@vellumai/cli 0.4.53 → 0.4.54

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.4.53",
+  "version": "0.4.54",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {

package/src/commands/hatch.ts

@@ -40,6 +40,7 @@ import {
 } from "../lib/constants";
 import type { RemoteHost, Species } from "../lib/constants";
 import { hatchDocker } from "../lib/docker";
+import { mintLocalBearerToken } from "../lib/jwt";
 import { hatchGcp } from "../lib/gcp";
 import type { PollResult, WatchHatchingResult } from "../lib/gcp";
 import {
@@ -794,17 +795,9 @@ async function hatchLocal(
     delete process.env.BASE_DATA_DIR;
   }
 
-  // Read the bearer token (JWT) written by the daemon so the CLI can
-  // with the gateway (which requires auth by default). The daemon writes under
-  // getRootDir() which resolves to <instanceDir>/.vellum/.
-  let bearerToken: string | undefined;
-  try {
-    const tokenPath = join(resources.instanceDir, ".vellum", "http-token");
-    const token = readFileSync(tokenPath, "utf-8").trim();
-    if (token) bearerToken = token;
-  } catch {
-    // Token file may not exist if daemon started without HTTP server
-  }
+  // Mint a JWT from the signing key so the CLI can authenticate with the
+  // daemon/gateway (which requires auth by default).
+  const bearerToken = mintLocalBearerToken(resources.instanceDir);
 
   const localEntry: AssistantEntry = {
     assistantId: instanceName,

package/src/lib/jwt.ts

@@ -0,0 +1,62 @@
+/**
+ * Minimal JWT minting for the external CLI.
+ *
+ * Loads the shared HMAC signing key from disk and mints short-lived JWTs
+ * so the CLI can authenticate with the daemon's HTTP server without reading
+ * the deprecated http-token file.
+ */
+
+import { createHmac, randomBytes } from "crypto";
+import { readFileSync } from "fs";
+import { join } from "path";
+
+import { CURRENT_POLICY_EPOCH } from "./policy.js";
+
+function base64urlEncode(data: Buffer | string): string {
+  const buf = typeof data === "string" ? Buffer.from(data, "utf-8") : data;
+  return buf.toString("base64url");
+}
+
+const JWT_HEADER = base64urlEncode(
+  JSON.stringify({ alg: "HS256", typ: "JWT" }),
+);
+
+/**
+ * Mint a short-lived JWT bearer token for the given instance directory.
+ *
+ * Reads the signing key from `<instanceDir>/.vellum/protected/actor-token-signing-key`
+ * and mints a 30-day JWT with `aud=vellum-gateway`.
+ *
+ * Returns undefined if the signing key doesn't exist yet (daemon not started).
+ */
+export function mintLocalBearerToken(instanceDir: string): string | undefined {
+  try {
+    const keyPath = join(
+      instanceDir,
+      ".vellum",
+      "protected",
+      "actor-token-signing-key",
+    );
+    const key = readFileSync(keyPath);
+    if (key.length !== 32) return undefined;
+
+    const now = Math.floor(Date.now() / 1000);
+    const claims = {
+      iss: "vellum-auth",
+      aud: "vellum-gateway",
+      sub: "local:cli:cli",
+      scope_profile: "actor_client_v1",
+      exp: now + 30 * 24 * 60 * 60,
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      iat: now,
+      jti: randomBytes(16).toString("hex"),
+    };
+
+    const payload = base64urlEncode(JSON.stringify(claims));
+    const sigInput = JWT_HEADER + "." + payload;
+    const sig = createHmac("sha256", key).update(sigInput).digest();
+    return sigInput + "." + base64urlEncode(sig);
+  } catch {
+    return undefined;
+  }
+}

package/src/lib/local.ts

@@ -803,12 +803,17 @@ export async function startLocalDaemon(
       // macOS app the CLI inherits a huge environment (XPC_SERVICE_NAME,
       // __CFBundleIdentifier, CLAUDE_CODE_ENTRYPOINT, etc.) that can cause
       // the daemon to take 50+ seconds to start instead of ~1s.
-      const bunBinDir = join(homedir(), ".bun", "bin");
+      const home = homedir();
+      const bunBinDir = join(home, ".bun", "bin");
+      const localBinDir = join(home, ".local", "bin");
       const basePath =
         process.env.PATH || "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin";
+      const extraDirs = [bunBinDir, localBinDir].filter(
+        (d) => !basePath.split(":").includes(d),
+      );
       const daemonEnv: Record<string, string> = {
-        HOME: process.env.HOME || homedir(),
-        PATH: `${bunBinDir}:${basePath}`,
+        HOME: process.env.HOME || home,
+        PATH: [...extraDirs, basePath].filter(Boolean).join(":"),
       };
       // Forward optional config env vars the daemon may need
       for (const key of [

package/src/lib/platform-client.ts

@@ -11,9 +11,12 @@ import { join, dirname } from "path";
 
 const DEFAULT_PLATFORM_URL = "https://platform.vellum.ai";
 
+function getXdgConfigHome(): string {
+  return process.env.XDG_CONFIG_HOME?.trim() || join(homedir(), ".config");
+}
+
 function getPlatformTokenPath(): string {
-  const base = process.env.BASE_DATA_DIR || homedir();
-  return join(base, ".vellum", "platform-token");
+  return join(getXdgConfigHome(), "vellum", "platform-token");
 }
 
 export function getPlatformUrl(): string {

package/src/lib/policy.ts

@@ -0,0 +1,7 @@
+/**
+ * Policy epoch constant for the external CLI.
+ *
+ * Must stay in sync with assistant/src/runtime/auth/policy.ts.
+ * When the daemon bumps CURRENT_POLICY_EPOCH, update this value too.
+ */
+export const CURRENT_POLICY_EPOCH = 1;