@vellumai/cli 0.5.16 → 0.6.0

package/src/commands/teleport.ts

@@ -20,6 +20,10 @@ import {
   platformDownloadExport,
   platformImportPreflight,
   platformImportBundle,
+  platformRequestUploadUrl,
+  platformUploadToSignedUrl,
+  platformImportPreflightFromGcs,
+  platformImportBundleFromGcs,
 } from "../lib/platform-client.js";
 import {
   hatchDocker,
@@ -628,6 +632,7 @@ async function importToAssistant(
   cloud: string,
   bundleData: Uint8Array<ArrayBuffer>,
   dryRun: boolean,
+  preUploadedBundleKey?: string | null,
 ): Promise<void> {
   if (cloud === "vellum") {
     // Platform target
@@ -649,6 +654,32 @@ async function importToAssistant(
       throw err;
     }
 
+    // Use pre-uploaded bundle key if provided (string), skip upload if null
+    // (signals signed URLs were already tried and unavailable), or try
+    // signed-URL upload if undefined (never attempted).
+    let bundleKey: string | undefined =
+      preUploadedBundleKey === null ? undefined : preUploadedBundleKey;
+    if (preUploadedBundleKey === undefined) {
+      try {
+        const { uploadUrl, bundleKey: key } = await platformRequestUploadUrl(
+          token,
+          orgId,
+          entry.runtimeUrl,
+        );
+        bundleKey = key;
+        console.log("Uploading bundle...");
+        await platformUploadToSignedUrl(uploadUrl, bundleData);
+      } catch (err) {
+        // If signed uploads unavailable (503), fall back to inline upload
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes("not available")) {
+          bundleKey = undefined;
+        } else {
+          throw err;
+        }
+      }
+    }
+
     if (dryRun) {
       console.log("Running preflight analysis...\n");
 
@@ -657,12 +688,19 @@ async function importToAssistant(
         body: Record<string, unknown>;
       };
       try {
-        preflightResult = await platformImportPreflight(
-          bundleData,
-          token,
-          orgId,
-          entry.runtimeUrl,
-        );
+        preflightResult = bundleKey
+          ? await platformImportPreflightFromGcs(
+              bundleKey,
+              token,
+              orgId,
+              entry.runtimeUrl,
+            )
+          : await platformImportPreflight(
+              bundleData,
+              token,
+              orgId,
+              entry.runtimeUrl,
+            );
       } catch (err) {
         if (err instanceof Error && err.name === "TimeoutError") {
           console.error("Error: Preflight request timed out after 2 minutes.");
@@ -712,12 +750,19 @@ async function importToAssistant(
 
     let importResult: { statusCode: number; body: Record<string, unknown> };
     try {
-      importResult = await platformImportBundle(
-        bundleData,
-        token,
-        orgId,
-        entry.runtimeUrl,
-      );
+      importResult = bundleKey
+        ? await platformImportBundleFromGcs(
+            bundleKey,
+            token,
+            orgId,
+            entry.runtimeUrl,
+          )
+        : await platformImportBundle(
+            bundleData,
+            token,
+            orgId,
+            entry.runtimeUrl,
+          );
     } catch (err) {
       if (err instanceof Error && err.name === "TimeoutError") {
         console.error("Error: Import request timed out after 2 minutes.");
@@ -751,6 +796,7 @@ async function importToAssistant(
 export async function resolveOrHatchTarget(
   targetEnv: "local" | "docker" | "platform",
   targetName?: string,
+  orgId?: string,
 ): Promise<AssistantEntry> {
   // If a name is provided, try to find an existing assistant
   if (targetName) {
@@ -830,7 +876,25 @@ export async function resolveOrHatchTarget(
       process.exit(1);
     }
 
