@vellumai/assistant 0.7.1 → 0.7.2

package/src/__tests__/memory-jobs-worker-lanes.test.ts

@@ -0,0 +1,188 @@
+/**
+ * Head-of-line repro for the per-lane scheduler in `runMemoryJobsOnce`.
+ *
+ * Before this fix, all non-embed jobs ran through a single bounded worker
+ * pool, so a long-running `graph_consolidate` LLM call would pin every slot
+ * and starve fast-lane jobs (e.g. `embed_concept_page` consolidation pages)
+ * for the duration of that call.
+ *
+ * The new scheduler runs slow / fast / embed lanes in parallel pools, each
+ * with its own concurrency budget. This test enqueues a wave of slow LLM
+ * jobs alongside fast jobs and asserts that every fast job completes before
+ * any slow job's promise resolves — proving the lanes are truly independent.
+ */
+import { beforeAll, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { eq } from "drizzle-orm";
+
+import { DEFAULT_CONFIG } from "../config/defaults.js";
+import type { AssistantConfig } from "../config/types.js";
+
+// ── Mocks (must precede imports of tested module) ──────────────────
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+// Per-lane caps: 1 slow slot (so only 1 of the 5 enqueued slow jobs runs in
+// this tick) and a generous fast cap so every fast job both gets claimed
+// and gets a slot in the lane pool. The OLD shared-pool scheduler — which
+// claimed jobs without lane awareness and ran them through a single
+// workerConcurrency-sized pool — would pin its slots on the first claimed
+// slow jobs and force the fast jobs to queue behind a 200ms LLM call.
+const TEST_CONFIG: AssistantConfig = {
+  ...DEFAULT_CONFIG,
+  memory: {
+    ...DEFAULT_CONFIG.memory,
+    enabled: true,
+    jobs: {
+      ...DEFAULT_CONFIG.memory.jobs,
+      slowLlmConcurrency: 1,
+      fastConcurrency: 5,
+      embedConcurrency: 1,
+      workerConcurrency: 2,
+    },
+  },
+};
+
+mock.module("../config/loader.js", () => ({
+  getConfig: () => TEST_CONFIG,
+  loadConfig: () => TEST_CONFIG,
+  invalidateConfigCache: () => {},
+}));
+
+// ── Track timestamps so we can assert ordering ─────────────────────
+
+type CompletionRecord = {
+  type: string;
+  conversationId: string;
+  completedAt: number;
+};
+const completions: CompletionRecord[] = [];
+
+// Slow-lane handler: blocks for SLOW_DELAY_MS. The test asserts every fast
+// job completes before any slow job — a single 200ms window is plenty.
+const SLOW_DELAY_MS = 200;
+
+mock.module("../memory/graph/consolidation.js", () => ({
+  runConsolidation: async (
+    scopeId: string,
+  ): Promise<{
+    totalUpdated: number;
+    totalDeleted: number;
+    totalMergeEdges: number;
+  }> => {
+    await new Promise((resolve) => setTimeout(resolve, SLOW_DELAY_MS));
+    completions.push({
+      type: "graph_consolidate",
+      conversationId: scopeId,
+      completedAt: Date.now(),
+    });
+    return { totalUpdated: 0, totalDeleted: 0, totalMergeEdges: 0 };
+  },
+}));
+
+// Fast-lane handler: resolves on the next microtask. The test fires this
+// many times in parallel; nothing should block.
+mock.module("../memory/jobs/embed-concept-page.js", () => ({
+  embedConceptPageJob: async (job: {
+    payload: { slug?: string };
+  }): Promise<void> => {
+    completions.push({
+      type: "embed_concept_page",
+      conversationId: job.payload.slug ?? "",
+      completedAt: Date.now(),
+    });
+  },
+}));
+
+// Stub remaining heavy boundaries that we never exercise but that get pulled
+// in transitively through jobs-worker's eager imports. These aren't strictly
