@vellumai/cli 0.6.3 → 0.6.5

package/src/commands/backup.ts

@@ -64,6 +64,14 @@ export async function backup(): Promise<void> {
   // Detect topology and route platform assistants through Django export
   const cloud =
     entry.cloud || (entry.project ? "gcp" : entry.sshUser ? "custom" : "local");
+
+  if (cloud === "apple-container") {
+    console.error(
+      `Error: '${name}' uses the Apple Containers runtime. Backup is not yet supported for this topology.`,
+    );
+    process.exit(1);
+  }
+
   if (cloud === "vellum") {
     await backupPlatform(name, outputArg, entry.runtimeUrl);
     return;

package/src/commands/exec.ts

@@ -0,0 +1,186 @@
+import { spawn } from "child_process";
+
+import {
+  findAssistantByName,
+  loadLatestAssistant,
+  resolveCloud,
+} from "../lib/assistant-config";
+import { dockerResourceNames } from "../lib/docker";
+import type { ServiceName } from "../lib/docker";
+import { execAppleContainer } from "../lib/exec-apple-container";
+import { sshAppleContainer } from "../lib/ssh-apple-container";
+
+const SERVICE_ALIASES: Record<string, ServiceName> = {
+  assistant: "assistant",
+  "vellum-assistant": "assistant",
+  gateway: "gateway",
+  "vellum-gateway": "gateway",
+  "credential-executor": "credential-executor",
+  "vellum-credential-executor": "credential-executor",
+};
+
+function normalizeService(raw: string): ServiceName {
+  const normalized = SERVICE_ALIASES[raw];
+  if (!normalized) {
+    console.error(
+      `Unknown service '${raw}'. Valid services: assistant, gateway, credential-executor`,
+    );
+    process.exit(1);
+  }
+  return normalized;
+}
+
+function resolveDockerContainer(
+  instanceName: string,
+  service: ServiceName,
+): string {
+  const res = dockerResourceNames(instanceName);
+  switch (service) {
+    case "assistant":
+      return res.assistantContainer;
+    case "gateway":
+      return res.gatewayContainer;
+    case "credential-executor":
+      return res.cesContainer;
+  }
+}
+
+export async function exec(): Promise<void> {
+  const rawArgs = process.argv.slice(3);
+
+  // Only check for help flags before the -- separator so that
+  // `vellum exec -- curl --help` passes through correctly.
+  const dashDashIndex = rawArgs.indexOf("--");
+  const preArgs =
+    dashDashIndex === -1 ? rawArgs : rawArgs.slice(0, dashDashIndex);
+
+  if (
+    preArgs.includes("--help") ||
+    preArgs.includes("-h") ||
+    rawArgs.length === 0
+  ) {
+    console.log(
+      "Usage: vellum exec [<name>] [--service <svc>] [-it] -- <command...>",
+    );
+    console.log("");
+    console.log("Execute a command inside an assistant's container.");
+    console.log("");
+    console.log("Arguments:");
+    console.log(
+      "  <name>              Name of the assistant (defaults to active)",
+    );
+    console.log(
+      "  <command...>        Command and arguments to run (after --)",
+    );
+    console.log("");
+    console.log("Options:");
+    console.log(
+      "  --service <svc>     Target service (default: assistant)",
+    );
+    console.log(
+      "  -it                 Interactive mode with TTY (like docker exec -it)",
+    );
+    console.log("");
+    console.log("Services:");
+    console.log("  assistant (or vellum-assistant)");
+    console.log("  gateway (or vellum-gateway)");
+    console.log("  credential-executor (or vellum-credential-executor)");
+    console.log("");
+    console.log("Examples:");
+    console.log("  vellum exec -- ls -la /workspace");
+    console.log("  vellum exec -- cat /workspace/NOW.md");
+    console.log("  vellum exec -it -- /bin/bash");
+    console.log(
+      "  vellum exec --service gateway -- cat /tmp/gateway.log",
+    );
+    process.exit(0);
+  }
+
+  if (dashDashIndex === -1) {
+    console.error(
+      "Error: missing '--' separator before command.\n" +
+        "Usage: vellum exec [<name>] -- <command...>",
+    );
+    process.exit(1);
+  }
+
+  const command = rawArgs.slice(dashDashIndex + 1);
+
+  if (command.length === 0) {
+    console.error("Error: no command specified after '--'.");
+    process.exit(1);
+  }
+
+  let nameArg: string | undefined;
+  let serviceRaw = "assistant";
+  let interactive = false;
+
+  for (let i = 0; i < preArgs.length; i++) {
+    if (preArgs[i] === "--service" && preArgs[i + 1]) {
+      serviceRaw = preArgs[++i];
+    } else if (preArgs[i] === "-it" || preArgs[i] === "-ti") {
+      interactive = true;
+    } else if (!preArgs[i].startsWith("-")) {
+      nameArg = preArgs[i];
+    }
+  }
+
+  const service = normalizeService(serviceRaw);
+
+  const entry = nameArg
+    ? findAssistantByName(nameArg)
+    : loadLatestAssistant();
+
+  if (!entry) {
+    if (nameArg) {
+      console.error(`No assistant instance found with name '${nameArg}'.`);
+    } else {
+      console.error("No assistant instance found. Run `vellum hatch` first.");
+    }
+    process.exit(1);
+  }
+
+  const cloud = resolveCloud(entry);
+
+  if (cloud === "local") {
+    console.error(
+      "Cannot exec into a local assistant — it runs directly on this machine.",
+    );
+    process.exit(1);
+  }
+
+  if (cloud === "apple-container") {
+    const fullServiceName = `vellum-${service}`;
+    if (interactive) {
+      await sshAppleContainer(entry, command, fullServiceName);
+    } else {
+      await execAppleContainer(entry, command, fullServiceName);
+    }
+    return;
+  }
+
+  if (cloud === "docker") {
+    const container = resolveDockerContainer(entry.assistantId, service);
+    const dockerArgs = interactive
+      ? ["exec", "-it", container, ...command]
+      : ["exec", container, ...command];
+
+    const child = spawn("docker", dockerArgs, { stdio: "inherit" });
+    await new Promise<void>((resolve, reject) => {
+      child.on("close", (code) => {
+        if (code === 0) resolve();
+        else {
+          process.exitCode = code ?? 1;
+          resolve();
+        }
+      });
+      child.on("error", reject);
+    });
+    return;
+  }
+
+  console.error(
+    `Error: 'vellum exec' is not supported for ${cloud} instances.`,
+  );
+  process.exit(1);
+}

