@vellumai/assistant 0.7.1 → 0.7.2

package/src/__tests__/script-proxy-mitm-handler.test.ts

@@ -13,8 +13,8 @@ import {
   getCAPath,
   issueLeafCert,
   type RewriteCallback,
-  type RouteDecision,
 } from "../outbound-proxy/index.js";
+import type { RouteDecision } from "../outbound-proxy/router.js";
 
 let dataDir: string;
 let caDir: string;

package/src/__tests__/secret-ingress-http.test.ts

@@ -213,6 +213,7 @@ function makeSendMessageDeps() {
     hasPendingConfirmation: () => false,
     setHostBrowserProxy: () => {},
     setHostCuProxy: () => {},
+    setHostAppControlProxy: () => {},
     addPreactivatedSkillId: () => {},
   } as unknown as import("../daemon/conversation.js").Conversation;
 

package/src/__tests__/send-endpoint-busy.test.ts

@@ -160,6 +160,7 @@ function makeCompletingConversation(): Conversation {
     updateClient: () => {},
     setHostBrowserProxy: () => {},
     setHostCuProxy: () => {},
+    setHostAppControlProxy: () => {},
     addPreactivatedSkillId: () => {},
     hasAnyPendingConfirmation: () => false,
     hasPendingConfirmation: () => false,
@@ -216,6 +217,7 @@ function makeHangingConversation(): Conversation {
     updateClient: () => {},
     setHostBrowserProxy: () => {},
     setHostCuProxy: () => {},
+    setHostAppControlProxy: () => {},
     addPreactivatedSkillId: () => {},
     hasAnyPendingConfirmation: () => false,
     hasPendingConfirmation: () => false,
@@ -300,6 +302,7 @@ function makePendingApprovalConversation(
     updateClient: () => {},
     setHostBrowserProxy: () => {},
     setHostCuProxy: () => {},
+    setHostAppControlProxy: () => {},
     addPreactivatedSkillId: () => {},
     hasAnyPendingConfirmation: () => pending.size > 0,
     hasPendingConfirmation: (candidateRequestId: string) =>

package/src/__tests__/shell-tool-proxy-mode.test.ts

@@ -45,7 +45,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/skill-feature-flags.test.ts

@@ -16,10 +16,11 @@ afterEach(() => {
   _setOverridesForTesting({});
 });
 
-const DECLARED_FLAG_ID = "sounds";
+const DECLARED_FLAG_ID = "email-channel";
 const DECLARED_FLAG_KEY = DECLARED_FLAG_ID;
-const DECLARED_SKILL_ID = "sounds";
-const APP_BUILDER_MULTIFILE_FLAG_KEY = "app-builder-multifile";
+const DECLARED_SKILL_ID = "email-channel";
+const ENABLED_UNDECLARED_FLAG_KEY = "enabled-undeclared-flag";
+const ENABLED_UNDECLARED_SKILL_ID = "enabled-undeclared-skill";
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -91,14 +92,14 @@ describe("skillFlagKey", () => {
 // ---------------------------------------------------------------------------
 
 describe("isAssistantFeatureFlagEnabled with skillFlagKey", () => {
-  test("returns true when no flag overrides (registry default is true)", () => {
+  test("returns false when no flag overrides (registry default is false)", () => {
     const config = makeConfig();
     expect(
       isAssistantFeatureFlagEnabled(
         skillFlagKey({ featureFlag: DECLARED_FLAG_ID })!,
         config,
       ),
-    ).toBe(true);
+    ).toBe(false);
   });
 
   test("returns true when skill key is explicitly true", () => {
@@ -144,27 +145,18 @@ describe("isAssistantFeatureFlagEnabled", () => {
 
   test("falls back to registry default when no override", () => {
     const config = makeConfig();
-    // sounds defaults to true in the registry
-    expect(isAssistantFeatureFlagEnabled(DECLARED_FLAG_KEY, config)).toBe(true);
+    // email-channel defaults to false in the registry
+    expect(isAssistantFeatureFlagEnabled(DECLARED_FLAG_KEY, config)).toBe(
+      false,
+    );
   });
 
