@vellumai/assistant 0.7.1 → 0.7.3

package/src/cli/commands/platform/__tests__/disconnect.test.ts

@@ -39,7 +39,6 @@ mock.module("../../../../inbound/platform-callback-registration.js", () => ({
     isPlatform: false,
     platformBaseUrl: "",
     assistantId: "",
-    hasInternalApiKey: false,
     hasAssistantApiKey: false,
     authHeader: null,
     enabled: false,
@@ -64,6 +63,13 @@ mock.module("../../../../security/secure-keys.js", () => ({
   onCesClientChanged: () => ({ unsubscribe: () => {} }),
   setCesReconnect: () => {},
   getActiveBackendName: () => "file",
+  getActiveBackendInfoAsync: async () => ({
+    backend: "encrypted-store",
+    storePath: "/tmp/keys.enc",
+    storeKeyPath: "/tmp/store.key",
+    storeExists: false,
+    storeKeyExists: false,
+  }),
   _resetBackend: () => {},
 }));
 
@@ -109,13 +115,11 @@ mock.module("../../../../config/loader.js", () => ({
   }),
   loadConfig: () => ({}),
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,
   setNestedValue: () => {},
   applyNestedDefaults: (config: unknown) => config,
-  deepMergeMissing: () => false,
   deepMergeOverwrite: () => {},
   mergeDefaultWorkspaceConfig: () => {},
 }));

package/src/cli/commands/platform/__tests__/status.test.ts

@@ -14,12 +14,16 @@ let mockResolvePlatformCallbackRegistrationContext: () => Promise<
   isPlatform: false,
   platformBaseUrl: "",
   assistantId: "",
-  hasInternalApiKey: false,
   hasAssistantApiKey: false,
   authHeader: null,
   enabled: false,
 });
 
+let mockIpcGetVelayStatus: () => Promise<{
+  connected: boolean;
+  publicUrl: string | null;
+} | null> = async () => null;
+
 // ---------------------------------------------------------------------------
 // Mocks
 // ---------------------------------------------------------------------------
@@ -47,6 +51,13 @@ mock.module("../../../../security/secure-keys.js", () => ({
   onCesClientChanged: () => ({ unsubscribe: () => {} }),
   setCesReconnect: () => {},
   getActiveBackendName: () => "file",
+  getActiveBackendInfoAsync: async () => ({
+    backend: "encrypted-store",
+    storePath: "/tmp/keys.enc",
+    storeKeyPath: "/tmp/store.key",
+    storeExists: false,
+    storeKeyExists: false,
+  }),
   _resetBackend: () => {},
 }));
 
@@ -75,6 +86,8 @@ mock.module("../../../../util/logger.js", () => ({
   LOG_FILE_PATTERN: /^assistant-(\d{4}-\d{2}-\d{2})\.log$/,
 }));
 
+// Also mock the CLI logger singleton so log.info calls do not write to stdout.
+
 mock.module("../../../../config/loader.js", () => ({
   API_KEY_PROVIDERS: [] as const,
   getConfig: () => ({
@@ -89,17 +102,24 @@ mock.module("../../../../config/loader.js", () => ({
   }),
   loadConfig: () => ({}),
   invalidateConfigCache: () => {},
-  saveConfig: () => {},
   loadRawConfig: () => ({}),
   saveRawConfig: () => {},
   getNestedValue: () => undefined,
   setNestedValue: () => {},
   applyNestedDefaults: (config: unknown) => config,
-  deepMergeMissing: () => false,
   deepMergeOverwrite: () => {},
   mergeDefaultWorkspaceConfig: () => {},
 }));
 
