@vellumai/cli 0.5.13 → 0.5.14

package/src/commands/upgrade.ts

@@ -13,8 +13,6 @@ import {
   captureImageRefs,
   GATEWAY_INTERNAL_PORT,
   dockerResourceNames,
-  migrateCesSecurityFiles,
-  migrateGatewaySecurityFiles,
   startContainers,
   stopContainers,
 } from "../lib/docker";
@@ -417,12 +415,6 @@ async function upgradeDocker(
     }
   }
 
-  console.log("🔄 Migrating security files to gateway volume...");
-  await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-
-  console.log("🔄 Migrating credential files to CES security volume...");
-  await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
   console.log("🚀 Starting upgraded containers...");
   await startContainers(
     {
@@ -522,9 +514,6 @@ async function upgradeDocker(
 
         await stopContainers(res);
 
-        await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-        await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
         await startContainers(
           {
             signingKey,

package/src/commands/wake.ts

@@ -1,10 +1,14 @@
 import { existsSync, readFileSync, writeFileSync } from "fs";
 import { join } from "path";
 
-import { resolveTargetAssistant } from "../lib/assistant-config.js";
+import {
+  resolveTargetAssistant,
+  saveAssistantEntry,
+} from "../lib/assistant-config.js";
 import { dockerResourceNames, wakeContainers } from "../lib/docker.js";
 import { isProcessAlive, stopProcessByPidFile } from "../lib/process";
 import {
+  generateLocalSigningKey,
   isAssistantWatchModeAvailable,
   isGatewayWatchModeAvailable,
   startLocalDaemon,
@@ -106,8 +110,17 @@ export async function wake(): Promise<void> {
     }
   }
 
+  // Reuse the lockfile-persisted signing key so client actor tokens survive
+  // daemon/gateway restarts. Generate and persist a new one only on first wake.
+  let signingKey = resources.signingKey;
+  if (!signingKey) {
+    signingKey = generateLocalSigningKey();
+    entry.resources = { ...resources, signingKey };
+    saveAssistantEntry(entry);
+  }
+
   if (!daemonRunning) {
-    await startLocalDaemon(watch, resources, { foreground });
+    await startLocalDaemon(watch, resources, { foreground, signingKey });
   }
 
   // Start gateway
@@ -127,13 +140,13 @@ export async function wake(): Promise<void> {
             `Gateway running (pid ${pid}) — restarting in watch mode...`,
           );
           await stopProcessByPidFile(gatewayPidFile, "gateway");
-          await startGateway(watch, resources);
+          await startGateway(watch, resources, { signingKey });
         }
       } else {
         console.log(`Gateway already running (pid ${pid}).`);
       }
     } else {
-      await startGateway(watch, resources);
+      await startGateway(watch, resources, { signingKey });
     }
   }
 

package/src/index.ts

@@ -15,6 +15,7 @@ import { rollback } from "./commands/rollback";
 import { setup } from "./commands/setup";
 import { sleep } from "./commands/sleep";
 import { ssh } from "./commands/ssh";
+import { teleport } from "./commands/teleport";
 import { tunnel } from "./commands/tunnel";
 import { upgrade } from "./commands/upgrade";
 import { use } from "./commands/use";
@@ -44,6 +45,7 @@ const commands = {
   setup,
   sleep,
   ssh,
+  teleport,
   tunnel,
   upgrade,
   use,
@@ -76,6 +78,7 @@ function printHelp(): void {
   console.log("  setup    Configure API keys interactively");
   console.log("  sleep    Stop the assistant process");
   console.log("  ssh      SSH into a remote assistant instance");
+  console.log("  teleport Transfer assistant data between environments");
   console.log("  tunnel   Create a tunnel for a locally hosted assistant");
   console.log("  upgrade  Upgrade an assistant to a newer version");
   console.log("  use      Set the active assistant for commands");

package/src/lib/assistant-config.ts

@@ -43,6 +43,9 @@ export interface LocalInstanceResources {
   cesPort: number;
   /** Absolute path to the daemon PID file */
   pidFile: string;
+  /** Persisted HMAC signing key (hex). Survives daemon/gateway restarts so
+   *  client actor tokens remain valid across `wake` cycles. */
+  signingKey?: string;
   [key: string]: unknown;
 }
 
