npm - @vellumai/cli - Versions diffs - 0.8.12 → 0.9.0-dev.202606162156.4bad3e5 - Mend

@vellumai/cli 0.8.12 → 0.9.0-dev.202606162156.4bad3e5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/README.md +1 -1
package/bun.lock +49 -56
package/node_modules/@vellumai/local-mode/src/__tests__/status.test.ts +224 -0
package/node_modules/@vellumai/local-mode/src/__tests__/wake.test.ts +19 -0
package/node_modules/@vellumai/local-mode/src/index.ts +8 -1
package/node_modules/@vellumai/local-mode/src/lockfile-contract.test.ts +0 -15
package/node_modules/@vellumai/local-mode/src/lockfile-contract.ts +8 -4
package/node_modules/@vellumai/local-mode/src/sleep.ts +80 -0
package/node_modules/@vellumai/local-mode/src/status.ts +342 -0
package/node_modules/@vellumai/local-mode/src/wake.ts +12 -1
package/package.json +3 -3
package/src/__tests__/assistant-config.test.ts +1 -2
package/src/__tests__/device-id.test.ts +6 -14
package/src/__tests__/helpers/os-mock.ts +27 -0
package/src/__tests__/login-loopback.test.ts +71 -0
package/src/__tests__/multi-local.test.ts +2 -10
package/src/__tests__/nginx-ingress-command.test.ts +69 -0
package/src/__tests__/nginx-ingress.test.ts +403 -0
package/src/__tests__/sleep.test.ts +4 -0
package/src/__tests__/teleport.test.ts +6 -9
package/src/__tests__/tunnel.test.ts +164 -0
package/src/__tests__/wake.test.ts +15 -4
package/src/__tests__/workos-pkce.test.ts +314 -0
package/src/commands/flags.ts +1 -22
package/src/commands/hatch.ts +90 -9
package/src/commands/login.ts +123 -59
package/src/commands/nginx-ingress.ts +291 -0
package/src/commands/rollback.ts +0 -6
package/src/commands/sleep.ts +17 -0
package/src/commands/teleport.ts +23 -36
package/src/commands/tunnel.ts +69 -11
package/src/commands/upgrade.ts +0 -2
package/src/commands/wake.ts +7 -5
package/src/commands/workflows.ts +301 -0
package/src/index.ts +8 -0
package/src/lib/arg-utils.ts +48 -0
package/src/lib/assistant-client.ts +2 -0
package/src/lib/assistant-config.ts +0 -7
package/src/lib/cloudflare-tunnel.ts +15 -2
package/src/lib/docker.ts +103 -49
package/src/lib/feature-flags.test.ts +157 -0
package/src/lib/feature-flags.ts +38 -0
package/src/lib/hatch-local.ts +0 -1
package/src/lib/local.ts +5 -0
package/src/lib/nginx-ingress.ts +576 -0
package/src/lib/ngrok.ts +26 -4
package/src/lib/platform-client.ts +0 -1
package/src/lib/retire-local.ts +5 -0
package/src/lib/statefulset.ts +73 -21
package/src/lib/sync-cloud-assistants.ts +4 -17
package/src/lib/upgrade-lifecycle.ts +1 -2
package/src/lib/workos-pkce.ts +160 -0

package/src/commands/hatch.ts CHANGED Viewed

@@ -5,7 +5,6 @@ import cliPkg from "../../package.json";
 import { buildOpenclawStartupScript } from "../adapters/openclaw";
 import {
-  normalizeVersion,
   saveAssistantEntry,
   setActiveAssistant,
 } from "../lib/assistant-config";
@@ -183,6 +182,9 @@ interface HatchArgs {
   flagEnvVars: Record<string, string>;
   analyze: boolean;
   disablePlatform: boolean;
+  netnsContainer: string | null;
+  gatewayPort: number | null;
+  assistantCaCert: string | null;
 }
 function parseArgs(): HatchArgs {
@@ -190,8 +192,10 @@ function parseArgs(): HatchArgs {
     process.argv.slice(3),
   );
   const flagEnvVars = { ...readAmbientFlagEnvVars(), ...cliFlagVars };
-  const disablePlatformAmbient = process.env.VELLUM_DISABLE_PLATFORM?.trim().toLowerCase();
-  let disablePlatform = disablePlatformAmbient === "true" || disablePlatformAmbient === "1";
+  const disablePlatformAmbient =
+    process.env.VELLUM_DISABLE_PLATFORM?.trim().toLowerCase();
+  let disablePlatform =
+    disablePlatformAmbient === "true" || disablePlatformAmbient === "1";
   let species: Species = DEFAULT_SPECIES;
   let detached = false;
   let keepAlive = false;
@@ -201,6 +205,9 @@ function parseArgs(): HatchArgs {
   let sourcePath: string | null = null;
   const configValues: Record<string, string> = {};
   let analyze = false;
+  let netnsContainer: string | null = null;
+  let gatewayPort: number | null = null;
