@vellumai/assistant 0.9.1-staging.1 → 0.10.0-staging.2

package/src/__tests__/dynamic-page-surface.test.ts

@@ -151,6 +151,57 @@ describe("ui_show dynamic_page app substitute guard", () => {
     expect(proxied).toBe(false);
   });
 
+  test("redirects a weak open model to a declarative surface, not 'resend HTML'", async () => {
+    let proxied = false;
+
+    const result = await uiShowTool.execute(
+      {
+        surface_type: "dynamic_page",
+        title: "Fable 5 vs MiniMax M3",
+        data: {},
+      },
+      {
+        conversationId: "conversation-123",
+        workingDir: "/tmp",
+        trustClass: "guardian",
+        attribution: {
+          resolvedModel: "accounts/fireworks/models/minimax-m3",
+        } as never,
+        proxyToolResolver: async () => {
+          proxied = true;
+          return { content: "proxied", isError: false };
+        },
+      },
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('surface_type: "table"');
+    expect(result.content).toContain("work_result");
+    expect(result.content).not.toContain("Resend ui_show with the full HTML");
+    expect(proxied).toBe(false);
+  });
+
+  test("keeps the resend-HTML hint for a capable model", async () => {
+    const result = await uiShowTool.execute(
+      {
+        surface_type: "dynamic_page",
+        title: "Fable 5 vs MiniMax M3",
+        data: {},
+      },
+      {
+        conversationId: "conversation-123",
+        workingDir: "/tmp",
+        trustClass: "guardian",
+        attribution: { resolvedModel: "claude-opus-4-8" } as never,
+        proxyToolResolver: async () => ({ content: "proxied", isError: false }),
+      },
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain("Resend ui_show with the full HTML");
+    expect(result.content).not.toContain('surface_type: "table"');
+  });
+
   test("rejects dynamic_page with whitespace-only html and does not proxy", async () => {
     let proxied = false;
 

package/src/__tests__/gateway-flag-listener.test.ts

@@ -25,12 +25,14 @@ mock.module("../ipc/socket-path.js", () => ({
 // Track calls to refreshOverridesFromGateway
 // ---------------------------------------------------------------------------
 let refreshCallCount = 0;
+let refreshReturnsLoaded = true;
 
 mock.module("../config/assistant-feature-flags.js", () => ({
   refreshOverridesFromGateway: async () => {
     refreshCallCount++;
+    return refreshReturnsLoaded;
   },
-  initFeatureFlagOverrides: async () => {},
+  initFeatureFlagOverrides: async () => true,
   clearFeatureFlagOverridesCache: () => {},
   isAssistantFeatureFlagEnabled: () => true,
 }));
@@ -60,6 +62,32 @@ mock.module("../tools/registry.js", () => ({
   },
 }));
 
+// ---------------------------------------------------------------------------
+// Track reconcileFlagGatedProfiles calls and let each test control whether it
+// reports a config change, so we can assert the listener broadcasts only when
+// the managed profile set actually changes.
+// ---------------------------------------------------------------------------
+let reconcileCallCount = 0;
+let reconcileReturns = false;
+
+mock.module("../config/sync-gated-profiles.js", () => ({
+  reconcileFlagGatedProfiles: () => {
+    reconcileCallCount++;
+    return reconcileReturns;
+  },
+}));
+
+// ---------------------------------------------------------------------------
+// Track publishConfigChanged so we can assert the picker-refresh broadcast.
+// ---------------------------------------------------------------------------
+let configChangedCount = 0;
+
+mock.module("../runtime/sync/resource-sync-events.js", () => ({
+  publishConfigChanged: () => {
+    configChangedCount++;
+  },
+}));
+
 // ---------------------------------------------------------------------------
 // Dynamic imports (after mock.module)
 // ---------------------------------------------------------------------------
@@ -115,8 +143,12 @@ describe("gateway-flag-listener", () => {
   beforeEach(() => {
     mkdirSync(testRoot, { recursive: true });
     refreshCallCount = 0;
+    refreshReturnsLoaded = true;
     syncToolsCallCount = 0;
     publishedTagSets = [];
+    reconcileCallCount = 0;
+    reconcileReturns = false;
+    configChangedCount = 0;
     testServer = createTestServer();
   });
 
