@vellumai/cli 0.5.6 → 0.5.8

package/src/lib/docker.ts

@@ -12,11 +12,13 @@ import {
   setActiveAssistant,
 } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
+import { writeInitialConfig } from "./config-utils";
 import { DEFAULT_GATEWAY_PORT, PROVIDER_ENV_VAR_NAMES } from "./constants";
 import type { Species } from "./constants";
-import { leaseGuardianToken, saveBootstrapSecret } from "./guardian-token";
+import { leaseGuardianToken } from "./guardian-token";
 import { isVellumProcess, stopProcess } from "./process";
 import { generateInstanceName } from "./random-name";
+import { resolveImageRefs } from "./platform-releases.js";
 import { exec, execOutput } from "./step-runner";
 import {
   closeLogFile,
@@ -269,11 +271,30 @@ async function ensureDockerInstalled(): Promise<void> {
     console.log("🚀 Docker daemon not running. Starting Colima...");
     try {
       await exec("colima", ["start"]);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      throw new Error(
-        `Failed to start Colima. Please run 'colima start' manually.\n${message}`,
+    } catch {
+      // Colima may fail if a previous VM instance is in a corrupt state.
+      // Attempt to delete the stale instance and retry once.
+      console.log(
+        "⚠️  Colima start failed — attempting to reset stale VM state...",
       );
+      try {
+        await exec("colima", ["stop", "--force"]).catch(() => {});
+        await exec("colima", ["delete", "--force"]);
+      } catch {
+        // If delete also fails, fall through to the retry which will
+        // produce a clear error message.
+      }
+
+      try {
+        console.log("🔄 Retrying colima start...");
+        await exec("colima", ["start"]);
+      } catch (retryErr) {
+        const message =
+          retryErr instanceof Error ? retryErr.message : String(retryErr);
+        throw new Error(
+          `Failed to start Colima after resetting stale VM state. Please run 'colima start' manually.\n${message}`,
+        );
+      }
     }
   }
 }
@@ -464,16 +485,19 @@ async function buildAllImages(
  * can be restarted independently.
  */
 export function serviceDockerRunArgs(opts: {
+  signingKey?: string;
   bootstrapSecret?: string;
   cesServiceToken?: string;
   extraAssistantEnv?: Record<string, string>;
   gatewayPort: number;
   imageTags: Record<ServiceName, string>;
+  defaultWorkspaceConfigPath?: string;
   instanceName: string;
   res: ReturnType<typeof dockerResourceNames>;
 }): Record<ServiceName, () => string[]> {
   const {
     cesServiceToken,
+    defaultWorkspaceConfigPath,
     extraAssistantEnv,
     gatewayPort,
     imageTags,
@@ -496,17 +520,31 @@ export function serviceDockerRunArgs(opts: {
         "-e",
         `VELLUM_ASSISTANT_NAME=${instanceName}`,
         "-e",
+        "VELLUM_CLOUD=docker",
+        "-e",
         "RUNTIME_HTTP_HOST=0.0.0.0",
         "-e",
-        "WORKSPACE_DIR=/workspace",
+        "VELLUM_WORKSPACE_DIR=/workspace",
         "-e",
         `CES_CREDENTIAL_URL=http://${res.cesContainer}:8090`,
         "-e",
         `GATEWAY_INTERNAL_URL=http://${res.gatewayContainer}:${GATEWAY_INTERNAL_PORT}`,
       ];
+      if (defaultWorkspaceConfigPath) {
+        const containerPath = `/tmp/vellum-default-workspace-config-${Date.now()}.json`;
+        args.push(
+          "-v",
+          `${defaultWorkspaceConfigPath}:${containerPath}:ro`,
+          "-e",
+          `VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH=${containerPath}`,
+        );
+      }
       if (cesServiceToken) {
         args.push("-e", `CES_SERVICE_TOKEN=${cesServiceToken}`);
       }
+      if (opts.signingKey) {
+        args.push("-e", `ACTOR_TOKEN_SIGNING_KEY=${opts.signingKey}`);
+      }
       for (const envVar of [
         ...Object.values(PROVIDER_ENV_VAR_NAMES),
         "VELLUM_PLATFORM_URL",
@@ -537,7 +575,7 @@ export function serviceDockerRunArgs(opts: {
       "-v",
       `${res.gatewaySecurityVolume}:/gateway-security`,
       "-e",
-      "WORKSPACE_DIR=/workspace",
+      "VELLUM_WORKSPACE_DIR=/workspace",
       "-e",
       "GATEWAY_SECURITY_DIR=/gateway-security",
       "-e",
@@ -553,6 +591,9 @@ export function serviceDockerRunArgs(opts: {
       ...(cesServiceToken
         ? ["-e", `CES_SERVICE_TOKEN=${cesServiceToken}`]
         : []),
+      ...(opts.signingKey
+        ? ["-e", `ACTOR_TOKEN_SIGNING_KEY=${opts.signingKey}`]
+        : []),
       ...(opts.bootstrapSecret
         ? ["-e", `GUARDIAN_BOOTSTRAP_SECRET=${opts.bootstrapSecret}`]
         : []),
@@ -574,7 +615,7 @@ export function serviceDockerRunArgs(opts: {
       "-e",
       "CES_MODE=managed",
       "-e",
-      "WORKSPACE_DIR=/workspace",
+      "VELLUM_WORKSPACE_DIR=/workspace",
       "-e",
       "CES_BOOTSTRAP_SOCKET_DIR=/run/ces-bootstrap",
       "-e",
@@ -739,11 +780,13 @@ export const SERVICE_START_ORDER: ServiceName[] = [
 /** Start all three containers in dependency order. */
 export async function startContainers(
   opts: {
+    signingKey?: string;
     bootstrapSecret?: string;
     cesServiceToken?: string;
     extraAssistantEnv?: Record<string, string>;
     gatewayPort: number;
     imageTags: Record<ServiceName, string>;
+    defaultWorkspaceConfigPath?: string;
     instanceName: string;
     res: ReturnType<typeof dockerResourceNames>;
   },
@@ -765,27 +808,6 @@ export async function stopContainers(
   await removeContainer(res.assistantContainer);
 }
 
