@vellumai/assistant 0.6.4 → 0.6.5

package/src/runtime/routes/__tests__/migration-import-credential-filter.test.ts

@@ -1,22 +1,32 @@
 /**
  * Tests for platform credential filtering during bundle import.
  *
- * The filtering logic in migration-routes.ts uses the PLATFORM_CREDENTIAL_PREFIX
- * constant ("vellum:") to exclude platform-identity credentials from being
- * written to the credential store during import. Since the filtering is a simple
- * array filter, we test the logic directly using the same prefix constant and
- * extractCredentialsFromBundle function — without needing to drive the full
- * HTTP handler (which has heavy transitive dependencies).
+ * `migration-routes.ts` pushes every bundle credential through a filter that
+ * must exclude platform-identity (`vellum:*`) entries so they can't overwrite
+ * the target's own Django-provisioned identity. The filter runs against the
+ * raw CES account format — `credential/{service}/{field}` — produced by
+ * `credentialKey()`, which is what `listSecureKeysAsync()` returns and what
+ * `extractCredentialsFromBundle` surfaces back as `account`.
  *
- * Covers:
- * - vellum:* credentials are excluded when filtering with the prefix
- * - User credentials (without vellum: prefix) pass through unchanged
- * - Mixed bundles correctly split platform vs user credentials
- * - skippedPlatform count is accurate
+ * The constant is duplicated here (rather than imported) because
+ * `migration-routes.ts` has heavy transitive imports that are expensive to
+ * resolve in a test and would require wide mocking. Instead we bind the two
+ * copies with a regression assertion: if `credentialKey()`'s output format
+ * changes, the `startsWith(...)` prefix must change in lockstep. That
+ * regression is explicit at the bottom of this file.
+ *
+ * Covered:
+ * - Platform (vellum:*) credentials stored under the real `credential/vellum/...`
+ *   key format are excluded.
+ * - User credentials (any other prefix) pass through unchanged.
+ * - Mixed bundles correctly split platform vs user credentials.
+ * - skippedPlatform count matches the number of excluded entries.
+ * - Regression: the prefix constant matches `credentialKey("vellum", "")`.
  */
 
 import { describe, expect, test } from "bun:test";
 
+import { credentialKey } from "../../../security/credential-key.js";
 import { extractCredentialsFromBundle } from "../../migrations/vbundle-importer.js";
 import type {
   ManifestType,
@@ -24,10 +34,11 @@ import type {
 } from "../../migrations/vbundle-validator.js";
 
 // ---------------------------------------------------------------------------
-// The same constant used by migration-routes.ts
+// The same constant used by migration-routes.ts — kept in sync via the
+// regression assertion at the bottom of this file.
 // ---------------------------------------------------------------------------
 
-const PLATFORM_CREDENTIAL_PREFIX = "vellum:";
+const PLATFORM_CREDENTIAL_PREFIX = credentialKey("vellum", "");
 
 // ---------------------------------------------------------------------------
 // Helpers (same pattern as vbundle-import-credentials.test.ts)
@@ -52,6 +63,15 @@ function makeManifest(paths: string[]): ManifestType {
   } as ManifestType;
 }
 
+/**
+ * Build a bundle archive entry path for a credential whose CES account is
+ * `account`. `vbundle-builder.ts` stores credentials under
+ * `credentials/<account>`; the importer reverses that split.
+ */
+function bundlePathFor(account: string): string {
+  return `credentials/${account}`;
+}
+
 /**
  * Simulate the filtering logic from migration-routes.ts:
  *
@@ -74,49 +94,45 @@ function filterCredentials(
 // ---------------------------------------------------------------------------
 
