@vellumai/cli 0.8.5 → 0.8.7-dev.202606052118.34cd356

package/src/commands/tunnel.ts

@@ -1,4 +1,7 @@
+import { join } from "path";
+
 import { resolveAssistant } from "../lib/assistant-config";
+import { runCloudflareTunnel } from "../lib/cloudflare-tunnel.js";
 import { runNgrokTunnel } from "../lib/ngrok";
 
 const VALID_PROVIDERS = ["vellum", "ngrok", "cloudflare", "tailscale"] as const;
@@ -21,17 +24,45 @@ function parseArgs(): TunnelArgs {
     if (arg === "--help" || arg === "-h") {
       console.log("Usage: vellum tunnel [<name>] [options]");
       console.log("");
-      console.log("Create a tunnel for a locally hosted assistant.");
+      console.log(
+        "Expose a locally running assistant to the internet via a tunnel.",
+      );
+      console.log(
+        "The public URL is saved to the workspace config as the ingress base URL,",
+      );
+      console.log(
+        "enabling webhook integrations (Telegram, Twilio, etc.) to reach the assistant.",
+      );
       console.log("");
       console.log("Arguments:");
       console.log(
-        "  <name>                        Name of the assistant (defaults to latest)",
+        "  <name>                        Name of the assistant (defaults to active or only local)",
       );
       console.log("");
       console.log("Options:");
       console.log(
         `  --provider <provider>         Tunnel provider: ${VALID_PROVIDERS.join(", ")} (default: ${DEFAULT_PROVIDER})`,
       );
+      console.log("");
+      console.log("Providers:");
+      console.log(
+        "  vellum       Managed tunnel via Vellum Cloud (default; requires account)",
+      );
+      console.log(
+        "  ngrok        ngrok tunnel — install: brew install ngrok/ngrok/ngrok",
+      );
+      console.log(
+        "  cloudflare   Cloudflare quick tunnel — install: brew install cloudflare/cloudflare/cloudflared",
+      );
+      console.log(
+        "               No Cloudflare account required for quick tunnels.",
+      );
+      console.log("");
+      console.log("Examples:");
+      console.log("  $ vellum tunnel");
+      console.log("  $ vellum tunnel --provider ngrok");
+      console.log("  $ vellum tunnel --provider cloudflare");
+      console.log("  $ vellum tunnel my-assistant --provider cloudflare");
       process.exit(0);
     } else if (arg === "--provider") {
       const next = args[i + 1];
@@ -78,5 +109,18 @@ export async function tunnel(): Promise<void> {
     return;
   }
 
+  if (provider === "cloudflare") {
+    const resources = entry.resources;
+    await runCloudflareTunnel(
+      resources
+        ? {
+            port: resources.gatewayPort,
+            workspaceDir: join(resources.instanceDir, ".vellum", "workspace"),
+          }
+        : {},
+    );
+    return;
+  }
+
   throw new Error(`Tunnel provider '${provider}' is not yet implemented.`);
 }

