@ouro.bot/cli 0.1.0-alpha.363 → 0.1.0-alpha.365

package/dist/heart/daemon/cli-exec.js

@@ -62,10 +62,13 @@ const bundle_meta_1 = require("./hooks/bundle-meta");
 const agent_config_v2_1 = require("./hooks/agent-config-v2");
 const bundle_manifest_1 = require("../../mind/bundle-manifest");
 const tasks_1 = require("../../repertoire/tasks");
+const credential_access_1 = require("../../repertoire/credential-access");
+const vault_setup_1 = require("../../repertoire/vault-setup");
+const vault_unlock_1 = require("../../repertoire/vault-unlock");
 const thoughts_1 = require("./thoughts");
 const launchd_1 = require("./launchd");
 const auth_flow_1 = require("../auth/auth-flow");
-const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_credentials_1 = require("../provider-credentials");
 const provider_binding_resolver_1 = require("../provider-binding-resolver");
 const provider_state_1 = require("../provider-state");
 const machine_identity_1 = require("../machine-identity");
@@ -94,11 +97,10 @@ const DEFAULT_DAEMON_STARTUP_LOG_LINES = 10;
 async function checkAlreadyRunningAgentProviders(deps) {
     const agents = await Promise.resolve(deps.listDiscoveredAgents ? deps.listDiscoveredAgents() : (0, cli_defaults_1.defaultListDiscoveredAgents)());
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
-    const secretsRoot = deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
     const degraded = [];
     for (const agent of agents) {
         try {
-            const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot, secretsRoot);
+            const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot);
             if (result.ok)
                 continue;
             const errorReason = result.error ?? "agent provider health check failed";
@@ -132,8 +134,7 @@ async function checkAlreadyRunningAgentProviders(deps) {
 }
 async function checkProviderHealthBeforeChat(agentName, deps) {
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
-    const secretsRoot = deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
-    const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agentName, bundlesRoot, secretsRoot);
+    const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agentName, bundlesRoot);
     if (!result.ok) {
         const output = `${result.error}\n${result.fix ? `      fix:   ${result.fix}` : ""}`;
         deps.writeStdout(output);
@@ -492,8 +493,9 @@ async function checkManualCloneBundles(deps) {
             message: "bundle appears to be a manually cloned git repo",
             meta: { agent: agentDir, remote: remoteName },
         });
-        const answer = await deps.promptInput(`Bundle ${agentDir} appears to be a git clone with a remote. Enable sync? (y/n): `);
-        if (answer.trim().toLowerCase() === "y") {
+        /* v8 ignore next -- ?? fallback: promptInput always returns string in practice @preserve */
+        const answer = (await deps.promptInput(`Bundle ${agentDir} appears to be a git clone with a remote. Enable sync? (y/n): `)) ?? "";
+        if (answer.trim().toLowerCase() === "y" && fs.existsSync(agentJsonPath)) {
             const raw = fs.readFileSync(agentJsonPath, "utf-8");
             const config = JSON.parse(raw);
             config.sync = { enabled: true, remote: remoteName };
@@ -545,7 +547,7 @@ async function resolveHatchInput(command, deps) {
 }
 // ── Provider state CLI helpers ──
 function providerCliHomeDir(deps) {
-    return (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(deps.secretsRoot);
+    return (0, provider_credentials_1.providerCredentialMachineHomeDir)(deps.homeDir);
 }
 function providerCliAgentRoot(command, deps) {
     return path.join(deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)(), `${command.agent}.ouro`);
@@ -553,6 +555,144 @@ function providerCliAgentRoot(command, deps) {
 function providerCliNow(deps) {
     return new Date((deps.now ?? Date.now)());
 }
+function writeAgentVaultConfig(agentName, configPath, config, vault) {
+    const nextConfig = {
+        ...config,
+        vault: {
+            email: vault.email,
+            serverUrl: vault.serverUrl,
+        },
+    };
+    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.vault_config_written",
+        message: "wrote credential vault locator to agent config",
+        meta: { agentName, configPath, email: vault.email, serverUrl: vault.serverUrl },
+    });
+}
+async function executeVaultUnlock(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have a persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.");
+    }
+    const prompt = deps.promptInput;
+    if (!prompt)
+        throw new Error("vault unlock requires an interactive prompt to capture the vault unlock secret");
+    const { config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
+    const vault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
