@vellumai/cli 0.6.2 → 0.6.4

package/src/lib/platform-client.ts

@@ -6,36 +6,37 @@ import {
   existsSync,
   mkdirSync,
 } from "fs";
-import { homedir } from "os";
 import { join, dirname } from "path";
 
-function getXdgConfigHome(): string {
-  return process.env.XDG_CONFIG_HOME?.trim() || join(homedir(), ".config");
-}
+import { getLockfilePlatformBaseUrl } from "./assistant-config.js";
+import { getConfigDir } from "./environments/paths.js";
+import { getCurrentEnvironment } from "./environments/resolve.js";
 
 function getPlatformTokenPath(): string {
-  return join(getXdgConfigHome(), "vellum", "platform-token");
+  return join(getConfigDir(getCurrentEnvironment()), "platform-token");
 }
 
+/**
+ * Resolve the platform API base URL. Resolution order:
+ *   1. `platformBaseUrl` persisted on the lockfile by
+ *      {@link syncConfigToLockfile} when the active assistant was last
+ *      hatched/waked. This is the source of truth for "what URL does the
+ *      currently-active assistant target" — reading the workspace
+ *      `config.json` directly is incorrect for multi-instance and
+ *      non-production XDG layouts because the CLI process has no way to
+ *      know which instance to read from without first consulting the
+ *      lockfile anyway.
+ *   2. `VELLUM_PLATFORM_URL` env var (explicit override, e.g. in CI).
+ *   3. The current environment's seed URL (e.g. `https://dev-platform.vellum.ai`
+ *      for `VELLUM_ENVIRONMENT=dev`, `https://platform.vellum.ai` for prod).
+ *      This makes the CLI environment-aware when no lockfile entry exists yet.
+ */
 export function getPlatformUrl(): string {
-  let configUrl: string | undefined;
-  try {
-    const base = process.env.BASE_DATA_DIR?.trim() || homedir();
-    const configPath = join(base, ".vellum", "workspace", "config.json");
-    if (existsSync(configPath)) {
-      const raw = JSON.parse(readFileSync(configPath, "utf-8")) as Record<
-        string,
-        unknown
-      >;
-      const val = (raw.platform as Record<string, unknown> | undefined)
-        ?.baseUrl;
-      if (typeof val === "string" && val.trim()) configUrl = val.trim();
-    }
-  } catch {
-    // Config not available — fall through
-  }
+  const lockfileUrl = getLockfilePlatformBaseUrl();
   return (
-    configUrl || process.env.VELLUM_PLATFORM_URL || "https://platform.vellum.ai"
+    lockfileUrl ||
+    process.env.VELLUM_PLATFORM_URL?.trim() ||
+    getCurrentEnvironment().platformUrl
   );
 }
 
