@vellumai/cli 0.6.2 → 0.6.4

package/src/commands/ssh-apple-container.ts

@@ -0,0 +1,162 @@
+import { createConnection } from "net";
+import { existsSync } from "fs";
+
+import type { AssistantEntry } from "../lib/assistant-config";
+
+/**
+ * Connect to an Apple Container assistant via its management socket.
+ * Sends a JSON handshake then relays stdin/stdout in raw mode.
+ */
+export async function sshAppleContainer(entry: AssistantEntry): Promise<void> {
+  const mgmtSocket = entry.mgmtSocket as string | undefined;
+  if (!mgmtSocket) {
+    console.error(
+      `No management socket found for '${entry.assistantId}'.\n` +
+        "The assistant may not have finished starting. Try again in a moment.",
+    );
+    process.exit(1);
+  }
+
+  if (!existsSync(mgmtSocket)) {
+    console.error(
+      `Management socket not found at ${mgmtSocket}.\n` +
+        "The assistant may have been stopped. Run 'vellum hatch' to start it.",
+    );
+    process.exit(1);
+  }
+
+  console.log(
+    `🔗 Connecting to ${entry.assistantId} via apple container exec...\n`,
+  );
+
+  const cols = process.stdout.columns || 120;
+  const rows = process.stdout.rows || 40;
+
+  const handshake =
+    JSON.stringify({
+      command: ["/bin/bash"],
+      service: "vellum-assistant",
+      cols,
+      rows,
+    }) + "\n";
+
+  return new Promise<void>((resolve, reject) => {
+    const socket = createConnection({ path: mgmtSocket }, () => {
+      // Send handshake as soon as connected.
+      socket.write(handshake);
+    });
+
+    // 10s handshake timeout — matches SSH ConnectTimeout.
+    const HANDSHAKE_TIMEOUT_MS = 10_000;
+    let handshakeComplete = false;
+    const handshakeChunks: Buffer[] = [];
+    let handshakeLen = 0;
+
+    socket.setTimeout(HANDSHAKE_TIMEOUT_MS);
+    socket.on("timeout", () => {
+      if (!handshakeComplete) {
+        console.error(
+          "Timed out waiting for handshake response from management socket.",
+        );
+        socket.destroy();
+        process.exit(1);
+      }
+      // After handshake, no timeout — interactive session runs indefinitely.
+    });
+
+    socket.on("data", (data: Buffer) => {
+      if (!handshakeComplete) {
+        // Accumulate raw buffers until we find a newline (end of JSON response).
+        handshakeChunks.push(data);
+        handshakeLen += data.length;
+        const accumulated = Buffer.concat(handshakeChunks, handshakeLen);
+        const nlIndex = accumulated.indexOf(0x0a);
+        if (nlIndex === -1) return; // Wait for more data.
+
+        const responseLine = accumulated.slice(0, nlIndex).toString("utf-8");
+        const remainder = accumulated.slice(nlIndex + 1);
+        handshakeComplete = true;
+        socket.setTimeout(0); // Disable timeout for interactive session.
+
+        let response: { status: string; message?: string };
+        try {
+          response = JSON.parse(responseLine) as {
+            status: string;
+            message?: string;
+          };
+        } catch {
+          console.error("Invalid handshake response from management socket.");
+          socket.destroy();
+          process.exit(1);
+          return;
+        }
+
+        if (response.status !== "ok") {
+          console.error(`Exec failed: ${response.message || "unknown error"}`);
+          socket.destroy();
+          process.exit(1);
+          return;
+        }
+
+        // Handshake succeeded — enter raw mode and relay stdio.
+        if (process.stdin.isTTY) {
+          process.stdin.setRawMode(true);
+        }
+        process.stdin.resume();
+        process.stdin.pipe(socket);
+
+        // Write any raw bytes that arrived after the handshake newline.
+        if (remainder.length > 0) {
+          process.stdout.write(remainder);
+        }
+
+        // From now on, relay socket data to stdout.
+        return;
+      }
+
+      // Raw mode: relay container output to stdout.
+      process.stdout.write(data);
+    });
+
+    socket.on("end", () => {
+      cleanup();
+      if (handshakeComplete) {
+        resolve();
+      } else {
+        reject(
+          new Error(
+            "Management socket closed before handshake completed. " +
+              "The assistant may be restarting.",
+          ),
+        );
+      }
+    });
+
+    socket.on("error", (err) => {
+      cleanup();
+      reject(new Error(`Management socket error: ${err.message}`));
+    });
+
+    socket.on("close", () => {
+      cleanup();
+      if (handshakeComplete) {
+        resolve();
+      } else {
+        reject(
+          new Error(
+            "Management socket closed before handshake completed. " +
+              "The assistant may be restarting.",
+          ),
+        );
+      }
+    });
+
+    function cleanup(): void {
+      if (process.stdin.isTTY) {
+        process.stdin.setRawMode(false);
+      }
+      process.stdin.unpipe(socket);
+      process.stdin.pause();
+    }
+  });
+}

