@vellumai/vellum-gateway 0.8.1 → 0.8.2

package/src/__tests__/ipc-route-policy.test.ts

@@ -65,3 +65,96 @@ describe("ipc-route-policy: inference provider connections", () => {
     expect(policy!.requiredScopes).toEqual(["settings.write"]);
   });
 });
+
+describe("ipc-route-policy: ATL-315 Batch 18 — new operationIds", () => {
+  // Batch 18 added IPC policy entries for operationIds shipped after the
+  // initial ATL-315 cutover. Without these entries, an authenticated edge
+  // JWT with only `chat.read` could reach sensitive routes (config writes,
+  // platform connect, schedule creation, credential mutations, sequence
+  // mutations, debug bash, etc.) by setting `X-Vellum-Proxy-Server: ipc`.
+  //
+  // These tests pin the scope mapping so a future refactor can't silently
+  // weaken it.
+
+  // Scope assertions — every Batch 18 entry must match the daemon HTTP
+  // scope its `policyKey`/method resolves to. Asserted explicitly here
+  // so a future refactor can't silently widen IPC vs. HTTP.
+  test.each([
+    // Reads — settings.read
+    ["backup_destinations_list", "settings.read"],
+    ["backup_status", "settings.read"],
+    ["backups_list", "settings.read"],
+    ["backups_verify", "settings.read"],
+    ["config_allowlist_validate", "settings.read"],
+    ["config_schema_get", "settings.read"],
+    ["credentials_status", "settings.read"],
+    ["domain_status", "settings.read"],
+    ["email_attachment_get", "settings.read"],
+    ["email_attachment_list", "settings.read"],
+    ["email_download", "settings.read"],
+    ["email_list", "settings.read"],
+    ["email_status", "settings.read"],
+    ["platform_callback_routes_list", "settings.read"],
+    ["platform_status", "settings.read"],
+    ["sequence_get", "settings.read"],
+    ["sequence_guardrails_show", "settings.read"],
+    ["sequence_list", "settings.read"],
+    ["sequence_stats", "settings.read"],
+
+    // Writes — settings.write
+    ["backup_destinations_add", "settings.write"],
+    ["backup_destinations_remove", "settings.write"],
+    ["backup_destinations_set_encrypt", "settings.write"],
+    ["backup_disable", "settings.write"],
+    ["backup_enable", "settings.write"],
+    ["backups_create", "settings.write"],
+    ["backups_restore", "settings.write"],
+    ["config_set", "settings.write"],
+    ["createSchedule", "settings.write"],
+    ["credentials_delete", "settings.write"],
+    ["credentials_set", "settings.write"],
+    ["debug_bash", "settings.write"],
+    ["domain_register", "settings.write"],
+    ["email_register", "settings.write"],
+    ["email_send", "settings.write"],
+    ["email_unregister", "settings.write"],
+    ["platform_callback_routes_register", "settings.write"],
+    ["platform_connect", "settings.write"],
+    ["platform_disconnect", "settings.write"],
+    ["sequence_cancel_enrollment", "settings.write"],
+    ["sequence_guardrails_set", "settings.write"],
+    ["sequence_pause", "settings.write"],
+    ["sequence_resume", "settings.write"],
+
+    // Conversation CLI — daemon elevates from chat.* to settings.*
+    // because `conversations/cli/clear` wipes every conversation +
+    // message + vector collection. IPC mirrors that elevation.
+    ["conversation_export_cli", "settings.read"],
+    ["conversation_list_cli", "settings.read"],
+    ["conversation_create_cli", "settings.write"],
+    ["conversations_clear_cli", "settings.write"],
+
+    // Credentials — every credential route uses policyKey: "secrets",
+    // which resolves to settings.write on POST and settings.read on GET.
+    ["credentials_inspect", "settings.write"],
+    ["credentials_list", "settings.write"],
+    ["credentials_reveal", "settings.write"],
+
+    // STT / TTS CLI — mirror daemon HTTP scopes
+    ["stt_transcribe_file", "chat.write"],
+    ["tts_synthesize_cli", "chat.read"],
+  ] as const)("%s requires %s", (operationId, expectedScope) => {
+    const policy = getIpcRoutePolicy(operationId);
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toEqual([expectedScope]);
+  });
+
+  // Principal restriction — `stt_transcribe_file` reads arbitrary host
+  // filesystem paths. The daemon HTTP policy locks it to ["local"] for
+  // that reason; the IPC entry must mirror that boundary.
+  test("stt_transcribe_file is restricted to local principal", () => {
+    const policy = getIpcRoutePolicy("stt_transcribe_file");
+    expect(policy).toBeDefined();
+    expect(policy!.allowedPrincipalTypes).toEqual(["local"]);
+  });
+});