-    const result = await hatchAssistant(token);
+    let resolvedOrgId: string;
+    if (orgId) {
+      resolvedOrgId = orgId;
+    } else {
+      try {
+        resolvedOrgId = await fetchOrganizationId(token);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes("401") || msg.includes("403")) {
+          console.error(
+            "Authentication failed. Run 'vellum login' to refresh.",
+          );
+          process.exit(1);
+        }
+        throw err;
+      }
+    }
+
+    const result = await hatchAssistant(token, resolvedOrgId);
     const entry: AssistantEntry = {
       assistantId: result.id,
       runtimeUrl: getPlatformUrl(),
@@ -1080,10 +1144,19 @@ export async function teleport(): Promise<void> {
       // No existing target — just describe what would happen
       console.log("Dry run summary:");
       console.log(`  Would export data from: ${from} (${fromCloud})`);
-      console.log(
-        `  Would hatch a new ${targetEnv} assistant${targetName ? ` named '${targetName}'` : ""}`,
-      );
-      console.log(`  Would import data into the new assistant`);
+      if (targetEnv === "platform") {
+        // For platform targets, reflect the reordered flow
+        console.log(`  Would upload bundle via signed URL (if available)`);
+        console.log(
+          `  Would hatch a new ${targetEnv} assistant${targetName ? ` named '${targetName}'` : ""}`,
+        );
+        console.log(`  Would import data into the new assistant`);
+      } else {
+        console.log(
+          `  Would hatch a new ${targetEnv} assistant${targetName ? ` named '${targetName}'` : ""}`,
+        );
+        console.log(`  Would import data into the new assistant`);
+      }
     }
 
     console.log(`Dry run complete — no changes were made.`);
@@ -1094,6 +1167,84 @@ export async function teleport(): Promise<void> {
   console.log(`Exporting from ${from} (${fromCloud})...`);
   const bundleData = await exportFromAssistant(fromEntry, fromCloud);
 
+  // Platform target: reordered flow — upload to GCS before hatching so that
+  // if upload fails, no empty assistant is left dangling on the platform.
+  if (targetEnv === "platform") {
+    // Step B — Auth + Org ID
+    const token = readPlatformToken();
+    if (!token) {
+      console.error("Not logged in. Run 'vellum login' first.");
+      process.exit(1);
+    }
+
+    // If targeting an existing assistant, validate cloud match early — before
+    // uploading — so we don't waste a GCS upload on an invalid command.
+    const existingTarget = targetName ? findAssistantByName(targetName) : null;
+    if (existingTarget) {
+      const existingCloud = resolveCloud(existingTarget);
+      if (existingCloud !== "vellum") {
+        console.error(
+          `Error: Assistant '${targetName}' is a ${existingCloud} assistant, not platform. ` +
+            `Use --${existingCloud} to target it.`,
+        );
+        process.exit(1);
+      }
+    }
+
+    // Use the existing target's runtimeUrl for all platform calls so upload,
+    // org ID fetch, and import hit the same instance.
+    const targetPlatformUrl = existingTarget?.runtimeUrl;
+
+    let orgId: string;
+    try {
+      orgId = await fetchOrganizationId(token, targetPlatformUrl);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("401") || msg.includes("403")) {
+        console.error("Authentication failed. Run 'vellum login' to refresh.");
+        process.exit(1);
+      }
+      throw err;
+    }
+
+    // Step C — Upload to GCS
+    // bundleKey: string = uploaded successfully, null = tried but unavailable,
+    // undefined would mean "never tried" (not used here).
+    let bundleKey: string | null = null;
+    try {
+      const { uploadUrl, bundleKey: key } = await platformRequestUploadUrl(
+        token,
+        orgId,
+        targetPlatformUrl,
+      );
+      bundleKey = key;
+      console.log("Uploading bundle to GCS...");
+      await platformUploadToSignedUrl(uploadUrl, bundleData);
+    } catch (err) {
+      // If signed uploads unavailable (503), fall back to inline upload later
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("not available")) {
+        bundleKey = null;
+      } else {
+        throw err;
+      }
+    }
+
+    // Step D — Hatch (upload succeeded or fallback to inline — safe to hatch)
+    const toEntry = await resolveOrHatchTarget(targetEnv, targetName, orgId);
+    const toCloud = resolveCloud(toEntry);
+
+    // Step E — Import from GCS (or inline fallback)
+    // Pass bundleKey (string) or null to signal "already tried, use inline".
+    console.log(`Importing to ${toEntry.assistantId} (${toCloud})...`);
+    await importToAssistant(toEntry, toCloud, bundleData, false, bundleKey);
+
+    // Success summary
+    console.log(`Teleport complete: ${from} → ${toEntry.assistantId}`);
+    return;
+  }
+
+  // Non-platform targets (local/docker): existing flow unchanged
   // For local<->docker transfers, stop (sleep) the source to free up ports
   // before hatching the target. We do NOT retire yet — if hatch or import
   // fails, the user can recover by running `vellum wake <source>`.

