@vellumai/vellum-gateway 0.5.5 → 0.5.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/vellum-gateway",
-  "version": "0.5.5",
+  "version": "0.5.6",
   "type": "module",
   "exports": {
     "./twilio/verify": "./src/twilio/verify.ts",

package/src/__tests__/guardian-init-lockfile.test.ts

@@ -80,6 +80,100 @@ afterEach(() => {
   writtenLockFiles = [];
 });
 
+describe("guardian/init bootstrap secret", () => {
+  test("rejects requests without secret when GUARDIAN_BOOTSTRAP_SECRET is set", async () => {
+    process.env.GUARDIAN_BOOTSTRAP_SECRET = "test-secret-abc123";
+    try {
+      const handler = createChannelVerificationSessionProxyHandler(makeConfig());
+      const res = await handler.handleGuardianInit(
+        new Request("http://localhost:7830/v1/guardian/init", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ platform: "cli", deviceId: "test-device" }),
+        }),
+      );
+
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body.error).toBe("Invalid bootstrap secret");
+    } finally {
+      delete process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    }
+  });
+
+  test("rejects requests with wrong secret", async () => {
+    process.env.GUARDIAN_BOOTSTRAP_SECRET = "test-secret-abc123";
+    try {
+      const handler = createChannelVerificationSessionProxyHandler(makeConfig());
+      const res = await handler.handleGuardianInit(
+        new Request("http://localhost:7830/v1/guardian/init", {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "x-bootstrap-secret": "wrong-secret",
+          },
+          body: JSON.stringify({ platform: "cli", deviceId: "test-device" }),
+        }),
+      );
+
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body.error).toBe("Invalid bootstrap secret");
+    } finally {
+      delete process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    }
+  });
+
+  test("accepts requests with correct secret", async () => {
+    process.env.GUARDIAN_BOOTSTRAP_SECRET = "test-secret-abc123";
+    fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({ accessToken: "test-jwt", refreshToken: "test-rt" }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    });
+
+    try {
+      const handler = createChannelVerificationSessionProxyHandler(makeConfig());
+      const res = await handler.handleGuardianInit(
+        new Request("http://localhost:7830/v1/guardian/init", {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "x-bootstrap-secret": "test-secret-abc123",
+          },
+          body: JSON.stringify({ platform: "cli", deviceId: "test-device" }),
+        }),
+      );
+
+      expect(res.status).toBe(200);
+    } finally {
+      delete process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    }
+  });
+
+  test("skips secret check when GUARDIAN_BOOTSTRAP_SECRET is not set", async () => {
+    delete process.env.GUARDIAN_BOOTSTRAP_SECRET;
+    fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({ accessToken: "test-jwt", refreshToken: "test-rt" }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    });
+
+    const handler = createChannelVerificationSessionProxyHandler(makeConfig());
+    const res = await handler.handleGuardianInit(
+      new Request("http://localhost:7830/v1/guardian/init", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ platform: "cli", deviceId: "test-device" }),
+      }),
+    );
+
+    expect(res.status).toBe(200);
+  });
+});
+
 describe("guardian/init one-time-use lockfile", () => {
   test("first call succeeds and creates lock file", async () => {
     fetchMock = mock(async () => {

package/src/__tests__/route-schema-guard.test.ts

@@ -130,6 +130,9 @@ const EXCLUDED_FROM_SCHEMA = new Set([
 
   // Runtime proxy catch-all — documented as /{path} in the schema
   "catch-all",
+
+  // Internal Docker bootstrap endpoint — not a public API
+  "/internal/signing-key-bootstrap",
 ]);
 
