@vellumai/vellum-gateway 0.7.0 → 0.7.2

package/src/__tests__/config-file-watcher.test.ts

@@ -0,0 +1,181 @@
+import { existsSync, unlinkSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { afterEach, describe, expect, test } from "bun:test";
+
+import {
+  ConfigFileWatcher,
+  type ConfigChangeEvent,
+} from "../config-file-watcher.js";
+import {
+  isOnlyVelayPublicBaseUrlChange,
+  shouldSyncTwilioPhoneWebhooksAfterConfigChange,
+} from "../twilio/webhook-sync-trigger.js";
+import { testWorkspaceDir } from "./test-preload.js";
+
+const configPath = join(testWorkspaceDir, "config.json");
+
+function writeConfig(data: Record<string, unknown>): void {
+  writeFileSync(configPath, JSON.stringify(data), "utf-8");
+}
+
+function pollOnce(watcher: ConfigFileWatcher): void {
+  (
+    watcher as unknown as {
+      pollOnce: () => void;
+    }
+  ).pollOnce();
+}
+
+function makeEvent(
+  changedKeys: string[],
+  changedFields: Record<string, string[]>,
+): ConfigChangeEvent {
+  return {
+    data: {},
+    changedKeys: new Set(changedKeys),
+    changedFields: new Map(
+      Object.entries(changedFields).map(([section, fields]) => [
+        section,
+        new Set(fields),
+      ]),
+    ),
+  };
+}
+
+afterEach(() => {
+  try {
+    if (existsSync(configPath)) unlinkSync(configPath);
+  } catch {
+    // best-effort cleanup
+  }
+});
+
+describe("ConfigFileWatcher", () => {
+  test("reports shallow ingress fields changed by Velay-managed URL writes", () => {
+    writeConfig({
+      ingress: {
+        publicBaseUrl: "https://public.example.test",
+      },
+    });
+    const events: ConfigChangeEvent[] = [];
+    const watcher = new ConfigFileWatcher((event) => {
+      events.push(event);
+    });
+
+    pollOnce(watcher);
+    writeConfig({
+      ingress: {
+        publicBaseUrl: "https://velay.example.test",
+        publicBaseUrlManagedBy: "velay",
+      },
+    });
+    pollOnce(watcher);
+
+    expect(events).toHaveLength(2);
+    expect(events[1].changedKeys).toEqual(new Set(["ingress"]));
+    expect(events[1].changedFields.get("ingress")).toEqual(
+      new Set(["publicBaseUrl", "publicBaseUrlManagedBy"]),
+    );
+  });
+
+  test("reports Twilio-only fields when Velay creates ingress from scratch", () => {
+    writeConfig({
+      gateway: {
+        runtimeProxyRequireAuth: false,
+      },
+    });
+    const events: ConfigChangeEvent[] = [];
+    const watcher = new ConfigFileWatcher((event) => {
+      events.push(event);
+    });
+
+    pollOnce(watcher);
+    writeConfig({
+      gateway: {
+        runtimeProxyRequireAuth: false,
+      },
+      ingress: {
+        publicBaseUrl: "https://velay.example.test",
+        publicBaseUrlManagedBy: "velay",
+      },
+    });
+    pollOnce(watcher);
+
+    expect(events).toHaveLength(2);
+    expect(events[1].changedKeys).toEqual(new Set(["ingress"]));
+    expect(events[1].changedFields.get("ingress")).toEqual(
+      new Set(["publicBaseUrl", "publicBaseUrlManagedBy"]),
+    );
+  });
+
+  test("detects public base URL changes", () => {
+    writeConfig({
+      ingress: {
+        publicBaseUrl: "https://old-public.example.test",
+        publicBaseUrlManagedBy: "velay",
+      },
+    });
+    const events: ConfigChangeEvent[] = [];
+    const watcher = new ConfigFileWatcher((event) => {
+      events.push(event);
+    });
+
+    pollOnce(watcher);
+    writeConfig({
+      ingress: {
+        publicBaseUrl: "https://new-public.example.test",
+        publicBaseUrlManagedBy: "velay",
+      },
+    });
+    pollOnce(watcher);
+
+    expect(events).toHaveLength(2);
+    expect(events[1].changedFields.get("ingress")).toEqual(
+      new Set(["publicBaseUrl"]),
+    );
+  });
+});
+
+describe("Twilio webhook sync config-change triggers", () => {
+  test("syncs when generic public ingress changes without a Twilio override", () => {
+    const event = makeEvent(["ingress"], { ingress: ["publicBaseUrl"] });
+
+    expect(isOnlyVelayPublicBaseUrlChange(event)).toBe(false);
+    expect(shouldSyncTwilioPhoneWebhooksAfterConfigChange(event)).toBe(true);
+  });
+
+  test("syncs when the Twilio-specific public ingress changes", () => {
+    const event = makeEvent(["ingress"], {
+      ingress: ["publicBaseUrl", "publicBaseUrlManagedBy"],
+    });
+
+    expect(isOnlyVelayPublicBaseUrlChange(event)).toBe(true);
+    expect(shouldSyncTwilioPhoneWebhooksAfterConfigChange(event)).toBe(true);
+  });
+
+  test("does not sync when only the Velay manager marker changes", () => {
+    const event = makeEvent(["ingress"], {
+      ingress: ["publicBaseUrlManagedBy"],
+    });
+
+    expect(isOnlyVelayPublicBaseUrlChange(event)).toBe(true);
+    expect(shouldSyncTwilioPhoneWebhooksAfterConfigChange(event)).toBe(false);
+  });
+
+  test("syncs when Twilio phone configuration becomes available", () => {
+    const event = makeEvent(["twilio"], {
+      twilio: ["phoneNumber", "accountSid"],
+    });
+
+    expect(isOnlyVelayPublicBaseUrlChange(event)).toBe(false);
+    expect(shouldSyncTwilioPhoneWebhooksAfterConfigChange(event)).toBe(true);
+  });
+
+  test("does not sync when unrelated Twilio configuration changes", () => {
+    const event = makeEvent(["twilio"], {
+      twilio: ["assistantPhoneNumbers"],
+    });
+
+    expect(shouldSyncTwilioPhoneWebhooksAfterConfigChange(event)).toBe(false);
+  });
+});