package/src/commands/upgrade.ts

@@ -291,6 +291,11 @@ async function upgradeDocker(
     `   Captured ${Object.keys(capturedEnv).length} env var(s) from ${res.assistantContainer}\n`,
   );
 
+  // Capture GUARDIAN_BOOTSTRAP_SECRET from the gateway container (it is only
+  // set on gateway, not assistant) so it persists across container restarts.
+  const gatewayEnv = await captureContainerEnv(res.gatewayContainer);
+  const bootstrapSecret = gatewayEnv["GUARDIAN_BOOTSTRAP_SECRET"];
+
   // Notify connected clients that an upgrade is about to begin.
   // This must fire BEFORE any progress broadcasts so the UI sets
   // isUpdateInProgress = true and starts displaying status messages.
@@ -419,6 +424,7 @@ async function upgradeDocker(
   await startContainers(
     {
       signingKey,
+      bootstrapSecret,
       cesServiceToken,
       extraAssistantEnv,
       gatewayPort,
@@ -517,6 +523,7 @@ async function upgradeDocker(
         await startContainers(
           {
             signingKey,
+            bootstrapSecret,
             cesServiceToken,
             extraAssistantEnv,
             gatewayPort,

package/src/lib/aws.ts

@@ -6,7 +6,8 @@ import { buildStartupScript, watchHatching } from "../commands/hatch";
 import type { PollResult } from "../commands/hatch";
 import { saveAssistantEntry, setActiveAssistant } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
-import { GATEWAY_PORT, PROVIDER_ENV_VAR_NAMES } from "./constants";
+import { GATEWAY_PORT } from "./constants";
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
 import { generateInstanceName } from "./random-name";

package/src/lib/constants.ts

@@ -1,5 +1,3 @@
-import providerEnvVarsRegistry from "../../../meta/provider-env-vars.json";
-
 /**
  * Canonical internal assistant ID used as the default/fallback across the CLI
  * and daemon. Mirrors `DAEMON_INTERNAL_ASSISTANT_ID` from
@@ -28,15 +26,6 @@ export const LOCKFILE_NAMES = [
   ".vellum.lockfile.json",
 ] as const;
 
-/**
- * Environment variable names for provider API keys, keyed by provider ID.
- * Loaded from the shared registry at `meta/provider-env-vars.json` — the
- * single source of truth also consumed by the assistant runtime and the
- * macOS client.
- */
-export const PROVIDER_ENV_VAR_NAMES: Record<string, string> =
-  providerEnvVarsRegistry.providers;
-
 export const VALID_REMOTE_HOSTS = [
   "local",
   "gcp",

package/src/lib/docker.ts

@@ -13,7 +13,8 @@ import {
 } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
 import { writeInitialConfig } from "./config-utils";
-import { DEFAULT_GATEWAY_PORT, PROVIDER_ENV_VAR_NAMES } from "./constants";
+import { DEFAULT_GATEWAY_PORT } from "./constants";
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
 import { isVellumProcess, stopProcess } from "./process";
@@ -479,8 +480,9 @@ async function buildAllImages(
 
