@vellumai/cli 0.6.3 → 0.6.5

package/src/commands/teleport.ts

@@ -9,11 +9,13 @@ import type { AssistantEntry } from "../lib/assistant-config.js";
 import {
   loadGuardianToken,
   leaseGuardianToken,
+  computeDeviceId,
 } from "../lib/guardian-token.js";
 import {
   readPlatformToken,
   getPlatformUrl,
   hatchAssistant,
+  checkExistingPlatformAssistant,
   platformInitiateExport,
   platformPollExportStatus,
   platformDownloadExport,
@@ -24,6 +26,12 @@ import {
   platformImportPreflightFromGcs,
   platformImportBundleFromGcs,
   platformPollImportStatus,
+  ensureSelfHostedLocalRegistration,
+  readGatewayCredential,
+  reprovisionAssistantApiKey,
+  injectCredentialsIntoAssistant,
+  fetchCurrentUser,
+  fetchOrganizationId,
 } from "../lib/platform-client.js";
 import {
   hatchDocker,
@@ -35,6 +43,8 @@ import { hatchLocal } from "../lib/hatch-local.js";
 import { retireLocal } from "../lib/retire-local.js";
 import { validateAssistantName } from "../lib/retire-archive.js";
 import { stopProcessByPidFile } from "../lib/process.js";
+import { fetchCurrentVersion } from "../lib/upgrade-lifecycle.js";
+import { compareVersions } from "../lib/version-compat.js";
 import { join } from "node:path";
 
 function printHelp(): void {
@@ -606,6 +616,13 @@ interface ImportResponse {
     files_skipped: number;
     backups_created: number;
   };
+  credentialsImported?: {
+    total: number;
+    succeeded: number;
+    failed: number;
+    failedAccounts: string[];
+    skippedPlatform?: number;
+  };
 }
 
 async function importToAssistant(
@@ -895,7 +912,29 @@ export async function resolveOrHatchTarget(
       process.exit(1);
     }
 
-    const result = await hatchAssistant(token);
+    const { assistant: result, reusedExisting } = await hatchAssistant(token);
+
+    // Defensive safety net — should not happen because of the pre-check in
+    // teleport(), but guards against a TOCTOU race between the pre-check and
+    // hatch (e.g. another client hatches in the GCS-upload window).
+    if (reusedExisting) {
+      const entry: AssistantEntry = {
+        assistantId: result.id,
+        runtimeUrl: getPlatformUrl(),
+        cloud: "vellum",
+        species: "vellum",
+        hatchedAt: new Date().toISOString(),
+      };
+      saveAssistantEntry(entry);
+      console.error(
+        `Error: You already have a platform assistant '${result.id}'.`,
+      );
+      console.error(
+        `Retire it first with 'vellum retire ${result.id}', then retry the teleport.`,
+      );
+      process.exit(1);
+    }
+
     const entry: AssistantEntry = {
       assistantId: result.id,
       runtimeUrl: getPlatformUrl(),
@@ -1048,6 +1087,20 @@ function printImportSummary(result: ImportResponse): void {
   console.log(`  Files skipped:     ${summary.files_skipped}`);
   console.log(`  Backups created:   ${summary.backups_created}`);
 
+  const creds = result.credentialsImported;
+  if (creds) {
+    console.log(`  Credentials imported: ${creds.succeeded}/${creds.total}`);
+    if (creds.skippedPlatform) {
+      console.log(`  Platform credentials skipped: ${creds.skippedPlatform}`);
+    }
+    if (creds.failed > 0) {
+      console.log(`  Credentials failed:  ${creds.failed}`);
+      for (const account of creds.failedAccounts) {
+        console.log(`    - ${account}`);
+      }
+    }
+  }
+
   const warnings = result.warnings ?? [];
   if (warnings.length > 0) {
     console.log("");
@@ -1058,6 +1111,79 @@ function printImportSummary(result: ImportResponse): void {
   }
 }
 
