@vellumai/cli 0.8.6 → 0.8.7

package/src/commands/client.ts

@@ -1,3 +1,4 @@
+import { spawn } from "node:child_process";
 import { existsSync } from "node:fs";
 import { hostname } from "node:os";
 import path from "node:path";
@@ -23,10 +24,27 @@ import {
   WEB_INTERFACE_ID,
   getClientRegistrationHeaders,
 } from "../lib/client-identity";
+import {
+  getLockfileData,
+  upsertLockfileAssistant,
+  replacePlatformAssistants,
+  runHatch,
+  runRetire,
+  getGuardianAccessToken,
+  parseGatewayUrl,
+  readAllowedGatewayPorts,
+  isLoopbackAddr,
+  resolveDevCliInvocation,
+  resolveLockfilePaths,
+  resolveConfigDir,
+  type CliInvocation,
+} from "@vellumai/local-mode";
 import { parseAssistantTargetArg } from "../lib/assistant-target-args.js";
 import {
   fetchOrganizationId,
   fetchPlatformAssistants,
+  getPlatformUrl,
+  getWebUrl,
   readPlatformToken,
 } from "../lib/platform-client";
 import { tuiLog } from "../lib/tui-log";
@@ -311,7 +329,282 @@ function findWebDistDir(): string | null {
   return null;
 }
 
