@ouro.bot/cli 0.1.0-alpha.363 → 0.1.0-alpha.365

package/dist/heart/daemon/cli-parse.js

@@ -65,6 +65,7 @@ function usage() {
         "  ouro status --agent <name>",
         "  ouro use --agent <name> --lane outward|inner --provider <provider> --model <model> [--force]",
         "  ouro check --agent <name> --lane outward|inner",
+        "  ouro provider refresh --agent <name>",
         "  ouro outlook [--json]",
         "  ouro -v|--version",
         "  ouro config model --agent <name> <model-name>",
@@ -72,6 +73,9 @@ function usage() {
         "  ouro auth --agent <name> [--provider <provider>]",
         "  ouro auth verify --agent <name> [--provider <provider>]",
         "  ouro auth switch --agent <name> --provider <provider>",
+        "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>] [--generate-unlock-secret]",
+        "  ouro vault unlock --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
+        "  ouro vault status --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro chat <agent>",
         "  ouro msg --to <agent> [--session <id>] [--task <ref>] <message>",
         "  ouro poke <agent> --task <task-id>",
@@ -426,6 +430,61 @@ function parseAuthCommand(args) {
     }
     return provider ? { kind: "auth.run", agent, provider } : { kind: "auth.run", agent };
 }
+function isVaultUnlockStoreKind(value) {
+    return value === "auto" || value === "macos-keychain" || value === "windows-dpapi" || value === "linux-secret-service" || value === "plaintext-file";
+}
+function parseVaultCommand(args) {
+    const sub = args[0];
+    const { agent, rest } = extractAgentFlag(args.slice(1));
+    let email;
+    let serverUrl;
+    let store;
+    let generateUnlockSecret = false;
+    for (let i = 0; i < rest.length; i += 1) {
+        const token = rest[i];
+        if (token === "--email") {
+            email = rest[i + 1];
+            i += 1;
+            continue;
+        }
+        if (token === "--server") {
+            serverUrl = rest[i + 1];
+            i += 1;
+            continue;
+        }
+        if (token === "--store") {
+            const value = rest[i + 1];
+            if (!isVaultUnlockStoreKind(value)) {
+                throw new Error("vault --store must be auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file");
+            }
+            store = value;
+            i += 1;
+            continue;
+        }
+        if (token === "--generate-unlock-secret") {
+            generateUnlockSecret = true;
+            continue;
+        }
+        throw new Error("Usage: ouro vault create|unlock|status --agent <name>");
+    }
+    if (!agent || (sub !== "create" && sub !== "unlock" && sub !== "status")) {
+        throw new Error("Usage: ouro vault create|unlock|status --agent <name>");
+    }
+    if (sub === "create") {
+        return {
+            kind: "vault.create",
+            agent,
+            ...(email ? { email } : {}),
+            ...(serverUrl ? { serverUrl } : {}),
+            ...(store ? { store } : {}),
+            ...(generateUnlockSecret ? { generateUnlockSecret: true } : {}),
+        };
+    }
+    if (sub === "unlock") {
+        return { kind: "vault.unlock", agent, ...(store ? { store } : {}) };
+    }
+    return { kind: "vault.status", agent, ...(store ? { store } : {}) };
+}
 function parseProviderUseCommand(args) {
     const { agent, rest: afterAgent } = extractAgentFlag(args);
     const { facing, rest: afterFacing } = extractFacingFlag(afterAgent);
@@ -483,6 +542,14 @@ function parseProviderCheckCommand(args) {
         ...(facing ? { legacyFacing: facing } : {}),
     };
 }
+function parseProviderCommand(args) {
+    const sub = args[0];
+    const { agent, rest } = extractAgentFlag(args.slice(1));
+    if (sub === "refresh" && agent && rest.length === 0) {
+        return { kind: "provider.refresh", agent };
+    }
+    throw new Error("Usage: ouro provider refresh --agent <name>");
+}
 function parseReminderCommand(args) {
     const { agent, rest: cleaned } = extractAgentFlag(args);
     const [sub, ...rest] = cleaned;
@@ -878,6 +945,8 @@ function parseOuroCommand(args) {
         return parseProviderUseCommand(args.slice(1));
     if (head === "check")
         return parseProviderCheckCommand(args.slice(1));
+    if (head === "provider")
+        return parseProviderCommand(args.slice(1));
     if (head === "logs") {
         if (second === "prune")
             return { kind: "daemon.logs.prune" };
@@ -889,6 +958,8 @@ function parseOuroCommand(args) {
         return parseHatchCommand(args.slice(1));
     if (head === "auth")
         return parseAuthCommand(args.slice(1));
+    if (head === "vault")
+        return parseVaultCommand(args.slice(1));
     if (head === "task")
         return parseTaskCommand(args.slice(1));
     if (head === "reminder")

