npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.36 → 0.1.0-alpha.360 - Mend

@ouro.bot/cli 0.1.0-alpha.36 → 0.1.0-alpha.360

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (326) hide show

package/README.md +194 -184
package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/agent.json +3 -2
package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/SOUL.md +1 -1
package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/the-serpent.md +1 -1
package/changelog.json +2149 -0
package/dist/arc/attention-types.js +8 -0
package/dist/arc/cares.js +140 -0
package/dist/arc/episodes.js +117 -0
package/dist/arc/intentions.js +133 -0
package/dist/arc/json-store.js +117 -0
package/dist/arc/obligations.js +237 -0
package/dist/arc/packets.js +193 -0
package/dist/arc/presence.js +185 -0
package/dist/arc/task-lifecycle.js +65 -0
package/dist/heart/active-work.js +832 -0
package/dist/heart/agent-entry.js +37 -2
package/dist/heart/attachments/image-normalize.js +194 -0
package/dist/heart/attachments/materialize.js +97 -0
package/dist/heart/attachments/originals.js +88 -0
package/dist/heart/attachments/render.js +29 -0
package/dist/heart/attachments/sources/adapter.js +2 -0
package/dist/heart/attachments/sources/bluebubbles.js +156 -0
package/dist/heart/attachments/sources/cli-local-file.js +78 -0
package/dist/heart/attachments/sources/index.js +16 -0
package/dist/heart/attachments/store.js +103 -0
package/dist/heart/attachments/types.js +93 -0
package/dist/heart/auth/auth-flow.js +463 -0
package/dist/heart/bridges/manager.js +358 -0
package/dist/heart/bridges/state-machine.js +135 -0
package/dist/heart/bridges/store.js +123 -0
package/dist/heart/bundle-state.js +168 -0
package/dist/heart/commitments.js +111 -0
package/dist/heart/config-registry.js +304 -0
package/dist/heart/config.js +53 -21
package/dist/heart/core.js +743 -252
package/dist/heart/cross-chat-delivery.js +131 -0
package/dist/heart/daemon/agent-config-check.js +561 -0
package/dist/heart/daemon/agent-discovery.js +79 -3
package/dist/heart/daemon/agent-service.js +360 -0
package/dist/heart/daemon/agentic-repair.js +185 -0
package/dist/heart/daemon/bluebubbles-health-diagnostics.js +122 -0
package/dist/heart/daemon/cadence.js +70 -0
package/dist/heart/daemon/cli-defaults.js +591 -0
package/dist/heart/daemon/cli-exec.js +2649 -0
package/dist/heart/daemon/cli-help.js +306 -0
package/dist/heart/daemon/cli-parse.js +913 -0
package/dist/heart/daemon/cli-render-doctor.js +57 -0
package/dist/heart/daemon/cli-render.js +560 -0
package/dist/heart/daemon/cli-types.js +8 -0
package/dist/heart/daemon/daemon-cli.js +30 -1171
package/dist/heart/daemon/daemon-entry.js +358 -3
package/dist/heart/daemon/daemon-health.js +141 -0
package/dist/heart/daemon/daemon-runtime-sync.js +157 -12
package/dist/heart/daemon/daemon-tombstone.js +236 -0
package/dist/heart/daemon/daemon.js +757 -58
package/dist/heart/daemon/doctor-types.js +8 -0
package/dist/heart/daemon/doctor.js +465 -0
package/dist/heart/daemon/health-monitor.js +79 -1
package/dist/heart/daemon/hooks/agent-config-v2.js +33 -0
package/dist/heart/daemon/hooks/bundle-meta.js +115 -1
package/dist/heart/daemon/http-health-probe.js +80 -0
package/dist/heart/daemon/inner-status.js +89 -0
package/dist/heart/daemon/interactive-repair.js +91 -0
package/dist/heart/daemon/launchd.js +46 -9
package/dist/heart/daemon/log-tailer.js +82 -12
package/dist/heart/daemon/logs-prune.js +105 -0
package/dist/heart/daemon/message-router.js +17 -8
package/dist/heart/daemon/os-cron-deps.js +134 -0
package/dist/heart/daemon/ouro-bot-entry.js +1 -1
package/dist/heart/daemon/process-manager.js +201 -0
package/dist/heart/daemon/provider-discovery.js +140 -0
package/dist/heart/daemon/pulse.js +475 -0
package/dist/heart/daemon/run-hooks.js +2 -0
package/dist/heart/daemon/runtime-logging.js +67 -16
package/dist/heart/daemon/runtime-metadata.js +101 -0
package/dist/heart/daemon/runtime-mode.js +67 -0
package/dist/heart/daemon/safe-mode.js +161 -0
package/dist/heart/daemon/sense-manager.js +72 -3
package/dist/heart/daemon/session-id-resolver.js +131 -0
package/dist/heart/daemon/skill-management-installer.js +94 -0
package/dist/heart/daemon/socket-client.js +307 -0