@@ -180,6 +212,83 @@ describe("gateway-flag-listener", () => {
     ]);
   });
 
+  test("reconciles flag-gated profiles and broadcasts config_changed when the profile set changes", async () => {
+    reconcileReturns = true;
+    await new Promise<void>((resolve) => {
+      testServer.server.listen(socketPath, resolve);
+    });
+
+    startGatewayFlagListener();
+    await testServer.waitForClient();
+    await new Promise((r) => setTimeout(r, 100));
+
+    // Connect path reconciles once and, since it reports a change, broadcasts.
+    expect(reconcileCallCount).toBe(1);
+    expect(configChangedCount).toBe(1);
+
+    testServer.emit("feature_flags_changed");
+    await new Promise((r) => setTimeout(r, 100));
+
+    expect(reconcileCallCount).toBe(2);
+    expect(configChangedCount).toBe(2);
+  });
+
+  test("reconciles but does not broadcast config_changed when the profile set is unchanged", async () => {
+    reconcileReturns = false;
+    await new Promise<void>((resolve) => {
+      testServer.server.listen(socketPath, resolve);
+    });
+
+    startGatewayFlagListener();
+    await testServer.waitForClient();
+    await new Promise((r) => setTimeout(r, 100));
+
+    testServer.emit("feature_flags_changed");
+    await new Promise((r) => setTimeout(r, 100));
+
+    expect(reconcileCallCount).toBeGreaterThanOrEqual(2);
+    expect(configChangedCount).toBe(0);
+  });
+
+  test("does not reconcile profiles when the refresh reports flags did not load", async () => {
+    reconcileReturns = true;
+    refreshReturnsLoaded = false;
+    await new Promise<void>((resolve) => {
+      testServer.server.listen(socketPath, resolve);
+    });
+
+    startGatewayFlagListener();
+    await testServer.waitForClient();
+    await new Promise((r) => setTimeout(r, 100));
+
+    // Tool sync stays unconditional; the profile reconcile/broadcast are gated.
+    expect(syncToolsCallCount).toBe(1);
+    expect(reconcileCallCount).toBe(0);
+    expect(configChangedCount).toBe(0);
+
+    testServer.emit("feature_flags_changed");
+    await new Promise((r) => setTimeout(r, 100));
+
+    expect(syncToolsCallCount).toBe(2);
+    expect(reconcileCallCount).toBe(0);
+    expect(configChangedCount).toBe(0);
+  });
+
+  test("reconciles profiles when the refresh reports flags loaded", async () => {
+    reconcileReturns = true;
+    refreshReturnsLoaded = true;
+    await new Promise<void>((resolve) => {
+      testServer.server.listen(socketPath, resolve);
+    });
+
+    startGatewayFlagListener();
+    await testServer.waitForClient();
+    await new Promise((r) => setTimeout(r, 100));
+
+    expect(reconcileCallCount).toBe(1);
+    expect(configChangedCount).toBe(1);
+  });
+
   test("ignores non-flag events", async () => {
     await new Promise<void>((resolve) => {
       testServer.server.listen(socketPath, resolve);

package/src/__tests__/guardian-binding-drift-heal.test.ts

@@ -44,7 +44,7 @@ describe("healGuardianBindingDrift", () => {
     const guardian = findGuardianForChannel("vellum");
     expect(guardian).not.toBeNull();
     expect(guardian!.contact.principalId).toBe("vellum-principal-old-uuid");
-    expect(guardian!.channel.externalUserId).toBe("vellum-principal-old-uuid");
+    expect(guardian!.channel.address).toBe("vellum-principal-old-uuid");
   });
 
