@vellumai/cli 0.6.2 → 0.6.4

package/src/commands/backup.ts

@@ -64,6 +64,14 @@ export async function backup(): Promise<void> {
   // Detect topology and route platform assistants through Django export
   const cloud =
     entry.cloud || (entry.project ? "gcp" : entry.sshUser ? "custom" : "local");
+
+  if (cloud === "apple-container") {
+    console.error(
+      `Error: '${name}' uses the Apple Containers runtime. Backup is not yet supported for this topology.`,
+    );
+    process.exit(1);
+  }
+
   if (cloud === "vellum") {
     await backupPlatform(name, outputArg, entry.runtimeUrl);
     return;

package/src/commands/hatch.ts

@@ -176,7 +176,6 @@ interface HatchArgs {
   keepAlive: boolean;
   name: string | null;
   remote: RemoteHost;
-  restart: boolean;
   watch: boolean;
   configValues: Record<string, string>;
 }
@@ -188,7 +187,6 @@ function parseArgs(): HatchArgs {
   let keepAlive = false;
   let name: string | null = null;
   let remote: RemoteHost = DEFAULT_REMOTE;
-  let restart = false;
   let watch = false;
   const configValues: Record<string, string> = {};
 
@@ -209,9 +207,6 @@ function parseArgs(): HatchArgs {
       console.log(
         "  --remote <host>           Remote host (local, gcp, aws, docker, custom, vellum)",
       );
-      console.log(
-        "  --restart                 Restart processes without onboarding side effects",
-      );
       console.log(
         "  --watch                   Run assistant and gateway in watch mode (hot reload on source changes)",
       );
@@ -224,8 +219,6 @@ function parseArgs(): HatchArgs {
       process.exit(0);
     } else if (arg === "-d") {
       detached = true;
-    } else if (arg === "--restart") {
-      restart = true;
     } else if (arg === "--watch") {
       watch = true;
     } else if (arg === "--keep-alive") {
@@ -277,7 +270,7 @@ function parseArgs(): HatchArgs {
       species = arg as Species;
     } else {
       console.error(
-        `Error: Unknown argument '${arg}'. Valid options: ${VALID_SPECIES.join(", ")}, -d, --restart, --watch, --keep-alive, --name <name>, --remote <${VALID_REMOTE_HOSTS.join("|")}>, --config <key=value>`,
+        `Error: Unknown argument '${arg}'. Valid options: ${VALID_SPECIES.join(", ")}, -d, --watch, --keep-alive, --name <name>, --remote <${VALID_REMOTE_HOSTS.join("|")}>, --config <key=value>`,
       );
       process.exit(1);
     }
@@ -289,7 +282,6 @@ function parseArgs(): HatchArgs {
     keepAlive,
     name,
     remote,
-    restart,
     watch,
     configValues,
   };
@@ -516,23 +508,8 @@ export async function hatch(): Promise<void> {
   const cliVersion = getCliVersion();
   console.log(`@vellumai/cli v${cliVersion}`);
 
-  const {
-    species,
-    detached,
-    keepAlive,
-    name,
-    remote,
-    restart,
-    watch,
-    configValues,
-  } = parseArgs();
-
-  if (restart && remote !== "local") {
-    console.error(
-      "Error: --restart is only supported for local hatch targets.",
-    );
-    process.exit(1);
-  }
+  const { species, detached, keepAlive, name, remote, watch, configValues } =
+    parseArgs();
 
   if (watch && remote !== "local" && remote !== "docker") {
     console.error(
@@ -542,7 +519,7 @@ export async function hatch(): Promise<void> {
   }
 
   if (remote === "local") {
-    await hatchLocal(species, name, restart, watch, keepAlive, configValues);
+    await hatchLocal(species, name, watch, keepAlive, configValues);
     return;
   }
 
@@ -593,7 +570,7 @@ async function hatchVellumPlatform(): Promise<void> {
   console.log("   Hatching assistant on Vellum platform...");
   console.log("");
 
-  const result = await hatchAssistant(token);
+  const { assistant: result } = await hatchAssistant(token);
 
   const platformUrl = getPlatformUrl();
 

package/src/commands/login.ts

@@ -1,20 +1,141 @@
+import { createServer } from "http";
+import { spawn } from "child_process";
+import { randomBytes } from "crypto";
+
+import {
+  findAssistantByName,
+  getActiveAssistant,
+  loadLatestAssistant,
+} from "../lib/assistant-config";
+import { computeDeviceId } from "../lib/guardian-token";
 import {
   clearPlatformToken,
+  ensureSelfHostedLocalRegistration,
   fetchCurrentUser,
+  fetchOrganizationId,
+  getPlatformUrl,
+  injectCredentialsIntoAssistant,
   readPlatformToken,
   savePlatformToken,
 } from "../lib/platform-client";
 