package/dist/heart/daemon/stale-bundle-prune.js +96 -0
package/dist/heart/daemon/startup-tui.js +237 -0
package/dist/heart/daemon/task-scheduler.js +3 -25
package/dist/heart/daemon/thoughts.js +510 -0
package/dist/heart/daemon/up-progress.js +135 -0
package/dist/heart/delegation.js +62 -0
package/dist/heart/habits/habit-migration.js +181 -0
package/dist/heart/habits/habit-parser.js +140 -0
package/dist/heart/habits/habit-scheduler.js +371 -0
package/dist/heart/{daemon → hatch}/hatch-flow.js +52 -120
package/dist/heart/{daemon → hatch}/hatch-specialist.js +3 -3
package/dist/heart/{daemon → hatch}/specialist-prompt.js +10 -7
package/dist/heart/{daemon → hatch}/specialist-tools.js +56 -10
package/dist/heart/identity.js +154 -59
package/dist/heart/kept-notes.js +357 -0
package/dist/heart/kicks.js +2 -20
package/dist/heart/machine-identity.js +161 -0
package/dist/heart/mcp/mcp-server.js +653 -0
package/dist/heart/migrate-config.js +127 -0
package/dist/heart/model-capabilities.js +59 -0
package/dist/heart/outlook/outlook-http-hooks.js +64 -0
package/dist/heart/outlook/outlook-http-response.js +7 -0
package/dist/heart/outlook/outlook-http-routes.js +232 -0
package/dist/heart/outlook/outlook-http-static.js +99 -0
package/dist/heart/outlook/outlook-http-transport.js +116 -0
package/dist/heart/outlook/outlook-http.js +99 -0
package/dist/heart/outlook/outlook-read.js +28 -0
package/dist/heart/outlook/outlook-types.js +27 -0
package/dist/heart/outlook/outlook-view.js +195 -0
package/dist/heart/outlook/readers/agent-machine.js +359 -0
package/dist/heart/outlook/readers/continuity-readers.js +332 -0
package/dist/heart/outlook/readers/runtime-readers.js +660 -0
package/dist/heart/outlook/readers/sessions.js +232 -0
package/dist/heart/outlook/readers/shared.js +111 -0
package/dist/heart/progress-story.js +42 -0
package/dist/heart/provider-attempt.js +133 -0
package/dist/heart/provider-binding-resolver.js +240 -0
package/dist/heart/provider-credential-pool.js +395 -0
package/dist/heart/provider-failover.js +274 -0
package/dist/heart/provider-models.js +81 -0
package/dist/heart/provider-ping.js +227 -0
package/dist/heart/provider-state.js +208 -0
package/dist/heart/provider-visibility.js +183 -0
package/dist/heart/providers/anthropic-token.js +163 -0
package/dist/heart/providers/anthropic.js +177 -50
package/dist/heart/providers/azure.js +102 -11
package/dist/heart/providers/error-classification.js +63 -0
package/dist/heart/providers/github-copilot.js +145 -0
package/dist/heart/providers/minimax-vlm.js +189 -0
package/dist/heart/providers/minimax.js +28 -6
package/dist/heart/providers/openai-codex.js +38 -23
package/dist/heart/session-activity.js +190 -0
package/dist/heart/session-events.js +855 -0
package/dist/heart/session-transcript.js +167 -0
package/dist/heart/start-of-turn-packet.js +345 -0
package/dist/heart/streaming.js +36 -27
package/dist/heart/sync.js +332 -0
package/dist/heart/target-resolution.js +127 -0
package/dist/heart/tempo.js +93 -0
package/dist/heart/temporal-view.js +41 -0
package/dist/heart/tool-activity-callbacks.js +36 -0
package/dist/heart/tool-description.js +135 -0
package/dist/heart/tool-friction.js +55 -0
package/dist/heart/tool-loop.js +200 -0
package/dist/heart/turn-context.js +362 -0
package/dist/heart/turn-coordinator.js +28 -0
package/dist/heart/{daemon → versioning}/ouro-bot-global-installer.js +1 -1
package/dist/heart/{daemon → versioning}/ouro-bot-wrapper.js +1 -1
package/dist/heart/versioning/ouro-path-installer.js +296 -0
package/dist/heart/versioning/ouro-version-manager.js +295 -0
package/dist/heart/{daemon → versioning}/staged-restart.js +40 -8
package/dist/heart/{daemon → versioning}/update-checker.js +12 -2
package/dist/heart/{daemon → versioning}/update-hooks.js +63 -59
package/dist/mind/bundle-manifest.js +7 -1
package/dist/mind/context.js +141 -94
package/dist/mind/diary-integrity.js +60 -0
package/dist/mind/{memory.js → diary.js} +84 -96
package/dist/mind/embedding-provider.js +60 -0
package/dist/mind/file-state.js +179 -0
package/dist/mind/first-impressions.js +14 -1
package/dist/mind/friends/channel.js +56 -0
package/dist/mind/friends/group-context.js +144 -0
