@ouro.bot/cli 0.1.0-alpha.15 → 0.1.0-alpha.17

package/dist/repertoire/coding/tools.js

@@ -61,6 +61,20 @@ const codingStatusTool = {
         },
     },
 };
+const codingTailTool = {
+    type: "function",
+    function: {
+        name: "coding_tail",
+        description: "show recent stdout/stderr tail for a coding session in a readable format",
+        parameters: {
+            type: "object",
+            properties: {
+                sessionId: { type: "string" },
+            },
+            required: ["sessionId"],
+        },
+    },
+};
 const codingSendInputTool = {
     type: "function",
     function: {
@@ -93,7 +107,7 @@ const codingKillTool = {
 exports.codingToolDefinitions = [
     {
         tool: codingSpawnTool,
-        handler: async (args) => {
+        handler: async (args, ctx) => {
             emitCodingToolEvent("coding_spawn");
             const rawRunner = requireArg(args, "runner");
             if (!rawRunner)
@@ -122,7 +136,19 @@ exports.codingToolDefinitions = [
             const stateFile = optionalArg(args, "stateFile");
             if (stateFile)
                 request.stateFile = stateFile;
-            const session = await (0, index_1.getCodingSessionManager)().spawnSession(request);
+            const manager = (0, index_1.getCodingSessionManager)();
+            const session = await manager.spawnSession(request);
+            if (args.runner === "codex" && args.taskRef) {
+                (0, runtime_1.emitNervesEvent)({
+                    component: "repertoire",
+                    event: "repertoire.coding_codex_spawned",
+                    message: "spawned codex coding session",
+                    meta: { sessionId: session.id, taskRef: args.taskRef },
+                });
+            }
+            if (ctx?.codingFeedback) {
+                (0, index_1.attachCodingSessionFeedback)(manager, session, ctx.codingFeedback);
+            }
             return JSON.stringify(session);
         },
     },
@@ -141,6 +167,19 @@ exports.codingToolDefinitions = [
             return JSON.stringify(session);
         },
     },
+    {
+        tool: codingTailTool,
+        handler: (args) => {
+            emitCodingToolEvent("coding_tail");
+            const sessionId = requireArg(args, "sessionId");
+            if (!sessionId)
+                return "sessionId is required";
+            const session = (0, index_1.getCodingSessionManager)().getSession(sessionId);
+            if (!session)
+                return `session not found: ${sessionId}`;
+            return (0, index_1.formatCodingTail)(session);
+        },
+    },
     {
         tool: codingSendInputTool,
         handler: (args) => {