+  let assistantCaCert: string | null = null;
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
@@ -240,6 +247,15 @@ function parseArgs(): HatchArgs {
       console.log(
         "  --disable-platform        Suppress all outbound platform API calls",
       );
+      console.log(
+        "  --netns-container <name>  Join an existing container's network namespace (docker target only) instead of creating a per-instance network. The namespace owner publishes host ports, so --gateway-port is required.",
+      );
+      console.log(
+        "  --gateway-port <port>     Use an explicit host port for the gateway runtime URL instead of auto-allocating. Required with --netns-container.",
+      );
+      console.log(
+        "  --assistant-ca-cert <path>  Trust an extra PEM CA bundle in the assistant container (NODE_EXTRA_CA_CERTS) from process start. Useful behind a TLS-terminating egress proxy.",
+      );
       process.exit(0);
     } else if (arg === "-d") {
       detached = true;
@@ -302,11 +318,38 @@ function parseArgs(): HatchArgs {
       i++;
     } else if (arg === "--disable-platform") {
       disablePlatform = true;
+    } else if (arg === "--netns-container") {
+      const next = args[i + 1];
+      if (!next || next.startsWith("-")) {
+        console.error("Error: --netns-container requires a container name");
+        process.exit(1);
+      }
+      netnsContainer = next;
+      i++;
+    } else if (arg === "--gateway-port") {
+      const next = args[i + 1];
+      const parsed = next ? Number(next) : NaN;
+      if (!Number.isInteger(parsed) || parsed <= 0 || parsed > 65535) {
+        console.error(
+          "Error: --gateway-port requires an integer port in 1-65535",
+        );
+        process.exit(1);
+      }
+      gatewayPort = parsed;
+      i++;
+    } else if (arg === "--assistant-ca-cert") {
+      const next = args[i + 1];
+      if (!next || next.startsWith("-")) {
+        console.error("Error: --assistant-ca-cert requires a path argument");
+        process.exit(1);
+      }
+      assistantCaCert = next;
+      i++;
     } else if (VALID_SPECIES.includes(arg as Species)) {
       species = arg as Species;
     } else {
       console.error(
-        `Error: Unknown argument '${arg}'. Valid options: ${VALID_SPECIES.join(", ")}, -d, --watch, --source <path>, --keep-alive, --name <name>, --remote <${VALID_REMOTE_HOSTS.join("|")}>, --config <key=value>, --flag <key=value>, --analyze, --disable-platform`,
+        `Error: Unknown argument '${arg}'. Valid options: ${VALID_SPECIES.join(", ")}, -d, --watch, --source <path>, --keep-alive, --name <name>, --remote <${VALID_REMOTE_HOSTS.join("|")}>, --config <key=value>, --flag <key=value>, --analyze, --disable-platform, --netns-container <name>, --gateway-port <port>, --assistant-ca-cert <path>`,
       );
       process.exit(1);
     }
@@ -324,6 +367,9 @@ function parseArgs(): HatchArgs {
     flagEnvVars,
     analyze,
     disablePlatform,
+    netnsContainer,
+    gatewayPort,
+    assistantCaCert,
   };
 }
@@ -560,6 +606,9 @@ export async function hatch(): Promise<void> {
     flagEnvVars,
     analyze,
     disablePlatform,
+    netnsContainer,
+    gatewayPort,
+    assistantCaCert,
   } = parseArgs();
   if (disablePlatform) {
@@ -581,6 +630,25 @@ export async function hatch(): Promise<void> {
     process.exit(1);
   }
+  if (
+    (netnsContainer !== null ||
+      gatewayPort !== null ||
+      assistantCaCert !== null) &&
+    remote !== "docker"
+  ) {
+    console.error(
+      "Error: --netns-container, --gateway-port, and --assistant-ca-cert are only supported for docker hatch targets.",
+    );
+    process.exit(1);
+  }
+  if (netnsContainer !== null && gatewayPort === null) {
+    console.error(
+      "Error: --gateway-port is required with --netns-container (the namespace owner publishes the port before hatch runs).",
+    );
+    process.exit(1);
+  }
   if (UNSUPPORTED_REMOTE_HATCH_TARGETS.has(remote)) {
