@vellumai/cli 0.5.16 → 0.6.1

package/src/lib/assistant-client.ts

@@ -0,0 +1,228 @@
+/**
+ * Gateway client for authenticated requests to a hatched assistant's runtime.
+ *
+ * Encapsulates lockfile reading, guardian-token resolution, and
+ * authenticated fetch so callers can simply do:
+ *
+ * ```ts
+ * const client = new AssistantClient();                          // active / latest
+ * const client = new AssistantClient({ assistantId: "my-bot" }); // by name
+ * await client.get("/healthz");
+ * await client.post("/messages/", { content: "hi" });
+ * ```
+ */
+
+import {
+  findAssistantByName,
+  getActiveAssistant,
+  loadLatestAssistant,
+} from "./assistant-config.js";
+import { GATEWAY_PORT } from "./constants.js";
+import { loadGuardianToken } from "./guardian-token.js";
+
+const DEFAULT_TIMEOUT_MS = 30_000;
+const FALLBACK_RUNTIME_URL = `http://127.0.0.1:${GATEWAY_PORT}`;
+
+export interface AssistantClientOpts {
+  assistantId?: string;
+  /**
+   * When provided alongside `orgId`, the client authenticates with a
+   * session token instead of a guardian token.  The session token is
+   * sent as `Authorization: Bearer <sessionToken>` and the org id is
+   * sent via the `X-Vellum-Org-Id` header.
+   */
+  sessionToken?: string;
+  /** Required when `sessionToken` is provided. */
+  orgId?: string;
+}
+
+export interface RequestOpts {
+  timeout?: number;
+  signal?: AbortSignal;
+  headers?: Record<string, string>;
+  query?: Record<string, string>;
+}
+
+export class AssistantClient {
+  readonly runtimeUrl: string;
+
+  private readonly _assistantId: string;
+  private readonly token: string | undefined;
+  private readonly orgId: string | undefined;
+
+  /**
+   * Resolves an assistant entry from the lockfile and loads auth credentials.
+   *
+   * @param opts.assistantId - Explicit assistant name. When omitted, the
+   *   active assistant is used, falling back to the most recently hatched one.
+   * @throws If no matching assistant is found.
+   */
+  constructor(opts?: AssistantClientOpts) {
+    const nameOrId = opts?.assistantId;
+    let entry = nameOrId ? findAssistantByName(nameOrId) : null;
+
+    if (nameOrId && !entry) {
+      throw new Error(`No assistant found with name '${nameOrId}'.`);
+    }
+
+    if (!entry) {
+      const active = getActiveAssistant();
+      if (active) {
+        entry = findAssistantByName(active);
+      }
+    }
+
+    if (!entry) {
+      entry = loadLatestAssistant();
+    }
+
+    if (!entry) {
+      throw new Error(
+        "No assistant found. Hatch one first with 'vellum hatch'.",
+      );
+    }
+
+    this.runtimeUrl = (
+      entry.localUrl ||
+      entry.runtimeUrl ||
+      FALLBACK_RUNTIME_URL
+    ).replace(/\/+$/, "");
+    this._assistantId = entry.assistantId;
+
+    if (opts?.sessionToken) {
+      // Platform assistant: use session token + org id header.
+      this.token = opts.sessionToken;
+      this.orgId = opts.orgId;
+    } else {
+      this.token =
+        loadGuardianToken(this._assistantId)?.accessToken ?? entry.bearerToken;
+      this.orgId = undefined;
+    }
+  }
+
+  /** GET request to the gateway. Auth headers are added automatically. */
+  async get(urlPath: string, opts?: RequestOpts): Promise<Response> {
+    return this.request("GET", urlPath, undefined, opts);
+  }
+
+  /**
+   * Subscribe to an SSE endpoint and yield parsed JSON objects from `data:` lines.
+   * Automatically sets `Accept: text/event-stream` and skips heartbeat comments.
+   */
+  async *stream<T = unknown>(
+    urlPath: string,
+    opts?: RequestOpts,
+  ): AsyncGenerator<T> {
+    const response = await this.get(urlPath, {
+      ...opts,
+      headers: { Accept: "text/event-stream", ...opts?.headers },
+    });
+
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      throw new Error(
+        `HTTP ${response.status}: ${body || response.statusText}`,
+      );
+    }
+
+    if (!response.body) {
+      throw new Error("No response body received.");
+    }
+
+    const decoder = new TextDecoder();
+    let buffer = "";
+
+    for await (const chunk of response.body) {
+      buffer += decoder.decode(chunk, { stream: true });
+
+      let boundary: number;
+      while ((boundary = buffer.indexOf("\n\n")) !== -1) {
+        const frame = buffer.slice(0, boundary);
+        buffer = buffer.slice(boundary + 2);
+
+        if (!frame.trim() || frame.startsWith(":")) continue;
+
+        let data: string | undefined;
+        for (const line of frame.split("\n")) {
+          if (line.startsWith("data: ")) {
+            data = line.slice(6);
+          }
+        }
+
+        if (!data) continue;
+
+        try {
+          yield JSON.parse(data) as T;
+        } catch {
+          // Skip malformed JSON
+        }
+      }
+    }
+  }
+
+  /** POST request to the gateway with a JSON body. Auth headers are added automatically. */
+  async post(
+    urlPath: string,
+    body: unknown,
+    opts?: RequestOpts,
+  ): Promise<Response> {
+    return this.request("POST", urlPath, body, opts);
+  }
+
+  /** PATCH request to the gateway with a JSON body. Auth headers are added automatically. */
+  async patch(
+    urlPath: string,
+    body: unknown,
+    opts?: RequestOpts,
+  ): Promise<Response> {
+    return this.request("PATCH", urlPath, body, opts);
+  }
+
+  private async request(
+    method: string,
+    urlPath: string,
+    body: unknown | undefined,
+    opts?: RequestOpts,
+  ): Promise<Response> {
+    const qs = opts?.query
+      ? `?${new URLSearchParams(opts.query).toString()}`
+      : "";
+    const url = `${this.runtimeUrl}/v1/assistants/${this._assistantId}${urlPath}${qs}`;
+
+    const headers: Record<string, string> = { ...opts?.headers };
+    if (this.token) {
+      headers["Authorization"] ??= `Bearer ${this.token}`;
+    }
+    if (this.orgId) {
+      headers["X-Vellum-Org-Id"] ??= this.orgId;
+    }
+    if (body !== undefined) {
+      headers["Content-Type"] = "application/json";
+    }
+
+    const jsonBody = body !== undefined ? JSON.stringify(body) : undefined;
+
+    if (opts?.signal) {
+      return fetch(url, {
+        method,
+        headers,
+        body: jsonBody,
+        signal: opts.signal,
+      });
+    }
+
+    const timeout = opts?.timeout ?? DEFAULT_TIMEOUT_MS;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      return await fetch(url, {
+        method,
+        headers,
+        body: jsonBody,
+        signal: controller.signal,
+      });
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+}

