@vellumai/cli 0.7.1 → 0.7.3

package/src/lib/__tests__/local-runtime-client.test.ts

@@ -4,6 +4,7 @@ import type { AssistantEntry } from "../assistant-config.js";
 import {
   MigrationInProgressError,
   localRuntimeExportToGcs,
+  localRuntimeIdentity,
   localRuntimeImportFromGcs,
   localRuntimePollJobStatus,
 } from "../local-runtime-client.js";
@@ -478,3 +479,188 @@ describe("vellum-cloud routing through wildcard proxy", () => {
     }
   });
 });
+
+describe("localRuntimeIdentity", () => {
+  test("local entry: GETs /v1/health with Bearer auth and returns the version", async () => {
+    const { calls, fetchMock } = captureFetch(() => {
+      return new Response(
+        JSON.stringify({
+          status: "healthy",
+          timestamp: "2025-01-01T00:00:00Z",
+          version: "0.6.5",
+        }),
+        {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        },
+      );
+    });
+    globalThis.fetch = fetchMock;
+
+    const result = await localRuntimeIdentity(ENTRY, TOKEN);
+
+    expect(result.version).toBe("0.6.5");
+    expect(calls).toHaveLength(1);
+    expect(calls[0]!.url).toBe(`${RUNTIME_URL}/v1/health`);
+    expect(calls[0]!.method).toBe("GET");
+    expect(calls[0]!.headers.Authorization).toBe(`Bearer ${TOKEN}`);
+  });
+
+  test("GETs /v1/health, not /v1/identity (works on pre-onboarding runtimes)", async () => {
+    // Regression guard: /v1/identity reads IDENTITY.md (written during
+    // onboarding, NOT hatch) and 404s on freshly-hatched targets. /v1/health
+    // returns the version field unconditionally, so it's the right source.
+    const { calls, fetchMock } = captureFetch(() => {
+      return new Response(JSON.stringify({ version: "0.7.0" }), {
+        status: 200,
+      });
+    });
+    globalThis.fetch = fetchMock;
+
+    await localRuntimeIdentity(ENTRY, TOKEN);
+
+    expect(calls[0]!.url.endsWith("/v1/health")).toBe(true);
+    expect(calls[0]!.url).not.toContain("/v1/identity");
+  });
+
+  test("vellum entry: GETs /v1/assistants/<id>/health through the wildcard proxy", async () => {
+    const { calls, fetchMock } = captureFetch(() => {
+      return new Response(JSON.stringify({ version: "0.7.2" }), {
+        status: 200,
+      });
+    });
+    globalThis.fetch = fetchMock;
+
+    const result = await localRuntimeIdentity(VELLUM_ENTRY, VAK_TOKEN);
+
+    expect(result.version).toBe("0.7.2");
+    expect(calls[0]!.url).toBe(
+      `https://platform.vellum.ai/v1/assistants/11111111-2222-3333-4444-555555555555/health`,
+    );
+    expect(calls[0]!.headers.Authorization).toBe(`Bearer ${VAK_TOKEN}`);
+  });
+
+  test("non-2xx status throws with status + statusText", async () => {
+    const { fetchMock } = captureFetch(() => {
+      return new Response("nope", {
+        status: 503,
+        statusText: "Service Unavailable",
+      });
+    });
+    globalThis.fetch = fetchMock;
+
+    await expect(localRuntimeIdentity(ENTRY, TOKEN)).rejects.toThrow(
+      /Failed to fetch runtime identity: 503/,
+    );
+  });
+
+  test("missing version in body throws", async () => {
+    const { fetchMock } = captureFetch(() => {
+      return new Response(JSON.stringify({}), { status: 200 });
+    });
+    globalThis.fetch = fetchMock;
+
+    await expect(localRuntimeIdentity(ENTRY, TOKEN)).rejects.toThrow(
+      /Runtime identity response missing version/,
+    );
+  });
+
+  test("non-string version in body throws", async () => {
+    const { fetchMock } = captureFetch(() => {
+      return new Response(JSON.stringify({ version: 123 }), { status: 200 });
+    });
+    globalThis.fetch = fetchMock;
