vellum 0.2.12 → 0.2.14

package/src/__tests__/conflict-policy.test.ts

@@ -0,0 +1,121 @@
+import { describe, expect, test } from 'bun:test';
+import {
+  isConflictKindEligible,
+  isConflictKindPairEligible,
+  isTransientTrackingStatement,
+  isDurableInstructionStatement,
+  isStatementConflictEligible,
+} from '../memory/conflict-policy.js';
+
+describe('conflict-policy', () => {
+  const config = { conflictableKinds: ['preference', 'profile', 'constraint'] };
+
+  describe('isConflictKindEligible', () => {
+    test('returns true for eligible kind', () => {
+      expect(isConflictKindEligible('preference', config)).toBe(true);
+      expect(isConflictKindEligible('profile', config)).toBe(true);
+      expect(isConflictKindEligible('constraint', config)).toBe(true);
+    });
+
+    test('returns false for ineligible kind', () => {
+      expect(isConflictKindEligible('project', config)).toBe(false);
+      expect(isConflictKindEligible('todo', config)).toBe(false);
+      expect(isConflictKindEligible('fact', config)).toBe(false);
+    });
+  });
+
+  describe('isConflictKindPairEligible', () => {
+    test('returns true when both kinds are eligible', () => {
+      expect(isConflictKindPairEligible('preference', 'profile', config)).toBe(true);
+    });
+
+    test('returns false when existing kind is ineligible', () => {
+      expect(isConflictKindPairEligible('project', 'preference', config)).toBe(false);
+    });
+
+    test('returns false when candidate kind is ineligible', () => {
+      expect(isConflictKindPairEligible('preference', 'todo', config)).toBe(false);
+    });
+
+    test('returns false when both kinds are ineligible', () => {
+      expect(isConflictKindPairEligible('project', 'todo', config)).toBe(false);
+    });
+  });
+
+  describe('isTransientTrackingStatement', () => {
+    test('detects PR URLs', () => {
+      expect(isTransientTrackingStatement('Track https://github.com/org/repo/pull/5526')).toBe(true);
+    });
+
+    test('detects issue/ticket references', () => {
+      expect(isTransientTrackingStatement('Track PR #5526 and #5525')).toBe(true);
+      expect(isTransientTrackingStatement('See issue #42 for details')).toBe(true);
+      expect(isTransientTrackingStatement('Filed ticket 1234')).toBe(true);
+    });
+
+    test('detects tracking language', () => {
+      expect(isTransientTrackingStatement('While we wait for CI to pass')).toBe(true);
+      expect(isTransientTrackingStatement('This PR needs review')).toBe(true);
+    });
+
+    test('does not flag generic time words as transient', () => {
+      expect(isTransientTrackingStatement('The deadline is today')).toBe(false);
+      expect(isTransientTrackingStatement('I need this right now')).toBe(false);
+    });
+
+    test('does not flag durable statements', () => {
+      expect(isTransientTrackingStatement('Always answer with concise bullet points')).toBe(false);
+      expect(isTransientTrackingStatement('User prefers dark mode')).toBe(false);
+    });
+
+    test('does not false-positive on non-PR URLs', () => {
+      expect(isTransientTrackingStatement('Visit https://example.com for docs')).toBe(false);
+    });
+  });
+
+  describe('isDurableInstructionStatement', () => {
+    test('detects durable instruction cues', () => {
+      expect(isDurableInstructionStatement('Always answer with concise bullet points')).toBe(true);
+      expect(isDurableInstructionStatement('Never use semicolons in JavaScript')).toBe(true);
+      expect(isDurableInstructionStatement('Use concise format for status updates')).toBe(true);
+      expect(isDurableInstructionStatement('The default database is Postgres')).toBe(true);
+    });
+
+    test('rejects statements without durable cues', () => {
+      expect(isDurableInstructionStatement('Check the build output')).toBe(false);
+      expect(isDurableInstructionStatement('Run the migration script')).toBe(false);
+    });
+  });
+
+  describe('isStatementConflictEligible', () => {
+    test('rejects transient statements for any kind', () => {
+      expect(isStatementConflictEligible('preference', 'Track PR #5526')).toBe(false);
+      expect(isStatementConflictEligible('instruction', 'This PR needs review')).toBe(false);
+    });
+
+    test('accepts durable instruction statements', () => {
+      expect(isStatementConflictEligible('instruction', 'Always use TypeScript strict mode')).toBe(true);
+      expect(isStatementConflictEligible('style', 'Default to concise format')).toBe(true);
+    });
+
+    test('rejects non-durable instruction statements', () => {
+      expect(isStatementConflictEligible('instruction', 'Run the build first')).toBe(false);
+      expect(isStatementConflictEligible('style', 'Check the output')).toBe(false);
+    });
+
+    test('accepts non-transient statements for non-instruction kinds', () => {
+      expect(isStatementConflictEligible('preference', 'User prefers dark mode')).toBe(true);
+      expect(isStatementConflictEligible('fact', 'User works at Acme Corp')).toBe(true);
+    });
+
+    test('rejects kinds not in conflictableKinds when config is provided', () => {
+      const policyConfig = { conflictableKinds: ['preference', 'profile'] };
+      expect(isStatementConflictEligible('fact', 'User works at Acme Corp', policyConfig)).toBe(false);
+      expect(isStatementConflictEligible('preference', 'User prefers dark mode', policyConfig)).toBe(true);
+    });
+
+    test('skips kind check when config is omitted', () => {
+      expect(isStatementConflictEligible('fact', 'User works at Acme Corp')).toBe(true);
+    });
+  });
+});

