@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/runtime/routes/inbound-stages/acl-enforcement.ts

@@ -3,7 +3,7 @@
  * record, enforces allow/deny/escalate policies, handles invite token
  * intercepts, and notifies the guardian of denied access requests.
  */
-import type { SourceMetadata } from "@vellumai/gateway-client";
+import type { AdmissionPolicy, SourceMetadata } from "@vellumai/gateway-client";
 
 import { isInviteCodeRedemptionEnabled } from "../../../channels/config.js";
 import type { ChannelId } from "../../../channels/types.js";
@@ -90,6 +90,18 @@ export interface AclEnforcementParams {
   replyCallbackUrl: string | undefined;
   assistantId: string;
   externalMessageId: string;
+  /**
+   * Effective admission policy for this request (gateway floor resolved with
+   * any per-conversation override). When set, ACL skips its hard-deny paths
+   * when the policy is permissive enough:
+   * - `strangers`: non-members and inactive (non-blocked) members are passed
+   *   through so the admission floor can emit the final verdict.
+   * - `any_contact`: inactive `pending` members are passed through.
+   *
+   * Passing this in avoids having ACL fire guardian notifications and canned
+   * replies for senders who will be admitted by the floor stage anyway.
+   */
+  effectiveAdmissionPolicy?: AdmissionPolicy;
 }
 
 /** Resolved contact + channel pair from ACL enforcement. */
@@ -102,6 +114,12 @@ export interface AclResult {
   resolvedMember: ResolvedMember | null;
   /** When set, the caller must return this response immediately. */
   earlyResponse?: Record<string, unknown>;
+  /**
+   * True when a valid `pending_bootstrap` session was resolved during ACL
+   * enforcement. The caller must skip the admission policy floor so the
+   * bootstrap intercept stage can handle identity binding and emit its reply.
+   */
+  isValidatedBootstrap?: boolean;
 }
 
 /** Map ChannelStatus to the API-facing member status (excludes "unverified"). */
@@ -134,8 +152,11 @@ export async function enforceIngressAcl(
     replyCallbackUrl,
     assistantId,
     externalMessageId,
+    effectiveAdmissionPolicy,
   } = params;
 
+  let isValidatedBootstrap = false;
+
   // Trust signals from Slack users.info, forwarded via sourceMetadata.
   const isStranger = sourceMetadata?.isStranger ?? undefined;
   const isRestricted = sourceMetadata?.isRestricted ?? undefined;
@@ -166,7 +187,7 @@ export async function enforceIngressAcl(
     if (canonicalSenderId) {
       const contactResult = findContactChannel({
         channelType: sourceChannel,
-        externalUserId: canonicalSenderId,
+        address: canonicalSenderId,
         externalChatId: conversationExternalId,
       });
       resolvedMember = contactResult
@@ -196,6 +217,7 @@ export async function enforceIngressAcl(
           bootstrapSessionForAcl.status === "pending_bootstrap"
         ) {
           denyNonMember = false;
+          isValidatedBootstrap = true;
         } else {
           log.info(
             { sourceChannel, hasValidBootstrapSession: false },
@@ -206,8 +228,10 @@ export async function enforceIngressAcl(
 
       // ── Invite token intercept (non-member) ──
       // /start invite deep links grant access without guardian approval.
-      // Intercept here — before the deny gate — so valid invites short-circuit
-      // the ACL rejection and never reach the agent pipeline.
+      // Runs BEFORE the policy-aware bypass so a valid /start iv_<token>
+      // always redeems and creates a member record — even when the
+      // admission policy is `strangers` (which would otherwise admit the
+      // sender as a non-member before the token is consumed).
       if (inviteToken && denyNonMember) {
         const inviteResult = await handleInviteTokenIntercept({
           rawToken: inviteToken,
@@ -232,6 +256,8 @@ export async function enforceIngressAcl(
       // On channels with codeRedemptionEnabled, a bare 6-digit message may be
       // an invite code. Attempt redemption; on failure (no matching code) fall
       // through to normal processing — the number may be a regular message.
+      // Runs before the policy-aware bypass for the same reason as the token
+      // intercept above.
       if (denyNonMember && /^\d{6}$/.test(trimmedContent)) {
         const codeInterceptResult = await handleInviteCodeIntercept({
           code: trimmedContent,
@@ -252,6 +278,28 @@ export async function enforceIngressAcl(
           };
       }
 
