@vellumai/assistant 0.7.3 → 0.8.0

package/src/__tests__/relay-server.test.ts

@@ -362,7 +362,9 @@ function getLatestAssistantText(conversationId: string): string | null {
     if (Array.isArray(parsed)) {
       return parsed
         .filter(
-          (block): block is {
+          (
+            block,
+          ): block is {
             type: string;
             text?: string;
             surfaceType?: string;
@@ -2332,7 +2334,7 @@ describe("relay-server", () => {
 
       expect(relay.getConnectionState()).toBe("awaiting_name");
 
-      // Fallback prompt should NOT include assistant name but should include guardian label
+      // Fallback prompt should use the existing guardian-label wording.
       const textMessages = ws.sentMessages
         .map((raw) => JSON.parse(raw) as { type: string; token?: string })
         .filter((m) => m.type === "text");
@@ -2348,6 +2350,48 @@ describe("relay-server", () => {
     }
   });
 
+  test("inbound voice: unknown caller name capture does not speak a UUID assistant name", async () => {
+    const prevName = mockAssistantName;
+    mockAssistantName = "11111111-2222-4333-8444-555555555555";
+    const db = getDb();
+    db.run("DELETE FROM contact_channels");
+    db.run("DELETE FROM contacts");
+    try {
+      ensureConversation("conv-invite-uuid-name");
+      const session = createCallSession({
+        conversationId: "conv-invite-uuid-name",
+        provider: "twilio",
+        fromNumber: "+12125550157",
+        toNumber: "+12125550111",
+      });
+
+      const { ws, relay } = createMockWs(session.id);
+
+      await relay.handleMessage(
+        JSON.stringify({
+          type: "setup",
+          callSid: "CA_invite_uuid_name",
+          from: "+12125550157",
+          to: "+12125550111",
+        }),
+      );
+
+      expect(relay.getConnectionState()).toBe("awaiting_name");
+
+      const promptText = ws.sentMessages
+        .map((raw) => JSON.parse(raw) as { type: string; token?: string })
+        .filter((m) => m.type === "text")
+        .map((m) => m.token ?? "")
+        .join("");
+      expect(promptText).toContain("Hi, this is my human's assistant.");
+      expect(promptText).not.toContain("11111111-2222-4333-8444-555555555555");
+
+      relay.destroy();
+    } finally {
+      mockAssistantName = prevName;
+    }
+  });
+
   // ── Friend-initiated in-call guardian approval flow ────────────────────
 
   test("name capture flow: caller provides name and enters guardian decision wait", async () => {

package/src/__tests__/secret-prompt-log-hygiene.test.ts

@@ -39,15 +39,17 @@ mock.module("../runtime/assistant-event-hub.js", () => ({
 }));
 
 // Stub pendingInteractions — SecretPrompter registers/resolves there now
+// Use a real Map so SecretPrompter can store and retrieve promptResolve/promptReject callbacks.
+const _piStore = new Map<string, object>();
 mock.module("../runtime/pending-interactions.js", () => ({
-  register: () => {},
-  resolve: () => undefined,
-  get: () => undefined,
-  getAll: () => [],
+  register: (id: string, entry: object) => _piStore.set(id, entry),
+  resolve: (id: string) => { const e = _piStore.get(id); _piStore.delete(id); return e; },
+  get: (id: string) => _piStore.get(id),
+  getAll: () => [..._piStore.values()],
   getByConversation: () => [],
   getByKind: () => [],
   removeByConversation: () => {},
-  clear: () => {},
+  clear: () => _piStore.clear(),
 }));
 
 // Use a tiny timeout so the setTimeout branch fires quickly in tests

package/src/__tests__/secret-prompter-channel-fallback.test.ts

@@ -38,15 +38,17 @@ mock.module("../runtime/assistant-event-hub.js", () => ({
   broadcastMessage: (msg: ServerMessage) => broadcastMessages.push(msg),
 }));
 