   test("respects persisted overrides for undeclared keys", () => {
-    _setOverridesForTesting({ browser: false });
-    const config = makeConfig();
-    expect(isAssistantFeatureFlagEnabled("browser", config)).toBe(false);
-  });
-
-  test("declared keys with no persisted override use registry default", () => {
-    const config = makeConfig();
-    // browser is declared in the registry with defaultEnabled: true
-    expect(isAssistantFeatureFlagEnabled("browser", config)).toBe(true);
-  });
-
-  test("app-builder-multifile defaults to enabled when no override is set", () => {
+    _setOverridesForTesting({ "some-undeclared-flag": false });
     const config = makeConfig();
-    expect(
-      isAssistantFeatureFlagEnabled(APP_BUILDER_MULTIFILE_FLAG_KEY, config),
-    ).toBe(true);
+    expect(isAssistantFeatureFlagEnabled("some-undeclared-flag", config)).toBe(
+      false,
+    );
   });
 });
 
@@ -176,11 +168,15 @@ describe("resolveSkillStates with feature flags", () => {
   test("flag OFF skill does not appear in resolved list", () => {
     _setOverridesForTesting({
       [DECLARED_FLAG_KEY]: false,
-      browser: true,
+      [ENABLED_UNDECLARED_FLAG_KEY]: true,
     });
     const catalog = [
       makeSkill(DECLARED_SKILL_ID, "bundled", DECLARED_FLAG_ID),
-      makeSkill("browser", "bundled", "browser"),
+      makeSkill(
+        ENABLED_UNDECLARED_SKILL_ID,
+        "bundled",
+        ENABLED_UNDECLARED_FLAG_KEY,
+      ),
     ];
     const config = makeConfig();
 
@@ -188,17 +184,21 @@ describe("resolveSkillStates with feature flags", () => {
     const ids = resolved.map((r) => r.summary.id);
 
     expect(ids).not.toContain(DECLARED_SKILL_ID);
-    expect(ids).toContain("browser");
+    expect(ids).toContain(ENABLED_UNDECLARED_SKILL_ID);
   });
 
   test("flag ON skill appears normally", () => {
     _setOverridesForTesting({
       [DECLARED_FLAG_KEY]: true,
-      browser: true,
+      [ENABLED_UNDECLARED_FLAG_KEY]: true,
     });
     const catalog = [
       makeSkill(DECLARED_SKILL_ID, "bundled", DECLARED_FLAG_ID),
-      makeSkill("browser", "bundled", "browser"),
+      makeSkill(
+        ENABLED_UNDECLARED_SKILL_ID,
+        "bundled",
+        ENABLED_UNDECLARED_FLAG_KEY,
+      ),
     ];
     const config = makeConfig();
 
@@ -206,17 +206,16 @@ describe("resolveSkillStates with feature flags", () => {
     const ids = resolved.map((r) => r.summary.id);
 
     expect(ids).toContain(DECLARED_SKILL_ID);
-    expect(ids).toContain("browser");
+    expect(ids).toContain(ENABLED_UNDECLARED_SKILL_ID);
   });
 
-  test("declared flag key defaults to registry value (true)", () => {
+  test("declared flag key defaults to registry value (false)", () => {
     const catalog = [makeSkill(DECLARED_SKILL_ID, "bundled", DECLARED_FLAG_ID)];
     const config = makeConfig();
 
     const resolved = resolveSkillStates(catalog, config);
-    // sounds registry default is true, so it passes through
-    expect(resolved.length).toBe(1);
-    expect(resolved[0].summary.id).toBe(DECLARED_SKILL_ID);
+    // email-channel registry default is false, so it is filtered out
+    expect(resolved.length).toBe(0);
   });
 
   test("skill without featureFlag is never flag-gated", () => {
@@ -259,12 +258,16 @@ describe("resolveSkillStates with feature flags", () => {
   test("multiple skills with mixed flags — persisted overrides respected", () => {
     _setOverridesForTesting({
       [DECLARED_FLAG_KEY]: false,
-      browser: true,
+      [ENABLED_UNDECLARED_FLAG_KEY]: true,
       deploy: false,
     });
     const catalog = [
       makeSkill(DECLARED_SKILL_ID, "bundled", DECLARED_FLAG_ID),
-      makeSkill("browser", "bundled", "browser"),
+      makeSkill(
+        ENABLED_UNDECLARED_SKILL_ID,
+        "bundled",
+        ENABLED_UNDECLARED_FLAG_KEY,
+      ),
       makeSkill("deploy", "bundled", "deploy"),
     ];
     const config = makeConfig();
@@ -272,8 +275,8 @@ describe("resolveSkillStates with feature flags", () => {
     const resolved = resolveSkillStates(catalog, config);
     const ids = resolved.map((r) => r.summary.id);
 