+      // ── Policy-aware non-member bypass ──
+      // Skip the ACL deny gate so the admission floor stage emits the final
+      // verdict instead of the ACL prematurely firing guardian notifications,
+      // a canned reply, and (on Slack) a verification challenge.
+      //  - `strangers` (floor 1): any sender (rank 1) clears the floor, so the
+      //    stage admits.
+      //  - `guardian_only` (floor 4): no non-guardian can clear the floor even
+      //    after verifying (a verified contact is only rank 3), so the upgrade
+      //    challenge is misleading — the stage denies with `shouldChallenge:
+      //    false`. `trusted_contacts` is intentionally NOT bypassed here: a
+      //    stranger there still can't reach the floor, but suppressing its
+      //    self-verify challenge is a default-onboarding behavior change left
+      //    for a separate §8.2 decision.
+      // Runs AFTER invite intercepts so valid tokens redeem first.
+      if (
+        denyNonMember &&
+        (effectiveAdmissionPolicy === "strangers" ||
+          effectiveAdmissionPolicy === "guardian_only")
+      ) {
+        denyNonMember = false;
+      }
+
       if (denyNonMember) {
         log.info(
           { sourceChannel, externalUserId: canonicalSenderId },
@@ -465,6 +513,7 @@ export async function enforceIngressAcl(
             bootstrapSessionForAcl.status === "pending_bootstrap"
           ) {
             denyInactiveMember = false;
+            isValidatedBootstrap = true;
           } else {
             log.info(
               {
@@ -481,7 +530,9 @@ export async function enforceIngressAcl(
         // Invite tokens can reactivate revoked/pending members without
         // requiring guardian approval, but blocked members are excluded so
         // they are short-circuited at the ACL layer rather than entering the
-        // redemption path.
+        // redemption path. Runs BEFORE the policy-aware bypass so a valid
+        // invite always redeems and reactivates the member record, rather
+        // than the bypass admitting the sender in their inactive state.
         if (!isBlockedMember && inviteToken && denyInactiveMember) {
           const inviteResult = await handleInviteTokenIntercept({
             rawToken: inviteToken,
@@ -506,7 +557,8 @@ export async function enforceIngressAcl(
         // Codes can reactivate revoked/pending members; non-matching codes
         // fall through. Blocked members are excluded here for consistency —
         // the redemption service would reject them anyway, but early exit
-        // avoids unnecessary work.
+        // avoids unnecessary work. Runs before the policy-aware bypass for
+        // the same reason as the token intercept above.
         if (
           !isBlockedMember &&
           denyInactiveMember &&
@@ -531,6 +583,36 @@ export async function enforceIngressAcl(
             };
         }
 
+        // ── Policy-aware inactive-member bypass ──
+        // `strangers` (floor 1): admit non-blocked, non-revoked senders
+        //   (pending/unverified bypass the inactive-member deny gate).
+        //   Revoked is an EXPLICIT governance action and stays denied even
+        //   under the most permissive policy — it is not the same as an
+        //   unknown stranger who has never interacted with the assistant.
+        // `any_contact` (floor 2): admit `pending` and `unverified` members
+        //   (both classify as `unverified_contact` — rank 2 ≥ floor 2); deny
+        //   `revoked` members (unknown rank 1 < floor 2).
+        // `guardian_only` (floor 4): route `pending`/`unverified` members to
+        //   the floor stage for a plain denial. Verifying only lifts them to
+        //   `trusted_contact` (rank 3 < floor 4), so the ACL's re-verify
+        //   challenge would be misleading. `trusted_contacts` is NOT included:
+        //   there, verifying reaches `trusted_contact` (rank 3 ≥ floor 3), so
+        //   the challenge legitimately upgrades the sender into access.
+        // In every case skip the deny gate so the admission stage decides.
+        // Runs AFTER invite intercepts so valid tokens redeem first.
+        if (!isBlockedMember && denyInactiveMember) {
+          if (
+            (effectiveAdmissionPolicy === "strangers" &&
+              resolvedMember.channel.status !== "revoked") ||
+            ((effectiveAdmissionPolicy === "any_contact" ||
+              effectiveAdmissionPolicy === "guardian_only") &&
+              (resolvedMember.channel.status === "pending" ||
+                resolvedMember.channel.status === "unverified"))
+          ) {
+            denyInactiveMember = false;
+          }
+        }
+
         if (denyInactiveMember) {
           log.info(
             {
@@ -734,7 +816,7 @@ export async function enforceIngressAcl(
     }
   }
 
-  return { resolvedMember };
+  return { resolvedMember, ...(isValidatedBootstrap && { isValidatedBootstrap }) };
 }
 