-/**
- * Remove the signing-key-bootstrap lockfile from the gateway security volume.
- * This allows the daemon to re-fetch the signing key from the gateway on the
- * next startup — necessary during upgrades where the gateway may generate a
- * new key.
- */
-export async function clearSigningKeyBootstrapLock(
-  res: ReturnType<typeof dockerResourceNames>,
-): Promise<void> {
-  await exec("docker", [
-    "run",
-    "--rm",
-    "-v",
-    `${res.gatewaySecurityVolume}:/gateway-security`,
-    "busybox",
-    "rm",
-    "-f",
-    "/gateway-security/signing-key-bootstrap.lock",
-  ]);
-}
-
 /** Stop containers without removing them (preserves state for `docker start`). */
 export async function sleepContainers(
   res: ReturnType<typeof dockerResourceNames>,
@@ -1028,6 +1050,7 @@ export async function hatchDocker(
   detached: boolean,
   name: string | null,
   watch: boolean = false,
+  configValues: Record<string, string> = {},
 ): Promise<void> {
   resetLogFile("hatch.log");
 
@@ -1074,14 +1097,16 @@ export async function hatchDocker(
     } else {
       const version = cliPkg.version;
       const versionTag = version ? `v${version}` : "latest";
-      imageTags.assistant = `${DOCKERHUB_IMAGES.assistant}:${versionTag}`;
-      imageTags.gateway = `${DOCKERHUB_IMAGES.gateway}:${versionTag}`;
+      log("🔍 Resolving image references...");
+      const resolved = await resolveImageRefs(versionTag, log);
+      imageTags.assistant = resolved.imageTags.assistant;
+      imageTags.gateway = resolved.imageTags.gateway;
       imageTags["credential-executor"] =
-        `${DOCKERHUB_IMAGES["credential-executor"]}:${versionTag}`;
+        resolved.imageTags["credential-executor"];
 
       log(`🥚 Hatching Docker assistant: ${instanceName}`);
       log(`   Species: ${species}`);
-      log(`   Images:`);
+      log(`   Images (${resolved.source}):`);
       log(`     assistant:            ${imageTags.assistant}`);
       log(`     gateway:              ${imageTags.gateway}`);
       log(`     credential-executor:  ${imageTags["credential-executor"]}`);
@@ -1115,24 +1140,35 @@ export async function hatchDocker(
       "/workspace",
     ]);
 