+    const unlockSecret = await prompt(`Ouro vault unlock secret for ${vault.email}: `);
+    const store = (0, vault_unlock_1.storeVaultUnlockSecret)({
+        agentName: command.agent,
+        email: vault.email,
+        serverUrl: vault.serverUrl,
+    }, unlockSecret, { homeDir: deps.homeDir, store: command.store });
+    (0, credential_access_1.resetCredentialStore)();
+    await (0, credential_access_1.getCredentialStore)(command.agent).get("__ouro_vault_probe__");
+    const message = [
+        `vault unlocked for ${command.agent} on this machine`,
+        `vault: ${vault.email} at ${vault.serverUrl}`,
+        `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeVaultCreate(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have a persistent credential vault. Create a vault for the hatchling agent, not SerpentGuide.");
+    }
+    const prompt = deps.promptInput;
+    const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
+    const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
+    const email = command.email ?? config.vault?.email ?? (prompt ? (await prompt("Ouro credential vault email: ")).trim() : "");
+    if (!email) {
+        throw new Error("vault create requires --email <email> when the agent bundle has no vault.email");
+    }
+    const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
+    const requestedUnlockSecret = command.generateUnlockSecret
+        ? ""
+        : prompt
+            ? (await prompt(`Choose Ouro vault unlock secret for ${email}: `)).trim()
+            : "";
+    if (!requestedUnlockSecret && !command.generateUnlockSecret) {
+        throw new Error("vault create requires an unlock secret. Re-run with an interactive terminal or pass --generate-unlock-secret.");
+    }
+    const unlockSecret = requestedUnlockSecret || (0, crypto_1.randomBytes)(32).toString("base64");
+    const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
+    if (!result.success) {
+        const message = [
+            `vault create failed for ${command.agent}: ${result.error}`,
+            "",
+            "If this vault account already exists, run:",
+            `  ouro vault unlock --agent ${command.agent}`,
+        ].join("\n");
+        deps.writeStdout(message);
+        return message;
+    }
+    writeAgentVaultConfig(command.agent, configPath, config, { email, serverUrl });
+    const store = (0, vault_unlock_1.storeVaultUnlockSecret)({
+        agentName: command.agent,
+        email,
+        serverUrl,
+    }, unlockSecret, { homeDir: deps.homeDir, store: command.store });
+    (0, credential_access_1.resetCredentialStore)();
+    await (0, credential_access_1.getCredentialStore)(command.agent).get("__ouro_vault_probe__");
+    const message = [
+        `vault created for ${command.agent}`,
+        `vault: ${email} at ${serverUrl}`,
+        `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
+        "Provider credentials will be stored in this agent's Ouro credential vault.",
+        ...(command.generateUnlockSecret
+            ? [
+                "",
+                `vault unlock secret: ${unlockSecret}`,
+                "",
+                "Store this in the operator password manager now. Another machine cannot unlock the vault without it.",
+            ]
+            : ["Store the vault unlock secret in the operator password manager. Another machine will need it once."]),
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeVaultStatus(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        const message = "SerpentGuide has no persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.";
+        deps.writeStdout(message);
+        return message;
+    }
+    const { config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
+    const vault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
+    const status = (0, vault_unlock_1.getVaultUnlockStatus)({
+        agentName: command.agent,
+        email: vault.email,
+        serverUrl: vault.serverUrl,
+    }, { homeDir: deps.homeDir, store: command.store });
+    const lines = [
+        `agent: ${command.agent}`,
+        `vault: ${vault.email} at ${vault.serverUrl}`,
+        `local unlock store: ${status.store ? `${status.store.kind}${status.store.secure ? "" : " (explicit plaintext fallback)"}` : "unavailable"}`,
+        `local unlock: ${status.stored ? "available" : "missing"}`,
+    ];
+    if (status.stored) {
+        const pool = await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
+        if (pool.ok) {
+            const summary = (0, provider_credentials_1.summarizeProviderCredentialPool)(pool.pool);
+            lines.push(`provider credentials: ${summary.providers.length === 0 ? "none stored" : ""}`);
+            for (const provider of summary.providers) {
