@vellumai/assistant 0.6.3 → 0.6.5

package/src/__tests__/tool-execution-pipeline.benchmark.test.ts

@@ -202,7 +202,7 @@ describe("Tool execution pipeline benchmark", () => {
     expect(p50).toBeLessThan(15);
     expect(p95).toBeLessThan(40);
     // Verify correctness: ls should be low risk
-    expect(results[0]).toBe(RiskLevel.Low);
+    expect(results[0].level).toBe(RiskLevel.Low);
   });
 
   test("classifyRisk: medium-risk tool (file_write)", async () => {
@@ -213,7 +213,7 @@ describe("Tool execution pipeline benchmark", () => {
 
     const p50 = percentile(timings, 50);
     expect(p50).toBeLessThan(5);
-    expect(results[0]).toBe(RiskLevel.Low);
+    expect(results[0].level).toBe(RiskLevel.Low);
   });
 
   test("check: full permission check for low-risk tool", async () => {

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -64,7 +64,7 @@ mock.module("../util/logger.js", () => ({
 }));
 
 mock.module("../permissions/checker.js", () => ({
-  classifyRisk: async () => checkerRisk,
+  classifyRisk: async () => ({ level: checkerRisk }),
   check: async () => ({ decision: checkerDecision, reason: checkerReason }),
   generateAllowlistOptions: () => [
     { label: "exact", description: "exact", pattern: "exact" },
@@ -72,8 +72,12 @@ mock.module("../permissions/checker.js", () => ({
   generateScopeOptions: () => [{ label: "/tmp", scope: "/tmp" }],
 }));
 
+// Mock every export so downstream test files that dynamically import modules
+// with a static `from "../memory/tool-usage-store.js"` still see all symbols.
 mock.module("../memory/tool-usage-store.js", () => ({
   recordToolInvocation: () => {},
+  getRecentInvocations: () => [],
+  rotateToolInvocations: () => 0,
 }));
 
 mock.module("../tools/registry.js", () => ({
@@ -621,11 +625,11 @@ describe("ToolExecutor lifecycle events", () => {
     expect(events.map((e) => e.type)).toEqual(["start", "executed"]);
   });
 
-  test("file_edit to USER.md emits permission_prompt under forcePromptSideEffects", async () => {
-    // Security invariant: editing USER.md in a private thread must always
-    // prompt, even when a trust rule would auto-allow.
+  test("file_edit to guardian persona emits permission_prompt under forcePromptSideEffects", async () => {
+    // Security invariant: editing the guardian persona file in a private
+    // thread must always prompt, even when a trust rule would auto-allow.
     checkerDecision = "allow";
-    checkerReason = "Matched trust rule: file_edit:*/USER.md";
+    checkerReason = "Matched trust rule: file_edit:*/users/*.md";
     checkerRisk = "low";
     promptDecision = "allow";
 
@@ -635,7 +639,7 @@ describe("ToolExecutor lifecycle events", () => {
     const result = await executor.execute(
       "file_edit",
       {
-        path: "/Users/sidd/.vellum/workspace/USER.md",
+        path: "/Users/alice/.vellum/workspace/users/alice.md",
         old_string: "old",
         new_string: "new",
       },

package/src/__tests__/tool-executor-shell-integration.test.ts

@@ -92,8 +92,12 @@ mock.module("../permissions/trust-store.js", () => ({
 }));
 
 // ── Tool usage store ──
+// Mock every export so downstream test files that dynamically import modules
+// with a static `from "../memory/tool-usage-store.js"` still see all symbols.
 mock.module("../memory/tool-usage-store.js", () => ({
   recordToolInvocation: () => {},
+  getRecentInvocations: () => [],
+  rotateToolInvocations: () => 0,
 }));
 
 // ── Path policy ──

package/src/__tests__/tool-executor.test.ts

@@ -109,7 +109,7 @@ mock.module("../util/logger.js", () => ({
 }));
 
 mock.module("../permissions/checker.js", () => ({
-  classifyRisk: async () => "low",
+  classifyRisk: async () => ({ level: "low" }),
   check: async (
     toolName: string,
     input: Record<string, unknown>,
@@ -129,8 +129,12 @@ mock.module("../permissions/checker.js", () => ({
     scopeOptionsOverride ?? [{ label: "/tmp", scope: "/tmp" }],
 }));
 
