@vellumai/cli 0.8.12-staging.2 → 0.9.0-staging.1

package/src/lib/statefulset.ts

@@ -16,22 +16,29 @@ import { PROVIDER_ENV_VAR_NAMES } from "../shared/provider-env-vars.js";
 
 const AVATAR_DEVICE_ENV_VAR = "VELLUM_AVATAR_DEVICE";
 
+/**
+ * In-container path the assistant's extra CA bundle is mounted at when
+ * `assistantCaCertPath` is supplied. Read-only and outside the
+ * `update-ca-certificates` directory so it's consumed purely via
+ * `NODE_EXTRA_CA_CERTS` without touching the system trust store.
+ */
+const ASSISTANT_EXTRA_CA_TARGET = "/etc/vellum/extra-ca-cert.pem";
+
 /** Logical service name used throughout the CLI. */
 export type ServiceName = "assistant" | "gateway" | "credential-executor";
 
 /**
- /**
-  * The four fields from `dockerResourceNames()` that the builder actually uses.
-  * Container/network names come from here; volume names are generated by the
-  * `volumeClaimTemplates` in the spec. `ReturnType<typeof dockerResourceNames>`
-  * structurally satisfies this interface (it has all these fields plus more).
-  */
- export interface DockerResourceNames {
-   assistantContainer: string;
-   cesContainer: string;
-   gatewayContainer: string;
-   network: string;
- }
+ * The four fields from `dockerResourceNames()` that the builder actually uses.
+ * Container/network names come from here; volume names are generated by the
+ * `volumeClaimTemplates` in the spec. `ReturnType<typeof dockerResourceNames>`
+ * structurally satisfies this interface (it has all these fields plus more).
+ */
+export interface DockerResourceNames {
+  assistantContainer: string;
+  cesContainer: string;
+  gatewayContainer: string;
+  network: string;
+}
 
 // ---------------------------------------------------------------------------
 // Types
@@ -133,6 +140,7 @@ export interface DockerRunSecrets {
 // Spec
 // ---------------------------------------------------------------------------
 
+// prettier-ignore
 export const DOCKER_STATEFUL_SET_SPEC: DockerStatefulSetSpec = {
   startOrder: ["assistant", "gateway", "credential-executor"],
 
@@ -260,6 +268,21 @@ export interface BuildServiceRunArgsOpts extends DockerRunSecrets {
   extraGatewayEnv?: Record<string, string>;
   /** Avatar device path, if available. Injected by `docker.ts` after resolving. */
   avatarDevicePath?: string;
+  /**
+   * Name of an existing container whose network namespace every service
+   * joins via `--network=container:<name>`, instead of the assistant owning
+   * the namespace. When set, the assistant publishes no host ports — the
+   * namespace owner is responsible for port publishing — and no per-instance
+   * Docker network is referenced.
+   */
+  netnsContainer?: string;
+  /**
+   * Host path to a PEM CA bundle to bind-mount into the assistant container
+   * and trust at process start via `NODE_EXTRA_CA_CERTS`. Used when the
+   * assistant's outbound TLS is terminated by a proxy whose certificate is
+   * signed by a CA outside the default trust set.
+   */
+  assistantCaCertPath?: string;
 }
 
 interface BuilderManagedEnvKeys {
@@ -283,13 +306,17 @@ export function getBuilderManagedEnvKeys(
   spec = DOCKER_STATEFUL_SET_SPEC,
 ): BuilderManagedEnvKeys {
   const container = spec.containers.find((c) => c.internalName === service);
-  if (!container) throw new Error(`docker-statefulset: unknown service "${service}"`);
+  if (!container)
+    throw new Error(`docker-statefulset: unknown service "${service}"`);
 