 /**
  * Returns a function that builds the `docker run` arguments for a given
- * service. Each container joins a shared Docker bridge network so they
- * can be restarted independently.
+ * service. All three containers share a network namespace via
+ * `--network=container:` so inter-service traffic is over localhost,
+ * matching the platform's Kubernetes pod topology.
  */
 export function serviceDockerRunArgs(opts: {
   signingKey?: string;
@@ -511,12 +513,14 @@ export function serviceDockerRunArgs(opts: {
         "--name",
         res.assistantContainer,
         `--network=${res.network}`,
+        "-p",
+        `${gatewayPort}:${GATEWAY_INTERNAL_PORT}`,
         "-v",
         `${res.workspaceVolume}:/workspace`,
         "-v",
         `${res.socketVolume}:/run/ces-bootstrap`,
         "-e",
-        "IS_CONTAINERIZED=false",
+        "IS_CONTAINERIZED=true",
         "-e",
         `VELLUM_ASSISTANT_NAME=${instanceName}`,
         "-e",
@@ -526,9 +530,9 @@ export function serviceDockerRunArgs(opts: {
         "-e",
         "VELLUM_WORKSPACE_DIR=/workspace",
         "-e",
-        `CES_CREDENTIAL_URL=http://${res.cesContainer}:8090`,
+        "CES_CREDENTIAL_URL=http://localhost:8090",
         "-e",
-        `GATEWAY_INTERNAL_URL=http://${res.gatewayContainer}:${GATEWAY_INTERNAL_PORT}`,
+        `GATEWAY_INTERNAL_URL=http://localhost:${GATEWAY_INTERNAL_PORT}`,
       ];
       if (defaultWorkspaceConfigPath) {
         const containerPath = `/tmp/vellum-default-workspace-config-${Date.now()}.json`;
@@ -567,9 +571,7 @@ export function serviceDockerRunArgs(opts: {
       "-d",
       "--name",
       res.gatewayContainer,
-      `--network=${res.network}`,
-      "-p",
-      `${gatewayPort}:${GATEWAY_INTERNAL_PORT}`,
+      `--network=container:${res.assistantContainer}`,
       "-v",
       `${res.workspaceVolume}:/workspace`,
       "-v",
@@ -581,13 +583,13 @@ export function serviceDockerRunArgs(opts: {
       "-e",
       `GATEWAY_PORT=${GATEWAY_INTERNAL_PORT}`,
       "-e",
-      `ASSISTANT_HOST=${res.assistantContainer}`,
+      "ASSISTANT_HOST=localhost",
       "-e",
       `RUNTIME_HTTP_PORT=${ASSISTANT_INTERNAL_PORT}`,
       "-e",
       "RUNTIME_PROXY_ENABLED=true",
       "-e",
-      `CES_CREDENTIAL_URL=http://${res.cesContainer}:8090`,
+      "CES_CREDENTIAL_URL=http://localhost:8090",
       ...(cesServiceToken
         ? ["-e", `CES_SERVICE_TOKEN=${cesServiceToken}`]
         : []),
@@ -605,7 +607,7 @@ export function serviceDockerRunArgs(opts: {
       "-d",
       "--name",
       res.cesContainer,
-      `--network=${res.network}`,
+      `--network=container:${res.assistantContainer}`,
       "-v",
       `${res.socketVolume}:/run/ces-bootstrap`,
       "-v",
@@ -842,6 +844,15 @@ function startFileWatcher(opts: {
     const services = pendingServices;
     pendingServices = new Set();
 
+    // Gateway and CES share the assistant's network namespace. If the
+    // assistant container is removed and recreated, the shared namespace
+    // is destroyed and the other two lose connectivity. Cascade the
+    // restart to all three services in that case.
+    if (services.has("assistant")) {
+      services.add("gateway");
+      services.add("credential-executor");
+    }
+
     const serviceNames = [...services].join(", ");
     console.log(`\n🔄 Changes detected — rebuilding: ${serviceNames}`);
 
@@ -854,7 +865,10 @@ function startFileWatcher(opts: {
         }),
       );
 