+mock.module("../../../../ipc/gateway-client.js", () => ({
+  ipcGetVelayStatus: () => mockIpcGetVelayStatus(),
+  ipcCall: async () => undefined,
+  ipcCallPersistent: async () => undefined,
+  resetPersistentClient: () => {},
+  ipcGetFeatureFlags: async () => ({}),
+  ipcClassifyRisk: async () => undefined,
+}));
+
 // ---------------------------------------------------------------------------
 // Import module under test (after mocks are registered)
 // ---------------------------------------------------------------------------
@@ -158,38 +178,35 @@ describe("assistant platform status", () => {
       isPlatform: false,
       platformBaseUrl: "",
       assistantId: "",
-      hasInternalApiKey: false,
       hasAssistantApiKey: false,
       authHeader: null,
       enabled: false,
     });
+    mockIpcGetVelayStatus = async () => null;
     process.exitCode = 0;
   });
 
-  test("connected platform returns full status with stored credentials", async () => {
+  test("platform pod returns full status from context", async () => {
     /**
-     * When the assistant has stored platform credentials and a valid
-     * registration context, the status command should report connected
-     * with all context fields populated.
+     * When the assistant is running as a platform-managed pod, the status
+     * command reports all fields from the registration context plus
+     * organizationId and userId from the keychain. The connected field
+     * is absent — platform status does not expose it.
      */
 
-    // GIVEN a containerized environment with platform configuration
+    // GIVEN a containerized platform environment
     mockResolvePlatformCallbackRegistrationContext = async () => ({
       isPlatform: true,
       platformBaseUrl: "https://platform.vellum.ai",
       assistantId: "asst-abc-123",
-      hasInternalApiKey: true,
       hasAssistantApiKey: true,
-      authHeader: "Bearer internal-key",
+      authHeader: "Api-Key assistant-key",
       enabled: true,
     });
 
-    // AND stored platform credentials exist
+    // AND credentials are stored in the keychain
     mockGetSecureKeyAsync = async (account: string) => {
-      if (account === "credential/vellum/platform_base_url")
-        return "https://platform.vellum.ai";
-      if (account === "credential/vellum/assistant_api_key")
-        return "sk-test-key";
+      if (account === "credential/vellum/webhook_secret") return "wh-secret";
       if (account === "credential/vellum/platform_organization_id")
         return "org-456";
       if (account === "credential/vellum/platform_user_id") return "user-789";
@@ -211,12 +228,91 @@ describe("assistant platform status", () => {
     expect(parsed.isPlatform).toBe(true);
     expect(parsed.baseUrl).toBe("https://platform.vellum.ai");
     expect(parsed.assistantId).toBe("asst-abc-123");
-    expect(parsed.hasInternalApiKey).toBe(true);
     expect(parsed.hasAssistantApiKey).toBe(true);
+    expect(parsed.hasWebhookSecret).toBe(true);
     expect(parsed.available).toBe(true);
-    expect(parsed.connected).toBe(true);
     expect(parsed.organizationId).toBe("org-456");
     expect(parsed.userId).toBe("user-789");
+    // velayTunnel is null when gateway is unreachable
+    expect(parsed.velayTunnel).toBeNull();
+  });
+
+  test("velayTunnel connected with publicUrl is returned when gateway is live", async () => {
+    /**
+     * When the gateway is running and the Velay tunnel is connected, the
+     * status command includes velayTunnel.connected=true and the public URL.
+     */
+
+    // GIVEN a connected Velay tunnel reported by the gateway IPC
+    mockIpcGetVelayStatus = async () => ({
+      connected: true,
+      publicUrl: "https://abc123.vellum.ai",
+    });
+
+    // WHEN the status command is run with --json
+    const { exitCode, stdout } = await runCommand([
+      "platform",
+      "status",
+      "--json",
+    ]);
+
+    // THEN the command succeeds
+    expect(exitCode).toBe(0);
+
+    // AND velayTunnel reflects the live connection
+    const parsed = JSON.parse(stdout);
+    expect(parsed.velayTunnel).toEqual({
+      connected: true,
+      publicUrl: "https://abc123.vellum.ai",
+    });
+  });
+
+  test("velayTunnel disconnected when gateway reports no active connection", async () => {
+    /**
+     * When the gateway is running but Velay is not connected (e.g.
+     * reconnecting after disconnect), velayTunnel.connected is false.
+     */
+
+    // GIVEN a disconnected Velay tunnel
+    mockIpcGetVelayStatus = async () => ({
+      connected: false,
+      publicUrl: null,
+    });
+
+    // WHEN the status command is run with --json
+    const { exitCode, stdout } = await runCommand([
+      "platform",
+      "status",
+      "--json",
+    ]);
+
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.velayTunnel).toEqual({ connected: false, publicUrl: null });
+  });
+
+  test("velayTunnel is null when gateway IPC is unreachable", async () => {
+    /**
+     * When the gateway IPC socket is not available (assistant not running),
+     * velayTunnel is null rather than causing the status command to fail.
+     */
+
+    // GIVEN the gateway IPC throws
+    mockIpcGetVelayStatus = async () => {
+      throw new Error("ENOENT");
+    };
+
+    // WHEN the status command is run with --json
+    const { exitCode, stdout } = await runCommand([
+      "platform",
+      "status",
+      "--json",
+    ]);
+
+    // THEN the command still succeeds (graceful fallback)
+    expect(exitCode).toBe(0);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.velayTunnel).toBeNull();
   });
 