package/src/commands/ssh.ts

@@ -6,6 +6,7 @@ import {
 } from "../lib/assistant-config";
 import type { AssistantEntry } from "../lib/assistant-config";
 import { dockerResourceNames } from "../lib/docker";
+import { sshAppleContainer } from "./ssh-apple-container";
 
 const SSH_OPTS = [
   "-o",
@@ -81,6 +82,12 @@ export async function ssh(): Promise<void> {
     process.exit(1);
   }
 
+  // Apple container: connect to the management socket for an interactive shell.
+  if (cloud === "apple-container") {
+    await sshAppleContainer(entry);
+    return;
+  }
+
   let child;
 
   if (cloud === "docker") {

package/src/commands/teleport.ts

@@ -9,11 +9,13 @@ import type { AssistantEntry } from "../lib/assistant-config.js";
 import {
   loadGuardianToken,
   leaseGuardianToken,
+  computeDeviceId,
 } from "../lib/guardian-token.js";
 import {
   readPlatformToken,
   getPlatformUrl,
   hatchAssistant,
+  checkExistingPlatformAssistant,
   platformInitiateExport,
   platformPollExportStatus,
   platformDownloadExport,
@@ -23,6 +25,11 @@ import {
   platformUploadToSignedUrl,
   platformImportPreflightFromGcs,
   platformImportBundleFromGcs,
+  platformPollImportStatus,
+  ensureSelfHostedLocalRegistration,
+  injectCredentialsIntoAssistant,
+  fetchCurrentUser,
+  fetchOrganizationId,
 } from "../lib/platform-client.js";
 import {
   hatchDocker,
@@ -34,6 +41,8 @@ import { hatchLocal } from "../lib/hatch-local.js";
 import { retireLocal } from "../lib/retire-local.js";
 import { validateAssistantName } from "../lib/retire-archive.js";
 import { stopProcessByPidFile } from "../lib/process.js";
+import { fetchCurrentVersion } from "../lib/upgrade-lifecycle.js";
+import { compareVersions } from "../lib/version-compat.js";
 import { join } from "node:path";
 
 function printHelp(): void {
@@ -512,6 +521,16 @@ async function exportFromAssistant(
         if (msg.includes("not found")) {
           throw err;
         }
+        // Re-throw permanent 4xx errors (auth, forbidden, etc.)
+        // but retry transient 5xx errors
+        const statusMatch = msg.match(/status check failed: (\d+)/);
+        if (statusMatch) {
+          const statusCode = parseInt(statusMatch[1], 10);
+          if (statusCode >= 400 && statusCode < 500) {
+            throw err;
+          }
+        }
+        // Transient error — retry
         console.warn(`Polling failed, retrying... (${msg})`);
         await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
         continue;
@@ -595,6 +614,13 @@ interface ImportResponse {
     files_skipped: number;
     backups_created: number;
   };
+  credentialsImported?: {
+    total: number;
+    succeeded: number;
+    failed: number;
+    failedAccounts: string[];
+    skippedPlatform?: number;
+  };
 }
 
 async function importToAssistant(
@@ -706,7 +732,7 @@ async function importToAssistant(
         : await platformImportBundle(bundleData, token, entry.runtimeUrl);
     } catch (err) {
       if (err instanceof Error && err.name === "TimeoutError") {
-        console.error("Error: Import request timed out after 5 minutes.");
+        console.error("Error: Import request timed out.");
         process.exit(1);
       }
       throw err;
@@ -714,6 +740,74 @@ async function importToAssistant(
 
     handleImportStatusErrors(importResult.statusCode, entry.assistantId);
 
