@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/__tests__/tool-approval-seed-content-blocks.test.ts

@@ -1,6 +1,6 @@
 import { describe, expect, test } from "bun:test";
 
-import { buildToolApprovalSeedContentBlocks } from "../notifications/tool-approval-copy.js";
+import { buildToolApprovalSeedContentBlocks } from "../notifications/approval-card-data.js";
 
 describe("buildToolApprovalSeedContentBlocks", () => {
   const toolApprovalPayload: Record<string, unknown> = {

package/src/__tests__/tool-audit-listener.test.ts

@@ -1,11 +1,11 @@
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
-// Toggle for the collectUsageData opt-out gate the listener consults when
+// Toggle for the share_analytics opt-out gate the listener consults when
 // populating the telemetry columns.
-let collectUsageData = true;
+let shareAnalytics = true;
 
-mock.module("../config/loader.js", () => ({
-  getConfig: () => ({ collectUsageData }),
+mock.module("../platform/consent-cache.js", () => ({
+  getCachedShareAnalytics: () => shareAnalytics,
 }));
 
 import { createToolAuditListener } from "../events/tool-audit-listener.js";
@@ -17,7 +17,7 @@ import {
 
 describe("tool audit listener", () => {
   beforeEach(() => {
-    collectUsageData = true;
+    shareAnalytics = true;
   });
 
   test("records executed events with truncated output", () => {
@@ -361,8 +361,8 @@ describe("tool audit listener", () => {
     );
   });
 
-  test("persists NULL telemetry columns when usage data collection is opted out", () => {
-    collectUsageData = false;
+  test("persists NULL telemetry columns when share_analytics is opted out", () => {
+    shareAnalytics = false;
     const records: ToolInvocationRecord[] = [];
     const listener = createToolAuditListener((record) => records.push(record));
 

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -34,9 +34,6 @@ const mockConfig = {
   permissions: {
     mode: "workspace" as const,
   },
-  // The audit listener nulls the telemetry columns when this is false; the
-  // end-to-end listener tests below assert the opted-in sizing behavior.
-  collectUsageData: true,
 };
 
 let checkerDecision: "allow" | "prompt" | "deny" = "allow";
@@ -56,6 +53,12 @@ mock.module("../config/loader.js", () => ({
   setNestedValue: () => {},
 }));
 
+// Analytics consent is granted so the audit listener populates the telemetry
+// columns; the end-to-end listener tests below assert the opted-in sizing.
+mock.module("../platform/consent-cache.js", () => ({
+  getCachedShareAnalytics: () => true,
+}));
+
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
     new Proxy({} as Record<string, unknown>, {

package/src/__tests__/tool-executor.test.ts

@@ -587,36 +587,6 @@ describe("isSideEffectTool", () => {
     expect(isSideEffectTool("nonexistent_tool")).toBe(false);
     expect(isSideEffectTool("")).toBe(false);
   });
-
-  describe("action-aware classification for mixed-action tools", () => {
-    test("credential_store store is a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "store" })).toBe(
-        true,
-      );
-    });
-
-    test("credential_store delete is a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "delete" })).toBe(
-        true,
-      );
-    });
-
-    test("credential_store prompt is a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "prompt" })).toBe(
-        true,
-      );
-    });
-
-    test("credential_store list is NOT a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "list" })).toBe(
-        false,
-      );
-    });
-
-    test("credential_store without input is NOT a side-effect", () => {
-      expect(isSideEffectTool("credential_store")).toBe(false);
-    });
-  });
 });
 
 // ---------------------------------------------------------------------------
@@ -751,10 +721,6 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
       { name: "document_create", input: { title: "doc", content: "body" } },
       { name: "document_update", input: { id: "doc-1", content: "updated" } },
       { name: "document_delete", input: { surface_id: "doc-1" } },
-      {
-        name: "credential_store",
-        input: { action: "store", name: "api-key", value: "secret" },
-      },
     ];
 
     for (const { name, input } of sideEffectTools) {
@@ -817,51 +783,6 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
     expect(promptCalled).toBe(true);
   });
 
