@ouro.bot/cli 0.1.0-alpha.336 → 0.1.0-alpha.338

package/changelog.json

@@ -1,6 +1,19 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.338",
+      "changes": [
+        "fix(mind): instruct agent not to echo timestamp tags in responses"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.337",
+      "changes": [
+        "`ouro up` now checks the selected human-facing and agent-facing providers for each discovered agent, so startup reports degraded agents immediately when a configured provider token is missing or fails a live health check.",
+        "Provider repair prompts now preserve the failed facing's provider, allowing agent-facing GitHub Copilot, MiniMax, Anthropic, Azure, or OpenAI Codex failures to route to the correct `ouro auth --agent <name> --provider <provider>` command."
+      ]
+    },
     {
       "version": "0.1.0-alpha.336",
       "changes": [

package/dist/heart/daemon/agent-config-check.js

@@ -34,16 +34,88 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkAgentConfig = checkAgentConfig;
+exports.checkAgentConfigWithProviderHealth = checkAgentConfigWithProviderHealth;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
-/**
- * Pre-spawn validation: ensures agent.json exists and required secrets are present.
- * Returns `{ ok: true }` when the agent is ready to run, or a descriptive error
- * with an actionable fix message when something is missing.
- */
-function checkAgentConfig(agentName, bundlesRoot, secretsRoot) {
+function isAgentProvider(value) {
+    return Object.prototype.hasOwnProperty.call(identity_1.PROVIDER_CREDENTIALS, value);
+}
+function formatFacingList(facings) {
+    if (facings.length === 1)
+        return facings[0];
+    return `${facings.slice(0, -1).join(", ")} and ${facings[facings.length - 1]}`;
+}
+function selectedProviderMap(selectedProviders) {
+    const byProvider = new Map();
+    for (const selected of selectedProviders) {
+        const facings = byProvider.get(selected.provider) ?? [];
+        facings.push(selected.facing);
+        byProvider.set(selected.provider, facings);
+    }
+    return byProvider;
+}
+function resolveFacingProvider(parsed, facing, agentName, agentJsonPath) {
+    const raw = parsed[facing];
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        return {
+            ok: false,
+            result: {
+                ok: false,
+                error: `agent.json for '${agentName}' is missing ${facing}.provider`,
+                fix: `Add ${facing}: { provider, model } to ${agentJsonPath}. Valid providers: ${Object.keys(identity_1.PROVIDER_CREDENTIALS).join(", ")}`,
+            },
+        };
+    }
+    const provider = raw.provider;
+    if (typeof provider !== "string" || provider.length === 0) {
+        return {
+            ok: false,
+            result: {
+                ok: false,
+                error: `agent.json for '${agentName}' is missing ${facing}.provider`,
+                fix: `Set ${facing}.provider in ${agentJsonPath}. Valid providers: ${Object.keys(identity_1.PROVIDER_CREDENTIALS).join(", ")}`,
+            },
+        };
+    }
+    if (!isAgentProvider(provider)) {
+        return {
+            ok: false,
+            result: {
+                ok: false,
+                error: `Unknown provider '${provider}' in ${facing}.provider for '${agentName}'`,
+                fix: `Set ${facing}.provider to one of: ${Object.keys(identity_1.PROVIDER_CREDENTIALS).join(", ")}`,
+            },
+        };
+    }
+    return { ok: true, selected: { facing, provider } };
+}
+function resolveSelectedProviders(parsed, agentName, agentJsonPath) {
+    const hasHumanFacing = parsed.humanFacing !== undefined;
+    const hasAgentFacing = parsed.agentFacing !== undefined;
+    if (!hasHumanFacing && !hasAgentFacing && typeof parsed.provider === "string") {
+        if (!isAgentProvider(parsed.provider)) {