package/dist/mind/friends/resolver.js +38 -1
package/dist/mind/friends/store-file.js +58 -3
package/dist/mind/friends/trust-explanation.js +74 -0
package/dist/mind/friends/types.js +9 -1
package/dist/mind/journal-index.js +161 -0
package/dist/mind/note-search.js +268 -0
package/dist/mind/obligation-steering.js +221 -0
package/dist/mind/pending.js +74 -7
package/dist/mind/prompt.js +1013 -112
package/dist/mind/provenance-trust.js +26 -0
package/dist/mind/scrutiny.js +173 -0
package/dist/mind/token-estimate.js +8 -12
package/dist/nerves/cli-logging.js +7 -1
package/dist/nerves/coverage/audit-rules.js +15 -6
package/dist/nerves/coverage/audit.js +28 -2
package/dist/nerves/coverage/cli.js +1 -1
package/dist/nerves/coverage/file-completeness.js +83 -5
package/dist/nerves/coverage/run-artifacts.js +1 -1
package/dist/nerves/event-buffer.js +111 -0
package/dist/nerves/index.js +224 -4
package/dist/nerves/observation.js +20 -0
package/dist/nerves/redact.js +79 -0
package/dist/nerves/runtime.js +5 -1
package/dist/outlook-ui/assets/index-LwChZTgL.css +1 -0
package/dist/outlook-ui/assets/index-xTdv64BV.js +61 -0
package/dist/outlook-ui/index.html +15 -0
package/dist/repertoire/ado-client.js +15 -56
package/dist/repertoire/ado-semantic.js +11 -10
package/dist/repertoire/api-client.js +97 -0
package/dist/repertoire/bitwarden-store.js +319 -0
package/dist/repertoire/bundle-templates.js +72 -0
package/dist/repertoire/bw-installer.js +79 -0
package/dist/repertoire/coding/codex-jsonl.js +64 -0
package/dist/repertoire/coding/context-pack.js +330 -0
package/dist/repertoire/coding/feedback.js +197 -30
package/dist/repertoire/coding/manager.js +158 -9
package/dist/repertoire/coding/spawner.js +55 -9
package/dist/repertoire/coding/tools.js +170 -7
package/dist/repertoire/commerce-errors.js +109 -0
package/dist/repertoire/commerce-self-test.js +156 -0
package/dist/repertoire/credential-access.js +527 -0
package/dist/repertoire/duffel-client.js +185 -0
package/dist/repertoire/github-client.js +14 -55
package/dist/repertoire/graph-client.js +11 -52
package/dist/repertoire/guardrails.js +375 -0
package/dist/repertoire/mcp-client.js +255 -0
package/dist/repertoire/mcp-manager.js +305 -0
package/dist/repertoire/mcp-tools.js +63 -0
package/dist/repertoire/shell-sessions.js +133 -0
package/dist/repertoire/skills.js +15 -24
package/dist/repertoire/stripe-client.js +131 -0
package/dist/repertoire/tasks/board.js +43 -5
package/dist/repertoire/tasks/fix.js +182 -0
package/dist/repertoire/tasks/index.js +28 -10
package/dist/repertoire/tasks/lifecycle.js +2 -2
package/dist/repertoire/tasks/parser.js +3 -2
package/dist/repertoire/tasks/scanner.js +194 -37
package/dist/repertoire/tasks/transitions.js +16 -79
package/dist/repertoire/tool-results.js +29 -0
package/dist/repertoire/tools-attachments.js +316 -0
package/dist/repertoire/tools-base.js +45 -771
package/dist/repertoire/tools-bluebubbles.js +1 -0
package/dist/repertoire/tools-bridge.js +141 -0
package/dist/repertoire/tools-bundle.js +984 -0
package/dist/repertoire/tools-config.js +185 -0
package/dist/repertoire/tools-continuity.js +248 -0
package/dist/repertoire/tools-credential.js +182 -0
package/dist/repertoire/tools-files.js +342 -0
package/dist/repertoire/tools-flight.js +224 -0
package/dist/repertoire/tools-flow.js +105 -0
package/dist/repertoire/tools-github.js +1 -7
package/dist/repertoire/tools-notes.js +376 -0
package/dist/repertoire/tools-session.js +739 -0
package/dist/repertoire/tools-shell.js +120 -0
package/dist/repertoire/tools-stripe.js +180 -0
package/dist/repertoire/tools-surface.js +243 -0
package/dist/repertoire/tools-teams.js +12 -62
package/dist/repertoire/tools-travel.js +125 -0
package/dist/repertoire/tools-user-profile.js +144 -0
package/dist/repertoire/tools-vault.js +110 -0
package/dist/repertoire/tools.js +144 -138
package/dist/repertoire/travel-api-client.js +360 -0
package/dist/repertoire/user-profile.js +118 -0
package/dist/repertoire/vault-setup.js +241 -0
package/dist/scripts/claude-code-hook.js +41 -0
package/dist/scripts/claude-code-stop-hook.js +47 -0
package/dist/senses/attention-queue.js +116 -0
package/dist/senses/bluebubbles/attachment-cache.js +53 -0