+/**
+ * Locate the apps/web source directory for running the Vite dev server.
+ * Only works from a source checkout (not npm-installed).
+ */
+function findWebSourceDir(): string | null {
+  let dir = import.meta.dir;
+  for (let depth = 0; depth < 8; depth++) {
+    const candidate = path.join(dir, "apps", "web", "vite.config.ts");
+    if (existsSync(candidate)) {
+      return path.dirname(candidate);
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+const LOCKFILE_PATTERN = /^(?:\/assistant)?\/__local\/lockfile$/;
+const HATCH_PATTERN = /^(?:\/assistant)?\/__local\/hatch$/;
+const RETIRE_PATTERN = /^(?:\/assistant)?\/__local\/retire$/;
+const GUARDIAN_TOKEN_PATTERN =
+  /^(?:\/assistant)?\/__local\/guardian-token\/([^/]+)$/;
+
+function getEnvRecord(): Record<string, string> {
+  const result: Record<string, string> = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== undefined) result[k] = v;
+  }
+  return result;
+}
+
+const _localEnv = getEnvRecord();
+const _lockfilePaths = resolveLockfilePaths(_localEnv);
+const _configDir = resolveConfigDir(_localEnv);
+const _baseDir = getBaseDir();
+
+async function handleLocalEndpoints(
+  req: Request,
+  url: URL,
+  server: { requestIP(req: Request): { address: string } | null },
+): Promise<Response | null> {
+  const { pathname } = url;
+  const lockfilePaths = _lockfilePaths;
+  const configDir = _configDir;
+
+  // Check if this is a __local or __gateway route before enforcing loopback.
+  const isLocalRoute =
+    LOCKFILE_PATTERN.test(pathname) ||
+    HATCH_PATTERN.test(pathname) ||
+    RETIRE_PATTERN.test(pathname) ||
+    GUARDIAN_TOKEN_PATTERN.test(pathname) ||
+    parseGatewayUrl(pathname).match;
+
+  if (!isLocalRoute) return null;
+
+  // All __local and __gateway endpoints are restricted to loopback clients.
+  const peer = server.requestIP(req)?.address ?? "";
+  if (!isLoopbackAddr(peer)) {
+    return Response.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  // Lockfile
+  if (LOCKFILE_PATTERN.test(pathname)) {
+    if (req.method === "GET") {
+      const result = getLockfileData(lockfilePaths);
+      if (result.ok) {
+        return Response.json(result.data);
+      }
+      return new Response(null, { status: result.status });
+    }
+    if (req.method === "POST") {
+      let body: Record<string, unknown>;
+      try {
+        body = (await req.json()) as Record<string, unknown>;
+      } catch {
+        return Response.json(
+          { ok: false, error: "Invalid JSON body" },
+          { status: 400 },
+        );
+      }
+      let result;
+      if (body.syncPlatform && Array.isArray(body.platformAssistants)) {
+        result = replacePlatformAssistants(
+          lockfilePaths,
+          body.platformAssistants as Array<Record<string, unknown>>,
+        );
+      } else {
+        result = upsertLockfileAssistant(
+          lockfilePaths,
+          body.assistant as Record<string, unknown>,
+          body.activeAssistant as string | undefined,
+        );
+      }
+      return Response.json(result, { status: result.ok ? 200 : result.status });
+    }
+    return new Response(null, { status: 405 });
+  }
+
+  // Hatch
+  if (HATCH_PATTERN.test(pathname)) {
+    if (req.method !== "POST") return new Response(null, { status: 405 });
+
+    let species = "vellum";
+    const contentType = req.headers.get("content-type") ?? "";
+    if (contentType.includes("json")) {
+      try {
+        const body = (await req.json()) as { species?: string };
+        if (body.species) species = body.species;
+      } catch {
+        return Response.json(
+          { ok: false, error: "Invalid JSON body" },
+          { status: 400 },
+        );
+      }
+    }
+
+    let invocation: CliInvocation;
+    try {
+      invocation = resolveDevCliInvocation(_baseDir);
+    } catch (err) {
+      return Response.json(
+        { ok: false, error: err instanceof Error ? err.message : String(err) },
+        { status: 500 },
+      );
+    }
+
+    const result = await runHatch(invocation, species);
+    if (result.ok) {
+      return Response.json({ ok: true, assistantId: result.assistantId });
+    }
+    return Response.json(
+      { ok: false, error: result.error },
+      { status: result.status },
