@vellumai/vellum-gateway 0.7.2 → 0.7.3

package/src/__tests__/remote-feature-flag-sync.test.ts

@@ -116,13 +116,13 @@ function defaultCredentials(): Record<string, string> {
 // Setup / teardown
 // ---------------------------------------------------------------------------
 const savedVellumPlatformUrl = process.env.VELLUM_PLATFORM_URL;
-const savedPlatformInternalApiKey = process.env.PLATFORM_INTERNAL_API_KEY;
+const savedAssistantCredential = process.env.ASSISTANT_API_KEY;
 
 beforeEach(() => {
   // Clear env vars that the production code falls back to, so tests remain
   // deterministic unless they explicitly set them.
   delete process.env.VELLUM_PLATFORM_URL;
-  delete process.env.PLATFORM_INTERNAL_API_KEY;
+  delete process.env.ASSISTANT_API_KEY;
   mkdirSync(protectedDir, { recursive: true });
   // Write the test registry and point resolution at it
   writeFileSync(testRegistryPath, JSON.stringify(TEST_REGISTRY, null, 2));
@@ -142,7 +142,7 @@ afterEach(() => {
     }
   };
   restoreEnv("VELLUM_PLATFORM_URL", savedVellumPlatformUrl);
-  restoreEnv("PLATFORM_INTERNAL_API_KEY", savedPlatformInternalApiKey);
+  restoreEnv("ASSISTANT_API_KEY", savedAssistantCredential);
   try {
     rmSync(protectedDir, { recursive: true, force: true });
     mkdirSync(protectedDir, { recursive: true });
@@ -195,7 +195,7 @@ describe("RemoteFeatureFlagSync", () => {
     );
   });
 
-  test("skips sync when assistant_api_key is missing and no PLATFORM_INTERNAL_API_KEY", async () => {
+  test("skips sync when assistant_api_key is missing", async () => {
     const creds = defaultCredentials();
     delete creds["credential/vellum/assistant_api_key"];
 
@@ -208,12 +208,13 @@ describe("RemoteFeatureFlagSync", () => {
     expect(fetchMock).not.toHaveBeenCalled();
   });
 
-  test("does not use PLATFORM_INTERNAL_API_KEY when assistant_api_key is missing", async () => {
-    fetchMock = mock(async () => Response.json({ flags: {} }));
-    process.env.PLATFORM_INTERNAL_API_KEY = "internal-key-123";
+  test("syncs when only platformUrl and assistantApiKey are present", async () => {
+    fetchMock = mock(async () => Response.json({ flags: { ff1: true } }));
 
-    const creds = defaultCredentials();
-    delete creds["credential/vellum/assistant_api_key"];
+    const creds = {
+      "credential/vellum/platform_base_url": "https://platform.example.com",
+      "credential/vellum/assistant_api_key": "test-api-key",
+    };
 
     const sync = new RemoteFeatureFlagSync({
       credentials: fakeCredentialCache(creds),
@@ -221,17 +222,15 @@ describe("RemoteFeatureFlagSync", () => {
     await sync.start();
     sync.stop();
 
-    // PLATFORM_INTERNAL_API_KEY is only for internal gateway endpoints —
-    // feature flag sync requires assistant_api_key (Api-Key auth).
-    expect(fetchMock).not.toHaveBeenCalled();
+    expect(fetchMock).toHaveBeenCalledTimes(1);
   });
 
-  test("syncs when only platformUrl and assistantApiKey are present", async () => {
+  test("falls back to ASSISTANT_API_KEY env var when credential key is missing", async () => {
     fetchMock = mock(async () => Response.json({ flags: { ff1: true } }));
+    process.env.ASSISTANT_API_KEY = "env-key";
 
     const creds = {
       "credential/vellum/platform_base_url": "https://platform.example.com",
-      "credential/vellum/assistant_api_key": "test-api-key",
     };
 
     const sync = new RemoteFeatureFlagSync({
@@ -241,6 +240,9 @@ describe("RemoteFeatureFlagSync", () => {
     sync.stop();
 
     expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [, init] = fetchMock.mock.calls[0];
+    const headers = init?.headers as Record<string, string>;
+    expect(headers.Authorization).toBe("Api-Key env-key");
   });
 
   test("fetches and caches flags on successful response", async () => {

package/src/__tests__/slack-display-name.test.ts

@@ -259,7 +259,9 @@ describe("normalizeSlackAppMention with display name", () => {
     );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("@Leo please look");
+    expect(result!.event.message.content).toBe(
+      "@unknown-user @Leo please look",
+    );
     expect(result!.event.message.content).not.toContain("<@ULEO>");
     expect(result!.event.message.content).not.toContain("ULEO");
   });
@@ -285,7 +287,9 @@ describe("normalizeSlackAppMention with display name", () => {
     );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("@unknown-user please look");
+    expect(result!.event.message.content).toBe(
+      "@unknown-user @unknown-user please look",
+    );
     expect(result!.event.message.content).not.toContain("<@UFAIL>");
     expect(result!.event.message.content).not.toContain("UFAIL");
   });

package/src/__tests__/slack-normalize.test.ts

@@ -1,6 +1,5 @@
 import { describe, test, expect } from "bun:test";
 import {
-  stripBotMention,
   normalizeSlackAppMention,
   normalizeSlackChannelMessage,
   normalizeSlackDirectMessage,
@@ -52,42 +51,6 @@ function makeEvent(
   };
 }
 
-describe("stripBotMention", () => {
-  test("strips a single leading bot mention", () => {
-    expect(stripBotMention("<@U123BOT> hello world")).toBe("hello world");
-  });
-
-  test("strips repeated leading bot mentions while preserving a following human mention", () => {
-    expect(
-      stripBotMention("<@U123BOT> <@U123BOT> <@U456OTHER> hello", "U123BOT"),
-    ).toBe("<@U456OTHER> hello");
-  });
-
-  test("fallback strips only the first leading mention", () => {
-    expect(stripBotMention("<@U123BOT> <@U456OTHER> hello")).toBe(
-      "<@U456OTHER> hello",
-    );
-  });
-
-  test("falls back to original text when stripping produces empty string", () => {
-    expect(stripBotMention("<@U123BOT>")).toBe("<@U123BOT>");
-  });
-
-  test("falls back to original trimmed text when stripping produces whitespace only", () => {
-    expect(stripBotMention("<@U123BOT>   ")).toBe("<@U123BOT>");
-  });
-
-  test("returns text unchanged when no leading mention", () => {
-    expect(stripBotMention("hello world")).toBe("hello world");
-  });
-
-  test("does not strip mid-text mentions", () => {
-    expect(stripBotMention("hello <@U123BOT> world")).toBe(
-      "hello <@U123BOT> world",
-    );
-  });
-});
-
 describe("normalizeSlackAppMention", () => {
   test("normalizes app_mention event with sourceChannel 'slack'", async () => {
     const config = makeConfig();
@@ -129,16 +92,23 @@ describe("normalizeSlackAppMention", () => {
     expect(result!.event.message.externalMessageId).toBe("1700000000.000100");
   });
 
-  test("mention stripping: '<@U123BOT> hello world' becomes 'hello world'", async () => {
+  test("renders the bot's mention using the resolved label", async () => {
     const config = makeConfig();
     const event = makeEvent({ text: "<@U123BOT> hello world" });
-    const result = await normalizeSlackAppMention(event, "evt-005", config);
+    const result = await normalizeSlackAppMention(
+      event,
+      "evt-005",
+      config,
+      "U123BOT",
+      undefined,
+      { userLabels: { U123BOT: "vex" } },
+    );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("hello world");
+    expect(result!.event.message.content).toBe("@vex hello world");
   });
 
-  test("mention stripping with empty result falls back to original text", async () => {
+  test("renders the bot's mention with the unknown-user fallback when unresolved", async () => {
     const config = makeConfig();
     const event = makeEvent({ text: "<@U123BOT>" });
     const result = await normalizeSlackAppMention(event, "evt-006", config);
@@ -147,7 +117,7 @@ describe("normalizeSlackAppMention", () => {
     expect(result!.event.message.content).toBe("@unknown-user");
   });
 