-    // Clear any stale signing-key bootstrap lockfile so the daemon can
-    // fetch the key from the gateway on first startup.
-    await exec("docker", [
-      "run",
-      "--rm",
-      "-v",
-      `${res.gatewaySecurityVolume}:/gateway-security`,
-      "busybox",
-      "rm",
-      "-f",
-      "/gateway-security/signing-key-bootstrap.lock",
-    ]);
+    // Write --config key=value pairs to a temp file that gets bind-mounted
+    // into the assistant container and read via VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH.
+    const defaultWorkspaceConfigPath = writeInitialConfig(configValues);
 
     const cesServiceToken = randomBytes(32).toString("hex");
-    const bootstrapSecret = randomBytes(32).toString("hex");
-    saveBootstrapSecret(instanceName, bootstrapSecret);
+    const signingKey = randomBytes(32).toString("hex");
+
+    // When launched by a remote hatch startup script, the env var
+    // GUARDIAN_BOOTSTRAP_SECRET is already set with the laptop's secret.
+    // Generate a new secret for the local docker hatch caller and append
+    // it so the gateway receives a comma-separated list of all expected
+    // bootstrap secrets.
+    const ownSecret = randomBytes(32).toString("hex");
+    const preExisting = process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    const bootstrapSecret = preExisting
+      ? `${preExisting},${ownSecret}`
+      : ownSecret;
+
     await startContainers(
-      { bootstrapSecret, cesServiceToken, gatewayPort, imageTags, instanceName, res },
+      {
+        signingKey,
+        bootstrapSecret,
+        cesServiceToken,
+        gatewayPort,
+        imageTags,
+        defaultWorkspaceConfigPath,
+        instanceName,
+        res,
+      },
       log,
     );
 
@@ -1161,6 +1197,7 @@ export async function hatchDocker(
     setActiveAssistant(instanceName);
 
     const { ready } = await waitForGatewayAndLease({
+      bootstrapSecret: ownSecret,
       containerName: res.assistantContainer,
       detached: watch ? false : detached,
       instanceName,
@@ -1218,13 +1255,21 @@ export async function hatchDocker(
  * lease a guardian token.
  */
 async function waitForGatewayAndLease(opts: {
+  bootstrapSecret: string;
   containerName: string;
   detached: boolean;
   instanceName: string;
   logFd: number | "ignore";
   runtimeUrl: string;
 }): Promise<{ ready: boolean }> {
-  const { containerName, detached, instanceName, logFd, runtimeUrl } = opts;
+  const {
+    bootstrapSecret,
+    containerName,
+    detached,
+    instanceName,
+    logFd,
+    runtimeUrl,
+  } = opts;
 
   const log = (msg: string): void => {
     console.log(msg);
@@ -1298,7 +1343,11 @@ async function waitForGatewayAndLease(opts: {
 
   while (Date.now() < leaseDeadline) {
     try {
-      const tokenData = await leaseGuardianToken(runtimeUrl, instanceName);
+      const tokenData = await leaseGuardianToken(
+        runtimeUrl,
+        instanceName,
+        bootstrapSecret,
+      );
       const leaseElapsed = ((Date.now() - leaseStart) / 1000).toFixed(1);
       log(
         `Guardian token lease: success after ${leaseElapsed}s (principalId=${tokenData.guardianPrincipalId}, expiresAt=${tokenData.accessTokenExpiresAt})`,

package/src/lib/doctor-client.ts

@@ -1,4 +1,4 @@
-const DOCTOR_URL = "https://doctor.vellum.ai";
+const DOCTOR_URL = process.env.DOCTOR_SERVICE_URL?.trim() || "";
 
 export type ProgressPhase =
   | "invoking_prompt"
@@ -107,6 +107,16 @@ async function callDoctorDaemon(
   chatContext?: ChatLogEntry[],
   onLog?: DoctorLogCallback,
 ): Promise<DoctorResult> {
+  if (!DOCTOR_URL) {
+    onLog?.("Doctor service not configured (DOCTOR_SERVICE_URL is not set)");
+    return {
+      assistantId,
+      diagnostics: null,
+      recommendation: null,
+      error: "Doctor service not configured",
+    };
+  }
+
   const MAX_RETRIES = 2;
   let lastError: unknown;
 

package/src/lib/gcp.ts

@@ -11,6 +11,7 @@ import {
 } from "./constants";
 import type { Species } from "./constants";
 import { leaseGuardianToken } from "./guardian-token";
+import { getPlatformUrl } from "./platform-client";
 import { generateInstanceName } from "./random-name";
 import { exec, execOutput } from "./step-runner";
 
@@ -455,13 +456,15 @@ export async function hatchGcp(
     providerApiKeys: Record<string, string>,
     instanceName: string,
     cloud: "gcp",
-  ) => Promise<string>,
+    configValues?: Record<string, string>,
+  ) => Promise<{ script: string; laptopBootstrapSecret: string }>,
   watchHatching: (
     pollFn: () => Promise<PollResult>,
     instanceName: string,
     startTime: number,
     species: Species,
   ) => Promise<WatchHatchingResult>,
+  configValues: Record<string, string> = {},
 ): Promise<void> {
   const startTime = Date.now();
   const account = process.env.GCP_ACCOUNT_EMAIL;
@@ -519,13 +522,15 @@ export async function hatchGcp(
       );
       process.exit(1);
     }
-    const startupScript = await buildStartupScript(
-      species,
-      sshUser,
-      providerApiKeys,
-      instanceName,
-      "gcp",
-    );
+    const { script: startupScript, laptopBootstrapSecret } =
+      await buildStartupScript(
+        species,
+        sshUser,
+        providerApiKeys,
+        instanceName,
+        "gcp",
+        configValues,
+      );
     const startupScriptPath = join(tmpdir(), `${instanceName}-startup.sh`);
     writeFileSync(startupScriptPath, startupScript);
 