package/src/commands/hatch.ts

@@ -570,7 +570,7 @@ async function hatchVellumPlatform(): Promise<void> {
   console.log("   Hatching assistant on Vellum platform...");
   console.log("");
 
-  const result = await hatchAssistant(token);
+  const { assistant: result } = await hatchAssistant(token);
 
   const platformUrl = getPlatformUrl();
 

package/src/commands/login.ts

@@ -1,20 +1,143 @@
+import { createServer } from "http";
+import { spawn } from "child_process";
+import { randomBytes } from "crypto";
+
+import {
+  findAssistantByName,
+  getActiveAssistant,
+  loadLatestAssistant,
+} from "../lib/assistant-config";
+import { computeDeviceId } from "../lib/guardian-token";
 import {
   clearPlatformToken,
+  ensureSelfHostedLocalRegistration,
   fetchCurrentUser,
+  fetchOrganizationId,
+  getPlatformUrl,
+  injectCredentialsIntoAssistant,
+  readGatewayCredential,
   readPlatformToken,
+  reprovisionAssistantApiKey,
   savePlatformToken,
 } from "../lib/platform-client";
 
+const LOGIN_TIMEOUT_MS = 120_000; // 2 minutes
+
+/**
+ * Open a URL in the user's default browser.
+ */
+function openBrowser(url: string): void {
+  const platform = process.platform;
+  const cmd =
+    platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+  const args =
+    platform === "win32"
+      ? ["/c", "start", '""', url.replace(/&/g, "^&")]
+      : [url];
+  const child = spawn(cmd, args, { stdio: "ignore", detached: true });
+  child.on("error", () => {
+    // Silently ignore — the user can still copy the URL from the console
+  });
+  child.unref();
+}
+
+/**
+ * Start a local HTTP server, open the browser to the platform login page,
+ * and wait for the platform to redirect back with the session token.
+ */
+function browserLogin(platformUrl: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const state = randomBytes(32).toString("hex");
+
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost`);
+
+      if (url.pathname !== "/callback") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not found");
+        return;
+      }
+
+      const receivedState = url.searchParams.get("state");
+      const sessionToken = url.searchParams.get("session_token");
+
+      if (receivedState !== state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(
+          "<html><body><h2>Login failed</h2><p>State mismatch. Please try again.</p></body></html>",
+        );
+        cleanup("State mismatch — possible CSRF attack.");
+        return;
+      }
+
+      if (!sessionToken) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(
+          "<html><body><h2>Login failed</h2><p>No session token received. Please try again.</p></body></html>",
+        );
+        cleanup("No session token received from platform.");
+        return;
+      }
+
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(
+        "<html><body><h2>Login successful!</h2><p>You can close this window and return to your terminal.</p></body></html>",
+      );
+      cleanup(null, sessionToken);
+    });
+
+    const timeout = setTimeout(() => {
+      cleanup("Login timed out. Please try again.");
+    }, LOGIN_TIMEOUT_MS);
+
+    function cleanup(error: string | null, token?: string): void {
+      clearTimeout(timeout);
+      server.close();
+      if (error) {
+        reject(new Error(error));
+      } else if (token) {
+        resolve(token);
+      } else {
+        reject(new Error("Unknown error during login."));
+      }
+    }
+
+    server.on("error", (err) => cleanup(err.message));
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        cleanup("Failed to start local server.");
+        return;
+      }
+
+      const port = addr.port;
+      const returnTo = `/accounts/cli/callback?port=${port}&state=${state}`;
+      const loginUrl = `${platformUrl}/account/login?returnTo=${encodeURIComponent(returnTo)}`;
+
+      console.log("Opening browser for login...");
+      console.log(`If the browser doesn't open, visit: ${loginUrl}`);
+      openBrowser(loginUrl);
+    });
+  });
+}
+
 export async function login(): Promise<void> {
   const args = process.argv.slice(3);
 
