkspaceMigrations(WORKSPACE_DIR, [m1, m2]),
-    ).rejects.toThrow("migration 002 failed");
+    // Runner no longer throws — it marks failed migrations and continues
+    await runWorkspaceMigrations(WORKSPACE_DIR, [m1, m2]);
 
-    // m1 ran successfully before the error
+    // m1 ran successfully, m2 was attempted
     expect(m1.run).toHaveBeenCalledTimes(1);
+    expect(m2.run).toHaveBeenCalledTimes(1);
 
-    // Checkpoints saved: started m1, completed m1, started m2 = 3 writes
-    expect(writeFileSyncFn).toHaveBeenCalledTimes(3);
-    expect(renameSyncFn).toHaveBeenCalledTimes(3);
+    // Checkpoints saved: started m1, completed m1, started m2, failed m2 = 4 writes
+    expect(writeFileSyncFn).toHaveBeenCalledTimes(4);
+    expect(renameSyncFn).toHaveBeenCalledTimes(4);
 
     // Verify the completed checkpoint contains m1
     // The second write is the "completed" marker for m1
@@ -149,6 +149,14 @@ describe("runWorkspaceMigrations", () => {
     const parsed = JSON.parse(completedWrite);
     expect(parsed.applied["001"]).toBeDefined();
     expect(parsed.applied["001"].status).toBe("completed");
+
+    // Verify m2 is marked as failed
+    const failedWrite = (
+      writeFileSyncFn.mock.calls[3] as unknown[]
+    )[1] as string;
+    const failedParsed = JSON.parse(failedWrite);
+    expect(failedParsed.applied["002"]).toBeDefined();
+    expect(failedParsed.applied["002"].status).toBe("failed");
   });
 
   test("idempotent on re-run", async () => {