@vellumai/assistant 0.9.1-staging.1 → 0.10.0-staging.2

package/src/runtime/capabilities.test.ts

@@ -0,0 +1,120 @@
+import { describe, expect, test } from "bun:test";
+
+import type { TrustClass } from "./actor-trust-resolver.js";
+import { type CapabilitySet, resolveCapabilities } from "./capabilities.js";
+
+/**
+ * The capability matrix — the single source of truth for what each trust class
+ * may do. If a call site's behavior changes during migration, it changes here
+ * (reviewed in one diff) instead of across the ~40 inline conditionals.
+ */
+const MATRIX: Record<TrustClass, CapabilitySet> = {
+  guardian: {
+    canSelfApproveTools: true,
+    sensitiveToolApproval: "self",
+    canManageSchedules: true,
+    canUseVerificationControlPlane: true,
+    canSelfAuthorizeArchiveBySender: true,
+    canAccessMemory: true,
+    canAccessPrivilegedDocuments: true,
+    canRunUnsandboxedShell: true,
+    mayBeInteractive: true,
+    canActUnderDiskPressureCleanup: true,
+    promptTrustGuidance: "none",
+  },
+  trusted_contact: {
+    canSelfApproveTools: false,
+    sensitiveToolApproval: "escalate-and-wait",
+    canManageSchedules: false,
+    canUseVerificationControlPlane: false,
+    canSelfAuthorizeArchiveBySender: false,
+    canAccessMemory: false,
+    canAccessPrivilegedDocuments: false,
+    canRunUnsandboxedShell: false,
+    mayBeInteractive: true,
+    canActUnderDiskPressureCleanup: false,
+    promptTrustGuidance: "social-engineering-defense",
+  },
+  unverified_contact: {
+    canSelfApproveTools: false,
+    sensitiveToolApproval: "escalate-and-wait",
+    canManageSchedules: false,
+    canUseVerificationControlPlane: false,
+    canSelfAuthorizeArchiveBySender: false,
+    canAccessMemory: false,
+    canAccessPrivilegedDocuments: false,
+    canRunUnsandboxedShell: false,
+    mayBeInteractive: true,
+    canActUnderDiskPressureCleanup: false,
+    promptTrustGuidance: "social-engineering-defense",
+  },
+  unknown: {
+    canSelfApproveTools: false,
+    sensitiveToolApproval: "deny",
+    canManageSchedules: false,
+    canUseVerificationControlPlane: false,
+    canSelfAuthorizeArchiveBySender: false,
+    canAccessMemory: false,
+    canAccessPrivilegedDocuments: false,
+    canRunUnsandboxedShell: false,
+    mayBeInteractive: false,
+    canActUnderDiskPressureCleanup: false,
+    promptTrustGuidance: "stranger-warning",
+  },
+};
+
+describe("resolveCapabilities", () => {
+  for (const trustClass of Object.keys(MATRIX) as TrustClass[]) {
+    test(`resolves the full capability set for "${trustClass}"`, () => {
+      expect(resolveCapabilities(trustClass)).toEqual(MATRIX[trustClass]);
+    });
+  }
+
+  test("undefined fail-closes to the `unknown` capability set", () => {
+    expect(resolveCapabilities(undefined)).toEqual(MATRIX.unknown);
+  });
+
+  test("an unrecognized/legacy string fail-closes to the `unknown` capability set", () => {
+    expect(resolveCapabilities("non_guardian")).toEqual(MATRIX.unknown);
+    expect(resolveCapabilities("some_future_role")).toEqual(MATRIX.unknown);
+  });
+
+  test("inherited Object.prototype keys fail-closed (no prototype read)", () => {
+    for (const key of [
+      "__proto__",
+      "constructor",
+      "toString",
+      "hasOwnProperty",
+    ]) {
+      expect(resolveCapabilities(key)).toEqual(MATRIX.unknown);
+    }
+  });
+
+  test("unverified_contact is byte-for-byte identical to trusted_contact (admission-only distinction)", () => {
+    expect(resolveCapabilities("unverified_contact")).toEqual(
+      resolveCapabilities("trusted_contact"),
+    );
+  });
+
+  test("only guardian self-approves; only guardian/contacts may be interactive", () => {
+    expect(resolveCapabilities("guardian").canSelfApproveTools).toBe(true);
+    expect(resolveCapabilities("trusted_contact").canSelfApproveTools).toBe(
+      false,
+    );
+
+    expect(resolveCapabilities("guardian").mayBeInteractive).toBe(true);
+    expect(resolveCapabilities("trusted_contact").mayBeInteractive).toBe(true);
+    expect(resolveCapabilities("unverified_contact").mayBeInteractive).toBe(
+      true,
+    );
+    expect(resolveCapabilities("unknown").mayBeInteractive).toBe(false);
+  });
+
+  test("sensitive tool approval is graded across the three tiers", () => {
+    expect(resolveCapabilities("guardian").sensitiveToolApproval).toBe("self");
+    expect(resolveCapabilities("trusted_contact").sensitiveToolApproval).toBe(
+      "escalate-and-wait",
+    );
+    expect(resolveCapabilities("unknown").sensitiveToolApproval).toBe("deny");
+  });
+});

