@ouro.bot/cli 0.1.0-alpha.36 → 0.1.0-alpha.361

package/dist/outlook-ui/index.html

@@ -0,0 +1,15 @@
+<!doctype html>
+<html lang="en" class="dark">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="color-scheme" content="dark" />
+    <title>Ouro Outlook</title>
+    <meta name="description" content="The daemon-hosted shared orientation surface for agents alive on this machine." />
+    <script type="module" crossorigin src="/assets/index-xTdv64BV.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-LwChZTgL.css">
+  </head>
+  <body>
+    <div id="app"></div>
+  </body>
+</html>

package/dist/repertoire/ado-client.js

@@ -9,6 +9,7 @@ exports.discoverOrganizations = discoverOrganizations;
 exports.discoverProjects = discoverProjects;
 const api_error_1 = require("../heart/api-error");
 const runtime_1 = require("../nerves/runtime");
+const api_client_1 = require("./api-client");
 const ADO_BASE = "https://dev.azure.com";
 const VSSPS_BASE = "https://app.vssps.visualstudio.com";
 const DEFAULT_API_VERSION = "api-version=7.1";
@@ -30,62 +31,20 @@ function resolveContentType(method, path) {
 // Generic ADO API request. Returns response body as pretty-printed JSON string.
 // `host` overrides the base URL for non-standard APIs (e.g. "vsapm.dev.azure.com", "vssps.dev.azure.com").
 async function adoRequest(token, method, org, path, body, host) {
-    try {
-        const base = host ? `https://${host}/${org}` : `${ADO_BASE}/${org}`;
-        (0, runtime_1.emitNervesEvent)({
-            event: "client.request_start",
-            component: "clients",
-            message: "starting ADO request",
-            meta: { client: "ado", method, org, path },
-        });
-        const fullPath = ensureApiVersion(path);
-        const url = `${base}${fullPath}`;
-        const contentType = resolveContentType(method, path);
-        const opts = {
-            method,
-            headers: {
-                Authorization: `Bearer ${token}`,
-                "Content-Type": contentType,
-            },
-        };
-        if (body)
-            opts.body = body;
-        const res = await fetch(url, opts);
-        if (!res.ok) {
-            (0, runtime_1.emitNervesEvent)({
-                level: "error",
-                event: "client.error",
-                component: "clients",
-                message: "ADO request failed",
-                meta: { client: "ado", method, org, path, status: res.status },
-            });
-            return (0, api_error_1.handleApiError)(res, "ADO", "ado");
-        }
-        const data = await res.json();
-        (0, runtime_1.emitNervesEvent)({
-            event: "client.request_end",
-            component: "clients",
-            message: "ADO request completed",
-            meta: { client: "ado", method, org, path, success: true },
-        });
-        return JSON.stringify(data, null, 2);
-    }
-    catch (err) {
-        (0, runtime_1.emitNervesEvent)({
-            level: "error",
-            event: "client.error",
-            component: "clients",
-            message: "ADO request threw exception",
-            meta: {
-                client: "ado",
-                method,
-                org,
-                path,
-                reason: err instanceof Error ? err.message : String(err),
-            },
-        });
-        return (0, api_error_1.handleApiError)(err, "ADO", "ado");
-    }
+    const base = host ? `https://${host}/${org}` : `${ADO_BASE}/${org}`;
+    const fullPath = ensureApiVersion(path);
+    return (0, api_client_1.apiRequest)({
+        baseUrl: base,
+        method,
+        path: fullPath,
+        token,
+        clientName: "ado",
+        serviceLabel: "ADO",
+        connectionName: "ado",
+        body,
+        contentType: resolveContentType(method, path),
+        eventMeta: { org },
+    });
 }
 // Backward-compatible thin wrapper: runs WIQL query and returns formatted work items.
 async function queryWorkItems(token, org, query) {

