@vellumai/cli 0.8.5 → 0.8.7

package/src/commands/retire.ts

@@ -2,14 +2,16 @@ import { existsSync, unlinkSync } from "fs";
 import { join } from "path";
 
 import {
+  extractHostFromUrl,
   formatAssistantLookupError,
   formatAssistantReference,
   getAssistantDisplayName,
   loadAllAssistants,
   lookupAssistantByIdentifier,
   removeAssistantEntry,
+  resolveCloud,
+  type AssistantEntry,
 } from "../lib/assistant-config.js";
-import type { AssistantEntry } from "../lib/assistant-config.js";
 import { parseAssistantTargetArg } from "../lib/assistant-target-args.js";
 import { getConfigDir } from "../lib/environments/paths.js";
 import { getCurrentEnvironment } from "../lib/environments/resolve.js";
@@ -31,28 +33,6 @@ import {
   writeToLogFile,
 } from "../lib/xdg-log.js";
 
-function resolveCloud(entry: AssistantEntry): string {
-  if (entry.cloud) {
-    return entry.cloud;
-  }
-  if (entry.project) {
-    return "gcp";
-  }
-  if (entry.sshUser) {
-    return "custom";
-  }
-  return "local";
-}
-
-function extractHostFromUrl(url: string): string {
-  try {
-    const parsed = new URL(url);
-    return parsed.hostname;
-  } catch {
-    return url.replace(/^https?:\/\//, "").split(":")[0];
-  }
-}
-
 export { retireLocal };
 
 interface RetireArgs {

package/src/commands/rollback.ts

@@ -4,9 +4,10 @@ import {
   findAssistantByName,
   getActiveAssistant,
   loadAllAssistants,
+  resolveCloud,
   saveAssistantEntry,
+  type AssistantEntry,
 } from "../lib/assistant-config";
-import type { AssistantEntry } from "../lib/assistant-config";
 import {
   captureImageRefs,
   GATEWAY_INTERNAL_PORT,
@@ -90,19 +91,6 @@ function parseArgs(): { name: string | null; version: string | null } {
   return { name, version };
 }
 
-function resolveCloud(entry: AssistantEntry): string {
-  if (entry.cloud) {
-    return entry.cloud;
-  }
-  if (entry.project) {
-    return "gcp";
-  }
-  if (entry.sshUser) {
-    return "custom";
-  }
-  return "local";
-}
-
 /**
  * Resolve which assistant to target for the rollback command. Priority:
  * 1. Explicit name argument

package/src/commands/ssh.ts

@@ -1,7 +1,10 @@
 import { spawn } from "child_process";
 
-import { resolveAssistant } from "../lib/assistant-config";
-import type { AssistantEntry } from "../lib/assistant-config";
+import {
+  extractHostFromUrl,
+  resolveAssistant,
+  resolveCloud,
+} from "../lib/assistant-config";
 import { dockerResourceNames } from "../lib/docker";
 import { getPlatformUrl, readPlatformToken } from "../lib/platform-client";
 import { sshAppleContainer } from "../lib/ssh-apple-container";
@@ -18,28 +21,6 @@ const SSH_OPTS = [
   "LogLevel=ERROR",
 ];
 
-function resolveCloud(entry: AssistantEntry): string {
-  if (entry.cloud) {
-    return entry.cloud;
-  }
-  if (entry.project) {
-    return "gcp";
-  }
-  if (entry.sshUser) {
-    return "custom";
-  }
-  return "local";
-}
-
-function extractHostFromUrl(url: string): string {
-  try {
-    const parsed = new URL(url);
-    return parsed.hostname;
-  } catch {
-    return url.replace(/^https?:\/\//, "").split(":")[0];
-  }
-}
-
 export async function ssh(): Promise<void> {
   const args = process.argv.slice(3);
   if (args.includes("--help") || args.includes("-h")) {

package/src/commands/teleport.ts

@@ -3,10 +3,11 @@ import {
   loadAllAssistants,
   getDaemonPidPath,
   removeAssistantEntry,
+  resolveCloud,
   saveAssistantEntry,
   setActiveAssistant,
+  type AssistantEntry,
 } from "../lib/assistant-config.js";
-import type { AssistantEntry } from "../lib/assistant-config.js";
 import {
   loadGuardianToken,
   leaseGuardianToken,
@@ -214,12 +215,6 @@ export function parseArgs(argv: string[]): {
   return { from, to, targetEnv, targetName, keepSource, dryRun, help };
 }
 