+            return {
+                ok: false,
+                result: {
+                    ok: false,
+                    error: `Unknown provider '${parsed.provider}' in agent.json for '${agentName}'`,
+                    fix: `Set provider to one of: ${Object.keys(identity_1.PROVIDER_CREDENTIALS).join(", ")}`,
+                },
+            };
+        }
+        return { ok: true, selectedProviders: [{ facing: "provider", provider: parsed.provider }] };
+    }
+    const human = resolveFacingProvider(parsed, "humanFacing", agentName, agentJsonPath);
+    if (!human.ok)
+        return human;
+    const agent = resolveFacingProvider(parsed, "agentFacing", agentName, agentJsonPath);
+    if (!agent.ok)
+        return agent;
+    return { ok: true, selectedProviders: [human.selected, agent.selected] };
+}
+function readConfigCheckContext(agentName, bundlesRoot, secretsRoot) {
     const agentJsonPath = path.join(bundlesRoot, `${agentName}.ouro`, "agent.json");
     let raw;
     try {
@@ -52,8 +124,11 @@ function checkAgentConfig(agentName, bundlesRoot, secretsRoot) {
     catch {
         return {
             ok: false,
-            error: `agent.json not found at ${agentJsonPath}`,
-            fix: `Run 'ouro hatch ${agentName}' to create the agent bundle, or verify that ${bundlesRoot}/${agentName}.ouro/ exists.`,
+            result: {
+                ok: false,
+                error: `agent.json not found at ${agentJsonPath}`,
+                fix: `Run 'ouro hatch ${agentName}' to create the agent bundle, or verify that ${bundlesRoot}/${agentName}.ouro/ exists.`,
+            },
         };
     }
     let parsed;
@@ -63,40 +138,28 @@ function checkAgentConfig(agentName, bundlesRoot, secretsRoot) {
     catch {
         return {
             ok: false,
-            error: `agent.json at ${agentJsonPath} contains invalid JSON`,
-            fix: `Open ${agentJsonPath} and fix the JSON syntax.`,
+            result: {
+                ok: false,
+                error: `agent.json at ${agentJsonPath} contains invalid JSON`,
+                fix: `Open ${agentJsonPath} and fix the JSON syntax.`,
+            },
         };
     }
     // Disabled agents are valid — they just won't run
     if (parsed.enabled === false) {
-        return { ok: true };
-    }
-    // Resolve provider: humanFacing.provider > config.provider
-    let provider;
-    const humanFacing = parsed.humanFacing;
-    if (humanFacing && typeof humanFacing.provider === "string") {
-        provider = humanFacing.provider;
-    }
-    else if (typeof parsed.provider === "string") {
-        provider = parsed.provider;
-    }
-    if (!provider) {
         return {
-            ok: false,
-            error: `agent.json for '${agentName}' has no provider configured`,
-            fix: `Add humanFacing.provider to ${agentJsonPath}. Valid providers: ${Object.keys(identity_1.PROVIDER_CREDENTIALS).join(", ")}`,
-        };
-    }
-    const desc = identity_1.PROVIDER_CREDENTIALS[provider];
-    if (!desc) {
-        return {
-            ok: false,
-            error: `Unknown provider '${provider}' in agent.json for '${agentName}'`,
-            fix: `Set humanFacing.provider to one of: ${Object.keys(identity_1.PROVIDER_CREDENTIALS).join(", ")}`,
+            ok: true,
+            context: {
+                agentJsonPath,
+                secretsJsonPath: path.join(secretsRoot, agentName, "secrets.json"),
+                providers: {},
+                selectedProviders: [],
+            },
         };
     }
-    // Azure with managed identity does not require apiKey — skip secrets check
-    // when endpoint + deployment are present (managed identity auth)
+    const selected = resolveSelectedProviders(parsed, agentName, agentJsonPath);
+    if (!selected.ok)
+        return selected;