package/dist/heart/daemon/daemon-cli.js

@@ -14,7 +14,7 @@
  * ouro-entry.ts, ouro-bot-wrapper.ts) continue to work unchanged.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.discoverExistingCredentials = exports.readFirstBundleMetaVersion = exports.createDefaultOuroCliDeps = exports.pingGithubCopilotModel = exports.listGithubCopilotModels = exports.ensureDaemonRunning = exports.runOuroCli = exports.parseOuroCommand = void 0;
+exports.readFirstBundleMetaVersion = exports.createDefaultOuroCliDeps = exports.pingGithubCopilotModel = exports.listGithubCopilotModels = exports.ensureDaemonRunning = exports.runOuroCli = exports.parseOuroCommand = void 0;
 // ── Parsing ──
 var cli_parse_1 = require("./cli-parse");
 Object.defineProperty(exports, "parseOuroCommand", { enumerable: true, get: function () { return cli_parse_1.parseOuroCommand; } });
@@ -29,4 +29,3 @@ Object.defineProperty(exports, "pingGithubCopilotModel", { enumerable: true, get
 var cli_defaults_1 = require("./cli-defaults");
 Object.defineProperty(exports, "createDefaultOuroCliDeps", { enumerable: true, get: function () { return cli_defaults_1.createDefaultOuroCliDeps; } });
 Object.defineProperty(exports, "readFirstBundleMetaVersion", { enumerable: true, get: function () { return cli_defaults_1.readFirstBundleMetaVersion; } });
-Object.defineProperty(exports, "discoverExistingCredentials", { enumerable: true, get: function () { return cli_defaults_1.discoverExistingCredentials; } });

package/dist/heart/daemon/daemon-entry.js

@@ -54,7 +54,6 @@ const habit_migration_1 = require("../habits/habit-migration");
 const os_cron_deps_1 = require("./os-cron-deps");
 const os_cron_1 = require("./os-cron");
 const daemon_tombstone_1 = require("./daemon-tombstone");
-const os = __importStar(require("os"));
 const agent_config_check_1 = require("./agent-config-check");
 const pulse_1 = require("./pulse");
 const socket_client_1 = require("./socket-client");
@@ -102,8 +101,7 @@ const processManager = new process_manager_1.DaemonProcessManager({
     /* v8 ignore next 4 -- wiring: delegates to checkAgentConfigWithProviderHealth which has full unit tests @preserve */
     configCheck: async (agent) => {
         const bundlesRoot = (0, identity_1.getAgentBundlesRoot)();
-        const secretsRoot = path.join(os.homedir(), ".agentsecrets");
-        return (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot, secretsRoot);
+        return (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot);
     },
     /* v8 ignore start -- pulse flush wiring: integration code; flushPulse itself has full unit tests @preserve */
     onSnapshotChange: () => {