-  // ── Credential store action-aware (PR fix9) ──────────
-
-  test("credential_store store forces prompt under forcePromptSideEffects", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "store", name: "api-key", value: "sk-secret-123" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("credential_store delete forces prompt under forcePromptSideEffects", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "delete", name: "api-key" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("credential_store list does NOT force prompt under forcePromptSideEffects", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "list" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // list is read-only — must NOT trigger forced prompting
-    expect(promptCalled).toBe(false);
-  });
-
   // ── Workspace mode + forcePromptSideEffects interaction ──────────
 
   test("workspace mode allow → prompt promotion still works for side-effect tools under forcePromptSideEffects", async () => {

package/src/__tests__/trusted-contact-approval-notifier.test.ts

@@ -169,8 +169,10 @@ async function simulateNotifierPoll(params: {
     notifiedRequestIds,
   } = params;
 
-  // Gate check: only trusted contacts with guardian route
-  if (trustClass !== "trusted_contact" || !guardianExternalUserId) {
+  // Gate check: only identity-known non-guardian contacts with guardian route
+  const isIdentityKnownNonGuardian =
+    trustClass === "trusted_contact" || trustClass === "unverified_contact";
+  if (!isIdentityKnownNonGuardian || !guardianExternalUserId) {
     return false;
   }
 

package/src/__tests__/trusted-contact-inline-approval-integration.test.ts

@@ -92,7 +92,7 @@ mock.module("../runtime/channel-verification-service.js", () => ({
     return null;
   },
   createOutboundSession: () => ({
-    conversationId: "test-session",
+    sessionId: "test-session",
     secret: "123456",
   }),
   bindSessionIdentity: () => {},
@@ -108,16 +108,23 @@ mock.module("../runtime/channel-verification-service.js", () => ({
   }),
 }));
 
-// Mock gateway client — capture delivery calls
+// Mock gateway client — capture delivery calls. `failDeliveryWhen` lets a test
+// simulate a delivery failure for a specific payload (e.g. a DM that can't be
+// opened) so fallback paths can be exercised.
 const deliveredReplies: Array<{
   url: string;
   payload: Record<string, unknown>;
 }> = [];
+let failDeliveryWhen: ((payload: Record<string, unknown>) => boolean) | null =
+  null;
 mock.module("../runtime/gateway-client.js", () => ({
   deliverChannelReply: async (
     url: string,
     payload: Record<string, unknown>,
   ) => {
+    if (failDeliveryWhen?.(payload)) {
+      throw new Error("simulated delivery failure");
+    }
     deliveredReplies.push({ url, payload });
     return { ok: true };
   },
@@ -150,6 +157,7 @@ mock.module("../config/env.js", () => ({
 import { applyCanonicalGuardianDecision } from "../approvals/guardian-decision-primitive.js";
 import type { ActorContext } from "../approvals/guardian-request-resolvers.js";
 import { getResolver } from "../approvals/guardian-request-resolvers.js";
+import { upsertContactChannel } from "../contacts/contacts-write.js";
 import type { TrustContext } from "../daemon/trust-context.js";
 import {
   createCanonicalGuardianRequest,
@@ -564,7 +572,7 @@ describe("(d) unknown actor flow: fail-closed with no interactive approval", ()
 
     expect("skipped" in result && result.skipped).toBe(true);
     if ("skipped" in result) {
-      expect(result.reason).toBe("not_trusted_contact");
+      expect(result.reason).toBe("not_bridgeable_trust_class");
     }
   });
 });
@@ -1088,3 +1096,212 @@ describe("cross-milestone integration checks", () => {
   });
 });
 
