@ouro.bot/cli 0.1.0-alpha.33 → 0.1.0-alpha.330

package/dist/repertoire/bitwarden-store.js

@@ -0,0 +1,319 @@
+"use strict";
+/**
+ * Bitwarden CLI credential store — wraps `bw` CLI for the agent's own vault.
+ *
+ * Unlike AacCredentialStore (which accesses someone else's vault via approval),
+ * this store authenticates directly as the agent using its own master password.
+ * The agent owns the vault, so no human-in-the-loop is needed.
+ *
+ * Requires the `bw` CLI to be installed. Session tokens are cached in-memory.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BitwardenCredentialStore = void 0;
+const node_child_process_1 = require("node:child_process");
+const runtime_1 = require("../nerves/runtime");
+const bw_installer_1 = require("./bw-installer");
+// ---------------------------------------------------------------------------
+// bw CLI wrapper
+// ---------------------------------------------------------------------------
+function execBw(args, sessionToken) {
+    const env = sessionToken
+        ? { ...process.env, BW_SESSION: sessionToken }
+        : process.env;
+    return new Promise((resolve, reject) => {
+        (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout) => {
+            if (err) {
+                if (isBwNotInstalled(err)) {
+                    reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
+                    return;
+                }
+                reject(new Error(`bw CLI error: ${err.message}`));
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+/** Check if the error indicates the bw CLI binary is not installed. */
+function isBwNotInstalled(err) {
+    const msg = err.message.toLowerCase();
+    const code = err.code;
+    return code === "ENOENT" || msg.includes("enoent") || msg.includes("not found") || msg.includes("command not found");
+}
+/** Check if the error is transient (network/timeout) and worth retrying. */
+function isTransientError(err) {
+    const msg = err.message.toLowerCase();
+    return (msg.includes("econnrefused") ||
+        msg.includes("etimedout") ||
+        msg.includes("enotfound") ||
+        msg.includes("socket hang up") ||
+        msg.includes("503") ||
+        msg.includes("server unavailable"));
+}
+const MAX_RETRIES = 3;
+const BASE_BACKOFF_MS = 1000;
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+// ---------------------------------------------------------------------------
+// BitwardenCredentialStore
+// ---------------------------------------------------------------------------
+class BitwardenCredentialStore {
+    serverUrl;
+    email;
+    masterPassword;
+    sessionToken = null;
+    constructor(serverUrl, email, masterPassword) {
+        this.serverUrl = serverUrl;
+        this.email = email;
+        this.masterPassword = masterPassword;
+    }
+    isReady() {
+        return true;
+    }
+    /**
+     * Ensure the bw CLI is authenticated and unlocked.
+     * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
+     * Retries transient failures (network/timeout) up to MAX_RETRIES with exponential backoff.
+     */
+    async login() {
+        // Ensure bw CLI is installed before any bw commands
+        await (0, bw_installer_1.ensureBwCli)();
+        let lastError;
+        for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+            try {
+                await this.loginAttempt();
+                return;
+            }
+            catch (err) {
+                /* v8 ignore next -- defensive: loginAttempt always throws Error instances @preserve */
+                lastError = err instanceof Error ? err : new Error(String(err));
+                // Don't retry non-transient errors (auth failures, bw not installed)
+                if (!isTransientError(lastError)) {
+                    throw lastError;
+                }
+                // Don't retry after final attempt
+                if (attempt === MAX_RETRIES - 1)
+                    break;
+                const backoffMs = BASE_BACKOFF_MS * Math.pow(2, attempt);
+                (0, runtime_1.emitNervesEvent)({
+                    event: "repertoire.bw_login_retry",
+                    component: "repertoire",
+                    message: `bw login attempt ${attempt + 1} failed, retrying in ${backoffMs}ms`,
+                    meta: { attempt: attempt + 1, backoffMs, reason: lastError.message },
+                });
+                await delay(backoffMs);
+            }
+        }
+        throw lastError;
+    }
+    /** Single login attempt — called by login() retry loop. */
+    async loginAttempt() {
+        // Check current status
+        let status = {};
+        try {
+            const raw = await execBw(["status"]);
+            status = JSON.parse(raw);
+        }
+        catch (err) {
+            // If bw CLI is not installed or a transient error, propagate it for retry
+            if (err instanceof Error && (isBwNotInstalled(err) || isTransientError(err))) {
+                throw err;
+            }
+            // CLI not configured or broken — proceed with full setup
+        }
+        // Configure server URL if needed (only works when logged out)
+        if (status.status === "unauthenticated" || !status.serverUrl) {
+            try {
+                await execBw(["config", "server", this.serverUrl]);
+            }
+            catch {
+                // "Logout required" means already logged in — that's fine, skip config
+            }
+        }
+        if (status.status === "locked") {
+            // Already logged in, just needs unlock
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"]);
+            this.sessionToken = unlockOutput.trim();
+        }
+        else if (status.status === "unauthenticated" || !status.status) {
+            // Not logged in — full login
+            const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"]);
+            try {
+                const parsed = JSON.parse(loginOutput);
