@vellumai/cli 0.6.4 → 0.6.6

package/src/lib/local.ts

@@ -1076,6 +1076,7 @@ export async function startGateway(
     // (mirrors the daemon env setup).
     ...(resources
       ? {
+          BASE_DATA_DIR: resources.instanceDir,
           VELLUM_WORKSPACE_DIR: join(
             resources.instanceDir,
             ".vellum",

package/src/lib/platform-client.ts

@@ -222,6 +222,140 @@ export async function ensureSelfHostedLocalRegistration(
   return (await response.json()) as EnsureRegistrationResponse;
 }
 
+// ---------------------------------------------------------------------------
+// API key reprovisioning
+// ---------------------------------------------------------------------------
+
+export interface ReprovisionApiKeyResponse {
+  provisioning: {
+    assistant_api_key: string;
+  };
+}
+
+/**
+ * Reprovision (rotate) the API key for a self-hosted local assistant.
+ *
+ * Calls `POST /v1/assistants/self-hosted-local/reprovision-api-key/`.
+ * Returns a fresh API key. The previous key is revoked server-side.
+ */
+export async function reprovisionAssistantApiKey(
+  token: string,
+  organizationId: string,
+  clientInstallationId: string,
+  runtimeAssistantId: string,
+  clientPlatform: string,
+  assistantVersion?: string,
+  platformUrl?: string,
+): Promise<ReprovisionApiKeyResponse> {
+  const resolvedUrl = platformUrl || getPlatformUrl();
+  const body: Record<string, string> = {
+    client_installation_id: clientInstallationId,
+    runtime_assistant_id: runtimeAssistantId,
+    client_platform: clientPlatform,
+  };
+  if (assistantVersion) {
+    body.assistant_version = assistantVersion;
+  }
+
+  const response = await fetch(
+    `${resolvedUrl}/v1/assistants/self-hosted-local/reprovision-api-key/`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        "X-Session-Token": token,
+        "Vellum-Organization-Id": organizationId,
+      },
+      body: JSON.stringify(body),
+    },
+  );
+
+  if (response.status === 401 || response.status === 403) {
+    throw new Error("Authentication required for API key reprovisioning.");
+  }
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => "");
+    throw new Error(
+      `API key reprovisioning failed (${response.status}): ${detail || response.statusText}`,
+    );
+  }
+
+  return (await response.json()) as ReprovisionApiKeyResponse;
+}
+
+// ---------------------------------------------------------------------------
+// Credential reading from running assistant via gateway
+// ---------------------------------------------------------------------------
+
+export interface GatewayCredentialResult {
+  /** The credential value, if found. */
+  value: string | null;
+  /** True when the gateway/daemon was unreachable (network error, timeout, etc.). */
+  unreachable: boolean;
+}
+
+/**
+ * Read an existing credential from the assistant's secret store via the
+ * gateway-proxied `POST /v1/secrets/read` endpoint (with `reveal: true`).
+ *
+ * Returns a result distinguishing "key not found" (`value: null,
+ * unreachable: false`) from "gateway unreachable" (`value: null,
+ * unreachable: true`). Callers should only reprovision when the gateway
+ * is reachable but the key is genuinely missing — reprovisioning while
+ * the gateway is down would revoke the old key server-side without being
+ * able to inject the replacement.
+ *
+ * Never throws.
+ */
+export async function readGatewayCredential(
+  gatewayUrl: string,
+  name: string,
+  bearerToken?: string,
+): Promise<GatewayCredentialResult> {
+  try {
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+    };
+    if (bearerToken) {
+      headers["Authorization"] = `Bearer ${bearerToken}`;
+    }
+
+    const response = await fetch(`${gatewayUrl}/v1/secrets/read`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({ type: "credential", name, reveal: true }),
+      signal: AbortSignal.timeout(10_000),
+    });
+
+    if (!response.ok) {
+      // 5xx means the gateway/daemon backend is down — treat as unreachable
+      // so callers don't revoke a potentially valid key.
+      return { value: null, unreachable: response.status >= 500 };
+    }
+
+    const json = (await response.json()) as {
+      found: boolean;
+      value?: string;
+      unreachable?: boolean;
+    };
+    // The daemon's /v1/secrets/read returns `unreachable: true` when the
+    // credential backend (CES) can't be reached. Respect that signal.
+    if (json.unreachable) {
+      return { value: null, unreachable: true };
+    }
+    return {
+      value: json.found && json.value ? json.value : null,
+      unreachable: false,
+    };
+  } catch {
+    // Network error, timeout, or gateway down
+    return { value: null, unreachable: true };
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Credential injection into running assistant via gateway
 // ---------------------------------------------------------------------------

package/src/{commands → lib}/ssh-apple-container.ts

@@ -1,13 +1,17 @@
 import { createConnection } from "net";
 import { existsSync } from "fs";
 