 // ── Schema paths that don't map to a discrete route definition ──

package/src/__tests__/signing-key-bootstrap.test.ts

@@ -0,0 +1,143 @@
+import { describe, test, expect, mock, afterEach } from "bun:test";
+import * as actualFs from "node:fs";
+import { randomBytes } from "node:crypto";
+import { join } from "node:path";
+import type { GatewayConfig } from "../config.js";
+
+// Generate a realistic 32-byte signing key for tests.
+const TEST_SIGNING_KEY = randomBytes(32);
+
+// Compute the expected key path so we can intercept reads.
+const TEST_SECURITY_DIR = "/tmp/test-gateway-security";
+const SIGNING_KEY_PATH = join(TEST_SECURITY_DIR, "actor-token-signing-key");
+
+// Track lockfile state.
+let lockFileExists = false;
+let writtenLockFiles: string[] = [];
+
+mock.module("node:fs", () => ({
+  ...actualFs,
+  existsSync: (p: string) => {
+    if (typeof p === "string" && p.endsWith("signing-key-bootstrap.lock")) {
+      return lockFileExists;
+    }
+    return actualFs.existsSync(p);
+  },
+  readFileSync: (p: string, ...args: unknown[]) => {
+    if (p === SIGNING_KEY_PATH) {
+      return Buffer.from(TEST_SIGNING_KEY);
+    }
+    return (actualFs.readFileSync as (...a: unknown[]) => unknown)(p, ...args);
+  },
+  writeFileSync: (
+    p: string,
+    data: string | NodeJS.ArrayBufferView,
+    options?: actualFs.WriteFileOptions,
+  ) => {
+    if (typeof p === "string" && p.endsWith("signing-key-bootstrap.lock")) {
+      writtenLockFiles.push(p);
+      lockFileExists = true;
+      return;
+    }
+    return actualFs.writeFileSync(p, data, options);
+  },
+}));
+
+// Set GATEWAY_SECURITY_DIR so getSigningKeyPath() resolves to our test path.
+process.env.GATEWAY_SECURITY_DIR = TEST_SECURITY_DIR;
+
+const { createSigningKeyBootstrapHandler } = await import(
+  "../http/routes/signing-key-bootstrap.js"
+);
+
+function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
+  return {
+    assistantRuntimeBaseUrl: "http://localhost:7821",
+    routingEntries: [],
+    defaultAssistantId: undefined,
+    unmappedPolicy: "reject",
+    port: 7830,
+    runtimeProxyEnabled: false,
+    runtimeProxyRequireAuth: true,
+    shutdownDrainMs: 5000,
+    runtimeTimeoutMs: 30000,
+    runtimeMaxRetries: 2,
+    runtimeInitialBackoffMs: 500,
+    maxWebhookPayloadBytes: 1048576,
+    logFile: { dir: undefined, retentionDays: 30 },
+    maxAttachmentBytes: {
+      telegram: 50 * 1024 * 1024,
+      slack: 100 * 1024 * 1024,
+      whatsapp: 16 * 1024 * 1024,
+      default: 50 * 1024 * 1024,
+    },
+    maxAttachmentConcurrency: 3,
+    gatewayInternalBaseUrl: "http://127.0.0.1:7830",
+    trustProxy: false,
+    ...overrides,
+  };
+}
+
+afterEach(() => {
+  lockFileExists = false;
+  writtenLockFiles = [];
+});
+
+describe("signing-key-bootstrap endpoint", () => {
+  test("first call returns 200 with hex-encoded 32-byte key", async () => {
+    const handler = createSigningKeyBootstrapHandler(makeConfig());
+    const res = await handler.handleGetSigningKey(
+      new Request("http://localhost:7830/internal/signing-key-bootstrap"),
+    );
+
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { key: string };
+    expect(typeof body.key).toBe("string");
+
+    // Verify the hex decodes to exactly 32 bytes.
+    const decoded = Buffer.from(body.key, "hex");
+    expect(decoded.length).toBe(32);
+
+    // Verify it matches the test key.
+    expect(decoded.equals(TEST_SIGNING_KEY)).toBe(true);
+  });
+
+  test("second call returns 403 'Bootstrap already completed'", async () => {
+    const handler = createSigningKeyBootstrapHandler(makeConfig());
+
+    // First call succeeds.
+    const res1 = await handler.handleGetSigningKey(
+      new Request("http://localhost:7830/internal/signing-key-bootstrap"),
+    );
+    expect(res1.status).toBe(200);
+
+    // Second call rejected.
+    const res2 = await handler.handleGetSigningKey(
+      new Request("http://localhost:7830/internal/signing-key-bootstrap"),
+    );
+    expect(res2.status).toBe(403);
+    const body = (await res2.json()) as { error: string };
+    expect(body.error).toBe("Bootstrap already completed");
+  });
+
+  test("lockfile is written after successful response", async () => {
+    const handler = createSigningKeyBootstrapHandler(makeConfig());
+    await handler.handleGetSigningKey(
+      new Request("http://localhost:7830/internal/signing-key-bootstrap"),
+    );
+
+    expect(writtenLockFiles.length).toBe(1);
+    expect(writtenLockFiles[0]).toContain("signing-key-bootstrap.lock");
+  });
+
+  test("returned hex decodes to exactly 32 bytes", async () => {
+    const handler = createSigningKeyBootstrapHandler(makeConfig());
+    const res = await handler.handleGetSigningKey(
+      new Request("http://localhost:7830/internal/signing-key-bootstrap"),
+    );
+
+    const body = (await res.json()) as { key: string };
+    const decoded = Buffer.from(body.key, "hex");
+    expect(decoded.length).toBe(32);
+  });
+});

package/src/auth/token-service.ts

@@ -32,7 +32,7 @@ const log = getLogger("auth-token-service");
 
 let signingKey: Buffer | null = null;
 