 // ---------------------------------------------------------------------------

package/src/runtime/routes/inbound-stages/admission-policy.test.ts

@@ -0,0 +1,154 @@
+/**
+ * Unit tests for the `enforceAdmissionPolicy` pure function.
+ *
+ * Drives the floor-vs-rank logic in isolation — no I/O, no mocks needed.
+ * Integration-level coverage lives in the gateway's
+ * `handle-inbound-admission.test.ts` and in the full inbound-message
+ * handler integration tests.
+ */
+import { describe, expect,test } from "bun:test";
+
+import type { AdmissionPolicyInput } from "./admission-policy.js";
+import { enforceAdmissionPolicy } from "./admission-policy.js";
+
+function makeInput(overrides: Partial<AdmissionPolicyInput>): AdmissionPolicyInput {
+  return {
+    sourceChannel: "telegram",
+    trustClass: "unknown",
+    memberStatus: undefined,
+    policy: "trusted_contacts",
+    ...overrides,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// §8.1 exempt channels — always admit
+// ---------------------------------------------------------------------------
+
+describe("enforceAdmissionPolicy — exempt channels", () => {
+  test("a2a short-circuits to admitted regardless of policy", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ sourceChannel: "a2a", trustClass: "unknown", policy: "no_one" }),
+    );
+    expect(result.admitted).toBe(true);
+  });
+
+  test("phone is enforced (not exempt): the floor applies", () => {
+    // Voice ingress is wired, so `phone` is no longer exempt — an `unknown`
+    // caller is denied under `no_one`.
+    const result = enforceAdmissionPolicy(
+      makeInput({ sourceChannel: "phone", trustClass: "unknown", policy: "no_one" }),
+    );
+    expect(result.admitted).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// §8 revoked members — denied regardless of policy
+// ---------------------------------------------------------------------------
+
+describe("enforceAdmissionPolicy — revoked member denial", () => {
+  test("revoked member is denied even under `strangers` (most permissive policy)", () => {
+    // Before the §8 fix, a revoked member with trustClass `unknown` (rank 1)
+    // would pass the `strangers` floor (floor 1, rank ≥ floor). The defense-
+    // in-depth short-circuit in this function now denies them regardless.
+    const result = enforceAdmissionPolicy(
+      makeInput({
+        trustClass: "unknown",
+        memberStatus: "revoked",
+        policy: "strangers",
+      }),
+    );
+    expect(result.admitted).toBe(false);
+    if (!result.admitted) {
+      expect(result.reason).toBe("member_revoked");
+      expect(result.shouldChallenge).toBe(false);
+    }
+  });
+
+  test("revoked member is denied under `any_contact`", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({
+        trustClass: "unknown",
+        memberStatus: "revoked",
+        policy: "any_contact",
+      }),
+    );
+    expect(result.admitted).toBe(false);
+    if (!result.admitted) expect(result.reason).toBe("member_revoked");
+  });
+
+  test("revoked member is denied under `trusted_contacts`", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({
+        trustClass: "unknown",
+        memberStatus: "revoked",
+        policy: "trusted_contacts",
+      }),
+    );
+    expect(result.admitted).toBe(false);
+    if (!result.admitted) expect(result.reason).toBe("member_revoked");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// §8 blocked members — denied regardless of policy (existing behavior)
+// ---------------------------------------------------------------------------
+
+describe("enforceAdmissionPolicy — blocked member denial", () => {
+  test("blocked member is denied under `strangers`", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ memberStatus: "blocked", policy: "strangers" }),
+    );
+    expect(result.admitted).toBe(false);
+    if (!result.admitted) expect(result.reason).toBe("member_blocked");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Rank-vs-floor: non-revoked, non-blocked members
+// ---------------------------------------------------------------------------
+
+describe("enforceAdmissionPolicy — rank vs floor", () => {
+  test("guardian admitted under any policy including guardian_only", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ trustClass: "guardian", policy: "guardian_only" }),
+    );
+    expect(result.admitted).toBe(true);
+  });
+
+  test("trusted_contact admitted under trusted_contacts", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ trustClass: "trusted_contact", policy: "trusted_contacts" }),
+    );
+    expect(result.admitted).toBe(true);
+  });
+
+  test("unverified_contact admitted under any_contact floor", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ trustClass: "unverified_contact", policy: "any_contact" }),
+    );
+    expect(result.admitted).toBe(true);
+  });
+
+  test("unknown (non-member) admitted under strangers floor", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ trustClass: "unknown", memberStatus: undefined, policy: "strangers" }),
+    );
+    expect(result.admitted).toBe(true);
+  });
+
+  test("unknown denied under trusted_contacts floor", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ trustClass: "unknown", policy: "trusted_contacts" }),
+    );
+    expect(result.admitted).toBe(false);
+  });
+
+  test("pending member (unverified_contact) admitted under strangers floor", () => {
+    const result = enforceAdmissionPolicy(
+      makeInput({ trustClass: "unverified_contact", memberStatus: "pending", policy: "strangers" }),
+    );
+    expect(result.admitted).toBe(true);
+  });
+});