-import type { AssistantEntry } from "../lib/assistant-config";
+import type { AssistantEntry } from "./assistant-config";
 
 /**
  * Connect to an Apple Container assistant via its management socket.
  * Sends a JSON handshake then relays stdin/stdout in raw mode.
  */
-export async function sshAppleContainer(entry: AssistantEntry): Promise<void> {
+export async function sshAppleContainer(
+  entry: AssistantEntry,
+  command?: string[],
+  service?: string,
+): Promise<void> {
   const mgmtSocket = entry.mgmtSocket as string | undefined;
   if (!mgmtSocket) {
     console.error(
@@ -34,8 +38,8 @@ export async function sshAppleContainer(entry: AssistantEntry): Promise<void> {
 
   const handshake =
     JSON.stringify({
-      command: ["/bin/bash"],
-      service: "vellum-assistant",
+      command: command && command.length > 0 ? command : ["/bin/bash"],
+      service: service || "vellum-assistant",
       cols,
       rows,
     }) + "\n";

package/src/lib/terminal-client.ts

@@ -0,0 +1,177 @@
+/**
+ * Platform terminal API client.
+ *
+ * Wraps the Django terminal session endpoints that proxy through vembda to
+ * open K8s exec streams into managed assistant containers. Same transport
+ * the web UI's xterm.js terminal uses.
+ */
+
+import { authHeaders, getPlatformUrl } from "./platform-client.js";
+
+// ---------------------------------------------------------------------------
+// Create / Close
+// ---------------------------------------------------------------------------
+
+export async function createTerminalSession(
+  token: string,
+  assistantId: string,
+  cols: number,
+  rows: number,
+  platformUrl?: string,
+): Promise<{ session_id: string }> {
+  const baseUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${baseUrl}/v1/assistants/${assistantId}/terminal/sessions/`,
+    {
+      method: "POST",
+      headers: await authHeaders(token, platformUrl),
+      body: JSON.stringify({ cols, rows }),
+    },
+  );
+  if (!response.ok) {
+    const detail = await response.text().catch(() => "");
+    throw new Error(
+      `Failed to create terminal session (${response.status}): ${detail || response.statusText}`,
+    );
+  }
+  return (await response.json()) as { session_id: string };
+}
+
+export async function closeTerminalSession(
+  token: string,
+  assistantId: string,
+  sessionId: string,
+  platformUrl?: string,
+): Promise<void> {
+  const baseUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${baseUrl}/v1/assistants/${assistantId}/terminal/sessions/${sessionId}/`,
+    {
+      method: "DELETE",
+      headers: await authHeaders(token, platformUrl),
+    },
+  );
+  // 404 = already closed, treat as success
+  if (!response.ok && response.status !== 404) {
+    throw new Error(
+      `Failed to close terminal session (${response.status}): ${response.statusText}`,
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Input / Resize
+// ---------------------------------------------------------------------------
+
+export async function sendTerminalInput(
+  token: string,
+  assistantId: string,
+  sessionId: string,
+  data: string,
+  platformUrl?: string,
+): Promise<void> {
+  const baseUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${baseUrl}/v1/assistants/${assistantId}/terminal/sessions/${sessionId}/input/`,
+    {
+      method: "POST",
+      headers: await authHeaders(token, platformUrl),
+      body: JSON.stringify({ data }),
+    },
+  );
+  if (!response.ok) {
+    throw new Error(
+      `Failed to send terminal input (${response.status}): ${response.statusText}`,
+    );
+  }
+}
+
+export async function resizeTerminalSession(
+  token: string,
+  assistantId: string,
+  sessionId: string,
+  cols: number,
+  rows: number,
+  platformUrl?: string,
+): Promise<void> {
+  const baseUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${baseUrl}/v1/assistants/${assistantId}/terminal/sessions/${sessionId}/resize/`,
+    {
+      method: "POST",
+      headers: await authHeaders(token, platformUrl),
+      body: JSON.stringify({ cols, rows }),
+    },
+  );
+  if (!response.ok) {
+    throw new Error(
+      `Failed to resize terminal (${response.status}): ${response.statusText}`,
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// SSE event stream
+// ---------------------------------------------------------------------------
+
+export interface TerminalOutputEvent {
+  seq: number;
+  /** Base64-encoded PTY output bytes. */
+  data: string;
+}
+
+/**
+ * Subscribe to the terminal output SSE stream. Yields parsed events as they
+ * arrive. The generator completes when the stream ends or is aborted.
+ */
+export async function* subscribeTerminalEvents(
+  token: string,
+  assistantId: string,
+  sessionId: string,
+  platformUrl?: string,
+  signal?: AbortSignal,
+): AsyncGenerator<TerminalOutputEvent> {
+  const baseUrl = platformUrl || getPlatformUrl();
+  const response = await fetch(
+    `${baseUrl}/v1/assistants/${assistantId}/terminal/sessions/${sessionId}/events/`,
+    {
+      headers: await authHeaders(token, platformUrl),
+      signal,
+    },
+  );
+
+  if (!response.ok || !response.body) {
+    throw new Error(
+      `SSE connection failed (${response.status}): ${response.statusText}`,
+    );
+  }
+
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  let buffer = "";
+
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      // Keep the last incomplete line in the buffer
+      buffer = lines.pop() ?? "";
+
+      for (const line of lines) {
+        const trimmed = line.trimEnd();
+        if (trimmed.startsWith("data: ")) {
+          try {
+            yield JSON.parse(trimmed.slice(6)) as TerminalOutputEvent;
+          } catch {
+            // Skip malformed SSE frames
+          }
+        }
+      }
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}

