@vellumai/cli 0.5.12 → 0.5.14

package/src/commands/upgrade.ts

@@ -13,8 +13,6 @@ import {
   captureImageRefs,
   GATEWAY_INTERNAL_PORT,
   dockerResourceNames,
-  migrateCesSecurityFiles,
-  migrateGatewaySecurityFiles,
   startContainers,
   stopContainers,
 } from "../lib/docker";
@@ -417,12 +415,6 @@ async function upgradeDocker(
     }
   }
 
-  console.log("🔄 Migrating security files to gateway volume...");
-  await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-
-  console.log("🔄 Migrating credential files to CES security volume...");
-  await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
   console.log("🚀 Starting upgraded containers...");
   await startContainers(
     {
@@ -522,9 +514,6 @@ async function upgradeDocker(
 
         await stopContainers(res);
 
-        await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-        await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
         await startContainers(
           {
             signingKey,
@@ -729,9 +718,9 @@ async function upgradePlatform(
     process.exit(1);
   }
 
-  const orgId = await fetchOrganizationId(token);
+  const orgId = await fetchOrganizationId(token, entry.runtimeUrl);
 
-  const url = `${getPlatformUrl()}/v1/assistants/upgrade/`;
+  const url = `${entry.runtimeUrl || getPlatformUrl()}/v1/assistants/upgrade/`;
   const body: { assistant_id?: string; version?: string } = {
     assistant_id: entry.assistantId,
   };

package/src/commands/wake.ts

@@ -1,10 +1,14 @@
 import { existsSync, readFileSync, writeFileSync } from "fs";
 import { join } from "path";
 
-import { resolveTargetAssistant } from "../lib/assistant-config.js";
+import {
+  resolveTargetAssistant,
+  saveAssistantEntry,
+} from "../lib/assistant-config.js";
 import { dockerResourceNames, wakeContainers } from "../lib/docker.js";
 import { isProcessAlive, stopProcessByPidFile } from "../lib/process";
 import {
+  generateLocalSigningKey,
   isAssistantWatchModeAvailable,
   isGatewayWatchModeAvailable,
   startLocalDaemon,
@@ -106,8 +110,17 @@ export async function wake(): Promise<void> {
     }
   }
 
+  // Reuse the lockfile-persisted signing key so client actor tokens survive
+  // daemon/gateway restarts. Generate and persist a new one only on first wake.
+  let signingKey = resources.signingKey;
+  if (!signingKey) {
+    signingKey = generateLocalSigningKey();
+    entry.resources = { ...resources, signingKey };
+    saveAssistantEntry(entry);
+  }
+
   if (!daemonRunning) {
-    await startLocalDaemon(watch, resources, { foreground });
+    await startLocalDaemon(watch, resources, { foreground, signingKey });
   }
 
   // Start gateway
@@ -127,13 +140,13 @@ export async function wake(): Promise<void> {
             `Gateway running (pid ${pid}) — restarting in watch mode...`,
           );
           await stopProcessByPidFile(gatewayPidFile, "gateway");
-          await startGateway(watch, resources);
+          await startGateway(watch, resources, { signingKey });
         }
       } else {
         console.log(`Gateway already running (pid ${pid}).`);
       }
     } else {
-      await startGateway(watch, resources);
+      await startGateway(watch, resources, { signingKey });
     }
   }
 

package/src/index.ts

@@ -15,6 +15,7 @@ import { rollback } from "./commands/rollback";
 import { setup } from "./commands/setup";
 import { sleep } from "./commands/sleep";
 import { ssh } from "./commands/ssh";
+import { teleport } from "./commands/teleport";
 import { tunnel } from "./commands/tunnel";
 import { upgrade } from "./commands/upgrade";
 import { use } from "./commands/use";
@@ -44,6 +45,7 @@ const commands = {
   setup,
   sleep,
   ssh,
+  teleport,
   tunnel,
   upgrade,
   use,
@@ -76,6 +78,7 @@ function printHelp(): void {
   console.log("  setup    Configure API keys interactively");
   console.log("  sleep    Stop the assistant process");
   console.log("  ssh      SSH into a remote assistant instance");
+  console.log("  teleport Transfer assistant data between environments");
   console.log("  tunnel   Create a tunnel for a locally hosted assistant");
   console.log("  upgrade  Upgrade an assistant to a newer version");
   console.log("  use      Set the active assistant for commands");

package/src/lib/assistant-config.ts

@@ -16,6 +16,7 @@ import {
   DEFAULT_DAEMON_PORT,
   DEFAULT_GATEWAY_PORT,
   DEFAULT_QDRANT_PORT,
+  LOCKFILE_NAMES,
 } from "./constants.js";
 import { probePort } from "./port-probe.js";
 