   const always = new Set<string>(["PATH"]);
   const hostForwarded: Array<{ name: string; hostVar: string }> = [];
   for (const entry of container.env) {
     if (entry.kind === "host") {
-      hostForwarded.push({ name: entry.name, hostVar: entry.hostVar ?? entry.name });
+      hostForwarded.push({
+        name: entry.name,
+        hostVar: entry.hostVar ?? entry.name,
+      });
     } else {
       always.add(entry.name);
     }
@@ -311,7 +338,8 @@ function resolveVolume(
   volumeName: string,
 ): string {
   const claim = spec.volumeClaimTemplates.find((v) => v.name === volumeName);
-  if (!claim) throw new Error(`docker-statefulset: unknown volume "${volumeName}"`);
+  if (!claim)
+    throw new Error(`docker-statefulset: unknown volume "${volumeName}"`);
   return claim.dockerVolume(instanceName);
 }
 
@@ -331,6 +359,8 @@ export function buildServiceRunArgs(
     extraAssistantEnv,
     extraGatewayEnv,
     avatarDevicePath,
+    netnsContainer,
+    assistantCaCertPath,
   } = opts;
 
   const result = {} as Record<ServiceName, () => string[]>;
@@ -356,7 +386,11 @@ export function buildServiceRunArgs(
       }
 
       // Network
-      if (container.network === "bridge") {
+      if (netnsContainer) {
+        // Every service joins an externally-owned namespace. The owner
+        // publishes host ports, so nothing is published here.
+        args.push(`--network=container:${netnsContainer}`);
+      } else if (container.network === "bridge") {
         args.push(`--network=${res.network}`);
         for (const port of container.ports ?? []) {
           const hostSide =
@@ -374,7 +408,12 @@ export function buildServiceRunArgs(
       // Volume mounts
       for (const mount of container.volumeMounts) {
         const vol = resolveVolume(spec, instanceName, mount.volumeName);
-        args.push("-v", mount.readOnly ? `${vol}:${mount.mountPath}:ro` : `${vol}:${mount.mountPath}`);
+        args.push(
+          "-v",
+          mount.readOnly
+            ? `${vol}:${mount.mountPath}:ro`
+            : `${vol}:${mount.mountPath}`,
+        );
       }
 
       // Env vars from spec
@@ -401,8 +440,10 @@ export function buildServiceRunArgs(
       // Assistant-only computed / optional additions
       if (svc === "assistant") {
         args.push(
-          "-e", `VELLUM_ASSISTANT_NAME=${instanceName}`,
-          "-e", `GATEWAY_INTERNAL_URL=http://localhost:${GATEWAY_INTERNAL_PORT}`,
+          "-e",
+          `VELLUM_ASSISTANT_NAME=${instanceName}`,
+          "-e",
+          `GATEWAY_INTERNAL_URL=http://localhost:${GATEWAY_INTERNAL_PORT}`,
         );
 
         if (extraAssistantEnv) {
@@ -413,8 +454,19 @@ export function buildServiceRunArgs(
 
         if (avatarDevicePath && existsSync(avatarDevicePath)) {
           args.push(
-            "--device", `${avatarDevicePath}:${avatarDevicePath}`,
-            "-e", `${AVATAR_DEVICE_ENV_VAR}=${avatarDevicePath}`,
+            "--device",
+            `${avatarDevicePath}:${avatarDevicePath}`,
+            "-e",
+            `${AVATAR_DEVICE_ENV_VAR}=${avatarDevicePath}`,
+          );
+        }
+
+        if (assistantCaCertPath) {
+          args.push(
+            "-v",
+            `${assistantCaCertPath}:${ASSISTANT_EXTRA_CA_TARGET}:ro`,
+            "-e",
+            `NODE_EXTRA_CA_CERTS=${ASSISTANT_EXTRA_CA_TARGET}`,
           );
         }
       }

package/src/lib/sync-cloud-assistants.ts

@@ -15,7 +15,6 @@
 
 import {
   loadAllAssistants,
-  normalizeVersion,
   removeAssistantEntry,
   saveAssistantEntry,
 } from "./assistant-config.js";
@@ -23,7 +22,6 @@ import {
   fetchCurrentUser,
   fetchPlatformAssistants,
   getPlatformUrl,
-  type HatchedAssistant,
 } from "./platform-client.js";
 
 export type SyncLogger = (message: string) => void;
@@ -84,7 +82,7 @@ export async function syncCloudAssistants(
     }
   }
 
