npm - @vellumai/assistant - Versions diffs - 0.7.1 → 0.7.2 - Mend

@vellumai/assistant 0.7.1 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (535) hide show

package/ARCHITECTURE.md +32 -49
package/Dockerfile +1 -0
package/README.md +1 -2
package/__tests__/permissions/gateway-threshold-reader.test.ts +9 -3
package/bun.lock +26 -26
package/docs/architecture/security.md +20 -0
package/docs/plugins.md +7 -9
package/knip.json +1 -0
package/node_modules/@vellumai/gateway-client/src/index.ts +1 -0
package/node_modules/@vellumai/gateway-client/src/ipc-client.ts +39 -1
package/node_modules/@vellumai/gateway-client/src/types.ts +11 -0
package/node_modules/@vellumai/service-contracts/package.json +2 -0
package/node_modules/@vellumai/service-contracts/src/__tests__/contracts.test.ts +4 -0
package/node_modules/@vellumai/service-contracts/src/__tests__/ingress.test.ts +107 -0
package/node_modules/@vellumai/service-contracts/src/index.ts +5 -1
package/node_modules/@vellumai/service-contracts/src/ingress.ts +24 -0
package/node_modules/@vellumai/service-contracts/src/twilio-ingress.ts +84 -0
package/node_modules/@vellumai/skill-host-contracts/src/assistant-event.ts +9 -0
package/node_modules/@vellumai/twilio-client/bun.lock +24 -0
package/node_modules/@vellumai/twilio-client/package.json +18 -0
package/node_modules/@vellumai/twilio-client/src/__tests__/twilio-client.test.ts +128 -0
package/node_modules/@vellumai/twilio-client/src/index.ts +179 -0
package/node_modules/@vellumai/twilio-client/tsconfig.json +20 -0
package/openapi.yaml +565 -12
package/package.json +6 -3
package/src/__tests__/app-builder-tool-scripts.test.ts +3 -3
package/src/__tests__/app-bundler.test.ts +170 -1
package/src/__tests__/app-control-flow.test.ts +374 -0
package/src/__tests__/app-control-no-global-cgevent.test.ts +98 -0
package/src/__tests__/app-control-tool-schemas.test.ts +621 -0
package/src/__tests__/app-executors.test.ts +30 -43
package/src/__tests__/approval-routes-http.test.ts +23 -6
package/src/__tests__/assistant-event-hub-machine-name.test.ts +146 -0
package/src/__tests__/assistant-event-hub-targeted.test.ts +257 -0
package/src/__tests__/assistant-event-hub.test.ts +109 -2
package/src/__tests__/assistant-event.test.ts +10 -0
package/src/__tests__/assistant-events-sse-hardening.test.ts +7 -2
package/src/__tests__/assistant-feature-flags-integration.test.ts +11 -7
package/src/__tests__/background-shell-host-bash.test.ts +14 -15
package/src/__tests__/bootstrap-turn-cleanup.test.ts +44 -0
package/src/__tests__/btw-routes.test.ts +13 -4
package/src/__tests__/call-controller.test.ts +49 -1
package/src/__tests__/call-domain.test.ts +0 -2
package/src/__tests__/call-routes-http.test.ts +0 -2
package/src/__tests__/channel-readiness-service.test.ts +59 -1
package/src/__tests__/checker.test.ts +3 -4
package/src/__tests__/config-loader-backfill.test.ts +90 -155
package/src/__tests__/config-loader-platform-defaults.test.ts +196 -0
package/src/__tests__/config-schema-cmd.test.ts +0 -1
package/src/__tests__/config-set-platform-guard.test.ts +48 -4
package/src/__tests__/config-watcher-cleanup-throttle.test.ts +2 -2
package/src/__tests__/config-watcher.test.ts +2 -2
package/src/__tests__/conversation-app-control-instantiation.test.ts +392 -0
package/src/__tests__/conversation-app-control-lifecycle.test.ts +237 -0
package/src/__tests__/conversation-init.benchmark.test.ts +0 -2
package/src/__tests__/conversation-lifecycle.test.ts +36 -0
package/src/__tests__/conversation-process-app-control-preactivation.test.ts +283 -0
package/src/__tests__/conversation-routes-disk-view.test.ts +6 -0
package/src/__tests__/conversation-routes-guardian-reply.test.ts +120 -72
package/src/__tests__/conversation-routes-slash-commands.test.ts +1 -0
package/src/__tests__/conversation-slash-commands.test.ts +0 -4
package/src/__tests__/conversation-surfaces-action-delivery.test.ts +202 -0
package/src/__tests__/conversation-surfaces-app-control.test.ts +317 -0
package/src/__tests__/credential-execution-feature-gates.test.ts +5 -12
package/src/__tests__/credential-execution-managed-contract.test.ts +3 -131
package/src/__tests__/credentials-cli.test.ts +5 -12
package/src/__tests__/cu-unified-flow.test.ts +185 -23
package/src/__tests__/daemon-credential-client.test.ts +101 -19
package/src/__tests__/db-schedule-syntax-migration.test.ts +2 -0
package/src/__tests__/dynamic-skill-workflow-prompt.test.ts +0 -1
package/src/__tests__/gateway-only-enforcement.test.ts +0 -1
package/src/__tests__/guardian-verification-voice-binding.test.ts +0 -2
package/src/__tests__/handlers-skills-memory-v2-reseed.test.ts +0 -2
package/src/__tests__/handlers-user-message-approval-consumption.test.ts +0 -1
package/src/__tests__/heartbeat-service.test.ts +718 -1
package/src/__tests__/helpers/call-route-handler.ts +7 -1
package/src/__tests__/host-app-control-proxy.test.ts +602 -0
package/src/__tests__/host-app-control-routes.test.ts +263 -0
package/src/__tests__/host-bash-proxy.test.ts +246 -47
package/src/__tests__/host-bash-routes.test.ts +294 -0
package/src/__tests__/host-browser-proxy.test.ts +24 -22
package/src/__tests__/host-browser-routes.test.ts +39 -13
package/src/__tests__/host-cu-proxy.test.ts +41 -52
package/src/__tests__/host-cu-routes-targeted.test.ts +300 -0
package/src/__tests__/host-file-edit-tool.test.ts +47 -1
package/src/__tests__/host-file-proxy-targeted.test.ts +339 -0
package/src/__tests__/host-file-proxy.test.ts +37 -43
package/src/__tests__/host-file-read-tool.test.ts +17 -0
package/src/__tests__/host-file-routes-targeted.test.ts +262 -0
package/src/__tests__/host-file-write-tool.test.ts +42 -1
package/src/__tests__/host-proxy-base.test.ts +312 -0
package/src/__tests__/host-shell-tool.test.ts +22 -4
package/src/__tests__/host-transfer-proxy-targeted.test.ts +583 -0
package/src/__tests__/host-transfer-proxy.test.ts +121 -22
package/src/__tests__/host-transfer-routes-targeted.test.ts +447 -0
package/src/__tests__/http-user-message-parity.test.ts +1 -0
package/src/__tests__/identity-intro-cache.test.ts +29 -0