+// Use a real Map so SecretPrompter can store and retrieve promptResolve/promptReject callbacks.
+const _piStore = new Map<string, object>();
 mock.module("../runtime/pending-interactions.js", () => ({
-  register: () => {},
-  resolve: () => undefined,
-  get: () => undefined,
-  getAll: () => [],
+  register: (id: string, entry: object) => _piStore.set(id, entry),
+  resolve: (id: string) => { const e = _piStore.get(id); _piStore.delete(id); return e; },
+  get: (id: string) => _piStore.get(id),
+  getAll: () => [..._piStore.values()],
   getByConversation: () => [],
   getByKind: () => [],
   removeByConversation: () => {},
-  clear: () => {},
+  clear: () => _piStore.clear(),
 }));
 
 const { SecretPrompter } = await import("../permissions/secret-prompter.js");

package/src/__tests__/secret-response-routing.test.ts

@@ -11,15 +11,17 @@ mock.module("../runtime/assistant-event-hub.js", () => ({
   broadcastMessage: (msg: ServerMessage) => broadcastedMessages.push(msg),
 }));
 
+// Use a real Map so SecretPrompter can store and retrieve promptResolve/promptReject callbacks.
+const _piStore = new Map<string, object>();
 mock.module("../runtime/pending-interactions.js", () => ({
-  register: () => {},
-  resolve: () => undefined,
-  get: () => undefined,
-  getAll: () => [],
+  register: (id: string, entry: object) => _piStore.set(id, entry),
+  resolve: (id: string) => { const e = _piStore.get(id); _piStore.delete(id); return e; },
+  get: (id: string) => _piStore.get(id),
+  getAll: () => [..._piStore.values()],
   getByConversation: () => [],
   getByKind: () => [],
   removeByConversation: () => {},
-  clear: () => {},
+  clear: () => _piStore.clear(),
 }));
 
 const { SecretPrompter } = await import("../permissions/secret-prompter.js");

package/src/__tests__/server-history-render.test.ts

@@ -154,6 +154,88 @@ describe("renderHistoryContent", () => {
     ]);
   });
 
+  // ── Persisted risk-option ladders (Phase B of conflation track) ─────────────
+
+  test("hydrates persisted _risk*Options annotations onto tool calls", () => {
+    // Mirrors what `annotatePersistedAssistantMessage` writes to the DB so the
+    // rule editor's chip ladder survives chat-history reload. Without these,
+    // hydrated chips fall back to the synthesized `*` allowlist (see web's
+    // `synthesizeFallbackOption` in RuleEditorModal.tsx).
+    const scopeOptions = [
+      { pattern: "exact", label: "exact: rm -rf /tmp" },
+      { pattern: "by-program", label: "All rm" },
+    ];
+    const allowlistOptions = [
+      { label: "exact", description: "exact match", pattern: "rm -rf /tmp" },
+      { label: "All rm", description: "All rm commands", pattern: "rm *" },
+    ];
+    const directoryScopeOptions = [
+      { scope: "/Users/me/code", label: "in code/" },
+      { scope: "everywhere", label: "Everywhere" },
+    ];
+
+    const output = renderHistoryContent([
+      {
+        type: "tool_use",
+        id: "tu_1",
+        name: "bash",
+        input: { command: "rm -rf /tmp" },
+        _riskLevel: "high",
+        _matchedTrustRuleId: "rule_42",
+        _riskScopeOptions: scopeOptions,
+        _riskAllowlistOptions: allowlistOptions,
+        _riskDirectoryScopeOptions: directoryScopeOptions,
+      },
+    ]);
+
+    const [entry] = output.toolCalls;
+    expect(entry.riskLevel).toBe("high");
+    expect(entry.matchedTrustRuleId).toBe("rule_42");
+    expect(entry.riskScopeOptions).toEqual(scopeOptions);
+    expect(entry.riskAllowlistOptions).toEqual(allowlistOptions);
+    expect(entry.riskDirectoryScopeOptions).toEqual(directoryScopeOptions);
+  });
+
+  test("ignores non-array _risk*Options annotations", () => {
+    // Defensive: a malformed persisted block should not throw or coerce.
+    const output = renderHistoryContent([
+      {
+        type: "tool_use",
+        id: "tu_1",
+        name: "bash",
+        input: { command: "ls" },
+        _riskLevel: "low",
+        _riskScopeOptions: "not an array",
+        _riskAllowlistOptions: { not: "an array" },
+        _riskDirectoryScopeOptions: 42,
+      },
+    ]);
+
+    const [entry] = output.toolCalls;
+    expect(entry.riskLevel).toBe("low");
+    expect(entry.riskScopeOptions).toBeUndefined();
+    expect(entry.riskAllowlistOptions).toBeUndefined();
+    expect(entry.riskDirectoryScopeOptions).toBeUndefined();
+  });
+
+  test("omits absent _risk*Options annotations", () => {
+    const output = renderHistoryContent([
+      {
+        type: "tool_use",
+        id: "tu_1",
+        name: "bash",
+        input: { command: "ls" },
+        _riskLevel: "low",
+      },
+    ]);
+
+    const [entry] = output.toolCalls;
+    expect(entry.riskLevel).toBe("low");
+    expect(entry.riskScopeOptions).toBeUndefined();
+    expect(entry.riskAllowlistOptions).toBeUndefined();
+    expect(entry.riskDirectoryScopeOptions).toBeUndefined();
+  });
+
   test("handles mixed text and tool blocks", () => {
     const output = renderHistoryContent([
       { type: "text", text: "Let me look that up." },