package/dist/repertoire/ado-semantic.js

@@ -221,7 +221,7 @@ exports.adoSemanticToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_backlog_list",
-                description: "Query the backlog and return enriched work items with hierarchy, type, parent, assignee, area path, and iteration. Supports filtering. Use this instead of raw WIQL queries.",
+                description: "Query the backlog and return enriched work items with hierarchy, type, parent, assignee, area path, and iteration. Supports filtering. Use this instead of raw WIQL queries. Provides enriched results with hierarchy.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -279,6 +279,7 @@ exports.adoSemanticToolDefinitions = [
             return formatForChannel(items, ctx, organization, project);
         },
         integration: "ado",
+        summaryKeys: ["organization", "project"],
     },
     // -- ado_create_epic --
     {
@@ -286,7 +287,7 @@ exports.adoSemanticToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_create_epic",
-                description: "Create an epic in Azure DevOps with title, description, area path, and optional parent.",
+                description: "Create an epic in Azure DevOps with title, description, area path, and optional parent. Use ado_preview_changes first to dry-run the operation.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -317,7 +318,7 @@ exports.adoSemanticToolDefinitions = [
             return result;
         },
         integration: "ado",
-        confirmationRequired: true,
+        summaryKeys: ["organization", "project", "title"],
     },
     // -- ado_create_issue --
     {
@@ -325,7 +326,7 @@ exports.adoSemanticToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_create_issue",
-                description: "Create an issue or user story in Azure DevOps with title, description, area path, and parent epic.",
+                description: "Create an issue or user story in Azure DevOps with title, description, area path, and parent epic. Use ado_preview_changes first to dry-run the operation.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -358,7 +359,7 @@ exports.adoSemanticToolDefinitions = [
             return result;
         },
         integration: "ado",
-        confirmationRequired: true,
+        summaryKeys: ["organization", "project", "title"],
     },
     // -- ado_move_items --
     {
@@ -366,7 +367,7 @@ exports.adoSemanticToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_move_items",
-                description: "Reparent work items -- move them to a new parent epic or feature.",
+                description: "Reparent work items -- move them to a new parent epic or feature. Use ado_preview_changes first. These mutations affect real work items.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -412,7 +413,7 @@ exports.adoSemanticToolDefinitions = [
             return JSON.stringify({ moved, errors, organization: adoCtx.organization, project: adoCtx.project });
         },
         integration: "ado",
-        confirmationRequired: true,
+        summaryKeys: ["organization", "project", "workItemIds"],
     },
     // -- ado_restructure_backlog --
     {
@@ -420,7 +421,7 @@ exports.adoSemanticToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_restructure_backlog",
-                description: "Bulk restructure: reparent multiple work items in a single logical operation.",
+                description: "Bulk restructure: reparent multiple work items in a single logical operation. Use ado_preview_changes first. These mutations affect real work items.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -470,7 +471,7 @@ exports.adoSemanticToolDefinitions = [
             return JSON.stringify({ results, organization: adoCtx.organization, project: adoCtx.project });
         },
         integration: "ado",
-        confirmationRequired: true,
+        summaryKeys: ["organization", "project"],
     },
     // -- ado_validate_structure --
     {
@@ -671,7 +672,7 @@ exports.adoSemanticToolDefinitions = [
             return JSON.stringify({ results, organization: adoCtx.organization, project: adoCtx.project });
         },
         integration: "ado",
-        confirmationRequired: true,
+        summaryKeys: ["organization", "project"],
     },
     // -- ado_detect_orphans --
     {