+// ===========================================================================
+// (g) access_request resolver: requester verification-code delivery
+//
+// On approval the requester must receive the 6-digit code so the guardian
+// never has to relay it by hand. On Slack the code is DM'd straight to the
+// requester (a private path is guaranteed via their user ID); other channels
+// keep the courier message because a private path to the requester is not
+// guaranteed there (e.g. a group chat would leak the secret).
+// ===========================================================================
+
+describe("(g) access_request resolver: requester code delivery", () => {
+  const REQUESTER_UID = "U_REQUESTER";
+  const GUARDIAN_UID = "U_GUARDIAN";
+
+  function createAccessRequest(overrides: Record<string, unknown> = {}) {
+    return createCanonicalGuardianRequest({
+      id: `access-req-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+      kind: "access_request",
+      sourceType: "channel",
+      sourceChannel: "slack",
+      conversationId: "conv-access-slack",
+      requesterExternalUserId: REQUESTER_UID,
+      requesterChatId: "C_SHARED_CHANNEL",
+      guardianExternalUserId: GUARDIAN_UID,
+      guardianPrincipalId: "test-principal-id",
+      toolName: "ingress_access_request",
+      expiresAt: Date.now() + 60_000,
+      ...overrides,
+    });
+  }
+
+  beforeEach(() => {
+    resetTables();
+    deliveredReplies.length = 0;
+    emittedSignals.length = 0;
+    failDeliveryWhen = null;
+  });
+
+  test("on-channel Slack approval DMs the verification code to the requester", async () => {
+    const req = createAccessRequest();
+
+    const result = await applyCanonicalGuardianDecision({
+      requestId: req.id,
+      action: "approve_once",
+      actorContext: guardianActor({
+        channel: "slack",
+        actorExternalUserId: GUARDIAN_UID,
+      }),
+      channelDeliveryContext: {
+        replyCallbackUrl:
+          "http://localhost:3000/deliver/slack?threadTs=111.222",
+        guardianChatId: "C_SHARED_CHANNEL",
+        assistantId: "self",
+      },
+    });
+
+    expect(result.applied).toBe(true);
+
+    // The requester receives the actual code in their DM (chatId = user ID),
+    // not a "ask the guardian" courier message.
+    const requesterCodeReply = deliveredReplies.find(
+      (r) =>
+        r.payload.chatId === REQUESTER_UID &&
+        typeof r.payload.text === "string" &&
+        (r.payload.text as string).includes("123456"),
+    );
+    expect(requesterCodeReply).toBeDefined();
+    expect(requesterCodeReply!.payload.text).toContain(
+      "your access request was approved",
+    );
+    // The code DM is durable, never ephemeral.
+    expect(requesterCodeReply!.payload.ephemeral).toBeUndefined();
+    // threadTs (the guardian's channel thread) is stripped for the DM.
+    expect(requesterCodeReply!.url).not.toContain("threadTs");
+
+    // No courier "receive from the guardian" message goes to the requester.
+    const courier = deliveredReplies.find(
+      (r) =>
+        typeof r.payload.text === "string" &&
+        (r.payload.text as string).includes("receive from the guardian"),
+    );
+    expect(courier).toBeUndefined();
+  });
+
+  test("desktop-decided approval DMs the code to the Slack requester via the deliver path", async () => {
+    const req = createAccessRequest();
+
+    const result = await applyCanonicalGuardianDecision({
+      requestId: req.id,
+      action: "approve_once",
+      // Desktop decision: no channelDeliveryContext, actor on the vellum channel.
+      actorContext: guardianActor({
+        channel: "vellum",
+        actorExternalUserId: undefined,
+      }),
+    });
+
+    expect(result.applied).toBe(true);
+
+    const requesterCodeReply = deliveredReplies.find(
+      (r) =>
+        r.payload.chatId === REQUESTER_UID &&
+        typeof r.payload.text === "string" &&
+        (r.payload.text as string).includes("123456"),
+    );
+    expect(requesterCodeReply).toBeDefined();
+    expect(requesterCodeReply!.url).toContain("/deliver/slack");
+    expect(requesterCodeReply!.payload.text).toContain(
+      "your access request was approved",
+    );
+  });
+
+  test("non-Slack channel keeps the courier message and never delivers the code to the requester chat", async () => {
+    const req = createAccessRequest({
+      sourceChannel: "telegram",
+      requesterChatId: "requester-chat-1",
+      conversationId: "conv-access-telegram",
+    });
+
+    const result = await applyCanonicalGuardianDecision({
+      requestId: req.id,
+      action: "approve_once",
+      actorContext: guardianActor({
+        channel: "telegram",
+        actorExternalUserId: GUARDIAN_UID,
+      }),
+      channelDeliveryContext: {
+        replyCallbackUrl: "http://localhost:3000/deliver/telegram",
+        guardianChatId: "guardian-chat-1",
+        assistantId: "self",
+      },
+    });
+
+    expect(result.applied).toBe(true);
+
+    // The requester is told to expect the code from the guardian; the secret is
+    // never delivered to the requester's (possibly group) chat.
+    const requesterReply = deliveredReplies.find(
+      (r) => r.payload.chatId === "requester-chat-1",
+    );
+    expect(requesterReply).toBeDefined();
+    expect(requesterReply!.payload.text).toContain("receive from the guardian");
+    expect(requesterReply!.payload.text).not.toContain("123456");
+  });
+
+  test("Slack shared-channel fallback posts an ephemeral notice to the channel when the DM fails", async () => {
+    const req = createAccessRequest();
+
+    // Make the direct DM (to the U... user ID) fail so the courier fallback runs.
+    failDeliveryWhen = (payload) => payload.chatId === REQUESTER_UID;
+
+    const result = await applyCanonicalGuardianDecision({
+      requestId: req.id,
+      action: "approve_once",
+      actorContext: guardianActor({
+        channel: "slack",
+        actorExternalUserId: GUARDIAN_UID,
+      }),
+      channelDeliveryContext: {
+        replyCallbackUrl:
+          "http://localhost:3000/deliver/slack?threadTs=111.222",
+        guardianChatId: "C_SHARED_CHANNEL",
+        assistantId: "self",
+      },
+    });
+
+    expect(result.applied).toBe(true);
+
+    // The courier notice falls back to an ephemeral message targeting the
+    // originating channel (C...), since chat.postEphemeral needs a channel ID —
+    // not the requester's user ID.
+    const courier = deliveredReplies.find(
+      (r) =>
+        typeof r.payload.text === "string" &&
+        (r.payload.text as string).includes("receive from the guardian"),
+    );
+    expect(courier).toBeDefined();
+    expect(courier!.payload.chatId).toBe("C_SHARED_CHANNEL");
+    expect(courier!.payload.ephemeral).toBe(true);
+    expect(courier!.payload.user).toBe(REQUESTER_UID);
+  });
+
+  test("guardian-facing reply uses the requester's display name, not the raw ID", async () => {
+    // Seed a contact so the resolver can resolve a display name.
+    upsertContactChannel({
+      sourceChannel: "slack",
+      externalUserId: REQUESTER_UID,
+      displayName: "Alice",
+      status: "unverified",
+    });
+
+    const req = createAccessRequest();
+
+    const result = await applyCanonicalGuardianDecision({
+      requestId: req.id,
+      action: "approve_once",
+      // Desktop decision → resolver returns guardianReplyText for assertion.
+      actorContext: guardianActor({
+        channel: "vellum",
+        actorExternalUserId: undefined,
+      }),
+    });
+
+    expect(result.applied).toBe(true);
+    const replyText = result.applied ? result.resolverReplyText : undefined;
+    expect(replyText).toContain("Alice");
+    expect(replyText).not.toContain(REQUESTER_UID);
+  });
+});

