@vellumai/cli 0.8.5 → 0.8.7

package/src/commands/client.ts

@@ -1,3 +1,4 @@
+import { spawn } from "node:child_process";
 import { existsSync } from "node:fs";
 import { hostname } from "node:os";
 import path from "node:path";
@@ -23,10 +24,27 @@ import {
   WEB_INTERFACE_ID,
   getClientRegistrationHeaders,
 } from "../lib/client-identity";
+import {
+  getLockfileData,
+  upsertLockfileAssistant,
+  replacePlatformAssistants,
+  runHatch,
+  runRetire,
+  getGuardianAccessToken,
+  parseGatewayUrl,
+  readAllowedGatewayPorts,
+  isLoopbackAddr,
+  resolveDevCliInvocation,
+  resolveLockfilePaths,
+  resolveConfigDir,
+  type CliInvocation,
+} from "@vellumai/local-mode";
 import { parseAssistantTargetArg } from "../lib/assistant-target-args.js";
 import {
   fetchOrganizationId,
   fetchPlatformAssistants,
+  getPlatformUrl,
+  getWebUrl,
   readPlatformToken,
 } from "../lib/platform-client";
 import { tuiLog } from "../lib/tui-log";
@@ -278,18 +296,29 @@ async function maybeHydratePlatformAssistantName(
   }
 }
 
+const SPA_BASE = "/assistant/";
+
 /**
- * Walk up from this file's location to find a sibling `clients/web` package.
+ * Locate the pre-built @vellumai/web dist directory.
  *
- * Returns the absolute path to its directory, or null when not found —
- * e.g. when the CLI is installed via npm/bunx, where the `clients/web`
- * source isn't shipped alongside `@vellumai/cli`. For now we treat the
- * `--interface web` path as source-checkout-only.
+ * Resolution order:
+ *   1. npm-installed package — require.resolve('@vellumai/web/package.json')
+ *   2. Source checkout — walk up from cli/ to find apps/web/dist/
  */
-function findClientsWebDir(): string | null {
+function findWebDistDir(): string | null {
+  try {
+    const pkgPath = require.resolve("@vellumai/web/package.json");
+    const distDir = path.join(path.dirname(pkgPath), "dist");
+    if (existsSync(path.join(distDir, "index.html"))) {
+      return distDir;
+    }
+  } catch {
+    // Package not installed; try source checkout.
+  }
+
   let dir = import.meta.dir;
   for (let depth = 0; depth < 8; depth++) {
-    const candidate = path.join(dir, "clients", "web", "package.json");
+    const candidate = path.join(dir, "apps", "web", "dist", "index.html");
     if (existsSync(candidate)) {
       return path.dirname(candidate);
     }
@@ -301,41 +330,453 @@ function findClientsWebDir(): string | null {
 }
 
