@ouro.bot/cli 0.1.0-alpha.35 → 0.1.0-alpha.350

package/dist/heart/provider-binding-resolver.js

@@ -0,0 +1,240 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeProviderLane = normalizeProviderLane;
+exports.resolveEffectiveProviderBinding = resolveEffectiveProviderBinding;
+const runtime_1 = require("../nerves/runtime");
+const provider_credential_pool_1 = require("./provider-credential-pool");
+const provider_state_1 = require("./provider-state");
+function legacyLaneWarning(selector, lane) {
+    return {
+        code: "legacy-lane-selector",
+        message: `${selector} is legacy provider wording; using ${lane} lane`,
+    };
+}
+function normalizeProviderLane(selector) {
+    switch (selector) {
+        case "outward":
+            return { lane: "outward", warnings: [] };
+        case "inner":
+            return { lane: "inner", warnings: [] };
+        case "human":
+        case "humanFacing":
+            return { lane: "outward", warnings: [legacyLaneWarning(selector, "outward")] };
+        case "agent":
+        case "agentFacing":
+            return { lane: "inner", warnings: [legacyLaneWarning(selector, "inner")] };
+    }
+}
+function buildUseRepair(agentName, lane, force = false) {
+    return {
+        command: `ouro use --agent ${agentName} --lane ${lane} --provider <provider> --model <model>${force ? " --force" : ""}`,
+        message: force
+            ? `Rewrite this machine's ${lane} provider binding for ${agentName}.`
+            : `Choose the provider/model this machine should use for ${agentName}'s ${lane} lane.`,
+    };
+}
+function buildAuthRepair(agentName, provider) {
+    return {
+        command: `ouro auth --agent ${agentName} --provider ${provider}`,
+        message: `Authenticate ${provider} once for this machine's shared credential pool.`,
+    };
+}
+function missingProviderStateWarning(agentName) {
+    return {
+        code: "provider-state-missing",
+        message: `No local provider binding exists for ${agentName} on this machine.`,
+    };
+}
+function invalidProviderStateWarning(agentName) {
+    return {
+        code: "provider-state-invalid",
+        message: `Local provider binding state for ${agentName} is invalid.`,
+    };
+}
+function missingCredentialWarning(provider) {
+    return {
+        code: "credential-missing",
+        message: `${provider} has no credential record in the machine credential pool.`,
+    };
+}
+function invalidCredentialPoolWarning(provider) {
+    return {
+        code: "credential-pool-invalid",
+        message: `${provider} cannot read credentials because the machine credential pool is invalid.`,
+    };
+}
+function presentCredential(record) {
+    return {
+        status: "present",
+        provider: record.provider,
+        revision: record.revision,
+        source: record.provenance.source,
+        contributedByAgent: record.provenance.contributedByAgent,
+        updatedAt: record.updatedAt,
+        credentialFields: Object.keys(record.credentials).sort(),
+        configFields: Object.keys(record.config).sort(),
+    };
+}
+function resolveCredential(poolResult, provider, agentName) {
+    if (poolResult.ok) {
+        const record = poolResult.pool.providers[provider];
+        if (record)
+            return { credential: presentCredential(record), warnings: [] };
+        return {
+            credential: {
+                status: "missing",
+                provider,
+                poolPath: poolResult.poolPath,
+                repair: buildAuthRepair(agentName, provider),
+            },
+            warnings: [missingCredentialWarning(provider)],
+        };
+    }
+    if (poolResult.reason === "invalid") {
+        return {
+            credential: {
+                status: "invalid-pool",
+                provider,
+                poolPath: poolResult.poolPath,
+                error: poolResult.error,
+                repair: buildAuthRepair(agentName, provider),
+            },
+            warnings: [invalidCredentialPoolWarning(provider)],
+        };
+    }
+    return {
+        credential: {
+            status: "missing",
+            provider,
+            poolPath: poolResult.poolPath,
+            repair: buildAuthRepair(agentName, provider),
+        },
+        warnings: [missingCredentialWarning(provider)],
+    };
+}
+function readinessFromState(readiness) {
+    return {
+        status: readiness.status,
+        checkedAt: readiness.checkedAt,
+        credentialRevision: readiness.credentialRevision,
+        error: readiness.error,
+        attempts: readiness.attempts,
+    };
+}
+function staleReadiness(readiness, reason) {
+    return {
+        ...readinessFromState(readiness),
+        status: "stale",
+        previousStatus: readiness.status,
+        reason,
+    };
+}
+function resolveReadiness(input) {