package/dist/heart/daemon/doctor.js

@@ -300,38 +300,18 @@ function checkHabits(deps) {
 function checkSecurity(deps) {
     const checks = [];
     const agents = discoverAgents(deps);
-    const providerPoolPath = `${deps.secretsRoot}/providers.json`;
-    if (deps.existsSync(providerPoolPath)) {
-        const stat = deps.statSync(providerPoolPath);
-        const worldReadable = (stat.mode & 0o004) !== 0;
-        checks.push({
-            label: "machine provider credentials perms",
-            status: worldReadable ? "warn" : "pass",
-            detail: worldReadable ? "world-readable — consider chmod 600" : "not world-readable",
-        });
-        try {
-            JSON.parse(deps.readFileSync(providerPoolPath));
-            checks.push({ label: "machine provider credentials", status: "pass", detail: "readable JSON" });
-        }
-        catch {
-            checks.push({ label: "machine provider credentials", status: "fail", detail: "unparseable JSON" });
-        }
-    }
     for (const agentDir of agents) {
         const agentName = agentDir.replace(/\.ouro$/, "");
         const secretsPath = `${deps.secretsRoot}/${agentName}/secrets.json`;
-        if (!deps.existsSync(secretsPath)) {
-            checks.push({ label: `${agentDir} secrets.json`, status: "fail", detail: "missing" });
-            continue;
-        }
-        // Check file permissions
-        const stat = deps.statSync(secretsPath);
-        const worldReadable = (stat.mode & 0o004) !== 0;
-        if (worldReadable) {
-            checks.push({ label: `${agentDir} secrets.json perms`, status: "warn", detail: "world-readable — consider chmod 600" });
-        }
-        else {
-            checks.push({ label: `${agentDir} secrets.json perms`, status: "pass", detail: "not world-readable" });
+        if (deps.existsSync(secretsPath)) {
+            const stat = deps.statSync(secretsPath);
+            const worldReadable = (stat.mode & 0o004) !== 0;
+            if (worldReadable) {
+                checks.push({ label: `${agentDir} legacy secrets.json perms`, status: "warn", detail: "world-readable — consider deleting or chmod 600" });
+            }
+            else {
+                checks.push({ label: `${agentDir} legacy secrets.json perms`, status: "pass", detail: "not world-readable" });
+            }
         }
         // Check agent.json for leaked credential keys
         const configPath = `${deps.bundlesRoot}/${agentDir}/agent.json`;