package/src/__tests__/identity-routes.test.ts +103 -1
package/src/__tests__/init-feature-flag-overrides.test.ts +26 -3
package/src/__tests__/inline-command-runner.test.ts +0 -1
package/src/__tests__/inline-skill-load-permissions.test.ts +5 -11
package/src/__tests__/integration-status.test.ts +85 -5
package/src/__tests__/intent-routing.test.ts +0 -1
package/src/__tests__/jobs-store-qdrant-breaker.test.ts +95 -5
package/src/__tests__/lifecycle-memory-v2-seed.test.ts +17 -0
package/src/__tests__/managed-skill-lifecycle.test.ts +0 -1
package/src/__tests__/mcp-auth-routes.test.ts +197 -0
package/src/__tests__/mcp-cli.test.ts +338 -2
package/src/__tests__/memory-jobs-worker-lanes.test.ts +188 -0
package/src/__tests__/migration-import-commit-http.test.ts +108 -2
package/src/__tests__/mock-gateway-ipc.ts +1 -0
package/src/__tests__/oauth-cli.test.ts +0 -2
package/src/__tests__/oauth2-gateway-transport.test.ts +0 -1
package/src/__tests__/persistence-secret-redaction.test.ts +299 -0
package/src/__tests__/platform-bash-auto-approve.test.ts +5 -9
package/src/__tests__/prechat-onboarding-contract.test.ts +3 -1
package/src/__tests__/process-message-background-slack.test.ts +2 -0
package/src/__tests__/provider-commit-message-generator.test.ts +0 -1
package/src/__tests__/public-ingress-urls.test.ts +97 -0
package/src/__tests__/require-fresh-approval.test.ts +0 -1
package/src/__tests__/retry-backoff.test.ts +87 -0
package/src/__tests__/runtime-events-sse.test.ts +10 -6
package/src/__tests__/sanitize-config-for-transfer.test.ts +24 -2
package/src/__tests__/schedule-retry.test.ts +715 -0
package/src/__tests__/script-proxy-mitm-handler.test.ts +1 -1
package/src/__tests__/secret-ingress-http.test.ts +1 -0
package/src/__tests__/send-endpoint-busy.test.ts +3 -0
package/src/__tests__/shell-tool-proxy-mode.test.ts +0 -1
package/src/__tests__/skill-feature-flags.test.ts +43 -41
package/src/__tests__/skill-load-feature-flag.test.ts +13 -14
package/src/__tests__/skill-load-inline-command.test.ts +0 -51
package/src/__tests__/skill-load-inline-includes.test.ts +0 -43
package/src/__tests__/skill-projection.benchmark.test.ts +0 -1
package/src/__tests__/skill-script-runner-sandbox.test.ts +0 -1
package/src/__tests__/slack-channel-config.test.ts +9 -14
package/src/__tests__/system-prompt-ask-mode.test.ts +0 -1
package/src/__tests__/system-prompt.test.ts +0 -1
package/src/__tests__/telegram-config.test.ts +0 -1
package/src/__tests__/test-preload.ts +8 -0
package/src/__tests__/tool-approval-handler.test.ts +3 -4
package/src/__tests__/tool-audit-listener.test.ts +48 -0
package/src/__tests__/tool-execute-pipeline.test.ts +0 -1
package/src/__tests__/tool-execution-abort-cleanup.test.ts +0 -1
package/src/__tests__/tool-executor-lifecycle-events.test.ts +0 -1
package/src/__tests__/tool-executor.test.ts +0 -1
package/src/__tests__/twilio-config.test.ts +3 -16
package/src/__tests__/twilio-routes.test.ts +3 -5
package/src/__tests__/twilio-validation.test.ts +93 -0
package/src/__tests__/vellum-self-knowledge-inline-command.test.ts +1 -4
package/src/__tests__/verification-control-plane-policy.test.ts +2 -4
package/src/__tests__/voice-ingress-preflight.test.ts +19 -0
package/src/__tests__/workspace-migration-006-services-config.test.ts +3 -2
package/src/__tests__/workspace-migration-backfill-installation-id.test.ts +1 -5
package/src/__tests__/workspace-migration-down-functions.test.ts +8 -8
package/src/__tests__/workspace-migration-unify-llm-callsite-configs.test.ts +10 -6
package/src/backup/__tests__/paths.test.ts +0 -22
package/src/backup/__tests__/restore.test.ts +51 -151
package/src/backup/paths.ts +2 -18
package/src/backup/restore.ts +107 -231
package/src/bundler/app-bundler.ts +51 -3
package/src/calls/relay-server.ts +4 -44
package/src/calls/twilio-config.ts +2 -17
package/src/calls/twilio-rest.ts +33 -105
package/src/calls/twilio-routes.ts +11 -12
package/src/channels/types.ts +8 -7
package/src/cli/commands/__tests__/backup.test.ts +6 -277
package/src/cli/commands/__tests__/gateway.test.ts +288 -0
package/src/cli/commands/__tests__/memory-v2.test.ts +4 -0
package/src/cli/commands/__tests__/webhooks.test.ts +0 -1
package/src/cli/commands/backup.ts +6 -331
package/src/cli/commands/clients.ts +36 -37
package/src/cli/commands/contacts.ts +73 -0
package/src/cli/commands/conversations.ts +2 -5
package/src/cli/commands/credentials.ts +15 -7
package/src/cli/commands/domain.ts +66 -15
package/src/cli/commands/gateway.ts +183 -0
package/src/cli/commands/keys.ts +9 -6
package/src/cli/commands/mcp.ts +116 -156
package/src/cli/commands/memory-v2.ts +296 -1
package/src/cli/commands/platform/__tests__/callback-routes-list.test.ts +0 -1
package/src/cli/commands/platform/__tests__/connect.test.ts +0 -2
package/src/cli/commands/platform/__tests__/disconnect.test.ts +0 -2
package/src/cli/commands/platform/__tests__/status.test.ts +13 -15
package/src/cli/commands/platform/disconnect.ts +5 -4
package/src/cli/commands/platform/index.ts +0 -18
package/src/cli/lib/daemon-credential-client.ts +110 -28
package/src/cli/program.ts +2 -0
package/src/config/assistant-feature-flags.ts +67 -10
package/src/config/bundled-skills/acp/SKILL.md +6 -0
package/src/config/bundled-skills/acp/TOOLS.json +1 -22
package/src/config/bundled-skills/app-builder/SKILL.md +14 -109
package/src/config/bundled-skills/app-builder/TOOLS.json +1 -28
package/src/config/bundled-skills/app-builder/tools/app-create.ts +1 -10
package/src/config/bundled-skills/app-control/SKILL.md +75 -0
package/src/config/bundled-skills/app-control/TOOLS.json +299 -0
package/src/config/bundled-skills/app-control/tools/app-control-click.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-combo.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-drag.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-observe.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-press.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-sequence.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-start.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-stop.ts +12 -0
