@vellumai/cli 0.7.0 → 0.7.2

package/src/lib/config-utils.ts

@@ -2,11 +2,6 @@ import { writeFileSync } from "fs";
 import { tmpdir } from "os";
 import { join } from "path";
 
-const ANTHROPIC_PROVIDER = "anthropic";
-const ANTHROPIC_DEFAULT_MODEL = "claude-opus-4-7";
-const MAIN_AGENT_OPUS_MODEL = "claude-opus-4-7";
-const MAIN_AGENT_OPUS_MAX_TOKENS = 32000;
-
 /**
  * Convert flat dot-notation key=value pairs into a nested config object.
  *
@@ -37,20 +32,6 @@ export function buildNestedConfig(
   return config;
 }
 
-/**
- * Build the first-boot workspace config overlay passed to the assistant during
- * hatch. Anthropic onboarding sets `llm.default.model` to Sonnet so background
- * fallback work stays cheaper, while the main conversation thread should remain
- * on Opus via the same call-site override seeded by workspace migration 050.
- */
-export function buildInitialConfig(
-  configValues: Record<string, string>,
-): Record<string, unknown> {
-  const config = buildNestedConfig(configValues);
-  seedAnthropicMainAgentCallSite(config);
-  return config;
-}
-
 /**
  * Write arbitrary key-value pairs to a temporary JSON file and return its
  * path. The caller passes this path to the daemon via the
@@ -68,7 +49,7 @@ export function writeInitialConfig(
 ): string | undefined {
   if (Object.keys(configValues).length === 0) return undefined;
 
-  const config = buildInitialConfig(configValues);
+  const config = buildNestedConfig(configValues);
   const tempPath = join(
     tmpdir(),
     `vellum-default-workspace-config-${process.pid}-${Date.now()}.json`,
@@ -76,80 +57,3 @@ export function writeInitialConfig(
   writeFileSync(tempPath, JSON.stringify(config, null, 2) + "\n");
   return tempPath;
 }
-
-function seedAnthropicMainAgentCallSite(config: Record<string, unknown>): void {
-  const llm = ensureObject(config, "llm");
-
-  const existingCallSites = readObject(llm.callSites);
-  if (existingCallSites !== null && "mainAgent" in existingCallSites) return;
-
-  const { provider, model } = resolveInitialMainAgentBaseSelection(llm);
-  if (provider !== ANTHROPIC_PROVIDER) return;
-
-  if (
-    model !== undefined &&
-    model !== ANTHROPIC_DEFAULT_MODEL &&
-    model !== MAIN_AGENT_OPUS_MODEL
-  ) {
-    return;
-  }
-
-  const callSites = ensureObject(llm, "callSites");
-
-  callSites.mainAgent = {
-    model: MAIN_AGENT_OPUS_MODEL,
-    maxTokens: MAIN_AGENT_OPUS_MAX_TOKENS,
-  };
-}
-
-function resolveInitialMainAgentBaseSelection(llm: Record<string, unknown>): {
-  provider: string;
-  model?: string;
-} {
-  const defaultBlock = readObject(llm.default);
-  let provider = readString(defaultBlock?.provider) ?? ANTHROPIC_PROVIDER;
-  let model = readString(defaultBlock?.model);
-
-  const profiles = readObject(llm.profiles);
-  const activeProfileName = readString(llm.activeProfile);
-  const activeProfile =
-    profiles !== null && activeProfileName !== undefined
-      ? readObject(profiles[activeProfileName])
-      : null;
-
-  if (activeProfile !== null) {
-    provider = readString(activeProfile.provider) ?? provider;
-    model = readString(activeProfile.model) ?? model;
-  }
-
-  return model === undefined ? { provider } : { provider, model };
-}
-
-function ensureObject(
-  parent: Record<string, unknown>,
-  key: string,
-): Record<string, unknown> {
-  const existing = parent[key];
-  if (
-    existing != null &&
-    typeof existing === "object" &&
-    !Array.isArray(existing)
-  ) {
-    return existing as Record<string, unknown>;
-  }
-
-  const next: Record<string, unknown> = {};
-  parent[key] = next;
-  return next;
-}
-
-function readObject(value: unknown): Record<string, unknown> | null {
-  if (value == null || typeof value !== "object" || Array.isArray(value)) {
-    return null;
-  }
-  return value as Record<string, unknown>;
-}
-
-function readString(value: unknown): string | undefined {
-  return typeof value === "string" && value.length > 0 ? value : undefined;
-}

package/src/lib/docker-statefulset.ts

@@ -0,0 +1,381 @@
+/**
+ * Declarative StatefulSet spec for the Docker service group.