+/**
+ * After teleporting to a local/docker target, register the assistant with
+ * the platform and inject fresh platform credentials — mirroring the
+ * login flow. Non-fatal: failures are logged as warnings.
+ */
+async function tryInjectPlatformCredentials(
+  entry: AssistantEntry,
+): Promise<void> {
+  const token = readPlatformToken();
+  if (!token) {
+    console.log("  Skipped platform credential injection (not logged in).");
+    return;
+  }
+
+  try {
+    const user = await fetchCurrentUser(token);
+    const orgId = await fetchOrganizationId(token);
+    const clientInstallationId = computeDeviceId();
+    const registration = await ensureSelfHostedLocalRegistration(
+      token,
+      orgId,
+      clientInstallationId,
+      entry.assistantId,
+      "cli",
+    );
+
+    // Resolve the API key: 1) fresh from registration, 2) existing from
+    // daemon credential store, 3) reprovision as last resort (revokes old key).
+    // Only reprovision when the gateway confirms no key exists — not when
+    // the gateway is merely unreachable (would revoke without injecting).
+    let assistantApiKey = registration.assistant_api_key;
+    if (!assistantApiKey) {
+      const cached = await readGatewayCredential(
+        entry.runtimeUrl,
+        "vellum:assistant_api_key",
+        entry.bearerToken,
+      );
+      if (cached.value) {
+        assistantApiKey = cached.value;
+      } else if (!cached.unreachable) {
+        const reprovision = await reprovisionAssistantApiKey(
+          token,
+          orgId,
+          clientInstallationId,
+          entry.assistantId,
+          "cli",
+        );
+        assistantApiKey = reprovision.provisioning.assistant_api_key;
+      }
+    }
+
+    const allInjected = await injectCredentialsIntoAssistant({
+      gatewayUrl: entry.runtimeUrl,
+      bearerToken: entry.bearerToken,
+      assistantApiKey,
+      platformAssistantId: registration.assistant.id,
+      platformBaseUrl: getPlatformUrl(),
+      organizationId: orgId,
+      userId: user.id,
+      webhookSecret: registration.webhook_secret,
+    });
+
+    if (allInjected) {
+      console.log("  Platform credentials injected.");
+    } else {
+      console.warn("  Some platform credentials could not be injected.");
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.warn(`  Platform credential injection skipped: ${msg}`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Main entry point
 // ---------------------------------------------------------------------------
@@ -1104,6 +1230,13 @@ export async function teleport(): Promise<void> {
 
   const fromCloud = resolveCloud(fromEntry);
 
+  if (fromCloud === "apple-container") {
+    console.error(
+      `Error: '${from}' uses the Apple Containers runtime. Teleport is not yet supported for this topology.`,
+    );
+    process.exit(1);
+  }
+
   // Early same-environment guard — compare source cloud against the CLI flag
   // BEFORE exporting or hatching, to avoid creating orphaned assistants.
   const normalizedSourceEnv = fromCloud === "vellum" ? "platform" : fromCloud;
@@ -1137,6 +1270,28 @@ export async function teleport(): Promise<void> {
         process.exit(1);
       }
 
+      // Version guard: block platform→non-platform when target is behind
+      if (fromCloud === "vellum" && toCloud !== "vellum") {
+        const [sourceVersion, targetVersion] = await Promise.all([
+          fetchCurrentVersion(fromEntry.runtimeUrl),
+          fetchCurrentVersion(existingTarget.runtimeUrl),
+        ]);
+        const cmp =
+          sourceVersion && targetVersion
+            ? compareVersions(targetVersion, sourceVersion)
+            : null;
+        if (cmp !== null && cmp < 0) {
+          console.error(
+            `Error: Target assistant '${existingTarget.assistantId}' is running ${targetVersion}, ` +
+              `but the platform source is on ${sourceVersion}.`,
+          );
+          console.error(
+            `Upgrade your ${toCloud} assistant first: vellum upgrade ${existingTarget.assistantId}`,
+          );
+          process.exit(1);
+        }
+      }
+
       console.log(`Exporting from ${from} (${fromCloud})...`);
       const bundleData = await exportFromAssistant(fromEntry, fromCloud);
       console.log(`Importing to ${existingTarget.assistantId} (${toCloud})...`);
@@ -1196,6 +1351,31 @@ export async function teleport(): Promise<void> {
     // and import hit the same instance.
     const targetPlatformUrl = existingTarget?.runtimeUrl;
 