+    );
+  }
+
+  // Retire
+  if (RETIRE_PATTERN.test(pathname)) {
+    if (req.method !== "POST") return new Response(null, { status: 405 });
+
+    let assistantId: string | undefined;
+    try {
+      const body = (await req.json()) as { assistantId?: string };
+      assistantId = body.assistantId;
+    } catch {
+      return Response.json(
+        { ok: false, error: "Invalid JSON body" },
+        { status: 400 },
+      );
+    }
+
+    if (!assistantId) {
+      return Response.json(
+        { ok: false, error: "Missing assistantId" },
+        { status: 400 },
+      );
+    }
+
+    let invocation: CliInvocation;
+    try {
+      invocation = resolveDevCliInvocation(_baseDir);
+    } catch (err) {
+      return Response.json(
+        { ok: false, error: err instanceof Error ? err.message : String(err) },
+        { status: 500 },
+      );
+    }
+
+    const result = await runRetire(invocation, assistantId);
+    if (result.ok) {
+      return Response.json({ ok: true });
+    }
+    return Response.json(
+      { ok: false, error: result.error },
+      { status: result.status },
+    );
+  }
+
+  // Guardian token
+  const guardianMatch = pathname.match(GUARDIAN_TOKEN_PATTERN);
+  if (guardianMatch) {
+    if (req.method !== "GET") return new Response(null, { status: 405 });
+
+    const assistantId = decodeURIComponent(guardianMatch[1]!);
+
+    let invocation: CliInvocation;
+    try {
+      invocation = resolveDevCliInvocation(_baseDir);
+    } catch (err) {
+      return Response.json(
+        { error: err instanceof Error ? err.message : String(err) },
+        { status: 500 },
+      );
+    }
+
+    const result = await getGuardianAccessToken(
+      assistantId,
+      configDir,
+      invocation,
+      true,
+      _localEnv,
+    );
+    if (result.ok) {
+      return Response.json({ accessToken: result.accessToken });
+    }
+    return Response.json({ error: result.error }, { status: result.status });
+  }
+
+  // Gateway proxy
+  const gatewayResult = parseGatewayUrl(pathname);
+  if (gatewayResult.match) {
+    if (!gatewayResult.valid) {
+      return new Response("Port must be between 1024 and 65535", {
+        status: 400,
+      });
+    }
+    const { target: gatewayTarget } = gatewayResult;
+    const allowedPorts = readAllowedGatewayPorts(lockfilePaths);
+    if (!allowedPorts.has(gatewayTarget.port)) {
+      return new Response("Gateway port is not active in lockfile", {
+        status: 403,
+      });
+    }
+    const targetUrl = `http://127.0.0.1:${gatewayTarget.port}${gatewayTarget.path}${url.search}`;
+    const headers = new Headers(req.headers);
+    headers.set("host", `127.0.0.1:${gatewayTarget.port}`);
+
+    try {
+      const hasBody = req.method !== "GET" && req.method !== "HEAD";
+      const proxyRes = await fetch(targetUrl, {
+        method: req.method,
+        headers,
+        body: hasBody ? req.body : undefined,
+        redirect: "manual",
+      });
+      const resHeaders = new Headers(proxyRes.headers);
+      resHeaders.delete("transfer-encoding");
+      return new Response(proxyRes.body, {
+        status: proxyRes.status,
+        statusText: proxyRes.statusText,
+        headers: resHeaders,
+      });
+    } catch {
+      return new Response("Gateway proxy error", { status: 502 });
+    }
+  }
+
+  return null;
+}
+
+function getBaseDir(): string {
+  let dir = import.meta.dir;
+  for (let depth = 0; depth < 8; depth++) {
+    if (existsSync(path.join(dir, "cli", "src", "index.ts"))) {
+      return dir;
+    }
+    const pkgPath = path.join(dir, "package.json");
+    if (existsSync(pkgPath)) {
+      return dir;
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return path.resolve(import.meta.dir, "..", "..", "..");
+}
+
 async function runWebInterface(): Promise<void> {
+  // Prefer Vite dev server in source checkouts for full local-mode support
+  // (HMR, __local endpoints, gateway proxy).
+  const webSourceDir = findWebSourceDir();
+  if (webSourceDir) {
+    return runViteDevServer(webSourceDir);
+  }
+
   const distDir = findWebDistDir();
   if (!distDir) {
     console.error(
@@ -323,7 +616,14 @@ async function runWebInterface(): Promise<void> {
     process.exit(1);
   }
 