package/dist/heart/daemon/provider-discovery.js

@@ -1,19 +1,20 @@
 "use strict";
 /**
- * Shared provider discovery — single path for finding a working LLM provider.
+ * Shared provider discovery for repair.
  *
- * Scans machine-pool credentials, legacy disk credentials, and environment variables,
- * deduplicates by provider, then pings each candidate to validate credentials actually work.
+ * Runtime repair only trusts the agent vault. First-run conveniences may still
+ * inspect env vars before credentials are stored, but once an agent exists the
+ * vault is the source of truth.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.scanEnvVarCredentials = scanEnvVarCredentials;
 exports.discoverWorkingProvider = discoverWorkingProvider;
 const identity_1 = require("../identity");
-const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_credentials_1 = require("../provider-credentials");
 const runtime_1 = require("../../nerves/runtime");
 /**
- * Scan environment variables for API keys using the canonical PROVIDER_CREDENTIALS descriptor.
- * Returns one DiscoveredCredential per provider that has at least one required field set.
+ * Scan environment variables for API keys during first-run bootstrap.
+ * This does not participate in runtime provider repair.
  */
 function scanEnvVarCredentials(env) {
     const results = [];
@@ -25,7 +26,6 @@ function scanEnvVarCredentials(env) {
                 cred[credKey] = value;
             }
         }
-        // Only register if at least one required field was found
         const hasRequired = desc.required.some((key) => !!cred[key]);
         if (hasRequired) {
             results.push({
@@ -45,62 +45,35 @@ function stringifyProviderFields(fields) {
     }
     return result;
 }
-function machinePoolSource(record) {
-    if (record.provenance.contributedByAgent) {
-        return `machine-pool:${record.provenance.contributedByAgent}`;
-    }
-    return `machine-pool:${record.provenance.source}`;
-}
-function discoverMachinePoolCredentials(secretsRoot) {
-    const homeDir = (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(secretsRoot);
-    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir);
-    if (!poolResult.ok)
-        return [];
-    const credentials = [];
-    for (const [, record] of Object.entries(poolResult.pool.providers)) {
-        credentials.push({
-            provider: record.provider,
-            agentName: machinePoolSource(record),
-            credentials: stringifyProviderFields(record.credentials),
-            providerConfig: stringifyProviderFields(record.config),
-        });
-    }
-    return credentials;
+function discoveredFromVaultRecord(record) {
+    return {
+        provider: record.provider,
+        agentName: "vault",
+        credentials: stringifyProviderFields(record.credentials),
+        providerConfig: stringifyProviderFields(record.config),
+    };
 }
-/**
- * Discover the first working provider by scanning configured credential sources,
- * deduplicating by provider, and pinging each candidate.
- */
 async function discoverWorkingProvider(deps) {
-    const poolCreds = discoverMachinePoolCredentials(deps.secretsRoot);
-    const diskCreds = deps.discoverExistingCredentials(deps.secretsRoot);
-    const envCreds = scanEnvVarCredentials(deps.env);
-    // Deduplicate: machine pool first, legacy per-agent disk next, env vars last.
-    const seenProviders = new Set();
-    const candidates = [];
-    for (const cred of poolCreds) {
-        seenProviders.add(cred.provider);
-        candidates.push(cred);
-    }
-    for (const cred of diskCreds) {
-        if (!seenProviders.has(cred.provider)) {
-            seenProviders.add(cred.provider);
-            candidates.push(cred);
-        }
-    }
-    for (const cred of envCreds) {
-        if (!seenProviders.has(cred.provider)) {
-            seenProviders.add(cred.provider);
-            candidates.push(cred);
-        }
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(deps.agentName);
+    if (!poolResult.ok) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "daemon",
+            event: "daemon.provider_discovery_none",
+            message: "provider discovery could not read agent vault",
+            meta: { agentName: deps.agentName, reason: poolResult.reason },
+        });
+        return null;
     }
+    const candidates = Object.entries(poolResult.pool.providers)
+        .map(([, record]) => discoveredFromVaultRecord(record));
     if (candidates.length === 0) {
         (0, runtime_1.emitNervesEvent)({
             level: "info",
             component: "daemon",
             event: "daemon.provider_discovery_none",
-            message: "no provider credentials found in machine pool, legacy disk, or environment",
-            meta: {},
+            message: "no provider credentials found in agent vault",
+            meta: { agentName: deps.agentName },
         });
         return null;
     }
@@ -111,7 +84,7 @@ async function discoverWorkingProvider(deps) {
             component: "daemon",
             event: "daemon.provider_discovery_ping",
             message: `pinging provider: ${candidate.provider}`,
-            meta: { provider: candidate.provider, source: candidate.agentName },
+            meta: { agentName: deps.agentName, provider: candidate.provider, source: candidate.agentName },
         });
         const result = await deps.pingProvider(candidate.provider, config);
         if (result.ok) {
@@ -120,7 +93,7 @@ async function discoverWorkingProvider(deps) {
                 component: "daemon",
                 event: "daemon.provider_discovery_ok",
                 message: `provider discovery succeeded: ${candidate.provider}`,
-                meta: { provider: candidate.provider, source: candidate.agentName },
+                meta: { agentName: deps.agentName, provider: candidate.provider, source: candidate.agentName },
             });
             return {
                 provider: candidate.provider,
@@ -133,8 +106,8 @@ async function discoverWorkingProvider(deps) {
         level: "warn",
         component: "daemon",
         event: "daemon.provider_discovery_all_failed",
-        message: "all provider candidates failed ping",
-        meta: { candidateCount: candidates.length },
+        message: "all vault provider candidates failed ping",
+        meta: { agentName: deps.agentName, candidateCount: candidates.length },
     });
     return null;
 }