+
+    await expect(localRuntimeIdentity(ENTRY, TOKEN)).rejects.toThrow(
+      /Runtime identity response missing version/,
+    );
+  });
+
+  test("empty-string version in body throws", async () => {
+    const { fetchMock } = captureFetch(() => {
+      return new Response(JSON.stringify({ version: "" }), { status: 200 });
+    });
+    globalThis.fetch = fetchMock;
+
+    await expect(localRuntimeIdentity(ENTRY, TOKEN)).rejects.toThrow(
+      /Runtime identity response missing version/,
+    );
+  });
+
+  // ---------------------------------------------------------------------
+  // 401-retry parity with platformRequestSignedUrl (Codex P2 regression
+  // guard). localRuntimeIdentity is the first network call in the
+  // backup/teleport export flow for vellum-cloud assistants, so a stale
+  // Vellum-Organization-Id cache entry would surface as a hard abort
+  // before any other helper got a chance to clear the cache and retry.
+  // ---------------------------------------------------------------------
+
+  test("vellum entry: retries once after 401 with a fresh org-ID lookup", async () => {
+    // Use a non-vak session token so authHeaders fetches + caches an org ID.
+    const SESSION_TOKEN = "session-abcdef";
+    const PLATFORM_URL = "https://platform.vellum.ai";
+    const ASSISTANT_ID = "11111111-2222-3333-4444-555555555555";
+
+    let healthCalls = 0;
+    const orgIdFetchedAs: string[] = [];
+
+    const fetchMock = mock(async (url: string | URL | Request) => {
+      const urlStr = typeof url === "string" ? url : url.toString();
+      if (urlStr.endsWith("/v1/organizations/")) {
+        // Each org-ID fetch returns a different ID to prove that the
+        // second health request DID re-resolve the org rather than
+        // reuse a stale cache entry.
+        orgIdFetchedAs.push(`org-${orgIdFetchedAs.length + 1}`);
+        return new Response(
+          JSON.stringify({
+            results: [{ id: orgIdFetchedAs[orgIdFetchedAs.length - 1]! }],
+          }),
+          { status: 200 },
+        );
+      }
+      if (urlStr.endsWith(`/v1/assistants/${ASSISTANT_ID}/health`)) {
+        healthCalls += 1;
+        if (healthCalls === 1) {
+          return new Response("unauthorized", { status: 401 });
+        }
+        return new Response(JSON.stringify({ version: "0.7.4" }), {
+          status: 200,
+        });
+      }
+      return new Response("unexpected", { status: 500 });
+    });
+    globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+
+    const result = await localRuntimeIdentity(
+      {
+        cloud: "vellum",
+        runtimeUrl: PLATFORM_URL,
+        assistantId: ASSISTANT_ID,
+      },
+      SESSION_TOKEN,
+    );
+
+    expect(result.version).toBe("0.7.4");
+    expect(healthCalls).toBe(2);
+    // Two org-ID fetches: the first to satisfy the initial authHeaders
+    // call, the second after the 401-driven cache invalidation.
+    expect(orgIdFetchedAs).toEqual(["org-1", "org-2"]);
+  });
+
+  test("local entry: does NOT retry after 401 (guardian-token refresh is the caller's job via callRuntimeWithAuthRetry)", async () => {
+    let identityCalls = 0;
+    const fetchMock = mock(async () => {
+      identityCalls += 1;
+      return new Response("unauthorized", {
+        status: 401,
+        statusText: "Unauthorized",
+      });
+    });
+    globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+
+    await expect(localRuntimeIdentity(ENTRY, TOKEN)).rejects.toThrow(
+      /Failed to fetch runtime identity: 401/,
+    );
+    expect(identityCalls).toBe(1);
+  });
+});