+    if (!input.readiness) {
+        if (input.credential.status === "missing") {
+            return { readiness: { status: "unknown", reason: "credential-missing" }, warnings: [] };
+        }
+        if (input.credential.status === "invalid-pool") {
+            return { readiness: { status: "unknown", reason: "credential-pool-invalid" }, warnings: [] };
+        }
+        return { readiness: { status: "unknown" }, warnings: [] };
+    }
+    if (input.readiness.provider !== input.provider || input.readiness.model !== input.model) {
+        return {
+            readiness: staleReadiness(input.readiness, "provider-model-changed"),
+            warnings: [{
+                    code: "readiness-stale",
+                    message: `${input.provider}/${input.model} readiness is stale because the last check was for ${input.readiness.provider}/${input.readiness.model}.`,
+                }],
+        };
+    }
+    if (input.credential.status === "present"
+        && input.readiness.credentialRevision !== undefined
+        && input.readiness.credentialRevision !== input.credential.revision) {
+        return {
+            readiness: staleReadiness(input.readiness, "credential-revision-changed"),
+            warnings: [{
+                    code: "readiness-stale",
+                    message: `${input.provider}/${input.model} readiness is stale because credential revision changed from ${input.readiness.credentialRevision} to ${input.credential.revision}.`,
+                }],
+        };
+    }
+    if (input.credential.status === "missing") {
+        return {
+            readiness: staleReadiness(input.readiness, "credential-missing"),
+            warnings: [],
+        };
+    }
+    if (input.credential.status === "invalid-pool") {
+        return {
+            readiness: staleReadiness(input.readiness, "credential-pool-invalid"),
+            warnings: [],
+        };
+    }
+    return { readiness: readinessFromState(input.readiness), warnings: [] };
+}
+function resolveEffectiveProviderBinding(input) {
+    const laneResolution = normalizeProviderLane(input.lane);
+    const stateResult = (0, provider_state_1.readProviderState)(input.agentRoot);
+    if (!stateResult.ok) {
+        const reason = stateResult.reason === "missing" ? "provider-state-missing" : "provider-state-invalid";
+        const stateWarning = stateResult.reason === "missing"
+            ? missingProviderStateWarning(input.agentName)
+            : invalidProviderStateWarning(input.agentName);
+        const result = {
+            ok: false,
+            lane: laneResolution.lane,
+            reason,
+            statePath: stateResult.statePath,
+            warnings: [...laneResolution.warnings, stateWarning],
+            repair: buildUseRepair(input.agentName, laneResolution.lane, stateResult.reason === "invalid"),
+        };
+        (0, runtime_1.emitNervesEvent)({
+            component: "config/identity",
+            event: "config.provider_binding_resolution_failed",
+            message: "provider binding resolution failed",
+            meta: { agentName: input.agentName, lane: laneResolution.lane, reason },
+        });
+        return result;
+    }
+    const laneBinding = stateResult.state.lanes[laneResolution.lane];
+    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(input.homeDir);
+    const credentialResult = resolveCredential(poolResult, laneBinding.provider, input.agentName);
+    const readinessResult = resolveReadiness({
+        provider: laneBinding.provider,
+        model: laneBinding.model,
+        readiness: stateResult.state.readiness[laneResolution.lane],
+        credential: credentialResult.credential,
+    });
+    const warnings = [
+        ...laneResolution.warnings,
+        ...credentialResult.warnings,
+        ...readinessResult.warnings,
+    ];
+    const binding = {
+        lane: laneResolution.lane,
+        provider: laneBinding.provider,
+        model: laneBinding.model,
+        source: laneBinding.source,
+        machineId: stateResult.state.machineId,
+        statePath: stateResult.statePath,
+        credential: credentialResult.credential,
+        readiness: readinessResult.readiness,
+        warnings,
+    };
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.provider_binding_resolved",
+        message: "resolved effective provider binding",
+        meta: {
+            agentName: input.agentName,
+            lane: binding.lane,
+            provider: binding.provider,
+            model: binding.model,
+            credentialStatus: binding.credential.status,
+            readinessStatus: binding.readiness.status,
+            warningCount: warnings.length,
+        },
+    });
+    return { ok: true, binding };
+}

package/dist/heart/provider-credential-pool.js

