@vellumai/cli 0.8.1 → 0.8.3

package/src/commands/hatch.ts

@@ -8,7 +8,6 @@ import {
   saveAssistantEntry,
   setActiveAssistant,
 } from "../lib/assistant-config";
-import { hatchAws } from "../lib/aws";
 import {
   SPECIES_CONFIG,
   VALID_REMOTE_HOSTS,
@@ -17,7 +16,6 @@ import {
 import type { RemoteHost, Species } from "../lib/constants";
 import { buildNestedConfig } from "../lib/config-utils";
 import { hatchDocker } from "../lib/docker";
-import { hatchGcp } from "../lib/gcp";
 import type { PollResult, WatchHatchingResult } from "../lib/gcp";
 import { hatchLocal } from "../lib/hatch-local";
 import {
@@ -169,6 +167,7 @@ source ${INSTALL_SCRIPT_REMOTE_PATH}
 }
 
 const DEFAULT_REMOTE: RemoteHost = "local";
+const UNSUPPORTED_REMOTE_HATCH_TARGETS = new Set<RemoteHost>(["aws", "gcp"]);
 
 interface HatchArgs {
   species: Species;
@@ -177,7 +176,9 @@ interface HatchArgs {
   name: string | null;
   remote: RemoteHost;
   watch: boolean;
+  sourcePath: string | null;
   configValues: Record<string, string>;
+  analyze: boolean;
 }
 
 function parseArgs(): HatchArgs {
@@ -188,7 +189,9 @@ function parseArgs(): HatchArgs {
   let name: string | null = null;
   let remote: RemoteHost = DEFAULT_REMOTE;
   let watch = false;
+  let sourcePath: string | null = null;
   const configValues: Record<string, string> = {};
+  let analyze = false;
 
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
@@ -210,17 +213,33 @@ function parseArgs(): HatchArgs {
       console.log(
         "  --watch                   Run assistant and gateway in watch mode (hot reload on source changes)",
       );
+      console.log(
+        "  --source <path>           Build images from a local source tree at <path> (no watcher). Useful for callers (e.g. evals) that want each run to pick up local CLI changes.",
+      );
       console.log(
         "  --keep-alive              Stay alive after hatch, exit when gateway stops",
       );
       console.log(
         "  --config <key=value>      Set a workspace config value (repeatable)",
       );
+      console.log(
+        "  --analyze                 Emit a structured hatch-timing log line on stdout",
+      );
       process.exit(0);
     } else if (arg === "-d") {
       detached = true;
     } else if (arg === "--watch") {
       watch = true;
+    } else if (arg === "--analyze") {
+      analyze = true;
+    } else if (arg === "--source") {
+      const next = args[i + 1];
+      if (!next || next.startsWith("-")) {
+        console.error("Error: --source requires a path argument");
+        process.exit(1);
+      }
+      sourcePath = next;
+      i++;
     } else if (arg === "--keep-alive") {
       keepAlive = true;
     } else if (arg === "--name") {
@@ -270,7 +289,7 @@ function parseArgs(): HatchArgs {
       species = arg as Species;
     } else {
       console.error(
-        `Error: Unknown argument '${arg}'. Valid options: ${VALID_SPECIES.join(", ")}, -d, --watch, --keep-alive, --name <name>, --remote <${VALID_REMOTE_HOSTS.join("|")}>, --config <key=value>`,
+        `Error: Unknown argument '${arg}'. Valid options: ${VALID_SPECIES.join(", ")}, -d, --watch, --source <path>, --keep-alive, --name <name>, --remote <${VALID_REMOTE_HOSTS.join("|")}>, --config <key=value>, --analyze`,
       );
       process.exit(1);
     }
@@ -283,7 +302,9 @@ function parseArgs(): HatchArgs {
     name,
     remote,
     watch,
+    sourcePath,
     configValues,
+    analyze,
   };
 }
 