package/src/runtime/routes/inbound-stages/admission-policy.ts

@@ -0,0 +1,140 @@
+/**
+ * Admission policy enforcement stage.
+ *
+ * Sits between `resolveTrustContext()` and the agent-loop dispatch in
+ * `inbound-message-handler.ts`. The gateway attaches a per-channel-type
+ * floor (`sourceMetadata.admissionPolicy`); this stage compares the floor
+ * to the resolved trust class's rank and either admits or denies.
+ *
+ * Deny semantics — see `wave-b-plan.md` §8.2:
+ *
+ * - `shouldChallenge: true` when the policy is one that re-verification
+ *   could lift past (`any_contact`, `strangers`). The caller fires the
+ *   existing Slack DM / email upgrade UX so the sender knows verification
+ *   would admit them.
+ * - `shouldChallenge: false` for the stricter floors (`guardian_only`,
+ *   `trusted_contacts`). Denials are silent — sender gets the standard
+ *   canned reply; guardian still gets the access-request notification.
+ *
+ * Blocked / revoked members short-circuit to deny regardless of policy.
+ * The gateway kill switch (`no_one`) is enforced before forwarding, so
+ * this stage never sees a `no_one` policy on the wire; we still handle
+ * the value defensively for defense in depth and unit-test reachability.
+ */
+
+import {
+  ADMISSION_FLOOR,
+  type AdmissionPolicy,
+  isAdmissionPolicyExemptChannel,
+} from "@vellumai/gateway-client";
+
+import type { ChannelId } from "../../../channels/types.js";
+import type { ChannelStatus } from "../../../contacts/types.js";
+import {
+  TRUST_CLASS_RANK,
+  type TrustClass,
+} from "../../actor-trust-resolver.js";
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface AdmissionPolicyInput {
+  sourceChannel: ChannelId;
+  trustClass: TrustClass;
+  /**
+   * Channel record status for the resolved member, when one was found.
+   * Blocked/revoked short-circuit to deny regardless of floor.
+   */
+  memberStatus: ChannelStatus | undefined;
+  /** Per-channel-type floor attached by the gateway. */
+  policy: AdmissionPolicy;
+}
+
+export type AdmissionDenyReason =
+  | "member_blocked"
+  | "member_revoked"
+  | `admission_policy_${AdmissionPolicy}`;
+
+export type AdmissionPolicyResult =
+  | { admitted: true }
+  | {
+      admitted: false;
+      reason: AdmissionDenyReason;
+      /**
+       * Whether the runtime should fire the re-verification upgrade UX
+       * (Slack DM / email guardian forwarder). Only meaningful when the
+       * resolved trust class could clear the floor after verification.
+       */
+      shouldChallenge: boolean;
+      /** Effective policy that produced the deny (after override resolution). */
+      effectivePolicy: AdmissionPolicy;
+    };
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Policies under which completing verification could lift the sender past
+ * the floor. Used to decide whether to fire the upgrade UX on deny.
+ * `unverified_contact` (rank 2) reaches `any_contact` (floor 2) and
+ * `strangers` (floor 1); below those, verification still leaves the
+ * sender short of the floor (§8.2).
+ */
+const POLICIES_THAT_COULD_UPGRADE: ReadonlySet<AdmissionPolicy> = new Set([
+  "any_contact",
+  "strangers",
+]);
+
+/**
+ * Enforce the admission policy floor against the resolved trust class.
+ *
+ * Pure function — all I/O happens in the caller. Returns the canned
+ * admit/deny verdict; the caller wires denials into the existing
+ * canned-reply / guardian-notify pipeline used by `acl-enforcement.ts` for
+ * `not_a_member`.
+ */
+export function enforceAdmissionPolicy(
+  input: AdmissionPolicyInput,
+): AdmissionPolicyResult {
+  // §8.1: short-circuit on internal exempt channels. The gateway should
+  // not have attached a policy for these in the first place; this is
+  // defense in depth and keeps the runtime fail-open if the gateway is
+  // ever called from a path that bypasses the kill-switch insertion.
+  if (isAdmissionPolicyExemptChannel(input.sourceChannel)) {
+    return { admitted: true };
+  }
+
+  // Blocked and revoked members never clear admission regardless of floor.
+  // `enforceIngressAcl` already short-circuits on both: blocked always, and
+  // revoked under any policy including `strangers` (§8 fix: revoked is an
+  // explicit governance action, not the same as an unknown stranger). The
+  // checks here are defense-in-depth so unit tests can drive the floor stage
+  // in isolation and a future refactor that reorders stages doesn't silently
+  // admit a blocked/revoked actor.
+  if (input.memberStatus === "blocked" || input.memberStatus === "revoked") {
+    return {
+      admitted: false,
+      reason: input.memberStatus === "blocked" ? "member_blocked" : "member_revoked",
+      shouldChallenge: false,
+      effectivePolicy: input.policy,
+    };
+  }
+
+  const effectivePolicy = input.policy;
+
+  const rank = TRUST_CLASS_RANK[input.trustClass];
+  const floor = ADMISSION_FLOOR[effectivePolicy];
+
+  if (rank >= floor) {
+    return { admitted: true };
+  }
+
+  return {
+    admitted: false,
+    reason: `admission_policy_${effectivePolicy}` as const,
+    shouldChallenge: POLICIES_THAT_COULD_UPGRADE.has(effectivePolicy),
+    effectivePolicy,
+  };
+}