@@ -0,0 +1,395 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.splitProviderCredentialFields = splitProviderCredentialFields;
+exports.getProviderCredentialPoolPath = getProviderCredentialPoolPath;
+exports.providerCredentialHomeDirFromSecretsRoot = providerCredentialHomeDirFromSecretsRoot;
+exports.validateProviderCredentialPool = validateProviderCredentialPool;
+exports.readProviderCredentialPool = readProviderCredentialPool;
+exports.writeProviderCredentialPool = writeProviderCredentialPool;
+exports.upsertProviderCredential = upsertProviderCredential;
+exports.redactProviderCredentialPool = redactProviderCredentialPool;
+exports.summarizeProviderCredentialPool = summarizeProviderCredentialPool;
+exports.readLegacyAgentProviderCredentials = readLegacyAgentProviderCredentials;
+exports.migrateLegacyAgentProviderCredentials = migrateLegacyAgentProviderCredentials;
+const crypto = __importStar(require("crypto"));
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const runtime_1 = require("../nerves/runtime");
+const VALID_PROVIDERS = ["azure", "minimax", "anthropic", "openai-codex", "github-copilot"];
+const VALID_PROVENANCE_SOURCES = ["auth-flow", "legacy-agent-secrets", "manual"];
+const PROVIDER_FIELD_SPLITS = {
+    anthropic: {
+        credentials: ["setupToken", "refreshToken", "expiresAt"],
+        config: [],
+        meaningfulCredentials: ["setupToken", "refreshToken"],
+    },
+    "openai-codex": {
+        credentials: ["oauthAccessToken"],
+        config: [],
+        meaningfulCredentials: ["oauthAccessToken"],
+    },
+    azure: {
+        credentials: ["apiKey"],
+        config: ["endpoint", "deployment", "apiVersion", "managedIdentityClientId"],
+        meaningfulCredentials: ["apiKey", "managedIdentityClientId"],
+    },
+    minimax: {
+        credentials: ["apiKey"],
+        config: [],
+        meaningfulCredentials: ["apiKey"],
+    },
+    "github-copilot": {
+        credentials: ["githubToken"],
+        config: ["baseUrl"],
+        meaningfulCredentials: ["githubToken"],
+    },
+};
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function isAgentProvider(value) {
+    return VALID_PROVIDERS.includes(value);
+}
+function isProvenanceSource(value) {
+    return typeof value === "string" && VALID_PROVENANCE_SOURCES.includes(value);
+}
+function isCredentialValue(value) {
+    return typeof value === "string" || typeof value === "number";
+}
+function isPresentCredentialValue(value) {
+    if (!isCredentialValue(value))
+        return false;
+    if (typeof value === "string")
+        return value.trim().length > 0;
+    return Number.isFinite(value) && value !== 0;
+}
+function copyKnownFields(source, fields) {
+    const result = {};
+    for (const field of fields) {
+        const value = source[field];
+        if (isPresentCredentialValue(value)) {
+            result[field] = value;
+        }
+    }
+    return result;
+}
+function splitProviderCredentialFields(provider, rawConfig) {
+    const fields = PROVIDER_FIELD_SPLITS[provider];
+    return {
+        credentials: copyKnownFields(rawConfig, fields.credentials),
+        config: copyKnownFields(rawConfig, fields.config),
+    };
+}
+function legacyProviderHasCredentialData(provider, rawConfig) {
+    const fields = PROVIDER_FIELD_SPLITS[provider];
+    return fields.meaningfulCredentials.some((field) => isPresentCredentialValue(rawConfig[field]));
+}
+function makeEmptyProviderCredentialPool(now) {
+    return {
+        schemaVersion: 1,
+        updatedAt: now.toISOString(),
+        providers: {},
+    };
+}
+function makeRevision() {
+    return `cred_${crypto.randomUUID()}`;
+}
+function getProviderCredentialPoolPath(homeDir = os.homedir()) {
+    return path.join(homeDir, ".agentsecrets", "providers.json");
+}
+function providerCredentialHomeDirFromSecretsRoot(secretsRoot) {
+    if (!secretsRoot)
+        return os.homedir();
+    return path.basename(secretsRoot) === ".agentsecrets"
+        ? path.dirname(secretsRoot)
+        : secretsRoot;
+}
+function validateProviderCredentialPool(value) {
+    if (!isRecord(value)) {
+        throw new Error("provider credential pool must be an object");
+    }
+    if (value.schemaVersion !== 1) {
+        throw new Error("provider credential pool schemaVersion must be 1");
+    }
+    if (typeof value.updatedAt !== "string" || value.updatedAt.length === 0) {
+        throw new Error("provider credential pool updatedAt must be a non-empty string");
+    }
+    if (!isRecord(value.providers)) {
+        throw new Error("provider credential pool providers must be an object");
+    }
+    const providers = value.providers;
+    for (const [providerKey, rawRecord] of Object.entries(providers)) {
+        if (!isAgentProvider(providerKey)) {
+            throw new Error(`provider credential pool has unsupported provider ${providerKey}`);