+    // Step B2 — Pre-check: block if the user already has a platform assistant.
+    // This runs BEFORE the expensive GCS upload so we don't waste bandwidth.
+    if (!existingTarget) {
+      const existing = await checkExistingPlatformAssistant(
+        token,
+        targetPlatformUrl,
+      );
+      if (existing) {
+        saveAssistantEntry({
+          assistantId: existing.id,
+          runtimeUrl: getPlatformUrl(),
+          cloud: "vellum",
+          species: "vellum",
+          hatchedAt: new Date().toISOString(),
+        });
+        console.error(
+          `Error: You already have a platform assistant '${existing.id}'.`,
+        );
+        console.error(
+          `Retire it first with 'vellum retire ${existing.id}', then retry the teleport.`,
+        );
+        process.exit(1);
+      }
+    }
+
     // Step C — Upload to GCS
     // bundleKey: string = uploaded successfully, null = tried but unavailable,
     // undefined would mean "never tried" (not used here).
@@ -1238,6 +1418,36 @@ export async function teleport(): Promise<void> {
   // fails, the user can recover by running `vellum wake <source>`.
   const sourceIsLocalOrDocker = fromCloud === "local" || fromCloud === "docker";
   const targetIsLocalOrDocker = targetEnv === "local" || targetEnv === "docker";
+
+  // Version guard (pre-hatch): for existing targets, check BEFORE hatching
+  // to avoid creating orphaned assistants when the version check would fail.
+  let versionGuardPassed = false;
+  if (fromCloud === "vellum" && targetIsLocalOrDocker && targetName) {
+    const existingTarget = findAssistantByName(targetName);
+    if (existingTarget) {
+      const [sourceVersion, existingVersion] = await Promise.all([
+        fetchCurrentVersion(fromEntry.runtimeUrl),
+        fetchCurrentVersion(existingTarget.runtimeUrl),
+      ]);
+      const cmp =
+        sourceVersion && existingVersion
+          ? compareVersions(existingVersion, sourceVersion)
+          : null;
+      if (cmp !== null && cmp < 0) {
+        console.error(
+          `Error: Target assistant '${existingTarget.assistantId}' is running ${existingVersion}, ` +
+            `but the platform source is on ${sourceVersion}.`,
+        );
+        console.error(
+          `Upgrade your ${targetEnv} assistant first: vellum upgrade ${existingTarget.assistantId}`,
+        );
+        process.exit(1);
+      }
+      // Pre-hatch check passed (or was best-effort skipped) — skip post-hatch
+      versionGuardPassed = true;
+    }
+  }
+
   if (sourceIsLocalOrDocker && targetIsLocalOrDocker && !keepSource) {
     console.log(`Stopping source assistant '${from}' to free ports...`);
     if (fromCloud === "docker") {
@@ -1268,10 +1478,52 @@ export async function teleport(): Promise<void> {
     process.exit(1);
   }
 