+ *
+ * Mirrors the schema of the platform's `stateful_template.yaml` (vembda).
+ * Container names, volume names, and env var names are kept in sync with
+ * the K8s template so the two topologies are auditable side-by-side.
+ *
+ * This file is self-contained — it does not import from `docker.ts` to
+ * avoid a circular dependency. Constants are inlined from their definitions
+ * in `docker.ts` and must be kept in sync if those change.
+ */
+
+import { existsSync } from "fs";
+
+import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
+
+// ---------------------------------------------------------------------------
+// Constants (mirrored from docker.ts — keep in sync)
+// ---------------------------------------------------------------------------
+
+const GATEWAY_INTERNAL_PORT = 7830;
+const ASSISTANT_INTERNAL_PORT = 7821;
+const AVATAR_DEVICE_ENV_VAR = "VELLUM_AVATAR_DEVICE";
+
+/** Logical service name used throughout the CLI. */
+export type ServiceName = "assistant" | "gateway" | "credential-executor";
+
+/**
+ /**
+  * The four fields from `dockerResourceNames()` that the builder actually uses.
+  * Container/network names come from here; volume names are generated by the
+  * `volumeClaimTemplates` in the spec. `ReturnType<typeof dockerResourceNames>`
+  * structurally satisfies this interface (it has all these fields plus more).
+  */
+ export interface DockerResourceNames {
+   assistantContainer: string;
+   cesContainer: string;
+   gatewayContainer: string;
+   network: string;
+ }
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+/** A static env var whose value is known at spec-definition time. */
+interface StaticEnv {
+  kind: "static";
+  name: string;
+  value: string;
+}
+
+/**
+ * An env var whose value comes from the opts object passed to
+ * `buildServiceRunArgs` at container-start time.
+ */
+interface SecretEnv {
+  kind: "secret";
+  name: string;
+  /** Key in `DockerRunSecrets`. */
+  secret: keyof DockerRunSecrets;
+}
+
+/**
+ * An env var conditionally forwarded from the host process environment.
+ * Only emitted when `process.env[hostVar]` is set.
+ * Defaults to `name` for `hostVar` when omitted.
+ */
+interface HostEnv {
+  kind: "host";
+  name: string;
+  hostVar?: string;
+}
+
+type EnvEntry = StaticEnv | SecretEnv | HostEnv;
+
+interface VolumeMount {
+  /** Logical volume name — maps to a Docker volume via `DockerVolumeClaimTemplate`. */
+  volumeName: string;
+  mountPath: string;
+  readOnly?: boolean;
+}
+
+interface PortSpec {
+  containerPort: number;
+  /**
+   * Host-side port. Literal string = use as-is. `"{{ gatewayPort }}"` is
+   * a sentinel replaced with the instance-specific gateway port at build time.
+   */
+  hostPort?: string;
+  description?: string;
+}
+
+export interface DockerContainerSpec {
+  /** K8s-style container name (matches `stateful_template.yaml`). */
+  name: string;
+  /** Internal CLI `ServiceName` key used by `SERVICE_START_ORDER`. */
+  internalName: ServiceName;
+  /**
+   * Network mode:
+   * - "bridge": owns the network (assistant only — gateway port published here).
+   * - "container": share the assistant container's network namespace.
