@vellumai/cli 0.4.54 → 0.4.56

package/src/commands/hatch.ts

@@ -1,4 +1,3 @@
-import { createHash, randomBytes, randomUUID } from "crypto";
 import {
   appendFileSync,
   existsSync,
@@ -6,16 +5,14 @@ import {
   mkdirSync,
   readFileSync,
   readlinkSync,
+  rmSync,
   symlinkSync,
   unlinkSync,
   writeFileSync,
 } from "fs";
-import { homedir, hostname, userInfo } from "os";
+import { homedir } from "os";
 import { join } from "path";
 
-import QRCode from "qrcode";
-import qrcode from "qrcode-terminal";
-
 // Direct import — bun embeds this at compile time so it works in compiled binaries.
 import cliPkg from "../../package.json";
 
@@ -40,7 +37,6 @@ import {
 } from "../lib/constants";
 import type { RemoteHost, Species } from "../lib/constants";
 import { hatchDocker } from "../lib/docker";
-import { mintLocalBearerToken } from "../lib/jwt";
 import { hatchGcp } from "../lib/gcp";
 import type { PollResult, WatchHatchingResult } from "../lib/gcp";
 import {
@@ -49,9 +45,10 @@ import {
   stopLocalProcesses,
 } from "../lib/local";
 import { maybeStartNgrokTunnel } from "../lib/ngrok";
+import { httpHealthCheck } from "../lib/http-client";
 import { detectOrphanedProcesses } from "../lib/orphan-detection";
 import { isProcessAlive, stopProcess } from "../lib/process";
-import { generateRandomSuffix } from "../lib/random-name";
+import { generateInstanceName } from "../lib/random-name";
 import { validateAssistantName } from "../lib/retire-archive";
 import { archiveLogFile, resetLogFile } from "../lib/xdg-log";
 
@@ -97,14 +94,12 @@ chown -R "$SSH_USER:$SSH_USER" "$SSH_USER_HOME" 2>/dev/null || true
 
 export async function buildStartupScript(
   species: Species,
-  bearerToken: string,
   sshUser: string,
   anthropicApiKey: string,
   instanceName: string,
   cloud: RemoteHost,
 ): Promise<string> {
-  const platformUrl =
-    process.env.VELLUM_PLATFORM_URL ?? "https://assistant.vellum.ai";
+  const platformUrl = process.env.VELLUM_PLATFORM_URL ?? "https://vellum.ai";
   const logPath =
     cloud === "custom"
       ? "/tmp/vellum-startup.log"
@@ -117,7 +112,6 @@ export async function buildStartupScript(
 
   if (species === "openclaw") {
     return await buildOpenclawStartupScript(
-      bearerToken,
       sshUser,
       anthropicApiKey,
       timestampRedirect,
@@ -567,121 +561,6 @@ function installCLISymlink(): void {
   );
 }
 