+    if (importResult.statusCode === 202) {
+      const jobId = (importResult.body as { job_id?: string }).job_id;
+      if (!jobId) {
+        console.error("Error: Import accepted but no job ID returned.");
+        process.exit(1);
+      }
+
+      const POLL_INTERVAL_MS = 5_000;
+      const TIMEOUT_MS = 10 * 60 * 1_000; // 10 minutes (platform staleness is 930s)
+      const startTime = Date.now();
+      const deadline = startTime + TIMEOUT_MS;
+
+      while (Date.now() < deadline) {
+        await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+
+        let status: {
+          status: string;
+          result?: Record<string, unknown>;
+          error?: string;
+        };
+        try {
+          status = await platformPollImportStatus(
+            jobId,
+            token,
+            entry.runtimeUrl,
+          );
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          if (msg.includes("not found")) {
+            throw err;
+          }
+          // Re-throw permanent 4xx errors (auth, forbidden, etc.)
+          // but retry transient 5xx errors
+          const statusMatch = msg.match(/status check failed: (\d+)/);
+          if (statusMatch) {
+            const statusCode = parseInt(statusMatch[1], 10);
+            if (statusCode >= 400 && statusCode < 500) {
+              throw err;
+            }
+          }
+          // Transient error — retry
+          console.warn(`Polling failed, retrying... (${msg})`);
+          continue;
+        }
+
+        if (status.status === "complete") {
+          importResult = { statusCode: 200, body: status.result ?? {} };
+          break;
+        }
+
+        if (status.status === "failed") {
+          console.error(`Import failed: ${status.error ?? "unknown error"}`);
+          process.exit(1);
+        }
+
+        const elapsed = Math.round((Date.now() - startTime) / 1000);
+        process.stdout.write(`\rImporting... ${elapsed}s elapsed`);
+      }
+
+      // Clear the progress line
+      process.stdout.write("\r" + " ".repeat(40) + "\r");
+
+      if (importResult.statusCode === 202) {
+        console.error("Import timed out after 10 minutes.");
+        process.exit(1);
+      }
+    }
+
     const result = importResult.body as unknown as ImportResponse;
     printImportSummary(result);
     return;
@@ -779,7 +873,7 @@ export async function resolveOrHatchTarget(
   // Hatch a new assistant in the target environment
   if (targetEnv === "local") {
     const beforeIds = new Set(loadAllAssistants().map((e) => e.assistantId));
-    await hatchLocal("vellum", targetName ?? null, false, false, false, {});
+    await hatchLocal("vellum", targetName ?? null, false, false, {});
     const entry = targetName
       ? findAssistantByName(targetName)
       : (loadAllAssistants().find((e) => !beforeIds.has(e.assistantId)) ??
@@ -816,7 +910,29 @@ export async function resolveOrHatchTarget(
       process.exit(1);
     }
 
-    const result = await hatchAssistant(token);
+    const { assistant: result, reusedExisting } = await hatchAssistant(token);
+
+    // Defensive safety net — should not happen because of the pre-check in
+    // teleport(), but guards against a TOCTOU race between the pre-check and
+    // hatch (e.g. another client hatches in the GCS-upload window).
+    if (reusedExisting) {
+      const entry: AssistantEntry = {
+        assistantId: result.id,
+        runtimeUrl: getPlatformUrl(),
+        cloud: "vellum",
+        species: "vellum",
+        hatchedAt: new Date().toISOString(),
+      };
+      saveAssistantEntry(entry);
+      console.error(
+        `Error: You already have a platform assistant '${result.id}'.`,
+      );
+      console.error(
+        `Retire it first with 'vellum retire ${result.id}', then retry the teleport.`,
+      );
+      process.exit(1);
+    }
+
     const entry: AssistantEntry = {
       assistantId: result.id,
       runtimeUrl: getPlatformUrl(),
@@ -969,6 +1085,20 @@ function printImportSummary(result: ImportResponse): void {
   console.log(`  Files skipped:     ${summary.files_skipped}`);
   console.log(`  Backups created:   ${summary.backups_created}`);
 
+  const creds = result.credentialsImported;
+  if (creds) {
+    console.log(`  Credentials imported: ${creds.succeeded}/${creds.total}`);
+    if (creds.skippedPlatform) {
+      console.log(`  Platform credentials skipped: ${creds.skippedPlatform}`);
+    }
+    if (creds.failed > 0) {
+      console.log(`  Credentials failed:  ${creds.failed}`);
+      for (const account of creds.failedAccounts) {
+        console.log(`    - ${account}`);
+      }
+    }
+  }
+
   const warnings = result.warnings ?? [];
   if (warnings.length > 0) {
     console.log("");
@@ -979,6 +1109,54 @@ function printImportSummary(result: ImportResponse): void {
   }
 }
 