package/src/commands/unpair.ts

@@ -0,0 +1,118 @@
+/**
+ * `vellum unpair <name> [--yes]`
+ *
+ * Forget a pairing imported from another machine via `vellum connect import`:
+ * remove its lockfile entry and stored guardian token from THIS machine. Only
+ * paired assistants (`cloud: "paired"`) can be unpaired — `vellum retire` owns
+ * local and managed assistants.
+ *
+ * This is client-side only: it forgets the connection here but does not revoke
+ * the device on the host. (Host-side revocation is `vellum devices`.)
+ */
+
+import {
+  formatAssistantLookupError,
+  getAssistantDisplayName,
+  lookupAssistantByIdentifier,
+  removeAssistantEntry,
+} from "../lib/assistant-config";
+import { parseAssistantTargetArg } from "../lib/assistant-target-args.js";
+import {
+  canPromptForConfirmation,
+  confirmAction,
+} from "../lib/confirm-action.js";
+import { deleteGuardianToken } from "../lib/guardian-token";
+
+function printUsage(): void {
+  console.log(`vellum unpair - Forget a paired assistant imported from another machine
+
+USAGE:
+    vellum unpair <name> [--yes]
+
+ARGUMENTS:
+    <name>    Name or id of the paired assistant to forget
+
+OPTIONS:
+    --yes     Skip the interactive confirmation prompt (for automation)
+
+Removes the local connection (lockfile entry + stored token). Only paired
+assistants (imported via 'vellum connect import') can be unpaired; use
+'vellum retire' for local or managed assistants.
+
+EXAMPLES:
+    vellum unpair paired-desk
+    vellum unpair "Desk Box"
+    vellum unpair paired-desk --yes
+`);
+}
+
+export async function unpair(): Promise<void> {
+  const args = process.argv.slice(3);
+
+  if (args.includes("--help") || args.includes("-h")) {
+    printUsage();
+    return;
+  }
+
+  const yes = args.includes("--yes");
+  const name = parseAssistantTargetArg(args, []);
+  if (!name) {
+    console.error("Error: assistant name or id is required.");
+    printUsage();
+    process.exit(1);
+  }
+
+  const lookup = lookupAssistantByIdentifier(name);
+  if (lookup.status !== "found") {
+    console.error(formatAssistantLookupError(name, lookup));
+    process.exit(1);
+  }
+  const entry = lookup.entry;
+
+  if (entry.cloud !== "paired") {
+    console.error(
+      `Error: '${name}' is not a paired assistant. Use \`vellum retire\` to remove a local or managed assistant.`,
+    );
+    process.exit(1);
+  }
+
+  // Print the resolved identity before acting (cli/AGENTS.md).
+  const displayName = getAssistantDisplayName(entry);
+  console.log("Pairing to unpair:");
+  if (displayName !== entry.assistantId) {
+    console.log(`  Name: ${displayName}`);
+  }
+  console.log(`  ID: ${entry.assistantId}`);
+  if (entry.runtimeUrl) {
+    console.log(`  Host: ${entry.runtimeUrl}`);
+  }
+  console.log("");
+
+  if (!yes) {
+    if (!canPromptForConfirmation()) {
+      console.error(
+        "Error: Refusing to unpair without confirmation in a non-interactive terminal.",
+      );
+      console.error("Re-run with --yes to confirm from automation.");
+      process.exit(1);
+    }
+    const confirmed = await confirmAction(
+      "Press Enter to unpair, or Esc/q to cancel: ",
+    );
+    if (!confirmed) {
+      console.log("Unpair cancelled.");
+      process.exit(1);
+    }
+  }
+
+  removeAssistantEntry(entry.assistantId);
+  deleteGuardianToken(entry.assistantId);
+
+  console.log(
+    `Unpaired '${name}' — removed the local connection (lockfile entry + token).`,
+  );
+  console.log("");
+  console.log(
+    "Note: this only forgets the connection on this machine. The assistant's host can fully revoke this device from its side.",
+  );
+}

package/src/commands/upgrade.ts

@@ -7,9 +7,10 @@ import {
   findAssistantByName,
   getActiveAssistant,
   loadAllAssistants,
+  resolveCloud,
   saveAssistantEntry,
+  type AssistantEntry,
 } from "../lib/assistant-config";
-import type { AssistantEntry } from "../lib/assistant-config";
 import {
   captureImageRefs,
   GATEWAY_INTERNAL_PORT,
@@ -145,19 +146,6 @@ function parseArgs(): UpgradeArgs {
   return { name, version, latest, prepare, finalize };
 }
 
-function resolveCloud(entry: AssistantEntry): string {
-  if (entry.cloud) {
-    return entry.cloud;
-  }
-  if (entry.project) {
-    return "gcp";
-  }
-  if (entry.sshUser) {
-    return "custom";
-  }
-  return "local";
-}
-
 /**
  * Resolve which assistant to target for the upgrade command. Priority:
  * 1. Explicit name argument
@@ -512,7 +500,10 @@ async function upgradeDocker(
   } else {
     console.error(`\n❌ Containers failed to become ready within the timeout.`);
 
-    const logDir = await captureUpgradeFailureLogs(res, `${instanceName}-upgrade-failure`);
+    const logDir = await captureUpgradeFailureLogs(
+      res,
+      `${instanceName}-upgrade-failure`,
+    );
     if (logDir) {
       console.log(`📋 Container logs saved to: ${logDir}`);
     }
@@ -938,7 +929,8 @@ async function resolveLatestAndMaybeSelfUpdate(
     );
     if (installResult.error || installResult.status !== 0) {
       const detail =
-        installResult.error?.message ?? `exited with code ${installResult.status}`;
+        installResult.error?.message ??
+        `exited with code ${installResult.status}`;
       console.error(`\n❌ CLI self-update failed: ${detail}`);
       emitCliError("CLI_UPDATE_FAILED", "CLI self-update failed", detail);
       process.exit(1);

package/src/commands/wake.ts

@@ -8,7 +8,7 @@ import {
 } from "../lib/assistant-config.js";
 import { dockerResourceNames, wakeContainers } from "../lib/docker.js";
 import { seedGuardianTokenFromSiblingEnv } from "../lib/guardian-token.js";
-import { isProcessAlive, stopProcessByPidFile } from "../lib/process";
+import { resolveProcessState, stopProcessByPidFile } from "../lib/process";
 import {
   generateLocalSigningKey,
   isAssistantWatchModeAvailable,
@@ -68,6 +68,13 @@ export async function wake(): Promise<void> {
     process.exit(1);
   }
 