package/dist/repertoire/api-client.js

@@ -0,0 +1,97 @@
+"use strict";
+/**
+ * Shared HTTP API client for Graph, ADO, and GitHub clients.
+ *
+ * All three API clients follow the same pattern: emit request_start event,
+ * build request with auth header, fetch, handle errors, emit request_end,
+ * and return pretty-printed JSON. This module extracts that shared logic.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.apiRequest = apiRequest;
+const api_error_1 = require("../heart/api-error");
+const runtime_1 = require("../nerves/runtime");
+const credential_access_1 = require("./credential-access");
+/**
+ * Execute an authenticated API request with standard logging and error handling.
+ * Returns the response body as a pretty-printed JSON string.
+ */
+async function apiRequest(options) {
+    const { baseUrl, method, path, token, clientName, serviceLabel, connectionName, body, extraHeaders, contentType, eventMeta, credentialDomain, credentialField, } = options;
+    // Resolve token from credential store if credentialDomain is provided
+    let resolvedToken = token;
+    if (credentialDomain) {
+        try {
+            const store = (0, credential_access_1.getCredentialStore)();
+            resolvedToken = await store.getRawSecret(credentialDomain, credentialField ?? "password");
+            (0, runtime_1.emitNervesEvent)({
+                event: "client.credential_fetch",
+                component: "clients",
+                message: `fetched credential from store for ${serviceLabel}`,
+                meta: { client: clientName, credentialDomain },
+            });
+        }
+        catch (err) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "client.credential_error",
+                component: "clients",
+                message: `failed to fetch credential for ${serviceLabel}`,
+                /* v8 ignore next -- defensive: getRawSecret throws Error instances @preserve */
+                meta: { client: clientName, credentialDomain, reason: err instanceof Error ? err.message : String(err) },
+            });
+            return (0, api_error_1.handleApiError)(err, serviceLabel, connectionName);
+        }
+    }
+    try {
+        (0, runtime_1.emitNervesEvent)({
+            event: "client.request_start",
+            component: "clients",
+            message: `starting ${serviceLabel} request`,
+            meta: { client: clientName, method, path, ...eventMeta },
+        });
+        const url = `${baseUrl}${path}`;
+        const headers = {
+            Authorization: `Bearer ${resolvedToken}`,
+            "Content-Type": contentType ?? "application/json",
+            ...extraHeaders,
+        };
+        const opts = { method, headers };
+        if (body)
+            opts.body = body;
+        const res = await fetch(url, opts);
+        if (!res.ok) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "client.error",
+                component: "clients",
+                message: `${serviceLabel} request failed`,
+                meta: { client: clientName, method, path, status: res.status, ...eventMeta },
+            });
+            return (0, api_error_1.handleApiError)(res, serviceLabel, connectionName);
+        }
+        const data = await res.json();
+        (0, runtime_1.emitNervesEvent)({
+            event: "client.request_end",
+            component: "clients",
+            message: `${serviceLabel} request completed`,
+            meta: { client: clientName, method, path, success: true, ...eventMeta },
+        });
+        return JSON.stringify(data, null, 2);
+    }
+    catch (err) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            event: "client.error",
+            component: "clients",
+            message: `${serviceLabel} request threw exception`,
+            meta: {
+                client: clientName,
+                method,
+                path,
+                reason: err instanceof Error ? err.message : String(err),
+                ...eventMeta,
+            },
+        });
+        return (0, api_error_1.handleApiError)(err, serviceLabel, connectionName);
+    }
+}