package/src/runtime/capabilities.ts

@@ -0,0 +1,197 @@
+/**
+ * Trust capabilities — what an actor may do once admitted.
+ *
+ * Separates *what an actor can do* (capabilities/permissions) from *who the
+ * actor is* (`TrustClass`, their role/level). The ~40+ decision sites
+ * read a named capability instead of re-deriving permissions inline from the
+ * This resolves the class to a named capability set in one place so call sites
+ * read a capability instead of re-deriving it.
+ *
+ * Stateless / derive-on-read: capabilities are derived from the already-resolved
+ * (and already-persisted) `trustClass` at point of use. Nothing here is stored;
+ * `trustClass` remains the persisted field in retry payloads, the journal store,
+ * and conversation CRUD.
+ *
+ * Admission is a SEPARATE axis: `TRUST_CLASS_RANK` vs `ADMISSION_FLOOR`
+ * ("who gets in the door") is intentionally not modeled here. `CapabilitySet`
+ * is the "what they may do once inside" axis.
+ *
+ * Context-dependent decisions (interactivity routing, self-approval races,
+ * channel-specific overrides) COMPOSE these primitives with runtime context.
+ * They are not encoded in the table; named composition helpers live in
+ * `effective-capabilities.ts` (and `resolveRoutingState` in
+ * `trust-context-resolver.ts`).
+ */
+
+import type { TrustClass } from "./actor-trust-resolver.js";
+
+/**
+ * Outcome when an actor invokes a tool that requires guardian approval.
+ * - `self`: the actor self-approves (guardian).
+ * - `escalate-and-wait`: route to the guardian and wait inline for a grant.
+ * - `deny`: fail-closed, no escalation or wait.
+ */
+export type SensitiveToolApproval = "self" | "escalate-and-wait" | "deny";
+
+/**
+ * Which trust-guidance block to inject into the model prompt. The capability
+ * layer owns the *selector*; the prompt layer owns the copy for each value.
+ */
+export type PromptTrustGuidance =
+  | "none"
+  | "social-engineering-defense"
+  | "stranger-warning";
+
+/**
+ * What an actor may do once admitted, derived purely from their trust class.
+ */
+export interface CapabilitySet {
+  // --- Tool approval mechanism ---
+  /**
+   * Auto-approves *ordinary* tool calls (e.g. background/platform-hosted bash)
+   * and honors the actor's own pending-confirmation callback. The
+   * sensitive/guardian-required tool path is governed separately by
+   * `sensitiveToolApproval`; the two are independent levers.
+   */
+  canSelfApproveTools: boolean;
+  /** Outcome when a guardian-approval-required (sensitive) tool is invoked. */
+  sensitiveToolApproval: SensitiveToolApproval;
+
+  // --- Privileged tool gates ---
+  /** May create/update schedules. */
+  canManageSchedules: boolean;
+  /** May use verification control-plane tools. */
+  canUseVerificationControlPlane: boolean;
+  /**
+   * May treat its own `user_approved` flag as sufficient authorization to
+   * archive-by-sender. Non-guardians can still archive by sender, but must be
+   * authorized via surface action, task, or explicit prompt approval instead.
+   */
+  canSelfAuthorizeArchiveBySender: boolean;
+
+  // --- Data & memory ---
+  /**
+   * May access long-term / cross-conversation memory — both the memory *tools*
+   * (recall, auto-analysis, retrospection, graph extraction) and *visibility*
+   * of cross-conversation history in assembled context. Untrusted actors are
+   * walled off from both.
+   */
+  canAccessMemory: boolean;
+  /**
+   * May perform privileged (non-conversation-scoped) document operations from
+   * trust class alone. The effective decision also honors privileged channels —
+   * see `canActOnPrivilegedDocuments` in `effective-capabilities.ts`.
+   */
+  canAccessPrivilegedDocuments: boolean;
+
+  // --- Execution environment ---
+  /**
+   * May run the shell WITHOUT the untrusted sandbox / CES lockdown (no
