@vellumai/cli 0.8.6 → 0.8.7-dev.202606052118.34cd356

package/src/__tests__/connect-import.test.ts

@@ -0,0 +1,317 @@
+/**
+ * Tests for `vellum connect import <blob>`: decode a `vellum pair` bundle and
+ * persist a lockfile entry + guardian token under a unique local id.
+ */
+import {
+  afterAll,
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  spyOn,
+  test,
+} from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+const testDir = mkdtempSync(join(tmpdir(), "connect-import-test-"));
+const ORIGINAL_LOCKFILE_DIR = process.env.VELLUM_LOCKFILE_DIR;
+const ORIGINAL_CONFIG_HOME = process.env.XDG_CONFIG_HOME;
+const ORIGINAL_ARGV = [...process.argv];
+
+import { connectImport } from "../commands/connect/import.js";
+import {
+  findAssistantByName,
+  saveAssistantEntry,
+} from "../lib/assistant-config.js";
+import { loadGuardianToken } from "../lib/guardian-token.js";
+
+function bundleFor(overrides: Record<string, unknown> = {}): string {
+  const obj = {
+    gatewayUrl: "http://10.0.0.5:7830",
+    assistantId: "self",
+    token: "test-token",
+    deviceId: "dev-aaa",
+    ...overrides,
+  };
+  return Buffer.from(JSON.stringify(obj)).toString("base64");
+}
+
+describe("connect import", () => {
+  beforeEach(() => {
+    process.env.VELLUM_LOCKFILE_DIR = testDir;
+    process.env.XDG_CONFIG_HOME = testDir;
+  });
+
+  afterEach(() => {
+    process.argv = [...ORIGINAL_ARGV];
+    if (ORIGINAL_LOCKFILE_DIR === undefined)
+      delete process.env.VELLUM_LOCKFILE_DIR;
+    else process.env.VELLUM_LOCKFILE_DIR = ORIGINAL_LOCKFILE_DIR;
+    if (ORIGINAL_CONFIG_HOME === undefined) delete process.env.XDG_CONFIG_HOME;
+    else process.env.XDG_CONFIG_HOME = ORIGINAL_CONFIG_HOME;
+  });
+
+  afterAll(() => {
+    rmSync(testDir, { recursive: true, force: true });
+  });
+
+  test("writes a lockfile entry + guardian token from a valid bundle", async () => {
+    process.argv = ["bun", "vellum", "connect", "import", bundleFor()];
+    const logSpy = spyOn(console, "log").mockImplementation(() => {});
+    try {
+      await connectImport();
+    } finally {
+      logSpy.mockRestore();
+    }
+
+    const entry = findAssistantByName("paired-dev-aaa");
+    expect(entry).not.toBeNull();
+    expect(entry!.runtimeUrl).toBe("http://10.0.0.5:7830");
+    expect(entry!.cloud).toBe("paired");
+    expect(loadGuardianToken("paired-dev-aaa")?.accessToken).toBe("test-token");
+    // Back-compat: a bundle without refresh fields imports access-only.
+    expect(loadGuardianToken("paired-dev-aaa")?.refreshToken).toBe("");
+  });
+
+  test("persists the refresh credential when the bundle carries one", async () => {
+    process.argv = [
+      "bun",
+      "vellum",
+      "connect",
+      "import",
+      bundleFor({
+        deviceId: "dev-refresh",
+        token: "acc-tok",
+        refreshToken: "refresh-tok",
+        refreshTokenExpiresAt: "2027-01-01T00:00:00.000Z",
+        refreshAfter: "2026-07-01T00:00:00.000Z",
+      }),
+    ];
+    const logSpy = spyOn(console, "log").mockImplementation(() => {});
+    try {
+      await connectImport();
+    } finally {
+      logSpy.mockRestore();
+    }
+
+    const tok = loadGuardianToken("paired-dev-refresh");
+    expect(tok?.accessToken).toBe("acc-tok");
