@vellumai/cli 0.8.5 → 0.8.6

package/src/lib/__tests__/step-runner.test.ts

@@ -1,6 +1,15 @@
+import { mkdtempSync, readFileSync, rmSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+
 import { describe, expect, it } from "bun:test";
 
-import { buildExecErrorMessage, exec, execOutput } from "../step-runner";
+import {
+  buildExecErrorMessage,
+  exec,
+  execOutput,
+  execWithStdin,
+} from "../step-runner";
 
 describe("buildExecErrorMessage", () => {
   it("omits the argv from the header so secrets in args can't leak", () => {
@@ -63,6 +72,45 @@ describe("exec — secret leak regression", () => {
   });
 });
 
+describe("execWithStdin — pipes input + no secret leak in errors", () => {
+  it("writes the supplied input to the child's stdin", async () => {
+    // Use sh `cat > path` to capture stdin to a real file we can inspect.
+    // Mirrors the Docker-hatch overlay-staging call site shape.
+    const workDir = mkdtempSync(join(tmpdir(), "step-runner-stdin-"));
+    const dest = join(workDir, "captured.txt");
+    try {
+      const payload = '{"hello":"world"}\n';
+      await execWithStdin("sh", ["-c", `cat > ${dest}`], payload);
+      expect(readFileSync(dest, "utf-8")).toBe(payload);
+    } finally {
+      rmSync(workDir, { recursive: true, force: true });
+    }
+  });
+
+  it("rejects with an Error whose message contains neither the args nor any -e KEY=VALUE pair", async () => {
+    const fakeSecret = "sk-anthropic-stdin-canary";
+    try {
+      await execWithStdin(
+        "sh",
+        [
+          "-c",
+          'echo "permission denied while trying to connect to docker daemon" 1>&2 && exit 1',
+          "-e",
+          `ANTHROPIC_API_KEY=${fakeSecret}`,
+        ],
+        "",
+      );
+      throw new Error("execWithStdin should have rejected");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      expect(message).not.toContain(fakeSecret);
+      expect(message).not.toContain("ANTHROPIC_API_KEY");
+      expect(message).toContain("sh exited with code 1");
+      expect(message).toContain("permission denied");
+    }
+  });
+});
+
 describe("execOutput — secret leak regression", () => {
   it("rejects with an Error whose message contains neither the args nor any -e KEY=VALUE pair", async () => {
     const fakeSecret = "sk-openai-leak-canary";

package/src/lib/assistant-config.ts

@@ -559,6 +559,19 @@ export function resolveCloud(entry: AssistantEntry): string {
   return "local";
 }
 
+/**
+ * Extract the hostname from a URL string. Falls back to stripping the scheme
+ * and taking the hostname portion if URL parsing fails.
+ */
+export function extractHostFromUrl(url: string): string {
+  try {
+    const parsed = new URL(url);
+    return parsed.hostname;
+  } catch {
+    return url.replace(/^https?:\/\//, "").split(":")[0];
+  }
+}
+
 export function saveAssistantEntry(entry: AssistantEntry): void {
   const entries = readAssistants().filter(
     (e) => e.assistantId !== entry.assistantId,

package/src/lib/config-utils.ts

@@ -35,6 +35,21 @@ export function buildNestedConfig(
 /**
  * Ensure hatch always provides enough initial LLM config for the assistant to
  * detect a fresh off-platform hatch and seed BYOK profiles.
+ *
+ * @deprecated Part of the workspace-config overlay path — a CLI→Assistant
+ * side channel that bypasses the Assistant's public APIs and has no
+ * equivalent in web/desktop. Two replacement paths are on the table:
+ *
+ *   1. Post-hatch API calls — the CLI calls public Assistant routes after
+ *      boot (`POST /v1/secrets`, plus a small read-only endpoint that
+ *      returns the canonical inference-profile templates so the CLI can
+ *      PATCH them in). See the closed alternatives in PR #32061 and
+ *      PR #32131 for the shape this would take.
+ *   2. Move inference-profile seeds out of workspace config and into
+ *      Assistant code, so there is nothing for the CLI to inject in the
+ *      first place.
+ *
+ * Either path removes the need for this helper.
  */
 export function buildHatchConfigValues(
   configValues: Record<string, string>,
@@ -52,15 +67,21 @@ export function buildHatchConfigValues(
 