@@ -42,6 +43,9 @@ export interface LocalInstanceResources {
   cesPort: number;
   /** Absolute path to the daemon PID file */
   pidFile: string;
+  /** Persisted HMAC signing key (hex). Survives daemon/gateway restarts so
+   *  client actor tokens remain valid across `wake` cycles. */
+  signingKey?: string;
   [key: string]: unknown;
 }
 
@@ -76,8 +80,6 @@ export interface AssistantEntry {
   sshUser?: string;
   zone?: string;
   hatchedAt?: string;
-  /** Name of the shared volume backing BASE_DATA_DIR for containerised instances. */
-  volume?: string;
   /** Per-instance resource config. Present for local entries in multi-instance setups. */
   resources?: LocalInstanceResources;
   /** PID of the file watcher process for docker instances hatched with --watch. */
@@ -119,10 +121,7 @@ function getLockfileDir(): string {
 
 function readLockfile(): LockfileData {
   const base = getLockfileDir();
-  const candidates = [
-    join(base, ".vellum.lock.json"),
-    join(base, ".vellum.lockfile.json"),
-  ];
+  const candidates = LOCKFILE_NAMES.map((name) => join(base, name));
   for (const lockfilePath of candidates) {
     if (!existsSync(lockfilePath)) continue;
     try {
@@ -139,7 +138,7 @@ function readLockfile(): LockfileData {
 }
 
 function writeLockfile(data: LockfileData): void {
-  const lockfilePath = join(getLockfileDir(), ".vellum.lock.json");
+  const lockfilePath = join(getLockfileDir(), LOCKFILE_NAMES[0]);
   const tmpPath = `${lockfilePath}.${randomBytes(4).toString("hex")}.tmp`;
   try {
     writeFileSync(tmpPath, JSON.stringify(data, null, 2) + "\n");

package/src/lib/constants.ts

@@ -18,6 +18,16 @@ export const DEFAULT_GATEWAY_PORT = 7830;
 export const DEFAULT_QDRANT_PORT = 6333;
 export const DEFAULT_CES_PORT = 8090;
 
+/**
+ * Lockfile candidate filenames, checked in priority order.
+ * `.vellum.lock.json` is the current name; `.vellum.lockfile.json` is the
+ * legacy name kept for backwards compatibility with older installs.
+ */
+export const LOCKFILE_NAMES = [
+  ".vellum.lock.json",
+  ".vellum.lockfile.json",
+] as const;
+
 /**
  * Environment variable names for provider API keys, keyed by provider ID.
  * Loaded from the shared registry at `meta/provider-env-vars.json` — the
@@ -33,6 +43,7 @@ export const VALID_REMOTE_HOSTS = [
   "aws",
   "docker",
   "custom",
+  "vellum",
 ] as const;
 export type RemoteHost = (typeof VALID_REMOTE_HOSTS)[number];
 export const VALID_SPECIES = ["openclaw", "vellum"] as const;

package/src/lib/docker.ts

@@ -306,8 +306,6 @@ export function dockerResourceNames(instanceName: string) {
     assistantContainer: `${instanceName}-assistant`,
     cesContainer: `${instanceName}-credential-executor`,
     cesSecurityVolume: `${instanceName}-ces-sec`,
-    /** @deprecated Legacy — no longer created for new instances. Retained for migration of existing instances. */
-    dataVolume: `${instanceName}-data`,
     gatewayContainer: `${instanceName}-gateway`,
     gatewaySecurityVolume: `${instanceName}-gateway-sec`,
     network: `${instanceName}-net`,
@@ -363,7 +361,6 @@ export async function retireDocker(name: string): Promise<void> {
     // network may not exist
   }
   for (const vol of [
-    res.dataVolume,
     res.socketVolume,
     res.workspaceVolume,
     res.cesSecurityVolume,
@@ -519,6 +516,8 @@ export function serviceDockerRunArgs(opts: {
         "-v",
         `${res.socketVolume}:/run/ces-bootstrap`,
         "-e",
+        "IS_CONTAINERIZED=false",
+        "-e",
         `VELLUM_ASSISTANT_NAME=${instanceName}`,
         "-e",
         "VELLUM_CLOUD=docker",
@@ -629,148 +628,6 @@ export function serviceDockerRunArgs(opts: {
   };
 }
 