package/dist/senses/bluebubbles/attachment-download.js +137 -0
package/dist/senses/{bluebubbles-client.js → bluebubbles/client.js} +225 -9
package/dist/senses/bluebubbles/entry.js +13 -0
package/dist/senses/bluebubbles/inbound-log.js +113 -0
package/dist/senses/bluebubbles/index.js +1616 -0
package/dist/senses/{bluebubbles-media.js → bluebubbles/media.js} +121 -70
package/dist/senses/{bluebubbles-model.js → bluebubbles/model.js} +43 -12
package/dist/senses/{bluebubbles-mutation-log.js → bluebubbles/mutation-log.js} +46 -6
package/dist/senses/bluebubbles/replay.js +129 -0
package/dist/senses/bluebubbles/runtime-state.js +109 -0
package/dist/senses/{bluebubbles-session-cleanup.js → bluebubbles/session-cleanup.js} +1 -1
package/dist/senses/cli/bracketed-paste.js +82 -0
package/dist/senses/cli/image-paste.js +287 -0
package/dist/senses/cli/image-ref-navigation.js +75 -0
package/dist/senses/cli/ink-app.js +156 -0
package/dist/senses/cli/inline-diff.js +64 -0
package/dist/senses/cli/input-keys.js +174 -0
package/dist/senses/cli/kill-ring.js +86 -0
package/dist/senses/cli/message-list.js +51 -0
package/dist/senses/cli/ouro-tui.js +605 -0
package/dist/senses/cli/spinner-imperative.js +135 -0
package/dist/senses/cli/spinner.js +101 -0
package/dist/senses/cli/status-line.js +60 -0
package/dist/senses/cli/streaming-markdown.js +526 -0
package/dist/senses/cli/tool-display.js +83 -0
package/dist/senses/cli/tool-render.js +85 -0
package/dist/senses/cli/tui-store.js +240 -0
package/dist/senses/cli/virtual-list.js +35 -0
package/dist/senses/cli-entry.js +1 -1
package/dist/senses/cli-layout.js +187 -0
package/dist/senses/cli.js +587 -249
package/dist/senses/commands.js +66 -3
package/dist/senses/continuity.js +94 -0
package/dist/senses/habit-turn-message.js +108 -0
package/dist/senses/inner-dialog-worker.js +112 -19
package/dist/senses/inner-dialog.js +633 -86
package/dist/senses/pipeline.js +603 -0
package/dist/senses/proactive-content-guard.js +51 -0
package/dist/senses/shared-turn.js +199 -0
package/dist/senses/surface-tool.js +68 -0
package/dist/senses/teams.js +690 -160
package/dist/senses/trust-gate.js +112 -2
package/package.json +29 -7
package/skills/agent-commerce.md +106 -0
package/skills/browser-navigation.md +110 -0
package/skills/commerce-setup-guide.md +116 -0
package/skills/commerce-setup.md +84 -0
package/skills/configure-dev-tools.md +81 -0
package/skills/travel-planning.md +138 -0
package/dist/heart/daemon/ouro-path-installer.js +0 -178
package/dist/heart/daemon/subagent-installer.js +0 -134
package/dist/mind/associative-recall.js +0 -197
package/dist/senses/bluebubbles-entry.js +0 -11
package/dist/senses/bluebubbles.js +0 -558
package/dist/senses/debug-activity.js +0 -127
package/subagents/README.md +0 -73
package/subagents/work-doer.md +0 -235
package/subagents/work-merger.md +0 -618
package/subagents/work-planner.md +0 -382
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/basilisk.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/jafar.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/jormungandr.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/kaa.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/medusa.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/monty.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/nagini.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/ouroboros.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/python.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/quetzalcoatl.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/sir-hiss.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/the-snake.md +0 -0
/package/dist/heart/{daemon → hatch}/hatch-animation.js +0 -0
/package/dist/heart/{daemon → hatch}/specialist-orchestrator.js +0 -0
/package/dist/heart/{daemon → versioning}/ouro-uti.js +0 -0
/package/dist/heart/{daemon → versioning}/wrapper-publish-guard.js +0 -0

package/dist/heart/auth/auth-flow.js ADDED Viewed

@@ -0,0 +1,463 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readAgentConfigForAgent = readAgentConfigForAgent;
+exports.writeAgentProviderSelection = writeAgentProviderSelection;
+exports.loadAgentSecrets = loadAgentSecrets;