 describe("migration import credential filtering", () => {
-  test("vellum:-prefixed credentials are excluded", () => {
-    const entries = new Map<string, VBundleTarEntry>();
-    entries.set("credentials/vellum:assistant_api_key", makeTarEntry("key-1"));
-    entries.set(
-      "credentials/vellum:platform_assistant_id",
-      makeTarEntry("asst-2"),
-    );
-    entries.set(
-      "credentials/vellum:platform_base_url",
-      makeTarEntry("https://example.com"),
-    );
-    entries.set(
-      "credentials/vellum:platform_organization_id",
-      makeTarEntry("org-3"),
+  test("platform (vellum:*) credentials are excluded", () => {
+    const vellumFields = [
+      "assistant_api_key",
+      "platform_assistant_id",
+      "platform_base_url",
+      "platform_organization_id",
+      "platform_user_id",
+      "webhook_secret",
+    ] as const;
+    const vellumPaths = vellumFields.map((f) =>
+      bundlePathFor(credentialKey("vellum", f)),
     );
-    entries.set("credentials/vellum:platform_user_id", makeTarEntry("user-4"));
-    entries.set("credentials/vellum:webhook_secret", makeTarEntry("whsec-5"));
 
-    const manifest = makeManifest([
-      "credentials/vellum:assistant_api_key",
-      "credentials/vellum:platform_assistant_id",
-      "credentials/vellum:platform_base_url",
-      "credentials/vellum:platform_organization_id",
-      "credentials/vellum:platform_user_id",
-      "credentials/vellum:webhook_secret",
-    ]);
+    const entries = new Map<string, VBundleTarEntry>();
+    for (const path of vellumPaths) {
+      entries.set(path, makeTarEntry(`value-for-${path}`));
+    }
+
+    const manifest = makeManifest(vellumPaths);
 
     const bundleCredentials = extractCredentialsFromBundle(entries, manifest);
     const { userCredentials, skippedPlatform } =
       filterCredentials(bundleCredentials);
 
     expect(userCredentials).toHaveLength(0);
-    expect(skippedPlatform).toBe(6);
+    expect(skippedPlatform).toBe(vellumFields.length);
   });
 
-  test("user credentials without vellum: prefix pass through unchanged", () => {
+  test("user credentials pass through unchanged", () => {
+    const openaiAccount = credentialKey("openai", "api_key");
+    const anthropicAccount = credentialKey("anthropic", "api_key");
+
     const entries = new Map<string, VBundleTarEntry>();
-    entries.set("credentials/openai-key", makeTarEntry("sk-user-123"));
-    entries.set("credentials/anthropic-key", makeTarEntry("sk-ant-456"));
+    entries.set(bundlePathFor(openaiAccount), makeTarEntry("sk-user-123"));
+    entries.set(bundlePathFor(anthropicAccount), makeTarEntry("sk-ant-456"));
 
     const manifest = makeManifest([
-      "credentials/openai-key",
-      "credentials/anthropic-key",
+      bundlePathFor(openaiAccount),
+      bundlePathFor(anthropicAccount),
     ]);
 
     const bundleCredentials = extractCredentialsFromBundle(entries, manifest);
@@ -125,50 +141,50 @@ describe("migration import credential filtering", () => {
 
     expect(userCredentials).toHaveLength(2);
     expect(userCredentials).toContainEqual({
-      account: "openai-key",
+      account: openaiAccount,
       value: "sk-user-123",
     });
     expect(userCredentials).toContainEqual({
-      account: "anthropic-key",
+      account: anthropicAccount,
       value: "sk-ant-456",
     });
     expect(skippedPlatform).toBe(0);
   });
 