@@ -508,8 +529,17 @@ export async function hatch(): Promise<void> {
   const cliVersion = getCliVersion();
   console.log(`@vellumai/cli v${cliVersion}`);
 
-  const { species, detached, keepAlive, name, remote, watch, configValues } =
-    parseArgs();
+  const {
+    species,
+    detached,
+    keepAlive,
+    name,
+    remote,
+    watch,
+    sourcePath,
+    configValues,
+    analyze,
+  } = parseArgs();
 
   if (watch && remote !== "local" && remote !== "docker") {
     console.error(
@@ -518,30 +548,33 @@ export async function hatch(): Promise<void> {
     process.exit(1);
   }
 
-  if (remote === "local") {
-    await hatchLocal(species, name, watch, keepAlive, configValues);
-    return;
+  if (sourcePath !== null && remote !== "docker") {
+    console.error(
+      "Error: --source is only supported for docker hatch targets.",
+    );
+    process.exit(1);
   }
 
-  if (remote === "gcp") {
-    await hatchGcp(
-      species,
-      detached,
-      name,
-      buildStartupScript,
-      watchHatching,
-      configValues,
+  if (UNSUPPORTED_REMOTE_HATCH_TARGETS.has(remote)) {
+    console.error(
+      `Error: \`vellum hatch --remote ${remote}\` is not a supported provisioning target yet.`,
     );
-    return;
+    console.error(
+      "No cloud resources were created. To self-host on AWS/GCP, SSH into the VM and run `vellum hatch` or `vellum hatch --remote docker` there.",
+    );
+    process.exit(1);
   }
 
-  if (remote === "aws") {
-    await hatchAws(species, detached, name, configValues);
+  if (remote === "local") {
+    await hatchLocal(species, name, watch, keepAlive, configValues);
     return;
   }
 
   if (remote === "docker") {
-    await hatchDocker(species, detached, name, watch, configValues);
+    await hatchDocker(species, detached, name, watch, configValues, {
+      sourcePath,
+      analyze,
+    });
     return;
   }
 

package/src/commands/setup.ts

@@ -1,80 +1,126 @@
-import { createInterface } from "readline";
-
 import { resolveAssistant } from "../lib/assistant-config.js";
+import {
+  leaseGuardianToken,
+  loadGuardianToken,
+  refreshGuardianToken,
+  type GuardianTokenData,
+} from "../lib/guardian-token.js";
+import {
+  ensureProviderApiKey,
+  formatProviderName,
+} from "../lib/provider-secrets.js";
+
+function parseSetupArgs(args: string[]): { provider: string } {
+  let provider = "anthropic";
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--provider") {
+      const value = args[i + 1];
+      if (!value || value.startsWith("-")) {
+        throw new Error("--provider requires a provider name.");
+      }
+      provider = value;
+      i++;
+    } else if (arg.startsWith("--provider=")) {
+      provider = arg.slice("--provider=".length);
+    } else {
+      throw new Error(`Unknown option: ${arg}`);
+    }
+  }
 
-async function promptMasked(prompt: string): Promise<string> {
-  return new Promise((resolve) => {
-    const rl = createInterface({
-      input: process.stdin,
-      output: process.stdout,
-    });
+  return { provider };
+}
 
-    process.stdout.write(prompt);
+function isGuardianAccessTokenUsable(
+  tokenData: GuardianTokenData | null,
+): tokenData is GuardianTokenData {
+  if (!tokenData?.accessToken) {
+    return false;
+  }
+  const expiresAt = new Date(tokenData.accessTokenExpiresAt).getTime();
+  return Number.isFinite(expiresAt) && expiresAt > Date.now();
+}
 