+// required if the host machine can resolve them, but mocking them keeps the
+// test hermetic and fast under `bun test`.
+mock.module("../memory/db-maintenance.js", () => ({
+  maybeRunDbMaintenance: () => {},
+}));
+
+import { getDb } from "../memory/db-connection.js";
+import { initializeDb } from "../memory/db-init.js";
+import { enqueueMemoryJob } from "../memory/jobs-store.js";
+import { runMemoryJobsOnce } from "../memory/jobs-worker.js";
+import { _resetQdrantBreaker } from "../memory/qdrant-circuit-breaker.js";
+import { memoryJobs } from "../memory/schema.js";
+
+describe("memory jobs worker lane scheduling", () => {
+  beforeAll(() => {
+    initializeDb();
+  });
+
+  beforeEach(() => {
+    const db = getDb();
+    db.run("DELETE FROM memory_jobs");
+    completions.length = 0;
+    _resetQdrantBreaker();
+  });
+
+  test("fast lane completes before slow lane releases its slot", async () => {
+    // 5 slow `graph_consolidate` jobs across distinct scopes (so they would
+    // serialize behind a single shared pool) plus 5 fast `embed_concept_page`
+    // jobs across distinct slugs.
+    for (let i = 0; i < 5; i++) {
+      enqueueMemoryJob("graph_consolidate", { scopeId: `slow-${i}` });
+    }
+    for (let i = 0; i < 5; i++) {
+      enqueueMemoryJob("embed_concept_page", { slug: `fast-${i}` });
+    }
+
+    await runMemoryJobsOnce();
+
+    const fastDone = completions.filter((c) => c.type === "embed_concept_page");
+    const slowDone = completions.filter((c) => c.type === "graph_consolidate");
+
+    // Slow lane is capped at 1 in this test, so only 1 slow job ran in this
+    // tick. Fast lane has cap 2, but with 5 fast jobs it runs all 5 because
+    // each handler resolves on the next microtask.
+    expect(fastDone).toHaveLength(5);
+    expect(slowDone).toHaveLength(1);
+
+    // Head-of-line guarantee: every fast completion timestamp must precede
+    // the (single) slow completion timestamp. Under the old shared pool with
+    // workerConcurrency=2 and 1 slow slot occupied, this still held only if
+    // a fast slot freed up first — but with 2 slow jobs in flight (the old
+    // claim path would have claimed multiple slow jobs into the shared pool)
+    // both slots would be pinned for SLOW_DELAY_MS and fast work would queue
+    // behind. With the lane scheduler, fast work has its own pool.
+    const earliestSlow = Math.min(...slowDone.map((c) => c.completedAt));
+    for (const fast of fastDone) {
+      expect(fast.completedAt).toBeLessThan(earliestSlow);
+    }
+
+    // Sanity: exactly 1 of the 5 enqueued slow jobs reached `completed` (the
+    // slow lane's per-tick budget). The other 4 are still pending and will be
+    // picked up on subsequent ticks. (FIFO ordering inside the slow lane is
+    // covered separately in jobs-store-qdrant-breaker.test.ts.)
+    //
+    // Note: a sixth `graph_consolidate` row may also appear here — the
+    // `maybeEnqueueGraphMaintenanceJobs` tail of `runMemoryJobsOnce` enqueues
+    // its own maintenance job whose checkpoint is missing in this fresh DB.
+    // That row is irrelevant; we only care about the completed-vs-pending
+    // counts of jobs we explicitly seeded.
+    const completedSlow = countSlowByStatus("completed");
+    expect(completedSlow).toBe(1);
+  });
+});
+
+function countSlowByStatus(
+  status: "pending" | "running" | "completed",
+): number {
+  const db = getDb();
+  return db
+    .select()
+    .from(memoryJobs)
+    .where(eq(memoryJobs.type, "graph_consolidate"))
+    .all()
+    .filter((row) => row.status === status).length;
+}