     const secretsJsonPath = path.join(secretsRoot, agentName, "secrets.json");
     let secrets;
     try {
@@ -104,46 +167,126 @@ function checkAgentConfig(agentName, bundlesRoot, secretsRoot) {
         secrets = JSON.parse(secretsRaw);
     }
     catch {
+        const firstProvider = selected.selectedProviders[0].provider;
         return {
             ok: false,
-            error: `secrets.json not found or unreadable at ${secretsJsonPath}`,
-            fix: `Run 'ouro auth ${agentName}' to configure credentials, or create ${secretsJsonPath} with providers.${provider} credentials.`,
+            result: {
+                ok: false,
+                error: `secrets.json not found or unreadable at ${secretsJsonPath}`,
+                fix: `Run 'ouro auth --agent ${agentName} --provider ${firstProvider}' to configure credentials, or create ${secretsJsonPath} with providers.${firstProvider} credentials.`,
+            },
         };
     }
     const providers = secrets.providers;
-    const providerSecrets = providers?.[provider];
-    if (!providerSecrets) {
+    if (!providers || typeof providers !== "object" || Array.isArray(providers)) {
+        const firstProvider = selected.selectedProviders[0].provider;
         return {
             ok: false,
-            error: `secrets.json for '${agentName}' is missing providers.${provider} section`,
-            fix: `Run 'ouro auth ${agentName}' to configure ${provider} credentials.`,
+            result: {
+                ok: false,
+                error: `secrets.json for '${agentName}' is missing providers object`,
+                fix: `Run 'ouro auth --agent ${agentName} --provider ${firstProvider}' to configure credentials.`,
+            },
         };
     }
-    // Azure special case: managed identity only needs endpoint + deployment
-    if (provider === "azure") {
-        const hasEndpoint = typeof providerSecrets.endpoint === "string" && providerSecrets.endpoint.length > 0;
-        const hasDeployment = typeof providerSecrets.deployment === "string" && providerSecrets.deployment.length > 0;
-        const hasManagedId = typeof providerSecrets.managedIdentityClientId === "string" && providerSecrets.managedIdentityClientId.length > 0;
-        if (hasEndpoint && hasDeployment && hasManagedId) {
-            return { ok: true };
+    return {
+        ok: true,
+        context: {
+            agentJsonPath,
+            secretsJsonPath,
+            providers,
+            selectedProviders: selected.selectedProviders,
+        },
+    };
+}
+function validateSelectedProviderSecrets(agentName, context) {
+    for (const [provider, facings] of selectedProviderMap(context.selectedProviders)) {
+        const desc = identity_1.PROVIDER_CREDENTIALS[provider];
+        const providerSecrets = context.providers[provider];
+        const selectedBy = formatFacingList(facings);
+        if (!providerSecrets) {
+            return {
+                ok: false,
+                error: `secrets.json for '${agentName}' is missing providers.${provider} section selected by ${selectedBy}`,
+                fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to configure ${provider} credentials.`,
+            };
+        }
+        // Azure special case: managed identity only needs endpoint + deployment.
+        if (provider === "azure") {
+            const hasEndpoint = typeof providerSecrets.endpoint === "string" && providerSecrets.endpoint.length > 0;
+            const hasDeployment = typeof providerSecrets.deployment === "string" && providerSecrets.deployment.length > 0;
+            const hasManagedId = typeof providerSecrets.managedIdentityClientId === "string" && providerSecrets.managedIdentityClientId.length > 0;
+            if (hasEndpoint && hasDeployment && hasManagedId) {
+                continue;
+            }
+        }
+        const missing = desc.required.filter((field) => {
