@ouro.bot/cli 0.1.0-alpha.347 → 0.1.0-alpha.349

package/dist/heart/daemon/cli-exec.js

@@ -63,6 +63,11 @@ const tasks_1 = require("../../repertoire/tasks");
 const thoughts_1 = require("./thoughts");
 const launchd_1 = require("./launchd");
 const auth_flow_1 = require("../auth/auth-flow");
+const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_binding_resolver_1 = require("../provider-binding-resolver");
+const provider_state_1 = require("../provider-state");
+const machine_identity_1 = require("../machine-identity");
+const provider_models_1 = require("../provider-models");
 const ouro_version_manager_1 = require("../versioning/ouro-version-manager");
 const cli_parse_1 = require("./cli-parse");
 const cli_parse_2 = require("./cli-parse");
@@ -411,10 +416,6 @@ async function listGithubCopilotModels(baseUrl, token, fetchImpl = fetch) {
     /* v8 ignore stop */
 }
 // ── Provider credential verification ──
-/* v8 ignore next 3 -- only called from auth.switch inside integration block @preserve */
-function hasStoredCredentials(provider, providerSecrets) {
-    return identity_1.PROVIDER_CREDENTIALS[provider].required.every((key) => !!providerSecrets[key]);
-}
 /* v8 ignore start -- verifyProviderCredentials: delegates to pingProvider @preserve */
 async function verifyProviderCredentials(provider, providers) {
     const config = providers[provider];
@@ -458,6 +459,382 @@ async function resolveHatchInput(command, deps) {
         migrationPath: command.migrationPath,
     };
 }
+// ── Provider state CLI helpers ──
+function providerCliHomeDir(deps) {
+    if (!deps.secretsRoot)
+        return os.homedir();
+    return path.basename(deps.secretsRoot) === ".agentsecrets"
+        ? path.dirname(deps.secretsRoot)
+        : deps.secretsRoot;
+}
+function providerCliAgentRoot(command, deps) {
+    return path.join(deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)(), `${command.agent}.ouro`);
+}
+function providerCliNow(deps) {
+    return new Date((deps.now ?? Date.now)());
+}
+function readOrBootstrapProviderState(agentName, deps) {
+    const agentRoot = providerCliAgentRoot({ agent: agentName }, deps);
+    const readResult = (0, provider_state_1.readProviderState)(agentRoot);
+    if (readResult.ok)
+        return { agentRoot, state: readResult.state };
+    if (readResult.reason === "invalid") {
+        throw new Error(`provider state for ${agentName} is invalid at ${readResult.statePath}: ${readResult.error}`);
+    }
+    const { config } = (0, auth_flow_1.readAgentConfigForAgent)(agentName, deps.bundlesRoot);
+    const homeDir = providerCliHomeDir(deps);
+    const machine = (0, machine_identity_1.loadOrCreateMachineIdentity)({
+        homeDir,
+        now: () => providerCliNow(deps),
+    });
+    const state = (0, provider_state_1.bootstrapProviderStateFromAgentConfig)({
+        machineId: machine.machineId,
+        now: providerCliNow(deps),
+        agentConfig: {
+            humanFacing: {
+                provider: config.humanFacing.provider,
+                model: config.humanFacing.model || (0, provider_models_1.getDefaultModelForProvider)(config.humanFacing.provider),
+            },
+            agentFacing: {
+                provider: config.agentFacing.provider,
+                model: config.agentFacing.model || (0, provider_models_1.getDefaultModelForProvider)(config.agentFacing.provider),
+            },
+        },
+    });
+    (0, provider_state_1.writeProviderState)(agentRoot, state);
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.provider_state_bootstrapped",
+        message: "bootstrapped local provider state from agent config",
+        meta: { agent: agentName, agentRoot },
+    });
+    return { agentRoot, state };
+}
+function credentialPingConfig(record) {
+    return {
+        ...record.credentials,
+        ...record.config,
+    };
+}
+function pingAttemptCount(result) {
+    if (typeof result.attempts === "number")
+        return result.attempts;
+    if (Array.isArray(result.attempts))
+        return result.attempts.length;
+    return undefined;
+}
+function providerCliLegacyRecord(agent, provider, deps) {
+    try {
+        const legacyCandidates = (0, provider_credential_pool_1.readLegacyAgentProviderCredentials)({
+            homeDir: providerCliHomeDir(deps),
+            agentName: agent,
+        });
+        const candidate = legacyCandidates.find((entry) => entry.provider === provider);
+        if (candidate)
+            return { credentials: candidate.credentials, config: candidate.config };
+    }
+    catch {
+        // Fall through to the injected/secretsRoot-aware legacy reader below.