-async function waitForDaemonReady(
-  runtimeUrl: string,
-  bearerToken: string | undefined,
-  timeoutMs = 15000,
-): Promise<boolean> {
-  const start = Date.now();
-  const pollInterval = 1000;
-  while (Date.now() - start < timeoutMs) {
-    try {
-      const res = await fetch(`${runtimeUrl}/v1/health`, {
-        method: "GET",
-        headers: bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {},
-        signal: AbortSignal.timeout(2000),
-      });
-      if (res.ok) return true;
-    } catch {
-      // Daemon not ready yet
-    }
-    await new Promise((r) => setTimeout(r, pollInterval));
-  }
-  return false;
-}
-
-async function displayPairingQRCode(
-  runtimeUrl: string,
-  bearerToken: string | undefined,
-  /** External gateway URL for the QR payload. When omitted, runtimeUrl is used. */
-  externalGatewayUrl?: string,
-): Promise<void> {
-  try {
-    const pairingRequestId = randomUUID();
-    const pairingSecret = randomBytes(32).toString("hex");
-
-    // The daemon's HTTP server may not be fully ready even though the gateway
-    // health check passed (the gateway is up, but the upstream daemon HTTP
-    // endpoint it proxies to may still be initializing). Poll the daemon's
-    // health endpoint through the gateway to ensure it's reachable.
-    const daemonReady = await waitForDaemonReady(runtimeUrl, bearerToken);
-    if (!daemonReady) {
-      console.warn(
-        "⚠ Assistant health check did not pass within 15s. Run `vellum pair` to try again.\n",
-      );
-      return;
-    }
-
-    const registerRes = await fetch(`${runtimeUrl}/pairing/register`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        ...(bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {}),
-      },
-      body: JSON.stringify({
-        pairingRequestId,
-        pairingSecret,
-        gatewayUrl: externalGatewayUrl ?? runtimeUrl,
-      }),
-    });
-
-    if (!registerRes.ok) {
-      const body = await registerRes.text().catch(() => "");
-      console.warn(
-        `⚠ Could not register pairing request: ${registerRes.status} ${registerRes.statusText}${body ? ` — ${body}` : ""}. Run \`vellum pair\` to try again.\n`,
-      );
-      return;
-    }
-
-    const hostId = createHash("sha256")
-      .update(hostname() + userInfo().username)
-      .digest("hex");
-    const payload = JSON.stringify({
-      type: "vellum-daemon",
-      v: 4,
-      id: hostId,
-      g: externalGatewayUrl ?? runtimeUrl,
-      pairingRequestId,
-      pairingSecret,
-    });
-
-    const qrString = await new Promise<string>((resolve) => {
-      qrcode.generate(payload, { small: true }, (code: string) => {
-        resolve(code);
-      });
-    });
-
-    // Save QR code as PNG to a well-known location so it can be retrieved
-    // (e.g. via SCP) for pairing through the Desktop app.
-    const qrDir = join(homedir(), ".vellum", "pairing-qr");
-    mkdirSync(qrDir, { recursive: true });
-    const qrPngPath = join(qrDir, "initial.png");
-    try {
-      const pngBuffer = await QRCode.toBuffer(payload, {
-        type: "png",
-        width: 512,
-      });
-      writeFileSync(qrPngPath, pngBuffer);
-      console.log(`QR code PNG saved to ${qrPngPath}\n`);
-    } catch (pngErr) {
-      const pngReason =
-        pngErr instanceof Error ? pngErr.message : String(pngErr);
-      console.warn(`\u26A0 Could not save QR code PNG: ${pngReason}\n`);
-    }
-
-    console.log("Scan this QR code with the Vellum iOS app to pair:\n");
-    console.log(qrString);
-    console.log("This pairing request expires in 5 minutes.");
-    console.log("Run `vellum pair` to generate a new one.\n");
-  } catch (err) {
-    // Non-fatal — pairing is optional
-    const reason = err instanceof Error ? err.message : String(err);
-    console.warn(
-      `⚠ Could not generate pairing QR code: ${reason}. Run \`vellum pair\` to try again.\n`,
-    );
-  }
-}
-
 async function hatchLocal(
   species: Species,
   name: string | null,
@@ -697,13 +576,15 @@ async function hatchLocal(
     process.exit(1);
   }
 
-  const instanceName =
-    name ??
-    process.env.VELLUM_ASSISTANT_NAME ??
-    `${species}-${generateRandomSuffix()}`;
+  const instanceName = generateInstanceName(
+    species,
+    name ?? process.env.VELLUM_ASSISTANT_NAME,
+  );
 
   // Clean up stale local state: if daemon/gateway processes are running but
-  // the lock file has no entries, stop them before starting fresh.
+  // the lock file has no entries AND the daemon is not healthy, stop them
+  // before starting fresh. A healthy daemon should be reused, not killed —
+  // it may have been started intentionally via `vellum wake`.
   const vellumDir = join(homedir(), ".vellum");
   const existingAssistants = loadAllAssistants();
   const localAssistants = existingAssistants.filter((a) => a.cloud === "local");
@@ -711,10 +592,16 @@ async function hatchLocal(
     const daemonPid = isProcessAlive(join(vellumDir, "vellum.pid"));
     const gatewayPid = isProcessAlive(join(vellumDir, "gateway.pid"));
     if (daemonPid.alive || gatewayPid.alive) {
-      console.log(
-        "🧹 Cleaning up stale local processes (no lock file entry)...\n",
-      );
-      await stopLocalProcesses();
+      // Check if the daemon is actually healthy before killing it.
+      // Default port 7821 is used when there's no lockfile entry.
+      const defaultPort = parseInt(process.env.RUNTIME_HTTP_PORT || "7821", 10);
+      const healthy = await httpHealthCheck(defaultPort);
+      if (!healthy) {
+        console.log(
+          "🧹 Cleaning up stale local processes (no lock file entry)...\n",
+        );
+        await stopLocalProcesses();
+      }
     }
   }
 
