@ouro.bot/cli 0.1.0-alpha.15 → 0.1.0-alpha.16

package/dist/heart/config.js

@@ -41,8 +41,10 @@ exports.getMinimaxConfig = getMinimaxConfig;
 exports.getAnthropicConfig = getAnthropicConfig;
 exports.getOpenAICodexConfig = getOpenAICodexConfig;
 exports.getTeamsConfig = getTeamsConfig;
+exports.getTeamsSecondaryConfig = getTeamsSecondaryConfig;
 exports.getContextConfig = getContextConfig;
 exports.getOAuthConfig = getOAuthConfig;
+exports.resolveOAuthForTenant = resolveOAuthForTenant;
 exports.getTeamsChannelConfig = getTeamsChannelConfig;
 exports.getBlueBubblesConfig = getBlueBubblesConfig;
 exports.getBlueBubblesChannelConfig = getBlueBubblesChannelConfig;
@@ -84,12 +86,19 @@ const DEFAULT_SECRETS_TEMPLATE = {
         clientId: "",
         clientSecret: "",
         tenantId: "",
+        managedIdentityClientId: "",
     },
     oauth: {
         graphConnectionName: "graph",
         adoConnectionName: "ado",
         githubConnectionName: "",
     },
+    teamsSecondary: {
+        clientId: "",
+        clientSecret: "",
+        tenantId: "",
+        managedIdentityClientId: "",
+    },
     teamsChannel: {
         skipConfirmation: true,
         port: 3978,
@@ -118,6 +127,7 @@ function defaultRuntimeConfig() {
             "openai-codex": { ...DEFAULT_SECRETS_TEMPLATE.providers["openai-codex"] },
         },
         teams: { ...DEFAULT_SECRETS_TEMPLATE.teams },
+        teamsSecondary: { ...DEFAULT_SECRETS_TEMPLATE.teamsSecondary },
         oauth: { ...DEFAULT_SECRETS_TEMPLATE.oauth },
         context: { ...identity_1.DEFAULT_AGENT_CONTEXT },
         teamsChannel: { ...DEFAULT_SECRETS_TEMPLATE.teamsChannel },
@@ -262,6 +272,10 @@ function getTeamsConfig() {
     const config = loadConfig();
     return { ...config.teams };
 }
+function getTeamsSecondaryConfig() {
+    const config = loadConfig();
+    return { ...config.teamsSecondary };
+}
 function getContextConfig() {
     if (_testContextOverride) {
         return { ..._testContextOverride };
@@ -282,6 +296,16 @@ function getOAuthConfig() {
     const config = loadConfig();
     return { ...config.oauth };
 }
+/** Resolve OAuth connection names for a specific tenant, falling back to defaults. */
+function resolveOAuthForTenant(tenantId) {
+    const base = getOAuthConfig();
+    const overrides = tenantId ? base.tenantOverrides?.[tenantId] : undefined;
+    return {
+        graphConnectionName: overrides?.graphConnectionName ?? base.graphConnectionName,
+        adoConnectionName: overrides?.adoConnectionName ?? base.adoConnectionName,
+        githubConnectionName: overrides?.githubConnectionName ?? base.githubConnectionName,
+    };
+}
 function getTeamsChannelConfig() {
     const config = loadConfig();
     const { skipConfirmation, flushIntervalMs, port } = config.teamsChannel;
@@ -321,7 +345,11 @@ function sanitizeKey(key) {
     return key.replace(/[/:]/g, "_");
 }
 function sessionPath(friendId, channel, key) {
-    const dir = path.join(os.homedir(), ".agentstate", (0, identity_1.getAgentName)(), "sessions", friendId, channel);
+    // On Azure App Service, os.homedir() returns /root which is ephemeral.
+    // Use /home (persistent storage) when WEBSITE_SITE_NAME is set.
+    /* v8 ignore next -- Azure vs local path branch; environment-specific @preserve */
+    const homeBase = process.env.WEBSITE_SITE_NAME ? "/home" : os.homedir();
+    const dir = path.join(homeBase, ".agentstate", (0, identity_1.getAgentName)(), "sessions", friendId, channel);
     fs.mkdirSync(dir, { recursive: true });
     return path.join(dir, sanitizeKey(key) + ".json");
 }

