@vellumai/cli 0.5.6 → 0.5.7

package/src/lib/assistant-config.ts

@@ -1,4 +1,12 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { randomBytes } from "crypto";
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  renameSync,
+  unlinkSync,
+  writeFileSync,
+} from "fs";
 import { homedir } from "os";
 import { join } from "path";
 
@@ -82,6 +90,14 @@ export interface AssistantEntry {
   previousServiceGroupVersion?: string;
   /** Docker image metadata from before the last upgrade. Enables rollback to the prior version. */
   previousContainerInfo?: ContainerInfo;
+  /** Path to the .vbundle backup created for the most recent upgrade. Used by rollback to restore
+   *  only the backup from the specific upgrade being rolled back — never a stale backup from a
+   *  previous upgrade cycle. */
+  preUpgradeBackupPath?: string;
+  /** Pre-upgrade DB migration version — used by rollback to know how far back to revert. */
+  previousDbMigrationVersion?: number;
+  /** Pre-upgrade workspace migration ID — used by rollback to know how far back to revert. */
+  previousWorkspaceMigrationId?: string;
   [key: string]: unknown;
 }
 
@@ -92,7 +108,7 @@ interface LockfileData {
   [key: string]: unknown;
 }
 
-function getBaseDir(): string {
+export function getBaseDir(): string {
   return process.env.BASE_DATA_DIR?.trim() || homedir();
 }
 
@@ -124,7 +140,16 @@ function readLockfile(): LockfileData {
 
 function writeLockfile(data: LockfileData): void {
   const lockfilePath = join(getLockfileDir(), ".vellum.lock.json");
-  writeFileSync(lockfilePath, JSON.stringify(data, null, 2) + "\n");
+  const tmpPath = `${lockfilePath}.${randomBytes(4).toString("hex")}.tmp`;
+  try {
+    writeFileSync(tmpPath, JSON.stringify(data, null, 2) + "\n");
+    renameSync(tmpPath, lockfilePath);
+  } catch (err) {
+    try {
+      unlinkSync(tmpPath);
+    } catch {}
+    throw err;
+  }
 }
 
 /**
@@ -412,12 +437,14 @@ export async function allocateLocalResources(
   instanceName: string,
 ): Promise<LocalInstanceResources> {
   // First local assistant gets the home directory with default ports.
+  // Respect BASE_DATA_DIR when set (e.g. in e2e tests) so the daemon,
+  // gateway, and keychain broker all resolve paths under the same root.
   const existingLocals = loadAllAssistants().filter((e) => e.cloud === "local");
   if (existingLocals.length === 0) {
-    const home = homedir();
-    const vellumDir = join(home, ".vellum");
+    const baseDir = getBaseDir();
+    const vellumDir = join(baseDir, ".vellum");
     return {
-      instanceDir: home,
+      instanceDir: baseDir,
       daemonPort: DEFAULT_DAEMON_PORT,
       gatewayPort: DEFAULT_GATEWAY_PORT,
       qdrantPort: DEFAULT_QDRANT_PORT,

package/src/lib/aws.ts

@@ -374,6 +374,7 @@ export async function hatchAws(
   species: Species,
   detached: boolean,
   name: string | null,
+  configValues: Record<string, string> = {},
 ): Promise<void> {
   const startTime = Date.now();
   try {
@@ -448,6 +449,7 @@ export async function hatchAws(
       providerApiKeys,
       instanceName,
       "aws",
+      configValues,
     );
     const startupScriptPath = join(tmpdir(), `${instanceName}-startup.sh`);
     writeFileSync(startupScriptPath, startupScript);