   test("plain text mode does not emit JSON to stdout", async () => {
@@ -231,7 +327,6 @@ describe("assistant platform status", () => {
       isPlatform: false,
       platformBaseUrl: "",
       assistantId: "",
-      hasInternalApiKey: false,
       hasAssistantApiKey: false,
       authHeader: null,
       enabled: false,
@@ -243,7 +338,7 @@ describe("assistant platform status", () => {
     // THEN the command succeeds
     expect(exitCode).toBe(0);
 
-    // AND stdout contains no JSON (writeOutput is skipped in plain text mode)
-    expect(stdout.trim()).toBe("");
+    // Plain-text mode logs via log.info — verify writeOutput (JSON) was NOT called
+    expect(() => JSON.parse(stdout.trim())).toThrow();
   });
 });

package/src/cli/commands/platform/disconnect.ts

@@ -95,17 +95,18 @@ Examples:
 
         const failedKeys: string[] = [];
         for (const key of keysToDelete) {
-          const result = await deleteSecureKeyViaDaemon(
+          const delResult = await deleteSecureKeyViaDaemon(
             "credential",
             `${key.service}:${key.field}`,
           );
-          if (result === "error") {
-            failedKeys.push(`${key.service}:${key.field}`);
+          if (delResult.result === "error") {
+            const detail = delResult.error ? `: ${delResult.error}` : "";
+            failedKeys.push(`${key.service}:${key.field}${detail}`);
           }
         }
 
         if (failedKeys.length > 0) {
-          writeError(`Failed to delete credentials: ${failedKeys.join(", ")}`);
+          writeError(`Failed to delete credentials: ${failedKeys.join("; ")}`);
           return;
         }
 

package/src/cli/commands/platform/index.ts

@@ -4,6 +4,7 @@ import {
   registerCallbackRoute,
   resolvePlatformCallbackRegistrationContext,
 } from "../../../inbound/platform-callback-registration.js";
+import { ipcGetVelayStatus } from "../../../ipc/gateway-client.js";
 import { credentialKey } from "../../../security/credential-key.js";
 import { getSecureKeyAsync } from "../../../security/secure-keys.js";
 import { log } from "../../logger.js";
@@ -62,15 +63,14 @@ Fields:
   isPlatform          Whether IS_PLATFORM is set (boolean)
   baseUrl             VELLUM_PLATFORM_URL — the platform gateway base URL
   assistantId         This assistant's platform UUID
-  hasInternalApiKey   Whether PLATFORM_INTERNAL_API_KEY is set (boolean,
-                      value not disclosed)
   hasAssistantApiKey  Whether a stored assistant API key is available
   hasWebhookSecret    Whether a stored webhook secret is available (needed
                       for email and other inbound webhook channels)
   available           Whether callback registration prerequisites are satisfied
-  connected           Whether platform credentials are stored (boolean)
   organizationId      The platform organization ID (from stored credentials)
   userId              The platform user ID (from stored credentials)
+  velayTunnel         Live Velay tunnel status from the gateway IPC socket
+                      (null when the gateway is not running)
 