package/dist/heart/core.js

@@ -8,6 +8,7 @@ exports.getProvider = getProvider;
 exports.createSummarize = createSummarize;
 exports.getProviderDisplayLabel = getProviderDisplayLabel;
 exports.stripLastToolCalls = stripLastToolCalls;
+exports.repairOrphanedToolCalls = repairOrphanedToolCalls;
 exports.isTransientError = isTransientError;
 exports.classifyTransientError = classifyTransientError;
 exports.runAgent = runAgent;
@@ -160,6 +161,68 @@ function stripLastToolCalls(messages) {
         }
     }
 }
+// Roles that end a tool-result scan. When scanning forward from an assistant
+// message, stop at the next assistant or user message (tool results must be
+// adjacent to their originating assistant message).
+const TOOL_SCAN_BOUNDARY_ROLES = new Set(["assistant", "user"]);
+// Repair orphaned tool_calls and tool results anywhere in the message history.
+// 1. If an assistant message has tool_calls but missing tool results, inject synthetic error results.
+// 2. If a tool result's tool_call_id doesn't match any tool_calls in a preceding assistant message, remove it.
+// This prevents 400 errors from the API after an aborted turn.
+function repairOrphanedToolCalls(messages) {
+    // Pass 1: collect all valid tool_call IDs from assistant messages
+    const validCallIds = new Set();
+    for (const msg of messages) {
+        if (msg.role === "assistant") {
+            const asst = msg;
+            if (asst.tool_calls) {
+                for (const tc of asst.tool_calls)
+                    validCallIds.add(tc.id);
+            }
+        }
+    }
+    // Pass 2: remove orphaned tool results (tool_call_id not in any assistant's tool_calls)
+    for (let i = messages.length - 1; i >= 0; i--) {
+        if (messages[i].role === "tool") {
+            const toolMsg = messages[i];
+            if (!validCallIds.has(toolMsg.tool_call_id)) {
+                messages.splice(i, 1);
+            }
+        }
+    }
+    // Pass 3: inject synthetic results for tool_calls missing their tool results
+    for (let i = 0; i < messages.length; i++) {
+        const msg = messages[i];
+        if (msg.role !== "assistant")
+            continue;
+        const asst = msg;
+        if (!asst.tool_calls || asst.tool_calls.length === 0)
+            continue;
+        // Collect tool result IDs that follow this assistant message
+        const resultIds = new Set();
+        for (let j = i + 1; j < messages.length; j++) {
+            const following = messages[j];
+            if (following.role === "tool") {
+                resultIds.add(following.tool_call_id);
+            }
+            else if (TOOL_SCAN_BOUNDARY_ROLES.has(following.role)) {
+                break;
+            }
+        }
+        const missing = asst.tool_calls.filter((tc) => !resultIds.has(tc.id));
+        if (missing.length > 0) {
+            const syntheticResults = missing.map((tc) => ({
+                role: "tool",
+                tool_call_id: tc.id,
+                content: "error: tool call was interrupted (previous turn timed out or was aborted)",
+            }));
+            let insertAt = i + 1;
+            while (insertAt < messages.length && messages[insertAt].role === "tool")
+                insertAt++;
+            messages.splice(insertAt, 0, ...syntheticResults);
+        }
+    }
+}
 // Detect context overflow errors from Azure or MiniMax
 function isContextOverflow(err) {
     if (!(err instanceof Error))

package/dist/heart/daemon/daemon-cli.js

@@ -571,7 +571,8 @@ function defaultListDiscoveredAgents() {
     return discovered.sort((left, right) => left.localeCompare(right));
 }
 async function defaultLinkFriendIdentity(command) {
-    const friendStore = new store_file_1.FileFriendStore(path.join((0, identity_1.getAgentBundlesRoot)(), `${command.agent}.ouro`, "friends"));
+    const fp = path.join((0, identity_1.getAgentBundlesRoot)(), `${command.agent}.ouro`, "friends");
+    const friendStore = new store_file_1.FileFriendStore(fp);
     const current = await friendStore.get(command.friendId);
     if (!current) {
         return `friend not found: ${command.friendId}`;

package/dist/repertoire/ado-client.js

@@ -28,8 +28,10 @@ function resolveContentType(method, path) {
         : "application/json";
 }
 // Generic ADO API request. Returns response body as pretty-printed JSON string.
-async function adoRequest(token, method, org, path, body) {
+// `host` overrides the base URL for non-standard APIs (e.g. "vsapm.dev.azure.com", "vssps.dev.azure.com").
+async function adoRequest(token, method, org, path, body, host) {
     try {
+        const base = host ? `https://${host}/${org}` : `${ADO_BASE}/${org}`;
         (0, runtime_1.emitNervesEvent)({
             event: "client.request_start",
             component: "clients",
@@ -37,7 +39,7 @@ async function adoRequest(token, method, org, path, body) {
             meta: { client: "ado", method, org, path },
         });
         const fullPath = ensureApiVersion(path);
-        const url = `${ADO_BASE}/${org}${fullPath}`;
+        const url = `${base}${fullPath}`;
         const contentType = resolveContentType(method, path);
         const opts = {
             method,

