@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/__tests__/schedule-tools.test.ts

@@ -421,7 +421,7 @@ describe("schedule tools — workflow mode", () => {
   beforeEach(() => {
     getRawDb().run("DELETE FROM cron_runs");
     getRawDb().run("DELETE FROM cron_jobs");
-    setOverridesForTesting({ workflows: true });
+    setOverridesForTesting({});
   });
   afterAll(() => {
     setOverridesForTesting({});
@@ -466,22 +466,6 @@ describe("schedule tools — workflow mode", () => {
     expect(result.content).toContain("workflow_name is required");
   });
 
-  test("rejects workflow mode when the workflows flag is off", async () => {
-    setOverridesForTesting({}); // flag off
-    const result = await executeScheduleCreate(
-      {
-        name: "Flag off",
-        expression: "0 8 * * *",
-        mode: "workflow",
-        workflow_name: "inbox-triage",
-      },
-      ctx,
-    );
-
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("workflows are not enabled");
-  });
-
   test("update to workflow mode requires a workflow_name", async () => {
     await executeScheduleCreate(
       { name: "To workflow", expression: "0 9 * * *", message: "test" },
@@ -544,7 +528,7 @@ describe("schedule_create — workflow capability manifest", () => {
   beforeEach(() => {
     getRawDb().run("DELETE FROM cron_runs");
     getRawDb().run("DELETE FROM cron_jobs");
-    setOverridesForTesting({ workflows: true });
+    setOverridesForTesting({});
     // Deterministic registry so a declared side-effecting tool resolves.
     __clearRegistryForTesting();
     registerTool(makeFakeTool("file_write"));

package/src/__tests__/scheduler-reuse-conversation.test.ts

@@ -210,10 +210,13 @@ describe("scheduler conversation reuse", () => {
     expect(runs2[0].conversationId).toBe(firstConversationId);
   });
 
-  test("recurring schedule defaults to reuseConversation=true", async () => {
+  test("recurring schedule defaults to reuseConversation=false", async () => {
     /**
      * When no explicit reuseConversation is provided, recurring schedules
-     * default to true — subsequent runs reuse the same conversation.
+     * default to false — each run gets a fresh conversation. This keeps a
+     * weak model's per-run context bounded instead of accumulating a long,
+     * self-similar transcript that primes it to repeat or drift; durable
+     * cross-run state belongs in workspace files and memory, not history.
      */
 
     // GIVEN a recurring schedule with no explicit reuseConversation
@@ -224,7 +227,7 @@ describe("scheduler conversation reuse", () => {
       message: "Default reuse message",
       syntax: "rrule",
       expression: rruleExpr,
-      // no explicit reuseConversation — should default to true for recurring
+      // no explicit reuseConversation — should default to false
     });
 
     // WHEN the schedule fires for the first time
@@ -250,9 +253,9 @@ describe("scheduler conversation reuse", () => {
     await new Promise((resolve) => setTimeout(resolve, 500));
     scheduler2.stop();
 
-    // THEN the same conversation is reused
+    // THEN a fresh conversation is created instead of reusing the first
     expect(processedMessages).toHaveLength(1);
-    expect(processedMessages[0].conversationId).toBe(firstConversationId);
+    expect(processedMessages[0].conversationId).not.toBe(firstConversationId);
   });
 
   test("recurring schedule with reuseConversation=false creates new conversation each run", async () => {

package/src/__tests__/skill-execute-input.test.ts

@@ -1,6 +1,9 @@
 import { describe, expect, test } from "bun:test";
 
-import { resolveSkillExecuteInput } from "../tools/skills/execute.js";
+import {
+  augmentSkillExecuteError,
+  resolveSkillExecuteInput,
+} from "../tools/skills/execute.js";
 