+    expect(tok?.refreshToken).toBe("refresh-tok");
+    expect(tok?.refreshTokenExpiresAt).toBe("2027-01-01T00:00:00.000Z");
+    expect(tok?.refreshAfter).toBe("2026-07-01T00:00:00.000Z");
+  });
+
+  test("preserves a numeric (epoch-ms) refreshTokenExpiresAt", async () => {
+    // GuardianTokenData allows refreshTokenExpiresAt to be an epoch-ms number;
+    // a numeric value in the bundle must round-trip, not be dropped to 0.
+    const expiresMs = 1893456000000; // 2030-01-01
+    process.argv = [
+      "bun",
+      "vellum",
+      "connect",
+      "import",
+      bundleFor({
+        deviceId: "dev-num",
+        refreshToken: "refresh-tok",
+        refreshTokenExpiresAt: expiresMs,
+      }),
+    ];
+    const logSpy = spyOn(console, "log").mockImplementation(() => {});
+    try {
+      await connectImport();
+    } finally {
+      logSpy.mockRestore();
+    }
+
+    expect(loadGuardianToken("paired-dev-num")?.refreshTokenExpiresAt).toBe(
+      expiresMs,
+    );
+  });
+
+  test("two different bundles (both assistantId 'self') do not collide", async () => {
+    process.argv = [
+      "bun",
+      "vellum",
+      "connect",
+      "import",
+      bundleFor({ deviceId: "dev-one", token: "tok1" }),
+    ];
+    const logSpy = spyOn(console, "log").mockImplementation(() => {});
+    try {
+      await connectImport();
+      process.argv = [
+        "bun",
+        "vellum",
+        "connect",
+        "import",
+        bundleFor({ deviceId: "dev-two", token: "tok2" }),
+      ];
+      await connectImport();
+    } finally {
+      logSpy.mockRestore();
+    }
+
+    expect(findAssistantByName("paired-dev-one")).not.toBeNull();
+    expect(findAssistantByName("paired-dev-two")).not.toBeNull();
+    expect(loadGuardianToken("paired-dev-one")?.accessToken).toBe("tok1");
+    expect(loadGuardianToken("paired-dev-two")?.accessToken).toBe("tok2");
+  });
+
+  test("--name registers the entry under that name", async () => {
+    process.argv = [
+      "bun",
+      "vellum",
+      "connect",
+      "import",
+      bundleFor({ deviceId: "dev-named" }),
+      "--name",
+      "Desk Box",
+    ];
+    const logSpy = spyOn(console, "log").mockImplementation(() => {});
+    try {
+      await connectImport();
+    } finally {
+      logSpy.mockRestore();
+    }
+    // Slugified to a stable id.
+    expect(findAssistantByName("desk-box")).not.toBeNull();
+  });
+
+  test("sanitizes a malicious bundle deviceId (no path traversal in the local id)", async () => {
+    process.argv = [
+      "bun",
+      "vellum",
+      "connect",
+      "import",
+      bundleFor({ deviceId: "-/../../tmp/x", token: "tokX" }),
+    ];
+    const logs: string[] = [];
+    const logSpy = spyOn(console, "log").mockImplementation(
+      (...a: unknown[]) => {
+        logs.push(a.join(" "));
+      },
+    );
+    try {
+      await connectImport();
+    } finally {
+      logSpy.mockRestore();
+    }
+
+    // The registered id must contain no path separators or `..`.
+    const m = logs.join("\n").match(/paired assistant '([^']+)'/);
+    expect(m).not.toBeNull();
+    const id = m![1];
+    expect(id).not.toContain("/");
+    expect(id).not.toContain("..");
+    expect(loadGuardianToken(id)?.accessToken).toBe("tokX");
+  });
+