-  test("mixed bundle with both vellum:* and user credentials correctly splits", () => {
+  test("mixed bundle with both platform and user credentials correctly splits", () => {
+    const vellumApiKey = credentialKey("vellum", "assistant_api_key");
+    const vellumUserId = credentialKey("vellum", "platform_user_id");
+    const openaiKey = credentialKey("openai", "api_key");
+    const anthropicKey = credentialKey("anthropic", "api_key");
+    const githubToken = credentialKey("github", "api_token");
+
     const entries = new Map<string, VBundleTarEntry>();
-    entries.set(
-      "credentials/vellum:assistant_api_key",
-      makeTarEntry("platform-key"),
-    );
-    entries.set(
-      "credentials/vellum:platform_user_id",
-      makeTarEntry("platform-user"),
-    );
-    entries.set("credentials/openai-key", makeTarEntry("sk-user-123"));
-    entries.set("credentials/anthropic-key", makeTarEntry("sk-ant-456"));
-    entries.set("credentials/github-token", makeTarEntry("ghp-789"));
+    entries.set(bundlePathFor(vellumApiKey), makeTarEntry("platform-key"));
+    entries.set(bundlePathFor(vellumUserId), makeTarEntry("platform-user"));
+    entries.set(bundlePathFor(openaiKey), makeTarEntry("sk-user-123"));
+    entries.set(bundlePathFor(anthropicKey), makeTarEntry("sk-ant-456"));
+    entries.set(bundlePathFor(githubToken), makeTarEntry("ghp-789"));
 
     const manifest = makeManifest([
-      "credentials/vellum:assistant_api_key",
-      "credentials/vellum:platform_user_id",
-      "credentials/openai-key",
-      "credentials/anthropic-key",
-      "credentials/github-token",
+      bundlePathFor(vellumApiKey),
+      bundlePathFor(vellumUserId),
+      bundlePathFor(openaiKey),
+      bundlePathFor(anthropicKey),
+      bundlePathFor(githubToken),
     ]);
 
     const bundleCredentials = extractCredentialsFromBundle(entries, manifest);
     const { userCredentials, skippedPlatform } =
       filterCredentials(bundleCredentials);
 
-    // Only user credentials should pass through
+    // Only user credentials should pass through.
     expect(userCredentials).toHaveLength(3);
     const accounts = userCredentials.map((c) => c.account).sort();
-    expect(accounts).toEqual(["anthropic-key", "github-token", "openai-key"]);
+    expect(accounts).toEqual([anthropicKey, githubToken, openaiKey].sort());
 
-    // No vellum: credentials in the filtered output
+    // No platform credentials in the filtered output.
     const vellumCreds = userCredentials.filter((c) =>
-      c.account.startsWith("vellum:"),
+      c.account.startsWith(PLATFORM_CREDENTIAL_PREFIX),
     );
     expect(vellumCreds).toHaveLength(0);
 
@@ -176,17 +192,22 @@ describe("migration import credential filtering", () => {
   });
 
   test("skippedPlatform count is accurate with mixed credentials", () => {
+    const vellumApiKey = credentialKey("vellum", "assistant_api_key");
+    const vellumBaseUrl = credentialKey("vellum", "platform_base_url");
+    const vellumWebhook = credentialKey("vellum", "webhook_secret");
+    const userKey = credentialKey("github", "api_token");
+
     const entries = new Map<string, VBundleTarEntry>();
-    entries.set("credentials/vellum:assistant_api_key", makeTarEntry("v1"));
-    entries.set("credentials/vellum:platform_base_url", makeTarEntry("v2"));
-    entries.set("credentials/vellum:webhook_secret", makeTarEntry("v3"));
-    entries.set("credentials/user-key", makeTarEntry("user-val"));
+    entries.set(bundlePathFor(vellumApiKey), makeTarEntry("v1"));
+    entries.set(bundlePathFor(vellumBaseUrl), makeTarEntry("v2"));
+    entries.set(bundlePathFor(vellumWebhook), makeTarEntry("v3"));
+    entries.set(bundlePathFor(userKey), makeTarEntry("user-val"));
 
     const manifest = makeManifest([
-      "credentials/vellum:assistant_api_key",
-      "credentials/vellum:platform_base_url",
-      "credentials/vellum:webhook_secret",
-      "credentials/user-key",
+      bundlePathFor(vellumApiKey),
+      bundlePathFor(vellumBaseUrl),
+      bundlePathFor(vellumWebhook),
+      bundlePathFor(userKey),
     ]);
 
     const bundleCredentials = extractCredentialsFromBundle(entries, manifest);
@@ -196,7 +217,7 @@ describe("migration import credential filtering", () => {
     expect(skippedPlatform).toBe(3);
     expect(userCredentials).toHaveLength(1);
     expect(userCredentials[0]).toEqual({
-      account: "user-key",
+      account: userKey,
       value: "user-val",
     });
 