+   */
+  network: "bridge" | "container";
+  ports?: PortSpec[];
+  env: EnvEntry[];
+  volumeMounts: VolumeMount[];
+}
+
+export interface DockerVolumeClaimTemplate {
+  name: string;
+  dockerVolume: (instanceName: string) => string;
+}
+
+export interface DockerStatefulSetSpec {
+  containers: DockerContainerSpec[];
+  startOrder: ServiceName[];
+  volumeClaimTemplates: DockerVolumeClaimTemplate[];
+  readiness: {
+    endpoint: string;
+    timeoutMs: number;
+    intervalMs: number;
+  };
+}
+
+/** Secrets injected at container-start time (from hatch / upgrade opts). */
+export interface DockerRunSecrets {
+  signingKey?: string;
+  bootstrapSecret?: string;
+  cesServiceToken?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Spec
+// ---------------------------------------------------------------------------
+
+export const DOCKER_STATEFUL_SET_SPEC: DockerStatefulSetSpec = {
+  startOrder: ["assistant", "gateway", "credential-executor"],
+
+  readiness: {
+    endpoint: "/readyz",
+    timeoutMs: 180_000,
+    intervalMs: 1_000,
+  },
+
+  volumeClaimTemplates: [
+    { name: "assistant-workspace",  dockerVolume: (n) => `${n}-workspace` },
+    { name: "ces-bootstrap-socket", dockerVolume: (n) => `${n}-socket` },
+    { name: "assistant-ipc-socket", dockerVolume: (n) => `${n}-assistant-ipc` },
+    { name: "gateway-ipc-socket",   dockerVolume: (n) => `${n}-gateway-ipc` },
+    { name: "gateway-security",     dockerVolume: (n) => `${n}-gateway-sec` },
+    { name: "ces-security",         dockerVolume: (n) => `${n}-ces-sec` },
+  ],
+
+  containers: [
+    {
+      name: "assistant-container",
+      internalName: "assistant",
+      network: "bridge",
+      ports: [
+        {
+          containerPort: GATEWAY_INTERNAL_PORT,
+          hostPort: "{{ gatewayPort }}",
+          description: "Gateway reverse-proxy (published to host)",
+        },
+        {
+          containerPort: ASSISTANT_INTERNAL_PORT,
+          hostPort: `${ASSISTANT_INTERNAL_PORT}`,
+          description: "Assistant HTTP API",
+        },
+      ],
+      env: [
+        { kind: "static", name: "IS_CONTAINERIZED",         value: "true" },
+        { kind: "static", name: "DEBUG_STDOUT_LOGS",         value: "1" },
+        { kind: "static", name: "VELLUM_CLOUD",              value: "docker" },
+        { kind: "static", name: "RUNTIME_HTTP_HOST",         value: "0.0.0.0" },
+        { kind: "static", name: "VELLUM_WORKSPACE_DIR",      value: "/workspace" },
+        { kind: "static", name: "VELLUM_BACKUP_DIR",         value: "/workspace/.backups" },
+        { kind: "static", name: "VELLUM_BACKUP_KEY_PATH",    value: "/workspace/.backup.key" },
+        { kind: "static", name: "CES_CREDENTIAL_URL",        value: "http://localhost:8090" },
+        { kind: "static", name: "GATEWAY_IPC_SOCKET_DIR",    value: "/run/gateway-ipc" },
+        { kind: "static", name: "ASSISTANT_IPC_SOCKET_DIR",  value: "/run/assistant-ipc" },
+        { kind: "secret", name: "CES_SERVICE_TOKEN",         secret: "cesServiceToken" },
+        { kind: "secret", name: "ACTOR_TOKEN_SIGNING_KEY",   secret: "signingKey" },
+        { kind: "secret", name: "GUARDIAN_BOOTSTRAP_SECRET", secret: "bootstrapSecret" },
+        // Provider API keys — forwarded from host if set
+        ...Object.values(PROVIDER_ENV_VAR_NAMES).map(
+          (v): HostEnv => ({ kind: "host", name: v }),
+        ),
+        { kind: "host", name: "VELLUM_ENVIRONMENT" },
+        { kind: "host", name: "VELLUM_PLATFORM_URL" },
+      ],
+      volumeMounts: [
+        { volumeName: "assistant-workspace",  mountPath: "/workspace" },
+        { volumeName: "ces-bootstrap-socket", mountPath: "/run/ces-bootstrap" },