-  const indexHtml = await Bun.file(path.join(distDir, "index.html")).text();
+  const rawIndexHtml = await Bun.file(path.join(distDir, "index.html")).text();
+  const platformUrl = getPlatformUrl();
+  const webUrl = getWebUrl();
+  const configJson = JSON.stringify({ webUrl, platformUrl });
+  const indexHtml = rawIndexHtml.replace(
+    "</head>",
+    `<script>window.__VELLUM_CONFIG__=${configJson}</script></head>`,
+  );
 
   const server = Bun.serve({
     port: 3000,
@@ -332,10 +632,82 @@ async function runWebInterface(): Promise<void> {
       const url = new URL(req.url);
       const { pathname } = url;
 
-      if (pathname === "/") {
+      if (pathname === "/" || pathname === "/assistant") {
         return Response.redirect(SPA_BASE, 302);
       }
 
+      // Loopback auth: the platform redirects here after login with
+      // ?state=...&session_token=... — forward into the SPA.
+      if (pathname === "/callback") {
+        return Response.redirect(
+          `/account/platform-callback${url.search}`,
+          302,
+        );
+      }
+
+      // Expose environment config to the SPA.
+      if (pathname === "/assistant/__config" || pathname === "/__config") {
+        return new Response(configJson, {
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+
+      // __local endpoints for local-mode (lockfile, hatch, retire, guardian-token, gateway-proxy).
+      const localResponse = await handleLocalEndpoints(req, url, server);
+      if (localResponse) return localResponse;
+
+      // Reverse-proxy platform API requests.
+      if (
+        pathname.startsWith("/v1/") ||
+        pathname.startsWith("/_allauth/") ||
+        pathname.startsWith("/accounts/")
+      ) {
+        const target = new URL(pathname + url.search, platformUrl);
+        const headers = new Headers(req.headers);
+        headers.set("Host", new URL(platformUrl).host);
+        headers.delete("Origin");
+        headers.delete("Referer");
+
+        // Forward the session token — the loopback flow stores it in
+        // the browser cookie jar for localhost, but the platform backend
+        // expects it on its own domain. Set both the Cookie (for Django
+        // session middleware / allauth) and X-Session-Token (for DRF
+        // views that accept header-based auth).
+        const sessionToken = /sessionid=([^;]+)/.exec(
+          req.headers.get("Cookie") ?? "",
+        )?.[1];
+        if (sessionToken) {
+          headers.set(
+            "Cookie",
+            `sessionid=${sessionToken}; __Secure-sessionid=${sessionToken}`,
+          );
+          headers.set("X-Session-Token", sessionToken);
+        }
+
+        try {
+          const hasBody = req.method !== "GET" && req.method !== "HEAD";
+          const body = hasBody ? await req.arrayBuffer() : undefined;
+          const proxyRes = await fetch(target.toString(), {
+            method: req.method,
+            headers,
+            body,
+            redirect: "manual",
+          });
+          const resHeaders = new Headers(proxyRes.headers);
+          resHeaders.delete("transfer-encoding");
+          return new Response(proxyRes.body, {
+            status: proxyRes.status,
+            statusText: proxyRes.statusText,
+            headers: resHeaders,
+          });
+        } catch (err) {
+          return new Response(
+            JSON.stringify({ error: `Platform proxy error: ${err}` }),
+            { status: 502, headers: { "Content-Type": "application/json" } },
+          );
+        }
+      }
+
       if (pathname.startsWith(SPA_BASE)) {
         const relPath = pathname.slice(SPA_BASE.length);
         if (relPath) {
@@ -350,6 +722,13 @@ async function runWebInterface(): Promise<void> {
         });
       }
 
+      // SPA fallback for /account/* routes (login, callback, etc.)
+      if (pathname.startsWith("/account/")) {
+        return new Response(indexHtml, {
+          headers: { "Content-Type": "text/html; charset=utf-8" },
+        });
+      }
+
       return new Response("Not Found", { status: 404 });
     },
   });
@@ -368,6 +747,38 @@ async function runWebInterface(): Promise<void> {
   await new Promise(() => {});
 }
 
+async function runViteDevServer(webSourceDir: string): Promise<void> {
+  const platformUrl = getPlatformUrl();
+
+  const child = spawn("bun", ["run", "dev"], {
+    cwd: webSourceDir,
+    stdio: "inherit",
+    env: {
+      ...process.env,
+      VITE_PLATFORM_MODE: "false",
+      API_PROXY_TARGET: platformUrl,
+      VELLUM_WEB_URL: getWebUrl(),
+      VELLUM_PLATFORM_URL: platformUrl,
+      PORT: "3000",
+    },
+  });
+
+  const shutdown = (): void => {
+    child.kill();
+    process.exit(0);
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+
+  await new Promise<void>((_, reject) => {
+    child.on("exit", (code) => {
+      if (code !== 0) {
+        reject(new Error(`Vite dev server exited with code ${code}`));
+      }
+    });
+  });
+}
+
 export async function client(): Promise<void> {
   const {
     runtimeUrl,

package/src/commands/env.ts

@@ -1,4 +1,4 @@
-import { SEEDS } from "../lib/environments/seeds.js";
+import { SEEDS } from "@vellumai/environments";
 import {
   clearDefaultEnvironment,
   readDefaultEnvironment,

package/src/commands/flags.ts

@@ -1,4 +1,8 @@
 import { AssistantClient } from "../lib/assistant-client.js";
+import {
+  formatAssistantLookupError,
+  lookupAssistantByIdentifier,
+} from "../lib/assistant-config.js";
 
 type FeatureFlagEntry = {
   key: string;
@@ -17,7 +21,12 @@ function pad(s: string, w: number): string {
 }
 