-  test("renders a human mention after stripping the app mention", async () => {
+  test("renders bot and human mentions side by side", async () => {
     const config = makeConfig();
     const event = makeEvent({ text: "<@UBOT> <@ULEO> can you check?" });
     const result = await normalizeSlackAppMention(
@@ -156,11 +126,11 @@ describe("normalizeSlackAppMention", () => {
       config,
       "UBOT",
       undefined,
-      { userLabels: { ULEO: "leo" } },
+      { userLabels: { UBOT: "vex", ULEO: "leo" } },
     );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("@leo can you check?");
+    expect(result!.event.message.content).toBe("@vex @leo can you check?");
   });
 
   test("renders unresolved user mentions with the unknown-user fallback", async () => {
@@ -174,7 +144,9 @@ describe("normalizeSlackAppMention", () => {
     );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("@unknown-user can you check?");
+    expect(result!.event.message.content).toBe(
+      "@unknown-user @unknown-user can you check?",
+    );
   });
 
   test("thread_ts is preserved in return value", async () => {
@@ -295,7 +267,7 @@ describe("Slack inbound mention rendering", () => {
     expect(result!.event.message.conversationExternalId).toBe("D_DIRECT1");
   });
 
-  test("channel messages strip only the configured bot mention and render remaining mentions", () => {
+  test("channel messages render bot and human mentions inline", () => {
     const config = makeConfig();
     const event = makeChannelMessageEvent({
       text: "<@UBOT> <@ULEO> hello",
@@ -306,16 +278,16 @@ describe("Slack inbound mention rendering", () => {
       config,
       "UBOT",
       undefined,
-      { userLabels: { ULEO: "leo" } },
+      { userLabels: { UBOT: "vex", ULEO: "leo" } },
     );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("@leo hello");
+    expect(result!.event.message.content).toBe("@vex @leo hello");
     expect(result!.event.actor.actorExternalId).toBe("U_USER123");
     expect(result!.event.message.conversationExternalId).toBe("C_CHANNEL1");
   });
 
-  test("channel messages without bot user ID strip only the first leading mention fallback", () => {
+  test("channel messages render with unknown-user fallback when bot label is missing", () => {
     const config = makeConfig();
     const event = makeChannelMessageEvent({
       text: "<@UBOT> <@ULEO> hello",
@@ -330,10 +302,10 @@ describe("Slack inbound mention rendering", () => {
     );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("@leo hello");
+    expect(result!.event.message.content).toBe("@unknown-user @leo hello");
   });
 
-  test("message edits render mentions and preserve edit metadata", () => {
+  test("message edits render bot and human mentions and preserve edit metadata", () => {
     const config = makeConfig();
     const event = makeMessageChangedEvent({
       message: {
@@ -347,11 +319,11 @@ describe("Slack inbound mention rendering", () => {
       "evt-edit-render",
       config,
       "UBOT",
-      { userLabels: { ULEO: "leo" } },
+      { userLabels: { UBOT: "vex", ULEO: "leo" } },
     );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("@leo edited");
+    expect(result!.event.message.content).toBe("@vex @leo edited");
     expect(result!.event.message.isEdit).toBe(true);
     expect(result!.event.message.externalMessageId).toBe("evt-edit-render");
     expect(result!.event.source.messageId).toBe("1700000000.000100");
@@ -424,7 +396,7 @@ describe("normalizeSlackMessageEdit", () => {
     expect(result).toBeNull();
   });
 
-  test("strips bot mention from edited text", () => {
+  test("renders bot mention in edited text", () => {
     const config = makeConfig();
     const event = makeMessageChangedEvent({
       message: {
@@ -433,10 +405,18 @@ describe("normalizeSlackMessageEdit", () => {
         ts: "1700000000.000100",
       },
     });
-    const result = normalizeSlackMessageEdit(event, "evt-104", config);
+    const result = normalizeSlackMessageEdit(
+      event,
+      "evt-104",
+      config,
+      "U123BOT",
+      {
+        userLabels: { U123BOT: "vex" },
+      },
+    );
 
