@vellumai/cli 0.5.7 → 0.5.9

package/src/lib/docker.ts

@@ -15,7 +15,7 @@ import type { AssistantEntry } from "./assistant-config";
 import { writeInitialConfig } from "./config-utils";
 import { DEFAULT_GATEWAY_PORT, PROVIDER_ENV_VAR_NAMES } from "./constants";
 import type { Species } from "./constants";
-import { leaseGuardianToken, saveBootstrapSecret } from "./guardian-token";
+import { leaseGuardianToken } from "./guardian-token";
 import { isVellumProcess, stopProcess } from "./process";
 import { generateInstanceName } from "./random-name";
 import { resolveImageRefs } from "./platform-releases.js";
@@ -271,11 +271,30 @@ async function ensureDockerInstalled(): Promise<void> {
     console.log("🚀 Docker daemon not running. Starting Colima...");
     try {
       await exec("colima", ["start"]);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      throw new Error(
-        `Failed to start Colima. Please run 'colima start' manually.\n${message}`,
+    } catch {
+      // Colima may fail if a previous VM instance is in a corrupt state.
+      // Attempt to delete the stale instance and retry once.
+      console.log(
+        "⚠️  Colima start failed — attempting to reset stale VM state...",
       );
+      try {
+        await exec("colima", ["stop", "--force"]).catch(() => {});
+        await exec("colima", ["delete", "--force"]);
+      } catch {
+        // If delete also fails, fall through to the retry which will
+        // produce a clear error message.
+      }
+
+      try {
+        console.log("🔄 Retrying colima start...");
+        await exec("colima", ["start"]);
+      } catch (retryErr) {
+        const message =
+          retryErr instanceof Error ? retryErr.message : String(retryErr);
+        throw new Error(
+          `Failed to start Colima after resetting stale VM state. Please run 'colima start' manually.\n${message}`,
+        );
+      }
     }
   }
 }
@@ -505,7 +524,7 @@ export function serviceDockerRunArgs(opts: {
         "-e",
         "RUNTIME_HTTP_HOST=0.0.0.0",
         "-e",
-        "WORKSPACE_DIR=/workspace",
+        "VELLUM_WORKSPACE_DIR=/workspace",
         "-e",
         `CES_CREDENTIAL_URL=http://${res.cesContainer}:8090`,
         "-e",
@@ -556,7 +575,7 @@ export function serviceDockerRunArgs(opts: {
       "-v",
       `${res.gatewaySecurityVolume}:/gateway-security`,
       "-e",
-      "WORKSPACE_DIR=/workspace",
+      "VELLUM_WORKSPACE_DIR=/workspace",
       "-e",
       "GATEWAY_SECURITY_DIR=/gateway-security",
       "-e",
@@ -596,7 +615,7 @@ export function serviceDockerRunArgs(opts: {
       "-e",
       "CES_MODE=managed",
       "-e",
-      "WORKSPACE_DIR=/workspace",
+      "VELLUM_WORKSPACE_DIR=/workspace",
       "-e",
       "CES_BOOTSTRAP_SOCKET_DIR=/run/ces-bootstrap",
       "-e",
@@ -789,7 +808,6 @@ export async function stopContainers(
   await removeContainer(res.assistantContainer);
 }
 
-
 /** Stop containers without removing them (preserves state for `docker start`). */
 export async function sleepContainers(
   res: ReturnType<typeof dockerResourceNames>,
@@ -1128,8 +1146,18 @@ export async function hatchDocker(
 
     const cesServiceToken = randomBytes(32).toString("hex");
     const signingKey = randomBytes(32).toString("hex");
-    const bootstrapSecret = randomBytes(32).toString("hex");
-    saveBootstrapSecret(instanceName, bootstrapSecret);
+
+    // When launched by a remote hatch startup script, the env var
+    // GUARDIAN_BOOTSTRAP_SECRET is already set with the laptop's secret.
+    // Generate a new secret for the local docker hatch caller and append
+    // it so the gateway receives a comma-separated list of all expected
+    // bootstrap secrets.
+    const ownSecret = randomBytes(32).toString("hex");
+    const preExisting = process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    const bootstrapSecret = preExisting
+      ? `${preExisting},${ownSecret}`
+      : ownSecret;
+
     await startContainers(
       {
         signingKey,
@@ -1169,6 +1197,7 @@ export async function hatchDocker(
     setActiveAssistant(instanceName);
 