package/dist/repertoire/data/ado-endpoints.json

@@ -35,6 +35,12 @@
         "description": "Delete a work item (moves to recycle bin)",
         "params": "destroy (boolean, permanently delete)"
     },
+    {
+        "path": "/{project}/_apis/wit/workitemtypes",
+        "method": "GET",
+        "description": "List all work item types available in a project (Bug, Task, Epic, User Story, etc.)",
+        "params": ""
+    },
     {
         "path": "/_apis/git/repositories",
         "method": "GET",
@@ -118,5 +124,187 @@
         "method": "GET",
         "description": "List saved work item queries (shared and personal)",
         "params": "$depth, $expand"
+    },
+    {
+        "path": "/_apis/groupentitlements?api-version=7.1",
+        "method": "GET",
+        "host": "vsaex.dev.azure.com",
+        "description": "List group entitlements (group rules that auto-assign licenses). Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/groupentitlements?api-version=7.1",
+        "method": "POST",
+        "host": "vsaex.dev.azure.com",
+        "description": "Create a group entitlement rule — maps an AAD group to an access level (e.g. Basic) and project membership. All members of the AAD group automatically get the specified license. Use host vsaex.dev.azure.com. This is the best way to bulk-provision users.",
+        "params": "body: { group: { origin: 'aad', originId: '<AAD-group-object-id>', subjectKind: 'group' }, licenseRule: { licensingSource: 'account', accountLicenseType: 'express', licenseDisplayName: 'Basic' }, projectEntitlements: [{ group: { groupType: 'projectContributor' }, projectRef: { id: '<project-id>' } }] }"
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "GET",
+        "host": "vsaex.dev.azure.com",
+        "description": "Get a specific group entitlement by ID. Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "PATCH",
+        "host": "vsaex.dev.azure.com",
+        "description": "Update a group entitlement (change license rule, project access). Use host vsaex.dev.azure.com.",
+        "params": "JSON Patch array: [{op, path, value}]"
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "DELETE",
+        "host": "vsaex.dev.azure.com",
+        "description": "Delete a group entitlement rule. Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements?api-version=7.1-preview.3",
+        "method": "GET",
+        "host": "vsapm.dev.azure.com",
+        "description": "List individual member entitlements (users and their access levels). Use host vsapm.dev.azure.com. For bulk provisioning, prefer the Group Entitlements API on vsaex.dev.azure.com instead.",
+        "params": "$top, $skip, $filter, $orderBy, $select"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements?api-version=7.1-preview.3",
+        "method": "POST",
+        "host": "vsapm.dev.azure.com",
+        "description": "Add a single member entitlement. Use host vsapm.dev.azure.com. For bulk provisioning, prefer the Group Entitlements API on vsaex.dev.azure.com instead.",
+        "params": "body: { accessLevel: { accountLicenseType: 'express'|'stakeholder', licensingSource: 'account' }, user: { principalName: 'user@domain.com', subjectKind: 'user' }, projectEntitlements: [{ group: { groupType: 'projectContributor' }, projectRef: { id: projectId } }] }"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements/{memberId}?api-version=7.1-preview.3",
+        "method": "PATCH",
+        "host": "vsapm.dev.azure.com",
+        "description": "Update a member entitlement (change access level, project access). Use host vsapm.dev.azure.com.",
+        "params": "JSON Patch array: [{op, path, value}]"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements/{memberId}?api-version=7.1-preview.3",
+        "method": "DELETE",
+        "host": "vsapm.dev.azure.com",