@@ -205,4 +226,22 @@ describe("migration import credential filtering", () => {
       userCredentials.length + skippedPlatform,
     );
   });
+
+  test("regression: the prefix matches credentialKey('vellum', '') so format changes propagate", () => {
+    // If credentialKey()'s format ever changes (e.g. slash → something else),
+    // this assertion will fail and the duplicated constant in
+    // migration-routes.ts must be updated to stay in sync.
+    expect(PLATFORM_CREDENTIAL_PREFIX).toBe("credential/vellum/");
+    expect(
+      credentialKey("vellum", "assistant_api_key").startsWith(
+        PLATFORM_CREDENTIAL_PREFIX,
+      ),
+    ).toBe(true);
+
+    // The raw "vellum:" string is not a valid CES account prefix — only
+    // the full "credential/vellum/" format from credentialKey() is correct.
+    expect(
+      credentialKey("vellum", "assistant_api_key").startsWith("vellum:"),
+    ).toBe(false);
+  });
 });

package/src/runtime/routes/__tests__/migration-vellum-metadata-reconcile.test.ts

@@ -0,0 +1,246 @@
+/**
+ * Tests for the post-import vellum metadata reconciliation helper.
+ *
+ * After every bundle import, `reconcileVellumMetadataFromCes` walks the
+ * platform-identity fields the gateway requires and, for each one that
+ * CES already holds a value for, ensures `metadata.json` lists a
+ * matching entry. This closes the race where a provisioning write to
+ * CES completes successfully but its metadata upsert gets clobbered by
+ * the import's in-place clear or atomic swap. The reconciled set covers
+ * both the Django-provisioned fields (assistant_api_key,
+ * platform_assistant_id, platform_base_url, webhook_secret) and the
+ * client-injected identity fields (platform_organization_id,
+ * platform_user_id).
+ *
+ * We test the reconcile logic in isolation by mocking the secure-keys
+ * and metadata-store modules — the real migration handler wires the
+ * same imports, so the behavior under test matches production.
+ *
+ * Covered:
+ * - CES has all 6 fields + metadata empty → all 6 upserted.
+ * - CES has all 6 + metadata has 2 → only the missing 4 upserted.
+ * - CES has no values → nothing upserted.
+ * - CES has values + metadata already has them → no-op (no duplicate
+ *   upserts).
+ * - upsert throws for one field → warning recorded, loop continues.
+ */
+
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { credentialKey } from "../../../security/credential-key.js";
+
+type MetadataRecord = {
+  credentialId: string;
+  service: string;
+  field: string;
+  allowedTools: string[];
+  allowedDomains: string[];
+  createdAt: number;
+  updatedAt: number;
+};
+
+const VELLUM_FIELDS = [
+  "platform_base_url",
+  "assistant_api_key",
+  "platform_assistant_id",
+  "platform_organization_id",
+  "platform_user_id",
+  "webhook_secret",
+] as const;
+
+const upsertCalls: Array<{ service: string; field: string }> = [];
+let metadataStore: Map<string, MetadataRecord> = new Map();
+let cesValues: Map<string, string> = new Map();
+let upsertImpl: (service: string, field: string) => void = (service, field) => {
+  const key = `${service}:${field}`;
+  metadataStore.set(key, {
+    credentialId: `id-${key}`,
+    service,
+    field,
+    allowedTools: [],
+    allowedDomains: [],
+    createdAt: Date.now(),
+    updatedAt: Date.now(),
+  });
+};
+
+mock.module("../../../security/secure-keys.js", () => ({
+  bulkSetSecureKeysAsync: async () => [],
+  deleteSecureKeyAsync: async () => "ok",
+  getActiveBackendName: () => "test",
+  getMaskedProviderKey: async () => null,
+  getProviderKeyAsync: async () => null,
+  getSecureKeyAsync: async (key: string) => cesValues.get(key) ?? null,
+  getSecureKeyResultAsync: async () => ({ ok: true, value: null }),
+  listSecureKeysAsync: async () => [],
+  onCesClientChanged: () => {},
+  setCesClient: () => {},
+  setCesReconnect: () => {},
+  setSecureKeyAsync: async () => true,
+  _resetBackend: () => {},
+}));
+
+mock.module("../../../tools/credentials/metadata-store.js", () => ({
+  getCredentialMetadata: (service: string, field: string) =>
+    metadataStore.get(`${service}:${field}`),
+  upsertCredentialMetadata: (
+    service: string,
+    field: string,
+    _policy?: unknown,
+  ) => {
+    upsertCalls.push({ service, field });
+    upsertImpl(service, field);
+    return metadataStore.get(`${service}:${field}`);
+  },
+}));
+
+// Import under test AFTER the mocks are set up.
+const { reconcileVellumMetadataFromCes } =
+  (await import("../migration-routes.js")) as unknown as {
