@vellumai/assistant 0.6.1 → 0.6.3

package/src/__tests__/integration-status.test.ts

@@ -21,17 +21,16 @@ mock.module("../config/loader.js", () => ({
 }));
 
 mock.module("../oauth/oauth-store.js", () => ({
-  isProviderConnected: (providerKey: string) =>
-    connectedProviders.has(providerKey),
-  getConnectionByProvider: (providerKey: string) =>
-    connectedProviders.has(providerKey)
-      ? { id: `conn-${providerKey}`, status: "active" }
+  isProviderConnected: (provider: string) => connectedProviders.has(provider),
+  getConnectionByProvider: (provider: string) =>
+    connectedProviders.has(provider)
+      ? { id: `conn-${provider}`, status: "active" }
       : undefined,
 }));
 
 /** Mark a provider as fully connected (active row + access token). */
-function setOAuthConnected(providerKey: string): void {
-  connectedProviders.add(providerKey);
+function setOAuthConnected(provider: string): void {
+  connectedProviders.add(provider);
 }
 
 const { getIntegrationSummary, formatIntegrationSummary, hasCapability } =

package/src/__tests__/list-messages-tool-merge.test.ts

@@ -84,7 +84,11 @@ describe("handleListMessages tool_result merging", () => {
       conv.id,
       "user",
       JSON.stringify([
-        { type: "tool_result", tool_use_id: "tu1", content: "file1.txt\nfile2.txt" },
+        {
+          type: "tool_result",
+          tool_use_id: "tu1",
+          content: "file1.txt\nfile2.txt",
+        },
       ]),
     );
 
@@ -117,7 +121,12 @@ describe("handleListMessages tool_result merging", () => {
       JSON.stringify([
         { type: "tool_use", id: "tu1", name: "bash", input: { command: "ls" } },
         { type: "text", text: "and also" },
-        { type: "tool_use", id: "tu2", name: "file_read", input: { path: "/tmp/a" } },
+        {
+          type: "tool_use",
+          id: "tu2",
+          name: "file_read",
+          input: { path: "/tmp/a" },
+        },
       ]),
     );
     await addMessage(
@@ -176,7 +185,11 @@ describe("handleListMessages tool_result merging", () => {
       conv.id,
       "user",
       JSON.stringify([
-        { type: "tool_result", tool_use_id: "tu_orphan", content: "stale result" },
+        {
+          type: "tool_result",
+          tool_use_id: "tu_orphan",
+          content: "stale result",
+        },
       ]),
     );
     await addMessage(
@@ -228,7 +241,12 @@ describe("handleListMessages tool_result merging", () => {
       "assistant",
       JSON.stringify([
         { type: "text", text: "Now reading:" },
-        { type: "tool_use", id: "tu2", name: "file_read", input: { path: "/x" } },
+        {
+          type: "tool_use",
+          id: "tu2",
+          name: "file_read",
+          input: { path: "/x" },
+        },
       ]),
     );
     await addMessage(
@@ -248,17 +266,19 @@ describe("handleListMessages tool_result merging", () => {
     const response = handleListMessages(createTestUrl(conv.id), null);
     const body = (await response.json()) as { messages: MessagePayload[] };
 
-    // user("list files"), assistant(bash), assistant(file_read), user("thanks")
-    expect(body.messages).toHaveLength(4);
+    // Consecutive assistant messages are merged at query time so the client
+    // sees one grouped message (matching the streaming path behavior).
+    // user("list files"), merged-assistant(bash + file_read), user("thanks")
+    expect(body.messages).toHaveLength(3);
     expect(body.messages[0].role).toBe("user");
     expect(body.messages[1].role).toBe("assistant");
+    expect(body.messages[1].toolCalls).toHaveLength(2);
     expect(body.messages[1].toolCalls![0].name).toBe("bash");
     expect(body.messages[1].toolCalls![0].result).toBe("files");
-    expect(body.messages[2].role).toBe("assistant");
-    expect(body.messages[2].toolCalls![0].name).toBe("file_read");
-    expect(body.messages[2].toolCalls![0].result).toBe("file data");
-    expect(body.messages[3].role).toBe("user");
-    expect(body.messages[3].content).toBe("thanks");
+    expect(body.messages[1].toolCalls![1].name).toBe("file_read");
+    expect(body.messages[1].toolCalls![1].result).toBe("file data");
+    expect(body.messages[2].role).toBe("user");
+    expect(body.messages[2].content).toBe("thanks");
   });
 