   if (args.includes("--help") || args.includes("-h")) {
-    console.log("Usage: vellum login --token <session-token>");
+    console.log("Usage: vellum login [--token <session-token>]");
     console.log("");
     console.log("Log in to the Vellum platform.");
     console.log("");
+    console.log("By default, opens a browser window for authentication.");
+    console.log("Alternatively, pass a session token directly with --token.");
+    console.log("");
     console.log("Options:");
     console.log("  --token <token>    Session token from the Vellum platform");
+    console.log("");
+    console.log("Examples:");
+    console.log("  vellum login");
+    console.log("  vellum login --token <session-token>");
     process.exit(0);
   }
 
@@ -31,14 +154,15 @@ export async function login(): Promise<void> {
     }
   }
 
+  // If no --token flag, use browser-based login
   if (!token) {
-    console.error("Usage: vellum login --token <session-token>");
-    console.error("");
-    console.error("To get your session token:");
-    console.error("  1. Log in to the Vellum platform in your browser");
-    console.error("  2. Open Developer Tools → Application → Cookies");
-    console.error("  3. Copy the value of the session token");
-    process.exit(1);
+    const platformUrl = getPlatformUrl();
+    try {
+      token = await browserLogin(platformUrl);
+    } catch (error) {
+      console.error(`❌ ${error instanceof Error ? error.message : error}`);
+      process.exit(1);
+    }
   }
 
   console.log("Validating token...");
@@ -47,6 +171,82 @@ export async function login(): Promise<void> {
     const user = await fetchCurrentUser(token);
     savePlatformToken(token);
     console.log(`✅ Logged in as ${user.email}`);
+
+    // Register the local assistant with the platform (non-fatal).
+    // Mirrors the desktop app's LocalAssistantBootstrapService flow.
+    try {
+      const activeName = getActiveAssistant();
+      const entry = activeName
+        ? findAssistantByName(activeName)
+        : loadLatestAssistant();
+
+      // Skip managed ("vellum") assistants — they are handled by the platform.
+      if (entry && entry.cloud !== "vellum") {
+        const orgId = await fetchOrganizationId(token);
+        const clientInstallationId = computeDeviceId();
+        const registration = await ensureSelfHostedLocalRegistration(
+          token,
+          orgId,
+          clientInstallationId,
+          entry.assistantId,
+          "cli",
+        );
+        console.log(
+          `Registered assistant: ${registration.assistant.name} (${registration.assistant.id})`,
+        );
+
+        // Resolve the API key to inject, mirroring the macOS app's
+        // LocalAssistantBootstrapService 3-step flow:
+        // 1. Use fresh key from registration (first-time only)
+        // 2. Use existing key from the daemon's credential store
+        // 3. Reprovision (rotate) as a last resort — this revokes the
+        //    old key server-side, so we only do it when the gateway
+        //    confirms no key exists (not when it's merely unreachable).
+        let assistantApiKey = registration.assistant_api_key;
+        if (!assistantApiKey) {
+          const cached = await readGatewayCredential(
+            entry.runtimeUrl,
+            "vellum:assistant_api_key",
+            entry.bearerToken,
+          );
+          if (cached.value) {
+            assistantApiKey = cached.value;
+          } else if (!cached.unreachable) {
+            console.log("No API key available locally — reprovisioning...");
+            const reprovision = await reprovisionAssistantApiKey(
+              token,
+              orgId,
+              clientInstallationId,
+              entry.assistantId,
+              "cli",
+            );
+            assistantApiKey = reprovision.provisioning.assistant_api_key;
+          }
+        }
+
+        // Inject credentials into the running assistant via the gateway,
+        // mirroring the desktop app's LocalAssistantBootstrapService flow.
+        const allInjected = await injectCredentialsIntoAssistant({
+          gatewayUrl: entry.runtimeUrl,
+          bearerToken: entry.bearerToken,
+          assistantApiKey,
+          platformAssistantId: registration.assistant.id,
+          platformBaseUrl: getPlatformUrl(),
+          organizationId: orgId,
+          userId: user.id,
+          webhookSecret: registration.webhook_secret,
+        });
+        if (allInjected) {
+          console.log("Injected platform credentials into assistant.");
+        } else {
+          console.warn(
+            "Some credentials could not be injected into the assistant.",
+          );
+        }
+      }
+    } catch {
+      // Non-fatal — login succeeded even if registration fails
+    }
   } catch (error) {
     console.error(
       `❌ Login failed: ${error instanceof Error ? error.message : error}`,
@@ -81,7 +281,7 @@ export async function whoami(): Promise<void> {
 
   const token = readPlatformToken();
   if (!token) {
-    console.error("Not logged in. Run `vellum login --token <token>` first.");
+    console.error("Not logged in. Run `vellum login` first.");
     process.exit(1);
   }