package/src/lib/aws.ts

@@ -6,7 +6,8 @@ import { buildStartupScript, watchHatching } from "../commands/hatch";
 import type { PollResult } from "../commands/hatch";
 import { saveAssistantEntry, setActiveAssistant } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
-import { GATEWAY_PORT, PROVIDER_ENV_VAR_NAMES } from "./constants";
+import { GATEWAY_PORT } from "./constants";
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
 import { generateInstanceName } from "./random-name";

package/src/lib/constants.ts

@@ -1,5 +1,3 @@
-import providerEnvVarsRegistry from "../../../meta/provider-env-vars.json";
-
 /**
  * Canonical internal assistant ID used as the default/fallback across the CLI
  * and daemon. Mirrors `DAEMON_INTERNAL_ASSISTANT_ID` from
@@ -28,15 +26,6 @@ export const LOCKFILE_NAMES = [
   ".vellum.lockfile.json",
 ] as const;
 
-/**
- * Environment variable names for provider API keys, keyed by provider ID.
- * Loaded from the shared registry at `meta/provider-env-vars.json` — the
- * single source of truth also consumed by the assistant runtime and the
- * macOS client.
- */
-export const PROVIDER_ENV_VAR_NAMES: Record<string, string> =
-  providerEnvVarsRegistry.providers;
-
 export const VALID_REMOTE_HOSTS = [
   "local",
   "gcp",

package/src/lib/docker.ts

@@ -13,7 +13,8 @@ import {
 } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
 import { writeInitialConfig } from "./config-utils";
-import { DEFAULT_GATEWAY_PORT, PROVIDER_ENV_VAR_NAMES } from "./constants";
+import { DEFAULT_GATEWAY_PORT } from "./constants";
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
 import { isVellumProcess, stopProcess } from "./process";
@@ -91,51 +92,60 @@ async function downloadAndExtract(
 }
 