+    }
+    try {
+        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(agent, { secretsRoot: deps.secretsRoot });
+        const providerSecrets = secrets.providers[provider];
+        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(provider, providerSecrets);
+        if (Object.keys(split.credentials).length === 0 && Object.keys(split.config).length === 0)
+            return null;
+        return split;
+    }
+    catch {
+        return null;
+    }
+}
+function readProviderCredentialRecord(agent, provider, deps) {
+    const homeDir = providerCliHomeDir(deps);
+    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir);
+    if (poolResult.ok) {
+        const existing = poolResult.pool.providers[provider];
+        if (existing)
+            return { ok: true, record: existing };
+    }
+    else if (poolResult.reason === "invalid") {
+        return { ok: false, reason: "invalid", poolPath: poolResult.poolPath, error: poolResult.error };
+    }
+    const legacy = providerCliLegacyRecord(agent, provider, deps);
+    if (legacy) {
+        const record = (0, provider_credential_pool_1.upsertProviderCredential)({
+            homeDir,
+            provider,
+            credentials: legacy.credentials,
+            config: legacy.config,
+            provenance: {
+                source: "legacy-agent-secrets",
+                contributedByAgent: agent,
+            },
+            now: providerCliNow(deps),
+        });
+        return { ok: true, record };
+    }
+    return {
+        ok: false,
+        reason: "missing",
+        poolPath: poolResult.poolPath,
+        error: `no credentials stored for ${provider}`,
+    };
+}
+function writeProviderBinding(input) {
+    const updatedAt = providerCliNow(input.deps).toISOString();
+    input.state.updatedAt = updatedAt;
+    input.state.lanes[input.lane] = {
+        provider: input.provider,
+        model: input.model,
+        source: "local",
+        updatedAt,
+    };
+    input.state.readiness[input.lane] = {
+        status: input.status,
+        provider: input.provider,
+        model: input.model,
+        checkedAt: updatedAt,
+        ...(input.credentialRevision ? { credentialRevision: input.credentialRevision } : {}),
+        ...(input.error ? { error: input.error } : {}),
+        ...(input.attempts !== undefined ? { attempts: input.attempts } : {}),
+    };
+    (0, provider_state_1.writeProviderState)(input.agentRoot, input.state);
+}
+function writeProviderReadiness(input) {
+    const checkedAt = providerCliNow(input.deps).toISOString();
+    input.state.updatedAt = checkedAt;
+    input.state.readiness[input.lane] = {
+        status: input.status,
+        provider: input.provider,
+        model: input.model,
+        checkedAt,
+        credentialRevision: input.credentialRevision,
+        ...(input.error ? { error: input.error } : {}),
+        ...(input.attempts !== undefined ? { attempts: input.attempts } : {}),
+    };
+    (0, provider_state_1.writeProviderState)(input.agentRoot, input.state);
+}
+async function executeProviderUse(command, deps, options = {}) {
+    const writeMessage = (message) => {
+        if (options.writeStdout !== false)
+            deps.writeStdout(message);
+        return message;
+    };
+    const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
+    const credential = readProviderCredentialRecord(command.agent, command.provider, deps);
+    if (!credential.ok) {
+        if (!command.force) {
+            const message = [
+                `no credentials stored for ${command.provider}.`,
+                `Run \`ouro auth --agent ${command.agent} --provider ${command.provider}\` first.`,
+            ].join("\n");
+            return writeMessage(message);
+        }
+        writeProviderBinding({
+            agentRoot,
+            state,
+            lane: command.lane,
+            provider: command.provider,
+            model: command.model,
+            deps,
+            status: "failed",
+            error: credential.error,
+        });
+        const message = `forced ${command.agent} ${command.lane} to ${command.provider} / ${command.model}: failed (${credential.error})`;