package/src/config/bundled-skills/app-control/tools/app-control-type.ts +12 -0
package/src/config/bundled-skills/computer-use/SKILL.md +6 -0
package/src/config/bundled-skills/computer-use/TOOLS.json +67 -43
package/src/config/bundled-skills/contacts/TOOLS.json +0 -16
package/src/config/bundled-skills/document/TOOLS.json +0 -8
package/src/config/bundled-skills/followups/TOOLS.json +0 -12
package/src/config/bundled-skills/image-studio/SKILL.md +4 -0
package/src/config/bundled-skills/image-studio/TOOLS.json +0 -4
package/src/config/bundled-skills/media-processing/TOOLS.json +0 -24
package/src/config/bundled-skills/messaging/TOOLS.json +0 -40
package/src/config/bundled-skills/phone-calls/TOOLS.json +0 -12
package/src/config/bundled-skills/phone-calls/references/TROUBLESHOOTING.md +19 -4
package/src/config/bundled-skills/playbooks/TOOLS.json +0 -16
package/src/config/bundled-skills/schedule/TOOLS.json +14 -14
package/src/config/bundled-skills/sequences/TOOLS.json +0 -36
package/src/config/bundled-skills/settings/SKILL.md +4 -0
package/src/config/bundled-skills/settings/TOOLS.json +0 -12
package/src/config/bundled-skills/skill-management/SKILL.md +6 -0
package/src/config/bundled-skills/skill-management/TOOLS.json +0 -8
package/src/config/bundled-skills/subagent/SKILL.md +6 -2
package/src/config/bundled-skills/subagent/TOOLS.json +0 -20
package/src/config/bundled-skills/transcribe/SKILL.md +4 -0
package/src/config/bundled-skills/transcribe/TOOLS.json +0 -4
package/src/config/bundled-tool-registry.ts +21 -0
package/src/config/env-registry.ts +0 -2
package/src/config/env.ts +19 -12
package/src/config/feature-flag-registry.json +21 -133
package/src/config/loader.ts +73 -99
package/src/config/sanitize-for-transfer.ts +2 -0
package/src/config/schemas/__tests__/memory-lifecycle.test.ts +80 -0
package/src/config/schemas/__tests__/memory-v2.test.ts +7 -4
package/src/config/schemas/calls.ts +0 -9
package/src/config/schemas/heartbeat.ts +63 -0
package/src/config/schemas/ingress.ts +10 -6
package/src/config/schemas/llm.ts +5 -10
package/src/config/schemas/memory-lifecycle.ts +77 -24
package/src/config/schemas/memory-v2.ts +48 -4
package/src/config/schemas/platform.ts +6 -0
package/src/config/schemas/services.ts +1 -15
package/src/config/schemas/skills.ts +0 -6
package/src/config/seed-inference-profiles.ts +1 -1
package/src/contacts/contact-store.ts +0 -30
package/src/contacts/contacts-write.ts +0 -27
package/src/context/window-manager.ts +1 -2
package/src/credential-execution/feature-gates.ts +10 -10
package/src/credential-execution/process-manager.ts +12 -41
package/src/daemon/__tests__/conversation-tool-setup.test.ts +126 -5
package/src/daemon/bootstrap-turn-cleanup.ts +45 -0
package/src/daemon/config-watcher.ts +4 -3
package/src/daemon/conversation-agent-loop-handlers.ts +21 -3
package/src/daemon/conversation-agent-loop.ts +32 -28
package/src/daemon/conversation-lifecycle.ts +8 -1
package/src/daemon/conversation-process.ts +16 -11
package/src/daemon/conversation-runtime-assembly.ts +2 -2
package/src/daemon/conversation-surfaces.ts +125 -4
package/src/daemon/conversation-tool-setup.ts +16 -55
package/src/daemon/conversation.ts +21 -2
package/src/daemon/doordash-steps.ts +1 -1
package/src/daemon/handlers/shared.ts +4 -1
package/src/daemon/host-app-control-proxy.ts +293 -0
package/src/daemon/host-bash-proxy.ts +84 -74
package/src/daemon/host-browser-proxy.ts +67 -82
package/src/daemon/host-cu-proxy.ts +81 -86
package/src/daemon/host-file-proxy.ts +93 -69
package/src/daemon/host-proxy-base.ts +294 -0
package/src/daemon/host-proxy-preactivation.ts +82 -0
package/src/daemon/host-transfer-proxy.ts +247 -129
package/src/daemon/lifecycle.ts +115 -117
package/src/daemon/message-protocol.ts +3 -8
package/src/daemon/message-types/contacts.ts +23 -1
package/src/daemon/message-types/conversations.ts +11 -8
package/src/daemon/message-types/host-app-control.ts +150 -0
package/src/daemon/message-types/host-bash.ts +4 -0
package/src/daemon/message-types/host-cu.ts +2 -0
package/src/daemon/message-types/host-file.ts +4 -0
package/src/daemon/message-types/host-transfer.ts +3 -0
package/src/daemon/message-types/schedules.ts +8 -3
package/src/daemon/message-types/skills.ts +2 -2
package/src/daemon/process-message.ts +18 -1
package/src/daemon/shutdown-handlers.ts +0 -3
package/src/daemon/tool-setup-types.ts +51 -0
package/src/daemon/tool-side-effects.ts +1 -1
package/src/events/tool-audit-listener.ts +2 -1
package/src/heartbeat/__tests__/heartbeat-feed-event.test.ts +15 -7
package/src/heartbeat/__tests__/heartbeat-run-store.test.ts +216 -0
package/src/heartbeat/heartbeat-run-store.ts +236 -0
package/src/heartbeat/heartbeat-service.ts +280 -49
package/src/home/__tests__/post-connect-feed.test.ts +99 -0
package/src/home/__tests__/relationship-state-writer.test.ts +11 -9
package/src/home/__tests__/suggested-prompts.test.ts +89 -0
package/src/home/post-connect-feed.ts +68 -0
package/src/home/relationship-state-writer.ts +17 -92
package/src/home/suggested-prompts.ts +46 -10
package/src/inbound/public-ingress-urls.ts +32 -34
package/src/ipc/__tests__/route-error-envelope.test.ts +80 -0
package/src/ipc/assistant-server.ts +14 -1
package/src/ipc/cli-client.ts +32 -1
package/src/live-voice/live-voice-metrics.ts +10 -10
package/src/mcp/__tests__/mcp-auth-orchestrator.test.ts +304 -0
package/src/mcp/mcp-auth-orchestrator.ts +213 -0
package/src/mcp/mcp-auth-state.ts +133 -0
package/src/mcp/mcp-oauth-provider.ts +19 -0
package/src/memory/__tests__/jobs-store-job-classes.test.ts +24 -0
package/src/memory/__tests__/qdrant-client-sentinel.test.ts +49 -0
package/src/memory/__tests__/sparse-tokenize.test.ts +66 -0
package/src/memory/anisotropy.test.ts +247 -0
package/src/memory/anisotropy.ts +443 -0
package/src/memory/auto-analysis-constants.ts +17 -0
package/src/memory/auto-analysis-guard.ts +5 -15
package/src/memory/canonical-guardian-store.ts +7 -7
package/src/memory/context-search/__tests__/agent-runner-redaction.test.ts +122 -0
package/src/memory/context-search/agent-protocol.ts +6 -6
