@vellumai/cli 0.4.42 → 0.4.43

package/src/components/DefaultMainScreen.tsx

@@ -1,6 +1,6 @@
 import { spawn } from "child_process";
 import { createHash, randomBytes, randomUUID } from "crypto";
-import { hostname, platform, userInfo } from "os";
+import { hostname, userInfo } from "os";
 import { basename } from "path";
 import qrcode from "qrcode-terminal";
 import {
@@ -145,7 +145,7 @@ interface PendingInteractionsResponse {
   pendingSecret: (PendingSecret & { requestId?: string }) | null;
 }
 
-type TrustDecision = "always_allow" | "always_allow_high_risk" | "always_deny";
+type TrustDecision = "always_allow" | "always_deny";
 
 interface HealthResponse {
   status: string;
@@ -158,18 +158,13 @@ async function runtimeRequest<T>(
   path: string,
   init?: RequestInit,
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<T> {
   const url = `${baseUrl}/v1/assistants/${assistantId}${path}`;
-  // Prefer the JWT access token (from bootstrap) over the shared-secret
-  // bearer token. The JWT carries identity claims and is the canonical
-  // auth mechanism in the single-header auth model.
-  const authToken = accessToken ?? bearerToken;
   const response = await fetch(url, {
     ...init,
     headers: {
       "Content-Type": "application/json",
-      ...(authToken ? { Authorization: `Bearer ${authToken}` } : {}),
+      ...(bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {}),
       ...(init?.headers as Record<string, string> | undefined),
     },
   });
@@ -205,50 +200,10 @@ async function checkHealthRuntime(baseUrl: string): Promise<HealthResponse> {
   return response.json() as Promise<HealthResponse>;
 }
 
-async function bootstrapAccessToken(
-  baseUrl: string,
-  bearerToken?: string,
-): Promise<string> {
-  if (!bearerToken) {
-    throw new Error("Missing bearer token; cannot bootstrap actor identity");
-  }
-
-  const deviceId = `vellum-cli:${platform()}:${hostname()}:${userInfo().username}`;
-  const url = `${baseUrl}/v1/integrations/guardian/vellum/bootstrap`;
-
-  const response = await fetch(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Authorization: `Bearer ${bearerToken}`,
-    },
-    body: JSON.stringify({ platform: "cli", deviceId }),
-  });
-
-  if (!response.ok) {
-    const body = await response.text().catch(() => "");
-    throw new Error(`HTTP ${response.status}: ${body || response.statusText}`);
-  }
-
-  const json: unknown = await response.json();
-
-  if (typeof json !== "object" || json === null) {
-    throw new Error("Invalid bootstrap response from gateway/runtime");
-  }
-
-  const accessToken = (json as Record<string, unknown>).accessToken;
-  if (typeof accessToken !== "string" || accessToken.length === 0) {
-    throw new Error("Invalid bootstrap response from gateway/runtime");
-  }
-
-  return accessToken;
-}
-
 async function pollMessages(
   baseUrl: string,
   assistantId: string,
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<ListMessagesResponse> {
   const params = new URLSearchParams({ conversationKey: assistantId });
   return runtimeRequest<ListMessagesResponse>(
@@ -257,7 +212,6 @@ async function pollMessages(
     `/messages?${params.toString()}`,
     undefined,
     bearerToken,
-    accessToken,
   );
 }
 
@@ -267,7 +221,6 @@ async function sendMessage(
   content: string,
   signal?: AbortSignal,
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<SendMessageResponse> {
   return runtimeRequest<SendMessageResponse>(
     baseUrl,
@@ -284,7 +237,6 @@ async function sendMessage(
       signal,
     },
     bearerToken,
-    accessToken,
   );
 }
 
@@ -294,7 +246,6 @@ async function submitDecision(
   requestId: string,
   decision: "allow" | "deny",
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<SubmitDecisionResponse> {
   return runtimeRequest<SubmitDecisionResponse>(
     baseUrl,
@@ -305,7 +256,6 @@ async function submitDecision(
       body: JSON.stringify({ requestId, decision }),
     },
     bearerToken,
-    accessToken,
   );
 }
 