+  test("does not overwrite an existing non-paired assistant", async () => {
+    saveAssistantEntry({
+      assistantId: "desk",
+      name: "Desk",
+      runtimeUrl: "http://127.0.0.1:7830",
+      cloud: "local",
+      species: "vellum",
+    });
+    process.argv = [
+      "bun",
+      "vellum",
+      "connect",
+      "import",
+      bundleFor({ deviceId: "dx" }),
+      "--name",
+      "desk",
+    ];
+    const errSpy = spyOn(console, "error").mockImplementation(() => {});
+    const exitSpy = spyOn(process, "exit").mockImplementation(((c?: number) => {
+      throw new Error(`exit:${c}`);
+    }) as never);
+    let exited = false;
+    try {
+      await connectImport();
+    } catch (e) {
+      exited = (e as Error).message === "exit:1";
+    } finally {
+      errSpy.mockRestore();
+      exitSpy.mockRestore();
+    }
+    expect(exited).toBe(true);
+    // The original local assistant is untouched (not overwritten).
+    const e = findAssistantByName("desk");
+    expect(e!.runtimeUrl).toBe("http://127.0.0.1:7830");
+    expect(e!.paired).toBeUndefined();
+  });
+
+  test("re-importing the same pairing updates in place", async () => {
+    const logSpy = spyOn(console, "log").mockImplementation(() => {});
+    try {
+      process.argv = [
+        "bun",
+        "vellum",
+        "connect",
+        "import",
+        bundleFor({ deviceId: "dev-re", token: "t1" }),
+      ];
+      await connectImport();
+      process.argv = [
+        "bun",
+        "vellum",
+        "connect",
+        "import",
+        bundleFor({ deviceId: "dev-re", token: "t2" }),
+      ];
+      await connectImport();
+    } finally {
+      logSpy.mockRestore();
+    }
+    expect(loadGuardianToken("paired-dev-re")?.accessToken).toBe("t2");
+  });
+
+  test("rejects a bundle whose gatewayUrl is not http(s)", async () => {
+    process.argv = [
+      "bun",
+      "vellum",
+      "connect",
+      "import",
+      bundleFor({ gatewayUrl: "ftp://nope", deviceId: "dz" }),
+    ];
+    const errSpy = spyOn(console, "error").mockImplementation(() => {});
+    const exitSpy = spyOn(process, "exit").mockImplementation(((c?: number) => {
+      throw new Error(`exit:${c}`);
+    }) as never);
+    let exited = false;
+    try {
+      await connectImport();
+    } catch (e) {
+      exited = (e as Error).message === "exit:1";
+    } finally {
+      errSpy.mockRestore();
+      exitSpy.mockRestore();
+    }
+    expect(exited).toBe(true);
+    expect(findAssistantByName("paired-dz")).toBeNull();
+  });
+
+  test("a malformed bundle exits 1 and registers nothing", async () => {
+    process.argv = ["bun", "vellum", "connect", "import", "not-valid-base64!!"];
+    const errSpy = spyOn(console, "error").mockImplementation(() => {});
+    const exitSpy = spyOn(process, "exit").mockImplementation(((c?: number) => {
+      throw new Error(`exit:${c}`);
+    }) as never);
+    let exited = false;
+    try {
+      await connectImport();
+    } catch (e) {
+      exited = (e as Error).message === "exit:1";
+    } finally {
+      errSpy.mockRestore();
+      exitSpy.mockRestore();
+    }
+    expect(exited).toBe(true);
+    // A malformed bundle has no deviceId, so no `paired-*` entry is created.
+    expect(findAssistantByName("paired-")).toBeNull();
+  });
+});