package/src/__tests__/conflict-store.test.ts

@@ -233,6 +233,8 @@ describe('conflict-store', () => {
     expect(details).toHaveLength(1);
     expect(details[0].existingStatement).toBe('Existing statement details');
     expect(details[0].candidateStatement).toBe('Candidate statement details');
+    expect(details[0].existingKind).toBe('fact');
+    expect(details[0].candidateKind).toBe('fact');
   });
 
   test('applyConflictResolution keeps candidate and resolves conflict row', () => {

package/src/__tests__/contacts-tools.test.ts

@@ -32,9 +32,9 @@ mock.module('../config/loader.js', () => ({
 import type { Database } from 'bun:sqlite';
 import { initializeDb, getDb, resetDb } from '../memory/db.js';
 import type { ToolContext } from '../tools/types.js';
-import { executeContactUpsert } from '../tools/contacts/contact-upsert.js';
-import { executeContactSearch } from '../tools/contacts/contact-search.js';
-import { executeContactMerge } from '../tools/contacts/contact-merge.js';
+import { executeContactUpsert } from '../config/bundled-skills/contacts/tools/contact-upsert.js';
+import { executeContactSearch } from '../config/bundled-skills/contacts/tools/contact-search.js';
+import { executeContactMerge } from '../config/bundled-skills/contacts/tools/contact-merge.js';
 
 initializeDb();
 

package/src/__tests__/contradiction-checker.test.ts

@@ -51,9 +51,18 @@ mock.module('../util/logger.js', () => ({
   }),
 }));
 
+let mockConflictableKinds: string[] = [
+  'preference', 'profile', 'constraint', 'instruction', 'style',
+];
+
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
     apiKeys: { anthropic: 'test-key' },
+    memory: {
+      conflicts: {
+        conflictableKinds: mockConflictableKinds,
+      },
+    },
   }),
 }));
 
@@ -67,6 +76,9 @@ beforeAll(() => {
 
 beforeEach(() => {
   classifyCallCount = 0;
+  mockConflictableKinds = [
+    'preference', 'profile', 'constraint', 'instruction', 'style',
+  ];
   const db = getDb();
   db.run('DELETE FROM memory_item_conflicts');
   db.run('DELETE FROM memory_item_sources');
@@ -88,12 +100,13 @@ function insertMemoryItem(params: {
   statement: string;
   scopeId?: string;
   status?: 'active' | 'pending_clarification';
+  kind?: string;
 }): void {
   const now = Date.now();
   const db = getDb();
   db.insert(memoryItems).values({
     id: params.id,
-    kind: 'preference',
+    kind: params.kind ?? 'preference',
     subject: 'framework preference',
     statement: params.statement,
     status: params.status ?? 'active',
@@ -213,4 +226,89 @@ describe('checkContradictions', () => {
     expect(candidate?.status).toBe('active');
     expect(conflicts).toHaveLength(0);
   });
+
+  test('project kind ambiguous contradiction does not generate pending conflict with default config', async () => {
+    nextRelationship = 'ambiguous_contradiction';
+    nextExplanation = 'Project items may conflict but are not durable.';
+
+    insertMemoryItem({
+      id: 'item-existing-project',
+      statement: 'The backend uses Node.js.',
+      kind: 'project',
+    });
+    insertMemoryItem({
+      id: 'item-candidate-project',
+      statement: 'The backend uses Deno.',
+      kind: 'project',
+    });
+
+    await checkContradictions('item-candidate-project');
+
+    expect(classifyCallCount).toBe(0);
+    const db = getDb();
+    const conflicts = db.select().from(memoryItemConflicts).all();
+    expect(conflicts).toHaveLength(0);
+  });
+
+  test('skips classification when item kind is not in conflictableKinds', async () => {
+    mockConflictableKinds = ['instruction', 'style'];
+    nextRelationship = 'ambiguous_contradiction';
+
+    insertMemoryItem({
+      id: 'item-existing-ineligible',
+      statement: 'User prefers React for frontend work.',
+    });
+    insertMemoryItem({
+      id: 'item-candidate-ineligible',
+      statement: 'User prefers Vue for frontend work.',
+    });
+
+    await checkContradictions('item-candidate-ineligible');
+
+    expect(classifyCallCount).toBe(0);
+    const db = getDb();
+    const conflicts = db.select().from(memoryItemConflicts).all();
+    expect(conflicts).toHaveLength(0);
+  });
+
+  test('skips classification when candidate statement contains PR-tracking content', async () => {
+    nextRelationship = 'ambiguous_contradiction';
+
+    insertMemoryItem({
+      id: 'item-existing-pr-tracking',
+      statement: 'Track PR #5526 for review.',
+    });
+    insertMemoryItem({
+      id: 'item-candidate-pr-tracking',
+      statement: 'Track PR #5525 for review.',
+    });
+
+    await checkContradictions('item-candidate-pr-tracking');
+
+    expect(classifyCallCount).toBe(0);
+    const db = getDb();
+    const conflicts = db.select().from(memoryItemConflicts).all();
+    expect(conflicts).toHaveLength(0);
+  });
+
+  test('durable preference contradiction still runs normal flow', async () => {
+    nextRelationship = 'ambiguous_contradiction';
+    nextExplanation = 'Both are valid preferences that conflict.';
+
+    insertMemoryItem({
+      id: 'item-existing-durable',
+      statement: 'User prefers React for frontend work.',
+    });
+    insertMemoryItem({
+      id: 'item-candidate-durable',
+      statement: 'User prefers Vue for frontend work.',
+    });
+
+    await checkContradictions('item-candidate-durable');
+
+    expect(classifyCallCount).toBe(1);
+    const db = getDb();
+    const conflicts = db.select().from(memoryItemConflicts).all();
+    expect(conflicts).toHaveLength(1);
+  });
 });