@@ -640,7 +645,7 @@ export async function hatchGcp(
           species === "vellum" &&
           (await checkCurlFailure(instanceName, project, zone, account))
         ) {
-          const installScriptUrl = `${process.env.VELLUM_PLATFORM_URL ?? "https://vellum.ai"}/install.sh`;
+          const installScriptUrl = `${getPlatformUrl()}/install.sh`;
           console.log(
             `\ud83d\udd04 Detected install script curl failure for ${installScriptUrl}, attempting recovery...`,
           );
@@ -658,7 +663,11 @@ export async function hatchGcp(
       }
 
       try {
-        await leaseGuardianToken(runtimeUrl, instanceName);
+        await leaseGuardianToken(
+          runtimeUrl,
+          instanceName,
+          laptopBootstrapSecret,
+        );
       } catch (err) {
         console.warn(
           `\u26a0\ufe0f  Could not lease guardian token: ${err instanceof Error ? err.message : err}`,

package/src/lib/guardian-token.ts

@@ -42,46 +42,6 @@ function getPersistedDeviceIdPath(): string {
   return join(getXdgConfigHome(), "vellum", "device-id");
 }
 
-function getBootstrapSecretPath(assistantId: string): string {
-  return join(
-    getXdgConfigHome(),
-    "vellum",
-    "assistants",
-    assistantId,
-    "bootstrap-secret",
-  );
-}
-
-/**
- * Load a previously saved bootstrap secret for the given assistant.
- * Returns null if the file does not exist or is unreadable.
- */
-export function loadBootstrapSecret(assistantId: string): string | null {
-  try {
-    const raw = readFileSync(getBootstrapSecretPath(assistantId), "utf-8").trim();
-    return raw.length > 0 ? raw : null;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Persist a bootstrap secret for the given assistant so that the desktop
- * client and upgrade/rollback paths can retrieve it later.
- */
-export function saveBootstrapSecret(
-  assistantId: string,
-  secret: string,
-): void {
-  const path = getBootstrapSecretPath(assistantId);
-  const dir = dirname(path);
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true, mode: 0o700 });
-  }
-  writeFileSync(path, secret + "\n", { mode: 0o600 });
-  chmodSync(path, 0o600);
-}
-
 function hashWithSalt(input: string): string {
   return createHash("sha256")
     .update(input + DEVICE_ID_SALT)
@@ -206,10 +166,12 @@ export function saveGuardianToken(
 export async function leaseGuardianToken(
   gatewayUrl: string,
   assistantId: string,
+  bootstrapSecret?: string,
 ): Promise<GuardianTokenData> {
   const deviceId = computeDeviceId();
-  const headers: Record<string, string> = { "Content-Type": "application/json" };
-  const bootstrapSecret = loadBootstrapSecret(assistantId);
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+  };
   if (bootstrapSecret) {
     headers["x-bootstrap-secret"] = bootstrapSecret;
   }

package/src/lib/local.ts

@@ -192,10 +192,15 @@ function resolveDaemonMainPath(assistantIndex: string): string {
   return join(dirname(assistantIndex), "daemon", "main.ts");
 }
 
+type DaemonStartOptions = {
+  foreground?: boolean;
+  defaultWorkspaceConfigPath?: string;
+};
+
 async function startDaemonFromSource(
   assistantIndex: string,
   resources: LocalInstanceResources,
-  options?: { foreground?: boolean },
+  options?: DaemonStartOptions,
 ): Promise<void> {
   const foreground = options?.foreground ?? false;
   const daemonMainPath = resolveDaemonMainPath(assistantIndex);
@@ -260,6 +265,7 @@ async function startDaemonFromSource(
   const env: Record<string, string | undefined> = {
     ...process.env,
     RUNTIME_HTTP_PORT: process.env.RUNTIME_HTTP_PORT || "7821",
+    VELLUM_CLOUD: "local",
   };
   if (resources) {
     env.BASE_DATA_DIR = resources.instanceDir;
@@ -268,6 +274,10 @@ async function startDaemonFromSource(
     env.QDRANT_HTTP_PORT = String(resources.qdrantPort);
     delete env.QDRANT_URL;
   }
+  if (options?.defaultWorkspaceConfigPath) {
+    env.VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH =
+      options.defaultWorkspaceConfigPath;
+  }
 