 describe("resolveSkillExecuteInput", () => {
   test("returns a correctly nested object unchanged", () => {
@@ -83,3 +86,50 @@ describe("resolveSkillExecuteInput", () => {
     expect(result).toEqual({ foo: "bar" });
   });
 });
+
+describe("augmentSkillExecuteError", () => {
+  test("appends envelope guidance when an empty-input call errors", () => {
+    // The subagent_spawn failure: empty input, tool rejects with a field-level
+    // message that says nothing about the skill_execute envelope.
+    const result = augmentSkillExecuteError(
+      "subagent_spawn",
+      {},
+      { content: 'Both "label" and "objective" are required.', isError: true },
+    );
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain(
+      'Both "label" and "objective" are required.',
+    );
+    expect(result.content).toContain("carried no parameters");
+    expect(result.content).toContain('"tool": "subagent_spawn"');
+    expect(result.content).toContain("inside `input`");
+    // The guidance must not condemn the JSON-encoded-string form: the resolver
+    // accepts it (resolveSkillExecuteInput parses string input), and it is a
+    // shape weak models successfully use. Telling them it is wrong steers them
+    // toward dropping the payload entirely.
+    expect(result.content).not.toContain("JSON-encoded string");
+  });
+
+  test("leaves errors untouched when parameters were resolved", () => {
+    // A non-empty resolved input means the model structured the call; any error
+    // is a real tool-level failure, not an envelope-shape mistake.
+    const original = {
+      content: "Subagent quota exceeded.",
+      isError: true,
+    };
+    const result = augmentSkillExecuteError(
+      "subagent_spawn",
+      { label: "x", objective: "y" },
+      original,
+    );
+    expect(result).toBe(original);
+  });
+
+  test("leaves successful empty-input calls untouched", () => {
+    // Tools that legitimately accept no parameters (e.g. subagent_status) must
+    // not have guidance appended to their successful results.
+    const original = { content: "No subagents running.", isError: false };
+    const result = augmentSkillExecuteError("subagent_status", {}, original);
+    expect(result).toBe(original);
+  });
+});

package/src/__tests__/skill-runtime-path.test.ts

@@ -9,9 +9,8 @@
  * branches (macOS `.app` Resources, next-to-binary) key off
  * `import.meta.dir.startsWith("/$bunfs/")`, so at test time only the
  * source-mode early-return is exercised here; the compiled branch is
- * covered structurally via the signing + packaging step in
- * `clients/macos/build.sh` and will be exercised end-to-end by the
- * supervisor integration test added in PR 27.
+ * covered structurally via the Electron signing + packaging step in
+ * `clients/macos/scripts/pack.sh`.
  */
 
 import { mkdirSync, rmSync, writeFileSync } from "node:fs";

package/src/__tests__/skills.test.ts

@@ -691,6 +691,57 @@ describe("category frontmatter parsing", () => {
   });
 });
 
+describe("always-candidate frontmatter parsing", () => {
+  beforeEach(() => {
+    mkdirSync(join(TEST_DIR, "skills"), { recursive: true });
+  });
+
+  afterEach(() => {
+    const skillsDir = join(TEST_DIR, "skills");
+    if (existsSync(skillsDir))
+      rmSync(skillsDir, { recursive: true, force: true });
+  });
+
+  function writeSkillWithAlwaysCandidate(skillId: string, value: string): void {
+    const skillDir = join(TEST_DIR, "skills", skillId);
+    mkdirSync(skillDir, { recursive: true });
+    const metadata = `{"vellum":{"always-candidate":${value}}}`;
+    writeFileSync(
+      join(skillDir, "SKILL.md"),
+      `---\nname: "${skillId}"\ndescription: "test"\nmetadata: ${metadata}\n---\n\nBody.\n`,
+    );
+  }
+
+  test("parses always-candidate: true from metadata.vellum", () => {
+    writeSkillWithAlwaysCandidate("pinned", "true");
+    const skill = loadUserSkillCatalog().find((s) => s.id === "pinned");
+    expect(skill!.alwaysCandidate).toBe(true);
+  });
+
+  test("parses always-candidate: false", () => {
+    writeSkillWithAlwaysCandidate("unpinned", "false");
+    const skill = loadUserSkillCatalog().find((s) => s.id === "unpinned");
+    expect(skill!.alwaysCandidate).toBe(false);
+  });
+
+  test("returns undefined for a non-boolean always-candidate", () => {
+    writeSkillWithAlwaysCandidate("bad", '"yes"');
+    const skill = loadUserSkillCatalog().find((s) => s.id === "bad");
+    expect(skill!.alwaysCandidate).toBeUndefined();
+  });
+
+  test("skill without always-candidate has undefined", () => {
+    writeSkill("plain", "Plain", "Test");
+    const skill = loadUserSkillCatalog().find((s) => s.id === "plain");
+    expect(skill!.alwaysCandidate).toBeUndefined();
+  });
+
+  test("the bundled workflows skill is flagged always-candidate", () => {
+    const wf = loadSkillCatalog().find((s) => s.id === "workflows");
+    expect(wf?.alwaysCandidate).toBe(true);
+  });
+});
+
 describe("bundled skill categories", () => {
   test("every bundled skill declares a valid category slug", () => {
     const yamlPath = join(