@@ -722,17 +609,32 @@ async function hatchLocal(
   // are not tracked by any PID file or lock file entry and kill them before
   // starting new ones. This prevents resource leaks when the desktop app
   // crashes or is force-quit without a clean shutdown.
+  //
+  // Skip orphan cleanup if the daemon is already healthy on the expected port
+  // — those processes are intentional (e.g. started via `vellum wake`) and
+  // startLocalDaemon() will reuse them.
   if (IS_DESKTOP) {
-    const orphans = await detectOrphanedProcesses();
-    if (orphans.length > 0) {
-      desktopLog(
-        `🧹 Found ${orphans.length} orphaned process${orphans.length === 1 ? "" : "es"} — cleaning up...`,
-      );
-      for (const orphan of orphans) {
-        await stopProcess(
-          parseInt(orphan.pid, 10),
-          `${orphan.name} (PID ${orphan.pid})`,
+    const existingResources = findAssistantByName(instanceName);
+    const expectedPort =
+      existingResources?.cloud === "local" && existingResources.resources
+        ? existingResources.resources.daemonPort
+        : undefined;
+    const daemonAlreadyHealthy = expectedPort
+      ? await httpHealthCheck(expectedPort)
+      : false;
+
+    if (!daemonAlreadyHealthy) {
+      const orphans = await detectOrphanedProcesses();
+      if (orphans.length > 0) {
+        desktopLog(
+          `🧹 Found ${orphans.length} orphaned process${orphans.length === 1 ? "" : "es"} — cleaning up...`,
         );
+        for (const orphan of orphans) {
+          await stopProcess(
+            parseInt(orphan.pid, 10),
+            `${orphan.name} (PID ${orphan.pid})`,
+          );
+        }
       }
     }
   }
@@ -747,6 +649,38 @@ async function hatchLocal(
     resources = await allocateLocalResources(instanceName);
   }
 
+  // Clean up stale workspace data: if the workspace directory already exists for
+  // this instance but no local lockfile entry owns it, a previous retire failed
+  // to archive it (or a managed-only retire left local data behind). Remove the
+  // workspace subtree so the new assistant starts fresh — but preserve the rest
+  // of .vellum (e.g. protected/, credentials) which may be shared.
+  if (
+    !existingEntry ||
+    (existingEntry.cloud != null && existingEntry.cloud !== "local")
+  ) {
+    const instanceWorkspaceDir = join(
+      resources.instanceDir,
+      ".vellum",
+      "workspace",
+    );
+    if (existsSync(instanceWorkspaceDir)) {
+      const ownedByOther = loadAllAssistants().some((a) => {
+        if ((a.cloud != null && a.cloud !== "local") || !a.resources)
+          return false;
+        return (
+          join(a.resources.instanceDir, ".vellum", "workspace") ===
+          instanceWorkspaceDir
+        );
+      });
+      if (!ownedByOther) {
+        console.log(
+          `🧹 Removing stale workspace at ${instanceWorkspaceDir} (not owned by any assistant)...\n`,
+        );
+        rmSync(instanceWorkspaceDir, { recursive: true, force: true });
+      }
+    }
+  }
+
   const logsDir = join(
     resources.instanceDir,
     ".vellum",
@@ -795,15 +729,10 @@ async function hatchLocal(
     delete process.env.BASE_DATA_DIR;
   }
 
-  // Mint a JWT from the signing key so the CLI can authenticate with the
-  // daemon/gateway (which requires auth by default).
-  const bearerToken = mintLocalBearerToken(resources.instanceDir);
-
   const localEntry: AssistantEntry = {
     assistantId: instanceName,
     runtimeUrl,
     localUrl: `http://127.0.0.1:${resources.gatewayPort}`,
-    bearerToken,
     cloud: "local",
     species,
     hatchedAt: new Date().toISOString(),
@@ -825,12 +754,6 @@ async function hatchLocal(
     console.log(`  Name: ${instanceName}`);
     console.log(`  Runtime: ${runtimeUrl}`);
     console.log("");
-
-    // Use loopback for HTTP calls (health check + pairing register) since
-    // mDNS hostnames may not resolve on the local machine, but keep the
-    // external runtimeUrl in the QR payload so iOS devices can reach it.
-    const localGatewayUrl = `http://127.0.0.1:${resources.gatewayPort}`;
-    await displayPairingQRCode(localGatewayUrl, bearerToken, runtimeUrl);
   }
 