package/src/memory/context-search/agent-runner.ts +32 -7
package/src/memory/context-search/sources/memory-v2.ts +17 -5
package/src/memory/conversation-crud.ts +1 -1
package/src/memory/conversation-key-store.ts +2 -15
package/src/memory/db-init.ts +4 -0
package/src/memory/embedding-backend.ts +9 -21
package/src/memory/graph/__tests__/conversation-graph-memory-v2-routing.test.ts +49 -4
package/src/memory/graph/conversation-graph-memory.ts +1 -24
package/src/memory/graph/graph-search.ts +8 -0
package/src/memory/graph/retriever.ts +28 -0
package/src/memory/graph/tools.ts +1 -1
package/src/memory/jobs/__tests__/embed-concept-page.test.ts +8 -2
package/src/memory/jobs/embed-concept-page.ts +28 -2
package/src/memory/jobs/embed-pkb-file.test.ts +2 -2
package/src/memory/jobs-store.ts +66 -22
package/src/memory/jobs-worker.ts +112 -63
package/src/memory/memory-v2-activation-log-store.ts +1 -1
package/src/memory/migrations/237-heartbeat-runs.ts +45 -0
package/src/memory/migrations/238-schedule-retry-policy.ts +20 -0
package/src/memory/migrations/index.ts +5 -0
package/src/memory/migrations/registry.ts +8 -0
package/src/memory/pkb/pkb-search.ts +7 -0
package/src/memory/qdrant-client.ts +50 -20
package/src/memory/schema/infrastructure.ts +15 -0
package/src/memory/search/semantic.ts +7 -0
package/src/memory/sparse-tokenize.ts +49 -0
package/src/memory/v2/__tests__/activation.test.ts +77 -95
package/src/memory/v2/__tests__/injection.test.ts +43 -21
package/src/memory/v2/__tests__/sim.test.ts +166 -6
package/src/memory/v2/__tests__/sparse-bm25.test.ts +292 -0
package/src/memory/v2/__tests__/static-context.test.ts +0 -1
package/src/memory/v2/activation.ts +69 -88
package/src/memory/v2/consolidation-job.ts +3 -5
package/src/memory/v2/constants.ts +7 -0
package/src/memory/v2/injection.ts +86 -53
package/src/memory/v2/prompts/consolidation.ts +312 -91
package/src/memory/v2/qdrant.ts +99 -1
package/src/memory/v2/sim.ts +126 -16
package/src/memory/v2/skill-qdrant.ts +12 -3
package/src/memory/v2/skill-store.ts +16 -1
package/src/memory/v2/sparse-bm25.ts +245 -0
package/src/memory/v2/static-context.ts +6 -5
package/src/messaging/providers/gmail/types.ts +0 -49
package/src/messaging/providers/slack/adapter.ts +1 -31
package/src/messaging/providers/slack/types.ts +0 -32
package/src/notifications/README.md +10 -10
package/src/notifications/broadcaster.ts +1 -1
package/src/notifications/guardian-question-mode.ts +5 -5
package/src/oauth/connect-orchestrator.ts +4 -0
package/src/oauth/credential-token-resolver.ts +1 -3
package/src/oauth/manual-token-connection.ts +0 -4
package/src/outbound-proxy/index.ts +1 -37
package/src/outbound-proxy/logging.ts +1 -1
package/src/outbound-proxy/policy.ts +6 -5
package/src/outbound-proxy/router.ts +2 -1
package/src/permissions/approval-policy.test.ts +6 -275
package/src/permissions/approval-policy.ts +0 -51
package/src/permissions/checker.test.ts +0 -1
package/src/permissions/checker.ts +3 -17
package/src/permissions/gateway-threshold-reader.ts +2 -0
package/src/permissions/prompter.ts +34 -1
package/src/permissions/secret-prompter.ts +6 -2
package/src/prompts/bootstrap-cleanup.ts +27 -0
package/src/prompts/system-prompt.ts +3 -18
package/src/prompts/templates/SOUL.md +13 -1
package/src/providers/speech-to-text/provider-catalog.ts +7 -8
package/src/runtime/assistant-event-hub.ts +118 -96
package/src/runtime/assistant-event.ts +1 -0
package/src/runtime/auth/__tests__/middleware.test.ts +11 -56
package/src/runtime/auth/middleware.ts +0 -96
package/src/runtime/auth/route-policy.ts +19 -0
package/src/runtime/btw-sidechain.ts +2 -3
package/src/runtime/channel-invite-transport.ts +2 -48
package/src/runtime/channel-invite-transports/email.ts +1 -1
package/src/runtime/channel-invite-transports/slack.ts +1 -1
package/src/runtime/channel-invite-transports/telegram.ts +1 -1
package/src/runtime/channel-invite-transports/voice.ts +1 -1
package/src/runtime/channel-invite-transports/whatsapp.ts +1 -1
package/src/runtime/channel-invite-types.ts +54 -0
package/src/runtime/channel-readiness-service.ts +32 -13
package/src/runtime/http-server.ts +3 -329
package/src/runtime/http-types.ts +0 -5
package/src/runtime/migrations/__tests__/vbundle-import-parity.test.ts +413 -0
package/src/runtime/migrations/__tests__/vbundle-import-policy.test.ts +260 -0
package/src/runtime/migrations/__tests__/vbundle-import-version-compat.test.ts +189 -0
package/src/runtime/migrations/__tests__/vbundle-streaming-importer.test.ts +153 -1
package/src/runtime/migrations/__tests__/vbundle-symlink-importer.test.ts +451 -0
package/src/runtime/migrations/__tests__/vbundle-symlink-streaming-importer.test.ts +0 -0
package/src/runtime/migrations/__tests__/vbundle-symlink-streaming.test.ts +515 -0
package/src/runtime/migrations/__tests__/vbundle-symlink-tar.test.ts +437 -0
package/src/runtime/migrations/__tests__/vbundle-symlink-walker.test.ts +319 -0
package/src/runtime/migrations/__tests__/vbundle-validator-v1-schema.test.ts +51 -1
package/src/runtime/migrations/migration-transport.ts +7 -7
package/src/runtime/migrations/vbundle-builder.ts +327 -60
package/src/runtime/migrations/vbundle-import-analyzer.ts +4 -4
package/src/runtime/migrations/vbundle-import-policy.ts +172 -0
package/src/runtime/migrations/vbundle-importer.ts +245 -68
package/src/runtime/migrations/vbundle-streaming-importer.ts +326 -35
package/src/runtime/migrations/vbundle-streaming-validator.ts +157 -4
package/src/runtime/migrations/vbundle-tar-stream.ts +15 -6
package/src/runtime/migrations/vbundle-validator.ts +114 -0
package/src/runtime/pending-interactions.ts +35 -9
package/src/runtime/routes/__tests__/backup-routes.test.ts +22 -150
package/src/runtime/routes/__tests__/conversation-query-routes.test.ts +98 -0
package/src/runtime/routes/__tests__/gateway-log-routes.test.ts +242 -0
package/src/runtime/routes/__tests__/heartbeat-routes.test.ts +112 -0
package/src/runtime/routes/approval-interception-types.ts +13 -0
package/src/runtime/routes/approval-strategies/guardian-text-engine-strategy.ts +1 -1
package/src/runtime/routes/backup-routes.ts +15 -38