+   * `VELLUM_UNTRUSTED_SHELL`, no credential-secrecy confinement).
+   */
+  canRunUnsandboxedShell: boolean;
+
+  // --- Interactivity & resource ---
+  /**
+   * Trust class alone permits interactive guardian-approval waits. Composed
+   * downstream with `guardianRouteResolvable` to derive `promptWaitingAllowed`
+   * (see `resolveRoutingState`).
+   */
+  mayBeInteractive: boolean;
+  /** May trigger cleanup-mode operations under disk pressure. */
+  canActUnderDiskPressureCleanup: boolean;
+
+  // --- Prompt shaping ---
+  /** Which trust-guidance block to inject into the model prompt. */
+  promptTrustGuidance: PromptTrustGuidance;
+}
+
+/**
+ * Guardian: full control-plane access, self-approves tools.
+ */
+const GUARDIAN_CAPABILITIES: CapabilitySet = {
+  canSelfApproveTools: true,
+  sensitiveToolApproval: "self",
+  canManageSchedules: true,
+  canUseVerificationControlPlane: true,
+  canSelfAuthorizeArchiveBySender: true,
+  canAccessMemory: true,
+  canAccessPrivilegedDocuments: true,
+  canRunUnsandboxedShell: true,
+  mayBeInteractive: true,
+  canActUnderDiskPressureCleanup: true,
+  promptTrustGuidance: "none",
+};
+
+/**
+ * Trusted / unverified contacts: may invoke tools but escalate sensitive ones
+ * to the guardian; no privileged data access; sandboxed execution.
+ *
+ * `trusted_contact` and `unverified_contact` are deliberately identical here —
+ * the distinction is admission-only (see `actor-trust-resolver.ts`). The matrix
+ * test pins this invariant.
+ */
+const CONTACT_CAPABILITIES: CapabilitySet = {
+  canSelfApproveTools: false,
+  sensitiveToolApproval: "escalate-and-wait",
+  canManageSchedules: false,
+  canUseVerificationControlPlane: false,
+  canSelfAuthorizeArchiveBySender: false,
+  canAccessMemory: false,
+  canAccessPrivilegedDocuments: false,
+  canRunUnsandboxedShell: false,
+  mayBeInteractive: true,
+  canActUnderDiskPressureCleanup: false,
+  promptTrustGuidance: "social-engineering-defense",
+};
+
+/**
+ * Unknown actors: fail-closed. No escalation, no interactivity, treated as a
+ * potential stranger in the prompt.
+ */
+const UNKNOWN_CAPABILITIES: CapabilitySet = {
+  canSelfApproveTools: false,
+  sensitiveToolApproval: "deny",
+  canManageSchedules: false,
+  canUseVerificationControlPlane: false,
+  canSelfAuthorizeArchiveBySender: false,
+  canAccessMemory: false,
+  canAccessPrivilegedDocuments: false,
+  canRunUnsandboxedShell: false,
+  mayBeInteractive: false,
+  canActUnderDiskPressureCleanup: false,
+  promptTrustGuidance: "stranger-warning",
+};
+
+const CAPABILITIES_BY_CLASS: Record<TrustClass, CapabilitySet> = {
+  guardian: GUARDIAN_CAPABILITIES,
+  trusted_contact: CONTACT_CAPABILITIES,
+  unverified_contact: CONTACT_CAPABILITIES,
+  unknown: UNKNOWN_CAPABILITIES,
+};
+
+/**
+ * Resolve the capability set for a trust class. Pure and stateless.
+ *
+ * This is the single fail-closed trust boundary: any value that is not a
+ * recognized `TrustClass` — including `undefined` and legacy/persisted strings
+ * (e.g. `"non_guardian"`) — resolves to the `unknown` capability set. Callers
+ * pass their raw trust value directly; they never re-derive "is this a known
+ * class?" at the call site. The `(string & {})` member keeps autocomplete for
+ * the known classes while still accepting an arbitrary string.
+ *
+ * The lookup uses an own-property check so raw values that name inherited
+ * members (`"__proto__"`, `"constructor"`, `"toString"`) fail closed to the
+ * `unknown` set rather than reading off `Object.prototype`.
+ */
+export function resolveCapabilities(
+  trustClass: TrustClass | (string & {}) | undefined,
+): CapabilitySet {
+  if (
+    trustClass != null &&
+    Object.prototype.hasOwnProperty.call(CAPABILITIES_BY_CLASS, trustClass)
+  ) {
+    return CAPABILITIES_BY_CLASS[trustClass as TrustClass];
+  }
+  return UNKNOWN_CAPABILITIES;
+}