 function printFlagTable(flags: FeatureFlagEntry[]): void {
-  const headers = { key: "KEY", enabled: "ENABLED", default: "DEFAULT", label: "LABEL" };
+  const headers = {
+    key: "KEY",
+    enabled: "ENABLED",
+    default: "DEFAULT",
+    label: "LABEL",
+  };
 
   const rows = flags
     .slice()
@@ -55,7 +64,9 @@ function printHelp(): void {
   console.log("Usage: vellum flags [subcommand] [options]");
   console.log("");
   console.log("Show and toggle feature flags for the active assistant.");
-  console.log("Reads from the gateway's merged flag state (persisted overrides > remote > defaults).");
+  console.log(
+    "Reads from the gateway's merged flag state (persisted overrides > remote > defaults).",
+  );
   console.log("");
   console.log("Subcommands:");
   console.log("  (none)              List all feature flags in a table");
@@ -63,20 +74,53 @@ function printHelp(): void {
   console.log("  set <key> <bool>    Set a flag override to true or false");
   console.log("");
   console.log("Options:");
+  console.log(
+    "  --assistant <name>  Target a specific assistant (display name or ID)",
+  );
+  console.log(
+    "                      instead of the active one. Useful for scripted",
+  );
+  console.log(
+    "                      flows like eval harnesses that must not mutate",
+  );
+  console.log("                      the user's active-assistant pointer.");
   console.log("  --help, -h          Show this help");
   console.log("");
   console.log("Examples:");
-  console.log("  $ vellum flags                                 # list all flags");
-  console.log("  $ vellum flags get query-complexity-routing     # inspect one flag");
-  console.log("  $ vellum flags set voice-mode true              # enable a flag");
+  console.log(
+    "  $ vellum flags                                              # list flags for active assistant",
+  );
+  console.log(
+    "  $ vellum flags get query-complexity-routing                  # inspect one flag",
+  );
+  console.log(
+    "  $ vellum flags set voice-mode true                           # enable a flag",
+  );
+  console.log(
+    "  $ vellum flags set external-plugins true --assistant eval-1  # target by name/id",
+  );
 }
 
-function createClient(): AssistantClient {
+function createClient(assistantName?: string): AssistantClient {
+  // When `--assistant <name>` is provided, resolve the display name or
+  // explicit ID through the standard lookup helper (see cli/AGENTS.md
+  // "Assistant targeting convention"). Exact ID wins over display-name
+  // matches; ambiguous names fail loudly.
+  let assistantId: string | undefined;
+  if (assistantName) {
+    const result = lookupAssistantByIdentifier(assistantName);
+    if (result.status !== "found") {
+      throw new Error(formatAssistantLookupError(assistantName, result));
+    }
+    assistantId = result.entry.assistantId;
+  }
   try {
-    return new AssistantClient();
+    return new AssistantClient(assistantId ? { assistantId } : undefined);
   } catch {
     throw new Error(
-      "No assistant found. Hatch one with 'vellum hatch' first.",
+      assistantName
+        ? `No assistant found matching '${assistantName}'.`
+        : "No assistant found. Hatch one with 'vellum hatch' first.",
     );
   }
 }
@@ -93,8 +137,8 @@ function rethrowFetchError(err: unknown): never {
   throw err;
 }
 
-async function listFlags(): Promise<void> {
-  const client = createClient();
+async function listFlags(assistantName?: string): Promise<void> {
+  const client = createClient(assistantName);
   let res: Response;
   try {
     res = await client.get("/feature-flags");
@@ -113,8 +157,8 @@ async function listFlags(): Promise<void> {
   printFlagTable(data.flags);
 }
 
-async function getFlag(key: string): Promise<void> {
-  const client = createClient();
+async function getFlag(key: string, assistantName?: string): Promise<void> {
+  const client = createClient(assistantName);
   let res: Response;
   try {
     res = await client.get("/feature-flags");
@@ -136,8 +180,12 @@ async function getFlag(key: string): Promise<void> {
   console.log(`Description:    ${flag.description || "(none)"}`);
 }
 