package/src/__tests__/slack-notification-approval-card.test.ts

@@ -0,0 +1,176 @@
+import { describe, expect, test } from "bun:test";
+
+import { parseAccessRequestPayload } from "../notifications/access-request-copy.js";
+import { buildApprovalNotificationBlocks } from "../notifications/adapters/slack.js";
+import type { ChannelDeliveryPayload } from "../notifications/types.js";
+import type { ApprovalUIMetadata } from "../runtime/channel-approval-types.js";
+
+/**
+ * Pins the Slack approval-card block contract: the title, identity subtitle,
+ * quoted-preview body, action callback ids, source/permalink and requester-id
+ * context blocks, the security-warning context block, and guardian
+ * verification note that `buildApprovalNotificationBlocks` emits for an
+ * access request.
+ */
+
+const APPROVAL: ApprovalUIMetadata = {
+  requestId: "req-123",
+  actions: [
+    { id: "approve_once", label: "Approve once" },
+    { id: "reject", label: "Reject" },
+  ],
+  plainTextFallback: 'Reply "ABC123 approve" or "ABC123 reject"',
+};
+
+function buildPayload(
+  raw: Record<string, unknown>,
+  approval: ApprovalUIMetadata = APPROVAL,
+): ChannelDeliveryPayload {
+  return {
+    sourceEventName: "ingress.access_request",
+    copy: { title: "Access Request", body: "Someone is requesting access" },
+    urgency: "high",
+    approvalContext: approval,
+    accessRequestContext: parseAccessRequestPayload(raw),
+  };
+}
+
+type Block = Record<string, unknown>;
+
+function card(blocks: unknown[]): Block {
+  const c = (blocks as Block[]).find((b) => b.type === "card");
+  if (!c) throw new Error("no card block");
+  return c;
+}
+
+function contextTexts(blocks: unknown[]): string[] {
+  return (blocks as Block[])
+    .filter((b) => b.type === "context")
+    .map((b) => {
+      const elements = b.elements as Array<{ text: string }>;
+      return elements.map((e) => e.text).join("");
+    });
+}
+
+function text(node: unknown): string {
+  return (node as { text: string }).text;
+}
+
+const BASE: Record<string, unknown> = {
+  requestId: "req-123",
+  requestCode: "ABC123",
+  sourceChannel: "slack",
+  conversationExternalId: "C01ABC",
+  actorExternalId: "U999",
+  actorDisplayName: "Alice",
+  actorUsername: "alice",
+  senderIdentifier: "U999",
+  messagePreview: "Hello, I need help with something",
+  messageTs: "1700000000.000100",
+};
+
+describe("Slack access-request card blocks", () => {
+  test("card carries title, identity subtitle, and quoted preview body", () => {
+    const c = card(buildApprovalNotificationBlocks(buildPayload(BASE), "msg"));
+    expect(text(c.title)).toBe("Access Request");
+    expect(text(c.subtitle)).toBe("Alice (@alice) via slack");
+    expect(text(c.body)).toBe('> _"Hello, I need help with something"_');
+  });
+
+  test("card actions encode the apr:<requestId>:<action> callback ids", () => {
+    const c = card(buildApprovalNotificationBlocks(buildPayload(BASE), "msg"));
+    const actions = c.actions as Array<Record<string, unknown>>;
+    expect(actions).toHaveLength(2);
+    expect(actions[0].action_id).toBe("apr:req-123:approve_once");
+    expect(actions[0].style).toBe("primary");
