@vellumai/cli 0.7.1 → 0.7.3

package/src/components/DefaultMainScreen.tsx

@@ -1,8 +1,6 @@
 import { spawn } from "child_process";
-import { createHash, randomBytes, randomUUID } from "crypto";
-import { hostname, userInfo } from "os";
+import { randomUUID } from "crypto";
 import { basename } from "path";
-import qrcode from "qrcode-terminal";
 import {
   useCallback,
   useEffect,
@@ -14,7 +12,7 @@ import {
 import { Box, render as inkRender, Text, useInput, useStdout } from "ink";
 
 import { removeAssistantEntry } from "../lib/assistant-config";
-import { getClientRegistrationHeaders } from "../lib/client-identity";
+
 import { SPECIES_CONFIG, type Species } from "../lib/constants";
 import { callDoctorDaemon, type ChatLogEntry } from "../lib/doctor-client";
 import { checkHealth } from "../lib/health-check";
@@ -46,7 +44,6 @@ export const SLASH_COMMANDS = [
   "/doctor",
   "/exit",
   "/help",
-  "/pair",
   "/q",
   "/quit",
   "/retire",
@@ -173,14 +170,14 @@ async function runtimeRequest<T>(
   assistantId: string,
   path: string,
   init?: RequestInit,
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<T> {
   const url = `${baseUrl}/v1/assistants/${assistantId}${path}`;
   const response = await fetch(url, {
     ...init,
     headers: {
       "Content-Type": "application/json",
-      ...(bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {}),
+      ...auth,
       ...(init?.headers as Record<string, string> | undefined),
     },
   });
@@ -219,7 +216,7 @@ async function checkHealthRuntime(baseUrl: string): Promise<HealthResponse> {
 async function pollMessages(
   baseUrl: string,
   assistantId: string,
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<ListMessagesResponse> {
   const params = new URLSearchParams({ conversationKey: assistantId });
   return runtimeRequest<ListMessagesResponse>(
@@ -227,7 +224,7 @@ async function pollMessages(
     assistantId,
     `/messages?${params.toString()}`,
     undefined,
-    bearerToken,
+    auth,
   );
 }
 
@@ -236,7 +233,7 @@ async function sendMessage(
   assistantId: string,
   content: string,
   signal?: AbortSignal,
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<SendMessageResponse> {
   return runtimeRequest<SendMessageResponse>(
     baseUrl,
@@ -252,7 +249,7 @@ async function sendMessage(
       }),
       signal,
     },
-    bearerToken,
+    auth,
   );
 }
 
@@ -261,7 +258,7 @@ async function submitDecision(
   assistantId: string,
   requestId: string,
   decision: "allow" | "deny",
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<SubmitDecisionResponse> {
   return runtimeRequest<SubmitDecisionResponse>(
     baseUrl,
@@ -271,7 +268,7 @@ async function submitDecision(
       method: "POST",
       body: JSON.stringify({ requestId, decision }),
     },
-    bearerToken,
+    auth,
   );
 }
 
@@ -282,7 +279,7 @@ async function addTrustRule(
   pattern: string,
   scope: string,
   decision: "allow" | "deny",
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<AddTrustRuleResponse> {
   return runtimeRequest<AddTrustRuleResponse>(
     baseUrl,
@@ -292,7 +289,7 @@ async function addTrustRule(
       method: "POST",
       body: JSON.stringify({ requestId, pattern, scope, decision }),
     },
-    bearerToken,
+    auth,
   );
 }
 
@@ -351,17 +348,15 @@ async function* streamEvents(
   assistantId: string,
   conversationKey: string,
   signal: AbortSignal,
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): AsyncGenerator<SseEvent> {
   const params = new URLSearchParams({ conversationKey });
   const url = `${baseUrl}/v1/assistants/${assistantId}/events?${params.toString()}`;
-  const clientHeaders = getClientRegistrationHeaders();
-  tuiLog.info("sse connect", { url, clientHeaders });
+  tuiLog.info("sse connect", { url, authHeaders: Object.keys(auth ?? {}) });
   const response = await fetch(url, {
     headers: {
       Accept: "text/event-stream",
-      ...(bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {}),
-      ...clientHeaders,
+      ...auth,
     },
     signal,
   });
@@ -457,7 +452,7 @@ async function handleConfirmationPrompt(
   requestId: string,
   confirmation: PendingConfirmation,
   chatApp: ChatAppHandle,
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<void> {
   const preview = formatConfirmationPreview(
     confirmation.toolName,
@@ -483,7 +478,7 @@ async function handleConfirmationPrompt(
   const index = await chatApp.showSelection("Tool Approval", options);
 