package/src/runtime/routes/btw-routes.ts +14 -37
package/src/runtime/routes/client-routes.ts +1 -0
package/src/runtime/routes/contact-prompt-routes.ts +183 -0
package/src/runtime/routes/conversation-query-routes.ts +36 -1
package/src/runtime/routes/conversation-routes.ts +30 -13
package/src/runtime/routes/document-pdf-renderer.ts +165 -0
package/src/runtime/routes/documents-routes.ts +30 -0
package/src/runtime/routes/errors.ts +19 -4
package/src/runtime/routes/events-routes.ts +12 -6
package/src/runtime/routes/gateway-log-routes.ts +79 -0
package/src/runtime/routes/guardian-approval-interception.ts +2 -8
package/src/runtime/routes/heartbeat-routes.ts +103 -38
package/src/runtime/routes/host-app-control-routes.ts +134 -0
package/src/runtime/routes/host-bash-routes.ts +36 -6
package/src/runtime/routes/host-browser-routes.ts +108 -13
package/src/runtime/routes/host-cu-routes.ts +44 -14
package/src/runtime/routes/host-file-routes.ts +33 -10
package/src/runtime/routes/host-transfer-routes.ts +64 -24
package/src/runtime/routes/http-adapter.ts +1 -0
package/src/runtime/routes/identity-intro-cache.ts +30 -0
package/src/runtime/routes/identity-routes.ts +15 -43
package/src/runtime/routes/inbound-message-handler.ts +1 -9
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +0 -7
package/src/runtime/routes/inbound-stages/edit-intercept.ts +0 -8
package/src/runtime/routes/inbound-stages/transcribe-audio.test.ts +0 -20
package/src/runtime/routes/inbound-stages/transcribe-audio.ts +5 -13
package/src/runtime/routes/index.ts +8 -0
package/src/runtime/routes/mcp-auth-routes.ts +132 -0
package/src/runtime/routes/memory-item-routes.ts +10 -12
package/src/runtime/routes/memory-v2-routes.ts +441 -1
package/src/runtime/routes/migration-routes.ts +96 -0
package/src/runtime/routes/schedule-routes.ts +7 -0
package/src/runtime/verification-templates.ts +4 -7
package/src/schedule/integration-status.ts +66 -2
package/src/schedule/recurrence-engine.ts +4 -1
package/src/schedule/retry-backoff.ts +18 -0
package/src/schedule/retry-policy.ts +82 -0
package/src/schedule/schedule-recovery.ts +64 -0
package/src/schedule/schedule-store.ts +106 -2
package/src/schedule/scheduler-types.ts +25 -0
package/src/schedule/scheduler.ts +63 -38
package/src/security/oauth-callback-registry.ts +8 -0
package/src/sequence/analytics.ts +5 -5
package/src/sequence/engine.ts +1 -1
package/src/skills/catalog-files.ts +2 -8
package/src/skills/include-graph.ts +5 -5
package/src/skills/remote-skill-policy.ts +5 -5
package/src/skills/skill-file-provider.ts +1 -1
package/src/skills/skill-file-types.ts +13 -0
package/src/skills/skillssh-audit-types.ts +28 -0
package/src/skills/skillssh-registry.ts +8 -21
package/src/telemetry/types.ts +2 -0
package/src/telemetry/usage-telemetry-reporter.test.ts +21 -0
package/src/telemetry/usage-telemetry-reporter.ts +1 -0
package/src/tools/app-control/skill-proxy-bridge.ts +28 -0
package/src/tools/apps/executors.ts +56 -69
package/src/tools/browser/__tests__/browser-status.test.ts +21 -18
package/src/tools/browser/browser-execution.ts +2 -2
package/src/tools/browser/cdp-client/__tests__/factory.test.ts +55 -4
package/src/tools/browser/cdp-client/cdp-inspect/__tests__/ws-transport.test.ts +12 -6
package/src/tools/browser/cdp-client/factory.ts +23 -24
package/src/tools/browser/cdp-client/index.ts +1 -14
package/src/tools/computer-use/definitions.ts +42 -20
package/src/tools/executor.ts +2 -0
package/src/tools/host-filesystem/edit.ts +26 -0
package/src/tools/host-filesystem/read.ts +26 -0
package/src/tools/host-filesystem/transfer.ts +31 -1
package/src/tools/host-filesystem/write.ts +26 -0
package/src/tools/host-terminal/host-shell.ts +58 -0
package/src/tools/schedule/create.ts +6 -0
package/src/tools/schedule/list.ts +2 -0
package/src/tools/schedule/update.ts +10 -0
package/src/tools/shared/filesystem/file-ops-service.ts +2 -0
package/src/tools/shared/filesystem/path-policy.ts +25 -1
package/src/tools/skills/load.ts +0 -32
package/src/tools/tool-approval-handler.ts +1 -5
package/src/tools/types.ts +4 -0
package/src/usage/pricing.ts +1 -1
package/src/workspace/hatched-date.ts +86 -0
package/src/workspace/migrations/003-seed-device-id.ts +1 -1
package/src/workspace/migrations/006-services-config.ts +8 -5
package/src/workspace/migrations/016-extract-feature-flags-to-protected.ts +3 -9
package/src/workspace/migrations/021-move-signals-to-workspace.ts +4 -10
package/src/workspace/migrations/022-move-hooks-to-workspace.ts +4 -10
package/src/workspace/migrations/023-move-config-files-to-workspace.ts +4 -11
package/src/workspace/migrations/024-move-runtime-files-to-workspace.ts +3 -10
package/src/workspace/migrations/040-seed-latency-callsite-defaults.ts +3 -2
package/src/workspace/migrations/050-seed-main-agent-opus-callsite.ts +2 -1
package/src/workspace/migrations/059-move-pid-to-workspace.ts +3 -8
package/src/workspace/migrations/061-move-backup-key-to-workspace.ts +3 -8
package/src/workspace/migrations/AGENTS.md +1 -1
package/src/workspace/migrations/migrate-to-workspace-volume.ts +4 -10
package/src/workspace/migrations/utils.ts +21 -0
package/src/__tests__/host-browser-e2e-cloud.test.ts +0 -443
package/src/__tests__/host-browser-e2e-self-hosted-capability.test.ts +0 -226
package/src/__tests__/host-browser-ws-events-e2e.test.ts +0 -427
package/src/__tests__/twilio-rest.test.ts +0 -34
package/src/backup/__tests__/backup-key.test.ts +0 -152
package/src/backup/__tests__/backup-worker.test.ts +0 -782
package/src/backup/__tests__/offsite-writer.test.ts +0 -641
package/src/backup/__tests__/stream-crypt.test.ts +0 -228
package/src/backup/backup-key.ts +0 -137
package/src/backup/backup-worker.ts +0 -472
package/src/backup/offsite-writer.ts +0 -222
package/src/backup/stream-crypt.ts +0 -263
package/src/daemon/message-types/pairing.ts +0 -58
package/src/outbound-proxy/config.ts +0 -20
package/src/outbound-proxy/health.ts +0 -18
package/src/outbound-proxy/types.ts +0 -150
package/src/runtime/capability-tokens.ts +0 -190
package/src/signals/mcp-reload.ts +0 -18