@@ -146,10 +147,173 @@ export interface HatchedAssistant {
   status: string;
 }
 
+export interface HatchAssistantResult {
+  assistant: HatchedAssistant;
+  /** true when the platform returned an existing assistant (HTTP 200) */
+  reusedExisting: boolean;
+}
+
+// ---------------------------------------------------------------------------
+// Self-hosted local assistant registration
+// ---------------------------------------------------------------------------
+
+export interface EnsureRegistrationResponse {
+  assistant: { id: string; name: string };
+  registration: {
+    client_installation_id: string;
+    runtime_assistant_id: string;
+    client_platform: string;
+  };
+  assistant_api_key: string | null;
+  webhook_secret: string;
+}
+
+/**
+ * Register (or re-confirm) a self-hosted local assistant with the platform.
+ *
+ * Calls `POST /v1/assistants/self-hosted-local/ensure-registration/`.
+ * The endpoint is idempotent: the first call provisions an API key;
+ * subsequent calls return `assistant_api_key: null`.
+ */
+export async function ensureSelfHostedLocalRegistration(
+  token: string,
+  organizationId: string,
+  clientInstallationId: string,
+  runtimeAssistantId: string,
+  clientPlatform: string,
+  assistantVersion?: string,
+  platformUrl?: string,
+): Promise<EnsureRegistrationResponse> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const body: Record<string, string> = {
+    client_installation_id: clientInstallationId,
+    runtime_assistant_id: runtimeAssistantId,
+    client_platform: clientPlatform,
+  };
+  if (assistantVersion) {
+    body.assistant_version = assistantVersion;
+  }
+
+  const response = await fetch(
+    `${resolvedUrl}/v1/assistants/self-hosted-local/ensure-registration/`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        "X-Session-Token": token,
+        "Vellum-Organization-Id": organizationId,
+      },
+      body: JSON.stringify(body),
+    },
+  );
+
+  if (response.status === 401 || response.status === 403) {
+    throw new Error("Authentication required for assistant registration.");
+  }
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => "");
+    throw new Error(
+      `Registration failed (${response.status}): ${detail || response.statusText}`,
+    );
+  }
+
+  return (await response.json()) as EnsureRegistrationResponse;
+}
+
+// ---------------------------------------------------------------------------
+// Credential injection into running assistant via gateway
+// ---------------------------------------------------------------------------
+
+/**
+ * Inject a single credential into the assistant's secret store via the
+ * gateway's `POST /v1/secrets` endpoint.
+ *
+ * Mirrors the desktop app's `GatewayHTTPClient.post(path: "secrets", …)`
+ * calls in `LocalAssistantBootstrapService.swift`.
+ */
+async function injectGatewayCredential(
+  gatewayUrl: string,
+  name: string,
+  value: string,
+  bearerToken?: string,
+): Promise<boolean> {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    Accept: "application/json",
+  };
+  if (bearerToken) {
+    headers["Authorization"] = `Bearer ${bearerToken}`;
+  }
+
+  const response = await fetch(`${gatewayUrl}/v1/secrets`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({ type: "credential", name, value }),
+    signal: AbortSignal.timeout(10_000),
+  });
+  return response.ok;
+}
+
+export interface CredentialInjectionParams {
+  gatewayUrl: string;
+  bearerToken?: string;
+  assistantApiKey?: string | null;
+  platformAssistantId: string;
+  platformBaseUrl: string;
+  organizationId: string;
+  userId?: string;
+  webhookSecret?: string | null;
+}
+
+/**
+ * Inject platform credentials into a running assistant via the gateway,
+ * mirroring `LocalAssistantBootstrapService.injectKeyIntoAssistant` et al.
+ *
+ * Each credential is posted individually. Failures are collected but do
+ * not prevent the remaining credentials from being injected.
+ *
+ * Returns true if all injections succeeded.
+ */
+export async function injectCredentialsIntoAssistant(
+  params: CredentialInjectionParams,
+): Promise<boolean> {
+  const inject = (name: string, value: string) =>
+    injectGatewayCredential(params.gatewayUrl, name, value, params.bearerToken);
+
+  const promises: Promise<boolean>[] = [];
+
+  if (params.assistantApiKey) {
+    promises.push(inject("vellum:assistant_api_key", params.assistantApiKey));
+  }
+
+  promises.push(
+    inject("vellum:platform_assistant_id", params.platformAssistantId),
+  );
+
+  promises.push(inject("vellum:platform_base_url", params.platformBaseUrl));
+
+  promises.push(
+    inject("vellum:platform_organization_id", params.organizationId),
+  );
+
+  if (params.userId) {
+    promises.push(inject("vellum:platform_user_id", params.userId));
+  }
+
+  if (params.webhookSecret) {
+    promises.push(inject("vellum:webhook_secret", params.webhookSecret));
+  }
+
+  const results = await Promise.all(promises);
+  return results.every(Boolean);
+}
+
 export async function hatchAssistant(
   token: string,
   platformUrl?: string,
-): Promise<HatchedAssistant> {
+): Promise<HatchAssistantResult> {
   const resolvedUrl = platformUrl || getPlatformUrl();
   const url = `${resolvedUrl}/v1/assistants/hatch/`;
 
@@ -160,7 +324,8 @@ export async function hatchAssistant(
   });
 
   if (response.ok) {
-    return (await response.json()) as HatchedAssistant;
+    const assistant = (await response.json()) as HatchedAssistant;
+    return { assistant, reusedExisting: response.status === 200 };
   }
 
   if (response.status === 401 || response.status === 403) {
@@ -186,6 +351,37 @@ export async function hatchAssistant(
   );
 }
 