@@ -317,7 +267,6 @@ async function addTrustRule(
   scope: string,
   decision: "allow" | "deny",
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<AddTrustRuleResponse> {
   return runtimeRequest<AddTrustRuleResponse>(
     baseUrl,
@@ -328,7 +277,6 @@ async function addTrustRule(
       body: JSON.stringify({ requestId, pattern, scope, decision }),
     },
     bearerToken,
-    accessToken,
   );
 }
 
@@ -336,7 +284,6 @@ async function pollPendingInteractions(
   baseUrl: string,
   assistantId: string,
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<PendingInteractionsResponse> {
   const params = new URLSearchParams({ conversationKey: assistantId });
   return runtimeRequest<PendingInteractionsResponse>(
@@ -345,7 +292,6 @@ async function pollPendingInteractions(
     `/pending-interactions?${params.toString()}`,
     undefined,
     bearerToken,
-    accessToken,
   );
 }
 
@@ -388,7 +334,6 @@ async function handleConfirmationPrompt(
   confirmation: PendingConfirmation,
   chatApp: ChatAppHandle,
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<void> {
   const preview = formatConfirmationPreview(
     confirmation.toolName,
@@ -420,7 +365,6 @@ async function handleConfirmationPrompt(
       requestId,
       "allow",
       bearerToken,
-      accessToken,
     );
     chatApp.addStatus("\u2714 Allowed", "green");
     return;
@@ -434,7 +378,6 @@ async function handleConfirmationPrompt(
       chatApp,
       "always_allow",
       bearerToken,
-      accessToken,
     );
     return;
   }
@@ -447,7 +390,6 @@ async function handleConfirmationPrompt(
       chatApp,
       "always_deny",
       bearerToken,
-      accessToken,
     );
     return;
   }
@@ -458,7 +400,6 @@ async function handleConfirmationPrompt(
     requestId,
     "deny",
     bearerToken,
-    accessToken,
   );
   chatApp.addStatus("\u2718 Denied", "yellow");
 }
@@ -471,7 +412,6 @@ async function handlePatternSelection(
   chatApp: ChatAppHandle,
   trustDecision: TrustDecision,
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<void> {
   const allowlistOptions = confirmation.allowlistOptions ?? [];
   const label = trustDecision === "always_deny" ? "Denylist" : "Allowlist";
@@ -493,7 +433,6 @@ async function handlePatternSelection(
       selectedPattern,
       trustDecision,
       bearerToken,
-      accessToken,
     );
     return;
   }
@@ -504,7 +443,6 @@ async function handlePatternSelection(
     requestId,
     "deny",
     bearerToken,
-    accessToken,
   );
   chatApp.addStatus("\u2718 Denied", "yellow");
 }
@@ -518,7 +456,6 @@ async function handleScopeSelection(
   selectedPattern: string,
   trustDecision: TrustDecision,
   bearerToken?: string,
-  accessToken?: string,
 ): Promise<void> {
   const scopeOptions = confirmation.scopeOptions ?? [];
   const label = trustDecision === "always_deny" ? "Denylist" : "Allowlist";
@@ -536,7 +473,6 @@ async function handleScopeSelection(
       scopeOptions[index].scope,
       ruleDecision,
       bearerToken,
-      accessToken,
     );
     await submitDecision(
       baseUrl,
@@ -544,7 +480,6 @@ async function handleScopeSelection(
       requestId,
       ruleDecision === "deny" ? "deny" : "allow",
       bearerToken,
-      accessToken,
     );
     const ruleLabel =
       trustDecision === "always_deny" ? "Denylisted" : "Allowlisted";
@@ -562,7 +497,6 @@ async function handleScopeSelection(
     requestId,
     "deny",
     bearerToken,
-    accessToken,
   );
   chatApp.addStatus("\u2718 Denied", "yellow");
 }
@@ -1220,7 +1154,6 @@ function ChatApp({
   const pollTimerRef = useRef<ReturnType<typeof setInterval> | null>(null);
   const doctorSessionIdRef = useRef(randomUUID());
   const handleRef_ = useRef<ChatAppHandle | null>(null);
-  const accessTokenRef = useRef<string | undefined>(undefined);
 