+        return writeMessage(message);
+    }
+    const pingResult = await (0, provider_ping_1.pingProvider)(command.provider, credentialPingConfig(credential.record), {
+        model: command.model,
+        attemptPolicy: { baseDelayMs: 0 },
+        sleep: deps.sleep,
+    });
+    const attempts = pingAttemptCount(pingResult);
+    if (!pingResult.ok && !command.force) {
+        const message = [
+            `${command.agent} ${command.lane} ${command.provider} / ${command.model}: failed (${pingResult.message})`,
+            `Fix credentials with \`ouro auth --agent ${command.agent} --provider ${command.provider}\` or force the local binding with \`ouro use --agent ${command.agent} --lane ${command.lane} --provider ${command.provider} --model ${command.model} --force\`.`,
+        ].join("\n");
+        return writeMessage(message);
+    }
+    writeProviderBinding({
+        agentRoot,
+        state,
+        lane: command.lane,
+        provider: command.provider,
+        model: command.model,
+        deps,
+        status: pingResult.ok ? "ready" : "failed",
+        credentialRevision: credential.record.revision,
+        ...(!pingResult.ok ? { error: pingResult.message } : {}),
+        ...(attempts !== undefined ? { attempts } : {}),
+    });
+    const status = pingResult.ok ? "ready" : `failed (${pingResult.message})`;
+    const message = `${command.force ? "forced " : ""}${command.agent} ${command.lane} ${command.provider} / ${command.model}: ${status}`;
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.provider_use_completed",
+        message: "provider use command completed",
+        meta: { agent: command.agent, lane: command.lane, provider: command.provider, model: command.model, status: pingResult.ok ? "ready" : "failed" },
+    });
+    return writeMessage(message);
+}
+async function executeProviderCheck(command, deps) {
+    const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
+    const binding = state.lanes[command.lane];
+    const credential = readProviderCredentialRecord(command.agent, binding.provider, deps);
+    if (!credential.ok) {
+        const message = [
+            `${command.agent} ${command.lane} ${binding.provider} / ${binding.model}: unknown (${credential.error})`,
+            `Run \`ouro auth --agent ${command.agent} --provider ${binding.provider}\` first.`,
+        ].join("\n");
+        deps.writeStdout(message);
+        return message;
+    }
+    const pingResult = await (0, provider_ping_1.pingProvider)(binding.provider, credentialPingConfig(credential.record), {
+        model: binding.model,
+        attemptPolicy: { baseDelayMs: 0 },
+        sleep: deps.sleep,
+    });
+    const attempts = pingAttemptCount(pingResult);
+    writeProviderReadiness({
+        agentRoot,
+        state,
+        lane: command.lane,
+        provider: binding.provider,
+        model: binding.model,
+        deps,
+        status: pingResult.ok ? "ready" : "failed",
+        credentialRevision: credential.record.revision,
+        ...(!pingResult.ok ? { error: pingResult.message } : {}),
+        ...(attempts !== undefined ? { attempts } : {}),
+    });
+    const status = pingResult.ok ? "ready" : `failed (${pingResult.message})`;
+    const message = `${command.agent} ${command.lane} ${binding.provider} / ${binding.model}: ${status}`;
+    deps.writeStdout(message);
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.provider_check_completed",
+        message: "provider check command completed",
+        meta: { agent: command.agent, lane: command.lane, provider: binding.provider, model: binding.model, status: pingResult.ok ? "ready" : "failed" },
+    });
+    return message;
+}
+function renderProviderCredentialLine(credential) {
+    if (credential.status === "present") {
+        const contributor = credential.contributedByAgent ? ` by ${credential.contributedByAgent}` : "";
+        const credentialFields = credential.credentialFields.length > 0 ? ` credentials: ${credential.credentialFields.join(", ")}` : " credentials: none";