package/src/__tests__/skill-include-graph.test.ts

@@ -6,6 +6,7 @@ import {
   getImmediateChildren,
   indexCatalogById,
   traverseIncludes,
+  validateIncludeCycles,
   validateIncludes,
 } from "../skills/include-graph.js";
 
@@ -299,6 +300,36 @@ describe("validateIncludes — cycle detection", () => {
   });
 });
 
+describe("validateIncludeCycles", () => {
+  test("skips missing children while still detecting available cycles", () => {
+    const catalog = [
+      makeSkill("root", ["missing", "a"]),
+      makeSkill("a", ["b"]),
+      makeSkill("b", ["a"]),
+    ];
+    const index = indexCatalogById(catalog);
+
+    const result = validateIncludeCycles("root", index);
+
+    expect(result.ok).toBe(false);
+    if (!result.ok && result.error === "cycle") {
+      expect(result.cyclePath).toEqual(["a", "b", "a"]);
+    }
+  });
+
+  test("returns success when the only invalid edges are missing children", () => {
+    const catalog = [makeSkill("root", ["missing"])];
+    const index = indexCatalogById(catalog);
+
+    const result = validateIncludeCycles("root", index);
+
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.visited).toEqual(["root"]);
+    }
+  });
+});
+
 describe("collectAllMissing", () => {
   test("returns empty set when skill has no includes", () => {
     const catalog = [makeSkill("root")];

package/src/__tests__/skill-load-tool.test.ts

@@ -266,17 +266,19 @@ describe("skill_load tool", () => {
     expect(markers.length).toBe(1);
   });
 
-  test("returns error when skill has missing include", async () => {
+  test("continues when skill has missing include", async () => {
     writeSkillWithIncludes("parent", "Parent", "Has missing child", "Body", [
       "missing-child",
     ]);
     writeFileSync(join(TEST_DIR, "skills", "SKILLS.md"), "- parent\n");
 
     const result = await executeSkillLoad({ skill: "parent" });
-    expect(result.isError).toBe(true);
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Skill: Parent");
+    expect(result.content).toContain("Suggested Included Skills (not loaded):");
     expect(result.content).toContain("missing-child");
-    expect(result.content).toContain("not found");
-    expect(result.content).not.toContain("<loaded_skill");
+    expect(result.content).toContain('<loaded_skill id="parent"');
+    expect(result.content).not.toContain('<loaded_skill id="missing-child"');
   });
 
   test("returns error when skill has circular include", async () => {
@@ -317,7 +319,7 @@ describe("skill_load tool", () => {
     expect(result.content).toContain("<loaded_skill");
   });
 