     console.error(
       `Error: \`vellum hatch --remote ${remote}\` is not a supported provisioning target yet.`,
@@ -592,14 +660,30 @@ export async function hatch(): Promise<void> {
   }
   if (remote === "local") {
-    await hatchLocal(species, name, watch, keepAlive, configValues, flagEnvVars);
+    await hatchLocal(
+      species,
+      name,
+      watch,
+      keepAlive,
+      configValues,
+      flagEnvVars,
+    );
     return;
   }
   if (remote === "docker") {
-    await hatchDocker(species, detached, name, watch, configValues, flagEnvVars, {
+    await hatchDocker({
+      species,
+      detached,
+      name,
+      watch,
+      configValues,
+      flagEnvVars,
       sourcePath,
       analyze,
+      netnsContainer: netnsContainer ?? undefined,
+      gatewayPort: gatewayPort ?? undefined,
+      assistantCaCertPath: assistantCaCert ?? undefined,
     });
     return;
   }
@@ -639,9 +723,6 @@ async function hatchVellumPlatform(): Promise<void> {
     cloud: "vellum",
     species: "vellum",
     hatchedAt: new Date().toISOString(),
-    ...(result.current_release_version != null && {
-      version: normalizeVersion(result.current_release_version),
-    }),
   });
   setActiveAssistant(result.id);

package/src/commands/login.ts CHANGED Viewed

@@ -1,19 +1,16 @@
-import { createServer } from "http";
 import { spawn } from "child_process";
 import { randomBytes } from "crypto";
+import { createServer } from "http";
+import type { AddressInfo } from "net";
 import {
   getActiveAssistant,
-  resolveAssistant,
   loadAllAssistants,
   removeAssistantEntry,
+  resolveAssistant,
   setActiveAssistant,
 } from "../lib/assistant-config";
 import { computeDeviceId } from "../lib/guardian-token";
-import {
-  fetchAssistantIngressUrl,
-  fetchCurrentVersion,
-} from "../lib/upgrade-lifecycle.js";
 import {
   clearPlatformToken,
   ensureSelfHostedLocalRegistration,
@@ -21,7 +18,6 @@ import {
   fetchOrganizationId,
   fetchPlatformAssistants,
   getPlatformUrl,
-  getWebUrl,
   injectCredentialsIntoAssistant,
   readGatewayCredential,
   readPlatformToken,
@@ -29,6 +25,18 @@ import {
   savePlatformToken,
 } from "../lib/platform-client";
 import { syncCloudAssistants } from "../lib/sync-cloud-assistants";
+import {
+  fetchAssistantIngressUrl,
+  fetchCurrentVersion,
+} from "../lib/upgrade-lifecycle.js";
+import {
+  CALLBACK_PATH,
+  buildAuthorizeUrl,
+  exchangeAccessTokenForSession,
+  exchangeCodeWithWorkos,
+  fetchWorkosClientId,
+  generatePkcePair,
+} from "../lib/workos-pkce";
 const LOGIN_TIMEOUT_MS = 120_000; // 2 minutes
@@ -41,7 +49,11 @@ function escapeHtml(s: string): string {
     .replace(/'/g, "&#39;");
 }
-function renderLoginPage(title: string, subtitle: string, success: boolean): string {
+function renderLoginPage(
+  title: string,
+  subtitle: string,
+  success: boolean,
+): string {
   const checkmarkSvg = `<svg class="icon" viewBox="0 0 56 56" fill="none" xmlns="http://www.w3.org/2000/svg">
       <circle cx="28" cy="28" r="28" fill="var(--positive-bg)"/>
       <path class="check" d="M17 28.5L24.5 36L39 21" stroke="var(--positive-fg)" stroke-width="3.5" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
@@ -175,78 +187,131 @@ function openBrowser(url: string): void {
   child.unref();
 }
+export interface LoopbackListener {
+  /** The full `http://127.0.0.1:<port>/auth/callback` redirect URI. */
+  redirectUri: string;
+  /** Resolves with the authorization code once the state-matched callback arrives. */
+  waitForCode: Promise<string>;
+  /** Tear down the server, rejecting any pending waiter with `reason`. */
+  close: (reason?: string) => void;
+}
 /**
- * Start a local HTTP server, open the browser to the platform login page,
- * and wait for the platform to redirect back with the session token.
+ * Bind an ephemeral 127.0.0.1 listener and wait for the OAuth redirect.
+ * Exported for tests; production callers go through `workosPkceLogin`.