+        const configFields = credential.configFields.length > 0 ? ` config: ${credential.configFields.join(", ")}` : " config: none";
+        return `credentials: present (${credential.source}${contributor}; ${credential.revision};${credentialFields};${configFields})`;
+    }
+    if (credential.status === "invalid-pool") {
+        return `credentials: invalid pool (${credential.error}); repair: ${credential.repair.command}`;
+    }
+    return `credentials: missing; repair: ${credential.repair.command}`;
+}
+function executeProviderStatus(command, deps) {
+    const agentRoot = providerCliAgentRoot(command, deps);
+    const homeDir = providerCliHomeDir(deps);
+    const lines = [`provider status: ${command.agent}`];
+    for (const lane of ["outward", "inner"]) {
+        const resolved = (0, provider_binding_resolver_1.resolveEffectiveProviderBinding)({
+            agentName: command.agent,
+            agentRoot,
+            homeDir,
+            lane,
+        });
+        if (!resolved.ok) {
+            lines.push(`  ${lane}: unavailable`);
+            lines.push(`    ${resolved.reason}: ${resolved.repair.command}`);
+            continue;
+        }
+        const binding = resolved.binding;
+        lines.push(`  ${lane}: ${binding.provider} / ${binding.model} (${binding.source})`);
+        lines.push(`    readiness: ${binding.readiness.status}${binding.readiness.error ? ` (${binding.readiness.error})` : ""}`);
+        lines.push(`    ${renderProviderCredentialLine(binding.credential)}`);
+        for (const warning of binding.warnings) {
+            lines.push(`    warning: ${warning.message}`);
+        }
+    }
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeLegacyAuthSwitch(command, deps) {
+    const { state } = readOrBootstrapProviderState(command.agent, deps);
+    const lanes = command.facing
+        ? [command.facing === "human" ? "outward" : "inner"]
+        : ["outward", "inner"];
+    const messages = [];
+    for (const lane of lanes) {
+        const model = state.lanes[lane].model;
+        messages.push(await executeProviderUse({
+            kind: "provider.use",
+            agent: command.agent,
+            lane,
+            provider: command.provider,
+            model,
+            legacyFacing: command.facing,
+        }, deps, { writeStdout: false }));
+    }
+    const message = [
+        `deprecated: switched this machine's local provider binding. \`ouro auth switch\` no longer edits agent.json.`,
+        ...messages,
+        `Use \`ouro use --agent ${command.agent} --lane <outward|inner> --provider ${command.provider} --model <model>\` for explicit provider/model selection.`,
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeLegacyConfigModel(command, deps) {
+    const lane = command.facing === "agent" ? "inner" : "outward";
+    const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
+    const binding = state.lanes[lane];
+    if (binding.provider === "github-copilot") {
+        const credential = readProviderCredentialRecord(command.agent, "github-copilot", deps);
+        if (credential.ok) {
+            const ghConfig = {
+                ...credential.record.config,
+                ...credential.record.credentials,
+            };
+            const githubToken = ghConfig.githubToken;
+            const baseUrl = ghConfig.baseUrl;
+            if (typeof githubToken === "string" && typeof baseUrl === "string") {
+                const fetchFn = deps.fetchImpl ?? fetch;
+                try {
+                    const models = await listGithubCopilotModels(baseUrl, githubToken, fetchFn);
+                    const available = models.map((m) => m.id);
+                    if (available.length > 0 && !available.includes(command.modelName)) {
+                        const message = `model '${command.modelName}' not found. available models:\n${available.map((id) => `  ${id}`).join("\n")}`;
+                        deps.writeStdout(message);
+                        return message;
+                    }
+                }
+                catch {
+                    // Catalog validation failed; the live ping below gives the actionable result.