-function resolveCloud(entry: AssistantEntry): string {
-  return (
-    entry.cloud || (entry.project ? "gcp" : entry.sshUser ? "custom" : "local")
-  );
-}
-
 // ---------------------------------------------------------------------------
 // Auth helper — same pattern as restore.ts
 // ---------------------------------------------------------------------------
@@ -228,7 +223,7 @@ async function getAccessToken(
   runtimeUrl: string,
   assistantId: string,
   displayName: string,
-  options?: { forceRefresh?: boolean },
+  options?: { forceRefresh?: boolean; bootstrapSecret?: string },
 ): Promise<string> {
   // When forceRefresh is set (e.g. after a runtime 401 on the cached token)
   // we skip the cache and lease a brand-new token from the gateway, so a
@@ -242,7 +237,11 @@ async function getAccessToken(
   }
 
   try {
-    const freshToken = await leaseGuardianToken(runtimeUrl, assistantId);
+    const freshToken = await leaseGuardianToken(
+      runtimeUrl,
+      assistantId,
+      options?.bootstrapSecret,
+    );
     return freshToken.accessToken;
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -281,11 +280,15 @@ function isRuntime401(err: unknown): boolean {
  * — propagates to the caller.
  */
 async function callRuntimeWithAuthRetry<T>(
-  runtimeUrl: string,
-  assistantId: string,
+  entry: AssistantEntry,
   fn: (token: string) => Promise<T>,
 ): Promise<T> {
-  const firstToken = await getAccessToken(runtimeUrl, assistantId, assistantId);
+  const firstToken = await getAccessToken(
+    entry.runtimeUrl,
+    entry.assistantId,
+    entry.assistantId,
+    { bootstrapSecret: entry.guardianBootstrapSecret },
+  );
   try {
     return await fn(firstToken);
   } catch (err) {
@@ -293,10 +296,13 @@ async function callRuntimeWithAuthRetry<T>(
       throw err;
     }
     const refreshedToken = await getAccessToken(
-      runtimeUrl,
-      assistantId,
-      assistantId,
-      { forceRefresh: true },
+      entry.runtimeUrl,
+      entry.assistantId,
+      entry.assistantId,
+      {
+        forceRefresh: true,
+        bootstrapSecret: entry.guardianBootstrapSecret,
+      },
     );
     return await fn(refreshedToken);
   }
@@ -386,8 +392,7 @@ async function exportFromAssistant(
     let sourceRuntimeVersion: string;
     try {
       const identity = await callRuntimeWithAuthRetry(
-        entry.runtimeUrl,
-        entry.assistantId,
+        entry,
         async (token) => localRuntimeIdentity(entry, token),
       );
       sourceRuntimeVersion = identity.version;
@@ -423,8 +428,7 @@ async function exportFromAssistant(
     let accessToken: string;
     try {
       const result = await callRuntimeWithAuthRetry(
-        entry.runtimeUrl,
-        entry.assistantId,
+        entry,
         async (token) => {
           const r = await localRuntimeExportToGcs(entry, token, {
             uploadUrl,
@@ -462,7 +466,10 @@ async function exportFromAssistant(
           entry.runtimeUrl,
           entry.assistantId,
           entry.assistantId,
-          { forceRefresh: true },
+          {
+            forceRefresh: true,
+            bootstrapSecret: entry.guardianBootstrapSecret,
+          },
         );
       },
     });
@@ -728,8 +735,7 @@ async function importToAssistant(
     let targetRuntimeVersion: string;
     try {
       const identity = await callRuntimeWithAuthRetry(
-        entry.runtimeUrl,
-        entry.assistantId,
+        entry,
         (token) => localRuntimeIdentity(entry, token),
       );
       targetRuntimeVersion = identity.version;
@@ -774,8 +780,7 @@ async function importToAssistant(
     let accessToken: string;
     try {
       const result = await callRuntimeWithAuthRetry(
-        entry.runtimeUrl,
-        entry.assistantId,
+        entry,
         async (token) => {
           const r = await localRuntimeImportFromGcs(entry, token, {
             bundleUrl,
@@ -806,7 +811,10 @@ async function importToAssistant(
           entry.runtimeUrl,
           entry.assistantId,
           entry.assistantId,
-          { forceRefresh: true },
+          {
+            forceRefresh: true,
+            bootstrapSecret: entry.guardianBootstrapSecret,
+          },
         );
       },
     });