package/src/lib/backup-ops.ts

@@ -0,0 +1,213 @@
+import {
+  existsSync,
+  mkdirSync,
+  readdirSync,
+  readFileSync,
+  unlinkSync,
+  writeFileSync,
+} from "fs";
+import { homedir } from "os";
+import { dirname, join } from "path";
+
+import { loadGuardianToken, leaseGuardianToken } from "./guardian-token.js";
+
+/** Default backup directory following XDG convention */
+export function getBackupsDir(): string {
+  const dataHome =
+    process.env.XDG_DATA_HOME?.trim() || join(homedir(), ".local", "share");
+  return join(dataHome, "vellum", "backups");
+}
+
+/** Human-readable file size */
+export function formatSize(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+/** Obtain a valid guardian access token (cached or fresh lease) */
+async function getGuardianAccessToken(
+  runtimeUrl: string,
+  assistantId: string,
+  forceRefresh?: boolean,
+): Promise<string> {
+  if (!forceRefresh) {
+    const tokenData = loadGuardianToken(assistantId);
+    if (tokenData && new Date(tokenData.accessTokenExpiresAt) > new Date()) {
+      return tokenData.accessToken;
+    }
+  }
+  const freshToken = await leaseGuardianToken(runtimeUrl, assistantId);
+  return freshToken.accessToken;
+}
+
+/**
+ * Create a .vbundle backup of a running assistant.
+ * Returns the path to the saved backup, or null if backup failed.
+ * Never throws — failures are logged as warnings.
+ */
+export async function createBackup(
+  runtimeUrl: string,
+  assistantId: string,
+  options?: { prefix?: string; description?: string },
+): Promise<string | null> {
+  try {
+    let accessToken = await getGuardianAccessToken(runtimeUrl, assistantId);
+
+    let response = await fetch(`${runtimeUrl}/v1/migrations/export`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        description: options?.description ?? "CLI backup",
+      }),
+      signal: AbortSignal.timeout(120_000),
+    });
+
+    // Retry once with a fresh token on 401 — the cached token may be stale
+    // after a container restart that generated a new gateway signing key.
+    if (response.status === 401) {
+      accessToken = await getGuardianAccessToken(runtimeUrl, assistantId, true);
+      response = await fetch(`${runtimeUrl}/v1/migrations/export`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          description: options?.description ?? "CLI backup",
+        }),
+        signal: AbortSignal.timeout(120_000),
+      });
+    }
+
+    if (!response.ok) {
+      const body = await response.text();
+      console.warn(
+        `Warning: backup export failed (${response.status}): ${body}`,
+      );
+      return null;
+    }
+
+    const arrayBuffer = await response.arrayBuffer();
+    const data = new Uint8Array(arrayBuffer);
+
+    const isoTimestamp = new Date().toISOString().replace(/[:.]/g, "-");
+    const prefix = options?.prefix ?? assistantId;
+    const outputPath = join(
+      getBackupsDir(),
+      `${prefix}-${isoTimestamp}.vbundle`,
+    );
+
+    mkdirSync(dirname(outputPath), { recursive: true });
+    writeFileSync(outputPath, data);
+
+    return outputPath;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.warn(`Warning: backup failed: ${msg}`);
+    return null;
+  }
+}
+
+/**
+ * Restore a .vbundle backup into a running assistant.
+ * Returns true if restore succeeded, false otherwise.
+ * Never throws — failures are logged as warnings.
+ */
+export async function restoreBackup(
+  runtimeUrl: string,
+  assistantId: string,
+  backupPath: string,
+): Promise<boolean> {
+  try {
+    if (!existsSync(backupPath)) {
+      console.warn(`Warning: backup file not found: ${backupPath}`);
+      return false;
+    }
+
+    const bundleData = readFileSync(backupPath);
+    let accessToken = await getGuardianAccessToken(runtimeUrl, assistantId);
+
+    let response = await fetch(`${runtimeUrl}/v1/migrations/import`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/octet-stream",
+      },
+      body: bundleData,
+      signal: AbortSignal.timeout(120_000),
+    });
+
+    // Retry once with a fresh token on 401 — the cached token may be stale
+    // after a container restart that generated a new gateway signing key.
+    if (response.status === 401) {
+      accessToken = await getGuardianAccessToken(runtimeUrl, assistantId, true);
+      response = await fetch(`${runtimeUrl}/v1/migrations/import`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/octet-stream",
+        },
+        body: bundleData,
+        signal: AbortSignal.timeout(120_000),
+      });
+    }
+
+    if (!response.ok) {
+      const body = await response.text();
+      console.warn(`Warning: restore failed (${response.status}): ${body}`);
+      return false;
+    }
+
+    const result = (await response.json()) as {
+      success: boolean;
+      message?: string;
+      reason?: string;
+    };
+    if (!result.success) {
+      console.warn(
+        `Warning: restore failed — ${result.message ?? result.reason ?? "unknown reason"}`,
+      );
+      return false;
+    }
+
+    return true;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.warn(`Warning: restore failed: ${msg}`);
+    return false;
+  }
+}
+
+/**
+ * Keep only the N most recent pre-upgrade backups for an assistant,
+ * deleting older ones. Default: keep 3.
+ * Never throws — failures are silently ignored.
+ */
+export function pruneOldBackups(assistantId: string, keep: number = 3): void {
+  try {
+    const backupsDir = getBackupsDir();
+    if (!existsSync(backupsDir)) return;
+
+    const prefix = `${assistantId}-pre-upgrade-`;
+    const entries = readdirSync(backupsDir)
+      .filter((f) => f.startsWith(prefix) && f.endsWith(".vbundle"))
+      .sort();
+
+    if (entries.length <= keep) return;
+
+    const toDelete = entries.slice(0, entries.length - keep);
+    for (const file of toDelete) {
+      try {
+        unlinkSync(join(backupsDir, file));
+      } catch {
+        // Best-effort cleanup — ignore individual file errors
+      }
+    }
+  } catch {
+    // Best-effort cleanup — never block the upgrade
+  }
+}

