@vellumai/cli 0.8.0 → 0.8.2

package/src/commands/login.ts

@@ -287,9 +287,10 @@ export async function login(): Promise<void> {
 
     // Sync cloud assistants from the platform into the local lockfile.
     // This ensures `vellum ps` shows managed assistants immediately
-    // after login (e.g. after a retire-and-rehatch cycle).
+    // after login (e.g. after a retire-and-rehatch cycle). We've just
+    // saved this token, so it's guaranteed non-empty here.
     try {
-      const result = await syncCloudAssistants();
+      const result = await syncCloudAssistants(token);
       if (result) {
         const total = result.added + result.removed;
         if (total > 0) {

package/src/commands/ps.ts

@@ -15,6 +15,7 @@ import {
   fetchManagedPs,
   type ManagedProcessEntry,
 } from "../lib/health-check";
+import { readPlatformToken } from "../lib/platform-client";
 import { dockerResourceNames } from "../lib/docker";
 import { existsSync } from "fs";
 import {
@@ -472,7 +473,7 @@ async function showAssistantProcesses(entry: AssistantEntry): Promise<void> {
 
 // ── List all assistants (no arg) ────────────────────────────────
 
-async function listAllAssistants(verbose: boolean): Promise<void> {
+export async function listAllAssistants(verbose: boolean): Promise<void> {
   const { name: envName, source: envSource } = resolveEnvironmentSource();
   const sourceLabels: Record<typeof envSource, string> = {
     flag: "--environment flag",
@@ -486,23 +487,33 @@ async function listAllAssistants(verbose: boolean): Promise<void> {
     ? (msg) => console.log(`  [verbose] ${msg}`)
     : undefined;
 
-  // Refresh cloud assistants from the platform before listing.
-  const syncResult = await syncCloudAssistants({ log });
-
-  // Show platform login status
-  if (syncResult) {
-    const parts = [`Platform: logged in`];
-    if (syncResult.email) parts[0] += ` as ${syncResult.email}`;
-    if (syncResult.added > 0 || syncResult.removed > 0) {
-      const changes: string[] = [];
-      if (syncResult.added > 0) changes.push(`${syncResult.added} added`);
-      if (syncResult.removed > 0)
-        changes.push(`${syncResult.removed} removed`);
-      parts.push(`(${changes.join(", ")})`);
-    }
-    console.log(parts.join(" "));
-  } else {
+  // Decide platform login status FIRST, before touching the network. With no
+  // local token we never enter the platform fetch path — so unreachable-host
+  // errors from the org-ID/user lookups can't leak onto stderr ahead of the
+  // "Platform: not logged in" line.
+  const platformToken = readPlatformToken();
+  if (!platformToken) {
+    log?.("No platform token found — skipping cloud sync");
     console.log("Platform: not logged in");
+  } else {
+    const syncResult = await syncCloudAssistants(platformToken, { log });
+    if (syncResult) {
+      const parts = [`Platform: logged in`];
+      if (syncResult.email) parts[0] += ` as ${syncResult.email}`;
+      if (syncResult.added > 0 || syncResult.removed > 0) {
+        const changes: string[] = [];
+        if (syncResult.added > 0) changes.push(`${syncResult.added} added`);
+        if (syncResult.removed > 0)
+          changes.push(`${syncResult.removed} removed`);
+        parts.push(`(${changes.join(", ")})`);
+      }
+      console.log(parts.join(" "));
+    } else {
+      // We had a token but the platform fetch failed (offline, expired, etc.).
+      // Treat it the same as "not logged in" from a UX perspective — the user
+      // can't reach cloud-managed assistants right now either way.
+      console.log("Platform: not logged in");
+    }
   }
   console.log("");
 

package/src/commands/setup.ts

@@ -1,80 +1,81 @@
-import { createInterface } from "readline";
-
 import { resolveAssistant } from "../lib/assistant-config.js";
-
-async function promptMasked(prompt: string): Promise<string> {
-  return new Promise((resolve) => {
-    const rl = createInterface({
-      input: process.stdin,
-      output: process.stdout,
-    });
-
-    process.stdout.write(prompt);
-
-    const stdin = process.stdin;
-    const wasRaw = stdin.isRaw;
-    if (stdin.isTTY) {
-      stdin.setRawMode(true);
-    }
-
-    let input = "";
-    const onData = (key: Buffer): void => {
-      const char = key.toString("utf-8");
-
-      if (char === "\r" || char === "\n") {
-        stdin.removeListener("data", onData);
-        if (stdin.isTTY) {
-          stdin.setRawMode(wasRaw ?? false);
-        }
-        process.stdout.write("\n");
-        rl.close();
-        resolve(input);
-      } else if (char === "\u0003") {
-        process.stdout.write("\n");
-        process.exit(1);
-      } else if (char === "\u007F" || char === "\b") {
-        if (input.length > 0) {
-          input = input.slice(0, -1);
-          process.stdout.write("\b \b");
-        }
-      } else if (char.length === 1 && char >= " ") {
-        input += char;
-        process.stdout.write("*");
+import {
+  loadGuardianToken,
+  refreshGuardianToken,
+  type GuardianTokenData,
+} from "../lib/guardian-token.js";
+import {
+  ensureProviderApiKey,
+  formatProviderName,
+} from "../lib/provider-secrets.js";
+
+function parseSetupArgs(args: string[]): { provider: string } {
+  let provider = "anthropic";
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--provider") {
+      const value = args[i + 1];
+      if (!value || value.startsWith("-")) {
+        throw new Error("--provider requires a provider name.");
       }
-    };
+      provider = value;
+      i++;
+    } else if (arg.startsWith("--provider=")) {
+      provider = arg.slice("--provider=".length);
+    } else {
+      throw new Error(`Unknown option: ${arg}`);
+    }
+  }
 