package/dist/repertoire/data/ado-endpoints.json

@@ -35,6 +35,12 @@
         "description": "Delete a work item (moves to recycle bin)",
         "params": "destroy (boolean, permanently delete)"
     },
+    {
+        "path": "/{project}/_apis/wit/workitemtypes",
+        "method": "GET",
+        "description": "List all work item types available in a project (Bug, Task, Epic, User Story, etc.)",
+        "params": ""
+    },
     {
         "path": "/_apis/git/repositories",
         "method": "GET",
@@ -118,5 +124,187 @@
         "method": "GET",
         "description": "List saved work item queries (shared and personal)",
         "params": "$depth, $expand"
+    },
+    {
+        "path": "/_apis/groupentitlements?api-version=7.1",
+        "method": "GET",
+        "host": "vsaex.dev.azure.com",
+        "description": "List group entitlements (group rules that auto-assign licenses). Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/groupentitlements?api-version=7.1",
+        "method": "POST",
+        "host": "vsaex.dev.azure.com",
+        "description": "Create a group entitlement rule — maps an AAD group to an access level (e.g. Basic) and project membership. All members of the AAD group automatically get the specified license. Use host vsaex.dev.azure.com. This is the best way to bulk-provision users.",
+        "params": "body: { group: { origin: 'aad', originId: '<AAD-group-object-id>', subjectKind: 'group' }, licenseRule: { licensingSource: 'account', accountLicenseType: 'express', licenseDisplayName: 'Basic' }, projectEntitlements: [{ group: { groupType: 'projectContributor' }, projectRef: { id: '<project-id>' } }] }"
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "GET",
+        "host": "vsaex.dev.azure.com",
+        "description": "Get a specific group entitlement by ID. Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "PATCH",
+        "host": "vsaex.dev.azure.com",
+        "description": "Update a group entitlement (change license rule, project access). Use host vsaex.dev.azure.com.",
+        "params": "JSON Patch array: [{op, path, value}]"
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "DELETE",
+        "host": "vsaex.dev.azure.com",
+        "description": "Delete a group entitlement rule. Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements?api-version=7.1-preview.3",
+        "method": "GET",
+        "host": "vsapm.dev.azure.com",
+        "description": "List individual member entitlements (users and their access levels). Use host vsapm.dev.azure.com. For bulk provisioning, prefer the Group Entitlements API on vsaex.dev.azure.com instead.",
+        "params": "$top, $skip, $filter, $orderBy, $select"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements?api-version=7.1-preview.3",
+        "method": "POST",
+        "host": "vsapm.dev.azure.com",
+        "description": "Add a single member entitlement. Use host vsapm.dev.azure.com. For bulk provisioning, prefer the Group Entitlements API on vsaex.dev.azure.com instead.",
+        "params": "body: { accessLevel: { accountLicenseType: 'express'|'stakeholder', licensingSource: 'account' }, user: { principalName: 'user@domain.com', subjectKind: 'user' }, projectEntitlements: [{ group: { groupType: 'projectContributor' }, projectRef: { id: projectId } }] }"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements/{memberId}?api-version=7.1-preview.3",
+        "method": "PATCH",
+        "host": "vsapm.dev.azure.com",
+        "description": "Update a member entitlement (change access level, project access). Use host vsapm.dev.azure.com.",
+        "params": "JSON Patch array: [{op, path, value}]"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements/{memberId}?api-version=7.1-preview.3",
+        "method": "DELETE",
+        "host": "vsapm.dev.azure.com",
+        "description": "Remove a member entitlement (revoke user access). Use host vsapm.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/graph/users?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List users in the organization (Graph API). Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "subjectTypes (aad, msa, etc.), continuationToken"
+    },
+    {
+        "path": "/_apis/graph/groups?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List groups in the organization. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "subjectTypes, continuationToken"
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List group memberships for a user or group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "direction (up = groups user belongs to, down = members of group)"
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}/{containerDescriptor}?api-version=7.1-preview.1",
+        "method": "PUT",
+        "host": "vssps.dev.azure.com",
+        "description": "Add a user to a group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}/{containerDescriptor}?api-version=7.1-preview.1",
+        "method": "DELETE",
+        "host": "vssps.dev.azure.com",
+        "description": "Remove a user from a group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams",
+        "method": "GET",
+        "description": "List teams in a project",
+        "params": "$top, $skip"
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams/{teamId}",
+        "method": "GET",
+        "description": "Get a specific team by ID",
+        "params": ""
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams",
+        "method": "POST",
+        "description": "Create a new team in a project",
+        "params": "name, description"
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams/{teamId}/members",
+        "method": "GET",
+        "description": "List members of a team",
+        "params": "$top, $skip"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations",
+        "method": "GET",
+        "description": "List iterations (sprints) for a team",
+        "params": "$timeframe (current, past, future)"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations",
+        "method": "POST",
+        "description": "Add an iteration to a team's sprint schedule",
+        "params": "id (iteration node ID)"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations/{iterationId}",
+        "method": "DELETE",
+        "description": "Remove an iteration from a team's sprint schedule",
+        "params": ""
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/iterations",
+        "method": "GET",
+        "description": "List iteration path tree (project-level iteration nodes)",
+        "params": "$depth"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/iterations",
+        "method": "POST",
+        "description": "Create a new iteration node (sprint)",
+        "params": "name, attributes: { startDate, finishDate }"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/areas",
+        "method": "GET",
+        "description": "List area path tree (project-level area nodes)",
+        "params": "$depth"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/areas",
+        "method": "POST",
+        "description": "Create a new area path node",
+        "params": "name"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/{structureGroup}/{path}",
+        "method": "DELETE",
+        "description": "Delete a classification node (area or iteration). structureGroup is 'areas' or 'iterations'.",
+        "params": "$reclassifyId (move items to this node before deleting)"
+    },
+    {
+        "path": "/_apis/hooks/subscriptions",
+        "method": "GET",
+        "description": "List service hook subscriptions (webhooks for events)",
+        "params": ""
+    },
+    {
+        "path": "/_apis/hooks/subscriptions",
+        "method": "POST",
+        "description": "Create a service hook subscription (webhook)",
+        "params": "publisherId, eventType, consumerId, consumerActionId, publisherInputs, consumerInputs"
     }
 ]