   test("no-op when principals already match", () => {

package/src/__tests__/guardian-card-withdrawal.test.ts

@@ -0,0 +1,403 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+  truncateForLog: (value: string) => value,
+}));
+
+const completeSurfaceAndNotify = mock(() => {});
+mock.module("../daemon/conversation-surfaces.js", () => ({
+  completeSurfaceAndNotify,
+}));
+
+const withdrawSlackApprovalCard = mock(
+  async (_params: Record<string, unknown>) => {},
+);
+mock.module("../messaging/providers/slack/withdraw.js", () => ({
+  withdrawSlackApprovalCard,
+}));
+
+import { withdrawGuardianRequestCards } from "../approvals/guardian-card-withdrawal.js";
+import {
+  type CanonicalGuardianRequest,
+  createCanonicalGuardianDelivery,
+  createCanonicalGuardianRequest,
+  getPendingCanonicalRequestByDestinationMessage,
+  listCanonicalGuardianDeliveries,
+} from "../memory/canonical-guardian-store.js";
+import { getDb } from "../memory/db-connection.js";
+import { initializeDb } from "../memory/db-init.js";
+import {
+  recordApprovalCardDelivery,
+  recordGuardianRequestDeliveries,
+} from "../notifications/canonical-delivery-recorder.js";
+
+initializeDb();
+
+const PRINCIPAL_ID = "withdrawal-test-principal";
+
+function resetTables(): void {
+  const db = getDb();
+  db.run("DELETE FROM canonical_guardian_deliveries");
+  db.run("DELETE FROM canonical_guardian_requests");
+}
+
+function makeRequest(
+  overrides: Partial<Parameters<typeof createCanonicalGuardianRequest>[0]> = {},
+): CanonicalGuardianRequest {
+  return createCanonicalGuardianRequest({
+    kind: "access_request",
+    sourceType: "channel",
+    sourceChannel: "slack",
+    guardianPrincipalId: PRINCIPAL_ID,
+    ...overrides,
+  });
+}
+
+describe("withdrawGuardianRequestCards", () => {
+  beforeEach(() => {
+    resetTables();
+    completeSurfaceAndNotify.mockClear();
+    withdrawSlackApprovalCard.mockClear();
+  });
+
+  test("withdraws + broadcasts the in-app card when the decision came from another surface", async () => {
+    const req = makeRequest();
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "vellum",
+      destinationConversationId: "conv-1",
+    });
+
+    await withdrawGuardianRequestCards({
+      request: req,
+      status: "approved",
+      originChannel: "slack",
+    });
+
+    expect(completeSurfaceAndNotify).toHaveBeenCalledTimes(1);
+    expect(completeSurfaceAndNotify).toHaveBeenCalledWith(
+      "conv-1",
+      `access-request-${req.id}`,
+      "Approved",
+    );
+  });
+
+  test("skips the in-app card when the decision originated in-app", async () => {
+    const req = makeRequest();
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "vellum",
+      destinationConversationId: "conv-1",
+    });
+
+    await withdrawGuardianRequestCards({
+      request: req,
+      status: "approved",
+      originChannel: "vellum",
+    });
+
+    // The acting in-app client already completed its own card optimistically.
+    expect(completeSurfaceAndNotify).not.toHaveBeenCalled();
+  });
+
+  test("withdraws the Slack card with decider and decision time", async () => {
+    const req = makeRequest({ decidedByExternalUserId: "U-guardian" });
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "slack",
+      destinationChatId: "C123",
+      destinationMessageId: "1700000000.0001",
+    });
+
+    await withdrawGuardianRequestCards({
+      request: req,
+      status: "denied",
+      originChannel: "vellum",
+    });
+
+    expect(withdrawSlackApprovalCard).toHaveBeenCalledTimes(1);
+    const [params] = withdrawSlackApprovalCard.mock.calls[0];
+    expect(params).toMatchObject({
+      channel: "C123",
+      messageTs: "1700000000.0001",
+      status: "denied",
+      decidedByExternalUserId: "U-guardian",
+    });
+    expect(typeof (params as { decidedAtMs?: number }).decidedAtMs).toBe(
+      "number",
+    );
+  });
+
+  test("skips the Slack edit when no channel message id was captured", async () => {
+    const req = makeRequest();
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "slack",
