npm - @vellumai/cli - Versions diffs - 0.10.2-dev.202606250318.5e7cfb0 → 0.10.2-staging.1 - Mend

@vellumai/cli 0.10.2-dev.202606250318.5e7cfb0 → 0.10.2-staging.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +1 -1
package/src/__tests__/client-token.test.ts +0 -27
package/src/commands/client.ts +7 -65
package/src/commands/login.ts +19 -1
package/src/lib/confirm-action.ts +0 -4
package/src/lib/open-browser.ts +0 -20

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.10.2-dev.202606250318.5e7cfb0",
+  "version": "0.10.2-staging.1",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {

package/src/__tests__/client-token.test.ts CHANGED Viewed

@@ -84,31 +84,4 @@ describe("client --token (ephemeral)", () => {
     expect(parsed.assistantId).toBe("remote-xyz");
     expect(parsed.bearerToken).toBe("tok");
   });
-  test("auto-opens the browser by default", () => {
-    process.argv = [
-      "bun",
-      "vellum",
-      "client",
-      "--url",
-      REMOTE_URL,
-      "--token",
-      "tok",
-    ];
-    expect(parseArgs().openBrowser).toBe(true);
-  });
-  test("--no-open opts out of auto-opening the browser", () => {
-    process.argv = [
-      "bun",
-      "vellum",
-      "client",
-      "--url",
-      REMOTE_URL,
-      "--token",
-      "tok",
-      "--no-open",
-    ];
-    expect(parseArgs().openBrowser).toBe(false);
-  });
 });