package/src/__tests__/migration-import-commit-http.test.ts

@@ -256,6 +256,8 @@ function createValidVBundle(
     bundle_id: string;
     origin_mode: "managed" | "self-hosted-remote" | "self-hosted-local";
     secrets_redacted: boolean;
+    min_runtime_version: string;
+    max_runtime_version: string | null;
   }>,
 ): Uint8Array {
   const dbData = new Uint8Array([0x53, 0x51, 0x4c, 0x69, 0x74, 0x65]);
@@ -296,8 +298,11 @@ function createValidVBundle(
       mode: overrides?.origin_mode ?? "self-hosted-local",
     },
     compatibility: {
-      min_runtime_version: "0.0.0-test",
-      max_runtime_version: null,
+      min_runtime_version: overrides?.min_runtime_version ?? "0.0.0-test",
+      max_runtime_version:
+        overrides?.max_runtime_version === undefined
+          ? null
+          : overrides.max_runtime_version,
     },
     contents,
     checksum: "",
@@ -652,6 +657,107 @@ describe("handleMigrationImport — validation failures", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// HTTP handler tests: version_incompatible (Codex P2 regression)
+//
+// Pin: a bundle whose min_runtime_version exceeds APP_VERSION must surface as
+// a 4xx user-actionable response (422 Unprocessable Entity), not a 500
+// InternalError. Body mirrors the platform's PR #5470 response shape so
+// clients can render the same UX regardless of which gate (platform or
+// runtime) rejected the bundle.
+// ---------------------------------------------------------------------------
+
+describe("handleMigrationImport — version_incompatible", () => {
+  test("incompatible bundle returns 422 with structured body, not 500", async () => {
+    const vbundle = createValidVBundle(undefined, {
+      min_runtime_version: "99.0.0",
+    });
+    const req = new Request("http://localhost/v1/migrations/import", {
+      method: "POST",
+      headers: { "Content-Type": "application/octet-stream" },
+      body: toArrayBuffer(vbundle),
+    });
+
+    const res = await callHandler(handleMigrationImport, req);
+    const body = (await res.json()) as {
+      error: {
+        code: string;
+        message: string;
+        details?: {
+          reason: string;
+          bundle_compat: {
+            min_runtime_version: string;
+            max_runtime_version: string | null;
+          };
+          runtime_version: string;
+        };
+      };
+    };
+
+    expect(res.status).toBe(422);
+    expect(body.error.code).toBe("UNPROCESSABLE_ENTITY");
+    expect(body.error.message).toContain("99.0.0");
+    expect(body.error.details).toBeDefined();
+    expect(body.error.details!.reason).toBe("version_incompatible");
+    expect(body.error.details!.bundle_compat.min_runtime_version).toBe(
+      "99.0.0",
+    );
+    expect(body.error.details!.bundle_compat.max_runtime_version).toBeNull();
+    expect(typeof body.error.details!.runtime_version).toBe("string");
+  });
+
+  test("incompatible bundle does not modify disk", async () => {
+    const originalDb = new Uint8Array(readFileSync(testDbPath));
+    const originalConfig = readFileSync(testConfigPath, "utf8");
+
+    const vbundle = createValidVBundle(undefined, {
+      min_runtime_version: "99.0.0",
+    });
+    const req = new Request("http://localhost/v1/migrations/import", {
+      method: "POST",
+      headers: { "Content-Type": "application/octet-stream" },
+      body: toArrayBuffer(vbundle),
+    });
+
+    await callHandler(handleMigrationImport, req);
+
+    const currentDb = new Uint8Array(readFileSync(testDbPath));
+    const currentConfig = readFileSync(testConfigPath, "utf8");
+
+    expect(currentDb).toEqual(originalDb);
+    expect(currentConfig).toBe(originalConfig);
+  });
+
+  // Regression: the route handler pre-checks runtime-version compat using
+  // `validation.manifest.compatibility` before calling `resetDb()` and
+  // `commitImport()`. If a future refactor reorders the close to come
+  // before the gate, an incompatible bundle would still 422 (commitImport
+  // has its own defense-in-depth gate) but it would unnecessarily close
+  // and reopen the live SQLite singleton on every rejected import.
+  //
+  // We can't easily spy on `resetDb` here without mocking `db-connection.js`
+  // module-wide (which other tests in this file rely on for real). The
+  // semantic regression — disk unchanged + 422 — is covered by the two
+  // tests above. This test is a marker so future readers know the pre-
+  // check intent; if it ever starts failing, recheck `handleMigrationImport`
+  // ordering against the comment at line 861-862 ("Validate the bundle
+  // before closing the DB to avoid an unnecessary close/reopen cycle when
+  // the bundle is invalid").
+  test("incompatible bundle short-circuits before resetDb (intent marker)", async () => {
+    const vbundle = createValidVBundle(undefined, {
+      min_runtime_version: "99.0.0",
+    });
+    const req = new Request("http://localhost/v1/migrations/import", {
+      method: "POST",
+      headers: { "Content-Type": "application/octet-stream" },
+      body: toArrayBuffer(vbundle),
+    });
+
+    const res = await callHandler(handleMigrationImport, req);
+    expect(res.status).toBe(422);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // commitImport unit tests
 // ---------------------------------------------------------------------------

package/src/__tests__/mock-gateway-ipc.ts

@@ -38,6 +38,7 @@ import { mock } from "bun:test";
 // ---------------------------------------------------------------------------
 
