@vellumai/assistant 0.6.4 → 0.6.6

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -64,7 +64,7 @@ mock.module("../util/logger.js", () => ({
 }));
 
 mock.module("../permissions/checker.js", () => ({
-  classifyRisk: async () => checkerRisk,
+  classifyRisk: async () => ({ level: checkerRisk }),
   check: async () => ({ decision: checkerDecision, reason: checkerReason }),
   generateAllowlistOptions: () => [
     { label: "exact", description: "exact", pattern: "exact" },
@@ -639,7 +639,7 @@ describe("ToolExecutor lifecycle events", () => {
     const result = await executor.execute(
       "file_edit",
       {
-        path: "/Users/sidd/.vellum/workspace/users/sidd.md",
+        path: "/Users/alice/.vellum/workspace/users/alice.md",
         old_string: "old",
         new_string: "new",
       },

package/src/__tests__/tool-executor-shell-integration.test.ts

@@ -3,9 +3,9 @@
  *
  * Unlike tool-executor.test.ts, this file does NOT mock ../permissions/checker.js,
  * so generateAllowlistOptions and generateScopeOptions run through the actual
- * implementation (buildShellAllowlistOptions → analyzeShellCommand → tree-sitter
- * WASM parser). This validates the full e2e chain from executor to parser-derived
- * allowlist options.
+ * implementation. With permission-controls-v3 OFF (the default), bash tools use
+ * the legacy shellAllowlistStrategy (buildShellAllowlistOptions → action: key
+ * patterns). With the flag ON, they use classifier-produced scope ladder options.
  */
 import { beforeAll, describe, expect, mock, test } from "bun:test";
 
@@ -111,13 +111,6 @@ mock.module("../tools/terminal/sandbox.js", () => ({
   wrapCommand: () => ({ command: "", sandboxed: false }),
 }));
 
-// ── Hooks manager ──
-mock.module("../hooks/manager.js", () => ({
-  getHookManager: () => ({
-    trigger: async () => ({ blocked: false }),
-  }),
-}));
-
 // ── Ephemeral permissions ──
 mock.module("../tasks/ephemeral-permissions.js", () => ({
   getTaskRunRules: () => [],
@@ -193,6 +186,10 @@ beforeAll(async () => {
 });
 
 describe("ToolExecutor → real shell allowlist integration", () => {
+  // These tests run with permission-controls-v3 OFF (default), so
+  // generateAllowlistOptions falls through to shellAllowlistStrategy
+  // which uses action: key patterns from buildShellAllowlistOptions.
+
   test("simple command produces parser-derived action keys", async () => {
     const { prompter, getAllowlist, getScopes } = makeCapturingPrompter();
     const executor = new ToolExecutor(prompter);

package/src/__tests__/tool-executor.test.ts

@@ -86,6 +86,16 @@ let checkFnOverride:
 /** Override for generateScopeOptions — when set, returns this value instead of the default. */
 let scopeOptionsOverride: ScopeOption[] | undefined;
 
+/** Override for getCachedAssessment — when set, returns this value. */
+let cachedAssessmentOverride:
+  | {
+      riskLevel: string;
+      reason: string;
+      scopeOptions: Array<{ pattern: string; label: string }>;
+      matchType: string;
+    }
+  | undefined;
+
 /** Spy on addRule to capture calls without replacing the real implementation. */
 let addRuleSpy: ReturnType<typeof spyOn> | undefined;
 
@@ -109,7 +119,7 @@ mock.module("../util/logger.js", () => ({
 }));
 
 mock.module("../permissions/checker.js", () => ({
-  classifyRisk: async () => "low",
+  classifyRisk: async () => ({ level: "low" }),
   check: async (
     toolName: string,
     input: Record<string, unknown>,
@@ -127,6 +137,7 @@ mock.module("../permissions/checker.js", () => ({
   ],
   generateScopeOptions: () =>
     scopeOptionsOverride ?? [{ label: "/tmp", scope: "/tmp" }],
+  getCachedAssessment: () => cachedAssessmentOverride,
 }));
 