@@ -77,8 +80,6 @@ export interface AssistantEntry {
   sshUser?: string;
   zone?: string;
   hatchedAt?: string;
-  /** Name of the shared volume backing BASE_DATA_DIR for containerised instances. */
-  volume?: string;
   /** Per-instance resource config. Present for local entries in multi-instance setups. */
   resources?: LocalInstanceResources;
   /** PID of the file watcher process for docker instances hatched with --watch. */

package/src/lib/docker.ts

@@ -306,8 +306,6 @@ export function dockerResourceNames(instanceName: string) {
     assistantContainer: `${instanceName}-assistant`,
     cesContainer: `${instanceName}-credential-executor`,
     cesSecurityVolume: `${instanceName}-ces-sec`,
-    /** @deprecated Legacy — no longer created for new instances. Retained for migration of existing instances. */
-    dataVolume: `${instanceName}-data`,
     gatewayContainer: `${instanceName}-gateway`,
     gatewaySecurityVolume: `${instanceName}-gateway-sec`,
     network: `${instanceName}-net`,
@@ -363,7 +361,6 @@ export async function retireDocker(name: string): Promise<void> {
     // network may not exist
   }
   for (const vol of [
-    res.dataVolume,
     res.socketVolume,
     res.workspaceVolume,
     res.cesSecurityVolume,
@@ -519,6 +516,8 @@ export function serviceDockerRunArgs(opts: {
         "-v",
         `${res.socketVolume}:/run/ces-bootstrap`,
         "-e",
+        "IS_CONTAINERIZED=false",
+        "-e",
         `VELLUM_ASSISTANT_NAME=${instanceName}`,
         "-e",
         "VELLUM_CLOUD=docker",
@@ -629,148 +628,6 @@ export function serviceDockerRunArgs(opts: {
   };
 }
 