-/**
- * Check whether a Docker volume exists.
- * Returns true if the volume exists, false otherwise.
- */
-async function dockerVolumeExists(volumeName: string): Promise<boolean> {
-  try {
-    await execOutput("docker", ["volume", "inspect", volumeName]);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Migrate trust.json and actor-token-signing-key from the data volume
- * (old location: /data/.vellum/protected/) to the gateway security volume
- * (new location: /gateway-security/).
- *
- * Uses a temporary busybox container that mounts both volumes. The migration
- * is idempotent: it only copies a file when the source exists on the data
- * volume and the destination does not yet exist on the gateway security volume.
- *
- * Skips migration entirely if the data volume does not exist (new instances
- * no longer create one).
- */
-export async function migrateGatewaySecurityFiles(
-  res: ReturnType<typeof dockerResourceNames>,
-  log: (msg: string) => void,
-): Promise<void> {
-  // New instances don't have a data volume — nothing to migrate.
-  if (!(await dockerVolumeExists(res.dataVolume))) {
-    log("   No data volume found — skipping gateway security migration.");
-    return;
-  }
-
-  const migrationContainer = `${res.gatewayContainer}-migration`;
-  const filesToMigrate = ["trust.json", "actor-token-signing-key"];
-
-  // Remove any leftover migration container from a previous interrupted run.
-  try {
-    await exec("docker", ["rm", "-f", migrationContainer]);
-  } catch {
-    // container may not exist
-  }
-
-  for (const fileName of filesToMigrate) {
-    const src = `/data/.vellum/protected/${fileName}`;
-    const dst = `/gateway-security/${fileName}`;
-
-    try {
-      // Run a busybox container that checks source exists and destination
-      // does not, then copies. The shell exits 0 whether or not a copy
-      // happens, so the migration is always safe to re-run.
-      await exec("docker", [
-        "run",
-        "--rm",
-        "--name",
-        migrationContainer,
-        "-v",
-        `${res.dataVolume}:/data:ro`,
-        "-v",
-        `${res.gatewaySecurityVolume}:/gateway-security`,
-        "busybox",
-        "sh",
-        "-c",
-        `if [ -f "${src}" ] && [ ! -f "${dst}" ]; then cp "${src}" "${dst}" && echo "migrated"; else echo "skipped"; fi`,
-      ]);
-      log(`   ${fileName}: checked`);
-    } catch (err) {
-      // Non-fatal — log and continue. The gateway will create fresh files
-      // if they don't exist.
-      const message = err instanceof Error ? err.message : String(err);
-      log(`   ${fileName}: migration failed (${message}), continuing...`);
-    }
-  }
-}
-
-/**
- * Migrate keys.enc and store.key from the data volume
- * (old location: /data/.vellum/protected/) to the CES security volume
- * (new location: /ces-security/).
- *
- * Uses a temporary busybox container that mounts both volumes. The migration
- * is idempotent: it only copies a file when the source exists on the data
- * volume and the destination does not yet exist on the CES security volume.
- * Migrated files are chowned to 1001:1001 (the CES service user).
- *
- * Skips migration entirely if the data volume does not exist (new instances
- * no longer create one).
- */
-export async function migrateCesSecurityFiles(
-  res: ReturnType<typeof dockerResourceNames>,
-  log: (msg: string) => void,
-): Promise<void> {
-  // New instances don't have a data volume — nothing to migrate.
-  if (!(await dockerVolumeExists(res.dataVolume))) {
-    log("   No data volume found — skipping CES security migration.");
-    return;
-  }
-
-  const migrationContainer = `${res.cesContainer}-migration`;
-  const filesToMigrate = ["keys.enc", "store.key"];
-
-  // Remove any leftover migration container from a previous interrupted run.
-  try {
-    await exec("docker", ["rm", "-f", migrationContainer]);
-  } catch {
-    // container may not exist
-  }
-
-  for (const fileName of filesToMigrate) {
-    const src = `/data/.vellum/protected/${fileName}`;
-    const dst = `/ces-security/${fileName}`;
-
-    try {
-      // Run a busybox container that checks source exists and destination
-      // does not, then copies and sets ownership. The shell exits 0 whether
-      // or not a copy happens, so the migration is always safe to re-run.
-      await exec("docker", [
-        "run",
-        "--rm",
-        "--name",
-        migrationContainer,
-        "-v",
-        `${res.dataVolume}:/data:ro`,
-        "-v",
-        `${res.cesSecurityVolume}:/ces-security`,
-        "busybox",
-        "sh",
-        "-c",
-        `if [ -f "${src}" ] && [ ! -f "${dst}" ]; then cp "${src}" "${dst}" && chown 1001:1001 "${dst}" && echo "migrated"; else echo "skipped"; fi`,
-      ]);
-      log(`   ${fileName}: checked`);
-    } catch (err) {
-      // Non-fatal — log and continue. The CES will start without
-      // credentials if they don't exist.
-      const message = err instanceof Error ? err.message : String(err);
-      log(`   ${fileName}: migration failed (${message}), continuing...`);
-    }
-  }
-}
-
 /** The order in which services must be started. */
 export const SERVICE_START_ORDER: ServiceName[] = [
   "assistant",
@@ -1202,7 +1059,6 @@ export async function hatchDocker(
       cloud: "docker",
       species,
       hatchedAt: new Date().toISOString(),
-      volume: res.dataVolume,
       serviceGroupVersion: cliPkg.version ? `v${cliPkg.version}` : undefined,
       containerInfo: {
         assistantImage: imageTags.assistant,