+        "description": "Remove a member entitlement (revoke user access). Use host vsapm.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/graph/users?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List users in the organization (Graph API). Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "subjectTypes (aad, msa, etc.), continuationToken"
+    },
+    {
+        "path": "/_apis/graph/groups?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List groups in the organization. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "subjectTypes, continuationToken"
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List group memberships for a user or group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "direction (up = groups user belongs to, down = members of group)"
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}/{containerDescriptor}?api-version=7.1-preview.1",
+        "method": "PUT",
+        "host": "vssps.dev.azure.com",
+        "description": "Add a user to a group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}/{containerDescriptor}?api-version=7.1-preview.1",
+        "method": "DELETE",
+        "host": "vssps.dev.azure.com",
+        "description": "Remove a user from a group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams",
+        "method": "GET",
+        "description": "List teams in a project",
+        "params": "$top, $skip"
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams/{teamId}",
+        "method": "GET",
+        "description": "Get a specific team by ID",
+        "params": ""
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams",
+        "method": "POST",
+        "description": "Create a new team in a project",
+        "params": "name, description"
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams/{teamId}/members",
+        "method": "GET",
+        "description": "List members of a team",
+        "params": "$top, $skip"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations",
+        "method": "GET",
+        "description": "List iterations (sprints) for a team",
+        "params": "$timeframe (current, past, future)"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations",
+        "method": "POST",
+        "description": "Add an iteration to a team's sprint schedule",
+        "params": "id (iteration node ID)"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations/{iterationId}",
+        "method": "DELETE",
+        "description": "Remove an iteration from a team's sprint schedule",
+        "params": ""
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/iterations",
+        "method": "GET",
+        "description": "List iteration path tree (project-level iteration nodes)",
+        "params": "$depth"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/iterations",
+        "method": "POST",
+        "description": "Create a new iteration node (sprint)",
+        "params": "name, attributes: { startDate, finishDate }"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/areas",
+        "method": "GET",
+        "description": "List area path tree (project-level area nodes)",
+        "params": "$depth"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/areas",
+        "method": "POST",
+        "description": "Create a new area path node",
+        "params": "name"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/{structureGroup}/{path}",
+        "method": "DELETE",
+        "description": "Delete a classification node (area or iteration). structureGroup is 'areas' or 'iterations'.",
+        "params": "$reclassifyId (move items to this node before deleting)"
+    },
+    {
+        "path": "/_apis/hooks/subscriptions",
+        "method": "GET",
+        "description": "List service hook subscriptions (webhooks for events)",
+        "params": ""
+    },
+    {
+        "path": "/_apis/hooks/subscriptions",
+        "method": "POST",
+        "description": "Create a service hook subscription (webhook)",
+        "params": "publisherId, eventType, consumerId, consumerActionId, publisherInputs, consumerInputs"
     }
 ]