+                }
+                const pingResult = await (0, provider_ping_1.pingGithubCopilotModel)(baseUrl, githubToken, command.modelName, fetchFn);
+                if (!pingResult.ok) {
+                    const message = `model '${command.modelName}' ping failed: ${pingResult.error}\nrun \`ouro config models --agent ${command.agent}\` to see available models.`;
+                    deps.writeStdout(message);
+                    return message;
+                }
+            }
+        }
+    }
+    const updatedAt = providerCliNow(deps).toISOString();
+    state.updatedAt = updatedAt;
+    state.lanes[lane] = {
+        ...binding,
+        model: command.modelName,
+        source: "local",
+        updatedAt,
+    };
+    delete state.readiness[lane];
+    (0, provider_state_1.writeProviderState)(agentRoot, state);
+    const message = `deprecated: updated ${command.agent} model on ${lane}/${binding.provider}: ${binding.model} -> ${command.modelName}\nUse \`ouro use --agent ${command.agent} --lane ${lane} --provider ${binding.provider} --model ${command.modelName}\` next time.`;
+    deps.writeStdout(message);
+    return message;
+}
 // ── System setup ──
 async function registerOuroBundleTypeNonBlocking(deps) {
     const registerOuroBundleType = deps.registerOuroBundleType;
@@ -1731,6 +2108,16 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         deps.writeStdout(message);
         return message;
     }
+    // ── provider state commands (local, no daemon socket needed) ──
+    if (command.kind === "provider.use") {
+        return executeProviderUse(command, deps);
+    }
+    if (command.kind === "provider.check") {
+        return executeProviderCheck(command, deps);
+    }
+    if (command.kind === "provider.status") {
+        return executeProviderStatus(command, deps);
+    }
     // ── auth (local, no daemon socket needed) ──
     if (command.kind === "auth.run") {
         const provider = command.provider ?? (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot).config.humanFacing.provider;
@@ -1741,6 +2128,21 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             provider,
             promptInput: deps.promptInput,
         });
+        const credentials = (result.credentials ?? {});
+        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(provider, credentials);
+        if (Object.keys(split.credentials).length > 0 || Object.keys(split.config).length > 0) {
+            (0, provider_credential_pool_1.upsertProviderCredential)({
+                homeDir: providerCliHomeDir(deps),
+                provider,
+                credentials: split.credentials,
+                config: split.config,
+                provenance: {
+                    source: "auth-flow",
+                    contributedByAgent: command.agent,
+                },
+                now: providerCliNow(deps),
+            });
+        }
         // Behavior: ouro auth stores credentials only — does NOT switch provider.
         // Use `ouro auth switch` to change the active provider.
         deps.writeStdout(result.message);
@@ -1779,39 +2181,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     }
     // ── auth switch (local, no daemon socket needed) ──
     if (command.kind === "auth.switch") {
-        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-        const providerSecrets = secrets.providers[command.provider];
-        if (!providerSecrets || !hasStoredCredentials(command.provider, providerSecrets)) {
-            const message = `no credentials stored for ${command.provider}. Run \`ouro auth --agent ${command.agent} --provider ${command.provider}\` first.`;
-            deps.writeStdout(message);
-            return message;
-        }
-        // Verify credentials actually work before switching
-        const status = await verifyProviderCredentials(command.provider, secrets.providers);
-        if (!status.startsWith("ok")) {
-            const message = `${command.provider}: ${status}. fix credentials with \`ouro auth --agent ${command.agent} --provider ${command.provider}\` before switching.`;
-            deps.writeStdout(message);
-            return message;
-        }
-        if (command.facing) {
-            (0, auth_flow_1.writeAgentProviderSelection)(command.agent, command.facing, command.provider, deps.bundlesRoot);
-        }
-        else {
-            (0, auth_flow_1.writeAgentProviderSelection)(command.agent, "human", command.provider, deps.bundlesRoot);