 /**
- * Installs Docker CLI, Colima, and Lima by downloading pre-built binaries
- * directly into ~/.vellum/bin/. No Homebrew or sudo required.
- *
- * Falls back to Homebrew if available (e.g. admin users who prefer it).
+ * Installs Docker CLI (and Colima + Lima on macOS) by downloading pre-built
+ * binaries directly into ~/.local/bin/. No Homebrew or sudo required.
  */
 async function installDockerToolchain(): Promise<void> {
-  // Try Homebrew first if available — it handles updates and dependencies.
-  let hasBrew = false;
-  try {
-    await execOutput("brew", ["--version"]);
-    hasBrew = true;
-  } catch {
-    // brew not found
-  }
+  const isMac = platform() === "darwin";
+  const isLinux = platform() === "linux";
+
+  mkdirSync(LOCAL_BIN_DIR, { recursive: true });
+
+  const cpuArch = releaseArch();
 
-  if (hasBrew) {
-    console.log("🐳 Docker not found. Installing via Homebrew...");
+  if (isLinux) {
+    // On Linux, Docker runs natively — only need the Docker CLI.
+    console.log(
+      "🐳 Docker not found. Installing Docker CLI to ~/.local/bin/...",
+    );
+
+    const dockerArch = cpuArch === "aarch64" ? "aarch64" : "x86_64";
+    const dockerTarUrl = `https://download.docker.com/linux/static/stable/${dockerArch}/docker-27.5.1.tgz`;
+    const dockerTmpDir = join(LOCAL_BIN_DIR, ".docker-tmp");
+    mkdirSync(dockerTmpDir, { recursive: true });
     try {
-      await exec("brew", ["install", "colima", "docker"]);
-      return;
-    } catch {
-      console.log(
-        "  ⚠ Homebrew install failed, falling back to direct binary download...",
-      );
+      await downloadAndExtract(dockerTarUrl, dockerTmpDir, "Docker CLI");
+      await exec("mv", [
+        join(dockerTmpDir, "docker", "docker"),
+        join(LOCAL_BIN_DIR, "docker"),
+      ]);
+      chmodSync(join(LOCAL_BIN_DIR, "docker"), 0o755);
+    } finally {
+      await exec("rm", ["-rf", dockerTmpDir]).catch(() => {});
     }
-  }
-
-  // Direct binary install — no sudo required.
-  console.log(
-    "🐳 Docker not found. Installing Docker, Colima, and Lima to ~/.local/bin/...",
-  );
 
-  mkdirSync(LOCAL_BIN_DIR, { recursive: true });
+    if (!existsSync(join(LOCAL_BIN_DIR, "docker"))) {
+      throw new Error(
+        "docker binary not found after installation. Please install Docker manually: https://docs.docker.com/engine/install/",
+      );
+    }
 
-  const cpuArch = releaseArch();
-  const isMac = platform() === "darwin";
+    console.log("  ✅ Docker CLI installed to ~/.local/bin/");
+    return;
+  }
 
   if (!isMac) {
     throw new Error(
-      "Automatic Docker installation is only supported on macOS. " +
+      "Automatic Docker installation is only supported on macOS and Linux. " +
         "Please install Docker manually: https://docs.docker.com/engine/install/",
     );
   }
 
-  // --- Docker CLI ---
+  console.log(
+    "🐳 Docker not found. Installing Docker, Colima, and Lima to ~/.local/bin/...",
+  );
+
+  // --- Docker CLI (macOS) ---
   // Docker publishes static binaries at download.docker.com.
   const dockerArch = cpuArch === "aarch64" ? "aarch64" : "x86_64";
   const dockerTarUrl = `https://download.docker.com/mac/static/stable/${dockerArch}/docker-27.5.1.tgz`;
@@ -222,13 +232,17 @@ async function ensureDockerInstalled(): Promise<void> {
   // Always add ~/.local/bin to PATH so previously installed binaries are found.
   ensureLocalBinOnPath();
 