+/**
+ * Lightweight pre-check: returns the first active managed assistant for the
+ * authenticated user, or `null` if none exists. Calls `GET /v1/assistants/`
+ * and looks for any assistant with status "active".
+ *
+ * Used by the teleport flow to block BEFORE the expensive GCS upload when
+ * the user already has a platform assistant.
+ */
+export async function checkExistingPlatformAssistant(
+  token: string,
+  platformUrl?: string,
+): Promise<HatchedAssistant | null> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const url = `${resolvedUrl}/v1/assistants/`;
+
+  const response = await fetch(url, {
+    headers: await authHeaders(token, platformUrl),
+  });
+
+  if (!response.ok) {
+    // Non-fatal: if the list call fails, fall through and let hatch handle it.
+    return null;
+  }
+
+  const body = (await response.json()) as {
+    results?: HatchedAssistant[];
+  };
+  const active = body.results?.find((a) => a.status === "active");
+  return active ?? null;
+}
+
 export interface PlatformUser {
   id: string;
   email: string;
@@ -529,7 +725,7 @@ export async function platformImportBundleFromGcs(
       method: "POST",
       headers: await authHeaders(token, platformUrl),
       body: JSON.stringify({ bundle_key: bundleKey }),
-      signal: AbortSignal.timeout(300_000),
+      signal: AbortSignal.timeout(60_000),
     },
   );
 
@@ -543,3 +739,43 @@ export async function platformImportBundleFromGcs(
   >;
   return { statusCode: response.status, body };
 }
+
+export async function platformPollImportStatus(
+  jobId: string,
+  token: string,
+  platformUrl?: string,
+): Promise<{
+  status: string;
+  result?: Record<string, unknown>;
+  error?: string;
+}> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${resolvedUrl}/v1/migrations/import/${jobId}/status/`,
+    {
+      headers: await authHeaders(token, platformUrl),
+    },
+  );
+
+  if (response.status === 404) {
+    throw new Error("Import job not found");
+  }
+
+  if (!response.ok) {
+    throw new Error(
+      `Import status check failed: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const body = (await response.json()) as {
+    status: string;
+    job_id?: string;
+    result?: Record<string, unknown>;
+    error?: string;
+  };
+  return {
+    status: body.status,
+    result: body.result,
+    error: body.error,
+  };
+}

package/src/lib/retire-apple-container.ts

@@ -0,0 +1,102 @@
+import { createConnection } from "net";
+import { existsSync } from "fs";
+
+import type { AssistantEntry } from "./assistant-config.js";
+
+/**
+ * Retire an Apple Container assistant by sending a retire command to the
+ * macOS app via the management socket. The app handles the full lifecycle:
+ * stop the pod, archive the instance directory, remove the guardian token,
+ * deregister from the platform, and remove the lockfile entry.
+ */
+export async function retireAppleContainer(
+  name: string,
+  entry: AssistantEntry,
+): Promise<void> {
+  console.log(`\u{1F5D1}\ufe0f  Retiring Apple Container assistant '${name}'...\n`);
+
+  const mgmtSocket = entry.mgmtSocket as string | undefined;
+  if (!mgmtSocket) {
+    console.error(
+      `No management socket found for '${name}'.\n` +
+        "The assistant may not be running. If the macOS app is closed, " +
+        "open it and try again.",
+    );
+    process.exit(1);
+  }
+
+  if (!existsSync(mgmtSocket)) {
+    console.error(
+      `Management socket not found at ${mgmtSocket}.\n` +
+        "The assistant may have been stopped. Open the macOS app and try again.",
+    );
+    process.exit(1);
+  }
+
+  const handshake = JSON.stringify({ action: "retire" }) + "\n";
+
+  return new Promise<void>((resolve, reject) => {
+    const socket = createConnection({ path: mgmtSocket }, () => {
+      socket.write(handshake);
+    });
+
+    const TIMEOUT_MS = 30_000;
+    const chunks: Buffer[] = [];
+    let totalLen = 0;
+
+    socket.setTimeout(TIMEOUT_MS);
+    socket.on("timeout", () => {
+      console.error("Timed out waiting for retire response from the macOS app.");
+      socket.destroy();
+      process.exit(1);
+    });
+
+    socket.on("data", (data: Buffer) => {
+      chunks.push(data);
+      totalLen += data.length;
+      const accumulated = Buffer.concat(chunks, totalLen);
+      const nlIndex = accumulated.indexOf(0x0a);
+      if (nlIndex === -1) return;
+
+      const responseLine = accumulated.slice(0, nlIndex).toString("utf-8");
+      socket.destroy();
+
+      let response: { status: string; message?: string };
+      try {
+        response = JSON.parse(responseLine) as {
+          status: string;
+          message?: string;
+        };
+      } catch {
+        reject(new Error("Invalid response from management socket."));
+        return;
+      }
+
+      if (response.status === "ok") {
+        console.log(`\u2705 Apple Container assistant '${name}' retired.`);
+        resolve();
+      } else {
+        reject(
+          new Error(
+            `Retire failed: ${response.message || "unknown error"}`,
+          ),
+        );
+      }
+    });
+
+    socket.on("error", (err) => {
+      reject(new Error(`Management socket error: ${err.message}`));
+    });
+
+    socket.on("end", () => {
+      if (chunks.length === 0) {
+        reject(
+          new Error(
+            "Management socket closed without responding. " +
+              "The macOS app may have crashed during retire.",
+          ),
+        );
+      }
+    });
+  });
+}