-            (0, auth_flow_1.writeAgentProviderSelection)(command.agent, "agent", command.provider, deps.bundlesRoot);
-        }
-        const { config: updatedConfig } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
-        const facingSummary = command.facing
-            ? (() => {
-                const facingConfig = command.facing === "human" ? updatedConfig.humanFacing : updatedConfig.agentFacing;
-                return `${command.facing} model: ${facingConfig.model}`;
-            })()
-            : updatedConfig.humanFacing.model === updatedConfig.agentFacing.model
-                ? `model: ${updatedConfig.humanFacing.model}`
-                : `human model: ${updatedConfig.humanFacing.model}; agent model: ${updatedConfig.agentFacing.model}`;
-        const message = `switched ${command.agent} to ${command.provider} (${facingSummary}; verified working)`;
-        deps.writeStdout(message);
-        return message;
+        return executeLegacyAuthSwitch(command, deps);
     }
     /* v8 ignore stop */
     // ── config models (local, no daemon socket needed) ──
@@ -1849,42 +2219,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     // ── config model (local, no daemon socket needed) ──
     /* v8 ignore start -- config model: tested via daemon-cli.test.ts @preserve */
     if (command.kind === "config.model") {
-        const facing = command.facing ?? "human";
-        // Validate model availability for github-copilot before writing
-        const { config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
-        const facingConfig = facing === "human" ? config.humanFacing : config.agentFacing;
-        if (facingConfig.provider === "github-copilot") {
-            const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-            const ghConfig = secrets.providers["github-copilot"];
-            if (ghConfig.githubToken && ghConfig.baseUrl) {
-                const fetchFn = deps.fetchImpl ?? fetch;
-                try {
-                    const models = await listGithubCopilotModels(ghConfig.baseUrl, ghConfig.githubToken, fetchFn);
-                    const available = models.map((m) => m.id);
-                    if (available.length > 0 && !available.includes(command.modelName)) {
-                        const message = `model '${command.modelName}' not found. available models:\n${available.map((id) => `  ${id}`).join("\n")}`;
-                        deps.writeStdout(message);
-                        return message;
-                    }
-                }
-                catch {
-                    // Catalog validation failed — fall through to ping test
-                }
-                // Ping test: verify the model actually works before switching
-                const pingResult = await (0, provider_ping_1.pingGithubCopilotModel)(ghConfig.baseUrl, ghConfig.githubToken, command.modelName, fetchFn);
-                if (!pingResult.ok) {
-                    const message = `model '${command.modelName}' ping failed: ${pingResult.error}\nrun \`ouro config models --agent ${command.agent}\` to see available models.`;
-                    deps.writeStdout(message);
-                    return message;
-                }
-            }
-        }
-        const { provider, previousModel } = (0, auth_flow_1.writeAgentModel)(command.agent, facing, command.modelName, { bundlesRoot: deps.bundlesRoot });
-        const message = previousModel
-            ? `updated ${command.agent} model on ${provider}: ${previousModel} → ${command.modelName}`
-            : `set ${command.agent} model on ${provider}: ${command.modelName}`;
-        deps.writeStdout(message);
-        return message;
+        return executeLegacyConfigModel(command, deps);
     }
     /* v8 ignore stop */
     // ── whoami (local, no daemon socket needed) ──

package/dist/heart/daemon/cli-parse.js

@@ -8,6 +8,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.extractAgentFlag = extractAgentFlag;
 exports.extractFacingFlag = extractFacingFlag;
+exports.facingToProviderLane = facingToProviderLane;
 exports.isAgentProvider = isAgentProvider;
 exports.usage = usage;
 exports.parseMcpServeCommand = parseMcpServeCommand;
@@ -34,6 +35,23 @@ function extractFacingFlag(args) {
     const rest = [...args.slice(0, idx), ...args.slice(idx + 2)];
     return { facing: value, rest };
 }
+function facingToProviderLane(facing) {
+    return facing === "human" ? "outward" : "inner";
+}
+function isProviderLane(value) {
