@vellumai/cli 0.6.6 → 0.7.0

package/AGENTS.md

@@ -41,6 +41,12 @@ Every command must have high-quality `--help` output. Follow the same standards
    AI agents parse help text to decide which command to run and how. Avoid vague
    language — say exactly what the command does and where state is stored.
 
+## Boundary: No integration-specific references
+
+The CLI is a generic lifecycle manager. It must **never** contain references to specific skills, integrations, or features (e.g. "Meet", "Slack", "Telegram"). Environment variables, volume mounts, and device passthroughs defined here must use generic names (e.g. `VELLUM_AVATAR_DEVICE`, not `VELLUM_MEET_AVATAR_DEVICE`). The skill that uses a resource decides how to interpret it — the CLI just passes it through.
+
+Cross-package imports into `skills/` are forbidden. The CLI is distributed as an npm package; anything outside `cli/` is not included in the tarball and will fail to resolve at runtime.
+
 ## Boundary: No `.vellum/` directory access
 
 The CLI must **never** read from or write to the `.vellum/` directory (e.g. `~/.vellum/protected/`, `<instanceDir>/.vellum/`). That directory structure is an **assistant daemon / gateway implementation detail**. The CLI's job is to spawn those processes and pass configuration via environment variables — not to reach into their internal storage.
@@ -62,9 +68,9 @@ The CLI creates and manages Docker volumes for containerized instances. See the
 **Meet Docker-in-Docker support** (assistant container only): The assistant container runs an inner `dockerd` that hosts the Meet-bot containers as nested children. The CLI supports this by:
 
 - Creating a dedicated `<name>-dockerd-data` volume mounted at `/var/lib/docker` so pulled images and container state persist across assistant restarts.
-- Running the assistant container with `--privileged` (or `CAP_SYS_ADMIN` + `CAP_NET_ADMIN`) so the inner dockerd can configure cgroups, overlay mounts, and container networking.
+- Running the assistant container with `CAP_SYS_ADMIN` + `CAP_NET_ADMIN` plus `--security-opt seccomp=unconfined` + `--security-opt apparmor=unconfined` so the inner dockerd can configure cgroups, overlay mounts, and container networking without the default seccomp profile blocking clone/unshare/pivot_root syscalls or the default AppArmor profile denying its mount operations. `--privileged` is deliberately avoided — dropping it shrinks the escape surface by withholding the rest of the host capability set and access to host device nodes.
 - No longer bind-mounting the host's `/var/run/docker.sock`; Meet-bot spawning happens entirely inside the assistant container.
 
 Both are wired in `serviceDockerRunArgs()` in `lib/docker.ts`.
 
-The privileged assistant container is acceptable for single-user local deployments. Managed/multi-tenant mode needs a different spawn model (e.g. a Kubernetes job runner) and is out of scope for this CLI.
+This capability + security-opt set is acceptable for single-user local deployments. Managed/multi-tenant mode needs a different spawn model (e.g. a Kubernetes job runner) and is out of scope for this CLI.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.6.6",
+  "version": "0.7.0",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {

package/src/__tests__/assistant-config.test.ts

@@ -216,7 +216,7 @@ describe("migrateLegacyEntry", () => {
   test("synthesises full resources when none exist", () => {
     /**
      * Tests that a legacy local entry with no resources object gets a
-     * complete resources object synthesised with default ports and pidFile.
+     * complete resources object synthesised with default ports.
      */
 
     // GIVEN a local entry with no resources
@@ -239,7 +239,6 @@ describe("migrateLegacyEntry", () => {
     expect(resources.gatewayPort).toBe(7830);
     expect(resources.qdrantPort).toBe(6333);
     expect(resources.cesPort).toBe(8090);
-    expect(resources.pidFile).toContain("vellum.pid");
   });
 
   test("infers gateway port from runtimeUrl", () => {
@@ -312,7 +311,6 @@ describe("migrateLegacyEntry", () => {
     expect(resources.gatewayPort).toBe(7830);
     expect(resources.qdrantPort).toBe(6333);
     expect(resources.cesPort).toBe(8090);
-    expect(resources.pidFile).toBe("/custom/path/.vellum/vellum.pid");
   });
 
   test("does not overwrite existing resources fields", () => {
@@ -331,7 +329,6 @@ describe("migrateLegacyEntry", () => {
         gatewayPort: 8001,
         qdrantPort: 8002,
         cesPort: 8003,
-        pidFile: "/my/path/.vellum/vellum.pid",
       },
     };
 