package/src/__tests__/trusted-contact-multichannel.test.ts

@@ -266,7 +266,7 @@ for (const config of CHANNEL_CONFIGS) {
 
       const contactResult = findContactChannel({
         channelType: config.channel,
-        externalUserId: config.senderExternalUserId,
+        address: config.senderExternalUserId,
       });
 
       expect(contactResult).not.toBeNull();
@@ -288,7 +288,7 @@ for (const config of CHANNEL_CONFIGS) {
       // Should be found on this channel
       const sameChanResult = findContactChannel({
         channelType: config.channel,
-        externalUserId: config.senderExternalUserId,
+        address: config.senderExternalUserId,
       });
       expect(sameChanResult).not.toBeNull();
 
@@ -296,7 +296,7 @@ for (const config of CHANNEL_CONFIGS) {
       const otherChannel = config.channel === "telegram" ? "slack" : "telegram";
       const crossChanResult = findContactChannel({
         channelType: otherChannel,
-        externalUserId: config.senderExternalUserId,
+        address: config.senderExternalUserId,
       });
       expect(crossChanResult).toBeNull();
     });

package/src/__tests__/trusted-contact-verification.test.ts

@@ -102,13 +102,13 @@ describe("trusted contact verification → member activation", () => {
     // Verify: active member record exists
     const contactResult = findContactChannel({
       channelType: "telegram",
-      externalUserId: "requester-user-123",
+      address: "requester-user-123",
     });
 