package/src/runtime/routes/inbound-stages/background-dispatch.test.ts

@@ -845,7 +845,7 @@ describe("Slack thinking status timing", () => {
           channel: channelId,
           threadTs,
           status: expect.any(String),
-          loadingMessages: ["Working on it..."],
+          loadingMessages: ["Thinking\u2026"],
         },
       );
       const threadStatus = deliveredChannelReplies[0]!.payload
@@ -948,13 +948,13 @@ describe("Slack thinking status timing", () => {
         channel: channelId,
         threadTs,
         status: expect.any(String),
-        loadingMessages: ["Working on it..."],
+        loadingMessages: ["Thinking\u2026"],
       },
       {
         channel: channelId,
         threadTs,
         status: expect.any(String),
-        loadingMessages: ["Working on it..."],
+        loadingMessages: ["Thinking\u2026"],
       },
       {
         channel: channelId,

package/src/runtime/routes/inbound-stages/background-dispatch.ts

@@ -577,7 +577,7 @@ function createSlackThinkingStatusController(params: {
 }
 
 const SLACK_THINKING_MAX_DURATION_MS = 120_000;
-const SLACK_GENERIC_LOADING_MESSAGES = ["Working on it..."] as const;
+const SLACK_GENERIC_LOADING_MESSAGES = ["Thinking…"] as const;
 const SLACK_THINKING_STATUSES = ["is on it", "is working hard"] as const;
 
 function getRandomSlackThinkingStatus(): string {
@@ -904,10 +904,12 @@ const globalNotifiedApprovalRequestIds = new Map<string, string>();
 
 /**
  * Start a poller that sends a one-shot "waiting for guardian approval" message
- * to the trusted contact when a confirmation_request enters guardian approval
- * wait. Deduplicates by requestId so each request only produces one message.
+ * to the trusted/unverified contact when a confirmation_request enters guardian
+ * approval wait. Deduplicates by requestId so each request only produces one
+ * message.
  *
- * Only activates for trusted-contact actors with a resolvable guardian route.
+ * Only activates for trusted_contact and unverified_contact actors with a
+ * resolvable guardian route.
  */
 function startTrustedContactApprovalNotifier(params: {
   conversationId: string;
@@ -928,8 +930,11 @@ function startTrustedContactApprovalNotifier(params: {
     assistantId,
   } = params;
 