package/dist/repertoire/tools-teams.js

@@ -82,7 +82,7 @@ exports.teamsToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_query",
-                description: "GET or POST (for WIQL read queries) any Azure DevOps API endpoint. Use ado_docs first to look up the correct path.",
+                description: "GET or POST (for WIQL read queries) any Azure DevOps API endpoint. Use ado_docs first to look up the correct path and host.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -90,6 +90,7 @@ exports.teamsToolDefinitions = [
                         path: { type: "string", description: "ADO API path after /{org}, e.g. /_apis/wit/wiql" },
                         method: { type: "string", enum: ["GET", "POST"], description: "HTTP method (defaults to GET)" },
                         body: { type: "string", description: "JSON request body (optional, used with POST for WIQL)" },
+                        host: { type: "string", description: "API host override for non-standard APIs (e.g. 'vsapm.dev.azure.com' for entitlements, 'vssps.dev.azure.com' for users). Omit for standard dev.azure.com." },
                     },
                     required: ["organization", "path"],
                 },
@@ -100,7 +101,7 @@ exports.teamsToolDefinitions = [
                 return "AUTH_REQUIRED:ado -- I need access to Azure DevOps. Please sign in when prompted.";
             }
             const method = args.method || "GET";
-            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, method, args.organization, args.path, args.body);
+            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, method, args.organization, args.path, args.body, args.host);
             checkAndRecord403(result, "ado", args.organization, method, ctx);
             return result;
         },
@@ -111,7 +112,7 @@ exports.teamsToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_mutate",
-                description: "POST/PATCH/DELETE any Azure DevOps API endpoint for actual mutations. Use ado_docs first to look up the correct path.",
+                description: "POST/PATCH/DELETE any Azure DevOps API endpoint for actual mutations. Use ado_docs first to look up the correct path and host.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -119,6 +120,7 @@ exports.teamsToolDefinitions = [
                         organization: { type: "string", description: "Azure DevOps organization name" },
                         path: { type: "string", description: "ADO API path after /{org}" },
                         body: { type: "string", description: "JSON request body (optional)" },
+                        host: { type: "string", description: "API host override for non-standard APIs (e.g. 'vsapm.dev.azure.com' for entitlements, 'vssps.dev.azure.com' for users). Omit for standard dev.azure.com." },
                     },
                     required: ["method", "organization", "path"],
                 },
@@ -133,7 +135,7 @@ exports.teamsToolDefinitions = [
             }
             /* v8 ignore next -- fallback unreachable: method is validated against MUTATE_METHODS above @preserve */
             const action = METHOD_TO_ACTION[args.method] || args.method;
-            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, args.method, args.organization, args.path, args.body);
+            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, args.method, args.organization, args.path, args.body, args.host);
             checkAndRecord403(result, "ado", args.organization, action, ctx);
             return result;
         },
@@ -201,6 +203,53 @@ exports.teamsToolDefinitions = [
         },
         integration: "ado",
     },
+    // -- Proactive messaging --
+    {
+        tool: {
+            type: "function",
+            function: {
+                name: "teams_send_message",
+                description: "send a proactive 1:1 Teams message to a user. requires their AAD object ID (use graph_query /users to find it). the message appears as coming from the bot.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        user_id: { type: "string", description: "AAD object ID of the user to message" },
+                        user_name: { type: "string", description: "display name of the user (for logging)" },
+                        message: { type: "string", description: "message text to send" },
+                        tenant_id: { type: "string", description: "tenant ID (optional, defaults to current conversation tenant)" },
+                    },
+                    required: ["user_id", "message"],
+                },
+            },
+        },
+        /* v8 ignore start -- proactive messaging requires live Teams SDK conversation client @preserve */
+        handler: async (args, ctx) => {
+            if (!ctx?.botApi) {
+                return "proactive messaging is not available -- no bot API context (this tool only works in the Teams channel)";
+            }
+            try {
+                const tenantId = args.tenant_id || ctx.tenantId;
+                // Cast to the SDK's ConversationClient shape (kept as `unknown` in ToolContext to avoid type coupling)
+                const conversations = ctx.botApi.conversations;
+                const conversation = await conversations.create({
+                    bot: { id: ctx.botApi.id },
+                    members: [{ id: args.user_id, role: "user", name: args.user_name || args.user_id }],
+                    tenantId,
+                    isGroup: false,
+                });
+                await conversations.activities(conversation.id).create({
+                    type: "message",
+                    text: args.message,
+                });
+                return `message sent to ${args.user_name || args.user_id}`;
+            }
+            catch (e) {
+                return `failed to send proactive message: ${e instanceof Error ? e.message : String(e)}`;
+            }
+        },
+        /* v8 ignore stop */
+        confirmationRequired: true,
+    },
     // -- Documentation tools --
     {
         tool: {
@@ -268,6 +317,8 @@ function searchEndpoints(entries, query) {
             `  ${e.description}`,
             `  Params: ${e.params || "none"}`,
         ];
+        if (e.host)
+            lines.push(`  Host: ${e.host}`);
         if (e.scopes)
             lines.push(`  Scopes: ${e.scopes}`);
         return lines.join("\n");
@@ -304,5 +355,7 @@ function summarizeTeamsArgs(name, args) {
         return summarizeKeyValues(["query"]);
     if (name === "ado_docs")
         return summarizeKeyValues(["query"]);
+    if (name === "teams_send_message")
+        return summarizeKeyValues(["user_name", "user_id"]);
     return undefined;
 }