+  if (entry.cloud === "paired") {
+    console.error(
+      `Error: '${entry.assistantId}' is a remote assistant paired from another machine — its lifecycle is managed on its host machine, not here. Use \`vellum client ${entry.assistantId}\` to chat with it.`,
+    );
+    process.exit(1);
+  }
+
   if (entry.cloud && entry.cloud !== "local") {
     console.error(
       `Error: 'vellum wake' only works with local and docker assistants. '${entry.assistantId}' is a ${entry.cloud} instance.`,
@@ -85,36 +92,26 @@ export async function wake(): Promise<void> {
 
   const pidFile = getDaemonPidPath(resources);
 
-  // Check if daemon is already running
   let daemonRunning = false;
-  if (existsSync(pidFile)) {
-    const pidStr = readFileSync(pidFile, "utf-8").trim();
-    const pid = parseInt(pidStr, 10);
-    if (!isNaN(pid)) {
-      try {
-        process.kill(pid, 0);
-        daemonRunning = true;
-        if (watch) {
-          // Restart in watch mode — but only if source files are available.
-          // Watch mode requires bun --watch with .ts sources; packaged desktop
-          // builds only have a compiled binary. Stopping the daemon without a
-          // viable watch-mode path would leave the user with no running assistant.
-          if (!isAssistantWatchModeAvailable()) {
-            console.log(
-              `Assistant running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
-            );
-          } else {
-            console.log(
-              `Assistant running (pid ${pid}) — restarting in watch mode...`,
-            );
-            await stopProcessByPidFile(pidFile, "assistant");
-            daemonRunning = false;
-          }
-        } else {
-          console.log(`Assistant already running (pid ${pid}).`);
-        }
-      } catch {
-        // Process not alive, will start below
+  const daemonState = await resolveProcessState(
+    pidFile,
+    resources.daemonPort,
+    "Assistant",
+  );
+  if (daemonState.status === "healthy") {
+    if (watch && isAssistantWatchModeAvailable()) {
+      console.log(
+        `Assistant running (pid ${daemonState.pid}) — restarting in watch mode...`,
+      );
+      await stopProcessByPidFile(pidFile, "assistant");
+    } else {
+      daemonRunning = true;
+      if (watch) {
+        console.log(
+          `Assistant running (pid ${daemonState.pid}) — watch mode not available (no source files). Keeping existing process.`,
+        );
+      } else {
+        console.log(`Assistant already running (pid ${daemonState.pid}).`);
       }
     }
   }
@@ -153,6 +150,15 @@ export async function wake(): Promise<void> {
     saveAssistantEntry(entry);
   }
 