package/src/lib/cli-error.ts

@@ -0,0 +1,91 @@
+/**
+ * Structured CLI error reporting for upgrade/rollback commands.
+ *
+ * When a CLI command fails, it can emit a machine-readable JSON object
+ * prefixed with `CLI_ERROR:` to stderr so that consumers (e.g. the
+ * desktop app) can parse it reliably. Modeled after the DAEMON_ERROR
+ * protocol in `assistant/src/daemon/startup-error.ts`.
+ */
+
+/** Known error categories emitted by CLI commands. */
+export type CliErrorCategory =
+  | "DOCKER_NOT_RUNNING"
+  | "IMAGE_PULL_FAILED"
+  | "READINESS_TIMEOUT"
+  | "ROLLBACK_FAILED"
+  | "ROLLBACK_NO_STATE"
+  | "AUTH_FAILED"
+  | "NETWORK_ERROR"
+  | "UNSUPPORTED_TOPOLOGY"
+  | "ASSISTANT_NOT_FOUND"
+  | "PLATFORM_API_ERROR"
+  | "UNKNOWN";
+
+interface CliErrorPayload {
+  error: CliErrorCategory;
+  message: string;
+  detail?: string;
+}
+
+const CLI_ERROR_PREFIX = "CLI_ERROR:";
+
+/**
+ * Write a structured error line to stderr. The line is prefixed with
+ * `CLI_ERROR:` followed by JSON, making it unambiguous even if other
+ * stderr output precedes it.
+ */
+export function emitCliError(
+  category: CliErrorCategory,
+  message: string,
+  detail?: string,
+): void {
+  const payload: CliErrorPayload = { error: category, message, detail };
+  const line = `${CLI_ERROR_PREFIX}${JSON.stringify(payload)}`;
+  process.stderr.write(line + "\n");
+}
+
+/**
+ * Inspect an error string and return the most appropriate
+ * {@link CliErrorCategory} for common upgrade/rollback failures.
+ */
+export function categorizeUpgradeError(err: unknown): CliErrorCategory {
+  const msg = String(err).toLowerCase();
+
+  if (
+    msg.includes("cannot connect to the docker") ||
+    msg.includes("is docker running")
+  ) {
+    return "DOCKER_NOT_RUNNING";
+  }
+
+  if (
+    msg.includes("manifest unknown") ||
+    msg.includes("manifest not found") ||
+    msg.includes("pull access denied") ||
+    msg.includes("repository does not exist")
+  ) {
+    return "IMAGE_PULL_FAILED";
+  }
+
+  if (msg.includes("timeout") || msg.includes("readyz")) {
+    return "READINESS_TIMEOUT";
+  }
+
+  if (
+    msg.includes("401") ||
+    msg.includes("403") ||
+    msg.includes("unauthorized")
+  ) {
+    return "AUTH_FAILED";
+  }
+
+  if (
+    msg.includes("enotfound") ||
+    msg.includes("econnrefused") ||
+    msg.includes("network")
+  ) {
+    return "NETWORK_ERROR";
+  }
+
+  return "UNKNOWN";
+}