package/src/runtime/channel-approval-types.ts

@@ -12,12 +12,16 @@ import type { ApprovalActionOption } from "@vellumai/gateway-client";
 
 import type { GuardianDecisionAction } from "./guardian-decision-types.js";
 
-// Re-export shared wire types so existing daemon imports keep working.
 export type {
   ApprovalActionOption,
   ApprovalUIMetadata,
   PermissionRequestDetails,
 } from "@vellumai/gateway-client";
+// Re-export shared wire types + schemas so existing daemon imports keep working.
+export {
+  ApprovalUIMetadataSchema,
+  PermissionRequestDetailsSchema,
+} from "@vellumai/gateway-client";
 
 // ---------------------------------------------------------------------------
 // Approval actions (daemon-internal)

package/src/runtime/channel-retry-sweep.ts

@@ -52,6 +52,7 @@ function parseTrustRuntimeContext(value: unknown): TrustContext | undefined {
   if (
     trustClass !== "guardian" &&
     trustClass !== "trusted_contact" &&
+    trustClass !== "unverified_contact" &&
     trustClass !== "unknown"
   ) {
     return undefined;

package/src/runtime/channel-verification-service.ts

@@ -333,8 +333,7 @@ export function getGuardianBinding(
       id: result.channel.id,
       assistantId,
       channel,
-      guardianExternalUserId:
-        result.channel.externalUserId ?? result.channel.address ?? "",
+      guardianExternalUserId: result.channel.address,
       guardianDeliveryChatId: result.channel.externalChatId ?? "",
       guardianPrincipalId: result.contact.principalId ?? "",
       status: "active" as const,

package/src/runtime/client-health.ts

@@ -0,0 +1,26 @@
+/**
+ * Health heuristics for connected SSE clients.
+ */
+
+/** Keep-alive comment sent to idle clients every 7 s by default. */
+export const DEFAULT_HEARTBEAT_INTERVAL_MS = 7_000;
+
+/**
+ * Whether a client looks degraded: its last heartbeat (`lastActiveAt`) is
+ * stale by more than two heartbeat intervals. This surfaces a
+ * registered-but-not-heartbeating connection — the symptom of a flapping
+ * extension SSE stream — whether it never heartbeated or heartbeated and
+ * then froze. A healthy client (fresh or actively heartbeating) has a
+ * recent `lastActiveAt` and is not flagged.
+ *
+ * Limitation: a just-reconnected flapping client has a fresh
+ * `lastActiveAt` and looks healthy in a single snapshot — this is
+ * best-effort visibility, not a liveness guarantee.
+ */
+export function isClientDegraded(
+  lastActiveAt: Date,
+  now: Date,
+  heartbeatIntervalMs: number,
+): boolean {
+  return now.getTime() - lastActiveAt.getTime() > 2 * heartbeatIntervalMs;
+}

package/src/runtime/confirmation-request-guardian-bridge.ts

@@ -13,15 +13,16 @@
  */
 
 import type { TrustContext } from "../daemon/trust-context.js";
+import type { CanonicalGuardianRequest } from "../memory/canonical-guardian-store.js";
 import {
-  type CanonicalGuardianRequest,
-  createCanonicalGuardianDelivery,
-} from "../memory/canonical-guardian-store.js";
+  recordApprovalCardDelivery,
+  recordGuardianRequestDeliveries,
+} from "../notifications/canonical-delivery-recorder.js";
 import { emitNotificationSignal } from "../notifications/emit-signal.js";
-import type { NotificationSourceChannel } from "../notifications/signal.js";
 import { canonicalizeInboundIdentity } from "../util/canonicalize-identity.js";
 import { getLogger } from "../util/logger.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "./assistant-scope.js";
+import { resolveCapabilities } from "./capabilities.js";
 import { getGuardianBinding } from "./channel-verification-service.js";
 
 const log = getLogger("confirmation-request-guardian-bridge");
@@ -48,7 +49,7 @@ export type BridgeConfirmationRequestResult =
   | {
       skipped: true;
       reason:
-        | "not_trusted_contact"
+        | "not_bridgeable_trust_class"
         | "no_guardian_binding"
         | "missing_guardian_identity"
         | "binding_identity_mismatch";
@@ -59,11 +60,13 @@ export type BridgeConfirmationRequestResult =
 // ---------------------------------------------------------------------------
 