package/src/lib/__tests__/platform-client-signed-url.test.ts

@@ -3,6 +3,7 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 import {
   platformPollJobStatus,
   platformRequestSignedUrl,
+  VersionMismatchError,
   type UnifiedJobStatus,
 } from "../platform-client.js";
 
@@ -291,6 +292,240 @@ describe("platformRequestSignedUrl", () => {
     expect(signedUrlCalls[0]!.headers.Authorization).toBeUndefined();
   });
 
+  test("upload operation with min/max runtime versions → posts them in body", async () => {
+    const { calls, fetchMock } = captureFetch(() => {
+      return new Response(
+        JSON.stringify({
+          url: "https://storage.example/signed/v",
+          bundle_key: "bundles/v.tar.gz",
+          expires_at: "2026-04-22T05:00:00Z",
+        }),
+        { status: 201 },
+      );
+    });
+    globalThis.fetch = fetchMock;
+
+    await platformRequestSignedUrl(
+      {
+        operation: "upload",
+        minRuntimeVersion: "1.2.3",
+        maxRuntimeVersion: null,
+      },
+      VAK_TOKEN,
+      PLATFORM_URL,
+    );
+
+    expect(calls[0]!.body).toEqual({
+      operation: "upload",
+      min_runtime_version: "1.2.3",
+      max_runtime_version: null,
+    });
+  });
+
+  test("download operation with target_runtime_version → posts it in body", async () => {
+    const { calls, fetchMock } = captureFetch(() => {
+      return new Response(
+        JSON.stringify({
+          url: "https://storage.example/signed/dl-v",
+          bundle_key: "bundles/dl-v.tar.gz",
+          expires_at: "2026-04-22T06:00:00Z",
+        }),
+        { status: 201 },
+      );
+    });
+    globalThis.fetch = fetchMock;
+
+    await platformRequestSignedUrl(
+      {
+        operation: "download",
+        bundleKey: "bundles/dl-v.tar.gz",
+        targetRuntimeVersion: "2.0.0",
+      },
+      VAK_TOKEN,
+      PLATFORM_URL,
+    );
+
+    expect(calls[0]!.body).toEqual({
+      operation: "download",
+      bundle_key: "bundles/dl-v.tar.gz",
+      target_runtime_version: "2.0.0",
+    });
+  });
+
+  test("download 422 with version_mismatch body → throws VersionMismatchError", async () => {
+    const { fetchMock } = captureFetch(() => {
+      return new Response(
+        JSON.stringify({
+          reason: "version_mismatch",
+          bundle_compat: {
+            min_runtime_version: "2.0.0",
+            max_runtime_version: "2.5.0",
+          },
+          target_runtime_version: "1.9.0",
+        }),
+        { status: 422 },
+      );
+    });
+    globalThis.fetch = fetchMock;
+
+    let caught: unknown;
+    try {
+      await platformRequestSignedUrl(
+        {
+          operation: "download",
+          bundleKey: "bundles/foo.tar.gz",
+          targetRuntimeVersion: "1.9.0",
+        },
+        VAK_TOKEN,
+        PLATFORM_URL,
+      );
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(VersionMismatchError);
+    expect(caught).toBeInstanceOf(Error);
+    const err = caught as VersionMismatchError;
+    expect(err.bundleCompat).toEqual({
+      min_runtime_version: "2.0.0",
+      max_runtime_version: "2.5.0",
+    });
+    expect(err.targetRuntimeVersion).toBe("1.9.0");
+    expect(err.message).toBe(
+      "Cannot import: bundle requires runtime 2.0.0–2.5.0, but this runtime is 1.9.0. Update your runtime before importing.",
+    );
+  });
+
+  test("download 422 with version_mismatch and null max_runtime_version → '+' suffix in message", async () => {
+    const { fetchMock } = captureFetch(() => {
+      return new Response(
+        JSON.stringify({
+          reason: "version_mismatch",
+          bundle_compat: {
+            min_runtime_version: "3.0.0",
+            max_runtime_version: null,
+          },
+          target_runtime_version: "2.9.0",
+        }),
+        { status: 422 },
+      );
+    });
+    globalThis.fetch = fetchMock;
+
+    let caught: unknown;
+    try {
+      await platformRequestSignedUrl(
+        {
+          operation: "download",
+          bundleKey: "bundles/foo.tar.gz",
+          targetRuntimeVersion: "2.9.0",
+        },
+        VAK_TOKEN,
+        PLATFORM_URL,
+      );
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(VersionMismatchError);
+    const err = caught as VersionMismatchError;
+    expect(err.message).toBe(
+      "Cannot import: bundle requires runtime 3.0.0+, but this runtime is 2.9.0. Update your runtime before importing.",
+    );
+  });
+
+  test("download 422 with arbitrary body (no reason field) → falls through to generic Error", async () => {
+    const { fetchMock } = captureFetch(() => {
+      return new Response(JSON.stringify({ detail: "validation failed" }), {
+        status: 422,
+      });
+    });
+    globalThis.fetch = fetchMock;
+
+    let caught: unknown;
+    try {
+      await platformRequestSignedUrl(
+        { operation: "download", bundleKey: "bundles/foo.tar.gz" },
+        VAK_TOKEN,
+        PLATFORM_URL,
+      );
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(Error);
+    expect(caught).not.toBeInstanceOf(VersionMismatchError);
+    expect((caught as Error).message).toBe("validation failed");
+  });
+
+  test("422 is NOT retried after a 401", async () => {
+    let callCount = 0;
+    const { calls, fetchMock } = captureFetch(() => {
+      callCount += 1;
+      if (callCount === 1) {
+        return new Response(JSON.stringify({ detail: "unauthorized" }), {
+          status: 401,
+        });
+      }
+      return new Response(
+        JSON.stringify({
+          reason: "version_mismatch",
+          bundle_compat: {
+            min_runtime_version: "2.0.0",
+            max_runtime_version: "2.5.0",
+          },
+          target_runtime_version: "1.9.0",
+        }),
+        { status: 422 },
+      );
+    });
+    globalThis.fetch = fetchMock;
+
+    let caught: unknown;
+    try {
+      await platformRequestSignedUrl(
+        {
+          operation: "download",
+          bundleKey: "bundles/foo.tar.gz",
+          targetRuntimeVersion: "1.9.0",
+        },
+        VAK_TOKEN,
+        PLATFORM_URL,
+      );
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(calls).toHaveLength(2);
+    expect(caught).toBeInstanceOf(VersionMismatchError);
+  });
+
+  test("non-422 download path remains unchanged (regression pin on body shape)", async () => {
+    const { calls, fetchMock } = captureFetch(() => {
+      return new Response(
+        JSON.stringify({
+          url: "https://storage.example/signed/dl-xyz",
+          bundle_key: "bundles/xyz.tar.gz",
+          expires_at: "2026-04-22T02:00:00Z",
+        }),
+        { status: 201 },
+      );
+    });
+    globalThis.fetch = fetchMock;
+
+    const result = await platformRequestSignedUrl(
+      { operation: "download", bundleKey: "bundles/xyz.tar.gz" },
+      VAK_TOKEN,
+      PLATFORM_URL,
+    );
+
+    expect(result.url).toBe("https://storage.example/signed/dl-xyz");
+    expect(calls[0]!.body).toEqual({
+      operation: "download",
+      bundle_key: "bundles/xyz.tar.gz",
+    });
+  });
+
   test("5xx error response → surfaces platform detail message", async () => {
     const { fetchMock } = captureFetch(() => {
       return new Response(JSON.stringify({ detail: "temporarily down" }), {