package/src/lib/config-utils.ts

@@ -0,0 +1,59 @@
+import { writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+
+/**
+ * Convert flat dot-notation key=value pairs into a nested config object.
+ *
+ * e.g. {"services.inference.provider": "anthropic", "services.inference.model": "claude-opus-4-6"}
+ *   → {services: {inference: {provider: "anthropic", model: "claude-opus-4-6"}}}
+ */
+export function buildNestedConfig(
+  configValues: Record<string, string>,
+): Record<string, unknown> {
+  const config: Record<string, unknown> = {};
+  for (const [dotKey, value] of Object.entries(configValues)) {
+    const parts = dotKey.split(".");
+    let target: Record<string, unknown> = config;
+    for (let i = 0; i < parts.length - 1; i++) {
+      const part = parts[i];
+      const existing = target[part];
+      if (
+        existing == null ||
+        typeof existing !== "object" ||
+        Array.isArray(existing)
+      ) {
+        target[part] = {};
+      }
+      target = target[part] as Record<string, unknown>;
+    }
+    target[parts[parts.length - 1]] = value;
+  }
+  return config;
+}
+
+/**
+ * Write arbitrary key-value pairs to a temporary JSON file and return its
+ * path. The caller passes this path to the daemon via the
+ * VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH env var so the daemon can merge the
+ * values into its workspace config on first boot.
+ *
+ * Keys use dot-notation to address nested fields. For example:
+ *   "services.inference.provider" → {services: {inference: {provider: ...}}}
+ *   "services.inference.model"    → {services: {inference: {model: ...}}}
+ *
+ * Returns undefined when configValues is empty (nothing to write).
+ */
+export function writeInitialConfig(
+  configValues: Record<string, string>,
+): string | undefined {
+  if (Object.keys(configValues).length === 0) return undefined;
+
+  const config = buildNestedConfig(configValues);
+  const tempPath = join(
+    tmpdir(),
+    `vellum-default-workspace-config-${process.pid}-${Date.now()}.json`,
+  );
+  writeFileSync(tempPath, JSON.stringify(config, null, 2) + "\n");
+  return tempPath;
+}