package/src/lib/health-check.ts

@@ -28,7 +28,7 @@ export async function checkManagedHealth(
   let orgId: string;
   try {
     const { fetchOrganizationId } = await import("./platform-client.js");
-    orgId = await fetchOrganizationId(token);
+    orgId = await fetchOrganizationId(token, runtimeUrl);
   } catch (err) {
     return {
       status: "error (auth)",

package/src/lib/local.ts

@@ -1,4 +1,5 @@
 import { execFileSync, execSync, spawn } from "child_process";
+import { randomBytes } from "crypto";
 import {
   existsSync,
   mkdirSync,
@@ -192,9 +193,24 @@ function resolveDaemonMainPath(assistantIndex: string): string {
   return join(dirname(assistantIndex), "daemon", "main.ts");
 }
 
+/**
+ * Generate a fresh signing key for a local hatch session.
+ *
+ * Both the daemon and gateway must use the same HMAC signing key so JWT
+ * tokens minted by one can be verified by the other. The CLI generates
+ * an ephemeral key each time and passes it as `ACTOR_TOKEN_SIGNING_KEY`
+ * to both processes — the daemon and gateway each persist it on their
+ * own terms (the `.vellum/` directory layout is their concern, not the
+ * CLI's).
+ */
+export function generateLocalSigningKey(): string {
+  return randomBytes(32).toString("hex");
+}
+
 type DaemonStartOptions = {
   foreground?: boolean;
   defaultWorkspaceConfigPath?: string;
+  signingKey?: string;
 };
 
 async function startDaemonFromSource(
@@ -267,6 +283,9 @@ async function startDaemonFromSource(
     RUNTIME_HTTP_PORT: process.env.RUNTIME_HTTP_PORT || "7821",
     VELLUM_CLOUD: "local",
     VELLUM_DEV: "1",
+    ...(options?.signingKey
+      ? { ACTOR_TOKEN_SIGNING_KEY: options.signingKey }
+      : {}),
   };
   if (resources) {
     env.BASE_DATA_DIR = resources.instanceDir;
@@ -385,6 +404,9 @@ async function startDaemonWatchFromSource(
     ...process.env,
     RUNTIME_HTTP_PORT: process.env.RUNTIME_HTTP_PORT || "7821",
     VELLUM_DEV: "1",
+    ...(options?.signingKey
+      ? { ACTOR_TOKEN_SIGNING_KEY: options.signingKey }
+      : {}),
   };
   if (resources) {
     env.BASE_DATA_DIR = resources.instanceDir;
@@ -970,6 +992,10 @@ export async function startLocalDaemon(
         delete daemonEnv.QDRANT_URL;
       }
 