package/src/__tests__/config.test.ts

@@ -17,7 +17,6 @@ describe("config: hardcoded defaults", () => {
       default: 100 * 1024 * 1024,
     });
     expect(config.maxAttachmentConcurrency).toBe(3);
-    expect(config.runtimeProxyEnabled).toBe(false);
     expect(config.runtimeProxyRequireAuth).toBe(true);
     expect(config.trustProxy).toBe(false);
     expect(config.unmappedPolicy).toBe("reject");

package/src/__tests__/contacts-control-plane-proxy.test.ts

@@ -27,7 +27,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,

package/src/__tests__/credential-watcher-managed-bootstrap.test.ts

@@ -1,11 +1,13 @@
 import { afterEach, describe, expect, test } from "bun:test";
-import { createServer } from "node:net";
+import { createServer, type Server } from "node:net";
 import { spawn, type ChildProcess } from "node:child_process";
 import { mkdirSync, renameSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 
+import { startFakeAssistantIpc } from "./fake-assistant-ipc.js";
+
 const TEST_SERVICE_TOKEN = "test-ces-service-token";
 
 const testDir = join(tmpdir(), `gw-managed-${Date.now()}-${Math.random()}`);
@@ -54,6 +56,7 @@ let gatewayProc: ChildProcess | null = null;
 let gatewayPort = 0;
 let cesPort = 0;
 let cesServer: ReturnType<typeof Bun.serve> | null = null;
+let fakeAssistantIpc: Server | null = null;
 
 /** Ask the OS for a free port by briefly binding to port 0. */
 function getFreePort(): Promise<number> {
@@ -95,11 +98,14 @@ async function startGateway(): Promise<void> {
     );
   gatewayPort = await getFreePort();
 