 // Mock every export so downstream test files that dynamically import modules
@@ -196,6 +207,7 @@ describe("ToolExecutor allowedToolNames gating", () => {
     getToolOverride = undefined;
     checkResultOverride = undefined;
     checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
     if (addRuleSpy) {
       addRuleSpy.mockRestore();
       addRuleSpy = undefined;
@@ -272,6 +284,7 @@ describe("ToolExecutor policy context plumbing", () => {
     getToolOverride = undefined;
     checkResultOverride = undefined;
     checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
     if (addRuleSpy) {
       addRuleSpy.mockRestore();
       addRuleSpy = undefined;
@@ -309,6 +322,9 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      conversationId: "conversation-1",
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "sandbox",
     });
   });
@@ -326,7 +342,11 @@ describe("ToolExecutor policy context plumbing", () => {
 
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.policyContext).toBeUndefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      conversationId: "conversation-1",
+      executionContext: "conversation",
+      ephemeralRules: undefined,
+    });
   });
 
   test('passes undefined policyContext for tools with origin "core"', async () => {
@@ -356,7 +376,11 @@ describe("ToolExecutor policy context plumbing", () => {
 
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.policyContext).toBeUndefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      conversationId: "conversation-1",
+      executionContext: "conversation",
+      ephemeralRules: undefined,
+    });
   });
 
   test('includes executionTarget "host" from skill tool metadata', async () => {
@@ -390,6 +414,9 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      conversationId: "conversation-1",
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "host",
     });
   });
@@ -420,6 +447,9 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      conversationId: "conversation-1",
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: undefined,
     });
   });
@@ -463,7 +493,7 @@ describe("ToolExecutor contextual rule creation", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",
@@ -528,7 +558,7 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(options.executionTarget).toBe("sandbox");
   });
 
-  test("always_allow_high_risk sets allowHighRisk and captures execution target", async () => {
+  test("always_allow captures execution target without allowHighRisk", async () => {
     checkResultOverride = { decision: "prompt", reason: "test prompt" };
     const spy = setupAddRuleSpy();
 
@@ -553,7 +583,7 @@ describe("ToolExecutor contextual rule creation", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "risky_tool:*",
       "everywhere",
     );
@@ -569,7 +599,6 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
     expect(options).toBeDefined();
-    expect(options.allowHighRisk).toBe(true);
     expect(options.executionTarget).toBe("host");
   });
 
@@ -663,13 +692,13 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(scope).toBe("everywhere");
   });
 
-  test("always_allow_high_risk for core tool sets allowHighRisk without execution target", async () => {
+  test("always_allow for core tool creates rule without execution target", async () => {
     checkResultOverride = { decision: "prompt", reason: "test prompt" };
     const spy = setupAddRuleSpy();
     getToolOverride = undefined;
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "sudo *",
       "everywhere",
     );
@@ -683,10 +712,8 @@ describe("ToolExecutor contextual rule creation", () => {
     expect(result.isError).toBe(false);
     expect(spy).toHaveBeenCalledTimes(1);
     const [, , , , , options] = spy.mock.calls[0];
-    expect(options).toBeDefined();
-    expect(options.allowHighRisk).toBe(true);
-    // No execution target for core tools
-    expect(options.executionTarget).toBeUndefined();
+    // Core tools have no executionTarget, so ruleOptions is empty → undefined
+    expect(options).toBeUndefined();
   });
 
   test("skill tool with host execution target records executionTarget in rule", async () => {
@@ -740,6 +767,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     getToolOverride = undefined;
     checkResultOverride = undefined;
     checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
     if (addRuleSpy) {
       addRuleSpy.mockRestore();
       addRuleSpy = undefined;
@@ -754,7 +782,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",
@@ -771,7 +799,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     return addRuleSpy;
   }
 