-    stdin.on("data", onData);
-  });
+  return { provider };
 }
 
-async function validateAnthropicKey(apiKey: string): Promise<boolean> {
-  try {
-    const resp = await fetch("https://api.anthropic.com/v1/models", {
-      headers: {
-        "x-api-key": apiKey,
-        "anthropic-version": "2023-06-01",
-      },
-      signal: AbortSignal.timeout(10_000),
-    });
-    return resp.ok;
-  } catch {
+function isGuardianAccessTokenUsable(
+  tokenData: GuardianTokenData | null,
+): tokenData is GuardianTokenData {
+  if (!tokenData?.accessToken) {
     return false;
   }
+  const expiresAt = new Date(tokenData.accessTokenExpiresAt).getTime();
+  return Number.isFinite(expiresAt) && expiresAt > Date.now();
 }
 
 export async function setup(): Promise<void> {
   const args = process.argv.slice(3);
 
   if (args.includes("--help") || args.includes("-h")) {
-    console.log("Usage: vellum setup");
+    console.log("Usage: vellum setup [--provider <provider>]");
+    console.log("");
+    console.log("Configure a provider API key on the active assistant.");
     console.log("");
-    console.log("Interactive wizard to configure API keys.");
+    console.log("Options:");
     console.log(
-      "Injects secrets into your running assistant via the gateway API.",
+      "  --provider <provider>  Provider to configure. Defaults to anthropic.",
     );
+    console.log("");
+    console.log("Behavior:");
+    console.log(
+      "  - Checks the active assistant for an existing provider key.",
+    );
+    console.log("  - Uses the matching environment variable when it is set.");
+    console.log("  - Otherwise prompts securely without echoing the key.");
+    console.log("");
+    console.log("Examples:");
+    console.log("  vellum setup");
+    console.log("  ANTHROPIC_API_KEY=... vellum setup");
+    console.log("  vellum setup --provider openai");
     process.exit(0);
   }
 
+  let parsed: { provider: string };
+  try {
+    parsed = parseSetupArgs(args);
+  } catch (error) {
+    console.error(error instanceof Error ? `Error: ${error.message}` : error);
+    process.exit(1);
+  }
+
   const entry = resolveAssistant();
   if (!entry) {
     console.error(
@@ -84,54 +85,58 @@ export async function setup(): Promise<void> {
   }
 
   const gatewayUrl = entry.localUrl ?? entry.runtimeUrl;
+  let bearerToken: string | undefined;
+  const guardianToken = loadGuardianToken(entry.assistantId);
+  if (isGuardianAccessTokenUsable(guardianToken)) {
+    bearerToken = guardianToken.accessToken;
+  } else {
+    const refreshedToken = guardianToken
+      ? await refreshGuardianToken(gatewayUrl, entry.assistantId)
+      : null;
+    bearerToken = isGuardianAccessTokenUsable(refreshedToken)
+      ? refreshedToken.accessToken
+      : entry.bearerToken;
+  }
 
   console.log("Vellum Setup");
   console.log("============\n");
 
-  const apiKey = await promptMasked(
-    "Enter your Anthropic API key (sk-ant-...): ",
-  );
-
-  if (!apiKey.trim()) {
-    console.error("Error: API key cannot be empty.");
-    process.exit(1);
-  }
-
-  console.log("Validating key...");
-  const valid = await validateAnthropicKey(apiKey.trim());
+  try {
+    const result = await ensureProviderApiKey({
+      gatewayUrl,
+      provider: parsed.provider,
+      bearerToken,
+      env: process.env,
+    });
 
-  if (!valid) {
-    console.error(
-      "Error: Invalid API key. Could not authenticate with the Anthropic API.",
-    );
-    process.exit(1);
-  }
+    if (result.status === "already_configured") {
+      console.log(
+        `${formatProviderName(result.provider)} API key is already configured.`,
+      );
+      return;
+    }
 
-  const headers: Record<string, string> = {
-    "Content-Type": "application/json",
-    Accept: "application/json",
-  };
-  if (entry.bearerToken) {
-    headers["Authorization"] = `Bearer ${entry.bearerToken}`;
-  }
+    if (result.status === "configured") {
+      const providerName = formatProviderName(result.provider);
+      const source = result.source === "env" ? " from the environment" : "";
+      console.log(`\n${providerName} API key saved to assistant${source}.`);
+      console.log("Setup complete.");
+      return;
+    }
 
-  const response = await fetch(`${gatewayUrl}/v1/secrets`, {
-    method: "POST",
-    headers,
-    body: JSON.stringify({
-      type: "credential",
-      name: "ANTHROPIC_API_KEY",
-      value: apiKey.trim(),
-    }),
-    signal: AbortSignal.timeout(10_000),
-  });
+    if (result.status === "skipped") {
+      console.log(result.message);
+      return;
+    }
 
-  if (!response.ok) {
+    console.error(`Error: ${result.message}`);
+    process.exit(1);
+  } catch (error) {
     console.error(
-      `Error: Failed to store API key in assistant (${response.status}).`,
+      error instanceof Error
+        ? `Error: ${error.message}`
+        : "Error: Setup failed.",
     );
     process.exit(1);
   }
-
-  console.log("\nAPI key saved to assistant. Setup complete.");
 }