+        { volumeName: "assistant-ipc-socket", mountPath: "/run/assistant-ipc" },
+        { volumeName: "gateway-ipc-socket",   mountPath: "/run/gateway-ipc" },
+      ],
+    },
+
+    {
+      name: "gateway-sidecar",
+      internalName: "gateway",
+      network: "container",
+      env: [
+        { kind: "static", name: "VELLUM_WORKSPACE_DIR",      value: "/workspace" },
+        { kind: "static", name: "GATEWAY_SECURITY_DIR",      value: "/gateway-security" },
+        { kind: "static", name: "ASSISTANT_HOST",            value: "localhost" },
+        { kind: "static", name: "CES_CREDENTIAL_URL",        value: "http://localhost:8090" },
+        { kind: "static", name: "GATEWAY_IPC_SOCKET_DIR",    value: "/run/gateway-ipc" },
+        { kind: "static", name: "ASSISTANT_IPC_SOCKET_DIR",  value: "/run/assistant-ipc" },
+        { kind: "static", name: "GATEWAY_PORT",              value: `${GATEWAY_INTERNAL_PORT}` },
+        { kind: "static", name: "RUNTIME_HTTP_PORT",         value: `${ASSISTANT_INTERNAL_PORT}` },
+        { kind: "secret", name: "CES_SERVICE_TOKEN",         secret: "cesServiceToken" },
+        { kind: "secret", name: "ACTOR_TOKEN_SIGNING_KEY",   secret: "signingKey" },
+        { kind: "secret", name: "GUARDIAN_BOOTSTRAP_SECRET", secret: "bootstrapSecret" },
+        { kind: "host",   name: "VELLUM_ENVIRONMENT" },
+        { kind: "host",   name: "VELLUM_PLATFORM_URL" },
+        { kind: "host",   name: "VELAY_BASE_URL" },
+      ],
+      volumeMounts: [
+        { volumeName: "assistant-workspace",  mountPath: "/workspace" },
+        { volumeName: "gateway-security",     mountPath: "/gateway-security" },
+        { volumeName: "assistant-ipc-socket", mountPath: "/run/assistant-ipc" },
+        { volumeName: "gateway-ipc-socket",   mountPath: "/run/gateway-ipc" },
+      ],
+    },
+
+    {
+      name: "credential-executor-sidecar",
+      internalName: "credential-executor",
+      network: "container",
+      env: [
+        { kind: "static", name: "CES_MODE",                  value: "managed" },
+        { kind: "static", name: "VELLUM_WORKSPACE_DIR",      value: "/workspace" },
+        { kind: "static", name: "CES_BOOTSTRAP_SOCKET_DIR",  value: "/run/ces-bootstrap" },
+        { kind: "static", name: "CREDENTIAL_SECURITY_DIR",   value: "/ces-security" },
+        { kind: "secret", name: "CES_SERVICE_TOKEN",         secret: "cesServiceToken" },
+      ],
+      volumeMounts: [
+        { volumeName: "assistant-workspace",  mountPath: "/workspace", readOnly: true },
+        { volumeName: "ces-bootstrap-socket", mountPath: "/run/ces-bootstrap" },
+        { volumeName: "ces-security",         mountPath: "/ces-security" },
+      ],
+    },
+  ],
+};
+
+// ---------------------------------------------------------------------------
+// Builder
+// ---------------------------------------------------------------------------
+
+export interface BuildServiceRunArgsOpts extends DockerRunSecrets {
+  gatewayPort: number;
+  imageTags: Record<ServiceName, string>;
+  instanceName: string;
+  res: DockerResourceNames;
+  extraAssistantEnv?: Record<string, string>;
+  defaultWorkspaceConfigPath?: string;
+  /** Avatar device path, if available. Injected by `docker.ts` after resolving. */
+  avatarDevicePath?: string;
+}
+
+function resolveVolume(
+  spec: DockerStatefulSetSpec,
+  instanceName: string,
+  volumeName: string,
+): string {
+  const claim = spec.volumeClaimTemplates.find((v) => v.name === volumeName);
+  if (!claim) throw new Error(`docker-statefulset: unknown volume "${volumeName}"`);
+  return claim.dockerVolume(instanceName);
+}
+
+/**
+ * Build `docker run` argument arrays for each container in the StatefulSet.
