@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/__tests__/guardian-grant-minting.test.ts

@@ -36,10 +36,6 @@ import {
 import * as approvalMessageComposer from "../runtime/approval-message-composer.js";
 import * as gatewayClient from "../runtime/gateway-client.js";
 import * as pendingInteractions from "../runtime/pending-interactions.js";
-import {
-  _clearApprovalPromptTsTrackerForTesting,
-  trackApprovalPromptTs,
-} from "../runtime/routes/approval-prompt-ts-tracker.js";
 import { handleApprovalInterception } from "../runtime/routes/guardian-approval-interception.js";
 import { computeToolApprovalDigest } from "../security/tool-approval-digest.js";
 
@@ -69,7 +65,6 @@ function resetTables(): void {
     /* tables may not exist yet */
   }
   pendingInteractions.clear();
-  _clearApprovalPromptTsTrackerForTesting();
 }
 
 function createTestGuardianApproval(
@@ -224,36 +219,9 @@ describe("guardian grant minting on tool-approval decisions", () => {
     composeSpy.mockRestore();
   });
 
-  test("guardian reaction white_check_mark maps to approve_once (legacy compat)", async () => {
-    const requestId = "req-grant-reaction-1";
-    createTestGuardianApproval(requestId, {
-      conversationId: CONVERSATION_ID,
-      channel: "slack",
-      guardianChatId: GUARDIAN_CHAT,
-    });
-    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME);
-    const approvalMessageTs = "1700000000.000100";
-    trackApprovalPromptTs("slack", GUARDIAN_CHAT, approvalMessageTs);
-
-    const result = await handleApprovalInterception({
-      conversationId: "guardian-conv-1",
-      callbackData: "reaction:white_check_mark",
-      content: "",
-      conversationExternalId: GUARDIAN_CHAT,
-      sourceChannel: "slack",
-      actorExternalId: GUARDIAN_USER,
-      replyCallbackUrl: "https://gateway.test/deliver",
-      trustCtx: makeTrustContext(),
-      assistantId: ASSISTANT_ID,
-      approvalMessageTs,
-    });
-
-    // white_check_mark is mapped to approve_once (backward compat) — the
-    // pending approval is resolved and a grant is minted.
-    expect(result.handled).toBe(true);
-    expect(result.type).toBe("guardian_decision_applied");
-    expect(countGrants()).toBe(1);
-  });
+  // Reaction-based approvals are exercised against the canonical pipeline in
+  // slack-reaction-canonical-approval.test.ts — reactions route through
+  // routeGuardianReply, not handleApprovalInterception.
 
   // ── 2. approve_once for non-tool-approval does NOT mint a grant ──
 

package/src/__tests__/guardian-routing-invariants.test.ts

@@ -828,7 +828,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "approve",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -857,7 +857,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "ok, what is this for?",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -870,7 +870,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
     expect(unchanged!.status).toBe("pending");
   });
 
-  test("explicit empty pendingRequestIds hint stays fail-closed for desktop actors", async () => {
+  test("explicit blocked scope stays fail-closed for desktop actors", async () => {
     createCanonicalGuardianRequest({
       kind: "tool_approval",
       sourceType: "channel",
@@ -887,7 +887,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
         messageText: "approve",
         actor: trustedActor(),
         conversationId: "conv-unrelated",
-        pendingRequestIds: [],
+        pendingScope: { mode: "blocked" },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -897,6 +897,38 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
     expect(result.decisionApplied).toBe(false);
   });
 