   if (index === 0) {
-    await submitDecision(baseUrl, assistantId, requestId, "allow", bearerToken);
+    await submitDecision(baseUrl, assistantId, requestId, "allow", auth);
     chatApp.addStatus("\u2714 Allowed", "green");
     return;
   }
@@ -495,7 +490,7 @@ async function handleConfirmationPrompt(
       confirmation,
       chatApp,
       "always_allow",
-      bearerToken,
+      auth,
     );
     return;
   }
@@ -507,12 +502,12 @@ async function handleConfirmationPrompt(
       confirmation,
       chatApp,
       "always_deny",
-      bearerToken,
+      auth,
     );
     return;
   }
 
-  await submitDecision(baseUrl, assistantId, requestId, "deny", bearerToken);
+  await submitDecision(baseUrl, assistantId, requestId, "deny", auth);
   chatApp.addStatus("\u2718 Denied", "yellow");
 }
 
@@ -523,7 +518,7 @@ async function handlePatternSelection(
   confirmation: PendingConfirmation,
   chatApp: ChatAppHandle,
   trustDecision: TrustDecision,
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<void> {
   const allowlistOptions = confirmation.allowlistOptions ?? [];
   const label = trustDecision === "always_deny" ? "Denylist" : "Allowlist";
@@ -544,12 +539,12 @@ async function handlePatternSelection(
       chatApp,
       selectedPattern,
       trustDecision,
-      bearerToken,
+      auth,
     );
     return;
   }
 
-  await submitDecision(baseUrl, assistantId, requestId, "deny", bearerToken);
+  await submitDecision(baseUrl, assistantId, requestId, "deny", auth);
   chatApp.addStatus("\u2718 Denied", "yellow");
 }
 
@@ -561,7 +556,7 @@ async function handleScopeSelection(
   chatApp: ChatAppHandle,
   selectedPattern: string,
   trustDecision: TrustDecision,
-  bearerToken?: string,
+  auth?: Record<string, string>,
 ): Promise<void> {
   const scopeOptions = confirmation.scopeOptions ?? [];
   const label = trustDecision === "always_deny" ? "Denylist" : "Allowlist";
@@ -578,14 +573,14 @@ async function handleScopeSelection(
       selectedPattern,
       scopeOptions[index].scope,
       ruleDecision,
-      bearerToken,
+      auth,
     );
     await submitDecision(
       baseUrl,
       assistantId,
       requestId,
       ruleDecision === "deny" ? "deny" : "allow",
-      bearerToken,
+      auth,
     );
     const ruleLabel =
       trustDecision === "always_deny" ? "Denylisted" : "Allowlisted";
@@ -597,7 +592,7 @@ async function handleScopeSelection(
     return;
   }
 
-  await submitDecision(baseUrl, assistantId, requestId, "deny", bearerToken);
+  await submitDecision(baseUrl, assistantId, requestId, "deny", auth);
   chatApp.addStatus("\u2718 Denied", "yellow");
 }
 
