@ouro.bot/cli 0.1.0-alpha.349 → 0.1.0-alpha.350

package/changelog.json

@@ -1,6 +1,12 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.350",
+      "changes": [
+        "`ouro up`, hatch, and doctor now use the same local provider-state and machine-credential readiness path: new agents get bootstrapped `state/providers.json`, startup checks ping the selected lane/provider/model with machine-wide credentials, readiness is persisted per lane, legacy per-agent secrets migrate into `~/.agentsecrets/providers.json`, and doctor checks provider-pool/state safety without exposing secrets."
+      ]
+    },
     {
       "version": "0.1.0-alpha.349",
       "changes": [

package/dist/heart/daemon/agent-config-check.js

@@ -39,9 +39,19 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
+const provider_models_1 = require("../provider-models");
+const machine_identity_1 = require("../machine-identity");
+const provider_state_1 = require("../provider-state");
+const provider_credential_pool_1 = require("../provider-credential-pool");
 function isAgentProvider(value) {
     return Object.prototype.hasOwnProperty.call(identity_1.PROVIDER_CREDENTIALS, value);
 }
+function agentRootFor(agentName, bundlesRoot) {
+    return path.join(bundlesRoot, `${agentName}.ouro`);
+}
+function configPathFor(agentName, bundlesRoot) {
+    return path.join(agentRootFor(agentName, bundlesRoot), "agent.json");
+}
 function formatFacingList(facings) {
     if (facings.length === 1)
         return facings[0];
@@ -199,6 +209,119 @@ function readConfigCheckContext(agentName, bundlesRoot, secretsRoot) {
         },
     };
 }
+function readAgentConfigForProviderState(agentName, bundlesRoot) {
+    const agentJsonPath = configPathFor(agentName, bundlesRoot);
+    let raw;
+    try {
+        raw = fs.readFileSync(agentJsonPath, "utf-8");
+    }
+    catch {
+        return {
+            ok: false,
+            result: {
+                ok: false,
+                error: `agent.json not found at ${agentJsonPath}`,
+                fix: `Run 'ouro hatch ${agentName}' to create the agent bundle, or verify that ${bundlesRoot}/${agentName}.ouro/ exists.`,
+            },
+        };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return {
+            ok: false,
+            result: {
+                ok: false,
+                error: `agent.json at ${agentJsonPath} contains invalid JSON`,
+                fix: `Open ${agentJsonPath} and fix the JSON syntax.`,
+            },
+        };
+    }
+    if (parsed.enabled === false) {
+        return { ok: true, disabled: true, agentJsonPath, parsed };
+    }
+    return { ok: true, disabled: false, agentJsonPath, parsed };
+}
+function readFacingForBootstrap(parsed, facing, agentName, agentJsonPath) {
+    const providerResult = resolveFacingProvider(parsed, facing, agentName, agentJsonPath);
+    if (!providerResult.ok) {
+        return {
+            ok: false,
+            result: {
+                ok: false,
+                error: providerResult.result.error,
+                fix: `Run 'ouro use --agent ${agentName} --lane ${facing === "humanFacing" ? "outward" : "inner"} --provider <provider> --model <model>' to configure this machine's provider binding.`,
+            },
+        };
+    }
+    const raw = parsed[facing];
+    const model = typeof raw.model === "string" && raw.model.trim().length > 0
+        ? raw.model.trim()
+        : (0, provider_models_1.getDefaultModelForProvider)(providerResult.selected.provider);
+    return { ok: true, provider: providerResult.selected.provider, model };
+}
+function bootstrapMissingProviderState(input) {
+    const outward = readFacingForBootstrap(input.parsed, "humanFacing", input.agentName, input.agentJsonPath);
+    if (!outward.ok)
+        return { ok: false, error: outward.result.error, fix: outward.result.fix };
+    const inner = readFacingForBootstrap(input.parsed, "agentFacing", input.agentName, input.agentJsonPath);
+    if (!inner.ok)
+        return { ok: false, error: inner.result.error, fix: inner.result.fix };
+    const now = new Date();
+    const homeDir = (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(input.secretsRoot);
+    const machine = (0, machine_identity_1.loadOrCreateMachineIdentity)({ homeDir, now: () => now });
+    const state = (0, provider_state_1.bootstrapProviderStateFromAgentConfig)({
+        machineId: machine.machineId,
+        now,
+        agentConfig: {
+            humanFacing: { provider: outward.provider, model: outward.model },
+            agentFacing: { provider: inner.provider, model: inner.model },
+        },
+    });
+    const agentRoot = agentRootFor(input.agentName, input.bundlesRoot);
+    (0, provider_state_1.writeProviderState)(agentRoot, state);
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.provider_state_bootstrapped",
+        message: "bootstrapped local provider state from agent config",
+        meta: { agent: input.agentName, agentRoot },
+    });
+    return { ok: true, agentRoot, state };
+}
+function readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, secretsRoot) {
+    const configResult = readAgentConfigForProviderState(agentName, bundlesRoot);
+    if (!configResult.ok)
+        return { ok: false, result: configResult.result };
+    if (configResult.disabled)