package/dist/heart/hatch/hatch-flow.js

@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.writeSecretsFile = writeSecretsFile;
+exports.storeHatchlingProviderCredentials = storeHatchlingProviderCredentials;
 exports.runHatchFlow = runHatchFlow;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
@@ -45,7 +45,7 @@ const auth_flow_1 = require("../auth/auth-flow");
 const provider_models_1 = require("../provider-models");
 const habit_parser_1 = require("../habits/habit-parser");
 const machine_identity_1 = require("../machine-identity");
-const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_credentials_1 = require("../provider-credentials");
 const provider_state_1 = require("../provider-state");
 const hatch_specialist_1 = require("./hatch-specialist");
 function requiredCredentialKeys(provider) {
@@ -67,8 +67,8 @@ function validateCredentials(provider, credentials) {
         throw new Error(`Missing required credentials for ${provider}: ${missing.join(", ")}`);
     }
 }
-function writeSecretsFile(agentName, provider, credentials, secretsRoot) {
-    return (0, auth_flow_1.writeProviderCredentials)(agentName, provider, credentials, { secretsRoot }).secretsPath;
+async function storeHatchlingProviderCredentials(agentName, provider, credentials) {
+    return (await (0, auth_flow_1.storeProviderCredentials)(agentName, provider, credentials)).credentialPath;
 }
 function writeReadme(dir, purpose) {
     fs.mkdirSync(dir, { recursive: true });
@@ -135,10 +135,10 @@ function writeHatchlingAgentConfig(bundleRoot, input) {
     template.enabled = true;
     fs.writeFileSync(path.join(bundleRoot, "agent.json"), `${JSON.stringify(template, null, 2)}\n`, "utf-8");
 }
-function writeHatchlingProviderState(bundleRoot, input, secretsRoot, now) {
+function writeHatchlingProviderState(bundleRoot, input, now) {
     const model = (0, provider_models_1.getDefaultModelForProvider)(input.provider);
     const machine = (0, machine_identity_1.loadOrCreateMachineIdentity)({
-        homeDir: (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(secretsRoot),
+        homeDir: (0, provider_credentials_1.providerCredentialMachineHomeDir)(),
         now: () => now,
     });
     const state = (0, provider_state_1.bootstrapProviderStateFromAgentConfig)({
@@ -160,7 +160,6 @@ async function runHatchFlow(input, deps = {}) {
     });
     validateCredentials(input.provider, input.credentials);
     const bundlesRoot = deps.bundlesRoot ?? path.join(os.homedir(), "AgentBundles");
-    const secretsRoot = deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
     const sourceIdentities = deps.specialistIdentitySourceDir ?? (0, hatch_specialist_1.getSpecialistIdentitySourceDir)();
     const targetIdentities = deps.specialistIdentityTargetDir ?? (0, hatch_specialist_1.getRepoSpecialistIdentitiesDir)();
     const now = deps.now ? deps.now() : new Date();
@@ -173,8 +172,6 @@ async function runHatchFlow(input, deps = {}) {
         identitiesDir: targetIdentities,
         random,
     });
-    const specialistSecretsPath = writeSecretsFile("SerpentGuide", input.provider, input.credentials, secretsRoot);
-    const hatchlingSecretsPath = writeSecretsFile(input.agentName, input.provider, input.credentials, secretsRoot);
     const bundleRoot = path.join(bundlesRoot, `${input.agentName}.ouro`);
     fs.mkdirSync(bundleRoot, { recursive: true });
     writeReadme(bundleRoot, "Root of this agent bundle.");
@@ -189,7 +186,8 @@ async function runHatchFlow(input, deps = {}) {
     writeReadme(path.join(bundleRoot, "senses"), "Sense-specific config.");
     writeReadme(path.join(bundleRoot, "senses", "teams"), "Teams sense config.");
     writeHatchlingAgentConfig(bundleRoot, input);
-    writeHatchlingProviderState(bundleRoot, input, secretsRoot, now);
+    const credentialPath = await storeHatchlingProviderCredentials(input.agentName, input.provider, input.credentials);
+    writeHatchlingProviderState(bundleRoot, input, now);
     writeDiaryScaffold(bundleRoot);
     writeFriendImprint(bundleRoot, input.humanName, now);
     writeHeartbeatHabit(bundleRoot, now);
@@ -202,7 +200,6 @@ async function runHatchFlow(input, deps = {}) {
     return {
         bundleRoot,
         selectedIdentity: selected.fileName,
-        specialistSecretsPath,
-        hatchlingSecretsPath,
+        credentialPath,
     };
 }

package/dist/heart/hatch/specialist-prompt.js

@@ -44,7 +44,7 @@ function buildSpecialistSystemPrompt(soulText, identityText, existingBundles, co
         `Provider: ${context.provider}`,
         `Temp directory: ${context.tempDir}`,
         "Final home: ~/AgentBundles/<Name>.ouro/",
-        "Secrets: ~/.agentsecrets/<name>/secrets.json",
+        "Provider credentials: the hatch tool stores them in the agent's vault.",
     ].join("\n"));
     sections.push([
         "## Bundle creation guidelines",

