@vellumai/cli 0.4.32 → 0.4.33

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.4.32",
+  "version": "0.4.33",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {

package/src/commands/client.ts

@@ -1,6 +1,3 @@
-import { readFileSync } from "fs";
-import { join } from "path";
-
 import {
   findAssistantByName,
   loadLatestAssistant,
@@ -60,21 +57,8 @@ function parseArgs(): ParsedArgs {
     process.env.RUNTIME_URL || entry?.runtimeUrl || FALLBACK_RUNTIME_URL;
   let assistantId =
     process.env.ASSISTANT_ID || entry?.assistantId || FALLBACK_ASSISTANT_ID;
-  let bearerToken =
+  const bearerToken =
     process.env.RUNTIME_PROXY_BEARER_TOKEN || entry?.bearerToken || undefined;
-
-  // For local assistants, read the daemon's http-token file as a fallback
-  // when the lockfile doesn't include a bearer token.
-  if (!bearerToken && entry?.cloud === "local") {
-    const tokenDir =
-      entry.baseDataDir ?? join(process.env.HOME ?? "", ".vellum");
-    try {
-      const token = readFileSync(join(tokenDir, "http-token"), "utf-8").trim();
-      if (token) bearerToken = token;
-    } catch {
-      // Token file may not exist
-    }
-  }
   const species: Species = (entry?.species as Species) ?? "vellum";
 
   for (let i = 0; i < flagArgs.length; i++) {

package/src/commands/contacts.ts

@@ -1,7 +1,3 @@
-import { existsSync, readFileSync } from "node:fs";
-import { homedir } from "node:os";
-import { join } from "node:path";
-
 import { loadLatestAssistant } from "../lib/assistant-config";
 import { GATEWAY_PORT } from "../lib/constants.js";
 
@@ -17,21 +13,7 @@ function getGatewayUrl(): string {
 
 function getBearerToken(): string | undefined {
   const entry = loadLatestAssistant();
-  if (entry?.bearerToken) return entry.bearerToken;
-  try {
-    const tokenPath = join(
-      process.env.BASE_DATA_DIR?.trim() || homedir(),
-      ".vellum",
-      "http-token",
-    );
-    if (existsSync(tokenPath)) {
-      const token = readFileSync(tokenPath, "utf-8").trim();
-      if (token) return token;
-    }
-  } catch {
-    // ignore
-  }
-  return undefined;
+  return entry?.bearerToken;
 }
 
 function buildHeaders(): Record<string, string> {

package/src/commands/hatch.ts

@@ -756,8 +756,8 @@ async function hatchLocal(
     throw error;
   }
 
-  // Read the bearer token written by the daemon so the client can authenticate
-  // with the gateway (which requires auth by default).
+  // Read the bearer token (JWT) written by the daemon so the CLI can
+  // authenticate with the gateway.
   let bearerToken: string | undefined;
   try {
     const token = readFileSync(join(baseDataDir, "http-token"), "utf-8").trim();

package/src/commands/ps.ts

@@ -403,7 +403,7 @@ async function listAllAssistants(): Promise<void> {
 
   await Promise.all(
     assistants.map(async (a, rowIndex) => {
-      const health = await checkHealth(a.runtimeUrl);
+      const health = await checkHealth(a.runtimeUrl, a.bearerToken);
 
       const infoParts = [a.runtimeUrl];
       if (a.cloud) infoParts.push(`cloud: ${a.cloud}`);

package/src/lib/health-check.ts

@@ -12,18 +12,26 @@ export interface HealthCheckResult {
 
 export async function checkHealth(
   runtimeUrl: string,
+  bearerToken?: string,
 ): Promise<HealthCheckResult> {
   try {
-    const url = `${runtimeUrl}/healthz`;
+    const url = `${runtimeUrl}/v1/health`;
     const controller = new AbortController();
     const timeoutId = setTimeout(
       () => controller.abort(),
       HEALTH_CHECK_TIMEOUT_MS,
     );
 
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+    if (bearerToken) {
+      headers["Authorization"] = `Bearer ${bearerToken}`;
+    }
+
     const response = await fetch(url, {
       signal: controller.signal,
-      headers: { "Content-Type": "application/json" },
+      headers,
     });
 
     clearTimeout(timeoutId);

package/src/lib/local.ts

@@ -829,73 +829,10 @@ export async function startGateway(
     process.env.GATEWAY_DEFAULT_ASSISTANT_ID ||
     loadLatestAssistant()?.assistantId;
 
-  // Read the bearer token so the gateway can authenticate proxied requests
-  // (e.g. from paired iOS devices). Respect VELLUM_HTTP_TOKEN_PATH and
-  // BASE_DATA_DIR for consistency with gateway/config.ts and the daemon.
-  const httpTokenPath =
-    process.env.VELLUM_HTTP_TOKEN_PATH ??
-    join(
-      process.env.BASE_DATA_DIR?.trim() || homedir(),
-      ".vellum",
-      "http-token",
-    );
-  let runtimeProxyBearerToken: string | undefined;
-  try {
-    const tok = readFileSync(httpTokenPath, "utf-8").trim();
-    if (tok) runtimeProxyBearerToken = tok;
-  } catch {
-    // Token file doesn't exist yet — daemon hasn't written it.
-  }
-
-  // If no token is available (first startup — daemon hasn't written it yet),
-  // poll for the file to appear. On fresh installs the daemon may take 60s+
-  // for Qdrant download, migrations, and first-time init. Starting the
-  // gateway without auth is a security risk since the config is loaded once
-  // at startup and never reloads, so we fail rather than silently disabling auth.
-  if (!runtimeProxyBearerToken) {
-    console.log("   Waiting for bearer token file...");
-    const maxWait = 60000;
-    const pollInterval = 500;
-    const start = Date.now();
-    const pidFile = join(
-      process.env.BASE_DATA_DIR?.trim() || homedir(),
-      ".vellum",
-      "vellum.pid",
-    );
-    while (Date.now() - start < maxWait) {
-      await new Promise((r) => setTimeout(r, pollInterval));
-      try {
-        const tok = readFileSync(httpTokenPath, "utf-8").trim();
-        if (tok) {
-          runtimeProxyBearerToken = tok;
-          break;
-        }
-      } catch {
-        // File still doesn't exist, keep polling.
-      }
-      // Check if the daemon process is still alive — no point waiting if it crashed
-      try {
-        const pid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
-        if (pid) process.kill(pid, 0); // throws if process doesn't exist
-      } catch {
-        break; // daemon process is gone
-      }
-    }
-  }
-
-  if (!runtimeProxyBearerToken) {
-    throw new Error(
-      `Bearer token file not found at ${httpTokenPath} after 60s.\n` +
-        "  The gateway cannot start without authentication — this would leave the proxy permanently unauthenticated.\n" +
-        "  Ensure the daemon is running and has written the token file, or set VELLUM_HTTP_TOKEN_PATH to the correct path.",
-    );
-  }
-
   const gatewayEnv: Record<string, string> = {
     ...(process.env as Record<string, string>),
     GATEWAY_RUNTIME_PROXY_ENABLED: "true",
     GATEWAY_RUNTIME_PROXY_REQUIRE_AUTH: "true",
-    RUNTIME_PROXY_BEARER_TOKEN: runtimeProxyBearerToken,
     RUNTIME_HTTP_PORT: process.env.RUNTIME_HTTP_PORT || "7821",
     // Skip the drain window for locally-launched gateways — there is no load
     // balancer draining connections, so waiting serves no purpose and causes