   const { stdout } = useStdout();
   const terminalRows = stdout.rows || DEFAULT_TERMINAL_ROWS;
@@ -1458,12 +1391,6 @@ function ChatApp({
 
     try {
       const health = await checkHealthRuntime(runtimeUrl);
-      if (!accessTokenRef.current) {
-        accessTokenRef.current = await bootstrapAccessToken(
-          runtimeUrl,
-          bearerToken,
-        );
-      }
       h.hideSpinner();
       h.updateHealthStatus(health.status);
       if (health.status === "healthy" || health.status === "ok") {
@@ -1486,7 +1413,6 @@ function ChatApp({
           runtimeUrl,
           assistantId,
           bearerToken,
-          accessTokenRef.current,
         );
         h.hideSpinner();
         if (historyResponse.messages.length > 0) {
@@ -1505,7 +1431,6 @@ function ChatApp({
             runtimeUrl,
             assistantId,
             bearerToken,
-            accessTokenRef.current,
           );
           for (const msg of response.messages) {
             if (!seenMessageIdsRef.current.has(msg.id)) {
@@ -1821,7 +1746,6 @@ function ChatApp({
             trimmed,
             controller.signal,
             bearerToken,
-            accessTokenRef.current,
           );
           clearTimeout(timeoutId);
           if (!sendResult.accepted) {
@@ -1853,7 +1777,6 @@ function ChatApp({
               runtimeUrl,
               assistantId,
               bearerToken,
-              accessTokenRef.current,
             );
 
             if (pending.pendingConfirmation) {
@@ -1865,7 +1788,6 @@ function ChatApp({
                 pending.pendingConfirmation,
                 h,
                 bearerToken,
-                accessTokenRef.current,
               );
               h.showSpinner("Working...");
               continue;
@@ -1890,7 +1812,6 @@ function ChatApp({
                       }),
                     },
                     bearerToken,
-                    accessTokenRef.current,
                   );
                 },
               );
@@ -1907,7 +1828,6 @@ function ChatApp({
               runtimeUrl,
               assistantId,
               bearerToken,
-              accessTokenRef.current,
             );
             for (const msg of pollResult.messages) {
               if (!seenMessageIdsRef.current.has(msg.id)) {

package/src/index.ts

@@ -8,7 +8,6 @@ import { pair } from "./commands/pair";
 import { ps } from "./commands/ps";
 import { recover } from "./commands/recover";
 import { retire } from "./commands/retire";
-import { skills } from "./commands/skills";
 import { sleep } from "./commands/sleep";
 import { ssh } from "./commands/ssh";
 import { tunnel } from "./commands/tunnel";
@@ -24,7 +23,6 @@ const commands = {
   ps,
   recover,
   retire,
-  skills,
   sleep,
   ssh,
   tunnel,
@@ -58,7 +56,6 @@ async function main() {
     );
     console.log("  recover  Restore a previously retired local assistant");
     console.log("  retire   Delete an assistant instance");
-    console.log("  skills   Browse and install skills from the Vellum catalog");
     console.log("  sleep    Stop the assistant process");
     console.log("  ssh      SSH into a remote assistant instance");
     console.log("  tunnel   Create a tunnel for a locally hosted assistant");