package/src/lib/docker.ts

@@ -12,11 +12,13 @@ import {
   setActiveAssistant,
 } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
+import { writeInitialConfig } from "./config-utils";
 import { DEFAULT_GATEWAY_PORT, PROVIDER_ENV_VAR_NAMES } from "./constants";
 import type { Species } from "./constants";
 import { leaseGuardianToken, saveBootstrapSecret } from "./guardian-token";
 import { isVellumProcess, stopProcess } from "./process";
 import { generateInstanceName } from "./random-name";
+import { resolveImageRefs } from "./platform-releases.js";
 import { exec, execOutput } from "./step-runner";
 import {
   closeLogFile,
@@ -464,16 +466,19 @@ async function buildAllImages(
  * can be restarted independently.
  */
 export function serviceDockerRunArgs(opts: {
+  signingKey?: string;
   bootstrapSecret?: string;
   cesServiceToken?: string;
   extraAssistantEnv?: Record<string, string>;
   gatewayPort: number;
   imageTags: Record<ServiceName, string>;
+  defaultWorkspaceConfigPath?: string;
   instanceName: string;
   res: ReturnType<typeof dockerResourceNames>;
 }): Record<ServiceName, () => string[]> {
   const {
     cesServiceToken,
+    defaultWorkspaceConfigPath,
     extraAssistantEnv,
     gatewayPort,
     imageTags,
@@ -496,6 +501,8 @@ export function serviceDockerRunArgs(opts: {
         "-e",
         `VELLUM_ASSISTANT_NAME=${instanceName}`,
         "-e",
+        "VELLUM_CLOUD=docker",
+        "-e",
         "RUNTIME_HTTP_HOST=0.0.0.0",
         "-e",
         "WORKSPACE_DIR=/workspace",
@@ -504,9 +511,21 @@ export function serviceDockerRunArgs(opts: {
         "-e",
         `GATEWAY_INTERNAL_URL=http://${res.gatewayContainer}:${GATEWAY_INTERNAL_PORT}`,
       ];
+      if (defaultWorkspaceConfigPath) {
+        const containerPath = `/tmp/vellum-default-workspace-config-${Date.now()}.json`;
+        args.push(
+          "-v",
+          `${defaultWorkspaceConfigPath}:${containerPath}:ro`,
+          "-e",
+          `VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH=${containerPath}`,
+        );
+      }
       if (cesServiceToken) {
         args.push("-e", `CES_SERVICE_TOKEN=${cesServiceToken}`);
       }
+      if (opts.signingKey) {
+        args.push("-e", `ACTOR_TOKEN_SIGNING_KEY=${opts.signingKey}`);
+      }
       for (const envVar of [
         ...Object.values(PROVIDER_ENV_VAR_NAMES),
         "VELLUM_PLATFORM_URL",
@@ -553,6 +572,9 @@ export function serviceDockerRunArgs(opts: {
       ...(cesServiceToken
         ? ["-e", `CES_SERVICE_TOKEN=${cesServiceToken}`]
         : []),
+      ...(opts.signingKey
+        ? ["-e", `ACTOR_TOKEN_SIGNING_KEY=${opts.signingKey}`]
+        : []),
       ...(opts.bootstrapSecret
         ? ["-e", `GUARDIAN_BOOTSTRAP_SECRET=${opts.bootstrapSecret}`]
         : []),
@@ -739,11 +761,13 @@ export const SERVICE_START_ORDER: ServiceName[] = [
 /** Start all three containers in dependency order. */
 export async function startContainers(
   opts: {
+    signingKey?: string;
     bootstrapSecret?: string;
     cesServiceToken?: string;
     extraAssistantEnv?: Record<string, string>;
     gatewayPort: number;
     imageTags: Record<ServiceName, string>;
+    defaultWorkspaceConfigPath?: string;
     instanceName: string;
     res: ReturnType<typeof dockerResourceNames>;
   },
@@ -765,26 +789,6 @@ export async function stopContainers(
   await removeContainer(res.assistantContainer);
 }
 
-/**
- * Remove the signing-key-bootstrap lockfile from the gateway security volume.
- * This allows the daemon to re-fetch the signing key from the gateway on the
- * next startup — necessary during upgrades where the gateway may generate a
- * new key.
- */
-export async function clearSigningKeyBootstrapLock(
-  res: ReturnType<typeof dockerResourceNames>,
-): Promise<void> {
-  await exec("docker", [
-    "run",
-    "--rm",
-    "-v",
-    `${res.gatewaySecurityVolume}:/gateway-security`,
-    "busybox",
-    "rm",
-    "-f",
-    "/gateway-security/signing-key-bootstrap.lock",
-  ]);
-}
 
 /** Stop containers without removing them (preserves state for `docker start`). */
 export async function sleepContainers(
@@ -1028,6 +1032,7 @@ export async function hatchDocker(
   detached: boolean,
   name: string | null,
   watch: boolean = false,
+  configValues: Record<string, string> = {},
 ): Promise<void> {
   resetLogFile("hatch.log");
 
@@ -1074,14 +1079,16 @@ export async function hatchDocker(
     } else {
       const version = cliPkg.version;
       const versionTag = version ? `v${version}` : "latest";
-      imageTags.assistant = `${DOCKERHUB_IMAGES.assistant}:${versionTag}`;
-      imageTags.gateway = `${DOCKERHUB_IMAGES.gateway}:${versionTag}`;
+      log("🔍 Resolving image references...");
+      const resolved = await resolveImageRefs(versionTag, log);
+      imageTags.assistant = resolved.imageTags.assistant;
+      imageTags.gateway = resolved.imageTags.gateway;
       imageTags["credential-executor"] =
-        `${DOCKERHUB_IMAGES["credential-executor"]}:${versionTag}`;
+        resolved.imageTags["credential-executor"];
 
       log(`🥚 Hatching Docker assistant: ${instanceName}`);
       log(`   Species: ${species}`);
-      log(`   Images:`);
+      log(`   Images (${resolved.source}):`);
       log(`     assistant:            ${imageTags.assistant}`);
       log(`     gateway:              ${imageTags.gateway}`);
       log(`     credential-executor:  ${imageTags["credential-executor"]}`);
@@ -1115,24 +1122,25 @@ export async function hatchDocker(
       "/workspace",
     ]);
 