package/src/__tests__/tool-execute-pipeline.test.ts CHANGED Viewed

@@ -55,7 +55,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/tool-execution-abort-cleanup.test.ts CHANGED Viewed

@@ -39,7 +39,6 @@ mock.module("../config/loader.js", () => ({
   }),
   loadConfig: () => ({}),
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
 }));

package/src/__tests__/tool-executor-lifecycle-events.test.ts CHANGED Viewed

@@ -46,7 +46,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/tool-executor.test.ts CHANGED Viewed

@@ -82,7 +82,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,

package/src/__tests__/twilio-config.test.ts CHANGED Viewed

@@ -20,11 +20,6 @@ mock.module("../config/loader.js", () => ({
   loadConfig: () => mockLoadConfigResult,
 }));
-mock.module("../inbound/public-ingress-urls.js", () => ({
-  getPublicBaseUrl: () => "https://test.example.com",
-  getTwilioRelayUrl: () => "wss://test.example.com/twilio/relay",
-}));
 import { getTwilioConfig } from "../calls/twilio-config.js";
 import { credentialKey } from "../security/credential-key.js";
@@ -36,7 +31,7 @@ describe("twilio-config", () => {
     mockLoadConfigResult = {
       twilio: {
         accountSid: "AC_test_sid",
-        phoneNumber: "+15551234567",
+        phoneNumber: "+15550123",
       },
     };
   });
@@ -45,14 +40,12 @@ describe("twilio-config", () => {
     const config = await getTwilioConfig();
     expect(config.accountSid).toBe("AC_test_sid");
     expect(config.authToken).toBe("test_auth_token");
-    expect(config.phoneNumber).toBe("+15551234567");
-    expect(config.webhookBaseUrl).toBe("https://test.example.com");
-    expect(config.wssBaseUrl).toBe("wss://test.example.com/twilio/relay");
+    expect(config.phoneNumber).toBe("+15550123");
   });
   test("throws ConfigError when account SID is missing", async () => {
     mockLoadConfigResult = {
-      twilio: { accountSid: "", phoneNumber: "+15551234567" },
+      twilio: { accountSid: "", phoneNumber: "+15550123" },
     };
     expect(getTwilioConfig()).rejects.toThrow(
       /Twilio credentials not configured/,
@@ -61,12 +54,6 @@ describe("twilio-config", () => {
   test("throws ConfigError when auth token is missing", async () => {
     mockSecureKeys = {};
-    mockLoadConfigResult = {
-      twilio: {
-        accountSid: "AC_test_sid",
-        phoneNumber: "+15551234567",
-      },
-    };
     expect(getTwilioConfig()).rejects.toThrow(
       /Twilio credentials not configured/,
     );

package/src/__tests__/twilio-routes.test.ts CHANGED Viewed

@@ -209,8 +209,6 @@ mock.module("../calls/twilio-config.js", () => ({
     accountSid: "AC_test",
     authToken: "test-auth-token-for-webhooks",
     phoneNumber: "+15550001111",
-    webhookBaseUrl: "https://test.example.com",
-    wssBaseUrl: "wss://test.example.com",
   }),
   resolveTwilioPhoneNumber: () => readMockTwilioPhoneNumber(),
 }));
@@ -813,7 +811,7 @@ describe("twilio webhook routes", () => {
   // Call handleVoiceWebhook directly since direct routes are blocked.
   describe("voice webhook TwiML relay URL", () => {
-    test("TwiML relay URL is sourced from getTwilioRelayUrl", async () => {
+    test("TwiML relay URL uses placeholder for gateway resolution", async () => {
       const session = createTestSession("conv-twiml-1", "CA_twiml_1");
       const req = makeVoiceRequest(session.id, { CallSid: "CA_twiml_1" });
@@ -822,7 +820,7 @@ describe("twilio webhook routes", () => {
       expect(res.status).toBe(200);
       const twiml = await res.text();
       expect(twiml).toContain(
-        "wss://ingress.example.com/webhooks/twilio/relay",
+        "wss://__VELLUM_PUBLIC_BASE_URL__/webhooks/twilio/relay",
       );
     });
@@ -1138,7 +1136,7 @@ describe("twilio webhook routes", () => {
       expect(twiml).not.toContain("transcriptionProvider=");
       // callSessionId is in the URL path, not as a query param
       expect(twiml).toContain(
-        `wss://ingress.example.com/webhooks/twilio/media-stream/${session.id}`,
+        `wss://__VELLUM_PUBLIC_BASE_URL__/webhooks/twilio/media-stream/${session.id}`,
       );
       expect(twiml).not.toContain("?callSessionId=");
     });