-  // Check that docker, colima, and limactl are all available. If any is
-  // missing (e.g. partial install from a previous failure), re-run install.
+  const isLinux = platform() === "linux";
+
+  // On Linux, Docker runs natively — only need the docker CLI + daemon.
+  // On macOS, we also need Colima and Lima to provide a Linux VM.
   const toolchainComplete = await (async () => {
     try {
       await execOutput("docker", ["--version"]);
-      await execOutput("colima", ["version"]);
-      await execOutput("limactl", ["--version"]);
+      if (!isLinux) {
+        await execOutput("colima", ["version"]);
+        await execOutput("limactl", ["--version"]);
+      }
       return true;
     } catch {
       return false;
@@ -250,10 +264,19 @@ async function ensureDockerInstalled(): Promise<void> {
     }
   }
 
-  // Verify the Docker daemon is reachable; start Colima if it isn't.
+  // Verify the Docker daemon is reachable.
   try {
     await exec("docker", ["info"]);
   } catch {
+    // On Linux, the daemon must already be running (systemd, etc.).
+    if (isLinux) {
+      throw new Error(
+        "Docker daemon is not running. Please start it with 'sudo systemctl start docker' " +
+          "or ensure the Docker service is enabled.",
+      );
+    }
+
+    // On macOS, try starting Colima.
     let hasColima = false;
     try {
       await execOutput("colima", ["version"]);
@@ -393,6 +416,15 @@ function walkUpForRepoRoot(startDir: string): string | undefined {
   return undefined;
 }
 
+/**
+ * Returns `true` when the given root looks like a full source checkout
+ * (has assistant source code), as opposed to a packaged `.app` bundle
+ * that only contains the Dockerfiles.
+ */
+function hasFullSourceTree(root: string): boolean {
+  return existsSync(join(root, "assistant", "package.json"));
+}
+
 /**
  * Locate the repository root by walking up from `cli/src/lib/` until we
  * find a directory containing the expected Dockerfiles.
@@ -413,6 +445,20 @@ function findRepoRoot(): string {
     return execRoot;
   }
 
+  // Check the app bundle's Resources directory. Debug DMG builds bundle
+  // Dockerfiles at Contents/Resources/dockerfiles/{assistant,gateway,...}/Dockerfile.
+  // The CLI binary lives at Contents/MacOS/vellum-cli, so Resources is at
+  // ../Resources relative to the binary.
+  const bundledRoot = join(
+    dirname(process.execPath),
+    "..",
+    "Resources",
+    "dockerfiles",
+  );
+  if (existsSync(join(bundledRoot, "assistant", "Dockerfile"))) {
+    return bundledRoot;
+  }
+
   // Walk up from cwd as a final fallback
   const cwdRoot = walkUpForRepoRoot(process.cwd());
   if (cwdRoot) {
@@ -479,8 +525,9 @@ async function buildAllImages(
 