+      destinationChatId: "C123",
+    });
+
+    await withdrawGuardianRequestCards({ request: req, status: "approved" });
+
+    expect(withdrawSlackApprovalCard).not.toHaveBeenCalled();
+  });
+
+  test("withdraws every surface (including in-app broadcast) when no origin channel", async () => {
+    const req = makeRequest();
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "vellum",
+      destinationConversationId: "conv-1",
+    });
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "slack",
+      destinationChatId: "C1",
+      destinationMessageId: "1.0",
+    });
+
+    await withdrawGuardianRequestCards({ request: req, status: "expired" });
+
+    expect(completeSurfaceAndNotify).toHaveBeenCalledWith(
+      "conv-1",
+      `access-request-${req.id}`,
+      "Expired",
+    );
+    expect(withdrawSlackApprovalCard).toHaveBeenCalledTimes(1);
+  });
+
+  test("ignores channels without in-place edit support (telegram)", async () => {
+    const req = makeRequest({ sourceChannel: "telegram" });
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "telegram",
+      destinationChatId: "T1",
+      destinationMessageId: "9",
+    });
+
+    await withdrawGuardianRequestCards({ request: req, status: "approved" });
+
+    expect(withdrawSlackApprovalCard).not.toHaveBeenCalled();
+    expect(completeSurfaceAndNotify).not.toHaveBeenCalled();
+  });
+
+  test("is best-effort: a failing surface never blocks the others or throws", async () => {
+    withdrawSlackApprovalCard.mockImplementationOnce(async () => {
+      throw new Error("slack unavailable");
+    });
+    const req = makeRequest();
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "slack",
+      destinationChatId: "C1",
+      destinationMessageId: "1.0",
+    });
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "vellum",
+      destinationConversationId: "conv-1",
+    });
+
+    await expect(
+      withdrawGuardianRequestCards({
+        request: req,
+        status: "approved",
+        originChannel: "telegram",
+      }),
+    ).resolves.toBeUndefined();
+
+    // The in-app card was still withdrawn despite the Slack failure.
+    expect(completeSurfaceAndNotify).toHaveBeenCalledTimes(1);
+  });
+
+  test("tool-approval cards resolve to the tool-approval surface id", async () => {
+    const req = makeRequest({ kind: "tool_approval", toolName: "shell" });
+    createCanonicalGuardianDelivery({
+      requestId: req.id,
+      destinationChannel: "vellum",
+      destinationConversationId: "conv-1",
+    });
+
+    await withdrawGuardianRequestCards({
+      request: req,
+      status: "approved",
+      originChannel: "telegram",
+    });
+
+    expect(completeSurfaceAndNotify).toHaveBeenCalledWith(
+      "conv-1",
+      `tool-approval-${req.id}`,
+      "Approved",
+    );
+  });
+});
+
+describe("recordApprovalCardDelivery", () => {
+  beforeEach(() => {
+    resetTables();
+  });
+
+  test("records a channel card with its addressing and status", () => {
+    const req = makeRequest();
+    const delivery = recordApprovalCardDelivery({
+      requestId: req.id,
+      channel: "slack",
+      chatId: "C1",
+      messageId: "1700000000.0001",
+      status: "sent",
+    });
+    expect(delivery?.destinationChannel).toBe("slack");
+    expect(delivery?.destinationChatId).toBe("C1");
+    expect(delivery?.destinationMessageId).toBe("1700000000.0001");
+    expect(delivery?.status).toBe("sent");
+  });
+
+  test("records a vellum card addressed by conversation id, defaulting to pending", () => {
+    const req = makeRequest();
+    const delivery = recordApprovalCardDelivery({
+      requestId: req.id,
+      channel: "vellum",
+      conversationId: "conv-x",
+    });
+    expect(delivery?.destinationConversationId).toBe("conv-x");
+    expect(delivery?.destinationChatId).toBeNull();
+    expect(delivery?.status).toBe("pending");
+  });
+
+  test("lets a Slack reaction resolve back to its request (LUM-2502)", () => {
+    // A delivered Slack approval card must be addressable by (channel, chat, ts)