package/src/lib/assistant-config.ts

@@ -16,13 +16,8 @@ import { probePort } from "./port-probe.js";
  */
 export interface LocalInstanceResources {
   /**
-   * Instance-specific data root. The first local assistant uses `~` (workspace
-   * at `~/.vellum`); subsequent assistants use
-   * `~/.local/share/vellum/assistants/<name>/` (workspace at
-   * `~/.local/share/vellum/assistants/<name>/.vellum`).
-   * The daemon's `.vellum/` directory lives inside it. Equivalent to
-   * `AssistantEntry.baseDataDir` minus the trailing `/.vellum` suffix —
-   * `baseDataDir` is kept on the flat entry for legacy lockfile compat.
+   * Instance-specific data root at `~/.local/share/vellum/assistants/<name>/`.
+   * The daemon's `.vellum/` directory lives inside it.
    */
   instanceDir: string;
   /** HTTP port for the daemon runtime server */
@@ -31,8 +26,6 @@ export interface LocalInstanceResources {
   gatewayPort: number;
   /** HTTP port for the Qdrant vector store */
   qdrantPort: number;
-  /** Absolute path to the Unix domain socket for IPC */
-  socketPath: string;
   /** Absolute path to the daemon PID file */
   pidFile: string;
 }
@@ -43,8 +36,6 @@ export interface AssistantEntry {
   /** Loopback URL for same-machine health checks (e.g. `http://127.0.0.1:7831`).
    *  Avoids mDNS resolution issues when the machine checks its own gateway. */
   localUrl?: string;
-  /** @deprecated Use `resources.instanceDir` for multi-instance entries. Legacy equivalent of `join(instanceDir, ".vellum")`. */
-  baseDataDir?: string;
   bearerToken?: string;
   cloud: string;
   instanceId?: string;
@@ -70,8 +61,13 @@ function getBaseDir(): string {
   return process.env.BASE_DATA_DIR?.trim() || homedir();
 }
 
+/** The lockfile always lives under the home directory. */
+function getLockfileDir(): string {
+  return process.env.VELLUM_LOCKFILE_DIR?.trim() || homedir();
+}
+
 function readLockfile(): LockfileData {
-  const base = getBaseDir();
+  const base = getLockfileDir();
   const candidates = [
     join(base, ".vellum.lock.json"),
     join(base, ".vellum.lockfile.json"),
@@ -92,7 +88,7 @@ function readLockfile(): LockfileData {
 }
 
 function writeLockfile(data: LockfileData): void {
-  const lockfilePath = join(getBaseDir(), ".vellum.lock.json");
+  const lockfilePath = join(getLockfileDir(), ".vellum.lock.json");
   writeFileSync(lockfilePath, JSON.stringify(data, null, 2) + "\n");
 }
 
@@ -138,9 +134,14 @@ export function removeAssistantEntry(assistantId: string): void {
     (e: AssistantEntry) => e.assistantId !== assistantId,
   );
   data.assistants = entries;
-  // Clear active assistant if it matches the removed entry
+  // Reassign active assistant if it matches the removed entry
   if (data.activeAssistant === assistantId) {
-    delete data.activeAssistant;
+    const remaining = entries[0];
+    if (remaining) {
+      data.activeAssistant = remaining.assistantId;
+    } else {
+      delete data.activeAssistant;
+    }
   }
   writeLockfile(data);
 }
@@ -228,19 +229,12 @@ async function findAvailablePort(
 
 /**
  * Allocate an isolated set of resources for a named local instance.
- * The first local assistant gets `instanceDir = ~` with default ports (same as
- * legacy single-instance layout). Subsequent assistants are placed under
+ * Each assistant is placed under
  * `~/.local/share/vellum/assistants/<name>/` with scanned ports.
  */
 export async function allocateLocalResources(
   instanceName: string,
 ): Promise<LocalInstanceResources> {
-  // First local assistant gets the home directory — identical to legacy layout.
-  const existingLocals = loadAllAssistants().filter((e) => e.cloud === "local");
-  if (existingLocals.length === 0) {
-    return defaultLocalResources();
-  }
-
   const instanceDir = join(
     homedir(),
     ".local",
@@ -263,13 +257,6 @@ export async function allocateLocalResources(
         entry.resources.gatewayPort,
         entry.resources.qdrantPort,
       );
-    } else {
-      // Legacy entries without resources use the default ports
-      reservedPorts.push(
-        DEFAULT_DAEMON_PORT,
-        DEFAULT_GATEWAY_PORT,
-        DEFAULT_QDRANT_PORT,
-      );
     }
   }
 