-    const stdin = process.stdin;
-    const wasRaw = stdin.isRaw;
-    if (stdin.isTTY) {
-      stdin.setRawMode(true);
+async function resolveSetupBearerToken(
+  entry: NonNullable<ReturnType<typeof resolveAssistant>>,
+  gatewayUrl: string,
+): Promise<string | undefined> {
+  const guardianToken = loadGuardianToken(entry.assistantId);
+  if (isGuardianAccessTokenUsable(guardianToken)) {
+    return guardianToken.accessToken;
+  }
+
+  if (guardianToken) {
+    const refreshedToken = await refreshGuardianToken(
+      gatewayUrl,
+      entry.assistantId,
+    );
+    if (isGuardianAccessTokenUsable(refreshedToken)) {
+      return refreshedToken.accessToken;
     }
+  }
 
-    let input = "";
-    const onData = (key: Buffer): void => {
-      const char = key.toString("utf-8");
-
-      if (char === "\r" || char === "\n") {
-        stdin.removeListener("data", onData);
-        if (stdin.isTTY) {
-          stdin.setRawMode(wasRaw ?? false);
-        }
-        process.stdout.write("\n");
-        rl.close();
-        resolve(input);
-      } else if (char === "\u0003") {
-        process.stdout.write("\n");
-        process.exit(1);
-      } else if (char === "\u007F" || char === "\b") {
-        if (input.length > 0) {
-          input = input.slice(0, -1);
-          process.stdout.write("\b \b");
-        }
-      } else if (char.length === 1 && char >= " ") {
-        input += char;
-        process.stdout.write("*");
+  const canLeaseGuardianToken =
+    entry.cloud === "local" || entry.cloud === "docker" || entry.localUrl;
+  if (canLeaseGuardianToken) {
+    try {
+      const bootstrapSecret =
+        typeof entry.guardianBootstrapSecret === "string"
+          ? entry.guardianBootstrapSecret
+          : undefined;
+      const leasedToken = await leaseGuardianToken(
+        gatewayUrl,
+        entry.assistantId,
+        bootstrapSecret,
+      );
+      if (isGuardianAccessTokenUsable(leasedToken)) {
+        return leasedToken.accessToken;
       }
-    };
-
-    stdin.on("data", onData);
-  });
-}
-
-async function validateAnthropicKey(apiKey: string): Promise<boolean> {
-  try {
-    const resp = await fetch("https://api.anthropic.com/v1/models", {
-      headers: {
-        "x-api-key": apiKey,
-        "anthropic-version": "2023-06-01",
-      },
-      signal: AbortSignal.timeout(10_000),
-    });
-    return resp.ok;
-  } catch {
-    return false;
+    } catch {
+      // Fall through to any lockfile bearer token, or let the setup request
+      // surface the gateway's auth error below.
+    }
   }
+
+  return entry.bearerToken;
 }
 
 export async function setup(): Promise<void> {
   const args = process.argv.slice(3);
 
   if (args.includes("--help") || args.includes("-h")) {
-    console.log("Usage: vellum setup");
+    console.log("Usage: vellum setup [--provider <provider>]");
     console.log("");
-    console.log("Interactive wizard to configure API keys.");
+    console.log("Configure a provider API key on the active assistant.");
+    console.log("");
+    console.log("Options:");
     console.log(
-      "Injects secrets into your running assistant via the gateway API.",
+      "  --provider <provider>  Provider to configure. Defaults to anthropic.",
     );
+    console.log("");
+    console.log("Behavior:");
+    console.log(
+      "  - Checks the active assistant for an existing provider key.",
+    );
+    console.log("  - Uses the matching environment variable when it is set.");
+    console.log("  - Otherwise prompts securely without echoing the key.");
+    console.log("");
+    console.log("Examples:");
+    console.log("  vellum setup");
+    console.log("  ANTHROPIC_API_KEY=... vellum setup");
+    console.log("  vellum setup --provider openai");
     process.exit(0);
   }
 