+                lines.push(`  ${provider.provider}: credential fields ${provider.credentialFields.join(", ") || "none"}, config fields ${provider.configFields.join(", ") || "none"}`);
+            }
+        }
+        else {
+            lines.push(`provider credentials: unavailable (${pool.error})`);
+        }
+    }
+    else {
+        lines.push("");
+        lines.push(status.fix);
+    }
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
 function readOrBootstrapProviderState(agentName, deps) {
     const agentRoot = providerCliAgentRoot({ agent: agentName }, deps);
     const readResult = (0, provider_state_1.readProviderState)(agentRoot);
@@ -603,56 +743,15 @@ function pingAttemptCount(result) {
         return result.attempts.length;
     return undefined;
 }
-function providerCliLegacyRecord(agent, provider, deps) {
-    try {
-        const legacyCandidates = (0, provider_credential_pool_1.readLegacyAgentProviderCredentials)({
-            homeDir: providerCliHomeDir(deps),
-            agentName: agent,
-        });
-        const candidate = legacyCandidates.find((entry) => entry.provider === provider);
-        if (candidate)
-            return { credentials: candidate.credentials, config: candidate.config };
-    }
-    catch {
-        // Fall through to the injected/secretsRoot-aware legacy reader below.
-    }
-    try {
-        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(agent, { secretsRoot: deps.secretsRoot });
-        const providerSecrets = secrets.providers[provider];
-        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(provider, providerSecrets);
-        if (Object.keys(split.credentials).length === 0 && Object.keys(split.config).length === 0)
-            return null;
-        return split;
-    }
-    catch {
-        return null;
-    }
-}
-function readProviderCredentialRecord(agent, provider, deps) {
-    const homeDir = providerCliHomeDir(deps);
-    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir);
+async function readProviderCredentialRecord(agent, provider, _deps) {
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agent);
     if (poolResult.ok) {
         const existing = poolResult.pool.providers[provider];
         if (existing)
             return { ok: true, record: existing };
     }
-    else if (poolResult.reason === "invalid") {
-        return { ok: false, reason: "invalid", poolPath: poolResult.poolPath, error: poolResult.error };
-    }
-    const legacy = providerCliLegacyRecord(agent, provider, deps);
-    if (legacy) {
-        const record = (0, provider_credential_pool_1.upsertProviderCredential)({
-            homeDir,
-            provider,
-            credentials: legacy.credentials,
-            config: legacy.config,
-            provenance: {
-                source: "legacy-agent-secrets",
-                contributedByAgent: agent,
-            },
-            now: providerCliNow(deps),
-        });
-        return { ok: true, record };
+    else if (poolResult.reason === "invalid" || poolResult.reason === "unavailable") {
+        return { ok: false, reason: poolResult.reason, poolPath: poolResult.poolPath, error: poolResult.error };
     }
     return {
         ok: false,
@@ -702,7 +801,7 @@ async function executeProviderUse(command, deps, options = {}) {
         return message;
     };
     const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
-    const credential = readProviderCredentialRecord(command.agent, command.provider, deps);
+    const credential = await readProviderCredentialRecord(command.agent, command.provider, deps);
     if (!credential.ok) {
         if (!command.force) {
             const message = [
@@ -762,7 +861,7 @@ async function executeProviderUse(command, deps, options = {}) {
 async function executeProviderCheck(command, deps) {
     const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
     const binding = state.lanes[command.lane];
-    const credential = readProviderCredentialRecord(command.agent, binding.provider, deps);
+    const credential = await readProviderCredentialRecord(command.agent, binding.provider, deps);
     if (!credential.ok) {
         const message = [
             `${command.agent} ${command.lane} ${binding.provider} / ${binding.model}: unknown (${credential.error})`,
@@ -802,18 +901,18 @@ async function executeProviderCheck(command, deps) {
 }
 function renderProviderCredentialLine(credential) {
     if (credential.status === "present") {
-        const contributor = credential.contributedByAgent ? ` by ${credential.contributedByAgent}` : "";
         const credentialFields = credential.credentialFields.length > 0 ? ` credentials: ${credential.credentialFields.join(", ")}` : " credentials: none";
         const configFields = credential.configFields.length > 0 ? ` config: ${credential.configFields.join(", ")}` : " config: none";
-        return `credentials: present (${credential.source}${contributor}; ${credential.revision};${credentialFields};${configFields})`;