+ * Returns `Record<ServiceName, () => string[]>` — callers evaluate lazily.
+ */
+export function buildServiceRunArgs(
+  opts: BuildServiceRunArgsOpts,
+  spec = DOCKER_STATEFUL_SET_SPEC,
+): Record<ServiceName, () => string[]> {
+  const {
+    gatewayPort,
+    imageTags,
+    instanceName,
+    res,
+    extraAssistantEnv,
+    defaultWorkspaceConfigPath,
+    avatarDevicePath,
+  } = opts;
+
+  const result = {} as Record<ServiceName, () => string[]>;
+
+  for (const container of spec.containers) {
+    const svc = container.internalName;
+
+    result[svc] = () => {
+      const args: string[] = ["run", "--init", "-d"];
+
+      // Container name
+      const containerName =
+        svc === "assistant"
+          ? res.assistantContainer
+          : svc === "gateway"
+            ? res.gatewayContainer
+            : res.cesContainer;
+      args.push("--name", containerName);
+
+      // Network
+      if (container.network === "bridge") {
+        args.push(`--network=${res.network}`);
+        for (const port of container.ports ?? []) {
+          const hostSide =
+            port.hostPort === "{{ gatewayPort }}"
+              ? `${gatewayPort}`
+              : port.hostPort;
+          if (hostSide !== undefined) {
+            args.push("-p", `${hostSide}:${port.containerPort}`);
+          }
+        }
+      } else {
+        args.push(`--network=container:${res.assistantContainer}`);
+      }
+
+      // Volume mounts
+      for (const mount of container.volumeMounts) {
+        const vol = resolveVolume(spec, instanceName, mount.volumeName);
+        args.push("-v", mount.readOnly ? `${vol}:${mount.mountPath}:ro` : `${vol}:${mount.mountPath}`);
+      }
+
+      // Env vars from spec
+      for (const entry of container.env) {
+        if (entry.kind === "static") {
+          args.push("-e", `${entry.name}=${entry.value}`);
+        } else if (entry.kind === "secret") {
+          const val = opts[entry.secret];
+          if (val) args.push("-e", `${entry.name}=${val}`);
+        } else {
+          const hostVar = entry.hostVar ?? entry.name;
+          const val = process.env[hostVar];
+          if (val) args.push("-e", `${entry.name}=${val}`);
+        }
+      }
+
+      // Assistant-only computed / optional additions
+      if (svc === "assistant") {
+        args.push(
+          "-e", `VELLUM_ASSISTANT_NAME=${instanceName}`,
+          "-e", `GATEWAY_INTERNAL_URL=http://localhost:${GATEWAY_INTERNAL_PORT}`,
+        );
+
+        if (defaultWorkspaceConfigPath) {
+          const cPath = `/tmp/vellum-default-workspace-config-${Date.now()}.json`;
+          args.push(
+            "-v", `${defaultWorkspaceConfigPath}:${cPath}:ro`,
+            "-e", `VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH=${cPath}`,
+          );
+        }
+
+        if (extraAssistantEnv) {
+          for (const [k, v] of Object.entries(extraAssistantEnv)) {
+            args.push("-e", `${k}=${v}`);
+          }
+        }
+
+        if (avatarDevicePath && existsSync(avatarDevicePath)) {
+          args.push(
+            "--device", `${avatarDevicePath}:${avatarDevicePath}`,
+            "-e", `${AVATAR_DEVICE_ENV_VAR}=${avatarDevicePath}`,
+          );
+        }
+      }
+
+      // Image is always last
+      args.push(imageTags[svc]);
+      return args;
+    };
+  }
+
+  return result;
+}