+                this.sessionToken = parsed.access_token ?? loginOutput.trim();
+            }
+            catch {
+                this.sessionToken = loginOutput.trim();
+            }
+        }
+        else {
+            // Status is "unlocked" — already good, just need the session token
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"]);
+            this.sessionToken = unlockOutput.trim();
+        }
+    }
+    async ensureSession() {
+        if (!this.sessionToken) {
+            await this.login();
+        }
+        /* v8 ignore next -- defensive: login() always sets sessionToken on success @preserve */
+        return this.sessionToken ?? undefined;
+    }
+    async get(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_start",
+            component: "repertoire",
+            message: `getting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        const item = await this.findItemByDomain(domain, session);
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_get_end",
+                component: "repertoire",
+                message: `no bw credential for ${domain}`,
+                meta: { domain, found: false, backend: "bitwarden" },
+            });
+            return null;
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_end",
+            component: "repertoire",
+            message: `bw credential found for ${domain}`,
+            meta: { domain, found: true, backend: "bitwarden" },
+        });
+        return {
+            domain: item.name,
+            username: item.login?.username,
+            notes: item.notes ?? undefined,
+            createdAt: item.revisionDate ?? new Date().toISOString(),
+        };
+    }
+    async getRawSecret(domain, field) {
+        const session = await this.ensureSession();
+        const item = await this.findItemByDomain(domain, session);
+        if (!item) {
+            throw new Error(`no credential found for domain "${domain}"`);
+        }
+        // Map common field names to bw item structure
+        let value;
+        if (field === "password") {
+            value = item.login?.password;
+        }
+        else if (field === "username") {
+            value = item.login?.username;
+        }
+        else {
+            value = item[field];
+        }
+        if (value === undefined || value === null) {
+            throw new Error(`field "${field}" not found for domain "${domain}"`);
+        }
+        return String(value);
+    }
+    async store(domain, data) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_start",
+            component: "repertoire",
+            message: `storing credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        // Create a new login item
+        const item = {
+            type: 1, // Login type
+            name: domain,
+            login: {
+                username: data.username ?? "",
+                password: data.password,
+                uris: [{ match: null, uri: `https://${domain}` }],
+            },
+            notes: data.notes ?? null,
+        };
+        const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
+        await execBw(["create", "item", encoded], session);
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_end",
+            component: "repertoire",
+            message: `credential stored via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+    }
+    async list() {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_list_start",
+            component: "repertoire",
+            message: "listing bw credentials",
+            meta: { backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        try {
+            const stdout = await execBw(["list", "items"], session);
+            const items = JSON.parse(stdout);
+            const results = items.map((item) => ({
+                domain: item.name,
+                username: item.login?.username,
+                notes: item.notes ?? undefined,
+                createdAt: item.revisionDate ?? new Date().toISOString(),
+            }));
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_list_end",
+                component: "repertoire",
+                message: "bw credentials listed",
+                meta: { backend: "bitwarden", count: results.length },
+            });
+            return results;
+        }
+        catch {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_list_end",
+                component: "repertoire",
+                message: "bw credential list failed",
+                meta: { backend: "bitwarden", count: 0 },
+            });
+            return [];
+        }
+    }
+    async delete(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_start",
+            component: "repertoire",
+            message: `deleting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        const item = await this.findItemByDomain(domain, session);
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_delete_end",
+                component: "repertoire",
+                message: `no bw credential to delete for ${domain}`,
+                meta: { domain, deleted: false, backend: "bitwarden" },
+            });
+            return false;
+        }
+        await execBw(["delete", "item", item.id], session);
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_end",
+            component: "repertoire",
+            message: `credential deleted via bw for ${domain}`,
+            meta: { domain, deleted: true, backend: "bitwarden" },
+        });
+        return true;
+    }
+    // --- Private ---
+    async findItemByDomain(domain, session) {
+        try {
+            const stdout = await execBw(["list", "items", "--search", domain], session);
+            const items = JSON.parse(stdout);
+            // Find exact match by name
+            return items.find((item) => item.name === domain) ?? items[0] ?? null;
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.BitwardenCredentialStore = BitwardenCredentialStore;