+  let parsed: { provider: string };
+  try {
+    parsed = parseSetupArgs(args);
+  } catch (error) {
+    console.error(error instanceof Error ? `Error: ${error.message}` : error);
+    process.exit(1);
+  }
+
   const entry = resolveAssistant();
   if (!entry) {
     console.error(
@@ -84,54 +130,47 @@ export async function setup(): Promise<void> {
   }
 
   const gatewayUrl = entry.localUrl ?? entry.runtimeUrl;
+  const bearerToken = await resolveSetupBearerToken(entry, gatewayUrl);
 
   console.log("Vellum Setup");
   console.log("============\n");
 
-  const apiKey = await promptMasked(
-    "Enter your Anthropic API key (sk-ant-...): ",
-  );
-
-  if (!apiKey.trim()) {
-    console.error("Error: API key cannot be empty.");
-    process.exit(1);
-  }
+  try {
+    const result = await ensureProviderApiKey({
+      gatewayUrl,
+      provider: parsed.provider,
+      bearerToken,
+      env: process.env,
+    });
 
-  console.log("Validating key...");
-  const valid = await validateAnthropicKey(apiKey.trim());
+    if (result.status === "already_configured") {
+      console.log(
+        `${formatProviderName(result.provider)} API key is already configured.`,
+      );
+      return;
+    }
 
-  if (!valid) {
-    console.error(
-      "Error: Invalid API key. Could not authenticate with the Anthropic API.",
-    );
-    process.exit(1);
-  }
+    if (result.status === "configured") {
+      const providerName = formatProviderName(result.provider);
+      const source = result.source === "env" ? " from the environment" : "";
+      console.log(`\n${providerName} API key saved to assistant${source}.`);
+      console.log("Setup complete.");
+      return;
+    }
 
-  const headers: Record<string, string> = {
-    "Content-Type": "application/json",
-    Accept: "application/json",
-  };
-  if (entry.bearerToken) {
-    headers["Authorization"] = `Bearer ${entry.bearerToken}`;
-  }
+    if (result.status === "skipped") {
+      console.log(result.message);
+      return;
+    }
 
-  const response = await fetch(`${gatewayUrl}/v1/secrets`, {
-    method: "POST",
-    headers,
-    body: JSON.stringify({
-      type: "credential",
-      name: "ANTHROPIC_API_KEY",
-      value: apiKey.trim(),
-    }),
-    signal: AbortSignal.timeout(10_000),
-  });
-
-  if (!response.ok) {
+    console.error(`Error: ${result.message}`);
+    process.exit(1);
+  } catch (error) {
     console.error(
-      `Error: Failed to store API key in assistant (${response.status}).`,
+      error instanceof Error
+        ? `Error: ${error.message}`
+        : "Error: Setup failed.",
     );
     process.exit(1);
   }
-
-  console.log("\nAPI key saved to assistant. Setup complete.");
 }

package/src/commands/teleport.ts

@@ -877,7 +877,16 @@ export async function resolveOrHatchTarget(
   // Hatch a new assistant in the target environment
   if (targetEnv === "local") {
     const beforeIds = new Set(loadAllAssistants().map((e) => e.assistantId));
-    await hatchLocal("vellum", targetName ?? null, false, false, {});
+    await hatchLocal(
+      "vellum",
+      targetName ?? null,
+      false,
+      false,
+      {},
+      {
+        setupProviderCredentials: false,
+      },
+    );
     const entry = targetName
       ? findAssistantByName(targetName)
       : (loadAllAssistants().find((e) => !beforeIds.has(e.assistantId)) ??
@@ -892,7 +901,16 @@ export async function resolveOrHatchTarget(
 
   if (targetEnv === "docker") {
     const beforeIds = new Set(loadAllAssistants().map((e) => e.assistantId));
-    await hatchDocker("vellum", false, targetName ?? null, false, {});
+    await hatchDocker(
+      "vellum",
+      false,
+      targetName ?? null,
+      false,
+      {},
+      {
+        setupProviderCredentials: false,
+      },
+    );
     const entry = targetName
       ? findAssistantByName(targetName)
       : (loadAllAssistants().find((e) => !beforeIds.has(e.assistantId)) ??