+        return { ok: true, disabled: true };
+    const agentRoot = agentRootFor(agentName, bundlesRoot);
+    const stateResult = (0, provider_state_1.readProviderState)(agentRoot);
+    if (stateResult.ok) {
+        return { ok: true, disabled: false, agentRoot, state: stateResult.state };
+    }
+    if (stateResult.reason === "invalid") {
+        return {
+            ok: false,
+            result: {
+                ok: false,
+                error: `provider state for ${agentName} is invalid at ${stateResult.statePath}: ${stateResult.error}`,
+                fix: `Run 'ouro use --agent ${agentName} --lane outward --provider <provider> --model <model> --force' to rewrite this machine's provider binding.`,
+            },
+        };
+    }
+    const bootstrap = bootstrapMissingProviderState({
+        agentName,
+        bundlesRoot,
+        secretsRoot,
+        parsed: configResult.parsed,
+        agentJsonPath: configResult.agentJsonPath,
+    });
+    if (!bootstrap.ok)
+        return { ok: false, result: bootstrap };
+    return { ok: true, disabled: false, agentRoot: bootstrap.agentRoot, state: bootstrap.state };
+}
 function validateSelectedProviderSecrets(agentName, context) {
     for (const [provider, facings] of selectedProviderMap(context.selectedProviders)) {
         const desc = identity_1.PROVIDER_CREDENTIALS[provider];
@@ -246,16 +369,101 @@ function emitConfigValid(agentName, context, liveProviderCheck) {
         },
     });
 }
-function providerPingFailureResult(agentName, provider, facings, result) {
-    const selectedBy = formatFacingList(facings);
-    const authFix = `Run 'ouro auth --agent ${agentName} --provider ${provider}' to refresh credentials.`;
-    const verifyFix = `Run 'ouro auth verify --agent ${agentName} --provider ${provider}' for details.`;
+function providerCredentialConfig(record) {
+    return {
+        ...record.credentials,
+        ...record.config,
+    };
+}
+function pingAttemptCount(result) {
+    if (Array.isArray(result.attempts))
+        return result.attempts.length;
+    return undefined;
+}
+function writeLaneReadiness(input) {
+    const binding = input.state.lanes[input.lane];
+    const checkedAt = new Date().toISOString();
+    input.state.updatedAt = checkedAt;
+    input.state.readiness[input.lane] = {
+        status: input.status,
+        provider: binding.provider,
+        model: binding.model,
+        checkedAt,
+        credentialRevision: input.credentialRevision,
+        ...(input.error ? { error: input.error } : {}),
+        ...(input.attempts !== undefined ? { attempts: input.attempts } : {}),
+    };
+    (0, provider_state_1.writeProviderState)(input.agentRoot, input.state);
+}
+function legacyProviderCredentialCandidates(agentName, secretsRoot) {
+    const secretsPath = path.join(secretsRoot, agentName, "secrets.json");
+    let parsed;
+    try {
+        parsed = JSON.parse(fs.readFileSync(secretsPath, "utf-8"));
+    }
+    catch {
+        return [];
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+        return [];
+    const providers = parsed.providers;
+    if (!providers || typeof providers !== "object" || Array.isArray(providers))
+        return [];
+    const candidates = [];
+    for (const [providerKey, rawConfig] of Object.entries(providers)) {
+        if (!isAgentProvider(providerKey) || !rawConfig || typeof rawConfig !== "object" || Array.isArray(rawConfig)) {
+            continue;
+        }
+        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(providerKey, rawConfig);
+        if (Object.keys(split.credentials).length === 0 && Object.keys(split.config).length === 0)
+            continue;
+        candidates.push({ provider: providerKey, credentials: split.credentials, config: split.config });
+    }
+    return candidates;
+}
+function readPoolWithLegacyMigration(agentName, homeDir, secretsRoot) {
+    const initial = (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir);
+    if (initial.ok || initial.reason === "invalid")
+        return initial;
+    const candidates = legacyProviderCredentialCandidates(agentName, secretsRoot);
+    for (const candidate of candidates) {
+        (0, provider_credential_pool_1.upsertProviderCredential)({
+            homeDir,
+            provider: candidate.provider,
+            credentials: candidate.credentials,
+            config: candidate.config,
+            provenance: {
+                source: "legacy-agent-secrets",
+                contributedByAgent: agentName,
+            },
+        });
+    }
+    return candidates.length > 0 ? (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir) : initial;
+}
+function missingCredentialResult(agentName, lane, provider, model, poolPath) {
+    return {
+        ok: false,
+        error: `${lane} provider ${provider} model ${model} has no credentials in the machine provider pool at ${poolPath}`,
+        fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to authenticate this machine, or run 'ouro use --agent ${agentName} --lane ${lane} --provider <provider> --model <model>' to choose a working provider/model.`,
+    };
+}
+function invalidPoolResult(agentName, lane, provider, model, pool) {
+    return {
+        ok: false,