+  const workspaceDir = join(testDir, ".vellum", "workspace");
+  fakeAssistantIpc = startFakeAssistantIpc(workspaceDir);
+
   gatewayProc = spawn("bun", ["run", gatewayEntry], {
     env: {
       ...process.env,
       GATEWAY_SECURITY_DIR: join(testDir, ".vellum", "protected"),
-      VELLUM_WORKSPACE_DIR: join(testDir, ".vellum", "workspace"),
+      VELLUM_WORKSPACE_DIR: workspaceDir,
       GATEWAY_PORT: String(gatewayPort),
       CES_CREDENTIAL_URL: `http://127.0.0.1:${cesPort}`,
       CES_SERVICE_TOKEN: TEST_SERVICE_TOKEN,
@@ -190,6 +196,8 @@ function startFakeCes(opts: {
 }
 
 afterEach(async () => {
+  fakeAssistantIpc?.close();
+  fakeAssistantIpc = null;
   cesServer?.stop(true);
   cesServer = null;
   gatewayPort = 0;

package/src/__tests__/credential-watcher.test.ts

@@ -17,8 +17,11 @@ import {
 import { mkdirSync, renameSync, writeFileSync, rmSync } from "node:fs";
 import { hostname, tmpdir, userInfo } from "node:os";
 import { dirname, join } from "node:path";
+import { createServer, type Server } from "node:net";
 import { fileURLToPath } from "node:url";
 
+import { startFakeAssistantIpc } from "./fake-assistant-ipc.js";
+
 // ---------------------------------------------------------------------------
 // Constants — must match credential-reader.ts
 // ---------------------------------------------------------------------------
@@ -189,14 +192,37 @@ const gatewayEntry = join(gatewayRoot, "src", "index.ts");
 
 let gatewayProc: ChildProcess | null = null;
 let port = 0;
+let fakeAssistantIpc: Server | null = null;
+
+/** Ask the OS for a free port by briefly binding to port 0. */
+function getFreePort(): Promise<number> {
+  return new Promise((resolve, reject) => {
+    const srv = createServer();
+    srv.listen(0, "127.0.0.1", () => {
+      const addr = srv.address();
+      if (!addr || typeof addr === "string") {
+        srv.close();
+        reject(new Error("Failed to get free port"));
+        return;
+      }
+      const p = addr.port;
+      srv.close(() => resolve(p));
+    });
+    srv.on("error", reject);
+  });
+}
 
 async function startGateway(): Promise<void> {
-  port = 49152 + Math.floor(Math.random() * 16383);
+  port = await getFreePort();
+
+  const workspaceDir = join(testDir, ".vellum", "workspace");
+  fakeAssistantIpc = startFakeAssistantIpc(workspaceDir);
+
   gatewayProc = spawn("bun", ["run", gatewayEntry], {
     env: {
       ...process.env,
       GATEWAY_SECURITY_DIR: join(testDir, ".vellum", "protected"),
-      VELLUM_WORKSPACE_DIR: join(testDir, ".vellum", "workspace"),
+      VELLUM_WORKSPACE_DIR: workspaceDir,
       GATEWAY_PORT: String(port),
       // Ensure Telegram is NOT configured via env vars
       TELEGRAM_BOT_TOKEN: "",
@@ -229,6 +255,8 @@ async function startGateway(): Promise<void> {
 }
 
 afterEach(async () => {
+  fakeAssistantIpc?.close();
+  fakeAssistantIpc = null;
   if (gatewayProc) {
     const proc = gatewayProc;
     gatewayProc = null;