     expect(contactResult).not.toBeNull();
     expect(contactResult!.channel.status).toBe("active");
     expect(contactResult!.channel.policy).toBe("allow");
-    expect(contactResult!.channel.externalUserId).toBe("requester-user-123");
+    expect(contactResult!.channel.address).toBe("requester-user-123");
     expect(contactResult!.channel.externalChatId).toBe("requester-chat-123");
     expect(contactResult!.contact.displayName).toBe("Requester Name");
     expect(contactResult!.channel.type).toBe("telegram");
@@ -236,7 +236,7 @@ describe("trusted contact verification → member activation", () => {
     // Simulate the ACL check that inbound-message-handler performs
     const contactResult = findContactChannel({
       channelType: "telegram",
-      externalUserId: "requester-user-456",
+      address: "requester-user-456",
     });
 
     expect(contactResult).not.toBeNull();
@@ -274,7 +274,7 @@ describe("trusted contact verification → member activation", () => {
     // Member should be found via contacts
     const contactResult = findContactChannel({
       channelType: "telegram",
-      externalUserId: "user-cross-test",
+      address: "user-cross-test",
     });
     expect(contactResult).not.toBeNull();
     expect(contactResult!.channel.status).toBe("active");
@@ -282,7 +282,7 @@ describe("trusted contact verification → member activation", () => {
     // Member should NOT be found for a different channel type
     const otherChannel = findContactChannel({
       channelType: "slack",
-      externalUserId: "user-cross-test",
+      address: "user-cross-test",
     });
     expect(otherChannel).toBeNull();
   });
@@ -306,7 +306,7 @@ describe("trusted contact verification → member activation", () => {
     // Verify the member is indeed revoked (ACL would reject)
     const revokedResult = findContactChannel({
       channelType: "telegram",
-      externalUserId: "user-revoked",
+      address: "user-revoked",
     });
     expect(revokedResult).not.toBeNull();
     expect(revokedResult!.channel.status).toBe("revoked");
@@ -345,7 +345,7 @@ describe("trusted contact verification → member activation", () => {
     // Verify: member is now active again
     const reactivatedResult = findContactChannel({
       channelType: "telegram",
-      externalUserId: "user-revoked",
+      address: "user-revoked",
     });
     expect(reactivatedResult).not.toBeNull();
     expect(reactivatedResult!.channel.status).toBe("active");
@@ -390,9 +390,7 @@ describe("trusted contact verification → member activation", () => {
     // The original guardian binding should remain intact
     const guardianResult = findGuardianForChannel("telegram");
     expect(guardianResult).not.toBeNull();
-    expect(guardianResult!.channel.externalUserId).toBe(
-      "guardian-user-original",
-    );
+    expect(guardianResult!.channel.address).toBe("guardian-user-original");
   });
 
   test("guardian inbound verification succeeds but does not create binding", async () => {

package/src/__tests__/twilio-routes.test.ts

@@ -92,8 +92,21 @@ let mockRouteSetupResult: {
   },
 };
 
+// Captures the last context passed to routeSetup so preflight tests can
+// assert the resolved phone admission policy was threaded through.
+let lastRouteSetupCtx: Record<string, unknown> | null = null;
 mock.module("../calls/relay-setup-router.js", () => ({
-  routeSetup: () => mockRouteSetupResult,
+  routeSetup: (ctx: Record<string, unknown>) => {
+    lastRouteSetupCtx = ctx;
+    return mockRouteSetupResult;
+  },
+}));
+
+// Mock the phone channel admission reader used by the media-stream preflight.
+// Tests override mockAdmissionPolicy to exercise floor classification.
+let mockAdmissionPolicy: unknown = null;
+mock.module("../calls/channel-admission-reader.js", () => ({
+  getChannelAdmissionPolicy: async () => mockAdmissionPolicy,
 }));
 
 mock.module("../config/env.js", () => ({
@@ -454,6 +467,9 @@ describe("twilio webhook routes", () => {
     mockTwilioApiValidationBody = JSON.stringify({ sid: "AC_validated" });
     // Reset STT config to defaults between tests
     mockConfigObj.services.stt.provider = "deepgram" as any;
+    // Reset admission policy + captured routeSetup context between tests
+    mockAdmissionPolicy = null;
+    lastRouteSetupCtx = null;
     // Reset routeSetup mock to default normal_call
     mockRouteSetupResult = {
       outcome: { action: "normal_call", isInbound: true },
@@ -1228,6 +1244,70 @@ describe("twilio webhook routes", () => {
       expect(twiml).not.toContain("<ConversationRelay");
     });
 