+        return `credentials: present in vault (${credential.source}; ${credential.revision};${credentialFields};${configFields})`;
     }
     if (credential.status === "invalid-pool") {
-        return `credentials: invalid pool (${credential.error}); repair: ${credential.repair.command}`;
+        return `credentials: vault unavailable (${credential.error}); repair: ${credential.repair.command}`;
     }
     return `credentials: missing; repair: ${credential.repair.command}`;
 }
-function executeProviderStatus(command, deps) {
+async function executeProviderStatus(command, deps) {
     const agentRoot = providerCliAgentRoot(command, deps);
+    await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
     const homeDir = providerCliHomeDir(deps);
     const lines = [`provider status: ${command.agent}`];
     for (const lane of ["outward", "inner"]) {
@@ -840,6 +939,45 @@ function executeProviderStatus(command, deps) {
     deps.writeStdout(message);
     return message;
 }
+async function executeProviderRefresh(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        const message = "SerpentGuide has no persistent provider credentials to refresh. Hatch bootstrap uses selected credentials in memory only.";
+        deps.writeStdout(message);
+        return message;
+    }
+    const pool = await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
+    const lines = [];
+    if (pool.ok) {
+        const summary = (0, provider_credentials_1.summarizeProviderCredentialPool)(pool.pool);
+        lines.push(`refreshed provider credential snapshot for ${command.agent}`);
+        lines.push(`providers: ${summary.providers.map((provider) => provider.provider).join(", ") || "none"}`);
+    }
+    else {
+        lines.push(`provider credential refresh failed for ${command.agent}: ${pool.error}`);
+        lines.push(`Run \`ouro vault unlock --agent ${command.agent}\`, then retry.`);
+    }
+    try {
+        const alive = await deps.checkSocketAlive(deps.socketPath);
+        if (alive) {
+            const response = await deps.sendCommand(deps.socketPath, { kind: "agent.restart", agent: command.agent });
+            if (response.ok) {
+                lines.push(`restarted ${command.agent} so the running agent reloads credentials`);
+            }
+            else {
+                lines.push(`daemon restart skipped: ${response.error ?? response.message ?? "unknown daemon error"}`);
+            }
+        }
+        else {
+            lines.push("daemon is not running; the next start will load the refreshed snapshot");
+        }
+    }
+    catch (error) {
+        lines.push(`daemon restart skipped: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
 async function executeLegacyAuthSwitch(command, deps) {
     const { state } = readOrBootstrapProviderState(command.agent, deps);
     const lanes = command.facing
@@ -854,6 +992,7 @@ async function executeLegacyAuthSwitch(command, deps) {
             lane,
             provider: command.provider,
             model,
+            force: true,
             legacyFacing: command.facing,
         }, deps, { writeStdout: false }));
     }
@@ -870,7 +1009,7 @@ async function executeLegacyConfigModel(command, deps) {
     const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
     const binding = state.lanes[lane];
     if (binding.provider === "github-copilot") {
-        const credential = readProviderCredentialRecord(command.agent, "github-copilot", deps);
+        const credential = await readProviderCredentialRecord(command.agent, "github-copilot", deps);
         if (credential.ok) {
             const ghConfig = {
                 ...credential.record.config,
@@ -1353,10 +1492,15 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                         message: "user chose clone in first-run flow",
                         meta: {},
                     });
-                    const remote = await deps.promptInput("Enter the git remote URL for the agent bundle: ");
-                    // Run clone execution path
-                    const cloneCommand = { kind: "clone", remote: remote.trim() };
-                    return await runOuroCli(["clone", cloneCommand.remote], deps);
+                    /* v8 ignore next -- ?? fallback: promptInput always returns string in practice @preserve */
+                    const remote = (await deps.promptInput("Enter the git remote URL for the agent bundle: "))?.trim() ?? "";
+                    if (!remote) {
+                        deps.writeStdout("no remote URL provided — skipping clone");
+                        // Fall through to hatch flow
+                    }
+                    else {
+                        return await runOuroCli(["clone", remote], deps);
+                    }
                 }