 /**
  * Write arbitrary key-value pairs to a temporary JSON file and return its
- * path. The caller passes this path to the daemon via the
- * VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH env var so the daemon can merge the
- * values into its workspace config on first boot.
+ * path. The caller is responsible for getting the file to the daemon — for
+ * the local hatch flow that means setting `VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH`
+ * on the daemon process; for the Docker hatch flow the caller stages the
+ * file into the workspace volume so the rename-after-consume step in
+ * `mergeDefaultWorkspaceConfig` is a same-filesystem rename.
  *
  * Keys use dot-notation to address nested fields. For example:
  *   "llm.default.provider" → {llm: {default: {provider: ...}}}
  *   "llm.default.model"    → {llm: {default: {model: ...}}}
  *
  * Returns undefined when configValues is empty (nothing to write).
+ *
+ * @deprecated See {@link buildHatchConfigValues} for the replacement
+ * direction. This overlay path is a CLI→Assistant side channel and will be
+ * removed once one of the documented replacements lands.
  */
 export function writeInitialConfig(
   configValues: Record<string, string>,

package/src/lib/docker.ts

@@ -1,5 +1,11 @@
 import { randomBytes } from "crypto";
-import { chmodSync, existsSync, mkdirSync, watch as fsWatch } from "fs";
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  watch as fsWatch,
+} from "fs";
 import { arch, platform } from "os";
 import { dirname, join, resolve } from "path";
 
@@ -12,6 +18,7 @@ import {
   setActiveAssistant,
 } from "./assistant-config";
 import type { AssistantEntry } from "./assistant-config";
+import { buildHatchConfigValues, writeInitialConfig } from "./config-utils";
 import { buildServiceRunArgs } from "./statefulset.js";
 import type { Species } from "./constants";
 import { getDefaultPorts } from "./environments/paths.js";
@@ -35,7 +42,7 @@ import {
   resolveHatchProvider,
 } from "./provider-secrets.js";
 import { findOpenPort } from "./port-allocator.js";
-import { exec, execOutput } from "./step-runner";
+import { exec, execOutput, execWithStdin } from "./step-runner";
 import {
   closeLogFile,
   openLogFile,
@@ -1164,11 +1171,53 @@ export async function hatchDocker(
       "chown 1001:1001 /workspace /run/assistant-ipc /run/gateway-ipc",
     ]);
 
-    // BYOK setup (API key, custom profiles, active-profile selection) is
-    // driven post-boot by the CLI calling the Assistant's public APIs
-    // (`POST /v1/secrets`, etc.) via `configureHatchProviderApiKey` below.
-    // The Assistant container comes up clean — no overlay file, no
-    // client-side workspace-config injection.
+    // Stage the BYOK default-workspace-config overlay *inside* the workspace
+    // volume so the daemon's startup loader can consume it. The loader
+    // (`mergeDefaultWorkspaceConfig` in assistant/src/config/loader.ts) does:
+    //   1. JSON.parse + deep-merge into the workspace's config.json.
+    //   2. `renameSync(defaultConfigPath, <workspace>/default-config.json)`
+    //      to mark the overlay consumed so subsequent restarts skip it.
+    //
+    // The rename must be same-filesystem. Bind-mounting the host file into
+    // `/tmp/...` (the pre-#32025 design) crossed filesystems and silently
+    // failed with EXDEV, so every `docker start` re-applied the overlay.
+    // Staging into the workspace volume keeps the rename in-place.
+    //
+    // Streaming the JSON via stdin (instead of bind-mounting the host file
+    // into the staging container) sidesteps macOS Colima's virtiofs share,
+    // which doesn't expose `/var/folders/...` (where `os.tmpdir()` resolves
+    // on macOS) and would otherwise materialize an empty directory at the
+    // bind-mount target.
+    //
+    // @deprecated stopgap. Replacement direction is one of:
+    //   1. Post-hatch API calls (POST /v1/secrets + a small endpoint that
+    //      returns canonical inference-profile templates).
+    //   2. Move inference-profile seeds out of workspace config and into
+    //      Assistant code, eliminating the overlay entirely.
+    // See `cli/src/lib/config-utils.ts` JSDoc for context.
+    const hatchConfigValues = buildHatchConfigValues(configValues, provider);
+    const hostOverlayPath = writeInitialConfig(hatchConfigValues);
+    const stagedOverlayInContainer = "/workspace/.default-config-overlay.json";
+    const extraAssistantEnv: Record<string, string> = {};
+    if (hostOverlayPath) {
+      await execWithStdin(
+        "docker",
+        [
+          "run",
+          "--rm",
+          "-i",
+          "-v",
+          `${res.workspaceVolume}:/workspace`,
+          "busybox",
+          "sh",
+          "-c",
+          `cat > ${stagedOverlayInContainer} && chown 1001:1001 ${stagedOverlayInContainer}`,
+        ],
+        readFileSync(hostOverlayPath, "utf-8"),
+      );
+      extraAssistantEnv.VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH =
+        stagedOverlayInContainer;
+    }
 