package/src/__tests__/db-connection-isolation.test.ts

@@ -0,0 +1,157 @@
+import { afterEach, expect, test } from "bun:test";
+import {
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  realpathSync,
+  rmSync,
+  symlinkSync,
+  writeFileSync,
+} from "node:fs";
+import { homedir, tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { initGatewayDb, resetGatewayDb } from "../db/connection.js";
+
+const originalSecurityDir = process.env.GATEWAY_SECURITY_DIR;
+const originalAllowRealSecurity =
+  process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS;
+const originalTestRealSecurity =
+  process.env.VELLUM_TEST_REAL_GATEWAY_SECURITY_DIR;
+const originalHome = process.env.HOME;
+
+afterEach(() => {
+  resetGatewayDb();
+  if (originalSecurityDir === undefined) {
+    delete process.env.GATEWAY_SECURITY_DIR;
+  } else {
+    process.env.GATEWAY_SECURITY_DIR = originalSecurityDir;
+  }
+
+  if (originalAllowRealSecurity === undefined) {
+    delete process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS;
+  } else {
+    process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS =
+      originalAllowRealSecurity;
+  }
+
+  if (originalTestRealSecurity === undefined) {
+    delete process.env.VELLUM_TEST_REAL_GATEWAY_SECURITY_DIR;
+  } else {
+    process.env.VELLUM_TEST_REAL_GATEWAY_SECURITY_DIR =
+      originalTestRealSecurity;
+  }
+
+  if (originalHome === undefined) {
+    delete process.env.HOME;
+  } else {
+    process.env.HOME = originalHome;
+  }
+});
+
+test("initGatewayDb refuses test runs without an isolated security dir", async () => {
+  resetGatewayDb();
+  delete process.env.GATEWAY_SECURITY_DIR;
+  delete process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS;
+
+  await expect(initGatewayDb()).rejects.toThrow(
+    "Refusing to open the gateway DB during tests without GATEWAY_SECURITY_DIR",
+  );
+});
+
+test("initGatewayDb refuses the real security dir during tests even when explicitly set", async () => {
+  resetGatewayDb();
+  process.env.GATEWAY_SECURITY_DIR = join(homedir(), ".vellum", "protected");
+  delete process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS;
+
+  await expect(initGatewayDb()).rejects.toThrow(
+    "Refusing to open the real gateway security DB during tests",
+  );
+});
+
+test("initGatewayDb refuses symlink aliases to the real security dir during tests", async () => {
+  resetGatewayDb();
+  const testRoot = realpathSync(
+    mkdtempSync(join(tmpdir(), "vellum-gateway-db-isolation-")),
+  );
+
+  try {
+    const fakeHome = join(testRoot, "home");
+    const realSecurityDir = join(fakeHome, ".vellum", "protected");
+    const aliasParent = join(testRoot, "aliases");
+    const securityAlias = join(aliasParent, "gateway-security-link");
+
+    mkdirSync(realSecurityDir, { recursive: true });
+    mkdirSync(aliasParent, { recursive: true });
+    symlinkSync(realSecurityDir, securityAlias, "dir");
+
+    process.env.HOME = fakeHome;
+    process.env.GATEWAY_SECURITY_DIR = securityAlias;
+    process.env.VELLUM_TEST_REAL_GATEWAY_SECURITY_DIR = realSecurityDir;
+    delete process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS;
+
+    await expect(initGatewayDb()).rejects.toThrow(
+      "Refusing to open the real gateway security DB during tests",
+    );
+  } finally {
+    rmSync(testRoot, { recursive: true, force: true });
+  }
+});
+
+test("initGatewayDb refuses missing children under symlink aliases to the real security dir", async () => {
+  resetGatewayDb();
+  const testRoot = realpathSync(
+    mkdtempSync(join(tmpdir(), "vellum-gateway-db-isolation-")),
+  );
+
+  try {
+    const fakeHome = join(testRoot, "home");
+    const realSecurityDir = join(fakeHome, ".vellum", "protected");
+    const aliasParent = join(testRoot, "aliases");
+    const securityLink = join(aliasParent, "gateway-security-link");
+    const missingChild = join(securityLink, "new-security-dir");
+
+    mkdirSync(realSecurityDir, { recursive: true });
+    mkdirSync(aliasParent, { recursive: true });
+    symlinkSync(realSecurityDir, securityLink, "dir");
+
+    process.env.HOME = fakeHome;
+    process.env.GATEWAY_SECURITY_DIR = missingChild;
+    process.env.VELLUM_TEST_REAL_GATEWAY_SECURITY_DIR = realSecurityDir;
+    delete process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS;
+
+    await expect(initGatewayDb()).rejects.toThrow(
+      "Refusing to open the real gateway security DB during tests",
+    );
+  } finally {
+    rmSync(testRoot, { recursive: true, force: true });
+  }
+});
+
+test("initGatewayDb does not migrate legacy gateway DBs during tests", async () => {
+  resetGatewayDb();
+  const testRoot = realpathSync(
+    mkdtempSync(join(tmpdir(), "vellum-gateway-db-isolation-")),
+  );
+
+  try {
+    const fakeHome = join(testRoot, "home");
+    const legacyDir = join(fakeHome, ".vellum", "data");
+    const legacyDb = join(legacyDir, "gateway.sqlite");
+    const securityDir = join(testRoot, "gateway-security");
+
+    mkdirSync(legacyDir, { recursive: true });
+    writeFileSync(legacyDb, "legacy gateway db");
+
+    process.env.HOME = fakeHome;
+    process.env.GATEWAY_SECURITY_DIR = securityDir;
+    delete process.env.VELLUM_ALLOW_REAL_GATEWAY_SECURITY_IN_TESTS;
+
+    await initGatewayDb();
+
+    expect(existsSync(legacyDb)).toBe(true);
+    expect(existsSync(join(securityDir, "gateway.sqlite"))).toBe(true);
+  } finally {
+    rmSync(testRoot, { recursive: true, force: true });
+  }
+});