+    expect(actions[1].action_id).toBe("apr:req-123:reject");
+    expect(actions[1].style).toBe("danger");
+  });
+
+  test("source context renders a channel mention with permalink", () => {
+    const texts = contextTexts(
+      buildApprovalNotificationBlocks(buildPayload(BASE), "msg"),
+    );
+    expect(texts).toContain(
+      "Source: Slack — <#C01ABC> · <https://slack.com/archives/C01ABC/p1700000000000100|View message>",
+    );
+  });
+
+  test("DM source renders as Direct message", () => {
+    const blocks = buildApprovalNotificationBlocks(
+      buildPayload({ ...BASE, conversationExternalId: "D01XYZ" }),
+      "msg",
+    );
+    expect(contextTexts(blocks)).toContain(
+      "Source: Slack — Direct message · <https://slack.com/archives/D01XYZ/p1700000000000100|View message>",
+    );
+  });
+
+  test("requester id block appears when external id adds info", () => {
+    const texts = contextTexts(
+      buildApprovalNotificationBlocks(buildPayload(BASE), "msg"),
+    );
+    expect(texts).toContain("ID: U999");
+  });
+
+  test("invite directive context block is always present", () => {
+    const texts = contextTexts(
+      buildApprovalNotificationBlocks(buildPayload(BASE), "msg"),
+    );
+    expect(texts).toContain(
+      'Reply "open invite flow" to start Trusted Contacts invite flow.',
+    );
+  });
+
+  test("warnings render in a context block under the card", () => {
+    const blocks = buildApprovalNotificationBlocks(
+      buildPayload({
+        ...BASE,
+        isStranger: true,
+        isRestricted: true,
+        previousMemberStatus: "revoked",
+      }),
+      "msg",
+    );
+    // `subtext` is not a Slack card field; warnings must live in a real block
+    // or Slack drops them and the guardian never sees them.
+    expect(card(blocks).subtext).toBeUndefined();
+    const warning = contextTexts(blocks).find((t) => t.includes(":warning:"));
+    expect(warning).toBeDefined();
+    expect(warning).toContain(":warning: This user was previously revoked.");
+    expect(warning).toContain(
+      ":warning: External Slack user (not in this workspace).",
+    );
+    expect(warning).toContain(":warning: Guest / restricted account.");
+  });
+
+  test("no warning context block when there are no warnings", () => {
+    const blocks = buildApprovalNotificationBlocks(buildPayload(BASE), "msg");
+    expect(card(blocks).subtext).toBeUndefined();
+    expect(contextTexts(blocks).some((t) => t.includes(":warning:"))).toBe(
+      false,
+    );
+  });
+
+  test("body falls back to a default label when no preview", () => {
+    const c = card(
+      buildApprovalNotificationBlocks(
+        buildPayload({ ...BASE, messagePreview: undefined }),
+        "msg",
+      ),
+    );
+    expect(text(c.body)).toBe("Requesting access to the assistant");
+  });
+
+  test("guardian verification note appears for fallback guardian resolution", () => {
+    const texts = contextTexts(
+      buildApprovalNotificationBlocks(
+        buildPayload({ ...BASE, guardianResolutionSource: "vellum-anchor" }),
+        "msg",
+      ),
+    );
+    expect(
+      texts.some((t) => t.includes("haven't verified your identity on slack")),
+    ).toBe(true);
+  });
+});