+            const val = providerSecrets[field];
+            return typeof val !== "string" || val.length === 0;
+        });
+        if (missing.length > 0) {
+            return {
+                ok: false,
+                error: `secrets.json for '${agentName}' is missing required ${provider} credentials selected by ${selectedBy}: ${missing.join(", ")}`,
+                fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to set up ${provider} credentials, or add the missing fields to providers.${provider} in ${context.secretsJsonPath}.`,
+            };
         }
     }
-    const missing = desc.required.filter((field) => {
-        const val = providerSecrets[field];
-        return typeof val !== "string" || val.length === 0;
-    });
-    if (missing.length > 0) {
-        return {
-            ok: false,
-            error: `secrets.json for '${agentName}' is missing required ${provider} credentials: ${missing.join(", ")}`,
-            fix: `Run 'ouro auth ${agentName}' to set up ${provider} credentials, or add the missing fields to providers.${provider} in ${secretsJsonPath}.`,
-        };
-    }
+    return { ok: true };
+}
+function emitConfigValid(agentName, context, liveProviderCheck) {
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
         event: "daemon.agent_config_valid",
         message: "agent config validation passed",
-        meta: { agent: agentName, provider },
+        meta: {
+            agent: agentName,
+            providers: [...selectedProviderMap(context.selectedProviders).keys()],
+            liveProviderCheck,
+        },
     });
+}
+function providerPingFailureResult(agentName, provider, facings, result) {
+    const selectedBy = formatFacingList(facings);
+    const authFix = `Run 'ouro auth --agent ${agentName} --provider ${provider}' to refresh credentials.`;
+    const verifyFix = `Run 'ouro auth verify --agent ${agentName} --provider ${provider}' for details.`;
+    return {
+        ok: false,
+        error: `selected provider ${provider} for ${selectedBy} failed health check: ${result.message}`,
+        fix: `${result.classification === "auth-failure" ? authFix : verifyFix} Or switch the affected facing to a working provider.`,
+    };
+}
+/**
+ * Pre-spawn validation: ensures agent.json exists and required secrets are present.
+ * Returns `{ ok: true }` when the agent is ready to run, or a descriptive error
+ * with an actionable fix message when something is missing.
+ */
+function checkAgentConfig(agentName, bundlesRoot, secretsRoot) {
+    const contextResult = readConfigCheckContext(agentName, bundlesRoot, secretsRoot);
+    if (!contextResult.ok)
+        return contextResult.result;
+    const context = contextResult.context;
+    const structural = validateSelectedProviderSecrets(agentName, context);
+    if (!structural.ok)
+        return structural;
+    emitConfigValid(agentName, context, false);
+    return { ok: true };
+}
+async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, secretsRoot, deps = {}) {
+    const contextResult = readConfigCheckContext(agentName, bundlesRoot, secretsRoot);
+    if (!contextResult.ok)
+        return contextResult.result;
+    const context = contextResult.context;
+    const structural = validateSelectedProviderSecrets(agentName, context);
+    if (!structural.ok)
+        return structural;
+    const ping = deps.pingProvider ?? (await Promise.resolve().then(() => __importStar(require("../provider-ping")))).pingProvider;
+    for (const [provider, facings] of selectedProviderMap(context.selectedProviders)) {
+        const result = await ping(provider, context.providers[provider]);
+        if (!result.ok) {
+            return providerPingFailureResult(agentName, provider, facings, result);
+        }
+    }
+    emitConfigValid(agentName, context, true);
     return { ok: true };
 }