+  test("explicit request code still resolves under a blocked scope (cross-chat carve-out)", async () => {
+    // The Slack cross-chat guard blocks identity fallback, but an explicit
+    // request code carries its own target and must still resolve — otherwise a
+    // guardian could not approve-by-code from a chat where no card was delivered.
+    const req = createCanonicalGuardianRequest({
+      kind: "tool_approval",
+      sourceType: "channel",
+      conversationId: "conv-other",
+      guardianExternalUserId: "guardian-1",
+      guardianPrincipalId: TEST_PRINCIPAL_ID,
+      requestCode: "ABC123",
+      toolName: "shell",
+      expiresAt: Date.now() + 60_000,
+    });
+    registerPendingToolApprovalInteraction(req.id, "conv-other", "shell");
+
+    const result = await routeGuardianReply(
+      replyCtx({
+        messageText: "ABC123 approve",
+        actor: trustedActor(),
+        conversationId: "conv-unrelated",
+        pendingScope: { mode: "blocked" },
+        approvalConversationGenerator: undefined,
+      }),
+    );
+
+    expect(result.consumed).toBe(true);
+    expect(result.requestId).toBe(req.id);
+    expect(result.decisionApplied).toBe(true);
+    expect(getCanonicalGuardianRequest(req.id)!.status).toBe("approved");
+  });
+
   test("multiple hinted pending requests with plain-text approve returns disambiguation", async () => {
     const req1 = createCanonicalGuardianRequest({
       kind: "tool_approval",
@@ -924,7 +956,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "approve",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [req1.id, req2.id],
+        pendingScope: { mode: "scoped", requestIds: [req1.id, req2.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -977,7 +1009,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "yes approve it",
         conversationId: "conv-1",
-        pendingRequestIds: [req1.id, req2.id],
+        pendingScope: { mode: "scoped", requestIds: [req1.id, req2.id] },
         approvalConversationGenerator: mockGenerator as any,
       }),
     );
@@ -1031,7 +1063,10 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "approve",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [answerRequest.id, approvalRequest.id],
+        pendingScope: {
+          mode: "scoped",
+          requestIds: [answerRequest.id, approvalRequest.id],
+        },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1075,7 +1110,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "yes",
         conversationId: "conv-1",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: mockGenerator as any,
       }),
     );
@@ -1104,7 +1139,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "go for it",
         conversationId: "conv-1",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1117,7 +1152,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
     expect(resolved!.status).toBe("approved");
   });
 
-  test("code-based routing is constrained to caller-provided pendingRequestIds scope", async () => {
+  test("code-based routing is constrained to caller-provided scope", async () => {
     const inScope = createCanonicalGuardianRequest({
       kind: "tool_approval",
       sourceType: "channel",
@@ -1145,7 +1180,7 @@ describe("routing invariant: disambiguation stays fail-closed", () => {
       replyCtx({
         messageText: "222BBB approve",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [inScope.id],
+        pendingScope: { mode: "scoped", requestIds: [inScope.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1438,7 +1473,7 @@ describe("routing invariant: directResolve interactions resolve via guardian dec
 describe("routing invariant: destination hints do not bypass tool_approval principal binding", () => {
   beforeEach(() => resetTables());
 
-  test("explicit pendingRequestIds still fail closed when guardianPrincipalId does not match", async () => {
+  test("explicit scope still fails closed when guardianPrincipalId does not match", async () => {
     // Voice-originated tool approval with a different principal than the actor.
     const req = createCanonicalGuardianRequest({
       kind: "tool_approval",
@@ -1452,15 +1487,15 @@ describe("routing invariant: destination hints do not bypass tool_approval princ
     });
     registerPendingToolApprovalInteraction(req.id, "conv-voice-1", "shell");
 
-    // The channel inbound router would compute pendingRequestIds from
-    // delivery-scoped lookup and pass them here. Simulate that.
+    // The channel inbound router would compute the pending scope from
+    // delivery-scoped lookup and pass it here. Simulate that.
     const result = await routeGuardianReply(
       replyCtx({
         messageText: "approve",
         channel: "telegram",
         actor: guardianActor({ guardianPrincipalId: "different-principal" }),
         conversationId: "conv-guardian-chat",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1486,7 +1521,7 @@ describe("routing invariant: destination hints do not bypass tool_approval princ
       expiresAt: Date.now() + 60_000,
     });
 