+    reconcileVellumMetadataFromCes: (sink: {
+      warnings: string[];
+    }) => Promise<void>;
+  };
+
+beforeEach(() => {
+  upsertCalls.length = 0;
+  metadataStore = new Map();
+  cesValues = new Map();
+  upsertImpl = (service, field) => {
+    const key = `${service}:${field}`;
+    metadataStore.set(key, {
+      credentialId: `id-${key}`,
+      service,
+      field,
+      allowedTools: [],
+      allowedDomains: [],
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+  };
+});
+
+afterEach(() => {
+  upsertCalls.length = 0;
+});
+
+function seedAllInCes(): void {
+  for (const field of VELLUM_FIELDS) {
+    cesValues.set(credentialKey("vellum", field), `value-for-${field}`);
+  }
+}
+
+describe("reconcileVellumMetadataFromCes", () => {
+  test("CES holds all fields, metadata empty → all upserted", async () => {
+    seedAllInCes();
+    const sink = { warnings: [] as string[] };
+
+    await reconcileVellumMetadataFromCes(sink);
+
+    expect(upsertCalls).toHaveLength(VELLUM_FIELDS.length);
+    expect(new Set(upsertCalls.map((c) => c.field))).toEqual(
+      new Set(VELLUM_FIELDS),
+    );
+    expect(sink.warnings).toHaveLength(0);
+  });
+
+  test("CES holds all, metadata has 2 → only the missing ones upserted", async () => {
+    seedAllInCes();
+    // Pre-populate metadata for 2 of the fields.
+    const prepopulated = ["platform_base_url", "assistant_api_key"] as const;
+    for (const field of prepopulated) {
+      metadataStore.set(`vellum:${field}`, {
+        credentialId: `id-vellum:${field}`,
+        service: "vellum",
+        field,
+        allowedTools: [],
+        allowedDomains: [],
+        createdAt: 1,
+        updatedAt: 1,
+      });
+    }
+
+    const sink = { warnings: [] as string[] };
+    await reconcileVellumMetadataFromCes(sink);
+
+    const expectedMissing = VELLUM_FIELDS.filter(
+      (f) => !(prepopulated as readonly string[]).includes(f),
+    );
+    expect(upsertCalls).toHaveLength(expectedMissing.length);
+    expect(new Set(upsertCalls.map((c) => c.field))).toEqual(
+      new Set(expectedMissing),
+    );
+  });
+
+  test("covers both Django-provisioned and client-injected identity fields", async () => {
+    seedAllInCes();
+    const sink = { warnings: [] as string[] };
+    await reconcileVellumMetadataFromCes(sink);
+
+    const reconciled = new Set(upsertCalls.map((c) => c.field));
+    // Django-provisioned quartet.
+    expect(reconciled).toContain("platform_base_url");
+    expect(reconciled).toContain("assistant_api_key");
+    expect(reconciled).toContain("platform_assistant_id");
+    expect(reconciled).toContain("webhook_secret");
+    // Client-injected identity fields (onboarding / teleport / transfer).
+    expect(reconciled).toContain("platform_organization_id");
+    expect(reconciled).toContain("platform_user_id");
+  });
+
+  test("CES empty → nothing upserted", async () => {
+    const sink = { warnings: [] as string[] };
+    await reconcileVellumMetadataFromCes(sink);
+    expect(upsertCalls).toHaveLength(0);
+    expect(sink.warnings).toHaveLength(0);
+  });
+
+  test("CES has values, metadata already has entries → no duplicate upserts", async () => {
+    seedAllInCes();
+    for (const field of VELLUM_FIELDS) {
+      metadataStore.set(`vellum:${field}`, {
+        credentialId: `id-vellum:${field}`,
+        service: "vellum",
+        field,
+        allowedTools: [],
+        allowedDomains: [],
+        createdAt: 1,
+        updatedAt: 1,
+      });
+    }
+
+    const sink = { warnings: [] as string[] };
+    await reconcileVellumMetadataFromCes(sink);
+
+    expect(upsertCalls).toHaveLength(0);
+  });
+
+  test("upsert throws for one field → warning recorded, loop continues", async () => {
+    seedAllInCes();
+    let calls = 0;
+    upsertImpl = (service, field) => {
+      calls += 1;
+      if (field === "assistant_api_key") {
+        throw new Error("simulated metadata write failure");
+      }
+      const key = `${service}:${field}`;
+      metadataStore.set(key, {
+        credentialId: `id-${key}`,
+        service,
+        field,
+        allowedTools: [],
+        allowedDomains: [],
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      });
+    };
+
+    const sink = { warnings: [] as string[] };
+    await reconcileVellumMetadataFromCes(sink);
+
+    // Every field was attempted (loop did not abort).
+    expect(calls).toBe(VELLUM_FIELDS.length);
+    expect(sink.warnings).toHaveLength(1);
+    expect(sink.warnings[0]).toContain("vellum:assistant_api_key");
+  });
+});