-/**
- * Check whether a Docker volume exists.
- * Returns true if the volume exists, false otherwise.
- */
-async function dockerVolumeExists(volumeName: string): Promise<boolean> {
-  try {
-    await execOutput("docker", ["volume", "inspect", volumeName]);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Migrate trust.json and actor-token-signing-key from the data volume
- * (old location: /data/.vellum/protected/) to the gateway security volume
- * (new location: /gateway-security/).
- *
- * Uses a temporary busybox container that mounts both volumes. The migration
- * is idempotent: it only copies a file when the source exists on the data
- * volume and the destination does not yet exist on the gateway security volume.
- *
- * Skips migration entirely if the data volume does not exist (new instances
- * no longer create one).
- */
-export async function migrateGatewaySecurityFiles(
-  res: ReturnType<typeof dockerResourceNames>,
-  log: (msg: string) => void,
-): Promise<void> {
-  // New instances don't have a data volume — nothing to migrate.
-  if (!(await dockerVolumeExists(res.dataVolume))) {
-    log("   No data volume found — skipping gateway security migration.");
-    return;
-  }
-
-  const migrationContainer = `${res.gatewayContainer}-migration`;
-  const filesToMigrate = ["trust.json", "actor-token-signing-key"];
-
-  // Remove any leftover migration container from a previous interrupted run.
-  try {
-    await exec("docker", ["rm", "-f", migrationContainer]);
-  } catch {
-    // container may not exist
-  }
-
-  for (const fileName of filesToMigrate) {
-    const src = `/data/.vellum/protected/${fileName}`;
-    const dst = `/gateway-security/${fileName}`;
-
-    try {
-      // Run a busybox container that checks source exists and destination
-      // does not, then copies. The shell exits 0 whether or not a copy
-      // happens, so the migration is always safe to re-run.
-      await exec("docker", [
-        "run",
-        "--rm",
-        "--name",
-        migrationContainer,
-        "-v",
-        `${res.dataVolume}:/data:ro`,
-        "-v",
-        `${res.gatewaySecurityVolume}:/gateway-security`,
-        "busybox",
-        "sh",
-        "-c",
-        `if [ -f "${src}" ] && [ ! -f "${dst}" ]; then cp "${src}" "${dst}" && echo "migrated"; else echo "skipped"; fi`,
-      ]);
-      log(`   ${fileName}: checked`);
-    } catch (err) {
-      // Non-fatal — log and continue. The gateway will create fresh files
-      // if they don't exist.
-      const message = err instanceof Error ? err.message : String(err);
-      log(`   ${fileName}: migration failed (${message}), continuing...`);
-    }
-  }
-}
-
-/**
- * Migrate keys.enc and store.key from the data volume
- * (old location: /data/.vellum/protected/) to the CES security volume
- * (new location: /ces-security/).
- *
- * Uses a temporary busybox container that mounts both volumes. The migration
- * is idempotent: it only copies a file when the source exists on the data
- * volume and the destination does not yet exist on the CES security volume.
- * Migrated files are chowned to 1001:1001 (the CES service user).
- *
- * Skips migration entirely if the data volume does not exist (new instances
- * no longer create one).
- */
-export async function migrateCesSecurityFiles(
-  res: ReturnType<typeof dockerResourceNames>,
-  log: (msg: string) => void,
-): Promise<void> {
-  // New instances don't have a data volume — nothing to migrate.
-  if (!(await dockerVolumeExists(res.dataVolume))) {
-    log("   No data volume found — skipping CES security migration.");
-    return;
-  }
-
-  const migrationContainer = `${res.cesContainer}-migration`;
-  const filesToMigrate = ["keys.enc", "store.key"];
-
-  // Remove any leftover migration container from a previous interrupted run.
-  try {
-    await exec("docker", ["rm", "-f", migrationContainer]);
-  } catch {
-    // container may not exist
-  }
-
-  for (const fileName of filesToMigrate) {
-    const src = `/data/.vellum/protected/${fileName}`;
-    const dst = `/ces-security/${fileName}`;
-
-    try {
-      // Run a busybox container that checks source exists and destination
-      // does not, then copies and sets ownership. The shell exits 0 whether
-      // or not a copy happens, so the migration is always safe to re-run.
-      await exec("docker", [
-        "run",
-        "--rm",
-        "--name",
-        migrationContainer,
-        "-v",
-        `${res.dataVolume}:/data:ro`,
-        "-v",
-        `${res.cesSecurityVolume}:/ces-security`,
-        "busybox",
-        "sh",
-        "-c",
-        `if [ -f "${src}" ] && [ ! -f "${dst}" ]; then cp "${src}" "${dst}" && chown 1001:1001 "${dst}" && echo "migrated"; else echo "skipped"; fi`,
-      ]);
-      log(`   ${fileName}: checked`);
-    } catch (err) {
-      // Non-fatal — log and continue. The CES will start without
-      // credentials if they don't exist.
-      const message = err instanceof Error ? err.message : String(err);
-      log(`   ${fileName}: migration failed (${message}), continuing...`);
-    }
-  }
-}
-
 /** The order in which services must be started. */
 export const SERVICE_START_ORDER: ServiceName[] = [
   "assistant",
@@ -1202,7 +1059,6 @@ export async function hatchDocker(
       cloud: "docker",
       species,
       hatchedAt: new Date().toISOString(),
-      volume: res.dataVolume,
       serviceGroupVersion: cliPkg.version ? `v${cliPkg.version}` : undefined,
       containerInfo: {
         assistantImage: imageTags.assistant,

package/src/lib/local.ts

@@ -1,4 +1,5 @@
 import { execFileSync, execSync, spawn } from "child_process";
+import { randomBytes } from "crypto";
 import {
   existsSync,
   mkdirSync,
@@ -192,9 +193,24 @@ function resolveDaemonMainPath(assistantIndex: string): string {
   return join(dirname(assistantIndex), "daemon", "main.ts");
 }
 