+    // so an emoji reaction on it resolves to the right request rather than
+    // silently falling through to transcript persistence.
+    const req = makeRequest();
+    recordApprovalCardDelivery({
+      requestId: req.id,
+      channel: "slack",
+      chatId: "C-guardian",
+      messageId: "1700000000.5678",
+      status: "sent",
+    });
+
+    const resolved = getPendingCanonicalRequestByDestinationMessage(
+      "slack",
+      "C-guardian",
+      "1700000000.5678",
+    );
+    expect(resolved?.id).toBe(req.id);
+  });
+});
+
+describe("recordGuardianRequestDeliveries", () => {
+  beforeEach(() => {
+    resetTables();
+    withdrawSlackApprovalCard.mockClear();
+  });
+
+  test("records each delivery with addressing + status and returns the vellum id", () => {
+    const req = makeRequest();
+    const vellumId = recordGuardianRequestDeliveries({
+      requestId: req.id,
+      deliveryResults: [
+        {
+          channel: "vellum",
+          destination: "",
+          status: "sent",
+          conversationId: "conv-1",
+        },
+        {
+          channel: "slack",
+          destination: "C999",
+          status: "sent",
+          messageId: "1700000000.1234",
+        },
+      ],
+    });
+
+    const deliveries = listCanonicalGuardianDeliveries(req.id);
+    expect(deliveries).toHaveLength(2);
+    const vellum = deliveries.find((d) => d.destinationChannel === "vellum");
+    const slack = deliveries.find((d) => d.destinationChannel === "slack");
+    expect(vellumId).toBe(vellum?.id);
+    expect(vellum?.destinationConversationId).toBe("conv-1");
+    expect(vellum?.status).toBe("sent");
+    expect(slack?.destinationChatId).toBe("C999");
+    expect(slack?.destinationMessageId).toBe("1700000000.1234");
+    expect(slack?.status).toBe("sent");
+  });
+
+  test("reuses a pre-created vellum row instead of creating a second", () => {
+    const req = makeRequest();
+    const pre = recordApprovalCardDelivery({
+      requestId: req.id,
+      channel: "vellum",
+      conversationId: "conv-1",
+    });
+
+    const vellumId = recordGuardianRequestDeliveries({
+      requestId: req.id,
+      deliveryResults: [
+        {
+          channel: "vellum",
+          destination: "",
+          status: "sent",
+          conversationId: "conv-1",
+        },
+      ],
+      vellumDeliveryId: pre?.id,
+    });
+
+    expect(vellumId).toBe(pre?.id);
+    const deliveries = listCanonicalGuardianDeliveries(req.id);
+    expect(deliveries).toHaveLength(1);
+    expect(deliveries[0].status).toBe("sent");
+  });
+
+  test("marks a non-sent delivery result as failed (status now tracked for all producers)", () => {
+    const req = makeRequest();
+    recordGuardianRequestDeliveries({
+      requestId: req.id,
+      deliveryResults: [
+        { channel: "slack", destination: "C1", status: "failed" },
+      ],
+    });
+    const [delivery] = listCanonicalGuardianDeliveries(req.id);
+    expect(delivery.status).toBe("failed");
+  });
+
+  test("omits chat id when the channel destination is empty", () => {
+    const req = makeRequest();
+    recordGuardianRequestDeliveries({
+      requestId: req.id,
+      deliveryResults: [{ channel: "slack", destination: "", status: "sent" }],
+    });
+    const [delivery] = listCanonicalGuardianDeliveries(req.id);
+    expect(delivery.destinationChatId).toBeNull();
+  });
+
+  test("records a Slack delivery the withdrawal path can then edit in place", async () => {
+    const req = makeRequest();
+    recordGuardianRequestDeliveries({
+      requestId: req.id,
+      deliveryResults: [
+        {
+          channel: "slack",
+          destination: "C999",
+          status: "sent",
+          messageId: "1700000000.1234",
+        },
+      ],
+    });
+
+    await withdrawGuardianRequestCards({
+      request: req,
+      status: "approved",
+      originChannel: "vellum",
+    });
+    const [params] = withdrawSlackApprovalCard.mock.calls[0];
+    expect((params as { messageTs?: string }).messageTs).toBe(
+      "1700000000.1234",
+    );
+  });
+});