 Examples:
   $ assistant platform status
@@ -78,21 +78,11 @@ Examples:
     )
     .action(async (_opts: Record<string, unknown>, cmd: Command) => {
       try {
-        const context = await resolvePlatformCallbackRegistrationContext();
+        const [context, velayTunnel] = await Promise.all([
+          resolvePlatformCallbackRegistrationContext(),
+          ipcGetVelayStatus().catch(() => null),
+        ]);
 
-        const storedBaseUrl =
-          (await getSecureKeyAsync(
-            credentialKey(
-              CREDENTIAL_KEYS.baseUrl.service,
-              CREDENTIAL_KEYS.baseUrl.field,
-            ),
-          )) ?? "";
-        const hasStoredApiKey = !!(await getSecureKeyAsync(
-          credentialKey(
-            CREDENTIAL_KEYS.apiKey.service,
-            CREDENTIAL_KEYS.apiKey.field,
-          ),
-        ));
         const organizationId =
           (
             await getSecureKeyAsync(
@@ -116,19 +106,16 @@ Examples:
           credentialKey("vellum", "webhook_secret"),
         ));
 
-        const connected = !!storedBaseUrl && hasStoredApiKey;
-
         const result = {
           isPlatform: context.isPlatform,
           baseUrl: context.platformBaseUrl,
           assistantId: context.assistantId,
-          hasInternalApiKey: context.hasInternalApiKey,
           hasAssistantApiKey: context.hasAssistantApiKey,
           hasWebhookSecret,
           available: context.enabled,
-          connected,
           organizationId: organizationId || null,
           userId: userId || null,
+          velayTunnel,
         };
 
         if (shouldOutputJson(cmd)) {
@@ -137,9 +124,6 @@ Examples:
           log.info(`Platform: ${result.isPlatform}`);
           log.info(`Base URL: ${result.baseUrl || "(not set)"}`);
           log.info(`Assistant ID: ${result.assistantId || "(not set)"}`);
-          log.info(
-            `Internal API key: ${result.hasInternalApiKey ? "set" : "not set"}`,
-          );
           log.info(
             `Assistant API key: ${result.hasAssistantApiKey ? "set" : "not set"}`,
           );
@@ -149,9 +133,16 @@ Examples:
           log.info(
             `Callback registration available: ${result.available ? "yes" : "no"}`,
           );
-          log.info(`Connected: ${connected}`);
           log.info(`Organization ID: ${organizationId || "(not set)"}`);
           log.info(`User ID: ${userId || "(not set)"}`);
+          if (result.velayTunnel !== null) {
+            const tunnelState = result.velayTunnel.connected
+              ? `connected${result.velayTunnel.publicUrl ? ` (${result.velayTunnel.publicUrl})` : ""}`
+              : "disconnected";
+            log.info(`Velay tunnel: ${tunnelState}`);
+          } else {
+            log.info(`Velay tunnel: (gateway not running)`);
+          }
         }
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);