 /**
- * Bridge a trusted-contact confirmation_request to a guardian.question notification.
+ * Bridge a non-guardian contact confirmation_request to a guardian.question
+ * notification.
  *
- * Only emits when the session belongs to a trusted-contact actor with a
- * resolvable guardian binding. Guardian and unknown actors are skipped — guardians
- * self-approve, and unknown actors are already fail-closed by the routing layer.
+ * Only emits when the session belongs to a trusted_contact or unverified_contact
+ * actor with a resolvable guardian binding. Guardian and unknown actors are
+ * skipped — guardians self-approve, and unknown actors are already fail-closed
+ * by the routing layer.
  *
  * Fire-and-forget safe: notification emission errors are logged but not propagated.
  */
@@ -78,10 +81,14 @@ export function bridgeConfirmationRequestToGuardian(
     assistantId = DAEMON_INTERNAL_ASSISTANT_ID,
   } = params;
 
-  // Only bridge for trusted-contact sessions. Guardians self-approve and
-  // unknown actors are fail-closed by the routing layer.
-  if (trustContext.trustClass !== "trusted_contact") {
-    return { skipped: true, reason: "not_trusted_contact" };
+  // Only bridge for actors whose sensitive tool approval escalates-and-waits.
+  // Guardians self-approve and unknown actors are fail-closed by the routing
+  // layer, so neither needs a guardian bridge.
+  if (
+    resolveCapabilities(trustContext.trustClass).sensitiveToolApproval !==
+    "escalate-and-wait"
+  ) {
+    return { skipped: true, reason: "not_bridgeable_trust_class" };
   }
 
   if (!trustContext.guardianExternalUserId) {
@@ -144,10 +151,14 @@ export function bridgeConfirmationRequestToGuardian(
     ? `Approve tool: ${toolName} — ${canonicalRequest.activityText}`
     : `Approve tool: ${toolName}`;
 
+  // The vellum delivery row is created up front in onConversationCreated so the
+  // in-app client sees it immediately; the post-resolve recorder reuses it.
+  let vellumDeliveryId: string | undefined;
+
   // Emit guardian.question notification so the guardian is alerted.
   const signalPromise = emitNotificationSignal({
     sourceEventName: "guardian.question",
-    sourceChannel: sourceChannel as NotificationSourceChannel,
+    sourceChannel,
     sourceContextId: conversationId,
     requiresConversation: true,
     attentionHints: {
@@ -157,7 +168,7 @@ export function bridgeConfirmationRequestToGuardian(
       visibleInSourceNow: false,
     },
     contextPayload: {
-      requestKind: "tool_approval" as const,
+      requestKind: "tool_approval",
       requestId: canonicalRequest.id,
       requestCode:
         canonicalRequest.requestCode ??
@@ -168,29 +179,27 @@ export function bridgeConfirmationRequestToGuardian(
       requesterIdentifier: senderLabel,
       toolName,
       questionText,
+      riskLevel: canonicalRequest.riskLevel ?? undefined,
+      commandPreview: canonicalRequest.commandPreview ?? undefined,
     },
     dedupeKey: `tc-confirmation-request:${canonicalRequest.id}`,
     onConversationCreated: (info) => {
-      createCanonicalGuardianDelivery({
+      vellumDeliveryId = recordApprovalCardDelivery({
         requestId: canonicalRequest.id,
-        destinationChannel: "vellum",
-        destinationConversationId: info.conversationId,
-      });
+        channel: "vellum",
+        conversationId: info.conversationId,
+      })?.id;
     },
   });
 