+// Mock every export so downstream test files that dynamically import modules
+// with a static `from "../memory/tool-usage-store.js"` still see all symbols.
 mock.module("../memory/tool-usage-store.js", () => ({
   recordToolInvocation: () => {},
+  getRecentInvocations: () => [],
+  rotateToolInvocations: () => 0,
 }));
 
 mock.module("../tools/registry.js", () => ({
@@ -305,6 +309,8 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "sandbox",
     });
   });
@@ -322,7 +328,10 @@ describe("ToolExecutor policy context plumbing", () => {
 
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.policyContext).toBeUndefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      executionContext: "conversation",
+      ephemeralRules: undefined,
+    });
   });
 
   test('passes undefined policyContext for tools with origin "core"', async () => {
@@ -352,7 +361,10 @@ describe("ToolExecutor policy context plumbing", () => {
 
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.policyContext).toBeUndefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      executionContext: "conversation",
+      ephemeralRules: undefined,
+    });
   });
 
   test('includes executionTarget "host" from skill tool metadata', async () => {
@@ -386,6 +398,8 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "host",
     });
   });
@@ -416,6 +430,8 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: undefined,
     });
   });
@@ -459,7 +475,7 @@ describe("ToolExecutor contextual rule creation", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",
@@ -524,7 +540,7 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(options.executionTarget).toBe("sandbox");
   });
 
-  test("always_allow_high_risk sets allowHighRisk and captures execution target", async () => {
+  test("always_allow captures execution target without allowHighRisk", async () => {
     checkResultOverride = { decision: "prompt", reason: "test prompt" };
     const spy = setupAddRuleSpy();
 
@@ -549,7 +565,7 @@ describe("ToolExecutor contextual rule creation", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "risky_tool:*",
       "everywhere",
     );
@@ -565,7 +581,6 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
     expect(options).toBeDefined();
-    expect(options.allowHighRisk).toBe(true);
     expect(options.executionTarget).toBe("host");
   });
 
@@ -659,13 +674,13 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(scope).toBe("everywhere");
   });
 
-  test("always_allow_high_risk for core tool sets allowHighRisk without execution target", async () => {
+  test("always_allow for core tool creates rule without execution target", async () => {
     checkResultOverride = { decision: "prompt", reason: "test prompt" };
     const spy = setupAddRuleSpy();
     getToolOverride = undefined;
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "sudo *",
       "everywhere",
     );
@@ -679,10 +694,8 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(result.isError).toBe(false);
     expect(spy).toHaveBeenCalledTimes(1);
     const [, , , , , options] = spy.mock.calls[0];
-    expect(options).toBeDefined();
-    expect(options.allowHighRisk).toBe(true);
-    // No execution target for core tools
-    expect(options.executionTarget).toBeUndefined();
+    // Core tools have no executionTarget, so ruleOptions is empty → undefined
+    expect(options).toBeUndefined();
   });
 
   test("skill tool with host execution target records executionTarget in rule", async () => {
@@ -750,7 +763,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",
@@ -767,7 +780,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     return addRuleSpy;
   }
 
-  test("always_allow_high_risk creates rule with allowHighRisk: true for high-risk skill tool", async () => {
+  test("always_allow creates rule with execution target for high-risk skill tool", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -795,7 +808,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "deploy_tool:*",
       "everywhere",
     );
@@ -814,12 +827,12 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(pattern).toBe("deploy_tool:*");
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
-    // The key integration assertion: allowHighRisk + execution target together
-    expect(options.allowHighRisk).toBe(true);
+    // The key integration assertion: execution target is captured
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("host");
   });
 
-  test("always_allow creates rule without allowHighRisk even for high-risk skill tool", async () => {
+  test("always_allow creates rule with execution target for skill tool", async () => {
     checkResultOverride = { decision: "prompt", reason: "test prompt" };
     const spy = setupAddRuleSpy();
 