   test("tool_result with is_error propagates error status", async () => {
@@ -272,7 +292,12 @@ describe("handleListMessages tool_result merging", () => {
       conv.id,
       "assistant",
       JSON.stringify([
-        { type: "tool_use", id: "tu1", name: "bash", input: { command: "fail" } },
+        {
+          type: "tool_use",
+          id: "tu1",
+          name: "bash",
+          input: { command: "fail" },
+        },
       ]),
     );
     await addMessage(

package/src/__tests__/log-export-workspace.test.ts

@@ -93,6 +93,35 @@ writeFileSync(
   JSON.stringify({ provider: "anthropic" }),
 );
 
+// Conversation directories — used for workspace allowlist tests
+const conversationsDir = join(testWorkspaceDir, "conversations");
+mkdirSync(conversationsDir, { recursive: true });
+
+function seedConversation(name: string, body: string) {
+  const dir = join(conversationsDir, name);
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(join(dir, "meta.json"), "{}\n");
+  writeFileSync(join(dir, "messages.jsonl"), body);
+}
+
+seedConversation(
+  "2025-01-10T00-00-00.000Z_conv-jan10",
+  '{"role":"user","content":"jan 10"}\n',
+);
+seedConversation(
+  "2025-01-15T00-00-00.000Z_conv-jan15",
+  '{"role":"user","content":"jan 15"}\n',
+);
+seedConversation(
+  "2025-01-20T00-00-00.000Z_conv-jan20",
+  '{"role":"user","content":"jan 20"}\n',
+);
+seedConversation(
+  "2025-01-25T00-00-00.000Z_conv-jan25",
+  '{"role":"user","content":"jan 25"}\n',
+);
+seedConversation("malformed-name", '{"role":"user","content":"x"}\n');
+
 // Daemon log files — used for date filtering tests
 const logsDir = join(testWorkspaceDir, "data", "logs");
 mkdirSync(logsDir, { recursive: true });
@@ -241,3 +270,164 @@ describe("POST /v1/export — daemon log date filtering", () => {
     }
   });
 });
+
+describe("POST /v1/export — workspace allowlist", () => {
+  test("includes all valid conversation dirs by default", async () => {
+    const res = await callExport();
+    const dir = await extractArchive(res);
+    try {
+      const convs = readdirSync(join(dir, "workspace", "conversations"));
+      expect(convs).toContain("2025-01-10T00-00-00.000Z_conv-jan10");
+      expect(convs).toContain("2025-01-15T00-00-00.000Z_conv-jan15");
+      expect(convs).toContain("2025-01-20T00-00-00.000Z_conv-jan20");
+      expect(convs).toContain("2025-01-25T00-00-00.000Z_conv-jan25");
+      expect(convs).not.toContain("malformed-name");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("skips malformed conversation dir names", async () => {
+    const res = await callExport();
+    const dir = await extractArchive(res);
+    try {
+      const convs = readdirSync(join(dir, "workspace", "conversations"));
+      expect(convs).not.toContain("malformed-name");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("filters conversation dirs by startTime", async () => {
+    const startTime = Date.parse("2025-01-14T00:00:00Z");
+    const res = await callExport({ startTime });
+    const dir = await extractArchive(res);
+    try {
+      const convs = readdirSync(join(dir, "workspace", "conversations"));
+      expect(convs).not.toContain("2025-01-10T00-00-00.000Z_conv-jan10");
+      expect(convs).toContain("2025-01-15T00-00-00.000Z_conv-jan15");
+      expect(convs).toContain("2025-01-20T00-00-00.000Z_conv-jan20");
+      expect(convs).toContain("2025-01-25T00-00-00.000Z_conv-jan25");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("filters conversation dirs by endTime", async () => {
+    const endTime = Date.parse("2025-01-22T00:00:00Z");
+    const res = await callExport({ endTime });
+    const dir = await extractArchive(res);
+    try {
+      const convs = readdirSync(join(dir, "workspace", "conversations"));
+      expect(convs).toContain("2025-01-10T00-00-00.000Z_conv-jan10");
+      expect(convs).toContain("2025-01-15T00-00-00.000Z_conv-jan15");
+      expect(convs).toContain("2025-01-20T00-00-00.000Z_conv-jan20");
+      expect(convs).not.toContain("2025-01-25T00-00-00.000Z_conv-jan25");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("filters conversation dirs by both startTime and endTime", async () => {
+    const startTime = Date.parse("2025-01-14T00:00:00Z");
+    const endTime = Date.parse("2025-01-22T00:00:00Z");
+    const res = await callExport({ startTime, endTime });
+    const dir = await extractArchive(res);
+    try {