@@ -366,7 +363,6 @@ describe("migrateLegacyEntry", () => {
         daemonPort: 7821,
         gatewayPort: 7830,
         qdrantPort: 6333,
-        pidFile: "/new/path/.vellum/vellum.pid",
       },
     };
 
@@ -393,7 +389,6 @@ describe("migrateLegacyEntry", () => {
         daemonPort: 7821,
         gatewayPort: 7830,
         qdrantPort: 6333,
-        pidFile: "/custom/path/.vellum/vellum.pid",
       },
     };
     // WHEN we migrate the entry
@@ -415,7 +410,6 @@ describe("migrateLegacyEntry", () => {
         gatewayPort: 8001,
         qdrantPort: 8002,
         cesPort: 9090,
-        pidFile: "/my/path/.vellum/vellum.pid",
       },
     };
     const changed = migrateLegacyEntry(entry);

package/src/__tests__/config-utils.test.ts

@@ -0,0 +1,159 @@
+import { describe, expect, test } from "bun:test";
+
+import { buildInitialConfig, buildNestedConfig } from "../lib/config-utils.js";
+
+describe("config-utils", () => {
+  test("buildNestedConfig only converts dot-notation values", () => {
+    expect(
+      buildNestedConfig({
+        "llm.default.provider": "anthropic",
+        "llm.default.model": "claude-sonnet-4-6",
+      }),
+    ).toEqual({
+      llm: {
+        default: {
+          provider: "anthropic",
+          model: "claude-sonnet-4-6",
+        },
+      },
+    });
+  });
+
+  test("buildInitialConfig seeds mainAgent callSite for Anthropic default", () => {
+    expect(
+      buildInitialConfig({
+        "llm.default.provider": "anthropic",
+        "llm.default.model": "claude-opus-4-7",
+      }),
+    ).toEqual({
+      llm: {
+        default: {
+          provider: "anthropic",
+          model: "claude-opus-4-7",
+        },
+        callSites: {
+          mainAgent: {
+            model: "claude-opus-4-7",
+            maxTokens: 32000,
+          },
+        },
+      },
+    });
+  });
+
+  test("buildInitialConfig seeds Opus when provider falls back to Anthropic", () => {
+    expect(
+      buildInitialConfig({
+        "services.inference.mode": "managed",
+      }),
+    ).toEqual({
+      services: {
+        inference: {
+          mode: "managed",
+        },
+      },
+      llm: {
+        callSites: {
+          mainAgent: {
+            model: "claude-opus-4-7",
+            maxTokens: 32000,
+          },
+        },
+      },
+    });
+  });
+
+  test("buildInitialConfig preserves explicit mainAgent overrides", () => {
+    expect(
+      buildInitialConfig({
+        "llm.default.provider": "anthropic",
+        "llm.default.model": "claude-opus-4-7",
+        "llm.callSites.mainAgent.model": "claude-haiku-4-5-20251001",
+      }),
+    ).toEqual({
+      llm: {
+        default: {
+          provider: "anthropic",
+          model: "claude-opus-4-7",
+        },
+        callSites: {
+          mainAgent: {
+            model: "claude-haiku-4-5-20251001",
+          },
+        },
+      },
+    });
+  });
+
+  test("buildInitialConfig respects explicit non-default Anthropic models", () => {
+    expect(
+      buildInitialConfig({
+        "llm.default.provider": "anthropic",
+        "llm.default.model": "claude-haiku-4-5-20251001",
+      }),
+    ).toEqual({
+      llm: {
+        default: {
+          provider: "anthropic",
+          model: "claude-haiku-4-5-20251001",
+        },
+      },
+    });
+  });
+
+  test("buildInitialConfig respects active profile provider overrides", () => {
+    expect(
+      buildInitialConfig({
+        "llm.activeProfile": "fast",
+        "llm.profiles.fast.provider": "openai",
+        "llm.profiles.fast.model": "gpt-5.5",
+      }),
+    ).toEqual({
+      llm: {
+        activeProfile: "fast",
+        profiles: {
+          fast: {
+            provider: "openai",
+            model: "gpt-5.5",
+          },
+        },
+      },
+    });
+  });
+
+  test("buildInitialConfig uses active profile model when deciding to seed", () => {
+    expect(
+      buildInitialConfig({
+        "llm.activeProfile": "fast",
+        "llm.profiles.fast.provider": "anthropic",
+        "llm.profiles.fast.model": "claude-haiku-4-5-20251001",
+      }),
+    ).toEqual({
+      llm: {
+        activeProfile: "fast",
+        profiles: {
+          fast: {
+            provider: "anthropic",
+            model: "claude-haiku-4-5-20251001",
+          },
+        },
+      },
+    });
+  });
+
+  test("buildInitialConfig does not seed Opus for non-Anthropic providers", () => {
+    expect(
+      buildInitialConfig({
+        "llm.default.provider": "openai",
+        "llm.default.model": "gpt-5.5",
+      }),
+    ).toEqual({
+      llm: {
+        default: {
+          provider: "openai",
+          model: "gpt-5.5",
+        },
+      },
+    });
+  });
+});