package/src/lib/upgrade-lifecycle.ts

@@ -125,6 +125,72 @@ export async function captureContainerEnv(
   return captured;
 }
 
+/**
+ * Best-effort fetch of the running service group version from the gateway
+ * `/healthz` endpoint.  Returns `undefined` when the endpoint is
+ * unreachable or does not include a version field.
+ */
+export async function fetchCurrentVersion(
+  runtimeUrl: string,
+): Promise<string | undefined> {
+  try {
+    const resp = await fetch(`${runtimeUrl}/healthz`, {
+      signal: AbortSignal.timeout(5000),
+    });
+    if (resp.ok) {
+      const body = (await resp.json()) as { version?: string };
+      return body.version;
+    }
+  } catch {
+    // Best-effort
+  }
+  return undefined;
+}
+
+/**
+ * Determine the version that was running before the current one.
+ *
+ * Checks (in order):
+ *  1. `entry.previousVersion` (saved by the upgrade flow from health).
+ *  2. The releases list from the platform API — finds the version
+ *     immediately before `currentVersion`.
+ *
+ * Returns `undefined` when neither source yields a result.
+ */
+export async function fetchPreviousVersion(
+  currentVersion: string | undefined,
+  previousVersionFromLockfile: string | undefined,
+): Promise<string | undefined> {
+  // 1. Lockfile-cached value (written during upgrade from health endpoint)
+  if (previousVersionFromLockfile) return previousVersionFromLockfile;
+
+  // 2. Derive from releases list
+  if (!currentVersion) return undefined;
+  try {
+    const { getPlatformUrl } = await import("./platform-client.js");
+    const platformUrl = getPlatformUrl();
+    const resp = await fetch(`${platformUrl}/v1/releases/?stable=true`, {
+      signal: AbortSignal.timeout(10_000),
+    });
+    if (!resp.ok) return undefined;
+
+    const releases = (await resp.json()) as Array<{ version?: string }>;
+    const normalizedCurrent = currentVersion.replace(/^v/, "");
+
+    // Releases are ordered newest-first; find the entry right after the
+    // current version (i.e. the one that was running before the upgrade).
+    const idx = releases.findIndex(
+      (r) => (r.version ?? "").replace(/^v/, "") === normalizedCurrent,
+    );
+    if (idx >= 0 && idx + 1 < releases.length) {
+      return releases[idx + 1].version;
+    }
+  } catch {
+    // Best-effort
+  }
+  return undefined;
+}
+
 /**
  * Poll the gateway `/readyz` endpoint until it returns 200 or the timeout
  * elapses. Returns whether the assistant became ready.
@@ -314,27 +380,8 @@ export async function performDockerRollback(
     throw new Error("targetVersion is required for performDockerRollback");
   }
 