package/src/commands/upgrade.ts

@@ -7,9 +7,10 @@ import {
   findAssistantByName,
   getActiveAssistant,
   loadAllAssistants,
+  resolveCloud,
   saveAssistantEntry,
+  type AssistantEntry,
 } from "../lib/assistant-config";
-import type { AssistantEntry } from "../lib/assistant-config";
 import {
   captureImageRefs,
   GATEWAY_INTERNAL_PORT,
@@ -145,19 +146,6 @@ function parseArgs(): UpgradeArgs {
   return { name, version, latest, prepare, finalize };
 }
 
-function resolveCloud(entry: AssistantEntry): string {
-  if (entry.cloud) {
-    return entry.cloud;
-  }
-  if (entry.project) {
-    return "gcp";
-  }
-  if (entry.sshUser) {
-    return "custom";
-  }
-  return "local";
-}
-
 /**
  * Resolve which assistant to target for the upgrade command. Priority:
  * 1. Explicit name argument
@@ -512,7 +500,10 @@ async function upgradeDocker(
   } else {
     console.error(`\n❌ Containers failed to become ready within the timeout.`);
 
-    const logDir = await captureUpgradeFailureLogs(res, `${instanceName}-upgrade-failure`);
+    const logDir = await captureUpgradeFailureLogs(
+      res,
+      `${instanceName}-upgrade-failure`,
+    );
     if (logDir) {
       console.log(`📋 Container logs saved to: ${logDir}`);
     }
@@ -938,7 +929,8 @@ async function resolveLatestAndMaybeSelfUpdate(
     );
     if (installResult.error || installResult.status !== 0) {
       const detail =
-        installResult.error?.message ?? `exited with code ${installResult.status}`;
+        installResult.error?.message ??
+        `exited with code ${installResult.status}`;
       console.error(`\n❌ CLI self-update failed: ${detail}`);
       emitCliError("CLI_UPDATE_FAILED", "CLI self-update failed", detail);
       process.exit(1);

package/src/commands/wake.ts

@@ -8,7 +8,7 @@ import {
 } from "../lib/assistant-config.js";
 import { dockerResourceNames, wakeContainers } from "../lib/docker.js";
 import { seedGuardianTokenFromSiblingEnv } from "../lib/guardian-token.js";
-import { isProcessAlive, stopProcessByPidFile } from "../lib/process";
+import { resolveProcessState, stopProcessByPidFile } from "../lib/process";
 import {
   generateLocalSigningKey,
   isAssistantWatchModeAvailable,
@@ -85,36 +85,26 @@ export async function wake(): Promise<void> {
 
   const pidFile = getDaemonPidPath(resources);
 