+exports.writeProviderCredentials = writeProviderCredentials;
+exports.writeAgentModel = writeAgentModel;
+exports.collectRuntimeAuthCredentials = collectRuntimeAuthCredentials;
+exports.resolveHatchCredentials = resolveHatchCredentials;
+exports.runRuntimeAuthFlow = runRuntimeAuthFlow;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+const migrate_config_1 = require("../migrate-config");
+const provider_models_1 = require("../provider-models");
+const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
+const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
+const DEFAULT_SECRETS_TEMPLATE = {
+    providers: {
+        azure: {
+            apiKey: "",
+            endpoint: "",
+            deployment: "",
+            apiVersion: "2025-04-01-preview",
+        },
+        minimax: {
+            apiKey: "",
+        },
+        anthropic: {
+            setupToken: "",
+            refreshToken: "",
+            expiresAt: 0,
+        },
+        "openai-codex": {
+            oauthAccessToken: "",
+        },
+        "github-copilot": {
+            githubToken: "",
+            baseUrl: "",
+        },
+    },
+    teams: {
+        clientId: "",
+        clientSecret: "",
+        tenantId: "",
+    },
+    oauth: {
+        graphConnectionName: "graph",
+        adoConnectionName: "ado",
+        githubConnectionName: "",
+    },
+    teamsChannel: {
+        skipConfirmation: true,
+        port: 3978,
+    },
+    vault: {
+        masterPassword: "",
+    },
+    integrations: {
+        perplexityApiKey: "",
+        openaiEmbeddingsApiKey: "",
+    },
+};
+function deepMerge(defaults, partial) {
+    const result = { ...defaults };
+    for (const key of Object.keys(partial)) {
+        const left = result[key];
+        const right = partial[key];
+        if (right !== null &&
+            typeof right === "object" &&
+            !Array.isArray(right) &&
+            left !== null &&
+            typeof left === "object" &&
+            !Array.isArray(left)) {
+            result[key] = deepMerge(left, right);
+            continue;
+        }
+        result[key] = right;
+    }
+    return result;
+}
+function readJsonRecord(filePath, label) {
+    try {
+        const raw = fs.readFileSync(filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            throw new Error("expected object");
+        }
+        return parsed;
+    }
+    catch (error) {
+        throw new Error(`Failed to read ${label} at ${filePath}: ${String(error)}`);
+    }
+}
+function readAgentConfigForAgent(agentName, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
+    const agentRoot = path.join(bundlesRoot, `${agentName}.ouro`);
+    const configPath = path.join(agentRoot, "agent.json");
+    let parsed = readJsonRecord(configPath, "agent config");
+    // Inline migration: v1 -> v2
+    const version = typeof parsed.version === "number" ? parsed.version : 1;
+    if (version < 2) {
+        (0, migrate_config_1.migrateAgentConfigV1ToV2)(agentRoot);
+        parsed = readJsonRecord(configPath, "agent config");
+    }
+    // Validate v2 required facing fields
+    const humanFacing = parsed.humanFacing;
+    const agentFacing = parsed.agentFacing;
+    if (!humanFacing || typeof humanFacing !== "object") {
+        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(parsed.provider)}'`);
+    }
+    const provider = humanFacing.provider;
+    if (provider !== "azure" &&
+        provider !== "anthropic" &&
+        provider !== "minimax" &&
+        provider !== "openai-codex" &&
+        provider !== "github-copilot") {
+        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(provider)}'`);
+    }
+    if (!agentFacing || typeof agentFacing !== "object") {
+        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(parsed.provider)}'`);
+    }
+    // Spread-with-validation: same pattern as loadAgentConfig to eliminate
+    // the unvalidated-pass-through bug class. The spread carries through
+    // every field present in parsed; senses goes through the same
+    // normalization as loadAgentConfig so the two entry points return
+    // equivalent configs for the same file.