package/src/__tests__/twilio-validation.test.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+let mockConfig: Record<string, unknown>;
+let mockVerifyCalls: Array<{
+  url: string;
+  params: Record<string, string>;
+  signature: string;
+  authToken: string;
+}> = [];
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+mock.module("../config/loader.js", () => ({
+  loadConfig: () => mockConfig,
+}));
+mock.module("../calls/twilio-provider.js", () => ({
+  TwilioConversationRelayProvider: class {
+    static getAuthToken() {
+      return "test-auth-token";
+    }
+    static verifyWebhookSignature(
+      url: string,
+      params: Record<string, string>,
+      signature: string,
+      authToken: string,
+    ) {
+      mockVerifyCalls.push({ url, params, signature, authToken });
+      return signature === "valid";
+    }
+  },
+}));
+import { validateTwilioWebhook } from "../runtime/middleware/twilio-validation.js";
+describe("Twilio validation middleware", () => {
+  beforeEach(() => {
+    mockVerifyCalls = [];
+    mockConfig = {
+      ingress: {
+        publicBaseUrl: "https://generic.example.com",
+      },
+    };
+  });
+  test("validates signatures against Twilio-specific public ingress first", async () => {
+    mockConfig = {
+      ingress: {
+        publicBaseUrl: "  https://twilio.example.com///  ",
+      },
+    };
+    const req = new Request(
+      "http://127.0.0.1:7821/v1/calls/twilio/voice-webhook?callSessionId=session-123",
+      {
+        method: "POST",
+        headers: { "x-twilio-signature": "valid" },
+        body: new URLSearchParams({ CallSid: "CA123" }),
+      },
+    );
+    const result = await validateTwilioWebhook(req);
+    expect(result).toEqual({ body: "CallSid=CA123" });
+    expect(mockVerifyCalls).toEqual([
+      {
+        url: "https://twilio.example.com/v1/calls/twilio/voice-webhook?callSessionId=session-123",
+        params: { CallSid: "CA123" },
+        signature: "valid",
+        authToken: "test-auth-token",
+      },
+    ]);
+  });
+  test("falls back to generic public ingress when Twilio-specific ingress is empty", async () => {
+    const req = new Request("http://127.0.0.1:7821/v1/calls/twilio/status", {
+      method: "POST",
+      headers: { "x-twilio-signature": "valid" },
+      body: new URLSearchParams({ CallSid: "CA123" }),
+    });
+    await validateTwilioWebhook(req);
+    expect(mockVerifyCalls[0]?.url).toBe(
+      "https://generic.example.com/v1/calls/twilio/status",
+    );
+  });
+});

package/src/__tests__/vellum-self-knowledge-inline-command.test.ts CHANGED Viewed

@@ -56,7 +56,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => testConfig,
   loadConfig: () => testConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,
@@ -153,9 +152,7 @@ describe("vellum-self-knowledge skill", () => {
   test("references the GitHub repo for deep implementation questions", async () => {
     const result = await executeSkillLoad({ skill: "vellum-self-knowledge" });
-    expect(result.content).toContain(
-      "github.com/vellum-ai/vellum-assistant",
-    );
+    expect(result.content).toContain("github.com/vellum-ai/vellum-assistant");
     expect(result.content).toContain("ARCHITECTURE.md");
   });

package/src/__tests__/verification-control-plane-policy.test.ts CHANGED Viewed

@@ -49,7 +49,6 @@ mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,
@@ -700,15 +699,14 @@ describe("ToolExecutor verification control-plane policy gate", () => {
     expect(result.content).toBe("ok");
   });
-  test("non-guardian invocation of unrelated bash command is allowed (sandbox bash is auto-approved)", async () => {
+  test("non-guardian invocation of unrelated bash command requires guardian grant", async () => {
     const executor = new ToolExecutor(makePrompter());
     const result = await executor.execute(
       "bash",
       { command: "curl http://localhost:3000/v1/messages" },
       makeContext({ trustClass: "trusted_contact" }),
     );
-    expect(result.isError).toBe(false);
-    expect(result.content).toBe("ok");
+    expect(result.isError).toBe(true);
   });
   test("non-guardian invocation of unrelated tool is unaffected", async () => {

package/src/__tests__/voice-ingress-preflight.test.ts CHANGED Viewed

@@ -33,4 +33,23 @@ describe("voice ingress preflight", () => {
       expect(result.ingressConfig.ingress?.enabled).toBe(false);
     }
   });
+  test("accepts public base URL for Twilio when configured", async () => {
+    mockLoadConfig = () => ({
+      ingress: {
+        enabled: true,
+        publicBaseUrl: "https://twilio.example.com/",
+      },
+    });
+    const result = await preflightVoiceIngress();
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.publicBaseUrl).toBe("https://twilio.example.com");
+      expect(result.ingressConfig.ingress?.publicBaseUrl).toBe(
+        "https://twilio.example.com",
+      );
+    }
+  });
 });

package/src/__tests__/workspace-migration-006-services-config.test.ts CHANGED Viewed

@@ -183,8 +183,9 @@ describe("006-services-config migration", () => {
   });
   test("merges with existing backfilled services object", async () => {
-    // Simulates the scenario where backfillConfigDefaults wrote a default
-    // services object before migrations run, and legacy fields coexist.
+    // Simulates a legacy-daemon scenario where an older loader wrote a
+    // schema-default services object to disk before migrations run, and
+    // legacy top-level fields coexist with it.
     writeConfig({
       provider: "openai",
       model: "gpt-4o",

package/src/__tests__/workspace-migration-backfill-installation-id.test.ts CHANGED Viewed