@@ -843,9 +856,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
       };
     };
 
-    // User chooses always_allow (NOT always_allow_high_risk) — the rule
-    // should NOT have allowHighRisk set, meaning future high-risk checks
-    // will still prompt.
+    // User chooses always_allow — rule is created with execution target.
     const prompter = makePrompterWithDecision(
       "always_allow",
       "risky_op:*",
@@ -860,8 +871,8 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(options).toBeDefined();
     // executionTarget should be present
     expect(options.executionTarget).toBe("sandbox");
-    // But allowHighRisk should NOT be set
-    expect(options.allowHighRisk).toBeUndefined();
+    // Rule should have execution target
+    // allowHighRisk is no longer persisted
   });
 
   test("executor forwards policyContext to check() for version-bound skill tool", async () => {
@@ -890,13 +901,15 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
 
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "sandbox",
     });
   });
 
   // ── Skill mutation approval regression tests (PR 30) ──────────
 
-  test("always_allow_high_risk for skill source write creates rule with allowHighRisk and execution target", async () => {
+  test("always_allow for skill source write creates rule with execution target", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -924,7 +937,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "file_write:*/skills/**",
       "everywhere",
     );
@@ -942,11 +955,11 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(pattern).toBe("file_write:*/skills/**");
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
-    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("sandbox");
   });
 
-  test("always_allow (not high risk) for skill source write creates rule WITHOUT allowHighRisk", async () => {
+  test("always_allow for skill source write creates rule with execution target (baseline)", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -973,7 +986,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
       };
     };
 
-    // User chooses always_allow instead of always_allow_high_risk
+    // User chooses always_allow
     const prompter = makePrompterWithDecision(
       "always_allow",
       "file_write:*/skills/**",
@@ -991,8 +1004,8 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     const [, , , , , options] = spy.mock.calls[0];
     expect(options).toBeDefined();
     expect(options.executionTarget).toBe("sandbox");
-    // Without always_allow_high_risk, the allowHighRisk flag should NOT be set
-    expect(options.allowHighRisk).toBeUndefined();
+    // Execution target is captured from the tool context
+    // allowHighRisk is no longer persisted
   });
 
   test("skill version is captured in rule for future version-bound matching", async () => {
@@ -1023,7 +1036,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "file_edit:*/skills/**",
       "everywhere",
     );
@@ -1038,7 +1051,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(spy).toHaveBeenCalledTimes(1);
     const [tool, , , , , options] = spy.mock.calls[0];
     expect(tool).toBe("file_edit");
-    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("sandbox");
   });
 
@@ -1072,11 +1085,13 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
 
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "sandbox",
     });
   });
 
-  test("executor creates rule on always_allow_high_risk with full context", async () => {
+  test("executor creates rule on always_allow with full context", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -1104,7 +1119,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "admin_action:*",
       "everywhere",
     );
@@ -1124,7 +1139,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(pattern).toBe("admin_action:*");
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
-    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("host");
   });
 });
@@ -1143,12 +1158,6 @@ describe("isSideEffectTool", () => {
       "bash",
       "host_bash",
       "web_fetch",
-      "browser_navigate",
-      "browser_click",
-      "browser_type",
-      "browser_press_key",
-      "browser_close",
-      "browser_fill_credential",
       "document_create",
       "document_update",
       "schedule_create",
@@ -1169,6 +1178,14 @@ describe("isSideEffectTool", () => {
       "memory_recall",
       "memory_manage",
       "web_search",
+      "browser_navigate",
+      "browser_click",
+      "browser_type",
+      "browser_press_key",
+      "browser_close",
+      "browser_attach",
+      "browser_detach",
+      "browser_fill_credential",
       "browser_snapshot",
       "browser_screenshot",
       "browser_wait_for",
@@ -1220,12 +1237,13 @@ describe("isSideEffectTool", () => {
   });
 });
 