-  // Record channel deliveries from the notification pipeline (fire-and-forget).
+  // Record deliveries from the notification pipeline (fire-and-forget).
   void signalPromise
     .then((signalResult) => {
-      for (const result of signalResult.deliveryResults) {
-        if (result.channel === "vellum") continue; // handled in onConversationCreated
-        createCanonicalGuardianDelivery({
-          requestId: canonicalRequest.id,
-          destinationChannel: result.channel,
-          destinationChatId:
-            result.destination.length > 0 ? result.destination : undefined,
-        });
-      }
+      recordGuardianRequestDeliveries({
+        requestId: canonicalRequest.id,
+        deliveryResults: signalResult.deliveryResults,
+        vellumDeliveryId,
+      });
     })
     .catch((err) => {
       log.warn(

package/src/runtime/effective-capabilities.test.ts

@@ -0,0 +1,128 @@
+import { describe, expect, test } from "bun:test";
+
+import {
+  canActOnPrivilegedDocuments,
+  isArchiveBySenderAuthorized,
+  isUntrustedShellLockdownActive,
+} from "./effective-capabilities.js";
+
+describe("canActOnPrivilegedDocuments", () => {
+  test("guardian is privileged regardless of channel", () => {
+    expect(canActOnPrivilegedDocuments({ trustClass: "guardian" })).toBe(true);
+    expect(
+      canActOnPrivilegedDocuments({
+        trustClass: "guardian",
+        executionChannel: "telegram",
+      }),
+    ).toBe(true);
+  });
+
+  test("non-guardian is privileged only on a privileged channel", () => {
+    expect(
+      canActOnPrivilegedDocuments({
+        trustClass: "trusted_contact",
+        executionChannel: "telegram",
+      }),
+    ).toBe(false);
+    expect(
+      canActOnPrivilegedDocuments({
+        trustClass: "trusted_contact",
+        executionChannel: "vellum",
+      }),
+    ).toBe(true);
+  });
+
+  test("the vellum channel grants access even to unknown actors", () => {
+    expect(
+      canActOnPrivilegedDocuments({
+        trustClass: "unknown",
+        executionChannel: "vellum",
+      }),
+    ).toBe(true);
+    expect(canActOnPrivilegedDocuments({ trustClass: "unknown" })).toBe(false);
+  });
+});
+
+describe("isUntrustedShellLockdownActive", () => {
+  test("inactive when the lockdown flag is off", () => {
+    expect(
+      isUntrustedShellLockdownActive({
+        trustClass: "unknown",
+        lockdownEnabled: false,
+      }),
+    ).toBe(false);
+  });
+
+  test("inactive for guardians even when the flag is on", () => {
+    expect(
+      isUntrustedShellLockdownActive({
+        trustClass: "guardian",
+        lockdownEnabled: true,
+      }),
+    ).toBe(false);
+  });
+
+  test("active for non-unsandboxed actors when the flag is on", () => {
+    expect(
+      isUntrustedShellLockdownActive({
+        trustClass: "trusted_contact",
+        lockdownEnabled: true,
+      }),
+    ).toBe(true);
+    expect(
+      isUntrustedShellLockdownActive({
+        trustClass: "unknown",
+        lockdownEnabled: true,
+      }),
+    ).toBe(true);
+  });
+});
+
+describe("isArchiveBySenderAuthorized", () => {
+  test("any non-self authorization path suffices", () => {
+    expect(
+      isArchiveBySenderAuthorized({
+        trustClass: "unknown",
+        triggeredBySurfaceAction: true,
+      }),
+    ).toBe(true);
+    expect(
+      isArchiveBySenderAuthorized({
+        trustClass: "unknown",
+        batchAuthorizedByTask: true,
+      }),
+    ).toBe(true);
+    expect(
+      isArchiveBySenderAuthorized({
+        trustClass: "unknown",
+        approvedViaPrompt: true,
+      }),
+    ).toBe(true);
+  });
+
+  test("user_approved self-authorizes only for a permitted trust class", () => {
+    expect(
+      isArchiveBySenderAuthorized({
+        trustClass: "guardian",
+        userApproved: true,
+      }),
+    ).toBe(true);
+    expect(
+      isArchiveBySenderAuthorized({
+        trustClass: "trusted_contact",
+        userApproved: true,
+      }),
+    ).toBe(false);
+  });
+
+  test("unauthorized when no path applies", () => {
+    expect(isArchiveBySenderAuthorized({ trustClass: "guardian" })).toBe(false);
+    expect(
+      isArchiveBySenderAuthorized({
+        trustClass: "trusted_contact",
+        triggeredBySurfaceAction: false,
+        userApproved: false,
+      }),
+    ).toBe(false);
+  });
+});