+      const convs = readdirSync(join(dir, "workspace", "conversations"));
+      expect(convs).not.toContain("2025-01-10T00-00-00.000Z_conv-jan10");
+      expect(convs).toContain("2025-01-15T00-00-00.000Z_conv-jan15");
+      expect(convs).toContain("2025-01-20T00-00-00.000Z_conv-jan20");
+      expect(convs).not.toContain("2025-01-25T00-00-00.000Z_conv-jan25");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("filters conversation dirs by conversationId", async () => {
+    const res = await callExport({ conversationId: "conv-jan15" });
+    const dir = await extractArchive(res);
+    try {
+      const convs = readdirSync(join(dir, "workspace", "conversations"));
+      expect(convs).toContain("2025-01-15T00-00-00.000Z_conv-jan15");
+      expect(convs).not.toContain("2025-01-10T00-00-00.000Z_conv-jan10");
+      expect(convs).not.toContain("2025-01-20T00-00-00.000Z_conv-jan20");
+      expect(convs).not.toContain("2025-01-25T00-00-00.000Z_conv-jan25");
+      expect(convs).not.toContain("malformed-name");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("conversationId + time filter intersect", async () => {
+    const res = await callExport({
+      conversationId: "conv-jan15",
+      startTime: Date.parse("2025-02-01T00:00:00Z"),
+    });
+    const dir = await extractArchive(res);
+    try {
+      const conversationsPath = join(dir, "workspace", "conversations");
+      let convs: string[] = [];
+      try {
+        convs = readdirSync(conversationsPath);
+      } catch {
+        // Directory does not exist — acceptable per the test contract.
+      }
+      expect(convs).toEqual([]);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("conversation dir contents survive the round trip", async () => {
+    const res = await callExport();
+    const dir = await extractArchive(res);
+    try {
+      const messagesPath = join(
+        dir,
+        "workspace",
+        "conversations",
+        "2025-01-15T00-00-00.000Z_conv-jan15",
+        "messages.jsonl",
+      );
+      const content = readFileSync(messagesPath, "utf-8");
+      expect(content).toBe('{"role":"user","content":"jan 15"}\n');
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("treats empty-string conversationId as no filter", async () => {
+    const res = await callExport({ conversationId: "" });
+    const dir = await extractArchive(res);
+    try {
+      // With conversationId === "" (which the rest of handleExport treats as
+      // unfiltered), workspace conversations should also be unfiltered. All
+      // four canonical conversation dirs should be present.
+      const conversationsDir = join(dir, "workspace", "conversations");
+      const entries = readdirSync(conversationsDir);
+      expect(entries).toContain("2025-01-10T00-00-00.000Z_conv-jan10");
+      expect(entries).toContain("2025-01-15T00-00-00.000Z_conv-jan15");
+      expect(entries).toContain("2025-01-20T00-00-00.000Z_conv-jan20");
+      expect(entries).toContain("2025-01-25T00-00-00.000Z_conv-jan25");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("treats startTime=0 and endTime=0 as no filter", async () => {
+    const res = await callExport({ startTime: 0, endTime: 0 });
+    const dir = await extractArchive(res);
+    try {
+      const conversationsDir = join(dir, "workspace", "conversations");
+      const entries = readdirSync(conversationsDir);
+      // All four canonical conversation dirs should be present (no filtering).
+      expect(entries).toContain("2025-01-10T00-00-00.000Z_conv-jan10");
+      expect(entries).toContain("2025-01-15T00-00-00.000Z_conv-jan15");
+      expect(entries).toContain("2025-01-20T00-00-00.000Z_conv-jan20");
+      expect(entries).toContain("2025-01-25T00-00-00.000Z_conv-jan25");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});

package/src/__tests__/managed-credential-catalog-cli.test.ts

@@ -45,7 +45,10 @@ mock.module("../security/secure-keys.js", () => ({
 
 // Mock global fetch
 const _originalFetch = globalThis.fetch;
-const mockFetch = async (input: string | URL | Request, init?: RequestInit) => {
+const mockFetch = async (
+  input: string | URL | Request,
+  _init?: RequestInit,
+) => {
   const url =
     typeof input === "string"
       ? input
@@ -57,14 +60,6 @@ const mockFetch = async (input: string | URL | Request, init?: RequestInit) => {
     return new Response("Not Found", { status: 404 });
   }
 