-    // sounds and deploy explicitly false; browser explicitly true
-    expect(ids).toEqual(["browser"]);
+    // email-channel and deploy explicitly false; one unrelated skill explicitly true
+    expect(ids).toEqual([ENABLED_UNDECLARED_SKILL_ID]);
   });
 });
 
@@ -282,15 +285,14 @@ describe("resolveSkillStates with feature flags", () => {
 // ---------------------------------------------------------------------------
 
 describe("resolveSkillStates with frontmatter featureFlag", () => {
-  test("skill with featureFlag (defaultEnabled: true) is included when no config override", () => {
-    // sounds has defaultEnabled: true in the registry
+  test("skill with featureFlag (defaultEnabled: false) is excluded when no config override", () => {
+    // email-channel has defaultEnabled: false in the registry
     const catalog = [makeSkill(DECLARED_SKILL_ID, "bundled", DECLARED_FLAG_ID)];
     const config = makeConfig();
 
     const resolved = resolveSkillStates(catalog, config);
-    // No override, registry default is true → passes through
-    expect(resolved.length).toBe(1);
-    expect(resolved[0].summary.id).toBe(DECLARED_SKILL_ID);
+    // No override, registry default is false → filtered out
+    expect(resolved.length).toBe(0);
   });
 
   test("skill with featureFlag is included when override enables it", () => {

package/src/__tests__/skill-load-feature-flag.test.ts

@@ -12,8 +12,8 @@ const TEST_DIR = process.env.VELLUM_WORKSPACE_DIR!;
 
 let currentConfig: Record<string, unknown> = {};
 
-const DECLARED_SKILL_ID = "sounds";
-const DECLARED_FLAG_KEY = "sounds";
+const DECLARED_SKILL_ID = "email-channel";
+const DECLARED_FLAG_KEY = "email-channel";
 
 const noopLogger = new Proxy({} as Record<string, unknown>, {
   get: (_target, prop) => (prop === "child" ? () => noopLogger : () => {}),
@@ -35,7 +35,6 @@ mock.module("../config/loader.js", () => ({
   getConfigReadOnly: () => currentConfig,
   loadConfig: () => currentConfig,
   loadRawConfig: () => ({}),
-  saveConfig: () => {},
   saveRawConfig: () => {},
   invalidateConfigCache: () => {},
   getNestedValue: () => undefined,
@@ -99,8 +98,8 @@ describe("skill_load feature flag enforcement", () => {
   test("returns deterministic error for flag OFF skill", async () => {
     writeSkill(
       DECLARED_SKILL_ID,
-      "Sounds",
-      "Toggle sounds behavior",
+      "Email Channel",
+      "Toggle email channel behavior",
       "Use the feature.",
     );
     writeFileSync(
@@ -120,8 +119,8 @@ describe("skill_load feature flag enforcement", () => {
   test("loads skill normally when flag is ON", async () => {
     writeSkill(
       DECLARED_SKILL_ID,
-      "Sounds",
-      "Toggle sounds behavior",
+      "Email Channel",
+      "Toggle email channel behavior",
       "Use the feature.",
     );
     writeFileSync(
@@ -134,14 +133,14 @@ describe("skill_load feature flag enforcement", () => {
     const result = await executeSkillLoad({ skill: DECLARED_SKILL_ID });
 
     expect(result.isError).toBe(false);
-    expect(result.content).toContain("Skill: Sounds");
+    expect(result.content).toContain("Skill: Email Channel");
   });
 
-  test("loads skill when flag key is absent (registry defaults to enabled)", async () => {
+  test("returns error when flag key is absent (registry defaults to disabled)", async () => {
     writeSkill(
       DECLARED_SKILL_ID,
-      "Sounds",
-      "Toggle sounds behavior",
+      "Email Channel",
+      "Toggle email channel behavior",
       "Use the feature.",
     );
     writeFileSync(
@@ -153,8 +152,8 @@ describe("skill_load feature flag enforcement", () => {
 
     const result = await executeSkillLoad({ skill: DECLARED_SKILL_ID });
 