+    const config = {
+        ...parsed,
+        senses: (0, identity_1.normalizeSenses)(parsed.senses, configPath),
+    };
+    return {
+        configPath,
+        config,
+    };
+}
+function writeAgentProviderSelection(agentName, facing, provider, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
+    const { configPath, config } = readAgentConfigForAgent(agentName, bundlesRoot);
+    const facingKey = facing === "human" ? "humanFacing" : "agentFacing";
+    const previousFacing = config[facingKey];
+    const resolved = (0, provider_models_1.resolveModelForProviderSelection)(provider, previousFacing.model);
+    const nextConfig = {
+        ...config,
+        [facingKey]: { ...previousFacing, provider, model: resolved.model },
+    };
+    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_provider_selected",
+        message: "updated agent provider selection after auth flow",
+        meta: {
+            agentName,
+            facing,
+            provider,
+            previousProvider: previousFacing.provider,
+            previousModel: previousFacing.model,
+            model: resolved.model,
+            preservedModel: resolved.preserved,
+            configPath,
+        },
+    });
+    return configPath;
+}
+function resolveAgentSecretsPath(agentName, deps = {}) {
+    if (deps.secretsRoot)
+        return path.join(deps.secretsRoot, agentName, "secrets.json");
+    const homeDir = deps.homeDir ?? os.homedir();
+    return (0, identity_1.getAgentSecretsPath)(agentName).replace(os.homedir(), homeDir);
+}
+function loadAgentSecrets(agentName, deps = {}) {
+    const secretsPath = resolveAgentSecretsPath(agentName, deps);
+    const secretsDir = path.dirname(secretsPath);
+    fs.mkdirSync(secretsDir, { recursive: true });
+    let onDisk = {};
+    try {
+        onDisk = readJsonRecord(secretsPath, "secrets config");
+    }
+    catch (error) {
+        const message = error.message;
+        if (!message.includes("ENOENT"))
+            throw error;
+    }
+    return {
+        secretsPath,
+        secrets: deepMerge(DEFAULT_SECRETS_TEMPLATE, onDisk),
+    };
+}
+function writeSecrets(secretsPath, secrets) {
+    fs.writeFileSync(secretsPath, `${JSON.stringify(secrets, null, 2)}\n`, "utf8");
+}
+function writeProviderCredentials(agentName, provider, credentials, deps = {}) {
+    const { secretsPath, secrets } = loadAgentSecrets(agentName, deps);
+    applyCredentials(secrets, provider, credentials);
+    writeSecrets(secretsPath, secrets);
+    return { secretsPath, secrets };
+}
+function writeAgentModel(agentName, facing, modelName, deps = {}) {
+    const { configPath, config } = readAgentConfigForAgent(agentName, deps.bundlesRoot);
+    const facingKey = facing === "human" ? "humanFacing" : "agentFacing";
+    const facingBlock = config[facingKey];
+    const previousModel = facingBlock.model;
+    const provider = facingBlock.provider;
+    const nextConfig = {
+        ...config,
+        [facingKey]: { ...facingBlock, model: modelName },
+    };
+    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.config_model_updated",
+        message: "updated agent model in agent.json",
+        meta: { agentName, facing, provider, modelName, previousModel, configPath },
+    });
+    return { configPath, provider, previousModel };
+}
+function readCodexAccessToken(homeDir) {
+    const authPath = path.join(homeDir, ".codex", "auth.json");
+    try {
+        const raw = fs.readFileSync(authPath, "utf8");
+        const parsed = JSON.parse(raw);
+        const token = parsed?.tokens?.access_token;
+        return typeof token === "string" ? token.trim() : /* v8 ignore next -- defensive: codex login always writes a string token @preserve */ "";
+    }
+    catch {
+        return "";
+    }
+}
+function ensurePromptInput(promptInput, provider) {
+    if (promptInput)
+        return promptInput;
+    throw new Error(`No prompt input is available for ${provider} authentication.`);
+}
+function validateAnthropicToken(token) {
+    const trimmed = token.trim();
+    if (!trimmed) {
+        throw new Error("No Anthropic setup token was provided.");
+    }
+    if (!trimmed.startsWith(ANTHROPIC_SETUP_TOKEN_PREFIX)) {
+        throw new Error(`Invalid Anthropic setup token format. Expected prefix ${ANTHROPIC_SETUP_TOKEN_PREFIX}.`);
+    }
+    if (trimmed.length < ANTHROPIC_SETUP_TOKEN_MIN_LENGTH) {
+        throw new Error("Anthropic setup token looks too short.");