-      for (const service of services) {
+      // Restart in dependency order (assistant first) so the network
+      // namespace owner is up before dependents try to attach.
+      for (const service of SERVICE_START_ORDER) {
+        if (!services.has(service)) continue;
         const container = containerForService[service];
         console.log(`🔄 Restarting ${container}...`);
         await removeContainer(container);

package/src/lib/gcp.ts

@@ -4,11 +4,8 @@ import { join } from "path";
 
 import { saveAssistantEntry, setActiveAssistant } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
-import {
-  FIREWALL_TAG,
-  GATEWAY_PORT,
-  PROVIDER_ENV_VAR_NAMES,
-} from "./constants";
+import { FIREWALL_TAG, GATEWAY_PORT } from "./constants";
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
 import { getPlatformUrl } from "./platform-client";

package/src/lib/platform-client.ts

@@ -87,14 +87,20 @@ export interface HatchedAssistant {
   status: string;
 }
 
-export async function hatchAssistant(token: string): Promise<HatchedAssistant> {
-  const url = `${getPlatformUrl()}/v1/assistants/hatch/`;
+export async function hatchAssistant(
+  token: string,
+  orgId: string,
+  platformUrl?: string,
+): Promise<HatchedAssistant> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const url = `${resolvedUrl}/v1/assistants/hatch/`;
 
   const response = await fetch(url, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
       ...authHeaders(token),
+      "Vellum-Organization-Id": orgId,
     },
     body: JSON.stringify({}),
   });
@@ -143,7 +149,7 @@ export async function fetchOrganizationId(
   const resolvedUrl = platformUrl || getPlatformUrl();
   const url = `${resolvedUrl}/v1/organizations/`;
   const response = await fetch(url, {
-    headers: { "X-Session-Token": token },
+    headers: { ...authHeaders(token) },
   });
 
   if (!response.ok) {
@@ -213,7 +219,7 @@ export async function rollbackPlatformAssistant(
     method: "POST",
     headers: {
       "Content-Type": "application/json",
-      "X-Session-Token": token,
+      ...authHeaders(token),
       "Vellum-Organization-Id": orgId,
     },
     body: JSON.stringify(version ? { version } : {}),
@@ -258,7 +264,7 @@ export async function platformInitiateExport(
     method: "POST",
     headers: {
       "Content-Type": "application/json",
-      "X-Session-Token": token,
+      ...authHeaders(token),
       "Vellum-Organization-Id": orgId,
     },
     body: JSON.stringify({ description: description ?? "CLI backup" }),
@@ -292,7 +298,7 @@ export async function platformPollExportStatus(
     `${resolvedUrl}/v1/migrations/export/${jobId}/status/`,
     {
       headers: {
-        "X-Session-Token": token,
+        ...authHeaders(token),
         "Vellum-Organization-Id": orgId,
       },
     },
@@ -349,7 +355,7 @@ export async function platformImportPreflight(
       method: "POST",
       headers: {
         "Content-Type": "application/octet-stream",
-        "X-Session-Token": token,
+        ...authHeaders(token),
         "Vellum-Organization-Id": orgId,
       },
       body: new Blob([bundleData]),
@@ -375,7 +381,7 @@ export async function platformImportBundle(
     method: "POST",
     headers: {
       "Content-Type": "application/octet-stream",
-      "X-Session-Token": token,
+      ...authHeaders(token),
       "Vellum-Organization-Id": orgId,
     },
     body: new Blob([bundleData]),
@@ -388,3 +394,131 @@ export async function platformImportBundle(
   >;
   return { statusCode: response.status, body };
 }
+
+// ---------------------------------------------------------------------------
+// Signed-URL upload flow
+// ---------------------------------------------------------------------------
+
+export async function platformRequestUploadUrl(
+  token: string,
+  orgId: string,
+  platformUrl?: string,
+): Promise<{ uploadUrl: string; bundleKey: string; expiresAt: string }> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(`${resolvedUrl}/v1/migrations/upload-url/`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...authHeaders(token),
+      "Vellum-Organization-Id": orgId,
+    },
+    body: JSON.stringify({ content_type: "application/octet-stream" }),
+  });
+
+  if (response.status === 201) {
+    const body = (await response.json()) as {
+      upload_url: string;
+      bundle_key: string;
+      expires_at: string;
+    };
+    return {
+      uploadUrl: body.upload_url,
+      bundleKey: body.bundle_key,
+      expiresAt: body.expires_at,
+    };
+  }
+
+  if (response.status === 404 || response.status === 503) {
+    throw new Error(
+      "Signed uploads are not available on this platform instance",
+    );
+  }
+
+  const errorBody = (await response.json().catch(() => ({}))) as {
+    detail?: string;
+  };
+  throw new Error(
+    errorBody.detail ??
+      `Failed to request upload URL: ${response.status} ${response.statusText}`,
+  );
+}
+
+export async function platformUploadToSignedUrl(
+  uploadUrl: string,
+  bundleData: Uint8Array<ArrayBuffer>,
+): Promise<void> {
+  const response = await fetch(uploadUrl, {
+    method: "PUT",
+    headers: {
+      "Content-Type": "application/octet-stream",
+    },
+    body: new Blob([bundleData]),
+    signal: AbortSignal.timeout(600_000),
+  });
+
+  if (!response.ok) {
+    throw new Error(
+      `Upload to signed URL failed: ${response.status} ${response.statusText}`,
+    );
+  }
+}
+
+export async function platformImportPreflightFromGcs(
+  bundleKey: string,
+  token: string,
+  orgId: string,
+  platformUrl?: string,
+): Promise<{ statusCode: number; body: Record<string, unknown> }> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${resolvedUrl}/v1/migrations/import-preflight-from-gcs/`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...authHeaders(token),
+        "Vellum-Organization-Id": orgId,
+      },
+      body: JSON.stringify({ bundle_key: bundleKey }),
+      signal: AbortSignal.timeout(120_000),
+    },
+  );
+
+  const body = (await response.json().catch(() => ({}))) as Record<
+    string,
+    unknown
+  >;
+  return { statusCode: response.status, body };
+}
+
+export async function platformImportBundleFromGcs(
+  bundleKey: string,
+  token: string,
+  orgId: string,
+  platformUrl?: string,
+): Promise<{ statusCode: number; body: Record<string, unknown> }> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${resolvedUrl}/v1/migrations/import-from-gcs/`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...authHeaders(token),
+        "Vellum-Organization-Id": orgId,
+      },
+      body: JSON.stringify({ bundle_key: bundleKey }),
+      signal: AbortSignal.timeout(120_000),
+    },
+  );
+
+  if (response.status === 413) {
+    throw new Error("Bundle too large to import");
+  }
+
+  const body = (await response.json().catch(() => ({}))) as Record<
+    string,
+    unknown
+  >;
+  return { statusCode: response.status, body };
+}