package/src/__tests__/logger-retention.test.ts

@@ -0,0 +1,115 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import {
+  existsSync,
+  mkdtempSync,
+  readdirSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import {
+  initLogger,
+  pruneOldLogFiles,
+  getLogger,
+} from "../logger.js";
+
+// NOTE: `sleep-wake-detector.test.ts` installs a process-global
+// `mock.module("../logger.js", …)` with a no-op `initLogger`. That would
+// break the `initLogger prunes once at startup` case below if both files
+// ran in the same Bun process. They don't — `gateway/scripts/test.sh` runs
+// each test file in its own `bun test` invocation precisely to dodge this
+// class of mock cross-talk. If you ever invoke `bun test` directly across
+// multiple files, expect order-dependent flakes and use the canonical
+// runner (`bun run test`) instead.
+
+/**
+ * Helper that fabricates a log file dated `daysAgo` calendar days ago, in
+ * either pretty `.log` or sidecar `.jsonl` form. Used to assert that the
+ * retention sweep prunes both formats once `retentionDays` has elapsed.
+ */
+function makeLogFile(dir: string, daysAgo: number, ext: "log" | "jsonl"): string {
+  const d = new Date();
+  d.setUTCDate(d.getUTCDate() - daysAgo);
+  const stamp = `${d.getUTCFullYear()}-${String(d.getUTCMonth() + 1).padStart(2, "0")}-${String(d.getUTCDate()).padStart(2, "0")}`;
+  const name = `gateway-${stamp}.${ext}`;
+  writeFileSync(join(dir, name), `placeholder for ${stamp}\n`);
+  return name;
+}
+
+describe("gateway log retention", () => {
+  let tmp: string;
+
+  beforeEach(() => {
+    tmp = mkdtempSync(join(tmpdir(), "gw-retention-"));
+  });
+
+  afterEach(() => {
+    rmSync(tmp, { recursive: true, force: true });
+  });
+
+  test("pruneOldLogFiles removes both .log and .jsonl past retention", () => {
+    const young = makeLogFile(tmp, 1, "log");
+    const youngJsonl = makeLogFile(tmp, 1, "jsonl");
+    const old = makeLogFile(tmp, 10, "log");
+    const oldJsonl = makeLogFile(tmp, 10, "jsonl");
+
+    const removed = pruneOldLogFiles(tmp, 7);
+
+    expect(removed).toBe(2);
+    const remaining = readdirSync(tmp).sort();
+    expect(remaining).toEqual([young, youngJsonl].sort());
+    expect(existsSync(join(tmp, old))).toBe(false);
+    expect(existsSync(join(tmp, oldJsonl))).toBe(false);
+  });
+
+  test("pruneOldLogFiles ignores unrelated files in the log dir", () => {
+    makeLogFile(tmp, 10, "log");
+    writeFileSync(join(tmp, "something-else.log"), "not a gateway log\n");
+    writeFileSync(join(tmp, "README"), "noise\n");
+
+    pruneOldLogFiles(tmp, 7);
+
+    expect(existsSync(join(tmp, "something-else.log"))).toBe(true);
+    expect(existsSync(join(tmp, "README"))).toBe(true);
+  });
+
+  test("initLogger prunes once at startup", () => {
+    const old = makeLogFile(tmp, 10, "log");
+    const oldJsonl = makeLogFile(tmp, 10, "jsonl");
+
+    initLogger({ dir: tmp, retentionDays: 7 });
+
+    expect(existsSync(join(tmp, old))).toBe(false);
+    expect(existsSync(join(tmp, oldJsonl))).toBe(false);
+    // Detach from this temp dir before the test teardown rmSyncs it.
+    initLogger({ dir: undefined, retentionDays: 0 });
+  });
+
+  test("retentionDays=0 disables pruning", () => {
+    const old = makeLogFile(tmp, 365, "log");
+
+    // Exercises the guard directly; doesn't depend on `initLogger`'s
+    // module-level state (or any mocks thereof).
+    const removed = pruneOldLogFiles(tmp, 0);
+
+    expect(removed).toBe(0);
+    expect(existsSync(join(tmp, old))).toBe(true);
+  });
+
+  test("retentionDays<0 also disables pruning (defense-in-depth)", () => {
+    const old = makeLogFile(tmp, 365, "log");
+    expect(pruneOldLogFiles(tmp, -7)).toBe(0);
+    expect(existsSync(join(tmp, old))).toBe(true);
+  });
+
+  test("getLogger() works against a configured dir without throwing", () => {
+    initLogger({ dir: tmp, retentionDays: 7 });
+    const log = getLogger("retention-test");
+    // Smoke: just verify the proxy yields a callable .info — full file
+    // emission is covered by the smoke test in logger.ts's own usage.
+    expect(typeof log.info).toBe("function");
+    initLogger({ dir: undefined, retentionDays: 0 });
+  });
+});