 /**
- * Spawn the `clients/web` package's `local` script and proxy its lifecycle.
- *
- * The web client is deliberately not declared as a dependency of `@vellumai/cli`:
- * the CLI is published, the web package is not. Locating it on disk and
- * shelling out keeps the two packages independent.
+ * Locate the apps/web source directory for running the Vite dev server.
+ * Only works from a source checkout (not npm-installed).
  */
+function findWebSourceDir(): string | null {
+  let dir = import.meta.dir;
+  for (let depth = 0; depth < 8; depth++) {
+    const candidate = path.join(dir, "apps", "web", "vite.config.ts");
+    if (existsSync(candidate)) {
+      return path.dirname(candidate);
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+const LOCKFILE_PATTERN = /^(?:\/assistant)?\/__local\/lockfile$/;
+const HATCH_PATTERN = /^(?:\/assistant)?\/__local\/hatch$/;
+const RETIRE_PATTERN = /^(?:\/assistant)?\/__local\/retire$/;
+const GUARDIAN_TOKEN_PATTERN =
+  /^(?:\/assistant)?\/__local\/guardian-token\/([^/]+)$/;
+
+function getEnvRecord(): Record<string, string> {
+  const result: Record<string, string> = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== undefined) result[k] = v;
+  }
+  return result;
+}
+
+const _localEnv = getEnvRecord();
+const _lockfilePaths = resolveLockfilePaths(_localEnv);
+const _configDir = resolveConfigDir(_localEnv);
+const _baseDir = getBaseDir();
+
+async function handleLocalEndpoints(
+  req: Request,
+  url: URL,
+  server: { requestIP(req: Request): { address: string } | null },
+): Promise<Response | null> {
+  const { pathname } = url;
+  const lockfilePaths = _lockfilePaths;
+  const configDir = _configDir;
+
+  // Check if this is a __local or __gateway route before enforcing loopback.
+  const isLocalRoute =
+    LOCKFILE_PATTERN.test(pathname) ||
+    HATCH_PATTERN.test(pathname) ||
+    RETIRE_PATTERN.test(pathname) ||
+    GUARDIAN_TOKEN_PATTERN.test(pathname) ||
+    parseGatewayUrl(pathname).match;
+
+  if (!isLocalRoute) return null;
+
+  // All __local and __gateway endpoints are restricted to loopback clients.
+  const peer = server.requestIP(req)?.address ?? "";
+  if (!isLoopbackAddr(peer)) {
+    return Response.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  // Lockfile
+  if (LOCKFILE_PATTERN.test(pathname)) {
+    if (req.method === "GET") {
+      const result = getLockfileData(lockfilePaths);
+      if (result.ok) {
+        return Response.json(result.data);
+      }
+      return new Response(null, { status: result.status });
+    }
+    if (req.method === "POST") {
+      let body: Record<string, unknown>;
+      try {
+        body = (await req.json()) as Record<string, unknown>;
+      } catch {
+        return Response.json(
+          { ok: false, error: "Invalid JSON body" },
+          { status: 400 },
+        );
+      }
+      let result;
+      if (body.syncPlatform && Array.isArray(body.platformAssistants)) {
+        result = replacePlatformAssistants(
+          lockfilePaths,
+          body.platformAssistants as Array<Record<string, unknown>>,
+        );
+      } else {
+        result = upsertLockfileAssistant(
+          lockfilePaths,
+          body.assistant as Record<string, unknown>,
+          body.activeAssistant as string | undefined,
+        );
+      }
+      return Response.json(result, { status: result.ok ? 200 : result.status });
+    }
+    return new Response(null, { status: 405 });
+  }
+
+  // Hatch
+  if (HATCH_PATTERN.test(pathname)) {
+    if (req.method !== "POST") return new Response(null, { status: 405 });
+
+    let species = "vellum";
+    const contentType = req.headers.get("content-type") ?? "";
+    if (contentType.includes("json")) {
+      try {
+        const body = (await req.json()) as { species?: string };
+        if (body.species) species = body.species;
+      } catch {
+        return Response.json(
+          { ok: false, error: "Invalid JSON body" },
+          { status: 400 },
+        );
+      }
+    }
+
+    let invocation: CliInvocation;
+    try {
+      invocation = resolveDevCliInvocation(_baseDir);
+    } catch (err) {
+      return Response.json(
+        { ok: false, error: err instanceof Error ? err.message : String(err) },
+        { status: 500 },
+      );
+    }
+
+    const result = await runHatch(invocation, species);
+    if (result.ok) {
+      return Response.json({ ok: true, assistantId: result.assistantId });
+    }
+    return Response.json(
+      { ok: false, error: result.error },
+      { status: result.status },
+    );
+  }
+
+  // Retire
+  if (RETIRE_PATTERN.test(pathname)) {
+    if (req.method !== "POST") return new Response(null, { status: 405 });
+
+    let assistantId: string | undefined;
+    try {
+      const body = (await req.json()) as { assistantId?: string };
+      assistantId = body.assistantId;
+    } catch {
+      return Response.json(
+        { ok: false, error: "Invalid JSON body" },
+        { status: 400 },
+      );
+    }
+
+    if (!assistantId) {
+      return Response.json(
+        { ok: false, error: "Missing assistantId" },
+        { status: 400 },
+      );
+    }
+
+    let invocation: CliInvocation;
+    try {
+      invocation = resolveDevCliInvocation(_baseDir);
+    } catch (err) {
+      return Response.json(
+        { ok: false, error: err instanceof Error ? err.message : String(err) },
+        { status: 500 },
+      );
+    }
+
+    const result = await runRetire(invocation, assistantId);
+    if (result.ok) {
+      return Response.json({ ok: true });
+    }
+    return Response.json(
+      { ok: false, error: result.error },
+      { status: result.status },
+    );
+  }
+
+  // Guardian token
+  const guardianMatch = pathname.match(GUARDIAN_TOKEN_PATTERN);
+  if (guardianMatch) {
+    if (req.method !== "GET") return new Response(null, { status: 405 });
+
+    const assistantId = decodeURIComponent(guardianMatch[1]!);
+
+    let invocation: CliInvocation;
+    try {
+      invocation = resolveDevCliInvocation(_baseDir);
+    } catch (err) {
+      return Response.json(
+        { error: err instanceof Error ? err.message : String(err) },
+        { status: 500 },
+      );
+    }
+
+    const result = await getGuardianAccessToken(
+      assistantId,
+      configDir,
+      invocation,
+      true,
+      _localEnv,
+    );
+    if (result.ok) {
+      return Response.json({ accessToken: result.accessToken });
+    }
+    return Response.json({ error: result.error }, { status: result.status });
+  }
+
+  // Gateway proxy
+  const gatewayResult = parseGatewayUrl(pathname);
+  if (gatewayResult.match) {
+    if (!gatewayResult.valid) {
+      return new Response("Port must be between 1024 and 65535", {
+        status: 400,
+      });
+    }
+    const { target: gatewayTarget } = gatewayResult;
+    const allowedPorts = readAllowedGatewayPorts(lockfilePaths);
+    if (!allowedPorts.has(gatewayTarget.port)) {
+      return new Response("Gateway port is not active in lockfile", {
+        status: 403,
+      });
+    }
+    const targetUrl = `http://127.0.0.1:${gatewayTarget.port}${gatewayTarget.path}${url.search}`;
+    const headers = new Headers(req.headers);
+    headers.set("host", `127.0.0.1:${gatewayTarget.port}`);
+
+    try {
+      const hasBody = req.method !== "GET" && req.method !== "HEAD";
+      const proxyRes = await fetch(targetUrl, {
+        method: req.method,
+        headers,
+        body: hasBody ? req.body : undefined,
+        redirect: "manual",
+      });
+      const resHeaders = new Headers(proxyRes.headers);
+      resHeaders.delete("transfer-encoding");
+      return new Response(proxyRes.body, {
+        status: proxyRes.status,
+        statusText: proxyRes.statusText,
+        headers: resHeaders,
+      });
+    } catch {
+      return new Response("Gateway proxy error", { status: 502 });
+    }
+  }
+
+  return null;
+}
+
+function getBaseDir(): string {
+  let dir = import.meta.dir;
+  for (let depth = 0; depth < 8; depth++) {
+    if (existsSync(path.join(dir, "cli", "src", "index.ts"))) {
+      return dir;
+    }
+    const pkgPath = path.join(dir, "package.json");
+    if (existsSync(pkgPath)) {
+      return dir;
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return path.resolve(import.meta.dir, "..", "..", "..");
+}
+
 async function runWebInterface(): Promise<void> {
-  const webDir = findClientsWebDir();
-  if (!webDir) {
+  // Prefer Vite dev server in source checkouts for full local-mode support
+  // (HMR, __local endpoints, gateway proxy).
+  const webSourceDir = findWebSourceDir();
+  if (webSourceDir) {
+    return runViteDevServer(webSourceDir);
+  }
+
+  const distDir = findWebDistDir();
+  if (!distDir) {
     console.error(
       `${ANSI.bold}--interface web${ANSI.reset}: unable to locate ` +
-        `clients/web. This interface currently requires running ` +
-        `vellum from a source checkout of vellum-assistant.`,
+        `@vellumai/web assets.\n\n` +
+        `  npm/bunx install:   npm install @vellumai/web\n` +
+        `  source checkout:    cd apps/web && VITE_PLATFORM_MODE=false bun run build`,
     );
     process.exit(1);
   }
 