-  let platformAssistants: HatchedAssistant[];
+  let platformAssistants: { id: string; name: string; status: string }[];
   try {
     log?.("Fetching platform assistants…");
     platformAssistants = await fetchPlatformAssistants(token);
@@ -128,33 +126,22 @@ export async function syncCloudAssistants(
     const existing = existingCloudById.get(pa.id);
     const assistantName = pa.name.trim();
     const nameFields = assistantName ? { name: assistantName } : {};
-    // undefined when the platform reports no release — written through on
-    // update so a stale cached version is cleared, not preserved.
-    const version =
-      pa.current_release_version != null
-        ? normalizeVersion(pa.current_release_version)
-        : undefined;
     if (!existing) {
       log?.(`Adding ${pa.name || pa.id} to lockfile`);
       saveAssistantEntry({
         assistantId: pa.id,
         ...nameFields,
-        ...(version && { version }),
         runtimeUrl: getPlatformUrl(),
         cloud: "vellum",
         species: "vellum",
         hatchedAt: new Date().toISOString(),
       });
       added++;
-    } else if (
-      (assistantName && existing.name !== assistantName) ||
-      existing.version !== version
-    ) {
-      log?.(`Updating ${pa.id} from platform`);
+    } else if (assistantName && existing.name !== assistantName) {
+      log?.(`Updating ${pa.id} name to ${assistantName}`);
       saveAssistantEntry({
         ...existing,
-        ...nameFields,
-        version,
+        name: assistantName,
       });
       updated++;
     }

package/src/lib/upgrade-lifecycle.ts

@@ -4,7 +4,7 @@ import { existsSync, mkdirSync, writeFileSync } from "fs";
 import { join } from "path";
 
 import type { AssistantEntry } from "./assistant-config.js";
-import { normalizeVersion, saveAssistantEntry } from "./assistant-config.js";
+import { saveAssistantEntry } from "./assistant-config.js";
 import { createBackup, pruneOldBackups, restoreBackup } from "./backup-ops.js";
 import { emitCliError } from "./cli-error.js";
 import { getOrCreateHostDeviceId } from "./device-id.js";
@@ -779,7 +779,6 @@ export async function performDockerRollback(
       previousContainerInfo: entry.containerInfo,
       previousDbMigrationVersion: preMigrationState.dbVersion,
       previousWorkspaceMigrationId: preMigrationState.lastWorkspaceMigrationId,
-      version: normalizeVersion(targetVersion),
       preUpgradeBackupPath: undefined,
     };
     saveAssistantEntry(updatedEntry);