+  // Version guard (post-hatch): for newly hatched targets we must check after
+  // hatch because the assistant doesn't exist yet before. If it fails, clean
+  // up the freshly hatched assistant to avoid orphans.
+  // Skip if the pre-hatch guard already ran for an existing target.
+  if (!versionGuardPassed && fromCloud === "vellum" && toCloud !== "vellum") {
+    const [sourceVersion, targetVersion] = await Promise.all([
+      fetchCurrentVersion(fromEntry.runtimeUrl),
+      fetchCurrentVersion(toEntry.runtimeUrl),
+    ]);
+    const cmp =
+      sourceVersion && targetVersion
+        ? compareVersions(targetVersion, sourceVersion)
+        : null;
+    if (cmp !== null && cmp < 0) {
+      // Clean up the freshly hatched assistant to avoid orphans
+      console.error(
+        `Cleaning up newly hatched assistant '${toEntry.assistantId}'...`,
+      );
+      if (toCloud === "docker") {
+        await retireDocker(toEntry.assistantId);
+      } else {
+        await retireLocal(toEntry.assistantId, toEntry);
+      }
+      removeAssistantEntry(toEntry.assistantId);
+      console.error(
+        `Error: Target assistant '${toEntry.assistantId}' was running ${targetVersion}, ` +
+          `but the platform source is on ${sourceVersion}.`,
+      );
+      console.error(
+        `Upgrade your ${toCloud} environment first, then retry the teleport.`,
+      );
+      process.exit(1);
+    }
+  }
+
   // Import to target
   console.log(`Importing to ${toEntry.assistantId} (${toCloud})...`);
   await importToAssistant(toEntry, toCloud, bundleData, false);
 
+  // After successful import, inject fresh platform credentials if the
+  // user is logged in — replaces the source's stale vellum:* credentials
+  // that were filtered during import.
+  if (fromCloud === "vellum") {
+    await tryInjectPlatformCredentials(toEntry);
+  }
+
   // Retire source after successful import
   if (sourceIsLocalOrDocker && targetIsLocalOrDocker) {
     if (!keepSource) {

package/src/commands/upgrade.ts

@@ -189,18 +189,9 @@ async function upgradeDocker(
   const versionTag =
     version ?? (cliPkg.version ? `v${cliPkg.version}` : "latest");
 
-  // Reject downgrades — `vellum upgrade` only handles forward version changes.
-  // Users should use `vellum rollback --version <version>` for downgrades.
-  const currentVersion = entry.serviceGroupVersion;
-  if (currentVersion && versionTag) {
-    const cmp = compareVersions(versionTag, currentVersion);
-    if (cmp !== null && cmp < 0) {
-      const msg = `Cannot upgrade to an older version (${versionTag} < ${currentVersion}). Use \`vellum rollback --version ${versionTag}\` instead.`;
-      console.error(msg);
-      emitCliError("VERSION_DIRECTION", msg);
-      process.exit(1);
-    }
-  }
+  // Fetch the current running version from the health endpoint.
+  // This is used for logging, commit messages, and version-direction guards.
+  let currentVersion: string | undefined;
 
   console.log("🔍 Resolving image references...");
   const { imageTags } = await resolveImageRefs(versionTag);
@@ -225,7 +216,7 @@ async function upgradeDocker(
     );
   }
 
-  // Capture current migration state for rollback targeting.
+  // Capture current migration state and running version for rollback targeting.
   // Must happen while daemon is still running (before containers are stopped).
   let preMigrationState: {
     dbVersion?: number;
@@ -240,26 +231,47 @@ async function upgradeDocker(
     );
     if (healthResp.ok) {
       const health = (await healthResp.json()) as {
+        version?: string;
         migrations?: { dbVersion?: number; lastWorkspaceMigrationId?: string };
       };
       preMigrationState = health.migrations ?? {};
+      currentVersion = health.version;
     }
   } catch {
     // Best-effort — if we can't get migration state, rollback will skip migration reversal
   }
 