package/dist/heart/daemon/cli-exec.js

@@ -39,6 +39,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.mergeStartupStability = mergeStartupStability;
 exports.ensureDaemonRunning = ensureDaemonRunning;
 exports.listGithubCopilotModels = listGithubCopilotModels;
 exports.pingGithubCopilotModel = pingGithubCopilotModel;
@@ -69,6 +70,7 @@ const cli_parse_2 = require("./cli-parse");
 const cli_help_1 = require("./cli-help");
 const cli_render_1 = require("./cli-render");
 const cli_defaults_1 = require("./cli-defaults");
+const agent_config_check_1 = require("./agent-config-check");
 const doctor_1 = require("./doctor");
 const cli_render_doctor_1 = require("./cli-render-doctor");
 const interactive_repair_1 = require("./interactive-repair");
@@ -82,6 +84,61 @@ const DEFAULT_DAEMON_STARTUP_POLL_INTERVAL_MS = 500;
 const DEFAULT_DAEMON_STARTUP_STABILITY_WINDOW_MS = 1_500;
 const DEFAULT_DAEMON_STARTUP_RETRY_LIMIT = 1;
 const DEFAULT_DAEMON_STARTUP_LOG_LINES = 10;
+async function checkAlreadyRunningAgentProviders(deps) {
+    const agents = await Promise.resolve(deps.listDiscoveredAgents ? deps.listDiscoveredAgents() : (0, cli_defaults_1.defaultListDiscoveredAgents)());
+    const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
+    const secretsRoot = deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
+    const degraded = [];
+    for (const agent of agents) {
+        try {
+            const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot, secretsRoot);
+            if (result.ok)
+                continue;
+            const errorReason = result.error ?? "agent provider health check failed";
+            const fixHint = result.fix ?? "";
+            degraded.push({ agent, errorReason, fixHint });
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.agent_config_invalid",
+                message: errorReason,
+                meta: { agent, fix: fixHint, source: "already-running-provider-check" },
+            });
+        }
+        catch (error) {
+            const errorReason = error instanceof Error ? error.message : String(error);
+            degraded.push({
+                agent,
+                errorReason,
+                fixHint: "Run 'ouro doctor' for diagnostics, then retry 'ouro up'.",
+            });
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.agent_config_invalid",
+                message: errorReason,
+                meta: { agent, fix: "ouro doctor", source: "already-running-provider-check" },
+            });
+        }
+    }
+    return degraded;
+}
+function mergeStartupStability(stability, extraDegraded) {
+    if (extraDegraded.length === 0)
+        return stability;
+    const degradedByAgent = new Map();
+    for (const entry of stability?.degraded ?? [])
+        degradedByAgent.set(entry.agent, entry);
+    for (const entry of extraDegraded)
+        degradedByAgent.set(entry.agent, entry);
+    const degraded = [...degradedByAgent.values()];
+    const stable = [];
+    for (const agent of stability?.stable ?? []) {
+        if (!degradedByAgent.has(agent))
+            stable.push(agent);
+    }
+    return { stable, degraded };
+}
 async function ensureDaemonRunning(deps) {
     const readLatestDaemonStartupEvent = () => {
         try {
@@ -1097,6 +1154,12 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                 progress.announceStep?.(label);
             },
         });
+        if (daemonResult.alreadyRunning) {
+            progress.startPhase("provider checks");
+            const providerDegraded = await checkAlreadyRunningAgentProviders(deps);
+            daemonResult.stability = mergeStartupStability(daemonResult.stability, providerDegraded);
+            progress.completePhase("provider checks", providerDegraded.length > 0 ? `${providerDegraded.length} degraded` : "ok");
+        }
         progress.end();
         deps.writeStdout(daemonResult.message);
         // Interactive repair for degraded agents (Unit 5) — skipped by --no-repair (Unit 6)
@@ -1159,9 +1222,9 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                     runInteractiveRepair: interactive_repair_1.runInteractiveRepair,
                     promptInput: deps.promptInput ?? (async () => "n"),
                     writeStdout: deps.writeStdout,
-                    runAuthFlow: async (agent) => {
+                    runAuthFlow: async (agent, providerOverride) => {
                         const { config } = (0, auth_flow_1.readAgentConfigForAgent)(agent, deps.bundlesRoot);
-                        const provider = config.humanFacing.provider;
+                        const provider = providerOverride ?? config.humanFacing.provider;
                         /* v8 ignore next -- tests always inject runAuthFlow; default is for production @preserve */
                         const authRunner = deps.runAuthFlow ?? (await Promise.resolve().then(() => __importStar(require("../auth/auth-flow")))).runRuntimeAuthFlow;
                         await authRunner({ agentName: agent, provider, promptInput: deps.promptInput });