     expect(result).not.toBeNull();
-    expect(result!.event.message.content).toBe("edited content");
+    expect(result!.event.message.content).toBe("@vex edited content");
   });
 
   test("sets actor.actorExternalId from edited message user", () => {

package/src/__tests__/slack-socket-mode-thread-tracking.test.ts

@@ -293,7 +293,7 @@ describe("SlackSocketModeClient thread tracking", () => {
       expect(emitted).toHaveLength(2);
       expect(emitted[0].event.source.updateId).toBe("Ev-race-mention");
       expect(emitted[0].event.message.content).toBe(
-        "@Example User can you help here?",
+        "@Example User @Example User can you help here?",
       );
       expect(emitted[1].event.source.updateId).toBe("Ev-race-reply");
       expect(emitted[1].event.message.content).toBe(
@@ -644,7 +644,9 @@ describe("SlackSocketModeClient thread tracking", () => {
       await flushAsyncEventEmission();
 
       expect(emitted).toHaveLength(1);
-      expect(emitted[0].event.message.content).toBe("@Leo please look");
+      expect(emitted[0].event.message.content).toBe(
+        "@Example User @Leo please look",
+      );
       expect(emitted[0].event.message.content).not.toContain("<@ULEO>");
       expect(emitted[0].event.message.content).not.toContain("ULEO");
     } finally {

package/src/__tests__/telegram-webhook-manager.test.ts

@@ -20,6 +20,9 @@ const { reconcileTelegramWebhook } =
 
 afterEach(() => {
   fetchMock = mock(async () => new Response());
+  delete process.env.IS_CONTAINERIZED;
+  delete process.env.VELLUM_PLATFORM_URL;
+  delete process.env.ASSISTANT_API_KEY;
 });
 
 function makeTelegramResponse(result: unknown) {
@@ -290,10 +293,9 @@ describe("reconcileTelegramWebhook", () => {
       "https://platform.example.com/v1/gateway/callbacks/11111111-2222-4333-8444-555555555555/webhooks/telegram/",
     );
     expect((calls[2].body as any).secret_token).toBe("test-webhook-secret");
-    delete process.env.IS_CONTAINERIZED;
   });
 
-  test("registers via credential cache for assistant ID", async () => {
+  test("registers via env assistant key and credential cache for assistant ID", async () => {
     const calls: {
       method: string;
       body: unknown;
@@ -301,7 +303,7 @@ describe("reconcileTelegramWebhook", () => {
     }[] = [];
     process.env.IS_CONTAINERIZED = "true";
     process.env.VELLUM_PLATFORM_URL = "https://env-platform.example.com";
-    process.env.PLATFORM_INTERNAL_API_KEY = "internal-key-from-env";
+    process.env.ASSISTANT_API_KEY = "env-key";
 
     const caches = makeCaches({
       ingressUrl: undefined,
@@ -359,21 +361,14 @@ describe("reconcileTelegramWebhook", () => {
       callback_path: "webhooks/telegram",
       type: "telegram",
     });
-    // PLATFORM_INTERNAL_API_KEY should use Bearer auth scheme
-    expect(calls[0].headers?.Authorization).toBe(
-      "Bearer internal-key-from-env",
-    );
+    expect(calls[0].headers?.Authorization).toBe("Api-Key env-key");
     expect(calls[2].method).toBe("setWebhook");
     expect((calls[2].body as any).url).toBe(
       "https://env-platform.example.com/v1/gateway/callbacks/aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee/webhooks/telegram/",
     );
-
-    delete process.env.IS_CONTAINERIZED;
-    delete process.env.VELLUM_PLATFORM_URL;
-    delete process.env.PLATFORM_INTERNAL_API_KEY;
   });
 