+  // Reject downgrades — `vellum upgrade` only handles forward version changes.
+  // Users should use `vellum rollback --version <version>` for downgrades.
+  if (!currentVersion && versionTag) {
+    console.warn(
+      "⚠️  Could not determine current version from health endpoint — skipping version-direction check.\n",
+    );
+  }
+  if (currentVersion && versionTag) {
+    const cmp = compareVersions(versionTag, currentVersion);
+    if (cmp !== null && cmp < 0) {
+      const msg = `Cannot upgrade to an older version (${versionTag} < ${currentVersion}). Use \`vellum rollback --version ${versionTag}\` instead.`;
+      console.error(msg);
+      emitCliError("VERSION_DIRECTION", msg);
+      process.exit(1);
+    }
+  }
+
   // Persist rollback state to lockfile BEFORE any destructive changes.
   // This enables the `vellum rollback` command to restore the previous version.
-  if (entry.serviceGroupVersion && entry.containerInfo) {
+  if (entry.containerInfo) {
     const rollbackEntry: AssistantEntry = {
       ...entry,
-      previousServiceGroupVersion: entry.serviceGroupVersion,
       previousContainerInfo: { ...entry.containerInfo },
+      previousVersion: currentVersion,
       previousDbMigrationVersion: preMigrationState.dbVersion,
       previousWorkspaceMigrationId: preMigrationState.lastWorkspaceMigrationId,
     };
     saveAssistantEntry(rollbackEntry);
-    console.log(`   Saved rollback state: ${entry.serviceGroupVersion}\n`);
+    if (currentVersion) {
+      console.log(`   Saved rollback state: ${currentVersion}\n`);
+    }
   }
 
   // Record version transition start in workspace git history
@@ -269,7 +281,7 @@ async function upgradeDocker(
     buildUpgradeCommitMessage({
       action: "upgrade",
       phase: "starting",
-      from: entry.serviceGroupVersion ?? "unknown",
+      from: currentVersion ?? "unknown",
       to: versionTag,
       topology: "docker",
       assistantId: entry.assistantId,
@@ -321,7 +333,7 @@ async function upgradeDocker(
     await broadcastUpgradeEvent(
       entry.runtimeUrl,
       entry.assistantId,
-      buildCompleteEvent(entry.serviceGroupVersion ?? "unknown", false),
+      buildCompleteEvent(currentVersion ?? "unknown", false),
     );
     emitCliError("IMAGE_PULL_FAILED", "Failed to pull Docker images", detail);
     process.exit(1);
@@ -361,7 +373,7 @@ async function upgradeDocker(
   console.log("📦 Creating pre-upgrade backup...");
   const backupPath = await createBackup(entry.runtimeUrl, entry.assistantId, {
     prefix: `${entry.assistantId}-pre-upgrade`,
-    description: `Pre-upgrade snapshot before ${entry.serviceGroupVersion ?? "unknown"} → ${versionTag}`,
+    description: `Pre-upgrade snapshot before ${currentVersion ?? "unknown"} → ${versionTag}`,
   });
   if (backupPath) {
     console.log(`   Backup saved: ${backupPath}\n`);
@@ -434,7 +446,6 @@ async function upgradeDocker(
     const newDigests = await captureImageRefs(res);
     const updatedEntry: AssistantEntry = {
       ...entry,
-      serviceGroupVersion: versionTag,
       containerInfo: {
         assistantImage: imageTags.assistant,
         gatewayImage: imageTags.gateway,
@@ -444,7 +455,6 @@ async function upgradeDocker(
         cesDigest: newDigests?.["credential-executor"],
         networkName: res.network,
       },
-      previousServiceGroupVersion: entry.serviceGroupVersion,
       previousContainerInfo: entry.containerInfo,
       previousDbMigrationVersion: preMigrationState.dbVersion,
       previousWorkspaceMigrationId: preMigrationState.lastWorkspaceMigrationId,
@@ -467,7 +477,7 @@ async function upgradeDocker(
       buildUpgradeCommitMessage({
         action: "upgrade",
         phase: "complete",
-        from: entry.serviceGroupVersion ?? "unknown",
+        from: currentVersion ?? "unknown",
         to: versionTag,
         topology: "docker",
         assistantId: entry.assistantId,
@@ -584,7 +594,6 @@ async function upgradeDocker(
                 previousImageRefs["credential-executor"],
               networkName: res.network,
             },
-            previousServiceGroupVersion: undefined,
             previousContainerInfo: undefined,
             previousDbMigrationVersion: undefined,
             previousWorkspaceMigrationId: undefined,
@@ -598,9 +607,9 @@ async function upgradeDocker(
             entry.runtimeUrl,
             entry.assistantId,
             buildCompleteEvent(
-              entry.serviceGroupVersion ?? "unknown",
+              currentVersion ?? "unknown",
               false,
-              entry.serviceGroupVersion,
+              currentVersion,
             ),
           );
 