                 (0, runtime_1.emitNervesEvent)({
                     component: "daemon",
@@ -1635,15 +1779,12 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             else {
                 await (0, agentic_repair_1.runAgenticRepair)(daemonResult.stability.degraded, {
                     /* v8 ignore start -- production provider discovery wiring @preserve */
-                    discoverWorkingProvider: async () => {
+                    discoverWorkingProvider: async (agentName) => {
                         const { discoverWorkingProvider: discover } = await Promise.resolve().then(() => __importStar(require("./provider-discovery")));
-                        const { discoverExistingCredentials } = await Promise.resolve().then(() => __importStar(require("./cli-defaults")));
                         const { pingProvider } = await Promise.resolve().then(() => __importStar(require("../provider-ping")));
                         return discover({
-                            discoverExistingCredentials,
+                            agentName,
                             pingProvider: pingProvider,
-                            env: process.env,
-                            secretsRoot: deps.secretsRoot ?? `${process.env["HOME"]}/.agentsecrets`,
                         });
                     },
                     createProviderRuntime: agentic_repair_1.createAgenticDiagnosisProviderRuntime,
@@ -2263,6 +2404,18 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     if (command.kind === "provider.status") {
         return executeProviderStatus(command, deps);
     }
+    if (command.kind === "provider.refresh") {
+        return executeProviderRefresh(command, deps);
+    }
+    if (command.kind === "vault.unlock") {
+        return executeVaultUnlock(command, deps);
+    }
+    if (command.kind === "vault.create") {
+        return executeVaultCreate(command, deps);
+    }
+    if (command.kind === "vault.status") {
+        return executeVaultStatus(command, deps);
+    }
     // ── auth (local, no daemon socket needed) ──
     if (command.kind === "auth.run") {
         const provider = command.provider ?? (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot).config.humanFacing.provider;
@@ -2273,29 +2426,18 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             provider,
             promptInput: deps.promptInput,
         });
-        const credentials = (result.credentials ?? {});
-        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(provider, credentials);
-        if (Object.keys(split.credentials).length > 0 || Object.keys(split.config).length > 0) {
-            (0, provider_credential_pool_1.upsertProviderCredential)({
-                homeDir: providerCliHomeDir(deps),
-                provider,
-                credentials: split.credentials,
-                config: split.config,
-                provenance: {
-                    source: "auth-flow",
-                    contributedByAgent: command.agent,
-                },
-                now: providerCliNow(deps),
-            });
-        }
         // Behavior: ouro auth stores credentials only — does NOT switch provider.
         // Use `ouro auth switch` to change the active provider.
         deps.writeStdout(result.message);
         // Verify the credentials actually work by pinging the provider
         /* v8 ignore start -- integration: real API ping after auth @preserve */
         try {
-            const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-            const status = await verifyProviderCredentials(provider, secrets.providers);
+            const credential = await readProviderCredentialRecord(command.agent, provider, deps);
+            const status = credential.ok
+                ? await verifyProviderCredentials(provider, {
+                    [provider]: { ...credential.record.config, ...credential.record.credentials },
+                })
+                : `stored but could not be re-read from vault (${credential.error})`;
             deps.writeStdout(`${provider}: ${status}`);
         }
         catch {
@@ -2307,19 +2449,35 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     // ── auth verify (local, no daemon socket needed) ──
     /* v8 ignore start -- auth verify/switch: tested in daemon-cli.test.ts but v8 traces differ in CI @preserve */
     if (command.kind === "auth.verify") {
-        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-        const providers = secrets.providers;
+        const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
+        if (!poolResult.ok) {
+            const message = `vault unavailable: ${poolResult.error}\nRun \`ouro vault unlock --agent ${command.agent}\`, then retry.`;
+            deps.writeStdout(message);
+            return message;
+        }
         if (command.provider) {