@@ -84,7 +84,6 @@ describe("011-backfill-installation-id migration", () => {
     getExternalAssistantIdFn.mockReturnValue("my-assistant");
     getMemoryCheckpointFn.mockReturnValue(null);
     randomUUIDFn.mockReturnValue("generated-uuid-1234");
-    delete process.env.BASE_DATA_DIR;
   });
   test("no-op when no lockfile exists", () => {
@@ -284,12 +283,9 @@ describe("011-backfill-installation-id migration", () => {
     expect(parsed.assistants[0].installationId).toBe("sqlite-id");
   });
-  test("ignores BASE_DATA_DIR and always reads lockfile from homedir", () => {
-    process.env.BASE_DATA_DIR = "/custom-base";
+  test("always reads lockfile from homedir (per-user, not per-instance)", () => {
     getMemoryCheckpointFn.mockReturnValue("sqlite-id");
-    // Lockfile under BASE_DATA_DIR should be ignored — the migration
-    // always reads from homedir() (per-user, not per-instance).
     setupFs({
       [LOCK_PATH]: makeLockfile([{ assistantId: "my-assistant" }]),
     });

package/src/__tests__/workspace-migration-down-functions.test.ts CHANGED Viewed

@@ -32,7 +32,7 @@ mock.module("../security/credential-key.js", () => ({
   credentialKey: (...args: string[]) => args.join(":"),
 }));
-// Mock getRootDir for 016-extract-feature-flags-to-protected
+// Mutable root dir used by 016-extract-feature-flags-to-protected tests
 let mockRootDir: string = "/tmp/mock-root";
 // ---------------------------------------------------------------------------
 // Imports — after mocking
@@ -763,21 +763,21 @@ describe("014-migrate-to-workspace-volume down()", () => {
 // ---------------------------------------------------------------------------
 describe("016-extract-feature-flags-to-protected down()", () => {
-  let savedBaseDataDir: string | undefined;
+  let savedWorkspaceDir: string | undefined;
   beforeEach(() => {
-    // The migration has an inlined platform helpers that reads BASE_DATA_DIR,
-    // so we set that env var so the inlined function resolves to mockRootDir.
+    // getVellumRoot() resolves via dirname(VELLUM_WORKSPACE_DIR), so we set
+    // VELLUM_WORKSPACE_DIR to <mockRootDir>/workspace so dirname gives mockRootDir.
     const baseDir = freshWorkspace();
     mockRootDir = join(baseDir, ".vellum");
     mkdirSync(mockRootDir, { recursive: true });
-    savedBaseDataDir = process.env.BASE_DATA_DIR;
-    process.env.BASE_DATA_DIR = baseDir;
+    savedWorkspaceDir = process.env.VELLUM_WORKSPACE_DIR;
+    process.env.VELLUM_WORKSPACE_DIR = join(mockRootDir, "workspace");
   });
   afterEach(() => {
-    if (savedBaseDataDir === undefined) delete process.env.BASE_DATA_DIR;
-    else process.env.BASE_DATA_DIR = savedBaseDataDir;
+    if (savedWorkspaceDir === undefined) delete process.env.VELLUM_WORKSPACE_DIR;
+    else process.env.VELLUM_WORKSPACE_DIR = savedWorkspaceDir;
   });
   test("moves feature flags from protected dir back to config.json", () => {

package/src/__tests__/workspace-migration-unify-llm-callsite-configs.test.ts CHANGED Viewed

@@ -119,15 +119,17 @@ describe("038-unify-llm-callsite-configs migration", () => {
   // ─── Schema-default-injection regression (the original bug) ────────────
   test("legacy services.inference.{provider,model} win over schema-default-injected llm.default", () => {
-    // Reproduces the production bug: between PR #26095 (added
-    // `LLMSchema.default(LLMSchema.parse({}))` to AssistantConfigSchema)
-    // and PR #26101 (this migration), any daemon boot caused the loader's
-    // `backfillConfigDefaults()` to write a schema-default `llm.default`
+    // Reproduces a production bug from a legacy-daemon era: between PR
+    // #26095 (added `LLMSchema.default(LLMSchema.parse({}))` to
+    // AssistantConfigSchema) and PR #26101 (this migration), any daemon
+    // boot caused the loader to write a schema-default `llm.default`
     // block to disk. Migration 038's old idempotency check (`return early
     // if llm.default exists`) then silently skipped, and migration 039
     // stripped `services.inference.{provider,model}` — losing the user's
     // actual configuration. The fix prefers legacy source keys over the
-    // injected schema defaults whenever both are present.
+    // injected schema defaults whenever both are present. (The loader
+    // no longer writes defaults to disk, but workspaces still on disk
+    // from that era can carry the bad state forward.)
     writeConfig({
       services: {
         inference: {
@@ -806,7 +808,9 @@ describe("038-unify-llm-callsite-configs migration", () => {
     // documented no-op — it leaves the config exactly as it found it,
     // whether the `llm` block is present or absent.
     const original = {
-      services: { inference: { mode: "your-own", provider: "openai", model: "gpt-5.4" } },
+      services: {
+        inference: { mode: "your-own", provider: "openai", model: "gpt-5.4" },
+      },
       maxTokens: 32000,
       llm: {
         default: {

package/src/backup/__tests__/paths.test.ts CHANGED Viewed

@@ -5,7 +5,6 @@ import { afterEach, describe, expect, test } from "bun:test";
 import {
   deriveSafeAncestor,
   formatBackupFilename,
-  getBackupKeyPath,
   getBackupRootDir,
   getDefaultOffsiteBackupsDir,
   getICloudDriveRoot,
@@ -162,27 +161,6 @@ describe("resolveOffsiteDestinations", () => {
   });
 });
-describe("getBackupKeyPath", () => {
-  const ORIGINAL_KEY_PATH = process.env.VELLUM_BACKUP_KEY_PATH;
-  afterEach(() => {
-    if (ORIGINAL_KEY_PATH === undefined) {
-      delete process.env.VELLUM_BACKUP_KEY_PATH;
-    } else {
-      process.env.VELLUM_BACKUP_KEY_PATH = ORIGINAL_KEY_PATH;
-    }
-  });
-  test("ends with /.backup.key when env var is unset", () => {
-    delete process.env.VELLUM_BACKUP_KEY_PATH;
-    expect(getBackupKeyPath().endsWith("/.backup.key")).toBe(true);
-  });
-  test("returns the env var override when VELLUM_BACKUP_KEY_PATH is set", () => {
-    process.env.VELLUM_BACKUP_KEY_PATH = "/workspace/.backup.key";
-    expect(getBackupKeyPath()).toBe("/workspace/.backup.key");
-  });
-});
 describe("formatBackupFilename", () => {
   const fixture = new Date("2026-04-11T15:30:45.000Z");