package/src/__tests__/nonbash-trust-rule-overrides.test.ts

@@ -24,6 +24,7 @@ const dummyFileContext: FileClassificationContext = {
   protectedDir: "/tmp/test-protected",
   deprecatedDir: "/tmp/test-deprecated",
   hooksDir: "/tmp/test-hooks",
+  pluginsDir: "/tmp/test-plugins",
   skillSourceDirs: [],
 };
 

package/src/__tests__/slack-display-name.test.ts

@@ -15,8 +15,11 @@ mock.module("../fetch.js", () => ({
 
 const {
   normalizeSlackAppMention,
+  resolveSlackChannel,
   resolveSlackUser,
+  clearChannelInfoCache,
   clearUserInfoCache,
+  getChannelInfoCacheSize,
   getUserInfoCacheSize,
 } = await import("../slack/normalize.js");
 import type { SlackAppMentionEvent } from "../slack/normalize.js";
@@ -63,6 +66,7 @@ function makeEvent(
 
 beforeEach(() => {
   clearUserInfoCache();
+  clearChannelInfoCache();
 });
 
 describe("resolveSlackUser", () => {
@@ -149,6 +153,72 @@ describe("resolveSlackUser", () => {
   });
 });
 
+describe("resolveSlackChannel", () => {
+  test("resolves channel name from conversations.info", async () => {
+    fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({
+          ok: true,
+          channel: { id: "C123", name: "user-feedback" },
+        }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    });
+
+    const info = await resolveSlackChannel("C123", "xoxb-token");
+    expect(info).not.toBeUndefined();
+    expect(info!.name).toBe("user-feedback");
+  });
+
+  test("uses name_normalized when name is absent", async () => {
+    fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({
+          ok: true,
+          channel: { id: "C123", name_normalized: "normalized-channel" },
+        }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    });
+
+    const info = await resolveSlackChannel("C123", "xoxb-token");
+    expect(info!.name).toBe("normalized-channel");
+  });
+
+  test("returns undefined on API failure", async () => {
+    fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({ ok: false, error: "channel_not_found" }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    });
+
+    const info = await resolveSlackChannel("C_UNKNOWN", "xoxb-token");
+    expect(info).toBeUndefined();
+  });
+
+  test("caches channel names to avoid repeated API calls", async () => {
+    let callCount = 0;
+    fetchMock = mock(async () => {
+      callCount++;
+      return new Response(
+        JSON.stringify({
+          ok: true,
+          channel: { id: "C_CACHED", name: "cached-channel" },
+        }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    });
+
+    await resolveSlackChannel("C_CACHED", "xoxb-token");
+    await resolveSlackChannel("C_CACHED", "xoxb-token");
+    await resolveSlackChannel("C_CACHED", "xoxb-token");
+
+    expect(callCount).toBe(1);
+    expect(getChannelInfoCacheSize()).toBe(1);
+  });
+});
+
 describe("normalizeSlackAppMention with display name", () => {
   test("omits displayName on first call (cache miss), populates on second after cache warm", async () => {
     fetchMock = mock(async () => {