package/dist/repertoire/bundle-templates.js

@@ -0,0 +1,72 @@
+"use strict";
+/**
+ * Templates for agent bundle scaffolding.
+ *
+ * ## .gitignore design philosophy
+ *
+ * The bundle .gitignore handles FUNCTIONAL "shouldn't track" cases only:
+ *
+ *   - Runtime state (sessions, logs, runtime files) — stale data with no
+ *     value for review or history.
+ *   - Credentials — real secrets live in `~/.agentsecrets`, but defense
+ *     in depth in case anything leaks into the bundle.
+ *   - Editor / OS noise (.DS_Store, .idea/, etc.).
+ *   - Build artifacts (rare in bundles, but possible).
+ *
+ * It DOES NOT handle PII. The bundle is inherently full of PII — `friends/`,
+ * `diary/`, `journal/`, `psyche/`, `arc/`, `facts/`, `family/`, `travel/`
+ * etc. That's the point of the bundle; blocking those via .gitignore would
+ * defeat the purpose.
+ *
+ * PII is handled at first-push time by `bundle_first_push_review`, which
+ * enumerates PII-bearing directories, shows the agent counts, probes the
+ * remote URL for GitHub visibility, and hard-pauses until the human
+ * confirms. See Directive D in the planning doc.
+ *
+ * No content-pattern blocks (no `**\/sk-ant-*` or similar). Content-review
+ * failures are a different safety layer — credential scanning at commit
+ * time would be a follow-up feature.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PII_BUNDLE_DIRECTORIES = exports.BUNDLE_GITIGNORE_TEMPLATE = void 0;
+exports.BUNDLE_GITIGNORE_TEMPLATE = `# Runtime state — sessions, logs, runtime files, never tracked
+state/
+
+# Credentials — never tracked. Real secrets live in ~/.agentsecrets, but
+# defense in depth in case anything leaks into the bundle.
+.env
+.env.*
+secrets/
+**/*.key
+**/*.pem
+**/*.credentials
+**/*.pfx
+
+# Editor and OS noise
+.DS_Store
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Build artifacts (rare in bundles, but possible if a workspace lands here)
+node_modules/
+dist/
+`;
+/**
+ * PII-sensitive top-level directories. Enumerated here so `bundle_first_push_review`
+ * can categorize and count. Adding a new PII bucket to the bundle means adding
+ * it here so the first-push warning includes it.
+ */
+exports.PII_BUNDLE_DIRECTORIES = [
+    "friends",
+    "diary",
+    "journal",
+    "psyche",
+    "arc",
+    "facts",
+    "family",
+    "travel",
+    "memory",
+    "sessions",
+];