-  const currentVersion = entry.serviceGroupVersion;
-
-  // Validate target version < current version
-  if (currentVersion) {
-    const cmp = compareVersions(targetVersion, currentVersion);
-    if (cmp !== null) {
-      if (cmp > 0) {
-        const msg =
-          "Cannot roll back to a newer version. Use `vellum upgrade` instead.";
-        console.error(msg);
-        emitCliError("VERSION_DIRECTION", msg);
-        process.exit(1);
-      }
-      if (cmp === 0) {
-        const msg = `Already on version ${targetVersion}. Nothing to roll back to.`;
-        console.error(msg);
-        emitCliError("VERSION_DIRECTION", msg);
-        process.exit(1);
-      }
-    }
-  }
+  // Fetch the current running version from the health endpoint.
+  let currentVersion: string | undefined;
 
   const instanceName = entry.assistantId;
   const res = dockerResourceNames(instanceName);
@@ -383,7 +430,7 @@ export async function performDockerRollback(
   console.log("📸 Capturing current image references for rollback...");
   const currentImageRefs = await captureImageRefs(res);
 
-  // Capture current migration state for rollback targeting
+  // Capture current migration state and running version for rollback targeting
   let preMigrationState: {
     dbVersion?: number;
     lastWorkspaceMigrationId?: string;
@@ -395,25 +442,54 @@ export async function performDockerRollback(
     );
     if (healthResp.ok) {
       const health = (await healthResp.json()) as {
+        version?: string;
         migrations?: { dbVersion?: number; lastWorkspaceMigrationId?: string };
       };
       preMigrationState = health.migrations ?? {};
+      currentVersion = health.version;
     }
   } catch {
     // Best-effort
   }
 
+  // Validate target version < current version
+  if (!currentVersion) {
+    console.warn(
+      "⚠️  Could not determine current version from health endpoint — skipping version-direction check.\n",
+    );
+  }
+  if (currentVersion) {
+    const cmp = compareVersions(targetVersion, currentVersion);
+    if (cmp !== null) {
+      if (cmp > 0) {
+        const msg =
+          "Cannot roll back to a newer version. Use `vellum upgrade` instead.";
+        console.error(msg);
+        emitCliError("VERSION_DIRECTION", msg);
+        process.exit(1);
+      }
+      if (cmp === 0) {
+        const msg = `Already on version ${targetVersion}. Nothing to roll back to.`;
+        console.error(msg);
+        emitCliError("VERSION_DIRECTION", msg);
+        process.exit(1);
+      }
+    }
+  }
+
   // Persist rollback state to lockfile BEFORE any destructive changes
-  if (entry.serviceGroupVersion && entry.containerInfo) {
+  if (entry.containerInfo) {
     const rollbackEntry: AssistantEntry = {
       ...entry,
-      previousServiceGroupVersion: entry.serviceGroupVersion,
       previousContainerInfo: { ...entry.containerInfo },
+      previousVersion: currentVersion,
       previousDbMigrationVersion: preMigrationState.dbVersion,
       previousWorkspaceMigrationId: preMigrationState.lastWorkspaceMigrationId,
     };
     saveAssistantEntry(rollbackEntry);
-    console.log(`   Saved rollback state: ${entry.serviceGroupVersion}\n`);
+    if (currentVersion) {
+      console.log(`   Saved rollback state: ${currentVersion}\n`);
+    }
   }
 
   // Record rollback start in workspace git history
@@ -613,7 +689,6 @@ export async function performDockerRollback(
     // Swap current/previous state to enable "rollback the rollback"
     const updatedEntry: AssistantEntry = {
       ...entry,
-      serviceGroupVersion: targetVersion,
       containerInfo: {
         assistantImage: targetImageTags.assistant,
         gatewayImage: targetImageTags.gateway,
@@ -623,7 +698,6 @@ export async function performDockerRollback(
         cesDigest: newDigests?.["credential-executor"],
         networkName: res.network,
       },
-      previousServiceGroupVersion: entry.serviceGroupVersion,
       previousContainerInfo: entry.containerInfo,
       previousDbMigrationVersion: preMigrationState.dbVersion,
       previousWorkspaceMigrationId: preMigrationState.lastWorkspaceMigrationId,
@@ -749,7 +823,6 @@ export async function performDockerRollback(
                 currentImageRefs["credential-executor"],
               networkName: res.network,
             },
-            previousServiceGroupVersion: undefined,
             previousContainerInfo: undefined,
             previousDbMigrationVersion: undefined,
             previousWorkspaceMigrationId: undefined,