package/src/lib/__tests__/runtime-url.test.ts

@@ -1,7 +1,10 @@
 import { describe, expect, test } from "bun:test";
 
 import type { AssistantEntry } from "../assistant-config.js";
-import { resolveRuntimeMigrationUrl } from "../runtime-url.js";
+import {
+  resolveRuntimeMigrationUrl,
+  resolveRuntimeUrl,
+} from "../runtime-url.js";
 
 function makeEntry(
   overrides: Partial<AssistantEntry> & {
@@ -85,3 +88,38 @@ describe("resolveRuntimeMigrationUrl", () => {
     );
   });
 });
+
+describe("resolveRuntimeUrl", () => {
+  test("local cloud uses gateway-loopback /v1/<subpath>", () => {
+    const entry = makeEntry({
+      cloud: "local",
+      runtimeUrl: "http://localhost:7821",
+      assistantId: "ast-local-1",
+    });
+    expect(resolveRuntimeUrl(entry, "identity")).toBe(
+      "http://localhost:7821/v1/identity",
+    );
+  });
+
+  test("docker cloud uses gateway-loopback /v1/<subpath>", () => {
+    const entry = makeEntry({
+      cloud: "docker",
+      runtimeUrl: "http://localhost:7831",
+      assistantId: "ast-docker-1",
+    });
+    expect(resolveRuntimeUrl(entry, "identity")).toBe(
+      "http://localhost:7831/v1/identity",
+    );
+  });
+
+  test("vellum cloud uses wildcard-proxy /v1/assistants/<id>/<subpath>", () => {
+    const entry = makeEntry({
+      cloud: "vellum",
+      runtimeUrl: "https://platform.vellum.ai",
+      assistantId: "11111111-2222-3333-4444-555555555555",
+    });
+    expect(resolveRuntimeUrl(entry, "identity")).toBe(
+      "https://platform.vellum.ai/v1/assistants/11111111-2222-3333-4444-555555555555/identity",
+    );
+  });
+});