-  // Verify the Authorization header never leaks secrets into the request path
-  const authHeader = init?.headers
-    ? (init.headers as Record<string, string>)["Authorization"]
-    : undefined;
-  if (authHeader && !authHeader.startsWith("Api-Key ")) {
-    throw new Error("Unexpected auth header format");
-  }
-
   return new Response(JSON.stringify(entry.body), {
     status: entry.status,
     headers: { "Content-Type": "application/json" },
@@ -266,17 +261,17 @@ describe("fetchManagedCatalog", () => {
     expect(descriptor.handle).toBe("platform_oauth:conn_minimal");
   });
 
-  test("error messages never contain API key values", async () => {
+  test("error messages never contain sensitive details", async () => {
     mockPlatformBaseUrl = "https://platform.example.com";
     mockAssistantApiKey = "sk-super-secret-key-12345";
     mockPlatformAssistantId = "ast-uuid-1234";
 
-    // Simulate a network error
+    // Simulate a network error whose message contains sensitive data
     const savedFetch = globalThis.fetch;
     const errorFetch: typeof fetch = Object.assign(
       async () => {
         throw new Error(
-          "Connect failed to https://platform.example.com/v1/assistants/ast-uuid-1234/oauth/managed/catalog/ with Api-Key sk-super-secret-key-12345",
+          "Connect failed to https://platform.example.com/v1/assistants/ast-uuid-1234/oauth/managed/catalog/ with Bearer sk-super-secret-key-12345",
         );
       },
       { preconnect: savedFetch.preconnect },
@@ -287,9 +282,12 @@ describe("fetchManagedCatalog", () => {
       const result = await fetchManagedCatalog();
       expect(result.ok).toBe(false);
       expect(result.error).toBeDefined();
-      // Ensure the raw API key is not in the error message
+      // Raw error message (with URL, API key, etc.) must not leak
       expect(result.error).not.toContain("sk-super-secret-key-12345");
-      expect(result.error).toContain("[REDACTED]");
+      expect(result.error).not.toContain("platform.example.com");
+      expect(result.error).not.toContain("Connect failed");
+      // Should only contain the error class name
+      expect(result.error).toContain("Error");
     } finally {
       globalThis.fetch = savedFetch;
     }

package/src/__tests__/mcp-client-auth.test.ts

@@ -13,6 +13,7 @@ mock.module("../inbound/platform-callback-registration.js", () => ({
 }));
 
 const { McpClient } = await import("../mcp/client.js");
+const { McpOAuthProvider } = await import("../mcp/mcp-oauth-provider.js");
 
 /**
  * Mimics the SDK's StreamableHTTPError which has a `.code` property
@@ -67,7 +68,7 @@ describe("McpClient auth error detection", () => {
     expect(client.isConnected).toBe(false);
   });
 
-  test("rethrows non-auth StreamableHTTPError for HTTP transports", async () => {
+  test("swallows non-auth StreamableHTTPError (connect never throws)", async () => {
     const client = new McpClient("test-server");
 
     (client as any).createTransport = () => ({});
@@ -78,9 +79,9 @@ describe("McpClient auth error detection", () => {
       close: async () => {},
     };
 
-    await expect(client.connect(httpTransport)).rejects.toThrow(
-      "Internal Server Error",
-    );
+    // Non-auth errors are logged but never propagated — daemon keeps running
+    await client.connect(httpTransport);
+    expect(client.isConnected).toBe(false);
   });
 