+        error: `${lane} provider ${provider} model ${model} cannot read machine provider credentials at ${pool.poolPath}: ${pool.error}`,
+        fix: `Fix ${pool.poolPath}, then run 'ouro auth --agent ${agentName} --provider ${provider}' or 'ouro use --agent ${agentName} --lane ${lane} --provider <provider> --model <model> --force'.`,
+    };
+}
+function failedPingResult(agentName, lane, provider, model, result) {
     return {
         ok: false,
-        error: `selected provider ${provider} for ${selectedBy} failed health check: ${result.message}`,
-        fix: `${result.classification === "auth-failure" ? authFix : verifyFix} Or switch the affected facing to a working provider.`,
+        error: `${lane} provider ${provider} model ${model} failed live check: ${result.message}`,
+        fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to refresh credentials, or run 'ouro use --agent ${agentName} --lane ${lane} --provider <provider> --model <model>' to switch this lane.`,
     };
 }
+function credentialRecordForLane(pool, provider) {
+    return pool.providers[provider];
+}
 /**
  * Pre-spawn validation: ensures agent.json exists and required secrets are present.
  * Returns `{ ok: true }` when the agent is ready to run, or a descriptive error
@@ -273,20 +481,81 @@ function checkAgentConfig(agentName, bundlesRoot, secretsRoot) {
     return { ok: true };
 }
 async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, secretsRoot, deps = {}) {
-    const contextResult = readConfigCheckContext(agentName, bundlesRoot, secretsRoot);
-    if (!contextResult.ok)
-        return contextResult.result;
-    const context = contextResult.context;
-    const structural = validateSelectedProviderSecrets(agentName, context);
-    if (!structural.ok)
-        return structural;
+    const stateResult = readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, secretsRoot);
+    if (!stateResult.ok)
+        return stateResult.result;
+    if (stateResult.disabled)
+        return { ok: true };
     const ping = deps.pingProvider ?? (await Promise.resolve().then(() => __importStar(require("../provider-ping")))).pingProvider;
-    for (const [provider, facings] of selectedProviderMap(context.selectedProviders)) {
-        const result = await ping(provider, context.providers[provider]);
+    const homeDir = (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(secretsRoot);
+    const poolResult = readPoolWithLegacyMigration(agentName, homeDir, secretsRoot);
+    const pingGroups = new Map();
+    const lanes = ["outward", "inner"];
+    for (const lane of lanes) {
+        const binding = stateResult.state.lanes[lane];
+        if (!poolResult.ok) {
+            if (poolResult.reason === "missing") {
+                return missingCredentialResult(agentName, lane, binding.provider, binding.model, poolResult.poolPath);
+            }
+            return invalidPoolResult(agentName, lane, binding.provider, binding.model, {
+                ...poolResult,
+                reason: "invalid",
+            });
+        }
+        const record = credentialRecordForLane(poolResult.pool, binding.provider);
+        if (!record) {
+            return missingCredentialResult(agentName, lane, binding.provider, binding.model, poolResult.poolPath);
+        }
+        const key = `${binding.provider}\0${binding.model}\0${record.revision}`;
+        const group = pingGroups.get(key);
+        if (group) {
+            group.lanes.push(lane);
+        }
+        else {
+            pingGroups.set(key, {
+                provider: binding.provider,
+                model: binding.model,
+                record,
+                lanes: [lane],
+            });
+        }
+    }
+    for (const group of pingGroups.values()) {
+        const result = await ping(group.provider, providerCredentialConfig(group.record), { model: group.model });
         if (!result.ok) {
-            return providerPingFailureResult(agentName, provider, facings, result);
+            for (const lane of group.lanes) {
+                writeLaneReadiness({
+                    agentRoot: stateResult.agentRoot,
+                    state: stateResult.state,
+                    lane,
+                    status: "failed",
+                    credentialRevision: group.record.revision,
+                    error: result.message,
+                    attempts: pingAttemptCount(result),
+                });
+            }
+            return failedPingResult(agentName, group.lanes[0], group.provider, group.model, result);
+        }
+        for (const lane of group.lanes) {
+            writeLaneReadiness({
+                agentRoot: stateResult.agentRoot,
+                state: stateResult.state,
+                lane,
+                status: "ready",
+                credentialRevision: group.record.revision,
+                attempts: pingAttemptCount(result),
+            });
         }
     }
-    emitConfigValid(agentName, context, true);
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.agent_config_valid",
+        message: "agent config validation passed",
+        meta: {
+            agent: agentName,
+            providers: [...new Set([...pingGroups.values()].map((group) => group.provider))],
+            liveProviderCheck: true,
+        },
+    });
     return { ok: true };
 }