package/dist/heart/daemon/daemon-entry.js

@@ -99,11 +99,11 @@ const processManager = new process_manager_1.DaemonProcessManager({
         autoStart: true,
     })),
     existsSync: fs.existsSync,
-    /* v8 ignore next 4 -- wiring: delegates to checkAgentConfig which has full unit tests @preserve */
-    configCheck: (agent) => {
+    /* v8 ignore next 4 -- wiring: delegates to checkAgentConfigWithProviderHealth which has full unit tests @preserve */
+    configCheck: async (agent) => {
         const bundlesRoot = (0, identity_1.getAgentBundlesRoot)();
         const secretsRoot = path.join(os.homedir(), ".agentsecrets");
-        return (0, agent_config_check_1.checkAgentConfig)(agent, bundlesRoot, secretsRoot);
+        return (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot, secretsRoot);
     },
     /* v8 ignore start -- pulse flush wiring: integration code; flushPulse itself has full unit tests @preserve */
     onSnapshotChange: () => {

package/dist/heart/daemon/interactive-repair.js

@@ -8,6 +8,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runInteractiveRepair = runInteractiveRepair;
 const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
 function isCredentialIssue(degraded) {
     const reason = degraded.errorReason.toLowerCase();
     const hint = degraded.fixHint.toLowerCase();
@@ -16,6 +17,20 @@ function isCredentialIssue(degraded) {
 function isConfigError(degraded) {
     return degraded.fixHint.length > 0 && !isCredentialIssue(degraded);
 }
+function isAgentProvider(value) {
+    return Object.prototype.hasOwnProperty.call(identity_1.PROVIDER_CREDENTIALS, value);
+}
+function extractProviderFromFixHint(fixHint) {
+    const provider = fixHint.match(/--provider\s+([a-z0-9-]+)/)?.[1]
+        ?? fixHint.match(/providers\.([a-z0-9-]+)/)?.[1];
+    if (!provider || !isAgentProvider(provider))
+        return undefined;
+    return provider;
+}
+function authCommandFor(degraded) {
+    const command = degraded.fixHint.match(/ouro auth[^\n.]+/)?.[0]?.trim();
+    return command && command.length > 0 ? command : `ouro auth --agent ${degraded.agent}`;
+}
 async function runInteractiveRepair(degraded, deps) {
     (0, runtime_1.emitNervesEvent)({
         level: "info",
@@ -30,10 +45,17 @@ async function runInteractiveRepair(degraded, deps) {
     let repairsAttempted = false;
     for (const entry of degraded) {
         if (isCredentialIssue(entry)) {
-            const answer = await deps.promptInput(`run \`ouro auth ${entry.agent}\` now? [y/n] `);
+            const provider = extractProviderFromFixHint(entry.fixHint);
+            const authCommand = authCommandFor(entry);
+            const answer = await deps.promptInput(`run \`${authCommand}\` now? [y/n] `);
             if (answer.toLowerCase() === "y") {
                 try {
-                    await deps.runAuthFlow(entry.agent);
+                    if (provider) {
+                        await deps.runAuthFlow(entry.agent, provider);
+                    }
+                    else {
+                        await deps.runAuthFlow(entry.agent);
+                    }
                     repairsAttempted = true;
                 }
                 catch (error) {

package/dist/heart/daemon/process-manager.js

@@ -157,7 +157,7 @@ class DaemonProcessManager {
         state.stopRequested = false;
         state.snapshot.status = "starting";
         if (this.configCheckFn) {
-            const result = this.configCheckFn(agent);
+            const result = await this.configCheckFn(agent);
             if (!result.ok) {
                 state.snapshot.status = "crashed";
                 // Surface the error and fix to the snapshot so sibling agents can