@@ -621,7 +630,7 @@ async function upgradeDocker(
           await broadcastUpgradeEvent(
             entry.runtimeUrl,
             entry.assistantId,
-            buildCompleteEvent(entry.serviceGroupVersion ?? "unknown", false),
+            buildCompleteEvent(currentVersion ?? "unknown", false),
           );
           emitCliError(
             "ROLLBACK_FAILED",
@@ -641,7 +650,7 @@ async function upgradeDocker(
         await broadcastUpgradeEvent(
           entry.runtimeUrl,
           entry.assistantId,
-          buildCompleteEvent(entry.serviceGroupVersion ?? "unknown", false),
+          buildCompleteEvent(currentVersion ?? "unknown", false),
         );
         emitCliError(
           "ROLLBACK_FAILED",
@@ -657,7 +666,7 @@ async function upgradeDocker(
       await broadcastUpgradeEvent(
         entry.runtimeUrl,
         entry.assistantId,
-        buildCompleteEvent(entry.serviceGroupVersion ?? "unknown", false),
+        buildCompleteEvent(currentVersion ?? "unknown", false),
       );
       emitCliError(
         "ROLLBACK_NO_STATE",
@@ -678,22 +687,6 @@ async function upgradePlatform(
   entry: AssistantEntry,
   version: string | null,
 ): Promise<void> {
-  // Reject downgrades — `vellum upgrade` only handles forward version changes.
-  // Users should use `vellum rollback --version <version>` for downgrades.
-  // Only enforce this guard when the user explicitly passed `--version`.
-  // When version is null the platform API decides the actual target, so
-  // we must not block the request based on the local CLI version.
-  const currentVersion = entry.serviceGroupVersion;
-  if (version && currentVersion) {
-    const cmp = compareVersions(version, currentVersion);
-    if (cmp !== null && cmp < 0) {
-      const msg = `Cannot upgrade to an older version (${version} < ${currentVersion}). Use \`vellum rollback --version ${version}\` instead.`;
-      console.error(msg);
-      emitCliError("VERSION_DIRECTION", msg);
-      process.exit(1);
-    }
-  }
-
   console.log(
     `🔄 Upgrading platform-hosted assistant '${entry.assistantId}'...\n`,
   );
@@ -733,7 +726,7 @@ async function upgradePlatform(
       await broadcastUpgradeEvent(
         entry.runtimeUrl,
         entry.assistantId,
-        buildCompleteEvent(entry.serviceGroupVersion ?? "unknown", false),
+        buildCompleteEvent("unknown", false),
       );
     } catch {
       // Best-effort — broadcast may fail if the assistant is unreachable
@@ -755,7 +748,7 @@ async function upgradePlatform(
       await broadcastUpgradeEvent(
         entry.runtimeUrl,
         entry.assistantId,
-        buildCompleteEvent(entry.serviceGroupVersion ?? "unknown", false),
+        buildCompleteEvent("unknown", false),
       );
     } catch {
       // Best-effort — broadcast may fail if the assistant is unreachable
@@ -788,8 +781,8 @@ async function upgradePrepare(
   entry: AssistantEntry,
   version: string | null,
 ): Promise<void> {
-  const targetVersion = version ?? entry.serviceGroupVersion ?? "unknown";
-  const currentVersion = entry.serviceGroupVersion ?? "unknown";
+  const targetVersion = version ?? "unknown";
+  const currentVersion = "unknown";
 