+  let bootstrapSecret = entry.guardianBootstrapSecret;
+  let bootstrapSecretBackfilled = false;
+  if (!bootstrapSecret) {
+    bootstrapSecret = generateLocalSigningKey();
+    entry.guardianBootstrapSecret = bootstrapSecret;
+    saveAssistantEntry(entry);
+    bootstrapSecretBackfilled = true;
+  }
+
   if (!daemonRunning) {
     await startLocalDaemon(watch, resources, { foreground, signingKey });
   }
@@ -161,26 +167,47 @@ export async function wake(): Promise<void> {
   {
     const vellumDir = join(resources.instanceDir, ".vellum");
     const gatewayPidFile = join(vellumDir, "gateway.pid");
-    const { alive, pid } = isProcessAlive(gatewayPidFile);
-    if (alive) {
-      if (watch) {
-        // Guard gateway restart separately: check gateway source availability.
-        if (!isGatewayWatchModeAvailable()) {
+    const gatewayState = await resolveProcessState(
+      gatewayPidFile,
+      resources.gatewayPort,
+      "Gateway",
+    );
+    const gatewayAlive = gatewayState.status === "healthy";
+    const needsRestart = bootstrapSecretBackfilled && gatewayAlive;
+    if (needsRestart) {
+      const restartWithWatch = watch && isGatewayWatchModeAvailable();
+      if (restartWithWatch) {
+        console.log(
+          `Gateway running (pid ${gatewayState.pid}) — restarting to apply bootstrap secret...`,
+        );
+      } else {
+        console.log(
+          `Gateway running (pid ${gatewayState.pid}) — restarting without watch mode to apply bootstrap secret...`,
+        );
+      }
+      await stopProcessByPidFile(gatewayPidFile, "gateway");
+      await startGateway(restartWithWatch, resources, {
+        signingKey,
+        bootstrapSecret,
+      });
+    } else if (gatewayAlive) {
+      if (watch && isGatewayWatchModeAvailable()) {
+        console.log(
+          `Gateway running (pid ${gatewayState.pid}) — restarting in watch mode...`,
+        );
+        await stopProcessByPidFile(gatewayPidFile, "gateway");
+        await startGateway(watch, resources, { signingKey, bootstrapSecret });
+      } else {
+        if (watch) {
           console.log(
-            `Gateway running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
+            `Gateway running (pid ${gatewayState.pid}) — watch mode not available (no source files). Keeping existing process.`,
           );
         } else {
-          console.log(
-            `Gateway running (pid ${pid}) — restarting in watch mode...`,
-          );
-          await stopProcessByPidFile(gatewayPidFile, "gateway");
-          await startGateway(watch, resources, { signingKey });
+          console.log(`Gateway already running (pid ${gatewayState.pid}).`);
         }
-      } else {
-        console.log(`Gateway already running (pid ${pid}).`);
       }
     } else {
-      await startGateway(watch, resources, { signingKey });
+      await startGateway(watch, resources, { signingKey, bootstrapSecret });
     }
   }
 
@@ -196,7 +223,10 @@ export async function wake(): Promise<void> {
 
   // Auto-start ngrok if webhook integrations (e.g. Telegram) are configured.
   const workspaceDir = join(resources.instanceDir, ".vellum", "workspace");
-  const ngrokChild = await maybeStartNgrokTunnel(resources.gatewayPort, workspaceDir);
+  const ngrokChild = await maybeStartNgrokTunnel(
+    resources.gatewayPort,
+    workspaceDir,
+  );
   if (ngrokChild?.pid) {
     const ngrokPidFile = join(resources.instanceDir, ".vellum", "ngrok.pid");
     writeFileSync(ngrokPidFile, String(ngrokChild.pid));

package/src/components/DefaultMainScreen.tsx

@@ -10,9 +10,12 @@ import {
 import { Box, render as inkRender, Text, useInput, useStdout } from "ink";
 
 import { SPECIES_CONFIG, type Species } from "../lib/constants";
+import { lookupAssistantByIdentifier } from "../lib/assistant-config";
 import { checkHealth } from "../lib/health-check";
+import { loadGuardianToken, refreshGuardianToken } from "../lib/guardian-token";
 import { appendHistory, loadHistory } from "../lib/input-history";
 import { tuiLog } from "../lib/tui-log";
+import { segmentsToPlainText } from "../lib/segments-to-plain-text";
 import { statusEmoji, withStatusEmoji } from "../lib/status-emoji";
 import {
   getTerminalCapabilities,
@@ -62,6 +65,9 @@ const HELP_COMMANDS = [
 ] as const;
 
 const SEND_TIMEOUT_MS = 5000;
+/** Fresh deadline for a request retried after a mid-session token refresh —
+ *  the original caller signal may have already timed out during the refresh. */
+const RETRY_TIMEOUT_MS = 30_000;
 
 // ── Layout constants ──────────────────────────────────────
 const MAX_TOTAL_WIDTH = 72;
@@ -176,6 +182,44 @@ function friendlyErrorMessage(status: number, body: string): string {
   return `HTTP ${status}: ${body || "Unknown error"}`;
 }
 