-  // Check if daemon is already running
   let daemonRunning = false;
-  if (existsSync(pidFile)) {
-    const pidStr = readFileSync(pidFile, "utf-8").trim();
-    const pid = parseInt(pidStr, 10);
-    if (!isNaN(pid)) {
-      try {
-        process.kill(pid, 0);
-        daemonRunning = true;
-        if (watch) {
-          // Restart in watch mode — but only if source files are available.
-          // Watch mode requires bun --watch with .ts sources; packaged desktop
-          // builds only have a compiled binary. Stopping the daemon without a
-          // viable watch-mode path would leave the user with no running assistant.
-          if (!isAssistantWatchModeAvailable()) {
-            console.log(
-              `Assistant running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
-            );
-          } else {
-            console.log(
-              `Assistant running (pid ${pid}) — restarting in watch mode...`,
-            );
-            await stopProcessByPidFile(pidFile, "assistant");
-            daemonRunning = false;
-          }
-        } else {
-          console.log(`Assistant already running (pid ${pid}).`);
-        }
-      } catch {
-        // Process not alive, will start below
+  const daemonState = await resolveProcessState(
+    pidFile,
+    resources.daemonPort,
+    "Assistant",
+  );
+  if (daemonState.status === "healthy") {
+    if (watch && isAssistantWatchModeAvailable()) {
+      console.log(
+        `Assistant running (pid ${daemonState.pid}) — restarting in watch mode...`,
+      );
+      await stopProcessByPidFile(pidFile, "assistant");
+    } else {
+      daemonRunning = true;
+      if (watch) {
+        console.log(
+          `Assistant running (pid ${daemonState.pid}) — watch mode not available (no source files). Keeping existing process.`,
+        );
+      } else {
+        console.log(`Assistant already running (pid ${daemonState.pid}).`);
       }
     }
   }
@@ -153,6 +143,15 @@ export async function wake(): Promise<void> {
     saveAssistantEntry(entry);
   }
 
+  let bootstrapSecret = entry.guardianBootstrapSecret;
+  let bootstrapSecretBackfilled = false;
+  if (!bootstrapSecret) {
+    bootstrapSecret = generateLocalSigningKey();
+    entry.guardianBootstrapSecret = bootstrapSecret;
+    saveAssistantEntry(entry);
+    bootstrapSecretBackfilled = true;
+  }
+
   if (!daemonRunning) {
     await startLocalDaemon(watch, resources, { foreground, signingKey });
   }
@@ -161,26 +160,47 @@ export async function wake(): Promise<void> {
   {
     const vellumDir = join(resources.instanceDir, ".vellum");
     const gatewayPidFile = join(vellumDir, "gateway.pid");
-    const { alive, pid } = isProcessAlive(gatewayPidFile);
-    if (alive) {
-      if (watch) {
-        // Guard gateway restart separately: check gateway source availability.
-        if (!isGatewayWatchModeAvailable()) {
+    const gatewayState = await resolveProcessState(
+      gatewayPidFile,
+      resources.gatewayPort,
+      "Gateway",
+    );
+    const gatewayAlive = gatewayState.status === "healthy";
+    const needsRestart = bootstrapSecretBackfilled && gatewayAlive;
+    if (needsRestart) {
+      const restartWithWatch = watch && isGatewayWatchModeAvailable();
+      if (restartWithWatch) {
+        console.log(
+          `Gateway running (pid ${gatewayState.pid}) — restarting to apply bootstrap secret...`,
+        );
+      } else {
+        console.log(
+          `Gateway running (pid ${gatewayState.pid}) — restarting without watch mode to apply bootstrap secret...`,
+        );
+      }
+      await stopProcessByPidFile(gatewayPidFile, "gateway");
+      await startGateway(restartWithWatch, resources, {
+        signingKey,
+        bootstrapSecret,
+      });
+    } else if (gatewayAlive) {
+      if (watch && isGatewayWatchModeAvailable()) {
+        console.log(
+          `Gateway running (pid ${gatewayState.pid}) — restarting in watch mode...`,
+        );
+        await stopProcessByPidFile(gatewayPidFile, "gateway");
+        await startGateway(watch, resources, { signingKey, bootstrapSecret });
+      } else {
+        if (watch) {
           console.log(
-            `Gateway running (pid ${pid}) — watch mode not available (no source files). Keeping existing process.`,
+            `Gateway running (pid ${gatewayState.pid}) — watch mode not available (no source files). Keeping existing process.`,
           );
         } else {
-          console.log(
-            `Gateway running (pid ${pid}) — restarting in watch mode...`,
-          );
-          await stopProcessByPidFile(gatewayPidFile, "gateway");
-          await startGateway(watch, resources, { signingKey });
+          console.log(`Gateway already running (pid ${gatewayState.pid}).`);
         }
-      } else {
-        console.log(`Gateway already running (pid ${pid}).`);
       }
     } else {
-      await startGateway(watch, resources, { signingKey });
+      await startGateway(watch, resources, { signingKey, bootstrapSecret });
     }
   }
 
