@vellumai/cli 0.4.52 → 0.4.54

package/bun.lock

@@ -5,6 +5,7 @@
     "": {
       "name": "@vellumai/cli",
       "dependencies": {
+        "chalk": "^5.6.0",
         "ink": "^6.7.0",
         "jsqr": "^1.4.0",
         "pngjs": "^7.0.0",

package/knip.json

@@ -1,6 +1,4 @@
 {
-  "entry": ["src/**/*.test.ts", "src/**/__tests__/**/*.ts"],
-  "project": ["src/**/*.ts", "src/**/*.tsx"],
-  "ignore": ["src/adapters/openclaw-http-server.ts"],
-  "ignoreDependencies": ["chalk"]
+  "entry": ["src/**/*.test.ts", "src/**/__tests__/**/*.ts", "src/adapters/openclaw-http-server.ts"],
+  "project": ["src/**/*.ts", "src/**/*.tsx"]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.4.52",
+  "version": "0.4.54",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {
@@ -24,6 +24,7 @@
   "author": "Vellum AI",
   "license": "MIT",
   "dependencies": {
+    "chalk": "^5.6.0",
     "ink": "^6.7.0",
     "jsqr": "^1.4.0",
     "pngjs": "^7.0.0",

package/src/commands/hatch.ts

@@ -40,6 +40,7 @@ import {
 } from "../lib/constants";
 import type { RemoteHost, Species } from "../lib/constants";
 import { hatchDocker } from "../lib/docker";
+import { mintLocalBearerToken } from "../lib/jwt";
 import { hatchGcp } from "../lib/gcp";
 import type { PollResult, WatchHatchingResult } from "../lib/gcp";
 import {
@@ -794,17 +795,9 @@ async function hatchLocal(
     delete process.env.BASE_DATA_DIR;
   }
 
-  // Read the bearer token (JWT) written by the daemon so the CLI can
-  // with the gateway (which requires auth by default). The daemon writes under
-  // getRootDir() which resolves to <instanceDir>/.vellum/.
-  let bearerToken: string | undefined;
-  try {
-    const tokenPath = join(resources.instanceDir, ".vellum", "http-token");
-    const token = readFileSync(tokenPath, "utf-8").trim();
-    if (token) bearerToken = token;
-  } catch {
-    // Token file may not exist if daemon started without HTTP server
-  }
+  // Mint a JWT from the signing key so the CLI can authenticate with the
+  // daemon/gateway (which requires auth by default).
+  const bearerToken = mintLocalBearerToken(resources.instanceDir);
 
   const localEntry: AssistantEntry = {
     assistantId: instanceName,

package/src/commands/recover.ts

@@ -68,9 +68,7 @@ export async function recover(): Promise<void> {
 
   // 7. Start daemon + gateway (same as wake)
   await startLocalDaemon(false, entry.resources);
-  if (!process.env.VELLUM_DESKTOP_APP) {
-    await startGateway(false, entry.resources);
-  }
+  await startGateway(false, entry.resources);
 
   console.log(`✅ Recovered assistant '${name}'.`);
 }

package/src/commands/wake.ts

@@ -3,7 +3,11 @@ import { join } from "path";
 
 import { resolveTargetAssistant } from "../lib/assistant-config.js";
 import { isProcessAlive, stopProcessByPidFile } from "../lib/process";
-import { startLocalDaemon, startGateway } from "../lib/local";
+import {
+  isWatchModeAvailable,
+  startLocalDaemon,
+  startGateway,
+} from "../lib/local";
 import { maybeStartNgrokTunnel } from "../lib/ngrok";
 
 export async function wake(): Promise<void> {
@@ -56,12 +60,21 @@ export async function wake(): Promise<void> {
         process.kill(pid, 0);
         daemonRunning = true;
         if (watch) {
-          // Restart in watch mode
-          console.log(
-            `Assistant running (pid ${pid}) — restarting in watch mode...`,
-          );
-          await stopProcessByPidFile(pidFile, "assistant");
-          daemonRunning = false;
+          // Restart in watch mode — but only if source files are available.
+          // Watch mode requires bun --watch with .ts sources; packaged desktop
+          // builds only have a compiled binary. Stopping the daemon without a
+          // viable watch-mode path would leave the user with no running assistant.
+          if (!isWatchModeAvailable()) {
+            console.log(
+              `Assistant running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
+            );
+          } else {
+            console.log(
+              `Assistant running (pid ${pid}) — restarting in watch mode...`,
+            );
+            await stopProcessByPidFile(pidFile, "assistant");
+            daemonRunning = false;
+          }
         } else {
           console.log(`Assistant already running (pid ${pid}).`);
         }
@@ -82,12 +95,18 @@ export async function wake(): Promise<void> {
     const { alive, pid } = isProcessAlive(gatewayPidFile);
     if (alive) {
       if (watch) {
-        // Restart in watch mode
-        console.log(
-          `Gateway running (pid ${pid}) — restarting in watch mode...`,
-        );
-        await stopProcessByPidFile(gatewayPidFile, "gateway");
-        await startGateway(watch, resources);
+        // Same guard as the daemon: only restart if watch mode is viable.
+        if (!isWatchModeAvailable()) {
+          console.log(
+            `Gateway running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
+          );
+        } else {
+          console.log(
+            `Gateway running (pid ${pid}) — restarting in watch mode...`,
+          );
+          await stopProcessByPidFile(gatewayPidFile, "gateway");
+          await startGateway(watch, resources);
+        }
       } else {
         console.log(`Gateway already running (pid ${pid}).`);
       }