+/**
+ * On a 401, refresh a stale PAIRED-assistant guardian token and update the
+ * shared `auth` headers IN PLACE, returning true if the caller should retry.
+ *
+ * Scoped to paired assistants only (a remote assistant on another machine,
+ * `cloud: "paired"`) — the local/docker TUI flow and platform sessions are left
+ * untouched. Also self-gating: skips platform session auth (no `Authorization`
+ * header), ephemeral `--token` overrides (whose bearer won't match the store),
+ * and access-only tokens. Because the TUI threads one shared `auth` object by
+ * reference, mutating it here propagates to every later request and the SSE
+ * reconnect — no callback threading needed.
+ */
+export async function maybeRefreshAuthHeaders(
+  baseUrl: string,
+  assistantId: string,
+  auth?: Record<string, string>,
+): Promise<boolean> {
+  if (!auth) return false;
+  const bearer = auth["Authorization"]?.replace(/^Bearer /, "");
+  if (!bearer) return false;
+
+  // Only paired (remote-on-another-machine) assistants use refreshable pair
+  // tokens; don't perturb the local/docker session flow.
+  const lookup = lookupAssistantByIdentifier(assistantId);
+  if (lookup.status !== "found" || lookup.entry.cloud !== "paired") {
+    return false;
+  }
+
+  const stored = loadGuardianToken(assistantId);
+  if (!stored || stored.accessToken !== bearer || !stored.refreshToken) {
+    return false;
+  }
+  const refreshed = await refreshGuardianToken(baseUrl, assistantId);
+  if (!refreshed?.accessToken) return false;
+  auth["Authorization"] = `Bearer ${refreshed.accessToken}`;
+  return true;
+}
+
 async function runtimeRequest<T>(
   baseUrl: string,
   assistantId: string,
@@ -184,14 +228,30 @@ async function runtimeRequest<T>(
   auth?: Record<string, string>,
 ): Promise<T> {
   const url = `${baseUrl}/v1/assistants/${assistantId}${path}`;
-  const response = await fetch(url, {
-    ...init,
-    headers: {
-      "Content-Type": "application/json",
-      ...auth,
-      ...(init?.headers as Record<string, string> | undefined),
-    },
-  });
+  const doFetch = (signalOverride?: AbortSignal) =>
+    fetch(url, {
+      ...init,
+      // The retry overrides the caller's signal (see below); otherwise use it.
+      signal: signalOverride ?? init?.signal,
+      headers: {
+        "Content-Type": "application/json",
+        ...auth,
+        ...(init?.headers as Record<string, string> | undefined),
+      },
+    });
+
+  let response = await doFetch();
+  // Mid-session token expiry → 401: refresh once and retry (auth headers are
+  // mutated in place by the helper, so the retry carries the new token). The
+  // refresh can take longer than the caller's timeout (lock wait + refresh
+  // fetch), which would already have aborted the original signal — so give the
+  // retry a fresh deadline instead of reusing the (likely-expired) one.
+  if (
+    response.status === 401 &&
+    (await maybeRefreshAuthHeaders(baseUrl, assistantId, auth))
+  ) {
+    response = await doFetch(AbortSignal.timeout(RETRY_TIMEOUT_MS));
+  }
 
   if (!response.ok) {
     const body = await response.text().catch(() => "");
@@ -230,13 +290,20 @@ async function pollMessages(
   auth?: Record<string, string>,
 ): Promise<ListMessagesResponse> {
   const params = new URLSearchParams({ conversationKey: assistantId });
-  return runtimeRequest<ListMessagesResponse>(
+  const response = await runtimeRequest<ListMessagesResponse>(
     baseUrl,
     assistantId,
     `/messages?${params.toString()}`,
     undefined,
     auth,
   );
+  return {
+    ...response,
+    messages: response.messages.map((msg) => ({
+      ...msg,
+      content: segmentsToPlainText(msg.textSegments),
+    })),
+  };
 }
 
 async function sendMessage(
@@ -366,6 +433,11 @@ async function* streamEvents(
   const params = new URLSearchParams({ conversationKey });
   const url = `${baseUrl}/v1/assistants/${assistantId}/events?${params.toString()}`;
   tuiLog.info("sse connect", { url, authHeaders: Object.keys(auth ?? {}) });
+  // NOTE: the SSE connect deliberately does NOT refresh-on-401 — keeping the
+  // stream path simple. After a mid-session token expiry, the REST path
+  // (runtimeRequest) refreshes the shared `auth` on the next request, and the
+  // existing reconnect (ensureConnected on the next message) re-opens the
+  // stream with the refreshed token.
   const response = await fetch(url, {
     headers: {
       Accept: "text/event-stream",
@@ -626,6 +698,13 @@ export interface RuntimeMessage {
   id: string;
   role: "user" | "assistant";
   content: string;
+  /**
+   * Ordered text segments from the daemon's history payload, split at
+   * tool_use/surface boundaries. The flat `content` body is derived from
+   * these (see `segmentsToPlainText`); the daemon no longer sends a
+   * redundant flattened `content` field on the wire.
+   */
+  textSegments?: string[];
   timestamp: string;
   toolCalls?: ToolCallInfo[];
   label?: string;
@@ -1969,9 +2048,8 @@ function ChatApp({
         if (!isConnected) return;
 