+const LOGIN_TIMEOUT_MS = 120_000; // 2 minutes
+
+/**
+ * Open a URL in the user's default browser.
+ */
+function openBrowser(url: string): void {
+  const platform = process.platform;
+  const cmd =
+    platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+  const args =
+    platform === "win32"
+      ? ["/c", "start", '""', url.replace(/&/g, "^&")]
+      : [url];
+  const child = spawn(cmd, args, { stdio: "ignore", detached: true });
+  child.on("error", () => {
+    // Silently ignore — the user can still copy the URL from the console
+  });
+  child.unref();
+}
+
+/**
+ * Start a local HTTP server, open the browser to the platform login page,
+ * and wait for the platform to redirect back with the session token.
+ */
+function browserLogin(platformUrl: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const state = randomBytes(32).toString("hex");
+
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost`);
+
+      if (url.pathname !== "/callback") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not found");
+        return;
+      }
+
+      const receivedState = url.searchParams.get("state");
+      const sessionToken = url.searchParams.get("session_token");
+
+      if (receivedState !== state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(
+          "<html><body><h2>Login failed</h2><p>State mismatch. Please try again.</p></body></html>",
+        );
+        cleanup("State mismatch — possible CSRF attack.");
+        return;
+      }
+
+      if (!sessionToken) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(
+          "<html><body><h2>Login failed</h2><p>No session token received. Please try again.</p></body></html>",
+        );
+        cleanup("No session token received from platform.");
+        return;
+      }
+
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(
+        "<html><body><h2>Login successful!</h2><p>You can close this window and return to your terminal.</p></body></html>",
+      );
+      cleanup(null, sessionToken);
+    });
+
+    const timeout = setTimeout(() => {
+      cleanup("Login timed out. Please try again.");
+    }, LOGIN_TIMEOUT_MS);
+
+    function cleanup(error: string | null, token?: string): void {
+      clearTimeout(timeout);
+      server.close();
+      if (error) {
+        reject(new Error(error));
+      } else if (token) {
+        resolve(token);
+      } else {
+        reject(new Error("Unknown error during login."));
+      }
+    }
+
+    server.on("error", (err) => cleanup(err.message));
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        cleanup("Failed to start local server.");
+        return;
+      }
+
+      const port = addr.port;
+      const returnTo = `/accounts/cli/callback?port=${port}&state=${state}`;
+      const loginUrl = `${platformUrl}/account/login?returnTo=${encodeURIComponent(returnTo)}`;
+
+      console.log("Opening browser for login...");
+      console.log(`If the browser doesn't open, visit: ${loginUrl}`);
+      openBrowser(loginUrl);
+    });
+  });
+}
+
 export async function login(): Promise<void> {
   const args = process.argv.slice(3);
 
   if (args.includes("--help") || args.includes("-h")) {
-    console.log("Usage: vellum login --token <session-token>");
+    console.log("Usage: vellum login [--token <session-token>]");
     console.log("");
     console.log("Log in to the Vellum platform.");
     console.log("");
+    console.log("By default, opens a browser window for authentication.");
+    console.log("Alternatively, pass a session token directly with --token.");
+    console.log("");
     console.log("Options:");
     console.log("  --token <token>    Session token from the Vellum platform");
+    console.log("");
+    console.log("Examples:");
+    console.log("  vellum login");
+    console.log("  vellum login --token <session-token>");
     process.exit(0);
   }
 
@@ -31,14 +152,15 @@ export async function login(): Promise<void> {
     }
   }
 
+  // If no --token flag, use browser-based login
   if (!token) {
-    console.error("Usage: vellum login --token <session-token>");
-    console.error("");
-    console.error("To get your session token:");
-    console.error("  1. Log in to the Vellum platform in your browser");
-    console.error("  2. Open Developer Tools → Application → Cookies");
-    console.error("  3. Copy the value of the session token");
-    process.exit(1);
+    const platformUrl = getPlatformUrl();
+    try {
+      token = await browserLogin(platformUrl);
+    } catch (error) {
+      console.error(`❌ ${error instanceof Error ? error.message : error}`);
+      process.exit(1);
+    }
   }
 
   console.log("Validating token...");
@@ -47,6 +169,53 @@ export async function login(): Promise<void> {
     const user = await fetchCurrentUser(token);
     savePlatformToken(token);
     console.log(`✅ Logged in as ${user.email}`);
+
+    // Register the local assistant with the platform (non-fatal).
+    // Mirrors the desktop app's LocalAssistantBootstrapService flow.
+    try {
+      const activeName = getActiveAssistant();
+      const entry = activeName
+        ? findAssistantByName(activeName)
+        : loadLatestAssistant();
+
+      // Skip managed ("vellum") assistants — they are handled by the platform.
+      if (entry && entry.cloud !== "vellum") {
+        const orgId = await fetchOrganizationId(token);
+        const clientInstallationId = computeDeviceId();
+        const registration = await ensureSelfHostedLocalRegistration(
+          token,
+          orgId,
+          clientInstallationId,
+          entry.assistantId,
+          "cli",
+        );
+        console.log(
+          `Registered assistant: ${registration.assistant.name} (${registration.assistant.id})`,
+        );
+
+        // Inject credentials into the running assistant via the gateway,
+        // mirroring the desktop app's LocalAssistantBootstrapService flow.
+        const allInjected = await injectCredentialsIntoAssistant({
+          gatewayUrl: entry.runtimeUrl,
+          bearerToken: entry.bearerToken,
+          assistantApiKey: registration.assistant_api_key,
+          platformAssistantId: registration.assistant.id,
+          platformBaseUrl: getPlatformUrl(),
+          organizationId: orgId,
+          userId: user.id,
+          webhookSecret: registration.webhook_secret,
+        });
+        if (allInjected) {
+          console.log("Injected platform credentials into assistant.");
+        } else {
+          console.warn(
+            "Some credentials could not be injected into the assistant.",
+          );
+        }
+      }
+    } catch {
+      // Non-fatal — login succeeded even if registration fails
+    }
   } catch (error) {
     console.error(
       `❌ Login failed: ${error instanceof Error ? error.message : error}`,
@@ -81,7 +250,7 @@ export async function whoami(): Promise<void> {
 
   const token = readPlatformToken();
   if (!token) {
-    console.error("Not logged in. Run `vellum login --token <token>` first.");
+    console.error("Not logged in. Run `vellum login` first.");
     process.exit(1);
   }