package/src/commands/client.ts CHANGED Viewed

@@ -60,7 +60,6 @@ import {
 import { tuiLog } from "../lib/tui-log";
 import { loopbackSafeFetch } from "../lib/loopback-fetch.js";
 import { probePort } from "../lib/port-probe.js";
-import { openBrowser } from "../lib/open-browser";
 const SUPPORTED_INTERFACES = ["cli", "web"] as const;
 type SupportedInterface = (typeof SUPPORTED_INTERFACES)[number];
@@ -91,8 +90,6 @@ interface ParsedArgs {
   /** Parsed --flag overrides: kebab-case key -> typed value (for web injection). */
   parsedFlagOverrides: Record<string, boolean | string>;
   disablePlatform: boolean;
-  /** Auto-open the web interface in the default browser (--interface web only). */
-  openBrowser: boolean;
 }
 function readAssistantName(entry: AssistantEntry | null): string | undefined {
@@ -139,8 +136,6 @@ export function parseArgs(): ParsedArgs {
     "--token",
     "-t",
   ]);
-  // Auto-open the web interface in the browser by default; --no-open opts out.
-  let openBrowserPref = true;
   const flagArgs: string[] = [];
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
@@ -149,8 +144,6 @@ export function parseArgs(): ParsedArgs {
       process.exit(0);
     } else if (arg === "--disable-platform") {
       disablePlatform = true;
-    } else if (arg === "--no-open") {
-      openBrowserPref = false;
     } else if (
       (arg === "--url" ||
         arg === "-u" ||
@@ -271,7 +264,6 @@ export function parseArgs(): ParsedArgs {
     flagEnvVars,
     parsedFlagOverrides,
     disablePlatform,
-    openBrowser: openBrowserPref,
   };
 }
@@ -291,7 +283,6 @@ ${ANSI.bold}OPTIONS:${ANSI.reset}
                               not persisted.
     -a, --assistant-id <id>    Assistant ID
     -i, --interface <id>       Interface identifier: cli (default) or web
-    --no-open                  Don't auto-open the browser (--interface web)
     --flag <key=value>         Feature flag override (repeatable, kebab-case key)
     --disable-platform         Suppress all outbound platform API calls
     -h, --help                 Show this help message
@@ -825,26 +816,10 @@ async function findFreeDualLoopbackPort(preferred: number): Promise<number> {
   return preferred;
 }
-/**
- * Open `url` in the browser once `port` is accepting connections, polling for
- * up to ~10s. Used for the Vite dev server, which binds the port asynchronously
- * after spawn — opening immediately would load the tab before Vite is ready.
- */
-async function openBrowserWhenReady(url: string, port: number): Promise<void> {
-  for (let attempt = 0; attempt < 50; attempt++) {
-    if (await probePort(port, "127.0.0.1")) {
-      openBrowser(url);
-      return;
-    }
-    await new Promise((resolve) => setTimeout(resolve, 200));
-  }
-}
 async function runWebInterface(
   flagEnvVars: Record<string, string>,
   parsedFlagOverrides: Record<string, boolean | string>,
   disablePlatform: boolean,
-  openInBrowser: boolean,
 ): Promise<void> {
   // Propagate flag env vars so child processes (e.g. hatch from the web UI) inherit them.
   Object.assign(process.env, flagEnvVars);
@@ -853,12 +828,7 @@ async function runWebInterface(
   // (HMR, __local endpoints, gateway proxy).
   const webSourceDir = findWebSourceDir();
   if (webSourceDir) {
-    return runViteDevServer(
-      webSourceDir,
-      flagEnvVars,
-      disablePlatform,
-      openInBrowser,
-    );
+    return runViteDevServer(webSourceDir, flagEnvVars, disablePlatform);
   }
   const distDir = findWebDistDir();
@@ -925,27 +895,14 @@ async function runWebInterface(
       headers.delete("Origin");
       headers.delete("Referer");
-      // The DRF API authenticates by header (X-Session-Token); the allauth /
-      // accounts session endpoints need the Django session cookie.
-      const isApiRequest = pathname.startsWith("/v1/");
-      // Authenticate with the loopback session token the SPA registered. Only
+      // Authenticate with the loopback session token the SPA registered. The
+      // platform expects it both as the Django session cookie and as
+      // X-Session-Token (for DRF views that accept header-based auth). Only
       // same-origin SPA traffic gets the credential — never a cross-site caller.
       const sessionToken = isSameOriginRequest(req)
         ? currentPlatformToken()
         : null;
-      if (isApiRequest) {
-        // Header-only auth for the DRF API. Sending a `sessionid` cookie would
-        // engage Django's SessionAuthentication, which enforces CSRF — and the
-        // proxy strips Origin/Referer above, so the CSRF Referer check would
-        // reject every unsafe (POST/PUT/PATCH) request. Drop any browser cookie
-        // (localhost jar) so it can't re-engage that path.
-        headers.delete("Cookie");
-        if (sessionToken) {
-          headers.set("X-Session-Token", sessionToken);
-        }
-      } else if (sessionToken) {
-        // allauth / accounts: the platform expects the Django session cookie.
+      if (sessionToken) {
         headers.set(
           "Cookie",
           `sessionid=${sessionToken}; __Secure-sessionid=${sessionToken}`,
@@ -1008,9 +965,7 @@ async function runWebInterface(
   // Advertise `localhost` (not `127.0.0.1`) so the app origin matches the host
   // the platform hardcodes in its loopback callback. We bind both loopback
   // families above so `localhost` reaches us whichever one it resolves to.
-  const webInterfaceUrl = `http://localhost:${port}${SPA_BASE}`;
-  console.log(`Vellum web interface: ${webInterfaceUrl}`);
-  if (openInBrowser) openBrowser(webInterfaceUrl);
+  console.log(`Vellum web interface: http://localhost:${port}${SPA_BASE}`);
   const shutdown = (): void => {
     for (const server of servers) server.stop();
@@ -1026,7 +981,6 @@ async function runViteDevServer(
   webSourceDir: string,
   flagEnvVars: Record<string, string>,
   disablePlatform: boolean,
-  openInBrowser: boolean,
 ): Promise<void> {
   const platformUrl = getPlatformUrl();
@@ -1060,12 +1014,6 @@ async function runViteDevServer(
     },
   });
-  // Vite binds the port itself, so wait until it's listening before opening the
-  // browser — otherwise the tab loads before the dev server is ready.
-  if (openInBrowser) {
-    void openBrowserWhenReady(`http://localhost:${port}${SPA_BASE}`, port);
-  }
   const shutdown = (): void => {
     child.kill();
     process.exit(0);
@@ -1138,7 +1086,6 @@ export async function client(): Promise<void> {
     flagEnvVars,
     parsedFlagOverrides,
     disablePlatform,
-    openBrowser: openInBrowser,
   } = parseArgs();
   if (disablePlatform) {
@@ -1146,12 +1093,7 @@ export async function client(): Promise<void> {
   }
   if (interfaceId === WEB_INTERFACE_ID) {
-    await runWebInterface(
-      flagEnvVars,
-      parsedFlagOverrides,
-      disablePlatform,
-      openInBrowser,
-    );
+    await runWebInterface(flagEnvVars, parsedFlagOverrides, disablePlatform);
     return;
   }