package/dist/heart/hatch/specialist-tools.js

@@ -42,7 +42,10 @@ const tools_base_1 = require("../../repertoire/tools-base");
 const hatch_flow_1 = require("./hatch-flow");
 const hatch_animation_1 = require("./hatch-animation");
 const bundle_manifest_1 = require("../../mind/bundle-manifest");
+const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
+const vault_setup_1 = require("../../repertoire/vault-setup");
+const vault_unlock_1 = require("../../repertoire/vault-unlock");
 const completeAdoptionTool = {
     type: "function",
     function: {
@@ -171,8 +174,17 @@ async function execCompleteAdoption(args, deps) {
     // Move tempDir -> final bundle location
     moveDir(deps.tempDir, targetBundle);
     // Write secrets
+    let generatedVaultUnlockSecret = null;
     try {
-        (0, hatch_flow_1.writeSecretsFile)(name, deps.provider, deps.credentials, deps.secretsRoot);
+        const vault = (0, identity_1.resolveVaultConfig)(name);
+        const vaultUnlockSecret = crypto.randomBytes(32).toString("base64");
+        const vaultResult = await (0, vault_setup_1.createVaultAccount)(name, vault.serverUrl, vault.email, vaultUnlockSecret);
+        if (!vaultResult.success) {
+            throw new Error(`failed to create vault: ${vaultResult.error}`);
+        }
+        (0, vault_unlock_1.storeVaultUnlockSecret)({ agentName: name, email: vault.email, serverUrl: vault.serverUrl }, vaultUnlockSecret);
+        generatedVaultUnlockSecret = vaultUnlockSecret;
+        await (0, hatch_flow_1.storeHatchlingProviderCredentials)(name, deps.provider, deps.credentials);
     }
     catch (e) {
         // Rollback: remove the moved bundle
@@ -217,6 +229,14 @@ async function execCompleteAdoption(args, deps) {
     if (handoffMessage && deps.animationWriter) {
         deps.animationWriter(`\n${handoffMessage}\n`);
     }
+    if (generatedVaultUnlockSecret && deps.animationWriter) {
+        deps.animationWriter([
+            "",
+            `Vault unlock secret for ${name}: ${generatedVaultUnlockSecret}`,
+            `Use this with \`ouro vault unlock --agent ${name}\` on another machine.`,
+            "",
+        ].join("\n"));
+    }
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
         event: "daemon.adoption_complete",

package/dist/heart/migrate-config.js

@@ -1,7 +1,7 @@
 "use strict";
 // v1 → v2 agent.json migration.
-// Moves model from secrets.json into agent.json under humanFacing/agentFacing.
-// Uses raw fs — NO import from config.ts (avoids circular dependency).
+// Creates explicit humanFacing/agentFacing blocks from the legacy provider.
+// Uses raw fs and provider-model defaults — NO import from config.ts.
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -40,19 +40,15 @@ exports.migrateAgentConfigV1ToV2 = migrateAgentConfigV1ToV2;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const runtime_1 = require("../nerves/runtime");
-const MODEL_FIELD = {
-    azure: "modelName",
-    minimax: "model",
-    anthropic: "model",
-    "openai-codex": "model",
-    "github-copilot": "model",
-};
-function resolveSecretsPath(agentRoot, deps) {
-    const agentName = path.basename(agentRoot).replace(/\.ouro$/, "");
-    const secretsBase = deps?.secretsRoot ?? path.join(require("os").homedir(), ".agentsecrets");
-    return path.join(secretsBase, agentName, "secrets.json");
+const provider_models_1 = require("./provider-models");
+function isAgentProvider(value) {
+    return value === "azure" ||
+        value === "minimax" ||
+        value === "anthropic" ||
+        value === "openai-codex" ||
+        value === "github-copilot";
 }
-function migrateAgentConfigV1ToV2(agentRoot, deps) {
+function migrateAgentConfigV1ToV2(agentRoot) {
     const configPath = path.join(agentRoot, "agent.json");
     let raw;
     try {
@@ -84,44 +80,21 @@ function migrateAgentConfigV1ToV2(agentRoot, deps) {
         message: "migrating agent config v1 → v2",
         meta: { agentRoot },
     });
-    const provider = config.provider;
-    let model = "";
-    if (provider) {
-        const secretsPath = resolveSecretsPath(agentRoot, deps);
-        try {
-            const secretsRaw = fs.readFileSync(secretsPath, "utf-8");
-            const secrets = JSON.parse(secretsRaw);
-            const providers = secrets.providers;
-            if (providers) {
-                const providerSecrets = providers[provider];
-                if (providerSecrets) {
-                    /* v8 ignore next -- fallback: all known providers are in MODEL_FIELD @preserve */
-                    const fieldName = MODEL_FIELD[provider] ?? "model";
-                    const rawModel = providerSecrets[fieldName];
-                    model = typeof rawModel === "string" ? rawModel : "";
-                    // Strip model from secrets
-                    delete providerSecrets[fieldName];
-                    fs.writeFileSync(secretsPath, JSON.stringify(secrets, null, 2) + "\n", "utf-8");
-                }
-            }
-        }
-        catch {
-            // Missing or malformed secrets.json — leave model as empty string
-        }
-    }
+    const provider = isAgentProvider(config.provider) ? config.provider : "anthropic";
+    const model = (0, provider_models_1.getDefaultModelForProvider)(provider);
     // Write v2 config
     const { provider: _removed, ...rest } = config;
     const v2Config = {
         ...rest,
         version: 2,
-        humanFacing: { provider: provider ?? "anthropic", model },
-        agentFacing: { provider: provider ?? "anthropic", model },
+        humanFacing: { provider, model },
+        agentFacing: { provider, model },
     };
     fs.writeFileSync(configPath, JSON.stringify(v2Config, null, 2) + "\n", "utf-8");
     (0, runtime_1.emitNervesEvent)({
         component: "config/identity",
         event: "config_identity.migrate_end",
         message: "agent config migration complete",
-        meta: { agentRoot, provider: provider ?? "unknown", model },
+        meta: { agentRoot, provider, model },
     });
 }