package/src/__tests__/devices.test.ts

@@ -0,0 +1,272 @@
+/**
+ * Tests for `vellum devices` (list) and `vellum devices revoke <hashedDeviceId>`:
+ * the host-side CLI that calls the loopback `GET /v1/devices` and
+ * `POST /v1/devices/revoke` endpoints. Verifies host-gating (refuses paired
+ * connections), the destructive-revoke confirmation, and that requests carry no
+ * browser/proxy headers.
+ */
+import {
+  afterAll,
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  spyOn,
+  test,
+} from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+const testDir = mkdtempSync(join(tmpdir(), "devices-test-"));
+const ORIGINAL_LOCKFILE_DIR = process.env.VELLUM_LOCKFILE_DIR;
+const ORIGINAL_CONFIG_HOME = process.env.XDG_CONFIG_HOME;
+const ORIGINAL_ARGV = [...process.argv];
+const ORIGINAL_FETCH = globalThis.fetch;
+
+import { devices } from "../commands/devices.js";
+import { saveAssistantEntry } from "../lib/assistant-config.js";
+
+interface FetchCall {
+  url: string;
+  init?: RequestInit;
+}
+
+let fetchCalls: FetchCall[] = [];
+
+/** Stub global fetch (spyOn does not intercept fetch in Bun). */
+function stubFetch(
+  handler: (url: string, init?: RequestInit) => Response,
+): void {
+  globalThis.fetch = (async (url: unknown, init?: RequestInit) => {
+    fetchCalls.push({ url: String(url), init });
+    return handler(String(url), init);
+  }) as typeof fetch;
+}
+
+function jsonResponse(body: unknown, status = 200): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+interface RunResult {
+  exited: boolean;
+  logs: string;
+  errors: string;
+}
+
+/** Run devices() with console + process.exit spied. */
+async function runDevices(): Promise<RunResult> {
+  const logs: string[] = [];
+  const errors: string[] = [];
+  const logSpy = spyOn(console, "log").mockImplementation((...a: unknown[]) => {
+    logs.push(a.join(" "));
+  });
+  const errSpy = spyOn(console, "error").mockImplementation(
+    (...a: unknown[]) => {
+      errors.push(a.join(" "));
+    },
+  );
+  const exitSpy = spyOn(process, "exit").mockImplementation(((c?: number) => {
+    throw new Error(`exit:${c}`);
+  }) as never);
+  let exited = false;
+  try {
+    await devices();
+  } catch (e) {
+    exited = (e as Error).message?.startsWith("exit:") ?? false;
+  } finally {
+    logSpy.mockRestore();
+    errSpy.mockRestore();
+    exitSpy.mockRestore();
+  }
+  return { exited, logs: logs.join("\n"), errors: errors.join("\n") };
+}
+
+function headerKeys(init?: RequestInit): string[] {
+  const h = init?.headers as Record<string, string> | undefined;
+  return h ? Object.keys(h).map((k) => k.toLowerCase()) : [];
+}
+
+describe("vellum devices", () => {
+  beforeEach(() => {
+    process.env.VELLUM_LOCKFILE_DIR = testDir;
+    process.env.XDG_CONFIG_HOME = testDir;
+    fetchCalls = [];
+    // Default stub: any unexpected call is recorded and 500s.
+    stubFetch(() => jsonResponse({ error: "unexpected" }, 500));
+  });
+
+  afterEach(() => {
+    process.argv = [...ORIGINAL_ARGV];
+    globalThis.fetch = ORIGINAL_FETCH;
+    if (ORIGINAL_LOCKFILE_DIR === undefined)
+      delete process.env.VELLUM_LOCKFILE_DIR;
+    else process.env.VELLUM_LOCKFILE_DIR = ORIGINAL_LOCKFILE_DIR;
+    if (ORIGINAL_CONFIG_HOME === undefined) delete process.env.XDG_CONFIG_HOME;
+    else process.env.XDG_CONFIG_HOME = ORIGINAL_CONFIG_HOME;
+  });
+
+  afterAll(() => {
+    rmSync(testDir, { recursive: true, force: true });
+  });
+
+  function seedLocal(id: string, localUrl = "http://127.0.0.1:7830"): void {
+    saveAssistantEntry({
+      assistantId: id,
+      name: id,
+      runtimeUrl: "http://127.0.0.1:7830",
+      localUrl,
+      cloud: "local",
+      species: "vellum",
+    });
+  }
+
+  test("--help prints usage including Examples", async () => {
+    process.argv = ["bun", "vellum", "devices", "--help"];
+    const { logs } = await runDevices();
+    expect(logs).toContain("USAGE:");
+    expect(logs).toContain("EXAMPLES:");
+    expect(logs).toContain("vellum devices revoke");
+  });
+
+  test("lists active devices over loopback with no browser/proxy headers", async () => {
+    seedLocal("list-host", "http://127.0.0.1:7833");
+    stubFetch((url) => {
+      if (url.endsWith("/v1/devices")) {
+        return jsonResponse({
+          devices: [
+            {
+              hashedDeviceId: "hashAAA111",