package/dist/repertoire/tools-base.js

@@ -235,7 +235,7 @@ exports.baseToolDefinitions = [
         },
         handler: (a) => {
             try {
-                const result = (0, child_process_1.spawnSync)("claude", ["-p", "--dangerously-skip-permissions", "--add-dir", "."], {
+                const result = (0, child_process_1.spawnSync)("claude", ["-p", "--no-session-persistence", "--dangerously-skip-permissions", "--add-dir", "."], {
                     input: a.prompt,
                     encoding: "utf-8",
                     timeout: 60000,

package/dist/repertoire/tools-teams.js

@@ -82,7 +82,7 @@ exports.teamsToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_query",
-                description: "GET or POST (for WIQL read queries) any Azure DevOps API endpoint. Use ado_docs first to look up the correct path.",
+                description: "GET or POST (for WIQL read queries) any Azure DevOps API endpoint. Use ado_docs first to look up the correct path and host.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -90,6 +90,7 @@ exports.teamsToolDefinitions = [
                         path: { type: "string", description: "ADO API path after /{org}, e.g. /_apis/wit/wiql" },
                         method: { type: "string", enum: ["GET", "POST"], description: "HTTP method (defaults to GET)" },
                         body: { type: "string", description: "JSON request body (optional, used with POST for WIQL)" },
+                        host: { type: "string", description: "API host override for non-standard APIs (e.g. 'vsapm.dev.azure.com' for entitlements, 'vssps.dev.azure.com' for users). Omit for standard dev.azure.com." },
                     },
                     required: ["organization", "path"],
                 },
@@ -100,7 +101,7 @@ exports.teamsToolDefinitions = [
                 return "AUTH_REQUIRED:ado -- I need access to Azure DevOps. Please sign in when prompted.";
             }
             const method = args.method || "GET";
-            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, method, args.organization, args.path, args.body);
+            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, method, args.organization, args.path, args.body, args.host);
             checkAndRecord403(result, "ado", args.organization, method, ctx);
             return result;
         },
@@ -111,7 +112,7 @@ exports.teamsToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_mutate",
-                description: "POST/PATCH/DELETE any Azure DevOps API endpoint for actual mutations. Use ado_docs first to look up the correct path.",
+                description: "POST/PATCH/DELETE any Azure DevOps API endpoint for actual mutations. Use ado_docs first to look up the correct path and host.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -119,6 +120,7 @@ exports.teamsToolDefinitions = [
                         organization: { type: "string", description: "Azure DevOps organization name" },
                         path: { type: "string", description: "ADO API path after /{org}" },
                         body: { type: "string", description: "JSON request body (optional)" },
+                        host: { type: "string", description: "API host override for non-standard APIs (e.g. 'vsapm.dev.azure.com' for entitlements, 'vssps.dev.azure.com' for users). Omit for standard dev.azure.com." },
                     },
                     required: ["method", "organization", "path"],
                 },
@@ -133,7 +135,7 @@ exports.teamsToolDefinitions = [
             }
             /* v8 ignore next -- fallback unreachable: method is validated against MUTATE_METHODS above @preserve */
             const action = METHOD_TO_ACTION[args.method] || args.method;
-            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, args.method, args.organization, args.path, args.body);
+            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, args.method, args.organization, args.path, args.body, args.host);
             checkAndRecord403(result, "ado", args.organization, action, ctx);
             return result;
         },
@@ -201,6 +203,53 @@ exports.teamsToolDefinitions = [
         },
         integration: "ado",
     },
+    // -- Proactive messaging --
+    {
+        tool: {
+            type: "function",
+            function: {
+                name: "teams_send_message",
+                description: "send a proactive 1:1 Teams message to a user. requires their AAD object ID (use graph_query /users to find it). the message appears as coming from the bot.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        user_id: { type: "string", description: "AAD object ID of the user to message" },
+                        user_name: { type: "string", description: "display name of the user (for logging)" },
+                        message: { type: "string", description: "message text to send" },
+                        tenant_id: { type: "string", description: "tenant ID (optional, defaults to current conversation tenant)" },
+                    },
+                    required: ["user_id", "message"],
+                },
+            },
+        },
+        /* v8 ignore start -- proactive messaging requires live Teams SDK conversation client @preserve */
+        handler: async (args, ctx) => {
+            if (!ctx?.botApi) {
+                return "proactive messaging is not available -- no bot API context (this tool only works in the Teams channel)";
+            }
+            try {
+                const tenantId = args.tenant_id || ctx.tenantId;
+                // Cast to the SDK's ConversationClient shape (kept as `unknown` in ToolContext to avoid type coupling)
+                const conversations = ctx.botApi.conversations;
+                const conversation = await conversations.create({
+                    bot: { id: ctx.botApi.id },
+                    members: [{ id: args.user_id, role: "user", name: args.user_name || args.user_id }],
+                    tenantId,
+                    isGroup: false,
+                });
+                await conversations.activities(conversation.id).create({
+                    type: "message",
+                    text: args.message,
+                });
+                return `message sent to ${args.user_name || args.user_id}`;
+            }
+            catch (e) {
+                return `failed to send proactive message: ${e instanceof Error ? e.message : String(e)}`;
+            }
+        },
+        /* v8 ignore stop */
+        confirmationRequired: true,
+    },
     // -- Documentation tools --
     {
         tool: {
@@ -268,6 +317,8 @@ function searchEndpoints(entries, query) {
             `  ${e.description}`,
             `  Params: ${e.params || "none"}`,
         ];
+        if (e.host)
+            lines.push(`  Host: ${e.host}`);
         if (e.scopes)
             lines.push(`  Scopes: ${e.scopes}`);
         return lines.join("\n");
@@ -304,5 +355,7 @@ function summarizeTeamsArgs(name, args) {
         return summarizeKeyValues(["query"]);
     if (name === "ado_docs")
         return summarizeKeyValues(["query"]);
+    if (name === "teams_send_message")
+        return summarizeKeyValues(["user_name", "user_id"]);
     return undefined;
 }