+    }
+    return trimmed;
+}
+async function collectRuntimeAuthCredentials(input, deps) {
+    const spawnSync = deps.spawnSync ?? child_process_1.spawnSync;
+    const homeDir = deps.homeDir ?? os.homedir();
+    if (input.provider === "github-copilot") {
+        let token = process.env.GH_TOKEN?.trim() || process.env.GITHUB_TOKEN?.trim() || "";
+        if (!token) {
+            const result = spawnSync("gh", ["auth", "token"], { encoding: "utf8" });
+            token = (result.status === 0 && result.stdout ? result.stdout.trim() : "");
+        }
+        if (!token) {
+            (0, runtime_1.emitNervesEvent)({
+                component: "daemon",
+                event: "daemon.auth_gh_login_start",
+                message: "starting gh auth login for runtime auth",
+                meta: { agentName: input.agentName },
+            });
+            const loginResult = spawnSync("gh", ["auth", "login"], { stdio: "inherit" });
+            if (loginResult.status !== 0) {
+                throw new Error("'gh auth login' failed. Install the GitHub CLI (gh) and try again.");
+            }
+            const retryResult = spawnSync("gh", ["auth", "token"], { encoding: "utf8" });
+            /* v8 ignore next -- branch: retry after login always succeeds in tests @preserve */
+            token = (retryResult.status === 0 && retryResult.stdout ? retryResult.stdout.trim() : "");
+            /* v8 ignore next -- defensive: gh auth login succeeded but token still missing @preserve */
+            if (!token) {
+                throw new Error("gh auth login completed but no token was found. Run `gh auth login` and try again.");
+            }
+        }
+        const response = await fetch("https://api.github.com/copilot_internal/user", {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        if (!response.ok) {
+            throw new Error(`GitHub Copilot endpoint discovery failed (HTTP ${response.status}). Ensure your GitHub account has Copilot access.`);
+        }
+        const body = await response.json();
+        const baseUrl = body?.endpoints?.api;
+        /* v8 ignore next -- defensive: valid response but missing endpoints field @preserve */
+        if (!baseUrl) {
+            throw new Error("GitHub Copilot endpoint discovery returned no endpoints.api. Ensure your GitHub account has Copilot access.");
+        }
+        return { githubToken: token, baseUrl };
+    }
+    if (input.provider === "openai-codex") {
+        // Always run codex login when auth is explicitly requested — stale tokens
+        // are indistinguishable from valid ones without an API call, and the user
+        // is asking to re-authenticate.
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.auth_codex_login_start",
+            message: "starting codex login for runtime auth",
+            meta: { agentName: input.agentName },
+        });
+        const result = spawnSync("codex", ["login"], { stdio: "inherit" });
+        if (result.error) {
+            throw new Error(`Failed to run 'codex login': ${result.error.message}`);
+        }
+        if (result.status !== 0) {
+            throw new Error(`'codex login' exited with status ${result.status}.`);
+        }
+        const token = readCodexAccessToken(homeDir);
+        if (!token) {
+            throw new Error("Codex login completed but no token was found in ~/.codex/auth.json. Re-run `codex login` and try again.");
+        }
+        return { oauthAccessToken: token };
+    }
+    if (input.provider === "anthropic") {
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.auth_claude_setup_start",
+            message: "starting claude setup-token for runtime auth",
+            meta: { agentName: input.agentName },
+        });
+        const result = spawnSync("claude", ["setup-token"], { stdio: "inherit" });
+        if (result.error) {
+            throw new Error(`Failed to run 'claude setup-token': ${result.error.message}`);
+        }
+        if (result.status !== 0) {
+            throw new Error(`'claude setup-token' exited with status ${result.status}.`);
+        }
+        const prompt = ensurePromptInput(input.promptInput, input.provider);
+        const setupToken = validateAnthropicToken(await prompt("Paste the setup token from `claude setup-token`: "));
+        // Exchange the setup token for an access+refresh token pair so auto-refresh works.