     const { ready } = await waitForGatewayAndLease({
+      bootstrapSecret: ownSecret,
       containerName: res.assistantContainer,
       detached: watch ? false : detached,
       instanceName,
@@ -1226,13 +1255,21 @@ export async function hatchDocker(
  * lease a guardian token.
  */
 async function waitForGatewayAndLease(opts: {
+  bootstrapSecret: string;
   containerName: string;
   detached: boolean;
   instanceName: string;
   logFd: number | "ignore";
   runtimeUrl: string;
 }): Promise<{ ready: boolean }> {
-  const { containerName, detached, instanceName, logFd, runtimeUrl } = opts;
+  const {
+    bootstrapSecret,
+    containerName,
+    detached,
+    instanceName,
+    logFd,
+    runtimeUrl,
+  } = opts;
 
   const log = (msg: string): void => {
     console.log(msg);
@@ -1306,7 +1343,11 @@ async function waitForGatewayAndLease(opts: {
 
   while (Date.now() < leaseDeadline) {
     try {
-      const tokenData = await leaseGuardianToken(runtimeUrl, instanceName);
+      const tokenData = await leaseGuardianToken(
+        runtimeUrl,
+        instanceName,
+        bootstrapSecret,
+      );
       const leaseElapsed = ((Date.now() - leaseStart) / 1000).toFixed(1);
       log(
         `Guardian token lease: success after ${leaseElapsed}s (principalId=${tokenData.guardianPrincipalId}, expiresAt=${tokenData.accessTokenExpiresAt})`,

package/src/lib/gcp.ts

@@ -457,7 +457,7 @@ export async function hatchGcp(
     instanceName: string,
     cloud: "gcp",
     configValues?: Record<string, string>,
-  ) => Promise<string>,
+  ) => Promise<{ script: string; laptopBootstrapSecret: string }>,
   watchHatching: (
     pollFn: () => Promise<PollResult>,
     instanceName: string,
@@ -522,14 +522,15 @@ export async function hatchGcp(
       );
       process.exit(1);
     }
-    const startupScript = await buildStartupScript(
-      species,
-      sshUser,
-      providerApiKeys,
-      instanceName,
-      "gcp",
-      configValues,
-    );
+    const { script: startupScript, laptopBootstrapSecret } =
+      await buildStartupScript(
+        species,
+        sshUser,
+        providerApiKeys,
+        instanceName,
+        "gcp",
+        configValues,
+      );
     const startupScriptPath = join(tmpdir(), `${instanceName}-startup.sh`);
     writeFileSync(startupScriptPath, startupScript);
 
@@ -662,7 +663,11 @@ export async function hatchGcp(
       }
 
       try {
-        await leaseGuardianToken(runtimeUrl, instanceName);
+        await leaseGuardianToken(
+          runtimeUrl,
+          instanceName,
+          laptopBootstrapSecret,
+        );
       } catch (err) {
         console.warn(
           `\u26a0\ufe0f  Could not lease guardian token: ${err instanceof Error ? err.message : err}`,

package/src/lib/guardian-token.ts

@@ -42,46 +42,6 @@ function getPersistedDeviceIdPath(): string {
   return join(getXdgConfigHome(), "vellum", "device-id");
 }
 
-function getBootstrapSecretPath(assistantId: string): string {
-  return join(
-    getXdgConfigHome(),
-    "vellum",
-    "assistants",
-    assistantId,
-    "bootstrap-secret",
-  );
-}
-
-/**
- * Load a previously saved bootstrap secret for the given assistant.
- * Returns null if the file does not exist or is unreadable.
- */
-export function loadBootstrapSecret(assistantId: string): string | null {
-  try {
-    const raw = readFileSync(getBootstrapSecretPath(assistantId), "utf-8").trim();
-    return raw.length > 0 ? raw : null;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Persist a bootstrap secret for the given assistant so that the desktop
- * client and upgrade/rollback paths can retrieve it later.
- */
-export function saveBootstrapSecret(
-  assistantId: string,
-  secret: string,
-): void {
-  const path = getBootstrapSecretPath(assistantId);
-  const dir = dirname(path);
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true, mode: 0o700 });
-  }
-  writeFileSync(path, secret + "\n", { mode: 0o600 });
-  chmodSync(path, 0o600);
-}
-
 function hashWithSalt(input: string): string {
   return createHash("sha256")
     .update(input + DEVICE_ID_SALT)
@@ -206,10 +166,12 @@ export function saveGuardianToken(
 export async function leaseGuardianToken(
   gatewayUrl: string,
   assistantId: string,
+  bootstrapSecret?: string,
 ): Promise<GuardianTokenData> {
   const deviceId = computeDeviceId();
-  const headers: Record<string, string> = { "Content-Type": "application/json" };
-  const bootstrapSecret = loadBootstrapSecret(assistantId);
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+  };
   if (bootstrapSecret) {
     headers["x-bootstrap-secret"] = bootstrapSecret;
   }