  */
-function browserLogin(webUrl: string): Promise<string> {
-  return new Promise((resolve, reject) => {
-    const state = randomBytes(32).toString("hex");
+export function startLoopbackListener(
+  expectedState: string,
+): Promise<LoopbackListener> {
+  return new Promise((resolveListener, rejectListener) => {
+    let settle: {
+      resolve: (code: string) => void;
+      reject: (err: Error) => void;
+    };
+    const waitForCode = new Promise<string>((resolve, reject) => {
+      settle = { resolve, reject };
+    });
     const server = createServer((req, res) => {
-      const url = new URL(req.url ?? "/", `http://localhost`);
-      if (url.pathname !== "/callback") {
+      const url = new URL(req.url ?? "/", "http://127.0.0.1");
+      if (
+        url.pathname !== CALLBACK_PATH ||
+        url.searchParams.get("state") !== expectedState
+      ) {
         res.writeHead(404, { "Content-Type": "text/plain" });
         res.end("Not found");
         return;
       }
-      const receivedState = url.searchParams.get("state");
-      const sessionToken = url.searchParams.get("session_token");
-      if (receivedState !== state) {
+      const error = url.searchParams.get("error");
+      const code = url.searchParams.get("code");
+      if (error || !code) {
         res.writeHead(400, { "Content-Type": "text/html" });
-        res.end(renderLoginPage("Login Failed", "State mismatch. Please try again.", false));
-        cleanup("State mismatch — possible CSRF attack.");
-        return;
-      }
-      if (!sessionToken) {
-        res.writeHead(400, { "Content-Type": "text/html" });
-        res.end(renderLoginPage("Login Failed", "No session token received. Please try again.", false));
-        cleanup("No session token received from platform.");
+        res.end(
+          renderLoginPage(
+            "Login Failed",
+            "Please try again from your terminal.",
+            false,
+          ),
+        );
+        server.close();
+        settle.reject(
+          new Error(
+            `Authentication failed: ${error ?? "no authorization code received"}`,
+          ),
+        );
         return;
       }
       res.writeHead(200, { "Content-Type": "text/html" });
-      res.end(renderLoginPage("Login Successful", "You can close this window and return to your terminal.", true));
-      cleanup(null, sessionToken);
-    });
-    const timeout = setTimeout(() => {
-      cleanup("Login timed out. Please try again.");
-    }, LOGIN_TIMEOUT_MS);
-    function cleanup(error: string | null, token?: string): void {
-      clearTimeout(timeout);
+      res.end(
+        renderLoginPage(
+          "Login Successful",
+          "You can close this window and return to your terminal.",
+          true,
+        ),
+      );
       server.close();
-      if (error) {
-        reject(new Error(error));
-      } else if (token) {
-        resolve(token);
-      } else {
-        reject(new Error("Unknown error during login."));
-      }
-    }
+      settle.resolve(code);
+    });
-    server.on("error", (err) => cleanup(err.message));
+    server.on("error", rejectListener);
     server.listen(0, "127.0.0.1", () => {
       const addr = server.address();
       if (!addr || typeof addr === "string") {
-        cleanup("Failed to start local server.");
+        rejectListener(new Error("Failed to start local server."));
         return;
       }
+      const { port } = addr as AddressInfo;
+      resolveListener({
+        redirectUri: `http://127.0.0.1:${port}${CALLBACK_PATH}`,
+        waitForCode,
+        close: (reason?: string) => {
+          server.close();
+          settle.reject(new Error(reason ?? "Login cancelled."));
+        },
+      });
+    });
+  });
+}
+/** App-held WorkOS PKCE login */
+async function workosPkceLogin(platformUrl: string): Promise<string> {
+  const clientId = await fetchWorkosClientId(platformUrl);
+  const { verifier, challenge } = generatePkcePair();
+  const state = randomBytes(32).toString("hex");
-      const port = addr.port;
-      const returnTo = `/accounts/cli/callback?port=${port}&state=${state}`;
-      const loginUrl = `${webUrl}/account/login?returnTo=${encodeURIComponent(returnTo)}`;
+  const listener = await startLoopbackListener(state);
+  const timeout = setTimeout(() => {
+    listener.close("Login timed out. Please try again.");
+  }, LOGIN_TIMEOUT_MS);
-      console.log("Opening browser for login...");
-      console.log(`If the browser doesn't open, visit: ${loginUrl}`);
-      openBrowser(loginUrl);
+  try {
+    const authorizeUrl = buildAuthorizeUrl({
+      clientId,
+      redirectUri: listener.redirectUri,
+      challenge,
+      state,
     });
-  });
+    console.log("Opening browser for login...");
+    console.log(`If the browser doesn't open, visit: ${authorizeUrl}`);
+    openBrowser(authorizeUrl);
+    const code = await listener.waitForCode;
+    const accessToken = await exchangeCodeWithWorkos({
+      clientId,
+      code,
+      verifier,
+    });
+    return await exchangeAccessTokenForSession(
+      platformUrl,
+      clientId,
+      accessToken,
+    );
+  } finally {
+    clearTimeout(timeout);
+  }
 }
 export async function login(): Promise<void> {
@@ -306,11 +371,10 @@ export async function login(): Promise<void> {
     }
   }
-  // If no --token flag, use browser-based login
+  // If no --token flag, use app-held WorkOS PKCE login.
   if (!token) {
-    const webUrl = getWebUrl();
     try {
-      token = await browserLogin(webUrl);
+      token = await workosPkceLogin(getPlatformUrl());
     } catch (error) {
       console.error(`❌ ${error instanceof Error ? error.message : error}`);
       process.exit(1);