package/dist/repertoire/tools.js

@@ -45,7 +45,9 @@ function getToolsForChannel(capabilities, toolPreferences) {
         return baseTools;
     }
     const available = new Set(capabilities.availableIntegrations);
-    const integrationDefs = [...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions].filter((d) => d.integration && available.has(d.integration));
+    const channelDefs = [...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions];
+    // Include tools whose integration is available, plus channel tools with no integration gate (e.g. teams_send_message)
+    const integrationDefs = channelDefs.filter((d) => d.integration ? available.has(d.integration) : capabilities.channel === "teams");
     if (!toolPreferences || Object.keys(toolPreferences).length === 0) {
         return [...baseTools, ...integrationDefs.map((d) => d.tool)];
     }
@@ -195,5 +197,13 @@ function summarizeArgs(name, args) {
     }
     if (name === "ado_backlog_list")
         return summarizeKeyValues(args, ["organization", "project"]);
+    if (name === "ado_batch_update")
+        return summarizeKeyValues(args, ["organization", "project"]);
+    if (name === "ado_create_epic" || name === "ado_create_issue")
+        return summarizeKeyValues(args, ["organization", "project", "title"]);
+    if (name === "ado_move_items")
+        return summarizeKeyValues(args, ["organization", "project", "workItemIds"]);
+    if (name === "ado_restructure_backlog")
+        return summarizeKeyValues(args, ["organization", "project"]);
     return summarizeUnknownArgs(args);
 }