package/src/__tests__/fake-assistant-ipc.ts

@@ -0,0 +1,39 @@
+/**
+ * Minimal fake assistant IPC server for tests.
+ *
+ * Listens on assistant.sock inside the given workspace dir and responds
+ * to the "health" JSON-RPC call with { status: "ok" }. This satisfies
+ * the gateway's waitForAssistant() poll so it starts immediately.
+ */
+import { createServer, type Server } from "node:net";
+import { join } from "node:path";
+import { mkdirSync } from "node:fs";
+
+export function startFakeAssistantIpc(workspaceDir: string): Server {
+  mkdirSync(workspaceDir, { recursive: true });
+  const socketPath = join(workspaceDir, "assistant.sock");
+
+  const server = createServer((conn) => {
+    let buffer = "";
+    conn.on("data", (chunk) => {
+      buffer += chunk.toString();
+      let idx: number;
+      while ((idx = buffer.indexOf("\n")) !== -1) {
+        const line = buffer.slice(0, idx).trim();
+        buffer = buffer.slice(idx + 1);
+        if (!line) continue;
+        try {
+          const req = JSON.parse(line) as { id: string; method: string };
+          conn.write(
+            JSON.stringify({ id: req.id, result: { status: "ok" } }) + "\n",
+          );
+        } catch {
+          // ignore malformed
+        }
+      }
+    });
+  });
+
+  server.listen(socketPath);
+  return server;
+}

package/src/__tests__/feature-flags-route.test.ts

@@ -41,7 +41,7 @@ const TEST_REGISTRY = {
     },
     {
       id: "user-hosted-enabled",
-      scope: "macos",
+      scope: "client",
       key: "user-hosted-enabled",
       label: "User Hosted Enabled",
       description: "Enable user-hosted onboarding flow",
@@ -103,7 +103,7 @@ describe("GET /v1/feature-flags handler", () => {
     const defaults = loadFeatureFlagDefaults();
     const declaredKeys = Object.keys(defaults);
 
-    // Should return all declared assistant-scope flags (not macos-scope)
+    // Should return all declared assistant-scope flags (not client-scope)
     expect(body.flags.length).toBe(declaredKeys.length);
     expect(body.flags.length).toBeGreaterThan(0);
 
@@ -159,11 +159,11 @@ describe("GET /v1/feature-flags handler", () => {
     expect(res.status).toBe(200);
     const body = await res.json();
 