package/src/__tests__/guardian-decision-primitive-canonical.test.ts

@@ -235,8 +235,10 @@ describe("applyCanonicalGuardianDecision", () => {
 
   test("rejects decision when request has no guardianPrincipalId", async () => {
     // unknown_kind is not in DECISIONABLE_KINDS so it can be created without
-    // guardianPrincipalId, but the decision primitive still rejects because
-    // the request is missing its principal binding.
+    // guardianPrincipalId. A request with no bound principal can never be
+    // authorized by anyone — this is a data-integrity fault
+    // (request_misconfigured), not an authorization denial against the actor,
+    // so it must not be reported as identity_mismatch / "no permission".
     const req = createCanonicalGuardianRequest({
       kind: "unknown_kind",
       sourceType: "channel",
@@ -253,7 +255,7 @@ describe("applyCanonicalGuardianDecision", () => {
 
     expect(result.applied).toBe(false);
     if (result.applied) return;
-    expect(result.reason).toBe("identity_mismatch");
+    expect(result.reason).toBe("request_misconfigured");
   });
 
   test("rejects decision when actor has no guardianPrincipalId", async () => {

package/src/__tests__/guardian-grant-minting.test.ts

@@ -36,10 +36,6 @@ import {
 import * as approvalMessageComposer from "../runtime/approval-message-composer.js";
 import * as gatewayClient from "../runtime/gateway-client.js";
 import * as pendingInteractions from "../runtime/pending-interactions.js";
-import {
-  _clearApprovalPromptTsTrackerForTesting,
-  trackApprovalPromptTs,
-} from "../runtime/routes/approval-prompt-ts-tracker.js";
 import { handleApprovalInterception } from "../runtime/routes/guardian-approval-interception.js";
 import { computeToolApprovalDigest } from "../security/tool-approval-digest.js";
 
@@ -69,7 +65,6 @@ function resetTables(): void {
     /* tables may not exist yet */
   }
   pendingInteractions.clear();
-  _clearApprovalPromptTsTrackerForTesting();
 }
 
 function createTestGuardianApproval(
@@ -224,36 +219,9 @@ describe("guardian grant minting on tool-approval decisions", () => {
     composeSpy.mockRestore();
   });
 
-  test("guardian reaction white_check_mark maps to approve_once (legacy compat)", async () => {
-    const requestId = "req-grant-reaction-1";
-    createTestGuardianApproval(requestId, {
-      conversationId: CONVERSATION_ID,
-      channel: "slack",
-      guardianChatId: GUARDIAN_CHAT,
-    });
-    registerPendingInteraction(requestId, CONVERSATION_ID, TOOL_NAME);
-    const approvalMessageTs = "1700000000.000100";
-    trackApprovalPromptTs("slack", GUARDIAN_CHAT, approvalMessageTs);
-
-    const result = await handleApprovalInterception({
-      conversationId: "guardian-conv-1",
-      callbackData: "reaction:white_check_mark",
-      content: "",
-      conversationExternalId: GUARDIAN_CHAT,
-      sourceChannel: "slack",
-      actorExternalId: GUARDIAN_USER,
-      replyCallbackUrl: "https://gateway.test/deliver",
-      trustCtx: makeTrustContext(),
-      assistantId: ASSISTANT_ID,
-      approvalMessageTs,
-    });
-
-    // white_check_mark is mapped to approve_once (backward compat) — the
-    // pending approval is resolved and a grant is minted.
-    expect(result.handled).toBe(true);
-    expect(result.type).toBe("guardian_decision_applied");
-    expect(countGrants()).toBe(1);
-  });
+  // Reaction-based approvals are exercised against the canonical pipeline in
+  // slack-reaction-canonical-approval.test.ts — reactions route through
+  // routeGuardianReply, not handleApprovalInterception.
 
   // ── 2. approve_once for non-tool-approval does NOT mint a grant ──