+    test("media-stream: resolves the phone admission floor and threads it into the preflight routeSetup", async () => {
+      mockConfigObj.services.stt.provider = "openai-whisper" as any;
+      mockAdmissionPolicy = "guardian_only";
+      mockRouteSetupResult = {
+        outcome: { action: "normal_call", isInbound: true },
+        resolved: {
+          assistantId: "self",
+          isInbound: true,
+          otherPartyNumber: "+15559998888",
+          actorTrust: { trustClass: "guardian", memberRecord: null },
+        },
+      };
+
+      const session = createTestSession("conv-ms-floor-1", "CA_ms_floor_1");
+      const req = makeVoiceRequest(session.id, { CallSid: "CA_ms_floor_1" });
+
+      const res = await handleVoiceWebhook(req);
+      expect(res.status).toBe(200);
+
+      // The resolved floor was passed into the preflight routeSetup so its
+      // classification matches the real stream-start enforcement.
+      expect(lastRouteSetupCtx).not.toBeNull();
+      expect(lastRouteSetupCtx?.admissionPolicy).toBe("guardian_only");
+    });
+
+    test("media-stream: floor-denied caller classified deny still produces Stream TwiML (deny handled at stream level)", async () => {
+      mockConfigObj.services.stt.provider = "openai-whisper" as any;
+      mockAdmissionPolicy = "guardian_only";
+      // With the floor wired, the real router returns `deny` for a
+      // below-floor trusted_contact caller; the mock reflects that.
+      mockRouteSetupResult = {
+        outcome: {
+          action: "deny",
+          message:
+            "This number is not authorized to reach the assistant right now.",
+          logReason: "Inbound voice admission floor: guardian_only",
+        },
+        resolved: {
+          assistantId: "self",
+          isInbound: true,
+          otherPartyNumber: "+14155550000",
+          actorTrust: { trustClass: "trusted_contact", memberRecord: null },
+        },
+      };
+
+      const session = createTestSession(
+        "conv-ms-floor-deny-1",
+        "CA_ms_floor_deny_1",
+      );
+      const req = makeVoiceRequest(session.id, {
+        CallSid: "CA_ms_floor_deny_1",
+      });
+
+      const res = await handleVoiceWebhook(req);
+      expect(res.status).toBe(200);
+
+      // Policy was threaded; deny is supported on media-stream, so Stream
+      // TwiML is still produced (denial spoken + torn down at stream start).
+      expect(lastRouteSetupCtx?.admissionPolicy).toBe("guardian_only");
+      const twiml = await res.text();
+      expect(twiml).toContain("<Stream");
+      expect(twiml).not.toContain("<ConversationRelay");
+    });
+
     test("media-stream: deny setup proceeds with Stream TwiML (deny is handled at stream level)", async () => {
       mockConfigObj.services.stt.provider = "openai-whisper" as any;
       mockRouteSetupResult = {

package/src/__tests__/voice-invite-redemption.test.ts

@@ -180,7 +180,7 @@ describe("redeemVoiceInviteCode", () => {
 
     const channelResult = findContactChannel({
       channelType: "phone",
-      externalUserId: phone,
+      address: phone,
     });
 
     expect(channelResult).not.toBeNull();
@@ -368,7 +368,6 @@ describe("redeemVoiceInviteCode", () => {
         {
           type: "phone",
           address: phone,
-          externalUserId: phone,
           status: "revoked",
         },
       ],
@@ -399,7 +398,7 @@ describe("redeemVoiceInviteCode", () => {
     // Verify the redeemer's phone is now bound to Mom's contact
     const contactResult = findContactChannel({
       channelType: "phone",
-      externalUserId: phone,
+      address: phone,
     });
     expect(contactResult).not.toBeNull();
     expect(contactResult!.contact.id).toBe(momContact.id);