-    // The macos-scope flag should not appear
-    const macosFlag = body.flags.find(
+    // The client-scope flag should not appear
+    const clientFlag = body.flags.find(
       (f: { key: string }) => f.key === "user-hosted-enabled",
     );
-    expect(macosFlag).toBeUndefined();
+    expect(clientFlag).toBeUndefined();
   });
 
   test("returns all declared flags even when store has no persisted values", async () => {
@@ -488,12 +488,12 @@ describe("PATCH /v1/feature-flags/:flagKey handler", () => {
 
     const handler = createFeatureFlagsPatchHandler();
     const res = await handler(
-      new Request("http://gateway.test/v1/feature-flags/browser", {
+      new Request("http://gateway.test/v1/feature-flags/email-channel", {
         method: "PATCH",
         headers: { "content-type": "application/json" },
         body: JSON.stringify({ enabled: true }),
       }),
-      "browser",
+      "email-channel",
     );
 
     expect(res.status).toBe(200);
@@ -501,7 +501,7 @@ describe("PATCH /v1/feature-flags/:flagKey handler", () => {
 
     clearFeatureFlagStoreCache();
     const persisted = readPersistedFeatureFlags();
-    expect(persisted["browser"]).toBe(true);
+    expect(persisted["email-channel"]).toBe(true);
   });
 
   // Validation tests

package/src/__tests__/guardian-init-lockfile.test.ts

@@ -138,7 +138,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
@@ -359,9 +358,12 @@ describe("guardian/init one-time-use lockfile", () => {
     const body = await res.json();
 
     // Verify contact records were written to the assistant DB
-    const assistantDb = new Database(join(testRoot, "data", "db", "assistant.db"), {
-      readonly: true,
-    });
+    const assistantDb = new Database(
+      join(testRoot, "data", "db", "assistant.db"),
+      {
+        readonly: true,
+      },
+    );
 
     const contact = assistantDb
       .query<
@@ -581,6 +583,7 @@ describe("guardian/reset-bootstrap", () => {
 describe("guardian/init bare-metal loopback gating", () => {
   test("rejects non-loopback clients in bare-metal mode", async () => {
     delete process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    delete process.env.IS_PLATFORM;
     const handler = createChannelVerificationSessionProxyHandler(makeConfig());
     const res = await handler.handleGuardianInit(
       new Request("http://localhost:7830/v1/guardian/init", {
@@ -598,6 +601,7 @@ describe("guardian/init bare-metal loopback gating", () => {
 
   test("allows loopback clients in bare-metal mode", async () => {
     delete process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    delete process.env.IS_PLATFORM;
     const handler = createChannelVerificationSessionProxyHandler(makeConfig());
     const res = await handler.handleGuardianInit(
       new Request("http://localhost:7830/v1/guardian/init", {
@@ -632,6 +636,28 @@ describe("guardian/init bare-metal loopback gating", () => {
     const body = await res.json();
     expect(body.accessToken).toBeTruthy();
   });
+
+  test("skips loopback check in platform-managed mode (IS_PLATFORM=true)", async () => {
+    delete process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    process.env.IS_PLATFORM = "true";
+    try {
+      const handler = createChannelVerificationSessionProxyHandler(makeConfig());
+      const res = await handler.handleGuardianInit(
+        new Request("http://localhost:7830/v1/guardian/init", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ platform: "web", deviceId: "platform-abc123" }),
+        }),
+        "::ffff:10.112.1.68",
+      );
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.accessToken).toBeTruthy();
+    } finally {
+      delete process.env.IS_PLATFORM;
+    }
+  });
 });
 
 describe("guardian/init request validation", () => {

package/src/__tests__/ipc-feature-flag-routes.test.ts

@@ -39,7 +39,7 @@ const TEST_REGISTRY = {
     },
     {
       id: "user-hosted-enabled",
-      scope: "macos",
+      scope: "client",
       key: "user-hosted-enabled",
       label: "User Hosted Enabled",
       description: "Enable user-hosted onboarding flow",

package/src/__tests__/live-voice-websocket.test.ts

@@ -45,7 +45,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,

package/src/__tests__/load-guards.test.ts

@@ -22,7 +22,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,

package/src/__tests__/migration-teleport-gcs-proxy.test.ts

@@ -30,7 +30,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,

package/src/__tests__/oauth-callback.test.ts

@@ -34,7 +34,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,