+        // The setup token IS the initial access token — we use it as a refresh token to
+        // get back a proper token pair from the OAuth endpoint.
+        /* v8 ignore start -- token exchange: requires live Anthropic OAuth endpoint @preserve */
+        try {
+            const { refreshAnthropicToken } = await Promise.resolve().then(() => __importStar(require("../providers/anthropic-token")));
+            const tokenState = await refreshAnthropicToken(setupToken);
+            if (tokenState) {
+                return {
+                    setupToken: tokenState.accessToken,
+                    refreshToken: tokenState.refreshToken,
+                    expiresAt: tokenState.expiresAt,
+                };
+            }
+        }
+        catch {
+            // Exchange failed — use the raw setup token as-is (it'll work until expiry)
+        }
+        /* v8 ignore stop */
+        return { setupToken };
+    }
+    // Generic prompt-for-fields fallback (minimax, azure, any future simple providers)
+    const prompt = ensurePromptInput(input.promptInput, input.provider);
+    const desc = identity_1.PROVIDER_CREDENTIALS[input.provider];
+    const creds = {};
+    for (const field of desc.required) {
+        /* v8 ignore next -- fallback: all current providers define promptLabels for required fields @preserve */
+        const label = desc.promptLabels[field] ?? field;
+        const value = (await prompt(`${label}: `)).trim();
+        if (!value)
+            throw new Error(`${label} is required.`);
+        creds[field] = value;
+    }
+    return creds;
+}
+async function resolveHatchCredentials(input) {
+    const credentials = { ...(input.credentials ?? {}) };
+    // If all required fields are already provided, return as-is
+    const cred = credentials;
+    const missing = identity_1.PROVIDER_CREDENTIALS[input.provider].required.some((key) => !cred[key]);
+    if (!missing)
+        return credentials;
+    // Try the full auth flow (wraps collectRuntimeAuthCredentials + writes secrets)
+    if (input.runAuthFlow) {
+        const result = await input.runAuthFlow({
+            agentName: input.agentName,
+            provider: input.provider,
+            promptInput: input.promptInput,
+        });
+        Object.assign(credentials, result.credentials);
+        /* v8 ignore next 3 -- branch: auth flow always fills all required fields in production @preserve */
+        if (!identity_1.PROVIDER_CREDENTIALS[input.provider].required.some((key) => !credentials[key])) {
+            return credentials;
+        }
+    }
+    // Prompt for any still-missing required fields
+    /* v8 ignore next -- guard: no promptInput means we can't collect remaining fields @preserve */
+    if (input.promptInput) {
+        const desc = identity_1.PROVIDER_CREDENTIALS[input.provider];
+        for (const field of desc.required) {
+            if (!cred[field]) {
+                const label = desc.promptLabels[field] ?? field;
+                cred[field] = await input.promptInput(`${label}: `);
+            }
+        }
+    }
+    return credentials;
+}
+function applyCredentials(secrets, provider, credentials) {
+    const target = secrets.providers[provider];
+    // Copy all non-empty credential fields to the provider's secrets block
+    for (const [key, value] of Object.entries(credentials)) {
+        /* v8 ignore next -- guard: skip null/empty fields from partial credential objects @preserve */
+        if (value != null && value !== "") {
+            target[key] = typeof value === "string" ? value.trim() : value;
+        }
+    }
+}
+async function runRuntimeAuthFlow(input, deps = {}) {
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_flow_start",
+        message: "starting runtime auth flow",
+        meta: { agentName: input.agentName, provider: input.provider },
+    });
+    const homeDir = deps.homeDir ?? os.homedir();
+    const credentials = await collectRuntimeAuthCredentials(input, deps);
+    const { secretsPath } = writeProviderCredentials(input.agentName, input.provider, credentials, { homeDir });
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_flow_end",
+        message: "completed runtime auth flow",
+        meta: { agentName: input.agentName, provider: input.provider, secretsPath },
+    });
+    return {
+        agentName: input.agentName,
+        provider: input.provider,
+        secretsPath,
+        message: `authenticated ${input.agentName} with ${input.provider}`,
+        credentials,
+    };
+}