   test("treats error message containing 'unauthorized' as auth error", async () => {
@@ -97,4 +98,39 @@ describe("McpClient auth error detection", () => {
     await client.connect(httpTransport);
     expect(client.isConnected).toBe(false);
   });
+
+  test("treats SDK fetchToken 'authorizationCode is required' error as auth error", async () => {
+    const client = new McpClient("test-server");
+
+    (client as any).createTransport = () => ({});
+    (client as any).client = {
+      connect: () => {
+        throw new Error(
+          "Either provider.prepareTokenRequest() or authorizationCode is required",
+        );
+      },
+      close: async () => {},
+    };
+
+    await client.connect(httpTransport);
+    expect(client.isConnected).toBe(false);
+  });
+});
+
+describe("McpOAuthProvider redirectUrl", () => {
+  test("redirectUrl is undefined until startCallbackServer() is called", () => {
+    const nonInteractive = new McpOAuthProvider(
+      "test-server",
+      "https://example.com/mcp",
+      /* interactive */ false,
+    );
+    expect(nonInteractive.redirectUrl).toBeUndefined();
+
+    const interactive = new McpOAuthProvider(
+      "test-server",
+      "https://example.com/mcp",
+      /* interactive */ true,
+    );
+    expect(interactive.redirectUrl).toBeUndefined();
+  });
 });

package/src/__tests__/mcp-health-check.test.ts

@@ -3,12 +3,16 @@ import { beforeEach, describe, expect, jest, mock, test } from "bun:test";
 const mockConnect = jest.fn();
 const mockDisconnect = jest.fn();
 let mockIsConnected = true;
+let mockLastError: Error | null = null;
 
 mock.module("../mcp/client.js", () => ({
   McpClient: class {
     get isConnected() {
       return mockIsConnected;
     }
+    get lastError() {
+      return mockLastError;
+    }
     connect = mockConnect;
     disconnect = mockDisconnect;
   },
@@ -32,6 +36,7 @@ describe("checkServerHealth", () => {
     mockConnect.mockReset();
     mockDisconnect.mockReset();
     mockIsConnected = true;
+    mockLastError = null;
   });
 
   test("returns Connected when server connects successfully", async () => {
@@ -43,7 +48,7 @@ describe("checkServerHealth", () => {
     expect(mockDisconnect).toHaveBeenCalled();
   });
 
-  test("returns Needs authentication when isConnected is false", async () => {
+  test("returns Needs authentication when isConnected is false and no lastError", async () => {
     mockConnect.mockResolvedValue(undefined);
     mockIsConnected = false;
 
@@ -51,8 +56,10 @@ describe("checkServerHealth", () => {
     expect(result).toContain("Needs authentication");
   });
 
-  test("returns Error when connect throws", async () => {
-    mockConnect.mockRejectedValue(new Error("Connection refused"));
+  test("returns Error when connect fails with lastError", async () => {
+    mockConnect.mockResolvedValue(undefined);
+    mockIsConnected = false;
+    mockLastError = new Error("Connection refused");
     mockDisconnect.mockResolvedValue(undefined);
 
     const result = await checkServerHealth("test", serverConfig());

package/src/__tests__/migration-cross-version-compatibility.test.ts

@@ -834,7 +834,9 @@ describe("round-trip: export -> validate -> preflight -> import", () => {
       expect(sha256Hex(writtenDb)).toBe(sha256Hex(dbData));
 
       const writtenConfig = readFileSync(testConfigPath, "utf8");
-      expect(writtenConfig).toBe('{"model":"test-round-trip"}');
+      expect(writtenConfig).toBe(
+        JSON.stringify({ model: "test-round-trip" }, null, 2) + "\n",
+      );
     }
   });
 

package/src/__tests__/migration-export-http.test.ts

@@ -75,7 +75,7 @@ beforeAll(() => {
   // Write test fixture files so the export reads real data
   mkdirSync(testDbDir, { recursive: true });
   writeFileSync(testDbPath, SQLITE_HEADER);
-  writeFileSync(testConfigPath, JSON.stringify(TEST_CONFIG, null, 2));
+  writeFileSync(testConfigPath, JSON.stringify(TEST_CONFIG, null, 2) + "\n");
 });
 