package/src/lib/workos-pkce.ts

@@ -0,0 +1,160 @@
+/**
+ * App-held PKCE login against WorkOS User Management (RFC 8252 loopback).
+ */
+
+import crypto from "node:crypto";
+
+import { loopbackSafeFetch } from "./loopback-fetch.js";
+
+const WORKOS_API_BASE_URL = "https://api.workos.com";
+const PROVIDER_ID = "workos";
+const SCOPE = "openid profile email";
+
+// Use a loopback callback: `http://127.0.0.1:*/auth/callback`
+export const CALLBACK_PATH = "/auth/callback";
+
+export interface PkcePair {
+  verifier: string;
+  challenge: string;
+}
+
+export function generatePkcePair(): PkcePair {
+  const verifier = crypto.randomBytes(32).toString("base64url");
+  const challenge = crypto
+    .createHash("sha256")
+    .update(verifier)
+    .digest("base64url");
+  return { verifier, challenge };
+}
+
+export interface AuthorizeUrlOptions {
+  clientId: string;
+  redirectUri: string;
+  challenge: string;
+  state: string;
+  loginHint?: string;
+  providerHint?: string;
+}
+
+export function buildAuthorizeUrl(options: AuthorizeUrlOptions): string {
+  const url = new URL("/user_management/authorize", WORKOS_API_BASE_URL);
+  url.searchParams.set("client_id", options.clientId);
+  url.searchParams.set("redirect_uri", options.redirectUri);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("scope", SCOPE);
+  url.searchParams.set("code_challenge", options.challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("state", options.state);
+  // No `prompt`: lets the browser's existing IdP session be reused.
+  url.searchParams.set("provider", options.providerHint || "authkit");
+  if (options.loginHint) url.searchParams.set("login_hint", options.loginHint);
+  return url.toString();
+}
+
+interface HeadlessProviderEntry {
+  id: string;
+  name?: string;
+  client_id?: string;
+  flows?: string[];
+  openid_configuration_url?: string;
+}
+
+/**
+ * Pick the OAuth2 WorkOS provider from the headless config. During the
+ * coexistence window two entries share the "workos-oidc" id; the usable one
+ * has token auth and no OIDC discovery URL. Null if none.
+ */
+export function selectWorkosClientId(
+  providers: HeadlessProviderEntry[],
+): string | null {
+  const entry = providers.find(
+    (p) =>
+      !p.openid_configuration_url &&
+      (p.flows ?? []).includes("provider_token") &&
+      typeof p.client_id === "string",
+  );
+  return entry?.client_id ?? null;
+}
+
+export async function fetchWorkosClientId(
+  platformUrl: string,
+): Promise<string> {
+  const url = `${new URL(platformUrl).origin}/_allauth/app/v1/config`;
+  const response = await loopbackSafeFetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch auth config (${response.status})`);
+  }
+  const body = (await response.json()) as {
+    data?: { socialaccount?: { providers?: HeadlessProviderEntry[] } };
+  };
+  const clientId = selectWorkosClientId(
+    body.data?.socialaccount?.providers ?? [],
+  );
+  if (!clientId) {
+    throw new Error(
+      "Platform does not advertise a token-auth WorkOS provider; cannot start PKCE login.",
+    );
+  }
+  return clientId;
+}
+
+/** Exchange the authorization code at WorkOS as a public client. */
+export async function exchangeCodeWithWorkos(options: {
+  clientId: string;
+  code: string;
+  verifier: string;
+}): Promise<string> {
+  const response = await loopbackSafeFetch(
+    `${WORKOS_API_BASE_URL}/user_management/authenticate`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_id: options.clientId,
+        grant_type: "authorization_code",
+        code: options.code,
+        code_verifier: options.verifier,
+      }),
+    },
+  );
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(
+      `WorkOS code exchange failed (${response.status}): ${body}`,
+    );
+  }
+  const data = (await response.json()) as { access_token?: string };
+  if (!data.access_token) {
+    throw new Error("WorkOS code exchange returned no access token.");
+  }
+  return data.access_token;
+}
+
+/** Exchange the WorkOS access token for a platform session token. */
+export async function exchangeAccessTokenForSession(
+  platformUrl: string,
+  clientId: string,
+  accessToken: string,
+): Promise<string> {
+  const url = `${new URL(platformUrl).origin}/_allauth/app/v1/auth/provider/token`;
+  const response = await loopbackSafeFetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      provider: PROVIDER_ID,
+      process: "login",
+      token: { client_id: clientId, access_token: accessToken },
+    }),
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(`Session exchange failed (${response.status}): ${body}`);
+  }
+  const data = (await response.json()) as {
+    meta?: { session_token?: string };
+  };
+  if (!data.meta?.session_token) {
+    throw new Error("Session exchange returned no session token.");
+  }
+  return data.meta.session_token;
+}