package/src/lib/assistant-client.ts

@@ -26,8 +26,8 @@ export interface AssistantClientOpts {
   /**
    * When provided alongside `orgId`, the client authenticates with a
    * session token instead of a guardian token.  The session token is
-   * sent as `Authorization: Bearer <sessionToken>` and the org id is
-   * sent via the `X-Vellum-Org-Id` header.
+   * sent as `X-Session-Token: <sessionToken>` and the org id is
+   * sent via the `Vellum-Organization-Id` header.
    */
   sessionToken?: string;
   /** Required when `sessionToken` is provided. */
@@ -46,6 +46,8 @@ export class AssistantClient {
 
   private readonly _assistantId: string;
   private readonly token: string | undefined;
+  /** True when token is a platform session token (X-Session-Token), false for guardian JWT (Authorization: Bearer). */
+  private readonly isSessionAuth: boolean;
   private readonly orgId: string | undefined;
 
   /**
@@ -74,12 +76,14 @@ export class AssistantClient {
     this._assistantId = entry.assistantId;
 
     if (opts?.sessionToken) {
-      // Platform assistant: use session token + org id header.
+      // Platform assistant: use X-Session-Token + Vellum-Organization-Id.
       this.token = opts.sessionToken;
+      this.isSessionAuth = true;
       this.orgId = opts.orgId;
     } else {
       this.token =
         loadGuardianToken(this._assistantId)?.accessToken ?? entry.bearerToken;
+      this.isSessionAuth = false;
       this.orgId = undefined;
     }
   }
@@ -175,10 +179,14 @@ export class AssistantClient {
 
     const headers: Record<string, string> = { ...opts?.headers };
     if (this.token) {
-      headers["Authorization"] ??= `Bearer ${this.token}`;
+      if (this.isSessionAuth) {
+        headers["X-Session-Token"] ??= this.token;
+      } else {
+        headers["Authorization"] ??= `Bearer ${this.token}`;
+      }
     }
     if (this.orgId) {
-      headers["X-Vellum-Org-Id"] ??= this.orgId;
+      headers["Vellum-Organization-Id"] ??= this.orgId;
     }
     if (body !== undefined) {
       headers["Content-Type"] = "application/json";

package/src/lib/assistant-config.ts

@@ -108,10 +108,6 @@ interface LockfileData {
   [key: string]: unknown;
 }
 
-export function getBaseDir(): string {
-  return process.env.BASE_DATA_DIR?.trim() || homedir();
-}
-
 /**
  * Derive the daemon PID file path from a resources object. The PID file
  * lives inside the instance's workspace directory. When no resources are
@@ -512,25 +508,4 @@ export function getLockfilePlatformBaseUrl(): string | undefined {
   return undefined;
 }
 
-/**
- * Read the assistant config file and sync client-relevant values to the
- * lockfile. This lets external tools (e.g. vel) discover the platform URL
- * without importing the assistant config schema.
- */
-export function syncConfigToLockfile(): void {
-  const configPath = join(getBaseDir(), ".vellum", "workspace", "config.json");
-  if (!existsSync(configPath)) return;
 
-  try {
-    const raw = JSON.parse(readFileSync(configPath, "utf-8")) as Record<
-      string,
-      unknown
-    >;
-    const platform = raw.platform as Record<string, unknown> | undefined;
-    const data = readLockfile();
-    data.platformBaseUrl = (platform?.baseUrl as string) || undefined;
-    writeLockfile(data);
-  } catch {
-    // Config file unreadable — skip sync
-  }
-}

package/src/lib/backup-ops.ts

@@ -9,7 +9,10 @@ import {
 import { homedir } from "os";
 import { dirname, join } from "path";
 