@@ -294,42 +281,10 @@ export async function allocateLocalResources(
     daemonPort,
     gatewayPort,
     qdrantPort,
-    socketPath: join(instanceDir, ".vellum", "vellum.sock"),
     pidFile: join(instanceDir, ".vellum", "vellum.pid"),
   };
 }
 
-/**
- * Return default resources representing the legacy single-instance layout.
- * Used to normalize existing lockfile entries so callers can treat all local
- * entries uniformly.
- */
-export function defaultLocalResources(): LocalInstanceResources {
-  const vellumDir = join(homedir(), ".vellum");
-  return {
-    instanceDir: homedir(),
-    daemonPort: DEFAULT_DAEMON_PORT,
-    gatewayPort: DEFAULT_GATEWAY_PORT,
-    qdrantPort: DEFAULT_QDRANT_PORT,
-    socketPath: join(vellumDir, "vellum.sock"),
-    pidFile: join(vellumDir, "vellum.pid"),
-  };
-}
-
-/**
- * Normalize existing lockfile entries so local entries include resource fields.
- * Remote entries are left untouched. Returns a new array (does not mutate input).
- */
-export function normalizeExistingEntryResources(
-  entries: AssistantEntry[],
-): AssistantEntry[] {
-  return entries.map((entry) => {
-    if (entry.cloud !== "local") return entry;
-    if (entry.resources) return entry;
-    return { ...entry, resources: defaultLocalResources() };
-  });
-}
-
 /**
  * Read the assistant config file and sync client-relevant values to the
  * lockfile. This lets external tools (e.g. vel) discover the platform URL

package/src/lib/aws.ts

@@ -5,7 +5,7 @@ import { join } from "path";
 
 import { buildStartupScript, watchHatching } from "../commands/hatch";
 import type { PollResult } from "../commands/hatch";
-import { saveAssistantEntry } from "./assistant-config";
+import { saveAssistantEntry, setActiveAssistant } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
 import { GATEWAY_PORT } from "./constants";
 import type { Species } from "./constants";
@@ -370,6 +370,28 @@ async function pollAwsInstance(
   }
 }
 
+async function fetchRemoteBearerToken(
+  ip: string,
+  keyPath: string,
+): Promise<string | null> {
+  try {
+    const remoteCmd =
+      'cat ~/.vellum.lock.json 2>/dev/null || cat ~/.vellum.lockfile.json 2>/dev/null || echo "{}"';
+    const output = await awsSshExec(ip, keyPath, remoteCmd);
+    const data = JSON.parse(output.trim());
+    const assistants = data.assistants;
+    if (Array.isArray(assistants) && assistants.length > 0) {
+      const token = assistants[0].bearerToken;
+      if (typeof token === "string" && token) {
+        return token;
+      }
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
 export async function hatchAws(
   species: Species,
   detached: boolean,
@@ -500,6 +522,7 @@ export async function hatchAws(
       hatchedAt: new Date().toISOString(),
     };
     saveAssistantEntry(awsEntry);
+    setActiveAssistant(instanceName);
 
     if (detached) {
       console.log("\u{1F680} Startup script is running on the instance...");
@@ -535,6 +558,12 @@ export async function hatchAws(
           }
           process.exit(1);
         }
+
+        const remoteBearerToken = await fetchRemoteBearerToken(ip, keyPath);
+        if (remoteBearerToken) {
+          awsEntry.bearerToken = remoteBearerToken;
+          saveAssistantEntry(awsEntry);
+        }
       } else {
         console.log(
           "\u26a0\ufe0f  No external IP available for monitoring. Instance is still running.",