package/dist/heart/provider-binding-resolver.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeProviderLane = normalizeProviderLane;
 exports.resolveEffectiveProviderBinding = resolveEffectiveProviderBinding;
 const runtime_1 = require("../nerves/runtime");
-const provider_credential_pool_1 = require("./provider-credential-pool");
+const provider_credentials_1 = require("./provider-credentials");
 const provider_state_1 = require("./provider-state");
 function legacyLaneWarning(selector, lane) {
     return {
@@ -36,7 +36,7 @@ function buildUseRepair(agentName, lane, force = false) {
 function buildAuthRepair(agentName, provider) {
     return {
         command: `ouro auth --agent ${agentName} --provider ${provider}`,
-        message: `Authenticate ${provider} once for this machine's shared credential pool.`,
+        message: `Store ${provider} credentials in ${agentName}'s vault.`,
     };
 }
 function missingProviderStateWarning(agentName) {
@@ -54,13 +54,13 @@ function invalidProviderStateWarning(agentName) {
 function missingCredentialWarning(provider) {
     return {
         code: "credential-missing",
-        message: `${provider} has no credential record in the machine credential pool.`,
+        message: `${provider} has no credential record in the agent vault.`,
     };
 }
 function invalidCredentialPoolWarning(provider) {
     return {
         code: "credential-pool-invalid",
-        message: `${provider} cannot read credentials because the machine credential pool is invalid.`,
+        message: `${provider} cannot read credentials from the agent vault.`,
     };
 }
 function presentCredential(record) {
@@ -69,7 +69,6 @@ function presentCredential(record) {
         provider: record.provider,
         revision: record.revision,
         source: record.provenance.source,
-        contributedByAgent: record.provenance.contributedByAgent,
         updatedAt: record.updatedAt,
         credentialFields: Object.keys(record.credentials).sort(),
         configFields: Object.keys(record.config).sort(),
@@ -90,7 +89,7 @@ function resolveCredential(poolResult, provider, agentName) {
             warnings: [missingCredentialWarning(provider)],
         };
     }
-    if (poolResult.reason === "invalid") {
+    if (poolResult.reason === "invalid" || poolResult.reason === "unavailable") {
         return {
             credential: {
                 status: "invalid-pool",
@@ -198,7 +197,7 @@ function resolveEffectiveProviderBinding(input) {
         return result;
     }
     const laneBinding = stateResult.state.lanes[laneResolution.lane];
-    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(input.homeDir);
+    const poolResult = (0, provider_credentials_1.readProviderCredentialPool)(input.agentName);
     const credentialResult = resolveCredential(poolResult, laneBinding.provider, input.agentName);
     const readinessResult = resolveReadiness({
         provider: laneBinding.provider,