package/dist/repertoire/bitwarden-store.js

@@ -0,0 +1,319 @@
+"use strict";
+/**
+ * Bitwarden CLI credential store — wraps `bw` CLI for the agent's own vault.
+ *
+ * Unlike AacCredentialStore (which accesses someone else's vault via approval),
+ * this store authenticates directly as the agent using its own master password.
+ * The agent owns the vault, so no human-in-the-loop is needed.
+ *
+ * Requires the `bw` CLI to be installed. Session tokens are cached process-local.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BitwardenCredentialStore = void 0;
+const node_child_process_1 = require("node:child_process");
+const runtime_1 = require("../nerves/runtime");
+const bw_installer_1 = require("./bw-installer");
+// ---------------------------------------------------------------------------
+// bw CLI wrapper
+// ---------------------------------------------------------------------------
+function execBw(args, sessionToken) {
+    const env = sessionToken
+        ? { ...process.env, BW_SESSION: sessionToken }
+        : process.env;
+    return new Promise((resolve, reject) => {
+        (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout) => {
+            if (err) {
+                if (isBwNotInstalled(err)) {
+                    reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
+                    return;
+                }
+                reject(new Error(`bw CLI error: ${err.message}`));
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+/** Check if the error indicates the bw CLI binary is not installed. */
+function isBwNotInstalled(err) {
+    const msg = err.message.toLowerCase();
+    const code = err.code;
+    return code === "ENOENT" || msg.includes("enoent") || msg.includes("not found") || msg.includes("command not found");
+}
+/** Check if the error is transient (network/timeout) and worth retrying. */
+function isTransientError(err) {
+    const msg = err.message.toLowerCase();
+    return (msg.includes("econnrefused") ||
+        msg.includes("etimedout") ||
+        msg.includes("enotfound") ||
+        msg.includes("socket hang up") ||
+        msg.includes("503") ||
+        msg.includes("server unavailable"));
+}
+const MAX_RETRIES = 3;
+const BASE_BACKOFF_MS = 1000;
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+// ---------------------------------------------------------------------------
+// BitwardenCredentialStore
+// ---------------------------------------------------------------------------
+class BitwardenCredentialStore {
+    serverUrl;
+    email;
+    masterPassword;
+    sessionToken = null;
+    constructor(serverUrl, email, masterPassword) {
+        this.serverUrl = serverUrl;
+        this.email = email;
+        this.masterPassword = masterPassword;
+    }
+    isReady() {
+        return true;
+    }
+    /**
+     * Ensure the bw CLI is authenticated and unlocked.
+     * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
+     * Retries transient failures (network/timeout) up to MAX_RETRIES with exponential backoff.
+     */
+    async login() {
+        // Ensure bw CLI is installed before any bw commands
+        await (0, bw_installer_1.ensureBwCli)();
+        let lastError;
+        for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+            try {
+                await this.loginAttempt();
+                return;
+            }
+            catch (err) {
+                /* v8 ignore next -- defensive: loginAttempt always throws Error instances @preserve */
+                lastError = err instanceof Error ? err : new Error(String(err));
+                // Don't retry non-transient errors (auth failures, bw not installed)
+                if (!isTransientError(lastError)) {
+                    throw lastError;
+                }
+                // Don't retry after final attempt
+                if (attempt === MAX_RETRIES - 1)
+                    break;
+                const backoffMs = BASE_BACKOFF_MS * Math.pow(2, attempt);
+                (0, runtime_1.emitNervesEvent)({
+                    event: "repertoire.bw_login_retry",
+                    component: "repertoire",
+                    message: `bw login attempt ${attempt + 1} failed, retrying in ${backoffMs}ms`,
+                    meta: { attempt: attempt + 1, backoffMs, reason: lastError.message },
+                });
+                await delay(backoffMs);
+            }
+        }
+        throw lastError;
+    }
+    /** Single login attempt — called by login() retry loop. */
+    async loginAttempt() {
+        // Check current status
+        let status = {};
+        try {
+            const raw = await execBw(["status"]);
+            status = JSON.parse(raw);
+        }
+        catch (err) {
+            // If bw CLI is not installed or a transient error, propagate it for retry
+            if (err instanceof Error && (isBwNotInstalled(err) || isTransientError(err))) {
+                throw err;
+            }
+            // CLI not configured or broken — proceed with full setup
+        }
+        // Configure server URL if needed (only works when logged out)
+        if (status.status === "unauthenticated" || !status.serverUrl) {
+            try {
+                await execBw(["config", "server", this.serverUrl]);
+            }
+            catch {
+                // "Logout required" means already logged in — that's fine, skip config
+            }
+        }
+        if (status.status === "locked") {
+            // Already logged in, just needs unlock
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"]);
+            this.sessionToken = unlockOutput.trim();
+        }
+        else if (status.status === "unauthenticated" || !status.status) {
+            // Not logged in — full login
+            const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"]);
+            try {
+                const parsed = JSON.parse(loginOutput);
+                this.sessionToken = parsed.access_token ?? loginOutput.trim();
+            }
+            catch {
+                this.sessionToken = loginOutput.trim();
+            }
+        }
+        else {
+            // Status is "unlocked" — already good, just need the session token
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"]);
+            this.sessionToken = unlockOutput.trim();
+        }
+    }
+    async ensureSession() {
+        if (!this.sessionToken) {
+            await this.login();
+        }
+        /* v8 ignore next -- defensive: login() always sets sessionToken on success @preserve */
+        return this.sessionToken ?? undefined;
+    }
+    async get(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_start",
+            component: "repertoire",
+            message: `getting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        const item = await this.findItemByDomain(domain, session);
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_get_end",
+                component: "repertoire",
+                message: `no bw credential for ${domain}`,
+                meta: { domain, found: false, backend: "bitwarden" },
+            });
+            return null;
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_end",
+            component: "repertoire",
+            message: `bw credential found for ${domain}`,
+            meta: { domain, found: true, backend: "bitwarden" },
+        });
+        return {
+            domain: item.name,
+            username: item.login?.username,
+            notes: item.notes ?? undefined,
+            createdAt: item.revisionDate ?? new Date().toISOString(),
+        };
+    }
+    async getRawSecret(domain, field) {
+        const session = await this.ensureSession();
+        const item = await this.findItemByDomain(domain, session);
+        if (!item) {
+            throw new Error(`no credential found for domain "${domain}"`);
+        }
+        // Map common field names to bw item structure
+        let value;
+        if (field === "password") {
+            value = item.login?.password;
+        }
+        else if (field === "username") {
+            value = item.login?.username;
+        }
+        else {
+            value = item[field];
+        }
+        if (value === undefined || value === null) {
+            throw new Error(`field "${field}" not found for domain "${domain}"`);
+        }
+        return String(value);
+    }
+    async store(domain, data) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_start",
+            component: "repertoire",
+            message: `storing credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        // Create a new login item
+        const item = {
+            type: 1, // Login type
+            name: domain,
+            login: {
+                username: data.username ?? "",
+                password: data.password,
+                uris: [{ match: null, uri: `https://${domain}` }],
+            },
+            notes: data.notes ?? null,
+        };
+        const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
+        await execBw(["create", "item", encoded], session);
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_end",
+            component: "repertoire",
+            message: `credential stored via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+    }
+    async list() {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_list_start",
+            component: "repertoire",
+            message: "listing bw credentials",
+            meta: { backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        try {
+            const stdout = await execBw(["list", "items"], session);
+            const items = JSON.parse(stdout);
+            const results = items.map((item) => ({
+                domain: item.name,
+                username: item.login?.username,
+                notes: item.notes ?? undefined,
+                createdAt: item.revisionDate ?? new Date().toISOString(),
+            }));
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_list_end",
+                component: "repertoire",
+                message: "bw credentials listed",
+                meta: { backend: "bitwarden", count: results.length },
+            });
+            return results;
+        }
+        catch {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_list_end",
+                component: "repertoire",
+                message: "bw credential list failed",
+                meta: { backend: "bitwarden", count: 0 },
+            });
+            return [];
+        }
+    }
+    async delete(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_start",
+            component: "repertoire",
+            message: `deleting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const session = await this.ensureSession();
+        const item = await this.findItemByDomain(domain, session);
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_delete_end",
+                component: "repertoire",
+                message: `no bw credential to delete for ${domain}`,
+                meta: { domain, deleted: false, backend: "bitwarden" },
+            });
+            return false;
+        }
+        await execBw(["delete", "item", item.id], session);
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_end",
+            component: "repertoire",
+            message: `credential deleted via bw for ${domain}`,
+            meta: { domain, deleted: true, backend: "bitwarden" },
+        });
+        return true;
+    }
+    // --- Private ---
+    async findItemByDomain(domain, session) {
+        try {
+            const stdout = await execBw(["list", "items", "--search", domain], session);
+            const items = JSON.parse(stdout);
+            // Find exact match by name
+            return items.find((item) => item.name === domain) ?? items[0] ?? null;
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.BitwardenCredentialStore = BitwardenCredentialStore;