-  test("failed include validation (missing) emits no loaded_skill marker", async () => {
+  test("missing include emits only the parent loaded_skill marker", async () => {
     const skillDir = join(TEST_DIR, "skills", "marker-missing");
     mkdirSync(skillDir, { recursive: true });
     writeFileSync(
@@ -327,9 +329,13 @@ describe("skill_load tool", () => {
     writeFileSync(join(TEST_DIR, "skills", "SKILLS.md"), "- marker-missing\n");
 
     const result = await executeSkillLoad({ skill: "marker-missing" });
-    expect(result.isError).toBe(true);
-    expect(result.content).not.toContain("<loaded_skill");
-    expect(result.content).not.toMatch(/<loaded_skill\s/);
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Suggested Included Skills (not loaded):");
+    expect(result.content).toContain("nonexistent");
+    const markers = result.content.match(/<loaded_skill/g) || [];
+    expect(markers.length).toBe(1);
+    expect(result.content).toContain('<loaded_skill id="marker-missing"');
+    expect(result.content).not.toContain('<loaded_skill id="nonexistent"');
   });
 
   test("failed include validation (cycle) emits no loaded_skill marker", async () => {
@@ -365,6 +371,28 @@ describe("skill_load tool", () => {
     expect(result.content).toContain("Skill: No Includes");
   });
 
+  test("bundled app-builder loads when frontend-design is unavailable", async () => {
+    const result = await executeSkillLoad({ skill: "app-builder" });
+
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Skill: App Builder");
+    expect(result.content).toContain("Suggested Included Skills (not loaded):");
+    expect(result.content).toContain("frontend-design");
+    expect(result.content).toContain('<loaded_skill id="app-builder"');
+    expect(result.content).not.toContain('<loaded_skill id="frontend-design"');
+  });
+
+  test("bundled phone-calls loads when setup includes are unavailable", async () => {
+    const result = await executeSkillLoad({ skill: "phone-calls" });
+
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Skill: Phone Calls");
+    expect(result.content).toContain("Suggested Included Skills (not loaded):");
+    expect(result.content).toContain("twilio-setup");
+    expect(result.content).toContain('<loaded_skill id="phone-calls"');
+    expect(result.content).not.toContain('<loaded_skill id="twilio-setup"');
+  });
+
   test("skill_load output includes immediate child metadata", async () => {
     writeSkill("child-skill", "Child Skill", "A child skill", "Child body");
     const parentDir = join(TEST_DIR, "skills", "parent-with-children");
@@ -883,7 +911,7 @@ describe("skill_load tool", () => {
     expect(mockAutoInstall).toHaveBeenCalledWith("trans-c");
   });
 
-  test("returns error when auto-install of missing include fails", async () => {
+  test("continues when auto-install of missing include fails", async () => {
     writeSkillWithIncludes(
       "fail-parent",
       "Fail Parent",
@@ -902,10 +930,12 @@ describe("skill_load tool", () => {
     });
 
     const result = await executeSkillLoad({ skill: "fail-parent" });
-    expect(result.isError).toBe(true);
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Skill: Fail Parent");
+    expect(result.content).toContain("Suggested Included Skills (not loaded):");
     expect(result.content).toContain("dep-x");
-    expect(result.content).toContain("not found");
-    expect(result.content).not.toContain("<loaded_skill");
+    expect(result.content).toContain('<loaded_skill id="fail-parent"');
+    expect(result.content).not.toContain('<loaded_skill id="dep-x"');
   });
 
   test("stops after MAX_INSTALL_ROUNDS", async () => {
@@ -941,10 +971,8 @@ describe("skill_load tool", () => {
     });
 
     const result = await executeSkillLoad({ skill: "loop-root" });
-    // Should terminate with an error (the final dep is still missing)
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("not found");
-    // Should have terminated — installCount should be bounded by MAX_INSTALL_ROUNDS (5)
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain("Suggested Included Skills (not loaded):");
     expect(installCount).toBeLessThanOrEqual(5);
   });
 });