-  // Only notify trusted contacts who have a resolvable guardian route.
-  if (trustClass !== "trusted_contact" || !guardianExternalUserId) {
+  // Only notify identity-known non-guardian contacts (trusted_contact and
+  // unverified_contact) who have a resolvable guardian route.
+  const isIdentityKnownNonGuardian =
+    trustClass === "trusted_contact" || trustClass === "unverified_contact";
+  if (!isIdentityKnownNonGuardian || !guardianExternalUserId) {
     return () => {};
   }
 

package/src/runtime/routes/inbound-stages/escalation-intercept.ts

@@ -11,7 +11,6 @@ import type { ChannelId, InterfaceId } from "../../../channels/types.js";
 import { createCanonicalGuardianRequest } from "../../../memory/canonical-guardian-store.js";
 import { storePayload } from "../../../memory/delivery-crud.js";
 import { emitNotificationSignal } from "../../../notifications/emit-signal.js";
-import type { NotificationSourceChannel } from "../../../notifications/signal.js";
 import { getLogger } from "../../../util/logger.js";
 import { getGuardianBinding } from "../../channel-verification-service.js";
 import { GUARDIAN_APPROVAL_TTL_MS } from "../channel-route-shared.js";
@@ -133,7 +132,7 @@ export function handleEscalationIntercept(
   // channels, supplementing the direct guardian notification below.
   void emitNotificationSignal({
     sourceEventName: "ingress.escalation",
-    sourceChannel: sourceChannel as NotificationSourceChannel,
+    sourceChannel,
     sourceContextId: conversationId,
     attentionHints: {
       requiresAction: true,

package/src/runtime/routes/inbound-stages/guardian-activation-intercept.ts

@@ -11,7 +11,6 @@
 import type { ChannelId } from "../../../channels/types.js";
 import { findGuardianForChannel } from "../../../contacts/contact-store.js";
 import { emitNotificationSignal } from "../../../notifications/emit-signal.js";
-import type { NotificationSourceChannel } from "../../../notifications/signal.js";
 import { getLogger } from "../../../util/logger.js";
 import {
   createOutboundSession,
@@ -164,7 +163,7 @@ export async function handleGuardianActivationIntercept(
   // ── Emit notification signal to deliver code to macOS app ──
   void emitNotificationSignal({
     sourceEventName: "guardian.channel_activation",
-    sourceChannel: sourceChannel as NotificationSourceChannel,
+    sourceChannel,
     sourceContextId: `guardian-activation-${sourceChannel}-${rawSenderId}`,
     attentionHints: {
       requiresAction: true,

package/src/runtime/routes/inbound-stages/guardian-reply-intercept.test.ts

@@ -85,7 +85,7 @@ describe("handleGuardianReplyIntercept", () => {
     deliverChannelReplyCalls = [];
   });
 
-  test("passes empty pendingRequestIds when Slack guardian sends message in non-delivery chat", async () => {
+  test("passes a blocked scope when Slack guardian sends message in non-delivery chat", async () => {
     // No delivery-scoped requests for this chat
     mockDeliveryScopedRequests = [];
     // Identity-based lookup would find a pending request in a different chat
@@ -95,8 +95,8 @@ describe("handleGuardianReplyIntercept", () => {
 
     expect(routeGuardianReplyCalls).toHaveLength(1);
     const ctx = routeGuardianReplyCalls[0] as Record<string, unknown>;
-    // Must be [] (empty array), NOT undefined — blocks identity fallback
-    expect(ctx.pendingRequestIds).toEqual([]);
+    // Must be a blocked scope, NOT undefined — blocks identity fallback
+    expect(ctx.pendingScope).toEqual({ mode: "blocked" });
   });
 
   test("preserves identity fallback for non-Slack channels when no deliveries exist", async () => {
@@ -110,11 +110,11 @@ describe("handleGuardianReplyIntercept", () => {
 
     expect(routeGuardianReplyCalls).toHaveLength(1);
     const ctx = routeGuardianReplyCalls[0] as Record<string, unknown>;
-    // Must be undefined — identity-based fallback stays active
-    expect(ctx.pendingRequestIds).toBeUndefined();
+    // Must be unset — identity-based fallback stays active
+    expect(ctx.pendingScope).toBeUndefined();
   });
 
-  test("includes identity-unioned pendingRequestIds when Slack guardian is in delivery chat", async () => {
+  test("passes an identity-unioned scoped set when Slack guardian is in delivery chat", async () => {
     mockDeliveryScopedRequests = [{ id: "delivered-req" }];
     mockIdentityRequests = [
       { id: "delivered-req" },
@@ -125,7 +125,7 @@ describe("handleGuardianReplyIntercept", () => {
 
     expect(routeGuardianReplyCalls).toHaveLength(1);
     const ctx = routeGuardianReplyCalls[0] as Record<string, unknown>;
-    const ids = ctx.pendingRequestIds as string[];
+    const ids = (ctx.pendingScope as { requestIds: string[] }).requestIds;
     expect(ids).toContain("delivered-req");
     expect(ids).toContain("identity-only-req");
   });