-// Baseline: allow rules can auto-allow file_edit for USER.md today (no forced prompting).
-// The mock check() delegates to findHighestPriorityRule (via spy) so a regression
-// in trust-rule matching would cause this test to fail instead of being masked by
-// a blanket mock-allow.
-describe("ToolExecutor baseline: allow rule auto-allows file_edit USER.md", () => {
-  const userMdPath = "/Users/sidd/.vellum/workspace/USER.md";
+// Baseline: allow rules can auto-allow file_edit for the guardian persona
+// today (no forced prompting). The mock check() delegates to
+// findHighestPriorityRule (via spy) so a regression in trust-rule matching
+// would cause this test to fail instead of being masked by a blanket
+// mock-allow.
+describe("ToolExecutor baseline: allow rule auto-allows file_edit guardian persona", () => {
+  const guardianPersonaPath = "/Users/alice/.vellum/workspace/users/alice.md";
   let ruleSpy: ReturnType<typeof spyOn> | undefined;
 
   beforeEach(() => {
@@ -1239,18 +1257,19 @@ describe("ToolExecutor baseline: allow rule auto-allows file_edit USER.md", () =
       addRuleSpy = undefined;
     }
 
-    // Simulate a trust rule that allows file_edit on USER.md by stubbing
-    // findHighestPriorityRule. This mirrors the default allow rules that
-    // the trust-store creates for workspace prompt files.
+    // Simulate a trust rule that allows file_edit on the guardian's per-user
+    // persona file by stubbing findHighestPriorityRule. This mirrors the
+    // default allow rules that the trust-store creates for the guardian
+    // persona file (see permissions/defaults.ts).
     ruleSpy = spyOn(trustStore, "findHighestPriorityRule").mockImplementation(
       (tool: string, commands: string[], _scope: string) => {
         if (tool !== "file_edit") return null;
         for (const cmd of commands) {
-          if (cmd === `file_edit:${userMdPath}`) {
+          if (cmd === `file_edit:${guardianPersonaPath}`) {
             return {
-              id: "default:allow-file_edit-user",
+              id: "default:allow-file_edit-guardian-persona",
               tool: "file_edit",
-              pattern: `file_edit:${userMdPath}`,
+              pattern: `file_edit:${guardianPersonaPath}`,
               scope: "everywhere",
               decision: "allow" as const,
               priority: 100,
@@ -1294,11 +1313,11 @@ describe("ToolExecutor baseline: allow rule auto-allows file_edit USER.md", () =
     }
   });
 
-  test("file_edit to USER.md is auto-allowed via trust rule", async () => {
+  test("file_edit to guardian persona is auto-allowed via trust rule", async () => {
     const executor = new ToolExecutor(makePrompter());
     const result = await executor.execute(
       "file_edit",
-      { path: userMdPath, content: "hello" },
+      { path: guardianPersonaPath, content: "hello" },
       makeContext(),
     );
     expect(result.isError).toBe(false);
@@ -1310,7 +1329,7 @@ describe("ToolExecutor baseline: allow rule auto-allows file_edit USER.md", () =
     expect(ruleSpy).toHaveBeenCalled();
   });
 
-  test("file_edit to a non-USER.md path is NOT auto-allowed without a matching rule", async () => {
+  test("file_edit to a non-guardian-persona path is NOT auto-allowed without a matching rule", async () => {
     let promptCalled = false;
     const trackingPrompter = {
       prompt: async () => {
@@ -1530,22 +1549,23 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     expect(promptCount).toBe(1);
   });
 
-  // ── USER.md security invariant (PR 31) ──────────
+  // ── Guardian persona security invariant (PR 31) ──────────
 
-  test("file_edit to USER.md forces prompt in private conversation even with matching trust rule", async () => {
-    // This is a key security invariant: USER.md contains the user's persistent
-    // memory. In a private conversation (forcePromptSideEffects=true), edits to it
-    // must always require explicit approval, even when a trust rule matches.
+  test("file_edit to guardian persona forces prompt in private conversation even with matching trust rule", async () => {
+    // This is a key security invariant: the guardian persona file contains
+    // the user's persistent memory. In a private conversation
+    // (forcePromptSideEffects=true), edits to it must always require explicit
+    // approval, even when a trust rule matches.
     checkResultOverride = {
       decision: "allow",
-      reason: "Matched trust rule: file_edit:*/USER.md",
+      reason: "Matched trust rule: file_edit:*/users/*.md",
     };
 
     const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
       "file_edit",
       {
-        path: "/Users/sidd/.vellum/workspace/USER.md",
+        path: "/Users/alice/.vellum/workspace/users/alice.md",
         old_string: "old pref",
         new_string: "new pref",
       },
@@ -1557,14 +1577,14 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     expect(promptCalled).toBe(true);
   });
 