package/src/cli/commands/status.ts

@@ -0,0 +1,57 @@
+import type { Command } from "commander";
+
+import { cliIpcCall } from "../../ipc/cli-client.js";
+import { getWorkspaceDirDisplay } from "../../util/platform.js";
+import { log } from "../logger.js";
+
+interface HealthResponse {
+  version: string;
+  memory: { currentMb: number; maxMb: number };
+  disk: { freeMb: number; totalMb: number } | null;
+}
+
+function fmtMb(mb: number): string {
+  if (mb >= 1024) return `${(mb / 1024).toFixed(1)} GB`;
+  return `${Math.round(mb)} MB`;
+}
+
+export function registerStatusCommand(program: Command): void {
+  program
+    .command("status")
+    .description("Show assistant version, workspace, and runtime health")
+    .action(async () => {
+      const result = await cliIpcCall<HealthResponse>("health");
+
+      if (!result.ok || !result.result) {
+        log.error(
+          result.error ??
+            "Assistant not running — could not connect to IPC socket.",
+        );
+        process.exit(1);
+      }
+
+      const h = result.result;
+      const workspace = getWorkspaceDirDisplay();
+
+      const rows: [string, string][] = [
+        ["Version", h.version],
+        ["Workspace", workspace],
+        ["", ""],
+        ["Memory", `${fmtMb(h.memory.currentMb)} / ${fmtMb(h.memory.maxMb)}`],
+        ...(h.disk
+          ? ([["Disk", `${fmtMb(h.disk.freeMb)} free`]] as [string, string][])
+          : []),
+      ];
+
+      const labelWidth = Math.max(
+        ...rows.filter(([l]) => l).map(([l]) => l.length),
+      );
+      for (const [label, value] of rows) {
+        if (!label) {
+          log.info("");
+          continue;
+        }
+        log.info(`${label.padEnd(labelWidth)}  ${value}`);
+      }
+    });
+}

package/src/cli/lib/daemon-credential-client.ts

@@ -3,6 +3,7 @@ import type { DeleteResult } from "../../security/credential-backend.js";
 import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
+  getActiveBackendName,
   setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import { getLogger } from "../../util/logger.js";
@@ -16,6 +17,26 @@ function isDaemonUnreachable(error: string): boolean {
   return error === DAEMON_UNREACHABLE;
 }
 
+// ---------------------------------------------------------------------------
+// Result types — include error context so the CLI can surface it
+// ---------------------------------------------------------------------------
+
+export interface SetSecureKeyResult {
+  ok: boolean;
+  /** Human-readable error reason when ok=false. */
+  error?: string;
+}
+
+export interface DeleteSecureKeyResult {
+  result: DeleteResult;
+  /** Human-readable error reason when result="error". */
+  error?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Set
+// ---------------------------------------------------------------------------
+
 /**
  * Store a secret via the daemon IPC socket (so daemon-side singletons
  * stay in sync). Falls back to direct `setSecureKeyAsync()` when the
@@ -25,37 +46,61 @@ export async function setSecureKeyViaDaemon(
   type: string,
   name: string,
   value: string,
-): Promise<boolean> {
-  const ipc = await cliIpcCall<{ success: boolean }>("secrets/write", {
-    type,
-    name,
-    value,
-  });
+): Promise<SetSecureKeyResult> {
+  const ipc = await cliIpcCall<{ success: boolean; error?: string }>(
+    "secrets/write",
+    { type, name, value },
+  );
 
-  if (ipc.ok && ipc.result) {
-    return ipc.result.success;
+  if (ipc.ok && ipc.result?.success) {
+    return { ok: true };
   }
 
+  // Daemon returned an IPC-level error (thrown InternalError, etc.)
   if (ipc.error && !isDaemonUnreachable(ipc.error)) {
     log.warn({ type, name, error: ipc.error }, "Daemon secret write failed");
-    return false;
+    return { ok: false, error: ipc.error };
+  }
+
+  // Daemon returned success=false (e.g. validation error, backend failure)
+  if (ipc.ok && ipc.result && !ipc.result.success) {
+    return {
+      ok: false,
+      error: ipc.result.error || "Credential write rejected by assistant",
+    };
   }
 