+              platform: "cli",
+              issuedAt: 1_700_000_000_000,
+              expiresAt: 1_800_000_000_000,
+              lastUsedAt: 1_750_000_000_000,
+            },
+            {
+              hashedDeviceId: "hashBBB222",
+              platform: "webview",
+              issuedAt: 1_700_000_000_000,
+              expiresAt: null,
+              lastUsedAt: null,
+            },
+          ],
+        });
+      }
+      return jsonResponse({ error: "unexpected" }, 500);
+    });
+
+    process.argv = ["bun", "vellum", "devices", "list-host"];
+    const { exited, logs } = await runDevices();
+
+    expect(exited).toBe(false);
+    // Both full hashes + platforms surfaced; null lastUsedAt → "never".
+    expect(logs).toContain("hashAAA111");
+    expect(logs).toContain("hashBBB222");
+    expect(logs).toContain("cli");
+    expect(logs).toContain("webview");
+    expect(logs).toContain("never");
+
+    expect(fetchCalls).toHaveLength(1);
+    const call = fetchCalls[0];
+    expect(call.url).toBe("http://127.0.0.1:7833/v1/devices");
+    expect(call.init?.method).toBe("GET");
+    const keys = headerKeys(call.init);
+    expect(keys).not.toContain("origin");
+    expect(keys).not.toContain("x-forwarded-for");
+  });
+
+  test("prints a clear message when no devices are paired", async () => {
+    seedLocal("empty-host");
+    stubFetch(() => jsonResponse({ devices: [] }));
+
+    process.argv = ["bun", "vellum", "devices", "empty-host"];
+    const { exited, logs } = await runDevices();
+
+    expect(exited).toBe(false);
+    expect(logs).toContain("No devices are paired to empty-host");
+  });
+
+  test("revoke posts the hashedDeviceId with --yes (no prompt)", async () => {
+    seedLocal("revoke-host", "http://127.0.0.1:7834");
+    stubFetch((url) => {
+      if (url.endsWith("/v1/devices/revoke")) {
+        return jsonResponse({ revoked: true, hashedDeviceId: "hashAAA111" });
+      }
+      return jsonResponse({ error: "unexpected" }, 500);
+    });
+
+    process.argv = [
+      "bun",
+      "vellum",
+      "devices",
+      "revoke",
+      "hashAAA111",
+      "revoke-host",
+      "--yes",
+    ];
+    const { exited, logs } = await runDevices();
+
+    expect(exited).toBe(false);
+    expect(logs).toContain("Revoked device hashAAA111");
+
+    expect(fetchCalls).toHaveLength(1);
+    const call = fetchCalls[0];
+    expect(call.url).toBe("http://127.0.0.1:7834/v1/devices/revoke");
+    expect(call.init?.method).toBe("POST");
+    expect(JSON.parse(String(call.init?.body))).toEqual({
+      hashedDeviceId: "hashAAA111",
+    });
+  });
+
+  test("revoke without a hashedDeviceId errors and makes no request", async () => {
+    process.argv = ["bun", "vellum", "devices", "revoke", "--yes"];
+    const { exited, errors } = await runDevices();
+
+    expect(exited).toBe(true);
+    expect(errors).toContain("hashedDeviceId is required");
+    expect(fetchCalls).toHaveLength(0);
+  });
+
+  test("revoke refuses without --yes in a non-interactive terminal", async () => {
+    seedLocal("rh3");
+    // process.stdin.isTTY is falsy under the test runner → not promptable.
+    process.argv = ["bun", "vellum", "devices", "revoke", "hashZZZ", "rh3"];
+    const { exited, errors } = await runDevices();
+
+    expect(exited).toBe(true);
+    expect(errors).toContain("--yes");
+    expect(fetchCalls).toHaveLength(0);
+  });
+
+  test("host-gates a paired connection (points to the host / unpair)", async () => {
+    saveAssistantEntry({
+      assistantId: "paired-box",
+      name: "Paired Box",
+      runtimeUrl: "http://10.0.0.9:7830",
+      cloud: "paired",
+      paired: true,
+      species: "vellum",
+    });
+
+    process.argv = ["bun", "vellum", "devices", "paired-box"];
+    const { exited, errors } = await runDevices();
+
+    expect(exited).toBe(true);
+    expect(errors).toContain("vellum unpair");
+    expect(fetchCalls).toHaveLength(0);
+  });
+
+  test("surfaces a non-2xx gateway response on list", async () => {
+    seedLocal("err-host");
+    stubFetch(() => jsonResponse({ error: { code: "FORBIDDEN" } }, 403));
+
+    process.argv = ["bun", "vellum", "devices", "err-host"];
+    const { exited, errors } = await runDevices();
+
+    expect(exited).toBe(true);
+    expect(errors).toContain("403");
+  });
+});