package/src/__tests__/slack-socket-mode-scopes.test.ts

@@ -5,15 +5,16 @@ import { inspectSlackScopes } from "../slack/socket-mode.js";
 describe("inspectSlackScopes", () => {
   test("flags files:read when missing", () => {
     const result = inspectSlackScopes(
-      "app_mentions:read,channels:history,im:history,groups:history,mpim:history",
+      "app_mentions:read,channels:history,im:history,groups:history,mpim:history,channels:read,im:read,groups:read,mpim:read",
     );
     expect(result.filesReadMissing).toBe(true);
     expect(result.missingHistoryScopes).toEqual([]);
+    expect(result.missingConversationInfoScopes).toEqual([]);
   });
 
   test("returns exactly the missing *:history scopes", () => {
     const result = inspectSlackScopes(
-      "app_mentions:read,files:read,channels:history",
+      "app_mentions:read,files:read,channels:history,channels:read,im:read,groups:read,mpim:read",
     );
     expect(result.filesReadMissing).toBe(false);
     expect(result.missingHistoryScopes.sort()).toEqual([
@@ -21,14 +22,29 @@ describe("inspectSlackScopes", () => {
       "im:history",
       "mpim:history",
     ]);
+    expect(result.missingConversationInfoScopes).toEqual([]);
+  });
+
+  test("returns exactly the missing *:read scopes for conversations.info", () => {
+    const result = inspectSlackScopes(
+      "app_mentions:read,files:read,channels:history,im:history,groups:history,mpim:history,channels:read",
+    );
+    expect(result.filesReadMissing).toBe(false);
+    expect(result.missingHistoryScopes).toEqual([]);
+    expect(result.missingConversationInfoScopes.sort()).toEqual([
+      "groups:read",
+      "im:read",
+      "mpim:read",
+    ]);
   });
 
   test("returns no missing scopes when all required are present", () => {
     const result = inspectSlackScopes(
-      "app_mentions:read,files:read,channels:history,im:history,groups:history,mpim:history",
+      "app_mentions:read,files:read,channels:history,im:history,groups:history,mpim:history,channels:read,im:read,groups:read,mpim:read",
     );
     expect(result.filesReadMissing).toBe(false);
     expect(result.missingHistoryScopes).toEqual([]);
+    expect(result.missingConversationInfoScopes).toEqual([]);
   });
 
   test("treats an empty scope header as everything missing", () => {
@@ -40,13 +56,20 @@ describe("inspectSlackScopes", () => {
       "im:history",
       "mpim:history",
     ]);
+    expect(result.missingConversationInfoScopes.sort()).toEqual([
+      "channels:read",
+      "groups:read",
+      "im:read",
+      "mpim:read",
+    ]);
   });
 
   test("ignores whitespace and empty entries in the header", () => {
     const result = inspectSlackScopes(
-      " files:read , channels:history,, im:history ,groups:history,mpim:history",
+      " files:read , channels:history,, im:history ,groups:history,mpim:history, channels:read, im:read, groups:read, mpim:read",
     );
     expect(result.filesReadMissing).toBe(false);
     expect(result.missingHistoryScopes).toEqual([]);
+    expect(result.missingConversationInfoScopes).toEqual([]);
   });
 });

package/src/__tests__/slack-socket-mode-thread-tracking.test.ts

@@ -33,7 +33,7 @@ mock.module("../fetch.js", () => ({
 }));
 
 const { SlackSocketModeClient } = await import("../slack/socket-mode.js");
-const { clearUserInfoCache, resolveSlackUser } =
+const { clearChannelInfoCache, clearUserInfoCache, resolveSlackUser } =
   await import("../slack/normalize.js");
 import type { SlackSocketModeConfig } from "../slack/socket-mode.js";
 
@@ -150,6 +150,7 @@ function flushAsyncEventEmission(): Promise<void> {
 
 beforeEach(() => {
   clearUserInfoCache();
+  clearChannelInfoCache();
   fetchMock = mock(async () => makeSlackUserResponse());
 });
 