package/dist/senses/teams.js

@@ -44,6 +44,8 @@ exports.startTeamsApp = startTeamsApp;
 const teams_apps_1 = require("@microsoft/teams.apps");
 const teams_dev_1 = require("@microsoft/teams.dev");
 const core_1 = require("../heart/core");
+const tools_1 = require("../repertoire/tools");
+const channel_1 = require("../mind/friends/channel");
 const config_1 = require("../heart/config");
 const prompt_1 = require("../mind/prompt");
 const phrases_1 = require("../mind/phrases");
@@ -58,6 +60,7 @@ const resolver_1 = require("../mind/friends/resolver");
 const tokens_1 = require("../mind/friends/tokens");
 const turn_coordinator_1 = require("../heart/turn-coordinator");
 const identity_1 = require("../heart/identity");
+const http = __importStar(require("http"));
 const path = __importStar(require("path"));
 const trust_gate_1 = require("./trust-gate");
 // Strip @mention markup from incoming messages.
@@ -317,7 +320,14 @@ function createTeamsCallbacks(stream, controller, sendMessage, options) {
         onToolStart: (name, args) => {
             stopPhraseRotation();
             flushTextBuffer();
-            const argSummary = Object.values(args).join(", ");
+            // Emit a placeholder to satisfy the 15s Copilot timeout for initial
+            // stream.emit(). Without this, long tool chains (e.g. ADO batch ops)
+            // never emit before the timeout and the user sees "this response was
+            // stopped". The placeholder is replaced by actual content on next emit.
+            // https://learn.microsoft.com/en-us/answers/questions/2288017/m365-custom-engine-agents-timeout-message-after-15
+            if (!streamHasContent)
+                safeEmit("⏳");
+            const argSummary = (0, tools_1.summarizeArgs)(name, args) || Object.keys(args).join(", ");
             safeUpdate(`running ${name} (${argSummary})...`);
             hadToolRun = true;
         },
@@ -421,7 +431,12 @@ async function withConversationLock(convId, fn) {
 // Create a fresh friend store per request so mkdirSync re-runs if directories
 // are deleted while the process is alive.
 function getFriendStore() {
-    const friendsPath = path.join((0, identity_1.getAgentRoot)(), "friends");
+    // On Azure App Service, os.homedir() returns /root which is ephemeral.
+    // Use /home/.agentstate/ (persistent) when WEBSITE_SITE_NAME is set.
+    /* v8 ignore next 3 -- Azure vs local path branch; environment-specific @preserve */
+    const friendsPath = process.env.WEBSITE_SITE_NAME
+        ? path.join("/home", ".agentstate", (0, identity_1.getAgentName)(), "friends")
+        : path.join((0, identity_1.getAgentRoot)(), "friends");
     return new store_file_1.FileFriendStore(friendsPath);
 }
 // Handle an incoming Teams message
@@ -445,6 +460,8 @@ async function handleTeamsMessage(text, stream, conversationId, teamsContext, se
         signin: teamsContext.signin,
         friendStore: store,
         summarize: (0, core_1.createSummarize)(),
+        tenantId: teamsContext.tenantId,
+        botApi: teamsContext.botApi,
     } : undefined;
     if (toolContext) {
         const resolver = new resolver_1.FriendResolver(store, {
@@ -497,6 +514,8 @@ async function handleTeamsMessage(text, stream, conversationId, teamsContext, se
     const messages = existing?.messages && existing.messages.length > 0
         ? existing.messages
         : [{ role: "system", content: await (0, prompt_1.buildSystem)("teams", undefined, toolContext?.context) }];
+    // Repair any orphaned tool calls from a previous aborted turn
+    (0, core_1.repairOrphanedToolCalls)(messages);
     // Push user message
     messages.push({ role: "user", content: text });
     // Run agent
@@ -518,12 +537,12 @@ async function handleTeamsMessage(text, stream, conversationId, teamsContext, se
     // This must happen after the stream is done so the OAuth card renders properly.
     if (teamsContext) {
         const allContent = messages.map(m => typeof m.content === "string" ? m.content : "").join("\n");
-        if (allContent.includes("AUTH_REQUIRED:graph"))
-            await teamsContext.signin("graph");
-        if (allContent.includes("AUTH_REQUIRED:ado"))
-            await teamsContext.signin("ado");
-        if (allContent.includes("AUTH_REQUIRED:github"))
-            await teamsContext.signin("github");
+        if (allContent.includes("AUTH_REQUIRED:graph") && teamsContext.graphConnectionName)
+            await teamsContext.signin(teamsContext.graphConnectionName);
+        if (allContent.includes("AUTH_REQUIRED:ado") && teamsContext.adoConnectionName)
+            await teamsContext.signin(teamsContext.adoConnectionName);
+        if (allContent.includes("AUTH_REQUIRED:github") && teamsContext.githubConnectionName)
+            await teamsContext.signin(teamsContext.githubConnectionName);
     }
     // Trim context and save session
     (0, context_1.postTurn)(messages, sessPath, result.usage);
@@ -533,49 +552,85 @@ async function handleTeamsMessage(text, stream, conversationId, teamsContext, se
     }
     // SDK auto-closes the stream after our handler returns (app.process.js)
 }
-// Start the Teams app in DevtoolsPlugin mode (local dev) or Bot Service mode (real Teams).
-// Mode is determined by getTeamsConfig().clientId.
-// Text is always accumulated in textBuffer and flushed periodically (chunked streaming).
-function startTeamsApp() {
+// Internal port for the secondary bot App (not exposed externally).
+// The primary app proxies /api/messages-secondary → localhost:SECONDARY_PORT/api/messages.
+const SECONDARY_INTERNAL_PORT = 3979;
+// Collect all unique OAuth connection names across top-level config and tenant overrides.
+/* v8 ignore start -- runtime Teams SDK config; no unit-testable surface @preserve */
+function allOAuthConnectionNames() {
+    const oauthConfig = (0, config_1.getOAuthConfig)();
+    const names = new Set();
+    if (oauthConfig.graphConnectionName)
+        names.add(oauthConfig.graphConnectionName);
+    if (oauthConfig.adoConnectionName)
+        names.add(oauthConfig.adoConnectionName);
+    if (oauthConfig.githubConnectionName)
+        names.add(oauthConfig.githubConnectionName);
+    if (oauthConfig.tenantOverrides) {
+        for (const ov of Object.values(oauthConfig.tenantOverrides)) {
+            if (ov.graphConnectionName)
+                names.add(ov.graphConnectionName);
+            if (ov.adoConnectionName)
+                names.add(ov.adoConnectionName);
+            if (ov.githubConnectionName)
+                names.add(ov.githubConnectionName);
+        }
+    }
+    return [...names];
+}
+// Create an App instance from a TeamsConfig. Returns { app, mode }.
+function createBotApp(teamsConfig) {
     const mentionStripping = { activity: { mentions: { stripText: true } } };
-    const teamsConfig = (0, config_2.getTeamsConfig)();
-    let app;
-    let mode;
     const oauthConfig = (0, config_1.getOAuthConfig)();
-    if (teamsConfig.clientId) {
-        // Bot Service mode -- real Teams connection with SingleTenant credentials
-        app = new teams_apps_1.App({