package/src/__tests__/slack-reaction-canonical-approval.test.ts

@@ -0,0 +1,285 @@
+/**
+ * Tests for guardian approval-by-reaction on the canonical pipeline.
+ *
+ * A Slack emoji reaction (✅ / ❌) on a delivered approval card is routed
+ * through `routeGuardianReply` exactly like a button press or text reply. The
+ * emoji maps to an action and the reacted card's message id (`reactedMessageTs`)
+ * resolves the target request via its canonical delivery record — so the
+ * decision is applied precisely even when several cards are pending in the same
+ * chat, with no clarification prompt.
+ */
+
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+  truncateForLog: (value: string) => value,
+}));
+
+const _conversationMocks = new Map<string, unknown>();
+mock.module("../daemon/conversation-registry.js", () => ({
+  findConversation: (id: string) => _conversationMocks.get(id),
+}));
+
+import type { Conversation } from "../daemon/conversation.js";
+import {
+  createCanonicalGuardianDelivery,
+  createCanonicalGuardianRequest,
+  getCanonicalGuardianRequest,
+  getPendingCanonicalRequestByDestinationMessage,
+  resolveCanonicalGuardianRequest,
+} from "../memory/canonical-guardian-store.js";
+import { getDb } from "../memory/db-connection.js";
+import { initializeDb } from "../memory/db-init.js";
+import { routeGuardianReply } from "../runtime/guardian-reply-router.js";
+import * as pendingInteractions from "../runtime/pending-interactions.js";
+
+initializeDb();
+
+// ---------------------------------------------------------------------------
+// Constants & helpers
+// ---------------------------------------------------------------------------
+
+const GUARDIAN_USER = "U_GUARDIAN";
+const PRINCIPAL = "principal-1";
+const CHAT_ID = "D_GUARDIAN_DM";
+const TOOL_NAME = "execute_shell";
+
+function resetTables(): void {
+  const db = getDb();
+  db.run("DELETE FROM canonical_guardian_deliveries");
+  db.run("DELETE FROM canonical_guardian_requests");
+  db.run("DELETE FROM scoped_approval_grants");
+  pendingInteractions.clear();
+  _conversationMocks.clear();
+}
+
+/**
+ * Seed a pending tool-approval (canonical request + delivery + pending
+ * interaction with a mock conversation) and return the mocked
+ * `handleConfirmationResponse` so callers can assert it was driven.
+ */
+function seedApproval(opts: {
+  requestId: string;
+  ts: string;
+  chatId?: string;
+  principal?: string;
+}): ReturnType<typeof mock> {
+  const chatId = opts.chatId ?? CHAT_ID;
+  const principal = opts.principal ?? PRINCIPAL;
+  const conversationId = `conv-${opts.requestId}`;
+
+  createCanonicalGuardianRequest({
+    id: opts.requestId,
+    kind: "tool_approval",
+    sourceType: "channel",
+    sourceChannel: "slack",
+    conversationId,
+    requesterExternalUserId: "requester-1",
+    requesterChatId: chatId,
+    guardianExternalUserId: GUARDIAN_USER,
+    guardianPrincipalId: principal,
+    toolName: TOOL_NAME,
+    status: "pending",
+    expiresAt: Date.now() + 300_000,
+  });
+
+  createCanonicalGuardianDelivery({
+    requestId: opts.requestId,
+    destinationChannel: "slack",
+    destinationChatId: chatId,
+    destinationMessageId: opts.ts,
+  });
+
+  const handleConfirmationResponse = mock(() => {});
+  _conversationMocks.set(conversationId, {
+    handleConfirmationResponse,
+    ensureActorScopedHistory: async () => {},
+  } as unknown as Conversation);
+  pendingInteractions.register(opts.requestId, {
+    conversationId,
+    kind: "confirmation",
+    confirmationDetails: {
+      toolName: TOOL_NAME,
+      input: { command: "echo hi" },
+      riskLevel: "high",
+      allowlistOptions: [{ label: "t", description: "t", pattern: "t" }],
+      scopeOptions: [{ label: "everywhere", scope: "everywhere" }],
+    },
+  });
+  return handleConfirmationResponse;
+}
+
+function reaction(opts: {
+  emoji: string;
+  reactedMessageTs?: string;
+  chatId?: string;
+  principal?: string;
+}): Parameters<typeof routeGuardianReply>[0] {
+  return {
+    messageText: "",
+    channel: "slack",
+    actor: {
+      actorPrincipalId: opts.principal ?? PRINCIPAL,
+      actorExternalUserId: GUARDIAN_USER,
+      channel: "slack",
+      guardianPrincipalId: opts.principal ?? PRINCIPAL,
+    },
+    conversationId: "guardian-conv",
+    callbackData: `reaction:${opts.emoji}`,
+    reactedMessageTs: opts.reactedMessageTs,
+    channelDeliveryContext: {
+      replyCallbackUrl: "https://gateway.test/deliver",
+      guardianChatId: opts.chatId ?? CHAT_ID,
+      assistantId: "self",
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Store lookup
+// ---------------------------------------------------------------------------
+
+describe("getPendingCanonicalRequestByDestinationMessage", () => {
+  beforeEach(resetTables);
+
+  test("resolves the request whose delivery matches channel + chat + message id", () => {