-  const child = Bun.spawn({
-    cmd: ["bun", "run", "local"],
-    cwd: webDir,
-    stdio: ["inherit", "inherit", "inherit"],
+  const rawIndexHtml = await Bun.file(path.join(distDir, "index.html")).text();
+  const platformUrl = getPlatformUrl();
+  const webUrl = getWebUrl();
+  const configJson = JSON.stringify({ webUrl, platformUrl });
+  const indexHtml = rawIndexHtml.replace(
+    "</head>",
+    `<script>window.__VELLUM_CONFIG__=${configJson}</script></head>`,
+  );
+
+  const server = Bun.serve({
+    port: 3000,
+    hostname: "127.0.0.1",
+    fetch: async (req) => {
+      const url = new URL(req.url);
+      const { pathname } = url;
+
+      if (pathname === "/" || pathname === "/assistant") {
+        return Response.redirect(SPA_BASE, 302);
+      }
+
+      // Loopback auth: the platform redirects here after login with
+      // ?state=...&session_token=... — forward into the SPA.
+      if (pathname === "/callback") {
+        return Response.redirect(
+          `/account/platform-callback${url.search}`,
+          302,
+        );
+      }
+
+      // Expose environment config to the SPA.
+      if (pathname === "/assistant/__config" || pathname === "/__config") {
+        return new Response(configJson, {
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+
+      // __local endpoints for local-mode (lockfile, hatch, retire, guardian-token, gateway-proxy).
+      const localResponse = await handleLocalEndpoints(req, url, server);
+      if (localResponse) return localResponse;
+
+      // Reverse-proxy platform API requests.
+      if (
+        pathname.startsWith("/v1/") ||
+        pathname.startsWith("/_allauth/") ||
+        pathname.startsWith("/accounts/")
+      ) {
+        const target = new URL(pathname + url.search, platformUrl);
+        const headers = new Headers(req.headers);
+        headers.set("Host", new URL(platformUrl).host);
+        headers.delete("Origin");
+        headers.delete("Referer");
+
+        // Forward the session token — the loopback flow stores it in
+        // the browser cookie jar for localhost, but the platform backend
+        // expects it on its own domain. Set both the Cookie (for Django
+        // session middleware / allauth) and X-Session-Token (for DRF
+        // views that accept header-based auth).
+        const sessionToken = /sessionid=([^;]+)/.exec(
+          req.headers.get("Cookie") ?? "",
+        )?.[1];
+        if (sessionToken) {
+          headers.set(
+            "Cookie",
+            `sessionid=${sessionToken}; __Secure-sessionid=${sessionToken}`,
+          );
+          headers.set("X-Session-Token", sessionToken);
+        }
+
+        try {
+          const hasBody = req.method !== "GET" && req.method !== "HEAD";
+          const body = hasBody ? await req.arrayBuffer() : undefined;
+          const proxyRes = await fetch(target.toString(), {
+            method: req.method,
+            headers,
+            body,
+            redirect: "manual",
+          });
+          const resHeaders = new Headers(proxyRes.headers);
+          resHeaders.delete("transfer-encoding");
+          return new Response(proxyRes.body, {
+            status: proxyRes.status,
+            statusText: proxyRes.statusText,
+            headers: resHeaders,
+          });
+        } catch (err) {
+          return new Response(
+            JSON.stringify({ error: `Platform proxy error: ${err}` }),
+            { status: 502, headers: { "Content-Type": "application/json" } },
+          );
+        }
+      }
+
+      if (pathname.startsWith(SPA_BASE)) {
+        const relPath = pathname.slice(SPA_BASE.length);
+        if (relPath) {
+          const filePath = path.join(distDir, relPath);
+          const file = Bun.file(filePath);
+          if (await file.exists()) {
+            return new Response(file);
+          }
+        }
+        return new Response(indexHtml, {
+          headers: { "Content-Type": "text/html; charset=utf-8" },
+        });
+      }
+
+      // SPA fallback for /account/* routes (login, callback, etc.)
+      if (pathname.startsWith("/account/")) {
+        return new Response(indexHtml, {
+          headers: { "Content-Type": "text/html; charset=utf-8" },
+        });
+      }
+
+      return new Response("Not Found", { status: 404 });
+    },
   });
 