package/dist/repertoire/bw-installer.js

@@ -0,0 +1,79 @@
+"use strict";
+/**
+ * Lazy bw CLI installer — auto-installs the Bitwarden CLI when not present.
+ *
+ * Mirrors the whisper-cpp pattern in senses/bluebubbles/media.ts:
+ * check PATH first, install via npm if missing, emit nerves event.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureBwCli = ensureBwCli;
+const node_child_process_1 = require("node:child_process");
+const runtime_1 = require("../nerves/runtime");
+const INSTALL_TIMEOUT_MS = 120_000;
+const WHICH_TIMEOUT_MS = 5_000;
+function execFileAsync(cmd, args, timeout) {
+    return new Promise((resolve, reject) => {
+        (0, node_child_process_1.execFile)(cmd, args, { timeout }, (err, stdout) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+/**
+ * Ensure the `bw` CLI is available, installing it via npm if needed.
+ * Returns the path to the `bw` binary.
+ */
+async function ensureBwCli() {
+    // 1. Check if bw is already in PATH
+    try {
+        const existing = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
+        if (existing) {
+            return existing;
+        }
+    }
+    catch {
+        // Not found — fall through to install
+    }
+    // 2. Install via npm
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.bw_cli_install_start",
+        component: "repertoire",
+        message: "bw CLI not found, installing via npm",
+        meta: {},
+    });
+    try {
+        await execFileAsync("npm", ["install", "-g", "@bitwarden/cli"], INSTALL_TIMEOUT_MS);
+    }
+    catch (err) {
+        /* v8 ignore next -- execFileCb always throws Error instances @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            event: "repertoire.bw_cli_install_fail",
+            component: "repertoire",
+            message: "failed to install bw CLI via npm",
+            meta: { reason },
+        });
+        throw new Error(`failed to install bw CLI via npm: ${reason}`);
+    }
+    // 3. Verify installation and return path
+    try {
+        const installed = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
+        if (installed) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_cli_install_end",
+                component: "repertoire",
+                message: "bw CLI installed successfully",
+                meta: { path: installed },
+            });
+            return installed;
+        }
+    }
+    catch {
+        // Fall through to error
+    }
+    throw new Error("bw CLI installed via npm but binary not found in PATH");
+}

package/dist/repertoire/coding/codex-jsonl.js

@@ -0,0 +1,64 @@
+"use strict";
+/**
+ * Codex JSONL event parser.
+ * Parses typed events from Codex --json output:
+ * thread.started, turn.started, turn.completed, item.completed.
+ * Maps events to coding session status transitions.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseCodexJsonlEvent = parseCodexJsonlEvent;
+const runtime_1 = require("../../nerves/runtime");
+const KNOWN_TYPES = new Set(["thread.started", "turn.started", "turn.completed", "item.completed"]);
+/**
+ * Parse a single JSONL line from Codex --json output.
+ * Returns null for invalid JSON, empty strings, or unknown event types.
+ */
+function parseCodexJsonlEvent(line) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0)
+        return null;
+    let parsed;
+    try {
+        parsed = JSON.parse(trimmed);
+    }
+    catch {
+        (0, runtime_1.emitNervesEvent)({
+            component: "repertoire",
+            event: "repertoire.codex_jsonl_parse_error",
+            message: "failed to parse codex JSONL line",
+            meta: { line: trimmed.slice(0, 100) },
+        });
+        return null;
+    }
+    const type = parsed.type;
+    if (!type || !KNOWN_TYPES.has(type))
+        return null;
+    const event = {
+        type: type,
+        threadId: typeof parsed.thread_id === "string" ? parsed.thread_id : undefined,
+        turnId: typeof parsed.turn_id === "string" ? parsed.turn_id : undefined,
+        item: typeof parsed.item === "object" && parsed.item !== null ? parsed.item : undefined,
+        raw: parsed,
+        statusHint: mapStatusHint(type),
+    };
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.codex_jsonl_event",
+        message: "parsed codex JSONL event",
+        meta: { type, threadId: event.threadId ?? null },
+    });
+    return event;
+}
+function mapStatusHint(type) {
+    switch (type) {
+        case "thread.started":
+        case "turn.started":
+            return "running";
+        case "turn.completed":
+        case "item.completed":
+            return null; // No automatic status change for completion events
+        /* v8 ignore next -- defensive default for unknown event types */
+        default:
+            return null;
+    }
+}