   // Write a sentinel PID file before spawning so concurrent hatch() calls
   // detect the in-progress spawn and wait instead of racing.
@@ -306,6 +316,7 @@ async function startDaemonFromSource(
 async function startDaemonWatchFromSource(
   assistantIndex: string,
   resources: LocalInstanceResources,
+  options?: DaemonStartOptions,
 ): Promise<void> {
   const mainPath = resolveDaemonMainPath(assistantIndex);
   if (!existsSync(mainPath)) {
@@ -381,6 +392,10 @@ async function startDaemonWatchFromSource(
     env.QDRANT_HTTP_PORT = String(resources.qdrantPort);
     delete env.QDRANT_URL;
   }
+  if (options?.defaultWorkspaceConfigPath) {
+    env.VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH =
+      options.defaultWorkspaceConfigPath;
+  }
 
   // Write a sentinel PID file before spawning so concurrent hatch() calls
   // detect the in-progress spawn and wait instead of racing.
@@ -819,7 +834,7 @@ export function isGatewayWatchModeAvailable(): boolean {
 export async function startLocalDaemon(
   watch: boolean = false,
   resources: LocalInstanceResources,
-  options?: { foreground?: boolean },
+  options?: DaemonStartOptions,
 ): Promise<void> {
   const foreground = options?.foreground ?? false;
   // Check for a compiled daemon binary adjacent to the CLI executable.
@@ -905,7 +920,7 @@ export async function startLocalDaemon(
 
       // Build a minimal environment for the daemon. When launched from the
       // macOS app the CLI inherits a huge environment (XPC_SERVICE_NAME,
-      // __CFBundleIdentifier, CLAUDE_CODE_ENTRYPOINT, etc.) that can cause
+      // __CFBundleIdentifier, etc.) that can cause
       // the daemon to take 50+ seconds to start instead of ~1s.
       const home = homedir();
       const bunBinDir = join(home, ".bun", "bin");
@@ -924,20 +939,26 @@ export async function startLocalDaemon(
         "ANTHROPIC_API_KEY",
         "APP_VERSION",
         "BASE_DATA_DIR",
-        "PLATFORM_BASE_URL",
+        "VELLUM_PLATFORM_URL",
         "QDRANT_HTTP_PORT",
         "QDRANT_URL",
         "RUNTIME_HTTP_PORT",
-        "SENTRY_DSN",
+        "SENTRY_DSN_ASSISTANT",
         "TMPDIR",
         "USER",
         "LANG",
         "VELLUM_DEBUG",
+        "VELLUM_DEV",
+        "VELLUM_DESKTOP_APP",
       ]) {
         if (process.env[key]) {
           daemonEnv[key] = process.env[key]!;
         }
       }
+      if (options?.defaultWorkspaceConfigPath) {
+        daemonEnv.VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH =
+          options.defaultWorkspaceConfigPath;
+      }
       // When running a named instance, override env so the daemon resolves
       // all paths under the instance directory and listens on its own port.
       if (resources) {
@@ -1005,9 +1026,9 @@ export async function startLocalDaemon(
         // Kill the bundled daemon to avoid two processes competing for the same port
         await stopProcessByPidFile(pidFile, "bundled daemon");
         if (watch) {
-          await startDaemonWatchFromSource(assistantIndex, resources);
+          await startDaemonWatchFromSource(assistantIndex, resources, options);
         } else {
-          await startDaemonFromSource(assistantIndex, resources);
+          await startDaemonFromSource(assistantIndex, resources, options);
         }
         daemonReady = await waitForDaemonReady(resources.daemonPort, 60000);
       }
@@ -1031,7 +1052,7 @@ export async function startLocalDaemon(
       );
     }
     if (watch) {
-      await startDaemonWatchFromSource(assistantIndex, resources);
+      await startDaemonWatchFromSource(assistantIndex, resources, options);
 
       const daemonReady = await waitForDaemonReady(resources.daemonPort, 60000);
       if (daemonReady) {
@@ -1042,7 +1063,7 @@ export async function startLocalDaemon(
         );
       }
     } else {
-      await startDaemonFromSource(assistantIndex, resources, { foreground });
+      await startDaemonFromSource(assistantIndex, resources, options);
 
       const daemonReady = await waitForDaemonReady(resources.daemonPort, 60000);
       if (daemonReady) {