         try {
-          const res = await fetch(
-            `${runtimeUrl}/v1/assistants/${assistantId}/btw`,
-            {
+          const btwFetch = () =>
+            fetch(`${runtimeUrl}/v1/assistants/${assistantId}/btw`, {
               method: "POST",
               headers: {
                 "Content-Type": "application/json",
@@ -1982,8 +2060,16 @@ function ChatApp({
                 content: question,
               }),
               signal: AbortSignal.timeout(30_000),
-            },
-          );
+            });
+
+          let res = await btwFetch();
+          // Mid-session token expiry → 401: refresh once and retry.
+          if (
+            res.status === 401 &&
+            (await maybeRefreshAuthHeaders(runtimeUrl, assistantId, auth))
+          ) {
+            res = await btwFetch();
+          }
 
           if (!res.ok) throw new Error(`HTTP ${res.status}`);
 

package/src/index.ts

@@ -4,13 +4,18 @@ import cliPkg from "../package.json";
 import { backup } from "./commands/backup";
 import { clean } from "./commands/clean";
 import { client } from "./commands/client";
+import { connect } from "./commands/connect";
+import { devices } from "./commands/devices";
 import { env } from "./commands/env";
 import { events } from "./commands/events";
 import { exec } from "./commands/exec";
+import { flags } from "./commands/flags";
+import { gateway } from "./commands/gateway";
 import { hatch } from "./commands/hatch";
 import { login, logout, whoami } from "./commands/login";
 import { logs } from "./commands/logs";
 import { message } from "./commands/message";
+import { pair } from "./commands/pair";
 import { ps } from "./commands/ps";
 import { recover } from "./commands/recover";
 import { restore } from "./commands/restore";
@@ -23,6 +28,7 @@ import { ssh } from "./commands/ssh";
 import { teleport } from "./commands/teleport";
 import { terminal } from "./commands/terminal";
 import { tunnel } from "./commands/tunnel";
+import { unpair } from "./commands/unpair";
 import { upgrade } from "./commands/upgrade";
 import { use } from "./commands/use";
 import { wake } from "./commands/wake";
@@ -34,14 +40,19 @@ const commands = {
   backup,
   clean,
   client,
+  connect,
+  devices,
   env,
   events,
   exec,
+  flags,
+  gateway,
   hatch,
   login,
   logout,
   logs,
   message,
+  pair,
   ps,
   recover,
   restore,
@@ -54,6 +65,7 @@ const commands = {
   teleport,
   terminal,
   tunnel,
+  unpair,
   upgrade,
   use,
   wake,
@@ -69,14 +81,21 @@ function printHelp(): void {
   console.log("  backup   Export a backup of a running assistant");
   console.log("  clean    Kill orphaned vellum processes");
   console.log("  client   Connect to a hatched assistant");
+  console.log("  connect  Import an assistant paired from another machine");
+  console.log("  devices  List or revoke devices paired to a local assistant");
   console.log("  env      Manage the default CLI environment");
   console.log("  events   Stream events from a running assistant");
   console.log("  exec     Execute a command inside an assistant's container");
+  console.log("  flags    Show and toggle feature flags");
+  console.log("  gateway  Gateway management commands");
   console.log("  hatch    Create a new assistant instance");
   console.log("  logs     View logs from an assistant instance");
   console.log("  login    Log in to the Vellum platform");
   console.log("  logout   Log out of the Vellum platform");
   console.log("  message  Send a message to a running assistant");
+  console.log(
+    "  pair     Mint a device-scoped token to connect another machine",
+  );
   console.log(
     "  ps       List assistants (or processes for a specific assistant)",
   );
@@ -93,6 +112,9 @@ function printHelp(): void {
   console.log("  teleport Transfer assistant data between environments");
   console.log("  terminal Open a terminal into a managed assistant container");
   console.log("  tunnel   Create a tunnel for a locally hosted assistant");
+  console.log(
+    "  unpair   Forget a paired assistant imported from another machine",
+  );
   console.log("  upgrade  Upgrade an assistant to a newer version");
   console.log("  use      Set the active assistant for commands");
   console.log("  wake     Start the assistant and gateway");