+/**
+ * After teleporting to a local/docker target, register the assistant with
+ * the platform and inject fresh platform credentials — mirroring the
+ * login flow. Non-fatal: failures are logged as warnings.
+ */
+async function tryInjectPlatformCredentials(
+  entry: AssistantEntry,
+): Promise<void> {
+  const token = readPlatformToken();
+  if (!token) {
+    console.log("  Skipped platform credential injection (not logged in).");
+    return;
+  }
+
+  try {
+    const user = await fetchCurrentUser(token);
+    const orgId = await fetchOrganizationId(token);
+    const clientInstallationId = computeDeviceId();
+    const registration = await ensureSelfHostedLocalRegistration(
+      token,
+      orgId,
+      clientInstallationId,
+      entry.assistantId,
+      "cli",
+    );
+
+    const allInjected = await injectCredentialsIntoAssistant({
+      gatewayUrl: entry.runtimeUrl,
+      bearerToken: entry.bearerToken,
+      assistantApiKey: registration.assistant_api_key,
+      platformAssistantId: registration.assistant.id,
+      platformBaseUrl: getPlatformUrl(),
+      organizationId: orgId,
+      userId: user.id,
+      webhookSecret: registration.webhook_secret,
+    });
+
+    if (allInjected) {
+      console.log("  Platform credentials injected.");
+    } else {
+      console.warn("  Some platform credentials could not be injected.");
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.warn(`  Platform credential injection skipped: ${msg}`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Main entry point
 // ---------------------------------------------------------------------------
@@ -1025,6 +1203,13 @@ export async function teleport(): Promise<void> {
 
   const fromCloud = resolveCloud(fromEntry);
 
+  if (fromCloud === "apple-container") {
+    console.error(
+      `Error: '${from}' uses the Apple Containers runtime. Teleport is not yet supported for this topology.`,
+    );
+    process.exit(1);
+  }
+
   // Early same-environment guard — compare source cloud against the CLI flag
   // BEFORE exporting or hatching, to avoid creating orphaned assistants.
   const normalizedSourceEnv = fromCloud === "vellum" ? "platform" : fromCloud;
@@ -1058,6 +1243,28 @@ export async function teleport(): Promise<void> {
         process.exit(1);
       }
 
+      // Version guard: block platform→non-platform when target is behind
+      if (fromCloud === "vellum" && toCloud !== "vellum") {
+        const [sourceVersion, targetVersion] = await Promise.all([
+          fetchCurrentVersion(fromEntry.runtimeUrl),
+          fetchCurrentVersion(existingTarget.runtimeUrl),
+        ]);
+        const cmp =
+          sourceVersion && targetVersion
+            ? compareVersions(targetVersion, sourceVersion)
+            : null;
+        if (cmp !== null && cmp < 0) {
+          console.error(
+            `Error: Target assistant '${existingTarget.assistantId}' is running ${targetVersion}, ` +
+              `but the platform source is on ${sourceVersion}.`,
+          );
+          console.error(
+            `Upgrade your ${toCloud} assistant first: vellum upgrade ${existingTarget.assistantId}`,
+          );
+          process.exit(1);
+        }
+      }
+
       console.log(`Exporting from ${from} (${fromCloud})...`);
       const bundleData = await exportFromAssistant(fromEntry, fromCloud);
       console.log(`Importing to ${existingTarget.assistantId} (${toCloud})...`);
@@ -1117,6 +1324,31 @@ export async function teleport(): Promise<void> {
     // and import hit the same instance.
     const targetPlatformUrl = existingTarget?.runtimeUrl;
 