+      if (options?.signingKey) {
+        daemonEnv.ACTOR_TOKEN_SIGNING_KEY = options.signingKey;
+      }
+
       // Write a sentinel PID file before spawning so concurrent hatch() calls
       // see the file and fall through to the isDaemonResponsive() port check
       // instead of racing to spawn a duplicate daemon.
@@ -1081,6 +1107,7 @@ export async function startLocalDaemon(
 export async function startGateway(
   watch: boolean = false,
   resources?: LocalInstanceResources,
+  options?: { signingKey?: string },
 ): Promise<string> {
   const effectiveGatewayPort = resources?.gatewayPort ?? GATEWAY_PORT;
 
@@ -1117,9 +1144,12 @@ export async function startGateway(
     ...(process.env as Record<string, string>),
     RUNTIME_HTTP_PORT: String(effectiveDaemonPort),
     GATEWAY_PORT: String(effectiveGatewayPort),
+    ...(options?.signingKey
+      ? { ACTOR_TOKEN_SIGNING_KEY: options.signingKey }
+      : {}),
     ...(watch ? { VELLUM_DEV: "1" } : {}),
-    // Set BASE_DATA_DIR so the gateway loads the correct signing key and
-    // credentials for this instance (mirrors the daemon env setup).
+    // Set BASE_DATA_DIR so the gateway loads the correct credentials and
+    // workspace config for this instance (mirrors the daemon env setup).
     ...(resources ? { BASE_DATA_DIR: resources.instanceDir } : {}),
   };
   // The gateway reads the ingress URL from the workspace config file via

package/src/lib/platform-client.ts

@@ -65,6 +65,67 @@ export function clearPlatformToken(): void {
   }
 }
 
+const VAK_PREFIX = "vak_";
+
+/**
+ * Returns the appropriate auth header for the given platform token.
+ *
+ * - `vak_`-prefixed tokens are long-lived platform API keys and use
+ *   `Authorization: Bearer`.
+ * - All other tokens are allauth session tokens and use `X-Session-Token`.
+ */
+export function authHeaders(token: string): Record<string, string> {
+  if (token.startsWith(VAK_PREFIX)) {
+    return { Authorization: `Bearer ${token}` };
+  }
+  return { "X-Session-Token": token };
+}
+
+export interface HatchedAssistant {
+  id: string;
+  name: string;
+  status: string;
+}
+
+export async function hatchAssistant(token: string): Promise<HatchedAssistant> {
+  const url = `${getPlatformUrl()}/v1/assistants/hatch/`;
+
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...authHeaders(token),
+    },
+    body: JSON.stringify({}),
+  });
+
+  if (response.ok) {
+    return (await response.json()) as HatchedAssistant;
+  }
+
+  if (response.status === 401 || response.status === 403) {
+    const detail = (await response.json().catch(() => ({}))) as {
+      detail?: string;
+    };
+    throw new Error(
+      detail.detail ??
+        "Invalid or expired token. Run `vellum login` to re-authenticate.",
+    );
+  }
+
+  if (response.status === 402) {
+    throw new Error("Insufficient balance to hatch a new assistant.");
+  }
+
+  const errorBody = (await response.json().catch(() => ({}))) as {
+    detail?: string;
+  };
+  throw new Error(
+    errorBody.detail ??
+      `Platform API error: ${response.status} ${response.statusText}`,
+  );
+}
+
 export interface PlatformUser {
   id: string;
   email: string;
@@ -75,16 +136,19 @@ interface OrganizationListResponse {
   results: { id: string; name: string }[];
 }
 
-export async function fetchOrganizationId(token: string): Promise<string> {
-  const platformUrl = getPlatformUrl();
-  const url = `${platformUrl}/v1/organizations/`;
+export async function fetchOrganizationId(
+  token: string,
+  platformUrl?: string,
+): Promise<string> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const url = `${resolvedUrl}/v1/organizations/`;
   const response = await fetch(url, {
     headers: { "X-Session-Token": token },
   });
 
   if (!response.ok) {
     throw new Error(
-      `Failed to fetch organizations from ${platformUrl} (${response.status}). Try logging in again.`,
+      `Failed to fetch organizations from ${resolvedUrl} (${response.status}). Try logging in again.`,
     );
   }
 