package/src/lib/jwt.ts

@@ -0,0 +1,62 @@
+/**
+ * Minimal JWT minting for the external CLI.
+ *
+ * Loads the shared HMAC signing key from disk and mints short-lived JWTs
+ * so the CLI can authenticate with the daemon's HTTP server without reading
+ * the deprecated http-token file.
+ */
+
+import { createHmac, randomBytes } from "crypto";
+import { readFileSync } from "fs";
+import { join } from "path";
+
+import { CURRENT_POLICY_EPOCH } from "./policy.js";
+
+function base64urlEncode(data: Buffer | string): string {
+  const buf = typeof data === "string" ? Buffer.from(data, "utf-8") : data;
+  return buf.toString("base64url");
+}
+
+const JWT_HEADER = base64urlEncode(
+  JSON.stringify({ alg: "HS256", typ: "JWT" }),
+);
+
+/**
+ * Mint a short-lived JWT bearer token for the given instance directory.
+ *
+ * Reads the signing key from `<instanceDir>/.vellum/protected/actor-token-signing-key`
+ * and mints a 30-day JWT with `aud=vellum-gateway`.
+ *
+ * Returns undefined if the signing key doesn't exist yet (daemon not started).
+ */
+export function mintLocalBearerToken(instanceDir: string): string | undefined {
+  try {
+    const keyPath = join(
+      instanceDir,
+      ".vellum",
+      "protected",
+      "actor-token-signing-key",
+    );
+    const key = readFileSync(keyPath);
+    if (key.length !== 32) return undefined;
+
+    const now = Math.floor(Date.now() / 1000);
+    const claims = {
+      iss: "vellum-auth",
+      aud: "vellum-gateway",
+      sub: "local:cli:cli",
+      scope_profile: "actor_client_v1",
+      exp: now + 30 * 24 * 60 * 60,
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      iat: now,
+      jti: randomBytes(16).toString("hex"),
+    };
+
+    const payload = base64urlEncode(JSON.stringify(claims));
+    const sigInput = JWT_HEADER + "." + payload;
+    const sig = createHmac("sha256", key).update(sigInput).digest();
+    return sigInput + "." + base64urlEncode(sig);
+  } catch {
+    return undefined;
+  }
+}

package/src/lib/local.ts

@@ -715,6 +715,20 @@ export function getLocalLanIPv4(): string | undefined {
   return undefined;
 }
 
+/**
+ * Check whether watch-mode startup is possible. Watch mode requires source
+ * files (bun --watch only works with .ts sources, not compiled binaries).
+ * Returns true when assistant source can be resolved, false otherwise.
+ *
+ * Use this before stopping a running assistant for a watch-mode restart — if
+ * watch mode isn't available (e.g. packaged desktop app without source), the
+ * caller should keep the existing process alive rather than killing it and
+ * failing.
+ */
+export function isWatchModeAvailable(): boolean {
+  return resolveAssistantIndexPath() !== undefined;
+}
+
 // NOTE: startLocalDaemon() is the CLI-side daemon lifecycle manager.
 // It should eventually converge with
 // assistant/src/daemon/daemon-control.ts::startDaemon which is the
@@ -789,12 +803,17 @@ export async function startLocalDaemon(
       // macOS app the CLI inherits a huge environment (XPC_SERVICE_NAME,
       // __CFBundleIdentifier, CLAUDE_CODE_ENTRYPOINT, etc.) that can cause
       // the daemon to take 50+ seconds to start instead of ~1s.
-      const bunBinDir = join(homedir(), ".bun", "bin");
+      const home = homedir();
+      const bunBinDir = join(home, ".bun", "bin");
+      const localBinDir = join(home, ".local", "bin");
       const basePath =
         process.env.PATH || "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin";
+      const extraDirs = [bunBinDir, localBinDir].filter(
+        (d) => !basePath.split(":").includes(d),
+      );
       const daemonEnv: Record<string, string> = {
-        HOME: process.env.HOME || homedir(),
-        PATH: `${bunBinDir}:${basePath}`,
+        HOME: process.env.HOME || home,
+        PATH: [...extraDirs, basePath].filter(Boolean).join(":"),
       };
       // Forward optional config env vars the daemon may need
       for (const key of [

package/src/lib/platform-client.ts

@@ -11,9 +11,12 @@ import { join, dirname } from "path";
 
 const DEFAULT_PLATFORM_URL = "https://platform.vellum.ai";
 
+function getXdgConfigHome(): string {
+  return process.env.XDG_CONFIG_HOME?.trim() || join(homedir(), ".config");
+}
+
 function getPlatformTokenPath(): string {
-  const base = process.env.BASE_DATA_DIR || homedir();
-  return join(base, ".vellum", "platform-token");
+  return join(getXdgConfigHome(), "vellum", "platform-token");
 }
 
 export function getPlatformUrl(): string {

package/src/lib/policy.ts

@@ -0,0 +1,7 @@
+/**
+ * Policy epoch constant for the external CLI.
+ *
+ * Must stay in sync with assistant/src/runtime/auth/policy.ts.
+ * When the daemon bumps CURRENT_POLICY_EPOCH, update this value too.
+ */
+export const CURRENT_POLICY_EPOCH = 1;