@@ -753,10 +748,6 @@ function HelpDisplay(): ReactElement {
         {"  /clear            "}
         <Text dimColor>Clear the screen</Text>
       </Text>
-      <Text>
-        {"  /pair             "}
-        <Text dimColor>Generate a QR code for mobile device pairing</Text>
-      </Text>
       <Text>
         {"  /help, ?          "}
         <Text dimColor>Show this help</Text>
@@ -1368,7 +1359,9 @@ interface ChatAppProps {
   runtimeUrl: string;
   assistantId: string;
   species: Species;
-  bearerToken?: string;
+  /** Pre-built auth headers (e.g. { Authorization: "Bearer ..." } for local,
+   *  { "X-Session-Token": "...", "Vellum-Organization-Id": "..." } for platform). */
+  auth?: Record<string, string>;
   project?: string;
   zone?: string;
   onExit: () => void;
@@ -1379,7 +1372,7 @@ function ChatApp({
   runtimeUrl,
   assistantId,
   species,
-  bearerToken,
+  auth,
   project,
   zone,
   onExit,
@@ -1692,7 +1685,7 @@ function ChatApp({
         const historyResponse = await pollMessages(
           runtimeUrl,
           assistantId,
-          bearerToken,
+          auth,
         );
         h.hideSpinner();
         if (historyResponse.messages.length > 0) {
@@ -1717,7 +1710,7 @@ function ChatApp({
             assistantId,
             assistantId,
             sseAc.signal,
-            bearerToken,
+            auth,
           )) {
             const hRef = handleRef_.current;
             if (!hRef) continue;
@@ -1788,7 +1781,7 @@ function ChatApp({
                       event.persistentDecisionsAllowed,
                   },
                   hRef,
-                  bearerToken,
+                  auth,
                 );
                 hRef.showSpinner("Working...");
                 break;
@@ -1819,7 +1812,7 @@ function ChatApp({
                           delivery,
                         }),
                       },
-                      bearerToken,
+                      auth,
                     );
                   },
                 );
@@ -1903,7 +1896,7 @@ function ChatApp({
       );
       return false;
     }
-  }, [runtimeUrl, assistantId, bearerToken]);
+  }, [runtimeUrl, assistantId, auth]);
 
   const handleInput = useCallback(
     async (input: string): Promise<void> => {
@@ -2110,9 +2103,7 @@ function ChatApp({
               method: "POST",
               headers: {
                 "Content-Type": "application/json",
-                ...(bearerToken
-                  ? { Authorization: `Bearer ${bearerToken}` }
-                  : {}),
+                ...auth,
               },
               body: JSON.stringify({
                 conversationKey: assistantId,
@@ -2171,85 +2162,6 @@ function ChatApp({
         return;
       }
 
-      if (trimmed === "/pair") {
-        h.showSpinner("Generating pairing credentials...");
-
-        const isConnected = await ensureConnected();
-        if (!isConnected) {
-          h.hideSpinner();
-          h.showError("Cannot pair — not connected to the assistant runtime.");
-          return;
-        }
-
-        try {
-          const pairingRequestId = randomUUID();
-          const pairingSecret = randomBytes(32).toString("hex");
-          const gatewayUrl = runtimeUrl;
-
-          // Call /pairing/register on the gateway (dedicated pairing proxy route)
-          const registerUrl = `${runtimeUrl}/pairing/register`;
-          const registerRes = await fetch(registerUrl, {
-            method: "POST",
-            headers: {
-              "Content-Type": "application/json",
-              ...(bearerToken
-                ? { Authorization: `Bearer ${bearerToken}` }
-                : {}),
-            },
-            body: JSON.stringify({
-              pairingRequestId,
-              pairingSecret,
-              gatewayUrl,
-            }),
-          });
-
-          if (!registerRes.ok) {
-            const body = await registerRes.text().catch(() => "");
-            throw new Error(
-              `HTTP ${registerRes.status}: ${body || registerRes.statusText}`,
-            );
-          }
-
-          let username: string;
-          try {
-            username = userInfo().username;
-          } catch {
-            username = "";
-          }
-          const hostId = createHash("sha256")
-            .update(hostname() + username)
-            .digest("hex");
-          const payload = JSON.stringify({
-            type: "vellum-assistant",
-            v: 4,
-            id: hostId,
-            g: gatewayUrl,
-            pairingRequestId,
-            pairingSecret,
-          });
-
-          const qrString = await new Promise<string>((resolve) => {
-            qrcode.generate(payload, { small: true }, (code: string) => {
-              resolve(code);
-            });
-          });
-
-          h.hideSpinner();
-          h.addStatus(
-            `Pairing Ready\n\n` +
-              `Scan this QR code with the Vellum iOS app:\n\n` +
-              `${qrString}\n` +
-              `This pairing request expires in 5 minutes. Run /pair again to generate a new one.`,
-          );
-        } catch (err) {
-          h.hideSpinner();
-          h.showError(
-            `Pairing failed: ${err instanceof Error ? err.message : err}`,
-          );
-        }
-        return;
-      }
-
       if (busyRef.current) {
         // /btw is already handled above this block
         if (!trimmed.startsWith("/")) {
@@ -2278,7 +2190,7 @@ function ChatApp({
             assistantId,
             trimmed,
             controller.signal,
-            bearerToken,
+            auth,
           );
           clearTimeout(timeoutId);
           if (sendResult.accepted) {
@@ -2329,7 +2241,7 @@ function ChatApp({
           assistantId,
           trimmed,
           controller.signal,
-          bearerToken,
+          auth,
         );
         clearTimeout(timeoutId);
         if (!sendResult.accepted) {
@@ -2356,7 +2268,7 @@ function ChatApp({
     [
       runtimeUrl,
       assistantId,
-      bearerToken,
+      auth,
       project,
       zone,
       cleanup,
@@ -2670,7 +2582,7 @@ export function renderChatApp(
   assistantId: string,
   species: Species,
   onExit: () => void,
-  options?: { bearerToken?: string; project?: string; zone?: string },
+  options?: { auth?: Record<string, string>; project?: string; zone?: string },
 ): ChatAppInstance {
   let chatHandle: ChatAppHandle | null = null;
 