package/dist/repertoire/bundle-templates.js

@@ -0,0 +1,72 @@
+"use strict";
+/**
+ * Templates for agent bundle scaffolding.
+ *
+ * ## .gitignore design philosophy
+ *
+ * The bundle .gitignore handles FUNCTIONAL "shouldn't track" cases only:
+ *
+ *   - Runtime state (sessions, logs, runtime files) — stale data with no
+ *     value for review or history.
+ *   - Credentials — real secrets live in `~/.agentsecrets`, but defense
+ *     in depth in case anything leaks into the bundle.
+ *   - Editor / OS noise (.DS_Store, .idea/, etc.).
+ *   - Build artifacts (rare in bundles, but possible).
+ *
+ * It DOES NOT handle PII. The bundle is inherently full of PII — `friends/`,
+ * `diary/`, `journal/`, `psyche/`, `arc/`, `facts/`, `family/`, `travel/`
+ * etc. That's the point of the bundle; blocking those via .gitignore would
+ * defeat the purpose.
+ *
+ * PII is handled at first-push time by `bundle_first_push_review`, which
+ * enumerates PII-bearing directories, shows the agent counts, probes the
+ * remote URL for GitHub visibility, and hard-pauses until the human
+ * confirms. See Directive D in the planning doc.
+ *
+ * No content-pattern blocks (no `**\/sk-ant-*` or similar). Content-review
+ * failures are a different safety layer — credential scanning at commit
+ * time would be a follow-up feature.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PII_BUNDLE_DIRECTORIES = exports.BUNDLE_GITIGNORE_TEMPLATE = void 0;
+exports.BUNDLE_GITIGNORE_TEMPLATE = `# Runtime state — sessions, logs, runtime files, never tracked
+state/
+
+# Credentials — never tracked. Real secrets live in ~/.agentsecrets, but
+# defense in depth in case anything leaks into the bundle.
+.env
+.env.*
+secrets/
+**/*.key
+**/*.pem
+**/*.credentials
+**/*.pfx
+
+# Editor and OS noise
+.DS_Store
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Build artifacts (rare in bundles, but possible if a workspace lands here)
+node_modules/
+dist/
+`;
+/**
+ * PII-sensitive top-level directories. Enumerated here so `bundle_first_push_review`
+ * can categorize and count. Adding a new PII bucket to the bundle means adding
+ * it here so the first-push warning includes it.
+ */
+exports.PII_BUNDLE_DIRECTORIES = [
+    "friends",
+    "diary",
+    "journal",
+    "psyche",
+    "arc",
+    "facts",
+    "family",
+    "travel",
+    "notes",
+    "sessions",
+];