+        }
+        if (!isRecord(rawRecord)) {
+            throw new Error(`${providerKey} credential record must be an object`);
+        }
+        if (rawRecord.provider !== providerKey) {
+            throw new Error(`${providerKey}.provider must match its provider key`);
+        }
+        if (typeof rawRecord.revision !== "string" || rawRecord.revision.length === 0) {
+            throw new Error(`${providerKey}.revision must be a non-empty string`);
+        }
+        if (typeof rawRecord.updatedAt !== "string" || rawRecord.updatedAt.length === 0) {
+            throw new Error(`${providerKey}.updatedAt must be a non-empty string`);
+        }
+        if (!isRecord(rawRecord.credentials)) {
+            throw new Error(`${providerKey}.credentials must be an object`);
+        }
+        if (!isRecord(rawRecord.config)) {
+            throw new Error(`${providerKey}.config must be an object`);
+        }
+        for (const [field, fieldValue] of Object.entries(rawRecord.credentials)) {
+            if (!isCredentialValue(fieldValue)) {
+                throw new Error(`${providerKey}.credentials.${field} must be a string or number`);
+            }
+        }
+        for (const [field, fieldValue] of Object.entries(rawRecord.config)) {
+            if (!isCredentialValue(fieldValue)) {
+                throw new Error(`${providerKey}.config.${field} must be a string or number`);
+            }
+        }
+        if (!isRecord(rawRecord.provenance)) {
+            throw new Error(`${providerKey}.provenance must be an object`);
+        }
+        if (!isProvenanceSource(rawRecord.provenance.source)) {
+            throw new Error(`${providerKey}.provenance.source must be auth-flow, legacy-agent-secrets, or manual`);
+        }
+        const contributedByAgent = rawRecord.provenance.contributedByAgent;
+        if (contributedByAgent !== undefined && typeof contributedByAgent !== "string") {
+            throw new Error(`${providerKey}.provenance.contributedByAgent must be a string when present`);
+        }
+        if (typeof rawRecord.provenance.updatedAt !== "string" || rawRecord.provenance.updatedAt.length === 0) {
+            throw new Error(`${providerKey}.provenance.updatedAt must be a non-empty string`);
+        }
+    }
+    return value;
+}
+function readProviderCredentialPool(homeDir = os.homedir()) {
+    const poolPath = getProviderCredentialPoolPath(homeDir);
+    try {
+        const raw = fs.readFileSync(poolPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        const pool = validateProviderCredentialPool(parsed);
+        (0, runtime_1.emitNervesEvent)({
+            component: "config/identity",
+            event: "config.provider_credential_pool_read",
+            message: "read provider credential pool",
+            meta: { poolPath },
+        });
+        return { ok: true, poolPath, pool };
+    }
+    catch (error) {
+        if (error.code === "ENOENT") {
+            (0, runtime_1.emitNervesEvent)({
+                component: "config/identity",
+                event: "config.provider_credential_pool_missing",
+                message: "provider credential pool not found",
+                meta: { poolPath },
+            });
+            return {
+                ok: false,
+                reason: "missing",
+                poolPath,
+                error: "provider credential pool not found",
+            };
+        }
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "config/identity",
+            event: "config.provider_credential_pool_invalid",
+            message: "provider credential pool invalid",
+            meta: { poolPath, reason: String(error) },
+        });
+        return {
+            ok: false,
+            reason: "invalid",
+            poolPath,
+            error: String(error),
+        };
+    }
+}
+function writeProviderCredentialPool(homeDir, pool) {
+    const validated = validateProviderCredentialPool(pool);
+    const poolPath = getProviderCredentialPoolPath(homeDir);
+    fs.mkdirSync(path.dirname(poolPath), { recursive: true });
+    fs.writeFileSync(poolPath, `${JSON.stringify(validated, null, 2)}\n`, "utf-8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.provider_credential_pool_written",
+        message: "wrote provider credential pool",
+        meta: { poolPath, providerCount: Object.keys(validated.providers).length },
+    });
+}
+function upsertProviderCredential(input) {
+    const homeDir = input.homeDir ?? os.homedir();
+    const now = input.now ?? new Date();
+    const updatedAt = now.toISOString();
+    const readResult = readProviderCredentialPool(homeDir);
+    const pool = readResult.ok ? readResult.pool : makeEmptyProviderCredentialPool(now);
+    if (!readResult.ok && readResult.reason === "invalid") {