+    seedApproval({ requestId: "req-1", ts: "1700000000.000001" });
+    const found = getPendingCanonicalRequestByDestinationMessage(
+      "slack",
+      CHAT_ID,
+      "1700000000.000001",
+    );
+    expect(found?.id).toBe("req-1");
+  });
+
+  test("returns null when no delivery matches the message id", () => {
+    seedApproval({ requestId: "req-1", ts: "1700000000.000001" });
+    expect(
+      getPendingCanonicalRequestByDestinationMessage(
+        "slack",
+        CHAT_ID,
+        "9999.0",
+      ),
+    ).toBeNull();
+  });
+
+  test("returns null once the matched request is no longer pending", () => {
+    seedApproval({ requestId: "req-1", ts: "1700000000.000001" });
+    resolveCanonicalGuardianRequest("req-1", "pending", { status: "approved" });
+    expect(
+      getPendingCanonicalRequestByDestinationMessage(
+        "slack",
+        CHAT_ID,
+        "1700000000.000001",
+      ),
+    ).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Reaction routing
+// ---------------------------------------------------------------------------
+
+describe("routeGuardianReply / reactions", () => {
+  beforeEach(resetTables);
+
+  test("✅ on a delivered card approves the matching request", async () => {
+    const hcr = seedApproval({ requestId: "req-1", ts: "111.1" });
+
+    const result = await routeGuardianReply(
+      reaction({ emoji: "white_check_mark", reactedMessageTs: "111.1" }),
+    );
+
+    expect(result.consumed).toBe(true);
+    expect(result.decisionApplied).toBe(true);
+    expect(result.type).toBe("canonical_decision_applied");
+    expect(getCanonicalGuardianRequest("req-1")?.status).toBe("approved");
+    expect(hcr).toHaveBeenCalledTimes(1);
+    expect(hcr.mock.calls[0]?.[0]).toBe("req-1");
+    expect(hcr.mock.calls[0]?.[1]).toBe("allow");
+  });
+
+  test("❌ on a delivered card rejects the matching request", async () => {
+    const hcr = seedApproval({ requestId: "req-1", ts: "111.1" });
+
+    const result = await routeGuardianReply(
+      reaction({ emoji: "-1", reactedMessageTs: "111.1" }),
+    );
+
+    expect(result.decisionApplied).toBe(true);
+    expect(getCanonicalGuardianRequest("req-1")?.status).toBe("denied");
+    expect(hcr.mock.calls[0]?.[1]).toBe("deny");
+  });
+
+  test("reacting on a specific card resolves only that card (disambiguates N>1)", async () => {
+    const hcrA = seedApproval({ requestId: "req-A", ts: "100.1" });
+    const hcrB = seedApproval({ requestId: "req-B", ts: "200.2" });
+
+    // React on card B's message — only B should resolve.
+    const result = await routeGuardianReply(
+      reaction({ emoji: "white_check_mark", reactedMessageTs: "200.2" }),
+    );
+
+    expect(result.requestId).toBe("req-B");
+    expect(getCanonicalGuardianRequest("req-B")?.status).toBe("approved");
+    expect(getCanonicalGuardianRequest("req-A")?.status).toBe("pending");
+    expect(hcrB).toHaveBeenCalledTimes(1);
+    expect(hcrA).not.toHaveBeenCalled();
+  });
+
+  test("a reaction on an unknown message is not consumed (left for transcript)", async () => {
+    seedApproval({ requestId: "req-1", ts: "111.1" });
+
+    const result = await routeGuardianReply(
+      reaction({ emoji: "white_check_mark", reactedMessageTs: "no-such-ts" }),
+    );
+
+    expect(result.consumed).toBe(false);
+    expect(result.type).toBe("not_consumed");
+    expect(getCanonicalGuardianRequest("req-1")?.status).toBe("pending");
+  });
+
+  test("an unknown emoji is not consumed", async () => {
+    seedApproval({ requestId: "req-1", ts: "111.1" });
+
+    const result = await routeGuardianReply(
+      reaction({ emoji: "tada", reactedMessageTs: "111.1" }),
+    );
+
+    expect(result.consumed).toBe(false);
+    expect(getCanonicalGuardianRequest("req-1")?.status).toBe("pending");
+  });
+
+  test("a reaction without a reacted message id is not consumed", async () => {
+    seedApproval({ requestId: "req-1", ts: "111.1" });
+
+    const result = await routeGuardianReply(
+      reaction({ emoji: "white_check_mark" }),
+    );
+
+    expect(result.consumed).toBe(false);
+  });
+
+  test("a reaction from a different principal is surfaced, not silently dropped", async () => {
+    const hcr = seedApproval({ requestId: "req-1", ts: "111.1" });
+
+    const result = await routeGuardianReply(
+      reaction({
+        emoji: "white_check_mark",
+        reactedMessageTs: "111.1",
+        principal: "someone-else",
+      }),
+    );
+
+    // Consumed with a user-facing reply, request untouched, side effect not run.
+    expect(result.consumed).toBe(true);
+    expect(result.decisionApplied).toBe(false);
+    expect(result.replyText).toMatch(/permission/i);
+    expect(getCanonicalGuardianRequest("req-1")?.status).toBe("pending");
+    expect(hcr).not.toHaveBeenCalled();
+  });
+});