   if (keepAlive) {

package/src/commands/pair.ts

@@ -7,7 +7,7 @@ import { PNG } from "pngjs";
 import { saveAssistantEntry } from "../lib/assistant-config";
 import type { AssistantEntry } from "../lib/assistant-config";
 import type { Species } from "../lib/constants";
-import { generateRandomSuffix } from "../lib/random-name";
+import { generateInstanceName } from "../lib/random-name";
 
 interface QRPairingPayload {
   type: string;
@@ -119,7 +119,7 @@ export async function pair(): Promise<void> {
       throw new Error("QR code does not contain valid Vellum pairing data.");
     }
 
-    const instanceName = `${species}-${generateRandomSuffix()}`;
+    const instanceName = generateInstanceName(species);
     const runtimeUrl = payload.g;
     const deviceId = getDeviceId();
     const deviceName = hostname();

package/src/commands/retire.ts

@@ -9,7 +9,11 @@ import {
   removeAssistantEntry,
 } from "../lib/assistant-config";
 import type { AssistantEntry } from "../lib/assistant-config";
-import { getPlatformUrl, readPlatformToken } from "../lib/platform-client";
+import {
+  fetchOrganizationId,
+  getPlatformUrl,
+  readPlatformToken,
+} from "../lib/platform-client";
 import { retireInstance as retireAwsInstance } from "../lib/aws";
 import { retireDocker } from "../lib/docker";
 import { retireInstance as retireGcpInstance } from "../lib/gcp";
@@ -84,6 +88,21 @@ async function retireLocal(name: string, entry: AssistantEntry): Promise<void> {
   const gatewayPidFile = join(vellumDir, "gateway.pid");
   await stopProcessByPidFile(gatewayPidFile, "gateway", undefined, 7000);
 
+  // Stop Qdrant — the daemon's graceful shutdown tries to stop it via
+  // qdrantManager.stop(), but if the daemon was SIGKILL'd (after 2s timeout)
+  // Qdrant may still be running as an orphan. Check both the current PID file
+  // location and the legacy location.
+  const qdrantPidFile = join(
+    vellumDir,
+    "workspace",
+    "data",
+    "qdrant",
+    "qdrant.pid",
+  );
+  const qdrantLegacyPidFile = join(vellumDir, "qdrant.pid");
+  await stopProcessByPidFile(qdrantPidFile, "qdrant", undefined, 5000);
+  await stopProcessByPidFile(qdrantLegacyPidFile, "qdrant", undefined, 5000);
+
   // If the PID file didn't track a running daemon, scan for orphaned
   // daemon processes that may have been started without writing a PID.
   if (!daemonStopped) {
@@ -116,12 +135,12 @@ async function retireLocal(name: string, entry: AssistantEntry): Promise<void> {
   try {
     renameSync(dirToArchive, stagingDir);
   } catch (err) {
-    console.warn(
-      `⚠️  Failed to move ${dirToArchive}: ${err instanceof Error ? err.message : err}`,
+    // Re-throw so the caller (and the desktop app) knows the archive failed.
+    // If the rename fails, old workspace data stays in place and a subsequent
+    // hatch would inherit stale SOUL.md, IDENTITY.md, and memories.
+    throw new Error(
+      `Failed to archive ${dirToArchive}: ${err instanceof Error ? err.message : err}`,
     );
-    console.warn("Skipping archive.");
-    console.log("\u2705 Local instance retired.");
-    return;
   }
 
   writeFileSync(metadataPath, JSON.stringify(entry, null, 2) + "\n");
@@ -189,10 +208,15 @@ async function retireVellum(assistantId: string): Promise<void> {
     process.exit(1);
   }
 
+  const orgId = await fetchOrganizationId(token);
+
   const url = `${getPlatformUrl()}/v1/assistants/${encodeURIComponent(assistantId)}/retire/`;
   const response = await fetch(url, {
     method: "DELETE",
-    headers: { "X-Session-Token": token },
+    headers: {
+      "X-Session-Token": token,
+      "Vellum-Organization-Id": orgId,
+    },
   });
 