     const cesServiceToken = randomBytes(32).toString("hex");
     const signingKey = randomBytes(32).toString("hex");
@@ -1190,6 +1239,7 @@ export async function hatchDocker(
         signingKey,
         bootstrapSecret,
         cesServiceToken,
+        extraAssistantEnv,
         gatewayPort,
         imageTags,
         instanceName,

package/src/lib/hatch-local.ts

@@ -199,6 +199,7 @@ export async function hatchLocal(
 
   emitProgress(3, 6, "Starting assistant...");
   const signingKey = generateLocalSigningKey();
+  const bootstrapSecret = generateLocalSigningKey();
   await startLocalDaemon(watch, resources, {
     defaultWorkspaceConfigPath,
     signingKey,
@@ -207,7 +208,7 @@ export async function hatchLocal(
   emitProgress(4, 6, "Starting gateway...");
   let runtimeUrl = `http://127.0.0.1:${resources.gatewayPort}`;
   try {
-    runtimeUrl = await startGateway(watch, resources, { signingKey });
+    runtimeUrl = await startGateway(watch, resources, { signingKey, bootstrapSecret });
   } catch (error) {
     // Gateway failed — stop the daemon we just started so we don't leave
     // orphaned processes with no lock file entry.
@@ -228,7 +229,7 @@ export async function hatchLocal(
   let guardianAccessToken: string | undefined;
   for (let attempt = 1; attempt <= maxLeaseAttempts; attempt++) {
     try {
-      const tokenData = await leaseGuardianToken(loopbackUrl, instanceName);
+      const tokenData = await leaseGuardianToken(loopbackUrl, instanceName, bootstrapSecret);
       guardianAccessToken = tokenData.accessToken;
       break;
     } catch (err) {
@@ -257,6 +258,7 @@ export async function hatchLocal(
     species,
     hatchedAt: new Date().toISOString(),
     resources: { ...resources, signingKey },
+    guardianBootstrapSecret: bootstrapSecret,
   };
 
   emitProgress(6, 6, "Saving configuration...");

package/src/lib/http-client.ts

@@ -8,8 +8,6 @@ export function buildDaemonUrl(port: number): string {
 /**
  * Perform an HTTP health check against the daemon's `/healthz` endpoint.
  * Returns true if the daemon responds with HTTP 200, false otherwise.
- *
- * This replaces the socket-based `isSocketResponsive()` check.
  */
 export async function httpHealthCheck(
   port: number,
@@ -28,7 +26,7 @@ export async function httpHealthCheck(
 
 /**
  * Poll the daemon's `/healthz` endpoint until it responds with 200 or the
- * timeout is reached. This replaces `waitForSocketFile()`.
+ * timeout is reached.
  *
  * Returns true if the daemon became healthy within the timeout, false otherwise.
  */