@@ -196,7 +216,10 @@ export async function wake(): Promise<void> {
 
   // Auto-start ngrok if webhook integrations (e.g. Telegram) are configured.
   const workspaceDir = join(resources.instanceDir, ".vellum", "workspace");
-  const ngrokChild = await maybeStartNgrokTunnel(resources.gatewayPort, workspaceDir);
+  const ngrokChild = await maybeStartNgrokTunnel(
+    resources.gatewayPort,
+    workspaceDir,
+  );
   if (ngrokChild?.pid) {
     const ngrokPidFile = join(resources.instanceDir, ".vellum", "ngrok.pid");
     writeFileSync(ngrokPidFile, String(ngrokChild.pid));

package/src/components/DefaultMainScreen.tsx

@@ -13,6 +13,7 @@ import { SPECIES_CONFIG, type Species } from "../lib/constants";
 import { checkHealth } from "../lib/health-check";
 import { appendHistory, loadHistory } from "../lib/input-history";
 import { tuiLog } from "../lib/tui-log";
+import { segmentsToPlainText } from "../lib/segments-to-plain-text";
 import { statusEmoji, withStatusEmoji } from "../lib/status-emoji";
 import {
   getTerminalCapabilities,
@@ -230,13 +231,20 @@ async function pollMessages(
   auth?: Record<string, string>,
 ): Promise<ListMessagesResponse> {
   const params = new URLSearchParams({ conversationKey: assistantId });
-  return runtimeRequest<ListMessagesResponse>(
+  const response = await runtimeRequest<ListMessagesResponse>(
     baseUrl,
     assistantId,
     `/messages?${params.toString()}`,
     undefined,
     auth,
   );
+  return {
+    ...response,
+    messages: response.messages.map((msg) => ({
+      ...msg,
+      content: segmentsToPlainText(msg.textSegments),
+    })),
+  };
 }
 
 async function sendMessage(
@@ -626,6 +634,13 @@ export interface RuntimeMessage {
   id: string;
   role: "user" | "assistant";
   content: string;
+  /**
+   * Ordered text segments from the daemon's history payload, split at
+   * tool_use/surface boundaries. The flat `content` body is derived from
+   * these (see `segmentsToPlainText`); the daemon no longer sends a
+   * redundant flattened `content` field on the wire.
+   */
+  textSegments?: string[];
   timestamp: string;
   toolCalls?: ToolCallInfo[];
   label?: string;

package/src/index.ts

@@ -7,6 +7,8 @@ import { client } from "./commands/client";
 import { env } from "./commands/env";
 import { events } from "./commands/events";
 import { exec } from "./commands/exec";
+import { flags } from "./commands/flags";
+import { gateway } from "./commands/gateway";
 import { hatch } from "./commands/hatch";
 import { login, logout, whoami } from "./commands/login";
 import { logs } from "./commands/logs";
@@ -37,6 +39,8 @@ const commands = {
   env,
   events,
   exec,
+  flags,
+  gateway,
   hatch,
   login,
   logout,
@@ -72,6 +76,8 @@ function printHelp(): void {
   console.log("  env      Manage the default CLI environment");
   console.log("  events   Stream events from a running assistant");
   console.log("  exec     Execute a command inside an assistant's container");
+  console.log("  flags    Show and toggle feature flags");
+  console.log("  gateway  Gateway management commands");
   console.log("  hatch    Create a new assistant instance");
   console.log("  logs     View logs from an assistant instance");
   console.log("  login    Log in to the Vellum platform");