-  test("always_allow_high_risk creates rule with allowHighRisk: true for high-risk skill tool", async () => {
+  test("always_allow creates rule with execution target for high-risk skill tool", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -799,7 +827,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "deploy_tool:*",
       "everywhere",
     );
@@ -818,12 +846,12 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(pattern).toBe("deploy_tool:*");
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
-    // The key integration assertion: allowHighRisk + execution target together
-    expect(options.allowHighRisk).toBe(true);
+    // The key integration assertion: execution target is captured
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("host");
   });
 
-  test("always_allow creates rule without allowHighRisk even for high-risk skill tool", async () => {
+  test("always_allow creates rule with execution target for skill tool", async () => {
     checkResultOverride = { decision: "prompt", reason: "test prompt" };
     const spy = setupAddRuleSpy();
 
@@ -847,9 +875,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
       };
     };
 
-    // User chooses always_allow (NOT always_allow_high_risk) — the rule
-    // should NOT have allowHighRisk set, meaning future high-risk checks
-    // will still prompt.
+    // User chooses always_allow — rule is created with execution target.
     const prompter = makePrompterWithDecision(
       "always_allow",
       "risky_op:*",
@@ -864,8 +890,8 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(options).toBeDefined();
     // executionTarget should be present
     expect(options.executionTarget).toBe("sandbox");
-    // But allowHighRisk should NOT be set
-    expect(options.allowHighRisk).toBeUndefined();
+    // Rule should have execution target
+    // allowHighRisk is no longer persisted
   });
 
   test("executor forwards policyContext to check() for version-bound skill tool", async () => {
@@ -894,13 +920,16 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
 
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      conversationId: "conversation-1",
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "sandbox",
     });
   });
 
   // ── Skill mutation approval regression tests (PR 30) ──────────
 
-  test("always_allow_high_risk for skill source write creates rule with allowHighRisk and execution target", async () => {
+  test("always_allow for skill source write creates rule with execution target", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -928,7 +957,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "file_write:*/skills/**",
       "everywhere",
     );
@@ -946,11 +975,11 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(pattern).toBe("file_write:*/skills/**");
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
-    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("sandbox");
   });
 
-  test("always_allow (not high risk) for skill source write creates rule WITHOUT allowHighRisk", async () => {
+  test("always_allow for skill source write creates rule with execution target (baseline)", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -977,7 +1006,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
       };
     };
 
-    // User chooses always_allow instead of always_allow_high_risk
+    // User chooses always_allow
     const prompter = makePrompterWithDecision(
       "always_allow",
       "file_write:*/skills/**",
@@ -995,8 +1024,8 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     const [, , , , , options] = spy.mock.calls[0];
     expect(options).toBeDefined();
     expect(options.executionTarget).toBe("sandbox");
-    // Without always_allow_high_risk, the allowHighRisk flag should NOT be set
-    expect(options.allowHighRisk).toBeUndefined();
+    // Execution target is captured from the tool context
+    // allowHighRisk is no longer persisted
   });
 
   test("skill version is captured in rule for future version-bound matching", async () => {
@@ -1027,7 +1056,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "file_edit:*/skills/**",
       "everywhere",
     );
@@ -1042,7 +1071,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(spy).toHaveBeenCalledTimes(1);
     const [tool, , , , , options] = spy.mock.calls[0];
     expect(tool).toBe("file_edit");
-    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("sandbox");
   });
 
@@ -1076,11 +1105,14 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
 
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
+      conversationId: "conversation-1",
+      executionContext: "conversation",
+      ephemeralRules: undefined,
       executionTarget: "sandbox",
     });
   });
 