 /**
  * Returns a function that builds the `docker run` arguments for a given
- * service. Each container joins a shared Docker bridge network so they
- * can be restarted independently.
+ * service. All three containers share a network namespace via
+ * `--network=container:` so inter-service traffic is over localhost,
+ * matching the platform's Kubernetes pod topology.
  */
 export function serviceDockerRunArgs(opts: {
   signingKey?: string;
@@ -511,12 +558,14 @@ export function serviceDockerRunArgs(opts: {
         "--name",
         res.assistantContainer,
         `--network=${res.network}`,
+        "-p",
+        `${gatewayPort}:${GATEWAY_INTERNAL_PORT}`,
         "-v",
         `${res.workspaceVolume}:/workspace`,
         "-v",
         `${res.socketVolume}:/run/ces-bootstrap`,
         "-e",
-        "IS_CONTAINERIZED=false",
+        "IS_CONTAINERIZED=true",
         "-e",
         `VELLUM_ASSISTANT_NAME=${instanceName}`,
         "-e",
@@ -526,9 +575,9 @@ export function serviceDockerRunArgs(opts: {
         "-e",
         "VELLUM_WORKSPACE_DIR=/workspace",
         "-e",
-        `CES_CREDENTIAL_URL=http://${res.cesContainer}:8090`,
+        "CES_CREDENTIAL_URL=http://localhost:8090",
         "-e",
-        `GATEWAY_INTERNAL_URL=http://${res.gatewayContainer}:${GATEWAY_INTERNAL_PORT}`,
+        `GATEWAY_INTERNAL_URL=http://localhost:${GATEWAY_INTERNAL_PORT}`,
       ];
       if (defaultWorkspaceConfigPath) {
         const containerPath = `/tmp/vellum-default-workspace-config-${Date.now()}.json`;
@@ -567,9 +616,7 @@ export function serviceDockerRunArgs(opts: {
       "-d",
       "--name",
       res.gatewayContainer,
-      `--network=${res.network}`,
-      "-p",
-      `${gatewayPort}:${GATEWAY_INTERNAL_PORT}`,
+      `--network=container:${res.assistantContainer}`,
       "-v",
       `${res.workspaceVolume}:/workspace`,
       "-v",
@@ -581,13 +628,13 @@ export function serviceDockerRunArgs(opts: {
       "-e",
       `GATEWAY_PORT=${GATEWAY_INTERNAL_PORT}`,
       "-e",
-      `ASSISTANT_HOST=${res.assistantContainer}`,
+      "ASSISTANT_HOST=localhost",
       "-e",
       `RUNTIME_HTTP_PORT=${ASSISTANT_INTERNAL_PORT}`,
       "-e",
       "RUNTIME_PROXY_ENABLED=true",
       "-e",
-      `CES_CREDENTIAL_URL=http://${res.cesContainer}:8090`,
+      "CES_CREDENTIAL_URL=http://localhost:8090",
       ...(cesServiceToken
         ? ["-e", `CES_SERVICE_TOKEN=${cesServiceToken}`]
         : []),
@@ -605,7 +652,7 @@ export function serviceDockerRunArgs(opts: {
       "-d",
       "--name",
       res.cesContainer,
-      `--network=${res.network}`,
+      `--network=container:${res.assistantContainer}`,
       "-v",
       `${res.socketVolume}:/run/ces-bootstrap`,
       "-v",
@@ -689,11 +736,13 @@ export async function sleepContainers(
   }
 }
 
-/** Start existing stopped containers, starting Colima first if it isn't running. */
+/** Start existing stopped containers, starting Colima first if it isn't running (macOS only). */
 export async function wakeContainers(
   res: ReturnType<typeof dockerResourceNames>,
 ): Promise<void> {
-  await ensureColimaRunning();
+  if (platform() !== "linux") {
+    await ensureColimaRunning();
+  }
   for (const container of [
     res.assistantContainer,
     res.gatewayContainer,
@@ -803,6 +852,9 @@ function affectedServices(
  * images and restart their containers.
  */
 function startFileWatcher(opts: {
+  signingKey?: string;
+  bootstrapSecret?: string;
+  cesServiceToken?: string;
   gatewayPort: number;
   imageTags: Record<ServiceName, string>;
   instanceName: string;
@@ -824,6 +876,9 @@ function startFileWatcher(opts: {
 
   const configs = serviceImageConfigs(repoRoot, imageTags);
   const runArgs = serviceDockerRunArgs({
+    signingKey: opts.signingKey,
+    bootstrapSecret: opts.bootstrapSecret,
+    cesServiceToken: opts.cesServiceToken,
     gatewayPort,
     imageTags,
     instanceName,
@@ -842,6 +897,15 @@ function startFileWatcher(opts: {
     const services = pendingServices;
     pendingServices = new Set();
 
+    // Gateway and CES share the assistant's network namespace. If the
+    // assistant container is removed and recreated, the shared namespace
+    // is destroyed and the other two lose connectivity. Cascade the
+    // restart to all three services in that case.
+    if (services.has("assistant")) {
+      services.add("gateway");
+      services.add("credential-executor");
+    }
+
     const serviceNames = [...services].join(", ");
     console.log(`\n🔄 Changes detected — rebuilding: ${serviceNames}`);
 
@@ -854,7 +918,10 @@ function startFileWatcher(opts: {
         }),
       );
 