-  test("host_file_edit to USER.md forces prompt in private conversation", async () => {
+  test("host_file_edit to guardian persona forces prompt in private conversation", async () => {
     checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 
     const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
       "host_file_edit",
       {
-        path: "/Users/sidd/.vellum/workspace/USER.md",
+        path: "/Users/alice/.vellum/workspace/users/alice.md",
         old_string: "x",
         new_string: "y",
       },
@@ -1575,51 +1595,6 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     expect(promptCalled).toBe(true);
   });
 
-  // ── Browser action tools as side-effect tools (PR fix2) ──────────
-
-  test("browser_click forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "browser_click",
-      { selector: "#submit-btn" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("browser_type forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "browser_type",
-      { selector: "#search-input", text: "query" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("browser_snapshot does NOT force prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "browser_snapshot",
-      {},
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // browser_snapshot is read-only — must NOT trigger forced prompting
-    expect(promptCalled).toBe(false);
-  });
-
   // ── Always-mutating document tools (PR fix5) ──────────
 
   test("document_create forces prompt in private conversation", async () => {
@@ -1823,7 +1798,7 @@ describe("ToolExecutor persistentDecisionsAllowed contract", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",
@@ -2163,7 +2138,7 @@ describe("ToolExecutor persistent-allow lifecycle", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",

package/src/__tests__/tool-result-truncation.test.ts

@@ -11,6 +11,20 @@ import {
 } from "../context/tool-result-truncation.js";
 import type { ContentBlock, ToolResultContent } from "../providers/types.js";
 
+function hasOrphanedSurrogate(str: string): boolean {
+  for (let i = 0; i < str.length; i++) {
+    const code = str.charCodeAt(i);
+    if (code >= 0xd800 && code <= 0xdbff) {
+      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : 0;
+      if (next < 0xdc00 || next > 0xdfff) return true;
+      i++;
+    } else if (code >= 0xdc00 && code <= 0xdfff) {
+      return true;
+    }
+  }
+  return false;
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -100,6 +114,28 @@ describe("truncateToolResultText", () => {
     expect(result).toBe(text);
     expect(result).not.toContain(TRUNCATION_SUFFIX);
   });
+
+  test("does not orphan a UTF-16 surrogate pair at the cut boundary", () => {
+    // Regression for the "no low surrogate in string" Anthropic 400 error.
+    // Build a string where the cut point lands inside a surrogate pair:
+    // 4999 padding chars, then an emoji (2 code units), then enough filler
+    // to push the cut inside the pair.
+    const EMOJI = "\uD83C\uDF89";
+    // maxChars = 5_000, so cutPoint = 5_000 - TRUNCATION_SUFFIX.length.
+    // Put the emoji so its high surrogate lands exactly at cutPoint - 1.
+    const maxChars = 5_000;
+    const cutPoint = maxChars - TRUNCATION_SUFFIX.length;
+    // Fill up to cutPoint - 1 with "a"s, then place the emoji so the high
+    // surrogate is the character at cutPoint - 1 and the low is at cutPoint.
+    const prefix = "a".repeat(cutPoint - 1);
+    const text = prefix + EMOJI + "b".repeat(100);
+    // Use a long filler with no newlines so lastIndexOf("\n", cutPoint) === -1
+    // and the function falls back to cutPoint itself.
+    const result = truncateToolResultText(text, maxChars);
+    expect(hasOrphanedSurrogate(result)).toBe(false);
+    // JSON.stringify must not throw on the result.
+    expect(() => JSON.stringify(result)).not.toThrow();
+  });
 });
 
 // ---------------------------------------------------------------------------