package/src/commands/login.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { spawn } from "child_process";
 import { randomBytes } from "crypto";
 import { createServer } from "http";
 import type { AddressInfo } from "net";
@@ -10,7 +11,6 @@ import {
   setActiveAssistant,
 } from "../lib/assistant-config";
 import { computeDeviceId } from "../lib/guardian-token";
-import { openBrowser } from "../lib/open-browser";
 import {
   clearPlatformToken,
   ensureSelfHostedLocalRegistration,
@@ -169,6 +169,24 @@ function renderLoginPage(
 </html>`;
 }
+/**
+ * Open a URL in the user's default browser.
+ */
+function openBrowser(url: string): void {
+  const platform = process.platform;
+  const cmd =
+    platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+  const args =
+    platform === "win32"
+      ? ["/c", "start", '""', url.replace(/&/g, "^&")]
+      : [url];
+  const child = spawn(cmd, args, { stdio: "ignore", detached: true });
+  child.on("error", () => {
+    // Silently ignore — the user can still copy the URL from the console
+  });
+  child.unref();
+}
 export interface LoopbackListener {
   /** The full `http://127.0.0.1:<port>/auth/callback` redirect URI. */
   redirectUri: string;

package/src/lib/confirm-action.ts CHANGED Viewed

@@ -18,9 +18,6 @@ export function canPromptForConfirmation(): boolean {
  * Show `prompt` and resolve true on Enter, false on Esc/q/Ctrl-C. Restores the
  * prior stdin raw/paused state on exit. Caller must gate on
  * {@link canPromptForConfirmation} first.
- *
- * `unref()`s stdin on cleanup so the resumed handle doesn't keep the process
- * alive after the prompt resolves.
  */
 export async function confirmAction(prompt: string): Promise<boolean> {
   const stdin = process.stdin;
@@ -39,7 +36,6 @@ export async function confirmAction(prompt: string): Promise<boolean> {
       if (wasPaused) {
         stdin.pause();
       }
-      stdin.unref?.();
       stdout.write("\n");
     };

package/src/lib/open-browser.ts DELETED Viewed

@@ -1,20 +0,0 @@
-import { spawn } from "node:child_process";
-/**
- * Open a URL in the user's default browser. Best-effort: a failure to launch is
- * swallowed so the caller can still surface the URL for the user to copy.
- */
-export function openBrowser(url: string): void {
-  const platform = process.platform;
-  const cmd =
-    platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
-  const args =
-    platform === "win32"
-      ? ["/c", "start", '""', url.replace(/&/g, "^&")]
-      : [url];
-  const child = spawn(cmd, args, { stdio: "ignore", detached: true });
-  child.on("error", () => {
-    // Silently ignore — the user can still copy the URL from the console.
-  });
-  child.unref();
-}