@vellumai/cli 0.3.22 → 0.3.23

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.3.22",
+  "version": "0.3.23",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {

package/src/commands/hatch.ts

@@ -1,7 +1,10 @@
+import { createHash, randomBytes, randomUUID } from "crypto";
 import { appendFileSync, existsSync, lstatSync, mkdirSync, readFileSync, readlinkSync, symlinkSync, unlinkSync } from "fs";
-import { homedir, userInfo } from "os";
+import { homedir, hostname, userInfo } from "os";
 import { join } from "path";
 
+import qrcode from "qrcode-terminal";
+
 // Direct import — bun embeds this at compile time so it works in compiled binaries.
 import cliPkg from "../../package.json";
 
@@ -478,6 +481,49 @@ function installCLISymlink(): void {
   console.log(`   ⚠ Could not create symlink for vellum CLI (tried ${preferredPath} and ${fallbackPath})`);
 }
 
+async function displayPairingQRCode(runtimeUrl: string, bearerToken: string | undefined): Promise<void> {
+  try {
+    const pairingRequestId = randomUUID();
+    const pairingSecret = randomBytes(32).toString("hex");
+
+    const registerRes = await fetch(`${runtimeUrl}/v1/pairing/register`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...(bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {}),
+      },
+      body: JSON.stringify({ pairingRequestId, pairingSecret, gatewayUrl: runtimeUrl }),
+    });
+
+    if (!registerRes.ok) {
+      return;
+    }
+
+    const hostId = createHash("sha256").update(hostname() + userInfo().username).digest("hex");
+    const payload = JSON.stringify({
+      type: "vellum-daemon",
+      v: 4,
+      id: hostId,
+      g: runtimeUrl,
+      pairingRequestId,
+      pairingSecret,
+    });
+
+    const qrString = await new Promise<string>((resolve) => {
+      qrcode.generate(payload, { small: true }, (code: string) => {
+        resolve(code);
+      });
+    });
+
+    console.log("Scan this QR code with the Vellum iOS app to pair:\n");
+    console.log(qrString);
+    console.log("This pairing request expires in 5 minutes.");
+    console.log("Run `vellum pair` to generate a new one.\n");
+  } catch {
+    // Non-fatal — pairing is optional
+  }
+}
+
 async function hatchLocal(species: Species, name: string | null, daemonOnly: boolean = false): Promise<void> {
   const instanceName =
     name ?? process.env.VELLUM_ASSISTANT_NAME ?? `${species}-${generateRandomSuffix()}`;
@@ -549,6 +595,9 @@ async function hatchLocal(species: Species, name: string | null, daemonOnly: boo
     console.log(`  Name: ${instanceName}`);
     console.log(`  Runtime: ${runtimeUrl}`);
     console.log("");
+
+    // Generate and display pairing QR code
+    await displayPairingQRCode(runtimeUrl, bearerToken);
   }
 }
 

package/src/components/DefaultMainScreen.tsx

@@ -1,5 +1,6 @@
 import { spawn } from "child_process";
-import { randomBytes, randomUUID } from "crypto";
+import { createHash, randomBytes, randomUUID } from "crypto";
+import { hostname, userInfo } from "os";
 import { basename } from "path";
 import qrcode from "qrcode-terminal";
 import { useCallback, useEffect, useMemo, useRef, useState, type ReactElement } from "react";
@@ -1322,9 +1323,11 @@ function ChatApp({
             throw new Error(`HTTP ${registerRes.status}: ${body || registerRes.statusText}`);
           }
 
+          const hostId = createHash("sha256").update(hostname() + userInfo().username).digest("hex");
           const payload = JSON.stringify({
             type: "vellum-daemon",
             v: 4,
+            id: hostId,
             g: gatewayUrl,
             pairingRequestId,
             pairingSecret,

package/src/lib/local.ts

@@ -105,7 +105,7 @@ function resolveAssistantIndexPath(): string | undefined {
   return undefined;
 }
 