-  test("executor creates rule on always_allow_high_risk with full context", async () => {
+  test("executor creates rule on always_allow with full context", async () => {
     checkResultOverride = {
       decision: "prompt",
       reason: "High risk: always requires approval",
@@ -1108,7 +1140,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     };
 
     const prompter = makePrompterWithDecision(
-      "always_allow_high_risk",
+      "always_allow",
       "admin_action:*",
       "everywhere",
     );
@@ -1128,7 +1160,7 @@ describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
     expect(pattern).toBe("admin_action:*");
     expect(scope).toBe("everywhere");
     expect(decision).toBe("allow");
-    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBeDefined();
     expect(options.executionTarget).toBe("host");
   });
 });
@@ -1147,14 +1179,6 @@ describe("isSideEffectTool", () => {
       "bash",
       "host_bash",
       "web_fetch",
-      "browser_navigate",
-      "browser_click",
-      "browser_type",
-      "browser_press_key",
-      "browser_close",
-      "browser_attach",
-      "browser_detach",
-      "browser_fill_credential",
       "document_create",
       "document_update",
       "schedule_create",
@@ -1175,6 +1199,14 @@ describe("isSideEffectTool", () => {
       "memory_recall",
       "memory_manage",
       "web_search",
+      "browser_navigate",
+      "browser_click",
+      "browser_type",
+      "browser_press_key",
+      "browser_close",
+      "browser_attach",
+      "browser_detach",
+      "browser_fill_credential",
       "browser_snapshot",
       "browser_screenshot",
       "browser_wait_for",
@@ -1232,7 +1264,7 @@ describe("isSideEffectTool", () => {
 // would cause this test to fail instead of being masked by a blanket
 // mock-allow.
 describe("ToolExecutor baseline: allow rule auto-allows file_edit guardian persona", () => {
-  const guardianPersonaPath = "/Users/sidd/.vellum/workspace/users/sidd.md";
+  const guardianPersonaPath = "/Users/alice/.vellum/workspace/users/alice.md";
   let ruleSpy: ReturnType<typeof spyOn> | undefined;
 
   beforeEach(() => {
@@ -1241,6 +1273,7 @@ describe("ToolExecutor baseline: allow rule auto-allows file_edit guardian perso
     getToolOverride = undefined;
     checkResultOverride = undefined;
     checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
     if (addRuleSpy) {
       addRuleSpy.mockRestore();
       addRuleSpy = undefined;
@@ -1358,6 +1391,7 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     getToolOverride = undefined;
     checkResultOverride = undefined;
     checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
     promptCalled = false;
     if (addRuleSpy) {
       addRuleSpy.mockRestore();
@@ -1554,7 +1588,7 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     const result = await executor.execute(
       "file_edit",
       {
-        path: "/Users/sidd/.vellum/workspace/users/sidd.md",
+        path: "/Users/alice/.vellum/workspace/users/alice.md",
         old_string: "old pref",
         new_string: "new pref",
       },
@@ -1573,7 +1607,7 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     const result = await executor.execute(
       "host_file_edit",
       {
-        path: "/Users/sidd/.vellum/workspace/users/sidd.md",
+        path: "/Users/alice/.vellum/workspace/users/alice.md",
         old_string: "x",
         new_string: "y",
       },
@@ -1584,51 +1618,6 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     expect(promptCalled).toBe(true);
   });
 
-  // ── Browser action tools as side-effect tools (PR fix2) ──────────
-
-  test("browser_click forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "browser_click",
-      { selector: "#submit-btn" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("browser_type forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "browser_type",
-      { selector: "#search-input", text: "query" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("browser_snapshot does NOT force prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "browser_snapshot",
-      {},
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // browser_snapshot is read-only — must NOT trigger forced prompting
-    expect(promptCalled).toBe(false);
-  });
-
   // ── Always-mutating document tools (PR fix5) ──────────
 