@@ -653,4 +654,107 @@ describe("SlackSocketModeClient thread tracking", () => {
       rawDb.close();
     }
   });
+
+  test("renders live app mention channel refs as channel-name labels", async () => {
+    const { rawDb, store } = createSlackStore();
+    const emitted: NormalizedSlackEvent[] = [];
+    const client = createHarness(store, (event) => emitted.push(event));
+    const ws = makeOpenSocket();
+
+    fetchMock = mock(async (input) => {
+      const url = new URL(String(input));
+      if (url.pathname.endsWith("/conversations.info")) {
+        expect(url.searchParams.get("channel")).toBe("CFEEDBACK");
+        return new Response(
+          JSON.stringify({
+            ok: true,
+            channel: { id: "CFEEDBACK", name: "user-feedback" },
+          }),
+          { status: 200, headers: { "content-type": "application/json" } },
+        );
+      }
+      return makeSlackUserResponse();
+    });
+
+    try {
+      client.handleMessage(
+        JSON.stringify({
+          envelope_id: "env-channel-label",
+          type: "events_api",
+          payload: {
+            event_id: "Ev-channel-label",
+            event: {
+              type: "app_mention",
+              user: "U-actor",
+              text: "<@UBOT> continue in <#CFEEDBACK>",
+              ts: "1700000000.000900",
+              channel: "C-thread",
+            },
+          },
+        }),
+        ws,
+      );
+      await flushAsyncEventEmission();
+
+      expect(emitted).toHaveLength(1);
+      expect(emitted[0].event.message.content).toBe(
+        "@Example User continue in #user-feedback",
+      );
+      expect(emitted[0].event.message.content).not.toContain("CFEEDBACK");
+    } finally {
+      rawDb.close();
+    }
+  });
+
+  test("keeps embedded Slack channel labels without conversations.info lookup", async () => {
+    const { rawDb, store } = createSlackStore();
+    const emitted: NormalizedSlackEvent[] = [];
+    const client = createHarness(store, (event) => emitted.push(event));
+    const ws = makeOpenSocket();
+    let conversationInfoCalls = 0;
+
+    fetchMock = mock(async (input) => {
+      const url = new URL(String(input));
+      if (url.pathname.endsWith("/conversations.info")) {
+        conversationInfoCalls++;
+        return new Response(
+          JSON.stringify({
+            ok: true,
+            channel: { id: "CFEEDBACK", name: "private-name" },
+          }),
+          { status: 200, headers: { "content-type": "application/json" } },
+        );
+      }
+      return makeSlackUserResponse();
+    });
+
+    try {
+      client.handleMessage(
+        JSON.stringify({
+          envelope_id: "env-channel-embedded-label",
+          type: "events_api",
+          payload: {
+            event_id: "Ev-channel-embedded-label",
+            event: {
+              type: "app_mention",
+              user: "U-actor",
+              text: "<@UBOT> continue in <#CFEEDBACK|visible-name>",
+              ts: "1700000000.001000",
+              channel: "C-thread",
+            },
+          },
+        }),
+        ws,
+      );
+      await flushAsyncEventEmission();
+
+      expect(emitted).toHaveLength(1);
+      expect(emitted[0].event.message.content).toBe(
+        "@Example User continue in #visible-name",
+      );
+      expect(conversationInfoCalls).toBe(0);
+    } finally {
+      rawDb.close();
+    }
+  });
 });

package/src/__tests__/trust-rule-store.test.ts

@@ -87,6 +87,55 @@ describe("create()", () => {
     expect(rule.createdAt <= after).toBe(true);
     expect(rule.updatedAt).toBe(rule.createdAt);
   });
+
+  test("upserts when a rule with the same tool+pattern already exists", () => {
+    const original = store.create({
+      tool: "bash",
+      pattern: "create-upsert-echo",
+      risk: "low",
+      description: "Original description",
+    });
+
+    const updated = store.create({
+      tool: "bash",
+      pattern: "create-upsert-echo",
+      risk: "high",
+      description: "Updated description",
+    });
+
+    expect(updated.id).toBe(original.id);
+    expect(updated.risk).toBe("high");
+    expect(updated.description).toBe("Updated description");
+    expect(updated.origin).toBe("user_defined");
+    expect(updated.createdAt).toBe(original.createdAt);
+    expect(updated.updatedAt >= original.updatedAt).toBe(true);
+  });
+
+  test("upsert un-deletes a soft-deleted rule with the same tool+pattern", () => {
+    store.upsertDefault({
+      id: "default:bash:create-upsert-undelete",
+      tool: "bash",
+      pattern: "create-upsert-undelete",
+      risk: "low",
+      description: "Default rule",
+    });
+    store.remove("default:bash:create-upsert-undelete");
+
+    const deleted = store.getById("default:bash:create-upsert-undelete")!;
+    expect(deleted.deleted).toBe(true);
+
+    const recreated = store.create({
+      tool: "bash",
+      pattern: "create-upsert-undelete",
+      risk: "medium",
+      description: "Re-created by user",
+    });
+
+    expect(recreated.deleted).toBe(false);
+    expect(recreated.risk).toBe("medium");
+    expect(recreated.description).toBe("Re-created by user");
+    expect(recreated.origin).toBe("user_defined");
+  });
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/upsert-verified-contact-channel.test.ts