-      for (const service of services) {
+      // Restart in dependency order (assistant first) so the network
+      // namespace owner is up before dependents try to attach.
+      for (const service of SERVICE_START_ORDER) {
+        if (!services.has(service)) continue;
         const container = containerForService[service];
         console.log(`🔄 Restarting ${container}...`);
         await removeContainer(container);
@@ -949,8 +1016,23 @@ export async function hatchDocker(
     let repoRoot: string | undefined;
 
     if (watch) {
-      emitProgress(2, 6, "Building images...");
       repoRoot = findRepoRoot();
+
+      // When running from a packaged .app bundle, the Dockerfiles are
+      // present (so findRepoRoot succeeds) but the full source tree is
+      // not — we can't build images locally. Fall back to pulling
+      // pre-built images instead.
+      if (!hasFullSourceTree(repoRoot)) {
+        log(
+          "⚠️  Dockerfiles found but no source tree — falling back to image pull",
+        );
+        watch = false;
+        repoRoot = undefined;
+      }
+    }
+
+    if (watch && repoRoot) {
+      emitProgress(2, 6, "Building images...");
       const localTag = `local-${instanceName}`;
       imageTags.assistant = `vellum-assistant:${localTag}`;
       imageTags.gateway = `vellum-gateway:${localTag}`;
@@ -969,20 +1051,41 @@ export async function hatchDocker(
 
       await buildAllImages(repoRoot, imageTags, log);
       log("✅ Docker images built");
-    } else {
+    }
+
+    if (!watch || !repoRoot) {
       emitProgress(2, 6, "Pulling images...");
-      const version = cliPkg.version;
-      const versionTag = version ? `v${version}` : "latest";
-      log("🔍 Resolving image references...");
-      const resolved = await resolveImageRefs(versionTag, log);
-      imageTags.assistant = resolved.imageTags.assistant;
-      imageTags.gateway = resolved.imageTags.gateway;
-      imageTags["credential-executor"] =
-        resolved.imageTags["credential-executor"];
+
+      // Allow explicit image overrides via environment variables.
+      // When all three are set, skip version-based resolution entirely.
+      const envAssistant = process.env.VELLUM_ASSISTANT_IMAGE;
+      const envGateway = process.env.VELLUM_GATEWAY_IMAGE;
+      const envCredentialExecutor =
+        process.env.VELLUM_CREDENTIAL_EXECUTOR_IMAGE;
+
+      let imageSource: string;
+
+      if (envAssistant && envGateway && envCredentialExecutor) {
+        imageTags.assistant = envAssistant;
+        imageTags.gateway = envGateway;
+        imageTags["credential-executor"] = envCredentialExecutor;
+        imageSource = "env override";
+        log("Using image overrides from environment variables");
+      } else {
+        const version = cliPkg.version;
+        const versionTag = version ? `v${version}` : "latest";
+        log("🔍 Resolving image references...");
+        const resolved = await resolveImageRefs(versionTag, log);
+        imageTags.assistant = resolved.imageTags.assistant;
+        imageTags.gateway = resolved.imageTags.gateway;
+        imageTags["credential-executor"] =
+          resolved.imageTags["credential-executor"];
+        imageSource = resolved.source;
+      }
 
       log(`🥚 Hatching Docker assistant: ${instanceName}`);
       log(`   Species: ${species}`);
-      log(`   Images (${resolved.source}):`);
+      log(`   Images (${imageSource}):`);
       log(`     assistant:            ${imageTags.assistant}`);
       log(`     gateway:              ${imageTags.gateway}`);
       log(`     credential-executor:  ${imageTags["credential-executor"]}`);
@@ -1092,6 +1195,9 @@ export async function hatchDocker(
       saveAssistantEntry({ ...dockerEntry, watcherPid: process.pid });
 
       const stopWatcher = startFileWatcher({
+        signingKey,
+        bootstrapSecret,
+        cesServiceToken,
         gatewayPort,
         imageTags,
         instanceName,

package/src/lib/gcp.ts

@@ -4,11 +4,8 @@ import { join } from "path";
 
 import { saveAssistantEntry, setActiveAssistant } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
-import {
-  FIREWALL_TAG,
-  GATEWAY_PORT,
-  PROVIDER_ENV_VAR_NAMES,
-} from "./constants";
+import { FIREWALL_TAG, GATEWAY_PORT } from "./constants";
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
 import { getPlatformUrl } from "./platform-client";