@@ -2679,7 +2591,7 @@ export function renderChatApp(
       runtimeUrl={runtimeUrl}
       assistantId={assistantId}
       species={species}
-      bearerToken={options?.bearerToken}
+      auth={options?.auth}
       project={options?.project}
       zone={options?.zone}
       onExit={onExit}

package/src/index.ts

@@ -11,7 +11,6 @@ import { hatch } from "./commands/hatch";
 import { login, logout, whoami } from "./commands/login";
 import { logs } from "./commands/logs";
 import { message } from "./commands/message";
-import { pair } from "./commands/pair";
 import { ps } from "./commands/ps";
 import { recover } from "./commands/recover";
 import { restore } from "./commands/restore";
@@ -26,10 +25,7 @@ import { tunnel } from "./commands/tunnel";
 import { upgrade } from "./commands/upgrade";
 import { use } from "./commands/use";
 import { wake } from "./commands/wake";
-import {
-  resolveAssistant,
-  setActiveAssistant,
-} from "./lib/assistant-config";
+import { resolveAssistant, setActiveAssistant } from "./lib/assistant-config";
 import { loadGuardianToken } from "./lib/guardian-token";
 import { checkHealth } from "./lib/health-check";
 
@@ -45,7 +41,6 @@ const commands = {
   logout,
   logs,
   message,
-  pair,
   ps,
   recover,
   restore,
@@ -80,7 +75,6 @@ function printHelp(): void {
   console.log("  login    Log in to the Vellum platform");
   console.log("  logout   Log out of the Vellum platform");
   console.log("  message  Send a message to a running assistant");
-  console.log("  pair     Pair with a remote assistant via QR code");
   console.log(
     "  ps       List assistants (or processes for a specific assistant)",
   );

package/src/lib/__tests__/docker.test.ts

@@ -4,9 +4,9 @@ import {
   AVATAR_DEVICE_ENV_VAR,
   dockerResourceNames,
   resolveAvatarDevicePath,
-  serviceDockerRunArgs,
   type ServiceName,
 } from "../docker.js";
+import { buildServiceRunArgs } from "../statefulset.js";
 
 const instanceName = "test-instance";
 const imageTags: Record<ServiceName, string> = {
@@ -16,10 +16,10 @@ const imageTags: Record<ServiceName, string> = {
 };
 
 function buildAssistantArgs(
-  overrides: Partial<Parameters<typeof serviceDockerRunArgs>[0]> = {},
+  overrides: Partial<Parameters<typeof buildServiceRunArgs>[0]> = {},
 ): string[] {
   const res = dockerResourceNames(instanceName);
-  const builders = serviceDockerRunArgs({
+  const builders = buildServiceRunArgs({
     gatewayPort: 7830,
     imageTags,
     instanceName,
@@ -29,50 +29,41 @@ function buildAssistantArgs(
   return builders.assistant();
 }
 
-describe("serviceDockerRunArgs — assistant", () => {
-  test("grants the minimum capability set needed for DinD (SYS_ADMIN + NET_ADMIN) rather than --privileged", () => {
-    const args = buildAssistantArgs();
-    expect(args).not.toContain("--privileged");
-    // --cap-add SYS_ADMIN and --cap-add NET_ADMIN are each passed as two
-    // adjacent args: "--cap-add" followed by the capability name.
-    const sysAdminIdx = args.indexOf("SYS_ADMIN");
-    expect(sysAdminIdx).toBeGreaterThan(0);
-    expect(args[sysAdminIdx - 1]).toBe("--cap-add");
-    const netAdminIdx = args.indexOf("NET_ADMIN");
-    expect(netAdminIdx).toBeGreaterThan(0);
-    expect(args[netAdminIdx - 1]).toBe("--cap-add");
+function buildGatewayArgs(
+  overrides: Partial<Parameters<typeof buildServiceRunArgs>[0]> = {},
+): string[] {
+  const res = dockerResourceNames(instanceName);
+  const builders = buildServiceRunArgs({
+    gatewayPort: 7830,
+    imageTags,
+    instanceName,
+    res,
+    ...overrides,
   });
+  return builders.gateway();
+}
 