 /** IPC result the fake gateway will return (keyed by method name). */
+
 let ipcResults: Record<string, unknown> = {};
 
 /** Whether the fake ipcCall should simulate a connection error. */

package/src/__tests__/oauth-cli.test.ts

@@ -380,12 +380,10 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockGetConfig(),
   getConfigReadOnly: () => mockGetConfig(),
   loadConfig: () => mockGetConfig(),
-  saveConfig: () => {},
   invalidateConfigCache: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   applyNestedDefaults: (c: unknown) => c,
-  deepMergeMissing: (a: unknown) => a,
   deepMergeOverwrite: (a: unknown) => a,
   mergeDefaultWorkspaceConfig: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/oauth2-gateway-transport.test.ts

@@ -16,7 +16,6 @@ mock.module("../config/loader.js", () => ({
     ingress: { publicBaseUrl: mockPublicBaseUrl },
   }),
   loadRawConfig: () => ({}),
-  saveConfig: () => {},
   invalidateConfigCache: () => {},
 }));
 

package/src/__tests__/persistence-secret-redaction.test.ts

@@ -0,0 +1,299 @@
+/**
+ * Verifies that known-pattern secrets are redacted before being written to
+ * durable conversation storage while the live model history (pendingToolResults,
+ * raw message content) is left untouched.
+ *
+ * Touch points under test:
+ *   - Tool result content blocks persisted by handleMessageComplete
+ *   - Assistant message text blocks persisted by handleMessageComplete
+ */
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+// ── Shared mock plumbing (must precede module-under-test imports) ──────────
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+mock.module("../config/loader.js", () => ({
+  getConfig: () => ({
+    skills: {
+      entries: {},
+      load: { extraDirs: [], watch: true, watchDebounceMs: 250 },
+      install: { nodeManager: "npm" },
+      allowBundled: null,
+      remoteProviders: {
+        skillssh: { enabled: true },
+        clawhub: { enabled: true },
+      },
+      remotePolicy: {
+        blockSuspicious: true,
+        blockMalware: true,
+        maxSkillsShRisk: "medium",
+      },
+    },
+  }),
+  loadConfig: () => ({}),
+}));
+
+interface AddMessageCall {
+  conversationId: string;
+  role: string;
+  content: string;
+  metadata?: Record<string, unknown>;
+}
+const addMessageCalls: AddMessageCall[] = [];
+mock.module("../memory/conversation-crud.js", () => ({
+  addMessage: (
+    conversationId: string,
+    role: string,
+    content: string,
+    metadata?: Record<string, unknown>,
+  ) => {
+    addMessageCalls.push({ conversationId, role, content, metadata });
+    return { id: `mock-msg-${addMessageCalls.length}` };
+  },
+  getConversation: () => null,
+  getMessageById: () => null,
+  updateMessageContent: () => {},
+  provenanceFromTrustContext: () => ({}),
+}));
+
+mock.module("../memory/llm-request-log-store.js", () => ({
+  recordRequestLog: () => {},
+  backfillMessageIdOnLogs: () => {},
+}));
+
+mock.module("../memory/memory-recall-log-store.js", () => ({
+  backfillMemoryRecallLogMessageId: () => {},
+}));
+
+mock.module("../memory/conversation-disk-view.js", () => ({
+  syncMessageToDisk: () => {},
+}));
+
+// ── Imports (after mocks) ──────────────────────────────────────────────────
+
+import type { AgentEvent } from "../agent/loop.js";
+import type {
+  EventHandlerDeps,
+  EventHandlerState,
+} from "../daemon/conversation-agent-loop-handlers.js";
+import {
+  createEventHandlerState,
+  handleMessageComplete,
+} from "../daemon/conversation-agent-loop-handlers.js";
+
+// ── Helpers ────────────────────────────────────────────────────────────────
+
+const CONV = "conv-redact-test";
+
+function makeDeps(): EventHandlerDeps {
+  return {
+    ctx: {
+      conversationId: CONV,
+      provider: { name: "anthropic" },
+      traceEmitter: { emit: () => {} },
+      currentTurnSurfaces: [],
+      trustContext: {
+        sourceChannel: "vellum",
+        trustClass: "guardian",
+      },
+    } as unknown as EventHandlerDeps["ctx"],
+    onEvent: () => {},
+    reqId: "test-req",
+    isFirstMessage: false,
+    shouldGenerateTitle: false,
+    rlog: new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }) as unknown as EventHandlerDeps["rlog"],
+    turnChannelContext: {
+      userMessageChannel: "vellum",
+      assistantMessageChannel: "vellum",
+    } as EventHandlerDeps["turnChannelContext"],
+    turnInterfaceContext: {
+      userMessageInterface: "macos",
+      assistantMessageInterface: "macos",
+    } as EventHandlerDeps["turnInterfaceContext"],
+  } as EventHandlerDeps;
+}
+
+function makeMessageCompleteEvent(
+  text: string,
+): Extract<AgentEvent, { type: "message_complete" }> {
+  return {
+    type: "message_complete",
+    message: { role: "assistant", content: [{ type: "text", text }] },
+  };
+}
+
+function lastPersisted(role: "assistant" | "user"): AddMessageCall {
+  for (let i = addMessageCalls.length - 1; i >= 0; i--) {
+    if (addMessageCalls[i].role === role) return addMessageCalls[i];
+  }
+  throw new Error(`No ${role} message was persisted`);
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────────
+
+describe("persistence-layer secret redaction", () => {
+  let state: EventHandlerState;
+
+  beforeEach(() => {
+    addMessageCalls.length = 0;
+    state = createEventHandlerState();
+    state.turnStartedAt = 1_700_000_000_000;
+  });
+
+  afterEach(() => {
+    addMessageCalls.length = 0;
+  });
+
+  // ── Tool result content ──────────────────────────────────────────────────
+