   // 1. Broadcast "starting" so the UI shows the progress spinner
   await broadcastUpgradeEvent(
@@ -857,9 +850,7 @@ async function upgradeFinalize(
   }
 
   const fromVersion = version;
-  const currentVersion = cliPkg.version
-    ? `v${cliPkg.version}`
-    : (entry.serviceGroupVersion ?? "unknown");
+  const currentVersion = cliPkg.version ? `v${cliPkg.version}` : "unknown";
 
   // 1. Broadcast "complete" so the UI clears the progress spinner
   await broadcastUpgradeEvent(
@@ -911,7 +902,7 @@ export async function upgrade(): Promise<void> {
     await broadcastUpgradeEvent(
       entry.runtimeUrl,
       entry.assistantId,
-      buildCompleteEvent(entry.serviceGroupVersion ?? "unknown", false),
+      buildCompleteEvent("unknown", false),
     );
     emitCliError(categorizeUpgradeError(err), "Upgrade failed", detail);
     process.exit(1);

package/src/commands/wake.ts

@@ -6,6 +6,7 @@ import {
   saveAssistantEntry,
 } from "../lib/assistant-config.js";
 import { dockerResourceNames, wakeContainers } from "../lib/docker.js";
+import { seedGuardianTokenFromSiblingEnv } from "../lib/guardian-token.js";
 import { isProcessAlive, stopProcessByPidFile } from "../lib/process";
 import {
   generateLocalSigningKey,
@@ -182,19 +183,33 @@ export async function wake(): Promise<void> {
     }
   }
 
+  // Self-heal the guardian token when the current environment's config dir
+  // is missing it. Hatch cross-writes the lockfile across env dirs but the
+  // guardian token is only persisted under the hatch-time env, so a desktop
+  // app built under a different VELLUM_ENVIRONMENT can't find a bearer and
+  // cascades into 401 → auth-rate-limit → 429. A sibling env copy is cheap
+  // and strictly additive.
+  if (seedGuardianTokenFromSiblingEnv(entry.assistantId)) {
+    console.log("   Seeded guardian token from sibling environment.");
+  }
+
   // Auto-start ngrok if webhook integrations (e.g. Telegram) are configured.
-  // Set BASE_DATA_DIR so ngrok reads the correct instance config.
+  // Scope BASE_DATA_DIR to the woken instance so ngrok reads the correct
+  // instance config, then restore on any exit path.
   const prevBaseDataDir = process.env.BASE_DATA_DIR;
   process.env.BASE_DATA_DIR = resources.instanceDir;
-  const ngrokChild = await maybeStartNgrokTunnel(resources.gatewayPort);
-  if (ngrokChild?.pid) {
-    const ngrokPidFile = join(resources.instanceDir, ".vellum", "ngrok.pid");
-    writeFileSync(ngrokPidFile, String(ngrokChild.pid));
-  }
-  if (prevBaseDataDir !== undefined) {
-    process.env.BASE_DATA_DIR = prevBaseDataDir;
-  } else {
-    delete process.env.BASE_DATA_DIR;
+  try {
+    const ngrokChild = await maybeStartNgrokTunnel(resources.gatewayPort);
+    if (ngrokChild?.pid) {
+      const ngrokPidFile = join(resources.instanceDir, ".vellum", "ngrok.pid");
+      writeFileSync(ngrokPidFile, String(ngrokChild.pid));
+    }
+  } finally {
+    if (prevBaseDataDir !== undefined) {
+      process.env.BASE_DATA_DIR = prevBaseDataDir;
+    } else {
+      delete process.env.BASE_DATA_DIR;
+    }
   }
 
   console.log("Wake complete.");

package/src/components/DefaultMainScreen.tsx

@@ -1939,8 +1939,14 @@ function ChatApp({
             );
           }
 
+          let username: string;
+          try {
+            username = userInfo().username;
+          } catch {
+            username = "";
+          }
           const hostId = createHash("sha256")
-            .update(hostname() + userInfo().username)
+            .update(hostname() + username)
             .digest("hex");
           const payload = JSON.stringify({
             type: "vellum-assistant",