-            const status = await verifyProviderCredentials(command.provider, providers);
+            const record = poolResult.pool.providers[command.provider];
+            if (!record) {
+                const message = `${command.provider}: missing. Run \`ouro auth --agent ${command.agent} --provider ${command.provider}\`.`;
+                deps.writeStdout(message);
+                return message;
+            }
+            const status = await verifyProviderCredentials(command.provider, {
+                [command.provider]: { ...record.config, ...record.credentials },
+            });
             const message = `${command.provider}: ${status}`;
             deps.writeStdout(message);
             return message;
         }
         const lines = [];
-        for (const p of Object.keys(providers)) {
-            const status = await verifyProviderCredentials(p, providers);
+        for (const [p, record] of Object.entries(poolResult.pool.providers)) {
+            const status = await verifyProviderCredentials(p, {
+                [p]: { ...record.config, ...record.credentials },
+            });
             lines.push(`${p}: ${status}`);
         }
+        if (lines.length === 0)
+            lines.push(`no provider credentials in ${command.agent}'s vault`);
         const message = lines.join("\n");
         deps.writeStdout(message);
         return message;
@@ -2339,9 +2497,11 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             deps.writeStdout(message);
             return message;
         }
-        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-        const ghConfig = secrets.providers["github-copilot"];
-        if (!ghConfig.githubToken || !ghConfig.baseUrl) {
+        const credential = await readProviderCredentialRecord(command.agent, "github-copilot", deps);
+        const ghConfig = credential.ok
+            ? { ...credential.record.config, ...credential.record.credentials }
+            : {};
+        if (typeof ghConfig.githubToken !== "string" || typeof ghConfig.baseUrl !== "string") {
             throw new Error(`github-copilot credentials not configured. Run \`ouro auth --agent ${command.agent} --provider github-copilot\` first.`);
         }
         const fetchFn = deps.fetchImpl ?? fetch;
@@ -2722,7 +2882,10 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             await deps.startChat(hatchInput.agentName);
             return "";
         }
-        const message = `hatched ${hatchInput.agentName} at ${result.bundleRoot} using specialist identity ${result.selectedIdentity}; ${daemonResult.message}`;
+        const vaultLine = result.vaultUnlockSecret
+            ? `\nvault unlock secret for ${hatchInput.agentName}: ${result.vaultUnlockSecret}\nUse this with \`ouro vault unlock --agent ${hatchInput.agentName}\` on another machine.`
+            : "";
+        const message = `hatched ${hatchInput.agentName} at ${result.bundleRoot} using specialist identity ${result.selectedIdentity}; ${daemonResult.message}${vaultLine}`;
         deps.writeStdout(message);
         return message;
     }
@@ -2787,10 +2950,18 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         try {
             (0, child_process_1.execFileSync)("git", ["ls-remote", "--exit-code", command.remote], { stdio: "pipe", timeout: 15000 });
         }
-        catch {
-            const message = `could not reach remote: ${command.remote}\nCheck the URL and your network connection.`;
-            deps.writeStdout(message);
-            return message;
+        catch (lsErr) {
+            const stderr = lsErr?.stderr?.toString() ?? "";
+            const isAuth = stderr.includes("Authentication failed")
+                || stderr.includes("could not read Username")
+                || stderr.includes("terminal prompts disabled")
+                || stderr.includes("403")
+                || stderr.includes("401");
+            const hint = isAuth
+                ? `authentication failed for: ${command.remote}\nSet up credentials first:\n  gh auth login          (GitHub repos)\n  git config credential.helper store   (other hosts)`
+                : `could not reach remote: ${command.remote}\nCheck the URL and your network connection.`;
+            deps.writeStdout(hint);
+            return hint;
         }
         // 5. Clone
         (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_git_clone", message: "cloning agent bundle", meta: { remote: command.remote, targetPath } });
@@ -2800,18 +2971,79 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_identity_created", message: "machine identity created", meta: {} });
         // 7. Enable sync in agent.json
         const agentJsonPath = path.join(targetPath, "agent.json");
+        let syncEnabled = false;
         if (fs.existsSync(agentJsonPath)) {
             const raw = fs.readFileSync(agentJsonPath, "utf-8");