package/src/shared/provider-env-vars.ts

@@ -1,19 +1,43 @@
 /**
  * Provider API key environment variable names, keyed by provider ID.
  *
- * Keep in sync with:
- *   - assistant/src/shared/provider-env-vars.ts
- *   - meta/provider-env-vars.json  (consumed by the macOS client build)
+ * Two sources are merged into a single combined map:
  *
- * Once a consolidated shared package exists in packages/, all three
- * copies can be replaced by a single import.
+ *   1. Search-provider env vars — sourced from `meta/provider-env-vars.json`
+ *      (single source of truth, also bundled into the macOS client).
+ *   2. LLM-provider env vars — sourced from `PROVIDER_CATALOG` in
+ *      `assistant/src/providers/model-catalog.ts` via a locally-maintained
+ *      mirror (the CLI does not import from `assistant/src/`; drift is caught
+ *      by `cli/src/__tests__/llm-provider-env-var-parity.test.ts`).
+ *
+ * The combined map is what cloud-infra code (docker.ts, aws.ts, gcp.ts)
+ * iterates to forward provider API keys from the caller's environment into
+ * containers / VMs. Keeping both kinds of provider env vars in one map means
+ * the infra call sites don't need to know which kind is which — they just
+ * forward every value whose env var is set.
  */
-export const PROVIDER_ENV_VAR_NAMES: Record<string, string> = {
+
+/** LLM provider env var names. Mirrors `PROVIDER_CATALOG` entries with an `envVar`. */
+export const LLM_PROVIDER_ENV_VAR_NAMES: Record<string, string> = {
   anthropic: "ANTHROPIC_API_KEY",
   openai: "OPENAI_API_KEY",
   gemini: "GEMINI_API_KEY",
   fireworks: "FIREWORKS_API_KEY",
   openrouter: "OPENROUTER_API_KEY",
+};
+
+/** Search-provider env var names. Mirrors `meta/provider-env-vars.json`. */
+export const SEARCH_PROVIDER_ENV_VAR_NAMES: Record<string, string> = {
   brave: "BRAVE_API_KEY",
   perplexity: "PERPLEXITY_API_KEY",
 };
+
+/**
+ * Combined provider env var names — the union of LLM and search providers.
+ * Used by the cloud-infra flows (docker/aws/gcp) to forward every supported
+ * provider API key from the caller's environment.
+ */
+export const PROVIDER_ENV_VAR_NAMES: Record<string, string> = {
+  ...LLM_PROVIDER_ENV_VAR_NAMES,
+  ...SEARCH_PROVIDER_ENV_VAR_NAMES,
+};