-import { loadGuardianToken, leaseGuardianToken } from "./guardian-token.js";
+import {
+  loadGuardianToken,
+  refreshGuardianToken,
+} from "./guardian-token.js";
 
 /** Default backup directory following XDG convention */
 export function getBackupsDir(): string {
@@ -25,20 +28,25 @@ export function formatSize(bytes: number): string {
   return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
 }
 
-/** Obtain a valid guardian access token (cached or fresh lease) */
+/**
+ * Obtain a valid guardian access token.
+ *
+ * Resolution order:
+ *  1. Cached token that is not yet expired — use as-is.
+ *  2. Cached token with a valid refresh token — call /v1/guardian/refresh.
+ *  3. No usable token — return null so callers can skip the backup gracefully
+ *     rather than hitting /v1/guardian/init (which 403s on bootstrapped instances).
+ */
 async function getGuardianAccessToken(
   runtimeUrl: string,
   assistantId: string,
-  forceRefresh?: boolean,
-): Promise<string> {
-  if (!forceRefresh) {
-    const tokenData = loadGuardianToken(assistantId);
-    if (tokenData && new Date(tokenData.accessTokenExpiresAt) > new Date()) {
-      return tokenData.accessToken;
-    }
+): Promise<string | null> {
+  const tokenData = loadGuardianToken(assistantId);
+  if (tokenData && new Date(tokenData.accessTokenExpiresAt) > new Date()) {
+    return tokenData.accessToken;
   }
-  const freshToken = await leaseGuardianToken(runtimeUrl, assistantId);
-  return freshToken.accessToken;
+  const refreshed = await refreshGuardianToken(runtimeUrl, assistantId);
+  return refreshed?.accessToken ?? null;
 }
 
 /**
@@ -53,6 +61,10 @@ export async function createBackup(
 ): Promise<string | null> {
   try {
     let accessToken = await getGuardianAccessToken(runtimeUrl, assistantId);
+    if (!accessToken) {
+      console.warn("Warning: backup skipped — no valid guardian token available");
+      return null;
+    }
 
     let response = await fetch(`${runtimeUrl}/v1/migrations/export`, {
       method: "POST",
@@ -66,10 +78,15 @@ export async function createBackup(
       signal: AbortSignal.timeout(120_000),
     });
 
-    // Retry once with a fresh token on 401 — the cached token may be stale
-    // after a container restart that generated a new gateway signing key.
+    // Retry once with a refreshed token on 401 — the cached token may be
+    // stale after a container restart that regenerated the gateway signing key.
     if (response.status === 401) {
-      accessToken = await getGuardianAccessToken(runtimeUrl, assistantId, true);
+      const refreshed = await refreshGuardianToken(runtimeUrl, assistantId);
+      if (!refreshed) {
+        console.warn(`Warning: backup export failed (401) and token refresh failed`);
+        return null;
+      }
+      accessToken = refreshed.accessToken;
       response = await fetch(`${runtimeUrl}/v1/migrations/export`, {
         method: "POST",
         headers: {
@@ -130,6 +147,10 @@ export async function restoreBackup(
 
     const bundleData = readFileSync(backupPath);
     let accessToken = await getGuardianAccessToken(runtimeUrl, assistantId);
+    if (!accessToken) {
+      console.warn("Warning: restore skipped — no valid guardian token available");
+      return false;
+    }
 
     let response = await fetch(`${runtimeUrl}/v1/migrations/import`, {
       method: "POST",
@@ -141,10 +162,15 @@ export async function restoreBackup(
       signal: AbortSignal.timeout(120_000),
     });
 
-    // Retry once with a fresh token on 401 — the cached token may be stale
-    // after a container restart that generated a new gateway signing key.
+    // Retry once with a refreshed token on 401 — the cached token may be
+    // stale after a container restart that regenerated the gateway signing key.
     if (response.status === 401) {
-      accessToken = await getGuardianAccessToken(runtimeUrl, assistantId, true);
+      const refreshed = await refreshGuardianToken(runtimeUrl, assistantId);
+      if (!refreshed) {
+        console.warn(`Warning: restore failed (401) and token refresh failed`);
+        return false;
+      }
+      accessToken = refreshed.accessToken;
       response = await fetch(`${runtimeUrl}/v1/migrations/import`, {
         method: "POST",
         headers: {