package/dist/heart/provider-ping.js

@@ -13,6 +13,7 @@ const auth_flow_1 = require("./auth/auth-flow");
 const provider_models_1 = require("./provider-models");
 const runtime_1 = require("../nerves/runtime");
 const PING_TIMEOUT_MS = 10_000;
+const DEFAULT_AZURE_API_VERSION = "2025-04-01-preview";
 const PING_CALLBACKS = {
     onModelStart() { },
     onModelStreamStart() { },
@@ -54,25 +55,34 @@ function sanitizeErrorMessage(message) {
 }
 function hasEmptyCredentials(provider, config) {
     const record = config;
+    if (provider === "azure") {
+        const hasManagedIdentity = typeof record.endpoint === "string" && record.endpoint.length > 0 &&
+            typeof record.deployment === "string" && record.deployment.length > 0 &&
+            typeof record.managedIdentityClientId === "string" && record.managedIdentityClientId.length > 0;
+        if (hasManagedIdentity)
+            return false;
+    }
     return identity_1.PROVIDER_CREDENTIALS[provider].required.some((key) => !record[key]);
 }
-function createRuntimeForPing(provider, _config) {
-    // The provider constructors read credentials from the active config via getXxxConfig().
-    // For ping, this is acceptable because verifyProviderCredentials patches the runtime
-    // config before calling ping. Use the same provider defaults as auth switch
-    // and hatch so verification cannot drift to stale provider/model pairings.
+function createRuntimeForPing(provider, config) {
+    // Use the same provider defaults as auth switch and hatch so verification
+    // cannot drift to stale provider/model pairings, and pass the checked
+    // credentials directly so daemon-side pings do not depend on --agent globals.
     const model = (0, provider_models_1.getDefaultModelForProvider)(provider);
     switch (provider) {
         case "anthropic":
-            return (0, anthropic_1.createAnthropicProviderRuntime)(model);
+            return (0, anthropic_1.createAnthropicProviderRuntime)(model, config);
         case "azure":
-            return (0, azure_1.createAzureProviderRuntime)(model);
+            return (0, azure_1.createAzureProviderRuntime)(model, {
+                ...config,
+                apiVersion: config.apiVersion ?? DEFAULT_AZURE_API_VERSION,
+            });
         case "minimax":
-            return (0, minimax_1.createMinimaxProviderRuntime)(model);
+            return (0, minimax_1.createMinimaxProviderRuntime)(model, config);
         case "openai-codex":
-            return (0, openai_codex_1.createOpenAICodexProviderRuntime)(model);
+            return (0, openai_codex_1.createOpenAICodexProviderRuntime)(model, config);
         case "github-copilot":
-            return (0, github_copilot_1.createGithubCopilotProviderRuntime)(model);
+            return (0, github_copilot_1.createGithubCopilotProviderRuntime)(model, config);
         /* v8 ignore next 2 -- exhaustive: all providers handled above @preserve */
         default:
             throw new Error(`unsupported provider for ping: ${provider}`);

package/dist/heart/providers/anthropic.js

@@ -72,8 +72,7 @@ function getAnthropicReauthGuidance(reason) {
         getAnthropicSetupTokenInstructions(),
     ].join("\n");
 }
-function resolveAnthropicSetupTokenCredential() {
-    const anthropicConfig = (0, config_1.getAnthropicConfig)();
+function resolveAnthropicSetupTokenCredential(anthropicConfig = (0, config_1.getAnthropicConfig)()) {
     const token = anthropicConfig.setupToken?.trim();
     if (!token) {
         throw new Error(getAnthropicReauthGuidance("Anthropic provider is selected but no setup-token credential was found."));
@@ -395,14 +394,13 @@ async function streamAnthropicMessages(client, model, request) {
         settleStreamed: answerStreamer.streamed,
     };
 }
-function createAnthropicProviderRuntime(model) {
+function createAnthropicProviderRuntime(model, anthropicConfig = (0, config_1.getAnthropicConfig)()) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "anthropic provider init",
         meta: { provider: "anthropic" },
     });
-    const anthropicConfig = (0, config_1.getAnthropicConfig)();
     if (!anthropicConfig.setupToken) {
         throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.setupToken is missing in secrets.json."));
     }
@@ -410,7 +408,7 @@ function createAnthropicProviderRuntime(model) {
     const capabilities = new Set();
     if (modelCaps.reasoningEffort)
         capabilities.add("reasoning-effort");
-    const credential = resolveAnthropicSetupTokenCredential();
+    const credential = resolveAnthropicSetupTokenCredential(anthropicConfig);
     const refreshToken = anthropicConfig.refreshToken;
     const expiresAt = anthropicConfig.expiresAt;
     function createClient(token) {