+  test("redacts Anthropic API key in tool result content before persistence", async () => {
+    // Pattern requires 80+ chars after "sk-ant-"
+    const secret =
+      "sk-ant-api03-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" +
+      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+    state.pendingToolResults.set("tool-use-1", {
+      content: `Here is the key: ${secret}`,
+      isError: false,
+    });
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent("done"));
+
+    const persisted = lastPersisted("user");
+    const blocks = JSON.parse(persisted.content) as Array<{
+      type: string;
+      content: string;
+    }>;
+    expect(blocks[0].content).not.toContain("sk-ant-api03-");
+    expect(blocks[0].content).toContain("<redacted");
+  });
+
+  test("redacts GitHub PAT in tool result content before persistence", async () => {
+    // Pattern requires 36+ chars after "ghp_"
+    const secret = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
+    state.pendingToolResults.set("tool-use-2", {
+      content: `token=${secret}`,
+      isError: false,
+    });
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent("done"));
+
+    const persisted = lastPersisted("user");
+    const blocks = JSON.parse(persisted.content) as Array<{
+      type: string;
+      content: string;
+    }>;
+    expect(blocks[0].content).not.toContain("ghp_");
+    expect(blocks[0].content).toContain("<redacted");
+  });
+
+  test("does not redact non-secret content (UUID, hex hash) in tool result", async () => {
+    const safe = "id=550e8400-e29b-41d4-a716-446655440000 sha=a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2";
+    state.pendingToolResults.set("tool-use-3", {
+      content: safe,
+      isError: false,
+    });
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent("done"));
+
+    const persisted = lastPersisted("user");
+    const blocks = JSON.parse(persisted.content) as Array<{
+      type: string;
+      content: string;
+    }>;
+    expect(blocks[0].content).toBe(safe);
+  });
+
+  test("live model state (pendingToolResults) is not modified by persistence redaction", async () => {
+    const secret =
+      "sk-ant-api03-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" +
+      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+    const originalContent = `key=${secret}`;
+    state.pendingToolResults.set("tool-use-4", {
+      content: originalContent,
+      isError: false,
+    });
+
+    // Capture the content before handleMessageComplete clears pendingToolResults
+    const contentSnapshot = state.pendingToolResults.get("tool-use-4")!.content;
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent("done"));
+
+    // The snapshot taken from live state before the call must be unmodified
+    expect(contentSnapshot).toBe(originalContent);
+    expect(contentSnapshot).toContain("sk-ant-api03-");
+  });
+
+  // ── Assistant message text ───────────────────────────────────────────────
+
+  test("redacts known-pattern secret quoted in assistant text before persistence", async () => {
+    const secret =
+      "sk-ant-api03-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" +
+      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+    const text = `Your API key is \`${secret}\`. Keep it safe.`;
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent(text));
+
+    const persisted = lastPersisted("assistant");
+    const blocks = JSON.parse(persisted.content) as Array<{
+      type: string;
+      text?: string;
+    }>;
+    const textBlock = blocks.find((b) => b.type === "text");
+    expect(textBlock?.text).not.toContain("sk-ant-api03-");
+    expect(textBlock?.text).toContain("<redacted");
+  });
+
+  test("redacts OpenAI Project Key quoted in assistant text before persistence", async () => {
+    // Pattern requires 40+ chars after "sk-proj-"
+    const secret = "sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst";
+    const text = `I found this key in the config: ${secret}`;
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent(text));
+
+    const persisted = lastPersisted("assistant");
+    const blocks = JSON.parse(persisted.content) as Array<{
+      type: string;
+      text?: string;
+    }>;
+    const textBlock = blocks.find((b) => b.type === "text");
+    expect(textBlock?.text).not.toContain("sk-proj-");
+    expect(textBlock?.text).toContain("<redacted");
+  });
+
+  test("does not redact non-secret text in assistant message", async () => {
+    const safe = "Here is the file list: index.ts, util.ts, main.ts";
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent(safe));
+
+    const persisted = lastPersisted("assistant");
+    const blocks = JSON.parse(persisted.content) as Array<{
+      type: string;
+      text?: string;
+    }>;
+    const textBlock = blocks.find((b) => b.type === "text");
+    expect(textBlock?.text).toBe(safe);
+  });
+
+  test("does not redact random-looking strings that lack known prefixes", async () => {
+    // High-entropy but no known credential prefix — should NOT be redacted
+    const text = "checksum: 8f14e45fceea167a5a36dedd4bea2543";
+
+    await handleMessageComplete(state, makeDeps(), makeMessageCompleteEvent(text));
+
+    const persisted = lastPersisted("assistant");
+    const blocks = JSON.parse(persisted.content) as Array<{
+      type: string;
+      text?: string;
+    }>;
+    const textBlock = blocks.find((b) => b.type === "text");
+    expect(textBlock?.text).toBe(text);
+  });
+});