 // ---------------------------------------------------------------------------
@@ -323,7 +323,7 @@ describe("export data population", () => {
     );
     expect(configFile).toBeDefined();
     const expectedConfigSize = Buffer.byteLength(
-      JSON.stringify(TEST_CONFIG, null, 2),
+      JSON.stringify(TEST_CONFIG, null, 2) + "\n",
     );
     expect(configFile!.size).toBe(expectedConfigSize);
   });
@@ -428,6 +428,65 @@ describe("export graceful fallback", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// Config sanitization tests
+// ---------------------------------------------------------------------------
+
+describe("export config sanitization", () => {
+  test("exported config.json has environment-specific fields stripped", async () => {
+    // Write a config with environment-specific fields that should be stripped
+    const configWithEnvFields = {
+      provider: "anthropic",
+      model: "test-model",
+      ingress: {
+        publicBaseUrl: "https://my-tunnel.example.com",
+        enabled: true,
+        port: 8080,
+      },
+      daemon: {
+        autoStart: true,
+        logLevel: "debug",
+      },
+      skills: {
+        load: {
+          extraDirs: ["/home/user/custom-skills", "/opt/skills"],
+          autoReload: true,
+        },
+      },
+      memory: { enabled: true },
+    };
+    writeFileSync(testConfigPath, JSON.stringify(configWithEnvFields, null, 2));
+
+    const req = new Request("http://localhost/v1/migrations/export", {
+      method: "POST",
+    });
+
+    const res = await handleMigrationExport(req);
+    const archiveData = new Uint8Array(await res.arrayBuffer());
+    const entries = parseTarEntries(archiveData);
+
+    const configEntry = entries.find((e) => e.name === "workspace/config.json");
+    expect(configEntry).toBeDefined();
+
+    const parsedConfig = JSON.parse(
+      new TextDecoder().decode(configEntry!.data),
+    );
+
+    // Environment-specific fields should be stripped/reset
+    expect(parsedConfig.ingress.publicBaseUrl).toBe("");
+    expect(parsedConfig.ingress.enabled).toBeUndefined();
+    expect(parsedConfig.daemon).toBeUndefined();
+    expect(parsedConfig.skills.load.extraDirs).toEqual([]);
+
+    // Non-environment-specific fields should be preserved
+    expect(parsedConfig.provider).toBe("anthropic");
+    expect(parsedConfig.model).toBe("test-model");
+    expect(parsedConfig.ingress.port).toBe(8080);
+    expect(parsedConfig.skills.load.autoReload).toBe(true);
+    expect(parsedConfig.memory.enabled).toBe(true);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // Auth policy registration tests
 // ---------------------------------------------------------------------------

package/src/__tests__/migration-export-streaming.test.ts

@@ -285,6 +285,72 @@ describe("streamExportVBundle round-trip", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// Streaming config sanitization test
+// ---------------------------------------------------------------------------
+
+describe("streamExportVBundle config sanitization", () => {
+  test("exported config.json has environment-specific fields stripped", async () => {
+    // Write a config with environment-specific fields that should be stripped
+    const configWithEnvFields = {
+      provider: "anthropic",
+      model: "test-model",
+      ingress: {
+        publicBaseUrl: "https://my-tunnel.example.com",
+        enabled: true,
+        port: 8080,
+      },
+      daemon: {
+        autoStart: true,
+        logLevel: "debug",
+      },
+      skills: {
+        load: {
+          extraDirs: ["/home/user/custom-skills", "/opt/skills"],
+          autoReload: true,
+        },
+      },
+      memory: { enabled: true },
+    };
+    writeFileSync(testConfigPath, JSON.stringify(configWithEnvFields, null, 2));
+
+    const result = await streamExportVBundle({
+      workspaceDir: testDir,
+    });
+
+    try {
+      const archiveData = new Uint8Array(readFileSync(result.tempPath));
+      const entries = parseTarEntries(archiveData);
+
+      const configEntry = entries.find(
+        (e) => e.name === "workspace/config.json",
+      );
+      expect(configEntry).toBeDefined();
+
+      const parsedConfig = JSON.parse(
+        new TextDecoder().decode(configEntry!.data),
+      );
+
+      // Environment-specific fields should be stripped/reset
+      expect(parsedConfig.ingress.publicBaseUrl).toBe("");
+      expect(parsedConfig.ingress.enabled).toBeUndefined();
+      expect(parsedConfig.daemon).toBeUndefined();
+      expect(parsedConfig.skills.load.extraDirs).toEqual([]);
+
+      // Non-environment-specific fields should be preserved
+      expect(parsedConfig.provider).toBe("anthropic");
+      expect(parsedConfig.model).toBe("test-model");
+      expect(parsedConfig.ingress.port).toBe(8080);
+      expect(parsedConfig.skills.load.autoReload).toBe(true);
+      expect(parsedConfig.memory.enabled).toBe(true);
+    } finally {
+      // Restore original config for subsequent tests
+      writeFileSync(testConfigPath, JSON.stringify(TEST_CONFIG, null, 2));
+      await result.cleanup();
+    }
+  });
+});
+
 // ---------------------------------------------------------------------------
 // Cleanup idempotency test
 // ---------------------------------------------------------------------------