-async function waitForSocketFile(socketPath: string, timeoutMs = 15000): Promise<boolean> {
+async function waitForSocketFile(socketPath: string, timeoutMs = 60000): Promise<boolean> {
   if (existsSync(socketPath)) return true;
 
   const start = Date.now();
@@ -390,26 +390,27 @@ export async function startLocalDaemon(): Promise<void> {
       }
     }
 
-    // Wait for socket at ~/.vellum/vellum.sock (up to 15s)
-    let socketReady = await waitForSocketFile(socketFile, 15000);
+    // Wait for socket at ~/.vellum/vellum.sock (up to 60s — fresh installs
+    // may need 30-60s for Qdrant download, migrations, and first-time init)
+    let socketReady = await waitForSocketFile(socketFile, 60000);
 
     // Dev fallback: if the bundled daemon did not create a socket in time,
     // fall back to source daemon startup so local `./build.sh run` still works.
     if (!socketReady) {
       const assistantIndex = resolveAssistantIndexPath();
       if (assistantIndex) {
-        console.log("   Bundled daemon socket not ready after 15s — falling back to source daemon...");
+        console.log("   Bundled daemon socket not ready after 60s — falling back to source daemon...");
         // Kill the bundled daemon to avoid two processes competing for the same socket/port
         await stopProcessByPidFile(pidFile, "bundled daemon", [socketFile]);
         await startDaemonFromSource(assistantIndex);
-        socketReady = await waitForSocketFile(socketFile, 15000);
+        socketReady = await waitForSocketFile(socketFile, 60000);
       }
     }
 
     if (socketReady) {
       console.log("   Daemon socket ready\n");
     } else {
-      console.log("   ⚠️  Daemon socket did not appear within 15s — continuing anyway\n");
+      console.log("   ⚠️  Daemon socket did not appear within 60s — continuing anyway\n");
     }
   } else {
     console.log("🔨 Starting local daemon...");
@@ -454,16 +455,16 @@ export async function startGateway(assistantId?: string): Promise<string> {
   }
 
   // If no token is available (first startup — daemon hasn't written it yet),
-  // poll for the file to appear. The daemon writes the token shortly after
-  // startup, so we wait generously — the daemon socket wait is 15s, and
-  // the token may be written after the socket. Starting the gateway without
-  // auth is a security risk since the config is loaded once at startup and
-  // never reloads, so we fail rather than silently disabling auth.
+  // poll for the file to appear. On fresh installs the daemon may take 60s+
+  // for Qdrant download, migrations, and first-time init. Starting the
+  // gateway without auth is a security risk since the config is loaded once
+  // at startup and never reloads, so we fail rather than silently disabling auth.
   if (!runtimeProxyBearerToken) {
     console.log("   Waiting for bearer token file...");
-    const maxWait = 30000;
+    const maxWait = 60000;
     const pollInterval = 500;
     const start = Date.now();
+    const pidFile = join(process.env.BASE_DATA_DIR?.trim() || homedir(), ".vellum", "vellum.pid");
     while (Date.now() - start < maxWait) {
       await new Promise((r) => setTimeout(r, pollInterval));
       try {
@@ -475,12 +476,19 @@ export async function startGateway(assistantId?: string): Promise<string> {
       } catch {
         // File still doesn't exist, keep polling.
       }
+      // Check if the daemon process is still alive — no point waiting if it crashed
+      try {
+        const pid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+        if (pid) process.kill(pid, 0); // throws if process doesn't exist
+      } catch {
+        break; // daemon process is gone
+      }
     }
   }
 
   if (!runtimeProxyBearerToken) {
     throw new Error(
-      `Bearer token file not found at ${httpTokenPath} after 30s.\n` +
+      `Bearer token file not found at ${httpTokenPath} after 60s.\n` +
         "  The gateway cannot start without authentication — this would leave the proxy permanently unauthenticated.\n" +
         "  Ensure the daemon is running and has written the token file, or set VELLUM_HTTP_TOKEN_PATH to the correct path.",
     );