package/dist/heart/providers/azure.js

@@ -74,8 +74,7 @@ function createAzureTokenProvider(managedIdentityClientId) {
         }
     };
 }
-function createAzureProviderRuntime(model) {
-    const azureConfig = (0, config_1.getAzureConfig)();
+function createAzureProviderRuntime(model, azureConfig = (0, config_1.getAzureConfig)()) {
     const useApiKey = !!azureConfig.apiKey;
     const authMethod = useApiKey ? "key" : "managed-identity";
     (0, runtime_1.emitNervesEvent)({

package/dist/heart/providers/github-copilot.js

@@ -14,14 +14,13 @@ const error_classification_1 = require("./error-classification");
 function classifyGithubCopilotError(error) {
     return (0, error_classification_1.classifyHttpError)(error);
 }
-function createGithubCopilotProviderRuntime(model) {
+function createGithubCopilotProviderRuntime(model, config = (0, config_1.getGithubCopilotConfig)()) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "github-copilot provider init",
         meta: { provider: "github-copilot" },
     });
-    const config = (0, config_1.getGithubCopilotConfig)();
     if (!config.githubToken) {
         throw new Error("provider 'github-copilot' is selected in agent.json but providers.github-copilot.githubToken is missing in secrets.json.");
     }

package/dist/heart/providers/minimax.js

@@ -21,14 +21,13 @@ function classifyMinimaxError(error) {
 }
 const streaming_1 = require("../streaming");
 const model_capabilities_1 = require("../model-capabilities");
-function createMinimaxProviderRuntime(model) {
+function createMinimaxProviderRuntime(model, minimaxConfig = (0, config_1.getMinimaxConfig)()) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "minimax provider init",
         meta: { provider: "minimax" },
     });
-    const minimaxConfig = (0, config_1.getMinimaxConfig)();
     if (!minimaxConfig.apiKey) {
         throw new Error("provider 'minimax' is selected in agent.json but providers.minimax.apiKey is missing in secrets.json.");
     }

package/dist/heart/providers/openai-codex.js

@@ -87,14 +87,13 @@ function getChatGPTAccountIdFromToken(token) {
         return "";
     return accountId.trim();
 }
-function createOpenAICodexProviderRuntime(model) {
+function createOpenAICodexProviderRuntime(model, codexConfig = (0, config_1.getOpenAICodexConfig)()) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "openai-codex provider init",
         meta: { provider: "openai-codex" },
     });
-    const codexConfig = (0, config_1.getOpenAICodexConfig)();
     if (!codexConfig.oauthAccessToken) {
         throw new Error(getOpenAICodexReauthGuidance("provider 'openai-codex' is selected in agent.json but providers.openai-codex.oauthAccessToken is missing in secrets.json."));
     }

package/dist/mind/prompt.js

@@ -476,7 +476,11 @@ function dateSection() {
     const parts = Object.fromEntries(fmt.formatToParts(now).map((p) => [p.type, p.value]));
     /* v8 ignore next -- Intl hour-24 bug only triggers at midnight @preserve */
     const hour = parts.hour === "24" ? "00" : parts.hour;
-    return `current date and time: ${parts.year}-${parts.month}-${parts.day} ${hour}:${parts.minute} ${parts.timeZoneName}`;
+    const datetime = `${parts.year}-${parts.month}-${parts.day} ${hour}:${parts.minute} ${parts.timeZoneName}`;
+    return [
+        `current date and time: ${datetime}`,
+        "messages in conversations may have a relative-time tag like [-5m] or [-2h] prepended to their content. these indicate how long ago each message was sent relative to now. they are metadata for your orientation only — never echo or reproduce them in your responses.",
+    ].join("\n");
 }
 function uniqueToolsByName(tools) {
     const seen = new Set();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.336",
+  "version": "0.1.0-alpha.338",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",