-    // Clear any stale signing-key bootstrap lockfile so the daemon can
-    // fetch the key from the gateway on first startup.
-    await exec("docker", [
-      "run",
-      "--rm",
-      "-v",
-      `${res.gatewaySecurityVolume}:/gateway-security`,
-      "busybox",
-      "rm",
-      "-f",
-      "/gateway-security/signing-key-bootstrap.lock",
-    ]);
+    // Write --config key=value pairs to a temp file that gets bind-mounted
+    // into the assistant container and read via VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH.
+    const defaultWorkspaceConfigPath = writeInitialConfig(configValues);
 
     const cesServiceToken = randomBytes(32).toString("hex");
+    const signingKey = randomBytes(32).toString("hex");
     const bootstrapSecret = randomBytes(32).toString("hex");
     saveBootstrapSecret(instanceName, bootstrapSecret);
     await startContainers(
-      { bootstrapSecret, cesServiceToken, gatewayPort, imageTags, instanceName, res },
+      {
+        signingKey,
+        bootstrapSecret,
+        cesServiceToken,
+        gatewayPort,
+        imageTags,
+        defaultWorkspaceConfigPath,
+        instanceName,
+        res,
+      },
       log,
     );
 

package/src/lib/doctor-client.ts

@@ -1,4 +1,4 @@
-const DOCTOR_URL = "https://doctor.vellum.ai";
+const DOCTOR_URL = process.env.DOCTOR_SERVICE_URL?.trim() || "";
 
 export type ProgressPhase =
   | "invoking_prompt"
@@ -107,6 +107,16 @@ async function callDoctorDaemon(
   chatContext?: ChatLogEntry[],
   onLog?: DoctorLogCallback,
 ): Promise<DoctorResult> {
+  if (!DOCTOR_URL) {
+    onLog?.("Doctor service not configured (DOCTOR_SERVICE_URL is not set)");
+    return {
+      assistantId,
+      diagnostics: null,
+      recommendation: null,
+      error: "Doctor service not configured",
+    };
+  }
+
   const MAX_RETRIES = 2;
   let lastError: unknown;
 

package/src/lib/gcp.ts

@@ -11,6 +11,7 @@ import {
 } from "./constants";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
+import { getPlatformUrl } from "./platform-client";
 import { generateInstanceName } from "./random-name";
 import { exec, execOutput } from "./step-runner";
 
@@ -455,6 +456,7 @@ export async function hatchGcp(
     providerApiKeys: Record<string, string>,
     instanceName: string,
     cloud: "gcp",
+    configValues?: Record<string, string>,
   ) => Promise<string>,
   watchHatching: (
     pollFn: () => Promise<PollResult>,
@@ -462,6 +464,7 @@ export async function hatchGcp(
     startTime: number,
     species: Species,
   ) => Promise<WatchHatchingResult>,
+  configValues: Record<string, string> = {},
 ): Promise<void> {
   const startTime = Date.now();
   const account = process.env.GCP_ACCOUNT_EMAIL;
@@ -525,6 +528,7 @@ export async function hatchGcp(
       providerApiKeys,
       instanceName,
       "gcp",
+      configValues,
     );
     const startupScriptPath = join(tmpdir(), `${instanceName}-startup.sh`);
     writeFileSync(startupScriptPath, startupScript);
@@ -640,7 +644,7 @@ export async function hatchGcp(
           species === "vellum" &&
           (await checkCurlFailure(instanceName, project, zone, account))
         ) {
-          const installScriptUrl = `${process.env.VELLUM_PLATFORM_URL ?? "https://vellum.ai"}/install.sh`;
+          const installScriptUrl = `${getPlatformUrl()}/install.sh`;
           console.log(
             `\ud83d\udd04 Detected install script curl failure for ${installScriptUrl}, attempting recovery...`,
           );