   if (!response.ok) {

package/src/commands/wake.ts

@@ -4,7 +4,8 @@ import { join } from "path";
 import { resolveTargetAssistant } from "../lib/assistant-config.js";
 import { isProcessAlive, stopProcessByPidFile } from "../lib/process";
 import {
-  isWatchModeAvailable,
+  isAssistantWatchModeAvailable,
+  isGatewayWatchModeAvailable,
   startLocalDaemon,
   startGateway,
 } from "../lib/local";
@@ -24,12 +25,16 @@ export async function wake(): Promise<void> {
     console.log("");
     console.log("Options:");
     console.log(
-      "  --watch    Run assistant and gateway in watch mode (hot reload on source changes)",
+      "  --watch        Run assistant and gateway in watch mode (hot reload on source changes)",
+    );
+    console.log(
+      "  --foreground   Run assistant in foreground with logs printed to terminal",
     );
     process.exit(0);
   }
 
   const watch = args.includes("--watch");
+  const foreground = args.includes("--foreground");
   const nameArg = args.find((a) => !a.startsWith("-"));
   const entry = resolveTargetAssistant(nameArg);
 
@@ -64,7 +69,7 @@ export async function wake(): Promise<void> {
           // Watch mode requires bun --watch with .ts sources; packaged desktop
           // builds only have a compiled binary. Stopping the daemon without a
           // viable watch-mode path would leave the user with no running assistant.
-          if (!isWatchModeAvailable()) {
+          if (!isAssistantWatchModeAvailable()) {
             console.log(
               `Assistant running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
             );
@@ -85,7 +90,7 @@ export async function wake(): Promise<void> {
   }
 
   if (!daemonRunning) {
-    await startLocalDaemon(watch, resources);
+    await startLocalDaemon(watch, resources, { foreground });
   }
 
   // Start gateway
@@ -95,8 +100,8 @@ export async function wake(): Promise<void> {
     const { alive, pid } = isProcessAlive(gatewayPidFile);
     if (alive) {
       if (watch) {
-        // Same guard as the daemon: only restart if watch mode is viable.
-        if (!isWatchModeAvailable()) {
+        // Guard gateway restart separately: check gateway source availability.
+        if (!isGatewayWatchModeAvailable()) {
           console.log(
             `Gateway running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
           );
@@ -131,4 +136,18 @@ export async function wake(): Promise<void> {
   }
 
   console.log("Wake complete.");
+
+  if (foreground) {
+    console.log("Running in foreground (Ctrl+C to stop)...\n");
+    // Block forever — the daemon is running with inherited stdio so its
+    // output streams to this terminal. When the user hits Ctrl+C, SIGINT
+    // propagates to the daemon child and both exit.
+    await new Promise<void>((resolve) => {
+      process.on("SIGINT", () => {
+        console.log("\nShutting down...");
+        resolve();
+      });
+      process.on("SIGTERM", () => resolve());
+    });
+  }
 }

package/src/components/DefaultMainScreen.tsx

@@ -1943,7 +1943,7 @@ function ChatApp({
             .update(hostname() + userInfo().username)
             .digest("hex");
           const payload = JSON.stringify({
-            type: "vellum-daemon",
+            type: "vellum-assistant",
             v: 4,
             id: hostId,
             g: gatewayUrl,

package/src/lib/assistant-config.ts

@@ -3,6 +3,7 @@ import { homedir } from "os";
 import { join } from "path";
 
 import {
+  DAEMON_INTERNAL_ASSISTANT_ID,
   DEFAULT_DAEMON_PORT,
   DEFAULT_GATEWAY_PORT,
   DEFAULT_QDRANT_PORT,
@@ -49,6 +50,8 @@ export interface AssistantEntry {
   sshUser?: string;
   zone?: string;
   hatchedAt?: string;
+  /** Name of the shared volume backing BASE_DATA_DIR for containerised instances. */
+  volume?: string;
   /** Per-instance resource config. Present for local entries in multi-instance setups. */
   resources?: LocalInstanceResources;
   [key: string]: unknown;
@@ -152,7 +155,9 @@ export function migrateLegacyEntry(raw: Record<string, unknown>): boolean {
       "share",
       "vellum",
       "assistants",
-      typeof raw.assistantId === "string" ? raw.assistantId : "default",
+      typeof raw.assistantId === "string"
+        ? raw.assistantId
+        : DAEMON_INTERNAL_ASSISTANT_ID,
     );
     raw.resources = {
       instanceDir,
@@ -172,7 +177,9 @@ export function migrateLegacyEntry(raw: Record<string, unknown>): boolean {
         "share",
         "vellum",
         "assistants",
-        typeof raw.assistantId === "string" ? raw.assistantId : "default",
+        typeof raw.assistantId === "string"
+          ? raw.assistantId
+          : DAEMON_INTERNAL_ASSISTANT_ID,
       );
       mutated = true;
     }