-  test("disables the default seccomp and AppArmor profiles so the inner dockerd can mount overlayfs and run pivot_root", () => {
+describe("buildServiceRunArgs — assistant", () => {
+  test("does not grant elevated capabilities or disable security profiles", () => {
     const args = buildAssistantArgs();
-    const seccompIdx = args.indexOf("seccomp=unconfined");
-    expect(seccompIdx).toBeGreaterThan(0);
-    expect(args[seccompIdx - 1]).toBe("--security-opt");
-    const apparmorIdx = args.indexOf("apparmor=unconfined");
-    expect(apparmorIdx).toBeGreaterThan(0);
-    expect(args[apparmorIdx - 1]).toBe("--security-opt");
+    expect(args).not.toContain("--privileged");
+    expect(args).not.toContain("--cap-add");
+    expect(args).not.toContain("SYS_ADMIN");
+    expect(args).not.toContain("NET_ADMIN");
+    expect(args).not.toContain("seccomp=unconfined");
+    expect(args).not.toContain("apparmor=unconfined");
   });
 
-  test("mounts a dedicated named volume at /var/lib/docker for the inner dockerd data store", () => {
+  test("does not mount a dockerd data volume", () => {
     const args = buildAssistantArgs();
-    const spec = `${instanceName}-dockerd-data:/var/lib/docker`;
-    const mountIndex = args.indexOf(spec);
-    expect(mountIndex).toBeGreaterThan(0);
-    expect(args[mountIndex - 1]).toBe("-v");
+    expect(args.some((a) => a.includes("/var/lib/docker"))).toBe(false);
   });
 
-  test("does NOT bind-mount the host Docker socket (DinD replaces host-socket access)", () => {
+  test("does NOT bind-mount the host Docker socket", () => {
     const args = buildAssistantArgs();
     expect(args).not.toContain("/var/run/docker.sock:/var/run/docker.sock");
   });
 
-  test("does NOT set VELLUM_WORKSPACE_VOLUME_NAME (legacy Phase 1.8 hint, no longer needed in DinD)", () => {
-    const args = buildAssistantArgs();
-    expect(
-      args.some((a) => a.startsWith("VELLUM_WORKSPACE_VOLUME_NAME=")),
-    ).toBe(false);
-  });
-
   test("keeps existing workspace and socket volume mounts intact", () => {
     const args = buildAssistantArgs();
     expect(args).toContain(`${instanceName}-workspace:/workspace`);
@@ -112,6 +103,33 @@ describe("serviceDockerRunArgs — assistant", () => {
   });
 });
 
+describe("buildServiceRunArgs — gateway", () => {
+  const savedVelayBaseUrl = process.env.VELAY_BASE_URL;
+
+  beforeEach(() => {
+    delete process.env.VELAY_BASE_URL;
+  });
+
+  afterEach(() => {
+    if (savedVelayBaseUrl === undefined) delete process.env.VELAY_BASE_URL;
+    else process.env.VELAY_BASE_URL = savedVelayBaseUrl;
+  });
+
+  test("passes VELAY_BASE_URL into the gateway container when set", () => {
+    process.env.VELAY_BASE_URL = "http://host.docker.internal:8501";
+
+    expect(buildGatewayArgs()).toContain(
+      "VELAY_BASE_URL=http://host.docker.internal:8501",
+    );
+  });
+
+  test("omits VELAY_BASE_URL from gateway args when unset", () => {
+    expect(
+      buildGatewayArgs().some((arg) => arg.startsWith("VELAY_BASE_URL=")),
+    ).toBe(false);
+  });
+});
+
 describe("VELLUM_AVATAR_DEVICE passthrough", () => {
   const savedValue = process.env[AVATAR_DEVICE_ENV_VAR];