build(macos): bundle credential-executor binary into Velissa.app#26008
Without this, CES is non-functional in the packaged macOS app: the daemon searches for credential-executor at ~/.vellum/workspace/bin/ (not installed) and falls back to source at <monorepoRoot>/credential-executor/src/main.ts, which doesn't resolve because import.meta.dir in a Bun-compiled binary is virtualized. Every credential read then fails over to the encrypted file store and provider-credential lookups (e.g. Deepgram for STT) return undefined.

- build.sh: compile credential-executor alongside vellum-daemon / vellum-cli / vellum-gateway and copy to Contents/MacOS/, with matching clean, staleness, signing, and notarize-exclusion entries.
- release.yml: add CES to the inline x64 prebuild + cleanup paths.
- executable-discovery.ts: search dirname(process.execPath) first so the packaged app locates its own CES; dev runs via `bun run` fall through since process.execPath points at the bun binary.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7623117ad6
| function getLocalBinarySearchPaths(): string[] { | ||
| return [join(getBinDir(), "credential-executor")]; | ||
| return [ | ||
| join(dirname(process.execPath), "credential-executor"), |
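Review bot: the new first entry `join(dirname(process.execPath), "credential-executor")` is returned unconditionally, so a process started with a plain `bun run` will search the directory that contains the bun binary before ~/.vellum/workspace/bin and will prefer any file of that name found there. Gate the sibling entry on the process verifiably being one of the bundled executables (for example, only when dirname(process.execPath) ends in Contents/MacOS and basename(process.execPath) is one of the shipped binary names) and keep the `join(getBinDir(), "credential-executor")` entry as the fallback; the visible hunk removes that line without showing where it is re-added.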
Gate sibling executable lookup to packaged app paths
discoverLocalCes() now always checks join(dirname(process.execPath), "credential-executor") first. Outside the packaged app, process.execPath points to the Bun/Node install directory (for example ~/.bun/bin or /usr/bin), so any unrelated file named credential-executor there will be preferred over ~/.vellum/workspace/bin. In that scenario the daemon can spawn the wrong executable (or untrusted code) and credential operations fail unpredictably; this lookup should be limited to verified app-bundle paths (or verified daemon executable names) before using the sibling binary.
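One way to apply the gate the review asks for, as an added example (not the project's own code): the search-path builder takes `execPath` and `binDir` as parameters so it can be exercised offline, and only adds the sibling entry when the process looks like a binary shipped inside the app bundle. The `<Name>.app/Contents/MacOS` layout check and the allowlist of host executable names (taken from the PR description) are assumptions.

```typescript
import { basename, dirname, join } from "node:path";

// Executables the packaged Velissa.app ships in Contents/MacOS (per the PR
// description). Only these are allowed to trigger the sibling lookup.
const BUNDLED_HOSTS = new Set(["vellum-daemon", "vellum-cli", "vellum-gateway"]);
const CES_NAME = "credential-executor";

/**
 * True when `execPath` looks like a binary running from inside a macOS app
 * bundle: its parent directory must be `<Something>.app/Contents/MacOS` and
 * its own name must be one of the bundled hosts. A bare `bun` or `node` in
 * ~/.bun/bin or /usr/bin fails both checks, as does a look-alike directory
 * such as /tmp/Contents/MacOS that is not under a `.app` bundle.
 */
export function isPackagedAppExecutable(execPath: string): boolean {
  const parts = dirname(execPath).split("/");
  const n = parts.length;
  const inContentsMacOS =
    n >= 3 &&
    parts[n - 1] === "MacOS" &&
    parts[n - 2] === "Contents" &&
    parts[n - 3].endsWith(".app");
  return inContentsMacOS && BUNDLED_HOSTS.has(basename(execPath));
}

/**
 * Search order for the CES binary. The sibling path is only consulted when
 * the current process is verifiably one of the bundled executables; in every
 * other case the workspace bin dir (the pre-PR behaviour) is the only entry,
 * so an unrelated `credential-executor` next to the bun binary is never run.
 */
export function getLocalBinarySearchPaths(execPath: string, binDir: string): string[] {
  const paths: string[] = [];
  if (isPackagedAppExecutable(execPath)) {
    paths.push(join(dirname(execPath), CES_NAME));
  }
  paths.push(join(binDir, CES_NAME));
  return paths;
}
```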
…uts (#26009)

- Dismiss Meet's media-permission modal before the prejoin wait, and race the name-input / Join-now / Ask-to-join selectors so signed-in flows that skip the name field no longer 30s-out.
- On prejoin failure dump HTML + page title + screenshot to /out so operators can see what Meet actually served.
- Chrome hardening in the bot image: --disable-gpu, breakpad and background-networking disabled to reduce container crash surface.
- Docker runner sets ShmSize: 2 GiB so Chromium doesn't exhaust the default 64 MiB /dev/shm under Meet's heavy JS.
- Bump BOT_CONNECT_TIMEOUT_MS 30s -> 120s so the daemon's audio-socket wait covers the bot's worst-case admission path (MEETING_ROOM_TIMEOUT_MS is 90s on its own).
- Gitignore clients/macos/ces-bin/ to match the sibling bin-dir pattern introduced by #26008.
Addressed in #26266 — sibling executable lookup now gated to
Summary
- Bundle `credential-executor` as part of the macOS `build.sh` and release workflow so it ships at `Contents/MacOS/credential-executor` alongside the other Bun-compiled binaries. Without this, CES is non-functional in the packaged app — every credential read falls through to the encrypted store and provider-credential lookups (Deepgram, etc.) fail.
- Update `getLocalBinarySearchPaths()` in `executable-discovery.ts` to check `dirname(process.execPath)` before `~/.vellum/workspace/bin/`, so the packaged app locates its own CES without a separate install. Dev runs via `bun run` fall through since `process.execPath` points at the bun binary itself.

Original prompt
Add a CES compile step to clients/macos/build.sh so the credential-executor binary is built and bundled into Velissa.app alongside vellum-daemon, vellum-cli, vellum-gateway. Follow the existing pattern (ces-bin/ dir + build_bun_binary + copy to Contents/MacOS/). Also update executable-discovery.ts getLocalBinarySearchPaths() to check the Velissa.app Contents/MacOS dir (alongside the bundled daemon binary) as a fallback before the workspace/bin path, so the packaged app works without needing the user to manually install the binary to ~/.vellum/workspace/bin/. Context: without this, CES is completely non-functional in the packaged macOS app — every credential read falls back to the encrypted file store and provider-credential lookups (e.g. Deepgram for STT) fail.