+/**
+ * Generate a fresh signing key for a local hatch session.
+ *
+ * Both the daemon and gateway must use the same HMAC signing key so JWT
+ * tokens minted by one can be verified by the other. The CLI generates
+ * an ephemeral key each time and passes it as `ACTOR_TOKEN_SIGNING_KEY`
+ * to both processes — the daemon and gateway each persist it on their
+ * own terms (the `.vellum/` directory layout is their concern, not the
+ * CLI's).
+ */
+export function generateLocalSigningKey(): string {
+  return randomBytes(32).toString("hex");
+}
+
 type DaemonStartOptions = {
   foreground?: boolean;
   defaultWorkspaceConfigPath?: string;
+  signingKey?: string;
 };
 
 async function startDaemonFromSource(
@@ -267,6 +283,9 @@ async function startDaemonFromSource(
     RUNTIME_HTTP_PORT: process.env.RUNTIME_HTTP_PORT || "7821",
     VELLUM_CLOUD: "local",
     VELLUM_DEV: "1",
+    ...(options?.signingKey
+      ? { ACTOR_TOKEN_SIGNING_KEY: options.signingKey }
+      : {}),
   };
   if (resources) {
     env.BASE_DATA_DIR = resources.instanceDir;
@@ -385,6 +404,9 @@ async function startDaemonWatchFromSource(
     ...process.env,
     RUNTIME_HTTP_PORT: process.env.RUNTIME_HTTP_PORT || "7821",
     VELLUM_DEV: "1",
+    ...(options?.signingKey
+      ? { ACTOR_TOKEN_SIGNING_KEY: options.signingKey }
+      : {}),
   };
   if (resources) {
     env.BASE_DATA_DIR = resources.instanceDir;
@@ -970,6 +992,10 @@ export async function startLocalDaemon(
         delete daemonEnv.QDRANT_URL;
       }
 
+      if (options?.signingKey) {
+        daemonEnv.ACTOR_TOKEN_SIGNING_KEY = options.signingKey;
+      }
+
       // Write a sentinel PID file before spawning so concurrent hatch() calls
       // see the file and fall through to the isDaemonResponsive() port check
       // instead of racing to spawn a duplicate daemon.
@@ -1081,6 +1107,7 @@ export async function startLocalDaemon(
 export async function startGateway(
   watch: boolean = false,
   resources?: LocalInstanceResources,
+  options?: { signingKey?: string },
 ): Promise<string> {
   const effectiveGatewayPort = resources?.gatewayPort ?? GATEWAY_PORT;
 
@@ -1117,9 +1144,12 @@ export async function startGateway(
     ...(process.env as Record<string, string>),
     RUNTIME_HTTP_PORT: String(effectiveDaemonPort),
     GATEWAY_PORT: String(effectiveGatewayPort),
+    ...(options?.signingKey
+      ? { ACTOR_TOKEN_SIGNING_KEY: options.signingKey }
+      : {}),
     ...(watch ? { VELLUM_DEV: "1" } : {}),
-    // Set BASE_DATA_DIR so the gateway loads the correct signing key and
-    // credentials for this instance (mirrors the daemon env setup).
+    // Set BASE_DATA_DIR so the gateway loads the correct credentials and
+    // workspace config for this instance (mirrors the daemon env setup).
     ...(resources ? { BASE_DATA_DIR: resources.instanceDir } : {}),
   };
   // The gateway reads the ingress URL from the workspace config file via

package/src/lib/upgrade-lifecycle.ts

@@ -9,8 +9,6 @@ import {
   DOCKER_READY_TIMEOUT_MS,
   dockerResourceNames,
   GATEWAY_INTERNAL_PORT,
-  migrateCesSecurityFiles,
-  migrateGatewaySecurityFiles,
   startContainers,
   stopContainers,
 } from "./docker.js";
@@ -573,12 +571,6 @@ export async function performDockerRollback(
   await stopContainers(res);
   console.log("✅ Containers stopped\n");
 
-  console.log("🔄 Migrating security files to gateway volume...");
-  await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-
-  console.log("🔄 Migrating credential files to CES security volume...");
-  await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
   console.log("🚀 Starting containers with target version...");
   await startContainers(
     {
@@ -700,9 +692,6 @@ export async function performDockerRollback(
 
         await stopContainers(res);
 
-        await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-        await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
         await startContainers(
           {
             signingKey,