+    return value === "outward" || value === "inner";
+}
+function extractLaneFlag(args) {
+    const idx = args.indexOf("--lane");
+    if (idx === -1 || idx + 1 >= args.length)
+        return { rest: args };
+    const value = args[idx + 1];
+    if (!isProviderLane(value)) {
+        throw new Error("--lane must be 'outward' or 'inner'");
+    }
+    const rest = [...args.slice(0, idx), ...args.slice(idx + 2)];
+    return { lane: value, rest };
+}
 function isAgentProvider(value) {
     return value === "azure" || value === "anthropic" || value === "minimax" || value === "openai-codex" || value === "github-copilot";
 }
@@ -43,6 +61,9 @@ function usage() {
         "  ouro [up] [--no-repair]",
         "  ouro dev [--repo-path <path>] [--clone [--clone-path <path>]]",
         "  ouro stop|down|status|logs|hatch",
+        "  ouro status --agent <name>",
+        "  ouro use --agent <name> --lane outward|inner --provider <provider> --model <model> [--force]",
+        "  ouro check --agent <name> --lane outward|inner",
         "  ouro outlook [--json]",
         "  ouro -v|--version",
         "  ouro config model --agent <name> <model-name>",
@@ -403,6 +424,63 @@ function parseAuthCommand(args) {
     }
     return provider ? { kind: "auth.run", agent, provider } : { kind: "auth.run", agent };
 }
+function parseProviderUseCommand(args) {
+    const { agent, rest: afterAgent } = extractAgentFlag(args);
+    const { facing, rest: afterFacing } = extractFacingFlag(afterAgent);
+    const { lane, rest } = extractLaneFlag(afterFacing);
+    let provider;
+    let model;
+    let force = false;
+    for (let i = 0; i < rest.length; i += 1) {
+        const token = rest[i];
+        if (token === "--provider") {
+            const value = rest[i + 1];
+            if (!isAgentProvider(value))
+                throw new Error(`Usage: ouro use --agent <name> --lane outward|inner --provider <provider> --model <model>`);
+            provider = value;
+            i += 1;
+            continue;
+        }
+        if (token === "--model") {
+            model = rest[i + 1];
+            i += 1;
+            continue;
+        }
+        if (token === "--force") {
+            force = true;
+            continue;
+        }
+        throw new Error("Usage: ouro use --agent <name> --lane outward|inner --provider <provider> --model <model> [--force]");
+    }
+    const resolvedLane = lane ?? (facing ? facingToProviderLane(facing) : undefined);
+    if (!agent || !resolvedLane || !provider || !model) {
+        throw new Error("Usage: ouro use --agent <name> --lane outward|inner --provider <provider> --model <model> [--force]");
+    }
+    return {
+        kind: "provider.use",
+        agent,
+        lane: resolvedLane,
+        provider,
+        model,
+        ...(force ? { force: true } : {}),
+        ...(facing ? { legacyFacing: facing } : {}),
+    };
+}
+function parseProviderCheckCommand(args) {
+    const { agent, rest: afterAgent } = extractAgentFlag(args);
+    const { facing, rest: afterFacing } = extractFacingFlag(afterAgent);
+    const { lane, rest } = extractLaneFlag(afterFacing);
+    const resolvedLane = lane ?? (facing ? facingToProviderLane(facing) : undefined);
+    if (!agent || !resolvedLane || rest.length > 0) {
+        throw new Error("Usage: ouro check --agent <name> --lane outward|inner");
+    }
+    return {
+        kind: "provider.check",
+        agent,
+        lane: resolvedLane,
+        ...(facing ? { legacyFacing: facing } : {}),
+    };
+}
 function parseReminderCommand(args) {
     const { agent, rest: cleaned } = extractAgentFlag(args);
     const [sub, ...rest] = cleaned;
@@ -750,8 +828,19 @@ function parseOuroCommand(args) {
         return { kind: "versions" };
     if (head === "stop" || head === "down")
         return { kind: "daemon.stop" };
-    if (head === "status")
+    if (head === "status") {
+        const { agent, rest } = extractAgentFlag(args.slice(1));
+        if (agent) {
+            if (rest.length > 0)
+                throw new Error("Usage: ouro status --agent <name>");
+            return { kind: "provider.status", agent };
+        }
         return { kind: "daemon.status" };
+    }
+    if (head === "use")
+        return parseProviderUseCommand(args.slice(1));
+    if (head === "check")
+        return parseProviderCheckCommand(args.slice(1));
     if (head === "logs") {
         if (second === "prune")
             return { kind: "daemon.logs.prune" };