package/src/lib/upgrade-lifecycle.ts

@@ -90,6 +90,7 @@ export function buildUpgradeCommitMessage(options: {
  */
 export const CONTAINER_ENV_EXCLUDE_KEYS: ReadonlySet<string> = new Set([
   "CES_SERVICE_TOKEN",
+  "GUARDIAN_BOOTSTRAP_SECRET",
   "VELLUM_ASSISTANT_NAME",
   "RUNTIME_HTTP_HOST",
   "PATH",
@@ -467,6 +468,11 @@ export async function performDockerRollback(
     `   Captured ${Object.keys(capturedEnv).length} env var(s) from ${res.assistantContainer}\n`,
   );
 
+  // Capture GUARDIAN_BOOTSTRAP_SECRET from the gateway container (it is only
+  // set on gateway, not assistant) so it persists across container restarts.
+  const gatewayEnv = await captureContainerEnv(res.gatewayContainer);
+  const bootstrapSecret = gatewayEnv["GUARDIAN_BOOTSTRAP_SECRET"];
+
   const cesServiceToken =
     capturedEnv["CES_SERVICE_TOKEN"] || randomBytes(32).toString("hex");
 
@@ -575,6 +581,7 @@ export async function performDockerRollback(
   await startContainers(
     {
       signingKey,
+      bootstrapSecret,
       cesServiceToken,
       extraAssistantEnv,
       gatewayPort,
@@ -695,6 +702,7 @@ export async function performDockerRollback(
         await startContainers(
           {
             signingKey,
+            bootstrapSecret,
             cesServiceToken,
             extraAssistantEnv,
             gatewayPort,