-    // sounds is declared in the registry with defaultEnabled: true
-    expect(result.isError).toBe(false);
-    expect(result.content).toContain("Skill: Sounds");
+    // email-channel is declared in the registry with defaultEnabled: false
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("disabled by feature flag");
   });
 });

package/src/__tests__/skill-load-inline-command.test.ts

@@ -4,8 +4,6 @@
  * Validates that:
  * - Root skills with `!\`command\`` tokens get those tokens expanded exactly
  *   once at skill_load time, wrapped in <inline_skill_command> XML tags.
- * - When the feature flag is off, skill_load returns an error instead of
- *   leaving unresolved live tokens in the prompt.
  * - When the skill source is "extra", skill_load rejects with a specific error.
  * - Render failures produce stable inline stubs rather than raw stderr.
  */
@@ -14,8 +12,6 @@ import { mkdirSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
-
 // ── Test directory ────────────────────────────────────────────────────────────
 
 const TEST_DIR = process.env.VELLUM_WORKSPACE_DIR!;
@@ -93,7 +89,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => testConfig,
   loadConfig: () => testConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,
@@ -163,10 +158,6 @@ describe("skill_load inline command expansion", () => {
       ) => mockRunInlineCommand(command, workingDir),
     }));
 
-    // Enable the feature flag
-    _setOverridesForTesting({
-      "inline-skill-commands": true,
-    });
     testConfig.skills = { load: { extraDirs: [] } };
   });
 
@@ -255,48 +246,6 @@ describe("skill_load inline command expansion", () => {
     });
   });
 
-  // ── Feature flag off ─────────────────────────────────────────────────
-
-  describe("feature flag disabled", () => {
-    test("returns error when flag is off and skill has inline commands", async () => {
-      _setOverridesForTesting({
-        "inline-skill-commands": false,
-      });
-
-      writeSkill(
-        "flagged-off-skill",
-        "Flagged Off Skill",
-        "Has inline commands",
-        "Data: !`echo hello`",
-      );
-
-      const result = await executeSkillLoad({ skill: "flagged-off-skill" });
-      expect(result.isError).toBe(true);
-      expect(result.content).toContain(
-        "inline-skill-commands feature flag is disabled",
-      );
-      // Runner should not be called when flag is off
-      expect(runInlineCommandCalls).toHaveLength(0);
-    });
-
-    test("plain skill still loads when flag is off", async () => {
-      _setOverridesForTesting({
-        "inline-skill-commands": false,
-      });
-
-      writeSkill(
-        "plain-flag-off",
-        "Plain Flag Off",
-        "No inline commands",
-        "Regular content.",
-      );
-
-      const result = await executeSkillLoad({ skill: "plain-flag-off" });
-      expect(result.isError).toBe(false);
-      expect(result.content).toContain("Regular content.");
-    });
-  });
-
   // ── Extra source rejection ───────────────────────────────────────────
   //
   // The SkillLoadTool checks `skill.source === "extra"` and rejects inline

package/src/__tests__/skill-load-inline-includes.test.ts

@@ -16,8 +16,6 @@ import { mkdirSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
-
 // ── Test directory ────────────────────────────────────────────────────────────
 
 const TEST_DIR = process.env.VELLUM_WORKSPACE_DIR!;
@@ -95,7 +93,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => testConfig,
   loadConfig: () => testConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,
@@ -173,10 +170,6 @@ describe("skill_load inline command expansion for included skills", () => {
       ) => mockRunInlineCommand(command, workingDir),
     }));
 
-    // Enable the feature flag
-    _setOverridesForTesting({
-      "inline-skill-commands": true,
-    });
     testConfig.skills = { load: { extraDirs: [] } };
   });
 
@@ -514,42 +507,6 @@ describe("skill_load inline command expansion for included skills", () => {
     });
   });
 