package/src/lib/local.ts

@@ -948,6 +948,7 @@ export async function startLocalDaemon(
         "USER",
         "LANG",
         "VELLUM_DEBUG",
+        "VELLUM_DEV",
         "VELLUM_DESKTOP_APP",
       ]) {
         if (process.env[key]) {

package/src/lib/platform-client.ts

@@ -9,8 +9,6 @@ import {
 import { homedir } from "os";
 import { join, dirname } from "path";
 
-const DEFAULT_PLATFORM_URL = "";
-
 function getXdgConfigHome(): string {
   return process.env.XDG_CONFIG_HOME?.trim() || join(homedir(), ".config");
 }
@@ -20,21 +18,25 @@ function getPlatformTokenPath(): string {
 }
 
 export function getPlatformUrl(): string {
-  return process.env.VELLUM_PLATFORM_URL ?? DEFAULT_PLATFORM_URL;
-}
-
-/**
- * Returns the platform URL, throwing a clear error if it is not configured.
- * Use this in functions that need a valid URL to make HTTP requests.
- */
-function requirePlatformUrl(): string {
-  const url = getPlatformUrl();
-  if (!url) {
-    throw new Error(
-      "VELLUM_PLATFORM_URL is not configured. Set it in your environment or .env file.",
-    );
+  let configUrl: string | undefined;
+  try {
+    const base = process.env.BASE_DATA_DIR?.trim() || homedir();
+    const configPath = join(base, ".vellum", "workspace", "config.json");
+    if (existsSync(configPath)) {
+      const raw = JSON.parse(readFileSync(configPath, "utf-8")) as Record<
+        string,
+        unknown
+      >;
+      const val = (raw.platform as Record<string, unknown> | undefined)
+        ?.baseUrl;
+      if (typeof val === "string" && val.trim()) configUrl = val.trim();
+    }
+  } catch {
+    // Config not available — fall through
   }
-  return url;
+  return (
+    configUrl || process.env.VELLUM_PLATFORM_URL || "https://platform.vellum.ai"
+  );
 }
 
 export function readPlatformToken(): string | null {
@@ -74,7 +76,7 @@ interface OrganizationListResponse {
 }
 
 export async function fetchOrganizationId(token: string): Promise<string> {
-  const platformUrl = requirePlatformUrl();
+  const platformUrl = getPlatformUrl();
   const url = `${platformUrl}/v1/organizations/`;
   const response = await fetch(url, {
     headers: { "X-Session-Token": token },
@@ -106,7 +108,7 @@ interface AllauthSessionResponse {
 }
 