@@ -107,8 +171,12 @@ interface AllauthSessionResponse {
   };
 }
 
-export async function fetchCurrentUser(token: string): Promise<PlatformUser> {
-  const url = `${getPlatformUrl()}/_allauth/app/v1/auth/session`;
+export async function fetchCurrentUser(
+  token: string,
+  platformUrl?: string,
+): Promise<PlatformUser> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const url = `${resolvedUrl}/_allauth/app/v1/auth/session`;
   const response = await fetch(url, {
     headers: { "X-Session-Token": token },
   });
@@ -138,9 +206,10 @@ export async function rollbackPlatformAssistant(
   token: string,
   orgId: string,
   version?: string,
+  platformUrl?: string,
 ): Promise<{ detail: string; version: string | null }> {
-  const platformUrl = getPlatformUrl();
-  const response = await fetch(`${platformUrl}/v1/assistants/rollback/`, {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(`${resolvedUrl}/v1/assistants/rollback/`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -182,9 +251,10 @@ export async function platformInitiateExport(
   token: string,
   orgId: string,
   description?: string,
+  platformUrl?: string,
 ): Promise<{ jobId: string; status: string }> {
-  const platformUrl = getPlatformUrl();
-  const response = await fetch(`${platformUrl}/v1/migrations/export/`, {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(`${resolvedUrl}/v1/migrations/export/`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -215,10 +285,11 @@ export async function platformPollExportStatus(
   jobId: string,
   token: string,
   orgId: string,
+  platformUrl?: string,
 ): Promise<{ status: string; downloadUrl?: string; error?: string }> {
-  const platformUrl = getPlatformUrl();
+  const resolvedUrl = platformUrl || getPlatformUrl();
   const response = await fetch(
-    `${platformUrl}/v1/migrations/export/${jobId}/status/`,
+    `${resolvedUrl}/v1/migrations/export/${jobId}/status/`,
     {
       headers: {
         "X-Session-Token": token,
@@ -269,10 +340,11 @@ export async function platformImportPreflight(
   bundleData: Uint8Array<ArrayBuffer>,
   token: string,
   orgId: string,
+  platformUrl?: string,
 ): Promise<{ statusCode: number; body: Record<string, unknown> }> {
-  const platformUrl = getPlatformUrl();
+  const resolvedUrl = platformUrl || getPlatformUrl();
   const response = await fetch(
-    `${platformUrl}/v1/migrations/import-preflight/`,
+    `${resolvedUrl}/v1/migrations/import-preflight/`,
     {
       method: "POST",
       headers: {
@@ -296,9 +368,10 @@ export async function platformImportBundle(
   bundleData: Uint8Array<ArrayBuffer>,
   token: string,
   orgId: string,
+  platformUrl?: string,
 ): Promise<{ statusCode: number; body: Record<string, unknown> }> {
-  const platformUrl = getPlatformUrl();
-  const response = await fetch(`${platformUrl}/v1/migrations/import/`, {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(`${resolvedUrl}/v1/migrations/import/`, {
     method: "POST",
     headers: {
       "Content-Type": "application/octet-stream",

package/src/lib/upgrade-lifecycle.ts

@@ -9,8 +9,6 @@ import {
   DOCKER_READY_TIMEOUT_MS,
   dockerResourceNames,
   GATEWAY_INTERNAL_PORT,
-  migrateCesSecurityFiles,
-  migrateGatewaySecurityFiles,
   startContainers,
   stopContainers,
 } from "./docker.js";
@@ -573,12 +571,6 @@ export async function performDockerRollback(
   await stopContainers(res);
   console.log("✅ Containers stopped\n");
 
-  console.log("🔄 Migrating security files to gateway volume...");
-  await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-
-  console.log("🔄 Migrating credential files to CES security volume...");
-  await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
   console.log("🚀 Starting containers with target version...");
   await startContainers(
     {
@@ -700,9 +692,6 @@ export async function performDockerRollback(
 
         await stopContainers(res);
 
-        await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-        await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
         await startContainers(
           {
             signingKey,