-function getSigningKeyPath(): string {
+export function getSigningKeyPath(): string {
   const securityDir = process.env.GATEWAY_SECURITY_DIR;
   if (securityDir) {
     return join(securityDir, "actor-token-signing-key");

package/src/config-file-watcher.ts

@@ -6,7 +6,7 @@
 import { existsSync, readFileSync, watch, type FSWatcher } from "node:fs";
 import { dirname, join } from "node:path";
 import { getLogger } from "./logger.js";
-import { getRootDir } from "./credential-reader.js";
+import { getWorkspaceDir } from "./credential-reader.js";
 
 const log = getLogger("config-file-watcher");
 
@@ -23,7 +23,7 @@ export type ConfigChangeEvent = {
 export type ConfigChangeCallback = (event: ConfigChangeEvent) => void;
 
 function getConfigPath(): string {
-  return join(getRootDir(), "workspace", CONFIG_FILENAME);
+  return join(getWorkspaceDir(), CONFIG_FILENAME);
 }
 
 function readConfigFile(path: string): Record<string, unknown> {

package/src/feature-flag-registry.json

@@ -25,14 +25,6 @@
       "description": "Show the Contacts tab in Settings for viewing and managing contacts",
       "defaultEnabled": true
     },
-    {
-      "id": "custom-inference-provider",
-      "scope": "macos",
-      "key": "custom_inference_provider_enabled",
-      "label": "Custom Inference Provider",
-      "description": "Allow selecting a specific LLM provider and model for inference in Your Own mode",
-      "defaultEnabled": false
-    },
     {
       "id": "email-channel",
       "scope": "assistant",

package/src/http/routes/channel-verification-session-proxy.ts

@@ -150,6 +150,21 @@ export function createChannelVerificationSessionProxyHandler(
       req: Request,
       clientIp?: string,
     ): Promise<Response> {
+      // When GUARDIAN_BOOTSTRAP_SECRET is set (Docker mode), require the
+      // caller to present the matching secret. This prevents unauthenticated
+      // remote callers from bootstrapping guardian tokens through the gateway.
+      const bootstrapSecret = process.env.GUARDIAN_BOOTSTRAP_SECRET;
+      if (bootstrapSecret) {
+        const provided = req.headers.get("x-bootstrap-secret");
+        if (provided !== bootstrapSecret) {
+          log.warn("Guardian init rejected — invalid or missing bootstrap secret");
+          return Response.json(
+            { error: "Invalid bootstrap secret" },
+            { status: 403 },
+          );
+        }
+      }
+
       const lockDir = process.env.GATEWAY_SECURITY_DIR || getRootDir();
       const lockPath = join(lockDir, "guardian-init.lock");
       if (existsSync(lockPath) || guardianInitInFlight) {

package/src/http/routes/config-file-utils.ts

@@ -7,7 +7,7 @@ import {
 } from "node:fs";
 import { join, dirname } from "node:path";
 import { randomBytes } from "node:crypto";
-import { getRootDir } from "../../credential-reader.js";
+import { getWorkspaceDir } from "../../credential-reader.js";
 
 /**
  * Serializes config writes so concurrent PATCH requests don't race on
@@ -28,7 +28,7 @@ export function enqueueConfigWrite(fn: () => void): void {
 }
 
 export function getConfigPath(): string {
-  return join(getRootDir(), "workspace", "config.json");
+  return join(getWorkspaceDir(), "config.json");
 }
 