-  const forward = (signal: "SIGINT" | "SIGTERM"): void => {
-    try {
-      child.kill(signal);
-    } catch {
-      // Child already exited; nothing to forward.
-    }
+  console.log(
+    `Vellum web interface: http://${server.hostname}:${server.port}${SPA_BASE}`,
+  );
+
+  const shutdown = (): void => {
+    server.stop();
+    process.exit(0);
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+
+  await new Promise(() => {});
+}
+
+async function runViteDevServer(webSourceDir: string): Promise<void> {
+  const platformUrl = getPlatformUrl();
+
+  const child = spawn("bun", ["run", "dev"], {
+    cwd: webSourceDir,
+    stdio: "inherit",
+    env: {
+      ...process.env,
+      VITE_PLATFORM_MODE: "false",
+      API_PROXY_TARGET: platformUrl,
+      VELLUM_WEB_URL: getWebUrl(),
+      VELLUM_PLATFORM_URL: platformUrl,
+      PORT: "3000",
+    },
+  });
+
+  const shutdown = (): void => {
+    child.kill();
+    process.exit(0);
   };
-  process.on("SIGINT", () => forward("SIGINT"));
-  process.on("SIGTERM", () => forward("SIGTERM"));
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
 
-  const exitCode = await child.exited;
-  process.exit(typeof exitCode === "number" ? exitCode : 0);
+  await new Promise<void>((_, reject) => {
+    child.on("exit", (code) => {
+      if (code !== 0) {
+        reject(new Error(`Vite dev server exited with code ${code}`));
+      }
+    });
+  });
 }
 
 export async function client(): Promise<void> {

package/src/commands/env.ts

@@ -1,4 +1,4 @@
-import { SEEDS } from "../lib/environments/seeds.js";
+import { SEEDS } from "@vellumai/environments";
 import {
   clearDefaultEnvironment,
   readDefaultEnvironment,