-  // ── Feature flag off for child inline commands ────────────────────────
-
-  describe("feature flag disabled for included skills", () => {
-    test("skill_load returns error when child has inline commands and flag is off", async () => {
-      _setOverridesForTesting({
-        "inline-skill-commands": false,
-      });
-
-      writeSkill(
-        "child-flag-off",
-        "Flag Off Child",
-        "Child with inline cmds",
-        "Data: !`echo hello`",
-      );
-      writeSkill(
-        "parent-flag-off",
-        "Parent Flag Off",
-        "Parent for flag-off test",
-        "Root content.",
-        { includes: ["child-flag-off"] },
-      );
-
-      const result = await executeSkillLoad({ skill: "parent-flag-off" });
-      // Fail closed: the entire skill_load must error when any included child
-      // has inline commands and the feature flag is off, matching the root
-      // skill behavior and the documented fail-closed contract.
-      expect(result.isError).toBe(true);
-      expect(result.content).toContain("child-flag-off");
-      expect(result.content).toContain(
-        "inline-skill-commands feature flag is disabled",
-      );
-      // Runner should not be called
-      expect(runInlineCommandCalls).toHaveLength(0);
-    });
-  });
-
   // ── Root with inline + child with inline ──────────────────────────────
 
   describe("root and child both have inline commands", () => {

package/src/__tests__/skill-projection.benchmark.test.ts

@@ -28,7 +28,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => ({}),
   loadConfig: () => ({}),
   applyNestedDefaults: (c: unknown) => c,
-  saveConfig: () => {},
   invalidateConfigCache: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},

package/src/__tests__/skill-script-runner-sandbox.test.ts

@@ -28,7 +28,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/slack-channel-config.test.ts

@@ -61,7 +61,6 @@ mock.module("../config/loader.js", () => ({
   saveRawConfig: (raw: Record<string, unknown>) => {
     configStore = structuredClone(raw);
   },
-  saveConfig: () => {},
   invalidateConfigCache: () => {},
   setNestedValue,
 }));
@@ -438,11 +437,7 @@ describe("Slack channel config handler", () => {
   });
 
   test("POST rejects user token with invalid prefix", async () => {
-    const result = await setSlackChannelConfig(
-      undefined,
-      undefined,
-      "abc-123",
-    );
+    const result = await setSlackChannelConfig(undefined, undefined, "abc-123");
     expect(result.success).toBe(false);
     expect(result.error).toContain("xoxp-");
     // Nothing was stored.
@@ -660,9 +655,7 @@ describe("Slack channel config handler", () => {
     expect(
       await getSecureKeyAsync(credentialKey("slack_channel", "user_token")),
     ).toBe("xoxp-still-valid");
-    expect(
-      getCredentialMetadata("slack_channel", "user_token"),
-    ).toBeDefined();
+    expect(getCredentialMetadata("slack_channel", "user_token")).toBeDefined();
 
     // No warning about user_token removal — nothing was removed.
     expect(result.warning ?? "").not.toContain("User token");
@@ -697,10 +690,10 @@ describe("Slack channel config handler", () => {
       }
       if (auth === "Bearer xoxp-workspace-a") {
         // Workspace mismatch — handler will try to clear the user_token.
-        return new Response(
-          JSON.stringify({ ok: true, team_id: "T_A" }),
-          { status: 200, headers: { "content-type": "application/json" } },
-        );
+        return new Response(JSON.stringify({ ok: true, team_id: "T_A" }), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        });
       }
       throw new Error(`Unexpected auth header: ${auth}`);
     }) as unknown as typeof globalThis.fetch;
@@ -808,7 +801,9 @@ describe("Slack channel config handler", () => {
     expect(
       await getSecureKeyAsync(credentialKey("slack_channel", "user_token")),
     ).toBeUndefined();
-    expect(getCredentialMetadata("slack_channel", "user_token")).toBeUndefined();
+    expect(
+      getCredentialMetadata("slack_channel", "user_token"),
+    ).toBeUndefined();
   });
 
   test("clearSlackUserToken leaves bot+app tokens and oauth_connection intact", async () => {

package/src/__tests__/system-prompt-ask-mode.test.ts

@@ -49,7 +49,6 @@ mock.module("../config/loader.js", () => ({
   }),
   loadConfig: () => ({}),
   loadRawConfig: () => ({}),
-  saveConfig: () => {},
   saveRawConfig: () => {},
   invalidateConfigCache: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/system-prompt.test.ts

@@ -55,7 +55,6 @@ mock.module("../config/loader.js", () => ({
   }),
   loadConfig: () => mockLoadedConfig,
   loadRawConfig: () => ({}),
-  saveConfig: () => {},
   saveRawConfig: () => {},
   invalidateConfigCache: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/telegram-config.test.ts