 export async function fetchCurrentUser(token: string): Promise<PlatformUser> {
-  const url = `${requirePlatformUrl()}/_allauth/app/v1/auth/session`;
+  const url = `${getPlatformUrl()}/_allauth/app/v1/auth/session`;
   const response = await fetch(url, {
     headers: { "X-Session-Token": token },
   });
@@ -127,3 +129,189 @@ export async function fetchCurrentUser(token: string): Promise<PlatformUser> {
   const body = (await response.json()) as AllauthSessionResponse;
   return body.data.user;
 }
+
+// ---------------------------------------------------------------------------
+// Rollback
+// ---------------------------------------------------------------------------
+
+export async function rollbackPlatformAssistant(
+  token: string,
+  orgId: string,
+  version?: string,
+): Promise<{ detail: string; version: string | null }> {
+  const platformUrl = getPlatformUrl();
+  const response = await fetch(`${platformUrl}/v1/assistants/rollback/`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-Session-Token": token,
+      "Vellum-Organization-Id": orgId,
+    },
+    body: JSON.stringify(version ? { version } : {}),
+  });
+
+  const body = (await response.json().catch(() => ({}))) as {
+    detail?: string;
+    version?: string | null;
+  };
+
+  if (response.status === 200) {
+    return { detail: body.detail ?? "", version: body.version ?? null };
+  }
+
+  if (response.status === 400) {
+    throw new Error(body.detail ?? "Rollback failed: bad request");
+  }
+
+  if (response.status === 404) {
+    throw new Error(body.detail ?? "Rollback target not found");
+  }
+
+  if (response.status === 502) {
+    throw new Error(body.detail ?? "Rollback failed: transport error");
+  }
+
+  throw new Error(`Rollback failed: ${response.status} ${response.statusText}`);
+}
+
+// ---------------------------------------------------------------------------
+// Migration export
+// ---------------------------------------------------------------------------
+
+export async function platformInitiateExport(
+  token: string,
+  orgId: string,
+  description?: string,
+): Promise<{ jobId: string; status: string }> {
+  const platformUrl = getPlatformUrl();
+  const response = await fetch(`${platformUrl}/v1/migrations/export/`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-Session-Token": token,
+      "Vellum-Organization-Id": orgId,
+    },
+    body: JSON.stringify({ description: description ?? "CLI backup" }),
+  });
+
+  if (response.status !== 201) {
+    const body = (await response.json().catch(() => ({}))) as {
+      detail?: string;
+    };
+    throw new Error(
+      body.detail ??
+        `Export initiation failed: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const body = (await response.json()) as {
+    job_id: string;
+    status: string;
+  };
+  return { jobId: body.job_id, status: body.status };
+}
+
+export async function platformPollExportStatus(
+  jobId: string,
+  token: string,
+  orgId: string,
+): Promise<{ status: string; downloadUrl?: string; error?: string }> {
+  const platformUrl = getPlatformUrl();
+  const response = await fetch(
+    `${platformUrl}/v1/migrations/export/${jobId}/status/`,
+    {
+      headers: {
+        "X-Session-Token": token,
+        "Vellum-Organization-Id": orgId,
+      },
+    },
+  );
+
+  if (response.status === 404) {
+    throw new Error("Export job not found");
+  }
+
+  if (!response.ok) {
+    throw new Error(
+      `Export status check failed: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const body = (await response.json()) as {
+    status: string;
+    download_url?: string;
+    error?: string;
+  };
+  return {
+    status: body.status,
+    downloadUrl: body.download_url,
+    error: body.error,
+  };
+}
+
+export async function platformDownloadExport(
+  downloadUrl: string,
+): Promise<Response> {
+  const response = await fetch(downloadUrl);
+  if (!response.ok) {
+    throw new Error(
+      `Download failed: ${response.status} ${response.statusText}`,
+    );
+  }
+  return response;
+}
+
+// ---------------------------------------------------------------------------
+// Migration import
+// ---------------------------------------------------------------------------
+
+export async function platformImportPreflight(
+  bundleData: Uint8Array<ArrayBuffer>,
+  token: string,
+  orgId: string,
+): Promise<{ statusCode: number; body: Record<string, unknown> }> {
+  const platformUrl = getPlatformUrl();
+  const response = await fetch(
+    `${platformUrl}/v1/migrations/import-preflight/`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/octet-stream",
+        "X-Session-Token": token,
+        "Vellum-Organization-Id": orgId,
+      },
+      body: new Blob([bundleData]),
+      signal: AbortSignal.timeout(120_000),
+    },
+  );
+
+  const body = (await response.json().catch(() => ({}))) as Record<
+    string,
+    unknown
+  >;
+  return { statusCode: response.status, body };
+}
+
+export async function platformImportBundle(
+  bundleData: Uint8Array<ArrayBuffer>,
+  token: string,
+  orgId: string,
+): Promise<{ statusCode: number; body: Record<string, unknown> }> {
+  const platformUrl = getPlatformUrl();
+  const response = await fetch(`${platformUrl}/v1/migrations/import/`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/octet-stream",
+      "X-Session-Token": token,
+      "Vellum-Organization-Id": orgId,
+    },
+    body: new Blob([bundleData]),
+    signal: AbortSignal.timeout(120_000),
+  });
+
+  const body = (await response.json().catch(() => ({}))) as Record<
+    string,
+    unknown
+  >;
+  return { statusCode: response.status, body };
+}