 export type ConfigReadResult =

package/src/http/routes/signing-key-bootstrap.ts

@@ -0,0 +1,59 @@
+/**
+ * One-shot endpoint that serves the gateway's actor-token signing key to
+ * the daemon during Docker bootstrap. Protected by a lockfile so the key
+ * can only be read once (across restarts).
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getSigningKeyPath } from "../../auth/token-service.js";
+import type { GatewayConfig } from "../../config.js";
+import { getRootDir } from "../../credential-reader.js";
+import { getLogger } from "../../logger.js";
+
+const log = getLogger("signing-key-bootstrap");
+
+export function createSigningKeyBootstrapHandler(_config: GatewayConfig) {
+  let inFlight = false;
+
+  return {
+    async handleGetSigningKey(_req: Request): Promise<Response> {
+      const lockDir = process.env.GATEWAY_SECURITY_DIR || getRootDir();
+      const lockPath = join(lockDir, "signing-key-bootstrap.lock");
+
+      if (existsSync(lockPath) || inFlight) {
+        log.warn("Signing key bootstrap rejected — already completed");
+        return Response.json(
+          { error: "Bootstrap already completed" },
+          { status: 403 },
+        );
+      }
+
+      inFlight = true;
+      try {
+        const keyPath = getSigningKeyPath();
+        const keyBytes = readFileSync(keyPath);
+
+        const response = Response.json({
+          key: Buffer.from(keyBytes).toString("hex"),
+        });
+
+        try {
+          writeFileSync(lockPath, new Date().toISOString(), { mode: 0o600 });
+        } catch (err) {
+          log.error({ err }, "Failed to write signing-key-bootstrap lock file");
+        }
+
+        return response;
+      } catch (err) {
+        inFlight = false;
+        log.error({ err }, "Failed to read signing key for bootstrap");
+        return Response.json(
+          { error: "Internal server error" },
+          { status: 500 },
+        );
+      }
+    },
+  };
+}

package/src/http/routes/upgrade-broadcast-proxy.ts

@@ -0,0 +1,90 @@
+/**
+ * Gateway proxy for the daemon upgrade-broadcast control-plane endpoint.
+ *
+ * Follows the same forwarding pattern as channel-readiness-proxy.ts:
+ * strips hop-by-hop headers, replaces the client's edge JWT with a
+ * minted service token, and proxies the request to the daemon.
+ */
+
+import { mintServiceToken } from "../../auth/token-exchange.js";
+import type { GatewayConfig } from "../../config.js";
+import { fetchImpl } from "../../fetch.js";
+import { getLogger } from "../../logger.js";
+import { stripHopByHop } from "../../util/strip-hop-by-hop.js";
+
+const log = getLogger("upgrade-broadcast-proxy");
+
+export function createUpgradeBroadcastProxyHandler(config: GatewayConfig) {
+  return async function handleUpgradeBroadcast(
+    req: Request,
+  ): Promise<Response> {
+    const start = performance.now();
+    const bodyBuffer = await req.arrayBuffer();
+
+    const upstream = `${config.assistantRuntimeBaseUrl}/v1/admin/upgrade-broadcast`;
+
+    const reqHeaders = stripHopByHop(new Headers(req.headers));
+    reqHeaders.delete("host");
+    reqHeaders.delete("authorization");
+
+    reqHeaders.set("authorization", `Bearer ${mintServiceToken()}`);
+    reqHeaders.set("content-length", String(bodyBuffer.byteLength));
+
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => {
+      controller.abort(
+        new DOMException(
+          "The operation was aborted due to timeout",
+          "TimeoutError",
+        ),
+      );
+    }, config.runtimeTimeoutMs);
+
+    let response: Response;
+    try {
+      response = await fetchImpl(upstream, {
+        method: "POST",
+        headers: reqHeaders,
+        body: bodyBuffer,
+        signal: controller.signal,
+      });
+      clearTimeout(timeoutId);
+    } catch (err) {
+      clearTimeout(timeoutId);
+      const duration = Math.round(performance.now() - start);
+      if (err instanceof DOMException && err.name === "TimeoutError") {
+        log.error({ duration }, "Upgrade broadcast proxy upstream timed out");
+        return Response.json({ error: "Gateway Timeout" }, { status: 504 });
+      }
+      log.error(
+        { err, duration },
+        "Upgrade broadcast proxy upstream connection failed",
+      );
+      return Response.json({ error: "Bad Gateway" }, { status: 502 });
+    }
+
+    const resHeaders = stripHopByHop(new Headers(response.headers));
+    const duration = Math.round(performance.now() - start);
+
+    if (response.status >= 400) {
+      const body = await response.text();
+      log.warn(
+        { status: response.status, duration },
+        "Upgrade broadcast proxy upstream error",
+      );
+      return new Response(body, {
+        status: response.status,
+        headers: resHeaders,
+      });
+    }
+
+    log.info(
+      { status: response.status, duration },
+      "Upgrade broadcast proxy completed",
+    );
+    return new Response(response.body, {
+      status: response.status,
+      headers: resHeaders,
+    });
+  };
+}