-    // No pendingRequestIds passed — identity-based fallback uses
+    // No pendingScope passed — identity-based fallback uses
     // actor.actorExternalUserId which does not match any request's
     // guardianExternalUserId (since it's null).
     const result = await routeGuardianReply(
@@ -1495,7 +1530,7 @@ describe("routing invariant: destination hints do not bypass tool_approval princ
         channel: "telegram",
         actor: guardianActor({ actorExternalUserId: "guardian-tg-user" }),
         conversationId: "conv-guardian-chat",
-        // pendingRequestIds: undefined — no delivery hints
+        // pendingScope omitted — no delivery hints
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1534,7 +1569,7 @@ describe("routing invariant: invite handoff bypass for access requests", () => {
       replyCtx({
         messageText: "open invite flow",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1569,7 +1604,7 @@ describe("routing invariant: invite handoff bypass for access requests", () => {
         replyCtx({
           messageText: phrase,
           conversationId: "conv-test",
-          pendingRequestIds: [req.id],
+          pendingScope: { mode: "scoped", requestIds: [req.id] },
           approvalConversationGenerator: undefined,
         }),
       );
@@ -1595,7 +1630,7 @@ describe("routing invariant: invite handoff bypass for access requests", () => {
       replyCtx({
         messageText: "open invite flow",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1625,7 +1660,7 @@ describe("routing invariant: invite handoff bypass for access requests", () => {
       replyCtx({
         messageText: "A00B01 approve",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1655,7 +1690,7 @@ describe("routing invariant: invite handoff bypass for access requests", () => {
       channel: "vellum",
       actor: trustedActor({ channel: "vellum" }),
       conversationId: "conv-guardian-conversation",
-      pendingRequestIds: [req.id],
+      pendingScope: { mode: "scoped", requestIds: [req.id] },
       approvalConversationGenerator: undefined,
     });
 
@@ -1694,7 +1729,7 @@ describe("routing invariant: invite handoff bypass for access requests", () => {
       channel: "vellum",
       actor: trustedActor({ channel: "vellum" }),
       conversationId: "conv-guardian-conversation",
-      pendingRequestIds: [req.id],
+      pendingScope: { mode: "scoped", requestIds: [req.id] },
       approvalConversationGenerator: approvalConversationGenerator as any,
     });
 
@@ -1746,7 +1781,7 @@ describe("routing invariant: expired requests are excluded from pending discover
       replyCtx({
         messageText: "approve",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [expired.id, active.id],
+        pendingScope: { mode: "scoped", requestIds: [expired.id, active.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1781,7 +1816,7 @@ describe("routing invariant: expired requests are excluded from pending discover
       replyCtx({
         messageText: "`approve`",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [req.id],
+        pendingScope: { mode: "scoped", requestIds: [req.id] },
         approvalConversationGenerator: undefined,
       }),
     );
@@ -1821,7 +1856,10 @@ describe("routing invariant: expired requests are excluded from pending discover
       replyCtx({
         messageText: "approve",
         conversationId: "conv-guardian-conversation",
-        pendingRequestIds: [expired1.id, expired2.id],
+        pendingScope: {
+          mode: "scoped",
+          requestIds: [expired1.id, expired2.id],
+        },
         approvalConversationGenerator: undefined,
       }),
     );

package/src/__tests__/guardian-routing-state.test.ts

@@ -162,7 +162,6 @@ describe("inbound-message-handler trusted-contact interactivity", () => {
         {
           type: "telegram",
           address: "telegram-user-default",
-          externalUserId: "telegram-user-default",
           status: "active",
           policy: "allow",
         },

package/src/__tests__/headless-browser-mode.test.ts

@@ -75,6 +75,16 @@ mock.module("../tools/browser/cdp-client/factory.js", () => ({
   },
 }));
 
+// The real proxy is an always-present singleton; stub the grace wait so
+// extension-pinned acquisition doesn't poll for the full window here.
+mock.module("../daemon/host-browser-proxy.js", () => ({
+  HostBrowserProxy: {
+    get instance() {
+      return { waitForExtensionClient: async () => true };
+    },
+  },
+}));
+
 // ── Minimal browserManager stub ──────────────────────────────────────
 