package/src/lib/__tests__/lifecycle-reporter.test.ts

@@ -0,0 +1,59 @@
+import { afterEach, beforeEach, describe, expect, spyOn, test } from "bun:test";
+
+import { consoleLifecycleReporter } from "../lifecycle-reporter.js";
+
+describe("consoleLifecycleReporter", () => {
+  const originalDesktopApp = process.env.VELLUM_DESKTOP_APP;
+  let stdoutWriteSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    stdoutWriteSpy = spyOn(process.stdout, "write").mockImplementation(
+      () => true,
+    );
+  });
+
+  afterEach(() => {
+    stdoutWriteSpy.mockRestore();
+    if (originalDesktopApp === undefined) {
+      delete process.env.VELLUM_DESKTOP_APP;
+    } else {
+      process.env.VELLUM_DESKTOP_APP = originalDesktopApp;
+    }
+  });
+
+  test("routes log/warn/error to the matching console methods", () => {
+    const logSpy = spyOn(console, "log").mockImplementation(() => {});
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const errorSpy = spyOn(console, "error").mockImplementation(() => {});
+
+    consoleLifecycleReporter.log("hello");
+    consoleLifecycleReporter.warn("careful");
+    consoleLifecycleReporter.error("boom");
+
+    expect(logSpy).toHaveBeenCalledWith("hello");
+    expect(warnSpy).toHaveBeenCalledWith("careful");
+    expect(errorSpy).toHaveBeenCalledWith("boom");
+
+    logSpy.mockRestore();
+    warnSpy.mockRestore();
+    errorSpy.mockRestore();
+  });
+
+  test("emits the HATCH_PROGRESS stdout contract under VELLUM_DESKTOP_APP", () => {
+    process.env.VELLUM_DESKTOP_APP = "1";
+
+    consoleLifecycleReporter.progress(3, 6, "Starting assistant...");
+
+    expect(stdoutWriteSpy).toHaveBeenCalledWith(
+      `HATCH_PROGRESS:${JSON.stringify({ step: 3, total: 6, label: "Starting assistant..." })}\n`,
+    );
+  });
+
+  test("suppresses progress output when not running under the desktop app", () => {
+    delete process.env.VELLUM_DESKTOP_APP;
+
+    consoleLifecycleReporter.progress(1, 6, "Allocating resources...");
+
+    expect(stdoutWriteSpy).not.toHaveBeenCalled();
+  });
+});

package/src/lib/__tests__/step-runner.test.ts

@@ -1,6 +1,15 @@
+import { mkdtempSync, readFileSync, rmSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+
 import { describe, expect, it } from "bun:test";
 
-import { buildExecErrorMessage, exec, execOutput } from "../step-runner";
+import {
+  buildExecErrorMessage,
+  exec,
+  execOutput,
+  execWithStdin,
+} from "../step-runner";
 
 describe("buildExecErrorMessage", () => {
   it("omits the argv from the header so secrets in args can't leak", () => {
@@ -63,6 +72,45 @@ describe("exec — secret leak regression", () => {
   });
 });
 
+describe("execWithStdin — pipes input + no secret leak in errors", () => {
+  it("writes the supplied input to the child's stdin", async () => {
+    // Use sh `cat > path` to capture stdin to a real file we can inspect.
+    // Mirrors the Docker-hatch overlay-staging call site shape.
+    const workDir = mkdtempSync(join(tmpdir(), "step-runner-stdin-"));
+    const dest = join(workDir, "captured.txt");
+    try {
+      const payload = '{"hello":"world"}\n';
+      await execWithStdin("sh", ["-c", `cat > ${dest}`], payload);
+      expect(readFileSync(dest, "utf-8")).toBe(payload);
+    } finally {
+      rmSync(workDir, { recursive: true, force: true });
+    }
+  });
+
+  it("rejects with an Error whose message contains neither the args nor any -e KEY=VALUE pair", async () => {
+    const fakeSecret = "sk-anthropic-stdin-canary";
+    try {
+      await execWithStdin(
+        "sh",
+        [
+          "-c",
+          'echo "permission denied while trying to connect to docker daemon" 1>&2 && exit 1',
+          "-e",
+          `ANTHROPIC_API_KEY=${fakeSecret}`,
+        ],
+        "",
+      );
+      throw new Error("execWithStdin should have rejected");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      expect(message).not.toContain(fakeSecret);
+      expect(message).not.toContain("ANTHROPIC_API_KEY");
+      expect(message).toContain("sh exited with code 1");
+      expect(message).toContain("permission denied");
+    }
+  });
+});
+
 describe("execOutput — secret leak regression", () => {
   it("rejects with an Error whose message contains neither the args nor any -e KEY=VALUE pair", async () => {
     const fakeSecret = "sk-openai-leak-canary";