-            clientId: teamsConfig.clientId,
-            clientSecret: teamsConfig.clientSecret,
-            tenantId: teamsConfig.tenantId,
-            oauth: { defaultConnectionName: oauthConfig.graphConnectionName },
-            ...mentionStripping,
-        });
-        mode = "Bot Service";
+    if (teamsConfig.clientId && teamsConfig.clientSecret) {
+        return {
+            app: new teams_apps_1.App({
+                clientId: teamsConfig.clientId,
+                clientSecret: teamsConfig.clientSecret,
+                tenantId: teamsConfig.tenantId,
+                oauth: { defaultConnectionName: oauthConfig.graphConnectionName },
+                ...mentionStripping,
+            }),
+            mode: "Bot Service (client secret)",
+        };
+    }
+    else if (teamsConfig.clientId) {
+        return {
+            app: new teams_apps_1.App({
+                clientId: teamsConfig.clientId,
+                tenantId: teamsConfig.tenantId,
+                ...(teamsConfig.managedIdentityClientId ? { managedIdentityClientId: teamsConfig.managedIdentityClientId } : {}),
+                oauth: { defaultConnectionName: oauthConfig.graphConnectionName },
+                ...mentionStripping,
+            }),
+            mode: "Bot Service (managed identity)",
+        };
     }
     else {
-        // DevtoolsPlugin mode -- local development with Teams DevtoolsPlugin UI
-        app = new teams_apps_1.App({
-            plugins: [new teams_dev_1.DevtoolsPlugin()],
-            ...mentionStripping,
-        });
-        mode = "DevtoolsPlugin";
+        return {
+            app: new teams_apps_1.App({
+                plugins: [new teams_dev_1.DevtoolsPlugin()],
+                ...mentionStripping,
+            }),
+            mode: "DevtoolsPlugin",
+        };
     }
+}
+/* v8 ignore stop */
+// Register message, verify-state, and error handlers on an App instance.
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function registerBotHandlers(app, label) {
+    const connectionNames = allOAuthConnectionNames();
     // Override default OAuth verify-state handler.  The SDK's built-in handler
     // uses a single defaultConnectionName, which breaks multi-connection setups
     // (graph + ado + github).  The verifyState activity only carries a `state`
     // code with no connectionName, so we try each configured connection until
     // one succeeds.
-    const allConnectionNames = [
-        oauthConfig.graphConnectionName,
-        oauthConfig.adoConnectionName,
-        oauthConfig.githubConnectionName,
-    ].filter(Boolean);
     app.on("signin.verify-state", async (ctx) => {
         const { api, activity } = ctx;
         if (!activity.value?.state)
             return { status: 404 };
-        for (const cn of allConnectionNames) {
+        for (const cn of connectionNames) {
             try {
                 await api.users.token.get({
                     channelId: activity.channelId,
@@ -583,12 +638,12 @@ function startTeamsApp() {
                     connectionName: cn,
                     code: activity.value.state,
                 });
-                (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.verify_state", component: "channels", message: `verify-state succeeded for connection "${cn}"`, meta: { connectionName: cn } });
+                (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.verify_state", component: "channels", message: `[${label}] verify-state succeeded for connection "${cn}"`, meta: { connectionName: cn } });
                 return { status: 200 };
             }
             catch { /* try next */ }
         }
-        (0, runtime_1.emitNervesEvent)({ level: "warn", event: "channel.verify_state", component: "channels", message: "verify-state failed for all connections", meta: {} });
+        (0, runtime_1.emitNervesEvent)({ level: "warn", event: "channel.verify_state", component: "channels", message: `[${label}] verify-state failed for all connections`, meta: {} });
         return { status: 412 };
     });
     app.on("message", async (ctx) => {
@@ -598,16 +653,12 @@ function startTeamsApp() {
         const turnKey = teamsTurnKey(convId);
         const userId = activity.from?.id || "";
         const channelId = activity.channelId || "msteams";
-        (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.message_received", component: "channels", message: "incoming teams message", meta: { userId: userId.slice(0, 12), conversationId: convId.slice(0, 20) } });
+        (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.message_received", component: "channels", message: `[${label}] incoming teams message`, meta: { userId: userId.slice(0, 12), conversationId: convId.slice(0, 20) } });
         // Resolve pending confirmations IMMEDIATELY — before token fetches or
         // the conversation lock.  The original message holds the lock while
         // awaiting confirmation, so acquiring it here would deadlock.  Token
         // fetches are also unnecessary (and slow) for a simple yes/no reply.
         if (resolvePendingConfirmation(convId, text)) {
-            // Don't emit on this stream — the original message's stream is still
-            // active.  Opening a second streaming response in the same conversation
-            // can corrupt the first.  The original stream will show tool progress
-            // once the confirmation Promise resolves.
             return;
         }
         // If this conversation already has an active turn, steer follow-up input
@@ -621,27 +672,30 @@ function startTeamsApp() {
             return;
         }
         try {
+            // Resolve OAuth connection names for this user's tenant (supports per-tenant overrides).
+            const tenantId = activity.conversation?.tenantId;
+            const tenantOAuth = (0, config_1.resolveOAuthForTenant)(tenantId);
             // Fetch tokens for both OAuth connections independently.
             // Failures are silently caught -- the tool handler will request signin if needed.
             let graphToken;
             let adoToken;
             let githubToken;
             try {
-                const graphRes = await api.users.token.get({ userId, connectionName: oauthConfig.graphConnectionName, channelId });
+                const graphRes = await api.users.token.get({ userId, connectionName: tenantOAuth.graphConnectionName, channelId });
                 graphToken = graphRes?.token;
             }
             catch { /* no token yet — tool handler will trigger signin */ }
             try {
-                const adoRes = await api.users.token.get({ userId, connectionName: oauthConfig.adoConnectionName, channelId });
+                const adoRes = await api.users.token.get({ userId, connectionName: tenantOAuth.adoConnectionName, channelId });
                 adoToken = adoRes?.token;
             }
             catch { /* no token yet — tool handler will trigger signin */ }
             try {
-                const githubRes = await api.users.token.get({ userId, connectionName: oauthConfig.githubConnectionName, channelId });