 /** Mutable memo shared between mock methods and tests. */

package/src/__tests__/headless-browser-navigate.test.ts

@@ -58,9 +58,14 @@ let mockExtensionAvailable = false;
 mock.module("../daemon/host-browser-proxy.js", () => ({
   HostBrowserProxy: {
     get instance() {
-      return mockExtensionAvailable
-        ? { isAvailable: () => true, request: mock(async () => ({})) }
-        : undefined;
+      // The real proxy is a lazily-created singleton that always exists;
+      // `isAvailable`/`waitForExtensionClient` reflect whether an extension
+      // is connected rather than the instance being absent.
+      return {
+        isAvailable: () => mockExtensionAvailable,
+        waitForExtensionClient: async () => mockExtensionAvailable,
+        request: mock(async () => ({})),
+      };
     },
   },
 }));

package/src/__tests__/helpers/create-guardian-binding.ts

@@ -55,7 +55,6 @@ export function createGuardianBinding(params: {
       {
         type: params.channel,
         address: canonicalId,
-        externalUserId: canonicalId,
         externalChatId: params.guardianDeliveryChatId,
         status: "active",
         verifiedAt: Date.now(),

package/src/__tests__/host-browser-proxy.test.ts

@@ -46,6 +46,8 @@ mock.module("../runtime/assistant-event-hub.js", () => ({
       mockClients.filter((c) => c.capabilities.includes(cap)),
     listClientsByInterface: (interfaceId: string) =>
       mockClients.filter((c) => c.interfaceId === interfaceId),
+    getClientById: (clientId: string) =>
+      mockClients.find((c) => c.clientId === clientId),
     getActorPrincipalIdForClient: (clientId: string) =>
       mockClients.find((c) => c.clientId === clientId)?.actorPrincipalId,
   },
@@ -108,6 +110,91 @@ describe("HostBrowserProxy", () => {
     pendingInteractions.clear();
   });
 
+  describe("waitForExtensionClient", () => {
+    const EXTENSION: MockClient = {
+      clientId: "ext-client",
+      interfaceId: "chrome-extension",
+      capabilities: ["host_browser"],
+    };
+
+    test("returns true immediately when an extension is connected", async () => {
+      mockClients = [EXTENSION];
+      expect(await proxy.waitForExtensionClient(undefined, undefined, 1_000)).toBe(
+        true,
+      );
+    });
+
+    test("returns false after the timeout when none connects", async () => {
+      mockClients = [DEFAULT_CLIENT]; // macos only, no extension
+      expect(await proxy.waitForExtensionClient(undefined, undefined, 100)).toBe(
+        false,
+      );
+    });
+
+    test("returns true when an extension appears within the window", async () => {
+      mockClients = [DEFAULT_CLIENT];
+      setTimeout(() => {
+        mockClients = [DEFAULT_CLIENT, EXTENSION];
+      }, 50);
+      expect(await proxy.waitForExtensionClient(undefined, undefined, 2_000)).toBe(
+        true,
+      );
+    });
+
+    test("respects sourceActorPrincipalId", async () => {
+      mockClients = [
+        {
+          clientId: "other-actor-ext",
+          interfaceId: "chrome-extension",
+          actorPrincipalId: "actor-b",
+          capabilities: ["host_browser"],
+        },
+      ];
+      // Caller is actor-a; the connected extension belongs to actor-b.
+      expect(await proxy.waitForExtensionClient("actor-a", undefined, 100)).toBe(
+        false,
+      );
+    });
+
+    test("with a targetClientId, waits for that exact client (not a sibling)", async () => {
+      // A sibling extension is connected, but the targeted client is not —
+      // the wait must not return early on the sibling's presence.
+      mockClients = [
+        {
+          clientId: "sibling-ext",
+          interfaceId: "chrome-extension",
+          capabilities: ["host_browser"],
+        },
+      ];
+      expect(
+        await proxy.waitForExtensionClient(undefined, "target-ext", 100),
+      ).toBe(false);
+    });
+
+    test("with a targetClientId, returns true once that client appears", async () => {
+      mockClients = [
+        {
+          clientId: "sibling-ext",
+          interfaceId: "chrome-extension",
+          capabilities: ["host_browser"],
+        },
+      ];
+      setTimeout(() => {
+        mockClients = [
+          ...mockClients,
+          {
+            clientId: "target-ext",
+            interfaceId: "chrome-extension",
+            capabilities: ["host_browser"],
+          },
+        ];
+      }, 50);
+      expect(
+        await proxy.waitForExtensionClient(undefined, "target-ext", 2_000),
+      ).toBe(true);
+    });
+  });
+
   describe("request/resolve lifecycle (happy path)", () => {
     test("sends host_browser_request and resolves with content", async () => {
       const resultPromise = proxy.request(