   test("document_create forces prompt in private conversation", async () => {
@@ -1832,7 +1821,7 @@ describe("ToolExecutor persistentDecisionsAllowed contract", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",
@@ -2158,6 +2147,7 @@ describe("ToolExecutor persistent-allow lifecycle", () => {
     getToolOverride = undefined;
     checkResultOverride = undefined;
     checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
     if (addRuleSpy) {
       addRuleSpy.mockRestore();
       addRuleSpy = undefined;
@@ -2172,7 +2162,7 @@ describe("ToolExecutor persistent-allow lifecycle", () => {
         scope: string,
         decision = "allow",
         priority = 100,
-        options?: { allowHighRisk?: boolean; executionTarget?: string },
+        options?: { executionTarget?: string },
       ) => {
         return {
           id: "spy-rule-id",
@@ -2336,3 +2326,120 @@ describe("integration regressions — prompt payload (PR 11)", () => {
     expect(capturedScopes![0]).toHaveProperty("scope");
   });
 });
+
+// ---------------------------------------------------------------------------
+// Risk metadata on ToolExecutionResult (PR 5 — scope-ladder-v1)
+// ---------------------------------------------------------------------------
+
+describe("ToolExecutionResult includes risk metadata from classifier assessment", () => {
+  beforeEach(() => {
+    fakeToolResult = { content: "ok", isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
+    if (addRuleSpy) {
+      addRuleSpy.mockRestore();
+      addRuleSpy = undefined;
+    }
+  });
+
+  test("auto-approved tool result includes risk metadata when classifier assessment exists", async () => {
+    cachedAssessmentOverride = {
+      riskLevel: "medium",
+      reason: "Writes to a file outside the workspace",
+      scopeOptions: [
+        { pattern: "file_write:/tmp/test.txt", label: "This file only" },
+        { pattern: "file_write:/tmp/**", label: "Anything in tmp/" },
+      ],
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "README.md" },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.riskLevel).toBe("medium");
+    expect(result.riskReason).toBe("Writes to a file outside the workspace");
+    expect(result.riskScopeOptions).toEqual([
+      { pattern: "file_write:/tmp/test.txt", label: "This file only" },
+      { pattern: "file_write:/tmp/**", label: "Anything in tmp/" },
+    ]);
+  });
+
+  test("tool result omits risk metadata when no classifier assessment exists (e.g. MCP tools)", async () => {
+    // cachedAssessmentOverride is undefined (no classifier ran)
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "README.md" },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.riskLevel).toBeUndefined();
+    expect(result.riskReason).toBeUndefined();
+    expect(result.riskScopeOptions).toBeUndefined();
+  });
+
+  test("denied tool result includes risk metadata", async () => {
+    checkResultOverride = {
+      decision: "deny",
+      reason: "Blocked by deny rule",
+    };
+    cachedAssessmentOverride = {
+      riskLevel: "high",
+      reason: "Recursive force delete",
+      scopeOptions: [{ pattern: "bash:rm -rf*", label: "rm -rf commands" }],
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "bash",
+      { command: "rm -rf /" },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.riskLevel).toBe("high");
+    expect(result.riskReason).toBe("Recursive force delete");
+    expect(result.riskScopeOptions).toEqual([
+      { pattern: "bash:rm -rf*", label: "rm -rf commands" },
+    ]);
+  });
+
+  test("prompted-then-approved tool result includes risk metadata", async () => {
+    checkResultOverride = {
+      decision: "prompt",
+      reason: "Medium risk: requires approval",
+    };
+    cachedAssessmentOverride = {
+      riskLevel: "medium",
+      reason: "Package manager installation",
+      scopeOptions: [
+        { pattern: "bash:npm install*", label: "npm install commands" },
+        { pattern: "bash:npm*", label: "All npm commands" },
+      ],
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "bash",
+      { command: "npm install lodash" },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe("ok");
+    expect(result.riskLevel).toBe("medium");
+    expect(result.riskReason).toBe("Package manager installation");
+    expect(result.riskScopeOptions).toHaveLength(2);
+  });
+});