-  test("credential cache for assistant ID and base URL, env for auth key", async () => {
+  test("credential cache for assistant ID, base URL, and auth key", async () => {
     const calls: {
       method: string;
       body: unknown;
@@ -381,7 +376,6 @@ describe("reconcileTelegramWebhook", () => {
     }[] = [];
     process.env.IS_CONTAINERIZED = "true";
     process.env.VELLUM_PLATFORM_URL = "https://env-platform.example.com";
-    process.env.PLATFORM_INTERNAL_API_KEY = "env-internal-key";
 
     const caches = makeCaches({
       ingressUrl: undefined,
@@ -435,28 +429,20 @@ describe("reconcileTelegramWebhook", () => {
     expect(calls).toHaveLength(3);
     expect(calls[0].method).toBe("registerCallbackRoute");
     // platform_base_url: credential cache takes precedence over env var
-    // PLATFORM_INTERNAL_API_KEY: env var takes
-    // precedence, matching the daemon's resolvePlatformCallbackRegistrationContext().
     expect(calls[0].body).toEqual({
       assistant_id: "cache-assistant-id",
       callback_path: "webhooks/telegram",
       type: "telegram",
     });
-    expect(calls[0].headers?.Authorization).toBe("Bearer env-internal-key");
+    expect(calls[0].headers?.Authorization).toBe("Api-Key cache-api-key");
     // Registration URL should use cache platform URL
     expect((calls[2].body as any).url).toBe(
       "https://cache-platform.example.com/v1/gateway/callbacks/cache-assistant-id/webhooks/telegram/",
     );
-
-    delete process.env.IS_CONTAINERIZED;
-    delete process.env.VELLUM_PLATFORM_URL;
-    delete process.env.PLATFORM_INTERNAL_API_KEY;
   });
 
   test("skips registration when no platform URL is available from cache or env", async () => {
     process.env.IS_CONTAINERIZED = "true";
-    process.env.PLATFORM_INTERNAL_API_KEY = "internal-key-from-env";
-    delete process.env.VELLUM_PLATFORM_URL;
 
     const caches = makeCaches({
       ingressUrl: undefined,
@@ -471,9 +457,6 @@ describe("reconcileTelegramWebhook", () => {
 
     // No fetch calls should be made — registration is skipped
     expect(fetchMock).not.toHaveBeenCalled();
-
-    delete process.env.IS_CONTAINERIZED;
-    delete process.env.PLATFORM_INTERNAL_API_KEY;
   });
 
   test("calls setWebhook when current URL is empty", async () => {

package/src/__tests__/twilio-webhooks.test.ts

@@ -150,11 +150,7 @@ function makeCaches(
     ingressUrl?: string;
   } = {},
 ) {
-  const {
-    authToken = AUTH_TOKEN,
-    ingressEnabled,
-    ingressUrl,
-  } = opts;
+  const { authToken = AUTH_TOKEN, ingressEnabled, ingressUrl } = opts;
   const credentials = {
     get: async (key: string, _opts?: { force?: boolean }) => {
       if (key === credentialKey("twilio", "auth_token")) return authToken;
@@ -876,7 +872,7 @@ describe("Twilio webhook signature with canonical ingress base URL", () => {
 });
 
 describe("Twilio webhook force retry", () => {
-  test("refreshes Twilio-specific ingress URL before retrying signature validation", async () => {
+  test("refreshes configured ingress URL before retrying signature validation", async () => {
     fetchMock = mock(
       async () =>
         new Response('<?xml version="1.0" encoding="UTF-8"?><Response/>', {