-async function setFlag(key: string, value: boolean): Promise<void> {
-  const client = createClient();
+async function setFlag(
+  key: string,
+  value: boolean,
+  assistantName?: string,
+): Promise<void> {
+  const client = createClient(assistantName);
   let res: Response;
   try {
     res = await client.patch(`/feature-flags/${key}`, { enabled: value });
@@ -151,6 +199,28 @@ async function setFlag(key: string, value: boolean): Promise<void> {
   console.log(`Flag "${key}" set to ${value}`);
 }
 
+/**
+ * Strip `--assistant <name>` from argv and return the captured value.
+ *
+ * Mutates the input array so positional parsing downstream sees a clean
+ * shape (subcommand + key + value). Returns `undefined` if the flag is
+ * absent. Error-reports a missing value so the user gets a clear message
+ * rather than the flag being silently swallowed as a positional.
+ */
+function extractAssistantFlag(args: string[]): string | undefined {
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] !== "--assistant") continue;
+    const value = args[i + 1];
+    if (!value || value.startsWith("-")) {
+      console.error("Missing value for --assistant <name>");
+      process.exit(1);
+    }
+    args.splice(i, 2);
+    return value;
+  }
+  return undefined;
+}
+
 export async function flags(): Promise<void> {
   const args = process.argv.slice(3);
 
@@ -159,10 +229,12 @@ export async function flags(): Promise<void> {
     return;
   }
 
+  const assistantName = extractAssistantFlag(args);
+
   const subcommand = args[0];
 
   if (!subcommand) {
-    await listFlags();
+    await listFlags(assistantName);
     return;
   }
 
@@ -172,7 +244,7 @@ export async function flags(): Promise<void> {
       console.error("Usage: vellum flags get <key>");
       process.exit(1);
     }
-    await getFlag(key);
+    await getFlag(key, assistantName);
     return;
   }
 
@@ -187,7 +259,7 @@ export async function flags(): Promise<void> {
       console.error(`Invalid value "${rawValue}". Must be "true" or "false".`);
       process.exit(1);
     }
-    await setFlag(key, rawValue === "true");
+    await setFlag(key, rawValue === "true", assistantName);
     return;
   }
 

package/src/components/DefaultMainScreen.tsx

@@ -13,6 +13,7 @@ import { SPECIES_CONFIG, type Species } from "../lib/constants";
 import { checkHealth } from "../lib/health-check";
 import { appendHistory, loadHistory } from "../lib/input-history";
 import { tuiLog } from "../lib/tui-log";
+import { segmentsToPlainText } from "../lib/segments-to-plain-text";
 import { statusEmoji, withStatusEmoji } from "../lib/status-emoji";
 import {
   getTerminalCapabilities,
@@ -230,13 +231,20 @@ async function pollMessages(
   auth?: Record<string, string>,
 ): Promise<ListMessagesResponse> {
   const params = new URLSearchParams({ conversationKey: assistantId });
-  return runtimeRequest<ListMessagesResponse>(
+  const response = await runtimeRequest<ListMessagesResponse>(
     baseUrl,
     assistantId,
     `/messages?${params.toString()}`,
     undefined,
     auth,
   );
+  return {
+    ...response,
+    messages: response.messages.map((msg) => ({
+      ...msg,
+      content: segmentsToPlainText(msg.textSegments),
+    })),
+  };
 }
 
 async function sendMessage(
@@ -626,6 +634,13 @@ export interface RuntimeMessage {
   id: string;
   role: "user" | "assistant";
   content: string;
+  /**
+   * Ordered text segments from the daemon's history payload, split at
+   * tool_use/surface boundaries. The flat `content` body is derived from
+   * these (see `segmentsToPlainText`); the daemon no longer sends a
+   * redundant flattened `content` field on the wire.
+   */
+  textSegments?: string[];
   timestamp: string;
   toolCalls?: ToolCallInfo[];
   label?: string;