package/dist/heart/daemon/cli-exec.js

@@ -461,11 +461,7 @@ async function resolveHatchInput(command, deps) {
 }
 // ── Provider state CLI helpers ──
 function providerCliHomeDir(deps) {
-    if (!deps.secretsRoot)
-        return os.homedir();
-    return path.basename(deps.secretsRoot) === ".agentsecrets"
-        ? path.dirname(deps.secretsRoot)
-        : deps.secretsRoot;
+    return (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(deps.secretsRoot);
 }
 function providerCliAgentRoot(command, deps) {
     return path.join(deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)(), `${command.agent}.ouro`);

package/dist/heart/daemon/doctor.js

@@ -95,6 +95,19 @@ function readJsonObject(deps, filePath) {
         return null;
     }
 }
+const SENSITIVE_CONFIG_KEYS = ["apiKey", "token", "secret", "password"];
+function credentialKeyLeaks(raw) {
+    return SENSITIVE_CONFIG_KEYS.filter((key) => raw.includes(`"${key}"`));
+}
+function checkCredentialLeak(checks, label, raw) {
+    const found = credentialKeyLeaks(raw);
+    if (found.length > 0) {
+        checks.push({ label, status: "warn", detail: `contains credential-looking keys: ${found.join(", ")}` });
+    }
+    else {
+        checks.push({ label, status: "pass", detail: "no credential keys" });
+    }
+}
 function checkAgents(deps) {
     const checks = [];
     if (!deps.existsSync(deps.bundlesRoot)) {
@@ -287,6 +300,23 @@ function checkHabits(deps) {
 function checkSecurity(deps) {
     const checks = [];
     const agents = discoverAgents(deps);
+    const providerPoolPath = `${deps.secretsRoot}/providers.json`;
+    if (deps.existsSync(providerPoolPath)) {
+        const stat = deps.statSync(providerPoolPath);
+        const worldReadable = (stat.mode & 0o004) !== 0;
+        checks.push({
+            label: "machine provider credentials perms",
+            status: worldReadable ? "warn" : "pass",
+            detail: worldReadable ? "world-readable — consider chmod 600" : "not world-readable",
+        });
+        try {
+            JSON.parse(deps.readFileSync(providerPoolPath));
+            checks.push({ label: "machine provider credentials", status: "pass", detail: "readable JSON" });
+        }
+        catch {
+            checks.push({ label: "machine provider credentials", status: "fail", detail: "unparseable JSON" });
+        }
+    }
     for (const agentDir of agents) {
         const agentName = agentDir.replace(/\.ouro$/, "");
         const secretsPath = `${deps.secretsRoot}/${agentName}/secrets.json`;
@@ -308,8 +338,7 @@ function checkSecurity(deps) {
         if (deps.existsSync(configPath)) {
             try {
                 const raw = deps.readFileSync(configPath);
-                const sensitiveKeys = ["apiKey", "token", "secret", "password"];
-                const found = sensitiveKeys.filter((key) => raw.includes(`"${key}"`));
+                const found = credentialKeyLeaks(raw);
                 if (found.length > 0) {
                     checks.push({ label: `${agentDir} credential leak`, status: "warn", detail: `agent.json contains keys: ${found.join(", ")}` });
                 }
@@ -321,6 +350,15 @@ function checkSecurity(deps) {
                 checks.push({ label: `${agentDir} credential leak`, status: "fail", detail: "could not read agent.json" });
             }
         }
+        const providerStatePath = `${deps.bundlesRoot}/${agentDir}/state/providers.json`;
+        if (deps.existsSync(providerStatePath)) {
+            try {
+                checkCredentialLeak(checks, `${agentDir} state/providers.json credential leak`, deps.readFileSync(providerStatePath));
+            }
+            catch {
+                checks.push({ label: `${agentDir} state/providers.json credential leak`, status: "fail", detail: "could not read state/providers.json" });
+            }
+        }
     }
     if (checks.length === 0) {
         checks.push({ label: "security", status: "warn", detail: "no agents found" });