package/src/__tests__/env-drift.test.ts

@@ -2,64 +2,52 @@ import { describe, expect, test } from "bun:test";
 import { readFileSync } from "node:fs";
 import { join } from "node:path";
 
-import { SEEDS } from "../lib/environments/seeds.js";
+import { SEEDS } from "@vellumai/environments";
 
-// Drift guard for the TypeScript sites that hardcode the set of known
-// environment names:
+// Drift guard between the two language-level sources of truth for the set of
+// known environment names:
 //
-//   1. cli/src/lib/environments/seeds.ts  — SEEDS record (source of truth)
-//   2. assistant/src/util/platform.ts     — KNOWN_ENVIRONMENTS set
+//   1. packages/environments/src/seeds.ts       — SEEDS record (TS source of truth)
+//   2. clients/shared/App/VellumEnvironment.swift — Swift `VellumEnvironment` enum
 //
-// Cross-package relative imports don't work here: assistant's tsconfig
-// restricts `include` to its own src tree. So this test parses the literal
-// set out of the external file and asserts it agrees with CLI's SEEDS.
-//
-// FOLLOW-UP: split the env name list into a shared `packages/environments`
-// package (mirroring `packages/service-contracts`, `credential-storage`) so
-// both sites can `import { KNOWN_ENVIRONMENTS }` from one place and this
-// drift guard becomes a compile-time check. Planned alongside CLI-driven
-// context support — see the "Environments" design doc.
+// The Swift client can't import the TypeScript package, so the two lists are
+// maintained independently and must be kept in lockstep by hand. This test
+// parses the enum cases out of the Swift source and asserts they agree with
+// SEEDS. Adding an environment means updating both sites.
 
 const REPO_ROOT = join(import.meta.dir, "..", "..", "..");
-const ASSISTANT_PLATFORM = join(
+const SWIFT_ENVIRONMENT = join(
   REPO_ROOT,
-  "assistant",
-  "src",
-  "util",
-  "platform.ts",
+  "clients",
+  "shared",
+  "App",
+  "VellumEnvironment.swift",
 );
 
 /**
- * Extract the string literals from a Set constructor body in a TS source
- * file. Looks for `<setName>: ReadonlySet<string> = new Set([ ... ])` and
- * pulls out every `"..."` entry within the array. The match is anchored to
- * the `setName` to avoid picking up unrelated sets that happen to live in
- * the same file.
+ * Extract the case names declared in the `VellumEnvironment` enum. Matches
+ * standalone `case <name>` declaration lines (one identifier, nothing else),
+ * which is the enum's own declaration syntax. Switch-statement arms like
+ * `case .local:` carry a leading dot and a trailing colon, so they're
+ * excluded — the match is anchored to a bare identifier at end of line.
  */
-function extractSetLiterals(source: string, setName: string): string[] {
-  const pattern = new RegExp(
-    `${setName}\\s*:\\s*ReadonlySet<string>\\s*=\\s*new Set\\(\\[([^\\]]*)\\]`,
-    "m",
-  );
-  const match = source.match(pattern);
-  if (!match) {
-    throw new Error(
-      `Could not find Set literal for ${setName}. Update the drift-guard regex in env-drift.test.ts.`,
-    );
+function extractSwiftEnumCases(source: string): string[] {
+  const names: string[] = [];
+  for (const line of source.split("\n")) {
+    const match = line.match(/^\s*case\s+([a-zA-Z][a-zA-Z0-9]*)\s*$/);
+    if (match) names.push(match[1]!);
   }
-  const body = match[1];
-  const literals = body.match(/"([^"]+)"/g) ?? [];
-  return literals.map((lit) => lit.slice(1, -1));
+  return names;
 }
 
-describe("KNOWN_ENVIRONMENTS drift guard (TS-side)", () => {
+describe("environment name drift guard (TS ↔ Swift)", () => {
   const seedNames = new Set(Object.keys(SEEDS));
 
-  test("assistant/src/util/platform.ts KNOWN_ENVIRONMENTS matches CLI SEEDS", () => {
-    const source = readFileSync(ASSISTANT_PLATFORM, "utf8");
-    const assistantNames = new Set(
-      extractSetLiterals(source, "KNOWN_ENVIRONMENTS"),
-    );
-    expect([...assistantNames].sort()).toEqual([...seedNames].sort());
+  test("clients/shared/App/VellumEnvironment.swift matches SEEDS", () => {
+    const source = readFileSync(SWIFT_ENVIRONMENT, "utf8");
+    const swiftNames = new Set(extractSwiftEnumCases(source));
+
+    expect(swiftNames.size).toBeGreaterThan(0);
+    expect([...swiftNames].sort()).toEqual([...seedNames].sort());
   });
 });