@@ -13,7 +13,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => ({ telegram: {}, ui: {} }),
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
-  saveConfig: () => {},
   invalidateConfigCache: () => {},
   setNestedValue: () => {},
 }));

package/src/__tests__/test-preload.ts

@@ -17,6 +17,7 @@ import { join } from "node:path";
 import { afterAll } from "bun:test";
 
 import { installGatewayIpcMock } from "../__tests__/mock-gateway-ipc.js";
+import { _setOverridesForTesting } from "../config/assistant-feature-flags.js";
 import { resetDb } from "../memory/db-connection.js";
 import { _setStorePath } from "../security/encrypted-store.js";
 
@@ -36,6 +37,13 @@ _setStorePath(join(testDir, "keys.enc"));
 // Tests that need to control IPC responses use mockGatewayIpc() / resetMockGatewayIpc().
 installGatewayIpcMock();
 
+// Pre-populate the feature-flag override cache so `initFeatureFlagOverrides()`
+// short-circuits its retry loop — there is no real gateway in tests, and the
+// retry backoff would otherwise exceed the per-test timeout for any test that
+// builds the CLI program. Tests exercising the retry behavior call
+// `clearFeatureFlagOverridesCache()` first.
+_setOverridesForTesting({});
+
 // Force-close any DB connection inherited from the parent process (e.g. when
 // the test runner is spawned by the running assistant via a pre-push hook).
 // Without this, the db singleton in db-connection.ts may still point at the

package/src/__tests__/tool-approval-handler.test.ts

@@ -518,7 +518,7 @@ describe("ToolApprovalHandler / pre-exec gate grant check", () => {
     }
   });
 
-  test("trusted contact bypasses tool grants for sandboxed side-effect tools", async () => {
+  test("trusted contact requires grant for sandboxed side-effect tools", async () => {
     const result = await handler.checkPreExecutionGates(
       "bash",
       { command: "echo hello" },
@@ -529,12 +529,11 @@ describe("ToolApprovalHandler / pre-exec gate grant check", () => {
       emitLifecycleEvent,
     );
 
-    expect(result.allowed).toBe(true);
+    expect(result.allowed).toBe(false);
     expect(events.filter((e) => e.type === "permission_denied")).toHaveLength(
-      0,
+      1,
     );
   });
-
 });
 
 afterAll(() => {

package/src/__tests__/tool-audit-listener.test.ts

@@ -64,6 +64,54 @@ describe("tool audit listener", () => {
     expect(records[1].decision).toBe("denied");
   });
 
+  test("redacts known-pattern secrets in tool result content before recording", () => {
+    const records: ToolInvocationRecord[] = [];
+    const listener = createToolAuditListener((record) => records.push(record));
+
+    // Anthropic key pattern requires 80+ chars after "sk-ant-"
+    const anthropicKey =
+      "sk-ant-api03-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" +
+      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+    listener({
+      type: "executed",
+      toolName: "bash",
+      input: { command: "echo $ANTHROPIC_API_KEY" },
+      workingDir: "/tmp",
+      conversationId: "conv-redact",
+      riskLevel: "low",
+      decision: "allow",
+      durationMs: 5,
+      result: { content: `key=${anthropicKey}`, isError: false },
+    });
+
+    expect(records).toHaveLength(1);
+    expect(records[0].result).not.toContain("sk-ant-api03-");
+    expect(records[0].result).toContain("<redacted");
+  });
+
+  test("does not redact non-secret content like UUIDs or hashes", () => {
+    const records: ToolInvocationRecord[] = [];
+    const listener = createToolAuditListener((record) => records.push(record));
+
+    const safeContent =
+      "file id: 550e8400-e29b-41d4-a716-446655440000, sha: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2";
+
+    listener({
+      type: "executed",
+      toolName: "file_read",
+      input: { path: "/tmp/data" },
+      workingDir: "/tmp",
+      conversationId: "conv-safe",
+      riskLevel: "low",
+      decision: "allow",
+      durationMs: 3,
+      result: { content: safeContent, isError: false },
+    });
+
+    expect(records).toHaveLength(1);
+    expect(records[0].result).toBe(safeContent);
+  });
+
   test("records error events and ignores non-terminal events", () => {
     const records: ToolInvocationRecord[] = [];
     const listener = createToolAuditListener((record) => records.push(record));