+    // Step B2 — Pre-check: block if the user already has a platform assistant.
+    // This runs BEFORE the expensive GCS upload so we don't waste bandwidth.
+    if (!existingTarget) {
+      const existing = await checkExistingPlatformAssistant(
+        token,
+        targetPlatformUrl,
+      );
+      if (existing) {
+        saveAssistantEntry({
+          assistantId: existing.id,
+          runtimeUrl: getPlatformUrl(),
+          cloud: "vellum",
+          species: "vellum",
+          hatchedAt: new Date().toISOString(),
+        });
+        console.error(
+          `Error: You already have a platform assistant '${existing.id}'.`,
+        );
+        console.error(
+          `Retire it first with 'vellum retire ${existing.id}', then retry the teleport.`,
+        );
+        process.exit(1);
+      }
+    }
+
     // Step C — Upload to GCS
     // bundleKey: string = uploaded successfully, null = tried but unavailable,
     // undefined would mean "never tried" (not used here).
@@ -1159,6 +1391,36 @@ export async function teleport(): Promise<void> {
   // fails, the user can recover by running `vellum wake <source>`.
   const sourceIsLocalOrDocker = fromCloud === "local" || fromCloud === "docker";
   const targetIsLocalOrDocker = targetEnv === "local" || targetEnv === "docker";
+
+  // Version guard (pre-hatch): for existing targets, check BEFORE hatching
+  // to avoid creating orphaned assistants when the version check would fail.
+  let versionGuardPassed = false;
+  if (fromCloud === "vellum" && targetIsLocalOrDocker && targetName) {
+    const existingTarget = findAssistantByName(targetName);
+    if (existingTarget) {
+      const [sourceVersion, existingVersion] = await Promise.all([
+        fetchCurrentVersion(fromEntry.runtimeUrl),
+        fetchCurrentVersion(existingTarget.runtimeUrl),
+      ]);
+      const cmp =
+        sourceVersion && existingVersion
+          ? compareVersions(existingVersion, sourceVersion)
+          : null;
+      if (cmp !== null && cmp < 0) {
+        console.error(
+          `Error: Target assistant '${existingTarget.assistantId}' is running ${existingVersion}, ` +
+            `but the platform source is on ${sourceVersion}.`,
+        );
+        console.error(
+          `Upgrade your ${targetEnv} assistant first: vellum upgrade ${existingTarget.assistantId}`,
+        );
+        process.exit(1);
+      }
+      // Pre-hatch check passed (or was best-effort skipped) — skip post-hatch
+      versionGuardPassed = true;
+    }
+  }
+
   if (sourceIsLocalOrDocker && targetIsLocalOrDocker && !keepSource) {
     console.log(`Stopping source assistant '${from}' to free ports...`);
     if (fromCloud === "docker") {
@@ -1189,10 +1451,52 @@ export async function teleport(): Promise<void> {
     process.exit(1);
   }
 
+  // Version guard (post-hatch): for newly hatched targets we must check after
+  // hatch because the assistant doesn't exist yet before. If it fails, clean
+  // up the freshly hatched assistant to avoid orphans.
+  // Skip if the pre-hatch guard already ran for an existing target.
+  if (!versionGuardPassed && fromCloud === "vellum" && toCloud !== "vellum") {
+    const [sourceVersion, targetVersion] = await Promise.all([
+      fetchCurrentVersion(fromEntry.runtimeUrl),
+      fetchCurrentVersion(toEntry.runtimeUrl),
+    ]);
+    const cmp =
+      sourceVersion && targetVersion
+        ? compareVersions(targetVersion, sourceVersion)
+        : null;
+    if (cmp !== null && cmp < 0) {
+      // Clean up the freshly hatched assistant to avoid orphans
+      console.error(
+        `Cleaning up newly hatched assistant '${toEntry.assistantId}'...`,
+      );
+      if (toCloud === "docker") {
+        await retireDocker(toEntry.assistantId);
+      } else {
+        await retireLocal(toEntry.assistantId, toEntry);
+      }
+      removeAssistantEntry(toEntry.assistantId);
+      console.error(
+        `Error: Target assistant '${toEntry.assistantId}' was running ${targetVersion}, ` +
+          `but the platform source is on ${sourceVersion}.`,
+      );
+      console.error(
+        `Upgrade your ${toCloud} environment first, then retry the teleport.`,
+      );
+      process.exit(1);
+    }
+  }
+
   // Import to target
   console.log(`Importing to ${toEntry.assistantId} (${toCloud})...`);
   await importToAssistant(toEntry, toCloud, bundleData, false);
 
+  // After successful import, inject fresh platform credentials if the
+  // user is logged in — replaces the source's stale vellum:* credentials
+  // that were filtered during import.
+  if (fromCloud === "vellum") {
+    await tryInjectPlatformCredentials(toEntry);
+  }
+
   // Retire source after successful import
   if (sourceIsLocalOrDocker && targetIsLocalOrDocker) {
     if (!keepSource) {