package/src/__tests__/skills.test.ts

@@ -1,6 +1,7 @@
 import {
   existsSync,
   mkdirSync,
+  readdirSync,
   readFileSync,
   rmSync,
   symlinkSync,
@@ -678,3 +679,41 @@ describe("bundled computer-use skill", () => {
     ]);
   });
 });
+
+describe("skill source ownership", () => {
+  const BUNDLED_SKILLS_DIR = join(
+    import.meta.dir,
+    "..",
+    "config",
+    "bundled-skills",
+  );
+  const FIRST_PARTY_SKILLS_DIR = join(
+    import.meta.dir,
+    "..",
+    "..",
+    "..",
+    "skills",
+  );
+
+  function collectSourceSkillIds(rootDir: string): string[] {
+    return readdirSync(rootDir, { withFileTypes: true })
+      .filter(
+        (entry) =>
+          entry.isDirectory() &&
+          existsSync(join(rootDir, entry.name, "SKILL.md")),
+      )
+      .map((entry) => entry.name)
+      .sort((a, b) => a.localeCompare(b));
+  }
+
+  test("bundled skills are not duplicated in the first-party source catalog", () => {
+    const firstPartyIds = new Set(
+      collectSourceSkillIds(FIRST_PARTY_SKILLS_DIR),
+    );
+    const duplicates = collectSourceSkillIds(BUNDLED_SKILLS_DIR).filter((id) =>
+      firstPartyIds.has(id),
+    );
+
+    expect(duplicates).toEqual([]);
+  });
+});

package/src/__tests__/tool-execution-pipeline.benchmark.test.ts

@@ -30,16 +30,6 @@ mock.module("../util/logger.js", () => ({
     }),
 }));
 
-// Allow toggling between no-rule and matched-rule paths
-let mockRuleResponse: import("../permissions/types.js").TrustRule | null = null;
-
-mock.module("../permissions/trust-store.js", () => ({
-  addRule: () => {},
-  findHighestPriorityRule: () => mockRuleResponse,
-  onRulesChanged: () => {},
-  clearCache: () => {},
-}));
-
 mock.module("../config/loader.js", () => ({
   getConfig: () => ({
     ui: {},
@@ -302,38 +292,6 @@ describe("Tool execution pipeline benchmark", () => {
     expect(results[0].decision).toBe("allow");
   });
 
-  test("check: matched allow-rule path for medium-risk tool", async () => {
-    // Exercise the code path where findHighestPriorityRule returns a matching
-    // allow rule, rather than always falling through to the no-rule default.
-    mockRuleResponse = {
-      id: "bench:allow-file_write",
-      tool: "file_write",
-      pattern: "**",
-      scope: "/tmp",
-      decision: "allow",
-      priority: 90,
-      createdAt: Date.now(),
-    };
-
-    try {
-      const { timings, results } = await benchmarkAsync(
-        () => check("file_write", { path: "/tmp/out.txt" }, "/tmp"),
-        ITERATIONS,
-      );
-
-      const p50 = percentile(timings, 50);
-      const p95 = percentile(timings, 95);
-
-      expect(p50).toBeLessThan(10);
-      expect(p95).toBeLessThan(20);
-      // Medium-risk with a matching allow rule should auto-allow
-      expect(results[0].decision).toBe("allow");
-      expect(results[0].matchedRule?.id).toBe("bench:allow-file_write");
-    } finally {
-      mockRuleResponse = null;
-    }
-  });
-
   test("check: permission cost is stable across different input paths", async () => {
     // Verify that the permission check cost doesn't vary with input path length/complexity.
     // Actual tool-execution-time independence is tested in the ToolExecutor section below.

package/src/__tests__/tool-executor.test.ts

@@ -73,6 +73,11 @@ let cachedAssessmentOverride:
       riskLevel: string;
       reason: string;
       scopeOptions: Array<{ pattern: string; label: string }>;
+      allowlistOptions?: Array<{
+        label: string;
+        description: string;
+        pattern: string;
+      }>;
       directoryScopeOptions?: Array<{ scope: string; label: string }>;
       matchType: string;
     }
@@ -202,6 +207,32 @@ describe("ToolExecutor allowedToolNames gating", () => {
     expect(result.content).toBe("ok");
   });
 