+        throw new Error(`Cannot update invalid provider credential pool at ${readResult.poolPath}: ${readResult.error}`);
+    }
+    const record = {
+        provider: input.provider,
+        revision: (input.makeRevision ?? makeRevision)(),
+        updatedAt,
+        credentials: { ...input.credentials },
+        config: { ...input.config },
+        provenance: {
+            ...input.provenance,
+            updatedAt,
+        },
+    };
+    pool.updatedAt = updatedAt;
+    pool.providers[input.provider] = record;
+    writeProviderCredentialPool(homeDir, pool);
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.provider_credential_upserted",
+        message: "upserted provider credential record",
+        meta: { provider: input.provider, revision: record.revision, source: record.provenance.source },
+    });
+    return record;
+}
+function redactProviderCredentialPool(pool) {
+    const validated = validateProviderCredentialPool(pool);
+    const providers = {};
+    for (const [provider, record] of Object.entries(validated.providers)) {
+        const redactedCredentials = {};
+        for (const key of Object.keys(record.credentials)) {
+            redactedCredentials[key] = "[redacted]";
+        }
+        providers[provider] = {
+            ...record,
+            credentials: redactedCredentials,
+            config: { ...record.config },
+            provenance: { ...record.provenance },
+        };
+    }
+    return {
+        ...validated,
+        providers,
+    };
+}
+function summarizeProviderCredentialPool(pool) {
+    const validated = validateProviderCredentialPool(pool);
+    return {
+        providers: Object.entries(validated.providers).map(([, record]) => ({
+            provider: record.provider,
+            revision: record.revision,
+            source: record.provenance.source,
+            contributedByAgent: record.provenance.contributedByAgent,
+            updatedAt: record.updatedAt,
+            credentialFields: Object.keys(record.credentials).sort(),
+            configFields: Object.keys(record.config).sort(),
+        })),
+    };
+}
+function readLegacyAgentProviderCredentials(input) {
+    const homeDir = input.homeDir ?? os.homedir();
+    const secretsPath = path.join(homeDir, ".agentsecrets", input.agentName, "secrets.json");
+    let parsed;
+    try {
+        parsed = JSON.parse(fs.readFileSync(secretsPath, "utf-8"));
+    }
+    catch (error) {
+        if (error.code === "ENOENT") {
+            return [];
+        }
+        throw new Error(`Failed to read legacy provider credentials for ${input.agentName}: ${String(error)}`);
+    }
+    if (!isRecord(parsed) || !isRecord(parsed.providers)) {
+        return [];
+    }
+    const candidates = [];
+    for (const [providerKey, rawProviderConfig] of Object.entries(parsed.providers)) {
+        if (!isAgentProvider(providerKey) || !isRecord(rawProviderConfig)) {
+            continue;
+        }
+        if (!legacyProviderHasCredentialData(providerKey, rawProviderConfig)) {
+            continue;
+        }
+        const { credentials, config } = splitProviderCredentialFields(providerKey, rawProviderConfig);
+        candidates.push({
+            provider: providerKey,
+            credentials,
+            config,
+            provenance: {
+                source: "legacy-agent-secrets",
+                contributedByAgent: input.agentName,
+            },
+        });
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.provider_credential_legacy_read",
+        message: "read legacy provider credential candidates",
+        meta: { agentName: input.agentName, providerCount: candidates.length },
+    });
+    return candidates;
+}
+function migrateLegacyAgentProviderCredentials(input) {
+    const homeDir = input.homeDir ?? os.homedir();
+    const migrated = [];
+    for (const agentName of input.agentNames) {
+        const candidates = readLegacyAgentProviderCredentials({ homeDir, agentName });
+        for (const candidate of candidates) {
+            const record = upsertProviderCredential({
+                homeDir,
+                provider: candidate.provider,
+                credentials: candidate.credentials,
+                config: candidate.config,
+                provenance: candidate.provenance,
+                now: input.now,
+                makeRevision: input.makeRevision,
+            });
+            migrated.push({ agentName, provider: candidate.provider, revision: record.revision });
+        }
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.provider_credential_legacy_migrated",
+        message: "migrated legacy provider credentials",
+        meta: { migratedCount: migrated.length },
+    });
+    return {
+        poolPath: getProviderCredentialPoolPath(homeDir),
+        migrated,
+    };
+}