package/dist/heart/hatch/hatch-flow.js

@@ -44,6 +44,9 @@ const runtime_1 = require("../../nerves/runtime");
 const auth_flow_1 = require("../auth/auth-flow");
 const provider_models_1 = require("../provider-models");
 const habit_parser_1 = require("../habits/habit-parser");
+const machine_identity_1 = require("../machine-identity");
+const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_state_1 = require("../provider-state");
 const hatch_specialist_1 = require("./hatch-specialist");
 function requiredCredentialKeys(provider) {
     return identity_1.PROVIDER_CREDENTIALS[provider].required;
@@ -132,6 +135,22 @@ function writeHatchlingAgentConfig(bundleRoot, input) {
     template.enabled = true;
     fs.writeFileSync(path.join(bundleRoot, "agent.json"), `${JSON.stringify(template, null, 2)}\n`, "utf-8");
 }
+function writeHatchlingProviderState(bundleRoot, input, secretsRoot, now) {
+    const model = (0, provider_models_1.getDefaultModelForProvider)(input.provider);
+    const machine = (0, machine_identity_1.loadOrCreateMachineIdentity)({
+        homeDir: (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(secretsRoot),
+        now: () => now,
+    });
+    const state = (0, provider_state_1.bootstrapProviderStateFromAgentConfig)({
+        machineId: machine.machineId,
+        now,
+        agentConfig: {
+            humanFacing: { provider: input.provider, model },
+            agentFacing: { provider: input.provider, model },
+        },
+    });
+    (0, provider_state_1.writeProviderState)(bundleRoot, state);
+}
 async function runHatchFlow(input, deps = {}) {
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
@@ -170,6 +189,7 @@ async function runHatchFlow(input, deps = {}) {
     writeReadme(path.join(bundleRoot, "senses"), "Sense-specific config.");
     writeReadme(path.join(bundleRoot, "senses", "teams"), "Teams sense config.");
     writeHatchlingAgentConfig(bundleRoot, input);
+    writeHatchlingProviderState(bundleRoot, input, secretsRoot, now);
     writeDiaryScaffold(bundleRoot);
     writeFriendImprint(bundleRoot, input.humanName, now);
     writeHeartbeatHabit(bundleRoot, now);

package/dist/heart/provider-credential-pool.js

@@ -35,6 +35,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.splitProviderCredentialFields = splitProviderCredentialFields;
 exports.getProviderCredentialPoolPath = getProviderCredentialPoolPath;
+exports.providerCredentialHomeDirFromSecretsRoot = providerCredentialHomeDirFromSecretsRoot;
 exports.validateProviderCredentialPool = validateProviderCredentialPool;
 exports.readProviderCredentialPool = readProviderCredentialPool;
 exports.writeProviderCredentialPool = writeProviderCredentialPool;
@@ -130,6 +131,13 @@ function makeRevision() {
 function getProviderCredentialPoolPath(homeDir = os.homedir()) {
     return path.join(homeDir, ".agentsecrets", "providers.json");
 }
+function providerCredentialHomeDirFromSecretsRoot(secretsRoot) {
+    if (!secretsRoot)
+        return os.homedir();
+    return path.basename(secretsRoot) === ".agentsecrets"
+        ? path.dirname(secretsRoot)
+        : secretsRoot;
+}
 function validateProviderCredentialPool(value) {
     if (!isRecord(value)) {
         throw new Error("provider credential pool must be an object");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.349",
+  "version": "0.1.0-alpha.350",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",