+  test("canonicalizes app-builder create_app alias before active-tool gating", async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const allowed = new Set(["app_create"]);
+    const result = await executor.execute(
+      "create_app",
+      { name: "Calculator" },
+      makeContext({ allowedToolNames: allowed }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe("ok");
+  });
+
+  test("preserves exact active create_app tool before applying compatibility aliases", async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const allowed = new Set(["create_app", "app_create"]);
+    const result = await executor.execute(
+      "create_app",
+      { name: "Custom App" },
+      makeContext({ allowedToolNames: allowed }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(lastCheckArgs?.toolName).toBe("create_app");
+  });
+
   test("blocks execution when tool is NOT in the allowed set", async () => {
     const executor = new ToolExecutor(makePrompter());
     const allowed = new Set(["file_read", "bash"]);
@@ -1123,4 +1154,128 @@ describe("ToolExecutionResult includes risk metadata from classifier assessment"
       { scope: "/tmp", label: "Anywhere in tmp/" },
     ]);
   });
+
+  test("auto-approved tool result includes riskAllowlistOptions when classifier emits them (Minimatch-glob shape for save path)", async () => {
+    cachedAssessmentOverride = {
+      riskLevel: "medium",
+      reason: "Reads workspace files",
+      // Display ladder (regex shape — not for save).
+      scopeOptions: [
+        { pattern: "^echo\\b.*hello$", label: "echo hello" },
+        { pattern: "^echo\\b", label: "echo *" },
+      ],
+      // Save ladder (Minimatch-glob shape — what gateway matches against).
+      allowlistOptions: [
+        {
+          label: "echo hello",
+          description: "This exact command",
+          pattern: "echo hello",
+        },
+        {
+          label: "echo *",
+          description: "Any echo command",
+          pattern: "action:echo",
+        },
+      ],
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "README.md" },
+      makeContext({ requireFreshApproval: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // Both shapes flow through independently — same labels, different patterns.
+    expect(result.riskScopeOptions).toEqual([
+      { pattern: "^echo\\b.*hello$", label: "echo hello" },
+      { pattern: "^echo\\b", label: "echo *" },
+    ]);
+    expect(result.riskAllowlistOptions).toEqual([
+      {
+        label: "echo hello",
+        description: "This exact command",
+        pattern: "echo hello",
+      },
+      {
+        label: "echo *",
+        description: "Any echo command",
+        pattern: "action:echo",
+      },
+    ]);
+  });
+
+  test("riskAllowlistOptions is undefined when classifier did not produce allowlist (e.g. web-risk classifier)", async () => {
+    cachedAssessmentOverride = {
+      riskLevel: "low",
+      reason: "GET request to public URL",
+      scopeOptions: [{ pattern: "https://example.com/.*", label: "example.com" }],
+      // allowlistOptions intentionally omitted — some classifiers don't emit them.
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "README.md" },
+      makeContext({ requireFreshApproval: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // Display ladder still flows; save ladder is absent so the client must
+    // fall back to a synthesized option (or omit save).
+    expect(result.riskScopeOptions).toEqual([
+      { pattern: "https://example.com/.*", label: "example.com" },
+    ]);
+    expect(result.riskAllowlistOptions).toBeUndefined();
+  });
+
+  test("riskAllowlistOptions is undefined when no classifier ran (MCP tools)", async () => {
+    // cachedAssessmentOverride is undefined — no classifier ran.
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "README.md" },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.riskScopeOptions).toBeUndefined();
+    expect(result.riskAllowlistOptions).toBeUndefined();
+  });
+
+  test("denied tool result still carries riskAllowlistOptions for the rule editor save path", async () => {
+    checkResultOverride = { decision: "deny", reason: "Blocked by deny rule" };
+    cachedAssessmentOverride = {
+      riskLevel: "high",
+      reason: "Recursive force delete",
+      scopeOptions: [{ pattern: "^rm\\s+-rf", label: "rm -rf *" }],
+      allowlistOptions: [
+        {
+          label: "rm -rf *",
+          description: "Any rm -rf command",
+          pattern: "action:rm",
+        },
+      ],
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "anything" },
+      makeContext({ requireFreshApproval: true }),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.riskAllowlistOptions).toEqual([
+      {
+        label: "rm -rf *",
+        description: "Any rm -rf command",
+        pattern: "action:rm",
+      },
+    ]);
+  });
 });

package/src/__tests__/voice-session-bridge.test.ts

@@ -652,6 +652,9 @@ describe("voice-session-bridge", () => {
     expect(prompt).toContain(
       "If your assistant name is not known, skip the name and just identify yourself as the guardian's assistant.",
     );
+    expect(prompt).toContain(
+      "Never use a UUID-shaped internal assistant ID as your spoken name.",
+    );
     expect(prompt).toContain(
       'Do NOT say "I\'m calling" or "I\'m calling on behalf of".',
     );