             const config = JSON.parse(raw);
             config.sync = { enabled: true, remote: "origin" };
             fs.writeFileSync(agentJsonPath, JSON.stringify(config, null, 2) + "\n");
+            syncEnabled = true;
             (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_sync_enabled", message: "sync enabled in agent.json", meta: { agentName } });
         }
+        else {
+            (0, runtime_1.emitNervesEvent)({ level: "warn", component: "daemon", event: "daemon.clone_no_agent_json", message: "cloned repo has no agent.json — may not be a valid bundle", meta: { agentName, targetPath } });
+        }
         // 8. Output success message
         (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_complete", message: "clone complete", meta: { agentName, targetPath } });
-        const message = `cloned ${agentName} to ${targetPath}\nsync enabled (remote: origin)\nnext steps:\n  ouro auth run --agent ${agentName}`;
-        deps.writeStdout(message);
-        return message;
+        const syncMsg = syncEnabled ? "\nsync enabled (remote: origin)" : "\nwarning: no agent.json found — this may not be a valid agent bundle";
+        deps.writeStdout(`cloned ${agentName} to ${targetPath}${syncMsg}`);
+        // 9. Guided post-clone flow (when interactive)
+        if (deps.promptInput) {
+            // Auth
+            const authAnswer = await deps.promptInput(`\nSet up provider auth now? (y/n): `) ?? "";
+            if (authAnswer.trim().toLowerCase() === "y") {
+                (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_chain_auth", message: "chaining auth from clone flow", meta: { agentName } });
+                try {
+                    await runOuroCli(["auth", "--agent", agentName], deps);
+                    /* v8 ignore start -- chained command failures: tested via interactive clone test, catch branches are defensive @preserve */
+                }
+                catch (e) {
+                    deps.writeStdout(`auth setup failed: ${e instanceof Error ? e.message : String(e)}\nYou can retry later with: ouro auth run --agent ${agentName}`);
+                }
+                /* v8 ignore stop */
+            }
+            // Daemon
+            const upAnswer = await deps.promptInput(`\nStart the daemon now? (y/n): `) ?? "";
+            if (upAnswer.trim().toLowerCase() === "y") {
+                (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_chain_up", message: "chaining daemon start from clone flow", meta: { agentName } });
+                try {
+                    await runOuroCli(["up"], deps);
+                    /* v8 ignore start -- chained command failures: defensive catch @preserve */
+                }
+                catch (e) {
+                    deps.writeStdout(`daemon start failed: ${e instanceof Error ? e.message : String(e)}\nYou can retry later with: ouro up`);
+                }
+                /* v8 ignore stop */
+            }
+            // Dev tool setup
+            const setupAnswer = await deps.promptInput(`\nSet up Claude Code integration? (y/n): `) ?? "";
+            if (setupAnswer.trim().toLowerCase() === "y") {
+                (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_chain_setup", message: "chaining dev tool setup from clone flow", meta: { agentName } });
+                try {
+                    await runOuroCli(["setup", "--tool", "claude-code", "--agent", agentName], deps);
+                    /* v8 ignore start -- chained command failures: defensive catch @preserve */
+                }
+                catch (e) {
+                    deps.writeStdout(`dev tool setup failed: ${e instanceof Error ? e.message : String(e)}\nYou can retry later with: ouro setup --tool claude-code --agent ${agentName}`);
+                }
+                /* v8 ignore stop */
+            }
+        }
+        else {
+            deps.writeStdout(`\nnext steps:\n  ouro auth run --agent ${agentName}\n  ouro up\n  ouro setup --tool claude-code --agent ${agentName}`);
+        }
+        /* v8 ignore start -- PATH hint: only fires inside npx, not testable in vitest @preserve */
+        if (process.env.npm_execpath) {
+            const shell = process.env.SHELL ? path.basename(process.env.SHELL) : "";
+            const bashProfile = process.platform === "darwin" ? "~/.bash_profile" : "~/.bashrc";
+            const sourceCmd = shell === "zsh" ? "source ~/.zshrc"
+                : shell === "bash" ? `source ${bashProfile}`
+                    : shell === "fish" ? "source ~/.config/fish/config.fish"
+                        : "restart your shell";
+            deps.writeStdout(`\ntip: if 'ouro' is not found, run: ${sourceCmd}`);
+        }
+        /* v8 ignore stop */
+        return `clone complete: ${agentName}`;
     }
     const daemonCommand = toDaemonCommand(command);
     let response;