package/src/__tests__/upsert-verified-contact-channel.test.ts

@@ -0,0 +1,173 @@
+/**
+ * Tests for upsertVerifiedContactChannel: must not reactivate
+ * revoked or blocked channels.
+ */
+
+import { describe, test, expect, beforeEach, mock } from "bun:test";
+
+import "./test-preload.js";
+
+// ---------------------------------------------------------------------------
+// DB mock — configurable per test
+// ---------------------------------------------------------------------------
+
+type ExistingRow = {
+  channelId: string;
+  contactId: string;
+  channelStatus: string;
+};
+
+let queryRows: ExistingRow[] = [];
+const runCalls: { sql: string; params: unknown[] }[] = [];
+
+mock.module("../db/assistant-db-proxy.js", () => ({
+  assistantDbQuery: async (_sql: string, _params: unknown[]) => queryRows,
+  assistantDbRun: async (sql: string, params: unknown[]) => {
+    runCalls.push({ sql, params });
+  },
+}));
+
+mock.module("../db/connection.js", () => ({
+  getGatewayDb: () => ({
+    update: () => ({ set: () => ({ where: () => ({ run: () => {} }) }) }),
+    insert: () => ({
+      values: () => ({ onConflictDoNothing: () => ({ run: () => {} }) }),
+    }),
+  }),
+}));
+
+mock.module("../db/schema.js", () => ({
+  contactChannels: "contactChannels",
+  contacts: "contacts",
+}));
+
+mock.module("drizzle-orm", () => ({
+  eq: (col: unknown, val: unknown) => ({ col, val }),
+}));
+
+mock.module("../verification/identity.js", () => ({
+  canonicalizeInboundIdentity: (_channel: string, id: string) => id,
+}));
+
+mock.module("../ipc/socket-path.js", () => ({
+  resolveIpcSocketPath: () => ({ path: "/tmp/test.sock" }),
+}));
+
+// Import after mocks
+const { upsertVerifiedContactChannel } = await import(
+  "../verification/contact-helpers.js"
+);
+
+beforeEach(() => {
+  queryRows = [];
+  runCalls.length = 0;
+});
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("upsertVerifiedContactChannel — revoked/blocked guards", () => {
+  test("skips update when existing channel is revoked", async () => {
+    queryRows = [
+      {
+        channelId: "ch-1",
+        contactId: "co-1",
+        channelStatus: "revoked",
+      },
+    ];
+
+    await upsertVerifiedContactChannel({
+      sourceChannel: "phone",
+      externalUserId: "+15550001111",
+      externalChatId: "+15550001111",
+    });
+
+    expect(runCalls.filter((c) => c.sql.includes("UPDATE"))).toHaveLength(0);
+  });
+
+  test("skips update when channel is blocked", async () => {
+    queryRows = [
+      {
+        channelId: "ch-2",
+        contactId: "co-2",
+        channelStatus: "blocked",
+      },
+    ];
+
+    await upsertVerifiedContactChannel({
+      sourceChannel: "phone",
+      externalUserId: "+15550001111",
+      externalChatId: "+15550001111",
+    });
+
+    expect(runCalls.filter((c) => c.sql.includes("UPDATE"))).toHaveLength(0);
+  });
+
+  test("skips update when a guardian's channel is revoked", async () => {
+    queryRows = [
+      {
+        channelId: "ch-3",
+        contactId: "co-3",
+        channelStatus: "revoked",
+      },
+    ];
+
+    await upsertVerifiedContactChannel({
+      sourceChannel: "phone",
+      externalUserId: "+15550001111",
+      externalChatId: "+15550001111",
+    });
+
+    expect(runCalls.filter((c) => c.sql.includes("UPDATE"))).toHaveLength(0);
+  });
+
+  test("updates an active channel belonging to a guardian contact", async () => {
+    queryRows = [
+      {
+        channelId: "ch-4",
+        contactId: "co-4",
+        channelStatus: "active",
+      },
+    ];
+
+    await upsertVerifiedContactChannel({
+      sourceChannel: "phone",
+      externalUserId: "+15550001111",
+      externalChatId: "+15550001111",
+    });
+
+    expect(runCalls.filter((c) => c.sql.includes("UPDATE"))).toHaveLength(1);
+  });
+
+  test("updates an active channel belonging to a non-guardian contact", async () => {
+    queryRows = [
+      {
+        channelId: "ch-5",
+        contactId: "co-5",
+        channelStatus: "active",
+      },
+    ];
+
+    await upsertVerifiedContactChannel({
+      sourceChannel: "phone",
+      externalUserId: "+15550001111",
+      externalChatId: "+15550001111",
+    });
+
+    expect(runCalls.filter((c) => c.sql.includes("UPDATE"))).toHaveLength(1);
+  });
+
+  test("creates new contact + channel when no existing channel found", async () => {
+    queryRows = [];
+
+    await upsertVerifiedContactChannel({
+      sourceChannel: "phone",
+      externalUserId: "+15550009999",
+      externalChatId: "+15550009999",
+    });
+
+    const inserts = runCalls.filter((c) => c.sql.includes("INSERT"));
+    expect(inserts).toHaveLength(2);
+  });
+});