package/src/runtime/routes/approval-prompt-ts-tracker.ts

@@ -0,0 +1,58 @@
+/**
+ * In-memory tracker for approval prompt message timestamps.
+ *
+ * Scopes guardian reaction approvals so only reactions on a known
+ * approval prompt can resolve a pending request. Without this, a stray
+ * 👍/✅ on any message in the guardian chat could approve a pending
+ * request (since reactions are now admitted from any subscribed channel,
+ * not just tracked bot threads).
+ *
+ * Entries expire after `APPROVAL_PROMPT_TS_TTL_MS` (matches the guardian
+ * approval TTL of 30 minutes, plus grace). Populated when an approval
+ * prompt is successfully delivered; consulted before applying a guardian
+ * reaction decision.
+ */
+
+const APPROVAL_PROMPT_TS_TTL_MS = 35 * 60 * 1000;
+
+const tracked = new Map<string, number>();
+
+function key(channel: string, chatId: string, ts: string): string {
+  return `${channel}\u0000${chatId}\u0000${ts}`;
+}
+
+function pruneExpired(now: number): void {
+  for (const [k, expiresAt] of tracked) {
+    if (expiresAt <= now) tracked.delete(k);
+  }
+}
+
+export function trackApprovalPromptTs(
+  channel: string,
+  chatId: string,
+  ts: string,
+): void {
+  const now = Date.now();
+  pruneExpired(now);
+  tracked.set(key(channel, chatId, ts), now + APPROVAL_PROMPT_TS_TTL_MS);
+}
+
+export function isTrackedApprovalPromptTs(
+  channel: string,
+  chatId: string,
+  ts: string,
+): boolean {
+  const k = key(channel, chatId, ts);
+  const expiresAt = tracked.get(k);
+  if (expiresAt === undefined) return false;
+  if (expiresAt <= Date.now()) {
+    tracked.delete(k);
+    return false;
+  }
+  return true;
+}
+
+/** @internal Test-only — clear all tracked entries. */
+export function _clearApprovalPromptTsTrackerForTesting(): void {
+  tracked.clear();
+}