   // Daemon unreachable — fall back to direct write.
+  let account: string;
   if (type === "api_key") {
-    return setSecureKeyAsync(credentialKey(name, "api_key"), value);
-  }
-  if (type === "credential" && !name.startsWith("credential/")) {
+    account = credentialKey(name, "api_key");
+  } else if (type === "credential" && !name.startsWith("credential/")) {
     const colonIdx = name.lastIndexOf(":");
     if (colonIdx > 0 && colonIdx < name.length - 1) {
       const service = name.slice(0, colonIdx);
       const field = name.slice(colonIdx + 1);
-      return setSecureKeyAsync(credentialKey(service, field), value);
+      account = credentialKey(service, field);
+    } else {
+      account = name;
     }
+  } else {
+    account = name;
+  }
+
+  const ok = await setSecureKeyAsync(account, value);
+  if (!ok) {
+    return {
+      ok: false,
+      error: `Failed to store credential (backend: ${getActiveBackendName()})`,
+    };
   }
-  return setSecureKeyAsync(name, value);
+  return { ok: true };
 }
 
+// ---------------------------------------------------------------------------
+// Delete
+// ---------------------------------------------------------------------------
+
 /**
  * Delete a secret via the daemon IPC socket. Falls back to direct
  * `deleteSecureKeyAsync()` when the daemon is not running.
@@ -63,42 +108,79 @@ export async function setSecureKeyViaDaemon(
 export async function deleteSecureKeyViaDaemon(
   type: string,
   name: string,
-): Promise<DeleteResult> {
+): Promise<DeleteSecureKeyResult> {
   const ipc = await cliIpcCall<{ success: boolean }>("secrets/delete", {
     type,
     name,
   });
 
-  if (ipc.ok && ipc.result) {
-    return ipc.result.success ? "deleted" : "error";
+  if (ipc.ok && ipc.result?.success) {
+    return { result: "deleted" };
   }
 
+  // Daemon returned an IPC-level error
   if (ipc.error && !isDaemonUnreachable(ipc.error)) {
     if (ipc.error.includes("not found") || ipc.error.includes("404")) {
-      return "not-found";
+      return { result: "not-found" };
     }
-    return "error";
+    return { result: "error", error: ipc.error };
+  }
+
+  // Daemon returned success=false
+  if (ipc.ok && ipc.result && !ipc.result.success) {
+    return {
+      result: "error",
+      error: "Credential delete rejected by assistant",
+    };
   }
 
   // Daemon unreachable — fall back to direct delete.
   if (type === "api_key") {
     // Delete from both locations; during migration overlap both may exist.
-    // Ignore "not-found" on each — one location may already be empty.
-    const credResult = await deleteSecureKeyAsync(credentialKey(name, "api_key"));
-    if (credResult === "error") return "error";
+    const credResult = await deleteSecureKeyAsync(
+      credentialKey(name, "api_key"),
+    );
+    if (credResult === "error") {
+      return {
+        result: "error",
+        error: `Failed to delete credential (backend: ${getActiveBackendName()})`,
+      };
+    }
     const bareResult = await deleteSecureKeyAsync(name);
-    if (bareResult === "error") return "error";
-    return credResult === "deleted" || bareResult === "deleted"
-      ? "deleted"
-      : "not-found";
+    if (bareResult === "error") {
+      return {
+        result: "error",
+        error: `Failed to delete credential (backend: ${getActiveBackendName()})`,
+      };
+    }
+    return {
+      result:
+        credResult === "deleted" || bareResult === "deleted"
+          ? "deleted"
+          : "not-found",
+    };
   }
+
+  let account: string;
   if (type === "credential" && !name.startsWith("credential/")) {
     const colonIdx = name.lastIndexOf(":");
     if (colonIdx > 0 && colonIdx < name.length - 1) {
       const service = name.slice(0, colonIdx);
       const field = name.slice(colonIdx + 1);
-      return deleteSecureKeyAsync(credentialKey(service, field));
+      account = credentialKey(service, field);
+    } else {
+      account = name;
     }
+  } else {
+    account = name;
+  }
+
+  const result = await deleteSecureKeyAsync(account);
+  if (result === "error") {
+    return {
+      result: "error",
+      error: `Failed to delete credential (backend: ${getActiveBackendName()})`,
+    };
   }
-  return deleteSecureKeyAsync(name);
+  return { result };
 }