@vellumai/cli 0.5.13 → 0.5.15

package/src/commands/hatch.ts

@@ -42,6 +42,7 @@ import { hatchGcp } from "../lib/gcp";
 import type { PollResult, WatchHatchingResult } from "../lib/gcp";
 import { buildNestedConfig, writeInitialConfig } from "../lib/config-utils";
 import {
+  generateLocalSigningKey,
   startLocalDaemon,
   startGateway,
   stopLocalProcesses,
@@ -776,12 +777,16 @@ async function hatchLocal(
   const defaultWorkspaceConfigPath = writeInitialConfig(configValues);
 
   emitProgress(4, 7, "Starting assistant...");
-  await startLocalDaemon(watch, resources, { defaultWorkspaceConfigPath });
+  const signingKey = generateLocalSigningKey();
+  await startLocalDaemon(watch, resources, {
+    defaultWorkspaceConfigPath,
+    signingKey,
+  });
 
   emitProgress(5, 7, "Starting gateway...");
   let runtimeUrl = `http://127.0.0.1:${resources.gatewayPort}`;
   try {
-    runtimeUrl = await startGateway(watch, resources);
+    runtimeUrl = await startGateway(watch, resources, { signingKey });
   } catch (error) {
     // Gateway failed — stop the daemon we just started so we don't leave
     // orphaned processes with no lock file entry.
@@ -824,7 +829,7 @@ async function hatchLocal(
     species,
     hatchedAt: new Date().toISOString(),
     serviceGroupVersion: cliPkg.version ? `v${cliPkg.version}` : undefined,
-    resources,
+    resources: { ...resources, signingKey },
   };
   emitProgress(7, 7, "Saving configuration...");
   if (!restart) {

package/src/commands/ps.ts

@@ -238,7 +238,7 @@ async function getLocalProcesses(entry: AssistantEntry): Promise<TableRow[]> {
       name: "embed-worker",
       pgrepName: "embed-worker",
       port: 0,
-      pidFile: join(vellumDir, "embed-worker.pid"),
+      pidFile: join(vellumDir, "workspace", "embed-worker.pid"),
     },
   ];
 

package/src/commands/recover.ts

@@ -4,7 +4,11 @@ import { join } from "path";
 
 import { saveAssistantEntry } from "../lib/assistant-config";
 import type { AssistantEntry } from "../lib/assistant-config";
-import { startLocalDaemon, startGateway } from "../lib/local";
+import {
+  generateLocalSigningKey,
+  startLocalDaemon,
+  startGateway,
+} from "../lib/local";
 import { getArchivePath, getMetadataPath } from "../lib/retire-archive";
 import { exec } from "../lib/step-runner";
 
@@ -66,9 +70,14 @@ export async function recover(): Promise<void> {
   unlinkSync(archivePath);
   unlinkSync(metadataPath);
 
-  // 7. Start daemon + gateway (same as wake)
-  await startLocalDaemon(false, entry.resources);
-  await startGateway(false, entry.resources);
+  // 7. Persist signing key so it survives daemon/gateway restarts (same as wake)
+  const signingKey = generateLocalSigningKey();
+  entry.resources = { ...entry.resources, signingKey };
+  saveAssistantEntry(entry);
+
+  // 8. Start daemon + gateway
+  await startLocalDaemon(false, entry.resources, { signingKey });
+  await startGateway(false, entry.resources, { signingKey });
 
   console.log(`✅ Recovered assistant '${name}'.`);
 }

package/src/commands/rollback.ts

@@ -11,8 +11,6 @@ import {
   captureImageRefs,
   GATEWAY_INTERNAL_PORT,
   dockerResourceNames,
-  migrateCesSecurityFiles,
-  migrateGatewaySecurityFiles,
   startContainers,
   stopContainers,
 } from "../lib/docker";
@@ -428,13 +426,6 @@ export async function rollback(): Promise<void> {
     await stopContainers(res);
     console.log("✅ Containers stopped\n");
 
-    // Run security file migrations and signing key cleanup
-    console.log("🔄 Migrating security files to gateway volume...");
-    await migrateGatewaySecurityFiles(res, (msg) => console.log(msg));
-
-    console.log("🔄 Migrating credential files to CES security volume...");
-    await migrateCesSecurityFiles(res, (msg) => console.log(msg));
-
     console.log("🚀 Starting containers with previous version...");
     await startContainers(
       {