package/src/runtime/routes/approval-routes.ts

@@ -50,9 +50,7 @@ function canonicalizeV2ConfirmDecision(params: {
   }
 
   if (
-    (decision === "always_allow" ||
-      decision === "always_allow_high_risk" ||
-      decision === "always_deny") &&
+    (decision === "always_allow" || decision === "always_deny") &&
     details.persistentDecisionsAllowed
   ) {
     return decision === "always_deny" ? "deny" : "allow";
@@ -79,7 +77,11 @@ export async function handleConfirm(
     selectedScope?: string;
   };
 
-  const { requestId, decision, selectedPattern, selectedScope } = body;
+  const { requestId, selectedPattern, selectedScope } = body;
+  // Normalize legacy decision: older clients may still send
+  // "always_allow_high_risk" for high-risk prompts.
+  const decision =
+    body.decision === "always_allow_high_risk" ? "always_allow" : body.decision;
 
   if (!requestId || typeof requestId !== "string") {
     return httpError("BAD_REQUEST", "requestId is required", 400);
@@ -111,7 +113,6 @@ export async function handleConfirm(
     "deny",
     "always_allow",
     "always_deny",
-    "always_allow_high_risk",
   ];
   if (
     (v2Enabled && effectiveDecision == null) ||
@@ -152,9 +153,7 @@ export async function handleConfirm(
   // and selectedScope are among the options the server actually offered.
   // This prevents a crafted request from injecting overly-broad rules.
   const persistsRule =
-    decision === "always_allow" ||
-    decision === "always_deny" ||
-    decision === "always_allow_high_risk";
+    decision === "always_allow" || decision === "always_deny";
   if (persistsRule && (selectedPattern || selectedScope)) {
     const confirmation = peeked.confirmationDetails;
     if (!confirmation) {
@@ -312,10 +311,9 @@ export async function handleTrustRule(
     pattern?: string;
     scope?: string;
     decision?: string;
-    allowHighRisk?: boolean;
   };
 
-  const { requestId, pattern, scope, decision, allowHighRisk } = body;
+  const { requestId, pattern, scope, decision } = body;
 
   if (!requestId || typeof requestId !== "string") {
     return httpError("BAD_REQUEST", "requestId is required", 400);
@@ -396,9 +394,10 @@ export async function handleTrustRule(
     const tool = getTool(confirmation.toolName);
     const executionTarget =
       tool?.origin === "skill" ? confirmation.executionTarget : undefined;
+
+    // Canonicalization is handled inside addRule — no need to pre-parse here.
     addRule(confirmation.toolName, pattern, scope, decision, undefined, {
-      allowHighRisk: allowHighRisk || undefined,
-      executionTarget,
+      ...(executionTarget != null ? { executionTarget } : {}),
     });
     log.info(
       { tool: confirmation.toolName, pattern, scope, decision, requestId },
@@ -504,7 +503,7 @@ export function approvalRouteDefinitions(): RouteDefinition[] {
         decision: z
           .string()
           .describe(
-            "One of: allow, allow_10m, allow_conversation, deny, always_allow, always_deny, always_allow_high_risk",
+            "One of: allow, allow_10m, allow_conversation, deny, always_allow, always_deny",
           ),
         selectedPattern: z
           .string()
@@ -551,10 +550,6 @@ export function approvalRouteDefinitions(): RouteDefinition[] {
         pattern: z.string().describe("Allowlist pattern"),
         scope: z.string().describe("Scope for the rule"),
         decision: z.string().describe("allow or deny"),
-        allowHighRisk: z
-          .boolean()
-          .describe("Allow high-risk invocations")
-          .optional(),
       }),
       responseBody: z.object({
         accepted: z.boolean(),