package/src/__tests__/credential-security-invariants.test.ts

@@ -185,10 +185,17 @@ describe('Invariant 2: no generic plaintext secret read API', () => {
       'email/providers/index.ts',      // email provider API key lookup
       'tools/network/script-proxy/session-manager.ts', // proxy credential injection at runtime
       'messaging/registry.ts',          // checks stored credentials for connected providers
+      'calls/call-domain.ts',            // caller identity resolution (user phone number lookup)
+      'calls/elevenlabs-config.ts',     // ElevenLabs voice quality API key lookup
       'calls/twilio-config.ts',         // call infrastructure credential lookup
       'calls/twilio-provider.ts',       // call infrastructure credential lookup
+      'cli/config-commands.ts',         // CLI credential management commands
       'runtime/http-server.ts',         // HTTP server credential lookup
       'daemon/handlers/twitter-auth.ts', // Twitter OAuth token storage
+      'twitter/oauth-client.ts',         // Twitter OAuth API client (reads access token for API calls)
+      'calls/elevenlabs-config.ts',      // ElevenLabs credential lookup
+      'cli/config-commands.ts',          // CLI config management
+      'messaging/providers/telegram-bot/adapter.ts', // Telegram bot token lookup for connectivity check
     ]);
 
     const thisDir = dirname(fileURLToPath(import.meta.url));
@@ -267,18 +274,27 @@ describe('Invariant 3: secrets never logged in plaintext', () => {
       });
     } else if (tc.component === 'ipc_decode') {
       // PR 24 — IPC decode log hygiene: the TS daemon's IPC parser must
-      // not have any logging that could leak raw message content
+      // not log raw message content that could contain secrets.
+      // Logging metadata (line length, error type) is acceptable; logging
+      // the raw line, trimmed content, or error.message is not.
       test(`${tc.label}`, () => {
         const thisDir = dirname(fileURLToPath(import.meta.url));
         const ipcSrc = readFileSync(
           resolve(thisDir, '../daemon/ipc-protocol.ts'),
           'utf-8',
         );
-        // The IPC parser must not use a logger at all — it handles raw
-        // bytes that could contain secrets in malformed messages. Verify
-        // no getLogger import and no log.* calls exist in the source.
-        expect(ipcSrc).not.toContain('getLogger');
-        expect(ipcSrc).not.toMatch(/\blog\.\w+\(/);
+        // Verify log calls never include raw content fields — only safe
+        // metadata like lineLength and errorType are permitted.
+        // `trimmed.length` is safe (numeric); `trimmed` alone would leak raw content.
+        // Use [^\n]* instead of [^)]* so that inner parentheses (e.g.
+        // helper calls like formatErr(err)) don't terminate the match
+        // early — avoiding false negatives — while still scoping each
+        // pattern to a single line (no cross-statement matching).
+        expect(ipcSrc).not.toMatch(/\blog\.\w+\([^\n]*[{,]\s*trimmed[^.]/);
+        expect(ipcSrc).not.toMatch(/\blog\.\w+\([^\n]*[{,]\s*line[^L]/);
+        expect(ipcSrc).not.toMatch(/\blog\.\w+\([^\n]*[{,]\s*data\b/);
+        expect(ipcSrc).not.toMatch(/\blog\.\w+\([^\n]*[{,]\s*buffer\b/);
+        expect(ipcSrc).not.toMatch(/\blog\.\w+\([^\n]*err\.message\b/);
       });
     } else {
       // PR 25 — secret prompter log hygiene: verify the prompter source