@@ -3,7 +3,10 @@
  * revoked or blocked channels.
  */
 
-import { describe, test, expect, beforeEach, mock } from "bun:test";
+import { describe, test, expect, beforeEach, afterEach, mock } from "bun:test";
+import { rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
 
 import "./test-preload.js";
 
@@ -18,10 +21,18 @@ type ExistingRow = {
 };
 
 let queryRows: ExistingRow[] = [];
+const queryCalls: { sql: string; params: unknown[] }[] = [];
 const runCalls: { sql: string; params: unknown[] }[] = [];
+const TEST_SOCKET_PATH = join(
+  tmpdir(),
+  `vellum-upsert-contact-channel-test-${process.pid}.sock`,
+);
 
 mock.module("../db/assistant-db-proxy.js", () => ({
-  assistantDbQuery: async (_sql: string, _params: unknown[]) => queryRows,
+  assistantDbQuery: async (sql: string, params: unknown[]) => {
+    queryCalls.push({ sql, params });
+    return queryRows;
+  },
   assistantDbRun: async (sql: string, params: unknown[]) => {
     runCalls.push({ sql, params });
   },
@@ -50,17 +61,22 @@ mock.module("../verification/identity.js", () => ({
 }));
 
 mock.module("../ipc/socket-path.js", () => ({
-  resolveIpcSocketPath: () => ({ path: "/tmp/test.sock" }),
+  resolveIpcSocketPath: () => ({ path: TEST_SOCKET_PATH }),
 }));
 
 // Import after mocks
-const { upsertVerifiedContactChannel } = await import(
-  "../verification/contact-helpers.js"
-);
+const { upsertContactChannel, upsertVerifiedContactChannel } =
+  await import("../verification/contact-helpers.js");
 
 beforeEach(() => {
   queryRows = [];
+  queryCalls.length = 0;
   runCalls.length = 0;
+  writeFileSync(TEST_SOCKET_PATH, "");
+});
+
+afterEach(() => {
+  rmSync(TEST_SOCKET_PATH, { force: true });
 });
 
 // ---------------------------------------------------------------------------
@@ -171,3 +187,30 @@ describe("upsertVerifiedContactChannel — revoked/blocked guards", () => {
     expect(inserts).toHaveLength(2);
   });
 });
+
+describe("upsertContactChannel — channel address casing", () => {
+  test("preserves Slack actor ID casing when seeding an inbound contact channel", async () => {
+    queryRows = [];
+
+    await upsertContactChannel({
+      sourceChannel: "slack",
+      externalUserId: "U123EXAMPLE",
+      externalChatId: "D123EXAMPLE",
+    });
+
+    const channelInsert = runCalls.find((c) =>
+      c.sql.includes("INSERT OR IGNORE INTO contact_channels"),
+    );
+    expect(channelInsert).toBeTruthy();
+    expect(channelInsert!.params[3]).toBe("U123EXAMPLE");
+    expect(channelInsert!.params[4]).toBe("U123EXAMPLE");
+
+    expect(queryCalls[0]!.sql).toContain("CASE WHEN cc.address = ?");
+    expect(queryCalls[0]!.params).toEqual([
+      "slack",
+      "U123EXAMPLE",
+      "U123EXAMPLE",
+      "U123EXAMPLE",
+    ]);
+  });
+});