package/src/lib/aws.ts

@@ -1,4 +1,3 @@
-import { randomBytes } from "crypto";
 import { existsSync, mkdirSync, unlinkSync, writeFileSync } from "fs";
 import { homedir, tmpdir, userInfo } from "os";
 import { join } from "path";
@@ -9,7 +8,8 @@ import { saveAssistantEntry, setActiveAssistant } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
 import { GATEWAY_PORT } from "./constants";
 import type { Species } from "./constants";
-import { generateRandomSuffix } from "./random-name";
+import { leaseGuardianToken } from "./guardian-token";
+import { generateInstanceName } from "./random-name";
 import { exec, execOutput } from "./step-runner";
 
 const KEY_PAIR_NAME = "vellum-assistant";
@@ -370,28 +370,6 @@ async function pollAwsInstance(
   }
 }
 
-async function fetchRemoteBearerToken(
-  ip: string,
-  keyPath: string,
-): Promise<string | null> {
-  try {
-    const remoteCmd =
-      'cat ~/.vellum.lock.json 2>/dev/null || cat ~/.vellum.lockfile.json 2>/dev/null || echo "{}"';
-    const output = await awsSshExec(ip, keyPath, remoteCmd);
-    const data = JSON.parse(output.trim());
-    const assistants = data.assistants;
-    if (Array.isArray(assistants) && assistants.length > 0) {
-      const token = assistants[0].bearerToken;
-      if (typeof token === "string" && token) {
-        return token;
-      }
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-
 export async function hatchAws(
   species: Species,
   detached: boolean,
@@ -405,12 +383,7 @@ export async function hatchAws(
       (await getActiveRegion().catch(() => AWS_DEFAULT_REGION));
     let instanceName: string;
 
-    if (name) {
-      instanceName = name;
-    } else {
-      const suffix = generateRandomSuffix();
-      instanceName = `${species}-${suffix}`;
-    }
+    instanceName = generateInstanceName(species, name);
 
     console.log(`\u{1F95A} Creating new assistant: ${instanceName}`);
     console.log(`   Species: ${species}`);
@@ -431,13 +404,11 @@ export async function hatchAws(
         console.log(
           `\u26a0\ufe0f  Instance name ${instanceName} already exists, generating a new name...`,
         );
-        const suffix = generateRandomSuffix();
-        instanceName = `${species}-${suffix}`;
+        instanceName = generateInstanceName(species);
       }
     }
 
     const sshUser = userInfo().username;
-    const bearerToken = randomBytes(32).toString("hex");
     const hatchedBy = process.env.VELLUM_HATCHED_BY;
     const anthropicApiKey = process.env.ANTHROPIC_API_KEY;
     if (!anthropicApiKey) {
@@ -465,7 +436,6 @@ export async function hatchAws(
 
     const startupScript = await buildStartupScript(
       species,
-      bearerToken,
       sshUser,
       anthropicApiKey,
       instanceName,
@@ -558,10 +528,14 @@ export async function hatchAws(
           process.exit(1);
         }
 
-        const remoteBearerToken = await fetchRemoteBearerToken(ip, keyPath);
-        if (remoteBearerToken) {
-          awsEntry.bearerToken = remoteBearerToken;
+        try {
+          const tokenData = await leaseGuardianToken(runtimeUrl, instanceName);
+          awsEntry.bearerToken = tokenData.accessToken;
           saveAssistantEntry(awsEntry);
+        } catch (err) {
+          console.warn(
+            `\u26a0\ufe0f  Could not lease guardian token: ${err instanceof Error ? err.message : err}`,
+          );
         }
       } else {
         console.log(

package/src/lib/constants.ts

@@ -1,3 +1,10 @@
+/**
+ * Canonical internal assistant ID used as the default/fallback across the CLI
+ * and daemon. Mirrors `DAEMON_INTERNAL_ASSISTANT_ID` from
+ * `assistant/src/runtime/assistant-scope.ts`.
+ */
+export const DAEMON_INTERNAL_ASSISTANT_ID = "self" as const;
+
 export const FIREWALL_TAG = "vellum-assistant";
 export const GATEWAY_PORT = process.env.GATEWAY_PORT
   ? Number(process.env.GATEWAY_PORT)