package/dist/repertoire/tools.js

@@ -19,9 +19,29 @@ Object.defineProperty(exports, "teamsTools", { enumerable: true, get: function (
 // All tool definitions in a single registry
 const allDefinitions = [...tools_base_1.baseToolDefinitions, ...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions];
 const REMOTE_BLOCKED_LOCAL_TOOLS = new Set(["shell", "read_file", "write_file", "git_commit", "gh_cli"]);
-function baseToolsForCapabilities(capabilities) {
-    const isRemoteChannel = capabilities?.channel === "teams" || capabilities?.channel === "bluebubbles";
-    if (!isRemoteChannel)
+function isRemoteChannel(capabilities) {
+    return capabilities?.channel === "teams" || capabilities?.channel === "bluebubbles";
+}
+function isSharedRemoteContext(friend) {
+    const externalIds = friend.externalIds ?? [];
+    return externalIds.some((externalId) => externalId.externalId.startsWith("group:") || externalId.provider === "teams-conversation");
+}
+function isTrustedRemoteContext(context) {
+    if (!context?.friend || !isRemoteChannel(context.channel))
+        return false;
+    const trustLevel = context.friend.trustLevel ?? "stranger";
+    return trustLevel !== "stranger" && !isSharedRemoteContext(context.friend);
+}
+function shouldBlockLocalTools(capabilities, context) {
+    if (!isRemoteChannel(capabilities))
+        return false;
+    return !isTrustedRemoteContext(context);
+}
+function blockedLocalToolMessage() {
+    return "I can't do that from here because I'm talking to multiple people in a shared remote channel, and local shell/file/git/gh operations could let conversations interfere with each other. Ask me for a remote-safe alternative (Graph/ADO/web), or run that operation from CLI.";
+}
+function baseToolsForCapabilities(capabilities, context) {
+    if (!shouldBlockLocalTools(capabilities, context))
         return tools_base_1.tools;
     return tools_base_1.tools.filter((tool) => !REMOTE_BLOCKED_LOCAL_TOOLS.has(tool.function.name));
 }
@@ -39,13 +59,15 @@ function applyPreference(tool, pref) {
 // Base tools (no integration) are always included.
 // Teams/integration tools are included only if their integration is in availableIntegrations.
 // When toolPreferences is provided, matching preferences are appended to tool descriptions.
-function getToolsForChannel(capabilities, toolPreferences) {
-    const baseTools = baseToolsForCapabilities(capabilities);
+function getToolsForChannel(capabilities, toolPreferences, context) {
+    const baseTools = baseToolsForCapabilities(capabilities, context);
     if (!capabilities || capabilities.availableIntegrations.length === 0) {
         return baseTools;
     }
     const available = new Set(capabilities.availableIntegrations);
-    const integrationDefs = [...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions].filter((d) => d.integration && available.has(d.integration));
+    const channelDefs = [...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions];
+    // Include tools whose integration is available, plus channel tools with no integration gate (e.g. teams_send_message)
+    const integrationDefs = channelDefs.filter((d) => d.integration ? available.has(d.integration) : capabilities.channel === "teams");
     if (!toolPreferences || Object.keys(toolPreferences).length === 0) {
         return [...baseTools, ...integrationDefs.map((d) => d.tool)];
     }
@@ -87,9 +109,8 @@ async function execTool(name, args, ctx) {
         });
         return `unknown: ${name}`;
     }
-    const isRemoteChannel = ctx?.context?.channel?.channel === "teams" || ctx?.context?.channel?.channel === "bluebubbles";
-    if (isRemoteChannel && REMOTE_BLOCKED_LOCAL_TOOLS.has(name)) {
-        const message = "I can't do that from here because I'm talking to multiple people in a shared remote channel, and local shell/file/git/gh operations could let conversations interfere with each other. Ask me for a remote-safe alternative (Graph/ADO/web), or run that operation from CLI.";
+    if (shouldBlockLocalTools(ctx?.context?.channel, ctx?.context) && REMOTE_BLOCKED_LOCAL_TOOLS.has(name)) {
+        const message = blockedLocalToolMessage();
         (0, runtime_1.emitNervesEvent)({
             level: "warn",
             event: "tool.error",
@@ -176,6 +197,8 @@ function summarizeArgs(name, args) {
         return summarizeKeyValues(args, ["runner", "workdir", "taskRef"]);
     if (name === "coding_status")
         return summarizeKeyValues(args, ["sessionId"]);
+    if (name === "coding_tail")
+        return summarizeKeyValues(args, ["sessionId"]);
     if (name === "coding_send_input")
         return summarizeKeyValues(args, ["sessionId", "input"]);
     if (name === "coding_kill")
@@ -195,5 +218,13 @@ function summarizeArgs(name, args) {
     }
     if (name === "ado_backlog_list")
         return summarizeKeyValues(args, ["organization", "project"]);
+    if (name === "ado_batch_update")
+        return summarizeKeyValues(args, ["organization", "project"]);
+    if (name === "ado_create_epic" || name === "ado_create_issue")
+        return summarizeKeyValues(args, ["organization", "project", "title"]);
+    if (name === "ado_move_items")
+        return summarizeKeyValues(args, ["organization", "project", "workItemIds"]);
+    if (name === "ado_restructure_backlog")
+        return summarizeKeyValues(args, ["organization", "project"]);
     return summarizeUnknownArgs(args);
 }