package/src/__tests__/env-drift.test.ts

@@ -4,25 +4,21 @@ import { join } from "node:path";
 
 import { SEEDS } from "../lib/environments/seeds.js";
 
-// Drift guard for the three TypeScript sites that each hardcode the set of
-// known environment names:
+// Drift guard for the TypeScript sites that hardcode the set of known
+// environment names:
 //
-//   1. cli/src/lib/environments/seeds.ts          — SEEDS record (source of truth)
-//   2. assistant/src/util/platform.ts             — KNOWN_ENVIRONMENTS set
-//   3. clients/chrome-extension/native-host/
-//         src/lockfile.ts                         — NON_PRODUCTION_ENVIRONMENTS set
+//   1. cli/src/lib/environments/seeds.ts  — SEEDS record (source of truth)
+//   2. assistant/src/util/platform.ts     — KNOWN_ENVIRONMENTS set
 //
 // Cross-package relative imports don't work here: assistant's tsconfig
-// restricts `include` to its own src tree, and the native host is a
-// standalone TS project with `rootDir: ./src`. So this test parses the
-// literal sets out of the two external files and asserts they agree with
-// CLI's SEEDS.
+// restricts `include` to its own src tree. So this test parses the literal
+// set out of the external file and asserts it agrees with CLI's SEEDS.
 //
 // FOLLOW-UP: split the env name list into a shared `packages/environments`
-// package (mirroring `packages/ces-contracts`, `credential-storage`) so
-// all three sites can `import { KNOWN_ENVIRONMENTS }` from one place and
-// this drift guard becomes a compile-time check. Planned alongside CLI-
-// driven context support — see the "Environments" design doc.
+// package (mirroring `packages/service-contracts`, `credential-storage`) so
+// both sites can `import { KNOWN_ENVIRONMENTS }` from one place and this
+// drift guard becomes a compile-time check. Planned alongside CLI-driven
+// context support — see the "Environments" design doc.
 
 const REPO_ROOT = join(import.meta.dir, "..", "..", "..");
 const ASSISTANT_PLATFORM = join(
@@ -32,14 +28,6 @@ const ASSISTANT_PLATFORM = join(
   "util",
   "platform.ts",
 );
-const NATIVE_HOST_LOCKFILE = join(
-  REPO_ROOT,
-  "clients",
-  "chrome-extension",
-  "native-host",
-  "src",
-  "lockfile.ts",
-);
 
 /**
  * Extract the string literals from a Set constructor body in a TS source
@@ -74,14 +62,4 @@ describe("KNOWN_ENVIRONMENTS drift guard (TS-side)", () => {
     );
     expect([...assistantNames].sort()).toEqual([...seedNames].sort());
   });
-
-  test("native-host/src/lockfile.ts NON_PRODUCTION_ENVIRONMENTS matches CLI SEEDS minus production", () => {
-    const source = readFileSync(NATIVE_HOST_LOCKFILE, "utf8");
-    const nativeNames = new Set(
-      extractSetLiterals(source, "NON_PRODUCTION_ENVIRONMENTS"),
-    );
-    const expected = new Set(seedNames);
-    expected.delete("production");
-    expect([...nativeNames].sort()).toEqual([...expected].sort());
-  });
 });

package/src/__tests__/llm-provider-env-var-parity.test.ts

@@ -2,10 +2,7 @@ import { readFileSync } from "node:fs";
 import { join } from "node:path";
 import { describe, expect, test } from "bun:test";
 