package/src/index.ts

@@ -19,6 +19,7 @@ import {
   CredentialWatcher,
   type CredentialChangeEvent,
 } from "./credential-watcher.js";
+import { createSigningKeyBootstrapHandler } from "./http/routes/signing-key-bootstrap.js";
 import { createRuntimeProxyHandler } from "./http/routes/runtime-proxy.js";
 import {
   createBrowserRelayWebsocketHandler,
@@ -53,6 +54,7 @@ import { createSlackControlPlaneProxyHandler } from "./http/routes/slack-control
 import { createOAuthAppsProxyHandler } from "./http/routes/oauth-apps-proxy.js";
 import { createChannelReadinessProxyHandler } from "./http/routes/channel-readiness-proxy.js";
 import { createRuntimeHealthProxyHandler } from "./http/routes/runtime-health-proxy.js";
+import { createUpgradeBroadcastProxyHandler } from "./http/routes/upgrade-broadcast-proxy.js";
 import { createBrainGraphProxyHandler } from "./http/routes/brain-graph-proxy.js";
 import {
   createTrustRulesListHandler,
@@ -202,6 +204,8 @@ async function main() {
   initSigningKey(signingKey);
   log.info("JWT signing key initialized");
 
+  const signingKeyBootstrap = createSigningKeyBootstrapHandler(config);
+
   // ── TTL caches ──
   // Instantiate caches for credential and config file reads.
   // Handlers read dynamic credentials and config.json values from these
@@ -279,6 +283,7 @@ async function main() {
   const oauthAppsProxy = createOAuthAppsProxyHandler(config);
   const channelReadinessProxy = createChannelReadinessProxyHandler(config);
   const runtimeHealthProxy = createRuntimeHealthProxyHandler(config);
+  const upgradeBroadcastProxy = createUpgradeBroadcastProxyHandler(config);
   const brainGraphProxy = createBrainGraphProxyHandler(config);
   const handleFeatureFlagsGet = createFeatureFlagsGetHandler();
   const handleFeatureFlagsPatch = createFeatureFlagsPatchHandler();
@@ -528,6 +533,14 @@ async function main() {
         contactsControlPlaneProxy.handleGetContact(req, params[0]),
     },
 
+    // ── Signing key bootstrap (one-shot, lockfile-protected) ──
+    {
+      path: "/internal/signing-key-bootstrap",
+      method: "GET",
+      auth: "none",
+      handler: (req) => signingKeyBootstrap.handleGetSigningKey(req),
+    },
+
     // ── Channel verification sessions ──
     {
       // Bootstrap endpoint — may be replaced with an SSH-based exchange in the
@@ -707,6 +720,14 @@ async function main() {
       handler: (req, params) => oauthAppsProxy.handleConnect(req, params[0]),
     },
 
+    // ── Upgrade broadcast ──
+    {
+      path: "/v1/admin/upgrade-broadcast",
+      method: "POST",
+      auth: "edge",
+      handler: (req) => upgradeBroadcastProxy(req),
+    },
+
     // ── Channel readiness ──
     {
       path: "/v1/channels/readiness",
@@ -884,6 +905,9 @@ async function main() {
   const server = Bun.serve({
     port: config.port,
     idleTimeout: 0,
+    // Match the daemon's 512 MB limit (assistant/src/runtime/http-server.ts)
+    // so large .vbundle imports proxied through the gateway aren't rejected.
+    maxRequestBodySize: 512 * 1024 * 1024,
     websocket: {
       open(ws) {
         if (isBrowserRelaySocketData(ws.data)) {

package/src/schema.ts

@@ -1643,7 +1643,9 @@ export function buildSchema(): Record<string, unknown> {
                 },
               },
             },
-            "400": { description: "Missing or invalid provider_key query parameter" },
+            "400": {
+              description: "Missing or invalid provider_key query parameter",
+            },
             "401": {
               description: "Unauthorized — missing or invalid bearer token",
             },
@@ -2525,6 +2527,31 @@ export function buildSchema(): Record<string, unknown> {
           },
         },
       },
+      "/v1/admin/upgrade-broadcast": {
+        post: {
+          summary: "Broadcast upgrade to connected clients",
+          description:
+            "Internal control-plane endpoint that proxies an upgrade-broadcast request to the assistant daemon. Authenticated with an edge JWT. The daemon notifies all connected clients that a new version is available.",
+          operationId: "upgradeBroadcast",
+          security: [{ BearerAuth: [] }],
+          requestBody: {
+            required: false,
+            content: {
+              "application/json": {
+                schema: { type: "object", additionalProperties: true },
+              },
+            },
+          },
+          responses: {
+            "200": { description: "Broadcast sent successfully" },
+            "401": {
+              description: "Unauthorized — missing or invalid bearer token",
+            },
+            "502": { description: "Failed to reach assistant daemon" },
+            "504": { description: "Assistant daemon request timed out" },
+          },
+        },
+      },
       "/{path}": {
         get: {
           summary: "Runtime proxy",