+                const githubRes = await api.users.token.get({ userId, connectionName: tenantOAuth.githubConnectionName, channelId });
                 githubToken = githubRes?.token;
             }
             catch { /* no token yet — tool handler will trigger signin */ }
-            (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.token_status", component: "channels", message: "oauth token availability", meta: { graph: !!graphToken, ado: !!adoToken, github: !!githubToken } });
+            (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.token_status", component: "channels", message: "oauth token availability", meta: { graph: !!graphToken, ado: !!adoToken, github: !!githubToken, tenantId } });
             const teamsContext = {
                 graphToken,
                 adoToken,
@@ -661,6 +715,11 @@ function startTeamsApp() {
                 aadObjectId: activity.from?.aadObjectId,
                 tenantId: activity.conversation?.tenantId,
                 displayName: activity.from?.name,
+                graphConnectionName: tenantOAuth.graphConnectionName,
+                adoConnectionName: tenantOAuth.adoConnectionName,
+                githubConnectionName: tenantOAuth.githubConnectionName,
+                /* v8 ignore next -- bot API availability branch; requires live SDK context @preserve */
+                botApi: app.id && api ? { id: app.id, conversations: api.conversations } : undefined,
             };
             /* v8 ignore next 5 -- bot-framework integration callback; tested via handleTeamsMessage sendMessage path @preserve */
             const ctxSend = async (t) => {
@@ -678,6 +737,23 @@ function startTeamsApp() {
             _turnCoordinator.endTurn(turnKey);
         }
     });
+    app.event("error", ({ error }) => {
+        const msg = error instanceof Error ? error.message : String(error);
+        (0, runtime_1.emitNervesEvent)({ level: "error", event: "channel.app_error", component: "channels", message: `[${label}] ${msg}`, meta: {} });
+    });
+}
+// Start the Teams app in DevtoolsPlugin mode (local dev) or Bot Service mode (real Teams).
+// Mode is determined by getTeamsConfig().clientId.
+// Text is always accumulated in textBuffer and flushed periodically (chunked streaming).
+//
+// Dual-bot support: if teamsSecondary is configured with a clientId, a second App
+// instance starts on an internal port and the primary app proxies requests from
+// /api/messages-secondary to it. This lets a single App Service serve two bot
+// registrations (e.g. one per tenant) without SDK modifications.
+function startTeamsApp() {
+    const teamsConfig = (0, config_2.getTeamsConfig)();
+    const { app, mode } = createBotApp(teamsConfig);
+    registerBotHandlers(app, "primary");
     if (!process.listeners("unhandledRejection").some((l) => l.__agentHandler)) {
         const handler = (err) => {
             const msg = err instanceof Error ? err.message : String(err);
@@ -686,11 +762,54 @@ function startTeamsApp() {
         handler.__agentHandler = true;
         process.on("unhandledRejection", handler);
     }
-    app.event("error", ({ error }) => {
-        const msg = error instanceof Error ? error.message : String(error);
-        (0, runtime_1.emitNervesEvent)({ level: "error", event: "channel.app_error", component: "channels", message: msg, meta: {} });
-    });
-    const port = (0, config_2.getTeamsChannelConfig)().port;
+    /* v8 ignore next -- PORT env branch; runtime-only @preserve */
+    const port = process.env.PORT ? Number(process.env.PORT) : (0, config_2.getTeamsChannelConfig)().port;
     app.start(port);
-    (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.app_started", component: "channels", message: `Teams bot started on port ${port} with ${mode} (chunked streaming)`, meta: { port, mode } });
+    // Diagnostic: log tool count at startup to verify deploy
+    const startupTools = (0, tools_1.getToolsForChannel)((0, channel_1.getChannelCapabilities)("teams"));
+    const toolNames = startupTools.map((t) => t.function.name);
+    (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.app_started", component: "channels", message: `Teams bot started on port ${port} with ${mode} (chunked streaming)`, meta: { port, mode, toolCount: toolNames.length, hasProactive: toolNames.includes("teams_send_message") } });
+    // --- Secondary bot (dual-bot support) ---
+    // If teamsSecondary has a clientId, start a second App on an internal port
+    // and proxy /api/messages-secondary on the primary app to it.
+    /* v8 ignore start -- dual-bot proxy wiring; requires live Teams SDK + HTTP @preserve */
+    const secondaryConfig = (0, config_1.getTeamsSecondaryConfig)();
+    if (secondaryConfig.clientId) {
+        const { app: secondaryApp, mode: secondaryMode } = createBotApp(secondaryConfig);
+        registerBotHandlers(secondaryApp, "secondary");
+        secondaryApp.start(SECONDARY_INTERNAL_PORT);
+        (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.app_started", component: "channels", message: `Secondary bot started on internal port ${SECONDARY_INTERNAL_PORT} with ${secondaryMode}`, meta: { port: SECONDARY_INTERNAL_PORT, mode: secondaryMode } });
+        // Proxy: forward /api/messages-secondary on the primary app's Express
+        // to localhost:SECONDARY_INTERNAL_PORT/api/messages.
+        // The SDK's HttpPlugin exposes .post() bound to its Express instance.
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const httpPlugin = app.http;
+        httpPlugin.post("/api/messages-secondary", (req, res) => {
+            const body = JSON.stringify(req.body);
+            const proxyReq = http.request({
+                hostname: "127.0.0.1",
+                port: SECONDARY_INTERNAL_PORT,
+                path: "/api/messages",
+                method: "POST",
+                headers: {
+                    ...req.headers,
+                    "content-length": Buffer.byteLength(body).toString(),
+                },
+            }, (proxyRes) => {
+                res.writeHead(proxyRes.statusCode ?? 200, proxyRes.headers);
+                proxyRes.pipe(res);
+            });
+            proxyReq.on("error", (err) => {
+                (0, runtime_1.emitNervesEvent)({ level: "error", event: "channel.proxy_error", component: "channels", message: `secondary proxy error: ${err.message}`, meta: {} });
+                if (!res.headersSent) {
+                    res.writeHead(502);
+                    res.end("Bad Gateway");
+                }
+            });
+            proxyReq.write(body);
+            proxyReq.end();
+        });
+        (0, runtime_1.emitNervesEvent)({ level: "info", event: "channel.proxy_ready", component: "channels", message: "proxy /api/messages-secondary → secondary bot ready", meta: {} });
+    }
+    /* v8 ignore stop */
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.15",
+  "version": "0.1.0-alpha.16",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "ouro": "dist/heart/daemon/ouro-entry.js",