package/src/__tests__/platform-bash-auto-approve.test.ts

@@ -67,7 +67,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,
@@ -245,13 +244,11 @@ describe("platform-hosted bash auto-approval", () => {
     expect(promptCalled).toBe(true);
   });
 
-  test("bash NOT auto-approved for non-guardian actors via platform path (sandbox bash is allowed)", async () => {
+  test("bash NOT auto-approved for non-guardian actors via platform path (trusted_contact requires grant)", async () => {
     checkResultOverride = { decision: "prompt", reason: "Needs approval" };
 
-    const platformAutoApproveCalled = false;
     const trackingPrompter = {
       prompt: async () => {
-        // If this is called, we know the platform auto-approve did NOT fire
         return { decision: "allow" as const };
       },
       resolveConfirmation: () => {},
@@ -270,11 +267,10 @@ describe("platform-hosted bash auto-approval", () => {
       }),
     );
 
-    // With requireFreshApproval, trusted_contact+bash goes through check()
-    // which returns "prompt" and then the interactive prompter is called.
-    // The platform auto-approve path (guardian-only) is NOT taken.
-    expect(result.isError).toBe(false);
-    void platformAutoApproveCalled; // suppress unused warning
+    // trusted_contact now requires a guardian-scoped grant for side-effect
+    // tools. Without a grant, the pre-execution gate denies the invocation
+    // before the permission checker or prompter is reached.
+    expect(result.isError).toBe(true);
   });
 
   test("bash NOT auto-approved when requireFreshApproval is set", async () => {