-import {
-  LLM_PROVIDER_ENV_VAR_NAMES,
-  SEARCH_PROVIDER_ENV_VAR_NAMES,
-} from "../shared/provider-env-vars.js";
+import { LLM_PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 
 /**
  * Drift guard for the CLI-side LLM provider env-var mirror.
@@ -16,8 +13,6 @@ import {
  * `meta/llm-provider-catalog.json` — which is kept in sync with
  * `PROVIDER_CATALOG` by `assistant/src/__tests__/llm-catalog-parity.test.ts` —
  * and asserts the CLI's mirror matches the catalog's `envVar` entries.
- *
- * It also asserts the search-provider mirror matches `meta/provider-env-vars.json`.
  */
 
 const REPO_ROOT = join(import.meta.dir, "..", "..", "..");
@@ -32,21 +27,11 @@ interface LlmCatalog {
   providers: LlmCatalogEntry[];
 }
 
-interface SearchProviderRegistry {
-  version: number;
-  providers: Record<string, string>;
-}
-
 function loadLlmCatalog(): LlmCatalog {
   const path = join(REPO_ROOT, "meta", "llm-provider-catalog.json");
   return JSON.parse(readFileSync(path, "utf-8"));
 }
 
-function loadSearchProviderRegistry(): SearchProviderRegistry {
-  const path = join(REPO_ROOT, "meta", "provider-env-vars.json");
-  return JSON.parse(readFileSync(path, "utf-8"));
-}
-
 describe("CLI provider env-var parity", () => {
   test("LLM_PROVIDER_ENV_VAR_NAMES matches meta/llm-provider-catalog.json entries with envVar", () => {
     const catalog = loadLlmCatalog();
@@ -56,9 +41,4 @@ describe("CLI provider env-var parity", () => {
     }
     expect(LLM_PROVIDER_ENV_VAR_NAMES).toEqual(expected);
   });
-
-  test("SEARCH_PROVIDER_ENV_VAR_NAMES matches meta/provider-env-vars.json", () => {
-    const registry = loadSearchProviderRegistry();
-    expect(SEARCH_PROVIDER_ENV_VAR_NAMES).toEqual(registry.providers);
-  });
 });

package/src/__tests__/multi-local.test.ts

@@ -114,11 +114,6 @@ describe("multi-local", () => {
         expect(res.daemonPort).toBe(DEFAULT_DAEMON_PORT);
         expect(res.gatewayPort).toBe(DEFAULT_GATEWAY_PORT);
         expect(res.qdrantPort).toBe(DEFAULT_QDRANT_PORT);
-
-        // AND the PID file is under the instance's .vellum/
-        expect(res.pidFile).toBe(
-          join(res.instanceDir, ".vellum", "vellum.pid"),
-        );
       } finally {
         if (prevXdg !== undefined) {
           process.env.XDG_DATA_HOME = prevXdg;

package/src/__tests__/sleep.test.ts

@@ -52,7 +52,6 @@ function writeLockfile(): void {
               daemonPort: DEFAULT_DAEMON_PORT,
               gatewayPort: DEFAULT_GATEWAY_PORT,
               qdrantPort: DEFAULT_QDRANT_PORT,
-              pidFile: join(assistantRootDir, "vellum.pid"),
             },
           },
         ],
@@ -158,7 +157,7 @@ describe("sleep command", () => {
     expect(stopProcessByPidFileMock).toHaveBeenCalledTimes(2);
     expect(stopProcessByPidFileMock).toHaveBeenNthCalledWith(
       1,
-      join(assistantRootDir, "vellum.pid"),
+      join(assistantRootDir, "workspace", "vellum.pid"),
       "assistant",
     );
     expect(stopProcessByPidFileMock).toHaveBeenNthCalledWith(